Cyber Security of Medicare: Tabletop Simulations: Part 8

EDITOR’S NOTE: Edward Roche, in association with RACmonitor, is writing a series on the need for U.S. healthcare facilities to protect themselves from cybercriminals demanding ransoms for patient records. This is the eighth installment in the series. 

Hospitals can mitigate the damage from a cyberattack by engaging in simulations designed to evaluate and improve their response. One variety of simulation is the “Tabletop Exercise” (TTX).

Unlike many organizations such as banks, the healthcare sector was never designed with a view to cyber security. Over time, the role of information systems has grown, but it is only in the past few years that hospitals and others have felt the full threat of cyber sabotage. Serious hospital attacks have been growing at around 65 percent each year. For organizations that think of information technology only as a supporting infrastructure for their operations, a lack of preparation is common.

Hospitals are in a very special category of organizations. If they are attacked, not only do they suffer damage to their organization and information systems, but they also become targets of the government. Inspections, audits, penalties, and fines are all actions that both the federal and state governments might take against a hospital if it loses control of its information system. In addition, there is the question of patient care. Since a large number of patients depend upon various medical devices, they also are vulnerable to cyberattack. Cyber can kill.

Tabletop exercises for hospitals, abbreviated “TTX,” are the perfect way for the organization to practice how it will respond to a cyberattack. The TTX is a complex simulation with several distinct roles. Participants respond to the scenario that is given to them. At the same time, a number of observers watch what is going on and take notes for future reference. When the team of participants meets to plot its response, facilitators are dispatched to help make sure the discussions go in the best direction. Finally, this type of simulation employs a number of data collectors who track everything that happens and compile data that can be used later when assessing how everyone performed.

In a tabletop exercise, the team first receives a scenario and begins to respond. After the response has been recorded, results are calculated and saved for future analysis. The next stage is for the organization to compile the lessons it learned from the exercise. If this is done correctly, it will often lead to the development of new protocols.

Each simulation has a number of vignettes, which are called “injects.” These are not drug injections; rather, each is a modification to the scenario designed to challenge the participants and possibly throw them off guard. A better word for “inject” might be “monkey wrench.”

Tabletop Exercise: Scenario One

Here is an example of a scenario of the type that might form the basis for a tabletop exercise at a hospital.

The nursing staff notices that a part-time security guard has started showing up an hour earlier than he needs to. Six months ago, the guard’s fiancée (also an employee at your facility) was laid off. Without warning, several administrative employees receive an email inviting them to check out her latest vacation pictures by clicking on www.SeeMyVacationPhoto.com. When they visit the website, they receive an error message such as “404 Error File Not Found.”

Shortly thereafter, the chief information officer receives an untraceable email. Inside the email she finds a file containing the electronic medical records, personally identifiable information, and credit card data for more than 1,000 patients of the hospital. Along with this file is a note stating that this information, plus data on an additional 5,000 patients, will go up for auction on the Dark Web. The bids close at midnight.

The remainder of the simulation focuses on the question of whether the healthcare organization was prepared for this type of scenario or, instead, must sustain significant damage.

This type of tabletop exercise is excellent because it brings together so many different parts of the healthcare organization. For example, the IT department, the department that handles compliance with federal laws and regulations, the security department, and other units are all tested within the range of their competence.

The success of this type of exercise lies in the nature of the relationship between the different functional elements of the organization and how well they are able to coordinate with each other under extreme stress.

Scenario Two

The setting is a major trauma center. All patient care is coordinated through an electronic medical records system. In order to keep things current, this software is updated on a regular basis. In fact, the software was updated only a few weeks ago.

The software has been working perfectly until today. The clinical support computers start to slow down, become sluggish, or completely freeze up and stop working. As a result, patient care is delayed. In response to this problem, the physicians in your facility begin to switch over to manual procedures whenever they need to verify any patient information. As new patients continue to arrive, your healthcare facility becomes overwhelmed.

As the patient load continues to increase, your policies are changed so that only life-threatening emergencies are admitted to the facility. In general, your entire system has ground to a halt.

At this point, your director of information technology services receives notification from your subcontractor that malware has been discovered. A worm has altered or erased entire data fields containing patient treatment information.

Scenario Three

It is a normal working day at your healthcare facility. Three of your administrative employees receive an email from the HR department. The email contains detailed instructions requesting them to update their passwords as a security measure. Conveniently, the email has a link to do this. Because they have received emails with specific instructions regarding the use of the information system many times in the past, they quickly update their passwords.

Within a few days, the chief financial officer discovers discrepancies in the accounting records. A quick investigation reveals that a cyberattack has been carried out against the billing system. It was already known that the system had a vulnerability, but unfortunately, this problem was not patched in a timely manner.

At this point, outsiders control all of the billing system, including receivables. The money cannot be recovered.

Shortly thereafter, the chief executive officer (CEO) receives a demand to pay $1 million within 24 hours. If this payment is not received, the entire database will be destroyed and all of the credit card information will be auctioned off on the Dark Web.

Not only is there an existential threat to the facility’s receivables, but your system is also no longer compliant with payment card industry requirements. As a result, your organization is now subject to penalties and fines. You quickly learn that the organization must pay out a minimum of $3 million to notify all patients whose credit card information has been taken, and on top of that pay for one year of credit monitoring for each patient.

The Theory of Tabletop Simulations

It is often said that the organization which works best is the one that practices the most. In the case of developing a robust response to cyber threats, the Department of Homeland Security has found that conducting tabletop exercises on a regular basis can greatly improve one’s chances of surviving a severe cyberattack. The theory of tabletop simulations is that each round of practice leads to an evaluation, which then leads to a change in procedures (protocol). The organization learns to communicate in the ways that are necessary under these extraordinary circumstances. It becomes possible to measure response time not merely within departments, but across the entire organization on a cross-functional basis.
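The cycle described here (scenario, timed injects, recorded responses, evaluation, lessons that become protocol changes) and the cross-functional response-time measurement are easy to make concrete. The following is an added example, not part of the original article or any RACmonitor or DHS tool: a small Python harness in which data collectors log each department’s declared action against the exercise clock, each inject is scored by how long it took the whole organization (not one department) to take every expected action, and unmet or slow actions are turned into a lessons-learned list. The scenario, the expected actions, the departments, the sample log, and the 20-minute “slow” threshold are all constructed for illustration, loosely following Scenario Three above.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Inject:
    """A scripted 'monkey wrench' revealed at a given exercise-clock minute."""
    minute: int
    text: str
    expected_actions: List[str]   # what facilitators expect the team to do


@dataclass
class Response:
    """One action a department declares, as logged by the data collectors."""
    minute: int
    department: str
    action: str


@dataclass
class ActionResult:
    action: str
    met: bool
    department: Optional[str] = None
    delay: Optional[int] = None   # minutes from reveal to the first matching response


@dataclass
class InjectReport:
    minute: int
    text: str
    results: List[ActionResult]
    org_time: Optional[int]       # minutes until EVERY expected action was taken


def score_inject(inj: Inject, log: List[Response]) -> InjectReport:
    """Score one inject: for each expected action, find the first response logged
    at or after the reveal, record who took it and how long it took.
    The organisation-wide time is the slowest of those delays (None if any action
    was never taken), which is the cross-functional metric the exercise is after."""
    results = []
    for action in inj.expected_actions:
        hits = [r for r in log if r.action == action and r.minute >= inj.minute]
        if hits:
            first = min(hits, key=lambda r: r.minute)
            results.append(ActionResult(action, True, first.department, first.minute - inj.minute))
        else:
            results.append(ActionResult(action, False))
    delays = [r.delay for r in results]
    org_time = None if not delays or any(d is None for d in delays) else max(delays)
    return InjectReport(inj.minute, inj.text, results, org_time)


def score_exercise(injects: List[Inject], log: List[Response]) -> List[InjectReport]:
    return [score_inject(inj, log) for inj in injects]


def lessons_learned(reports: List[InjectReport], slow_after: int = 20) -> List[str]:
    """Turn the scored exercise into protocol gaps: actions nobody took, and actions
    that took longer than `slow_after` minutes (threshold chosen for this example)."""
    lessons = []
    for rep in reports:
        for res in rep.results:
            if not res.met:
                lessons.append(f"t+{rep.minute}: no department took '{res.action}'")
            elif res.delay > slow_after:
                lessons.append(f"t+{rep.minute}: '{res.action}' took {res.delay} min ({res.department})")
    return lessons


# Constructed scenario, modelled loosely on Scenario Three in the article.
SCENARIO_THREE = [
    Inject(0, "Three administrative employees act on an 'HR password reset' email",
           ["report_suspicious_email", "force_credential_reset"]),
    Inject(30, "CFO finds discrepancies; billing system shows signs of compromise",
           ["isolate_billing_system", "activate_incident_response_plan", "notify_compliance_and_legal"]),
    Inject(60, "CEO receives a $1 million demand with a 24-hour deadline",
           ["brief_executive_leadership", "engage_law_enforcement", "begin_patient_notification_planning"]),
]

# Constructed data-collector log for one run of the exercise.
SAMPLE_LOG = [
    Response(12, "IT", "force_credential_reset"),
    Response(35, "IT", "isolate_billing_system"),
    Response(40, "Security", "activate_incident_response_plan"),
    Response(55, "Compliance", "notify_compliance_and_legal"),
    Response(62, "Executive", "brief_executive_leadership"),
    Response(75, "Legal", "engage_law_enforcement"),
]

if __name__ == "__main__":
    for rep in score_exercise(SCENARIO_THREE, SAMPLE_LOG):
        print(f"t+{rep.minute:>3}  org_time={rep.org_time}  {rep.text}")
    for line in lessons_learned(score_exercise(SCENARIO_THREE, SAMPLE_LOG)):
        print("LESSON:", line)
```

Run stand-alone, the harness shows that the team handled the second inject end to end in 25 minutes, but nobody ever reported the original phishing email or started patient-notification planning, so those two injects have no organisation-wide completion time at all. Those gaps, not the individual departments’ speed, are what should drive the next round’s protocol changes.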

Have you ever thought about what happens when two football teams meet on the field? Let’s assume for a moment that each team has exactly the same strength and speed. In this case, when all other conditions are experimentally controlled, so to speak, we find that the team which has practiced the most is the one that will win every time. We practice because in doing so we discover unexpected problems that can occur, and if we are careful and keep records, we change our procedures so that the next time these unexpected events occur, they can be dealt with effectively.

The cyberattack war against the United States and all of its organizations, including the healthcare sector, shows no sign of abating. We can be sure of only one thing: attacks will continue, attacks will become more severe, attacks will be more difficult to defeat, and attacks will become deadlier. At the heart of this problem is the simple fact that there is no such thing as a completely secure information system. It simply does not exist. Therefore, the art of management is knowing what to do, in the best way, when faced with the inevitable problems posed by a cyberattack.

Edward M. Roche, PhD, JD

Edward Roche is the director of scientific intelligence for Barraclough NY, LLC. Mr. Roche is also a member of the California Bar. Prior to his career in health law, he served as the chief research officer of the Gartner Group, a leading ICT advisory firm. He was chief scientist of the Concours Group, both leading IT consulting and research organizations. Mr. Roche is a member of the RACmonitor editorial board as an investigative reporter and is a popular panelist on Monitor Mondays.
