
Health IT Pulse

September 30, 2014  1:54 PM

Number of data breach response teams rises along with threats

Posted by: adelvecchio
data breach, data security

The most effective efforts to limit the damage inflicted by a data breach start before an incident occurs. This is something that security pros in many industries, including healthcare, have observed. Their desire to proactively temper the effects of security incidents is reflected in findings in the second annual survey on data breach preparedness, conducted by Ponemon Institute LLC and sponsored by Experian Data Breach Resolution. The survey report references previous Ponemon research, which indicated that businesses with established incident response plans could reduce the average cost of a data breach by $17 per stolen record.

The percentage of respondents with data breach response plans in place at their organizations rose from 61% in 2013 to 73% this year. That shift coincided with a 10% year-to-year increase in the number of respondents that reported experiencing a data breach. Healthcare was the second most represented industry in the survey, with its 13% second only to the financial services market, which comprised 19% of the total responses.

The results of another Ponemon data breach survey, sponsored by Informatica Corporation, were released earlier this year. Of 142 respondents employed in the healthcare and pharmaceutical fields, more than half reported that losing customer data was their biggest worry. Though a mere 9% said they thought patient data was in danger, double the respondents indicated they had experienced between two and five security breaches in the past year.

Healthcare data breaches can prove costly on multiple levels. Failure to comply with HIPAA policies can result in fines, on top of what providers spend to test and patch the holes where their security perimeter failed. The HHS Office of Civil Rights (OCR) investigated a data breach involving New York-Presbyterian Hospital (NYP) and Columbia University that left electronic health data of 6,800 individuals exposed. The two organizations submitted their breach report in 2010 and were ordered to pay $4,800,000 to those affected as a result of the OCR’s investigation.

September 29, 2014  3:07 PM

White hat hackers test data security

Posted by: DonFluckinger
Affordable Care Act, health care data breach, health data security

Which do you want first on federal health insurance exchange sites initiated through the Affordable Care Act? The good news, or the bad news?

It turns out that the feds employed white hat hackers to test the data security of exchanges, according to a report from the HHS Office of the Inspector General (OIG) following an audit of data security practices and risk mitigation that took place from last February to last June.

The good news is, after reviewing the work, OIG found that personal data U.S. patients give the site is generally secure. The bad news? The hackers uncovered an unspecified “critical vulnerability” in a scan of the web application, which CMS said would be quickly patched.

Moreover, two more server vulnerabilities, known to CMS, hadn’t been fully addressed at the time of the audit. CMS was in the process of remediating these vulnerabilities at the time of the audit, but hadn’t completed the plan. Prior to the audit, CMS had notified OIG of the steps it was taking to patch the holes. Of the two server vulnerabilities, a less critical vulnerability that didn’t put users’ personal data at risk was getting addressed via a contractor. A more critical vulnerability had been patched by CMS itself between the time of the audit and last week, when the OIG published its report.

The vulnerabilities were not described in detail in the report, as a security precaution. The OIG report follows reports of a test-farm breach, a story broken by the Wall Street Journal. CMS said that no personally identifiable information was exposed in the incident. In a separate but unrelated announcement, CMS recently said that most of its patient-matching issues have been resolved.

September 25, 2014  3:23 PM

CMS FAQs clarify meaningful use attestation rules

Posted by: MonicaVallejo
CQMs, EHR incentive program, EHR incentives, meaningful use attestation, meaningful use stage 2

For providers working on stage 2 meaningful use attestation who have questions on criteria such as summary of care documents, clinical quality measures (CQMs) or when their EHR incentive checks will be in the mail, good news: CMS clarified these and some other questions via its FAQ page.

CMS regularly updates the Medicare and Medicaid EHR Incentive Programs FAQ section on its website to clarify meaningful use program attestation rules. The most recent changes and additions to the list include a new explanation of the summary of care document updates to seven FAQs on CQMs.

The summary of care explanation addresses the question of whether or not eligible parties may count a transition or referral of care toward the measure if an electronic summary of care document is created through a certified EHR and sent to a third party organization.

The updated CQM FAQs address data reporting required for incentive payments. They include deeper information for calculating data and creating reports. Each update answers similar questions such as how to report on CQMs with no collected data and how to use CQMs from an alternate core set to meet reporting requirements.

The updates also include a FAQ explanation that describes what happens when providers submit documentation, and the time frame in which providers can expect to receive their incentive payment checks.

September 24, 2014  3:09 PM

Patient portals work for family practices, journal study concludes

Posted by: ShaunSutner
Annals of Family Medicine, family practices, Meaningful use, patient portals

“By directly engaging patients to use a portal and supporting practices to integrate use into care, primary care practices can match or potentially surpass the usage rates achieved by large health systems.”

That conclusion was reached by 11 medical researchers whose new report on the success of patient portals – a critical feature of the meaningful use program – was published in the “Annals of Family Medicine.”

The team, led by Alex Krist, M.D., a faculty member at the Fairfax Family Medicine Center in Virginia, found after a three-year study ending in 2013 that practices that pursued thoughtful, pro-active strategies to get patients to use the portal achieved a patient use rate of 25.6%, with the rate increasing 1% a month over 31 months.

Other findings included:

- That 23.5% of portal users signed up within one day of their office visit

- Older patients and patients with two or more chronic conditions were more likely to use portals

- Blacks and Hispanics were less likely to use portals

- Usage by practice varied from 22.1% to 27.9% depending on how effectively the practices promoted the portals

Eight primary care practices in Virginia participated in the study, with each using a series of learning collaboratives with practice “champions” and redesigning workflow patterns to integrate use of portals in patient care, according to the study abstract.

All used an Allscripts EHR system and two separate patient portal systems, a commercial portal that only provided secure patient messaging, and one plugging into EHR data.

The two-portal model came about because the practices were not successful in integrating the EHR with the portal, so the practices had to field two concurrent portals, including one created for the study, “MyPreventativeCare,” developed by Virginia Commonwealth University (VCU). Under meaningful use stage 2, portals should incorporate secure patient-doctor messaging.

The salient point the researchers discovered was that small and medium-sized primary care practices can engage patients to use portals by incorporating promotion into routine care.

“This approach appears to be more effective than mailing invitations and to match the results of more elaborate promotion efforts by large integrated health systems,” the report says.

Some medium-sized and large hospital systems trying to attest to the stage 2 portal measure have tried elaborate promotions such as contests with giveaways such as free vacations.

The study authors noted that VCU holds the intellectual property rights to its portal, but although the university and developers are entitled to the system’s revenue, the portal tested in the study is a noncommercial product and no revenues have been generated other than grant funding.

September 23, 2014  12:14 PM

Morton in, Fridsma out in separate ONC staff transactions

Posted by: adelvecchio
Alicia Morton, CCHIT, Doug Fridsma, Karen DeSalvo, National Health IT Week, ONC

Months after restructuring its internal organization, the ONC now has to adjust to two recent major staff changes. U.S. Navy Capt. Alicia Morton was announced as the next director of the ONC Health IT EHR Certification Program in an email sent to ONC staff from Steve Posnack, director of the ONC’s Office of Standards and Technology. Another memo, sent internally by the National Coordinator for Health IT Karen DeSalvo, M.D., relayed the news of Doug Fridsma’s resignation as ONC chief science officer to take a new position as president and CEO of the American Medical Informatics Association later this year. ONC forwarded both emails to media.

Fridsma joins Lygeia Ricciardi, former director of the Consumer eHealth Program and Office and Joy Pritts, ex-chief privacy officer, as ONC department heads that have departed since July. Lana Moriarty was named as Ricciardi’s acting successor in time to attend National Health IT Week, while a replacement for Pritts, a political appointee, has yet to be announced. In her announcement, DeSalvo notes that Fridsma was “a key technical advisor” to her and past ONC heads and credits him for his role in leading the design of the Standards & Interoperability Framework.

Alicia Morton’s career background was covered in Posnack’s email to ONC staff. Morton has served at ONC since 2005, working for CMS and the National Institutes of Health prior to that. She joined ONC in 2005 to lead their contract with CCHIT, an independent organization that formerly tested and certified EHRs under the ONC’s authorization. One of Morton’s duties at CMS, where she worked from 2003-2005, was overseeing the development of the Doctor’s Office Quality-Information Technology project. She follows Carol Bean as ONC certification director.

At a staff meeting in late May, DeSalvo revealed the ONC’s plan to reduce their number of internal offices from 17 to 10. DeSalvo explained the timing for the reshuffling was brought on by reductions to health IT investments under the HITECH Act. She also explained that the changes were made after consulting with senior staff members and past ONC staff, and would focus on stimulating interoperability and patient engagement.

September 22, 2014  8:34 AM

Department of Homeland Security branch implements eClinicalWorks

Posted by: MonicaVallejo
EHR, EHR systems, health information exchange

Medical professionals who manage care at all 23 U.S. Immigration and Customs Enforcement (ICE) detention facilities are now using eClinicalWorks' cloud EHR. The Massachusetts-based healthcare IT vendor was selected after a competitive bid process. According to the Federal Business Opportunities website, the contract will run through September 2019, and cost approximately $4.8 million.

ICE, an arm of the U.S. Department of Homeland Security, provides care for those held at detention facilities and oversees medical care provided to additional detainees housed at non-ICE Health Service Corps facilities. Before integrating eClinicalWorks, all sites used different systems making information exchange difficult.

The ICE Health Service Corps standardized its EHR system in all its facilities by implementing eClinicalWorks, allowing medical information to be shared across different locations. The EHR system will allow the federal agency to track patients’ records as they move within medical specialties in the same location and to track patient data as they go from one detention facility to another.

Harris Corporation, a communications and information technology company and the primary contractor, is working with eClinicalWorks and ICE to customize their new EHR system. Harris will also help integrate the new system with the current ones, including laboratory, radiology and pharmacy technology to extend the reach of the new system.

ICE’s new EHR system allows providers to utilize chronic and preventive care measures including those unique to ICE detention facilities, such as intake screening process flows, electronic medication administration and infirmary management.

Other government agencies seeking progressive and sustainable models for medical care quality improvements have turned to eClinicalWorks in the past. The company has implemented EHRs for correctional facilities, the New York City Department of Health and Mental Hygiene, as well as the Philadelphia and San Francisco public health departments.

September 18, 2014  3:43 PM

Republican congressman entertains hosts from across the health IT political divide

Posted by: ShaunSutner
FDA, Interoperability, m-health, Meaningful use, ONC

Congressman Michael Burgess, M.D., is something of an anomaly: a Republican politician who more or less supports adoption of electronic health records and meaningful use.

The key words here are “more or less.” One could say that the Texas lawmaker, who went into politics after 30 years as a practicing ob-gyn doc, likes EHRs a lot, but has merely learned to live with meaningful use even though he instinctively considers the Democratic administration’s health IT policy burdensome and expensive.

As a moderate GOP figure of some clout (he is founder and chairman of the bipartisan congressional healthcare caucus) and with a willingness to talk with Democrats, he has forged a working relationship with national health IT coordinator Karen DeSalvo, M.D.

And so it came to be that Burgess was invited to address a decidedly liberal crowd gathered in an ornate Washington, D.C. hotel ballroom during National Health IT Week for a day of discussion about patient engagement initiatives, hosted by ONC and graced by a DeSalvo keynote.

Now, as health IT is once again ensnared in political warfare on Capitol Hill – with vendors, CIOs and other players pitched against CMS and ONC to ease up on meaningful use – Burgess joined the chorus of cries to make meaningful use easier to do. A new bill would do an end-around the administration and force CMS to go back to a 90-day, rather than 365-day, attestation period for stage 2 for 2015.

“I hear from hospitals, I hear from doctors, I hear from patients, the problem is still there,” Burgess said.

However, Burgess appeared to somewhat grudgingly accept the meaningful use program itself, saying the health IT sector ought to at least wisely spend the program’s $35 billion in incentive funds.

Even so, Burgess took an interesting tack at the ONC-sponsored event, one that appeared designed to poke or provoke his hosts, whose latest overarching policy framework is promoting interoperability to the max to the virtual exclusion of meaningful use.

“Maybe the focus should have been on interoperability [before], and meaningful use coming later,” the congressman said. “But we are where we are.”

Burgess also took the standard conservative shot at the FDA, accusing the regulatory agency of stifling innovation by moving too slowly and regulating too much.

(In reality, the FDA recently effectively deregulated the booming market for mobile health and wellness apps and devices as Apple, Google, Microsoft and others roll out and beef up big m-health initiatives – raising safety worries among some critics.)

As he wound down his spiel, Burgess struck a conciliatory note.

“I know that young people who are going into medicine today are going to have tools at their disposal to alleviate suffering that doctors have not had in the past,” he said.

September 17, 2014  9:46 AM

Report documents health data security HIPAA compliance issues

Posted by: MonicaVallejo
health data security, HIPAA compliance, HIPAA data breach

Data security consultant and research firm the SANS Institute estimates that millions of healthcare IT systems are compromised and fail to meet HIPAA’s network security requirements in its Health Care Cyberthreat Report. The report was developed based on data related to healthcare organizations in the U.S. gathered over a 13-month period by Norse, a global threat intelligence network that collects data on malicious traffic through its system of sensors that analyze more than 100 TB of traffic daily.

The network recorded malicious traffic coming from healthcare systems to develop the report and the results of the report show that compliance efforts aren’t even close to keeping up with data thieves. Business associates are also proving to be entry points for data vulnerabilities.

HIPAA network security rules require healthcare organizations to protect patient data, and to develop risk analyses to mitigate those threats. The report shows that a large number of healthcare organizations are out of compliance because they have been compromised and are sending malicious traffic.

Malicious events affect all types and sizes of organizations. The report listed the breakdown of the type of organizations that were compromised and the percentage of malicious traffic emanating from them:

  • Healthcare providers: 72.0%
  • Healthcare business associates: 9.9%
  • Other related healthcare entities: 8.5%
  • Health plans: 6.1%
  • Pharmaceutical: 2.9%
  • Healthcare clearinghouses: 0.5%

The report also shows that healthcare networks compromised by malicious data breaches are not restricted to desktops and servers, putting a spotlight on IT systems that support mHealth and bioengineering. Medical devices and applications such as connected medical endpoints, internet-facing personal health data and security systems are also part of the networks sending malicious traffic. According to the SANS report, 65% of malicious events came from network edge systems or devices such as firewalls, routers and VPNs.

The fact that security devices and applications are emitting the most malicious traffic is significantly troubling for healthcare organizations. The report suggests that assessment for system configuration and potential vulnerabilities should be an ongoing process of detection to prevent security breaches, followed by improvement and attestation that the improvements have been made.

September 16, 2014  1:06 PM

National Health IT Week’s opening DeSalvo

Posted by: DonFluckinger
Interoperability, Karen DeSalvo, National Health IT Week, patient advocacy, Regina Holliday

WASHINGTON, D.C. — Even by-the-book objective journalists can get behind the idea of patient advocacy and consumer engagement. No matter how fair, balanced and disengaged one can be, in the end we’re all patients.

That’s why National Health IT Week — a citywide event that can only be described as a loosely connected amalgam of events spread throughout D.C. catering to vendors, pols, healthcare providers, wonks, policymakers, consultants, analysts and other hangers-on — begins with what it should: patients.

At the week’s kickoff, the ONC’s 4th Annual Consumer Health IT Summit, attendees got to see National Coordinator for Health IT Karen DeSalvo, M.D. debut her jacket painted by patient advocate Regina Holliday. Holliday was in her usual spot, painting a picture of the day’s proceedings in the corner, behind her easel.

Attendees also got to meet two new federal officials whose mission is patient privacy and health data access, respectively, in new HHS Office for Civil Rights Director Jocelyn Samuels, and Lana Moriarty, ONC acting director for consumer e-health. In the other sessions, they got a full day’s measure of enthusiasm and federal backing for pushing health data access and interoperability initiatives.

Interoperability and national health IT infrastructure isn’t going to build itself; the next few days will see commercial stakeholders — provider CIOs and software vendors — tell their side of the story in what looks to be a grand, decade-long transition from paper to digital health records in the U.S. healthcare system. Their concerns are valid, as they delve into very serious matters of technology implementation on shoestring budgets and data security problems that amount to a spy-vs.-spy game with offshore hackers who will exploit any system vulnerability to find salable health data online. Then there are the issues of finding political common ground in an epoch of Capitol Hill toxicity where all sides loathe each other and, of course, finding public and private funding to pay for it all in moribund economic conditions.

But, it’s good to know that at least somewhere, patients come first. As they did this week. Let’s hope that idea sticks the whole year round, not just during National Health IT Week.

September 16, 2014  10:56 AM

ONC releases final 2014 EHR certification criteria

Posted by: adelvecchio
certified EHR technology, EHR certification, EHR standards, Karen DeSalvo

Providers and technology developers working towards meeting 2014 Edition electronic health record certification standards now have revised and optional criteria to fit into their agendas, after the ONC released a final rule that updates 2014 requirements. The ONC also decided not to wholly adopt the proposed 2015 Edition EHR certification criteria, instead opting to incorporate a subset of those rules as optional 2014 criteria.

The update, dubbed “2014 Edition Release 2,” came after a proposed rule, followed by a public comment period. Release 2 consists of ten optional and two revised certification criteria to be part of the 2014 final rule.

The full report of the final rule — released on the Federal Register’s website — went into greater detail on what the rule update entails and what it will require of developers and providers. A low-cost estimate projected that EHR technology developers will spend just under $3 million combined between this year and next in testing their products and having them certified to meet the standards of the revised 2014 Edition certification criteria.

The changes affecting providers include an alteration that splits the computerized physician order entry criterion into three separate criteria according to their capabilities, whether they are medications, laboratory, or diagnostic imaging-based. An update to the “Transmission to public health agencies – syndromic surveillance” criteria permits any electronic method of collecting syndromic surveillance data for exchange.

“It provides more choices for health IT developers and their customers, including new interoperable ways to securely exchange health information. It also serves as a model for ONC to update its rules as technology and standards evolve to support innovation,” National Coordinator for Health IT Karen DeSalvo, M.D., said in an HHS news bulletin on the Release 2 update.
