Category: Editorial

Will “Digital Fingerprint” Forensics Thwart the Data Thieves Lurking in Hospital EHR Corridors?

Guest post by Donald Voltz, MD, Aultman Hospital, Department of Anesthesiology, Medical Director of the Main Operating Room, Assistant Professor of Anesthesiology, Case Western Reserve University and Northeast Ohio Medical University.

As Halloween approaches, the usual spate of horror movies will intrigue audiences across the US, replete with slashers named Jason or Freddie running amuck in the corridors of all too easily accessible hospitals. They grab a hospital gown and the zombies fit right in. While this is just a movie you can turn off, the real horror of patient data theft can follow you.

(I know how terrible this type of crime can be. I myself have been the victim of a data theft by hackers who stole my deceased father’s medical files, running up more than $300,000 in false charges. I am still disputing ongoing bills that have been accruing for the last 15 years.)

Unfortunately, this horror movie scenario is similar to how data thefts often occur at medical facilities. In 2015, the healthcare industry was one of the top three hardest hit industries with serious data breaches and major attacks, along with government and manufacturers. Healthcare systems are packed with a wealth of exploitable information such as credit card data, email addresses, Social Security numbers, employment information and medical history records, much of which will remain valid for years, if not decades, and fetch a high price on the black market.

Who Are The Hackers?

It is commonly believed that attacks come from outside intruders looking to steal valuable patient data, and 45 percent of the hacks are external. However, “phantom” hackers are also often your colleagues, employees and business associates who are unwittingly careless in the use of passwords or lured by phishing schemes that open the door for data thieves. Not only is data stolen, but privacy violations are insidious.

The problem is not only high-tech, but also low-tech, requiring that providers across the continuum simply become smarter about data protection and privacy issues. Medical facilities are finding they must teach doctors and nurses not to click on suspicious links.

To thwart accidental and purposeful hackers, organizations should implement physical security procedures to secure network hardware and storage media through measures like maintaining a visitor log, installing security cameras, limiting physical access to server rooms and restricting the ability to remove devices from secure areas. Yes, humans are the weakest link.

Growing Nightmare

Medical data theft is a growing national nightmare. IDC’s Health Insights group predicts that one in three healthcare recipients will be the victim of a medical data breach in 2016. Other surveys found that in the last two years, 89 percent of healthcare organizations reported at least one data breach, with 79 percent reporting two or more breaches. The most commonly compromised data are medical records, followed by billing and insurance records. The average cost of a healthcare data breach is about $2.2 million.

At health insurer Anthem, Inc., foreign hackers stole up to 80 million records using social engineering to dig their way into the company’s network using the credentials of five tech workers. The hackers stole names, Social Security numbers and other sensitive information, but were thwarted when an Anthem computer system administrator discovered outsiders were using his own security credentials to log into the company system and to hack databases.

Investigators believe the hackers somehow compromised the tech worker’s security through a phishing scheme that tricked the employee into unknowingly revealing a password or downloading malicious software. Using this login information, they were able to access the company’s database and steal files.

Healthcare Hacks Spread Hospital Mayhem in Diabolical Ways

Not only is current patient data security an issue, but thieves can also drain the electronic economic blood from hospitals’ jugular vein—its IT systems. Hospitals increasingly rely on cloud delivery of big enterprise data from start-ups like iCare that can predict epidemics, cure disease, and avoid preventable deaths. They also add Personal Health Record apps to the system from fitness apps like FitBit and Jawbone.

Banner Health, operating 29 hospitals in Arizona, had to notify millions of individuals that their data was exposed. The breach began when hackers gained access to payment card processing systems at some of its food and beverage outlets. That apparently also opened the door to the attackers accessing a variety of healthcare-related information.

Because Banner Health says its breach began with an attack on payment systems, it differs from other recent hacker breaches. While payment system attacks have plagued the retail sector, they are almost unheard of among healthcare entities.

Provider Networks’ Role in Expanding Patient Choice

Guest post by Cheri Bankston, RN, MSN, director of clinical advisory services, Curaspan.

When determining a discharge plan, hospitals must provide a list of home health agencies (HHAs) or skilled nursing facilities (SNFs) that are available to care for the patient; this comes as part of the Conditions of Participation (CoPs) for Discharge Planning. In the case of a HHA, the provider must be able to serve the patient in the area where the patient resides, or in the case of a SNF, the area requested by the patient.

Acute care providers have been struggling with how to set up a high-quality provider network to support patient choice as we move from volume to value. Provider networks aim to gather more information to assist beneficiaries with selecting a high-quality post-acute provider. CMS has not outlined any specific criterion that deems a provider “high quality,” but the end goal is to provide the patient more information on quality performance and resource use at the time they are making a decision. Through the Centers for Medicare and Medicaid Services’ (CMS) Star Rating program, discharge planners or case managers working for hospitals are able to highlight those provider networks that will best fit the needs of the patient. The networks are able to counsel patients about their available choices, while more importantly upholding the patient’s right to choose.

Under the Affordable Care Act’s value-based purchasing initiative, hospitals are at financial risk for the outcomes of care their patients receive from post-acute care providers, leading hospitals to work towards establishing high-quality provider networks. For many, upholding the standard of Medicare policy – patient freedom of choice – is challenged by potential financial incentives and penalties for the bottom line – the quality of care provided to the patient after discharge impacts the reimbursement levels for hospitals and ACOs. Although provider networks may appear to narrow patient choice, they actually create a set of higher quality post-acute providers that improve patient outcomes without impeding access to care.

Payers have been using “provider networks” for years, but applying them to hospitals is a brand-new concept. An ACO’s success depends on using a provider network that has a demonstrated history of high-quality care outcomes. For example, SNFs that have a high rate of patients going to emergency rooms and not being admitted must be evaluated to determine the variance from other providers with the same level of care and fewer emergency room visits. Quality outcomes and patient satisfaction are going to drive the definition of provider networks.

Key Takeaways:

Can Healthcare Learn from Aerospace and Airlines About Process Improvement Technology?

Ironically, the prevailing attitude among clinicians remains: “healthcare does not consider itself a process or system industry,” and therefore it is not one that would significantly benefit from leveraging technology to improve its processes. As a data science community within the healthcare industry, we must all push the envelope to demonstrate that healthcare has a lot to gain by becoming more efficient and effective via process improvement technologies, as it clearly has done by embracing clinical improvement technologies.

Dale Schroyer, a certified data scientist and ProModel’s leading healthcare simulation expert, overheard these comments while attending an immersion workshop on RCA, or root cause analysis, at the NPSF Patient Safety Congress earlier this year.

This program looked at what hospitals do when an adverse event occurs. According to the workshop instructors, Dr. James P. Bagian and Mr. Joseph M. DeRosier, “Usually, such events occur because of system faults or failures, not necessarily human error. The challenge is determining what the faults in the system are, how they can be fixed and instituting actions to fix them and measure those fixes.”

Schroyer found it a fascinating topic because of the similarities to what is done in the aerospace industry, in which he started his career. One of the instructors was also from the aerospace industry. Both instructors teach at the University of Michigan, which is also Schroyer’s alma mater.

From listening and interacting with conference attendees, most of whom were nurses and doctors, Schroyer observed that healthcare does not consider itself a process industry. However, the mere fact that doctors and nurses were having the conversation is a considerable step in the right direction.

Many in attendance wanted to know what techniques would best serve them in convincing their coworkers back home that the system approach is a good and necessary one for the healthcare industry that can benefit patients, hospitals, nurses and physicians. Using a predictive/prescriptive analytic tool such as discrete event simulation (DES) is one possible approach.

Schroyer spoke with the instructors, as well as other attendees, about simulation as a tool to improve patient flow and other hospital system shortfalls. They mentioned that the barriers to simulation are many, such as a long, cumbersome learning curve.

mHealth Opportunity One May Not Afford to Miss

Guest post by Rashmi Katiyar, director, Kratin LLC.

I recently read an article in favor of mobile development in healthcare. Though the article made sense to me, it got comments like “mobile is good but we have many other challenges to cater to and mobile is far low on priority.”

As an immediate reaction, I agreed with this comment, but it kept bugging me over time. When mobile is so powerful (with its reach) and so connected, why can’t it solve bigger problems? Maybe they are not thinking of mobile beyond “find a physician” or “fitness step count” apps. There are actually endless opportunities, and much more serious tasks await the smartphone from a healthcare provider’s perspective.

Patient Assistance: Mobile can be a handy guide for a patient outside and inside hospitals. It can not only give information about your facility, services and physicians but also keep your patients engaged with notifications, a health library, YouTube channels, care gap management, immunization schedules, etc.

Physician Assistance: In today’s competitive healthcare industry, with growing ACOs and other policies, it’s equally important to keep your physicians engaged and equipped. Handy and secure access to needed information like patient data, technical terms, on-call schedules, etc. helps doctors, nurses and clinical staff increase overall coordination among the care team and achieve greater satisfaction.

Population Health: A good mobile application provides the opportunity to stay connected with a wider number of people beyond patients; as a result, it’s easy to run real-time push surveys and polls and to run healthy community forums. Social and mobile play a vital role in spreading information; with access to more people, things can be done at an altogether different scale.

These are just some very high-level thoughts; mobile applications are growing richer in capability and technology. One of the biggest benefits of staying connected to patients beyond the walls of the hospital is that it allows the care team to keep a check on the adherence and wellness of patients, which avoids re-admissions and reduces the overall cost of care.

We discuss possibilities with various IT teams from different hospitals; the more we talk, the more I feel the need for healthcare providers to embrace mHealth for better health outcomes and to truly emerge as fee-for-value organizations, catering not only to a patient’s illness but to the wellness of each and every individual in their sphere.

MACRA Anticipation: What a Delay Might Suggest

Guest post by Cheri Bankston, director of clinical advisory services, Curaspan.

As physicians across large and small practices struggle to prepare for the many payment reforms under the Medicare Access and CHIP Reauthorization Act (MACRA), Centers for Medicare and Medicaid Services’ (CMS) Acting Administrator Andy Slavitt recently suggested that MACRA could be delayed from its intended Jan. 1, 2017, start date. He also proposed that reporting requirements may be adjusted to ease the burdens on physicians. For example, data and measurements could be potentially submitted through an automated method.

MACRA is expected to greatly transform how Medicare pays for physicians and other clinicians who participate in the fee-for-service program. Under MACRA, payment changes will be split into a two-track system for Medicare reimbursement:

Merit-based Incentive Payment System (MIPS) is for providers who operate using fee-for-service reimbursements. This new program combines parts of the Physician Quality Reporting System (PQRS), the Value Modifier (VM), and the Medicare Electronic Health Record (EHR) incentive program into one single program for participants.

Alternate Payment Model (APM) is for physicians who take on a significant caseload of patients. New payment models enable health care providers to be paid by Medicare. From 2019 to 2024, CMS may pay some participating health care providers a lump sum incentive payment.

How This May Impact You

Working with physicians and understanding their business model is the core of transition management, especially for physicians who are providing care to patients in the Fee-for-Service program. With a deeper understanding, it is easier to foster a more collaborative and effective relationship. Hospitals have been paid a lump sum since the early ‘80s, but it is important to recognize that some physicians and physician groups have patients who are enrolled in bundled payment models and others who are not. So how important is it for case managers to know how a physician is paid? For a case manager to properly perform their job, they must know how the business of health care functions.

New Social Security Account Fraud

Guest post by Stu Sjouwerman, founder and CEO, KnowBe4.

Bad guys are abusing the Social Security Administration’s (SSA) online service called My SocialSecurity Account in two ways:

  1. A phishing scam that encourages employees to create an account, where your user enters all their confidential information at the scammer’s site, leaving them open to ID theft and social engineering attacks using that data, and to infection of their workstation, either in the office or at home.
  2. The scammers set up My Social Security Accounts on behalf of people, and change the account to direct the benefits checks to a bank account they control.

Basically, this “My Social Security Account” is very useful. It allows you to set up a personal online account that enables you to view your earnings history and estimates of benefits, change your address, or start or change direct deposits of your check into a bank account. The SSA also supports two-factor authentication, which is good.

However, it’s a heaven for scammers. Yes, to open an account the SSA requires verification of personal data by asking questions that only the Social Security recipient should know, but this info is easily available to an identity thief, who can open an account in the name of the intended victim.

The introduction of two-factor authentication does not prevent an identity thief from initially setting up a My Social Security Account in the name of their victim, and we all know that you can social engineer the user to send the 2FA code to the hacker.

What to Do About This

I suggest you send your employees, friends and family the following. Feel free to copy/paste/edit:

DICOM Viewers: Integration and Development Issues

Guest post by Tatsiana Levdikova, copywriter, EffectiveSoft.

The DICOM format appeared more than 20 years ago. Since then, a number of technological advancements have taken place, resulting in better resolution in such files and an increase in the volume of data. New technologies made it possible to get not just an ordinary photo, but an animated image. Such new options had a direct impact on the size of the data being processed by DICOM viewers.

In the meantime, many hospitals continue to use DICOM viewers that were created many years ago. These viewers work more slowly than the latest solutions and lack many useful functions. Besides, they cannot handle a growing volume of data. But hospital staff are reluctant to stop using outdated solutions, and there are some reasons for such an attitude:

Consequently, hospitals have to solve a dilemma: they have the latest diagnostic equipment that undergoes regular updates, while their software is too old to work with large volumes of data.

Exploring the Paradox 

Health professionals do not participate in the development of the software they make use of. Although diagnosticians are the bearers of user expertise, since they deal with images each day, make diagnoses and conduct research, they have barely any involvement in the development of the software they use.

To keep up with the latest developments in the field of diagnosis, healthcare facilities have to look for opportunities to make improvements in diagnostic software, and in DICOM viewers in particular.

DICOM viewers’ development prospects

There are a number of lucrative directions that DICOM viewers’ developers should bear in mind.

Collaboration plays a crucial role in making a diagnosis. Diagnosticians often consult each other if they have some doubts or if there is a need to get access to a medical history of a patient.

DICOM viewers could become a solution by providing their users with remote access to images. Besides, they could become a tool for online discussion (where participants could use different graphic tools to review images).

Importing images from different sources (e.g. from one hospital with its own file format requirements to another) and displaying them according to the requirements and standards of each health facility.

A built-in set of instruments can be extended and its functions improved by giving DICOM viewers’ users the ability to utilize an advanced review, create annotations and notes, measure angles and circles, etc.

DICOM viewers could automatically compile medical assessment reports on the basis of available annotations, with hyperlinks to particular images and image areas.

DICOM viewers could also be used in workflow management by forwarding processed images to other experts for additional research.

Three-dimensional modelling is one more promising direction for DICOM viewers, and auto-adjustment of images, improving their quality by using the latest algorithms for dealing with pixel images, seems to be a solution in this case.

Difficulties Developers of Healthcare Software and Health Facilities Face

The quality and accuracy of healthcare software’s work must be very high, and there must be no room for mistakes in order to eliminate the possibility of a medical error. This makes testing a very important part of the development process, and it accounts for 40 percent to 60 percent of the total development time.

From Firewalls to Artificial Intelligence: Can the Healthcare Data Security War be Won?

Guest post by Santosh Varughese, president, Cognetyx.

The U.S. healthcare industry is under siege from cyber criminals who are determined to access patient and employee data. Information security think tank Ponemon Institute’s most recent report on healthcare cyber security, published in May 2016, revealed some sobering statistics:

Another study, conducted in April by IBM, found similar problems, as well as insufficient employee training on cybersecurity best practices and a lack of commitment to information security from executive management.

With only about 10 percent of healthcare organizations not having experienced a data breach, hackers are clearly winning the healthcare data security war. However, there are proactive steps that the healthcare industry can take to turn the tide in its favor.

Data Security Starts with a Culture of Security Awareness

Both the IBM and Ponemon studies highlight an issue that experts have been talking about for some time: despite increasing dangers to information security, many healthcare organizations simply do not take cybersecurity seriously. Digital technologies are relatively new to the healthcare industry, which was very slow to adopt electronic records and when it finally did so, it implemented them rapidly without providing employees adequate training on information security procedures.

Unfortunately, many front-line employees feel their only job is to treat patients and that information security is “the IT department’s problem.” These employees fail to grasp the importance of data security and are not educated on the dangers of patient data breaches, as reflected in Ponemon’s findings that employee mistakes account for half of all healthcare data breaches.

The healthcare industry needs to adjust this attitude toward cybersecurity and implement a comprehensive and ongoing information security training program, and cultivate a culture of security awareness. Information security should be included in every organization’s core values, right beside patient care. Employees should be taught that data security is part of everyone’s job, and all supervisors – from the C-suite down to the front line – should model data security best practices.

Additionally, organizations should implement physical security procedures to secure network hardware and storage media (such as flash drives and portable hard drives) through measures like maintaining a visitor log and installing security cameras, limiting physical access to server rooms, and restricting the ability to remove devices from secure areas.