Guest post by Michael Howard, worldwide security practice lead, managed services, printing and personal systems group, HP.
As the information technology landscape continues to rapidly evolve, healthcare providers increasingly find themselves faced with new challenges on how to best serve their patients and protect their privacy. The Health Insurance Portability and Accountability Act (HIPAA), which introduced privacy and security regulations in 1996 for providers that use electronic transmission of data, made securing patient data a prominent issue.
If you are skeptical about potential costs associated with implementing a new security strategy in your office, consider this startling fact: According to the Ponemon Institute, the average cost per incident of corporate information theft is $5.5 million1. That number alone should be reason enough for providers to consider upgrading their security protocols. While computers and servers are often the first pieces of technology to be secured within the IT infrastructure, paper documents and printers are often overlooked. With the extensive amount of security offerings available, IT managers can have greater confidence that patient records remain safe. Below are the top three ways that healthcare providers can better secure their print infrastructure:
Store medical records in the cloud
Recent data from the U.S. Department of Health and Human Services indicates that paper still accounts for a large percentage of HIPAA breaches. Between Jan. 1, 2011 through April 15, 2014, 500 patient data breaches have been reported with 203 related to paper (more than 40 percent)2. One easy way to reduce the likelihood of a paper breach – and to save time spent shuttling from one file cabinet to another – is to transfer your hard copy medical records to an electronic health record (EHR) format and store them in the cloud. Securing the paper to digital data process can be a less painful process by implementing a software solution that makes it easy for users to scan documents, convert them to electronic files and then distribute them to predetermined destinations. Not only will you simplify the data storage and retrieval process, but you will also save office space by reducing the need for file cabinets and limit excess paper.
As many healthcare providers are in the process of transitioning from paper to EHRs, it is important to be well informed on what happens to your data once it enters the cloud. Most cloud-based solutions offer bank-grade encryption for data transfer, in addition to highly protected data centers. By saving your EHRs to the cloud, you will be able to update patient records in real-time and reference past prescriptions and treatment plans while in the room with your patient. This promotes more personalized and convenient care and helps reduce duplications and inaccuracies.
Guest post by Jay Savaiano, director, worldwide healthcare business development, CommVault.
Healthcare professionals are inundated with an abundant amount of ways that they can access and store clinical data. Healthcare IT departments are given the task of making sure the delivery of that clinical data is readily available and can be accessed via a myriad of devices, as well as in a secure manner that meets the compliance standards that the entire enterprise has agreed on upholding. The deluge of data and the ever-changing ways that the data is accessed is creating some major challenges and concerns for the majority of professionals who are responsible for managing the nation’s healthcare information stream.
In a recent nationwide survey of healthcare IT managers in enterprise organizations, 75 percent of respondents – up 14 percent from last year – indicated they were concerned about the protected health information (PHI) residing in Bring-Your-Own-Cloud (BYOC) solutions, such as Box or Dropbox. A large number of BYOC solutions even offer the first 2GB of storage for free, which may speak to their popularity.
Today, smart phones, tablets and computers that have helped proliferate the popularity of “Bring-Your-Own-Device” programs all come out of the box with some sort of free cloud-based storage solution. Though Intel and ReadWrite report that 49 percent of U.S. IT managers “Strongly Agree that BYOD Improves Worker Productivity,” when you couple BYOC with BYOD together and add protected health information to the mix, healthcare organizations can be opening themselves up to a tremendous amount of liability.
With the policies inherent in clinical applications themselves, it is easy to maintain the security of the content, which is often structured and rarely stored locally. However, the challenge revolves around the unstructured data with PHI. For example, if a clinician maintains a spreadsheet of basic patient data and he or she places that spreadsheet in a BYOC-type solution, both the clinician and the healthcare organization are putting themselves in a liable position. Only when cloud-based solutions are authorized by the healthcare facility and meet the organization’s compliance criteria – which can and usually dictates the cloud provider is willing to sign a business associate agreement in support of HIPAA – are the organization and clinician able to limit the potential liability impact. There can still be other factors that create new liability, but by making the limitation of rogue cloud storage a priority, healthcare organizations can better protect themselves against a potential data breach and subsequent lawsuit.
Two entities have paid the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices.
“Covered entities and business associates must understand that mobile device security is their obligation,” said Susan McAndrew, OCR’s deputy director of health information privacy. “Our message to these organizations is simple: encryption is your best defense against these incidents.”
OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center. OCR’s investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk.
While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information. Concentra has agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan to evidence their remediation of these findings.
Maintaining blood supplies to meet the needs of the hospitals in the region is a key mandate for the Rhode Island Blood Center. The Center collects 250 pints of blood from donors to meet this commitment. To make it easy for donors, more than 3,000 mobile blood drives are held annually throughout the community.
While we have nurses and lab technicians to take care of the donors’ physical needs, it is my job as the IT Systems Manager at Rhode Island Blood Center to take care of their personal information. We gather this information from each donor at the mobile clinics and store it on laptops, so it is essential that we have safeguards in place to ensure the data is properly secured.
Data security is a key concern for the majority of healthcare organizations in the US. And like most organizations, Rhode Island Blood Center must follow regulatory guidelines and protect patient data.
My department is responsible for the IT and telecommunications equipment used at the remote blood drives and the six Center locations. The typical set-up includes a large number of Center-owned laptops where donor information is stored.
While most people arrive at a clinic and see the positive results of a community coming together and helping each other – all I see are laptops loaded with confidential information for which Rhode Island Blood Center is ultimately responsible. I know if even one laptop is lost or stolen, confidential donor information could be at risk.
Data at Risk
Reviewing daily healthcare news, it is clear that data breaches are a huge issue for healthcare organizations across the US, but bad press isn’t the only issue – many organizations face large non-compliance fines and damage to their reputation that can never be restored.
A new security risk assessment (SRA) tool to help guide health care providers in small to medium sized offices conduct risk assessments of their organizations is now available from HHS.
The SRA tool is the result of a collaborative effort by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Office for Civil Rights (OCR). The tool is designed to help practices conduct and document a risk assessment in a thorough, organized fashion at their own pace by allowing them to assess the information security risks in their organizations under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The application, available for downloading at www.HealthIT.gov/security-risk-assessment also produces a report that can be provided to auditors.
HIPAA requires organizations that handle protected health information to regularly review the administrative, physical and technical safeguards they have in place to protect the security of the information. By conducting these risk assessments, health care providers can uncover potential weaknesses in their security policies, processes and systems. Risk assessments also help providers address vulnerabilities, potentially preventing health data breaches or other adverse security events. A vigorous risk assessment process supports improved security of patient health data.
Eric Munz, vice president of business process crowdsourcing at Lionbridge Technologies, where he manages and leads the delivery of in-person, telephonic and video crowd-enabled interpretation solutions to meet the unique needs of customers across a broad range of industries, discusses here the need for interpretation services in health systems.
He also touches upon interpretation mandates for hospitals, the struggles large and small health systems face with interpreting to ensure the best patient care; he discusses the benefits of using a secure interpretation solution; and provides advice for implementing such a solution.
What are interpretation mandates for hospitals? How has equal access to language changed recently with ACA?
There are about 10 different places in the Affordable Care Act (ACA) that require hospitals to develop and implement a system that provides interpretation services to patients with limited English proficiency (LEP), to have equal access to healthcare. For example, Section 1557 of the Patient Protection and Affordable Care Act focuses on non-discriminatory policies and procedures, including those based on the grounds of language and national origin.
Now, healthcare facilities are facing a renewed struggle to provide such interpretation services because of the influx of LEP patients newly enrolled in insurance plans under the ACA. According to the UCLA Center for Health Policy Research, 36 percent of newly insured individuals under the ACA in the state of California are LEPs — compared to only 9 percent of LEP patients prior to the ACA enactment. That is a dramatic increase in non-English speaking patients to serve.
Other states facing a jump in patients speaking foreign languages include Texas, Arizona and Florida. Across the nation, healthcare providers must be at the ready to interpret more than 300 languages to remain compliant. Otherwise, they risk incurring monetary penalties.
Why is it often a struggle to deliver interpretation for patients in large and small hospitals alike?
A big city hospital could serve patients representing a dozen different languages or more on any given day. That presents a very practical logistical problem for facilitating so many different conversations in so many different languages. This is why many facilities partner with vendors to provide on-site interpretation, but these interpreters often work on an on-call basis, delaying treatment. They also often charge two-hour minimum rates for their service even if it’s a 30-minute conversation. In a rural hospital, there simply may not be someone with the skillset to speak a particular language within the geographic area.
For these reasons, the biggest challenge for hospital management is determining how to efficiently meet the demand for interpretation services, which are required by law, while remaining cost conscious throughout the process.
As someone passionate about patient engagement and using health IT and other technologies to improve care, I continue hear a great deal about how solutions can actually benefit population health. Even at the most recent HIMSS conference, “patient engagement” as a term clearly has become one of this year’s biggest buzz phrases.
Conference sessions were dedicated to the topic, vendors marketed their services to solving some of the issues associated with it and seemingly everyone in attendance had an opinion for what needs to be done or at least has some strategies for bringing more patients — or their data — directly into the care sphere.
Problem is, from my perspective, that, unfortunately, too much is still being said about population health and not nearly enough about individual health. In theory, I understand why this must be, but in practicality, I don’t understand the seemingly lack of attention individuals are receiving. Obviously, if population health outcomes improve then that must logically mean individual health outcomes are improving.
And while I understand that not everyone or every need can possibly be addressed, that doesn’t mean we shouldn’t be trying to fill those needs. The current conversations about improved population health remind me of a common business/life solution when addressing a major problem: How does one eat an elephant? One bite at a time. Likewise, it would seem the same approach could be taken to achieve improve population health outcomes: One individual patient at a time.
That said, I asked some folks within the health IT community how technology affects individual patient outcomes. Though some of the ideas here are still high level, perhaps they are a step in the right direction. Here are some of the responses I received:
What are the real-world benefits of electronic health records, for example, to a specific individual? To answer that question, let’s take a look at a fictional person we’ll call “Bill.” Bill is quite elderly and has a variety of age-related illnesses. He lives in Ohio, and decides spend the winter with his daughter in Florida.
Bill’s daughter, Susan, arranges for her father to be seen by a local specialist during his stay. Susan tries to get a voluminous paper file transferred from Ohio to the new doctor in Florida, but there are delays: phone messages are missed, handwriting is misread, and no one has time to copy and mail 100 pages of medical records.
In the end, Susan is unable to get her father’s records transferred in time for the appointment with the new physician. As a result, an unnecessary test is performed, and a drug is prescribed that had caused an allergic reaction in the past.
In the future, EHRs will enable the Florida clinic to have electronic access to the same records available in Ohio. Already, Medicare and some commercial carriers have websites that list physician visits, patient complaints, diagnoses made, lab/diagnostic tests performed, and drugs prescribed. Eventually, such websites may include a full medical profile, including doctor’s notes, lab results, x-ray images and more.
Dean Wiech, managing director of Tools4ever, a global provider of identity and access management solutions, has worked in healthcare for more than 25 years. Here, he discusses how IAM enhances the ROI for health systems, and how the solutions make patient care more efficient, how they work in healthcare, and how systems and records can be made more secure — for patients and providers — because of the technology.
Tell me about yourself and your experience in healthcare.
I have been actively selling software solutions in the healthcare market for 25 years. I have sold and/or managed teams in about 50 percent of the country. I have always focused on solutions that provided a definable ROI based on productivity and time savings.
Tell me about Tools4ever. How does the company serve the space? Tell me about your products and how they are used in healthcare.
Tools4ever is a company that focuses on the identity and access governance space. We assist the healthcare market in insuring that the lifecycle of user accounts are managed in a timely and accurate manner. We also have solutions that save care providers time by eliminating repetitive login tasks and avoiding the need to call the help desk for password resets
How is Tools4ever different than some of the competitors in your space?
I believe our primary differentiator is time to implement. We can get the basics up in running in a few days to a few weeks, depending on the solution. The majority of our competitors take months to years to complete an install. The result is the healthcare organization can realize a much quicker benefit from the product and a quicker ROI.
What’s your footprint like in healthcare and who are some of the organizations you work with? How do you help them?
We have numerous hospitals and long-term care providers across the country. One example is South County Hospital in Rhode Island. It utilizes our Self Service Reset Password Management (SSRPM) solution to allow end users to reset forgotten network passwords. We then synchronize that password to several other solutions to allow a reduction in the number of credentials the employee needs to remember.
Another example is a major university hospital in New York City. It uses our user management solution for several tasks. The most recent example is provisioning patients to the network to allow them to view their records on a mobile device provided by the hospital for the duration of their stay. We also implemented a password self-service reset function to allow the patients to reset their passwords without a further burden on the help desk.
Received the following study recently that is quite interesting; thought it worthy of sharing:
Emergency department physicians are less likely to admit patients to the hospital when they have readily available electronic access to those patients’ health records, Weill Cornell Medical College researchers have found.
Its study, published March 12 in Applied Clinical Informatics, illustrates the value of combining multiple providers’ digital patient charts into a single source for health care providers – particularly in an urgent setting like the emergency department. With information such as previous test results, prescriptions and other patient history immediately accessible, providers are able to treat patients more efficiently and effectively than when they lack that data.
“New York State has made significant investments in health information exchange,” said Dr. Joshua Vest, an assistant professor at Weill Cornell and the lead author on the study. “Our study shows that providing physicians, nurses and allied health care professionals such as physician assistants real-time access to community-wide, longitudinal health records does in fact benefit patients.”
With federal and New York State government backing, hospitals and medical practices across the state are investing millions of dollars to make health records sharable among physicians when they need the information. The digitized charts contain doctors’ notes from every patient visit; family medical history; immunization records; lab results; medication history; allergies; reminders for preventative care and more.
Sending text messages has become a common method of communication among teenagers, adults, and more recently, medical professionals. Physicians are discovering that texting provides a quick and efficient way to communicate with colleagues, patients, and office or hospital staff. A recent survey by QuantiaMD of 38,000 physicians found that approximately “83 percent of physicians own at least one mobile device and about one in four doctors are ‘super mobile’ users who leverage both smartphones and tablet computers in their medical practices.”
As patients and healthcare providers increasingly use mobile devices to communicate with each other, concerns are raised about the security of electronic protected health information (e-PHI). The Health Insurance Portability and Accountability Act (HIPAA) Security Rule allows healthcare providers to communicate electronically with patients, but it also outlines standards to protect individuals’ e-PHI with appropriate safeguards to protect confidentiality, integrity and security of e-PHI. The following identifies security issues raised by texting of PHI between healthcare providers or provider and patient and how unsecure texting may violate the HIPAA Security Rule and create liability for healthcare providers.
As a general rule, texting of PHI by healthcare providers is strongly discouraged. Texting, or traditional short message service (SMS) messaging, is non-secure and non-compliant with HIPAA because data stored on personal mobile devices is not encrypted and is usually stored within the computer memory or on a smartphone SIM card or memory chip. The lack of encryption and the easily accessible storage methods allow any e-PHI communication on a mobile device to be retrieved and shared by anyone with access to the mobile device. This means that messages containing PHI can be read by anyone, forwarded, remain unencrypted on phone company servers, and stay forever on the sender and receiver’s phones.
Another reason why physician-patient texting is discouraged is that standard texting/SMS limits the message to 160 characters. This limited text field may cause critical information or options to be eliminated. According to a recent policy statement from the American College of Physicians and the Federation of State Medical Boards, physicians should understand text messaging is “not analogous to e-mail because of its abbreviated format and the greater possibility of missed messages.” Physicians are urged not to use text messaging even with established patients “except with extreme caution and with patient consent.”