Securing Remote HME Patients & Workers

As telehealth and remote connectivity become more prevalent in HME, providers must ensure they’ve locked up their data nice and tight. What are today’s security risks and how do providers counter them?

hand presenting locked cloudWhile COVID-19 ramped up the need for telehealth and remote connectivity for HME patients and distributed workforces, the drive to secure patients’ HME providers’ data predated the pandemic. What are the data security challenges for HMEs? How should they respond?

To examine the issue, Jerry Dennany, Chief Technology Officer for industry software company Brightree LLC (, sat down with HMEB to discuss the factors that have been driving the need to secure remote patients and staff; the increasing number of healthcare data attacks; and how providers can take steps to secure data both in terms of technology and business processes.

HMEB: What are the factors that are driving remote access for HME employees? I imagine COVID has to be one of them, but maybe you can explain that a bit.

Jerry Dennany: There had been a number of factors prior to COVID. One of the big shifts was network access down to the home. If we rewind 20 years ago, it wasn’t possible to have almost guaranteed access across the United States; for almost every home to have some sort of broadband connection allowing us to either work from home or drive the point of care right into the home.

And then COVID came along and it was almost a sentinel event that forced the issue, right? That goes for everyone from back office employees all the way through to knowledge workers, to the work-from-home environment. So the technology was ready and then COVID was that sentinel event.

HMEB: I imagine that this will have some lasting impact given that, while some employees might transition back to working in the office or working at providers’ store locations, others are going to be staying at home.

Dennany: Yes. We’re seeing a lot of companies tackle this across all industries from a hybrid point of view and certainly HMEs are doing so as well. Companies are seeing efficiency and morale gains in this shift, but burnout is also a large risk.

So workers have more difficult segregating the different parts of their lives. The work-life, the personal life. And the bottom line for companies is that the operating models around remote working teams has been proven out as possible and sometimes optimal. And now we need to move into optimization of that.

So, we’ve seen changes in more electronic collaboration in workflows. Slack and Microsoft Teams usage has skyrocketed, for example.

HMEB: Let’s transition over to the patients. What are the trends that are driving remote connectivity for patients?

Dennany: Well, again COVID, a sentinel event. However, for patients, another trend is providing patient engagement so that patients can choose the modality in which they want to communicate.

Previously in HME, you would go into the HME provider, for sleep and CPAP for example, and you would bring your little chip in and download the data right there in the office. With shifts towards remote technology capabilities the machine can do that remotely automatically.

That said, as we look towards resupply, for example, we see the ability for us to understand as an HME and as a market, how does that patient want to interact? Do they want a phone call? Do they want a text message? Do they like an app like experience? We’re really putting more options in the hands of patients and changes in technology have made that possible. (And then again, COVID has really forced the issue as many people don’t want to necessarily engage face-to-face.)

HMEB: And I would imagine that remote patient monitoring for certain types of patient groups like sleep patients or diabetes patients and now even some respiratory patients is helping kind of push things in that direction too.

Dennany: It is and it’s also creating a deluge of data for providers to better understand how these devices are being used and what care can be provided. So in addition to a lower touch, it’s also an opportunity to provide better outcomes. It is a really, really great time to be in healthcare and a really great time to be in HME.

HMEB: Okay, let’s review: We have workers and employees that are remote accessing. We have patients that are remote accessing. We have a lot of data that’s going across a lot of lines. What are the underlying security concerns here?

Dennany: Oh, there are plenty. And if we look towards some of the industry data on this. The U.S. Department of Health and Human Services in 2020 reported well over 600 significant breaches, and that’s up from 500 or so in the previous year. So incidents are climbing.

The severity of incidents is climbing too, with two thirds of those breaches last year were reported as “hacking” incidents, where a system was broken into. There’s also a significant number of unauthorized disclosures in there. Lost and stolen on encrypted computing devices.

So there’s a systems factor and a human factor, and really I think where HMEs can concentrate on is that human factor.

HMEB: Before we get into the factors, can you quantify this? Do you have any statistics that show the depth of the problem when it comes to healthcare data security?

Dennany: We should talk about it in terms of volumes. With Brightree’s own systems we’ve seen a more than 70 percent climb just in 2021 over this time last year in the number of attempted attacks through various vectors. That can include everything from phishing, malware and ransomware attempts all the way to direct, attempted attacks on the Brightree system itself.

And of course, we have security in depth to protect from those, but we see a significant lift in the number of “knocks on the door” we get, so to speak.

HMEB: Wow. So it sounds to me like anybody who’s thinking that ransomware attacks and things like that are a problem that only hospitals and large facility-based care environments deal with really needs to think again.

Dennany: Yes and I actually have a personal story on this that affects me and Brightree: As we just mentioned, phishing attacks and email are a primary source of attack and they can be used to distribute malware or ransomware, but sometimes it’s just information that’s being sought.

Recently, we experienced a cyber security attacker who emailed our payroll team and said, “Hey, I’m Jerry Dennany and I want to change my direct deposit information for my check.”

Because we focus on training all of our employees regardless of role on HIPAA, on cyber security, the finance team knew to use a secondary method of confirming the message. So they picked up the phone — we have a phone tree — they called my cell phone and they said, “Hey, Jerry did you do this?” And of course I didn’t.

So, we prevented an incident, but it shows that a lot of times, when we’re talking about cyber security, people think of systems at threat and it’s really about the human interaction piece. Ensuring that we’re doing the training and creating a culture of appropriately questioning things, so that even the finance team feels comfortable picking up the phone and calling the CTO to ask that question is really important.

HMEB: Wow! So here we have — right in your lap — somebody trying to stage one of these attacks. Knowing that a whole lot of providers that use Brightree, do you see specific types of providers where ensuring remote access security, whether for patients or providers, is more of an issue than others? Perhaps in size or product category or types of referrals. Or is this a pretty general threat?

Dennany: Well, I think there’s different aspects to what is a general threat. Larger providers tend to be larger targets as they have more patients making that dataset more valuable on the black market. But larger providers also tend to have more electronic and people defenses, and this makes smaller providers a bit vulnerable as they have somewhat less defense in depth and there’s ways of protecting either profile. So it’s not really related to a type of business, but more related to size.

HMEB: You had mentioned that a lot of these attacks have more to do, or at least as much to do with people as they do technology. I’m curious. How do providers approach this problem then both from a technological perspective and from a workflow or sort of procedural perspective?

Dennany: Like we were just talking about HMEs have the most control over the human side, but you have to protect both aspects of this. From the human perspective, training is key and a lot of it, security training and healthcare information security training, can be purchased relatively cheaply from several vendors on the market today.

Then from the system side, be very careful in your vendor selection. Select vendors with strong security programs. If you’re a small provider you’re probably relying on outsourced IT or virtual CIO services — and that’s great; that’s a good option for smaller HMEs — but ensure that your virtual CIO team has that strengthened cyber security, as you’re dependent on them.

HMEB: Organizationally are there things that providers need to do with their staff?

Dennany: I’m going to hit that same drum again, but training employees regularly. But also create a culture where questions are allowed and encouraged if they see something unusual. Remember, caring for patient data is another aspect of patient care, and your reputation as a provider can really depend on how well you carry out this critical task.

HMEB: I would imagine that today’s accreditation standards for providers that are Medicare suppliers, includes not only HIPAA compliance, but good data handling procedures, as well.

Dennany: Absolutely. And part of this that people miss sometimes is from an audit perspective. It’s not just having a process or a documented process, but make sure you do what you’re saying what you’re going to do. The number one audit failure that we see is failure to follow your own policy.

HMEB: That’s pretty eye-opening right there. Are there other key pitfalls that providers often fall into?

Dennany: Completion of documentation is always something that I think gets a lot of focus, but it doesn’t get as much focus as following your own policy.

HMEB: Is the trend towards e-prescription helping to reinforce data security? Or are there other procedures that providers need to integrate on top of that to ensure secure e-prescription?

Dennany: I think anywhere you can automate the workflow is going to have a security benefit to it. And e-prescription is a great example of that. It reduces the human touch on data and reduces the likelihood of data leak due to human error. So I think it’s a really positive area to uplift both from better referral source relations, but also from a security profile perspective.

HMEB: I would imagine any sort of push towards interoperability and standardized data sharing probably has a lot of security baked into it.

Dennany: It does. These systems are designed up front with security in mind. And so it takes it out of the human error aspect of what we’ve been talking about and into a system security, which has a lot of concentration in that space.

HMEB: If you had to give any bottom line advice to HME providers out there who might not have emphasized data security as much as they should, what would you tell them?

Dennany: Absolutely find the right partner in this, right? You can’t hit this journey by yourself. Even Brightree, at our scale, we pay a lot of attention to who we’re picking to help us protect PHI in this data. That’s a really key aspect of any information security strategy.

This article originally appeared in the Jul/Aug 2021 issue of HME Business.

HME Business Podcast