North Sunflower Medical Center last week asked the county board of supervisors for permission to seek a $9.5 million line of credit from Planters Bank & Trust, a move that follows nearly two months of disruptions in revenue due to the February cyberattack against one of the hospital’s vendors, Change Healthcare.
The Nashville-based Change is a subsidiary of UnitedHealth Group and manages reimbursements for thousands of hospitals and pharmacies throughout the United States.
NSMC Executive Director Billy Marlow told the board that reimbursements halted immediately following the data breach.
“We quit getting paid on February 21, and we were financially as strong as we could have been, with $20 million in the bank a year ago in January,” Marlow said. “And it takes quite a bit of money each month to operate.”
If NSMC does need to tap into the line of credit, it would come in the form of a six-month operational loan, Sunflower County Board Attorney Johnny McWilliams said.
The hospital would put up its accounts receivables as security.
McWilliams also noted that the county is authorized to levy up to 5 mils for hospital operations, and that is currently levied at .44 mils, well below the max.
Marlow also said that NSMC has other revenues set to hit the bank that could total millions.
The Ruleville hospital has the reputation as one of the strongest rural hospitals in the state, rebounding from an impending closure two decades ago to become one of the largest employers in the county.
Marlow spearheaded that turnaround, and he and the staff have managed multiple health care disruptions since 2004, including the COVID-19 pandemic.
There are 650 employees on the hospital campus, Marlow said, up from 187 when he took over the institution.
“We’ve grown, and we’re making money, but we can’t do it for free,” Marlow said. “Planters Bank has stepped up to the plate, and they’re going to help us get through this.”
The county board voted unanimously to approve Marlow’s request.
Indianola-based South Sunflower County Hospital also has not been immune to the Change debacle.
SSCH Chief Financial Officer Katie Yates told The Enterprise-Tocsin that the hospital received the same alert as others on Feb. 21 regarding the breach.
About eight days later, Yates said, the Indianola hospital decided to sign an agreement with another company as a temporary measure to handle claims.
“We kept getting the same correspondence saying that they had a cyber issue and that they were working on it, but we never could get any more information,” Yates said. “We tried calling, but we never could get any information. That’s the reason that we decided to move on with somebody else, because that’s us getting our claims out the door and getting paid.”
As nimble as the hospital was in February, Yates said the institution’s cash has still been impacted.
“It has decreased a good bit,” she said. “We’ve been able to operate, and we’re kind of starting to see it come back up.”
Yates said SSCH’s cash balance was down about 20% in February and down about 28% in March compared to months prior to the cyberattack.
“It’s picked up. April will probably still be lower than the norm, but I can start to see us trend back up, she said.
While the two Sunflower County institutions have bucked state and national trends, the United States, in recent years, has seen the closure of over 200 hospitals due to normal market forces, said Josh Corman, former chief strategist for the Cybersecurity & Infrastructure Security Agency.
Another 700, he noted, have seen services impacted greatly by mergers and acquisitions.
Corman, who is also the founder of iamthecavalry.org, told The Enterprise-Tocsin that threats to health care institutions have grown exponentially since the advent of electronic health records.
“For a long time, there were nearly zero attacks on health care,” Corman said. “We didn’t have anything worth stealing, certainly not in an efficient way.”
Corman was in Indianola last week conducting a series of meetings with DappInc., a local tech firm that is developing a series of health care applications, some of which involve facilitating an easier and more secure flow of health records between hospitals, clinics and private practices.
“We created a treasure trove of standardized and aggregated electronic health records,” Corman said. “In response to this, there was something worth stealing. These records had value. They were more valuable than credit cards, on the dark market, significantly more valuable.”
Corman said that for most nefarious ransom operations, health data is more of a means to an end. The goal is not necessarily to steal data but to interrupt normal operations at hospitals.
This poses a real threat, he says, to human life and achieving good health care outcomes.
“It’s putting (hospitals) in such economic dire straits, that they are vulnerable to closure or to being acquired for pennies on the dollar from larger health networks and private equity firms or others, which tends to diminish the quality of care and the availability of care,” Corman said.
When it comes to hospital closures, Corman said, the extra time it takes to get patients to other facilities could have a detrimental effect.
“There are some conditions that are so time sensitive that they affect mortality rates, and those tend to be heart attacks, strokes and certain acute harms like gunshot wounds or a car crash,” Corman said, adding that a delay of 4.4 minutes in the event of a heart attack could lead to a worsened outcome.
Mississippi has long experienced a reimbursement problem when it comes to its rural hospitals and health practices.
Medicaid has been at the center of that controversy for years, but the cybersecurity threat adds a potentially devastating layer to the industry’s worries.
“Even if your hospital does everything right, if you’re dependencies on connected technology have outpaced your ability to secure them, even your third-party service providers could be that weak link in the chain or could be the Achilles heel,” Corman said. “It’s not your fault, but it’s still your problem, and you can be distressed or weakened enough to be the victim of closure or acquisition.”
Change Healthcare’s parent company, UnitedHealth Group, was asked this week to testify before the U.S. House of Representatives Energy & Commerce Health Subcommittee. The company was roasted by multiple lawmakers after declining the opportunity in the wake of paying a $22 million ransom, the largest yet in U.S. history.
There was also speculation among committee members and some witnesses that UnitedHealth and its subsidiaries may be benefiting, even if unintentionally, by absorbing institutions that are in distress at least partly due to the February attack, an event Corman said Change is still grappling with.
“It’s not even done. We’re on week eight, and they’re still not clear on when it will be fully recovered,” he said.
Corman said that the federal government may need to evaluate its current public/private partnership with the health care industry to make sure that the private sector’s desire to not be regulated is consistent with sound cybersecurity policies.
He said ransomware attacks are going to be the norm for the foreseeable future, but he said there are things that can be done to mitigate them.
“We’re going to have to have a more surgical approach, like a steel-reinforced cockpit door,” Corman said, referring to the post-9/11 measure that installed those doors in airplanes to prevent terrorists from being able to access a plane’s cockpit.
Corman said the government could provide more support to affected institutions, such as emergency loans, resources from CISA, the Federal Emergency Management Agency, the U.S. Department of Health & Human Services, as well as offering more doctors, nurses and accounting staff so that a normal six-week cyberattack may be reduced to a week or less.
As for Marlow and the Ruleville hospital, they are praying the crisis ends sooner than later. Marlow said on Monday that he is optimistic reimbursements may start flowing into the hospital soon.
“We don’t even expect to tap into this line of credit, but we sure need it there if we need it,” Marlow said.
SSCH’s Yates credits the hospital’s long-term commitment to solvency to being able to ride out the current cashflow interruption.
“To have a little set aside in case something like this does happen, that’s very important,” she said. “We have to make payroll. We have to pay our bills. So far, we haven’t had any problems with that, and I don’t see us having any.”
