Let’s face it, there is not a single digital infrastructure in our society impervious to the focused, deliberate attacks of cyber criminals. Every day it seems we learn of another cyberattack bringing down a bank, a hospital, a university…all typically for a ransom paid to the criminals to release the technology so that life can move along again. However, when bad actors decided to disrupt health care claims transmission through Change Healthcare several weeks ago, the level of disruption had far-reaching and significant effects and simply can’t be written off as just another casualty of living in the digital age. APhA has been very publicly outspoken on this issue, and the APhA House of Delegates just passed policy about cybersecurity.
APhA believes there are serious ramifications to the recent cyberattack on Change Healthcare. Frankly, outside of the folks at Change Healthcare, our observation is that the rest of the health care industry—particularly those in the insurance and PBM industries—has not taken this attack seriously enough. Further, the Federal Government has not been aggressive enough with real action—and not just words.
This attack on Change Healthcare illuminated the serious vulnerability we have in our health care system when very few vendors own nearly all the market share of business. While precise data aren’t publicly available, several sources estimate that Relay Health and Change Healthcare together control over 95% of the switch aspect in the pharmacy industry. Had an attack simultaneously occurred on Relay Health, the consequences to our system could have been catastrophic.
HHS must evaluate all critical points in our nation’s health care infrastructure that rely on digital technology, and the redundancies or other fail-safes that are needed. In the case of Change Healthcare, there were no options for many claims on the pharmacy side—Change Healthcare held the sole contract for at least 40 health plans according to one of their many phone updates. They also held singular contracts for many pharmaceutical manufacturer discount cards and compassionate use programs. This meant that not only was the cyberattack disruptive on our system, but it also negatively impacted individuals in our society with health disparities who are particularly vulnerable. Singular contracts in any aspect of health care delivery without a backup plan is, frankly, irresponsible in today’s world.
What worries me most about the current situation is the lack of direct oversight and demand from CMS over Medicare Part D plans, plan sponsors, and the PBMs contracted to provide these functions. Optum Rx, Change Healthcare’s sister company under the UnitedHealthcare umbrella, is the only PBM that has publicly agreed to not financially penalize pharmacies and pharmacists for utilizing their best judgment during the outage. They’ve agreed to not conduct audits inclusive of that period of time. While CMS requested that all Part D plan sponsors, PBMs do the same, no other PBM has publicly announced their plans to do so.
CMS did not exercise their obligation as the government’s purchaser of health care coverage to intervene in the crisis. CMS should have taken a more forceful approach protecting pharmacies, as well as other health care providers, during the attack and Congress must give CMS the appropriate authorities to do so. This event should have been treated as any other public health emergency—with HHS having authority to do whatever is necessary to maintain access to care and the integrity of our health care system.
APhA has been in regular communication directly with HHS and many of the major PBMs. We are advocating strongly on behalf of America’s pharmacy teams. The negative downstream consequences of this or any other cyberattack cannot be allowed to be borne on the shoulders of our profession. This administration and Congress must step in immediately to protect our pharmacy infrastructure.
For every pharmacist. For all of pharmacy. If you are not a member, please join us so that we can continue to fight for you.