Health Plan Payers: Are you prepared for internet attack threats?

The 2022 Verizon Data Breach Investigations Report (DBIR) found Internet-facing applications, such as web applications and mail servers, were among the most common methods for attackers to slip through organizational perimeters. Once the perimeter is successfully breached, attackers can trigger ransomware, stopping critical services while demanding a ransom payment. Web-based threats, such as malware and ransomware, are threats that originate from the Internet. Additional web-based threats include phishing campaigns, DDoS, worms and viruses, spyware, cross-site scripting, and SQL injections. Some of the ways HealthEdge defends against these threats are with geolocation technology, 24×7 alerting and monitoring, and vulnerability management.

Geolocation data allows system administrators to create geofences that can limit or prevent access based on the source or destination of the traffic. For example, an embargoed country can be blocked from accessing the website, or a user can be prevented from accessing a page hosted in a sensitive country. While this does not prevent all attacks from the location, it does raise the bar of difficulty for an attacker.

Additionally, using this geolocation data, security teams can identify anomalous activity, or even spot a new superhero. If access is attempted from an authorized location but is not the “normal” location for that specific user, rules such as challenge questions or designated timed lockouts will trigger before access is granted. If a user successfully logs in from New York, NY at 8 AM, and that same user tries to log in from Los Angeles at 10 AM, we’ve either identified a superhero, a user with access to a transporter, or a potentially compromised credential. No matter what’s happening, the organization’s 24×7 monitoring and alerting systems need to be activated so the activity can be investigated further.
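The New York / Los Angeles scenario above, written as a detection rule in an added Python example (not HealthEdge's code). The coordinates, the 900 km/h speed ceiling, the 100 km noise floor, the user names and the sample events are assumptions constructed for illustration, and timestamps are taken to be in UTC so that time zones do not distort the elapsed time.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # assumed ceiling: roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0     # assumed noise floor for geo-IP inaccuracy


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def find_impossible_travel(events):
    """Compare each login with the same user's previous login and return an
    alert whenever the implied travel speed exceeds MAX_PLAUSIBLE_KMH."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        prev = last_seen.get(ev["user"])
        last_seen[ev["user"]] = ev
        if prev is None:
            continue                      # first login seen for this user
        dist = haversine_km(prev["geo"], ev["geo"])
        if dist < MIN_DISTANCE_KM:
            continue                      # same metro area or geo-IP jitter
        hours = (ev["time"] - prev["time"]).total_seconds() / 3600
        # Simultaneous logins from distant places have no finite speed.
        speed = math.inf if hours == 0 else dist / hours
        if speed > MAX_PLAUSIBLE_KMH:
            alerts.append({"user": ev["user"], "from": prev["city"],
                           "to": ev["city"], "km": round(dist), "kmh": speed})
    return alerts


def make_event(user, city, geo, ts):
    """Build one login event; ts is an ISO 8601 timestamp with UTC offset."""
    return {"user": user, "city": city, "geo": geo,
            "time": datetime.fromisoformat(ts)}


# Constructed sample data, not real logs.
NYC, LA = (40.7128, -74.0060), (34.0522, -118.2437)
SAMPLE_EVENTS = [
    # Two hours apart, as in the text: cannot be the same traveller.
    make_event("jdoe", "New York", NYC, "2023-03-01T13:00:00+00:00"),
    make_event("jdoe", "Los Angeles", LA, "2023-03-01T15:00:00+00:00"),
    # Eight hours apart: consistent with a commercial flight.
    make_event("asmith", "New York", NYC, "2023-03-01T13:00:00+00:00"),
    make_event("asmith", "Los Angeles", LA, "2023-03-01T21:00:00+00:00"),
    # Same city five minutes later: below the distance floor.
    make_event("bkhan", "New York", NYC, "2023-03-01T13:00:00+00:00"),
    make_event("bkhan", "New York", NYC, "2023-03-01T13:05:00+00:00"),
]

if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_EVENTS):
        print("ALERT", alert)
```

An alert from this rule is a trigger for step-up authentication or analyst review rather than proof of compromise, since VPN egress points and mobile carrier routing can also move a user's apparent location.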

Asset inventory and vulnerability management are also major components of a security program. At HealthEdge we routinely scan and test our environments, which helps us identify security weaknesses from things like system and software patches, device misconfiguration, and/or other vulnerabilities related to human error. Vulnerability management, with regular scans, ensures security is continuously assessed and improved for greater maturity.

Technology Enablers 

The 2022 Verizon DBIR states that attackers view malicious exploits as “a numbers game.” If attacks can remain at a high rate, or even increase, eventually minimal access can be gained to advance their attack plans. With this level of persistence in mind, HealthEdge adopts a layered security approach with technology enablers used to strengthen each layer of defense.

  • Web application firewall (WAF) tools protect web application servers by mitigating application layer attacks through analysis of each HTTP/S request. Application layer attacks, such as DDoS attacks, seek to disrupt services from the web application. WAF tools ensure only authorized data is transmitted and prevent malicious or unsafe traffic, based on a set of configured security policies.
  • Firewalls are used to restrict inbound and outbound traffic in a private network to mitigate web-based threats.
  • Content filters are used to prevent malicious content from being delivered in the first place, and the content is assessed again at the point of click to ensure it hasn’t become malicious.
  • Source code analyzers are used to scan software for flaws and defects during the development cycles.

Stay tuned for next time where we will explore the value of using cyber intelligence alerts to complement our security strategy.

Beyond Dashboards: How to get the Most out of Your Reimbursement Analytics

At health plans today, reports are often found in the form of spreadsheets – which offer a flat and siloed view of reimbursement insights. Analytics can be more informative when they have accurate real time data and provide multi-dimensional views. Health plans have a lot of data, and it is important to get the most out of it to drive informed decision making and positive change.

The Reimbursement Information Payers Need

It is important to fully understand how your health plan’s claims are performing during reimbursement. Having an overarching view of a health plan’s entire reimbursement use case will provide insights on where problems are starting and how they ultimately affect reimbursement. As a starting point, health plans should identify the areas that aren’t receiving enough information and identify blind spots. Additionally, it is helpful to have comparison data to flush out the areas where improvement is needed or has been needed for an extended time. Having reimbursement data in one place instead of siloed individual reports can help a health plan find and remediate issues faster.

The Big Issues

Health plans often struggle with issues surrounding provider education, medical economics, and finance. These issues may result in underpayments/overpayments or delayed claim adjudication resulting in late fees. When any issue arises, swift detection and resolution are imperative to ensure quality and accurate reimbursement, and prevention of abrasion between a health plan and its providers.

Highlighting Your Successes

It is just as important to understand the areas where your health plan is excelling. Maybe your health plan has recently cut down on overpayments. With this being the case, it is important for a health plan to understand what changes were made and if they can be applied to other places within reimbursement. Reflecting on effective and modern changes that positively impact reimbursement can be beneficial across a health plan’s claims ecosystem.

But what if …

Once areas needing improvement have been identified, it is important to simulate results before applying changes and answer the question ‘what if this change was made?’. This allows for health plans to make informed and confident decisions that will foster positive change into the claims ecosystem. A couple of examples include:

  • Benchmarking
  • Forecasting
  • Contract Modeling

Better Insights Lead to Better Decisions for Claims Operations

Predicting the financial and operational impact of pricing edits and configuration changes to claims has been a challenge for decades. But advanced business intelligence solutions from HealthEdge’s payment integrity platform, Source, allow health plans to eliminate the guesswork and adapt claims operations with confidence.

The Source Analytics Module allows leaders to:

  • Accurately assess the impact of changes before applying to a particular product, region or provider contract
  • Avoid unnecessary overpayments
  • Improve provider relations through accurate communication of a new policy’s impact
  • Reduce internal effort needed to manage and review results
  • Proactively adapt to policy and rate changes to remain in compliance

 Learn more about Source Analytics here.

 

Uncovering Opportunities: 4 Top Tips when Upgrading Payer Software

Upgrading existing software can be a daunting task to undertake, one that requires planning and freeing of resources to be successful. It’s one of the reasons health plans might put off keeping their systems up to date. But upgrading software presents an opportunity to evaluate current workflows while preparing your organization for growth.

In a recent ACAP Webinar entitled “It’s About the Digital Journey, Not the Destination” Dr. Christine Messersmith, CMO of Denver Health Medical Plan, discussed the decision to upgrade their GuidingCare system and how they optimized this opportunity with the support of the HealthEdge team.

Dr. Messersmith outlined some key considerations when planning an upgrade:

  • Upgrading can be resource-heavy but it’s necessary for growth: Without it, you can’t take advantage of new features and prepare yourself for growth, but by resourcing properly and ensuring operational processes are streamlined, you can maximize what the product can do for your organization
  • Be thoughtful and planful: Consider and plan for known challenges before beginning an upgrade, such as regulatory requirements and the need to re-evaluate and ensure the requirements are addressed.
  • Don’t expect the software to fix workflow issues: Existing workflow challenges and inefficiencies may continue after an upgrade unless they are addressed. Be clear about anything that isn’t going well and work to ensure that erroneous workflows aren’t being embedded into the new product.
  • Leverage the upgrade to uncover and solve internal issues: An upgrade can be an opportunity to uncover any challenges that exist and to solve them.

When Denver Health Medical Plan began planning for an upgrade, they knew that they wanted to optimize the opportunity. Several questions began to arise: What is the goal? What are we trying to accomplish? What things don’t we know about our system that we should? And so, they reached out to the HealthEdge team to leverage their knowledge and expertise through a service called .

During a , from the HealthEdge team go to the client site to sit with the end users and understand how they are currently using the system. They look for opportunities for improvement, which may take the form of additional training or different configurations of the software.

“As a vendor, we are your partners, and we want to make sure that you succeed. We want to be a partner of yours and the ultimate goal is to make sure that your members are taken care of,” says Jennie Giuliany, RN, Lead Clinician of Client Management at HealthEdge, who partnered with throughout the upgrade process.

Dr. Messersmith promotes taking advantage of the team that knows the software best – the vendor – and acknowledging that the users may often need to relearn a product to optimize it. “We identified opportunities that we didn’t know existed, things that were in our contract… that we weren’t really using. We figured out how to take ownership of the product.”

To learn more about Denver Health Medical Plan’s upgrade journey and how the HealthEdge team was able to help them optimize and accelerate their digital transformation, listen to this webinar or contact us.

How small & medium health plans can control rising Rx Costs

Healthcare Spending in the US

In 2020, U.S. health care spending increased 9.7 percent to reach $4.1 trillion – a much faster rate than the 4.3% increase experienced in 2019. Of this, $359 billion was spent on prescription drugs, around 8% of the total expenditure.

Pharmaceutical Industry & Brand Drugs

The pharmaceutical industry in the US has many stakeholders and a wide variety of pricing structures, rebates, fees, discounts, and other types of payments. Over the last few years there has been a steady increase in Rx costs which has triggered renewed calls for greater visibility into the pricing, distribution, and payment process. More than half of total spending on brand medicines went to the supply chain, middlemen and other stakeholders in 2020 according to an analysis from the Berkeley Research Group (BRG).

The analysis by the BRG group illuminates how different stakeholders realized payments through the 340B program.

340B Program Overview

This program was originally enacted by Congress as part of the Veterans Health Care Act of 1992. The intention of this program was to provide assistance to the low-income and uninsured population. The program provides hospitals and medical care providers discounts on outpatient drugs as rebates, similar to the Medicaid Drug Rebate Program.

Let’s take a look at how the program has evolved over the years:

  1. Participation in the Health Resources and Services Administration (HRSA) grew by a staggering 4,228% during the period from 2010 to 2020
  2. Now the 340B program is the second largest federal Rx program behind Medicare Part D
  3. While the gross expenditure of generic drugs has shown a decreasing trend from 2015, brand drug sales show an increase starting from 2013 due to the 340B program
  4. There is an exponential growth in hospitals and their outpatient clinics enrolled in 340B program from 2013-2020
    • The count went up from 3,994 to 94,000 Pharmacies at outpatient clinics
    • The margin of profits for brand drugs increased 12X during the time period from 2013 to 2020

The Pharmaceutical Supply Chain: Key Findings

  • Manufacturers retain just over 37% and 49% of total spending on all Rx drugs in general and brand drugs respectively
  • 2020 marked the first year when non-manufacturing stakeholders like pharmacy benefit managers (PBMs), health plans, facilities, pharmacies, and others received more than 35% of spending on brand drugs between 2019 and 2020
  • The growth of the 340B program resulted in an increase of 1,100% in the amount that facilities and pharmacies received from the sale of brand drugs between 2013 and 2020

Impact on Smaller Health Plans

Small and medium businesses make up 409 of the country’s 493 health insurance plans. A lot of the plans are relatively new, with Medicare Advantage the growing trend. 35 percent of small and medium businesses offer a Medicare Advantage plan. Another 35 percent offer Medicaid, with 26 percent of that business in managed Medicaid.

While the larger health plans have the leverage to have contracts with more pharmacies and facilities with 340B Program coverage, the smaller plans might find it difficult to get contracts with those facilities and pharmacy chains. This in turn leads to more out-of-pocket cost and more reimbursements to PBMs from smaller health plans.

How can HealthEdge Help

HealthEdge provides health plans with the option to bring in pharmacy data to HealthRules DataLake. This data can be used to generate reports and dashboards to:

  1. Identify the key providers who prescribe the bulk of brand name drugs
    • A single medical oncologist who practices at an outpatient clinic affiliated with a 340B hospital could prescribe $1 million of brand drugs per year
  2. Identify the brand drugs where there is an alternate generic medicine available
  3. Compare the cost and create an outreach program to include incentives in provider contracts for prescribing generic drugs
  4. Savings of more than $5 million can be realized for a health plan with member count of 500K to 750K by reducing brand drug prescriptions by 15-20%
  5. Savings of more than $10 million can be realized for health plans with more than 1 million memberships by reducing brand name prescriptions by 10%

Learn more about HealthEdge’s core administrative processing system HealthRules Payer.

 

CMS Regulations: Top 4 Compliance Tips

CMS regulations are constantly evolving – and the risks of non-compliance are steep. As the backbone of numerous health plan payers, HealthEdge is responsible for adhering to CMS’s constantly changing regulations.

How do we do that? We have a team of 11 CMS subject matter experts. These Payment Policy Analysts have a wealth of knowledge and are deeply entrenched in CMS and its ever-changing regulations. They spend all year researching, prepping, and implementing CMS regulations to ensure that Source – our payment integrity platform – stays compliant.

When we asked the team – how can a payer stay up to date on CMS regulations? These were their top 4 CMS compliance tips.

  1. Understand the risks of non-compliance

CMS regulatory updates need to be completed accurately and on time. If this does not happen, it significantly impacts payers’ ability to process claims accurately and on time – which can lead to recruitment issues, overpayment, underpayment, increased member and provider abrasion, and decreased provider confidence in the payer.

Furthermore, CMS actively audits health plan payers to ensure compliance. Non-compliance with CMS regulations can result in fines and a decreased star rating.

  2. Plan & Prepare

CMS updates can be released multiple times a year. With every upcoming CMS change, they release a proposal outlining the upcoming change. The time between the release of that proposal and the final rule varies.

As soon as a proposal is released, our team reviews it with a fine-toothed comb and begins preparations. With this, the team fully understands the upcoming changes and lays the internal foundation to be able to implement the changes as soon as the CMS final rule is released. This is critical to ensuring on-time implementation of new CMS regulations.

  3. Have Dedicated Resources

CMS regulations are complicated and specialized. HealthEdge manages this complexity with a team of expert Payment Policy Analysts. Having a dedicated team of experts is key to understanding, managing, and accurately adhering to CMS regulations.

  4. Leverage Automated Technology

Regulatory compliance changes require constant vigilance. To maximize this, our team has implemented automated processes:

  • Website monitors: this technology automatically scans the CMS website to look for changes that our Payment Policy Analysts need to be aware of
  • CMS Notifications: Our team also subscribes to CMS notifications

The key here is to be proactive about looking for upcoming CMS regulatory changes.

Learn more

CMS regulatory compliance is a critical part of HealthEdge’s payment integrity platform Source. Source is a cloud-based platform that is the only prospective payment integrity solution that natively brings together up-to-date regulatory data, claims pricing and editing, and real-time analytics tools into a single IT ecosystem. This transformational approach allows payers to make payments with total confidence and make business decisions with real intelligence. Learn more here.

Healthcare Cybersecurity Top Threats & Industry Trends in 2023

Industry Trend Comparison

The Department of Health and Human Services (HHS) has reported an 84% increase in the number of data breaches against health care organizations from 2018-2021, highlighting the growing concern of cybersecurity threats in healthcare. Data reported through the first half of the year is consistent with the rate of increase reported each year.

Top 3 Cybersecurity Threats in Healthcare

  1. Basic Web Application Attacks (BWAA)

Web applications are ideal targets for adversaries – they are intentionally exposed publicly, are always available, and can be a door to a database containing potentially sensitive information. Also known as application-layer attacks, these exploits take advantage of web services that are designed to receive requests and provide responses. When not properly secured, web applications may divulge information to an attacker in response to requests or through manipulation of the application’s logic. The seven most common types of web application attacks are:

  • Cross-site scripting (XSS)
  • SQL injection (SQLi)
  • Path traversal
  • Local file inclusion
  • DDoS attacks
  • Cross-site request forgery (CSRF)
  • XML external entity (XXE)

Source: HHS.Gov

The healthcare sector has seen the greatest increase in BWAAs relative to other industries, and web applications are mission-critical to achieving the goals of HealthEdge. A layered defense strategy must be used to protect applications. HealthEdge employs a variety of protective and defensive measures that work together and complement one another to reduce possible opportunities for exploitation.

  2. System and Network

Zero-day attacks take advantage of previously unknown vulnerabilities that, as a result, have no known patch available. The vulnerability is discovered by the security community at the same time that its exploit becomes known. Because no time exists between the discovery of the vulnerability and the patch, these exploits are collectively referred to as “zero-day vulnerabilities,” “zero-day exploits,” or simply “zero-days”. Because code and vulnerability scanners, security posture management tools, and behavior monitoring technologies rely on previously identified vulnerabilities and exploits, these normally useful tools are less effective as a means of prevention or detection of zero days. Instead, security teams strive to prevent large-scale damage and minimize collateral damage in the event that the initial defenses fail.

While there is no silver bullet to preventing zero-day attacks, the opportunities for exploit can be reduced through multiple controls and best practices:

  • Data and network isolation – Prevent lateral movement such that if a single system is compromised, the damage or access is limited to that system.
  • Penetration testing and bug bounty – Also known as security researchers, penetration testers or bug bounty hunters are software engineers who get paid to intentionally attempt to exploit systems in any way to potentially find their own zero days and beat the bad guys to the punch.
  • Patching deployment planning – Once zero days have been discovered “in the wild,” it is of critical importance that the patch is received, applied, tested, and deployed to the production environment. This requires internal technology teams to be at the ready and know their role to patch the system as soon as possible.
  • Monitoring and alerting – This continuous effort is important in identifying strange activities and responding to events that are validated as security incidents. This is commonly achieved through firewalls that inspect the network’s traffic, access control monitoring, audit logging, and automation capability to detect and alert on anomalous activities to stop malicious actors in their tracks.

 

  3. Insider Threats

Another common threat that is central to the focus of security teams is the insider threat. An insider can be anyone who has authorized network, system, or application access, be it an employee, a third-party contractor, or business partner.

An insider threat does not imply that the insider is malicious, nor do insider threats require malicious or disgruntled actors at all. Instead, anyone who uses their authorized access, wittingly or unwittingly, to harm the organization falls into this category. Threats include espionage; unauthorized viewing, modification, or disclosure of information; theft; loss; or unacceptable use of organizational resources or capabilities. Administrative and technical controls must be implemented for all possibilities to mitigate risk.

  • Annual training is just as important as regularly informing all users about current phishing campaigns, cybersecurity trends, and other current events. Strong organizational security threat awareness ensures each of us is aware of our responsibilities as the first layer of defense.
  • Least privilege and minimum necessary principles ensure that a user account cannot gain access to information beyond the scope of the user’s job requirements, even if that account were compromised. This limits the total damage that can be done by any single individual.
  • Access controls and regular validation of provisioned access ensure users are appropriately provisioned for their role and that access creep is minimized. Access controls requiring strong passwords and multifactor authentication help prevent account takeovers.
  • Zero-trust architecture is a relatively new security concept with a slogan of “never trust, always verify.” The core belief of zero trust is that no user, system, network, or service operating outside or even within the security perimeter is implicitly trusted, even if they previously authenticated. In simpler terms, acquiring legitimate access to one system or network should never automatically confer access to another without additional validation. This security model limits damage that can be done if a single security control fails at any location within an organization’s ecosystem.

HealthEdge & Cybersecurity

HealthEdge understands what it means to be a good steward of customer data and we take this responsibility seriously. Our teams work around the clock to ensure maturity when it comes to pillars of security. Follow us next month when we dive further into cybersecurity threats in healthcare.