Healthtech Security
Article | November 29, 2023
The healthcare industry has become a prime target for cybercriminals in recent times.
According to The State of Ransomware in Healthcare 2023 report from Sophos, six in 10 healthcare organizations have been hit by ransomware in the last 12 months, up from 34% in 2021.
Among this uptick have been several headline-grabbing attacks. For example, Shields Health Care Group became the subject of the single-largest breach affecting any organization globally in April 2023, when 2.3 million patients of the Massachusetts-based medical services provider had their personal data stolen after a cybercriminal gained unauthorized access to the organization’s systems.
Meanwhile, in the UK, a ransomware attack on the University of Manchester occurred in June, affecting an NHS patient data set holding information on 1.1 million patients across 200 hospitals.
Critically, the wealth of data housed in healthcare networks, and the potential impact of data unavailability in healthcare, make the industry both attractive and lucrative to threat actors.
It’s no coincidence that the Sophos report shows the rate of encryption in the healthcare sector is at its highest level in recent years. Of those healthcare organizations which suffered a ransomware attack in 2023, 73% had their data encrypted – up from 61% in 2022. When cybercriminals can successfully take down hospital systems and/or encrypt patient data so it can’t be used, they can blackmail health service providers, demanding significant sums before reinstating systems and/or data availability.
Considering healthcare's critical role as the highest-stake industry in our society, where people's lives depend on its success, the likelihood of attackers achieving their goals is greater than in other sectors, as confirmed by the Sophos report. Indeed, of the 73% of healthcare organizations that had their data encrypted, 42% reported that they paid the requested ransom to recover data.
DSPT and the compliance burden
Without question, the security-related challenges in healthcare are mounting. Right now, industry organizations are operating against a backdrop of unprecedented operational and workforce pressures, spiralling demand for care and industrial action.
Moreover, there is a growing regulatory burden, with organizations continually asked to comply with evolving cybersecurity rules, battling with multiple compliance mandates at any given time.
Take the NHS as an example. According to the 2023 NHS Providers’ Regulation Survey, just over half (52%) of respondents said the regulatory burden on their trust had increased. And this is expected to ramp up further in the future, with the UK government setting out a new 2030 strategy aimed at bolstering cyber resilience in healthcare.
Among the compliance burdens that the NHS faces is the challenge of meeting the requirements of the newly updated Data Security and Protection Toolkit (DSPT).
Mandated to minimize cyber risks and enable healthcare providers to maintain a robust information security posture, the DSPT is not a simple checklist of security controls, but a comprehensive toolkit to evaluate current security maturity and establish a risk management programme.
Indeed, in more recent times, DSPT has moved away from being a guide for achieving certain levels of assurance, and toward a mandatory evidence-based system which demands NHS organizations align with 10 precise National Data Guardian (NDG) standards:
1. The organization assures good management and maintenance of identity and access control for its networks and information systems.
2. The organization closely manages privileged user access to networks and information systems supporting essential services.
3. The organization ensures passwords are suitable for the information being protected.
4. Process reviews are held at least once a year where data security is put at risk and following security incidents.
5. Action is taken to address problems as a result of feedback at meetings.
6. All user devices are subject to anti-virus protections, while email services benefit from spam filtering and protection deployed at the corporate gateway.
7. Action is taken on known vulnerabilities based on advice from NHS Digital, and lessons are learned from previous incidents and near misses.
8. The organization has a defined, planned and communicated response to data security incidents impacting sensitive information or key operational services.
9. The organization has demonstrable confidence in the effectiveness of the security of technology, people, and processes relevant to essential services.
10. The organization securely configures the network and information systems that support the delivery of essential services.
Reducing Compliance Challenges with the Right Solutions
Taken individually, these standards may not seem too strenuous to adhere to. However, to be compliant with DSPT, all 10 items need to be completed and deemed ‘satisfactory’.
To tick all 10 key boxes in the most effective and efficient manner simultaneously, organizations should consider their strategy carefully. This could involve embracing supportive tools to accelerate and enhance their compliance journey.
Boiled down, DSPT demands several key things, including unencumbered visibility of the entire ecosystem, as well as the ability to demonstrate secure access, logs and storage, and essential auditing processes to maintain data security.
Achieving these things might appear complicated, even daunting. However, there are solutions known as Security Information and Event Management (SIEM) systems on the market that can make achieving these capabilities, and in turn DSPT compliance, easy.
Here, we outline some of the key features to look out for to meet compliance:
• Log retention: A modern SIEM should be able to provide a centralized log storage and big data platform that scales to any organization’s size. Platforms should be able to provide role-based access to log data, including ‘data privacy’ functionality that can mask sensitive data until approved. Log data should not be modified or removed by users once ingested into the platform, while all data held should also be indexed and fully searchable.
• Identifying and disabling unnecessary accounts: A good SIEM will also provide account auditing facilities for Active Directory that allow administrators to quickly identify dormant accounts. They should also be able to remove privileged user access when no longer required or appropriate. More sophisticated platforms will be able to do this in an automated manner.
• Easy identification of issues: Clear and easily readable dashboards, alerts and reports for user logging activity should be provided, including failed login, apparent brute-force attempts, and bad password management practices. Further, those using machine learning will be able to identify unusual behavior patterns based on a baseline of activities of users and their peer group.
• Integrate with third-party threat feeds: It will also be able to integrate with a wide variety of third-party threat feeds that provide information about specific known threat payloads/hashes and destination domains/addresses.
Meeting the mandate
Of course, having the right features in place is only part of the puzzle. For organizations to be truly successful in embracing tools that enable them to meet DSPT compliance more effectively, they should work to ensure that solutions providers offer them ongoing support – both in terms of ease of deployment and to ensure that they are using key systems in an optimal manner.
Scalability is another important aspect to consider.
Systems should be able to scale and continue to support the organization as data volumes increase and become more complex over time.
In respect of scalability, organizations should take time to think about pricing models, ensuring that these are based on the number of devices (nodes). In doing so, it will become easier to accurately budget future costs, as well as provide greater budgeting certainty over the short, medium and longer term.
A converged SIEM allows organizations to prioritize the big picture over individual tools, enabling them to develop a seamless and easy to use security operations setup. Not only does this approach boost cost transparency and eliminate potential complexities with managing a variety of siloed products – equally, it reduces the burdens on security teams, eliminating complexities over system integration and enhancing performance.
A converged SIEM combines key technologies easily to offer improved security outcomes. In doing so, organizations can easily home in on specific standards and adopt security best practices while reducing the burden on security teams tasked with meeting DSPT compliance.
Health Technology, Digital Healthcare
Article | August 21, 2023
Rural, community, and independent hospitals are constantly facing mounting challenges in the form of staff shortages, accessibility to patient care and a multitude of cost concerns. Getting even one of these areas under control can help hospitals drastically boost their outcomes.
Here are three areas of IT investment that hospitals must control to go beyond staying functional and create an excellent patient experience.
Telehealth for Staff Shortage
Healthcare currently faces a massive staff shortage, with a projected gap of up to 48,000 primary care physicians and up to 77,100 specialty physicians by 2034.
The effects of this shortage could be lessened by using virtual care, which would allow hospitals to care for patients through remote staffing.
Digitalizing Patient Care with Asynchronous Telehealth
Async telehealth involves patients sending photos and videos to fast-track diagnosis. It makes it easier for doctors to connect with more patients, which shortens the time it takes to see specialists and get important care services.
Remote Patient Monitoring
According to a CDC report, 90% of all healthcare spending goes into treating chronic conditions. Considering that U.S. nonmetropolitan areas have a high number of patients diagnosed with chronic conditions, accessibility is one of the contributing factors.
Remote patient monitoring enhances patient care for people with chronic conditions. Wearable medical devices are already driving the move towards remote patient monitoring. Whether it’s through wearable weight scales, heart monitors, blood pressure bands, or pulse oximeters, clinicians can generate regular updates about a patient’s health readings and ensure a timely response in order to avert complications.
Conclusion
There is much to be achieved on the healthcare front when it comes to digitalizing care. The above technologies are enabling healthcare providers to take delivery of medical care further than ever and ensure they generate more traction from their IT investments in these areas of medtech.
Healthtech Security
Article | August 31, 2023
Yes, empathy has become a fad.
Connecting to another human is actually something cool kids do now. If a brand doesn’t have an impact model that includes a practical social issue, consumers tend to not take that brand seriously. In this case, empathy needs to be revisited beyond the trend itself for these strategies to have real, lasting impact.
Practical strategies around compassion meanwhile have similarly become an intrinsic part of social impact organisations. They have become so commonplace that prosocial behaviour has strayed into a kind of tokenism. It is common for instance for consumers to donate their hard-earned money to companies who focus their energies on trying to alleviate real-world issues.
The question then is whether this proxy for compassion isn’t in fact watering down human connections, as well as our positive impact on the issues business and organisations seek to solve with our help.
Postmodern behavioral science
If it is, then we must understand why and how to change that. This is where postmodern behavioral science provides a possible better alternative to social impact strategies. Postmodern behavioral science suggests that the current approach to understanding human behaviour lacks even a rudimentary understanding of empathy, defined in the area of social impact as a discursive strategy that allows us to feel what the group we are trying to help is feeling.
Of course, compassion has very close ties with empathy. Empathy is an innate ability we all have, one that we can learn to develop and fine-tune over time. It is our emotional connection to another human, though one that lies beyond our own ego. It takes the perspective of the person who is struggling and seeks to understand their life, their struggle, and their worldview. It also resolves to value and validate their perspective and experience — something that donating money to a social impact cause does not.
In its broader definition, empathy is a shared interpersonal experience which is implicated in many aspects of social cognition, notably prosocial behavior, morality, and the regulation of aggression.
Empathy has a host of positive after-effects when applied as an interpersonal experience. If a social impact organisation is preoccupied with raising capital, then it is likely to disregard the practical worth of empathy for those who truly want to achieve its mission.
Immersive empathy
One way that behavioral science can contribute is to utilise tools that can help augment the experience of those in need for those needing to understand those needs. Both AR and VR can help people visualise and follow the stories of those who require compassion. These create virtual environments for partners, governments, and consumers to experience with the people they seek to help.
But of course, much of human behaviour is geared toward seeking pleasant experiences and avoiding unnecessary pain. Our in-built hedonic valuation systems guide decisions towards and away from experiences according to our survival instincts.
This is precisely why business owners who want to encourage empathy in their customers go the easy route, but they should seek more participatory frameworks to inspire and provide experiences for those on board with a social mission.
Then there are issues like financial literacy in underserved populations, access to clean water, education for women and girls, and environmental conservation, to name a few of the problems that social impact companies are attempting to tackle.
If a company is trying to tackle an issue such as access to clean water, then rather than start there, it should first ask exactly how this issue arose and developed. It should question the beliefs that underpin this chronic social inequality, those that inform policies, practices, cultural taboos, and beliefs about water and people’s access to it.
To simply respond to an issue in its developed form is to leave it unfixed. We must be willing to reverse engineer the origins of that issue that got us to where we are. In other words, human behaviour is not the only component to consider in this.
The main behavioral framework public servants should take with them is to develop a nudge unit solely based on the relationship between behavioural science and technology.
This is mainly because technology is an inevitable part of how we now relate to one another. Immersive Compassion meanwhile should embrace tools like AR/VR that seek to create empathetic environments and valuable impact longevity.
To fully embrace empathy as an organisation is to create relevant and rigorous responses that go as far as to alter the infrastructure of its target goals. Optimising social impact comes down to optimising human experience.
Health Technology
Article | February 19, 2022
Dialysis providers face many of the same financial and operational pressures that affect other provider organizations, including flat or reduced reimbursements, chronic staffing shortages, and increasingly complex insurance requirements. Dialysis centers, nephrologists, and renal pharmacies also grapple with the impact of a growing shift in dialysis care to the home setting.
End-to-End Automation Can Reduce Denials, Improve Cash Flow
The good news is that despite these challenges, dialysis providers can sustain strong cash flow, reduce costs, and mitigate denials by applying advanced technology to the revenue cycle.
Here are six ways technology can help strengthen the dialysis center revenue cycle in today’s difficult operating environment:
Identify undisclosed insurance coverage
Because patients often present as self-pay even though coverage exists, determining their true insurance status can be challenging. Yet failure to identify existing insurance can result in significant write-offs.
That’s why renal providers need technology solutions that can uncover patient coverage information before care is provided. Change Healthcare’s Coverage Insight™ solution provides an expansive network and search-and-matching capabilities necessary to identify and confirm patient coverages at the outset of care.
The solution uses machine learning algorithms—coupled with access to vast stores of available third-party-data—to develop robust patient profiles, which can then be linked to potential funding sources. Notably, it identifies a variety of indicators, including high probability of disability, income levels and financial status, insurance sources, and other actionable information to help you verify coverage and recover revenue.
We can help identify undisclosed coverage for end-stage renal disease (ESRD) patients through Medicare/Medicaid, Disability/SSI, third-party liability, commercial insurance, state and county programs, social programs, and charity.
Expedite seamless prior authorizations
Streamlining the prior authorization process is essential to help ensure optimal reimbursement for renal care rendered, particularly with commercial insurance and Medicare. But traditional prior authorization processes are frequently time-consuming and labor-intensive and can delay necessary care.
Our Clearance Authorization software addresses the chronic problem of prior authorizations with automated functionality that can determine if prior authorization is required and on file with the payer. The solution also will automatically check medical necessity requirements at the time of registration and electronically submit requests to integrated payers.
Change Healthcare’s Connected Authorization Services go a step further by deploying pre-authorization experts to handle routine authorizations quickly using intelligent technology while working complex cases by exception to improve authorization efficiency and accuracy.
Speed adjudication with electronic attachments
As claims management processes have grown more numerous and complex, providers have struggled to ensure that the correct information is provided to the payer at the appropriate time. The result can be delayed, denied, or rejected claims.
Assurance Attach Assist™ contributes to faster reimbursement and reductions in denials, organizational expense, and administrative burden by automating the attachments process to meet payers’ increased demands for additional documentation. Attachments are automatically delivered and matched to the appropriate claim, and once the claim is released, claim and attachment status can be easily tracked.
Expedite claims workflow for recurring services
Creating claims for ongoing ESRD care requires repeatedly documenting the same details on each claim. Revenue Performance Advisor, an end-to-end medical billing platform, provides automation that allows dialysis staff to save time by quickly replicating unchanged data from prior visits while updating date-of-service and other information to expedite claims processing.
Revenue Performance Advisor also includes eligibility and benefits verification and automated claims scrubbing that flags incomplete or incorrect claims prior to submission, resulting in a first-pass clean claim rate of 98%.
Accelerate your Medicare claim cash flow
Medicare is one of the largest payers of dialysis services, so ensuring a problem-free and expedited Medicare claims submission process is essential to strong cash flow.
Our Assurance Medicare Direct Entry™ solution provides a single system for the real-time submission and processing of Medicare claims. It can help expedite reimbursement, reduce AR days, and speed your Medicare primary claim cash flow by at least one full business day.
Assurance Medicare Direct Entry also checks your Medicare claims for eligibility errors using the CMS eligibility transaction system (HETS). Claims needing attention are flagged and posted in Assurance Reimbursement Management for editing. You can quickly correct errors within the system before transmitting the claim directly to Medicare for validation and payment processing.
Optimize patient liability
Making it easy for patients to receive, understand, and pay their portion of the medical bill is key to ensuring a healthy revenue cycle, mitigating the need for collection services, and improving patient goodwill.
With our Patient Billing and Statements solution, Change Healthcare serves as your strategic communications partner, delivering multi-channel, personalized print and digital statements to help expedite patient payment collection.
The solution is designed to provide fast, effective statement and invoice processing, printing, and mailing—cutting your costs and getting you paid sooner. Our advanced statement printing allows you to bypass conventional and time-consuming folding, stuffing, and stamping.
SmartPay™ consolidates each step of the billing and payment process into one place, enabling you to collect more patient payments, get paid faster, reduce your collection costs, and lower patient write-offs. With multiple payment channels, including online, mobile, telephone and via mail, SmartPay helps expedite patient payments before, during, and after the encounter.
A single, trusted partner
Change Healthcare’s deep knowledge of the renal care landscape and our development of disruptive technologies to overcome traditional revenue cycle barriers can help dialysis centers achieve unprecedented revenue cycle excellence.
And unlike many point solutions that only address a specific revenue cycle issue, Change Healthcare’s technologies are part of a comprehensive approach delivered through a single, trusted vendor. That translates into improved process integration and continuity, as well as simpler overall accountability.