May 2007

Information Security: Incident Response

The headlines are everywhere: "Theft exposes patient data across several states"; "Stolen government health agency laptop puts patients at risk of identity theft"; "Hospital loses patient data." According to a recent study conducted by the Markle Foundation, eight out of 10 Americans are concerned about their identity being stolen and their electronic health information being misused. No organization is completely safe from cyber delinquents, but you can minimize the fallout if a security breach does occur by planning ahead and taking steps to prepare for incident response.

In the event of a breach, two steps must be taken immediately. The first step is to determine precisely what data was compromised and assess possible risk to the organization and third parties e.g., patients. Find out if the data is sensitive, encrypted and whether it can be used in a malicious way. The answers to these questions, in conjunction with a formal security management plan, will help dictate the level of response.

Not only is security management planning essential to prevent incidents, it can be imperative to a legal defense in the event sensitive data goes MIA. An organization needs to demonstrate that it has studied the threats and has committed to developing IT security policies and procedures, employee education, access controls and the physical security of information systems. A security management plan that includes reasonable and appropriate steps to take after the loss or theft of sensitive information can result in significant defense cost savings.

Once you have a formal security management plan in place, it needs to be reviewed regularly to ensure it addresses current threats and conditions - internal and external. In addition, involve your legal counsel in these reviews to ensure your plan maintains compliance with federal and state regulations.

The truth is we are never really 100% free from the danger of information theft or loss. The way organizations respond to information security incidents is just as important as the effort to prevent them.


A risk-free investment with a 200% rate of return? With no money down?!?

If your broker came to you with a stock that was guaranteed to pay you twice your investment, with no cash down, would you be interested? Of course, but you would probably ask him or her, "What's the catch?"

With Health Check there is no catch. We identify and recover money that managed care companies owe you. Our fees are 100% contingency based. If we do not collect money for your facility- you don't pay us a thing. We don't charge start-up fees, monthly retainers, travel expenses, and we don't even have any of those mysterious "convenience charges" that everything seems to include these days. We only get paid after we put money in your bank.

Because we only audit the accounts that your facility has closed, all of the money we recover is "new" money that does straight to your bottom line. To find out how Health Check can help add money to your bottom line, please visit our website or contact us at 800.633.2055.


1 in 6 Hospital CEOs change jobs each year

According to the American College of Healthcare Executives (ACHE), the average turn-over rate for hospital CEOs was 15% during 2006. This was up slightly from the 14% rate during 2005. As demonstrated by the chart to the right, turnover has remained fairly stable since 2002.

Delaware topped the list by state with a 40% turn-over rate. Meanwhile, Nevada had no CEO turnover at all during 2006.

The impact a CEO change has on a hospital can be dramatic. In addition to the cost to recruit and hire a new CEO and the impact to hospital decision-making and performance, turn-over has an affect on other executives at the hospital and can impact the hospital's position in the market.

According the ACHE, in the year following a CEO change, 77% of the chief medical officers, 53% of chief operating officers, and more than 33% of chief financial officers and other executives turned over.

CEO turnover also led to hospitals' competitors attempting to take advantage of the situation. Between 39% and 45% of the time, a hospital's competitors used a CEO change to attempt to recruit their physicians, patients, and key employees away from them.


Hospitals employ almost 4.5 million

According to Bureau of Labor Statistics, US hospitals added 9,200 new employees in March 2007, bringing total employment to 4.49 million Americans. Over the last 12 months, hospital employment has increased 2.2%, or more than 96,000 jobs.



CMS Announces plans for FY 2008 inpatient prospective payment system

On April 13th, the Centers for Medicare and Medicaid Services announced a proposed rule to update the hospital inpatient prospective payment system (IPPS) for fiscal year 2008. In the rule, CMS outlined its plan to replace the current 538 diagnostic related groups (DRGs) with 745 new severity-adjusted MS-DRGs. CMS has been attempting to adopt such a change for three years. They say that the new system would base payments on hospitals' costs, rather than charges- thus reducing hospitals' incentive for cherry-picking the healthiest patients.

In addition to the new DRGs, CMS announced that payments to all hospitals will increase 3.3% in FY2008. This represents more than $3.3 billion in increased payments. During 2008, they intend to pay hospitals based on a blend of one-third current DRGs and two-thirds new MS-DRGs.

But, as often the case with CMS, the news isn't as rosy as it sounds. The American Hospital Association argues that CMS is also including a 2.4% "back door" reduction to offset higher payments that result from hospitals' use of codes that indicate higher complexity care.
The likelihood of hospitals cherry-picking patients is about as likely as all hospitals immediately mastering the new MS-DRG system and coding procedures at a significantly higher level during the first year of the new system. Therefore, it seems that the 2.4% reduction is unnecessary and designed simply to offset the new increase.

A final rule is expected this fall.


Health Check Senior VP obtains additional security certification

Technological solutions alone cannot protect an organization's critical information assets. At Health Check, we hold our Information Technology staff to the highest standard and demand they stay current and maintain knowledge of threats to determine applicability to Health Check and our clients.

Chuck Edwards, Health Check's Senior Vice President over technical operations, was recently awarded the Certified Information Systems Security Professional (CISSP®) credential from (ISC)². (ISC)² is the only not-for-profit body charged with maintaining, administering and certifying information security professionals worldwide.

As the first credential accredited by ANSI to ISO Standard 17024:2003 in the field of information security, the CISSP certification provides information security professionals with an objective measure of competence and achievement. The CISSP credential demonstrates expertise in the following domains: Access Control; Application Security; Business Continuity and Disaster Recovery Planning; Cryptography, Information Security and Risk Management; Legal, Regulations, Compliance and Investigations; Operations Security; Physical (Environmental) Security; Security Architecture and Design; and Telecommunications and Network Security.

With centrally managed anti-virus software, intrusion-prevention systems, and multiple firewalls, Health Check's security operations include all the fundamental components of an excellent security system. Chuck and his staff continue to provide continuous, cutting-edge protection against threats, both physical and logical.

For more information about this credential and (ISC)², please visit www.isc2.org.

	Sign up for Health Check-Up — our email newsletter