
Community Blog

September 11, 2013  10:40 AM

Avoid Tootsie Pop security, practice defense in depth

Posted by: adelvecchio
defense in depth, network security, security information and event management

Guest post by Michael Mathews, PhD, president and COO, CynergisTek, Inc.

This is part two of a four-part series of posts where I look at perimeter security, network security, host security, and finally administrative security as distinct elements in overall information security architecture and the best way to evaluate the current state of each.

A standard question we ask when working with clients is how they go about assessing their organization’s information security architecture. Previously, we examined the perimeter and how to address perimeter security in an ever-changing technical environment. The second element, working our way from the outside of the network to the inside, is what we call network security. Network security and segmentation are often deemed unnecessary in the modern switched network, since many associate segmenting the network with performance-optimization exercises rather than with a security feature. But this is actually the first place where the tenet of defense in depth starts to take shape within an enterprise architecture.

Early in the history of the Internet, it was rare to find a firewall or “bastion host” in place. When these became commonplace, it created the “Tootsie Pop” model of network security — defense with a hard, crunchy outside and a soft, chewy inside. Adding structure and implementing access controls to the internal network doesn’t need to create an overly complex maintenance nightmare to provide a simple, yet effective, added layer of security to the architecture. The fundamental premise behind the idea is that certain assets deserve more consideration than simply being on the inside of a “trusted” network. Studies have long shown that more than 80% of security incidents involve insiders (a huge and very timely case in point being Edward Snowden). Creating additional zones of security within the internal network that have basic access control in place to help safeguard more important information assets goes a long way toward the goal of defense in depth.

In addition to carving out areas of the network that have tighter access controls in place, network security also includes technical tools such as network intrusion detection/prevention, event correlation and security information and event management, data loss prevention, encryption of sensitive data in transit, etc. Unlike the evolving nature of the perimeter over time, what we consider the internal network does not evolve quite as fluidly, but the technologies to help us police and defend it are definitely constantly evolving. For that reason, staying on top of the “bleeding edge” technologies is important to see what the next generation of tools for network security will bring, while still focusing on current generation tools to help address current threat vectors.

An important note here is that controls in this arena should never be evaluated simply on the basis of “Is this a duplication?” but viewed as a question of “How can we augment a capability existing at a different layer in our architecture?” Provided the controls are not completely overlapping, but complementary in nature, the results should help further the goal of defense in depth as well as provide additional tools, data/metrics, and capabilities to the organization.
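As an added example (not code from the original post or from CynergisTek), the following Python models the two designs the post contrasts: a flat “Tootsie Pop” network where any inside host can reach any inside asset, beside a zoned policy with explicit allow rules between zones. Zone names, host names and ports are constructed for illustration.

```python
"""Zone-based access control for the internal network (added example).

Contrasts the flat "Tootsie Pop" model (hard perimeter, soft inside) with a
segmented policy that puts PHI-bearing assets in their own zone behind
explicit allow rules. Zone/host names and ports are constructed, not real.
"""
from dataclasses import dataclass, field

UNTRUSTED = "untrusted"  # everything outside the perimeter firewall


@dataclass(frozen=True)
class Rule:
    """One allow rule: traffic from src_zone to dst_zone on the listed TCP ports."""
    src_zone: str
    dst_zone: str
    ports: frozenset


@dataclass
class Policy:
    name: str
    host_zone: dict                 # host name -> zone the host sits in
    rules: list = field(default_factory=list)
    trust_inside: bool = False      # True reproduces the flat "trusted inside" model

    def is_allowed(self, src_host, dst_host, port):
        """Decide whether src_host may open a TCP connection to dst_host:port."""
        src, dst = self.host_zone[src_host], self.host_zone[dst_host]
        if src == dst:
            return True             # same-segment traffic is not mediated here
        # Flat model: once inside the perimeter, everything inside is reachable.
        if self.trust_inside and UNTRUSTED not in (src, dst):
            return True
        # Otherwise (perimeter crossings, and every inter-zone flow in the
        # segmented model) an explicit rule is required.
        return any(r.src_zone == src and r.dst_zone == dst and port in r.ports
                   for r in self.rules)


def exposing_zones(policy, asset_host, port):
    """Zones (other than the asset's own) holding at least one host that can
    reach asset_host on port. A long list means the asset is protected by
    the perimeter alone rather than by an inner layer of access control."""
    asset_zone = policy.host_zone[asset_host]
    zones = set()
    for host, zone in policy.host_zone.items():
        if zone != asset_zone and policy.is_allowed(host, asset_host, port):
            zones.add(zone)
    return sorted(zones)


# Constructed inventory: one untrusted host, two workstations, an EHR
# application server and the PHI database it fronts.
HOSTS = {
    "internet-scanner": UNTRUSTED,
    "ws-nursing-01": "user-lan",
    "ws-billing-02": "user-lan",
    "ehr-app-01": "clinical-app",
    "ehr-db-01": "phi-data",
}


def flat_policy():
    """Hard crunchy outside, soft chewy inside: no rules between inside zones."""
    return Policy("tootsie-pop", dict(HOSTS), rules=[], trust_inside=True)


def segmented_policy():
    """Defense in depth: workstations reach the app tier only, and only the
    app tier reaches the database. Nothing else is allowed across zones."""
    rules = [
        Rule("user-lan", "clinical-app", frozenset({443})),
        Rule("clinical-app", "phi-data", frozenset({5432})),
    ]
    return Policy("segmented", dict(HOSTS), rules=rules)


if __name__ == "__main__":
    for policy in (flat_policy(), segmented_policy()):
        print(f"{policy.name}: zones that can reach ehr-db-01:5432 ->",
              exposing_zones(policy, "ehr-db-01", 5432))
```

In the flat model a compromised workstation reaches the PHI database directly; in the segmented model only the application zone can, so a workstation compromise must first cross a second control point.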

September 4, 2013  12:29 PM

Part 2: HIPAA at the edge: Preparing for interoperability

Posted by: adelvecchio
application programming interfaces, electronic data interchange, Interoperability, NIST

Guest post by Ruby Raley, director of healthcare solutions, Axway

In the eighties, when organizations first used electronic data interchange (EDI) to open up integration at the enterprise’s edge, systems weren’t exactly agile — organizations had to recompile, retest, and re-engage with their partners whenever anything was updated.

Enterprise application integration (EAI) and business process management emerged in the nineties, and organizations were able to reuse the interfaces they offered their partners.

EAI was succeeded by service-oriented architecture (SOA) in the next decade. SOA made collaborating web services — like simple object access protocol — possible.

But even SOA had problems. Architects had to build a framework that developers had to be trained in, and whole libraries of interfaces and structures had to be set up. Only a mature IT organization could use it as an agile, cost-effective long-term option.

Today representational state transfer (REST) is the new de facto architectural model for mobile enablement, cloud enterprise enablement, and for reusing enterprise service capabilities on new endpoints. Unlike SOA, REST:

  • Doesn’t have framework-knowledge demands
  • Allows the enterprise to enable a user at the edge to use an endpoint to deploy services and issue commands (i.e., get, put, post, and delete)
  • Is stateless
  • Features caching
  • Enables layers
  • Uses less bandwidth
  • Scales to billions of conversations

All of these enhancements call for application programming interfaces (API) management and platforms — a suite of analytics, traffic control, and performance tools that offer the best ways for your organization to:

  • Ease its way into this new world
  • Reconcile the legacy of old SOA services, old remote procedure calls, and legacy EDI structures to meet the demands of mobile and cloud
  • Build out a reliable, centrally-manageable structure
  • Govern APIs during the development lifecycle and in operations

To make the most of API, you must first map out your current policies, determine what’s missing, and do a risk assessment using the National Institute of Standards and Technology guidelines. You’ve got to ensure that policy was respected, adhered to, and used correctly, and that your network can successfully sustain the scrutiny of an audit — the hallmark of effective governance.

Next, you must issue credentials. Recognize, however, that credentialing is now a much more complicated issue than ever before, and that you’ll need to decide which manner of credentialing is right for your organization. Will you:

  • Use secure email attachments with a health information service provider (HISP) to enable users to securely share documents?
  • Use an online certificate status protocol to validate a healthcare provider’s good standing and their HISP membership?
  • Use federated IDs to allow a healthcare provider to log in with the same credentials they use to log into their own network?

There are a variety of security protocols, alignment, and brokering tasks to consider, and they all fall into a common pattern. When you understand that pattern, the value of API management and platforms will be clear.

Once all of the above is in place and a foundation is set, you’re ready for interoperability: the holy grail of health IT. In my next post, I’ll explore how an organization can use a multiphase-delivery roadmap to chart a course to a future where connected, collaborative-care communities can engage their patients’ healthcare activities and ensure that primary care providers always have up-to-date information.

August 28, 2013  10:59 AM

Mind your Ps and Qs to make use of big data in healthcare

Posted by: adelvecchio
Affordable Care Act, Big data, HITECH Act

Guest post by Anil Jain, M.D., senior VP and chief medical information officer, Explorys, Inc.

I’m sure you’ve heard the expression “mind your Ps and Qs.” Now, I’m not asking you to mind your “pints and quarts” from where this old English pub expression is thought to have originated, but rather the Ps and Qs in aligning big data in healthcare.

The first set of Ps: Value-based care (i.e., outcomes-based rather than volume-based reimbursement) has created a use case for greater alignment between the provider, payer and plan for the betterment of the patient. But let’s not forget pharmaceutical and product manufacturers. As industry embraces pay-for-performance, there is a desire to demonstrate cost effectiveness and outcomes to achieve reimbursement. The alignment between these Ps theoretically will increase effective care, outcomes and satisfaction while reducing redundancy and ineffective treatment. These Ps will generate vast amounts of big data — defined by the three Vs: volume, velocity and variety. At Explorys, we will occasionally add veracity and value.

Data alone will not lead to this alignment. Here we need a second set of Ps: People, process and politics. The various stakeholders need to work at developing several joint processes that drive towards a common politically-attainable, appropriately and credibly-priced product.  Perhaps in a value-based healthcare economy — price is another “p.” Examples I’ve seen that try to align the two sets of Ps include programs where pharmaceutical companies and payers come together to support disease management among diabetics, asthmatics and chronic pulmonary obstructive disease patients to supply otherwise expensive therapeutics and diagnostics, collect much needed patient reported outcomes and educate patients and providers.

Our data suggests that as many as 10-15% of diabetics and perhaps 25% of hypertensive patients may have unrecognized diseases. These patients are not identifiable for intervention by providers in disease management programs until much later in their disease course and are not available for drug treatment, something that has been noted by pharmaceutical companies. Patients, providers, pharma and payers clearly have an interest in earlier recognition of illness. There is compelling data which suggests that delayed diagnoses lead to greater mortality, morbidity and associated health expenditures. A unified healthcare big data platform that aligns these Ps and respects the politics (i.e., data governance) is critical to successfully identifying these opportunities in real-time.

However, aligning these sets of Ps and a unified data platform is not easy and has been the crux of portions of the Affordable Care Act and interoperability standards promoted by meaningful use part of the HITECH provisions of the American Recovery and Reinvestment Act of early 2009. Promoting EHRs, programs such as accountable care organizations, shared savings programs, bundled care initiatives, patient centered medical homes and patient centered outcomes research institute is a start, but there is still a great deal of work that needs to be done to further this alignment.

If done well, what do we get if we mind our Ps? We get to mind our Qs: Quality and qost. Now, I cheated with the spelling of qost (i.e. cost) but you get the idea.

August 21, 2013  10:18 AM

Avoid making your mobile health app a PR disaster

Posted by: adelvecchio
mhealth apps, Mobile applications, Patient portals

Guest post by Zachary Landman, M.D., chief medical officer, DoctorBase

It’s quite clear that patients and physicians alike are demanding mobile access. “A mandate has been issued and progressive vendors are reacting,” reports Doug Brown, managing partner of Black Book Market Research, in response to a growing body of evidence suggesting fast paced growth in the mobile application industry. No matter what metrics are cited, whether it is a 500% increase in mobile healthcare applications by the end of 2014 to predictions of 500 million mobile healthcare users by the end of 2015, the market is growing extremely rapidly. In fact, the federal government just released the Research and Markets mHealth trends report that shows the industry is poised for a compound annual growth rate of 61% by 2017, ultimately reaching a value of $26 billion.

While rushing to address patient and physician concerns, numerous healthcare vendors have delivered patient portal applications that are poorly adopted and receive scandalous reviews. This has damaged their brand and caused irreversible harm.

John Sung Kim, CEO at DoctorBase, which specializes in mobile portals and patient engagement, notes that “many healthcare provider organizations, being new to the world of smartphone apps, don’t fully comprehend the amount of marketing, testing and UI [user interface]/UX [user experience] that needs to go into the successful rollout of any business-related app.”

Take, for example, two large industry titans who recently unveiled their mobile portal applications in the iTunes store. Without delving into the specifics of each application, four main themes of failed portal application rollout are evident.

Branding – The name of the healthcare portal may appear to be an insignificant aspect of the overall development. However, when 63% of users find the apps they later install by searching the App Store for a specific app, naming becomes of the utmost importance.  For example, a large West coast healthcare vendor recently released an app that goes by an acronym that is also a commonly searched term on, where it means vigorous intercourse — probably not the best way to engage the next generation of patients.  Furthermore, the app is being aggressively marketed in digital and print media as the acronym.

The app’s logo in the iTunes store simply displays the acronym, which would be fine, except that when patients go to search the acronym, no results populate. This is because in the iTunes store, the app is listed under its full name. As you can imagine, it is a PR nightmare. After significant development and marketing expenditures, the app has had poor patient adoption and an (unfriendly) viral campaign regarding its name — not the best way to kick start your mobile platform. The most effective way to sell your product is to be simple. You should instill a sense of trust, health, and empowerment in your customers, and your product should be easily searchable.

Usability – Frequently, mobile applications are too difficult to routinely use. While security is important, complex and lengthy registration requirements requiring novel usernames and passwords not only lead to fewer single-use registrations, but they lead to far fewer re-engagements as patients misplace or forget their credentials. Health vendors, physician groups, and any other group marketing healthcare apps looking to steer patients toward mobile communication should clearly direct patients to the portal or download link on the welcome page. That should be followed by a seamless registration process that permits integration with previously created social media sites such as Facebook, etc. The longer and more difficult it is to register the first time, the less likely it is that patients will revisit.

Functionality – The key to any mobile portal or application is its substance. How and, more importantly, why patients access your portal is a fundamental question. Communication is a key issue that I hear about time and time again from patients. Medical records and lab results are nice features that are rarely used. Without context and guidance, they’re meaningless, anxiety provoking or worse. Patients want to communicate with their physician, physician’s extender, and the office.

Appointments, questions, and advice are all fundamental aspects of true portal functionality. However, true functionality also implies adoption by the provider team and a system of closed loop communication that confirms patients received the information and services they desire. Before rolling out a patient-focused app, significant time and energy should be spent educating the healthcare teams responsible for how mobile messaging will improve their care and save time and money.

Reliability – This is simple. Rolling out apps prior to sufficient end user testing only leads to disasters. Develop. Test. Beta Test. Run it on multiple platforms. Use target audiences. Limit questionable features at the outset. Users are incredibly skilled at finding flaws and breaking your product. Users are the “Jedi” of mobile app crashers. Regardless of the number of tests or how many iterations of testers were used, they will somehow use “the force” to find flaws in engineering and coding. And as we all know, a crashed app will lead to angry users and a tarnished brand. Patients correlate errors in IT with errors in medical records, electronic communication, and substandard care.

While there is no magic bullet for effective mobile app creation or marketing, following certain principles will help avoid common and damaging pitfalls. Use commonly searched and appropriately spelled words for improved app store searchability, limit user registration to fewer than three clicks (four at the most) to limit the amount of end user activation energy. The development timeline should be geared toward a multiplatform user experience, and you should ensure that it’s safe, secure, and reliable.

Zachary Landman, M.D., is the chief medical officer for DoctorBase, a developer of scalable mobile health solutions, patient portals and patient engagement software. He earned his medical degree from UCSF School of Medicine. As a resident surgeon at Harvard Orthopaedics, he covered Massachusetts General Hospital, Brigham and Women’s Hospital and Beth Israel Deaconess Medical Center.

August 13, 2013  9:43 AM

CDS vs. diagnostic tools: Which is better at eliminating diagnostic errors now?

Posted by: adelvecchio
CDS, clinical decision support, IBM Watson

Guest post by Peter Bonis, M.D., vice president of product strategy of UpToDate, part of Wolters Kluwer Health

There are two issues related to diagnostic error upon which much of the medical community has achieved consensus: It is a pervasive and potentially deadly problem and health information technology holds great potential for reducing harm related to an incorrect diagnosis.

Indeed, several tools have already been developed and ongoing advances in computational science may ultimately produce approaches that surpass the best human cognitive skills. Advanced technology such as IBM’s Watson offer a provocative glimpse at how computers and human caregivers could one day interact to improve the quality and safety of care.

However, the question remains when technology will achieve such a vision. Current commercially available tools that can assist in generating a differential diagnosis have not yet proven to be highly effective in reducing the burden of diagnostic error in clinical practice. There are a number of limitations to existing technology and the way in which it can be incorporated into the workflow. In fact, many of these systems received a barely passing grade in a study published in December 2011 by the Journal of General Internal Medicine.

Furthermore, helping clinicians achieve a comprehensive differential diagnosis (and ultimately a correct diagnosis) represents only a subset of the opportunity that health IT has to offer in reducing cognitive errors. Multiple studies have demonstrated that two out of every three clinical encounters generate a question that, if answered, would change five to eight care management decisions each day. Unfortunately, only 40% of questions are routinely answered, and sometimes not with the best, most current medical knowledge. Existing clinical decision support (CDS) tools not only assist clinicians in generating a differential diagnosis, but they also address the broader need for cognitive support in diagnosis and management-related decisions.

CDS allows clinicians to answer approximately 90% of their questions. Dozens of studies have demonstrated a link between CDS and clinically substantial changes in diagnosis, management and acquisition of medical knowledge. CDS has been directly linked to improved health outcomes, including shorter patient stays in hospitals and lower mortality rates. It has a proven impact on increased quality, safety and efficiency of care by providing actionable, detailed, evidence-based answers to clinical questions at the point of care.

Proper care cannot be achieved without a correct diagnosis. Better tools and changes to workflow will continue evolving to reduce potentially tragic outcomes associated with diagnostic errors. However, the dialogue surrounding what is still evolving — differential diagnosis software — should not overshadow what is already here: CDS at the point of care.

August 7, 2013  11:10 AM

Mobile capture apps key to improving healthcare

Posted by: adelvecchio
iPad, mHealth, mhealth apps

Guest post by Drew Hyatt, vice president, mobile applications, Kofax

With the widespread adoption of mobile applications for everything from business productivity to reference information to entertainment, the first mobile healthcare applications — primarily diet and exercise trackers — hardly seemed like a revolution. But mobile healthcare has rapidly developed to include highly sophisticated remote patient monitors, video conferencing, online consultations, personal healthcare devices such as heart rate monitors, and wireless access to patient records and prescriptions.

The potential of smart mobile capture solutions to improve healthcare is enormous, both in terms of patient benefits and cost savings. A new report from the Groupe Speciale Mobile Association, in collaboration with PricewaterhouseCoopers [1], found mobile healthcare could save $400 billion in healthcare costs over the next five years.

Another report from Deloitte LLP [2] predicts that remote monitoring technologies will save nearly $200 billion over the next 25 years by managing chronic diseases in the U.S. Mobile-based healthcare applications can reduce medical visits by 10% by monitoring patients for emergency indicators. The research also indicates that home monitoring could replace face-to-face meetings, which could provide as much as 25% in savings and offer a clear improvement in patient experience.

Mobile healthcare is also used to train medical professionals. As part of the iMedEd Initiative at the University of California at Irvine School of Medicine, each student is issued an iPad with digital access to course information, including electronic textbooks, diagnostic tools such as digital stethoscopes, and mobile ultrasound units. The iPads can also access patient medical records within the limitations of an encrypted security system. [3]

Perhaps one of the greatest contributions of mobile healthcare is in developing countries, where there is support for ad hoc and manual versions of automated systems that are commonly used in the developed world.

Francis Collins, M.D., National Institutes of Health director, sees universal benefits in developing countries. According to Collins, “Many opportunities to improve health very much depend upon cell phone technologies, since cell phones are so rapidly expanding in many parts of the world that otherwise don’t have much access to communication.” [4]

Given that 80% of the world’s population has access to a mobile device [5], recent interest and investment in mobile healthcare applications is bound to spark new innovation.

Smart mobile apps deliver significant value to enterprises and agencies embracing mobility. They also provide a distinct advantage to health organizations and medical professionals looking to improve the accuracy of captured patient information while maintaining document security and chain of custody. These solutions turn a smartphone or tablet into a sophisticated scanning device capable of capturing information and extracting critical data.

Smart mobile apps enable healthcare institutions to leverage their customers, constituents, and employees as contributors and participants in the care process, leading to better engagement and patient care.

1. Connected Life: The impact of the Connected Life over the next five years; II. mHealth, Saving Lives and Money, PricewaterhouseCoopers Private Limited, February 2013

2. mHealth in an mWorld: How mobile technology is transforming health care, Deloitte Development LLC, 2013

3. Greg Slabodkin, Mobile devices vital to education of medical students, February 17, 2013

4. Mobile Technology and Health Care, from NIH Director Dr. Francis S. Collins, NIH MedLine Plus Magazine

5. mHealth, McKinsey and Company

August 1, 2013  11:57 AM

Assessing information security architecture

Posted by: adelvecchio
information security

Guest post by Michael Mathews, PhD, president and COO, CynergisTek, Inc.

A standard question we ask when working with clients is how they go about assessing their organization’s information security architecture. An integral part of our risk assessment engagements is a thorough architecture assessment. We like to explain it as working logically from outside of the organization to the inside, all the way up to executive management. In a four-part series of posts, I’ll look at perimeter security, network security, host security, and administrative security as distinct elements in an overall information security architecture and explain the best way to evaluate the current state of each.

Perimeter security is likely the most familiar concept in information security, as most people have at least heard of a firewall and the resulting concept of trusted and untrusted networks. But as time passes, the topic of perimeter security evolves too. At its core, perimeter security seeks to protect an organization from threats outside its four walls (including virtual location walls). Since the birth of the Internet, security professionals have been focused on the threats associated with connecting our systems to a larger, untrusted network, but the ever-evolving nature of technology means that along the way, the definition of the “perimeter” has expanded.

Not only have organizations become more virtualized in their locations and employee office allowances/expectations, but with the introduction of radio waves and the widespread adoption of WLAN technology, even the concept of ingress/egress has changed drastically. Focus on enterprise-wide authentication and authorization for access to the radio waves became paramount in an effort to construct virtual walls around this new, highly desirable technology.

Prior to WLAN becoming mainstream, points of ingress/egress were almost exclusively limited to the realm of “the telco” (i.e. WAN circuits and dial-up modems), which explains why almost all of us technical security geeks had to wear a part-time telco hat in addition to our full-time InfoSec hat. As “always on” connections became more ubiquitous, focus shifted from modems to virtual private networks, and again, the view and nature of the threat associated with the perimeter shifted. No longer was it safe to assume that an authenticated remote user was a known commodity or that he was alone in his access to the network. Access control higher up the open systems interconnection stack was now a permanent fixture in the discussion around remote access.

Given these few examples, it’s easy to picture the definition of the perimeter continuing to evolve over time. In fact, it would be naïve not to recognize that. The most important part of evaluating perimeter security — as part of an overall enterprise architecture assessment — is to recognize that because of technology advances the definition of the perimeter is subject to change faster than any other single element within the architecture. Being open to and knowledgeable about what currently comprises the perimeter, as well as its security best practices are key elements to ensuring a thorough information security architecture assessment.

July 19, 2013  1:00 PM

Know your mobile data blind spots: Keys to increasing outcomes

Posted by: EmilyHuizenga
Mobile devices, Network optimization

Guest post by Andy Willett, Senior Vice President, NetMotion Wireless

We all know about the rapid adoption rate of mobile technology in healthcare — and the positive impact it’s having on clinician productivity and patient care. However, as the number and scope of these mobile initiatives grows, organizations are becoming more reliant on the connectivity provided by public wireless networks. The problem? These networks sit in a blind spot, putting critical performance information out of sight.

Everyone knows that you can’t manage what you can’t see. For networking professionals, this has traditionally meant tapping into a large portfolio of products and services that provide visibility into how their internal wired networks and applications are performing. But cellular (or mobile broadband) networks are an exception.

While mobile healthcare workers rely on public cellular connections every day to serve patients, how these networks are performing is a huge blind spot for IT departments and support staff. The result is manual troubleshooting of dropped or poor connections, frustrated employees and operational procedures that don’t work as intended, putting an organization’s large investment in mobility at risk.

Survey identifies gaps in mobile networks

While some healthcare organizations might have a general understanding of where their weaknesses lie, a new study by Rysavy Research and NetMotion Wireless of more than 400 networking professionals from healthcare and other field-centric industries pinpoints exactly where many mobile deployments are coming up short.

The survey defined cellular data deployments as those where mobile employees are accessing mission critical applications in the field. Questions were limited to the usage of cellular data only (not voice) by employees on company-owned devices such as laptops, tablets or handhelds. Here’s what the respondents had to say:

Improving connection reliability was the primary challenge, cited three times more often than other requirements, including security and cost control. And, as we all know, in today’s mobile healthcare environment, without a reliable, high performing connection, clinicians aren’t armed with the information they need to do their jobs and serve their patients.

Respondents also cited a lack of tools to help troubleshoot connectivity problems, such as slow data transfers. In fact, more than half of the respondents reported they have no tools for troubleshooting cellular connections at all. Some respondents said they rely mostly on talking with the end user (“How many bars do you see now?”) or calling their carrier’s help desk. In short, they rely on anecdotal information, and lack any kind of analytical data or tools that will lead to improvements in connection quality.

A large number of respondents said they find the process of selecting a cellular carrier to be challenging, largely because they weren’t sure which carriers delivered the best coverage for their area. The generic coverage maps provided by operators are not enough to make a decision; they don’t reflect a healthcare organization’s unique mobile deployment profile, nor are they detailed enough. And conducting periodic drive testing is expensive, time consuming, and only captures a snapshot in time.

Additionally, 40% of respondents admitted it was difficult to track mobile inventory. This group complained about the time that manual methods like Excel spreadsheets can take and the lack of automated inventory tools. One-third report the problem is a lack of visibility into either the use of the modem, or the identity of the modem’s user.

Nearly half admitted they had no systematic method for gathering data on their cellular deployments. So when asked about their ability to measure certain aspects of cellular data use, including 2G/3G/4G usage, disconnection rates, application use and coverage quality, it wasn’t surprising that very few indicated they couldn’t measure any one of them. In fact, nearly one-half said they could not measure a single factor.

Solutions can improve mobile deployments

These findings confirm that healthcare organizations need the ability to gather real-world performance information. This is the only way they will be able to systematically measure, troubleshoot and optimize connectivity in the field, and ensure they are getting the most out of their mobile investments.

Some vendors have identified this gap and are bringing to market tools that IT staff can use to better monitor and optimize their mobile deployments. With these solutions, healthcare providers will be able to reduce IT support demands and extend technology and service contract investments, all while increasing employee productivity. To get started, providers need to ensure their mobility management strategies include the following capabilities:

  • Detailed visibility into network signal quality and the type of technology that is being delivered to field users
  • Reports that highlight adapters that are performing poorly
  • A granular view into what applications and processes are consuming your bandwidth
  • Tools that enable managers to take action centrally, without touching the mobile device, to fix connectivity issues

These capabilities provide the foundation from which healthcare organizations can understand definitively how well their mobile deployment is working, and ensure their field clinicians are always getting the best connectivity possible.

NetMotion is an enterprise mobility management software company that helps organizations address management and security challenges created when connecting mobile field workers to mission critical applications over wireless networks.

July 16, 2013  1:00 PM

Patient privacy: The BYOD risk in healthcare organizations

Posted by: Jenny Laurello
BYOD, byod security, Data breach, data breach security, Mobile devices

Guest post by Anders Lofgren, director, mobility solutions, Acronis

Few industries have it harder than healthcare when it comes to managing the influx of mobile devices in the workplace. Employees who bring in smartphones or tablet computers can cause a big problem for IT teams that are trying to ensure the confidentiality of patient data. Laptops can get hacked, iPads stolen and phones misplaced. With bring your own device (BYOD) so pervasive now, there’s a much higher risk of sensitive information being leaked.

One survey from nonprofit (ISC)² showed that many healthcare IT professionals feel they’re too understaffed to address new IT threats, with 59% saying that privacy violations are their biggest worry. In part, this is due to the growing number of healthcare workers embracing BYOD — especially now that 60% of physicians use their mobile phone in the workplace on a daily basis.

It’s not just IT that’s anxious about BYOD, though. Patients are also worried about employees using their own devices in healthcare facilities. According to a study from PricewaterhouseCoopers LLP, 39% of consumers are concerned that their caregivers are storing confidential data on mobile devices. This concern over BYOD means institutions that suffer data leakage could also suffer consumer backlash. Not only that, but keeping patient data as secure as possible — across all platforms — is becoming more important than ever, thanks to recent regulations.

The cost of a breach

There’s no question healthcare organizations have embraced BYOD, as 85% of hospitals allow employees to use personal devices at work. But this could prove to be a problem, as new regulations such as the meaningful use stage 2 compliance guidelines are putting more emphasis on secure electronic communications.

Thanks to these rules, facilities can expect more frequent and thorough audits. In September 2012, Massachusetts Eye and Ear Infirmary was fined $1.5 million by the Office for Civil Rights, because a laptop with patient data was stolen. If such stolen devices fall into the wrong hands, the consequences can be far greater than a simple fine.

Healthcare IT teams have to start thinking strategically about security if they want to safely accommodate BYOD habits. Banning mobile devices from a hospital network could hurt productivity and encourage employees to find less secure workarounds. Yet, it’s clear that something has to be done, especially considering so many mobile devices are leaving the office at night.

Healthcare organizations must find a way to empower employees’ use of mobile devices without risking patient privacy, security or data issues.

A new mobile world

This is where Mobile Device Management (MDM) comes into play. By mandating that all employees enroll their mobile devices in the hospital network, IT teams can see how employees are accessing and using their devices, making it easier to ensure that each one is in compliance with regulations.

Organizations should secure data with mobile file management (MFM), in addition to securing mobile devices. Doing so will enable IT teams to determine who can access sensitive files and how files can be used, putting a stop to the free-for-all exchange of data. Most importantly, MFM allows IT to perform remote wipes of sensitive information from mobile devices. This is helpful in cases where an employee is fired or resigns from an organization while still in possession of a device containing confidential data.

With BYOD firmly rooted in healthcare organizations across the country, implementing MDM and MFM policies can help maintain patient privacy, while ensuring that employees can keep using their mobile devices seamlessly and effectively.

July 12, 2013  1:00 PM

Transforming big data into laser-focused guidance

Posted by: Jenny Laurello
Big data, Data analytics, EHR

Guest post by Anil Jain, M.D., senior VP and chief medical information officer, Explorys, Inc.

Although slower than other industries, healthcare organizations have begun to embrace big data strategies in an attempt to become data-driven entities. And it’s no wonder — as time goes on, providers are facing more and more healthcare data.

Electronic health records, accountable care models and new technologies

First, the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs, funded by the American Reinvestment and Recovery Act in 2009, served as a catalyst for increased implementation of electronic medical records both in the ambulatory and inpatient setting. Recent statistics from the Office of the National Coordinator (ONC) indicate that EHR adoption has doubled over a one-year period, yielding significant data from EHRs.

Second, emerging reimbursement models and payment reforms (e.g. accountable care organizations) encouraged in the Affordable Care Act of 2010 have made it important for healthcare organizations to be able to quickly examine multiple pieces of data. The goal has shifted to maximizing quality and minimizing cost of the care, all the while maintaining the patient experience. Moreover, the alignment of physicians with hospitals and hospitals with other hospitals often requires integrating disparate data in order to get a full picture.

Finally, there has been an explosion of smart medical equipment (e.g. beds, intravenous pumps, telemedicine, implantable devices, patient portals, and imaging) that yield more and more data. As this voluminous data comes to a healthcare system with velocity and variety, traditional storage databases may not be enough to manage it, which is why organizations need a big data strategy.

Meanwhile, studies in the pre-personalized medicine era found that clinicians typically utilize two million pieces of information to manage patients. How can we sustain that, as even more data becomes available?

Making data useful

It seems storing and retrieving data is only the initial necessary component of a big data strategy. The other is the ability to rapidly analyze and present actionable information gleaned from big data. Just ask any clinician how challenging it is to find the actual recommendation from a typical progress/consult note (i.e. data) in an EMR.

Thus, the millions of beams of varying colored light that represent big data need to be strategically condensed to a few laser-beam-focused prescriptive analytics that tell the healthcare provider what must be done at what time for optimal care. For example, a heart failure readmission prediction model that incorporates hundreds of clinical and administrative pieces of patient-specific data to generate a recommended action at the time of admission or discharge would be more sustainable than a screen full of clinical data. Another example would be to combine data from a variety of sources, such as socioeconomic, adherence, compliance and clinical data, to intervene only on appropriate patients in a resource-sensitive care management program.

A successful big data strategy puts very little data in front of clinicians in exchange for prescriptive analytics backed up by actionable information.

Before coming to Explorys, Dr. Jain spent 16 years at the Cleveland Clinic, leading several health IT innovations, including programs to support research and quality informatics and creating interactive dashboards to monitor the meaningful use of electronic health records.
