Need to step up your cyber security monitoring? TMLT and eSentire can help

by John Southrey, CIC, CRM

Director, Product Development and Consulting Services

For physicians or groups who want a higher level of cyber security monitoring, TMLT is now partnering with eSentire to offer 24-hour live monitoring of your computer network.

eSentire offers Managed Detection and Response (MDR) to shield your confidential information against cyber attacks. With MDR, security analysts monitor your network for suspicious behavior, allowing for rapid intrusion detection and response. Having this level of threat detection and incident response allows for immediate intervention before the attacker has accessed or copied exploitable data. Essentially, MDR acts as an intelligent circuit breaker in real time.

Health care organizations are increasingly the target of cyber attacks, and cyber criminals use a spectrum of attack vectors — ransomware, socially engineered phishing attacks, and malware invasions — to access networks.

Other sophisticated attacks exploit security holes in software that are still unknown to the software vendor, so no patch exists yet. These “zero-day attacks” can go undetected by traditional data security tools and are carried out before the vendor becomes aware of them. Timely detection and response to these attacks is critical.

Microsoft’s Windows operating system was recently subjected to a “zero-day” attack. On November 2, 2016, Microsoft announced it was releasing a software patch to address vulnerabilities found in Windows. These vulnerabilities were exploited by a hacking group reportedly linked to the Russian government, which used socially engineered emails to gain access to the computer networks of U.S. government agencies and military organizations. (1)

Because many health care organizations may take a “wait and see” approach to data security, they may not recognize when they have been breached. Often, it can take up to several weeks to detect and respond to incidents. (2)

Services such as MDR can mitigate the effects of “zero day” and other cyber breaches, thereby narrowing the window of opportunity for an attacker and detecting data breaches before they spiral out of control.

Learn more about MDR

Please contact the TMLT PDCS team to learn more about eSentire and their services for physicians.


  1. Molina B, Weise E. Microsoft to block Windows flaw used by Russian hackers. USA Today. November 2, 2016. Available at Accessed December 5, 2016.
  2. In a survey of 223 US-based health care executives conducted by KPMG, only 13% reported tracking known cyber security attacks daily. Additionally, 25% stated they do not have or do not know their capabilities, in real-time, if their organization’s systems are being compromised. KPMG. Health Care and Cyber Security — Increasing Threats Require Increased Capabilities. 2015. Available at Accessed December 8, 2016.

Additional reading

  1. AV Test. Malware. Available at Accessed December 8, 2016.
  2. Security risk assessment. Available at Accessed December 8, 2016.
  3. Armor. A Guide to HIPAA compliance & risk management: A Proactive Approach To Data Security. Available at Accessed December 8, 2016.


Risk alert and closed claim study — Wernicke’s encephalopathy after bariatric surgery

The TMLT claims and risk management departments have seen an alarming increase in the number of claims filed related to Wernicke’s encephalopathy (WE) following bariatric surgery.

These claims involve allegations of failure to monitor thiamine levels in post-bariatric surgery patients and failure to treat symptoms of nausea, vomiting, visual disturbances, and motor impairments with thiamine supplementation. Specialties included in these claims are general surgery, emergency medicine, internal medicine, and gastroenterology.

A high index of clinical suspicion is required when treating patients with a history of bariatric surgery presenting with symptoms suggestive of WE. Surgeons, emergency physicians, internists, gastroenterologists, and all health care professionals should be aware of the risk factors and symptoms associated with nutritional deficiencies to minimize any adverse effects. Early recognition of symptoms is important for ALL providers caring for this patient population.

Physicians who round on patients could be subjected to litigation if they do not order labs checking thiamine levels when a patient who has recently undergone bariatric or gastric surgery exhibits symptoms detailed in this risk alert.

Read more
Wernicke encephalopathy after bariatric surgery: a systematic review
Wernicke’s encephalopathy after sleeve gastrectomy: Literature review

Closed claim study: failure to diagnose thiamine deficiency

A 22-year-old woman came to a bariatric surgery center for treatment of her morbid obesity. She underwent extensive diagnostic testing and education before being scheduled for a sleeve gastrectomy. A general surgeon performed the procedure on June 25.

Physician action
The patient’s postoperative course was complicated by persistent dysphagia and gagging when eating (as opposed to vomiting). On August 6, the general surgeon ordered multiple studies that ruled out a structural cause for the patient’s symptoms. Nutrition/vitamin levels were not checked.

The patient claimed that on August 20, her mother called the bariatric surgery center and reported that the patient was unable to drink protein drinks or take her multivitamins. The mother asked the nurse if the patient could switch to a gummy vitamin that would be easier to swallow. Purportedly, the nurse said that a gummy multivitamin would be fine.

No one spoke to the general surgeon about this change or about the patient’s inability to keep protein shakes down. The general surgeon later testified that she would not have recommended the change to a gummy vitamin.

The patient’s mother called the surgery center on August 23 to report that the patient had continued nausea, vomiting, diarrhea, and was now experiencing double vision. The nurse from the surgery center advised that she had spoken to the general surgeon who said the symptoms should go away within three months of the surgery.

On August 25, the patient came to the emergency department of a local hospital with symptoms of blurred and double vision. She was discharged and told to follow up with the general surgeon. The patient’s mother called the surgery center on August 26 to report that her daughter was seeing double. The general surgeon prescribed Pedialyte popsicles, Gatorade, and protein shake supplements. She also scheduled another EGD for August 27. This study did not reveal any cause for the nausea and vomiting.

Over the next week, the patient and her mother repeatedly called the surgery center to report nausea, vomiting, and blurry/double vision. The general surgeon prescribed metoclopramide and promethazine.

On September 6, the patient reported weakness, difficulty walking, and blurry/double vision. The general surgeon ordered additional labs and all results were reported as normal. Nutritional studies were not ordered.

The patient went to the ED on September 8 and was seen by a neurologist. He diagnosed Wernicke’s encephalopathy, and the patient was treated for thiamine deficiency. She recovered, but her visual disturbance is permanent and she has been determined to be legally blind. She also walks with an ataxic gait.

Lawsuits were filed against the general surgeon and the bariatric surgery center. The allegations included:

  • failure to recognize thiamine deficiency (general surgeon);
  • failure to treat the patient’s nausea, vomiting, visual disturbances, and motor impairments with thiamine supplementation (general surgeon);
  • failure to test the patient’s thiamine levels (bariatric surgery center); and
  • failure to tell the patient that her multivitamins must contain thiamine (bariatric surgery center).

Legal implications
The plaintiff’s expert — a board-certified general/bariatric surgeon — testified that the standard of care required the defendant general surgeon to monitor the patient postoperatively for nausea, vomiting, and symptoms of dehydration or vitamin deficiency. Further, the tests ordered by the general surgeon did not address the patient’s nausea.

To support their allegations against the bariatric surgery center, the plaintiffs pointed to the center’s Patient Education Manual that stated, “ . . . the patient’s nutritional status after surgery is vitally important because vitamin deficiency can cause illness, weakness, and death . . . the Bariatric Center will monitor the post-operative nutritional status of the patient and draw lab work to monitor the patient’s lab values.” None of these labs were drawn.

Among the defense experts, there were mixed opinions about whether the general surgeon should have checked the patient’s vitamin levels in light of her progressively worsening symptoms. The general surgeon stated that nutritional testing should be performed three months after the surgery. For the first eight to 12 weeks, the patient is healing and should be taking protein shakes and vitamins. The general surgeon was not advised that the patient had changed her postoperative vitamins from a “complete” multivitamin to a gummy vitamin.

During the investigation of this claim, it was discovered that the patient had a minor surgical procedure (IUD removal) on August 21. During this procedure, the patient received an IV of 5% dextrose, which is contraindicated in patients who may have vitamin deficiencies because 5% dextrose can quickly deplete thiamine levels. This surgical procedure took place two days before the patient’s first documented report of a visual disturbance. The patient never reported the procedure to the general surgeon.

Both the patient’s treating neurologist and the plaintiff’s expert stated that giving 5% dextrose to a patient with low thiamine or borderline normal thiamine could push a patient into thiamine deficiency and Wernicke’s encephalopathy.

This case was settled on behalf of the general surgeon and the bariatric surgical center. The aforementioned liability issues, coupled with the permanent nature of the patient’s injury, led to the decision to settle this case.

Risk management considerations
According to the American Society for Metabolic and Bariatric Surgery, an estimated 196,000 bariatric procedures were performed in 2015. (1) These procedures have the potential for providing great benefit to patients, but they also come with risks.

Nutritional deficiencies are well known complications following weight loss surgery. “Wernicke-Korsakoff Syndrome is the best known complication of thiamine (vitamin B1) deficiency. The term refers to two different syndromes, each representing a different stage of the disease. Wernicke encephalopathy (WE) is an acute syndrome requiring emergent treatment to prevent death and neurologic morbidity. Korsakoff syndrome (KS) refers to a chronic neurologic condition that usually occurs as a consequence of WE.” (2)

“Wernicke-Korsakoff Syndrome (WKS) classically, but not always, presents with the clinical triad of confusion, ataxia, and nystagmus. Eighty-five percent of the survivors of the acute phase of Wernicke encephalopathy who remain untreated go on to develop Wernicke-Korsakoff Syndrome.” (3)

In the case presented, there were several instances where a breakdown in communication and patient care occurred.

  • The bariatric surgery center nurse did not consult with the general surgeon regarding the patient’s symptoms and the request for a medication adjustment. Had this step been taken, the physician could have had an opportunity to agree with the patient’s request or implement a different treatment plan.
  • The surgery center did not follow the guidelines for monitoring patients’ post-operative nutritional status, as stated in their Patient Education Manual.
  • Not ordering nutritional studies when the patient reported neurological symptoms was another missed opportunity.
  • The physician performing the removal of the IUD administered 5% dextrose intravenously in a patient with a history of bariatric surgery, which is contraindicated.
  • The patient did not tell the general surgeon about the IUD removal procedure.
  • A high index of clinical suspicion is required when treating patients with a history of bariatric surgery presenting to any health care provider with symptoms suggestive of WE.
  • While not an issue in this case, there have been cases in which the physician defendants contend that it was someone else’s responsibility to check the patient’s vitamin levels. Ultimately, there was a delay in getting the needed lab work and this led to catastrophic patient outcomes. Some of these physicians stated that they felt the patient seemed to be eating well, so checking nutrition was not necessary.
  • Cases have also been documented in which the appropriate lab work was ordered, but not completed. Developing and consistently following procedures for monitoring and acting on test results may prevent these results — or lack of results — from being overlooked.


  1. American Society of Metabolic and Bariatric Surgery. Estimate of bariatric surgery numbers, 2011-2015. Available at Accessed December 1, 2016.
  2. UpToDate. Wernicke encephalopathy. Available at Accessed December 1, 2016.
  3. Medscape. Wernicke-Korsakoff Syndrome. Available at Accessed December 1, 2016.

Risk alert: phishing emails being sent as official OCR communication

by Cathy Bryant

The Office of Civil Rights (OCR) is alerting physician practices, their business associates, and other HIPAA-covered entities about phishing emails that are being sent disguised as official OCR audit communication.

The emails are being sent on falsified U.S. Department of Health and Human Services (HHS) letterhead under the signature of OCR’s Director, Jocelyn Samuels.

The emails prompt recipients to click on a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program. The link leads to a non-governmental website marketing a firm’s cyber security services. In no way is this firm associated with the HHS or OCR.

The phishing email originates from the email address and directs individuals to a URL at . This is a subtle difference from the official email address for our HIPAA audit program, but such subtlety is typical in phishing scams.

[Comparison table: Official sender address vs. Scam sender address]

Covered entities and business associates should alert their employees to this issue and note that official communications regarding the HIPAA audit program are sent from the email address
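One way a practice can turn the advice above into a mail-filter or help-desk check is to compare the sender domain of any “audit” notice against the one official domain and flag near-misses for review. This is an added example, not code from the article or from OCR; the official and scam addresses in the alert are elided, so the domain in OFFICIAL_DOMAINS and the sample From: values are constructed placeholders.

```python
"""Sender-domain check for messages claiming to be OCR audit notices.

Added example; not code from the TMLT article or from OCR. The official and
scam addresses in the alert are elided, so OFFICIAL_DOMAINS holds a
constructed placeholder: replace it with the address OCR publishes.
"""
import re

# Constructed placeholder for the domain official audit notices come from.
OFFICIAL_DOMAINS = {"audit.example.gov"}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values mean a one- or two-character spoof."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Pull the lowercase domain out of a From: value such as 'OCR <x@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_value)
    if not m:
        raise ValueError(f"no domain in From: value {header_value!r}")
    return m.group(1).lower().rstrip(".")


def is_lookalike(domain: str, official: str) -> bool:
    """True when `domain` imitates `official` without being it.

    Three patterns cover the 'subtle difference' the alert describes:
    a near-identical spelling (substituted characters, '-' for '.'), the same
    leading label under a different parent or top-level domain, and the whole
    official domain embedded as a subdomain of an unrelated host. The check
    errs toward flagging a message for human review rather than missing one.
    """
    if domain == official:
        return False
    if _edit_distance(domain, official) <= 2:
        return True
    if domain.split(".")[0] == official.split(".")[0]:
        return True
    return official in domain


def classify_sender(header_value: str) -> str:
    """Return 'official', 'lookalike' or 'unknown' for one From: header value."""
    domain = sender_domain(header_value)
    if domain in OFFICIAL_DOMAINS:
        return "official"
    if any(is_lookalike(domain, o) for o in OFFICIAL_DOMAINS):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: values, not the addresses from the alert.
    for sample in ("OCR Audit <notices@audit.example.gov>",
                   "notices@audit-example.gov",
                   "notices@audit.example.gov.phish-host.net"):
        print(f"{sample:45} -> {classify_sender(sample)}")
```

A “lookalike” verdict is a cue to verify through the OCR audit program website rather than through any link in the message.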

In addition, OCR has notified select business associates of their inclusion in Phase 2 HIPAA audits. For more information on the HIPAA Phase 2 Audits, please visit the OCR’s audit program website.

TMLT provides Cyber Risk Management services to physicians. Learn more at our website.



FDA approves important labeling changes for Essure birth control device

In a continuing effort to advise patients and physicians regarding permanent birth control options, the Food and Drug Administration (FDA) recently approved labeling changes for the Essure birth control device.

Bayer, the manufacturer of Essure, will make label and packaging changes for the product, including a boxed warning and a patient decision checklist to help patients receive and understand the benefits and risks of the device.

The boxed warning includes safety statements to clearly communicate significant side effects or adverse outcomes associated with Essure and information about the potential need for removal. The patient decision checklist highlights key risk and benefit information. Physicians are encouraged to review the checklist with their patients and co-sign it after the discussion.

Essure is a permanently implanted birth control device consisting of flexible, metal coils. To implant Essure, the flexible coils are inserted into the fallopian tubes. In about three months, tissue forms around the inserts, blocking sperm from reaching the eggs and preventing pregnancy. Essure is not immediately effective, and users must use another form of birth control for at least three months after the device is implanted.

These labeling changes come after some Essure users reported serious complications, including:

  • perforation of the fallopian tubes and/or uterus;
  • inserts traveling to the abdomen or pelvic cavity;
  • persistent pain lasting weeks or months after the procedure;
  • change in menstrual cycles (bleeding patterns);
  • symptoms similar to those of allergic reactions; and
  • symptoms similar to those in autoimmune diseases, such as joint pain and fatigue.

The FDA encourages health care providers to thoroughly discuss Essure and alternate available birth control methods with their patients, including the benefits and risks. The addition of the patient decision checklist can be used to facilitate these important discussions.

More information is found at the FDA website.

Authentication — a vulnerability in your practice?


by Cathy Bryant

Editor’s note: HHS requires physician practices to provide periodic cyber security awareness and training to all employees. (1) Please consider sharing this post with your staff to meet this requirement.

Under the ever-present threat of an attack by cyber criminals, health care entities are taking a closer look at ways to strengthen and safeguard their authentication methods.

Authentication is the process used to verify that someone or something is who or what they claim to be. In practice, it means requiring a credential, such as a login password or passphrase, before a person or program can access information on public or private networks, medical devices, servers, and software applications, so that unauthorized people or programs are kept out.

Please review the following information on authentication requirements and take a few minutes to reflect on the type of authentication you use. Could it be improved? And be sure to remind staff about the importance of authentication, including not sharing logins and passwords.

Authentication requirements
The Person or Entity Authentication standard of the HIPAA Security Rule requires authentication procedures to verify that a person or entity seeking access to electronic protected health information (ePHI) is the one claimed. Therefore, covered entities should do the following.

  1. Conduct an enterprise-wide risk analysis that identifies vulnerabilities to current authentication methods, the threats that can exploit the weaknesses, the likelihood of a breach occurring, and how a particular type of breach can affect the business. This process helps entities determine if the risk should be mitigated with a particular type of authentication; if they should keep the current authentication method in place and accept the risk; if they should transfer the risk by outsourcing authentication services to a business associate; or if they should avoid the risk altogether by eliminating the process associated with a particular authentication risk.
  2. Consider — based on the potential risks and vulnerabilities to ePHI — implementing a form of authentication that is reasonable and appropriate for the size, complexity, capability, technical infrastructure, hardware, and software security capabilities of your practice.
  3. Consider recommended methods of authentication, depending on the results of the risk analysis, including:
     • Single-factor authentication – uses one of the three factors (i.e., something you know, are, or have) to attain authentication. For example, a password is something you know and is the only factor that would be required to authenticate a person or program. This would be considered single-factor authentication.
     • Multi-factor authentication – uses two or more factors to achieve authentication. For instance, a private key on a smart card that is activated by a person’s fingerprint is considered a multi-factor token. The smart card is something you have, and something you are (the fingerprint) is necessary to activate the token (private key). (2)

TMLT’s Product Development and Consulting Service team can help you and your staff with your cyber risk management plan. Read more or ask a specific question.


  1. Cornell University Law School Legal Information Institute. 45 CFR 164.308 Administrative Safeguards. Available at
  2. U.S. Department of Health and Human Services Office for Civil Rights. What type of authentication is right for you? Cyber Awareness Newsletter. October 2016. Available at

Other resources
National Institute of Standards and Technology. Electronic Authentication Guideline. NIST SP 800-63-2. Available at

U.S. Department of Health and Human Services Office for Civil Rights. Security Rule Guidance Material. Available at