September 17, 2014 9:46 AM
Posted by: MonicaVallejo
health data security, HIPAA compliance, HIPAA data breach
Data security consultant and research firm the SANS Institute estimates in its Health Care Cyberthreat Report that millions of healthcare IT systems are compromised and fail to meet HIPAA’s network security requirements. The report was developed based on data related to healthcare organizations in the U.S. gathered over a 13-month period by Norse, a global threat intelligence network that collects data on malicious traffic through its system of sensors that analyze more than 100 TB of traffic daily.
The network recorded malicious traffic coming from healthcare systems to develop the report and the results of the report show that compliance efforts aren’t even close to keeping up with data thieves. Business associates are also proving to be entry points for data vulnerabilities.
HIPAA network security rules require healthcare organizations to protect patient data, and to develop risk analyses to mitigate those threats. The report shows that a large number of healthcare organizations are out of compliance because they have been compromised and are sending malicious traffic.
Malicious events affect all types and sizes of organizations. The report listed the breakdown of the type of organizations that were compromised and the percentage of malicious traffic emanating from them:
- Healthcare providers: 72.0%
- Healthcare business associates: 9.9%
- Other related healthcare entities: 8.5%
- Health plans: 6.1%
- Pharmaceutical: 2.9%
- Healthcare clearinghouses: 0.5%
The report also shows that healthcare networks compromised by malicious data breaches are not restricted to desktops and servers, putting a spotlight on IT systems that support mHealth and bioengineering. Medical devices and applications such as connected medical endpoints, internet-facing personal health data and security systems are also part of the networks sending malicious traffic. According to the SANS report, 65% of malicious events came from network edge systems or devices such as firewalls, routers and VPNs.
The fact that security devices and applications are emitting the most malicious traffic is significantly troubling for healthcare organizations. The report suggests that assessment for system configuration and potential vulnerabilities should be an ongoing process of detection to prevent security breaches, followed by improvement and attestation that the improvements have been made.
September 16, 2014 1:06 PM
Posted by: DonFluckinger
Karen DeSalvo, National Health IT Week, patient advocacy, Regina Holliday
WASHINGTON, D.C. — Even by-the-book objective journalists can get behind the idea of patient advocacy and consumer engagement. No matter how fair, balanced and disengaged one can be, in the end we’re all patients.
That’s why National Health IT Week — a citywide event that can only be described as a loosely connected amalgam of events spread throughout D.C. catering to vendors, pols, healthcare providers, wonks, policymakers, consultants, analysts and other hangers-on — begins with what it should: patients.
At the week’s kickoff, the ONC’s 4th Annual Consumer Health IT Summit, attendees got to see National Coordinator for Health IT Karen DeSalvo, M.D. debut her jacket painted by patient advocate Regina Holliday. Holliday was in her usual spot, painting a picture of the day’s proceedings in the corner, behind her easel.
Attendees also got to meet two new federal officials whose mission is patient privacy and health data access, respectively, in new HHS Office for Civil Rights Director Jocelyn Samuels, and Lana Moriarty, ONC acting director for consumer e-health. In the other sessions, they got a full day’s measure of enthusiasm and federal backing for pushing health data access and interoperability initiatives.
Interoperability and national health IT infrastructure isn’t going to build itself; the next few days will see commercial stakeholders — provider CIOs and software vendors — tell their side of the story in what looks to be a grand, decade-long transition from paper to digital health records in the U.S. healthcare system. Their concerns are valid, as they delve into very serious matters of technology implementation on shoestring budgets and data security problems that amount to a spy-vs.-spy game with offshore hackers who will exploit any system vulnerability to find salable health data online. Then there are the issues of finding political common ground in an epoch of Capitol Hill toxicity where all sides loathe each other and, of course, finding public and private funding to pay for it all in moribund economic conditions.
But, it’s good to know that at least somewhere, patients come first. As they did this week. Let’s hope that idea sticks the whole year round, not just during National Health IT Week.
September 16, 2014 10:56 AM
Posted by: adelvecchio
certified EHR technology, EHR certification, EHR standards, Karen DeSalvo
Providers and technology developers working towards meeting 2014 Edition electronic health record certification standards now have revised and optional criteria to fit into their agendas, after the ONC released a final rule that updates 2014 requirements. The ONC also decided not to wholly adopt the proposed 2015 Edition EHR certification criteria, instead opting to incorporate a subset of those rules as optional 2014 criteria.
The update, dubbed “2014 Edition Release 2,” came after a proposed rule, followed by a public comment period. Release 2 consists of ten optional and two revised certification criteria to be part of the 2014 final rule.
The full report of the final rule, released on the Federal Register’s website, went into greater detail on what the rule update entails and what it will require of developers and providers. A low-cost estimate projected that EHR technology developers will spend just under $3 million combined between this year and next in testing their products and having them certified to meet the standards of the revised 2014 Edition certification criteria.
The changes affecting providers include an alteration that splits the computerized physician order entry criterion into three separate criteria according to their capabilities, whether they are medications, laboratory, or diagnostic imaging-based. An update to the “Transmission to public health agencies – syndromic surveillance” criteria permits any electronic method of collecting syndromic surveillance data for exchange.
“It provides more choices for health IT developers and their customers, including new interoperable ways to securely exchange health information. It also serves as a model for ONC to update its rules as technology and standards evolve to support innovation,” National Coordinator for Health IT Karen DeSalvo, M.D., said in an HHS news bulletin on the Release 2 update.
September 11, 2014 4:02 PM
Posted by: ShaunSutner
electronic health records, Meaningful use, Republican senators
They haven’t gone away.
The six Republican senators who unleashed a manifesto last year questioning the basic tenets of meaningful use, HIPAA enforcement and even the efficacy of electronic health records are still hanging around Capitol Hill.
Indeed, their 27-page “Reboot” tract will form the basis for a closed-door meeting during next week’s National Health IT Week between the senators’ policy staffers and College of Health Information Management Executives (CHIME) and the Association of Medical Directors of Information Systems (AMDIS) members and leadership and policy experts.
CHIME’s president and CEO, Russell Branzell, has told SearchHealthIT that the health IT advocates will be there to listen and respond to questions.
In essence, they most likely will be playing defense on the $35 billion meaningful use program the senators are attacking and which could become a big political issue in the next big presidential and senate election cycle, which kicks off next year in advance of the 2016 elections.
A more fascinating scenario would find the health IT leaders somehow allied with team “Reboot” to get some of their meaningful use wish-list items done, such as easing deadlines for CMS reimbursement penalties for failing to attest to meaningful use, getting a year off without losing EHR incentive funds, or even making 2015’s reporting period something less than the 365 days as required now. We’ll find out after the meeting what actually does transpire.
In 2016, in addition to the presidency, 34 Senate seats will be contested. It would not be a surprise if the Affordable Care Act, and the critical IT underpinnings the 2009 HITECH stimulus bill set in place for it, rise again as fodder for GOP sallies against the now ruling Democrats.
In that vein, the Reboot meeting next week could be seen as the start of that fight, even if the health IT forces arrayed around the table – including Branzell – opt to go on the offense and not just settle for defending the struggling meaningful use initiative.
What isn’t debatable is that the Republicans’ contention that interoperability isn’t working has already had an impact at the highest levels of CMS and the Office of the National Coordinator for health IT policy.
A good chunk of ONC’s slate of sessions at the week of health IT goings on is devoted to interoperability, and most of ONC chief Karen DeSalvo’s current portfolio appears to be pointed at interoperability.
As for patient privacy, the GOP critics want more of that. It will be interesting to see how forcefully Jocelyn Samuels, the new Office for Civil Rights director, enforces HIPAA in the last two years of the Obama administration. She could also use the National Health IT Week forum as a platform to telegraph the long-awaited audit program.
And while the Reboot meeting might be tense, CHIME and AMDIS leaders are also scheduled to meet privately with Senate Finance Committee leadership staff in a bipartisan and therefore likely more amicable session – even though it will be about money.
September 3, 2014 4:14 PM
Posted by: ShaunSutner
Meaningful use
Delay, delay and delay again.
That seems to be the implementation option of choice for the federal government’s healthcare IT policy in recent years.
It’s hard to see exactly what forces pushed the Centers for Medicare and Medicaid Services to finalize its latest proposed delay on the eve of the 2014 Labor Day weekend: putting off stage 3 of meaningful use until 2017 and allowing providers to use 2011 certified EHRs for stage 2 attestation this year instead of 2014 certified EHRs, which was the original plan.
Previous 2014 postponements have included two abrupt moves last spring, when Congress forced CMS to delay ICD-10 until Oct. 1. Prior to that, at HIMSS CMS announced it would grant meaningful “hardship exceptions” to providers that showed their EHR vendors aren’t ready, which let providers collect their EHR incentive checks without attesting to stage 2, judged on a case-by-case basis by federal authorities.
The recent move was slammed by, among others, two heavyweight groups not normally known for sharing the same side of an argument – the College of Healthcare Management Executives (CHIME), and the American Medical Association.
So who likes this deferment?
Not athenahealth, Inc. of Watertown, Mass., which like many of its cloud-based EHR vendor peers, makes attesting to meaningful use central to its marketing strategy, and whose customers all are in prime position to attest to stage 2 by the end of the year, according to company executives. The company was certified in June 2013 for stage 2.
“Most people are generally kind of glad the delay went into effect, but we’re not happy about it,” said Matt Hoenigsberg, athenahealth product marketing manager. “It actually just punishes the people who were ahead of the game.”
Hoenigsberg asserted that vendors with cloud offerings – such as athenahealth, CareCloud, eClinicalWorks LLC, Practice Fusion, Inc. and CureMD Healthcare – can develop software more nimbly than their traditional software counterparts. It’s considerably easier and faster to upgrade to current certification standards. So when meaningful use is delayed or rules governing the use of certified EHRs are loosened, traditional software vendors get a break and cloud vendors lose their competitive edge.
Basically, the delay allows providers who were unable to upgrade to 2014-certified software this year to still use their 2011-certified software to do the easy stage 1 meaningful use measures, which mainly involve collecting patient medical information.
And it excuses these organizations and practitioners from the tougher patient engagement measures such as using electronic referrals to third-party providers and getting patients to view, download and transmit secure messages on patient portals.
As for the 365-day meaningful use reporting period still mandated for many providers next year if they want to avoid CMS penalties, it was one part of meaningful use where CMS stood firm and didn’t delay or defer previously established timelines.
Most players in the industry anticipated that, though it would be safe to say they were disappointed. The alternative was a 90-day reporting period like 2014’s, which offered breathing room for implementing 2014 certified EHR upgrades.
It might not be the end of the delays, as CMS and the Office of the National Coordinator (ONC) of healthcare information technology leaders head into the coming months of the Obama administration’s lame duck-dom.
Healthcare provider CIOs have to wonder, however, as they plan budgets and purchasing decisions for 2015 and beyond, what toll these delays are taking on the program, and if they are diluting it. After enough delays, looming above all of the procrastination could be a more serious specter: the future of meaningful use itself.
September 2, 2014 12:58 PM
Posted by: adelvecchio
EHR implementation
The U.S. Department of Defense issued a request for proposals to update their legacy health IT systems, including their EHR. The project is expected to come with a multi-billion dollar price tag and put modernized systems in place by the end of 2016.
Proposals are due to the Department of Defense (DoD) on Oct. 9, 2014, and all questions must be submitted by September 8. The request was a finalization of three updates made to the draft proposal, which is part of the DoD’s Healthcare Management Systems Modernization (DHMSM) Program.
In an April appearance before the Senate Appropriations Committee Subcommittee on Defense, DHMSM Program Executive Officer Christopher Miller stated the goals of the DoD’s healthcare program. He said the DoD holds a “steadfast commitment to the modernization and interoperability of our EHRs.” He mentioned the importance of exchanging interoperable data with U.S. Department of Veterans Affairs (VA) EHRs, as well as with private providers.
The DoD has long been exploring investments in a new EHR system. Last October, the agency announced the beginning of a search to replace their legacy EHR with a system that was compliant with stage 1, at a minimum. That was conducted when the DoD and VA were jointly working towards implementing an integrated EHR to be shared between the two departments. The DoD’s current EHR odyssey stretches back at least as far as 2005 — when the last revision was made to a previous plan to replace their Armed Forces Health Longitudinal Technology Application.
Earlier this year, the U.S. Government Accountability Office (GAO) released the findings of its research into the DoD and VA’s EHR plans. The GAO report, released after the two departments scrapped plans to adopt an integrated EHR, stated “VA and DOD have not substantiated their claims that the current approach [to deploy separate EHR systems] will be less expensive and more timely than the single-system approach.” The GAO also noted that, as of February, the departments had not disclosed their strategy for navigating previously identified barriers to health IT collaboration. The GAO cited problem areas in enterprise architecture and IT investment management.
August 28, 2014 3:04 PM
Posted by: MonicaVallejo
meaningful use stage 2
CMS and ONC are encouraging providers to use the provider user guide for the National Institute of Standards and Technology (NIST) EHR Randomizer software, a tool that aims to help providers meet the meaningful use stage 2 transitions of care core objective.
To meet this core objective, providers must satisfy three measures: Measures 1 and 2 require providers to make summary of care records available, which cover patient transitions or referrals.
To meet measure 3, providers are required to conduct at least one successful electronic summary of care exchange with a provider who uses a different vendor’s EHR system. If providers can’t participate in this type of exchange or are unable to document it, they must conduct at least one successful test during the reporting period by exchanging a summary of care with an authorized test EHR. The EHR Randomizer tool satisfies the interoperability requirement of the “authorized test EHR” piece of the meaningful use measure.
The EHR Randomizer user guide walks providers through registration as well as instructions on how to complete a successful document exchange with a test EHR. The Randomizer automatically pairs the provider EHR with a different authorized test EHR.
Physicians must send a summary of care record in Consolidated Clinical Document Architecture (C-CDA) format that does not contain real patient information to the test EHR. The test vendor has 24 hours to respond with an email notifying the provider whether the exchange failed or succeeded. If the test is successful, providers can use this email as proof of having met the transitions of care measure 3. In the case of a test failure, the process can be repeated until the test EHR vendor and the provider troubleshoot all errors and meet measure 3 successfully.
August 27, 2014 1:52 PM
Posted by: ShaunSutner
data analytics, population health management
The hot field of using data analytics to divine medical trends as part of population health management, while seeing strong growth, is still in its formative stages, according to a new report from Chilmark Research.
The Cambridge, Massachusetts firm — which specializes in market analysis of advanced healthcare IT systems — reports that healthcare organizations using analytics are still struggling with reimbursement models.
Meanwhile, the report notes that major EHR vendors are moving into the data analytics space previously occupied mainly by best-of-breed companies.
“Vendors can be roughly divided into two categories: best-of-breed and platform-play vendors depending on their particular products and marketing strategies,” the report’s author, Cora Sharma, said in a release accompanying the report. “It is currently a best-of-breed market, with providers adapting vendor solutions to meet a particular need created by a specific payment contract. Vendors aspiring to become enterprise-wide platforms find ‘enterprise-thinking’ HCOs [healthcare organizations] in short supply.”
For the report, Chilmark surveyed 19 vendors, including EHRs like Epic Systems Corp. and Cerner Corp., as well as non-EHRs such as Verisk Health Inc. and Optum, UnitedHealth Group Inc.’s platform.
The 133-page report came up with 11 general market and industry findings for the data analytics space.
- The trend toward value-based reimbursement is less “shaky,” but the market remains mostly concerned with quality measure compliance and penalties from the Centers for Medicaid and Medicare Services.
- There is an influx of data across clinical and claims-based worlds. “Future, external stores of data — user-generated data, home monitoring data, unstructured data, data still in paper form — remain untapped and underutilized,” Sharma writes.
- Data aggregation problems persist.
- The market more and more is putting data warehousing and analytics into the power user category. In the future, analyzing patient data and predicting risk will have to become more sophisticated.
- Workflow, engagement and action remain unconquered frontiers. Data-driven workflow, care management and patient engagement are wide open for innovation.
- Population health management vendors now number nearly 100. The market is crowded.
- Best-of-breed companies still dominate the market.
- A push into services is going on, with software as a service pervasive.
- There has been an increase in investment in provider-focused care management tools, as opposed to older payer-centric care management tools. In other words, there is more reliance on underlying data platforms.
- Clinical and claims-based vendors continue to come together.
- While it is popular for vendors to claim to be the only company to allow providers to make data “actionable,” or triggering specific actions such as automated patient outreach, “no vendor has so far succeeded in truly redefining data-driven workflow and patient engagement on a large scale.”
August 26, 2014 1:15 PM
Posted by: adelvecchio
Todd Park
U.S. Chief Technology Officer Todd Park is expected to step down by year’s end — according to a report from Fortune.com. Park has served in his position since 2012 when he was appointed by President Barack Obama, replacing Aneesh Chopra. Previously, Park served as HHS CTO from 2009-2012.
The White House has yet to announce Park’s replacement. Park is planning to move to Silicon Valley by the end of this month, where he will continue to serve as CTO and focus on recruiting talent, Federal News Radio reported. Prior to accepting his post in Washington D.C., Park co-founded both health IT vendor athenahealth Inc. and Castlight Health Inc., an online healthcare information shopping service.
Park’s name was in the spotlight during the troubled launch of the national health insurance site Healthcare.gov. The site was slowed and crashed in the days following the commencement of insurance-exchange enrollment driven by the Affordable Care Act. Park stated that heavy traffic loads were responsible for the site’s malfunctions. More than eight million users visited the site over a four-day period and at times traffic exceeded 250,000 users per minute — a number that was four times greater than the official projection.
Park played a role in creating the Presidential Innovation Fellows program. The program was designed to bring in professionals outside of government and stimulate cooperation between them and federal innovators. In a blog post, Park wrote the program goals of the Innovation Fellows were to “save taxpayers money, fuel job creation, and improve the return government is delivering to the American people.”
One of the first five projects of the innovation program involved health IT, spreading the adoption of Blue Button, a system that allows patients to electronically access their health information. His hope was to spread Blue Button into the consumer realm, after the Veterans’ Administration found success in using Blue Button for ex-military patients who needed to move data between the Department of Veterans Affairs and civilian healthcare providers.