Operational Resiliency: Mitigating Risks from a Cyber Attack on Third-Party Vendors
This is an AArete Healthcare Payer insight
The risk of a data breach keeps many health plan leaders up at night. But while executives often focus on the IT impact of a cyberattack, they don’t worry enough about the many downstream business impacts.
Even a small breach of a third-party vendor’s system can disrupt operations for days, weeks, or longer, upsetting members and frustrating providers. Cyberattacks are also costly, with the average breach costing healthcare organizations nearly $11 million. We’ve even seen some breaches cost organizations billions of dollars.
The good news? Now is the best time to prepare. Read on to examine the risks and explore effective vendor resiliency strategies, such as comprehensive business continuity plans, to keep operations running smoothly.
Thinking Through Every Potential Scenario
One of the most challenging parts of business continuity planning is grasping just how much can go wrong when a third-party vendor’s system fails. It’s something I’ve experienced firsthand.
I was an IT leader for a large payer organization at the time when an update to one of our vendors’ systems caused unexpected chaos. The reason: Our organization’s business users had developed other processes on top of the same system, unbeknownst to our IT team. As a result, we needed extra time to assess the situation, restore those business processes, and minimize the impact.
In the same way that our IT team needed to see all the potential impacts of a system outage, so too do operations teams. It’s tempting to think that a breach impacting an electronic data interchange (EDI) platform will affect only reimbursements, or that a call center outage will only need a backup phone tree to ensure calls don’t get missed. Each of these systems, however, has ripple effects that sometimes get missed. For instance, if that data integrates into a data warehouse, claims system, or member experience queue, it will impact multiple teams and functions.
Conversely, most employees inside a payer organization rely on multiple systems to do their jobs. Nurses, for example, may spend most of their time in a utilization management and care management (UMCM) platform. However, they also need information such as claims history, ADT (admission, discharge, and transfer) feeds, and membership data to effectively manage a member’s continuity of care. An outage affecting any of these systems will inhibit their ability to execute these tasks properly.
Adding Up the High Costs of Business Interruption
The longer it takes an operations team to recover from a cyberattack, the greater the impact on the business. Potential risks include:
- Widespread inefficiencies: In an uncertain economy, health plans are under pressure to do more, faster—with fewer people. Without clear direction from business leaders, employees will struggle to regain their productivity after a breach, creating a negative bottom-line impact.
- Penalties and fines: Non-compliance with Medicaid regulations can lead to a Corrective Action Plan (CAP), which could include hefty monetary penalties and potentially even the suspension of Medicaid eligibility.
- Employee satisfaction: Payer organizations today are leaner than ever, often relying on onshore or offshore staff augmentation for claims processing or other essential workflows. But if a cyberattack forces those tasks back in-house, the workload can quickly become overwhelming—with little time to retrain internal teams.
- Quality ratings: Ongoing disruption can cause a plan’s Medicare star ratings to decline, which could lead to millions of dollars in lost bonus payments, not to mention damage to a plan’s reputation among members and providers.
- Data dilemmas: Inaccurate data can erode care quality and member trust—and health plans don’t always realize it’s happening. In one case, a vendor cleansed data but never sent changes back to the health plan, leaving operations leaders completely unaware.
Hope for the Best; Prepare for the Worst
Although “business as usual” may not be possible during a cyberattack, payers can keep phones answered, providers paid, and members supported—with a robust business continuity plan in place.
In the past, short-term plans that covered the initial hours or days following the attack were enough. Not anymore. Given the long-term impacts of recent large-scale ransomware attacks, today’s operations teams should develop strategies that stretch for at least 30 days. A plan should include, at a minimum:
- Communications guidelines that go beyond simply notifying members of a breach. The strongest plans are both internal and external, including key messages for line-of-business employees, providers, and regulatory bodies like the Centers for Medicare and Medicaid Services (CMS). Set clear expectations in these communications so all parties know what to expect in terms of turnaround times, reimbursements, and other crucial details.
- Clear step-by-step instructions detailing how employees should respond following a breach. Consider all alternatives and build in redundancies where possible. For example, could the organization use data in its member portals temporarily, or is that data incomplete? Are member ID cards stored in a backup system to mitigate disruptions from an attack on a mail room or print vendor?
- Resiliency without extra complexity. Two potential ways to accomplish this:
  - Consider redundant vendors for resiliency
  - Strengthen contractual service level agreements (SLAs) in existing contracts to ensure faster response and recovery times
Partner Up to Keep Business Moving
With the scope and frequency of data breaches increasing, operations teams often need support to build strategies that account for every contingency. Our team at AArete has developed a proven methodology, backed by 30-plus years of expertise in the payer space, to help health plans assess and strengthen their business continuity plans.
Our Vendor Resiliency Program assesses each vendor’s operational impact across the payer value chain, examining which processes could break should a cyberattack occur. We also talk with key health plan personnel, bringing visibility to hidden aspects of daily workflows so they can be included in an organization’s contingency strategies.
Next, we dive deep into vendors to understand the potential financial, reputational, member satisfaction, or provider satisfaction risk they may create. Using our expertise in vendor contracting, we also help operations leaders evaluate their current SLAs to determine whether any areas for improvement exist.
After gathering this background, we can create a business contingency plan from scratch or recommend ways to enhance a current plan. We recommend reviewing these plans at least twice annually, if not quarterly, to keep the organization prepared.
Even the Playing Field with IT and Operations
While a lot can go wrong during a cyberattack, a lot can go right, too. Health plans that combine IT disaster recovery planning with business continuity planning can minimize business interruption and emerge from a data breach stronger than before.
Learn more about AArete’s Healthcare Payer Consulting Solutions.
Meet The Authors

Diane Body
Vice President