Another Cyber Attack In The News: Medac’s Compliance and Data Security Efforts & Why They Are Important To You

By Matthew Harrison, RHIA, CPC, CCP

Chief Compliance Officer 

With the most recent round of cyberattacks gaining global attention, we’d like to share some critical compliance initiatives Medac is committed to, and offer an opportunity for you to connect with us and let us know how we can serve you better.  As your business partner, Medac’s (or any billing service’s) sustainability has a direct impact on the sustainability of your business.  Medac is committed to an active, comprehensive compliance program to ensure we remain a viable and strong business partner for years to come.  You can read the paragraphs below for additional detail, but here are the key points:

  1. Corporate Compliance Plan with Active Compliance Program

Ensures we are monitoring ongoing risks, constantly identifying and correcting issues, while taking steps to prevent future issues. Medac’s senior compliance leadership boasts nearly 100 years of total experience in anesthesia-specific compliance.

  1. HIPAA Risk Analysis Conducted by Approved Third-Party Auditor

Ensures we are compliant with the HIPAA Privacy and Security Rule and are actively identifying and closing any gaps or risk areas.  The HIPAA laws are not new, but aggressive enforcement of them is new and far-reaching. 

  1. SOC II Type II Certification

Ensures we are protecting all data in our networks in accordance with the ever-changing industry standard security controls.  These controls help us to detect, mitigate, prevent, and respond to attacks like those currently in the news.

  1. PCI-DSS Level III Certification

Ensures we are compliant with Payment Card Industry Data Security Standards, protecting your patient’s financial identities.

Why is an Effective Compliance Program Important?

It is easy for an organization to set up a compliance program.  It is far more complicated to administer an “effective” compliance program.  Compliance risks change regularly.  New areas of concern arise out of nowhere.  Employees make mistakes.  Systems and processes can fail.  No organization will ever be perfect from a compliance standpoint, but in order to be effective, a compliance program must be active, responsive, and able to implement changes to prevent future risks from materializing.  Medac has taken great strides to enhance our internal monitoring and risk management and response programs.  We are taking actions on a daily basis to respond to potential HIPAA and False Claims Act risks, among others, to ensure our operations are compliant with the laws governing our business – and that our team has mechanisms in place to identify and resolve any instances where a person or process allows the laws to be bypassed.

New clinical, billing, and payment trends are constantly emerging.  There is often little-to-no guidance on these new techniques. The government is gaining $12 on every dollar spent on fraud and abuse.  These programs are growing rapidly and are becoming more and more specialized and sophisticated. Just because something isn’t on the radar today doesn’t mean it won’t be tomorrow.  Medac’s experts are trained to assess these situations and provide guidance that will help you avoid potential recoupments, audits, or investigations in the future.

HIPAA is 20 Years Old – Why is it Such a Hot Topic Now?

Primarily, because even after 20 years, most organizations have failed to implement proper controls to safeguard Protected Health Information (PHI).  This has come to light due to a recent government commitment to give HIPAA the “teeth” it lacked for the past 20 years.  These teeth are heavy fines and penalties (2017 fines on target to double the fines from 2016 , and be more than 7x the fines from 2015).  While most organizations have taken steps to implement HIPAA, most have substantial gaps that leave them highly vulnerable to breaches.  Medac has contracted with an outside agency to conduct a comprehensive HIPAA risk assessment.  This is an unbiased view of where Medac is strong and where Medac must improve – along with a roadmap with defined tasks and timelines to address any areas where strengthening is needed.  This is all about Medac identifying and closing the gaps that put both Medac and you, as our client, at risk.

What is SOC II Certification and Why Does Medac have it?

“Cyber security” is a term we will only hear more in the coming years.  In a world where your refrigerator or car can be hacked and used against you, our core business platforms must be well-protected from those who wish to exploit any data security weak-points we possess to steal or leverage valuable data against us.  Without proper data security, this data can be stolen or simply held hostage, as we saw in the news this weekend, and as we saw in the 2016 Hollywood Presbyterian Hospital incident, where the hospital’s entire system was locked and held hostage while the attackers requested a ransom to restore operations.  The same attack was attempted against Medac during that time period. However, Medac was able to identify the attack, isolate it, and prevent any damage. This is because Medac has controls in place to protect the data entrusted to us and we are continually enhancing the tools, technology, and workflows to strengthen Medac’s network security.   You have no way to assess every nook and cranny of Medac’s operations, so the SOC certification is an independent validation that Medac is taking appropriate steps to improve data security on our networks, thus protecting you from potential exposure of PHI, and decreasing the likelihood that Medac would succumb to a crippling attack that would impact our ability to serve you.

Why Do You Need a Billing Partner Strong in These Areas?

Trusting your business operations to Medac (or any billing service) requires substantial faith in us to remain a viable and strong business partner.  If Medac succumbs to data security threats, HIPAA breaches, or other regulatory issues, you will undoubtedly be impacted.  In today’s environment, cyber security vulnerabilities and HIPAA breaches are essentially guaranteed to happen.  How a company mitigates, detects, and responds to these issues will separate those who will remain viable partners from those who will succumb to the negative pressures, fines, and penalties imposed by the government.

Something You Might Not Know:  Cyber Innovation Center in Medac’s Backyard

The United States Army Cyber Command Headquarters was recently moved to Fort Gordon in Augusta, GA, co-locating it with the Army Joint Forces Cyber Headquarters, and NSA-Georgia, also operating out of Fort Gordon.  In response, the state of Georgia established the Georgia Cyber Innovation and Training Center, bringing together academia, private industry, and government to establish data security standards and practice protocols for responding to cyber threats.  The new cyber innovation center is being built less than one mile from Medac’s headquarters, in the center of Augusta’s medical district.  Medac’s proximity to this talent pool, flood of the newest information and resources in cyber security, and regional culture of focus on cyber-security has been and will continue to be a great benefit to Medac in our own efforts to achieve and maintain higher levels of security preparedness.  For more information on the Georgia Cyber Innovation and Training Center, visit this link:  https://gov.georgia.gov/press-releases/2017-01-11/deal-announces-new-georgia-cyber-innovation-and-training-center

Medac has taken aggressive and concrete steps to ensure our organization is aware of the requirements governing our business and is in a strong position to face the challenges facing today’s healthcare companies.  Our team is constantly striving to provide the best data security.  If there are specific ways we can serve you better, please let us know.

For more information on Medac’s offerings, methods and capabilities,

contact Vice President Jimmy Patrick: (706) 650-0705 or jpatrick@medac.com

                 • MEDAC – Committed to Continuing Client Education •

The information presented herein reflects general information that is current as of the date it was first published.  In light of changes that may occur in the health care regulatory and compliance environments, the author’s presentation of this information might become outdated.  Please check with your individual legal and/or compliance advisor(s) prior to taking any significant actions based upon the information and advice presented.