Readers Write: Spotting a Spoofed Email in Healthcare

December 22, 2016

Spotting a Spoofed Email in Healthcare
By Matt Mellen

Over the past year, healthcare organizations of all sizes have been impacted by cyberattacks. Most of them involve malware of one sort or another. As a former security operations lead at a hospital network in the San Francisco Bay Area, I learned what my research at Palo Alto Networks has confirmed: by far, the most common way for malware to make its way into healthcare networks is by spoofed emails.

Spoofed emails are intended to fool the recipient into clicking a link or attachment that’s actually malicious. Once clicked, malware is typically downloaded and executed on the hospital workstation. There are plenty of technical approaches to filtering out these types of emails, but none are perfect. For that reason, it’s always prudent to also take some steps to educate your staff to help prevent them from clicking on malicious links and attachments in emails.

I’ll outline a few ‘tells’ or things your staff should look for to spot spoofed emails.

Tell #1. Look for Warning Signs
Before you click a link, look for warning signs that will help you determine its legitimacy. For example, was it sent by an unknown sender? Is it unsolicited? Are there any missing or replaced characters? Is it a shortened URL? If you’ve answered “yes” to any of these questions, you may have received a phishing link.

Tell #2. Unofficial “From” Address
Look out for a sender’s email address that is similar to, but not the same as, a company’s official email address. Fraudsters often sign up for free email accounts with company names in them (such as “hospitalABC@gmail.com”). Users who don’t carefully review the sender’s email may miss the suspicious sending address.

Tell #3. Emotional Motivators
Fraudsters often prey on emotions to drive users to click on a link immediately. Emotions like fear, urgency, and curiosity are effective and frequently used. Additionally, be wary of emails containing phrases like “your account will be closed,” “your account has been compromised,” or “urgent action required.” The fraudster is taking advantage of your concern to trick you into providing confidential information.

Some examples:

  1. You have a new voicemail.
  2. Your mailbox is almost full.
  3. You have a new e-fax.
  4. We have detected a fraudulent credit card charge.
  5. Your account has been locked.
  6. View your invoice.
  7. Your package is at the front desk.

Tell #4. Generic Content
Fraudsters often send thousands of phishing emails at one time. They could have your email address, but they usually don’t know your name. Be skeptical of emails with a generic greeting like Dear Healthcare Professional or Dear Customer.

Tell #5. Grammar and Spelling Mistakes
Fraudsters will often make spelling or grammar mistakes when creating a phishing email. If an email sounds unprofessional, this is a red flag that the email may be a fake.

Tell #6. Fake and Obfuscated Links
Phishers include links in their emails to lure you either to fake sites that look like the real ones, in order to steal your login credentials, or to sites that will infect your computer with malware. To find out where a link is really taking you, always hover over the hyperlink. If the URL that is displayed is only an IP address, does not match the URL that is shown in the email content, or is long and confusing but includes a familiar term, you are likely looking at a phishing link.

For example: https://login.hospitalXYZ.com.av6shj825.com/login.htm

Next-generation security technologies can stop many threats before they even reach the user, but for those that slip through, whether or not the attack is successful depends on the behavior of the staff. If you educate your personnel on what to look for, they’ll be much less likely to make a mistake and click on that malicious link or attachment.

Matt Mellen is security architect, healthcare at Palo Alto Networks in Santa Clara, CA.


Contacts

Jenn, Mr. H, Lorre

More news: HIStalk, HIStalk Connect.

Get HIStalk Practice updates.
Contact us online.
Become a sponsor.

JennHIStalk

News 12/21/16

December 21, 2016

Top News

CMS anticipates that 171,000 physicians will see a “downward payment adjustment” (such an innocuous way to say penalty) in 2017 for not meeting Meaningful Use requirements in 2015. The cut is slightly below the 209,000 who took a penalty in 2016, and far below the 257,000 EPs – almost half of those eligible – who saw punitive penalties in 2015. As you probably already know, Medicare MDs will transition out of the MU program into MIPS beginning with reporting periods in 2017 for the 2019 payment year. Medicaid physicians will attest to their respective states for MU incentive payments.


HIStalk Practice Announcements and Requests

Listening: My absolute favorite Christmas album is the soundtrack to 1965’s “A Charlie Brown Christmas.” Fun facts: The holiday special was sponsored by The Coca-Cola Company, written in just a few weeks, and animated in six months. Both its producers and the network predicted it would flop because it didn’t have a laugh track.

I plan on posting tomorrow, provided there is enough news to warrant readers’ time. HIStalk Practice will take a break next week, returning on Monday, January 2. Wishing you a Merry MACRA in 2017!


Webinars

January 18 (Wednesday) 1:00 ET. “Modernizing Quality Improvement Through Clinical Process Measurement.” Sponsored by LogicStream Health. Presenters: Peter Chang, MD, CMIO, Tampa General Hospital; Brita Hansen, MD, CHIO, Hennepin County Medical Center. The presenters will describe how they implemented successful quality governance programs, engaged with their health system stakeholders, and delivered actionable information to clinical leadership and front-line clinicians. Q&A will follow.

January 26 (Thursday) 1:00 ET. “Jump Start Your Care Coordination Program: 6 Strategies for Delivering Efficient, Effective Care.” Sponsored by Healthwise. Presenters: Jim Rogers, RN, RPSGT, director of healthcare solutions, Persistent Systems; Charlotte Brien, MBA, solutions consultant, Healthwise. This webinar will explain how to implement a patient-centered care coordination program that will increase quality as well as margins. It will provide real-world examples of how organizations used care coordination to decrease readmission rates, ED visits, and costs.


Acquisitions, Funding, Business, and Stock

New Jersey-based Allegiance Health Group’s ACO sees $2 million in savings across its 2,867 Medicare patients – a figure it attributes to population health management technology and services from HealthEC. The ACO has 43 physicians working in 28 practices. “We are a small group of providers working with patients from the inner cities of central New Jersey who still managed to achieve federal savings, reduce spending, and significantly have an impact on cost utilization,” says Allegiance ACO CEO Marc Whitman, MD, adding that the PHM technology helped to alleviate back-office work so that physicians could spend more time with their patients.


Announcements and Implementations

Behavioral health agency Our Children Our Future (FL) selects EHR and PM technology from the TenEleven Group.


Telemedicine

Fort Worth, TX-based Online Doctor Visit joins what seems like an already saturated market in launching direct-to-consumer virtual consults.


Government and Politics

ONC releases an updated (and more interactive) catalog of interoperability standards and implementation specifications to help stakeholders better understand federal program requirements and utilization. “The Interoperability Standards Advisory is a key step toward achieving the goals we have outlined with our public and private sector partners in the Shared Nationwide Interoperability Roadmap, as well as the Interoperability Pledge announced earlier this year,” explains National Coordinator Vindell Washington, MD. “We incorporated detailed stakeholder feedback to provide a consolidated, public list of standards and specifications that can be put to use to address clinical, public health, and research needs for sharing electronic health information.”

HHS releases details on the Track 1+ ACO model announced as part of the final MACRA rule. In an effort to encourage more small practices to participate, the new track will offer more limited downside risk than Tracks 2 or 3 – a move the department attributes to physician practice feedback. It expects 70,000 clinicians to qualify for Advanced Alternative Payment Model incentive payments in 2018. Those working in the trenches are slightly less confident.


Research and Innovation

Walgreens will tap into Chicago-based incubator Matter’s network of entrepreneurs as it looks to stay on top of innovations in healthcare and pharmacy. The retail clinic and pharmacy chain, which announced this week that it will become the exclusive retail pharmacy provider for the University of Miami Health System and is in the midst of acquiring Rite-Aid for $9.4 billion, will lend its mentoring capabilities and development expertise to Matter’s 150-plus startups. (Perhaps it will share lessons learned from its ties with Theranos, which has resulted in a $140 million lawsuit.) Both organizations are founding members of the new business development-focused Healthcare Council of Chicago.


Other

The local news highlights a new pilot program in New Jersey that provides state employees with free direct primary care through managed primary care company R-Health. Physicians in the three-year pilot will be limited to 1,000 patients and receive a per-member fee per month, as well as incentives based on clinical outcomes and patient satisfaction.

Spoiler Alert: Slate takes a humorous look at the lax cybersecurity practices of the Empire in the new Star Wars film Rogue One. New America’s Open Technology Institute Director Kevin Bankston astutely observes that “best practices dictate that you should at least wait until you’ve ‘been able to conduct a meaningful forensic examination’ before testing out your planet-killing super weapon,” adding, “It seems like the guys who developed digital security for the Empire are the same guys who developed that completely useless storm trooper armor.”


Sponsor Updates

PerfectServe employees are supporting charitable programs that include donating duffel bags packed with personal items for adolescents completing treatment services; providing financial support to a co-worker who lost belongings in an apartment fire; collecting food and supplies for families affected by the Gatlinburg, TN fires; and collecting food for the Chicago food bank.

News 12/20/16

December 20, 2016

Top News

TPG Capital will acquire Mediware Information Systems from private equity firm Thoma Bravo in the first quarter of 2017 for an undisclosed sum. Thoma Bravo acquired Mediware, which develops software for healthcare and human services providers and payers, for $195 million in 2012. TPG’s healthcare IT investments also include Evolent Health, and IMS and Quintiles, which merged earlier this year to form QuintilesIMS.


Webinars

None scheduled in the coming weeks. Contact Lorre for webinar services.


People

The National Quality Forum appoints Teladoc CMO Henry DePhillips to its new Telehealth Multi-stakeholder Committee.


Announcements and Implementations

The Illinois Rural Community Care Organization signs a three-year agreement with RoundingWell to deploy its care management software across its rural ACO participants, including 24 hospitals, 35 clinics, and 14 independent physician practices that serve over 24,000 Medicare members.

Orthopedic + Fracture Specialists (OR) will integrate Odoro’s patient self-scheduling technology with its GE Centricity EHR.

Exxemplar EDI will provide its Web-based Vital Monkey PM and billing software to customers using a separate EHR.


Research and Innovation

A Healthgrades study of 1,037 consumers finds that they place higher value on physicians that offer online appointment scheduling but have lesser availability than those that have greater availability but no online scheduling. The company contends that, “Consumers who use online scheduling tend to be younger, better educated, and schedule more appointments for themselves and others,” though I find it hard to believe those “others” might include kids.


Government and Politics

The State of Michigan will implement Appriss Health’s prescription monitoring program technology as part of its broader efforts to prevent prescription drug abuse. The PMP AwaRxe system will replace the Michigan Automated Prescription System, give physicians access to statewide data-sharing, and allow them to integrate PMP data with their EHR and drug dispensing systems.

Oh the irony: After extending open enrollment due to consumer demand, a GAO “sting” finds that Healthcare.gov once again approved coverage for fake applicants. Of the 12 fake applications submitted by the GAO, nine were approved and given premium tax credit subsidies verging on $19,000 per year. The office performed a similar test last year with similar results, and contends that HHS has still not acted on the eight recommendations it made last February to bolster enrollment controls.


Telemedicine

The Verge takes a long-form dive into the many controversies surrounding Talkspace, a New York City-based startup that offers anonymous therapy via a chat-based messaging app. Talkspace employees have been vocal about the company’s confusing (and, in some cases, downright shady) payment, vacation, patient attrition, and medical records access policies. They have been especially indignant about the company’s lack of clear policy around contacting patients (known only by their user names) who have admitted to endangering or harming themselves or others – an issue that highlights the many privacy issues telemedicine companies find themselves facing as technology evolves and consumer demand increases. As one anonymous Talkspace therapist admitted: “All of the risk is on the therapist, all the work is done by the therapist, but there’s a tremendous amount of fear and control — and they dangle this carrot, that you’re part of something big and important. It’s neurotic handcuffing.”

EWellness Healthcare develops a telemedicine profitability calculator to help interested physical therapy clinics understand the potential profits associated with using the company’s Phzio platform.


Other

Slightly creepy holiday tidings from the US Public Health Service


5 Questions with John Brickley, VP, Ambulatory Operations & Network Development, MedStar National Rehabilitation Network

December 20, 2016

John Brickley is vice president of ambulatory operations and network development at Washington, DC-based MedStar National Rehabilitation Network, which includes one hospital and 50 outpatient facilities in DC, Maryland, Northern Virginia, and Delaware. As part of the larger MedStar Health system, MedStar NRH employs 1,200 FTEs across its network, and sees 500,000 patients at its ambulatory locations each year. The company implemented WebPT’s EHR for physical, occupational, and speech therapists last month. Its outpatient physicians also use Cerner Millennium.

Why did MedStar NRH decide the time was right to implement new EHR technology?
The payer and regulatory environment continues to become more and more complex. Manual systems, or even EHRs that are not specifically suited to the nuances of an outpatient therapy environment, do not allow the therapy provider to effectively and efficiently migrate this environment. Even though our healthcare system was deploying an enterprise-wide solution, after extensive analysis, we determined that WebPT was the tool that best positioned us for long-term success and to support our continued growth. We will continue to determine ways to best integrate their technology into our system’s enterprise solution to maximize communication among caregivers. Through this process, we will promote the safe, high quality and efficient provision of care across not only all of MedStar’s network but throughout MedStar Health.

How do you anticipate it will affect provider workflows and patient outcomes?
We feel that it enhances communication among caregivers and provides both clinicians and administrative operations support personnel with much appreciated efficiencies. In turn, this provides additional direct patient care time for our providers. We believe this will have positive impacts upon care delivery and thus patient outcomes. A key driver in this is finding an EHR/PM system that has a positive versus a negative impact on both MedStar NRH team member efficiency and revenue capture.  

Is this implementation part of the group’s larger preparation for MACRA and its value-based care/payment programs?
Ultimately, we feel the information provided and the overall improvements in clinical, administrative operations, and revenue cycle functionality, positions us all the better for upcoming changes in payer requirements and value-based reimbursement models.

Do PT practices face unique healthcare IT implementation challenges? Can you share a few examples?
Definitely. Many EHRs, particularly those focused on providing an enterprise-wide healthcare solution, tend to be very physician practice focused. The therapy reimbursement and practice environment are very different from that of what physicians use. To effectively provide day-to-day operational efficiencies for therapists, and to address the unique payer environment to best meet the needs of accounts receivable nuances, we felt it was vital to tailor the system to the therapy environment. Additionally, central billing functions need to be tailored for these unique payer requirements and limitations. The EHR must effectively link to the backend AR world, and the billing function must be designed to address the payer requirements specific only to the therapy world.  Some things we did to adapt include:

  • Select an EHR that was dedicated to meeting the needs of the therapy environment.
  • Create a go-live preparation, launch, and ongoing operational team comprised of clinical, administrative, and revenue cycle personnel. Dedicated time and attention has been extensive, but has led to a very successful launch up to this point in time.
  • Create a relationship with the EHR vendor that will promote ongoing evolution of their tools to best meet not only our needs, but those of the evolving therapy environment. We and our EHR vendor have ongoing, open dialogue and working sessions to continue to improve their system, and in essence, a partnership approach to making one another better. Our size, scope, and full spectrum of therapy services and programs has been a tremendous benefit in this relationship.  We have ongoing lists of enhancements that we prioritize together. These enhancements make us both stronger in the marketplace.
  • Tie ourselves to a billing component (AdvancedMD) that interfaces very well with both the EHR and ultimately the backend of our EHR.
  • Customized billing office operations at this time are distinct from the entire MedStar Health system’s CBO. In time, we plan to integrate these, but not until the overall CBO is prepared.

Christmas is coming! What is on your health IT wish list?
I would like to see us effectively migrate the waters to best integrate for system-wide caregivers, our therapy-specific EHR and PM system, and MedStar Health’s enterprise-wide solution. We feel this is extremely important to our operations.


News 12/19/16

December 19, 2016

Top News

In an effort to help more physicians join Advanced Alternative Payment Models, CMS will open up new application periods for practices and payers interested in joining Comprehensive Primary Care Plus and Next Generation ACO programs. The agency expects that a quarter of providers in the Quality Payment Program will be eligible to earn incentive payments as part of these APMs by the 2018 performance period.


HIStalk Practice Announcements and Requests

Head over to HIStalk for details on submitting HISsies nominations (please, someone nominate Siemens and its Healthineers for “Stupidest Vendor Action Taken”), New Sponsor Intro Week in mid-February, and HIStalkapalooza invites.


Webinars

None scheduled soon. Contact Lorre for webinar services.


Announcements and Implementations

Aledade will expand its ACOs in Delaware and West Virginia to include 40,000 Highmark Blue Cross Blue Shield plan members. The independent physician-led organizations include 22 and 26 primary care practices and FQHCs, respectively. This expansion marks Aledade’s fifth commercial agreement following announcements earlier this year of contracts with Blue Cross Blue Shield of Kansas, Blue Cross Blue Shield of Louisiana, Florida Blue, and the West Virginia Public Employees Insurance Agency.

Fallas Family Vision (GA) implements RevolutionEHR. The optometry-focused EHR company acquired competitor GetWell including its Visions and Eyebase product lines in June.

The American Board of Family Medicine launches a registry focused on physician quality assessment, improvement, data-reporting requirements, and population management in an effort to promote self-governance and prevent burnout.


Acquisitions, Funding, Business, and Stock

The University of Kansas Hospital partners with Cerner to open an employee health center for the Unified Government of Wyandotte County and Kansas City, KS. The 5,000 square foot Road to Wellness Health Center marks the eighth such facility Cerner has opened in Kansas City and the fortieth nationwide. I interviewed Cerner VP of Population Health Services Mike Heckman (above left) earlier this year.

Global IT services company CSC will invest an undisclosed amount in Smartlink Mobile Systems and integrate its Medicare-friendly chronic care management technologies with new CSC CCM software and services.


Telemedicine

The Greenwood Genetic Center launches telemedicine capabilities between its five locations in South Carolina, thanks to financial support from the South Carolina Telehealth Alliance, the Medical University of South Carolina, the GGC Foundation, and an anonymous $150,000 grant from private donors. The nonprofit provides clinical genetic services, diagnostic testing, educational programs and resources, and conducts medical genetics research.


Government and Politics

Due to consumer demand, HHS extends Healthcare.gov open enrollment through midnight tonight for coverage starting January 1. Last Thursday marked the enrollment site’s busiest day ever, with 670,000 people signing up.

MGMA offers commentary on the final MACRA rule, imploring CMS to:

  • Allow more streamlined reporting across the four MIPS categories.
  • Switch from a hard and fast December 31 pick-your-pace deadline to a more gradual transition period.
  • Shorten the mandatory quality and advancing care information reporting periods to any 90 consecutive days.
  • Allow participants to use 2014 or 2015 certified EHR technology until at least 2020. (The association points out that ONC lists just 27 products – 14 from the same vendor – as certified for 2015.)

CMS announces a new Medicare-Medicaid ACO model in an effort to bridge the cost gap for dual eligibles already enrolled in MSSPs. CMS will enter into participation agreements with up to six states, provided those states have enough Medicare-Medicaid patients in fee-for-service programs. The ACO’s first year-long performance period is slated to start January 1, 2018.

