Protecting patients’ highly personal medical information is crucial in the healthcare industry, but revenue cycle leaders are obligated to do more: they must protect patients’ financial information as well as their medical details. The healthcare industry is adopting more consumer-friendly patient engagement tools and digital payment options, often partnering with various vendors to do so, and maintaining a high standard of security across all of those relationships can seem overwhelming. It doesn’t have to be.
We consulted Shane Peden, Director of Cyber Risk at risk3sixty, LLC, an Atlanta-based information risk management advisory firm, to help us break down some best practices. Shane helps companies enhance their overall security posture by simplifying information risk management and compliance so that an organization can focus on its core business processes.
Patientco: Thanks for joining us, Shane. To start, what do today’s Health Systems need to look for when vetting a potential revenue cycle vendor’s security posture?
Shane: First and foremost, you need to make sure the potential vendor meets all applicable compliance and security standards. For optimal revenue cycle security, that means complying with HIPAA, of course. This also means you should look for a vendor that has achieved SOC 2 Type II and PCI Level 1 certifications.
In Patientco’s case, we opted to achieve compliance with all five of the AICPA’s Trust Services Criteria (TSPs) when building out the enterprise cyber risk management program. This ensured that we are meeting industry best standards for Security, Availability, Processing Integrity, Confidentiality, and Privacy. I would highly recommend that Health Systems consider which TSPs are relevant to their organization when reviewing prospective vendors’ SOC reports.
Patientco: Can you explain to readers what the SOC 2 and PCI certifications mean?
Shane: Sure. SOC stands for “System and Organization Controls” and comprises a long list of criteria. If all criteria are met by the vendor, the Health System gains additional confidence in how well their information is being managed and secured. More specifically, SOC 2 is an internal controls report designed for service organizations. Successful completion of a SOC 2 Type II assessment is a great first step for an organization to demonstrate that it has developed and implemented strict information security procedures.
SOC 2 starts with its security criteria, and each additional SOC 2 TSP layers on additional requirements. Completing additional TSPs is decided based on the services provided by the vendor and the maturity of the vendor’s organization. Patientco felt all five TSPs were relevant to their clients and decided to complete them all as part of their SOC 2 assessment. While a SOC 2 certification is not a legal requirement, it is advised that Health Systems seek out vendors with this certification to support revenue cycle security.
PCI stands for “Payment Card Industry.” PCI is often used as shorthand when referring to PCI DSS. DSS stands for “Data Security Standards.” There are different levels of PCI compliance. Level 1 is what will be desirable for the majority of Health Systems and is the highest standard for compliance.
Any business entity that accepts, processes or stores payment card information must comply with PCI Data Security Standards. Patientco uses best-in-class PCI-certified technology and has created unique ways to eliminate the need for Health Systems to store or manage credit card information for any transactions processed through Patientco. This helps their customers seriously reduce PCI scope (i.e. their burden of compliance) and also promotes revenue cycle security.
Patientco: Got it, so look for a vendor that meets HIPAA, SOC 2 Type II, and PCI Level 1 standards. What else should Health Systems look for to maintain revenue cycle security?
Shane: Seek out a vendor with an agile team that is willing to integrate their solution with your organization’s existing technology and EHR. You also want a vendor that has developed solutions that avoid placing additional burden on IT.
Integrations must be secure and validated, but they should also ease the flow of accepting and processing payments. I would also explore the vendor’s philosophy on development and solutions architecture. Review the vendor’s SOC report and gather information from the vendor’s DevOps and Integrations teams. By doing so, Health Systems can determine whether the solution is sufficiently engineered to minimize downtime while optimizing quality assurance and security within the development lifecycle.
Patientco: That all makes sense. Reliable and secure integrations are also probably easier to scale, right?
Shane: Yes, that’s correct. A vendor that helps you successfully maintain revenue cycle security can lift some of the burden off the Health System. Health Systems are processing patient payments, which involves personal health information and financial data. This means their compliance burden is much heavier. Therefore, partnering with a revenue cycle vendor that has obtained relevant security credentials, like SOC 2 Type II and PCI DSS Level 1, means your Health System and your patients are in good hands.
Patientco: Awesome – any other advice on revenue cycle security before we wrap up?
Shane: Beyond providing all the appropriate compliance reports, ask how a potential vendor has established a culture of security within their organization, especially within the Systems Development Lifecycle.
This means security should be top-of-mind for all employees, especially those closest to the data and processes controlling it. Ask how employees are trained to maintain a high level of awareness of security and compliance requirements. At Patientco, all employees must complete HIPAA and security training on a quarterly basis. This ensures we remain focused on protecting the personal information of our clients’ patients, which is key for revenue cycle security.