Guest post by Lysa Myers, security researcher, ESET.
Risk assessment is something we all do, every day, in healthcare and in our daily lives. Consider crossing the road. Should you cross at the lights? Can you trust the traffic to obey the lights? Doctors perform risk assessments when prescribing medications or evaluating a patient for an operation. Unfortunately, risk assessment for electronic health records (EHRs) is not fully understood or implemented by some healthcare organizations, especially smaller facilities that lack dedicated IT or security staff. Yet, this type of risk assessment is increasingly important to the success of healthcare-related businesses.
How do you proceed if your organization lacks the expertise to complete an EHR risk assessment? Because this is such a complex topic, the answer to that question could easily fill volumes. But we all have to start somewhere, so I will provide a basic description to steer you in the right direction to do more in-depth research on your own.
How to do an EHR risk assessment
There are four basic steps – the time and effort they require depends upon the size and complexity of your organization, and the thoroughness of your assessment. You may wish to do your assessment in multiple passes over time, getting more in-depth as you go. This turns a huge headache that must be dealt with all at once into something more manageable that can be revisited to keep up with changes as they occur.
According to a letter sent to clients, posted to HISTalk, Matt Hawkins, current Greenway Medical president, is leaving the organization to accept an “exciting new leadership opportunity” outside the company.
Details were not released in the letter as to whether Hawkins is staying with Vista Equity Partners, the parent organization of Greenway. Hawkins has been with Vista for several years, including stints leading Vitera Healthcare Solutions and SirsiDynix.
Tee Green, Greenway’s CEO, is expected to take the helm.
I’m not sure if Hawkins’ departure will be felt deeply at the company or if there will be any ripple effect at Greenway, since the Vista leadership team pretty much manages daily operations of the organizations it owns. Perhaps the biggest effect this development could have for clients is possible changes in strategy related to the company’s legacy systems, like Intergy and Medical Manager.
Still, this is a pretty interesting development given that the purchase of Greenway and its merger with Vitera and Success EHS is still so current.
For the record, I reported to Hawkins while I worked at Vitera in its PR department (a Sage Healthcare transplant transitioned over during the Vista transaction), but I was among the 400 to 500 laid off in 2012 as Vista restructured the company into its portfolio.
Hospitals and eligible professionals that have yet to meet their meaningful use requirements are facing a good news/bad news scenario. First the bad news: The clock is ticking, as major deadlines loom. The good news: It’s not too late to hop aboard the MU train, although some running might be required. If you’re among those seeking MU attestation this year, here are key points you need to know.
2014 Certified?
Before you take one more step, make sure your technology vendor is 2014 certified. Regardless of whether you are attesting to meaningful use Stage 1 or Stage 2, all eligible professionals (EPs) and eligible hospitals (EHs)/Critical Access Hospitals (CAHs) are now required to use an ONC 2014 Edition Certified technology to successfully attest to both MU1 and MU2.
You might have been under the impression that Stage 1 corresponds with the 2011 Edition and Stage 2 corresponds to the 2014 Edition. This is not the case, but your confusion is understandable.
What happened? When meaningful use was first introduced, the Centers for Medicare and Medicaid Services (CMS) published MU Stage 1 and the Office of the National Coordinator for Health Information Technology (ONC) published the 2011 Edition Certification; then MU Stage 2 and the 2014 Edition Certification Criteria were released within days of one another.
Two entities have paid the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices.
“Covered entities and business associates must understand that mobile device security is their obligation,” said Susan McAndrew, OCR’s deputy director of health information privacy. “Our message to these organizations is simple: encryption is your best defense against these incidents.”
OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center. OCR’s investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk.
While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time, leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information. Concentra has agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan to evidence its remediation of these findings.
With a flourish of congressional shenanigans lifted almost word for word from the teleplay of Netflix’s House of Cards, the HHS-mandated 2014 transition to use of the ICD-10 coding classification was brought to a screeching one-year “delay.” We are left, once again, with “at least” another year of collecting healthcare information via ICD-9, an awful but omnipresent healthcare coding system. More concerning, we are left with the impression that diligent and expensive work to comply with rules in a host of other areas, such as meaningful use of electronic health records, could become abruptly irrelevant. The result of the delay is that not only do we have a significant number of long-time objectors to the change to ICD-10, but they are also joined by a surge of rightfully angry and dubious ‘compliers’ who put in time and investment dollars to meet the deadline. But there are also some additional considerations, given the amount of time that has passed, as we prepare to make the trip.
Is this trip still worth the aggravation and expense?
The major underlying rationale of moving to ICD-10 remains laudable: to provide greater clarity to our understanding of healthcare practices through the use of better industry standard, diagnosis codes. With more granular, relevant and precise core codes at the foundation, medical quality and effectiveness studies utilizing these codes for analysis and program development were to have benefitted dramatically.
Given our desire to advance healthcare value and improve outcomes through accountable care practices (‘fee-for-value’), we must acknowledge our dependence on much better information collection for analysis than is possible from ICD-9[1]. Significant questions remain, however, as to whether the move to ICD-10, using codes predominantly still entrenched to support fee-for-service billing processes, will get us where we want to go. While we can hope the enhanced and detailed nature of ICD-10 might yield greater insight into the real value of our activities, this remains a particularly frail hope in light of the way we use the codes as revenue cycle fuel.
Maintaining blood supplies to meet the needs of the hospitals in the region is a key mandate for the Rhode Island Blood Center. The Center collects 250 pints of blood from donors to meet this commitment. To make it easy for donors, more than 3,000 mobile blood drives are held annually throughout the community.
While we have nurses and lab technicians to take care of the donors’ physical needs, it is my job as the IT Systems Manager at Rhode Island Blood Center to take care of their personal information. We gather this information from each donor at the mobile clinics and store it on laptops, so it is essential that we have safeguards in place to ensure the data is properly secured.
Data security is a key concern for the majority of healthcare organizations in the US. And like most organizations, Rhode Island Blood Center must follow regulatory guidelines and protect patient data.
My department is responsible for the IT and telecommunications equipment used at the remote blood drives and the six Center locations. The typical set-up includes a large number of Center-owned laptops where donor information is stored.
While most people arrive at a clinic and see the positive results of a community coming together and helping each other – all I see are laptops loaded with confidential information for which Rhode Island Blood Center is ultimately responsible. I know if even one laptop is lost or stolen, confidential donor information could be at risk.
Data at Risk
Reviewing daily healthcare news, it is clear that data breaches are a huge issue for healthcare organizations across the US, but bad press isn’t the only issue – many organizations face large non-compliance fines and damage to their reputation that can never be restored.
Guest post by Judy Chan, president, HealthPro Consulting.
Burgeoning EHR implementations nationwide attributable to the meaningful use incentive program have created a surge in HIO and electronic health information exchange (eHIE).
Having health information available for electronic exchange is generally accepted as beneficial to patients, providers and payers. Providers can access patient information from other providers when they need it and where they need it. Providers are able to avoid duplicating lab tests, scans and x-rays, which saves payers dollars. Additionally, patients don’t need to remember what treatments were administered or drugs prescribed, and can avoid unnecessary exposure to radiation.
In emergency situations, the benefits of having a patient’s health information available to emergency room staff are obvious. Patients who have experienced referrals in the course of diagnosis and treatment also readily see the advantage of not having to hand-carry all of their medical records from one doctor’s office to the next. The electronic exchange of health information among providers eliminates faxes, paper work and phone calls.
Patient’s perspective
What makes the exchange of health information frightening to patients?
1. Your health information is available to others who have a legitimate need.
2. Consent must be given by the patient to share their information.
3. You must trust the distributor of your information.
4. You should monitor your data on a regular basis and make corrections when necessary.
5. Information could be accidentally released without your permission.
6. Your consent is electronically recorded by multiple systems.
Do these risks sound familiar? They should, because they are not very different from the risks posed by the credit rating agencies that have recorded your financial transactions for years.
A recent study by mobile engagement provider Mobiquity, Inc has found that while 70 percent of people use mobile apps on a daily basis to track calorie intake and monitor physical activities, only 40 percent share data and insights with their doctors.
Working with an independent research firm, Mobiquity’s “Get Mobile, Get Healthy: The Appification of Health & Fitness” study reveals the opportunity for healthcare professionals and organizations to leverage mobile to drive positive behavior change and healthier patient outcomes. According to the survey, 34 percent of mobile health and fitness app users said they would increase their use of apps if their doctors actively recommended it.
According to Mobiquity’s research, 73 percent of people claim to be healthier by using a smartphone and apps to track their health and fitness. Fifty-three percent discovered they were eating more calories than they realized. Sixty-three percent intend to continue, and even increase, their mobile health tracking in the next five years; 55 percent of today’s mobile health app users also plan to introduce wearable devices like pedometers, wristbands and smartwatches to their health monitoring in coming years.
Smartphone health tracking trumps social networking
For many, using a smartphone to track their health and fitness is more important to them than using their phone for social networking (69 percent), mobile shopping (68 percent), listening to music (60 percent) and making/receiving phone calls (30 percent).
But there’s room for improvement
What’s stopping people from using their health and fitness apps more? Doctor recommendations would be a big motivator, said 34 percent. Privacy was also a concern for 61 percent. But the chief reason people quit using these apps is simply because they forget – something that could and should be addressed by app developers to ensure health apps are less disposable.
“Our study shows there’s a huge opportunity for medical professionals, pharmaceutical companies and health organizations to use mobile to drive positive behavior change and, as a result, better patient outcomes,” said Scott Snyder, president and chief strategy officer at Mobiquity. “The gap will be closed by those who design mobile health solutions that are indispensable and laser-focused on users’ goals, and that carefully balance data collection with user control and privacy.”
Mobiquity commissioned independent research firm Research Now to survey 1,000 consumers who use, or plan to use, health and fitness mobile apps. The study was conducted between March 5-11, 2014.