The devastating effects of COVID-19 have not been limited to the loss of life. During the last couple of years, the FBI has been warning healthcare professionals about cybercrime and the increased targeting of healthcare organizations and individuals.
Ms. Alissa Knight, a “recovering hacker” and a Knight Ink cybersecurity researcher, commented that personal health information (PHI) is the most valuable data on the dark web. In her words: “It’s 10 times more the price of a credit card for a single PHI record.”
Add to that the initiatives and growth in fields like telemedicine, the requirement to develop application programming interfaces (APIs) to ensure connectivity and sharing of data, the growth in remote monitoring, and the efforts to expedite the COVID-19 rollout, and you have the elements of a perfect storm. For example, findings identified in recent research conducted by Ms. Knight and Approov, a mobile security company, included:
- According to Experian, a social security number will cost $1, a credit card up to $110, but full medical records can cost up to $1,000 per record. (Experian, 2017)
- Out of the API endpoints tested, 100% of them were vulnerable to Broken Object Level Authorization (BOLA) attacks leading to unauthorized access to full patient records, downloadable lab results and x-ray images, blood work, allergies, and personally identifiable information (PII) including home addresses, family member data, birthdates, and social security numbers.
- The findings demonstrate that the security standards required for compliance with US government FHIR/SMART standards merely represent a subset of the steps needed to secure mobile apps and the APIs which enable apps to retrieve data and interoperate with data resources and other applications.
- 27% of the mobile apps tested were not secured against reverse engineering through code obfuscation.
- 77% of the mobile apps tested contained hard-coded API keys, tokens, private keys, and hard-coded usernames and passwords.
- If hard-coded cryptographic keys are used, it is almost certain that malicious users will gain access through the account in question.
- 50% of the APIs tested allowed Ms. Knight to access admissions records for patients being admitted into the hospital as inpatients, records that she should not have been able to access with her level of authorization.
- 100% of the APIs tested were vulnerable to Broken Object Level Authorization (BOLA) vulnerabilities.
- BOLA vulnerabilities in 100% of the APIs tested allowed Ms. Knight to view the personally identifiable information (PII) and protected healthcare information (PHI) for patients that were not assigned to her clinician account.
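The pattern behind the BOLA findings above is an endpoint that authenticates the caller but never checks whether the requested object belongs to that caller. The following added example (not code from the Knight/Approov research or this article) shows that vulnerable handler beside a hardened one that enforces the clinician-to-patient assignment; the clinician names, patient ids and in-memory store are constructed for illustration.

```python
# Constructed sample data: two clinician accounts and three patient records.
PATIENTS = {
    "p-1001": {"name": "Patient A", "allergies": ["penicillin"]},
    "p-1002": {"name": "Patient B", "allergies": []},
    "p-1003": {"name": "Patient C", "allergies": ["latex"]},
}
# Which patients each clinician is actually assigned to (the authorization data).
ASSIGNMENTS = {"dr-alice": {"p-1001", "p-1002"}, "dr-bob": {"p-1003"}}


def get_record_vulnerable(session_user: str, patient_id: str) -> dict:
    """BOLA: the caller is authenticated (has a valid session) but the
    object-level check is missing, so any clinician can read any patient
    simply by changing the id in the request."""
    if session_user not in ASSIGNMENTS:
        raise PermissionError("not authenticated")
    return PATIENTS[patient_id]  # no check that patient_id belongs to this user


def get_record_hardened(session_user: str, patient_id: str, audit_log: list) -> dict:
    """Object-level authorization: the record is returned only when the
    patient is assigned to the requesting clinician. Unassigned and
    non-existent ids get the same 'not found' result so the endpoint does
    not confirm which ids exist, and each denial is written to an audit log."""
    if session_user not in ASSIGNMENTS:
        raise PermissionError("not authenticated")
    if patient_id not in ASSIGNMENTS[session_user]:
        audit_log.append(f"DENY user={session_user} object={patient_id}")
        raise LookupError("not found")
    return PATIENTS[patient_id]  # assignment implies the record exists


if __name__ == "__main__":
    log: list = []
    print(get_record_vulnerable("dr-bob", "p-1001"))        # leaks Patient A
    try:
        get_record_hardened("dr-bob", "p-1001", log)
    except LookupError:
        print("hardened endpoint refused; audit:", log)
```

The audit entries are the detection hook: a clinician account generating a burst of DENY lines across sequential patient ids is the signature of someone enumerating records.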
The information and vulnerabilities exposed are overwhelming, yet the answer is simple: “A journey of a thousand miles begins with a single step.” I believe that the first step should be based on the standards established by the HIPAA Security Rule. Yet remember not to be complacent, as this is only the first step and a lot more will need to happen to protect our infrastructure and data.
CMS is moving forward with its attempts to move into a risk-based payment system. The problem is that some of the players may not have their logistics processes in place, which could result in those participating losing money. CMS explains Direct Contracting as follows:
“Direct Contracting is a set of three voluntary payment model options aimed at reducing expenditures and preserving or enhancing quality of care for beneficiaries in Medicare fee-for-service (FFS). The payment model options available under Direct Contracting create opportunities for a broad range of organizations to participate with the Centers for Medicare & Medicaid Services (CMS) in testing the next evolution of risk-sharing arrangements to produce value and high quality health care. Building on lessons learned from initiatives involving Medicare Accountable Care Organizations (ACOs), such as the Medicare Shared Savings Program (MSSP) and the Next Generation ACO (NGACO) Model, the payment model options available under Direct Contracting also leverage innovative approaches from Medicare Advantage (MA) and private sector risk-sharing arrangements.”
Stay Tuned for the Release of EPITalks – EPISODE 16
Stay Tuned for the Release of EPITalks – EPISODE 15
There are new partnerships arising in the medical field. Normally, it is patients who are cost-conscious when it comes to medical expenses. Now physicians are working together in order to provide affordable services. Express Medical Imaging has state-of-the-art imaging services that can provide you with MRI results within 20 minutes! They provide mammograms that use half the dose of radiation normally required with older technology. These mammograms have reduced the number of callbacks, which helps to reduce costs and emotional stress and cuts out unnecessary tests. Express Imaging also has a mobile service that can provide MRI imaging for those who may not be able to travel. Their goal for the future is to have MRI squads that can travel to low-income communities. One benefit of a free-market health system is that companies like Express Medical Imaging can provide quality services at an affordable rate for women. Affordable rates also slow the depletion of grants, which allows more low-income women to have access to screenings.
Stay Tuned for the Release of EPITalks – EPISODE 14
Express Medical Imaging is located in Putnam County, Florida. Their number one goal is to provide advanced imaging in rural areas of Florida. Through new advanced techniques, patients can get an MRI after the first biopsy. This advanced MRI can track exactly where the cancer is and identify the stage of severity. This saves the patient time and money by not having to receive multiple biopsies. Express Medical Imaging only charges $300 for services that can cost patients up to $5000. When selecting an imaging center, things to take into consideration are: the strength of the MRI scanner (does the magnet have a minimum strength of 3 Tesla?), what year the MRI scanner was made, and who the radiologists working in the facility are. Express Medical Imaging offers walk-in appointments as long as insurance is verified. Within an hour, patients can receive their results without having to wait for days.
Stay Tuned for the Release of EPITalks – EPISODE 13
- How can HCAN help after the pandemic and 2021 uncertainty?
- Cost of services increasing
- Increase in operating expenses
- PT exempt from MIPS
- Form a rehab agency
- HCAN can complete all certifications and state paperwork to convert to this agency
Stay Tuned for the Release of EPITalks – EPISODE 10
Who is HCAN?
- Offers billing and consulting services to outpatient PT, OT, CORF, and mental health providers building long-lasting partnerships based on commitment, integrity, and trust.
- Jorge was a Medicare auditor for 10 years (“the dark side”)
- 20+ years of expertise in the industry
Stay Tuned for the Release of EPITalks – EPISODE 9
Stay Tuned for the Release of EPITalks – EPISODE 2
Stay Tuned for the Release of EPITalks – EPISODE 1
Effective January 1st, 2021, the Centers for Medicare & Medicaid Services (CMS) Evaluation and Management (E&M) coding and documentation requirements changed. While some of the items remain the same, the items to keep in mind include:
We understand that there may be circumstances out of your control that make it difficult for you to meet program requirements. To reduce this burden, we provide an opportunity for qualifying clinicians, groups, virtual groups, and (as proposed) APM Entities to apply for performance category reweighting for the Merit-based Incentive Payment System (MIPS).
Stay Tuned for the Release of EPITalks – EPISODE 6