Cybersecurity in Healthcare: Lessons from the Change Healthcare Outage
The February 2024 ransomware attack on Change Healthcare—one of the largest healthcare payment and data clearinghouses in the U.S.—sent shockwaves through the medical community. The disruption affected claim submissions, prescription processing, and revenue cycles for weeks, exposing the deep vulnerabilities in our increasingly digital healthcare ecosystem.
For physicians in St. Petersburg, where many clinics rely on third-party vendors for billing, EHR access, and clearinghouse services, the outage was a wake-up call: cybersecurity is no longer just an IT concern—it’s a core business and clinical issue.
Here’s what we can learn from the incident and how you can protect your practice.
1. Understand the Scope: How the Change Healthcare Attack Disrupted Care
When Change Healthcare's systems were encrypted by ransomware, core services like claims processing, eligibility verification, prior authorization, and e-prescribing went offline. Across the country—including in Pinellas County—clinics saw:
Delays in billing and reimbursements
Inability to fill or process prescriptions electronically
Gaps in patient record access and communication
Mounting administrative backlog
While large health systems had some IT redundancy, small and midsize practices were disproportionately affected—especially those that relied on a single vendor for multiple services.
2. Lesson #1: Know Your Vendors—and Their Risks
If your EHR, billing, and e-prescribing systems are all handled by one vendor or clearinghouse, you’re putting a lot of operational eggs in one basket.
Action Steps:
Request a Business Associate Agreement (BAA) from every vendor handling PHI.
Ask each vendor about their cybersecurity measures, redundancy plans, and breach response protocols.
Ensure you understand how your data is stored—on-premises, in the cloud, or hybrid—and who has access to it.
St. Pete practices using cloud-based systems should confirm that vendors have geographically distributed backups and 24/7 monitoring.
3. Lesson #2: Build Local Redundancy for Critical Workflows
When national systems go down, your local capacity to continue operating is crucial. Can your clinic:
Process paper claims if electronic ones are unavailable?
Fill prescriptions with printed scripts if eRx fails?
Access recent patient summaries offline?
Practical Tips:
Maintain a “disaster mode” checklist for staff, including paper intake and claims workflows.
Store offline backups of recent patient records on encrypted external drives or local servers.
Keep a printed contact list of key payers, pharmacies, and referral partners.
A few hours of downtime may be manageable. A few days or weeks—as seen with the Change incident—can threaten revenue and continuity of care.
4. Lesson #3: Staff Training Is Your First Line of Defense
Most cyberattacks begin with human error—a phishing email, a malicious link, or an unsecured device.
Implement Routine Training:
Teach staff to recognize phishing and suspicious messages.
Require strong, unique passwords and regular password updates.
Establish device and access protocols for remote work or telehealth platforms.
Reinforce HIPAA-compliant communication habits, especially when systems are down.
Even small practices should consider an annual cybersecurity review with an IT consultant or managed services provider.
5. Lesson #4: Financial Contingency Planning Matters
Many practices saw reimbursement slow to a crawl during the Change outage. Those without sufficient cash reserves or lines of credit faced difficult decisions—delayed payroll, reduced hours, and postponed vendor payments.
Financial Resilience Tips:
Maintain at least 60–90 days of operating expenses in reserve, if possible.
Develop a protocol for rapid switching to alternative clearinghouses or billing systems.
Regularly assess your cyber insurance coverage, including business interruption protection.
6. Lesson #5: Cybersecurity Is a Clinical Responsibility
When patient data is compromised or care is delayed, the risks are not just financial—they’re clinical and ethical. St. Petersburg physicians must treat cybersecurity as a core component of patient safety.
Ask Yourself:
If your clinic were hit with ransomware today, could you notify affected patients within the HIPAA-mandated 60 days?
Could you identify what data was accessed and what care was delayed?
Do you have a clear line of communication with your EHR vendor or MSP in a crisis?
Final Thoughts: Resilience Starts With Preparation
The Change Healthcare outage highlighted how deeply intertwined healthcare operations are with digital infrastructure. For independent practices and group clinics in St. Pete, proactive cybersecurity planning is now as essential as hurricane preparedness.
By diversifying your vendors, building local fail-safes, training your team, and reviewing your contingency plans, you can protect your patients, your data, and your livelihood in an increasingly unpredictable digital world.