With the ongoing impacts of the COVID-19 crisis, health insurance companies are under a lot of pressure, which is exactly the time when cyberattackers like to strike. But Matthew Krawse, Vice President of Business Solutions at Zelis Healthcare, has some sound advice for helping health insurers manage risk and withstand the efforts of cyberattackers, both today and in the future. In a conversation with Financial Technology Today, Krawse shared how risks impact payer and provider organizations both internally and externally. In addition, he commented on the importance of finding the right partner, one that includes cybersecurity as a core competency. Continue reading to learn how health insurers can be better prepared to defend against cyberattacks.
Financial Technology Today (FTT): Health insurers are among the most popular targets for cyberattacks. What motivates these bad actors?
Matthew Krawse (MK): Health insurers are at the intersection of personal and financial information, and this intersection is actually what attracts bad actors. Because we are a healthcare company, an information technology company, and a fintech company, we’ve prioritized security and it’s one of the major pillars of our business. It’s critical to understand that there are different types of bad actors, motivations, levels of sophistication, and attack routes. All the while, these situations are becoming more and more prevalent as we continue to be more remote and as bad actors get smarter and more advanced in their tools.
Security is not just the deployment of one layer of protection based on one type of bad actor, it’s an ever-evolving process. When you start to approach it in these terms you realize that if security and compliance are not one of the core competencies, and with many health insurers it is not, it is critically important to find a partner that has it as one of theirs.
Our approach to security is one that we call a hub-and-spoke security model. It takes into consideration all of the different aspects that I just mentioned. It mitigates all the potential risks through a process that starts with technology, goes into a systematic check and balance process, and is guided by human capital. Each spoke of that process is independent of each other, but it’s also interconnected, which means that each situation can really stand on its own. But all of the situations combined are mutually exclusive and collectively exhaustive on the risks.
FTT: It’s not just external attacks that affect payers, though. How do fraud and abuse impact payers and also add risk to business operations?
MK: The internal, or what we will call opportunistic bad actors, are a real threat. These can be individuals that are within a payer or provider, or in close proximity to the physical locations. It is absolutely something that needs to be considered when you think of the security model. First and foremost, the biggest way that someone can try and mitigate this is internally through communication within their organization. It always comes back to the basics of not sharing logins, ensuring knowledge of what a suspicious email looks like, and why you should not click on a suspicious link. These are things that we all know but need to be reminded of. As well as knowing these fundamentals it’s vital to ensure that you have a system in place that does track audit reports. With education, robust security solutions, and auditing in place you’ve got the basics in place to mitigate attacks and the downstream impacts to your business operations and, in the case of providers, patient care.
FTT: How does converting from paper-based to electronic payments and communications help protect payers?
MK: First, we are eliminating several of the human components from the risk equation. There’s no need for paper to be sent to the mail and then delivered either to a member or a provider. There’s no need for those respective parties to get that information, file that information, transact on that information. Converting from paper-based to electronic communications avoids something sitting in a mailroom, a mailbox, or on someone’s desk, and, in the process, you eliminate both malicious and benign types of risks.
Secondarily, we’re ensuring that there’s transparency on delivery. What that means is converting to an electronic or digital communication for payment ensures that there is an understanding of directly who the payment was to, who received it, when they received it, and when they transacted upon it.
The combination of those two is wildly impactful to ensuring that there’s a layer of protection above and beyond what you get from paper documentation.
FTT: What risks does embracing electronic payments and communications introduce?
MK: Risk is inherent, so even though moving to electronic payments and communications mitigates many sources of risk, risk still exists. Because payers and providers are focused on their own core competencies, the issue of cyber risk management presents challenges. It isn’t that cyber risk isn’t top of mind, after all, the high-profile breaches have put cybersecurity at the top of every healthcare payer and provider’s agenda, but it’s more that finding the right solutions and trusted partner is a challenge.
From my perspective, the biggest risk that payer and provider organizations face is if they take on digitizing these payments and communications themselves. That is because bad actors will continue to get more targeted and more advanced because attacks are their core competency, and they will increase in efficiency and frequency far more quickly than a payer or provider can respond. By working with a trusted partner, payers and providers can focus on their jobs and leverage the partner’s insights, resources, and expertise in protecting digital assets.
FTT: What more can payers do to ensure they can stay ahead of cyberattacks?
MK: For payers and providers, the focus needs to be on internal employees and networks, in particular on communication and training. The basics of digital hygiene always start with the people that you work with. Then focus on external sources of risk and make sure you have partners for whom data protection and understanding risk is a core competency and who will work with you and protect you.
FTT: What should health insurers look for in terms of security and compliance when choosing a payments and communications partner?
MK: There are three important considerations. The first is identifying industry standard best practices. In healthcare, that means finding a partner that has audited certifications. These certifications provide a trusted framework for understanding what a partner will do and has done, and they allow third-party audits of these best practices.
Second, there is a focus on ensuring that a payment and communication partner is focused on doing all of these as core competencies and under their own roof. You want one organization that knows the ins and outs and is able to support your organization and provide a comprehensive end-to-end solution. The real importance here, which most people overlook, is that there’s only one IT and one security team that knows the details. You want one house, one team, one solution.
The third and final consideration is understanding that certifications, best practices, and value propositions are table stakes. There is so much more that goes into protecting than just these frameworks. When an organization is looking to find a payments and communications partner, during your diligence, ask questions about education scenarios, ensure you feel comfortable with the responses you’re hearing, and make sure you’re getting the details that will ensure the organization is completely protected. Simply put, knowledge is the most important tool you can have when choosing a secure payments and communications partner.
FTT: Do you have any final thoughts to share with us?
MK: The focus of cybersecurity and compliance in healthcare has been on payers, but over the past 24 months, providers have also seen a dramatic increase in the number of potential attempts and successful attacks. We’re not turning back from an interconnected world, from remote work and care, or from digital forms, and this is giving bad actors so many more targets and opportunities for a successful attack. It’s imperative that payers and providers find partners that can secure both ends of the workflow and process and ensure members are completely covered.