Guest post by Travis Good, M.D., CEO and co-founder of Catalyze, Inc.
Even if a bit delayed, the power and value of cloud-based technologies is starting to seep into healthcare. With each new cloud-based technology piloted or taken to scale by a healthcare organization, other institutions and corporations become more willing to roll the dice on deploying cloud-based technology. While still slow, it is happening, but not where you may think. Instead of found in the typical core applications of EHR or practice management systems, we find cloud-based technologies being introduced into the innovative health technology areas of virtual care delivery and patient self-reporting. Those areas are breaking down the barriers to cloud adoption in healthcare and that pace is increasing.
Cloud-based technology acceptance, along with everything else in the healthcare industry is moving faster than ever before. Accountable care, bundled payments, patient satisfaction, continuous care and the consumerization of healthcare are catalyzing changes to a very large, slow moving, highly regulated and risk averse industry. Technology and technology enabled services are essential for riding out these waves of change.
Every healthcare segment has seen these paradigm shifts and is trying to carve out a piece of the new pie. Large medical centers and health systems want to commercialize tools created in-house. Payers are building technology geared toward new forms of care delivery and price transparency, while biopharma is building technology to deliver continuous care powered by data from its core products – devices and medicines. All three of these healthcare segments can build technologies that utilize cloud computing and thus reap the following benefits:
A more nimble organization
Consumption of only the resources needed
Access to technology and apps across geographic barriers
Compliance and Cloud Computing
With recent changes to HIPAA that went into affect as part of the HITECH and HIPAA Omnibus Rule in 2013, a surge in compliance interest has developed, especially with compliance as it relates to cloud computing. The HIPAA Omnibus Rule created a new segment within the string of compliance leading back to covered entities. The new “subcontractor” segment is something of which every healthcare compliance officer must be aware. In much the same way as a business associate processes, transmits or stores ePHI for a “covered entity,” a subcontractor will also process, transmit, or store ePHI for “business associates.” And, subcontractors, like business associates, are required to sign business associate agreements (BAAs). These agreements outline the obligations of each party in meeting different aspects of HIPAA compliance rules, and delegate the risk based on different types of possible ePHI breaches.
In creating this new “subcontractor” entity, the Omnibus Rule accounted for the paradigm shift in technology development and cloud computing. The most commonly used example of a subcontractor is found in a cloud hosting provider like Amazon (AWS) or Rackspace; yet, many other types of services exist that could be considered subcontractors.
As data and services are being accessed via Web services (typically APIs), a huge number of BLANK-as-a-Service offerings have emerged. Many modern applications utilize third-party APIs for features and functionality to speed time-to-market, while adding value to users. Using simple to consume APIs, modern applications can tap into databases, messaging (SMS, Push, email or voice), usage metrics, logging, customer support, data sources, backup and so forth.
Guest post by Lysa Myers, security researcher, ESET
In my last post, I discussed the steps to performing a healthcare IT risk assessment. Once you’ve determined the risks within your environment, an important part of addressing those risks is to set up policies about acceptable use – formally known as Acceptable Use Policies (AUP) – for your staff members and then to train your staff accordingly.
The weakest link in most security chains is the human element, namely people thwarting protections put in place, intentionally or by mistake, or simply through lack of understanding. But how do you set up policies and train people if neither you nor the people on your staff are particularly security-savvy?
Trainings and Templates
If you’re starting at or near ground zero when it comes to information security knowledge, the first question to ask is: Would be better to train someone to become your security guru, or to simply improve overall knowledge within the organization and establish common-sense usage policies?
Unless you have someone in your organization who is dedicated to IT tasks, it may be difficult to mandate security training, but it’s wise to have a security-conscious person handling your infrastructure. At a minimum, when you train the rest of your staff on their security roles and responsibilities, your IT personnel should go through at least as much training: they will likely be in charge of setting up the protections that are to be used by the rest of the organization.
If you have a smaller healthcare organization, you can still create an AUP, without a security guru. In fact, having a less complex organization simplifies the definition process. In this case, something which is focused on healthcare and yet very simple, where you can “fill in the blanks” could be quite helpful: HealthIT.gov provides a template that could work well for smaller organizations.
Guest post by Egor Kobelev, software delivery manager — healthcare, DataArt.
There are a lot of organizational and technical challenges health information exchanges (HIEs) struggle with while trying to deploy and maintain their platforms. One of the most complex organizational and administrative challenges is to achieve sustainability. While that is often an ultimate goal for HIEs, there is a huge amount of smaller technical challenges to meet, and the way those challenges are responded to often makes a difference for future HIE sustainability.
One of those typical tasks in the industry is a patient look up and mapping. There is a well-known issue when it comes to any sort of health data integration – the lack of a global unique patient identifier. Thousands of existing healthcare providers and payers use their own internal identifiers and there is no easy way to establish a relation between these. Social Security Numbers or similar national identifiers, while useful in some of scenarios, are not suitable for the purposes of healthcare record identification, primarily because of the risks of HIPAA rules violation.
The good part of the story is the amount of talks regarding a National Patient Identifier (NPI). For instance, HIMSS is proactively driving the initiative of introducing NPI, so that eventually patient mapping, which is currently a challenge, will be routine. However, the reality is that we are pretty far away from having NPI legislated and deployed in healthcare organizations nation-wide. At the same time, as many as 8 percent to 14 percent of patient records have errors caused by mismatching patient identifiers, which in turn causes hundreds of millions of dollars in spending to repair and reconcile the records. So, while we are waiting for NPI to come, what would be a solution which is HIPAA compliant, provides high accuracy, throughput, and minimizes manual interventions at the same time?
Guest post by Steve Jourdan, founder and CEO, BedWatch.
It’s a broken record – we need innovation in healthcare. Being the largest economy in the world by a significant margin, with a number of resources at our disposal, one would think that our ability to deliver healthcare services would also rank at or near the top. In fact, we don’t rank well at all. A Bloomberg ranking from last year finds the U.S. healthcare market ranked 46th in the world in terms of efficiency, with the second highest healthcare costs per capita reported.
But, innovation equals risk, and risk is a four letter word in healthcare, for good reason. Margins are thin, enforcement and compliance efforts related to HIPAA are increasing, and, ultimately patient care hangs in the balance at a time when reimbursement models are shifting from fee-for-service to being outcome-based. It makes perfect sense that healthcare organizations take a conservative approach to their business.
However, continuing to do the same thing will not move us forward. Private industry and even the federal government are taking advantage of these advancements. Technology is here, but it needs to be embraced; current technologies need to be adopted by healthcare for the benefit of everyone.
If I can perform secure online banking and investing directly from my smart phone, provided by the highly-regulated financial industry, why do I have to wait to receive healthcare services because health workers are using the technological equivalent of a Big Chief Pad and no. 2 pencil?
There is great promise in current mobile and cloud computing technologies, in that they are more accessible, easier to use, more secure, more scalable and can enable people to be more effective. The technology advancements we need are already here.
That said, use of current technology is only half of the solution. The other half is the people side of the equation. A culture of improvement must be embraced by the organization from the top down in order for significant improvements to be realized.
There’s little argument that overwhelming responsibility is placed on practice leaders to protect the security of patient records. Maintaining the accuracy, privacy and control of this data is one of the most crucial roles within the care setting. Given the high level of risk for exposure of this information and because of expanded enforcement of HIPAA, practices managing the release of information (ROI) must be more vigilant now than they have been in the past. Their processes for handling ROI need to meet not only the requirements of the law, but what’s in the best interest of the practices’ patients.
Along with a significant rise in HIPAA enforcement, practices must remain sensitive of how they handle the data that’s released to third parties. Redaction of personal information from records is one important way practice administrators can improve security, though it’s not the only way. Automating the removal of PHI by integrating redaction solutions with existing practice technology – such as electronic health records – searching and removing any protected information becomes electronic, eliminating a manual, repetitive process.
Removing risks associated with the release of PHI is possible with automated solutions that can remove data fields like patient name, dates of service, medication lists and other general information in the health record. But, even though solutions exist to automate the redaction of protected PHI, most organizations process records manually even as they migrate to electronic systems in other areas. Continue Reading
Two healthcare organizations have agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network. The monetary payments of $4,800,000 include the largest HIPAA settlement to date.
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of New York and Presbyterian Hospital (NYP) and Columbia University (CU) following their submission of a joint breach report, dated Sept. 27, 2010, regarding the disclosure of the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results.
NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. The entities generally refer to their affiliation as “New York Presbyterian Hospital/Columbia University Medical Center.” NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI.
The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the Internet.
Guest post by Michael Howard, worldwide security practice lead, managed services, printing and personal systems group, HP.
As the information technology landscape continues to rapidly evolve, healthcare providers increasingly find themselves faced with new challenges on how to best serve their patients and protect their privacy. The Health Insurance Portability and Accountability Act (HIPAA), which introduced privacy and security regulations in 1996 for providers that use electronic transmission of data, made securing patient data a prominent issue.
If you are skeptical about potential costs associated with implementing a new security strategy in your office, consider this startling fact: According to the Ponemon Institute, the average cost per incident of corporate information theft is $5.5 million1. That number alone should be reason enough for providers to consider upgrading their security protocols. While computers and servers are often the first pieces of technology to be secured within the IT infrastructure, paper documents and printers are often overlooked. With the extensive amount of security offerings available, IT managers can have greater confidence that patient records remain safe. Below are the top three ways that healthcare providers can better secure their print infrastructure:
Store medical records in the cloud
Recent data from the U.S. Department of Health and Human Services indicates that paper still accounts for a large percentage of HIPAA breaches. Between Jan. 1, 2011 through April 15, 2014, 500 patient data breaches have been reported with 203 related to paper (more than 40 percent)2. One easy way to reduce the likelihood of a paper breach – and to save time spent shuttling from one file cabinet to another – is to transfer your hard copy medical records to an electronic health record (EHR) format and store them in the cloud. Securing the paper to digital data process can be a less painful process by implementing a software solution that makes it easy for users to scan documents, convert them to electronic files and then distribute them to predetermined destinations. Not only will you simplify the data storage and retrieval process, but you will also save office space by reducing the need for file cabinets and limit excess paper.
As many healthcare providers are in the process of transitioning from paper to EHRs, it is important to be well informed on what happens to your data once it enters the cloud. Most cloud-based solutions offer bank-grade encryption for data transfer, in addition to highly protected data centers. By saving your EHRs to the cloud, you will be able to update patient records in real-time and reference past prescriptions and treatment plans while in the room with your patient. This promotes more personalized and convenient care and helps reduce duplications and inaccuracies.
Guest post by Jay Savaiano, director, worldwide healthcare business development, CommVault.
Healthcare professionals are inundated with an abundant amount of ways that they can access and store clinical data. Healthcare IT departments are given the task of making sure the delivery of that clinical data is readily available and can be accessed via a myriad of devices, as well as in a secure manner that meets the compliance standards that the entire enterprise has agreed on upholding. The deluge of data and the ever-changing ways that the data is accessed is creating some major challenges and concerns for the majority of professionals who are responsible for managing the nation’s healthcare information stream.
In a recent nationwide survey of healthcare IT managers in enterprise organizations, 75 percent of respondents – up 14 percent from last year – indicated they were concerned about the protected health information (PHI) residing in Bring-Your-Own-Cloud (BYOC) solutions, such as Box or Dropbox. A large number of BYOC solutions even offer the first 2GB of storage for free, which may speak to their popularity.
Today, smart phones, tablets and computers that have helped proliferate the popularity of “Bring-Your-Own-Device” programs all come out of the box with some sort of free cloud-based storage solution. Though Intel and ReadWrite report that 49 percent of U.S. IT managers “Strongly Agree that BYOD Improves Worker Productivity,” when you couple BYOC with BYOD together and add protected health information to the mix, healthcare organizations can be opening themselves up to a tremendous amount of liability.
With the policies inherent in clinical applications themselves, it is easy to maintain the security of the content, which is often structured and rarely stored locally. However, the challenge revolves around the unstructured data with PHI. For example, if a clinician maintains a spreadsheet of basic patient data and he or she places that spreadsheet in a BYOC-type solution, both the clinician and the healthcare organization are putting themselves in a liable position. Only when cloud-based solutions are authorized by the healthcare facility and meet the organization’s compliance criteria – which can and usually dictates the cloud provider is willing to sign a business associate agreement in support of HIPAA – are the organization and clinician able to limit the potential liability impact. There can still be other factors that create new liability, but by making the limitation of rogue cloud storage a priority, healthcare organizations can better protect themselves against a potential data breach and subsequent lawsuit.
Two entities have paid the U.S. Department of Health and Human Services Office for Civil Rights (OCR) $1,975,220 collectively to resolve potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. These major enforcement actions underscore the significant risk to the security of patient information posed by unencrypted laptop computers and other mobile devices.
“Covered entities and business associates must understand that mobile device security is their obligation,” said Susan McAndrew, OCR’s deputy director of health information privacy. “Our message to these organizations is simple: encryption is your best defense against these incidents.”
OCR opened a compliance review of Concentra Health Services (Concentra) upon receiving a breach report that an unencrypted laptop was stolen from one of its facilities, the Springfield Missouri Physical Therapy Center. OCR’s investigation revealed that Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets and other devices containing electronic protected health information (ePHI) was a critical risk.
While steps were taken to begin encryption, Concentra’s efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization. OCR’s investigation further found Concentra had insufficient security management processes in place to safeguard patient information. Concentra has agreed to pay OCR $1,725,220 to settle potential violations and will adopt a corrective action plan to evidence their remediation of these findings.
Maintaining blood supplies to meet the needs of the hospitals in the region is a key mandate for the Rhode Island Blood Center. The Center collects 250 pints of blood from donors to meet this commitment. To make it easy for donors, more than 3,000 mobile blood drives are held annually throughout the community.
While we have nurses and lab technicians to take care of the donors’ physical needs, it is my job as the IT Systems Manager at Rhode Island Blood Center to take care of their personal information. We gather this information from each donor at the mobile clinics and store it on laptops, so it is essential that we have safeguards in place to ensure the data is properly secured.
Data security is a key concern for the majority of healthcare organizations in the US. And like most organizations, Rhode Island Blood Center must follow regulatory guidelines and protect patient data.
My department is responsible for the IT and telecommunications equipment used at the remote blood drives and the six Center locations. The typical set-up includes a large number of Center-owned laptops where donor information is stored.
While most people arrive at a clinic and see the positive results of a community coming together and helping each other – all I see are laptops loaded with confidential information for which Rhode Island Blood Center is ultimately responsible. I know if even one laptop is lost or stolen, confidential donor information could be at risk.
Data at Risk
Reviewing daily healthcare news, it is clear that data breaches are a huge issue for healthcare organizations across the US, but bad press isn’t the only issue – many organizations face large non-compliance fines and damage to their reputation that can never be restored.