In this article, we will share some of the lessons learned from a recent consulting engagement with a leading dental support organization (DSO) that successfully navigated the aftermath of a cyberattack on one of its revenue cycle management (RCM) vendors by leveraging a diversified strategy.
Background/Context
The term revenue cycle management refers to the process of managing the financial aspects of healthcare delivery. It involves identifying, collecting, and tracking payments for the services rendered by a healthcare provider, from when a patient schedules an appointment to when the final payment is received. RCM is a complex and dynamic process that requires specialized skills, knowledge, and technology. It is vital for the financial health and sustainability of a healthcare organization, as it affects the provider’s revenue, cash flow, and profitability. RCM processes for hospitals are often outsourced to third-party vendors who can lower costs, increase revenue, and ensure the quality and security of billing and collections. Outsourcing RCM also allows hospitals to focus on their core mission of providing excellent patient care and satisfaction.
However, outsourcing RCM also exposes healthcare systems to various risks, such as service disruption, performance degradation, data breach, or contract termination. These risks can have severe consequences for the healthcare organizations, such as revenue loss, operational disruption, reputational damage, and legal liability. Moreover, these risks can be exacerbated by external factors, such as geopolitical tensions, natural disasters, or cyberattacks, affecting the vendor’s operations and availability. Therefore, healthcare organizations need to have a diversified and resilient RCM outsourcing strategy that can mitigate the risk of vendor dependency and enhance their ability to cope with any potential disruption.
One of the key reasons for diversifying a vendor base for RCM outsourcing is to reduce the risk of over-reliance on a single vendor. If clients outsource all RCM functions to one vendor, they put their entire revenue production at stake. Consequently, if any extraneous event halts the vendor’s operations, they are left without any alternative option to carry out RCM processes. A disruption of this magnitude can have devastating effects on revenue, cash flow, patient satisfaction, and competitive edge. A recent cyberattack on one of our client’s RCM vendors reminded us of the importance of a diversified RCM outsourcing strategy.
The Engagement
Toward the end of 2023, we embarked on an engagement with a leading DSO to perform a gap analysis of a current contract package for one of its RCM providers for various processes, which were due to expire in March 2024. The project’s main objective was to ensure that the contract reflected the industry standards and best practices for RCM outsourcing and that it protected the DSO’s interests and rights in case of any service disruption, performance issue, or cyberattack.
Amid contract renegotiations at the beginning of February 2024, Change Healthcare, a major RCM vendor for US healthcare systems, was hit by a ransomware cyberattack. The attack disrupted the RCM processes of over 30,000 customers, including hospitals, clinics, and dental practices. They exposed the personal and financial information of millions of patients and payers. One of those customers was the DSO we were working with. Luckily, they had diversified their RCM outsourcing and could mitigate the impact of the attacks by leveraging their strong relationship with the vendor, with whom they were in the middle of contract renegotiations. The DSO had this vendor help them manually process the claims that Change Healthcare could no longer process through their electronic claim processing system.
Lessons Learned
As partners of the DSO, we were relieved they had a reliable backup strategy to deal with this severe incident. Still, it did highlight the importance of a diversified RCM outsourcing strategy. Had the DSO relied solely on Change Healthcare, it could have experienced devastating impacts:
-
- Disrupted cash flow and revenue, as the cyberattack may compromise the security, integrity, or availability of the billing and payment data, leading to delays, errors, or losses in the RCM processes and transactions.
- Damaged reputation and trust, as the cyberattack may expose the sensitive personal and financial information of the patients and providers, resulting in privacy breaches, identity theft, fraud, or lawsuits that can harm the healthcare system’s image and credibility.
- Reduced compliance and quality, as the attack may affect the accuracy, completeness, or timeliness of the RCM documentation and reporting, causing violations of the regulatory standards, contractual obligations, or best practices that can incur penalties or fines.
Conclusion
In conclusion, healthcare organizations must have a diversified RCM outsourcing strategy to ensure financial stability, operational resilience, and data security. The recent consulting engagement with a leading DSO demonstrated the practical benefits of a diversified vendor base as they leveraged external relationships to mitigate the impact of the Change Healthcare cyberattack.
This incident serves as a compelling reminder of the potential consequences of single-vendor dependency, including disrupted cash flow, reputational damage, and compliance challenges. Healthcare organizations must proactively diversify their RCM outsourcing strategy to safeguard against unforeseen disruptions and maintain continuous, efficient revenue cycle operations. This approach enhances the organization’s ability to navigate crises and reinforces its commitment to providing uninterrupted, high-quality patient care.
By Sara Phister, Senior Consultant