
What To Do After A Medical Data Breach

By Adrian Johansen, freelance writer; @AdrianJohanse18.

When most people visit their health professional, they go in confidence that they are in good hands and the confidentiality of their health issues and personal information is protected. After all, who can a person trust more than their doctor? Unfortunately, while patients are safe a majority of the time, there is the chance that a data breach could result in the release of private information.

This breach could be because of a computer hacker, a system breakdown, or even a natural disaster. In any case, the healthcare organization is responsible for keeping patient data secure. If they fail to do so, then they must do damage control and patients must do what they need to in order to protect themselves. Here is a breakdown of what is expected of these companies and what consumers should do in the event of a medical data breach.

The Responsibility of Health Companies

When the Health Insurance Portability and Accountability Act (HIPAA) was officially enacted in 2003, it set a precedent that health organizations must ensure that all patient information is private and confidential. Along with that came the HIPAA security rule, which says that the same organizations must perform risk analysis and have the proper safeguards in place so that data cannot be stolen or leaked to unauthorized individuals.

While many organizations have the proper barriers in place to protect against the loss of data, there have been instances where significant breaches have resulted in major leaks. The data leaked in such a breach can include everything from patient names and addresses to Social Security numbers, which can be used to conduct identity theft. If you discover that a breach has occurred and it affects your patients’ data, then you must take action. You should also prepare for your patients to do the same — often in the form of lawsuits.

Back in 2014, UCLA Health was involved in a class-action lawsuit and had to pay out $7.5 million after hackers broke into their system and copied or stole the records of 4.5 million patients. Another such breach took place recently in 2019 when the teaching hospital at the University of Connecticut was infiltrated. In this instance, the hackers accessed employee email accounts, which also potentially contained patient records and Social Security numbers. The related class-action suit is still pending.


Not Just A Band-Aid: Medical Centers Across The Country Take On Cybersecurity

By Pedro Vidal, vice president, Cylance.

It’s no secret that cyberattacks are escalating, rising in tandem with the growing sophistication of technology. One industry that has taken a massive hit by cyberattacks in recent years is the healthcare industry. The healthcare industry is increasingly reliant on technology and data connected to the internet, such as patient records, lab results, radiology equipment and hospital elevators. Now imagine if a cybercriminal encrypted an entire hospital’s data with a nasty ransomware. Doctors would be unable to pull up a patient’s medical records, or worse, utilize equipment connected to the internet to make a proper diagnosis.

Unfortunately, this is the reality that healthcare industry professionals are facing today. And while 92% of healthcare organizations are confident in their ability to respond to cyberattacks, there is a plethora of malicious activity that poses a great threat to their networks. Here are the main cybersecurity challenges faced by the industry today:

The Rise of Ransomware

You might recall the WannaCry attack of 2017, the ransomware worm that attacked hospitals as well as other industries by exploiting a weakness in Windows machines. This worm infected thousands of computers around the world and threw the United Kingdom’s National Health Service into chaos. This led the Health Care Industry Cybersecurity Task Force to conclude that healthcare cybersecurity was in critical condition.

Why was the healthcare industry so impacted by this cyberattack? Many hospitals struggle to keep up when it comes to upgrading their operating systems due to the sheer volume of devices on the network. However, much of the software in a medical-specific device is often custom made, making system upgrades difficult. Additionally, manufacturers tend to avoid prematurely pushing out modifications that could potentially impact patient safety. For these reasons, medical machines continue to exist with outdated software, putting them at greater risk of cyberattacks such as ransomware.

Lack of Investment

Many organizations within the healthcare industry suffer from a lack of investment in cybersecurity solutions. Despite the number of breaches that occur, healthcare is behind other sectors when it comes to taking security measures. Only 4-7% of healthcare’s IT budget is allocated to cybersecurity, while other sectors allocate about 15% to their security practices. However, the finances associated with a cyberattack if these solutions aren’t put in place can take an even greater toll on an organization. Some hospitals and healthcare insurers see estimates of over $5 billion in costs as the result of cyberattacks on their systems. On top of the costs incurred finding a solution to fix these breaches, healthcare organizations then have to deal with fines from the Department of Health and Human Services Office of Civil Rights.

Securing Connected Devices

With the growing adoption of IoT, more and more devices are being connected and used in healthcare systems. However, as connected medical devices become more powerful and widely adopted, they become greater targets for malicious actors to exploit. According to the Cybersecurity in Healthcare report, over 16% of IT professionals can’t patch their own operating systems, leaving the network wide open for attack. Now imagine if a cybercriminal gained access to just one medical device on the exposed network. This could lead to the theft of sensitive patient data or even unauthorized access to an implanted device that could cause physical harm to the user.


Changing Priorities of Next Generation HIEs

By Dr. Chris Hobson, chief medical officer, Orion Health.


For nearly a decade, Health Information Exchanges (HIEs) have been looking for their long-term sustainable business model. This is part of the journey toward the future state of the HIE, which will be a ubiquitous healthcare utility that makes data available to all stakeholders across the healthcare landscape. Today, their work and future plans are driven by a desire to support value-based care initiatives, enhance interoperability, and leverage and manage a wider scope of data.

Representing a broad swath of HIEs, a 2019 Survey on HIE Technology Priorities uncovered various key trends and changing priorities in the sector. To become a sustainable healthcare information provider, HIEs must understand and leverage data to gain insights that improve patient outcomes while containing costs. Additionally, other trends include joining national exchanges, introducing value-added capabilities, enhancing integration of clinical and claims data, and growing payer participation in HIEs.

Participation in various national initiatives is an important driver for HIEs as it requires successful HIEs to be more active across traditional geographic and state boundaries. Mechanisms for participation include the Trusted Exchange Framework and Common Agreement (TEFCA), the national eHealth Exchange, Direct Trust and Carequality. Participation in Patient Centered Data Home, an event notification service that includes HIEs across the U.S. led by the Strategic Health Information Exchange Consortium (SHIEC), had the highest level of interest across all surveyed HIEs.

Like a utility, the next generation HIE must fit into the growing “Network of Networks” ecosystem, providing shared services to multiple HIEs (e.g. EMPI/record locator, patient directory, provider directory, data aggregation). This also means bringing together disparate entities into a local HIE network connecting a variety of different end-points – including practices, hospitals, systems, labs, long-term care facilities and more – while simultaneously making the local information shareable with other regional and national HIE networks. HIEs will need to support population-based use-cases and assist safety-net providers and small, independent providers to access larger interoperability initiatives across the U.S., such as TEFCA and the eHealth Exchange.


AHIMA and MATTER Announce Winner of Inaugural Pitch Competition

Five startups in the health information management (HIM) field pitched their ideas for a new product, service or business that harnesses health data and information to advance healthcare at the AHIMA19: Health Data and Information Conference. The winner, Drugviu, presented their population health platform that empowers communities of color to use their data to improve health outcomes.

The American Health Information Management Association’s (AHIMA) Pitch Competition, hosted in collaboration with MATTER, the health technology incubator based in Chicago, underscored the conference’s focus on innovation and change. The event served as an opportunity to inspire creative thinking at AHIMA19 and provide startups with a platform to present their health data and information solutions to a group of leading HIM experts.

Only six percent of clinical trials and research involve minorities. Drugviu, which received $5,000 for winning the competition, aims to end this underrepresentation and improve health outcomes among minority communities by sourcing more minorities into clinical trials, providing education tailored to people of color and empowering people to share their medication experiences with their online community engagement platform.


“This award money will allow us to pursue our mission of expanding the data set of medication and health experiences to include minorities,” said Drugviu CEO Kwaku Owusu.

“Innovations that help connect people, health systems and ideas are key to improving health outcomes,” said AHIMA CEO Wylecia Wiggs Harris, PhD, CAE. “With the inaugural AHIMA pitch competition, we’re putting the power to impact health in the hands of enterprising HIM professionals who are developing solutions to advance the healthcare industry. We congratulate Drugviu on their impressive platform to engage more minorities in clinical trials and research.”

Valhalla Healthcare received second place, winning $2,500 for its product Allevia, a fully patient-driven, AI-powered intake solution that automates clinical documentation for healthcare providers. Uppstroms received third place and $1,500 for their machine-learning application that addresses upstream social risk for promoting better health.

Additional semi-finalists included:

“The best solutions to improve the healthcare experience are developed through collaboration between entrepreneurs and industry leaders,” said MATTER CEO Steven Collens. “Winning this competition is a great recognition for Drugviu and gives them the opportunity to work closely with leading health information professionals to further develop their solution.”

Get the Big Picture: Four Steps For Enterprise Portfolio Management Success

By Nikki Iantuono, consultant, Freed Associates.


It’s tough to see the big picture when you’re “inside the frame.” That’s the underlying principle behind enterprise portfolio management (EPM), a top-down way for healthcare organizations to select and manage multiple projects and resources across the entire enterprise to maximize project portfolio value.

With EPM, large projects are centrally evaluated to determine overall progress and effectiveness, actual project spend versus budget, and continued alignment with the larger, strategic objectives of the organization. EPM is particularly valuable for healthcare organizations which often run multiple large projects simultaneously and frequently encounter ongoing project resource conflicts.

That was the constraint faced by a rapidly growing healthcare system which quickly discovered it could no longer manage new large-scale projects as if it were its older, smaller organization. The healthcare system could readily assess individual projects but lacked a big-picture view of the type, size, duration and risk of all of its project investments. The result? Unplanned operational and financial impacts from conflicting projects which led to recurring staff frustration as well as delays in project implementations and the realization of project benefits.

In response, the healthcare system devised and implemented an EPM process to more effectively prioritize its project resource allocations, timing and capacity, and ultimately guide its project investment decisions. While establishing an EPM system took time and resources up-front, it has helped the organization standardize the decision-making information presented to review and approval authorities and improved internal visibility into inflight work and capacity constraints in the system. The lessons learned by this healthcare system around EPM can serve as a guide to other healthcare organizations seeking similar gains in major project processes and outcomes.

Four Key Steps for EPM Success

You’ll first want to determine if an EPM approach is appropriate for your organization. The answer is likely “yes” if you’re regularly encountering any of the following:

  1. Projects which are frequently delayed, leading to additional remediation costs, uncollected revenue and/or a delayed return on investment
  2. Projects which spiral into “turf battles,” pitting business units, departments or teams against one another
  3. Projects which do not or no longer align with and support organization-wide business goals
  4. Projects which do not or will not deliver long-term value to the organization

Once you’ve determined the need to institute an EPM approach, you’ll have a much higher likelihood of success if you adhere to the following four fundamental recommendations.

Ensure top-level buy-in across the enterprise – Understand that instituting EPM processes may represent a significant change to some within your organization. As with any significant change, some individuals may be resistant to EPM, no matter its merits, unless they’re brought on board early in the process to understand EPM and help establish it within the organization.

To gain top-level buy-in, consider facilitating brainstorming workshops with your organization’s senior executives to define the EPM scope, scale and desired outcomes. Ultimately, your goal is to design and develop a multi-phased, enterprise-wide rollout strategy for EPM, to facilitate gradual understanding and adoption of EPM by staff. A phased rollout strategy might include adding a new project intake and vetting process, standardizing project proposal documentation and creating a project inventory listing key criteria for evaluation.


AHIMA Presents 2019 AHIMA Triumph Awards to Members

The American Health Information Management Association (AHIMA) recognized recipients of the 2019 AHIMA Triumph Awards at the Appreciation Celebration at Chicago’s Navy Pier during the AHIMA19: Health Data and Information Conference. This honor is presented to members who have demonstrated excellence in their dedication and service to the health information management profession.

“The AHIMA Triumph Awards recognize the contributions of health information management (HIM) leaders who have enriched the field by preparing future HIM professionals, encouraging fresh HIM talent and leadership and contributing to our knowledge base,” said AHIMA CEO Wylecia Wiggs Harris, PhD, CAE. “We are pleased to honor the following individuals with these awards.”

Distinguished Member Award

Cassi L. Birnbaum, MS, RHIA, CPHQ, FAHIMA, was named Distinguished Member, AHIMA’s highest honor. Birnbaum has been a dedicated volunteer for more than 30 years and has served as a past Board president/chair of AHIMA and as an AHIMA director. She led and guided the industry and profession through a successful transition to ICD-10, information governance, analytics, informatics and CDI strategies. She is currently employed by the University of California San Diego (UCSD) Health System as system-wide director of HIM/revenue integrity, as well as adjunct faculty member for San Diego Mesa College and UCSD Extension academic programs.

Advocacy Award

AHIMA is proud to have selected the Ohio Health Information Management Association (OHIMA) as the recipient of the 2019 AHIMA Advocacy Triumph Award. OHIMA advocated for the HIM profession by creating a short, animated video showcasing the diverse job settings, skills and functions that make up the HIM profession to aid potential students, human resource departments and the general HIM profession in understanding the field. Kristin M. Nelson, MS, RHIA; Lauren W. Manson, RHIA; and the OHIMA Board are credited with leading this strategic advocacy project.

Educator Award

Marquetta M. Massey, MBA, RHIA, was honored with the Educator Award. Massey has been an instructor at Central Piedmont Community College (CPCC) in Charlotte, N.C. since 2012 and a program chair since 2015. In 2018, she received a CPCC award for “Best Instructional Video” based on her use of creative teaching tools and methods used in her online courses. Massey is recognized for her “student-first” stance and persistent and widespread use of technology to enhance her students’ learning experience. As a mentor and active member, Massey encourages students to become involved with AHIMA and their local state association.

Emerging Leader Award

Kenneth H. Lugo-Morales, MS, RHIA, received the Emerging Leader Award. Lugo-Morales directs the Health Information Management Department at the San Jorge Children and Women’s Hospital in San Juan, Puerto Rico, where he has successfully implemented a committee resulting in greater chargemaster accuracy and improved documentation and coding outcomes. He is a former president of the Puerto Rico Health Information Management Association (PRHIMA) and is a CSA Delegate to the AHIMA House of Delegates.

Innovation Award

Patricia S. Coffey, RHIA, CPHIMS, CPHI, was honored with the Innovation Award. She is currently employed by the National Institutes of Health (NIH) as chief of the HIM department in the Clinical Center. Coffey helped influence NIH gender identity efforts, cutting-edge patient engagement and efforts to facilitate the collection and management of critical research data while ensuring the integrity of clinical data and patient information. Before transitioning to electronic medical records was a national initiative, she positioned the HIM department at NIH to transition to a completely paperless medical record.

Leadership Award

Chrisann K. Lemery, MSE, RHIA, CHPS, FAHIMA, received the Leadership Award. She has served in various leadership capacities including president, past president and board member of the Wisconsin Health Information Management Association (WHIMA) and secretary of the AHIMA Board of Directors and Speaker of the House of Delegates. Lemery served on the award-winning HIPAA Collaborative of Wisconsin (HIPAA COW) Board of Directors as well as government-appointed committees addressing electronic health records and medical record copy fees. She has given more than 70 presentations sharing her knowledge.

Mentor Award

Tressa A. Lyon, RHIT, received the Mentor Award. Lyon is currently the HIM manager at Norman Regional Hospital in Norman, Okla., and a member of the executive board for the Oklahoma Health Information Management Association (OkHIMA). She has been involved with professional committees and projects including the Medical Decision-Making Committee, the Patient Portal Committee and the Outcomes and Efficiencies Team. Lyon serves as a mentor for many colleges and universities in Oklahoma and through OkHIMA.

Rising Star Award

Laura A. Shue, MPA, CHDA, CPHIMS, was awarded the Rising Star Award. Shue received a master’s in public administration with a concentration in healthcare administration from Eastern Michigan University. She earned her CHDA in 2012 and CPHIMS in 2016. Shue currently serves as the HIM operations director for Michigan Medicine where she has engaged in wide-scale efforts to reduce medical record delinquencies and improve EHR functionality, and has advocated for quality, data management, data analytics and management development. She is currently president-elect of the Michigan Health Information Management Association (MHIMA).

The AHIMA Triumph Awards are sponsored by 3M.

CMS At AHIMA: Electronic Data Exchange Is the Future of Healthcare

Access to data and the interoperability of health information has the power to change the face of healthcare, according to Alexandra Mugge, deputy chief health informatics officer at the Centers for Medicare & Medicaid Services (CMS).

Addressing leaders in health information management (HIM) at the AHIMA19: Health Data and Information Conference, the American Health Information Management Association’s (AHIMA) annual conference, Mugge outlined CMS’ Interoperability and Patient Access Initiative efforts and what the agency will focus on next.

“We believe electronic data exchange is the future of healthcare, and interoperability is the foundation of value-based care,” Mugge said. “CMS is dedicated to advancing interoperability throughout healthcare.”

Emphasizing that the privacy and security of health records underpins all CMS activity on interoperability, Mugge pointed to several initiatives in 2019 aimed at improving data exchange among providers, payers and patients, including:

Looking ahead to 2020, Mugge said CMS will focus on addressing challenges to patient matching, updating provider directories, expanding data elements to be standardized and incorporating behavioral and public health social determinants in healthcare.

HIM professionals are essential to ensuring access to health information where and when it is needed, Mugge said, adding that HIM professionals are responsible for shaping the data that ultimately comes together as a part of a patient’s complete healthcare picture.

“CMS is a valued contributor to our ongoing support of interoperability and its benefits to patients, providers and payers,” said AHIMA CEO Wylecia Wiggs Harris, PhD, CAE. “AHIMA stands in alignment with the goals of interoperability in helping people to live healthier lives and creating access to health information that empowers people to impact health.”

The digitization and expansion of access to data and health information will continue to change healthcare, making this an exciting time in the industry, Mugge added.

“Patients are no longer passive participants in their care, they now have the ability to be empowered consumers of the healthcare industry through access to data that puts them in the driver’s seat to make the best and most informed decisions about their health,” Mugge said. “And providers who have historically been forced to work with incomplete information can now unlock large amounts of data about their patients that will improve care.”

How HIPAA Is Undermining IT and AI’s Potential To Make Healthcare Better

By John Schneider, chief technology officer, Apixio.


Signed into law nearly a quarter century ago, the Health Insurance Portability and Accountability Act (HIPAA) has not aged well in the information technology world. HIPAA itself is largely misunderstood. I don’t know how many times I’ve heard someone tell me about the “Health Information Privacy Act.” However, it’s easy to understand where the confusion comes from. Who hasn’t heard a story about a ransomware attack, data breach, or privacy violation in the news? And it’s not just happening in the healthcare domain—it’s happening everywhere.

The truth of the matter is that security and privacy breaches in healthcare and other industries are a common occurrence. This has resulted in an unhealthy preoccupation by the healthcare community with the security and privacy provisions in the HIPAA legislation that fall under Title II Administrative Simplification. This too is easy to understand—unlike other industries that seemingly get off scot-free after a breach, the healthcare industry is held to an actual standard, and there are penalties for not meeting this standard that can be reputationally and financially ruinous.

To fully understand the healthcare community’s preoccupation with the HIPAA Title II provisions, we need a little background on what HIPAA is. HIPAA has five provisions called Titles. The two key provisions are Title I, HIPAA Health Insurance Reform, and Title II, HIPAA Administrative Simplification. All of the security and privacy regulations stem from Title II, but “Administrative Simplification” doesn’t exactly shout out “security and privacy” (although the Privacy Rule and Security Rule are 2 of the 5 sections in Title II). Title II doesn’t even provide regulations—it simply hands that responsibility off to the Department of Health and Human Services (HHS) to create such regulations as it sees fit, so ultimately, these are the regulations that we’re contending with and are driving behavior that’s limiting the value of data we’re collecting in healthcare.

Let’s first look at the two types of regulations that cause the most adverse behavior.

  1. Sharing Constraints: There are a number of requirements in privacy regulations that constrain sharing, and many are common-sense business-use rules that protect patients effectively. There are also some regulations that state that covered entities (regulation-speak for providers) should only share data they have with other business associates that are directly participating in the care and management of the patient. These effectively prevent the use of healthcare data to create new and innovative products because product development isn’t related to patient care or management.
  2. Punishments for Breaches: Breaches can be financially painful or even ruinous for a business. The penalties associated with breaches make executives think twice about the use of the data they have, even with business associates helping them manage care, because the risk to them is very real. What this means in the real world is that it can take a long time for a new business with a good idea to improve healthcare delivery to gain traction because the holders of data are reluctant to give these businesses the data they need.

These issues are real and are having negative effects in the healthcare industry. However, these same issues are not impeding innovation in other industries that have just as much (or more) private information. What gives here? Healthcare isn’t getting a fair shake.

There are a number of inequities in healthcare that we should take issue with:

There’s an uneven playing field. Think about where the data is in healthcare. It’s largely in the hands of the providers. They effectively own this data, even though technically it belongs to patients. Small startups have no access to this data. They have to hunt for providers willing to share. Often, the cost of sharing is onerous business terms. The larger the cache of data, the more advantaged you become, and in an industry like healthcare that is ostensibly rallied around social good, this should not be okay.

If you do get data, you might become a target. There are many examples where companies (for example, Google this past year) are harassed for doing innovative research for no other reason than they’re visible and have deep pockets. The problem is that we have obsolete regulations that are being used to make a point that isn’t valid in our modern context.

Most of the data we’ve accumulated isn’t used for innovation. The data outlook in healthcare has come a long way in the last ten years since the HITECH Act was passed. Electronic medical records have gone from being sparsely used to nearly universal, but most of this data goes unused beyond the walled gardens of the medical record systems they live in. Artificial intelligence and machine learning applications depend on large, real-world datasets and could be put to use to build technology and resources to identify distinct risk profiles, analyze the effectiveness of treatment protocols across specific patient populations, or surface insights that can dramatically improve the speed and quality of care. But only the few commercial entities that have access to data can play in this space.
