
Readers Write: Protecting the Network with Endpoint Security

September 17, 2014

By Jeff Multz


CIOs are forever struggling to ensure that technology helps their businesses run efficiently and effectively and that their networks are protected. That’s a heavy undertaking for any business, but especially for healthcare organizations, as medical professionals rely on a bevy of computer devices (including their own). These devices have become high-value targets for threat actors, who are increasingly attacking endpoints (laptops, workstations, and mobile devices) to break into the networks of healthcare and financial institutions.

The FBI recently issued an alert following a highly publicized attack on a US hospital group that warned healthcare companies they are being targeted by hackers.

"We are seeing an increase in attacks within healthcare," said Ann Patterson, senior vice president and program director of the Medical Identity Fraud Alliance. "The healthcare sector’s security and privacy controls differ from more secure industries, such as financial services, and [healthcare organizations] may be easier targets."

Why is healthcare so attractive to threat actors? A few reasons.

  • Nation states are after the intellectual property of medical equipment and pharmaceutical companies so they can copy their products and sell them more cheaply.
  • Threat actors are also after the personally identifiable information (PII) held by healthcare providers, which attackers use to open new credit card accounts in the names of patients. That PII includes a patient’s name, address, phone number, Social Security number, date of birth, and billing information.

Because it is often difficult to evade network detection devices such as firewalls and intrusion detection/prevention systems (IDS/IPS), attackers are going directly to the end user via phishing or watering hole attacks to break into networks. The trusting souls who click on the links or attachments inside these emails have no idea that when they do, malware is downloaded automatically.

While there have been new innovations in protecting the network from outsiders, there’s been a dearth of innovation in endpoint security technology. Since antivirus (AV) software is not very effective, it has become quite easy for attackers to infect endpoints. Defenses for endpoints are still mostly malware-signature based, so threat actors run pre-attack tests to see which signatures are being detected and which ones aren’t.

This ploy has worked so well that attackers sell their testing services to other attackers, running a service similar to that of VirusTotal, which scans malware for detection rates. However, unlike VirusTotal, the threat actors don’t share the results with AV vendors.

With about 200,000 new pieces of malware being created each day, according to Kaspersky Labs, and much of the malware being polymorphic, signature-based threat detection methods can’t keep up with the pace of new malware creation.

It’s hard to keep endpoints, especially personally owned endpoints, up to date with the latest patches. There are more applications than ever that people download onto their devices and all these applications have flaws, making them easy targets for attackers. Additionally, Web-based technologies are being designed so users can do anything over the Web using HTTP or HTTPS, which subverts perimeter-based controls and makes the Web an easy way to deliver malware.

With the Internet of Things (IoT) growing daily, the front line of attack has moved from servers to the endpoint. This year alone, IDC expects shipments of smart-connected devices (PCs, tablets, and smartphones) to surpass 1.7 billion units worldwide. Organizations are being attacked via their endpoints, yet have no idea they’ve been compromised.

The average time it takes for organizations to discover they have been compromised is 229 days and 69 percent of the discoveries are made from outside sources, such as federal authorities, the FBI, or private security companies.

An organization must be able to see all activity taking place on its endpoints so it can remove attackers as soon as they enter the network. The only way an organization can know whether it has been compromised is to continuously monitor both the network and the endpoints. It needs to see what’s going on at the endpoint and tie that to what is going on across the network. Anomalous activity must be spotted as soon as it occurs.

An organization should be able to determine what happened when the affected system ran, with whom the system communicated, what changed on that system, what the lateral movement was, and what tools were used. Endpoint activities should be collected and logged continuously. The information should be fed into a system that takes an end-to-end view of all that has occurred, providing full visibility into the network. Organizations can then take that information and adapt their infrastructure, user training, and applications accordingly to defend the network.

As soon as anomalous activity is spotted, an investigation should be initiated. If the investigation reveals that an endpoint was compromised, the system can provide a blueprint of all activity that has occurred, and all activity as it is occurring, so the threat can be contained as quickly as possible.
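The investigation the preceding paragraphs describe (tying endpoint process activity to network flows, working out what a suspicious process spawned and wrote, whom it talked to, and whether it moved laterally) can be sketched in a few dozen lines of correlation logic. The block below is an added example, not code from the article or from any product the author sells; the hostnames, process names, addresses, event records and the "document application spawning a shell" rule are all constructed for illustration.

```python
"""Tie endpoint telemetry to network flows so that a suspicious process, the
hosts it talked to, what it changed, and where it moved next can be pulled
out of the logs. Added example, not code from the article; every host name,
process name, address and event below is constructed sample data."""
from datetime import datetime, timedelta

# Constructed endpoint telemetry: (timestamp, host, event type, details)
ENDPOINT_EVENTS = [
    ("2014-09-10T09:02:11", "ws-radiology-07", "process",
     {"pid": 412, "image": "winword.exe", "ppid": 100, "parent": "explorer.exe"}),
    ("2014-09-10T09:02:40", "ws-radiology-07", "process",
     {"pid": 520, "image": "powershell.exe", "ppid": 412, "parent": "winword.exe"}),
    ("2014-09-10T09:03:05", "ws-radiology-07", "file",
     {"pid": 520, "path": "C:\\Users\\nurse1\\AppData\\Local\\Temp\\upd.exe", "action": "create"}),
    ("2014-09-10T09:05:30", "ws-radiology-07", "process",
     {"pid": 611, "image": "upd.exe", "ppid": 520, "parent": "powershell.exe"}),
    ("2014-09-10T09:30:00", "ws-billing-02", "process",
     {"pid": 333, "image": "cmd.exe", "ppid": 700, "parent": "services.exe"}),
    ("2014-09-10T10:00:00", "ws-pharmacy-01", "process",
     {"pid": 900, "image": "chrome.exe", "ppid": 100, "parent": "explorer.exe"}),
]

# Constructed network flow records: (timestamp, src host, dst, dst port, src pid)
NETWORK_FLOWS = [
    ("2014-09-10T09:02:45", "ws-radiology-07", "203.0.113.10", 443, 520),
    ("2014-09-10T09:06:00", "ws-radiology-07", "203.0.113.10", 443, 611),
    ("2014-09-10T09:29:50", "ws-radiology-07", "ws-billing-02", 445, 611),
    ("2014-09-10T10:00:05", "ws-pharmacy-01", "198.51.100.7", 443, 900),
]

DOC_APPS = {"winword.exe", "excel.exe", "acrord32.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
LATERAL_PORTS = {445, 3389, 5985}   # SMB, RDP, WinRM: typical admin/lateral channels


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def flag_suspicious_spawns(events):
    """A document or mail application launching a shell is a classic phishing
    indicator; return (host, pid, image) for each such process event."""
    return [(h, d["pid"], d["image"]) for _, h, kind, d in events
            if kind == "process" and d["parent"] in DOC_APPS and d["image"] in SHELLS]


def descendants(events, host, root_pid):
    """Follow ppid links to collect the whole process tree under root_pid."""
    pids = {root_pid}
    changed = True
    while changed:
        changed = False
        for _, h, kind, d in events:
            if h == host and kind == "process" and d["ppid"] in pids and d["pid"] not in pids:
                pids.add(d["pid"])
                changed = True
    return pids


def investigate(events, flows, window=timedelta(minutes=5)):
    """For each flagged process: what it spawned, what it wrote, whom it talked
    to, and whether a flow to another host on an admin port was followed by new
    process activity on that host within `window` (a lateral-movement signal)."""
    findings = []
    for host, pid, image in flag_suspicious_spawns(events):
        tree = descendants(events, host, pid)
        files = [d["path"] for _, h, kind, d in events
                 if h == host and kind == "file" and d["pid"] in tree]
        contacts = sorted({(dst, port) for _, src, dst, port, spid in flows
                           if src == host and spid in tree})
        lateral = []
        for t, src, dst, port, spid in flows:
            if src != host or spid not in tree or port not in LATERAL_PORTS:
                continue
            followed = [d["image"] for et, h, kind, d in events
                        if h == dst and kind == "process" and ts(t) <= ts(et) <= ts(t) + window]
            lateral.append((dst, port, followed))
        findings.append({"host": host, "root": image, "process_tree": sorted(tree),
                         "files_written": files, "contacts": contacts, "lateral": lateral})
    return findings


def timeline(events, flows, host):
    """Merge endpoint and network records for one host into a single ordered view."""
    rows = [(t, "endpoint", f"{kind} {d}") for t, h, kind, d in events if h == host]
    rows += [(t, "network", f"pid {spid} -> {dst}:{port}")
             for t, src, dst, port, spid in flows if src == host]
    return [f"{t} [{source}] {desc}" for t, source, desc in sorted(rows)]


if __name__ == "__main__":
    for finding in investigate(ENDPOINT_EVENTS, NETWORK_FLOWS):
        print(finding)
    print("\n".join(timeline(ENDPOINT_EVENTS, NETWORK_FLOWS, "ws-radiology-07")))
```

On the sample data, `investigate` reports one finding: a shell launched from a word processor on the radiology workstation, the executable it dropped, the external address its children contacted, and an SMB connection to the billing workstation that was followed within the window by a new process there. The point is that neither data source alone tells that story: the endpoint log shows a shell but not where it talked, and the flow log shows a connection but not which process made it.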

The 2014 SANS Health Care Cyberthreat Report found that endpoint devices pose challenges not only for securing them and the network they are connected to, but also for recovering from an incident. Continuously scanning endpoint devices that are connected to a network can tell an organization exactly where the infection is hiding in the endpoint and how to remediate it. Infected endpoints can often be remediated without being wiped or re-imaged, avoiding the possibility of inadvertent data loss during a wipe.

Workstations are critical attack vectors, and organizations that have a multitude of high-value endpoint devices must always be on high alert for attacks. For now, there is only one way to do that. Gartner calls the solution Endpoint Threat Detection & Response, also known as Advanced Endpoint Threat Detection. It should be mandatory for any organization that needs to protect its business.

Jeff Multz is director of North America Midmarket for Dell SecureWorks of Atlanta, GA.

Readers Write: The Engaged Patient – Are They Really?

September 12, 2014

By Helen Figge


Sorry to be the bearer of mediocre news, but despite the growing conversations around the value of engaging patients in their own healthcare, the term “patient engagement” is a really cute flavor of the month healthcare buzz phrase.

Many seem to be confused by what “patient engagement” means. It lacks a standardized approach to its interventional aspects or, put more plainly, rules of engagement.

The major thrust for patient engagement legitimacy comes in most part to the expansion of health insurers rewarding providers based on services that support the improvement of a patient’s health and wellbeing. Likewise, the anticipation that engaging the patient will reduce the utilization of healthcare resources plays into this concept. Finally, healthcare providers were vocal concerning the 10 percent patient engagement threshold originally mandated in Stage 2 of Meaningful Use and these “squeaky wheels” enabled a pushback to 5 percent.

The legitimacy behind engaging the patient appears evident because investing in the healthcare consumer who utilizes our healthcare resources (you and me), and in turn creating healthier assets, is the overarching goal of better health. This in turn fundamentally assumes we lower the costs of healthcare. So, from this point of view, “investing” in consumers of healthcare and helping them to be more effective partners in their own care makes good practical sense, right?

One would think and hope so. Based on several research sources, it is indeed possible to meet the requirements to support these patient initiatives through various technologies on the market today, like the patient portal, yet only a small percentage of providers are currently supporting these efforts.

The basic question is how do we engage patients to want to stay in control of their own health’s trajectory? What motivates and stimulates and excites someone to want to get and keep control of his or her own health destiny?

This is the one question gone awry, because the share of consumers consistently participating in their health is quite low, with fewer than 5 percent consistently engaged, if at all, in their healthcare. Many practitioners are finding out that each and every one of us is motivated by something different when it comes to our own healthcare.

My dad was a great example of a non-compliant chronic disease sufferer who, when he felt better stopped taking his meds. Only when his blood glucose reading recordings were hooked up to his senior citizen daily calendar for dating (he was 87) did he remember to record his blood sugar readings for his care coordinator. One could say my dad’s health was directly stimulated by his desire to see which eligible senior citizen lady friend was going to the senior center that night for bingo.

In order for any patient engagement opportunity to be successful, each and every engagement might have to be customizable with each step in the care process to create a meaningful role for patients and their families and specifically tailored in such a way that helps patients acquire the knowledge and skills they need to effectively manage their health and do so in a consistent manner.

We also need to realize that some patients are not prepared to take on any type of role in their healthcare and might not be able to cope with their various illnesses regardless of the enticement. This is oftentimes a concern with those suffering from chronic diseases, where they will need to engage for the duration of their lives to keep and maintain their health.

I equate this type of patient engagement to eating your favorite food every day until after a while, boredom sets in. Your favorite food loses its luster. You just stop eating it and substitute another. When patients are unable to manage these types of often complex tasks, the result is less control over a person’s health and well being and ultimately higher health care and human costs.

If patient engagement has a chance to really hit the numbers we hope it will, it is important to tailor the care and instructions a patient has to support that care. In healthcare, we tend to provide the same amount of support regardless of the patient population or skill set at hand. We always try to standardize approaches, which 99 percent of the time is great, but patient engagement is that 1 percent where it just can’t be done. This is the reason for the low numbers in patient engagement we are seeing firsthand today. Each patient needs to be motivated in his or her own way to accomplish the empowerment needed for successful personal intervention.

Finally, another point to consider in all of this when trying to motivate a patient to “engage” in their own care is that it cannot be monetarily based. Patients are not motivated by financial incentives direct or otherwise for long-term behavior change. It is documented that highly engaged patients with the skills and knowledge respond better to the monetary gains of engaging in their healthcare, while some less than enthusiastic patients accept defeat much easier and accept their disease states and the sequelae of them regardless of intervention and assume it is what it is and thus accept any increased cost incurred by the disease state to be inevitable.

So when considering patient engagement, consider the patient first and foremost because patient engagement is based on the patient’s active and sustained participation in managing their health. It is a marathon race, not a sprint. Only through this mechanism will this lead to better health outcomes.

Proactive action to change and maintain our health through productive health behaviors is the mainstay of the effort. At its center is the concept of taking an active role in our own health and healthcare. We know objectively it can be measured using various tools like the Patient Activation Measure (PAM). This testing helps to identify a patient’s engagement level and is used as a tool for improving activation for health and wellness, although I’m not sure how helpful it is right now given the lower-than-expected statistics of patient engagement overall.

The evidence suggests that increasing a patient’s engagement in their own health trajectory can have an impact on controlling costs and helping patients to become healthier – to live longer with fewer complications. The problem is that no one has come up with a standardized approach as to how to engage a patient for long-term success to any disease resolution. 

Maybe we need to interview each patient and see what drives him or her to wake up each morning. For my 87-year-old dad, it was trying to find a date for bingo night at the senior citizen center. Only after he answered his blood glucose reading did the senior citizen screen pop up. Maybe we need to do something like this for each and every patient. 

Helen Figge, PharmD, MBA is VP of clinical integrations of Alere Accountable Care Solutions

Readers Write: State-Based Health Insurance Exchanges

September 12, 2014

By Jason Deck


I was invited recently to join a forum at Northwestern University to discuss the state-based health insurance exchanges (HIX). It included leaders of the state exchanges, legislators, consultants, insurance industry executives, and physicians. Topics included policy discussion, pricing and transparency issues, and growth plans. 

I came away with one resounding thought: there are an awful lot of very smart people working tirelessly on the challenge of ensuring that all Americans have affordable access to healthcare. It is inspiring to witness.

Christine Ferguson, director of the Rhode Island exchange, made a powerful statement: “Nothing like this has ever been attempted before. Ever.” She was referring to the task of overhauling the extremely complicated incumbent system of healthcare delivery by bringing together public and private sector interests, policy making, technology, and care providers. It is a daunting task.

How they did it depends on the state, all of which had to have some version of a working exchange in place and functional by October 1, 2013. Some states chose to build their own, while others partnered with the federal government’s Healthcare.gov. That was not a perfect process, but given the complexities and the timeframe under which these states were operating, I will posit that the result was a success.

Much of the discussion in our forum revolved around the way forward. Three key themes emerged:

  1. Integrated eligibility platforms
  2. Consumer outreach and education
  3. Financial viability

A key tenet of the Affordable Care Act is the insurance subsidy offered to individuals and families below 400 percent of the poverty limit. When individuals go to their state’s HIX to shop for and purchase an insurance policy, one of the early and important steps is to determine whether they qualify for a subsidy. Their eligibility is determined in part by first confirming the individual is not eligible for Medicaid. 

The insurance exchanges and Medicaid applications are not integrated except in a few states, so applicants must register themselves with the HIX, then go to Medicaid and apply specifically to be denied. They then receive a denial number to bring back to the HIX to continue their eligibility application.

Confused? Everyone is. Integrating these systems will deliver a quantum leap in the end user experience and ease of registration.

Which brings us to the second key initiative: consumer outreach and education.

The HIX executives who spoke at the forum agreed they had an early wave of low-hanging fruit their exchanges would enroll, but that they were quickly (and happily) working their way through that population. The next frontier is more difficult — small business owners and individuals with some resistance to buying health insurance.

To that end, the exchanges invest heavily in community outreach with sophisticated marketing programs, local offices, advertising, branding campaigns, etc. The results are promising. There was a productive conversation about which techniques are delivering the best results in new enrollment. Without exception, every HIX executive to whom I spoke named education and outreach as a top-of-mind concern.

On a related note, I was pleasantly surprised at the general tone the HIX leadership uses with regard to their constituents. They talk about improving the quality of the products and service, ensuring that call center wait times are kept short, and agents are trained to educate the customer. Many of these exchanges are organized under a government agency, but their leadership sure talks like private sector business leaders.

The federal government invested funds to build these exchanges, but not for their ongoing operations (there were more than a few jokes about the feds serving as the VC investor to the exchanges). Jokes aside, the need to become financially solvent is a real issue, and the audience proved creative in its approaches.

Many great ideas were exchanged, ranging from user fees and advertising strategies to insurer assessments and excise taxes. While each state will ultimately land on its own model for its P&L management, the normal issues of operating costs, well-forecasted growth, and disciplined budgeting will be increasingly important to the HIX executives as they move from their launch phase into steady state.

The forum provided a great opportunity for many stakeholders in the development of state-based health insurance exchanges to discuss their progress, lessons learned, and ideas for the future. There will be bumps in the road to be sure, but we all have much to be excited about as the evolution to a more efficient and transparent health insurance ecosystem continues.

Jason Deck is vice president of strategic development of Logicworks.

Readers Write: Lessons Learned from the CHS Breach

September 3, 2014

By John Gomez

In early 2014, a group of security researchers began to suspect that some implementations of SSL — a commonly used method to encrypt data — were not as secure as the name would imply. Their thesis was rather elegant, actually more art than science, but fascinating just the same.

They hypothesized that although the cryptographic algorithms may well be secure and protect over-the-wire data (data sent across a network) from prying eyes, the actual programming used to implement the algorithms may have flaws. If there was a flaw in the underlying implementation — such as how memory is managed, for instance — then SSL could become a tool for nefarious agents to exploit and compromise network security.

On April 1, 2014, two groups of security researchers (Neel Mehta of Google and Codenomicon) announced that such a flaw did exist in SSL, specifically in OpenSSL. This vulnerability came to be known as Heartbleed.
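The article's point is that a sound cipher can still be undone by the code around it, and the Heartbleed class of bug is the textbook case: a handler that trusts a length field supplied by the peer instead of the number of bytes it actually received. The block below is an added, deliberately simplified model of that mistake and its fix, written for this page; it is not OpenSSL code, and the two-byte message layout, the "process memory" buffer and the neighbouring data are all constructed for illustration.

```python
"""A minimal model of the kind of memory-handling flaw the article describes:
copying as many bytes as the peer *says* it sent rather than as many as it
*actually* sent. Added illustration, not OpenSSL code; the wire format and the
simulated process memory are constructed."""
import struct


def build_request(payload: bytes, declared_len: int) -> bytes:
    """Constructed wire format: 2-byte big-endian declared length, then payload.
    A well-behaved client passes declared_len == len(payload)."""
    return struct.pack(">H", declared_len) + payload


def lay_out_memory(request: bytes, neighbour: bytes) -> bytearray:
    """Constructed process memory: the request record followed by unrelated data
    that happens to sit next to it (in a real server, other sessions' data)."""
    return bytearray(request + neighbour)


def unchecked_echo(memory: bytearray, offset: int) -> bytes:
    """Vulnerable: copies `declared_len` bytes starting at the payload, so a
    declared length larger than the real payload reads past it into whatever
    else the process holds in memory."""
    (declared_len,) = struct.unpack_from(">H", memory, offset)
    start = offset + 2
    return bytes(memory[start:start + declared_len])


def checked_echo(memory: bytearray, offset: int, received_len: int):
    """Fixed: the declared length must fit inside the bytes actually received
    for this record; otherwise the request is silently discarded."""
    if received_len < 2:            # not even a complete length field
        return None
    (declared_len,) = struct.unpack_from(">H", memory, offset)
    if declared_len > received_len - 2:
        return None                 # peer lied about the payload size
    start = offset + 2
    return bytes(memory[start:start + declared_len])


def demo():
    """Send a 4-byte payload that claims to be 40 bytes long and compare the
    two handlers on the same simulated memory."""
    request = build_request(b"ping", declared_len=40)
    memory = lay_out_memory(request, b"patient-record:MRN-000000;session=" + b"x" * 64)
    leaked = unchecked_echo(memory, 0)
    safe = checked_echo(memory, 0, received_len=len(request))
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("unchecked handler returned", len(leaked), "bytes:", leaked)
    print("checked handler returned:", safe)
```

The unchecked handler returns 40 bytes: the four bytes of the request followed by 36 bytes of the neighbouring data it was never meant to touch, which is exactly the "memory management" failure the researchers anticipated. The checked handler refuses the same request and still echoes an honest one correctly. The real OpenSSL fix applied the same principle, validating the heartbeat's declared payload length against the length of the record actually received.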

Within hours of the vulnerability being announced, sites around the world were compromised, including the Canadian Revenue Agency, Mumsnet in the UK, and others. Early estimates showed that well over a million sites and X.509 certificates were at risk of attack. On April 12, 2014, the University of Michigan reported that a server in China had attacked a decoy server at U of M with advanced tools to exploit the Heartbleed vulnerability.

The revelation of the Heartbleed impact created shock waves. Some, like the Electronic Frontier Foundation, called it “catastrophic,” and Forbes columnist Joseph Steinberg declared, “Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.”

Within days of the disclosure, the Federal Bureau of Investigation released a private industry notice (or PIN) to the healthcare industry that stated, “The healthcare industry is not as resilient to cyberintrusions compared to the financial and retail sectors, therefore the possibility of increased cyberintrusions is likely.”

Flash back to February 2014, when a group of hackers known as Unit 61398 was suspected of launching cyberattacks against a variety of US industries, specifically the financial, transportation, energy, and healthcare sectors. Unit 61398 is believed to be, according to cybersecurity firm Mandiant, a top-secret unit of the People’s Liberation Army based in Shanghai.

Since February 2014, it has been learned that Unit 61398 is not specifically tasked with cyberattack missions, but it is believed to have developed highly sophisticated software and hardware tools that could be used for cyberwar, typically known as cybermunitions. Speculation is that these tools are made available to independent hacker groups for “testing purposes only,” although this has never been confirmed.

One such group believed to have gained access to these tools is APT 18, a well known and highly sophisticated group of Chinese hackers with branches in Shanghai, Hong Kong, Singapore, and the United States. APT is shorthand for a type of cyberattack known as Advanced Persistent Threat. APT 18 specializes in conducting those attacks.

It is believed that within hours of the Heartbleed disclosure on April 1, APT 18 started customizing the tools from Unit 61398. One they possibly created is a Remote Access Tool (or RAT). A RAT works by using a carrier to gain access to network systems, usually by rather simple means. For example, a RAT can be deployed inside a network as a result of a user watching a video, reading an e-mail, or opening a file.

A highly common way of distributing a RAT is through a trusted third-party communication, which is typical in exchanges between business associates and covered entities in healthcare. A RAT could also be deployed to a medical device with a vulnerable call-home feature and network access.

The RAT allows remote control of a network, servers, devices, and much more. Just like a real rat, a cyber-RAT is infectious and can cause severe damage. The current thinking is that APT 18 targeted Community Health Systems (CHS) and successfully introduced a RAT before CHS could apply the Heartbleed patches to all of its systems. This is speculation, but highly probable.

It is also probable that APT 18 was successful because it had started targeting the healthcare industry in February 2014. Heartbleed was a fortunate development. It is also believed that CHS is not the only targeted healthcare entity and APT 18 may have compromised other healthcare organizations that may not have discovered the compromise yet. APT 18 may have used other vulnerabilities to infiltrate the CHS system, but for purposes of this article, we will continue to embrace the common thinking that Heartbleed was the key mechanism.

Criticizing CHS would be wrong. It acted quickly and there’s no evidence that it was negligent or dismissive. A better use of our time as an industry would be to learn from the CHS experience. The healthcare information technology sector is under attack by sophisticated enemies who will persist in their attacks on healthcare infrastructure as a means to undermine patient confidence in our ability to provide quality care and security.

We should be thankful that the CHS breach was limited to data because a RAT can take over an MRI, CT scanner, or EMR system to impact patient safety. Other cybersecurity researchers have demonstrated how to attack X-ray machines and other medical devices. The risk of attack on medical devices prompted the FDA to issue a memorandum on security to medical device manufacturers in June 2013. Although some manufacturers have responded to the memo in a positive manner, some have ignored its warning.

The most important lesson we can take away from the CHS breach is that we as an industry, to echo the FBI PIN, are “…not as resilient as other industries.” Which leaves us with the question: how do we improve our security stance and become more resilient?

Security takes money and a lot of it. There is no way to sugarcoat that fact or to make it more politically correct. NBC News recently reported that the annual cost of healthcare breaches is approximately $5.9 billion. Being secure means educating the board of directors and making it a core investment of the healthcare organization. There is no cheap answer or strategy.

Then, consider how to become aggressive about cybersecurity. Not assertive, but aggressive. Here’s an analogy.

Think of a healthcare system as a castle. Castles had multiple layers of security — intelligence, physical deterrence, internal and external defensive tools and strategies, propaganda, community allegiance, and, “Oh, crap, everything has failed” plans.

The safest castles — the ones that truly focused on protecting their inhabitants, allowing them to pursue a happy and high quality life — had the best layers of coordinated defense and offense. The castles that simply deployed the basics — a moat, drawbridge, some pots of tar, and maybe a few archers — soon learned that a persistent and determined attacker, like APT 18 or others like them, would eventually defeat these strategies.

In today’s terms, that means if you have firewalls, intrusion detection, penetration testing, DLP and similar tools, and policies and procedures, you either have been breached or you will be breached, just like the simpleton castle that did only the basics. A Level III castle.

If you take things up a notch, maybe employ a CISO, get advanced tools, and offer community education and compliance monitoring, you’re on the right track. Still, the odds are that you will get taken out. Your castle is a bit more sophisticated as a Level II castle. You added some alligators to the moat, armed the citizens, and took survival a bit more seriously. A good job, but you could do better. You are assertive, not aggressive.

The best castles invest in leading edge tools, form regional security councils to share ideas and help each other, create crisis response plans, educate their business associates, and use tools for real-time compliance monitoring, data discovery, classification and categorization, and locking down medical and mobile devices. This is a Level I castle. Just like in medieval times, it has not only strong external defenses, but also internal mazes, secret passages, trap doors, nightingale alarms, and remote forces that can respond at a moment’s notice to surround the enemy.

It’s true that someone can get into even a Level I castle, but a Level I castle will survive longer than a Level II or III castle. In fact, the odds are that a Level I castle will repel attacks and be standing after an APT or coordinated persistent attack.

If you had to put your family and loved ones in a castle that was going to be attacked, you would choose the Level I castle. You would do anything to safeguard the lives of those you love. In this day and age and within our industry, cybersecurity is not about privacy any longer. It is about safeguarding patient lives.

It doesn’t matter how the CHS attack happened. It is a wake-up call. Vendors, providers, and allied health entities need to build a Level I castle because they are at risk of coordinated and focused attacks. APT 18 is just one of hundreds of organized entities and thousands of independent attackers who are targeting healthcare and your castle.

To give you an example of how the stakes have been raised, ISIS (yes, the Middle East terror group) has several hundred computer programmers and hackers on their payroll. Take a few moments to let your mind wander about the damage a group like ISIS could cause to your castle. Some of those attackers will be happy with just taking data, while others won’t be happy until they take a patient’s life. 

CHS has shown that life for all of us in healthcare information technology has changed. The only remaining question is, whose castle will be next?

John Gomez is CEO of Sensato of Asbury Park, NJ.

Readers Write: Lessons on How to Survive in Healthcare

August 14, 2014

By Nick van Terheyden, MD


From Samsung to Google to salesforce.com, the flurry of tech companies making a healthcare play over the past few months has left me both excited and dismayed. Excited because these companies have, in their own ways, revolutionized the way people interact with technology. Dismayed because of the steep hill they must climb and their battle to truly make their mark in the healthcare space.

We’ve seen it before. Tech companies dipping their toe in the water and then jumping back when they start sinking ankle-deep and losing their footing. From my 25+ years sitting at the intersection of medicine, technology, and policy, here’s my advice to these tech giants looking to make their mark in healthcare.

  • Get out of your comfort zone and consider the clinician. One of the biggest misses for these tech companies entering into healthcare is they’re expecting the patients to drive the revolution. That’s where they’re comfortable – with consumers. But so much happens on the clinical data side that needs to be factored in. Data needs to flow both ways. Even more importantly, doctors and nurses are drowning in a morass of technology and data that in many ways is hindering their ability to do their jobs effectively and with the passion they had when they entered the field. Add on the fact that working with and interpreting information gathered by a clinician about patients is not a pure art or science. That makes it hard to create consistency in working with it. While a patient app, sensor, or portal is nice, any company entering into healthcare needs to pay as much attention to the clinician as to the patient.
  • Build trust. We’re not making widgets. Google can’t mine healthcare data the way it mines ads and shopping data. It’s one of the major reasons they’re feeling the pain — it doesn’t fit into their core business. Healthcare data comes with all sorts of security and regulatory challenges, but even more important is that the healthcare consumer is a different kind of consumer and implicitly trusts their healthcare professional. They are already wary of ads targeted to their own needs – layer in data about their prostate exam and it becomes even more personal and they’re on the defensive. People interacting with the healthcare system are typically vulnerable, stressed, and sometimes scared. They need to trust their sources. Companies like Apple and industries like banking have built enormous trust with consumers, but replicating that in healthcare requires a different approach.
  • Stop looking for standards and release data from being held hostage. For these companies to be successful, they need to learn to operate outside of the world of data standards. Google was wildly successful moving into email because IMAP and the Simple Mail Transfer Protocol (SMTP) made it easy. There’s no such advantage in healthcare. There are so many variations of standards – from Health Level 7 (HL7) to Clinical Document Architecture (CDA) to the Continuity of Care Record (CCR) and Digital Imaging and Communications in Medicine (DICOM) – that even when they do exist, they’re insufficient for sharing. But there may be an opportunity for Google or another company to actually create a new standard and have it take off. While Google is good at navigating and working with large amounts of data (i.e., Google Maps is constantly updating itself to have the most accurate information), the truth is that patients are ultimately going to own their healthcare data. For anything to change and for progress to be made, it all needs to be easily shared. How companies can turn a profit from shared data remains to be seen.

The more innovation in healthcare, the better for all of us. We need it more than ever. But any new entrant into the space needs a little Healthcare 101 to be successful and to make a difference in the lives of patients, clinicians, and their caregivers. 

Nick van Terheyden, MD is chief medical information officer of Nuance Communications of Burlington, MA.

Readers Write: The Looming Leadership Shortage

August 14, 2014 Readers Write 3 Comments

The Looming Leadership Shortage
By Frank Myeroff


Executives all the way up to CEOs and CIOs are expressing concerns about the looming leadership shortage in the US and around the globe. Because this shortage will hinder business growth, companies are in hot pursuit of professionals who demonstrate leadership potential at a greater rate. They are also willing to invest more resources in leadership programs. In fact, a survey conducted by The Conference Board and Right Management (talent, career, and management experts) indicates that businesses plan to spend 37 percent more on leadership programs this year than they did in 2013.

We’ve identified 10 principles of successful leaders:

  1. Vision. A leader has the ability to share a dream and direction that inspires others to follow.
  2. Trust. Without trust, vision can’t happen. A leader must walk the talk in order for people to give up what they know and venture into the unknown.
  3. Participation. A true leader can unleash the potential in others and get the best from them as they work to accomplish company initiatives.
  4. Learning. Leaders have a thirst for continuous training. Applying this knowledge creates real customer value.
  5. Respect. True leaders respect and have a deep appreciation for people’s differences, and as a result, are able to cultivate more committed employees.
  6. Innovation. Creativity and innovation are essential elements to building a successful company. Leaders need to express original ideas and ingenuity to motivate and inspire others to follow suit.
  7. Honesty. The hallmark of a good leader is integrity, honesty, and morality. We need leaders who have a deep sense of purpose and are true to their core values.
  8. Community. Today’s leaders need to be measured over and above the success of the company. They need to do for others and show involvement in their community.
  9. Courage. An effective leader must have the courage to see difficult situations through to the end and accept responsibility for the outcome of decisions.
  10. Selflessness. Leaders should be servants who facilitate the success of others. They spark action in others by seeing the value of others. In return, others start to think more highly of themselves and their abilities.

Today’s leadership training programs extend well beyond traditional classroom instructor-led activities. More resources are being allocated to a full spectrum of leadership learning initiatives.

  • Coaching. Often senior managers will serve as coaches to develop the capabilities of high-potential performers and help them achieve explicit workplace objectives and goals. Coaches have a vested interest in improving specific skills and interpersonal relationships that pertain to specific jobs because it impacts the company’s bottom line.
  • Action learning initiatives such as business challenges and simulations. Action initiatives enable trainees to jump right into the real world of upper management. Most business simulations are used for business acumen training and development. Learning objectives include strategic thinking, financial analysis, market analysis, operations, teamwork, and leadership.
  • Critical thinking and cognitive ability assessments. Administering these types of assessments will measure the learning capacity as well as the problem solving and decision making ability of an individual.

The bottom line is that the demand for quality leadership in the US and around the world is expected to far outpace the supply. Organizations should identify potential leaders and implement new and effective leadership training programs in order to stay competitive and improve the performance of both their people and the company.

Frank Myeroff is president of Direct Consulting Associates of Cleveland, OH.

Readers Write: For Small Practices, The Time Is Right for Business Intelligence

August 14, 2014 Readers Write 1 Comment

For Small Practices, The Time Is Right for Business Intelligence
by Matt Barron


Small medical offices are dealing with increased patient volumes, Meaningful Use, Accountable Care Organizations, ICD-10, and declining reimbursement. Accordingly, physicians are spending less time with patients and more time dealing with the noise that surrounds the business of medicine.

Many small practices already have a critical solution at hand — they just need a better way to access and use it. The solution is big data, a trendy term for all the digital information medical practices already have in the form of electronic health records, billing records, practice management information, and more.

The trick is that big data alone doesn’t do much, and until recently, the software that small medical practices need to turn all that data into meaningful business intelligence was too expensive and difficult to use.

Now business intelligence software is more advanced and ready to address the needs of small medical practices that have been wary of adopting cutting edge software because it was too costly and cumbersome.

Let’s take a look at a few ways BI software can help boost the financial health—and the quality of patient care—at small practices:

  1. Market segment analysis. To help practices find and generate more revenue, the latest software enables geographic analysis that determines where patients are coming from so practices can better target their marketing efforts.
  2. Claims management. Advanced tools make it simpler to increase first-time reimbursement capture and support follow through on denied and underpaid claims.
  3. Financial overviews. Financial overviews and details on the state of the practice are available in seconds with automatic comparisons to key performance indicators. Physicians can view revenue cycle performance, and find out how many days it takes to collect on accounts receivable. Armed with this information, they can institute best practices, make comparisons among various payers, and increase the overall productivity of their practices.
  4. Compliance support. The latest business intelligence software is designed to work with and address new requirements and regulations. It’s ICD-10 compliant and can be used to track progress toward demonstrating Meaningful Use and earning stimulus money.
  5. Individualized patient care. Physicians can create customizable health plans to manage patient conditions based on demographics, diagnoses, lab results, and more. They can check on whether the plans are being followed, automatically determining whether patients had their tests taken and viewing the results. By setting up alerts and reminders, physicians can also see which patients are most prone to a chronic disease, how many risk factors they have, and what actions can be taken to successfully manage the disease or avoid it altogether.
  6. Aggregate patient care. Physicians can track patient health trends over time and send reminders to patients automatically, providing medical advice and suggestions. On a broader level, the latest software makes it possible to uncover patient population trends and spot disease outbreaks, even determining by ZIP code which population segments are most at risk.

Today’s business intelligence software is more powerful, more affordable, more secure, and far easier to use.

Matt Barron is COE leader of business intelligence and consulting at ADP AdvancedMD of South Jordan, UT.

Readers Write: Make It Happen

August 6, 2014 Readers Write 4 Comments

Make It Happen
By Mike Carr


I’ve been in healthcare IT for more than 25 years. While I’ve known and appreciated the impact we have on people’s lives, I had a recent personal experience that made me see the impact of what we do firsthand and reminded me of why we do what we do.

Unfortunately, my mom suffered a severe stroke in June from which she never recovered. I was at the hospital with her for almost six days. During that time, I got to know the nursing staff, therapists, neurologists, and palliative care team pretty well. This was an amazing team of healthcare providers and the best I’ve seen in all my years in healthcare – every one of them. They all treated my mom like she was part of their family.

The entire palliative care team took the time to meet with our family to explain that my mom probably wouldn’t recover and the options we had. Almost everyone, including the chief neurologist, had tears in their eyes. This amazing group of people really cares about their patients.

During my mom’s remaining time in the hospital, all of her medical information, including any significant changes in her condition, was available to me whenever I asked. The EHR, PACS, etc. were all at her bedside.

On one occasion, when I requested that she get additional pain medication beyond the standing order, the nurse immediately entered the request into the system. The doctor approved it and entered the order from his mobile device and my mom had her medication from the medication cart in about five minutes. To make that possible, someone understood the importance of a patient getting pain medication quickly, reviewed the relevant processes, integrated those systems, developed the workflows, and implemented the technology to make it all happen. 

I think it’s important, on a daily basis, to keep in mind why we do what we do and our role in making it happen. The medication order example is just one small example of how we can help improve patient care, but it made a huge difference for my mom at the time. The recent experience my family and I had with this amazing group of healthcare providers and their ability to effectively use technology to make decisions and treat patients made a very difficult time a little easier.

Shortly after my mom passed away, someone sent me this. I think these are pretty good words to live by.  


– Regina Brett

The one thing I would add: and make it happen. By understanding the importance of what we do and its impact on patients and clinicians, we can take the steps to review the processes, integrate the systems, develop the optimal workflows, and implement the technology to make it all happen.

Mike Carr is director at Aspen Advisors of Pittsburgh, PA.

Readers Write: How to Actually Get Patients to Engage with a Portal

August 6, 2014 Readers Write 9 Comments

How to Actually Get Patients to Engage with a Portal
By Zach Watson


From increased interoperability requirements to percentage benchmarks for online patient usage of digital assets, Meaningful Use Stage 2 has several requirements that are making eligible professionals sweat. Let’s address the latter of the two.

From a high-level view, getting more than five percent of patients to download, transmit, or view health information online should be low-hanging fruit. But as the Mayo Clinic famously found out, simply creating this type of functionality doesn’t guarantee engagement. Of a reported 240,000 patients who signed up for portal accounts, fewer than 12,000 had actually logged in during 2013. In contrast, Nashville’s own Vanderbilt experienced significant success with getting patients to interact with their portal. During 2012, they reported 193,969 unique logins.

And for truly outrageous engagement numbers, one need look no further than Kaiser Permanente. A reported 4.4 million of Kaiser’s 9.1 million members use the online portal.

Meeting Stage 2 engagement requirements is doable. The disconnect arises from providers simply implementing technology without truly integrating it. Online portal access should be introduced in the context of the patient-physician relationship, not as an extra feature that patients can access should the compulsion strike.

Here are three actionable methods for crossing the five percent chasm:

  1. Get a mobile app. It’s well known that electronic health record functionality varies by product, so it’s natural that patient portal capabilities will too. Part of granting patients greater access to their medical records lies in the intuitiveness with which they can retrieve said information. If they are asked to type in a username and password from the web browser on their phone, it’s unlikely they’ll go through the trouble. Mobile applications are becoming standard across all business verticals because they are formatted for ease of use. If a patient portal doesn’t come with a mobile app for patients to download, the physician implementing it should demand one. Kaiser launched their mobile app in 2012. Patients downloaded it over 450,000 times last year.
  2. Do a walk-through. Patient satisfaction is inherently tied to interaction with the physician or other clinician. To create an environment in which patients will be receptive to new information, have a knowledgeable staff member walk patients through how to log in and use the portal. Explain the benefits of scheduling appointments and refilling prescriptions online. Perhaps even have the patients navigate the portal for 60 seconds or so to make sure they’re comfortable finding all the information. Will this affect clinic time? Yes. Will it help meet Stage 2 criteria? Absolutely.
  3. Create some marketing. It doesn’t have to be anything too spectacular, but some signs in the waiting room detailing the benefits of patient portals can certainly spark some interest from patients who are waiting.

This type of online access isn’t unexplored territory. Patients already enjoy this freedom with their bank accounts, credit reports, and so on. They want to be able to schedule appointments online. Make sure they know that they can.

Who knows, maybe they’ll download the app while they’re in the waiting room.

The key is to embrace patient portals – and other information technology for that matter – as a foundational element to the way healthcare works going forward. It’s already a reality. Patients simply need to be shown how easy it is to use.

Zach Watson is an analyst at TechnologyAdvice of Brentwood, TN.

Readers Write: Why Payers Are Seeking More Consumer “Likes”

August 6, 2014 Readers Write 1 Comment

Why Payers Are Seeking More Consumer “Likes”
By Scott Rotermund


It’s no secret that payers are not well liked among consumers. In fact, recent data shows that only seven percent of consumers trust their health plan, only slightly better than the likes of oil and tobacco companies.

Additionally — and maybe even more importantly — when looking for health advice, only 18 percent of consumers turn to their health plan, which is startlingly close to employers at 12 percent. With a reputation for being stuck in concrete towers locked away from the real world, health insurance companies are increasingly working to connect with consumers and up their likability.

In their defense, health insurance companies earned a sour reputation of being the evil ogre denying claims because of how the market defined their role. It was a check and balance in the clinical system of physicians prescribing care and health plans assessing the value of it.

Now, with the rollout of Obamacare — be it good or bad — the payer’s role has changed along with its business model. Health plans are looking at the entirety of their populations rather than those seeking treatment. That is going from the 15 percent of its population that is in the “sickcare” system at any given time to 100 percent of the population, a startling and overwhelming change.

This shift is driven by the moral and economical desire to 1) prevent people from sliding into the sickcare system by keeping them healthy, and 2) build brand loyalty to retain low risk members. Retention is a primary focus for health insurance organizations, as the health insurance industry is now similar to the car insurance industry. People can shop around and receive premium reductions for good health just as they do for good driving. Innovating and transforming the customer experience is more important than ever as consumers are empowered to choose the payer of their choice.

How does an entire industry change its reputation from being the school principal to class president? It starts by building an emotional connection and providing something that genuinely impacts their life. It’s not passing out free one-size-fits-all t-shirts, but connecting with consumers on an individual level and getting them to take action.

Playing a more active role in optimizing consumers’ health is a huge leap for payers and inherently may not be immediately welcomed by consumers. Here are some down and dirty tips for health plans looking to become the cool kids in healthcare:

  • You can’t appease the masses. Take a personalized approach to supporting consumers in achieving their health and wellness goals. Similar to what we are seeing in the clinical setting with personalized medicine, personalized healthcare will have a greater impact and better results. This is challenging when you are managing a population of millions, which leads into the next tip.
  • If it works … partner with it. Some national plans have allocated millions into wellness and prevention programs and have not seen significant uptake. Take a page from cross-industry collaborations like Apple and Mercedes and forge partnerships with companies that already have the asset or relationship you are looking to build: companies that have a consumer mindset and can deliver an experience that may be outside a health plan’s expertise. Today’s on-demand, multi-mobile consumer expects to have a solution that speaks directly to them, about them. By leveraging a health optimization platform to deploy a personalized, interactive experience, payers have an effective and efficient way to support consumers in improving their health. Plus, a true integration platform will allow payers to plug in existing programs such as video health coaches or other digital resources so those investments to date pay off too.
  • Provide optimal rewards for optimal health. While one may assume that it’s human nature to take care of yourself, it’s been proven that incentivizing consumers for healthier behaviors pays off for everyone. In a recent survey, 96 percent of consumers said they would be healthier if rewarded. From premium reductions to badges, incentive-based tools can be the extra motivation consumers need to make a healthy choice or address chronic decisions. Payers can build a more “rewarding” relationship with consumers by celebrating both participation and outcomes with their members.

These activities are helping payers power up their relationship and the health of their population. Consumers will soon view their insurers as health advocates guiding them through an increasingly complicated healthcare system and toward a healthier way of life. 

Scott Rotermund is co-founder and chief growth officer of Welltok of Denver, CO.

Readers Write: From Rice Fields to Big Data

July 30, 2014 Readers Write 1 Comment

From Rice Fields to Big Data
By Ping Zhang


My journey into technology was a long road. The first 15 years of my life were spent in the Hunan province in rural southern China. My family had no running water, and more often than not, we went to bed hungry.

At five, I started working with my father in the rice paddies. I planted rice seeds while my father manually built rice rows and dug irrigation canals. Everything was done by hand. It wasn’t until I was 11 that I saw my first technological advancement — a tractor — on my way to school.

At age 15, I rode on a train for the first time on my way to college. It was only then that I realized the promise of technology and how it could save my father’s back and hands from the brutal years of manual labor.

My passion for mathematics helped me earn my bachelor’s degree at 19 in China. After the 1989 events in Tiananmen Square, I decided to try to migrate to the United States. In 1990, I landed in Fayetteville, Arkansas with only my bags and a hundred American dollars to pursue my PhD at the University of Arkansas at Fayetteville. My wife followed soon after.

Eighteen months after moving to the US, I had my first experience with the American healthcare system. Early one Friday evening in 1992, my wife suddenly felt a sharp pain in her stomach. We rushed to the emergency room. We waited and waited – and waited some more. Three hours later, she was finally seen by an OB/GYN doctor.

It turned out that she had an ectopic pregnancy. She had been pregnant, but the fertilized egg had become lodged in one of her Fallopian tubes. Two liters of blood had accumulated as she waited for treatment. She had come close to losing her life.

The next day, the doctor cleared her for discharge with a clean bill of health, leaving us with a bill of a few thousand dollars. One of her Fallopian tubes had been torn open and the other had become so clogged with lost blood that it would likely permanently block any egg. We were told the chances of her ever having a child were slim.

The experience was shocking, scary, and life altering. Thankfully, after years of infertility treatments, she was able to give birth to two beautiful boys.

That horrible experience was over 20 years ago, but I still remember it like it was yesterday. Part of the reason is that I have spent many of those past 20 years working within the healthcare system to change it myself. I want to share three key lessons I have learned over this long journey.

The quality of healthcare is too low

The state of service in American healthcare is far below where it needs to be and where it could be, especially with its skyrocketing costs. But what if our healthcare system operated under a free competition model, much like the retail industry? No department store would ever have its customers regularly wait for hours in line to buy its products – because no one would go to that store any more (and they would book it in the other direction with haste).

Under a similar system for healthcare, providers would have to work much harder and more effectively to attract and adequately serve consumers. Open competition would lead to greater efficiency, lower cost, better quality of service, and more choices for consumers.

More innovation and disruption

Innovation and disruption must be encouraged. Over the past two decades, I learned about the underlying principles of world-class innovation from Silicon Valley. I had mentors who constantly encouraged me to break out of the box, experiment, and try something new and different. Healthcare is clearly not where it should be. We must find a better solution for something as vital to societal and individual wellbeing. Healthcare still needs a Steve Jobs and Apple-like innovation revolution to make it more clinically effective for the consumer and cost effective for all.

For example, what would healthcare look like if we could receive updates and monitor our health through a Fitbit device or health app the same way we receive ESPN notifications on an iPhone today? What if technology motivated us to pay the same amount of attention to our health as we do with our social media networks, and with the same ease? These are the simple concepts that will help us all live longer and save hundreds of lives.

Top-down is not enough; consumers need to become more invested

Consumers themselves must do more to control their own outcomes. As an immigrant to the US, I knew that I had to work much harder than my peers to succeed. Consumers today should adopt a similar drive and approach to their health. Rather than waiting for doctors to treat and prescribe “fixer” medications, we need to work more diligently to lead healthier, more proactive lifestyles – and we have the information and technology to do so at our fingertips.

What was once monopolized by professionals with years of training (and extremely costly) is now available at the nearest Best Buy or app store for just a couple of hundred dollars — or nothing at all. Look to wearable biometric devices as an example; those gadgets can accurately monitor an individual’s health, diagnose risky behaviors based on behavioral research from big data findings, and provide information on how to live a healthier, lower-risk life.

I am thrilled that my sons get to reap the benefits of a wonderfully innovative country that is slowly, but surely, transforming its healthcare system for the better. Sooner rather than later, as my boys grow into husbands and fathers, we will move past the times when emergency care is almost as painful as the medical ailment that necessitates the visit. And if we don’t, we’re doing something very wrong.

Ping Zhang, PhD is SVP of product innovation and chief technology officer of MedeAnalytics of Emeryville, CA.

Readers Write: 20th Century Man

July 30, 2014 Readers Write 4 Comments

20th Century Man
By Barry Wightman


"I work in healthcare during the day, then I go home to the 21st century."

Dave Levin, MD, founder/CEO of Tres Rios Group (@DaveLevinMD), uttered these stinging words at last week’s OnBase + Epic User Forum in Cleveland. Thanks to our friends at Nordic Consulting (@Nordicwi), who tweeted this in real time on the jungle network, raising, I’m sure, a knowing smile on many a grey-haired regular Joe technology type such as myself in health IT-land. Now, I’m not here to comment on Dr. Levin’s presentation, but with that tasty, snarky comment, he hit on something I’ve been wanting to get off my chest for a while now.

It’s all déjà vu all over again.

And it starts with an old Kinks song.

No, really.


Good old Ray Davies, on the fine Muswell Hillbillies elpee of 1971, sang, “I’m a 20th century man but I don’t want to be here….” (cue chiming guitars and thumping drums.)

And here we are in healthcare’s 2014 and those words still ring true. And we’re faced with vast data centers that don’t interoperate well, processes and workflows that haven’t changed much since, well, let’s say the ‘90s.

Some folks complain about EHRs, saying they’ll never work – which is like attacking the telephone as a useless gadget in 1910. Yes, healthcare is conservative, slow to change, and it is a vast, terribly complex industry. But still.


See, I come out of the high-end computing and communications world of the last 40 years and we all know about the technology revolutions that came out of that time.

And it all had to do with the decentralization of power.

Power to the people.

Here’s what happened:

  • Big iron, mainframe computing was overthrown, or, at least changed forever by personal computing. The data center data processing IT gatekeepers of the ‘60s/’70s, the men in the white coats (not docs) lost their complete control. Big mainframe data centers were then called “glass houses” – complex and unknowable, sealed safely away from the actual user rabble. Then user peasants with pitchforks began throwing rocks.
  • Distributed processing was invented in the ‘70s/‘80s – in which mini computers and personal computers were bought by company departments, who, fed up by the long delays and general stick-in-the-mudness of corporate IT, took matters into their own hands. Lotus 1-2-3! Excel! WordPerfect! Soon, IT was surrounded. Some bit of chaos ensued. Luddites were outraged.
  • Interoperability became an issue. Can I get my 1980s IBM 3081 mainframe or Cray supercomputer to talk with all these blazingly fast minicomputers and those crazy PCs and their newfangled servers? Can I get this application to communicate with that application on a batch or maybe even real-time basis? Will this data jibe with that data? Oh man. There was even a huge Silicon Valley trade show called Interop. Big business. You can look it up.

And, over time, it all began to work. Standards emerged: TCP/IP, the Open Systems Interconnection (OSI) Model, designed to facilitate application-to-application communications. Forums and user groups were founded. Requests for comments solicited. Hardware and software vendors cooperated. Open systems mostly won. Proprietary systems mostly lost. Not bad.

And new business empires were built. Microsoft, Cisco, Apple, and an endless army of startups who followed in their wake disrupted markets as they went, changing the world.

Fast forward to now. Healthcare. We’ve been there before.

Thing is we’re still there. Maybe about 1990. EMR/EHR monsters have emerged: Epic, athena, Cerner, et al. The big payors – you know the list. Crazy startups in new markets are bubbling under – population health, mhealth. And there are user revolutionaries out there – visionary clinics and system departments who are moving ahead on their own, confounding CIOs and IT (with whom I have much sympathy – which reminds me of another old tune).

And just like in 1990, with the World Wide Web just around the corner, then gestating in gov, mil, and edu domains, everything changed.

And we won’t have to live in the 20th century with the Kinks. (Not that that’s a bad thing.)

And Dr. Dave Levin will be happy.

And so will we.

It’s gonna happen.

Barry Wightman is VP of marketing of Forward Health Group of Madison, WI and the author of Pepperland.

Readers Write: Bench, Bonus and Bondage: The Sorry Side of IT Consulting

July 23, 2014 Readers Write 3 Comments

Bench, Bonus and Bondage: The Sorry Side of IT Consulting
By Mike Lucey


If I could lose 20 pounds, I would be ready to model swimwear. That’s a nasty image for those who know me, but if I were serious, hiring a personal trainer would make sense. Or better yet, a personal exerciser!

Why not both? One person to tell me what to do and another to go and do it. I might not get the results I want, but much less effort. Think of what I would save in sneakers and tee shirts!

This wacky logic seems to be in play in our industry when it comes to hiring consultants. When I moved into consulting, it was because I figured I had some unique smarts and skills that a hospital would need. Once my smarts became their smarts or my skills were no longer needed, off I would go to the next guy. For this I would get a nice rate and the fun of doing new projects.

But what I am finding is hospitals have some consultants who offer guidance, and then other “consultants” who do the work, work that hospitals really need to be doing themselves. Part of why this happens can be found in the way consulting companies can market their services.

Bench: To start a consulting company, scrape up a pile of resumes, format them nicely, and throw them at every hospital problem you hear about until some of them stick. Now you have consultants working. As these consultants roll off projects, they go to the Bench. Yikes! Good news: you now have consultants ready for the next project. Bad news: every hour they sit on the bench they cost money (until you pull the bench out from under them). A way companies can lighten the bench is to give bonuses to the consultants that are still working to find work for the benchwarmers.

Bonus: Let your working consultants know that they will get a bonus for every benchwarmer they place. This is where the worm turns. Now those consultants you hired to solve a problem are to some degree degraded or distracted by the incentive to be a sales guy. The inclination to teach a hospital employee how to solve the next problem conflicts with an inclination to pull in a colleague from the company. Good for these companies, maybe not so good for the hospital.

Bondage: With each additional placement, each incremental bump in the billable hours (and bump in that bonus income), the idea of ending the engagement becomes more ugly and the motivation to extend more attractive. It is stressful to see a project end and face the uncertainty of the next job, stress that is magnified with the addition of each colleague and the bonus income they represent. Suddenly maintaining my value as a smart guy may depend on maintaining a certain amount of client ignorance and so client dependence – knowledge bondage.

This is how you end up with a consultant who is not just the captain of your hospital softball team, but the batting champ three years running.

We consultants have a great part to play as our industry continues to change. We bring real value helping hospitals make decisions, helping them act on those decisions, and providing resources when big projects need extra hands. That value is based on smarts, skills, and experience that hospitals don’t yet have, but can gain with our input. 

When that value wanes, not to worry — I’m off to the next project. Or I always have the modeling gig to fall back on. (note to self: find my Ab-Master.)

Mike Lucey is president of Community Hospital Advisors of Reading, MA.

Readers Write: Is DIY Network Security a Good Idea?

July 23, 2014 Readers Write No Comments

Is DIY Network Security a Good Idea?
By Jason Riddle


Patients and clients count on healthcare providers, payers, and business associates to protect their electronic health records. For optimal care, patients need to feel comfortable divulging personal information that could cause them injury—financially, emotionally, and/or physically—should it be illegally accessed or corrupted by hackers or malware.

Additionally, covered entities are required by HIPAA/HITECH laws to maintain a certain level of network security. Violation of these regulations could result in stiff fines, a disruption in operations, and a general loss of goodwill among the people who do business with them.

Many small to medium-sized organizations are managing some if not all of their network security on their own. Here is one question they often ask:

Do we have enough protection for our patients’ data, or do we need to hire outside professionals to do the job for us?

While there is no right or wrong answer to this, there are a few factors that need to be considered.

HIPAA/HITECH was designed with built-in flexibility so that organizations could make their own decisions about their level of investment in network security. For example, a large organization may choose to hire an outside cyber security firm to monitor their networks around the clock, but a three-person doctor’s office might be hard pressed to put such an aggressive solution in place. Office for Civil Rights (OCR) auditors who are responsible for monitoring HIPAA compliance recognize that organizations of various sizes make decisions based on practical restraints.

As covered entities make decisions for (or against) increasing security, the reasoning and conclusions should systematically be written down. OCR auditors generally take into consideration all well-documented justification.

One way to think about whether or not to hire an outside vendor to assist with network security is to recognize that a solution doesn’t have to be all or nothing. For example, some companies will hire an independent third party to conduct an initial security risk analysis. This gives them the objectivity where it counts—identifying vulnerable areas and obtaining guidance on how to address them.

Once the fix-it plan is set, the internal IT team can assume the responsibility of maintaining the network’s security from there on out. This hybrid solution can oftentimes save money. Cyber security professionals will likely identify problems faster and provide guidance to tools that are both free and/or low cost.

If an organization is committed to a DIY network security solution — whether starting out with the help of professionals or taking it all on independently — it takes more than someone who is just an IT whiz to manage a network security program. There are six main areas that a security officer must be well versed in to carry out the required responsibility:

  1. Understanding HIPAA compliance. A security officer must understand the HIPAA/HITECH regulations and what compliance really means. This includes (but is not limited to) regular security risk analyses, documenting all security measures, and reporting any breaches that may have occurred.
  2. Securing the data. Firewalls and antivirus software are a must, but that’s just the minimum. Some of the other areas to be addressed are data encryption, regularly scheduled reviews of all logs (on the firewall and the server), restricted access, and regular data backups.
  3. Securing the facility and equipment. Physical access to computer equipment must be controlled at all times. Doors to the server room should be locked. When appropriate, screens should be protected from nosy passers-by. The security officer should have an eye for the logistics of the facility and areas that might pose a risk to keeping patient data secure.
  4. Monitoring mobile access. Decisions need to be made about how employees are able to access data from mobile devices. Types of data that can be obtained wirelessly might need to be limited, and employees will need to be aware of the whereabouts of their mobile devices at all times.
  5. Training the staff. A lot of security breaches are the result of human error. Everyone in the organization needs regular reminders that they are handling sensitive data and to be aware of actions they might be taking to jeopardize it.
  6. Understanding relationships with business associates. Responsibility for protecting client and patient data extends to everyone that has access to it. If a third party does the billing, for example, it’s critical that they are compliant as well.

A DIY network solution for healthcare organizations is not necessarily a bad idea. But it does need to be a well thought out one. Patients and clients are counting on it.

Jason Riddle is practice leader with LBMC Managed Security Services of Nashville, TN.

Readers Write: EMR vs. EHR

July 23, 2014 Readers Write 2 Comments

By Steve Blumenthal, JD


HIStalk has asked me to explain the difference between an EMR (electronic medical record) and an EHR (electronic health record). Clearly, HIStalk needs to get out more. But I’m a nerdy lawyer and analyzing defined terms ranks up there with reading blogs about who’s being cast in the “Star Wars” reboot.

Let’s start with the source of most healthcare IT terminology, the feds—specifically, ONC. ONC’s website (healthIT.gov) says that an EMR is “a digital version of a paper chart that contains all of a patient’s medical history from one practice.” On the other hand, an EHR is “a digital version of a patient’s paper chart.” So, clearly an EMR and EHR are differ…. Wait a sec. Is it me, or do those definitions look remarkably similar?

I think I’ve figured it out. An EMR and EHR are both a digital version of a patient’s paper chart, but an EMR only has one practice’s patient chart. So, if I never see a physician other than my internist at Vanderbilt, Vandy’s electronic record system is an EMR with respect to me. However, my daughter has seen two doctors in different practices within Vandy’s health system, so Vandy’s electronic record system would be an EHR (not an EMR) with respect to her. No, that can’t be right.

Wait, ONC has more to say. An EHR is “more than just a computerized version of a paper chart in a provider’s office.” Whew, that clears up everything. An EHR is more than an EMR. Now I can go home and finally hang the curtains in the guest bedroom.

On second thought, that didn’t clear up anything. The curtains will just have to wait another year.

“EHR systems are built to share information with other health care providers and organizations—such as laboratories, specialists, medical imaging facilities, pharmacies, emergency facilities, and school and workplace clinics—so they contain information from all clinicians involved in a patient’s care.” I think we’ve found something. “Built to share information” is the key. I feel an analogy coming on.

An EMR is an earthworm, a useful creature that burrows into the earth, carrying organic material down into lower levels, breaking down dead plant material, and aerating the soil. But an earthworm is not transformative. Its life is spent toiling in the soil as an earthworm (and usually ending underneath a person’s shoe or in a bird’s gullet). On the other hand, an EHR is a caterpillar, a worm-like larva that will eventually transform into a beautiful butterfly (or somewhat less attractive moth or fruit fly). An EHR is designed for great things—collecting and distributing data from EMRs and other sources like butterflies cross-pollinating fields of flowers.

The difference between an EMR and an EHR isn’t what they are today. Let’s face it, given the interoperability issues with most EHRs today, they’re pretty much toiling in the same soil as EMRs. The difference lies in what an EHR is designed to become. That’s why the “Base EHR” definition in ONC’s EHR certification regulations says that an EHR must, in addition to including patient health information, have the capacity to do more—to provide clinical decision support, support physician order entry, capture and query information relevant to health care quality, and exchange electronic health information with other sources.

It’s actually kind of inspirational when you think about it. If you’ve got a kid, you’ve read “The Very Hungry Caterpillar.” Sure, the caterpillar eats a couple tons of food that could otherwise have been used to feed impoverished children, but then he spins a cocoon and, a short time later, becomes a beautiful butterfly. So maybe we’re spending a lot of resources on EHRs right now, but the payoff will be amazing in the end.

Unfortunately, the process of changing from a caterpillar into a butterfly is, well, disgusting. As “Scientific American” puts it, “First, the caterpillar digests itself, releasing enzymes to dissolve all of its tissues. If you were to cut open a cocoon or chrysalis at just the right time, caterpillar soup would ooze out.”


(For those of you wanting to double-check me on my quotes from ONC’s website, see here and here.)

Steven E. Blumenthal is an attorney with Bone McAllester Norton PLLC of Nashville, TN.

Readers Write: Medication Electronic Prior Authorization, the Next Big Thing for EHRs

July 16, 2014 Readers Write 3 Comments

Medication Electronic Prior Authorization, the Next Big Thing for EHRs
By Tony Schueth


Electronic prescribing (ePrescribing) has surpassed the tipping point, where more prescriptions are being written electronically than on paper. Now the industry must start thinking about the next big thing that will take ePrescribing to the next level and address one of healthcare’s most inefficient processes: prior authorization (PA) of prescriptions.

With ePrescribing considered table stakes in an electronic health record (EHR), software developers should be thinking about innovations that will take ePrescribing from a humdrum utility to a must-have. Electronic prior authorization (ePA) for the pharmacy benefit offers that innovation opportunity.

EPA is the #1 ePrescribing capability desired by physicians, according to market research conducted by NCPDP’s ePA Task Group. In order to foster a standardized approach to satisfy this demand, NCPDP approved an electronic data interchange (EDI) standard for ePA last year.

By design, the ePA transaction can be integrated with the EHR ePrescribing work flow, enabling prescribers to complete the prior authorization process within two minutes as compared with the manual process, which involves many phone calls and faxes that can take days to weeks to complete (15 days, on average). Considering that specialty medications dominate the drug pipeline and require prior authorization up to 95 percent of the time, the need for ePA is urgent.

Seven states have mandated the use of ePA beginning in late 2014 and eight others are engaged in ePA regulatory activity. In May, the National Committee on Vital Health Statistics (NCVHS) recommended that the Department of Health and Human Services adopt the NCPDP transaction as the standard for medication PAs. NCVHS recommendations regarding ePrescribing and related transactions often become requirements for payer participation in Medicare Part D.

The coming regulatory mandates afford EHR vendors the opportunity to be ahead of the curve. Rather than scrambling to meet multiple state regulatory deadlines at the last minute, vendors can take advantage of the interval between Meaningful Use (MU) Stages 2 and 3 to begin development of ePA functionality while there is still breathing room to concentrate on work flow enhancements.

The availability of ePA may sway some physicians in their EHR choice. Recently, Surescripts found that 28 percent of physicians surveyed would switch their EHR for one that supports ePA. While this percentage may be exaggerated based upon a single feature, there is no question that a robust replacement market for EHRs exists. Many physicians are looking to transition from early purchases of basic EHRs to more sophisticated solutions.

EDI networks such as Surescripts have begun offering ePA connectivity, while such established ePA services vendors as CoverMyMeds have introduced APIs to ease EHR integration. Some service providers offer connectivity for all ePAs – even if a pharmacy benefit manager or other payer isn’t electronically enabled, electronically initiated ePAs are delivered via fax.

The time is right. EPA is a logical and useful enhancement that physicians desire. A transaction standard that ensures compatibility is in place. Regulators are beginning to mandate its use. The number of PAs is growing. EDI networks and service vendors are eager to ease integration.

With the rare opportunity posed by the MU Stage 2 delay, vendors can roll out a new feature that is a “win-win-win-win” benefit for physicians, patients, payers, and EHR vendors.

Tony Schueth is founder, CEO and managing partner at Point-of-Care Partners of Coral Springs, FL.

Readers Write: Data Exchange with C-CDA: Are We There Yet?

July 16, 2014 Readers Write 8 Comments

Data Exchange with C-CDA: Are We There Yet?
By Brian Ahier


Do you think you have all the interoperability criteria to meet current and future stages of the EHR Incentive Programs? A new study published in JAMIA found that most providers don’t.

The study concluded that providers likely are lacking critical capabilities. It found that some EHR systems still don’t exchange data correctly using Consolidated Clinical Document Architecture (C-CDA), which may prevent providers from receiving future Meaningful Use (MU) incentives.

After sampling several platforms used to produce Consolidated Clinical Document Architecture (C-CDA) files, the research team from the Substitutable Medical Applications and Reusable Technology (SMART) C-CDA Collaborative — funded by the ONC as part of the SHARP research program — found a number of technical problems and obstacles which prevented accurate data exchange between different EHR systems.

There is already wide-scale production and exchange of C-CDA documents among healthcare providers this year due to the EHR incentive program and for meeting Meaningful Use requirements. Indeed, live production of C-CDAs is already underway for anyone using 2014 Certified EHR Technology (CEHRT). C-CDA documents enable several aspects of Meaningful Use, including transitions of care and patient-facing download and transmission.

Stage 2 Meaningful Use requires that providers be capable of producing C-CDA files, which contain both machine-readable and human-readable templates used to exchange patient data between EHRs during transitions of care. While all 2014 CEHRT must have the ability to create these files, some vendors are unfortunately not using the basic XML and HL7 technology correctly.

To find out how these variations affect providers and their participation in Stage 2, the researchers sampled 107 healthcare organizations using 21 EHR systems. They examined seven important elements of the documents: demographics, problems, allergies, medications, results, vital signs, and smoking status, all of which are required to be included in the C-CDA for Stage 2. They found errors in the XML that conflicted with HL7 standard usages, rendering the document ineligible to meet the Stage 2 rules for interoperability.

One key takeaway from this research is that live exchange of C-CDA documents is likely to omit relevant clinical information and increase the burden of manual review for provider organizations receiving the C-CDA documents. Common challenges included omission or misuse of allergic reactions, omission of dose frequency, and omission of results in interpretation. Unfortunately, only some of these errors can be detected automatically.


The team found 615 errors and data expression variation across 11 key areas. The errors included “incorrect data within XML elements, terminology misuse or omission, inappropriate or variable XML organization or identifiers, inclusion versus omission of optional elements, problematic reference to narrative text from structured body, and inconsistent data representation.”

"Although progress has been made since Stage 1 of MU, any expectation that C-CDA documents could provide complete and consistently structured patient data is premature," the researchers warned. The authors also note that more robust CEHRT testing and certification standards could prevent many of these troubling errors and variations in the technology and that the industry may also benefit from the implementation of data quality metrics in the real-world environment.

The researchers recommended several steps to improve interoperability: providing richer, more standardized samples in an online format; requiring EHR certification testing to include validation of codes and vocabulary; reducing the number of data elements that are optional; and improving monitoring to track real-world document quality.

The researchers make the case for using a lightweight, automated reporting mechanism to assess the aggregate quality of clinical documents in real-world use. They recommend starting with an existing assessment tool such as Model-Driven Health Tools or the SMART C-CDA Scorecard. This tool would form the basis of an open-source data quality service that would:

  • Run within a provider firewall or at a trusted cloud provider
  • Automatically process documents posted by an EHR
  • Assess each document to identify errors and yield a summary score
  • Generate interval reports to summarize bulk data coverage and quality
  • Expose reports through an information dashboard
  • Facilitate MU attestation
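The document-assessment step of the service described above, as an added example that is neither the SMART C-CDA Scorecard nor any project's code: a small Python checker that looks for the seven Stage 2 data areas and three of the common omissions named earlier (allergic reactions, dose frequency, result interpretation) in a constructed, simplified document. The section LOINC codes, the smoking status code and the entry shapes it expects are assumptions, not taken from the study.

```python
"""Added example (not the SMART C-CDA Scorecard): a minimal C-CDA quality check
that flags missing Stage 2 sections and common entry-level omissions."""
import xml.etree.ElementTree as ET

NS = {"h": "urn:hl7-org:v3"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
SECTIONS = {  # section LOINC codes, assumed to match the C-CDA section templates
    "problems": "11450-4", "allergies": "48765-2", "medications": "10160-0",
    "results": "30954-2", "vital signs": "8716-3", "social history": "29762-2"}
SMOKING_STATUS = "72166-2"  # assumed LOINC code of the smoking status observation

def assess(xml_text):
    """Run the checks; return (errors, score), score = percent of checks passed."""
    root = ET.fromstring(xml_text)
    checks, errors = 0, []

    def check(ok, msg):
        nonlocal checks
        checks += 1
        if not ok:
            errors.append(msg)

    # Demographics live in the header, not in a body section
    check(root.find(".//h:recordTarget/h:patientRole/h:patient/h:name", NS)
          is not None, "demographics: patient name missing")
    by_code = {}  # LOINC code -> <section>
    for sec in root.iterfind(".//h:section", NS):
        code = sec.find("h:code", NS)
        if code is not None:
            by_code[code.get("code")] = sec
    secs = {name: by_code.get(loinc) for name, loinc in SECTIONS.items()}
    for name, sec in secs.items():
        check(sec is not None, f"{name}: section missing")
    if secs["allergies"] is not None:
        # The allergy observation (the one with a participant) should carry its
        # reaction through an entryRelationship of typeCode MFST (assumed shape)
        for obs in secs["allergies"].iterfind(".//h:observation", NS):
            if obs.find("h:participant", NS) is not None:
                check(obs.find("h:entryRelationship[@typeCode='MFST']", NS)
                      is not None, "allergies: reaction omitted")
    if secs["medications"] is not None:  # frequency is a PIVL_TS effectiveTime
        for sa in secs["medications"].iterfind(".//h:substanceAdministration", NS):
            check(any(t.get(XSI_TYPE) == "PIVL_TS"
                      for t in sa.findall("h:effectiveTime", NS)),
                  "medications: dose frequency omitted")
    if secs["results"] is not None:
        for obs in secs["results"].iterfind(".//h:observation", NS):
            check(obs.find("h:interpretationCode", NS) is not None,
                  "results: interpretation omitted")
    if secs["social history"] is not None:
        check(any(c.get("code") == SMOKING_STATUS for c in
                  secs["social history"].iterfind(".//h:observation/h:code", NS)),
              "smoking status: observation missing")
    return errors, round(100 * (checks - len(errors)) / checks)

# Constructed, simplified sample: no vital signs section, an allergy with no
# reaction, and a medication with a date range (IVL_TS) but no frequency
SAMPLE = """<ClinicalDocument xmlns="urn:hl7-org:v3"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><recordTarget><patientRole>
<patient><name>Sample Patient</name></patient></patientRole></recordTarget>
<component><structuredBody>
<component><section><code code="11450-4"/></section></component>
<component><section><code code="48765-2"/><entry><act><entryRelationship>
<observation><participant/></observation></entryRelationship></act></entry></section>
</component><component><section><code code="10160-0"/><entry><substanceAdministration>
<effectiveTime xsi:type="IVL_TS"/></substanceAdministration></entry></section></component>
<component><section><code code="30954-2"/><entry><organizer><component><observation>
<interpretationCode code="N"/></observation></component></organizer></entry></section>
</component><component><section><code code="29762-2"/><entry><observation>
<code code="72166-2"/></observation></entry></section></component>
</structuredBody></component></ClinicalDocument>"""

if __name__ == "__main__":
    errs, score = assess(SAMPLE)
    print(f"score {score}%, {len(errs)} errors", *errs, sep="\n  ")
```

The score is only as good as the checks behind it; the study's point that many errors (terminology misuse, for instance) cannot be caught automatically still applies.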

"However, without timely policy to move these elements forward, semantically robust document exchange will not happen anytime soon," the authors stated. “Future policy, market adoption and availability of widespread terminology validation will determine if C-CDA documents can mature into efficient workhorses of interoperability,” the report concludes. It would seem that if policy changes are not put in place, there could be risk in the Meaningful Use program not actually being all that meaningful.

This month CMS released the proposed 2015 Physician Fee Schedule. Among other things, it includes proposals to revise the physician supervision requirements for Chronic Care Management (CCM) services and proposes to require CCM practitioners to use EHRs certified to meet at least the 2014 Edition Meaningful Use criteria, which require the ability "to capture data and ultimately produce summary records according to the HL7 Consolidated Clinical Document Architecture standard."

Since this new proposed rule includes expanding the use of the certification program beyond Meaningful Use and specifically mentions the C-CDA standard, I thought I would ask Joshua Mandel, one of the authors of the study, for his thoughts.

"It’s not too surprising that CMS’s efforts to improve chronic care management would build on Meaningful Use requirements," he said. "In the section you’ve quoted, CMS is simply saying that Eligible Providers would need to use MU-certified systems (just as they must use MU-certified systems to attest for MU incentive payments). And so C-CDA capabilities come along for the ride in that decision. I can certainly say C-CDA is better than nothing; and C-CDA 1.1 is a specification that exists and has been implemented today, so it’s a natural choice here."

While there are challenges in implementing and making good use of C-CDA documents, there is little doubt that HHS is continuing to drive the use of these standards forward through various policy levers. The ability to exchange relevant clinical information for transitions of care is a key enabler in transforming our healthcare system to paying for quality instead of quantity.

Despite these challenges, we are beginning to see success in the marketplace. Building on this success and continuing to improve content standards is critical if true interoperability is to become a reality.

Brian Ahier is director of standards and government affairs for Medicity, A Healthagen Business of Salt Lake City, UT.
