Cybersecurity Realities

American security consultant and former con man Frank Abagnale once said, “Technology breeds crime and we are constantly trying to develop technology to stay one step ahead of the person trying to use it negatively.”

The average cyberattack for a small healthcare provider can cost upwards of $1 million in recovery. Download white paper, "Healthcare, Cybersecurity, and You."

Unfortunately, cybercrime is constantly evolving, and you need to be doing all you can to protect yourself and your company from it. One in three Americans is affected by cyber-related attacks every year – this equates to an attack every 35 seconds. Chances are that you or your practice have been compromised at some point. Protecting critical data is one of the biggest challenges that a company will face. In healthcare, with the added requirements of HIPAA compliance and protecting PHI, your information security posture can easily be one of your most important business decisions.

Alarmingly, it is reported that over 75% of the healthcare industry has been infected with malware and that healthcare is among the top 5 industries attacked with ransomware. In 2018, hackers stole nearly 600 million personal records, and overwhelmingly targeted healthcare practices, providers and medical manufacturers as victims of their crimes.

Over 95% of all cybersecurity breaches are a result of human error. Bad actors always look for the weakest link and the highest-value targets as a point of infiltration. Owners, the C-suite, accounts payable accountants, and, in the case of practices, the physicians as well as the billing administrator are all considered to be valuable targets for the criminal looking for an opening to the data they want. Once they are in, however, most companies don’t even detect that they have had a breach for a mind-boggling 6 months.

Develop a human firewall.

One of the most challenging parts of developing a security-minded focus in an organization is getting past the “this only happens to other people” or “this can’t happen to me” mindset. It is commonplace for people to believe that they are never sloppy and are always doing the right things. This is when most mistakes happen. From day one of employment forward, employees should be assimilated into a security culture. Everyone in the organization should be an integral part of the solution, lest they become the problem. Simple steps such as locking the computer when not actively working, changing strong passwords often, reporting suspicious emails, and questioning things such as requests for payment or anything that seems “out of place” should all be part of a daily routine, to the point of creating muscle memory.

Education and training for employees.

Training and education is something that should always be done, and everyone in the organization needs to be involved in the process.  Benjamin Franklin best said, “Tell me and I forget, teach me and I may remember, involve me and I learn.”  A good cyber posture, for any company, begins and ends with the employees.  The threats are constantly evolving.  As such, your education should always be current, relevant and constant.  Consider things such as phishing tests and social engineering training with follow-up quizzes to stay sharp.

Limiting Network Access

Flexibility and remote access can be very useful to employees. Network technologies such as instant messaging, file sharing, remote screen access and Bluetooth file dropping are also very popular. These tools are often assumed to be safe and convenient, but they are fraught with security issues when not limited to the scope needed to complete business. The law requires that health care information be protected due to its sensitivity, and these technologies should be used with extreme caution. Practices with a solid security footing have taken the step of disallowing these technologies altogether, as they well understand that the risks involved are not outweighed by the benefits offered.

Create a cyber security incident response plan 

Incident response is a well-planned approach to managing the reaction after a breach or cyber-attack. The goal is to minimize the damage, maintain business continuity and mitigate attack-related losses and exposure. To achieve this goal, it is recommended that you do two different things.

  • Get everyone in the habit of reporting anything they see that could have any impact, from strange emails and intrusive calls to unknown email attachments that have made it beyond the firewall. Employees should have a short form that they can fill out and send to the team member tasked with cyber or IT.
  • Develop an incident response form and checklist. It should be simple, yet specific. This is a great way to capture information that is needed and should be easily followed by those who have a “need to know.” Your checklist should include some, if not all, of the following information:
      1. Identification: Who reported the incident? When was it reported? Where was the threat detected or located? What impact does it have to operations? What is the extent?
      2. Containment: Can the issue be isolated? Have backups been made to protect PHI and business-related files? Have all threats been removed from the system?
      3. Mediation/Eradication: Does anything need to be reconfigured to restore normal operations? Have all possible entry points been closed? Have all affected machines been updated and patched? Has all malicious activity been removed?

Once the threat has been eradicated, when possible, you should share with your team what happened, how it happened, and include training to ensure that it does not happen again. 

IBM President/CEO and Chairman Ginni Rometty said, “Cybercrime is the greatest threat to every company in the world.” This prophecy has been trending toward true, as it is expected that data breaches, in the year 2020, will account for over 3 billion dollars, and it is likely that cyber-related crime could become one of the greatest threats to every person in the world within the next decade.

By developing a solid cyber stance in your practice, continuing education, creating a response plan, and above all being a human firewall you can be the strongest link in your organization, and work to stay one step ahead of the bad actors.

Cybersecurity in Healthcare and You

How much would you spend to get your life back? What about those of your patients? These are questions that many healthcare providers must ask themselves at one point or another. The healthcare sector has become one of the most popular among hackers and cyber criminals because medical identity theft is an incredibly lucrative business. Millions of patient medical records were exposed in 2016, and that number is projected to rise this year. In an industry moving towards value-based payment models, quality care must now include protecting patient health information using safe record-keeping practices.

Cybersecurity in Healthcare is Different for Every Organization

Healthcare data security is by no means "one size fits all." A small, rural practice will invest differently than a large, metropolitan hospital. Based on your business and your particular needs, you should identify what data is most important to protect, then plan your safety measures accordingly. Perhaps you'll realize that technology isn't what's needed, but people and processes instead.


We're Our Own Worst Enemy

According to a recent study by the Information Systems Security Association (ISSA) and Enterprise Strategy Group (ESG), users rather than technology issues are the top causes of risk to cybersecurity in healthcare because many employees forget to follow basic cyber safety rules. It happens because of a wide range of reasons: lack of training and/or cybersecurity personnel, or simply that policies aren't truly enforced by the organization. Following your safeguards plays an important role in forming a trusting relationship between provider and patient. It's not just a collection of data you're protecting, it's someone's life. Let's discuss a few tips to get your organization's record-keeping practices on the right track. 

Establish a Security Culture

There's a major human blind spot with respect to information security: overconfidence. The "it will never happen to me" mindset. No matter the level of education or experience, the weakest link in any computer system is almost always the user. So, what can be done to ensure an organization-wide security culture?
  • Frequent education and training - Ongoing mitigation steps allowing for discipline, documentation and compliance.
  • Avoid exceptionalism - You shouldn't have a get-out-of-jail-free card as an executive. Those who manage and advise should set an example and take every precaution needed - the same as everyone else - to safeguard sensitive information. 
  • Information security as a core value - It should without a doubt take a seat at the table of core values within your organization. When staff embraces accountability and willingness to take responsibility over information security, you know you truly have a shared vision.

Change STRONG Passwords on a Regular Basis

Passwords are your first line of defense when preventing hacks into any computer. No matter what type of operating system, it should require a password to log in. A strong password may not be able to completely deter a hacker, but it will definitely slow down their progress. Don't choose passwords that:
  • Are found in a dictionary
  • Match your username
  • Include personal information - Your name, birthday, family member names, pet names, etc.
  • Refer to anything on your social media pages - Anything found on your social pages like Facebook and Twitter should never be used as a password, whether your profiles are private or not. Anything you post on social media CAN be found and potentially used against you.

What does a strong password look like?
  • At least eight characters in length. The longer, the better!
  • A combination of upper AND lowercase letters, numbers, and at least one special character, like a punctuation mark.

Maintain Good Habits

Similar to eating fruits and vegetables or walking up the stairs instead of using the escalator in an effort to be healthier, a little goes a long way in a system maintenance regimen. It's necessary to maintain the health of your systems and reduce the risk of breach.
  • Uninstall software applications that aren't essential to running your practice - games, messaging applications, photo-sharing, etc.
  • Don't simply accept default options when installing software on your device.
  • Read through your options and understand the choices thoroughly before accepting.
  • Disable file sharing and printing for remote staff. Leaving them enabled could result in accidental sharing of information to unauthorized locations.

Plan For the Unexpected: Use Firewalls and Anti-virus

Unless your practice is completely disconnected from the Internet, you should always use a firewall and anti-virus software to protect against malicious intrusions. The firewall inspects all messages coming in from the outside and decides whether or not each message should be allowed in based on pre-determined criteria. Anti-virus stops malicious software that has already gotten past your safety measures and entered the system.

Control Access to PHI - Both Virtually and Physically

Never forget that the devices that hold sensitive information should also be secured from unauthorized access. Believe it or not, the most common way that electronic health information is compromised is not through virtual attacks, but through the loss of the physical device itself, whether by accident or theft. Thumb and flash drives, CDs, DVDs, laptops, handhelds, desktops, hard drives, backup tapes, and even entire network servers can be physically removed and compromised. Securing these devices in locked rooms only accessible to limited staff members, managing physical keys, and restricting staff from moving devices from a secure area is a great start.

In an industry that's shifting towards value-based care and payment models, true quality care cannot be accomplished without also taking the security of your patients' health information into consideration. Protecting patients through data security practice should become second nature to your entire staff and executive team. Once it becomes one of your organization's core values and you begin to anticipate the worst, you will truly create a long-lasting environment of cybersecurity in healthcare benefiting the health and safety of your patients and your business.

Better Data, Better Decisions. Improving Healthcare with Business Intelligence

There’s a ridiculous amount of data flowing through medical practices and billing companies every single day. EMR/EHR data, billing data, cost data, patient data… It’s enough to make your head spin. With the push to value-based care, every health organization is finding the need to transform that data into something that will improve outcomes – from both a patient and organizational level. It’s not just about capturing and managing data anymore, it’s about interpretation. How can you transform data – from management to analysis – into insightful information that will drive process improvement initiatives?


Business Analytics in Healthcare

Because of the heightened demand for value and transparency, one tool many organizations are beginning to embrace is healthcare analytics, particularly through business and clinical intelligence software. When you give analysts the means to capture and analyze data, you empower them to transform your practice into one with a data-driven, value-based culture. You initiate a chain reaction: Empowering the users, making better decisions as a provider, and improving both business operations and patient outcomes.

A little background knowledge is required to fully understand the power of this tool. All data must go through a particular set of stages before an analyst can achieve meaningful analytics:

1. Data capture – It all begins with the way people and devices produce and capture data, which must be done efficiently (is the data collected in a timely manner?) and accurately (is the data relevant to the analytical needs of the organization?).

2. Data acquisition – Analysts must collect data from multiple sources throughout the organization to produce meaningful insights. Let’s use the example of an analyst assisting a radiology practice with a quality improvement issue. The analyst will pull information from a number of sources including:
  • RIS – For radiologist interpretations
  • PACS – All picture archives
  • EMR – For clinical notes
  • Clinical Decision Support Systems
As a manual process, it's nearly impossible to pull data into a single location and format while ensuring that all data points are speaking to each other (that they’re linked by a common identifier, either patient or provider) without creating errors. As a result, analysts may spend more time collecting data than transforming it into meaningful analytics. That’s where business intelligence comes in. Tools like ImagineIntelligence™ allow users to integrate multiple data sources right into the software and under one platform.

3. Data analysis – Once the data is captured and tied together, the analysis process can finally begin. Three important steps in data analysis include:
  • Evaluation – If analysts don’t understand the data they’ve collected, they can’t effectively communicate their findings to their audience (executives, staff, etc.). Analysts should take the time to explore the oddities and trends that could be essential to understanding process improvement or care coordination. If you don’t understand the data, how can you effectively solve problems with it?
  • Interpretation – How will you interpret this information in such a way that all levels of the organization will understand?
  • Presentation – The analyst should tell a story with the data presented. Tying into the interpretation step – how will you organize and present the information in a way that’s engaging and identifies the problem you're solving for?

Benefits of Business Intelligence in Healthcare

1. Reduce hospital readmissions – Business Intelligence tools allow you to compare patients who did not need readmission against those who did. Things like age, gender, ethnicity, and follow-up care are all factors taken into consideration by the software. Once the data is collected and organized, you can identify patterns of readmission. Perhaps those patients come from lower socioeconomic groups or live alone.

2. Financial performance improvement – Imagine having the power to track exactly how much your practice is reimbursed for services over time, coupled with the ability to improve that level of reimbursement within the same interoperable software. Business Intelligence systems that integrate with practice and revenue cycle management software and automatically extract and analyze data housed in the platform allow you to predict future trends based on factors like revenue and billing costs.

3. Improve and develop treatment programs – This falls under both care and process improvement. When more information on health and disease is readily available, that insight will allow treatment programs to be adjusted more quickly, as well as earlier identification of appropriate treatment. Those benefits trickle down: increased improvement on preventative treatment programs can reduce total cost of care, prevent medical episodes, and increase patient satisfaction.

4. Define major KPIs – Consistent and repeated use of analytics allows you to identify the areas most significant to your business goals. Whether you’re aiming to increase collections, improve readmission rate, or reduce total days in A/R, business intelligence enables you to monitor fluctuations and major changes in your key performance indicators and distinguish areas for improvement.

Utilizing analytics allows you to discover insights that can drive care, process improvement initiatives, and financial stability of your organization. The reality of business intelligence in healthcare is that we’re just beginning to scratch the surface of its capabilities and the possibility behind data-driven, organization-wide improvement. Business analytics in healthcare is an enormously positive step to understanding and improving all facets of your practice.

Creating Intentional Excellence with Core Values

Remember the Golden Rule? Do unto others as you would have them do unto you? I’m sure that most of us would agree that this should also be a rule we follow in business. Use common sense, differentiate between right and wrong, and treat others fairly and with dignity. Sounds simple, right? The truth, in this writer’s opinion, is it should be. However, if it is so simple, then why does every major association, board of directors, company and more have a written statement of core values or code of ethics?

Core values set forth corporate values and ethical principles and offer ethical guidelines to which your staff aspire and by which their actions can be judged, and as such should include the following:

Guidelines:  Your organization’s statement should be a guideline that defines the persona of the business or organization.  Think of this as a value proposition that defines how you want to be and be seen in the eyes of your clients, partners, and even your competitors.  Make it a firm foundation where you can stand and make solid business decisions.

Direction:  Develop ethical practices and behaviors.  Your values statement should be used as the direction for your team, and will guide them in making decisions that are beneficial to the organization as well as the individual.  It should serve as a roadmap to making the right decision in sometimes difficult situations.  By providing your team with values and ethics, you will create and foster an environment where employees can feel confident about how to handle, or get direction on how to handle an ethical issue before it becomes something much worse.

Measurability:  Create a defined set of standards by which you can measure the success of your initiatives and your reputation.   As with all business initiatives, the ethical operation of a company is directly related to profitability in both the short and long term.  The reputation of that company serves as a litmus test for potential partners, vendors and shareholders.  It is imperative that you have something in place to define and measure these metrics. At Imagine every employee is measured each quarter on our core values – we live and breathe our values.

Transparency and Accountability:  Accountability is fundamental to performance improvement.  It is the main conduit of the relationship of every member within the organization.  It will determine how we measure and report progress, success and shortcomings.  Transparency on the other hand needs to be in place to show what you do and be held accountable.  In the past this was assumed to mean just owning up to a mistake.  Setting up guidelines for transparency will assure that you can engage and inform not only within the organization, but outside as well.  Following those guidelines will ensure that you will have solid ground to stand on should someone in your industry do something unethical.  The ability to execute and deliver results day in and day out is directly tied to accountability and transparency.  “A lack of transparency results in distrust and a deep sense of insecurity.”  - Dalai Lama

These ideals lend themselves to success within an organization, and when properly created, addressed, and followed will allow for a set of rules that define the excellence of your team.  When an organization behaves ethically it can provide for significant benefits, such as:

  • Increased visibility in the marketplace
  • A favorable view from potential clients, vendors and partners
  • Provide attention to the products which will boost sales and profitability
  • Creates loyalty amongst the team, reducing attrition and strengthening workplace interaction
  • Attract the best and brightest in the workplace which will reduce the costs associated with acquisition of talent

Recently, the Chairman of our Board of Directors at ImagineSoftware, Michael J. Hershman, was named as one of the top 10 most ethical CEOs of 2015 by MBA*.  Michael is considered one of the top leaders in the area of corporate transparency and accountability.  He has advised various countries' governments on matters of ethics, and in 2011 he was brought in to help monitor the FIFA World Cup selection committee.  We are honored to have Michael as a part of our team.  He is a constant reminder to us that in business, just as much as in our lives, we always need to be above reproach and be our best selves.

In conclusion, how about creating Core Values for your organization?

In order to maintain your standards, to protect your good reputation, and to foster trust with those you do business with, you must go about your activities with purpose and drive to do what is right, not what might be easy.  It must be focused, deliberate, and it must be intentional; or as we put it here at ImagineSoftware, “Intentional Excellence!”

