"It's not important until you need it," one cybersecurity specialist said.
When organizations decide to invest in a revenue cycle management solution, ideally, cybersecurity personnel would be included from the beginning.
“We still have some work to do where people recognize the importance,” Joi Lee, manager of cyber governance, risk, and compliance for Moffit Cancer Center, told HealthLeaders. “Because the worst thing you can do is bring stuff on site, into our environment, and not have appropriate controls in place.”
Lee has worked in cybersecurity since the early 2000s, beginning her career working with banks as they built their cybersecurity programs. She acknowledged that healthcare is lagging with its cybersecurity efforts and noted the growing presence of roles like chief information officers within organizations within the past few years.
“That’s why it’s important for the team to consistently go to training to have an ear to the ground, participate in groups where you’re talking about these various threats,” she said. “Because you just stay in your silo, you’re going to be left behind because by the time you figure out how to handle the threat, there’s going to be a new one.”
Considering the continuous growth and evolution of revenue cycle technology, information roles and cybersecurity specialists are needed for organizations to not only understand how to implement and leverage solutions, but how to ensure their data is protected.
In addition to a solution’s capabilities, organizations should make sure the vendors they’re looking at have antivirus and data protection controls in place, Lee explained, which are basic features she and her team look for.
There are a few ways organizations can be proactive in protecting themselves from security risks, like following the framework set by the National Institute of Standards and Technology (NIST). Lee’s team has modeled their policies off this framework, which include items like staff having their own usernames and passwords, having passwords be a certain length, and encrypting their information.
As we’ve seen with the recent Change Healthcare cyberattack, these threats have the potential to disrupt the operations of any health system by siphoning patient and employee information and even preventing the necessary data from being available. As cyberattacks get more sophisticated, it’s imperative that organizations have a business continuity plan in place so they’re able to continue operations.
“A lot of companies may not have a plan, or an updated plan, or may not have communicated it and had it tested,” Lee said. “We’re in the business of treating patients, so a lot of the time, if you don’t have people that are focused on this type of stuff and know its importance, it gets thrown by the wayside. It’s not important until you need it.”
Jasmyne Ray is the revenue cycle editor at HealthLeaders.
KEY TAKEAWAYS
Healthcare has only begun to make cybersecurity a priority within the last few years.
Cybersecurity teams should be brought into rev tech conversations from the beginning to ensure the neccessary controls and protections are in place.
With cyberattacks growing more frequent and complex, it's important for organizations to be proactive to keep patient and employee information secure.