The three P's of improving your company's cybersecurity soft skills

Read this if your company is considering outsourced information technology services.

For management, it’s the perennial question: Keep things in-house or outsource?

For management, it’s the perennial question: Keep things in-house or outsource? Most companies or organizations have outsourcing opportunities, from revenue cycle to payment processing to IT security. When deciding whether to outsource, you weigh the trade-offs and benefits by considering variables such as cost, internal expertise, cross coverage, and organizational risk.

In IT services, outsourcing may win out as technology becomes more complex. Maintaining expertise and depth for all the IT components in an environment can be resource-intensive.

Outsourced solutions allow IT teams to shift some of their focus from maintaining infrastructure to getting more value out of existing systems, increasing data analytics, and better linking technology to business objectives. The same can be applied to revenue cycle outsourcing, shifting the focus from getting clean bills out and cash coming in, to looking at the financial health of the organization, analyzing service lines, patient experience, or advancing projects.  

Once you’ve decided, there’s another question you need to ask
Lost sometimes in the discussion of whether to use outsourced services is how. Even after you’ve done your due diligence and chosen a great vendor, you need to stay involved. It can be easy to think, “Vendor XYZ is monitoring our servers or our days in AR, so we should be all set. I can stop worrying at night about our system reliability or our cash flow.” Not true.

You may be outsourcing a component of your technology environment or collections, but you are not outsourcing the accountability for it—from an internal administrative standpoint or (in many cases) from a legal standpoint.

Beware of a false state of confidence
No matter how clear the expectations and rules of engagement with your vendor at the onset of a partnership, circumstances can change—regulatory updates, technology advancements, and old-fashioned vendor neglect. In hiring the vendor, you are accountable for oversight of the partnership. Be actively engaged in the ongoing execution of the services. Also, periodically revisit the contract, make sure the vendor is following all terms, and confirm (with an outside audit, when appropriate) that you are getting the services you need.

Take, for example, server monitoring, which applies to every organization or company, large or small, with data on a server. When a managed service vendor wants to contract with you to provide monitoring services, the vendor’s salesperson will likely assure you that you need not worry about the stability of your server infrastructure, that the monitoring will catch issues before they occur, and that any issues that do arise will be resolved before the end user is impacted. Ideally, this is true, but you need to confirm.

Here’s how to stay involved with your vendor
Ask lots of questions. There’s never a question too small. Here are samples of how precisely you should drill down:

• What metrics will be monitored, specifically?
• Why do the metrics being monitored matter to our own business objectives?
• What thresholds must be met to notify us or produce an alert?
• What does exceeding a threshold mean to our business?
• Who on our team will be notified if an alert is warranted?
• What corrective action will be taken?

Ask uncomfortable questions
Being willing to ask challenging questions of your vendors, even when you are not an expert, is critical. You may feel uncomfortable but asking vendors to explain something to you in terms you understand is very reasonable. They’re the experts; you’re not expected to already understand every detail or you wouldn’t have needed to hire them. It’s their job to explain it to you. Without asking these questions, you may end up with a fairly generic solution that does produce a service or monitor something, but not necessarily all the things you need.

Ask obvious questions
You don’t want anything to slip by simply because you or the vendor took it for granted. It is common to assume that more is being done by a vendor than actually is. By asking even obvious questions, you can avoid this trap. All too often we conduct an IT assessment and are told that a vendor is providing a service, only to discover that the tasks are not happening as expected.

You are accountable for your whole team—in-house and outsourced members
An outsourced solution is an extension of your team. Taking an active and engaged role in an outsourcing partnership remains consistent with your management responsibilities. At the end of the day, management is responsible for achieving business objectives and mission. Regularly check in to make sure that the vendor stays focused on that same mission.

Texting has become a simple, convenient, and entrenched component of our everyday lives. We use it with family, friends, coworkers—and clients. My wife and I text to coordinate day care pickup and drop off of our kids every day. It is a quick and easy alternative to our large, and sometimes overwhelming, volume of email.

And with that convenience comes the temptation for clinicians, care teams, and healthcare providers to communicate sensitive content via text in the workplace. The ability to take a photograph of a wound and share with a colleague for a consult is convenient and effective. The number of patients who want to text a non-urgent question to their providers is also growing, particularly with younger patient populations. Population health teams who want to better engage patients may see texting as an easy format to achieve that.

The problem? Texting is not a secure communication method. The native SMS (short message service) used by many phones, including iPhones (at times), is not encrypted, and messages are sent in plain text over cellular networks. SMS messages are vulnerable to “man-in-the-middle” attacks, in which a third-party eavesdrops or potentially manipulates a conversation. The native message format of iPhones has security risks, too. And when a text message contains protected patient information or images, these risks become significant.

On December 28, 2017 CMS released clarification on text messaging. The highlights:

• Texting is permissible between care team members if accomplished through a secure platform.

• Texting of orders: prohibited.

• Computerized Physician Order Entry (CPOE) is the preferred method of provider order entry.

The first bullet allows some consideration of text messaging but with an important caveat: you must use a secure platform. The last two bullets steer providers to using their EHR systems.

What should you do if you find yourself in a position where text messaging has crept into your culture?

• Establish a policy to govern the use of text messaging and update your mobile device policy.

• Determine whether you will implement (and allow your care team to use) a secure texting platform or prohibit texting all together.

• Consider how secure texting impacts your policies and procedures related to data retention, discovery, and the legal health record. 

• Educate your patients about secure messaging available on your patient portal.

• Assess your organization’s usage and level of risk.

• Stop using unsecure text messaging for patient related communications.

For more information, contact me.

Related content:

Watch our video on adopting technology for success. 
Read Dan's article on soft cybersecurity skills.

Read this if your CFO has recently departed, or if you're looking for a replacement.

With the post-Covid labor shortage, “the Great Resignation,” an aging workforce, and ongoing staffing concerns, almost every industry is facing challenges in hiring talented staff. To address these challenges, many organizations are hiring temporary or interim help—even for C-suite positions such as Chief Financial Officers (CFOs).

You may be thinking, “The CFO is a key business partner in advising and collaborating with the CEO and developing a long-term strategy for the organization; why would I hire a contractor to fill this most-important role?” Hiring an interim CFO may be a good option to consider in certain circumstances. Here are three situations where temporary help might be the best solution for your organization.

Your organization has grown

If your company has grown since you created your finance department, or your controller isn’t ready or suited for a promotion, bringing on an interim CFO can be a natural next step in your company’s evolution, without having to make a long-term commitment. It can allow you to take the time and fully understand what you need from the role — and what kind of person is the best fit for your company’s future.

BerryDunn's Kathy Parker, leader of the Boston-based Outsourced Accounting group, has worked with many companies to help them through periods of transition. "As companies grow, many need team members at various skill levels, which requires more money to pay for multiple full-time roles," she shared. "Obtaining interim CFO services allows a company to access different skill levels while paying a fraction of the cost. As the company grows, they can always scale its resources; the beauty of this model is the flexibility."

If your company is looking for greater financial skill or advice to expand into a new market, or turn around an underperforming division, you may want to bring on an outsourced CFO with a specific set of objectives and timeline in mind. You can bring someone on board to develop growth strategies, make course corrections, bring in new financing, and update operational processes, without necessarily needing to keep those skills in the organization once they finish their assignment. Your company benefits from this very specific skill set without the expense of having a talented but expensive resource on your permanent payroll.

Your CFO has resigned

The best-laid succession plans often go astray. If that’s the case when your CFO departs, your organization may need to outsource the CFO function to fill the gap. When your company loses the leader of company-wide financial functions, you may need to find someone who can come in with those skills and get right to work. While they may need guidance and support on specifics to your company, they should be able to adapt quickly and keep financial operations running smoothly. Articulating short-term goals and setting deadlines for naming a new CFO can help lay the foundation for a successful engagement.

You don’t have the budget for a full-time CFO

If your company is the right size to have a part-time CFO, outsourcing CFO functions can be less expensive than bringing on a full-time in-house CFO. Depending on your operational and financial rhythms, you may need the CFO role full-time in parts of the year, and not in others. Initially, an interim CFO can bring a new perspective from a professional who is coming in with fresh eyes and experience outside of your company.

After the immediate need or initial crisis passes, you can review your options. Once the temporary CFO’s agreement expires, you can bring someone new in depending on your needs, or keep the contract CFO in place by extending their assignment.

Considerations for hiring an interim CFO

Making the decision between hiring someone full-time or bringing in temporary contract help can be difficult. Although it oversimplifies the decision a bit, a good rule of thumb is: the more strategic the role will be, the more important it is that you have a long-term person in the job. CFOs can have a wide range of duties, including, but not limited to:

• Financial risk management, including planning and record-keeping
• Management of compliance and regulatory requirements
• Creating and monitoring reliable control systems
• Debt and equity financing
• Financial reporting to the Board of Directors

If the focus is primarily overseeing the financial functions of the organization and/or developing a skilled finance department, you can rely — at least initially — on a CFO for hire.

Regardless of what you choose to do, your decision will have an impact on the financial health of your organization — from avoiding finance department dissatisfaction or turnover to capitalizing on new market opportunities. Getting outside advice or a more objective view may be an important part of making the right choice for your company.

BerryDunn can help whether you need extra assistance in your office during peak times or interim leadership support during periods of transition. We offer the expertise of a fully staffed accounting department for short-term assignments or long-term engagements―so you can focus on your business. Meet our interim assistance experts.

Follow these six steps to help your senior living organization improve cash flow, decrease days in accounts receivable, and reduce write offs.

From regulatory and reimbursement rule changes to new software and staff turnover, senior living facilities deal with a variety of issues that can result in eroding margins. Monitoring days in accounts receivable and creeping increases in bad debt should be part of a regular review of your facility’s financial indicators.

Here are six steps you and your organization can take to make your review more efficient and potentially improve your bottom line:

Step 1: Understand your facility’s current payer mix.

Understanding your payer mix and various billing requirements and reimbursement schedules will help you set reasonable goals and make an accurate cash flow forecast. For example, government payers often have a two-week reimbursement turn-around for a clean claim, while commercial insurance reimbursement may take up to 90 days. Discovering what actions you can take to keep the payment process as short as possible can lessen your average days in accounts receivable and improve cash flow.

Step 2: Gain clarity on your facility’s billing calendar.

Using data from Step 1, review (or develop) your team’s billing calendar. The faster you send a complete and accurate bill, the sooner you will receive payment.

Have a candid discussion with your billers and work on removing (or at least reducing) existing or perceived barriers to producing timely and accurate bills. Facilities frequently find opportunities for cash flow optimization by communicating their expectations for vendors and care partners. For example, some facilities rely on their vendors to provide billing logs for therapy and ancillary services in order to finalize Resource Utilization Groups (RUGs) and bill Medicare and advantage plans. Delayed medical supply and pharmacy invoices frequently hold up private pay billing. Working with vendors to shorten turnaround time is critical to receiving faster payments.

Interdependencies and areas outside the billers’ control can also negatively influence revenue cycle and contribute to payment delays. Nursing and therapy department schedules, documentation, and the clinical team’s understanding of the principles of reimbursement all play significant roles in timeliness and accuracy of Minimum Data Sets (MDSs) — a key component of Medicare and Medicaid billing. Review these interdependencies for internal holdups and shorten time to get claims produced.

Step 3: Review billing practices.

Observe your staff and monitor the billing logs and insurance claim acceptance reports to locate and review rejected invoices. Since rejected claims are not accepted into the insurer’s system, they will never be reflected as denied on remittance advice documents. Review of submitted claims for rejections is also important as frequently billing software marks claims as billed after a claim is generated. Instruct billers to review rejections immediately after submitting the bill, so rework, resubmission, and payment are timely.

Encourage your billers to generate pull communications (using available reporting tools on insurance portals) to review claim status and resolve any unpaid or suspended claims. This is usually a quicker process than waiting for a push communication (remittance advice) to identify unpaid claims.

Step 4: Review how your facility receives payments.

Challenge any delays in depositing money. Many insurance companies offer payment via ACH transfer. Discuss remote check deposit solutions with your financial institution to eliminate delays. If the facility acts as a representative payee for residents, make sure social security checks are directly deposited to the appropriate account. If you use a separate non-operating account to receive residents’ pensions, consider same day bill pay transfer to the operating account.

Step 5: Review industry benchmarks.

This is critical to understanding where your facility stands and seeing where you can make improvements. BerryDunn’s database of SNF Medicare cost reports filed for FY 2015 - 2018 shows:

Step 6: Celebrate successes!

Clearly some facilities are doing it very well, while some need to take corrective action. This information can also help you set reasonable goals overall (see Step 1) as well as payer-specific reimbursement goals that make sense for your facility. Review them with the revenue cycle team and question any significant variances; challenge staff to both identify reasons for variances and propose remedial action. Helping your staff see the big picture and understanding how they play a role in achieving department and company goals are critical to sustaining lasting change AND constant improvement.

Change, even if it brings intrinsic rewards (like decreased days in accounts receivable, increased margin to facilitate growth), can be difficult. Acknowledge that changing processes can be tough and people may have to do things differently or learn new skills to meet the facility’s goal. By celebrating the improvements — even little ones — like putting new processes in place, you encourage and engage people to take ownership of the process. Celebrating the wins helps create advocates and lets your team know you appreciate their work. 

To learn more, contact one of our revenue cycle specialists.

It may be hard to believe some seasons, but every professional sports team currently has the necessary resources — talent, plays, and equipment — to win. The challenge is to identify and leverage them for maximum benefit. And every organization has the necessary resources to improve its cybersecurity. Chapter 3 in BerryDunn’s Cybersecurity Playbook for Management looks at how managers can best identify and leverage these resources, known collectively as internal capacity.

The previous two chapters focused on using maturity models to improve an organization’s cybersecurity. The next two are about capacity. What is the difference, and connection, between maturity and capacity, and why is it important? 
RG: Maturity refers to the “as is” state of an organization’s cybersecurity program compared to its desired “to be” state. Capacity refers to the resources an organization can use to reach the “to be” state. There are two categories of capacity: external and internal. External capacity refers to outside resources — people, processes, and tools — you can hire or purchase to improve maturity. (We’ll discuss external capacity more in our next installment.) Internal capacity refers to in-house people, processes, and tools you can leverage to improve maturity. 

Managers often have an unclear picture of how to use resources to improve cybersecurity. This is mainly because of the many demands found in today's business environments. I recommend managers conduct internal capacity planning. In other words, they need to assess the internal capacity needed to increase cybersecurity maturity. Internal capacity planning can answer three important questions:

1. What are the capabilities of our people?
2. What processes do we need to improve?
3. What tools do we have that can help improve processes and strengthen staff capability?

What does the internal capacity planning process look like?
RG: Internal capacity planning is pretty easy to conduct, but there’s no standard model. It’s not a noun, like a formal report. It’s a verb — an act of reflection. It’s a subjective assessment of your team members’ abilities and their capacity to perform a set of required tasks to mature the cybersecurity program. These are not easy questions to ask, and the answers can be equally difficult to obtain. This is why you should be honest in your assessment and urge your people to be honest with themselves as well. Without this candor, your organization will spin its wheels reaching its desired “to be” state.

Let’s start with the “people” part of internal capacity. How can managers assess staff?RG: It’s all about communication. Talk to your staff, listen to them, and get a sense of who has the ability and desire for improving cybersecurity maturity in certain subject areas or domains, like Risk Management or Event and Incident Response. If you work at a small organization,  start by talking to your IT manager or director. This person may not have a lot of cybersecurity experience, but he or she will have a lot of operational risk experience. IT managers and directors tend to gravitate toward security because it’s a part of their overall responsibilities. It also ensures they have a voice in the maturing process.

In the end, you need to match staff expertise and skillsets to the maturity subject areas or domains you want to improve. While an effective manager already has a sense of staff expertise and skillsets, you can add a SWOT analysis to clarify staff strengths, weaknesses, opportunities, and threats.

The good news: In my experience, most organizations have staff who will take to new maturity tasks pretty quickly, so you don’t need to hire a bunch of new people.

What’s the best way to assess processes?
RG: Again, it’s all about communication. Talk to the people currently performing the processes, listen to them, and confirm they are giving you honest feedback. You can have all the talent in the world, and all the tools in the world — but if your processes are terrible, your talent and tools won’t connect. I’ve seen organizations with millions of dollars’ worth of tools without the right people to use the tools, and vice versa. In both situations, processes suffer. They are the connective tissue between people and tools. And keep in mind, even if your current ones are good, most  tend to grow stale. Once you assess, you probably need to develop some new processes or improve the ones in place.

How should managers and staff develop new processes?
RG: Developing new ones can be difficult — we’re talking change, right? As a manager, you have to make sure the staff tasked with developing them are savvy enough to make sure the processes improve your organization’s maturity. Just developing a new one, with little or no connection to maturity, is a waste of time and money. Just because measuring maturity is iterative, doesn’t mean your approach to maturing cybersecurity has to be. You need to take a holistic approach across a wide range of cybersecurity domains or subject areas. Avoid any quick, one-and-done processes. New ones should be functional, repeatable, and sustainable; if not, you’ll overburden your team. And remember, it takes time to develop new ones. If you have an IT staff that’s already struggling to keep up with their operational responsibilities, and you ask them to develop a new process, you’re going to get a lot of pushback. You and the IT staff may need to get creative — or look toward outside resources, which we’ll discuss in chapter 4.

What’s the best way to assess tools?
RG: Many organizations buy many tools, rarely maximize their potential. And on occasion, organizations buy tools but never install them. The best way to assess tools is to select staff to first measure the organization’s inventory of tools, and then analyze them to see how they can help improve maturity for a certain domain or subject area. Ask questions: Are we really getting the maximum outputs those tools offer? Are they being used as intended?

I’ll give you an example. There’s a company called SolarWinds that creates excellent IT management tools. I have found many organizations use SolarWinds tools in very specific, but narrow, ways. If your organization has SolarWinds tools, I suggest reaching out to your IT staff to see if the organization is leveraging the tools to the greatest extent possible. SolarWinds can do so much that many organizations rarely leverage all its valuable feature.

What are some pitfalls to avoid when conducting internal capacity planning?
RG: Don’t assign maturity tasks to people who have been with the organization for a really long time and are very set in their ways, because they may be reluctant to change. As improving maturity is a disruptive process, you want to assign tasks to staff eager to implement change. If you are delegating the supervision of the maturity project, don’t delegate it to a technology-oriented person. Instead, use a business-oriented person. This person doesn’t need to know a lot about cybersecurity — but they need to know, from a business perspective, why you need to implement the changes. Otherwise, your changes will be more technical in nature than strategic. Finally, don’t delegate the project to someone who is already fully engaged on other projects. You want to make sure this person has time to supervise the project.

Is there ever a danger of receiving incorrect information about resource capacity?
RG: Yes, but you’ll know really quickly if a certain resource doesn’t help improve your maturity. It will be obvious, especially when you run the maturity model again. Additionally, there is a danger of staff advocating for the purchase of expensive tools your organization may not really need to manage the maturity process. Managers should insist that staff strongly and clearly make the case for such tools, illustrating how they will close specific maturity gaps.

When purchasing tools a good rule of thumb is: are you going to get three times the return on investment? Will it decrease cost or time by three times, or quantifiably reduce risk by three times? This ties in to the larger idea that cybersecurity is ultimately a function of business, not a function of IT. It also conveniently ties in with external capacity, the topic for chapter four.

Read our next cybersecurity playbook article, External capacity: Cybersecurity playbook for management #4, here.

It’s one thing for coaching staff to see the need for a new quarterback or pitcher. Selecting and onboarding this talent is a whole new ballgame. Various questions have to be answered before moving forward: How much can we afford? Are they a right fit for the team and its playing style? Do the owners approve?

Management has to answer similar questions when selecting and implementing a cybersecurity maturity model, and form the basis of this blog – chapter 2 in BerryDunn’s Cybersecurity Playbook for Management.

What are the main factors a manager should consider when selecting a maturity model?
RG: All stakeholders, including managment, should be able to easily understand the model. It should be affordable for your organization to implement, and its outcomes achievable. It has to be flexible. And it has to match your industry. It doesn’t make a lot of sense to have an IT-centric maturity model if you’re not an extremely high-tech organization. What are you and your organization trying to accomplish by implementing maturity modeling? If you are trying to improve the confidentiality of data in your organization’s systems, then the maturity model you select should have a data confidentiality domain or subject area.

Managers should reach out to their peer groups to see which maturity models industry partners and associates use successfully. For example, Municipality A might look at what Municipality B is doing, and think: “How is Municipality B effectively managing cybersecurity for less money than we are?” Hint: there’s a good chance they’re using an effective maturity model. Therefore, Municipality A should probably select and implement that model. But you also have to be realistic, and know certain other factors—such as location and the ability to acquire talent—play a role in effective and affordable cybersecurity. If you’re a small town, you can’t compare yourself to a state capital.

There’s also the option of simply using the Cybersecurity Capability Maturity Model (C2M2), correct?
RG: Right. C2M2, developed by the U.S. Department of Energy, is easily scalable and can be tailored to meet specific needs. It also has a Risk Management domain to help ensure that an organization’s cybersecurity strategy supports its enterprise risk management strategy.

Once a manager has identified a maturity model that best fits their business or organization, how do they implement it?
RG: STEP ONE: get executive-level buy-in. It’s critical that executive management understands why maturity modeling is crucial to an organization's security. Explain to them how maturity modeling will help ensure the organization is spending money correctly and appropriately on cybersecurity. By sponsoring the effort, providing adequate resources, and accepting the final results, executive management plays a critical role in the process. In turn, you need to listen to executive management to know their priorities, issues, and resource constraints. When facilitating maturity modeling, don’t drive toward a predefined outcome. Understand what executive management is comfortable implementing—and what the business or organization can afford.

STEP TWO: Identify leads who are responsible for each domain or subject area of the maturity model. Explain to these leads why the organization is implementing maturity modeling, expected outcomes, and how their input is invaluable to the effort’s success. Generally speaking, the leads responsible for subject areas are very receptive to maturity modeling, because—unlike an audit—a maturity model is a resource that allows staff to advocate their needs and to say: “These are the resources I need to achieve effective cybersecurity.”

Third, have either management or these subject area leads communicate the project details to the lower levels of the organization, and solicit feedback, because staff at these levels often have unique insight on how best to manage the details.

The fourth step is to just get to work. This work will look a little different from one organization to another, because every organization has its own processes, but overall you need to run the maturity model—that is, use the model to assess the organization and discover where it measures up for each subject area or domain. Afterwards, conduct work sessions, collect suggestions and recommendations for reaching specific maturity levels, determine what it’s going to cost to increase maturity, get approval from executive management to spend the money to make the necessary changes, and create a Plan of Action and Milestones (POA&M). Then move forward and tick off each milestone.

Do you suggest selecting an executive sponsor or an executive steering committee to oversee the implementation?
RG: Absolutely. You just want to make sure the executive sponsors or steering committee members have both the ability and the authority to implement changes necessary for the modeling effort.

Should management consider hiring vendors to help implement their cybersecurity maturity models?
RG: Sure. Most organizations can implement a maturity model on their own, but the good thing about hiring a vendor is that a vendor brings objectivity to the process. Within your organization, you’re probably going to find erroneous assumptions, differing opinions about what needs to be improved, and bias regarding who is responsible for the improvements. An objective third party can help navigate these assumptions, opinions, and biases. Just be aware some vendors will push their own maturity models, because their models require or suggest organizations buy the vendors’ software. While most vendor software is excellent for improving maturity, you want to make sure the model you’re using fits your business objectives and is affordable. Don’t lose sight of that.

How long does it normally take to implement a maturity model?

RG: It depends on a variety of factors and is different for every organization. Keep in mind some maturity levels are fairly easy to reach, while others are harder and more expensive. It goes without saying that well-managed organizations implement maturity models more rapidly than poorly managed organizations.

What should management do after implementation?
RG: Run the maturity model again, and see where the organization currently measures up for each subject area or domain. Do you need to conduct a maturity model assessment every year? No, but you want to make sure you’re tracking the results year over year in order to make sure improvements are occurring. My suggestion is to conduct a maturity model assessment every three years.

One final note: make sure to maintain the effort. If you’re going to spend time and money implementing a maturity model, then make the changes, and continue to reassess maturity levels. Make sure the process becomes part of your organizations’ overall strategic plan. Document and institutionalize maturity modeling. Otherwise, the organization is in danger of losing this knowledge when the people who spearheaded the effort retire or pursue new opportunities elsewhere.

What’s next?
RG: Over the next couple of blogs, we’ll move away from talking about maturity modeling and begin talking about the role capacity plays in cybersecurity. Blog #3 will instruct managers on how to conduct an internal assessment to determine if their organizations have the people, processes, and technologies they need for effective cybersecurity.

Read our next cybersecurity playbook article, Tapping your internal capacity for better results: Cybersecurity playbook for management #3, here.

In a previous blog post, “Six Steps to Gain Speed on Collections”, we discussed the importance of regular reviews of long-term care facility financial performance indicators and benchmarks, and suggestions to speed up collections. We also noted that knowledge of your facility’s current payer mix is critical to understanding days in accounts receivable (A/R).

The purpose of a regular A/R review is to facilitate prompt and complete collections by identifying trends and potential system issues and then implementing an action plan. Additionally, an A/R review is used to report on certain regulatory compliance requirements, and could help management identify staff training and development needs. Here are some tips on how to make your review both effective and efficient.

• Practice professional skepticism. Generate your own A/R reports. While your staff may be competent and trustworthy, it is a good habit to get information directly from your billing system.
   
• Understand your revenue cycle calendar. A common approach is to generate A/R reports at the end of each month. While you can generate reports at any time, always ask your staff whether all recent cash receipts and adjustments have been posted.
   
• Know your software. Billing software usually has a few pre-set A/R reports available, and you can customize some of them to simplify your review and analysis. Consult with your IT department or software vendor to gain a better understanding of available report types, parameters, options and limitations. Three frequently-used reports are:
  
  A/R Transaction Report: This report shows selected transaction details (date, payer, account, transaction type) and can help you understand changes in those parameters. Start with a “summary by type” then drill down to further detail if needed. Run and review this report monthly to identify any unexpected write-offs or adjustments in the prior period.
  
  A/R Aging Report: This report breaks A/R data into aging buckets (current, 30, 60, 90, etc.). It is used to fine-tune collection efforts and evaluate a bad debt allowance (as older balances are less likely to be collected). Using a higher number of buckets will provide more detailed information, and replacing “age” of accounts with a “month” label will make it easier to see trends in month-to-month changes. Your facility’s payer mix will determine a reasonable “Days in A/R” benchmark. Generally, you should see the most dramatic drop in open accounts within 30 days for Medicare, Medicaid and private payers; and within 60-90 days for other payers. Focus your staff’s attention on balances nearing 300 days, as many insurers have a claim filing limit of one year from the service date. Develop an action plan to follow up within two to three weeks.
  
  Unbilled Claims Report: This report shows un-submitted claims. Discuss unbilled claims with your staff, understand why they are unbilled to reduce the number of un-submitted claims, and develop an action plan for submission to responsible parties.
   
• Understand available report formats. Billing software usually offers the option to run reports in different file formats (web, PDF, Excel, etc.). Know your options and select the one you are most comfortable with. We recommend Excel for easy data analysis and trending.
   
• Segment, segment, segment — and look for trends! Data segmentation and filtering is the best approach to effective and efficient A/R review. At a minimum, you should be separating Medicare A, Medicare B, Medicare Advantage, Medicaid, private pay, pending/presumed Medicaid and any other payers with a particularly high volume of claims. The differences in timing of billing, complexity, compliance requirements, benchmarking and submission of claim methods warrant a separate, more-detailed review of claims. Here are some examples of what to look for.
  
  Medicare: An open claim will hold payments for all following claims within that stay. Instruct your billing team to ensure claim submission, and review any rejected or suspended claims. Carefully analyze any Medicare credits. Small credit and debit balances may indicate errors in the rate-setting module of your software. Review for rate changes, contractual adjustments and sequestration set up. Review any credit balances over $25 for potential overpayment. These credits have to be corrected in that quarter or listed on your quarterly credit balance report to Medicare. Balances of $160 or more may indicate incorrectly calculated co-pay days, while balances over $200 may indicate billing for an incorrect number of days. Medicare has a one-year limit on submitting claims so act promptly to resolve any balances over 300 days.
  
  Medicaid: Open balances may indicate eligibility gaps, changes in coverage levels, rate set-up errors or incorrect classification as primary or secondary payer. This payer also has a one-year limit on submitting claims. Again, act promptly to resolve any balances over 300 days.
  
  Pending/Presumed Medicaid: Medicaid application processing times vary by state. Normally eligibility is determined within a few months at the most. Open claims older than 120 days should be investigated promptly.
   
• Filter data for the highest and lowest balances. Focus on your five to ten highest balances and work with staff to resolve. Discuss reasons for any credit balances with staff, as regulations often require a prompt refund or claim adjustment. Credit balances could also indicate incorrectly posted payments (to the wrong patient account or service date). Instruct staff to routinely review and resolve credits to prevent collection activities on paid-off accounts. 

Ask questions, follow up and recognize good work. If you notice an improvement in your facility’s A/R report, make sure you recognize team and individual efforts. If improvements are slow to come, discuss obstacles with staff, refine your A/R reporting, and review the plan as needed.

For professional baseball players who get paid millions to swing a bat, going through a slump is daunting. The mere thought of a slump conjures up frustration, anxiety and humiliation, and in extreme cases, the possibility of job loss.

The concept of a slump transcends sports. Just glance at the recent headlines about Yahoo, Equifax, Deloitte, and the Democratic National Committee. Data breaches occur on a regular basis. Like a baseball team experiencing a downswing, these organizations need to make adjustments, tough decisions, and major changes. Most importantly, they need to realize that cybersecurity is no longer the exclusive domain of Chief Information Security Officers and IT departments. Cybersecurity is the responsibility of all employees and managers: it takes a team.

When a cybersecurity breach occurs, people tend to focus on what goes wrong at the technical level. They often fail to see that cybersecurity begins at the strategic level. With this in mind, I am writing a blog series to outline the activities managers need to take to properly oversee cybersecurity, and remind readers that good cybersecurity takes a top-down approach. Consider the series a cybersecurity playbook for management. This Q&A blog — chapter 1 — highlights a basic concept of maturity modeling.

Let’s start with the basics. What exactly is a maturity model?
RG: A maturity model is a framework that assesses certain elements in an organization, and provides direction to improve these elements. There are project management, quality management, and cybersecurity maturity models.

Cybersecurity maturity modeling is used to set a cybersecurity target for management. It’s like creating and following an individual development program. It provides definitive steps to take to reach a maturity level that you’re comfortable with — both from a staffing perspective, and from a financial perspective. It’s a logical road map to make a business or organization more secure.

What are some well-known maturity models that agencies and companies use?
RG: One of the first, and most popular is the Program Review for Information Security Management Assistance (PRISMA), still in use today. Another is the Capability Maturity Model Integration (CMMI) model, which focuses on technology. Then there are some commercial maturity models, such as the Gartner Maturity Model, that organizations can pay to use.

The model I prefer is the Cybersecurity Capability Maturity Model (C2M2), developed by the U.S. Department of Energy. I like C2M2 because it directly maps to the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) compliance, which is a prominent industry standard. C2M2 is easily understandable and digestible, it scales to the size of the organization, and it is constantly updated to reflect the most recent U.S. government standards. So, it’s relevant to today’s operational environment.

Communication is one of C2M2’s strengths. Because there is a mechanism in the model requiring management to engage and support the technical staff, it facilitates communication and feedback at not just the operational level, but at the tactical level, and more significantly, the management level, where well-designed security programs start.

What’s the difference between processed-based and capability-based models?
RG: Processed-based models focus on performance or technical aspects — for example, how mature are processes for access controls? Capability-based models focus on management aspects — is management adequately training people to manage access controls?

C2M2 combines the two approaches. It provides practical steps your organization can take, both operationally and strategically. Not only does it provide the technical team with direction on what to do on a daily basis to help ensure cybersecurity, it also provides management with direction to help ensure that strategic goals are achieved.

Looking at the bigger picture, what does an organization look like from a managerial point of view?
RG: First, a mature organization communicates effectively. Management knows what is going on in their environment.

Most of them have very competent staff. However, staff members don’t always coordinate with others. I once did some security work for a company that had an insider threat. The insider threat was detected and dismissed from the company, but management didn’t know the details of why or how the situation occurred. Had there been an incident response plan in place (one of the dimensions C2M2 measures) — or even some degree of cybersecurity maturity in the company, they would’ve had clearly defined steps to take to handle the insider threat, and management would have been aware from an early stage. When management did find out about the insider threat, it became a much bigger issue than it had to be, and wasted time and resources. At the same time, the insider threat exposed the company to a high degree of risk. Because upper management was unaware, they were unable to make a strategic decision on how to act or react to the threat.

That’s the beauty of C2M2. It takes into account the responsibilities of both technical staff and management, and has a built-in communication plan that enables the team to work proactively instead of reactively, and shares cybersecurity initiatives between both management and technical staff.

Second, management in a mature organization knows they can’t protect everything in the environment — but they have a keen awareness of what is really important. Maturity modeling forces management to look at operations and identify what is critical and what really needs to be protected. Once management knows what is important, they can better align resources to meet particular challenges.

Third, in a mature organization, management knows they have a vital role to play in supporting the staff who address the day-to-day operational and technical tasks that ultimately support the organization’s cybersecurity strategy.

What types of businesses, not-for-profits, and government agencies should practice maturity modeling?
RG: All of them. I’ve been in this industry a long time, and I always hear people say: “We’re too small; no one would take any interest in us.”

I conducted some work for a four-person firm that had been hired by the U.S. military. My company discovered that the firm had a breach and the four of them couldn’t believe it because they thought they were too small to be breached. It doesn’t matter what the size of your company is: if you have something someone finds very valuable, they’re going to try to steal it. Even very small companies should use cybersecurity models to reduce risk and help focus their limited resources on what is truly important. That’s maturity modeling: reducing risk by using approaches that make the most sense for your organization.

What’s management’s big takeaway?
RG: Cybersecurity maturity modeling aligns your assets with your funding and resources. One of the most difficult challenges for every organization is finding and retaining experienced security talent. Because maturity modeling outlines what expertise is needed where, it can help match the right talent to roles that meet the established goals.

So what’s next?
RG: In our next installment, we’ll analyze what a successful maturity modeling effort looks like. We’ll discuss the approach, what the outcome should be, and who should be involved in the process. We’ll discuss internal and external cybersecurity assessments, and incident response and recovery.

You can read our next chapter, Selecting and implementing a maturity model: Cybersecurity playbook for management #2, here.