The Board’s Role in Cybersecurity

(Originally published in Nasdaq’s MarketInsite, March 30, 2017, and written by Gordon Clark, President and CEO of iProtean)

 

Cyberattacks. They are perhaps the most vexing security threats facing businesses today. To have a computer connected to the outside world is by definition to be vulnerable. Yet an analysis published in The NTT Group’s 2016 Global Threat Intelligence Report found that only 23 percent of organizations are capable of responding effectively to a cyber incident. The challenges of being prepared are compounded by the sheer volume, sophistication, and shifting nature of the attacks. Threats are constantly evolving. Defenses need to evolve with them.

 

Hospitals, health insurance companies, law firms, private equity firms, and others with access to sensitive patient, client or personally identifiable information are, unfortunately, inviting targets. TrapX™, a cybersecurity defense firm, reported in its 2016 Year-End Health Care Cyber Breach Report that major cyberattacks on healthcare institutions increased by 63 percent over the prior year. The same report cites 123,869,931 documented cases of patient records being breached over the 2015 to 2016 timespan. Highly regulated industries, such as the financial and business services sectors, witnessed the highest volume of attacks. With the exception of health care, these industries face the highest per capita data breach resolution costs. At $402 per record, the average cost of a healthcare data breach was considerably higher than breaches in the financial services industry, which run on average $264 per compromised record. The proliferation of these attacks is likely to continue.

 

Financial services companies face a real threat to the confidentiality and trust inherent in the firm-investor relationship. For healthcare organizations, there is an added risk. It has been widely reported that the information contained in a medical record makes it approximately four times more valuable on the black market than a social security number. And while IT security at hospitals primarily focuses on data breaches, the infiltration of IT systems can also cause problems in areas such as planned surgeries, diagnostic procedures, and the operation of medical devices. Consequently, for hospitals, the risks from cyberattacks go beyond the financial and reputational. They can also endanger patients.

 

The magnitude of the cybersecurity threat clearly makes it a board-level issue. Understandably, however, the arcane nature and technical complexity of the subject can cause the eyes of many board members to glaze over the details. It’s important, though, for all board members, regardless of technical background or inclination, to participate in ensuring the right policies and practices are in place and followed.

 

As cybersecurity specialist Martin Liutermoza, AVP of Information Security Engineering for Nasdaq, put it, “Boards need to educate themselves and we need to help educate them on what security actually is and what it means. They need to understand what they are trying to protect.” He added, “That includes having a sense for the access points where hospitals are most vulnerable, such as Electronic Health Record (EHR) systems, web-enabled medical devices, mobile devices, and third-party vendors that connect to the hospital’s network.”

 

As with other issues, the board’s focus belongs on strategy, policy, and management oversight. The board adage of NIFO – noses in, fingers out – applies. It’s important for boards to ask the right questions and ensure the answers pass the smell test. Implementation, and the technical plans that go with it, are the responsibility of management.

 

For boards, here are some key areas for exploration:

 

  1. Understand how cybersecurity and, on a broader basis, IT security, fit within the organization’s overall enterprise risk management program.
  2. Have management explain where the organization is most vulnerable and what steps are being taken to mitigate those vulnerabilities.
  3. Understand the reporting structure, systems, controls, and measures management has in place to protect the organization from major cyber threats.
  4. Have management explain the extent to which the organization is using advanced technological tools to identify and stop attacks in real time.
  5. Have management ensure adequate staffing, budgeting, and training are in place to prevent and respond to attacks.
  6. Review management’s response plan to potential attacks and data breaches.
  7. Have an outside IT security expert conduct an audit on an annual basis and present findings to the board.
  8. Set a schedule with management for regular updates. Decide whether to have the briefings made to the full board or a committee of the board.

 

No matter how well an organization is prepared, it cannot fully prevent cyberattacks. What it can do is have the right plans and systems in place to block some attacks and significantly mitigate the effect of others. In the words of Nasdaq’s Martin Liutermoza, “Having the right preparation and crisis recovery plan is going to keep people out of a lot of nightmares.” It’s the board’s responsibility to ensure those plans are in place.

Nasdaq’s Board and Leadership Solutions have a unique collaboration with iProtean, an e-learning company that provides online governance education and information to hospital directors. Bringing over 50 years of combined experience in healthcare governance information and education, the iProtean leadership team understands the specific needs of hospital and health system board members. The company is committed to helping directors make a meaningful difference in their communities.

 

 

Nasdaq Corporate Solutions helps organizations manage and master the two-way flow of information with their audiences. Around the globe, market leaders rely upon our unmatched suite of advanced technology, analytics and consultative services to maximize the value of their work—from investor relations and corporate governance to public relations and communications.

 

 

 

iProtean subscribers, the advanced Mission & Strategy course, When the Dust Settles, featuring Marian Jennings and Dan Grauman, is in your library. Marian and Dan discuss the complexities of moving to a value-based healthcare organization, key features necessary to ensure the board and leadership stay ahead of the curve, the importance of thoughtful and thorough assessment of options available to the organization, the risks inherent in new investments and changes in board recruitment and development.

 

Coming soon: the advanced Finance Course, Financial Risks & Strategic Implications of APMs, featuring Marian Jennings and Seth Edwards.

 

 

For a complete list of iProtean courses, click here.

 

 

For more information about iProtean, click here.

 

MACRA and What It Means

(Excerpts from a presentation by Seth Edwards, Premier, Inc. at the iProtean Symposium, March 2017)

 

Helpful Acronyms and Definitions:

MACRA: Medicare Access and CHIP Reauthorization Act of 2015

QPP: Quality Payment Program—basically, a regulation that enacts the MACRA legislation

MIPS: Merit-based Incentive Payment System—one of two tracks created under MACRA for clinicians to participate in Medicare

AAPM: Advanced Alternative Payment Model: the other track created under MACRA for clinicians to participate in Medicare

Clinicians: physicians, nurse practitioners, nurse anesthetists, registered nurses and other physician extenders included as part of QPP

 

 

MACRA legislation, passed in 2015, put in place reforms on how physicians will be paid. It moves physician payment from a volume-based reimbursement system to a value-based reimbursement system.

 

We’re seeing a number of strategies in the market to be successful under MACRA, or at least to put in place the foundation to be successful under MACRA. A lot of it is related to driving clinically integrated networks and using them to share resources across different provider groups so that you’re not just going it alone.

 

Being successful in this model requires quite a bit of investment, not only of money, but also of resources and time on behalf of each clinician practice. So finding ways to be able to work together through clinically integrated networks, or through assistance from a health system or other provider types is critical, and something we’re seeing a lot of organizations pursuing. It not only helps with the Merit-based Incentive System (MIPS), but it also lays a foundation that you can build upon to move into an Advanced Alternative Payment Model (AAPM) in the future. So if you want to use a clinically integrated network as a vehicle to move towards an ACO, or a bundled payment model, you’ll have a lot of the infrastructure in place to be able to do so.

 

MIPS vs AAPM

 

There are inherent advantages and disadvantages between being in a MIPS and an AAPM. It really depends on where your organization is currently, and where you are planning to head in the future in terms of a population health strategy.

 

MIPS puts in place clinicians’ reimbursement, from +/- 4 percent in 2019 to +/- 9 percent in 2022 and beyond, and it depends on how well the clinician performs. So if you feel like you’re a high quality, high performing provider, being in MIPS can provide you with a lot of opportunities to get an upward adjustment that can be much greater than what you would get under an AAPM.

 

Conversely, if you pursue an AAPM, you get a guaranteed 5 percent bonus, assuming you meet the requirements to be considered an AAPM. So, there is certainty in that model, but you can’t go above the 5 percent. On top of that, you’re at risk outside of MACRA for any losses that you would generate above an expected expenditure. So, you have a potential to have to write CMS a check, even though you have a guaranteed 5 percent bonus through MACRA. And oftentimes that 5 percent bonus is not going to cover the amount of exposure that you have to take on under an AAPM to be successful.

 

So, it’s really a difficult consideration. Do you want to be in MIPS and have a risk for 4 – 9 percent upward or downward adjustment? Or do you want to be in AAPM, get the guaranteed 5 percent bonus, but then have a potential to have to write CMS a check if you spend more than you expected?

 

Impact on the Hospital/Health System

 

As a board member, you should know that MACRA has an impact on the long-term viability of your health system, not only looking at how you support your employee clinicians, should you have some, but also how you are engaging with independent clinicians within your marketplace. MACRA sets up a dynamic where there are incentives to align with your clinicians, to be able to help them, but then it also puts in place a need to align with clinicians ahead of other organizations. These “disruptor organizations,” as we call them, could potentially set up an accountable care organization with the clinicians, leave your health system out of it and then your organization will be viewed as a “cost center.”

 

MACRA will have a major impact on how you are going to work with clinicians in the future, as well as how you are going to continue to evolve with the new payment models. As we’ve seen, there is no new money coming into health care, and so working with clinicians and together moving towards population health models that will help you be successful under value-based reimbursement will be a key critical differentiator for your health system.

 

 

 


MACRA and Medicare: Hospitals May Experience Large Payment Cuts

A study in Health Affairs’ April issue found that hospitals might experience larger-than-expected Medicare payment cuts under the Medicare Access and CHIP Reauthorization Act (MACRA).

 

The report’s authors estimated that “MACRA will decrease Medicare spending on physician services by −$35 to −$106 billion (−2.3 percent to −7.1 percent) and change spending on hospital services by $32 to −$250 billion (0.7 percent to −5.1 percent) in 2015–30. The spending effects are critically dependent on the strength of incentives in the alternative payment models, particularly the incentives for physicians to reduce hospital spending and physician responses to MACRA payment rates.”

(“The Medicare Access And CHIP Reauthorization Act: Effects On Medicare Payment Policy And Spending,” Abstract, Health Affairs, April 2017)

 

The authors said that while MACRA ended a contentious “cycle of deep uncertainty about Medicare payment rates for physicians under the sustainable growth rate (SGR) reimbursement formula,” it sparked a different kind of uncertainty.

 

A RAND Corporation senior policy researcher and co-author of the study said losses would result from physicians responding to payment models in ways that reduce the use of hospital care, such as avoiding admissions and readmissions. (“MACRA to Cut Medicare Pay to Hospitals Most: Study,” HFMA Weekly, April 8, 2017)

 

Basically, physicians may see their Medicare payments increasing very slowly over the next 10 years, and the only way to speed up those reimbursements is to participate in alternate payment models. One of the objectives of these models is to keep patients out of hospitals. Thus, the biggest effect from MACRA could be a decrease in hospital revenues.

 

What Should Hospitals Do?

 

To address the possibility of decreasing inpatient revenues, financial experts suggest hospitals should “re-engineer their operations to make margins on their Medicare business as well as their commercial business.” This will include increasingly moving patients to outpatient facilities that offer lower cost delivery, embracing ambulatory surgery centers and other appropriate care outside of the hospital.

 

Of course, the traditional steps recommended for hospitals include:

 

  • Reducing costs
  • Increasing outpatient revenues
  • Improving the management of the health of the populations they serve
  • Integrating quality of care measures, electronic health records and clinical improvement activities
  • Managing physician cost incentives
  • Expanding the use of physician extenders
  • Determining a MACRA strategy for employed physicians
  • Developing a multi-year strategy for building the needed infrastructure to move forward under different payment models

 

The future of Medicare payment related to MACRA remains an uncertainty. However, a Healthcare Financial Management Association executive noted, “the [Health Affairs] study cemented the truism that the futures and fortunes of hospitals and physicians are inextricably linked.” (“MACRA to Cut Medicare Pay to Hospitals Most: Study,” HFMA Weekly, April 8, 2017)

 

(Note: Next week’s blog/newsletter will feature a detailed look at MACRA by Seth Edwards, Premier, Inc.)

 

 


Uncompensated Care Still Causes Concerns for Providers

A major rating agency expects enrollment declines in the health exchange marketplaces created by the Affordable Care Act (ACA), thus increasing the level of uncompensated care for hospitals in 2018. Fitch Ratings announced its prediction several days after the American Health Care Act (AHCA) was pulled from a planned March 24 vote in the U.S. House of Representatives.

 

The managing director at Fitch noted, “Everyone was in agreement—Democrats and Republicans—that the exchanges weren’t very healthy in 2017.” (“After AHCA, Uncompensated-Care Concerns Remain,” HFMA Weekly News, March 31, 2017)

 

Changes that affected the exchanges from 2016 to 2017 include:

  • Decrease in enrollment in the exchanges by about 500,000
  • Sharp increase in average premiums
  • Departure of some larger insurers from the marketplaces

 

The Fitch executive said in an interview that things are likely to be worse in 2018, “given that there is even more uncertainty now around the future of the ACA, what the [Trump] administration might do to defund portions of it or destabilize the exchanges even more than they already are. All that taken together is bad news for hospitals in that it probably means fewer exchange-covered lives.” (“After AHCA, Uncompensated-Care Concerns Remain,” HFMA Weekly News, March 31, 2017)

 

Uncertainty about future changes to the ACA as well as potential decisions by the administration has caused concern for hospitals and insurers, according to experts. For example,

  • CMS’s proposed rule changes to the ACA; e.g., new enrollment limits, network adequacy standards and timelines for qualified health plan certification
  • A decision by the administration on how it will handle subsidies that reduce out-of-pocket expenses for approximately 30 percent of ACA marketplace enrollees who are eligible for such subsidies based on income
  • Potential spillover in Medicaid-expansion states of people who drop marketplace plan coverage but who may earn too much to qualify for Medicaid coverage

 

Fitch had warned in an earlier note (March 16) that not-for-profit hospitals faced a “considerable” increase in uncompensated care under the AHCA. Those costs have been declining in recent years under the ACA. For example, uncompensated care for a group of the largest for-profit hospital companies has dropped by an average of 250 basis points since the start of the ACA’s insurance expansion, Fitch noted. (“After AHCA, Uncompensated-Care Concerns Remain,” HFMA Weekly News, March 31, 2017)

 

 

 
