Why revenue cycle teams must prepare for extended downtime in the age of cyber threats
Cyber incidents are not merely IT problems — they are enterprise‑wide crises with immediate revenue implications.
In today’s volatile cybersecurity landscape, healthcare organizations are under siege. Ransomware, data breaches and cloud outages are no longer rare events — they are persistent threats with enterprisewide consequences. For revenue cycle teams — the financial lifeblood of hospitals — the pernicious effects are immediate: If systems are down, claims don’t go out, cash doesn’t come in and compliance risks increase. Preparing for extended downtime is no longer optional. It’s essential.
The escalating threat: 2024–2025 in review
Recent events have underscored how a single cyber incident can ripple across the entire healthcare ecosystem. Industry reporting from 2024 documented widespread ransomware activity against providers, escalating ransom payments and sizable recovery costs. There’s also an upsurge in explicit attempts to compromise or encrypt backups.
Threat actors increasingly target financial and operational systems because they know downtime directly impacts cash flow. For revenue cycle operations, these realities translate into stalled claims submission, delayed patient billing and disruptive manual workarounds. Even short outages can create significant backlogs. Multi-week outages can jeopardize payroll, vendor payments and organizational liquidity.
Case examples of cyber events underscore the risks involved
Two recent cyberattacks — one that captured the attention of the nation and one that is emblematic of the threat faced by every provider organization — serve as reminders as to why hospitals and health systems must be ever vigilant.
Case example 1: Clearinghouse outage and the revenue cycle shockwave. In early 2024, Change Healthcare — a major clearinghouse — sustained a prolonged ransomware outage that disrupted claims processing and payment flows for thousands of providers nationwide. Many revenue cycle teams had to revert to manual processes or pause transactions altogether, revealing dependencies on third parties for eligibility, claims editing and remittance access.[a]
The event surfaced a critical blind spot: Many teams lacked direct, alternate pathways to payer portals, historical claims or eligibility data outside their clearinghouse connection. It also highlighted the need for organizations to understand where their financial data lives, how it flows and what access is required to keep billing operations moving during an outage.
Case example 2: Backups in the crosshairs. A regional multihospital system experienced a ransomware event that encrypted production billing servers and attempted to spread into backup repositories. Although the organization had invested in modern cybersecurity tools, its network-connected backups were still vulnerable to credential-based attacks — a tactic increasingly used by threat actors targeting healthcare.
Fortunately, the health system had implemented a 3-2-1 backup strategy that included an offline, immutable copy of critical financial and operational data.[b] This offline layer prevented total data loss and allowed the organization to restore priority revenue cycle systems within several days, even as forensic teams worked to contain the broader incident.
Nonetheless, the event exposed two severe gaps:
- Payer-portal credentials were not centrally tracked.
- Manual claim forms and job aids were outdated.
After the organization recovered from the event, leaders standardized entitlement reviews, rotated credentials, refreshed the manual forms library and institutionalized quarterly downtime drills. The event reinforced a critical lesson: Even when backups save the day, operational readiness determines how quickly revenue cycle teams can resume cash-generating work.
Why revenue cycle leaders must act now
The revenue cycle’s effective performance depends on a tightly coupled set of platforms including EHRs, practice management systems, clearinghouses, payer portals and banking interfaces. When any one of these systems goes offline, the impact on cash flow is immediate.
Ad‑hoc workarounds during crises can disrupt operations and result in compliance exposure if documentation is incomplete, approvals are unclear or handling of protected health information (PHI) deviates from policy. Extended downtime also increases the risk of denials, delays secondary billing and creates reconciliation challenges that can take months to unwind.
6 steps to building a resilient downtime strategy
A durable downtime program blends people, process and technology. The following components, implemented collaboratively by revenue cycle and IT leadership, turn high‑level plans into executable playbooks that can withstand outages lasting days or even weeks. Development of program approaches and policies should be a transparent process that offers all revenue cycle areas opportunities to ask questions and provide input.
1 Manual claims and payment workflows. Ensure staff are well-trained and kept up-to-date on paper/CSV file format workflows and keep approved forms, job aids and printers accessible.[c] Maintain an up-to-date inventory of payer‑specific paper claims and submission options, including mailing addresses and fax numbers. Ensure staff know how to complete and route these forms without relying on automated edits or clearinghouse logic.
2 Secure offline data access. Maintain encrypted, routinely updated, read‑only copies of critical billing and patient financial data (balances, demographics, payer details, work queues) with role‑based access controls. Confirm these extracts are stored offline or in an immutable format, so they remain accessible even during a ransomware event.
3 Cross‑training and staffing flexibility. Build redundancy for key functions (charge capture, coding, claim edits, payment posting) to sustain throughput if certain specialists are unavailable. Cross-training also reduces bottlenecks when teams must shift to manual workflows.
4 Communication protocols. Define contact trees and backup channels (e.g., secure texting) for situations in which email or voice over internet protocol (VoIP) is unavailable, and script messages to be shared with patients via communication channels (e.g., text, email and the organization’s website) about statements and payment options during outages. Ensure leaders know how to communicate with payers and vendors when primary systems are down.
5 Vendor and payer coordination. Document each partner’s downtime steps and recovery timelines. Confirm how to exchange eligibility, claims and remits if primary connectivity is unavailable. Ensure IT is included in these conversations, so technical recovery aligns with operational needs.
6 Regular downtime drills. The drills should be cross‑functional exercises that simulate ransomware and cloud outages, measuring time‑to‑pivot and identifying gaps in data, staffing or approvals. Drills should include IT, revenue cycle, compliance and vendor partners. They should be unannounced to simulate the unexpected nature of cyberattacks, while also being conducted often enough to ensure organizational readiness in the face of evolving security needs (e.g., at least twice annually).
Cloud vulnerabilities and access controls: What finance leaders should verify
Cloud platforms power core revenue cycle functions — from analytics to clearinghouses. Misconfigurations, however, are a leading cause of exposure. Finance leaders should partner with IT to create and verify the following:
- Identity controls such as multi-factor authentication (MFA), conditional access, role‑based privileges
- Logging and retention for admin actions and data movement
- Segmentation of production, test and analytics environments
- Encryption and key‑management practices
- Incident‑response integration with cloud providers, including how to isolate services, rotate credentials and restore from immutable backups
Unused portals should be closed, and legacy integrations that expand the organization’s attack surface should be terminated. Finance leaders also should confirm that cloud vendors meet security baselines and participate in downtime planning.
How to assess revenue cycle risk
When reviewing cyber risk in the revenue cycle, leaders should undertake a concise process with steps focused on the following key elements:
- Inventory. List revenue‑critical systems, data stores, vendors and dependencies.
- Threats. Identify top scenarios (ransomware, cloud outage, insider misuse, vendor breach).
- Controls. Map existing safeguards (backups, MFA, monitoring) and gaps.
- Impact/likelihood. Score business impact (cash flow, compliance, patient experience) and likelihood of each.
- Plan. Prioritize mitigations (e.g., offline backups, entitlement cleanup) and assign owners and deadlines.
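A worked version of the five steps above, as an added example that is not from the article: a small Python risk register that scores each revenue-critical system against the named scenarios, flags missing safeguards and turns the gaps into an owner-assigned plan. The control-to-scenario mapping, owner roles, score bands and the sample inventory are assumptions.

```python
# Threat scenarios from the assessment steps and, as an assumption, the
# safeguards expected against each one (gap = expected but not in place).
EXPECTED = {
    "ransomware": {"offline_immutable_backup", "mfa", "monitoring"},
    "cloud outage": {"offline_extract", "manual_workflow"},
    "insider misuse": {"least_privilege", "monitoring"},
    "vendor breach": {"vendor_attestation", "manual_workflow"},
}
# Hypothetical owner per safeguard, using the roles named in the continuity plan.
OWNER = {"offline_immutable_backup": "IT lead", "mfa": "IT lead", "monitoring": "IT lead",
         "offline_extract": "ops lead", "manual_workflow": "ops lead",
         "least_privilege": "compliance/privacy", "vendor_attestation": "vendor liaison"}

def deadline_days(score):
    """Assumed remediation window by impact x likelihood band (scores run 1..25)."""
    return 30 if score >= 15 else 90 if score >= 8 else 180

def assess(inventory):
    """Steps 1-4: score every system/scenario pair and list its control gaps."""
    rows = []
    for s in inventory:
        for scenario, expected in EXPECTED.items():
            rows.append({"system": s["name"], "scenario": scenario,
                         "score": s["impact"][scenario] * s["likelihood"][scenario],
                         "gaps": sorted(expected - s["controls"])})
    return sorted(rows, key=lambda r: (-r["score"], r["system"], r["scenario"]))

def plan(rows):
    """Step 5: one action per open gap, worst risk first, with owner and deadline."""
    actions, seen = [], set()
    for r in rows:
        for gap in r["gaps"]:
            if (r["system"], gap) not in seen:
                seen.add((r["system"], gap))
                actions.append({"system": r["system"], "control": gap,
                                "owner": OWNER[gap], "due_days": deadline_days(r["score"])})
    return actions

# Constructed sample inventory (step 1); impact and likelihood are 1 (low) .. 5 (severe)
INVENTORY = [
    {"name": "clearinghouse", "dependencies": ["eligibility", "claims", "remits"],
     "controls": {"mfa", "vendor_attestation"},
     "impact": {"ransomware": 5, "cloud outage": 5, "insider misuse": 2, "vendor breach": 5},
     "likelihood": {"ransomware": 3, "cloud outage": 3, "insider misuse": 1, "vendor breach": 3}},
    {"name": "billing server", "dependencies": ["EHR", "payment posting"],
     "controls": {"mfa", "monitoring", "least_privilege", "offline_immutable_backup"},
     "impact": {"ransomware": 5, "cloud outage": 1, "insider misuse": 3, "vendor breach": 2},
     "likelihood": {"ransomware": 3, "cloud outage": 1, "insider misuse": 2, "vendor breach": 1}},
]
```

Running `plan(assess(INVENTORY))` puts the clearinghouse's missing manual workflow, offline extract, monitoring and immutable backup at the top with 30-day deadlines, because those pairs score 15 and have open gaps.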
To promote clarity of purpose and sharpen accountability, this process should be specifically labeled a revenue cycle cyber risk assessment in related documents and presentations. The risk assessment should be reviewed annually and after any major system or vendor changes.
Vendor security, audits and contractual guardrails
Because third‑party risk also represents revenue cycle risk, organizations should expect that their vendors do the following:
- Attest to security controls, encryption of backups, MFA for support portals and breach‑notification timelines.
- Provide evidence of recent security assessments and tabletop exercises.
- Build into contracts rights to audit, minimum logging standards and obligations to support the organization’s downtime drills.
- Ensure contracts clearly define recovery expectations, data-ownership responsibilities and communication protocols during outages.
From questions to action: Incident response and business continuity
To translate risk awareness into concrete readiness, revenue cycle leaders should address five key questions, ensuring that the answers are documented, tested and refreshed after each drill or incident.
1 What systems are critical to billing and collections, and what are their recovery time objective (RTO)/recovery point objective (RPO) targets? This question should be tied to the risk assessment and downtime drills.
2 How do we access patient financial data if the EHR or clearinghouse is offline? As a related concern, it is important to document offline extracts, read‑only access and data owners.
3 Are our backups protected from ransomware and operator error? Leaders should confirm encryption, offline/immutable copies, test restores and separation of duties.
4 What is our recovery time for clearinghouse or payer‑portal outages, and what are our manual alternatives? Leaders should assemble a complete list of forms, file specs and contacts.
5 How often do we test our joint downtime protocols, and what did we change after the last exercise? Lessons learned and the owners of the areas affected should be clearly described.
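An added example, not from the article, of the checks behind questions 1 and 3: a Python function that tests a backup inventory against the 3-2-1 rule, the RPO target, encryption, a recent successful restore test and separation of duties between the account that writes backups and one that could delete them. The field names, thresholds and the sample inventory are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Example threshold (assumption): restore tests older than this do not count.
RESTORE_TEST_MAX_AGE = timedelta(days=90)

def check_backups(copies, rpo, now):
    """Check a backup inventory against the 3-2-1 rule, the RPO target,
    encryption, restore testing and separation of duties. Returns a list of
    findings; an empty list means every check passed."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies; 3-2-1 needs three")
    if len({c["media"] for c in copies}) < 2:
        findings.append("all copies share one media type; 3-2-1 needs two")
    if not any(c["offsite"] and (c["offline"] or c["immutable"]) for c in copies):
        findings.append("no off-site copy that is offline or immutable")
    restore_proven = False
    for c in copies:
        if not c["encrypted"]:
            findings.append(f"{c['name']}: not encrypted")
        age = now - c["last_written"]
        if age > rpo:
            findings.append(f"{c['name']}: newest data is {age.days} days old, RPO is {rpo.days} days")
        if c["writer_can_delete"]:  # a compromised backup account must not be able to purge copies
            findings.append(f"{c['name']}: backup writer can also delete copies")
        t = c["last_restore_test"]
        if t is not None and c["restore_ok"] and now - t <= RESTORE_TEST_MAX_AGE:
            restore_proven = True
    if not restore_proven:
        findings.append("no successful restore test within the last 90 days")
    return findings

NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed clock so the example is repeatable
RPO_7D = timedelta(days=7)                        # assumed RPO for the billing database
def _ago(**kw): return NOW - timedelta(**kw)

# Constructed inventory for a billing database: three copies, two media types and an
# off-site immutable copy, but with two defects the checks should catch.
BILLING_COPIES = [
    {"name": "onsite snapshot", "media": "disk", "offsite": False, "offline": False,
     "immutable": False, "encrypted": True, "last_written": _ago(hours=2),
     "writer_can_delete": True, "last_restore_test": _ago(days=20), "restore_ok": True},
    {"name": "cloud object copy", "media": "object storage", "offsite": True, "offline": False,
     "immutable": True, "encrypted": True, "last_written": _ago(hours=6),
     "writer_can_delete": False, "last_restore_test": None, "restore_ok": False},
    {"name": "tape vault", "media": "tape", "offsite": True, "offline": True,
     "immutable": True, "encrypted": True, "last_written": _ago(days=9),
     "writer_can_delete": False, "last_restore_test": _ago(days=200), "restore_ok": True},
]
```

`check_backups(BILLING_COPIES, RPO_7D, NOW)` reports that the on-site snapshot's writer can delete copies and that the tape copy is older than the RPO; nothing else is flagged because the on-site restore test is recent and succeeded.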
These five questions should be elevated into a formal incident response and business continuity plan through the following actions:
- Define roles (executive lead, ops lead, IT lead, compliance/privacy, vendor liaison)
- Determine decision thresholds (when to isolate, when to invoke manual workflows)
- Prepare and disseminate basic communication scripts (internal, payer, patient)
- Establish recovery objectives (RTO/RPO) for each critical function
- Store the incident response and business continuity playbook in an accessible, offline location and test it regularly and jointly with IT and key vendors
What’s next: AI‑assisted threats and 2026 readiness
Cyber adversaries are rapidly adopting AI to increase the speed and sophistication of attacks — from convincing spear‑phishing to automated credential‑stuffing and lateral‑movement playbooks. Expect more frequent, blended attacks and plan for extended outages. Revenue cycle leaders should partner with IT on anomaly detection, identity protections and rapid credential rotation procedures, while making sure offline/immutable backups remain at the center of recovery planning.
A call to action
Cyber incidents are not merely IT problems — they are enterprisewide crises with immediate revenue implications. Preparedness is power: Revenue cycle leaders should align with IT now to harden identity controls, secure and test offline backups, formalize incident response and rehearse manual workflows.
The goal isn’t to eliminate risk; it’s to ensure the revenue cycle can operate through it.
Footnotes
a. For a timeline of this event, see Hut, N., “Cyberattack on Change Healthcare brings turmoil to healthcare operations nationwide,” hfma.org, Feb. 25, 2024.
b. A 3-2-1 strategy involves keeping three copies of data, with two media types (e.g., hard drive, cloud storage) and one copy kept off-site.
c. CSV stands for comma-separated values, a simple plain-text format for storing data where each data record is a line, with commas separating fields.
12 cyber hygiene essentials every hospital must practice
Cybersecurity is an enterprise responsibility. Finance and revenue cycle leaders often partner with or oversee IT functions. Understanding foundational controls accelerates preparedness. At a minimum, to secure the foundation of organizational resilience and directly influence revenue cycle continuity, these leaders should ensure the following essentials are in place and regularly audited:
- Multi‑factor authentication for all remote access and privileged accounts
- Strong password policies with rotation, length/complexity and password manager guidance
- Timely patching and updates across servers, endpoints, EHR add‑ons and medical devices
- Ongoing workforce education on phishing, social engineering and safe data handling
- Encryption of sensitive data at rest and in transit, including backups
- Modern endpoint protection and network firewalls with active threat‑intelligence feeds
- Routine, tested backups of critical systems and data with documented recovery objectives
- A 3‑2‑1 backup strategy (three copies, two media types/locations, one offline/immutable copy)
- Continuous monitoring and alerting for anomalous logins, data exfiltration and lateral movement
- Least‑privilege access and periodic entitlement reviews, with prompt decommissioning of unused accounts and portals
- Regular security audits and vendor attestations, and the requirement that partners meet the organization’s security baseline
- A strict policy of keeping current on cybersecurity issues (including AI‑assisted attacks) and updating playbooks accordingly