Cyberattack Would be a Disaster for Access

Your patient access department probably can cope with unscheduled downtime for a few hours due to system updates or weather events. But what if a cyberattack forces registrars to revert to paper processes for days?

“A cyberattack has the potential to be a disaster of monumental proportions — one that will impact healthcare delivery at every level,” says Pete Kraus, CHAM, CPAR, FHAM, business analyst for revenue cycle operations at Emory Healthcare in Atlanta.

A February 2016 cyberattack left Hollywood Presbyterian Medical Center in Los Angeles unable to access medical records for 10 days, until the hospital paid a $17,000 ransom in bitcoin to hackers. The FBI is investigating the attack, which forced patient access employees to switch to paper processes for registration.

When contacted by Hospital Access Management for this story, a hospital spokesperson declined to comment. In an official statement, the hospital’s president and CEO said, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”

Ransomware attacks against hospitals are on the rise, says Mac McMillan, co-founder and CEO of CynergisTek, an Austin, TX-based information security and privacy consulting firm. “In the last six months, at least half a dozen hospitals we work with have been the victims of a ransomware attack,” he reports.

Cyberattacks against doctors and hospitals have more than doubled in the past five years, with the average data breach costing a hospital $2.1 million, according to a May 2015 study from the Ponemon Institute, a Traverse City, MI-based security research and consulting firm. (The Fifth Annual Study on Privacy & Security of Healthcare Data is available at bit.ly/1nzomQG.)

“The attacks highlight the lack of preparedness of some of our health systems to fight or defend against these more advanced threats,” says McMillan.

SWITCH: MANUAL PROCESSES

Unscheduled downtime is never easy for patient access, regardless of the reason.

Stacy Calvaruso, CHAM, system director of patient access at LCMC Health in New Orleans, says, “We should be prepared for unscheduled downtime at all times, whether it is a cyberattack, weather incident, natural disaster, or terrorist incident.”

Patient access employees suddenly find themselves faxing requests to and from payers and spending multiple hours manually processing frontline transactions. “Outside of the manual workflows, the registration process feeds many downstream systems,” adds Calvaruso. This connection means slower-than-normal processing times by clinical areas. Internal systems such as bed placement, provider order entry, and medication dispensing are affected, as well as diagnostic services such as laboratory and radiology.

“Most providers and clinicians have spent years working in an EMR environment,” notes Calvaruso. “They will find it difficult to transition back to a manual process in some instances.”

SHORT-TERM EVENTS

Most downtime protocols in patient access are geared toward a short-term event of hours, not days.

Kraus says, “Addressing the ongoing impact of a prolonged, successful cyberattack should be an integral part of hospital disaster preparedness and training.”

Joseph Ianelli, director of patient financial services at Massachusetts General Hospital in Boston, has never seen unscheduled downtime last longer than about five hours. Like many patient access leaders, he questioned just what the department would do if a ransomware attack left his staff unable to access data for days.

“We have never had to deal with somebody holding the data hostage for money,” Ianelli says. “A lot is undefined.” It’s unclear how patient access would handle having to revert to manual processes for an undetermined period of time.

“We could probably float by for a little bit with paper processes, but to get authorizations, we really do need access to the medical record,” Ianelli says. “Anything extended would affect the clinical piece, which would be really problematic.”

Ianelli sees the inability to provide requested clinical information to payers to obtain authorizations as one of the biggest roadblocks. “If we were going to be in a major downtime, the first step would be to reach out to the payers,” he says. “Usually, the payer liaison is able to be flexible in emergent situations.”

Unscheduled downtime used to be common in patient access areas, but upgrades in technology have made these events very rare, says Kim Rice, director of patient access at Redding, CA-based Shasta Regional Medical Center. “We usually come across downtime during an IT implementation or an actual downtime due to a fiberoptic cable getting cut, for example,” says Rice.

The department created pre-made registration paper packets. “My team uses a template that we follow to make our own labels during downtime,” says Rice. “This provides pertinent information that the clinical team needs on all the paperwork.”

Room for error grows significantly when staff is handwriting information, however. “Remind staff to take that extra moment to make sure they write down the correct information and keep organized with the account/medical record numbers,” advises Rice.

CONTINGENCY PLANS

To be ready for a ransomware attack that locks users out of the EMR, patient access leaders should do these two things, recommends McMillan:

• Identify what data employees need to do their jobs.
• Have a plan to access the necessary data without going through the EMR or the Internet.

“If you need today’s schedule or next week’s, or information about the patient, does that data exist somewhere else, other than the system?” asks McMillan. Patient access should ask the question, “If we had to operate in a worst-case scenario, if we lose access to the EHR and the Internet, will registrars still have access to the information they need?” he says.

McMillan recommends that patient access leaders meet with health information systems to determine exactly what they would do if a ransomware attack occurs. “Too many organizations don’t do that level of detailed contingency planning,” says McMillan. If crucial data can’t be accessed during a prolonged ransomware attack, hospitals will have no choice but to turn patients away, he warns.

Solutions include separate computers that are not connected to the network, are offline, or are connected to a different network, with a certain amount of data backed up at regular intervals. “It’s not as current as what they normally have, but the data is no more than a day old,” McMillan says. “If you are just missing the last few hours, that’s still enough to operate. You can, at least, look at the schedule as it was last night.”

Mary Lee DeCoster, vice president of consulting services at Phoenix-based Adreima, sees these as the primary issues for patient access:

• There is a possibility of duplicate medical records being created.

“Lacking access to the database, the registration specialist must rely on the patient’s memory as to their history with the hospital,” says DeCoster.

• Additional time and resources are required to process each step of the registration manually.

“The registration specialist will need to conduct a thorough interview versus the more efficient ‘update’ method,” says DeCoster.

• All registration documents, including the Condition of Admissions, need to be printed and signed by the patient.

“Where a registration event which is supported by a fully functioning electronic health record system may take five to seven minutes, a full interview — capturing information and printing on paper —may take 10 to 12 minutes,” notes DeCoster.

• Employees need to call payers to confirm eligibility and to verify insurance coverage, including effective dates.

“Management may wish to review the potential requirements for additional staff,” says DeCoster.

• The face sheet has to be printed on paper, and distributed to the receiving clinical department, to be included in the paper health record.

“Existing downtime procedures should be reviewed to ensure they are complete and robust enough to cover special circumstances such as a cyberattack,” emphasizes DeCoster. (See related story later in this issue on how patient access departments handled unscheduled downtime.)

SOURCES

• Stacy Calvaruso, CHAM, System Director, Patient Access, LCMC Health, New Orleans. Email: [email protected].
• Mary Lee DeCoster, Vice President, Consulting Services, Adreima, Phoenix. Email: [email protected].
• Joseph Ianelli, Director, Patient Financial Services, Massachusetts General Hospital, Boston. Email: [email protected].
• Pete Kraus, CHAM, CPAR, FHAM, Business Analyst, Revenue Cycle Operations, Emory Healthcare, Atlanta. Phone: (404) 712-4399. Email: [email protected].
• Mac McMillan, Co-Founder/CEO, CynergisTek, Austin, TX. Phone: (512) 402-8550.
• Kim Rice, Director of Patient Access/ Communications, Shasta Regional Medical Center, Redding, CA. Phone: (530) 229-2944. mehealthcare.com.