The healthcare industry has held the No. 1 spot in IBM’s Cost of Data Breach report for the past 11 years, and its lead seems secure. From 2020 to 2021 alone, the average total cost of a breach in healthcare rose 29.5% and now sits at $9.23 million.
Even amid that threat landscape, the share of the IT budget that healthcare organizations spend on cybersecurity hasn’t climbed out of the single digits: typically 6% or less, according to HIMSS’ 2020 Cybersecurity Survey. Security spending also has to compete for attention with a growing list of other technology priorities. Data from the Department of Health and Human Services (HHS) shows that healthcare organizations planned to increase their cybersecurity budgets in 2021, but that cybersecurity spending could play second fiddle to technology projects vital to patient service in a post-COVID world.
Given all this, a statement in a report issued by the HHS Cybersecurity Task Force in 2017 holds all too true today: “Within the healthcare industry, cybersecurity has historically been viewed as an IT challenge, is approached reactively, and is often not seen as a solution that can help protect the patient.”
There are lots of complexities to navigate when it comes to healthcare cybersecurity. But on a basic level, to elevate the cybersecurity conversation and move it forward, IT needs a partner, and revenue cycle management makes a good one. This is because revenue cycle management has significant experience implementing processes and technology around PCI DSS compliance, and has learned lessons that lend themselves well to framing cybersecurity priorities.
Here are a few.
Education and training are crucial. Across industry surveys, organizations name expanded training as a major priority for improving cybersecurity. The user awareness training required for PCI DSS compliance also provides a line of defense against cyberattacks: it teaches employees to recognize suspicious emails and attachments, among other threats. In fact, training is a focus for mitigating every threat outlined in the U.S. Department of Health and Human Services’ Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) guidance.
You can achieve objectives and spend wisely. Anyone working toward PCI compliance knows that it pays to reduce scope. One route is to build internal competencies to maintain network segmentation and monitor threats, and to hire an auditor each year to review the segmentation and help answer a 300+ question audit. Another is to move all credit card transactions to a PCI-validated P2PE device. That option lets you unwind your network segmentation, reducing network complexity, eliminating the extra work segmentation requires, and letting the organization answer a PCI audit with about 26 questions instead of 320 or so. The P2PE validation provides both the highest level of security available and the narrowest auditing scope. With cybersecurity budgets limited, be mindful that the best approaches aren’t necessarily the most resource-intensive, and they must be flexible enough to shift and scale.
Compliance doesn’t equal cybersecurity. The steps to compliance build in security, but compliance isn’t a direct substitute for cybersecurity practices. Being HIPAA compliant or PCI compliant does not mean you have eliminated risk from your environment, only that you won’t be subject to additional fines. In PCI terms, for instance, most hospitals capture cardholder data via web services on their local PCs, which leaves that data exposed to attackers. The only way to maintain a risk-free environment is to ensure that sensitive financial data never touches your network in the first place.
Don’t ignore the physical environment in cybersecurity strategy. We know from implementing PCI compliance processes that steps must be taken to secure how information is exchanged in physical and digital ways. As long as the hospital accepts a single credit card payment over the phone, in person, or online, it is responsible for protecting that information and maintaining compliance with network security standards. Cybersecurity must take a holistic approach to the many ways threats enter your environment – which could include unclear device policies and a failure to examine access controls regularly.
It’s not just about technology. A lot of people think PCI is strictly technical. IT has to work to implement PCI, but at the end of the day, compliance is the business’ job. PCI is about people, processes and technology – and if you’re not addressing all of those, you will fall out of compliance. For example, if controls are in place for digital payment processing, but someone still takes a credit card over the phone, writes it on a post-it and fails to securely destroy it, your organization is not in compliance. The same is true for cybersecurity. While threat monitoring, penetration testing and more fall to IT, inattention to people and how processes actually work will result in gaps.
The attractiveness of healthcare as a target for bad actors isn’t hard to comprehend. Healthcare’s demographic is the world. There’s an opportunity to access both personally identifiable information (PII) and credit card data. And stakeholders often have their guard down because care is the primary objective: hospitals must secure information while keeping it accessible enough to deliver the best possible outcomes for the patient.
In healthcare, the risks of relegating cybersecurity to only an IT issue are perhaps steeper than in any other space. Potential disruptions to the operations of the organization can impact patient care and safety. And if we widen the definition of cybersecurity to account for medical devices and hacks that potentially could be perpetrated through connected health devices, the stakes are much, much higher.
But revenue cycle management can become a champion for cybersecurity, a role that is becoming more urgent and important to take on.
About John Talaga
John Talaga is EVP and GM of Healthcare at Flywire, where he oversees the healthcare practice. He is a member of Financial Management Association (HFMA), Healthcare Information and Management Systems Society (HIMSS) and the American Association of Healthcare Administrative Management (AAHAM), and is on the board of NCHL (National Center for Healthcare Leadership).
About David King
David King is CTO of Flywire, where he oversees all technical platforms and teams. David is a seasoned technologist, and together with John Talaga, helped launch healthcare’s first automated payment plan solution. David King is Flywire’s representative as a Participating Organization on the PCI Standards Council.