jttconnect.com

Top 40 in 2017Tips & Trends

Cybersecurity & HIPAA Security for the Healthcare Provider

Nic Cofield | Jackson Thornton Technologies

Cybersecurity – What to Know

jttconnect.com

Given the significant impact of a data breach, it’s always good to know exactly that

the threats are.

Malware

jttconnect.com

Threat to Know:Malware

• Generic term for any malicious software that is designed to damage or disable computers and computer systems.

• Trojans, worms, viruses, spyware, etc. are all type of Malware.

• Malware can be used to intimidate users, alter or delete information, steal sensitive data, or take control of remote systems.

Malware

jttconnect.com

Examples of Malware

Significant Threats

jttconnect.com

Hacking

• “Hacking” is action taken by someone to gain unauthorized access to a computer.

• Hackers seek to find weakness in security settings and protocols in order to exploit and gain entry into private systems.

• Due to widespread access to information, it is very easy for someone to obtain the tools and education needed to perform a sophisticated attack.

Significant Threats

jttconnect.com

Significant Threats

jttconnect.com

Brute Force Attacks

Significant Threats

jttconnect.com

Spyware and Adware

• Used by third-party groups, these malicious software applications are used to infiltrate a computer or network.

• Collects personal information from the user without his/her knowledge.

• Spyware and Adware can be difficult to detect and even more difficult to remove.

• These applications can send usernames, passwords, surfing habits, etc. to unauthorized organizations.

Significant Threats

jttconnect.com

Toolbars very commonly carry spyware and adware. It is never recommended to download and install any sort of toolbar within your internet browser.

Significant Threats

jttconnect.com

Phishing

• Phishing is the creation of fraudulent e-mails, text messages, and/or websites in order to try and fool a user into giving out personal or confidential information.

• Phishing attempts can trick by asking for personal account updates, validation of specific personal information, and can often intimidate a user into taking action that leads to sensitive information being stolen.

• More targeted attacks, known as Spear Phishing, are becoming more common.

Significant Threats

jttconnect.com

Example - Phishing Attack

• Sample phishing attempt, based on a completely separate cybersecurity incident (Anthem BlueCross BlueShield Attack)

Significant Threats

jttconnect.com

Wi-Fi Eavesdropping

• Hackers have the ability to intercept, or “eavesdrop,” on information that’s shared over an unsecure (not encrypted Wi-Fi network).

• Any information that’s shared over the unsecure connection can be stolen.

• In certain instances, hackers can gain access to your computer.

Significant Threats

jttconnect.com

www.datamation.com

Wi-Fi Eavesdropping

• An example of what a plain text file would look like in a commonly-used Wi-Fi analyzer tool (if sent over an unsecure connection).

Ransomware

Medical Device Ransomware

• Security experts are concerned the next target for ransomware attacks may be medical devices.

• Both Forrester and NBC News reports predict that in the future, healthcare entities will be faced with malicious software targeted at medical devices and/or wearables.*

• The FDA has already issued a safety notice regarding infusion pumps that are, according to the agency, vulnerable to cyber attack, as medical providers were “strongly encouraged” to discontinue use of the pump.**

*http://motherboard.vice.com/read/ransomware-is-coming-to-medical-devices**http://www.popsci.com/fda-issues-warning-cyber-security-risks-medical-devices

jttconnect.com

Social Engineering

jttconnect.com

Best Practices for Protection

Risk Management

jttconnect.com

– The weakest link in any computer system is the user

– Never think “It Can’t Happen to Me”– Ignorance and naiveté are not

acceptable excuses– Every person is responsible for the

protection of sensitive information– Assess Risk (Risk Assessment), then

Manage Risk (Culture of Compliance)• Constantly Educate and Train• Identify champions of your

security culture – avoid exceptionalism

• Accountability and responsibility must be part of your core values

Security Culture

Know The Three Safeguards (Physical, Technical,

Administrative)

Physical

• Facility Access Controls

• Workstation Security• Device and Media

Controls

Technical

• Access Control• Audit Control• Data Integrity• Person/Entity

Authentication• Transmission

Security

Administrative

• Security Management Process

• Security Responsibility

• Workforce Security• Data Access

Management• Security Awareness

and Training• Security Incident

Procedures• Contingency Plan

Evaluation• BAA Agreements

Avoid The Wall of Shame

Know Where Your Data Is*

*Third-party analysis of OCR “Wall of Shame” breach notification listings (Precyse)

Plan for the Unexpected

jttconnect.com

• HIPAA says you must maintain availability to all PHI, regardless of incident.

• Consider all scenarios – fire, tornado, server crash, internet outage, etc.

• Data backups need to be encrypted – the information in the backup is still considered ePHI!

• Test your policy and your system –don’t chance it.

Protect Mobile Devices

jttconnect.com

– Mobile devices have become quite ubiquitous within medical facilities

– These devices are easily lost or stolen, increasing the importance of protecting and mitigating the risk and exposure they present to the covered entity

– Consider location (both permanent and temporary) and determine how to prevent unauthorized viewing

– Always implement strong authentication and access controls to secure against unauthorized use

– Never transmit ePHI over public wireless networks without encryption

– If ePHI must be placed on a mobile device, always encrypt the data – avoid using mobile devices that cannot support encryption

Avoid Default Admin Passwords

Use Strong Passwords and Change Them Regularly

jttconnect.com

• Strongly related to access control, a proper password policy is vital for preventing unauthorized viewing of PHI.

• Brute Force Attacks are much less likely to occur when complex passwords are present.

• Avoid personal information (birthdays, family member names, etc.)

• Consider password length, use of upper and lower case letters, and, if allowable, consider pass phrases.

• Configure systems to enforce both complexity of password as well as require users to change passwords at a set frequency

• Consider, especially in areas where access control is important, the use of dual-factor authentication

TOP 40 IN 2017

Rebecca Lynn Hanif, CPC,CPCO,CCS, CPMA| AHIMA Approved ICD-10-CM/PCS Trainer

jacksonthornton.com

BCBS Value Based Payment

Clinical Effectiveness Assessment

Clinical Effectiveness Assessment Calculation

• Inpatient admissions• Office visits• Laboratory• Prescription drug claims• Emergency room visits• Outpatient surgery• Radiology

Clinical Effectiveness Assessment

• If you believe that the data being displayed is inaccurate, you should notify your Network Services Performance Representative at 1-866-904-4130, option 5, to allow Blue Cross to investigate the issue further.

Check your Stats for Quality Metrics

• There is a list of patient names that are attributed to your NPI. Mistakes happen all the time.

Cost Efficiency Assessment

Service Setting Actual Average Allowed

Expected Average Allowed

Performance Ratio Actual to Expected

Episode Total $1572 $2094 .75

Admission $342 $373 .92

ER Visit $153 $196 .78

Office Visit $430 $460 .93

Labs $54 $57 .94

Radiology $125 $216 .58

RX Drugs $292 $263 1.11

Cost Efficiency Assessment

Driving Down Costs and Increasing Clinical Effectiveness

Driving Down Costs and Increasing Clinical Effectiveness

Driving Down Costs and Increasing Clinical Effectiveness

CMS MIPS

The Report Card CMS

Consequences

• Neutral• Positive = Increase• Negative = Decrease

Effective Clinical Care

Population Health Quality Score

Quality Outcomes – Calculated from CMS Claims Data

Medicare Costs per Beneficiary

Medicare Costs per Beneficiary

Strategy for Possible Incentives

• Pick your Pace• No registration is required for Pick Your Pace. Groups electing

to report via CMS Web Interface or administer the CAHPS for MIPS survey must register by June 30.

• Partial Participation—Report at least 90 days of data for more than one quality measure, more than one improvement activity, or 4 or 5 Required Advancing Care Information Measures and avoid the negative payment adjustment. ECs will also be eligible for a small positive payment adjustment.

• Full Participation—Report for a full 90-day period or a full calendar year for all required quality measures, all required improvement activities, and all required ACI measures and avoid negative payment adjustments. Full participation optimizes an EC’s chance for a moderate positive payment adjustment in 2019

Advancing Care Information (MU)

• ERx• Health Information Exchange• Medication Reconciliation• Patient Education• Patient Access• Secure Messaging• View, Download, Transmit

Advancing Care Information

Clinical Improvement Activities

• 13 IA measures require the use of a QCDR• 3 IA measures require the use of a survey• Small practices with 15 or fewer clinicians and practices

located in rural and geographic health provider shortage areas (HPSAs) can report one high-weighted or two medium-weighted activities to achieve a full score in this category

• Easy to document – specific requirements

High Priority Measures Clinical Improvement

High Priority Measures Quality

Consumer Assessment of Healthcare Providers and Systems (CAHPS)

• The patient experience– When you phoned this provider’s office to get an appointment for care

you needed right away, how often did you get an appointment as soon as you needed?

– When you phoned this provider’s office during regular office hours, how often did you get an answer to your medical question that same day?

– How often did you get an answer to your medical question as soon as you needed?

– How often did you see this provider within 15 minutes of your appointment time?

– How often did this provider explain things in a way that was easy to understand?

Quality Category for MIPS

Measure Name

Body Mass Index (BMI) screening and follow-up plan (18-64)

Body Mass Index (BMI) screening and follow-up plan (65 and older)Controlling high blood pressure

Documentation of current medications in the medical recordHeart failure: Angiotensin-converting enzyme inhibitor or angiotensin receptor blocker therapy for left ventricular systolic dysfunction

Ischemic vascular disease: Use of aspirin or another antithrombotic

Preventive care: Screening for high blood pressure and follow-up documentedRegistry: Care Plan

Registry: Coronary Artery Disease (CAD): Angiotensin Converting Enzyme (ACE) Inhibitor or Angiotensin Receptor Blocker (ARB) Therapy: Diabetes or Left Ventricular Systolic Dysfunction (LVEF < 40%)Registry: Coronary Artery Disease: Beta-blocker therapy for Prior Myocardial infarction or Left ventricular systolic dysfunction < 40%Tobacco use: Screening and cessation intervention

Body Mass Index (BMI) screening and follow-up plan (18-64)

Body Mass Index (BMI) screening and follow-up plan (65 and older)Controlling high blood pressure

Documentation of current medications in the medical record

Ischemic vascular disease: Use of aspirin or another antithrombotic

Preventive care: Screening for high blood pressure and follow-up documentedRegistry: Care Plan

TELEMEDICINE AND OTHER UNDERUTILIZED CODES

Chronic care management: Don’t leave money on the table

• 99490 - CHRON CARE MGMT SRVC 20 MIN• 99487 - CMPLX CHRON CARE W/O PT VSIT• + 99489 - CMPLX CHRON CARE ADDL 30 MIN• No specific technology requirements for sharing care plan

information electronically within and outside the practice, and fax can count

• Verbal consent instead of written consent in 2017• Extra payment for extensive initiating services by the CCM

practitioner (G0506)

Chronic care management: Don’t leave money on the table

Chronic care management: Don’t leave money on the table

• Initiating Visit - Initiation during an AWV, IPPE, or face-to-face E/M visit

• Structured Recording of Patient Information Using Certified EHR Technology

• 24/7 Access & Continuity of Care• Comprehensive Care Management • Comprehensive Care Plan• Management of Care Transitions• Home- and Community-Based Care Coordination• Enhanced Communication Opportunities • Medical Decision-Making – moderate to high

Telemedicine in Alabama BC and M’Care• Distant Site Practitioners

– All licensed independent practitioners who are responsible for BCBSAL member care, treatment, and services via telemedicine link are/will:

• Members in good standing in the BCBSAL network.• Credentialed and approved to provide telemedicine services by BCBSAL.• Sign a BCBSAL Telemedicine Attestation if applicable

– Interactive– Real-time (synchronous)– Secured and HIPPA compliant– This initiative is designed to help fill those gaps and facilitate care

for conditions that fall into the following categories:• Cardiologic conditions• Dermatologic conditions• Infectious disease• Behavioral health• Neurologic diseases (including stroke)

Telemedicine as a Self-pay Service

• Request a visit with a doctor by web, phone, or mobile app.• Talk to the doctor. • If medically necessary, a prescription will be sent to the pharmacy of

your choice.• Payment is negotiated by the vendor

– Teledoc– MeMD– iCliniq– American Well– MDlive– MDAligne– CareClix– ConsultADoctor

Patient Centered Medical Homes or Patient Centered Specialty Practice Recogntion

• The PCMH provides or arranges for all of the patient’s healthcare needs, including:– Preventive Care– Treatment of Acute and Chronic Illnesses– Assistance with End-of-Life Care

• 99497 – ACP, including the explanation and discussion of advance directives, such as standard forms (with completion of such forms, when performed), by the physician or other qualified health professional

• 99498 – Each additional 30 minutes (list separately in addition to code for primary procedure)

Patient Centered Medical Homes or Patient Centered Specialty Practice Recogntion

Patient Centered Medical Homes or Patient Centered Specialty Practice Recognition

Patient Centered Medical Homes or Patient Centered Specialty Practice Recognition

• Develop & implement standardized treatment orders/evidenced-based clinical guidelines

• Utilize Disease Registries for population health management• Track and coordinate care across healthcare continuum• Exchange clinical information electronically with referral providers-build a

strong “Medical Neighborhood”• Integrate comprehensive medication management program • http://www.ncqa.org/programs/recognition/practices/patient-centered-

medical-home-pcmh/pcmh-2014-content-and-scoring-summary

Questions?Rebecca Hanif, CCS, CPCO, CPC

AHIMA Approved ICD-10-CM/PCS Trainer JACKSON THORNTON HEALTHCARE

t (334) 386-9594 f (334) 956-5090w cpmresults.com

e Rebecca.Hanif@jacksonthornton.com