Fortifying Defenses: Essential Cybersecurity Strategies for Revenue Cycle Management with Conifer Health Solutions

Healthcare leaders understand that the quality of their organization’s revenue cycle is directly reflected in its bottom line. However, it is also reflected in quality outcomes and patient satisfaction scores. Inefficiencies in eligibility, coverage, prior authorization, and other revenue cycle processes can lead to delays in care and surprise patient bills, in addition to poor cash flow and write-offs.

However, there’s another area where a poorly managed revenue cycle can affect patients: cybersecurity. When systems go down, so do EHRs, revenue cycle interfaces, clinical notifications, patient portals, and HIEs. These events can also prevent clinicians from accessing vital patient information and life-saving equipment such as IV infusion pumps and ventilators.

The Department of Health and Human Services reports that there were 725 large security breaches in 2023, higher than any previous year. The ransomware attack on the nation’s largest clearinghouse in February 2024 is thought to have exposed the data of nearly one in three Americans. The impact on patients could last for years and include stolen identities, financial loss, and destroyed credit ratings, which can hurt a person’s ability to take out a student loan or purchase a car or home.

According to CNBC, medical records sell for $60 on the dark web, as compared to $15 for Social Security numbers and $3 for a credit card number.

In a recent interview with US News & World Report, Cleveland Clinic Health System Chief Information Security Officer Vugar Zeynalov said, “Cyber incidents are not just about losing data anymore. They're about losing patients’ confidence, undermining safety, and impacting care delivery and lives.” In these cases, it can take significant hours and effort for patients to restore their lives and livelihoods after such an attack.

A cyberattack can also negatively impact a provider’s brand reputation and patient loyalty, even if the attack wasn’t on their own systems but on those of one of their business partners, like the clearinghouse mentioned above. That’s why healthcare organizations must proactively align with revenue cycle management experts like Conifer Health Solutions, which is committed to safeguarding sensitive patient data and revenue operations through robust cybersecurity measures.

Understanding the Threat Landscape

Cyber Magazine recently outlined the most common cyber events that organizations must be aware of. The top five are as follows:

  1. Phishing. Attacks from email phishing, a technique that targets employees through "emails, websites, or messages that masquerade as legitimate communications," have increased 464%. This is why employee education and ongoing awareness campaigns are critical.
  2. Ransomware. This is where nefarious actors deploy malware to encrypt the organization’s files or lock down systems so they can’t be accessed. The clearinghouse cyber event was a ransomware attack, and the company paid an estimated $22 million to the hackers.
  3. Data breaches. Besides ransomware and phishing, common types of data breaches include "stolen information," "password guessing," "recording keystrokes," "malware or viruses," and "Distributed Denial of Service (DDoS)." Nearly 30% of 100,000 data breaches in one research study could have been avoided by implementing better data management and security.
  4. Social engineering. Attackers leverage "psychological manipulation" to get people to voluntarily give away data, not knowing they’re being scammed. This might be an email or phone call from hackers posing as an authority figure like a police officer or even a coworker.
  5. Cloud vulnerabilities. With many healthcare providers now using cloud solutions, these types of cyber events are on the rise. According to the Department of Defense, these hacks often result from malicious, untrained, or neglectful cloud administrators who expose sensitive data.

Cybersecurity Best Practices with Conifer Health Solutions

There are multiple steps organizations can take to identify and mitigate their cybersecurity risk profile. Conifer Health Solutions works with healthcare providers to ensure security at every touchpoint in revenue cycle management.

  • Conduct a risk assessment. The first step is to take inventory of cyber vulnerabilities. As cybercriminals become more sophisticated, organizations must too. The National Institute of Standards and Technology (NIST) offers a 7-step process for managing security risks that healthcare organizations should implement.
  • Implement comprehensive employee training. 91% of all security breaches are caused by phishing emails, according to Deloitte. Besides interactive online programs, organizations should send out phishing test emails and ensure employees understand the impact their actions have on security.
  • Deploy access controls. The clearinghouse attack earlier this year happened due to hackers using "compromised credentials" that weren’t protected by multi-factor authentication (MFA). Every access point into an organization’s systems must be protected by MFA.
  • Use encryption. According to IBM, encryption is a crucial data security tool that protects organizations against ransomware and other malware by encoding sensitive data.
  • Ensure network security. Firewalls and intrusion detection systems are vital for protecting network security. Conducting regular security audits is essential for keeping systems safe.
  • Data backup and recovery. Morgan Stanley recommends a 3-2-1 approach to data backups:
  • Develop an incident response plan. Organizations must have a detailed response plan in place to ensure timely recovery in the event of a cyberattack. This includes having a designated response team, escalation pathway, and customized communication plans for employees, clients, vendors, patients, and the press.

The Bottom Line

Cyberattacks cause organizations more than 695 hours of downtime and over 2,500 hours of recovery time, in addition to financial losses, patient impacts, and damage to brand loyalty. It is crucial for healthcare providers to act now to protect patient data and revenue cycle operations.

Conifer Health understands that cybersecurity is not just a compliance requirement but a mission-critical function in healthcare revenue cycle management. By implementing best practices, conducting proactive risk assessments, and deploying top-tier cybersecurity strategies, Conifer Health helps protect both revenue and patient trust.

The recent clearinghouse ransomware attack should serve as a wake-up call to all healthcare organizations. As the saying goes, "It’s not a matter of if; it’s a matter of when." Proactively partnering with an experienced revenue cycle management provider like Conifer Health can be the key to staying one step ahead of cyber threats and ensuring long-term operational resilience.

Rameez Raza

Diligent IT infrastructure architect with seasoned experience on IBM i, IBM DS8000 Storage and middleware technologies.

3 weeks

A comprehensive security strategy must be defined in line with business objectives, visions and missions. Strategy should address risk management, people, policies, process, standards, risk management framework, roles and responsibilities, skills, assurance process, references, culture, architecture, incident response plan, crisis management, continuity management, monitoring and measuring. Technology alone is not security management. The strategy must be supported and endorsed by senior management and business owners.
