Guest post by Jeff Robbins is president and CEO of LiveData, Inc.
Jeffrey Robbins
It is no secret that many of today’s best hospitals are still enmeshed in implementing and fine-tuning new, enterprise-wide electronic health record (EHR) systems. With purchase prices in the tens or even hundreds of millions of dollars, the EHR is a focal point of bringing technology to bear on the various challenges of delivering consistent, high quality care to an increasing number of patients.
Yet many hospital administrators and caregivers are finding that the level of effort (and expenditure) isn’t moving the needle as much as was expected. It turns out that this isn’t because of any specific failing on the part of the EHR vendors. Rather, it is because of a missing layer in today’s EHR technology stack.
This missing layer, workflow management systems, is software designed to coordinate specific action, create consistency, and deliver visibility by automatically connecting caregivers with relevant tasks and information. The EHR, by necessity, is focused on creating a heads-down log of all encounters. Workflow technology adds the missing heads-up displays, alerts and analytics that help drive use of the EHR during patient encounters.
One of the more complex interventions in healthcare is surgery. The choreography involving patients, caregivers, equipment, supplies and operating rooms at a busy hospital is demanding, and the added manual data-entry burden of new EHR implementations paradoxically adds to the risk of variability.
Perioperative workflow
Workflow technology can mean many things. At the planning level, one common device is using whiteboards and Post-It notes to create a basic map of tasks. This data gathering approach is an excellent team activity, and allows many stakeholders to collaborate and share knowledge about interdependencies.
The challenge posed by the complexity can be summarized as, “Where do we go from here?!” It is tempting to picture using a computer-based workflow diagramming tool to capture and enact this diagram. While the “state diagram” is a useful technology tool, the complexity of even this small detail should help highlight why the myriad states, conditions, and rules that could be brought to bear to deliver workflow technology benefits to complex interventions is, in a word, complex.
Where do we go from here?
Workflow technology, delivered via a workflow management system, is intended to implement the workflow processes built on the activities and preferences of stakeholders. By making aspects of these human processes “executable,” via executable process models, healthcare workflow technology can provide a form of power-assist to caregivers.
But, as we have seen, creating a computerized process model of a complex process will, of necessity, have to mirror some of that complexity, or risk oversimplification and the potential for harm to patients. This model is executed or consulted, in conjunction with caregivers, when they deliver care. These executable process models are at the heart of what distinguishes healthcare workflow technology from today’s EHR. Healthcare workflow technology drives workflow to achieve the consistency and quality required by our society’s burgeoning healthcare spend.
There is no doubt about it, healthcare as an industry is absolutely reliant on its systems environment and electronic information to the point that efficiency, safety and productivity are affected any time it suffers any disruption. Yet it seems we are destined to incur disruptions more often than not because of our own actions or in-actions.
This article takes a somewhat tongue in cheek look at some of the naïve or bad behaviors, misconceptions, short-sighted decisions and mistakes we make that contribute to making our own data security situation more difficult.
Misplaced Trust
The list of examples here is virtually endless, from having too much confidence in vendors to underestimating employees to naïve beliefs about the internet, social media and applications. Hundreds of hospitals blindly relied on a vendor to process their billings without once questioning the company’s security practices. They were surprised when their revenue cycle was interrupted when that company suffered a Ransomeware attack. Other healthcare entities have found themselves embroiled in breach investigations when subcontractors they never knew existed lost their data, some overseas.
Expressing surprise may be a realistic response, but it’s hardly an acceptable excuse for lack of due diligence. Few organizations watch the folks who represent the highest risk to their systems and information – those with elevated privileges. Examples abound of administrators who became saboteurs. What is amazing is the almost immediate reaction when these kinds of things happen. How could we not be auditing these folks? It should be pretty simple to answer this question when they are usually the ones responsible for auditing. And then there is the internet and social media. The first myth organizations fall victim to is, “we’re too small to attract anyone’s attention” or “no one is looking at us.”
Most attacks from the internet are indiscriminate automated probing of systems looking for anyone vulnerable. You’re right they are not looking for you specifically, but if you are connected they may find you. Last but not least, the naïve belief that there is actual privacy on social media and applications when they tell you there is. Weekly we hear about another app compromised or information leaked from a site thought to be secure. There is no such thing as foolproof security and apps, even ones named “secret” should be approached with caution.
Underestimating Risk
Organizations make bad decisions all the time based on misplaced or erroneous perceptions of risk, or just plain disregard for the risk. Bad decisions though, regardless of the reason, are still bad decisions. How about underestimating the risk from USB ports?
Organizations routinely underplay the fact that these ports unprotected can be the source of information loss or importation of malware. We encrypt mail, laptops, maybe even provide encrypted USB drives, but fail to manage the ports themselves. In complex environments it’s also easy to be overwhelmed with what seem like routine chores, like documenting all changes. Someone says it’s a routine change, it only affects one system, or the vendor is just applying a regular update… implying that it doesn’t have to go through change control and thus, does not get documented. There is also underestimating the risk when we acquire another entity. This risk comes in two forms. The first is the acquisition without the assessment, or rushing the acquisition so assessment is not possible, and assuming the risk blindly. Continue Reading
Guest post by Stephen Cobb, senior security researcher, ESET.
Stephen Cobb
Whatever you thought of President Obama’s penultimate State of the Union address, you have to admit it set some sort of record for the most words devoted to issues of data privacy and security (198 by my count). Furthermore, those words alluded to a raft of statements and announcements on these topics that were published in the days leading up to the speech. In short, it is clear that this President wants to make some changes with respect to cybersecurity and data privacy. What is not yet clear is how those changes will affect healthcare IT and the management of electronic health records. Will breach notification requirements change? Will penalties for breaches be increased?
The answers are not entirely clear at the moment. For a start, the President is a Democrat, but Republicans control the House and Senate. In other words, it is hard to know which of his proposals will be enacted. That said, it is better to look at them now and ask questions, engaging in the debates they are bound to provoke rather than wait and see what new laws finally emerge. For example, the President proposes to erect a single national 30-day data breach notification law in place of the scores of different state data laws that companies currently have to comply with. How will that affect electronic health records?
The answer may be “very little” and that could be good news for electronic health records and health IT. In its current form, the proposed Personal Data Notification & Protection Act does not disrupt existing federal notification requirements related to health data breaches. The draft legislation does not apply to HIPAA covered entities and business associates, nor the FTC covered vendors of personal health records. Here is a boiled down version of the current language which I have put in quotes to show it comes from the bill: “Nothing in this Act shall apply to business entities to the extent that they act as covered entities and business associates subject to the HITECH act (section 17932 of title 42), including the data breach notification requirements and implementing regulations of that act. Nor will it apply to business entities to the extent that they act as vendors of personal health records and third party service providers subject to the HITECH act.”
If the law were to be passed with that language intact, it would leave in place what many of us still think of as the HIPAA 60-day notification deadline, as well as the FTC 30/60-day PHR regime. And when you’re trying to comply with a regulatory regime, a lack of change can be good. Another way of looking at the breach notification issue is that the healthcare sector, while often maligned for leaking data, is actually a pioneer in notification. The HIPAA privacy and security requirements were in play even before California passed the first of the state breach notification laws, which now exist in some form in more than 40 states (creating the patchwork regulatory nightmare that the President’s unified federal law seeks to dissolve).
Guest post by Maureen Ladouceur, vice president, Health Systems Products, Marketing and Services, Quantia, Inc.
Maureen Ladouceur
According to a recent Physicians Foundation survey, 82 percent of physicians believe they have “little influence on the direction of healthcare.” At the same time, data suggests that physicians are the ones driving 80 percent of our increasingly unsustainable national healthcare spend.
There’s been plenty of speculation on the reasons physicians are feeling so disenfranchised – including their frustration with having to do things that don’t appear, to them, to have anything to do with good medicine. Things like onerous documentation, EHR training and quality report cards are just a few examples. Further, physicians are being asked to learn about marketing, customer service, leadership, management and cost effectiveness that have more to do with taking care of the system than taking care of patients.
In most cases it boils down to this: there’s too little time, too many distractions and too much change to the clinical and administrative guidelines that go along with being a practicing physician.
So how can health systems overcome these very real obstacles and engage their physicians in ways that keep them current and aligned? For starters, any physician engagement strategy has to be digital if it’s going to scale. And to be sustainable, it’s got to be convenient, credible and enjoyable—while giving physicians a voice (and thus, gaining their buy-in) on topics that will impact the future of their practice, their organization and the overall healthcare system.
Health systems looking to engage their physicians in ways that foster ongoing learning and inspire change can leverage a few proven best practices:
Make it convenient
With an estimated half of current medical knowledge becoming obsolete every five years, even the most experienced physician can’t keep up with all the changes in healthcare. Yet many bristle at the idea of spending time away from the office at symposiums, or submitting to onerous exams on content that may or may not be relevant to their practice.
Guest post by Ken Perez, vice president of healthcare policy, Omnicell.
Ken Perez
During much of 2014, there seemed to be a rising tide of negativism about the Centers for Medicare & Medicaid Services’ accountable care organization (ACO) programs. After losing nine of its participating organizations after its first year of operation, the Pioneer ACO model suffered some more high-profile departures in 2014.
In August, Sharp HealthCare, a five-hospital system in San Diego, Calif., exited the program, and the following month, three other ACOs—Franciscan Alliance in central Indiana, Genesys PHO in Flint, Mich., and Renaissance Health Network in Pennsylvania—also dropped out. Since the Pioneer program’s inception in January 2012, the total number of Pioneers has dropped by 41 percent, from 32 participants to 19.
The bad news wasn’t confined to the Pioneer program. An October 2014 survey by the National Association of ACOs (NAACOS) indicated that two-thirds of Medicare Shared Savings Program (MSSP) participants are “highly” or “somewhat” unlikely to remain in the ACO program as it currently stands. Clearly, the Medicare ACO ship certainly seemed to be sinking.
In an attempt to right the ship, on Dec. 1, 2014, CMS released a long-awaited 429-page proposed rule to modify the MSSP, seeking to retain as many of the current MSSP ACOs as possible and attract new participants to the program. The words “encourage” or “encouraging” appear almost 100 times in the document—with an eye, ultimately, toward greater ACO participation in risk-based models. However, in spite of CMS’s intention, NAACOS and the American Hospital Association’s initial responses to the proposed rule were generally critical. CMS is accepting public comments until Feb. 6, 2015, after which it will compose the final rule, a process which should take, if history is a guide, three to six months.
Guest post by Scott Zimmerman, president, TeleVox.
If you caught Maria Bartiromo’sinterview with ex-Apple CEO John Sculley in late December, you would have heard him say this to the Fox Business Network’s Global Markets Editor:
“Telehealth is going to be a booming industry.”
Why? Sculley pointed to consumers’ taking on more responsibility for their own healthcare, the result of a new awakening to its high costs. He sees this as a derivative effect of Obamacare, as patients confront greater out-of-pocket payments in the face of higher deductibles.
Sculley went on to compare his expectations for the success that he expects telehealth to experience to the success that ATMs and online banking have seen in the last 20 years: “People said, ‘I wonder if it will be successful. We all know it was. The same thing is going to happen in telehealth.”
The renowned tech titan is very much onto something here. Consumers – especially those with chronic conditions who grapple with the challenges of adhering to prescribed treatment plans – will want more efficient and lower-cost ways to more regularly engage with their healthcare providers as part of a continuous-care model. But there’s so much more that is influencing the move by medical professionals to complement in-office visits with remote patient engagement strategies and communications solutions.
One important reason is that healthcare providers and institutions have financial incentives for more aggressively managing patient cases. In the age of accountable care, hospitals want physicians who have ties to their healthcare systems to boost patient communications for care coordination, to help them steer clear of penalties for avoidable readmissions. The focus on rewarding quality of care delivered, rather than quantity of services provided, also increases the importance of doctors’ keeping closer tabs on how their patients are doing in between office visits.
It’s always better that physicians know as soon as possible if their patients are having problems complying with care instructions or experiencing other complications, but especially so under these new scenarios. By the time the next office visit rolls around, things may have worsened to a considerable extent, potentially leading to more tests, additional medications, or even the need for hospitalization – all of which can take its toll on meeting accountable care standards.
Progress Is Underway
Of course, it’s simply not possible for healthcare professionals to regularly call each patient who is suffering from a serious condition to see how he or she is doing between appointments.
The good news is that there is plenty of great content being generated throughout most health organizations to create engaging, effective member and patient customer communications, which we will call “customer communications” to include any recipient. The bad news is that the content is often locked away in siloed systems and workflows, making it very difficult for marketing, customer experience and mobile strategy teams to leverage information in a streamlined, cost-effective way. The result? Marketing promotions and graphics are only available for use in brochures, purchase history data is only accessible for billing, and so on. Content is trapped in the specific system it served originally, limiting its value to the organization.
These challenges can be overcome by implementing the newest concept in healthcare document creation: content lifecycle management (CLM). The goal of CLM is to enable business teams to create and manage correspondence themselves using portals configured for specific document types, such as healthcare plan summaries, coverage change notifications and benefits statements. Implementing a CLM approach can unlock valuable data, avoid dependence on the availability of IT resources, reduce costs, and speed time to market.
Employing a CLM approach requires achieving three important “C’s”: centralization, collaboration and control. Each of these areas plays a critical role in attaining effective communications that speak directly to the customer’s individual needs and desires.
Here’s a look at each of the three C’s:
Centralization
An important step to improving customer communications is centralizing access to content and templates so that they are readily available to business users. Making it possible to reuse content in multiple health plans and versions, for instance, rather than having substantial amounts of duplicate content that is not shared, will improve efficiency and reduce the amount of effort and time needed to update or change data across versions. Changing a plan benefit for example, can be accomplished in one step for hundreds of document versions, rather than having to replace the information in each individual file.
Collaboration
Participation from people outside the primary workflow is often required but can cause bottlenecks. A good collaboration tool sits atop the entire enterprise, integrating people automatically into the workflow on an ‘as needed’ basis. A browser-based system provides the greatest flexibility because it can be accessed by anyone regardless of location.
Guest post by Garret Grajek, chief security officer, dincloud.
A March 2014 study by the Ponemon Institute titled, “Ponemon Report on Patient Privacy & Data Security,” stated that cybercriminal attacks on healthcare organizations have doubled in the past three years. If you follow IT news at all, you know that healthcare organizations are also under attack, with some of the latest of these attacks being what experts classify as APTs (Advanced Persistent Threats). APT attacks distinguish themselves by being persistent attacks orchestrated by an organized (and usually well-funded) institution, either government or criminal, with a specific target and purpose for the attack.
APTs distinguish themselves from past “script kiddies” and accidental hackers who execute “crimes of opportunity” (e.g. they find a site that they can do an SQL injection and see what data they can download). Advanced persistent threats however follow the opposite workflow – they select a target and then use any and all mechanisms to obtain access to the data they desire.
You’re in healthcare – but should you care?
Healthcare IT systems are a target rich environment for advanced persistent threats attacks. What’s the reward? PHI (Personal Health Information) and PII (Personal Identification Information). PHI/PII for hackers is the gift that keeps on giving! With someone’s identity information, hackers can create multiple accounts – financial and other – for the purposes of fraud. This was seen in mid-August when Community Health Systems announced that it had fell victim to an APT attack earlier that year from an APT group based in China. Chinese hackers stole medical records for 4.5 million patients, according to a regulatory filing from the healthcare provider. And how can we forget the security breach at HealthCare.gov, the government’s health insurance marketplace.
Healthcare has the same type of information, and more. User identities, associated e-mail addresses, phone numbers, street addresses, and often insurance, credit, and other key PII information (like employer’s and spouse information), are held by health care providers. Attackers know this, and for these reasons, health care entities have become an easy target for advanced persistent threats attacks.
