Data security Archives - Healthcode
https://www.healthcode.co.uk/tag/data-security/
The future of technology for the private healthcare sector
Wed, 25 Sep 2024 14:53:29 +0000

Why we’re going further to protect your practice and patient data from cybercrime with 2FA
https://www.healthcode.co.uk/protect-your-data-from-cybercrime-with-2fa/
Tue, 24 Sep 2024 14:36:35 +0000

From September 2024 we’re leading the way by making the use of 2FA mandatory to access your Healthcode Account for any of our products and services.

This year has already been one of the worst ever for cyberattacks against healthcare systems and the threat is growing around the world.

  • The UK, June 2024: a Russian gang (Qilin) attacked pathology service provider Synnovis, causing serious disruption to NHS care in London and the South East, including the cancellation of thousands of appointments and elective procedures. The situation was made even worse by the publication of sensitive patient data on the dark web
  • The USA, February 2024: a major ransomware attack on the medical invoicing and payment company, Change Healthcare, led to severe cashflow problems for practices and delays for patients who needed medication or essential care. It also had severe financial consequences for Change Healthcare: the company later admitted it had paid a ransom of $22 million for stolen medical and financial data, while parent, UnitedHealth, said it expected the attack to cost “between $1.35 billion and $1.6 billion this year”
  • France, January 2024: in the space of five days, around 33 million people – nearly half the population – were affected by cyberattacks on healthcare payment providers, Viamedis and Almerys. It’s thought to be the largest ever cybersecurity breach in France

According to the Lancet medical journal, there’s been an “alarmingly rising trend of cyberattacks targeting healthcare”. This can be explained by several factors, including the amount of sensitive personal data held and shared by organisations as well as reliance on “outdated technologies and software”.

The UK Government announced a Cyber Security and Resilience Bill in the King’s Speech, but cases like these show that we all need to be proactive in combatting cybercrime. The consequences of not doing so are extremely serious in terms of patient care, as well as the reputational and financial impact.

In August, for example, the Information Commissioner’s Office (ICO) provisionally decided to fine the Advanced Computer Software Group £6 million. This is because initial findings showed “serious failings” in the company’s information security prior to a ransomware attack in 2022 that disrupted NHS services. The ICO said it expected “all organisations to take fundamental steps to secure their systems, such as regularly checking for vulnerabilities, implementing multi-factor authentication [also known as two-factor authentication or 2FA] and keeping systems up to date with the latest security patches.”

The CEO of UnitedHealth was also criticised at a Senate Finance Committee hearing after admitting that Change Healthcare systems were compromised by a server that didn’t have 2FA in place.

At Healthcode, we’ve already introduced 2FA as an option for customers, and we’re pleased that a growing number of you are already using this additional security check to access your account (a code generated on an authenticator app or sent by text).

However, cybercriminals don’t stand still and neither should we. That’s why, from September, we’re leading the way by making the use of 2FA mandatory to access your Healthcode Account for any of our products and services. You can find everything you need to set up 2FA here and then be reassured that your account is protected. It’ll also help you demonstrate compliance with IT security best practice during audits and when applying for accreditation, such as the Government-backed Cyber Essentials scheme.

Most of us are already using 2FA in our daily lives (it’s now required for NHSmail user accounts) and it’s an essential safeguard for private healthcare organisations too. We’re proud to have set the industry standards for IT security and resilience and mandating 2FA is another way we can all stay one step ahead.

We have your back in the cyber arms race
https://www.healthcode.co.uk/we-have-your-back-in-the-cyber-arms-race/
Mon, 15 May 2023 14:22:58 +0000

An expanding market in “commercial hacking tools and services” poses an online threat to individuals and companies, as well as at a national level, according to a new assessment by the National Cyber Security Centre (NCSC) released at CYBERUK 2023.

The NCSC warned that the development of cybercrime marketplaces “lowers the barrier to entry” for criminals who might not otherwise have the technical skills to get involved in this kind of activity. It gave the example of malware-as-a-service which can be bought as a package, “eliminating the need to create and develop the software as well as reducing the knowledge threshold required to operate the malware”.

Whatever the size of your practice or clinic, it’s essential that you take the risk of cyber-attacks seriously. After all, the personal data you hold is highly sensitive which means the ICO expects you to think carefully about your IT security or risk reputational damage and an eye-watering fine.

Measures like installing security software, keeping software up to date with the latest security patches, maintaining IT security policies, encrypting data and staff training will help ensure your systems are secure but what about the companies that process your data? As a data controller, you’re responsible for ensuring that third-party providers’ IT security meets best practice standards.   

We already go to great lengths to protect customers’ data so it doesn’t fall into the wrong hands:

  • Full end-to-end encryption on all our systems
  • Resilient enterprise quality system infrastructure designed to minimise any impact from system failures
  • Security by design – we’ve embedded security and data protection into our system and product development process 
  • Access to services controlled with an industry-standard authentication and authorisation solution
  • Compliance with recognised IT security compliance frameworks – we’ve had ISO 27001 certification since 2009 and we’re signed up to the government-backed Cyber Essentials scheme too 
  • Resilience testing to identify potential security weaknesses and ensure that our platforms are secure, resilient and up to date
  • A staff training programme covering information security and data protection, as well as phishing email tests to check awareness
  • Data stored on a secure UK-based computing platform with a daily back-up copy as part of our disaster recovery process
  • Products and services that help healthcare organisations share information securely, from the Clearing Service to Secure Messaging and file sharing

No one can be complacent about data security – the NCSC warning shows that new threats are emerging all the time – but you can be confident that we’ll always keep pace with the latest tactics of cyber criminals and be ready to repel them on your behalf.

Discover More

We’ve set out our commitment to data security and our Privacy Policy on the website but if you’ve any questions please contact our Customer Services team.

Act to shield personal data
https://www.healthcode.co.uk/act-to-shield-personal-data/
Wed, 20 Oct 2021 02:42:00 +0000

The pandemic has created the ideal conditions for cyber criminals who are taking advantage of changing habits to steal people’s personal information and their money.

There were an estimated 1.7 million computer misuse offences in the year ending March 2021 according to the Office for National Statistics, up by 85% from the year ending March 2019. Cases of unauthorised access to personal information, which included large-scale data breaches, rose by 162%.

This should concern healthcare providers because the amount of personal data they hold makes them a tempting target. A recent cyber security breaches survey by the Government showed that 58% of private businesses hold personal data about customers but this rises to 80% in the health, social work and social care sector and 82% in the finance and insurance sector. Healthcare organisations consistently report the highest number of data breaches to the Information Commissioner’s Office (ICO). The latest statistics from the ICO for 1 July – 30 September 2021 show there were 435 data security incidents in the healthcare sector, compared with 313 for education and 259 for finance, insurance and credit.

Data security oversights can be extremely costly. In addition to the potential disruption and embarrassment, the ICO could also impose a financial penalty if it finds that you had not done enough to protect users’ sensitive personal data.

However, you can boost your defences by following these steps:

  • Invest in security software to protect practice systems from malware such as viruses and ransomware. The software should be set to automatically scan files and webpages and whole system scans should be carried out frequently.
  • Don’t use old operating systems, software, internet browsers and apps which are no longer supported by the provider as they will be inherently less secure.
  • Maintain a Data Protection Policy to ensure your practice complies with data protection law. This is a set of principles, rules and guidelines which ensures everyone understands their data protection responsibilities.
  • Have a practice IT security policy covering aspects of security such as internet and email use, passwords and the safe use of mobile devices (encryption).
  • Provide regular training in cyber security for staff and make them aware of the latest threats, e.g. suspicious emails. Non-compliance with the policy should be a disciplinary matter.
  • Ensure each person has their own username and password that controls their level of access. Passwords should be changed regularly and never shared.
  • Encrypt the sensitive information you send or share and don’t use standard unencrypted email to communicate confidential information as it is inherently insecure.
  • Keep track of how data is processed and stored so you are more likely to identify a breach quickly and can take prompt action.
  • Ensure all access is logged for security and audit purposes and that staff have a valid reason to access personal and patient data as part of their work.
  • Back up your systems so that you can restore your data and get back up and running quickly, e.g. in the event of a cyber-attack.
  • Report personal data breaches to the ICO within 72 hours of becoming aware of them, unless you can show that the breach is unlikely to pose a risk to individuals’ rights and freedoms (for healthcare organisations, reporting is advisable). Serious cyber-security incidents can be reported to the National Cyber Security Centre (NCSC) which also has advice on how to manage incidents.
  • Talk to an IT security professional about your IT security measures. The NCSC has guidance and resources for small businesses or you could sign up to the Government’s Cyber Essentials scheme which should help you guard against cyber-attacks. You can find best practice information for healthcare organisations on the ICO website and NHS Digital (important if you have access to NHS patient data and systems).
  • Ask service providers about the measures they have in place to protect your data. You might comply with data protection law but do they?

How do we protect your data?

As a provider of online services for more than 20 years, we process vast amounts of sensitive health and financial data on your behalf. Here are some of the measures we take to ensure our systems and procedures are watertight and present the maximum deterrent for cyber criminals:

  • Encryption – our systems have full end-to-end encryption.
  • Enterprise quality – our system infrastructure is designed to minimise any impact from system failures and is stored on our UK-based computing platform.
  • Data protection by design – we’ve embedded ICO principles into all our system and product development projects, from ePractice and The PPR to online appointment booking. Access to services is controlled with an industry-standard authentication-authorisation solution.
  • Commitment to IT security standards – our internal policies, procedures and controls comply with ISO/IEC 27001:2013 (we first achieved the relevant ISO/IEC accreditation in 2009). We’re also certified under the Cyber Essentials scheme after demonstrating best practice across all aspects of cyber security including configuring systems to minimise vulnerability to cyber attack.
  • Resilience testing – we regularly audit our security measures to identify potential weaknesses and ensure that our platforms are secure, resilient and up to date.
  • Disaster recovery – we take a daily back-up copy of data which is securely stored on our UK-based computing platform.
  • Products and services – we provide encrypted services to help healthcare organisations share information securely, from the Clearing Service to Secure Messaging and file sharing.

Automate Your Routine
https://www.healthcode.co.uk/automate-your-routine/
Wed, 22 Sep 2021 09:24:00 +0000

Major insurers prefer the efficiency and security of electronic billing to paper invoices and many recommend Healthcode’s Clearing Service as the easiest way to make the switch.

Of course, electronic invoicing has additional benefits for practices too, such as knowing that your invoice has been successfully submitted online to the correct department and is likely to be processed and paid more quickly than an invoice sent by post. 

But why stop there? Submitting electronic invoices is just one aspect of financial and patient management that can be automated. By opting for one of Healthcode’s subscribed plans – ePractice Lite and Pro – you can save time and reduce costs on a variety of routine tasks.

Here are a few other examples of how technology can boost admin efficiency.

Verify patients’ insurance policy details

Rather than calling around to check someone’s policy number and address, you can use Membership Enquiry to look up their details online against the insurer’s database and confirm that they are a member of a valid scheme.

Take advantage of invoice short-cuts

If you treat patients in a hospital setting, it’s likely you will be able to search for them on the system and generate an invoice pre-populated with the correct patient and episode details. All you need to do is add your own fee. Invoice auto-population is possible thanks to Healthcode’s secure integration and relationships with insurers and hospitals.

Allocate payments received

Payments from an insurer can be assigned to the correct invoice in a few clicks using payment tracking or bulk payments when the amount received covers several invoices. If there is a shortfall, the system prompts you to re-allocate the debt and create a shortfall letter which automatically shows the invoice details and outstanding balance.

Obtain up-to-date financial information

When it comes to practice finances, uncertainty can be damaging. By contrast, easy access to accurate information puts you in control. It’s even better if you can choose from a range of reporting options, including chargeable activity, invoices, payments and outstanding debtors.


Want to know more?

To find out how our ePractice Lite and Pro plans can help automate your day to day invoicing tasks contact our Business Development team.

If you’re already using ePractice see what potential you can unlock by signing up for our free ePractice tutorials with our Healthcode Academy. They’ll guide you using your own data to make the training as relevant as possible.

Healthcode’s 9-Steps To a Practice Management Solution – Part 2
https://www.healthcode.co.uk/healthcodes-9-steps-to-a-practice-management-solution-part-2/
Fri, 23 Jul 2021 10:37:00 +0000

Steps 4 – 6: Review the options


In Part 1 of this series, we explained why a specialist practice management solution will enable you to run all aspects of your practice from one place and how to get started.

The next step is to look at what’s out there and how it meets your needs and budget. When it comes to researching software vendors the internet is a good place to start but do ask colleagues for recommendations too.

Step 4: Check system functionality

A practice management system should enable you to efficiently carry out the routine admin tasks within your independent practice, including:

Patient management

  • Register patients and confirm their insurance status and demographic information
  • Secure patient database
  • Flag patients and produce personal letters
  • Patient notes and alerts

Diary management

  • Fix and rearrange appointments
  • Manage schedules for clinics, theatre, etc
  • Set-up recurring sessions

Billing and payments

  • Submit validated electronic bills to insurers and produce paper bills
  • View outstanding invoices
  • Reconcile bulk payments from insurers
  • Manage shortfalls and reallocate outstanding amounts

Document management

  • Produce appointment reminders
  • Automatically generate shortfall letters
  • Batch print letters

Reporting

  • Create comprehensive financial reports such as outstanding invoices by payor, payment summaries and activity summaries
  • Export reports to other software e.g. Excel to further analyse and remove any patient identifiable data so they can be shared

Step 5: How secure is the system?

Failure to take reasonable steps to protect patient data could leave you vulnerable to cyber criminals, cause serious reputational damage and incur a hefty financial penalty from the Information Commissioner’s Office. Password protection and data encryption should be a minimum requirement for any secure practice management solution. Healthcode’s security page will give you further details.

If you rely on any third party supplier to process or store data on your behalf, do make sure they have appropriate information security safeguards in place. Ask about the arrangements for storing data – will it be held in a cloud or a private dedicated infrastructure and if so, where? Does it comply with UK GDPR Regulations?

Step 6: What support can you expect?

The provider must be able to offer the right level of support through installation and beyond. Ask yourself:

  • Will they offer initial training?
  • Do they provide ongoing technical support, including site visits if required?
  • If the system crashes, how quickly can they guarantee a response?
  • Is data back-up and recovery included and if so, what assurance is there that data will be stored securely?
  • How will system updates be managed and will additional support be provided?

Want to know more?

If you want to see what ePractice, our practice management software, can offer you, why not book a demo with our Business Development team?
