Facing New Vulnerabilities

May 2014, Vol 4, No 3 - From the Editor


Challenges come from all directions, and good oncology managers have eyes in the backs of their heads. Two significant challenges arose recently, stemming from a common computer operating system platform as well as from the US government.

In April 2014, Microsoft ended support for one of its still most popular computer operating system platforms, Windows XP. Considered by many to be a reliable workhorse that has weathered the debacle of Windows Vista and the recent unveiling of the less popular Microsoft 8, several small business industries have hung onto Windows XP, including medical practices. Windows XP can still run on computers; however, by withdrawing this support, Microsoft will no longer issue fixes to nonsecurity-related problems, provide new security updates, or offer online technical content updates. There will be some antimalware-related updates through July 2015, but not enough to protect an outdated operating system.

Medical practices make significant investments in technology, not the least of which are the computers, laptops, and operating systems on which to run that technology. Every time an operating system changes, the entire practice’s operational flow is put at risk. Even if the practice’s billing system or electronic medical record (EMR) system claims to be compatible with a newer operating system other than Windows XP, there is a time lag to purchase, install, and reload all software, and then train staff on the machines with the new operating software. What if supporting accessories, such as printers, applications, and medical equipment, are not readily upgradable to the new system? Each new operating system has a different style and approach, and busy staff members or physicians may become frustrated over the course of their learning curve.

However, the downside of not replacing Microsoft Windows XP can be significant. Without regular patches to repair bugs, any operating system will likely freeze up and crash. A lack of security updates means that hackers will be actively looking to explore vulnerabilities in the old system, without protection from Microsoft and developers. In an article by Bree Fowler for the Associated Press, Sam Glines, chief executive officer of a threat-detection firm, noted that healthcare-related information is 10 to 20 times more valuable on the black market than financial information, because it can be used to create fraudulent medical claims and illegally obtain prescription drugs; therefore, doctors’ offices become likely targets of hackers.1

Medical offices are well aware of the front-end threats to private health information, and take significant precautions to protect patients and their personal information in the office, but the increased potential for hackers coming through unprotected back doors in a now unprotected practice computer system may not yet have hit offices’ radar. What is a practice to do to address this new vulnerability?

Seek appropriate technical support to assist with the transfer to a new system, possibly through your billing or EMR providers

  • Identify any hardware currently in your office or at the homes of your physicians or staff who access patient information (do not forget laptops or tablets)
  • Process any current malware updates on a regular basis
  • Research upgrade options or whether new hardware is needed
  • Assess the impact on your operating system or medical records system, connections with any external software (eg, laboratories, imaging, or hospitals), and identify the best new operating system
  • Develop a plan for transfer, with substantial backups and concurrent operations until the new system is fully functional.

The other new vulnerability to hit practices in April 2014 came from the US government. As part of its increasing intent to bring transparency to healthcare, the Centers for Medicare & Medicaid Services (CMS) released data on physician payments to the press and general public for the first time in 35 years. The released data include physician names, addresses, specialties, bill rates per service, Medicare’s actual pay rate for that service, the number of Medicare beneficiaries for whom the physician billed, and the number of services provided for every Medicare provider.2,3 Instantly, the national and local news media wrote headlines and lead stories about individual physicians and specialties.4 Patients, staff, and physicians have been exploring the data and looking for answers and responses from practice administrators since the first news story hit. Medicare was to have provided physicians an opportunity to review and vet the data collected on them, but that never happened.

The biggest problem with this data (among many) is that it is being presented and used out of context. Many of the analyses show average payments per physician but do not explain what services were attributed to that physician or whether that physician had extenders who also billed under their number. Most important for oncology as a specialty, there is no obvious explanation that doctors pay for their offices and staff from these Medicare payments, and also purchase drugs (at costs numbering in the millions of dollars for a group or physician) and then bill for treatments used. These Medicare data only show the payments, with an inference that these payments represent net income made by the physician from the Medicare program.

What steps can a practice administrator take to address these public perceptions (and, in some cases, misperceptions) and support their physicians who are profiled by local and national media?

  • Route all questions about the data through 1 voice in your group, preferably the practice administrator, so physicians are not put on the defensive discussing financial matters when they are trying to care for patients
  • Develop a short, concise statement that is made available to staff, patients, or anyone interested. This statement should include support for transparency, but also note the flaws and challenges with the data as it is presented
  • Look to resources for more detailed statements related to the data release that support your own position. These re­sources may also offer help in crafting an opinion piece or letter to the editor for your local market (Table).


Table

Both of the vulnerabilities noted here come from the outside, all while your group tries to continue serving its patients in their fight against cancer. Most of the burden of coordinating and addressing these vulnerabilities falls on the practice management team at a time when clinical and administrative staff members are already overstretched dealing with operational and fiscal issues. That is what makes the practice manager position so critical in 2014, and illustrates the depth of knowledge and skills needed to navigate running a practice today. We will get past these challenges, as we do all the others, and working together will help to ease the burden.

References
1. Fowler B. End of Microsoft Windows XP support means trouble for some. Long Beach Press Telegram. April 7, 2014. www.presstelegram.com/technolo gy/20140407/end-of-microsoft-windows-xp-support-means-trouble-for-some. Accessed April 25, 2014.
2. Centers for Medicare & Medicaid Services. Press release. Historic release of data gives consumers unprecedented transparency on the medical services physicians provide and how much they are paid. http://www.cms.gov/Newsroom/MediaReleaseDatabase/Press-releases/2014-Press-releases-items/2014-04-09.html. Published April 9, 2014. Accessed April 25, 2014.
3. Centers for Medicare & Medicaid Services. Medicare Provider Utilization and Payment Data: Physician and Other Supplier. http://www.cms.gov/Research-Statistics-Data-and-Systems/Statistics-Trends-and-Reports/Medicare-Provider-Charge-Data/Physician-and-Other-Supplier.html. Updated April 23, 2014. Accessed April 25, 2014.
4. Hoyer M, Kennedy K; for USATODAY. First look at Medicare data in 35 years. USATODAY. April 10, 2014. www.usatoday.com/story/news/nation/2014/04/09/government-releases-medicare-physician-pay ment/7462923/. Accessed April 25, 2014.