Thursday, October 13, 2016

Ransomware in Hospitals: What Providers Face When Attacked

Healthcare providers are discovering that they are a soft target for cybercriminals. Ransomware that is implemented correctly uses strong encryption, so victims have no realistic way to recover the attacker's keys on their own. The FBI has even been quoted advising ransomware victims to simply pay.

In the July/August issue of The Journal of Medical Practice Management, Bruno Kelpsas and Adam Nelson authored an article, “Ransomware in Hospitals: What Providers Will Inevitably Face When Attacked,” describing the following scenario:

One Friday, Sally, a member of a local hospital’s finance team, receives an overdue billing statement from a vendor's email address. Being the end of the month, she considers this email a routine part of billing and reporting. Sally opens the email, as well as the attached contract in Word format. Suddenly, Sally’s monitor turns to a red screen, beginning with the word CryptoLocker.

Sally froze. She had heard about cyber threats in training, but in her trusted vendor's billing statement? Who would be as sophisticated as that? Sally immediately picked up the phone and called the IT department.

Too late.
Sally has just experienced a ransomware infection – in this case the family the article refers to as CryptoWall (CW). Over the following hours Sally, IT, hospital executives, nurses, doctors, and patients will discover that valuable database files have been encrypted. Because hospital operations and the Emergency Department are affected, patients are moved to another physical facility for care. Without clean, offline backups to restore from, the only way the hospital can typically regain access to its information is to pay the attacker the demanded fee in Bitcoin.
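The delivery vector in this scenario, a Word attachment from what looks like a trusted vendor, is something a mail gateway or endpoint can test before anyone opens the file. The following script is an added example, not code from the journal article or this post. It classifies an attachment by whether it can carry VBA macros, on these assumptions: OOXML files (.docx, .docm, .xlsm and similar) are ZIP containers whose macro code, when present, is stored in a member named vbaProject.bin and declared with a "macroEnabled" content type; legacy binary Office files (.doc, .xls) are OLE2 compound files with a fixed 8-byte signature and cannot be cleared without a full OLE parser, so they are flagged rather than trusted. The sample attachments are constructed inside the script, and the function and constant names are the example's own.

```python
"""Flag e-mail attachments that can carry VBA macros.

Added example; not code from the journal article or this blog. Assumptions
(labelled here): OOXML files such as .docx/.docm/.xlsm are ZIP containers
whose macro code, when present, lives in a member named vbaProject.bin and
is declared with a "macroEnabled" main content type; legacy binary Office
files (.doc/.xls) are OLE2 compound files that start with the 8-byte
signature below.
"""
import io
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # legacy .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML .docx/.docm/...
MACRO_MARKER = b"macroEnabled"                   # appears in [Content_Types].xml
MACRO_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xlam", ".pptm")


def classify_attachment(filename, data):
    """Return (verdict, reasons) for raw attachment bytes.

    verdict is one of:
      'macro'      OOXML container with a VBA project: quarantine it
      'legacy-ole' binary Office file; macros cannot be ruled out here
      'ooxml'      OOXML container with no VBA project found
      'other'      not an Office container at all
    """
    if data.startswith(OLE2_MAGIC):
        return "legacy-ole", ["OLE2 signature; may hold a Macros storage"]
    if not data.startswith(ZIP_MAGIC):
        return "other", ["no Office container signature"]
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "other", ["ZIP without OOXML content types"]
            content_types = zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        return "other", ["ZIP signature but container is corrupt"]

    reasons = []
    if any(n.lower().endswith("vbaproject.bin") for n in names):
        reasons.append("vbaProject.bin part present")
    if MACRO_MARKER in content_types:
        reasons.append("macroEnabled content type declared")
    if reasons:
        # Record a content/extension mismatch: the verdict comes from the
        # bytes, never from the name the sender chose.
        if not filename.lower().endswith(MACRO_EXTENSIONS):
            ext = filename.rsplit(".", 1)[-1]
            reasons.append("extension %r does not advertise macros" % ext)
        return "macro", reasons
    return "ooxml", ["no VBA project found"]


def build_sample(with_macro):
    """Constructed sample: a minimal Word OOXML container, optionally with a VBA part."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro else
                 "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    overrides = '<Override PartName="/word/document.xml" ContentType="%s"/>' % main_type
    if with_macro:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>' + overrides + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x01\x00" * 8)  # placeholder, not real VBA
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("Contract.docm", build_sample(True)),      # the attachment in the scenario
        ("Contract.docx", build_sample(True)),      # same content, renamed
        ("Statement.docx", build_sample(False)),
        ("Statement.doc", OLE2_MAGIC + b"\x00" * 24),
        ("Statement.pdf", b"%PDF-1.4\n"),
    ]
    for name, blob in samples:
        verdict, why = classify_attachment(name, blob)
        print("%-15s %-10s %s" % (name, verdict, "; ".join(why)))
```

A "macro" or "legacy-ole" verdict is a reason to hold the message for review; an "ooxml" verdict only means no VBA project was found, not that the document is safe, since exploits and embedded objects travel in macro-free files too.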

Currently, the healthcare industry responds to compromises reactively, much as the financial services industry simply replaces consumers’ credit cards after a retail breach such as the recent attacks on Target and Home Depot. This mindset rests on a lack of enforcement, the absence of meaningful penalties, and a culture that treats breaches as a cost to be absorbed rather than prevented. Because of this attitude of acceptance, patients are consistently at risk of having their personally identifiable information compromised. To reset how healthcare organizations think about cybersecurity, protective measures must be taken before an attack, not after it. Otherwise, breaches are likely to continue until stricter enforcement and penalties are put in place for healthcare companies and their stakeholders.

All organizations need a proactive and comprehensive cybersecurity plan. However, although many operations have the “right” plan and the necessary hardware, software, and processes in place, the reality is that many do not have the time and resources to execute their response plan and fulfill the documentation requirements of HIPAA, the SEC, and state regulations while also ensuring business continuity. Therefore, to get started, healthcare organizations must focus on the four pillars of security:
  • Governance risk and compliance; 
  • Security monitoring and management; 
  • Threat intelligence; and 
  • Incident response. 
Furthermore, organizations must layer their efforts from basic responsiveness to advanced responsiveness, and finally, become preemptive.

Once the strategy is developed and implemented, companies must conduct an internal review and decide how their teams will align with internal security: outsource security entirely, own part of it, or build the capability to close the gaps in house. Ensure there is balance between managing the unexpected and the resources currently available.

The healthcare industry is widely reported to be the industry most targeted by attackers. It is imperative for organizations to reevaluate the way they approach cybersecurity, rather than resting on their laurels in what is currently seen as the “new normal” security mindset.

The Journal of Medical Practice Management

Thursday, April 7, 2016

Doctors Should Google Themselves

A physician's online reputation is important because more and more patients are going online to research their doctors. They go to search engines like Google and search for their doctors' names. For example, if you google Dr. Kevin Pho (author of the leading book on this subject), his blog comes up, but so do his social media profiles on Facebook, Twitter and LinkedIn. Many doctors are apprehensive about making their names visible online, but when their names are Googled, pages from physician ratings sites can show up, and they may not like what they see. In today's transparent era, where patients can go online and research their doctor, it is important for physicians to manage their online reputation. An online reputation may be a patient's first impression of a doctor, and it is just as important as the doctor's reputation in the community. Make it a good one.

Want in-depth advice? Check the number one book on physician reputation management, "Establishing, Managing and Protecting Your Online Reputation: A Social Media Guide for Physicians and Medical Practices".

Tuesday, April 5, 2016

Impaired Physicians —Tough Decisions for Administrators

Like most major crises, handling physician impairment will resemble a runaway train if you don’t put policies into place before a problem arises. You and your physician partners will be miles ahead if you’ll take the time now to draft an impaired-physician policy and design procedures for dealing with the different causes and manifestations of physician impairment.

Hammering out such policies is not for the faint of heart, however. In fact, you will improve your chances of coming up with fair and workable policies if you bring legal counsel to the table. Just make sure that you find an attorney who has dealt with these specific issues before. Defining “impairment” requires a lot of thought, and familiarity with definitions such as the one outlined in the AMA’s policies.

For another useful resource, contact your hospital’s administration and get a copy of its policies regarding physician impairment and discipline. It can provide a starting place for crafting your own documents.

Along with the procedures, assign specific roles for the administrator and for the practice’s leading physicians. You don’t want to decide who will take on which responsibilities in the middle of a crisis.

Plan on spending some time and having some spirited conversations about controversial issues. But in the end, bring your final draft to a vote, and get a signed statement from each physician in the practice that he or she has read and will abide by the policies. Then hope that you will never have to invoke the rules in your practice.

According to the AMA, an impaired physician is a doctor “unable to practice medicine with reasonable skill and safety to patients because of physical or mental illness, including deterioration through the aging process or loss of motor skill, or excessive use or abuse of drugs including alcohol.”

An administrator finds himself or herself in a unique position as a steward of healthcare services. To handle physician impairment effectively, he or she must consider more than the classic definition of impairment offered by the AMA. The administrator must see that:
  • Impairment causes can be broader than even the general terms (psychiatric/physical disorders, alcoholism, or drug dependence) specified by the AMA definition; and
  • An impaired physician can cause damage to individuals far beyond the patient. Colleagues, employees, and the healthcare community at large suffer injury at the public exposure of an impaired physician as well.

Administrators who observe behavior leading them to suspect physician impairment will have to proceed with considerable care. What to do depends on factors such as:
  • The suspect physician’s position in the organization. Is he or she an owner? A senior member or leader? An employee?
  • Whether the organization has a written policy about physician impairment.

Having decided to proceed, an administrator then can take these steps:
  • Approach physician leadership—that is, talk to a doctor who wields significant influence within the group, whether a formal or “traditional” leader.
  • Seek outside counsel—you can attempt to seek help anonymously from the state medical society or approach the group’s usual legal counsel to seek advice on how to proceed.
  • Approach the offending physician—if you feel empowered to pursue this course, make sure you arrive at the meeting well-armed with examples and evidence to support your suspicions.
  • Approach the offending physician’s family—in some (rather unique) circumstances, it may make sense to talk to the doctor’s family about your concerns.

The worst course of action, naturally, would be to do nothing. But an administrator must understand the risks involved in addressing physician impairment—it can cost you your job.

A group practice leader’s wisdom and skill face some of their toughest challenges when a member physician shows signs of impairment. The challenges multiply for the “lay” administrator in a physician-owned practice. First, the administrator finds himself or herself in the difficult position of calling an employer to accountability. Second, the medical community has a long tradition that assigns near-absolute authority to physicians—an authority that non-physicians aren’t supposed to challenge.

If you enjoy reading the blog entries in "Solving Problems in the Medical Practice" you may want to check out all the great products at Greenbranch Publishing.

Monday, March 14, 2016

Pay Attention to Patient Flow in Your Medical Practice

Avoid Patient Bottlenecks in the Medical Practice
“In an ideal world,” says practice management expert Judy Capko, “the patient-flow process should be predictable.” But that will never happen until the physicians and managers step back and honestly analyze problems that interfere— and come up with workable solutions. Taking the time to look closely at patient flow will pay off for the practice via more predictable days, managers and physicians who have a better handle on the day, and patients who are pleased with the care and service they get from the practice.

But to address the impediments that sabotage your patient flow, you must first identify the bottlenecks caused by human, technical, and design flaws existing in your practice.

Typical bottlenecks include:
  • Multiple appointments occupying a single provider time slot (double- and triple-booking);
  • Patient no-shows and late arrivals;
  • Providers arriving late;
  • Providers taking an inordinate amount of time with patients;
  • Emergencies and urgent walk-ins;
  • Duplicated processes (such as registration/check-in procedures);
  • Efficient and consistent internal systems and processes ignored (or not implemented in the first place);
  • Lost or incomplete paperwork or electronic documentation; and
  • Confusing, inefficient office layout.
Often, physicians and managers feel helpless because they’ve bought in to the idea that improved patient flow can’t be accomplished without a very expensive construction or remodeling project. But there are dozens of ways to improve efficiency without spending a lot of money. It takes some creative—even “out-of-the-box”—thinking, but sometimes simple solutions have a big impact. For example, if patient-prep is taking a long time because nursing assistants are waiting in line at the “vitals” station, buy more equipment and take the pressure off.

In the end, recognize that the “ideal” visit keeps patients moving through the system, but does not leave them feeling so rushed as not to have time to ask questions and understand instructions. It will require education and staff buy-in to change your culture to seek efficiency in all processes.

If you enjoy reading the blog entries in "Solving Problems in the Medical Practice" you may want to check out all the great products at Greenbranch Publishing.

Friday, October 30, 2015

The Legal Audit: A 10 Step Checklist for Your Healthcare Practice


Medical practices are always preaching preventive medicine to their patients. They would be well advised to practice their own legal preventive medicine through an internal audit of the legal issues involving the practice. Dealing with these issues now rather than when a problem arises will save time, money and stress. According to attorney Charles E. Rosolio, P.A., the following is a good checklist that all medical practices should follow when conducting an internal legal audit:
  1. Employment agreements. It is always good to examine all employment contracts to make sure that they are up to date, have not expired or are not outdated by actual practice and implementation. Confirm that there is consistency throughout the practice on all aspects of the terms and conditions of employment.
  2. Contracts with health care providers. Check to see that the practice is in compliance, that the other contracting party is in compliance and all terms and conditions are being met. Pay particular attention to the renewals and termination scenarios to avoid unintended results. 
  3. Compliance with healthcare regulations (HIPAA, Stark, fraud and abuse). With the ever-changing landscape of healthcare regulations, examine all current arrangements to ensure continued compliance. Examine written contracts and also review implementation to ensure that actual practice is consistent with current regulations.
  4. Policy manuals and employment manuals. Ensure that such manuals are up to date and consistent with actual practice as well as current law. This is an evolving process, and an inconsistent or out-of-date manual can spell trouble later. This includes social media policies, a key element of any policy or employment manual.
  5. Reporting requirements for lenders and financial institutions. Examine the reporting requirements in any loan documents to lenders to make sure that the practice is in compliance and has provided all that is required under loan or line of credit agreements with such institutions. 
  6. Corporate documents up to date. Make sure that the governing documents of the practice are up to date. If the practice is a professional corporation or some other type of entity that requires the preparation of minutes on at least an annual basis, attend to these requirements. Work with the practice’s tax advisors to ensure that whatever needs to be reflected for purposes of tax compliance has been addressed.
  7. Contracts with service providers. Review these on a regular basis. Many times, they will have termination requirements and automatic renewals that should not be ignored. Better terms can sometimes be obtained with a long-standing vendor.
  8. Insurance issues, particularly with malpractice carriers. Coverage and compliance requirements should be examined on a regular basis to make sure that the practice is adequately covered.
  9. Review of significant contracts. If there are any other significant contracts not outlined above, they should be reviewed for the same issues as discussed.
  10. Polling for potential claims among group members. Check with the practice physicians to see if there are any potential claims that may be present or percolating so that they may be addressed early and properly. 
Do not hesitate to involve your legal professionals in an internal audit. They can identify issues that may not be identified by a non-lawyer and can offer advice before the issue becomes a real problem.

For more information or guidance, contact:
Charles E. Rosolio
1 Olympic Place, Suite 900 | Towson, MD 21204
Office: 410.576.8912 | Mobile: 410.949.6666
Fax: 410.576.8999

Wednesday, October 14, 2015

There’s Still Time to Succeed at PQRS - Here’s How

According to Joy Rios, MBA, CHTS-PW, “The year is closing in on us and the countdown to MU and PQRS submission season has begun.”

You may think that the game is over, but there’s still time to make a big impact in your quality score even if you thought it was too late.

At this stage of the game, if you haven’t started PQRS, let’s talk about your best options.

Since the deadline to report as a group passed at the end of June, eligible providers - even if practicing as part of a group - will need to report as individuals.

The two options left to report as an individual are either through your EHR or through a Registry.

Option 1: EHR Reporting

It is important to understand the measures for which your EHR can capture data and whether or not the measures align with your specialty.

Question: In your EHR, when you run the PQRS report, how many measures have a denominator and of those measures, which ones have a numerator greater than zero?

Answer 1: If the answer is 9 or more and the measures align with your specialty, you will likely be able to use the EHR-Direct method to report.

To do so, confirm that your EHR vendor can generate a QRDA I or QRDA III file that passes the validation test to be submitted to QualityNet.

Then make sure you have the right user roles set up to be able to submit that QRDA file — they will most likely be the Security Official and the PQRS Submitter roles.

Answer 2: If you run the PQRS report and you show results for fewer than 9 measures AND/OR if your numerators are particularly low for the measures for which you are capturing data, you may want to consider reporting through a Registry.

Option 2: Registry Reporting

Although you can report 9 individual measures (covering at least 3 NQS domains) through a Registry, you would need to submit data for at least 50% of your Medicare patients from January 1 - December 31, 2015. If you have not been collecting data, this method is too difficult to chase.

However, there is a more attainable Registry-based reporting method — via a Measures Group.
The beauty of the Measures Group method is you only need to collect data on a minimum of 20 patients, 11 of whom must be on Medicare. This is a task that can be completed by the end of the year.

CMS has defined 22 groups of measures (aka Measures Groups) to choose from this year. Each group revolves around a particular topic (e.g., Oncology Care, Diabetes, IBD). However, if none of those match your patient population, I implore you to consider the Preventive Care group.

This group is designed to collect data on patients aged 50 years and older with a specific patient encounter code (e.g., 99201 - 99205, 99212 - 99215).

You’ll need to collect data on a total of 10 measures that are geared toward preventive care. For example, you’ll ask the patient if they’ve had a flu shot this year or whether they have had their Pneumonia vaccine - that’s two. You’ll ask it for eight more measures.

Then you’ll fill out a Data Collection Worksheet for each of the 20 patients. Don’t worry, this document is provided by the Registry. Once data has been collected on enough patients, you’ll transfer that information to an Excel document and upload it to the Registry.

The Registry will then submit the data on your behalf to CMS.

And that’s it - you’re done.

Where can you sign up with a Registry? Well, Joy’s personal favorite is - it will cost about $300 per provider and is worth every penny.

The clock is ticking and if you have done nothing for PQRS up until now, this would be your best option to avoid up to 6% in penalties.

For more information on how to successfully participate in PQRS this year, check out my book, ABCs of PQRS: Your 2015 Guide to Successfully Participating in the Physician Quality Reporting System, or order at (800) 933-3711. Also now available on Kindle.

Thursday, September 3, 2015

Don't Let Loan Debt Drag Down Your Practice

Even after you allow for a banker’s vested interest in writing capital loans, many physician-owned practices—especially those with only one or two partners or shareholders—find themselves sliding down the slippery slope of debt financing. Most business owners, including doctors, would never advise friends or family members to live off their credit cards! But when debt threatens to overwhelm their practices, that’s essentially what they’ve done in their businesses.

Unless you can print your own money, a high-debt strategy is untenable for the long term. (That’s how the Fed manages to stay afloat in a sea of red ink.) If your practice has more than six or eight significant loan/lease arrangements, consider that a potential red flag and possibly a signal to talk to your banker about consolidation.

However, the big trouble with consolidation loans is this: Once a practice has lowered its monthly debt payments, it can become tempting to activate new lines of credit. In the end, it’s in worse shape than it was before signing the consolidation note. Since the “profit margin” in a private practice refers primarily to the owners’ compensation, a practice that uses credit lines to pay doctor salaries is following a no-win strategy: Questionable at best—downright foolish at worst.

Physicians often throw money away every month by not properly managing their loans and leases. They lose control incrementally—taking out a loan here, an equipment lease there, and a business line of credit—and eventually find themselves “treading water” financially. Equipment leases have become very common. They often have hefty prepayment penalties written in, so even physicians earning a good return on the equipment investment wind up paying every penny of interest demanded by the contract. A capitalization loan usually rewards the debtor for early pay-off.

Physicians might want to consider loan consolidation, capital financing instead of leases, and real estate investment rather than facility rental. That last bit of advice can serve as an integral part of a good exit strategy. Real property increases the practice’s overall value when it comes time to sell.

When looking for help with financing, medical practices should seek out banks with departments specializing in healthcare providers’ unique needs.