NC HIEA Update March 2024

Cybersecurity After Change Healthcare Data Breach, Patient Safety Improved by HIE Data Access, NC HealthConnex Data Helps MCO

Author: Jessica Hagins

Cybersecurity Top of Mind for Healthcare Professionals as Change Healthcare Data Breach Effects Linger

The effects are still being felt from a cyberattack on Change Healthcare on Feb. 21 that forced the organization to disconnect its systems. While those systems are back online, delayed claims payments are still being processed, and the company is still working to fully restore all its services.

The shutdown caused disruptions to providers’ operational workflows and claims processing. Patients were unable to receive quotes for services or, in some cases, access vital prescriptions. A first round of lawsuits from patients started coming in the second week of March.

Change Healthcare has set up a website to inform the public of its response to the cyberattack. The FBI, CISA and U.S. Department of Health and Human Services also have recommendations for mitigating any effects of this particular attack.

The breach was attributed to ALPHV/Blackcat, a group of cybercriminals who claimed they stole 6TB of data from sources connected to Change Healthcare, including Medicare, CVS Caremark, MetLife, Health Net and Tricare, the U.S. military healthcare program.

It is believed that ALPHV Blackcat employed a series of phishing emails appearing to notify victims of a compromise to their data. Employees in the health care sector were the most common target of this latest attack by the group.

Change Healthcare processes 15 billion health care transactions annually. It is estimated that one of every three patient records is handled by Change Healthcare in some way. UnitedHealth Group, which owns Change Healthcare, says that it has paid $2 billion so far in financial advances for providers.

The widespread fallout of this latest breach highlights the tremendous importance of being vigilant about cybersecurity in health care organizations.

According to an IBM report, 95 percent of breaches are caused by human error. This means cybersecurity is the responsibility of every provider and employee in any organization. The N.C. Department of Information Technology’s Enterprise Security and Risk Management Office offers a few best practices to ensure your security.

 

Watch Out for Phishing

Phishing is when a cybercriminal poses as a legitimate party to get people to engage with malicious content or links in an email. It is one of the most popular tactics among cybercriminals today with 80 percent of cybersecurity incidents stemming from a phishing attempt.

Keep an eye out for typos, poor graphics and other suspicious characteristics that can indicate a phishing email. Hover over links to see the URL (a website address beginning with “http” or “https”) to see if it matches the website it says you are going to.

You can see if a North Carolina state government website, such as the NC HIEA’s site, is legitimate by looking for the “s” after “http” in the website address and “nc.gov” as the domain. An email from the NC HIEA will also have the nc.gov extension.

If you think you have spotted a phishing attempt, be sure to report the incident to your internal IT team or service provider so that they can remediate the situation and prevent others from possibly becoming victims. Read more about a recent phishing attempt identified as appearing to come from NC Medicaid.

 

Keep Secure Passwords and Update Them Regularly

Having unique, long and complex passwords is one of the best ways to immediately boost your cybersecurity, yet only 43 percent of the public says that they “always” or “very often” use strong passwords.

Password cracking is one of the go-to tactics that cybercriminals use to access sensitive information. If you are a “password repeater,” once a cybercriminal has hacked one of your accounts, they can easily do the same across all of them.

Your IT team or service provider may have a recommended time period for when you should change your password. When it is time to change your password, make sure to not recycle old passwords or use similar passwords, such as changing “MyPassword1” to “MyPassword2.”

If you need to update your password to the NC HealthConnex Clinical Portal, you can contact the SAS Help Desk at HIESupport@sas.com, call 919-531-2700 or follow this password reset link.

 

Enable Multifactor Authentication

Multifactor authentication (MFA) prompts a user to input a second set of verifying information such as a secure code sent to a mobile device or to sign-in via an authenticator app. In some cases a biomarker, such as your face or fingerprint, is used as a second verification. According to Microsoft, MFA is 99.9 percent effective in preventing breaches.

Your EHR may have MFA set up before you log in. If you have access to any systems using NCID, a code is sent to your phone to allow you to finish the login process.

 

Activate Automatic Updates

Make sure devices (laptops, tablets and mobile phones) are always up to date with the most recent versions of software, which often includes bug fixes and addresses vulnerabilities. Enable these updates to install automatically whenever possible.

For more information, tips and guidance on staying safe online, visit CyberSecureNC.

To learn more about cybersecurity in the health care industry, please see the Cybersecurity Act of 2015, Section 405(d) and Health Industry Cybersecurity Practices.

You can also join us on July 17, 2024, for a special Teletown Hall on privacy and security featuring a representative of the NCDIT’s Office of Privacy and Data Protection.

 

Patient Safety Ongoing Priority for NC HIEA and Other Health Information Exchange Organizations

Cybersecurity plays a huge part in keeping patients safe from a medical standpoint as well as a financial one. As we saw in the Change Healthcare breach, the shutdown caused some patients to have delayed treatment and lack of access to critical medications.

The NC HIEA treats protected health information with the utmost care, meeting the standards set by state and federal laws. In addition to protecting and securing this data, we are working with our participating providers to ensure the data itself is high quality. The interoperability of health data among providers is also critical for delivering better health outcomes across the care continuum.

While connecting to NC HealthConnex is mandated by the state, access to this data is only possible with a Full Participation Agreement and credentials to the NC HealthConnex Clinical Portal, single sign-on or a bidirectional integration with your EHR.

According to a new study by Epic Research, access to health data from outside facilities, such as that found in a health information exchange, is associated with a reduced risk of code blue events in the emergency department. Having access to patient records from outside providers was associated with a 34 to 63 percent reduction in a code blue event, depending on the age of the patient. This includes a 51 percent reduction for patients older than 65.

One study found that HIEs also help care coordination with home discharge by reducing information discontinuity in fragmented readmissions, which happen when a patient is readmitted to a different hospital than they were previously discharged from. With a shared HIE, beneficiaries had a 9 to 15 percent higher chance of discharge home with home health than when HIE data was unavailable. Beneficiaries with Alzheimer disease even had a 23 percent reduced chance of dying during readmission compared with fragmented readmission to hospitals without a shared HIE.

A 2021 study found that the lack of interoperability among EHRs led to increased clinician workload, duplication of testing and greater health care costs. Insufficient transfer of information or incorrect information can lead to safety incidents, such as adverse drug events.

Researchers evaluating an HIE in Kansas found that 79 percent of patients received care at more than one health care facility. After integrating HIE data with those facilities’ EHRs, they found that 15 percent of nearly 13,000 quality measure calculations changed. This more complete and accurate view of patients can improve quality reporting and patient safety.

A lack of information on patients transferring to a new facility can even lead to patients not receiving instructions on care when they return home. Doctors can easily know when to follow-up with patients who had treatment at an outside facility by receiving Admission, Discharge and Transfer (ADT) alerts NC*Notify, the event notification service of NC HealthConnex.

For information on how to acquire or utilize NC HealthConnex services such as the Clinical Portal or NC*Notify, visit our website, email us at hiea@nc.gov or call our outreach team at 919-754-6912.

 

Local MCO Wins Healthcare Innovation Award, Credits NC HealthConnex as Contributing to Success

Cary Medical Management, a Managed Care Organization out of Cary, NC, has been named the first-place winner of the annual Innovator Awards Program by the editors of Healthcare Innovation. The group has been featured in our newsletter in the past for its innovative and highly successful use of the electronic health information within NC HealthConnex to improve workflows, improve patient care and increase reimbursements.

Dr. Siu Tong, the CEO of CMM, credits the data found in NC HealthConnex with helping them have a more complete picture of their patients, create more accurate risk scores and achieve timelier follow-up with patients after a hospital admission or discharge event.

“I tested it with 975 patients, and 68 percent of patients ended up with a higher score, based on our using [NC HealthConnex] information, than without,” said Dr. Tong. “We did not know how sick the patients were. Often, we [would] have not known all the drugs and drug interactions and disease interactions.”

Clifford Tse, CMM’s vice president of business development, also credits the event notification service NC*Notify with helping them achieve this award. “We get direct data feeds from the HIE, with notifications to the providers, and we’re able to schedule patients in very soon after their hospital discharges, with care managers from CMM reaching out to just-discharged patients based on ADT alerts from [NC HealthConnex].

Christie Burris, former executive director of the NC HIEA and current State Chief Data Officer, credits the richness and breadth of the data in NC HealthConnex with helping CMM with their successful patient care.

“North Carolina has about 14 million unique patient records in a centralized repository, and continues to grow,” said Burris. “The NC*Notify ADT notifications is one of our foundational services. CMM has providers who are credentialed to the portal and can query and exchange but are also receiving NC*Notify alerts. Over time, our data repository has continued to grow.”

 

Employee Spotlight

Brittani Adams

Provider Relations Specialist

Brittani has worked with the NC HIEA since 2018, providing support and assistance to health care providers and organizations onboarding to NC HealthConnex. She is responsible for processing provider agreements, resolving issues, record keeping and reporting. She also is entrusted to process all patient opt-out requests.

Brittani frequently communicates directly with providers, answering questions and keeping providers informed of upcoming quarterly user audits and the need to update the Direct Secure Messaging Provider Directory.

Brittani has a passion for delivering exceptional customer service and strives to maintain positive relationships with participants throughout onboarding to deliver the mission and vision of the NC HIEA.

 

Connex Kudos

"Before, nearly 40 percent of discharges were not readily available for our care coordinator. NC*Notify reduces cost and human suffering." – Primary Care Practice