Safeguarding against healthcare data breaches is a proactive approach to protecting your practice, not a reactive one.
As has been noted recently by Healthcare IT News, healthcare data breaches occur frequently, and as I have previously reported, most of them are inside jobs.
That aside (I’m not trying to dismiss the importance of this fact, just trying to move this piece along as I know your time is limited), many can be prevented by employing the proper information systems like two-factor authentication, but nevertheless, cleaning up after a breach is much more expensive than preventing one.
According to Healthcare IT News, healthcare data breaches are incredibly expensive, with the costs of investigations, notifications and follow-up piled on top. With that, let’s take a look at some steps that you can take to safeguard against data breaches.
According to the magazine:
Cast a wide net: Ensure you assess your practice’s capabilities for dealing with a data breach. Establish a plan, bring in the practice’s appropriate leaders who can drive the practice forward and work to educate employees about the importance of data integrity. “This might include subject matter experts from cross-functional areas like IT and operations to human resources, or compliance and legal to other key supervisors or managers,” writes Healthcare IT News.
Here are a few additional points from the magazine’s report:
• Establish protocols for tasks.
• Create timelines.
• Establish communication among the team to ensure everything runs as smoothly as possible.
Know thy data: Take stock of your data. Start with reviewing current and past projects, reviewing current documentation and how your practice typically gathers information. “One of the key components of any assessment is determining how personal health information (PHI) and electronic personal health information (EPHI) are received, stored, transmitted, accessed or disclosed. Once you have fully scoped your assessment, you can begin gathering the relevant data.”
Address your practice’s vulnerabilities: Known or unknown, this is the time in which you begin putting your plan in place. This is the point of your plan in which you push play.
Document everything: Since you’ll need everything in writing as part of the process, you’ve got to prepare by making sure all of your processes and data are in writing. According to the magazine, “Not only do those reports then become a historical document for an organization’s administration to refer to in the future, they’re also proof that a provider has performed due diligence around responsibilities for storing confidential data.”
Follow up and engage often: Don’t just put a process in place, but follow up on it. Adjust the process as needed and address any potential red flags immediately. Not doing so is tantamount to failure. Silence is consent, and becoming aware of an issue that you don’t address is essentially guilt by association.
Check your progress: Take stock of your risk assessment on a regular basis, “especially after a change in technologies, administration, regulations, or business operations.”
The meaningful use of data collected in an electronic health record continues to be the stump speech of Farzad Mostashari, National Coordinator for Health Information Technology.
He’s been pushing the message for months: those achieving or working toward meaningful use attestation need to get beyond just the financial incentives of the program, he says.
Physicians and their healthcare systems need to dig deeper and realize the importance of the data that they have at their hands. They need to realize just how to leverage the data to improve their patients’ health outcomes and lead those in their care down an educational path about the importance of their involvement in their care and how electronic systems can help improve their interaction with their care providers.
For meaningful use to work, those in the community need to make sure they’re using the data collected meaningfully. Meaningful use is a tool and it should be used as one; but unlike a simple jack knife, it’s a multi-purpose, multi-blade, do-it-all Swiss Army knife.
If used correctly, as a means for change rather than a singular solution for incentives, Mostashari believes that meaningful use can actually lead to population health management (the real reason behind meaningful use), more patient engagement (this is yet to be determined) and the creation of health information exchanges (yes, but we need interoperable systems before we see widespread use of data outside their silos).
His ambitions are correct, and collectively, there is a fundamental agreement that meaningfully using EHRs will help accomplish all of these goals (though patient engagement may remain the stickiest of wickets). The problem here, though, seems to be that even though most physicians want to dive into the deep pool of big data, they just don’t seem to be able to catch their breath.
In all walks of life we face the day-to-day grind of ongoing and seemingly never-ending tasks that drive us further away from our goals. However, it’s different in healthcare. I just can’t seem to think of any other professional group (other than members of the military and police forces) under so much constant pressure to produce positive, long-term results for the people they serve.
In addition to making life and death decisions, our physicians and healthcare leaders are constantly facing the deluge of regulation and reform (meaningful use, ICD-10, HIPAA and even to a certain extent malpractice and 5010).
Healthcare professionals are overrun by details that have taken them into the weeds. Their days are long and their time is short. We can argue if electronic health records actually save them time and money. Depending on whom you speak with, each person has an opinion as to its effect. Add everything I previously mentioned and it’s simply overwhelming.
I firmly believe that in a best case scenario, we’d be able to meet all of Mostashari’s proposed goals. Big data would (and can) lead to a changed system and provide real and personal stories of improved health outcomes. I believe that if we could clear away the clutter, we could begin building upon the foundation and create the best, most comprehensive, patient-serving healthcare system that produces results and actually changes lives.
But, for now, we live in a database world where no matter how meaningfully we use them there’s still much left to be desired.
My time spent with a major EHR vendor was to educate members of the healthcare community (physicians, nurses, practice leaders, hospital administrators, etc.) and the general public (patients, consumers, people like you and me) about the benefit of electronic health records and how to navigate the EHR implementation process.
As you can figure, most of the talking points included operational efficiencies of the systems, how practices could improve their practices and save money without paper, how they could create the opportunities for bringing in more patients by using EHRs, and so on and so forth.
What is rarely talked about by the vendor community (and given my former seat at the messaging table, I think I’m qualified to make this statement) are the inherent challenges faced when implementing an electronic health record system.
That said, the following are some of the biggest hurdles practices face when they begin the EHR implementation process:
Training: You need training on your system. You need more than eight hours. You need more than 16 hours. Implementing an EHR is a major undertaking and it can take months, if not longer than a year, to truly implement. Even after that, you may need additional training.
Don’t make the mistake of contracting for the least amount of training offered by your vendor. Don’t be fooled into thinking less training means you’re saving money. The money you save on training now will be spent later when your staff fails to truly understand how to use the system. Purchase more than enough training and consider training super users who become true experts in the use of the electronic health record.
You must make sure you secure internal buy-in. You need to establish an education program for your staff and create communication channels for your staff so that you can ensure the greatest level of buy-in. During this process, explain the needs for the system and why the practice is moving in this direction. If this is a re-boot for your practice and you’re implementing a second or third system, discuss the reasons for the change and why it’s important to the health of the business.
As with employees, you must educate patients. The importance of this statement has never been as true as it is now, especially given the move toward patient engagement through meaningful use Stage 2. Engaging patients in the EHR implementation will help create external advocates for your practice, and will lead you down the road toward educating them about the benefits of tools like patient portals. Education is key here. Work to create patient champions. Do not brush them off as individuals who are either not interested in the technology or not sophisticated enough to understand the scope of your work. Doing so may lead to an epic fail of your long-term plans for a unified, smooth-running, meaningfully used practice.
Lack of a pre-implementation plan may kill the project from the start. An implementation plan means you’ll be able to perform a workflow analysis. Workflow analysis reveals practice inefficiencies and provides you insight into where you need to focus your efforts during implementation. An implementation plan allows you to redesign processes, look for ways to create additional practice efficiency, increase patient and staff satisfaction, and align your goals with your long-term practice plans.
Lack of vendor transparency. Those who don’t seek it may find themselves owned by their vendor partners. You must ask questions, demand answers and don’t take their word for it. Vendors want long-term contracts that are sometimes as gray as possible. Review the contracts, never treat vendors as your friend (or at least not during the negotiation process) and ensure the best deal for your practice. Seek optimizations and customizations. Ask for referrals; call the referrals. Go on site visits, but make sure they’re not all hand-picked by the vendor. To accomplish this goal, consider reaching out on the web and aligning with practices in your area that use the system you’re thinking of purchasing. Do some independent research.
Unneeded long-term vendor contracts. Don’t sign long-term contracts unless it makes absolute sense. Some vendors require contracts of unreasonable length, like seven years. Granted, implementation is a major undertaking, but a seven-year contract is unnecessary and only serves the vendor. Be cautious of a deal of this magnitude. You wouldn’t sign a seven-year lease for a car, a property or anything else. Take a vendor move like this as a sign the vendor has plans to lock you in for its own personal gains – to make itself attractive to potential buyers or to boost quarterly reports – not your own.
Waste in government is commonplace. As a former government employee, I’m sure I’ve even helped contribute to some of the shortfall in a very small way (even if it was on a state level). But, it appears the money wasted in healthcare is pretty robust, according to a new report by PBS News Hour. (Perhaps I’ve double dipped in the wasted money pool since my government experience was gained in a healthcare organization).
According to the News Hour piece, via the Institute of Medicine, the healthcare industry wastes more than $750 billion a year (or it did in 2009). The money was lost in a variety of areas. Specifically: unnecessary services, inefficiently delivered care, excess administrative costs, inflated prices, missed prevention opportunities and fraud.
What’s wonderful about the PBS piece, though, is how well it illustrates how other industries would be affected if they operated as “efficiently” as healthcare.
Here are a few eye openers (and I’m quoting the piece directly):
Banking: ATM transactions would take not seconds but perhaps days or longer as a result of unavailable or misplaced records.
Home Building: carpenters, electricians and plumbers each would work with different blueprints, with very little coordination.
Shopping: product prices would not be posted, and the price charged would vary widely within the same store, depending on the source of payment.
Automobile Manufacturing: warranties for cars that require manufacturers to pay for defects would not exist. As a result, few factories would seek to monitor and improve production line performance and product quality.
Airline Travel: each pilot would be free to design his or her own pre-flight safety check, or not to perform one at all.
Fun stuff, huh? Let’s look at how PBS took it a step further.
Let’s put it in perspective: of every dollar spent in healthcare, 30 cents is wasted. And where could all that money go?
The wasted money is enough to cover the salaries of all major league baseball players more than 260 times, All Stars and all.
The $750 billion could cover the price tag for the 2012 London Olympic Games more than 50 times.
That wasted money could easily cover the healthcare of all U.S. veterans from the last 51 years.
Think students have a tough time trying to pay for their college educations? The $750 billion in wasted healthcare costs could cover the tuition of all 17 and 18 year olds for four years including room and board. That’s staggering, simply staggering.
If you’re into the Defense Department, the waste could cover its entire budget for a year.
Maybe foreign aid is more your thing. How about this: The healthcare waste could cover everything we’ve given to other countries in aid since 1974, with quite a bit left over.
If none of those facts hit home, perhaps this one will: All the waste in the industry could cover all the healthcare costs of uninsured Americans (in 2008) more than six times.
The good thing about waste is that it typically turns out to be someone else’s treasure. Something to think about or maybe that’s the point.
Mobile device management is vitally important. Mobile devices are not going away and they continue to affect the professional setting, and managing the safety of mobile devices is important to organizations.
As a business leader with an enterprise to protect, one of the most important, and possibly easiest, steps to take is managing the safety of mobile devices. There is no way to avoid, or ignore, employees’ personal use of mobile devices in your “public” setting.
75 percent of mobile users believe it’s critical to their jobs to use a mobile device. Employees feel that using mobile devices makes their jobs easier, and they feel more productive. Employers also feel that allowing their employees to use the devices means their employees are always connected and always on.
85 percent of IT managers believe that the introduction of a mobile ecosystem has made the companies they manage more productive. With the exception of having to implement policies to monitor, protect and manage employees’ personal devices, mobile devices also help save companies money and create efficiencies.
Smartphones and laptops are the obvious front-runners as the devices most used in the workplace, but personal tablets are becoming increasingly common in the professional setting.
According to CDW, 25 percent of mobile device users use tablets at work; 69 percent of tablet users use their own tablet at work.
The trend is expected to rise by 117 percent in the next two years. No surprise here. If you are surprised by this point then you might be wondering why this is so important.
Why? I’ll let Leiva-Gomez sum it up, as it does so aptly: “The CDW report concludes that 67 percent of IT managers aren’t even familiar with the concept of Mobile Device Management. Are you?”
MDM is much too important to ignore. Not taking an active role in its implementation or its management could put you and your practice’s health information in jeopardy. If a device is swiped, stolen or ripped off, there’s also a pretty good chance you’ll face violations and fines for your HIPAA breaches.
If for no other reason, let this be a motivation for you. An ounce of prevention is worth a pound of cure, or so I’m told.
Is health IT a crystal ball? Nope; not yet. For all of its good, health IT still lacks in so many ways. Health IT may save the masses, but not necessarily the individual at this point. As it matures and grows, no doubt it will fill some voids, but as far as its current capabilities, the information collected in the form of electronic health records, for example, is still nothing more than a repository of information gathered from the past.
What we need are technologies that hint or predict health outcomes before they happen. I’m not talking about broad brush analysis, but individual predictions for each person with a record.
Who wouldn’t want their medical cases charted and entered into an EHR if it could help physicians determine which conditions were going to impact them down the road?
It’s not lost on me that on the current road map, if all healthcare data is aggregated, there’s a hope that a population’s data may provide insight into predicting what’s in store for the said population.
To cite IBM, “As digital records and information become the norm in healthcare, it enables the building of predictive analytic solutions. These predictive models, when interspersed with the day-to-day operations of healthcare providers and insurance companies, have the potential to lower cost and improve the overall health of the population. As predictive models become more pervasive, the need for a standard, which can be used by all the parties involved in the modeling process: from model building to operational deployment, is paramount.”
Even though current forms of data collection are merely meant to gather information to help establish standard approaches to most types of care in which the care system will use to treat the majority of patients (evidence-based care, essentially) as a way to reduce costs to the system (health insurance providers not excluded), there is little push for technologies that could actually help determine, at the individual level, what may affect us and how to treat it before it becomes chronic or life threatening.
Let’s be clear: I’m not talking about predicting the obvious. For example, in cases where years of overeating and lack of exercise are present, no one needs to predict what the outcome is likely to be. I’m referring to other types of conditions that are, for the most part, unavoidable: MS, cancer, Alzheimer’s, and so on.
Whoever begins to develop these technologies is going to set the market and turn healthcare on its head. These people, or this person, will be considered geniuses, and their effect on millions of lives will be great. It might be science fiction of me to think this will ever happen, but it gives me hope to think it could happen.
Until then, if such a day ever comes, we have to wait and hope for the best like a dear friend of mine who recently was diagnosed with brain cancer. Ironically, she has always been an advocate for healthful living, living an active lifestyle, working with a major organization dedicated to lobbying for and providing hope to those affected by cancer, and even championing healthcare technology as a means to improve patient health outcomes and our health as a society.
But given all of these efforts, despite the wise choices she’s made to live healthy and help others, there was little that could be done to predict that she too would be in this situation, where if predictive technologies existed she could have benefited.
Now, because there is not a predictive crystal ball, despite all the technological gains we’ve made, she, like everyone else, must react rather than act.
Sad to think that even after all the billions being spent in healthcare technology and with all of the apparent advances, as individuals, are we really better off?
There’s no surprise that healthcare mobile technology is changing the industry. The movement has been underway for as long as the technology has allowed, and as the technology becomes more sophisticated, so do the ways the technology gets used.
In a recent annual research study by the Manhattan Group published by HIT Consultant, we continue to get a much clearer picture of how U.S. physicians are using the Internet and mobile technologies in the workplace.
For the study, called “Taking the Pulse 2012,” 3,015 physicians in 25 specialties were surveyed.
Here are some of the high points.
In the United States, more than 85 percent of physicians use smartphones in the practice setting. This is up from 81 percent in 2011 and up from 72 percent in 2010. That’s a 13-point jump in use of the devices in two years, but really, the number is not surprising. The devices help physicians in multiple ways, personally and professionally, and there’s little doubt the increased use will continue and grow.
Next up: Tablet adoption among physicians has nearly doubled in the last year, from 35 percent in 2011 to 62 percent in 2012. Clearly, that’s amazing. Of those, more than 80 percent are iPads.
Of all the tablets being used by physicians, more than half have used them at the point of care.
Regarding patient interaction and engagement, according to the Manhattan Group, 39 percent of practicing physicians communicate with patients via electronic means including email, secure messaging, instant messaging or video conferencing.
Personally, that number is higher than I expected, but it’s obviously only going to grow much larger, especially as patient portals are implemented and with meaningful use Stage 2 looming.
Physicians also spend an average of 11 per week online for professional purposes, and those with three screens available to them – smartphone, laptop and desktop — spent more time in front of those screens than did their counterparts with just one or two screens.
What does all this data mean? You don’t need me to tell you that healthcare mobile technology is growing. It’s clearly safe to say that those of us (I’ll put myself in this group) that say healthcare is way behind the rest of society in technology use may not be able to make this claim any/much longer.
Mobile device use is exploding in all areas of our lives; healthcare is no exception. Physicians, like the rest of society, are seeing the benefits of the technology and taking steps to implement these devices into their work lives.
I believe we’re getting to the point where healthcare mobile technology will finally surpass the age of electronic health records and the shift in conversation will center around mobile health.
Like the conversations we’ve been having for years about market/vendor contraction, the same goes for mobile health in that we’ve been talking about it for some time. Well, unlike vendor contraction, the days of mhealth are upon us and we’re seeing how a technology actually is changing a profession.
Healthcare big data is a big story, and it’s only going to continue being one. It’s a story I like and am intrigued by, but it’s not very sexy. Because of this, the only pieces of information about it seem to be very technical.
Until we actually see how big data changes lives, there’s just not going to be warm and fuzzy stories about it. So, cold and technical it is; nonetheless, I’m still fascinated.
In searching information about the subject, because I too want to know more from a ground floor level, it was nice to come across a nice piece about big data on the Cleveland Clinic’s website.
So, getting right into it, here’s an interesting piece of trivia about healthcare big data directly from the Clinic: “The amount of data collected each day dwarfs human comprehension and even brings most computing programs to a quick standstill. It is estimated that 2.5 quintillion bytes of data are created daily, so much that 90 percent of the data in the world has been created in the last two years.”
Healthcare big data is essentially large amounts of data that are difficult to manipulate using standard, typical databases. Essentially, big data is very large pieces of information that ultimately, when captured, can be analyzed, dissected and used to monitor segments within a given sect.
Healthcare big data, it is thought, is what will drive change in care outcomes. What’s interesting, though, is that even though there’s a tremendous amount of data available for use, it’s just not being collected in a structured manner.
Collecting structured data is a must if we are going to begin putting some muscle to the bone of the new healthcare ecosphere we’re putting in place. You don’t have to take my word for it; IDC Health Insights research director Judy Hanover spoke of the same subject recently here.
But, to prove my position, I’ll let Cleveland Clinic make the point: “Unfortunately, not enough of this deluge of big data sets has been systematically collected and stored, and therefore this valuable information has not been aggregated, analyzed or made available in a format to be readily accessed to improve healthcare.”
Also according to the Clinic, if all of the data currently available were used and analyzed, it would be worth about $300 billion a year, reducing “healthcare expenditures by almost 8 percent.”
At the heart of healthcare big data is the hope that it can eventually help providers become predictors. Essentially, big data is like a big crystal ball, or so it’s been said.
According to Cleveland Clinic: “In this way, analytics can be applied to better hospital operations, track outcomes for clinical and surgical procedures, including length of stay, re-admission rates, infection rates, mortality, and co-morbidity prevention. It can also be used to benchmark effectiveness-to-cost models.”
Predictive analytics: That’s what it’s all about.
With all of the attention being given to big data, the warnings about being prepared for it so it doesn’t sneak up on you – like meaningful use and ICD-10 – are valid and should be taken seriously.
Efforts are currently underway, and tools are available, for big data processing and data management. “This dynamic data management technology makes data analysis more efficient and useful. Access to these data can also significantly shorten the time needed to track patterns of care and outcomes, and generate new knowledge. By leveraging this knowledge, leaders can dramatically improve safety, research, quality, and cost efficiency, all of which are critical factors necessary to facilitate healthcare reform,” writes Cleveland Clinic.
Big data is a catalyst for change, and without sounding caustic, will be a bigger deal than electronic health records currently are. Without a commitment to it, practices and healthcare systems will be left behind.
Regular readers of this blog will know that I spend a good deal of time focusing on managing mobile device data security in healthcare information technology, and the impacts of how breaches ultimately affect patients.
As such, I’m developing a strong interest in BYOD and the policies that need to be set in place to protect the information that all of us as consumers, myself included, hope remains safe.
So, I came across a piece recently by SecurEdge Networks that I think resonates, offering some of the best tips for managing mobile device data in the healthcare environment.
Though it’s a top 10 list, I’ll focus on what I think are some of the most important points. Feel free to let me know if you agree, or if you have other tips worthy of the list.
According to SecurEdge Networks, at number one of the list is basic security. It’s a must. Basic security typically comes down to simple use of strong passwords. In addition, staff members must be required to change their password after a certain amount of time, and a system must automatically lock after a certain period of inactivity.
Containerization of data, specifically on mobile devices, allows for the separation of personal and professional data. Setting up containers allows a personal device to be used in the workplace while protecting all of the company’s data in a secure container that can be wiped in the case of a lost or stolen device.
Next, limit which apps can be downloaded to a mobile device used in the workplace. There are tools available that completely block installation of outside apps on corporate and personal mobile devices, helping reduce the exposure to viruses or malware. According to SecurEdge Networks, “Having a corporate app store that has only pre-screened apps for the platform included is an effective tool for securing mobile devices that are used to access confidential information.”
Next up, one of the most basic steps one can take in a BYOD environment is to ensure that basic security software is installed. “Anti-virus and anti-malware programs should be installed and software firewalls should be put in place for each device,” cites SecurEdge Networks.
Finally, what may be the most important tool available to practices and hospitals engaging in a BYOD program is remote wiping. If a device is lost or stolen, having the capability to remotely wipe the device is essential. Some companies even go so far as remotely wiping any data on the corporate side of the device when it leaves a set geographical area. Since the data isn’t stored on the mobile device, this is an easier process. Personal data can also be wiped, which is attractive to employees who may have some initial resistance to having their devices accessed by their employer.
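As an added example (not from SecurEdge Networks or any MDM product), the five controls above can be written as an audit over a device inventory plus a lost-device response rule. The thresholds, app names, device records and response labels are all constructed assumptions, since the list only says "a certain amount of time".

```python
from dataclasses import dataclass, field

# Assumed baseline: placeholder values a practice would replace with its own
# policy numbers; none of them come from the SecurEdge Networks list.
MIN_PASSCODE_LENGTH = 8
MAX_PASSWORD_AGE_DAYS = 90
MAX_IDLE_LOCK_SECONDS = 300
APPROVED_APPS = {"ehr-client", "secure-messenger", "mdm-agent"}  # hypothetical app store


@dataclass
class Device:
    owner: str
    passcode_length: int
    password_age_days: int
    idle_lock_seconds: int          # 0 means auto-lock is disabled
    container_enabled: bool
    antimalware_installed: bool
    firewall_enabled: bool
    remote_wipe_enrolled: bool
    work_apps: set = field(default_factory=set)
    reported_lost: bool = False
    inside_geofence: bool = True


def audit(device):
    """Return (control, detail) findings; an empty list means compliant."""
    findings = []
    if device.passcode_length < MIN_PASSCODE_LENGTH:
        findings.append(("basic-security", "passcode too short"))
    if device.password_age_days > MAX_PASSWORD_AGE_DAYS:
        findings.append(("basic-security", "password overdue for change"))
    if device.idle_lock_seconds == 0 or device.idle_lock_seconds > MAX_IDLE_LOCK_SECONDS:
        findings.append(("basic-security", "auto-lock missing or too slow"))
    if not device.container_enabled:
        findings.append(("containerization", "work data not separated"))
    unapproved = sorted(device.work_apps - APPROVED_APPS)
    if unapproved:
        findings.append(("app-control", "unapproved apps: " + ", ".join(unapproved)))
    if not device.antimalware_installed:
        findings.append(("security-software", "no anti-malware"))
    if not device.firewall_enabled:
        findings.append(("security-software", "firewall off"))
    if not device.remote_wipe_enrolled:
        findings.append(("remote-wipe", "device cannot be wiped remotely"))
    return findings


def wipe_action(device):
    """Pick a response for a lost device or one outside the permitted area.

    The response labels are assumptions made for this example.
    """
    if not device.reported_lost and device.inside_geofence:
        return "none"
    if not device.remote_wipe_enrolled:
        return "escalate-incident"      # nothing can be wiped: treat as a possible breach
    if device.container_enabled:
        return "wipe-container"         # corporate side only, personal data untouched
    # No container: only a confirmed loss justifies wiping the whole device.
    return "wipe-device" if device.reported_lost else "flag-for-review"


def fleet_report(devices):
    """Map each owner to their findings and the wipe decision."""
    return {d.owner: {"findings": audit(d), "action": wipe_action(d)} for d in devices}


# Constructed sample inventory (not real devices or users).
FLEET = [
    Device("nurse-a", 10, 30, 120, True, True, True, True,
           work_apps={"ehr-client", "mdm-agent"}),
    Device("dr-b", 4, 200, 0, False, False, True, False,
           work_apps={"ehr-client", "free-flashlight"}, reported_lost=True),
    Device("admin-c", 12, 10, 60, True, True, True, True,
           work_apps={"secure-messenger"}, inside_geofence=False),
]

if __name__ == "__main__":
    for owner, result in fleet_report(FLEET).items():
        print(owner, result["action"])
        for control, detail in result["findings"]:
            print("   ", control, "-", detail)
```

The lost, unenrolled device is the case worth noticing: with no remote-wipe capability the only remaining response is incident handling, which is why enrollment is checked before a device is allowed to hold work data.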
As noted by SecurEdge, employees who are allowed to use their personal devices in the workplace are often happier, more productive and always on. “Allowing employees to bring in their own devices can be an effective policy, boosting productivity and reducing operating costs.”
On this subject, there’s more to come; stay tuned.
Fund next year’s Post-it notes. You can. Through crowdfunding, which seems to have become one of the market’s hottest concepts.
There are other crowdfunding platforms available to the philanthropic among us who wish to contribute to the greater good however we can. Among them is the well-known mainstream effort known as Kickstarter. Then there’s Medstartr, the crowdfunder focused explicitly on healthcare products.
Enter Health Tech Hatch. Probably the newest kid on the block; perhaps or perhaps not the least well known in the space.
Its approach to crowdfunding, to “fund next year’s Post-it notes” as it were, is one of the most inspiring I’ve seen on the topic. It’s a simple concept, but there’s a passion behind this one that I haven’t found elsewhere. It conveys to me the possibility that big ideas can become big things, and you, as a passionate supporter of a cause, can take part in the development of the idea for a contribution of a few simple dollars.
Health Tech Hatch is similar to others. Those with an idea can post a project to request funding for a variety of things including apps, programs and other items directed toward the betterment of healthcare as a whole.
Though Health Tech Hatch is limited in scope and size, and seemingly has a limited track record for producing fully funded projects (I suspect it’s only a short time before that happens), the service is an effective and needed addition to the crowdfunding landscape. And the service works exactly like its counterparts: Investors only pay if their project is fully funded, and Hatch works to bring entrepreneurs step by step through the process of finding funding.
Additionally, Hatch defines the process for a successfully funded project, including:
A well-thought-out budget
Creative, thoughtful rewards for funders
A realistic timeline
A name that stands out
An informative, entertaining video
A pretty picture
An enthusiastic write-up
An intriguing company description
On top of this, Hatch provides for the opportunity to test a campaign, using the experience of its advisory committee, to ensure a project has the best possibility of funding success.
According to Hatch, “Crowdfunding is all about collaboration, pooling resources to support someone else’s efforts … the process is a two-way street: We help entrepreneurs carve out a pathway to present their ideas to the world, while enabling funders to provide feedback, offer moral support and above all, finance next year’s Post-It — in both the for-profit and nonprofit worlds.”
Given the overwhelming amount of attention services like Hatch continue to receive (this site not excluded), it’s apparent that crowdfunding will play an overwhelming role in the development of new technology designed to serve the healthcare community, be it patients or providers. We’re discovering that sometimes taking the lead means we have to get involved. Healthcare technology continues to evolve away from a single provider (vendors) of technology. Individuals want to move the market, and perhaps crowdfunding through sites like Hatch creates innovation, and reinforces the concept that big ideas can create big things.
Sites like Hatch help us believe that with a little effort and a little involvement, individuals can actually create the Post-It notes of tomorrow.