
How revenue cycle management’s security needs are evolving

The recent cybersecurity attack on Change Healthcare has revenue cycle management vendors and clients prioritizing security and system changes.

In February 2024, Change Healthcare experienced a network interruption due to a cyberattack. But to the surprise of many, this interruption would last months as the company re-secured its systems and got them operating again.

The Change Healthcare cyberattack is likely the largest to affect healthcare this year, and it hit providers where they are already the most vulnerable: their revenue cycles.

Provider financial performance nosedived during the height of the COVID-19 pandemic. Revenues have picked up as volumes have stabilized in the last few years. However, provider financial standing is still precarious as facilities experience persistently high expenses, especially in light of labor shortages, and razor-thin margins.

Change Healthcare is one of the largest medical claim clearinghouses in the US, touching 1 in 3 medical records and processing about half of all medical claims in the US. Providers using the clearinghouse — many of whom had exclusive contracts with the vendor, too — could not process claims with payers to receive reimbursement for rendered services.

Change Healthcare’s parent company, UnitedHealth Group, advanced billions of dollars to providers to compensate for the shortfall in revenues during system downtime. However, the American Medical Association reported that over three-quarters of physicians responding to a survey said they lost revenue from unpaid claims, and 85% had to devote additional staff and resources to completing revenue cycle tasks. Over half of respondents also had to use personal funds to cover their practice’s expenses, while 31% couldn’t make payroll at the time.

The magnitude of the Change Healthcare cyberattack is impacting how providers interact with their revenue cycle management vendors; providers are examining what systems they have in place, especially for claims management, and their security features. For revenue cycle management vendors, this also means taking a closer look at their security strategies to reassure their clients they operate in a secure environment.

Diversifying vendors to ensure continuity

Managing vendors across a healthcare organization’s IT environment is a challenge. However, it may be a necessary one to tackle if revenue cycle management leaders want to ensure continuity in the current threat landscape.

Healthcare is a top target for threat actors, with a recent study finding that over a third (35%) of third-party data breaches in 2023 affected healthcare organizations. Furthermore, the culprit behind Change Healthcare’s cyberattack, ransomware, is at the top of health tech hazards, according to ECRI, a nonprofit focusing on health tech safety.

As revenue cycle management leaders learned with the Change Healthcare cyberattack, keeping all your eggs (or claims, in this case) in one basket can mean turning off claims management entirely. For most providers and claims management vendors, that is just not feasible.

“The bigger lesson some organizations learned is around redundancy,” explains Andrew Lockhart, co-founder and CEO of medical coding technology vendor Fathom. “Hey, we have this critical function that basically drives our entire business, and in this scenario, we entrusted it to one of the biggest organizations in the healthcare industry, yet they evaporated for, depending on the organization, a month or two. A lot of these organizations are thinking about redundancy for critical functions now.”

SYNERGEN Health is one of those organizations. The company specializes in end-to-end and point revenue cycle management solutions but found itself stuck in the initial days of the Change Healthcare cyberattack when systems went down.

“Typically, when you have these critical systems going down, it’s for a couple of hours at the most, and they are back up,” says Sunil Konda, chief product officer and executive vice president of products at SYNERGEN Health. “Once we realized that the downtime would be significantly longer, we actively started communicating with clients and looking for an alternative.”

To Konda, SYNERGEN Health had two options: return to paper claims or find another clearinghouse vendor. Paper-based claim submission was not ideal, especially considering paper claims still need to go through a clearinghouse. However, switching to another vendor is not a simple process.

“Changing a clearinghouse is not a quick setting or configuration,” Konda states. “There's this integration that the billing system has to do to submit the claims and process them. There's a lot of IT infrastructure integration work that needs to be done to be able to switch the clearinghouse. So, we started engaging with our billing system partner to understand how we can try to shift the clearinghouse.”

SYNERGEN Health found a new vendor while Change Healthcare’s systems were down. But that raised the question: What if this new vendor’s systems experienced a cyberattack?

“Our approach now is having a backup option in case one clearinghouse goes down,” Konda says. “So, we can still submit the claims to another clearinghouse, and that's something that we had been working on with our billing system partner previously. They were only supporting Change before, but now they also support Availity. If one goes down, we can switch to the other.”

Healthcare providers, especially larger organizations, are considering a similar strategy if they have the resources to manage multiple vendors for the same function, according to Lockhart.

Providers, vendors prioritize security qualifications

The Change Healthcare cyberattack also got more providers wondering about compliance programs, especially with revenue cycle management vendors. These vendors have fielded more questions about their cybersecurity strategy and, specifically, certifications.

“There's definitely an uptick in focus on security,” Konda explains. “Previously, it used to be focused on HITECH compliance or ISO 27001, but now, most organizations are asking for a SOC 2 or SOC 3. We see this on a regular basis from most of our clients.”

There are many certifications in healthcare to keep highly valuable data secure, especially as it moves from provider to provider or provider to vendor. Data exchange, after all, is necessary in healthcare for care coordination, patient access to care and revenue cycle management. Regulators and the healthcare sector have created data security standards to protect that data as it moves. Chief among those standards is HIPAA, but the Health Information Technology for Economic and Clinical Health (HITECH) Act also aims for stricter enforcement of HIPAA’s Privacy and Security Rules.

Meanwhile, providers and vendors also rely on standards outside of healthcare to boost data security. ISO 27001 is an information security standard developed by the International Organization for Standardization (ISO) to provide a framework and guidelines for establishing, implementing and managing an information security management system.

Gaining in popularity is System and Organization Controls (SOC) 2, which is a voluntary compliance standard from the American Institute of Certified Public Accountants for managing and protecting sensitive data. The standard provides a structure for auditing and reporting on an organization’s internal controls for data security, availability, processing integrity and privacy. SOC 3 is a similar standard with different reporting requirements; its reports are intended mainly for general use.

Providers need to rely on these standards, for better or worse, according to Lockhart. This is because the certifications point to something hard to capture: security culture. The Change Healthcare cyberattack was the result of a “fairly basic corporate security” issue in which hackers obtained a username and password to gain access to critical systems.

“Security is a culture because people are the failure points,” Lockhart explains. “However, that’s amorphous and difficult to evaluate from the outside. How do you evaluate how strong an organization’s security culture is? So, I think that’s why we see a higher percentage of organizations wanting to see our SOC 2 certification.”

This is likely just the start for providers probing their vendors, too.

“Right now, we are getting asked about SOC 2, but in another year, we’re probably going to be asked about HITRUST,” Lockhart says, referring to another standardized approach to security and risk management in healthcare developed by the Health Information Trust Alliance, a non-profit organization that developed the HITRUST Common Security Framework (CSF).

Another major approach is the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), which was designed to meet evolving cybersecurity challenges.

Addressing the people problem

Hackers acquired credentials to remotely access Change Healthcare’s systems that were not protected by multifactor authentication, according to UnitedHealth Group CEO Andrew Witty, testifying at a House Energy and Commerce Committee hearing in May. Cybersecurity incidents like this one highlight the role people play in ensuring healthcare data security.

“The biggest failure point from a security perspective is humans, and the more humans you have in your loop, the more opportunity there is for failure,” Lockhart says.

To address this people problem, Konda recommends a “nesting doll” approach in which organizations have multiple layers of protection to secure their IT environment.

“Starting with your email, you put in controls to watch for spam, phishing attacks and any ransomware emails that may come through,” Konda explains. “So, you try to do the basic PC health check and training while securing access to your environments, especially those available on the internet. You can do this through a virtual private network, or VPN, that secures it and makes sure all users are authenticated against an active directory and with two-factor authentication.”

Two-factor authentication is key in today’s threat landscape and may be healthcare’s most effective defense. With two-factor authentication, users have to provide two ways of identifying themselves to gain access to a system. It provides a higher level of security than just typing in a username and password; users may also have to use a security token or biometric factor, for example. This way, if credentials are obtained inappropriately, threat actors won’t be able to get through the second phase of authentication.

Konda also advises minimizing access to applications or servers that are available directly on the web. But when the use of these systems is unavoidable, penetration testing and vulnerability assessments are required on a regular basis.

Technology itself may also help providers and their revenue cycle management vendors minimize security risks, especially as providers rely more on AI and other forms of technology to fill gaps left by recent staffing shortages.

“Medical coding, specifically, is something that people are having a lot of difficulty staffing, so many providers are going to need a third party,” Lockhart states. “However, an AI solution may be much more secure than looking at offshore vendors. AI gives you a closed system in which not a lot of people are touching [your data], which we all know creates opportunities for mistakes and security lapses.”

Leveraging AI can also make it easier to swap something like a clearinghouse vendor, Lockhart adds. “You can move things around if the machine’s performing the work versus needing people overnight to start working on volumes because your primary vendor had a meltdown,” he says.

SYNERGEN Health actually leveraged robotic process automation and other AI-based tools during Change Healthcare’s downtime to complete tasks like claim status verifications and payment posting.

Still, there is an inherent security risk in using any technology, especially for operations. Providers and their vendor partners need to have a robust risk management program in place, whether they are using one vendor for a process or multiple vendors.

“You have to be constantly monitoring and constantly working on [identifying security issues, especially with third-party programs],” Konda states. “There will always be a new threat.”
