More Highlights from the 2020 HFMA and NEHIA Compliance & Internal Audit Conference

December 14, 2020

By Amber Fecik, Manager, Deloitte & Touche LLP and Amelia Abba, Manager, Deloitte & Touche LLP

As noted in previous blogs, the MA-RI Chapter of HFMA teamed up with the New England Healthcare Internal Auditors (NEHIA) organization on December 2nd and 3rd to put on NEHIA’s annual Compliance and Internal Audit Conference.  A few additional highlights from the conference include:

  • Tony Ollman, Partner at Baker Tilly US, provided tips and tricks for identifying construction fraud and how project controls can help mitigate fraud risk. Tony highlighted the following:
    • Accounts Payable (AP) functions should scrutinize construction invoices in the same manner as all other invoices, despite their complexity and the fact that a facilities employee may be reviewing the invoices as well. AP reviewers should look for anything that seems unusual, such as rounded numbers, items that seem cut and pasted, and unknown signatures.
    • Invoice reviewers should also look for contingency fees attached to each line item in an invoice and understand if such fees are permissible based on the contract signed.
    • Project managers should carefully monitor for advanced billing (i.e., billings in excess of progress) as problems can arise when construction companies get too far ahead.
    • Other items to be on the lookout for include when a construction company bills overtime for salaried workers, applies inflation rates when the current economic environment does not justify such increases, and charges equipment rental fees for equipment that is sitting on the project unused (companies should compare what they are paying for renting equipment versus the fair market value).

Presentation by Tony Ollman on Construction Fraud and Construction Risk


  • Anthony Siravo, Vice President and Chief Information Security Officer (CISO) for Lifespan, summarized medical device security risks in today’s healthcare environment and provided mitigation strategies to minimize the risk of attackers gaining access to systems. Key takeaways included:
    • “Internet of Things” (IoT) devices include printers, infusion pumps, MRI machines, CT scanners, X-ray machines, and even laundry machines. These devices are typically easy to compromise because of outdated or unpatchable operating systems, lack of encryption, insecure protocols, limited ability to contain an outbreak (due to how the device is set up and networked), regulatory non-compliance, and/or connections to third-party systems.
    • Organizations should ensure they have a formal risk acceptance process in place. Risk documentation, including the risk register and mitigation plan, is extremely important for maintaining a detailed record evidencing risk awareness and the action taken, should a breach or ransomware attack occur.
    • Risk mitigation solutions include manual or automatic encryption, containing and isolating systems, network access controls (e.g., blocking all known ransomware-spreading ports if they aren’t needed), and establishing a ransomware kill switch.
    • Phishing emails are the number one way attackers get into systems, so phishing education and simulated phishing campaigns are important in preventing successful phishing attempts.
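As an added illustration of how the mitigation points above can be turned into a repeatable check (this is example code written for this post, not material from Anthony Siravo’s presentation or from Lifespan), the following Python script audits a small, constructed device inventory against three of the controls mentioned: blocked ransomware-spreading ports, encryption of data in transit, and isolation of devices on a dedicated network segment. Any device with a gap is written to a risk-register entry that either shows a formal risk acceptance on file or is flagged as needing mitigation. The port list, protocol list, device names, and segment names are assumptions chosen for the example.

```python
"""Added example: audit a constructed medical/IoT device inventory against
the mitigation controls from the talk (blocked ransomware-spreading ports,
encryption, segmentation) and build risk-register entries for any gaps.
All device data below is constructed for illustration."""
from dataclasses import dataclass, field

# Ports commonly used for lateral ransomware propagation (SMB, NetBIOS, RDP, WinRM).
# Assumption: this short list is illustrative, not an exhaustive organizational policy.
RANSOMWARE_SPREAD_PORTS = {135, 137, 138, 139, 445, 3389, 5985, 5986}

# Protocols that carry credentials or data in the clear (assumed list).
CLEARTEXT_PROTOCOLS = {"telnet", "ftp", "http", "snmpv1", "snmpv2c"}


@dataclass
class Device:
    name: str
    kind: str
    segment: str                 # VLAN / network zone the device sits in
    open_ports: set = field(default_factory=set)
    protocols: set = field(default_factory=set)
    encrypts_data: bool = False  # encrypts data in transit / at rest
    risk_accepted: bool = False  # formal risk acceptance on file


def audit_device(dev, isolated_segments):
    """Return a list of findings (empty list means no gaps against the controls)."""
    findings = []
    spread = sorted(dev.open_ports & RANSOMWARE_SPREAD_PORTS)
    if spread:
        findings.append(f"ransomware-spreading ports open: {spread}")
    clear = sorted(p for p in dev.protocols if p in CLEARTEXT_PROTOCOLS)
    if clear:
        findings.append(f"cleartext protocols in use: {clear}")
    if not dev.encrypts_data:
        findings.append("no encryption of device data")
    if dev.segment not in isolated_segments:
        findings.append(f"not on an isolated segment (segment={dev.segment})")
    return findings


def build_risk_register(devices, isolated_segments):
    """One register entry per device with findings, noting whether the residual
    risk has been formally accepted or still needs mitigation / a decision."""
    register = []
    for dev in devices:
        findings = audit_device(dev, isolated_segments)
        if not findings:
            continue
        status = ("accepted" if dev.risk_accepted
                  else "needs mitigation or formal risk acceptance")
        register.append({"device": dev.name, "kind": dev.kind,
                         "findings": findings, "status": status})
    return register


# Constructed sample inventory (not real devices).
ISOLATED_SEGMENTS = {"iot-clinical"}
SAMPLE_DEVICES = [
    Device("infusion-pump-01", "infusion pump", "iot-clinical",
           open_ports={80, 445}, protocols={"http"},
           encrypts_data=False, risk_accepted=True),
    Device("mri-02", "MRI scanner", "iot-clinical",
           open_ports={104, 443}, protocols={"dicom", "https"},
           encrypts_data=True),
    Device("print-server-03", "printer", "corp-users",
           open_ports={9100, 139, 445}, protocols={"ipp"},
           encrypts_data=False),
]

if __name__ == "__main__":
    for entry in build_risk_register(SAMPLE_DEVICES, ISOLATED_SEGMENTS):
        print(f"{entry['device']} ({entry['kind']}): {entry['status']}")
        for f in entry["findings"]:
            print(f"    - {f}")
```

Run as-is, the script reports the infusion pump as a known, formally accepted risk and flags the printer on the user segment as needing either mitigation (closing SMB/NetBIOS ports, moving it to an isolated segment) or a documented acceptance; the MRI scanner on the isolated segment produces no findings. In practice the inventory would come from an asset-management or network-discovery tool rather than a hard-coded list.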

Presentation by Anthony Siravo on Medical Device Security Risks and Mitigation


You can view Tony and Anthony’s full presentations here:

We hope to see everyone at the conference next year!  Have a safe and happy holiday season.