Healthcare Experts Share What It Means for Medical Practices
With the advent of the Information Age and rapidly improving technology making not-that-old equipment obsolete, data can easily be tracked down by the wrong people on laptops, networks, desktop drives, USB drives, cell phones, scanners and copiers with scanning capabilities.
Many physicians aren’t aware of their vulnerability to embezzlement and theft of cash, assets and data, which could lead to lawsuits or the threat of litigation, and most practices don’t recognize how relaxed their controls generally are around medical/clinical, personnel/HR and financial data, according to Rhonda W. Sides, CPA, principal for healthcare services and business valuation/litigation support services, and Terry Saltsman, PhD, principal for IT assurance, both of Crosslin & Associates in Nashville, Tenn. The two shared their insight into medical practice security challenges in the recent presentation “Accounting and IT Forensics: What It Means for Your Practice” for Mid-South Medical Group Management Association (MGMA) members in Memphis.
“Electronic data allows manipulation and deceit at many levels,” said Sides. “There are ways to prove this, and it can hurt … or help defend your business.”
If the practice decides to introduce a digital billing program or electronic health records (EHR), for example, the doctor is implicitly assuming the associated risk, said Saltsman.
“The risk assumed is broader than in the past because historically a thief had to break into the facility and pilfer the actual records,” he said. “Today, the thief has been replaced by the hacker who can sit at a computer anywhere in the world and use software tools to defeat the practice’s firewall. Further, a hacker can take an insurance company’s website, copy it completely, and create an incredible data collection tool. Simply clicking on a piece of spam that refers to the website can provide the hacker with valuable information that can be used to defeat the practice’s firewall. Once the firewall has been breached, the network is open for a complete download of the medical records, which can be accomplished in just a few hours.”
According to the Centers for Medicare & Medicaid Services (CMS), in 1999, about 60 percent of practices were still using paper records and sending daily billings through the United States Postal Service.
“Between 1999 and 2004,” Saltsman pointed out, “the demographic of practices using digital billing and EHRs flipped, so that by 2004, 60 percent of practices were sending their daily billings to the insurance companies via the Internet. Today, 90 percent of all practices are using some form of electronic means to track billing, health records, or both.”
Physician practices can take steps to avoid fraud and embezzlement and to protect clinicians from improper and illegal activities. Money invested now in preventive measures is money not spent later on negative events that could stymie the growth of the practice, said Sides.
“Have your practice vulnerabilities checked now,” she suggested. “Have your network firewall and data applications ‘penetrated’ to see if you’re a sitting duck for a perpetrator, and then have those gaps closed up by IT security professionals.”
Other preventive measures that Sides recommended:
· Buy fidelity bond coverage for your practice.
· Provide mandatory, periodic training that covers not only the healthcare regulatory environment but also basic internal controls over assets and data in your business environment.
· Require employees to sign their attendance at these training sessions, along with their agreement to comply with the practice’s policies, much like a Medicare Compliance Plan’s Code of Conduct.
· Establish policies about the limited or prohibited use of outside email accounts, social media pages, et cetera on the practice’s network.
· Investigate hostility and disgruntled-employee incidents. Most labor and employment disputes and litigation arise from a situation that has been building for some time and finally erupts.
· Hire IT professionals who have the knowledge and experience to set up proper controls around your practice’s protected medical and financial data.
“A very common misperception is that all IT professionals have the same skill sets,” Sides said. “IT professionals have a variety of skill sets and areas of expertise and focus, just like CPAs, lawyers and physicians. A physician practice typically has an outside IT contracted individual or company they work with, or a large practice typically has an in-house IT employee. But for the IT security issues required in today’s business world, this expertise may not necessarily lie with (those) whom a practice employs for routine IT assistance. It’s highly recommended that physicians invest in outside IT professionals to secure their networks and provide periodic check-ups to ensure compliance and protection.”
Other preventive measures easily implemented that aren’t usually well enforced include mandatory password changes, retention policies for record keeping and timeframes for deletion of emails and other electronic data, and routine segregation of duties where feasible.
With the large storage capacities on networks these days, it can take many months for a deleted email to be completely overwritten, Sides said.
“Saving tons of data for too long not only makes your system operate slower, but it also can hurt you in litigation in two ways: first, saved emails can be misinterpreted and pulled into evidence against you, and second, it costs you more money when litigation IT forensics must crawl through all the data to find evidence related to a particular case,” he explained.
Another proven recommendation, Sides said, is having a surprise random audit conducted on accounting controls, especially in smaller practices, where a true check-and-balance segregation of duties may not be possible.
“Also highly recommended is for doctors to know how to access their accounting and bank records—especially when they are online only—and actually take a hard look at them sometimes with a different eye,” she said. “Some physicians sign their checks; many don’t unless they’re over a certain amount. Take the time to look at where your money is going and ask yourself: does it look right? Does it make sense? Most practice embezzlements are committed by a long-time trusted employee with fiduciary authority.”
When a catastrophic event such as a hack occurs, said Saltsman, the practice has an immediate need for IT forensics.
“IT forensics can be viewed as having two components,” he said. “First, there’s a security peg where the practice’s firewall and network are reviewed for weaknesses. This is different from having the Value Added Reseller (VAR) of the network and billing/EHR software reviewing the components because a forensic firm comes to the table with the same set of tools as most hackers. Second, there’s the investigative arm … the part that comes into play when something’s gone wrong and a detailed review of the IT systems might be required.”
From an IT perspective, the need for IT forensics comes into play several ways, Saltsman said, such as an outside hacker breaking into the system and downloading valuable medical and financial information.
“There are also issues involving money being removed from the practice,” he said. “Often, the doctor only has a vague hint that something’s wrong financially. An IT forensic team can identify if financial records are being digitally altered, if checks are being written to suspect accounts, or if practice data is being abused in any other way.”
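The two review checks described above (physicians signing only checks over a certain amount, and a forensic team looking for checks written to suspect accounts or altered records) can be expressed as simple audit logic. This is an added illustration, not code from the article or from Crosslin & Associates; the check register, the approved-vendor list and the $2,500 signing threshold are constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed sample check register (not real practice data):
# (check_no, payee, amount, entered_by)
CHECK_REGISTER = [
    (1001, "Memphis Medical Supply", 4200.00, "bookkeeper"),
    (1002, "Office Depot", 310.45, "bookkeeper"),
    (1003, "JR Consulting LLC", 2450.00, "bookkeeper"),
    (1004, "JR Consulting LLC", 2475.00, "bookkeeper"),
    (1005, "JR Consulting LLC", 2490.00, "bookkeeper"),
    (1006, "Memphis Medical Supply", 6100.00, "bookkeeper"),
]

# Assumed: physicians personally sign only checks at or above this amount.
SIGNING_THRESHOLD = 2500.00
# Assumed approved-vendor master list maintained outside the bookkeeper's control.
APPROVED_VENDORS = {"Memphis Medical Supply", "Office Depot", "Blue Cross"}


def flag_suspect_checks(register, threshold=SIGNING_THRESHOLD,
                        vendors=APPROVED_VENDORS, window=0.05):
    """Return (check_no, reason) pairs an auditor should pull for review."""
    flags = []
    near_threshold = defaultdict(list)
    for check_no, payee, amount, _ in register:
        if payee not in vendors:
            flags.append((check_no, "payee not in approved vendor list"))
        # Amounts just under the signing threshold never reach the doctor's desk.
        if threshold * (1 - window) <= amount < threshold:
            near_threshold[payee].append(check_no)
    for payee, checks in near_threshold.items():
        if len(checks) >= 2:  # repeated just-under-threshold checks to one payee
            for check_no in checks:
                flags.append((check_no, f"repeated checks just under signing threshold to {payee}"))
    return flags


def ledger_hash_chain(register):
    """Chain a SHA-256 over every entry so a later edit to any row changes the final hash."""
    prev = "0" * 64
    for entry in register:
        prev = hashlib.sha256((prev + "|".join(map(str, entry))).encode()).hexdigest()
    return prev


def ledger_altered(register, expected_hash):
    """True if the register no longer matches the hash recorded at the last audit."""
    return ledger_hash_chain(register) != expected_hash
```

The recorded hash must be stored somewhere the people who can edit the register cannot reach, or the chain proves nothing.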
Policies are needed because the strength of any digital billing system and EHR is the human being sitting at the system, Saltsman emphasized.
“Policies tell the employees how they should conduct themselves while using the practice’s net infrastructure,” he said. “Policies also tell your VARs how to conduct themselves when working on your system.”
Because digital billing and EHR are complex systems, the practice needs a set of directions telling the employees how to use the system, explained Saltsman.
“As always, every set of procedures will differ from one practice to the next,” he said. “What’s needed are firm standardizations; without them, the smallest tweak of a system, or simple trust toward the wrong employee can unleash a string of dire consequences.”
Procedures with the firewall are also important, Saltsman said.
“Consider the firewall the front door of the practice,” he said. “Following documented procedures can provide the right amount of instruction to properly protect the digital assets of the practice year after year.”
The main effort to protect the practice’s digital assets comes from the doctors.
“Because doctors are normally the owners of the practice, they have to step up and ask the hard questions,” he said. “The doctor must be willing to bring in subject experts like IT forensic specialists and fraud accountants to periodically investigate key financial and digital infrastructure. A turnkey forensic firm can scale the investigation toward appropriate avenues that will best harden the practice’s policies and procedures to resist criminal intent.”