Transcription Trends: Cyberattack on Nuance Offers Teaching Moment
By Lee DeOrio
For The Record
Vol. 29 No. 7 P. 5
In the face of a crisis, it's often a good idea to take a step back and learn from the moment. Perhaps that's not feasible until after the fact—it certainly isn't in this case—but to place odds on it never happening again is foolish.
On June 27, Nuance numbered among the worldwide victims who fell prey to the NotPetya virus. To say HIM was left scrambling for answers would be an understatement. For its part, Nuance began working around the clock to rectify the situation, offering alternatives for customers based on the product purchased while telling others to hold tight while it worked to return to normal operations. Progress has been made, but certain clients continue to be offline, with some turning to other vendors for help.
How long the downtime persists is anyone's guess. Nor is it certain how much data may have been lost.
As is to be expected, the incident sparked strong reactions throughout the industry, from transcriptionists voicing their concerns and displeasure on the MTStars website to seasoned experts and longtime observers.
For HIM directors, it's been a trying, stressful time, with some having to manually insert transcribed documents into their EHR. At Hillsdale Hospital in Hillsdale, Michigan, providers were forced to handwrite documentation. According to Tracy Rowland, RHIA, CDIP, Hillsdale medical record department manager and privacy officer, it created a situation that "made for some very unhappy campers. Some refused and used their own recording devices and were trying to send me their .wav files."
Rowland says the hospital didn't have a means of transcribing its documentation although hospitalists were able to use the HIS [hospital information system] electronic documentation system. The crisis called for extreme measures. "I had an inpatient coder who was a transcriptionist in another life, but since this happened just before a major summer holiday, she was gone on vacation. I had her transcribing when she came back," Rowland says. "We had old equipment in storage; we dusted it off and put it to work."
"One of the most important roles of an HIM director is to ensure timely delivery of patient records for continuity of care," says Noel Tauzin, vice president of worldwide health care documentation services at M*Modal. "Ensuring the proper prerequisite health care documentation is available to the patient's care team is a major concern, especially urgent in the event of a patient requiring immediate medical care. Anything that hampers the workflow of patient records is a major stressor for an HIM director. The cyberattack impacted many facilities, with their HIM directors scrambling for alternative means to ensure health care documentation is available to the teams providing patient care for their patients."
It can be argued that HIM has never seen such a widespread event. "No one could imagine such a large vendor being shut down completely," says Dale Kivi, MBA, vice president of business development at FutureNet and a member of For The Record's editorial advisory board. "Unfortunately, the daily Nuance updates are seen as offering little if any relief unless they are a former Emdat client or one of their largest revenue producers. All others know that they will need to stand in line and apparently are not being given any timetable or frame of reference for how long it might take before they could expect to come back online."
"I can't imagine how stressful this has been on the HIM managers at these facilities," says Michael Miller, vice president of client services at Dolbey Systems. "I can remember in 2003 when the Northeast experienced the widespread electrical blackout; we had servers that were down for hours due to a backup generator failure. It took a long time for those customers to forgive us for that outage. That was hours—not days and weeks. Dictators largely don't care what the cause is. They have to cancel elective surgeries. Their schedules are interrupted. They can be generally unkind, to put it mildly, in the treatment of the people they hold responsible for an outage like this."
For HIM directors who didn't have the option of turning elsewhere for help, the situation was especially dire. "Because there are many long-term contracts and interfaces with Nuance already built, it is difficult to quickly have another transcription organization step in to only help for a few days," says Bob McClelland, chief operating officer at InfraWare.
"Clearly, the inability for doctors to dictate and transcriptionists to transcribe puts an incredible strain on HIM directors. There's really no practical way to have a backup plan for dictation and transcription comparable to a backup electrical generator that kicks in immediately whenever there's a power outage," says Jay Vance, CMT, CHP, AHDI-F, vice president of operations and compliance officer at WahlScribe.
As might be expected, many vendors were willing to pick up the slack when the news broke. "We've been busy with the customers we share with Nuance," Miller says. "These are hospitals that have our dictation platform, Fusion Voice, and have needed more licenses to fend for themselves during Nuance's outage. They are the lucky ones because they still have their own dictation capture. My former customers that turned off their systems when dictation volumes went down—they are the ones that are hardest hit. They outsourced it all, literally put all their eggs in one basket."
M*Modal and FutureNet, among others, noted they also were helping meet market needs by supporting impacted facilities.
Besides documentation concerns, HIM managers also faced heat from a revenue perspective, says K.B. Anand, CEO of Acusis. "HIM directors had no idea when and how the documentation would be completed and subsequently sent for coding and billing," he says. "The challenges due to statutory regulations, the question on how the providers would be able to catch up with the documentation once an alternate solution is available, etc., increased the complexity of the situation."
Rowland can relate firsthand to the revenue cycle concerns caused by the cyberattack. "Utilization review [UR] needed the information to call insurance companies. Even if the provider had handwritten the notes, the UR reviewer could not read the documentation," she says. "This experience definitely shows how we have become reliant on the electronic medium that CMS has tied to meaningful use incentives. A catch-22!"
McClelland says the attack on Nuance illustrates the need for health care organizations to have multiple documentation options. "The clients who are signed with us on a small level simply increased their volume coming to InfraWare and were not nearly as affected," he says.
While some health care organizations may believe having such flexibility is a luxury, it's one they would be wise to invest in, says Kivi, who adds that there must also be a backup plan for all services and technology in place. "Although no one wants to manage any more vendors than they have to, keeping a secondary vendor live—even in an extremely limited capacity—enables you to continue operations when disaster happens," he says. "Some vendors are known for including exclusivity in their contracts. In today's environment, that should not be accepted from anyone."
Miller notes that anyone can fall victim to a malware attack. "Switching to another vendor solves your problem temporarily. What happens if that vendor has the same problem?" he says while acknowledging that providers must have a backup plan to avoid a single point of failure. "Ultimately, the best solution is what they all once had: Own your own data," Miller says. "Dictate to your own system. If you must outsource, you have the flexibility to route that work elsewhere if your vendor has issues. Your doctors can keep working. If having a dictation system to meet all your volumes is out of reach, at least have a small-scale backup ready to deploy. For most hospitals, a small backup system would cost a fraction of the revenue lost in a single day during this outage."
M*Modal CIO Marty Serro recommends organizations have several layers of protection, including the following:
• Dictation capture: Mission critical to patient care, making a local backup dictation-capture system absolutely essential.
• Dictations playback and management: Hospitals must be able to readily access already-dictated clinical findings during a crisis.
• Speech recognition: Cloud based, but not 100% cloud dependent, with flexibility to be rolled back to local recognition when needed.
• Transcription workflow: System should enable emergency transition to third-party workflow without having to reconstruct all configurations.
• Transcription services: Partner with a reliable organization that has the capacity to scale and support your needs in times of emergency.
• Highest security standards: A comprehensive security framework program covering all aspects of the business along with a business continuity plan ensuring that the business can operate when a catastrophic event occurs.
According to Betsy Ertel, AHDI-F, CEO of SpeedType, health care organizations would be wise to have several fall-back options. "My theory is that you can never back up too much or diversify your digital operations in too many directions," she says. "A company's dependability and customer service solely rely on its backup securities. That is the backbone of a company operation. When the ball drops, other resources have to be available for access."
Unfortunately, it took a situation of this magnitude to perhaps open providers' eyes, Anand says. "They were without a bulletproof vest when it was most needed," he says. "The most important and the direct lesson learned was that relying on a single vendor is always a risk—irrespective of their capacity and robustness. In an area like patient documentation, which is equally critical for patient care and revenue cycle management, one needs to have a plan B."
Having a plan B ready to go is already on Rowland's mind. "Our future backup plan will be to rely on the electronic documentation to ensure that we have this information available for continuing care and not have transcription delays," she says.
Once the dust settles and operations return to normal, all health care organizations—including those not affected by the Nuance outage—must reassess their security processes, experts say.
"This is a reminder to all of us in health care that we're no longer floating below the radar in terms of cybersecurity threats," says Maureen M. Hetu, MBA, regional CIO of Trinity Information Services. "We need to remain vigilant in maintaining appropriate cybersecurity hygiene, ensuring that our colleagues adequately understand the risk of phishing attempts, that our organizations have practical and appropriate business continuity plans—and that our business associates do the same. Otherwise, this type of business disruption could be devastating."
"Every organization needs a comprehensive security framework program covering all aspects of the business along with a business continuity plan ensuring that the business can operate when a production-disruptive, catastrophic event occurs," Serro says.
The incident magnifies the need for organizations to dedicate resources to compliance efforts. "If, in fact, the malware infection that crippled Nuance was facilitated by obsolete or unpatched software and/or a lack of adequate employee education regarding how e-mail can be used to spread computer viruses, this would shine a very bright light on what can happen if proper HIPAA/HITECH compliance is lacking," Vance says. "Not only is a proper risk assessment a requirement under the law—as bothersome and time-consuming as it may be—it is [also] in reality the primary tool for identifying potentially devastating vulnerabilities in an organization's infrastructure and processes. Every covered entity and business associate should be extremely motivated by Nuance's experience to take immediate steps to conduct a thorough risk assessment and address high-risk vulnerabilities posthaste."
"Systems need to run on the most up-to-date operating systems, utilize the latest network blocking technologies, and continuously monitor for emerging threats," Serro says. "Constant monitoring and updating of security patches is essential. Deploying intrusion detection and intrusion protection systems in all data centers with GEO IP filtering is essential. Enterprise antivirus solutions need to be in place for all platforms and employee assets. Geographical IP filtering on e-mail systems should be standard protocol."
Security should be top of mind when health care organizations select a vendor, Kivi says. "It would be wise to choose a vendor who goes through independent third-party annual security audits, such as SOC II, and has demonstrated the ability to swiftly restore from backups," he says.
— Lee DeOrio is editor of For The Record.