American Pharmacists Association Update: Cybersecurity Recommendations Amid Change Healthcare Cyberattack

As effects of the February 21 Change Healthcare cyberattack continue to impact health systems across the country, the American Pharmacists Association (APhA) has issued a series of recommendations for policy makers to swiftly ameliorate the fallout of the attack. APhA released its recommendations ahead of the May 1 US Senate Committee on Finance hearing, which saw Andrew Witty, CEO of UnitedHealth Group—of which Change Healthcare is a recent acquisition—testify regarding the cyberattack.¹

Instead of aiming the recommendations at pharmacists and pharmacies within its extensive membership network, APhA targeted government leaders with suggested policies that will help health systems recover from the attack and prevent future attacks of this scale from occurring in the future. Ranging from pharmacy ecosystem audits to policies ending vertical integration, the recommendations would create much-needed protections for the country’s digital health infrastructure involving millions of patients, providers, hospitals, and pharmacies in the United States.

The American Pharmacists Association building in Washington, D.C. | image credit: JHVEPhoto / stock.adobe.com

APhA recommended “[mapping] out the pharmacy ecosystem to identify infrastructure vulnerabilities.”² Unfortunately, cyberattacks have become an increasingly alarming issue within the pharmacy industry, evidenced by recent increases in e-prescription fraud.³ The digital systems processing prescriptions and insurance claims—similar to the main functions of Change Healthcare—are far from perfect.

As a first step to mitigating the issues created from the Change Healthcare attack, APhA is calling for a nationwide audit to fully understand the holes that exist within these digital platforms that are carrying heaps of sensitive medical records. Next, APhA called for further accountability for both violators of cyberattacks and health systems failing to enact proper security standards. Additionally, it called for ways to incentivize minimum security standards, encouraging an even playing field of fully secured health systems across the country.²

READ MORE: Ascension Hospitals Face Disruptions from Suspected Cyberattack

Leaning into a larger issue affecting so many independent pharmacies nationwide, APhA recommended ending “vertical integration practices that result in health care market consolidation,” which is something that has helped UnitedHealth Group grow into the largest health care company and the 11th overall most profitable company in the world.^2,4

“Too much of our health care system is being allowed to flow through gigantic corporate monsters like UnitedHealth; this unfortunate circumstance is proof positive of that,” said B. Douglas Hoey, MBA, RPh CEO of the National Community Pharmacists Association (NCPA).⁵ “This entity rakes in a tremendous amount of cash, yet it arbitrarily denies or slow-walks patient care, underreimburses providers, and otherwise makes it difficult to provide health care services. [It also] fails to protect itself and its customers from a catastrophic cyberattack. These broad, debilitating disruptions reiterate independent pharmacies’ view that UnitedHealth Group should not have been allowed to acquire Change Healthcare in the first place and that Congress and other policymakers must finalize and enforce stronger laws to rein in these behemoths as swiftly as possible.”

With both industry organizations denouncing vertical integration, the Change Healthcare cyberattack has opened larger conversations for how market consolidation is negatively affecting the pharmaceutical industry. As advocacy groups continue to fight against the impact that pharmacy benefit managers (PBMs) have on independent pharmacies, these groups argue that PBM tactics—especially their effort to eliminate market competition—and vertical integration are exposing key security pitfalls exploited in the Change Healthcare cyberattack.

“The Change Healthcare cyberattack led to significant business disruptions for pharmacies with few exceptions as a direct result of the vertically integrated nature of UnitedHealth Group,” the NCPA stated in a press release.⁵ “Independent pharmacies are still struggling daily with operational and financial disruptions months after the cyberattack.”

Aside from APhA’s expressed displeasure toward large health care corporations like UnitedHealth, the organization also recommended the federal government establish a cyber insurance program.² “Given the importance of strong and reliable public health infrastructure, a federal cyber insurance program should be established that offers affordable cybersecurity coverage to ensure that pharmacy doors can remain open to provide patient care,” APhA stated.⁶ They also suggested breach notification requirements that would force systems to immediately flag any type of attack, alerting all affected parties of the extent of any future cybersecurity disruptions.²

Finally, completing APhA’s extensive but secure framework for keeping health systems safe in the future, they suggested increased funds toward cybersecurity and required backup systems for businesses using digital tools to store sensitive medical data.³

READ MORE: Technology and Data Resource Center

Don’t get left behind: Sign up today for our free Drug Topics newsletter and get the latest drug information, industry trends, and patient care tips delivered straight to your inbox.

References

1. Nowosielski B. UnitedHealth CEO testifies before Congress on Change Healthcare cyberattack. Drug Topics. May 1, 2024. Accessed May 3, 2024. https://www.drugtopics.com/view/unitedhealth-ceo-testifies-before-congress-on-change-healthcare-cyberattack 

2. Nowosielski B. How individuals are committing e-prescription fraud. Drug Topics. April 16, 2024. Accessed May 3, 2024. https://www.drugtopics.com/view/how-individuals-commit-e-prescription-fraud 

3. APhA’s cybersecurity recommendations to secure the pharmacy ecosystem and patient safety. American Pharmacists Association. May 1, 2024. Accessed May 3, 2024. https://www.pharmacist.com/About/Newsroom/aphas-cybersecurity-recommendations-to-secure-the-pharmacy-ecosystem-and-patient-safety 

4. UnitedHealth CEO Andrew Witty testifies about cyberattack. Youtube. May 1, 2024. Accessed May 1, 2024. https://www.youtube.com/watch?v=vjQAcWy1_dQ

5. Change Healthcare cyberattack still harming independent pharmacies, NCPA says. NCPA. May 1, 2024. Accessed May 1, 2024. https://ncpa.org/newsroom/news-releases/2024/05/01/change-healthcare-cyberattack-still-harming-independent

6. American Pharmacists Association cybersecurity recommendations related to pharmacy infrastructure and patient safety. American Pharmacists Association. Accessed May 3, 2024.https://www.pharmacist.com/Advocacy/Issues/Cybersecurity