Health IT and Electronic Health

Community Blog

October 8, 2015  12:42 PM

Security of healthcare data in motion

Posted by: adelvecchio
cybersecurity, data encryption, data in motion, data privacy and security, healthcare data

Guest post by Dr. Michael G. Mathews, president, COO, & co-founder, CynergisTek, Inc.

In previous articles, I covered the fundamentals of encryption using symmetric (shared secret), asymmetric (public-key), and mixing the two to create a hybrid approach to keeping data confidential. I also covered the concepts of data integrity (knowing a message has not been changed) and non-repudiation (verifying the sender is authentic). This installment focuses on the security of healthcare data in motion. The final segment in this series will focus on the security of healthcare data at rest.

At the risk of sounding like a broken record (as it seems all things security start with this), it is critical to understand the application data flow for the data being protected. Knowing the type of data being moved and where it originates and is destined, as well as if there are intermediate stops/routings along the way, helps inform what type of protection makes the best sense for the data. For example, an application that is moving data from point A to point B within the internal network might simply be an exercise in proper network architecture design to segment the traffic as best as possible from those who don’t need access to it. Since network segmentation as a mitigating control falls outside the realm of encryption, I’ll reserve that topic for a future article.

Any data leaving the internal network and going beyond the perimeter firewall certainly deserves a critical eye from a data confidentiality perspective, including non-traditional health IT applications such as Voice over Internet Protocol (VoIP). In the case of VoIP, depending on how calls are routed, the data portion of the call might live on the internal network or it might leave the internal network to a hosted private branch exchange. In the latter case, any conversations that include protected health information would be exposed to the Internet, potentially creating an unauthorized disclosure, without mitigating controls in place. In general, where it’s possible to enable data confidentiality, there’s rarely a reason not to do so.

One of the prominent options available for protecting the confidentiality of healthcare data is transport layer security or TLS — which, together with its predecessor secure sockets layer (SSL), are often collectively referred to as SSL. TLS takes a hybrid cryptography approach in that it uses asymmetric (public-key) cryptography to establish a secure initial communication channel in which it then negotiates a session key (symmetric) for further communications.

The benefit of using SSL/TLS is that, for discussion’s sake, it works at the application layer. This means that by the time the traffic hits the network, it’s encrypted. One detriment is that unless the application in question is written to support SSL/TLS, it’s not something that can be added after the fact, though there are workarounds that use SSL tunneling to make non-SSL/TLS-aware applications work with SSL/TLS. In recent years SSL/TLS has become more ubiquitous in applications, making this route of protecting data much more accessible, though it hasn’t been without its setbacks, with Heartbleed being the most widespread and serious.
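An application that speaks TLS is only as protected as the settings it negotiates with. The following is an added example, not code from the original post: it uses Python's standard `ssl` module to set a verifying client configuration beside an encrypt-only one and audits both. The function names and finding strings are assumptions made for illustration.

```python
import socket
import ssl
from typing import List, Tuple

NO_CERT_CHECK = "peer certificate is not verified"
NO_HOST_CHECK = "certificate is not matched against the host name"
LEGACY_FLOOR = "protocol floor is unpinned or admits versions older than TLS 1.2"

# Floors that still admit SSL 3.0, TLS 1.0 or TLS 1.1. MINIMUM_SUPPORTED
# defers to whatever the linked TLS library allows, so it counts as unpinned.
_LEGACY_FLOORS = {
    ssl.TLSVersion.MINIMUM_SUPPORTED,
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
}


def hardened_client_context() -> ssl.SSLContext:
    """Client settings that authenticate the server before any data is sent."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + host name checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse the SSL-era versions
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Encrypt-only settings: traffic is unreadable on the wire, but the
    client has no proof of which party holds the other end of the channel."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the weaknesses found in a TLS client configuration."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(NO_CERT_CHECK)
    if not ctx.check_hostname:
        findings.append(NO_HOST_CHECK)
    if ctx.minimum_version in _LEGACY_FLOORS:
        findings.append(LEGACY_FLOOR)
    return findings


def negotiated_parameters(host: str, port: int = 443) -> Tuple[str, str]:
    """Connect with the hardened settings and report what was negotiated:
    the protocol version and the symmetric cipher protecting the session.
    Needs network access; host and port are supplied by the caller."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()))
    print("weak:    ", audit_context(weak_client_context()))
```
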

The other widespread route is IP security or IPsec. In contrast to SSL/TLS, IPsec works at the network layer and, as such, it can be used to secure the confidentiality of any application, including those that don’t have security or privacy as integral features. Readers will most likely associate IPsec with site-to-site virtual private network (VPN) connections and even some implementations of end user VPN connectivity. IPsec depends on what are called security associations to establish the rules of the connection and the rules must match on each side of the connection to be successfully negotiated. Like SSL/TLS, IPsec also uses a hybrid approach to cryptography with initial key exchange either using a shared secret or a protocol-based key exchange to generate session keys for the communication to be protected.

September 23, 2015  1:07 PM

Patient safety and cloud-based MDM: A healthcare innovation

Posted by: adelvecchio
master data management, master patient index, MPI

Guest post by Michael Morton, CTO at Dell Boomi

Several healthcare issues are competing for attention, including the furor over how it is paid for; the increasing concern over patient privacy; fears related to the spread of specific diseases such as Ebola, MERS, and H7N9 bird flu; and the rise of antibiotic-resistant superbugs. With all this to consider, it’s easy to overlook a growing challenge that may be putting patients at risk every time they register at a new healthcare facility.

When a physician sends a patient to a specialist for treatment, the patient generally takes it for granted that they’ll receive the right tests and treatments for their ailment. After all, anything else could be catastrophic. But what if that patient has the same first name, last name and birthdate as several other members in their healthcare organization? Not likely, you say? In 2011, the Harris County Texas Hospital District database listed the medical records of nearly 2,500 people named Maria Garcia, 231 of them had the same birth date. In total, 69,807 people in that district shared a first and last name and date of birth. This can cause not only confusion; it’s an opportunity for improper care and treatment.

Many healthcare organizations rely on a combination of a healthcare-specific master patient index (MPI) and master data management (MDM) systems to cleanse their records and eliminate duplicates and errors. An MPI is a unique identifier, such as a medical record number, assigned to each patient. MDM technology, typically implemented as a software program and a set of processes (data stewardship), is commonly employed at healthcare organizations to maintain a single “golden” record across their various software systems, such as customer relationship management, enterprise resource management and human resources. Until recently, MDM was a limited, on-premises solution that lived behind the corporate (or healthcare organization) firewall. Such systems struggle in hybrid IT environments, and including cloud-based data requires a complex, expensive and time-consuming development effort.

But as patient care increasingly takes place across multiple healthcare organizations without a single, standardized MPI system — and as the amount of data that each organization accumulates continues to skyrocket — reliance on disparate MPIs and on-premises MDM to manage the records simply isn’t sustainable. As it stands, according to a report published by the Bipartisan Policy Center, the patient matching error rate stands at 8% and can range up to 20%. And according to the Health IT Buzz Blog, published by the Office of the National Coordinator for Health Information Technology, an office of the U.S. Department of Health and Human Services, “One of the largest unresolved issues in the safe and secure electronic exchange of health information is the need for a nationwide patient data matching strategy ensuring the accurate, timely, and efficient matching of patients with their healthcare data across different systems and settings of care.”

Enter cloud-based MDM, which enables master data management to take place beyond the firewall, connecting any combination of on-premises and cloud-based data sources, including third party suppliers such as Hoover’s Inc. and Dun & Bradstreet, Inc., to establish and maintain golden records across multiple systems in near-real time. With cloud-based MDM and proper data stewardship — even in the absence of a national MPI — healthcare organizations have the potential to pull data from a vast number of sources, including other healthcare organizations and commercial vendors, to help ensure they properly identify each patient.

No one should have to suffer from a misdiagnosis or the wrong treatment simply because a healthcare organization hasn’t accurately identified the patient. Yet this problem will persist until we can break down the silos surrounding MPI, ensure a single, golden record for each patient, and share this information across the nation in real or near-real time. Cloud-based MDM is the most practical, most cost-effective and least disruptive way to accomplish this in the short term.

About the Author:
Michael Morton is the chief technology officer of Dell Boomi, where he is responsible for product innovation.

September 17, 2015  1:11 PM

Unlock the value of unstructured patient data

Posted by: adelvecchio
EHR, EHR data, Patient data, unstructured data

Guest post by John Smithwick, CEO of RoundingWell

Once upon a time, a visit to the doctor started with, “Tell me where it hurts” and ended with, “Take two of these and call me in the morning.” Getting patients diagnosed correctly and treated appropriately depends on providers gathering both quantitative data, which is typically structured, and qualitative data, which is typically unstructured. When comparing both types of data, it’s more challenging to manage and derive value from unstructured patient data.

Quantifiable, measurable data such as lab results, blood sugar levels and cholesterol are considered structured data. This type of data is objective and can be entered discretely into EHRs via predefined fields. Since the data is structured, software systems are able to understand the meaning of the data, interpret and report on it. Structured data can be put to use by clinicians at the point of care to aid their decision making.

Qualitative data — such as symptoms like pain, discomfort and fatigue — is considered unstructured data. This type of data is subjective to the patient and is often gleaned through conversations based on what the clinician asks and what the patient discloses.

If a patient encounter was like an academic exam, gathering structured data such as vitals would be the fill-in-the-blank portion of the test. Gathering unstructured patient data would be the essay portion. While it might seem like a simple exchange of niceties, these communications provide a lot of information to a clinician, such as whether a patient is experiencing depression, or that she’s experiencing shortness of breath upon standing.

Correct diagnoses and appropriate treatments are dependent on managing both structured and unstructured patient data. Managing structured and unstructured data also greatly influences the outcomes a healthcare organization is able to deliver. As the amount of reimbursements tied to outcomes increases, delivering outcomes becomes more important.

Managing structured data is usually handled well. It’s in the management of unstructured data where problems arise. There are two primary problems with unstructured data.

  • The first problem is process related. Unstructured data is not gathered consistently or systematically. A clinician only knows about symptoms if he asks the patient, which doesn’t always happen, or if the patient discloses the information, which, again, doesn’t always happen. When symptoms are overlooked or patients withhold information, clinicians can’t make the right diagnosis or give the best treatment.
  • The second problem is technical. Unstructured data is most often recorded in EHRs in free text fields or note fields. Data stored in this way is very difficult for software systems to interpret, understand and analyze.

The ballooning amount of data available is another issue. In 2012, worldwide digital healthcare data was estimated to be 500 petabytes. That’s an astounding number, and it’s only growing: the data is expected to reach 25,000 petabytes in 2020. It can be a daunting challenge for healthcare organizations to gain value from this mountain of data. And guess what? Industry consensus is that approximately 80% of all healthcare data is unstructured data.

So, what if technology could not only ensure patients were diagnosed correctly, but also automate the process? Cloud-based care management and patient engagement software are providing new ways for healthcare organizations to unlock the value of unstructured patient data. How? In essence, by creating “structured symptoms” — gathering patient-reported symptoms and discretely capturing them in a way the data can be analyzed.

These platforms systematically assess patients for symptoms and signs that patients might not get asked about by a provider and that they might not self disclose because they don’t think it’s important or they forget to mention it. Care management software then stores patient symptom info in a structured way, allowing this previously unstructured data to be analyzed and made actionable.

For example, consider the use of alerts which signal clinicians that a patient needs attention. Instead of discovering issues at a late stage, after a disease has had time to progress, clinicians are alerted early to leading indicators of a decline in a patient’s health status. In this way, delivery of care becomes less like fighting fires and more like preventing fires.

What’s the bottom line? Whether it’s gathered via care management software, EHR or patient-specific physician insights, all data should be structured and be ready for interpretation and analysis. This is especially critical in value-based models. For any risk-bearing entity, getting this complete picture is absolutely critical to give patients the right treatment at the right time, to improve outcomes and prevent adverse health events.

About John Smithwick:
John Smithwick is the CEO of RoundingWell. He co-founded RoundingWell in 2011 following four years at Nashville’s Healthways, where he led the design effort for its Web-based disease and lifestyle management product offerings. Prior to his work at Healthways, he worked in product management at Microsoft in Redmond, Wash. and in technology strategy consulting with Accenture in Boston, Mass. A graduate of the University of Richmond, he holds a master’s of business administration from the University of Pennsylvania’s Wharton School of Business.

September 10, 2015  11:49 AM

Five healthcare security strategies to adopt now

Posted by: adelvecchio
cybersecurity, Data breach, data breach security, Risk assessment

Guest post by Lysa Myers, security researcher, ESET

As the number of cyberattacks against healthcare organizations grows, I’m often asked whether there is any one policy or behavior that is to blame for this situation. My answer is emphatically no; security is an area of concern that many people are just starting to become aware of, much less understand and implement good security controls for. As a result, many organizations and their staff don’t have a realistic sense of what good security is and what they need to protect.

Here are five tips for organizations to more easily and effectively implement healthcare security strategies.

Security must be viewed like a puzzle

If attackers get any one piece of the puzzle, they should not be able to figure out the whole picture. For example, if user credentials are stolen through phishing or a lost or stolen device, there should be another factor of authentication in place so the attackers are stopped from logging in. If an attacker does manage to log in, there should be network segregation and limited privilege such that he cannot pivot into more sensitive areas of the company, or into sensitive databases.

There is no such thing as a “warning sign” of a breach

If there is a sign that you’ve been breached, it’s already too late — the attacker has already gotten into your system. Some people cite the presence of vulnerabilities as a sign of danger, but in truth, all systems have vulnerabilities. That would be similar to saying, “a common attribute for breaches is that the affected companies all have staff who consume oxygen.” It’s not the vulnerabilities that cause attacks, it’s the absence of good security.

To err is human

The most educated humans still make mistakes. Even security gurus can accidentally double click when they’re not supposed to. That said, those who are not educated about what secure behavior entails will certainly make more mistakes, or they may deliberately circumvent security controls. While attackers don’t need to go through humans to get into improperly secured systems, it can be the easiest way. Security education is something that should be provided early and often.

Legacy machines can cause big problems

Perhaps one of the more surprising aspects for healthcare organizations is how many machines in their offices run outdated (and very soon-to-be unsupported) Windows versions. Many hospitals have medical devices that still run Windows XP, which leaves a gaping hole from a healthcare security perspective. While this is occasionally unavoidable, it should be limited wherever possible and extra security measures should be taken with those machines until they can be updated.

Risk assessment should be ongoing

With tight security budgets, legacy systems and the need for users to have access that’s both fast and secure, it’s important for healthcare organizations to be extra vigilant about planning security controls. The best way to do this is to perform ongoing risk assessments to be updated as new assets come online, or as processes change, rather than updating them periodically. If you’ve never done a risk assessment and want to know how to begin, the National Institute of Standards and Technology published a guide for conducting risk assessments.

In future installments, I’ll expand on some of these strategies to help healthcare organizations improve their security posture.

September 3, 2015  10:58 AM

Unlock the chronic disease management potential in your appointment reminder system

Posted by: adelvecchio
appointment reminders, preventive care, texting

Guest post by Scott Zimmerman, president, TeleVox

Healthcare providers know the statistics: Seven out of every ten deaths in the U.S. are linked to chronic illness, and approximately 45% of Americans have at least one chronic condition. The numbers are real and patients are the proof. There are a lot of challenges that come along with managing care for patients with chronic illnesses. Luckily, most providers already possess a tool that can make chronic disease management a little easier: an appointment reminder system.

Most healthcare providers have access to appointment reminder systems, but few have figured out how to effectively use them to drive improved health outcomes for patients with chronic conditions. The six-point checklist below provides suggestions for immediate actions to take to expand your use of appointment reminder technology and improve patient care.

1. Notify patients when they are due for preventive services.
The first step a practice can adopt to do more for patients with chronic conditions and stretch the value of appointment reminder systems is to send patients notices about preventive services. Prevention plays a major role in managing chronic disease. Whether you are working to prevent patients with chronic diseases from lapsing into acute conditions or trying to keep at-risk patients (and even healthy patients) from developing chronic conditions in the first place, regular visits, tests and screenings are essential. Unfortunately, most patients are not good about seeking preventive care and need a certain amount of coercion. An appointment reminder system can be used to notify people when they are due for preventive services, engaging them in managing their chronic conditions.

A healthcare provider that is getting preventive notifications right is Ochsner Health System, one of Louisiana’s largest healthcare delivery systems. Ochsner recognized many patients were not scheduling preventive screenings and tests and took action to change that. Its initial focus was on educating patients about their eligibility for colorectal cancer screenings. Using an appointment reminder system, Ochsner delivered automated phone notifications to a group of 3,137 people with recent orders for a colonoscopy or upper endoscopy. The conversion rate was an impressive 18.4% — meaning Ochsner scheduled 578 colorectal test screenings for its patients simply by explaining eligibility and asking people to set up appointments.

An organization can easily leverage the technology it already has in place to involve more of its chronic disease patient population in preventive care. That will have a big effect on the health of patients struggling with chronic diseases. Simply identify patient groups that are eligible for services and reach out to them with preventive care information and invitations.

2. Remind patients to keep their appointments.
Missed appointments pose a significant challenge when it comes to monitoring and managing the health of patients with chronic conditions. So this step — reminding patients to keep their appointments — is a no-brainer and something many healthcare providers are already doing well. If a healthcare organization is not successfully using automated notifications like text messages, voicemails, and emails to remind patients of upcoming appointments, it should make changes and implement reliable technology immediately.

Setting up reminders is as easy as running a report of upcoming appointments. You can choose any timeframe for reaching out to patients, but keep in mind that patients with multiple chronic conditions may need to arrange for transportation to get to their appointments. It’s helpful to schedule reminders early enough to allow patients that may have forgotten about their appointment to find transportation.

3. Make appointment cancellations available to patients with high needs.
Because chronic diseases require constant monitoring and sometimes sudden attention, patients with chronic conditions require easy access to appointments. To minimize the length of time patients with chronic conditions must wait for appointments, offer them appointment slots that other patients have vacated.

According to a study by The Commonwealth Fund, 71% of U.S. adults reported problems gaining access to needed healthcare. This included an inability to get timely appointments. Appointment accessibility can be improved by including an easy cancellation option on all appointment reminders and maintaining a short-notice call list of patients willing to take last-minute appointments. As a provider receives cancellation notices, they should contact high priority patients that are waiting to be seen and offer them the resulting openings.

It might go against instinct to give people a way out of appointments when your intention is to get them to show up, but don’t worry. Cancellations are only a lost opportunity when they are discovered at the very last minute. If a patient has decided not to keep an appointment, their caregiver is going to find out about it one way or another. Either they will find out when the patient does not arrive at the scheduled time or they can be warned ahead of time. With the first option — the no-show — the appointment time is lost. But if patients are allowed to offer advanced warning, would-be holes in a schedule can turn into appointments for patients with high needs.

United Regional Health Care System in Wichita Falls, Texas uses automated notifications to fill scheduling holes caused by cancellations. After using appointment confirmation calls for eight months, a total of 273 patients opted to cancel an appointment. However, because of the advanced notice, United Regional was able to refill 177 of those openings — which is a 65% appointment retention rate. By implementing similar processes, other providers can be more accessible to patients.

4. Follow up with educational information and support resources.
Caring for patients with chronic diseases is an ongoing process — care cannot end when a patient leaves a physician’s office. To help support patients and guide them through self-care between visits, use an appointment reminder system to deliver focused outreach campaigns to subsets of a patient population. For example, diet and weight management materials can be delivered to patients with diabetes.

The U.S. Centers for Disease Control and Prevention reported that the National Assessment of Adult Literacy — which measures the health literacy of adults living in the U.S. — rated only 12% of the population as having a “proficient” health literacy level. That means a lot of adults in the U.S. have difficulty understanding and using health information that is given to them. More good can be done for patients by repeatedly sending them text messages or emails containing information related to their disease, follow-up instructions, medication reminders and alerts, and other additional resources.

Design patient outreach around the questions commonly asked about chronic conditions like: What is the cause of this chronic illness? What is the prescribed treatment and why is it necessary? What role does medication play? What assistance can a patient get between visits and how can they get help when needed? Who should a patient contact if they have additional questions?

5. Reach out between visits to offer support and motivation.
The final step is to use technology to deliver motivation and support for patients as they work to self-manage their conditions. Most patients with chronic conditions — and those at risk for developing them — need to adopt some lifestyle changes, such as exercising more or quitting smoking. These types of behavioral changes aren’t always easy. Healthcare providers can help by inspiring patients to change unhealthy or risky behaviors. This could mean sending resources that encourage patients to incorporate healthier foods into their diets, or congratulating patients when they hit weight loss goals.

TeleVox found that patients really want to feel supported and encouraged by their physicians. According to our research, nearly 40% of patients say they would follow doctors’ orders if they got some kind of reminder or nudge from those doctors between their visits. This is significant because we also found evidence that about 83% of people do not do what their doctors tell them. So, an email or text reminder to take care of themselves could make a big difference.

If you are currently using an appointment reminder system for basic communication, you have the necessary technology to make improvements to your chronic disease management processes. Now it is up to you to implement changes — like the ones explained above — that will allow you to automatically reach out to patients and collaborate with them on how to prevent and manage illnesses.

About the Author:
Scott Zimmerman is a regularly-published authority on utilizing technology to engage and activate patients. He also spearheads TeleVox’s Healthy World initiative, a program that leverages ethnographic research to uncover, understand and interpret both patient and provider points of view with the end goal of creating a healthy world — one person at a time. Healthy World promotes the idea that touching the hearts and minds of patients by engaging with them between healthcare appointments will encourage and inspire them to follow and embrace treatment plans — and that activating these positive behaviors leads to healthier lives. Zimmerman possesses 20 years of proven performance in the healthcare industry, with domain knowledge in the surgical, interventional and pharmaceutical arenas. He currently serves as the President of TeleVox, a part of West Corporation, where the healthcare mission is to help organizations harness communications to expand the boundaries of where, when, and how healthcare is delivered.

August 27, 2015  10:28 AM

Non-repudiation and data integrity in healthcare

Posted by: adelvecchio
data integrity, Encryption, ePHI, HIPAA, hipaa security rule

Guest post by Dr. Michael G. Mathews, president, COO, & co-founder, CynergisTek, Inc.

This second installment in a four-part series examines non-repudiation and data integrity in healthcare, some of the lesser-known fringe benefits of cryptographic algorithms that can help reduce fraud in e-prescribing medications and computerized physician order entries. The final two pieces in the series will focus on data in motion and at rest within healthcare.

In my previous article, I touched on the fundamentals of encryption using symmetric (shared secret) cryptography, asymmetric (public key) cryptography and combinations of the two to create a hybrid approach to keeping data confidential. Simply being able to decode a message doesn’t guarantee the message wasn’t altered en route, nor that it came from where it appeared to have originated.

Confidentiality of data was clearly the primary reason behind the initial implementations of encryption methodologies. Using crypto hash functions we can get a “signature” for any data set so that if it changes in any way — either in transit or while at rest — the changes will be known, making the data suspect. Drawing a parallel to the postal service, envelopes are designed to provide confidentiality over a postcard and the fact that the envelope is sealed is an indicator of data integrity. If an envelope arrives either unsealed or opened, it’s a visible sign that the contents could have been altered in some way or potentially disclosed.

For healthcare IT, the HIPAA Security Rule identifies integrity controls in the technical safeguards part of the rule with a focus on the unauthorized alteration or destruction of electronic protected health information (ePHI). Implementing a tool that uses crypto hashes to keep track of the generated “fingerprints” of ePHI allows the tool to track any changes to that ePHI up to, and including, deletion. The rule is particularly broad here as it only identifies ePHI in general and stops short of calling out whether the scope in question is related to an EHR or all-encompassing within the environment. It also doesn’t identify any distinction between ePHI at rest and ePHI in transit.
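A minimal sketch of such a fingerprint-tracking tool follows, as an added example that is not part of the original post. It swaps in HMAC-SHA-256, a keyed hash, for a bare hash so that someone who can rewrite a record cannot also recompute a matching fingerprint without the key. The record layout, identifiers and key are constructed for illustration.

```python
import hashlib
import hmac
import json
from typing import Dict, List


def fingerprint(record: dict, key: bytes) -> str:
    """Keyed SHA-256 fingerprint of one record.

    The record is serialised canonically (sorted keys, fixed separators) so
    that the same content always produces the same fingerprint, whatever
    order the fields were stored in.
    """
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def build_baseline(records: Dict[str, dict], key: bytes) -> Dict[str, str]:
    """Fingerprint every record; keep the result apart from the data itself."""
    return {rid: fingerprint(rec, key) for rid, rec in records.items()}


def detect_changes(baseline: Dict[str, str], records: Dict[str, dict],
                   key: bytes) -> Dict[str, List[str]]:
    """Compare the current records with the baseline fingerprints."""
    report: Dict[str, List[str]] = {"modified": [], "deleted": [], "added": []}
    for rid, expected in baseline.items():
        if rid not in records:
            report["deleted"].append(rid)
        elif not hmac.compare_digest(expected, fingerprint(records[rid], key)):
            report["modified"].append(rid)
    report["added"] = [rid for rid in records if rid not in baseline]
    for ids in report.values():
        ids.sort()
    return report


def demo() -> Dict[str, List[str]]:
    # Constructed sample data: no real patients, and a throwaway key.
    key = b"constructed-demo-key"
    original = {
        "MRN-0001": {"name": "Test Patient A", "rx": "drug-x", "dose_mg": 10},
        "MRN-0002": {"name": "Test Patient B", "rx": "drug-y", "dose_mg": 5},
        "MRN-0003": {"name": "Test Patient C", "rx": "drug-z", "dose_mg": 20},
    }
    baseline = build_baseline(original, key)

    current = {
        # Same content, different field order: must not raise an alert.
        "MRN-0001": {"dose_mg": 10, "rx": "drug-x", "name": "Test Patient A"},
        # Dose altered after the baseline was taken.
        "MRN-0002": {"name": "Test Patient B", "rx": "drug-y", "dose_mg": 50},
        # MRN-0003 has been deleted; MRN-0004 appeared without a baseline.
        "MRN-0004": {"name": "Test Patient D", "rx": "drug-x", "dose_mg": 10},
    }
    return detect_changes(baseline, current, key)


if __name__ == "__main__":
    print(demo())
```

A shared key shows that a record changed, not who changed it; anyone holding the key can produce valid fingerprints.
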

Non-repudiation (digital signature) adds authentication and identification to the integrity controls within cryptography. It identifies if an encrypted message is really from the purported sender by confirming the message is unchanged from its original form after it was received and read. Returning to the postal analogy, think back to wax seals with signet rings. The wax seal served triple duty in this case, offering assurances of confidentiality, integrity, and non-repudiation of the message, at a somewhat reduced standard of assurance unlikely to be endorsed today.

Mechanically, a digital signature is very similar to a simple crypto hash for basic integrity controls as mentioned above. However, digital signatures make use of public key encryption and the user’s private key to generate the crypto hash so when the recipient verifies the message, using the user’s public key, the message is both verified for integrity (confirming that it’s unchanged) and authenticity (that it’s from whom it claims to be from). Digital signatures have evolved to take a much more prominent place in IT and help protect data integrity in healthcare. Within healthcare IT, electronic prescriptions allow physicians to attach electronic signatures for proof of authenticity, smart cards are used to grant access to workstations and restricted areas within the hospital, and encrypted emails sail through the cloud into inboxes with digital signatures intact to ensure the recipient knows the message is authentic.

August 20, 2015  11:55 AM

Accountable care model depends on meaningful use of EHRs

Posted by: adelvecchio
Accountable Care Organizations, ACO, EHR incentives program, Meaningful use, Medicare reimbursement, Shared Savings Program

Guest post by Richard Royer, CEO of Primaris

The Centers for Medicare and Medicaid Services (CMS) is trying to make the accountable care model a more compelling option for healthcare providers. The Affordable Care Act established the Medicare Shared Savings Program to improve care coordination and to incentivize providers and other healthcare institutions to participate in an accountable care organization (ACO).

By opting into the one-sided ACO track, an ACO can earn up to 50% of its shared savings, achieved by meeting quality performance standards. To entice providers to enroll in its two-sided ACO model, CMS sweetened the pot by offering as much as 60% of shared savings, with the catch being that the ACO is also responsible for repaying a portion of any losses, based in part on its quality scores.

Participation in each of these programs is currently voluntary. But there is no denying the value-based and accountable care model they exemplify is the future, in both the public and private payer realms. Indeed, commercial insurers such as Cigna Corp. and Aetna Inc. have already launched their own versions of ACOs.

The adoption and meaningful use of certified EHRs underpins the whole concept of accountable care. These systems should serve as the source of data for dozens of clinical quality measures that ACOs must annually report to CMS. That data runs the gamut from recording preventive health measures, such as immunizations and mammography screenings, to tracking populations at risk for diabetes, hypertension and other chronic conditions.

But even if your institution isn’t participating in a public or private ACO, it’s important to consider ramping up your meaningful use of certified EHR technology. After all, any healthcare provider that wants to receive Medicare and Medicaid EHR incentives also needs to meet value-based care measurement thresholds.

Bring meaning to meaningful use

All that said, it appears there is still a ways to go to make the meaningful use of EHRs truly meaningful. Consider, for example, that according to a 2014 report by KLAS Research, based on a survey of 46 physician-led ACOs, EHR vendors earned an average 6.3 rating out of 9.0 for meeting ACO needs.

Fortunately, it is possible to improve EHR systems so healthcare providers in ACOs can more efficiently gather data to meet CMS reporting requirements and so any provider can be better positioned to receive payments from the Medicare and Medicaid EHR Incentive Programs, while avoiding possible penalties.

EHR systems can be optimized to help providers get ahead of healthcare quality issues, whether these practices are involved in ACOs or simply prepping for a future in which value-based and collaborative care models rule. That’s because EHR technology can be leveraged to give providers a better understanding of critical care points and associated risks, and give them an improved method of communicating required data to other partners in the medical chain.

Realize the value of the accountable care model

To get real value out of EHR systems, support meaningful use requirements, and position your organization for a future where accountable care is everywhere, it’s important to take the following steps:

  • Don’t just capture data. Capture it appropriately and accurately. EHR systems are only as smart as they are set up to be. And they won’t be very smart if you don’t correctly document what medical options you propose to patients, the education you share with them and the information you learn from them in an easily removable, communicable and reportable data format. That could translate into loading new templates or input forms into the EHR to ensure critical information is captured in a structured format, rather than simply in the notes field. That way, it can be easily and automatically reflected in a practice’s quality improvement efforts, such as screenings for flu vaccinations or smoking cessation.
  • Bring in the data reports and take action on them. One of the great things about EHRs is they potentially give healthcare organizations an improved capacity to plug gaps in treatment that can lead to accountable care gaffes, such as overlooking signals in patient data that wind up hurting the quality score related to hospital readmissions.
    That capacity is easier to leverage if your practice has regular access to comprehensive and comprehensible data reports, making it simpler to spot problems affecting a fraction of the patients within a large population. Otherwise, that is no easy task, especially now that practices’ data volumes are exploding as samples and test results from external sources — such as labs or information from patients’ mobile healthcare devices — can directly import into EHR systems. But when the information is culled together so you can quickly spot a week-to-week roller coaster ride in a diabetic patient’s blood sugar levels, you can move quickly to correct the problem before the patient lapses into an acute condition.
  • Customize only where necessary. There are some situations where customizing your EHR system is unavoidable. Those are the only times where you should indulge in the practice. In other words, deploy customizations only for reasons of functionality, not aesthetics. For instance, many EHR systems don’t automatically include an interface to transmit immunization data to a state immunization registry, but adding one to your system is worth the investment given that providers must show they have performed at least one test of their certified EHR technology’s capacity to electronically submit such data.
    When it comes to changing things like the location of a menu bar, though, skip it. That won’t be accounted for in the next general release of your vendor’s product, nor will the vendor have prepared it as an optional add-on that can be purchased for a reasonable fee. That means when upgrade time comes around, you’ll be undertaking the whole process again, and that can cost you thousands of dollars and increase the time it takes your practice to move onto the next version.
  • Consider where your expertise really lies. While the healthcare profession is changing and many physicians’ practices are being acquired by larger health systems, the industry still has more than its fair share of small practices. And most of them — perhaps your own — are without staff that is well-versed in technology or adept in the processes that optimize an EHR system for meaningful use. In those cases, it’s not a good idea to take the do-it-yourself approach to deploying EHR systems, and certainly not wise to follow that route to satisfy stage 1 or 2 criteria.
    While trying on your own may seem reasonable, there’s a lot at risk if you hit significant stumbling blocks, including your cash flow. You may experience a decrease in returns from the Medicare Shared Savings Program or in meaningful use incentive payments. Many EHR systems also are responsible for triggering bills to patients or insurance companies. So, if issues arise with the system as you attempt to increase its meaningful use functionality — and those issues affect your ability to use the technology for other purposes — core revenue may be put in jeopardy. Under those circumstances, the old saying about asking for help when you need it could not be truer.

Are you ready to reap the value that comes from the meaningful use of an EHR system in a world moving to the accountable care model? Things are changing fast in the healthcare industry and the more prepared you are to meet those changes, the better off you’ll be.

About the author:

Richard A. Royer has served as the chief executive officer of Primaris since 2001. He has extensive administrative healthcare experience and is actively involved in a number of statewide healthcare initiatives. In 2006 he was appointed by the Missouri governor to the Missouri Healthcare Information Technology Task Force and chaired the resources workgroup. He also serves on the board of directors as treasurer for the Excellence in Missouri Foundation.

In his more than 35 years of medical business experience he has held positions as CEO at Cuyahoga Falls, Ohio, General Hospital; executive director of Columbia Regional Hospital in Missouri; and founder and president of Avalon Enterprises, a medical financial consulting firm.

July 15, 2015  2:18 PM

A primer on healthcare encryption

Posted by: adelvecchio
data encryption, Encryption

Guest post by Dr. Michael G. Mathews, president, COO, & co-founder, CynergisTek, Inc.

Designed as a piece in a four-part series, this article will provide a brief primer on encryption before the remainder of the series addresses integrity and nonrepudiation, then encryption of data in motion and data at rest.

Historically, information security has addressed the confidentiality, integrity, and availability of data across a relatively broad base of domain expertise from compliance to business continuity, to identity and access management. One domain that is generally feared or lightly understood by many in the information security field — likely in part due to a general aversion to math — is encryption. That generalization definitely holds true in healthcare. In this first installment of a four-part series, I will provide a basic primer (no pun intended) on cryptography to explain symmetric, public-key (asymmetric), and hybrid approaches to encrypt data.

Symmetric cryptography comes in many different cipher varieties, but they are unified by the fact the keys work like a traditional deadbolt on a home door — the same key is used to both lock and unlock. Key management works similarly as well; if someone else needs access, they would need to share the same key. Sharing of keys, physical or digital, is always a challenge in this mode of operation since losing or disclosing the key compromises that which is being protected.

Public key (asymmetric) cryptography relies on two different keys (a public and private key pair) that are related to each other. One key is used to encrypt data and the other to decipher data. The private key (used to decipher) is intended to be kept strictly private, whereas the public key (used to encrypt) is designed to be distributed widely among anyone who might need to share encrypted data.

A significant goal of public-key cryptography was to address the biggest issue of symmetric key management by removing the requirement to safeguard the key and its communication to those that need it. Due to the algorithmic design of public-key cryptography, it is more computationally demanding (and as a result, slower) than symmetric cryptography.

Combining the best parts of both types of cryptography, so that each covers the other’s weakness, creates the hybrid approach. Symmetric excels at speed and public-key excels at key distribution. Using the public-key model, an encrypted connection can be established without ever needing to share a key. Once the session is established, a symmetric key can be securely exchanged between the parties across the already encrypted channel. Typically, the symmetric key exchanged in this manner is deemed a “session key” and is considered a one-time use (disposable) key for protocols such as Secure Sockets Layer (SSL)/Transport Layer Security (TLS). This method of key exchange can just as easily be applied to non-automated approaches (e.g., public-key encryption of email to share a symmetric key between two parties) to both key distribution and protection.
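The hybrid flow in code, as an added teaching example (not from the article): a one-time session key is wrapped with the recipient’s public key, and the bulk data is encrypted with that session key. To run on the standard library alone it substitutes textbook RSA without padding for RSA-OAEP and a SHA-256 counter keystream plus HMAC for a real cipher such as AES-GCM; the key, names and message are constructed.

```python
import hashlib
import hmac
import secrets

E = 65537


def make_key(p, q):
    """Textbook RSA key pair from two primes: (public, private)."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))


# Constructed demo key built from Mersenne primes (weak by design, demo only).
CLINIC_PUB, CLINIC_PRIV = make_key(2**521 - 1, 2**607 - 1)


def subkey(session_key, label):
    """Derive separate encryption and MAC keys from the session key."""
    return hashlib.sha256(session_key + label).digest()


def stream_xor(key, nonce, data):
    """Stand-in symmetric cipher: XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        pad = hashlib.sha256(key + nonce + counter).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)


def hybrid_encrypt(plaintext, recipient_public):
    """Sender: fresh session key, wrapped with the recipient's public key."""
    n, e = recipient_public
    session_key = secrets.token_bytes(32)        # one-time, disposable
    nonce = secrets.token_bytes(16)
    # Public-key step: slow, but applied only to the 32-byte session key.
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    # Symmetric step: fast, applied to the bulk data.
    body = stream_xor(subkey(session_key, b"enc"), nonce, plaintext)
    tag = hmac.new(subkey(session_key, b"mac"), nonce + body,
                   hashlib.sha256).digest()
    return {"wrapped_key": wrapped, "nonce": nonce, "body": body, "tag": tag}


def hybrid_decrypt(envelope, recipient_private):
    """Recipient: unwrap the session key, check the tag, then decrypt."""
    n, d = recipient_private
    unwrapped = pow(envelope["wrapped_key"], d, n)
    if unwrapped >= 2**256:
        raise ValueError("session key did not unwrap: wrong private key")
    session_key = unwrapped.to_bytes(32, "big")
    expected = hmac.new(subkey(session_key, b"mac"),
                        envelope["nonce"] + envelope["body"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("envelope was modified in transit")
    return stream_xor(subkey(session_key, b"enc"),
                      envelope["nonce"], envelope["body"])


def demo():
    """Round-trip a constructed message; True if it decrypts and was hidden."""
    message = b"lab result: HbA1c 6.9% (constructed sample, not real ePHI)"
    envelope = hybrid_encrypt(message, CLINIC_PUB)
    return (hybrid_decrypt(envelope, CLINIC_PRIV) == message
            and envelope["body"] != message)


if __name__ == "__main__":
    print("round trip ok:", demo())
```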

The cryptographic topics presented in this article are intended to fit a general need of keeping data confidential, but cryptography can be used for more than simply keeping prying eyes on the sidelines. In the next part of this series, I will cover cryptographic methods that help ensure the integrity and authenticate the originator (nonrepudiation) of data.

Part two: Data integrity and nonrepudiation in healthcare
Part three: Data in motion within healthcare
Part four: Data at rest within healthcare

June 3, 2015  1:07 PM

Five ways mobile devices move the patient engagement needle

Posted by: adelvecchio
HIMSS 2015, Mobile devices, Mobile devices and telehealth, Patient engagement, telehealth, wearable devices

Guest post by John Smithwick, CEO, RoundingWell

The rise of transformative technologies from EHRs to wearables is quickly making mobile devices a very real part of the healthcare journey. American adults spend an average of 43 hours per month using apps or surfing the Web on their phones, compared to just 22 minutes spent at an average doctor’s visit. Mobile devices make information instantly available to far more people, integrating them with our daily lives more than traditional desktop computers ever did.

Clinicians are also seeing how important mobile devices can be, not only for their patients, but as tools to help them deliver quality care in a more timely and cost-efficient manner. According to a survey released during the HIMSS 2015 conference, 54% of healthcare provider employees that use mobile devices to engage with patients have seen cost savings.

The rise of this collaborative approach to healthcare is one of the crucial steps in the journey toward a more time- and cost-efficient, value-based healthcare world. By utilizing mobile devices — which are already an ingrained part of people’s everyday lives — clinicians can tailor delivery of care, while also receiving data that can have an impact on patient outcomes.

Support ongoing, two-way conversations
The saturation of text messaging and social media has conditioned people to expect instantaneous communication. By deploying patient engagement technology, clinicians and patients can use mobile devices for secure, ongoing, two-way conversations that are more aligned with modern communication.

The ability to engage in an open-ended discussion can break down communication barriers, make patients more comfortable with physicians and transform patients into a resource for health information. In addition to increased patient satisfaction, establishing ongoing communication can also lead to earlier identification of potential adverse health events.

Share tailored, bite-sized content
We live in a hyper-connected world that is measured in 140 characters, and marked by messages that disappear after 24 hours. Health content is no exception: Care information must be delivered in small, digestible chunks relevant to patients and accessible anywhere, anytime.

Technology allows healthcare organizations to share educational content — such as how to deal with a chronic condition — with the touch of a button, and helps them customize a treatment plan specific to each phase of every patient’s healthcare journey. Are you treating a diabetes patient who has just been discharged from the hospital after a life-threatening rise in blood sugar? Serve them with content that includes one low glycemic recipe a day. By using content to engage patients on a regular basis, clinicians can help proactively prevent readmissions and earn the trust of patients.

Remote monitoring
The number of hours available to engage with patients is often severely limited by the time it takes to chart all the information from a visit. While patients may get less than 30 minutes of a clinician’s time, a physician can spend as much as a third of a work day charting. Patient engagement technology allows physicians to reclaim some of those hours by making it easier to monitor patients from afar.

In addition to patient-provided health reports, HIPAA compliant monitoring devices allow physicians to monitor heart rate, blood glucose and other biometrics. In doing so, clinicians can spot health events and address them before they lead to a costly hospital visit.

Grant access to real-time data
Patients and providers are both hungry for real-time data — and patient engagement technology can provide it via mobile devices.

For clinicians, the ability to answer patient questions, check in and conduct health visits via mobile devices provides a stream of data that can be collected and analyzed on a rolling basis. These modern technologies help save time by eliminating many of the hours spent manually charting, faxing records and hand-entering medical data. For patients, this technology can integrate with some EHRs and other health information systems to provide a more complete picture of their health.

New ways to execute telehealth visits
Mobile devices also provide clinicians an avenue through which they can execute virtual visits in a way that enables the patient to see the face of their doctor (making the visit feel more real) and connect with physicians that might be out of state, while helping clinicians save money and resources. In fact, most clinicians can bring more dollars in the door without affecting patient satisfaction by using Current Procedural Terminology codes when practicing telehealth.

To stay relevant and solvent in this new world, healthcare organizations must start looking for technologies that integrate with the mobile lifestyle of patients and also deliver quality, easy-to-access data for physicians.

About the author:
John Smithwick is the CEO of RoundingWell. He co-founded RoundingWell in 2011 following four years at Nashville’s Healthways, where he led the design effort for their web-based disease and lifestyle management product offerings. Prior to his work at Healthways, he worked in product management at Microsoft in Redmond, Wash. and in technology strategy consulting with Accenture in Boston, Mass. A graduate of the University of Richmond, he holds a master’s of business administration from the University of Pennsylvania’s Wharton School of Business.

May 20, 2015  10:16 AM

The rise of patient-generated health data

Posted by: adelvecchio
Health Data Consortium, Health Datapalooza, Patient data, patient-generated data

Guest post by Chris Boone, Chief Executive Officer, Health Data Consortium

As the age of big health data emerges, a new category of data that can be leveraged by physicians and caregivers to discover more about their patients has arisen: patient-generated health data. While self-tracking — and the quantified self movement — is not a new phenomenon, the creation of technologies that can collect, store and analyze this data has given the movement new traction and momentum. Because no one is more interested in a successful health outcome than the individual whose health it is, patient-generated health data can provide clinicians a rich new vein of data to inform their decision-making.

A webinar hosted earlier this year entitled “Patient Generated Health Data: An Overview” brought together patient-advocate Scott Strange of Strangely Diabetic, Danny Sands, M.D., assistant professor at Harvard Medical School, Mandi Bishop, health plan analytics innovation practice lead for Dell, and Greg Meyer, director and distinguished engineer at Cerner Corp. They discussed the potential of leveraging patient-generated health data and data trends to improve and deliver integrated patient care, and what challenges lie ahead in achieving the reality of a comprehensive, person-centered view of an individual’s health.

This highly successful discussion will be continued at the session “Patient-Generated Health Data in the Real World” at Health Datapalooza 2015 with the same panelists and health cost transparency advocate Casey Quinlan as moderator. Other sessions that will discuss similar topics include “Leveraging the Potential of Patient-Generated Data: Progress and Opportunities,” to be moderated by Alison Rein, senior director for evidence generation and translation for AcademyHealth. “But What if I Want to Share? Contributing Your Own Data to Foster Public Good,” will be moderated by Niall Brennan, chief data officer for the Centers for Medicare and Medicaid Services. Another related session will be “Engaging Patients in Generating and Using Big Data,” along with many more.

Perhaps just as interesting as those sessions will be the ideas and collaborations generated from discussions between attendees about how to create integrated care through patient-generated health data. This year’s Health Datapalooza will continue to provide a forum for high-level cross-sector conversations between patients, providers, innovators and entrepreneurs, government, academics, and healthcare technologists.

To be a part of the conversation that will direct the potential of health data towards targeted and personalized healthcare, join us at Health Datapalooza from May 31-June 3 in Washington, D.C.

About the author:

Chris Boone is Chief Executive Officer of Health Data Consortium. He is a recognized expert in health systems, health informatics, health IT policy, and the use of electronic clinical data to generate clinical and scientific evidence for public policy, quality improvement, and patient-centered outcomes research efforts.

Prior to Health Data Consortium, Chris was a Vice President in Avalere Health’s Evidence Translation and Implementation practice, where he focused on developing evidence generation strategies for professional medical societies, consumer advocacy groups, and life sciences companies.

Chris holds a bachelor’s degree in Management Information Systems, a master’s degree in Healthcare Administration, and a doctorate in Public Affairs and Health Policy. Chris is also a fellow of the American College of Healthcare Executives (FACHE).
