In the age of the digital hospital and the connected patient, security will likely improve the less it depends on providers.
Everything from HIPAA to patient engagement treats physicians as the white-hot sun of the healthcare universe, holding everything together and keeping it all in stable orbit. They are accountable for health outcomes, for patient satisfaction, for guiding patients to online portals, and for coordinating with care teams to keep data secure — even as mobility and EHR dominance complicate every node in the connectivity chain. All this digital chaos diminishes security.
Only as Strong as the Weakest Link
Every business out there has learned — usually the hard way, or by watching someone else learn the hard way — that whatever the security infrastructure, users are the weakest link. More devices means more users, and more connectivity and data-sharing means more weak spots all along the chain. By design, the EHR system adds vulnerability to healthcare data security through a long chain of users.
Patients don’t have a systemic, accountable role in all of this. Our whole approach fosters passivity on the part of the patient and paternalistic assumptions on the parts of caregivers and policymakers. We tacitly acknowledge this imbalance whenever malpractice law or tort reform is mentioned, and promptly leave it behind in the face of other, patient-exculpatory programs and initiatives.
Patients are a part of this. Clearly they are invested in their own security — the costs of health data breaches contribute to the rising costs of care, besides exposing personal financial and medical information that can carry its own universe of costs.
Patients are implicated, but they must also be accountable for security in the new high tech healthcare system.
An Old Problem with New Importance
Getting patients included in the evolution and delivery of healthcare requires engagement. The same goes for digital security. The ethical and financial dilemmas of the security situation are an expensive distraction for administrators and caregivers, but they are a learning opportunity that could empower patients. A new emphasis on digital security and privacy could be the start of a cascade of engagement with further questions of use and responsibility for outcomes.
Already, patients are key players in making telemedicine effective. Access is on the shoulders of the patients, and utilization depends on their technical literacy. The incentives – time and money savings, improved access to care – are powerful, but come with the obligation to learn the platform through which remote care is delivered. Utilizing any telehealth solution requires patients to think about what information they want to share and whether they trust the new platform, to communicate effectively with their provider, and to gain confidence in the new medium.
This same model can be applied more broadly to EHRs, and the patient role in the digital healthcare system.
Guest post by Abhinav Shashank, CEO and co-founder, Innovaccer.
Former US President Abraham Lincoln once said, “Give me six hours to chop down a tree and I’ll spend four hours sharpening the ax.” After having a look at the efficiency of the US healthcare system, one cannot help but notice the irony. A country spending $10,345 per person on healthcare shouldn’t be on the last spot of OECD rankings for life expectancy at birth!
A report from the Commonwealth Fund points out how massive the US healthcare budget is. Various US governments have left no stone unturned in becoming the highest spender on healthcare, but have equally managed to see most of their money going down the drain!
Here are some highlights from the report:
The US is third when it comes to public spending on health care. The figure is $4,197 per capita, but it covers only 34 percent of its residents. On the other hand, the UK spends only $2,802 per capita and covers 100 percent of the population.
With $1,074, the US has the second highest private spending on healthcare.
In 2013, the US allotted 17.1 percent of its GDP to healthcare, which was the highest of any OECD country. In terms of money, this was almost 50 percent more than the country on the second spot.
In the year 2013, the number of practicing physicians in the US was 2.6 per 1000 persons, which is less than the OECD median (3.2).
The infant mortality rate in the US was also higher than other OECD nations.
Sixty-eight percent of the population above 65 in the US is suffering from two or more chronic conditions, which is again the highest among OECD nations.
The major cause of these problems is the lack of knowledge about the population trends. The strategies in place will vibrantly work with the law only if they are designed according to the needs of the people.
What is Population Health Management?
Population health management (PHM) might have been mentioned in the ACA (2010), but its meaning is lost on many. I feel the definition of population health given by Richard J. Gilfillan, president and CEO of Trinity Health, is the most suitable one.
“Population health refers to addressing the health status of a defined population. A population can be defined in many different ways, including demographics, clinical diagnoses, geographic location, etc. Population health management is a clinical discipline that develops, implements and continually refines operational activities that improve the measures of health status for defined populations.”
The true realization of population health management (PHM) is to design a care delivery model that provides quality coordinated care in an efficient manner. Efforts in the right direction are being made, but the tools required for it are much more advanced and most providers lack the resources to own them.
If population health management is in place, technology can be leveraged to find proactive solutions to acute episodes. Based on past episodes and outcomes, better decisions could be made.
The concept of health coaches and care managers can actually be implemented. When a patient is being discharged, care managers can confirm compliance with the health care plans. They can mitigate the possibility of readmission by keeping up with the needs and appointments of patients. Patients could be reminded about their medications. The linked health coaches could be notified to further reduce the possibility of readmission.
Guest post by Ben Oster, product manager, AvePoint.
Balancing the strategic needs of a business with the user-friendliness of its systems is a daily struggle for IT pros in every industry. But for healthcare organizations, safeguarding the data living in these systems can be especially daunting. According to a study by the Ponemon Institute, healthcare is a minefield for various security hazards. Within the last two years, 89 percent of healthcare organizations experienced at least one data breach that resulted in the loss of patient data. As healthcare businesses and the patients they serve adopt a mobile-first approach, providers must strike a balance between innovation and risk to prevent patient data (and internal information) from falling into the wrong hands.
The use of mobile devices and apps certainly enhances patient-provider relationships, but these complex information systems present new concerns surrounding compliance, security, and privacy. As employees and patients increasingly adopt smartphones, tablets, and cloud-based software into their daily lives, healthcare leaders must prioritize users’ needs while mitigating security risks. Mastering this dynamic requires healthcare companies to balance mobility trends like BYOD and cloud computing with regulatory requirements like HIPAA.
To lower the risk of data breaches, healthcare organizations need to defend their systems by identifying, reporting on, and safeguarding sensitive data. Here are a few steps the healthcare industry can take to join the mobile revolution without compromising security:
Start with discovery – Traditionally, healthcare organizations have taken a “security through obscurity” approach to protecting data. In other words, they have relied on the ambiguity of the data in their systems to ward off malicious attacks and breaches. But as technology emerges that personalizes patients’ end-user experience – such as online patient portals and electronic medical records – healthcare organizations’ data becomes less obscure. With patients and medical staff accessing this data through a range of devices and workflows, knowing precisely what content exists in a healthcare organization’s infrastructure is essential to security. That’s why discovery is the first step to safeguarding content. Healthcare IT teams should also roll out internal classification schemas to determine which user groups need access to this data. By categorizing content based on these factors, healthcare companies can lay the framework for a truly secure system.
Guest post by Adam Klass, chief technology officer, VigiLanz.
Here are some downright chilling patient safety statistics keeping healthcare leaders up at night: Each year more than one million hospital patients – that’s 136 per hour, every day – are affected by sepsis, and 280,000 die. In addition, 82 people in hospitals are affected every hour, every day, by hospital-acquired infections (HAI), and 217 experience a preventable Adverse Drug Event (ADE).
The good news is that an emerging category of technology known as enterprise intelligence resources (EIR) can empower clinicians to more quickly and effectively tackle these infections and ADEs – and even prevent them from occurring in the first place. By integrating and analyzing massive amounts of data generated by multiple sources, EIRs are not only able to identify at-risk patients, but also to tell frontline clinicians in real-time what is happening – and likely to happen – with their patients. Equally important, the EIRs fit seamlessly into clinicians’ workflows, generating only essential alerts.
Built on flexible, interoperable data architectures, EIR platforms extend the value of existing EMRs by integrating real-time clinical and business intelligence with predictive analytics to address sepsis, HAIs and ADEs as well as a wide range of other patient safety and public health risks such as deep vein thrombosis (DVT), venous thromboembolism (VTE), C. difficile (C.Diff), MRSA, surgery site infections, Ebola and MERS. Armed with EIR-provided actionable insights, clinicians can optimize appropriate interventions that improve patient outcomes, reduce patient safety risk and support quality initiatives.
Time is of the absolute essence in addressing patient safety risk, particularly in the case of sepsis. Research has shown that the earlier the intervention, the significantly lower the mortality and morbidity. EIRs can help significantly reduce sepsis risk by enabling clinicians to:
Identify at-risk patients earlier. Based on historical hospital data, an EIR can create a profile and scoring system to calculate a sepsis risk score for each patient, flagging those whose risk exceeds a pre-defined threshold.
Automatically track at-risk patients. The EIR closely monitors patients’ sepsis diagnostics and vital signs, and automatically updates their risk scores in the EMR.
Deliver appropriate alerts. The EIR notifies clinicians when interventions are required and continues to monitor patients so treatment can be adjusted according to defined protocols.
Implementing this approach has been shown to reduce sepsis occurrence by double digits. Most importantly, patients’ lives are saved. At the same time, reducing sepsis occurrence can also significantly reduce costs, given that sepsis accounts for 40 percent of ICU spending and nearly $29 billion in healthcare expenditures.
Have you ever sought medical care from multiple providers for the same condition? Then you probably already know how difficult it can be to coordinate care from one practice or facility to the next. One provider may not necessarily have access to the test results ordered by another provider, and even getting a prescription filled can be a hassle — you have to wait while the pharmacist fills your prescription and hope that he or she doesn’t misread the prescribing doctor’s terrible handwriting.
But all of that is changing; for many patients across the country, it has already changed, thanks to the Health Information Technology for Clinical Health (HITECH) Act of 2009. This law was enacted to encourage the transition to electronic health records (EHRs) in medical practices, hospitals, and other health facilities. Researchers agree that the use of EHRs can have many benefits for providers and patients alike, including improved patient outcomes, reduced costs, streamlined administration, and even improved ability to perform medical research.
What Are EHRs?
An EHR is an electronic record of a patient’s medical history that combines test results, diagnoses, and other data accumulated as the patient moves from one provider to another. Your EHR is meant to be longitudinal in nature, meaning that the record represents a lifetime picture of your health history.
Unlike a medical record, which is maintained by a single provider, an EHR is comprehensive; since it includes information compiled from every provider who works with you, it will offer each provider all of the information necessary to make your next treatment decision. That means no more re-ordering an expensive test you’ve already taken somewhere else, and no more waiting for test results to be faxed over from another doctor’s office.
Advantages of EHRs
Ideally, EHRs will someday travel with you. When all providers have made the transition to using EHR systems such as RevenueXL, you’ll be able to get the same quality of care from providers anywhere in the country. They’ll simply be able to check your EHR for pertinent medical information, and even update it so that your providers back home will be able to adjust your care accordingly. Even if you’re incapacitated, your EHR will ensure that providers around the country will be alerted to your medication list and existing medical conditions.
EHRs should make life easier for everyone involved in your care. You’ll be able to:
Schedule doctor’s appointments online
Ask medical questions via email
Request prescription refills electronically
Access test results whenever you want
Keep track of scheduled appointments
The use of EHRs should streamline the many administrative tasks associated with patient care. EHR system software will prompt your doctor to file necessary Medicare and insurance paperwork, will help them keep track of which best practice guidelines apply to your specific case, and will reduce numerous costs.
With the yearly bluster and promise of HIMSS, I still find there have been few strides in solving interoperability. Many speakers will extol the next big thing in healthcare system connectivity, and large EHR vendors will swear their size fits all, and with the wave of a video demo, interoperability is declared cured. Long live proprietary solutions, down with system integration and collaboration. Healthcare IT, reborn into the latest vendor initiative, costing billions of dollars and who knows how many thousands of lives.
Physicians’ satisfaction with electronic health record (EHR) systems has declined by nearly 30 percentage points over the last five years, according to a 2015 survey of 940 physicians conducted by the American Medical Association (AMA) and American EHR Partners. The survey found 34 percent of respondents said they were satisfied or very satisfied with their EHR systems, compared with 61 percent of respondents in a similar survey conducted five years ago.
Specifically, the survey found:
42 percent of respondents described their EHR system’s ability to improve efficiency as difficult or very difficult;
43 percent of respondents said they were still addressing productivity challenges related to their EHR system;
54 percent of respondents said their EHR system increased total operating costs; and
72 percent of respondents described their EHR system’s ability to decrease workload as difficult or very difficult.
Whether in the presidential election campaign or at HIMSS, outside of the convention center hype, our abilities are confined by real world facts. Widespread implementation of EHRs has been driven by physician and hospital incentives from the HITECH Act with the laudable goals of improving quality, reducing costs, and engaging patients in their healthcare decisions. All of these goals are dependent on readily available access to patient information.
Whether the access is required by a health professional or a computer’s algorithm generating alerts concerning data, potential adverse events, medication interactions or routine health screenings, healthcare systems have been designed to connect various health data stores. The design and connection of various databases can become the limiting factor for patient safety, efficiency and user experiences in EHR systems.
Healthcare, and the increasing amount of data being collected to manage the individual, as well as patient populations, is a complex and evolving specialty of medicine. The health information systems used to manage the flow of patient data add additional complexity, with no one system or implementation being the single best solution for any given physician or hospital. Even within the same EHR, implementation decisions impact how healthcare professional workflow and care delivery are restructured to meet the constraints and demands of these data systems.
Physicians and nurses have long uncovered the limitations and barriers EHRs have brought to the trenches of clinical care. Cumbersome interfaces, limited choices for data entry and implementation decisions have increased clinical workloads and added numerous additional warnings which can lead to alert fatigue. Concerns have also been raised for patient safety when critical patient information cannot be located in a timely fashion.
Solving these challenges and developing expansive solutions to improve healthcare delivery, quality and efficiency depends on accessing and connecting data that resides in numerous, often disconnected health data systems located within a single office or spanning across geographically distributed care locations including patients’ homes. With changes in reimbursement from a pay for procedure to a pay for performance model, an understanding of technical solutions and their implementation impacts quality, finances, engagement and patient satisfaction.
Electronic health records (EHRs) were supposed to transform the healthcare industry in the same way that digital technology has transformed the rest of our lives – organize and simplify. EHRs held the promise of easier access to patient health history, greater patient engagement, and improved clinical decision making and outcomes. And yet, despite the potential, electronic health records thus far have proven to be just another industry headache. Doctors contend with complicated and incompatible systems that stifle collaboration and enhanced patient care. Patients lack adequate access to their own records and methods to conveniently communicate with their care team.
While patients and doctors struggle, EHR system vendors benefit from the stagnant and uncompetitive market, charging exorbitant installation and maintenance fees, with no real incentive to innovate. It is a broken system, but it can be fixed, with the tech industry’s penchant for disruptive innovation. There is great opportunity for tech companies to develop fixes that will benefit customers and reignite development in digital healthcare.
Electronic medical records are currently locked away in walled gardens that inhibit vital information exchange between care team members and patients. These walls need to be broken down to allow for the collaboration that patients expect between their care team members. EHRs based on Software-as-a-Service (SaaS) platforms would allow vendors and medical providers to cut installation and maintenance costs, while offering genuine compatibility and simplicity. SaaS platforms are also cost efficient, with transaction-based business models that only require subscription and access fees. A SaaS health record system would be cost-effective, compatible, and ultimately serve the doctors and their patients.
Currently, one patient can have several associated identifiers from different physicians, hospitals and EHR vendors. Data is often duplicated and workflow becomes complicated for providers. An industry-wide standard could work, but there is no guarantee that a solution can be selected and implemented nationwide in a timely manner. An outside approach would offer much-needed perspective and an injection of fresh ideas into the conversation. Silicon Valley could assist by developing simpler, tech-based solutions, with industry stakeholders providing input. For instance, a master patient index, successfully driven by heuristic real-time matching algorithms, would offer similar functionality to the universal account log-ins offered by Facebook and Google and further simplify access to electronic health records.
EHRs should behave more like part of a “clinical network” that combines simplified workflows with stronger communications. Lab tests, referrals, pre-authorizations and results can be delivered instantly, retooling today’s overcomplicated systems with a more effective transactional eco-system. The network simplifies physicians’ day-to-day activities, and aggregates the collected data into an electronic health record. Tapping into the success of social and business platforms, such as Facebook Messenger and Slack, secure communication between patients and their complete care team, built around these universal health records, adds a layer of proactive care management that was previously unattainable.
Guest post by Chris Strammiello, Vice President of Global Alliances & Strategic Marketing, Nuance.
The growing use of smart devices at the point of care exacerbates the dual, yet contradictory, challenges confronting hospital IT directors and compliance officers: Making patients’ health information easier to access and share, while at the same time keeping it more secure.
A major problem is that there are just too many touch points that can create risk when sharing protected health information (PHI) inside and outside of the hospital. In addition to securing communications on cell phones, tablets and laptops, these tools can send output to smart multi-function printers (MFPs) that not only print, but allow walk-up users to copy, scan, fax and email documents. This functionality is why the Office of the National Coordinator for Health Information Technology now defines MFPs as workstations where PHI must be protected. These protections need to include administrative, physical and technical safeguards that authenticate users, control access to workflows, encrypt data handled on the device and maintain an audit trail of all activity.
Accurate, Effective and Secure Use of Patient Information at Point of Care
Hospitals need to adopt an approach that automatically provides security and control at the smart MFP from which patient information is shared and distributed. This approach must also support the use of mobile computing technologies, which are helping to bring access to patient information and electronic health records (EHR) to the point of care. Advanced secure information technology and output management solutions can help hospitals protect patient health information as part of achieving HIPAA-compliant use of PHI with software by adding a layer of automated security and control to both electronic and paper-based processes. These solutions can minimize the manual work and decisions that invite human error, mitigate the risk of non-compliance and help hospitals avoid the fines, reputation damage and other costs of HIPAA violations and privacy breaches.
With this approach, vulnerabilities with capturing and sharing PHI are reduced with a process that ensures:
Authorization — only authorized staff can access specific devices, network applications and resources with password or smartcard based authentication. Network authentication is seamlessly integrated with the document workflow, and, to ensure optimal auditing and security, the documents containing PHI are captured and routed to various destinations such as email, folders, fax and EHR systems.
Authentication — user credentials must be verified at the device, by PIN/PIC code, proximity (ID), or by swiping a smart card, to access documents containing PHI. Once authenticated, the solution controls what users can and cannot do. It enables or restricts email or faxing and prohibits documents with PHI from being printed, faxed or emailed.
Encryption — communications between smart MFPs and mobile terminals, the server and destinations, such as the EHR, are encrypted to ensure documents are only visible to those with proper authorization.
File destination control — simultaneously monitors and audits the patient information in documents, ensuring PHI is controlled before it ever gets to its intended destination.
Content filtering — automatically enforces security policies to proactively prevent PHI from leaving the hospital by filtering outbound communications and intercepting documents – rendering misdirected or intercepted information unreadable to unauthorized users.
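The controls in the list above (device authentication, per-role workflow authorization, destination control, content filtering and an audit trail) can be combined into a single decision point. The following Python sketch is an added example, not code from the original post or from any vendor product; the role names, destinations and the two detection patterns are hypothetical, and the sample documents are constructed.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed detectors for illustration only; two regexes are not a PHI classifier.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s]*\d{6,10}\b", re.IGNORECASE),
}

# Hypothetical policy tables (assumptions, not taken from any product).
ROLE_WORKFLOWS = {
    "nurse": {"print", "scan"},
    "registrar": {"print", "scan", "fax", "email"},
    "volunteer": {"print"},
}
PHI_DESTINATIONS = {"ehr", "secure_folder"}  # only these may receive PHI


@dataclass(frozen=True)
class User:
    name: str
    role: str
    authenticated: bool  # outcome of the PIN or badge check at the device


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    phi_types: tuple


def find_phi(text):
    """Return the sorted names of the PHI patterns present in the text."""
    return tuple(sorted(k for k, p in PHI_PATTERNS.items() if p.search(text)))


def authorize_job(user, workflow, destination, text, audit):
    """Apply the checks in order and append one audit record per request."""
    phi = find_phi(text)
    if not user.authenticated:
        decision = Decision(False, "user not authenticated at device", phi)
    elif workflow not in ROLE_WORKFLOWS.get(user.role, set()):
        decision = Decision(False, f"role {user.role!r} may not {workflow}", phi)
    elif phi and destination not in PHI_DESTINATIONS:
        decision = Decision(False, f"PHI may not be sent to {destination!r}", phi)
    else:
        decision = Decision(True, "permitted by policy", phi)
    # The audit trail records PHI categories, never the matched values,
    # and it records denied requests as well as permitted ones.
    audit.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user.name,
        "role": user.role,
        "workflow": workflow,
        "destination": destination,
        "phi_types": list(phi),
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision


def run_demo():
    """Run four constructed requests and return (decisions, audit trail)."""
    audit = []
    registrar = User("r.lee", "registrar", True)
    nurse = User("n.ortiz", "nurse", True)
    requests = [
        (registrar, "fax", "external_fax", "Patient SSN 123-45-6789"),
        (registrar, "fax", "external_fax", "Cafeteria menu for Friday"),
        (nurse, "scan", "ehr", "Discharge summary, MRN: 00482913"),
        (nurse, "email", "external_email", "Shift schedule"),
    ]
    decisions = [authorize_job(u, w, d, t, audit) for u, w, d, t in requests]
    return decisions, audit


if __name__ == "__main__":
    for entry in run_demo()[1]:
        print(entry)
```

Logging the category of PHI rather than the matched text keeps the audit trail itself from becoming another store of patient data that needs protecting.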
Guest post by Tom Giannulli, MD, MS, chief medical information officer, Kareo
Quality assurance (QA) in healthcare is exactly what the name implies — the process of implementing programs to improve and assure quality care for patients. In a hospital, these programs are often quite robust and monitored closely, but in a small practice, the picture can be quite different.
Smaller practices have limited resources and staff. There is already a huge burden to stay compliant in so many areas while keeping up with changes to reimbursement and other programs like meaningful use. Often, there isn’t much time left over for QA.
Unfortunately, measuring and monitoring patient satisfaction and outcomes is becoming more important as reimbursement shifts to a more value-based model and patient expectations change. Whereas patients once stayed with the same doctor forever, now the majority would change providers for a wide range of reasons. While 80 percent of healthcare providers think that patients depart because of relocation or change in insurance, the reality is far different. Nearly 60 percent of patients switch physicians because of better service or treatment from a new provider.
For practices that are stretched for time, dollars and staff, technology can play a valuable role in improving the patient experience, compliance, and outcomes. Ultimately as the industry shifts to value-based reimbursement it can also help the practice improve revenue. Here’s how:
It’s obvious from the varying responses below that there are a plethora of health IT issues affecting a number of areas in and throughout hospitals. In reviewing a number of healthcare issues, the following thought leaders offer what they feel are the top IT issues in healthcare.
As is often the case in profiles such as this, the responses are diverse and varied. Do you agree with their assessments?
I work with hospitals nationwide and I find that the top issues facing the hospital are:
1. How to align the interests of the physician with the hospital in a world where the hospital takes risk? Physicians used to get paid by “time and material” in the old world and the hospital got paid by “contracted costs.” The new reality has both the physician and the hospital getting paid a fixed amount to then manage the cost of healthcare on a “fixed price” for lack of a better word. IT challenges: The tools in the “time and material” world are unsuitable to manage the new reality in a “fixed price” world. This is a top challenge.
2. Real-time P & L — If you ask a hospital CFO what the profitability of the current patients in Unit 10 is, they would give you a blank stare. This is because they do not know what they are going to get paid (the DRG or diagnosis-related group reimbursement), much less what their current costs are. Thus, the lack of visibility into managing costs creates havoc. IT challenges: Systems that can develop a view into costs and projected revenue require a lot of specialized people to provide the information even in hospitals that have a partial solution. Most hospitals do not know where to turn for new ways of thinking. This is a big IT challenge.
Doug Nebeker, owner and technical expert, Power Admin LLC
Staying on top of compliance and auditing tasks is a top issue facing hospital IT departments today. As more and more data moves into the digital space, IT departments can easily become overwhelmed as staff gets bogged down with the tedious task of trying to keep track of what’s happening where in the system. Network monitoring software is seeing a boom as a result, quickly becoming an IT necessity for managing increasingly complex network auditing and compliance processes. Technology is meant to help, not hinder, and so as we continue to utilize it in new ways we must ensure our process management keeps pace.
Hospitals and other healthcare organizations will always have the need to exchange “unstructured” data. While there is a large focus on meaningful use, ICD and other mandates, many hospitals and organizations are not taking into account the need to quickly, affordably and securely transmit unstructured data while also staying HIPAA compliant. One of the main issues is that public cloud services are not HIPAA compliant. Healthcare organizations can work around this by extending their existing fax server solutions to the hybrid cloud, allowing both custom and popular EHR applications to communicate with each other via a private secure network, guaranteeing delivery with military grade end-to-end encryption. By eliminating the need for costly and cumbersome network fax systems, such as fax boards and recurring telephony fees, hospitals can leverage the hybrid cloud to swiftly manage all business-critical fax communications while staying HIPAA compliant.
David S. Finn, CISA, CISM, CRISC, ISACA professional influence and advocacy committee member, health IT officer, Symantec
Healthcare is undergoing fundamental changes in reimbursement, care delivery models and the technology required to make these changes. Technology and information is no longer an adjunct to the business of healthcare — it is a strategic imperative. This information, however, is among the most regulated and protected information under the law. The data must be shared more widely with more people and organizations, all the while with stricter security and privacy controls. At a high level, the most critical issues facing health IT are:
1. Security and Privacy
Healthcare, historically, has not invested in nor staffed appropriately in terms of Privacy and Security. Providers and business associates need to catch up with other regulated industries and those targeted for the value of their data.
2. Data Management
The digitization of healthcare has led to the massive collection of data. As healthcare becomes more dependent on this data, the storage, protection, back-up and recovery of the data is critical. It must include disaster recovery/business continuity.
3. Interoperability and Information Exchange
Affordable Care Organizations (ACO), health information exchanges (HIE) and new care delivery models (home care, remote monitoring and other requirements) will drive information exchange.