Lessons Learned from Cyberattack on Health Care Payment Processor

By Menachem Gongola, Director, Thomas DeMayo, Partner and Keith Solomon, Partner

Change Healthcare, the largest payment processor and clearinghouse for medical billing in the health care industry, recently experienced an unprecedented cyberattack. Change Healthcare processes data for one in three patients in the United States. The American Hospital Association called this incident the most significant cyberattack in U.S. health care history.

As a result of the cyberattack, the U.S. Department of Health & Human Services will investigate Change Healthcare through the Office of Civil Rights (OCR) to determine whether Change Healthcare or UnitedHealth Group violated the Health Insurance Portability and Accountability Act (HIPAA). OCR will begin with a review of Change Healthcare’s HIPAA risk assessment.

Risk Assessment

All health care entities responsible for electronic protected health information (ePHI), regardless of size, are required to have a comprehensive and meaningful risk assessment to determine the threats or hazards to the security of ePHI and implement measures to protect against these threats. As we often see from OCR enforcement actions, significant emphasis is placed on the existence and sufficiency of the health care entity’s risk assessment.

Many health care entities were impacted by the Change Healthcare incident, not only from a potential breach of patient information but also operationally, as revenue streams were halted. Such an event is an example of what a comprehensive risk assessment should include, especially as it relates to a health care entity’s business impact analysis and resultant business continuity plan.

Heightened Risk Areas

Health care entities should utilize the lessons learned from the incident by either creating or updating their HIPAA risk assessment in accordance with OCR guidelines. A risk assessment should be tailored to the covered entity’s circumstances and environment, including the following:

• Size, complexity, and capabilities of the health care entity.
• Health care entity’s technical infrastructure, hardware and software security capabilities.
• Probability of potential risks of a cyber or operationally significant event.
• Costs of security measures implemented to mitigate the risks.

Reinforcing Controls

The HIPAA risk assessment allows entities to determine their risk and make the adjustments necessary to strengthen information technology controls and business operations. As noted, it is also a requirement that entities must have in place and available when requested by OCR.

Contact Us

At PKF O’Connor Davies, we have a team of cybersecurity and business continuity specialists who can help you complete your HIPAA risk assessment and review and analyze your current cybersecurity and operational controls. If you have any questions, please contact your client service team or any of the following:

Thomas J. DeMayo, CISSP, CISA, CIPP/US, CRISC, CEH, CHFI, CCFE
Partner
Cybersecurity and Privacy Advisory
tdemayo@pkfod.com | 646.449.6353

Menachem Gongola, CPA
Director
mgongola@pkfod.com | 551.249.1839

Keith A. Solomon, CPA
Partner
Health Care Practice Co-Leader
ksolomon@pkfod.com | 914.341.7078