Kusserow on Compliance: Health care remains a top target for cyber-criminals

Data has value, and businesses and individuals rely upon imperfect systems to store their information. Those committing fraud focus on sensitive data and on targets with weak controls. For these reasons, data breaches are becoming more common in the health care sector, where sensitive data is concentrated. Organizations that have yet to protect themselves need to take proper precautions to control access to that information. Among the most attractive targets are hospitals and other health care institutions that depend on immediate access to their data in order to provide necessary treatment for their patients. They also hold a treasure chest of data about their patients, including addresses, dates of birth, Social Security numbers, family members, phone numbers, contact details, and more. Once obtained, this information can be sold on the “black market.” Gaining access to this valuable data can be extremely profitable, but locking the entity out of its own information, as in the case of ransomware, can be a calamity for providers that must have immediate access to their patient data. A further attraction to cyber-criminals is the fact that many health care entities have weak controls. In this regard, entities’ major weakness is their employees, who through ignorance or carelessness open the door to cyber-attacks. With that in mind, health care firms should put more resources into proper training for their employees.

Cyber-Attack Prevention Tips

  1. Implement policies and procedures for taking precautions against malware
  2. Provide training on recognizing phishing and the danger of malicious links and attachments
  3. Ensure everyone creates complex passwords that are difficult to guess or crack
  4. Conduct regular systems tests to help flag vulnerabilities before a hacker can gain access
  5. Limit employee access to systems on a need-to-know standard
  6. Review/restrict privilege by limiting the people accessing files on a single server
  7. Monitor email carefully and don’t open email attachments from unknown parties
  8. Train employees (the weak link) to recognize and prevent cybercrimes
  9. Train against clicking email links/attachments, or responding to “phishing” inquiries
  10. Ensure employees don’t leave the workplace with data and files
  11. Monitor external exchanges
  12. Continuously monitor employee and vendor networks
  13. Establish an aggressive patching schedule for all software
  14. Update software to include improved controls
  15. Establish and monitor the use of encryption of transmitted information
  16. Regularly test users to make sure they are on guard
  17. Configure email servers to block zip or other files that are likely to be malicious
  18. Focus security efforts on those files that are most critical—patient records
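As an added example (not part of the newsletter or of Strategic Management Services' material), the following Python script shows one way to act on tip 17 at a mail gateway: it parses an inbound message, rejects attachments whose extension is on a blocklist, and also inspects the leading bytes of each attachment so that a zip archive or Windows executable renamed to look like a PDF is still caught. The extension blocklist, the magic-byte table and the sample message are constructed for this illustration and are assumptions, not values from the article.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Constructed attachment policy (illustrative, not the newsletter's list):
# extensions that mail gateways commonly refuse outright.
BLOCKED_EXTENSIONS = {".zip", ".exe", ".js", ".vbs", ".scr", ".hta", ".iso"}

# Leading bytes that identify the real file type regardless of its name, so a
# renamed archive or executable is still caught (constructed table).
MAGIC_SIGNATURES = {
    b"PK\x03\x04": "zip archive",
    b"MZ": "Windows executable",
}


def classify_attachment(filename, payload):
    """Return the reason this attachment is rejected, or None if it passes."""
    ext = os.path.splitext(filename.lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        return f"blocked extension {ext}"
    # Extension looked harmless: check the content signature instead.
    for magic, kind in MAGIC_SIGNATURES.items():
        if payload.startswith(magic):
            return f"content is a {kind} despite extension {ext or '(none)'}"
    return None


def scan_message(raw_bytes):
    """Parse a raw RFC 5322 message and list the attachments the policy rejects."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        reason = classify_attachment(name, data)
        if reason is not None:
            findings.append((name, reason))
    return findings


def build_sample_message():
    """Constructed inbound mail with three attachments: a .zip, an executable
    renamed to .pdf, and a genuine (minimal) PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "records@hospital.example"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please review the attached files.")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application",
                       subtype="octet-stream", filename="invoice.zip")
    msg.add_attachment(b"MZ" + b"\x90" * 62, maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"%PDF-1.4\n%sample\n", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in scan_message(build_sample_message()):
        print(f"REJECT {name}: {reason}")
```

Run as-is, the script rejects `invoice.zip` on its extension and `report.pdf` on its content, and lets `statement.pdf` through; in a real gateway the same check would run in a milter or content filter before delivery, and the blocklist would be tuned to what the organization actually needs to receive.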

For more information on this subject, contact Dr. Cornelia Dorfschmid at cdorfschmid@strategicm.com

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2019 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: False Claims Act settlements on the risk spectrum

OIG reported results of action taken in FY2019

The government’s primary civil tool for addressing health care fraud is the False Claims Act (FCA), and most of these cases are resolved through settlement agreements in which the government alleges fraudulent conduct and the settling parties do not admit liability. Based on the information it gathers in an FCA case, the OIG assesses the future trustworthiness of the settling parties (which can be individuals or entities) for purposes of deciding whether to exclude them from the federal health care programs or take other action. The OIG applies published criteria to assess future risk and places each party to an FCA settlement into one of five categories on a risk spectrum. The assessment is based only on the information the OIG has reviewed in the context of the resolved FCA case and does not reflect a comprehensive review of the party.

The OIG published its FCA risk spectrum report for 2019. The amount of the settlements was not part of this report but will be provided separately later. Fifteen entities were excluded based on FCA violations. Another 40 entities entered into Corporate Integrity Agreements (CIAs), about the same rate as in recent years. Also reported were two cases where the entity was placed on Heightened Security rather than signing a CIA. In addition, twelve self-disclosures related to FCA violations were reported.

Kusserow on Compliance: Debriefing complainants—24 question tips

It is very important to fully debrief any complainant and to act in a timely manner to avoid having them take their information elsewhere, such as to an attorney, a government agency, or the media. Any of these other channels could result in serious problems and possible liability. In many cases the information may come anonymously through the hotline, which underscores the importance of training those answering the calls on properly debriefing callers and making sure they are familiar with health care related issues.

Also, time is not a friend once information is received that may warrant immediate action. Complicating matters, a single complaint frequently includes several different allegations, each of which needs to be addressed independently. In the debriefing process, once the story is told, specific clarifying questions need to be asked to guide the person back through the information. This should be done by asking the standard WHO, WHAT, WHEN, WHERE, and WHY questions, designed to expand on the factual details, to test and corroborate the information, and to make sure the chronology of events is established.

It is also important to look for avenues and leads that will provide direction by which to either substantiate the allegations or dismiss them. Because the allegations may relate to a specific event, something personal or organization-wide, an ongoing process problem, and so on, it is impossible to draft a set of questions that would apply in every circumstance; however, the following gives an idea of the types of questions that can be asked in a formal debriefing.

DEBRIEFING QUESTIONS

  1. What happened that led to the making of the complaint?
  2. Why are you coming forth with it now?
  3. What occurred, where, when, and how?
  4. Did the person who engaged in the conduct engage in similar conduct with anyone else?
  5. Has anyone else complained to you about similar conduct?
  6. When did it occur (date and time)?
  7. Where did it take place?
  8. How did you respond when it occurred?
  9. Who did you discuss it with and when?
  10. What did you say? What did they say?
  11. How has this incident affected you?
  12. Has your job been affected in any way?
  13. Who else was present when the act occurred?
  14. Where were they in relation to you?
  15. Who else has any knowledge of the act?
  16. Has anyone else discussed it with you?
  17. If so, who and what did that person say?
  18. Did anyone see you immediately after the act?
  19. Who else was involved, knows about, or witnessed it?
  20. Who else have you told (employees, supervisor, attorney, media)?
  21. Why do you think it happened?
  22. What documentary evidence would help in the investigation?
  23. What do you believe should be done to resolve this matter?
  24. Has it happened before (an isolated event or part of a pattern)?

Kusserow on Compliance: Medicare overpaying for graduate medical education (GME)

A study published in the Journal of the American Medical Association (JAMA) Internal Medicine raises questions about overpayments by Medicare for graduate medical education (GME) to train residents. By way of background, the Medicare Program makes payments to teaching hospitals for training physician residents. These payments are known as GME payments. Hospitals may also incur real and significant costs beyond training residents in the patient care setting. For such costs, the Medicare Program makes direct GME (DGME) payments to hospitals for the added direct costs incurred by teaching hospitals, such as stipends and fringe benefits paid to residents or to faculty who supervise the residents. The study reported in JAMA suggests that if Medicare capped funds for GME at $150,000 per resident, it would free up over $1 billion a year, and that the savings could be used to address the shortage of doctors in certain specialties in underserved areas. The training of residents is funded by GME payments made to hospitals and health systems, largely through Medicare and Medicaid. Researchers examined cost reports to calculate GME payments to hospitals from 2000 to 2015 at 1,624 teaching hospitals. The study found GME payment rates to hospitals in 2015 varied significantly, with 25 percent of hospitals receiving less than $105,761 per resident while 25 percent received more than $182,233 per resident. Nearly half of teaching hospitals received more than the $150,000 per resident rate.