Compliance & Legal
The healthcare industry appears to have successfully withstood the transition from ICD-9 to ICD-10. But are the sighs of relief premature? Is another shoe waiting to drop?
It's now easier than ever for criminals to get into hospital networks, and ransomware is on the rise. Cybersecurity experts offer advice to help hospitals beat back the hackers.
With the recent surge in ransomware attacks, cybersecurity is a top priority for healthcare organizations across the nation. But even if providers have top security measures in place, there's another component to consider: the vulnerabilities of third- and fourth-party vendors.
Almost three-quarters of businesses said cybersecurity incidents related to vendors are increasing, according to a recent Ponemon Institute survey, requested by BuckleySandler and Treliant Risk Advisors.
About half of the respondents said their organization experienced a data breach caused by a vendor, but 16 percent of respondents were unsure if a breach had occurred. And another 65 percent said managing cybersecurity incidents involving vendors is difficult.
"The type of risk we're seeing now is changing in response to our evolving data-driven economy," Rena Mears, managing director of BuckleySandler, said in a statement. "The risk to strategic data assets extends beyond any single third-party, but rather to the web of relationships that comprise the data ecosystem."
[Also: Lack of business associate agreement, risk analysis to cost Minnesota health system $1.55 M in HIPAA fines]
More than a third of businesses don't believe their third-party vendors would notify them if a data breach occurred. And a staggering 73 percent of respondents don't believe a fourth-party vendor would contact them regarding a data breach. A fourth-party vendor is often hired by the third-party vendor.
Survey respondents admitted their organizations shared sensitive data with third-parties that may have poor security policies in place. More than half said they weren't able to determine the safeguards in place by their vendors to prevent a data breach and 60 percent of respondents said their organizations don’t monitor their vendors’ security and privacy practices. Only 41 percent said their vendors' safeguards were sufficient.
"The inability of so many companies to confirm whether third-parties have had a data breach or cyberattack involving sensitive and confidential information should be a wake-up call for businesses across all industries," said Susanna Tisa, chief business officer of Treliant Risk Advisors, in a statement.
"To mitigate this risk, companies should compile a comprehensive inventory of and conduct data and privacy risk assessments for all third-party vendors," Tisa added. "However, we found few companies represented in this research, in particular those outside the regulated banking sector, have done so."
Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com
Like Healthcare IT News on Facebook and LinkedIn
The Samsam and Maktub Locker malicious code programs attack vulnerable patches and spread to all systems connected to a network.
Now the question is whether cyber criminals could someday emulate that approach to access encrypted patient data.
Arguing that too many well-meaning providers are facing financial penalties from meaningful use, the American Hospital Association called on the Centers for Medicare and Medicaid Services this week to offer more flexibility.
Specifically, AHA says hospitals that meet 70 percent of meaningful use requirements should be deemed as having complied with the program.
With the current "all-or-nothing approach," writes Ashley Thompson, AHA's senior vice president of public policy analysis and development, "failure to meet any one of the requirements under the Medicare and Medicaid EHR Incentive Programs has meant a provider would not receive an incentive payment; more recently, it has meant a provider would be penalized."
[Also: Hospitals press HHS on meaningful use]
Given the huge complexity and high hurdles of meaningful use, the fact that a hospital missing a given threshold by a small amount leads to overall failure is "unfair to providers that make good faith efforts to comply," according to the March 22 letter to CMS Acting Principal Deputy Administrator Patrick Conway, MD.
CMS has told AHA that it doesn't have the statutory authority to offer anything less than that absolutist approach, according to the letter. But AHA offers a legal analysis that suggests that's not true: "We believe that CMS possesses the authority to eliminate the all-or-nothing approach to meaningful use and that the agency should do so."
Among the arguments put forth by CMS for the necessity of an all-in requirement: The law requires more stringent MU measures to improve quality over time; certain measures capture policies, such as health information exchange, that are specifically required by statute; use of a "qualified EHR" must meet all the requirements, not some, in order to meet the law's objectives.
The agency has also argued that a more flexible framework wouldn't reduce providers' reporting burden anyway – a contention with which AHA "respectfully disagrees" but points out isn't statutorily binding anyway.
"We strongly believe that CMS is not legally required to maintain its all-or-nothing approach to meaningful use," AHA argues, but instead has "ample legal authority" to adopt a more forgiving approach like the 70 percent threshold it suggests.
"This flexibility would support providers who have implemented IT functionality but may not have optimized each function sufficiently to meet the full set of requirements in the EHR Incentive Program in order to avoid a payment adjustment."
Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com
New York docs moving to e-prescribing quickly as they aim to comply with I-STOP law and avoid fines…
Physicians are embracing electronic prescribing more rapidly than ever before, according to new data from Surescripts – especially in New York.
In the Empire State, more than 48,000 providers have embraced digital prescriptions as a way to avoid fraud and abuse of prescription drugs – and a way to avoid fines. The deadline for complying with the state’s Internet System for Tracking Over Prescribing, or I-STOP, mandate for digital prescribing is March 27.
[See also: NY e-prescribing law takes effect March 27, doctors now face fines for pen-and-paper.]
Since March 1, the number of New York providers adopting electronic prescribing of controlled substances increased 28 percent, Surescripts reports. New York is ahead of other states in e-prescribing adoption with 47 percent uptake, compared with numbers nationwide at just 8 percent.
“The industry has made remarkable progress in adopting this critical technology that can have a direct and immediate impact on improving patient care and saving lives,” commented Surescripts CEO Tom Skelton, in a news release.
Skelton pointed out that pharmacy adoption of the technology is nearly universal, with 95 percent of pharmacies in New York ready to prescribe controlled substances electronically.
In 2013, more than two million Americans abused prescription painkillers such as hydrocodone, oxycodone and methadone, according to Surescripts. Drug diversion is a significant concern when it comes to controlled substances, officials say, with between three and nine percent of diverted drugs for abuse tied to fraud or forgery of paper prescriptions.
Twitter: @Bernie_HITN
Email the writer: bernie.monegain@himssmedia.com
OCR unleashes second wave of HIPAA audits, but will it diminish patients' privacy and security expe…
The Office for Civil Rights has launched a new round of HIPAA audits. Will the program succeed in improving privacy and security practices and protecting patient data? Or could it have the opposite impact?
The I-STOP legislation, first passed in 2012, aims to combat controlled substance abuse. A provision set to take effect at the end of this month requires doctors to prescribe almost everything electronically.
Justice Department had alleged that the major oncology firm billed for medically unnecessary radiation treatments.