Dan Munro On Healthcare Information Security
MediPro had the opportunity to interview Dan Munro, the man who literally wrote the book on the subject. Dan is a highly respected authority on healthcare security, writing for Forbes and authoring the book Casino Healthcare. So without further ado … let’s get right to the questions:
What are the biggest security challenges facing healthcare providers in 2016 and how do you think that will change in the next few years?
The biggest challenges are cultural and operational – not technical – and I don’t think this changes for the foreseeable future. Opsec and infosec (and all the related legal and technical functions) demand the committed focus of an Executive Team and Board of Directors. This isn’t just an IT issue. John Chambers (of CISCO fame) said it best.
“There are two types of companies: those who have been hacked and those who don’t yet know they have been hacked.”
I’ve also seen this rephrased recently in a way that emphasizes the operational challenge:
“It’s not a question of if your organization will be breached … it’s how long will it take to discover it.”
According to one recent study, the answer to that question is – on average – almost 5 months.
Specific to healthcare, what’s become crystal clear over the last few years is the huge magnet health data represents to criminals that are able to penetrate healthcare networks with relative impunity. The number of health records breached in just one year – 2015 – was a staggering 112 million. As a percentage of the population, that’s about 35% of the U.S. I wrote about the ease of logging into the network of a sizable hospital (through a network attached printer) in 2014, and I know these vulnerabilities still exist. Health data is also lifelong, so there’s a long tail value that easily eclipses temporary financial data like credit cards.
So the real challenge I see isn’t just automating security through technology deployment, it’s the process of infusing an entire culture of security into an industry that – at least until recently – has largely managed to avoid it. The technology is relatively easy and directly tied to the IT budget process. What’s harder and longer is the training and ongoing commitment to best security practices for every organization – of every size. This is the real overhead that many healthcare organizations both resent and avoid – and this resistance has to be overcome. In the cyberwars ahead, there is no Red Cross safety zone. In fact, healthcare is a big bullseye.
It’s often mentioned that the biggest security holes are the people who don’t understand what they’re doing, installing apps and viruses on their machines. How do healthcare providers combat that?
This is the operational challenge I referenced in the previous question. It’s people and processes that create the most vulnerability to every organization, and the only way to combat this is by creating a culture of security. In this sense, healthcare suffers from no fewer than 3 different – and significant – Human Resource issues:
- Healthcare organizations need to include security as an integral – and full-time – member of the executive team. In some cases, it’s actually been relegated to part-time status and assuming that level of organizational risk is no longer an option. The Chief Information Security Officer position needs to be full-time, dedicated, Board level and not just as a token head to axe when there’s a significant breach.
- Cybersecurity talent generally is in very high demand and short supply – and that’s not going to get better anytime soon. Healthcare organizations need to understand that they’re about 5-10 years behind other industries in their cybersecurity profile – and that’s an added burden in attracting and keeping the kind of talent necessary to reduce the risks. This will result in serious budget challenges – and discussions – as it should. Finding, securing and retaining this talent will require an even larger organizational commitment over time. I know of cases where large (instantly recognizable) healthcare brands lost key talent because they thought of security as a single hiring investment.
- Every member of an organization – both inside and outside of IT – needs to be trained on best security practices around the most serious threat of all – social engineering. In the cyber battles ahead, the attackers have the advantage because the defenders need to protect against all threats all the time. Attackers, on the other hand, only need to exploit a single vulnerability once. More and more, that vulnerability is a sophisticated phishing campaign that delivers an unknown, often unseen payload that can infect or even disable an entire organization.
Ransomware is a growing problem that doesn’t even guarantee a solution if the ransom is paid. How can healthcare providers safeguard themselves against such attacks?
Ransomware isn’t new – technically, the first example was in 1989 with the AIDS Trojan Virus – and while it’s currently a high-profile one, it’s not that unique in terms of the need to develop effective planning and countermeasures. An effective DDoS attack (like the hacktivism one that took Boston Children’s Hospital offline for days) is a similar operational risk – and these both represent the highest cost both clinically and financially. There are a number of approaches to mitigate the risk – but there are no guaranteed, single bullet solutions.
- Consider new technical solutions (like Silo by authentic8) as a way to minimize executable code (like inside most browsers) from crossing the network perimeter altogether.
- Accelerate moves to cloud based storage and SaaS applications. This doesn’t eliminate the overall risk, but it will minimize it. Cloud vendors have strong legal motivations, big budgets, and staff dedicated to minimizing many different types of cyber threats – including ransomware.
- Successful attacks aren’t convenient and don’t adhere to any schedule. Have an approved contingency plan in place for each of the major risks. When an attack of any kind is successful, everyone should have a clear understanding of the roles and responsibilities to minimize the impact and repair the damage. This process is iterative and also needs to include communicating with regulatory bodies, partners, and patients in an honest and authentic way.
More and more healthcare practitioners need access to information from a mobile device. How big a security risk is this and how can it be mitigated to secure both the data in transit and the data in the event the device is lost or stolen?
Endpoint security is a big category of vulnerability and risk for every network, and while it does have unique attributes, it’s really no different in terms of embracing a culture of security. The goal isn’t endpoint or mobile security as a priority. The goal is a culture of security that includes all the vulnerabilities and risks. It’s why security is so challenging. Again, defenders have to protect against all vulnerabilities all the time whereas attackers only need to exploit a single vulnerability once. That attack surface could be a mobile device, but it could just as easily be a network attached color printer that the marketing department bought and installed yesterday.
Backups are a critical component of any healthcare provider’s strategy to keep their data available. How can they keep their offsite backups secure once the data is out of their hands?
Cloud storage, SaaS and data backups through any 3rd party (large or small) rely almost entirely on legally binding agreements and contracts. In a culture of security, the goal here is to fully understand the bounds of liability and capacity for all 3rd party agreements. A small vendor that handles data storage offsite can be appealing for economic reasons, but has limited capacity to handle the real economic liability associated with a breach – which includes communication, remediation, fines, legal defense and (potentially) expenses around brand damage. The larger vendors are well equipped to handle these extended terms and conditions – even if their monthly service expense is considerably higher. A culture of security is able to weigh all the security risks – and liabilities – associated with all 3rd party vendor contracts.
Medical software is moving towards the Cloud. What security features should physicians look for in a Cloud based product to help protect their practice and patient data?
I can’t make individual recommendations, of course, because they’re highly variable to the size and need of the organization, but generally, all vendor partners should be carefully screened through a competitive review and budgeting process. Data security is a critical lens through which all vendor partners need to be assessed. The stakes are high – and getting higher as more health data is captured, managed, manipulated and stored through 3rd party contracts. It’s also never ending. A good example here is that Microsoft just announced another security update today. That’s not surprising except that it’s for Office 2003.
In the end, the most important commodity in all of healthcare is trust – and that’s the biggest risk behind any deficiencies in the culture of security. The size of the organization is immaterial. It can easily be a small solo practice – or a globally recognized healthcare brand – but every organization is dependent on both partners and employees to protect the most valuable healthcare asset we all rely on in all its forms – health data.
About Our Interviewee: Dan Munro is an author and Forbes Contributor on the topic of U.S. Healthcare. His book ‘Casino Healthcare’ is now available and he has written extensively on cyber threats in healthcare. Follow him on Twitter at: @danmunro
What to Do When You Get a Bad Physician Review
Bad physician reviews happen, even to the best of doctors. Someone on the office staff may have a bad day, miscommunications are real and people are human. When patients have a bad experience, they often use sites like Vitals, RateMDs or Yelp to vent (which is one of the reasons we recommend patient satisfaction surveys: they give patients the opportunity to be heard before broadcasting online). Unfortunately, these venting reviews can do significant harm to a practice (see how much doctor reviews affect your bottom line).
So what do you do when you inevitably receive a negative review?
- Don’t panic, don’t fight back. One of the first instincts is to challenge the reviewer. Trust us, this is not a direction you want to go. Confrontation only makes you look bad and has the potential to escalate the situation. While the review may be unfair, there are other ways to deal with it that wind up placing you in a better light.
- Act reasonably quickly. While you don’t have to respond the minute there’s a bad review, you don’t want to let it linger either. Responding in a timely manner shows that you’re actively listening to your patients, which can go a long way. If a future patient is looking at your reviews online and sees that there was a response to a complaint within a day, it indicates that you care and that’s highly important to patients. Think of it as an online bedside manner. Now, because we know that healthcare professionals are very busy and do not usually have the time to actively monitor online review sites, we have also put together 5Star-MD as a free service in order to create one place for physicians to monitor their online presence and receive text/SMS or email updates when new reviews come up. This will help you manage your online bedside manner.
- Dispute the review if it is not legitimate. This step will vary from review site to review site. Some sites have relatively simple processes for disputing reviews while others are very complicated. In most cases, there are ways to have a review removed if it is not valid (e.g., meant for another practice, has incorrect information, is written as slanderous instead of a valid review, not a valid patient, etc.). Realize that the number of reviews you can remove will be limited in most cases, so this cannot be the core of your strategy. However, it can be highly effective in removing some damaging content. Also note that while text reviews can be disputed, in many cases the “star” rating associated with the review will not be removed. Note: Matt Rasmusson just wrote an excellent site by site guide to getting reviews removed that is worth checking out if you want to dispute a review.
- If the review is legitimate, write an honest response. If there is a negative review that you cannot or have decided not to remove, respond to it. Stay away from any negative and/or attacking phrases and focus on the patient’s concerns. Apologize for the negative experience, explain how you strive to create a positive experience for patients and then focus on what you’re doing to either investigate the problem and/or ensure it doesn’t happen again (if applicable). What you’re doing here is letting the patient know that he/she has been heard and that you are concerned about the negative experience. This is your opportunity to explain where the breakdown happened (e.g., “We have a new patient scheduling system that had a bug on the first day, which has been addressed. We are terribly sorry for the inconvenience.”). However, make sure you do not come across as defensive or inadvertently disclose any information that would be in violation of HIPAA – a public reply should never confirm that the reviewer is a patient or mention any detail of their visit, diagnosis or treatment. Keep it short, sweet and sincere.
- Work to bring in more positive reviews. One of the best defenses against a negative review is a stream of positive reviews. A negative review stands out by itself, but a negative review in-between 10 positive reviews falls in the shadows. Unfortunately, it’s usually a disproportionate number of people with bad experiences that leave a review. This means that you have to use a little elbow grease and work to have positive reviews come in – verbally encourage your patients, send a follow-up email after an appointment, have a flyer/handout in your office. Whatever you do, don’t collect and upload reviews yourself – this is a policy violation on almost every review site.
- Learn from what patients are saying. The worst thing you can do is simply ignore what patients are saying. Negative online reviews do provide beneficial information about what patients are truly thinking. Use this as a learning session. Do people perceive the doctor as cold and uncaring? It may be totally unintentional, but now you know to make a concerted effort to make patients feel more at ease. Is there an issue with the office staff’s efficiency? You may never have known otherwise, but now you can take a look at process improvements for your practice. Don’t simply respond to patients and forget what was said – see what you can truly learn about their collective experiences.
Negative reviews are a reality for all medical practices at some point. That’s why it’s so important to monitor what people are saying about you and to prepare to deal with negative posts when they come. Of course, if you need additional help managing your reputation, give us a call. We’d be happy to help you put your best foot forward and grow your practice.
Instituting Cycle Billing
Are you sending all of your bills once a month and getting a rush of questions and calls? Have you considered Cycle Billing?
Cycle billing is a method of billing customers at monthly intervals in which statements are prepared on each working day of the month and mailed to a designated fraction of the total number of customers.
Get Paid Faster
By breaking up your bills and sending them out in cycles each week or even every other week, you can get paid faster and you can reduce the rush of calls to the office after big batches are sent. By getting your bills out fast you get paid fast. This is especially true for self-pay accounts. The quicker you get the bill out the greater chances you have to collect that balance.
Cycle billing also allows you to give more attention to specific bills. You can break down the large batches to manageable sizes and give each patient account the attention it may need. This will help to reduce the number of unnecessary statements and allow you time to add notes or color to the needed statements.
With BillFlash you can send statement batches as often as you would like. With the Review function, you can add notes, delete statements from the batch, change the statement color and even choose the delivery method: mail, eBill or both.
Make It Easier
By incorporating the BillFlash Pay Services you can also reduce this stress on your office by allowing patients to manage statements and pay online.
Whether you use cycle billing or not, the full BillFlash suite offers you the tools you need to collect payments and reduce the stress of a monthly activity burst:
- Professionally printed statements
- HIPAA compliant email notifications
- Online payment portal
- Payments anywhere, anytime
  - Online 24/7
  - Over the phone
  - Mailed payments
- Stored payment methods
- Payment plans
Contact MediPro, Inc. at 1.800.759.1321 opt 2 to set up your BillFlash suite of services.
Bill Flash tips provided by:
Senior Vice President Sales & Marketing | NexTrust
*BillFlash is a product of NexTrust
Plans for the Quality Payment Program in 2017: Pick Your Pace
As published on the CMS Blog 9/8/16
By Andy Slavitt, Acting Administrator of CMS
As the baby boom generation ages, 10,000 people enter the Medicare program each day. Facing that demand, it is essential that Medicare continues to support physicians in delivering high-quality patient care. This includes increasing its focus on patient outcomes and reducing the obstacles that make it harder for physicians to practice good care.
The bipartisan Medicare Access and CHIP Reauthorization Act of 2015 (MACRA) offers the opportunity to advance these goals and put Medicare on surer footing. Among other policies, it repeals the Sustainable Growth Rate formula and its annual payment cliffs, streamlines the existing patchwork of Medicare reporting programs, and provides opportunities for physicians and other clinicians to earn more by focusing on quality patient care. We are referring to these provisions of MACRA collectively as the Quality Payment Program.
We received feedback on our April proposal for implementing the Quality Payment Program, both in writing and as we talked to thousands of physicians and other clinicians across the country. Universally, the clinician community wants a system that begins and ends with what’s right for the patient. We heard from physicians and other clinicians on how technology can help with patient care and how excessive reporting can distract from patient care; how new programs like medical homes can be encouraged; and the unique issues facing small and rural non-hospital-based physicians. We will address these areas and the many other comments we received when we release the final rule by November 1, 2016.
But, with the Quality Payment Program set to begin on January 1, 2017, we wanted to share our plans for the timing of reporting for the first year of the program. In recognition of the wide diversity of physician practices, we intend for the Quality Payment Program to allow physicians to pick their pace of participation for the first performance period that begins January 1, 2017. During 2017, eligible physicians and other clinicians will have multiple options for participation. Choosing one of these options would ensure you do not receive a negative payment adjustment in 2019. These options and other supporting details will be described fully in the final rule.
First Option: Test the Quality Payment Program.
With this option, as long as you submit some data to the Quality Payment Program, including data from after January 1, 2017, you will avoid a negative payment adjustment. This first option is designed to ensure that your system is working and that you are prepared for broader participation in 2018 and 2019 as you learn more.
Second Option: Participate for part of the calendar year.
You may choose to submit Quality Payment Program information for a reduced number of days. This means your first performance period could begin later than January 1, 2017 and your practice could still qualify for a small positive payment adjustment. For example, if you submit information for part of the calendar year for quality measures, how your practice uses technology, and what improvement activities your practice is undertaking, you could qualify for a small positive payment adjustment. You could select from the list of quality measures and improvement activities available under the Quality Payment Program.
Third Option: Participate for the full calendar year.
For practices that are ready to go on January 1, 2017, you may choose to submit Quality Payment Program information for a full calendar year. This means your first performance period would begin on January 1, 2017. For example, if you submit information for the entire year on quality measures, how your practice uses technology, and what improvement activities your practice is undertaking, you could qualify for a modest positive payment adjustment. We’ve seen physician practices of all sizes successfully submit a full year’s quality data, and expect many will be ready to do so.
Fourth Option: Participate in an Advanced Alternative Payment Model in 2017.
Instead of reporting quality data and other information, the law allows you to participate in the Quality Payment Program by joining an Advanced Alternative Payment Model, such as Medicare Shared Savings Track 2 or 3 in 2017. If you receive enough of your Medicare payments or see enough of your Medicare patients through the Advanced Alternative Payment Model in 2017, then you would qualify for a 5 percent incentive payment in 2019.
However you choose to participate in 2017, we will have resources available to assist you and walk you through what needs to be done. And however you choose to participate, your feedback will be invaluable to building this program for the long term to achieve outcomes that matter to your patients.
We appreciate the sincere and constructive participation in the feedback process to date and look forward to advancing step-by-step in that same spirit. We look forward to releasing the final details about the program this fall. Most importantly, we look forward to further engagement with physicians and other clinicians toward our shared goal of the highest quality of care and best outcomes for patients.
Surescripts: E-Prescribing of Controlled Substances Jumps 600 Percent
The number of transactions over the Surescripts network increased by 48 percent in 2015, according to the company’s 2015 National Progress Report.
Surescripts performed 9.7 billion secure health data transactions in 2015, including 1.4 billion electronic prescriptions, 1.05 billion medication histories and 15.3 million clinical messages.
Last year, after processing 6.5 billion transactions, it reported its volume surpassed that of American Express (6 billion) and PayPal (4.2 billion). Its numbers top the daily number of Amazon packages shipped (1.4 million) and Uber rides (2 million), according to an announcement.
What’s more, Surescripts says, 77 percent of prescriptions were submitted digitally in 2015, compared with 67 percent in 2014, and 58 percent in 2013.
The number of providers who now can prescribe controlled substances digitally also increased 359 percent in 2015, resulting in a more than 600 percent jump in orders for such drugs. Painkillers such as morphine and oxycodone made up 32 percent of all controlled substance e-prescriptions in December 2015.
Devon Herrick, Ph.D., a senior fellow for the National Center for Policy Analysis, recently urged making e-prescribing mandatory for controlled substances as a means to address the opioid crisis.
New York has done so as part of a larger law called the Internet System for Tracking Over-Prescribing Act of 2012 (I-STOP), intended to reduce drug diversion and doctor shopping. It has the highest rate of e-prescribing for controlled substances, according to Surescripts data.
Maine, following New York’s lead, in April became the second state to enact the requirement.
SOURCE: Susan D. Hall | August 17, 2016 | FierceHealthcare
NOTE: The CureMD software has Electronic Prescribing of Controlled Substances (EPCS) with Surescripts readily available to add to a physician’s work flow. Please contact us at 1.800.759.1321 opt 2 to learn more.