In the wake of the cyberattack on Change Healthcare’s reimbursement system, which has led UnitedHealth Group to distribute more than $2 billion to providers amid operational disruptions, the healthcare sector has gleaned an important lesson. Cyber threats, an inevitable part of today’s interconnected digital landscape, require a degree of preparedness that goes beyond conventional technology defenses. A crucial strategy to emerge from this crisis should be the incorporation of specific contractual language to maintain the flow of payments to providers and partners, even during a crisis.
The situation brings to mind the words of former U.S. Secretary of Defense Donald Rumsfeld: “There are known knowns. There are things we know we know. We also know there are known unknowns. That is to say, we know there are some things we do not know. But there are also unknown unknowns—the ones we don’t know we don’t know.” Applying his thoughtful epistemology to cybersecurity reflects the necessity for a comprehensive approach that prepares for both predictable and unpredictable challenges.
Contractual foresight can serve as an insurance policy against the operational and financial chaos that follows a cyber breach, thus establishing a promise of stability. By embedding provisions in contracts that ensure the continuity of payments during data disruptions, healthcare systems can also lay a foundation for future financial resilience. Such measures will go beyond mitigating the immediate effects of cyber incidents; they will reinforce trust and partnership among stakeholders so that attention can remain focused on caring for patients rather than on navigating administrative and technological turmoil.
Collaboration among legal, financial and cybersecurity experts is essential for developing clauses that are both robust and adaptable to reflect the diversity of cyber threats. Additionally, adopting this strategy aligns with broader efforts to enhance the resilience of critical infrastructure, because financial stability is integral to organizational security. Moreover, it is simply good standard business practice.
The substantial operational and financial consequences of the Change Healthcare cyberattack for healthcare providers highlight the risks to the healthcare sector. As organizations traverse the terrain of cybersecurity, with the risk of more attacks on healthcare organizations always lurking, the inclusion of contractual measures to guarantee uninterrupted financial operations is a critical defense measure.
Ensuring the continuity of payments through carefully crafted contractual agreements addresses the immediate impact of an attack and strengthens the entire healthcare ecosystem against future threats. This counteroffensive must include the deliberate structuring of financial and operational relationships to anticipate and mitigate the challenges of our digital age—the known and the unknown.
Eric W. Ford, PhD, is editor, Journal of Healthcare Management.
Editor’s Note: This content has been excerpted from “Beyond the Breach: Navigating the Knowns and Unknowns of Cybersecurity,” Journal of Healthcare Management, vol. 69, no. 3.