Two issues are creating vexing health IT puzzles to solve: healthcare identity management for per diem employees who come and go on a daily basis, and how to stanch what may be ongoing security leaks in the wake of a data breach.
Why restrict yourself to doing the same old tricks on credit card processors when there's a goldmine to be had in healthcare organizations?
Two IT outsourcing companies, the University of Pittsburgh Medical Center (UPMC)'s CloudConnect Health IT and Co3 Systems, Inc., both nimble application service providers (ASPs), are attempting to solve those problems. Their most attractive selling point to CIOs might not be cost or lack of internal support needed to maintain these services, but instead scalability that can keep up with the frequent mergers and acquisitions that often hamper an IT staff's ability to keep up.
In the same way that solo docs and smaller group practices are more willing to entrust their businesses to cloud EHR and practice-management tools, smaller healthcare providers are typically more willing to embrace Software as a Service (SaaS) tools, also known as the ASP model.
"In our experience, it has to do with the size and maturity of the infrastructure; the smaller they are and the less mature their IT infrastructure is, the more interested they are," said Ted Julian, chief marketing officer for Co3, which provides HIPAA compliance and data breach response in the form of SaaS tools. "Both of those things are not necessarily required. You sometimes come across very, very large but relatively young companies who have no interest in doing things on premises."
Co3: HIPAA risk assessments and data breach response
One piece of health IT that Co3 offers isn't such a hard sell to CIOs: Data breach risk assessment along with its "break glass in emergency" cousin, data breach response. Julian said that many clients sign up for Co3 services specifically because it's their own networks that are compromised in most breach scenarios. That and because the healthcare provider can tap into experiences of other Co3 customers, which the company rolls into its online tools as it gathers more data from them. Furthermore, because their systems aren't "out-of-the-box" applications, nimble SaaS service providers can often more quickly update their apps to reflect regulatory updates as they are released than their traditional software brethren.
Online tools for risk assessments help healthcare providers imagine more potential data breach and disaster scenarios than they probably could come up with themselves, Julian said, because they integrate the collective knowledge of many providers. Tools like Co3's can also "drill" a data breach response, away from the provider's own network. This practice can gauge more details of a healthcare provider's readiness more closely than role-playing tabletop exercises in a conference room, the typical drill.
"These guys have it tough," Julian said of provider CIOs and their health information management and compliance co-workers. "The regulatory requirements around patient information are legendarily substantial. The difference in the last two to three years is the ferocity and persistence of the cyber attacks they face. The bad guys have figured out that patient data is incredibly valuable, and why restrict yourself to doing the same old tricks on credit card processors when there's a goldmine to be had in healthcare organizations?"
It takes one to know one: UPMC owns ID management as a service
While healthcare identity management covers the comings and goings of every employee in an organization, for healthcare IT leaders, per diem employees that come and go daily are the most challenging component of it. Nurses, doctors and allied support staff might work on a provider's premises for a day or two. Or they might work almost full-time for a period, moving from building to building or department to department several times within a week. Quickly credentialing (and de-credentialing) them for physical building access as well as EHR login is not only a sensible business security practice, but also a bedrock component of HIPAA compliance programs.
Keeping up IT support for clinical data access in this just-in-time staffing era, though, isn't easy. Monitoring and controlling access to patient data for HIPAA compliance is hard enough, but certain populations such as pediatric and behavioral health patients require compliance with additional state laws regarding patient data as well. That makes ID management and auditing access to EHR data even more crucial for operating a healthcare business.
UPMC owns and operates more than 20 hospitals and 400 outpatient facilities throughout Pennsylvania. It developed its own ID management system after surveying out-of-the-box options for its massive, geographically diverse system that processes 7,000 identity changes per week and requires access management to 165 software applications.
It worked so well that UPMC began offering its system as an outsourcing option for other healthcare providers under the name CloudIdentity, from the wholly owned UPMC subsidiary CloudConnect Health IT. Its target customer is small to midsized healthcare providers with up to 10,000 employees.
Read the rest of this outsourcing series
Part I: Health IT outsourcing an option for large providers
Part II: Outsourcing helps to include rural providers
Part III: Geofencing outsourced to Indian firm
"We looked at the market for identity management and what we found is that, basically, we'd have to cobble together various IT solutions to implement something effective, and it would have cost about $6 million," said Stacy Carbaugh, vice president for sales and marketing for UPMC's CloudConnect Health IT. Ultimately, the health system partnered to develop its own ID management by customizing Oracle tools. It also developed an EHR monitoring tool with FairWarning, an ASP that serves 1,100 hospitals globally.
Chris Arnold, FairWarning vice president of product management and engineering, said that health IT experience is necessary for this particular facet of outsourcing services because healthcare is more complicated than other market sectors when it comes to tracking personnel on the network. Typically, he said, health systems manage employees in a decentralized fashion for per diem nurses, floating specialist physicians and hospitalists, with multiple human-resources applications spread across multiple locations. Scalable ID management from an ASP vendor helps clients keep up as needs expand and change.
For his part, Carbaugh hopes that UPMC's reputation will help make the notion of outsourcing ID management more palatable to other health systems, added to the fact UPMC is using the system itself. Or, in software developer parlance, UPMC is "eating its own dog food."
"We are responsible for implementing and supporting the CloudIdentity solution," Carbaugh said, adding that some CIOs who aren't yet comfortable outsourcing this facet of health IT may soon change their minds. "Costs may force them to be more comfortable with it at some point. In many instances, a cloud environment may be more secure than their own."