October 27, 2015 11:42 AM
Posted by: adelvecchio
Tags: cloud security, healthcare data
Guest post by Doug Pollack, CIPP/US, chief strategy officer, ID Experts
Chances are that your healthcare organization has already chosen to use cloud computing as part of its IT infrastructure, and with good reason: Cloud computing is a cost-effective way to grow IT capacity, and software services available through the cloud can make a workforce more productive. And your IT team has worked with your service providers to protect data in the cloud. All good, right? But here’s the rub: A new study from cloud security vendor Skyhigh Networks shows the average healthcare organization is using more than 10 times more cloud services than the IT organization knows about. Think about that: more than nine out of 10 services used in the course of business are unmonitored and unsecured. That amounts to one huge security hole, and cybercriminals are jumping in to exploit this new threat to healthcare information.
Foggy about the cloud
In a recent report from the Ponemon Institute, the Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data, survey respondents identified cloud usage as a primary security concern for the healthcare industry. A third of respondents rated public cloud service use as a top security threat to their organizations. Employee negligence was listed as the top threat, at 70%, and cyberattacks came in second at 40%.
In fact, the cloud security threat is likely bigger than most organizations realize. According to MedCity News, the Skyhigh study found that the average healthcare organization uses 928 different cloud services: 60 that are known to IT and 868 (about 93%) that are “shadow services” not known or tracked by the IT, infosec, privacy, or compliance functions. While the volume of untracked cloud computing is troubling, it is not surprising. Statistics from the study reveal how much of today’s everyday communication and collaboration happens online:
- On average, an employee uses 28 distinct cloud services, including seven collaboration services, four content-sharing services, three social media services and four file-sharing services.
- The average organization shares documents with 826 external domains, including business partners and email providers such as Gmail.
- Almost 28% of users have uploaded sensitive data to a file-sharing service.
- The average organization is connected to 1,586 business partners via the cloud. A significant number of these may also be partners of partners, and hence unknown and unaccounted for. It’s best to assume that every employee of every partner is also using multiple cloud services.
The bottom line is that you can’t protect data you can’t see, and you can’t see a lot of what’s in the cloud.
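Shadow services are only invisible until someone looks at the egress path. The script below is an added example (not from the post or from Skyhigh Networks) showing the kind of discovery the study describes: it reads a constructed, Squid-style proxy log, separates destinations that are not on IT's sanctioned list from those that are, and flags large uploads to file-sharing domains. The domains, users, byte counts and the sanctioned/file-sharing lists are all invented for the example.

```python
"""Shadow-cloud discovery over web proxy logs (added example).

Assumes a Squid-style access log and a sanctioned-service list maintained
by IT. Every domain, user and byte count below is constructed.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Services IT knows about and has agreements with (assumed list).
SANCTIONED = {"mail.hospital.example", "ehr-vendor.example", "o365.hospital.example"}

# Domains IT classifies as file-/content-sharing services (assumed labels).
FILE_SHARING = {"drive.google.com", "dropbox.com", "box.com", "wetransfer.com"}

# Constructed log format: timestamp client user method url status bytes
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
1445950000.123 10.1.4.22 jdoe GET https://mail.hospital.example/inbox 200 5120
1445950003.456 10.1.4.22 jdoe POST https://drive.google.com/upload 200 8388608
1445950010.789 10.1.7.91 msmith GET https://ehr-vendor.example/chart/123 200 22000
1445950012.001 10.1.7.91 msmith POST https://wetransfer.com/api/upload 201 15728640
1445950020.555 10.1.9.14 rlee GET https://notes.example.net/sync 200 3100
1445950025.777 10.1.4.22 jdoe GET https://tracker.adnet.example/pixel 200 43
"""


@dataclass
class Finding:
    user: str
    domain: str
    reason: str
    bytes_out: int = 0


def host_of(url: str) -> str:
    """Return the host part of a URL (no scheme, port or path), lower-cased."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else url.lower()


def matches(domain: str, candidates: set) -> bool:
    """True if domain equals, or is a subdomain of, any candidate."""
    return any(domain == c or domain.endswith("." + c) for c in candidates)


def analyse(log_text: str, upload_threshold: int = 1_000_000):
    """Return (shadow_services, findings).

    shadow_services: {domain: set(users)} for every destination that is not
    on the sanctioned list, i.e. a service IT does not know it is relying on.
    findings: uploads of at least upload_threshold bytes to file-sharing domains.
    """
    shadow = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the run
        domain = host_of(m["url"])
        if matches(domain, SANCTIONED):
            continue
        shadow[domain].add(m["user"])
        nbytes = int(m["bytes"])
        if (m["method"] in ("POST", "PUT") and matches(domain, FILE_SHARING)
                and nbytes >= upload_threshold):
            findings.append(Finding(m["user"], domain,
                                    "large upload to file-sharing service", nbytes))
    return dict(shadow), findings


if __name__ == "__main__":
    shadow, findings = analyse(SAMPLE_LOG)
    print(f"{len(shadow)} unsanctioned services seen:")
    for d, users in sorted(shadow.items()):
        print(f"  {d}: {sorted(users)}")
    for f in findings:
        print(f"ALERT {f.user} -> {f.domain}: {f.reason} ({f.bytes_out} bytes)")
```

The domain-to-category lists are the part that needs real maintenance; the ad tracker in the sample shows up as a shadow service simply because nobody has classified it yet.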
Crime lurks in the cloud
It’s interesting that the Ponemon study respondents listed cloud computing behind employee negligence and cyberattacks on their list of security worries. The truth is that the three work hand-in-hand to put organizations at risk.
Virtually every security study this year has shown that cyberattacks are now the top cause of data breaches, and most are multi-stage attacks that begin with social engineering, proceed to gain network access with stolen passwords or malware, then exfiltrate sensitive information. As Dan Munro recently pointed out in Forbes, “The latest techniques for cyber theft at scale are less about breaching networks from the outside — and all about social engineering to capture privileged access from the inside. Consumer cloud services like LinkedIn, Snapchat, Zappos, Evernote… have all had significant data breaches.”
Cloud services expose employees to all kinds of social engineering. The Skyhigh report found each cloud user is tracked by an average of four analytics and advertising services, and cybercriminals are increasingly using these services to deliver “malvertising” that can lead users to spoofed sites and capture their passwords. Tracking also enables “watering hole” attacks where criminals impersonate users at a favorite site and trick other users into revealing information.
Employees may also download apps containing malware to their workstations or personal devices, giving criminals a foothold from which to attack. Even social media passwords can give criminals enough access to steal information. Skyhigh found an attack that used Twitter to exfiltrate data 140 characters at a time. While employees may not be outright negligent in these situations, most are certainly unaware their social media usage may be putting their employer’s data at risk.
Once criminals gain access to information in the cloud, stealing data is relatively easy. The Skyhigh report revealed that only 15% of cloud services supported multi-factor authentication and only around 9% encrypted data stored at rest. More than 57% of the sensitive data in the cloud is in Microsoft Office files. When breaches involving cloud data happen, not only do organizations face the normal risks, they also face potential regulatory penalties of having unsecured data. A CipherCloud data security report found that 64% of cloud security challenges stem from the areas of audit, compliance, and privacy regulations.
Safety tips for the cloud
Ironically, one of the motivations for adopting cloud computing has been to improve security. Lost devices have historically been a major cause of data breaches, and real-time access to data in the cloud eliminates the need to store large data sets on individual devices. Unfortunately, the threat balance has shifted toward cyberattacks. Cloud services provide an easy entrée for cybercriminals, and the genie is out of the bottle: Cloud services are not going away anytime soon. But there are steps an organization can take to help protect against cloud-based attacks. In Health Data Management, cloud security vendor Porticor Ltd. offered some tips for improving cloud security on the IT and compliance side:
- Consider extending identity and access management solutions to the cloud.
- Obtain business associate agreements from all vendors, including cloud vendors and service providers, and make sure the agreement clearly defines the associate’s compliance responsibilities.
- Have the IT department occasionally perform penetration tests and request audits and certifications from cloud vendors. The Cloud Security Alliance offers multiple levels of security certifications for cloud-based vendors, and some of their certification levels include independent audits.
All of these steps will help improve security, but most of what happens in the cloud is in shadow services that employees and partners use and can’t be controlled or monitored. These risks can be lowered by granting users access to the minimum amount of information necessary to perform a given task. Staff and business partners should also be taught good security practices. But the siren call of the Web is strong, and since what people do in the cloud can’t be controlled, cloud-based risks have to be planned for in the same way as any other security incident or breach.
Regardless of where the data lives, if thorough data inventories and risk analyses have been done, an organization will know what protected health and personal information it holds and the risks of it being compromised. If a solid incident response plan is in place, an organization should be prepared for a cloud-based attack.
In the end, both risk and protection depend on people.
October 15, 2015 1:55 PM
Posted by: adelvecchio
Tags: data breach security, data security, health data security
Guest post by Rick Kam, CIPP/US, president and co-founder, ID Experts
Passengers on the London Underground are told to “mind the gap,” a warning to watch for the space between the train door and station platform. Healthcare organizations need to mind their own privacy and security gaps when it comes to protecting sensitive medical information.
According to the latest Gemalto NV Breach Level Index, the healthcare sector had the most data breaches in the first half of 2015, accounting for 21% of total incidents across all industries. Healthcare also had the largest number of records breached, at 84.4 million records, or 34%. The nature of these gaps has changed over the years — for instance, criminal attacks are now the leading cause of data breaches in healthcare, according to Ponemon Institute’s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. Data breaches, particularly those caused by a criminal element, have caused medical identity theft to nearly double in five years.
The link between data breaches and medical identity theft
According to the Wall Street Journal, medical identity theft is on the rise because of the surge in electronic health records and healthcare data breaches. But it’s more than the digitization of health records. Medical data is everywhere, due to a plethora of devices, from tablet computers to medical implants and even Fitbits and Apple watches that are recording health data and transmitting it over the Internet.
As noted in Forbes, healthcare data breaches are also on the rise because financial services and retail sectors have developed better strategies for protecting their data. This includes the use of EMV cards that use a chip instead of a magnetic stripe. As a result, many hackers are turning to the more vulnerable healthcare industry.
In addition, medical information is simply more profitable on the black market. The Dark Web offers cybercriminals multiple global marketplaces in which to sell stolen personal information, including healthcare records. According to the FBI, healthcare records can fetch as much as $60 to $70, as opposed to about $5 for credit cards.
This is all converging to create a perfect storm for getting this data. It’s more available, it’s worth more, and healthcare organizations aren’t as good at protecting the data because they haven’t had to be.
As Shantanu Agrawal, M.D., director of the Center for Program Integrity at the Centers for Medicare and Medicaid Services, told the Wall Street Journal, “Data breaches are increasing and becoming more common.”
Smart, strategic data protection
To protect patients against the harms of medical identity theft, the healthcare sector must step up its data protection measures. While there is no such thing as zero risk in today’s connected, digitized world, health plans, hospitals and other entities that hold medical information can mount a strategic defense against cybercriminals.
For instance, in an interview earlier this year, Dwayne Melancon, chief technology officer of Tripwire, recommended following the example of financial institutions that classify and segregate their data. “You…have to have good segregation of data,” he said, “where you make sure that only a select group of people can access sensitive data, that there are lots of controls around it.”
Melancon also cautioned healthcare organizations to spend their security dollars wisely. “A dollar spent on security doesn’t mean it’s worth spending,” he said. He added that security spending should be part of a risk framework, and not done to “just add window dressing.”
In other words, healthcare organizations must mind the gap.
October 8, 2015 12:42 PM
Posted by: adelvecchio
Tags: data encryption, data in motion, data privacy and security, healthcare data
Guest post by Dr. Michael G. Mathews, president, COO, & co-founder, CynergisTek, Inc.
In previous articles, I covered the fundamentals of encryption using symmetric (shared secret), asymmetric (public-key), and mixing the two to create a hybrid approach to keeping data confidential. I also covered the concepts of data integrity (knowing a message has not been changed) and non-repudiation (verifying the sender is authentic). This installment focuses on the security of healthcare data in motion. The final segment in this series will focus on the security of healthcare data at rest.
At the risk of sounding like a broken record (as it seems all things security start with this), it is critical to understand the application data flow for the data being protected. Knowing the type of data being moved and where it originates and is destined, as well as if there are intermediate stops/routings along the way, helps inform what type of protection makes the best sense for the data. For example, an application that is moving data from point A to point B within the internal network might simply be an exercise in proper network architecture design to segment the traffic as best as possible from those who don’t need access to it. Since network segmentation as a mitigating control falls outside the realm of encryption, I’ll reserve that topic for a future article.
Any data leaving the internal network and going beyond the perimeter firewall certainly deserves a critical eye from a data confidentiality perspective, including non-traditional health IT applications such as Voice over Internet Protocol (VoIP). In the case of VoIP, depending on how calls are routed, the data portion of the call might live on the internal network or it might leave the internal network to a hosted private branch exchange. In the latter case, any conversations that include protected health information would be exposed to the Internet (potentially creating an unauthorized disclosure) without mitigating controls in place. In general, where it’s possible to enable data confidentiality, there’s rarely a reason not to do so.
One of the prominent options available for protecting the confidentiality of healthcare data is transport layer security, or TLS, which together with its predecessor, secure sockets layer (SSL), is often collectively referred to as SSL. TLS takes a hybrid cryptography approach in that it uses asymmetric (public-key) cryptography to establish a secure initial communication channel in which it then negotiates a session key (symmetric) for further communications.
The benefit of using SSL/TLS is that, for discussion’s sake, it works at the application layer. This means that by the time the traffic hits the network, it’s encrypted. One detriment is that unless the application in question is written to support SSL/TLS, it’s not something that can be added after the fact, though there are workarounds that use SSL tunneling to make non-SSL/TLS-aware applications work with SSL/TLS. In recent years SSL/TLS has started to become more ubiquitous in applications, making this route of protecting data much more accessible, though it hasn’t been without its setbacks, with Heartbleed being the most widespread and serious.
The other widespread route is IP security or IPsec. In contrast to SSL/TLS, IPsec works at the network layer and, as such, it can be used to secure the confidentiality of any application, including those that don’t have security or privacy as integral features. Readers will most likely associate IPsec with site-to-site virtual private network (VPN) connections and even some implementations of end user VPN connectivity. IPsec depends on what are called security associations to establish the rules of the connection and the rules must match on each side of the connection to be successfully negotiated. Like SSL/TLS, IPsec also uses a hybrid approach to cryptography with initial key exchange either using a shared secret or a protocol-based key exchange to generate session keys for the communication to be protected.
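The security-association rule above is easy to state and easy to get wrong in practice: a tunnel that "comes up" has matched on something, but not necessarily on the parameters you intended. The following added example (not part of the post, and a simplified model rather than a real IKE implementation) shows why. It negotiates an SA the way a typical responder does, walking the initiator's proposals in preference order and taking the first one its own policy also lists, then audits what was actually chosen. All three policy sets are constructed.

```python
"""Simplified model of IPsec security-association (SA) negotiation (added example).

Not an IKE implementation: it only models the "rules must match on each side"
behaviour described above. Proposal sets are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "aes256-gcm", "aes128-cbc", "3des-cbc"
    integrity: str    # e.g. "sha256", "sha1"; "aead" when built into the cipher
    dh_group: int     # Diffie-Hellman group used for the key exchange


# Algorithms a defender would not want to see in a negotiated SA (assumed policy).
WEAK_ENC = {"3des-cbc", "des-cbc", "null"}
WEAK_INTEG = {"md5", "sha1"}


def negotiate(initiator, responder):
    """Pick the first initiator proposal the responder also accepts.

    Models common responder behaviour: take the initiator's proposals in the
    initiator's preference order and return the first one matching the
    responder's own policy. Returns None when nothing matches, which is the
    case where the tunnel simply never establishes.
    """
    accepted = set(responder)
    for p in initiator:
        if p in accepted:
            return p
    return None


def audit(p: Proposal):
    """Return policy warnings for a negotiated SA (empty list means acceptable)."""
    warnings = []
    if p.encryption in WEAK_ENC:
        warnings.append(f"weak encryption {p.encryption}")
    if p.integrity in WEAK_INTEG:
        warnings.append(f"weak integrity {p.integrity}")
    if p.dh_group < 14:
        warnings.append(f"DH group {p.dh_group} is below 2048-bit strength")
    return warnings


# Constructed policies. The hospital offers modern suites first but keeps a
# legacy suite at the end "for compatibility".
HOSPITAL = [
    Proposal("aes256-gcm", "aead", 19),
    Proposal("aes256-cbc", "sha256", 14),
    Proposal("3des-cbc", "sha1", 2),
]
# A hosted PBX (VoIP) provider that only speaks an older profile.
PBX_VENDOR = [Proposal("aes128-cbc", "sha1", 5), Proposal("3des-cbc", "sha1", 2)]
# A partner clinic configured from the same modern template.
PARTNER = [Proposal("aes256-cbc", "sha256", 14), Proposal("aes256-gcm", "aead", 19)]


if __name__ == "__main__":
    for name, peer in (("pbx-vendor", PBX_VENDOR), ("partner", PARTNER)):
        sa = negotiate(HOSPITAL, peer)
        if sa is None:
            print(f"{name}: no matching proposal, tunnel will not come up")
        else:
            print(f"{name}: negotiated {sa}; warnings: {audit(sa) or 'none'}")
    # Dropping the legacy suite turns a silently weak tunnel into a visible failure.
    print("pbx-vendor without legacy suite:", negotiate(HOSPITAL[:2], PBX_VENDOR))
```

The point to take from the output is that the PBX tunnel establishes, but on the weakest suite the hospital offered; removing that suite makes the mismatch visible instead of hiding it behind a working connection.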
September 23, 2015 1:07 PM
Posted by: adelvecchio
Tags: master data management, master patient index
Guest post by Michael Morton, CTO at Dell Boomi
Several healthcare issues are competing for attention, including the furor over how it is paid for; the increasing concern over patient privacy; fears related to the spread of specific diseases such as Ebola, MERS, and H7N9 bird flu; and the rise of antibiotic-resistant superbugs. With all this to consider, it’s easy to overlook a growing challenge that may be putting patients at risk every time they register at a new healthcare facility.
When a physician sends a patient to a specialist for treatment, the patient generally takes it for granted that they’ll receive the right tests and treatments for their ailment. After all, anything else could be catastrophic. But what if that patient has the same first name, last name and birthdate as several other members in their healthcare organization? Not likely, you say? In 2011, the Harris County Texas Hospital District database listed the medical records of nearly 2,500 people named Maria Garcia; 231 of them had the same birth date. In total, 69,807 people in that district shared a first and last name and date of birth. This can cause not only confusion; it’s an opportunity for improper care and treatment.
Many healthcare organizations rely on a combination of a healthcare-specific master patient index (MPI) and master data management (MDM) systems to cleanse their records and eliminate duplicates and errors. An MPI is a unique identifier, such as a medical record number, assigned to each patient. MDM technology, typically implemented as a software program and a set of processes (data stewardship), is commonly employed at healthcare organizations to maintain a single “golden” record across their various software systems, such as customer relationship management, enterprise resource management and human resources. Until recently, MDM was a limited, on-premises solution that lived behind the corporate (or healthcare organization) firewall. Such systems struggle in hybrid IT environments, and including cloud-based data requires a complex, expensive and time-consuming development effort.
But as patient care increasingly takes place across multiple healthcare organizations without a single, standardized MPI system — and as the amount of data that each organization accumulates continues to skyrocket — reliance on disparate MPIs and on-premises MDM to manage the records simply isn’t sustainable. As it stands, according to a report published by the Bipartisan Policy Center, the patient matching error rate stands at 8% and can range up to 20%. And according to the Health IT Buzz Blog, published by the Office of the National Coordinator for Health Information Technology, an office of the U.S. Department of Health and Human Services, “One of the largest unresolved issues in the safe and secure electronic exchange of health information is the need for a nationwide patient data matching strategy ensuring the accurate, timely, and efficient matching of patients with their healthcare data across different systems and settings of care.”
Enter cloud-based MDM, which enables master data management to take place beyond the firewall, connecting any combination of on-premises and cloud-based data sources, including third party suppliers such as Hoover’s Inc. and Dun & Bradstreet, Inc., to establish and maintain golden records across multiple systems in near-real time. With cloud-based MDM and proper data stewardship — even in the absence of a national MPI — healthcare organizations have the potential to pull data from a vast number of sources, including other healthcare organizations and commercial vendors, to help ensure they properly identify each patient.
No one should have to suffer from a misdiagnosis or the wrong treatment simply because a healthcare organization hasn’t accurately identified the patient. Yet this problem will persist until we can break down the silos surrounding MPI, ensure a single, golden record for each patient, and share this information across the nation in real or near-real time. Cloud-based MDM is the most practical, most cost-effective and least disruptive way to accomplish this in the short term.
About the Author:
Michael Morton is the chief technology officer of Dell Boomi, where he is responsible for product innovation.
September 17, 2015 1:11 PM
Posted by: adelvecchio
Tags: EHR data, patient data, unstructured data
Guest post by John Smithwick, CEO of RoundingWell
Once upon a time, a visit to the doctor started with, “Tell me where it hurts” and ended with, “Take two of these and call me in the morning.” Getting patients diagnosed correctly and treated appropriately depends on providers gathering both quantitative data, which is typically structured, and qualitative data, which is typically unstructured. When comparing both types of data, it’s more challenging to manage and derive value from unstructured patient data.
Quantifiable, measurable data such as lab results, blood sugar levels and cholesterol are considered structured data. This type of data is objective and can be entered discretely into EHRs via predefined fields. Since the data is structured, software systems are able to understand the meaning of the data, interpret and report on it. Structured data can be put to use by clinicians at the point of care to aid their decision making.
Qualitative data — such as symptoms like pain, discomfort and fatigue — is considered unstructured data. This type of data is subjective to the patient and is often gleaned through conversations based on what the clinician asks and what the patient discloses.
If a patient encounter was like an academic exam, gathering structured data such as vitals would be the fill-in-the-blank portion of the test. Gathering unstructured patient data would be the essay portion. While it might seem like a simple exchange of niceties, these communications provide a lot of information to a clinician, such as whether a patient is experiencing depression, or that she’s experiencing shortness of breath upon standing.
Correct diagnoses and appropriate treatments are dependent on managing both structured and unstructured patient data. Managing structured and unstructured data also greatly influences the outcomes a healthcare organization is able to deliver. As the amount of reimbursements tied to outcomes increases, delivering outcomes becomes more important.
Managing structured data is usually handled well. It’s in the management of unstructured data where problems arise. There are two primary problems with unstructured data.
- The first problem is process related. Unstructured data is not gathered consistently or systematically. A clinician only knows about symptoms if he asks the patient, which doesn’t always happen, or if the patient discloses the information, which, again, doesn’t always happen. When symptoms are overlooked or patients withhold information, clinicians can’t make the right diagnosis or give the best treatment.
- The second problem is technical. Unstructured data is most often recorded in EHRs in free text fields or note fields. Data stored in this way is very difficult for software systems to interpret, understand and analyze.
The ballooning amount of data available is another issue. In 2012, worldwide digital healthcare data was estimated to be 500 petabytes. That’s an astounding number, and it’s only growing: the data is expected to reach 25,000 petabytes in 2020. It can be a daunting challenge for healthcare organizations to gain value from this mountain of data. And guess what? Industry consensus is that approximately 80% of all healthcare data is unstructured data.
So, what if technology could not only ensure patients were diagnosed correctly, but also automate the process? Cloud-based care management and patient engagement software are providing new ways for healthcare organizations to unlock the value of unstructured patient data. How? In essence, by creating “structured symptoms” — gathering patient-reported symptoms and discretely capturing them in a way the data can be analyzed.
These platforms systematically assess patients for symptoms and signs that patients might not get asked about by a provider and that they might not self-disclose because they don’t think it’s important or they forget to mention it. Care management software then stores patient symptom info in a structured way, allowing this previously unstructured data to be analyzed and made actionable.
For example, consider the use of alerts which signal clinicians that a patient needs attention. Instead of discovering issues at a late stage, after a disease has had time to progress, clinicians are alerted early to leading indicators of a decline in a patient’s health status. In this way, delivery of care becomes less like fighting fires and more like preventing fires.
What’s the bottom line? Whether it’s gathered via care management software, EHR or patient-specific physician insights, all data should be structured and be ready for interpretation and analysis. This is especially critical in value-based models. For any risk-bearing entity, getting this complete picture is absolutely critical to give patients the right treatment at the right time, to improve outcomes and prevent adverse health events.
About John Smithwick:
John Smithwick is the CEO of RoundingWell. He co-founded RoundingWell in 2011 following four years at Nashville’s Healthways, where he led the design effort for its Web-based disease and lifestyle management product offerings. Prior to his work at Healthways, he worked in product management at Microsoft in Redmond, Wash. and in technology strategy consulting with Accenture in Boston, Mass. A graduate of the University of Richmond, he holds a master’s of business administration from the University of Pennsylvania’s Wharton School of Business.
September 10, 2015 11:49 AM
Posted by: adelvecchio
Tags: data breach, data breach security, risk assessment
Guest post by Lysa Myers, security researcher, ESET
As the number of cyberattacks against healthcare organizations grows, I’m often asked whether there is any one policy or behavior that is to blame for this situation. My answer is emphatically no; security is an area of concern that many people are just starting to become aware of, much less understand and implement good security controls for. As a result, many organizations and their staff don’t have a realistic sense of what good security is and what they need to protect.
Here are five tips for organizations to more easily and effectively implement healthcare security strategies.
Security must be viewed like a puzzle
If attackers get any one piece of the puzzle, they should not be able to figure out the whole picture. For example, if user credentials are stolen through phishing or a lost or stolen device, there should be another factor of authentication in place so the attackers are stopped from logging in. If an attacker does manage to log in, there should be network segregation and limited privilege such that he cannot pivot into more sensitive areas of the company, or into sensitive databases.
There is no such thing as a “warning sign” of a breach
If there is a sign that you’ve been breached, it’s already too late — the attacker has already gotten into your system. Some people cite the presence of vulnerabilities as a sign of danger, but in truth, all systems have vulnerabilities. That would be similar to saying, “a common attribute for breaches is that the affected companies all have staff who consume oxygen.” It’s not the vulnerabilities that cause attacks, it’s the absence of good security.
To err is human
The most educated humans still make mistakes. Even security gurus can accidentally double click when they’re not supposed to. That said, those who are not educated about what secure behavior entails will certainly make more mistakes, or they may deliberately circumvent security controls. While attackers don’t need to go through humans to get into improperly secured systems, it can be the easiest way. Security education is something that should be provided early and often.
Legacy machines can cause big problems
Perhaps one of the more surprising aspects for healthcare organizations is how many machines in their offices run outdated (and very soon-to-be unsupported) Windows versions. Many hospitals have medical devices that still run Windows XP, which leaves a gaping hole from a healthcare security perspective. While this is occasionally unavoidable, it should be limited wherever possible and extra security measures should be taken with those machines until they can be updated.
Risk assessment should be ongoing
With tight security budgets, legacy systems and the need for users to have access that’s both fast and secure, it’s important for healthcare organizations to be extra vigilant about planning security controls. The best way to do this is to perform ongoing risk assessments to be updated as new assets come online, or as processes change, rather than updating them periodically. If you’ve never done a risk assessment and want to know how to begin, the National Institute of Standards and Technology published a guide for conducting risk assessments.
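An ongoing assessment only works if it is driven by the inventory rather than by the calendar. The script below is an added example (not from the post or from ESET) that ties the legacy-OS, segmentation and second-factor points above together: it evaluates a constructed asset inventory against a few rules, then shows how a change (a new workstation coming online, a device moved to its own segment) produces a delta of findings instead of a full re-review. The asset records and rules are invented; the end-of-support dates are Microsoft's published ones.

```python
"""Inventory-driven risk assessment, re-run on every asset change (added example).

Assets, segments and rules are constructed for illustration.
"""
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    os: str
    segment: str       # network segment the asset sits in
    holds_phi: bool    # stores or processes protected health information
    mfa: bool          # logins require a second factor


# Published end-of-support dates for the OS versions this example cares about.
END_OF_SUPPORT = {
    "windows xp": date(2014, 4, 8),
    "windows server 2003": date(2015, 7, 14),
}


def assess(assets, today: date):
    """Return {asset name: [findings]} for the current inventory.

    Rules (assumed for the example):
    - an OS past its end-of-support date is a finding;
    - a PHI system reachable with a password alone is a finding;
    - a non-PHI host sharing a segment with PHI systems is a finding, since a
      foothold on it is a pivot into sensitive data.
    """
    phi_segments = {a.segment for a in assets if a.holds_phi}
    findings = {}
    for a in assets:
        issues = []
        eos = END_OF_SUPPORT.get(a.os.lower())
        if eos and eos <= today:
            issues.append(f"unsupported OS {a.os} (support ended {eos})")
        if a.holds_phi and not a.mfa:
            issues.append("PHI system reachable with password only")
        if not a.holds_phi and a.segment in phi_segments:
            issues.append(f"non-PHI host shares segment '{a.segment}' with PHI systems")
        if issues:
            findings[a.name] = issues
    return findings


def delta(before, after):
    """Findings that are new or changed, and assets whose findings are resolved."""
    new = {k: v for k, v in after.items() if before.get(k) != v}
    resolved = [k for k in before if k not in after]
    return new, resolved


# Constructed baseline inventory.
PUMP = Asset("infusion-pump-7", "Windows XP", "clinical", holds_phi=False, mfa=False)
BASELINE = [
    Asset("ehr-db", "Windows Server 2012", "clinical", holds_phi=True, mfa=True),
    PUMP,
    Asset("front-desk-pc", "Windows 7", "office", holds_phi=False, mfa=False),
]
TODAY = date(2015, 9, 10)

# The change that should trigger a re-assessment: the pump is moved to a
# biomedical-device segment and a new imaging workstation comes online.
CHANGED = [a for a in BASELINE if a is not PUMP] + [
    replace(PUMP, segment="biomed"),
    Asset("imaging-ws", "Windows 7", "clinical", holds_phi=True, mfa=False),
]


if __name__ == "__main__":
    before = assess(BASELINE, TODAY)
    after = assess(CHANGED, TODAY)
    new, resolved = delta(before, after)
    print("baseline findings:", before)
    print("new/changed after inventory update:", new)
    print("resolved:", resolved)
```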
In future installments, I’ll expand on some of these strategies to help healthcare organizations improve their security posture.
September 3, 2015 10:58 AM
Posted by: adelvecchio
Tags: preventive care
Guest post by Scott Zimmerman, president, TeleVox
Healthcare providers know the statistics: Seven out of every ten deaths in the U.S. are linked to chronic illness, and approximately 45% of Americans have at least one chronic condition. The numbers are real and patients are the proof. There are a lot of challenges that come along with managing care for patients with chronic illnesses. Luckily, most providers already possess a tool that can make chronic disease management a little easier: an appointment reminder system.
Most healthcare providers have access to appointment reminder systems, but few have figured out how to effectively use them to drive improved health outcomes for patients with chronic conditions. The six-point checklist below provides suggestions for immediate actions to take to expand your use of appointment reminder technology and improve patient care.
1. Notify patients when they are due for preventive services.
The first step a practice can adopt to do more for patients with chronic conditions and stretch the value of appointment reminder systems is to send patients notices about preventive services. Prevention plays a major role in managing chronic disease. Whether you are working to prevent patients with chronic diseases from lapsing into acute conditions or trying to keep at-risk patients (and even healthy patients) from developing chronic conditions in the first place, regular visits, tests and screenings are essential. Unfortunately, most patients are not good about seeking preventive care and need a certain amount of coercion. An appointment reminder system can be used to notify people when they are due for preventive services, engaging them in managing their chronic conditions.
A healthcare provider that is getting preventive notifications right is Ochsner Health System, one of Louisiana’s largest healthcare delivery systems. Ochsner recognized many patients were not scheduling preventive screenings and tests and took action to change that. Its initial focus was on educating patients about their eligibility for colorectal cancer screenings. Using an appointment reminder system, Ochsner delivered automated phone notifications to a group of 3,137 people with recent orders for a colonoscopy or upper endoscopy. The conversion rate was an impressive 18.4% — meaning Ochsner scheduled 578 colorectal test screenings for its patients simply by explaining eligibility and asking people to set up appointments.
An organization can easily leverage the technology it already has in place to involve more of its chronic disease patient population in preventive care. That will have a big effect on the health of patients struggling with chronic diseases. Simply identify patient groups that are eligible for services and reach out to them with preventive care information and invitations.
2. Remind patients to keep their appointments.
Missed appointments pose a significant challenge when it comes to monitoring and managing the health of patients with chronic conditions. So this step — reminding patients to keep their appointments — is a no-brainer and something many healthcare providers are already doing well. If a healthcare organization is not successfully using automated notifications like text messages, voicemails, and emails to remind patients of upcoming appointments, it should make changes and implement reliable technology immediately.
Setting up reminders is as easy as running a report of upcoming appointments. You can choose any timeframe for reaching out to patients, but keep in mind that patients with multiple chronic conditions may need to arrange for transportation to get to their appointments. It’s helpful to schedule reminders early enough to allow patients that may have forgotten about their appointment to find transportation.
3. Make appointment cancellations available to patients with high needs.
Because chronic diseases require constant monitoring and sometimes sudden attention, patients with chronic conditions require easy access to appointments. To minimize the length of time patients with chronic conditions must wait for appointments, offer them appointment slots that other patients have vacated.
According to a study by The Commonwealth Fund, 71% of U.S. adults reported problems gaining access to needed healthcare. This included an inability to get timely appointments. Appointment accessibility can be improved by including an easy cancellation option on all appointment reminders and maintaining a short-notice call list of patients willing to take last-minute appointments. As a provider receives cancellation notices, they should contact high priority patients that are waiting to be seen and offer them the resulting openings.
It might go against instinct to give people a way out of appointments when your intention is to get them to show up, but don’t worry. Cancellations are only a lost opportunity when they are discovered at the very last minute. If a patient has decided not to keep an appointment, their caregiver is going to find out about it one way or another. Either they will find out when the patient does not arrive at the scheduled time or they can be warned ahead of time. With the first option — the no-show — the appointment time is lost. But if patients are allowed to offer advanced warning, would-be holes in a schedule can turn into appointments for patients with high needs.
United Regional Health Care System in Wichita Falls, Texas uses automated notifications to fill scheduling holes caused by cancellations. After using appointment confirmation calls for eight months, a total of 273 patients opted to cancel an appointment. However, because of the advanced notice, United Regional was able to refill 177 of those openings — which is a 65% appointment retention rate. By implementing similar processes, other providers can be more accessible to patients.
4. Follow up with educational information and support resources.
Caring for patients with chronic diseases is an ongoing process — care cannot end when a patient leaves a physician’s office. To help support patients and guide them through self-care between visits, use an appointment reminder system to deliver focused outreach campaigns to subsets of a patient population. For example, diet and weight management materials can be delivered to patients with diabetes.
The U.S. Centers for Disease Control and Prevention reported that the National Assessment of Adult Literacy — which measures the health literacy of adults living in the U.S. — rated only 12% of the population as having a “proficient” health literacy level. That means a lot of adults in the U.S. have difficulty understanding and using health information that is given to them. More good can be done for patients by repeatedly sending them text messages or emails containing information related to their disease, follow-up instructions, medication reminders and alerts, and other additional resources.
Design patient outreach around the questions commonly asked about chronic conditions like: What is the cause of this chronic illness? What is the prescribed treatment and why is it necessary? What role does medication play? What assistance can a patient get between visits and how can they get help when needed? Who should a patient contact if they have additional questions?
5. Reach out between visits to offer support and motivation.
The final step is to use technology to deliver motivation and support for patients as they work to self-manage their conditions. Most patients with chronic conditions — and those at risk for developing them — need to adopt some lifestyle changes, such as exercising more or quitting smoking. These types of behavioral changes aren’t always easy. Healthcare providers can help by inspiring patients to change unhealthy or risky behaviors. This could mean sending resources that encourage patients to incorporate healthier foods into their diets, or congratulating patients when they hit weight loss goals.
TeleVox found that patients really want to feel supported and encouraged by their physicians. According to our research, nearly 40% of patients say they would follow doctors’ orders if they got some kind of reminder or nudge from those doctors between their visits. This is significant because we also found evidence that about 83% of people do not do what their doctors tell them. So, an email or text reminder to take care of themselves could make a big difference.
If you are currently using an appointment reminder system for basic communication, you have the necessary technology to make improvements to your chronic disease management processes. Now it is up to you to implement changes — like the ones explained above — that will allow you to automatically reach out to patients and collaborate with them on how to prevent and manage illnesses.
About the Author:
Scott Zimmerman is a regularly-published authority on utilizing technology to engage and activate patients. He also spearheads TeleVox’s Healthy World initiative, a program that leverages ethnographic research to uncover, understand and interpret both patient and provider points of view with the end goal of creating a healthy world — one person at a time. Healthy World promotes the idea that touching the hearts and minds of patients by engaging with them between healthcare appointments will encourage and inspire them to follow and embrace treatment plans — and that activating these positive behaviors leads to healthier lives. Zimmerman possesses 20 years of proven performance in the healthcare industry, with domain knowledge in the surgical, interventional and pharmaceutical arenas. He currently serves as the President of TeleVox (www.televox.com), a part of West Corporation (www.west.com), where the healthcare mission is to help organizations harness communications to expand the boundaries of where, when, and how healthcare is delivered.
August 27, 2015 10:28 AM
Posted by: adelvecchio
, hipaa security rule
Guest post by Dr. Michael G. Mathews, president, COO, & co-founder, CynergisTek, Inc.
This second installment in a four-part series examines non-repudiation and data integrity in healthcare, some of the lesser-known fringe benefits of cryptographic algorithms that can help reduce fraud in e-prescribing of medications and computerized physician order entries. The final two pieces in the series will focus on data in motion and at rest within healthcare.
In my previous article, I touched on the fundamentals of encryption using symmetric (shared secret) cryptography, asymmetric (public key) cryptography and combinations of the two to create a hybrid approach to keeping data confidential. Simply being able to decode a message doesn’t guarantee that the message wasn’t altered en route, nor that it came from where it appears to have originated.
Confidentiality of data was clearly the primary reason behind the initial implementations of encryption methodologies. Using crypto hash functions we can get a “signature” for any data set so that if it changes in any way — either in transit or while at rest — the changes will be known, making the data suspect. Drawing a parallel to the postal service, envelopes are designed to provide confidentiality over a postcard and the fact that the envelope is sealed is an indicator of data integrity. If an envelope arrives either unsealed or opened, it’s a visible sign that the contents could have been altered in some way or potentially disclosed.
For healthcare IT, the HIPAA Security Rule identifies integrity controls in the technical safeguards part of the rule with a focus on the unauthorized alteration or destruction of electronic protected health information (ePHI). Implementing a tool that uses crypto hashes to keep track of the generated “fingerprints” of ePHI allows the tool to track any changes to that ePHI up to, and including, deletion. The rule is particularly broad here: it only identifies ePHI in general and stops short of calling out whether the scope in question is limited to an EHR or all-encompassing within the environment. It also doesn’t distinguish between ePHI at rest and ePHI in transit.
Non-repudiation (digital signature) adds authentication and identification to the integrity controls within cryptography. It identifies if an encrypted message is really from the purported sender by confirming the message is unchanged from its original form after it was received and read. Returning to the postal analogy, think back to wax seals with signet rings. The wax seal served triple duty in this case, offering assurances of confidentiality, integrity, and non-repudiation of the message, at a somewhat reduced standard of assurance unlikely to be endorsed today.
Mechanically, a digital signature is very similar to a simple crypto hash used for basic integrity controls as mentioned above. However, digital signatures make use of public key cryptography: the sender’s private key is used to sign the crypto hash, so when the recipient verifies the message using the sender’s public key, the message is verified both for integrity (confirming that it’s unchanged) and for authenticity (that it’s from whom it claims to be from). Digital signatures have evolved to take a much more prominent place in IT and help protect data integrity in healthcare. Within healthcare IT, electronic prescriptions allow physicians to attach electronic signatures for proof of authenticity, smart cards are used to grant access to workstations and restricted areas within the hospital, and encrypted emails sail through the cloud into inboxes with digital signatures intact to ensure the recipient knows the message is authentic.
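The two mechanisms described in this article, a hash “fingerprint” that exposes any alteration or deletion of a record, and a digital signature that additionally ties the record to the holder of a private key, can be shown side by side with nothing but Go’s standard library. The program below is an added example written for this page, not code from the article or from CynergisTek; the e-prescription line, the MRN and the prescriber id are constructed sample values, and Ed25519 over a SHA-256 digest is one reasonable choice of algorithms, not one the article specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// SampleOrder is a constructed e-prescription record (not real patient data),
// standing in for the ePHI whose integrity we want to track.
const SampleOrder = "patient=MRN-000123;drug=metformin;dose=500mg;sig=BID;prescriber=DR-42"

// Fingerprint returns the SHA-256 digest of a record as hex. Storing the
// fingerprint when the record is written and recomputing it later reveals
// any alteration; a record that is gone altogether fails the check too.
func Fingerprint(record []byte) string {
	sum := sha256.Sum256(record)
	return hex.EncodeToString(sum[:])
}

// IntegrityOK recomputes the fingerprint and compares it with the stored one.
// This is the plain integrity control: it detects change but says nothing
// about who produced the record, because anyone can compute a hash.
func IntegrityOK(record []byte, stored string) bool {
	return Fingerprint(record) == stored
}

// NewSigner generates an Ed25519 key pair for a prescriber. The private key
// stays with the prescriber; the public key is what verifiers are given.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignRecord hashes the record and signs the digest with the private key.
// This is the "private key generates the crypto hash" step from the article:
// the digest alone gives integrity, the signature over it adds origin.
func SignRecord(priv ed25519.PrivateKey, record []byte) []byte {
	digest := sha256.Sum256(record)
	return ed25519.Sign(priv, digest[:])
}

// VerifyRecord succeeds only if the record is unchanged AND the signature was
// made with the private key matching pub, which is what non-repudiation needs.
func VerifyRecord(pub ed25519.PublicKey, record, sig []byte) bool {
	digest := sha256.Sum256(record)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	record := []byte(SampleOrder)
	// A tampered copy: the dose has been changed in transit.
	tampered := []byte("patient=MRN-000123;drug=metformin;dose=5000mg;sig=BID;prescriber=DR-42")

	fp := Fingerprint(record)
	fmt.Println("stored fingerprint:", fp)
	fmt.Println("original passes integrity check:", IntegrityOK(record, fp))
	fmt.Println("tampered passes integrity check:", IntegrityOK(tampered, fp))

	pub, priv, err := NewSigner()
	if err != nil {
		panic(err)
	}
	sig := SignRecord(priv, record)
	fmt.Println("signature verifies on original:", VerifyRecord(pub, record, sig))
	fmt.Println("signature verifies on tampered:", VerifyRecord(pub, tampered, sig))

	// A second prescriber's key cannot vouch for the first prescriber's order.
	otherPub, _, _ := NewSigner()
	fmt.Println("signature verifies under another prescriber's key:", VerifyRecord(otherPub, record, sig))
}
```

The contrast worth noticing is in the last two checks: a bare hash would accept the tampered record if the attacker simply recomputed the fingerprint, whereas the signature fails on any altered byte and also fails under anyone else’s public key, so a verified order can be attributed to one prescriber and that prescriber cannot plausibly deny issuing it.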
August 20, 2015 11:55 AM
Posted by: adelvecchio
Accountable Care Organizations
, EHR incentives program
, Meaningful use
, Medicare reimbursement
, Shared Savings Program
Guest post by Richard Royer, CEO of Primaris
The Centers for Medicare and Medicaid Services (CMS) is trying to make the accountable care model a more compelling option for healthcare providers. The Affordable Care Act established the Medicare Shared Savings Program to improve care coordination and to incentivize providers and other healthcare institutions to participate in an accountable care organization (ACO).
By opting into the one-sided ACO track, an ACO can earn up to 50% of its shared savings, achieved by meeting quality performance standards. To entice providers to enroll in its two-sided ACO model, CMS sweetened the pot by offering as much as 60% of shared savings — the catch being the ACO is also responsible to repay a portion of any losses, based in part on its quality scores.
Participation in each of these programs is currently voluntary. But there is no denying the value-based and accountable care model they exemplify is the future, in both the public and private payer realms. Indeed, commercial insurers such as Cigna Corp. and Aetna Inc. have already launched their own versions of ACOs.
The adoption and meaningful use of certified EHRs underpins the whole concept of accountable care. These systems should serve as the source of data for dozens of clinical quality measures that ACOs must annually report to CMS. That data runs the gamut from recording preventive health measures, such as immunizations and mammography screenings, to tracking populations at risk for diabetes, hypertension and other chronic conditions.
But even if your institution isn’t participating in a public or private ACO, it’s important to consider ramping up your meaningful use of certified EHR technology. After all, any healthcare provider that wants to receive Medicare and Medicaid EHR incentives also needs to meet value-based care measurement thresholds.
Bring meaning to meaningful use
All that said, it appears there is still a ways to go to make the meaningful use of EHRs truly meaningful. Consider, for example, that according to a 2014 report by KLAS Research, based on a survey of 46 physician-led ACOs, EHR vendors earned an average 6.3 rating out of 9.0 for meeting ACO needs.
Fortunately, it is possible to improve EHR systems so healthcare providers in ACOs can more efficiently gather data to meet CMS reporting requirements and so any provider can be better positioned to receive payments from the Medicare and Medicaid EHR Incentive Programs, while avoiding possible penalties.
EHR systems can be optimized to help providers get ahead of healthcare quality issues, whether these practices are involved in ACOs or simply prepping for a future in which value-based and collaborative care models rule. That’s because EHR technology can be leveraged to give providers a better understanding of critical care points and associated risks, and give them an improved method of communicating required data to other partners in the medical chain.
Realize the value of the accountable care model
To get real value out of EHR systems, support meaningful use requirements, and position your organization for a future where accountable care is everywhere, it’s important to take the following steps:
- Don’t just capture data. Capture it appropriately and accurately. EHR systems are only as smart as they are set up to be. And they won’t be very smart if you don’t correctly document what medical options you propose to patients, the education you share with them and the information you learn from them in an easily removable, communicable and reportable data format. That could translate into loading new templates or input forms into the EHR to ensure critical information is captured in a structured format, rather than simply in the notes field. That way, it can be easily and automatically reflected in a practice’s quality improvement efforts, such as screenings for flu vaccinations or smoking cessation.
- Bring in the data reports and take action on them. One of the great things about EHRs is they potentially give healthcare organizations an improved capacity to plug gaps in treatment that can lead to accountable care gaffes, such as overlooking signals in patient data that wind up hurting the quality score related to hospital readmissions.
- That capacity is easier to leverage if your practice has regular access to comprehensive and comprehensible data reports, making it simpler to spot problems affecting a fraction of the patients within a large population. Otherwise, that is no easy task, especially now that practices’ data volumes are exploding as samples and test results from external sources — such as labs or information from patients’ mobile healthcare devices — can directly import into EHR systems. But when the information is pulled together so you can quickly spot a week-to-week roller coaster ride in a diabetic patient’s blood sugar levels, you can move quickly to correct the problem before the patient lapses into an acute condition.
- Customize only where necessary. There are some situations where customizing your EHR system is unavoidable. Those are the only times where you should indulge in the practice. In other words, deploy customizations only for reasons of functionality, not aesthetics. For instance, many EHR systems don’t automatically include an interface to transmit immunization data to a state immunization registry, but adding one to your system is worth the investment given that providers must show they have performed at least one test of their certified EHR technology’s capacity to electronically submit such data.
- When it comes to changing things like the location of a menu bar, though, skip it. That won’t be accounted for in the next general release of your vendor’s product, nor will the vendor have prepared it as an optional add-on that can be purchased for a reasonable fee. That means when upgrade time comes around, you’ll be undertaking the whole process again, and that can cost you thousands of dollars and increase the time it takes your practice to move onto the next version.
- Consider where your expertise really lies. While the healthcare profession is changing and many physicians’ practices are being acquired by larger health systems, the industry still has more than its fair share of small practices. And most of them — perhaps your own — are without staff that is well-versed in technology or adept in the processes that optimize an EHR system for meaningful use. In those cases, it’s not a good idea to take the do-it-yourself approach to deploying EHR systems, and certainly not wise to follow that route to satisfy stage 1 or 2 criteria.
- While trying on your own may seem reasonable, there’s a lot at risk if you hit significant stumbling blocks, including your cash flow. You may experience a decrease in returns from the Medicare Shared Savings Program or in meaningful use incentive payments. Many EHR systems also are responsible for triggering bills to patients or insurance companies. So, if issues arise with the system as you attempt to increase its meaningful use functionality — and those issues affect your ability to use the technology for other purposes — core revenue may be put in jeopardy. Under those circumstances, the old saying about asking for help when you need it could not be truer.
Are you ready to reap the value that comes from the meaningful use of an EHR system in a world moving to the accountable care model? Things are changing fast in the healthcare industry and the more prepared you are to meet those changes, the better off you’ll be.
About the author:
Richard A. Royer has served as the chief executive officer of Primaris since 2001. He has extensive administrative healthcare experience and is actively involved in a number of statewide healthcare initiatives. In 2006 he was appointed by the Missouri governor to the Missouri Healthcare Information Technology Task Force and chaired the resources workgroup. He also serves on the board of directors as treasurer for the Excellence in Missouri Foundation.
In his more than 35 years of medical business experience he has held positions as CEO at Cuyahoga Falls, Ohio, General Hospital; executive director of Columbia Regional Hospital in Missouri; and founder and president of Avalon Enterprises, a medical financial consulting firm.