Guest post by Santosh Varughese, president of Cognetyx
Cybersecurity is a serious concern for every industry in America, but healthcare has been particularly hard hit. It is the most likely industry in the U.S. to suffer a data breach. According to the Ponemon Institute, nearly nine out of 10 healthcare organizations have been breached at least once, and nearly half have been breached three times or more. Cyber-criminals are clearly winning this war, despite more funding, more firewalls, and more scrutiny. Here are five reasons why healthcare organizations are losing the cybersecurity war.
C-level healthcare executives still aren’t taking data security seriously.
Although the epidemic of healthcare cyber-attacks has C-suite executives claiming they finally realize the gravity of the situation, their actions tell a different story. A recent survey by HIMSS found that while most facilities have given information security a higher priority, healthcare IT personnel still complain of insufficient funding and staffing for cybersecurity. The same concerns were expressed by IT personnel surveyed in the Ponemon study and an earlier study conducted by IBM.
Frontline employees aren’t taking it seriously, either.
A group of security researchers from the University of Pennsylvania, Dartmouth and USC recently conducted an ethnographic study of cybersecurity practices among nurses, doctors, and other frontline medical personnel. The results showed a flagrant, widespread, shocking disregard for even the most basic data security practices; among other things, workers were observed:
Writing passwords on sticky notes and tacking them on machines in full view of anyone who wandered by.
Allowing other staff members to use their login credentials out of “professional courtesy.”
Purposefully defeating automated system timeouts by placing foam cups over sensors or by having another employee tap a spacebar at intervals.
Criminal hackers are fully aware of these types of practices and do not hesitate to take advantage of them; 95 percent of breaches occur when hackers get their hands on legitimate login credentials, either by obtaining them from a malicious insider or by taking advantage of an employee’s negligence or carelessness.
Too many facilities think that HIPAA compliance is sufficient to secure their data.
Most healthcare organizations focus primarily or exclusively on HIPAA compliance, erroneously thinking that complying with HIPAA is all they need to do to secure their systems. However, HIPAA was never meant to be a blueprint for a comprehensive data security plan. The law primarily addresses documentation and procedures, such as specifying when a patient’s medical records can legally be released, not technical safeguards. Information security experts surveyed by the Brookings Institution stated that HIPAA does very little to address the types of security challenges faced by large healthcare organizations with hundreds of employees and highly complex, interconnected data environments. The proof is in the numbers; if HIPAA compliance were enough to protect patient data, 90 percent of healthcare organizations would not have experienced breaches.
Healthcare jobs are plentiful, and at least through 2024, the demand for healthcare professionals, such as nurses, anesthesiologists and physicians, will only continue to rise.
The Bureau of Labor Statistics has said that healthcare jobs are “expected to have the fastest employment growth and to add the most jobs between 2014 and 2024.” Given the healthcare industry’s propensity for increased growth, hospitals need to embrace scalable IT—for their own sake and for the sake of their patients.
Fortunately, there are options.
Healthcare organizations increasingly rely on cloud-based IT solutions, and SADA Systems has reported that the number of organizations living in the cloud could be as high as 89 percent. There’s a reason for the high percentage—cloud solutions are safe, scalable and efficient.
Hospital data safety is no small concern.
In 2008, 9.4 percent of hospitals used EHRs. By 2014, the percentage had skyrocketed to 96.9 percent. The switch to digital records was necessary, but in the rush to modernize, hospitals were left more vulnerable to data theft than other industries that had migrated more slowly.
According to Niam Yaraghi, healthcare systems are left with an additional concern. “Hospitals cannot tolerate the consequences of computer lockdowns,” writes Yaraghi. “If Walmart gets attacked, it will likely shut down for a short period of time and fix the issue … hospitals on the other hand, are dealing with patients’ lives.”
Cloud-based IT solutions provide both reliable security and almost nonexistent downtime.
Further arguments for cloud IT include the sheer number of patients hospitals see every year. Hospitals treat 136.3 million patients in the emergency room alone, according to CDC.gov, and believe it or not, that number is growing. Cloud IT accommodates growing demand seamlessly.
The aforementioned surge in healthcare labor will also necessitate a consolidated communications option for employees, and cloud solutions provide that as well. With healthcare utilization likely to rise, what are hospitals doing to keep up with the demand? Hospital staffs are growing, medical specialists are gaining more expertise, and healthcare centers are getting exponentially bigger.
Check out the graphic below showing the largest hospitals in each state by number of staffed beds, for some perspective.
Lee Horner serves as Stratus Video’s president of telemedicine, bringing more than 25 years of experience in the enterprise software and healthcare IT industries. Most recently, Horner served as the president of CareCloud, a health care technology company specializing in practice management and EHR software. During that time, his core focus was setting the direction and strategy of the company while managing the top- and bottom-line revenues. He also drove both technology excellence and platform growth to meet CareCloud’s clients’ goals. Prior to CareCloud, Lee also held executive roles at Vitera Healthcare (formerly Sage Healthcare, where I worked with him; now Greenway Health) and Eliza Corporation.
You recently joined Stratus as president of telehealth – what motivated your decision and why is this such an important field nowadays?
In today’s mobile and fast-paced world, telehealth is a necessity. Telehealth is healthcare 2.0 – it can cut wait times, costs for both the provider and the patient, and inefficiencies. At the same time it can elevate the kind of expertise and quality of the care patients receive, as well as give new opportunities to connect doctors to the patients who need them most. Telehealth is the future of health. It’s not only preserving that face-to-face connection between patients and providers – which is essential to great healthcare – it’s making that connection available to so many more people in so many different contexts. By enabling these essential connections, telehealth expands the probability of people getting the care they need, and is inevitably helping to save lives.
What is your background in health IT?
I have been involved in healthcare IT for the past 10 years. I have experience operating businesses in the payer, ambulatory and health system markets. It is a great field to be in. It’s very progressive and always changing.
Why is health IT where it’s at today? What do you feel has made this industry successful?
This market is expanding rapidly and technological advancement is at the forefront of that expansion. Smart people with extreme passion for improving patient quality care are really what is making this industry successful.
What are some of the things that most inspire you about the space and its work?
I am inspired every time I see the changes we are making improve a patient’s quality of care. It is incredible to see our work start to make a difference.
What are the most important areas in telehealth nowadays?
One important area is how telehealth is opening opportunities for more health industry professionals – and this, in turn, is leading to a more robust patient experience. Predictable disruption is a huge theme in telehealth. You saw unpredictable disruption with industries like car ride service – when Uber and other apps came out, people who weren’t taxi drivers were suddenly entering that industry. In healthcare, it’s different – apps are creating opportunities for people already within the industry, allowing more providers to help the patients who need them most and more patients to connect with the providers best suited to their needs.
A couple of other important areas are readmissions and urgent care:
The Affordable Care Act penalizes hospital readmissions, because it’s important to incentivize successful treatment. Unfortunately, the nature of healthcare and the nature of life is that you sometimes need to go back in for continued treatment or to inquire about something. But maybe you moved or you’re too sick to keep going back to your treating physician. Discharge solutions are allowing people to reconnect and get the follow-up care they need without the hassle.
Urgent and emergency care solutions are also becoming really important. Imagine a burn victim walks into an ER at 4 a.m. and needs to see a specialist – but the staff is all tied up or there isn’t a specialist working in that particular facility. Without an urgent care app, the patient would be waiting and suffering, while the provider would be struggling to give them the care they need. With an app, they’d be able to pull up a tablet and connect that patient face-to-face with the doctor they need almost immediately.
About two decades ago, who would have imagined nanorobots able to carry drugs through the human bloodstream?
It’s happening. Technology is revolutionizing the conventional “country doctor” model of health care, and there’s not much to be surprised about. With modern machines and software taking over the healthcare industry, one often wonders, “What good is technology doing for it?”
Health information technology (HIT) is information technology applied to health and health care: it supports health information management across computerized systems and the secure exchange of health information between consumers, providers, payers, and quality monitors. This burgeoning combination of information technology, communications, and health care is altering the course of patient care for the better. Here’s how:
Knowledge Sharing
Practicing medicine is lifelong learning. Doctors need to be on their toes all the time to keep up with the latest developments in their field. Not updating themselves can make their practice stagnant – nobody would want to consult a doctor like that. Health IT puts knowledge about everything, be it patients, therapies, diseases or medicines, at their easy disposal. This knowledge can be easily shared between consultants and patients, and can be updated when needed. That’s a whole new world of medical science for doctors and patients to explore.
Improved Coordination
The world is swiftly moving towards specialization. Healthcare is no different. A single hospital stay could mean being under the observation of several different specialists at the same time. These specialists are required to coordinate with each other on every case they deal with. The way forward is paved by health IT. Health IT helps bring everything related to your condition, from nutrition to neural complications, in tandem with each other. The specialists know which condition can make the regular course of treatment difficult for you or which medicine would trigger your skin allergies. The result? There are fewer chances of problems arising in your healthcare.
Better Outcomes
The most significant way IT is transforming the healthcare industry is in the form of better outcomes. Automation streamlines the operations of a medical facility, making them more effective and efficient. It is easier for different doctors and nurses to coordinate and diagnose a particular case. There are fewer chances of human error, which ultimately leads to higher quality and safer care. With less time wasted in going through physical files and other manual work, doctors and nurses have more time on their hands to spend with patients.
The Patient’s Involvement
If anything, health IT has made patients increasingly vigilant about their health. It enables them to gain electronic access to their medical history, health records, and doctor’s recommendations. They get a chance to take control of their health. Patient portals and online knowledge hubs help patients educate themselves about their conditions, their symptoms and treatment procedures. Health IT makes it easier for patients to get in touch with doctors and nurses for better health outcomes and medical care.
Guest post by Abhinav Shashank, CEO and co-founder, Innovaccer.
According to a survey, almost 50 percent of physicians do not understand MACRA. With less than five months to full implementation of MACRA, are we ready to embrace one of the most elaborate laws of the US? And, most importantly, will it produce the needed positive outcomes? The program is expected to improve the current standards, sort out the most persistent problems and create opportunities to rework and revise Medicare. How will all this happen?
With MACRA in place, there won’t be two-digit payment cuts like those under the current Sustainable Growth Rate (SGR) formula. Besides enhancing the use of electronic health records, MACRA is expected to increase the relevance of Medicare to the real world and reduce the administrative burden on physicians’ shoulders.
Decoding MIPS
MIPS stands for Merit-Based Incentive Payment System. It will streamline three independent programs, the Physician Quality Reporting System (PQRS), meaningful use, and the value-based modifier, to ease the burden on clinicians. Three components of MIPS will replace these programs, and one more component will be added to bring improvements in practice. MIPS will have the following components:
1.) Quality: This component will replace the Physician Quality Reporting System (PQRS). Under MIPS the methods of reporting and the various quality measures have been adopted from the old programs PQRS and VBM. There are some changes in the reporting methods: for the registry, EHR, and Qualified Clinical Data Registry (QCDR) reporting methods, a clinician can select a minimum of six measures, which could be a combination of any quality domain. If the clinician sees patients face to face, then the selection must include one cross-cutting measure (cross-domain-cutting) and one outcome-based measure. If there is no outcome-based measure, then a high-priority measure has to be selected.
Besides these six measures, CMS will calculate two or three more measures depending on the size of the group of physicians: for an individual physician or a group of fewer than 10, two measures; for a larger group, three measures. Additionally, for the QCDR and registry reporting methods, the “data completeness” standard has been changed. The share of patients to be reported within a measure denominator has been raised from 50 percent to 90 percent.
2.) Advancing Care Information: Under MIPS the meaningful use program will see a lot of changes. Currently, the meaningful use program is all-or-nothing; i.e., if one clinician achieves a performance rate of 20 percent on meaningful use measures and another achieves 90 percent, they both get rewards in a similar fashion. Under ACI, however, the latter gets 10 out of 10 points and the former gets three points.
More than 100 ACI performance points have been defined, of which 50 are base points given for reporting either “yes” or a non-zero numerator. The performance score is up to 80 points based on performance on eight measures. The remaining bonus points are awarded for reporting to any other public health registry.
Guest post by Craig Musgrave, senior vice president, information technology, The Doctors Company.
Healthcare entities remain the top target for cyber criminals. Not only do over 50 percent of all cyberattacks occur in the healthcare industry, but there have been 4,000 daily ransomware attacks—focused mostly on healthcare entities—since early 2016, a 300 percent increase over the 1,000 daily attacks in 2015.[i]
All types of organizations must take steps to ensure they are protected. The following are six questions you should ask your IT department to evaluate your cybersecurity readiness, and some answers to these perplexing problems most industries face today.
Does our organization use a security framework?
The National Institute of Standards and Technology Cybersecurity Framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk.
The Framework will help an organization to better understand, manage, and reduce its cybersecurity risks. It will assist in determining which activities are most important to ensure critical operations and service delivery. In turn, that will help to prioritize investments and maximize the impact of each dollar spent on cybersecurity.
What are the top risks I should worry about?
Human interaction: Over 80 percent of attacks are made possible by human error or human involvement, such as downloading malicious files, clicking on malicious links, or plugging unknown USB devices into computer systems. You need to provide security training for all employees and maintain constant employee awareness of the risks. There should also be a significant investment in security solutions that can help limit the damage if an employee action leads to an attack.
Technology vulnerabilities: Vulnerabilities in your defenses may be known—or newly discovered when an attack happens. Invest in tools that scan for hardware and software vulnerabilities and invest in IT staff to constantly update and patch software.
External intruders: Addressing non-stop attempts to access your network through unsecured or vulnerable access points involves investing in technologies and strategies like multi-factor authentication, advanced firewalls, web application firewalls, external monitoring, and penetration tests.
Data loss: Protected health information (PHI) could be lost through an unapproved employee data transfer. Invest in tools that encrypt data-in-transit and educate employees on proper data transfer procedures.
Delayed detection: This is the inability to detect an intrusion due to an unknown vulnerability, misconfigured technology, or employee error. Invest in constant IT training on event management, security threat detection, incident response, and technology configuration. Execute threat simulations (penetration tests) and do a continual review of system configurations.
Attacks through privileged accounts: Hackers try to gain access to privileged accounts—such as domain admin, database admin, or external vendors—to reach secure areas within computer networks. For example, the major Target hack occurred when an employee of Target’s third-party HVAC vendor responded to a spear phishing e-mail. Privileged Account Management systems enable one-use passwords for the accounts they cover.
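Two of the risks above, credential sharing among frontline staff and misuse of privileged or vendor accounts, leave traces in ordinary authentication logs. This is an added example, not code from any of the guest authors: it reads constructed login/logout lines, flags one account active on two workstations at once, and flags privileged-account logins outside business hours. The log format, account names, the privileged-account inventory and the 07:00-18:59 business-hours window are all assumptions.

```python
"""Flag credential sharing and off-hours privileged logins in auth logs."""
from collections import defaultdict
from datetime import datetime
from itertools import combinations

# Constructed sample log lines (not from any real system):
# <timestamp> <LOGIN|LOGOUT> <account> <workstation>
SAMPLE_LOG = """\
2016-10-03T07:58:12 LOGIN  nurse.jdoe  WS-ICU-01
2016-10-03T08:02:40 LOGIN  nurse.jdoe  WS-ICU-07
2016-10-03T08:30:05 LOGOUT nurse.jdoe  WS-ICU-01
2016-10-03T08:45:00 LOGOUT nurse.jdoe  WS-ICU-07
2016-10-03T09:00:00 LOGIN  dr.smith    WS-ER-03
2016-10-03T09:20:00 LOGOUT dr.smith    WS-ER-03
2016-10-03T09:25:00 LOGIN  dr.smith    WS-ER-04
2016-10-03T23:10:00 LOGIN  vendor.hvac DC-01
2016-10-03T23:11:00 LOGOUT vendor.hvac DC-01
"""

# Assumption: the organisation keeps an inventory of privileged and vendor accounts.
PRIVILEGED_ACCOUNTS = {"vendor.hvac", "dbadmin", "domain.admin"}
BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 counts as normal


def parse_log(text):
    """Turn raw lines into (timestamp, event, account, host) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, account, host = line.split()
        events.append((datetime.fromisoformat(ts), event, account, host))
    return sorted(events)


def build_sessions(events):
    """Pair each LOGIN with the next LOGOUT of the same account on the same host.

    A session with no LOGOUT is still open; its end is recorded as None."""
    open_sessions = {}
    sessions = defaultdict(list)  # account -> [(start, end, host)]
    for ts, event, account, host in events:
        key = (account, host)
        if event == "LOGIN":
            open_sessions[key] = ts
        elif event == "LOGOUT" and key in open_sessions:
            sessions[account].append((open_sessions.pop(key), ts, host))
    for (account, host), start in open_sessions.items():
        sessions[account].append((start, None, host))
    return sessions


def find_shared_credentials(sessions):
    """One account logged in on two workstations at the same time is the
    footprint of the 'professional courtesy' credential sharing described above."""
    findings = []
    for account, sess in sessions.items():
        for a, b in combinations(sorted(sess, key=lambda s: s[0]), 2):
            if a[2] == b[2]:
                continue  # same workstation: a reconnect, not sharing
            a_end = a[1] or datetime.max
            b_end = b[1] or datetime.max
            if a[0] < b_end and b[0] < a_end:  # intervals overlap
                findings.append((account, a[2], b[2]))
    return findings


def find_offhours_privileged_logins(events, privileged=PRIVILEGED_ACCOUNTS):
    """Privileged or vendor accounts logging in outside business hours deserve
    a same-day review, which is what shortens the 'delayed detection' window."""
    return [
        (account, host, ts.isoformat())
        for ts, event, account, host in events
        if event == "LOGIN" and account in privileged
        and ts.hour not in BUSINESS_HOURS
    ]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("shared credentials:", find_shared_credentials(build_sessions(ev)))
    print("off-hours privileged logins:", find_offhours_privileged_logins(ev))
```

On the sample, the nurse account overlapping on two ICU workstations is flagged while the physician's move between ER workstations is not, and the vendor login at 23:10 is surfaced for review.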
Guest post by Ken Perez, vice president of healthcare policy, Omnicell.
A recent poll conducted by Monmouth University concluded that “fully 70 percent of American voters say that this year’s presidential campaign has brought out the worst in people.”
Undoubtedly and sadly, in this era in which fact-checking of candidate statements is essential, a majority of Americans believe that all politicians lie or at least that they lie often.
That prevailing sentiment is what made former President Bill Clinton’s candid riff about the Affordable Care Act at an Oct. 3 Democratic rally in Flint, Mich. so extraordinary. He stated, “…the current system works fine if you’re eligible for Medicaid, if you’re a lower-income working person, if you’re already on Medicare, or if you get enough subsidies on a modest income that you can afford your healthcare. But the people who are getting killed in this deal are small business people and who make just a little bit too much to get any of these subsidies. Why? Because they’re not organized. They don’t have any bargaining power with insurance companies. And they’re getting whacked. So you’ve got this crazy system where all of a sudden 25 million more people have healthcare, and then the people out there bustin’ it sometimes 60 hours a week end up with their premiums doubled and their coverage cut in half. It’s the craziest thing in the world.”
Unlike the ACA’s expansion of Medicaid, which has been blocked by 19 states that have declined to go along with the law, the health insurance exchanges have been operational for a number of years in all fifty states and the District of Columbia.
So how are the health insurance exchanges of this “crazy system” really doing and, to Clinton’s point, what’s happening to people who don’t qualify for subsidies?
Clinton was generous in saying that the “system works fine” for those who get subsidies. State regulators have used terms such as “near collapse,” “emergency situation,” “meltdown,” and “financial death spiral” to describe the condition of their exchanges. In total, the health insurance exchanges are way over budget, serve fewer people, and show signs of being unsustainable, which pushes health plans to cost shift by raising premiums for non-exchange insurance policies, especially employer-sponsored health insurance. The population paying for those policies includes the people Clinton described as “bustin’ it sometimes 60 hours a week.”
Originally, the federal government was supposed to spend $136 billion from 2015-2019 on health insurance exchange subsidies. However, more states than expected opted to have the federal government run their exchanges, and the higher-risk pool of individuals participating in the exchanges led to premium hikes. As a result, the Congressional Budget Office (CBO) in August projected $278 billion in federal outlays for health insurance exchange subsidies for that period, an overspend of $142 billion for 2015-2019 on the subsidies alone. That is a staggering amount, considering that it would basically cancel out the projected 10-year budget surplus for the entire health reform law. With even greater average premium hikes expected for 2017—24 percent for the non-group market—the CBO’s projection is clearly conservative and will certainly be revised upward.
Many states are reporting individual market rate hikes in 2017 well above the aforementioned national average. Minnesota’s approved increases range from 50 to 67 percent. Blue Cross Blue Shield of Tennessee will raise its rates by 62 percent. Golden Rule Insurance Co. in Kentucky received approval for a 47.2 percent rate increase, while Wellmark in Iowa will raise its rates by 42.6 percent. In Delaware, Highmark Blue Cross Blue Shield received approval for a 32.5 percent average rate increase, and Utah’s individual exchange health plans will rise on average 30 percent.
Did you hear the one about the disbarred lawyer who embezzled more than $1.2 million from a hospital in Kansas City over four and one-half years? This is not the start of a joke; it is unfortunately all too true. The long-trusted attorney supposedly served the hospital by collecting past-due payments from patients. Money collected was to go into a trust account. However, his fingers were more than a little sticky when checks were mailed back from patients and found their way into his personal account.
Slow-/no-pay patients have become a much more important aspect of hospital financial management as high deductible health plans (HDHP) become the norm across America. What once was considered little more than an annoying write-off, keeping bad debt to an absolute minimum is very much a priority. Gone are the days when more than 90 percent of revenue came from the insurance companies. Hospitals must look to patients for 50 percent, or more, of that revenue now. My bet is the number of checks embezzled by the attorney has only recently become material, which is why it took so long to catch him.
We can criticize the hospital for not staying on top of its accounts receivable. Certainly, payment plans offered at the time of service can help keep A/R down, as can reminders emailed to slow-paying patients. But that misses the larger point.
Unfortunately, any time checks are directed to third-party services, the potential for malfeasance exists. At any point in a process where the payment can be touched, there is an opportunity to redirect those funds, as in the case of the hospital in the city of fountains.
A significant portion of this could have been avoided if the hospital had used an online paperless solution to bill its patients. It cuts off those sticky fingers, figuratively speaking. A paperless method keeps out crooked collectors because there is no reason or way for them to get their hands on the funds: payments are deposited directly into the hospital’s bank account and reconciled nightly. There’s nothing to touch or divert.
I am of the opinion that this crime in Kansas City is not all that unusual or isolated. Perhaps a perpetrator is uncovered and reparations are made under the cover of a sealed agreement, but it happens entirely too often.
In the past year I’ve seen reports of CEOs, CFOs and directors shown the door for embezzling millions from healthcare facilities in Alabama, Idaho and Wyoming, among others. The Alabama case involved a whopping $14 million.
Cash flow has become a top priority for all segments of healthcare, but especially hospitals. As I already suggested, the presence of HDHPs has made it so. But the manner in which these institutions bill for services rendered and go about seeking payment is opening them to the same fate as the other organizations that were robbed, so the time to change is now.