This year, the concept of “going to work” has taken on a new meaning. There’s no more commute to the office. Instead, employees simply walk to their desk, or couch, to log on for the day. Many health system executives have shared that their organization’s remote work policies have proven successful. In fact, one-third of CFOs and revenue cycle leaders are considering more permanent remote work policies for their revenue cycle teams, according to a recent HFMA survey.
Teleworking undoubtedly offers valuable benefits. For instance, with a remote work policy, you need less office space, which can reduce your organization’s real estate expenses. However, remote work environments can be a target for hackers and introduce additional IT and compliance risks. If your health system is considering longer-term telework, be sure to include the latest cybersecurity guidance as part of your strategy. These security best practices for remote revenue cycle teams will help mitigate risk and, most importantly, safeguard your patients’ protected health information (PHI).
Remote Revenue Cycle Security 101
Keep operating systems up-to-date & implement host-based firewalls.
First and foremost, ensure your enterprise IT team is keeping operating systems, applications, and malware protection up to date. When an operating system vendor releases a security patch, every team member should apply the update within one week of release. Also, make sure the enterprise IT team implements host-based firewalls on end-user systems. Host-based firewalls can help protect individual team members from viruses and malware, and can prevent malware from spreading throughout the network. Using these firewalls in addition to perimeter-based firewalls helps enhance enterprise network security.
Implement & keep VPN software patched.
Virtual Private Networks (VPNs) provide secure remote access to internal networks. In healthcare, VPNs allow team members to remotely and securely connect to their health system’s network. This allows them to easily access and electronically share health data over a secure communications channel. Similar to operating systems, it’s crucial to keep VPN software up-to-date. As the number of employees leveraging an organization’s VPN grows, the number of access points a hacker can exploit expands as well. Therefore, organizations must keep their VPN updated with the latest patches.
Implement multi-factor authentication & least privilege access.
Other recommended security best practices for remote work environments include the use of multi-factor authentication. Multi-factor authentication (MFA) requires a team member to present two or more verification factors when logging into an account. MFA goes beyond a username and password paired with a security question: it requires an additional factor, such as verification with a code sent via SMS text after the initial login request. This reduces the possibility of an unauthorized user posing as an employee to gain access to sensitive information.
Current cybersecurity guidance also advises managing user permissions to limit access to internal network resources based on least privilege, that is, access to only the data and systems necessary for team members to complete their job function. This will help strengthen the security of your health system’s network. For example, at Patientco, we’ve built user management and access control functionality that supports limiting access based on least privilege into iCash, our provider-facing payments portal.
Mask payment data from home environments.
Remove as much sensitive data from the home environment as possible, including payment information, such as credit card numbers. Remote revenue cycle team members should never write down payment or patient-related data or transfer it outside their secured device. They should also keep remote payments secure by processing them as “Card Not Present.”
However, it’s best if remote team members do not see or hear a patient’s card number at all. Nor should they have to connect and maintain hardware devices in a remote environment. Patientco’s Text-to-Pay solution facilitates this. Text-to-Pay enables providers to send a payment request via SMS text to a patient in real time, where the patient can click on a secure link and make a payment directly from their smartphone. With Text-to-Pay, patients can securely complete a payment without sharing their payment information aloud on the phone with a team member. This makes it an ideal solution for remote working environments.
Other security best practices for remote revenue cycle teams
Be sure to clearly communicate security and compliance expectations to all team members. Remind your team they should not share their computer or laptop with their family or children. They should also lock their devices when they are not working. The organization should implement auto logout configurations that require team members to re-enter their password after a period of inactivity.
Lastly, it’s a good idea to offer ongoing education for security best practices and how to implement them. Your team may find it helpful to have clear, step-by-step instructions on cybersecurity guidance. For example, a how-to guide on securing your home Wi-Fi router or how to check for operating system patches ensures each team member knows how to adopt these best practices.
Protecting patients’ highly personal medical information is crucial in the healthcare industry, but revenue cycle leaders are obligated to do more. They must protect both patients’ medical details and their financial information. This means security should be top-of-mind for all revenue cycle team members, whether they continue working remotely or plan to return to the office.