Cyber-attacks in Healthcare and the Need for Business Continuity Plans

The American Healthcare sector was rocked by the recent cyber attack on Change Healthcare in February 2024. Many healthcare providers are still impacted both financially and operationally. Although cyber-attacks are not new to healthcare organizations, this event is being cited by many in the industry as the most catastrophic. This event has shown how reliant the American Healthcare industry is on third party processing companies and the importance of updated business continuity plans to ensure operations can continue during service disruptions. Organizations that do not have comprehensive downtime procedures and policies risk severe financial repercussions that can have negative implications on patient care.

Organizations should develop processes that they can use during planned and unplanned downtime events. These should be inclusive of both medical and pharmacy billing processes as these will often include different information systems. Additional areas to ensure are included in the plan are home health services, physician-based practices, and patient financial assistance programs that the healthcare organization utilizes. These business continuity processes should be reviewed and updated on an annual basis to ensure that any gaps are identified and rectified prior to an actual downtime. 

Business continuity strategies should be inclusive of shortand long-term downtimes as the tactics used may be different depending upon the duration of the event. Communication cadence and method should also be outlined in the plan.

Simulated tabletop exercise of this business continuity plan should be periodically performed to test the procedures. All new staff should be educated in these plans and shown where to find them. These resources should be easily accessible to all staff and have a checklist of who inside and outside of the organization needs to be notified during an event.

Following each real or simulated event, a debrief should be held to discuss any learnings. This debrief should be shared with both frontline staff and executive leaders and used to update the business continuity plan. Additionally, any time a new location or billing process is added or changed; it should be reconciled with the existing business continuity plan to ensure there is no misalignment of processes.

Cyber-attacks are just one cause of billing process downtime and rarely are anticipated. Organizations that proactively develop robust business continuity plans before an event are positioned to maintain operations and continue to provide patient care.