Guest post by Sergio Galindo, general manager, GFI Software.
With stolen medical data selling on the black market at a rate anywhere between 10 to 50 times that of stolen credit card numbers, hackers have a new favorite target – the healthcare industry.
The industry is a sitting duck, and hackers have declared open season. Indeed, we have seen several extremely high-profile penetrations of healthcare companies in the past months, and more are likely in the coming months. Anyone with medical insurance should pay attention to the increasing number of data security breaches.
Consider the three most high-profile security incidents that have recently struck the healthcare industry. Community Health Systems claims that no medical information was exposed when the insurer was hacked, but the breach affected some 4.5 million records within their systems. In February of this year, Anthem reported that a breach resulted in 80 million records stolen, and recently data attackers broke into Premera Blue Cross and obtained medical and financial data of 11 million of their customers, stealing both electronic health records (EHR) and protected health information (PHI).
While stolen credit card data may fetch between $1 and $2 per record, EHRs are far more lucrative for hackers, often going for $20 to $50 per entry. This value stems from several reasons:
EHRs can contain data that enables identity theft;
Stolen EHRs can be used to commit insurance fraud;
Users can use EHRs to obtain medical services and prescription medications; and
EHRs can also be used for extortion.
It’s worth noting that the value of stolen data increases relative to its longevity as a source of revenue. Credit card numbers are often replaced in 30 to 90 days (a new number issued); business information remains valid for up to three years (price lists, customer database), for example, while medical information can remain valid for more than 10 years. Social Security numbers have the longest ROI for cybercriminals because they last until the individual passes away (and even then they are still used).
As the comment period has come and gone (ended May 29, 2015) for meaningful use Stage 3, and as multiple organizations, like CHIME, and countless other individuals have taken the time to comment on the final rule, I thought it was a good time to ask the question: Does the meaningful use Stage 3 rule sail or sink?
Procuring responses to this question from a number of health IT insiders helps to identify some of the most pressing issues with the final stage of meaningful use, a topic that is almost second to none in regard to generating support or opposition from those in the sector.
The College of Healthcare Information Management Executives, in its comments on the rule, called federal plans for the third stage of meaningful use too ambitious and in need of several important changes, but still offered their support for a corresponding CMS proposal that would shorten meaningful use reporting in 2015 from a full year to any continuous 90-day period. In total, CHIME said meaningful use Stage 3 is “unworkable.”
“Were all requirements finalized as proposed, we doubt many providers could participate in 2018 successfully,” CHIME said. “And with so few providers having demonstrated Stage 2 capabilities, we question the underlying feasibility of many requirements and question the logic of building on deficient measures.”
Bennett Lauber
Bennett Lauber, chief experience officer, at The Usability People offered a slightly different take: “The MU3 program contains some well-needed enhancements to the Safety-enhanced design portion of the 2015 certification criteria. They have also proposed significant changes to the Safety-enhanced Design (aka usability) testing requirements. These new requirements might seem burdensome to some of the smaller EHR vendors, as they require 17 and not seven items to be usability tested and finally set a minimum number of participants for these studies and more. With everyone complaining about the (lack of) usability of healthcare software these additional requirements should be welcome as they force the vendors to perform real summative usability tests and as a result it eventually might actually save lives.
David Muntz
David Muntz, former principal deputy director of the ONC and current CIO of GetWellNetwork adds, “Getting to a common stage is a good thing, but there is still some concern expressed by those who are struggling with the move from Stage 1 and Stage 2 to the future state. The limit on adding new elements is a positive, though some of the thresholds that need to be met will be a concern to many, particularly those that require a provider to affect behaviors in the patients. Standardizing quality measures and adjusting the reporting period are good moves, but the possibility of requiring all vendors to have a complete set will delay release dates.
“The encouragement to add APIs for data exchange is a positive. More thought, however, is needed to the areas where open APIs can prove beneficial. Secure messaging is great, but the threshold for usage is really based on patient preference and may be a bit aggressive. The greatest disappointment was the continued use of specific features and functions without an alternative to deem features and functions based on a combination of appropriate process and outcome measures. A deeming approach would have given the users a great deal of latitude in how to implement features and functions that would have produced favorable outcome.”
Guest post by Matt Bramowicz, project coordinator, Translation Cloud LLC.
Consider this scenario: You rush into the hospital, your loved-one cradled in your arms. You had found them unconscious in the bathroom moments before and think you may know what had happened. You just have to tell the doctors so that they can treat them right away and save their life. Time is of the essence, though, and you fear the worst may happen if they don’t receive the right treatment immediately. The doctors run over and ask you over and over again, “What happened? Did they take anything? Do you know what is wrong?” You open your mouth to speak, but everything you say is met with confused looks. You can tell the doctors cannot understand anything you are saying. After multiple attempts, the doctors take your loved-one away into another room, knowing that they have not comprehended anything you were trying to tell them and are unsure what is wrong with your loved-one. You want to scream, because you know exactly what they need to do, but you can’t do anything about it. You gradually realize that this may be the last time you see your loved-one.
You may think it’s a scenario out of the Twilight Zone or some bad dream. However, it’s a regular occurrence for many people throughout this country.
Language barriers have long been an issue in the healthcare field. More than 46 million people in the United States do not speak English as their primary language, yet everyone needs medical care at one point or another. This language-gap can cause serious issues with miscommunication between the doctor and the patient, which can result in a lack of proper treatment and can even lead to potentially fatal medical-related errors.
Despite this serious issue, currently most hospitals provide only limited interpreting services, or more often than not, no services at all. In those circumstances, doctors must rely solely on the patient’s family members, friends or non-fluent bilingual staff members to help communicate with the patient or the patient’s family. These “ad hoc” interpreters are less likely to tell patients about medication side effects and more likely to misinterpret or omit questions asked by health care providers. This is not their fault, of course, as most individuals are not familiar with what information is pertinent, or even how to translate certain medical-related jargon. Despite their best efforts at being thorough, they may be unconsciously leaving out important details.
Alan Portela, CEO of AirStrip, has more than 25 years of experience in bringing medical technology solutions to market. Portela originally joined AirStrip as a senior advisor and member of the board of directors prior to his appointment as CEO in 2011. Prior to joining AirStrip, he was CEO and principal of Hybrid Clinical Transformation, LLC, where he developed EHR adoption strategies for the U.S. Military Health System and much of the Veterans Health Administration. He also served as president and chief strategist at CliniComp, Intl., and in senior executive roles in several innovative healthcare technology and service organizations.
AirStrip provides a vendor and data source-agnostic, enterprise-wide mobile interoperability platform that advances care collaboration and serves as a catalyst for health system innovation. Here he discusses mHealth trends; why and how it needs to change; interoperability; security and protecting against breach;and the biggest issues facing healthcare in the next year.
Can you tell us about yourself and your background prior to starting AirStrip? Why healthcare?
Prior to joining AirStrip, I was the president at CliniComp and responsible for the implementation of high acuity EHR systems at the U.S Military Health System, Veterans Health Administration (VA) and a number of prestigious healthcare organizations in the private sector. In my more than 25 years of experience in the healthcare industry, I have held several senior executive roles with innovative healthcare technology vendors and helped pioneer an mHealth company more than a decade ago that came out of UCLA Medical Center Department of Neurosurgery (Global Care Quest). Leading the industry via disruptive and continuous innovation has become a true passion. Each day I see how technology improves patient care, and I enjoy being an active part of that transformation.
What do you think the mHealth industry needs to change to better support doctors and patients today?
Mobile technology and clinical decision support tools will undoubtedly be the biggest contributors to the needed clinical transformation revolution, providing physicians with a means to deliver proactive quality care to millions of patients throughout the continuum of care. However, for clinical transformation to occur, the industry needs to establish – and enforce – interoperable standards so that data and technology can move seamlessly across systems and provide clinically relevant patient information at the moment of care regardless of where the caregivers and the patients are. Interoperability will remove the data silos that currently impede access to information, and allow for clinical decision support that lets clinicians provide the best care, improving overall patient outcomes and well-being. The fact that legacy vendors are not sharing data means that innovation is being stifled. Unfortunately, both the federal government and a handful of legacy vendors seem to be driving us deeper into the crisis by carrying the flag of interoperability, but only limiting requirements to minimal clinical data sets, which do not contribute to the move from volume to value-based reimbursement.
Guest post by Grant Kohler, vice president, Innovation and co-founder, REACH Health.
I began my healthcare career in the hospital setting. While working at Georgia Regents University (formally the Medical College of Georgia), my colleagues and I developed one of the nation’s first telestroke systems. It was rudimentary at first, literally pieced together on an IV pole from existing equipment: web-enabled video cameras, flatbed scanners for CT scans and spare CPUs, with a landline telephone to provide audio. Since then, I’ve worked with many facilities across the country to set up telemedicine platforms. Over that time, I’ve witnessed a variety of approaches to telemedicine.
One major transformation I’ve witnessed more recently: Many hospital systems are now choosing software-based platforms over hardware-based technologies. As I’ll explain shortly, this shift in thinking has important implications worth considering.
Core Technology: Software vs. Hardware
Telemedicine platforms are evolving rapidly with no signs of slowing. It is prudent to ensure that your hospital is in a position to take advantage of the rapid pace of improvements without being locked into a solution that hinders or prevents future technological enhancements or program expansion.
To appreciate the difference between focusing on software vs. hardware, consider the evolution of mobile phones. In 2007, the first smartphone was introduced. At the time, flip phones were considered leading edge. Less than five years later, flip phones were deemed antiquated by most. Why? The cell phone is a hardware-centric device and the smartphone is a software-centric device.
In the telemedicine industry, first-generation solutions such as tele-presence carts and robots began as single-function, hardware-centric devices. Even if they work satisfactorily for their narrow purpose, they lack the flexibility needed to support cost-effective upgrades and expansion for multiple service lines. Also, because the hardware is proprietary, it often isn’t subject to commoditization and is priced at a premium. As telemedicine technologies have evolved, software-centric platforms have become available and offer increased flexibility, including new capabilities and multiple endpoint options.
Support for Creating a Telemedicine Network – Thinking about the Subscribers
The literal goal of telemedicine is to create networks where provider hospitals offer specialty care or expertise to subscribing hospitals. Successful execution produces improved outcomes and patient satisfaction for a larger number of patients and creates economic benefits for both the provider and subscriber hospitals.
Your telemedicine platform can impact your ability to recruit hospitals into your network. In competitive markets where other provider hospitals are vying for the same potential subscribers, a well-designed telemedicine platform provides a recruiting advantage. If a large hospital balks at expensive hardware investments that easily become dated, a smaller hospital will have similar concerns but a tinier budget. Hospitals of all sizes seek to leverage maximum utility out of all investments with a minimal disruption to existing processes and workflows. With hardware-centric platforms, the inherent focus is often on the technology itself rather than the patient. This is unpalatable for most hospitals considering telemedicine, as their primary objective is better patient care.
Guest post by Shannon Snowden, senior technical marketing architect, Zerto.
Electronic health records (EHR) are the tie that binds together the patient with the caregivers. What happens when an extended outage or disaster happens? Caregivers still have to administer treatments regardless if the systems are online.
The longer the outage, the greater the negative impact to the quality of the end product or service. In the healthcare business, it is unacceptable. Every manually tracked record has to be added back into the EHR when it is available once again.
A big concern is that the manual records often get summarized with many of the details those electronic healthcare systems track are missing. These knowledge gaps ultimately could diminish the quality of patient care.
A contributing factor to the difficulty in finding a good disaster recovery solution is the technology necessary to support healthcare information systems (HIS) are complex, involve multiple servers that are tightly integrated and are quite unique from the perspective that the application vendor remains very involved with the customer on an ongoing basis.
This is the challenge faced by healthcare organization CIO/CTOs, IT directors and managers. How do you provide a sound business continuity solution that enables nearly no interruption in patient services is easy to manage and is within a realistic budget? What should be considered requirements for a healthcare information system disaster recovery solution?
Here is what to look for in a disaster recovery solution:
The use of electronic medical records (EMRs) is increasing liability risks for physicians. We have not yet seen the full impact of EMRs, because cases take three to four years to be filed from the time of the adverse event. However, we are beginning to see data that show EMRs are a contributing factor in malpractice suits.
In a study by The Doctors Company of 97 EMR-related closed claims from 2007 to 2014, user factors contributed to 64 percent of claims, while system factors contributed to the remaining 42 percent. EMRs can result in a weak defense by casting the user—the physician—in an unfavorable light.
In a recent presentation I gave at HIMSS, I outlined malpractice cases that involved EMRs that resulted in cumulative awards of more than $30 million and reviewed areas where EMRs present the greatest risks.
Risk 1: Copy-and-Paste
Copying and pasting previously entered information can perpetuate any prior mistakes or fail to document a changing clinical situation. In The Doctors Company study, 13 percent of cases involved pre-populating/copy-and-paste as a contributing factor. While it may be OK to use the copy-and-paste function to save time, whatever is pasted must also be edited to reflect the current situation. Similar to copy-and-paste is the practice of using templates. Some of the biggest pitfalls in these two functions are lack of individualized information on the patient, gender confusion, lengthy notes for each encounter that look like they have been enhanced by the computer, lots of blanks, repeated typos and other errors, and use of similar phrases sequentially.
Risk 2: Informed Consent
Physicians must take care to capture the electronic signature of the patient when loading an informed consent into the EMR. Make certain the signature is legible. Also check to be sure the scanned document is in the record and that the informed consent is documented in the notes.
The following is from a case that involved problems with informed consent in the EMR:
The news about ICD-10 continues to divide providers, one way or another, based on whom is asked and as my friends at NueMD have found, many are still unprepared and most don’t want want it to move forward. These are the primary findings of the recently conducted a third installment of the firm’s survey, “Attitudes toward ICD-10” that was designed to measure how healthcare professionals feel about the upcoming transition. In all, of the 1,000 respondents — primarily from small and medium-sized medical practices — the majority said they think there should be no transition to ICD-10.
The following graphics help explain the sentiment toward the new coding standard for clarification:
According to the results of the survey, NueMD’s data suggest that making the switch to ICD-10 will greatly improve provider’s ability to understand medicine, but can “also introduce some serious struggles for practices while they try to maintain cash flow through the transition.”
For example:
Expectations
Moving on to expectations, according to the survey, the majority of respondents said they are either highly or significantly concerned about the transition to ICD-10. The greatest concern remains for the training and education pf staff during the transition, for obvious reasons. However, payer testing and software upgrade costs are not far behind.
Respondents were most concerned about claims processing, with 65 percent saying they are either “highly” or “significantly” concerned with the transition.
