When ASCs choose a billing partner, data security usually isn't a reason
driving the decision. Rather, it's typically one or more financial
objectives (e.g., improving collections, reducing denials, eliminating
bad debt and revenue leakage, streamlining business office performance,
maximizing profitability).
However, success in these areas would be for naught if the billing partner
doesn't effectively protect its ASC clients' sensitive patient
and financial data. A breakdown in security that leads to a data breach
and subsequent theft of client data could lead to significant financial,
legal, and reputational challenges for the billing company and its partner
ASCs. That's why it's imperative for an ASC billing company to
treat all layers of security as a top priority.
What does prioritizing security look like when selecting an ASC billing
partner? Be sure the company you choose takes these steps.
Follow best practices for security management
To achieve effective security management, an ASC billing company should
keep current with best practices. For example, a company may use what's
described as the "CIA triad" model, which comprises three
elements: confidentiality, integrity, and availability. The company can
pair that model with an internally developed hybrid risk management framework
that uses qualitative and quantitative methods to analyze risk and guide
decisions and actions.
While that's heavy on the security jargon, the key takeaway is that
an ASC billing company should have clearly defined security practices
and methodologies while leveraging controls and solutions that can defend
against the latest threats.
An ASC billing company should also be transparent about how it approaches
security management. This includes permitting surgery center clients to
audit the company's defense mechanisms by reviewing security policies
and procedures and requesting information about the solutions used to
protect sensitive data. If a billing company pushes back on requests to
learn more about its approach to security management, consider this a red flag.
Approach security and compliance as complementary
Security and compliance are typically treated as separate functions with
a symbiotic relationship. They share the goal and vision of helping organizations
manage their risk, and thus should work hand in hand. Yet companies often
struggle to attain such successful collaboration between security and
compliance, which typically results in these functions operating in silos.
That's how it's possible for an organization to be secure and
not compliant or be compliant and not secure.
Perhaps the most famous example of the latter is the data breach
Target experienced in 2013. The company had its Payment Card Industry Data Security Standard (PCI
DSS) compliance confirmed just weeks before it suffered one of the largest
breaches on record, affecting more than 41 million consumers.
An ASC billing company should have strong security and compliance leadership
who understand the complementary nature of those two functions and work
closely together. When this is achieved, the company will perform better
in both areas, as will its ASC clients.
Make ongoing investments in security
While cybercriminals are becoming savvier with their tactics, security
technology companies are developing solutions to help keep criminals at
bay. An ASC billing company should invest in such solutions, including
powerful data encryption, password managers, and endpoint detection and
response tools that leverage artificial intelligence.
The company should also provide ongoing security training to its staff
and undergo assessments to identify improvement opportunities. Such assessments
include those performed by the ASC billing company and those performed
by an external entity that provide an unbiased look into the company's
technology and security environments.
Commit to continuous improvement
Finally, like its ASC clients, a billing company should maintain an overarching
commitment to continuous improvement. That's not just for client-facing
services but internal operations as well. This extends to how the company
manages risk and the steps it takes from a security standpoint, including
those discussed above.
Give Security the Attention It Deserves
Cybercrime is on the rise, and ASCs and their data are appealing targets.
By making security a top priority and ensuring the vendors you
partner with, including your ASC billing company, do the same,
you increase the likelihood that cybercriminals will view your ASC and
its data as challenging targets and move on.
That's why, if you're considering outsourcing your ASC billing and
revenue cycle management or any other function that will require you to
share sensitive data with a third party, ask those companies under consideration
about how they approach data security. If the answer you're given
doesn't instill confidence, look elsewhere for a partner.