Experts call it the most significant cyberattack in American history!
In February, a ransomware breach on Change Healthcare, a subsidiary of UnitedHealth, brought medical billing to a standstill nationwide.
The attack, allegedly orchestrated by Russian cybercriminals, severely crippled payment processing for doctors and hospitals, putting some practices at the edge of bankruptcy. The repercussions of the breach extend far beyond financial strains. Early estimates suggest approximately one-third of Americans had their sensitive health information leaked to the dark web as a result of the attack.
Although a federal investigation is underway, this hack serves as a wakeup call. Security experts emphasize the critical importance of ensuring the security of healthcare data, not only for maintaining patient trust but also for complying with legal and regulatory requirements.
With the increasing reliance on digital health records and telemedicine, the stakes have never been higher. That’s why Legacy Consulting Services provides expert guidance and cutting-edge solutions tailored to the unique challenges of healthcare cybersecurity.
Legacy has seen firsthand the impact of this attack on our clients. Cash flow decreased significantly for providers and practices. For many payors, the only option was to send hard copy claims, which takes us back 20 years or more to the “old days” of the revenue cycle.
And it’s tough because payors don’t have a great system for receiving hard copy claims, so a large percentage of the claims when statused are “no claim on file.” This creates yet another delay in cash. The difficulty was waiting to see when or if Change Healthcare could accept claims again because nothing of this magnitude has occurred until now.
What options did they have? Continue to wait on updates, or potentially convert to another clearinghouse, if this was an option. We worked with numerous clients through this transition and it is still ongoing. Thankfully for most, the cash has started to increase, but there are also more claims for the revenue cycle experts to status online or call the payor, to get them processed and paid.
So how do we move forward? In this blog, we’ll examine common cybersecurity threats your practice could face, along with protective measures and legal requirements to report such breaches. Plus, we’ll share resources to ensure you’re informed about the latest trends and threats within the industry.
Common Threats
Cyber Attacks
Cyber attacks are a significant threat to healthcare data security. These attacks can take many forms, including ransomware, where attackers lock up data and demand a ransom for its release, and phishing scams, where hackers trick employees into revealing sensitive information. Healthcare organizations are prime targets due to the value of the data they hold and often weaker security infrastructures compared to other sectors.
Insider Threats
Insider threats are another critical concern. These threats can come from current or former employees, contractors, or business associates who have access to sensitive information. Insider threats can be intentional, such as data theft for personal gain, or unintentional, such as accidentally leaking information through mishandling or inadequate security practices.
Protective Measures
Encryption and Secure Data Storage
Encryption is a fundamental protective measure in healthcare data security. By converting sensitive information into unreadable code, encryption ensures that even if data is intercepted, it cannot be understood without the proper decryption key. Secure data storage solutions, including cloud services with robust security protocols, are also essential in protecting patient data.
Regular Security Audits or Risk Assessments
Conducting regular security audits or risk assessments helps identify vulnerabilities within a healthcare organization’s systems. These audits involve reviewing and testing the effectiveness of security measures, identifying potential threats, and ensuring that all data protection protocols are up-to-date. Regular audits are vital for maintaining a proactive approach to data security.
Incident Response Plan
It is also important to develop a comprehensive incident response plan that outlines roles, responsibilities and procedures for responding to security breaches or future attacks. Then test the plan through exercises and simulations to identify any gaps and determine the effectiveness of the plan. Of course, having a communication channel for notification to owners, partners, managers and key stakeholders is critical in the event of a breach.
Staff Training on Data Security
Human error is one of the leading causes of data breaches. That’s why comprehensive staff training on data security practices is crucial. Training programs should educate employees on:
- recognizing phishing attempts
- proper data handling procedures
- the importance of maintaining strong passwords
Ongoing education ensures that staff remain vigilant and informed about the latest security threats and best practices.
Legal Requirements
HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) sets the standard for protecting sensitive patient data in the United States. HIPAA compliance involves implementing administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and security of electronic health information. Non-compliance can result in significant fines and legal repercussions.
Legacy Consulting Services helps healthcare organizations ensure HIPAA compliance by providing comprehensive guidance and support in implementing the necessary administrative, physical, and technical safeguards.
Data Breach Reporting
In the event of a data breach, healthcare organizations are required to follow specific protocols for reporting the incident. This includes notifying affected individuals, the Department of Health and Human Services (HHS), and sometimes the media. Timely reporting is essential for mitigating damage and maintaining transparency with patients and regulatory bodies.
How Legacy Can Assist
A revenue cycle consulting company can play a crucial role in mitigating the impact of a security attack by providing expertise, support, collaboration and resources in the following ways:
Cyber Breach Action Plan
How Legacy Consulting Services Assists
- Immediate Response & Incident Management
- Respond immediately to security incident
- Work with IT to asses scope and impact
- Activate response plan
- Coordinate communication with stakeholders
- Initiate efforts to contain and mitigate attack
- Forensic Investigation & Analysis
- Conduct forensic investigation to identify cause of breach
- Determine extent of data compromise
- Analyze log files, network traffic and system activity
- Identify unauthorized access or data exfiltration
- Security Remediation & Recovery
- Develop and implement strategies to address security vulnerabilities
- Work with IT to strengthen security controls
- Enhance monitoring to prevent future attacks
- Regulatory Compliance & Reporting
- Assist with regulatory compliance, including HIPAA, by guiding breach notification and reporting procedures
- Ensure notifications to authorities, affected individuals, and stakeholders per legal and contractual obligations
- Training & Awareness Programs
- Provide training and awareness programs for staff to recognize and report suspicious cyber activities
- Post Incident Review
- Conduct comprehensive review to analyze response efforts and identify areas for improvement
- Update response plans, policies and procedures
By leveraging the expertise and resources of a revenue cycle consulting company, organizations can effectively respond to clearinghouse security attacks, minimize the impact on their operations and reputation, and strengthen their overall cybersecurity posture for the future.
Resources for Staying Informed and Compliant
Staying informed about the latest trends and threats in cybersecurity is crucial for healthcare organizations. Resources such as the Office for Civil Rights (OCR) for HIPAA guidelines, cybersecurity frameworks from the National Institute of Standards and Technology (NIST), and industry-specific forums and publications can provide valuable information and support for maintaining compliance and enhancing data security practices.
If you want to prioritize data security, contact us today. We help healthcare organizations protect patients’ sensitive information, maintain trust, and navigate the complex landscape of digital healthcare with confidence.