Page 19 - HMEB Business, February 2017

Where Does HME Stand
Stats specific to the HME industry are not readily available, but Kauten says there are several large national HME providers who have had multiple reports of breaches. That said, it’s a problem shared by all.
“At Medtrade, I was able to meet with several smaller providers who have experienced similar issues,” he says. “If we look at healthcare practices as a whole, whether it is a chiropractic clinic, a dental clinic, or HME provider, they all have similar valuable data and are not immune to a data breach. Specific to HME providers is that they perform much of their work outside the office, which requires more mobility of patient data and could result in a greater risk than other healthcare providers that may not need the same mobility to perform their patient care.”
“The overall status of data breach preparedness and general understanding of what is at stake with a data breach is most likely pretty bleak,” says Kimberly Commito, director of product management for HME management software company Mediware Information Systems Inc. “Most HME providers are more concerned with the tangible challenges their businesses face with reimbursement cuts, audits on the rise and overall cost of business management.”
Commito says data security is “most definitely” an increasingly important concern as more HME businesses seek efficiencies in operations to contend with the cost of doing business challenges they face.
“Providers must be more efficient in sharing patient data amongst care givers, payers for reimbursement and prescribers to move away from pushing paper and to a more electronic way of doing business,” she explains. “As a result they must become well versed in what is appropriate to share, what should be protected at all costs and what the implications are of a loss of PHI or a data breach of some other sort.
“It has been estimated that 60 percent of data attacks have been on small- to medium-sized businesses,” she continues. “So much of the efficiencies gained by an organization are via the Internet and access to claims status, audit status and eligibility information, etc. This opens up an HME organization to the threat of attack via that access. It is hard to say how many HME providers specifically have been subject to a breach; however, when the statistics say that a business unaware of how to protect itself against such threats are 60 percent more likely to get attacked and are furthermore subject to large fines when this happens, they must begin to put forth effort to protect themselves.”
And these attacks have results beyond the breach and the negative impact it has on a healthcare business’s reputation and the level of trust it has with its patients, referral partners and other business relationships. It can hit the bottom line — hard.
“Breach costs are skyrocketing across all industries, and the fines to companies in certain industries for allowing these breaches are greater than expected,” Kauten explains. “I have seen fines for a breach ranging from $500 to as high as $2,500 (estimated) per record, depending on the multiple governmental agencies involved in the breach related to the fines, fees and notification charges. One provider lost 412 patient records and paid $650,000 in fines alone.
“In addition to fines, there is an expense in alerting patients and the media of the breach. One major expense not often thought about is brand reputation,” he adds. “Imagine trying to get referrals from an insurance company or health system when it is advertised that they cannot trust your systems. The brand reputation alone and potential lost revenue is likely the most damaging and largest expense to an HME.”
Kauten notes that HIPAA and HITECH standards apply to all covered entities, including HME providers, and they are located at 45 CFR 160-164. The HITECH Act requires data breach notification for disclosures of unsecured PHI within 60 days of enactment.
HME Provider Vulnerabilities
So where are providers most open to attack? What about their businesses provides the best opportunities for cyber criminals to get at them? VGM’s Kauten says one of their first problems might be the software services that they are using.
“One of the biggest challenges for companies regarding data security is third-party vendors,” he says. “A recent study says almost 50 percent of data breaches come from a company’s third party vendor.”
That’s a problem for providers, given that so many HME businesses opt to use software as a service (SAAS) offerings to manage segments of their businesses and sometimes their entire businesses.
“HMEs often use third-party vendors for billing, software, audits, printing, mailings, shipping and for many other outsourced business services,” Kauten says. “So, it is similar to other industries where third-parties will often not hold themselves to the same level of security as the data owner, or they may not be experts in HIPAA requirements and often are a weak link. Specific to HME providers, they are often a third-party as well when an insurance company, health system or other referral source is sending them patient data.
“When they are third-party they pose a threat to those who send them data,” he adds. “Many referral sources are conducting security audits on HME providers starting with the larger providers and working down to the smaller ones. Providers should start elevating their security systems in order to be prepared for audits by their business partners.”
Kauten also highlights a few other key points of vulnerability: mobility technology, the non-technical side of their businesses, and their people.
How Big of a Problem Is Ransomware?
Ransomware is a “huge challenge,” according to Jeremy Kauten, CIO and senior vice president of IT for VGM Group Inc.
“The FBI reports that payments for ransomware exceeded $1 billion in 2016,” he says. “Many security experts are claiming that in 2017 we will encounter ransomware 2.0, which is a term to describe the next level of ransomware attack that will be more sophisticated and damaging than what we are currently facing. An example of this is where a ransomware attacker will lock the files on a computer or network and require a fee to unlock the files (traditional ransomware), while a second attack will be locking the computer as well, requiring a second payment to unlock each computer.”
And ransomware attacks often target healthcare businesses, because the data they hold is so private and important. This means the ransom can wind up being incredibly lucrative for cyber criminals.
“Ransomware is prevalent in the healthcare industry because hackers can get a premium price if they know lives are at stake, especially in a hospital ER where down systems mean lives could be at risk,” Kauten explains. “One defense to traditional ransomware attacks is to restore files from a backup, which can take hours to complete. Paying a fine is often less invasive when time is of the essence to repair the issues.”
But this isn’t isolated to large hospital systems or care organizations — it’s any health business. Kauten highlights that hackers are targeting the healthcare industry by searching healthcare databases and websites, which means that HME providers are just as likely to get targeted as any other healthcare provider.
“At Medtrade Fall 2016, after a cybersecurity presentation I did, several HME providers explained that they had been hit with ransomware attacks and were negatively impacted,” he says. “I have heard of the fees ranging from $200 to $20,000 to unlock the files.”
And Kauten underscores that just because you might not read about ransomware attacks in the news, you shouldn’t conclude that it is not a pertinent issue.
“Ransomware usually goes unreported,” he explains. “If a company pays a fee, they get their data back and typically move on as if nothing happened, since it does not normally make the news media. There are many claims that the Department of Health and Human Services (HHS) are now viewing ransomware as a breach. So it may be possible in the future that fines and notification requirements may apply to a ransomware attack.”
So the bottom line is that providers need to work now to protect themselves going forward.
“Ransomware will continue to be a major issue in the foreseeable future,” Kauten notes. “Hackers historically had to get paid from the underground black market through distribution for things like social security numbers and credit card numbers. Conducting business with other criminals and hackers isn’t as lucrative as receiving an instant payment from a legitimate business like a ransomware payment, which is paid by the victim to the hacker.”