elenabs/istock via getty images

Why diversifying clearinghouse, banking partners is crucial

In the aftermath of the Change Healthcare cyberattack, hospitals should consider diversification of clearinghouses and banking partners to reduce risk.

Clearinghouses and banks are crucial in supporting hospitals’ financial health, enabling providers to focus on delivering high-quality patient care. However, a recent cyberattack that shut down one of the largest clearinghouses in healthcare has caused many hospital leaders to wonder how to balance this reliance on key vendors with the risk of partnering with third-party companies.

On February 21, 2024, Change Healthcare alerted customers of a network interruption due to a cyberattack. The attack left the operator of the largest US clearinghouse for medical payments unable to process claims for reimbursement. Many providers who relied on the vendor for claims reimbursement had to take out loans through UnitedHealth Group, Change Healthcare’s parent company, to stay afloat as more than 100 of the vendor’s services shut down.

Change Healthcare has been restoring systems since March 2024, but healthcare providers still feel the impact of the cyberattack. A recent American Medical Association (AMA) survey found that over three-quarters of physicians lost revenue from unpaid claims due to network interruptions. More than half of physicians responding to the survey also said they had to use personal funds to cover their practice’s expenses, with 31% unable to make payroll at the time.

The Change Healthcare cyberattack is a wake-up call for hospital finance leaders whether their organizations use the vendor’s services or not, says Geoff Stenger, senior vice president with Kaufman Hall’s Treasury and Capital Markets practice.

“Treasurers who had to live through trying to find access to balance sheets and credit really two times in the last 15 years (with the 2008 financial crisis and the COVID-19 pandemic), this was another time for them to ask: Where are my sources of liquidity? How do I get access to them? Is it okay for me to have a relationship with one bank or do I need multiple?” Stenger said.

“Their minds have been very attuned to how to spread what bankers would call non-credit revenue to access balance sheets.”

Hospital revenue cycle leaders also wonder how concentrating services under one vendor elevates the risk they take with third-party companies. As one hospital CEO told Stenger, hospitals got comfortable with the amount of risk they accepted as UnitedHealth Group acquired more businesses.

But UnitedHealth Group hasn’t been the only company engaging in more deals lately, and they certainly aren’t the only ones being targeted by cybercriminals. Last month, leading revenue cycle technology and services vendor R1 RCM notified the public of a data breach involving personally identifiable information and protected health information after hackers targeted a zero-day vulnerability of a software product it uses.

“If I'm buying 15 services from a vendor — as hospitals have trended towards because it's easier to interact with one firm — then they need to evaluate risk, figure out what the dollars are attached to that, and make some thoughtful decisions about diversification,” Stenger explained.

Diversifying clearinghouses and banking partners can reduce counterparty concentration risk, according to experts at Kaufman Hall. After all, healthcare is a common target for cybercriminals and was the hardest hit by ransomware last year, according to the FBI.

“The nature of the industry is that there are so many disparate owners and processes, and the ambitions that someone like UnitedHealthcare Group has to bring all that together in a corporate environment are certainly noble,” Stenger said. “But the fact that healthcare data is so valuable means the reality is that healthcare is such a target for all of these cybersecurity events.”

Hospital leaders, especially treasurers and other finance leaders, need to understand risk management in this reality. There is also a balance between managing multiple vendors and the risk associated with partnering with third-party companies.

“If you're going to have multiple vendors, it's extra management with that vendor. You need a good lay of the land to assess what you have and the associated risk; that's always our first step,” Stenger stated.

The Change Healthcare cyberattack also raises questions about risks that are not obvious when partnering with a vendor, such as the added risk of the company's mergers and acquisitions. Understanding what level of risk is appropriate for the hospital to manage helps leaders be more proactive about what are seemingly inevitable cybersecurity incidents.

“Our thought is to take that to the next level; you do need to put a number on the risk,” Stenger said. “There are always competing priorities and opportunity costs, but quantifying and prioritizing risks is critical. Then, is it a management function or do you do something different about it, like reserving some of your balance sheet resources against that type of risk?”

“Whatever it may be, I think that's the next step for us: Risk management on an integrated basis between finance, strategy, and operations to ensure that it's set up appropriately.”

Hospitals should have a robust risk management strategy in place to protect their systems and data from potential breaches. However, Stenger acknowledged that pushing the needle on being proactive about cybersecurity from a business perspective is challenging. The central mission of hospitals is to provide high-quality patient care, which takes precedence over some administrative functions depending on available resources.

“I do think there is some room, though, to get more people involved in decision-making here,” Stenger states. “The best thing you can do is spend that time as a decision-making group and do it on an ongoing basis. You need to be thoughtful about vendor relationships over time.”

Hospitals tend to evaluate vendor contracts every three to five years or when the contract is due, according to Stenger. However, the uptick in healthcare-related cyberattacks signals a need for more frequent management, including an annual review. For example, finance leaders should know the balance within their banking partners to determine if they are more reliant on a particular bank. Diversifying may help to mitigate the impacts of a financial crisis.

“The biggest takeaway is to take some time to do that in whatever form you can based on all the other competing priorities,” Stenger concluded.

Next Steps

Dig Deeper on Medical billing and collections