Ransomware in the Revenue Cycle

Blog March 11, 2024

Cyberattacks can block hospitals and health systems from filing claims or collecting revenue.

Here are three ways to safeguard against the threats.

When MGM Resorts was struck with a cybersecurity attack in September 2023, the organization was forced into “manual mode,” with handwritten receipts and physical room keys, to remain partially operational while its systems were shut down. ¹ The approximately 10 days MGM needed to return to normal operations shined a light on the continuous and rising threat of ransomware, phishing, and other cyberattacks.

Cyberattacks cause 25% of security incidents across all industries, in fact, outpacing infrastructure failures (20%), software bugs (15%), and natural disasters (5%). ² And healthcare organizations are the top target for attackers, according to the U.S. Federal Bureau of Investigation.³

“Hospitals and health systems are dependent on their IT systems for patient care and revenue, and that high–dependency on all the sensitive data makes interruptions in these programs extremely impactful,” said Dana Hartman, Vice President of Sales, Marketing & Operations, Ingenious Med.

Hartman explained that dependency during a webinar hosted by HFMA and another hosted by MGMA, Under Attack: Safeguarding Revenues in a Downtime Event, that also featured Rob McGinnis, Portfolio Leader, Mergers & Acquisitions, Harris Healthcare.

During the webinars, Hartman and McGinnis shared insights and perspectives about:

Cyberthreats and downtime growing worse
Leaders still neglecting cybersecurity at enormous expense
Three solutions for protecting revenue during downtime

Cyberthreats and Downtime Growing Worse

Healthcare institutions averaged 1,463 cyberattacks globally — every week — in 2022, a 75% increase over 2021, a threat that puts many hospitals just one cyberattack away from shuttering operations altogether. ⁴

Also making matters more difficult is the reality that the average downtime as a result of cyberattacks increased from 15 days in 2021 to 24 days in 2022. ⁵

“Not only are cybercriminals conducting more and more attacks every year,” McGinnis said, “but they also continue making the attacks more sophisticated and effective.”

Leaders neglecting cybersecurity at enormous expense

The facts illustrate the prevalence and havoc that cyberattacks are wreaking on healthcare, but many organizations are not yet allocating budgetary resources to address the threat.

Despite the 96% of executives who consider cybersecurity resilience a top priority, ⁶ the mere 11% of hospital IT teams actually prioritizing cybersecurity spending ⁷ is certainly alarming considering that 62% have experienced a data security event in the past 24 months that impacted operations. ⁸

“Healthcare C-suites need to be thinking about the revenue that’s no longer coming in during an attack. You cannot submit claims, so there’s nothing coming back from the payers,” Hartman said. “Hospitals must protect that revenue that they are not going to be able to file claims on. Or they are not going to be able to actually see patients, which is even worse.”

For hospitals and health systems that are attacked, the average cost is $10 million — but some cyberattacks can cost an order of magnitude more. Take the high-profile ransomware attack against Scripps Health in May 2021, for example. McGinnis said the ransomware attack impacted 1.2 million patients and two hospitals for four weeks at a total of $113 million in losses.

As we will see later in this article, that attack could have been worse.

Three Solutions for Protecting Revenue During Downtime

Given the persistent and growing cyberthreat in healthcare, hospital and health system leaders need solutions to protect their revenue in the event such an attack should encrypt their data or knock billing systems offline.

To that extent, McGinnis and Hartman pointed to three existing solutions currently available: cybersecurity insurance, back-up systems, and Ingenious Med Continuum.

Cybersecurity insurance: Similar to homeowners insurance, cybersecurity insurance generally indemnifies policyholders and can provide the means to reestablish a previous financial state. That said, the insurance does not safeguard doctors, clinicians, administrators, IT staff, patients and caregivers from being seriously impacted by the attack and ensuing downtime. Also, McGinnis noted that since 2019 there’s been a double-digit rise in the cost of premiums as attacks become both more frequent and more severe.
Back-up systems: Hosting redundant IT systems and storage either off-site or with cloud vendors enables hospitals and health systems to leverage the information security of those organizations to offset some of the financial and logistical burdens of data management. But they’re imperfect, create new areas of vulnerability, and it’s possible for attacks to bleed from primary systems into backup systems and render those inaccessible as well, McGinnis added.
Continuum: During the downtime at Scripps, the health system’s patient information was flowing from its EHR into Ingenious Med’s Continuum, which Hartman said enabled a continuous workflow that avoided any stoppage in what Scripps’ clinicians could actually do in the hospital. Continuum is a cloud-based system for uninterrupted workflow in case primary systems go offline by providing secure remote access for alternative routes to vital patient data and billing operations.

Scripps’ Experience

Jason Cook, Assistant Vice President of Medical Management at Scripps Health, explained that Ingenious Med is embedded in its providers’ native workflow, which brought many benefits during the health system’s downtime.

“The ability for Ingenious Med to work independent from the EHR allowed us to maintain our revenue cycle operations, patient list, patient distribution, and care team communication,” Cook said. “The ability to live embedded in the tool, as well as alongside the tool, not only creates workflow efficiency, but also creates that redundant capability in the event you have any downtime to your EHR.”

Conclusion

Healthcare organizations are at a critical point: after years of under-investing in cybersecurity protections, attacks are rising in frequency, severity, and financial damage, including the inability to file claims or collect revenue during attacks and downtime.

“There’s uncertainty about our ability to prepare for these things, but we need to do a better job of understanding what’s coming for us,” McGinnis said. “We need to prepare ourselves better.”