When you first read about the Equifax cyber breach, were you surprised? It seemed odd considering they are one of the largest organizations in the business of housing and selling your personal and financial details. I think many of us thought companies like theirs were bullet-proof. There may have even been a casual confidence and assumption that companies like that would employ some of the strictest data protection measures available. They were also in the business of accurately analyzing your financial behavior. The integrity of this data was enormously important, considering credit markets rely on it to make sound decisions as to whether or not you are likely to repay a debt. This breach changed the way we look at our own identity protection and lessened our trust in the big three reporting agencies.
Companies like Equifax do much more than assist the credit markets. The big three, Experian, TransUnion and Equifax, have actually grown to be significant players in the healthcare space. They are data partners supporting efforts to refine workflow and reduce internal collection costs for some of the largest health systems in the country. Providers embraced being able to implement analytics that would provide them with information regarding a patient’s propensity to pay their bill. They embraced having the ability to move indigent patients out of their collection teams and straight to presumptive eligibility for a charitable write-off. Employing these automated management techniques meant hospitals could collect more money at a lower expense.
So what now? There are numerous questions that need to be answered. Was your patient data part of the breach? Most likely there won’t be any implications for the majority of providers, with the exception of those hospitals that chose to report patients who failed to pay on time to one of the three credit bureaus in the hope of securing payment in the future. But what about patients who are processed through the three credit agencies to determine eligibility or the likelihood of paying their debt? With so many news stories highlighting a solution or protective measure requiring consumers to “freeze” their credit, it raises the question of what that will ultimately mean for hospitals and physician practices that use this data on a regular basis. How many patients will opt to take this freezing measure? Will this begin to impact the integrity of the financial modeling you apply today? Doesn’t your automated receivable flow for propensity to pay and presumptive charity eligibility rely on the financial information provided by these credit agencies? It most certainly relies on a large portion of it.
So what is the potential impact on your operations? Will patients who freeze their personal credit files provide you with incomplete or less accurate data on which you base your decisions? Will it simply reduce the number of patients you can automate into a preferred workflow? One thing is for sure: you need to explore the impact with your current vendor, and you need to plan to address it. A significant reduction in available data could ultimately impact your staffing should you begin reverting to more manual processes when assessing patients’ abilities to resolve their debts.
So by now it is clear that we live in an era where healthcare organizations are forced to allocate valuable dollars away from delivering patient care and towards improving information systems security. Facilities must invest heavily to protect their patients’ information from being hacked or accessed by an increasing number of outside threats. More and more we read about attacks on healthcare organizations by foreign and domestic cyber criminals. Those successful in accessing a provider’s system can bring internal operations to a grinding halt. Frequently the attack is coupled with a ransom demand to stop that facility’s information from being made public. The data can contain medical and demographic information, including Social Security numbers and dates of birth, which are frequently sold on the black market for profit. IT Security Officers should frequently be at senior management meetings, keeping management informed of potential threats and conveying current steps taken to shore up defenses.
What about the vendors who provide services to the organization? Healthcare providers tend to have numerous buyers of products and services in a single organization. Frequently, receivable vendors are engaged without the level of IT scrutiny needed in order to protect an organization from possible threats. I can’t remember ever having to share a desired tool with an IT Security professional before moving forward. In Revenue Cycle there are numerous technical applications sold on the market intended to help improve financial performance.
The contracting phase usually concludes before the IT professionals get an opportunity to dig into the details. Allowing executives to engage vendors without having their IT Security team dictate the strength and minimum standards required for technology invites trouble. These products are sought after by Revenue Cycle professionals because of their perceived technical superiority when compared to the offerings of most HIS systems. The perception of advanced technical capability often can be misinterpreted by the buyer to mean they have somehow met very stringent security guidelines. It can leave one with a false sense of security. When we perform assessments of clients, we often see these types of contracts not having been appropriately vetted. It is essential to have a qualified cyber security expert assess your situation.
So whether you use data to streamline your workflow, use technology to enhance performance, or just want to protect patients’ identities from being compromised, it has never been more important to collaborate and to hold interdepartmental reviews and discussions before making any decision to provide a third party with your data.