By AAMI
Recently, the House of Representatives Energy and Commerce Committee, chaired by Representative Cathy McMorris Rodgers (R-WA), held a hearing on the fallout of the Change Healthcare cyber breach. According to KFF Health News, the attack was first made public on February 21, 2024, and resulted in Change Healthcare’s payment services becoming temporarily unavailable as well as impacting many hospitals’ and pharmacies’ ability to process prescriptions. At that time, doctors, pharmacists, and other health care professionals could not discern whether patients had health insurance, and payments to health care organizations like pharmacies and hospitals were halted. This resulted in healthcare delivery organizations suffering serious losses. In March, CBS News reported that healthcare delivery organizations across the industry could be losing a cumulative $100 million a day. The cost to UnitedHealth is already estimated at $872 million but is likely to exceed $1 billion, which would make it one of the most costly cyber losses for a single organization.
Change Healthcare worked to restore services, but periodic problems have persisted and the company has faced additional cyberthreats. The federal government also continues to take interest, with Senator Ron Wyden (D-OR) promising an April 30th hearing by the Senate Finance Committee.
To better understand the implications of this story, AAMI News spoke to Axel Wirth, longtime AAMI member, AAMI Fellow, and chief security strategist at the medical device cybersecurity firm Medcrypt. The following represents Wirth’s views as a cybersecurity professional and a friend to the health care industry and does not necessarily represent AAMI’s perspective. The correspondence has been lightly edited for length and clarity.
Q: What are the long-term implications of this breach?
A: Many have identified the Change Healthcare breach as a paradigm shift for the health care industry, similar to the Colonial Pipeline event for the oil and gas industry. I would tend to agree and similarly, I would expect that governments’ and regulators’ efforts to improve health care’s cybersecurity posture will accelerate now.
Q: Do you have any thoughts on the fallout of the breach and what weaknesses it revealed?
A: It is worth noting the sheer impact these events had on the larger industry. It was estimated that over 50% of U.S. health care providers were impacted from a revenue cycle perspective and experienced the impact on their ability to process billings or prescriptions. This is pretty much a traditional single point of failure example but on a very large scale.
Q: What can healthcare delivery organizations and cybersecurity professionals learn from these events?
A: The lesson learned for us is that we really shouldn’t be looking at security risks as an issue for individual systems or even the individual hospital. It really has become an issue of regional and even national criticality as it affects, due to scale, our larger public health system.
Q: Why all the concern? Was the Change Healthcare breach simply bigger than most attacks or does it imply innovation on the part of bad actors?
A: A noteworthy aspect is the speed and scale of the attack relative to what we have seen in the past. On one hand, this established a new precedent of the level of impact on the industry; on the other hand, it is a continuation of increasing attack severity and malice trends as we have been observing over the past years when analyzing HHS “Wall of Shame” breach reporting data.
Q: So, while the attack demonstrated new capabilities from malign actors, this is also part of an industry-wide trend?
A: Sure. For example, despite 733 breaches reported, 2023 stayed relatively flat compared to the two previous years. However, the number of breached records set a new all-time high, exceeding last year by a factor of 2.5. Further, breaches reported now show 80% classified as “Hacking/IT Incident”, which aligns with my previous statement about an increase in targeted and malicious attacks.
Another important trend to note is that of cyber adversaries using strategies to maximize their profits. For example, in the Change Healthcare case, in addition to the initial ransom demand (rumors have it pegged at $22 million) we now see additional extortion of Change, affected patients, as well as attempts to wholesale the data in the underground markets.
Guide for HTM Department Financials
Do you work in a management capacity in healthcare technology management (HTM)? The AAMI has published a new document on non-technical skills development designed to help HTM staff improve the financial management of their departments. HTM Non-Technical Skills Development: Financial Acumen focuses on two issue areas: financial considerations in HTM and business planning.
According to Danielle McGeary, AAMI’s vice president of HTM, “this new document is the right place to start if you’re seeking to increase financial literacy in your HTM department and improve your employees’ understanding of your business model.”
First, the document presents the key concepts HTM staff will need to know, such as cost of service ratio, total cost of ownership, and others. It then applies these concepts to the financial operations of an HTM department and the management of medical devices, looking at:
- Budgeting concerns including capital budgets and operating budgets
- Earnings before interest, taxes and depreciation
- Revenue and return on investment
The document also includes the fundamentals of business planning so that HTM departments can establish and pursue a long-term strategy and deal with future financial issues. Analytic frameworks for assessing a given department can include:
- An SBAR analysis, which uses a “Situation, Assessment, Recommendation” model
- A SWOT analysis, which focuses on “Strengths, Weaknesses, Opportunities and Threats”
- The PEST analysis, which addresses “Political, Economic, Social and Technology” factors
The guide addresses all three paradigms and provides readers with the information needed to choose the version that best fits their department. Further, the document provides the basics on:
- Constructing one-, three-, and five-year plans
- Performance indicators
- Benchmarking
- Labor and training costs
Mike Powers, director of HTM at Intermountain Health, collaborated with his fellow AAMI volunteers to produce the document. “When trying to encourage engagement of caregivers with their roles, it is helpful to illustrate for them ‘why what you do is important.’ It is also important to understand the finance side of an HTM shop,” Powers explained. “HTM Non-Technical Skills Development: Financial Acumen goes a long way towards accomplishing both tasks by equipping caregivers with the baseline financial knowledge to run an HTM department as a business unit and answer the question, ‘What do you do here?’ ”
In short, Powers and his peers have designed HTM Non-Technical Skills Development: Financial Acumen to be a one-stop resource to educate employees, gauge the financial health of your department, and plan for the future.
The document is free for AAMI members and can be purchased by non-members in the AAMI store. Non-members who are interested in this and other AAMI documents are encouraged to consider a one-year individual AAMI membership. Priced at $100, this membership tier includes immediate access to a wealth of other AAMI HTM resources and BI&T publications such as guides on equipment acquisition, cybersecurity issues, career planning and more.

