Health Technology, Digital Healthcare
Article | September 7, 2023
The healthcare industry has become a prime target for cybercriminals in recent times.
According to The State of Ransomware in Healthcare 2023 report from Sophos, six in 10 healthcare organizations have been hit by ransomware in the last 12 months, up from 34% in 2021.
Among this uptick have been several headline-grabbing attacks. For example, Shields Health Care Group became the subject of the single-largest breach affecting any organization globally in April 2023, when 2.3 million patients of the Massachusetts-based medical services provider had their personal data stolen after a cybercriminal gained unauthorized access to the organization’s systems.
Meanwhile, in the UK, a ransomware attack on the University of Manchester occurred in June, affecting an NHS patient data set holding information on 1.1 million patients across 200 hospitals.
Critically, the wealth of data housed in healthcare networks, and the potential impact of data unavailability in healthcare, make the industry both attractive and lucrative to threat actors.
It’s no coincidence that the Sophos report shows the rate of encryption in the healthcare sector is at its highest level in recent years. Of those healthcare organizations which suffered a ransomware attack in 2023, 73% had their data encrypted – up from 61% in 2022. When cybercriminals can successfully take down hospital systems and/or encrypt patient data so it can’t be used, they can blackmail health service providers, demanding significant sums before reinstating systems and/or data availability.
Considering healthcare's critical role as the highest-stake industry in our society, where people's lives depend on its success, the likelihood of attackers achieving their goals is greater than in other sectors, as confirmed by the Sophos report. Indeed, of the 73% of healthcare organizations that had their data encrypted, 42% reported that they paid the requested ransom to recover data.
DSPT and the compliance burden
Without question, the security-related challenges in healthcare are mounting. Right now, industry organizations are operating against a backdrop of unprecedented operational and workforce pressures, spiralling demand for care and industrial action.
Moreover, there is a growing regulatory burden, with organizations continually asked to comply with evolving cybersecurity rules, battling with multiple compliance mandates at any given time.
Take the NHS as an example. According to the 2023 NHS Providers’ Regulation Survey, just over half (52%) of respondents said the regulatory burden on their trust had increased. And this is expected to ramp up further in the future, with the UK government setting out a new 2030 strategy aimed at bolstering cyber resilience in healthcare.
Among the compliance burdens that the NHS faces is the challenge of meeting the requirements of the newly updated Data Security and Protection Toolkit (DSPT).
Mandated to minimize cyber risks and enable healthcare providers to maintain a robust information security posture, the DSPT is not a simple checklist of security controls, but a comprehensive toolkit to evaluate current security maturity and establish a risk management programme.
Indeed, in more recent times, DSPT has moved away from being a guide for achieving certain levels of assurance, and toward a mandatory evidence-based system which demands NHS organizations align with 10 precise National Data Guardian (NDG) standards: 1. The organization assures good management and maintenance of identity and access control for its networks and information systems. 2. The organization closely manages privileged user access to networks and information systems supporting essential services. 3. The organization ensures passwords are suitable for the information being protected. 4. Process reviews are held at least once a year where data security is put at risk and following security incidents. 5. Action is taken to address problems as a result of feedback at meetings. 6. All user devices are subject to anti-virus protections, while email services benefit from spam filtering and protection deployed at the corporate gateway. 7. Action is taken on known vulnerabilities based on advice from NHS Digital, and lessons are learned from previous incidents and near misses. 8. The organization has a defined, planned and communicated response to data security incidents impacting sensitive information or key operational services. 9. The organization has demonstrable confidence in the effectiveness of the security of technology, people, and processes relevant to essential services. 10. The organization securely configures the network and information systems that support the delivery of essential services.
Reducing Compliance Challenges with the Right Solutions
Taken individually, these standards may not seem too strenuous to adhere to. However, to be compliant with DSPT, all 10 items need to be completed and deemed ‘satisfactory’.
To tick all 10 key boxes in the most effective and efficient manner simultaneously, organizations should consider their strategy carefully. This could involve embracing supportive tools to accelerate and enhance their compliance journey.
Boiled down, DSPT demands several key things, including unincumbered visibility of the entire ecosystem, as well as the ability to demonstrate secure access, logs and storage, and essential auditing processes to maintain data security.
Achieving these things might appear complicated, even daunting. However, there are solutions known as Security Information and Event Management (SIEM) systems on the market that can make achieving these capabilities, and in turn DSPT compliance, easy.
Here, we outline some of the key features to look out for to meet compliance: • Log retention: A modern SIEM should be able to provide a centralized log storage and big data platform that scales to any organization’s size. Platforms should be able to provide role-based access to log data, including ‘data privacy’ functionality that can mask sensitive data until approved. Log data should not be modified or removed by users once ingested into the platform, while all data held should also be indexed and fully searchable. • Identifying and disabling unnecessary accounts: A good SIEM will also provide account auditing facilities for Active Directory that allow administrators to quickly identify dormant accounts. They should also be able to remove privileged user access when no longer required or appropriate. More sophisticated platforms will be able to do this in an automated manner. • Easy identification of issues: Clear and easily readable dashboards, alerts and reports for user logging activity should be provided, including failed login, apparent brute-force attempts, and bad password management practices. Further, those using machine learning will be able to identify unusual behavior patterns based on a baseline of activities of users and their peer group. • Integrate with third-party threat feeds: It will also be able to integrate with a wide variety of third-party threat feeds that provide information about specific known threat payloads/hashes and destination domains/addresses.
Meeting the mandate
Of course, having the right features in place is only part of the puzzle. For organizations to be truly successful in embracing tools that enable them to meet DSPT compliance more effectively, they should work to ensure that solutions providers offer them ongoing support – both in terms of ease of deployment and to ensure that they are using key systems in an optimal manner.
Scalability is another important aspect to consider.
Systems should be able to scale and continue to support the organization as data volumes increase and become more complex over time.
In respect of scalability, organizations should take time to think about pricing models, ensuring that these are based on the number of devices (nodes). In doing so, it will become easier to accurately budget future costs, as well as provide greater budgeting certainty over the short, medium and longer term.
A converged SIEM allows organizations to prioritize the big picture over individual tools, enabling them to develop a seamless and easy to use security operations setup. Not only does this approach boost cost transparency and eliminate potential complexities with managing a variety of siloed products – equally, it reduces the burdens on security teams, eliminating complexities over system integration and enhancing performance.
A converged SIEM combines key technologies easily to offer improved security outcomes. In doing so, organizations can easily home in on specific standards and adopt security best practices while reducing the burden on security teams tasked with meeting DSPT compliance.
Read More
Health Technology, Digital Healthcare
Article | September 8, 2023
While artificial intelligence (AI) offers numerous advantages across a wide range of businesses and applications, an ongoing report spreads out some convincing focuses on the different difficulties and perils of using AI in the social insurance segment. As of late, AI has been progressively consolidated all through the medicinal services space. Machines would now be able to give emotional wellness help by means of a chatbot, screen tolerant wellbeing, and even anticipate heart failure, seizures, or sepsis.
Read More
Digital Healthcare
Article | November 29, 2023
Long-term care comprises all the health services that help patients with chronic illnesses or disabilities meet their medical and non-medical needs. It caters to those who cannot care for themselves for extended durations. For care providers, it becomes critical to meet the needs of patients on time while delivering top-notch quality, especially at a time when virtual care is more important than ever.
To remedy this, many of the tasks and processes within long-term care are supported by digital solutions. These long-term care software applications enable care providers to automate aspects of patient scheduling, inventory control, regulation and compliance, data management, care delivery management, and much more. Some of the end users of long-term care software include home healthcare agencies, nursing homes, and residential hospice care facilities.
What is Driving the Growth of Long-Term Care Solutions?
Digitalization has swept the healthcare industry, and medical technology now occupies a significant area of medical care delivery. With the demand for a robust healthcare infrastructure aggravated by a shortage of medical professionals, the need for automation is driving the growth of medtech across all areas of healthcare. In addition, fewer medical specialists and medical cost reduction initiatives combined are powering the long-term care software market’s growth.
Challenges for the Long-Term Care Software Market
Despite the rapid growth in the use of digital solutions to manage administrative and compliance tasks, technological transformations are expensive. The high maintenance costs incurred by care providers are a major hindrance towards a full-fledged adoption. Many care providers are also unwilling to adopt new applications due to the implementation and staff training costs involved in doing so.
What the Future Holds?
With an increase in remote care and the use of technologies like the Internet of Medical Things to deliver diagnostic services and preventive care, medtech is witnessing a revolution. Long-term care is bound to follow suit thanks to areas like remote patient monitoring and wearable technology. While the long-term care market is slated to grow by leaps and bounds, solution makers must find a way to help care providers warm up to the use of technology and de
Read More
Insurance
Article | November 2, 2021
The fall is a time of renewals and choices. It is also a time of so called “open enrolment” for health plans. It is the one time of year we can study and learn about the options offered through employers or government sponsored plans. Individuals and small business owners alike are also are faced with a myriad of choices with confusing and often contradictory language promising lower premiums with higher out of pocket costs for covered services subject to deductibles. What does it even mean anymore when your monthly premiums exceed your pay check and you still have to pay for your colonoscopy or your insulin? Where is it all going?
Let’s imagine you twist your ankle playing basketball. You might go to an urgent care, receive an X-ray, probably be examined by a non-physician, and then referred to your primary care, who can’t see you for a few weeks but eventually sends you to an orthopaedic who takes another X-ray and treats your injury. Weeks have passed, multiple visits, time out of work, and co-pays, not to mention the out-of-pocket fees associated with imaging and perhaps a $100 ace bandage. What stops you from going straight to the ankle specialist in the first place? First, we have become conditioned to follow the directions dictated by the insurance companies, even when restrictions are not in place, patients have been convinced that stepping out of line will make all insurance promises null and void resulting in catastrophic bills and financial ruin. Second, the doctors and their office staffs have been conditioned to deny entry to any patient who does not have the proper referral, authorization, or identification. There are dire consequences for both if the insurance rules are not followed and fear keeps both sides aligned.
The past two decades have seen an explosion of healthcare costs. Health insurance has become the single biggest line item second only to payroll for most businesses. It is no coincidence that as the government increased its role as payor with state subsidies, the prices have gone up. Much like college tuitions, when loans are easy to obtain and guaranteed by federal support, there is little to deter those in charge from increasing the price. After all, everyone is doing it, it must be OK, and even if students end up in debt, it will be repaid because they have received the value of a great education. Right? But unlike higher education, healthcare is a necessity. We cannot avoid it, and there needs to be a reliable mechanism in place to guarantee access.
Ironically, as charges and prices have continued to escalate, payments to doctors have diminished. Why medicine is the only service industry where there is no transparency is truly astounding, especially since the there has been no increase in so called “reimbursements” for decades. As physicians, we have been complicit, being fully aware of the discrepancies between what is charged and what a patient’s insurance will pay. Even as patients began to have higher deductibles, and therefore higher out of pocket expenses, we continued to follow the rules, asking insurance permission to collect payment from the patient. It is not surprising that bad debt accounts for over 50% of most account receivables and why over 70% of doctors are now employed by hospital networks or private equity, who not only go after patients, but benefit from the repricing that occurs when insurers pay a negotiated amount as opposed to the charge. In other words, we pay more not just for less, but for nothing.
But what if we twisted our ankle and went directly to that specialist and paid out of pocket a transparent price? What would it take for that to happen? Not much, the cost of care is predictable, and because payments have always been decreasing, most physicians have learned to be economical. Plus, out of pocket costs are capped by federal law, so no patient is really responsible for catastrophic bills. Charges inflate to cover overhead, but if payments were guaranteed and immediate, then the cost of doing business goes down. Add technologies like telemedicine to a practice and you have increased patient access to a doctor without adding more personnel. Direct pay doctors are emerging all over the country and have consistently offered better access and more affordable care. The bar is also being set by independent surgery centers and imaging centers who offer better outcomes at lower costs. Perhaps motivated by prohibitive pricing, better options have emerged that have moved patients away from expensive operating rooms to safe, office-based procedures. Even cutting-edge cancer therapies can be delivered at home, preserving more of the healthcare dollar for medical care rather than the complex system built to manage it.
Competition and choice inevitably drive prices, but in a monolithic system the price is not negotiated, but instead it is set by only a few, in this case the big insurers. Small businesses cannot compete when bigger companies come to town. Eventually, the local hardware store gives way to a national brand, and the consumer is left with fewer choices and eventually higher prices. Amazon disrupted this equation by creating a marketplace for individual buyers and sellers. The convenience of finding a trusted brand, no longer available locally, is irresistible and the reason why we became loyal consumers. Healthcare is no different. Trust exists implicitly between a physician and patient, because it is an authentic, empathetic, and logical relationship. Trust does not exist between a patient and their insurer, on the contrary it is an unsympathetic business relationship without transparency or consistency. Few doubt the insurance company’s top priority is the premium, not the patient. Creating a direct relationship between the doctor and patient is a common-sense approach that serves both stakeholders well, and requires merely a fair and affordable price. But do doctors have the capability or the will to do it and if so, can the rest of the system follow?
Never in the history of modern medicine have physicians been more dissatisfied. US healthcare used to lead the world in innovation and outcomes, now we struggle to break the top thirty. We may have the most brilliant doctors and scientists with access to the best resources, but the need to maximize profits while catering to special interests, be they commercial or political, has led us to favour certain therapies over others despite marginal proven benefits. Doctors have little autonomy and less authority; prescribed treatments are routinely denied by insurance companies without a second thought or appropriate peer review. In fact, insurers even renamed us “providers”, a term used to by Nazis when referring to Jewish doctors to devalue them professionally. Over 56% of physicians are burned out, nearly all report moral injury and as hospitals have systematically replaced doctors with non-physicians with limited training, we have watched the standard of care deteriorate. It is no wonder we have witnessed the single biggest loss in life expectancy since WWII. The prognosis is grim, but there are solutions.
We need to reinvent healthcare by removing the middleman. We don’t have to set the price, but we can make it transparent so patients can decide for themselves if it is worth the inconvenience, the delay, and the co-pay to use insurance or just pay directly. Health savings accounts are tax deferred and can cover an out-of-pocket maximum in just a couple of years. Paying for care means there are no surprise bills or out of network costs, because there are essentially no networks and therefore no need to follow restrictions. You’d be hard pressed to find a doctor or hospital unwilling to accept an immediate cash payment, especially when it costs nothing more than the service provided. There are no billing cycles, or claims to prepare, no up coding, or authorizations. Doctors free to care for patients, patients treated individually and not subject to protocols designed to maximize charges. There are literally thousands of direct pay primary care and specialists now available all over the country and they are building alliances with likeminded people providing imaging, ancillary services, surgery centers, and prescriptions all at fair market prices. More and more employers are moving toward medical cost sharing plans that not only lower the cost of care but the cost of administration. Even the biggest payor, namely the government, sees the benefit of price transparency and is piloting models of direct contracting.
We will always need coverage for those unexpected events, emergencies, or hospital-based services, but all the rest - doctor visits, screening tests, and outpatient procedures - are easily affordable. After all, do we use our car insurance to pay for an oil change? If we did, the cost would be prohibitive and few of us would drive. But health insurers have lost our trust, they no longer cover necessary services and no longer honour contracts with physicians or patients. It is time to offer another option and let the patients and doctors get back to the real business of medicine.
Read More