Skip to Main Content

insightsarticles

Trusting privileged accounts in the age of data breaches

05.21.19

Who has the time or resources to keep tabs on everything that everyone in an organization does? No one. Therefore, you naturally need to trust (at least on a certain level) the actions and motives of various personnel. At the top of your “trust level” are privileged users—such as system and network administrators and developers—who keep vital systems, applications, and hardware up and running. Yet, according to the 2019 Centrify Privileged Access Management in the Modern Threatscape survey, 74% of data breaches occurred using privileged accounts. The survey also revealed that of the organizations responding:

  • 52% do not use password vaulting—password vaulting can help privileged users keep track of long, complex passwords for multiple accounts in an encrypted storage vault.
  • 65% still share the use of root and other privileged access—when the use of root accounts is required, users should invoke commands to inherent the privileges of the account (SUDO) without actually using the account. This ensures “who” used the account can be tracked.
  • Only 21% have implemented multi-factor authentication—the obvious benefit of multi-factor authentication is to enhance the security of authenticating users, but also in many sectors it is becoming a compliance requirement.
  • Only 47% have implemented complete auditing and monitoring—thorough auditing and monitoring is vital to securing privileged accounts.

So how does one even begin to trust privileged accounts in today’s environment? 

1. Start with an inventory

To best manage and monitor your privileged accounts, start by finding and cataloguing all assets (servers, applications, databases, network devices, etc.) within the organization. This will be beneficial in all areas of information security such as asset management, change control and software inventory tracking. Next, inventory all users of each asset and ensure that privileged user accounts:

  • Require privileges granted be based on roles and responsibilities
  • Require strong and complex passwords (exceeding those of normal users)
  • Have passwords that expire often (30 days recommended)
  • Implement multi-factor authentication
  • Are not shared with others and are not used for normal activity (the user of the privileged account should have a separate account for non-privileged or non-administrative activities)

If the account is only required for a service or application, disable the account’s ability to login from the server console and from across the network

2. Monitor—then monitor some more

The next step is to monitor the use of the identified privileged accounts. Enable event logging on all systems and aggregate to a log monitoring system or a Security Information and Event Management (SIEM) system that alerts in real time when privileged accounts are active. Configure the system to alert you when privileged accounts access sensitive data or alter database structure. Report any changes to device configurations, file structure, code, and executable programs. If these changes do not correlate to an approved change request, treat them as incidents and investigate.  

Consider software that analyzes user behavior and identifies deviations from normal activity. Privileged accounts that are accessing data or systems not part of their normal routine could be the indication of malicious activity or a database attack from a compromised privileged account. 

3. Secure the event logs

Finally, ensure that none of your privileged accounts have access to the logs being used for monitoring, nor have the ability to alter or delete those logs. In addition to real time monitoring and alerting, the log management system should have the ability to produce reports for periodic review by information security staff. The reports should also be archived for forensic purposes in the event of a breach or compromise.

Gain further assistance (and peace of mind) 

BerryDunn understands how privileged accounts should be monitored and audited. We can help your organization assess your current event management process and make recommendations if improvements are needed. Contact our team.

Related Industries

Related Professionals

Read this if your agency is planning to procure a services vendor.

In our previous article, we looked at three primary areas we, or a potential vendor, consider when responding to a request for services. In this follow-up, we look at additional factors that influence the decision-making process on whether a potential vendor decides to respond to a request for services.

  • Relationship with this state/entity―Is this a state or client that we have worked with before? Do we understand their business and their needs?

    A continuing relationship allows us to understand the client’s culture and enables us to perform effectively and efficiently. By establishing a good relationship, we can assure the client that we can perform the services as outlined and at a fair cost.
  • Terms and conditions, performance bonds, or service level agreements―Are any of these items unacceptable? If there are concerns, can we request exceptions or negotiate with the state?

    When we review a request for services our legal and executive teams assess the risk of agreeing to the state’s terms and compare them against our existing contract language. States might consider requesting vendors provide exceptions to terms and conditions in their bid response to open the door for negotiations. Not allowing exceptions can result in vendors assuming that all terms are non-negotiable and may limit the amount of vendor bid responses received or increase the cost of the proposal.

    The inclusion of well-defined service level agreements (SLAs) in requests for proposals (RFPs) can be an effective way to manage resulting contracts. However, SLAs with undefined or punitive performance standards, compliance calculations, and remedies can also cause a vendor to consider whether to submit a bid response.

    RFPs for states that require performance bonds may result in significantly fewer proposals submitted, as the cost of a performance bond may make the total cost of the project too high to be successfully completed. If not required by law that vendors obtain performance bonds, states may want to explore other effective contractual protections that are more impactful than performance bonds, such as SLAs, warranties, and acceptance criteria.
  • Mandatory requirements―Are we able to meet the mandatory requirements? Does the cost of meeting these requirements keep us in a competitive range?

    Understanding the dichotomy between mandatory requirements and terms and conditions can be challenging, because in essence, mandatory requirements are non-negotiable terms and conditions. A state may consider organizing mandatory requirements into categories (e.g., system requirements, project requirements, state and federal regulations). This can help potential vendors determine whether all of the mandatory requirements are truly non-negotiable. Typically, vendors are prepared to meet all regulatory requirements, but not necessarily all project requirements.
  • Onsite/offsite requirements―Can we meet the onsite/offsite requirements? Do we already have nearby resources available? Are any location requirements negotiable?

    Onsite/offsite requirements have a direct impact on the project cost. Factors include accessibility of the onsite location, frequency of required onsite participation, and what positions/roles are required to be onsite or local. These requirements can make the resource pool much smaller when RFPs require staff to be located in the state office or require full-time onsite presence. And as a result, we may decide not to respond to the RFP.

    If the state specifies an onsite presence for general positions (e.g., project managers and business analysts), but is more flexible on onsite requirements for technical niche roles, the state may receive more responses to their request for services and/or more qualified consultants.
  • Due date of the proposal―Do we have the available proposal staff and subject matter experts to complete a quality proposal in the time given?

    We consider several factors when looking at the due date, including scope, the amount of work necessary to complete a quality response, and the proposal’s due date. A proposal with a very short due date that requires significant work presents a challenge and may result in less quality responses received.
  • Vendor available staffing―Do we have qualified staff available for this project? Do we need to work with subcontractors to get a complete team?

    We evaluate when the work is scheduled to begin to ensure we have the ability to provide qualified staff and obtain agreements with subcontractors. Overly strict qualifications that narrow the pool of qualified staff can affect whether we are able to respond. A state might consider whether key staff really needs a specific certification or skill or, instead, the proven ability to do the required work.

    For example, technical staff may not have worked on this particular type of project, but on a similar one with easily transferable skills. We have several long-term relationships with our subcontractors and find they can be an integral part of the services we propose. If carefully managed and vetted, we feel subcontractors can be an added value for the states.
  • Required certifications (e.g., Project Management Professional® (PMP®), Cybersecurity and Infrastructure Security Agency (CISA) certification)―Does our staff have the required certifications that are needed to complete this project?

    Many projects requests require specific certifications. On a small project, maybe other certifications can help ensure that we have the skills required for a successful project. Smaller vendors, particularly, might not have PMP®-certified staff and so may be prohibited from proposing on a project that they could perform with high quality.
  • Project timeline―Is the timeline to complete the project reasonable and is our staff available during the timeframe needed for each position for the length of the project?

    A realistic and reasonable timeline is critical for the success of a project. This is a factor we consider as we identify any clear or potential risks. A qualified vendor will not provide a proposal response to an unrealistic project timeline, without requesting either to negotiate the contract or requesting a change order later in the project. If the timeline is unrealistic, the state also runs the risk that the vendor will create many change requests, leading to a higher cost.

Other things we consider when responding to a request for services include: is there a reasonable published budget, what are the minority/women-owned business (M/WBE) requirements, and are these new services that we are interested in and do they fit within our company's overall business objectives?

Every vendor may have their own checklist and/or process that they go through before making a decision to propose on new services. We are aware that states and their agencies want a wide-variety of high-quality responses from which to choose. Understanding the key areas that a proposer evaluates may help states provide requirements that lead to more high-quality and better value proposals. If you would like to learn more about our process, or have specific questions, please contact the Medicaid Consulting team.

Article
What vendors want: Other factors that influence vendors when considering responding to a request for services

Read this if your agency is planning to procure a services vendor. 

Every published request for services aims to acquire the highest-quality services for the best value. Requests may be as simple as an email to a qualified vendor list or as formal as a request for proposal (RFP) published on a state’s procurement website. However big or small the request, upon receiving it, we, or a potential vendor, triages it using the following primary criteria:

  1. Scope of services―Are these services or solutions we can provide? If we can’t provide the entire scope of services, do we have partners that can?
    As a potential responding vendor, we review the scope of services to see if it is clearly defined and provides enough detail to help us make a decision to pursue the proposal. Part of this review is to check if there are specific requests for products or solutions, and if the requests are for products or solutions that we provide or that we can easily procure to support the scope of work. 
  2. Qualifications―What are the requirements and can we meet them?
    We verify that we can supply proofs of concept to validate experience and qualification requirements. We check to see if the requirements and required services/solutions are clearly defined and we confirm that we have the proof of experience to show the client. Strict or inflexible requirements may mean a new vendor is unable to propose new and innovative services and may not be the right fit.
  3. Value―Is this a service request that we can add value to? Will it provide fair compensation?
    We look to see if we can perform the services or provide the solution at a rate that meets the client’s budget. Sometimes, depending upon the scope of services, we can provide services at a rate typically lower than our competitors. Or, conversely, though we can perform the scope of services, the software/hardware we would have to purchase might make our cost lower in value to the client than a well-positioned competitor.

An answer of “no” on any of the above questions typically means that we will pass on responding to the opportunity. 

The above questions are primary considerations. There are other factors when we consider an opportunity, such as where the work is located in comparison to our available resources and if there is an incumbent vendor with a solid and successful history. We will consider these and other factors in our next article. If you would like to learn more about our process, or have specific questions, please contact the Medicaid Consulting team.
 

Article
What vendors want: Vendor decision process in answering requests for services

Read this if you are a bank with over $1 billion in assets.

It’s no secret COVID-19 has had a substantial impact on the economy. As unemployment soared and the economy teetered on the edge of collapse, unprecedented government stimulus attempted to stymie the COVID-19 tidal wave. One tool used by the government was the creation of the Paycheck Protection Program (PPP). Part of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, the PPP initially authorized the lending of $349 billion to encourage businesses to keep workers employed and cover certain operating expenses during the coronavirus pandemic. The PPP was then extended through August 8, 2020 with an additional $310 billion authorized.

Many financial institutions scrambled to free up resources and implement processes to handle the processing of PPP loan applications. However, such underwriting poses unique challenges for financial institutions. PPP loans are 100% guaranteed by the US Small Business Administration (SBA) if the borrowers meet certain criteria. Establishing appropriate controls over the loan approval and underwriting process is more a matter of ensuring compliance with the PPP, rather than ensuring the borrower can repay their loan.

Federal Deposit Insurance Corporation Improvement Act of 1991 compliance 

Banks with total assets over $1 billion as of the beginning of their fiscal year must comply with the Federal Deposit Insurance Corporation Improvement Act of 1991 (FDICIA). Amongst other things, FDICIA requires management perform an assessment and provide a resulting attestation on the operating effectiveness of the bank’s internal controls over financial reporting (ICFR) as of the bank’s fiscal year-end. Although this attestation is as of year-end, management must perform testing of the bank’s ICFR throughout the bank’s fiscal year to obtain sufficient evidence regarding the operating effectiveness of ICFR as of year-end. Key controls over various transaction cycles are typically housed in a matrix, making it easy for management and other users, such as independent auditors, to review a bank’s key ICFR. 

Internal control documentation

If the process for originating PPP loans is different from the bank’s process for traditional loan products, it’s likely the internal controls surrounding this process is also different. Given that $659 billion in PPP loans have been granted to date, it is possible PPP loans may be material to individual banks’ balance sheets. If PPP loans are material to your bank’s balance sheet, you should consider the controls that were put in place. If the controls are deemed to be different from those already documented for other types of loans, you should document such controls as new controls in your FDICIA matrix and test accordingly.

As noted earlier, the risks a financial institution faces with PPP loans are likely different from traditional underwriting. If these unique risks could impact amounts reported in the financial statements, it’s smart to address them through the development of internal controls. Banks should assess their individual situations to identify any risks that may have not previously existed. For instance, given the volume of PPP loans originated in such a short period of time, quality control processes may have been stretched to their limits. The result could be PPP loans inaccurately set up in the loan accounting system or loan files missing key information. Depending on the segregation of duties, the risk could even be the creation of fictitious PPP loans. A detective internal control that could address inaccurate loan setup would be to scan a list of PPP loans for payment terms, maturity dates, or interest rates that appear to be outliers. Given the relatively uniform terms for PPP loans, any anomalies should be easily identifiable. 

Paycheck Protection Program loan fees

Aside from internal controls surrounding the origination of PPP loans, banks may also need to consider documenting internal controls surrounding PPP loan fees received by the SBA. Although the accounting for such fees is not unique, given the potential materiality to the income statement, documenting such a control, even if it is merely addressing the fees in an already existing control, exhibits that management has considered the impact PPP loan fees may have on their ICFR. 

The level of risk associated with PPP loan fees may differ from institution to institution. For instance, a bank that is calculating its PPP loan fees manually rather than relying on the loan accounting system to record and subsequently recognize income on these fees, inherently has more risk. This additional level of risk will need to be addressed in the development and documentation of internal controls. In this example, a periodic recalculation of PPP loan fees on a sample basis, including income recognition, may prove to be a sufficient internal control.

With the calendar year-end fast approaching, it is time to take a hard look at those FDICIA matrices, if you haven’t already done so:

  • Consider what has changed at your bank during the fiscal year and how those changes have impacted the design and operation of your internal controls. 
  • Ensure that what is happening in practice agrees to what is documented within your FDICIA matrix. 
  • Ensure that new activities, such as the origination of PPP loans, are adequately documented in your FDICIA matrix. 

With Congress considering another round of PPP loans, there is no time like the present to make sure your bank is ready from an ICFR perspective. If you have questions about your specific situation, or would like more information, please contact the FDICIA compliance team

Article
Do your FDICIA controls "CARES" about the Paycheck Protection Program?

Read this if you are a member of a State Medicaid Agency’s leadership team.

Monday’s NESCSO-hosted conversation was a breath of fresh air in our COVID-19 work-from-home experience. Seeing familiar faces presenting from their home offices reminded me that, yes, we are truly all in this together—working remotely, and focused on how best to foster an efficient and effective Medicaid program for our state clients and members. Over the past several years I have written a “Reflections” blog, summarizing the week-long MESC event while flying home. Today, I am posting my reflections on the first forum NESCSO sponsored in lieu of their August conference that was cancelled this year due to the global pandemic. Following are my major takeaways.

The main speakers were Karen Shields, Deputy Director from the Center for Medicaid and CHIP Services, and Julie Boughn, Director, Data Systems Group also for the Center for Medicaid and CHIP Services. There were several other guests that joined in this two-hour forum, some from the Data Systems Group, and some from the states.

Crisis as a learning tool

Karen Shields reinforced that we will be better and stronger as a result of the crisis that faces us, and encourages us to use the current crisis as a learning tool. She stressed the importance of how we are leveraging our creativity and innovation to keep moving forward. She said to start with the end in mind, be a team player, and keep in mind these three important points of focus for CMS:

  1. Share what works, share what doesn’t. Prioritize.
  2. Systems development needs to be agile. Partnership is critical. States needs to be “elbow deep” with others. Everyone is allowed to speak. 
  3. Re-usability is key! Push back on those who say we cannot reuse.

During the Q&A session, Karen discussed how to maintain consistency by turning to action and using lessons learned. Resist the urge to “fall back.” Let’s keep moving forward. She underscored how they will continue the all-state calls as there are lots of topics and conversations needed to explore deficits of need. 

Support systems and policies

Julie Boughn opened by stressing what an important layer of support systems provide policies. She said COVID is not a system issue—the systems supporting the approach to address the virus are working and a big part of contributing to helping alleviate the issues the pandemic presents. She noted an appropriate quip that “Without systems, policies are just interesting ideas on pieces of paper.”

She underscored that healthcare and all that goes with supporting it is never static. The Medicaid arena is in a world of increasing change, requiring the supporting systems to adapt to make payments correctly and facilitate the provision of benefits to the right people. CMS has been focused on, and continues to bring our focus to outcomes, especially in the IT investments being made. Promote sharing and re-use of those investments.

During the Q&A, Julie reinforced the priority on outcomes and spoke to outcomes-based certification (OBC). There was a question on “What happens to modularity in the context of OBC?” She said that they are completely compatible and naturally modular, and to think about how a house can be built but not be completely done. Build the house in chunks of work, and know what you’re achieving with each “chunk”. Outcomes are behind everything we do.

Engage with your federal partners

In the next presentation, CMS modeled a dialogue that demonstrated how states can engage with their federal partners. CMS wants to continue changing the relationship they have with states. They also reminded the audience of what CMS is looking for; as Ed Dolly, the Director for the Division of State Systems within the Data and Systems Group said during the conversation, “Do you understand the problem trying to be solved?” Define your final outcome, and understand that incremental change drives value. In addition to communicating the problem, focus on speed of delivery (timeliness), and engage in back and forth exchange on what best measures can be used, as well as the abilities to capture the measures to report progress. The bottom line?  “When in doubt, reach out!”

The remainder of the forum featured representatives from the State System Technology Advisory Group (S-TAG), Private Sector Technology Group (PSTG), and Human Services Information Technology IT Advisory Group (HSITAG). They discussed a variety of IT topics.

Technology outlook

The S-TAG had representation from an impressive list of states—West Virginia, Washington, Wyoming, Vermont, and Massachusetts. They spoke to how they envision their technology response to changes in policy now and in the next 12-18 months. There was too much to present here, and I recommend reviewing the recording once NESCSO posts it. Initiatives included: Provider enrollment, electronic asset verification, electronic visit verification, integrated eligibility systems, modularity implementations, migration to the cloud, pharmacy systems, system integrator, certification, strategic planning, electronic data interchange upgrades, payment reform, road map activities, case management, care management, T-MSIS, and HITECH.

HSITAG spoke about the view across the health and human services spectrum—Where are we today? Where will we be tomorrow? COVID has tested our IT infrastructure and policy. Is there an ability to quickly scale up? Weaknesses in interoperability became exposed and while it seemed Medicaid was spared in the headlines, the need to modernize is now much more apparent. Modularity showed its value in more timely implementations. There is concern over an upcoming increase in the Medicaid population. Are we equipped for the short term?

For the long-run, where we will be “tomorrow” in the 12-18 month view, there will be a bigger dependency on the interrelations between all programs. Medicaid Enterprise Systems can and should look at whole systems, focusing on social determinants of health. Data and program integrity will be key, as the increased potential of fraud in the midst of challenging state budgets. We will need to respond quickly with limited resources.

Keep relationships strong

PSTG spoke of how when COVID hit, it caused them, like the rest of us, to modify their goals. They spoke about relationships and the importance of maintaining them with clients and colleagues, questions of productivity, what things that we have learned will we carry into the post-pandemic era, will we remain flexible, and how will we “unwind” all the related changes that will not be carried forward. Looking forward, PSTG wants to support the growing of the outcomes-based culture, evolve the state self-assessment (currently an active workgroup), and how to be less prescriptive to allow for more flexibility on “how” vendors get to solutions.

I was grateful to be able to join this event, and hear that we are in this together—we will get through it and we will keep moving forward. I felt this was a good start to what I hope will be the first of many MESC 2020 forums. The session felt like it ended too quickly even though we covered a lot of ground. I am excited about the thought of hearing about new ideas, improving our understanding of upcoming changes CMS is sponsoring, and engaging in the innovative thought that will keep us moving toward a better tomorrow. Thanks to NESCSO for sponsoring this event and bringing us together.

Please contact our Medicaid Consulting team for more information on if you have any questions.

Article
MESC 2020: Where we are today and where we will be tomorrow

Read this if you are a Maine business or organization that has been affected by COVID-19. 

The State of Maine has released a $200 million Maine Economic Recovery Grant Program for companies and organizations affected by the COVID-19 pandemic. Here is a brief outline of the program from the state, and a list of eligibility requirements. 

“The State of Maine plans to use CARES Act relief funding to help our economy recover from the impacts of the global pandemic by supporting Maine-based businesses and non-profit organizations through an Economic Recovery Grant Program. The funding originates from the federal Coronavirus Relief Fund and will be awarded in the form of grants to directly alleviate the disruption of operations suffered by Maine’s small businesses and non-profits as a result of the COVID-19 pandemic. The Maine Department of Economic & Community Development has been working closely with affected Maine organizations since the beginning of this crisis and has gathered feedback from all sectors on the current challenges.”

Eligibility requirements for the program from the state

To qualify for a Maine Economic Recovery Grant your business/organization must: 

  • Demonstrate a need for financial relief based on lost revenues minus expenses incurred since March 1, 2020 due to COVID-19 impacts or related public health response; 
  • Employ a combined total of 50 or fewer employees and contract employees;
  • Have significant operations in Maine (business/organization headquartered in Maine or have a minimum of 50% of employees and contract employees based in Maine); 
  • Have been in operation for at least one year before August 1, 2020; 
  • Be in good standing with the Maine Department of Labor; 
  • Be current and in good standing with all Maine state payroll taxes, sales taxes, and state income taxes (as applicable) through July 31, 2020;
  • Not be in bankruptcy; 
  • Not have permanently ceased all operations; 
  • Be in consistent compliance and not be under any current or past enforcement action with COVID-19 Prevention Checklist Requirements; and 
  • Be a for-profit business or non-profit organization, except
    • Professional services 
    • 501(c)(4), 501(c)(6) organizations that lobby 
    • K-12 schools, including charter, public and private
    • Municipalities, municipal subdivisions, and other government agencies 
    • Assisted living and retirement communities 
    • Nursing homes
    • Foundations and charitable trusts 
    • Trade associations 
    • Credit unions
    • Insurance trusts
    • Scholarship funds and programs 
    • Gambling 
    • Adult entertainment 
    • Country clubs, golf clubs, other private clubs 
    • Cemetery trusts and associations 
    • Fraternal orders 
    • Hospitals, nursing facilities, institutions of higher education, and child care organizations (Alternate funding available through the Department of Education and Department of Health and Human Services for hospitals, nursing facilities, child care organizations, and institutions of higher education.)

For more information

If you feel you qualify, you can find more details and the application here. If you have questions about your eligibility, please contact us. We’re here to help. 

Article
$200 Million Maine Economic Recovery Grant Program released

Read this if your company is seeking assistance under the PPP.

The rules surrounding PPP continue to rapidly evolve. As of June 22, 2020, we are anticipating some additional clarifications in the form of an interim final rule (or IFR) and additional answers to frequently asked questions (FAQ). The FAQs were last updated on May 27, 2020. For the latest information, please be sure to check our website or the Treasury website.

A few important changes:

  1. The loan forgiveness application, and instructions, have been updated.
  2. There is a new EZ form, designed to streamline the forgiveness process, if borrowers meet certain criteria.
  3. Changes now allow for businesses to use 60% of the PPP loan proceeds on payroll costs, down from 75%.
  4. Businesses now have 24 weeks to use the loan proceeds, rather than the original eight-week period (or by December 31, 2020, whichever comes earlier).
  5. The rules around what is a full-time equivalent (FTE) employee and the safe harbors with respect to employment levels and forgiveness have been clarified.
  6. Entities can defer payroll taxes through the ERC program, even if forgiveness is granted.

These changes are designed to make it easier to qualify for loan forgiveness. In the event you do not qualify for loan forgiveness, you may be able to extend the loan to five years, as opposed to the original two years.

The relaxation on FTE reductions is significant. The reductions will NOT count against you when calculating forgiveness, even if you haven’t restored the same employment level, if you can document that:

  • you offered employment to people and they refused to come back, or
  • HHS, CDC, OSHA or other government intervention causes an inability to “return to the same level of business activity” as of 2/15/2020.

As of June 20, 2020, there was still an additional $128 billion in available funds. The program is intended to fund new loans through June 30, 2020. 

We’re here to help.
If you have questions about the PPP, contact a BerryDunn professional.

Article
PPP loan forgiveness: Updates

Read this if you are a leader at a state Medicaid agency, Long-Term Care Hospital, Rural Health Clinic, Federally Qualified Health Center, or intermediate care facility.

The new fact sheet from CMS provides state and local governments that may be developing alternate care sites with information on how to receive payments for acute inpatient and outpatient care through federal programs, including Medicare, Medicaid, and the Children’s Health Insurance Program (CHIP).

CMS notes that it is easiest for an existing enrolled hospital or health system to obtain payments through CMS programs for covered health care services furnished at the ACS by treating the ACS as a short-term extension of their current ‘brick-and-mortar’ facilities. 

State and local governments that want to build a hospital ACS have three options if they wish to be paid by CMS for providing covered hospital inpatient and outpatient services:

  1. Transfer operation and billing for care delivered in the ACS to a hospital or health system which is enrolled
  2. Enroll the ACS as a new hospital in CMS programs
  3. As an alternative, instead of making facility payments, enrolled physicians or other non-physician practitioners may bill for covered services that they furnish at the ACS

CMS guidance to states on implementing the optional COVID-19 testing group 

CMS has provided new guidance to states who may be planning to implement the Optional COVID-19 Testing Group, which was established by the Families First Coronavirus Response Act (FFCRA) for uninsured individuals in order to furnish COVID-19 testing and associated services.

  • The guidance from CMS outlines the different requirements connected with implementing the uninsured group, inclusive of eligibility and enrollment, data reporting, and claims. 
  • The guidance also describes flexibilities available to help states achieve implementation of the new group and strategies to meet related requirements. 
  • For more information related to the eligibility requirements and the Federal Medical Assistance Percentage (FMAP) available for coverage, states can also refer to Section B of the FFCRA and Coronavirus Aid, Relief, and Economic Security (CARES) Act Frequently Asked Questions (FAQs) posted April 13, 2020.

CMS announces enhanced enforcement actions based on nursing home COVID-19 data and inspection results

Earlier in the month of June, CMS released new guidelines related to enforcement for nursing homes who may have violations of infection control practices.

  • CMS intends to apportion $80 million in CARES Act funding to states in order to increase infection control surveys. With CARES Act funding, states will be required to carry out on-site surveys of nursing homes with previous COVID-19 outbreaks, in addition to nursing homes with newly confirmed cases.
  • CMS will make technical assistance available in support of this effort through Quality Improvement Organizations (QIOs) for nursing homes to assist in establishing best practices for infection control.
  • States are required to submit 100% of focused surveys of their nursing homes to CMS by July 31, 2020. It should be noted that submission delays may result in reductions to a state’s Cares Act allocation for FFY 2021.

HHS announces 45-day compliance deadline extension for providers

On May 22, The Department of Health and Human Service (HHS) announced a 45-day extension to the deadline for providers who are receiving payments from the Provider Relief Fund to accept the necessary terms and conditions of the payments.

  • Should providers wish to keep funds—which may have been automatically dispersed—they must agree to the terms and conditions of the Provider Relief Fund.
  • In order to support impacted facilities there is $50 billion in available COVID-19 relief funding for distribution to providers that bill for Medicare beneficiaries.
  • The announcement from HHS gives providers 90 days from the original receipt date of a payment to accept the terms and conditions.  Alternatively, providers may choose to return the funds.

HHS announces $4.9 billion distribution to nursing facilities impacted by COVID-19

HHS has announced it has begun the distribution of additional relief funds to Skilled Nursing Facilities (SNFs) in order to address ongoing needs related to COVID-19. Such needs include labor, improving testing capacity, and obtaining personal protective equipment as well as additional expenses specifically linked to the COVID-19 pandemic.

  • HHS intends to make the fund distributions to SNFs on both a fixed and variable basis. 
  • Each eligible SNF will receive a fixed dissemination of $50,000 in addition to an allotment of $2,500 per bed. All certified SNFs with six or more certified beds will be eligible for this distribution.
  • Recipients of these funds must attest that they will use Provider Relief Fund payments for allowed purposes under the terms and conditions as well as agree to comply with future audit and reporting requirements.

We’re here to help. If you have more questions or want to have an in-depth conversation about your specific situation, please contact the Medicaid consulting team

Article
CMS releases new guidance on Alternate Care Sites, the optional COVID-19 testing group, and more

Read this if you are a CIO, CFO, Provost, or President at a higher education institution.

In my conversations with CIO friends over the past weeks, it is obvious that the COVID-19 pandemic has forced a lot of change for institutions. Information technology is the underlying foundation for supporting much of this change, and as such, IT leaders face a variety of new demands now and into the future. Here are important considerations going forward.

Swift impact to IT and rapid response

The COVID-19 pandemic has had a significant impact on higher education. At the onset of this pandemic, institutions found themselves quickly pivoting to work from home (WFH), moving to remote campus operations, remote instruction within a few weeks, and in some cases, a few days. Most CIOs I spoke with indicated that they were prepared, to some extent, thanks to Cloud services and online class offerings already in place—it was mostly a matter of scaling the services across the entire campus and being prepared for returning students and faculty on the heels of an extended spring break.

Services that were not in place required creative and rapid deployment to meet the new demand. For example, one CIO mentioned the capability to have staff accept calls from home. The need for softphones to accommodate student service and helpdesk calls at staff homes required rapid purchase, deployment, and training.

Most institutions have laptop loan programs in place but not scaled to the size needed during this pandemic. Students who choose to attend college on campus are now forced to attend school from home and may not have the technology they need. The need for laptop loans increased significantly. Some institutions purchased and shipped laptops directly to students’ homes. 

CIO insights about people

CIOs shared seeing positive outcomes with their staff. Almost all of the CIOs I spoke with mentioned how the pandemic has spawned creativity and problem solving across their organizations. In some cases, past staffing challenges were put on hold as managers and staff have stepped up and engaged constructively. Some other positive changes shared by CIOs:

  • Communication has improved—a more intentional exchange, a greater sense of urgency, and problem solving have created opportunities for staff to get engaged during video calls.
  • Teams focusing on high priority initiatives and fewer projects have yielded successful results. 
  • People feel a stronger connection with each other because they are uniting behind a common purpose.

Perhaps this has reduced the noise that most staff seem to hear daily about competing priorities and incoming requests that seem to never end.

Key considerations and a framework for IT leaders 

It is too early to fully understand the impact on IT during this phase of the pandemic. However, we are beginning to see budgetary concerns that will impact all institutions in some way. As campuses work to get their budgets settled, cuts could affect most departments—IT included. In light of the increased demand for technology, cuts could be less than anticipated to help ensure critical services and support are uninterrupted. Other future impacts to IT will likely include:

  • Support for a longer term WFH model and hybrid options
  • Opportunities for greater efficiencies and possible collaborative agreements between institutions to reduce costs
  • Increased budgets for online services, licenses, and technologies
  • Need for remote helpdesk support, library services, and staffing
  • Increased training needs for collaborative and instructional software
  • Increased need for change management to help support and engage staff in the new ways of providing services and support
  • Re-evaluation of organizational structure and roles to right-size and refocus positions in a more virtual environment
  • Security and risk management implications with remote workers
    • Accessibility to systems and classes 

IT leaders should examine these potential changes over the next three to nine months using a phased approach. The diagram below describes two phases of impact and areas of focus for consideration. 

Higher Education IT Leadership Phases

As IT leaders continue to support their institutions through these phases, focusing on meeting the needs of faculty, staff, and students will be key in the success of their institutions. Over time, as IT leaders move from surviving to thriving, they will have opportunities to be strategic and create new ways of supporting teaching and learning. While it remains to be seen what the future holds, change is here. 

How prepared are you to support your institution? 

If we can help you navigate through these phases, have perspective to share, or any questions, please contact us. We’re here to help.

Article
COVID-19: Key considerations for IT leaders in Higher Ed