Transcript

[Transcript] Episode 506: One Year After the Change Healthcare Breach: What Group Practices Must Learn

Evan Dumas

You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.

 

Liath Dalton 

And I’m Liath Dalton, and we are Person Centered Tech.

 

Liath Dalton 

This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user go to therapynotes.com and use promo code PCT.

 

Evan Dumas 

Hello and welcome to episode 506: One Year After the Change Healthcare Breach: What Group Practices Must Learn.

 

Liath Dalton 

Yes, and normally we will say should, or put things in softer language. But there really are a number of “must” takeaways from this breach and its impact, which continues to reverberate across the healthcare landscape, from small practitioners to large practitioners, and I know many of you have some trauma, and understandably so, from the impact it had to your practices, to getting claims paid or not paid, and having to manage that operationally, and then fielding concern from your team members about security of client info and how they should respond to clients.

 

Liath Dalton 

And so it was a huge mess, and obviously we don’t want that scale of breach to occur again in future. But part of what was highlighted was sort of all of the interdependence and interconnections within the healthcare ecosystem. So there are certain things that are beyond your control, but there are a number of crucial things that are within your control, and that’s what we’re going to be focusing on today.

 

Liath Dalton 

So Evan, can you give us the kind of quick recap of what happened, like what and what went awry, what the cause of it was, because that, of course, leads into what group practice owners can do to be proactive.

 

Evan Dumas 

Yeah, so early 2024 Change Healthcare, this really big clearinghouse that handles payment processing and other things, a lot of transactions, for about 15 billion transactions each year, they were hit with a ransomware attack.

 

Evan Dumas 

And so a ransomware attack, for those of you who don’t know, is one where malicious people get access to your system and they shut the whole thing down, saying, Hey, we have your data, and unless you pay us money, we’re going to release it to the world or destroy it, or whatever. Usually just release it to the world, because it’s private information. And so they were hit with that. And they were like, I don’t know, should we pay? Should we pay? And then there was this whole debacle of, yes, they did pay. And then someone else also ransomed them because they also had the data. And so it was this big mess.

 

Evan Dumas 

But anyways, the whole system shut down. And so pretty much, like, one in three healthcare providers weren’t able to submit billing or do transactions. And it kind of really was a huge like, oh no, I guess we’ve had our eggs all in one basket time. And so that ransomware attack just debilitated the healthcare industry. It has hit about a, they’re now saying, 190 million individuals have been affected, and that’s just only like the current revised count, which it just came out, I think, last month.

 

Evan Dumas 

Mhm.

 

Evan Dumas 

So there’s a chance it’s even more because they had to try to find out how many people were involved. These are some big numbers.

 

Liath Dalton 

Huge, right? And what was the way that the hackers,

 

Evan Dumas 

Oh yeah.

 

Liath Dalton 

gained, gained access.

 

Evan Dumas 

Yeah. So there was one server in their massive system of servers that didn’t have multi factor authentication on. And so some malicious actor was able to get access to that server, give themselves admin privileges, and then from there, start downloading critical sensitive data and make a huge repository of it.

 

Speaker 1 

Yeah, absolutely crazy. So I mean, the key failure was that lack of multi factor authentication. Of course, there were other systemic issues that are kind of beyond what we’re focusing on today, like some of those centralized data vulnerabilities of course, the lack of robust security frameworks as well, that is something that folks in our space are able to control to an extent, but the primary failure was that the multi factor authentication was not in place.

 

Liath Dalton 

So that leads us to what are, what are the lessons for group practices? Now, one key piece that can can get overlooked or kind of handled in a ‘do it once and consider it done’ way where it’s not managed on an ongoing basis, is really employee training, right?

 

Evan Dumas 

Yeah, definitely.

 

Liath Dalton 

Your workforce are your first line of defense. And they also are often going to be the first target.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

And we’re seeing this with continued social engineering and phishing campaigns, where employees are often the weakest link but are the first target. So what do you do about that?

 

Liath Dalton 

Well, HIPAA has the answers here, in a way, because HIPAA has both the training requirement, that workforce members are given security awareness training on how to protect, how to apply the appropriate behavioral safeguards and follow the technical administrative and physical safeguards for Protected Health Information that they have access to or are handling on a day to day basis.

 

Liath Dalton 

So they need that foundational security awareness training for those systems, and then to also know what the sort of standard modes of attack are and where the vulnerabilities are, and how their behavior can either be the primary weakness or the main defense that stops an issue from arising. And then beyond that, there’s also the Security Reminder standard within HIPAA, which is that reminders about current threats and sort of calling back to that foundational training need to be made on an ongoing, regular basis.

 

Liath Dalton 

So it’s really about creating an overall security culture within the practice, equipping people with the knowledge and support that they need to be a team player, but also instilling within them that security culture and nurturing that, that culture. And a way that we have talked a lot about being able to be effective with that and not have it be something that just feels like, you know, arbitrary requirements or performative requirements, is that it really needs to be framed with client care being what is central, right? That at the beginning and end of the day is what this is all about.

 

Liath Dalton 

And so if the way that training is approached and reminders are approached and the general security culture of the practice is engaged with and talked about, is that this is a core aspect of client care. This is something, safeguarding client info is something that we have a not only a legal and ethical responsibility to do, but it is also something that is key to the therapeutic relationship and alliance. And so, yes, some of the things that actually you know, the logistics of how we safeguard that, might feel onerous at times, but they are actually necessary for this goal that everyone can can get behind and is behind, and that’s that is definitely the most effective way to approach it.

 

Liath Dalton 

So things that are supportive of that, that we found in practice and heard from, from feedback in from many of the group practice clients that we work with, are that one kind of key weakness in the way that HIPAA and security training are typically approached is that it’s a one and done. Or if it’s a training is done on a continual basis, normally just annual, or maybe biannual, that the same training is just repeated. And so folks kind of glaze over, right? And feel like, oh, I’ve already already done this, this is just a kind of rote thing that we have to do. It doesn’t actually translate to day to day operations or using trainings that aren’t specific to the practice context that your workforce are doing their work in, right?

 

Liath Dalton 

We want something that specifically addresses their role, their practice context, and is speaking in the language of this all being about centering client care. So that employee training is really vital to address, and that’s something you have within your power and ability to manage.

 

Evan Dumas 

Yes, definitely.

 

Liath Dalton 

So, making sure folks have that foundational security awareness training, and then doing regular security reminders as well. And we’ll put in the show notes you’ll find resources for a foundational security awareness training, and for some recommendations on how to effectively and efficiently manage ongoing security reminders. So that’s something that your security officer is going to want to be taking charge of and we’ve got some good resources for that as well.

 

Liath Dalton 

So then, another component that is a must is realizing that the basics matter in terms of your security measures. So a core component of that is really systems configuration, right Evan?

 

Evan Dumas 

Your settings, hitting the right buttons.

 

Liath Dalton 

Yes, you want the systems that contain client info to have all of the security configurations in place that support keeping that information within the system, and not having vulnerabilities where it’s easy for outsiders to get to it or kind of penetrate the system.

 

Liath Dalton 

And there are a few key things that we need to be thinking about in terms of this. One is really just fundamental, and that is that purely having HIPAA compliance-compatible systems, where you have a BAA in place with the service provider, is only a small portion of what makes that system compliant or not.

 

Liath Dalton 

So how systems are used and how systems are configured actually make up the bulk of what their compliance consists of. The having a Business Associate Agreement in place and a system being compliance-compatible is just part of it. And in our busy reality, where there are so many demands, it can be too easy to overlook actually setting up, going through and configuring each system that contains client info.

 

Liath Dalton 

We don’t want to think, oh, I’ve got the BAA, it’s HIPAA compliant, good, good to go right? And that is exactly what’s happening when multi-factor authentication as a requirement, as a system requirement, is not put in place in configurations. Because, technically speaking, any cloud based system that is handling Protected Health Information where you have a BAA in place, having multi factor authentication as a requirement, or having that functionality available is a requirement of those systems, but it isn’t on by default. Right, Evan?

 

Evan Dumas 

No, no, no.

 

Liath Dalton 

It has to be configured. So if you have one takeaway in terms of what settings you should be looking at, multi factor authentication is the kind of lowest hanging fruit and place to start. So put it on the to do list and make sure that every system that contains client info has MFA as a requirement.

 

Evan Dumas 

Exactly. Yep.

 

Liath Dalton 

Of course, there are additional measures that get more granular, and this is something that we talk about a lot with regards to Google Workspace in particular, and we’ll also include some resources in the show notes for for that. Because we have a Google Workspace Configuration Help Center that goes over some of those security fundamental configurations above and beyond multi factor authentication. So do, do, check that out.

 

Liath Dalton 

And then a simple thing that you can do with regards to your EHR is also doing a review of the role based access permissions and making sure that all of your team members have the appropriate roles assigned to them, and therefore the appropriate access levels to PHI. Remembering that HIPAA has the minimum necessary standard, which means folks should not, for example, to give a concrete scenario of what we’re talking about here, within the EHR, clinicians really should not have access to other clinicians’ clients’ records. They should only have access to their clients, their assigned clients’ records. And they shouldn’t even have access to the demographic information about other providers’ clients.

 

Liath Dalton 

So having the access level set up in such a way as to facilitate and ensure that is important. And that also reduces what we refer to as the surface area of risk exposure in the event that someone’s log in credentials are compromised, and that multi factor is bypassed and someone gets into someone’s account and is able to access the EHR. You want to minimize the impact of that, which is going to be done by following that minimum necessary standard. It makes the difference between potentially the data of every client of the practice being breached, and a smaller subset, right?

 

Evan Dumas 

Yeah, yeah.

 

Liath Dalton 

So that’s, that’s one more concrete example of what can be done. Now, the the next piece will come as no surprise, or if you’ve been listening to us or are part of the PCT community, this won’t be a surprise, and that is that the Change Healthcare breach really emphasized the importance of risk analysis and risk mitigation planning, and Evan this is your primary domain. So, I’ll let you speak a little bit to how a proper risk analysis functions and really does work to shore up a practice, where it’s not just something that is done for performative compliance.

 

Evan Dumas 

Oh yeah. Proper risk analysis is one that should feel a little challenging, because you’re looking at everything. You’re not saying, oh, I don’t know about that, so let’s skip it. It’s like, no, it’s got to be accurate and thorough. So, you, what we do and what other people do, I hear, because you can get risk analyses in other places. But you take a look at everything through the eyes of HIPAA, and how is it? And even if there is one circumstance where you’re like, Oh, we’re pretty good, except for this one, you’re like, well, that that’s a no, because it’s not 100%, it’s not that set. And it’ll also expose you to some things you didn’t know you needed to do.

 

Evan Dumas 

So it’s, it’s kind of like a shortcut to training for a lot of folks, because they’re like, Whoa, I didn’t know I needed to do this. And I’m like, yep, you do. And now you know. So that’s great, so we can mitigate that down the road. But it is first looking at everything and seeing, okay, do I need, like, how is it currently set in this moment in time? Do I have the behaviors, do I have the policies? But then also it’s the plan, it’s the mitigation plan for, okay, how am I going to take care of this? How I’m going to paste that, put it into my work week? And you know, you want it to be accurate and thorough, and you want it to cover all your bases.

 

Evan Dumas 

So, you know, sure, we touch on multi factor authentication, but we touch on how PHI is handled all over the place. We touch on the confidentiality, availability and integrity of PHI, the three sort of cornerstones of what HIPAA wants you to protect. And so by addressing that, look at your whole practice, you get a nice sort of overview. And they say to do this once a year. So that you can get a sense, or more often, if you make any big changes, but just to know that you took a look at it, rather than just sitting there mindlessly worrying about, are you in compliance with HIPAA, which is what a lot of people do, is like, well, take a look, get educated. Have someone guide you through it, and take a look with you, so it’s less scary, and that way you can finally know, rather than have it be an unknown to like, be concerned about.

 

Liath Dalton 

Exactly. And one way that I like to think of the risk analysis and risk mitigation planning process is really as a needs assessment and a treatment plan for your practice. And something that is unique in the risk analysis world, about the way PCT does risk analyses is that we look at two categories of risk. Both the in-practice risk, which is operationally, in the day to day goings on of your practice, and how PHI comes into the practice, where it lives within the practice, and how it flows out of the practice.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Are the standards for the required safeguards being met, just operationally, whether it’s codified in written security policies or procedures or not. And then formal compliance is the, and do you have that comprehensive set of written security policies and procedures that specify how each of the required standards for technical, administrative, and physical safeguards are being applied within the practice?

 

Liath Dalton 

And having those two distinct categories of risk be evaluated is super useful for a couple reasons. One, it is documenting the good work that you are already doing.

 

Evan Dumas 

True, right. Yeah.

 

Liath Dalton 

Because right, Evan, how many practices do we work with that may not have done a formal compliance process, may not have even done a formal risk analysis yet, but still have had a lot of intentionality.

 

Evan Dumas 

Oh, yeah.

 

Liath Dalton 

Exactly.

 

Evan Dumas 

Yeah, pretty much everyone.

 

Liath Dalton 

And that gets accounted for and documented in in the risk analysis in this way. But then it also gives us a much more useful output, and because anything that is an in-practice risk is going to be prioritized over something that is not an in-practice risk and is purely a formal compliance risk. Meaning you’re doing things right in practice, it just hasn’t been codified yet.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

Because, again, the whole goal of this is to actually safeguard client information. The primary way we do that is through the in-practice compliance piece. So that’s why it is beneficial to address risk analysis in this way. And I think the experience you have when you’re conducting risk analysis, Evan, is that it also feels really it’s more empowering for folks too, right? If they’re, if they’re also seeing that their good work is accounted for, and it feels like the mitigation items really make sense and align with the practice’s real needs.

 

Evan Dumas 

Yeah, definitely. I mean, you know, people never like to see the reds of like, the oh, I know I wasn’t doing that, because it is hard to look at reality when we, like, have acknowledged HIPAA, and put it in, put it on paper. But we’re also putting down the things that you’re already doing, and also the things you don’t need to do. Like, look, here’s a whole risk category that doesn’t even apply to you. You didn’t even know that you, like, got good scores on it, because you don’t need to take care of it.

 

Liath Dalton 

Exactly. So risk analysis is, is one way of you know, making the unknowns known, and then having a specific plan for how to address them, to to resolve security gaps. Having, one component of that, is also having an incident response plan, and that includes what to do when, and not if, but when, a cyber attack or security threat becomes activated within the practice context.

 

Liath Dalton 

And then another key component of having this this full compliance process, is to have redundancy and backup strategies in place which ensure operational continuity even in a breach scenario.

 

Liath Dalton 

And the pieces for operational continuity are different in terms of data availability and backups than meeting HIPAA availability standard, because that’s long term. But what happens in the short term period where a key system becomes unavailable? How do you still continue operations and meet client care needs? What are the pieces of data that are critical to that, and what is your backup strategy for that? So that’s something that we are always addressing through the compliance process and program with group practices, and have sort of some key strategies and areas where that can be addressed. So if you’re doing PCT’s full group practice HIPAA program, that’s a core component of that.

 

Liath Dalton 

So again, just kind of the the main takeaways in terms of proactive steps for group practices to take away as we look back at the whole debacle that was the Change Healthcare breach and what its impact was, and how to try and prevent that from occurring again, immediate actions are: enforcing multi factor authentication in all your systems that contain client info; making sure that your staff have a fundamental HIPAA security awareness training that addresses these real world threats of phishing and social engineering in particular; making a plan if you don’t yet have one, for ongoing security awareness reminders for your team.

 

Liath Dalton 

And then at the kind of higher level: your ongoing security compliance engagement, making sure that you have done that formal quote, thorough and accurate HIPAA security risk analysis, and that you’re working on implementing the risk mitigation items that are identified,

 

Evan Dumas 

Yeah.

 

Liath Dalton 

and that everything gets codified into comprehensive security policies and procedures that are implemented in practice. And I really want to again emphasize the in practice implementation, because that is the key to what makes a security compliance and risk management program successful, is that it has to be implemented in practice. It can’t be just, you know, written policies and procedures that are kept in a in a drawer, in a binder somewhere or in more, more likely these days, just some files in Google Drive or Dropbox that don’t actually get referenced and followed.

 

Liath Dalton 

So another key aspect of in practice implementation goes back, it’s interdependent with or interconnected to, having the systems configurations managed and periodically checked as well, and then making sure that employees are trained on how to appropriately use systems, and understand that they have a responsibility in their usage of the systems, and that that is what is crucial to making and keeping it compliant.

 

Evan Dumas 

Yeah.

 

Liath Dalton 

So do check out the show notes,

 

Liath Dalton 

because it’s going to be chock full of specific resources related to each of these key points. But just a kind of final note or call to action of be proactive and protect your practice rather than feeling overwhelmed by the sort of threat landscape and what compliance entails, take it in manageable steps. That’s why we’re trying to specify what those specific action items are for you. But it is, as Evan said, much better to know and be able to take action than just worry and not have a full picture of what’s going on and how to manage it effectively.

 

Evan Dumas 

I will.

 

Evan Dumas 

Yeah, exactly.

 

Liath Dalton 

So thanks for joining us, and we hope you found this useful. We’ll chat to you folks next week.

 

Evan Dumas 

Yeah, talk to you next time, everybody.

 

Liath Dalton 

This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast, or click podcast on the menu bar.


Your Hosts:

PCT’s Director Liath Dalton

Senior Consultant Evan Dumas

Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.

In our latest episode, we break down some important action items for group practice owners as a result of last year’s Change Healthcare breach.

We discuss:

  • What happened with Change Healthcare
  • What a ransomware attack is and how the hackers gained access
  • Foundational security awareness training, and creating an overall security culture in your practice
  • How to improve training for your workforce
  • Having the right security configurations in place in your systems
  • The importance of risk analysis and risk mitigation planning
  • Codifying everything into comprehensive security policies and procedures

Therapy Notes proudly sponsors Group Practice Tech!

TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.

*Please note that this offer only applies to brand-new TherapyNotes customers

Resources for Listeners

Resources & further information

PCT Resources:

  • PCT’s Comprehensive HIPAA Security Compliance Program (discounted) bundles:
  • PCT’s HIPAA Risk Analysis & Risk Mitigation Planning service for mental health group practices — care for your practice using our supportive, shame-free risk analysis and mitigation planning service. You’ll have your Risk Analysis done within 2 hours, performed by a PCT consultant, using a tool built specifically for mental health group practice, and a mitigation checklist to help you reduce your risks.
  • Group Practice Care Premium
    • weekly (live & recorded) direct support & consultation service, Group Practice Office Hours — including monthly session with therapist attorney Eric Ström, JD PhD LMHC
    • + assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
    • + assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more

Group Practices

Get more information about how PCT can help you reach HIPAA compliance while optimizing and streamlining your practice.

Solo Practitioners

Get more information about how PCT can help you reach HIPAA compliance while optimizing and streamlining your practice.
