Vanessa Bisceglie discusses the many services offered to healthcare providers by CareVitality, a subsidiary of EHR & Practice Management Consultants, Inc.
Vanessa is highly specialized in Cybersecurity, Care Management, Ambulatory Healthcare IT and MACRA/ Quality Payment Program which has two pathways: MIPS and APM where she guides her team of consultants and care managers to assist providers in their transition to value-based care and performs Security Risk Analysis for over 100+ clients in the last 10 years. These are all the main focus areas of CareVitality. She founded CareVitality to help providers transform their practices by optimizing their existing technology and provides additional care teams to improve patient outcomes and generate additional revenue to their practice while staying focused what truly matters to providers which is providing patient care. CareVitality continues to offer cybersecurity support many of their clients nationally as well.
Neal Howard: Hello and welcome to this Health Suppliers Segment on Health Professional Radio. I’m your host Neal Howard, thanks for joining us. Our guest this morning is Vanessa Bisceglie, she’s here to discuss the services offered to healthcare providers at CareVitality. Welcome to the program, thank you so much for joining us this morning.
Vanessa Bisceglie: Thank you Neal for having me, I appreciate it. Well at CareVitality, we specialize in acute areas. Half of our business here comes in through cyber security work so we’ve been doing security risk analysis as well deeper testing, doing vulnerability scans, penetration testing, probably act as an ethical hacker to help clinics and healthcare organizations understand where their vulnerabilities are, where they could be breached to help them avoid the breach. We’re specialists in the system which makes it terrific because we can actually go right into the settings within the system and help them set that up to standard requirements. And then we also go and help them from the clinic side or the practice side or the hospital side because that’s where most of the vulnerabilities and the breaches happen. So we’ve been doing that for 10 years and that’s with a growth of 2% a year, we probably get a clinic every day calling us and probably a new clinic that has been breached every month. So it’s very interesting, people don’t always realize, they think it if their system is hosted in the cloud, they don’t always realize that most of the breaches are happening because of what’s happening at the user level and with the people in our office are doing.
Neal: So we’re talking nationwide. Are you in one location?
Vanessa: We can this internationally. This piece, but a lot of our clients do come from the United States area so we could do this. We have headquarters all across the country, but yeah.
Neal: So you’re a global organization.
Neal: Do you find that most of the breaches, when you say at the user level, are these breaches accidental? Are they, some of the cause of glitches or are most of them deliberate and malicious? Or are we just talking a little leaks and cracks that you’re able to secure?
Vanessa: I would say 75% are accidental and the 25% are deliberate. And a lot of the times, the deliberate ones, clinics could be able to detect earlier with doing specific checks on who they’re hiring, but they don’t always do that. So I help them understand all the different checks that they should be doing and what should be included in those checks before hiring. But the other ones are particularly, people are just downloading things – malware, ransomware, they’re clicking on goofy emails. People don’t know how to identify these things. It’s a whole myriad of different things that they’re just doing accidentally and the hackers are able to go up into the system, get all the health information is stored.
Neal: How often does CareVitality have to reach out to legitimate businesses, legitimate organizations because something or someone has latched on to something that is a legitimate but tits’ piggy backed with something and now you have to go to a legitimate company and let them know that, “Hey, you’ve been breached thereby breaching my client so we’re reaching out to you.” Is that something that you do?
Vanessa: No, we’re not usually contacted because you’re saying that if our client gets hacked and we’re reaching out to the client? Or we’re reaching out to the client because they’ve been hacked?
Neal: No. Well sometimes, as you say, people are doing things, they’re downloading something. Now this is something that I’ve heard of, hackers attaching their spyware, malware to legitimate sources so that when you download a legitimate source. So once you discover something like that, do you then reach out to that legitimate source and say “Hey, this is happening with your business because my business discovered it with my client.”
Vanessa: We haven’t had that happen yet but I’m sure it could happen. I even have done situations where clients don’t always tell me that they’ve been breached and I’m doing the work. They think that the breach is over with. That happened in November and I’m actually doing the work looking in the system system level and they’re locked out of so many different things that they don’t even know were important. It was because the hacker blocked them from doing things. And a lot of times when clinics come to me, if they’re not associated with the hospital to let a private clinic because they are also worried, this is their livelihood. And with each patient health record is based on one of the institute studies recently is worth $402 on the black web when it is stolen. Because it is a fact that it has, in these clinical systems, it’s much bigger than being stolen from a Target or a retail store or other things because it has the clinic … information, the billing side, the financial, the demographics, the insurance. So the impersonations can be done so much better when it is stolen in one of these systems and that’s why it’s worth the most out of any type of health organization like any type of vertical in the whole business side. Because if you think about it, even if a typical doctor has 3,000 records for patients, that’s worth 1.2 million. So you think about how many providers that’s an estimate, that’s what the database is worth. Providers don’t always realize that, but that’s what they’ll go and sell it for. I think that’s why the business in this area has increased 50% a year because now more and more people are having problems. It’s becoming more obvious. We just rather them come to us before they have an issue than after they have an issue. Because of the obvious reason, right, once you have an issue with one.
Neal: When it’s too late.
Vanessa: One practice came to us and her fine is now between $100-700,000 because she thought it was just one patient. She didn’t do the right thing she was supposed to do once a breach happened and it went on for three three weeks and she didn’t even realize it was going on. So now the breach got bigger so it’s something that I think people just do because they just don’t want to have a problem and they care about their business and they don’t want it to happen. I’ve been doing it for 10 years and CareVitality is partnered or endorsed by the AMA (American Medical Association), the American Osteopathic Association, many state medical societies across the United States as well as medical malpractice insurers promote us for this service. We have over 30 IPAs, PHOs, we have over 30 partners across the country that promote us for this because of our longtime experience doing thousands of these really helps practices understand what’s happening out there that they wouldn’t get from a generalist that just kind of doesn’t understand healthcare systems. We go very specific into the actual system that they have and even open up the system to see how certain things are set up that could create not only security issues but legal issues from a malpractice side of things.
Neal: What about people bringing items or devices into a practice? Do you deal with those issues or are you just dealing with the practices infrastructure there at the facility? What about people bringing in laptops, cellphones and connecting them there?
Vanessa: Oh yeah, we discuss all of that. Absolutely. And then now we get into social media, which is a new thing. It’s just fascinating because every year there’s different things that are going on and we bring that down to the client to educate them so that they’re aware. People do some of them, the most things that they don’t even realize could create the biggest problem. It’s not only the fact that sometimes you could trust your employee so you give them nice access and abilities but you don’t think that, “Okay, that’s your employee. You really have to always worry about it. It could be what did they do while they’re on the Internet? What were they doing there that created you to have an issue? They may not have done it.” Like we said, it’s 75% of it happens unconsciously or not realizing they’re doing something wrong while they’re using your computer and puts your information in jeopardy. So a lot of it is I help them tighten down in the system access to make sure who has what type of access because what could happen if someone else got a hold of that computer when a staff member leaves at the end of the day and they’ve got all night to play on there. So that’s one huge area that I really get excited about and it’s extremely interesting and a lot of the times the providers themselves like to do analysis with me because it’s very eye opening. A lot of things that happened for them in their business are things that people can take with them on a daily basis, even in their personal use. Usually they also have me do trading seminars or people on the team do training seminars to exactly hone in on the issues that they’re having within the organization so that the staff members don’t do them again and explain to them why because every question that we do when we do the analysis, there’s a reason, there’s been a problem somewhere with somebody.
Neal: Where can we go online to get some more information and in wrapping up, what about consultations? Is that something that you offer before actually getting into the grind of finding out what the problem is?
Vanessa: Yeah, we do. We do all different types of stuff, we even do some things complimentary right in the beginning that we could talk about that usually is eye opening that they don’t realize that they’re doing today. They can always go to carevitality.com or go to 800-376-0212 and press extension 1 for the cybersecurity. There is also another area that we focus on here, that’s the other 50% of our business. Do you have time for that?
Neal: Sure, absolutely.
Vanessa: Okay. So the security risk analysis was pretty much required by law, if providers had a certain segment of Medicare patients through something that was called ‘meaningful use.’ Now as many providers understand that are seeing Medicare patients, which is a good majority, they’ve changed a lot in 2015 in the United States that it’s moved towards MACRA, which includes the quality payment program which has two paths, which is called APM and MIPS. And as part of that, in order to get the full bonus criteria that you can get this coming year, it’s 2019, they can get a potential positive payment adjustment at all the claims that they see in 2020 – 2021 by 7%. If they don’t do things properly or do … a bit for security and do it incorrectly, then they will get a 7% decrement in their pay. So it’s pretty serious and with these new initiatives, they took a lot of the old initiatives, we work with clients on which was meaningful use which was using their electronic health record systems in the proper manner so that they were documenting things in the right area. They were submitting things called PQRS which are quality measures and they also had a value based modifier program. So they rolled those old programs prior to 2017 into the new program that started in 2017 for the quality payment program. A lot of our clients attest to MIPS or have to do what’s called MIPS measures, but in those measures, what they added to this new law that got passed in 2015 but started in 2017 is providing additional care management and care coordination. So what Medicare has done in the United States is they reimburse providers for providing additional care services outside of the office. So to follow up with the patients when in between office visits to making sure they adhere to what the provider would like them to follow to help maintain or improve their health with different chronic conditions that they have as well as also they reimbursed those doctors for following patients after they leave the ER to make sure that they … the hospital. So say for instance, they’re being discharged in the hospital and they get discharge instructions so they would like the practices now to provide additional support and call them after they’ve left to review their discharge instructions to see if they have any issues.
Neal: Is that an added exposure to that information because these added services that they’re going to get reimbursed for? Is that an added security exposure?
Vanessa: Not as much as an added security exposure, but the security work that we do is intertwined with this law. So because that part of doing, following this MIPS for instance, which is one of the programs that they like them to do, otherwise their payment will be reduced. It’s really not much of a choice, I mean 7% is significant. So what’s intertwined here is, but it is too, like a lot of what’s going on in a way is that providers are deciding or if they have already decided, if I’m going to provide this additional support now that I get reimbursed, do I want to do this with office staff and have to hire on additional staff to deal with this outside of the office work or do I want to work with a care management vendor like CareVitality. So that’s why we’re discussing what we do, that could manage and monitor our patients when they leave. Sometimes practices just want to focus on what’s going on inside of the office and hand off the out of the office stuff to a vendor that can work right with them. So from a security angle here, it’s very important to pick a vendor who understand security very well because it’s not just care management, it’s also compliant and doing things properly. Because if you’re billing for these codes at anytime, you could get audited for them so you want to make sure it’s someone who knows what they’re doing, providing the right type of resources to help your patients and understands how to keep your information securely.
Neal: And once again, that website?
Neal: Great. Well Vanessa, thank you for joining us here on the program for this Health Supplier Segment. It’s been a please and lots and lots of great services there at CareVitality at carevitality.com
Vanessa: Thank you.