HFMA: 8 Security Tips for Remote Revenue Cycle Staff

Ken TownsendAugust 5, 2020

improving revenue cycle security

Poorly secured home networks. Highly accessible workstations. Use of personal laptops that don’t adhere to security standards. Each of these (and more) is a vulnerability for revenue cycle staff working at home during COVID-19. Unfortunately, with vulnerability comes opportunity for hackers to target this newly remote workforce and access protected health information (PHI). Consider the following strategies to mitigate risk:


1. Require a signed telecommuting agreement.


Chris Apgar, CISSP, CCISO, president of Apgar & Associates, LLC, a privacy and security consulting company based in Tigard, Oregon, said remote revenue cycle staff must attest to the following:


  • Anti-malware and firewalls updated at least weekly with continuous scans enabled
  • Operating system patches applied within one week of release
  • Secure cabled router or wireless router secured with WPA2
  • Secure connection to the corporate network (e.g., through a Virtual Private Network [VPN])
  • Strong device password
  • Strong home router password


Security patching, in particular, tends to go under the radar, says Ken Townsend, CISSP, vice president and chief information security officer at R1 RCM, an outsource revenue cycle management vendor headquartered in Chicago, Illinois. Patching is likely an afterthought for remote staff using their home computer because most users are focused on providing customer service — not keeping up with the latest vulnerabilities, he said. For health systems, it’s also difficult to routinely identify software bugs and vulnerabilities, and it’s challenging to take critical systems offline for routine maintenance, he adds.


Read the full HFMA article here.

Author Bio: Ken Townsend is the Vice President and Chief Information Security Officer at R1.