Webinar 3/18 | ASPR Healthcare System Cybersecurity Response

From the HHS Office of the Assistant Secretary for Preparedness and Response

Healthcare System Cybersecurity Response: Experiences and Considerations March 18, 2021 ~ 1:30-2:45 PM ET

Presenters on this webinar will discuss their experiences and tangible lessons learned in responding to cybersecurity incidents. This webinar builds upon the recently released Healthcare System Cybersecurity: Readiness and Response Considerations document and accompanying overview presentation that describes how to use the resource. The webinar will take place on Thursday, March 18, 2021 from 1:30-2:45 PM ET.

Register today!

Moderator:

  • John Hick, MD, Hennepin Healthcare

Introductions:

  • Laura Wolf, Ph.D., Director, Division of Critical Infrastructure Protection, HHS ASPR

Speakers (listed in alphabetical order):
  • Lisa Bazis, MS, Chief Information Security Officer, Nebraska Medicine
  • Craig DeAtley, PA-C, Director, Institute for Public Health Emergency Readiness, MedStar Washington Hospital Center
  • Dawn Straub, MSN, RN, NEA-BC, Executive Director, Nursing Professional Practice & Informatics, Nebraska Medicine


CISA Cyber Hygiene Services

Reducing the Risk of a Successful Cyber Attack

Adversaries use known vulnerabilities and phishing attacks to compromise the security of organizations. The Cybersecurity and Infrastructure Security Agency (CISA) offers several scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors.

  • Vulnerability Scanning: Evaluates external network presence by executing continuous scans of public, static IPs for accessible services and vulnerabilities. This service provides weekly vulnerability reports and ad-hoc alerts.
  • Web Application Scanning: Evaluates known and discovered publicly-accessible websites for potential bugs and weak configuration to provide recommendations for mitigating web application security risks.
  • Phishing Campaign Assessment: Provides an opportunity for determining the potential susceptibility of personnel to phishing attacks. This is a practical exercise intended to support and measure the effectiveness of security awareness training.
  • Remote Penetration Test: Simulates the tactics and techniques of real-world adversaries to identify and validate exploitable pathways. This service is ideal for testing perimeter defenses, the security of externally-available applications, and the potential for exploitation of open source information.

Frequently Asked Questions

How much does it cost? CISA cybersecurity assessment services are available at no cost.

Who can receive services? Federal, state, local, tribal and territorial governments, as well as public and private sector critical infrastructure organizations.

When will my services begin? Vulnerability Scanning and Web Application Scanning typically begin within one week of returning the appropriate forms.

Who performs the service? Cyber Hygiene services are provided by CISA’s highly trained information security experts equipped with top of the line tools. Our mission is to measurably reduce cybersecurity risks to the Nation by providing services to government and critical infrastructure stakeholders.

Get Started

Email us at vulnerability_info@cisa.dhs.gov with the subject line “Requesting Cyber Hygiene Services” to get started.

Data Privacy

This past January, the AAA hosted a webinar presented by EMS/healthcare attorneys Matthew Streger, Margaret Keavney, and Rebecca Ragkoski, titled Cybersecurity, Top 10 Considerations in Healthcare and How to Address Them. During this very informative webinar, Matt, Margaret, and Rebecca covered one of the biggest issues facing EMS and other healthcare providers today: data security. If you did not get a chance to listen in on this program, it is available on-demand at the AAA website.

As highlighted in their webinar, data security and data breach concerns are one of the most frequently encountered issues facing EMS agencies as healthcare providers but also as employers. Ensuring that patient and employee protected health information (PHI) and personally identifiable information (PII) is adequately protected from access or intrusion is critically important.

Alabama has become the 50th state to enact data breach notification requirements, covering individuals and businesses in the state. The Society for Human Resource Management (SHRM) provides a good summary of the new requirements in several articles published this week. The National Conference of State Legislatures is a great resource for learning which laws apply to your organization. Of course, it is recommended that all members engage a law firm that is familiar with data security requirements at both the federal and state level.

It is critically important for EMS agencies to perform a risk analysis for all data systems. This analysis should include all third party hosted web platforms that contain or may contain PHI or PII. EMS leaders should inquire with their IT departments and all EMS leadership to identify where PHI or PII might be found. Be sure to include any incident reporting system utilized by the agency. Often these systems include information about response locations, which can include patient addresses or other PHI. Also found in many incident reporting systems is employee incident and injury data which can include PII. Be sure that these often-overlooked systems meet the security requirements detailed in the applicable federal and state data protection laws.

HIPAA and Mobile Devices: What Your Service Needs to Know

For ambulance services, HIPAA compliance is a particularly sensitive issue. Because of the sensitive nature of the health data that EMS and EMT professionals deal with on a daily basis, HIPAA Privacy and Security standards must be carefully adhered to.

This issue becomes even more sensitive when you consider that most of the data collected during pre-hospital care will likely be collected, tracked, and documented on a mobile device. Laptops, smartphones, and tablets are indispensable tools for ambulance care. Most of these devices will have access to electronic health records (EHR) platforms, which will in turn be connected to the rest of a hospital’s EHR data.

While mobile devices can provide convenience in life-or-death situations, they are also particularly vulnerable to the risk of a data breach. A data breach of unsecured health information can lead to serious HIPAA violations and put patient privacy at risk.

The kind of health information that these devices have access to is called protected health information, or PHI. PHI is individually identifiable health information: health, treatment, or payment data combined with any identifier that ties it to a person. Common identifiers include names, dates of birth, insurance ID numbers, addresses, full facial photos, and telephone numbers, to name a few; medical information itself becomes PHI once it is linked to any of them.

The HIPAA Rules set specific standards for maintaining the privacy, security, and integrity of PHI. Though the regulation can seem complex, the standards are in place to safeguard PHI. Under HIPAA, an ambulance service that transmits health information electronically in connection with billing or other covered transactions (as nearly all do) is a Covered Entity, meaning that it is responsible for maintaining compliance with both the HIPAA Privacy Rule and the HIPAA Security Rule.

These two rules set limits for how and when PHI must be stored and accessed. Below, we list a few of the major components of the HIPAA Rules that all ambulance services can implement in order to keep PHI safe and secure on the go.

  • All mobile devices that can access PHI must have full-disk encryption, and all devices should be routinely backed up to encrypted servers. If a device is lost or stolen, full-disk encryption keeps thieves from reading the stored health data, but only if the device was locked or powered off and the encryption key is protected by a strong passcode rather than a trivial PIN; verify that encryption is actually enabled on each device instead of assuming the platform default. Under HHS guidance, PHI encrypted this way is not "unsecured" PHI, so the loss of a properly encrypted device generally does not trigger breach notification.
  • Your organization should have HIPAA policies and procedures in place pertaining to mobile devices taken “off-site.” This would necessarily include all laptops, tablets, and smartphones with access to PHI that are used in pre-hospital care in an ambulance. By outlining when devices are permitted to be used, who is permitted to use them, and how they are to be handled in off-site settings, your organization will mitigate the risk to PHI stored on these devices.
  • Keep a full inventory of all devices within your organization that can access or handle PHI in any way. Routine check-ups on the condition and location of devices listed in your inventory will help ensure that devices are not misplaced. And in the event that a device is misplaced or stolen, organization officials will notice as soon as the inventory is reviewed so that action can be taken to remedy the breach.
  • Access to PHI on mobile devices and in pre-hospital settings should be limited only to essential members of the organization’s workforce. This is known as the Minimum Necessary Standard. It’s a part of the HIPAA Privacy Rule that states that access to PHI must be limited based on employees’ roles, and that when access is granted, it should be limited to the minimum access necessary for each employee to perform their role.

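The inventory and encryption items above can be checked routinely rather than by hand. The following Python script is an added example, not code from the original article or from any particular product: it reconciles a device inventory against an export from a mobile device management (MDM) system and flags devices that the MDM has never seen, that report without full-disk encryption, or that have not checked in for longer than a set number of days. The inventory, the export, its field names, and the 14-day threshold are all constructed for the example; a real MDM export will use different fields.

```python
"""Reconcile a PHI-device inventory against an MDM export (added example).

Hypothetical data and field names; real MDM products export differently.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: asset tag -> who holds it and whether it may touch PHI.
INVENTORY = {
    "TAB-0101": {"assigned_to": "Medic 12", "phi_access": True},
    "TAB-0102": {"assigned_to": "Medic 14", "phi_access": True},
    "TAB-0103": {"assigned_to": "Medic 16", "phi_access": True},
    "LAP-0201": {"assigned_to": "Shift supervisor", "phi_access": True},
    "PHN-0301": {"assigned_to": "Billing office", "phi_access": False},
}

# Constructed sample MDM export: one record per device the MDM has ever enrolled.
MDM_EXPORT = [
    {"asset_tag": "TAB-0101", "encrypted": True, "last_checkin": "2021-03-15T14:02:00+00:00"},
    {"asset_tag": "TAB-0102", "encrypted": False, "last_checkin": "2021-03-16T09:30:00+00:00"},
    {"asset_tag": "LAP-0201", "encrypted": True, "last_checkin": "2021-01-20T08:00:00+00:00"},
    {"asset_tag": "PHN-0301", "encrypted": True, "last_checkin": "2021-03-16T12:00:00+00:00"},
    {"asset_tag": "PHN-0999", "encrypted": True, "last_checkin": "2021-03-16T12:00:00+00:00"},
]


@dataclass(frozen=True)
class Finding:
    asset_tag: str
    issue: str      # missing_from_mdm | unencrypted | stale_checkin | unknown_device
    detail: str


def reconcile(inventory, mdm_export, now, stale_after_days=14):
    """Return the list of findings a reviewer should act on.

    - missing_from_mdm: inventoried device the MDM has never seen (never enrolled, or wiped).
    - unencrypted: PHI-capable device whose MDM record reports disk encryption off.
    - stale_checkin: device silent for longer than stale_after_days (possible loss or theft).
    - unknown_device: enrolled device absent from the inventory (the inventory is incomplete).
    """
    reported = {rec["asset_tag"]: rec for rec in mdm_export}
    findings = []
    for tag, info in inventory.items():
        rec = reported.get(tag)
        if rec is None:
            findings.append(Finding(tag, "missing_from_mdm",
                                    f"assigned to {info['assigned_to']}; never reported by MDM"))
            continue
        if info["phi_access"] and not rec["encrypted"]:
            findings.append(Finding(tag, "unencrypted",
                                    f"PHI-capable device assigned to {info['assigned_to']}"))
        # Both timestamps are timezone-aware, so the subtraction is well defined.
        age = now - datetime.fromisoformat(rec["last_checkin"])
        if age > timedelta(days=stale_after_days):
            findings.append(Finding(tag, "stale_checkin",
                                    f"last check-in {age.days} days ago (limit {stale_after_days})"))
    for tag in reported:
        if tag not in inventory:
            findings.append(Finding(tag, "unknown_device", "enrolled in MDM but not in inventory"))
    return findings


def review(now_iso="2021-03-18T00:00:00+00:00"):
    """Run the reconciliation against the constructed data at a fixed 'now' for reproducibility."""
    now = datetime.fromisoformat(now_iso).astimezone(timezone.utc)
    return reconcile(INVENTORY, MDM_EXPORT, now)


if __name__ == "__main__":
    for f in review():
        print(f"{f.asset_tag:9} {f.issue:17} {f.detail}")
```

Run it at each inventory review. An "unencrypted" or "stale_checkin" finding on a PHI-capable device is the trigger for the lost-device response described above (locate or remote-wipe the device, then assess whether unsecured PHI was exposed), and an "unknown_device" finding means the inventory itself needs correcting.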
These are just a few of the ways that ambulance services can protect PHI and comply with HIPAA mobile device standards.

In addition to the actions listed above, a total compliance program that addresses the full extent of the law must be in place in order to prevent HIPAA violations and data breaches.

Addressing HIPAA compliance can help ambulance services confidently treat their patients without worrying about the risk of data breaches or government fines.

5 Can’t-Miss EMS Podcasts

Podcasts are a great way to gain information and insight on a variety of topics.  With the intimidating number of podcasts on the topic of EMS and leadership available, it can take a bit of time to find the one that’s right for you.  I have been a fan of podcasts for several years now, and while some of my favorites have dropped off over the years, I am certain there are many new favorites out there waiting to be discovered.

If you’re not yet listening to podcasts, I encourage you to start exploring – here is a quick list of some of my current favorites in EMS and leadership to get you started. (We’ve included links to iTunes, but these podcasts can be found on just about any podcast service.)

  1. Prehospital Emergency Care Podcast
    This is a newer podcast, and it quickly landed on my subscribed list for the obvious reason: it is the official podcast of the NAEMSP. The first few episodes were recorded during the most recent NAEMSP annual meeting; in the most recent episodes the hosts interview authors of studies published in the PEC journal, discussing the results and questioning when, and how, changes should be implemented based on them. I’ve been able to make the NAEMSP conference a few times, and it is truly enjoyable. This podcast is a nice way to keep up on the research and recommendations coming from the NAEMSP.
  2. EMJ Podcast
    This podcast discusses the research published in the Emergency Medicine Journal (EMJ) and is a great listen, in my opinion. The hosts are easy to listen to and the way they discuss the research and potential application is thought provoking, particularly given the international perspective.
  3. CPR Podcast
    This podcast is a little bit of everything in EMS. While most of the episodes seem to have a clinical education spin, others delve into standard practice, leadership, and provider health and safety topics as well. The conversations are well planned without seeming overly rehearsed, which adds a measure of sincerity to the commentary.
  4. Dear HBR
    This is a newer podcast and is produced by the Harvard Business Review.  While not directly related to EMS, there is value for EMS listeners.  Individuals write to the show and ask questions – many of which are about how to handle conflicts or difficult situations in the workplace – and the hosts discuss the question at hand and the advice they might give the individual based on personal experience and available research.  There is so much we can learn through the experience of others, and this is a good way to compare our own experience with the experience of others, and perhaps walk away with some good advice.
  5. EM Weekly
    The focus of this podcast is emergency management (EM), but the discussion topics span everything from tactical planning to leadership and future possibilities. The host and guests mix in a bit of the history of EM throughout the episodes, which helps provide perspective on the evolution of emergency management over time, and ideas for the future.

Editor’s Note

Samantha Hilker, author of this article, is the host of the excellent EMS in Wisconsin podcast created by the Professional Ambulance Association of Wisconsin. Don’t miss it!

AAA’s New URL: Ambulance.org

Welcome to www.ambulance.org, AAA’s new domain! After many years at www.the-aaa.org, we are proud to announce the successful transition to our new easier-to-type, easier-to-understand online home.

A few www.ambulance.org tips:

  • All usernames and passwords remain unchanged. (Forgot your password? No problem! Reset it here.)
  • Annual and Stars of Life have moved, too!
  • Does something on the site look or behave unexpectedly? If so, please clear your cache—you could have an old version of the site “stuck” in your browser’s temporary storage.
  • Need help? AAA staff is happy to assist at info@ambulance.org or 703-610-9018.

Thanks for your support of AAA, and we look forward to serving you for many years to come!


Patient Satisfaction and the Collections Conundrum

Emergency Strikes

The year was 2001—seems like a distant memory. Expecting our first child, my wife and I were living in Modesto, California, thinking about cradles and nurseries. We were so excited—the little one we’d been expecting was on his way! Excitement quickly changed to deep concern as we learned there were some major complications with the pregnancy and our baby was in serious jeopardy. Life’s pause button was pushed as everything else in the world came to a screeching halt.

An ambulance transport and emergency delivery later, we found ourselves in our new home—the neonatal intensive care unit. For the next four months, we worked with medical teams around the clock to slowly usher our new 1-pound, 4-ounce son, Noah (now 15 years old), into the world.

Financial Domino Effects

This was an incredibly stressful time in our lives. Of all the things that burdened us, one of the most memorable was the nearly $5,000 invoice we received for a specific service. With no clue how we would pay this, I finally worked up the courage to pick up the phone and call the number on the invoice. The provider was demanding immediate payment before sending the bill to collections.

Me? Collections? But I’m the good guy, right? People should be reaching out to care for me. What just happened? After days of multiple information exchanges between me, the billing office and my insurance carrier, we finally figured it out—all charges were to be covered by insurance.

While our care through this time was generally very good, this unexpected charge put a cloud over the provider who lacked the proper information—despite a 120-day inpatient stay. Why did the provider send our bill to collections without contacting us? Where was the disconnect? Does this still happen today?

Fast Forward 15 Years to Smarter Billing and Collections

Sadly, this is not an isolated incident. Everyone knows a person with a similar story. But what if this patient billing story could be different? What if instead of multiple collection agency invoices demanding payment, I had been contacted early in the process? Or better yet, what if everything had occurred behind the scenes between provider and payor?

Technology advancements have narrowed the data gap that created these and other tensions for patients, providers and insurance carriers. Health care providers today can better serve their patients and communities through technology. The systems required to instantly supply insurance information and ensure patient-friendly billing are now available. It’s a matter of awareness and investment. Two key technology strategies are rapidly emerging to make collection letters and calls a thing of the past.

Real-Time Insurance Discovery

Insurance discovery solutions help providers find hidden insurance coverage for patients up front versus after the fact. Especially in emergency or self-pay situations, patients may have coverage the provider doesn’t know about. Finding coverage provides a tremendous boost to patient satisfaction and financial engagement.

For providers, finding and securing coverage early in the encounter helps billing teams circumvent months of patient statement and collection efforts. Operational costs are reduced and payor reimbursement is hastened. Best practices are rapidly emerging on how to incorporate real-time insurance discovery within patient registration and billing workflows.

Payment Likelihood Determinations

Where insurance coverage can’t be found or high deductibles result in exorbitant patient financial responsibilities, checking “payability” becomes crucial. Patients with minimal cash reserves or low propensity to pay can be moved to charity care, Medicaid, or account write-off. Families likely to qualify for financial assistance are also quickly identified by using payment likelihood applications.

Billers and collectors are more efficient and effective without damaging patient relations or community reputation. It is often a smarter long-term decision to write off patient balances in those cases where personal bankruptcy is only one medical bill away.

Proactive financial engagement, insurance discovery and smart collections are in the early stages in healthcare. However, provider organizations that embrace more patient-friendly billing strategies can significantly promote patient satisfaction and long-term community benefits.

Ted Williams has been a featured presenter at regional and national EMS conferences, including the state medical associations, ambulance networks, and technology user group conferences. Williams is a founder of Payor Logic, a national provider of healthcare revenue cycle solutions.

Ransomware Alert

A few days ago, multiple news agencies reported a large-scale cyber-attack on healthcare networks worldwide. The New York Times and the Washington Post reported yesterday that attackers used an exploit tool stolen from the National Security Agency (NSA) to spread ransomware across numerous healthcare networks, including Britain’s public health system. The attackers have essentially held those systems hostage, encrypting data and locking users out of it. The attack has reportedly reached some 74 countries, including India, countries in Africa, and several in South America. It highlights the vulnerability of many healthcare providers, including ambulance services, which have become increasingly dependent on technology.

If your service has not performed a Risk Analysis as required by the HIPAA Security Rule, or has not performed one in the last year, I suggest that you do so as soon as possible. Ransomware of this kind spreads through unpatched systems and is survivable only with backups that are kept offline and tested for restoration, so make patch status and backup recovery part of that analysis. If members are uncertain or concerned about how they can come into compliance with the requirements of HIPAA, please contact the consultants available as part of their AAA membership.