The scenario is a nightmare for any hospital. Suddenly, all computer screens are stuck on a warning message: “All of your data has been encrypted. In order to unlock access to your system, you must pay $250,000 in Bitcoin.” Immediately, the entire hospital is plunged into a crisis. It is impossible for staff to look up patient conditions, or learn what treatments are required. Lives of patients are threatened. Your IT group has no idea what to do. This is the threat of so-called “ransomware” — hospital data is kidnapped until a ransom is paid.
Why do cyber-extortionists use Bitcoin? And what is Bitcoin? Bitcoin is called a cryptocurrency, or a decentralized digital currency. It relies on a peer-to-peer system, which means there is no central point of control. It is open source software, so no company owns or controls Bitcoin. There is no intermediary for moving the currency from one party to another, no records, no taxes to pay, and no way to identify the party receiving the payment. All Bitcoin transactions are recorded in a giant ledger which is distributed from one network node to another. This ledger is called the blockchain. There are Bitcoin ATMs. The total value of Bitcoin in circulation is well over $10 billion. In 2015, the UK bank Barclays announced it will accept Bitcoin. The price changes, but in November 2015, one Bitcoin was equivalent to around $500. There is no central repository, like a Central Bank (Federal Reserve), and no one controls the currency supply.
Bitcoin is a viable currency, and it is accepted for payment by many vendors. But it also is a favorite of criminals because there is no record of its use or transfer. No tracking, and of course no taxes. According to the FBI, “Criminals prefer Bitcoin because it’s easy to use, fast, publicly available, decentralized, and provides a sense of heightened security/anonymity.”
Ransomware, or “cyber extortion,” is said to have originated in Eastern Europe in 2005. The scourge of ransomware is spreading rapidly. In the United States, attacks are expected to top $1 billion in 2016. But these estimates probably ignore the vast majority of ransomware attacks that are never reported. According to the FBI (*), a typical ransomware payment is between $200 and $10,000. By early 2016, there were more than 4,000 reported ransomware attacks. The current rate is around 3,000 attacks per day. It is big business.
The names of ransomware programs read like a twisted hacker’s nightmare: CryptoWall, CTB-Locker, TeslaCrypt, Samas (SAMSAM), Locky (very popular), the Conficker worm, Chanitor, the Nivdort bot, HummingBad, Triada, Ztorg, GameOverZeus. The Android OS is particularly vulnerable. There are a few groups of cyber extortionists known for exploiting ransomware. These include the Cyber Caliphate Army (CCA) and the Brazil-based TeamXRat. But there is no need to worry about these identities, because you will never know who hit you. Table 1 summarizes a few recent ransomware attacks against hospitals.
How Hospitals Can Protect Against Ransomware
Unlike financial institutions, hospitals in general do not have as much experience in handling computer emergencies. Even though healthcare represents a large part of the economy, spending on cyber-security is less than 10% of overall security spending. In other words, the healthcare sector is under-investing in security. And this needs to change.
There are a number of steps hospitals can take to improve their defenses against ransomware. Any hospital might start with a ransomware audit. This audit would aim at developing a strategy or “Playbook” to improve network security, educating healthcare employees on good security practices, putting in place a computer recovery plan, and developing a protocol to handle emergencies. A few options to consider are summarized in Table 2.
It is important to note that ransomware is not only an IT issue. There are important legal considerations. For example, if patient records are compromised, the healthcare provider must notify the affected patients. And this means tens of thousands of persons must be contacted, and in a timely manner.
No matter what measures a hospital takes against cyber-extortionists, the reality is that it is impossible to have 100% reliable protection against hackers. But there is much that can be done to (1) lower the chance of being hacked; and (2) ensure that if a ransomware incident takes place, it can be dealt with expeditiously and with the least harmful disruption to what is really important — helping patients.
(*) FBI, Criminals Continue to Defraud and Extort Funds from Victims Using Cryptowall Ransomware Schemes, Public Service Announcement, June 23, 2015. See also: U.S. Government, How to Protect Your Networks from Ransomware, Interagency Technical Guidance Document, n.d., available here.
RAC Medicare Audit Data From Senate Chairman Hatch
RAC Medicare Audits recovered over $3 billion
A large portion of the initial payment determinations are reversed on appeal. The Department of Health and Human Services Office of Inspector General reported that, of the 41,000 appeals made to Administrative Law Judges in FY 2012, over 60 percent were partially or fully favorable to the defendant.
In Fiscal Year 2014, Medicare covered health services for approximately 54 million elderly and disabled beneficiaries at a cost of $603 billion.
Of that figure, an estimated $60 billion, or approximately ten percent, were improperly paid, averaging more than $1,000 in improper payments for every Medicare beneficiary.
The Barraclough Blog features the latest news on events and policies, as well as original Barraclough features and blogs about litigation support for Medicare and Medicaid appeals and statistical overpayment extrapolations.
Congress continues to try to fix Medicare’s arduous healthcare audit procedures, as the RAC audit process and healthcare providers remain locked in a claims remediation nightmare. The Audit and Appeal Fairness, Integrity, and Reforms in Medicare, or AFIRM, Act of 2015 was introduced on June 3, 2015.
Senator Wyden’s statement about the Finance Committee markup of this bipartisan effort is that it “will streamline the appeals and audits process so cases are resolved quickly and at the earliest possible step.” The legislation provides for:
More HHS personnel resources to pick up the pace in order “to keep up with the enormous increase in appeals.” The Office of Medicare Hearings and Appeals (OMHA) can currently adjudicate 77,000 appeals in a year, far below the 474,000 appeals OMHA received in 2014.
A new track for lower-cost, less-complex cases to be considered by a different set of hearing officers than other cases, so that HHS can use its resources more efficiently and process more appeals.
Requiring CMS to better coordinate provider audits “to ensure the entire process is more transparent and efficient, including the creation of an independent Ombudsman position at CMS” in order to assist those considering appeals. Providers who consistently bill correctly are exempted from burdensome audits, as a reward for their business practices.
Although this markup provides some improvement by separating high-value from low-value cases, Barraclough LLC is dubious about the additional number of people on the CMS payroll to deal with the appeals backlog and about the overall impact of the Audit and Appeals Ombudsman, which has yet to be fully explained. RAC audit appeals would be better served by more data transparency, a change in RAC auditors’ contingency-fee payments, and better quality in initial determinations.
For the full text of Senator Wyden’s statement, click here.
As the AFIRM legislation progresses, Barraclough LLC will continue to analyze the impacts and make recommendations for the best course of action.
So the question that arises is this: Are contractors free to employ any accuracy they wish in their work, or are there standards that have been suggested or published by the Federal Government?
As it turns out, there appears to be some guidance from two sources.
The first is the May 5, 2010 report by the Acting Administrator and Chief Operating Officer of the Centers for Medicare & Medicaid Services (CMS). On page 3 of that report, the section titled “Precision-level requirements” states:
“[Office of Management and Budget] OMB Circular A-123, Appendix C, states that Federal agencies must produce a statistically valid error estimate that meets precision levels of plus or minus 2.5 percentage points with a 90-percent confidence interval or plus or minus 3 percentage points with a 95-percent confidence interval.”
There is a note in the document: Under these assumptions, the minimum sample size needed to meet the precision requirements can be approximated by the following formula, which is used in the examples:
Where n is the required minimum sample size and P is the estimated percentage of improper payments. (Note: This sample size formula is derived from Sampling of Populations: Methods and Applications (3rd edition); Levy, P. S. & Lemeshow, S. (1999); New York: John Wiley & Sons; at page 74.) The constant 2.706 is 1.645 squared.
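The page omits the formula itself, so the following is an added example (not from the CMS report or OMB Circular) that assumes the standard normal-approximation sample size for a proportion, n = z²·P(100 − P)/d², which reproduces the 2.706 = 1.645² constant quoted above. It computes the minimum sample size under each of the two promulgated standards and checks whether a given sample actually reaches the required precision.

```python
import math

# The two precision standards quoted on the page:
#   Federal: +/- 2.5 percentage points at 90% confidence (z = 1.645, z^2 = 2.706)
#   State:   +/- 3.0 percentage points at 95% confidence (z = 1.960)
STANDARDS = {
    "federal_90_2.5": {"z": 1.645, "half_width_pts": 2.5},
    "state_95_3.0": {"z": 1.960, "half_width_pts": 3.0},
}


def min_sample_size(p_pct: float, z: float, half_width_pts: float) -> int:
    """Minimum n so that a z-level interval around an estimated improper-payment
    rate P (in percent) is no wider than +/- half_width_pts.
    Assumed formula (normal approximation): n = z^2 * P * (100 - P) / d^2."""
    if not 0 < p_pct < 100:
        raise ValueError("P must be a percentage strictly between 0 and 100")
    return math.ceil(z * z * p_pct * (100 - p_pct) / half_width_pts ** 2)


def half_width(p_pct: float, n: int, z: float) -> float:
    """Half-width (in percentage points) actually achieved by a sample of size n."""
    return z * math.sqrt(p_pct * (100 - p_pct) / n)


def required_sizes(p_pct: float) -> dict:
    """Minimum sample size under each standard for an estimated rate P."""
    return {name: min_sample_size(p_pct, s["z"], s["half_width_pts"])
            for name, s in STANDARDS.items()}


def meets_standard(p_pct: float, n: int, standard: str) -> bool:
    """True if a sample of size n reaches the standard's precision at rate P."""
    s = STANDARDS[standard]
    return half_width(p_pct, n, s["z"]) <= s["half_width_pts"]


if __name__ == "__main__":
    # P = 50% is the worst case (largest P(100 - P)); a contractor that assumed
    # a 10% error rate and then found a much higher one is under-sampled.
    for p in (10.0, 50.0):
        print(f"P={p:>4}% -> {required_sizes(p)}")
    print("n=390 at P=50% meets federal standard?",
          meets_standard(50.0, 390, "federal_90_2.5"))
```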
The second is the Federal Register notice issued by CMS, 72 Fed. Reg. 50490, 50495 (Aug. 31, 2007), which provides that the error estimate should meet precision levels of plus or minus 2.5 percentage points with a 90-percent confidence interval, and that the State error estimates should meet precision levels of plus or minus 3 percentage points with a 95-percent confidence interval.
So it appears that these standards, which are fairly good, have been twice promulgated by the Federal Government.
Statistical extrapolation in Medicare and Medicaid audits can be problematic. Such extrapolations are not always done correctly, and it has been our experience that they frequently are not done correctly at all.
Steven E. Skwara identifies three challenges that can be made against statistical sampling in health care fraud cases:
Reproducibility. If the results cannot be reproduced, then there is a reasonable argument that the results are not scientific. Documentation is crucial.
Sample Size. The larger the sample, the more accurate the results. Medicare courts give a great deal of leeway here.
Variability. This is not often looked for, but a high degree of variability in the data may signal problems. Ask your statistician.