Healthcare ISAC News 4/8/00

[Healthcare ISAC]

Healthcare ISAC News - www.info-security.net To subscribe to our list, write to [EMAIL PROTECTED] Welcome to this weeks edition of the HISAC news. First, the Top 10 list of all detects during the first week of April are posted at the HISAC. They may be viewed, along with the Y2K stats, January, and March (February is still in analysis) at http://www.info-security.net/ISAC/h_isac.html, along with several other pieces of great work submitted by analysts around the world. If you're interested in participating in our Top 10 list, please forward a summary (Top 10-20) or your intrusion detection logs to us at [EMAIL PROTECTED] or [EMAIL PROTECTED].   Next, we posted a terrific high-level HIPAA presentation from Internet Security Systems (ISS). It was written by Dave Cole, an ISS consultant. You can view the presentation (approx 1.5Mb) at ISS's David Cole presents at the HISAC site. We expect to post a more technical version written by the HISAC's Dr. Jim Webb sometime in the next few days.   Next, for the Darwin Awards. You know them -the folks that had it made, but would rather break the law for more money?   I Found this article posted in a small newspaper, The Post and Courier, Charleston, SC on April 5:   MUSC doctors settle lawsuit BY: JONATHAN MAZE Of The Post and Courier Physicians at the Medical University of South Carolina will pay the federal government and four former employees $ 5.2 million over five years to end a billing fraud lawsuit, according to a settlement finalized in U.S. District Court on Tuesday. The deal also includes a compliance provision that allows the government to keep its eye on MUSC and its physicians group, University Medical Associates - which don't admit guilt in the agreement. But, while the settlement effectively ends a lawsuit after more than three years, the $ 5.2 million may not be the only penalty that arises from the billing fraud investigation. Specifically, attorneys confirmed Tuesday that the Department of Health and Human Services is considering taking "administrative action" against certain MUSC doctors. The Office of Inspector General is investigating individual physicians. No charges have been levied against any doctor who, at worst, would face exclusion from federal health care programs - effectively meaning that they couldn't serve patients who pay their bills through Medicare or Medicaid. U.S. attorneys said the inspector general's investigation arose from information gathered during the MUSC billing fraud investigation.  The settlement agreement refers to a letter to the university and UMA, dated April 3, identifying individuals subject to the investigation. A copy of that letter was not provided to The Post and Courier on Tuesday, with both federal and university attorneys citing an ongoing investigation. Aside from that issue, Tuesday's settlement allows the university to place one of the biggest lawsuits in its history in the past tense - a benefit that, for many, far outweighs the monetary payment. "We fought this thing for three years," said MUSC General Counsel Joe Good. "We've spent a tremendous amount of money on attorneys. It's been extremely disruptive for a number of physicians." Dr. Ray Greenberg, MUSC's new president, said he's pleased the issue has been resolved because a lawsuit like this can be distracting. "In my own personal opinion, in protracted litigation, nobody wins," Greenberg said. "Reaching as prompt a resolution as possible is beneficial to everybody." Four former employees sued in 1996 under the False Claims Act, charging that MUSC and UMA over-billed Medicare, Medicaid and the CHAMPUS military health care program. There were different types of accusations, but the most common involved the university billing for service provided by physicians even when those doctors were out of town. In many cases, a resident provided the care. The employees also said they were either fired or reprimanded for raising billing questions. In December 1997, the federal government partially joined the case, taking over the billing fraud allegations. In March, UMA agreed to pay the former employees $ 500,000 to settle the retaliation portion of the case. The government and MUSC went into mediation in February and agreed to a base portion of a settlement that month. They continued discussing the details well into Tuesday morning before informing U.S. District Judge Weston Houck that they reached a deal. The settlement allows both sides to avoid a long, expensive trial. During a trial, the federal government would have to argue each individual claim - which could number in the thousands - to prove it was fraudulent. The defense would have to argue that each was not. A trial could have taken three months and cost the university hundreds of thousands of dollars, some have estimated. "It would have made the O.J. Simpson trial look small," Good said. Under the agreement, UMA will pay $ 1 million within three days. It will pay the rest in five annual installments of $ 840,000 plus interest at current rates. The four whistleblowers in the case - former employees Teri Abbott-Burdick, Cinda Gridley, Richard Koonz and James Salvo - will receive 23 percent of the penalty, or $ 1.2 million. The False Claims Act allows whistleblowers to sue for alleged fraud and receive a portion of any penalty the government recoups. The payment schedule was important for the university because of its current funding difficulties, officials said. "We needed to conserve funds for use by the Medical University," said Bruce Shaw, a Columbia attorney for UMA. MUSC officials were quick to note that the penalty was low compared with billing fraud settlements at other academic health centers - from $ 8.6 million at University of Virginia to $ 30 million at University of Pennsylvania. The settlement amount is just below average for False Claims Act deals. According to Taxpayers Against Fraud, a False Claims Act watchdog group, the average settlement is $ 5.8 million. According to a university news release, the settlement represents two-tenths of 1 percent of the estimated $ 2 billion MUSC has collected as payment for services over the past nine years. U.S. Attorney Rene Josey called the deal "adequate" and cautioned against comparing it to others around the country. He said it was the biggest health care fraud settlement in South Carolina history. "It's fair enough to compensate the taxpayers," he said. "It's not so punitive as to hinder the university." Josey, the university and attorneys for the four employees all said that the compliance agreement was the most significant part of the settlement. The agreement contains several requirements: Training and education of all employees on proper billing procedures, including billing staff, doctors and residents, within 90 days. Reporting compliance efforts to HHS every year. Establishing a compliance disclosure program providing procedures for employees, patients and others to report fraud without fear of retaliation. Appointing compliance officers and a compliance committee. Implementing screening procedures for ineligible employees, including doctors who have been excluded from Medicare. MUSC or UMA could face further penalties if they break the compliance agreement. University officials said they are already complying with many of these requirements. Shaw said they will not be a major burden on the university.  "We wanted this to be a showcase compliance agreement for the country," Shaw said. Josey agreed the compliance agreement is vital and said he's confident it will work. He noted this is the second time in seven years that the university and UMA have paid a False Claims Act settlement. In 1993, MUSC and UMA paid the federal government more than $ 1 million to settle a five-year billing dispute at the Institute of Psychiatry. "Given this litigation and other claims history, their board and administration should know how important it is to comply," Josey said. Meanwhile, attorneys for the four whistleblowers said their clients got what they wanted - to make sure problems don't happen in the future. "It's important to them that people who continue to work there won't be subject to the same abuse," said David Freeman, lead attorney for the whistleblowers. "The compliance issue is key to that." After everything was completed in what has been a contentious case, attorneys for both sides didn't quite stop debating, turning their attention to the complexity of government regulations. University officials contended, as they have all along, that the issue boiled down to the constantly changing federal rules and regulations, saying that it is often impossible to determine exactly what those regulations say. But the plaintiffs' attorneys disagree, saying that many of the regulations have been around for years. "What mystifies me is why it took them so long to figure out what's right," said Carl Muller, an attorney for the four employees. "You don't bill for something you don't do."   My comments: Sound familiar? The HISAC wants to find a way to help. The Forrester Research group this week sent a report out talking about why physicians don't like the Internet. This could be a reason to argue against computerization. However, one thing to keep in mind here is this --if your procedures are bad prior to computerization, they're going to be fast and bad under computerization. You're simply hiding the bad processes in the speed. This is where HIPAA comes in. HIPAA, although restructuring the way we do business, is actually outlining a set of 'best practices' to be implemented within the community. This is a good thing. HIPAA actually will seemingly allow us to work with existing technology, for the betterment of information security. Need help? Here's a draft of a GAO report talking about some of the factors that must be considered during for implementation of standards on information security in any sector http://cryptome.org/ai00135t.htm. Need more help? Contact the HISAC with your questions or submissions at [EMAIL PROTECTED].   In the news Guilty Plea Entered In Fatal-Abortion Trial; Patient bled to death after doctor sent her home ; The San Francisco Chronicle ; APRIL 7, 2000, FRIDAY, FINAL EDITION ; 731 words 'Flea-Market' Surgery Alleged in Miami ; APBnews.com ; April 6, 2000, Thursday ; 604 words Two booked in '97 burglary of clinic ; The Advocate (Baton Rouge, LA.) ; April 5, 2000, Wednesday METRO EDITION ; 206 words MUSC doctors settle lawsuit ; The Post and Courier (Charleston, SC) ; April 5, 2000, Wednesday, POST AND COURIER EDITION ; 1330 words Dishwasher charged in New Jersey shooting ; St. Petersburg Times ; April 05, 2000, Wednesday, 0 South Pinellas Edition ; 364 words Date-rape drug stolen from vet clinic ; The Denver Post ; April 4, 2000 Tuesday 2D EDITION ; 260 words Former cop admits to theft from Bountiful hospital ; The Deseret News (Salt Lake City, UT) ; April 2, 2000, Sunday ; 256 words "911 Virus" This week I'd have to say I received no less than a hundred reports of infection with the 911 Virus. Let me offer some insights on this. The 911 Virus, (actuall the Chode virus), appears to have initially shown up on April Fools day. This was not a joke. Several of the submissions I'd received stated they actually had police knocking on their door. Several others simply stated they'd found the bug, based on the update from their virus scanner, and were taken care of. For those of you that have not seen the original reporting, I saved both the FBI report and the SANS initial report at the HISAC. You can view them at http://www.info-security.net/ISAC/Alerts/alerts.html. Great job by the FBI for getting the word out, and SANS for acting quickly in the analysis.       Until next week,   Jeff Stutzman Healthcare ISAC www.info-security.net   To subscribe, write to [EMAIL PROTECTED]