By Amber Buening, Security Outreach Director at Huntington National Bank, Scott Krah, Senior Vice President, Treasury Management Product Segment Manager, and Dan Storer, Senior Managing Director of Healthcare Banking at Huntington Commercial Bank
Healthcare revenue cycle management and provider payments have become increasingly dependent on digital platforms to streamline critical processes and improve medical care services. However, a recent ransomware attack on one of the largest healthcare clearinghouses in the U.S. has highlighted critical vulnerabilities for provider organizations, causing them to revisit their revenue cycle practices.
While not isolated, this incident underscores the need for healthcare organizations to address these at-risk areas and safeguard themselves against disruption. Prioritizing dedicated continuity and incident response planning and enhanced security measures that meet HIPAA requirements can help ensure continued revenue cycle operations, patient data security, and care delivery in the event of a cybersecurity incident.
The escalating cyber threat landscape in healthcare
The healthcare sector’s increasing reliance on digitalization has not gone unnoticed by threat actors. In the past five years, the U.S. Department of Health and Human Services (HHS) reported a 264% increase in ransomware incidents against health plans, clearinghouses, healthcare providers, and business associates covered by HIPAA†. Recently, the FBI’s Internet Crime Complaint Center identified the healthcare and public health sector as disproportionately affected by ransomware attacks‡.
Healthcare’s vulnerability is exacerbated by the sheer volume of medical data transactions processed annually and the growing adoption of electronic transmissions. Overall medical administrative transaction volume grew to 49.7 billion in 2022, 82% of which was transmitted electronically§. The sector’s expansive digital footprint has become a lucrative target for threat actors, as evidenced by the 256% increase in reported large healthcare data breaches in the last five years≠. These incidents increasingly threaten operations and the confidentiality of healthcare data.
Exposing the weak points in the healthcare revenue cycle
Unfortunately, it is no longer a question of “if,” but rather “when” the next attack will occur. Understanding where systems failed in recent incidents allows providers to adjust their own payment and revenue cycle management practices, which can help mitigate the impact when the next attack does occur.
Below are three areas that have been highlighted in recent ransomware attacks as common vulnerabilities within health systems and physician practices. These vulnerabilities contributed to the wide-reaching ramifications of recent attacks against clearinghouses and other healthcare organizations.
- Concentrated third-party reliance. Relying on a single third-party entity to handle a considerable portion of a provider system’s revenue cycle is inherently risky. This practice, however, has become more common due to the consolidation of organizations providing administrative and financial services. When there is a choice, the convenience of working through a single third-party entity is outweighed by the risk of being beholden to that entity’s vulnerabilities and practices.
- Centralized risk. Maintaining sensitive data, systems, and networks in the same place offers an easy target to threat actors. Decentralizing risk across the organization, such as segmenting critical systems and strengthening security controls, can help protect against ransomware and other malicious attacks.
- Lack of continuity planning. Not prioritizing a business continuity plan that aligns with an incident response plan means providers are paralyzed when services are interrupted. Without a backup plan, there is no immediate solution for payments, collections, and care delivery, which has devastating financial, reputational, and patient care consequences. Cyberattacks are not the only threats providers contend with: earthquakes, wind events, fires, flooding, and other natural disasters could also severely disrupt services.
HIPAA considerations for covered entities
Organizations need to dedicate the time and effort required to develop a strong, effective incident response plan. Outside the healthcare sector, not having an incident response plan could result in operational, financial, and reputational losses. For HIPAA-covered entities, the stakes are higher. A missing or weak business continuity and incident response plan not only compromises patient safety, but it also violates regulatory mandates designed to protect health information.
Under HIPAA, healthcare organizations are obliged to protect patient data through proactive measures, including contingency planning for data breaches and other cybersecurity incidents. These requirements involve regular risk assessments, employee training, and implementing physical, technical, and administrative safeguards. Taking a systematic approach to assessing current practices against HIPAA-mandated requirements and industry standards can help organizations ensure compliance.
These requirements extend to third-party vendors and partners as well. Evaluating vendors’ cybersecurity frameworks and their compliance with HIPAA, NIST and ISO frameworks, and other standards can help organizations assess their third-party risk. Reviewing vendors’ audits and certifications also offers high-level insight into their cybersecurity sophistication.
Reducing risk to help prevent future revenue cycle losses or delays
Providers can consider the following areas to build resiliency against future incidents and hopefully mitigate the impact of future ransomware variants and other cyber threats.
Map the full revenue cycle process
Identifying weaknesses in a process begins with understanding every step within it. Hosting whiteboarding sessions to map out the process can help identify gaps or potential risks at various touchpoints. From there, providers can take action to build in redundancies, fail-safes, or other mitigation steps to reduce risk.
Reduce third-party risk
Instead of relying on a single entity to facilitate eligibility checks, claim submissions, remittances, and benefit coordination, diversify vendors and third-party dependencies, and implement backups in the event of service interruption. As mentioned previously, evaluate vendors’ practices carefully, including their security protocols, backup practices, and audit measures.
System and data redundancies
System and data redundancies can strengthen operational continuity. Healthcare organizations should consider options such as cloud services, off-site backups, or failover systems that can be activated in the event of a primary system failure.
Network segmentation
Network segmentation is a method to mitigate damage from a cyberattack, though one study found nearly 25% of healthcare providers haven’t implemented itⱢ. Work with your internal IT group to understand how your network is segmented within your organization.
Alternative payment options
If the healthcare clearinghouse you relied on abruptly stopped services tomorrow, what would your organization do? Providers have already seen what can happen without a plan. Consider alternate options to address payment issues, such as proactively securing a line of credit or setting aside cash reserves in case of future disruptions.
Prioritize business resiliency planning
Business resiliency planning is a multi-layered approach to preparing for events that could disrupt operations. A healthcare organization’s ability to remain resilient in the face of cybersecurity threats and weather-related disasters relies on a comprehensive plan that includes business continuity, disaster recovery, and incident responses.
Data recovery and protection
Developing and implementing a strong data recovery and protection plan is particularly important for healthcare providers, as it stipulates how operations and technology are restored following an incident. Prioritize systems with critical data and establish a tiered recovery strategy that ensures the most vital information is retrievable first. Implementing system backups and testing recovery processes can help guarantee data integrity and availability.
Proactive vulnerability management
Healthcare data is a high-value target for cyber threats, and healthcare organizations storing and transmitting it are held to rigorous standards under HIPAA to keep it safe. Security vulnerabilities give threat actors easier opportunities to infiltrate systems, so staying ahead of these threats is imperative.
A strong vulnerability management program includes regular vulnerability assessments, automated patching, deployment of security scanning tools, and updating systems and devices when security patches or upgrades become available.
Employee training and security culture
Employees are the first line of defense against cyber threats. Healthcare organizations should endeavor to foster a strong culture of security awareness through regular training and clear protocols for reporting suspected incidents.
Routine review and practice
The security landscape is continually evolving, and an organization’s response to those threats should evolve with it. Annual reviews, along with regular exercises and simulations that test the practical application of continuity plans, help ensure those plans remain relevant and effective.
Building healthcare resiliency through continuity planning
As digital dependency in the healthcare and public health sectors grows, so does the need for airtight defenses and recovery strategies to protect providers and their patients. Healthcare leaders must prioritize cybersecurity in revenue cycle management efforts going forward. Doing so not only complies with regulatory demands, but it also secures the wellbeing of patients and the operational integrity of healthcare organizations.
For more information on implementing business resiliency, best practices, and security controls to mitigate risk to revenue cycle practices, reach out to your relationship manager or contact our team through the link below.