Thursday, October 13, 2016

Ransomware in Hospitals: What Providers Face When Attacked

Healthcare providers are now discovering they are a soft target for highly sophisticated cybercriminals. It is nearly impossible for ransomware victims to crack a hacker’s crypto keys. The FBI is even on record advising ransomware victims to just pay.

In the July/August issue of The Journal of Medical Practice Management, Bruno Kelpsas and Adam Nelson authored an article, “Ransomware in Hospitals: What Providers Will Inevitably Face When Attacked,” that describes the following scenario:

One Friday, Sally, a member of a local hospital’s finance team, receives an overdue billing statement from a vendor's email address. Being the end of the month, she considers this email a routine part of billing and reporting. Sally opens the email, as well as the attached contract in Word format. Suddenly, Sally’s monitor turns to a red screen, beginning with the word CryptoLocker.

Sally froze. She had heard about cyber threats in training, but in her trusted vendor's billing statement? Who would be as sophisticated as that? Sally immediately picked up the phone and called the IT department.

Too late.
Sally just experienced a highly advanced cybersecurity breach known as ransomware – this one specifically referred to as CryptoWall (CW). In the following moments Sally, IT, hospital executives, nurses, doctors, and patients will discover valuable database files have been locked. Being a threat to hospital operations and the Emergency Department, patients are moved to another physical facility for care. Typically, the only way for the hospital to regain access to its information is to pay the hacking agent a requested fee using Bitcoin.

Currently, the healthcare industry is responding to compromises on a reactive basis, much like the way in which the financial services industry simply replaces consumers’ credit cards after a retail breach, such as the recent attacks on Target and Home Depot. This security mindset is predicated on a lack of enforcement, the absence of appropriate penalties, and a culture of risk mitigation. Due to this attitude of acceptance, patients are consistently at risk of having their personally identifiable information compromised. To reset how healthcare organizations think about cybersecurity, measures must be taken proactively to protect businesses against impending attacks. Otherwise, breaches are likely to continue until stricter enforcements and penalties are put in place for healthcare companies and stakeholders.

All organizations need a proactive and comprehensive cybersecurity plan. However, although many operations have the “right” plan and necessary hardware, software, and processes in place, the reality is that many do not have the time and resources to implement their response plan and fulfill the necessary documentation requirements for HIPAA, the SEC, and State regulations, in addition to ensuring business continuity. Therefore, to get started, healthcare organizations must focus on the four pillars of security:
  • Governance, risk and compliance;
  • Security monitoring and management; 
  • Threat intelligence; and 
  • Incident response. 
Furthermore, organizations must layer their efforts from basic responsiveness to advanced responsiveness, and finally, become preemptive.

Once the strategy is developed and implemented, companies must conduct an internal review and gauge where teams will align with internal security: Be out of the security business, own some of it, or close the gaps. Ensure there is balance between managing the unexpected and current resources.

The healthcare industry is the #1 industry targeted by attackers. It is imperative for organizations to reevaluate the way they approach cybersecurity, rather than resting on their laurels in what is currently seen as the “new normal” security mindset.

The Journal of Medical Practice Management

Thursday, April 7, 2016

Doctors Should Google Themselves

A physician's online reputation is important because more and more patients are going online to research their doctors. They’re going to search engines like Google and Googling their doctors' names. For example, if you google Dr. Kevin Pho (author of the leading book on this subject), his blog comes up, but so do his social media platforms such as Facebook, Twitter and LinkedIn. Many doctors are apprehensive about making their names visible online, but when their names are Googled, pages from physician ratings sites can show up and they may not like what they see. In today's transparent era where patients can go online and research their doctor, it's important for physicians to manage their online reputation. An online reputation could be the patient's first impression of a doctor, and online reputation is just as important as their reputation in the community. Make it a good one.

Want in-depth advice? Check out the number one book on physician reputation management, "Establishing, Managing and Protecting Your Online Reputation: A Social Media Guide for Physicians and Medical Practices".

Tuesday, April 5, 2016

Impaired Physicians — Tough Decisions for Administrators

Like most major crises, handling physician impairment will resemble a runaway train if you don’t put policies into place before a problem arises. You and your physician partners will be miles ahead if you’ll take the time now to draft an impaired-physician policy and design procedures for dealing with the different causes and manifestations of physician impairment.

Hammering out such policies is not for the faint of heart, however. In fact, you will improve your chances for coming up with fair and workable policies if you bring legal counsel to the table. Just make sure that you find an attorney who has dealt with these specific issues before. Defining “impairment” requires a lot of thought—and familiarity with definitions such as that outlined in the AMA’s policies.

For another useful resource, contact your hospital’s administration and get a copy of its policies regarding physician impairment and discipline. It can provide a starting place for crafting your own documents.

Along with the procedures, assign specific roles for the administrator and for the practice’s leading physicians. You don’t want to decide who will take on which responsibilities in the middle of a crisis.

Plan on spending some time and having some spirited conversations about controversial issues. But in the end, bring your final draft to a vote, and get a signed statement from each physician in the practice that he or she has read and will abide by the policies. Then hope that you will never have to invoke the rules in your practice.

According to the AMA, an impaired physician is a doctor “unable to practice medicine with reasonable skill and safety to patients because of physical or mental illness, including deterioration through the aging process or loss of motor skill, or excessive use or abuse of drugs including alcohol.”

An administrator finds himself or herself in a unique position as a steward of healthcare services. To handle physician impairment effectively, he or she must consider more than the classic definition of impairment offered by the AMA. The administrator must see that:
  • Impairment causes can be broader than even the general terms (psychiatric/physical disorders, alcoholism, or drug dependence) specified by the AMA definition; and
  • An impaired physician can cause damage to individuals far beyond the patient. Colleagues, employees, and the healthcare community at large suffer injury at the public exposure of an impaired physician as well.

Administrators who observe behavior leading them to suspect physician impairment will have to proceed with considerable care. What to do depends on factors such as:
  • The suspect physician’s position in the organization. Is he or she an owner? A senior member or leader? An employee?
  • Does the organization have a written policy about physician impairment?

Having decided to proceed, an administrator then can take these steps:
  • Approach physician leadership—that is, talk to a doctor who wields significant influence within the group, whether a formal or “traditional” leader.
  • Seek outside counsel—you can attempt to seek help anonymously from the state medical society or approach the group’s usual legal counsel to seek advice on how to proceed.
  • Approach the offending physician—if you feel empowered to pursue this course, make sure you arrive at the meeting well-armed with examples and evidence to support your suspicions.
  • Approach the offending physician’s family—in some (rather unique) circumstances, it may make sense to talk to the doctor’s family about your concerns.
The worst course of action, naturally, would be to do nothing. But an administrator must understand the risks involved in addressing physician impairment—it can cost you your job.

A group practice leader’s wisdom and skill face some of their toughest challenges when a member physician shows signs of impairment. The challenges multiply for the “lay” administrator in a physician-owned practice. First, the administrator finds himself or herself in the difficult position of calling an employer to accountability. Second, the medical community has a long tradition that assigns near-absolute authority to physicians—an authority that non-physicians aren’t supposed to challenge.

If you enjoy reading the blog entries in "Solving Problems in the Medical Practice" you may want to check out all the great products at Greenbranch Publishing.

Monday, March 14, 2016

Pay Attention to Patient Flow in Your Medical Practice

“In an ideal world,” says practice management expert Judy Capko, “the patient-flow process should be predictable.” But that will never happen until the physicians and managers step back and honestly analyze problems that interfere—and come up with workable solutions. Taking the time to look closely at patient flow will pay off for the practice via more predictable days, managers and physicians who have a better handle on the day, and patients who are pleased with the care and service they get from the practice.

But to address the impediments that sabotage your patient flow, you must first identify the bottlenecks caused by human, technical, and design flaws existing in your practice.

Typical bottlenecks include:
  • Multiple appointments occupying a single provider time slot (double- and triple-booking);
  • Patient no-shows and late arrivals;
  • Providers arriving late;
  • Providers taking an inordinate amount of time with patients;
  • Emergencies and urgent walk-ins;
  • Duplicated processes (such as registration/check-in procedures);
  • Efficient and consistent internal systems and processes ignored (or not implemented in the first place);
  • Lost or incomplete paperwork or electronic documentation; and
  • Confusing, inefficient office layout.
Often, physicians and managers feel helpless because they’ve bought in to the idea that improved patient flow can’t be accomplished without a very expensive construction or remodeling project. But there are dozens of ways to improve efficiency without spending a lot of money. It takes some creative—even “out-of-the-box”—thinking, but sometimes simple solutions have a big impact. For example, if patient-prep is taking a long time because nursing assistants are waiting in line at the “vitals” station, buy more equipment and take the pressure off.

In the end, recognize that the “ideal” visit keeps patients moving through the system, but does not leave them feeling so rushed as not to have time to ask questions and understand instructions. It will require education and staff buy-in to change your culture to seek efficiency in all processes.
