Look forward to seeing as many people participating in this all important topic of cyber security and privacy.
As we look in the rear view mirror back on 2014, the year that was supposed to change our coding and billing systems, we see that ICD-10 dominated the news with its postponement in April and CMS’ subsequent new date of October 1st, 2015. Over the last few weeks though, I’ve heard rumors of yet another delay, this time due to the new political climate in Washington, D.C. These rumors are unsubstantiated, so I would keep them as such. I would record it as a risk to the program for those seeking to restart their ICD-10 initiatives.
Healthcare provider and payer organizations were in “shock and awe” (shocked and many people saying “awww”) at the same time, with a high number of provider organizations deciding to postpone their programs indefinitely until the new date was announced, and many just restarting their programs either late in the year or planning on doing so at the beginning of the new year, 2015.
The mission of provider IT organizations changed. Just as it was in the pre- and post-Y2K days, organizations now wanted to get actual intelligence or analytics from the large systems that they had implemented at such great cost. We came full circle: Analytics started coming to the forefront during the year, and it matured after all of the interest, talk and presentations on Big Data, Business Intelligence and Analytics over the last few years. Actual data was leveraged in case studies that I know of this year on Population Health Management and better response times in the ED.
In a recent article in Clinical Innovation and Technology, it was reported that “as of November 2014, 11,478 eligible professionals and 840 hospitals have attested to Meaningful Use Stage 2. In total, 15,481 new EPs and 221 new hospitals have attested in 2014”. The healthcare provider ecosystem was able to move forward despite some inertia at the beginning of the year.
Many organizations also realized that their infrastructure needed to be updated with projects such as XP to Windows 7 migration, something that needed to occur due to the end of support in April by Microsoft for their well-known Microsoft XP Operating System.
Consumer health devices started to get mainstream traction, with products like Fitbit and Google Glass starting to look at possible mHealth applications for providers in the future.
The vision and ‘utopia’ of an Interoperable Healthcare ecosystem received a major boost with The Office of the National Coordinator for Health Information Technology releasing its “10-Year Vision to Achieve An Interoperable Health IT Infrastructure” by 2024. This would be a baseline for future infrastructure development across the United States and possibly even a starting point for world leadership in healthcare systems and infrastructure interoperability.
What a year it has been and we have so much yet to come in 2015 and beyond.
The healthcare IT headlines have been screaming about the lapses and dysfunction of information security. The reported data breach at UPMC, the reported breach at Cottage Health System last year, the news from Healthcare IT News that “Nashville, TN based Cogent Healthcare also recently reported an incident when a site the organization was using to store patient data had its firewall down, that exposed the PHI of approximately 32,000 patients” and the recent attack at Boston Children’s Hospital, reportedly by the group known as Anonymous, have brought to the forefront the need for a better defense strategy for healthcare’s security infrastructure, protocol & policies across the spectrum.
How many provider CEOs, CIOs, CFOs and VPs of Medical Records think about their organization’s plans for organizational continuity if they should have to defend against hackers or update their infrastructure? How many know of the ability to wipe data off a remote tablet or device? The physicians all want these lighter, “easier to use” devices that can help put in their clinical notes faster and allow them to see their 30 to 40 patients (depending on the physician) a day without lugging around the heavy laptop all day.
I’m sure that not many had really thought about a renowned hacker group trying to hack into and access the medical records of a children’s hospital (until now). I’m quite sure that when sitting in a board room and discussing the investment of time & organizational resources to defend against these possible situations, while it has been taken with the utmost seriousness, the prevailing thinking is a “this won’t happen to us” attitude.
Well, it can and it will in this new, cyber age. A Healthcare IT News article mentioned that Verizon reported that the majority of data breaches were from the theft or loss of unencrypted devices. Do we need to take healthcare information encryption to a whole new level?
In addition, is two-factor authentication enough or do we need to start thinking about multi-factor authentication? When deploying the infrastructure for a healthcare provider in our region we focused on tap badges and deployment of tap badge readers versus fingerprint scans as part of the two-factor (something you have, e.g. a badge, and something you know, e.g. a password) authentication stipulated by the Ohio Board of Pharmacy requirement. Maybe the time is appropriate to think about a 3rd factor (something that the user is, adding their fingerprint or retina scan…yes, I know, we’re getting into sci-fi realm here). All this will take time to finally get implemented, and as the costs of security and defense of systems mount, so will the costs associated with our healthcare. Ohio, for instance, has probably spent close to a billion dollars taking into account all of the healthcare providers in the state and their implementations over the last few years of EHR and the supporting infrastructure to run it appropriately. This investment will take years to achieve the ROI. Imagine if we now need to start thinking about further securing our healthcare information and needing new standards for that? Will this kill any push towards the cloud?
While organizations like Microsoft thought this through when they acquired PhoneFactor in 2012 and are primed for this wave, this latest wave of breaches, penalties and attacks on healthcare infrastructure will surely make more than a few sit up and take notice, not only of the opportunity to improve in an insightful and cost-effective way, but also of the need to continue to prioritize patient safety through security. With HIPAA notification requirements having become more stringent as of the fall of 2013, care delivery organizations should seriously plan dress rehearsals or “fire drills” to prepare for a new age of information defense. Where’s an “ethical hacker” when you need one?
Over the last couple of years, the cloud (distributed) computing concept has received a lot of traction. Its ability to leverage virtual, scalable hardware for information systems can alter the costs associated with the high cost of healthcare in the United States today. It has been a source of discussion by many in the mostly technology-conservative care delivery industry.
At a recent discussion with a care provider’s IT infrastructure department, I discussed with them the factors that would influence their adoption (or lack thereof) of cloud-based infrastructure. Their first response (to my “What about leveraging the cloud?”) was, “Well, what do you mean when you say ‘Cloud’? We already have our own private cloud that we manage ourselves”. Further discussion on this yielded the apprehension of the team to adopt the cloud and all that it had to offer. Was it that they did not want to change? Or that change was arriving all too quickly on their doorstep and they did not have the opportunity to test it out to see if what the cloud offered would be beneficial to them?
One of the factors that came out during our discussion was that the cloud is ‘the’ perceived security risk. Your most precious asset, data, is now not in your control. Loss of control is the factor there. Reliability and security must be top priorities in the planning and selection of cloud services for the healthcare industry. When building your requirements for cloud adoption, ensure that your solution meets HIPAA regulations first and foremost. Bandwidth issues will be something that would affect the quality of care you would receive as a patient. During an infrastructure deployment in 2012 for an Ambulatory infrastructure implementation, the team I was part of physically went to several clinics around the city to make sure that the standard two-factor authentication tap badges and devices were deployed at all those locations prior to Ambulatory go-live. At one clinic, we discovered that the authentication process took a long time to register, but this was due in part, we realized, to their bandwidth connection. Where other clinics took less than a second or two, this one took as long as possibly 8-10 seconds, which is a lifetime when you are focused on many patients each day. If applications are stored in the cloud, IT departments fear that the speed of the “pipe” would slow considerably the further away the application is stored from the actual usage site. Essentially, performance issues are the concern.
Reliability and security are essential factors in building your requirements, and the new HIPAA Omnibus Rule gives cloud service providers a better opportunity to show their customer prospects that they are now better served by it. Healthcare IT departments must carefully plan the deployment of a pilot phase for this initiative with technological champions at clinics where physicians, operational staff and other clinicians are open to new ideas and ways of reducing costs and increasing efficiency for the organization.
The PMO can work with the clinic champions, Network Services, Security, Change Management and EMR analysts to understand what their roles and responsibilities need to be to carefully and successfully roll out this project. After the billions of dollars spent over the last few years to achieve Meaningful Use Stage 1 at many hospitals and the purchase of software and infrastructure to support that software, the sunk cost of implementing those initiatives would deter many provider organizations from moving ahead with cloud-based initiatives, unless they have been asked to make steep cuts in their IT budgets by hospital operations. Those cuts could necessitate the IT organization looking at alternative options to manage their budget, and then the adoption of the cloud has a chance. For systems integrators and cloud services vendors, the opportunity is to have a well-thought-out solution that you collaborate on with your healthcare customers. Have patience, keep educating and collaborating with your provider customers, and truly listen to their concerns by demonstrating to them that these concerns, while valid, would be functionally taken into consideration and part of your overall solution.
As we come to yet another year end, we reflect back on the year. There is a new leader at ONC, the ICD-10 transition is truly happening, Meaningful Use Stage 2 has had some changes, more healthcare provider organizations in the United States have implemented an Electronic Health Record and Patient Engagement initiatives are off to the races. IT Departments within provider organizations are busier than ever and many EMR experienced resources continue to turn over as the industry slowly matures.
With 2014’s imminent arrival and initiatives culminating during that time, good advice would be to stay focused, remember to stay ahead of the game and make sure to try and get as much done in advance as possible so that there is time for adjustments as you get closer to the dates that projects are required for completion. For ICD-10, vendors really need to bear in mind that they are holding up project completions across the country and need to be aware that if they want to charge customers to be ICD-10 compliant with their software, they risk potential loss of relationships with those customers. Most vendors have not charged their provider customers for an ICD-10 compliant version and that is the best thing that they could have done. If you don’t have an ICD-10 compliant version of your software by now or a statement of readiness, the recommendation would be to re-evaluate your vendor and product and think about alternatives.
Think about the cloud, think about what it would take to get there. This year is also about analytics. With all of this information now at your fingertips, think about how the organization can leverage this information to achieve better outcomes. XP to Win7 migration is around the corner. Be mindful of the risks associated with HIPAA. Think about the enterprise architecture your organization has. In 2014, this blog will discuss these topics, including areas that cover the patient experience and security as well.
Until then, stay safe, enjoy your New Year’s celebrations and see you in 2014.
Let me check my phone and get back to you. I’m sure everyone knows it’s so much more than a phone now. It’s an alarm in the morning, the main form of media that you read with your first cup of coffee, your organizer as you see what you have in store for you during the day and your recorder of memories that you will treasure for a lifetime. With everything happening on a mobile device, from taking pictures of checks to deposit in a bank to reviewing details of your office visit in your medical record app, the question about security of your mobile device in a healthcare setting was bound to be raised.
BYOD policies have been developed over the last few years in order to take into account the loss or theft of devices in a healthcare setting and the consequences they have for a care delivery organization. The ability to auto-wipe devices after a certain number of tries is a necessity. Care providers may not like the thought of their device losing all of its data, but the risks of continuing to have that information on the device, and the fact that 4-character or 4-digit passwords could be breached after 9,999 attempts, are something for which care organizations must have a mitigation plan in place. Too many times, the headlines talk about data breaches and the possible compromise of hundreds, if not thousands, of medical records due to a provider organization not properly planning for such loss of devices, mobile or otherwise.
Secure messaging also comes into this environment. There are many organizations now that need to leverage the benefits of secure text messages between the provider and patient and between providers as well. The ability to have secure and confirmed delivery, the data behind it to show how many patients leveraged this form of communication, the audit chain of the messages and, last but not least, compliance with HIPAA are what secure messaging communication requires to overcome the regulatory and practice challenges at healthcare provider organizations, with the HIPAA Omnibus rule from September 2013 also added to that regulatory mix. The ability to be more in tune with your patients through this form of communication and be able to engage faster with them brings positive strides to patient engagement metrics.
Ultimately, being able to provide great patient care through technological advances such as practical and timely mobile health solutions is what healthcare information technology teams should collaboratively strive to accomplish.