Constantly staying in first place, the healthcare sector has taken first place The cost of IBM data breach report of the last 11 years. It’s a track that looks safe. In just one year from 2020 to 2021, the average total cost of healthcare for an event increased by 29.5% and now stands at $ 9.23 million.
Even in the midst of this threat landscape, the percentage spent by those in the cybersecurity health space has not fallen below the digits. Only 6% or less of the IT budget is normally spent on cybersecurity, according to HIMSS 2020 Cybersecurity Survey. Not helping the cause is that spending on security is competing with even more technological priorities to get attention. Data from the Department of Health and Human Services (HHS) shows that healthcare organizations planned to increase their budgets for cybersecurity by 2021, but that spending on cybersecurity could play a secondary role in vital technology projects for patient service in a post-COVID world.
In the face of all this, a statement in a report issued by the HHS Cybersecurity Working Group 2017 is all too true today: “Within the healthcare industry, cybersecurity has historically been seen as a cyber challenge, is addressed in a reactive manner and is often not seen as a solution that can help protect the patient.”
There are many complexities to navigate when it comes to health cybersecurity. But at a basic level, to elevate the conversation about cybersecurity and move forward, IT needs a partner and revenue cycle management is good. This is because revenue cycle management has significant experience in implementing processes and technology around PCI DSS compliance and has learned lessons that lend themselves well to framing cybersecurity priorities.
Here are a few.
Education and training are key. Through industry surveys, organizations see the implementation of more training as a top priority for promoting cybersecurity. The type of user awareness training required as part of PCI DSS compliance also provides a line of defense against cyberattacks. This includes training employees to recognize suspicious emails, open attachments and more. In fact, the training is a focus on mitigating all of the threats outlined in the U.S. Department of Health and Human Services’ cybersecurity practice guidelines: Guide to Threat Management and Patient Protection (HICP).
You can achieve your goals and spend wisely. One thing everyone who is working for PCI compliance knows is that it is worth reducing the scope. You can create internal competencies to maintain network segmentation, control threats, and hire an auditor to review segmentation results and help answer an audit of more than 300 questions each year. But you can also comply with PCI DSS by moving all credit card transactions to a PCI-validated P2PE device. In fact, this option allows you to relax network segmentation, reducing network complexity, eliminating the extra work associated with segmentation, and allowing organizations to respond to a PCI audit with about 26 questions instead of 320 or so. . This designation guarantees both the highest level of security available and the narrowest scope of audit. With limited cybersecurity budgets, keep in mind that the best approaches are not necessarily the most resource-intensive and need to be flexible enough to change and scale.
Compliance is not the same as cybersecurity. While compliance steps will be automatically integrated into security, compliance is not a direct substitute for cybersecurity practices. Make sure your organization complies with HIPAA or PCI it does not mean that you have eliminated the risk of your environment, only will not be subject to additional fines. When it comes to PCI compliance, for example, most hospitals are capturing data from cardholders. using web services on your local computers, making them vulnerable to hackers. The only way to maintain a risk-free environment is to take the necessary steps to ensure that sensitive financial data never touches your network in the first place.
Ignore the physical environment in your cybersecurity strategy. By implementing PCI compliance processes, we know that steps must be taken to ensure that information is exchanged physically and digitally. Whenever the hospital accepts a single payment by credit card over the phone, in person or online, it is responsible for protecting that information and maintaining compliance with network security standards. Cybersecurity should take a holistic approach to the many ways in which threats enter your environment, which could include unclear device policies and a lack of regular review of access controls.
It’s not just about technology. Many people think that PCI is strictly technical. IT has to work to implement PCI, but in the end, compliance is the job of the company. PCI is about people, processes, and technology, and if you don’t address everyone, you’ll fall short. For example, if there are controls for processing digital payments, but someone still takes a credit card over the phone, writes it in a post-it note, and doesn’t securely destroy it, your organization doesn’t comply. The same goes for cybersecurity. While monitoring threats, penetration testing, and more falls on IT, the lack of attention to people and how processes actually work will create gaps.
The appeal of health care as a goal for bad actors is not hard to understand. Demographics for health is the world. You have access to both personally identifiable information (PII) and credit card information. And stakeholders often have their guard down because attention is the main goal. Hospitals need to balance information security, but make it accessible enough to provide the best possible outcomes for the patient.
In healthcare, the risks of relegating cybersecurity to only one IT The problem is perhaps more pronounced than in any other space. Possible disruptions in the organization’s operations can affect patient care and safety. And if we expand the definition of cybersecurity to take into account medical devices and hackers that could potentially be perpetrated through connected health devices, the stakes are much, much higher.
But revenue cycle managersHe can become an advocate for cybersecurity, a role that is increasingly urgent and important to take on.
About John Talaga
John Talaga is Vice President and CEO of Healthcare at Flywire, where he oversees health practice. He is a member of the Financial Management Association (HFMA), the Healthcare Information and Management Systems Society (HIMSS) and the American Association of Healthcare Administrative Management (AAHAM) and is a member of the NCHL (National Center for Healthcare Leadership). .
About David King
David King is CTO of Flywire, where he oversees all platforms and technical equipment. David is an experienced technologist and, along with John Talaga, helped launch the first automated healthcare payment plan solution. David King is the representative of Flywire as a participating organization on the PCI Standards Council.