The scenario is a nightmare for any hospital. Suddenly, all computer screens are stuck on a warning message: “All of your data has been encrypted. In order to unlock access to your system, you must pay $250,000 in Bitcoin.” Immediately, the entire hospital is plunged into a crisis. It is impossible for staff to look up patient conditions, or learn what treatments are required. Lives of patients are threatened. Your IT group has no idea what to do. This is the threat of so-called “ransomware” — hospital data is kidnapped until a ransom is paid.
Why do cyber-extortionists use Bitcoin? And what is Bitcoin? Bitcoin called a cryptocurrency, or a decentralized digital currency. It relies on a peer-to-peer system, which means there is no central point of control. It is open source software, so no company owns or controls Bitcoin. There is no intermediary for moving the currency from one party to another, no records, no taxes to pay, and no way to identify the party receiving the payment. All Bitcoin transactions are recorded in a giant ledger which is distributed from one network node to another. This ledger is called the blockchain. There are Bitcoin ATMs. The amount of Bitcoin is well over $10 billion dollars. In 2015, the UK bank Barclays announced it will accept Bitcoin. The price changes, but in November 2015, one Bitcoin was equivalent of around $500 dollars. There is no central repository, like a Central Bank (Federal Reserve), and no one controls the currency supply.
Bitcoin is a viable currency, and it is accepted for payment by many vendors. But it also is a favorite of criminals because there is no record of its use or transfer. No tracking, and of course no taxes. According to the FBI, “Criminals prefer Bitcoin because it’s easy to use, fast, publicly available, decentralized, and provides a sense of heightened security/anonymity.”
Ransomware, or “cyber extortion” is said to have originated in Eastern Europe in 2005. The scourge of ransomware is spreading rapidly. In the United States, attacks are expected to top $1 billion in 2016. But these estimates probably ignore the vast majority of Ransomware attacks that never are reported. According to the FBI(*), a typical ransomware payment is between $200 and $10,000. By early 2016, there were more than 4,000 reported ransomware attacks. The current rate is around 3,000 attacks per day. It is big business.
The names of ransomware programs read like a twisted hacker’s nightmare: CryptoWall, CTB-Locker, TeslkaCrypt, Samoas (SAMSAM), Locky (very popular), Conflickeer work, Chanitor, Nivdort bot, HummingBad, Triada, Ztorg, GameOverZeus. The Android OS is particularly vulnerable. There are a few groups of cyber extortionists known for exploiting ransomware. These include: the Cyber Caliphate Army (CCA), and the Brazil-based TeamXRat. But there is need to worry about these identities, because you will never know who hit you. Table 1 summarizes a few of recent ransomware attacks against hospitals.
How Hospitals Can Protect Against Ransomware
Unlike financial institutions, hospitals in general do not have as much experience in handling computer emergencies. Even though healthcare represents a large part of the economy, spending on cyber-security is less than 10% of overall security spending. In other words, the healthcare sector is under-investing in security. And this needs to change.
There are a number of steps hospitals can take to improve their defenses against ransomware. Any hospital might start with a ransomware audit. This audit would aim at developing a strategy or “Playbook” to improve network security, help educate healthcare employees on good security practices, putting in place a computer recovery plan, and developing a protocol to handle emergencies. A few options to consider are summarized in Table 2.
It is important to note that ransomware is not only an IT issue. There are important legal considerations. For example, if patient records are compromised, the healthcare provider must make notification. And this means tens of thousands of persons must be contacted, and in a timely manner.
No matter what measures a hospital takes against cyber-extortionists, the reality is that it is impossible to have 100% reliable protection against hackers. But there is much that can be done to (1) lower the chance of being hacked; and (2) ensure that if a ransomware incident takes place, it can be dealt with expeditiously and with the least harmful disruption to what is really important — helping patients.
(*) FBI, Criminals Continue to Defraud and Extort Funds from Victims Using Cryptowall Ransomware Schemes, Public Service Announcement, June 23, 2015. See also: U.S. Government, How to Protect Your Networks from Ransomware, Interagency Technical Guidance Document, n.d., available here.
The number of Medicare audits is increasing. In the last 5 years, audits have grown by 936%. As reported previously in RACmonitor, this increase is overwhelming the appeals system. Less than three percent (3%) of appeal decisions are given on time within the statutory framework.
It is peculiar that the number of audits has grown rapidly, but without a corresponding growth in the number of employees for RACs. How can this be? Have the RAC workers become more than 900% more efficient? Well, in a way they have. They have learned to harness the power of Big Data.
Since 1986, the world’s ability to store digital data has grown from 0.02 exabytes to 500 exabytes today. An exabyte is one quintillion bytes or 10e+18 bytes. Every day the equivalent 30,000 Library of Congresses is put into storage. Lots of data.
Auditing by RACs has morphed into using computerized techniques to pick targets for audits. An entire industry has grown up that specializes in processing Medicare claims data and finding “sweet spots” on which the RACs may focus their attention. In a recent audit, the provider was told that a “Focused Provider Analysis Report” had been obtained from a subcontractor. Based on that report, the auditor was able to target the provider.
A number of hospitals have been hit with a slew of Diagnosis-Related Group (DRG) downgrades from Internal Hospital RAC Teams camping out in their offices, continually combing through their claims data. DRG is a system that classifies any inpatient stay into groups for purposes of payment.
The question then becomes: How is this work done? How is so much data analyzed? Obviously these audits are not manual. They are Cyber Audits. But how?
An examination of patent data begins to shed light on the answer. For example, Optum, Inc. of Minnesota (associated with United Healthcare) has applied for a patent on “Computer implemented systems and methods of health care claim analysis.” (Application Number 14/449,461, Feb. 5, 2015) These are complex processes, but what they do is analyze claims based on a Diagnosis-Related Group (DRG).
The information system envisaged in this patent appears to be specifically designed to downgrade codes. It works by running a simulation that switches out billed codes with cheaper codes, and then measures if the resulting code configuration is within the statistical range averaged from other claims.
If it is, then the DRG can be down-coded so that the revenue for the hospital correspondingly is reduced. This same algorithm can be applied to hundreds of thousands of claims in only minutes. And the same algorithm can be adjusted to work with different DRGs. This is only one of many patents in this area.
When this happens, the hospital may face many thousands of down-graded claims. If it doesn’t like it, then it must appeal.
Medicare Audits as Asymmetric “Warfare”
Here, there is a severe danger for the hospital. The problem is that the cost of the RAC running the audit is thousands of time less expensive that what the hospital must spend to refute the DRG coding downgrade.
This is the nature of asymmetric warfare. In military terms, the cost of your enemy’s offense is always much smaller than the cost of your defense. That is why guerrilla warfare is successful against nation states. That is why the Soviet Union and United States decided to stop building Anti-Ballistic Missile (ABM) systems — the cost of defense is disproportionately greater than the cost of offense.
Hospitals face the same problem. Their claims data files are a giant forest in which these big data algorithms can wander around down-coding and picking up a substantial revenue stream for the auditor.
By using Artificial Intelligence (advanced statistical) methods of reviewing Medicare claims, the RACs can bombard hospitals with so many DRG downgrades (or other claim rejections) that it quickly will overwhelm the provider’s defenses.
We should note that the use of these algorithms is not really an “audit”. It is a statistical analysis, but not done by any doctor or health care professional. The algorithm could just as well be counting how many bags of potato chips are sold with cans of beer. It doesn’t care.
If the patient is not an average patient, and the disease is not an average disease, and the treatment is not an average treatment, and if everything else is not “average”, then the algorithm will try to throw out the claim for the hospital to defend. This has everything to do with statistics and correlation of variables and very little to do with understanding whether the patient was treated properly.
And that is the essence of the problem with Big Data audits. They are not what they say they are because they substitute mathematical algorithms for medical judgment.
In Part II we will examine the changing appeals landscape and what Big Data will mean for defense against these audits. In Part III we will look at future scenarios for the auditing industry and the corresponding Public Policy agenda that will face lawmakers.
The New York State office of the Medicaid Inspector General has an active program of auditing health care providers. After all of the auditing and consideration process has concluded, then a “final determination” is issued. Final determinations are defined in Title 18 of the New York Code Rules & Regulations Sec. 519.3(b): “Final determination is a final audit report or notice of agency action sanctioning a person, or requiring the repayment of overpayments or restitution.”Source: Barraclough NY LLC Analysis.
The graph above shows the number of final determinations for Medicaid audits in New York State from August 2010 until July of 2014. During this time, there are reports of 3,626 audits. There is an astonishing range in the number of audits for each sector. The greatest attention is on Long Term Care, Managed Care, and Hospitals account for 49% of all audits.
Out of the 3,626 audits, only a single Nurse, a single Clinical Psychologist, and single Podiatrist received an audit.
What is the rate of auditing? That is an auditing rate of around 77 audits per month, or 4 audits per working day in Albany.