Synopsis: Hacking May Change Workers’ Comp Record/Bill Keeping But Not in a Good Way.
Editors’ comment: If your financial stuff has ever been hacked, consider a challenging new statistic: by 2024, everyone in the U.S. may have had health care and workers’ comp data compromised if online theft keeps accelerating at the current pace. As our health records have gone digital over the past several years, they've become far more vulnerable to poaching—and far more interesting to online thieves, who may sell a complete medical record for more than $1,000 on the darknet. That is because the records contain not just your insurance info—which can be used for fraudulent billing and prescriptions—but also your Social Security, driver's license and credit card numbers. As a result, the health care and work comp industry is scrambling to play catch-up to secure patient and hospital data.
Always remember workers comp benefits are about 45% health care costs in the U.S. and other countries. Health care has lagged far behind banking, financial services and retail when it comes to implementing security protocols. Until Obamacare mandated electronic records, many medical providers still operated with ancient concepts like paper, faxes and handwritten charts. Once electronic systems were finally implemented, the industry struggled to attract and retain top IT talent to protect us. The access issues are industry-specific. "Security in health care has some unique challenges because we have to share data in order to save lives while also protecting patient information," says Steven Smith, chief information officer at Evanston-based NorthShore University HealthSystems. "If you think of a bank, your financial information is locked up and not shared. But we need to share our data with all doctors, nurses and outside payers, as well as with the patients themselves."
IT security experts say it's tough to overstate the enormity and frequency of the threats, which have skyrocketed in the past decade as everything has become exponentially more networked.
So far in 2017, 79 security breaches, each affecting at least 500 patients, have been reported to the U.S. Health & Human Services Department. That's more than five incidents a week. Only one, involving Walgreens Boots Alliance and 4,500 records, took place in Illinois. Still, our State has experienced nearly 100 incidents since 2010, according to the HHS breach portal, known as the "Wall of Shame" to security professionals.
Major hospital systems here are beginning to pay the price as HHS levies fines on providers who have lost sensitive patient data. In January, Chicago's Presence Health agreed to pay $475,000 to HHS for failing to report in a timely manner a 2013 breach involving missing paper schedules containing patient information. Presence is "working diligently" on a corrective plan, including additional security training for staff, a spokesman says.
That figure pales in comparison to the $5.5 million shelled out by Advocate Health Care in August. The Downers Grove-based hospital network agreed to pay HHS the largest settlement ever by a single entity for potential violations of federal patient privacy law related to three separate 2013 breaches that compromised the data of at least 4 million people. Two of the incidents involved stolen employee laptops, while a third involved a consultant's potentially unauthorized access to patient records. Since then, Advocate has "enhanced (its) data encryption measures," says a spokeswoman, adding that there's been no indication the information was misused.
Nationwide, IT breaches cost the medical and workers comp industry more than $6 billion annually—a number that grows each year.
Hospitals and physicians' practices make enticing targets. For starters, the protections are lax. "Based on our testing, health care applications performed more poorly on just about every (security) measure than applications in any other industry," says Tim Jarrett, a senior director of product marketing at Veracode, a Boston software security firm. Then there's the industry's personnel problem. "The U.S. has a huge shortage of highly qualified cybersecurity people across all industries," says Rod Piechowski, a senior director at the Healthcare Information & Management Systems Society, or HIMSS, a Chicago-based nonprofit with more than 50,000 members. "Being late to the game, health care just can't compete."
Although they're in high demand, IT professionals in health care and workers’ comp historically have not had a major say in their employers' procurement process, unlike in other industries, according to Jarrett. Until recently, security wasn't prioritized the way it was in finance or banking, and, as a result, network administrators couldn't effectively lobby manufacturers to increase software security standards, so they often ended up overseeing systems that are tough to keep safe. Plus, it's not just computer and billing systems that are vulnerable. Medical devices from insulin pumps to pacemakers store information wirelessly. Several years ago, former Vice President Dick Cheney revealed that, while he was in office, his doctors had disabled his heart implant's wireless connection because of a fear of assassination attempts. More recently, Johnson & Johnson warned customers about a security problem with one of its insulin pumps.
Some medical devices aren't made to allow any remote management, which prevents IT people from detecting problems and installing updates efficiently. Once tech teams are saddled with subpar systems, they're really stuck—because medical equipment tends to have a much longer life cycle than consumer electronics. Jarrett says he knows of one Midwestern drug company where computers that prepare prescriptions for patients use Windows XP, a 16-year-old operating system that stopped being supported in 2014. "That's horrifying," he says.
'SHADOW IT' SYSTEMS
Compounding the issue, some physicians, frustrated by clunky systems and compelled to find quick workarounds in the name of patient care, have created ad hoc "shadow IT" systems that rely on insecure methods like texts or unencrypted personal email, according to Coady.
As health care systems struggle to secure their data, increasingly sophisticated thieves have more reasons to steal it. Because the records include so much information, thieves can falsify insurance claims and collect checks, get tens or hundreds of thousands of dollars of free care on someone else's insurance (which might affect the real policyholder's coverage limits), and falsify driver's licenses to illegally get prescriptions. "The fraud that can be executed against payers is incredible," Coady says. Medical hackers have also been known to attempt extortion. In late 2014, Clay County Hospital, an 18-bed facility in downstate Flora, received an anonymous message saying that more than 12,000 patient files would be released unless it paid thousands of dollars. Administrators instead contacted the FBI—but other hospitals, including Hollywood Presbyterian Medical Center in Los Angeles, have paid thousands of dollars in similar situations.
Most Chicago hospital systems are reluctant to discuss their security efforts beyond confirming that they've invested lots of time and money. But they acknowledge the pressing issue. "The Cook County Health & Hospitals System has invested considerable financial and human resources into ensuring the highest level of security possible," Donna Hart, the system's chief information officer, says in a statement. "The security of our systems is one of our highest priorities."
We appreciate your thoughts and comments. Please post them on our award-winning blog.
Synopsis: Whistleblower Claims Have to Relate to Issues Complained Of. Analysis by Shawn Biery, J.D., M.S.CC.
Editor’s comment: Interesting decision for anyone who has been subjected to defending claims made under the Whistleblower Act. In Corah v. The Bruss Co., No. 1-16-1030, decided before the Appellate Court of Illinois, First Judicial District, Third Division March 2017, the court found no whistleblower protection for employee Corah due to lack of any evidence that his refusal to complete accident reporting.
Joseph Corah was the supervisor of bone-in-steak production at The Bruss Co., an affiliate of Tyson Foods. In September 2010, an employee under his supervision named Yvette Albea began having issues with lightheadedness and sweating, which caused her glasses to fog up. At Corah's recommendation, Albea was taken off the production line. However, after Albea threatened a union grievance, she was placed back on the line, and after her return she cut her finger on a band saw. Corah completed an accident report (internally identified as an AIR) in which he placed the root cause of the accident on the superintendents for negligently placing Albea back on the line. After a dispute with the two superintendents and the plant's human resources manager over what to put in the report, Corah was terminated for insubordination.
The court again held that the language of section 20 is unambiguous and that “a ‘plaintiff must actually refuse to participate’ in an activity that would violate a law or regulation,” citing Lucas v. County of Cook, 2013 IL App (1st) 113052 (quoting Sardiga v. Northern Trust Co., 409 Ill. App. 3d 56, 62 (2011)), which indicated Plaintiff bears the burden of establishing his claim under the Whistleblower Act.
The appellate court found that because the worker was not being asked to do anything illegal, his actions were not protected under whistleblower laws.
Key to the decision was evidence that Corah's managers said they were willing to include typewritten notes from Corah "voicing (his) concerns about Albea being permitted to remain qualified on the band saw" in the report. They said they terminated Corah after he refused to fill out the AIR completely. The court also accurately determined that the AIR was an internal document not submitted to any outside agency so Corah failed to demonstrate that modifying the AIR would have violated any state or federal law, rule or regulation.
The court specifically noted "Defendant did not ask Plaintiff to falsify the AIR but merely to include the technical cause of Albea's accident," and "In addition, defendant's safety manager established the AIR was an internal document that would not have been submitted to any government agency."
Managers also testified that Bruss Co. submits a separate workers' compensation form to the state and only circulates the AIR internally. The workers' compensation administrator for Tyson, a self-insured company, indicated having access to AIRs when processing claims but confirmed they are not submitted anywhere.
It is probably also relevant that Bruss/Tyson approved Albea's application for workers' compensation benefits as a result of the accident.
This case is a strong example of an employer’s ability to control their internal documentation process and procedures. It also supports our general longstanding advice to KCBA clients when we consistently recommend investigation matching the urgency of claims and detailing all issues, including facts which may impact other potential claims—in this case, the initial WC investigation noting the threat of union grievance provided evidence to defend the whistleblower claim.
It is also important to note that Bruss/Tyson did not violate any state or federal laws in this matter—and it is significantly easier to defend a well-managed and innocent client! This article was researched and written by Shawn R. Biery, JD. You can contact Shawn at firstname.lastname@example.org for questions regarding any of your employer defense claims.