
Cybersecurity is often seen as the responsibility of the IT department—but in the event of a breach, its impact stretches far beyond the server room. A single ransomware attack can disrupt billing workflows, delay collections, stall patient follow-up, and jeopardize regulatory compliance. Even more damaging is the erosion of patient trust, which can take years to rebuild and directly affects an organization’s financial health.
Lately, we have all seen the devastating effects of cyberattacks against major health networks. In fact, according to the AHA, the healthcare records of over 150 million Americans were hacked in 2024 — the most in history.
So, what can providers do? After all, many breaches originate with essential third parties in the industry and then impact healthcare organizations and their patients. According to the same AHA report, 85% of the largest healthcare data breaches are due to attacks on third-party vendors or non-hospital healthcare organizations.
In this article, we want to empower healthcare leaders with the right questions to ask and the right safeguards to seek when partnering with vendors, and more specifically, revenue cycle vendors. With the right due diligence and collaboration, providers can strengthen their cybersecurity posture without compromising efficiency or patient experience.
Cyberattacks Don’t Discriminate…Unless You’re in Healthcare
Healthcare continues to hold the unwanted distinction of being the most targeted—and most costly—industry for cyberattacks. According to the AHA report, healthcare has led all sectors in cost per breach for 14 consecutive years, with the average breach in 2024 reaching an astounding $9.77 million. But why is this sector so uniquely vulnerable?
Several converging factors have expanded the attack surface across healthcare organizations. One particularly concerning trend is the growth of “medjacking,” or medical device hijacking, where attackers exploit unsecured devices as entry points into hospital networks. The rapid adoption of connected medical devices, while improving care delivery, has also introduced new vulnerabilities. Many of these devices lack modern security protections and are difficult to update, especially in the hands of less tech-savvy users. The rise of telehealth and remote care, accelerated by the pandemic, added even more endpoints that transmit and store sensitive patient data. At the same time, the industry faces persistent staffing shortages, including in cybersecurity roles, making it harder to defend against increasingly sophisticated threats.
There’s no question that technology has brought incredible advancements to patient care and operational efficiency. But with each digital innovation comes added responsibility—to safeguard patient data, protect operational continuity, and ensure trust in the systems that support care.
Maintaining Trust with Your Revenue Cycle Partner
In today’s threat landscape, cybersecurity isn’t just about firewalls and software upgrades—it’s about trust. When healthcare organizations share access to patient data, billing systems, and financial infrastructure with third-party vendors, they are placing a significant amount of confidence in those relationships. Maintaining that trust requires more than service-level agreements; it demands ongoing collaboration, transparency, and accountability.
Your revenue cycle management (RCM) partner should function as an extension of your team—not just in helping you optimize financial performance, but in safeguarding your data. That means clearly communicating security protocols, being responsive to questions about risk mitigation, and proactively sharing updates around compliance and system safeguards. Providers should feel empowered to ask questions about cybersecurity posture, request documentation around certifications or breach response protocols, and understand exactly how their data is being handled and protected. Additionally, it’s crucial to not just have the controls in place, but to regularly test them. For example, Revco performs two Incident Response exercises per year and one Disaster Response exercise per year.
10 Questions to Ask Your RCM Vendor About Cybersecurity
Not all third-party partners are created equal. As providers navigate a complex digital ecosystem, it’s critical to assess vendors not just on performance — but on protection. Here are key questions to ask any revenue cycle management partner to ensure they are as serious about cybersecurity as you are:
- What cybersecurity frameworks do you follow?
  - Revco follows PCI, HITRUST, SOC 2 and NIST.
- How is patient data encrypted, both in transit and at rest?
  - At Revco, data at rest is encrypted with AES 256-bit encryption. Data in motion/transit is encrypted with TLS 1.2 or stronger.
- Do you conduct regular third-party penetration testing and risk assessments?
  - Yes. We conduct annual internal and external penetration tests, in addition to multiple third-party audits.
- What is your incident response plan in the event of a breach — and how will you communicate with us?
  - In the event of a breach, we activate our incident response team to assess, contain, and remediate the issue, guided by legal and contractual obligations. If client data is affected, we will promptly notify impacted parties with any relevant details and next steps.
- How do you vet and monitor your own subcontractors and partners?
  - We have a very strong third-party vendor management process that onboards every vendor and requires them to show evidence that security controls are in place.
- Are you compliant with HIPAA, HITECH, and other relevant regulations? Can you demonstrate it with recent audits or certifications?
  - Yes.
- Do you offer Business Associate Agreements (BAAs) with clear data protection clauses?
  - Yes.
- What measures are in place to ensure continuity of service during a cyberattack?
  - Some measures Revco has in place include fault tolerance, high availability and real-time data sync across multiple data centers to ensure we are resilient to cyberattacks.
- How often do you train your employees on security best practices?
  - We host multiple annual trainings and weekly phishing exercises to test our employees.
- What role can we play in jointly strengthening cybersecurity across our partnership?
  - At Revco we believe a strong cybersecurity partnership relies on open communication, shared awareness, and mutual accountability. By regularly exchanging intel, best practices, and timely updates on potential risks, we can work together to proactively strengthen our joint security posture.
Download the questionnaire here to share it with your vendor partners!
Revco Solutions Can Help
At the same time, RCM vendors must recognize that trust is earned continuously. Regular training, maintaining certifications, independent audits, real-time monitoring, and transparent communication channels all play a role in reinforcing confidence. In a climate where patient trust is closely linked to data protection, healthcare organizations need partners who are not just technically capable, but also committed to security as a shared value.
Revco Solutions understands the sensitive environment we are involved with and works diligently to protect our environment. Because we strive to achieve the highest standards in compliance and technology, we have chosen to pursue and obtain the following audits/certifications:
- Audited Financial Statements
- HITRUST r2
- $20M cyber liability coverage
- SOC 2 Type II
- Tech Lock Certified Audit for the following:
  - Payment Card Industry Data Security Standard (PCI DSS) version 3.2 – Level 1 Service Provider
  - Health Insurance Portability & Accountability Act (HIPAA)
  - ISO 27002:2013
  - Gramm-Leach-Bliley Act (GLBA) Safeguards Rule
  - Federal Trade Commission (FTC) Red Flag Rules
  - Adherence to state regulatory requirements regarding patients and consumers
Cybersecurity isn’t just an IT issue—it’s a shared responsibility, and a strong vendor relationship will enhance your organization’s resilience, not weaken it. For providers, this means that even routine clinical or billing workflows could be vulnerable if the right protections aren’t in place. As the digital front door widens, so must our vigilance—especially when it comes to the systems and partners that support the revenue cycle.