by Tim Rowan, Editor
"Learn from the mistakes of others. You can't live long enough to make them all yourself." -Eleanor Roosevelt
If an anonymous hacker can insert a ransomware virus into the servers of a sophisticated, 20-year-old technology company, it is safe to assume no one is safe. There are two lessons here. Casamba's peers and competitors who pay attention and take action can benefit from both lessons without having to suffer through a ransomware experience of their own.
The first lesson, of course, is about physical cybersecurity. More than 20 years into HIPAA, most healthcare providers have appointed a security officer and instructed their IT departments to strengthen network borders. Small companies without their own IT staff turn to HIPAA consultants and local IT services companies. Commercially available firewalls and malware detectors become more effective every year.
People Who Said "It Can't Happen to Us" in 2019
A subset of this first lesson, however, is that hackers' cleverness grows to keep up with, or surpass, corporate security measures. When firewalls prove impenetrable, they turn to social engineering. They develop convincing, legitimate-sounding phishing emails. Gone are the days when they sent emails obviously written by someone whose first language is not English. They embed logos and fonts of the familiar company they want you to think they represent.
Hackers do not care if 99 people say, "What? I don't have an account at that bank." They only need one person to say, "This appears to be from my bank. I'd better click on the link to see what they want." If emails fail to fool someone, they pick up the phone and represent themselves as someone from company management or the IT department. This too has a low percentage of success but, again, they only need to fool one person to take down an entire company.
Services like the one we profiled elsewhere in this week's issue, "KnowBe4," are growing because the threat is growing. As explained in greater detail in "Casamba Says it has Learned from Ransomware Attack," companies like KnowBe4 teach employees how to recognize a fake email or phone call. This type of service complements the high-tech forensic services from companies like the one Casamba used, Charles River Associates. Patching firewalls and improving employee behavior are synergistic approaches. Their combined effectiveness is more than the sum of their separate services.
If all the efforts from lesson one still somehow fail, and a cloud-based software system is victimized by ransomware or some other malware and all of its customers are down, how the software vendor responds may determine its ability to survive the attack. The lesson from the Casamba experience is that there is a right way and a dozen wrong ways to react to a crisis.
One home health agency that works with Managed Care Organizations as well as Medicare and Medicaid reports that MCOs were denying claims that were submitted late, beyond each one's policy deadline.
A few paid backlogged claims after the agency filed an appeal accompanied by the Casamba email explaining the ransomware attack, but the delay was nearly double the MCOs' normal 45-day payment cycle.
The same agency reported that the lost data that will never be recovered includes OASIS assessments, which cannot legally be recreated so long after the assessment visit. Patient care must continue, even with the understanding it will never be reimbursed.
Casamba president Nutter submitted to us a detailed description of the company's serious efforts to do two things at the same time: recover from ransomware and update for PDGM.
"Casamba clients were well prepared for PDGM, the biggest change in reimbursement since the PPS model was introduced back in 2000. Our goal in developing these tools was to help our clients be successful. We began building a PDGM grouper and pricing model to support the Casamba PDGM Analytics tool. Our strategy was to empower our clients with data, lots of data. The PDGM Analytics tool enabled users to compare both historic and real-time PPS data alongside PDGM results. The real-time data provided the facts to gain insight to future outcomes and pinpoint specific clinical themes.
"Most importantly, prepare for the future and implement organizational changes to realign clinical and financial goals to ensure they are moving in the right direction. Our workflows provide real-time alerts to assist clients in navigating the many changes under PDGM, such as clinical groupings and diagnosis management, LUPA thresholds, and care periods with no visits. In addition, the Casamba team offered PDGM training and support webinars focused on regulations and software functionality throughout 2019 and we just completed our January PDGM Training Support Series to ensure our clients' success. The Home & Hospice clients have proven to be well prepared, submitting over 2 million PDGM RAPs through the Casamba product."
Lesson #4, For Providers: Take Advantage of Consultants and Free Government Services
The Home Care Alliance of Massachusetts sponsored a conference call for Massachusetts-based Casamba users to give them a forum to hear and learn from each other. It was hosted by home care disaster prevention and recovery consultant Barbara Citarella, RN, BSN, MS, CHCE, NHDP-BC, National Healthcare Disaster Professional and President, RBC Limited Healthcare & Management Consultants, Staatsburg, NY. During the call, providers had an opportunity to network and discuss processes and strategies to continue to provide care. In addition, agencies were provided with resources from ASPR TRACIE on handling a ransomware event.
ASPR TRACIE (HHS Office of the Assistant Secretary for Preparedness and Response, Technical Resources, Assistance Center, and Information Exchange) is a healthcare emergency preparedness information gateway that ensures that all stakeholders (federal, state, local, tribal, and territorial government agencies, nongovernmental organizations, and the private sector) have access to information and resources to improve preparedness, response, recovery, and mitigation efforts. Each domain provides users with unique, tailored support.
©2020 by Rowan Consulting Associates, Inc., Colorado Springs, CO. All rights reserved. This article originally appeared in Tim Rowan's Home Care Technology Report. homecaretechreport.com One copy may be printed for personal use; further reproduction by permission only.