WASHINGTON - The Change Healthcare cyberattack made obvious the deep vulnerabilities of our nation’s digital health care infrastructure, resulting in devastating patient care disruption, particularly at community and health system pharmacies across the country. The attack, and even more so the prolonged inability to restore service, severed the lifelines to patient coverage and reimbursement for needed medications. Patients, prescribers, and pharmacies were left in the dark, unsure about medication coverage or patient out of pocket cost. The outage also halted transmission of electronic prescriptions and processing of manufacturer discount cards. Even as reimbursement stopped flowing to pharmacies, pharmacies endeavored to provide appropriate care and medication. However, in many cases, prescription dispensing was inevitably delayed. This chaos and uncertainty continued for over a month.
The American Pharmacists Association (APhA), representing pharmacists and pharmacy teams in all practice settings, urges policymakers to closely examine the cause, along with patient and business impact, aftermath, responses, penalties, and legal consequences related to the system outages. In the case of Change Healthcare, we recognize that one serious vulnerability is that industry consolidation and vertical integration has resulted in lack of options and competition in the market for pharmacies and other providers to transact claims. There must be accountability, oversight, and systemic policy fixes. Additionally, pharmacies must not be held financially liable for good faith efforts undertaken during the outage nor subjected to punitive or exploitative actions by pharmacy benefit managers, plans, or patients.
APhA stands ready to work with policymakers to identify lessons learned and what’s needed for prevention, mitigation, emergency preparedness and response, and penalties to ensure this does not happen again.
Additionally, APhA’s House of Delegates (HOD), comprised of over 300 delegates from state pharmacy associations, APhA membership, recognized national pharmacy organizations, and ex-officio groups, met during APhA’s 2024 Annual Meeting & Exposition in Orlando over March 22–25, 2024, to debate and adopt policy proposals developed throughout the year. The APhA HOD passed the following cybersecurity policy statements.
-
APhA advocates for implementation and maintenance of cybersecurity systems, safeguards, and response mechanisms to mitigate risk and minimize harm or disruption for all pharmacies and related parties who manage or access electronic health and business information.
-
APhA advocates for all pharmacies and related business entities responsible for electronic health and business information to have cyber liability insurance or an equivalent self-funded plan to protect all relevant parties in the event of a cyberattack and data breach.
-
APhA advocates for education providers to facilitate, and pharmacy personnel to seek out, education and training on cybersecurity laws, regulations, and best practices.
APhA believes that continuity of patient care is paramount and cannot be jeopardized or compromised again.
###