Guest post by Randy Hickel,manager of worldwide healthcare business development, Printing and Personal Systems Group of HP.
Mobility and BYOD trends in healthcare are a hot topic. With more healthcare businesses transitioning work processes to mobile platforms for increased collaboration and productivity, data security can be a major concern.
It’s clear that advanced mobile technologies allow healthcare employees – who are constantly on the move – to connect from anywhere, anytime; however, mobility can pose several challenges. By engaging with a health IT mobility expert, healthcare organizations can plan and build the appropriate infrastructure to manage various mobile devices, secure data and promote fluidity between paper and digital documents.
Prepare your IT infrastructure for BYOD
Personal devices in the workplace are quickly becoming the norm, rather than a trend, even in the healthcare industry. Administrative and medical staffs more frequently use personal devices, such as smartphones or tablets, to connect to work networks or enterprise systems. According to the Pew Research Center, in January 2014, 58 percent of American adults had smartphones and 42 percent had tablets. And for the first time ever, Americans used smartphone and tablet apps more than PCs to access the Internet.
Mobility focused IT experts can help healthcare organizations develop a mobile printing strategy that manages the growing number and diversity of mobile devices in the workplace, ensuring that staff can print securely using their mobile devices.
The cost of IT security data breaches in the highly regulated healthcare industry is staggering, as it tops even the likes of financial services market. No one is immune. Nearly 94 percent of medical institutions report that their organizations have been victims of a cyber attack, according to findings by the Ponemon Institute. With the update last year to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and HITECH Act of 2009, signs of increasing expenses are again a reality. The annual cap on fines for security breaches has also skyrocketed from a maximum of $25,000 per year to $1.5 million.
With breaches in healthcare spanning from insider, nosey-neighbor snooping, to external, cyber-threats, such as malware, there is an obvious urgency for detection and remediation solutions that engage not only the hardened perimeter, but also the soft center, spanning all the way out to the ancillary systems which at once stood alone, but are now networked and part of the entire electronic healthcare ecosystem.
Establishing a single, integrated, active defense approach to bolster your security posture and mitigate insider breach, as well as cybercrime in healthcare, begins with a motion to break down internal barriers. Organizations need technology and organization leaders who champion a bridging the gap between the two influential and liable, yet often un-collaborating services providers responsible for protecting these domains: Privacy and compliance and enterprise IT security.
Coordinating the effort to monitor networks and applications to achieve a greater understanding of risky behavior is a giant step toward detecting early indicators of compromise and strengthening the weak links in your security practice. We recommend an assessment of the often overlooked, non-standard variety of electronic data carriers, which can fall into the category of the “Internet of Things,” those medical device end-points, video surveillance systems, x-ray machines and call contact systems. These must be treated as part of the entire electronic ecosystem to achieve a greater degree of data protection. They carry patient health information (PHI) and even intellectual business property, and are largely unprotected by traditional intrusion detection solutions. While often perceived as immune to breaches, they represent readily available ports of entry for an attacker.
A unified approach to end-user education and monitoring for early breach detection that fosters risk mitigation requires tight coordination between privacy and IT security. The challenge is in how. Functional groups are often siloed and share very little information with each other. This becomes a major issue in the event of a breach, as neither side is able to understand the full spectrum of the threat without the others’ data. Let’s take a look at a couple of examples.
For physicians’ practices in the 21st century, connectivity is the buzzword. Getting doctors connected to data, patients connected to healthcare providers, and practices connected to networks are just a few of the web-fueled scenarios coming down the pike.
The Health Information Technology for Economic and Clinical Health (HITECH) Act is a game changer and affects just about every aspect of modern medical care. HITECH, part of the American Recovery and Reinvestment Act of 2009, promotes the adoption and meaningful use of health information technology.
As is often the case with a shift this monumental, there are both benefits and challenges of connected healthcare that practice groups will have to address. First, let’s take a look at some of the benefits.
1. Join the Digital Revolution. Just as other industries that went digital years ago, healthcare benefits from the streamlining offered by a networked environment. Clinical interoperability of healthcare IT lowers costs and enhances efficiency by facilitating the comprehensive exchange of health information between care providers, hospitals and patients. The trend is toward innovation in healthcare as the industry as a whole responds to consumer demands and government reforms.
2. Safety in Numbers. As of 2013, more than 323,000 American medical practices and hospitals adopted EHRs and attested as meaningful users, indicating a 266 percent increase over 2012, according to CMS statistics. However, even with this upsurge in participation, those numbers represent only a small percentage of US hospitals that currently keep electronic records and contribute to the health information exchange. So, while the risk of being an early adopter is largely gone, your practice group could still be near the front of the adoption wave.
3. It’s easier. As you can see from the statistics in the previous point, healthcare IT adoption is in an early phase, and for most practices, there is a lack of centralization. To help elucidate the complexity of the system, look no further than the state of Florida, where there are at least 672 EHR vendors. Connecting health information digitally creates a central database that greatly simplifies the process of storing and retrieving all patient data. It’s like finding the needle in the haystack every time.
Patient-centered healthcare technology is putting the power of good health into patients’ hands. All of the changes in American healthcare regulations point to one top priority, and that’s patient centered care. Why does this matter? Because patients who are empowered to manage their own health are more likely to be proactive and, theoretically, therefore healthier.
Knowledge in the world of healthcare can be a great thing, and the technology community is responding with thousands of apps and other healthcare IT initiatives, such as activity tracking devices and websites designed to help consumers keep close track of their wellness.
Researchers at the Mayo Clinic provided FitBits to 149 post-surgical heart patients. The researchers determined that using the FitBit to monitor mobility wirelessly was “easy and practical, and led to a significant relationship between the number of steps taken in the early recovery period, length of stay and dismissal disposition. The research indicates that an activity monitor such as a FitBit could positively affect post-discharge outcomes by empowering patients to take their recovery into their own hands. Better discharge outcomes leads to lower costs in the long run. This is just one example of many.
In a letter to HHS Secretary Kathleen Sebelius, the College of Healthcare Information Management Executives (CHIME) and 47 other of the nation’s largest healthcare provider organizations issued a joint call for additional time and flexibility in the meaningful use program to ensure its continued success.
While underscoring the meaningful use program’s invaluable role in advancing technology adoption among hospitals and physicians, the letter states that strict adherence to current program requirements endangers overall success of the EHR program, disrupts providers’ healthcare operations and potentially jeopardizes patient safety.
“Given that we have just celebrated the anniversary of HITECH, we can look back at the last five years with great pride and take stock of how far we’ve come – as an industry and as a nation,” said CHIME President and CEO Russell P. Branzell FCHIME, CHCIO. “But we must look ahead and recognize the immense work in front of us. Now is the time to make much-needed course corrections to ensure that we continue this success well past HITECH’s 10th anniversary.”
The letter reiterates many points made by several organizations dating back to May 2013, including letters from CHIME; the American Hospital Association (AHA); the American Medical Association (AMA); the Medical Group Management Association (MGMA); the American College of Physicians (ACP); the American Academy of Family Physicians (AAFP); and the National Rural Health Association (NRHA).
The latest letter, the first to be issued jointly by more than 40 organizations, comes in response to concerns that the nation’s 5,000 hospitals and 550,000 eligible professionals must adopt the latest certified versions of EHR technology and meet more difficult program requirements to remain in compliance with the Medicare and Medicaid Electronic Health Record Incentive Program. Hospitals only have until July to adopt, implement, test and train staff to meet either Stage 1 or Stage 2 Meaningful Use requirements in 2014. Eligible professionals have until October to begin collecting data to attest to meeting program requirements.
In 2013, healthcare industry stakeholders, including associations, EHR vendors, practitioners and providers, raised significant concerns relating to the implementation timing of meaningful use Stage 2 and 3 criteria, including problems with interoperability, usability and regulatory failure to assess “value added” by implementation of meaningful use criteria to date. On December 6, 2013, federal officials announced that Centers for Medicare and Medicaid Services (“CMS”) were proposing a new timeline for the implementation of meaningful use stage criteria for the Medicare and Medicaid Electronic Health Record (“EHR”) incentive programs. The Office of the National Coordinator for Health Information Technology (“ONC”) further proposed a more regular approach for the update of ONC’s certification regulations.
Under the revised timeline, Stage 2 will be extended through 2016 and Stage 3 will begin in 2017 for those providers had completed at least two years in Stage 2. The goal of the proposed changes is twofold; to allow CMS and ONC to focus efforts on the successful implementation of the enhanced patient engagement, interoperability and health information exchange requirements in Stage 2, as well as evaluate data from Stage 1 and Stage 2 compliance, to date, to create and form policy decisions for Stage 3.
CMS expects to release proposed rulemaking for Stage 3 in the fall of 2014, which may further define this proposed new timeline. Stage 3 final rules would follow in the first half of 2015.
Despite CMS’s positive response to stakeholders concerns relating to the timeline for implementation of Stage 2 and Stage 3 meaningful use criteria, significant reservations continue to be enunciated, on a monthly basis, by providers at both Health information technology (“HIT”) policy committee and work group meetings. Providers continue to urge rule makers to institute consensus standards that could be adopted broadly across the healthcare industry to ensure both usability and interoperability.
In early 2013, former national coordinate Farzad Mostashar chastised electronic health record vendors for improper behavior in the marketing and sales of systems that continued to frustrate interoperability goals. This frustration with EHR vendors continues to be enunciated in HIT policy committee and work group meetings as recently as January of 2014.
Guest post by James Hofert, Roy Bossen, Linnea Schramm and Michael Dowell, all partners with Hinshaw & Culbertson.
New federal healthcare legislation and implementing regulations, seek to exert control over multiple aspects of patient care. The Health Information Technology for Economic and Clinical Health Act (“HITECH”)[i] with staged implementation through 2016, seeks to not only promote implementation of electronic health record systems (“EHR”), but also regulate electronic communications of health information by and between the patient, physician, hospitals and other healthcare institutions so as to enhance care quality, care coordination and reduce costs.
HITECH further envisions implementation of clinical decision support algorithms for the diagnosis and treatment of disease both during admission and after discharge. The Hospital Readmission Reduction Program[ii], effective October 1, 2012, consistent with the objectives of HITECH seeks to financially penalize hospitals for higher than standardized readmission rates for heart failure, acute MI and pneumonia. The Center of Medicine and Medicaid Service (“CMS”) intends to expand application of the program to readmission for COPD, elective total hip arthroplasty and elective total knee arthroplasty in 2015[iii]. Consistent with preventative care goals so as to mitigate further health care problems as found in HITECH, CMS has refused to adjust the re-admission penalty program to account for readmissions unrelated to the patient’s initial hospitalization even though the readmission could be considered to be outside the hospital’s or physician’s control[iv].
Are EHRs dead? Well, Healthcare IT News’ Eric Wicklund recently reported that EHR vendors “will have to find a way to modify their products to focus on data that the patient and his or her care team want, or they’ll become obsolete.” Will EHRs become so obsolete so soon after the height of their heyday? When further explained, some of the reasoning makes sense.
According to panelists at the Partners HealthCare’s 10th Annual Connected Health Symposium, we’re in the time of “para-EHR,” defined as all of the phone calls, texts, e-mails and other doctor-doctor and doctor-patient communications that are not entered into the EHR. They could include everything from Skype chats between doctors to Post-It notes to data residing on mobile devices and sensors.
As such, complete records are not being entered into the EHR, and most patient communication takes place outside the EHR setting. But, are EHR’s dead and flat line or do they have some life left in them? I posted the question to Jim Gerrity, director at Ciena.
Are EHRs dead? “The short answer is ‘no,’ however, what is contained in today’s EHR will most likely evolve. Let me expand on this a bit: Paper-based records are still the most widely used method in the healthcare industry, but that’s changing rapidly. EHRs are proving to significantly improve clinical efficiency and coordination and being adopted increasingly by healthcare institutions around the world. A relatively recent example in the U.S. was their great usefulness to provide continued care during and immediately after Superstorm Sandy … e-records backed up and accessible at disaster recovery sites. As one writer put it, EHRs are ‘ushering in a new era in how medical data is stored and shared.’ But is this transition to EHRs required?
Guest post Chris Shaw, senior vice president and general manager, OneSign Products Group at Imprivata.
The aging population and skyrocketing cost of care are driving healthcare organizations around the world to rethink their business and delivery models, and to develop more efficient ways to keep their populations healthy. In the United States, meaningful use objectives defined by the Department of Health & Human Services (HHS) under the Health Information Technology for Economic and Clinical Health (HITECH) Act have propelled hospitals to lead the way in the adoption of electronic health records (EHR) in order to optimize care delivery and improve patient outcomes.
At Chilton Hospital, an award-winning, nonprofit hospital in northwestern New Jersey, the benefits of digitization were clear, and the IT department was committed to making the shift to EHR, regardless of meaningful use and its incentives. Yet they anticipated resistance from their care providers, who were accustomed to finding all the patient information they needed in one paper chart. When Mark Lederman, Chilton CIO, joined the hospital in 2011, he knew that his team was going to have to find a way to implement the EHR system without forcing clinicians to log in and out of multiple applications dozens of times a day.
A recent Ovum study showed that almost 60 percent of employees bring some type of mobile device into the workplace. There are a few names for this, Bring Your Own Device (BYOD), Bring Your Own PC (BYOPC), Bring Your Own Phone (BYOP), User Introduces Unsecure Device onto My Network and Then Loses My Secure Data (UIUDOMNTLMSD).
Alright, so I made that last one up, but that is how most IT managers feel when the discussion is started about BYOD. An end user bringing a device to work is both a gift and a curse for any sized company. We see an increase in productivity but also the increased threat of data being lost or stolen. Having a strong mobile device management (MDM) strategy can help companies reap the benefits of BYOD while limiting the consequences.