Monthly Archives: December 2016

Patient misidentification a life-or-death crisis

Larry Ponemon

A serious and life-threatening problem in healthcare organizations is a medical error or adverse event due to the misidentification of patients. In the 2016 National Patient Misidentification Report of nurses, physicians, and IT practitioners, we examine the frequency and root causes of near misses, adverse events and sentinel events due to patient misidentification. We also survey CFOs and others in financial operations to determine the financial consequences of denied claims due to patient misidentification. A total of 460 individuals participated in this research.

How serious is the problem? Eighty-six percent of respondents say they have witnessed or know of a medical error that was the result of patient misidentification. The two primary root causes of patient misidentification are mistakes made when a patient is registered (63 percent of respondents) and the pressure to treat patients quickly (60 percent of respondents).

Difficulty in finding charts or medical records and finding duplicate medical records for a patient contributes to errors — 68 percent of respondents say when caring for a patient they have a hard time finding their chart or medical record almost all the time and 67 percent of respondents say when searching for information about the patient they find duplicate medical records for that patient almost all the time.

In addition to life and death consequences from making mistakes, healthcare organizations are losing money because of denied claims connected with patient misidentification. An analysis of costs associated with the denial of claims due to patient misidentification is provided in Appendix 1 of this report. It shows that the average-sized hospital incurs reworking costs exceeding $71,000 per year. We also estimate a total cost of $1.2 million for rejected claims that resulted from patient misidentification.

Key takeaways from this study include the following.

Most patient misidentification starts at registration. Eighty-four percent of respondents strongly agree or agree that misidentifying a patient can lead to medical errors or adverse events. These include a near miss, sentinel event and even death.

Misidentification starts at the beginning of the patient’s experience. Most misidentification occurs when the patient is being registered for a procedure (63 percent of respondents). Another primary cause for errors is the time pressure nurses, physicians and physician assistants experience when treating patients (60 percent of respondents).

What leads to patient misidentification? According to 64 percent of respondents, a patient is misidentified in the “typical” healthcare facility very frequently or all the time. The following errors are very common in most healthcare facilities.

  • Inability to find a patient’s chart or medical record (68 percent of respondents)
  • A search or query that results in multiple or duplicate medical records for that patient (67 percent of respondents)
  • A wrong record is associated with the wrong patient because of the same name and/or date of birth (56 percent of respondents)
  • The wrong record is pulled up for a patient because another record in the registration system or EMR has the same name and/or date of birth (61 percent of respondents)

Correcting or getting additional patient information contributes to medical errors. Also putting patients at risk is the inability to quickly get information that is missing or incomplete in patient records. According to 37 percent of respondents, up to or more than one hour is spent contacting the medical records or HIM department to get critical information about their patients.

What are the medical consequences of patient misidentification? Patient misidentification can result in errors in medication, blood transfusion and radiation that could have life and death consequences for patients. Ninety percent of respondents say medication errors could be fatal.

Research points to the need to improve the accuracy of patient registration. As part of this research, we surveyed CFOs and individuals involved in the healthcare facility’s revenue cycles. As with clinicians, the most common root cause is incorrect patient identification at registration such as an incorrect armband placement followed by reliance on homegrown or obsolete identification systems.

Denied claims from providing wrong patient information cost healthcare organizations. The patient identification process at registration can be cumbersome and challenging and can result in unintended duplicate medical records and overlays due to typing errors or miscommunication. Such errors can result in denied claims.

Sixty-five percent of respondents involved in the finances of healthcare organizations believe denied claims have a very significant or significant impact on accounts receivable. On average, hospitals have 30 percent of all claims denied and an average of 35 percent of these denied claims are attributed to inaccurate patient identification or inaccurate/incomplete patient information.

The use of biometrics can ensure proper patient identification. Seventy-two percent of respondents believe positively identifying a patient at registration through biometrics could improve cash flow for their hospitals. Positively identifying a patient at registration through biometrics could reduce denied claims (76 percent of respondents) by an average of 25 percent. It could also reduce the average number of days in accounts receivable (104 days) by an average of 22 percent. As a result of reducing denied claims, 80 percent of respondents say their hospital’s cash flow could improve by an average of 25 percent.

Healthcare executives and care providers believe the use of biometrics could reduce the consequences of patient misidentification. A positive (biometric) patient identification could reduce overall medical errors and adverse events, according to 77 percent of respondents. In fact, 50 percent of all deaths could be eliminated with such technology, according to respondents.

 


'Your money or your data!' – Most still have never heard of ransomware; while a majority of victims have paid up, IBM says

Bob Sullivan

There’s fresh evidence out Wednesday to show the ransomware epidemic has staying power. Why? Victims are paying ransoms for their data, that’s why.

Madison County, Indiana made headlines last week because it admitted a recent ransomware attack will cost taxpayers there $220,000 — some to the hackers, most for security upgrades.

But Madison County shouldn’t be singled out. Ransomware nightmares — involving malicious software that encrypts victims’ data and won’t “give it back” unless a fee is paid — are playing out everywhere. The Carroll County, Arkansas, sheriff’s department admitted this week it had paid $2,400 to recover data held captive from its law enforcement management system, which holds reports, bookings and other day-to-day operational data, according to Townhall.com.

The hits keep coming because victims keep paying; and victims keep paying because they seem to have no other choice. Obviously, criminals will keep doing what works.

IBM researchers set out recently to understand the prevalence of ransomware. In a report released Wednesday, IBM’s X-Force said that the volume of spam containing ransomware has skyrocketed.  The FBI claims there were an average of 4,000 attacks per day in the first quarter of 2016.

And yet, IBM found that only 31 percent of consumers had even heard the term “ransomware.” Meanwhile, 75 percent said they “are confident they can protect personal data on a computer they own.”  Meanwhile, 6 out of 10 said they had not taken any action in the past three months to protect themselves from being hacked.

That’s head-in-the-sand stuff, folks. Forward your friends this story now — but don’t include it as an attachment, please.

Meanwhile, companies seem to be more realistic, and more frightened — 56 percent of companies surveyed by the Ponemon Institute said, in a separate study, they are not ready to deal with ransomware. (I have a business partnership with Larry Ponemon at PonemonSullivanReport.com).

All this matters because a majority of consumers and corporations actually say they’d pay to recover data encrypted by a criminal. Some 54 percent said they’d pay up to $100 to get back financial data, and 55 percent said they’d do so to retrieve lost digital photos. Not surprisingly, parents (71 percent) are much more concerned than non-parents (54 percent) about family digital photos being held for ransom or access blocked.

(Back up those family photos, kids!)

Now, for the meat of the report. Many corporations told IBM that they had already paid ransom for data — seven in ten of those who have experience with ransomware attacks have done so, with more than half paying over $10,000, IBM said. Many paid more.

  • 20 percent paid more than $40,000
  • 25 percent paid $20,000 – $40,000
  • 11 percent paid $10,000 – $20,000

“The perception of the value of data, and the corresponding willingness to pay to retrieve it, increases with company size. Sixty percent of all respondents say their businesses would pay some ransom and they’re most willing to pay for financial (62 percent) and customer/sales records,” the report said.

All this paying up flies in the face of law enforcement’s advice, which is to never pay.

“Paying a ransom doesn’t guarantee an organization that it will get its data back,” said FBI Cyber Division Assistant Director James Trainor in a report earlier this year. “We’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cybercriminals to target more organizations; it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding.”

Of course, the FBI is looking at the macro impact, while the victims are looking at a huge, immediate micro problem.

How can you protect yourself? IBM says the main way ransomware arrives is through an unsolicited email with a booby-trapped attachment — usually a Microsoft Office document that asks for macro permissions. So don’t click on those and you’ve gone a long way towards protecting yourself. Here are some other tips from IBM.

Banish unsolicited email: Sending a poisoned attachment is one of the most popular infection methods used by ransomware operators. Be very discerning when it comes to what attachments you open and what links you click in emails.

No macros: Office document macros have been a top choice for ransomware operators in 2016. A document that, once opened, requires enabling macros to see its content is a very common sign of malware, and macros from email should be disabled altogether.

Update and patch: Always update your operating system, and ideally have automatic updates enabled. Opt to update any software you use often, and delete applications you rarely access.

Protect: Have up-to-date antivirus and malware detection software on your endpoint. Allow scans to run completely, and update the software as needed. Enable the security offered by default through your operating system, like firewall or spyware detection.

Junk it: Instead of unsubscribing from spam emails, which will confirm to your spammer that your address is alive, mark it as junk and set up automatic emptying of the junk folder.

 
