Happy holidays to everyone! However you celebrate this time of year, we hope that this season brings you closer to family and friends. We are filled with gratitude as we look back at all the support we've received as we've built FinMed Partners over the past two years.
This issue we are joined by guest contributor and fellow healthcare payments traveler Rob Pinataro, who shares some perspectives on cybersecurity. The potential exposure is real, but Rob offers practical and effective tips for safeguarding patient payment data, PHI, and other corporate information.
Careful readers will notice we've rearranged the order of things a bit. Deal News is now found after our featured topic, for example. Keep an eye out for more changes to future issues as we streamline our format, and open up a small amount of space for sponsorship. Thanks as always for making us a part of your day!
Remember to download our Demystifying Healthcare Payments white paper here. And reach out here to schedule time if you'd like to take a deeper dive.
SPOTLIGHT ON CYBERSECURITY
Everything is Great. Until it Isn’t. A CEO’s Nightmare Holiday Call to Action
By Rob Pinataro, MBA, QTE; CEO, Arete Consulting
Jane, CEO of XYZPay.com, was carving the holiday roast, the house full of laughter and the January board deck done with better‑than‑budget numbers, a pristine cap table, and a top‑tier banker waiting to launch a sale process—when her company cell phone rang. Her head of security, voice tight, said customer accounts were being compromised; $3M of payments were missing; the extent of PHI exfiltration was unknown; and the Security Incident Response Team was gathering. 60 seconds killed Jane’s holiday joy…
This nightmare plays out daily for CEOs across the HCIT/Fintech market. When attackers hit your firm, will they find you prepared, or will you be receiving that dreaded phone call?
Successful Defense Starts with Studying the Enemy's Tactics
Some CEOs feel that security matters are too technical to understand and feel incapable of proactively driving fraud prevention. In fact, “user-assisted” fraud is a process which can be understood by anyone. A leader who understands that process can virtually eliminate fraud by all but the most determined or state-sponsored fraudsters.
The Process of Compromising an Account
Harvest credentials: Fraudsters create a fake website (e.g., XYZP@y.com), and send phishing emails or texts urging customers to take urgent action. When customers try to log in, credentials are stolen, and they are redirected to the real site.
Break into the system: Fraudsters log into the platform, and change contact information to divert MFA alerts.
Exploit the system: The perpetrators create admin users and tell more fraudsters how to break in. They change “pay to” bank account numbers and divert payments, and exfiltrate PHI records.
Breaking the Fraudster's Process by Complicating Every Step
Reduce credential harvesting via External Attack Surface Management (EASM): Use an EASM firm to find fraudulent websites, shut them down quickly, and monitor the dark web for threats.
Reduce fraudulent system access via Multi-Factor Authentication (MFA): Use the MFA present in business email and other business platforms. Use a 3rd party MFA solution for XYZPay’s SaaS platform. Train users to be phish-resistant.
Prevent system exploitation by protecting sensitive actions: Limit access based on roles and require MFA and extra verification for changes to bank accounts, user accounts, and contact information.
If each of the above steps is 80% effective, the entire process becomes 99.2% effective at preventing fraud. Well-run businesses can achieve much higher than 80% effectiveness at each step.
Immediate Actions to Reduce Risk. Ask the following of your CISO:
Is our firm using External Attack Surface Management (EASM)? It takes days to implement, is highly effective, and can be done inexpensively.
How complete is the MFA coverage of our business? It needs to be everywhere.
Confirm MFA is required on business email and all other business software.
Mandate use of company email addresses for MFA on all business platforms which use email as a verification method.
For XYZPay’s proprietary SaaS or payment processing platform: If MFA is not in place, start a project with a 3rd party MFA solution provider; if MFA is in place, confirm coverage of all accounts and enable the most phish-resistant verification options.
How are we tracking, alerting, and triggering verification for high-risk user actions?
Log user actions
Use a Security Information and Event Management (SIEM) tool to report on those actions and alert on unusual or known suspect behaviors.
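As an illustration of the logging and alerting questions above, here is an added example (not from the original article or from any vendor's product) of two detection rules run over a constructed audit log. The event fields, action names, account names, and 24-hour window are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Action names and the event schema are assumptions for this example.
HIGH_RISK = {"contact_change", "bank_account_change", "admin_user_create"}
FOLLOW_ON = {"bank_account_change", "admin_user_create"}
WINDOW = timedelta(hours=24)

def detect(events):
    """Return (timestamp, account, rule) alerts for an audit-log stream."""
    alerts = []
    last_contact_change = {}  # account -> time of most recent contact change
    for ev in sorted(events, key=lambda e: e["ts"]):
        action, acct, ts = ev["action"], ev["account"], ev["ts"]
        if action not in HIGH_RISK:
            continue
        # Rule 1: a sensitive action completed without extra verification.
        if not ev.get("step_up", False):
            alerts.append((ts, acct, "high_risk_without_step_up"))
        # Rule 2: contact details changed, then money or privileges moved
        # shortly afterwards (the account-compromise sequence in the article).
        if action == "contact_change":
            last_contact_change[acct] = ts
        elif action in FOLLOW_ON:
            changed = last_contact_change.get(acct)
            if changed is not None and ts - changed <= WINDOW:
                alerts.append((ts, acct, "takeover_sequence:" + action))
    return alerts

def _ev(ts, account, action, step_up=False):
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "action": action, "step_up": step_up}

# Constructed sample audit log (not real data).
SAMPLE = [
    _ev("2025-12-24T18:02:00", "clinic-17", "login"),
    _ev("2025-12-24T18:05:00", "clinic-17", "contact_change"),
    _ev("2025-12-24T18:20:00", "clinic-17", "admin_user_create"),
    _ev("2025-12-24T19:10:00", "clinic-17", "bank_account_change", step_up=True),
    _ev("2025-12-24T09:00:00", "clinic-42", "bank_account_change", step_up=True),
    _ev("2025-12-20T09:00:00", "clinic-88", "contact_change", step_up=True),
    _ev("2025-12-23T09:00:00", "clinic-88", "bank_account_change", step_up=True),
]

if __name__ == "__main__":
    for ts, acct, rule in detect(SAMPLE):
        print(ts.isoformat(), acct, rule)
```

Note that the bank account change on clinic-17 is flagged even though it passed extra verification, because the contact details that verification relies on were changed an hour earlier.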
Conclusion
No fraud prevention solution is perfect, but these actions are simple, cost-effective, and can reduce your fraud risk by two orders of magnitude. Become the hard target, let the fraudsters work on someone else, and enjoy your holiday in peace.
COMPANY PERSPECTIVES
American Express
Amex Sees Healthcare’s Payment Pain as Its Next Frontier. Amex is targeting the healthcare sector's inefficiencies by introducing automated digital payment solutions. Paul Martin, VP and GM of Acquiring Partnerships, talks about how Amex's strategy is focusing on modernizing B2B and patient transactions to reduce administrative costs, stabilize provider revenue, and streamline complex billing workflows. (PYMNTS)
Synchrony Financial (CareCredit)
Why Experience - Not Credit - Is the New Competitive Moat in Consumer Finance. Synchrony CFO Brian Wenzel asserts that seamless purchasing experiences, rather than credit terms, now drive competitive advantage. As a result, Synchrony is investing to become an "experience infrastructure partner," utilizing AI and embedded finance to facilitate effortless consumer transactions. (PYMNTS)
Adyen
Do Platforms need to become PayFacs to win at payments? Natalie Moreno Wexler, Adyen's VP Platform Offering Strategy, argues that platforms do not need to become full Payment Facilitators (PayFacs) to succeed. Instead, she advocates for embedded finance partnerships that deliver the same revenue and user experience benefits without the heavy regulatory and operational burdens. (LinkedIn post)
Webster Bank
Webster Bank Deploys Healthcare Savings to Generate Billions in Deposits. Webster Bank’s healthcare niche, driving 15% of deposits, leverages sticky Health Savings Accounts and Medicare Set Asides for low-cost, long-duration funding. Expanded federal eligibility for HSAs in 2026 positions the bank for significant direct-to-consumer growth. (The Financial Brand)
AI IN HEALTHCARE
Hospital Trends in the Use, Evaluation, and Governance of Predictive AI, 2023-2024. Examines trends in the foundational use, evaluation, and governance of predictive AI using data from the 2023 and 2024 American Hospital Association IT supplement. (HHS Assistant Secretary for Technology Policy). Tip of the hat to the HISTalk blog for surfacing this piece.
San Francisco-based Luma Health announced that it has acquired Tonic Health from Murray, UT-based R1. Terms were not disclosed. Luma sells an EHR-integrated patient engagement platform that automates administrative workflows such as scheduling, intake forms, appointment reminders, and referrals to streamline healthcare operations. Tonic's patient intake and consent services will supplement Luma's offerings, which the company says reach more than 1,000 health systems and 100 million patients.
Vet software company Digitail raises $23M Series B
Atlanta-based Digitail, serving over 10,000 veterinarians and 3 million pet owners with its comprehensive cloud-based practice management software, announced the close of a $23 million Series B financing. This brings the company's total funding to $37 million since its founding in 2018. The investment was led by Five Elms Capital with participation from existing investors Atomico, Partech, Byfounders, and Gradient.
Ember raises $4.3M seed round for AI revenue cycle support
San Francisco-based Ember has just raised $4.3 million in seed funding, including participation from Nexus Venture Partners and Y Combinator. Ember's solution is working to reduce claim denials by combining patient visit data, EHR documentation, and knowledge of payer policies to improve first pass claim rate. The company says it will use the funds to invest in go-to-market capabilities and accelerated technology development.
Artera announces $65M funding for AI agent communications
Santa Barbara, CA-based Artera has raised $65 million of growth capital from existing investors. The round was led by Lead Edge Capital, with participation from Jackson Square Ventures, Health Velocity Capital, Heritage Medical Systems and Summation Health Ventures. Artera combines human and agent intelligence to automate administrative and clinical workflows (e.g., scheduling, prescriptions, appointment follow up). Artera's approach builds on a decade of experience working with consumers, and currently supports 1,000 healthcare organizations and 2 billion patient communications each year.
Stablecoin Affinity Cards. Co-branded stablecoin cards sound like a fever dream, but there's a compelling business case. (Fintech Brain Food)
Six payment trends for 2026. The next wave of payments innovation uses tech to put people first, making money movement more secure, smarter and more personal. (Mastercard)
Conference List. Rolling twelve month look ahead at conferences and other events covering healthcare payments, revenue cycle, fintech and related areas. Updated through November 2026.
FMP Blog. Thoughts from healthcare payments CEOs and investors on their right to win and goals for the year ahead, as well as data and perspectives on healthcare payments.
Newsletter Archive. News, trends, and insights from the healthcare payments industry compiled in our bi-weekly newsletter. Last six months of newsletters.
Epic MyChart. Excel sheet with full listing of all Epic MyChart instances as of May 2024, categorized by state, provider type and specialty.
All of these resources can also be accessed at the FinMed Partners Insights page.
Thank you for reading! If you enjoyed this newsletter, please forward to a friend or colleague.
FinMed Partners is a management consulting and advisory business focusing at the intersection of payments/ fintech and healthcare. Our founders have developed deep expertise from decades of experience with health IT companies, healthcare providers and many players within the payments ecosystem. Investors, boards and executive teams work with us to maximize business value through strategic input and tactical execution.
FinMed Partners LLC, 34 Long Avenue, Belmont, MA 02478, United States