Securing Remote HME Patients & Workers
As telehealth and remote connectivity become more prevalent in HME, providers must ensure they’ve locked up their data nice and tight. What are today’s security risks and how do providers counter them?
- By David Kopf
- Aug 01, 2021
While COVID-19 ramped up
the need for telehealth and remote connectivity
for HME patients and distributed
workforces, the drive to secure patients’
HME providers’ data predated the pandemic.
What are the data security challenges
for HMEs? How should they respond?
To examine the issue, Jerry Dennany, Chief
Technology Officer for industry software
company Brightree LLC (brightree.com), sat
down with HMEB to discuss the factors that
have been driving the need to secure remote
patients and staff; the increasing number of
healthcare data attacks; and how providers
can take steps to secure data both in terms
of technology and business processes.
HMEB: What are the factors that
are driving remote access for HME
employees? I imagine COVID has to
be one of them, but maybe you can
explain that a bit.
Jerry Dennany: There had been a
number of factors prior to COVID. One of
the big shifts was network access down
to the home. If we rewind 20 years ago,
it wasn’t possible to have almost guaranteed
access across the United States;
for almost every home to have some sort
of broadband connection allowing us to
either work from home or drive the point
of care right into the home.
And then COVID came along and it was
almost a sentinel event that forced the
issue, right? That goes for everyone from
back office employees all the way through
to knowledge workers, to the work-from-home
environment. So the technology
was ready and then COVID was that
HMEB: I imagine that this will have
some lasting impact given that, while
some employees might transition back
to working in the office or working at
providers’ store locations, others are
going to be staying at home.
Dennany: Yes. We’re seeing a lot of
companies tackle this across all industries
from a hybrid point of view and certainly
HMEs are doing so as well. Companies
are seeing efficiency and morale gains in
this shift, but burnout is also a large risk.
So workers have more difficult segregating
the different parts of their lives. The work-life, the personal life. And the
bottom line for companies is that the
operating models around remote working
teams has been proven out as possible
and sometimes optimal. And now we
need to move into optimization of that.
So, we’ve seen changes in more electronic
collaboration in workflows. Slack
and Microsoft Teams usage has skyrocketed,
HMEB: Let’s transition over to the
patients. What are the trends that
are driving remote connectivity for
Dennany: Well, again COVID, a sentinel
event. However, for patients, another
trend is providing patient engagement so
that patients can choose the modality in
which they want to communicate.
Previously in HME, you would go into
the HME provider, for sleep and CPAP for
example, and you would bring your little
chip in and download the data right there
in the office. With shifts towards remote
technology capabilities the machine can
do that remotely automatically.
That said, as we look towards resupply,
for example, we see the ability for us to
understand as an HME and as a market,
how does that patient want to interact?
Do they want a phone call? Do they want
a text message? Do they like an app like
experience? We’re really putting more options
in the hands of patients and changes
in technology have made that possible.
(And then again, COVID has really forced
the issue as many people don’t want to
necessarily engage face-to-face.)
HMEB: And I would imagine that remote
patient monitoring for certain types of
patient groups like sleep patients or
diabetes patients and now even some
respiratory patients is helping kind of
push things in that direction too.
Dennany: It is and it’s also creating a
deluge of data for providers to better
understand how these devices are being
used and what care can be provided. So in
addition to a lower touch, it’s also an opportunity
to provide better outcomes. It is
a really, really great time to be in healthcare
and a really great time to be in HME.
HMEB: Okay, let’s review: We have
workers and employees that are remote
accessing. We have patients that are
remote accessing. We have a lot of data
that’s going across a lot of lines. What are
the underlying security concerns here?
Dennany: Oh, there are plenty. And if we
look towards some of the industry data
on this. The U.S. Department of Health
and Human Services in 2020 reported well
over 600 significant breaches, and that’s
up from 500 or so in the previous year. So
incidents are climbing.
The severity of incidents is climbing too,
with two thirds of those breaches last year
were reported as “hacking” incidents,
where a system was broken into. There’s
also a significant number of unauthorized
disclosures in there. Lost and stolen on
encrypted computing devices.
So there’s a systems factor and a human
factor, and really I think where HMEs can
concentrate on is that human factor.
HMEB: Before we get into the factors,
can you quantify this? Do you have any
statistics that show the depth of the
problem when it comes to healthcare
Dennany: We should talk about it in terms
of volumes. With Brightree’s own systems
we’ve seen a more than 70 percent climb
just in 2021 over this time last year in the
number of attempted attacks through various
vectors. That can include everything
from phishing, malware and ransomware
attempts all the way to direct, attempted
attacks on the Brightree system itself.
And of course, we have security in
depth to protect from those, but we see a
significant lift in the number of “knocks on
the door” we get, so to speak.
HMEB: Wow. So it sounds to me like
anybody who’s thinking that ransomware
attacks and things like that are a
problem that only hospitals and large
facility-based care environments deal
with really needs to think again.
Dennany: Yes and I actually have a
personal story on this that affects me and
Brightree: As we just mentioned, phishing
attacks and email are a primary source of
attack and they can be used to distribute
malware or ransomware, but sometimes
it’s just information that’s being sought.
Recently, we experienced a cyber security
attacker who emailed our payroll team
and said, “Hey, I’m Jerry Dennany and I
want to change my direct deposit information
for my check.”
Because we focus on training all of our
employees regardless of role on HIPAA,
on cyber security, the finance team knew
to use a secondary method of confirming
the message. So they picked up the phone
— we have a phone tree — they called my
cell phone and they said, “Hey, Jerry did
you do this?” And of course I didn’t.
So, we prevented an incident, but it
shows that a lot of times, when we’re talking
about cyber security, people think of
systems at threat and it’s really about the human
interaction piece. Ensuring that we’re
doing the training and creating a culture of
appropriately questioning things, so that
even the finance team feels comfortable
picking up the phone and calling the CTO
to ask that question is really important.
HMEB: Wow! So here we have — right
in your lap — somebody trying to
stage one of these attacks. Knowing
that a whole lot of providers that use
Brightree, do you see specific types
of providers where ensuring remote
access security, whether for patients
or providers, is more of an issue than
others? Perhaps in size or product category
or types of referrals. Or is this a
pretty general threat?
Dennany: Well, I think there’s different
aspects to what is a general threat. Larger
providers tend to be larger targets as they
have more patients making that dataset
more valuable on the black market. But
larger providers also tend to have more
electronic and people defenses, and this
makes smaller providers a bit vulnerable
as they have somewhat less defense in
depth and there’s ways of protecting
either profile. So it’s not really related to a
type of business, but more related to size.
HMEB: You had mentioned that a lot
of these attacks have more to do, or
at least as much to do with people as
they do technology. I’m curious. How
do providers approach this problem
then both from a technological perspective
and from a workflow or sort
of procedural perspective?
Dennany: Like we were just talking
about HMEs have the most control over
the human side, but you have to protect
both aspects of this. From the human
perspective, training is key and a lot of it, security training and healthcare information
security training, can be purchased
relatively cheaply from several vendors on
the market today.
Then from the system side, be very careful
in your vendor selection. Select vendors
with strong security programs. If you’re a
small provider you’re probably relying on
outsourced IT or virtual CIO services — and
that’s great; that’s a good option for smaller
HMEs — but ensure that your virtual CIO
team has that strengthened cyber security,
as you’re dependent on them.
HMEB: Organizationally are there
things that providers need to do with
Dennany: I’m going to hit that same
drum again, but training employees
regularly. But also create a culture where
questions are allowed and encouraged if
they see something unusual. Remember,
caring for patient data is another aspect
of patient care, and your reputation as a
provider can really depend on how well
you carry out this critical task.
HMEB: I would imagine that today’s accreditation
standards for providers that
are Medicare suppliers, includes not
only HIPAA compliance, but good data
handling procedures, as well.
Dennany: Absolutely. And part of this that
people miss sometimes is from an audit
perspective. It’s not just having a process or
a documented process, but make sure you
do what you’re saying what you’re going to
do. The number one audit failure that we
see is failure to follow your own policy.
HMEB: That’s pretty eye-opening right
there. Are there other key pitfalls that
providers often fall into?
Dennany: Completion of documentation
is always something that I think gets a lot
of focus, but it doesn’t get as much focus
as following your own policy.
HMEB: Is the trend towards e-prescription
helping to reinforce data security?
Or are there other procedures that
providers need to integrate on top of
that to ensure secure e-prescription?
Dennany: I think anywhere you can
automate the workflow is going to have a
security benefit to it. And e-prescription
is a great example of that. It reduces the
human touch on data and reduces the
likelihood of data leak due to human
error. So I think it’s a really positive area
to uplift both from better referral source
relations, but also from a security profile
HMEB: I would imagine any sort of
push towards interoperability and standardized
data sharing probably has a
lot of security baked into it.
Dennany: It does. These systems are
designed up front with security in mind.
And so it takes it out of the human error
aspect of what we’ve been talking about
and into a system security, which has a lot
of concentration in that space.
HMEB: If you had to give any bottom
line advice to HME providers out there
who might not have emphasized data
security as much as they should, what
would you tell them?
Dennany: Absolutely find the right partner
in this, right? You can’t hit this journey
by yourself. Even Brightree, at our scale,
we pay a lot of attention to who we’re
picking to help us protect PHI in this data.
That’s a really key aspect of any information
This article originally appeared in the July/August 2021 issue of HME Business.