Advisory Panel: HIMSS conference, ransomware

March 23, 2016 Advisory Panel 1 Comment

What were the most interesting things you learned or saw at the HIMSS conference?

  • I met a number of CIOs from hospitals and health systems that either have already completed or were in the process of implementing Cerner financial and ambulatory products to result in integrated clinical and financial systems across inpatient and ambulatory. Cerner appears to continue gaining momentum and building some critical mass in their competition with Epic. VNA products continue to develop nicely. It appears there are good product options that are positioned to upset the traditional, monolithic PACS products.
  • I did not attend the HIMSS conference this year. If I attend the one in Orlando next year, it would be merely to see how off the wall they can be and how obscene and disconnected from the reality of practicing medicine today they have become. HIStalkapalooza may be the only reason for even flying there or paying for a hotel room since they are not even offering CMEs.
  • I was mostly impressed with the booths downstairs and in the side rooms. I saw some interesting applications of big data analytics finally starting to bloom. Check out Ayasdi (I have no relationship with their company). Generally it felt like there was a lot less energy and excitement than in previous years. I saw very few of my provider-side colleagues — mostly just vendors talking to other vendors (or consultants).
  • I focused on meeting with clinical decision support vendors and several that are building CDS data analytics tools, e.g., LogicStream, Stanson Health, MedCPU, Zynx, Appervita, Wolters Kluwer. Seems everyone is trying to figure out how to create some sort of dashboard that can help organizations manage their CDS alerting process. So many organizations have turned on way too many alerts and no one wants to, or perhaps is able to, make the decision to turn off excessive alerts that are overridden upwards of 95+ percent of the time. We really need to get this fixed soon or everyone will be ready to shoot their EHRs. LogicStream and Stanson Health’s data analytics platforms are both outstanding. Both appear to capture a significant amount of the data and display it in several different and useful ways. Stanson also offers their clients actual CDS content, whereas LogicStream is just the analytics platform. I heard several people asking Stanson to just sell them their analytics platform, but so far they only want to sell content and you get the platform to help you manage their content.
  • I spent the pre-conference day at the EHR-related patient safety symposium sponsored by AQIPS and ECRI among others. It was interesting to hear everyone talking about EHR-related safety issues and what we need to do to improve EHR safety. Seems that most orgs are still struggling with basic implementation and utilization and only the very mature orgs are worried about EHR-related safety. Heard a good talk by Joe Schneider on ways to avoid and manage EHR downtime that focused heavily on the ONC’s SAFER guides. If the ransomware problem doesn’t kill the EHRs, then I think EHR-related safety issues will become much more important over the next five years.
  • I didn’t go to HIMSS — it is less and less valuable each year. One long-time colleague went to his first this year and doesn’t plan to return.
  • Disappointing meeting — poor topics of education, too many vendors with tchotchkes, lack of enthusiasm for educational aspects and more towards having fun in Vegas was our perception.
  • I didn’t go to HIMSS and really haven’t heard anything (other than your posts, of course) about it from others, including vendors. I get the feeling that I didn’t miss a lot this year.
  • Population health is starting to fall into some discrete strategies, with products to match. I expect the diffuse "population health" to become several more discrete somethings like "narrow network strategy," "quality management (analytics and registries)," etc. Still looking for someone who really does it well. Interestingly, there were a lot of people talking about serious security, which I thought was excellent. About dang time. Also, many organizations with a real cloud model getting traction with hospitals. When asked, it seems that the hospitals figure the data may well be safer with the vendor than with their own systems. Good way to get rid of liability is to not have the data stored on site?
  • The most interesting thing I saw was AccendoWave at the AT&T booth. In short, the equivalent of a thermometer for pain (based on EEG waves detected through a non-invasive headband). Even if you only differentiate drug seekers and malingerers from legitimate pain, that’s some great tech. I’m not sure what the most interesting thing I learned was. I got through about 19 hours of the education sessions this year, most of which had CME attached and were legitimate rather than vendor pitches, for which I was grateful.
  • I suppose the most entertaining things I learned might be worth mentioning: Halamka really emulates Steve Jobs and is almost as invested in brinksmanship as Eric Topol. Presenters from academic centers have an incredible degree of hubris and a pride in their “big data” volumes that is astounding. I guess “big” is a matter of perspective, but come on, folks, you’re talking about having data from one or a few facilities.
  • Themes this year seemed to be: usability, patient engagement, population health, and analytics/BI/big data. It was almost humorous how many different vendors were pitching solutions for “population health” and “value-based reimbursement” all doing different things and using different definitions.

Is your organization taking any steps related to ransomware?

  • This past year, we’ve had seven individual episodes of ransomware infections resulting in user and departmental network shares being encrypted. Luckily, we’ve been able to recover through simple data restores with little to no loss of data. These incidents, along with all of the other security news items in the industry, have our leadership more focused than ever on security. I still wonder if it’s enough. IS has been attempting to raise awareness amongst our leadership about the importance of developing a broader security program and I believe we make some relatively small progress every year. However, we still need more resources to move fast enough to keep up with the threats.
  • Reputation-based blocking of malicious links embedded in emails. Ransomware often infects the user’s computer after the user is tricked into clicking on a malicious link in a phish email. We subscribe to ProofPoint to analyze all email embedded links and attachments and then stop the malicious ones. This DOES NOT protect against malware downloaded via personal Web-based email, such as Hotmail, Gmail, Facebook, etc. We are considering blocking such services, but that is a tough row to hoe considering the culture.
  • Blocking of suspicious Web advertisers as much as we can. We plan to do more of this in the future. Malvertising is another way with which unsuspecting users browsing legitimate sites get hit with ransomware.
  • User education and awareness programs to make our community less susceptible to phishing emails. We plan to start using targeted awareness campaigns facilitated by products such as PhishMe in the future to increase user awareness. 
  • Things that we’re doing to address the infection payload: overlapping antivirus software. We have three different AVs on the email system, server environment, and desktop/laptop environment to hunt for and stop malware to include ransomware. Unfortunately, traditional AV is not super effective in detecting zero-day malware. Behavioral-based next generation AVs such as Cylance are not mature yet and are fantastically expensive, but we’re watching this space.
  • Robust backup process. We don’t pay ransom when we get hit with ransomware. We restore from backup. We use Crashplan to back up desktops and laptops.
  • Can we do more? Yes, but it would make our environment stricter. It’s a balancing act.
  • We are pretty much maintaining our patches, but we are as vulnerable to phishing as the next guy. You do what you can.
  • We are raising awareness from our board level down to the associates. The message to our board includes information about industry events and the outcome, what we are doing to minimize our risk, and how we would respond if infected with ransomware. Our associates are much more aware of the possible consequences of clicking bad email. We had an email phishing attack that resulted in an organizational-wide password expiration. This allowed for education of supervisors and managers as to why they were having them coordinate all associates changing their passwords. That level of awareness has already resulted in a more informed workforce and an increased number of reports of suspicious email.  We use real stories from other health systems to communicate our risk and it seems to work. Also, we have begun adding to our communication around events not only what IT will do to avoid a recurrence, but what our end users can do to help.  As far as technical prevention, we continue to strengthen our monitoring and blocking tools to protect our assets.
  • We’re constantly improving our security posture here, but it’s not like we’ve targeted ransomware specifically. However, we actually did see some within our organization. While running some scans from one of our newly deployed technologies, we found some ransomware on a handful of really old files (from 2002 and 2003). I’m not sure when it came in, no one was actually using those files so no one noticed the ransomware or inability to get to them. But, we just deleted them and restored them from backup and they open fine now. Not sure we needed them at all, but that’s another issue altogether.
  • We have a security vendor that provides us tools and accounting and as I understand it there have been layers of security improving in strength and coverage in IT. Also the organization is messaging to the physicians and employees how to avoid phishing and other types of targeted email based attacks.
  • We have a very aggressive information security and privacy protection strategy and always have. That said, when the bad guys really are out to get you (and they are out for all of healthcare), there is never enough precaution / preparation or defense-in-depth that’s deep enough. It’s a continuous race uphill. There are many key steps we are taking based on the latest round of evolving threats (ransomware being just one of many).
  • We are not taking any specific steps due to the recent activity. However, I have pressed our security team pretty hard on ensuring we are doing what we should be doing for our overall security program.  Our weaknesses were identified long before this latest publicized event, so we have a roadmap for all things infosec. We are covering this event in our next board meeting to remind them of our efforts and that even with a good program, we will always have risks.

    Advisory Panel: Favorite Vendor

    November 24, 2014 Advisory Panel 1 Comment

    The HIStalk Advisory Panel is a group of hospital CIOs, hospital CMIOs, practicing physicians, and a few vendor executives who have volunteered to provide their thoughts on topical industry issues. I’ll seek their input every month or so on important news developments and also ask the non-vendor members about their recent experience with vendors. E-mail me to suggest an issue for their consideration.

    If you work for a hospital or practice, you are welcome to join the panel. I am grateful to the HIStalk Advisory Panel members for their help in making HIStalk better.

    This month’s question: Who is your favorite healthcare IT-specific vendor (product or services) right now and why?


    IMO, Intelligent Medical Objects. They have a team that we’ve seen be proactive in finding ways to help ease our physicians’ jobs. Their products are cost effective, especially when we point to amount of provider happiness they return. We’ve partnered with them for at least one beta partnership and are currently considering another, in part because of how easy they are to work with.


    I’m pretty happy with Allscripts right now. It’s a completely different company under Paul Black vs. Glen Tullman. Now that I’ve said that out loud, I’ve probably jinxed the relationship. 


    Epic delivers an adequate documentation system that automates workflow, can be integrated with other clinical and administrative systems, and scales to our very large care delivery system.

    Epic. Sorry, that might not be the politically popular answer. But they are continuously focused on making their products better and making their customers successful. And the idea that they are trying to block interoperability in some way is frankly nuts. The recent back-and-forth in the press on interoperability and who is the best or the most committed is mostly posturing in advance of the impending DoD contract. Could Epic do better in this area? Absolutely. Could Cerner and the rest of “CommonWell?” Absolutely. We need a common standard.

    Epic. They are the most focused on healthcare reform and the most ready to adopt and support the changes.

    I don’t have a favorite company right now as I am dealing with too many that I would like to get rid of.


    Favorite is Wairever. They offer Plexina, which is a content management tool that we use for developing and managing order sets. The tools they provide are fantastic and their responsiveness has been great.


    Fortified Health Solutions. They partner (and I do mean partner) with us to provide security monitoring and consulting. We’re much safer than we were a year ago because of their recommendations and guidance.




    My favorite vendors lately are Vocera and a small nurse call vendor called Critical Alert Systems. They have been extremely engaging and get it – they both have engaged individually and collaboratively to figure out how we achieve our desired result. They have been candid, direct, and honest. I wish larger vendors would get off their high horse and act like they did when they were half their size. Every CEO should ask themselves: how did we act when we had half the customers and market share? My favorite services company lately is Beacon Partners. Ralph is easy to do business with, easy to interact with, and hasn’t let me down yet!


    Cerner is my favorite vendor as they are rescuing Siemens from the mud.  (I am a Siemens customer.)


    EClinicalWorks. They have many shortcomings, but are delivering a usable ambulatory EMR at a decent ROI. Their support folks respond and often can help solve problems.


    I am absolutely overwhelmingly impressed with Salesforce.com. They are not an HIT vendor, but they have shown me an ability to provide a malleable platform along with a team of leaders who really get it.


    Meditech. Provides the best level of support, especially with their task management system. Meditech has also become more proactive and letting clients know about software issues and severity of the issues. The stability of the system is still topnotch, with no unplanned downtime in our environment in over two years. Meditech also has a lower maintenance cost than many of our other vendors. Not that you asked, but the vendor that we struggle with the most is eClinicalWorks. Communication with eCW is very, very difficult and they don’t use their task management system very well.



    Microsoft Azure and Office 365. Removes a heavy load of keeping the lights on. CommVault — best solution to backup to Azure and have the ability to perform legal/investigative searches.



    There are two I would highlight. The first is the best staffing firm in the world, iMethods Inc out of Jacksonville, FL. They are the only firm I have worked with that realize that it is a person with a resume versus a resume that happens to come with a person. The other company is dbMotion. We are working on a project with them right now where we will connect all of our community data and make it actionable at the point of care, where it is needed most. Great stuff there that will put our community in a great position for the future.

    Advisory Panel: ONC’s Leadership Exodus

    November 19, 2014 Advisory Panel 1 Comment

    This month’s question: What is your reaction to ONC’s recent leadership exodus?

    Back at the ranch, my team and I are implementing healthcare information technologies and give little thought to ONC’s entrances and exits. Cynically, I guess their departing leaders are chasing new money and will move to lobbying consulting.

    From my perspective, I don’t see us in a post-MU world yet. Maybe that’s because we are so focused on still getting all the Stage 2 requirements to work, but I don’t think we’ve moved into a stable time yet.

    I think it’s normal turnover when the top person leaves. That’s not to say that ONC is not undergoing an identity crisis. They need to re-invent themselves and I would think people at that level would enjoy that type of challenge. But they’re bureaucrats and I’m not, so I could be off. 

    ONC is in free-fall. The confusing series of announcements about Karen  DeSalvo’s departure that isn’t a departure is symptomatic of a larger problem. There doesn’t seem to be a plan. Turnover in government agencies at this level is pretty normal, but there usually isn’t a shortage of people ready to fill the gaps. Not so this time.

    My reaction is not of surprise at all. You have a very unpopular administration right now that is like a sinking ship. When non-politicals get involved, they don’t need to have their reputations tarnished by what is happening in Washington in general. The public may never get the truth behind the exodus, but it certainly looks like people that just want out of DC.

    I am not surprised. CMS leadership (if we can use that term) lacks real-world understanding. When Ebola rose as an issue, it would have been a wonderful excuse to suspend programs like MU2 under the guise of a national emergency. Instead, they took Karen out of the leadership position at ONC and reversed themselves soon afterward when the heat got too hot from the IT and Informatics community, among others. Of course, she now has two jobs and won’t be able to do either as well as they need to be done. This is not normal turnover. I think folks are looking at MU and realizing that with the incentive money essentially gone, everything from here on out will be very difficult. Like all human beings, the ONC staff are doing the calculations – work hard for little reward or find something else to do.

    I think this is a bit of “it’s harder to get all these (implementer) cats to cross the finish line than we wanted to believe” combined with the natural life-cycle of a run fast and free organization tied to stuffy CMS, and this has started to shut down the ask-for-forgiveness freedom that the recent leaders needed to stay interested.

    Not surprised and neither (turnover or identity crisis). I think it’s indicative of our current state, both in healthcare and the world. Few make long-term commitments or have a vision that lasts longer than three years. We want to make changes to fix the perceived problem right now and pad our resume but we aren’t willing to live with the consequences of our choices. We’ve lost any ability to do anything other than complete a few tasks and then take off for the next organization with the hopes of increasing our paycheck and retirement portfolio. Jaded? Yes. But you asked.

    I think these sort of non-career appointments have a high turnover rate. Most of the ONC heads have left after two years or so. I think this is a very difficult job. They have to be on their toes watching what they say 24×7. As for Karen D, I think she saw this as a perfect excuse to leave when the going is going to get very difficult, not that battling Ebola will be any easier. As for Jacob R, I think he was upset that he didn’t first get selected to be the National Coordinator before Karen D and then more recently get selected as at least the interim coordinator to replace her. I know I would have quit for that reason.

    Not surprised – matter of time and I suspect the timing was perfect for her. I also think this is a symptom of a significant identity crisis and I think the overall program is in jeopardy. The ONC turnstile is likely indicative of what it’s like to try to reconcile vision, policy, and politics with the realities of an immature technology market with providers trying to figure out how to be successful in an uncertain world. This might be a revised definition of insanity. In summary, I don’t blame her as the job has evolved into something that cannot be achieved under the current construct (and I thought CIOs had it tough these days).

    I think the changes occurring in ONC are higher than normal for government agencies. It could be the post-MU blues, but I think it is also the drain from pushing for HIT progress through tedious, laborious regulations which don’t always hit the mark.

    Not surprised. Didn’t see any major strategic announcement following Dr. DeSalvo’s assignment except a change in the org chart, which didn’t amount to much. Her heart has always been in helping people with health issues and not working for an agency distanced from the patients.

    This is an example of the government doing an about face and the government as well as ONC know they are doomed. They have no value to the healthcare system at this time with virtually zero leadership effect.

    Looks pretty much akin to the death throes of a wounded skunk … it ain’t pretty and someone is bound to get sprayed.

    As to Karen and Jacob’s departures, I was not surprised. Karen presented Grand Rounds here the week prior to her recent announcement and it was clear that she has much to offer this country. While the ONC role is an important one, many of us were so impressed with her candor, her transparency, her passion, and her commitment (in her own words) “to the poorest of the poor, and the sickest of the sick” that I believe she had to move into a more visible role. I’m not sure what’s next for her, but I genuinely believe we will see her move around, in a good way, for the years ahead. I hope she stays involved in ONC for a while (as the press releases seem to indicate). I hope HHS will work hard to seize this opportunity to reconsider some of the ways ONC could play a more collegial role, like the one Karen was creating, promoting collaboration toward the ultimate roadmap that Karen was assembling.

    Ugh. I hope the interoperability focus/Jason report doesn’t get lost (why did she?)

    My feeling is that the personnel movement shows that there is no plan. The government seems to be making it up as it goes with no end game, which leads to staff unrest. The number of healthcare enterprises abandoning even trying to meet MU measures shows that the program should be reworked to focus on interoperability instead of focusing on the care delivery process.

    They did what they thought would “revolutionize” healthcare and perhaps realized the root causes of our systemic issues are different than what they thought. We now have EHRs and MU measures but you could argue that’s made a ton of money for vendors but had little impact on quality of care. In government work, it’s not surprising when g-men and g-women go take private jobs at some of the same corporations they had dealings with.

    I am concerned about the change in leadership. This new leader is the fourth in the last three years. That does not spell stability to regardless what CMS/ONC says about their stable team.

    Advisory Panel: Reactions to the Community Health Systems Data Breach

    September 3, 2014 Advisory Panel No Comments

    This month’s questions involve actions taken in response to news of the recent hacking of Community Health Systems via the Heartbleed exploit.

    What new actions or security reviews has news of the CHS breach caused in your organization?

    I have been asked to have a penetration test performed on our network by our COO. This level of attention is unprecedented. I owe the folks at CHS a thank you gift for raising awareness amongst the rest of our executive team.

    Asked my management team to review our systems again. I’m not positive the networking group reviewed their systems in April. I am now. 

    It’s a reminder that we must constantly scan our environment for vulnerabilities and remediate every exposure. We have decommissioned some hardware as a result of our Heartbleed assessment.

    We reviewed our current IE based connectivity i.e, Cisco (far better than Juniper).

    [from a vendor member] As a result of recent breaches such as Community and Sony, we are setting up IDS — intrusion detection — for our production environment. We are now getting daily reports on access activity from our prod environment, paying very close attention to foreign access attempts. We are also turning up our white hat vulnerability scanning of our code base before deploying to production. White hat is also doing proactive vulnerability testing in our prod environment. SQL injection, xsite scripting vulnerabilities are specifically targeted. We are doing everything possible to be proactive to protect all client data under our care.

    Gather details on the CHS breach. Ensure that we don’t have the same exposure. My understanding was that the Heartbleed vulnerability was unpatched on a VPN device (vendor omitted) and the device was configured for single-factor authentication only. From there, the attacker leveraged a known trojan backdoor to gain remote access to unpatched / unprotected Windows machines.

    The news of the latest breach pretty much is part of the background noise since there is a breach every couple of days.

    We are implementing a data loss prevention product to help mitigate the risks.

    No new technology, but increased education for our staff  to remind them that security involves all users. We also presented our information security plan to our board, which met this week.

    New actions, none. We had done sweeps using scripts to detect the Heartbleed SSL on our publicly-facing systems. We already have active security sweeps that detect Heartbleed vulnerabilities as well as any exploitation attempts.

    We are re-evaluating our ability to detect large outbound data flows.

    It actually happened at a good time. We were in the midst of our annual security audit when the news broke. We had just received initial results which showed our security posture. Tying the breach to our posture and presenting to executive leadership and the board gave our security program immediate credibility.

    We have been reviewing our policies for vendor-managed systems and will be setting a revised set of standards for all vendors to follow irrespective of whether they like it or not.  We culturally and procedurally need to move away from the mentality of, “This is vendor managed, so we don’t touch it.” 

    No new actions or reviews. Has led to heightened organizational awareness.

    No changes. We are already monitored by a third-party vendor and have security set around our perimeter.

    Review of all access privileges and more limited access to some previously given more global access. Creating more steps for some who have global access because we are asked to do things others used to do when they had access to the data.

    We have not changed anything since the CHS attack. We have not performed anything in addition to our current IT security assessment, which coincidentally is running right now.

    [from a vendor member] No new actions. We are already pretty paranoid. As a vendor organization with large payer and provider data sets, we’d be in big trouble if we breached. 

    We have re-examined our approach to Heartbleed, but recognize that all of our best efforts are sometimes not enough. We focused on remediation, but also on response should we have a problem.

    Initial reports suggest that the Heartbleed exploit was involved. Are you confident that your network equipment software has been updated?

    I am as confident as reasonably possible. We have outsourced most of our security monitoring to a third-party service and they have scanned and validated we are secure. 

    Yes. (two responses)

    We are confident that our actions have corrected identified issues. This seems to be a “known unknowns” kind of situation where we know about some system components not managed by us that could be vulnerable. Vulnerability scanning continues.

    Yes. We scan with Qualys monthly and before any new infrastructure is put onto the PRD network.

    Yes. We have the same Juniper SSL VPN and applied the update soon after the exploit was identified.

    When the Heartbleed exploit was publicized, we reviewed all our existing infrastructure and patched what we could. We continue to work with vendors to ensure that all needed patches have been installed.

    Public Internet facing, yes, we are protected. There are a number of free or custom scripted scanning engines to verify. We’ve done that with QualysGuard on the big-name side, custom scripts on our security team, and finally by pushing as many things through our F5 load balancer that was not as affected on the SSL off-loading side. Internally there are a ton of HTTPS/SSL security administration pages that need updates still, this many months on.

    We initiated a remediation effort as soon as news of the Heartbleed vulnerability went public. While we feel pretty confident we have addressed the known vulnerability, we remain vigilant for suspicious activity.

    We ran a test that showed that we only had one Heartbleed exposure, on a semi-retired system, which we fixed.

    Not fully as we are completing our assessment, but believe our plans will largely address this.

    Confident yes. Certain, no.

    I hope so:) not confident.

    I am never confident that we have covered every possible point keeping software up to date. There is always a chance we have missed something that will expose us to an exploit. Not that we accept vulnerabilities, but we are realistic about what we can and cannot protect.

    [from a vendor member] We are pretty confident our network is up to date. It is amazing as a recently founded company (less than five years) with a hosted "cloud" model the amount of equipment in our office is down to laptops and a switch, one server for hardware experiments that is not hosting live data. Everything else is hosted and easy to control and evaluate. That is underappreciated in its effects in your efficiency and margins as an organization.

    One of our staff reads Finnish blogs and we found out early. The patch was installed quickly.

    We think so, but have chosen to take a more comprehensive look.

    Would your network monitoring procedures detect unusual user behavior or large data transfers?

    We are missing some components of a perimeter security solution (IDS/IPS for one). This event has escalated the discussion and we are now pursuing the purchase of products and services to fill in a few gaps.

    Probably not. Our logs are so voluminous we can’t find the needles that are in the haystacks, let alone tie needles from multiple haystacks together. 

    Yes. We use intrusion detection and other monitoring techniques and have a 24×7 monitoring team to support detection.

    Not really, but large data transfer is generally inhibited or not allowed.

    Yes. DLP would detect/block any abnormalities at egress through the internet proxy.

    No. We have to implement our data loss prevention solution before we can detect those.

    We recently installed a new product from our core security vendor that looks for unusual traffic on our network and has the ability to block traffic or a workstation when it sees something unusual. We feel this new system will be critical in responding to events where no known malware or virus has been published.

    [from a vendor member] We hope so. Our tests have picked up this kind of behavior, but frankly I’m always impressed at the ingenuity of software developers. It is what we pay them for, but since they could write the rules for those tests, they usually have insight into how someone might take a shortcut. 

    Yes. We have a security analytics platform based on real-time logs and network capture. There are a number of custom “content” detection methods we have on that solution. We detect abnormally large SSL handshakes, for example, an indicator of someone attempting to grab a full 256-bit data response from a vulnerable OpenSSL installation. When it comes to data exfiltration, we have the same security analytics platform plus a DLP platform, security operations center (SOC) rule sets, web filtering rules that would detect large transfers, and your general network operations center (NOC) monitoring.

    We believe they do. However, continuing to re-evaluate and test our ability to detect large outbound data flows.
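    The size-anomaly check mentioned in the security analytics response above can be sketched over raw TLS records, as an added example that is not from any panel member or their vendor. The function names, the 64-byte slack, and the sample records are constructed assumptions, and the field-level check assumes heartbeat messages sent before ChangeCipherSpec are unencrypted.

```python
import struct

CHANGE_CIPHER_SPEC = 20   # TLS record content type
HEARTBEAT = 24            # TLS record content type (RFC 6520)
HB_REQUEST = 1            # HeartbeatMessageType: heartbeat_request
MIN_PADDING = 16          # RFC 6520 requires at least 16 bytes of padding


def record(ctype, body, version=0x0302):
    """Build one TLS record. Used only to construct the sample data below."""
    return struct.pack("!BHH", ctype, version, len(body)) + body


def parse_records(stream):
    """Yield (content_type, body) for each complete TLS record in a byte stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5: off + 5 + length]
        if len(body) < length:      # truncated capture: stop rather than guess
            break
        yield ctype, body
        off += 5 + length


def analyze(exchange, slack=64):
    """Flag Heartbleed-style heartbeat anomalies.

    exchange: ordered list of (direction, bytes), direction is 'c2s' or 's2c'.
    slack: assumed tolerance (bytes) for cipher overhead and padding differences.
    Returns a list of alert tuples.
    """
    alerts = []
    encrypted = set()          # directions that have sent ChangeCipherSpec
    last_request_len = None
    for direction, data in exchange:
        for ctype, body in parse_records(data):
            if ctype == CHANGE_CIPHER_SPEC:
                encrypted.add(direction)
                continue
            if ctype != HEARTBEAT:
                continue
            if direction == "c2s":
                last_request_len = len(body)
                # Field check is only meaningful while the record is plaintext.
                plaintext = direction not in encrypted
                if plaintext and len(body) >= 3 and body[0] == HB_REQUEST:
                    declared = struct.unpack_from("!H", body, 1)[0]
                    # type(1) + length(2) + payload + padding must fit the record
                    if 3 + declared + MIN_PADDING > len(body):
                        alerts.append(("malformed_request", declared, len(body)))
            elif last_request_len is not None:
                # A correct peer echoes the payload, so sizes should match closely.
                if len(body) > last_request_len + slack:
                    alerts.append(
                        ("oversized_response", last_request_len, len(body)))
    return alerts


# Constructed sample traffic (not captured from any real system).
_ok = struct.pack("!H", 16) + b"A" * 16 + b"\x00" * 16
BENIGN = [("c2s", record(HEARTBEAT, b"\x01" + _ok)),
          ("s2c", record(HEARTBEAT, b"\x02" + _ok))]

SUSPECT = [
    # Declares a 4000-byte payload but carries none.
    ("c2s", record(HEARTBEAT, b"\x01" + struct.pack("!H", 4000))),
    # Reply far larger than the request that triggered it.
    ("s2c", record(HEARTBEAT, b"\x02" + struct.pack("!H", 4000)
                   + b"\x00" * 4000 + b"\x00" * 16)),
]

ENCRYPTED = [
    ("c2s", record(CHANGE_CIPHER_SPEC, b"\x01")),
    # Ciphertext that happens to start with 0x01 must not be field-parsed.
    ("c2s", record(HEARTBEAT, b"\x01\xff\xff" + b"\x5a" * 40)),
    ("s2c", record(CHANGE_CIPHER_SPEC, b"\x01")),
    ("s2c", record(HEARTBEAT, b"\x7f" * 43)),
]

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT),
                         ("encrypted", ENCRYPTED)):
        print(name, analyze(sample))
```

    Once a session is encrypted only the record-size comparison applies, so the slack value needs tuning against the cipher suites actually seen on the network.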

    Yes. Firewall alerts show large transfers. Geoblocking rules stop any transmissions to non-US IP addresses.

    Not completely as it currently stands. We are presently executing upon a set of strategies that will address this and other matters in the coming months.

    Likely only very significant or large-scale activity.

    Yes, we have checks and balances in place.

    We have tools in place to detect abnormalities. However, we have not tested for this scenario … yet.

    We have mechanisms for detecting unusual user behavior and our software blocks large data transfers (Outlook). Anything more sophisticated than that would not be seen. The traffic (network) software requires human monitoring to be useful and we are short-staffed in that area.

    Yes, I believe so. We have invested in tools and technologies, but in many ways, it just means we might detect something a bit more quickly than we might have otherwise detected. Not truly about prevention — just detection.

    What ONE recommendation would you offer to a hospital trying to assess or improve its security against cyberattacks?

    If you’re a small to mid-size healthcare organization, hire qualified professionals to evaluate, plan, and implement a full security program.

    You can’t have one. Cyber security is multiple layers of different locks with keys held by multiple people. 

    Address identified vulnerabilities without delay.

    Have a robust Intrusion Detection System – we use McKesson as our ISP.

    Diligence. More specifically, scan, patch, repeat. Strong password policies and two-factor authentication.

    Tools are available. Look at the products in that space and select and implement. It will take a senior-level network resource to do it right.

    Multi-layered security infrastructure and lots of training for staff.

    [from a vendor member] Cloud vendors are probably more secure and less likely to breach their data, which doesn’t seem to make sense until you really examine the required data flows and architectural components. And watch those appliances and browser plugins, but I’m sure they are ahead of those issues already. 

    Hire a SOC or some other Managed Security Service (MSS) based off a security solution that uses both log sources as well as network capture. If that is too much $$ for the analytics solution, at least hire a managed/outsourced SOC to watch your firewall/public Internet device logs. If a hospital can’t spend ~$10-30k per year to fund watching the front door, there are many other ways to breach that organization. 

    Ensure firewalls are secure and these firewalls are sensitive enough for certain levels of attack and then immediately be informed of the attack to those who need to know.

    Take these threats seriously and prepare. Many in our healthcare industry seem to feel that these things only happen to financial institutions or commercial organizations. We’re the new target and, unfortunately, I think we’ll see more of these large breaches before healthcare finally takes security seriously.

    Take it seriously. Now even small hospitals are a target. You can’t follow "security by obscurity" any more.

    Use common sense. When it’s been announced in every major public media source that there is a bug in the software that health systems use that leaves them vulnerable to data breaches, they should fix the bug immediately. We still regularly hear about unencrypted laptops being stolen. I wonder how many health systems there are out there that still haven’t fixed the Heartbleed bug and won’t until they have a breach?

    Invest in security in your org and engage the people to have heightened awareness of security risks. Bad things will happen; the bad guys have more money, more resources, and more time than many of us. It is important to know how to reduce exposure and be prepared for the bad events. In many ways, it is like the principles of a High Reliability Organization, ideas promoted by Drs. Weick and Sutcliffe.

    1. Be preoccupied by failure. Focus on what could go wrong.
    2. Be reluctant to simplify interpretations. Don’t jump to simple conclusions – try to understand the situation.
    3. Sensitivity to operations. Respect the folks close to the problem; they may be able to help you detect that something is going wrong.
    4. Commitment to resilience. Be prepared to bounce back; don’t give up.
    5. Deference to expertise. Engage the experts.

    We have dedicated software, not hardware, for DDOS attacks, but those are pretty obvious when they are happening. Far and away it is the human factor, phishing, that is the danger, perhaps even more so from the IT department who considers themselves immune to this type of attack. I bet they are just as gullible as every other user.

    Install an IPS. It is amazing to see how many times a day you are scanned and/or attacked. The right technology will allow you to “see” the activity and defend against attack.

    Use an outside firm that has expertise in this area to do an annual assessment and also perform white hat hacking. You will be amazed at what is discovered and how this information can help position the organization to be as prepared as reasonably possible against attacks.

    I would love to believe that ONE recommendation would address our reality. This space is one of the most underrated in terms of complexity, cost, and risk. We have spent the past 18 months going through an exhaustive planning and education process to thoroughly assess where we are and where we need to be. There are technical parts for sure which need to be understood and addressed. These are the easiest to deal with because they are, by definition, known. The issue is, how do you reconcile an organization’s risk tolerance against a growing uncertain threat? This is not an easy topic to get organization leaders’ heads around. Take the recent situation at Children’s of Boston. Did any of us actually believe we providers would be the victim of an attack from a sympathetic group involving the care of a very tragic patient care situation?

    We live in a different world at a very different time. We providers are all under a significant amount of pressure as we deal with all of what is happening in our space. I believe most of us have been making “best reasonable efforts” to do the right thing and safeguard the information which we need to be responsible for. We also need to invest in a wide variety of enablers to transform ourselves into what we believe is important. Everyone is becoming more sensitive as most people know that no one is immune to this threat and it’s just a matter of time. Unfortunately, it’s difficult to make the necessary investments to mitigate against most if not all of the threats given the economic pressures that we are all under. Interesting topic in very interesting times.

    Advisory Panel: Budget Challenges, Favorite Vendor

    June 18, 2014 Advisory Panel No Comments

    The HIStalk Advisory Panel is a group of hospital CIOs, hospital CMIOs, practicing physicians, and a few vendor executives who have volunteered to provide their thoughts on topical industry issues. I’ll seek their input every month or so on important news developments and also ask the non-vendor members about their recent experience with vendors. E-mail me to suggest an issue for their consideration.

    If you work for a hospital or practice, you are welcome to join the panel. I am grateful to the HIStalk Advisory Panel members for their help in making HIStalk better.

    What are your biggest capital and operational budgeting challenges and what creative solutions have you used to overcome them?

    Being able to retain talent and valuable people in a very competitive environment while facing lower reimbursements.

    We are receiving diminished funding for maintenance of infrastructure systems (storage, network, tools, etc.) while experiencing increasing demand for security solutions and acquisitive growth requiring unplanned support. We are shifting resources as needed to keep up with demand and we’re candidly disclosing the system availability risk levels we believe are rising as a result of delaying infrastructure maintenance. We’ve tapped philanthropic donors for “marquee” investments, leaving routine sources to the less-glamorous work. 

    Our hospital has seen volumes plateau and reimbursements decreasing. Our revenues are well below target and we are trying to cut expenses everywhere. Going into our next financial year, we are focusing on optimization efforts of existing systems and infrastructure replenishment. All other projects will have to show hard dollar ROI to be approved.

    [from a vendor member] We’re seeing that a number of our clients are employing advanced analytics to their administrative data to address and close gaps related to missing charges for devices, drugs or care provided. Leveraging their own historic HIS data with predictive modeling technologies, they’re bringing in millions of additional dollars in net revenue per year — an interesting and creative approach to addressing budget challenges.

    Like everyone else, we are expected to do less with more. We are located in a remote area and have little access to advanced IT talent. I located a vendor who provides DBAs (and other programmers) at less than $30/hour. We currently use them for SQL and Oracle DBA as well as a Citrix administrator, all 20 hours/week. There is no way that we could afford this support any other way.

    After an enormous EMR expense, the hospital is looking to cut down ongoing expenses, pointing out that IT is not a source of revenue. They seem most eager to trim optimization expenses, particularly in compensation to clinical experts and consultants. On the clinical side, we have done best with investing in fewer, but more involved subject experts ("a few good men and women"). They do well getting ad-hoc consensus and being the face of IT. On the consultant side, we have made the case that "a few good men and women" are essential to operations.

    As reimbursements are continuing their decline, we are under the same scrutiny as all other departments. What was once considered nearly untouchable is now under the microscope. Our biggest challenge does not come under a program or project specific area, it is everything we do. We are in the process of figuring out what we need as essential services and what can be shut down. This is not a small task as we have some platforms that do not scale well and causes us duplicative support and infrastructure services. In addition to that, the shadow IT problem is hard to fully identify and reduce spend on. This will be an ongoing challenge for us and I believe will become more acute for all providers in the next few years.

    Our board has a policy that project overruns over 5 percent have to be approved by them. We were replacing our pharmacy system and working on MU2 with the same set of resources. As MU2 came to be more complicated than anticipated, we pulled internal resources away from pharmacy and brought in more expensive outside resources. Pharmacy went live on time but $500K over budget. This is the only time in 20 years that I’ve had to go to the board for a project overrun. My point is that it demonstrates again what a huge distraction MU has and will continue to be along with potential career-limiting impact.

    I work for a provider organization that manufactures many of its own products. As such, prior to my arrival we had begun experimenting with outsourcing development, at least the maintenance/break-fix items from the products we develop. Largely speaking, this wasn’t successful for many reasons. Although the entire organization was cutting back and finding ways to get more efficient, I was able to position this as a means to eliminate the outsourced relationship, hire/onboard new personnel (still in process) to create a budget neutral situation where the organization’s experience was better with our own internal resources yet achieved a positive boost from a cultural perspective (we are hiring now vs. outsourcing). From a cost savings perspective, I focused my efforts on how technology could take out costs from the organization creating re-engineering opportunities. For example, driving efficiency through the applications used by our operational teams so they could cut headcount by 20 percent. Another example is how we are re-architecting our corporate fax solution (we fax many of our results back to our customers/partners) saving 40 percent in fax costs on an annualized fashion. Re-engineering through technology doesn’t necessarily have to include headcount reductions.

    Who is your favorite healthcare IT-specific vendor (product or services) right now and why?

    None really. One must not underestimate the power of IT vendors to disappoint. One CMO once advised me in advance that there is really a "curve of disillusionment" but what I did not anticipate is how much disappointment I was going to experience not from the IT product itself but from the people in the company.

    I continue to like Impact Advisors and their Epic consultation services. We have encountered novel integration challenges in our acquisitions and they seem to have been there/done that.

    Right now we are very pleased with select vendors that spend time learning about our business and figuring out how to adapt their offerings for our benefit, challenging us along the way with how to think differently. The best example for us right now is CDW, which frankly was surprising to me when joining the team. CDW offers a basic fulfillment service for most equipment we purchase but they also bundle it with creative solutions like headcount to help drive our Sharepoint implementation as well as creative packaging such that we can avoid shipping/prep of equipment at our location rather pre-loading it at Sharepoint, including asset tagging, and direct shipping it to our destination. CDW has done a nice job understanding how they can help us and brings great value outside of basic order fulfillment service.

    Aspen Advisors. They’ve done a few key projects for us that have come in on time and under budget.

    INHS (now Engage). Hands-down favorite. My biggest beef about vendors (product or service) is that they don’t have to live with what they deliver. If you are required to support what you implement or recommend, it seems to change your build and recommendations. INHS provides the IT systems for numerous hospitals and practices, so I know that when they build something for me (a non-INHS site) or make a recommendation, it is something that they can or have lived with in the past. They also understand that the build/recommendations have to be practical and executable and as non-invasive as possible to our customer. That frame of reference makes a significant difference. 

    Epic. Best support ever, and they seem committed to our success despite a rolling cast of characters. Very few issues are dropped, even when we don’t like the answers. They do prompt, customer-wide notification of clinical issues and potential near misses.

    The only vendor names that come to mind are the ones that are letting us down in significant ways by their lack of proper development focus, ability to deliver on time, or just a general lack of indifference toward our needs as a customer.

    Epic. They are our EMR and provide great support.

    Prominence Advisors. They are a small consulting firm full of "Epic all-stars" and have been tremendous in helping us with our Epic project.

    None of our vendors are standouts. They continue to deal with MU and it has distracted them.

    Advisory Panel: Web Hackers

    This question this time: Have web hackers ever impacted your operation?

    Hackers did once penetrate our organization. They never got close to any HIPAA-related data. What they did do is get into our phone systems so that they could make international calls for free for a short time until we shut things down.

    We have not seen any specific attacks or hacks. We have had several security audits, so I believe we are well documented and not just whistling past the graveyard. I know that larger providers in our area have had these types of attacks but I think we remain below the radar.

    Aside from a virus outbreak many years ago, we have not had any known breaches or attacks that have affected our operations.

    Our organization has not documented DDOS attacks, unauthorized network access, or server compromises. 

    Not yet. We do penetration testing / white hat hacking to help reduce our risks. I am not sure if any organization can ever reduce their risks to zero.

    No. The bigger issue has been phishing.

    So far, no. We use some network appliances that monitor and protect the perimeter. I’m sure it will happen some day!

    Fortunately we haven’t had any major attacks or unauthorized network access. Roughly five years ago we did experience a compromised Windows 2003 server hosting DNS externally for our organization. It was a known OS vulnerability and we didn’t have it patched on time. At the end of the experience we ended up removing and rebuilding the server vs. attempting to correct the unauthorized access.

    We have not had any impact to date, though there have most certainly been attempts. I have a very talented IT security team that does an amazing job every day to keep us safe. I do have concerns, however, about the increasing attempts to hack us through biomedical devices. This is not an area where these vendors are very robust, so we are building capabilities to better monitor and support security in this area.

    No. However, we are concerned about our ability to monitor and discover these types of activities. We continue to focus our security efforts to create a multi-layered infrastructure and provide better discovery tools for our staff members. We also feel it is important to implement as many “self-healing” security services as possible (example: the system can “see” a phishing message and automatically create a rule that protects our users, even if they click on the link).

    Not hackers, but a virus. Lesson learned. Remove the exclusions from all application servers on a regular basis and run virus scan. Applications that will not run with AV scanning certain directories are places for a virus to take hold. Implementing an IPS and proper network design can help minimize the impact when something does take place.

    Advisory Panel: How Will the ICD-10 Delay Affect Your Organization?

    This question this time: How will the ICD-10 delay impact your organization?

    The ICD-10 delay will cost us more for the implementation. It could be up to $1 million in implementation resources. Our project team will extend for another year, upgrades will stay on track, and we will dual code for longer than planned. We have hired coders who only know ICD-10 and we have to retrain them for ICD-9 so that they can be productive. Unless our vendors come out with yet another ICD-10 version, we should be finished with upgrades by this summer and have a year or longer to test.

    [from a vendor member] The delay won’t impact our organization at all. We were ready a while back and so honestly the bad part of this is that all our hard work as compared to other vendors will somewhat go unrecognized. That said, it’s really not that bad since it just means our solution will be even better given the year delay. Our clients who were already on the track for ICD-10 readiness are all staying focused on ICD-10 preparations regardless of the delay.

    Overall I am neutral on the delay. We have done a great deal of preparation, but most of that is helpful with ICD-9 or 10. It would have been a much bigger relief and benefit if MU Stage 2 were delayed. We had already begun an aggressive Clinical Document Improvement (CDI) program aligned with our ICD-10 project. We will continue that program and will also complete our Computer Assisted Coding (CAC) project as it is well underway and has the added impact of allowing us to outsource much of our coding function. Most of the software upgrades came with the MU S2 changes so that testing was needed. The places we will cut back on are training, testing, and outsourced project manager costs. The CDI related training will continue and coder training will be slowed. All other ancillary training and provider ICD-10 specific training will be put on hold. Testing with payers will be delayed for as long as it takes. Unfortunately, this does not really make any resources available to do all the other projects on the list!

    This hospital was in the midst of individual system testing and had worked with a few payers to do some combined testing when the delay was announced. Most systems had been upgraded and others were close. We had implemented computer-assisted coding in 2013 to ease the transition into dual coding and had that project live. We had purchased ICD-10 training content, had our coders trained, and had started scheduling provider training. I’d like to say the ICD-10 delay was good because of everything else we have going on in IS (MU Stage 2, an anesthesia go-live, new clinics opening, etc.) as well as all of the other pressures placed on our providers. The reality is that this organization is going to absorb even more expenses than planned due to the delay. The opportunity costs alone concern me. We could have done more productive things this past year that could have had positive impact to our bottom line or patient care. We will have some repeat work to be done in testing and training for the next run at things (unless it’s delayed again – ICD-11 anyone?) I’d like to see us push through and get the rest of the systems upgraded and get our providers trained. The rest of the organization wants to put everything off until we have to do it.

    The good news is that we have more time to modify application systems that fell behind schedule for ICD-10 updates. We will be adding more acceptance testing of system changes, especially for our physicians. On the coding side, we will expand our dual coding efforts to identify where improved clinical documentation is needed. Physician training will be delayed. The longer the work spans the higher the cost. So far we’ve estimated an impact of $500,000 to $1 million extra expense due to our need to extend resources.

    We are one of the few sites that are rejoicing over the delay. We were woefully late (I have not been here long) and were trying to do too much before the deadline. We will maximize the delay to our benefit.

    We were all ready, but stopped cold and now have some smart team members who can do other things. It also meant the government has lost all credibility in this area and we will not try and be too ahead of the curve next time. 

    The ICD-10 delay shouldn’t impact us terribly, so I don’t see it as good or bad. Our primary systems have been set up for dual coding for several months now. The majority of our coders are through a vendor, so our primary target is the physician population. The focus with the physicians to date has been better documentation rather than ICD-10 so we will continue this strategy. We are also implementing computer-assisted coding with a live date of June so that will continue as well.

    Time was tight for us but we were on track to be ready by 10/1. Although we had begun training, it was organizational / high level therefore we don’t see the time wasted. We are going to use the time to focus on more of the plumbing prior to launching additional training before the next requirement date kicks in. Overall we see the delay as good organizationally.

    It is good for us. Generally speaking, it is hard to see how the good of ICD-10 outweighs the bad. With everything else going on in healthcare and healthcare IT, having another year to prepare is a good thing. I have been somewhat surprised to see our professional organizations (CHIME, HIMSS, AHIMA) come out so strongly in favor of keeping it in 2014 when almost half of the provider organizations feel positive about the delay.

    We would have been ready for ICD-10 this fall. While the delay does give more time to test, etc. we see it as a negative. We will continue with our testing (integration underway) and will move forward with the majority of our plans this year regardless of the delay. Main impact is around the timing of training – this will be delayed and we have to now reassess our plans to keep ICD-10 “fresh” for those coders that were in process. Also, it causes us to have to extend our resource commitments – whether internal or consulting – which will cause additional expense. We also now have to reassess several large go-lives whose schedules were made based on ICD-10 happening this year.

    We have already implemented tools to support ICD-10 in our EHR and will use the delay time to get our users used to more specific documentation to support ICD-10. Will shift our planned education push to meet new schedule.

    As an organization, we are not happy with the delay. We believed we were well positioned for October 1, but we were unsure how our payers, especially CMS, would be ready. The delay will cause us to slow down our physician education, but we are continuing our work on infrastructure like reports and having them ready to go. Concerned they may decide to skip ICD-10 and go to ICD-11 and have another delay.

    It gives us time to complete the required upgrades without the intense pressure and also focus on a clinical replacement. Being a McKesson Horizon customer, we have to select a new system.

    [from a vendor member] The delay is unfortunate and bums me out. If folks weren’t ready, we need vendors who step up to take care of the transitions, not more delays. We were ready and spent a tremendous amount of effort to get ready so the biggest negative impact to us is all the things we could have done instead. What could we have done for caregivers instead of using our resources on ICD-10? High opportunity cost.

    Kill me now. This is the most ridiculous thing I have ever encountered in my health IT career. We make plans for big projects at least a year ahead of time. Much of our project planning for converting hospitals to Epic was designed around avoiding the immediate post ICD-10 period. Since CMS has been silent—are we to assume the next date is October 1, 2015? We need to make plans and are in a holding period once again. Does anyone have any credibility on this topic?

    We’re not stopping, but we are slowing down. We’re in the middle of a bunch of other projects (MU, physician documentation, revenue cycle revisions, massive system upgrades to non-clinical systems, etc.) that need attention. Most of our vendors will have compliant systems long before the deadline, so that all we really will have to do is flip switches. I consider this a neutral to positive. We’ve got limited staff resources to address everything and this gives us one space where we have a little breathing room.

    The ICD-10 delay gives us a chance to spend more time implementing and more thoroughly testing our solutions end to end. I for one was thankful for the delay as we just had too much going on at one time. The only question I have is whether or not the Feds will start leaning toward ICD-11 instead.

    Advisory Panel: Your Personal Mobile Device

    April 18, 2014 Advisory Panel No Comments

    This question this time: What brand/model of mobile device do you use most often and what do you like most and least about it?

    I use an iPhone and an iPad and I am happy with the fact that I can access my email from anywhere and can respond on the fly, but for the business of medicine it is cumbersome, difficult to type, not secure, and the constant need for iOS updates makes it difficult to use and upgrade apps. I do not like the "Walled Garden" approach from Apple that does not allow certain applications on their platform like Adobe Flash and it is also very expensive. I read somewhere  — on LinkedIn, I believe — that it seems only wealthy people use iPhones and it is almost like a statement of status, sort of the same stereotype that wealthy folks drink wine and the not-so-wealthy drink beer…just saying.

    Interestingly enough, I did not end up with an iPhone by my sheer choice, but it was rather imposed on me by Allscripts of all people. They bought my initial e-prescribing "I scribe" which I had on a Palm for free and when Allscripts bought them, they did away with the Palm. In order to preserve my data, I had no choice but to get an iPhone and there you have it: there is no such thing as "free" and consumer choice, is it really? Mr H touched on this on one of his posts: the fact that it looks unprofessional to respond to emails from the iPhone (folks do not correct spelling, grammar, and at times it looks like mutilating the English language) but I admit I am guilty of doing it myself because on the other hand, what is the sense of the whole mobility trend? I cannot always wait for access to a desktop to respond to my emails, but I promise to correct the spelling.

    Apple iStuff. They work as a consumer device (for which they are designed). I just wish they had enterprise devices.

    HP laptops >> iPhones >> iPads

    Personally I use an iPhone > iPad >> MacBook Air

    I have used an iPad for a few years but switched to a small Dell Iconia W5 last year. I thought the Microsoft OS would make life easier working with my corporate applications. The Iconia certainly beats lugging a laptop on and off aircraft as I travel but it still isn’t as easy as the iPad. Last month I picked up an iPad Air. The smaller size is great. I think the Iconia is going back on the shelf and the Air will be my travel companion going forward. Now if only I could find something the size and ease of the Air combined with the MS OS….

    Can’t live without my iPhone 5 and my iPad 2 (with a keyboard/case combo). Allows me to stay easily reachable and to work at home without lugging a laptop every night. What I like most about the iPad – Microsoft OneNote and the ability to keep all my data and projects current across devices and operating systems. This has been a huge help in organizing an extremely busy life. I literally walk into a meeting, pop open the iPad, and jump right in. I have all the meeting notes organized, all the action items up front, and I can take notes at the same speed as if I had a full keyboard. The search feature helps me quickly find pages by keyword. I share Notebooks with my team and that is working well, too. Note: I’m ordering some Microsoft Surface Pro 2s this week to trial for potential laptop/tablet replacement.

    Personally I use an HTC smart phone and an iPad. I’m not crazy about the phone mostly because of the battery life (or lack thereof). My contract is up so I need to make a decision on a new device, but I’m not sure at this point what I will choose. I am very fond of my iPad. I use it primarily for reading and distractions and very little for work. I know that Ed Marx said in one of his blog posts that he doesn’t trust anyone that uses paper, but I went back to a paper notebook for meetings. When I take my iPad, I don’t generally take a pen to the meeting. The majority of the time someone passes out paper and I need to make note on a section so that I can follow up later. If I could get the groups to move to a paperless culture I would use the iPad exclusively.

    iPhone. I love the consistency between my Mac, iPad and iPhone. Battery life and the lack of an SD slot are the downside. I also never use Siri.

    Samsung Galaxy S3 and Nexus 7 tablet. The Samsung battery is dreadful, but other than that, both devices are excellent. Google’s services and products are nicely integrated. The processors are fast, multitasking works great, and the Android OS is very reliable. And I can’t live without Swype and Dragon.

    Apple iPhone 4S. I use maps, social media, email, calendaring, travel (airlines), weather, stocks, search, music, text, sports updates, news (around the world to help reduce spin), shopping (Amazon), restaurant ordering, restaurant reservations, and so on. There is not much I don’t like about it except for Siri. She is not very smart and does not take a clue when I am upset with her ;-). I find it works better without the protective film on the glass, to be sure.

    My iPhone 5 is my most used mobile device. I find it great for email use and I have several apps that I use for business and personal needs. My AT&T service is great for talking and browsing. With the latest iOS upgrade my battery life is terrible. 

    iPhone5. I love the iPhone. I will happily pay for something that is intuitive, quick, consistent, and has a lot of people writing for it. With that said, I am starting to see the Samsung users smirk as their product may take pictures better, get better Wi-Fi access, doesn’t charge extra for some little things. I am hoping the iPhone6 has some nice breakthroughs. But I will likely stick with Apple as the service has been phenomenal if I have any problems on any device and that is worth A LOT in  my book.

    I’m not a Mac person, but my iPhone is my most favored and trusted sidekick (iPad comes in a close second.) Portability is the best feature. Clearing out my email inbox while waiting for elevators, looking up info on Google on the fly, quickly populating and reviewing my ToDo list, and other mundane tasks are much faster and more fun. With aging eyes, the screen size on the iPhone is the biggest impediment, but any increase in size would make it harder to stash on my belt and therefore easier to lose.

    Apple iPhone4s. I like the Apple devices because most physicians use them and I can have an intelligent conversation with them about the pros and cons. I haven’t upgraded to the 5 series because my really cool case that looks like a cassette tape won’t fit the bigger phone. 

    Personally, I use Droid devices. I think the capabilities are superior to iPhones (at least at this minute). I think the openness and “less control” that has been placed on the Droid market have created these newer capabilities.

    HIStalk Advisory Panel: IT Service Management

    April 14, 2014 Advisory Panel 1 Comment

    The HIStalk Advisory Panel is a group of hospital CIOs, hospital CMIOs, practicing physicians, and a few vendor executives who have volunteered to provide their thoughts on topical industry issues. I’ll seek their input every month or so on important news developments and also ask the non-vendor members about their recent experience with vendors. E-mail me to suggest an issue for their consideration.

    If you work for a hospital or practice, you are welcome to join the panel. I am grateful to the HIStalk Advisory Panel members for their help in making HIStalk better.

    The question this time: Does your organization use a formal IT service management program such as ITIL, and if so, what results have you seen?

    Responses indicating no: 4.

    [from a practicing physician] No, I am not aware of any formal IT management program used by my now very large company, but that is not to say that they do not need one.

    We started with one, but we didn’t have the institutional memory to keep it alive. As new people came, it became increasingly difficult. Some good remnants remain, but only if somebody remembers to enforce them.

    Yes and no. We’re a small shop, so we use ITIL and other models as a source of best practices and implement what makes sense for us. We don’t want to reinvent the wheel, but a full-scale implementation in a small organization is not cost-effective. The processes, templates, etc., that we have pulled in are extremely useful and allow us to more efficiently manage a large workload with a small team.

    Not at this time. We have evaluated the use of ITIL and COBIT, but our plates are too full at this time to put any formal processes in place. Luckily the management team has experience with ITIL, so we apply the concepts to change management and service delivery as much as possible.

    We have begun to install ITIL. It has been challenging given we are short on resources and when busy, people tend to fall back into the old way of doing things. We have had success with incident management, which is a good thing.

    I was one of the first to enthusiastically jump on the ITIL bandwagon, many years ago, then I saw firsthand how the ITIL process became the goal, not a means to a goal. After two ITIL implementation attempts with two different teams, in which internal client satisfaction with IS declined and my employees became demoralized drones, I threw away any philosophy to implement the details of ITIL and instead focused on the concepts and the end goals. Those end goals are (1) internal customer satisfaction with IS; (2) IS employee satisfaction; and (3) achievement of both #1 and #2 at the lowest possible IS budget.  Since then, I’ve watched ITIL spread to other organizations and watched the same pattern that I experienced. There seems to be an inverse relationship, or at least a tipping point of inflection, between dogmatic adherence to ITIL and IS success and creativity.

    At this time we don’t have a formal service structure methodology. We are beginning to look at this due to our organization growing and that all areas now have a major IT component. We most likely would lean towards ITIL.

    Yes, we do. If you agree that using ITIL can be helpful and that every part of ITIL may not apply to your operations, it can provide consistency in support that many organizations need. We have found that it is helpful in many aspects of providing end-user services more consistently and more timely with much fewer variations.

    We do not use ITIL formally. We will soon be joining a larger system and they have adopted ITIL and we are comparing our current practices to this framework.

    We have been trained in the basics of ITIL and have incorporated several concepts and processes. We have not gone full out at this point.

    HIStalk Advisory Panel: IT Department Layoffs

    February 19, 2014 Advisory Panel 1 Comment

    The HIStalk Advisory Panel is a group of hospital CIOs, hospital CMIOs, practicing physicians, and a few vendor executives who have volunteered to provide their thoughts on topical industry issues. I’ll seek their input every month or so on important news developments and also ask the non-vendor members about their recent experience with vendors. E-mail me to suggest an issue for their consideration.

    If you work for a hospital or practice, you are welcome to join the panel. I am grateful to the HIStalk Advisory Panel members for their help in making HIStalk better.

    The question this time: Has the IT department laid anyone off in the past year?

    Our local IT department had to let go of people, but the biggest loss we witnessed was the whole CIO’s team as well as the CMO being gone as the hospital chain got bought by a larger organization. Many of us are very apprehensive as "bigger does not mean better" always and the vacuum created may be filled in a hurry by hubris. The jury is still out on that one and  I will be happy to share any happy endings if we should have any.


    No layoffs. We have implemented approximately 20 applications the past 18 months and assumed responsibility for another six systems that had been managed by other departments. We added four FTEs to our staff the previous year and have 4-5 contractors at any given time.   

    We are still hiring, but have laid off a number of consultants.  

    No layoffs. We need all the people we have. 

    Are you kidding me? Our problem is not being able to keep good staff. But who can blame them? We underpay them compared to vendors, we overwork them, and we don’t let them be innovative. No wonder they are jumping to startups and vendors so quickly. We are learning and trying to improve on each of those issues, but it’s still new stuff for large healthcare organizations.

    Yes. Consequent to budget cutting. 

    No. We added staff.

    No layoffs this year, thank God.

    No, but some have left due to burnout and boredom and stress.

    No. There have been some reductions in other areas of the health system. However, they have not impacted IT. Justification for open and new positions is much more highly scrutinized, though.

    No layoffs so far.

    Not in the last year, fortunately.

    HIStalk Advisory Panel: IT Issues Physicians are Worried or Angry About

    February 14, 2014 Advisory Panel No Comments

    The HIStalk Advisory Panel is a group of hospital CIOs, hospital CMIOs, practicing physicians, and a few vendor executives who have volunteered to provide their thoughts on topical industry issues. I’ll seek their input every month or so on important news developments and also ask the non-vendor members about their recent experience with vendors. E-mail me to suggest an issue for their consideration.

    If you work for a hospital or practice, you are welcome to join the panel. I am grateful to the HIStalk Advisory Panel members for their help in making HIStalk better.

    The question this time: What are the biggest IT-related issues your doctors are worried or angry about?

    The lack of basic IT support at the hospital level, the doctors complaining all the time about not having anybody on staff to help them when the system goes down, them needing to send an email to the "headquarters" and virtually having to wait for days when they may need to put an order right then and there in ICU. Our hospital IT department is almost nonexistent and consists of a clinical analyst and few hardware guys and it is basically rudimentary. As one doctor put it, "We need speed, speed, speed!"

    The increased documentation requirements of ICD-10. The increased direct interaction with the EMR for MU. The changes in their workflow necessitated by our EMR implementation.

    The biggest issues are around being forced to use the systems. There is nothing wrong with any of the electronic systems that we use. Our employed physicians aren’t unhappy as they understand the trade-off for their paycheck. The pushback is with the independent physicians.

    Biggest IT issue for doctors is lowered productivity. Since this is the new reality, most are resigned to it. At least for those who can successfully mentally separate IT from ICD-10, Meaningful Use, hospital and insurer intrusions into their practices, and Peyton Manning’s deer in the headlight performance.

    The two most common conversations I have with physicians are problems with their access to the hospital systems and concern about their EMR and whether or not it will interface with the hospital HIE or CIN (clinically integrated network). Access and usability issues are a huge headache for physicians in my current health system (and previous). It has to be reliable and fast. We can’t seem to get either right consistently. For the physician that drops in to round on patients, we have very little time with them. Depending on the call schedule of the practice, we may see them once a month or less often. An expired password can require a call to the Help Desk because they haven’t logged in during the time allowed to change the password. The physician planned to spend 30 minutes in the hospital seeing patients and instead they spent 30 minutes trying to resolve their access issue followed by another 30 minutes to see patients and now they are late for the office appointments. The other common access complaint I get is the fact that we require two-factor authentication and do not have true single sign-on. I have had two calls just this week from practices that are ready to sign a contract and they want to know if the software will be able to connect to our CIN. I usually have to call the vendor as I have never heard of many of the small ones.

    Too many clicks. Citrix. Texting PHI. Cost of IT.

    It seems as though it’s increasingly difficult to sort out direct IT issues from indirect ones. For example, many problems that are worrying or angering doctors are blamed on IT but really result from regulatory agencies and others who are using the advent of electronic records to impose an increasing number of inane demands on clinicians for data entry and documentation. Examples include Meaningful Use, ICD-10, and requirements of CMS and the Joint Commission, for those of us who work in hospitals. Billing related documentation is another big source of consternation. In the pre-EMR era, it was clear that no one could humanly keep all of the E&M coding requirements straight. Now with the ability to have EMR templates and the increased emphasis on "optimizing clinician productivity", we are encouraged to code what we’re actually doing rather than chronically under-documenting and under-coding. Meaningful Use and billing compliance also erect roadblocks for using other professionals to help optimize workflow. Many elements could realistically be obtained or entered by someone else (e.g., NP, PA, med student) but the attending has to do the documentation anyway rather than just confirm the information. In many EMR systems, this is less flexible and more time consuming than it was on paper, so the EMR is blamed. As physicians are staying later and later to finish their notes or signing them from home after dinner, the EMR is blamed. But it is the perfect storm of bureaucratic requirements that’s really at fault and ICD-10 hasn’t even hit yet!

    We are doing an EMR conversion this year, so that is their main worry. They don’t know enough about ICD-10 to be worried or angry about it yet … but the more we learn, the more we realize how asinine it is for primary care!

    Too many clicks. Workflow processes that put the physician’s work at risk: residents and mid-level providers who start a note which the attending physician later amends and extends (this much OK and was consensus workflow). Document is then altered by resident or mid-level provider subsequent to the attending’s note. “Locking” or “finalizing” note not available because of vendor’s implementation requires these functions apply generally and that breaks other workflows.

    Cumbersome medication reconciliation process. Workflows in ED and Surgery slow them down. These areas need optimization.

    The biggest thing I hear about is usability issues. Providers’ worries and anger won’t get any better until that is resolved.

    We are going Live with CPOM later this year and the majority of physicians that have approached me are worried, angry, or upset about the impact to the workflows they use every day. It has been a real eye-opener for some as they are brought to the table and see what the nurses and unit secretaries do with the paper-based orders they write. We also have a fair number of docs that can’t wait to do CPOM and are excited to be able to do this electronically from their home and office. They see it as a big quality of life win by not having to drive into the hospital and a big patient safety win by having all the relevant information in front of them when ordering medications, not to mention eliminating undecipherable handwriting. Not surprising is the latter group tend to be younger and more comfortable with technology than some of their counterparts.

    EHRs from different sites still can’t talk to each other without effort from the clinician changing screens. Frustrated and also workarounds continue to be major things so as to get to the necessary data with the patient sitting in front of them.

    Change management — MU2, ICD-10, and lower reimbursement with higher administrative overhead. None of our providers believe that there will be any demonstrable improvements in patient care as a result of ICD-10, and with the continued increase in non-patient care "bookkeeping," they’re questioning the value of remaining in this industry.

    Bad, buggy software that is difficult to use, not accurate or timely, and not improving over time.

    The rate of changes and workflows with EHR related to MU.

    HIStalk Advisory Panel: Analytics Success

    February 11, 2014 Advisory Panel 3 Comments

    The HIStalk Advisory Panel is a group of hospital CIOs, hospital CMIOs, practicing physicians, and a few vendor executives who have volunteered to provide their thoughts on topical industry issues. I’ll seek their input every month or so on important news developments and also ask the non-vendor members about their recent experience with vendors. E-mail me to suggest an issue for their consideration.

    If you work for a hospital or practice, you are welcome to join the panel. I am grateful to the HIStalk Advisory Panel members for their help in making HIStalk better.

    The question this time: What are examples of major operational or clinical successes your organization has experienced in the past year from using analytics or data reporting tools?

    No operational successes of any kind as our medical staff as well as administration does not even know the meaning of analytics nor what to do with it. We lack even the basic reporting capabilities needed to know our observation and LOS. We did well with core measures and scored high and used that as a marketing tip, however we did not use any sophisticated tools to get there. The physicians do not get any personal performance data to look at to compare with their peers and are not used to looking at their own data at all. It is part of the reason why I believe the institution failed so miserably and ended up being acquired by a larger hospital chain.

    Improved GI lab throughput. Reduction in the use of blood products. Improvements in GI Billing process. Improvements in GI DNKA.


    Hard to know what success we have had from using analytics. If we decide, based on environmental scans and analytics, to focus on, say, total joint replacement, there will never be a time when we can say, "Ah, that was the right decision", even if your hospital is still afloat, or doing well. It may be that another service line or focus or workflow or supplier would have been better. Analytics comforts us into thinking we aren’t making a WAG, but there aren’t answers in the back of the book. On the more micro level, cost-benefit does help balance the budget.

    Over the past year we deployed reporting tools to our front-line providers, departments, sites, divisions and company-wide providing actual results compared to our goals for people, service, cost, quality, access, and primary care flow. Particularly in service and access we improved performance compared to baseline and moved closer to (and in some cases exceeded) goals. Patients report improved experiences and appointing wait times have come down. There’s probably a link between the two improvements. 

    We used some basic reporting tools to identify high risk patients who are overdue (e.g. diabetic with A1C over 8 not seen in six months). We then tried multiple methods of outreach and found email, letters and robocalls had minimal impact on this group. We finally found  success with having our call center staff call them during the late afternoon when there was low incoming call volume. Turns out they responded very well to real people calling them who could make their appointments right then!

    No use of data beyond mandated reporting: MU, Core Measures, etc.

    Using a SaaS population health data analytics tool, which blends CMS claims and EMR clinical data, to identify leakage of ACO patients outside our Network, which identifies opportunities for providing services not currently offered by our network in order to capture the lost revenue and reduce the expense to the CMS Medicare program.

    We’ve been able to push an Analytics Dashboard to each member of our clinical leadership team that allows them to have real-time data as to the patients on their units, the patients that were discharged yesterday, and so on. Dramatically reducing the turn-around time for actionable data and “teaching them how to fish” has resulted in greater satisfaction amongst them and allowed my folks to focus on other projects instead of grinding out repetitive reports.

    Minimizing the readmission rates in our high risk population such as those who had an MI or uncontrolled diabetic states – two major clinical categories. Minimizing ER visits of high risk patients.

    We have set up a few transitional care clinics where we try to work with patients, post discharge, to ensure that they get/take their meds, get in to their PCP’s office as ordered, and generally try to get them compliant with their treatment plan in order to keep them out of the hospital again. (Basically, trying to prevent re-admits). We are using a number of tools and reports to generate data to assist with this process, but we are investigating new ones (e.g., PHM systems) that are specifically designed to do this.

    Data on our clinical initiatives to improve clinical performance on readmissions, VTE prevention and early recognition of clinical deterioration have been very helpful in terms of showing benefits of these projects.

    Advisory Panel: Recent Vendor Experiences

    January 17, 2014 Advisory Panel No Comments

    The HIStalk Advisory Panel is a group of hospital CIOs, hospital CMIOs, practicing physicians, and a few vendor executives who have volunteered to provide their thoughts on topical industry issues. I’ll seek their input every month or so on important news developments and also ask the non-vendor members about their recent experience with vendors. E-mail me to suggest an issue for their consideration.

    If you work for a hospital or practice, you are welcome to join the panel. I am grateful to the HIStalk Advisory Panel members for their help in making HIStalk better.

    The question this time: Can you describe a particularly good or bad experience you’ve had with an IT-related vendor lately?

    Explorys has been great to work with as we focus on connecting our community physicians.

    I have been very pleased with the responsiveness of our consultants and vendors to lower their fees in order to help us meet our budgetary needs around our $100 million plus implementation. It has become clear to me which vendors can be relied upon to become true partners and which are only in it for themselves.

    We’ve had a very tough time with Voalte. Call quality has been pretty awful and Voalte hasn’t been able to deliver an app that addresses the problem. They keep telling us that the iOS7 version of their app will correct the problems, but they do not recommend that we deploy that version. Hmmm.

    I’ve actually mentioned this vendor before, but they continue to provide major benefit to me. Virtual Procurement Services (VPS). They have saved our organization millions of dollars in capital and operating expenditures. It’s an interesting model, actually, probably worth one of your interviews.

    I continue to be amazed at the poor state our vendors are in as we prepare for MU Stage 2. They blame CMS and ONC and say the certification process is broken and that the regulations come out too late and are not fully baked, but the fact is they are sending us code that doesn’t work and isn’t ready for testing. Many of us are in jeopardy of not meeting MU S2 since we will have to wait until Q4 leaving no room for error. The vendors must do a better job getting us a product we can use as we face the challenges of implementing the processes and workflow changes that are required once the software works.

    A CDS vendor with a good presentation of a great product, concentrating on our EHR and our issues. They are Dutch, so they already know about ICD-10. I guess that identifies the company.

    Predixion Software, good experience related to analytics, supporting our clinical staff in better management of readmission rates.

    None of late. Still ramping up in the new gig and the only net new I have hired is the Advisory Board for ICD-10 help. We just started (I know, I know – this is way late but clearly one of the reasons I got hired!)

    On the good side, a vendor sent me a holiday gift card that could only be used for donation to a provided list of charities. You could donate on behalf of yourself, your organization, or anyone else. On the bad side, any and all vendors that send you half of something expecting that you will meet with them to get the other half of something that as a whole you couldn’t and wouldn’t accept in the first place.

    I was just discussing a system upgrade with a manager. The upgrade turns out to be a reimplementation. The ballpark cost provided by the sales guy/gal, that we budgeted, has now tripled. While I’m obviously not opposed to a vendor improving their product, I think they should be assuming some of the additional expense. While they are changing the system’s infrastructure to something “better” there is no acknowledgement that their previous infrastructure may have been somewhat lacking.

    Unfortunately all seemingly middle of the road/mediocre.

    I work for a vendor now, but when I worked in a hospital, I found Iatric to be the most responsive vendor we dealt with. They were professional and very quick in all responses. If we had a problem they would have their people work through the night to fix it. Literally every dealing I have ever had with anyone in that company has been positive.

    A general experience growing with vendors who really do not take time to know or understand customer needs. Let’s stop cold calling and cold emailing in health IT.

    Advisory Panel: 2014 Will Be the “Year of the …”

    January 17, 2014 Advisory Panel 2 Comments

    The HIStalk Advisory Panel is a group of hospital CIOs, hospital CMIOs, practicing physicians, and a few vendor executives who have volunteered to provide their thoughts on topical industry issues. I’ll seek their input every month or so on important news developments and also ask the non-vendor members about their recent experience with vendors. E-mail me to suggest an issue for their consideration.

    If you work for a hospital or practice, you are welcome to join the panel. I am grateful to the HIStalk Advisory Panel members for their help in making HIStalk better.

    The question this time: In your opinion, 2014 will be the "Year of …"

    2014 will be the year of population management. Not really, but those two words will be used a lot.

    Informaticist. I think all healthcare organizations will be focused on how to turn data into information, whether through business intelligence, clinical or biomedical informatics, retrospective / real-time / predictive analytics. These efforts will take on new meaning as we continue to build accountable care organizations and networks.

    Cuts to the budget.

    The year the Federal Government went too far trying to ‘fix’ healthcare.

    2014 will be the year of the HIE. Many words will be sprayed onto computer screens and into throw-away journals regarding connectivity and data availability, but there will be few objective studies, and I still will not be able to see the actual Xrays of the patient that was just transferred from another downtown hospital.

    Data analytics.

    I hope it will be the year of the non-buzzword, meaning that if one has not figured it out by now, whatever the buzz is about, rarely helps you in accomplishing the tasks at hand for your organization. Of course, we will hear ICD-10 and MU, but I would not call that buzz, it is just work that has to be done.

    "Year of the Hospital Financial Losses." I think there will be more hospitals showing financial deficits than at any other time in history.

    2014 will be the Year of the EMR App. We will see more and more apps which integrate nicely with EMRs and fill a special niche via content and/or workflow, which the giant and slow moving EMR vendors can’t do themselves. 

    EHR Equivocation. Until the vendors solve or at least do a better job on usability, understand their OWN product completely, and enlist the help of clinicians in design, we will see significant slowing in EHR adoption. We’ve seen most of the adopters that were able to provide the resources required for an enterprise wide EHR implementation already take the leap… in the end, the cost of an EHR still significantly outweighs the penalties for the foreseeable future.

    Year of patient engagement and ICD-10 chaos.

    For healthcare in general, Year of the Merger & Acquisition. For Healthcare IT, Year of the CIO turnover.

    I think it will be the year when interoperability and big data will continue to be little more than buzzwords. The difference between the two is that one day, in a somewhat distant future, interoperability will actually come to pass and make a difference. Big Data will never be more than a buzzword. Like smart watches, Google Glass will prove to be useful in some applications in healthcare, but will not be a game changer. The leadership of a few HIT companies will continue to watch with glass-eyed wonder at how the American taxpayer continues to fund the exponential growth of their personal bank accounts while the products they provide in exchange for those funds reach new heights of mediocrity. And those whose mortgages are paid by selling these mediocre systems will continue to defend to the last breath the promise that these systems will one day deliver on if we only give them another decade or two to work their magic because the years and years they have been given to prove their value so far just aren’t enough. At the same time, any impartial studies done on the ROI of these systems that cost the taxpayers billions will show little to no benefit to that oft intentionally forgotten constituent of the healthcare system- the patient. (Man, am I a cynic or what?) On a more optimistic note, I think the health insurance exchanges will actually start to show some positive ROI for the oft forgotten constituent.

    2014 will be the Year of EMR Optimization. Now that most IDNs are finished or far along with EMR implementation, they will turn increased attention and resources to making EMRs work more effectively to support critical business imperatives related to healthcare reform and the numerous changes we’re undergoing in response to industry pressures.

    2014 will be the year of a major data breach (hopefully not here). Most of the breaches I’ve heard about have been from lost/stolen computers or an organization doing something stupid, not an intentional penetration. Perhaps I’m just overreacting to the Target hack and in reality there is no interest in healthcare data. On the other hand, nobody that I’m aware of in health care has NSA-quality protection and I think it would be pretty easy.

    Regulatory mandate dictating the IT vision/budget

    Year of the “search for value in analytics.”


    Advisory Panel: Top 2014 Priorities and Concerns

    January 16, 2014 Advisory Panel 2 Comments

    The HIStalk Advisory Panel is a group of hospital CIOs, hospital CMIOs, practicing physicians, and a few vendor executives who have volunteered to provide their thoughts on topical industry issues. I’ll seek their input every month or so on important news developments and also ask the non-vendor members about their recent experience with vendors. E-mail me to suggest an issue for their consideration.

    If you work for a hospital or practice, you are welcome to join the panel. I am grateful to the HIStalk Advisory Panel members for their help in making HIStalk better.

    The question this time: What are your organization’s top three IT priorities for 2014 and the concerns you have about executing them?

    (1) ICD-10.
    (2) Data center relocation to a CoLo.
    (3) Complete enterprise EHR rollout.

    The only one I’m really concerned about is ICD-10. There are just so many uncertainties around how the providers and the payers will make the transition.

    Our top three IT priorities for 2014 all revolve around our Epic platform.

    (1) We need to finish our enterprise-wide Epic implementation.
    (2) Once we survive our go-live, we will enter into an extended period of optimization of the system, which I anticipate will take at least three to four months.
    (3) Subsequent to that, we will begin to develop the capabilities within IT to begin to extend our Epic platform to other entities across our state.

    My biggest concern for all of these is the ability to maintain my current resource levels as well as adding new resources in order to address the organizational strategic outreach initiatives.

    (1) We are determining whether to stay on our current EMR platform or to switch.
    (2) ICD-10 is looming.
    (3) We are also focused on getting our remaining hospitals to Stage 7.

    (1) ICD-10. Significant work needs to be completed on all facets of this mandate. Vendor testing and validation, staff education (HIM, physicians, and billing), reporting requirements, and many more. Payors are not ready, IS vendors are not ready, and our staffs are stretched thin, so it remains my greatest concern in 2014.
    (2) MU Stage 2. So much is still not known. How will we meet the patient engagement goals (absurd for a community hospital with independent medical staff that also must meet the portal goal)? What will the CQMs require for new data collection? How will the medical staff deal with electronic medication reconciliation and the requirements of the Transitions in Care electronic documentation at the hospital while also dealing with a different system and set of requirements in their office? These questions remain and the vendors will not be ready until the last quarter leaving no room for error.
    (3) Pending affiliation. During all of this, we are entering into an affiliation that will dramatically change our organization and will, at some point in the near future, require a conversion to a new ERP system and EHR.

    After the massive expense of our EHR and in the face of ongoing financial struggles (real or perceived), there will be great pressure to hold down costs, perhaps even to find a revenue-generating activity for IT. The concern is that needed education and training will be shortchanged and clinician workflows that should be corrected promptly will be allowed to calcify, requiring even more resources in the future. Many of these workarounds reflect inadequate technical support (I never knew it could do that!) or training (I never knew it could do that!)

    (1) Ensuring readiness for regulatory items like ICD-10 and Stage 2 Meaningful Use.
    (2) Continuing to optimize our EMR investment via new high-value clinical decision support projects. 
    (3) Implementing new enterprise-wide revenue cycle solution.

    (1) ICD-10. 
    (2) Operational cost reductions (both IT and non-IT).
    (3) Growth through acquisition.

    (1) ICD-10.
    (2) MU Stage 2.
    (3) Financial resource management (conservation).

    The three are not compatible. I’ll need resources for both of the first two while being asked to use less at the same time. 

    (1) Our top IT priority is moving from Cerner to Epic, with the obvious concerns about data migration and workflow changes slowing us down initially.
    (2) Appropriately using analytics (from identifying high-risk patients for outreach, to looking for otherwise hard to find adverse events), with the dual concerns of (a) not having enough report writers, and (b) not having enough people to execute on what we find. 
    (3) Figuring out telehealth at our organization, with the concerns of (a) finding a technical model that works efficiently, and (b) finding a business model that makes sense (who will pay for it!)

    (1) Epic optimization. Hiring and retaining qualified Epic analysts is becoming very challenging in our region. Standard now is work from home and significant yearly salary increases due to the local competition from institutions out of build phase so analysts are free to jump ship.
    (2) Windows XP support (lack thereof). The March 2014 move to Windows 7 has us very nervous – Epic and scores of integrated applications cannot be tested enough to quell the unease.
    (3) ICD-10. Ouch… how am I going to get providers that don’t document well to do an even better job next October? We discovered quite quickly that Epic support is still just nudging up their own learning curve.

    (1) MU Stage 2. 
    (2) ICD-10. 
    (3) Integrated financial and clinical systems.

    (1) ICD-10. Since ICD-10 success is based on physician documentation, it’s a wildcard as to how well you will do regardless of the education effort. 
    (2) MU Stage 2. MU Stage 2 criteria related to transitions of care will be particularly difficult since there are three components (i.e. 50 percent of discharges, 10 percent using CDA format, and a transaction to a different EHR.) Items 1 and 3 are easily achievable but 10 percent using CDA format could be difficult depending on where your patients transition (both inpatients and ambulatory). Many post-acute settings, for example, do not have an EHR capable of receiving this format.
    (3) Privacy and security. Privacy and security is just a matter of keeping up with the regulations. Competing for resources is difficult since this area doesn’t get enough attention until you have a problem. With the final Omnibus rule in place, fines have increased, as will audits. Business associates will be particularly vulnerable, as well they should be. There are a considerable number of other priorities for 2014 (e.g. ACO IT, EHR optimization) but these may have to wait.

    (1) Government regulations compliance.
    (2) M&A integration.
    (3) Growth initiatives.

    My main concern is having too many top priorities competing for finite resources, both in IT and operations.

    I’d be very surprised if anybody answers anything but:

    (1) MU2.
    (2) ICD-10.
    (3) Keeping the place running.

    (1) MU Stage 2. Vendor delays, expectation of patient engagement.
    (2) ICD-10. Inability of vendors to deliver on time; excessive fees (CAC).
    (3) Volume to value mandates (reporting, data exchange, etc.), a market mess.

    (1) Meaningful Use Stage 2 and 3. Concern about areas where we don’t have full control.
    (2) Expanding use of mobile and connected care connecting our enterprise and our community through mobile devices.
    (3) Maintaining security in a rapidly changing environment. Expecting more and more security breaches.

    Advisory Panel: Alarm Fatigue

    January 1, 2014 Advisory Panel 1 Comment

    The question this time: Is your organization using or considering IT solutions to the challenge of alarm fatigue?

    Note that while I was thinking specifically of physiologic alarms at the bedside, I didn’t state that explicitly, so some answers reflect clinical alerts in traditional IT systems. Seven responses indicated a “no” answer with no IT solutions being considered.

    We struggle to balance harm prevention and user design. We are biased toward harm prevention.

    We haven’t found a good solution yet. We’ve looked at things like alarms that start out low and increase in volume if not addressed, but many/most vendors haven’t embraced that idea yet. We’re looking at routing alarms to phones, but that also has challenges. If you find a good solution, let me know.

    We are currently considering a few IT solutions to address this, but no decision has been made to move forward.

    We are currently investigating tools to consolidate alarm management but we have not yet developed an RFP or even a vision for the future.

    We are currently investigating and likely to pilot a solution to integrate nurse call bells into nursing phones to improve the alarm fatigue of the ears. In the EHR environment, we are continually analyzing the alerts that fire for their utility, appropriateness, and actionability and working to reduce those that are more "noise" than "signal".

    Alarm fatigue happens when the technology was not supportive of the end user – it should not exist if each vendor really knew the topic and client being served.

    We have explored alarm management systems, but I was left with the realization that the devices can alarm on anything and it’s up to each organization to determine what’s important. I am not aware of any national standards.

    We learned early on to be very judicious with alarms and try and keep them to a minimum. As we’ve merged in some additional physician groups, the governance of managing alerts will get increasingly interesting however. I’d be curious what type of IT helps with alarm fatigue (i.e. do they make alarms more sensitive/specific somehow?)

    I wish!!! Turning off the drug duplicate alerts would be like manna from heaven as they are invariably uninformative and annoying. For example, renewing a drug always gives a duplicate alert even though the system obviously knows that if you click "Renew" it will automatically stop the current order and start the new one. But the current order is still active when the system compares the new order to the med list. Ergo, duplicate alerts gone wild. One of my other favorite alerts tells me that the patient is taking two non-phenothiazine antipsychotics. If I was really concerned about duplication, I would want to know if they were taking two antipsychotics period. Whether it’s a non-phenothiazine makes no difference whatsoever.

    Primarily focused on refining medication alert rules to reduce unnecessary noise.

    I assume you are talking about actual alarms, vents and IVs and tube feeding pumps and such, not EMR alerts. Since noise levels can exceed OSHA standards 80 percent of the time in an ICU, we are keenly interested in the twin problems of noise from alerts and the false positive / false negative rates of the alerts. We do not have a good answer, but I would be happy to buy one that worked.

    We’re still trying to reliably deliver secondary alerting. Alarm fatigue getting some notice, but no definite intervention as of yet.

    Yes, considering FDB AlertSpace to achieve what should be included in their product in the first place (we’re on Epic/FDB).

    Advisory Panel: Telehealth Projects

    December 30, 2013 Advisory Panel No Comments

    The question this time: Is your organization running or planning telehealth projects?

    Assuming the term telehealth includes scope of technologies included in the HRSA definition, we run remote ICU monitoring across our WAN. In addition, we continue to expand the use of mobile clinics that roam around our geography. These clinics include videoconferencing between clinic providers, patients, and remote specialists. We are planning additional work with a national telehealth provider.

    No, my organization is still struggling to implement CPOE, keep the beds full, reduce readmissions, etc., etc., and we have not got that far yet.

    This shows up in our annual strategic plan every year and it’s there this year too. But I haven’t been able to generate much interest among my medical staff, even the members who travel hundreds of miles for outreach clinics. We run a telemedicine epilepsy clinic and we have the usual teleconferences, but that’s about it. So I’ve retained some consultants to explore options like e-visits, home monitoring, and video visits using webcams with the med staff.

    We have a few telehealth services we consume for a couple of specialties. For example, we have a small pediatric hospital and will perform remote echoes with specialists at a leading children’s facility for special patient cases. We do not have any plans to provide any additional telehealth services within our organization or service areas at this time.  

    Multiple coordinated efforts related to telehealth as we are approaching from a number of perspectives. More traditional eICU, using remote monitoring of multiple ICUs from a centralized location where critical care physicians and other clinicians are monitoring beds across multiple hospitals. Tele-psych consults in our emergency departments. Developing newer capabilities for virtual ambulatory visits, more acute or urgent care conditions where audio/video is effective in connecting a patient and a provider. Our EMR is really helping with efficiency in this service area and also with tele-psych and ICU areas. The key being that tele-X software, hardware can help best facilitate the patient encounter but it’s important to realize our EMR is needed for order entry, documentation, communication with the local hospital pharmacy, etc.

    We currently have a monitoring station set up in our ICU for pediatrics so that our patients can be “seen” by a specialist at a large teaching hospital in the state. We are currently proposing to provide healthcare services to our local detention centers. If accepted, we’ll go the telehealth route.

    ANGELS – Antenatal & Neonatal Guidelines, Education, and Learning System – consists of 23 hospitals and clinics who receive clinical services from us, as well as 18 hospitals who participate in a tele-nursery with us as the hub. Neonatal mortality rates for Medicaid declined from 4.5 per thousand to 3.3 per thousand. ANGEL EYE – one-way video from NICU to authorized family members. AR SAVES – Stroke Assistance Through Virtual Emergency Support – consists of emergency support for 42 hospitals across the state. Increase delivery of TPA from <1 percent to 29 percent in participating hospitals. Other telemedicine services – psychiatry, pediatrics, geriatrics, rehab medicine, cardiology, internal medicine, burn, trauma, genetic counseling.

    We’re doing projects with telehealth, telepsych, home health monitoring, remote hospitalist consulting, and have others we’re thinking about. While telemedicine has been around for decades now, it seems to be really heating up lately.

    [from a vendor member] We are working with several organizations who are planning telehealth projects. However, it is like NLP at this point – all talk, no action.

    We are on the receiving end in that we use a telehealth service (neurology consults) in our ED. It works well, although the service and support has proved problematic. The cart contains all the video components, but when there was a problem, they had no local service techs. This left it to our staff to troubleshoot – if we were a smaller very rural hospital we may not have had the expertise to troubleshoot their equipment on our end. Overall the service has been a benefit to the hospital in that we have a shortage of these specialists to take call.

    We actually do a lot of telemedicine, both inside our health system and with external partners and that program is continually expanding. Our main service lines at this point are Neuro, Pediatrics, and Psychiatry. The primary locations served tend to be emergency departments in order to deliver otherwise unavailable specialty care to patients.

    Yes, for various disease states and ethnically diverse populations.

    A year and a half ago, we agreed to work with a vendor on a case study to determine if telehealth would positively impact outcomes. Telehealth was new to them and they struggled to develop a website for data collection and patient interaction. For the research study we needed IRB approval and a contract with us. Once the attorneys got involved, everything came to a screeching halt. A year later, we have a contract and pending IRB approval. Perhaps in the near future we can begin the study with our diabetes and CHF patients.

    We have long offered telehealth via phone and web visits for mild, acute problems (e.g. URI, UTI), and we charge a separate fee for those. We are also now looking at using telehealth technology to do remote care at corporate clients.

    Vague talk only about telepsychiatry to local ERs and jails.

    Telehealth in use for burn, stroke, and psych consults. All working very well with different technology solutions including iPad and a mobile robot looking device.

    To meet requirements for Level 1 nursery, we have neonatology sub-specialists on tap, credentialed and available. This is a great solution to consultations that would otherwise require transfers. It is another question entirely whether early transfers are in the baby’s best interest; it may be that telehealth consultations get an actual consultation in the odd hours, where if the baby were in the actual institution providing the consultants, there would be more of the "I’ll see them in the morning" mentality. Of course, in that setting, the consultant is probably more comfortable with the nursing and ancillary staff, so it may be about the same outcome. Still, it feels good to have an actual clinician to clinician discussion about a specific case.

    We’re doing a lot of tele-stroke work. A real smart stroke neurologist with an interest in the technology. He’s serving other organizations and when not on site, he starts care using his tablet and the stroke robot in the ED supported by a stroke nurse-practitioner or neurosurgery PA.

    Virtual visits are part of our future plans, none running yet.

    We are rolling out telemedicine to support our network of six rural health clinics. This will be essentially to push the access to our specialists. Rollout is over next three months.

    Radiology uses NightHawk services from the other side of the globe for night preliminary reads, but that’s it.
