Healthcare isn’t the only industry that is worried about strengthening cybersecurity.
In 2016, cybersecurity spending around the world increased by nearly $74 billion – incredible growth in such a short timeframe. It shouldn’t be much of a surprise, though, as the average cost for each stolen record now sits at $158, and the consolidated cost of a data breach has risen to $4 million. After you factor in the damage to a business’s reputation, it’s reasonable to assume these numbers grow even larger in the wake of a breach.
Over time, we’ve learned quite a bit about how breaches occur: 56 percent result from phishing attacks, with 30 percent of users opening phishing emails, and 12 percent clicking on the links contained within. These days, nearly every computer uses numerous software applications that require regular updates to protect against attacks. Technology moves at light speed, and so do those intent on stealing consumer data.
With this in mind, how should receivables professionals and healthcare facilities attempt to minimize risk and maximize cybersecurity protection?
- Keep an eye on your vendors – Regulatory organizations, including the CFPB, have made it clear that healthcare facilities are responsible for overseeing their service providers’ cybersecurity practices. That means conducting appropriate oversight of every firm, since their practices can affect the security of your own data. Send a security questionnaire or schedule an on-site visit. Too much to bear? Hire an outsourcer.
- Ensure appropriate access control – Healthcare facilities must provide employees with only the data they need to perform their jobs. Train your team, including C-level executives, on why these restrictions enhance cybersecurity. Specifically, access beyond what’s necessary often exacerbates ransomware attacks.
- Bake your compliance and cybersecurity programs into everyday business – Keeping consumer information safe shouldn’t be a bolted-on, after-the-fact process for healthcare facilities. It needs to be considered in even the most granular activities. Consider cybersecurity and compliance when making shifts in technology or operations, and create authoritative IT policies that are followed daily.
- Get a handle on collection notices and letters – Know your validation notices and timelines for the first 30 days: Send a letter upon contact, validate by phone, get settlement letters in line and brush up on the ECOA.
- Know your electronic payment requirements – There are many types of electronic payments, and each has different requirements for authorization and authentication. Are you aware of your options to appropriately document authorization and payment arrangements? Healthcare facilities’ letters, recurring payment arrangements, the FDCPA, EFTA and Reg E all come to bear here.
- Brush up on consumer consent and revocation – Your payment arrangements, the TCPA and the FDCPA all matter when it comes to spousal communications, age of majority, doctrine of necessities, and the time, place or manner of calls you make. Document, document, document!
- Validate your data security – You might have the best people, the best process and exhaustive documentation of it all, but technology moves at light speed, and so do identity thieves. You won’t truly know if you’re secure if you don’t test your system with an independent audit.
If you’re an organizational leader in a healthcare facility, there’s a final, crucial addition to the list: get involved! It’s essential to ask yourself what YOU are doing to make sure your company’s data stays secure and out of the news. Most established healthcare facilities and firms have a formal compliance program, but many have yet to consider standards like PCI, HIPAA and the GLBA Safeguards Rule.
You might trust that your technical and operations staff are staying compliant, but how sure are you? That’s an important question to ask in a time when cybersecurity matters more than ever. Make sure you’re confident in the answer.
Rozanne Andersen, J.D., serves as Ontario Systems’ Vice President and Chief Compliance Officer. She is responsible for leading Ontario Systems’ corporate efforts and response to the CFPB’s launch of compliance examinations in the ARM industry. Rozanne is a recognized thought leader in the area of compliance. Her advocacy work on behalf of the credit and collection industry has resulted in landmark legislation and regulation at both the state level and at the federal level with regard to the FDCPA, FCRA and HIPAA.