Tip: Monitor and log your networks for irregularities. Familiarizing yourself with cyber thugs’ modus operandi will help you safeguard against attacks and thefts, saving you time, money, and headaches. Test your cybersense with the following five questions.

Question 1: Everyone in your practice is crazy about a new cardiology blog that offers tips and advice for specialists in the field. Clinical staff visit the site often throughout the workday from their various devices around the office. But, after months of using the online resource, staff computers start to lag and employees have problems downloading information. One Monday morning, the entire group is locked out of the system. What might have happened?

Answer: What may have transpired involves two different but similar phishing techniques that prey on providers’ habits. Specialists, who naturally look up medical information repeatedly on the same site, may be targeted by “pharmers,” while a group of specialists researching a particular topic may be caught by the “watering hole” tactic. Both exploit common interests and track how often a site is visited. Hackers use that information either to redirect you to an identical but false page that steals your passwords and credentials, or to plant malware on the popular site and use it to infiltrate your office systems. Once inside your network, cyber criminals can wreak all sorts of havoc, including the hijacking of patients’ electronic protected health information (ePHI).

Question 2: Every day when you log into your laptop, a reminder pops up asking you to install the latest Microsoft patch for the software your hospital uses. Your IT manager says to just click “remind me tomorrow,” but tomorrow turns into weeks. Before you know it, the entire hospital network is down. What could have stopped the outage?

Answer: Software patch management and stricter security protocols would have closed the loophole that let the hackers in. Technology coordination between vendors and health IT staff ensures compliance. More importantly, healthcare continues to be ravaged by the lack of patch maintenance, which breeds chaos throughout the industry. “Cyber criminals prey upon lax security practices; most breaches and attacks are preventable through a higher prioritization of operational security, including patch management and aggressive training programs,” observes Kurt J. Long, founder and CEO of FairWarning Inc. in Clearwater, Florida. “Apply vendor-recommended patches aggressively, and watch for vendor updates vigilantly.”

Tip: “Not only should your IT team remain on top of such updates, but also, they should be driving a security-centric culture through your organization,” Long advises.

Question 3: You just moved from a small-town clinic to a large, urban group practice. Your IT person okayed the use of your personal devices under the practice’s Bring Your Own Device (BYOD) policies, but he insisted that software to monitor practice data be installed for security reasons. Why?

Answer: Smartphones, laptops, and tablets allow physicians to assist patients anywhere and at any time. Despite this convenience, lost and stolen devices have accounted for a significant number of breach cases over the last few years, exposing millions of patients’ ePHI. Large-scale medical systems now use Mobile Device Management (MDM) software and governance to protect assets and patients. Certified EHR Technology (CEHRT) vendors also offer mobile-device coverage with applications that help providers combat this common issue. The HHS Office for Civil Rights (OCR) and the HHS Office of the National Coordinator for Health Information Technology (ONC) provide advice and insight on how to implement compliant MDM programs.

Question 4: You move your pediatric practice into a new facility in a different state with new partners and staff. When you shutter your old business, your previous practice manager throws the old software, hardware, and paper files into the dumpster, since you won’t need the materials or the data anymore. What’s wrong with this scenario?

Answer: Everything! The feds have specific instructions for how PHI and ePHI are to be disposed of, whether a practice is open or closed. In fact, OCR advises covered entities (CEs) to strictly follow risk management protocols when dealing with information after a business closes. Some of its suggestions include:

See the OCR’s PHI and ePHI disposal advice at: www.hhs.gov/hipaa/for-professionals/faq/575/what-does-hipaa-require-of-covered-entities-when-they-dispose-information/index.html?language=en.

Warning: “Failing to implement reasonable safeguards to protect PHI in connection with disposal could result in impermissible disclosures of PHI,” reminds OCR guidance. “Further, covered entities must ensure that their workforce members receive training on and follow the disposal policies and procedures of the covered entity, as necessary and appropriate for each workforce member.”

Question 5: Mrs. Smith abruptly departs your practice after 20 years as a nurse practitioner. During a routine systems check, your IT manager notices remote log-in access and irregularities. What may have occurred?

Answer: In this example, there’s a possibility that Mrs. Smith illegally accessed the network for nefarious purposes, ranging from stealing practice secrets to the theft of patients’ ePHI. Small practices are often too trusting, while big healthcare groups may be too busy to notice the comings and goings of employees. And because so much of an organization’s information is stored on its network servers, those servers are a liability and ripe for cyberattacks.

“Network servers are great targets for hackers because they can count on stealing a lot of information at one time from a server, while there might only be a subset of that information on a laptop, and only be a few records in an email,” explains Jen Stone, MSCIS, CISSP, QSA, a security analyst with SecurityMetrics in Orem, Utah. This kind of entry into a practice’s records allows cyber thugs to wreak all kinds of havoc. “If a hacker can gain access to an organization’s network, they can make their way to a network server and export the data stored there — or a copy of the data — to a server outside the organization’s network, and under the hacker’s control,” Stone warns.

Tip: Though healthcare remains a focus point for hackers, practices can use their risk assessments to examine network server issues. There are perennial problems to look for, Stone suggests. “Network vulnerabilities I see regularly include unpatched systems, shared account credentials, remote access to ePHI that only requires a username and password (no multifactor authentication), and insufficient malware protection.”
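A check of the kind the IT manager in Question 5 might run, added here as an illustration and not taken from the article or its sources: it scans constructed remote-access (VPN) log lines for successful logins by accounts of departed staff and for logins outside business hours. The log format, the HR roster, the usernames and the business hours are all assumptions for this example.

```python
import re
from datetime import datetime, time

# Constructed sample of remote-access (VPN) log lines; not from any real system.
SAMPLE_LOG = """\
2023-03-06T08:12:03 vpn login user=jdoe src=198.51.100.7 result=success
2023-03-06T23:41:19 vpn login user=msmith src=203.0.113.5 result=success
2023-03-07T02:05:44 vpn login user=msmith src=203.0.113.5 result=success
2023-03-07T09:30:00 vpn login user=rlee src=198.51.100.9 result=failure
2023-03-07T10:02:11 vpn login user=rlee src=198.51.100.9 result=success
"""

# Hypothetical HR roster: accounts that should already be disabled, keyed by
# username, with the date the person left the practice (assumed values).
TERMINATED = {"msmith": datetime(2023, 3, 3).date()}

# Business hours assumed for this example; logins outside them are "irregular".
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)

# Assumed log line format: ISO timestamp, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def find_irregular_logins(log_text, terminated, start=BUSINESS_START, end=BUSINESS_END):
    """Return (timestamp, user, reason) tuples for successful remote logins that
    are either by a terminated account or outside business hours."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "success":
            continue  # skip malformed lines and failed attempts
        ts = datetime.fromisoformat(m["ts"])
        user = m["user"]
        # An account used after its owner's departure means it was never disabled.
        if user in terminated and ts.date() > terminated[user]:
            findings.append((m["ts"], user, "login after termination"))
        # Off-hours remote access is worth a second look even for current staff.
        if not (start <= ts.time() <= end):
            findings.append((m["ts"], user, "login outside business hours"))
    return findings


if __name__ == "__main__":
    for ts, user, reason in find_irregular_logins(SAMPLE_LOG, TERMINATED):
        print(f"{ts} {user}: {reason}")
```

Feeding this the roster of departed employees from HR each week turns the "comings and goings" the article mentions into a concrete list to review, and pairs naturally with the MFA and shared-credential checks Stone lists.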