Readers Write: Five Strategies to Ensure Cybersecurity During COVID-19 And Beyond

Five Strategies to Ensure Cybersecurity During COVID-19 And Beyond
By Patrick Yee

Patrick Yee is chief technology officer of Ensocare of Omaha, NE.

.

To quote New Zealand-born novelist and playwright Anthony McCarten, “We’re living in extraordinary times.” To which I’ll personally add, “that call for extraordinary security measures.”

In March, the Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) issued COVID-19 HIPAA waivers to promote data sharing and telehealth, relaxing laws over the good faith use and disclosures of protected health information (PHI). The resulting explosion of COVID-19 demonstrates that providers need fast access to tools that identify, collect, track, and exchange data on the flux of infected patients.

Protecting the privacy and security of patient data is the health IT industry’s fundamental civic duty during a nationwide public health crisis. While a hospital’s core competency has never been and will never be information technology (IT), taking care of patients is.

As providers rightfully focus on saving lives, their IT teams have undergone a massive shift to working from home while tackling first-time coronavirus related challenges and juggling data security maintenance. Compounding the situation are short-staffed medical facilities where IT resources are needed the most.

Here are five strategies to help you protect and secure your organization’s patient data and network from cyber attacks.

Make sure your escalation procedures are sound.

A healthcare worker who spots a questionable issue must be free to report their concern so it can be addressed swiftly. Most every IT department has in place a reporting process, either a formal ticketing system or an on-call employee who accepts phone calls. Once the IT staffer quickly escalates the issue to the appropriate leader or medical professional, the healthcare worker can resume their day job. Whether the issues involve coronavirus or basic security breaches, e.g., an email phishing attack from an unfamiliar source, all team members, even those on the clinical side, should be empowered to bring up potential dangers to the appropriate parties.

Instruct your IT team to be extra diligent investigating unknown emails, links, and websites.

Cyberattacks targeting hospitals, practices, and healthcare organizations are on the rise dramatically, which can be at least partially be attributed to the exploitation of the coronavirus.

Unfortunately, remote workers are also being singled out. A recent McAfee report uncovered a correlation between the increased use of cloud services and collaboration tools during the COVID-19 pandemic, along with an increase in cyberattacks targeting the cloud. External attacks on cloud accounts grew 630% from January to April. Cisco WebEx, Zoom, Microsoft Teams, and Slack saw an increase of up to 600% in usage over the same period.

Healthcare staff members working remotely are more vulnerable and understandably distracted supporting COVID-19 patient care, which could make them easy prey for cybercriminals. The pandemic represents a huge opportunity for bad actors to compromise your systems with things like phishing emails that include faulty links and websites, ransomware attacks, and intrusions on sensitive data. Regularly remind your remote workforce to report suspicious activities by following your organization’s security protocols.

Review your intrusion detection strategy (IDS) or continue to monitor if you already have one.

An IDS is a network security technology that was originally built for detecting vulnerability exploits against a target application or computer. Intrusion prevention systems (IPS) add the ability to block threats in addition to detecting them, and have become the dominant deployment option for IDS technologies. More broadly, think of intrusion protection as personal computer security, but in a format that can look between different servers and flag suspicious activity. You should be reviewing and updating your technology and strategy regularly to ensure that you’ve kept up with all applicable best practices.

Ensure that your remote employees have corporate VPN and two-factor authentication services.

This telework protocol should already be part of your business continuity plan. It should be reviewed and updated periodically to ensure traffic is handled securely.

Home internet networks simply are not as secure as your office network. VPN and two-factor authentication services are recommended for remote connection to support the goal of making remote work as seamless as possible. Be aware that, short of completing mission-critical projects, at-home internet outages will not necessarily cause a security issue. A larger issue is whether the remote worker has the right modem installed to handle many different in-home users.

Encourage employees to use corporate laptops with encrypted hard drives that are not shared with family members.

Keep doing all of the good things you were doing before the pandemic.

Everything in your systems security plan is still valid with some possible changes for critical business continuity that should be maintained and exercised. HIPAA compliance might be relaxed, but security protocols remain doubly important in our current health crisis.

Readers Write: CMS’s E-Notifications Condition of Participation: Three Topics to Know

CMS’s E-Notifications Condition of Participation: Three Topics to Know
By Jay Desai

Jay Desai, MBA is CEO and co-founder of PatientPing of Boston, MA.

In March 2020, the Centers for Medicare and Medicaid Services (CMS) finalized the new Interoperability and Patient Access Rule, which creates a new Condition of Participation (CoP) that requires hospitals, psychiatric hospitals, and Critical Access Hospitals to share electronic Admission, Discharge, Transfer (ADT) based event notifications (e-notifications) with other providers across the continuum of care whenever patients have inpatient or emergency department care events.

To help these organizations prepare for the e-notifications CoP, a recent hospital executive survey was conducted to gauge industry awareness about the regulation (the survey results can be found in an online e-book called “The Route to Compliance. A Simplified Pathway”). Responses from hospital CIOs and compliance executives collected through dozens of conversations, virtual focus groups, and webinars revealed three key areas that need more awareness.

#1: The Requirements

According to the survey, which was conducted in May and June of 2020, just 17% of hospital CIOs or compliance personnel are familiar with the e-notifications CoP. The goal of the new CoP is to increase information sharing across the care continuum as a way to enable better care coordination leading to improved patient outcomes. This compliance requirement will go into effect on May 1, 2021 and adds to the list of CoPs hospitals must fulfill to successfully maintain their CMS provider agreement and certification. The fact that CMS used its most consequential regulatory lever, a CoP, to create the new e-notification requirement underscores the importance the agency places on increasing provider access to needed information.

Hospitals should answer how they or their third party intermediary solution will comply with the following requirements:

• Identify and send e-notifications to post-acutes.
• Meet cross-regional provider notification needs.
• Ensure appropriate data sharing rights, security, and trust.
• Send notifications in real time.
• Manage continuous provider-patient relationship changes.
• Demonstrate compliance to meet survey requirements.
• Ensure community-based providers have excellent user experience.
• Meet compliance by the May 1, 2021 deadline.

#2: Provider-Requested Notifications

This topic is particularly important to health systems with large provider and post-acute referral networks. Hospitals must send e-notifications to community-based providers that have established care relationships with patients and that need the information for treatment, care coordination, or quality improvement activities. This includes primary care practitioners, Federally Qualified Health Centers, Accountable Care Organizations, other entities identified by the patient as primarily responsible for their care, and post-acute providers (skilled nursing facilities, home health agencies, etc.). Identifying which providers have established care relationships is critical and requires that hospitals, or their intermediary, possess two foundational capabilities:

• Ability to collect patient-identified provider information at the point of care.
• Ability to obtain care relationship information from providers through a patient roster and notification request process.

The first capability allows hospitals to determine any providers with whom the patient wants their information shared by giving patients the ability to identify providers at the point of care. The second capability allows hospitals or intermediaries to determine any additional practitioners, groups / entities, or post-acutes that need to receive notifications for treatment, care coordination, or quality improvement activities. The roster and notification request process allows providers to identify their care relationships through rosters, e.g. patient panels or census lists, and receive e-notifications based on hospital care events that match to patients on those rosters. Having both of these capabilities gives hospitals the ability to determine the required providers that need notifications thereby eliminating e-notification gaps that would lead to non-compliance.

#3: Health Information Exchanges (HIEs) as Intermediaries

Hospitals have the option to use an intermediary, such as an HIE or vendor, to fulfill the e-notification function under this CoP. In the survey cited above, 60% of respondents familiar with the rule somewhat agree with the statement, “that their local HIE will ensure 100% compliance with the CoP.” Just 17% fully agreed with that statement. Given that HIE capabilities vary widely by state and region, compliance will depend on whether the HIE can fulfill the minimum requirements specified within the final rule. Those requirements include:

• Event types and timing. Notifications must be sent at the time of patients’ inpatient admission, discharge, and transfer and at emergency department presentation and discharge.
• Notifications recipients. Established PCPs, practice groups / entities, and post-acutes irrespective of geographic location that request notifications for treatment care coordination, or quality improvement activities.Practitioners, practice groups / entities, and post-acutes irrespective of geographic location that are identified directly by patients as primarily responsible for their care.
• Notifications content. Notifications must include, at minimum, patient name, treating practitioner name, and sending institution name.

Notifications also need to be sent in accordance with patients’ privacy preferences and applicable federal and state laws and regulations. Additionally, to minimize security incidents and inaccurate notifications, a high accuracy match rate is needed to ensure notifications are sent to appropriate providers. Ultimately, hospitals are accountable to meet compliance requirements even when e-notification functions are delegated and they should therefore ensure all minimum compliance requirements are met.

Given the significance of the new e-notifications CoP, hospitals should take time to carefully assess and validate internal or third-party capabilities against the new requirements to ensure they can meet compliance by May 1, 2021. With the proper solutions in place, hospitals can share real-time patient data with other community providers to support treatment and care coordination efforts, bolster value-based care initiatives, and, most important, improve health outcomes for patients while achieving e-notifications CoP compliance.

Readers Write: Achieving True Interoperability Transparency May Depend on Adopting a National Patient Identifier System

Achieving True Interoperability Transparency May Depend on Adopting a National Patient Identifier System
By Kevin Hutchinson

Kevin Hutchinson is CEO of Apervita of Chicago, IL.

Let me say one thing right out the gate: I am typically not a fan of forcing industry-wide uniformity via burdensome and overly instructive government mandates. However, sometimes there’s too much at stake in healthcare and the private sector just can’t agree on standards on their own. So was the case with e-prescribing over 15 years ago, and so is the case now with interoperability.

When I was founding CEO for Surescripts and before I was a member of the inaugural ONC-created National Health Information Technology Standards Committee, it was hard to get stakeholders to agree on standards, as the EHR industry was generally slow to adopt anything. However, after we created the initial standards for e-prescribing via the National Council for Prescription Drug Programs (NCPDP), set firm deadlines, and CMS tied e-prescribing to MIPPA incentives, the different factions within the healthcare industry (all of whom had different agendas) came together and abided by a system that largely still works today.

So it makes sense for CMS and ONC to impose strict mandates and timelines — albeit with some COVID-caused relaxation — for interoperability compliance, because the fragmentation of health records is as dangerous as it has ever been to patients. But while each deadline moves us closer to a more integrated and transparent system, it’s not until the payer-to-payer interoperability deadline in January 2022 where we’ll finally be in our best position to eliminate costly problems created by siloed health data. We may finally see some health record consolidation.

However, like all kinds of sweeping reforms, the devil is in the details. I believe that it might not be as “successful” as we expect it to be unless the federal government steps up and mandates a national patient identifier (NPI) system.

Just because one’s health insurer is sharing data with their previous insurer doesn’t ensure a holistic record. It’s not outlandish to think that any American could have up to 10 different health insurers over their lifetime, especially given rising health costs, socioeconomic inequities, and an increasingly volatile job landscape. That’s 10 different organizations with 10 different technology infrastructures, data protocols, and health IT standards. Not to mention the complexity of a patient’s health record strewn across multiple EHR systems, that change over time, as well as patients changing doctors creating new patient chart IDs and no standardized format for those patient chart IDs.

Who is responsible for making sure IDs match up? Who is responsible for identifying potential health record duplication errors? These are small data nuances that can have life-or-death consequences.

I can tell you first hand that even after national standardization, there have been instances in e-prescribing when records for John Doe I were assumed to be a part of John Doe II’s record, which could have resulted in life-threatening medical errors if not caught and corrected. NPIs would make life easier and safer for patients, payers, and providers, but yet they still aren’t part of the interoperability equation.

The NPI debate isn’t new. In fact, it’s been around for more than 20 years. But it seems like now we may actually be moving in the right direction. Late last year, representatives from many NPI-supporting organizations signed on to a letter urging Congress to take action, arguing, “The absence of a consistent approach to accurately identifying patients has also resulted in significant costs to hospitals, health systems, physician practices, long-term post-acute care (LTPAC) facilities, and other providers, as well as hindered efforts to facilitate health information exchange.” As a result, the House of Representatives voted to remove the ban on funding NPI organizations.

As for payers, some would likely argue that NPIs would help them as well. Many within the payer community think NPIs could improve member safety, reduce overutilization and fraud, and help them understand how members performed in previous payer’s quality-based programs.

However, NPI opponents will often counter with concerns over privacy and security, higher costs, and serious medical errors due to human error. The costs, they argue, would be incurred from building a new IT system from scratch while also having to align on policies and standards to govern it. To that argument, I would just remind critics that there have already been huge costs incurred because we haven’t achieved full interoperability yet, and then ask them to imagine the wasted money if all current mandates and compliance initiatives ended up not solving the core problems.

As for the medical errors argument, fragmented health records are much more dangerous. Again, I don’t think we can be as successful with interoperability without an NPI system.

But it’s that last and most prevalent argument on privacy and security that makes me raise an eyebrow. We constantly hear that we can’t have NPIs because if the number is compromised, the patient’s entire health record would be accessible in one location. That argument falls a bit flat for me. There are already medical record numbers on pretty much everything. In today’s interoperability world, we use easily accessible patient information (names, address, gender, dates of birth, etc.) to create a universal patient ID and match disparate patient information the best we can.

The whole argument on NPIs should really be fought on the cybersecurity front. Why not implement data encryption standards that lock data down to the field level, so that each piece of information in an NPI record is its own walled garden? We’ve already seen the mistakes made by other consumer industries such as banking, which many have responded with increasingly deep levels of data encryption. It’s completely logical and viable for the healthcare industry to implement the same level of security available in other industries to ensure our sacrosanct health information is protected. If we did, then that would be good for all and put an end to the security debate on NPIs.

Readers Write: Five ICU Lessons COVID-19 Has Taught Us

Five ICU Lessons COVID-19 Has Taught Us
By  S. Ram Srinivasan, MD, MBA

S. Ram Srinivasan, MD, MBA is chief medical officer of Advanced ICU Care of St. Louis, MO.

Since March, critical care teams across the country have been stretched to the limit as they rushed to care for the surge of COVID-19 patients in their ICUs. They were forced to deal with an unknown threat that would infect an unknown number of patients and require as yet undefined treatments.

In reflection over the past few months, telemedicine has proved its continuing value for them, providing additional care support during the pandemic. Implemented as a collaborative care model, tele-ICU leverages remote intensivist-led clinical teams and sophisticated technology-enabled care services to deliver a virtual front line of 24 x 7 care in support of clinicians that are at the bedside of critically ill COVID-19 patients.

We have learned these five key lessons so far with regard to ICU care of COVID-19 patients.

COVID-19 has thrust virtual care into the spotlight overnight, with no sign of slowing down.

Telemedicine adoption, which was steadily gaining traction over the past few years, has been quickly recognized as an essential, efficient, and effective element of our healthcare ecosystem. Across inpatient and outpatient environments, patients and providers have embraced virtual care during the COVID-19 pandemic as a convenient tool that enables care access despite distance, shelter at home, and threat of infection.

For critical care, telemedicine enables highly skilled, technology-enabled care teams to reach ever-larger patient populations and do so with significant demonstrated clinical efficacy. In the course of the pandemic, tele-ICU has provided critical support to both bedside teams and their patients across the country.

COVID-19 is a pandemic consisting of regional impacts. Almost no one faces the “average” pandemic impact.

During the peak of pandemic impacts in April, we had partner hospitals that were urgently adding ICU capacity. At times, they had all of their critical care patients on ventilators and remained braced for an overwhelming deluge that never came. Our care to a set of hospitals experiencing this full range of pandemic impacts enabled us to leverage the regional differences. We were able to dedicate significant real-time care to high-volume situations and help other hospitals learn from the hotspots and prepare accordingly.

Telemedicine access to external expert resources is a powerful force multiplier, especially during crisis.

At the outset of the pandemic, we fielded urgent requests for ICU care services from a range of hospitals and other entities. A variety of accelerated response capabilities, including rapid implementations of standard tele-ICU installations and utilization of surge-compatible technology solutions, were quickly introduced. Over the course of one month alone, more than 50 of our partner hospitals initiated, expanded, or extended tele-ICU capabilities in response to the unprecedented demands resulting from the COVID-19 pandemic.

Further, the opportunity to leverage skills that were not already on site and were not already overwhelmed, without waiting for updated licensure or to recruit volunteers from other regions, provided immediate assistance to care teams most at risk and those that were exhausted. In some cases, this ready access to critical care expertise allowed local teams to enlist other specialists in critical care under the coaching of remote specialists, relieving overworked personnel and immediately expanding their available staff.

The benefits of tele-ICU during the pandemic extend beyond outstanding clinical care.

The multiple threats of the COVID-19 crisis caused hospitals and hospital systems to significantly rethink how to deliver critical care support to their patients under trying conditions. For example, tele-ICU service extended beyond specialized care and also became a means of reducing clinician exposure to the disease and preserving personal protective equipment (PPE). In these instances, hospitals equipped with these remote clinical capabilities relied on the telemedicine team to utilize video to “visit” the ICU room virtually to assess a patient, rather than have a bedside nurse or provider don PPE and enter the patient’s room.

In addition, we have found that tele-ICU outreach by critical care clinicians is well suited to comfort patients by providing social interaction during their isolation. Remote teams can help make a scared and lonely patient more comfortable – and less frightened.

Concerns such as a lack of ventilators came and disappeared quickly, as COVID-19 proved to be a fast-moving disease with rapidly evolving care protocols.

COVID-19 was initially viewed primarily as a severe respiratory illness and was treated as such. However, further treatment experience revealed that the virus was a much more complicated threat than a respiratory illness. Since then, the critical care community has found that proning patients – that is, placing them on their stomachs for prolonged periods of time – helps increase the amount of oxygen that gets to their lungs. In fact, in many instances proning the sickest coronavirus patients, accompanied by alternative methods of supplying oxygen, became a preferred solution to the initial plans for accelerated intubation. Similarly, various medication regimens were tested and evolved.

In our role as critical care specialists, it was our responsibility to our partner hospitals and clinicians to continue to keep abreast of these rapid developments. Drawing on information across multiple sources and geographies, we then quickly provided this clinical intelligence to those in a hot spot while updating mutual care protocols.

Readers Write: Enabling Clinically Intelligent EHRs

Enabling Clinically Intelligent EHRs
By David Lareau

David Lareau is CEO of Medicomp Systems of Chantilly, VA.

A key takeaway from John Glaser’s recent article in the Harvard Business Review, “It’s Time for a New Kind of Electronic Health Record,” is that it is time for EHRs to leverage clinical intelligence for analysis of patient data and to address clinicians’ usability concerns.

Current systems were designed to track transactions to generate and justify billable events. They are, in fact, organized as a set of separate “buckets,” with different sections for procedures, medications, therapies, encounters, diagnoses, etc. There is no clinical coherence or correlation between the sections, so providers must search in multiple places to find information relevant to a problem.

Clinicians are highly trained knowledge workers whose expertise in determining what is clinically relevant is acquired through education and experience. They are trained to know what to look for, but current EHRs make it difficult to get a clinically cognitive view of relevant information.

The new kind of EHR advocated by Glaser will require a clinical relevancy engine that can filter a patient record in real time to identify data for any known or suspected condition or diagnosis. This “clinically coherent view” should include medications, lab orders and results, co-morbidities, therapies, symptoms, history, and physical exam findings. Ideally, it should support diagnostic filtering of dictated or free-text notes, as well as coded data such as SNOMED-CT, ICD10, CPT, LOINC, RxNorm, UNII, CVX, CTCAE, DSM5, and others.

It must do so quickly, on demand, with a single click at the point of care.

This new cognitive clinical computing approach requires a radically different method for organizing clinical data. First, data must be organized to support a clinician’s diagnostic thought process. Second, because of the need to process hundreds of thousands of potentially relevant data points and the relationships between them in sub-second times, graph database technologies must be used. Relational databases cannot provide the computational efficiency that is required to support highly trained clinical knowledge workers.

A clinical relevancy engine that is organized around clinical conditions or diagnoses will have millions of potential links between diagnoses and related clinical data points. Relational databases that join tables together were not designed to support data structures with millions of interconnected nodes. Graph database technologies, which are used for complex, connected data, are used by Amazon, Facebook, Google, and others to support large, evolving data structures.

A purpose-built clinical relevancy engine that uses graph database technology will support the clinical thought process by linking clinical concepts (or “nodes”) to each other, with relevancy scoring that enhances clinical decision-making and integrates with systems to maximize physician workflows. This engine enables a clinical user to get an instantaneous view of all information related to any patient presentation in a single view, incorporating both coded data and data points derived from chart notes by using diagnostic natural language processing (NLP) applied to free-text notes.

The old ways of building EHRs to support tracking of transactions for billing will not suffice in the world of value-based care, clinical risk mitigation, and outcomes-oriented reimbursement. Glaser’s proposed new kind of electronic health record must be built on a foundation of clinical intelligence.

Readers Write: Major Trade Shows Continue to Cancel or Go Virtual, So Now What?

Major Trade Shows Continue to Cancel or Go Virtual, So Now What?
By Jodi Amendola

Jodi Amendola is founder and CEO of Amendola Communications of Scottsdale, AZ.

As major healthcare and health IT conferences such as HIMSS, AHIP, RISE, MGMA and others continue to cancel their live events or go virtual, marketers and sales leaders are now faced with the new challenge of where to put the money that was originally slated for sleek exhibition booths, networking events, and all of the promotional activities leading up to these in-person events.

For many companies, trade shows eat up half of their marketing budget, so the decision about if and how to reallocate those dollars requires careful consideration in these uncertain, unprecedented, and budget-conscious times.

Trade shows get more expensive and more arduous to prepare for every year. But they are also one of the highest-value ways to network and to build new business relationships while renewing old ones. They can be a source of good leads that move the needle to influence important buying decisions. Importantly, for many companies, trade shows are where companies go to be seen.

Trade shows will eventually return, although when and in what form is still an unknown. In the mean time, they are not the only path to visibility and credibility with prospects, or even the most effective. What follows are some recommendations for re-allocating your trade show spend.

Public Relations

Most B2B sales have larger price tags and longer sales cycles than consumer products. Before making an investment in health IT, providers, health plans, and government agencies need to trust that a purchase will answer a need or solve a problem.

Coverage in credible media outlets is still where you get the biggest bang for your buck in B2B.

Peer-to-peer endorsements carry a lot of weight with buyers, and customer success stories — especially if you make the story almost entirely about the customer — are media gold. The same story can be approached from a number of angles to make it appealing to various media outlets with different audiences that align with your target markets.

You should also aim for getting thought leadership coverage—bylines, commentary, and other contributions on the big issues of the day. Thought leadership is most effective when it’s authentic and not afraid to take a stand, so avoid corporate-speak.

HIT leaders are increasingly interested in how PR impacts share of voice against the competition, and what the sentiment is in earned media coverage—positive, neutral, or negative. That can be measured, even by specific topics, with media monitoring and tracking tools such as Meltwater.

This measurement can help you understand how you’re dominating (or not) the most pressing conversations in the industry and media landscapes. Right now, the most pressing topic is of course COVID-19. You can assess your media reach compared to the competition on specific topics such as the pandemic. You can drill down even further on subtopics such as vaccine development, predictive analytics, and primary care that relate to COVID-19.

You can extend the shelf life of media wins by promoting your media placements to decision-makers and key influencers across social media and on your website, and by leveraging for lead gen and nurturing via e-newsletters, emails blasts with landing pages, electronic reprints for virtual conferences, and more.

Lead Generation Campaigns

Gated content, which requires whoever is interested to give up their name and email to obtain it, can capture far more qualified leads than those picked up at a trade show by a “claw” who really just stopped by for your cool giveaways. Examples of high-value content that can be placed behind a form for lead gen includes case studies, smart briefs, white papers, major reports and study results. and on-demand webinars, to name a few.

Targeted digital ad campaigns that promote the right content to the right audiences also are a powerful lead gen tool. One of the most exciting capabilities of digital advertising is how specifically you can target your outreach (as political campaigns like to do), but A/B testing is still needed. This is an area that often comes up short when trade shows need to be paid for, but now would be a great time to leverage those unused dollars to test these campaigns until they hit the right mark.

Marketing Asset Development

If there’s a bright spot in the time we’ve spent sheltering in place, it’s the interesting videos and podcasts we’ve discovered. For many of us, listening to a podcast at a certain time every day will be a permanent part of our schedule post-pandemic. Simply produced Zoom interviews are also likely to be a mainstay, having been validated by broadcast news channels while studios were closed.

Why not spend a portion of your newly freed trade show budget on commissioning some of these assets yourself? Over time, a series of thought leader podcasts or videos with provocative themes can elevate brands and thought leadership.

Surveys are another marketing asset to check off your marketing bucket list. Not only do they give you a current read on target audience sentiment, the findings can be newsworthy enough to promote via media outreach and nab more coverage.

When it comes to trade shows, nothing replaces human interaction. But now is the time to strategically reallocate those unused marketing dollars to take advantage of alternate strategies that can increase awareness and generate leads for your business.

Readers Write: An Interoperability Data Challenge — Out and Back Demonstrating Reflection

An Interoperability Data Challenge — Out and Back Demonstrating Reflection
By Brody Brodock

Brody Brodock is a principal with AdaptTTest Consulting of Raleigh, NC.

I want to offer up a challenge that will express the current state of interoperability within regional systems. The challenge involves the top N most frequently used values within domains, exchanged via C-CDA within your community of practice, reconciled and incorporated, then returned to the sender, where the originating sender then reconciles and incorporates the returned items.

This should be a simple task that any certified EHR can accomplish with 100% accuracy. However, if you get better than 80% success in the first part of the exercise, I will be greatly surprised. If you can successfully exchange above 50% on the second round, I will be impressed. I would even argue that two systems from the same vendor will be challenged.

We should keep this to the required domains: medications, problems, and medication allergies. Other domains should be left out to reduce complexity. This gets messy really quickly.

You will need to gather from your system:

• Problems. Problem text, problem code, problem code set, status, date added, date updated, and onset date.
• Allergies. Allergy category, allergy severity, reaction, reaction severity, allergy dates with specificity, status, and the codes for allergy and allergy reaction.
• Medications. This might get trickier as some systems load meds into different table sets depending on the order type (prescription or order). But essentially you need the medication name, medication code, status, date of entry, order expiration date, dose, dose form, frequency, SIG, PRN, and DAW.

Once you gather these extracts, (you might need to limit the period), you should slice and dice the data to tell you what the most frequently used (MFU) items are. You don’t generally need to associate the metadata to other data elements. Knowing that the top medication allergy is penicillin is sufficient, the top reaction might be hives — they don’t need to be associated in this round.

HIPAA note: watch out for names in the SIG, and purge any “zzz” names you come across.

Now that you have your list, take the top 10 from each and add them to your new patient. Then another set of patients that reflect the metadata objects: status, dates, reactions, severity, PRN, DAW, etc. If you have the ability to add free text med allergies, then submit a patient safety defect report to your vendor, but send the free text allergy anyway. Try “pentillacillian” with “anti fylaktic” — yes, I have seen that.

Medications should be a mix of your top 10 prescriptions, plus your next 10 with your top SIG, plus the next top 10 with all of your statuses. Add a couple that are tapered dose, vaccines with multiple dosages, and multiple formulations (albuterol syrup, pill, and rescue inhaler) all active.

Your CDS/DUR systems are supposed to alert for for all of these domains. Once you reconcile and incorporate these items into your system, pick a couple of items like penicillin with anaphylaxis and attempt to prescribe that. You should get an alert. A significant battery of CDS/DUR tests should be done with this data.

Now that you have built up the patients, have your development team automate them so they can be duplicated on demand. If you don’t have an automation team, ask your vendor for their scripts. These tests should be part of your standard operational and production qualification tests — OQ/PQ.

Now send these patients via a summary of care or a transfer of care (try both — they should be different) to your geographic neighbors. Whichever systems from which you receive transfers, referrals, and notes. They will be ambulatory, acute, ED, SNF, and specialty facilities. But more importantly, they will be different systems, or at least different configurations of like systems.

Take these C-CDAs and send them through your Direct HISP, email, or sneaker net (HIPAA rules apply and these must be fake patients). You can name them “MedicationTest-xxx” where xxx is an alpha counting scheme: aaa is the first, aab the second, all the way to zzz being patient 676. If you can create patients with numbers in them, I would be surprised, but go ahead and try one of those patients too. “Patient 0” shouldn’t be possible, so it will probably blow up on the receiving end.

The receiving facility should then bring in the C-CDA and perform reconciliation of the listed domains. Problems, medication allergies, and medications should now be in this patient’s record.

The expected result is 100% accuracy in the exchange. No conversions, no substitutions, no increased or decreased specificity, no “go fish” in presenting the user with a series of options to reconcile. These are the most frequently used, so there should be no problem.

Your actual results will not be even close to 100%. You will have allergies that switch category, reactions that aren’t recognized, medication APIs that are switched to brands, problems that are either more specific or less specific than the incoming problem, dates that will increase specificity from year or null to DD/MM/YYY:Time, and multiple formulations that will be considered duplicates (three albuterol formulations).

Now without further modification, the receiving facility should create the same type of C-CDA and return it to the originating facility. A full round trip. The record that is returned will look like a completely different patient than the one that you sent out. Statuses and dates will be converted to something else and your medication intolerance will suddenly become a medication allergy. All sorts of fun here.

This is why healthcare interoperability singlehandedly enables the fax industry.

This is the first part of a long and complex set of tests, a simple out and back. Yet the exchange will demonstrate how badly the industry needs to get its data house in order. The results will not change just because you were using different technology. If you are using FHIR to write data back into your solution, you are going to have the same problems.

Readers Write: Hospital Vital Signs: The EHR Doesn’t Know Everything

Hospital Vital Signs: The EHR Doesn’t Know Everything
By Keith Boone

Keith “Motorcycle Guy” Boone is informatics adept and SANER Project leader for Audacious Inquiry of Baltimore, MD.

In the fight against COVID-19, it is imperative to understand and monitor the vital signs of our healthcare system – the hospitals and health systems that are playing a critical role –  to ensure that we can provide patients with unfettered care as this global pandemic plays out.

To this end, numerous agencies at the local, state, and federal levels are attempting to monitor the pulse, EKG, respiration rate, and chemical balance of hospitals across the country for a better assessment of whether the hospitals we rely on to keep people safe are themselves up to the task. This information is needed to rapidly identify the hospitals that need supportive care as they face COVID-19 head to head.

Today’s data collection efforts are focused on extracting data from the EHR, which focuses on data elements such as bed numbers and bed types, ventilator use, and death rates. While this is a great place to start, the EHR is just one critical information system within a hospital.

Similar to how the body has many flows — or as these were once explained, humors — a hospital also has a network of systems that manage its overall wellbeing and operations.

• Asset tracking solutions monitor the physical inventory in a facility, and asset management systems can both pinpoint the location of a ventilator or anesthesia system and report its present operational status.
• Bed management solutions help a hospital streamline patient flow, ensuring that patients are getting into beds as fast as possible. They identify if beds that need cleaning are being turned around quickly and whether patients are being discharged efficiently.
• ICU and central monitoring solutions keep track of patient telemetry inside the ICU, bringing signals from the monitors and medical devices at the patient’s bedside to the central nursing station, possibly long before the information is available in the EHR.
• Inventory management solutions keep track of consumable medical supplies – simple service parts such as ventilator tubing,  medicines, lab test reagents, personal protective equipment, and the cleaning and disinfectant supplies that a hospital goes through faster than your most germophobic relative.
• Workforce management solutions track the flow of staff and are often linked with identity management solutions that grant privileges, identify credentials, and monitor access points.
• Some hospitals have command centers into which many essential data elements flow. These have compelling visual displays, dashboards, and teams of staff who manage hospital capacity, but they are rare outside of larger academic medical centers, and even the most advanced command centers may not be able to readily share data outside their own system. 

The list goes on and on. These systems collectively determine the pulse or heart rate of a hospital.

While a hospital’s EHR system may be considered the brain of an organization by many who think about hospital information systems – and that’s probably not a bad analogy – a critical failure in any one of these other systems can be debilitating to hospital operations. Though EHRs may be the highest level as the most business-critical decision-making element of a hospital, they cannot track all the functions of an organization that are essential for efficient and prolonged patient surge operations.

To truly understand the health of a hospital and its level of readiness for taking in a surge of critically ill patients requires tracking more than just what is going on in its brain. In our analogy, the heart, the lungs, and liver represent a hospital’s staff, supplies, and equipment. All of these are tracked by other systems.

Some of these systems connect to the EHR, and extracting data via the EHR rather than from the system directly is possible. However, in these instances, speed and clarity may be sacrificed for simplicity. The originating systems often know something well before it is shared with the EHR, just as your stomach responds to food without your brain having to decide how to handle it. Some of these data sources may have no direct connection to the EHR at all, yet their importance to the overall vitality of the system remains undiminished.

As we experience our 100-year pandemic event, the healthcare industry is learning that it didn’t think of everything that hospital leaders might need to know considering equipment or critical supply or staffing shortages. The magnitude of this response has drawn national attention to the critical infrastructure deficiencies in our healthcare, public health capacity, and surveillance systems.

But a silver lining in this endeavor is the rapid progress that is being made by passionate and committed individuals and organizations coming together to solve these complex data sharing and interoperability challenges. HL7 International is doing a tremendous job supporting their members by enabling the secure and rapid transfer of information about hospital bed capacity and availability of critical resources during public health emergencies. From May 13-15, they held a virtual connectathon to demonstrate projects in development. It is promising to see such rapid progress being made through data standardization using FHIR-based APIs.

As an industry, we need to support standards across the many information systems inside a hospital. We need to expose the critical vital signs these systems have to hospital leaders so they can work with public health and emergency response agencies to ensure that appropriate measures are being taken to address this pandemic. While we don’t yet have a consistent approach to sharing data from disparate sources within the healthcare system, it can be achieved.

Readers Write: Have You Lost Your Job?

Have You Lost Your Job?
By Jim Gibson

Jim Gibson is a recruiter with Gibson Consultants of Wilmington, NC.

I remember the first time I lost my job. It was terrifying. I was the sole breadwinner, with three small children and a mortgage.

If you’ve recently lost your job, I know how you feel and I hope the tips below will help.

In the days following my job loss, my emotions followed the usual course: surprise, hurt, anger, acceptance, and finally determination. That is, determination to find another job, a good one, one that would allow me to feel good about myself again. Although I had convinced myself that I was mentally tough, my ego was bruised – badly.

The days seemed like weeks and the weeks like months, but ultimately I got a better job, and it didn’t really take that long.

Then I became a recruiter and saw many others enjoy the same good fortune after enduring the pain and anxiety of a job loss. Not all, but many.

This includes 2008 – 2010, when a global economic collapse had many fearing another Great Depression.

People at all levels and in all industries were losing jobs. Companies were folding, retirement accounts were being depleted, and housing values were falling, for many their largest source of equity.

Financially healthy companies were laying off tens of thousands in anticipation of a recession. Talk about a self-fulfilling prophecy! Of course, the media were piling on, fanning the flames of fear and misery.

It was maddening,  and a hard time to be optimistic.

Yet, it ended. People found jobs and many were thrilled about where they ended up.

There are differences between then and now, but there are also similarities. We feel the weight of uncertainty, but we also believe this too shall pass. I do, and I believe many will end up in better positions.

It’s hard to account for why some people land on their feet more quickly than others, but you can improve your odds by keeping the following in mind.

• Self-agency. This is listed first because it’s the most important. You must believe that you have the power to improve the current situation.
• Clear your head. A mental transition from having a job to looking for a job takes a little time. It’s critical to decompress, find enjoyable distractions, spend time with loved ones, and get negative feelings under control before beginning a job search.
• Goal of two. Have a goal of choosing between two good job offers. This eases the pain if a prospective job opportunity disappears. It also can shorten the search by suppressing the temptation to go easy while the “sure thing” plays out … or doesn’t.
• View it as a job. A job search is a job. It’s good to clear the head, but when the search starts, it is your full-time job.
• Start with your brand. A career is usually the result of opportunities presented and accepted, not intentional paths. Being unemployed is a chance to change that by thinking carefully about what you enjoy and are good at, and what you don’t enjoy and don’t do well.
• Perhaps a couple of options. You may know what your next job will look like, or you may have the flexibility to do either of a couple of things (e.g., operations or a client-facing role, remaining in a hospital or joining a health plan.) More than one option requires different versions of your resume, cover letter, etc.
• Don’t rely on recruiters. Approaching recruiters is an inefficient approach. Most work on a limited number of open positions, so it’s hit-or-miss.
• Two-pronged approach. After identifying your ideal role(s), work your network and contact employers.
• Your network. This shows the value of your LinkedIn network. It’s also a great time to make new connections. Remember to spoon-feed connections with specifics about desired roles, organizations, etc.
• Employers. Build a comprehensive list of potential employers and hiring managers. Corporate websites and LinkedIn are good starting points, as are trade group sites (HIMSS, AHIP, etc.) If targeting vendors, the exhibitor page of the annual convention site is a gold mine.
• Don’t apply to job listings. Some will disagree, but I find this to be a colossal waste of time. People do get jobs this way, but it’s a low percentage activity. It’s so easy for people to apply that the number of applicants can be staggering. Even the perfect candidate’s application may get buried and never seen.
• A numbers game. This is a numbers game. Think 150-200 targets, not 20-25.
• Get organized. Developing a system for staying organized is essential. It allows for a methodical approach to managing a high volume of contacts.
• Physical activity. A job search is intense. Incorporating a regular regimen of physical activity will help periodically clear the mind in order to stay strong and on top of your game.
• Only one job is needed. This is a good thing to remember, especially as opportunities progress slowly and sometimes disappear.
• Expect to be ghosted. Anyone who has looked for a job knows that the most agonizing part is waiting while the other party remains silent and inaccessible. Expecting this, while pursuing other opportunities, eases the strain a bit.
• Don’t take it personally. Sometimes conversations stop abruptly or jobs mysteriously disappear without an explanation. It’s often because of events beyond your control. Don’t beat yourself up over this.
• Some days it will just plain stink These days need to be kept to a minimum, but they will happen. Shutting down the computer and taking the afternoon off is sometimes the smartest move.
• This is your career, but it’s not you. As difficult as it may be at times, you must try to keep your self-esteem intact. Looking around at your loved ones and surroundings can reinforce a sense of gratitude and perspective.

Finally, even though difficult in more ways than one, this can be a fulfilling challenge. After all, you’re selling the most irresistible product around – you!

Happy hunting.

Readers Write: How Health Systems Use Technology in New Ways to Adapt to COVID-19

How Health Systems Use Technology in New Ways to Adapt to COVID-19
By Terry Zysk

Terry Zysk is CEO of LiveProcess of Chelmsford, MA.

Saving the lives of patients and protecting care providers during the COVID-19 pandemic is an unprecedented healthcare management challenge. Unlike a hurricane that passes in a few days, COVID-19 could be with us for quite a long time.

Some of the innovative US hospitals I work with are solving pandemic-related problems by repurposing already deployed or quick-to-deploy technology. Creativity is allowing these health systems to adapt to the COVID-19 crisis.

According to McKinsey & Company, as major events occur, responsive healthcare organizations focus on five areas to ensure access to care delivery: workforce protection, supply chain and resource stabilization, customer and staff engagement, stress testing, and nerve center integration.

Similarly, health systems on the front lines of COVID-19 are using technology with roots in hospital emergency management to dynamically rebalance business operations, share information, and collaborate in virtual command centers.

A public health emergency response creates large-scale logistical issues. Hospitals are changing protocols, rethinking workflows, repurposing clinical areas and redistributing staff to adapt to a shift in demand.

All of these changes require intense coordination and collaboration.

To replace rumors and stress with accurate and timely information, health systems are pushing information out to engage healthcare workforces. They are reaching employees at all facilities at once while also developing proficiency in minimizing alert fatigue throughout a long-duration event.

As more masks and gowns are needed to protect the healthcare workforce, hospitals and healthcare coalitions are using emergency management technology to share guidance on the use of PPE, request PPE from community partners, and coordinate and track regional inventory.

CDC requirements for monitoring employee health involve daily communication with healthcare providers. One health system is performing virtual health checks by reaching out to hundreds of affected personnel with survey technology, and then displaying the results on a quickly developed business intelligence dashboard.

At another hospital, human resources specialists used event sidebar communications in emergency management technology to collaborate in a virtual command center and optimize the redistribution of staff.

When converting hospital rooms or even entire floors into other types – such as negative pressure and isolation rooms and reconfiguring spaces create more ICU beds — a healthcare coalition electronically surveys its 18 facilities on their room and bed inventory. With automatic roll ups, leadership teams are producing up-to-date daily reports with minimal labor and a short turnaround time.

Staffing coordinators are using trackable one-to-many notifications with multiple choice response options to fill high-demand roles quickly and efficiently, leveraging tools typically used for mobilization and coordination in natural disasters.

In these many ways, health systems and coalitions are adapting to the current situation with new processes and proficiencies by using existing technology in new ways. Their experiences may spur ideas that help your own health system improvise and adapt to COVID-19 and other disruptive situations.

Readers Write: Healthcare Crisis Underscores Strategic Importance of Strong IT Support

Healthcare Crisis Underscores Strategic Importance of Strong IT Support
By Rob Dreussi

Rob Dreussi is CIO of HCTec of Brentwood, TN.

Take a moment to thank those who work on the IT service desk. Who knew they would play an essential role in maintaining operational continuity and getting our patients and providers up and running on telehealth?

Every large-scale crisis exposes shortfalls and creates opportunities for improvement in healthcare. The COVID-19 pandemic has highlighted the need for hospitals to think differently and more strategically about their IT service desks.

EMR patient portal usage has increased as telehealth and other patient-facing solutions are being rapidly deployed. Maximizing that kind of technology, keeping it running, and supporting it properly requires people with specialized HIT skills, training, and experience. Technology may be the tool, but people and solid operating processes are required to make it work.

This crisis is a powerful reminder of the IT service desk’s higher purpose—helping providers and patients by either resolving their immediate problem or finding the best next-level person to assist them. A mature IT service desk employs a diverse team of experts, including agents, coaches, trainers, workforce analysts, quality analysts, and related technology SMEs. Collectively, this team enables healthcare providers and patients to leverage technology rather than be hindered by it.

However, IT service desks have struggled to meet the increased demands related to the COVID-19 pandemic because their resourcing plans are based on historical support volumes. Who could have predicted:

• Call volumes that are doubling and tripling.
• Supporting new applications almost overnight that typically would have been deployed over months.
• Assisting end users while they shifted in mass to working from home.
• Continuing to deliver services while the IT service desk itself shifted to working from home.
• Onboarding and training new agents 100% virtually.

Keeping up with all the change has been really hard.

The pandemic has put a spotlight on how the technical and user-facing skills that are needed for effective IT support have increased dramatically over the last decade. The demand for this dual skillset will only continue to increase as hospital clinical and overall operations grow increasingly reliant on technology. Already Meaningful Use and the movement toward value-based care have driven the adoption of complex clinical and business systems that require constant maintenance and inspire far greater security concerns.

Simultaneously, the expectations of providers and patients alike are rising, as we all have become accustomed to customer-friendly, tech-savvy support from companies like Amazon and American Express. As a result, the IT service desk’s role now includes representing the voice and brand of the health system. Delivering a strong overall experience — whether to patient, provider, or administrative user — is more critical than ever. In this new environment, the staffing, required skills and management of the IT service desk requires a more advanced and strategic approach.

It’s no surprise that COVID-19 has forced HIT support personnel to work overtime, late nights, and weekends. Their efforts are essential to ensuring that healthcare providers and their patients receive the support they need to improve delivery of care in a time when people need it most.

COVID-19 has made painfully obvious to a broader audience what we have always known — technology doesn’t always work as designed. It has also made it glaringly apparent that in healthcare we need people who understand how to effectively support technology so that patients and providers alike can leverage its power to improve care and outcomes.

Readers Write: Blowing the Whistle on Technology Fraud in the Healthcare Industry

Blowing the Whistle on Technology Fraud in the Healthcare Industry
By Joseph Gentile, Esq.

Joseph Gentile, JD, Esq. is a partner with Sarraf Gentile LLP of Great Neck, NY.

The healthcare industry has always been an area susceptible to fraud. In fact, government investigators estimate that in 2016, about $95 billion was improperly paid out by Medicare and Medicaid. That’s only a single year’s amount of fraud in just two of the government’s many healthcare programs.

With an aging population, increased healthcare spending, the passage of the CARES Act, and the government’s multi-trillion dollar effort to mitigate the health and economic effects of the COVID-19 pandemic, fraud in the healthcare industry will only increase. With social distancing become the new normal, the use of technology to deliver healthcare services will also increase. Fraud in this area will, therefore, likely increase.

As a result, the need for insiders to blow the whistle on technology fraud in the healthcare industry is more important than ever. Whistleblowers help ensure that these precious government dollars go towards stopping the harmful effects of the virus and shoring up our economy—and not to line the pockets of opportunists.

The best tool for combating this scourge is the False Claims Act (FCA), a Civil War-era law that was passed to address the fraudulent sale of decrepit horses, ill mules, and faulty rifles to the Union Army (which not only stole tax dollars, but endangered soldier’s lives). The FCA has since been expanded to cover most government dollars, including healthcare spending such as Medicare, Medicaid, and Tricare.

The FCA has been regularly used to fight technology fraud in the healthcare industry. Just last year, the Department of Justice announced a $57.25 million settlement against Greenway Health LLC (Greenway), a Tampa, Florida-based developer of electronic health records (EHR) software for causing its users to submit false claims to the government by misrepresenting the capabilities of its EHR product Prime Suite and providing unlawful remuneration to users to induce them to recommend Prime Suite. 

The US Attorneys whose offices prosecuted the fraud said it best. According to Christina E. Nolan of the District of Vermont, “These cases are important, not only to prevent theft of taxpayer dollars, but to ensure that the promise of health technology is realized in the form of improved patient safety and efficient healthcare information flow.” According to Byung J. “BJay” Pak of the Northern District of Georgia, “Medical professionals and patients depend on the security and competency of electronic health records as a means to improving both the quality and coordination of health care services… Vendors who falsify the viability of their products erode the integrity of public health systems and will be held accountable for their misrepresentations.” 

Cases like Greenway are just the tip of the healthcare fraud iceberg. Indeed, the FCA has been used to recover billions in healthcare fraud and was most recently used in the government’s historic $1.4 billion recovery from Reckitt Benckiser Group involving the marketing of Reckitt’s opioid addiction treatment drug Suboxone. Whistleblowers were awarded over $100 million.

While blowing the whistle may not be easy, the FCA encourages it by offering anti-retaliation protections for those who out the fraud as well as lucrative financial rewards. Where the government obtains a recovery as a result of fraud, the whistleblowers are generally awarded between 15% and 30% of the recovery. Because many FCA healthcare cases are large by nature, the FCA’s financial rewards to whistleblowers have been historically large as well.

Our healthcare industry is being tested like never before, and the people in it — especially those who are working to use technology to improve its delivery and accuracy — play a critical part in ensuring its effectiveness, now more than ever. Those same people can help ensure that the billions of dollars being spent on healthcare aren’t being wasted by fraud. Every dollar counts. Pplicing that is not only a civic responsibility, but legally protected conduct that can result in significant economic awards.

Readers Write: Strained but Secure

Strained But Secure
By Troy Young

Troy Young is chief technology officer of AdvancedMD of South Jordan, UT.

Healthcare providers are pressed to the max, working to deliver ample care to the increasing volume of patients infected with COVID-19. Employees rise to the challenge and learn to get the job done in vastly different circumstances, be it on the front lines, in the back office, or remotely.

While we all try to navigate the new realities this pandemic presents, computer hackers are exploiting them: “Don’t let a crisis go to waste” is their mantra. Indeed, the novel coronavirus crisis has led to a rise in cyber scams and other security breaches as healthcare providers move quickly to redistribute workloads and manage care overflow.

Hackers are using tactics that capitalize on emotions of fear and anxiety and behaviors of internet users looking to stay on top of the situation during these uncertain times. They entice healthcare workers to open malicious files and links by:

• Creating a sense of urgency.
• Implying or stating that the e-mail comes from a person of authority.
• Offering a resolution to a difficult problem (the current virus, shortage of medical supplies, people in need, and similar) in exchange for sensitive information.

These tactics are especially effective during a time of crisis, when urgent communications from employers, friends, family, and government agencies are filling inboxes. These e-mails may include fake virus tracker maps, hand hygiene instructional sheets, or online marketplaces for high-demand items. Hackers have impersonated the World Health Organization (WHO), for example, in recent phishing emails.

As is the case with security at any other time, employees are the first line of defense against cyberattacks that are predicated by false communication. Providers should review policies with staff—whether employees are on site or working from home—and adhere to standard security plans and general workflow processes during the pandemic. Some scams are so well concealed that employees get fooled. These are best practices to keep top of mind:

• Always be suspicious of unexpected emails. Check the sender’s email address.
• Always look closely at any URLs, even those that are supposedly from people within the organization. Check the link by typing it into the browser.
• Never open a file attached to an email that was unexpected, or one that looks suspicious in any way. Take a pause to think through the purpose of the email. Don’t feel rushed or pressured to take any action.
• Never provide personal information like usernames / passwords or financial information after clicking through an e-mail link.

Even if someone falls prey to a phishing attack, organizations can mitigate risk by following these precautions:

• Require multi-factor authentication (MFA, or two-factor authentication) on as many accounts as allow them, especially banking and e-mail accounts.
• Enable automatic software and operating system updates on computers and mobile devices.
• Download anti-virus and anti-malware software on the network and personal computers as well as mobile devices. Windows and MacOS include these by default; just confirm they’re enabled and up to date.
• Back up all data.

The current crisis has highlighted organizational weaknesses in healthcare security and privacy protocols amid the urgent need to respond to government lockdown mandates, patient emergencies, and employee shortages due to illness. Employers have been rushed to establish telecommuting capabilities for staff who don’t typically work from home: when the need to expand capacity outstrips the organization’s ability to apply the security and privacy measures, risk increases exponentially. Also, as telecommuting employees increasingly use virtual meetings to communicate with each other, the National Institute of Standards and Technology (NIST) has recently published guidance on protecting virtual meetings from eavesdroppers.

VPNs are commonly used by healthcare organizations with telecommuting staff to provide secure access to technology resources. Microsoft recently warned that hackers are attacking vulnerable networks and VPNs, having particular success with a ransomware campaign known as REvil (or Sodinokibi). Organizations that use VPNs should refer to guidance from the Department of Homeland Security to secure their VPN and network infrastructures.

The COVID-19 crisis has also dramatically increased the use of telemedicine, which has emerged as an essential tool for providing contactless patient care. Regarding penalties, HHS recently notified providers that OCR has relaxed enforcement of HIPAA privacy rules during the crisis. This is great news for clinicians and patients, but providers should still be deliberate about using technology that is HIPAA-compliant and be sure to have BAAs in place with their vendor of choice.

The uncertainties of this global pandemic has many of us feeling vulnerable right now. Let’s control what we can. That includes built-in cybersecurity protocols that keep patients, employees, and organizations secure.

Readers Write: EHR Vendor Priorities for Successful Innovation and Marketplace Development

EHR Vendor Priorities for Successful Innovation and Marketplace Development
By Seth Joseph

Seth Joseph, MBA is founder and managing director of Summit Health of Lincoln, RI.

With the release of the final interoperability and information blocking rules, one of the goals of the Office of the National Coordinator for Health IT is to establish an ecosystem of innovation. They mandate that electronic health records (EHR) vendors open up their APIs and effectively serve as the foundation — the platform — for marketplace development. 

But when it comes developing an EHR-based marketplace for innovation, there are a host of challenges under the ONC’s latest guidance,  from the short timeframe in which they are being asked to develop these marketplaces to a lack of experience in network development (i.e., growing sustainable, platform-based businesses). 

With these challenges in mind, what can EHR vendors be doing now to ensure they are in the best position to develop a successful marketplace for innovation?

Establish sound (neutral) governance structures and processes

EHR vendors must carefully think through and give plenty of consideration to developing governance rules, standardizing the rules of engagement for platform development and the governance processes first, then creating documentation around it. Accounting for these fundamentals at the beginning will ensure that there’s a repeatable, scalable process when onboarding new developers to the platform. 

For example, which developers are allowed on the EHR vendor’s platform and marketplace? How do they become certified? How can EHRs ensure that developers abide by all state and federal regulations regarding health data exchange and privacy and security, such as HIPAA?

There are also issues such as those that Amazon is facing in having to determine exactly if/what proprietary data can be used to compete with third-party app developers for the platform. What is allowed and how should the rules and regulations be managed?

The importance of having a strong governance process and operating guidelines becomes clear when considering the issue Apple faced in 2019 related to its app store search results. According to a New York Times analysis of six years of App Store user searches, Apple’s own apps ranked first in the results for at least 700 search terms in the store. That isn’t exactly a vote of confidence for third-party IOS app developers, or the kind of attention Apple wants on its marketplace.

While all of this due diligence will require legal, technical, and business development work, it’s a necessity, as marketplaces will not scale and networks cannot grow effectively without it.

Invest in support resources

Third-party developers will vary in their technical, business, and organizational maturity. From implementation support and technical resources to data management and standardization support, EHR vendors should invest in the necessary resources to ensure that marketplace vendors clearly understand the rules of the road and also are set up to do as well as possible. 

Third-party developer success leads to marketplace success. While EHR vendors may not believe that marketplace success is important to their success in the short term, they would be wise to consider why Airbnb is among the most highly valued lodging businesses. It’s not because it runs a better hotel than Hilton or Marriott (it doesn’t), but because it allows hosts and renters to connect and transact on its platform.

Expectations and investment

Turning a software business into a platform business can be exciting and promising, but it’s important to temper expectations. For instance, while 2018 revenue from Salesforce.com’s third-party developer platform was the business’s highest growth area (41% annual growth rate), that only represents 20% of the organization’s revenue overall. That took over a decade to reach since Salesforce.com’s developer marketplace has been in existence since 2007.

It’s especially important for executives who are managing the marketplace to set realistic expectations internally regarding likely marketplace growth over the next 3-5-year period, then determine how much and what kinds of investments will be required to support that. 

Bring in an unbiased, experienced marketplace manager

There are many reasons why EHR vendors are not in a great position to be managing platform-based marketplaces on their own, but all map back to their inexperience in network development.

For example, under the new rules, EHR vendors will have to respond to developer requests for access within 10 business days. How will those companies manage this process in appropriately screening for privacy, security, and technical concerns while also determining how to address developers who might compete with new functionality that the company itself is planning? How will the EHR vendor think about quality management, in terms of the impact of varying levels of developer and application quality and what that means to the EHR’s brand with its customers? 

Growing a marketplace also requires redundant instances of technology and managing multiple integrations and different types of partner relationships at once. EHR vendors are inexperienced in and ill-equipped in these areas.

Given these challenges, EHR vendors should strongly consider outsourcing the management of their EHR marketplace to an entity that has the right experience and knowledge of standing up and supporting third-party developer marketplaces.

In fact, an effective marketplace manager that works with multiple EHR vendors should be able to deliver increasing value to each one of them by standardizing processes, refining implementation approaches, and managing multiple developer relationships. This is similar to the value they deliver to third-party developers by allowing them to connect once and gain access to multiple EHRs.

For EHR vendors, the innovation train is pulling up to their platform. While conditions might not be ideal since time is scarce and marketplace development in healthcare is still in its infancy, now is the time for EHR vendors to prepare and ensure that when that train reaches its destination, there is a solid foundation from which to grow as a marketplace innovator.

Readers Write: Prognostication Is A Fool’s Errand

Prognostication Is A Fool’s Errand
By Jeremy Harper

Jeremy Harper, MBI is chief research information officer of Regenstrief Institute of Indianapolis, IN. The views and opinions expressed in this article are his personally and are not necessarily representative of current or former employers.

Regardless of how COVID-19 progresses, we have scenarios ranging from (a) everyone is going to die as the stock market goes to zero, to (b) we will be back and running at full steam in a matter of months. I’m optimistic that we will go back to work and keep moving, but less optimistic that we will successfully lower the curve enough to make a significant difference.

However, there will be permanent repercussions of the choices we’ve made so far, things we as employers haven’t had time to adapt to.

Employers need to prepare for the social impact of employees who have suddenly been moved to remote work arrangements en masse. Many employers have had people working remotely for a week and a half at this stage, and states are rolling out more stringent quarantines.

Below I attempt to predict the impact of remote work arrangements for our organizations.

One-Month Quarantine

People

If we have remote work for a month, I anticipate that most will re-integrate into their work routines with relish. Having children out of school also helps. It’s hard to be a full-time caregiver and a full-time employee. Even with dedicated efforts at sharing, it’s hard to balance the workload. People may enjoy the time off, but much like a vacation, they will return to the office and be glad for the peace of a single job.

Prepare your remote work policy, though, because people will be pointing to the last month to explain that if can be done for every one of their jobs.

Organization

Workflows haven’t changed. They might be re-envisioned online, but they have been optimized for in-person, office setups.

If you don’t see an end in sight, start preparing your IT to support wikis, group teleconferences, Slack etc. Optimization of the remote work arrangement is worth the expense.

In general, the organization just needs to grudgingly get through this time period.

Two-Month Quarantine

People

Employers must prepare for a mass outpouring of employees who point to their productivity over the past two months as justification for them to be remote for significant portions of their schedule. “What happens if I am only in the office Tuesday and Wednesday every week, or Thursday and Friday?” will be a common refrain. We still like the in-person interaction, just not every day.

Organization

We will start to see workflows shift and adapt towards an assumption of remote work and effort.

Some people will take vacations while maintaining their digital presence to avoid using vacation time. Vacation could look like visiting family and friends who they never have time to see in person. It might be the dream trip to Hawaii, although during a global quarantine, it probably won’t be to other countries.

Three-Month or More Quarantine

People

Employees will have adapted to a remote work arrangement, they are searching for alternative employment, or the government stipends will be sufficient for them to stay home. Not everyone can handle remote work arrangements. People will start moving to their dream locations, as in,  “I’ve always wanted to live in another state.”

Organization

We as employers have started to change our office policies to meet the need of this new normal. This is no longer waiving policies, it is rewriting them.

We will start to see employees migrating. They won’t all be in a single time zone. We will no longer have the ability to call them in person. They will want to have accommodations for their new time zone and their working later or earlier.

New collaboration tools that were mentioned in Month 1 become a necessity. You might have new opportunities to bring in global talent since if everyone is remote, you no longer need everyone to be based locally. Alternative arrangements for office buildings that are sitting closed will be considered and leases will be dropped.

Upcoming Societal Changes We Need to Discuss as a Community

The requirement for strong telemedicine arrangements outside COVID.

The obesity epidemic is not likely to be helped by quarantine.

Regulatory barriers.

Data analytics, collaboration, and productivity.

Readers Write: COVID-19: You Aren’t Ready

COVID-19: You Aren’t Ready
By Jeremy Harper

Jeremy Harper, MBI is chief research information officer of Regenstrief Institute of Indianapolis, IN. The views and opinions expressed in this article are his personally and are not necessarily representative of current or former employers.

Chief research information officer means that I design systems to connect clinicians, research, and IT for a living. I’m paid to think outside the box. 

I’ve been tracking coronavirus since mid-January. I want to acknowledge as I write this that as of March 19, 2020 we have about 10,000 individuals in the US who have been identified with this disease. We are not at a crises today, but we might be in a week. About 3,000 new cases were identified yesterday.

Our health systems are built upon a tower of electronic assumptions for patient care, triage, and scheduling. If you review the CDC pandemic preparation documentation, we are focused on minimization of the event in lowering the curve. I’m calling on the IT and informatics Industry to look beyond minimization to what happens if we fail. We are not ready.

A crises of this magnitude brings us back to a simpler time, one that requires a massive streamlining. We’re seeing vendors begin to release capabilities for streamlined remote visits, but we need to be prepared internally for our health system operations.

We can’t just focus on how our back office connects remotely, because if the worst happens, our health administration will be ignored in favor of saving lives. We’re going to be rushing to convert swaths of our hospital beds to ICU beds like Italy has done, or creating new hospitals like China did. We are going to see all those beautiful individual rooms that have been built at hospitals over the past 30 years doubled up. 

This will be a new health system in a matter of days, and we have not designed our systems to deal with this. As an executive consultant, I’ve participated in pandemic preparedness and emergency drills in numerous health systems. We are suddenly faced with a situation that has the potential to dwarf the worst-case scenarios we have envisioned.

Almost every report that you have spent years building will suddenly become useless. They will be repurposed for decisions they weren’t intended to support. AI/ML won’t solve this one for you, because this is something new, something that will break every model we have worked to build.

Think about your automated systems to alert clinicians to close charts. If people are dying in the hallways, it doesn’t matter. Closing charts, filling in discrete fields (this one kills me as a researcher — we need discrete data desperately to identify best practices), and most clinical decision support suddenly go out the window.

I’ll take a personal example of what we’re about to face on the clinical and administrative front. My father had an esophagectomy about five months ago. They caught the cancer early. He was asymptomatic, aside from a cancer that was going to kill him. His 10-hour “elective” surgery might not be taking place or might be delayed right now as health systems gear up for COVID-19. He has had strictures (throat closing off) since the surgery. He has already been informed that they might cancel his next appointment (where they put him under and stretch his throat) depending on patient load due to COVID-19.

If we see mass cancellations of these an other “elective” process items, then we’re going to need better reports that prioritize patient rescheduling that is based on acuity rather than who gets on the phone and connects first, or who knows how to manipulate the scheduling system the best. This isn’t Ebola, where simple screening questions and changing our triage process will cut it.

What you can do now:

• Start building reports to support your providers in triage to get the right people to the front of the line.
• Identify how we’re going to support a world where we might ask the public to donate CPAP/BIPAPs to keep people breathing through the disease.
• Stop assuming that you are dealing with a “business as usual, just remote” situation, and use this time to prepare for a world where the EMR is low on the priority list.
• Work with researchers to identify the data we need to get treatment recommendations out to the world quickly.
• Use your time and expertise to help groups in need.
• Figure out your best practices and start telling people about the changes you are making.

I have a full-time job. I do executive consulting on the side. I have a beautiful three-year-old and a wife I love. I know how hard it is to find more time during an “all hands on deck” situation. We are all in this together. Let’s be ready.

Readers Write: Walmart Health Centers Are Here — Here’s How to Respond

Walmart Health Centers Are Here — Here’s How to Respond
By Derek Baird

Derek Baird, MBA is SVP of Avia of Chicago, IL.

I recently wrote about Amazon’s looming threat to health systems and physician practices. I closed with a comment that Walmart poses an even greater threat. Many (actually, most) of you disagreed. Since we all have unexpected free time this week, I hope you’ll hear me out.

Walmart Health is back in the news, thanks to the opening of their second Health Center and a not-so-subtle statement from former Apple CEO John Sculley, “Walmart Health will cause a consumer revolution.” Those are bold words from a smart man (and healthcare investor). Note: John’s been wrong at least once. He drove Steve Jobs out of Apple.

Walmart has run pharmacies since the 1970s and a small number of retail clinics for many years. Last September they opened the first Walmart Health Center. It’s not your 1990s-style retail clinic crammed in a closet next to the pharmacy. The 10,000 square foot clinic sits next to a Walmart Supercenter in suburban Georgia. It provides services ranging from physical exams to dental visits to x-rays. Notably, it is staffed by physicians.

The second clinic opened in another Georgia suburb in January with a similar footprint and services. Mark Wahlberg was at the opening. Makes sense since he’s a model of men’s fitness. On the other hand, he owns a burger chain delivering saturated fat to the masses. Speaking of brand dissonance, purists like me grumble about Walmart providing healthcare services in the building next door to its lucrative tobacco counter. I doubt their shoppers share my scruples.

Not only does Walmart offer a super-convenient one-stop shopping option, the digital experience is great. It features all the stuff we admire in solutions from cooler companies like Amazon, Carbon, and 98point6: clean website UI, extended hours, online scheduling, transparent pricing, text reminders, etc.

One hundred fifty million Americans visit a Walmart every week, though most healthcare executives aren’t part of that cohort. We spend lot more time discussing Amazon and other technology offerings even though 90% of us live within 10 miles of a Walmart store. Many Walmart shoppers are commercially insured  — with $1,600 average deductibles — and are likely tempted by the sound of $40 for an office visit and $25 for a teeth cleaning. I know I am.

Out of the gate, Walmart’s model is differentiated, difficult to replicate, and a savvy marriage of physical and virtual assets. Like Amazon’s not-yet-launched offering, Walmart designed its services to address glaring flaws in traditional offerings. But unlike Amazon and other direct-to-consumer telehealth offerings, it’s not reliant on virtual care. In most markets, virtual care is still hampered by stubbornly low awareness, understanding, and adoption. It will be a lot easier for Walmart to launch virtual care than it will be for Amazon to replicate Walmart’s foot traffic. Let’s keep an eye on Whole Foods.

If you’re more likely to visit Sam’s Club than Walmart, then the Walton family has you covered, too. They launched a set of innovative healthcare packages—including family bundles—for members last year. The bundles include free generic medications, a Humana-supported provider network, and $1 virtual visits through, yes, 98point6.

Here’s the kicker. Unlike Walgreens or CVS, Walmart doesn’t appear interested in partnering with local health systems. These Health Centers are launching to make up for health system shortcomings. They will gladly displace primary care physicians sitting behind ineffective call centers, packed schedules, opaque pricing, and myChart logins.

Just like small town Main Street retailers, health systems will have to compete.

Here’s how to get started. First, aim to match Walmart on digital convenience. Your digital front door must make it just as easy to access care as it is to grab an appointment at the Health Center. Put your price list online. Offer virtual visits for those who don’t want to leave the couch. Offer virtual queuing (“save my spot”) for urgent care centers. Your goal here is to approach competitive parity. This will require an intentional, multi-year focus on convenient access and virtual care. If you don’t have your key executives focused on this effort, it’s time to pull together a task force and allocate substantial capital.

Next, leverage your incumbent advantages so you don’t have to match on price. You have brand equity, data, and locations that can be assets rather than liabilities. If you can marry your clinical expertise with personalized communications to patients, they will value that continuity and credibility.

Some good news: Walmart is not going to scale as quickly as Optum or CVS. They have two, soon to be three, locations. You have a little time to prepare. Unless you’re in Georgia.