The revenue cycle is an important target for cybercriminals because of the information that flows through it.
Intermountain Healthcare’s chief information security officer Karl West kicked off the HIMSS19 Revenue Cycle Solutions Summit with a strong message for his captive audience. If you’re a revenue cycle leader, you need to understand a fundamental reality: There’s a whole host of data available for hackers in your rev cycle. Not only is there payment information, there is also member information and all of your PHI. All of those are sources of cyber risk.
For example, patient portal credentials are highly valuable for hackers at around $1,500 or more according to one study, West said.
As such, there needs to be a strong partnership between your cyber organization/operation and your revenue cycle. You also need to understand what are the threats and sources of loss. First, there’s phishing. It’s common and proven to be effective. At Intermountain, they phish their employees four times a year to test their proclivity to fall victim. Even though some find the measure frustrating, it’s essential to flushing out vulnerability.
Malware is also a significant security threat. To thwart such threats, it’s important to keep your systems patched. In your system, you need to have someone watching for vulnerability and patching.
“That’s the basic blocking and tackling,” West said.
Another source of loss is the misconfiguration of public-facing systems, which occurs when at build time, the proper protections are not built in.
And then there are nation-state actors, which are harder to protect against because smaller organizations do not have the resources to spend a lot on cybersecurity. Intermountain has a 24/7 security station/operation with eyes on such threats.
Finally, there are theft or loss/inadvertent accidents that involve employee error or bad action.
“If you aren’t, those are things you should be considering,” West said.
As consumerism continues to drive healthcare, the revenue cycle must move with that trend, and in a consumer-driven revenue cycle organization, fraud, breach, patient card information, PHI, personally identifiable information and the cloud are both assets and areas of risk.
As such, vulnerability management in the revenue cycle should be a big part of your operation and claims processing.
“When a caregiver gives care, they must be current on flu shots and vaccines,” West said. “It’s not an option. It’s a condition of employment. It means that the caregiver is protected to the best ability that we can. In the cyber world, it’s the same. Your networks, laptops and servers, how are you protecting them?”
While updates are annoying, vulnerabilities do need to be patched. Most healthcare organizations patch on an annual basis. At Intermountain, however, it is on a weekly or monthly basis. It’s a different mindset, West said. That is because not only did healthcare cyber attacks increase 320 percent between 2015 and 2016, but the attacks are also growing in sophistication. They don’t just slow systems down – they can cripple them for days, weeks or even months.
So, it is important to know that your patches are in place and your action plans are in place, he said. Have arrangements with vendors and partners. And for the many who have migrated to the cloud to streamline and cut costs, develop a strategy that isn’t just focused on one cloud but the whole cloud and know the controls required to protect you. West asked, does your cloud partner have a vulnerability and what are their safety practices?
“Have an inventory of your partnerships and manage them. Establish governance. As the primary organization, you are the one accountable to your patients,” he said.
Have an inventory of your data – where it is stored, where will it move to, and how it will move safely and securely. This should be a key performance indicator (KPI). Classify your data as public, restricted, private, classified or confidential, such that it is properly protected, and have data loss protection tools.
“When you wonder how did one system get taken down and not another, it’s your patching and practices,” West said.