– A ransomware infection on DCH Health System forced three of its hospitals to close its doors to new patients the night of the attack, and staff are continuing to recover and operate under downtime procedures.
The DCH Regional Medical Center, Northport Medical Center, and Fayette Medical Center were all impacted by the initial attack that began on Tuesday. Officials said attack limited use of the computer systems. Hackers are demanding an “as-yet unknown payment.”
Emergency procedures have been launched to ensure patient care can continue. However, out of concern for patient safety, officials said they closed the three hospitals yesterday to “all but the most critical patients” and were only caring for patients currently admitted to the hospital.
There were no plans to transfer any current patients. Patients were told to call before scheduled appointments, and local ambulances were instructed to bring patients to other area hospitals, if possible.
Patients that arrived at the emergency department would be cared for until they were stabilized but could potentially be transferred to another hospital.
By Wednesday morning, elective procedures and surgical cases already scheduled were being performed as planned, as officials said they were “confident that our downtime procedures will allow us to provide safe an effective care for those patients.”
But patients are still being told to call before scheduled appointments, if they have not already been contacted by DCH. And all new admissions will continue to be diverted to other facilities, outside of critical patients. Officials said the IT staff is working with federal authorities, staff, vendors, and consultants to restore the systems.
The DCH report mirrors the recent ransomware attack on Campbell County Health, in Gillette, Wyoming less than two weeks ago, which disrupted patient care. Patients were being diverted to area hospitals, and some patients were transferred if officials determined CCH was unable to provide adequate care.
CCH is still working to get its systems back online, and as of Wednesday, email and fax services were back online. However, medications, clinic appointments, medical records, and visit history are still unavailable.
Currently, an Australian medical system is also facing downtime after a ransomware attack, according to ABC.
This time last year, many security leaders noted that ransomware was in decline, especially in the healthcare sector. Ransomware hackers were being indicted and fewer hospitals were reporting attacks.
But these near-weekly reports of cities, hospitals, and other organizations facing service disruptions highlight a rise in “disruptionware.”
The Institute for Critical Infrastructure Technology recently reported there’s been an alarming trend of this type of ransomware, where hackers are moving to disrupt business and continuity by introducing malware designed to halt operations, damage reputations, extort money, or other malicious goals.
“Disruptionware is an emerging category of malware designed to suspend operations within a victim organization through the compromise of the availability, integrity, and confidentiality of the systems, networks, and data belonging to the target,” researchers wrote.
“For OT environments, disruptionware is particularly devastating when it sequesters mission-critical systems and legacy systems that lack redundancy,” they added. “Ransomware is currently the most common disruptionware component, with incidents such as the LockerGoga ransomware campaign demonstrating that even unsophisticated malware has the capacity to bring businesses to a halt.”
Hackers leverage ransomware, wipers, bricking capabilities, automated components, data exfiltration tools, and network reconnaissance tools to break into targeted networks. But researchers explained that these attacks are not sophisticated and have a high rate of successful compromise.
The most vulnerable organizations are those that depend on remote access over manual maintenance, network expansion and drift, unsecured industrial internet of things sensors and devices, vulnerable third- and fourth-party networks. Operational technology is most targeted, however, healthcare shares many of these same vulnerabilities.
ICIT predicted that 2019 will be remembered as the year of disruptionware, while others have “more narrowly categorized the emerging threat as a permanent denial of service attack.” For example, California’s Wood Ranch Medical was forced to permanently close after a ransomware attack damaged their computer system and made it impossible for the provider to restore patient data.
“Disruptionware has the potential to cause a number of highly impactful risk scenarios to materialize within organizations including that can bring down a business unit or an entire company for hours, days, or weeks,” researchers wrote.
“Organizations with extensive OT networks must act immediately to secure their combined IT and OT networks against the emerging ransomware threat before a single incident metastasizes into a global epidemic,” they added.
As of September, McAfee found that ransomware attacks have doubled in 2018, with hackers ramping up brute-force attacks on RDP and SMB.
On Tuesday, Emsisoft revealed that between the first and third quarters of 2019, 491 healthcare providers were hit with ransomware. Researchers noted there’s been a steady increase in attacks targeting software commonly used by managed service providers and other third-party services providers.
Microsoft noted in March that these attacks have continued to pummel all sectors, while Carbon Black Global Incident Response Threat Report showing that 50 percent of cyberattacks target supply chain. According to Emsisoft, hackers are also demanding larger ransoms: “If one organization is willing to pay to $500,000, the next may be willing to pay $600,000.”
Email and remote desktop protocol continue to be the most targeted vector, especially on unpatched systems, misconfigured security settings, and brute force attacks on weak login credentials.
“There is no reason to believe that attacks will become less frequent in the near future,” Fabian Wosar, CTO at Emsisoft, said in a statement. “Organizations have a very simple choice to make: Prepare now or pay later.”
– Industry efforts to remove a Congressional ban on funding the development of a unique patient identifier stalled last week, as Senate appropriators declined to include the language in its draft fiscal year 2020 funding legislation.
Released on Wednesday, the Senate Appropriations Subcommittee’s proposal would keep the two-decades-old ban on providing funds to the Department of Health and Human Services for the development of a unique patient identifier.
Since 1999, a provision written into every Congressional budget has included the ban. However, the House of Representatives signaled support to remove the provision and implemented an amendment to eliminate the ban in its Departments of Labor, Health, and Human Services, and Education, and Related Agencies Act of 2020.
Industry stakeholders like CHIME have been calling for a removal of the ban in recent years and had hoped the House’s support would move into the Senate. But the draft bill does not include funds for HHS to begin developing a unique patient identifier, which many believe would help with patient privacy risks.
“None of the funds made available in this act may be used to promulgate or adopt any final standard under section 1173(b) of the Social Security Act providing for, or providing for the assignment of, a unique health identifier for an individual (except in an individual’s capacity as an employer or a health care provider), until legislation is enacted specifically approving the 13 standard,” according to the bill.
In 2018, CHIME told HHS that as it works toward strengthening healthcare innovation and investment, officials should seek out technology that more accurately identifies patients and work with the Centers for Medicare and Medicaid Services to promote patient identification solutions.
“CHIME has long been a supporter of developing a national patient identifier to accurately and efficiently match patients with the correct record,” CHIME officials explained at the time. “This is integral to CMS’ goal to achieve the free-flowing exchange of patient records and true interoperability.”
“From the perspective of CHIME, accurately matching patients to their data should be one of the principal goals of the innovation work group,” they added.
Just last month, CHIME joined 55 other stakeholder groups urging the Senate to remove the ban or to adopt the unique patient identifier, as well as identifying a solution to protect patient privacy.
The Health Innovation Alliance made a similar call to Congress on September 18, calling out the Senate for its failure to include the provisions to remove the “antiquated” ban. The lack of a unique patient identifier is not only a privacy risk, but patient safety concern, as well.
“Senate appropriators’ initial rejection of the overwhelming, bipartisan will of the House of Representative on UPI funding is disappointing, but there is still time to change course,” HIA Executive Director Joel White, said in a statement. “This outdated ban has contributed to healthcare waste and misspending while threatening patient safety for far too long.”
“With the UPI ban in place, studies show patients are accurately matched to their medical records as seldom as 50 percent of the time,” he added. “That is a failing score that Washington must not accept.”
Jeffrey Springer, Sr. VP of Healthcare Solutions for CitiusTech
The game is changing faster than ever as more payer contracts and regulatory programs adopt risk-based models. To be successful, payer and provider organizations know they must increase quality scores and revenue while reducing avoidable medical costs. Yet, the providers who are critical to that success are burned out. According to a recent survey, nearly one-third of providers say their biggest frustration is constant “busy work,” such as electronic health record (EHR) data entry and prior authorizations. Instead of adding to these burdens, organizations need to build an environment that simultaneously reduces overhead, reaches targets and improves relationships with all stakeholders, including providers, administrators, and patients.
The difference often boils down to eliminating short-sighted, tactical approaches that do not support a mature and effective environment for quality improvement. While achieving maturity may seem daunting, it’s attainable when viewed as an evolutionary process. With five critical steps in mind, organizations can assess where they are along the path from tactical to strategic and create a roadmap that continually improves scores while meeting revenue targets for value-based programs – all while enabling providers to focus on caring for patients.
Step 1: Dissolve Data Silos
There is no shortage of valuable data available from a wide range of sources. The challenge is managing it all effectively. For example, a large integrated delivery network (IDN) purchased three functionally equivalent data warehouses, plus seven individual analytics solutions. It’s easy to imagine the user confusion, IT overhead, and lack of integration that ensued. Unfortunately, most organizations take a tactical approach and add a new repository for each new initiative.
With a mature program, data silos disappear. The strategic approach employs a single data strategy with strong governance built around a common organizational language. To set a course, assess from an organizational perspective: How many data repositories do you manage? Are there separate data sources for clinical, financial and operational reporting, regulatory programs, and contractual agreements? Also consider that regulatory programs require data to be separated. For example, stakeholders who are not involved in an accountable care organization (ACO) contract cannot see the financial data for at-risk patients. Creating a robust data strategy requires keen attention to complex data security and privacy needs.
Step 2: Coordinate Across Programs
As healthcare organizations become more intentional about engaging with patients and providers, coordination is an area that is often overlooked. For example, many organizations take a tactical approach and create specific outreach and engagement models for each program. However, the outreach typically occurs reactively when a gap is discovered, resulting in multiple contacts, and ultimately increasing costs, while failing to prevent avoidable ED visits and admissions.
As an organization’s program matures, they coordinate multiple programs and initiatives and bundle all touchpoints into one conversation or scorecard. Plus, each person engaging with a patient or provider has insight across all programs, along with the steps required to achieve program goals. Progress starts with assessment: How many times has each provider been approached? Does each communication bundle multiple initiatives? Adopt the consumerism mindset common in other industries to coordinate the key request for each program as well as the next step, so follow-ups are consolidated.
Step 3: Curate Data Across the Enterprise
With vast amounts of data from many disparate sources, trust quickly becomes a concern. Stakeholders, including providers and executives, are often frustrated when data seems wrong or doesn’t reflect program definitions. Tactical decisions based on up-front costs or return on investment metrics lead organizations to limit data to the types needed to answer only specific questions. As the program matures, enterprise data from a wide range of traditional and newly available sources resides in a single well-governed source that assures consistently defined terms and concepts.
Organizations progress toward this strategic approach by assessing: Do business users have separate sources for medical management, care management, registry, contractual and regulatory views of the patient? With today’s late-binding architecture, organizations can take only the data needed for a question, metric or pattern, and then curate additional data as needed. This opens the door for going beyond the standard healthcare sources, such as claims, HL7, and CCDA, to also include historically cost-prohibitive data, such as social media, benefit information and unstructured data. These data sets can be leveraged to determine the most effective engagement models, risk patterns and communications.
Step 4: Add Perspective to Measurement
Once organizations consistently measure key quality metrics, they often find that considering only short-term quality scores falls short for creating ongoing improvement. While scores are important, identifying a provider who is 55 percent compliant reveals a problem, but does not drive change.
In a mature program, a strategy for organizational learning enables effective engagement with patients and providers that anticipates and solves problems while supporting ongoing improvement. The key is to build measurement and intervention within workflows by asking: When should the provider be involved versus leveraging administration, care management, coding, and medical resources?
This leads to alignment across processes. For example, providers often perform the correct actions for a value-based contract, such as foot and eye checks during a routine diabetes management visit. However, medical coders are trained for fee-for-service, so specific actions can often be coded incorrectly, resulting in apparent care gaps months later. When coding practices are aligned with value-based contracts, coding accurately documents adherence to care protocols.
Step 5: Engage Proactively
Today, most payers and providers look at regulatory results only after the reporting period is over. HEDIS is structured this way. Not only are regulatory programs reactive, but many population health systems and data warehouse solutions use data from yesterday, last week or even last month to determine gaps and engagement models. This misses the opportunity to touch a patient or process once and solve the problem. What’s more, providers are already short on time and struggle do this work within today’s workflows.
With a mature program, interaction is no longer reactive. Organizations can use technology and processes to proactively supply information to the appropriate stakeholders at the right time to ensure gaps are understood, closed and documented.
Begin by asking: Is there a coordinated plan in place between payers and providers that includes sharing gaps, data, and resources? Use this insight along with technology to structure workflows that enable front and back-office administrators and care managers to provide the documentation. In parallel, the provider workflows facilitate quick attestation of actions, so they can focus on patient care.
Maturing the State of Healthcare
Healthcare is at a critical juncture. As it evolves beyond the tactics that currently create gaps, inefficiencies, and inaccuracies, a strategic approach to enterprise-class quality management becomes more pressing. To be successful, the focus must be on operationalizing what the patient needs with care processes, quality metrics, coding, and communications among stakeholders. All while assuring providers have the right amount of time to ensure all the right things happen for each patient. As organizations enter more at-risk agreements, they must evaluate their organizational maturity to achieve the results they need to not only stay in business but to thrive under the new business models healthcare will require in the future.
Dissolve Data Silos
Add a new repository for each new initiative.
Employ a single data strategy with strong governance.
Coordinate Across Programs
Create specific outreach and engagement models for each program.
Coordinate multiple programs and initiatives that bundle all touchpoints into one conversation or scorecard.
Curate Data Across the Enterprise
Data is limited to the types needed to answer specific questions.
Enterprise data from a wide range of traditional and newly available sources resides in a single well-governed source that assures consistently defined terms and concepts.
Measure with Perspective
Consider only short-term quality scores.
An organizational learning approach enables effective engagement with patients and providers that anticipates and solves problems while supporting ongoing improvement.
Use historical data to determine gaps and engagement models.
Use technology and processes to proactively supply information to the appropriate stakeholders at the right time to ensure gaps are understood, closed and documented.
About Jeffrey Springer – SVP of Healthcare Solutions at CitiusTech
Jeff Springer has been associated with CitiusTech for the past 4 years, driving product management, business analysis and product strategy for all products and solutions. He also currently leads an industry workgroup with WEDI focused on ACO payments. With over 20+ years of healthcare industry experience, Jeff has worked with some of the industry’s most leading healthcare technology vendors.
Prior to CitiusTech, he led the product management and strategy for analytics at Siemens and care management and analytics at MEDecision and also ran a business unit at McKesson to develop new products working with payers and providers. He is also the founder of the first payer-provider contract management company in the U.S.