
Readers Write: Answering Your Questions about Electronic Prescribing of Controlled Substances

October 29, 2014 Readers Write No Comments

Answering Your Questions about Electronic Prescribing of Controlled Substances
By David Ting


Last week, Imprivata sponsored a webinar with HIStalk about electronic prescribing of controlled substances (EPCS) during which we reviewed the DEA requirements, the benefits, and the scope of work involved in implementing an EPCS solution. I was joined by Sean Kelly, MD, an emergency physician at Beth Israel Deaconess Medical Center in Boston and chief medical officer at Imprivata, and William Winsley, MS, RPh, the former executive director of the Ohio State Board of Pharmacy.

The webinar was very well attended. We received a number of excellent questions. Here are a few of them.

Q: Which two-factor authentication method is most often used for EPCS?

A: This depends on the clinical workflow requirements, but we are finding that many customers want to use a combination of solutions. For example, in high-traffic, high-use areas of the acute care hospital, many customers are opting for fingerprint biometric identification combined with passwords for ease of use. However, many prescribers also want the ability to e-prescribe outside the hospital walls, so customers are also enabling the use of one-time password (OTP) tokens for EPCS.

Q: Is there a process one must follow to register as the person who will credential and enroll prescribers for EPCS?

A: The DEA allows hospitals that are DEA registrants to do this on their own through their credentialing office. This is referred to as institutional identity proofing. Private practices must undergo individual identity proofing. In this case, the designated physician works with a third-party Credential Service Provider (CSP) to obtain the necessary approvals to receive the proper credentials for EPCS two-factor authentication.

Q: Does the DEA allow EPCS signing in batches?

A: Yes, by patient. A provider can sign multiple prescriptions for a single patient simultaneously whether they are controlled or non-controlled substances. Many EMRs and prescribing systems will separate controlled and non-controlled substances, so if a provider is prescribing controlled substances, it will automatically prompt them to enter the necessary two-factor authentication credentials.

Q: The DEA ruling is “interim.” Is it likely to change?

A: Although the DEA ruling allowing EPCS is “interim,” it is unlikely to change. The DEA and other agencies have a number of rules that have been in interim status for quite some time, and in this case, the DEA has not given any indication that it will change anytime soon if at all. This is especially true for the two-factor authentication requirements.

David Ting is founder and chief technology officer at Imprivata. The webinar recording can be viewed here.


Readers Write: Stuff Doctors Leave on Workstations in the Doctor’s Lounge Late at Night (And Other Times)

October 29, 2014 Readers Write No Comments

Stuff Doctors Leave on Workstations in the Doctor’s Lounge Late at Night (And Other Times)
By anotherdoctorgregg

image

The image above caught my eye when I sat down at a workstation in the doctor’s lounge. I bet whoever left it there thought he or she was making a completely anonymous search, though I could see everything, including visited hyperlinks. We do try to teach our medical staff about using shared workstations, but there is a strong feeling of anonymity even as we are told there is no privacy at work.

One of our gastroenterologists is unhappy with his current employment, at least as judged by the number of versions of his CV on various workstations, complete with cover letters to other institutions. I don’t know whether he is unaware his CV and job hunt letters are on not only one, but multiple workstations, or if he is making a not-so-subtle statement about his job satisfaction to his current employers. I have also seen bankruptcy documents, child custody agreements, wrong-headed letters of complaint to Audi dealerships, and adorable pictures of kids dressed up for prom.

If you think you can’t be tracked and you are not leaving a trail of the most personal information on semi-public workstations, you are probably wrong. In 1997, a graduate student was able to identify Massachusetts Governor William Weld’s health information — even though the state medical database was supposedly de-identified — by correlating the elements of the medical database with voter registration rolls in Cambridge. Although this was probably a fluke, re-identification in a doctor’s lounge might be easier.

We do try to clean up the desktop screens of hospital workstations, mostly so it is easy to find the icons that we want to be found. In a parallel effort to raise awareness about not leaving personal (sometimes very personal) information on workstations through saved files and browser histories, I collected a little data.

The doctor’s lounges require keycard access, so the workstations in there are used almost exclusively by physicians. The information I gathered came from the histories of Internet Explorer (purged every couple of days) and other browsers (Chrome and Firefox) installed by users as non-administrators. With those disclosures, here is a sampling of what doctors look at, at work.

There were 1,052 entries over three days. The first thing to notice is the complete absence of porn. Overall, searches were at worst only mildly embarrassing, with nothing to trigger HR’s attention.

Forty-eight percent of visits were to a practice portal or billing system, 21 percent were to sports sites (cricket scores beating football scores, which either speaks to our physician demographics or penetration of the ESPN mobile app), and 13 percent were visits to medical sites (UpToDate and Medscape being the most common). The remainder were visits to Google and foreign language and news sites that reflected our demographics.

There were a few visits to the county probate court, checking on malpractice and divorce cases (the search terms are displayed if you reopen the window from the history). One person Googled, “I have water coming into my basement right now.” I know it was a she since she discussed night call plumber’s fees at lunch the following day.

I could also identify my plumber-needing friend by her search history. Users leave sequences in their histories like <foreign language site><another site><same foreign language site>, narrowing the presumptive visitors to just the doctors who speak that language. Also, site visits bracketed by practice EMR portal visits linked the sites in between to specific individuals if you look at the call schedule. The call schedule will generally narrow down the potential users to just one.

Overall, I estimate about 40 percent of the browser history in doctor’s lounges can be associated with a specific person. This is an estimate since I only asked a few directly. The message is that even an otherwise anonymous Google search can probably be linked directly back to a hospital user, even by non-administrators, so surf accordingly.


Readers Write: Hospitals Move to Define Role of Secure Texting in Clinical Alarm Management

October 27, 2014 Readers Write 1 Comment

Hospitals Move to Define Role of Secure Texting in Clinical Alarm Management
By Todd Plesko


In 2010, The Joint Commission identified improvement in staff communication as a National Patient Safety Goal. A recent Spyglass survey found that 67 percent of hospitals, despite forbidding the practice, report that nurses are using personal smartphones to support clinical communications and workflow because they are dissatisfied with the options provided by hospital IT.

Of those exchanging data, 80 percent of the messages are neither secure nor HIPAA compliant. Hospitals found guilty of a data breach can be fined $1.5 million per incident, so it’s not surprising that hospitals are acting swiftly.

There are more than 70 vendors today competing to solve this need. They are primarily segmented by the markets and users they are targeting; e.g. physician-to-physician, physician-to-nurse, physician-to-patients. These single-function secure text messaging apps were initially an attractive fix to HIPAA anxieties because they are cheap and quick to implement, but their myopic view of communications often contributes to the burgeoning problem of alert and alarm fatigue.

As of July 1, hospitals seeking accreditation from The Joint Commission are required to prioritize clinical alarm safety. Even though the new National Patient Safety Goal recommends that hospitals begin with the largest offenders – patient monitors and medical devices – forward-thinking hospitals are taking a closer look at the full gamut of interruptions experienced by front-line nurses and asking how solutions designed to address alarm fatigue will impact overall clinical workflow.

Alarm fatigue is rooted in more than just patient monitors and medical devices. It is the result of multiple systems communicating alarms, alerts, text messages, and phone calls simultaneously without regard to priority or urgency. Really, “interruption fatigue” much more accurately describes today’s care environment.

Hospitals have traditionally viewed alarm fatigue and secure text messaging as two unrelated pain points with separate solutions. This has resulted in an accidental architecture embodied by multiple solutions with overlapping functionality that have become increasingly difficult for hospital IT and users to manage.

Single-purpose integrations often lack sophistication and the intelligence necessary to serve as the traffic cop between multiple systems that compete for attention, interrupt workflows, and contribute to alarm fatigue. They are concerned with the singular goal of delivering the alarm, alert, or text message they were designed to transmit.

Consider that most clinically relevant communications originate from a patient event: a nurse call alert, a smart IV pump, a patient monitor alarm, a bed exit, critical lab, or stat order alert. When a clinician is texting about a patient, they must ensure that the subject of the conversation is properly identified, an important feature that single-function texting apps are incapable of providing automatically. All text messaging apps targeting healthcare are secure, but few are centered on the patient and their role in the overall communications workflow.

If a healthcare provider organization is going to be successful with patient-centric text messaging, then this is only possible with an enterprise platform that delivers relevant information with patient context along with the alarm, alert, or text message that the recipient receives. Optimally, alarms and alerts would include a dynamically-generated list of possible staff members to call or message about the patient event to further enhance communications. Patient-centric messages need to be displayed properly based on priority level and integrated into the overall communications workflow to ensure that the recipient is able to identify and respond effectively to the most critical needs first.

Hospitals are beginning to recognize that identifying improvements in staff communications and managing the interruptions generated by alarms, alerts, and text messages are twin problems that should be addressed as a single project. A next-generation alarm safety and event response platform is required to support this level of clinical collaboration.

Todd Plesko is CEO of Extension Healthcare of Fort Wayne, IN.


Readers Write: Navigating EHR Disillusionment: Strategies for Maximizing Value

October 27, 2014 Readers Write 1 Comment

Navigating EHR Disillusionment: Strategies for Maximizing Value
By Joel French


EHRs are a necessary but small component of what provider networks require to financially prosper in competitive markets being rapidly transformed by narrow networks, contracting reimbursement rates, and risk-bearing payment arrangements. As digitization proliferates, acute and ambulatory providers have become more vocal with EHR criticisms, including a lack of interoperability, workflow disruptions, and adverse impact to physician productivity. Many physicians now view themselves as data entry clerks.

Research from the American College of Physicians, Deloitte, and Physician’s Foundation finds that physicians have mixed opinions on EHRs, with significant downside sentiment. In the Deloitte study, 75 percent of physicians say EHRs are not cost-effective and do not save time.

One might assert the US health industry is suffering from Gartner’s Trough of Disillusionment regarding EHRs, defined as the period when “interest wanes as experiments and implementations fail to deliver.” This disillusionment exists because individual and organization expectations of EHRs exceed what they were actually designed to do. History abounds with examples of beliefs that were widely (if not universally) viewed as true, only to be later disproved by practical experience or fuller knowledge.

The point of view that integrated EHRs should be central to a health system’s competitive strategy is one common view that is easily disproved by examining this assertion under the lens of basic business logic. By definition, a competitive advantage gives an organization an edge over its rivals and an ability to generate greater value (value is generally expressed in terms of market share growth, profitability, or enterprise value). The more sustainable the competitive advantage, the more difficult it is for competitors to neutralize the advantage.

As it relates to EHRs, once most or all hospitals in a geographic market have implemented such a tool, that tool itself ceases to be a competitive advantage. It should be better understood as a fundamental business input or asset, not materially dissimilar to facilities, medical equipment, or business licenses. Table stakes, as some might say.

Executives who have invested in EHRs hoping to derive investment returns above their cost of capital must first come to grips with the following truth: EHRs were designed to solve specific problems within the confines of a health system, but nearly all incremental revenue and contribution margin opportunities originate outside health systems in care communities. Trying to retrofit or adapt EHRs designed for use inside the walls of an enterprise for use outside the walls and across a community is fraught with risk and tantamount to believing the world is flat.

In 1837, Hans Christian Andersen wrote a fairy tale, now widely known, called “The Emperor’s New Clothes.” The metaphorical point applies to any situation wherein the overwhelming majority of observers willingly share in a collective ignorance of an obvious fact, despite individually recognizing the absurdity. The notion that implementing the same EHR as your competitors or peer group would somehow provide a sustainable competitive market advantage is completely devoid of the classical business logic that any first-semester college freshman understands.

Today, an increasing cackle of honest voices are murmuring that the Emperor is naked. Those voices will only get louder as more organizations experience bond rating downgrades or executive removals attributable to expensive and unsuccessful EHR experiences.

To be sure, EHRs are necessary and are typically superior to the analog predecessors they replaced. They can be effective tools for clinical documentation, intelligent alerting, retrieval of patient data, and order entry/results return within the setting for which they were intended – the hospital or the clinic. Their deficiencies are exposed when care teams need to coordinate across not just physical settings, but differing organizational boundaries.

The migration to value-based care is accelerating, requiring fundamentally new ways of working to increase revenue while simultaneously keeping populations healthy. Nearly all at-risk payment models – such as episodic bundling, avoidable readmission penalties, Medicare Shared Savings, and ACOs – require better orchestration of care transitions across organizational boundaries. Successful health systems in the new health economy must therefore utilize technologies to integrate electronically and economically with scores of market trading partners, many of whom will have heterogeneous technologies and fragmented corporate ownership.

To grow, health systems must exploit all their channels – not just employed physicians, but also independent providers and other stakeholders – in order to access new referral sources, effectively coordinate care for patients with chronic conditions, and reduce unit costs. There are key EHR deficits critical to health system business objectives. These will require supplementary tools to bridge functionality gaps.

With average revenue from inpatient admission volumes down 4.9 percent in 2013, health systems need a technology strategy to support outpatient revenue growth. Health systems will live or die based on their ability to find technology solutions beyond the EHR, enabling them to uncover the economic value of independent providers in their communities by delivering differentiated value to those practices.

Introducing a network layer that smartly aligns the hospital’s capacity with the community’s demand for services is not only possible, but necessary. Today’s cloud-based tools for functions such as referrals, scheduling, and analytics can create attractive investment returns against EHR cost centers that some have come to view as permanent sink holes.

These tools extend the life of EHRs and introduce accretion by supplying what they lack – the ability to quickly grow outpatient volume, curtail network revenue leakage, and lift contribution margins. Integrating these tools with EHRs adds new value to the EHR, potentially creating the investment returns originally hoped for at the time of purchase.

The industry is still a long way from experiencing Gartner’s Plateau of Productivity with EHRs, but progressive health system executives are realizing limitations of EHRs and are increasingly turning to cloud technology solutions that complement them and unlock value. Health systems that survive and thrive will be those that innovate to meet industry demand, which at this point requires thinking beyond EHRs.

Joel French is CEO of SCI Solutions of Campbell, CA.


Readers Write: Driving Interoperability by Putting People at the Center of Health Technology

October 27, 2014 Readers Write 3 Comments

Driving Interoperability by Putting People at the Center of Health Technology
By Joseph Frassica, MD


During a recent earthquake in Charlottesville, VA, people heard the news of the earthquake long before they actually felt the tremors. In healthcare, even getting information to travel across departments in a hospital, or from a hospital to a primary care physician, can sometimes be challenging.

Many healthcare organizations present “interoperability” as the silver bullet that will resolve an organization’s data problems. But how can the industry implement effective, interoperable solutions that allow clinicians to get the information when they need it most, and no matter where they are?

I see three key steps the healthcare industry must take in order for information to travel securely and seamlessly to improve interoperability:

  1. Embrace collaboration. As a first step, the healthcare industry – including hospitals, specialists, practice groups, vendors, home health agencies, and so on – needs to work together to provide the best possible care for patients. For too long, we kept our blinders on and treated patients when they entered into the hospital domain. Instead, the industry needs to change its mindset to think of the patients’ journey throughout the health continuum and work with other caregivers to make that process seamless. Accountable care models are already helping usher in this important change.
  2. Encourage openness. Vendors of all types and sizes must work toward openness and subscribe to open standards. Vendor-agnostic and flexible technologies allow critical patient information to travel faster and get where it’s needed. By embracing open standards wholeheartedly, the industry can begin to lay the foundation necessary to drive innovation in healthcare technology and in patient care. Open standards can enable providers to share EMRs securely and can also provide greater access and insights.
  3. Think beyond the EHR. Hospitals and health systems have made big investments in getting their EHRs up and running, and the technology is important for modernizing health care. But EHRs are not the be-all and end-all of patient data. They barely scratch the surface. To improve population health, healthcare organizations need to think beyond data collection and more about how this data can be used to improve patient outcomes across the health continuum. Healthcare systems need to think about how this data can be analyzed to present a more comprehensive, complete, and integrated picture of a patient and their medical history. Providers can then begin to use this data for predictive analytics, which will enable them to identify and manage trends across a population. By analyzing this data, physicians can make more confident diagnoses and develop preemptive treatment plans.

As healthcare becomes more and more connected, the amount of data and information entering the healthcare picture will only increase, and will become even more critical to realize the promise of interoperability as time goes on. By taking steady steps toward interoperability, the healthcare industry can fully liberate and share data seamlessly, giving physicians the quality insights they need to predict, prevent, and treat disease with better results.

Joseph Frassica, MD is CMIO/CTO, Patient Care and Monitoring Solutions, of Philips Healthcare.


Readers Write: What Healthcare Revenue Cycle Leaders Can Learn from Apple Pay

October 20, 2014 Readers Write 2 Comments

What Healthcare Revenue Cycle Leaders Can Learn from Apple Pay
By Joshua Silver


It often feels like the healthcare industry is just as much about patience as it is about patients. Waiting for final regulations to be approved; waiting to be seen in a doctor’s office; waiting for new EHR systems to be rolled out; waiting for the final, final, final ICD-10 rollout deadline; just plain waiting.

The waiting game spills over into the consumer technology space too, especially when it comes to mobile payments. Despite the media popularizing the notion of replacing a traditional wallet with a smartphone-based digital wallet nearly a decade ago, mobile payments have yet to become mainstream.

As I watched the recent announcement about Apple Pay, I couldn’t help but think to myself that we might finally be at the tipping point for mobile payments. The payments platform, which Apple bundled into the latest iPhone and iOS 8 operating system, allows consumers to easily pay using their phone in brick-and-mortar retail stores, as well as securely pay for digital goods.

Apple has a proven track record of taking existing consumer technology and repackaging it in such a way that it’s adopted by the masses. When they launched the iPod in 2001, portable MP3 players had already been commercially available for several years, but weren’t widely popular. A few years later, in 2007, when they brought the mobile Web to millions with the iPhone, Apple was building on BlackBerry’s 10-year history in the space. The question remains: can Apple do for mobile payments what it’s done for MP3 players and smartphones?

Additionally, the timing is key as the payments processing industry is poised to transition from magnetic swipe credit cards to “Chip and Signature” EMV-based credit cards. (Visa and MasterCard regulations mandate the switch for nearly all merchants by October 2015.) This macro industry change, coupled with Apple’s long list of banking partners, means that already nearly more than 220,000 stores are equipped to support Apple Pay.

As Apple Pay launches nationwide in October 2014, it’s time for healthcare providers to drop their patience and help their patients by supporting new, consumer-friendly payment technologies. Historically, the healthcare industry has largely taken a “wait and see” approach when new technologies hit the market. However, as healthcare providers face the daunting (and expensive) challenge of getting patients to pay, there is perhaps no other industry that can benefit as much from the recent developments in payment processing technology.

As the options for patient payments continue to diversify and become increasingly complex (nowadays, there is online bill pay, Apple Pay, EMV credit cards, PIN debit cards, eChecks – not to mention the more esoteric options like BitCoin), it’s more important than ever that healthcare providers focus on their core competencies (providing great medical care and a simple billing experience) rather than trying to learn the ins and outs of payment processing. Healthcare providers should look to partner with market-leading vendors who offer comprehensive patient payment platforms. Perhaps surprisingly, it’s rarely the banks.

It’s absolutely critical to use a platform that consolidates all payment types (credit, debit, eChecks — even paper checks) into a single posting report and, if possible, one that will combine all payment types into a single reconciled daily deposit. There is enough complexity in the business office without adding the burden of reconciling additional daily deposits.

With all of the recent news about mega-breaches of cardholder information (Target, Home Depot, JP Morgan Chase, etc.), consumers are beginning to question the status quo of payments, digging deeper into the security of their payment data, and holding the merchants responsible. The last place they expect to find payments innovation is in healthcare. Now is a great time to wow them and get ahead of the market. 

Joshua Silver is VP of product development of Patientco of Atlanta, GA.


Readers Write: Digital Patient Engagement Tools to Achieve “Top Box” Medication-Related HCAHPS Scores

October 20, 2014 Readers Write No Comments

Digital Patient Engagement Tools to Achieve “Top Box” Medication-Related HCAHPS Scores
By David Medvedeff, PharmD, MBA


Improving HCAHPS performance is a never-ending struggle for hospitals, one that has taken on greater urgency as results are linked to CMS’s Hospital Value-Based Purchasing (VBP) program. The HCAHPS Survey is the basis of the “Patient Experience of Care Domain” under VBP, which makes up 30 percent of a facility’s total performance score.

A particularly thorny problem has been improving patient communications regarding medication, which is measured based on HCAHPS responses to three questions:

  1. Before giving you any new medicine, how often did hospital staff tell you what the medicine was for?
  2. Before giving you any new medicine, how often did hospital staff describe possible side effects in a way you could understand?
  3. When I left the hospital, I clearly understood the purpose for taking each of my medications.

In the most recent published results, 36 percent of reporting hospitals failed to achieve “top box” scores, which reflect the most positive responses to questions related to patient experience with communications about medications. Improvements in patient education and health literacy can go a long way toward boosting these scores, as well as medication adherence post-discharge.

Consider this: a study by the National Assessment of Adult Literacy found that just 12 percent of the more than 19,000 respondents demonstrated proficient health literacy. Another study, published in the Journal of General Internal Medicine, found that 79 percent of patients misinterpreted one or more of the 10 most common prescription label instructions they encountered.

To combat the grim reality of poor health literacy, hospitals must account for all aspects of medication adherence. For example, the CDC highlights the “access to care and patient education material” as two of the largest problems in medication adherence, as well as the “inability to access or difficulty accessing the pharmacy.”

Digital patient engagement solutions address these issues by delivering medication information to patients when and where they most need it. For example, videos outlining proper usage, expected benefits, and potential side effects can be embedded into the hospital’s website. Links to prescription-specific videos can then be sent to patients via text or email for viewing on any computer, tablet, or smartphone. Videos can also be supplemented with text reminders to take or refill prescriptions to further enhance compliance.

It is crucial that video content be comprehensive and current to ensure all pertinent information is included. Content should also be based upon trusted information, such as guidelines from the Food and Drug Administration (FDA) as well as patient package inserts, medication guides, and consumer medication information.

Ultimately, digital patient engagement solutions remove the barriers that complex text often puts in the way of comprehension and medication adherence. Convenient access via multiple channels also means patients are never without the information they need to successfully and properly administer their medication, improving HCAHPS scores while reducing the risk of medication error and improving care outcomes.

David Medvedeff, PharmD, MBA is CEO of VUCA Health of Lake Mary, FL.


Readers Write: The Elephant in the Room: Provider Validation

October 20, 2014 Readers Write No Comments

The Elephant in the Room: Provider Validation
By Miranda Rochol


I’ve seen and heard a lot of discussion about EHRs and identity proofing – the process of verifying that a provider is who he or she claims to be. Identity proofing has been a hot topic in healthcare for years, starting with the Medicare Modernization Act (MMA) of 2003, when e-prescribing was promoted as a vital part of reducing prescription errors and enhancing patient safety. Prior to that, e-prescribing was a novel concept. 

Today, the majority of office-based physicians (73 percent) send e-prescriptions and nearly all community pharmacies (95 percent) receive them. This wouldn’t have been possible without EHRs or identity proofing. Equally important but less talked about is the critical step of provider validation, which happens before identity proofing.

The concept of provider validation grew in importance when the DEA issued an Interim Final Rule (IFR) and made legal the electronic prescribing of controlled substances (EPCS). Strict regulation of controlled substances now means that validation of DEA numbers is more than just protocol — it’s critical. Because some providers are only authorized to write prescriptions for certain controlled substances, EHRs must ensure that their systems are equipped to validate provider DEA numbers (and other credentials) in real time.

The most logical time to validate a DEA number is when a provider actually writes a prescription for a controlled substance. Since DEA numbers expire or become invalid, a provider’s DEA number should be verified each time he or she writes a prescription. This is the most effective way to ensure compliance with federal regulations and verify that a prescriber is legally authorized to write prescriptions for particular substances.
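One way to structure the per-prescription check described above, as an added example that is not from the article or from any EHR vendor. The check-digit rule is the standard DEA number checksum; the `REGISTRY` dictionary, its field names, the reason codes, and every DEA number shown are constructed stand-ins for a query against an authoritative registration data source.

```python
import re
from dataclasses import dataclass
from datetime import date

# Simplified shape (assumption): registrant-type letter, then a letter or '9',
# then seven digits, the last of which is the check digit.
_DEA_SHAPE = re.compile(r"[A-Z][A-Z9][0-9]{7}")


def dea_checksum_ok(dea: str) -> bool:
    """Cheap offline gate: reject mistyped or malformed numbers before any lookup."""
    dea = dea.strip().upper()
    if not _DEA_SHAPE.fullmatch(dea):
        return False
    d = [int(c) for c in dea[2:]]
    # (1st + 3rd + 5th digit) + 2 * (2nd + 4th + 6th digit); last digit of the
    # sum must equal the 7th digit.
    total = (d[0] + d[2] + d[4]) + 2 * (d[1] + d[3] + d[5])
    return total % 10 == d[6]


@dataclass(frozen=True)
class Registration:
    expires: date
    active: bool
    schedules: frozenset  # schedules the registrant may prescribe


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str  # stable reason code, suitable for an audit log


# Constructed records; a real system would query current registration data.
REGISTRY = {
    "AB1234563": Registration(date(2026, 6, 30), True, frozenset({"II", "III", "IV", "V"})),
    "FR4567890": Registration(date(2025, 1, 31), True, frozenset({"III", "IV", "V"})),
    "BT6835752": Registration(date(2027, 3, 31), False, frozenset({"II", "III", "IV", "V"})),
}


def validate_prescriber(dea: str, schedule: str, today: date,
                        registry=REGISTRY) -> Decision:
    """Run at signing time for every controlled-substance prescription.

    Fails closed: anything that cannot be positively confirmed is denied.
    """
    dea = dea.strip().upper()
    if not dea_checksum_ok(dea):
        return Decision(False, "bad_format_or_checksum")
    reg = registry.get(dea)
    if reg is None:
        # A valid checksum proves nothing about registration status.
        return Decision(False, "not_in_registry")
    if not reg.active:
        return Decision(False, "registration_inactive")
    if today > reg.expires:
        return Decision(False, "registration_expired")
    if schedule not in reg.schedules:
        return Decision(False, "schedule_not_authorized")
    return Decision(True, "ok")


if __name__ == "__main__":
    today = date(2025, 3, 1)
    for dea, sched in [("AB1234563", "II"), ("FR4567890", "IV"),
                       ("BT6835752", "III"), ("MC2468139", "II"),
                       ("AB1234564", "II")]:
        print(dea, sched, validate_prescriber(dea, sched, today))
```

The checksum only catches typing errors, so the decision always rests on the registry lookup performed at the moment of signing rather than on a result cached at enrollment.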

Failure to validate providers for e-prescribing of controlled substances is serious. EPCS is subject to the same laws that govern written, oral, and faxed prescriptions of controlled substances. Providers who illegally distribute or dispense controlled substances could have their license suspended or revoked and are subject to imprisonment for 5-15 years and fines from $100,000-$2 million.

EHRs should care about this for a number of reasons. The EHR space has become incredibly crowded and competitive. Adoption rates have skyrocketed, but customers have more vendor choices. What’s important to healthcare providers and organizations today are cost, usability, and compliance. Provider validation is a vital part of the compliance equation.

Beyond meeting Meaningful Use requirements, EHR companies must also start thinking strategically about their customers’ long-term needs and how to elevate their position from “vendor of the day” to “services partner of tomorrow.” This is where providing value-added services like provider validation and partnerships with data providers are key.

Lastly, EHRs with provider validation and other functionalities that meet both clinical and compliance needs could attract new fans among hospitals and health systems. Having an EHR that meets both clinical and compliance needs is one way healthcare organizations are attracting physicians, whose adoption of new technologies is integral to improving patient outcomes and public health.

Miranda Rochol is VP of product and strategy for Healthcare Data Solutions (HDS) of Irvine, CA.


Readers Write: Harnessing Data to Support Population Health Management and the Evolution of Next-Gen Population Health Management

October 15, 2014 Readers Write No Comments

Harnessing Data to Support Population Health Management and the Evolution of Next-Gen Population Health Management
By Larry Schor

Accountable healthcare delivery is in the midst of a three-stage evolution as organizations increasingly turn to the promise of health IT and data to improve patient care and the bottom line.

First-generation accountable care is all about meeting process quality measures and closing gaps in care. At this stage, provider compensation is loosely tied to compliance with standards of care and protocols for specific common conditions, such as immunizations or screenings for diabetes and glaucoma. However, during this phase, financial rewards predominantly come in the form of bonuses for achieving quality measures with little or no downside financial risk.

As the industry currently evolves from first-generation toward middle-generation accountable care, new complexities are emerging. As such, healthcare organizations must manage clinical risk and begin assuming limited financial risk for identified patient populations.

Because both upside bonuses and limited downside financial risks exist at this stage, it is imperative that patients are clinically well controlled. Clinical data, therefore, becomes increasingly important for understanding risk. The historic reliance on claims data will no longer suffice. It is at this second stage of maturity that next-gen population health management becomes a critical strategy for managing population health because it effectively blends clinical and financial data.

Once healthcare organizations achieve next-gen population health management, mature accountable care — which is characterized by high-performing networks operating under full global risk arrangements — can be realized. This advanced care delivery model focuses on optimization and lowest total cost of care, achieved through high patient engagement as the result of personalized outreach and full next-gen population health management. The benefits of this stage of maturity will be realized through more comprehensive and precise analytics to personalize patient care, especially for those with chronic conditions.

While national initiatives are encouraging the forward momentum of accountable care, a bird’s eye view of the industry reveals that most healthcare organizations are in the very early stages of this cultural shift. Despite evolving reimbursement models that are gradually incentivizing quality outcomes and efficiency, organizations still must invest in the necessary infrastructure and embrace new workflows.

Electronic health record implementation provides one example. To date, even the most sophisticated EHRs usually are implemented as little more than electronic versions of existing processes and workflows. What is needed instead are more comprehensive and precise analytics to segment patients and personalize patient care.

Traditional analytics match demographic and claims data against quality measures, but engage all patients with similar conditions in the same manner. All patients identified with Type 2 diabetes, for instance, might be offered the same form of educational outreach. While EHRs today offer transactional clinical decision support at the point of care—some are even adding managed care modules—they lack the capability to support the data-driven workflow of a distributed care coordination team. They are not designed to ensure top-of-license performance by all participants in the cycle of care, whether they are charged with managing a patient’s financial, clinical, or social welfare.

With new analytics, however, healthcare organizations can begin to offer a more tailored approach to care based on reviewing more comprehensive claims, clinical, and psychosocial data. As such, future success with population health management requires a data management infrastructure designed to capture an exploding volume and variety of data in real-time, much of it outside the claims stream.

Going forward, the strongest organizations will be those that most effectively harness, integrate, and analyze multiple types of data to inform the care of patient populations at the point of care. For example, claim clickstream data may reveal what treatments patients were provided in the past, but not necessarily whether they worked. Psychosocial data—such as whether a patient drives or has adequate social support—can have a massive impact on the success or failure of care, but is often embedded within provider documentation. Pharmacy, lab, and real-time clinical biometric data from devices such as wireless glucometers and scales is essential to effective care management.

Simply put, a real-time, 360-degree view of the patient, plan of care, evidence-based guidelines and psychosocial data results in more targeted, effective population health management, which in turn leads to better, more accountable care.

Effectively improving population health and the bottom line will require that data be translated into structured content readily available for analysis. Healthcare organizations today must take advantage of technology that allows storage and maintenance of data at its finest-grain level. It is no longer adequate to extract data, drop it into a data warehouse, and run pre-defined reports. This solution simply isn’t agile enough to answer new questions or handle increasing data volumes.

Instead, data must be conditioned, as data hygiene is extremely important for effectively using data out of the chute. Moreover, natural language processing also is becoming increasingly valuable for extracting actionable data from physician notes.

Cloud-based storage strategies, however, have proven most effective for supporting greater volumes of new data. Cloud environments offer an on-demand infrastructure capable of finding the right signals through the data noise that is expanding as the velocity, volume, and variety of data increase. Overall, healthcare organizations must employ technologies capable of clearly identifying relevant data and revealing that data at the point of care in a way that is quickly and easily consumable by providers.

Information is becoming a driver of consumer and clinical value in healthcare. In the near future, the use of data to enable effective population health management will align healthcare organizations with the cost and care quality goals so vital under accountable care reimbursement models. The most successful healthcare organizations, therefore, will be those that find new ways to use technology to leverage a wide range of patient data to improve both the bottom line and patient care.

Larry Schor is SVP of Medecision.


Readers Write: Are You a “Check the Box” Executive?

October 15, 2014 Readers Write 1 Comment

Are You a “Check the Box” Executive?
By Dana Sellers

Over the Labor Day weekend, CMS released an update for Stage 2 Meaningful Use that provides some relief to providers struggling to fully implement the 2014 requirements. That’s great, but here’s the problem: Meaningful Use is not just an exercise to check some boxes off.

It’s more than implementing CPOE. It’s more than getting your physicians to use a problem list. It’s more than the incentive dollars. It’s about getting value beyond the implementation.

If your organization attested in 2012, you have been continuously collecting discrete standardized and coded data for close to two years. You’ve done the heavy lifting and you’re continuing to do so for Stage 2. Now you have a foundation that provides a common data platform across the organization with standardized vocabularies, regardless of different EHRs or other operational systems.

While you may be awash with all kinds of data, Meaningful Use provides specific clinical data that you can focus on. You have a means to ensure that all parts of the organization can begin to measure the same things the same way.

In a recent project, we turned our new cadre of Quintiles researchers and biostatisticians loose on a bunch of clinical data. We imposed one important ground rule: we limited the data to things that were already being collected for Meaningful Use. We asked if they could find anything interesting. In a matter of weeks, they discovered significant findings that relate directly to outcomes and cost.

Here’s the cool part. Every organization that has attested for Meaningful Use has the data needed to do the same kind of study.

Are you looking at Meaningful Use as a check-the-box exercise, or are you looking to drive real value? Have you considered the possibilities of using your current data foundation in order to improve workflow and processes?

For example, changing how the patient intake process occurs, not only for better collection of data, but also for safety and care coordination. Can you move beyond monitoring clinical process measures to conducting analytics that will drive insights for better care and outcomes?

It takes the organization thinking about Meaningful Use as a foundation for value. It requires change.

  • Break down organizational silos. No single department owns the challenges facing organizations around quality, cost, and performance. Yet multiple departments and stakeholders often try to answer the same types of questions, resulting in inefficient processes as well as conflicting answers. Create cross-departmental, multi-disciplinary teams to address these challenges.
  • Get data governance in place. Information transformation requires that data is consistent, accurate, and timely. This foundational data is a start, but still requires an organizational structure and process to provide direction and decision-making to create common definitions and apply common standards across multiple stakeholders and departments.
  • Start with the foundation. There is tremendous value in the foundational MU data. Begin to explore beyond the standard Meaningful Use process objectives. Use this foundation to evaluate how well standards are applied. Explore for other clinical insights like impacts of the use of evidence-based orders on specific disease-based populations in this data set.

Meaningful Use is not an IT project or task to cross off a project list. It is a foundation for an information journey to value.

Dana Sellers is CEO of Encore, A Quintiles Company of Houston, TX.


Readers Write: What to Ask When Deciding to Take the CMS 68 Percent Settlement Offer

October 15, 2014 Readers Write No Comments

What to Ask When Deciding to Take the CMS 68 Percent Settlement Offer
By Bill Malm

The October 31 deadline for providers to decide whether or not to take the 68 percent settlement offer from CMS is quickly approaching. This settlement enables any provider to withdraw their pending inpatient appeals in exchange for a timely partial payment which equals 68 percent of the net allowable amount. CMS is offering this settlement in order to reduce the volume of inpatient status claims currently pending in the appeals process and to alleviate the administrative burden to both providers and Medicare.

Many healthcare organizations have already submitted their request to take this agreement, but if your hospital is still weighing the pros and cons of doing so, some key factors for consideration include the following.

  • Does your hospital have significant dollars at risk or a high volume of outstanding appeals? Hospitals with a large number of appeals and/or a significant amount of revenue tied up in the appeals process may benefit from seeing the appeals through the ALJ process. Interest payments alone could outweigh any reason to settle.
  • Was your hospital’s appeal strategy based on an internal review process that appealed only strong cases, writing off weaker cases? Hospitals that had a denial review strategy and chose to appeal only those cases with a reasonable likelihood of success may not want to agree to a 32 percent reduction in payment and forfeit the Limitation on Recoupment 935 interest. On the other hand, hospitals that appealed cases indiscriminately are promised 68 percent of the net payable amount. In the end, this may result in a higher payment for these organizations.
  • What was your hospital’s recoupment strategy? Is the expected interest on a successful appeal financially substantive or marginal? If your facility allowed immediate recoupment of overpayments following receipt of Demand Letters, then your claims are not subject to 935 interest. Conversely, 935 interest is owed when claims were involuntarily recouped and you prevail at the ALJ level. For claims that wait years for an ALJ hearing, this payment could be substantial.
  • How badly do you need your money? This may seem like a silly question, but keep in mind that strong appeals and long wait times will likely result in payments with greater than 100 percent value, but it may be a very long time before you see that money. Can you afford to wait? Hospitals that accept the settlement can expect reimbursement within 60 days of a fully executed agreement.
  • What is the cost associated with pursuing your appeals? Hospitals with high costs associated with the pursuit of appeals may want to consider the settlement. Those costs might include consultants, attorneys, and expert witnesses. The cost of internal personnel time and resources should also be considered.

Deciding whether or not to take this settlement depends on a variety of circumstances. The final decision should be based on a position of financial strength and a strategic choice rather than a short-term stopgap out of necessity.

Bill Malm is senior manager of revenue integrity communications at Craneware.


Readers Write: I-STOP May Be the Biggest Health IT Game-Changer of All

October 8, 2014 Readers Write No Comments

I-STOP May Be the Biggest Health IT Game-Changer of All
By Tony Schueth

Over the years, e-prescribing has needed and seen its share of enabling game-changers as it competes against the sub-minute it takes to write a paper prescription. But none may be bigger than the New York state law, I-STOP, that requires all prescriptions to be transmitted electronically by March 27, 2015.

More impactful than Meaningful Use, the Medicare Prescription Drug, Improvement, and Modernization Act (MMA), or the Medicare Improvements for Patients and Providers Act (MIPPA)? Potentially yes, but not necessarily in a positive way or limited to e-prescribing.

In August 2012, the governor of New York signed the Senate Bill 7637/Assembly Bill 10623: Internet System for Tracking Over-Prescribing (I-STOP) Act into law. At the time, New York’s Attorney General Eric Schneiderman said, “I-STOP will be a national model for smart, coordinated communication between healthcare providers and law enforcement to better serve patients, stop prescription drug trafficking, and provide treatment to those who need help.”

Unlike other states where it is optional, New York prescribers are required to check the New York State prescription drug monitoring program registry database before writing a prescription for any controlled substance. I-STOP has other provisions as well, such as improving safeguards for distribution of prescription drugs prone to abuse; medical education courses; public awareness efforts; and establishment of an unused medication disposal program.

The State of New York obviously sees e-prescribing as part of a bolder effort to curb prescription drug abuse. Kudos to the state legislators for getting that. Electronic prescriptions flow through a secure, closed channel from prescriber to pharmacy. Each step of the process is electronically logged. It is unquestionably a vast improvement over paper in reducing fraud and impeding diversion.

A law of this magnitude from a bellwether state is impactful in many ways. Other states are surely watching and, should it be successful, will likely follow. But if it’s not successful, there will be implications, too.

The impact begins with pushing along the nascent effort of e-prescribing of controlled substances (EPCS). Although the DEA passed an interim final rule in 2010 permitting such an effort, its uptake has been slow. According to Surescripts, as of July 31, 570,000 EPCS prescriptions were transmitted via their network year to date. That puts EPCS adoption at far less than one percent since about 500 million of our 3.85 billion retail prescriptions are for controlled substances.

As a recent case study supports, the biggest challenge for EPCS is that physicians still don’t know that they can prescribe controlled substances electronically and pharmacists aren’t aware they can accept them in that manner. This lack of awareness keeps physicians and pharmacists – especially independents – from requesting such functionality from their vendors. As a result, too many EHR, e-prescribing, and pharmacy vendors assign a lower priority to EPCS with what little bandwidth they have outside of Meaningful Use, ICD-10, and NCPDP SCRIPT 10.6.

According to Surescripts, only 14 prescriber vendors are certified for EPCS. While those include three of the top five EHRs and the “ePrescribing inside” market share leaders DrFirst and NewCrop, version issues, client factors, up-sell challenges, and other considerations mean that only a small number of EHRs are EPCS-enabled.

Nationwide, the pharmacy side is not there yet, either. While the two largest chains are able to receive and process controlled prescriptions electronically, many of the smaller chains and independents are not. According to Surescripts, 31,000 of 67,000 pharmacy locations are enabled for EPCS.

After enhancing their products to meet the New York guidelines, however, both EHRs and pharmacy software vendors should find taking their EPCS solutions elsewhere to be less of a challenge.

All that said, nationwide, it will continue to be the classic, “Which comes first, the chicken or the egg?” situation. To get past that, it takes education and coordination, which are elements of I-STOP.

For the education component, I-STOP charged a workgroup of stakeholders and the Department of Health with responsibility to guide public awareness measures. Our EHR clients tell us they aren’t hearing from their New York customers, so are physicians in New York unaware of I-STOP? A simple Google search on I-STOP yields a few articles, most from when it launched. Hopefully, a huge campaign is planned.

The prescriber consequences are significant, especially for physicians. According to the New York Bureau of Narcotic Enforcement (BNE), non-compliance is punishable by a $2,000 fine, imprisonment not exceeding one year, or both. Furthermore, it is considered to be professional misconduct by the applicable professional boards, which could lead to suspension or revocation of professional licenses.

With government mandates, enforcement is always a question. People who know the BNE and New York’s Attorney General Office say they wouldn’t hesitate to enforce this, especially given the larger objective of curbing fraud and abuse. To be sure, I wouldn’t want to be the vendor that caused the $2,000 fine or any of the more serious consequences.

From a coordination perspective, there’s nothing like a mandate and deadline to get everyone on the same page. But the consequences are to the prescriber, not the pharmacy, and the EHR vendors just have to deal with upset clients.

So, how is it going? We don’t have the most up-to-date data about New York specifically. As of December 31, 2013, 62 percent of physicians in New York were routing prescriptions, according to Surescripts. While a lot can change in a year, 38 percent of physicians are not prescribing electronically, and as noted earlier, fewer than one percent are e-prescribing controlled substances nationally. Only one of the top two EHRs in New York is EPCS-certified through Surescripts, so the others have a lot of ground to cover by March 27, 2015.

What if large numbers miss the deadline? Issuing fines to that many prescribers will be a logistical — not to mention political — challenge. They could issue an ICD-10 or MU Stage 2-like extension or waivers. However, there’s a lot of frustration out there about those delays. New York issuing such outs or just not enforcing the law could further lessen the impact of all mandates, arguably making I-STOP the biggest game-changer ever, and not just for e-prescribing.

Tony Schueth is CEO of Point-of-Care Partners of Coral Springs, FL.


Readers Write: A CIO’s Perspective on the Options for Health System Analytics

October 8, 2014 Readers Write 1 Comment

A CIO’s Perspective on the Options for Health System Analytics
By Gene Thomas

Buying an EMR is an important decision, but choosing an analytics solution is far more important. In today’s healthcare marketplace, installing an EMR is table stakes. Granted, it’s necessary and expensive table stakes, but it’s still just the starting point.

The real key to transforming healthcare performance lies in analytics and the humans that use and make data-driven decisions. An EMR captures the data. Analytics uses that data to deliver the insight needed to improve the quality and cost of care.

Improving quality and cost is on everyone’s mind. At the organization where I serve as CIO, Memorial Hospital at Gulfport in Mississippi, it is a critical priority. The majority of our volume comes from Medicare and Medicaid beneficiaries and the uninsured. We are a not-for-profit, single-hospital system. We have to focus on costs and quality in order to continue to serve our community.

Fortunately, we’re advancing steadily along the path of putting infrastructure in place to drive the necessary improvement. We rolled out our integrated EMR this spring and we are now implementing our analytics solution.

I started this article by stating how important analytics is. Choosing what type of analytics solution to implement was not a decision we took lightly. I want to outline here the factors we considered as we made that choice.

I wouldn’t say that selecting our EMR solution was easy, but the fact that there were only a handful of viable options certainly simplified the process. Choosing an analytics solution was a different story. A wide variety of analytics solutions are available and they all claim to drive quality and cost improvement. We looked at BI tools. We researched multiple vendors with point solutions that address areas like capitated payments, fee-for-quality, and ACOs.

Ultimately, we decided that the right solution for our enterprise-wide analytics strategy would be an enterprise data warehouse (EDW). But even then there were several possible paths to take. We could build our own EDW, we could adopt our EMR vendor’s emerging EDW solution, or we could implement an EDW solution from a third-party analytics specialist vendor.

We quickly dismissed the option of building it ourselves. We simply didn’t have the time or resources for a trial-and-error, homegrown approach. That left us to decide between our EMR vendor’s EDW and a specialist’s solution. We went with the specialist’s solution.

Our EMR vendor’s EDW was relatively inexpensive and there was something attractive about the convenience of having one less vendor to manage. Still, I approached their EDW offering with some skepticism. I trusted their ability to handle all of the transactional functionality that is an EMR vendor’s core competency, but analytics is not part of that core competency.

Ultimately, we set three criteria as essential in a vendor. Any analytics vendor we selected would have to demonstrate the following.

A significant track record with analytics

EMR vendors really don’t have an analytics track record. Their analytics experience lies mainly in tactical operational reporting. They can easily tell me how many of my patients are on a certain medication, but my improvement initiatives will require much greater sophistication.

Specialist vendors, on the other hand, have been living and breathing nothing but analytics for years (and sometimes even decades). The best ones can share concrete examples of how their solutions have driven measurable quality and cost improvement.

The agile data architecture required to handle big data

Our EMR vendor is obviously an expert on transactional systems architecture, but that doesn’t translate to expertise in architecting a powerful analytics solution that runs on a completely different type of database. With so much volatility in healthcare today, I wanted to be sure I had a flexible architecture for analytics that could expertly adapt to new rules, standards, vocabularies, and use cases.

The ability to integrate data from multiple systems, including competitors

This was a huge consideration for us. EMR vendors are generally unwilling or unable to pull data from external sources, particularly competitive systems. We needed a solution that was source-system neutral and only the third-party analytics specialists could deliver that. Integrating data from just about any system you can imagine is their core competency. My understanding is that some EMR vendors have recognized the need to allow integration of data from beyond the EMR, but they are years behind the specialists in terms of doing this well.

I recently came across a 2013 survey by CHIME that found that 80 percent of CIOs believe analytics is an important strategic goal, but that only 45 percent feel they have a handle on it. I don’t claim to be an expert on analytics, but I hope that this brief account of my experience so far will be helpful to some.

My biggest piece of advice to any colleague that has yet to tackle analytics is to get started as soon as possible. I believe that CIOs need to change. Our focus can’t be just on the bits, bytes, databases, and servers. All of that is still an important element of what we do, and I have a staff that takes care of those details, but my focus as CIO is to provide data and information to all stakeholders—our executives, our clinicians, our patients, and more—to help drive better outcomes. That means a top area of focus for me is on analytics.

Gene Thomas is chief information officer of Memorial Hospital in Gulfport, MS.


Readers Write: Communicating Across the Continuum

October 8, 2014 Readers Write No Comments

Communicating Across the Continuum
By Steve Whitehurst

As consumerism continues to permeate the healthcare industry, hospitals must place more emphasis on how they treat their patients across the entire care continuum, inside and outside the four walls of their facility. To do this, patients must be addressed at every touch point in order to fully meet their needs and sustain their satisfaction.

Though increasingly important, many hospitals struggle with supporting patients’ 24/7 communication needs due to limited staff, reduced budgets, and unclear communication expectations. Yet without a communication plan in place, interacting with and keeping patients engaged and satisfied can be very difficult, thereby limiting a hospital’s ability to sustain an enhanced patient experience, increase patient satisfaction, keep patients compliant with their care plans, and build brand loyalty—not to mention potentially increasing the risk of readmission.

By creating a comprehensive communication strategy that combines live operators and clinicians with automated technology platforms across the continuum, hospitals can effectively manage their interactions with patients inside and outside the facility’s walls to increase both care quality and patient experience.

With Meaningful Use incentives and other regulations driving the implementation of patient portals, many healthcare organizations are pouring resources into electronic communication platforms that use email or direct messaging to communicate with patients. Although these methods certainly improve engagement, they are not always effective at reaching all patients or providing personalized attention.

For instance, most patient portals are capable of delivering educational material to patients. However, there’s no way of knowing whether the patient actually reads and understands the information unless someone directly asks and engages the patient in conversation. Whether face-to-face or over the phone, once personal interactions are lost, the organization loses its ability to make sure patients are adhering to their medications and complying with their care plans.

Conversely, hospitals that employ high-touch communication strategies, such as the following, can engage patients across the continuum to promote more favorable outcomes, in addition to realizing measurable improvements in patient satisfaction and HCAHPS scores.

  • Live voice follow-up after discharge. One of the most effective methods for reaching patients, this communication tactic enables organizations to know when they’ve reached patients and provide personalized communication to their patients by asking and answering questions, ensuring patients are adhering to their medication and care plans, and providing additional education. Statistics show that patient satisfaction improves when communication services like live voice are leveraged at specific touch points in a patient’s care continuum.
  • Communication to support care coordination. For patients with complex conditions, multiple comorbidities, or who are high-risk for readmission, communication services can improve care coordination by going beyond discharge follow-up to help patients navigate their care plans. These services, for instance, can help patients with medication management (including medication reconciliation and adherence), disease management, and health coaching. As an example, when patients are prescribed new medications or receive changes to previous prescriptions, it can be difficult to figure out which medications should be taken, when they should be taken, and specific side effects to look for. Care coordination follow-up support can help patients navigate these questions, ensuring they take medications in the most appropriate way. Likewise, these services can also identify barriers patients may have in obtaining or taking their medications and offer solutions to help with adherence.
  • Answering services. Inbound services that receive calls from patients provide opportunities for healthcare organizations to address questions or concerns immediately rather than waiting for providers to return phone calls. When these services are managed by highly trained teams qualified to listen to and answer patient concerns, it allows organizations to meet patients’ needs more efficiently in a timely manner, thus increasing patient satisfaction levels.
  • Automated services. Although live voice interactions are most effective for facilitating conversations between patients and providers, automated services can be useful for routine patient outreach, such as reminding patients to schedule and attend upcoming appointments or refill prescriptions. By leveraging automated services in appropriate situations, organizations can concentrate their human resources on more meaningful interactions with patients.

Whether managed in-house or outsourced, a comprehensive communications plan will enable hospitals to continue the patient-provider conversation long after patients leave the facility, enhancing their experience throughout the entire care continuum.

Steve Whitehurst is the vice president and general manager of Stericycle Communication Solutions.

October 8, 2014 Readers Write No Comments

Readers Write: Will You be Shocked by Shellshock?

October 1, 2014 Readers Write No Comments

Will You be Shocked by Shellshock?
By John Gomez

Here is a riddle for you. What is old yet new, and at the same time scary yet contained, while being known yet potentially a big surprise?

If you answered Shellshock, you collect $200 and go to the front of the class. Shellshock is a computer exploit that was discovered in the past few weeks, but “new” isn’t exactly right. The underlying vulnerability, which may compromise Linux- and Unix-based systems, has been around for 25 years. While newly discovered, it is rather old.

Shellshock is scary because it allows someone to take over a Linux- or Unix-based computer (such as your Mac, iPhone, iPad, BSD, Red Hat, Ubuntu system) and bypass all security. This is accomplished by accessing the old-school command line shell known as Bash and executing commands that to most of us make no sense at all in this day of graphical interfaces.

Want to see if your Mac, Linux, or Unix system is vulnerable? Open a terminal or command shell and type in the following (no, it won’t give me super secret ninja access to your system):

env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'

If you see the word “vulnerable” after you hit enter, your system is at risk.

Before you get worried, keep in mind that in most cases, if you have a firewall up and running, you are more than likely safe (assuming your firewall isn’t at risk of Shellshock, but that is beyond our focus in this article). 

Shellshock exists because a programmer 25 years ago made a coding error in a fundamental part of the operating system. Shellshock isn’t some trick or hack — it’s just exploiting a bug. Unlike a worm or virus that is purpose built, Shellshock is really just a how-to for hackers to embrace.

Most vendors of Unix/Linux-based systems such as Apple, Red Hat, and others have already released patches to fix the bug. The challenge you face is making sure that you deploy these patches quickly. A smart hacker could take control of your system and prevent the patch from being effective, so time isn’t on your side. You need to move fast.

You can ask your security team to check their IDS and other logs to see if someone has attempted to gain access to your system using the Shellshock vulnerability. If your team sees active Shellshock scans, you should really do a triple check of your systems and determine if you were penetrated. It isn’t easy to figure out, and more than likely you should get professional support if you suspect you were scanned and successfully attacked.
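As an illustration of the log check described above (an added example, not part of the original article), the script below searches web server access logs for the `() {` marker that appears in the test command and reports which sources sent it. It assumes the Apache/nginx "combined" log format; the sample log lines and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the article): triage web access logs for
# Shellshock probes by looking for the "() {" marker from the test
# command above. Assumes the Apache/nginx "combined" log format.

# Constructed sample traffic; addresses are documentation ranges.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 97 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [25/Sep/2014:10:01:06 +0000] "GET /cgi-bin/missing HTTP/1.1" 404 210 "() { :;}; echo vulnerable" "-"
203.0.113.44 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/test HTTP/1.1" 404 210 "-" "() { :;}; echo vulnerable"
192.0.2.10 - - [25/Sep/2014:10:03:00 +0000] "GET /help?q=bash HTTP/1.1" 200 88 "-" "Mozilla/5.0"
EOF
}

# stdin: access log. stdout: "<client-ip> <status> <field>" per probe,
# where <field> names the logged value that carried the marker.
shellshock_hits() {
    awk -F'"' -v marker='[(][)] [{]' '
        $0 ~ marker {
            split($1, head, " ")   # text before the quoted request line
            split($3, tail, " ")   # status code and byte count
            where = "other"
            if      ($2 ~ marker) where = "request"
            else if ($4 ~ marker) where = "referer"
            else if ($6 ~ marker) where = "user-agent"
            print head[1], tail[1], where
        }'
}

# Probes per source address, as "<count> <client-ip>", busiest first.
shellshock_sources() {
    shellshock_hits |
        awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' |
        sort -rn
}

# Probes the server answered with a 2xx status. A 2xx is not proof of
# compromise, only a reason to examine that host first.
shellshock_followup() {
    shellshock_hits | awk '$2 ~ /^2/ { print $1, $3 }'
}

sample_log | shellshock_sources
sample_log | shellshock_followup
```

To run it against a real log, feed the file on standard input, for example `shellshock_sources < access.log`, where `access.log` stands for whatever path your web server writes to.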

We have covered why Shellshock is old yet new and scary yet contained. What about known and yet a surprise? It is known simply because we know the targets. Most hackers are going to attack web, database, and other IP-based servers on your network that run on Linux/Unix. Where is the surprise?

The surprise is that what may be most vulnerable are those things we think of the least. Most connected devices we find in a healthcare environment (from a lab to a clinic to a retail pharmacy to a doctor’s office and everything in between) are based on some form of Linux/Unix. This not only includes your medical devices and diagnostic equipment, but also things like your security system, CCTV cameras, and smart door locks.  

Because we live in the age of the Internet of Things (IOTS), chances are that if your device or system has an IP address or a call-home feature, it is running some form of Linux/Unix. That means that you could be in for a big surprise if a hacker gains control of your MRI, CT scanner, or something less critical like your CCTV cameras.

The good news in all this (if there is good news) is that most devices run a form of Linux/Unix known as BusyBox, which is not vulnerable to Shellshock. Also, most devices in healthcare environments do not make use of Bash, which is the component that is vulnerable.  

That said, you really shouldn’t just hope that your devices are running BusyBox or that Bash isn’t present. It would be wise and prudent (and some may say legally responsible) to evaluate your risk by contacting your vendors to see what devices are vulnerable. Ask the vendor directly what they intend to do and how quickly if they have an at-risk system. Don’t be surprised if many of your device vendors don’t know if they are at risk or not — many deploy Linux/Unix systems and cannot clearly detail if Bash is enabled or not.

If the device you are concerned about involves patient care, you have a critical decision to make and need to clearly understand if there was an attack. For the most part, patient care devices such as an MRI are behind (or should be behind) several layers of network protection or only have a one-way connection using a trusted tunnel. While hoping that is true, check, double-check, and triple-check because lives are at stake.

You should also make sure your physical security organization understands the impact of Shellshock on its systems. In this IOTS world, many of the devices that could be vulnerable may have nothing to do with traditional IT. For instance, webcams that allow security teams to monitor infrastructure are IP-based, and many are now accessible to security officers from smartphones. Most webcams have built-in web servers based on Linux/Unix and live on your network in some form or fashion. It is important that those who are responsible for non-IT/HIT electronic devices also make sure that their devices are secure and not vulnerable to Shellshock.

Lastly, you should be checking with your HIPAA business associates to understand their response to Shellshock. You have an ongoing requirement to ascertain your BA’s ability to protect patient health information. Like Heartbleed, Shellshock is considered a significant threat and could easily be used to compromise PHI. Failure to assure that your BA is taking steps to secure your PHI on their networks from Shellshock could be an issue for your organization.

So there you have it. Shellshock is all at once old and new, scary and contained, and known. Because of this brave new world of connected everything, it could very well provide you with the surprise of your life.

John Gomez is CEO of Sensato of Asbury Park, NJ.


Readers Write: Feeling the Pain of Meaningful Use? Try Vicodin

September 29, 2014 Readers Write No Comments

Feeling the Pain of Meaningful Use? Try Vicodin
By David Ting


Meaningful Use Stage 2 requirements state that eligible professionals must transmit more than 50 percent of all permissible prescriptions electronically using a certified EHR system, an increase from a 40 percent threshold in Stage 1.

Although the use of e-prescribing continues to increase (Surescripts reports adoption rates of about 73 percent), many CIOs and other healthcare leaders I meet think they will struggle to achieve the 50 percent threshold without including controlled substances, which are almost always prescribed using paper-based prescriptions.

In today’s frenetic healthcare environment in which clinicians are constantly pressed for time, many default to a single workflow of using paper prescriptions for all medications for simplicity. This decreases utilization of e-prescribing and makes it harder to meet the required 50 percent threshold. In addition, it decreases patient safety and provider efficiency and results in greater inconvenience for patients who are forced to not only pick up a prescription at the provider’s office, but also endure longer wait times at the pharmacy.

For those CMIOs feeling the pain of trying to meet Meaningful Use e-prescribing requirements, Vicodin might provide the answer.

In August, DEA issued a ruling to reclassify hydrocodone combination products such as Vicodin from a Schedule III to a Schedule II controlled substance. This ruling puts tighter controls on how these highly addictive medications can be prescribed. For instance, doctors can prescribe a maximum three-month supply (previously it was six months) before patients need another prescription to be written.

Consider that in 2012, 135 million prescriptions were written for hydrocodone combination products in the US. The ruling could conceivably double this number, which would increase the total number of prescriptions for controlled substances by 25 percent or more. This increase in volume will exacerbate the challenges created by the inability to e-prescribe controlled substances, particularly as it relates to dual workflows for prescribers and the consequential impact on meeting Meaningful Use requirements.

For this ruling to be successful and have the desired impact on reducing drug abuse, systems like electronic prescribing of controlled substances (EPCS) must be implemented to ensure the tighter restrictions are enforced without creating barriers for physicians to write and refill prescriptions for patients truly in need. EPCS makes it far more difficult to obtain highly addictive prescription medication for illicit purposes without placing any undue burden on patients with legitimate needs.

Now that EPCS is allowed by the DEA, providers can choose to include controlled substances as part of their equation for Meaningful Use, as long as the decision applies to all patients and for the entire reporting period. With an EPCS system in place, healthcare providers and organizations can more easily meet Meaningful Use Stage 2 requirements for e-prescribing while also realizing all of the additional benefits of EPCS. 

David Ting is founder and chief technology officer of Imprivata of Lexington, MA.


Readers Write: The Key to Transitioning from PQRS to Risk-Sharing Agreements

September 29, 2014 Readers Write No Comments

The Key to Transitioning from PQRS to Risk-Sharing Agreements
By Mason Beard


If you, Dr. X, report on quality for your Medicare patients, you’ll get a nice bonus. That’s how PQRS started out—a purely pay-for-reporting initiative.

The bar for this program was set fairly low to encourage providers to meet the requirements. But in its crafty way, the federal government has steadily shifted the program away from the carrot and toward the stick. In fact, the incentive phase of the program ends next year. Providers who don’t measure up will simply experience the stick. In other words, the government has moved its focus from reporting to performance.

I don’t want to paint CMS as conniving to punish poorly performing providers. The truth is that PQRS has been a very successful program and is driving an important focus on the quality of care delivered to Medicare beneficiaries. Another quite evident truth is that CMS is not stopping here.

CMS isn’t just creating government programs and regulations; they’re trying to change provider behavior to rally around outcomes reporting and better care. They’re pushing providers inexorably toward value-based reimbursement (VBR). Reading the tea leaves of what’s happening with PQRS—and considering the proposed Merit-Based Incentive Payment System (MIPS)—the government is going all in on this.

Technology can help providers who are doing PQRS reporting prepare to move successfully into more sophisticated VBR arrangements. From the beginning of PQRS (PQRI at the time), it was evident that providers would need HIT tools to help them track, measure, and report on quality measures. PQRS has been around long enough that there are now a variety of tools providers can use to help them fulfill this requirement.

Not all of these tools can help providers meet PQRS requirements and transition to more sophisticated VBR arrangements using the same infrastructure. Make no mistake — such a transition is essential. To manage it successfully, organizations don’t need a point solution, they need a platform.

Here’s why. The new PQRS, the MIPS of the future and other VBR arrangements don’t focus on reporting outcomes; they focus on improving outcomes. The only way organizations will be able to improve outcomes is by implementing what I call the 4 As:

  • Aggregation. Providers need to be able to gather clinical and administrative data from the disparate technologies across their system.
  • Analytics. Providers need some level of analytics to understand their population, identify gaps in care, and assess risk.
  • Action. Providers can’t just aggregate data and analyze it and then not do anything about it. They need some system in place to engage their patient population (via care management workflows, automated outreach, reminder letters, etc.) and fill gaps in care.
  • Accountability. They need to be able to prove the value back to the stakeholder. Simply put, this means reporting the outcomes for a variety of initiatives to CMS and other payers.

It’s important to note that PQRS point systems only address the fourth A: accountability. (Even then, they may not have the flexibility to adapt to the various reporting initiatives that will be required by multiple payers as time goes on). If a PQRS solution only addresses the fourth A, it can’t prepare an organization for risk. It doesn’t create processes that move the organization away from a fee-for-service world.

A platform, on the other hand, enables provider organizations to enter the value-based world. Performing PQRS reporting on a platform is the perfect starting point. As providers fulfill the PQRS reporting requirements, they can layer in processes that help them transition from a reporting workflow to a more proactive workflow focused on population health management. With the aggregated data and intelligence they build up around their performance in the process, they become equipped to enter into VBR arrangements with commercial payers.

A platform delivers an easy, turnkey way to branch out from PQRS to address other, more sophisticated payer initiatives. The time to plan for this transition is now because the stakes are rising. Every plan—both government and commercial—is developing some kind of risk- or performance-based initiative. With a platform, providers don’t have to take the plunge immediately. They can first dip their toes in the waters of PQRS and then move steadily into a world of improved outcomes and value-based reimbursement.

Mason Beard is senior vice president of solutions and co-founder of Wellcentive of Alpharetta, GA.
