The Equifax Breach and You
We’ve all probably heard of the recent, highly publicized Equifax breach and cyber extortion. In light of this and other breaches, you have probably also formed the impression that, if you are an adult in the U.S., your basic personal information is probably for sale somewhere. Unfortunately, you’re right. There is no airtight solution, but there are some things you can do.
Equifax set up a website, https://www.equifaxsecurity2017.com/, so that you can check if your personal information was included in this latest breach. This page has a link to https://TrustedIDPremier.com, which can check if your data was part of the breach. You can sign up for their ID protection service from there if you’d like.
1. There are three main credit reporting agencies (CRAs) in the U.S.: Equifax, Experian, and TransUnion. Innovis is also growing in size. The information about you in a credit report from any one of these CRAs is almost the same. You are entitled to one free credit report from each of the three main CRAs per year. Consider obtaining one report from each CRA once every four months. You can do that here: https://www.annualcreditreport.com/. Check it carefully for errors and accounts that aren’t yours.
2. Next, consider placing a credit freeze on your identity. You will also see this referenced as a security freeze. With a freeze in place, lenders need to obtain your permission before they can get a copy of your credit report, making it hard for identity thieves to open new accounts with your information. A credit freeze does not reduce your credit score, but will require you to lift the freeze when obtaining a mortgage, purchasing insurance, applying for a job, etc. You can learn more about the credit freeze process here: https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#what. Another good discussion is available here: http://consumersunion.org/research/consumers-unions-guide-to-security-freeze-protection/.
a. Freeze quick links
i. Equifax – 800-349-9960, https://freeze.equifax.com
ii. Experian – 888-397-3742, https://experian.com/freeze
iii. TransUnion – 888-909-8872, https://transunion.com/freeze
3. You can also place a fraud alert on your identity. It’s not as effective as a credit freeze, but does obligate a business to verify your identity before credit can be issued, although this process is far from perfect. More information on the types of fraud alerts and the process to put an alert in place is available here: https://www.consumer.ftc.gov/articles/0275-place-fraud-alert
4. Opt out of pre-approved credit offers that can be taken from the mail stream and used for fraud. Begin the process at www.optoutprescreen.com.
The question of whether or not to subscribe to a credit monitoring service, even a free one like Equifax is offering (for a year), comes down to personal choice. Despite the marketing hype, none of these services prevent identity theft. At best, credit monitoring services alert you after your identity is stolen. The steps above make it less likely that you will fall victim in the first place.
If you suspect you have been the victim of identity theft, a good response roadmap is available at https://identitytheft.gov/.
Hurricane Preparedness Checklist
As Hurricane Irma makes its way towards Florida and the Southeast U.S., now is the time to take action and be prepared to protect your computers, printers, files and data.
1. ENSURE YOU HAVE A BACKUP
- Don't wait until the day before a hurricane to back up your files! It's good practice to back up your data files frequently. We recommend a hybrid-cloud image-based backup that can be used to restore data and applications even if your server is destroyed, and that can restore data from different points in time.
- Print a copy of your important/emergency contacts and take them with you. If you do not have access to them from your phone or computer, you'll have them available to use via a landline.
- RealTime Clients: Everyone who is on our Business Continuity Service – Your servers are backed up and replicated offsite daily. If there is a problem, we correct that as part of the service. As hurricanes approach your physical location, we’ll be talking with you and confirm things are backed up and replicated prior to you shutting your operations down as part of your storm prep.
2. SECURE YOUR EQUIPMENT
- COMPUTERS
- Shutdown the operating system.
- If connected to a surge protector or UPS - unplug from the wall outlet (or unplug power cables from the surge protector or UPS if wall outlet isn't accessible).
- Unplug Ethernet cable from the back of computer or docking station.
- PRINTERS
- Power off the printer.
- If connected to a surge protector - unplug as described above.
- Unplug the Ethernet cable from the back of the printer.
- Unplug the phone cable from the back of the printer (if a fax line is connected).
- SERVERS AND NETWORK EQUIPMENT
- Perform a normal shutdown of the servers. RealTime clients: Please coordinate with RealTime service desk.
- Unplug all connections - Take photos to document how things were prior to the event.
- Firewalls, Switches, Access Points - unplug them from power. Unplug the firewall from the internet connection as well. Ideally, unplug all the network connections (surges can travel through the network cabling).
- Battery backups - power these off and then unplug them.
- Phone systems - Check with your vendor to see what steps you can take to protect it.
3. PROTECT FROM WATER/WIND
When a major storm is predicted, elevate your CPUs, printers, servers, and other network devices, as well as other electrical appliances like space heaters, off of the floor. For high winds, move computers away from windows. If there is a possibility of water leakage, cover computer equipment with plastic.
4. CONTINUING OPERATIONS AFTER THE STORM
- If you are in the path, power and internet connectivity may be hard to come by for a few days. Generators can provide enough power to run your critical computer equipment – just be sure you are connecting up to something that can deal with the power fluctuations many generators have. Please ask RealTime before connecting things up to generators as they can damage sensitive equipment. Modern battery backups may have the capability to condition the power off of a generator – check with the manufacturer to confirm before trying this.
- 4G USB modems or Mifi can get you connected in an emergency. Not everything you do will work, but basic web browsing should.
- Forward your phones – If the office is expected to be out a few days, most phone service providers have a way for you to forward calls to your business to a cell phone or alternate number. Get the steps now, before you need them.
5. BE PREPARED
Knowing what steps to take ahead of time will help you be prepared in the worst-case scenario. RealTime is committed to ensuring our clients are prepared with the proper technology to meet their current/future needs as well as advising them about safeguarding their business from weather-related, cyber and other disasters.
If you would like further information about RealTime managing Information Technology for your business, contact us at info@realtime-it.com.
TECHNOLOGY SCAMS IN YOUR MAILBOX
DID I FORGET TO PAY AN INVOICE?
To the unsuspecting, the above image looks like a legitimate invoice. You probably don’t remember signing up, but it’s just one of a hundred and ten things related to technology you probably don’t think about too often. This letter is designed to trick you into parting with some money, in this case, $228.00.
WHAT EXACTLY ARE THEY SELLING?
Just what they say, a website listing service. If you pay them, they will list your business on their own website. That’s it. This has no value for any business but theirs.
If you read this letter carefully, they do clearly state that you don’t have to do this, but most everything else is geared towards convincing you into sending them a check. We saw a rash of these misleading business practices a few years ago and just got wind of one today that we wanted to share as a reminder to be on your toes. I note that the wording has changed a bit since the last time I encountered this, probably due to lawsuits. It even says that this is a solicitation, something new for this year.
I logged onto the website, and while it is a legitimate website and business (albeit worthless), it is unfortunate that close to 10,000 businesses have fallen for this, which comes to close to 3 million dollars – I can see why this unsavory business is still around and still hunting suckers.
A WORD OF ADVICE
Our advice to our clients about any solicitation concerning their domain name, website, internet marketing, social media, computers, technology support, and the like: if you are not 100% sure it is legitimate, contact us before you commit to anything so that we can make sure someone isn’t trying to scam you.
*Some older versions even say that they are Accredited by the Better Business Bureau, but they aren’t.
A SNEAK PEEK INTO THE PROPOSED CHANGES TO MIPS 2018
Proposed Changes to MIPS for 2018
1. HERE’S A PEEK!
As they promised, back in October 2016, CMS is continuing to propose modifications to the Quality Payment Program (QPP) established by their Final Rule. You will recall that the QPP was authorized by Congress’s Medicare Access and CHIP Reauthorization Act (MACRA) of 2015. Last week, CMS released its Proposed Rule for the CY2018 updates to the QPP.
The Proposed Rule (https://www.federalregister.gov/documents/2017/06/30/2017-13010/medicare-program-cy-2018-updates-to-the-quality-payment-program) was issued on June 20, 2017; it’s a mere 1,058 pages long. Full disclosure: I have not read it in its entirety yet, but I have learned of a few highlights applicable to the MIPS track that I found quite interesting and wanted to share quickly with you. There is certainly a whole lot more to discuss, but here are a few tidbits that might interest you enough to cozy up later to that thousand-page document (or keep your eyes open for my next blog?).
2. ATTENTION SMALLER PRACTICES!
CMS is proposing to raise the low-volume threshold to exclude individual MIPS eligible clinicians or groups who bill $90,000 or less in Part B billing OR provide care for 200 or less Part B enrolled beneficiaries. This is a significant increase from the low-volume exclusion rates in 2017 which excluded practitioners/groups who billed $30,000 or less and saw 100 or less beneficiaries. This modification might significantly help small practices or providers who just don’t see that many Part B beneficiaries.
3. WANT TO AVOID COST PERFORMANCE HEADACHES?
Fingers crossed – you may avoid cost performance headaches for one more year entirely! CMS is proposing to retain the weighting of the cost performance category at 0% again for 2018. Originally, in the 2017 Final Rule, CMS said that in 2018, the cost performance category weight would increase to 10%, while the quality performance category weight reduced to 50%. In this 2018 proposal, they have reversed themselves. CMS does intend, however, to continue to report cost information to practitioners and groups so that these providers can learn as much as possible about how they are being scored and hopefully they will be able to work toward improvement in the following years.
CMS is proposing to allow multiple mechanisms for reporting within MIPS performance categories. In 2017, eligible clinicians can only use one mechanism (e.g. claims or data registry or EHR, etc.) within a performance category to report to CMS. In 2018, providers will be allowed to use more than one mechanism within a performance category. This might not sound like an exciting possible change, but I can see where it might be especially helpful in reporting quality performance measurements.
4. UPGRADING YOUR TECHNOLOGY COULD BE A VERY GOOD THING!
CMS is proposing to offer a bonus to practices that use 2015 CEHRT (certified electronic health record technology), instead of requiring its use, as previously expected. Our original expectation was that in the 2018 performance year, practitioners who reported under the advancing care information category would be required to use 2015 CEHRT; the proposal under consideration for 2018 is now to allow both 2014 CEHRT and 2015 CEHRT again, but also to offer a reward to practices that upgraded to the 2015 CEHRT for the entire performance period.
Speaking of performance periods, CMS is proposing a 12-month calendar year for the quality and cost performance categories. However, they are also proposing a 90-day performance period for advancing care information and improvement activities categories. This could be very helpful to practices as they continue to ramp up with EHR technology and learn what the improvement activities category is all about.
5. THERE IS STILL A 90 DAY OPTION IN 2018 FOR SOME CATEGORIES.
CMS is proposing a 15-point performance threshold in 2018 for eligible clinicians to avoid negative payment adjustments. In 2017, that performance threshold is 3 points. CMS has suggested a proposed range for discussion of 6 to 33 points. A practice could meet 15 points by only reporting the required improvement activities.
Another way a practitioner might meet this threshold would be to successfully report the advancing care information base score and submit only 1 additional quality measure that meets data completeness. There are many other possible combinations; my point is, though it would require more effort than the 3-point threshold we have in the 2017 performance period, in my opinion, a 15-point threshold would not require a significant increase in effort.
6. NOW IS YOUR CHANCE FOR INPUT...
You might notice that I have been constantly repeating “CMS is proposing….” This is because the recently published rule is only a proposed rule. We all now have 60 days (until August 21, 2017) to comment on what is being proposed (Yes, this means you!). If you want CMS to consider something other than what is in the proposed rule, now is your chance to tell them. If you think CMS is on the right track, and you like what they have proposed, you can tell them this also. Amazingly enough, CMS does collect every comment received through proper channels, AND they will summarize and respond to them later this year when they issue the FINAL regulations on the 2018 QPP program.
You must submit your comments in the following ways (FAX submission is NOT allowed):
- At Regulations.gov
- By regular mail
- By express or overnight mail
- By hand or courier
-------------------------------------------------------------------------
For more information, you can refer to pages 1-3 in the Proposed Rule. Here’s that link again to the Proposed Rule: https://www.federalregister.gov/documents/2017/06/30/2017-13010/medicare-program-cy-2018-updates-to-the-quality-payment-program
Or you can go to qpp.cms.gov. Or you can email me at etaylor@realtime-it.com, and I will help you.
There is obviously a lot more in the Proposed Rule than I have mentioned here. I will be reading this proposal and listening to the experts speak about it over the next days and weeks; I will pass along information as I learn it. In the meantime, let us know if we can help you!
Masked Email Targets CEO
It seems as if every week, sometimes every day, we hear about a data breach somewhere. I had an attempted breach hit really close to home just recently. Here’s what happened:
Our controller received an email that she had every reason to believe was from me. My email address was spelled properly and the extension was correct. Inside the email, the request was short and straightforward; the sender asked what information was needed to initiate a wire transfer and it was signed with my first name. The controller did note that there was no email signature as we sometimes use, but internally I don’t always include that on my emails to her.
She responded to the request and very shortly received a second email instructing her to proceed with the sizeable wire transfer. I was out of the office that day so she assumed that I was in a rush for the money. However, at the very last minute, as she thought about the wording in the email, she said that it “just didn’t sound like me.” The wording was too terse, too abrupt and there were no “please” or “thank you’s” as she and I usually include in our requests to one another. She picked up the phone and called me. The wire transfer was stopped.
The sender had masked his/her email address so that it appeared as an email from me. Had our recipient hovered over the address, she might have been able to see the actual sender’s address. In this case, however, this employee listening to that tiny voice in her mind saying that something wasn’t quite right is what saved the day. This is the level of vigilance we must all maintain to keep our environments safe.
When in doubt, no matter how small, check it out.
-Elaine Taylor, RealTime CEO
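The masking described in this post, where the address a reader sees is not the address that actually sent the mail, can also be checked from the message headers instead of relying on someone hovering over the sender. The Python sketch below is an added example, not part of the original post; it assumes the masking was done through the display name or a Reply-To header, and the function name, domains and sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Anything that looks like an e-mail address inside free text.
ADDR_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def masked_sender_findings(raw_message, internal_domain, executive_names):
    """Return reasons the sender a mail client displays may not be the real one."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = addr.rpartition("@")[2]
    findings = []

    # 1. An address typed into the display name is what the reader sees;
    #    the real address only shows on hover.
    for shown in ADDR_IN_TEXT.findall(display):
        if shown.lower() != addr:
            findings.append(f"display name shows {shown.lower()}, real sender is {addr}")

    # 2. An executive's name on mail that did not come from the company domain.
    if display.strip().lower() in executive_names and from_domain != internal_domain:
        findings.append(f"executive name '{display}' used by external sender {addr}")

    # 3. Replies would go to a different domain than the one that sent the mail.
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        reply_domain = reply.lower().rpartition("@")[2]
        if reply_domain and reply_domain != from_domain:
            findings.append(f"Reply-To {reply.lower()} is outside {from_domain}")

    return findings


# Constructed sample messages (hypothetical names and domains).
MASKED = (
    'From: "pat.doe@corp.example" <office@mail-relay.example>\n'
    "To: controller@corp.example\n"
    "Reply-To: pat.doe@inbox-fast.example\n"
    "Subject: Wire transfer\n\n"
    "What information do you need to initiate a wire transfer? Pat\n"
)
GENUINE = (
    'From: "Pat Doe" <pat.doe@corp.example>\n'
    "To: controller@corp.example\n"
    "Subject: Lunch\n\n"
    "Are we still on for noon? Thanks! Pat\n"
)

if __name__ == "__main__":
    for label, raw in (("masked", MASKED), ("genuine", GENUINE)):
        print(label, masked_sender_findings(raw, "corp.example", {"pat doe"}))
```

A check like this belongs at the mail gateway as a banner or quarantine rule; it complements, and does not replace, calling the requester back before money moves.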