Kusserow on Compliance: New Jersey’s largest hospital system—Hackensack Meridian Health—subject to ransomware attack

Hackensack Meridian Health announced that it was the subject of a ransomware attack and paid an undisclosed amount to regain control over its systems. Hackensack is the largest health system in New Jersey with $6 billion in annual revenue, more than 35,000 employees, and 17 hospitals, including Jersey Shore University Medical Center in Neptune, Hackensack University Medical Center, and JFK Medical Center in Edison. The attack brought down the computer network for two days, forcing hospitals to reschedule non-emergency surgeries and sending doctors and nurses scrambling to deliver care without access to electronic records. The health system promptly notified the FBI and other authorities and spoke with cybersecurity and forensic experts. The announcement noted that the health system had insurance coverage to help cover the costs associated with cyber-attacks: payment, remediation, and recovery efforts. The network’s primary clinical systems have now returned to operation, and information technology specialists are working to bring all its applications back online. The announcement did not indicate that any patient information was subject to unauthorized access or disclosure.

This is another vivid reminder for health care organizations to prepare for and plan how to respond to such an attack. Hospitals and providers of health care services continue to be a prime target of ransomware attacks. Their systems tend to be more vulnerable, and they depend critically on their patient data to function. Any loss of access to it can be extremely detrimental for patients.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2019 Strategic Management Services, LLC. Published with permission.

Upcoming Hot Topics in Privacy Webinar hosted by WK

Wolters Kluwer will be hosting an educational webinar Tuesday, October 29 at 1:00 PM EST. The webinar, titled Hot Topics in Privacy — Moving Beyond the Buzz Words and into Action, will be presented by legal experts and shareholders Katie Kenney, Elizabeth Harding, and Iliana Peters from Polsinelli PC. The presenters will cover topics related to HIPAA, GDPR, and the California Consumer Protection Act.


Kusserow on Compliance: Hospital insurance trust fund will be exhausted by 2026

This year’s Medicare Board of Trustees Annual Report found that the hospital insurance (HI) Trust Fund will be able to pay full benefits until 2026. The Medicare Program is the second-largest social insurance program in the U.S., with 59.9 million beneficiaries and total expenditures of $741 billion in 2018. By comparison, in terms of size, the Department of Defense’s entire budget during this period was $686 billion.

The Trustees projected that total Medicare costs (including both HI and SMI expenditures) will grow from approximately 3.7 percent of Gross Domestic Product in 2018 to 5.9 percent of GDP by 2038, and then increase gradually thereafter to about 6.5 percent of GDP by 2093. The SMI Trust Fund, which covers Medicare Part B and D, had $104 billion in assets at the end of 2018. Part B helps pay for physician, outpatient hospital, home health, and other services for the aged and disabled who voluntarily enroll. It is expected to be adequately financed in all years because premium income and general revenue income are reset annually to cover expected costs and ensure a reserve for Part B costs.

However, the aging population and rising health care costs are causing projected costs to grow steadily from 2.1 percent of GDP in 2018 to approximately 3.7 percent of GDP in 2038. Part D provides subsidized access to drug insurance coverage on a voluntary basis for all beneficiaries, as well as premium and cost-sharing subsidies for low-income enrollees. The President’s Fiscal Year 2020 Budget, if enacted, would continue to strengthen the fiscal integrity of the Medicare program and extend its solvency.

CMS has already introduced several initiatives to strengthen and protect Medicare, including increasing choice in Medicare Advantage and adding supplemental benefits to the program, offering more care options for people with diabetes, providing new telehealth services, and lowering prescription drug costs for seniors. CMS is continuing to advance policies to increase price transparency and help beneficiaries compare costs across different providers.


Kusserow on Compliance: Most data breaches are financially motivated by outside parties

  • 71 percent of breaches last year were financially motivated
  • C-Suite executives 12 times more likely to be a target
  • Ransomware attacks account for one out of four cyber-attacks
  • Safeguarding Tips from Strategic Management

According to the Verizon 2019 Data Breach Investigations Report (DBIR), 71 percent of breaches were financially motivated and 69 percent were perpetrated by outsiders. This 12th edition of the annual report analyzed 41,686 security incidents, which included 2,013 confirmed breaches. This year’s report included new metrics and analysis from the FBI Internet Crime Complaint Center (IC3). Not surprisingly, the C-Suite was the major target, because its members are in a position to transfer money. They were found to be twelve times more likely to be the targets of breaches. Also, time-pressed senior executives tend to move quickly in reviewing and clicking on emails, resulting in a greater likelihood that suspicious emails slip through. On a positive note, attacks against HR personnel have rapidly declined in recent years, in large measure as a result of W-2 tax form scams almost disappearing as a problem. Some other interesting statistics from the report:

  • 52 percent of breaches involved hacking
  • 33 percent of breaches included social attacks
  • 28 percent of breaches involved malware
  • 32 percent of breaches involved phishing
  • 29 percent of breaches involved the use of stolen credentials
  • 21 percent of breaches were caused by errors
  • 56 percent of breaches took months or longer to discover

 

Safeguarding Tips from Strategic Management

  • Brief executives, as the prime targets, on avoiding cyber-attacks
  • Train employees not to click on email links/attachments, or respond to “phishing” inquiries
  • Provide ongoing employee and contractor training on what to do and not to do
  • Implement policies/procedures for precautions against malware
  • Conduct a risk assessment to understand threats presented by an insider
  • Regular systems tests can also help flag vulnerabilities before a hacker can get in
  • Configure email servers to block zip or other files that are likely to be malicious
  • Continuously monitor employee and vendor networks
  • Conduct regular systems tests to flag vulnerabilities before a hacker can gain access
  • Update and upgrade software
  • Use encryption to guard against information being read by unauthorized parties
  • Establish multi-factor authentication
  • Regularly test users to make sure they are on guard

For more information on health care provider cyber-security, contact Dr. Cornelia Dorfschmid at cdorfschmid@strategicm.com or at (703) 535-1419.

 
