Cybersecurity Tactics & Tech - Podcast
2024 placed a spotlight on the critical need for cybersecurity and resilience strategies within healthcare Revenue Cycle Management (RCM). With evolving threats reshaping the landscape, organizations are rethinking how they safeguard vital systems and data. This podcast brings together HIMSS and Greg Surla, Chief Information Security Officer at FinThrive, to explore the profound shifts in healthcare RCM driven by cybersecurity challenges. From emerging best practices to robust resilience planning, they’ll uncover how these changes are shaping future compliance frameworks and protecting the integrity of healthcare operations. Don't miss this insightful deep dive into one of the most pressing issues in the healthcare industry.
Episode Transcript
We're seeing some good activity from the healthcare industry. Again, this past year has been a wake-up call, and so it looks like people are starting to take notice and take some action here.
Chapter
Introduction to Cybersecurity in Healthcare
Hi. I'm Mary Ann Borer with HIMSS. Today, I'm joined by Greg Surla, chief information security officer at FinThrive, and we'll be talking about cybersecurity tactics and technology to safeguard your revenue cycle. And before we start, I want to say thank you to FinThrive for sponsoring this podcast. Greg, thanks for joining us today.
Thank you, Mary. I appreciate the opportunity to get on a call with you.
Chapter
Impact of Cyberattacks on Healthcare Revenue Cycle
Greg, let's start by reflecting on 2024 and how the cyberattacks we saw impacted the healthcare industry and, more specifically, healthcare revenue cycle management. What are the biggest changes you've seen related to cybersecurity in the past year?
Those attacks that occurred last year had a huge effect, as you know. But one of the big changes I've seen in 2024, especially in the healthcare industry, is that there's been a greater emphasis on third-party risk management. FinThrive, as a vendor, has seen customers reach out to us more extensively about our security practices. And FinThrive itself, we looked back and said we don't want to be impacted by our vendors, so we did the same thing by looking at our vendors and third parties and determining what risk is out there.
The other thing we're seeing is cybersecurity awareness. That's always a big deal, but those attacks that occurred over the past year or so have woken people up. And the last thing we're seeing a lot more of is an emphasis on business continuity and disaster recovery, as well as incident response. In those three areas, everyone's saying, hey, we saw what happened with Change. We saw what happened with other organizations. Let's make sure it doesn't happen to us. There has been a lot more emphasis on those three areas as well.
Yes.
Chapter
Future Trends in Healthcare Cybersecurity
I think a wake-up call is a great way to describe what happened. So with that in mind, can you give us your insight into 2025 healthcare cybersecurity? And do you think it'll be the same hot topic that it was in 2024?
I do. I think that ransomware and phishing are the two areas that will be the hot topic. They continue to be a problem in the industry. Those attacks have been proven to be effective and profitable. And so when those two come together, the ease of an attack as well as the profitability of that attack, that encourages those bad guys and bad girls to keep attacking us. So we won't see too much of a change. I mean, there might be some small shifts, but I still see ransomware and phishing being the hot topic of 2025.
Yes. I'd have to agree with you there. And so, because of all of these different attacks that are occurring, do you foresee any compliance or legislation changes?
Oh, I certainly do. There's one that was just recently proposed by the US Senate. It's the Health Information Security and Accountability Act. It creates new requirements that address the cybersecurity risks that are out there, requires ongoing risk assessments and audits related to cybersecurity practices, and then introduces new penalties for noncompliance.
I think that something has to change. I don't think that the Senate, the government, is going to stand by, or sit back and wait for another Change event or some other event to occur. I think they have to do something, so that Health Infrastructure Security and Accountability Act is probably going to be impactful if it does get through Congress.
Chapter
Preparing for Cybersecurity Challenges
Absolutely. How are healthcare organizations preparing for future cybersecurity-related downtime occurrences?
Yes. So there's a recent HIMSS survey that went out, and it identified six areas where healthcare organizations are preparing for those future security-related occurrences. The number one area is that 92% of respondents said they're engaging in cybersecurity training, and the remaining 8% are planning to do that in the near future. What we're also seeing from that response is that 88% of respondents are testing their backups regularly.
We're seeing a large percentage of organizations implementing MFA. They're conducting incident response tabletops. They're engaging additional vendors for failover and redundancy in their critical systems, and they're selecting breach notification partners. I think all six of those areas are a great way to reduce the risks and the threats that are out there. We're seeing some good activity from the healthcare industry. Again, this past year has been a wake-up call, and so it looks like people are starting to take notice and take some action here.
That's great. It's good to see a more proactive approach being taken. And with that in mind, are you seeing any trends in how different types of organizations are tackling these security challenges?
Yeah. Absolutely. So in that same survey, we saw that with tabletop exercises, 74% of larger organizations, those with 2,500 employees or more, are taking part in tabletop exercises. On the flip side of that, of smaller organizations, those with fewer than 2,500 employees, only 32% are taking on tabletop exercises in terms of incident response as well as disaster recovery. On the other hand, of smaller organizations, those with 1,000 or fewer hospital beds, 97% are testing their backups, whereas of those with more than 1,000 beds, 72% are testing backups. Now, these aren't bad numbers at all, but it's interesting to see that the smaller organizations are testing their backups more so than those larger organizations.
And then finally, with multi-factor authentication, 96% of those organizations with less than one billion in revenue have implemented MFA, which is fantastic. Interestingly enough, of those with more than one billion in revenue, only 76% have implemented MFA. Those three areas are really interesting to me in terms of the different types of organizations and their approach to cybersecurity.
Absolutely. I'm also a little surprised that the smaller organizations are testing those things more frequently. So that's interesting. So what do you think, Greg, should be included in a healthcare organization's cybersecurity training?
Chapter
Essential Elements of Cybersecurity Training
Oh, I think, right off the bat, phishing awareness needs to be the healthcare industry's top target. Again, ransomware, you'll see it weekly, maybe one or two a month, maybe more than that: healthcare organizations are hit with ransomware.
Phishing attacks are the primary way in which a ransomware attack starts, so you absolutely need to concentrate on that. In fact, KnowBe4, a cybersecurity training organization, maintains a metric called Phish-prone Percentage. What that metric tells you is that the more prone the employees in your organization are to phishing, the greater the percentage. The healthcare industry maintains around a 51% Phish-prone Percentage, which is extremely high. So it kind of explains why we're seeing, I wouldn't say weekly, but maybe biweekly, healthcare organizations get hit with phishing and ransomware events.
Absolutely. And especially with the rise of things like smishing and spear phishing, that's something that's got to be focused on for sure.
Absolutely.
So what do you consider the ultimate revenue cycle management tech stack for healthcare organizations to help them guard against future cybersecurity attacks and things like unplanned downtime?
Chapter
Building an Effective Tech Stack for Cybersecurity
Yeah. I mean, if you look at the areas in the HIMSS survey, the responses were spot on. You saw multi-factor authentication, which helps against those identity-based attacks. That's really important for an organization to bring on internally, and if they have cloud-based applications, they should utilize MFA with those applications as well. Security awareness training, which we just discussed, is really big. Your employees are your firewall against those threats, so we call them human firewalls. We want to make sure that all of your employees are looking for those emails that are trying to phish you, looking at their SMS messages and saying, no, the CEO isn't asking me to buy gift cards. So that security awareness training is really important. Incident response: you have to know what to do when an event occurs. You don't really want to stand around looking at each other, asking what to do next.
And then testing your backups is really, really important, because in case of an event, you want to be able to recover quickly. There's a saying out there, which I'm not a big fan of, that it's not a matter of if, it's when. In my mind, like I said, I don't like to say when, but when it does happen, you want to be able to respond to it quickly, so that incident response and backup testing is important. With all those areas, you kind of have that secret sauce to guard against future attacks.
Make sure that there's redundancy in your environment. Have backup processes, especially for your RCM program: make sure that either you have a backup process with your current vendor or you bring on a secondary vendor to help you process your claims. That's really important. We're seeing a lot of customers starting to do that, just in case something happens.
So I feel like those are the areas of the tech stack that your RCM program should employ that could help you guard against future cybersecurity attacks.
Chapter
Evaluating RCM Technology Vendors
Absolutely. Now, for healthcare organizations that are looking to partner with an RCM technology vendor, what would you say they should look for, and what questions should they ask as part of the evaluation process around the vendor's cybersecurity?
You want to take a look at their policies. You want to take a look at their processes. Ask the questions. Ask them how they are backing up your data. How is that vendor protecting the data? In the event that the vendor experiences downtime, what are they doing to bring your data back online? You'll want to ask those questions. You also want to look at the compliance certifications that your vendors have and understand whether they have HITRUST or SOC 2 or maybe many of the others that are out there.
Make sure they are testing their products against compliance certifications, because those external auditors are going to tell you in their reports whether or not something needs to be done, whether they're taking their security seriously. And so making sure that you get those reports and you read those reports is really important. And then one of the things that we're seeing in the industry is, how much is an organization spending on their security team's budget? Is the security team just one or two guys in IT who say, oh, that's our security team? That may not be sufficient, depending on the product that you get or what they're doing. But you want to understand what that organization's security team budget is and how many people they have assigned to security, so that in the event something occurs, they can respond to it quickly. They have the right answers and they have the expertise on staff to help reduce those threats that are out there.
Yeah. It's a great point. And when you think about something like RCM, your claims processing can take a while as it is, so it's important to make sure that you have some answers on how much delay you'd be facing if that sort of thing happened.
Absolutely. I mean, we get the question all the time, and it does impact you. It does impact your organization when someone else is down. And as we saw with the Change event, it was not a good time for a lot of people, and so we need to prevent that.
Chapter
Best Practices from Successful Organizations
Absolutely. Well, can you share any customer stories about organizations who have executed their cybersecurity strategies well, and what kind of best practices they implemented that we could maybe share with our audience?
Yeah. So, I'm not going to call out specific organizations, but what I will say is that the ones that stand out to me are those that will come in, talk to me, talk to my team, ask us about our security program, offer suggestions, and try to understand what we're doing. They view their vendors' security teams as members of their own team, and we share ideas on how to solve certain problems. We all understand we have common goals here to prevent these cyber events from occurring. And so treating your vendors as members of the same team as you, I see that as being a very solid best practice. Some of the other things we're seeing is that some of the customers are collaborating with their vendors during incident response tabletops and disaster recovery testing.
They want to understand what their vendors are doing and how that vendor impacts their incident response and disaster recovery. So bringing those vendors in and including them in that process and that testing is really solid. I think that's a great way to understand where your limitations are and where your vendors' limitations lie. And then, again, understanding what the roles and responsibilities are for each side.
So, vendor A, you need to do this. We need to do these things. And if you see some gaps, and what we've seen is they've seen some gaps in the way that things are done, we come up with a solution together to try and reduce that impact. So those are some of the areas that we've experienced in terms of how these organizations are implementing a stronger cybersecurity strategy.
That's fantastic. And, again, it really shows the importance of taking a proactive stance and really trying to plan ahead for what might happen.
Right.
Well, Greg, thank you for joining us today, and thanks so much for sharing your insights with us.
Well, thank you, Mary. I really appreciate it.
Wonderful. And special thanks to FinThrive for sponsoring this podcast. Have a fantastic rest of your day.