Fortifying defenses: essential cybersecurity strategies for revenue cycle management

Healthcare leaders understand that the quality of their organization’s revenue cycle is directly reflected in its bottom line. However, it is also reflected in quality outcomes and patient satisfaction scores. Inefficiencies in eligibility, coverage, prior authorization and other revenue cycle processes can lead to delays in care and surprise patient bills, in addition to poor cash flow and write-offs.

However, there’s another area where a poorly managed revenue cycle can affect patients: cybersecurity. When systems go down, so do EHRs, revenue cycle interfaces, clinical notifications, patient portals and health information exchanges. These events can also inhibit clinicians from accessing vital patient information and life-saving equipment such as IV infusion pumps and ventilators.

The Department of Health and Human Services reports that there were “725 large security breaches” in 2023, higher than any previous year. It is expected that 2024 will top that. The recent ransomware attack on the nation’s largest clearinghouse in February is thought to have exposed the data of nearly one in three Americans. The impact on patients could last for years and include stolen identities, financial loss and destroyed credit ratings, which can hurt a person’s ability to take out a student loan or purchase a car or home.

According to CNBC, medical records sell for $60 on the dark web, as compared to $15 for Social Security numbers and $3 for a credit card number.

In a recent interview with US News & World Report, Cleveland Clinic Health System Chief Information Security Officer Vugar Zeynalov said, “Cyber incidents are not just about losing data anymore. They’re about losing patients’ confidence, undermining safety and impacting care delivery and lives.” In these cases, it can take significant hours and effort for patients to restore their lives and livelihoods after such an attack.  

A cyberattack can also negatively impact a provider’s brand reputation and patient loyalty, even if the attack wasn’t on their systems but from one of their business partners, like the clearinghouse mentioned above.

Understanding the threat landscape

Five of the most common cyber events that organizations must be aware of, according to Cyber Magazine, are as follows:

1. Phishing. Attacks from email phishing, a technique that targets employees through “emails, websites or messages that masquerade as legitimate communications,” increased 464% in just the first six months of 2023. This is why employee education and ongoing awareness campaigns are critical.
2. Ransomware. This is where nefarious actors deploy malware to encrypt the organization’s files or lock down systems so they can’t be accessed. The February clearinghouse cyber event was a ransomware attack, and the company paid an estimated $22 million to the hackers.
3. Data breaches. Besides ransomware and phishing, according to Veritas, common types of data breaches include “stolen information,” “password guessing,” “recording keystrokes,” “malware or viruses,” and “distributed denial of service (DDoS).” According to Cyber Magazine, more than 30% of 100,000 data breaches in one research study “could have been avoided by having better data management and security.”
4. Social engineering. This is where attackers leverage “psychological manipulation” to get people to voluntarily give away data, not knowing they’re being scammed. This might be an email or phone call from hackers posing as an authority figure like a police officer or even a coworker. The goal is to get the individual to provide data or access to data that should be secure.
5. Cloud vulnerabilities. With so many companies now using cloud solutions, this type of cyber event is on the rise. According to the Department of Defense, these types of hacks are often from malicious, untrained or neglectful cloud administrators who intentionally or unintentionally “expose sensitive data.”

Cybersecurity best practices

There are multiple steps organizations can take to identify and mitigate their threat profile.

• Conduct a risk assessment. The first step is to take inventory of where an organization’s cyber weaknesses are at the present as well as ongoing. As cybercriminals become more sophisticated, organizations must too. The National Institute of Standards and Technology, a part of the U.S. Department of Commerce, offers a “comprehensive, flexible, repeatable and measurable 7-step process” for managing privacy and security that organizations can find on its website.
• Implement comprehensive employee training. According to Deloitte, 91% of all security breaches are caused by phishing emails, which makes employee education critical. Besides interactive online programs, organizations may want to test employees by sending out emails that look similar to phishing emails. Any employee who takes the requested action should be flagged for additional security training. As part of the education, employees need to understand the impact their actions have on not only their jobs but also on the company, its clients and patients.  
• Deploy access controls. The breach at the clearinghouse earlier this year was caused by hackers using “compromised credentials to access a Citrix portal” that was not being protected by multi-factor authentication (MFA). Every access point into an organization’s systems must be protected by MFA.
• Use encryption. According to IBM, encryption is a crucial data security tool. “By encoding plain text as ciphertext, encryption helps organizations protect data against a range of cyberattacks, including ransomware and other malware.”
• Ensure network security. Multiple tools, including firewalls and intrusion detection systems, are readily available to protect network security. Conducting regular security audits is another vital tool for keeping an organization’s network safe.
• Data backup and recovery. It may sound fundamental, but recovery is not possible without data backup. Morgan Stanley recommends a 3-2-1 approach to data backups: 1) create three copies of the data, including an original and two duplicate versions; 2) Use two types of storage in case a specific type of storage solution fails; and 3) Store one copy away from the business in case the company’s property is damaged or destroyed.
• Develop an incident response plan. Having a detailed response plan in the event of a cyberattack is critical for timely recovery and mitigation of harm and risk. This should include having a designated response team with clearly developed responsibilities and an escalation pathway. It is also vital to have clear communication plans customized to every audience, although with the same foundational message. These communication plans should be developed for employees, clients, vendors, patients, the press, and any other stakeholders. Without a plan, organizations will have to scramble to pull these teams and messages together, taking valuable time away from addressing the attack and beginning the recovery process.

The bottom line

Cyberattackscause organizations more than 695 hours of downtime and over 2,500 hours of recovery time, in addition to the effect on revenue, patients and brand loyalty. It is important to note that more than eight in ten Americans surveyed said that “the way an organization treats personal data is indicative of how it views and respects its customers.”

The recent clearinghouse ransomware attack should serve as a warning to all healthcare organizations to act now, before an attack occurs. As the saying goes, “It’s not a matter of if; it’s a matter of when.”

Understanding the threat landscape, conducting a threat assessment, implementing best practices and developing a response plan is vital to protecting revenue and patients alike.

---