Guest post by Alex Horan is the senior product manager at CORE Security.
In 2012 we saw an increasing number of health breaches across the country – and across continents. We saw an employee’s lost laptop turn into a healthcare records breach of more than 2,000 sensitive medical records of Boston Children’s Hospital patients. We heard how one weak password allowed a hacker to access the Utah Department of Technology Services’ server and steal approximately 780,000 patients’ health and personal information. We even read about Russian hackers encrypting thousands of patient health records and holding the information for ransom for thousands of dollars.
Healthcare fraud or medical identity theft put both individuals and healthcare organizations at huge and severe risk. Since 2010, Ponemon Institute has annually benchmarked the progressing and evolving issues of patient privacy and security. The third annual study, released in December 2012, found that healthcare organizations still face an uphill battle in their efforts to stop and reduce the loss or theft of protected health information (PHI) and patient records. What’s more, data breaches can have severe economic consequences – and the repercussion costs are only climbing. The study estimates the average price tag for dealing with breaches has increased from $2.1 million in 2010 to $2.4 million in 2012. The report projects that the economic impact of continuous breaches and medical identity theft could be as high as $7 billion annually, for the healthcare industry alone.
Guest post by Dan Tully, executive vice president, Conduit System.
IT is not a sink hole. IT is not a cost center. IT is not a fad. This is especially true when it comes to healthcare. In fact, carefully calculated IT investments can produce a range of strategic and operational benefits for healthcare/hospital administrators, practice managers and more, which include enabling advanced technology and accelerating innovation.
How you ask?
IT Investment Affects the Bottom Line
Strategic investment into IT operations is a foundation for building revenue. To understand how, one must look no further than your average mid-sized healthcare operation and how process can be improved:
Administration
Fluid output from nurses stations; simplified statistic, biometric and medication reporting; linking of disparate department systems
Human Resources
Streamlining the hiring processes; simplified expense report and vacation request procedures; compliance with complicated regulatory measures
Finance
Reliable monitoring of capital investments improved data and measurement capabilities; compliance with healthcare-related finance ruling
The up-front and hidden costs of downtime caused by unforeseen disaster can also be mitigated through proper investment in IT outsourcing. Organizations and practices operating on disk-to-disk backup are at a significant disadvantage compared to those employing more modern technology.
Implementing cloud-based solutions that combine local caches of files with full-time cloud backup boast advanced performance levels and functionality. It also allows for unlimited data growth, little to no network performance lags and true disaster recovery as the data can be pulled from the cloud and reconstituted anytime, anywhere.
Big Picture, Big Results
Average IT staffs are tasked with keeping the proverbial ship afloat on a daily basis. With an investment in managed IT services, on-site and high-level staff can focus on the above-mentioned projects that ultimately fuel growth and provide return on investment. If your operation needs to embark on a replacement/upgrade project that requires the complete attention of your IT staff, contract engineers and support teams can handle the daily minutiae. An added bonus? Relieving the burden can promote happiness, motivation and creativity among full-time employees.
Investment in IT Allows You to Focus on What You Do Best
Let’s face it – IT is a necessity. It’s essential no matter what part of the healthcare industry you belong. Overall investment in IT operations and support allows top officials to focus on what they do best: manage operations and improve patient outcomes. There’s certainly nothing trendy about that.
Guest post by Rachel Weeks, director at Courion Corp.
Medical records are confidential. Until a breach occurs and they are let loose on the public, which occurs more often than we think. We need to do better.
According to Ponemon Institute’s Third Annual Benchmark Study on Patient Privacy & Data Security, more than nine in 10 healthcare organizations have had at least one data breach in the past two years. Nearly half have had more than five data breaches in the same period. Breaches cost organizations more than $2 million on average over a two-year period, and the cost is rising. The potential annual cost is nearly $7 billion.[1]
As privacy and security concerns grow and technology becomes more sophisticated, you’d imagine breach rates would be on the decline. But more healthcare organizations are being victimized more often, according to the study, and most aren’t sure they can prevent or quickly detect all patient data loss or theft.
One contributor: data is simply becoming harder to control.
“Technologies that promise greater productivity and convenience such as mobile devices, file-sharing applications and cloud-based services are difficult to secure,” says the report. “Employee mistakes and negligence also continue to be a significant cause of data breach incidents. Another worry presented in this research is that sophisticated and stealthy attacks by criminals have been steadily increasing since 2010.”
You can’t blame the IT staff. There’s far more going on in the average healthcare organization than staff can reasonably handle.
Change is overwhelming
For years healthcare organizations have looked to traditional identity and access management (IAM) solutions to optimize efficiency and secure access to sensitive data. These IAM implementations typically started with user provisioning, a process that put controls in place to ensure users were given only the access rights they needed to do their job. Then, for governance, the organizations would perform periodic reviews or certifications – say, every three, six, nine, 12 months – to validate that those access rights were in line with policy.
But so much change can occur in the months between provisioning and certification: business changes, infrastructure changes, regulatory changes, new resources coming online, new roles and policies, not to mention hirings, firings and transfers, particularly in the healthcare industry with thousands of employees and many more contractors and affiliates. This creates an overwhelming amount of data detailing who has access to sensitive patient information. We call these intervals between provisioning and certification the “IAM security gap.”
As the Ponemon study says, “Many healthcare organizations struggle with a lack of technologies, resources and trained personnel to deal with privacy and data security risks.”
That’s an understatement.
However you characterize it, the IAM gap leaves an organization’s sensitive company information at risk to a range of threats, both internal and external. It can be months from the time someone gains inappropriate access rights or inadvertently accesses sensitive data to when the organization is able to discover it through periodic certifications. To date, existing IAM approaches have not provided the technology and flexibility to get a real-time view of policy and governance violations to help organizations efficiently manage the risk of improper access to patient data.
Closing the IAM Gap
Bridging the abyss between provisioning and certification requires clear understanding of what is actually happening in those billions of constantly changing access relationships created by changing people, computing resources, rights, duties and company policies. The challenge is somehow processing what human minds, or even relational databases, cannot. What’s missing is a real-time holistic view of access risk. The missing ingredient is access intelligence.
The only way to achieve access intelligence is by aggregating all the IAM data – the identity policy, activity, entitlement and resource data generated via those billions of constantly changing access relationships – into a data warehouse just like the ones you use for business intelligence in other areas of the organization. The data warehouse should embody advanced information security, policy and governance domain expertise. Then you need to constantly apply predictive analytics to that data to analyze access risk throughout your entire organization – literally every two minutes or so. Properly constructed, an access intelligence system like this can uncover deeply embedded policy violations or improper access. It can generate instant alerts on those violations, or produce graphical “heat maps” spotlighting looming risks and security breaches.
A system like this helps you find the needle in the haystack you wouldn’t otherwise discover. For example, a nurse might be authorized to search and retrieve his hospital’s pediatric records, but if he is suddenly retrieving records from oncology, dermatology and urology, well, that’s a potential problem that won’t show up without powerful analytics.
Such an access intelligence system can help healthcare organizations:
Identify risk in real time.
See where the greatest vulnerabilities lie.
See how access risk is changing.
Understand what is driving the risk.
Immediately remediate the risk.
Detect risk trends.
Predict future areas of risk.
Implement policies and preventive measures.
Fix the fundamental business process issue that creates security gaps before they become a problem.
With luck, Ponemon will have less to report in the years to come.
Rachel Weeks is a director at Courion Corp., the leader in risk-driven identity and access management.
[1] if every hospital/clinic in the country experienced the average impact
In the past decade, academics and industry experts have published conflicting reports on whether electronic health records (EHRs) actually save money. Recent studies based on large, historical data from diverse providers suggest that EHRs haven[i]’t decreased costs[ii][iii] – contrast this with cost benefit analyses published back in 2003 that predicted EHRs would save around $15,000 to $20,000 per primary care physician per year[iv][v]. In addition, multiple vendors, academics and industry experts have published positive case studies on how EHR provides a positive return on investment or saves money in areas such as billing and staffing costs.
So why the divergence? Are providers simply not achieving what we expected in 2003? Are the positive case studies overly selective? Is it a case of what’s true for some is not true for all?
EHRs actually enable more productivity and satisfy more demand, and this is what drives cost. For providers, this also means driving up revenues.
Supply and Demand
One reason healthcare costs have not uniformly decreased is that more (efficient) supply from EHRs leads to more demand.
Firstly, consider the Jevons Paradox: energy efficiency leads to greater consumption (e.g. as air conditioning becomes more efficient and affordable, more air conditioners are purchased.) Taking a healthcare analogy, data center capacity has grown exponentially and EHR functionality has improved in recent years. In response, providers are storing larger amounts of detailed patient data and accessing greater capabilities. For example, providers are integrating IT and medical devices for real time patient data monitoring, storage and beyond. Additionally, a 2012 study supports this theory in that physicians ordered 40 percent to 70 percent more radiology exams with EHRs than with paper records. The efficiency and capability of EHRs (supply) have driven up the demand.
Secondly, I’ll paraphrase Parkinson’s Law: work expands to fill the time available. Demand for services in (public) healthcare will always outstrip the supply. This is because there is a backlog of patients waiting for currently available services and once this backlog is cleared, expectations of what should be provided will increase. It is therefore important to recognize that current health care reforms may not automatically decrease costs with EMRs in place, as demand will then increase too.
Increased demand means increased cost.
Productivity
So if cost doesn’t uniformly decrease with EHRs, does anything improve? Productivity does. A 2009 Wisconsin Medical Journal Study[vi] found that physician productivity increased about 20 percent and remained at that sustained level of productivity following EHR implementation. This means that more patients were seen on a given day. Not bad, considering the average wait time to see a physician in the U.S. is 20 days.
Increased productivity, however, leads to increased costs.
Payers vs. Providers
Another way to explain the divergence may lie in who we’re actually talking about. Do we mean payers like Medicaid/Medicare or providers like primary care physicians or hospitals? Studies often reference cost but fail to discuss revenue increases that an EHR system delivers to providers. Seeing more patients means more revenue to providers. In addition, providers with integrated EHR and billing benefit by eliminating billing errors and enabling better revenue protection. Payers, however, don’t share these financial benefits as more procedures means their costs are rising. Indeed, payers may not realize the full cost savings of EHR until providers move away from pay-per-procedure to quality based payments. Quality based payments of course, are next to impossible without the enabling reporting capabilities of EHR systems.
So when we talk about the cost of EHR systems, it’s important to distinguish who we’re talking about. In addition, when comparing pre- and post-EHR situations, instead of simply asking: “What’s the cost?” we should also be asking “What do we get for this cost?”
David Farrell is an IT strategy specialist at PA Consulting Group, focusing on project management and strategy for healthcare providers. He has worked with accountable care organizations and county-run hospitals on both U.S. coasts, assisting clients in building business cases, managing project benefits and forecasting the long term infrastructure impact of EHR.
[iii] Electronic Medical Records: Lessons from Small Physician’s Practices, iHealth Reports, 2003 http://www.chcf.org/~/media/MEDIA%20LIBRARY%20Files/PDF/E/PDF%20EMRLessonsSmallPhyscianPractices.pdf
Guest post by Rick Little, vice president of Client Services, MedAptus.
Revenue cycle management. Right now you’re probably thinking this term sounds like some fancy business school jargon, so why should you care about it? Isn’t that an accounting issue? What does it have to do with healthcare IT?
Well, a lot actually. Applying health IT resources to revenue cycle management processes is a must-do now as the Affordable Care Act, Meaningful Use and the looming ICD-10 transition swing into full gear. In fact, now more than ever, technology solutions are needed to drive correct coding and billing compliance for an optimized revenue cycle. Without it, your organization will struggle into 2014 and beyond.
Here’s a quick look at how charge capture and management software helped The University of Texas MD Anderson Cancer Center prepare technologically and financially for all that the ACA, ICD-10 and other initiatives may bring.
More than eight years ago MD Anderson identified electronic charge capture as a technology capable of providing financial, administrative, and compliance improvements. MD Anderson Cancer Center is part of the University of Texas system and located in the heart of the Texas Medical Center. One of the largest employers in Houston, MD Anderson has more than 18,000 employees including more than 1,400 physicians, and served nearly 110,000 patients in 2011.
Back in 2004, when the organization identified improving its revenue cycle management as an initiative, here are some of the challenges it faced:
A huge sprawling campus
An in-house developed Electronic Health Record (EHR)
Old legacy systems for scheduling and billing
Limited use of order entry
Beyond automating and streamlining physician charge capture processes, MD Anderson also required its chosen software solution to integrate with its EHR, link together numerous legacy systems and drive reconciliation improvements across its many clinical areas.
MD Anderson began using charge capture and management technology from Boston-based MedAptus with 50 physicians piloting the company’s mobile Professional Charge Capture (Pro) in early 2005. After initial pilot results that demonstrated improved revenue and decreased charge lag, MD Anderson implemented MedAptus’ use across its entire enterprise. Today, more than 1,300 clinicians utilize Pro for their professional charge capture and management.
Since MD Anderson began using charge capture technology, many improvements have evolved out of their implementation. These include:
EHR Charge Entry
A vital component of the charge capture deployment at MD Anderson is integration with the hospital’s proprietary EHR, Clinic Station. Working together, MD Anderson and MedAptus created an interface directly within the EHR allowing providers to easily complete charging and charting tasks via a single sign-on and with the preservation of patient context between the two systems. This real-time, simultaneous entry has reduced errors, improved compliance, decreased time-to-billing and driven personal efficiencies.
Inpatient consultation charges
As MD Anderson evaluated areas for improvement within its revenue cycle processes, inpatient consultation charges stood out as an area for review. To improve capture here, a new interface from the consult scheduling system capable of creating consult visits within MedAptus was implemented. As a result, consult charge opportunities can now be consistently capitalized on by providers and MD Anderson is able to reconcile for anything that may have been missed for appropriate follow-up.
Reconciliation tools
In looking for help with charge reconciliation, MD Anderson needed a solution that provided support staff with full transparency of activity. In general, this staff consists of those tasked with reconciliation and those responsible for charge accuracy (typically coders). Regardless of organizational role, using MedAptus, staff are able to view the number of charges expected, submitted and missing at the provider, specialty and location level. They can also view the status of submitted charges as they are worked and approved by the coder group. Coders leverage the almost one million rules embedded within the MedAptus application which include Medicare edits, NCDs and LCDs as well as MedAptus proprietary and custom rules.
Once charges have been submitted for back-office review, the MedAptus configuration at MD Anderson allows charges to be “stamped” with specific data elements that are important to financial reporting across the MD Anderson enterprise. Prior to MedAptus, administrative staff needed to manually designate fields such as billing areas or revenue centers. Charge management automation has led to better staff productivity and increased accuracy of revenue reporting around this task.
Given all of the areas along the revenue cycle that charge capture and management technology can impact … still wondering why enhancing revenue cycle management processes is an IT challenge?
Rick Little is responsible for the implementation of software products and ongoing customer support services at MedAptus, including the implementation of MedAptus’ software solution at The University of Texas MD Anderson Cancer Center.
Ah, venture capitalists. You’ve got to love them. They insert themselves into a variety of topics and industries they know nothing about and pretend they can make everything better about whatever industry they ingest.
I worked for a VC-owned health IT firm for a few months following the sale of a division of a public company. What followed is round after round of layoffs, reduced investment into the product and cuts everywhere something could be cut.
But, I’m a capitalist at heart so I can’t really blame them. They’re out to make money. So am I.
But, what I find it somewhat ironic is that a VC is telling the world that in the near future, nearly 80 percent of what physicians do will be replaced by computers. What’s crazier, at least as far as I’m concerned is that he’s right, if not in whole at least in part.
According to Vinod Khosla is the founder of Khosla Ventures, “Much of what physicians do (checkups, testing, diagnosis, prescription, behavior modification, etc.) can be done better by sensors, passive and active data collection, and analytics. But, doctors aren’t supposed to just measure. They’re supposed to consume all that data, consider it in context of the latest medical findings and the patient’s history, and figure out if something’s wrong. Computers can take on much of that diagnosis and treatment and even do these functions better than the average doctor (while considering more options and making fewer errors). Most doctors couldn’t possibly read and digest all of the latest 5,000 research articles on heart disease. And, most of the average doctor’s medical knowledge is from when they were in medical school, while cognitive limitations prevent them from remembering the 10,000+ diseases humans can get.”
He continues: “Computers are better at organizing and recalling complex information than a hotshot Harvard MD. They’re also better at integrating and balancing considerations of patient symptoms, history, demeanor, environmental factors, and population management guidelines than the average physician. Besides, 50 percent of MDs are below average. Computers also have much lower error rates. Shouldn’t we take advantage of that when it comes to our health?!”
Perhaps what’s most intriguing about his argument is that is just makes sense. By automating the process and reducing the redundancies and inefficiencies, physicians can focus more on the relationship they need to build with their patients. Khosla says in his Fortune piece, that automating healthcare improves relationships. “Providing good bedside manner and answering certain questions can often be handled better by a person than a machine, but you generally don’t need a medical degree to do that.
Nurses, nurse practitioners, social workers, and other less expensive, non-MD caregivers could do this just as well as doctors (if not better) and spend more time providing personal, compassionate care.”
Finally, what may be his most bulletproof part of the argument is that a transition to automation is happening in several other markets or areas that are worthy of taking note of. For example (and I’m citing directly):
Most commercial flying is now done by auto-pilot, not by the captain. Algorithmic trading now drives most stock market volume.
Google’s (GOOG) self-driving car has had zero accidents driving 300,000 miles on normal streets. The same replacement of human involvement by computers will also happen in healthcare.
Because of automation, physicians supposedly will have more time to spend talking to their patients, making sure they understand, and “finding out the harder-to-measure pieces of information because they’ll spend less time gathering data and referring to old notes. And, they will be able to handle many more patients, reducing costs.”
The last point may be a bit of a stretch. I’m not sure any amount of automation can actually reduce costs.
But here’s the heart of the story, the heart of the entire current healthcare story: Where will the innovation come from.
“Innovation seldom happens from the inside because existing incentives are usually set up to discourage disruption. Pharma companies push marginally different drugs instead of potentially better generic solutions because they want you to be a drug subscriber and generate recurring revenue for as long as possible. Medical device manufacturers don’t want to cannibalize sales of their expensive equipment by providing cheaper, more accessible monitoring devices. The traditional players will lobby/goad/pay/intimidate doctors and regulators to reject innovation. Expecting the medical establishment to do anything different is expecting them to reduce their own profits. Granted, these are generalizations and there are many great and ethical doctors and organizations.”
Well put, Mr. Khosla!
What’s going to change it? People in need. Entrepreneurs. Those looking to innovate. Those looking to capitalize. VCs…
Guest post by: Sai Subramaniam, Ph.D., Business Head, Life Sciences & Healthcare at Persistent Systems
According to a recent report only 16 percent of hospitals have clinical decision support capabilities, but IT leaders call it a top priority for the next 12 months. Healthcare reform is all about achieving better quality care at lower costs, and clinical analytics is integral in delivering on this promise. For example, reducing 30-day r-eadmissions and hospital-acquired infections alone is expected to save more than $25 billion dollars in the healthcare system. Analytics on integrated claims and clinical data will allow health systems to pinpoint effective clinical and operational interventions. Here are five high-impact outcomes that health systems can achieve using clinical analytics.
30-day Re-admission Avoidance: Hospital re-admission rates are high for patients whether they are in Medicare, Medicaid or Private insurance plans. People with multiple chronic conditions and mental health conditions are at an increased risk of re-hospitalization because of inadequate care at discharge. Demographic and social factors also dictate if the care transition will be effective or not. Evidence-based rules allow stratification of patients based on these factors. This allows caregivers to give more attention to high-risk patients during hospital discharge.
Enhanced Surveillance and Preventive Care: Growing evidence suggests that education and health coaching will facilitate behavior change and achieve cost savings. The population in the program needs to be screened and stratified to identify at-risk patients. Predictive modeling and business rules can help to identify individuals who may not be diagnosed but have relatively high risk of developing diabetes in the future. Similarly, a cancer surveillance model based on linking environmental, genetic, and lifestyle factors can be used. This will allow early interventions and proactive follow-up care.
Improved Medication Adherence: Non-adherence is said to be responsible for more than 10 percent of hospital admissions and 40 percent of nursing home admissions. Patients on average don’t fill more than 25 percent of new prescriptions. Costs because of lack of medication adherence exceeds $100 billion. Predictive analytics on patients’ past prescription claims data will allow the health system to create an adherence score, and facilitate a proactive approach to managing compliance.
Unplanned Admission Avoidance: It’s important for health systems to identify patients with chronic conditions who may be at risk of emergency hospitalizations. For example, studies suggest that people with respiratory and cardiac comorbidities, with higher hospital utilization in prior years, have a higher probability of hospital admission. Determination of such factors along with socio-demographic characteristics, will allow application of predictive models to identify people at-risk.
Length of Stay Performance Management: Several factors impact the patient’s length of stay in the hospital. This includes demographic as well as hospital operational characteristics. There are standards for length of stay based on diagnosis related group and clinical disease factors. By comparing this with patient profiles, providers can utilize resources efficiently to provide optimal patient care. This will result in significant cost savings as better case management should help to reduce the average length of stay.
Dr. Sai Subramaniam is the Vice-President of Persistent Systems’ Life Sciences & Healthcare business. In this role, Sai is responsible for the overall business growth of Healthcare & Life Sciences business segments.
