RCM Data breaches response. An AI derived image depicting a frustrated healthcare provider with his head in his hands & elements representing money (revenue) & security

An RCM data breach response roadmap for small and medium-sized RCM businesses to learn from.

TLDR

RCM data breach response strategies that small & mid-sized revenue cycle management vendors can learn from the biggies. Recent major data breaches at top RCM companies (Change Healthcare, Epic, R1 RCM, Allscripts, Cerner, and McKesson) reveal critical cybersecurity vulnerabilities in the industry. The Change Healthcare breach in 2024 in particular highlighted how devastating these incidents can be, with 80% of providers losing revenue and 55% using personal funds to cover expenses. The breaches’ impact extends beyond financial losses to significant operational disruptions and potential bankruptcy for some practices. For small & medium-sized RCM vendors, an incident like this could also sound a death knell, impacting their ability to acquire new business & retain clients.

But here’s the silver lining: RCM companies implementing the HITRUST framework show a remarkably low breach rate of just 0.64%. This statistic alone should motivate every RCM leader to act now. Key lessons for RCM leaders: 

  1. If you don’t have certifications like HITRUST, ISO 27001, SOC 2, or NIST – get them. These aren’t just badges; they’re your business’s survival kit in an industry projected to hit $361.86B by 2032. 
  2. Even if you have these certifications, regular external security audits are crucial. Change Healthcare had certifications too, but still got breached. Fresh eyes spot vulnerabilities your team might miss. 
  3. Engage cybersecurity consultants periodically. Your internal team may be excellent, but the threat landscape evolves daily. External experts bring insights from across the industry. 
  4. Essential security measures include implementing comprehensive cybersecurity programs, multi-layered defenses, and automated threat detection. 

Remember: The cost of prevention is always lower than the price of a breach. Just ask the practices who told AMA they’re facing bankruptcy or the executives who had to explain to their board why they needed to pay millions in recovery costs. 

Don’t wait for a breach to upgrade your security. By then, it’s too late. 


Data breaches at the top 6 Revenue Cycle Management companies


A quick search on Google for the top 10 Revenue Cycle Management (RCM) companies in the US generally throws up the same suspects. Of interest, especially for this article, are the top 6.

For your benefit, they are:

  1. Change Healthcare
  2. Epic Systems
  3. R1 RCM Inc
  4. Allscripts Healthcare Solutions
  5. Cerner Corporation
  6. McKesson Corporation
  7. AGS Health
  8. AthenaHealth
  9. NextGen Healthcare
  10. NThrive

You probably know that most of these companies bundle revenue cycle management services with electronic health record systems, integrating these two core software platforms for the benefit of their RCM/EHR customers. The thread that unfortunately joins them is the data breaches they have endured.

This not only hurt their finances (huge penalties were charged in most cases) but, more importantly, caused a serious loss of reputation, a PR fiasco, and a loss of clients, both existing and new.

Of these top 6 RCM service providers in the U.S., three have experienced cyberattacks in the past 18 months and another three in the past decade. This highlights the need for improved revenue cycle management security across the board. And these are only the Revenue Cycle Management service providers that have come into the limelight. If you are an RCM leader, you have probably faced, or at least heard about, cybersecurity attacks on organizations like yours every other day. Let’s look at the RCM data breach response journey of these well-known firms.


Change Healthcare

Change Healthcare’s RCM solutions are “powered by advanced analytics and artificial intelligence.” In February 2024, the company experienced a cyberattack that caused a network interruption lasting for months. The breach also forced the company to temporarily cease providing revenue cycle management services to its customers. Customers were scrambling to identify backup RCM services or other solutions as the service interruption continued. According to a TechTarget RevCycle Intelligence article, Change Healthcare is one of the largest medical claim clearinghouses in the U.S., touching one third of all medical records and processing nearly half of all medical claims. During the outage, Change Healthcare customers were unable to process claims with payers to receive reimbursement for services they had delivered. As part of the RCM data breach response, parent company UnitedHealth Group advanced billions of dollars to healthcare providers to defray revenue shortfalls, but providers suffered business setbacks nevertheless.

RCM Data Breach Response: Remedial actions taken by Change Healthcare after data breach

Following the major data breach discovered on February 21, 2024, Change Healthcare has taken several remedial actions: 

  1. Immediate Response: Change Healthcare quickly took steps to stop the ransomware activity, disconnected and turned off systems to prevent further impact, and began an investigation. 
  2. Security Reinforcement: The company confirmed that its policies and procedures have been reinforced to further strengthen security and help prevent future incidents. 
  3. Dark Web Monitoring: A third-party firm has been engaged to monitor the dark web to identify potential leaks of the stolen data. 
  4. Credit Monitoring Services: Change Healthcare is offering complimentary credit monitoring services for two years to affected individuals. 
  5. Ongoing Data Review: The company has been conducting an extensive review of the impacted data, which was reported as “substantially complete” by January 14, 2025. 
  6. Notification Process: Change Healthcare has been issuing notifications to affected customers on a rolling basis since June 20, 2024, and is continuing to mail individual notification letters on behalf of clients that have delegated this responsibility. 
  7. Collaboration with Experts: Change Healthcare retained leading cybersecurity and data analysis experts to assist in the investigation and address the matter. 
  8. Law Enforcement Involvement: The company contacted law enforcement immediately after discovering the breach. 

What security certifications does Change Healthcare have?

Change Healthcare has obtained several important security certifications:

  • HITRUST CSF Certification:

Change Healthcare earned HITRUST Risk-based, 2-year (r2) Certified status for its enterprise infrastructure and Change Healthcare Platform. This certification demonstrates that the organization has met key regulations and industry-defined requirements for managing risk.

  • ISO 27001 Certification:

At least one business unit within Change Healthcare maintains ISO 27001 certification, which is required for certain customer business associate agreements (BAAs). The company leverages the HITRUST MyCSF portal to facilitate the ISO 27001 certification process.

What specific security measures has Change Healthcare implemented to prevent future breaches?

Change Healthcare implemented several specific security measures to prevent future breaches: 

  1. Reinforced Policies and Procedures: The company has confirmed that its policies and procedures have been strengthened to enhance security and help prevent future incidents. 
  2. Dark Web Monitoring: A third-party firm has been engaged to monitor the dark web for potential leaks of stolen data. 
  3. Multifactor Authentication (MFA): While not explicitly stated, it’s highly likely that Change Healthcare has implemented MFA across its systems, given that the lack of MFA on remote access servers was identified as a key vulnerability in the breach. 
  4. Security Audits: The company has likely improved its security audit processes to avoid overlooking critical controls like MFA in the future. 
  5. Enhanced Access Controls: Stricter access controls, such as role-based access control (RBAC), have likely been implemented to limit unauthorized access to sensitive data. 
  6. Encryption: End-to-end encryption has likely been strengthened to protect data both at rest and in transit. 
  7. Network Security: Improved firewalls and anti-malware systems have probably been put in place to enhance overall network security. 

While these measures represent significant steps towards improving security, it’s important to note that the full extent of Change Healthcare’s security enhancements may not be publicly disclosed for security reasons. The company’s focus on reinforcing policies, procedures, and monitoring suggests a comprehensive approach to preventing future breaches. 


Epic Systems Corporation

Epic Systems Corporation provides RCM and EHR solutions to healthcare providers, and in April 2024 terminated its relationship with business associate Particle Health after learning of their misuse of Epic patient data. Epic’s systems contain more than 300 million patient records, and the company claimed that Particle Health had been using their patient data in an “unauthorized and unethical” manner not related to medical treatment. In an unrelated incident, a data breach at Epic Systems in 2021 potentially compromised the names, dates of birth, Social Security numbers, drivers’ license numbers, passport numbers, financial data, health insurance and medical information, and payment card data of an undisclosed number of patients. 

RCM Data Breach Response: Remedial actions taken by Epic Systems Corporation after data breach

Search results highlight some of Epic’s proactive security measures and recent actions related to data protection: 

  • Epic cut off data access to Particle Health, a startup, after discovering unauthorized sharing of patient data with third-party companies. 
  • Epic filed a formal dispute with Carequality on March 21, 2024, over concerns about Particle Health and its participant organizations potentially misrepresenting the purpose of their record retrievals. 
  • The company has implemented several security features to protect patient data, including: 
    • Data encryption for information input into the Epic EHR system 
    • Limited app feature to prevent direct storage of patient data on Epic’s servers 
    • ONC-ATCB certification for secure creation and management of patient records 
    • Audit trails to track all actions taken with patient information 
    • TLS and SSL protocols to protect against cyber threats 
  • Epic conducts routine security audits to identify and address vulnerabilities. 
  • The company ensures compliance with HIPAA and other essential regulatory protocols. 

These actions demonstrate Epic’s commitment to maintaining strong security measures and protecting patient data, even though they are not specifically remedial actions taken after a data breach. 

What security certifications does Epic Systems Corporation have?

Epic Systems Corporation holds several important security certifications: 

  1. ISO 9001:2015 Certification: Epic Systems is certified for quality management systems, ensuring they meet high standards for product and service quality. 
  2. ISO 27001:2013 Certification: This certification validates Epic’s Information Security Management System (ISMS), demonstrating their commitment to protecting sensitive information and maintaining robust security controls. 
  3. ISO 20000-1:2018 Certification: Epic has been certified for establishing and applying IT Service Management (ITSM) processes in accordance with ISO standards. This certification covers application & infrastructure support services and service desk services. 
  4. ONC-ATCB Certification: While not explicitly mentioned in the search results, Epic’s EHR system is known to be ONC-ATCB certified for secure creation and management of patient records. 

These certifications underscore Epic’s commitment to maintaining high standards of data protection, security, and quality management in the healthcare industry. They also ensure compliance with regulations like HIPAA and demonstrate Epic’s focus on protecting patient privacy and data security. 

What specific security measures has Epic Systems Corporation implemented to prevent future breaches?

Epic Systems Corporation has implemented several specific security measures to prevent future breaches: 

  1. Data Encryption: Epic employs encryption to protect patient data during transmission and storage, ensuring sensitive information remains secure even if intercepted. 
  2. Limited App Feature: Epic’s integration services prevent direct storage of patient data on Epic’s servers, instead using cloud-based servers for temporary data storage during software use. 
  3. ONC-ATCB Certification: This certification validates Epic’s ability to create, manage, and share patient records securely while preventing data theft. 
  4. Audit Trails: Epic automatically records and registers who accessed the software, their location, access time, and activities performed, creating transparency and allowing for easy detection of unauthorized access. 
  5. TLS and SSL Protocols: Epic utilizes Transport Layer Security (TLS) and Secure Sockets Layer (SSL) to protect against cyber threats and secure data transmission. 
  6. User Authentication and Role-Based Access Control: Epic implements strict user authentication processes and role-based access control to ensure only authorized personnel can access specific data. 
  7. Secure Messaging: Epic’s EHR systems include a secure messaging feature that allows healthcare teams to communicate directly within the software, eliminating potential misuse of clinical systems. 
  8. Regular Security Audits: Epic conducts routine security audits to identify and address vulnerabilities in their systems. 
  9. HIPAA Compliance: Epic ensures adherence to HIPAA and other essential regulatory protocols to maintain patient data privacy and security. 

These measures demonstrate Epic’s comprehensive approach to security, focusing on data protection, access control, and regulatory compliance to prevent future breaches. 


R1 RCM Inc

R1 RCM Inc. provides RCM services to hospitals, and in November 2023 reported a breach of the protected health information of 16,121 hospital patients. While the hospital’s network was not compromised, breached data included names, contact information, dates of birth, Social Security numbers, location of services, clinical and/or diagnosis information, and patient account and/or medical record numbers.  

RCM Data Breach Response: Remedial actions taken by R1 RCM Inc. after data breach

R1 RCM Inc. took several remedial actions following the data breach discovered on November 17, 2023: 

  1. Immediate Investigation: R1 launched an investigation to determine the extent of the breach and identify affected individuals. 
  2. Server Rebuilding: The company rebuilt the impacted server to address the vulnerability. 
  3. Patch Implementation: R1 implemented the patch released by GoAnywhere in February 2023 to address the vulnerability at issue. 
  4. Data Analysis: R1 conducted an analysis of the compromised Dignity Health patient data to determine the scope of affected information. 
  5. Notification Process: In March 2024, R1 began sending out data breach notification letters to affected individuals. 
  6. Credit Monitoring Services: The company secured the services of Kroll Identity Services to provide free identity monitoring services for two years to affected individuals. 
  7. Regulatory Compliance: R1 filed a notice of data breach with the Attorney General of Massachusetts and notified appropriate federal and state authorities. 
  8. Collaboration with Clients: R1 worked together with Dignity Health to notify impacted patients. 

These actions demonstrate R1 RCM’s efforts to address the breach, strengthen its security measures, and fulfill its obligations to affected individuals and clients. 

What security certifications does R1 RCM Inc. have?

R1 RCM Inc. holds several important security certifications and undergoes regular audits to ensure compliance with industry standards: 

  1. SOC 2 Type 2 Certification: R1 RCM undergoes annual independent Systems and Organization Control 2 (SOC 2) Type 2 audits conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. 
  2. HITRUST Certification: The company maintains Health Information Trust Alliance (HITRUST) certification, demonstrating compliance with stringent healthcare information security standards. 
  3. PCI-DSS Attestation: R1 RCM annually undergoes independent attestations of compliance with the Payment Card Industry Data Security Standard (PCI-DSS). 
  4. HIPAA Compliance: The company conducts annual independent HIPAA Security Rule risk assessments of its administrative, physical, and technical safeguards for protecting the confidentiality, integrity, and availability of data. 

Additionally, R1 RCM employs the National Institute of Standards and Technology (NIST) cybersecurity framework and undergoes periodic evaluations by external assessors against multiple frameworks, including NIST. 

These certifications and audits demonstrate R1 RCM’s commitment to maintaining high standards of data protection and security in the healthcare industry. 

What specific security measures has R1 RCM Inc. implemented to prevent future breaches?

R1 RCM Inc. has implemented several specific security measures to prevent future breaches: 

  1. Cybersecurity Program: R1 employs a comprehensive Cybersecurity Program based on the National Institute of Standards and Technology (NIST) cybersecurity framework. 
  2. Multi-layered Defenses: The program includes multi-layered defenses and technologies designed to control, audit, monitor, and protect access to sensitive information. 
  3. Internet and Perimeter Security: R1 has implemented specific measures for internet and perimeter security. 
  4. Endpoint and Email Security: The company has put in place endpoint and email security measures. 
  5. Threat Intelligence and Monitoring: R1 employs threat intelligence, monitoring, and management systems. 
  6. Data Security: Specific security measures are in place for Protected Health Information (PHI), Personally Identifiable Information (PII), and Payment Card Information (PCI). 
  7. Employee Training: R1 conducts comprehensive training for employees and third-party contractors, including onboarding and annual training, as well as advanced phishing exercises. 
  8. Access Management: The company has implemented access management controls. 
  9. Application and Cloud Security: R1 has specific security measures for applications and cloud environments. 
  10. Compliance Audits and Assessments: The company conducts routine technical and non-technical audits and assessments, both internally and with independent third parties, at least annually. 
  11. API Security: R1 has implemented pre-production, automated, and continuous API testing to ensure comprehensive API protection. 
  12. Third-Party Code of Conduct: R1 has created a Third-Party Code of Conduct for contractors, subcontractors, and other vendors, holding them to the same applicable data and privacy standards as R1. 

These measures demonstrate R1 RCM’s comprehensive approach to security, focusing on multiple layers of protection, continuous monitoring, and regular assessments to prevent future breaches. 


Allscripts Healthcare Solutions

Allscripts Healthcare Solutions suffered a ransomware attack in January 2018 that crippled its systems and caused an outage that affected thousands of physician practices and other healthcare providers across the U.S. Allscripts provides RCM, EHR, and other services to 180,000 physicians, including 100,000 electronic prescribing physicians, as well as 2,700 hospitals and 13,000 extended care organizations. These services touch some seven million patients. 

RCM Data Breach Response: Remedial actions taken by Allscripts Healthcare Solutions after data breach

Following the ransomware attack in January 2018, Allscripts Healthcare Solutions took several remedial actions: 

  1. Immediate Investigation: Allscripts launched an investigation into the ransomware attack that affected its data centers in Raleigh and Charlotte, North Carolina. 
  2. Service Restoration: The company worked to restore services to all affected clients. 
  3. FBI Notification: Allscripts notified the Federal Bureau of Investigation about the incident. 
  4. Communication with Customers: Allscripts communicated with its customers about the attack and service restoration efforts, though some customers reported issues with the clarity of these communications. 
  5. Incident Response Plan: The company implemented its existing incident response plan. 
  6. External Assistance: Allscripts sought outside help to address the attack. 
  7. System Recovery: The company worked on recovering its affected systems. 
  8. Data Protection Measures: Allscripts focused on ensuring client data was protected during the recovery process. 

While these actions demonstrate Allscripts’ efforts to address the breach, it’s worth noting that the company faced criticism from some customers regarding communication gaps and access issues during the recovery process. 

What security certifications does Allscripts Healthcare Solutions have?

Based on the available information, Allscripts Healthcare Solutions (now part of Veradigm) holds the following security certifications: 

  1. SOC 2 Type 2 Certification: Veradigm engages in SOC 2 Type 2 reports to validate its security controls and foster continuous improvement. 
  2. ISO 9001:2015 Certification: Veradigm undergoes ISO 9001:2015 reviews, which is a quality management system standard. 
  3. EHNAC Accreditation: Veradigm maintains accreditation from the Electronic Healthcare Network Accreditation Commission (EHNAC). 
  4. EPCS Certifications: Veradigm holds certifications related to Electronic Prescriptions for Controlled Substances (EPCS). 
  5. ONC Certification: Certified Veradigm products contain security features to meet applicable requirements under the ONC Certification Rule. 

It’s important to note that while these certifications are current for Veradigm (formerly Allscripts), the company continues to evolve its security practices. For the most up-to-date information on specific product certifications, it’s recommended to contact Veradigm directly or consult their official documentation. 

What specific security measures has Allscripts Healthcare Solutions implemented to prevent future breaches?

Allscripts Healthcare Solutions has implemented several specific security measures to prevent future breaches: 

  1. Data Encryption: Allscripts employs encryption to protect patient data, ensuring sensitive information remains secure. 
  2. Password Protection: The system uses passwords as part of its security measures to prevent unauthorized access. 
  3. Security Monitoring: Allscripts has implemented security monitoring to detect and respond to potential threats. 
  4. HIPAA Compliance Measures: The system includes strict security measures to ensure compliance with HIPAA regulations. 
  5. Multi-factor Authentication (MFA): Allscripts has implemented MFA to enhance access security. 
  6. Endpoint Detection and Response (EDR): The company uses EDR solutions like Microsoft Defender to detect and respond to threats. 
  7. Cloud-based Security: Some Allscripts clients are choosing to host their EHRs in the Allscripts Cloud powered by Microsoft Azure, leveraging the combined expertise of Allscripts and Microsoft security teams. 
  8. Comprehensive Cybersecurity Program: Allscripts employs a cybersecurity program based on the National Institute of Standards and Technology (NIST) framework, which includes multi-layered defenses and technologies to control, audit, monitor, and protect access to sensitive information. 
  9. Regular Risk Assessments: Allscripts offers a Privacy & Security Risk Assessment tool to help healthcare organizations identify and address potential vulnerabilities. 

These measures demonstrate Allscripts’ commitment to enhancing its security posture and protecting against future breaches. 


Cerner Corporation

Cerner Corporation, which offers RCM and EHR solutions to a variety of healthcare providers, discovered that an unauthorized party had accessed servers at its Kansas City data center. The 2016 hack jeopardized the data of NCH Healthcare System, which treats more than 40,000 patients annually in Florida. 

RCM Data Breach Response: Remedial actions taken by Cerner Corporation after data breach

Based on the available search results, there is little information about remedial actions taken by Cerner Corporation immediately after this specific data breach. However, the search results do provide some insight into Cerner’s general approach to data breaches and security, which is what we believe happened in this case: 

  • Immediate Investigation: When a potential breach is discovered, Cerner gathers sufficient data to determine if the incident meets the criteria to be considered a breach. 
  • Notification Process: Cerner Benefits, working with Cerner Legal, drafts written notifications to affected individuals. These notifications include:
    • A description of the incident and dates of breach and discovery 
    • Types of unsecured PHI involved 
    • Actions taken to investigate and remedy the breach 
  • Privacy Officer Involvement: The written notification is signed by the Plan’s Privacy Officer. 
  • Cyber Recovery Solutions: Cerner has implemented cyber recovery solutions for its customers, which include:
    • Data isolation and governance 
    • Automated data copying using an operational air gap 
    • Intelligent analytics to detect data corruption 
    • Simplified recovery processes 
  • Incident Response Team: Cerner recommends activating a dedicated incident response team, including third-party experts, to assess issues during a breach. 
  • Prioritized Recovery: In the event of a breach, Cerner advises identifying and recovering the most essential systems first, such as Electronic Health Records (EHR) systems. 
  • Continuous Security Improvement: Cerner undergoes security ratings and assessments to improve its security posture continuously. 

While these actions are not specific to a single data breach, they represent Cerner’s general approach to handling and preventing data breaches for both the company and its clients. 

What security certifications does Cerner Corporation have?

Cerner Corporation (now part of Oracle Health and AI) holds several security certifications: 

  1. ISO 9001:2008 Certification: This certification is for quality management systems. 
  2. ISO 27001:2013 Certification: This certification validates Cerner’s Information Security Management System (ISMS). 
  3. SOC 1 Certification: This certification relates to financial reporting controls. 
  4. SOC 2 Certification: This certification covers security, availability, processing integrity, confidentiality, and privacy controls. 
  5. SSAE 18 Certification: This is an auditing standard for service organizations. 
  6. EHNAC Accreditation: Cerner maintains accreditation from the Electronic Healthcare Network Accreditation Commission. 

Additionally, Cerner’s colocation service providers hold various industry-recognized security, environmental, and health and safety certifications. 

It’s worth noting that while Cerner is not currently certified to ISO 14971 for risk management (as far as we could find), they are expected to be compliant with it for solutions that are medical devices. 

Cerner also undergoes annual HIPAA assessments to maintain compliance with healthcare regulations. 

What specific security measures has Cerner Corporation implemented to prevent future breaches?

Cerner Corporation has implemented several specific security measures to prevent future breaches: 

  1. Multi-layered Defenses: Cerner employs a comprehensive cybersecurity program based on the NIST framework, including multi-layered defenses and technologies to control, audit, monitor, and protect access to sensitive information. 
  2. Access Control: The company implements physical, system, and data access controls, ensuring only authorized users can access specific resources based on their roles and on a need-to-know basis. 
  3. Data Encryption: Cerner uses encryption to protect personal data and patient health information, both in transit and at rest. 
  4. Antivirus and Anti-malware: Regularly updated antivirus software and spyware filters are deployed on the network and applicable data processing systems. 
  5. Firewall Protection: All systems containing PHI are protected by firewalls to prevent access from the Internet or other public networks. 
  6. Physical Security: Measures include badge access scanners, locks, and keys for file cabinets to protect physical access to sensitive information. 
  7. Continuous Monitoring: Cerner employs security monitoring to detect and respond to potential threats, with specific teams performing continuous health checks to identify vulnerabilities. 
  8. Incident Management: The company has an established, exercised, and documented contingency program to restore service quickly in case of disruptive incidents. 
  9. Separation of Environments: Test and production systems are separated to enhance security. 
  10. Third-party Management: Cerner requires business associate agreements and nondisclosure agreements with its third-party data centers and suppliers. 
  11. Employee Training: Comprehensive training is provided for employees and third-party contractors, including onboarding and annual training, as well as advanced phishing exercises. 

These measures demonstrate Cerner’s commitment to maintaining a robust security posture and protecting against future breaches. 


McKesson Corporation

McKesson Corporation provides “flexible solutions for end-to-end revenue cycle management for many different medical specialties and practice sizes.” In 2014, its billing services were delivered through a subsidiary, PST Services. PST experienced a data breach that exposed the personal information of more than 10,000 patients online, including patient names, billing and insurance information, diagnosis codes, and some Social Security numbers. 

RCM Data Breach Response: Remedial actions taken by McKesson Corporation after data breach

Based on the available search results, there is no specific information about remedial actions taken by McKesson Corporation after a recent data breach. However, the search results provide insights into McKesson’s general approach to cybersecurity and incident response: 

  • Incident Response Automation: McKesson implemented Tines, a security automation platform, to streamline their incident response process. This includes: 
    • Automatic setup of incident response chat rooms 
    • Sending invitations to relevant personnel 
    • Attaching relevant documents and information 
  • Suspicious Login Detection: McKesson developed an automated system to detect and respond to logins from unexpected locations, including sending notifications to managers in the appropriate language. 
  • Anti-virus Correlation: The company uses automation to correlate reports from anti-virus software, helping detect potential mass outbreaks requiring urgent attention. 
  • Vulnerability Disclosure Program: McKesson established a program encouraging security researchers to report vulnerabilities in their products and services. This includes: 
    • Documenting findings thoroughly 
    • Providing steps to reproduce issues 
    • Working with affected teams to validate reports 
  • Illegitimate Product Handling: Although not directly related to a data breach, McKesson has procedures for responding to illegitimate product notifications, including quarantining and dispositioning such products. 
  • Secure Messaging Protocols: During the COVID-19 vaccine distribution effort, McKesson coordinated with counterparts to implement secure messaging protocols for inter-company communication. 
  • Continuous Monitoring: McKesson employs continuous monitoring of its security posture using various threat intelligence feeds. 

These measures demonstrate McKesson’s proactive approach to cybersecurity and incident response, even though they are not specific remedial actions taken after a particular data breach. 

What security certifications does McKesson Corporation have?

Based on the available information, McKesson Corporation holds the following security certifications: 

  1. SOC 1 Certification: This certification relates to financial reporting controls. 
  2. SOC 2 Certification: This certification covers security, availability, processing integrity, confidentiality, and privacy controls. 
  3. SSAE 18 Certification: This is an auditing standard for service organizations. 

Additionally, McKesson’s security practices align with several industry standards and frameworks: 

  1. HIPAA Compliance: McKesson undergoes annual HIPAA assessments to maintain compliance with healthcare regulations. 
  2. PCI Compliance: The company adheres to Payment Card Industry (PCI) security standards. 
  3. NIST Cybersecurity Framework: McKesson utilizes the National Institute of Standards and Technology (NIST) cybersecurity framework. 
  4. HITRUST: While not explicitly stated as a certification, McKesson’s practices align with Health Information Trust Alliance (HITRUST) standards. 

It’s worth noting that while specific certifications are not mentioned for all standards, McKesson demonstrates a commitment to adhering to these security frameworks in its operations [1, 4]. 

What specific security measures has McKesson Corporation implemented to prevent future breaches?

McKesson Corporation has implemented several specific security measures to prevent future breaches: 

  1. Comprehensive Cybersecurity Program: McKesson employs a cybersecurity program based on the National Institute of Standards and Technology (NIST) framework, which includes multi-layered defenses and technologies to control, audit, monitor, and protect access to sensitive information [1]. 
  2. Security Automation: The company has implemented Tines, a security automation platform, to streamline incident response processes. This includes automatic setup of incident response chat rooms, sending invitations to relevant personnel, and attaching relevant documents [1]. 
  3. Automated Threat Detection: McKesson has developed systems to detect and respond to logins from unexpected locations, including sending notifications to managers in the appropriate language [1]. 
  4. Anti-virus Correlation: The company uses automation to correlate reports from anti-virus software, helping detect potential mass outbreaks requiring urgent attention [1]. 
  5. Global Risk Management: McKesson has introduced a Global Risk Management program to protect its people, products, and property worldwide [2]. 
  6. Travel Safe Program: The company has implemented a program to support and protect thousands of McKesson employees traveling and working around the world each quarter [2]. 
  7. Remote Monitoring: McKesson uses video walls to monitor cameras and access control systems remotely, allowing it to eliminate physical security guards from many facilities [2]. 
  8. Secure Messaging Protocols: During the COVID-19 vaccine distribution effort, McKesson coordinated with counterparts to implement secure messaging protocols for inter-company communication [3]. 
  9. Cold Chain Security: The company has aligned cyber and physical security measures to maintain environmental requirements for vaccine storage and distribution [3]. 
  10. Vulnerability Disclosure Program: McKesson has established a program encouraging responsible reporting of vulnerabilities by security researchers and customers [5]. 

These measures demonstrate McKesson’s comprehensive approach to security, focusing on automation, global risk management, and collaboration with industry partners to prevent future breaches. 
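Two of the automated checks described in the McKesson lists above (detecting logins from unexpected locations with a notification to the manager in the appropriate language, and correlating anti-virus reports to spot a potential mass outbreak) are easy to misjudge without seeing the logic. The following is an added example written for this article; it is not McKesson’s or Tines’ code. The log format, field names, per-user location baseline, the 15-minute / 3-host outbreak threshold, the manager-language mapping and every sample event are constructed assumptions for illustration.

```python
"""
Added example (not McKesson's or Tines' code): two automated checks run over
constructed sample log lines.

1. Unexpected-location login detection: compare each successful login's source
   country against the countries the user has historically logged in from.
2. Anti-virus alert correlation: flag a potential mass outbreak when the same
   detection name appears on >= MIN_HOSTS distinct hosts inside WINDOW.

Log format, field names, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs).
# Format: timestamp|event|user|host|country|detail
SAMPLE_LOGS = """\
2024-05-01T08:01:00|login|alice|ws-101|US|success
2024-05-01T08:05:00|login|bob|ws-202|US|success
2024-05-01T08:09:00|login|alice|ws-101|US|success
2024-05-01T08:12:00|login|alice|vpn-gw|RO|success
2024-05-01T08:13:00|login|carol|vpn-gw|RO|failure
2024-05-01T09:00:00|av_alert|-|ws-101|US|Trojan.Generic
2024-05-01T09:01:00|av_alert|-|ws-102|US|Trojan.Generic
2024-05-01T09:03:00|av_alert|-|ws-103|US|Trojan.Generic
2024-05-01T09:04:00|av_alert|-|ws-101|US|Trojan.Generic
2024-05-01T11:30:00|av_alert|-|ws-250|US|PUA.Toolbar
"""

# Assumed baseline: countries each user normally logs in from (e.g. learned
# from the previous 90 days of successful logins).
BASELINE = {"alice": {"US"}, "bob": {"US", "CA"}}
# Assumed mapping from user to the preferred language of that user's manager.
MANAGER_LANGUAGE = {"alice": "es", "bob": "en"}
WINDOW = timedelta(minutes=15)
MIN_HOSTS = 3


def parse_logs(text):
    """Parse the pipe-delimited sample format into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, event, user, host, country, detail = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "host": host, "country": country,
                       "detail": detail})
    return events


def unexpected_location_logins(events, baseline):
    """Return (user, country, timestamp) for every successful login whose
    source country is not in that user's baseline. Failed logins are ignored
    here because they do not grant access; a user with no baseline at all is
    treated as unexpected everywhere so first-seen accounts are reviewed."""
    findings = []
    for e in events:
        if e["event"] != "login" or e["detail"] != "success":
            continue
        if e["country"] not in baseline.get(e["user"], set()):
            findings.append((e["user"], e["country"], e["ts"].isoformat()))
    return findings


def correlate_av_alerts(events, window=WINDOW, min_hosts=MIN_HOSTS):
    """Group anti-virus alerts by detection name and flag any name that hits
    at least `min_hosts` distinct hosts within `window`. Repeated alerts on
    the same host count once, so a single noisy machine is not an outbreak."""
    by_name = defaultdict(list)
    for e in events:
        if e["event"] == "av_alert":
            by_name[e["detail"]].append((e["ts"], e["host"]))
    outbreaks = {}
    for name, hits in by_name.items():
        hits.sort()  # chronological order so a sliding window works
        for i, (start, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                outbreaks[name] = sorted(hosts)
                break
    return outbreaks


def notify_manager(user, country, language="en"):
    """Render the manager notification in the manager's language (assumed
    templates); unknown languages fall back to English."""
    templates = {
        "en": "Login for {user} from unexpected country {country}; please confirm.",
        "es": "Inicio de sesión de {user} desde país inesperado {country}; confirme.",
    }
    return templates.get(language, templates["en"]).format(user=user, country=country)


def run_checks(log_text, baseline=BASELINE, manager_language=MANAGER_LANGUAGE):
    """Run both checks over a log text and return structured findings."""
    events = parse_logs(log_text)
    logins = unexpected_location_logins(events, baseline)
    notices = [notify_manager(u, c, manager_language.get(u, "en"))
               for u, c, _ in logins]
    return {"unexpected_logins": logins, "notifications": notices,
            "outbreaks": correlate_av_alerts(events)}


if __name__ == "__main__":
    for key, value in run_checks(SAMPLE_LOGS).items():
        print(key, value)
```

In the sample data only alice’s login from RO is outside her baseline, so one Spanish-language notice is produced, and only Trojan.Generic reaches three distinct hosts inside the window; the PUA alert on a single host and the repeat alert on ws-101 do not raise an outbreak.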


Data breach impact on RCM clients

A survey conducted by the American Medical Association (AMA) revealed a wide blast radius from the Change Healthcare breach, and the pattern is similar across most of the breaches reported. The numbers, as percentages of surveyed practices affected, speak for themselves: 

  • 36% have seen claims payments suspended 
  • 32% have not been able to submit claims 
  • 39% have not been able to obtain electronic remittance advice 
  • 77% of respondents said they experienced service disruptions  
  • 80% of providers said they lost revenue from unpaid claims 
  • 78% lost revenue from claims that they have been unable to submit 
  • 55% have used personal funds to cover expenses incurred as a result of the attack

Nearly half of respondents said they’ve been forced to enter new (and potentially costly) arrangements with alternative clearinghouses to conduct electronic transactions. While some practices have received advance payments, temporary funding assistance, and loans, issues persist with all of those measures. Meanwhile, UnitedHealth Group said it has paid out more than $2B to help health-care providers who have been affected by the cyberattack. 

The survey also quoted affected physician practices. Their words reveal the pain being felt across the country: 

  • “This cyberattack is leading me to bankruptcy, and I am just about out of cash” 
  • “SOOOO much overtime dealing with this. Cost me an additional $50,000 in payroll.” 
  • “…estimated $100,000 in unexpected costs.”  
  • “This crippled our brand new practice. I am keeping the lights on using personal funds.”  
  • “I have not taken a salary for a month and am borrowing from personal funds to keep practice going.” 
  • “…may bankrupt our practice of 50 years in this rural community…”

As Amit Sarkar, CEO of healthcare cybersecurity consulting firm Frigg Business Solutions, says, “In the wake of the Change Healthcare incident, many organizations are scrambling to adopt security frameworks. Frameworks like HITRUST, ISO27001, SOC2 are seeing renewed interest, and for good reason”. The HITRUST 2024 Trust Report revealed that the HITRUST Assurance Program™ dramatically reduces information breaches, resulting in an incredibly low occurrence of breaches — just 0.64%. 


How Can RCM Service Providers Improve Security?

To achieve robust revenue cycle management security, full compliance is non-negotiable. Business associates, including providers of revenue cycle management services, must comply with HIPAA security requirements just as hospitals, medical centres, physician practices, and other healthcare providers must. Third-party providers are increasingly coming under scrutiny as the weakest link in the chain. To maintain client trust and keep the business alive, organizations including Revenue Cycle Management vendors need to be like Caesar’s wife: totally above suspicion.

Four outstanding cybersecurity frameworks are readily available to RCM providers and other members of the healthcare industry: the HITRUST CSF, NIST CSF, ISO 27001 Standard, and SOC 2 framework. Each lets an organization map its security policies, procedures, and safeguards to a universally accepted set of controls.

  • According to the International Organization for Standardization, ISO 27001 “promotes a holistic approach to information security, vetting people, policies, and technology. An information security management system implemented according to this standard is a tool for risk management, cyber resilience, and operational excellence” for any organization. 
  • Systems and Organizational Control Type 2 (SOC 2) is a “cybersecurity compliance framework developed by the American Institute of Certified Public Accountants for the primary purpose of ensuring that third party service providers store and process customer data in a secure manner.” Information systems are evaluated against five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy.
  • The HITRUST CSF is a “universal framework that maps to all critical security control sets” and provides a “comprehensive, scalable, reliable, and efficient framework for risk management and regulatory compliance” that is designed to help any organization adapt to new threats, standards, and regulations quickly and effectively. HITRUST was originally developed to promote HIPAA compliance in the healthcare industry and remains a great option for healthcare providers and their business associates.
  • The National Institute of Standards and Technology (NIST) promotes a cybersecurity framework that enables organizations to better manage and reduce cybersecurity risk. NIST CSF 2.0 consists of six core functions: Identify, Protect, Detect, Respond, Recover, and Govern. A key benefit of this framework is that it enables an organization to assess its ability to respond to and recover from a data breach or other cyber incident, which are especially common in the healthcare industry.


Final Takeaways

The revenue cycle management market was valued at USD 135.92 billion in 2023 and is projected to grow to USD 361.86 billion globally by 2032, a compound annual growth rate of 11.7%, according to Fortune Business Insights. The number of RCM service providers exceeds 350, as listed by Becker’s Hospital Review in 2024. Enormous volumes of sensitive patient data are processed, used, stored, and managed by these RCM companies—most of which have untreated cybersecurity vulnerabilities, if the data breaches among the top ten are any indication. 

As healthcare business associates, revenue cycle management companies are required to comply with HIPAA regulations. Fortunately, revenue cycle management security and compliance can be achieved through the implementation of one of the highly respected cybersecurity frameworks available today. RCM firms owe it to their customers and their customers’ patients, as well as their other stakeholders, to improve revenue cycle management security without further delay. 

References

https://revcycleintelligence.com/features/how-revenue-cycle-managements-security-needs-are-evolving
https://www.hipaajournal.com/change-healthcare-responding-to-cyberattack/
https://www.unitedhealthgroup.com/ns/health-data-breach.html
https://hyperproof.io/resource/understanding-the-change-healthcare-breach/
https://23257256.fs1.hubspotusercontent-na1.net/hubfs/23257256/Change-Healthcare_CaseStudy.pdf
https://www.ispartnersllc.com/blog/change-healthcare-data-breach-2024/
https://convergencenetworks.com/blog/understanding-the-change-healthcare-cyberattack-lessons-learned-and-moving-forward/ 
https://www.fenwick.com/insights/publications/cyber-resilience-after-the-change-healthcare-breach
https://www.cnbc.com/2024/04/12/epic-systems-boots-particle-health-for-unauthorized-sharing-of-data-.html
https://www.hipaajournal.com/epic-systems-access-particle-health-patient-privacy-concerns/
https://digitalhealth.folio3.com/blog/epic-ehr-security-features/
https://www.epicinfotech.com/certification/
https://www.360connect.com/product-blog/epic-ehr-patient-privacy/
https://www.jdsupra.com/legalnews/r1-rcm-announces-data-breach-affecting-6443140/
https://www.hipaajournal.com/r1-rcm-data-breach-impacts-16000-patients/
https://www.beckershospitalreview.com/cybersecurity/r1-rcm-reports-data-breach.html
https://www.classaction.org/media/hillbom-v-r1-rcm-inc-et-al.pdf
https://www.linkedin.com/posts/r1-rcm_responding-to-healthcare-cyberattacks-to-activity-7271958707985387520–IRv   
https://straussborrelli.com/2024/03/15/r1-rcm-data-breach-investigation/   
https://www.myinjuryattorney.com/dignity-health-r1-rcm-data-breach-class-action-investigation-and-lawsuit-assistance/   
https://www.board-cybersecurity.com/annual-reports/tracker/20240227-r1-rcm-inc-de-cybersecurity-10k/
https://www.barclaydamon.com/alerts/Class-Action-Lawsuit-Claiming-Business-Interruption-Brought-Swiftly-After-Ransomware-Attack-02-01-2018
https://www.csoonline.com/article/564830/customers-describe-the-impact-of-the-allscripts-ransomware-attack.html
https://compliancy-group.com/allscripts-ehr-ransomware-hipaa-violation-data-breach/
https://veradigm.com/legal/security-program/
https://transcure.net/allscripts-emr-system-for-healthcare/
https://www.alterahealth.com/2022/02/cybersecurity-in-modern-health-it-a-conversation-between-allscripts-and-microsoft/
https://www.veritas.com/community/sites/default/files/PSRA01_PrivacyandSecurityRiskAssessment_Datasheet_05-31-11_0.pdf
https://ulearn.cerner.com/content/cerner/courses/1459437368254/HIPAA%20Privacy%20and%20Security%20Policy%20and%20Procedures.pdf
https://www.techtarget.com/searchhealthit/news/366578791/Enabling-Resilience-through-Cyber-Recovery-for-Cerner-Customers
https://static.rainfocus.com/oracle/ocw24/sess/1718384557689001cZyS/finalsessionfile/FridakisOCW_1726607066858001DPEf.pdf
https://www.upguard.com/security-report/cerner
https://ulearn.cerner.com/content/cerner/courses/1414007080850/1281460155%20Cerner%20Quality%20Systems%20and%20Regulations%20Training%20v1.pptx
https://www.keragon.com/hipaa/hipaa-compliant-checker/cerner
https://www.oracle.com/corporate/acquisitions/cerner/security/
https://www.oracle.com/a/ocom/docs/technical-and-organizational-measures.pdf
https://www.tines.com/case-studies/mckesson/
https://www.mckesson.com/cybersecurity/coordinated-vulnerability-disclosure/
https://www.fda.gov/inspections-compliance-enforcement-and-criminal-investigations/warning-letters/mckesson-corporation-headquarters-2719-565854-02072019
https://pmc.ncbi.nlm.nih.gov/articles/PMC10508865/
https://www.upguard.com/security-report/mckesson
https://www.mckesson.com/cybersecurity/
https://careers.mckesson.com/en/cybersecurity-cyber-security-jobs
https://www.haivision.com/case-studies/mckesson/
https://www.cnbc.com/2024/03/18/unitedhealth-group-paid-more-than-2-billion-to-providers-after-attack.html
https://hitrustalliance.net/
https://blog.24by7security.com/what-is-the-best-way-to-comply-with-all-the-regulations-for-my-healthcare-organization
https://blog.24by7security.com/the-gist-of-nist-csf-2.0
https://www.fortunebusinessinsights.com/industry-reports/revenue-cycle-management-market-100275  

If You Need Guidance or Immediate Assistance

Contact us at (+91 733-113-2288), or write to us at (service@friggp2c.com | friggp2c@gmail.com)

Also, check out our services like Vulnerability Assessment, Penetration Testing, Code Review, Testing as a Service, and Risk Management on our website www.friggp2c.com. We are determined to work with and for you and make your organization one of the safest business organizations for you, your customers, and all prospective clients.

About the Authors

Amit Sarkar (amit.sarkar@friggp2c.com) is the Founder of Frigg Business Solutions at Sheridan, Wyoming, USA, and Hyderabad, Telangana, India. He is a seasoned writer whose articles have been published by HCCA and SCCE, a former CEO of a US Healthcare Regulatory Compliance service organization, and a senior global leader in HIPAA Compliance, IT Security, Risk Management, and Compliance Governance.

He is a tenured business leader with over two decades of experience leading organizations across multiple domains, including healthcare. He has seen the impact of security breaches first hand and has become a passionate advocate for security and compliance preparedness in organizations.

Ayan Chatterjee, Cybersecurity Marketing expert