The Freedom Trailblazer
e-Newsletter

Who Can Remember $877yaijfn&3yf?

By Tom Powers
StrataDefense

It’s time to discuss everyone’s favorite topic: passwords. Not only do we need to discuss passwords, we should also cover password policies while we are at it. As a service provider we are often asked questions like “What makes a good password policy?” Considering that a password policy can make or break both your account and your organization, it is imperative to address this from the standpoint of true security. As we progress through this article, we will lay out what an attacker will attempt and how implementing a strong password policy will slow down their attempts to penetrate the network or stop them altogether.

First and foremost, password length. Conventional password rules recommend that we use an 8-character (or shorter) password. If you are operating under these recommendations, you’re already at risk. Tools that are widely available for download on the internet, such as Hashcat, can break an 8-character password in less than 60 seconds. The use of short, easily guessable passwords enables a common attack in which an attacker tries to guess passwords against your Outlook Web Access using known patterns. For example, as we enter the days of summer many users gear their passwords towards the season. Attackers are wise to this and have been observed using passwords like:

  • Summer2018!
  • Brewers2018!

What is a Good Password Length?
Typically, it is recommended that password policies require at least 14 characters, since such a password can take thousands of years to crack, but who can remember $877yaijfn&3yf? Simply put: nobody.

We recommend the use of passphrases for your logons. Pick a topic, like movie quotes, and use your favorite movie lines. For example, a good password is: !No Luke I Am Your Father!  That’s a 26-character password that is secure and easy to remember. Users can draw on everything from comic book heroes and motorcycle facts to pop culture quotes. The subject of the passphrase does not really matter; what matters is that passphrases make long password combinations easier to remember and easier to type. Not to mention, if you use your favorite movie quotes, changing passwords becomes easier too, since you have a ready supply of new lines to draw from.
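As an added illustration (not code from the article or from StrataDefense), here is a small Python checker that applies the policy described above: it rejects passwords shorter than 14 characters, rejects the predictable word-plus-year shape of Summer2018! even when padded out to 14 characters, and estimates worst-case brute-force time from the keyspace. The guessable word list and the guess rate of 1e12 per second are constructed assumptions, not figures from the article.

```python
import re

# Policy from the article: require at least 14 characters and prefer passphrases.
MIN_LENGTH = 14

# Constructed word list: seasons, a local team and stock words that attackers
# pair with a year and a trailing symbol (the article's Summer2018! / Brewers2018!).
GUESSABLE_WORDS = {"spring", "summer", "fall", "autumn", "winter",
                   "brewers", "packers", "password", "welcome"}

# Assumed guess rate for a multi-GPU rig against a fast unsalted hash.
# Illustrative assumption only; the article gives no rate.
GUESSES_PER_SECOND = 1e12
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def is_seasonal_pattern(password):
    """True for Word + year + optional symbols, e.g. Summer2018! or Brewers18."""
    m = re.fullmatch(r"([A-Za-z]+)(\d{4}|\d{2})([^A-Za-z0-9]*)", password)
    return bool(m) and m.group(1).lower() in GUESSABLE_WORDS


def charset_size(password):
    """Size of the smallest standard character set that covers the password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII symbols, including space
    return size


def brute_force_years(password, guesses_per_second=GUESSES_PER_SECOND):
    """Worst-case years to exhaust the keyspace of passwords with this shape."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def check_policy(password):
    """Return (accepted, reason) for a candidate password under the article's policy."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    # Length alone is not enough: a word+year password padded with symbols is
    # still in every attacker's guess list, so reject the shape outright.
    if is_seasonal_pattern(password):
        return False, "predictable word+year pattern"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["Summer2018!", "Summer2018!!!!", "$877yaijfn&3yf",
               "!No Luke I Am Your Father!"]:
        ok, why = check_policy(pw)
        verdict = "accepted" if ok else "rejected: " + why
        print(f"{pw!r:30} len={len(pw):2} "
              f"brute-force~{brute_force_years(pw):.3g} yr  {verdict}")
```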

Now that we have addressed password length, the next question is always how frequently passwords should change. Recent changes in NIST’s stance on this topic have definitely muddied the waters. NIST has shifted to recommending that users should not have to regularly change their password if they are using passphrases; however, if an attacker has gained access to your system it is fairly easy to get those aged credentials to work. This is why we encourage our customers to continue to regularly change their passwords on a 60- to 90-day interval.

Managing Passwords

For users, and especially network administrators, managing the ever-increasing list of credentials is a daunting task. For most users, a list managed in a notebook and stored “securely” in the desk drawer is their way of tackling this nuisance. Sadly, this is a better option than the cubicle wall covered in Post-It notes or the unprotected Excel workbook. We recommend the use of a secure password vault to store your sensitive credentials and associated challenge question answers. If your organization already has a password vault that you could use, start using it immediately: the spreadsheet called Passwords.xlsx is an easy target for an attacker to steal, and any password protection a user may have put on it is even easier to break.

A good option for a password vault is an application called KeePass. It encrypts all of your passwords in a single file that can be backed up to a network share for recovery in the event of a hard drive failure, and the same file can be synced to Google Drive for access on a mobile phone when away from the office. There are many other products in the password vault space; KeePass is just one that our office implements because of its ease of use and price point (hint: it’s free).

The use of a password vault can help keep users from reusing passwords. Most password vaults have a way to suggest passwords and can even alter their requirements for the suggested passwords based on user requirements. Continual education on the risks associated with password reuse can also help stop the all-too-common “one password for everything” mentality.

To ensure that your employees are adopting the use of password vaults, like KeePass, one thing that we have done in the past is enlist the cleaning service to help search for lingering Post-It notes by offering them $5 for every password they find. One time we used this approach, the cleaning staff found 240 passwords, which cost around $1,200.

Attention: Network Admins

For years we have been told that you must have two accounts: one for everyday use, and one for domain admin use. Those days are officially gone. With attack tools, like Mimikatz, an attacker has the ability to steal administrative credentials from a compromised machine’s memory that were last used up to 8 hours ago.

In order to limit the attack surface, administrators should be shifting towards a tiered administrative account structure that creates secure perimeters around groups of workstations and servers. The first phase is creating an administrative account explicitly for workstations that has no rights to log onto servers at all. From there you will want to group servers by functional role (domain controllers, mail servers, file servers, SQL servers, etc.); feel free to be as detailed as necessary when creating these groups. As you create these functional groups, you will then create a separate set of administrative credentials for each of them. Finally, you will restrict your domain administrator to only be able to log on to your domain controllers. Going forward, each administrator will have a regular set of credentials and then a series of administrative credentials that are only to be used for their specifically targeted machines. Once fully implemented, you will have effectively removed an attacker’s ability to escalate to admin-level privileges.
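As an added example (not code from the article or from StrataDefense), the tier model described above expressed as data, with a check that scans constructed 4624-style logon lines for admin accounts used outside their tier and derives the deny-logon list for each role group. Host names, account names and the simplified log format are all made up; the logon-type classification follows the Windows convention that interactive-style logons leave reusable credentials in memory while network (type 3) logons do not.

```python
import re

# Constructed inventory: hosts grouped by functional role, as the article recommends.
HOST_ROLE = {
    "WKS-101": "workstation",
    "WKS-102": "workstation",
    "FS01": "file server",
    "MAIL01": "mail server",
    "DC01": "domain controller",
}

# Constructed tiered credentials for one admin: each account is scoped to one role
# group, and the domain-admin account is confined to domain controllers.
ADMIN_SCOPE = {
    "jdoe-wks": {"workstation"},
    "jdoe-file": {"file server"},
    "jdoe-mail": {"mail server"},
    "jdoe-da": {"domain controller"},
}

# Logon types whose credentials are held in LSASS memory and are therefore the
# ones a tool like Mimikatz can recover: 2 interactive, 4 batch, 5 service,
# 10 remote interactive, 11 cached interactive. Type 3 (network) is excluded.
CACHING_LOGON_TYPES = {"2", "4", "5", "10", "11"}

# Constructed sample lines in a simplified 4624/4625-style format (not real output).
SAMPLE_EVENTS = """\
EventID=4624 Account=jdoe Host=WKS-101 LogonType=2
EventID=4624 Account=jdoe-wks Host=WKS-102 LogonType=10
EventID=4624 Account=jdoe-da Host=DC01 LogonType=10
EventID=4624 Account=jdoe-da Host=WKS-101 LogonType=10
EventID=4624 Account=jdoe-file Host=MAIL01 LogonType=3
EventID=4625 Account=jdoe-mail Host=MAIL01 LogonType=10
"""

EVENT_RE = re.compile(r"EventID=(\d+) Account=(\S+) Host=(\S+) LogonType=(\d+)")


def parse_events(text):
    """Yield one dict per well-formed event line; malformed lines are skipped."""
    for line in text.splitlines():
        m = EVENT_RE.fullmatch(line.strip())
        if m:
            yield {"id": m.group(1), "account": m.group(2),
                   "host": m.group(3), "type": m.group(4)}


def find_tier_violations(text):
    """Return (account, host, role, severity) for successful admin logons outside tier.

    A caching logon of a higher-tier account on a lower-tier host is rated high,
    because its credentials are now recoverable from that host's memory.
    """
    findings = []
    for ev in parse_events(text):
        if ev["id"] != "4624" or ev["account"] not in ADMIN_SCOPE:
            continue  # only successful logons by tiered admin accounts matter here
        role = HOST_ROLE.get(ev["host"], "unknown")
        if role in ADMIN_SCOPE[ev["account"]]:
            continue
        severity = "high" if ev["type"] in CACHING_LOGON_TYPES else "medium"
        findings.append((ev["account"], ev["host"], role, severity))
    return findings


def deny_list(role):
    """Admin accounts to place in the deny-logon user right on hosts of this role."""
    return sorted(acct for acct, scope in ADMIN_SCOPE.items() if role not in scope)


if __name__ == "__main__":
    for finding in find_tier_violations(SAMPLE_EVENTS):
        print("tier violation:", finding)
    for role in sorted(set(HOST_ROLE.values())):
        print(f"deny logon on {role!r}: {deny_list(role)}")
```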

Passwords are the key to keeping both your users and the network safe from unauthorized access. By following these simple, easy-to-follow recommendations you can greatly reduce your risk of compromise with minimal effort from the users and the network administrators.


About the Author

Tom Powers currently serves as President & CEO of StrataDefense, a cybersecurity firm headquartered in Wausau, WI focused solely on securing financial networks. With more than 24 years in the technology arena, 20+ years in the financial and healthcare industries, and several technology industry certifications, Tom has developed a passion for developing solutions to protect the critical networks that StrataDefense serves. He has a passion for securing his client networks, driving penetration testers insane, pina coladas, and getting caught in the rain.
 
•    Infragard, Member (2014 – Present)
•    Offensive Security Certified Professional (in process)
•    Certified Ethical Hacker
•    Microsoft Certified Trainer
•    Microsoft Certified Professional
•    Microsoft Certified Systems Engineer
•    Cisco Certified Networking Associate


The Healthcare Industry is in Desperate Need of Healing

By Halee Fischer-Wright, MD
Medical Group Management Association (MGMA)

Nearly every industry in the United States has become part of the on-demand economy, where consumers can get what they want, when they want it, and sometimes before they even realize they want it. Media, banking, grocery shopping—just about everyone has had to adapt to the Amazon effect.

Healthcare is slowly being pulled into this vortex of convenience and effectiveness. Within the last year, 71 percent of all medical practices have reported making changes to reduce patient wait times, according to a poll the Medical Group Management Association did last year. That is a good thing.

But it is not nearly enough. We are not close to getting the outcomes we say we want: better care and more satisfied patients at lower costs.

I know healthcare is a notoriously complex system with costs nearing 20 percent of our total GDP. Somehow, some way, healthcare needs to get a lot more efficient, and that means reimbursement will be tied to delivery of actual outcomes.

The frontline players—patients and physicians—will have to be bigger drivers of the change we need. Patients are going to have to demand more and doctors are going to have to deliver more on outcomes and accept that part of their compensation is going to be tied to that.

In fact, I would suggest that physicians build their data analysis and communication skills to articulate what measures and metrics actually do promote better health and better outcomes, long before those benchmarks are set for us. After all, big tech, payers, and investors are perhaps more incentivized than we are to manage costs. Healthcare is a big, juicy market to “disrupt.”

Here’s what the industry needs to keep in mind through this transition:

Focus on outcomes


In the search for quality, are physicians asking the right questions? We stuff our EHRs with data, but is it the right information and is it being used to the greatest effect? Data does not inevitably create discernment.

We need to reverse engineer the process. Let’s start with the desired end result and work backward from there to build processes and compensation models that reinforce the desired outcome, rather than what we’re doing now. My fear is that we’re waiting for someone else to do it for us. Or, perhaps more accurately, to us.

According to a 2016 MGMA poll, “Only 26 percent of physician compensation plans are tied to quality metrics.” That makes us sitting ducks in the eyes of efficiency players in the technology and logistics world.

Even as there is this disconnect, physicians are asked to manage too many metrics—4,000 data points at our last count, which doctors are forced to enter manually into EHRs after each appointment. Yet, we haven’t stepped back to ask whether or not these metrics are actually helping us to deliver the outcomes we want. I believe doctors want to influence clinical outcomes, but that’s hard to do when spending twice as much time on paperwork than with patients.

When organizations create compensation plans that base 5 percent or 10 percent of physician payments on myriad metrics that might not be ultimately relevant to patient health, the entire process becomes top heavy and difficult to manage. Of course, business people want to build compensation plans around what can be measured, but as physicians, we need to call for a focus on the measures that truly indicate patient health as our true yardstick of success.

There is no single solution

Every insurer, every physician, and every patient has their own idea about what constitutes quality. That’s OK to an extent, as the definition will and should vary. It’s not neat, but we have to accept that this will be the case and move forward from there.

Adding more quality markers won’t help, but that doesn’t necessarily mean removing the ones we don’t agree with will either. We must enable physicians to determine for themselves what quality looks like, stop spending time and money trying to define it with too much granularity, and instead focus on what can be done with the available tools.

To achieve mass customization in healthcare, we must accept fluidity and flexibility. Compensation plans will be a dynamic blend of base pay, production, and then enhanced compensation or a bonus tied to achieving certain patient outcomes that are unique to each organization’s and individual’s need.

And that’s where metrics come in. Once those outcomes are determined, doctors should work within their systems to discern what measurable metrics truly indicate how they are delivering on those outcomes compared with other physicians.

Build a better model

As much as we hear about the move from quality to value in healthcare, we are still a fee-for-service compensation industry (with a few exceptions). There are a lot of different players making a lot of money with the current system, and it’s all based on the same productivity model of compensation. The more patients you see, the more money you make.

It’s the model we have, whatever we might think of it, and it’s not going anywhere anytime soon. But we cannot rest on our fee-for-service laurels. We can begin by using the tools at our disposal to accelerate change.

We know that healthcare can’t be run on algorithms. Health technology is not going to save us, although it can fill in much-needed gaps. The human element is essential to achieving better patient outcomes. We have to think our way out of this, putting the patient at the center of our efforts, not the technology.

When you’re sick and vulnerable, you want the intimacy of human interaction, and that is impossible to reproduce with digital tools. Our compensation models need to reinforce this. Better care with more satisfied patients at lower costs can be achieved if we put patients first and incentivize our doctors—and frankly the rest of the system—to make those outcomes paramount.


About the Author


Halee Fischer-Wright, MD, is a healthcare leader, physician, speaker, author, and president and CEO of MGMA.


Emergency Evacuation

By Brian Courtney, RPLU, AAI
The Safegard Group, Inc.

Originally published on The Safegard Group, Inc. website

Regardless of whether you operate from a high-rise building or an industrial complex, or you rent, own or lease your property, your first priority is to protect the health and safety of everyone in your facility. One common means of protection is through the use of an Emergency Evacuation Plan.

Planning for emergencies is critical in assisting you in assigning responsibilities and procedures when responding to fire, chemical, weather, utility or medical emergencies. A plan will also further assist you in developing preventative actions.

If you already have an evacuation plan, make certain your plan has accommodated any changes. If you don’t have a formal plan, we urge you to develop one. Plans compel you to think through the best course of action in an emergency.

Develop your Emergency Evacuation Plan
Here are some items that should be included when developing your plan:
  • Determine conditions under which an evacuation would be necessary.
  • Establish a clear chain of command.
  • Designate who has the authority to order an evacuation.
  • Designate specific areas where personnel should gather after evacuating. Take a head count.
  • List the names and last known location of personnel not accounted for. Confusion in the assembly areas can lead to unnecessary and dangerous search and rescue operations.
  • Establish procedures for assisting non-English speaking workers and those with disabilities.
  • Post evacuation procedures and clearly identify primary and secondary escape routes.
  • Conduct training. Failing to practice can undermine even the best plans. Practice increases the likelihood of a confident and orderly evacuation. Coordinate plans with your local emergency management office.
The details involved in evacuation planning range from major to minor, but decisions have to be made, written down, presented and practiced regularly.

Employees need to know what to do, and know it so well that they can put the plan into action even when they are rattled. Being prepared for a catastrophe lessens the potential for injury, lost lives and property damage.



About the Author


Brian Courtney joined The Safegard Group, Inc. in April 2005 and serves as a Producer for the company. He is primarily responsible for the direction of client services to the professional services industry.

Brian began his career at the height of the medical malpractice crisis. Working with a large regional insurance broker, Brian served clients in the professional service industries placing various coverages, such as Malpractice Liability, Directors & Officers Liability, and Employment Practices Liability. Prior to joining The Safegard Group, Brian joined a large national insurance brokerage firm where he gained considerable experience in risk management serving the needs of large professional organizations.

Currently, Brian is helping many of his clients with Risk Management initiatives, such as Risk Assessments, Data Breach Incident Response Planning, Contractual Risk Transfer, Insurance Protection, Loss Control, Claims Management and a host of other related services. Brian has conducted seminars on topics, such as Cyber Security, Disaster Recovery Planning, Sexual Harassment, Workplace Violence and Group Captive Insurance.

Next Issue - August 6th

Please submit articles for review by July 16th to info@mmgma.com

For more information on advertising, please email info@mmgma.com




Barriers to Effective Communication

By Mallory Earley, JD
ProAssurance  

To ensure an effective physician-patient relationship and provide quality care, you must be able to communicate with your patients.

Physicians may encounter difficulties in three situations: when a patient is hard of hearing, has limited English proficiency, or is illiterate. Federal law requires physicians to make reasonable accommodations for hard of hearing and Limited English Proficiency (LEP) patients. If proper accommodations are not afforded to these individuals, serious consequences, including medical professional liability lawsuits, can occur. Here are some risk management strategies which can be applied to reduce miscommunication with hard of hearing, LEP, and illiterate patients.  

Hard of Hearing Patients

The Americans with Disabilities Act (ADA) strictly prohibits any discrimination against individuals who are hard of hearing in places of public accommodation. Under Title III of the Act, a physician’s office is defined as a place of public accommodation.1 As such, it is required to make reasonable accommodations for hard of hearing patients. Since the standard is reasonable accommodation, there is not a bright-line rule which states what each practice must do for each patient. Appropriate accommodations will vary based on the circumstances of each patient’s case and his or her needs. For example, one patient may want to write notes to facilitate communication with the provider while another may require a qualified sign-language interpreter for every visit.

Discuss communication preferences with hard of hearing patients in advance. Their options can include: a qualified interpreter on site, note taking, computer-aided transcription services, or devices such as telephone handset amplifiers and Telecommunications Devices for the Deaf (TDDs). If you have a large number of hard of hearing patients it may be effective to hire an interpreter. Then set aside a block of time when the interpreter will be present to accommodate these patients.

Regardless of the method of assistance your patient chooses, ensure the type of aid to facilitate communication is accurate, effectively conveys medical terminology, and maintains the patient’s confidentiality of protected health information. 

Limited English Proficiency (LEP) Patients

Another breakdown in communication can occur with LEP patients. Title VI of the Civil Rights Act prohibits discrimination on the basis of race, color, or national origin. This Act requires physicians to ensure that non-English speaking patients have equal access to healthcare.2 You and your office staff need to take reasonable steps to make sure LEP patients have meaningful access to care.

Once you determine your office’s need for language or interpreting services, choose the services that best meet your patient’s needs and office’s resources. Your practice may also want to include a preferred language section on office intake forms so patients can tell your practice if they require accommodation.

Your options for communicating with LEP patients can include: hiring bilingual staff if English is not the dominant language in your area; using a telephone or video conferencing interpretation service; contracting with companies to provide qualified interpreters who will come to your office; or written translation services.

Some patients ask their family or friends to translate which can be helpful. However, it remains the physician’s responsibility to ensure that the communication is accurate and effective. For example, if minor children translate for a parent, they may lack the knowledge or maturity to effectively convey the medical information. An adult family member or friend may not be comfortable telling the patient certain information or could fail to tell the patient important items. In certain circumstances, referring the patient to a physician better suited to communicate with the LEP patient could be an option. However, this does not need to be the sole method for accommodating LEP patients in your practice. 

As with any patient, the doctor must ensure accurate communication of any medical terminology. When using an interpreter, the physician should stress the importance of confidentiality and document in the medical record the type of interpretive services used.

Minimally Literate Patients

Minimally literate patients may be difficult to identify in your practice.

One article defines health literacy as “the degree to which individuals can obtain, process, and understand the basic health information and services they need to make appropriate health decisions.”3 If patients cannot understand their medical information, they may be unable to follow their treatment plans, take medications as prescribed, or make educated decisions about their care. Some may turn to litigation to resolve their issues.

According to one estimate, nearly half of Americans have some type of limited ability to understand medical terminology and have difficulty understanding and acting on health information. Nearly forty million Americans cannot read complex medical texts, and ninety million have difficulty understanding them.4 With training, your front office staff may be able to help identify and assist minimally literate patients at check-in. Patients who avoid filling out new patient information, miss appointments, or mishandle medications may have literacy challenges. They also may bring a family member along to read their paperwork, or say they have poor eyesight and forgot their glasses.

There are a few risk management tips when caring for minimally literate patients. Physicians and medical staff should avoid using complex medical terms. Instead of assuming a patient understands what has been said, physicians can ask questions and have the patient explain the instructions or care plan. Physicians can help minimally literate patients by using pictures or illustrations to assist patients in understanding treatment plans. If a patient brings a family member or friend to the appointment, enlist the help of the other person to aid in the patient’s comprehension. As with any patient, ask if he or she has questions at the end of the appointment. A little bit of extra time during the appointment could help prevent follow-up appointments or subsequent treatments and improve the health of the patient. Ensure that your educational materials and forms are easy to read and understand. Use plain language in short sentences and avoid medical jargon. 

Noncompliant Patients

Noncompliant patients also can pose a risk management concern for a physician practice. These patients may miss scheduled appointments, not follow treatment guidelines, or ignore medical recommendations for further testing or scans. Although there can be many reasons for noncompliance, open and honest communication with the patient may help you reach a compromise.

Some patients may not follow through due to financial limitations.5 Others may not understand the importance of compliance in their treatment goals. Regardless of the reasons, physicians and office staff must document any noncompliance in the medical record.  Proper tracking and follow up procedures for missed appointments will indicate a potential problem with a patient that must be addressed. If the patient continues to be noncompliant with appointments or treatment options, the practice may consider dismissing the patient.

Sources:
1    Americans with Disabilities Act of 1990, Pub. L. No. 101-336, 104 Stat. 328 (1990).
2    Civil Rights Act of 1964, Pub. L. 88-352, 78 Stat. 241 (1964).
3    Nielsen-Bohlman et al., Health Literacy: A Prescription to End Confusion, Institute of Medicine (Eds. National Academies Press 2004).
4    Ibid.
5    https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2912714/


About the Author


Mallory B. Earley, JD, is a Senior Risk Resource Advisor for ProAssurance. She researches legal and professional liability issues for insured physicians and other healthcare providers. Mrs. Earley is a licensed attorney who litigated domestic and civil cases in private practice. She obtained her BA in History and Psychology from Samford University and her Juris Doctorate from Cumberland School of Law at Samford University. She is an active member in the Birmingham Bar Association and the Alabama Bar Association.  
email: mearley@proassurance.com


A Good Practice Leader is a Good Listener

By Lisa Grabl
Originally posted on Physicians Practice

Lisa Grabl is president of the locum tenens division of CompHealth, a division of CHG Healthcare.

One of the greatest attributes a leader can have is the ability to listen. Listening to your staff and peers and then taking action on what you hear is often the key to keeping an engaged and happy workforce. I have found in my own work a few things that have made listening easier and providing feedback on that listening more effective.

Be Approachable


The easiest way to receive feedback is being in a position where employees trust you and are willing to share. For most leaders, this may take some work. Many think they are very approachable but spend most of their time locked away in meetings or their office. Don’t expect approachability to mean people will naturally come to you. You need to go to where the people are and strike up conversations.

Let people see you as not just the supervisor or boss, but rather a real person. Setting aside a regular time to get out and just talk with employees is key to building approachability.

Be Transparent

If you are open and honest with your employees, they are more likely to be open and honest with you. Generally, unless there are legal or privacy issues keeping you from sharing something, let employees know what is going on with the practice.

Whether it’s the current state of the business, plans for a future expansion, or new goals, share them. Employees want to feel like they are part of the company so don’t leave them in the dark.

One-On-Ones

Regular one-on-one meetings with employees are a great way to get direct feedback. However, just meeting with an employee doesn’t necessarily mean they will be engaged. Instead of taking charge of the one-on-one, let the employee drive the conversation. These meetings are a great opportunity for employees to lead the discussion and bring up topics they have questions about, are concerned about or are passionate about.

Focus Groups

Focus groups are another way to receive immediate qualitative feedback. Identify a problem in your facility and bring together a small group of employees to find out how they would solve problems and other ideas they have for improving your work.

Employee Surveys

Another good way to get feedback from employees is through surveys. This is especially true for those employees who feel more comfortable submitting their feedback anonymously.

However, the key to a good survey is making it realistic. Don’t ask questions if you have no intention of acting on the feedback you receive. Also, make sure you are ready to report on and share all the results.

Act on Feedback

The key for all of these listening tools is acting on the feedback you receive. Whether in a one-on-one meeting or in a big employee survey, you need to outline how you are going to respond. You also need to share with your employees the things you are doing to address their comments. Whether it’s something as simple as installing a pebble ice machine or something bigger like expanding maternity and paternity leave, let your employees know that you not only listened to their feedback but implemented it as well.

When we were trying to decide the location of our new headquarters, we surveyed our employees to find out where they wanted it located. We then used that feedback to decide on our final location. We used similar means to determine what amenities the building should include and added things like standing desks, a cafeteria, and a health clinic—all due to employee feedback.

Listening and acting on what you hear is key to engaging your employees and knowing what you need to do to keep them happy and productive.



©  2015 - 2018 Massachusetts MGMA, Inc.