NJAMHAA News - October 2021

ComplyAssistant Helps Ensure Data High-quality Care

When people think of what is needed to ensure high-quality health care, they may focus solely on provider-client relationships, clinical best practices and outcomes. In addition to these essential aspects of treatment, services need to be consistently available, with no threat to the confidentiality of clients' data. ComplyAssistant, a NJAMHAA Approved Vendor and Technology Council member, offers tools to meet this critical need.

"It's like watching a horror movie doing this – seeing what can happen when a system is completely down," said Gerry Blass, President and CEO of ComplyAssistant. "There's a lot to think about on top of an agency's core mission and pandemic-related issues. In some cases, staff are repurposed, which creates more vulnerabilities because the staff are not as focused." He shared the example of information technology (IT) staff being assigned to work at vaccine megasites, which restricts their ability to help ensure that their organizations' IT systems are secure and functioning properly.

Regarding the pandemic and the quick transitions to a remote workforce and telehealth, Blass commented, "Providers couldn't do them any faster. Hackers are also quick, and they became more motivated to attack more."

For more than seven years, the healthcare industry has been a primary target of cyberattacks. The risk is increased by healthcare organizations' typical limitations in funds and staff for proactive measures, and by the growing number of places where Protected Health Information (PHI) resides, including Health Information Exchanges. Vulnerabilities are further exacerbated by other factors, such as interoperability and a workforce working remotely because of the pandemic. "It is difficult for healthcare organizations to keep up with advanced threats. Yet, the costs of not keeping up can be even higher from a monetary and patient safety standpoint," Blass stated.
Costs include downtime, potentially 30 days or more, which disrupts care delivery, as well as financial costs such as ransom payments.

According to Blass, the initial objective of the Health Insurance Portability and Accountability Act (HIPAA) was to simplify the processing of insurance claims through standardized electronic coding. The Privacy and Security Rules were added under HIPAA in response to data breaches, most of which in the early 2000s were caused by healthcare organizations' own employees, either intentionally or accidentally; insider-caused breaches remain a problem today.

Additional efforts to ensure the integrity of health data have been undertaken over the years. The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, promotes the meaningful use of health IT and established penalties for incidents determined to result from negligence. The HITECH Omnibus Final Rule (the 2013 HIPAA Omnibus Rule), issued in 2013, increased penalties and exposure to civil suits for both covered entities and their third-party vendors (business associates), and "updated breach determinations based on the probability of compromising PHI and defined timeframes for reporting notifications," according to Blass.

Over the years, electronic health records (EHRs) were developed, and they bring both benefits and risks. While enabling patients' data to be shared among healthcare providers to foster coordination and higher quality of care, EHRs also created greater exposure to cyberattacks. "It's difficult to implement electronic medical records and security at the same time. Hackers understand this and know where the vulnerabilities are," Blass explained. "Expect attacks to triple in the next six months. Hackers find gaps in the healthcare system, so attacks are not a question of 'if,' but of 'when,'" Blass cautioned.
High Costs and Commonly Limited Tools to Prevent Them

While an entire health system can be down for 30 days or longer following a breach or a natural disaster that causes a power outage, healthcare organizations' Disaster Recovery and Business Continuity (DRBC) plans are typically designed for only three days. ComplyAssistant can help with developing and updating DRBC plans. "The possible scenarios are dramatic and require a strategy beyond just systems to include critical business decisions that may have to be made that significantly impact operations," Blass said. He gave the examples of deciding when to pay a ransom, when to notify local police and the Federal Bureau of Investigation (FBI), when to close some or all of an organization, and when to transition patients to other care providers.

Regarding ransom, Blass described two options. The first is for healthcare organizations to purchase Bitcoin, which he said can be limited to about $20,000 per day, although a common ransom demand is $500,000. Hospitals, like any other U.S. organization, are legally forbidden from paying ransom to attackers who are on the Office of Foreign Assets Control (OFAC) sanctions list, and while cyber insurers can cover damages, they normally will not reimburse a ransom payment that could violate OFAC restrictions. The second option is to create a duplicate