Small and rural healthcare organizations have to grapple seriously with many challenges that their larger counterparts are often better able to navigate. Not to do so could risk closure.
Uncompensated care is a big one, of course. Combined with ever-higher operational costs, declining reimbursements mean many rural health systems and hospitals skate on thin financial ice and fear finding themselves at the brink of closure.
Another challenge is cybersecurity. Costly data breaches can pose a potentially existential risk to some facilities. Worse, small hospitals are often top targets for cybercriminals. It’s not a challenge many can face on their own.
Consider this vicious cycle:
- Workforce shortages and/or increased labor costs drive the need to invest in technology that controls overall operating costs.
- But added software and new IT platforms introduce new network security risks, requiring further investments in cybersecurity to protect organizations from bad actors who seek to disable services or hold protected data for ransom.
- If a cyberattack is successful, the incident then poses new recovery costs and may incur expensive fines to settle with regulatory agencies for failures to protect patient data.
These are potentially huge problems for small providers and only compound the workforce and resource challenges they’re already dealing with.
But some affordable and manageable technology strategies can help address those vulnerabilities, keeping providers up and running while delivering quality patient care and securing their data.
We spoke recently with Chris Stenglein, CEO of Curae, which develops healthcare financing technologies and other tools. He discussed how rural healthcare providers can manage these challenges while maintaining profitability.
We also spoke with George Pappas, CEO of security service firm Intraprise Health, about how small health systems can boost their cyber resilience by purchasing IT and security resources collectively and contracting with lower-cost virtual security officers.
Both experts say small and rural providers could benefit from some careful and collaborative approaches to cost-efficiency and cybersecurity.
Affordability gap
Financial struggle is particularly acute for rural emergency hospitals (25-50 beds) that don’t receive the same explicit federal help as critical access hospitals (25 beds and below), said Pappas.
When Medicaid cuts impact access to care, it motivates providers serving rural and underserved communities to look at other ways to address uncompensated care, Steinglen said in a separate conversation.
State Medicaid regulations further complicate rural providers’ financial stability, as high eligibility thresholds can significantly reduce reimbursement for large portions of their patients.
As a result, the patient has become the largest single payer in healthcare, Steinglen said.
“What we hear from executive CFOs, CEOs, revenue cycle managers and even patient access coordinators [is that] patients have continued to defer care,” he said.
This affordability gap, exacerbated by COVID-19, has driven hospitals to connect patients with payment sources and help providers to keep funding their care services.
But reducing a rural health system’s uncompensated care level by 10-20% could avoid shuttering its doors permanently, Stenglein said.
Curae’s cost recovery and containment platform for Federally Qualified Health Centers and acute care providers leverages numerous data sources to connect patients with potential payment opportunities and automates the organization’s billing communications with them.
Cost-containment burdens
Stenglein said the platform searches all avenues of eligibility, identifying insured patients mistakenly categorized as self-pay, performing Medicaid eligibility checks and simplifying access to charitable and philanthropic funding sources, and offers a self-pay financing option.
“Unbanked and undocumented individuals” who apply can and do get approved, while provider customers achieve returns that range from 10% to 30% of their uncompensated care levels, he said.
Overall, for patients who apply for either a two-year interest-free plan or a five-year, interest-bearing plan, an average of 80-94% are approved.
Stenglein said one multi-state health system operating dozens of rural hospitals gained >$100M in transactions over more than two years from 90,000 applicants, 93% of which were approved.
“As the patient pays down their balance, they can use up to their remaining credit limit across most of our acute and ambulatory services,” a patient administration support specialist from the organization said in a statement shared with Healthcare IT News.
Stenglein said bridging the affordability gap and encouraging more patients to seek care when needed requires a data engine to simplify the complex process of charity care, philanthropic resourcing and free drug programs.
They are “archaic and paper-based,” he said.
With the automated platform connecting patients to healthcare payment resources and helping uninsured patients find affordable insurance programs, providers can avoid adding labor costs and burdens.
Safety in numbers
Many smaller hospitals are not performing basic cybersecurity practices like managing privileged accounts, instituting multi-factor authentication or conducting regular vulnerability scanning and timely patching, Pappas said.
Community hospitals running on smaller electronic health record systems often run into these issues, he said.
“I’ve seen this first-hand,” said Pappas. “They have shared common instances, because cloud computing has been around for a while. How secure is it? How elegant is the partitioning and the user responsibilities?”
Fundamental progress can be made with relatively small investments. Federal programs, like Microsoft’s and other Big Tech outreach initiatives, have shown this to be true, he added.
However, while many offer temporary discounted access to better assessment and remediation products, the long-term sustainability and consistent oversight for fixing vulnerabilities will remain a challenge for rural providers, he said.
Pappas said it’s crucial for their survival to join collaboratives like Healthcare Controlled Networks.
These groups have supported adopting EHRs, improved data sharing and provided shared licenses and operational support to members, including common infrastructure services.
“The concept behind FQHCs and HCCNs is to enable small healthcare providers to access high-quality, well-resourced support for both front- and back-office operations – support they would struggle to build and manage on their own,” he said.
OSIS, which serves more than 100 health centers across 32 states, is an HCCN that “exemplifies this model,” he said.
To support members’ annual security risk analyses to ensure compliance with HIPAA privacy law, OSIS implemented an automated tool called HIPAA One to increase SRA completion, according to a case study Pappas provided.
In the first year, the shared tool achieved an 83.9% improvement in SRA completion and an 11.5% year YoY increase in OSIS members completing SRAs.
The improvement rates show that “without centralized support from organizations like OSIS and tools like HIPAAOne, individual medical practices often struggle to complete their SRAs,” Pappas said. “Many either skip them entirely or abandon the process midway due to limited understanding, time, or financial resources.”
The shared tool not only helped OSIS members identify and address security issues, but it also saved them compliance time. With many SRA questions answered through the HIPAAOne platform, “when a health center logs into its local version, over half of the questions are already pre-populated,” he said.
Because OSIS has a centralized view of progress, it can prioritize where support is needed across its membership and provide resources to address the highest risks.
“Ultimately, this turns security from a once-a-year compliance exercise into an ongoing conversation,” Pappas said.
While individual hospitals ultimately remain responsible for their security posture, the HCCN model allows for pooling resources to share Security Operations Centers, purchase penetration testing and other tools that reduce provider security operations burdens.
Introducing the vCISO
Another important cybersecurity affordability strategy for rural providers is the implementation of a virtual chief information security officer, said Pappas. Intraprise offers a suite of cybersecurity services, including vCISOs.
In this model, a trained cybersecurity professional helps to oversee security practices and protocols across multiple hospitals and health systems. With remote accountability, they can nurture security programs and prioritize fixes.
While Microsoft’s rural vulnerability assessment program has been helpful, “Why don’t they just make all those more advanced features available on a more permanent basis, like through a nonprofit program?” Pappas suggested.
After a healthcare organization opts to take advantage of the Microsoft program assessment and a one-year 75% discount on security products that help them identify needed system remediation, “Someone has to supervise the fixing,” he said.
“How can that be made more available on a more sustained basis? That’s kind of the conundrum there that I think the industry is going to face when [the assessment and discount program] winds down.”
While automation and artificial intelligence technologies could improve endpoint detection and remediation capabilities for rural hospitals with significant vulnerabilities stemming from outdated technology and legacy systems, AI is not ready to manage cyber hygiene alone.
“Remediation tracking cannot only be automated,” said Pappas. “You still need a person who has some accountability to that organization to be looking at those outstanding things that need to be fixed.”
A vCISO can help keep cybersecurity defense top-of-mind among an organization’s leadership, in addition to detecting and preventing cyber threats in other ways.
“Someone who doesn’t live there is fractional and can do a lot of this job remotely,” he said.
If rural organizations make use of resources such as virtual CISOs and HCCNs to improve security postures and operations, perhaps they might not just avoid closure but also find they can increase their margins, attract more patients and improve health outcomes.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.
