Strengthen healthcare revenue practices to combat evolving cyber threats

Escalating cyber threats against the healthcare sector have highlighted vulnerabilities in cash management and revenue cycle processing. Building defenses and implementing redundancies can help guard against interruption.

By Amber Buening, Security Outreach Director at Huntington National Bank, Scott Krah, Senior Vice President, Treasury Management Product Segment Manager, and Dan Storer, Senior Managing Director of Healthcare Banking at Huntington Commercial Bank

Healthcare revenue cycle management and provider payments have become increasingly dependent on digital platforms to streamline critical processes and improve medical care services. However, a recent ransomware attack on one of the largest healthcare clearinghouses in the U.S. has highlighted critical vulnerabilities for provider organizations, causing them to revisit their revenue cycle practices.

While not isolated, this incident underscores the need for healthcare organizations to address these at-risk areas and safeguard themselves against disruption. Prioritizing dedicated continuity and incident response planning and enhanced security measures that meet HIPAA requirements can help ensure continued revenue cycle operations, patient data security, and care delivery in the event of a cybersecurity incident.

The escalating cyber threat landscape in healthcare

The healthcare sector’s increasing reliance on digitalization has not gone unnoticed by threat actors. In the past five years, the U.S. Department of Health and Human Services (HHS) reported a 264% increase in ransomware incidents against health plans, clearinghouses, healthcare providers, and business associates covered by HIPAA. Recently, the FBI’s Internet Crime Complaint Center identified the healthcare and public health sector as disproportionately affected by ransomware attacks.

Healthcare’s vulnerability is exacerbated by the sheer volume of medical data transactions processed annually and the growing adoption of electronic transmissions. Overall medical administrative transaction volume grew to 49.7 billion in 2022, 82% of which was transmitted electronically§. The sector’s expansive digital footprint has become a lucrative target for threat actors, as evidenced by the 256% increase in reported large healthcare data breaches in the last five years. These incidents increasingly threaten operations and the confidentiality of healthcare data.

Exposing the weak points in the healthcare revenue cycle

Unfortunately, it is no longer a question of “if,” but rather “when” the next attack will occur. Understanding where the system has failed in recent incidents can allow providers to adjust their own payment and revenue cycle management practices and help mitigate the impact when it does.

Below are three areas that have been highlighted in recent ransomware attacks as common vulnerabilities within health systems and physician practices. These vulnerabilities contributed to the wide-reaching ramifications of recent attacks against clearinghouses and other healthcare organizations.

  1. Concentrated third-party reliance. Relying on a single third-party entity to handle a considerable portion of a provider system’s revenue cycle is inherently risky. This practice, however, has become more common due to the consolidation of organizations providing administrative and financial services. When there is a choice, the convenience of working through a single third-party entity is outweighed by the risk of being beholden to that entity’s vulnerabilities and practices.
  2. Centralized risk. Maintaining sensitive data, systems, and networks in the same place offers an easy target to threat actors. Decentralizing risk across the organization, such as by segmenting critical systems and enhancing security, can help protect against ransomware and other malicious attacks.
  3. Lack of continuity planning. Not prioritizing a business continuity plan that aligns with an incident response plan means providers are paralyzed when services are interrupted. Without a backup plan, there is no immediate solution for payments, collections, and care delivery, which has devastating financial, reputational, and patient care consequences. Cyberattacks are not the only threats providers contend with: Earthquakes, wind events, fires, flooding, and other natural disasters could also severely disrupt services.

HIPAA considerations for covered entities

Organizations need to dedicate the time and effort required to develop a strong, effective incident response plan. Outside the healthcare sector, not having an incident response plan could result in operational, financial, and reputational losses. For HIPAA-covered entities, the stakes are higher. An absent or weak business continuity and incident response plan not only compromises patient safety, but also violates regulatory mandates designed to protect health information.

Under HIPAA, healthcare organizations are obliged to protect patient data through proactive measures, including contingency planning for data breaches and other cybersecurity incidents. These requirements involve regular risk assessments, employee training, and implementing physical, technical, and administrative safeguards. Taking a systematic approach to assessing current practices against HIPAA-mandated requirements and industry standards can help organizations ensure compliance.

These requirements extend to third-party vendors and partners as well. Evaluating vendors’ cybersecurity framework and compliance with HIPAA, NIST and ISO frameworks, and other standards can help organizations assess their third-party risk. Reviewing vendors’ audits and certifications also offers high-level insights into their cybersecurity sophistication.

Reducing risk to help prevent future revenue cycle losses or delays

Providers can consider the following areas to build resiliency against future incidents and hopefully mitigate the impact of future ransomware variants and other cyber threats.

Map the full revenue cycle process

Identifying weaknesses in a process begins with understanding every step within it. Hosting whiteboarding sessions to map out the process can help identify gaps or potential risks at various touchpoints. From there, providers can take action to build in redundancies, fail-safes, or other mitigation steps to reduce risk.

Reduce third-party risk

Instead of relying on a single entity to facilitate eligibilities, claim submissions, remittances, and benefit coordination, diversify vendors and third-party dependencies, and implement back-ups in the event of service interruption. As mentioned previously, evaluate vendors’ practices carefully, including their security protocols, back-up practices, and audit measures.

System and data redundancies

System and data redundancies can strengthen operational continuity. Healthcare organizations should consider options such as cloud services, off-site backups, or failover systems that can be activated in the event of a primary system failure.

Network segmentation

Network segmentation is a method to mitigate damage from a cyberattack, though one study found nearly 25% of healthcare providers haven’t implemented it. Work with your internal IT group to understand how your network is segmented within your organization.

Alternative payment options

If the healthcare clearinghouse you relied on abruptly stopped services tomorrow, what would your organization do? Providers have already seen what can happen without a plan. Consider alternate options to address payment issues, such as proactively securing a line of credit or setting aside cash reserves in case of future disruptions.

Prioritize business resiliency planning

Business resiliency planning is a multi-layered approach to preparing for events that could disrupt operations. A healthcare organization’s ability to remain resilient in the face of cybersecurity threats and weather-related disasters relies on a comprehensive plan that includes business continuity, disaster recovery, and incident response.

Data recovery and protection

Developing and implementing a strong data recovery and protection plan is particularly important for healthcare providers, as it stipulates how operations and technology are restored following an incident. Prioritize systems with critical data and establish a tiered recovery strategy that ensures the most vital information is retrievable first. Implementing system backups and testing recovery processes can help guarantee data integrity and availability.

Proactive vulnerability management

Healthcare data is a high-value target for cyber threats, and healthcare organizations storing and transmitting it are held to rigorous standards under HIPAA to keep it safe. Security vulnerabilities present opportunities for threat actors to infiltrate systems more easily, so staying ahead of these threats is imperative.

A strong vulnerability management program includes regular vulnerability assessment, automated patching, security scanning tool implementation, and updating systems and devices when security patches or upgrades are available.

Employee training and security culture

Employees are the first line of defense against cyber threats. Healthcare organizations should endeavor to foster a strong culture of security awareness through regular training and clear protocols for reporting suspected incidents.

Routine review and practice

The security landscape is continually evolving, and an organization’s response to those threats should follow. Annual reviews and regular exercises and simulations to test the practical application of continuity plans help ensure they remain relevant and effective.

Building healthcare resiliency through continuity planning

As digital dependency in the healthcare and public health sectors grows, so does the need for airtight defenses and recovery strategies to protect providers and their patients. Healthcare leaders must prioritize cybersecurity in revenue cycle management efforts going forward. Doing so not only complies with regulatory demands, but it also secures the wellbeing of patients and the operational integrity of healthcare organizations.

For more information on implementing business resiliency, best practices, and security controls to mitigate risk to revenue cycle practices, reach out to your relationship manager or contact our team through the link below.

Have a question about healthcare banking?

Managing the complexities of the healthcare industry has never been more challenging. Our Healthcare Banking team is here to help.
Contact Us


U.S. Department of Health and Human Services. 2024. “HHS’ Office for Civil Rights Settles Second Ever Ransomware Cyber-Attack.” Accessed April 4, 2024.  

Federal Bureau of Investigation. 2024. “Internet Crime Report 2023.” Accessed April 4, 2024.  

§ CAQH Index. 2023. “2022 CAQH Index: A Decade of Progress.” Accessed April 4, 2024.

U.S. Department of Health and Human Services. 2024. “Ransomware and Active Directory.” Accessed April 18, 2024.

The information provided in this document is intended solely for general informational purposes and is provided with the understanding that neither Huntington, its affiliates nor any other party is engaging in rendering tax, financial, legal, technical or other professional advice or services or endorsing any third-party product or service. Any use of this information should be done only in consultation with a qualified and licensed professional who can take into account all relevant factors and desired outcomes in the context of the facts surrounding your particular circumstances. The information in this document was developed with reasonable care and attention. However, it is possible that some of the information is incomplete, incorrect, or inapplicable to particular circumstances or conditions. NEITHER HUNTINGTON NOR ITS AFFILIATES SHALL BE LIABLE FOR ANY DAMAGES, LOSSES, COSTS OR EXPENSES (DIRECT, CONSEQUENTIAL, SPECIAL, INDIRECT OR OTHERWISE) RESULTING FROM USING, RELYING ON OR ACTING UPON INFORMATION IN THIS DOCUMENT OR THIRD-PARTY RESOURCES IDENTIFIED IN THIS DOCUMENT EVEN IF HUNTINGTON AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF OR FORESEEN THE POSSIBILITY OF SUCH DAMAGES, LOSSES, COSTS OR EXPENSES.
