Over the past decade, the U.S. healthcare industry has seen an accelerated pace of consolidation through mergers and the formation of larger systems to spread overhead costs, resulting in the acquisition of expensive new technology and the development of deep clinical and cybersecurity expertise that can be shared among larger individual providers within a health system.
But consolidation is not easy, nor is it a panacea for rising health care costs, which have risen significantly faster than the rate of inflation while premium payments have remained roughly flat. Consolidation reduces competition and the number of options available to communities, limiting choice for patients and, in some cases, directly contributing to higher prices for both health insurance and health care services in these communities.
Protecting rural health is costly
Consolidation has saved many small and rural hospitals from closure because it reduced costs and many core services such as IT, billing, risk assessment, and regulatory compliance were taken over and centralized by the acquirer. However, the change from a local data center to a remote data center hundreds of miles away increases dependency on the remote facility’s core systems. This means that if network connectivity is lost or a ransomware attack occurs at the system level, the remote hospital has very limited access to the health IT and IoT systems needed to diagnose, treat, monitor, or manage the patients in its care, something that it was able to do using local IT resources before it was acquired. These challenges can even extend to reading a simple X-ray or CT scan in a remote clinic or rural hospital.
Consolidation has also reduced the medical services available at many hospitals, as costly diagnostic and treatment services are transferred to hospitals in larger cities where the financial costs of maintaining expensive units, their equipment, and the specialized staff needed to run them can be more easily justified. This deprives rural communities of vital medical capacity and forces patients to make expensive and inconvenient journeys.
An example of this would be a local car accident where a fracture or internal injury is suspected, but the nearest medical imaging location may be several hours away by ambulance.
A recent case study described the plight of a woman with a high-risk pregnancy whose family lived in a small community where all health services, including general practice and primary care, had recently been abolished. They could rely only on weekly calls to an obstetrician hundreds of miles away until the pregnancy could be brought to term, which forced them to move to a relative’s house closer to the hospital.
Another commonly cited example is the growing number of rural cancer patients, many of whom must be transported to large city hospitals several times a week to receive radiation and chemotherapy. With round trips of over 200 miles, this is clearly costly and wasteful, especially since most health insurance plans do not cover ambulance travel. Here, U.S. health economics directly impact patient care, outcomes, and even morbidity and mortality.
New Single Points of Failure
Consolidation has also led to the creation of single points of failure. A recent example is the cyberattack on Change Healthcare, which is used by hundreds of health systems nationwide for medical billing and prior authorization of medical services, prescriptions, and more. The collapse of Change Healthcare, now part of Optum and owned by UnitedHealth Group, led many patients to delay medical procedures or the receipt of prescription drugs because these had not been prior authorized. With providers unable to bill insurance companies, health systems were also unable to receive the payments they needed to cover overhead costs such as doctor and nurse salaries, and some health systems reportedly fell into serious financial difficulties, including bankruptcy.
A few years ago, there were many companies offering services similar to Change Healthcare, but consolidation has greatly reduced the number of alternative services available today. Few providers are set up to quickly switch from one service provider to another if a problem occurs, regardless of the level of redundancy. And no other competitor to a major player like Optum’s Change Healthcare can step up to take on significant additional capacity if a competitor experiences problems.
Lack of resilience
Even more concerning is that the healthcare industry has not implemented the resilience that the rise in cybercrime has forced other industries to adopt. Currently, there are numerous single points of failure that could easily take down an entire healthcare system, resulting in minimal or reduced healthcare services for entire communities.
A good example of cascading outages caused by an attack on a single application or service provider is the recent ransomware attack on pathology service provider Synnovis, a joint venture between SYNLAB, Europe’s largest medical testing and diagnostics provider, King’s College Hospital NHS Trust, and Guy’s and St Thomas’ NHS Trust. This includes the Royal Brompton London Children’s Hospital, Evelina London Children’s Hospital, and a number of primary care facilities in southeast London. Just as the Change Healthcare outage affected a third of Americans, the London cyberattack affected a large number of Londoners. The attack led to the cancellation of over 1,000 procedures and forced all pathology services to revert to paper-based records while urgently calling for blood donors.
While there is an intention to interconnect various NHS trusts in the future to facilitate pooling and sharing of resources such as pathology services, the funds and political will to build this are not currently available given the rising cost of healthcare and very limited budgets. If the American healthcare system had invested in backup or secondary providers for medical services and prescription pre-authorizations, the Change Healthcare attack would not have had such a devastating impact on the American public and many healthcare systems. Also, UHG management would not have felt the need to pay a $20 million ransom to cybercriminals, as their attempts to quickly restore their systems and recover and protect regulated PHI data failed. Ironically, the payment likely spurred further growth in the criminal cyber extortion industry and promises future cyber extortion attacks.
The bottom line is that consolidation may not be the panacea we have been led to believe. Putting all our eggs in multiple single baskets has introduced additional risk to an already highly risky industry. As the recent CrowdStrike outage demonstrated, these single points of failure extend all the way to Microsoft Windows, which has near-universal adoption across payers and providers. Perhaps it makes sense to pursue “security through obscurity” rather than following the crowd.
Among the airlines during last weekend’s four-day outages and delays, the only one that wasn’t affected was Southwest Airlines, which still runs most of its systems on the 1992-era Windows 3.1, despite years of pressure from Redmond Airlines.
Richard Staynings is an internationally respected leader in healthcare cybersecurity, currently serving as Chief Security Strategist at Cylera, a pioneer in medical device and HIoT security, and a lecturer on graduate courses in cybersecurity, healthcare informatics, and healthcare management at the University of Denver University College.