In healthcare, it's not a question of whether criminals will try to steal revenue cycle data, but when: This year alone, approximately one-third of healthcare providers have had payments data stolen, up from 25 percent in 2018, according to Mahala Johnson, director of product management at ACI Worldwide.
To ward off cyberattacks for as long as possible, there are several steps providers can take not only to secure their data management software and systems, but also to ensure the entire payment process is protected from end to end. The latter typically involves the introduction of new payment options that are not only more secure, but also make payments easier and more efficient for both patients and providers.
"Eighty-five percent of revenue cycle leaders are currently developing new payment options," Ms. Johnson said. "That's very interesting and very understandable when you start to evaluate and look at those security opportunities, as well as those opportunities to collect additional funds."
During a Sept. 26 webinar hosted by Becker's Hospital Review and sponsored by ACI Worldwide, Donna Teevens, director of global information security at ACI Worldwide, and Karen Ferguson, director of strategic partner solutions for healthcare at Elavon, joined Ms. Johnson to discuss the cybersecurity challenges facing revenue cycle managers and offer insights into what managers can do to address these issues.
Despite the many new and high-tech solutions now available to help healthcare organizations streamline payments and increase revenue, they must "remain vigilant in the cybersecurity war," according to Ms. Teevens, who described the seven IT areas that pose the biggest security threats to the revenue cycle. Staying aware of these vulnerabilities, Ms. Teevens explained, can help organizations strengthen "security posture and deploy some mitigating control."
Beginning with the most dangerous, here are the vulnerabilities outlined during the webinar:
1. Malware: As the most popular form of cyberattack in the healthcare sector, there is no way to ensure 100 percent protection from malware. That said, among the most effective strategies for mitigating its impact are committing to staying alert and ensuring senior leaders fully understand the urgency of cybersecurity.
2. Patching: Patch management should be a constantly ongoing process, with results regularly measured, recorded and presented to senior leadership to ensure they are fully on board with the organization's cybersecurity efforts. "Scan, patch, repeat; scan, patch, repeat," Ms. Teevens quipped.
3. Third-party vendors: External vendors accounted for more than 20 percent of healthcare data breaches in 2018, she said, adding, "The key to reducing vendor risk is understanding your inventory of vendors and embedding in the contract the right to perform annual risk assessments."
4. Phishing: "Phishing is the No. 1 vector for malicious actors," Ms. Teevens said. Employees, therefore, must be regularly trained to recognize phishing attempts; at ACI Worldwide, for example, every employee, including the board of directors, receives quarterly fake phishing emails, with the results of the test shared with senior leadership for further cybersecurity assessment.
5. Cloud services: When partnering with a vendor for cloud services, it is imperative that providers look past potential cost savings to fully understand process ownership, the roles and responsibilities of each party and the maturity of the cloud vendor's software and security programs.
6. Encryption: While encryption plays a significant role in mitigating the effects of a breach and is crucial for any organization's operations, it is far from the only necessary safety precaution. "Don't get lulled into believing you're covered just because you have encryption," Ms. Teevens warned.
7. Internet of Things: The rise of IoT systems — which host a variety of ongoing patient monitoring devices such as infusion pumps and CPAP machines — has ushered in a "whole new playground for hackers," according to Ms. Teevens, since many of them are either unsecured or are not even able to support endpoint security controls. "It is so easy to get swept up in the glamour of the product, but you really need to take the time to question the security controls of any potential third-party IoT partner," she said.
Conclusion
While those seven areas of vulnerability represent "tried and true data security threats," Ms. Ferguson explained, it is critical that healthcare providers consider all the ways in which cybercriminals are constantly changing their methods.
For one, she said hackers are constantly devising new ways to breach those vulnerable areas, making them harder to detect and, ultimately, more successful. For another, they regularly establish entirely new forms of hacking, such as ransomware, that keep them several steps ahead of their victims and the authorities.
With revenue cycle breaches increasing, organizations must be proactive in minimizing the potential harm and costs by installing the most secure systems possible. "It's fair to say that the more desperate these criminals get in their attacks and their abilities to try new methods, the better business practice it becomes to protect your data," Ms. Ferguson said.
View the full webinar here.