RSSRecent Articles

Learning from a ransomware attack on your hospital

By Philip Betbeze

It’s breach season.

That’s what Ron Pelletier, founding partner of Pondurance, a cybersecurity company based in Indianapolis, calls February through April. Partly, that’s because it’s also tax season, when a lot of financial information is being sent and received via the internet. Bad actors often spend the latter part of the previous year “weaponizing” their tools and doing reconnaissance. Then they look for vulnerabilities.

For Hancock Health in Greenfield, Indiana, just outside Indianapolis, breach season started a little early. About 9:30 p.m. on the night of January 11, 2018, Steve Long, its president and CEO, got a call from the health system’s IT staff, telling him a computer in the lab was infected with ransomware. In an abundance of caution, the IT staff had turned everything off that was connected to the internet.

They were too late.

The attack from a criminal syndicate in Eastern Europe was initiated through the emergency backup facility used by the 71-staffed-bed hospital many miles away, and it had infected many, if not all its servers. The SamSam ransomware did not affect patient life-support systems.

Unlike ransomware programs that depend on phishing tactics to trick employees to open an infected email, the SamSam attack is more sophisticated. The criminals found a vulnerable port set up by one of the hospital’s vendors, then located a password to gain entry into the system, Long says. They infected data files associated with the hospitals’ most critical information systems.

“It was a port you had to log into but it was exposed to the internet,” Long says.

Long hopes by sharing his story that other healthcare organizations will avoid the disruptions that Hancock Regional experienced. He’s even written a publicly accessible blog about it.

From a forensics investigation done later, it appears the criminals made attempts at a “brute force” attack, in which they ran through tens of thousands of potential password combinations to gain entry.

“That did not work, but at some point, they found a login and password from a vendor who was working with our IT systems,” says Long. “We probably will never know exactly how they got a login and password. We’re told all the time we should be prepared for such things. We had hired a company that was supposed to track this, and had anti-malware and antivirus software we thought was good.”

In short, Long says, Hancock Health probably had a false sense of security about its network.

Long decided to pay the ransom price of four bitcoin, about $50,000 at the time, to begin the recovery process. After about 70 hours offline, and little sleep for the IT staff, communication systems were restored, network file servers were brought back online, and the electronic medical record system was restored.

Long and his staff emerged scarred, but smarter. He says other CEOs should learn at least four lessons from his headaches:

1. Remote Desktop Protocol ports need multifactor authentication

The vulnerability the criminals took advantage of at Hancock is a common port associated with Windows that has plenty of legitimate uses, says Pelletier, such as remote system maintenance, but ports like that are often exploited.

“With this particular port, if clients have a business case that it needs to be open we advise multifactor authentication, including a password, a biometric, and a PIN, randomly generated,” he says.

2. You’re more vulnerable than you think

“In terms of readiness, we had systems in place, had a company that was supposedly monitoring us, and we had cyberinsurance,” says Long.

Hancock didn’t use the cheapest vendors, but not the most expensive, either.

“When you’re the [CEO], IT is the thing you always feel like you put so much money into,” he says. “What we’ve also learned is you could have the best of everything, and you’re not 100% safe. There is a balance.”

3. It takes humans to counter humans

Software can’t fully do the job. It takes humans to offer a dynamic defense to the ingenuity of a hardworking criminal enterprise.

“A lot of organizations buy into what vendors say about their tool but there are vulnerabilities we don’t know about and someone might be harvesting that,” says Pelletier. “Bad actors leave evidence of their attempts that can show something is going on, but it takes a human to do the analysis.”

“In cyber terms, if you are targeted, then with enough time, effort, and resources, they will likely be successful, but It takes time and resources and money,” says Pelletier. “If you make yourself a hard target, they’ll move to someone else who is more vulnerable.”

4. Don’t underestimate the criminals

Cybercriminals carefully calibrate the ransom they ask for based on your organization’s ability to pay, Pelletier says.

“They want to get paid and that’s why the [ransom] dollar amounts, relatively speaking, are low,” Pelletier says.

He says you can restore from a backup rather than pay the ransom, but the likelihood of being able to recover completely may be questionable.

Adds Long: “They force you down a path. We needed to get up quickly, and we had some question about whether our backups were viable,” he says. “I agree with every reason not to pay, but until you are faced with the decision, it’s easy to say lots of things. For us it made the most sense to get the decryption keys.”

Long says such things can happen to anyone. You have to plan for the worst.

“I never imagined I would be sitting there on a Thursday night having shut down all our computers,” Long says. “We want others to learn from this and we believe we can be, for lack of a better word, a beacon.”

Check your State for deadlines on new hazardous waste pharmaceuticals rule

By A.J. Plunkett

Let your pharmacists and anyone else in your organization who handles hazardous waste pharmaceuticals know that flushing those drugs down a drain or toilet will be specifically prohibited as of August 2019. That is provided the EPA’s new final rule on the management of hazardous waste pharmaceuticals is published as planned on February 22 in the Federal Register.

The ban on sewering hazardous waste pharmaceuticals is “long overdue,” said Kristin Fitzgerald, with the EPA Office of Resource Conservation and Recovery on February 14 during the first of what could be several informational webinars the agency plans on the long-awaited rule.

Sewering “is a common practice in many healthcare facilities and it needs to stop,” said Fitzgerald, noting that the while the new prohibition applies only to hazardous waste drugs and only to those organizations covered under the new rule, the EPA strongly discourages the flushing of any pharmaceuticals by anyone anywhere.

While the final rule creating a new Subpart P to the federal Resource Conservation and Recovery Act (RCRA) does exempt controlled substances that are under the Drug Enforcement Administration’s jurisdiction from the new hazardous waste regulations, even those controlled drugs still are banned under the no-flushing rule. [more]

ER Doc: Protect Your Staff From Workplace Violence

By Christopher Cheney, HealthLeaders Media

Amy Costigan, MD, 
wants to be able to practice emergency medicine without being punched in the face.

Healthcare staff carry a heavy workplace violence burden, with about 74% of workplace assaults occurring in the healthcare setting. Workplace violence is prevalent in the emergency department—78% of emergency physicians have reported being targets of workplace violence in the prior 12 months.

Costigan wrote about her workplace violence experience in Annals of Emergency Medicine. She had lost a young woman in cardiac arrest, then went to a family room to inform the woman’s mother.

When she entered the room, the ER physician had a choice—sit in a chair near the door or sit on the couch next to the young woman’s mother. Costigan picked the couch.

After she shared the bad news, the enraged mom punched her in the face. [more]

Challenges of antibiotic stewardship in the ICU

By Christopher Cheney, HealthLeaders Media

Antibiotic stewardship in the intensive care unit setting poses unique challenges to intensivists and other ICU clinicians, recent research indicates.

Appropriate prescribing of antibiotics by healthcare providers is essential to help avoid the development of antibiotic-resistant infections, which the Centers for Disease Control and Prevention calls one of the most severe public health problems in the country. About 23,000 Americans die annually from an antibiotic-resistant infection, the CDC says.

Research co-author Richard Wunderink, MD, FCCP, of Northwestern University Feinberg School of Medicine in Chicago, told HealthLeaders that there are three primary unique aspects of antibiotics stewardship in the ICU.

  • Severity and acuity of illness requires early administration of antibiotics
  • Diagnostic uncertainty in a patient who presents with multiple potential sites of infection prompts multiple potential antibiotic treatment regimens
  • There is a tendency for patients with risk factors for multidrug-resistant, extensively drug-resistant, and pan-drug-resistant infections to require transfer to the ICU

As a result of these challenges, ICU clinicians often deal with the negative impact of excess antibiotic therapy, Wunderink and his co-authors wrote in the journal CHEST. [more]

TJC, Others respond to CMS concerns about AO consulting, conflicts of interest

By A.J. Plunkett

With less than four days to go before the February 19 public comment deadline, so far only The Joint Commission (TJC) and the Center for Improvement in Healthcare Quality (CIHQ) are among the hospital accrediting organizations (AO) to formally respond to CMS’ concerns about conflict of interest.

CMS published a request for information in mid-December, asking the public to weigh in on whether AOs that also offer consulting services have, or at least create, a public perception of conflict of interest. The request was made ahead of potential new regulations, according to CMS.

As of February 8, CMS has posted only about 80 comments from people or organizations responding to the request. Many of the comments said that TJC and other AOs keep sufficient firewalls to avoid conflicts of interest and expressed concern that more regulation would make hospitals and other healthcare facilities less safe.

“Why do you continue to make things more difficult for facilities to meet compliance standards? This would have a negative impact on facilities to maintain regulation. Facilities are having a difficult time to maintain compliance with the ever decreasing amount the health care facilities are reimbursed for services,” said one member of the public.

However, another public commenter said that she was against the practice of AOs “providing consulting as I have personally seen questionable interactions, both overt and implied.” That included one hospital system that was encouraged to use a product from an AO affiliate to improve survey scores, and the cross-marketing of services across the AO platforms.

TJC provided a 14-page response to CMS’ request for information, noting that TJC and its affiliates, Joint Commission Resources (JCR) and the Joint Commission Center for Transforming Healthcare, are all not-for-profit companies with separate organizations and boards of directors. The comment was introduced by a letter from Margaret VanAmringe, MHS, executive vice president of Public Policy and Government Relations.

The response provides a history of its efforts to avoid conflicts of interest, outlining the creation of an organizational and cultural firewall decades ago that prohibits and prevents consultants from JCR and surveyors from TJC communicating about clients.

“The structures and processes implemented and monitored by The Joint Commission and JCR to prevent any sharing of confidential consulting information with Joint Commission accreditation personnel are necessary for preventing any real or perceived conflict with the provision of consulting services. Firewall Policies and Procedures have been tested by independent, external auditors and by the Government Accountability Office (GAO),” wrote TJC in its comment.

While the firewall policy has evolved along with TJC and JCR over the years, the commission’s response noted that “what has never changed is the core principle addressed by the policy – to protect the integrity of The Joint Commission accreditation process. The policy was tested by GAO investigators in 2006, with a final report issued December 2006 that concluded:

‘Despite The Joint Commission’s control over JCR, the two organizations have taken steps designed to protect facility-specific information. In 1987, the organizations created a Firewall—policies designed to establish a barrier between the organizations to prevent improper sharing of this information. For example, the Firewall is intended to prevent JCR from sharing the names of hospital clients with The Joint Commission. Beginning in 2003, both organizations began taking steps intended to strengthen this Firewall, such as enhancing monitoring of compliance.

Ensuring the independence of The Joint Commission’s accreditation process is vitally important. To prevent the improper sharing of facility-specific information, it would be prudent for The Joint Commission and JCR to continue to assess the Firewall and other related mechanisms.’”

TJC also offered a point-by-point rebuttal to specific concerns CMS outlined in its request for information.

CIHQ, meanwhile, kept its comments to just over one page, in a letter written by Richard Curtis, the Texas-based AO’s chief executive officer. CIHQ was formally approved as an AO in 2013 following the extended CMS application process.

Like TJC, Curtis noted that CMS already requires AOs to demonstrate that they have sufficient protections against conflicts of interest as part of that initial and renewal applications. “CIHQ respectfully questions why additional rules would be required,” wrote Curtis.

And like other commenters, Curtis said more regulations could hurt healthcare organizations trying to comply with standards and improve patient safety.

“Some AOs – including CIHQ – offer a variety of support services to their accredited providers to help them understand standards and regulations, and provide tools to help them develop compliant processes. These take the form of standards interpretation, education programs, template policies, and documentation tools. These services do not assess a provider’s compliance, but rather provide information to the provider to help them comply. We are concerned that an overly expansive definition of what constitutes consulting would rob providers of vital sources of assistance that do not pose a conflict of interest.”

CMS will continue to take comments until February 19. Note that comments may be made public.

Comments should refer to file code CMS-3367-NC. CMS will not accept fax copies of comments. They can be submitted electronically by following the “submit a comment” instructions on http://www.regulations.gov, by regular mail or by overnight express mail.

To find out more about what information CMS hopes to learn, and specifics on how to comment, read the rule at http://federalregister.gov/d/2018-27506.

Hospital-Acquired Conditions drop 13%

By John Commins

Hospital-acquired conditions dropped 13% from 2014 to 2017; from 99 per 1,000 acute care discharges to 86 per 1,000, according to newly released federal data.

That reduction translates into 910,000 fewer HACs, including adverse drug events and healthcare-associated infections, which helped prevent 20,500 hospital deaths and saved $7.7 billion over the three-year span, according to a new analysis from the Agency for Healthcare Research and Quality.

AHRQ’s review quantifies trends for several HACs, including adverse drug events, catheter-associated urinary tract infections, central-line associated bloodstream infections, Clostridioides difficile infections, pressure ulcers, and surgical site infections.

The report showed marked declines in several categories, such as adverse drug events, which dropped 28%, and C. diff. infections, which fell 37% from 2014 to 2017.

“The updated estimates are a testament to the successes we’ve seen in continuing to reduce hospital-acquired conditions,” AHRQ Director Gopal Khanna said.

It was not all good news, however. HACs involving pressure ulcers increased by 6%, and the number of surgical site infections didn’t budge over the three years.

“There’s no question that challenges still remain in addressing the problem of hospital-acquired conditions, such as pressure ulcers,” Khanna said. “But the gains highlighted today were made thanks to the persistent work of many stakeholders’ ongoing efforts to improve care for all patients.

The Centers for Medicare & Medicaid Services wants to reduce HACs by 20% between 2014 and 2019, which would result in 1.8 million fewer HACs over the five-year period, potentially saving 53,000 lives and saving $19.1 billion in hospital costs.

CMS Administrator Seema Verma said Tuesday that the work around reducing HACs is ongoing, as her agency develops new patient-centered measures that place outcomes over processes.

“While I am so proud of this accomplishment, we are working to get to a smaller set of dynamic measures that patients can use to identify high-value providers,” Verma told the CMS Quality Conference.

PSMF Targets Problem of Postoperative Delirium in Older Adults

By Jay Kumar

As it works toward its goal of eliminating preventable in-hospital deaths, the Patient Safety Movement Foundation (PSMF) has identified a new challenge to target: postoperative delirium.

Speaking in January at the 7th annual meeting of the World Patient Safety Science & Technology Summit in Huntington Beach, California, a panel of experts discussed the issues around postoperative delirium and how to detect and prevent it. The PSMF has named postoperative delirium as its 18th patient safety challenge, collecting solutions for organizations to implement to reduce the number of preventable deaths from the condition.

Delirium is a condition of acute cerebral dysfunction that may be seen in patients in the early postoperative period or in patients in the intensive care unit (ICU). The condition is found frequently in elderly patients, but the diagnosis is often missed. In some patients, it manifests in hyperactivity and requires immediate intervention.

The audience heard the story of Audrey Curtis, an Australian retiree, who was in the hospital in March 2017 to undergo an operation to replace her aortic valve. After 48 hours in the ICU postoperatively, Curtis was moved back to a general ward. She began hallucinating and, believing she had been kidnapped and tied up with rope, pulled out all the tubes attached to her body. Curtis said the nursing staff never mentioned the incident after the initial nurse responded. Nearly two years later, she still remembers the visions vividly and is hesitant to undergo any further surgery.

“Delirium is a manifestation of brain organ dysfunction,” said Pratik Pandharipande, MD, MSCI, professor and chief of anesthesiology critical care medicine, Vanderbilt University Medical Center.

Delirium occurs in 62% to 80% of mechanically ventilated patients, and it has ramifications months to years later, he said.

Assessing delirium

One way to check for delirium in patients is to use the Confusion Assessment Method for the ICU (CAM-ICU), a tool that can help clinicians determine whether delirium is present. [more]

CMS’ hospital readmission reductions program’s impact downgraded

The reduction in readmission rates is about half as large as previously reported, researchers say.

Gains from Medicare’s most prominent readmissions reduction initiative have been overstated, recent research indicates.

Since October 2012, the Hospital Readmissions Reduction Program (HRRP) has financially penalized hospitals for high readmissions rates. HRRP started with three targeted conditions—acute myocardial infarction, heart failure, and pneumonia. In 2012, the penalty was a maximum 1% of Medicare reimbursements and that figure was raised to 2% in 2015.

The recent research in Health Affairs claims the positive impact of HRRP has been overstated.

“HRRP has been credited with lowering risk-adjusted readmission rates for targeted conditions at general acute care hospitals. However, these reductions appear to be illusory or overstated,” the researchers wrote.

The researchers contend that declines in risk-adjusted readmission rates for targeted conditions are 48% lower than previously reported.The primary mechanism for the discrepancy is a change in the electronic transaction standards that hospitals use to submit claims to Medicare, the researchers say.

In 2011, the Centers for Medicare & Medicaid Services (CMS) allowed an increased number of diagnosis codes for Medicare claims.

  • Before 2011, healthcare providers could not have more than nine or 10 diagnosis codes for a Medicare claim.
  • After January 2011, healthcare providers could submit claims with as many as 25 diagnosis codes. “We document that around January 2011 the share of inpatient claims with nine or ten diagnoses plummeted and the share with eleven or more rose sharply,” the researchers wrote.
  • Allowing hospitals to file a larger number of diagnoses per claim reduced risk-adjusted patient readmission rates.

“By coincidence, the HRRP was implemented just before a change in electronic transaction standards that increased diagnostic coding and therefore created the illusion that risk-adjusted readmission rates had decreased,” the researchers wrote.

Readmission reduction skepticism

The study findings should raise concern among hospital leaders, the lead author of the research told HealthLeaders recently.

“The efforts to reduce readmission have been much less successful than were previously believed. As a result, I would urge renewed skepticism about whether processes to reduce readmissions are in fact working,” said Christopher Ody, PhD, a research assistant professor at Northwestern University’s Kellogg School of Management in Illinois.The research also raises concerns related to clinical care, he said.

“The evidence that readmissions have fallen was flawed; and as a result, practitioners should be re-examining that evidence and any subsequent knowledge that was based on this flawed evidence.”

Forecastinig fate of HRRP

HRRP is a value-based program that should probably continue, Ody said.

“The goal with these programs isn’t to pay good hospitals more and bad hospitals less; it is to create incentives for hospitals with worse outcomes to improve.

“CMS has addressed the worst flaws in HRRP, he said. “Some of the most troubling aspects of the HRRP have been reformed since its inception.”

The reforms have included fixing a risk adjustment problem that unfairly penalized safety net hospitals for having a difficult case mix.HRRP should continue within bounds, Ody said.

“These programs deserve more time to be tweaked. But for HRRP to make sense in the longer term, benefits from lower readmissions will need to be big, compared to the downside of exposing providers to a lot of risk.”

Joint Commission: How to improve patient depression screening and treatment

A new study published in The Joint Commission Journal on Quality and Patient Safety showcases four ways to improve screening and treatment of patients for depression. Depression is the leading cause of disability and 16.2 million Americans experienced a major depressive episode in 2016.  The condition often goes untreated in certain demographics such as minorities, refugees, and immigrants.

The study, “Not Missing the Opportunity: Improving Depression Screening and Follow-Up in a Multicultural Community,” was conducted by Ann M. Schaeffer, DNP, CNM, and Diana Jolles, PhD, CNM, at the Harrisonburg Community Health Center (HCHC) in Virginia. Their goal was to improve their Screening, Brief Intervention, and Referral to Treatment (SBIRT) method for identifying and treating depression.

Evidence-based guidelines recommend facilities screen for depression diagnosis, treatment and follow-up. However, they explain that only seven states report depression screening and follow-up data and the condition is the fourth least-reported measure on the Medicaid Adult Core Set.

“The project demonstrated the feasibility of using rapid-cycle improvement to improve depression screening and follow-up within a multicultural community health center,” the authors noted. “This project also brought attention to a chronic condition with long-standing implications for individual and community health that too often go unidentified and therefore unaddressed.”

The study looked at the impact of four core interventions:

  • Using written standardized screening tools in six languages
  • Using the Option Grid™, a standardized tool to help clients who screen positive for depression to share what matters most to them
  • Using a “right care” tracking log to help providers document follow-up phone calls and visits for at-risk patients
  • Conducting team meetings and in-services to support capacity building

By the end of the study:

  • The use of evidence-based care increased to 71.4 %
  • Compliance with follow-up policies increased from 33.3% to 60%
  • Screenings done in the patient’s preferred language increased to 85.2%
  • Identifying at-risk patients using a patient health questionnaire increased 45.5%

Improving depression care can also be useful in suicide prevention—a major goal of The Joint Commission this year.

(Webinar) Accreditation 101: A Beginner’s Guide to Hospital Surveys

Webinar Date: Tuesday,February 19 2019 |1:00-2:30 p.m. EST

Presented by: Heather Forbes, BSN, RN, CEN, CPhT

Register: http://hcmarketplace.com/accreditation-101-guide-hospital-surveys

Summary: Accreditation is a complex topic with multiple branches, specialties, and nuances. New accreditation specialists often come from disparate backgrounds, with huge variations in the type and amount of training (if any) they had before accepting their new role. There’s a steep learning curve involved, with countless terms, organizations, and processes to understand and no clear method to go about it.

“Accreditation 101” provides a road map for the new specialist’s education and orientation, with plenty of guidance along the way. In this 90-minute webinar, accreditation expert Heather Forbes, BSN, RN, CEN, CPhT, covers survey preparation, responding to findings, maintaining compliance, and the role of the accreditation specialist.

Conducted in clear, accessible terms, this webinar is open to anyone wanting to learn more about the accreditation process—hospital leaders, quality officers, facility directors, and nurse leaders.

At the conclusion of this program, participants will be able to:

  • Establish a solid foundational knowledge of healthcare accreditation
  • Understand how to prepare for an accreditation survey and respond to findings
  • List the role and responsibilities of an accreditation specialist
  • Understand the differences between accrediting organizations such as The Joint Commission, HFAP, and DNV
  • Maintain survey readiness and compliance
  • Know key accreditation terms