Health IT’s Most Pressing Issues (Part 2)

Health IT’s most pressing issues are too numerous to fit in a single post, as this second installment in the series makes obvious. Opinions differ on which issues matter most, but the sector faces many clear and overwhelming problems. Data, security, interoperability and compliance are some of the more obvious ones, according to the experts below, but they are not the only ones, as you likely know and as we will continue to see.

Here we continue to offer the perspective of some of healthcare’s insiders on health IT’s greatest problems and on where we should be spending a good deal, if not most, of our focus. If you’d like to read the first installment in the series, go here: Health IT’s Most Pressing Issues. Also, feel free to let us know whether you agree with the following, or add what you think are some of the sector’s biggest boondoggles.

Michael Fimin, CEO and co-founder, Netwrix
The largest concern of any healthcare organization is protecting patient personal data. Every year healthcare entities of all sizes become victims of data leaks, fresh examples being both Anthem and Premera Blue Cross, and lose thousands of dollars mainly because of employee misbehavior or human error. Not an easy one to prevent, the human factor sets IT pros a number of challenges to cope with:

1. Insider threat. Unfortunately, privilege abuse is a primary root cause of many data breaches. No matter whether an employee is breaking bad or his credentials were stolen, sensitive data is put at risk. The only way to prevent insider threats is to have visibility into the IT infrastructure and be able to track any changes made to both security configurations and data. Monitor user activity and establish rigorous control over accounts with extended privileges. Regularly review all access rights to ensure that permissions are granted in line with employees’ business needs.

2. Security of devices. In 2014 healthcare organizations suffered from physical theft or loss of electronic devices more than any other industry, according to the Verizon 2014 DBIR. Without proper identity and authentication management, personal data stored on these devices can be easily accessed by adversaries, leading to financial and reputational losses. If your employees’ laptops or tablets end up in the wrong hands, encryption, two-factor authentication and the ability to manage the device remotely will protect your data, or at least make the hacker’s job much harder.

3. Employees’ negligence. Deliberate or accidental mistakes pose more danger to data integrity than you might think. A simple email with confidential data sent to the wrong address may lead to a huge data leak. Make sure that your employees are familiar with the company’s security policy and are aware of what they should do to maintain security. Each person in the company should clearly understand that the integrity of information assets is their personal responsibility.

Dr. Barry Chaiken, chief medical information officer,Infor
Healthcare provider organizations invested billions of dollars purchasing and implementing electronic medical records, with this investment driven by the economic incentives provided by the HITECH Act. Now that these systems are installed and up and running, organizations struggle to obtain real value from these investments. These systems were implemented with speed in mind rather than the clinical transformation that improves quality and reduces costs. Now, organizations must embrace clinical transformation and change management to redo workflows and processes in order to effectively impact care. Organizations cannot justify their investment in EMRs unless they rework their EMR implementations to obtain true value from their deployment.

Matthew Fisher, co-chair, health law group, Mirick O’Connell

One of the top health IT issues that I encounter is meeting compliance requirements with the HIPAA Security Rule. Security is a hot issue for health IT in light of the numerous breaches and other attacks that have occurred in order to gain access to protected health information. Health IT is at the forefront of these issues because the conversion to predominantly electronic data formats has created a number of vulnerabilities. Foremost among the vulnerabilities is the often outdated security systems or measures that may be in place. From a regulatory compliance perspective, particularly HIPAA, organizations must perform a comprehensive risk analysis of their operations. The results of the risk analysis, which should include identification, likelihood and threat level associated with each issue, form the backbone of an organization’s security policies. Under HIPAA, the Security Rule is designed to be somewhat flexible and scalable to each organization’s needs. As the brief description of the risk analysis shows, the results help an organization to determine how to meet the addressable elements of the Security Rule.

All of this places a lot of pressure on health IT to meet demands and protect organizations. As can be seen from breach fallouts, health IT can be at the top of the blame list. However, proactive attention to these issues can help alleviate the pain and put an organization ahead.

Dr. David Kibbe, president and CEO, DirectTrust

For me, the top issue for health IT is interoperability of information exchange: It should be very easy for health care professionals to move data and information across organizational boundaries and IT platforms, without extra effort, and in a manner that is electronic, secure, and identity-validated. Data exchange has to be vendor agnostic. That we don’t have this capability deployed everywhere in health care is less a problem of standards than a problem of business models and culture.

The reason this one issue is on the top of my list is because the lack of interoperable exchange of health information is a by-product of fee-for-service payment to doctors and hospitals; payment for volume not payment for quality. If you get paid by insurers even when tests and procedures need to be duplicated, because the data aren’t readily available to your “silo” of information from someone else’s “silo” of information, why bother to change? But health care payers are moving toward “value-based care” in which quality and efficiency are rewarded, providers are put at some level of risk for the costs of the care they deliver, and those who do poorly on such metrics as readmissions to hospital and patient satisfaction are penalized and paid less.

Value-based payment success requires that providers communicate with one another in a distinctly multi-vendor environment, one in which doctors and hospitals use EHRs from over 300 vendors. Yet many members of care coordination teams, such as those in long-term post-acute care and home health, don’t use EHRs at all.

Providers engaged in value-based payment simply can’t fumble the transitions of care made by their patients as they did under fee-for-service; if they do they’ll fail financially. The challenge they are facing is how to move data and information wherever and to whomever the patient goes to next, and regardless of which vendor’s EHR the next provider organization is using, so that care becomes much more coordinated and outcomes more predictable.

Direct exchange is an example of a standard that is open and available for use in over 40,000 health care organizations that use EHRs certified by ONC; that certification includes that the EHRs are Direct-enabled to both send and receive messages, and file attachments of any kind, to and from any other certified EHR user. Direct messages are sent encrypted end-to-end, and the relying parties know precisely the identity of one another even before the message is transmitted. Attachments can be in any type of file format, including structured XML, Word, PDF, and common image file formats like .jpg and DICOM.

Why don’t we hear more about direct exchange in the media and press? Well, that’s because new technologies take time to become adopted, even when there are federal standards built into certifications. And, as the recent ONC report to Congress on Information Blocking pointed out, “… some [provider and EHR] business practices, though they may arguably advance legitimate individual economic interests, interfere with the exchange of electronic health information in ways that raise serious information blocking concerns.” Put even more simply, there still exist business and cultural incentives in health care to restrict information flows to protect private economic gain, even at the expense of the patients and the public at large.

As the incentives change because of value-based purchasing contracts becoming more widespread, we will see more and more health care providers and hospitals choosing to use interoperable health IT tools.

[Electronic Health Reporter]

Health IT’s Most Pressing Issues

Healthcare is not without its issues. Ask any number of sources what the biggest problem the sector faces and, seemingly, each has a different opinion on what’s most important. I’m often perplexed by the lack of cohesiveness shown toward the industry’s leading issues, too, and sometimes wonder how many of us could name the most pressing threats to the industry, as agreed upon by the community. There are clear problems – interoperability, lack of transparency, disparate systems working against each other – to name a few. So, in the following series, I’ve asked some insiders for their opinions on health IT’s greatest problems, and as you’ll see, the responses received vary greatly.

Scott Friedman, executive vice president, Sherpa Software

Healthcare IT struggles mightily with patient information that is not in the medical record system but has leaked into other locations in the healthcare organization (cell phone emails, USB drives, employee desks, etc.). While healthcare organizations have moved Protected Health Information (PHI) into HIPAA-compliant electronic health record (EHR) systems, patients maintain electronic copies of their health information, which they give to their different providers as they move between appointments. This “patient distributed information” becomes PHI, with all its associated compliance and legal burdens for the health care organization.

There is liability associated with this, and there are information governance strategies available that reduce the associated risks. Patient distributed information is present on smartphones, tablets, laptops, and the like, in places that are not sanctioned EHR systems (such as email, file directories, etc.). These devices are not part of the organization’s HIPAA-compliant system, and never can be. Most healthcare providers ignore the problem, which eventually leads to catastrophic security failures resulting in patient privacy breaches, and career-damaging incidents for the healthcare IT department.

To eliminate the problem, IT needs to look to integrate an information governance framework that can:

  • Interview employees to understand how they deal with and understand this issue.
  • Audit, usually with software systems, to provide objective evidence and quantification of the presence of PHI on your digital systems.
  • Set specific policies and procedures employees can follow in each and every situation in which they come into contact with “patient distributed information.”
  • Provide training, and review whether the policies and procedures work.
  • Automate the policies and procedures with software systems to ensure compliance.
  • Surveil your digital systems; this is the best way to monitor and review your program, as well as to improve it.

Acknowledge the increasing presence of patient distributed information on your digital systems, and have a plan for how to address it. Look to information governance to establish a strategy and program to address patient distributed information. With the proper policies, procedures, training, and systems in place your organization will be able to effectively handle and mitigate the risks.
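The audit step above, finding and quantifying PHI that has leaked into unsanctioned locations, as an added example in Python that is not Sherpa Software’s tooling or code from the original post. The three file contents are constructed for the example, and the MRN format (the literal “MRN” followed by eight digits) is an assumed local convention; an organization would substitute its own identifier formats. The SSN validity rules reduce the false positives a bare 3-2-4 pattern produces.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed contents of three unsanctioned locations (a mailbox export, a file
# on a USB drive, a desktop note). Made up for this example; not real records.
SAMPLE_LOCATIONS: Dict[str, str] = {
    "mail/export/outbox.txt": (
        "Hi Dr. Lee, forwarding the patient summary.\n"
        "Patient: J. Doe  DOB: 03/14/1962  SSN: 219-09-9999\n"
        "Room booking ref 4471-0283 for Thursday\n"
    ),
    "usb/E:/notes/labs.csv": (
        "name,dob,ssn,mrn\n"
        "A. Smith,1975-11-02,512-44-1234,MRN 00482771\n"
        "B. Jones,1990-01-30,000-12-3456,MRN 00193345\n"  # 000 area: not a real SSN
    ),
    "desktop/todo.txt": "Ask IT about ticket 666-01-0001 (looks like an SSN, is not one)\n",
}

# Shape-level patterns. SSN candidates are validated separately because the
# dashed 3-2-4 shape alone matches many non-SSN numbers.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
DOB_RE = re.compile(
    r"\b(?:(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}"   # MM/DD/YYYY
    r"|(?:19|20)\d{2}-(?:0[1-9]|1[0-2])-(?:0[1-9]|[12]\d|3[01]))\b"     # YYYY-MM-DD
)
MRN_RE = re.compile(r"\bMRN\s?\d{8}\b")  # assumed local medical-record-number format


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area 000, 666 and 900-999 are never issued,
    and group 00 / serial 0000 are never issued either."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def scan_text(text: str) -> Counter:
    """Count PHI identifiers in one blob of text, keyed by identifier type."""
    hits: Counter = Counter()
    hits["ssn"] = sum(1 for m in SSN_RE.finditer(text) if is_valid_ssn(*m.groups()))
    hits["dob"] = sum(1 for _ in DOB_RE.finditer(text))
    hits["mrn"] = sum(1 for _ in MRN_RE.finditer(text))
    return hits


def scan_locations(locations: Dict[str, str]) -> Dict[str, Counter]:
    """Run scan_text over every location; per-location counts are the
    objective evidence an audit needs, not just a yes/no."""
    return {path: scan_text(text) for path, text in locations.items()}


def phi_locations(report: Dict[str, Counter]) -> List[str]:
    """Locations holding at least one PHI identifier, sorted for stable output."""
    return sorted(path for path, hits in report.items() if sum(hits.values()) > 0)


def totals(report: Dict[str, Counter]) -> Counter:
    """Aggregate counts across all scanned locations."""
    total: Counter = Counter()
    for hits in report.values():
        total.update(hits)
    return total


if __name__ == "__main__":
    report = scan_locations(SAMPLE_LOCATIONS)
    for path in phi_locations(report):
        print(path, dict(report[path]))
    print("totals:", dict(totals(report)))
```

On the sample, the mailbox export and the USB file are flagged, the desktop note is not (its number fails the SSN area check), and the invalid 000 SSN in the CSV is not counted. In a real audit the location list would come from a crawler over mailboxes, file shares and endpoint disks, and the counts feed the quantification the policy asks for.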

Steve Schick, senior director, education, LightCyber

One of the most pressing issues facing healthcare organizations today is the threat of a targeted data breach. While data breaches are a top concern for most companies and organizations, it is even more acute for healthcare. Healthcare data is some of the most valuable in the dark web, commanding a substantial premium over credit card details. Over the past year, there have been at least 95.5 million healthcare records in the U.S. stolen through big data breaches, representing nearly 30 percent of the U.S. population.

While nearly every healthcare organization is a target, there are very few that can properly defend against a targeted data breach. Most have an excellent level of preventative security, but no amount of prevention will keep a motivated cybercriminal out of a network. Both Gartner and the FBI agree that it is no longer possible to have 100 percent effective preventive security. Even the president of RSA, Amit Yoran, concluded the world’s largest security conference with the cutting observation, “Our industry has adopted a defensive mindset that mimics the dark ages … beyond this irrational obsession with perimeters, the security profession follows an equally absurd path to detecting these advanced threats.”

The shocking news is that very few companies have the means to find a post-intrusion active data breach. The traditional preventative and malware-focused approaches do not work. The industry “standard” of six months to discover a data breach is evidence enough. Only with great luck will organizations be able to find active attackers if they are still chasing signatures of known malicious software and other statically defined technical artifacts. Larger organizations find themselves drowning in security alerts, most of them false-positives.

The best way to find an active data breach quickly and accurately is to look for the operational activities attackers have to carry out once they land in a network. In particular, reconnaissance and lateral movement are two kinds of behaviors that must be performed and can be spotted if you know how to look for them. The new breed of active breach detection technologies seems to be a promising new way of finding these attackers. Unfortunately, most healthcare organizations don’t yet know about these.

This year, healthcare IT must seriously look beyond just prevention to strategies and tools that will stop data breaches after an attacker has already made it into the network. Traditional approaches have proven to be immense failures for this problem. It’s time to consider a new approach to safeguard the systems and data these IT organizations are chartered to protect.

Amir Naftali, co-founder and chief technology officer, FortyCloud

Healthcare IT operations are very frequently computation and memory intensive. Operations like processing electronic personal health records, genetic data analysis and other healthcare-related Big Data processing are all heavy CPU and memory consumers.

Therefore, IT is always on the lookout for a more powerful yet cost-effective solution. Today, cloud-based infrastructure services (IaaS) offer almost infinite virtual computation resources in an attractive and agile pay-per-use model. These resources can be allocated almost anywhere around the globe.

Moving healthcare IT operations to infrastructure clouds seems, therefore, like a very natural step. An almost perfect fit exists between the computation and business needs of healthcare IT and the compelling business model of IaaS.

However, the only caveat with this alliance is security. Healthcare IT operations deal with highly sensitive patient data, while public cloud infrastructure environments have security challenges that are inherent to the model itself. Furthermore, health-related security regulations, like HIPAA, make it impossible to adopt any leading public IaaS offering “as is” for healthcare IT operations. Therefore, to ensure that its data is secured in cloud or hybrid environments, a CISO must supplement the cloud operations with an ISV solution that is not part of the initial cloud offering.

Jonathan Kaplan MD, MPH, board certified plastic surgeon, Pacific Heights Plastic Surgery

Price transparency — patients want it, but doctors/facilities don’t want to provide it because the doctor/facility has no incentive. The pricing info that consumers do get is mostly just US averages. It’s almost impossible to get pricing for a specific service from a specific provider.

[Electronic Health Reporter]

Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps

On Thursday we posted the initial analysis report on the XcodeGhost malware and then found it had infected 39 iOS apps, potentially impacting hundreds of millions of users. XcodeGhost embedded malicious code into those infected iOS apps. In the first report, we noted that the malicious code uploads device information and app information to its command and control (C2) server. But that isn’t all it does.

Today, inspired by a post by “@Saic” on Sina Weibo, we analyzed the malicious code in more detail and found additional capabilities in the malware. In summary, the malicious code that XcodeGhost embedded into infected iOS apps is capable of receiving commands from the attacker through the C2 server to perform the following actions:

  • Prompt a fake alert dialog to phish user credentials;
  • Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps;
  • Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.

Additionally, according to one developer’s report, XcodeGhost has already launched phishing attacks to prompt a dialog asking victims to input their iCloud passwords.

Based on this new information, we believe XcodeGhost is a very harmful and dangerous malware that has bypassed Apple’s code review and made unprecedented attacks on the iOS ecosystem. The techniques used in this attack could be adopted by criminal and espionage focused groups to gain access to iOS devices.

Technical Details

XcodeGhost added code to some system APIs that are used by the infected apps. After the malware sends device and app information to its C2 servers, XcodeGhost decrypts the content returned by the server and parses it as JSON-formatted data.

Figure 1. XcodeGhost decrypts response JSON data

In the JSON data, XcodeGhost will look for these keys:

  • alertHeader
  • alertBody
  • appID
  • cancelTitle
  • confirmTitle

The malware uses the specified title and body texts to create a fake alert dialog box. Using this technique, XcodeGhost can be used to “phish” information from the user, or trick them into inputting sensitive data. For example, it can create a dialog that asks the victim to input their password. Since the dialog is a prompt from the running application, the victim may trust it and input a password without suspecting foul play.

Figure 2. XcodeGhost prompts an alert dialog with specific title and message text

If the returned JSON data from the server contains the key “url”, XcodeGhost will open the URL specified.

Figure 3. XcodeGhost opens remotely specified URL

Note that the specified URL need not be an HTTP or FTP URL; it can be any URL whose scheme the local iOS system can handle (e.g. itunes:// or twitter://). The URL scheme is one of the main inter-app communication mechanisms in iOS. Any iOS app, including system apps, can define the schemes it handles. Multiple previous vulnerabilities in iOS and in various iOS apps have been caused by scheme-handling flaws that can be exploited by opening specific URLs. Because these vulnerabilities must be exploited locally by a malicious app, and iOS malware is uncommon, many people did not treat them as serious. XcodeGhost has broken this assumption by infecting many popular, widely used iOS apps.

Finally, XcodeGhost also uses the clipboard functionality provided by iOS to temporarily store some data it needs. In fact, every time an infected app is launched, XcodeGhost retrieves persistently stored data from the clipboard using a pasteboard named with the app’s bundle ID and the fixed string “UIPasteBoard”, then stores new data in it. Although this behavior is not harmful to users, a slight code change would allow the same technique to steal passwords from password management apps such as 1Password.

When people use apps like 1Password to manage their passwords on iOS, they often open 1Password, copy the stored password to the system clipboard, then open the app they want to use and paste the password into the login window. At this moment, a malicious app can directly read the password from the system clipboard. 1Password’s main security design for this situation is that the password stored in the clipboard will only stay there for a very short time. However, since the malware can read it when the app launches, the attack can still succeed.
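To make the control flow in this section concrete, an added example (our own Python, not XcodeGhost’s code and not Palo Alto Networks tooling) that interprets a decrypted C2 response the way the post describes the implant doing it, derives the pasteboard name, and performs a strings-level triage check for the key names listed above. The JSON commands and the two simulated strings dumps are constructed; the page does not show the byte layout of a real infected binary, so treating the scanner’s input as a NUL-separated strings dump is an assumption.

```python
import json
from typing import Dict, List
from urllib.parse import urlsplit

# Key names the post reports XcodeGhost looking for in the decrypted JSON.
ALERT_KEYS = ("alertHeader", "alertBody", "appID", "cancelTitle", "confirmTitle")
URL_KEY = "url"
PASTEBOARD_SUFFIX = "UIPasteBoard"        # fixed string appended to the bundle ID
WEB_SCHEMES = {"http", "https", "ftp"}   # anything else is an app/system scheme


def classify_c2_response(decrypted: bytes) -> List[Dict[str, object]]:
    """Return the action(s) an infected app would take for one decrypted C2 reply.

    Mirrors the described logic: alert keys -> fake dialog; 'url' -> open it with
    whatever scheme it carries. Anything unparseable is ignored (no action)."""
    try:
        data = json.loads(decrypted.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return []
    if not isinstance(data, dict):
        return []
    actions: List[Dict[str, object]] = []
    if "alertHeader" in data and "alertBody" in data:
        actions.append({
            "action": "fake_alert",
            "title": data["alertHeader"],
            "body": data["alertBody"],
            "buttons": [data.get("cancelTitle"), data.get("confirmTitle")],
            "appID": data.get("appID"),
        })
    if URL_KEY in data:
        url = str(data[URL_KEY])
        scheme = urlsplit(url).scheme.lower()
        actions.append({
            "action": "open_url",
            "url": url,
            "scheme": scheme,
            # A non-web scheme means the payload is aimed at another app's URL
            # handler, the scheme-abuse case the post warns about.
            "targets_app_scheme": scheme not in WEB_SCHEMES,
        })
    return actions


def pasteboard_name(bundle_id: str) -> str:
    """Name of the named pasteboard the implant uses for its own state."""
    return bundle_id + PASTEBOARD_SUFFIX


def find_indicators(strings_dump: bytes) -> List[str]:
    """Which of the known key/pasteboard strings appear in a NUL-separated strings dump."""
    present = set(s.decode("utf-8", "replace") for s in strings_dump.split(b"\x00"))
    wanted = list(ALERT_KEYS) + [PASTEBOARD_SUFFIX]
    return [w for w in wanted if w in present]


def looks_infected(strings_dump: bytes) -> bool:
    """Require the full set of alert keys: individually they are generic enough
    to occur in clean apps, so a partial match is not treated as a hit."""
    found = set(find_indicators(strings_dump))
    return all(k in found for k in ALERT_KEYS)


# Constructed samples: a phishing command, a scheme-abuse command, a plain web
# URL, and two simulated strings dumps (full indicator set vs. a clean app).
PHISH_CMD = b'{"alertHeader":"iCloud","alertBody":"Sign in to continue","appID":"com.example.app","cancelTitle":"Cancel","confirmTitle":"OK"}'
SCHEME_CMD = b'{"url":"twitter://user?screen_name=victim"}'
WEB_CMD = b'{"url":"https://example.com/"}'
INFECTED_DUMP = b"\x00".join([b"UIDevice", b"alertHeader", b"alertBody", b"appID",
                              b"cancelTitle", b"confirmTitle", b"UIPasteBoard"])
CLEAN_DUMP = b"\x00".join([b"UIDevice", b"alertBody", b"NSJSONSerialization"])

if __name__ == "__main__":
    for cmd in (PHISH_CMD, SCHEME_CMD, WEB_CMD, b"not json"):
        print(classify_c2_response(cmd))
    print(find_indicators(INFECTED_DUMP), looks_infected(INFECTED_DUMP))
    print(find_indicators(CLEAN_DUMP), looks_infected(CLEAN_DUMP))
```

The scheme check is the part worth keeping: a command whose URL scheme is not http/https/ftp is being routed to another app’s (or the system’s) URL handler, which is exactly the class of local scheme-handling bugs the text says were previously dismissed. The strings check is a triage aid only; confirmation of an infection rests on the C2 traffic and the injected code, not on five generic key names.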

Attack in the Wild

Earlier today on the popular Chinese forum V2EX, a user “realpg” described his experience developing iOS apps with the malicious Xcode package. His write-up disclosed that XcodeGhost’s attacker has used the malware to phish victims’ iCloud passwords.

In the discussion, “realpg” said that when he was developing a very simple iOS app that had no Internet functionality and didn’t use any iCloud APIs, the app would frequently display a dialog asking him to input his iCloud password. He tested the app on a dedicated, non-jailbroken test iPhone. He then captured the network traffic and found exactly the same C2 domain name used by XcodeGhost-infected apps.

Based on “realpg”’s account of the events, we believe that stealing passwords or potentially exploiting vulnerabilities in iOS and in legitimate applications may be the true purpose of XcodeGhost.

Acknowledgement

Thanks to Luyi Xing from Indiana University for providing knowledge about password management tools. Also, many thanks to @Saic on Sina Weibo for identifying potential behaviors in XcodeGhost.

[Palo Alto Networks Blog]

Malware XcodeGhost Infects 39 iOS Apps, Including WeChat, Affecting Hundreds of Millions of Users

Yesterday we posted an analysis report on XcodeGhost, a novel malware that modifies the Xcode IDE to infect Apple iOS apps. In the report, we mentioned that at least two popular iOS apps were infected. We now believe many more popular iOS apps have been infected, including WeChat, one of the most popular IM applications in the world.

After we posted the report, some security companies, such as Qihoo 360, scanned popular apps in the App Store by code analysis, and some iOS developers analyzed more apps using crowd-sourcing techniques. Several Internet companies, such as Tencent, NetEase, and Jianshu, have made statements on their respective affected products.

We checked these apps and list them below in this report. As of this writing, we see 39 iOS apps being infected, some of which are extremely popular in China and in other countries around the world, comprising hundreds of millions of users.

The infected iOS apps include IMs, banking apps, a mobile carrier’s app, maps, stock trading apps, SNS apps, and games. Among the more well-known apps are WeChat (developed by Tencent); Didi Chuxing (developed by Didi Kuaidi), the most popular Uber-like app in China; Railway 12306, the only official app used for purchasing train tickets in China; China Unicom Mobile Office, which is in use by the biggest mobile carrier in China; and Tonghuashun, one of the most popular stock trading apps.

Figure 1. WeChat 6.2.5 is also infected

Some apps are also available from the App Store in other countries. For example, CamCard, developed by a Chinese company, is the most popular business card reader and scanner in many countries (including the US) around the world. WeChat is the most popular IM app not only in China but also in many countries or regions in Asia Pacific. Version 6.2.5 of WeChat is what we have verified to be infected. Tencent has updated to 6.2.6, which removed the malicious code.

Palo Alto Networks is cooperating with Apple on the issue and we also suggest all iOS developers be aware and take necessary actions.

Infected iOS apps

  • 网易云音乐 (NetEase Cloud Music) 2.8.3
  • 微信 (WeChat) 6.2.5
  • 讯飞输入法 (iFlytek Input Method) 5.1.1463
  • 滴滴出行 (Didi Chuxing) 4.0.0.6-4.0.0.0
  • 滴滴打车 (Didi Dache) 3.9.7.1 – 3.9.7
  • 铁路12306 (Railway 12306) 4.5
  • 下厨房 (Xiachufang) 4.3.2
  • 51卡保险箱 (51 Card Safe) 5.0.1
  • 中信银行动卡空间 (China CITIC Bank Card Space) 3.3.12
  • 中国联通手机营业厅 (China Unicom Mobile Office) 3.2
  • 高德地图 (Amap) 7.3.8
  • 简书 (Jianshu) 2.9.1
  • 开眼 (Eyepetizer) 1.8.0
  • Lifesmart 1.0.44
  • 网易公开课 (NetEase Open Course) 4.2.8
  • 马拉马拉 (MalaMala) 1.1.0
  • 药给力 (Yaogeili) 1.12.1
  • 喜马拉雅 (Ximalaya) 4.3.8
  • 口袋记账 (Pocket Bookkeeping) 1.6.0
  • 同花顺 (Tonghuashun) 9.60.01
  • 快速问医生 (Quick Ask a Doctor) 7.73
  • 懒人周末 (Lazy Weekend)
  • 微博相机 (Weibo Camera)
  • 豆瓣阅读 (Douban Read)
  • CamScanner
  • CamCard
  • SegmentFault 2.8
  • 炒股公开课 (Stock Trading Open Course)
  • 股市热点 (Stock Market Hotspots)
  • 新三板 (New Third Board)
  • 滴滴司机 (Didi Driver)
  • OPlayer 2.1.05
  • 电话归属地助手 (Phone Number Location Assistant) 3.6.5
  • 愤怒的小鸟2 (Angry Birds 2) 2.1.1
  • 夫妻床头话 (Couples’ Pillow Talk) 1.2
  • 穷游 (Qyer) 6.6.6
  • 我叫MT (I Am MT) 5.0.1
  • 我叫MT 2 (I Am MT 2) 1.10.5
  • 自由之战 (Battle of Freedom) 1.1.0

Fox-IT (fox-it.com), a Netherlands-based security company, checked all C2 domain names from our reports against their network sensors and found thousands of malicious connections outside China. According to their data, these iOS apps were also infected:

  • Mercury
  • WinZip
  • Perfect365
  • Musical.ly
  • PDFReader
  • guaji_gangtai en
  • PDFReader Free
  • WhiteTile
  • IHexin
  • WinZip Standard
  • MoreLikers2
  • CamScanner Lite
  • MobileTicket
  • iVMS-4500
  • golfsense
  • QYER

[Palo Alto Networks Blog]

Watch: Secure SaaS Applications with Aperture

In this video, Lee Klarich, senior vice president, product management, talks about our new offering, Aperture, which extends the visibility and granular control of our next-generation security platform further into SaaS applications.

[Palo Alto Networks Blog]
