
Revenue Cycle Management Security: Why It’s a Problem, and How It Can Be Solved

Healthcare business associates who provide revenue cycle management services are vulnerable to cyber attack

Vendors who provide revenue cycle management services to hospitals, medical centers, and other healthcare providers continue to be vulnerable to hacking, ransomware schemes, and other cybersecurity issues. Not only do their vulnerabilities put patient data at risk—they can also have downstream effects on other vendors in the healthcare supply chain.

Last year, 15% of all data breaches involved a third party, according to the highly respected 2024 Verizon Data Breach Investigations Report. Data breaches originating with third parties exploit the fact that vendors frequently require access to their customers’ sensitive data in order to integrate with customer networks and systems to provide the expected services. Revenue cycle management services are a classic example, with RCM firms routinely processing, storing, and managing sensitive data for multiple large clients.

Third Party Data Breaches in Healthcare Led by Hacking and Ransomware

Healthcare providers rely heavily on third parties, known as business associates in the healthcare industry. The number of revenue cycle management service providers in the U.S. currently exceeds 350, according to a 2024 list compiled by Becker’s Hospital Review.

Data breaches continue to plague the healthcare industry as providers and their suppliers struggle to achieve full HIPAA compliance. A statement by the HHS Office for Civil Rights in March 2024 named ransomware and hacking as the primary cyberthreats in healthcare. “Over the past five years, there has been a 256% increase in large breaches reported to the OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR.”

Revenue cycle management security is an issue for most third party RCM service providers. In 2023 alone, healthcare providers were responsible for two thirds of all data breaches reported to the HHS Office for Civil Rights. Of the total 548 reported breaches, one third (33%) were attributable to third parties—specifically business associates and health insurance plans.

Drilling down, 22 of the breaches reported to OCR in 2023 were on a grand scale, with each one affecting a million or more individuals, primarily patients.

Of these massive data breaches, over three quarters (77%) were attributable to third parties. This fact alone illustrates how much higher the level of risk is among third parties than among the healthcare providers they serve.

Unfortunately, vulnerable third parties do not simply risk their own data—they jeopardize the data of the organizations to whom they sell goods and services, including revenue cycle management services.

Revenue Cycle Management is Complicated

In simple terms, revenue cycle management is a business process that enables organizations to obtain payment for services they have provided. A more expansive definition is “the process of managing all functions related to revenue generation in a healthcare organization.” These functions generally utilize medical billing software, and the revenue cycle begins when a patient obtains medical services and ends when all payments have been collected from the patient and insurer.

Despite fairly simple definitions, revenue cycle management can get complicated fast. According to an article in Healthcare Finance News, a national survey conducted by the Healthcare Financial Management Association among 587 chief financial officers and revenue cycle leaders revealed that 30% of health systems and hospitals admit to using at least two RCM vendors. Specifically:

  • 38.5% use one vendor who can perform all steps of the RCM automation process.
  • 31.5% don't use third parties, but instead have internal RCM teams, although more than 75% of these organizations are large ($1 billion or more in net revenues).
  • 30% rely on two or more vendors: 19.6% use two vendors, with one handling multiple RCM activities; 4.9% use three vendors, with each handling a different part of the process; and 5.6% engage with four vendors or more.

While synergies are certainly obtainable in this environment, the use of multiple vendors to manage different parts of a single process adds a layer of complexity. It may also reduce individual vendor accountability and may increase overall costs. Despite these pitfalls, revenue cycle management services offer a number of advantages.


Third Party RCM Services Offer Many Benefits

Revenue cycle management services offered by third parties deliver numerous advantages for healthcare providers. Following are just a few potential benefits.

  • Helping healthcare providers maximize revenue through more accurate coding, more timely submission (and follow-up) of claims, and more efficient payment collection.

  • Creating a more organized billing process with fewer billing errors.

  • Improving cash flow by reducing the amount of time between (a) when medical service is provided and (z) when payment is received.

  • Assisting healthcare providers in meeting regulatory requirements and adhering to increasingly complex coding guidelines.

  • Automating repetitive tasks and streamlining workflows to enable healthcare staff to focus on patient care.

  • Enhancing financial stability and sustainability for healthcare organizations in the face of economic and market fluctuations.

  • Enabling healthcare providers to make better decisions by providing insights into revenue sources and uses, payer trends, and operational efficiencies.

  • Helping healthcare providers keep up with industry and market changes such as evolving regulations, shifting reimbursement models, and ongoing advances in technology.

Despite the benefits of using skilled third party RCM services, the picture is not entirely rosy. That’s because most RCM companies have security issues, as demonstrated by six of the top ten.


Revenue Cycle Management Security Issues at Six of Top Ten RCM Service Providers

The top ten RCM service providers in the U.S., according to a recent article at medium.com, are Allscripts Healthcare Solutions, AGS Health, AthenaHealth, Cerner Corporation, Change Healthcare, Epic Systems, McKesson Corporation, NextGen Healthcare, NThrive, and R1 RCM Inc. Most of these companies bundle revenue cycle management services with electronic health record systems to integrate these two core software platforms for the benefit of their RCM/EHR customers.

Of the top ten RCM service providers in the U.S., three have experienced cyberattacks in the past 18 months and another three in the past decade, highlighting the need for improved revenue cycle management security across the board.

  • Change Healthcare’s RCM solutions are “powered by advanced analytics and artificial intelligence.” In February 2024, the company experienced a cyberattack that caused a network interruption that lasted for months. The breach also forced the company to temporarily cease providing revenue cycle management services to its customers. Customers were scrambling to identify backup RCM services or other solutions as the service interruption continued. According to a TechTarget RevCycle Intelligence article, Change Healthcare is one of the largest medical claim clearinghouses in the U.S., touching one third of all medical records and processing nearly half of all medical claims. During the outage, Change Healthcare customers were unable to process claims with payers to receive reimbursement for services they had delivered. Parent company United Health Group advanced billions of dollars to healthcare providers to defray revenue shortfalls, but providers suffered business setbacks nevertheless.
  • Epic Systems Corporation provides RCM and EHR solutions to healthcare providers, and in April 2024 terminated its relationship with business associate Particle Health after learning of their misuse of Epic patient data. Epic’s systems contain more than 300 million patient records, and the company claimed that Particle Health had been using their patient data in an "unauthorized and unethical" manner not related to medical treatment. In an unrelated incident, a data breach at Epic Systems in 2021 potentially compromised the names, dates of birth, Social Security numbers, drivers’ license numbers, passport numbers, financial data, health insurance and medical information, and payment card data of an undisclosed number of patients.
  • R1 RCM Inc. provides RCM services to hospitals, and in November 2023 reported a breach of the protected health information of 16,121 hospital patients. While the hospital’s network was not compromised, breached data included names, contact information, dates of birth, Social Security numbers, location of services, clinical and/or diagnosis information, and patient account and/or medical record numbers. 
  • Allscripts Healthcare Solutions suffered a ransomware attack in January 2018 that crippled its systems and caused an outage that affected thousands of physician practices and other healthcare providers across the U.S. Allscripts provides RCM, EHR, and other services to 180,000 physicians, including 100,000 electronic prescribing physicians, as well as 2,700 hospitals and 13,000 extended care organizations. These services touch some seven million patients.
  • Cerner Corporation, which offers RCM and EHR solutions to a variety of healthcare providers, discovered that an unauthorized party had accessed servers at its Kansas City data center. The 2016 hack jeopardized the data of NCH Healthcare System, which treats more than 40,000 patients annually in Florida.
  • McKesson Corporation provides “flexible solutions for end-to-end revenue cycle management for many different medical specialties and practice sizes.” In 2014, its billing services were delivered through a subsidiary, PST Services. PST experienced a data breach that exposed the personal information of more than 10,000 patients online, including patient names, billing and insurance information, diagnosis codes, and some Social Security numbers.

How Can RCM Service Providers Improve Security?

Business associates, including providers of revenue cycle management services, must comply with HIPAA security requirements just as hospitals, medical centers, physician practices, and other healthcare providers must comply. However, robust revenue cycle management security requires full compliance, not partial or nominal compliance.

Four outstanding cybersecurity solutions are readily available to RCM providers and other members of the healthcare industry, enabling organizations to map their security policies, procedures, and safeguards to universally accepted cybersecurity frameworks, including the HITRUST CSF, NIST CSF, ISO 27001 Standard, and SOC 2 framework.

  • The HITRUST CSF is a “universal framework that maps to all critical security control sets” and provides a “comprehensive, scalable, reliable, and efficient framework for risk management and regulatory compliance” that is designed to help any organization adapt to new threats, standards, and regulations quickly and effectively. HITRUST was originally developed to promote HIPAA compliance in the healthcare industry and remains a great option for healthcare providers and their business associates.
  • The National Institute of Standards and Technology (NIST) promotes a cybersecurity framework that enables organizations to better manage and reduce cybersecurity risk. NIST CSF 2.0 consists of six core functions: Identify, Protect, Detect, Respond, Recover, and Govern. A key benefit of this framework is enabling the assessment of an organization's ability to respond to and recover from a data breach or other cyber incident, which are especially common in the healthcare industry. Revenue cycle management security can be addressed by NIST CSF 2.0 or several other cybersecurity frameworks.
  • According to the International Organization for Standardization, ISO 27001 “promotes a holistic approach to information security, vetting people, policies, and technology. An information security management system implemented according to this standard is a tool for risk management, cyber resilience, and operational excellence” for any organization.
  • Systems and Organizational Control Type 2 (SOC 2) is a “cybersecurity compliance framework developed by the American Institute of Certified Public Accountants for the primary purpose of ensuring that third party service providers store and process customer data in a secure manner.” Information systems are evaluated based on five Trust Services Criteria, including security, availability, processing integrity, confidentiality, and privacy.

Summary

The revenue cycle management market was valued at USD $135.92 billion in 2023 and is projected to grow to $361.86 billion globally by 2032, with a compound annual growth rate of 11.7%, according to Fortune Business Insights. The number of RCM service providers exceeds 350, as listed by Becker’s Hospital Review in 2024. Enormous volumes of sensitive patient data are processed, used, stored, and managed by these RCM companies—most of whom have untreated cybersecurity vulnerabilities if data breaches among the top ten are any indication.

As healthcare business associates, revenue cycle management companies are required to comply with HIPAA regulations. Fortunately, revenue cycle management security and compliance can be achieved through the implementation of one of the highly respected cybersecurity frameworks available today. RCM firms owe it to their customers and their customers’ patients, as well as their other stakeholders, to improve revenue cycle management security without further delay.


Rema Deo

As CEO and Managing Director of 24By7Security, Inc., Rema is a highly experienced and credentialed information security professional. Among her certifications are PCI Qualified Security Assessor (QSA) from PCI SSC, Health Care Information Security & Privacy Practitioner (HCISPP) from (ISC)2, Certified Information Security Manager (CISM), and Certified Information Security Auditor (CISA) from ISACA. She also holds a certificate in Cybersecurity: Technology, Application, and Policy from the Massachusetts Institute of Technology, and Certified Data Privacy Practitioner (CDPP) from Network Intelligence. She earned her MBA from Symbiosis Institute of Business Management in Pune, India, and her Bachelor of Commerce degree from the University of Bombay. Be sure to follow the 24By7Security Blog for valuable insights from Rema and her colleagues.
