The Senate’s HELP committee passes S.1101, the Medical Electronic Data Technology Enhancement for Consumers Health Act (MEDTECH), which exempts several types of software from the FDA’s oversight as medical devices. The bill would prohibit the FDA from regulating EHRs, provider administrative systems, lifestyle apps, clinical lab testing software, and clinical decision support systems that don’t involve medical images or physiologic monitors.
From Blue Cheer: “Re: the PR firm’s case study on producing the HIMSS presentation of Jonathan Bush and John Halamka. The link you posted doesn’t work.” It appears the PR company pulled down the self-congratulatory article, but you can read “HIMSS 2016: The Power of a Well-Crafted Keynote” here via Google’s cache. It seems like glossy over-preparation using expensive PR people and the Athenahealth communications team, but at least J&J must have been well prepared.
From ac360: “Re: Community Health Systems. The newly promoted SVP/CIO appears to have been fired from EMC in 2002 for falsifying sales to earn bonuses and billing EMC work from a company he himself owned and not turning the money over to EMC. CHS must not have done much of a background check.” I’ll decline to comment since I don’t know anything other than what the 2002 WSJ article says. Firing someone – like filing a lawsuit that is later dropped — carries a minimal burden of proof and deprives interested parties of the chance to hear both sides of the story.
From Roy G. Biv: “Re: QuadraMed layoff. It was a barely double-digit RIF in R&D. Still, the company is losing customers and losing ground, so you might assume that a lower R&D priority signals a lack of aspiration to market relevance.”
From Long-Suffering Epic Director: “Re: Epic support problems. Epic 2015 is not live yet and we’re spending more time supporting it than Production. We have to drop everything because someone broke something, frequently when we loaded an urgent patch that would fix something. Frontline support wasn’t lacking in initiative 10 years ago. The people Judy and Carl have delegated to us in recent years seem more arrogant and less knowledgeable. We don’t get discussion about the problem and what can be done to fix it – we get speculation of what might be possible in a future release and a mélange of thoughts about what’s available in Model, what Kaiser does, and why can’t we be more like Model. What really sucks is that’s there is no real option. We’re dealing with a monopoly in this industry and the monopoly knows it.”
HIStalk Announcements and Requests
It’s a toss-up whether employers get their money’s worth in sending people to the HIMSS conference. New poll to your right or here: what kind of keynote speaker would you most like to see at the conference? Vote and then click the poll’s Comments link to suggest specific people or to add a category that I missed.
From another poll I ran, two-thirds of respondents say their companies didn’t make any sales in the past year as a result of exhibiting at HIMSS15. I used to cross-reference the current year’s list of exhibitors with the one from the previous conference to identity the exhibitors that didn’t think it was worth it, that went out of business, or that were acquired and no longer exist under their previous name.
Welcome to new HIStalk Platinum Sponsor TelmedIQ. The Seattle-based company offers a secure healthcare communications hub that brings together physicians, nurses, care administrators, and clinical technologies to improve patient care coordination. TelmedIQ simplifies clinician workflow through real-time messaging, quick access to contacts and groups, and the ability to set up workflows so that messages automatically go to the right person at the right time. It integrates with EHRs, on-call scheduling systems, and other systems to make clinical information available with just a swipe and a tap. Customers can replace “page and pray” pagers by turning any Android or iOS device into a secure, two-way mobile pager that can handle image files, audio, and video messages to individual users or to groups. Practices can take also advantage of a cloud-based medical answering service for after-hours coverage. The company offers a white paper on best practices for mobile secure text messaging. Thanks to TelmedIQ for supporting HIStalk.
Only 75 folks signed my petition asking HIMSS to adopt an anti-harassment policy for HIMSS17, so I’ll accept that as an endorsement of the status quo of self-policing. I’m surprised, given the significant number of attendees and poll respondents who expressed discomfort at the actions of others at HIMSS16, but I will defer to the majority.
A bunch of people have emailed me to say that their entire teams were sick after the HIMSS conference, usually complaining of sore throat, congestion, cough, and fatigue. Conferences offer the double whammy of breathing recycled airplane air and being squeezed in for a week with glad-handing strangers. It’s like putting your kid in a new daycare, where the herd carries less-defended bugs. All large conferences have this problem, although Las Vegas is probably the worst offender since attendees are forced to mingle with endless casino patrons just to get to and from conference events. There’s no solution other than washing your hands often, carrying and using hand sanitizer, and drinking a lot more water than you probably did there (especially given what the concession vendors charge for it). The “fist bump instead of a handshake” thing from the swine flu outbreak a few years ago was a good idea from a microbial standpoint, but didn’t catch on because it looks like a carefully groomed hipness affectation.
Monday is not just the usual Pi Day of March 14 (3.14) – it’s also correct to five digits at 3.14.16, although maybe that’s not as impressive as March 14, 2015 at 9:26:53.
I get a bit annoyed when I’m looking up someone’s LinkedIn profile to get a photo or previous employment for something I’m writing and they use LinkedIn’s messaging function to email me, “I saw that you looked at my profile. Can I help you?” like they caught me sitting on the hood of their car or something. If that bugs you, too, go to LinkedIn’s Manage Privacy & Settings, click the link labeled “Select what others see when you’ve viewed their profile,” and click the last option to go into complete private mode.
People are griping that Hollywood Presbyterian Medical Center was wrong to pay ransomware hackers $17,000 because that will encourage more such activity, but I disagree. It’s exactly like settling a nuisance lawsuit, which hospitals do all the time – if you can walk away unscathed for 1/100 of the cost of taking the risk that you can prove yourself right, that could be a good business decision, especially since patients were being affected. Some thoughts:
- The hospital’s systems had been down for more than a week, making it obvious that it couldn’t simply restore backups. Plus, the clock was ticking — ransomware usually sets a short time limit to pay up before the data is permanently destroyed and the amount increases every day until then. It’s a brilliant way to immediately monetize cyberhacking in a way that can scale infinitely.
- The hospital’s lack of a technical defense was moot by then – no amount of 20-20 hindsight was going to get their systems back. They had only one option. It’s like losing a storage system and then finding that your backups can’t be restored, except in this case, the backups were available, but just not for free.
- I doubt that the ransomware specifically targets hospitals, although I would be interested in how the software determines how much ransom to charge – maybe it’s based on the number of servers it finds on the network or something like that. No individual PC user would pay $17,000, so either the malware auto-detects the extent of infrastructure or the hacker manually steps in to determine the required toll.
- The hospital is also darned lucky that the anonymous hackers didn’t just take their money and walk away without restoring its systems.
- If the hospital didn’t completely rebuild its systems and networks, the hackers probably left themselves a back door by which to turn their one-time extortion license into a recurring revenue stream.
- For every public report of ransom demands being paid, at least 100 companies keep it quiet since it’s bad PR and maybe even illegal to be paying cybercriminals. The only reason the handful of high-profile examples came out was because the affected organizations had to explain to their public customers why their physical services were limited. We would never know if a hospital was hit by ransomware and simply paid up quickly and moved on, just like we don’t know how many of them routinely pay off frivolous nuisance lawsuits.
- Law enforcement isn’t going to be much help. They won’t be able to identify the hackers who are likely outside of US jurisdiction anyway and the amount of money demanded is too low to excite them.
- Cybercriminals are getting smarter in distributing their malicious email attachments and Office macros in emails that include the personal details of the recipient, often getting even cautious users to open attachments that claim to be a Fedex shipping receipt or an invoice that includes their name or address in the email body. When the payout is as high as the $17,000 that Hollywood Presbyterian paid, it is economically feasible for hackers to target specific hospital employees, Google their personal details, and email them directly with convincing emails. It’s no longer safe to assume that malware-containing emails will be laughably poorly composed with misspellings, fractured English, and obvious scam themes involving Nigerian princes or big inheritances. Ransomware could conceivably kill conventional email in which anyone who knows an email address can send anything they want to the recipient.
- Antivirus software vendors seem to struggle to keep up with malware variants. I was thinking that an enterprise solution might be to move all attachment-containing emails from untrusted senders (as defined by users) to a quarantine. Otherwise, once the email hits someone’s inbox, it’s probably going to be opened. A big challenge, though, is that anyone checking their personal email at work via a browser is bypassing much of the IT protective infrastructure. Ransomware can also be spread in from just visiting an infected website, perhaps leading us back to those early Internet days when IT departments used Websense or other filtering tools to block unapproved sites by default.
- Health systems should be huddling together right now to develop best industry practices for combatting ransomware, including ways to make sure that backups and mirrored data copies aren’t infected. We’re going to see a lot of ransomware attacks in 2016.
More members of the Greatest Musical Generation have left us, with the fifth Beatle George Martin and the amazing Keith Emerson of The Nice and Emerson, Lake, and Palmer passing away last week.
Mr. Lincheck sent photos of the robotics makerspace he created in the library using the Lego Mindstorms kit we provided in funding his DonorsChoose grant request. He held a box-unpacking ceremony when it arrived, adding that the students “sqealed and oooed” with every flap that was opened and have since built several robotics items and “do not want to stop.”
Also checking in was Ms. Norman from Utah, who is using the monitor and wall mount we provided to present students with information about graduation requirements, health screenings, and grades in multiple languages so she can “communicate to those otherwise that might have felt unappreciated or ignored.”
Last Week’s Most Interesting News
- McKesson sells its ambulatory PM/EHR products to E-MDs.
- Aetna lays off a significant percentage of employees working on iTriage and merges that business unit with its WellMatch business.
- A study finds that doctors spend 785 hours per year on quality measure reporting.
- Ambry Genetics makes the de-identified genetic data of 10,000 cancer patients available to researchers and decries the data-hoarding practices of its genetic testing competitors.
- The VA says it is reassessing its previous decision to stick with its self-developed VistA system, saying previous IT management failed to develop a sound strategic plan.
- A study finds that telemonitoring of discharged CHF patients didn’t reduce readmissions.
March 16 (Wednesday) noon ET. “Looking at the Big Picture for Strategic Communications at Children’s Hospital Colorado.” Sponsored by Spok. Presenters: Andrew Blackmon, CTO, Children’s Hospital Colorado; Hemant Goel, president, Spok. Children’s Hospital Colorado enhanced its care delivery by moving patient requests, critical code communications, on-call scheduling, and secure texting to a single mobile device platform. The hospital’s CTO will describe the results, the lessons learned in creating a big-picture communication strategy that improves workflows, and its plans for the future.
March 16 (Wednesday) noon ET. “The Physiology of Electronic Fetal Monitoring.” Sponsored by PeriGen. Presenter: Emily Hamilton, MDCM, SVP of clinical research, PeriGen. This webinar will review the physiology of EFM – the essentials of how the fetal heart reacts to labor. The intended audience is clinicians looking to understand the underlying principles of EFM to enhance interpretation of fetal heart rate tracings.
March 22 (Tuesday) 2:00 ET. “Six Communication Best Practices for Reducing Readmissions and Capturing TCM Revenue.” Sponsored by West Healthcare Practice. Presenters: Chuck Hayes, VP of product management, West; Fonda Narke, senior director of healthcare product integration, West Healthcare Practice. Medicare payments for Transition Care Management (TCM) can not only reduce your exposure to hospital readmission penalties and improve patient outcomes, but also provide an important source of revenue in an era of shrinking reimbursements. Attendees will learn about the impacts of readmission penalties on the bottom line, how to estimate potential TCM revenue, as well as discover strategies for balancing automated patient communications with the clinical human touch to optimize clinical, financial, and operational outcomes. Don’t be caught on the sidelines as others close gaps in their 30-day post discharge programs.
Contact Lorre about our post-HIMSS webinar sale.
Acquisitions, Funding, Business, and Stock
Cleveland’s Global Center for Health Innovation, a taxpayer-funded project intended to to boost tourism in which HIMSS is the major tenant, hires an outside firm to try to fill the 15 percent of its space that is vacant. The new plan calls for the money-losing building to be used as collaboration space between providers and vendors. The Center’s upcoming events schedule lists only two short lectures.
UnitedHealthcare launches a startup health insurance company called Harken Health, which focuses on individual coverage with unlimited, no-co-pay visits to PCPs who practice in the health centers it owns. Harken Health offers its policies on Healthcare.gov to residents of Atlanta and Chicago and plans to expand. It offers health coaching and classes and says healthcare needs fixed because “For far too long, the healthcare system has valued efficiency over empathy.” It sort of feels like McDonald’s opening a farm-to-table fine dining restaurant in a carefully crafted marketing ploy intended to steal business back from nimbler and more creative competitors, but we’ll see where it goes.
Government and Politics
Reuters names its top global innovators in government, with HHS taking fourth place overall and earning the top spot among the six US winners because of the contributions of its research arms (NIH, CDC, FDA, and the Public Health Service). The VA was #12.
Oracle sues HHS, demanding that it investigate the failed Cover Oregon insurance exchange, which Oracle sued for unpaid bills and by whom it was sued in turn for creating a flawed exchange. The company says the state’s actions are politically motivated.
Privacy and Security
Four PCs at Canada’s Ottawa Hospital are infected by what sounds like ransomware. The hospital was apparently successfully in simply reformatting the hard drives of the infected devices.
Doctors treating the Germanwings co-pilot who intentionally crashed a passenger jet in the French Alps thought he was potentially dangerous due to his long history of psychiatric illness, but decided they could get in trouble for reporting him under Germany’s strict privacy laws. Doctors in general blame their reluctance to alert authorities on lack of a formal definition of “imminent danger” and “threat to public safety.”
The folks from our nearby HIMSS conference booth neighbors Access sent over a photo of themselves temporarily kidnapping my standee for a photo op. Lorre says a lot of people dropped by our micro-booth to pose for selfies with the smoking doctor cutout, which amuses me in thinking of otherwise responsible adults beaming with their arms around cardboard.
A physician’s op-ed piece in the New York Times describes the feeling of reading the obituaries of patients who got so little of her time as a busy hospital resident, allowing her to see them as the people they were before they became patients. It made me wonder if one of the many standard intake and history forms shouldn’t ask more questions about the person filling them out – their accomplishments, aspirations, relationships, and values. The trouble would be that providers aren’t paid to read them, so they probably wouldn’t.
I’ll predict that we will hear a great deal this year about self-assessment health surveys. Consider the SF-36 health survey form, which asks people questions about their perceived level of health in covering areas such as their activity level, pain, and emotional issues. Insurers and providers need a non-encounter based early warning system for problems in patients whose health they are financially rewarded for maintaining. They could learn a great deal by asking these questions 2-4 times per year. Smartphone apps — instead of obsessing with conveniently measurable but nearly medically worthless data points such as steps walked — could administer an SF-36 type quiz at predetermined intervals to establish a baseline, then alert the user and their provider that their self-perceived health is slipping. Maybe the user automatically gets a coupon for a free Starbucks coffee or something like that for taking the time to give their provider an update. Creating such an app would be very easy, with little R&D required and no FDA issues to address. Patients know their health better than any EHR or provider, so it’s ridiculous to ignore their perceptions or to expect them to articulate them in a rushed office visit. This information would be a lot more useful than patient satisfaction surveys that end up being gripe sessions about parking lots, receptionist personality, and waiting rooms.
- TierPoint hosts a March Madness event March 18 in Charlotte, NC.
- Valence Health offers the business and technology roadmap it presented for provider-led health plan startups at the Provider-Led Health Plan Forum.
- Verisk Health will exhibit at Employee Healthcare Conference West March 16-18 in San Diego.
- Huron Consulting Group will exhibit and speak at the 2016 ACHE Congress on Healthcare Leadership March 14-17 in Chicago.
- WeiserMazars CEO Victor Wahba offers advice for young professionals.
- OTC = Safe? Why We Need to Ponder Pediatric Dosing Issues, Part 1 (First Databank)
- Monthly Melton: Unexpected (T-System)
- Female Leaders at VitalWare Share on International Women’s Day (VitalWare)
- HIMSS16 was a hit. (Voalte)
- Avoiding CMS Penalties – and Capturing New Revenue Streams – Through Proactive Patient Outreach (West)
- How Social Services and Healthcare are Linked (Xerox)
- HIMSS Conference Takeaways (ZirMed)
- The Secrets to Deploying, Updating, and Maintaining Evidence-based Guidance (Zynx Health)
- Adopting – and Adapting – to the CJR Payment Model, Part 1: Before the Inpatient Stay (XG Health Solutions)