jttconnect.com
Top 40 in 2017: Tips & Trends
Cybersecurity & HIPAA Security for the Healthcare Provider
Nic Cofield | Jackson Thornton Technologies
Cybersecurity – What to Know
Given the significant impact of a data breach, it is always good to know exactly what the threats are.
Malware
Threat to Know: Malware
• Generic term for any malicious software that is designed to damage or disable computers and computer systems.
• Trojans, worms, viruses, spyware, etc. are all types of malware.
• Malware can be used to intimidate users, alter or delete information, steal sensitive data, or take control of remote systems.
Examples of Malware
Significant Threats
Hacking
• “Hacking” is action taken by someone to gain unauthorized access to a computer.
• Hackers seek to find weaknesses in security settings and protocols in order to exploit them and gain entry into private systems.
• Due to widespread access to information, it is very easy for someone to obtain the tools and education needed to perform a sophisticated attack.
Brute Force Attacks
Spyware and Adware
• Used by third-party groups, these malicious software applications infiltrate a computer or network.
• They collect personal information from the user without his/her knowledge.
• Spyware and Adware can be difficult to detect and even more difficult to remove.
• These applications can send usernames, passwords, surfing habits, etc. to unauthorized organizations.
Toolbars very commonly carry spyware and adware. It is never recommended to download and install any sort of toolbar within your internet browser.
Phishing
• Phishing is the creation of fraudulent e-mails, text messages, and/or websites in order to try and fool a user into giving out personal or confidential information.
• Phishing attempts trick users by asking for personal account updates or validation of specific personal information, and can often intimidate a user into taking action that leads to sensitive information being stolen.
• More targeted attacks, known as Spear Phishing, are becoming more common.
Example - Phishing Attack
• Sample phishing attempt, based on a completely separate cybersecurity incident (Anthem BlueCross BlueShield Attack)
Wi-Fi Eavesdropping
• Hackers have the ability to intercept, or “eavesdrop,” on information that’s shared over an unsecured (unencrypted) Wi-Fi network.
• Any information that’s shared over the unsecure connection can be stolen.
• In certain instances, hackers can gain access to your computer.
Wi-Fi Eavesdropping
• An example of what a plain text file looks like in a commonly used Wi-Fi analyzer tool when it is sent over an unsecured connection. (Image source: www.datamation.com)
Ransomware
Medical Device Ransomware
• Security experts are concerned the next target for ransomware attacks may be medical devices.
• Both Forrester and NBC News reports predict that in the future, healthcare entities will be faced with malicious software targeted at medical devices and/or wearables.*
• The FDA has already issued a safety notice regarding infusion pumps that are, according to the agency, vulnerable to cyber attack, and medical providers were “strongly encouraged” to discontinue use of the pump.**
* http://motherboard.vice.com/read/ransomware-is-coming-to-medical-devices
** http://www.popsci.com/fda-issues-warning-cyber-security-risks-medical-devices
Social Engineering
Best Practices for Protection
Risk Management
Security Culture
– The weakest link in any computer system is the user
– Never think “It Can’t Happen to Me”
– Ignorance and naiveté are not acceptable excuses
– Every person is responsible for the protection of sensitive information
– Assess Risk (Risk Assessment), then Manage Risk (Culture of Compliance)
• Constantly Educate and Train
• Identify champions of your security culture – avoid exceptionalism
• Accountability and responsibility must be part of your core values
Know the Three Safeguards (Physical, Technical, Administrative)
Physical
• Facility Access Controls
• Workstation Security
• Device and Media Controls
Technical
• Access Control
• Audit Control
• Data Integrity
• Person/Entity Authentication
• Transmission Security
Administrative
• Security Management Process
• Security Responsibility
• Workforce Security
• Data Access Management
• Security Awareness and Training
• Security Incident Procedures
• Contingency Plan
• Evaluation
• BAA Agreements
Avoid The Wall of Shame
Know Where Your Data Is*
*Third-party analysis of OCR “Wall of Shame” breach notification listings (Precyse)
Plan for the Unexpected
• HIPAA says you must maintain availability to all PHI, regardless of incident.
• Consider all scenarios – fire, tornado, server crash, internet outage, etc.
• Data backups need to be encrypted – the information in the backup is still considered ePHI!
• Test your policy and your system – don’t chance it.
Protect Mobile Devices
– Mobile devices have become quite ubiquitous within medical facilities
– These devices are easily lost or stolen, increasing the importance of protecting and mitigating the risk and exposure they present to the covered entity
– Consider location (both permanent and temporary) and determine how to prevent unauthorized viewing
– Always implement strong authentication and access controls to secure against unauthorized use
– Never transmit ePHI over public wireless networks without encryption
– If ePHI must be placed on a mobile device, always encrypt the data – avoid using mobile devices that cannot support encryption
Avoid Default Admin Passwords
Use Strong Passwords and Change Them Regularly
• Strongly related to access control, a proper password policy is vital for preventing unauthorized viewing of PHI.
• Brute Force Attacks are much less likely to succeed when complex passwords are in use.
• Avoid personal information (birthdays, family member names, etc.).
• Consider password length, use of upper and lower case letters, and, if allowable, consider pass phrases.
• Configure systems to enforce password complexity and to require users to change passwords at a set frequency.
• Consider, especially in areas where access control is important, the use of dual-factor authentication.
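The password policy above can be enforced mechanically rather than left to user judgement. The Python below is an added example written for this page, not code from Jackson Thornton Technologies or from any product the deck describes. The minimum length, the number of required character classes and the 90-day rotation interval are assumed policy values, and the list of personal terms is constructed for illustration. Beyond the bullets, it also estimates the brute-force search space in bits, which makes concrete why length and character variety matter against brute force attacks.

```python
import math
import string

# Assumed policy values for this example; a real policy would come from
# the organization's risk assessment, not from these constants.
MIN_LENGTH = 12
MIN_CLASSES = 3          # out of: lowercase, uppercase, digits, symbols
MAX_AGE_DAYS = 90        # rotation interval the policy enforces

# Constructed list of personal details a user must not embed in a password
# (the deck warns against birthdays and family member names).
PERSONAL_TERMS = ["smith", "1984", "fluffy"]


def character_classes(pw: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def keyspace_bits(pw: str) -> float:
    """Upper bound on the brute-force search space, in bits.

    Assumes the attacker already knows the length and which character
    classes are used, so the alphabet is the sum of those class sizes.
    """
    sizes = {"lower": 26, "upper": 26, "digit": 10,
             "symbol": len(string.punctuation)}
    alphabet = sum(sizes[c] for c in character_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw: str, personal_terms=PERSONAL_TERMS) -> list:
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(pw)) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    lowered = pw.lower()
    for term in personal_terms:
        if term.lower() in lowered:
            problems.append(f"contains personal term '{term}'")
    # Reject strings built from one or two repeated characters, which
    # satisfy length but add almost nothing to the search space.
    if len(set(pw)) <= 2:
        problems.append("too little character variety")
    return problems


def rotation_due(last_changed_days_ago: int) -> bool:
    """True when the password is older than the enforced rotation interval."""
    return last_changed_days_ago >= MAX_AGE_DAYS


if __name__ == "__main__":
    for candidate in ["password", "Fluffy1984!!xyz", "Correct-Horse-Battery-9"]:
        print(f"{candidate!r}: {keyspace_bits(candidate):.1f} bits, "
              f"problems={check_password(candidate)}")
```

The keyspace estimate is deliberately an upper bound: it assumes random choice from the alphabet, so a dictionary word with a digit appended scores far better than it deserves. That is why the personal-term check and the class requirement sit alongside the bit count rather than replacing it.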
TOP 40 IN 2017
Rebecca Lynn Hanif, CPC, CPCO, CCS, CPMA | AHIMA Approved ICD-10-CM/PCS Trainer
jacksonthornton.com
BCBS Value Based Payment
Clinical Effectiveness Assessment
Clinical Effectiveness Assessment Calculation
• Inpatient admissions
• Office visits
• Laboratory
• Prescription drug claims
• Emergency room visits
• Outpatient surgery
• Radiology
Clinical Effectiveness Assessment
• If you believe that the data being displayed is inaccurate, you should notify your Network Services Performance Representative at 1-866-904-4130, option 5, to allow Blue Cross to investigate the issue further.
Check your Stats for Quality Metrics
• There is a list of patient names that are attributed to your NPI. Mistakes happen all the time.
Cost Efficiency Assessment
Service Setting   Actual Average Allowed   Expected Average Allowed   Performance Ratio (Actual to Expected)
Episode Total     $1572                    $2094                      .75
Admission         $342                     $373                       .92
ER Visit          $153                     $196                       .78
Office Visit      $430                     $460                       .93
Labs              $54                      $57                        .94
Radiology         $125                     $216                       .58
RX Drugs          $292                     $263                       1.11
Cost Efficiency Assessment
Driving Down Costs and Increasing Clinical Effectiveness
CMS MIPS
The Report Card CMS
Consequences
• Neutral
• Positive = Increase
• Negative = Decrease
Effective Clinical Care
Population Health Quality Score
Quality Outcomes – Calculated from CMS Claims Data
Medicare Costs per Beneficiary
Strategy for Possible Incentives
• Pick Your Pace
• No registration is required for Pick Your Pace. Groups electing to report via CMS Web Interface or administer the CAHPS for MIPS survey must register by June 30.
• Partial Participation – Report at least 90 days of data for more than one quality measure, more than one improvement activity, or 4 or 5 Required Advancing Care Information Measures and avoid the negative payment adjustment. ECs will also be eligible for a small positive payment adjustment.
• Full Participation – Report for a full 90-day period or a full calendar year for all required quality measures, all required improvement activities, and all required ACI measures and avoid negative payment adjustments. Full participation optimizes an EC’s chance for a moderate positive payment adjustment in 2019.
Advancing Care Information (MU)
• ERx
• Health Information Exchange
• Medication Reconciliation
• Patient Education
• Patient Access
• Secure Messaging
• View, Download, Transmit
Advancing Care Information
Clinical Improvement Activities
• 13 IA measures require the use of a QCDR
• 3 IA measures require the use of a survey
• Small practices with 15 or fewer clinicians and practices located in rural and geographic health provider shortage areas (HPSAs) can report one high-weighted or two medium-weighted activities to achieve a full score in this category
• Easy to document – specific requirements
High Priority Measures Clinical Improvement
High Priority Measures Quality
Consumer Assessment of Healthcare Providers and Systems (CAHPS)
• The patient experience
– When you phoned this provider’s office to get an appointment for care you needed right away, how often did you get an appointment as soon as you needed?
– When you phoned this provider’s office during regular office hours, how often did you get an answer to your medical question that same day?
– How often did you get an answer to your medical question as soon as you needed?
– How often did you see this provider within 15 minutes of your appointment time?
– How often did this provider explain things in a way that was easy to understand?
Quality Category for MIPS
Measure Name
Body Mass Index (BMI) screening and follow-up plan (18-64)
Body Mass Index (BMI) screening and follow-up plan (65 and older)
Controlling high blood pressure
Documentation of current medications in the medical record
Heart failure: Angiotensin-converting enzyme inhibitor or angiotensin receptor blocker therapy for left ventricular systolic dysfunction
Ischemic vascular disease: Use of aspirin or another antithrombotic
Preventive care: Screening for high blood pressure and follow-up documented
Registry: Care Plan
Registry: Coronary Artery Disease (CAD): Angiotensin Converting Enzyme (ACE) Inhibitor or Angiotensin Receptor Blocker (ARB) Therapy: Diabetes or Left Ventricular Systolic Dysfunction (LVEF < 40%)
Registry: Coronary Artery Disease: Beta-blocker therapy for Prior Myocardial infarction or Left ventricular systolic dysfunction < 40%
Tobacco use: Screening and cessation intervention

Body Mass Index (BMI) screening and follow-up plan (18-64)
Body Mass Index (BMI) screening and follow-up plan (65 and older)
Controlling high blood pressure
Documentation of current medications in the medical record
Ischemic vascular disease: Use of aspirin or another antithrombotic
Preventive care: Screening for high blood pressure and follow-up documented
Registry: Care Plan
TELEMEDICINE AND OTHER UNDERUTILIZED CODES
Chronic care management: Don’t leave money on the table
• 99490 - CHRON CARE MGMT SRVC 20 MIN
• 99487 - CMPLX CHRON CARE W/O PT VSIT
• + 99489 - CMPLX CHRON CARE ADDL 30 MIN
• No specific technology requirements for sharing care plan information electronically within and outside the practice, and fax can count
• Verbal consent instead of written consent in 2017
• Extra payment for extensive initiating services by the CCM practitioner (G0506)
• Initiating Visit - Initiation during an AWV, IPPE, or face-to-face E/M visit
• Structured Recording of Patient Information Using Certified EHR Technology
• 24/7 Access & Continuity of Care
• Comprehensive Care Management
• Comprehensive Care Plan
• Management of Care Transitions
• Home- and Community-Based Care Coordination
• Enhanced Communication Opportunities
• Medical Decision-Making – moderate to high
Telemedicine in Alabama BC and M’Care
• Distant Site Practitioners
– All licensed independent practitioners who are responsible for BCBSAL member care, treatment, and services via telemedicine link are/will:
• Members in good standing in the BCBSAL network.
• Credentialed and approved to provide telemedicine services by BCBSAL.
• Sign a BCBSAL Telemedicine Attestation if applicable
– Interactive
– Real-time (synchronous)
– Secured and HIPAA compliant
– This initiative is designed to help fill those gaps and facilitate care for conditions that fall into the following categories:
• Cardiologic conditions
• Dermatologic conditions
• Infectious disease
• Behavioral health
• Neurologic diseases (including stroke)
Telemedicine as a Self-pay Service
• Request a visit with a doctor by web, phone, or mobile app.
• Talk to the doctor.
• If medically necessary, a prescription will be sent to the pharmacy of your choice.
• Payment is negotiated by the vendor
– Teledoc
– MeMD
– iCliniq
– American Well
– MDlive
– MDAligne
– CareClix
– ConsultADoctor
Patient Centered Medical Homes or Patient Centered Specialty Practice Recognition
• The PCMH provides or arranges for all of the patient’s healthcare needs, including:
– Preventive Care
– Treatment of Acute and Chronic Illnesses
– Assistance with End-of-Life Care
• 99497 – ACP, including the explanation and discussion of advance directives, such as standard forms (with completion of such forms, when performed), by the physician or other qualified health professional
• 99498 – Each additional 30 minutes (list separately in addition to code for primary procedure)
• Develop & implement standardized treatment orders/evidence-based clinical guidelines
• Utilize Disease Registries for population health management
• Track and coordinate care across the healthcare continuum
• Exchange clinical information electronically with referral providers – build a strong “Medical Neighborhood”
• Integrate comprehensive medication management program
• http://www.ncqa.org/programs/recognition/practices/patient-centered-medical-home-pcmh/pcmh-2014-content-and-scoring-summary
Questions?
Rebecca Hanif, CCS, CPCO, CPC
AHIMA Approved ICD-10-CM/PCS Trainer | JACKSON THORNTON HEALTHCARE
t (334) 386-9594   f (334) 956-5090   w cpmresults.com