Cybersecurity: The Nightmare That Keeps Me Up At Night

You are preparing for a board meeting, but you can’t get into your reporting application. You log off the computer and then log back in – no good. You call the helpdesk and hear what you never want to hear: “The application is offline due to a potential cyber attack.”

Keeping organizational data safe from hackers is a real concern for compliance professionals. When asked what keeps them up at night, most would say it is the fear of discovering that one of their IT systems or applications has been hacked. The nightmare may be recurring for compliance professionals who work in health care, where personal, protected health information (PHI) is stored in electronic health record applications.

To optimize cyber protection and minimize cyber events, it is recommended that compliance departments partner with their organization’s information technology (IT) and risk management departments. A good place to start collaborating is to write and implement an organization-wide cybersecurity plan (CSP) that incorporates input from each discipline; a plan built this way is more robust than one written by a single department.

Compliance and IT professionals generally focus on preventing privacy breaches and security breaches, respectively, as required under HIPAA and HITECH, so the CSP should include prevention steps for both. While risk management also includes prevention, it focuses as well on loss mitigation and on minimizing the impact to the organization’s reputation after a cyber event has occurred.

The CSP must also include ongoing staff education. While there are many commercially available tools or applications which provide protection against email hackers, phishers, malware, spyware, and viruses, these tools are only as good as the end users working on the organization’s computers. Of course, the CSP should include appropriate firewalls and penetration testing by an outside vendor to assess the organization’s privacy and security vulnerabilities; however, the best prevention is education for staff so they can identify emails which may contain malware, spyware, or viruses.

Ongoing education should occur with staff at all levels of the organization. Education should include internal, IT-generated phishing emails with remediation for those who “take the bait” and click on the bad links. It should also include cross-departmental table-top exercises in which cybersecurity-related scenarios are presented and discussed, to ensure familiarity with the CSP and to identify and improve upon weaknesses in the plan, in staff education, or in the applications used.

PRACTICE TIPS:

  1. Schedule a one-hour call with your insurance broker to review your cyber liability insurance policy and reporting requirements in the event of a privacy or security breach.
  2. Ensure you are current with not only federal but also state security and privacy laws.

Denise Atwood, RN, JD, CPHRM
District Medical Group (DMG), Inc., Chief Risk Officer and owner of Denise Atwood, PLLC
Disclaimer: The opinions expressed in this article or blog are the author’s and do not represent the opinions of DMG.


Denise Atwood, RN, JD, CPHRM has over 30 years of healthcare experience in compliance, risk management, quality, and clinical areas. She is also a published author and educator on risk, compliance, medical-legal and ethics issues. She is currently the Chief Risk Officer and Associate General Counsel at a nonprofit, multispecialty provider group in Phoenix, Arizona and Vice President of the company’s self-insurance captive.


Minimize Regulatory Impact On Patient Care

New regulations are a fact of life in healthcare. But the head of your pharmacy or lab or revenue cycle department just wants to focus on patient care – not reading new regulations.

How would they react if you told them they can comply with ALL new regs without having to read them?

Recently, the Oregon Association of Hospitals & Health Systems (OAHHS) released a report showing that acute care inpatient hospitals must comply with over 2,000 rules created by the state (and that’s JUST the state).

Clinical workers usually bear the most responsibility when states (and others) pass new regulations. Clinical staff must:

  • Assess a new regulation’s relevance to the organization,
  • Determine what steps need to be taken to comply, and
  • Implement the steps required to comply.

This creates big headaches for these folks, as it takes their time away from what they actually want to do: providing care. Meet youCompli. youCompli software monitors, reads and translates regulations into easy-to-understand business requirements. The requirements are delivered to the responsible party, and you can keep track of all of it.

If you think it sounds too good to be true, click here and see what our clients are saying about youCompli.

Want to get started right now? Click here and let’s talk about how youCompli can help.

CMS Does It Again

What an October!  In addition to all the Halloween fun, we processed over 100 new regulatory changes last month.

They covered both state and federal regulators and came in all shapes and sizes, but one stands out.

CMS decided to lump together seemingly unrelated concepts covering everything from multi-hospital QAPI programs and critical access hospitals to long-term care and autopsy services.

(84 FR 51732)

We’re experts at dealing with these large complex regs and I thought I would share a hint on how to deal with them more effectively.

We find it helpful to break the reg into more meaningful chunks. To do this, start by analyzing the summary; you’ll usually find it in the preamble to most large regs. That summary typically lists the different areas the regulator has targeted with a particular change.

Next, group the areas that belong together (grouping should be based on your organization’s structure) into one “chunk,” while separating out the disparate areas into their own “chunks”. Breaking down a large regulation this way allows us to:

  1. Pinpoint the individual functional areas of an organization being affected;
  2. Tune in to specific issues involved with each functional area of an organization; and
  3. Ensure an easy-to-understand business requirement is a result.

84 FR 51732 was a real “bear”; it resulted in 10 different business requirements.

If your organization is faced with a similar complex regulation, you too might benefit from breaking it down into smaller projects or “chunks” to ensure it is effectively implemented into your organization’s policies and procedures…or…let us do the work for you!

Click this link and sign up for a 10-minute demo to see how you can comply without reading regs.

Chief Compliance Officers Can Be in the Crosshairs

Chief compliance officers should take note of two recent enforcement actions in the financial sector.

In these cases, the regulators have gone after the compliance officers (in addition to others).

In the first case, the SEC alleges that the chief compliance officer was “carrying out his compliance responsibilities in an extremely reckless manner.” It further alleges that the CCO “was required to review and monitor” trading practices “to make sure they were fair and equitable”. It says that, other than occasionally “spot checking” trade paperwork, the CCO “essentially did nothing” to ensure the firm’s trading policies and procedures were being followed.

Attorney Brian Daly, a partner in the regulatory and compliance and investment management groups of Schulte Roth & Zabel in New York, called the SEC action “pretty extreme.” (Reisinger, 2019) Daly spent a decade as a general counsel and chief compliance officer at several investment firms before joining Schulte, including at Kepos Capital, Raptor Capital Management and The Carlyle Group.

“It’s unusual,” Daly told Corporate Counsel. “It’s one thing to say he [compliance officer] could be sanctioned or censured, but they are accusing him of recklessly not carrying out his duties because of inaction, and of aiding and abetting bad actions.” (Reisinger, 2019)

The second enforcement case accused the chief compliance officer of engaging in fraud and then making false statements to the National Futures Association.

In May of this year, the CEO of the firm was charged with misappropriation, fraud and making false statements. This led to the CFTC ordering the firm’s CCO to pay $150,000 ($125,000 in restitution and a $25,000 civil penalty) for fraud and false statements.

Philadelphia attorney Mary Hansen, the co-chair of the white-collar defense and corporate investigations practice at Drinker Biddle & Reath, said (about the second case) that the case should serve as a warning to chief compliance officers. “In the last couple years, we’ve seen more compliance officers charged,” adding, “and that’s not going away.” (Reisinger, 2019)

While not in the healthcare field, these cases and others reinforce the ongoing need to create effective compliance programs.

youCompli’s regulatory change management software ensures your program is effectively managing ALL regulatory changes. To learn how, and to hear from one of our customers, see the 2-minute video.

Reisinger, S. (2019, Sept. 25). Regulators Put Chief Compliance Officers in Their Sights in 2 Financial Fraud Cases. Retrieved from http://www.law.com

Understanding Regulish

Do you have someone in your healthcare practice who can read and translate Regulish?

No, that’s not a typo; we meant to type Regulish.

Regulish is the “language” healthcare regulators use to communicate with you. It includes a series of long complex words, phrases and numbers…lots of numbers.

Regulish is difficult to read and even harder to understand.

Most healthcare employees can’t understand Regulish. When they look at a regulation, it appears to be mostly gibberish. Reading it creates frustration, which often leads the reader to ignore it, thus increasing your regulatory risk.

youCompli’s compliance experts read and translate Regulish into easy-to-understand business requirements. The requirements include:

* The ability to instantly decide if the regulation matters to you
* The specific tasks you need to complete to comply
* Detailed policies and procedures you’ll use to easily comply

Take 10 minutes of your time and learn how you can comply with ALL new regulations without having to read any more Regulish.

Regulatory Rolodex

You’re responsible for creating and maintaining a culture of compliance in your organization. You need to embed compliance into everyday workflows and set expectations for individual behavior across your organization.

This is impossible if you don’t know who the right people are in each area of your organization.

What you need is a Regulatory Rolodex©. youCompli has one, and you can have it for FREE.

We use this tool to identify and track two different types of individuals in each area of your organization:

  • The person responsible for doing regulatory change work
  • The person responsible for higher-level oversight to ensure the regulatory work gets done

youCompli delivers new regulatory requirements to both types of people (and to the compliance department) inside our software. This allows the compliance department to have complete visibility into the whole compliance process.

To get your free copy of the Regulatory Rolodex©, provide your contact information and we’ll send it to you.

Interested in seeing how youCompli automates the whole regulatory compliance process?

Attend our 10-minute demo: select a date and time that is convenient for you.

Can’t Have The 7 Elements Without This!


While not named by the OIG as one of the “7 elements of an Effective Compliance Program,” the ability to manage regulations directly affects 5 of the 7 actual elements (the 5 affected are listed at the bottom of this post).

So, you need to manage regulations effectively to have an effective compliance program.

When regulations change you (and many of your colleagues) need answers to one, two or all three of these questions.

  1. Are we aware of all the new regs that might apply to us?
  2. For the ones that do, what needs to be done to comply?
  3. Did we do it?

To make this work easier and give you the ability to manage it, we suggest relying on a methodology to perform this work. When we created our software, we developed Regulatory Compliance Lifecycle Management (RCLM).

RCLM is a methodology that, if followed, will give you the ability to answer the questions above and to demonstrate what was done to comply (assuming you keep track of it).

RCLM includes:

  • Identification and documentation of new regulations
  • Assessment of each regulation’s relevance to your organization
  • Translation into business requirements (the specific activities required to comply)
  • Communication of requirements to ALL stakeholders
  • Execution of the activities required to comply
  • Monitoring and validation that required activities have been completed
  • Demonstration of the steps taken above

Our software automates RCLM and makes compliance much easier.

If you’re interested in seeing how, sign up for our 10-minute demo by picking a date and time that is convenient for you.

#chaostoconfidence #StopReadingRegs


5 Elements directly affected by regulatory changes

  1. Implementing written policies, procedures and standards of conduct.
  2. Conducting effective training and education.
  3. Conducting internal monitoring and auditing.
  4. Enforcing standards through well-publicized disciplinary guidelines.
  5. Responding promptly to detected offenses and undertaking corrective action.

Highlights from OIG’s Semi-Annual Report to Congress

Late last week, the HHS OIG made available its semi-annual report to Congress summarizing OIG activities occurring from October 1, 2017 to March 31, 2018. As one might expect, OIG continues to commit resources to enforcement-related activities and to improve its data analytics capabilities. A few of the “headlines” from an enforcement perspective include: Criminal […]


To Bundle Or Not To Bundle?

In August of 2017, CMS announced the cancellation of a proposed Cardiac Care Bundled Payment model as well as reversing course on a proposal to expand the Comprehensive Joint Replacement Bundled Payment model. Participation in both payment models would have been mandatory for certain providers in specified markets. In January 2018, to considerable fanfare, CMS […]
