September 21, 2011

Nifty Licensing Agency Contact Resource

Want to know who the various healthcare provider licensing entities are for a given state? Palmetto GBA has made that a piece of cake now. Their new database of licensing requirements (primarily for use by DME suppliers) includes the licensing bodies for each state. For example, here's what they show for New York:

1)New York State Board of Pharmacy
Phone: 518-474-3817 extension 130 extension 130
Web: http://www.op.nysed.gov/prof/pharm/
- Registered Pharmacy Establishment Certificate
2)New York State Board of Pharmacy, Office of the Professions
Phone: 518-474-3817 extension 250 extension 250
Web: http://www.op.nysed.gov/prof/od/
- Ophthalmic Dispenser License
3)New York State Board of Respiratory Therapy
Phone: 518-474-3817 extension 120 extension 120
Web: http://www.op.nysed.gov/prof/rt/
- Respiratory Therapist
4)New York State Education Department, Office of the Professions
Phone: 518-474-3817 extension 591 extension 591
Web: http://www.op.nysed.gov/prof/
- Optometrist License
- Physician License
5)New York Department of Health
Phone: 518-402-1016
Web: http://www.nyhealth.gov/
- Ambulatory Surgical Center
- Home Health License
- Hospital License
- Nursing Home Administrator License
- Nursing Home License

Another table shows the type of provider with a link to the number (as listed above), and still another nifty feature lets you choose a healthcare product or service from a dropdown, and jumps you to a listing of the various licensing requirements. Kudos!

HIPAA Hacked: ALL YOUR MEDICAL RECORDS ARE BELONG TO US

The origin of ALL YOUR (insert asset here) ARE BELONG TO US#sslsecurityhack SSL/TLS, the encryption system that has been keeping online credit card transactions and HIPAA-sensitive communications safe for over a decade, has broken down. As shown by researchers at a recent conference, a simple tool now gives hackers access to your PayPal transactions and much more. Gonna be fixed? Possibly not for many months, even years, since any change to the SSL/TLS protocols causes ecommerce to break for any number of sites, depending on the server or browser involved in the transaction. The hack is truly a killer app.

Just google SSL/TLS HIPAA and you'll find hundreds of applications that use Secure Sockets Layer/Transport Layer Security technology to secure electronic medical records transactions. (Here's an ironic example of the misinformation out there, labeled "Completely Secure Collection of Web Form Data using SSL".)

An article in The Register reports that a couple of researchers announced a demo of their tool, called BEAST (Browser Exploit Against SSL/TLS), at a Buenos Aires security conference last week. BEAST performs a "plaintext-recovery" attack, exploiting a (previously theoretical, but known) weakness in TLS. During encryption, the TLS protocol scrambles each subsequent block of data based on the previous encrypted block. It had long been theorized that an attack could manipulate the process to make educated guesses about the contents of the plaintext blocks. If a guess is correct, the block cipher will get the same hash for a new block as it used for the previous one, resulting in identical cipher-text. Security just goes POOF.

At the moment, BEAST requires a little under two seconds to decrypt each byte in an encrypted cookie, used by a web browser to secure an online transaction session. Doing the math, a 1,000-byte cookie would take maybe half a minute, but researchers Thai Duong and Juliano Rizzo have now announced that they've tweaked the process down to about ten seconds. That's plenty quick to grab whatever users are sending, decypher it, and, well, steal it.

So, what are browser makers doing to plug this new hole? One word: Nothing. What's the hold up? Well, although this "theoretical" hack has been understood for years, a secure transaction involves just too many parties to get it all straightened out without knocking out millions -- perhaps billions -- of transactions for perhaps an extended period of time. For instance, the Firefox and Chrome browsers (according to w3schools.com, Firefox gets 40.6% of traffic, while Internet explorer gets just 22.4%, and Google Chrome gets 30.3% as of August, 2011) use the open source Network Security Package to implement HTTPS. But there are other security packages out there, and IE uses one of them. Any change would require simultaneous change to all packages. And that's not the half of it; the servers use multiple SSL implementation platforms, such as OpenSSL, and all of those would have to change at the same time. The offending protocol, TLS 1.0, has been available in an upgraded version (1.1 and 1.2) since 2006, but getting all the ducks lined up just isn't happening.  While IE 8 and up include support for TLS 1.1 and 1.2, which do not appear to have the vulnerability, it is not the default, and still relies on servers to accept the protocols without falling back to 1.0.

“The problem is people will not improve things unless you give them a good reason, and by a good reason I mean an exploit... It's terrible, isn't it?” said an analyst with the security firm Qualys.

There appear to be no reliable estimates of the percentage of HIPAA electronic transactions that are secured using SSL with TLS 1.0, but considering that, in the absence of a broadly implemented general browser-server solution, any TLS v1.2 implementations would require proprietary code at both the server and client sides, and transactions running under the hackable version would likely be the overwhelming majority. As of early 2011, Microsoft's .Net framework did not support the updated TLS protocols, suggesting that any EMR, EHR, eligibility and billing applications developed at that time may not support them either. Time to call your vendor?
Check Comments below for updates...

    September 11, 2011

    91 Charged With $295 Million Medicare Fraud

    Ninety-one doctors, nurses and others were charged in a blockbuster sting operation, with arrests unfolding over three weeks and culminating in 70 arrests last week. In 2007, a strike force was set up between the Department of Justice and the Department of Health and Human Services to identify and build federal fraud cases to fight criminal abuse of federal healthcare programs. U.S. Attorney General Eric Holder said that arrests were made in eight US cities involving more than $295 million in stolen funds.

    Almost half of those charged were part of a Florida ring that recruited healthcare providers to refer patients to a mental health center, in some cases threatening residents of a halfway house with eviction if they refused the unnecessary care. Another case involved $3.4 million in unnecessary physical therapy by two Brooklyn physicians.

    On September 1, officials in Detroit charged 18 physicians, nurses, clinic owners and other medical professionals for submitting $28 million in false claims to Medicare. Just one day earlier, the owner of a Houston, Texas durable medical equipment business was sentenced to 97 months in prison for his role in a Medicare fraud scheme.

    In all, the strike force, known as Health Care Fraud Prevention and Enforcement Action Team (HEAT), has charged 1,140 defendants who collectively have falsely billed the Medicare program for more than $2.9 billion.

    When providers have been convicted of fraud and certain other infractions and delinquencies, their names are placed on the List of Excluded Individuals/Entities (LEIE) database. CarePrecise compiles this data into its comprehensive database of U.S. healthcare providers, identifying excluded providers' NPI numbers, phone and fax numbers.

    Read the full story on the HHS website.

    September 9, 2011

    U.S. Doctors Earn Big, Drive Up Costs

    According to a new study published in Health Affairs, America's approximately 1.1 million physicians are paid dramatically higher fees than those in all of the other more than 230 Organisation for Economic Co-Operation and Development countries. Per capita, our physicians are paid $1,599; other countries averaged significantly less than that -- about 81% less -- or about $310. The difference, nearly $1,300, is a major factor in driving up U.S. healthcare costs, and, according to the report, is the the main cause of higher overall spending in America on physicians' services.

    The disparity comes into stark focus in the area of specialists' fees. While U.S. primary care docs earned significantly higher than their foreign counterparts -- averaging $186,582 annually -- orthopedic physicians earned $442,450. As an example, the study compared physicians’ fees paid by public and private payers for hip replacements in Australia, Canada, France, Germany, the United Kingdom, and the United States, finding that much higher fees were paid to U.S. orthopedic physicians for hip replacements (70 percent more for public payers, 120 percent more for private payers) than public and private payers paid these specialitsts in other countries. The study concludes that "the higher fees, rather than factors such as higher practice costs, volume of services, or tuition expenses, were the main drivers of higher U.S. spending, particularly in orthopedics."

    According to August, 2011 CarePrecise data, of the approximately 1.1 million U.S. physicians, about 35,500 practice as orthopedists and orthopedic surgeons, with another 378,000 specialists practicing in the high fee taxonomies. Only about 160,000 U.S. physicians serve in family practice.