Tag: CyberForce|Q

MHA CEO Report — Cybersecurity Takes Center Stage

Issues in Healthcare, Top Issues - Healthcare, MHA Rounds

“There are only two types of companies: those that have been hacked, and those that will be.”  Robert Mueller

“Dear Health Care Leaders,

As you know, last month Change Healthcare was the target of a cyberattack that has had significant impacts on much of the nation’s health care system. The effects of this attack are far-reaching; Change Healthcare, owned by UnitedHealth Group (UHG), processes 15 billion health care transactions annually and is involved in one in every three patient records. The attack has impacted payments to hospitals, physicians, pharmacists, and other health care providers across the country. Many of these providers are concerned about their ability to offer care in the absence of timely payments, but providers persist despite the need for numerous onerous workarounds and cash flow uncertainty.”

So began a letter dated March 10 from Xavier Becerra, the Secretary of the U.S. Department of Health and Human Services (HHS), referencing what is emerging as one of the most extensive and impactful cyberattacks in U.S. history. The scrutiny directed at Change’s parent company UnitedHeath Group – from Congress, HHS, the media and others – is only just beginning, and there is no telling what sort of new regulations, penalties and associated policy change will be the end result. In the meantime, the MHA has stepped up to support our members by sharing as much information and intelligence as possible, and by advocating for flexibility and relief from both private payers and the state Medicaid program.

America’s hospitals are no strangers to external events creating seismic upheaval in our daily operations. Sometimes those events emanate from the world of public policy and politics, sometimes they come in the form of a localized natural disaster or tragic mass casualty event, and no one needs to be reminded of the impact of the global COVID-19 pandemic. But in the wake of the Change Healthcare crisis, there is no doubt cybersecurity now deserves to be on the top of the list of concerns for hospital leaders across the country, and right here in Michigan.

For some time now, the FBI has stated that healthcare organizations are the top target of cybercriminals across the globe, and these attacks have increased significantly in the last two years. Data sharing requirements in healthcare and the connectivity of health information – while well-intended – creates many potential risks for cybercriminals to exploit. Hospitals take these attacks extremely seriously. They are threat-to-life crimes because of the impact they can have on patient safety and access to care, and are formally treated as such by the FBI.

Again, this is not a new issue. A year and a half ago, cybersecurity was the topic for my CEO Report, where we expressed the potential for cybercrimes to cripple an organization. At that time, we saw how multi-national organizations with U.S.-based operations were impacted when Ukrainian government and critical infrastructure organizations were victims of cyberattacks during the Russian invasion of Ukraine. Yet again, we saw how the breach of one organization can cause rippling consequences for an entire industry; one that accounts for 17.3% of our nation’s Gross Domestic Product.

This is why the MHA has been engaged on this topic for many years and goes to great lengths to assist our members. The MHA was closely involved in the creation of the Michigan Healthcare Security Operations Center (HSOC) to help monitor and react to cyber risks with participating member organizations. We also partner with MHA Service Corporation Endorsed Business Partner CyberForceQ, a leader in the field, to assist members who need cybersecurity assistance. For the first time, we also have our very own MHA Vice President and Chief Information Security Officer, Mike Nowak, who works closely with the HSOC, our member CISOs and our external partners in this space. And Jim Lee, our senior vice president, data policy & analytics, continues to lead our MHA Health Information Technology Strategy Council, which is providing meaningful insight on the impact of this latest attack.

It can take months for a third-party review to determine what information was breached and ultimately taken. But from the hospital perspective, it is clear the Change Healthcare cyberattack is yet another example of a breach that initiates with an outside vendor, and those vendors are not always completely transparent and forthcoming with those organizations directly impacted by the breach. One thing we know for sure: our hospitals are victims in these situations and should be treated as such. We want to work with state and federal policymakers and regulatory agencies to prevent cyberattacks, and to root out and punish the criminals who perpetrate these crimes. We will be very concerned about any proposals that unfairly punish hospitals or create new barriers to our ability to provide timely access to quality care.

Our members are going to great lengths to mitigate potential risk. However, more can be done at a federal level to thwart bad actors. Hospitals and health systems are part of critical infrastructure, so our law enforcement agencies need the funding and staff to defend against cybercriminals. The American Hospital Association urged the government to use all diplomatic, financial, law enforcement, intelligence and military cyber capabilities to disrupt these criminal organizations, much like what was done in the global fight against terrorism in the wake of 9/11.

Thankfully, it appears our hospitals and health systems in Michigan have been able to manage this crisis better than counterparts in other states. The work of the MHA and our partners has helped make Michigan a leader in this space and to be prepared to respond to these situations. Our cybersecurity efforts are constantly at work, 24/7 year-round, mirroring the same cadence of our hospitals and their patient care. Yet the human component of healthcare is the most vulnerable. It only takes one individual to not notice a phishing or social engineering attempt for yet another failure that can impact hundreds of organizations, thousands of healthcare workers and tens of thousands of patients. This is why we must remain constantly vigilant as the cyber threat landscape continues to grow.

As always, I welcome your thoughts.

MHA CEO Report — The State of Healthcare

MHA Rounds, Issues in Healthcare, Top Issues - Healthcare

“Mankind’s greatest achievements have come about by talking, and its greatest failures by not talking. It doesn’t have to be like this. Our greatest hopes could become reality in the future. With the technology at our disposal, the possibilities are unbounded. All we need to do is make sure we keep talking.”
 Stephen Hawking

The new year always brings two traditional speeches from lawmakers: Gov. Whitmer just recently delivered her annual State of the State address, while President Biden will share the annual State of the Union address on March 7. While the economy, housing, education, border security, climate change and other important issues are featured in these speeches, the reality is that healthcare remains a top concern for millions of Americans, and therefore will continue to be front and center for elected officials and candidates at the state and federal level throughout this election year.

The bottom line is that the fragility of the healthcare continuum was exposed during the pandemic and four years later, the aftershocks can still be felt. Let’s touch on just a few issues that dictate the state of healthcare in 2024:

Healthcare Workforce

Michigan hospitals employ roughly 219,000 people and are desperately trying to hire thousands more in every corner of the state. A survey we conducted last year showed there were over 27,000 job openings in Michigan hospitals. Hospitals are often the largest employer in their respective communities and serve as critical economic engines. It takes longer to deliver care when hospitals don’t have enough staff, impacting the experience of patients and families.

Much like other industries in Michigan, healthcare has a supply and demand issue, but we feel it in a uniquely acute manner: the aging population not only contributes to an exodus of talent from the field, but it increases demand for healthcare services at the same time. And because we are classic “price-takers” when it comes to a huge share of our business (i.e. Medicare and Medicaid tell us what they are going to pay), our ability to pass rising labor (and supply chain) costs along to consumers is extraordinarily limited. The financial performance of hospitals across the state and country has been negatively impacted as a direct result, and it fuels our advocacy efforts related to our ongoing viability.

Healthcare needs to continue to refill the talent pipeline and we’re making progress on these efforts. From the MI Hospital Careers campaign to the individual partnerships created between health system and secondary-education institutions, the effort is being made to increase the supply of future professionals. I’m encouraged to hear Gov. Whitmer’s proposal for tuition-free community college for all Michiganders who graduate from a Michigan high school. We have been active in advocating for such a policy to improve the number of students pursuing these pathways to address the nursing shortage.

Behavioral Health

Behavioral healthcare in Michigan continues to be in crisis. We need to fund, support and reform our systems to better meet the behavioral healthcare needs of our communities.  Responding to MHA advocacy, the Michigan Legislature provided $50 million in grant funding last year to increase access to pediatric inpatient behavioral health services. We are encouraged by what our member hospitals have planned to improve access, but more needs to be done. This will be a focus area for us in Lansing through the rest of the year, specifically looking at solutions that include continuing to expand care locations, clarifying insurance coverage policies and increasing the number of providers.

Prescription Drug Affordability

Increasing prescription drug costs are a key driver of escalating healthcare costs. These increased costs are not just experienced by patients at their local pharmacies, but hospitals are also large purchasers of prescription drugs and are experiencing the same costs, threatening their viability. Data shows drug costs rose by 36.9% from 2019 to 2021 and currently account for the largest portion of healthcare insurance premiums, costing 22.2 cents for every dollar.

With these dramatic cost increases, the 340B drug pricing program has never been more important. This critical program allows safety net hospitals and other community care organizations to access certain outpatient prescription drugs at discounted prices. It does not require any state taxpayer dollars and has contributed to supporting access to care to Michigan’s most vulnerable patients for more than 30 years. We’re hopeful to see legislation passed to protect these hospitals and the benefits they provide, such as supporting OB services, financial assistance programs for low-income patients or lowering the cost of prescription drugs.

Emerging Technology and AI

Technology continues to provide many opportunities and growth for healthcare. It can serve as a “force-multiplier” that allows our staff to work smarter, extending their impact. If used correctly, technology can improve the patient experience, care delivery, worker satisfaction and more. We’re already seeing it with the dramatic growth in the utilization of telehealth and the emergence of artificial intelligence (AI) applications throughout healthcare. Technology can help expand access to care for many of our rural or disadvantaged residents who are confronted with a variety of social barriers.

We’re seeing great innovation when it comes to technology and I expect even more in the years ahead. The “disruptors,” that is to say, the large, global companies known for their technological innovation (and deep financial resources) are increasingly turning their attention toward the $4 trillion American healthcare market. These entities could be viewed as a potential threat to traditional healthcare providers, payors and others in the health ecosystem – but could also be viewed as potential collaborators and strategic partners. Without a doubt, the future delivery and financing model will be shaped in some way by this development.

At the same time, the rise of sophisticated technology and the inter-connectedness between healthcare entities, their patients and the rest of the world gives rise to the specter of cybercrime. This topic is worthy of its own special focus (stay tuned for more on that in the months ahead), but for now, let me just point to the fact that the MHA was proud to be ahead of the game in this regard, helping to launch our own healthcare-focused cybersecurity operations center right here in Michigan with MHA Endorsed Business Partner CyberForceQ.

These are just a few of the countless, complex issues that will impact Michigan healthcare in the year ahead. Plenty to be concerned about, for sure. But I remain fundamentally optimistic and hopeful about the future. Our healthcare workers are committed and resilient. And our policymakers continue to acknowledge the dependent relationship their communities have with healthcare. While I know better than to predict much of anything in an election year, I feel confident in predicting healthcare will continue to help make Michigan a better place, no matter what the political winds bring our way. All we need to do is continue our most human connection – let’s keep talking with each other and craft a positive future together.

As always, I welcome your thoughts.

Strategic Action Planning Session with MHA Service Corporation Board

Member News

The MHA Service Corporation (MHASC) board focused on supporting MHA Strategic Action Plan priorities to address workforce support and innovation, viability, behavioral health improvement, health equity and more during their Oct. 18 planning session. The board discussed healthcare market strategies to identify and grow solutions for MHA members and clients. MHA members are invited to register for the upcoming Nov. 9 virtual membership meeting for more information on the association’s efforts to address these ongoing priorities.

The MHASC board discussed current and future strategic priorities to enhance cutting-edge and cost-effective solutions for member hospitals. Specifically, the board discussed how innovations can support advocacy priorities to address workforce staffing shortage issues. The MHASC board also welcomed Eric Wallis, DNP, senior vice president and system chief nursing officer, Henry Ford Health, Detroit, as a new director providing clinical innovation expertise. The board also honored Deloris Hunt, chief human resources officer, Michigan Medicine, for her upcoming retirement and thanked her for serving as chair of the MHA Human Resources & Workforce Council.

The board was joined by Eric Eder, CEO, CyberForce|Q, for an overview of the Healthcare Security Operations Center (HSOC) history and how it has helped participants improve their security posture as threats increase. The MHASC is planning to launch new endorsed business partnerships and innovative solutions in the coming months.

The MHASC’s mission is to deliver innovative solutions that help improve value and performance through its Data Services, Unemployment Compensation Program and Endorsed Business Partner program addressing various business needs including workforce, supply chain, revenue cycle, strategic growth solutions and more. Visit the MHA Business Services webpage to learn more about resources available.

Members with questions regarding the MHASC Board may contact Ruthanne Sudderth at the MHA.

MHA CEO Report — Time to Focus on Cybersecurity

Member News, MHA Rounds

The world-altering powers that technology has delivered into our hands now require a degree of consideration and foresight that has never before been asked of us.” ― Carl Sagan

A long-held practice utilized by businesses of all stripes is the ubiquitous SWOT (strengths, weaknesses, opportunities and threats) analysis. For a hospital or health system in 2022, there is no shortage of candidates to fully stock the “threat” category. In this column, I want to draw attention to one that deserves increased attention because of its potential to cripple an organization in an instant: cybersecurity.

The wonders of technology have dramatically improved healthcare in Michigan and beyond. Advancements include imaging technology that identifies serious disease at a much earlier stage, robotic devices that permit surgical interventions that were previously considered too risky to attempt, remote patient monitoring and telehealth, and electronic medical records that facilitate better tracking and coordination for patients across various sites of care — the list is impressively long.  And amid our current workforce shortage crisis, we often describe technology in healthcare as a “force multiplier” that can supplement and extend our limited staffing resources to help ensure adequate access to care.

Make no mistake, healthcare still has one foot on the proverbial dock and one foot in the proverbial boat. That is, many of our communications and services remain in the “analog” world, while a growing share have become electronic, digitized and inter-connected. This phenomenon — coupled with the fact that the personal health information we collect and store has more value on the black market than any other data — has painted a neon target on our back for a growing cadre of cybercriminals and adversarial nation states. It is no accident the FBI has identified healthcare as the number one target of these bad actors. And simply put, a cyberattack on a hospital is a “threat to life” crime. We must act accordingly.

The statistics on healthcare attacks are enough to keep any executive up at night. An attack on a midsize hospital creates an average shutdown time of 10 hours and costs on average $45,700 per hour, according to an Ipsos report. In the same report, 49% of the respondents said their annual compliance budget for cybersecurity wasn’t enough. According to IBM, a data breach at a healthcare organization costs more than any other sector at $10.1 million. And the threat continues to grow, as healthcare cyberattacks have increased by 84% from 2018 to 2021, according to Critical Insight. Michigan hospitals, health insurance companies, physician offices and others have been the victims of ransomware attacks and related cybercrime in recent years.

If this wasn’t bad enough, a spotlight was shone on cybersecurity this past spring during Russia’s invasion of Ukraine, when cyberattacks on the Ukrainian government and critical infrastructure organizations had the potential to ripple across multi-national organizations and infect U.S.-based operations, including healthcare. Experts believe this scenario will be part of every future global conflict. And unfortunately, for many hospitals and health systems who welcome patients from multiple foreign countries, and who have business partners outside the United States, the practice of “geo-fencing,” or blocking all incoming email traffic from outside the country, is not always a viable approach.

So where can hospitals and health systems turn for help? At the national level, the American Hospital Association anticipated this trend several years ago and employs John Riggi as the national advisor for cybersecurity and risk. John has been a resource for the MHA in the past and as a former leader within the FBI’s cybercrime division, he maintains close ties with all the relevant government agencies.

And here at the MHA, we are also very committed to strengthening our own cyber defenses, while doing the same for our members. We have appointed Mike Nowak to serve as our own Chief Information Security Officer. Several years ago, Mike and his team helped to launch, and have subsequently helped to operate, the Michigan Health Security Operations Center (Mi|HSOC) for hospitals and health systems. Created for healthcare providers by healthcare providers, this first of its kind entity has the proven ability to prevent, detect, analyze and respond to cybersecurity events. Operating 24/7/365, the Mi|HSOC has developed strong relationships and communication with law enforcement at various levels, including the Michigan State Police Cyber Division, FBI and Secret Service.

An organization that helped form the Mi|HSOC is CyberForce|Q, which is now an MHA Service Corporation Endorsed Business Partner. In addition to sharing tactical information on emerging threats with the members of the security operations center, CyberForce|Q offers a variety of additional cybersecurity services to our members and other healthcare clients.

The bottom line — the MHA and our partners have helped Michigan become a leader in this space. By mitigating potential risk, physicians, nurses and staff of our member hospitals have the best opportunity to provide exceptional patient care without any external interruptions. While the advocacy, policy and safety and quality areas of the association often receive public attention, our cybersecurity efforts are constantly at work, often without much notice, to protect healthcare in Michigan.

But we need your help. I am the farthest thing from an expert in this field, but one thing I have learned is that the “human factor” is the most critical element of our defenses — and therefore the most vulnerable. Think twice before opening a suspicious email or text message, safeguard your electronic devices and passwords and take the time to educate yourself on all of the best practices to follow in the midst of this new, online world. The health of your patients and communities may depend on it.

As always, I welcome your thoughts.