The Revenue Cycle Cyber Preparedness Playbook
A health system's revenue cycle is exposed during a catastrophic downtime. CFOs, CROs, and VPs of Revenue Cycle have a fiduciary obligation to act — here is the three-phase playbook for what to actually do.
Last week, Signature Health in Massachusetts became the latest health system to be taken offline by a cyberattack. The list gets longer every month. The AHA and the Joint Commission have begun partnering on cyber preparedness — but the focus, again, is on the clinical side of the house. The revenue cycle has been left to figure this out on its own.
So let me say this plainly: a health system's revenue cycle is exposed during a catastrophic downtime. We as an industry are unprepared. And the people whose job it is to protect that revenue — CFOs, CROs, VPs of Revenue Cycle — have a fiduciary obligation to do something about it.
The Seatbelt Analogy
Would you put your baby in the back seat of your car without strapping them in? Of course not. Your brakes work. You passed your driver's test. Your car has regular maintenance. None of that is the point.
Now let me ask the harder version: would you drive that unstrapped baby on I-285 in Atlanta? You wouldn't. And not because you don't trust yourself. You wouldn't because you don't trust the other drivers. The potholes are real. The dangers are external — and you cannot control them. So you strap the baby in. You prepare for the worst-case scenario even when your own competence is not in question.
Your revenue cycle is the baby. And it's unstrapped.
Your IT team is competent. Your billing team is excellent. Your processes are mature. None of that protects you when a nation-state-sponsored attacker — and CISA, HHS, and the FBI have all issued advisories about exactly this — takes your EHR offline for 25 days. The threat is external. The preparation has to be specific.
This Is a Stewardship Problem
CFOs, CROs, and VPs of Revenue Cycle are hired to be good stewards of the financial health of their organizations. Protecting hundreds of millions of dollars in annual revenue against the most likely catastrophic operational event of the next 24 months is not optional. It is the job.
We have been put on high alert. The advisories are public. The attack rate on healthcare is up roughly 90% year over year. The average healthcare ransomware event now runs 18 days of downtime at $1.9M per day in operational loss. If you have not built a revenue cycle continuity program, the question is not whether you should. The question is what you are going to do about it this quarter.
The Playbook
There are three phases. Each one has specific work.
Phase 1: Before the Attack — Preparedness
Most of the work lives here. If you do this part well, the other two phases get dramatically easier.
Get an honest assessment. Not a clinical IT assessment. Not a generic cybersecurity audit. A revenue-cycle-specific resiliency assessment that looks at every department where revenue is being generated during a downtime — patient access and the clinical departments that feed the revenue cycle: pharmacy, lab, radiology, OR, ED, observation, infusion. The back-office work — billing, AR, denials — is important, but it is not at risk during the outage itself. The revenue being generated in real time is.
House your downtime documents in one place. Every hospital has them — paper procedures, downtime forms, contact trees, chargemaster snapshots — scattered across shared drives, binders, and people's heads. They need to be in one accessible system that does not depend on your EHR being up, with built-in semi-annual review reminders aligned to Revenue Cycle Cyber standards.
Stand up a downtime platform for the revenue cycle. This is the seatbelt. When the EHR goes dark, you need an active platform that preserves patient access, census and ADT, charge capture, and eMAR. Paper margins will not hold for 25 days.
Get organizational buy-in early. This is not an IT project. It is a CFO, CRO, and VP-of-Revenue-Cycle project, with IT in support. Bring your CMIO and Chief Nursing Officer into the conversation so the workflow is integrated with clinical preparedness. The boards of hospitals that have lived through a cyberattack universally said the same thing afterward: we wish we had spent the money up front.
Run drills. Not tabletop exercises ending at hour eight. Actual full-cycle drills that run documentation, charge capture, and reconciliation workflows across multi-day scenarios. The first drill will be ugly. The third will be useful. The fifth is the difference between a $3M recovery and a $300K recovery.
The assessment can be done in two months or less. The platform can be set up in the same timeframe. The question is not whether you have time. It is whether this is a priority.
Phase 2: During the Attack — Response
If you have done the work in phase one, this phase is execution, not improvisation. The teams know what to do because they have practiced.
- Activate the downtime platform within the first hour. Patient access, census, charge capture, and eMAR run on the downtime system. The paper chart remains the legal medical record.
- Run a parallel data-capture team. Clinical staff cannot retroactively enter their charges after day three — they will be seeing new patients. The work has to happen in parallel. The natural source is redeployed staff whose normal work is paused when the EHR is down: billers, follow-up reps, denial specialists. They have hands, eyes, and revenue cycle expertise — and their work has stopped anyway.
- Extract sub-system results before they purge. Lab, radiology, pathology, microbiology, and blood bank results sit in sub-systems with finite local storage. During an extended downtime, those caches fill and the oldest results are overwritten. Someone must own getting those results out before that happens.
- Communicate up. The board, the bond rating agencies, and the cyber insurance carrier all want to hear from you — proactively, with a specific plan, and with confidence. Silence is what triggers downgrades and underwriting scrutiny.
Phase 3: After the Attack — Recovery
This is the phase that destroys margins if the first two phases were not done well. If they were, recovery is QA — not reconstruction.
- Sync the downtime platform back into the EHR. Charges, ADT events, and eMAR data flow back. Your team validates rather than rebuilds.
- Reconcile the paper chart against the digital record. The legal medical record stays on paper, but every entry must be verified against the structured capture from your downtime system. The unit-level user does this — they were there, they know what happened.
- Manage the document avalanche. Twenty-five days of paper records have to become digital records that qualify as the legal medical record — complete, authenticated, time-stamped, attributed, indexed. Plan for it. Most hospitals process loose records at a handful per week. The volume after a 25-day downtime is categorically different.
- Run the post-mortem. What worked. What did not. Where the drills were too easy. The third attack is when you find out whether you have actually learned.
The Economics
Take a 200-bed hospital as an example. Annual net patient revenue is roughly $200–$300 million, or about $550K–$820K per day. A 25-day downtime exposes that organization to $14–$20 million in revenue at risk — before considering recovery costs, regulatory exposure, and reputational damage.
A revenue cycle continuity program — assessment, downtime platform, training, drills — costs that 200-bed hospital roughly $40–$50K annually. That is in the neighborhood of 0.3% of the revenue it protects. If you presented those numbers to a board as a hedge against any other risk of comparable size, you would be required to buy it.
Two additional financial benefits compound over time and are worth raising in board conversations. Bond rating agencies — Fitch, Moody's, S&P — are increasingly attentive to cyber preparedness as a credit factor. Fitch issued the first cyber-related hospital downgrade in 2024. Cyber insurance underwriters are explicitly rewarding provable recovery capability with better premiums and terms. Neither of these is the reason to invest in revenue cycle continuity. They are the reasons the math works even better than the operational case alone.
From a Former VP of Revenue Cycle
I was a VP of Revenue Cycle. If I were in that seat today, knowing what I know now, I would be on pins and needles until every part of this playbook was in place. Not because I expected to be attacked tomorrow. Because I knew that if I were, the question my CFO and my board would ask is not "how did this happen?" The question would be "why weren't we ready?"
Be ready. The work is two months. The cost is a fraction of the protection. The stewardship case is unambiguous.
Strap the baby in.
Resources
For an independent revenue cycle cyber resiliency assessment: Sarah Dekutowski at Draffin & Tucker is one of the most knowledgeable people in this space. Her assessment will tell you exactly where your gaps are.
For downtime document management and revenue cycle downtime platforms: Amelior Management Solutions & Services builds purpose-built tools for exactly this problem — including a document repository with built-in semi-annual review reminders and a revenue cycle downtime platform that preserves patient access, census and ADT, charge capture, and eMAR when your EHR goes dark. ameliormss.com.
For the freely-downloadable Revenue Cycle Cyber standards: Built by a national group of revenue cycle leaders, aligned to AHA, Joint Commission, and CMS requirements. Available at ameliormss.com.
Valerie F. Barckhoff is the CEO of 6QD. She brings more than 30 years of revenue cycle experience, including leadership roles as SVP of Revenue Cycle Transformation at Optum, Director of Revenue Cycle IT at PwC, and VP of Revenue Cycle at Saint Joseph's Hospital of Atlanta. She has personally led financial-recovery workstreams for health systems following cyberattacks.
Ready to discuss how this applies to your organization?
Every health system faces a unique mix of constraints and opportunities. 6QD can help translate these insights into a concrete roadmap.