The ransomware crisis continues to impact hospitals and health systems with little sign of slowing down.
In 2017, IT security in healthcare was in the media spotlight. In May, the WannaCry ransomware hit thousands of information systems. It was followed by NotPetya, which took down Merck and Nuance. In June, the Health Care Industry Cybersecurity Task Force released a number of security frameworks, and the number of cybersecurity training programs increased.
Security frameworks are not the answer to this problem, but they are organizing schema that sometimes help an organization think through its requirements to protect its healthcare data. By August, professionals were worrying about the Internet-of-things (IoT), including malware infection of medical devices – to possibly even include pacemakers active within patients’ bodies.
In Stockholm, at the October ITechLaw conference, practicing attorneys expressed concerns that there was no legal standard that defined the level of due diligence necessary in the management of their information systems. Organizations were being held responsible by government regulators, but with no objective standard of security. CMS delayed requirements for using the 2015 certified electronic health record (EHR) standard. eClinicalWorks’ software company was brought into court because its software could not identify cancer. Medicare continued to deny reimbursement for many telemedicine procedures, thus remaining Luddite in its orientation. Without an accepted standard for reasonable cybersecurity, organizations will remain unable to protect themselves from litigation claiming negligence in their data management.
The end-of-year statistics said it all. Healthcare system security breaches rose 24 percent, but ransomware incidents rose 89 percent.
We can expect that in 2018, IT security in the healthcare sector will continue to be a challenge. Hackers, terrorists, non-state actors, even state actors all continue to be antagonists to the global cyber infrastructure. Information systems can be compromised in a number of ways:
The industry already is off to a good start in 2018. Last Thursday, two North Carolina-based data centers of the giant company Allscripts had its cloud platform disabled by a ransomware attack. All patient information became unavailable. The e-prescribing system and EHR platform went offline. The Electronic Prescribing of Controlled Substances (EPCS) functionality went down. Physicians had to go back to paper records.
The previous week, Hancock Health in Greenfield, Ind. was hit by ransomware. All of the patient names in its EHR were changed to “I’m sorry.” They paid out $55,000, which is much less than it would have cost to restore the system had the records remained locked. The “I’m sorry” attack had been visited on Indiana’s Adams Memorial Hospital prior to this. In early January, it was reported that more than one-half of all patient information in Norway had been compromised.
The creativity of criminals is limitless, and law enforcement sometimes is a step behind. Likewise, healthcare security professionals and the security countermeasures they are able to deploy can be insufficient.
And in many cases, they will remain behind, because IT security involves what professionals describe as “asymmetric warfare,” a fancy way of saying that the cost of the attack is many times less than the cost of defense.
In particular, the tsunami of ransomware will continue to do damage to thousands of enterprises, both public and private.
Some have placed blame for ransomware on the outlaw government in North Korea. After all, it is a money-making operation, and the use of crypto-currency makes it easy to get paid. Or it could be Russian organized crime, or other governments, or rogue hackers, or someone else. It really doesn’t matter. What’s important is that ransomware is what the U.S. intelligence community calls an “advanced persistent threat.”
Efforts are being made to set up mechanisms for sharing of cyber threat information between organizations. Theoretically, this should mitigate the damage, but we will have to wait for 2019 to see if it really works as planned – and my guess is that it will not.
The spike in telehealth usage during the COVID pandemic has generated a plethora of questions about the ramifications of geography. Let’s cover a few. First,
I recently asked a question to ChatGPT, the artificial intelligence (AI) chatbot launched late last year. I got a well-worded response that made a lot
Please log in to your account to comment on this article.
Dr. Ronald Hirsch provides tried-and-true strategies and insight into outpatient in hospital bed stays including determining the applicable definition, who uses it, and when and how to bill for this circumstance, solidified with concrete case examples and expert insight.
Practical solutions for CDM departments to protect your hospital’s revenue.
This webcast teaches hospitals how to comply with CMS price transparency rules and compare their rates with peer hospitals. It covers creating a compliant machine-readable file, comparing negotiated rates, and improving pricing decisions.
The No Surprises Act (NSA) presents a challenge for hospitals and providers who must provide Good Faith Estimates (GFEs) for all schedulable services for self-pay and uninsured patients. Compliance is necessary, but few hospitals have been able to fully comply with the requirements despite being a year into the NSA. This webcast provides an overview of the NSA/GFE policy, its impact, and a step-by-step process to adhere to the requirements and avoid non-compliance penalties.
This expert-guided webcast will showcase tips for providers to ensure appropriate capture of the work performed for a visit. Comprehensive examples will be given that demonstrate documentation gaps and how to educate providers on the documentation necessary to appropriately assign a level of service. You will gain clarification on answers regarding emergency department and urgent care coding circumstances as well as a review of how/when it is appropriate to code for E&M in radiology and more.
Set yourself up for financial and compliance success with expert guidance that breaks down the impactful changes including MS-DRG methodology, surgical hierarchy updates, and many new technology add-on payments (NTAPs). Identify areas of potential challenge ahead of time and master solutions for all 2024 Proposed IPPS changes.
Do you struggle with selecting and appending the correct modifier for your medical claims? Join our must-attend webinar, “Mastering Modifier Usage: Preventing Denials and Ensuring Compliance” to reduce claim denials and improve your reimbursement rates.
Kay Piper reviews the guidance and updates coders and CDISs on important information in the AHA’s fourth quarter 2023 ICD-10-CM/PCS Quarterly Coding Clinic in an easy to access on-demand webcast.
Copyright © 2023 RACmonitor. Powered by MedLearn Media.
