Products and Technology
HMEB: Let’s transition over to the patients. What are the trends that are driving remote connectivity for patients?
Dennany: Well, again COVID, a sentinel event. However, for patients, another trend is providing patient engagement so that patients can choose the modality in which they want to communicate.
Previously in HME, you would go into the HME provider, for sleep and CPAP for example, and you would bring your little chip in and download the data right there in the office. With shifts towards remote technology capabilities the machine can do that remotely automatically.
That said, as we look towards resupply, for example, we see the ability for us to understand as an HME and as a market, how does that patient want to interact? Do they want a phone call? Do they want a text message? Do they like an app like experience? We’re really putting more op- tions in the hands of patients and changes in technology have made that possible. (And then again, COVID has really forced the issue as many people don’t want to necessarily engage face-to-face.)
HMEB: And I would imagine that remote patient monitoring for certain types of patient groups like sleep patients or diabetes patients and now even some respiratory patients is helping kind of push things in that direction too. Dennany: It is and it’s also creating a deluge of data for providers to better understand how these devices are being used and what care can be provided. So in addition to a lower touch, it’s also an op- portunity to provide better outcomes. It is a really, really great time to be in healthcare and a really great time to be in HME.
HMEB: Okay, let’s review: We have workers and employees that are remote accessing. We have patients that are remote accessing. We have a lot of data that’s going across a lot of lines. What are the underlying security concerns here? Dennany: Oh, there are plenty. And if we look towards some of the industry data
on this. The U.S. Department of Health and Human Services in 2020 reported well over 600 significant breaches, and that’s up from 500 or so in the previous year. So incidents are climbing.
The severity of incidents is climbing too, with two thirds of those breaches last year
were reported as “hacking” incidents, where a system was broken into. There’s also a significant number of unauthorized disclosures in there. Lost and stolen on encrypted computing devices.
So there’s a systems factor and a human factor, and really I think where HMEs can concentrate on is that human factor.
HMEB: Before we get into the factors, can you quantify this? Do you have any statistics that show the depth of the problem when it comes to healthcare data security?
Dennany: We should talk about it in terms of volumes. With Brightree’s own systems we’ve seen a more than 70 percent climb just in 2021 over this time last year in the number of attempted attacks through vari- ous vectors. That can include everything from phishing, malware and ransomware attempts all the way to direct, attempted attacks on the Brightree system itself.
And of course, we have security in depth to protect from those, but we see a significant lift in the number of “knocks on the door” we get, so to speak.
HMEB: Wow. So it sounds to me like anybody who’s thinking that ransom- ware attacks and things like that are a problem that only hospitals and large facility-based care environments deal with really needs to think again. Dennany: Yes and I actually have a personal story on this that affects me and Brightree: As we just mentioned, phishing attacks and email are a primary source of attack and they can be used to distribute malware or ransomware, but sometimes it’s just information that’s being sought.
Recently, we experienced a cyber secu- rity attacker who emailed our payroll team and said, “Hey, I’m Jerry Dennany and I want to change my direct deposit informa- tion for my check.”
Because we focus on training all of our employees regardless of role on HIPAA, on cyber security, the finance team knew to use a secondary method of confirming the message. So they picked up the phone
— we have a phone tree — they called my cell phone and they said, “Hey, Jerry did you do this?” And of course I didn’t.
So, we prevented an incident, but it shows that a lot of times, when we’re talk- ing about cyber security, people think of systems at threat and it’s really about the hu- man interaction piece. Ensuring that we’re doing the training and creating a culture of appropriately questioning things, so that even the finance team feels comfortable picking up the phone and calling the CTO to ask that question is really important.
HMEB: Wow! So here we have — right in your lap — somebody trying to stage one of these attacks. Knowing that a whole lot of providers that use Brightree, do you see specific types
of providers where ensuring remote access security, whether for patients or providers, is more of an issue than others? Perhaps in size or product cat- egory or types of referrals. Or is this a pretty general threat?
Dennany: Well, I think there’s different aspects to what is a general threat. Larger providers tend to be larger targets as they have more patients making that dataset more valuable on the black market. But larger providers also tend to have more electronic and people defenses, and this makes smaller providers a bit vulnerable as they have somewhat less defense in depth and there’s ways of protecting either profile. So it’s not really related to a type of business, but more related to size.
HMEB: You had mentioned that a lot of these attacks have more to do, or at least as much to do with people as they do technology. I’m curious. How do providers approach this problem then both from a technological per- spective and from a workflow or sort of procedural perspective?
Dennany: Like we were just talking about HMEs have the most control over the human side, but you have to protect both aspects of this. From the human perspective, training is key and a lot of it,
“Caring for patient data is another aspect of patient care, and your reputation as a provider can really depend on how well you carry out this critical task.”
— Jerry Dennany, Brightree LLC
10 HMEBusiness | July/August 2021 | hme-business.com Management Solutions | Technology | Products