Dear CSHRM member,
Thank you for allowing me to serve as the 2016 CSHRM President— it was an honor and a privilege, and I am delighted by the opportunity to continue my service as CSHRM President in 2017. I would like to thank my fellow CSHRM Board members for their tireless assistance: Carol Doty, President-elect; Lisa Calafiore, Past-President; Allison Funicelli, Treasurer; Pam Fiore, Secretary; and Directors Anne Huben-Kearney, Trish Farmer and Dan O'Brien. I also want to give a warm welcome to our newest Director, Pam Miller. We have a terrific Board and I am looking forward to continuing CSHRM's growth in 2017.
As you may know, CSHRM is hosting this year's New England Regional Healthcare Risk Management Conference ("Risk Management Rising to the Challenges") in Mystic, CT on April 30 - May 2. I encourage you all to register and attend; it is going to be another excellent educational offering. For those interested in playing a more active role in the conference, there are lots of ways you can help out during the conference days. Please contact me if you are interested.
Moira Wertheimer, Esq., RN, CPHRM
Upcoming 2017 CSHRM Meetings:
3/7/17: Quarterly Meeting - bring a guest (complimentary)
6/7/17: Quarterly Meeting - virtual meeting (log-in details to be provided at a later date)
9/6/17: Quarterly Meeting - evening meeting, 4 p.m. - 7 p.m.
12/5/17: Quarterly Meeting - newly elected Board members inducted
Feb. Webinar: What Risk Managers Need to Know about Plaintiffs' Reptile Strategy
Date: February 16, 2017
Time: 1 - 2 p.m. (CT)
Hospital personnel, managing officers, staff physicians and administrative personnel are frequently subpoenaed to give deposition testimony, both in cases where the institution is a party and in those where it is not yet involved. By now, most healthcare risk managers have likely heard of the "Reptile" approach to depositions and litigation being employed by plaintiff attorneys nationwide.
ASHRM Academy 2017
Date: April 24 - 27, 2017
ASHRM Academy 2017 is ASHRM's intensive learning program, held every spring. ASHRM Academy combines four days of educational activities with a refreshing getaway at a luxury resort in a warm climate.
HRM Week 2017
Date: June 19 - 23, 2017
Hosted by: ASHRM
Join the American Society for Healthcare Risk Management in celebrating HRM Week, presented by The Risk Authority Stanford, June 19-23, 2017. This week is a time to show your appreciation for the work that risk management and patient safety professionals do to ensure that patients receive safe and trusted health care.
ASHRM 2017 Annual Conference & Exhibition
Date: October 15 - 18, 2017
Save the date for the ASHRM 2017 Annual Conference and Exhibition, October 15-18, 2017, at the Washington State Convention Center in Seattle, Washington.
BIG or Small – No One is Immune from Cyber Attacks
By Allison Funicelli, MPA, CCLA, ARM, ACHE
2015 was dubbed the "Year of the Healthcare Hack". Attackers made a major shift from targeting industries such as retail and banking to targeting healthcare institutions and large physician practices. Why the switch? It is simple: a stolen healthcare record reportedly sells for several times the price of a record from another industry. Most industries hold social security numbers and dates of birth, but a healthcare provider also holds Medicare and Medicaid participant numbers and health insurance policy numbers. Someone who buys a stolen health record can use it for identity theft, to file false tax returns using the social security number, and to file false healthcare claims. Given the volume of patient and employee data a healthcare organization holds, it is "one-stop shopping".
While theft of healthcare records continued to increase, 2016 became known as the "Year of the Healthcare Ransomware Attack". Ransomware lets even a novice attacker create a panic situation for a healthcare provider: the malware encrypts the organization's files, and the attacker demands payment for the key needed to decrypt them, sometimes adding the threat to steal or publish the data if the ransom is not paid. Notably, ransomware attacks against smaller healthcare institutions, such as long-term care facilities in rural areas, increased in 2016. Attackers count on these smaller facilities being unprepared for this type of attack. No one is sheltered from this threat: if a system is connected to the Internet, it is exposed.
How much is the ransom? In a ransomware attack the attacker typically makes a modest demand, usually five figures, in exchange for the "keys" to "unlock" the encrypted data. In a pure ransomware incident the data has typically been encrypted in place rather than copied out, at least not yet; the threat is that the data is now locked and will be stolen or "irretrievably gone" if the ransom is not paid. Whether data actually left the network, however, cannot be assumed either way without a forensic review of the affected systems. A provider with current, tested backups kept on systems the ransomware could not reach can restore its data and refuse to pay. A provider without such backups, left with only expensive means of recovering the data, often sees no choice but to pay the ransom, even though payment guarantees neither a working key nor that the attacker will not return.
Both healthcare record theft and ransomware create financial exposure beyond the attack itself. State and federal regulators take cyber-attacks seriously whenever healthcare information may have been exposed. Under the HHS Office for Civil Rights guidance on ransomware and HIPAA issued in 2016, the encryption of electronic protected health information by ransomware is presumed to be a breach unless the organization can demonstrate a low probability that the information was compromised, so a ransomware incident carries breach notification obligations unless that showing is made. HIPAA penalties alone can be a six- or seven-figure expense, particularly when appropriate risk assessments and safeguards were not undertaken before or after the attack.
As we proceed into 2017, attackers are hitting the same healthcare provider with ransomware more than once, or following a ransomware attack with a second intrusion to steal records. For organizations and providers in these situations the cost can bankrupt the business, especially small long-term care, urgent care and rehabilitation organizations, as well as physician group practices.
What should healthcare providers do to protect themselves? The time to protect against an attack is BEFORE it occurs. It is therefore critical to conduct a comprehensive risk assessment (which the HIPAA Security Rule already requires of covered entities) and use it to develop a security management plan. Such a plan covers firewalls, strict password rules, annual employee training, annual security system reviews and, because backups are what decide whether a ransomware victim can refuse to pay, regularly tested backups that ransomware on the network cannot reach. Developing the plan deserves the same thought and depth an organization would give a disaster plan for weather, fire or an active shooter. Providers should also assemble, in advance, a response team that is "ready to go" if an attack occurs. The team should include key employees from departments such as administration, IT, risk management and HR, as well as external members such as cyber-trained claims professionals and defense counsel. The duties of each team member should be clearly defined and understood by everyone on the team. "Mock cyber-attacks" (tabletop exercises) give the team practice, so that in a real attack its members carry out their assigned duties promptly and efficiently.
In conclusion, take the necessary security steps to keep attackers out of your systems. Should an attacker manage to get in anyway, it is just as important to be fully prepared to deal with the situation appropriately.
About the Author: Allison Funicelli is a Litigation Manager with Hamlin & Burton Liability Management, Inc., focusing on claim handling in the cyber, medical professional, long-term care and general liability lines of business. She is currently serving as Treasurer on the Board of Directors of the Connecticut Society of Healthcare Risk Management.