Issue link: https://beckershealthcare.uberflip.com/i/977748
49 CIO / HEALTH IT BJC HealthCare exposes 33k patients' PHI By Julie Spitzer B JC HealthCare in St. Louis notified 33,420 patients a data server configuration error exposed stored scans of certain docu- ments on the internet without the appropriate security controls from May 9, 2017, to Jan. 23, 2018, a hospital spokesperson confirmed to Becker's Hospital Review. Hospital officials discovered the exposure during an internal security scan and immedi- ately reconfigured the server to the correct setting. According to the hospital's investiga- tion, no personal data was actually accessed. The scanned documents on the server includ- ed copies of patient driver's licenses, insur- ance cards and treatment-related documents collected during hospital visits between 2003 and 2009. Patient information — such as name, address, telephone number, date of birth, So- cial Security number, driver's license number, insurance information and treatment-related information — were potentially accessible. Although no BJC data was accessed, the hospital offered affected patients free iden- tity theft monitoring as a precaution. Patients whose data was stored on the server were mailed a letter that explained the situation, how to enroll in identity theft protection and where to direct any questions. n CFO attributes Texas hospital district's bond downgrade to Cerner issues By Jessica Kim Cohen and Alia Paavola L eadership at Odessa, Texas-based Ector Hospital District, which does business as the Medical Center Health System, attributed a recent bond downgrade to costs associated with its EMR im- plementation, the Odessa American reported. Here are five things to know about the downgrade. 1. Fitch Ratings downgraded Ector Hospital District's issuer default rat- ing to "BB+" from "BBB," due to several factors, including the health system's low operating margins, high capital needs assessment and its weak leverage position and weaker liquidity metrics. 2. In 2016, the Ector Hospital District's bond rating was "A-." This rating was downgraded to "BBB" in 2017. Former Medical Center Health Sys- tem CFO Jon Riggs attributed the 2017 downgrade to the implemen- tation of its Cerner EMR in April 2017, which cost about $55 million. 3. The health system's current CFO, Robert Abernethy, said the recent downgrades are reflective of various factors, including growing oper- ating losses and the Cerner implementation. He said it "really hurt us from an Accounts Receivable standpoint." 4. During a Feb. 13 meeting with the Ector County Hospital District board of directors, Medical Center Health System President and CEO Rick Napper acknowledged the initial EMR rollout included issues with system stabilization, revenue cycle management and reporting. However, he expects the total cost of the project to come in $8 million below budget. 5. Mr. Abernethy said the hospital district's goal is to get into the high "BBB" or "A-" rating range. The downgrade to "BB+" was minor and not unexpected, he said. "I think it reflects not only do we have a lot of room for improvement, but it also reflects the optimism that we're going in the right direction." n Most cyberattacks cause 4 hours of downtime: 7 things to know By Julie Spitzer P hysicians may need more cybersecurity training and education, according to an American Medical Association and Ac- centure survey. For the survey, AMA and Accenture tapped 1,300 physicians across the U.S. to find out about their experience and attitudes toward cybersecurity. Here are seven things to know. 1. More than 4 out of 5 physicians experienced some type of cyberattack, the most common being phishing (55 percent), followed by virus- es or malware (48 percent) and unauthorized employee access (37 percent). 2. More than half (55 percent) of physicians are very or extremely concerned about future cyberattacks, as opposed to 2 percent of physi- cians who are not at all concerned. 3. Most physicians (64 percent) said a cyberat- tack resulted in four hours or less of downtime, while others (4 percent) said an attack shut down their systems for more than two days. 4. In response to a cyberattack, most physi- cians said they notified internal IT groups (65 percent), notified or educated employees (61 percent) or implemented new written policies and procedures (59 percent). 5. About half (49 percent) of physicians said they have an in-house security official, while others outsource security management (26 percent) or share security management with another practice in their area (23 percent). 6. e plurality (37 percent) of physicians said privacy and security training content is devel- oped by the health IT vendor. 7. Physicians said the most helpful training tools are tips for good cyber hygiene (50 per- cent), simplified legal language of HIPAA (47 percent) and an easily digestible summary of HIPAA (44 percent). n