I hope that everyone is having a safe and blessed Thanksgiving holiday. For many of us, these last few days have been a chance to connect and reconnect with friends and family members around the dinner table. We all have our traditions that we follow at this time of year, and our traditions and the people we share them with provide us with a sense of belonging and connectedness that we often take for granted. There’s a lesson there for us about the way we do business.

When I was growing up, my mother stayed at home to manage the household and raise her three kids. The moms in our neighborhood in Charles City, Iowa would often meet for coffee each week in one of their homes. Coffee was a time for sharing the details of their lives, supporting one another through ups and downs, and telling stories while swapping child rearing tips, recipes, and opinions. It was a supportive group outside of their own households that each woman belonged to.

When Mom died in 2008, most of her coffee friends were there at her funeral. None of those ladies lived in the old neighborhood anymore. Times had changed, and so had they, but the powerful bonds of their tiny coffee community from long ago remained strong.

Every organization should seek to create a strong sense of belonging among its customers. You must provide compelling services and innovative solutions to customer problems at a good price. That’s a given, but successful organizations know that they’re dependent on more than a series of transactions. We need people to choose to belong with us over the long haul. To do so, we have to make sure that they feel valued.

Build personal relationships. Connect your customers to their peers, to experts, to solid information, to innovative ideas, and to keen insights. Leave them with great feelings about the experiences that they share with you. Make them feel like they belong with you.

People want to belong. It’s an innate human need. They want to be part of a community. It was true among the neighborhood moms in Charles City, Iowa in 1970. It’s true for all of us today. The people you do business with want to belong to a group, a community which benefits them both quantitatively and qualitatively. The bonds of such a community are strong and lasting. The bonds we share over the Thanksgiving holiday keep us coming back year after year. The bonds of Mom’s coffee group lasted decades after the coffees had ended and her friends had moved away.

That’s the power of community. If we can provide our customers with that sense of belonging, they’ll stay with us forever.

We all exercise freedom of choice every day of our lives. We choose our partner, how to spend our time, and where we buy our groceries. We choose the shows we watch, which religion we’ll follow (if any at all), and which sports teams we’ll cheer on.

The people you serve in your organization exercise their freedom of choice every day as well. Every person you do business with has a choice. They can choose to work with you, or they can choose to do business with someone else. They can also choose to pursue new ventures that simply don’t include you. What they choose ultimately determines the fate of your company.

Your employees have choices to make each day as well. They can find another job tomorrow and leave you with the task of finding a replacement for them. They can opt into your mission and your values, fully engaged with their work, or they can put forth minimal effort and just collect a paycheck.

You must make your organization the easiest and best option all of the time, not just on the date of someone’s hire or at the point of sale. Seek to create an environment, a community, where customers, employees, and teammates make “permanent” choices. You want them to choose you in much the same way that you and I have a favorite team or a favorite style of music. Those things don’t change from game to game or each time we listen to music. We choose them once, or once in a while, and then we stick with them.

Creating that kind of loyalty isn’t just about building a brand. It’s about building a community where people are welcomed, where they are comfortable, and where they know they can count on you to be there for them.

When I wrote about cybersecurity last week, I attempted to sound an alarm bell for healthcare providers about the magnitude of the threat we face as we seek to protect our businesses and their data from cybercriminals. Today, I want to follow up with a story that should scare you. It definitely scares me.

Our company invests heavily in IT security, and we’ve done a pretty good job of making our systems and data secure. One of the things we do is hiring an outside firm to do system penetration testing. Essentially, we hire a professional hacking team to try to break into our systems however they can, and then we use their findings to enhance our security measures and reduce our vulnerability. It’s something that everyone should have done on a regular basis.

During the test, our security consultants tried to crack as many of the passwords established and used by our employees to access our network and systems as they could. We were fairly confident in the strength of our passwords. After all, we require them to be at least eight digits long with a combination of letters, numbers, and special characters. We also force all employees to change their passwords every ninety days.

Our confidence was quickly revealed to be hubris. During a 48 hour period of focused effort, our consultants were able to identify 63% of our 1,000+ employee passwords. They “guessed” the private passwords of nearly two out of every three employees! OMG.

After the test was completed, I was informed that many of our employees, perhaps most of them, had chosen passwords that are easy to remember. They use things like “Packers#12”, “Hogwarts!23” and “Fall2019!” for ease. Unfortunately, a password that is easy for an employee to remember is just as easy for a hacker to crack. We’re fortunate that we also use multi-factor authentication as an added layer of security, but we’re taking steps to improve our passwords as well.

I raise this issue today so that you, like me, can be energized to pay more attention to cybersecurity before you have a major incident. You can refer back to my last post for specific recommendations. You can also check out and download the cybersecurity playbook written by Jeremy Kauten, VGM’s CIO. It contains a wealth of information about who hackers are, why they want the protected health information that our businesses collect, and what you can do to stop them from getting it.

If you’re a provider of healthcare, then it’s likely that you’re not allocating enough leadership and resources toward protecting your company from cybercrime.

Cybercrime against healthcare providers receives a fair amount of attention in the media and in industry circles. People are aware of the threat. They talk about it, and most even worry about it, but the actual threat posed by cybercrime far exceeds the effort and resources put forth to combat it in my opinion. This mismatch between the threat level and resources expended poses an enormous threat to our industry and the people who rely on it for their healthcare needs.

There’s a strange stigma that surrounds getting hacked. If someone breaks into your car, you talk about it to everyone. If someone hacks into your systems, you don’t tell anyone. Ever. That’s probably because it’s unpleasant, complicated, and involves technology in a way that we don’t always readily understand. Many hacks aren’t required to be reported because they are settled with the payment of ransom. The silence that surrounds cybercrime means that most of us fail to recognize the enormity of the threat.

I find that it’s helpful to sort healthcare cybercrimes into two buckets. First, and most commonly, there are hacks that expose patient records to bad guys and get reported as HIPAA breaches. The numbers of this type of breach have and will continue to rise. In fact, they’ve doubled in the past year alone. The second bucket of cybercrimes is filled with “successful” ransom incidents, whereby the victims have paid ransom to recover data or access to their own systems again.

There are far more ransomware incidents in healthcare than reported HIPAA breaches. Unfortunately, since HIPAA violations require public reporting and the ransoms very often don’t, misconceptions are created. Ransom incidents are growing at an alarming rate. It is estimated that one quarter of all healthcare providers have paid a ransom to cybercriminals. Eleven billion dollars have been paid in ransom this year alone, and it isn’t even over yet. Just because ransomware attacks are out of sight doesn’t mean we can safely ignore this risk.

Healthcare is the favorite target of cybercriminals because healthcare providers possess valuable information about patients (social security numbers, addresses, etc.), while at the same time being generally under-invested in protection against such crimes. Listen, folks: You’re not up against a nerdy kid living in their parents’ basement. You’re up against the military and intelligence arms of several large and powerful nations. Much of this cyberwar is being waged by foreign governments or government sponsored organizations against American businesses and consumers in an attempt to transfer American wealth overseas. This is not something to take lightly. The US government is doing precious little to protect us, leaving the responsibility for defending ourselves up to you and I.

I am sounding the alarm bell here and now: It is highly likely that you are not devoting enough resources to protect yourself against cybercrime. I’m not a cybersecurity expert, so I’m not here to tell you all the technical answers to this problem, but I will offer some of the lessons I’ve learned as a leader in a healthcare organization.

1. Addressing this problem is a journey, not a destination. We all want a silver bullet. We want a simple answer, be it a software or service, that we can buy, set, and forget to protect ourselves. That is not the way this stuff works. You will actually need to buy several dozen products and take ongoing action to move toward adequate security, and the things you need will evolve over time.
2. It will be costly to protect your organization. You must find a way to re-allocate financial resources, creating a robust budget for strengthening your cybersecurity defenses.
3. Your employees and their behaviors are your biggest cyber threat. You heard me. Your employees, no matter how well intentioned, are likely to be the weakest link in your defenses. Hackers don’t just manipulate systems. They manipulate people. A human-centric cyber protection plan is an absolute necessity.
4. If you are a leader, you are probably exacerbating the cyber threat. Establishing a culture that values cybersecurity comes from the top. Set the tone. Lead by example. This Achilles heel will most likely manifest itself when people in the organization are asked by your IT department to change a behavior or practice. Examples might include using two factor authentication or locking out external drives and devices. People often resist these changes because they’re inconvenient, and if you fail to stand strong for making the right security moves, your organization will be exposed.
5. Take a long term view. Payers are increasingly vigilant when it comes to cyber protection, and that will be flow down to you as a provider. If you don’t put the right security in place, you’ll soon find that you won’t be able to do business directly with many payers or referral sources.
6. Listen to the people who know. Chances are your IT people know and have told you some things that need to be done differently. Do yourself a favor and listen to them.

The branch that won’t bend is easily broken. – Chinese Proverb

Recently, I had an important project to do, and, unfortunately, things didn’t go so well. I ended up doing a very poor job, and the product that I provided fell well short of expectations. I wish that I could say that being a CEO means that you never do substandard work, but I’m afraid that just isn’t the case. My shortcoming, my failure on this assignment, was a plain and simple lack of preparation. I was quite frustrated with myself in the aftermath of this project, and my post-mortem analysis led me to reflect deeply on what exactly had happened.

Strong preparation is one of the keys to doing good work. If we prepare properly and rigorously for a meeting, a call, a presentation, or an interview, then we’re far more likely to be successful. I am usually a beneficiary of preparation. I do it well, and that typically leads to good outcomes. Unfortunately, in this case, rigidity got the better of me. You see, I have a ritual that I go through when it comes time to prepare for a major project. I schedule time for it, and then I go through a useful set of routines and processes. My preparation rituals have served me well over the years.

On this particular project, however, my failure to adjust to changing circumstances did me in. The task required collaboration, and I was working with a team. When the time arrived for my scheduled preparation, certain files and materials were not available to me because I hadn’t requested them yet. I made one effort to reschedule the prep, but something came up. I failed to accommodate these and other disruptions, I didn’t collaborate as well as I probably should have, and in the end I just never recovered.

I completed the assignment with a substandard product because I was too rigid, too set in my ways of doing things. When my routine was disrupted, I allowed it to scuttle the whole effort.

We all have rituals. We have systems and processes for getting things done, and patterns that have been useful to us in the past. That’s fine as long as we don’t let habits become handcuffs. We can’t let the way things were dominate our perception of the way things are now. The world changes every day, and you can’t successfully navigate it if you’re constantly staring at your rear view mirror. I learned a lot about myself, the way I work, and the way I’ll need to work in the future through this mistake. I’m sharing it with you in the hope that you can learn the same lessons a little less painfully.

For the first one-hundred and forty-four years of America’s existence, women were not allowed to vote. In 1920, ninety-nine years ago this summer, women finally won the right to vote in the United States via ratification of the Nineteenth Amendment to the U.S. Constitution. That was a really long wait!

Our history classes teach us about Susan B. Anthony’s role in leading the fight for women’s suffrage. What you might not know is that Anthony began her quest in the 1850’s, almost seventy years before the Nineteenth Amendment. Susan B. Anthony died in 1906, long before women won the vote. It was another extraordinary but lesser-known woman who picked up the mantle and led the movement during those last fourteen years. Carrie Chapman Catt, who grew up in my hometown of Charles City, Iowa, leveraged her tenacity, charm, and courage to execute a strategy that ultimately gave women the right to make their voices heard in American politics.

The Iowa-girl spent that hot summer of 1920 in Tennessee, which was the final battleground state. The Volunteer State was their last chance for victory. Failure to pass the legislature in Tennessee would have killed the Nineteenth Amendment, but Catt and company worked tirelessly and won the day. Tennessee ratified, and women finally had the vote. That’s your history lesson for today!

Earlier this week I had the honor to present the 2019 HME Woman of the Year Award to Wendy Russalesi, the Chief Compliance Officer at AdaptHealth. We at VGM created the HME Woman of the Year Program four years ago to recognize the incredibly important role women play in our industry. Like the right to vote, better late than never. We’re extremely proud of the program and the amazing women who have been finalists and award winners. Congratulations to Wendy!

You can learn more about Wendy, the award, and the other impressive finalists at https://www.vgm.com/HMEWomanOfTheYear.

I’m going to take a bit of a risk this week and talk about Obamacare. The Affordable Care Act, a/k/a Obamacare, was signed into law in 2010. This “reform” of our healthcare system remains an emotional flashpoint for many on both sides of the aisle, but at the same time is often misunderstood. If we can, I’d like to set aside the emotional baggage that surrounds the law for a moment and try to take a look at the actual impact that Obamacare has had on our country and our industry since it was passed:

• About 20 million more Americans have insurance coverage because of the ACA. We know two things about people being insured: First, they are much better able to pay for healthcare than uninsured people. Second, the data tells us that insured people use significantly more healthcare resources than uninsured people. Insuring more people creates more paying customers for healthcare providers, including those in the DMEPOS industry.
• The increase in the number of people with insurance is primarily because more people are on Medicaid. Prior to the ACA, about 13% of Americans had insurance coverage through Medicaid. That figure has since grown to 21%. An additional effect has been that nearly 7 in 10 people on Medicaid receive their coverage under MCOs (managed Medicaid plans that are run by private insurance companies) rather than under state-run plans. The proportion of Medicaid enrollees using MCOs has doubled since the passing of Obamacare.
• Intriguingly, the mandates requiring individuals to have health coverage and businesses with more than fifty employees to provide it really didn’t have much of an effect. The percentage of the population insured through employer sponsored group plans has actually declined from 54% to 49% since the coming of Obamacare. Most of this decline came about because more people reached the age of 65 than reached the age of 18 during that time period, which led to a swelling of the Medicare rolls. The remainder is probably due to a shift of the working poor from employer plans to Medicaid. A slightly larger proportion of people got insured under individual plans after the ACA, but it was a relatively small impact.
• Just like with Medicaid, there are more privately managed Medicare plans today, too. One-third of Medicare beneficiaries are opting to be covered under Advantage plans, which is about fifty percent more than prior to Obamacare.
• There is, and has been, much dialog about shifting healthcare from pay for volume to pay for performance, with many efforts to evangelize for that objective. Despite this, it mostly remains an unfulfilled aspiration. Almost all healthcare reimbursement is still pay for volume. The pay for performance crusade is aimed at reducing the overall costs for healthcare, and it does remain a promising idea for the future. However, to date, it has gotten relatively little traction. Advocates of pay for value plans like to proclaim that more than a third of healthcare payments already fall under this payment structure. This is deceptive, as most of the actual reimbursements made under those types of arrangements are, in fact, fee-for-service with a tiny element of pay for performance. The shift to MCO in Medicaid, which does lower costs, is probably the biggest side-effect of the ACA impacting costs. Unfortunately, this is generally achieved by rationing through inconvenience. That’s one way to bring down costs, but it’s got to be one of the least desirable ways to do it.
• Taxes were higher after Obamacare, but they’ve now been lowered, so that probably shouldn’t be a part of the discussion anymore.
• There is more money spent on regulation and compliance today than prior to Obamacare.
• Many young people stay on their parents plans until age 26, which is a popular provision of Obamacare.
• For a relatively small group of people, pre-existing conditions are no longer a barrier to insurance coverage because of the ACA. This is often misunderstood, since people with pre-existing conditions have been protected for at least a decade prior to the ACA. As long as those people carried health insurance continuously, they had full protection for pre-existing conditions long before the ACA came into being.
• There are many other provisions of the ACA that impacted narrow bands of people or narrow industry segments.

There were two major problems that led to the ACA in the first place – (1) there were far too many uninsured people in America, and, (2) healthcare costs were too high and increasing rapidly.

The law has driven significant progress toward solving the uninsured problem by reducing the ranks of people without insurance by 20 million and shifting the burden of paying for their healthcare from private healthcare providers to the government. On the other hand, Obamacare has largely failed to deliver results with respect to lowering costs, outside of working around the edges to slow cost inflation in some areas.