Industry Insider: Looking Ahead to 2024


The changes, trends and issues that should be on facility leaders’ radars.

From major reimbursement changes to existential threats to procedures that are moving to outpatient facilities (robotics, complex spine and GYN cases), here’s what surgical leaders can expect next year.

CMS’ about-face

An early holiday present from Centers for Medicare & Medicaid Services means that ambulatory surgery centers can now provide total shoulder replacements and other procedures to older Americans on federal health insurance who want to recover in the comfort of their own homes. The change goes into effect Jan. 1. The CMS changes are part of an exciting year for the outpatient surgery industry, which also faces ever-present cybersecurity challenges, new CMS requirements designed to measure patient experiences and a growing migration of procedures, such as lung biopsies, that were once inpatient-only experiences.

The CMS decision to include two surgical codes that will add total shoulder replacements to its ASC-approved list was a pleasant surprise. The agency that administers the money for Medicare coverage for Americans at least 65 years old did not include total shoulder arthroplasty in its preliminary proposal release in September.

Ambulatory Surgery Center Association (ASCA) CEO Bill Prentice says the additions are welcome in the ASC world. ASCA and other industry advocates note that many of the procedures in question have been safely performed in ASCs on patients with commercial insurance for years.

“ASCA staff and members have been talking with CMS officials for years about the safety and efficacy of adding procedures like total shoulder arthroscopy and total ankle arthroscopy to the ASC Covered Procedures List,” says Mr. Prentice. “We are thankful to the agency for adding those and more than 30 other procedures for 2024, but there is more work to be done to ensure Medicare beneficiaries have access to all the care they can appropriately receive in surgery centers.”

In all, CMS added 11 CPT codes to its ASC-approved list that weren’t in the federal agency’s proposed Final Rule for 2024. Stakeholders successfully lobbied CMS during the public comment period that followed. In addition to the two codes for total shoulder replacements, codes were added to allow Medicare reimbursement for total ankle replacement, as well as codes pertaining to hip tendon incision, meniscal knee replacement and repeat thyroid surgery, according to a CMS announcement of its plan for next year. Twenty-six new dental codes are included as well.

The addition of total shoulders gives outpatient orthopedic providers hope for a boost to ASC business, as happened with CMS’ approval of total knees in 2019 and total hips in 2021. The ASCA website notes its officials met with top CMS brass to advocate for total shoulders and other replacements to be added next year. In October, for example, ASCA board member David Weinstein, MD, met with CMS Chief Transformation Officer Doug Jacobs, MD. Dr. Weinstein, an orthopedic surgeon, asked Dr. Jacobs why he was allowed to perform total knee and hip procedures for Medicare recipients in ASCs, but not total shoulder replacements. “Dr. Weinstein referenced research showing stellar outcomes of total shoulder arthroplasty performed in the outpatient setting” on non-Medicare patients, according to the website.

Crunch time for OAS CAHPS

The Outpatient and Ambulatory Surgery Consumer Assessment of Healthcare Providers and Systems (OAS CAHPS) survey may not be mandatory for HOPDs and ASCs in 2024, but any facilities that aren’t making this reporting a top priority may very well find themselves in a terrible predicament. The stakes for non-compliance are extremely high. Any HOPD or ASC that doesn’t conduct and submit OAS CAHPS as part of the quality reporting requirement in 2025 will receive a reduction of 2.0 percentage points in their annual fee schedule update.

What’s worse, this isn’t one of those DIY projects that surgical facility leaders can use their resourcefulness to pull together quickly. HOPDs and ASCs must use a CMS-approved vendor — something that will take time, effort and due diligence. “It’s crucial for facilities to get going on OAS CAHPS,” says Kathy Wilson, RN, MHA, executive director of the ASC Quality Collaboration, an organization that has been bringing together leaders from the ASC industry and organizations with a focus on healthcare quality and safety to develop standardized quality measures appropriate to ASCs since 2006. “They need to start, get registered and identify a vendor.” Ms. Wilson adds that the entire OAS CAHPS process is extremely dependent on the vendor, and leaders must carefully vet the available ones — all of which have received extensive CMS training — and understand their offerings and costs.

If you haven’t already identified a vendor for this major undertaking, you’d better hurry, says Becky Ziegler-Otis, CASC, assistant executive director of the ASC Quality Collaboration. “We’re talking about a relatively small list of vendors here, so if you wait until the last minute, you’re not going to get the job done,” she says.

Cybersecurity vulnerabilities

Another enormous concern for surgical leaders in 2024 is cybersecurity. Attacks in 2023 were incessant and increasingly sophisticated, and as each month passed another facility or health system would announce a breach of their data.

The most useful tool for cybercriminals is increasingly turning out to be the people who work at the targeted facilities themselves, according to Benjamin Posner, principal and virtual chief information officer of Dedicated IT, a managed service provider (MSP) in Lake Park, Fla., that focuses primarily on healthcare, including serving a number of orthopedic, ophthalmology and GI ASCs. He says the weakest link in cybersecurity is the human factor. Cybercriminals are employing tactics like phishing emails — messages from senders that seem legitimate but are actually from cybercriminals who are relying on the recipient making a careless mistake.

These messages contain links and attachments that, when the user engages with them, can secretly download ransomware to the user’s machine that can then spread throughout your network. They also frequently prompt the user to log in to their employer’s network. The criminals simply watch the user type their username and password and now they can log in themselves, poke around and cause chaos.

“Get your staff some training,” recommends Mr. Posner. “They need to know that cybersecurity is like taking care of a child — you’ve got to pay attention. You can’t just willy-nilly click on wherever you want because something looks exciting. You pay attention to your patients, and you need to pay just as much attention to their records and their data, because it’s not yours, it’s theirs. You’re entrusted with the lives and information of individual human beings.”

Another emerging attack type is social engineering, particularly impersonation attacks — where a criminal pretends to be someone the recipient trusts via what look like legitimate emails or text messages. Criminals are also now increasingly using AI and “deepfakes” to spoof the voices and even appearances of people the target knows. These deceitful communications often involve an urgent request that can result in hasty actions such as wiring money, giving away passwords and other internal information, or clicking on links or files that deliver ransomware to the user’s machine.

“Because there’s that sense of urgency, it triggers human nature to hurry up and try to help, so they wind up giving out the information,” says Mr. Posner. “If anything comes through electronically with any sense of urgency, don’t respond to it immediately. If it really couldn’t wait, that person would be on the phone with you, and then you could authenticate who they really are.”

The ransomware and other malicious code cybercriminals are using is getting more innovative. Mr. Posner sees more instances of undetected “lay-in-wait” malicious code. “These bad guys are really creative,” says Mr. Posner. “They’ll trap a little breadcrumb on a machine from an employee clicking on the wrong thing that just sits there and waits like a Trojan horse. Periodically, it’ll replicate, and then six months to a year down the road the criminals activate them. Now they have access, and chances are you won’t know how they breached you in the first place.” He says that makes it important to maintain activity logs for your network for up to a year, as opposed to the more common 30 to 90 days.

Eugene Rosales, client executive with Netgain Technology, an IT and cloud services provider in Minnetonka, Minn., is a 30-year information technology (IT) veteran who has worked exclusively in the healthcare sector for the last two decades, including with about 20 ASCs. “I hate selling out of fear, but I don’t need to anymore because everywhere you look, there are fears everywhere, and things are constantly getting worse and worse,” he says. “Our security platform is constantly monitoring so many different attacks, whether it’s phishing, internal attacks, spoofing.”

Mr. Rosales agrees with Mr. Posner about the biggest threat to ASCs and HOPDs. “It’s the actual people who work at your center opening up emails they shouldn’t,” says Mr. Rosales. “We push clients to educate and train internal staff to follow security protocols — multifactor authentication, not sharing passwords, constant training.”

Mr. Rosales says employees must learn how to spot phishing emails, including looking for slight misspellings of company and domain names, hovering over links to see if they actually go to legitimate websites, and pausing to think clearly when emails strike an urgent tone. “We train employees to see small, slight differences so they understand it’s not a legitimate email,” he says. “Artificial intelligence is getting so good that the emails are getting better; it’s no longer the case where the emails have a misspelled heading, for example. They’re going to get tougher to stop.”

Mr. Rosales says ASCs should also develop disaster recovery plans to maintain continuity in the event of a successful attack. “What are the next steps?” he says. “What does your MSP handle? What does your internal team handle? Who gets notified? Are there secondary plans in place to work remotely?” Both Mr. Posner and Mr. Rosales say cybersecurity insurance and offsite, encrypted backups of your data are crucial, as is working with IT security consultants to fortify and maintain your defenses.

“It’s not if an attack is going to happen, because it will,” says Mr. Rosales. “It’s how you mitigate the risk, and the biggest way to do that is for your people to have proper training, a managed service provider that’s very security-focused, and the right policies and procedures in place.”

“It’s not that an attack could kill your business. It will,” says Mr. Posner. “So secure your systems as best as possible. Yes, it’s going to be a costly endeavor, but it pales in comparison to losing patient records and going out of business. The money you spend now on cybersecurity is minuscule in comparison to what you’ll spend if you have a breach, and the losses you’ll incur — not just financially, but in terms of the trust of the public.”

ACCESSIBLE CARE Patty Evans and Hernan Alvarado Jr. of Temple Health (left), and the facility’s new pulmonary suite (right).

Ever-expanding same-day services

While same-day spine surgeries, robotic GYN (see “What’s New in Gynecologic Surgery?”) and cardiovascular cases tend to get the lion’s share of the attention, the migration from complex inpatient to minimally invasive outpatient procedures is happening everywhere due to advances in technology, technique and pain control.

Same-day minimally invasive lung biopsies are a great example of this evolution in care. Temple Health in Philadelphia recently opened a brand new, state-of-the-art bronchoscopy suite that utilizes a robotic platform where cone-beam CT and augmented fluoroscopy offer providers real-time imaging of the patient’s airway throughout the entire biopsy, allowing for more targeted procedures, better samples and expedient, same-day discharge. The benefits of the integrated care patients receive at Temple’s bronchoscopy suite — where the team is equipped with a critical care pulmonologist, a fellow, a nurse, a respiratory therapist and an anesthesia provider — can’t be overstated. The suite performs more than 1,200 bronchoscopies per year. “We can treat and perform diagnostic or therapeutic interventions much more quickly,” says Hernan Alvarado Jr., MBA, RRT, RPFT, AVP of respiratory care, bronchoscopy, pulmonary diagnostic services at Temple Health. “As a result, patient access has increased dramatically.”

“Biopsies weren’t always performed same-day, but the technology has become much more advanced, which benefits the patients tremendously,” adds Patty Evans, BS, RRT, manager of the pulmonary function lab and bronchoscopy/pulmonary rehab program at Temple.

The accurate, expedient and convenient biopsies Temple performs are vital for multiple reasons, especially when it comes to one particular segment of the population: transplant patients. “We have the number-one lung transplant program in the country, and we need to do surveillance bronchoscopy on transplant patients, and we need to follow up at the one-, three- and six-month marks because the tissue sample can show rejection,” says Ms. Evans. “It’s crucial to manage transplant patients’ pulmonary function.”
