Impact Insights

Week in Review 8/22/2014

A large number of national and local news sources reported on a large-scale hacking attack affecting millions of individuals who have interacted with Community Health Systems.

The Tennessee-based healthcare company Community Health Systems (CHS) was the victim of hackers who illicitly gained access to an estimated 4.5 million patient records in April and June. The compromised records included names, addresses, birth dates, telephone numbers and Social Security Numbers. The Company and its forensic expert, Mandiant (a FireEye Company), believe the attacker was an “Advanced Persistent Threat” group originating from China who used highly sophisticated malware and technology to attack CHS systems. The attacker was able to bypass the company’s security measures and successfully copy and transfer certain data outside the company.  CHS has completed eradication of the malware from its systems and finalized the implementation of other remediation efforts that are designed to protect against future intrusions of this type. Federal authorities and Mandiant state that this intruder has typically sought valuable intellectual property, such as medical device and equipment development data. However, in this instance the data transferred was non-medical patient identification data related to CHS physician practice operations.  This data is considered protected under HIPAA. CHS is providing appropriate notification and will also being offering identity theft protection to those affected.

Impact Advisors’ Thoughts: Community Health Systems runs 206 hospitals across 29 states. It is a Fortune 500 company with $7.2 billion in annual revenue and a pending $3.6 billion acquisition of Health Management Associates, which would make the company the largest for-profit hospital operator in the United States.

There are several things are particularly concerning about this breach.

  • While the APT teams hacking has been followed for over four years, the theft of personal identifiers represents a significant departure from previous breaches. Mandiant reported in their 2014 M-Trends report that the Chinese teams had been moving to broader business operations data, not just product plans.
  • Community Health Systems is a very large, for-profit hospital operator. Presumably CHS has stronger security measures than many other smaller systems.
  • The breach followed an FBI warning in April that the healthcare industry’s cybersecurity is “lax.”

Our own Derek Jones offered the following advice for health systems:

  • Firewalls and intrusion systems are not enough. Health systems require more advanced security practices and must invest in more security intelligence.
  • End user training for information security practices is critical.
  • Systems need to be proactive about monitoring security logs and network endpoints for unusual patterns and respond quickly.

Information security is sure to be a big challenge for health systems of all sizes for the foreseeable future.

Medicare to Pay Physicians to Coordinate Care for Chronically Ill Patients.

Beginning in January, “Medicare will pay monthly fees to doctors who manage care for patients with two or more chronic conditions,” the New York Times reported. Officials claim that “such care coordination could pay for itself by keeping patients healthier and out of hospitals.” CMS Administrator Marilyn B. Tavenner stated, “Paying separately for chronic care management services is a significant policy change.”

Impact Advisors’ Thoughts: Two-thirds of Medicare beneficiaries have at least two chronic conditions, and they account for 93% of Medicare spending. While the fee for care management only applies to traditional Medicare patients, this represents a significant policy shift offering even more evidence that the paradigm shift to population health management is gaining steam.

A survey of 62 ACOs finds that many lack tools for risk management and patient engagement and haven’t made much IT progress in the last year.
Every respondent said they have problems getting data from external organizations as they struggle with interoperability, workflow integration, and infrastructure maintenance. Few of them use secure messaging, referral management tools, self-scheduling, remote monitoring, smartphone apps, or telemedicine. Most do not coordinate care via an HIE.

Impact Advisors’ Thoughts: ACO participants are among the most advanced systems in terms of IT adoption. This survey elucidates that even among early adopters IT and Analytics maturity lags behind the needs of the health system to successfully navigate ACOs and risk-based contacting. Over 30% of new payor contracts are risk-based to some extent, and all major insurers have expressed intent to rapidly rollout these types of contracts over the next few years. To succeed systems will need to significantly invest in and mature IT and Analytics infrastructure and support as well as operational and data governance. They will also need to rapidly develop a strategy for integrating external data.

Image 4