Skip to Main Content

insightsarticles

PEPPER temporarily suspended by CMS

02.09.24

The Centers for Medicare and Medicaid Services (CMS) has temporarily paused the Program for Comparative Billing Reports (CBRs) and Evaluating Payment Patterns Electronic Report (PEPPERs). During this pause, which is expected to end in the fall of 2024, CMS will be improving and updating the program.

The PEPPER summarizes provider-specific Medicare claims data that can be used as a guide for providers to help identify and prevent payment errors and revenue capture opportunities.

For more information, visit the CMS website.

BerryDunn partners with assisted living, skilled nursing, and specialized housing facilities, as well as retirement communities, to optimize their operations. Our senior living experts have more than four decades of experience in helping clients optimize finances, staffing, processes, and technology. Our advisors deliver practical, up-to-date advice for improving operational performance, and can help with issues like high taxes, financial and regulatory compliance, poor cash flow, leadership turnover, technology challenges, and more.  Learn more about how we can help.

Topics: senior living, CMS

Related Services

Related Professionals

Principals

BerryDunn experts and consultants

Follow these six steps to help your senior living organization improve cash flow, decrease days in accounts receivable, and reduce write offs.

From regulatory and reimbursement rule changes to new software and staff turnover, senior living facilities deal with a variety of issues that can result in eroding margins. Monitoring days in accounts receivable and creeping increases in bad debt should be part of a regular review of your facility’s financial indicators.

Here are six steps you and your organization can take to make your review more efficient and potentially improve your bottom line:

Step 1: Understand your facility’s current payer mix.

Understanding your payer mix and various billing requirements and reimbursement schedules will help you set reasonable goals and make an accurate cash flow forecast. For example, government payers often have a two-week reimbursement turn-around for a clean claim, while commercial insurance reimbursement may take up to 90 days. Discovering what actions you can take to keep the payment process as short as possible can lessen your average days in accounts receivable and improve cash flow.

Step 2: Gain clarity on your facility’s billing calendar.

Using data from Step 1, review (or develop) your team’s billing calendar. The faster you send a complete and accurate bill, the sooner you will receive payment.

Have a candid discussion with your billers and work on removing (or at least reducing) existing or perceived barriers to producing timely and accurate bills. Facilities frequently find opportunities for cash flow optimization by communicating their expectations for vendors and care partners. For example, some facilities rely on their vendors to provide billing logs for therapy and ancillary services in order to finalize Resource Utilization Groups (RUGs) and bill Medicare and advantage plans. Delayed medical supply and pharmacy invoices frequently hold up private pay billing. Working with vendors to shorten turnaround time is critical to receiving faster payments.

Interdependencies and areas outside the billers’ control can also negatively influence revenue cycle and contribute to payment delays. Nursing and therapy department schedules, documentation, and the clinical team’s understanding of the principles of reimbursement all play significant roles in timeliness and accuracy of Minimum Data Sets (MDSs) — a key component of Medicare and Medicaid billing. Review these interdependencies for internal holdups and shorten time to get claims produced.

Step 3: Review billing practices.

Observe your staff and monitor the billing logs and insurance claim acceptance reports to locate and review rejected invoices. Since rejected claims are not accepted into the insurer’s system, they will never be reflected as denied on remittance advice documents. Review of submitted claims for rejections is also important as frequently billing software marks claims as billed after a claim is generated. Instruct billers to review rejections immediately after submitting the bill, so rework, resubmission, and payment are timely.

Encourage your billers to generate pull communications (using available reporting tools on insurance portals) to review claim status and resolve any unpaid or suspended claims. This is usually a quicker process than waiting for a push communication (remittance advice) to identify unpaid claims.

Step 4: Review how your facility receives payments.

Challenge any delays in depositing money. Many insurance companies offer payment via ACH transfer. Discuss remote check deposit solutions with your financial institution to eliminate delays. If the facility acts as a representative payee for residents, make sure social security checks are directly deposited to the appropriate account. If you use a separate non-operating account to receive residents’ pensions, consider same day bill pay transfer to the operating account.

Step 5: Review industry benchmarks.

This is critical to understanding where your facility stands and seeing where you can make improvements. BerryDunn’s database of SNF Medicare cost reports filed for FY 2015 - 2018 shows:

Skilled Nursing Facilities: Days in Accounts Receivable

Step 6: Celebrate successes!

Clearly some facilities are doing it very well, while some need to take corrective action. This information can also help you set reasonable goals overall (see Step 1) as well as payer-specific reimbursement goals that make sense for your facility. Review them with the revenue cycle team and question any significant variances; challenge staff to both identify reasons for variances and propose remedial action. Helping your staff see the big picture and understanding how they play a role in achieving department and company goals are critical to sustaining lasting change AND constant improvement.

Change, even if it brings intrinsic rewards (like decreased days in accounts receivable, increased margin to facilitate growth), can be difficult. Acknowledge that changing processes can be tough and people may have to do things differently or learn new skills to meet the facility’s goal. By celebrating the improvements — even little ones — like putting new processes in place, you encourage and engage people to take ownership of the process. Celebrating the wins helps create advocates and lets your team know you appreciate their work. 

To learn more, contact one of our revenue cycle specialists.

Article
Six steps to gain speed on collections

Cost increases and labor issues have contributed to the rise of outsourcing as an option for senior living and health care providers.  While outsourcing of all types is a growing trend — from the C-suite to food service, it is a decision that should be considered carefully, as lack of planning could result in significant long-lasting financial, public relations and personnel losses. Let’s examine the outsourcing of billing services and collections.

If you are concerned with efficiencies and focusing on your core business needs — nursing care and rehabilitation — then your facility owners and management may have or are currently considering outsourcing one or both end stages of the revenue cycle.

There are some compelling reasons to outsource.

When choosing to outsource, your facility can reduce or even eliminate the challenge of keeping up with increasing complexities of medical billing, staff development and retraining, software costs, and workforce challenges. Smaller facilities can mitigate billing office resource shortages caused by staff vacations, medical leaves and turnover via outsourcing portions of their revenue cycle processes.

Because of a variety of software options, extensive coding and evolving reimbursement policies, professional billing and collection companies may be more efficient, delivering a stronger cash flow by reducing the rate of denied or rejected claims and assuring accurate coding. As facilities normally pay either a “per claim” fee or a percentage of their patient service revenue for this service, the facility’s cost fluctuates with changes in census or payer mix. Facilities may serve their customers better by decreasing insurance denials and reducing balance transfers to patients.

Outsourcing may help organizations to focus on their core business: senior living services.

Your facility should assess your organization’s readiness, fit and contract limitations prior to outsourcing. Here are some things to consider.

1. Be accountable. It is your facility’s ultimate responsibility to comply with all applicable rules and regulations, including HIPAA. And while signing a business associate agreement is a step in right direction, it may not guarantee peace of mind.

  • Ask a potential vendor about data transmission, storage, sharing, access and destruction policies, as well as processes designed to monitor compliance. Question any recent breaches or unauthorized access incidents — how were they handled? As HIPAA non-compliance and unauthorized access to protected health information (PHI) may result in financial penalties and bad publicity, you should evaluate the need to consult with an expert.
  • Ensure the vendor knows your state’s facility licensing regulations. For example, some states prohibit charging patients or residents any collection fees. Some states or payers require refunds for any overpayments to within certain defined periods. A good vendor will meet your state’s regulations. Ask to review their standard collection forms and collection procedures and protect your organization from unexpected non-compliance tags. 

2. Communicate. Discuss what information they require, when, in what format, and how they will make corrections. In-house billing staff can normally access a resident’s medical file, whether electronic or paper, or inquire with the facility operations team regarding a particular claim. This is not the case with an external vendor. 

  • To outsource effectively, you need to designate an in-house position to respond to missing information requests promptly. Facilities operating on web-based medical records software should evaluate the risks of granting a billing vendor even limited access to residents’ electronic medical files.
  • Review contract terms for any up charges assessed by the vendor if your facility can’t respond to information requests in a timely fashion. 

3. Understand and agree upon the scope of the contract. Contract scope misunderstanding can have long-lasting financial implications for the facility, and result in increased bad debt. Your management team should compile a list of assumptions and agreement terms not stated clearly in the contract, and address them in a meeting before accepting the terms. At a minimum, get answers to these questions:

  • Is the vendor submitting bills for all types of payers, levels of care and billing forms, including private, private long-term care insurance, adult day and outpatient, or only certain electronic claims?
  • Is the vendor responsible for notifying your organization of any delays with claim processing, payer requests for supporting medical records and any other identified administrative requests and rejections? If so, how fast and in what format?
  • Is the vendor responsible for assisting with regulatory compliance reporting, such as required data for a cost report preparation, audit, etc.?
  • What minimum quality assurance steps does the vendor apply when generating and processing claims, and how do they remedy identified issues?
  • Is the vendor only submitting bills or are they also working on collections?
  • Is the facility or a vendor responding to resident requests for additional information or questions about the billing statements?

4. Maintain alignment with the organization’s philosophy and vision. As with any other area of operations you consider outsourcing, outsourcing billing and collections requires careful examination of its impact on customer service and community relations. If a vendor produces co-pay and private pay invoices or statements, will you have control over the format and presentation of these mailings? If a vendor is engaged to perform collections follow up, your management team needs to understand collections procedures and methods used and ensure they are a good fit with your mission.

5. Set goals and benchmarks. Your management should analyze days in accounts receivable, accounts receivable aging trends, and cash as a percent of net revenue monthly, and then meet with the vendor promptly to understand the causes of any undesired trends and work on remedial plan. 

6. Understand your organization’s reasons for outsourcing. If your facility struggles with completing resident pre-admission screening, obtaining prior authorizations, or staying on top of Medicaid applications and recertifications — stop. Outsourcing is very unlikely to remedy these situations and could even make them worse. We recommend seeking the assistance of an experienced revenue cycle or process improvement consultant before outsourcing any portion of the billing and collections process.

The BerryDunn Senior Living team welcomes your feedback, and is always one phone call or email away, should your organization need to take a deeper look at revenue cycle and process improvement opportunities.

Article
Can outsourcing increase revenues and reduce cycle time? Yes, if it's the right fit

In a previous blog post, “Six Steps to Gain Speed on Collections”, we discussed the importance of regular reviews of long-term care facility financial performance indicators and benchmarks, and suggestions to speed up collections. We also noted that knowledge of your facility’s current payer mix is critical to understanding days in accounts receivable (A/R).

The purpose of a regular A/R review is to facilitate prompt and complete collections by identifying trends and potential system issues and then implementing an action plan. Additionally, an A/R review is used to report on certain regulatory compliance requirements, and could help management identify staff training and development needs. Here are some tips on how to make your review both effective and efficient.

  • Practice professional skepticism. Generate your own A/R reports. While your staff may be competent and trustworthy, it is a good habit to get information directly from your billing system.
     
  • Understand your revenue cycle calendar. A common approach is to generate A/R reports at the end of each month. While you can generate reports at any time, always ask your staff whether all recent cash receipts and adjustments have been posted.
     
  • Know your software. Billing software usually has a few pre-set A/R reports available, and you can customize some of them to simplify your review and analysis. Consult with your IT department or software vendor to gain a better understanding of available report types, parameters, options and limitations. Three frequently-used reports are:

    A/R Transaction Report: This report shows selected transaction details (date, payer, account, transaction type) and can help you understand changes in those parameters. Start with a “summary by type” then drill down to further detail if needed. Run and review this report monthly to identify any unexpected write-offs or adjustments in the prior period.

    A/R Aging Report: This report breaks A/R data into aging buckets (current, 30, 60, 90, etc.). It is used to fine-tune collection efforts and evaluate a bad debt allowance (as older balances are less likely to be collected). Using a higher number of buckets will provide more detailed information, and replacing “age” of accounts with a “month” label will make it easier to see trends in month-to-month changes. Your facility’s payer mix will determine a reasonable “Days in A/R” benchmark. Generally, you should see the most dramatic drop in open accounts within 30 days for Medicare, Medicaid and private payers; and within 60-90 days for other payers. Focus your staff’s attention on balances nearing 300 days, as many insurers have a claim filing limit of one year from the service date. Develop an action plan to follow up within two to three weeks.

    Unbilled Claims Report: This report shows un-submitted claims. Discuss unbilled claims with your staff, understand why they are unbilled to reduce the number of un-submitted claims, and develop an action plan for submission to responsible parties.
     
  • Understand available report formats. Billing software usually offers the option to run reports in different file formats (web, PDF, Excel, etc.). Know your options and select the one you are most comfortable with. We recommend Excel for easy data analysis and trending.
     
  • Segment, segment, segment — and look for trends! Data segmentation and filtering is the best approach to effective and efficient A/R review. At a minimum, you should be separating Medicare A, Medicare B, Medicare Advantage, Medicaid, private pay, pending/presumed Medicaid and any other payers with a particularly high volume of claims. The differences in timing of billing, complexity, compliance requirements, benchmarking and submission of claim methods warrant a separate, more-detailed review of claims. Here are some examples of what to look for.

    Medicare: An open claim will hold payments for all following claims within that stay. Instruct your billing team to ensure claim submission, and review any rejected or suspended claims. Carefully analyze any Medicare credits. Small credit and debit balances may indicate errors in the rate-setting module of your software. Review for rate changes, contractual adjustments and sequestration set up. Review any credit balances over $25 for potential overpayment. These credits have to be corrected in that quarter or listed on your quarterly credit balance report to Medicare. Balances of $160 or more may indicate incorrectly calculated co-pay days, while balances over $200 may indicate billing for an incorrect number of days. Medicare has a one-year limit on submitting claims so act promptly to resolve any balances over 300 days.

    Medicaid: Open balances may indicate eligibility gaps, changes in coverage levels, rate set-up errors or incorrect classification as primary or secondary payer. This payer also has a one-year limit on submitting claims. Again, act promptly to resolve any balances over 300 days.

    Pending/Presumed Medicaid: Medicaid application processing times vary by state. Normally eligibility is determined within a few months at the most. Open claims older than 120 days should be investigated promptly.
     
  • Filter data for the highest and lowest balances. Focus on your five to ten highest balances and work with staff to resolve. Discuss reasons for any credit balances with staff, as regulations often require a prompt refund or claim adjustment. Credit balances could also indicate incorrectly posted payments (to the wrong patient account or service date). Instruct staff to routinely review and resolve credits to prevent collection activities on paid-off accounts. 

Ask questions, follow up and recognize good work. If you notice an improvement in your facility’s A/R report, make sure you recognize team and individual efforts. If improvements are slow to come, discuss obstacles with staff, refine your A/R reporting, and review the plan as needed.

Article
Segmenting accounts receivable reports: How to use your reports to understand where you are

Read this if your CFO has recently departed, or if you're looking for a replacement.

With the post-Covid labor shortage, “the Great Resignation,” an aging workforce, and ongoing staffing concerns, almost every industry is facing challenges in hiring talented staff. To address these challenges, many organizations are hiring temporary or interim help—even for C-suite positions such as Chief Financial Officers (CFOs).

You may be thinking, “The CFO is a key business partner in advising and collaborating with the CEO and developing a long-term strategy for the organization; why would I hire a contractor to fill this most-important role?” Hiring an interim CFO may be a good option to consider in certain circumstances. Here are three situations where temporary help might be the best solution for your organization.

Your organization has grown

If your company has grown since you created your finance department, or your controller isn’t ready or suited for a promotion, bringing on an interim CFO can be a natural next step in your company’s evolution, without having to make a long-term commitment. It can allow you to take the time and fully understand what you need from the role — and what kind of person is the best fit for your company’s future.

BerryDunn's Kathy Parker, leader of the Boston-based Outsourced Accounting group, has worked with many companies to help them through periods of transition. "As companies grow, many need team members at various skill levels, which requires more money to pay for multiple full-time roles," she shared. "Obtaining interim CFO services allows a company to access different skill levels while paying a fraction of the cost. As the company grows, they can always scale its resources; the beauty of this model is the flexibility."

If your company is looking for greater financial skill or advice to expand into a new market, or turn around an underperforming division, you may want to bring on an outsourced CFO with a specific set of objectives and timeline in mind. You can bring someone on board to develop growth strategies, make course corrections, bring in new financing, and update operational processes, without necessarily needing to keep those skills in the organization once they finish their assignment. Your company benefits from this very specific skill set without the expense of having a talented but expensive resource on your permanent payroll.

Your CFO has resigned

The best-laid succession plans often go astray. If that’s the case when your CFO departs, your organization may need to outsource the CFO function to fill the gap. When your company loses the leader of company-wide financial functions, you may need to find someone who can come in with those skills and get right to work. While they may need guidance and support on specifics to your company, they should be able to adapt quickly and keep financial operations running smoothly. Articulating short-term goals and setting deadlines for naming a new CFO can help lay the foundation for a successful engagement.

You don’t have the budget for a full-time CFO

If your company is the right size to have a part-time CFO, outsourcing CFO functions can be less expensive than bringing on a full-time in-house CFO. Depending on your operational and financial rhythms, you may need the CFO role full-time in parts of the year, and not in others. Initially, an interim CFO can bring a new perspective from a professional who is coming in with fresh eyes and experience outside of your company.

After the immediate need or initial crisis passes, you can review your options. Once the temporary CFO’s agreement expires, you can bring someone new in depending on your needs, or keep the contract CFO in place by extending their assignment.

Considerations for hiring an interim CFO

Making the decision between hiring someone full-time or bringing in temporary contract help can be difficult. Although it oversimplifies the decision a bit, a good rule of thumb is: the more strategic the role will be, the more important it is that you have a long-term person in the job. CFOs can have a wide range of duties, including, but not limited to:

  • Financial risk management, including planning and record-keeping
  • Management of compliance and regulatory requirements
  • Creating and monitoring reliable control systems
  • Debt and equity financing
  • Financial reporting to the Board of Directors

If the focus is primarily overseeing the financial functions of the organization and/or developing a skilled finance department, you can rely — at least initially — on a CFO for hire.

Regardless of what you choose to do, your decision will have an impact on the financial health of your organization — from avoiding finance department dissatisfaction or turnover to capitalizing on new market opportunities. Getting outside advice or a more objective view may be an important part of making the right choice for your company.

BerryDunn can help whether you need extra assistance in your office during peak times or interim leadership support during periods of transition. We offer the expertise of a fully staffed accounting department for short-term assignments or long-term engagements―so you can focus on your business. Meet our interim assistance experts.

Article
Three reasons to consider hiring an interim CFO

Read this if your company is considering outsourced information technology services.

For management, it’s the perennial question: Keep things in-house or outsource?

For management, it’s the perennial question: Keep things in-house or outsource? Most companies or organizations have outsourcing opportunities, from revenue cycle to payment processing to IT security. When deciding whether to outsource, you weigh the trade-offs and benefits by considering variables such as cost, internal expertise, cross coverage, and organizational risk.

In IT services, outsourcing may win out as technology becomes more complex. Maintaining expertise and depth for all the IT components in an environment can be resource-intensive.

Outsourced solutions allow IT teams to shift some of their focus from maintaining infrastructure to getting more value out of existing systems, increasing data analytics, and better linking technology to business objectives. The same can be applied to revenue cycle outsourcing, shifting the focus from getting clean bills out and cash coming in, to looking at the financial health of the organization, analyzing service lines, patient experience, or advancing projects.  

Once you’ve decided, there’s another question you need to ask
Lost sometimes in the discussion of whether to use outsourced services is how. Even after you’ve done your due diligence and chosen a great vendor, you need to stay involved. It can be easy to think, “Vendor XYZ is monitoring our servers or our days in AR, so we should be all set. I can stop worrying at night about our system reliability or our cash flow.” Not true.

You may be outsourcing a component of your technology environment or collections, but you are not outsourcing the accountability for it—from an internal administrative standpoint or (in many cases) from a legal standpoint.

Beware of a false state of confidence
No matter how clear the expectations and rules of engagement with your vendor at the onset of a partnership, circumstances can change—regulatory updates, technology advancements, and old-fashioned vendor neglect. In hiring the vendor, you are accountable for oversight of the partnership. Be actively engaged in the ongoing execution of the services. Also, periodically revisit the contract, make sure the vendor is following all terms, and confirm (with an outside audit, when appropriate) that you are getting the services you need.

Take, for example, server monitoring, which applies to every organization or company, large or small, with data on a server. When a managed service vendor wants to contract with you to provide monitoring services, the vendor’s salesperson will likely assure you that you need not worry about the stability of your server infrastructure, that the monitoring will catch issues before they occur, and that any issues that do arise will be resolved before the end user is impacted. Ideally, this is true, but you need to confirm.

Here’s how to stay involved with your vendor
Ask lots of questions. There’s never a question too small. Here are samples of how precisely you should drill down:

  • What metrics will be monitored, specifically?
  • Why do the metrics being monitored matter to our own business objectives?
  • What thresholds must be met to notify us or produce an alert?
  • What does exceeding a threshold mean to our business?
  • Who on our team will be notified if an alert is warranted?
  • What corrective action will be taken?

Ask uncomfortable questions
Being willing to ask challenging questions of your vendors, even when you are not an expert, is critical. You may feel uncomfortable but asking vendors to explain something to you in terms you understand is very reasonable. They’re the experts; you’re not expected to already understand every detail or you wouldn’t have needed to hire them. It’s their job to explain it to you. Without asking these questions, you may end up with a fairly generic solution that does produce a service or monitor something, but not necessarily all the things you need.

Ask obvious questions
You don’t want anything to slip by simply because you or the vendor took it for granted. It is common to assume that more is being done by a vendor than actually is. By asking even obvious questions, you can avoid this trap. All too often we conduct an IT assessment and are told that a vendor is providing a service, only to discover that the tasks are not happening as expected.

You are accountable for your whole team—in-house and outsourced members
An outsourced solution is an extension of your team. Taking an active and engaged role in an outsourcing partnership remains consistent with your management responsibilities. At the end of the day, management is responsible for achieving business objectives and mission. Regularly check in to make sure that the vendor stays focused on that same mission.

Article
Oxymoron of the month: Outsourced accountability

More and more emphasis is being put on cybersecurity by companies of all sizes. Whether it’s the news headlines of notable IT incidents, greater emphasis on the value of data, or the monetization of certain types of attacks, an increasing amount of energy and money is going towards security. Security has the attention of leadership and the board and it is not going away. One of the biggest risks to and vulnerabilities of any organization’s security continues to be its people. Innovative approaches and new technology can reduce risk but they still don’t prevent the damage that can be inflicted by an employee simply opening an attachment or following a link. This is more likely to happen than you may think.

Technology also doesn’t prepare a management team for how to handle the IT response, communication effort, and workforce management required during and after an event. Technology doesn’t lessen the operational impact that your organization will feel when, not if, you experience an event.

So let’s examine the human and operational side of cybersecurity. Below are three factors you should address to reduce risk and prepare your organization for an event:

  1. People: Create and maintain a vigilant workforce
    Ask yourself, “How prepared is our workforce when it comes to security threats and protecting our data? How likely would it be for one of our team members to click on a link or open an attachment that appear to be from our CFO? Would our team members look closely enough at the email address and notice that the organization name is different by one letter?”
     

    According to the 2016 Verizon Data Breach Report, 30% of phishing messages were opened by the target across all campaigns and 12% went on to click on the attachment or link.

    Phishing email attacks directed at your company through your team range from very obvious to extremely believable. Some attempts are sent widely and are looking for just one person to click, while others are extremely targeted and deliberate. In either case, it is vital that each employee takes enough time to realize that the email request is unusual. Perhaps there are strange typos in the request or it is odd the CFO is emailing while on vacation. That moment your employees take to pause and decide whether to click on the link/attachment could mean the difference between experiencing an event or not.

    So how do you create and cultivate this type of thought process in your workforce? Lots of education and awareness efforts. This goes beyond just an annual in-service training on HIPAA. It may include education sessions, emails with tips and tricks, posters describing the risk, and also exercises to test your workforce against phishing and security exploits. It also takes leadership embracing security as a strategic imperative and leading the organization to take it seriously. Once you have these efforts in place, you can create culture change to build and maintain an environment where an employee is not embarrassed to check with the CFO’s office to see if they really did send an email from Bora Bora.
  1. Plan: Implement a disaster recovery and incident response plan 
    Through the years, disaster recovery plans have been the usual response. Mostly, the emphasis has been on recovering data after a non-security IT event, often discussed in context of a fire, power loss, or hardware failure. Increasingly, cyber-attacks are creeping into the forefront of planning efforts. The challenge with cyber-events is that they are murkier to understand – and harder for leadership – to assist with.

    It’s easier to understand the concept of a fire destroying your server room and the plan entailing acquiring new equipment, recovering data from backup, restoring operations, having good downtime procedures, and communicating the restoration efforts along the way. What is much more challenging is if the event begins with a suspicion by employees, customers, or vendors who believe their data has been stolen without any conclusive information that your company is the originating point of the data loss. How do you take action if you know very little about the situation? What do you communicate if you are not sure what to say? It is this level of uncertainty that makes it so difficult. Do you have a plan in place for how to respond to an incident? Here are some questions to consider:
     
    1. How will we communicate internally with our staff about the incident?
    2. How will we communicate with our clients? Our patients? Our community?
    3. When should we call our insurance company? Our attorney?
    4. Is reception prepared to describe what is going on if someone visits our office?
    5. Do we have the technical expertise to diagnose the issue?
    6. Do we have set protocols in place for when to bring our systems off-line and are our downtime procedures ready to use?
    7. When the press gets wind of the situation, who will communicate with them and what will we share?
    8. If our telephone system and network is taken offline, how we will we communicate with our leadership team and workforce?

By starting to ask these questions, you can ascertain how ready you may, or may not be, for a cyber-attack when it comes.

  1. Practice: Prepare your team with table top exercises  
    Given the complexity and diversity of the threats people are encountering today, no single written plan can account for all of the possible combinations of cyber-attacks. A plan can give guidance, set communication protocols, and structure your approach to your response. But by conducting exercises against hypothetical situations, you can test your plan, identify weaknesses in the plan, and also provide your leadership team with insight and experience – before it counts.

    A table top exercise entails one team member (perhaps from IT or from an outside firm) coming up with a hypothetical situation and a series of facts and clues about the situation that are given to your leadership team over time. Your team then implements the existing plans to respond to the incident and make decisions. There are no right or wrong answers in this scenario. Rather, the goal is to practice the decision-making and response process to determine where improvements are needed.

    Maybe you run an exercise and realize that you have not communicated to your staff that no mention of the event should be shared by employees on social media. Maybe the exercise makes you realize that the network administrator who is on vacation at the time is the only one who knows how to log onto the firewall. You might identify specific gaps that are lacking in your cybersecurity coverage. There is much to learn that can help you prepare for the real thing.

As you know, there are many different threats and risks facing organizations. Some are from inside an organization while others come from outside. Simply throwing additional technology at the problem will not sufficiently address the risks. While your people continue to be one of the biggest threats, they can also be one of your biggest assets, in both preventing issues from occurring and then responding quickly and appropriately when they do. Remember focus on your People, Your Plan, and Your Practice.

Article
The three P's of improving your company's cybersecurity soft skills