EHR review sites seem to have taken hold. Press releases and announcements galore, they proliferate across the web like nearly every other consumer review-based site. In the latest round, one of the newest sites, EMR-Matrix, essentially announced its existence and that its staff and leadership would be present at one of healthcare’s largest tradeshows – HIMSS.
What better place to try to sell its product than where the very companies that it will likely hold hostage through its so-called independent review will be present?
According to the company’s release, “The new website offers a way for doctors and health systems to evaluate, test and read reviews of electronic medical record software systems, as well as provide feedback on their own experiences with their existing EMR and practice management systems. Unlike other sites, EMR-Matrix is user content driven and strives to provide the most candid feedback possible about each EMR system.”
I absolutely believe that the (free) market needs dedicated resources that help consumers find the best products at the best prices while exposing a company’s weaknesses and touting its greatest successes, but I’m not in favor of sites bent on trying to manipulate the system.
I may be in the minority, but I don’t believe in review sites, and I don’t use them. Too often, the reviews are skewed toward the negative; the blathering loudmouth without a better venue to employ turns to the web and spouts off. They do almost nothing to keep me from experiencing something I want to experience. Certainly, I don’t believe an un-vetted review site about electronic health records is going to do much to sway my opinion one way or another about the quality of a product being professionally produced by a software vendor, but it may sway the opinions of others.
Essentially, the site is taking the business model that Software Advice utilizes and is trying to position itself as another unbiased source of information that also uses aggregated customer reviews to provide the “true” sentiment of a system and its capabilities.
If nothing else, this is just another form of KLAS, which I’ve always been suspect of. Based on my experiences in house at an EHR vendor, I’ve seen the data used to compile the reports, and with the conclusions these types of reports draw, there is a great deal left to the imagination. Companies – Allscripts is an example – that choose not to subscribe to KLAS and, therefore, forgo receiving the KLAS reports should earn everyone’s respect. They don’t bow to the peer pressure of inclusion and they understand that for the most part, the reports are worth far less than the paper they’re printed on (even though vendors pay upwards of $60,000 to see them). Nevertheless, the data in the reports are suspect and thin, and given the stranglehold KLAS has on vendors, to not subscribe is virtual suicide for the vendor (Allscripts is big enough not to have been too deeply affected, though its products are never anywhere near the top of the rankings in the KLAS reports).
That said, EMR-Matrix and others that come along might do more damage than good. If nothing else, in my opinion, at face value, they seem to be out to capitalize on the market. Let’s hope the consumers of health IT and EHRs see through this thinly veiled attempt, but there’s still some skepticism on my part that this will be the case. My blogger colleagues have agreed with me so I hope those in the market for a new EHR will actually do a little shopping around and testing rather than simply relying on a site such as this.
Unfortunately, some of the collateral damage of a site like this is like that of a “bad” restaurant: once the review hits the web, it pretty much lives there forever. For people like me in PR, and those around me who are actually dedicating their lives to developing what we believe are good, solid, high-quality products to better healthcare, physicians’ practices and patients’ lives, we lose because of sites like this. We’re the ones who lose sleep. We’re the ones that lose our jobs. We’re the ones who lose – because of a site that’s pairing the information provided with those seeking it, as relevant.
Ah, venture capitalists. You’ve got to love them. They insert themselves into a variety of topics and industries they know nothing about and pretend they can make everything better about whatever industry they ingest.
I worked for a VC-owned health IT firm for a few months following the sale of a division of a public company. What followed was round after round of layoffs, reduced investment into the product and cuts everywhere something could be cut.
But, I’m a capitalist at heart so I can’t really blame them. They’re out to make money. So am I.
But what I find somewhat ironic is that a VC is telling the world that in the near future, nearly 80 percent of what physicians do will be replaced by computers. What’s crazier, at least as far as I’m concerned, is that he’s right, if not in whole at least in part.
According to Vinod Khosla, the founder of Khosla Ventures, “Much of what physicians do (checkups, testing, diagnosis, prescription, behavior modification, etc.) can be done better by sensors, passive and active data collection, and analytics. But, doctors aren’t supposed to just measure. They’re supposed to consume all that data, consider it in context of the latest medical findings and the patient’s history, and figure out if something’s wrong. Computers can take on much of that diagnosis and treatment and even do these functions better than the average doctor (while considering more options and making fewer errors). Most doctors couldn’t possibly read and digest all of the latest 5,000 research articles on heart disease. And, most of the average doctor’s medical knowledge is from when they were in medical school, while cognitive limitations prevent them from remembering the 10,000+ diseases humans can get.”
He continues: “Computers are better at organizing and recalling complex information than a hotshot Harvard MD. They’re also better at integrating and balancing considerations of patient symptoms, history, demeanor, environmental factors, and population management guidelines than the average physician. Besides, 50 percent of MDs are below average. Computers also have much lower error rates. Shouldn’t we take advantage of that when it comes to our health?!”
Perhaps what’s most intriguing about his argument is that it just makes sense. By automating the process and reducing the redundancies and inefficiencies, physicians can focus more on the relationship they need to build with their patients. Khosla says in his Fortune piece that automating healthcare improves relationships. “Providing good bedside manner and answering certain questions can often be handled better by a person than a machine, but you generally don’t need a medical degree to do that. Nurses, nurse practitioners, social workers, and other less expensive, non-MD caregivers could do this just as well as doctors (if not better) and spend more time providing personal, compassionate care.”
Finally, what may be the most bulletproof part of his argument is that a transition to automation is happening in several other markets or areas that are worth taking note of. For example (and I’m citing directly):
Most commercial flying is now done by auto-pilot, not by the captain. Algorithmic trading now drives most stock market volume.
Google’s (GOOG) self-driving car has had zero accidents driving 300,000 miles on normal streets. The same replacement of human involvement by computers will also happen in healthcare.
Because of automation, physicians supposedly will have more time to spend talking to their patients, making sure they understand, and “finding out the harder-to-measure pieces of information because they’ll spend less time gathering data and referring to old notes. And, they will be able to handle many more patients, reducing costs.”
The last point may be a bit of a stretch. I’m not sure any amount of automation can actually reduce costs.
But here’s the heart of the story, the heart of the entire current healthcare story: Where will the innovation come from?
“Innovation seldom happens from the inside because existing incentives are usually set up to discourage disruption. Pharma companies push marginally different drugs instead of potentially better generic solutions because they want you to be a drug subscriber and generate recurring revenue for as long as possible. Medical device manufacturers don’t want to cannibalize sales of their expensive equipment by providing cheaper, more accessible monitoring devices. The traditional players will lobby/goad/pay/intimidate doctors and regulators to reject innovation. Expecting the medical establishment to do anything different is expecting them to reduce their own profits. Granted, these are generalizations and there are many great and ethical doctors and organizations.”
Well put, Mr. Khosla!
What’s going to change it? People in need. Entrepreneurs. Those looking to innovate. Those looking to capitalize. VCs…
Having spent most of my career on one side of a note pad while looking at a source on the other, I’ve often wondered if others have felt the way I have about trying to connect with the story tellers I’ve come to rely upon for my professional endeavors.
As a professional reporter and freelancer, I’ve spent much of my life trying to connect with and extrapolate information from those who have it to give and turn that information into compelling stories for the world to read. And, in many cases, even as a public relations professional who worked for an EHR vendor to tell stories to the media about our technology and how physicians used it to improve practice efficiencies and establish their electronic health records, I asked myself the same question: Am I connecting with those I’m speaking with while I work to paint their pictures with my words?
Even now, as a blogger and freelance PR professional, I continue to ponder the same question. And, I’ve wondered, if I feel this way when I’m writing a story and the only thing coming between me and my source is a pad of paper, how must it be then for physicians that are now using computers to take notes and build case histories for their patients during their exams?
One day this argument will be settled as a new generation of docs enters the workplace and takes over practices left by their predecessors, as they will never know an exam room without some sort of technology – computer or mobile device – but one can’t help but feel (at least now in the infancy of the true EHR days) that there has been a change in the way your physician practices now that he or she has a computer next to your exam table in the exam room.
I’ve noticed that the doctor seems to be some great distance away from me, as if I’m having a conversation with someone 1,000 miles away. It’s the same thing as when you are in a conversation with someone while you are toying around with your iPhone or Blackberry. You’re there physically, but in mind you are a long way away.
The same can be said for drivers who choose to talk on their phones. Clearly, the individual is behind the wheel letting their body’s muscle memory carry them through the task of shifting, steering and turning, but their cognitive thoughts are in the place of purgatory somewhere between the road on which they are driving and the person on the other end of the line.
With this in mind, just how much is being conveyed and captured by the physician who’s tapping away at their keyboard while they’re trying to guide you through the eight-minute office visit?
Speaking from the perspective of a professional journalist who has made a career of trying to capture the facts, figures and stories of those sitting next to me while I’m typing or writing away, I can safely say that much is being lost. This is especially true since shorthand and transcription are skills not being taught at our top medical schools and residency programs throughout the United States. Heck, we can’t even get our young med students trained on using electronic health records prior to graduating into real life, so why should we expect our doctors to have the skills of a professional journalist or court reporter?
So, if I still have problems at times with connecting to sources even with nearly 15 years of experience, I can guarantee you that, for physicians, who don’t make a living at capturing the heart of a story or even its most important elements, not all of a patient’s most important information will end up in their health record.
As 2013 gets underway, we are in the midst of a health information revolution. As many healthcare providers continue to struggle to implement electronic health record systems and meet meaningful use requirements, the promises of this revolution may seem distant, even non-existent. Indeed, many providers rightly complain that implementing EHR systems has only brought increased expense and declining productivity as they adjust to the new systems. The promises of interoperability, better outcomes, reduced medical errors and lower costs in many cases have not yet been realized.
For others, the promised benefits of electronic health information may be closer at hand. For example, The Wall Street Journal recently reported that two big names in healthcare – UnitedHealth Group, Inc. and Mayo Clinic – will form a new research company to mine de-identified health data from millions of health claims and medical records to identify best practices. This seemingly reflects a realization of one of the touted benefits of electronic health information – to change the way healthcare is provided and to reduce costs by analyzing health outcomes information.
Notwithstanding the electronic growing pains within certain quarters of the provider community, digital health is flourishing and driving the health information revolution. While the provider and payor communities were formerly the sole source of health information, consumer demand for digital health and control over health information is moving the center of the health information universe more toward individuals (the new paradigm) and away from providers and payors (the old paradigm). Both patients and providers report increased use of the Internet to diagnose medical conditions. Digital health services provided via the Internet, smart phones, cable, Bluetooth-enabled devices and other wireless technologies are putting health information at consumers’ fingertips and unlocking it from the confines of providers and payors.
Consumers want their devices to do more, and make health information and services available to them as easily as they may use their phones to search for a restaurant. Smart phone chip manufacturer Qualcomm has established a $10 million prize to develop a mobile medical computing device, inspired by the tricorder device from “Star Trek.” Smart phones and many medical devices now include multiple sensors that can be employed for a variety of health-related purposes and health-related sensors are increasingly being incorporated into clothing and home monitoring equipment. These activities are generating massive amounts of digital health information, facilitated by declining costs of data storage available through the cloud and other low-cost digital storage media.
While providers may no longer be relied upon as the sole source of medical information, they will continue to be relied upon for their medical judgment. Because of the exponentially increasing availability of health information, including genomics information, which is relevant to clinical decision-making, providers will have a significantly higher burden to digest and analyze this available information and manipulate it in the clinical setting. Look for increased use of and demand for data analytics tools in the clinical setting.
In the meantime, our regulatory regime for data privacy and security, including HIPAA and HITECH, is based on the old paradigm and severely inhibits the health information revolution. Ironically, HIPAA, which was intended to address privacy and security in a digital age, stands as a major impediment to digital health. It does so, in part, because it assumes that health information rightly resides with providers and payors (HIPAA-covered entities), rather than with their business associates (including many digital health companies) or consumers. Indeed, with limited exceptions, HIPAA requires that any business associate of a HIPAA-covered entity either return to the covered entity or destroy patient information where feasible when the relationship between the business associate and the covered entity ends.
That requirement effectively constrains information from easily following the consumer, a major objective and promise of the health information revolution. For example, HIPAA makes it difficult for a wellness company to continue to serve an individual if that individual changes health plans or the wellness company stops doing business with the individual’s health plan. In 2013, look for increased pressure to reform HIPAA to allow information to be more readily accessed by consumers and digital health companies. The more than 500 pages of new HIPAA Omnibus regulations that were issued on January 17, 2013, do not change this underlying assumption or effectively address the new paradigm of a patient-centered health information universe.
At the same time, increased use of mobile media by healthcare providers continues to challenge those who are responsible for protecting that health information. Theft or loss of mobile media, including smart phones, laptops, tablets and flash drives, continues to be among the largest sources of data breaches, prompting the federal government recently to issue specific guidance on how to use such devices in compliance with HIPAA. (See,
This guidance recommends limiting offsite use of mobile media that may contain health information. While this position is understandable, it reflects the old paradigm view that information remains within the control of the providers and payors and ideally does not leave the controlled environment of their facilities. Healthcare facilities and other companies that use mobile media containing patient information will continue to face challenges with implementing use of such devices, given the current regulatory regime.
Drew Gantt leads Cooley LLP’s Health Care and Life Sciences Regulatory Practice. Gantt is a partner in Cooley LLP’s Business Department and a member of Cooley’s Life Sciences Practice Group. His practice focuses on healthcare and life sciences regulatory counseling, complex transactions and strategic business advice.
I’m not unique in that during this time of year I love to take a look at predictions made by some of the industry’s “best” and see if their predictions make sense, are surprising in a good way or if they are surprising in a stupid way.
With that in mind, I came across an interesting piece in Canadian Manufacturing of all places that features several intriguing predictions by analyst firm Gartner that I think are worth a look here as they have peripheral relation to healthcare.
So, here we go. Gartner’s top IT predictions include:
By 2015, big data demand will reach 4.4 million jobs globally, but only one-third of those jobs will be filled. According to the report: “The demand for big data is growing, and enterprises will need to reassess their competencies and skills to respond to this opportunity. Jobs that are filled will result in real financial and competitive benefits for organizations. Note that enterprises need people with new skills—data management, analytics and business expertise and nontraditional skills necessary for extracting the value of big data, as well as artists and designers for data visualization.”
In a market like healthcare, where highly skilled jobs are often difficult to fill, we should understand this prediction to be very true and one not to take too lightly. Some of these job vacancies will be at health systems that need the data to meet federal reporting requirements. The individuals with these skills will have a great deal of clout as they eventually move into the job market.
Employee-owned devices will be compromised by malware at more than double the rate of corporate-owned devices. “Corporate networks will become more like college and university networks, which were the original “bring your own device” (BYOD) environments. Because colleges and universities lack control over students’ devices, they focus on protecting their networks by enforcing policies that govern network access. Gartner believes that enterprises will adopt a similar approach and will block or restrict access for those devices that are not compliant with corporate policies. Enterprises that adopt BYOD initiatives should establish clear policies that outline which employee-owned devices will be allowed and which will be banned.”
BYOD continues to rear its head, so don’t be caught unawares. As Gartner predicts, you must have a plan for mobile device management and personal device use in the workplace. Ignorance is not bliss in this case, and since employees are currently using their own devices in the healthcare setting, where very important personal information can be exposed, develop a policy, stick with it and let your employees know you have one in place. Circulate it!
By 2016, wearable smart electronics in shoes, tattoos and accessories will emerge as a $10-billion industry. “The majority of revenue from wearable smart electronics over the next four years will come from athletic shoes and fitness tracking, communications devices for the ear, and automatic insulin delivery for diabetics. CIOs must evaluate how the data from wearable electronics can be used to improve worker productivity, asset tracking and workflow.”
Healthcare will play a role in how wearable electronics and traceable devices are used to track the health of individuals, especially in outpatient and in-home care. The data from these devices will flow directly into your EHR and become part of the patient record. Physicians will be forced to learn the benefits of these devices and patients are going to need to accept it.
By 2014, market consolidation will displace up to 20 percent of the top 100 IT services providers. “The convergence of cloud, big data, mobility and social media, along with continued global economic uncertainty, will accelerate the restructuring of the $1 trillion IT services market. By 2015, low-cost cloud services will cannibalize up to 15 percent of top outsourcing players’ revenue, and more than 20 percent of large IT outsourcers not investing enough in industrialization and value-added services will disappear through merger and acquisition. CIOs should re-evaluate the providers and types of providers used for IT services, with particular interest in cloud-enabled providers supporting information, mobile and social strategies.”
The prediction smacks of the ongoing discussion about the EHR vendor market and how much longer it can contain the number of players. Certainly, we’re seeing deterioration of this segment now, though it has been expected to erode more quickly than it has. Expect there to be fewer EHR vendors in the next 12 months, and realize that no vendor is too big to fail (see Allscripts). Prepare early and do your due diligence before signing on the dotted line.
I’d love to know your thoughts. Do you agree with these predictions and my assessments? What are yours?
In a great new white paper, “Essential Enterprise Mobile Security Controls,” sponsored by Blackberry and posted by Tech Target, mobile device security is the feature show. As it continues to be the main event for mobile technology, mobile devices will continue to be used to carry high-value personal and company information, as expected.
When personal devices were disconnected from company networks, security risks were relatively low, according to the report, but as the technology permeates and its use becomes even more closely connected to the work environment, the risks to security increase significantly.
Apparently things have been pretty slow until now, but that’s not likely to last. The turning point is here and hackers are on the move, including on iPhones, as well as the Android marketplace. Given these continual threats, and the importance of the data healthcare organizations protect, the need for improved mobile security controls is an imperative for any organization looking to leverage mobility for competitive advantage.
According to the report, “A key challenge for improving mobile security is to understand what tools are available and how they can be leveraged.”
The following is a list of must-have mobile device security controls to protect workers and organizations, again according to Blackberry:
Device security. Remote lock, wipe and backup/recovery can help reduce the risk associated with lost or stolen devices. According to SearchSecurity.com, lost and stolen devices rank among organizations’ top mobile security concerns, and for good reason: “The easiest way to lose data via a mobile device is to lose the device itself. Every enterprise that sanctions (or doesn’t prohibit) BYOD must ensure that any supported device can be locked and erased remotely, and that valuable data is backed up to a location under the organization’s control.”
Network security. “The increased number of smartphones and other devices that are carried into the enterprise by end users increases the threat to corporate networks.” Attackers have started seeking ways to use unsecured mobile devices as a means to leapfrog into otherwise protected areas of the network, including databases.
Malware defense. The oncoming wave of mobile malware requires protection, like antivirus, personal firewalls, Web filtering and anti-spam. “It’s becoming necessary to invest in mobile add-ons from traditional antimalware vendors, or consider a mobile device management (MDM) product that can, among other things, facilitate the extension of anti-malware to a variety of mobile devices.”
Threat intelligence. Large enterprises should invest in threat monitoring tools and research teams, and train them on how to not only identify mobile threats, but enable rapid response. These functions can be closely tied to existing log analysis and security information and event management (SIEM) processes. “The most important tactic here is to develop a baseline of “normal” mobile device activity and use analytics and real-time monitoring to spot deviations that may be a sign of an attack.”
Centralized management. Central management tools provide a “single pane of glass” to set and enforce policies and perform many other security-related functions across all mobile devices. This is becoming an increasingly important capability in organizations where multi-platform support is essential.
Data encryption. Files, contacts and email need to be encrypted on mobile devices in the event of loss or theft. Each platform comes with different encryption challenges, some requiring additional encryption application for the data that lives on the device. While the market for mobile encryption for data in motion is immature, new options are emerging all the time.
Over-the-air capabilities. Mobile security requires over-the-air provisioning and configuration to ensure that workers always have the latest security capabilities without burdening IT, forcing them to physically touch each device. As demand grows for an increasingly diverse landscape of mobile devices, this feature is crucial for enterprises that need to scale their mobile security provisioning efforts.
According to the report, and this is a nice summation of the report (and I quote): “Mobile security is still in its infancy, but the trends around connectivity, device evolution and worker mobility means organizations must start planning their mobile security strategy now, and that process begins with assessing what mobile security controls are needed and developing a plan to put those controls into action.”
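The baseline-and-deviation tactic quoted under "Threat intelligence" above, sketched as an added example that is not from the white paper or this post. The log format, device names, metric names and thresholds are all assumptions constructed for illustration; it learns each device's normal daily activity with a median and median absolute deviation, then flags later days that stray far from it.

```python
import statistics
from collections import defaultdict

# Constructed sample data: one summary line per device per day, in a
# hypothetical MDM/SIEM export format (not a real product's log format).
SAMPLE_LOG = """\
2013-01-07 dev=tablet-17 mb_sent=40 failed_unlocks=0 records_viewed=22
2013-01-08 dev=tablet-17 mb_sent=35 failed_unlocks=1 records_viewed=25
2013-01-09 dev=tablet-17 mb_sent=48 failed_unlocks=0 records_viewed=19
2013-01-10 dev=tablet-17 mb_sent=42 failed_unlocks=0 records_viewed=24
2013-01-11 dev=tablet-17 mb_sent=38 failed_unlocks=0 records_viewed=21
2013-01-12 dev=tablet-17 mb_sent=44 failed_unlocks=0 records_viewed=23
2013-01-13 dev=tablet-17 mb_sent=900 failed_unlocks=0 records_viewed=310
2013-01-07 dev=phone-03 mb_sent=12 failed_unlocks=0 records_viewed=5
2013-01-08 dev=phone-03 mb_sent=15 failed_unlocks=0 records_viewed=7
2013-01-09 dev=phone-03 mb_sent=10 failed_unlocks=1 records_viewed=6
2013-01-10 dev=phone-03 mb_sent=14 failed_unlocks=0 records_viewed=4
2013-01-11 dev=phone-03 mb_sent=11 failed_unlocks=0 records_viewed=6
2013-01-12 dev=phone-03 mb_sent=13 failed_unlocks=9 records_viewed=6
2013-01-10 dev=phone-08 mb_sent=20 failed_unlocks=0 records_viewed=3
2013-01-11 dev=phone-08 mb_sent=22 failed_unlocks=0 records_viewed=4
2013-01-12 dev=phone-08 mb_sent=19 failed_unlocks=0 records_viewed=2
"""

METRICS = ("mb_sent", "failed_unlocks", "records_viewed")
BASELINE_DAYS = 5   # assumed length of the learning window
THRESHOLD = 3.5     # common cut-off for the modified z-score
# Floor on the spread so a very steady device (MAD of 0) does not alert
# on trivial changes such as a single mistyped PIN. Assumed values.
MIN_SPREAD = {"mb_sent": 5.0, "failed_unlocks": 1.0, "records_viewed": 3.0}


def parse_line(line):
    """Split 'DATE key=value ...' into (day, device, {metric: float})."""
    day, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    return day, kv["dev"], {m: float(kv[m]) for m in METRICS}


def load(log_text):
    """Group parsed lines by device, ordered by date."""
    per_device = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            day, dev, metrics = parse_line(line)
            per_device[dev].append((day, metrics))
    for rows in per_device.values():
        rows.sort(key=lambda row: row[0])
    return per_device


def build_baseline(rows):
    """Median and (floored) median absolute deviation for each metric."""
    baseline = {}
    for m in METRICS:
        values = [metrics[m] for _, metrics in rows]
        med = statistics.median(values)
        mad = statistics.median([abs(v - med) for v in values])
        baseline[m] = (med, max(mad, MIN_SPREAD[m]))
    return baseline


def find_deviations(log_text):
    """Return (device, day, metric, score) for every out-of-baseline value.

    Devices with too little history are reported as 'no-baseline' rather
    than silently skipped, since an unmonitored device is itself a gap.
    """
    alerts = []
    for dev, rows in sorted(load(log_text).items()):
        if len(rows) < BASELINE_DAYS:
            alerts.append((dev, None, "no-baseline", 0.0))
            continue
        baseline = build_baseline(rows[:BASELINE_DAYS])
        for day, metrics in rows[BASELINE_DAYS:]:
            for m in METRICS:
                med, spread = baseline[m]
                score = 0.6745 * (metrics[m] - med) / spread
                if abs(score) > THRESHOLD:
                    alerts.append((dev, day, m, round(score, 1)))
    return alerts


if __name__ == "__main__":
    for alert in find_deviations(SAMPLE_LOG):
        print(alert)
```

In the constructed data, the tablet's ordinary sixth day passes quietly while its seventh day alerts on both data sent and records viewed, and the phone alerts only on the burst of failed unlocks.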
There’s a special place in my heart for electronic health records. Having worked with one of the largest vendors (at the time; the company has since shed about 20,000 of its physician users) I understand their capabilities and how they can benefit a practice beyond just how they are marketed. EHRs are one of the reasons I started this blog, in fact. If I could spend more time on them and keep people interested in this site, I would, but not everyone feels the way I do about them so I’m forced to broaden my horizons and cover a variety of other topics.
Alas, I also feel we’re entering their final glory days. I believe 2013 will be the year of transition in which we as a market decide that EHRs are foundational and that other, new technologies are emerging that will either make EHRs better or render them essentially useless. Until then, though, I’ll allow myself to continue to focus on them from time to time and hopefully you’ll find the information relevant, which brings me to today.
Found an interesting piece in Executive Insight magazine by Meditab’s VP of Marketing, Kirk Treasure. Though Treasure makes the claim (like most EHR vendors continue to do) that EHRs are increasingly important to the continued streamlining and delivery of patient services, he says, because of a recent KLAS report, that practices and health systems are becoming dissatisfied with their EHR vendors and their systems.
This really comes as no surprise and has been expected. Some of this has to do with vendors trying to get by on the status quo while some of this has to do with crippling meaningful use regulation. Some of it has to do with promises not kept or promising too much (which is usually the case), but again, there’s nothing surprising here. It’s where we are in the market.
According to Treasure, there are two reasons for this wave of provider dissatisfaction.
One: “Many physicians are basing their decision primarily on cost factors, not realizing that cheaper is not necessarily better.”
Two: “Many practices are not 100 percent comfortable with their own internal processes, and as a result, purchase an EHR system that does not satisfy their needs.”
Treasure warns those in the market for an EHR to take their time to evaluate their needs and future goals of the practice then look at what they can realistically afford to invest in a system. “It’s important to weigh out whether or not a perceived expensive initial cost will save you money in the long-run,” he said.
“Next, analyze your workflow to see which processes you would like to maintain and what areas you would like to improve,” he added. “This will help in cultivating efficiency and organization throughout the practice, while ensuring that your EHR system supports your goals.”
Treasure continues his golden advice. Vendors need to look for systems that meet the specific requirements of their practice and to understand that there is no “one-size-fits-all solution,” even within the same medical specialty. Once a list of vendors has been narrowed down, check references (this is an absolute must) and try to speak with several clients that have been using the system for at least a year. According to Treasure, “They can tell you about any obstacles encountered during the implementation, their support experience and the benefits from making the switch.”
Here are some other suggestions to purchase the right EHR system for your practice and avoid a costly mistake, from Treasure:
• Understand the total cost of ownership of each vendor’s pricing structure. For example, some cloud-based vendors provide EHR services on a subscription basis. Paying $400-$600 a month for a five-year contract period would result in a $30,000 commitment plus the initial investment for implementation and training. Alternatively, the total cost of ownership for a server-based office system with a $10,000 upfront cost and a $200 monthly maintenance would only be $22,000.
• Look for hidden costs in the contract, such as additional fees for in-person training, document management services, EDI setup, or annual maintenance fees in addition to the monthly support costs. Also, watch for provisions that allow the vendor to increase fees during the course of the contract.
• Ask the vendor if the system will accommodate any potential changes in your practice model. This could include, for example, joining an accountable care organization (ACO), adding telemedicine services or expanding upon the practice concentration in the future (e.g., bariatric, weight management, etc.).
• Consider the EHR system from the point of view of the patient, as well as the physician and office staff. For example, is the EHR system easy to use in the examination room? Does it provide reports on waiting times or other service delivery issues?
• Be sure that you “own” the data under the terms of the contract. Some vendors charge a fee for exporting the data to a new system before the contract expiration date.
• See if there are provisions that would allow you to get out of a contract after six months or a year. This is essential if the system ends up not working for you.
• Finally, be sure you are comfortable with the vendor. In many cases, a smaller or mid-size company can provide a higher level of personal service. That’s an important consideration in helping physicians and office staff take advantage of the many potential benefits of deploying an EHR system customized to the needs of the practice.
Guest post by: Jared Rhoads, Senior Research Specialist in CSC Healthcare.
There is no gentle way to put it—cyber criminals from around the world are out to steal your personal health and financial information. And, if recent studies are an accurate reflection of the state of security in the healthcare industry, then criminals have ample opportunity to do harm.
The past five years have seen rapid growth in the digitization of healthcare records and the online sharing and transmission of personal and financial data. Healthcare organizations have taken many of their information capabilities online, and they have embraced new technologies like portable media and mobile computing. However, they have not always been able to keep up with leading edge security practices.
Experts warn that the healthcare industry lags in addressing known problems and implementing basic remedies. Many hospitals and practices, for example, have been slow to encrypt their data sources properly and to deploy basic network monitoring. An investigative report by The Washington Post found cases of medical staff at hospitals using unsecured computers to connect both to internal networks and the public Internet. A 2012 government review of industry security cautioned that the way in which some organizations offer remote connectivity to physicians could introduce additional security risks.
Inadequate security practices have enabled cyber crime activity to thrive. According to the federal government, an unprecedented 21 million Americans have had information from their medical records lost or stolen since 2009. Nearly three-quarters of healthcare organizations report having experienced some kind of data breach or security incident in the past 12 months, and 94 percent report at least one data breach in the past two years.
While not every data breach is necessarily a case of cyber crime, the incentives attracting cyber criminals to the scene are high. According to the World Privacy Forum, a stolen medical record now has a street value of roughly $50, compared to $14-18 for a credit card number or $1 for a Social Security number. Thieves use the rich medical and financial information to commit various forms of identity theft, including receiving free care, filing false patient claims to payers, and forging prescriptions.
Fortunately, medical-related cyber crime is receiving increased attention and awareness is on the rise. Healthcare organizations are beginning to move beyond simple risk assessments and venture into implementing more sophisticated anti-cyber crime solutions.
To address vulnerabilities and combat cyber crime, organizations need to take aggressive action and augment their security strategy using a variety of new approaches and technologies. Here are six ideas that all healthcare organizations can consider in 2013:
• Implement automated network monitoring tools. Use automated tools to assess network vulnerabilities and monitor for breaches and unauthorized activity. Monitor key egress points to see what is being sent outside the walls of the organization, where and when it is being sent, and to whom it is being sent.
• Deploy adaptive multi-factor authentication. Biometric patient identification systems based on fingerprints, palm vein patterns and other physical attributes can help guard against certain types of medical identity theft and insurance card fraud. User authentication requirements should also change dynamically based on where users are logging in from and what they are trying to access.
• Consider outsourcing some or part of your security needs. Researchers at the Ponemon Institute have found that roughly a third of health organizations admit that they do not have the technology, budget or trained personnel necessary to handle today’s security challenges. Managed security service providers (MSSPs) offer a cost-effective way to have 24-hour network monitoring, incident tracking and immediate incident response.
• Offer training, guidance, and approved versions of mobile apps for employees. Role-based employee training on mobile device security and guidance is critical to maintaining good security practices. Additionally, hospitals can offer enterprise versions of mobile apps and provide safely partitioned areas of the network for the apps to run upon.
• Patch, secure, and monitor medical devices. Medical devices such as IV pumps, pacemakers, and bedside equipment are a new target of choice for cybercriminals seeking to wreak non-financial havoc. To combat this threat, ensure that devices are virus-free prior to installation, and encourage biomedical engineering teams to communicate freely with IT support teams.
• Consider cyber insurance. New insurance products are coming to market that are designed specifically with healthcare organizations and HIPAA-covered entities in mind. Policies can defray breach-related costs, such as legal defense, privacy notification and even federal fines and penalties.
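The first idea above, watching egress points for what is sent, where, when and to whom, can be sketched as a small Python review of outbound flow records. This is an added example, not part of the original post; the flow records, host names, approved-destination range, business hours and volume limit are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample egress flow records (not real traffic).
SAMPLE_FLOWS = """ts,src_host,dst_ip,dst_port,bytes_out
2013-01-14T10:02:11,ehr-app01,203.0.113.10,443,48211
2013-01-14T10:05:40,ws-nurse07,198.51.100.25,443,9120
2013-01-15T02:13:05,ehr-db01,192.0.2.77,22,734003200
2013-01-15T02:41:52,ehr-db01,192.0.2.77,22,524288000
2013-01-15T14:30:00,ws-billing02,203.0.113.10,443,150000
2013-01-15T23:55:19,ws-nurse07,198.51.100.25,8080,2048
"""

# Assumed policy values for this example.
APPROVED_DESTINATIONS = [ip_network("203.0.113.0/24")]  # "to whom": known partners
BUSINESS_HOURS = range(7, 19)                           # "when": 07:00-18:59
VOLUME_LIMIT_BYTES = 500 * 1024 * 1024                  # "what": per pair, per day

def is_approved(dst):
    """True if the destination address falls inside an approved network."""
    return any(ip_address(dst) in net for net in APPROVED_DESTINATIONS)

def review_egress(flow_csv):
    """Return sorted findings: (src_host, dst_ip, day, reasons, total_bytes)."""
    totals = defaultdict(int)   # bytes sent per (source, destination, day)
    reasons = defaultdict(set)  # why each (source, destination, day) was flagged
    for row in csv.DictReader(io.StringIO(flow_csv)):
        ts = datetime.fromisoformat(row["ts"])
        key = (row["src_host"], row["dst_ip"], ts.date().isoformat())
        totals[key] += int(row["bytes_out"])
        if not is_approved(row["dst_ip"]):
            reasons[key].add("unapproved-destination")
            # Off-hours is only raised for unapproved destinations, so that
            # scheduled overnight transfers to known partners stay quiet.
            if ts.hour not in BUSINESS_HOURS:
                reasons[key].add("off-hours")
    # Volume is judged on the daily total, so many small transfers add up.
    for key, total in totals.items():
        if total > VOLUME_LIMIT_BYTES:
            reasons[key].add("volume-over-limit")
    return sorted((src, dst, day, sorted(reasons[(src, dst, day)]),
                   totals[(src, dst, day)]) for (src, dst, day) in reasons)

if __name__ == "__main__":
    for finding in review_egress(SAMPLE_FLOWS):
        print(finding)
```

On the constructed data, the database server sending more than a gigabyte overnight to an unlisted address is the top finding, while traffic to the approved range produces none.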
Cyber crime is a serious threat to health IT security, and it is unfortunately not going away anytime soon. However, by moving beyond the simple risk assessment and adopting a multi-faceted security strategy, prudent healthcare organizations can take significant steps toward protecting their patients’ information and mitigating risk.
Jared Rhoads is a Senior Research Specialist in CSC’s Healthcare group. He consults, researches, and writes on a broad array of topics relating to healthcare technology, trends, and legislation.
Guest post by: Sarah Armstrong, a consultant at ARRYVE, a strategy consulting firm.
A recent study published by the RAND Corporation indicates that implementation of electronic health records (EHR) has not yielded the cost reduction predicted in 2005[i]. Their study identified process efficiency and patient safety savings as two primary outcomes of EHR implementation, leading to a forecasted $81 billion annual drop in healthcare costs. Instead, costs have risen significantly. RAND cites a number of reasons for this: sluggish adoption of health IT systems, coupled with the choice of systems that are neither interoperable nor easy to use; and the failure of healthcare providers and institutions to reengineer care processes to reap the full benefits of health IT.
While the latter can be attributed to the inability or unwillingness of care providers to change, the former places blame on the institutions’ IT departments and software companies. These parties know that disparate EHRs leave a significant gap, but providers are not empowered to bridge the gap. Furthermore, software companies may struggle to differentiate themselves should they modify their product to be compatible with that of a competitor. Assuming either option presented a real possibility, modified software products and altered care processes lie years down the road at best.
If something breaks, you fix it. Fixing this problem will not be easy, however, and many opinion pieces point to our federal government as the catalyst required to effect change. But instead of a major, time-consuming overhaul by the producers and users of health IT, I propose we consider incremental ways to mitigate some of the effects of the problem. I see great opportunity for 2013 to be a year not of rigorously planned change, but of simple workarounds. Specifically, these workarounds would be performed by the people most affected by 1) poor or nonexistent interoperability of EHRs and 2) their caregiver’s inability to effectively use the technology: patients.
Consider the primary problem that arises from non-interoperable health IT systems: incomplete patient data. This problem manifests itself in many ways. For patients, treatment options may be redundant, medicines prescribed may counteract each other, and they may find themselves repeating information they already gave another provider. For providers, if their patients seek care outside their facility and do not fully report their medical history, the current state of health IT does not afford them a way to see the full picture. Additionally, the quality of a provider’s aggregate patient data diminishes.
I would argue that incomplete patient data has long been a problem associated with paper medical records. So why the recent finger pointing at EHRs? Could the problem be attributed to behavioral changes on the part of both providers and patients? Within the past five years, I have changed primary care physicians twice. I have listed the names of my previous physicians, but neither has asked me to obtain my old records. Because I have not been asked to procure these, I have not troubled myself with the task.
A patient unfamiliar with health IT or health information privacy laws might think that listing their previous physician’s name (or current specialists’ names) automatically transfers their medical record. Unless a patient signs for a record transfer, caregivers must rely on what is optimistically a factual and complete patient history form that is often filled out during the minutes before an initial visit. Years of medical care are rewritten according to one’s ability to recall vaccinations, test results, and allergies, as well as the accuracy of a data analyst inputting the record into the patient’s brand spanking new, and likely abbreviated, EHR.
Patients want the best care and we look to our caregivers to tell us what to do. We may not always listen (e.g., quit smoking, exercise, etc.), but people consistently identify their physician as the person they trust most. A simple but powerful mitigation plan for addressing incomplete patient data could be to involve patients more closely in their care:
• In addition to obtaining high-level health information in the intake form, ask new patients to procure their old records. Evaluate the records and input the most important details into the EHR.
• When calling with appointment reminders, ask patients to bring all current medications and supplements to the medical center. An easy task for many, it can only help providers diagnose and suggest treatment options.
• During the visit, ask if the patient has sought care elsewhere. A simple question, it would likely jog one’s memory that, yes, they did see the eye doctor for an annual exam or received a flu shot at the pharmacy since their last visit.
Providers would also benefit from involving patients more closely in their care. Not only do they have countless reasons to deliver care based on complete data, but many also want to publicize to prospective patients that they provide quality care. Complete patient data helps legitimize providers’ quality claims. For example, by asking all female patients about recent cancer screenings, they can truthfully state the percentage of patients who are current on these screenings. Without asking this question, a primary care clinic might report a lower percentage of current screenings among its patients than is accurate, since they would not take into account those performed by outside providers (e.g., OB/GYN, dermatology, etc.).
When discussing the ineffectiveness of EHRs, invite all affected parties to the table. I have confidence that behavior modifications aimed at mitigating the side effects of a rapidly evolving landscape, keeping the best interests of everyone at heart, will serve us all well. I dare say that the cumulative effect of millions of small modifications will reach further and quicker than one major change by software manufacturers or Uncle Sam.
Sarah Armstrong is a consultant at ARRYVE, a strategy consulting firm, with a diverse mix of industry experience ranging from healthcare to software. Healthcare engagements have encompassed strategic planning, process design, revenue cycle, compensation planning, market analysis, quality management and regulatory compliance at academic medical centers, children’s hospitals, and both primary care and pediatric practices.
[i] Arthur L. Kellerman and Spencer S. Jones, What It Will Take To Achieve The As-Yet-Unfulfilled Promises of Health Information Technology, Health Affairs, 32, no. 1 (2013):63-68
Guest post by: Sai Subramaniam, Ph.D., Business Head, Life Sciences & Healthcare at Persistent Systems
According to a recent report, only 16 percent of hospitals have clinical decision support capabilities, but IT leaders call it a top priority for the next 12 months. Healthcare reform is all about achieving better quality care at lower costs, and clinical analytics is integral in delivering on this promise. For example, reducing 30-day re-admissions and hospital-acquired infections alone is expected to save more than $25 billion in the healthcare system. Analytics on integrated claims and clinical data will allow health systems to pinpoint effective clinical and operational interventions. Here are five high-impact outcomes that health systems can achieve using clinical analytics.
30-day Re-admission Avoidance: Hospital re-admission rates are high for patients whether they are in Medicare, Medicaid or Private insurance plans. People with multiple chronic conditions and mental health conditions are at an increased risk of re-hospitalization because of inadequate care at discharge. Demographic and social factors also dictate if the care transition will be effective or not. Evidence-based rules allow stratification of patients based on these factors. This allows caregivers to give more attention to high-risk patients during hospital discharge.
Enhanced Surveillance and Preventive Care: Growing evidence suggests that education and health coaching will facilitate behavior change and achieve cost savings. The population in the program needs to be screened and stratified to identify at-risk patients. Predictive modeling and business rules can help to identify individuals who may not be diagnosed but have relatively high risk of developing diabetes in the future. Similarly, a cancer surveillance model based on linking environmental, genetic, and lifestyle factors can be used. This will allow early interventions and proactive follow-up care.
Improved Medication Adherence: Non-adherence is said to be responsible for more than 10 percent of hospital admissions and 40 percent of nursing home admissions. Patients on average don’t fill more than 25 percent of new prescriptions. Costs attributable to lack of medication adherence exceed $100 billion. Predictive analytics on patients’ past prescription claims data will allow the health system to create an adherence score, and facilitate a proactive approach to managing compliance.
Unplanned Admission Avoidance: It’s important for health systems to identify patients with chronic conditions who may be at risk of emergency hospitalizations. For example, studies suggest that people with respiratory and cardiac comorbidities, with higher hospital utilization in prior years, have a higher probability of hospital admission. Determining such factors, along with socio-demographic characteristics, will allow application of predictive models to identify people at risk.
Length of Stay Performance Management: Several factors impact the patient’s length of stay in the hospital. This includes demographic as well as hospital operational characteristics. There are standards for length of stay based on diagnosis related group and clinical disease factors. By comparing this with patient profiles, providers can utilize resources efficiently to provide optimal patient care. This will result in significant cost savings as better case management should help to reduce the average length of stay.
Dr. Sai Subramaniam is the Vice-President of Persistent Systems’ Life Sciences & Healthcare business. In this role, Sai is responsible for the overall business growth of Healthcare & Life Sciences business segments.