As the mercury soars this summer, we’re turning our attention to the burning issues in Health Information Technology (HIT). We’re delving into the latest developments in Fast Healthcare Interoperability Resources (FHIR), the blazing necessity of cybersecurity, updates on the Change Healthcare breach, and upcoming events and webinars.
HL7® FHIR® (Fast Healthcare Interoperability Resources) represents a paradigm shift in healthcare data exchange. In our most recent blog post, Ryan McLelland (Chief Technology Officer at UHIN) provides a thought-provoking look at the benefits of FHIR, the myths around it, and a strategic approach to implementing this powerful catalyst for innovation in healthcare.
Maintaining a strong security posture is critical for protecting personal health information (PHI) and other data. Good practices include establishing interoperability, resiliency and redundancy across your network. As ransomware attacks continue to climb in the US, you need to cover your network to make sure you don’t get burned.
We continue to monitor and share updates about the Change Healthcare (CHC) breach on our News & Updates page. You can also sign up to receive Status updates via email, Slack, text, and other preferred methods whenever UHIN creates, updates or resolves an incident, including information about the CHC breach.
We recently shared an update on our ongoing efforts to minimize disruption caused by the cybersecurity event at Change Healthcare (CHC), with a specific focus on Electronic Remittance Advice (ERA) delivery (835 files).
July is National Minority Mental Health Awareness Month. We’ll share info, inspiration, and resources for mental health on our social media.
We will be closed for Independence Day on Thursday, July 4, 2024.
Upcoming Conferences:September 13: Utah Medical Association (UMA) annual House of Delegates in Midvale, UT
October 15-17: Civitas Annual Conference in Detroit, MI
Trainings and Webinars
Upcoming Online Trainings and Webinars
In July, we’re starting our virtual Payer Panel series where you can ask questions and get answers from health plan representatives.
Later this year, we’ll host training sessions on the new CHIE platform, specifically for portal users.
Wrapping Up
Get Your Claims Flowing
We continue to support Providers affected by the CHC breach by working with payers to expedite Provider enrollment. Once enrolled, Providers can use our solutions to create and send professional and institutional claims via SFTP, file tool or online hand-entry, check claims status, manage denials and rejections, and search, view, and download payment information. Click below to learn more and get your claims flowing again!
This message serves as an update on our ongoing efforts to minimize disruption caused by the cybersecurity event at Change Healthcare (CHC), with a specific focus on Electronic Remittance Advice (ERA) delivery (835 files). We appreciate your continued patience and understanding as we work to resolve these challenges. Please click here for more information on expediting enrollment with UHIN and FAQs regarding the CHC cybersecurity event.
Collaborative Efforts to Restore ERA Delivery:
UHIN is actively working to restore consistent ERA delivery for our broader provider community. Our internal teams, including enrollment specialists, application support staff, business analysts, and software engineers, are collaborating closely with their counterparts at our clearinghouse partners. This combined effort is focused on facilitating the smooth and efficient transmission of 835 files.
Acknowledging Provider Challenges:
We understand the difficulties this outage has caused for providers who rely on timely ERAs for accurate payment reconciliation. We are committed to making significant progress in opening these critical channels for a wider range of providers.
Positive Developments and Upcoming Information:
We have made significant strides in restoring ERA delivery functionality. We will provide more detailed information and a clearer timeline for full restoration once we complete the next round of testing currently underway.
Continued Commitment and Support:
UHIN remains dedicated to resolving outstanding issues and ensuring a smooth claims processing experience for all our customers. We will continue to provide regular updates and are here to assist you. Please do not hesitate to reach out to our customer support team if you have any questions or require further assistance.
The experiences of 2023 have underscored the critical importance of cybersecurity in the healthcare sector. Per HIPAA Journal, “133 million records were exposed or stolen” in 2023. The recent Change Healthcare cyber incident, which is still impacting the healthcare ecosystem, indicates that 2024 could likely be another record-breaking year for healthcare cyberattacks in the U.S.
Ransomware attacks are the fastest growing threat in the U.S. The U.S. Department of Health and Human Services (HHS) and Office of Civil Rights (OCR) identified a 278% increase in cyberattacks involving ransomware from 2018-2022. To clarify, this is just the data breaches that were reported to the OCR.
The fallout from a ransomware attack is comprehensive:
Loss of personal health data
Loss of trust by patients, members, customers and partners
Decrease in employee productivity and morale
Extensive system downtime
Legal and regulatory fines
Steep financial implications, like paying the ransom and the cost to get systems back up and securely running
The global average cost of a data breach in 2023 was $4.45 million, a 15% increase over 3 years.
The alarming rise in cyber threats – namely ransomware – highlight the urgent need for enhanced cyber resiliency and robust security measures in healthcare. The healthcare sector is predicted to continue its investment in cybersecurity, focusing on resilient data management practices, threat detection, and employee training, while expanding into new technologies (like artificial intelligence) and collaborative efforts.
Here are five ways to reduce your risk and secure personal health information (PHI) from cyberattacks
1. Consistent Data Management Practices
Consistency is key, especially when it comes to basic cyber protection. These five stepping stones are just a start to laying out a consistent cybersecurity plan.
Create a secure cybersecurity policy – Establish a firm security stance, then periodically review, modify and update policies and procedures in response to environmental or operational changes affecting the security of Electronic PHI.
Encrypt data – Convert data to ciphertext that can only be read if decrypted
Backup data – Ensure PHI data are backed up frequently, at least nightly, and stored in a HIPAA-compliant data center
Update systems and software – Verify information systems are up to date with the latest security patches and diligently check programs for updates.
Assess and monitor vendors –Ensure that third-party vendors agree to a business associate agreement (BAA) and monitor their activities to be sure they adhere to the policies. Review vendors to ensure compliance on a consistent basis.
2. Detection
As Benjamin Franklin said: “If you fail to plan you are planning to fail.” Detecting and addressing vulnerabilities in advance of an incident is critical to ensuring a strong security posture. The investment in audits and technology improvement almost always outweigh the costs of a ransomware attack.
Implementing a threat detection strategy is critical to identifying and preventing data breaches. Healthcare institutions and security leadership, like the chief information security officer (CISO), are investing more in security infrastructure. Guidehouse’s 2024 report found 85% of respondents’ organizations planned increases to their 2024 digital and IT budgets, with cybersecurity listed as their top investment priority. This demonstrates the industry’s commitment to safeguarding patient data.
By 2026, organizations prioritizing their security investments based on a continuous threat exposure management program will realize a two-thirds reduction in breaches.
Gartner
3. Employee training
To err is human and healthcare employees are no exception. Taking a human-centric approach to organizational security can cultivate shared cybersecurity responsibility, which in turn could dramatically reduce the chances of a data breach, HIPAA violation, and the costs associated with both. Given that social engineering now represents more than 50% of incidents (per Verizon’s DBIR Report 2023), the focus on the human element is pivotal to securing your data.
Adopting this approach can (1) increase awareness of accidental and intentional HIPAA violations, and (2) empower appropriate responses to social engineering. Ultimately staff need to make decisions and take action. However, leadership must engender the organizational identity around shared security responsibility.
Instilling the values of cyber detection and resiliency helps employees feel more invested. If they understand what’s at stake, then they can make quicker decisions and adhere to monotonous, daily security measures, like multi-factor authentication (MFA).
By 2027, 50% of large enterprise chief information security officers (CISOs) will have adopted human-centric security design practices to minimize cybersecurity-induced friction and maximize control adoption.
Gartner
Employers and employees should be aware of the human elements that factor into data breaches, including:
Stolen credentials – Implement a strong password protocol that eliminates easy to hack passwords or the use of post-it notes with passwords on desks.
Phishing – Monitor email (and other technology) and train employees to recognize signs of phishing, such as unusual messages from leadership or HR, and clicking on links or attachments from unknown sources.
Error and Misdelivery – Ensure employees review the recipient of all of their communications so they don’t send PHI or other data to the incorrect audience.
One place to start: Conduct regular employee training.
Healthcare organizations can use a wide range of training programs and courses to keep employees up-to-speed on the latest security best practices. Updated approaches will mitigate insecure employee behaviors and tackle outstanding cybersecurity risks.
Security leaders should continue to review vendors and software to ensure they meet all requirements (such as HIPAA regulations) to effectively evaluate and educate staff, and reduce overall risk.For small and medium sized employers who have limited resources, HHS is providing free cybersecurity training courses for their staff.
4. Artificial Intelligence (A.I.)
Like nearly every other sector, the healthcare vertical is actively exploring and investing in A.I. Specifically, how it can improve data security. In fact, 73% of CIOs said they’re increasing investments into A.I. and Machine Learning (ML) (Per Gartner, 2024 Gartner CIO and Technology Executive Survey).
A.I. solutions present vast opportunities for automation: from visualization of networks, to identifying vulnerabilities at scale, to detecting suspicious behavior. Furthermore, machine learning models and A.I.-driven security can aggregate knowledge from previous experiences (in your own system and broader ecosystems) to predict and quickly respond to abnormalities. This knowledge can accelerate cyber defense within an organization and empower health systems to take proactive, automated measures to protect its network.
Before considering A.I. or another new technology, healthcare companies should continue to focus on shoring up foundational security technologies. This includes firewalls, encryption, and MFA.
5. Collaboration
One entity cannot secure everyone. Healthcare is built on interoperability. The strength of every single bond can determine the success or failure of our ecosystem. Hospitals, payers, providers, third-party vendors, and government entities must work together to ensure our security against cyber attacks.
Collaboration between healthcare institutions is anticipated to increase. While the use of disparate systems creates barriers to collaboration, the focus on standardization and interoperability can develop a more holistic, resolute system. By sharing knowledge and resources, we can collectively strengthen our defenses against cyber threats.
The U.S. Government continues to put cybersecurity in the healthcare industry at the forefront, instituting policies in the National Cybersecurity Strategy that will address cyber threats. Learn more about the HHS and the National Cybersecurity Strategy here.
In Conclusion
Early investments in consistent practices, detection, employee education, new technologies and collaboration can ensure a strong security posture that offsets potential costs of recovery and crises of confidence caused by a data breach. The lessons learned from 2023 have made it clear that cybersecurity is not just an IT issue, but a patient safety issue. As we move into the future, it is critical that the healthcare sector continues to prioritize and invest in cybersecurity measures to safeguard patient data and ensure the seamless delivery of healthcare services.
