The coming year will see increased liability risks related to cybersecurity and cost-cutting measures, analysts say. Risk managers should take a proactive approach to preventing trouble on several fronts.
Hospitals and health systems in 2018 face a mix of risks from familiar issues and threats from new developments in the industry, analysts say. The best response for all risks is to be proactive and get ahead of the risk before it creates trouble in the organization.
Broad changes in the healthcare industry, most notably the push to value-based care, put pressure on hospitals to do more with less, says Tim Feldman, MM, vice president and general manager of healthcare compliance with Wolters Kluwer Legal & Regulatory U.S. in Boston. That creates potential risks.
Healthcare organizations are pushing their clinicians to practice at the highest end of their licensure, and while that can be safe and proper, it carries potential risks that should be monitored.
“Nurse practitioners and physician assistants are doing more and primary care physicians providing assessments and services that they might previously have pushed up to a specialist,” he says. “Everyone is trying to do more as a way to contain costs and use the right setting for care, but that requires controls so that people are operating at the uppermost limits of their licensure and not beyond.”
Limits vary by state, so risk managers must ensure that clinicians are not pushed to operate beyond the scope of practice allowed in their particular states, he says.
Cybersecurity increasingly is important for healthcare organizations, says Darci L. Friedman, JD, CHPC, CSPO, PMC-III, content strategy and author acquisitions manager with Wolters Kluwer Legal & Regulatory. Cyberthreats continue to threaten financial losses, damage to reputation, regulatory penalties, and even malpractice claims, she says.
“The number-one risk in 2018 is cybersecurity. Organizations need to be planning and be proactive. I would even go so far as to say that healthcare organizations should have a separate cybersecurity risk management program, taking all the precautions they can,” she says. “A fundamental part of that program is not planning for an ‘if’ scenario, but planning for ‘when’ you have a cyber breach. That will have you teed up for when it happens, and you can execute your plan.”
A good cybersecurity plan starts with proper budgeting, Friedman says. That is a challenge for many risk managers.
“Often in smaller organizations, cybersecurity is only a collateral piece of an IT professional’s job. It needs to be a much more important part of a hospital or health system’s operations and the budget has to reflect that,” Friedman says. “It starts with the budgeting, because the risk manager can be eager to do all the right, proactive things to protect the institution, but unable to do those things without the necessary funds.”
“Bring your own device,” or BYOD, policies are a growing concern in cybersecurity, Friedman says. Some organizations have permitted or even encouraged staff and physicians to use their own electronic devices at work as a convenience or cost-savings measure, but that creates substantial risk by complicating the security measures that would otherwise be applied to in-house systems, she says.
“If you have BYOD, you need to have policies and procedures in place with appropriate training on how they use their own devices, the rules and limitations, and you need to provide encryption on the device,” she says. “It also would be best to provide an app that allows you to remotely wipe the device if it is lost, but that is going to be a problem for a lot of people with their personal devices. Not having that ability to make the device safe when it is lost or stolen compromises your overall cybersecurity program.”
Patient identity theft is a major concern, and the resulting liability could be shared by the healthcare organization that did not adequately secure the data, Friedman says. Patient data are among the most highly sought items on the black market, with law enforcement reporting that a full set of patient information sells for as much as $300, she notes.
Friedman points out that cyberliability usually is not covered by general liability insurance policies. Risk managers should understand whether their particular policy will cover cyber-related losses and, if not, consider obtaining cyberliability insurance, she says.
Third-party vendor management is another major issue, Feldman says, as more services are outsourced.
“That means you have commingling of IT systems and data, and you have people coming in and out of the hospital every day providing services from contract nursing to food services and cleaning,” he says. “All of that exposes you to more risk in terms of privacy and cybersecurity, risks that you were able to control more tightly when you had a lot of those services in-house.”
Even hospitals and health systems using software and processes to monitor and manage cyber risks should reassess whether they are up to date in 2018, Friedman says.
“Is it something older, or a more modern program? Things change rapidly in this field and something that was cutting-edge a few years ago probably isn’t now,” she says. “We’ve moved away from static, point-in-time data and are now in the era of dynamic, continuous, ongoing analysis.”
These issues are in the news all the time, but healthcare organizations still can be slow to implement the proper safeguards, Feldman says. It can take an incident at their own facilities to wake them up.
“Too often, you have healthcare leaders following the strategy that ignorance is bliss. They say that if they don’t look too hard, then they won’t really know their vulnerabilities and they won’t have to do anything about them,” he says. “They wait until something happens and then they focus on remediation, whereas the much better approach is to focus on prevention. No longer is not knowing an acceptable excuse for failure to act.”
Feldman notes that government regulators do not treat healthcare organizations equally when there is a cyberbreach or other compliance failure. Efforts, or lack of efforts, to avoid that problem can determine how regulators respond, he says.
Document efforts carefully and be prepared to show your work to investigators, he advises. Don’t assume that a cyberbreach or other issue means you failed and your precautions don’t matter.
“If there are auditable logs showing you did your risk assessments, reviewed vendors, did background checks and credit checks, all those things you can and should do but the problem still occurred, they’re not going to come at you the same way they would with someone that didn’t bother,” he says. “The government is not out to get someone who did all they could to avoid an issue. There will be much greater fines and punitive measures for those organizations that did not take a proactive approach.”
Just as risk managers worked to make patient safety a regular topic and high priority at board meetings, they should do the same now with cybersecurity, Feldman says. Risk managers also should look for ways to integrate themselves and their priorities into other hospital departments, Friedman suggests.
“I see a lot of merging of risk management, compliance and regulatory, and internal auditing. They should be working together holistically to address cybersecurity and a lot of other issues like third-party vendors and telehealth, because a lot of these issues span across several departments,” she says. “Risk managers need to think about integrating into existing business processes and not forcing an artificial risk management process onto a department or site. That’s how you’re going to get better adoption.”
The opioid crisis also will bring risks to healthcare organizations in 2018, says John C. Ivins, Jr., JD, partner with the Hirschler Fleischer law firm in Richmond, VA. Many states are revising their prescribing guidelines to make them much stricter, thereby introducing liability risks for healthcare organizations, he says.
“They include things like physical exam information that must be in the chart, to communications you’re supposed to have when prescribing an opioid, and data that must be added to the chart at the point of refill,” he says. “All of these things should prompt risk managers to have policies in place that govern compliance with these requirements, and programs to ensure that these new requirements are understood and acknowledged by any physician on staff or with privileges.”
This may require bylaw changes for medical staff, and the risk manager may have to be the one suggesting those updates, Ivins says.
Medical malpractice case filings will continue to decline or remain at the current low level in 2018, says Bruce Klores, JD, an attorney with the law firm of Stein Mitchell in Washington, DC. Those cases that are filed likely will be meritorious with serious damages, he says, but few will ever get to trial.
Malpractice premiums should decrease based on lower indemnity payments and the bull market, Klores says. (See the stories in this issue for more on malpractice trends.)
“The most common cases will remain against OB/GYNs, primarily because errors in that field result in the greatest damage. However, as the population ages, cases against primary care providers will likely increase for failure to treat serious conditions such as cardiovascular disease earlier — which then result in stroke, disability, or death,” Klores says. “The aging population will also result in more filings in the nursing and rehabilitative facility settings.”
Pharmacy cases, including those where physicians or prescribers are added, will increase for a variety of reasons, he says. In addition to opioid claims, personal or individualized medicine claims will slowly increase predominantly in drug/gene interaction, gene expression profiling, and predisposition genetic testing, he says.
Risk managers should consider the implications of certain National Practitioner Data Bank information becoming public and anticipate how that information may affect claims of negligent granting of privileges, he says.
Evidence-based guidelines also are receiving attention, he notes, which means healthcare providers will be held responsible for adhering to them.
“Risk managers can prepare by understanding the trends facing them. Education, standards, and monitoring opioid prescriptions are essential,” Klores says. “Patient screening, drug choice, and adherence monitoring of opioids will all be under the microscope.”
Financial Disclosure: Author Greg Freeman, Editor Jill Drachenberg, Editor Jonathan Springston, Editorial Group Manager Terrey L. Hatcher, and Nurse Planner Maureen Archambault report no consultant, stockholder, speaker’s bureau, research, or other financial relationships with companies having ties to this field of study. Consulting Editor Arnold Mackles, MD, MBA, LHRM, discloses that he is an author and advisory board member for The Sullivan Group and that he is owner, stockholder, presenter, author, and consultant for Innovative Healthcare Compliance Group.