Perfecting cybersecurity through better training and testing

Various types of training and testing of health care professionals and staff can be used by health care entities to perfect their cybersecurity programs, according to a Health Care Compliance Association (HCCA) webinar presented by Steve Snyder of Smith Moore Leatherwood, LLP.

Snyder believes that perfecting cybersecurity training and testing is made especially challenging due to the uniqueness of the cybersecurity threat. Snyder listed the primary factors making cybersecurity unique, including:

  • the people trying to penetrate are adversarial and usually off-shore;
  • cyberattacks are evolving rapidly, with attacks designed to respond to new defenses;
  • cybersecurity involves highly technical concepts, which make staff hesitant to embrace safeguards; and
  • cybersecurity is outside the core competency of most of the staff who must be trained and tested.

Training

Snyder believes that cybersecurity training must take a long-term view, be about learning and reminding, have the objective of conditioning behavior, and must evolve over time as circumstances and threats change.

Opportunities for training, according to Snyder, could be when new job functions are created, when introducing new procedures, or when reinforcing integral work functions. He listed the possible training scenarios and their pros and cons as:

  • External programs offered by third parties. These programs offer specialized knowledge and instruction but can be costly, rely on the competency of others, and may suffer from the lack of familiarity of the third-party with the organization.
  • Internal learning management systems (LMS). These internal systems, relying on online or classroom training, can develop custom content and make tracking compliance easy. However, they require internal expertise and can create a record of noncompliance for government investigators.
  • Mentoring. This method can be particularly effective for conveying best practices to staff members in a new role. However, it requires competent mentors and is not ideal for new and evolving issues with which the mentor is unfamiliar.
  • Passive measures (e-mail reminders, etc.). This method is easy, cheap, and agile enough to address emerging issues. However, it is easy for staff to ignore and therefore it is hard to assess its effectiveness.

Training tips

Snyder’s cybersecurity training tips included the following:

  • Start with objectives (such as increasing reporting of possible cyber incidents) and work back to prevention methods.
  • Try to find objective metrics (such as the rate of reporting vs. known incidents).
  • Make it digestible by staff (we live in a sound bite society).
  • Show a tangible purpose (clicks = malware = detriment to business).
  • Use varying approaches, as people learn differently.
  • Make it interesting by using gamification, simulations, scoring, ranking, competitions, etc.

Testing

Snyder believes that testing should be focused on existing knowledge and established procedures. He favors a testing program with a narrow focus and recurring elements. The goals of testing, according to Snyder, should be to ensure that cybersecurity procedures are known and understood, that they are effective, that compliance is guaranteed, and that gaps in policies and procedures are identified.

Snyder listed several types of cybersecurity testing:

  • Penetration testing (looking for breach of security from the outside).
  • Vulnerability testing from the inside (looking for known bugs, unpatched software, or legacy systems that can be exploited).
  • Simulated testing (using drills and tabletop exercises).
  • Pop quizzes (discrete staff testing).
  • Final comprehensive exams.

Final takeaway

Snyder wrapped up his presentation by stressing that in training and testing for cybersecurity, an organization should: (1) be contemplative in designing its programs, (2) use a mix of internal and external resources, and (3) assess and revisit the programs often.

Keys to successful contracting and credentialing: honesty, questions, compliance

Contracting and credentialing are critical aspects when it comes to providers and payment. Insights and suggestions for avoiding missteps and getting the best agreement when it comes to contracting and credentialing were presented by Anna Whites and Nathan Moore, Compliance Officer at Premier Tox Laboratory, in a Health Care Compliance Association (HCCA) webinar on September 13, 2017.

Contracts

Whites defined a contract as an agreement that contains every aspect of what each party is required to do, noting that state and federal law outline contractual terms. Because different states have different laws, she recommended ensuring that the state law relied upon in the contract be the state where the individual or entity is located. She stressed the importance of reading the contract, understanding what it contains, and asking questions before signing. “Contract terms govern,” she said, and once the contract is signed, the parties can’t take the conditions back unless the contract provides for modifications as part of the terms. She also warned that the contract may require compliance with terms in other documents, for example, a provider manual.

  • Payor contracts. Provisions of payor contracts usually include services covered, provider types covered, frequency of services, and term and termination. Whites recommended providers pay close attention to these terms to ensure that they are able to meet the specifics of the provisions. Terms in payor contracts also address claims management. Providers should focus on the details of how, when, and where to submit a claim as well as how payment is made (electronically or paper), how medical necessity is defined, and how denials and appeals will be handled. In addition, providers must be aware of fee schedules included in the contract to ensure they know what they will be paid and if they are comfortable with the amount of the payment.
  • Provider contracts with health care entities. Provider contracts include the scope of services, reporting and oversight requirements, licensure and/or credentialing requirements, hours and payment, liability and insurance, and behavioral health carve-outs. Whites pointed out that when entering into a contract, parties must be aware of who is responsible for mistakes and whether tail coverage is provided. She recommended asking many questions about liability and obtaining coverage.
  • Entity provider contract with physicians and other staff. Under these contracts, the terms will include scope of services, who is in charge, who is liable, cost of services and whether the contract is with an employee or independent contractor. Providers need to determine whether employees or independent contractors are better for their organization.

In contract negotiations, there should be a discussion between the parties. The discussions should allow for changes and modifications. Parties should consider proposing pilots and new services. Whites highly recommended engaging an attorney to provide legal oversight of the contract and to review the terms and provisions as well as the state and federal requirements.

Moore addressed the compliance oversight component in contracting and provided the following recommendations.

  • Ensure processes are in place to identify nonstandard terms or terms that would not be fulfilled in the organization’s day-to-day operations.
  • Clarify any requirements that seem too rigorous prior to executing the contract.
  • Create awareness and make recommendations on how to fulfill any new requirements by coordinating with the appropriate department head.

Credentialing

Credentialing generally takes place when joining a new practice, becoming a participating provider, adding new providers to an existing group, updating information for carriers, and at the start of a new practice, Whites said. Credentialing involves collecting and verifying information about a provider’s professional qualifications, such as relevant training, licensure, certification and/or registration to practice in a health field, and academic background. Information collected before the process begins includes such documents as a copy of state licensure, a copy of board certification, proof of current malpractice coverage, a disclosure of ownership and control interest statement, and a summary of any prior malpractice or disciplinary action. During the credentialing process, payors assess whether a provider meets certain criteria related to professional competence and conduct, Whites explained. Relevant factors may include location, cultural diversity, ability to speak other languages, treatment provided to children, availability, crisis training such as the ability to provide care in an emergency and address behavioral issues, and the ability to refer and admit (to other hospitals or entities).

Whites recommended that providers be aware of specific degree requirements of the payor or network, state requirements regarding credentialing, and billing regulations that may limit reimbursable services to certain provider types. When permitted, Whites suggested submitting a resume. She also stressed that it is a provider’s right to: (1) request the status of the application, (2) review information that the payor used to deny or defer credentialing, and (3) correct any inconsistencies between the information obtained by the provider.

Credentialing issues

Whites and Moore identified issues and areas providers must be aware of to ensure that they are in compliance with requirements. Some of those areas include:

  • Cooperate in CMS audits and site visits to ensure providers are properly enrolled, credentialed, and operating. Not cooperating may result in revocation of the provider agreement.
  • Maintain compliance with payor requirements; good intentions are irrelevant to CMS.
  • Regularly review credentialing and licensing to ensure they are up to date.
  • Screen for excluded providers using available sources prior to employing individuals or contracting with vendors, and maintain screening records for seven years. Develop a removal and notification process.
  • Ensure that providers are properly enrolled in Medicare and Medicaid enrollment systems.
  • Be aware of billing issues such as out-of-network denials, nonpayment for new provider types, and services that payors will not pay for because they were provided by a noncredentialed provider.
  • Ensure that providers are aware of coverage and payment rules regarding telemedicine.

Conclusion

Whites emphasized transparency and clarity in responses in contracting and credentialing. She stressed that providers must be honest because information is much more readily available to parties seeking it, for example, from the national databank. She noted that there are severe penalties for errors in credentialing and pointed out that CMS can exclude providers for multiple years. On the other hand, she said there are unintended negative consequences related to credentialing that arise from such things as not updating an address, not disclosing working with an excluded entity, and being responsible for a prior owner’s bad actions.

Continuous improvement in compliance can proceed systematically

Provider organizations should not dread continuous improvement in compliance and can apply several techniques to simple problems to bring about simple solutions. In a Health Care Compliance Association (HCCA) webinar entitled “Continuous Improvement in Compliance,” presenter Alan Wileman, Corporate Compliance Manager at Shriners Hospitals for Children, discussed applying principles from Lean and Six Sigma to improve function and eliminate waste in company functioning.

Improvement methodologies

Wileman noted that compliance goals evolve, and that the OIG uses subjective terms for compliance matters such as “reasonable,” “appropriate,” and “meaningful.” What is meaningful or reasonable for one compliance area may not be sufficient for another area or at a later date. Overall, lowering risk is the focus of many compliance tasks, but there may be better ways to bring about that desired result.

Improvement methodologies such as Lean, Six Sigma, and project management have been proven to streamline procedures, eliminate waste, and bring value. Lean ideas and practices originally derived from industrial manufacturing, and have one main purpose: eliminating waste. Six Sigma is often grouped with Lean concepts, and focuses on eliminating error waste by removing variation in procedures. According to Six Sigma, there may be multiple ways to do the same thing, but there is always a best way to do so that reduces variation. Project management focuses on clearly defined terms, roles, and goals in order to successfully complete a project—a non-routine operation with a definite beginning, end, and goal.

Waste

According to Wileman, there are several types of waste. Those discussed included talent, inventory, waiting, defects, and motion. Compliance departments should ensure that a particular task is being completed by the employee whose strengths suit that task. Motion waste comes from requiring employees to move around the work area in unnecessary ways, when communication could effectively be conducted in a non-face-to-face manner or when a workplace could be reorganized to provide a better workflow.

Toolkit

Reorganization also applies to employees’ personal workspaces, which should be uncluttered and only contain the necessary, crucial supplies. Wileman suggests adding the “5S” strategy to an operation’s compliance toolkit. The five elements are: sort, set in order, shine, standardize, and sustain. These elements ensure that a workspace is stocked as necessary, arranged to promote efficiency, neat, organized consistently with other spaces, and sustained in this manner. For tasks, the “DMAIC” acronym is made up of the elements define, measure, analyze, improve, and control. Once a problem is clearly defined, it is easier to map out the process, identify the cause of the problem, implement the solution, and maintain the solution over time.

Webinar tackles the tribulations of investigator initiated trials

Investigators should be careful to distinguish between interventional and observational studies when developing investigator initiated trials (IITs) because the distinction can affect billing strategies and budget, according to a Health Care Compliance Association (HCCA) webinar presented by Liz Christianson and David Russell of PFS Clinical. The webinar addressed key areas of focus for developing IITs, including protocol development, industry funding, and regulatory requirements.

IITs

Christianson noted there has been a remarkable renewed interest in IITs in the last two years, due largely to industry sponsors realizing that IIT relationships are symbiotic. However, despite the renewed focus, IITs present challenges. In some cases, challenges arise from the fact that 85 percent of investigators have participated in only one clinical trial in their careers.

Protocols

Protocol development is important, particularly with respect to the articulation of an IIT as interventional or observational. Christianson noted that from reading the protocol it should be obvious whether an IIT is interventional or observational because the distinction can have significant downstream effects on budgets and billing. Christianson defined observational studies as trials where the investigator makes no intervention and allocates treatment based upon clinical decisions. She distinguished this from interventional studies, where participants are assigned to receive one or more interventions (or no intervention) so researchers can evaluate the effects of the interventions on health outcomes.

Billing

Because Medicare uses set criteria for reimbursement of trials, the objective language can be crucial to reimbursement. In observational studies, study actions should not be able to be linked to specific claims codes. Conversely, in an interventional study, actions should be linked to a specific billing code. Thus, the objective language in a study should clearly indicate what the PI’s true intent is—to treat with routine care, then collect patient data (observational) or to assign patients to specific treatment groups (interventional).

Registration

Russell discussed the registration of trials on ClinicalTrials.gov. All applicable clinical trials must be registered on the website in order to receive a unique National Clinical Trial (NCT) number, which is required on all CMS claims. Russell also covered specific data elements and registration information required by the September 21, 2016, final rule for clinical trials (81 FR 64982). Russell reminded responsible parties that trials must be registered no later than 21 days after enrollment of the first participant and that, at minimum, the applicable clinical trial record must be updated every 12 months. Summary results (including adverse event information) must be submitted not later than one year after a trial’s primary completion date.