2017 MA & PDP Spring Conference & Webcast will be held on Wednesday, May 10, 2017 from 9:30 AM – 4:30 PM EDT. Register here.
The PDP Audit & Enforcement Conference & Webcast event will be held on Thursday, May 11, 2017 from 9:30 AM – 4:30 PM EDT. In-person registration closes Monday, April 24, 2017 at 6pm EST. Register here.
2017 Data Validation Training for Contractors is now available. Registration information: Go to the MLN Learning Management System (LMS), click on “Create Account,” enter information for all the required fields (marked with red asterisks), and click “Create.” See the March 22, 2017 HPMS memo for additional information.
CY2017 Part C Reporting Requirements
On March 22, 2017 CMS released the CY2017 Part C Reporting Requirements and Technical Specifications. Please note that two sections have been suspended, Sponsor Oversight of Agents and Private Fee-For-Service (PFFS) Plan Enrollment Verification Calls. These documents are posted on the HPMS Plan Reporting site and on the external CMS website.
CY2017 Part D
On March 22, 2017 CMS released updated CY2017 Part D Reporting Requirements Technical Specifications. Please note the Enrollment and Disenrollment section was revised to reflect the four new data elements (Elements 1.P. through 1.S.) that apply only to MA organizations approved by CMS to offer seamless conversion enrollment.
These documents are posted on the HPMS Plan Reporting site and on the external CMS website.
Complaints Tracking Module (CTM) Redesign Plan User Guide
In conjunction with the March 18, 2017 release of the redesigned CTM within HPMS, CMS has updated the Plan User Guide to assist users in preparing for the module’s release. The Complaints Tracking Module User Manual provides Medicare Advantage, Cost, PACE, Demonstration, and Prescription Drug Plan Organizations with step-by-step instructions on how to manage complaints received on behalf of beneficiaries and providers. The instructions address how to access, view, search for, download, upload, and resolve complaints; document actions on complaints; request or view Centers for Medicare & Medicaid Services (CMS) action on complaints; view reports; and access specific documentation and files. The Plan User Guide is attached to the March 14, 2017 HPMS email.
Civil Money Penalty Enforcement Actions for 2016 Program Audits
On March 1, 2017, the Centers for Medicare and Medicaid Services (CMS) released its list of plan audit results for Part C and Part D Sponsor violations found during the 2016 Program Audit. CMS also posted a series of Civil Monetary Penalty (CMP) letters on its website. Of the 37 plans audited in 2016, 17 received CMPs totaling $7.3 million. High-level findings included:
- Misclassification of cases
- Timeliness of medical and drug prior authorizations and appeals
- Improper dismissal of requests
- Quality of care grievances
- Formulary administration
- Transition policy
- Denial rationale and audit rights
- Hold harmless
See our March 13, 2017 blog Civil Monetary Penalties Continue at CMS for Medicare Advantage Plans that summarizes the findings.
Insider Threats Are a Fact of Life and Are Not Going Away.
The continuous headlines of data breaches and leaks caused by insiders, in both the private and public sectors, start to feel like a broken record. Combatting insider threats is one of the greatest cyber challenges facing organizations today. They are stuck between a rock and a hard place: they need to give people access to valued information and systems to do business, but doing so leaves the organization vulnerable to a potential compromise if any one of those people missteps. Access implies an inherent level of trust between employer and employee, or client and vendor. The written or unwritten contract between the parties is that access is being provided for the individuals to do their jobs, and they in turn will not use it for anything outside those boundaries. It is also explicitly stated or implied that the employee or contractor will not intentionally or negligently expose critical assets, which would elevate the risk of loss.
It takes time and effort to minimize exposure to insider threats. Here are some tips to make the process a bit easier and more efficient:
- Create well-defined, concise policies and procedures that govern access, user responsibilities and what to do if an incident occurs.
- Create a culture that embraces cyber security by (over) communicating and highlighting the importance of security at every possible opportunity. We all know the “if you see something, say something” mantra, because we’ve seen it and heard it repeatedly. The same principle applies for corporate environments.
- Provide security awareness education for all users that is relatively short and targeted based on policy violations.
- Build cyber security into business processes. Many of us consider cyber security when building applications, but often overlook how our employees and contractors are doing their jobs. Incorporate cyber security into everyday business processes for all parties who interact with your valuable assets to reduce non-malicious but risky behavior.
- Actively manage access, especially privileged access. The access provided to users is the attack surface that insiders (and bad actors when compromised) go after to do damage. Minimize access to valued assets for those individuals to the least privileges required and closely manage privileged accounts. Access control management is not a one-time task. It needs to be reviewed and reduced regularly, based on changes in the organization and in people’s roles.
- Know your crown jewels and mission critical systems. Managing the attack surface, including user access and vulnerabilities in general, is even more critical when it comes to your most important assets. However, before you can take extra measures to protect these very important corporate assets, you need to know what they are and where they reside.
- Implement active and passive controls that block sensitive data from leaving the organization and monitor user behavior to identify anomalies. Anomaly detection is the only way to identify when a user, who is not necessarily setting off any policy alarms, is doing something unusual and is therefore a risk. However, anomaly detection alone is not enough. To prioritize the most critical threats and minimize false positives, correlate behavioral analytics with other elements of risk including associated vulnerabilities that could enable the threat to succeed, financial or mission impact to the organization if the asset were compromised, and asset value. Also, have the application owners who govern the assets under attack weigh in on whether unusual activity is in fact business justified. Pay extra attention to higher risk populations like third parties.
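
The correlation described in the last tip can be sketched as a small scoring routine. This is an added example, not from the cited article: the field names, weights, third-party uplift and sample alerts are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Asset:
    value: float    # asset value, 0..1
    impact: float   # financial or mission impact if compromised, 0..1
    vuln: float     # exposure from associated vulnerabilities, 0..1

@dataclass
class Alert:
    user: str
    asset: str
    anomaly: float                    # behavioral anomaly score, 0..1
    third_party: bool = False         # higher-risk population
    justified: Optional[bool] = None  # application owner's verdict; None = not reviewed

# Constructed sample data, not from any real environment.
ASSETS = {
    "wiki": Asset(value=0.1, impact=0.1, vuln=0.2),
    "claims-db": Asset(value=1.0, impact=0.9, vuln=0.8),
}
ALERTS = [
    Alert("alice", "wiki", anomaly=0.9),
    Alert("bob", "claims-db", anomaly=0.6),
    Alert("vendor-svc", "claims-db", anomaly=0.5, third_party=True),
    Alert("carol", "claims-db", anomaly=0.8, justified=True),
]

def risk_score(alert: Alert, asset: Asset) -> float:
    # Likelihood: unusual behavior matters more when a vulnerability could let it succeed.
    likelihood = alert.anomaly * (0.5 + 0.5 * asset.vuln)
    # Consequence: blend of asset value and business impact (assumed equal weights).
    consequence = 0.5 * asset.value + 0.5 * asset.impact
    score = likelihood * consequence
    if alert.third_party:
        score = min(1.0, score * 1.25)  # assumed uplift for third parties
    if alert.justified:
        score *= 0.1                    # owner confirmed business need: downrank, keep visible
    return round(score, 4)

def prioritize(alerts, assets):
    """Return (score, user) pairs, highest risk first."""
    scored = [(risk_score(a, assets[a.asset]), a.user) for a in alerts]
    return sorted(scored, reverse=True)

if __name__ == "__main__":
    for score, user in prioritize(ALERTS, ASSETS):
        print(f"{score:.4f}  {user}")
```

With this sample data the alert with the highest raw anomaly score (alice, on a low-value asset) ranks last, while the third-party account on the critical database ranks first.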
Insider threats are a fact of life and are not going away. Careless users, who create most of the noise in detection tools, all too often don’t have the education or the means to securely do their jobs. Malicious insiders and compromised accounts can be tricky to identify and stop because they often get lost in the noise. However, with the right cyber hygiene up front in addition to tools and processes utilized on an ongoing basis, the impact of insider threats can be greatly reduced and mitigated.
Grossman, Steven (2017, March 30). “How to Improve Your Chances of Staying Out of the Insider Threat Headlines” Retrieved from http://www.securityweek.com/how-improve-your-chances-staying-out-insider-threat-headlines (accessed March 30, 2017)