Perfecting cybersecurity through better training and testing

Various types of training and testing of health care professionals and staff can be used by health care entities to perfect their cybersecurity programs, according to a Health Care Compliance Association (HCCA) webinar presented by Steve Snyder of Smith Moore Leatherwood, LLP.

Snyder believes that perfecting cybersecurity training and testing is made especially challenging due to the uniqueness of the cybersecurity threat. Snyder listed the primary factors making cybersecurity unique, including:

  • the people trying to penetrate systems are adversarial and usually off-shore;
  • cyberattacks are evolving rapidly, with attacks designed to respond to new defenses;
  • cybersecurity involves highly technical concepts, which make staff hesitant to embrace safeguards; and
  • cybersecurity is outside the core competency of most of the staff who must be trained and tested.

Training

Snyder believes that cybersecurity training must take a long-term view, be about learning and reminding, have the objective of conditioning behavior, and must evolve over time as circumstances and threats change.

Opportunities for training, according to Snyder, could be when new job functions are created, when introducing new procedures, or when reinforcing integral work functions. He listed the possible training scenarios and their pros and cons as:

  • External programs offered by third parties. These programs offer specialized knowledge and instruction but can be costly, rely on the competency of others, and may suffer from the third party’s lack of familiarity with the organization.
  • Internal learning management systems (LMS). These internal systems, relying on online or classroom training, can develop custom content and make tracking compliance easy. However, they require internal expertise and can create a record of noncompliance for government investigators.
  • Mentoring. This method can be particularly effective for conveying best practices to staff members in a new role. However, it requires competent mentors and is not ideal for new and evolving issues that the mentor is unfamiliar with.
  • Passive measures (e-mail reminders, etc.). This method is easy, cheap, and agile enough to address emerging issues. However, it is easy for staff to ignore, and therefore it is hard to assess its effectiveness.

Training tips

Snyder’s cybersecurity training tips included the following:

  • Start with objectives (such as increasing reporting of possible cyber incidents) and work back to prevention methods.
  • Try to find objective metrics (such as the rate of reporting vs. known incidents).
  • Make it digestible by staff (we live in a sound bite society).
  • Show a tangible purpose (clicks = malware = detriment to business).
  • Use varying approaches, as people learn differently.
  • Make it interesting by using gamification, simulations, scoring, ranking, competitions, etc.

Testing

Snyder believes that testing should be focused on existing knowledge and established procedures. He favors a testing program with a narrow focus and recurring elements. The goals of testing, according to Snyder, should be to ensure that cybersecurity procedures are known, understood, and effective; to guarantee compliance; and to identify gaps in policies and procedures.

Snyder listed several types of cybersecurity testing:

  • Penetration testing (looking for ways security could be breached from the outside).
  • Vulnerability testing from the inside (looking for known bugs, unpatched software, or legacy systems that can be exploited).
  • Simulated testing (using drills and tabletop exercises).
  • Pop quizzes (discrete staff testing).
  • Final comprehensive exams.

Final takeaway

Snyder wrapped up his presentation by stressing that in training and testing for cybersecurity, an organization should: (1) be contemplative in designing its programs, (2) use a mix of internal and external resources, and (3) assess and revisit the programs often.

Recommendations for creating compliant security relationships with vendors

Recent regulatory changes have had an impact on what “covered entities” must do to create and maintain a compliant security relationship with their “business associates.” This impact, and how information technology (IT) and compliance departments can interact to improve business associate selection and management, were the topics of a recent Health Care Compliance Association (HCCA) webinar featuring Francois J. Bodhuin, Director, Information Security Officer, and Joseph A. Piccolo, Vice President, Corporate Compliance, at the Inspira Health Network. The presenters also offered a five-step life cycle approach to managing vendor security requirements.

Background

The term “covered entity” is defined in 45 C.F.R. sec. 160.103 as either a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic format. According to the presenters, the HITECH privacy provisions (Title XIII) of the American Recovery and Reinvestment Act (ARRA) (P.L. 111-5) resulted in the promulgation of the January 25, 2013 final rule (78 FR 5566), which strengthened the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The rule also expanded the definition of “business associates” (BAs) to include subcontractors/vendors (and to require written assurance from subcontractors/vendors that they will uphold the security and privacy of protected health information (PHI)), increased reporting requirements, and enhanced penalties (see HIPAA final rule modifies Privacy, Security, and Enforcement Rules and establishes direct liability for business associates that violate certain rules, Health Law Daily, January 25, 2013).

Enforcement themes and challenges

The presenters noted several themes present in recent government enforcement actions, including accusations of inadequate risk assessment plans, outdated vendor agreements, the lack of risk analysis, and inadequate oversight (lack of communication). The presenters also laid out several new logistical challenges, including (1) ensuring that vendor agreements are current (and incorporate the 2013 rule changes); (2) the need to educate board members, employees, and vendors; and (3) the monitoring of vendor agreements.

Interaction of IT and compliance

The presenters stressed the need for IT and compliance to jointly develop a process that (1) makes use of HHS Office of Civil Rights (OCR) guidance, audit criteria, and recent settlements; and (2) sets guidelines for vendors, including a vendor code of conduct, specific policies and procedures for vendors, and vendor education requirements.

The presenters see the IT role as performing annual security assessments, frequent vulnerability scans, and the integration of risk analysis. In addition, in support of compliance, they believe that IT must: (1) be represented on the compliance committee; (2) have software that tracks vendors; (3) develop security questionnaires; and (4) evaluate the security programs of vendors.

Compliance, according to the presenters, must support IT by: (1) being a conduit for communication in understanding vendor relationships; (2) collaborating with IT on new and unique projects; (3) educating the board on the compliance/IT partnership; (4) developing and updating policies; and (5) including audits as part of the annual work plan.

Collaborative management of vendors

The presenters recommend language in vendor agreements that will allow for the covered entity to conduct a survey or questionnaire of the vendor. They suggest that the questionnaire incorporate the organizational values of the covered entity, not just government requirements. The questionnaire should be required of both new and existing vendors.

The presenters also recommend that the covered entity create an oversight group to review vendor responses, extrapolate risk levels, review actions taken with the vendor, tweak questionnaires, and report results to executives through the compliance committee.

Five-step approach

The presenters concluded by describing their five-step life cycle approach to managing vendor security requirements. Their approach centers on the following elements: (1) patient satisfaction; (2) quality outcomes; (3) electronic data security; (4) patient engagement/population management; and (5) stewardship and reputation.

Webinar gives tips on improving next eCQM submissions

Health care compliance professionals who are involved in electronic clinical quality measures (eCQM) submissions should prepare now for their 2017 submissions, according to Catherine Gorman Klug RN, MSN, Director, Quality Service Line, for Nuance Communications. In a Health Care Compliance Association (HCCA) webinar titled, “eCQM Lessons Learned and How to Prepare for 2017 Submissions,” Klug warned attendees about hidden dangers, including the lack of experience for eCQM vendors, inaccurate data submissions, and the challenges posed by multiple types of electronic health record (EHR) data files generated from more than one system. She also gave recommendations for reducing risk and listed sample questions for the information technology (IT) department.

CMS requires hospitals to report eight of 15 eCQMs, with data reported for the entire year. According to Klug, the agency expects “one file, per patient, per quarter,” that includes all episodes of care and measures associated with the patient. Many hospitals use vendors to assist with the eCQM submissions, but Klug noted that vendors must have an adequate amount of time to respond to required changes before submission, and that although many vendors support a broad number of eCQMs, they may lack adequate depth of coverage. Hospitals should choose vendors who are experienced in the eCQMs they are reporting. Further, there is no way to validate the files once submitted. Possible consequences include an annual payment update reduction, failure to receive the EHR incentive payment, or poor quality scores on CMS’ Hospital Compare site.

To reduce risks, hospitals should ask the core measures vendor to validate files before submission to CMS. They should also review file error reports from the vendor and make corrections before the data is submitted. Aggregated file error reports should also be reviewed to ensure that formatting or data elements don’t result in an inaccurate submission. Klug said that accurate coding is absolutely essential. Therefore, hospital IT departments should be prepared to explain how files are validated prior to submission to ensure accuracy, and if not, what the remediation strategy is. Further, compliance professionals should request a file error report, and any other reports to help understand the data being submitted.

Hospitals falling short on implementing bar code medication administration

Ever noticed the steps nurses have to go through when they administer medications in the hospital? Scanning, typing, asking the patient for name and birthday – these steps protect patient health and hospitals from liability. Despite how useful these steps are for reducing medication errors, the Leapfrog Group found that not all hospitals are using them effectively.

Only 30 percent of hospitals are meeting standards

In the 2017 report on medication safety, Castlight Health analyzed hospital use of bar code medication administration (BCMA) and computer physician order entry (CPOE) systems. Although Leapfrog’s standards include implementation of a BCMA to cover 100 percent of a hospital’s intensive care and medical/surgical units, along with several important processes, only 30 percent of hospitals met all four of Leapfrog’s criteria.

BCMA systems

A BCMA system requires the administering nurse to scan a bar code on the patient’s wristband and then scan the bar code on the medication. This ensures that the “Five Rights of Medication Administration” are met: right patient, drug, dose, time, and route. The Leapfrog Group developed the first industry standard for BCMA adoption and included measurement elements in its 2016 hospital survey. One of Leapfrog’s standards requires scanning both bar codes for 95 percent of bedside administration in units with BCMA systems.

Findings

Although 97.8 percent of reporting hospitals have a BCMA system in at least one inpatient unit connected to their electronic medication administration record, only 30 percent of the hospitals fully met the standard. A further 35 percent fulfilled three of the four criteria, and 26 percent met two.

The most commonly unmet requirement was integration of Leapfrog’s seven decision support elements. These support elements are ensuring that the patient, medication, dose, and time are correct, as well as checking vital signs, performing a patient-specific allergy check, and having a second nurse perform a check. Of these elements, the vital sign check was the most frequently lacking, at 80 percent. Hospitals also failed to adhere to Leapfrog’s best practice processes and workaround prevention, which require (1) a formal BCMA use committee; (2) back-up systems for hardware failure; (3) a help desk; (4) observation of BCMA users; and (5) engaging nursing leadership.

Reporting issues

In addition to the BCMA elements in the hospital survey, Leapfrog’s CPOE Evaluation Tool allows hospitals to download simulated data and input patient and medication combinations into their systems. Hospitals then track the alerts generated by the system and are scored based on correct alerts. Leapfrog noted that although more hospitals have been meeting the CPOE standards, an additional 26 percent of reporting hospitals failed to meet these standards. Only 22 percent of hospitals that reported CPOE and BCMA data fully met all standards. Leapfrog also noted that some hospitals are not reporting their data at all, which can cause a serious gap in understanding hospital medication safety because Leapfrog is the only organization that publicly reports this data.