
Readers Write: Demystifying Population Health

May 13, 2015

Demystifying Population Health
By Jeff Wu


Population health was once again a major topic of this year’s HIMSS conference. We saw even more vendors offering products, services, and solutions aimed at helping organizations deal with the challenges population health management presents.

Unfortunately, population health is such a broad domain that no singular solution really encompasses all of it. As a result, vendor offerings tend to only address a specific challenge. The wide and varying offerings across vendors add confusion to the topic.

Population health shouldn’t be an industry buzzword that’s approached with trepidation. Instead, we need to understand the categories of challenges we are trying to address and the process for developing interventions to solve them. Let’s start by taking a look at the three categories that population health management interventions fall into.

  • Government or mandated interventions. For many organizations, this is the primary (and perhaps only) component of their population health strategy. Some initiatives, like becoming an accountable care organization, encompass requirements that address items that will be discussed below. For many organizations, this may be enough.
  • Enterprise population health interventions. These encompass interventions that are applied to the full population of an organization’s patients. Immunization and vaccination interventions or physical activity interventions are broadly applied to an organization’s full patient population. As organizations begin to try to standardize care, interventions aimed at variation reduction are also encompassed here.
  • Cohort, group, or sub-population health interventions. This class of interventions is the most varied and covers any intervention that addresses a sub-population of patients. Some examples of interventions in this category include health maintenance for diabetes patients, preventative care efforts like breast cancer screening in women over 50, and depression/PTSD screening for military veterans.

Population health management evolves linearly in three stages that borrow some classical tools from epidemiological tracking.

  1. Passive surveillance. Passive surveillance involves the retrospective analysis of a specific issue. This is the evaluation of data that already exists. Passive surveillance addresses questions like, "How many of our diabetic patients got a glucose test in the last six months?" or, "How many of our patients got flu vaccines last month?" Most analysis starts from this level of surveillance. It’s important to note that the majority of organizations are just getting to this point in their analytical journey. Implementation of the EHR tools necessary to do this level of surveillance is finally settling and getting to a state that allows for this to happen. To date, many ‘organized’ population health-based initiatives focus only on this type of surveillance. CMS’s MSSP ACO initiative is a classic example of this, where an organization participating in the MSSP ACO need only report their measures for the first year to receive their financial incentive.
  2. Active surveillance. The next evolution is active surveillance. If passive surveillance identified how many patients got flu vaccines last month, active surveillance would try and answer the question how many of our patients got a flu vaccine last week or yesterday. If passive surveillance told us which of our diabetes patients got a glucose test in the last six months, active surveillance would try to address which ones are being well controlled. In the epidemiological world, passive surveillance relies on existing data, while active surveillance implies a program that generates more recent and/or new data. This could be as simple as querying the medical record or running a report more frequently for simple cases or designing a whole new workflow and data elements to monitor for more complex cases.
  3. Prescriptive intervention. Once a population or initiative is identified, prescriptive intervention is what an organization uses to address the problem. This is where the art of evidence-based medicine comes in. We now have a lot more data to develop more fine tuned and effective interventions. Things like smoking cessation no longer have to be just a pamphlet, a discussion with a provider, and then a check box in the medical record. Full care teams can be coordinated and then patients can be monitored to help them with compliance.

As the industry and technology continue to advance, so do the tools at our disposal. Sentinel surveillance and predictive analytics offer some exciting opportunities to do more earlier. Additionally, the increased volume of data allows us to start taking a more in-depth look at cost-effectiveness and variation reduction between treatments for diseases.

It’s imperative to remember that every organization’s population health strategy will necessarily be different. This is because each organization’s population of patients is different. The vendor perspective often approaches organizations with packaged solutions, when in reality, it’s almost impossible for these solutions to be “one size fits all.” Even a product geared to a specific population health goal will require nuanced configuration to be effective for an individual organization.

Here in Madison, Wisconsin, population health interventions for UW Health are drastically different than Dean St. Mary’s or Group Health Co-op. UW is an academic medical center that draws high-acuity patients from across Wisconsin, while Dean has the region’s only obstetrics practice and GHC handles only primary care needs. While these organizations may benefit from adopting collaborative population health initiatives like the MSSP ACO (which both Dean and UW are a part of), their intervention focuses differ significantly based on their unique patient populations. Seldom can a product or solution apply to both, and even more rarely will it work for both.

As the industry continues to shift care delivery to encompass a population-based perspective, we are constantly introducing changes to our workflows, our assumptions, and most importantly, our expectations. These changes introduce uncertainty and apprehension, but they are also our greatest opportunity. It’s important to realize that population health management isn’t actually anything new. We’ve been here before—we’re just upping the scale.

Jeff Wu is a population health researcher at the University of Wisconsin-Madison.

Readers Write: New Discoveries in Health IT Diagnoses

May 13, 2015

New Discoveries in Health IT Diagnoses
By Niko Skievaski


Over the past decade, we’ve spent billions to digitize healthcare. Health IT was to bring us the same exponential efficiency gains that computers and the Internet brought nearly every other industry. But now that rooms of paper have transitioned into rooms of servers and swarms of software vendors attempt to surf the wakes of legacy EHRs, the acute impact of this stoic transition begins to appear. Some of these newly diagnosed ailments are approaching risk of epidemic.

I am writing this to discuss our findings from a 300-vendor study attempting to understand the root causes, and most importantly, the prevention measures individuals can take when confronted with known early symptoms.

Type 1 and 2 MU (further mutations into Type 3)

An early stage MU diagnosis was a catalyst to much of the following conditions. In 2009, it first appeared in populations incentivized to spread it via certified EHR technology. If caught early, although not curable, it could have been contained and controlled. However, it soon became chronic and subsequently categorized as type 2. And it looks now as though a more progressive mutation is afoot, growing beyond incentivized to penalized attestation.

Hyperactive Click Finger

Most commonly affecting the right index finger, hyperactive click finger (HCF) resulted from premature adoption of EHRs as spurred by type 1 MU. Market driven adoption would have controlled click counts to safe levels as sovereign end users would have chosen vendors based on efficiency gains, rather than subsidy. A regimen of optimization efforts led by EHR therapists is a potential solution that some patients have found effective. However, these therapies are usually administered at extremely high hourly costs and repeated consults are inevitable.

Acute Alert Fatigue

As MU progressed to type 2, clinical decision support combined with CPOE brought on acute alert fatigue in provider populations. This is commonly misdiagnosed as Bipolar Disorder or mild Tourette’s. Comorbidities frequently include HCF. EHR vendors have backed off heavy alerts and periphery vendors are beginning to set precedence with FDA clearance for forceful support. Additionally, alerts are normally hard-coded based on known errors and omissions, thus avoiding opportunity for proactive machine learning.

I14Y Virus

An infectious disease has been uncovered: I14Y Virus (interoperability influenza). Red blood cells clump together and bind the virus to infected cells, making it extremely difficult to share data between inhabitants. Additionally, the inconsistencies in data models create often insurmountable barriers for new software entrants that could otherwise bring increased efficiency and quality. New therapies, including acronyms like FHIR and SMART, are beginning to change public perception of the disease, yet it is still unclear to most of us what the heck they actually mean. Private middle layers are starting up to tackle known I14Y opportunities and a race to the cure is among us. The cure standard will be defined by what is adopted, not what is agreed upon in committees.


Patients and providers are affected by hyperportalitis similarly. Yet it affects each population quite differently. Upon surfacing symptoms, patients simply disengage, causing aggregated MU. Affected providers, under mandate to comply, simply write usernames and passwords on sticky notes under keyboards, or in severe cases, on the frames of their computer screens. This exacerbates conditions leading to potential risk of HIPAAppendicitis.


Despite repeat training videos depicting hospital elevators polluted with oral PHI leaks, we still run a high population risk of HIPAAppendicitis. This creates risk-averse symptoms of committee meeting purgatory and sluggish adoption of innovative cloud-based software therapies.


This is by no means a comprehensive study. I welcome review from my distinguished peers who subscribe to this journal, as well as subsequent research and inquiry. There will be an open comment period prior to the amendment of ICD-10.

Niko Skievaski is co-founder of Redox.

Readers Write: Is Health IT Guilty of Being a Worm in Horseradish?

Is Health IT Guilty of Being a Worm in Horseradish?
By Nick van Terheyden, MD


A survey conducted at HIMSS15 found that patient satisfaction and patient engagement rank among the top priorities for CIOs. In fact, they rank above improving care coordination, streamlining operational efficiencies, and achieving Meaningful Use.

The tides are clearly changing. We’ve all been talking about what the shift to a value-based care model means for healthcare organizations. What we haven’t been talking about is how this shift is transforming our patients into “prosumers.”

There’s a saying, “To a worm in horseradish, the world is horseradish,” meaning we are predominantly aware of that which we are surrounded by on a daily basis. Health IT, in all its intricacies and expansiveness, has become hyper focused on making sense of its nebulous infrastructures, working hard to prepare healthcare organizations for the next new wave of regulations. Our world, while not horseradish, is composed of goals and milestones that are 100 percent contingent upon these systems.

But, as yet one more unintended consequence of this pursuit, we have become myopic. The business of healthcare is no longer simply confined to a hospital or an IDN site map.

Patients are reaching for their phones, not to call their doctors, but to research their symptoms. They’re educated buyers, looking up reviews before seeing a new specialist, just as they would before buying the latest gadget on Amazon. And, as we enter the era of the Internet of Everything (IoE), they want their wearable devices to meaningfully connect as simply as when they use their phones to play songs from the playlist on their laptop.

It becomes a challenge of sustaining the momentum of the moment. As the wearable trend continues to grow, it is not merely enough to count steps or measure the amount of UV rays absorbed. That won’t keep patients engaged. We need statistics and personal health trends that can be used to foster a richer, ongoing dialogue between patients and their physicians.

Consider the positive health implications for a patient who receives a treatment plan from her doctor, which is entered into the EMR during the visit and connected to a three-question daily check-in for three months via a mobile device. The patient could provide a thumbs-up, thumbs-down, or neutral rating (think Pandora playlist) on how the treatment is working, with perhaps an option to enter free text should she choose to expound upon her responses. These daily reports could be aggregated into trends and reviewed by a clinician to make adjustments to the treatment plan as needed, extending patient care beyond the confines of the four walls and the 12 minutes of an office visit.

Connectivity and personalization is the zeitgeist. CIOs know this. We are all unique snowflakes, and as more and more people submit their genes for analysis and mapping, we’re proving the increased drive for individuality. While the industry is pushing for population health (a laudable vision indeed), patients are looking not to be considered in aggregate, but to be treated with the same personalized attention they experience when they go to a favorite restaurant where the wait staff recalls their usual order or when they go to a website that remembers all their previous preferences. It’s about not starting from square one every time.

Patients aren’t going to tolerate the disconnect in healthcare forever. And as digital natives, some generations won’t tolerate it at all. The day is coming where a patient will ask her doctor, “Did you notice that my headaches seemed to lessen on those days I go to the gym? I’m wondering if there’s a connection?” If her physician isn’t paying attention to her, she will find a physician, or perhaps even an intelligent medical assistant, who will.

Nick van Terheyden, MD is CMIO at Nuance Communications.

Readers Write: Big Data, Small Data, Meta Data, See Ya Latah

Big Data, Small Data, Meta Data, See Ya Latah
By Jim Fitzgerald


It’s the RESTful, object store, file and block make me snore, it’s still bits and bytes to me……(sorry, Billy)

I just got back from HIMSS. Big data, like savoir faire, is everywhere. The cynical side of me says that technology vendors just want to sell more disk or flash drives. The analytical technical businessperson somewhere inside me says that the real play for the people trying to sell you and me on big data is in the tool suites for managing, monitoring, sorting, searching, and processing big data. We will be lured in with open source tools like Hadoop, and then when the hook is deep enough, the vendor community will point out to us why we need their quasi-proprietary toolkit to enhance the “limited feature set” and “programmer required” aspects of Hadoop.

Don’t read me wrong. I think I am a fan of this. Why the qualification? Big data, taken to its logical extreme and paired with some artificial intelligence, can help my doctor process all the environmental, social, and lifestyle data related to me and correlate it with the highly structured “small data” in my electronic health record to zero in on, and advise on, the real underlying issues behind my health that go well beyond the “sick care symptom” I am presenting that day.

The vague and slowly clarifying healthcare zeitgeist around population health and “well care” probably won’t be realized without employing big data management techniques as an everyday tool. This apparent service to humankind will be aided and abetted by small and large chunks of data streaming up to the cloud from the “personal Internet of things” that I already own and the things I am considering, like Apple Watch.

The cautionary note comes from my informed-paranoid fear of Big Brother. I have Orwellian visions of the healthcare police showing up at my house and herding me into the quarantine van for a stint of “voluntary rehab” after some warehouse full of seemingly disconnected Facebook posts, Yelp reviews, sensor numbers, and Whole Foods Market receipts mistakenly puts me on a high-risk list for the next pandemic. I won’t even go off into the potential side rant on all my voluntary and involuntary surrenders of my privacy rights along the way, although I do think the court system should brace itself for the onslaught.

Let’s hope my paranoia amounts to nothing more than the receptionist not being a bit surprised that I showed up in the doctor’s office that day because the data-lake-fed-AI predicted I would and had already authorized my insurance and sucked all the available fresh data on me into a useful visualization for my clinicians.

What’s the difference between big data and small data? The short version is that big data is generally considered to be an unstructured collection of data objects. Unstructured in this usage implies that there is no classic structured database format imposed on the data. The unstructured data could be a song captured as MP3 or AAC, a simple list of my last 20 temperatures stored in my Apple Watch, or a photo just taken in the ED of the festering wound on my right leg.

Big data is generally big because it is a vast collection of objects. Sometimes big data is big because the individual objects are prodigious on their own, and are also known as BLOBs or binary large objects – for example, your favorite “Breaking Bad” episodes that are still sitting on your iPad. It could really be anything, including a file that has a structure and order of its own, but is being considered as part of a greater set of data molecules in a “data lake.”

Storing data as objects, most commonly done on the Internet with RESTful storage protocols, is an increasingly normal trick in the world of data storage and management. When we store data as objects, we don’t care all that much about structure, or about the nature of the data, or about its accessibility by a particular file system or operating system. That problem is shifted from its traditional place in the OS or the storage array and is moved to the app. (notice I did not say “application.”)

To the extent that we care about the objects in an object store (an allegedly safe place to put objects) we may tag them as they go in with meta data, which everyone who has followed the Edward Snowden story knows is “data about the data.” In fact, the object might get multiple tags. One might be a lookup address or unique ID in the object store and one or more others might be some common descriptor of what is in the object itself. Hence the chaos of unstructured data may, in fact, have some external structure imposed on it by some rules-based system ingesting the data objects.

In truth, small data is still where the rubber meets the road in today’s healthcare information systems. The organization or structure of that data by the HCIS in a pre-defined database provides the accuracy and confidence clinicians need to treat me and administrators need to bill me. It generates the endless arguments and the grossly inefficient cottage industry that has sprung up around HIEs. (do we really need to argue on what the “first name” field means?)

Big data can provide inferential context for small data, but it cannot supplant the precise articulation or definitive metrics collected and presented, in context, to help treat me. Small data is so important that we protect it not only in context of its integral structure in a database, but also in some cases at the file system, operating system, and storage subsystem levels. In many cases via RAID technology, backups, and replicas we have so many copies of the same small data that it is really not very small at all; but hey, in the days of petabyte and zettabyte data lakes, a few terabytes looks more like a data puddle.

There is, however, an economic force in play here. Depending on whose numbers you believe, big data on object stores is four to 20 times cheaper to manage than an equivalent amount of small data being managed by a production application in a Tier 1 SAN. The “apps” which are slowly arriving in healthcare (and may continue to arrive) may be happy just to slam a bunch of tags on an object and call it a day. Then we will have “tag oceans” and “tag bagging” toolsets with cute animal logos, and the circle of data will continue to self-perpetuate.

Jim Fitzgerald is technology strategist and EVP at Park Place International.

Startup CEOs and Investors: Bruce Brandes

All I Needed to Know to Disrupt Healthcare I Learned from “Seinfeld”: Part V – Yada Yada Yada
By Bruce Brandes


Most every company talks about their elevator pitch, which is intended to be a brief summation of the business to intrigue one to want to learn more. My question is this: exactly how long are the elevator rides some people are taking? More broadly, in any sort of business interaction, how do you best balance brevity vs. meaty detail?

The Webster’s definition of the phrase “yada yada” is "boring or empty talk often used interjectionally, especially in recounting words regarded as too dull or predictable to be worth repeating." Anyone still recovering from the HIMSS conference can likely recall many conversations where yada yada would have been a very welcomed interjection.


Our old friend George Costanza once dated a woman who often filled in her stories with the expression yada-yada, leaving out much of the detail. Jerry praised her for being so succinct (like dating USA Today) but not knowing the full picture drove George crazy. So opens the debate: is yada yada good, or is yada yada bad?

As discussed in an earlier column, most pitches are too long and generic. A little yada yada to help you explain your company in 60 seconds or less is very good. In calculating how to consolidate your elevator pitch, reread the Webster’s definition above and be sure to yada yada overused, now almost meaningless buzzwords like “patient engagement,” “big data analytics,” or “telemedicine.”

Instead, focus on concisely describing why your company exists, what problem you solve, and how you deliver that solution in a way that is clearly superior or more simple than the masses. Even 60 seconds might seem like a long elevator ride to your audience if you do not make a compelling initial impression in the first 15. Without the yada yada, you are not getting a first meeting.

Better yet, if your solution is as vastly unique and compelling as you may perceive, perhaps its simplicity speaks for itself. Did Apple need to yada yada when it introduced the iPad? In his book “Insanely Simple,” Ken Segall describes the cultural foundation which led to Apple’s development of transformational products so simple and obvious that a two-year-old or a 90-year-old could just intuitively understand them.

For real game-changing solutions, an unspoken yada yada is implicit. For example, in philanthropy, the Human Fund’s mission statement – “money for people” – enticed Mr. Krueger with its understated stupidity.

However, the buyers of and investors in healthcare technology solutions are remiss to not press for the substantive details and validation of claims glossed over by the yada yada. How many HIStalk readers have been burned by extrapolating assumptions from high-level vendor assertions only to later recognize in the fine print that some important information was omitted by a yada yada?

  • Q: Where does your system get all the data you are showing in your demo?
  • A: Once you sign the contract … yada yada yada … we integrate seamlessly with your EMR.

  • Q: How do you achieve your revenue projection of growing 20x in two years?
  • A: We had meetings with people at both HCA and Ascension about doing pilots … yada yada yada … we forecast 300 hospitals next year.

Let’s try to yada yada some of the memorable events in healthcare IT history.

  • We acquired five more companies which will be integrated by next quarter … yada yada yada … we beat our forecasted revenue numbers. (every HBOC quarterly earnings call in the 1990s)
  • We closed on our acquisition of HBOC … yada yada yada … our market cap dropped $9 billion today. (McKesson 1999)


  • We are putting out an RFP to evaluate vendors and purchase a new enterprise electronic medical records system … yada yada yada … we bought Epic. (any academic medical center in the past 10 years)
  • We are making great progress on our successful Epic rollout … yada yada yada … we are announcing major budget cuts to protect our bond rating. (that same academic medical center three years later)

I contend that yada yada is both good and bad. Mastery of this notion leads to knowing when to use the figurative yada yada to establish appropriate interest, rapport, and trust. It is equally important to know how and when to effectively press for critical information which the symbolic phrase may be concealing.  

Bruce Brandes is managing director at Martin Ventures, serves on the board of advisors at AirStrip and Valence Health, and is entrepreneur in residence at the University of Florida’s Warrington College of Business.

Startup CEOs and Investors: Michael Burke

The Shifting Incentives of Startups
By Michael Burke


Mr. H asked a few startup CEOs to give his readers an “inside baseball view into a world that a lot of us will never see as employees” — the world of starting and running a startup company. In this post, I’ll try to honor the spirit of that request by describing how incentives in an early-stage startup create an environment that is simultaneously thrilling, rewarding, and terrifying. We’ll then discuss the challenge of maintaining a startup’s culture while these incentives change.

I’ll start first with a sweeping generalization:

An early-stage startup company’s incentives are more purely aligned with their customers’ incentives than any other size, stage, or structure of business.

Think about it. At this stage, it really doesn’t matter whether the founders want to build a great company, make the world a better place, or make a big pile of cash. They can’t do any of these things if they don’t focus exclusively on the success of their early customers. This singular focus is a luxury not afforded to companies of other stages. These purely aligned incentives create an environment of productivity and creativity like no other.

Does this alignment of incentives guarantee success? Absolutely not. I’ve noted in an earlier article that the odds of success for a startup are low. There are a million things that can go wrong. The alignment of incentives does, however, mitigate the risks to some degree.

Now I know that most companies of various stages consider their customers important and would assume on the surface that their interests are aligned with those of their customers. But until they’ve pledged their house and savings to guarantee a loan for working capital, they don’t know what a real incentive feels like. That’s the terrifying part.

Shifting Incentives and OPM

Incentives often change as a startup grows. The really great companies find a way to maintain the positive elements of their culture during these periods of change. It’s not easy to do.

There’s a phenomenon in the startup world that is repeated time and time again. A scrappy startup that was efficient with the little bit of capital it had gets a big chunk of money from a VC. Then they start to suffer from OPM (Other People’s Money) syndrome. They start to think that they really need those golf bags emblazoned with the company logo. They over-hire. They move away from making small, responsible bets to Vegas-style gambles. It’s not entirely their fault. Their incentives have shifted.

Because of their new outside investors (who may now have a controlling interest but almost certainly have preferential exit terms), they now have to hit a grand slam. The fund needs to generate a 10X return in 3-5 years. A base hit, double, or triple might cover the VC’s vig, but it won’t put any money in the founders’ pockets.

In order to generate this sort of return, companies are strongly incented to focus exclusively on short-term revenue growth and ignore long-term investments in people, product, and process. In a parallel universe, big public corporations often find that their incentives diverge with those of their customers when it comes to the obsession with quarterly earnings, sometimes at the expense of similarly necessary investments in people, product, or process.

Some companies manage to maintain their focus and keep their culture intact through these and other changes. As a result, they often deliver exceptional value to their customers.

Freedom and Responsibility

Most successful startups are usually characterized by a culture with freedom and responsibility at its foundation. The freedom isn’t just a cultural choice; it’s a requirement. Top-down management structures just don’t work in a startup. The glacial speed of command and control environments is absent the requisite flexibility, productivity, and creativity. Distributed, self-organizing environments are required in the early stages to learn quickly, fail quickly, and adapt quickly.

Responsibility is the opposite side of the freedom coin in a startup. It makes the selection of the startup team absolutely critical. Folks who are attracted to working in an early-stage startup seem energized by this environment of responsibility. There’s just no place to hide in a startup, and nearly every decision is important. You need folks who are willing to act and to take responsibility for their actions.

In the early days, this culture of freedom and responsibility often emerges organically as a byproduct of the nature of the work and the requirements placed on the team. As a company grows, however, it needs to be much more intentional if it wants to keep the magic going. When we were a few founders in a room, we didn’t have to worry about vacation policy. No one planned to go anywhere until the work was done anyway. Now, when we hire a new employee, we need to have an intelligent answer to the question. So our answer is: take whatever time you want. We care about results, not about punching the clock.

One of the really great things about a startup is that you get to collectively define a culture with a relatively small group of folks. That’s a very exciting and fulfilling process. Contrary to popular belief, this definition of culture doesn’t come from the top down. Don’t get me wrong — a founder/CEO can single-handedly screw up a company’s culture, but the CEO can’t define it unilaterally. A founder/CEO can be a part of the process of a company’s emerging culture, but only a part. In my view, the most influential part a CEO can play in the intentional cultivation of culture is in hiring decisions. Secondarily, a CEO can make sure the policies of the company appropriately support the required culture of freedom and responsibility. Policies are fine, but in a startup, it matters much more what you do than what you say.

No Shortcuts

The bottom line is that startups can’t focus on the finish line if they want to be successful. They have to find a way to set aside the numerous distractions and shifting incentives of fund raises and exit strategies and simply focus on building a great company that delivers great value to customers. Protecting their company’s culture is a big part of this. If they can maintain this focus, they increase their odds of long-term success dramatically.

Michael Burke is an Atlanta-based healthcare technology entrepreneur. He previously founded Dialog Medical and formed Lightshed Health (which offers Clockwise.MD) in September 2012.

Readers Write: Chicken or Egg?

April 27, 2015 Readers Write 3 Comments

Chicken or Egg?
By Niko Skievaski


HIStalk recently released these poll results: “Which #1 reason would cause you to avoid doing business with a startup?” (n=350):

  • Fears that the company isn’t financially viable (47 percent)
  • Offering a product that solves a non-strategic problem (21 percent)
  • Lack of integration with existing IT systems (17 percent)
  • Lack of comparable reference sites (10 percent)
  • A CEO who doesn’t have poise, polish, or healthcare experience (5 percent)

These embody many of the technology adoption barriers facing healthcare. Startups are perceived as being unable to commit to long-term contracts and lack reference sites to build confidence in buyers, just as the first chicken couldn’t have been hatched without the egg from which it came. These things combined make for a very difficult landscape for healthcare technology startups to thrive in. So who lays the egg?

Fears that the company isn’t financially viable. It’s extremely costly for a health system to adopt new technology. Beyond the price tag, there are real costs associated with implementation and training necessary to successfully go live. The last thing they want is to be left hanging if your company goes under. Jason Bornhorst, who exhibited the last two years in the HIMSS startup neighborhood, said, “I’d estimate that about two-thirds of the companies that were here last year aren’t around any more.” The fact of the matter is that you need to have the resilience to ride the bone-breaking sales cycle. They’ve been practicing medicine without your software for 100 years; they can wait another 1-2. How do you bootstrap financial viability to last the long sales cycles and combat this perception? Raise more money, find alternative revenue sources, join an accelerator or two to buddy up with health systems, and surf the cycle efficiently.

Offering a product that solves a non-strategic problem. This isn’t so much a market failure as it is a customer development failure. Start a better startup. Don’t start a bakery because you’re a good baker. Start a bakery because there is excess demand for baked goods. I just hope that the buyers at health systems are delivering this intuition directly to the startup in addition to anonymous HIStalk polls.

Lack of integration with existing IT systems. Integration is a must. It’s not enough to say, “Use our product in a standalone capacity during the pilot and we’ll figure out integration later.” Providers hate double documenting and clicking. Forget switching windows. Their complaints bog down IT teams. Both of these groups will throw a block at your pitch if you don’t have a solid answer for interoperability with existing systems, both from a technical perspective as well as implementation. There’s a new wave of startups out there providing modern integration strategies for startups attempting to interoperate with the EHR.

Lack of comparable reference sites. One of the mantras I learned back at Epic is that every single customer should be able to be considered a reference site. It’s that level of customer service and do-anything-ness that makes them stand apart as a vendor. The space is too small to simply write off any customer as a lost cause. If a health system chooses to work with us, we need to do everything possible to make sure they’re a good reference site for future customers.

A CEO who doesn’t have poise, polish, or healthcare experience. Have you met Judy Faulkner, Chris Patterson, or Jonathan Bush? Just a few examples of eccentric, throw-caution-to-the-wind type personalities who oversaw successful EHR startups. But you need to know the audience of decision makers. If you’re new to healthcare, welcome to the wild world of buzzword bingo. Get conversational stat (yep, that’s a healthcare word). Read books, blogs, HIStalk. Listen to podcasts. Go to HIMSS and actually listen to some sessions that relate to your domain. You wouldn’t buy a car from a guy that didn’t know the difference between a carburetor and catalytic converter. Be sure that you can demonstrate that this isn’t your first rodeo. Manufacture your “experience” by becoming an expert in the domain.

Mr. H, maybe a survey on top reasons to work with a startup next time?

Niko Skievaski is co-founder of Redox.

Readers Write: The Journey to Value-Based Care: Lessons Learned from Aviation

April 27, 2015 Readers Write 1 Comment

The Journey to Value-Based Care: Lessons Learned from Aviation
By David Nace, MD


The Affordable Care Act (ACA) and healthcare reform have impacted providers in all aspects, from the way they are and will be paid to how they engage patients. To meet the deadlines and demands of an industry shifting to value-based care (VBC), physicians must change their thinking from independent to team-oriented in order to succeed in this new world.

VBC is empowering an evolution within the overall healthcare community, especially amongst physicians. This is enabling a focus on delivering high-quality care to patients. The Meaningful Use and EHR certification programs have helped all provider organizations get closer to the more meaningful use of information technology, but the requirements also pose many challenges for providers.

These challenges should not be met with resistance. The physician community should embrace the call for change. The aviation industry went through a similar revolution, in which reform required pilots to adapt to new methods of communication and technology to ensure safer flights.

Traditionally, physicians are independent and competitive in nature. They didn’t go through rigorous selection and testing over nearly eight years of higher education to merely coast by – they have an innate drive to be successful and help people. Value-based care, in theory, plays to their personality traits and gives them the motivation to achieve even higher goals.

However, physicians have a hard time trusting data or measures that they do not understand, especially when their evaluation is out of their control and input. For example, a 2014 survey of 4,000 physicians found 78 percent reported patient satisfaction ratings moderately or severely affected their job satisfaction and 28 percent considered quitting their job or leaving the medical profession.

To add to this statistic, most organizations do not have the appropriate communication, technologies, and data collection sources and processes put in place to understand the measurements being imposed on them. To tackle this challenge, hospital executives and physicians need to improve physician communications and transparency with regard to measurement.

Pilots faced a similar disconnect during the 1980s. Training a pilot occurred in an apprenticeship model — you learn from a “master” and through them learn their personal techniques and strategies. It really was a “master craftsman” mentality of mentorship.

This method of training and learning led to variations in practice and high accident and death rates associated with aviation. The practice was not based on teamwork or leveraging technology for standard operating procedure. No Global Positioning System (GPS) or Cockpit Resource Management (CRM) was utilized – it was all based on the techniques and approach of pilots. To understand the technologies imposed on them and to improve quality of flight, the way pilots were taught changed to a team-based approach that focused heavily on communication and transparency, data, and standard operating procedures.

There is a similar revolution coming to the world of medicine. Many of the physicians of tomorrow are beginning to prepare through team-based, information-driven training. Young physicians in training are being proactive in understanding the methodologies and technologies of today and starting grassroots movements — for instance, Primary Care Progress — to inform and inspire newcomers to the industry. Medical students are increasingly being trained in groups (versus one-on-one) to leverage the concept of teamwork and to better understand the evolving healthcare industry and their role in the transformation.

Change is inevitable in any organization. New rules, methods, and technologies will always cause a shift. These transformations should not and cannot be met with resistance, but with an open mind, as everyone needs to work together toward the end goal.

Pilots needed to adapt and alter their training and methodologies during flight to fly in a safer, more efficient manner. Similarly, providers must do the same with value-based care. The more collaboration, the smoother the ride will be.

David Nace, MD is vice president and medical director of McKesson Technology Solutions.

Readers Write: Why Some Physicians are Opting Out of Meaningful Use Attestation

April 3, 2015 Readers Write 3 Comments

Why Some Physicians are Opting Out of Meaningful Use Attestation
By Charles Settles


Since its inception, the Meaningful Use Incentive Program (MUIP) has paid out nearly $30 billion worth of incentives, but a rising number of physicians are opting out. Why?

2011, the first year of the MUIP, saw widespread interest. Nearly 200,000 eligible providers (EPs) and over 3,000 hospitals completed registration for either the Medicare or Medicaid versions of the program, according to the latest summary report from CMS. However, much of this original momentum appears to be lost. 2014 saw under 73,000 EPs and just 108 hospitals register across both programs.



Altogether, 515,158 registrations have been completed by EPs across both programs, with 415,550 unique EPs receiving an average of $25,190 in incentive payments. According to the CMS’s latest data, just over half of eligible providers have received an incentive payment. But what about the other (at least) 40 percent?

It can’t simply be a question of eligibility. According to Medscape’s 2014 EHR Report, only 22 percent of physicians are abandoning or have never supported the MUIP, but examining the CMS summary report suggests a much higher rate of attrition — only 23 percent of the 260,900 physician EPs who received a payment in 2013 received one in 2014. That translates to an attrition rate of just under 77 percent.

When considering the payments only by stage of the program, the numbers for physicians are even worse — only 5.7 percent of those physicians who received a payment for the first stage have received one for the second. More physicians will complete Stage 2 eventually, but the odds of making it to CMS’s 75 percent adoption rate target by 2018 appear to be growing shorter. The carrot simply hasn’t been enough.

The stick may not be enough either. If the 75 percent adoption rate target is not met, reimbursements stand to be cut by up to five percent. The average family physician, arguably the primary focus of the MUIP, receives about $100,000 per year from Medicare reimbursements, according to Dr. Jason Mitchell, former director of the American Academy of Family Physicians’ Center for Health IT. Since the penalties increase by one percent per year beginning with a one percent penalty in 2015, a physician receiving $100,000 annually could lose up to $10,000 in reimbursements through 2018. For some, the penalty is a small price to pay to not have to deal with requirements that they feel prevent them from delivering better patient care.

Dr. S. Steve Samudrala, medical director of America’s Family Doctors, was an early proponent of electronic health records, patient engagement, and other medical software systems. It seems ironic that Dr. Samudrala does not participate in the MUIP. Though his EHR (eClinicalWorks) is fully certified through Stage 2, Dr. Samudrala feels the reporting requirements for primary care physicians would prevent him from delivering the high quality, personal care his patients have come to expect.

He does acknowledge, though, that many independent primary care physicians have little choice in the matter — the incentives can make or break some smaller practices. Payments are shrinking, competition from hospital-owned groups is increasing, and medical practice brokers keep calling. Dr. Samudrala’s bet isn’t on incentives — he and a growing number of primary care physicians are proponents of what’s coming to be known as “direct primary care.”

The idea behind direct primary care, sometimes called “concierge medicine,” is to remove the expensive bureaucracy and processes associated with billing insurance or government programs and offer services directly to patients for a monthly or annual fee, supplemented by small co-pays. Though the number of successful direct primary care practices is small, and the trend doesn’t solely explain the number of physicians opting out of the MUIP, rising interest in the concept makes it worth mentioning.

Ultimately, the MUIP will likely be viewed as a success if widespread adoption of health IT was the goal. Adoption doubled between 2009 and 2013. Even if physicians don’t meet all the requirements to receive incentives, the benefits of health IT to providers, payers, and most importantly patients cannot be denied. We’ll likely see even more attrition from the MUIP with the announcement of the Stage 3 rules, but despite the growing disillusionment with the program, EHR and other health IT is here to stay.

Charles Settles is a product analyst at TechnologyAdvice.

Readers Write: Your Interfaces Suck Because You Want Them To

March 30, 2015 Readers Write 7 Comments

Your Interfaces Suck Because You Want Them To
By T. Ruth Hertz

Your interfaces suck because you want them to. Yup, that’s the stone cold reality. 

I am looking at you, Mr./Ms. CIO. You may talk all day about interoperability, data normalization, HIEs, standards, etc., but unless the right data in the right format gets to the right place at the right time, you are wasting time and money and possibly risking patient safety.

But wait, you say. We insist that all applications have HL7 interfaces – we even put it in the contract! Yes, maybe you do, but do you take the time to get and review detailed specifications before you sign the contract? Do you require the vendors to demonstrate interfacing their application with the ones you already have? Not just give you a list of other clients that have “the same systems as you” but actually connect their system to your engine and downstream application test environments? How well would the physicians at your institution react to being given a list instead of a demo and/or site visit?

Do you let your interface experts ask the tough questions during due diligence? If you do, does it matter when the answers are wrong or evasive? Or do you just accept it when the vendor says, “You can fix it in the engine?” Do the interface experts get to go on the site visit, see the interface in action, and talk to the folks that have had to actually make the interface work?

Let’s face the facts:

  • It is in the application software vendor’s best interest to not interface well with other vendors’ apps. Selling a suite of apps that work well together but not well with others makes buying their products as a set look like the smart thing to do.
  • Application software vendors can make their interfaces work. They have the source code and the underlying database. They just need a very good reason to do so – like “no sale” if they don’t.
  • Your interface staff time isn’t free. All the time spent on analyzing, designing, and building workarounds to compensate for deficiencies in the sending and/or receiving applications costs hard money. That time is also time lost from other projects.

It’s time that the decision-makers who buy healthcare apps put a stop to this madness and insist that true interoperability be delivered by the software vendors – or no sale.

Readers Write: A Prescription for Getting Face Time with Doctors at HIMSS

March 30, 2015 Readers Write 1 Comment

A Prescription for Getting Face Time with Doctors at HIMSS
By Chris Lundgren


It’s no secret that it’s getting harder and harder to get face time with doctors. But I’m a sales guy, so I always see a silver lining in everything.

In this scenario, the silver lining is that doctors are just like you and me. They can’t live without their gadgets. Recent studies have shown that 75 percent of doctors own a smartphone and 55 percent use both a tablet and smartphone in their daily work. So while you may have a more difficult time connecting in person with doctors, you can still be very much connected.

The key to engaging doctors today is to use technology when the time is ripe. The upcoming HIMSS conference is the perfect example. It has a huge audience and nearly 60 percent of the attendees are healthcare providers. Let me repeat: thousands and thousands of doctors gathered in one space to live and breathe technology for five days. If that isn’t a jackpot waiting to happen, I don’t know what is.

Problem is, doctors are going to be running from one panel to another at HIMSS, so you can’t expect to get face time with them if you haven’t engaged them prior to the conference. And the way to do that is – you guessed it – through their gadgets. Here’s what I recommend:

  1. Ask them how they’re doing. Doctors are always asking others how they’re doing. Now that the pressure is on doctors to improve patient outcomes and reduce healthcare costs in measurable ways, it’s time to ask doctors how they’re doing and what’s on their minds. A quick and easy way to do that is a survey that asks 1-3 questions such as, “What topic(s) are you most interested in at HIMSS?”, “What do you hope to gain from learning about that topic?”, and “What other concerns are on your mind?”
  2. Make them a HIMSS-only offer. Limited time offers work time and time again because they create a sense of urgency. If you want to ensure that you get some face time at HIMSS, make sure you’re prepared to make offers that will only be available at the conference. Use the results of the survey to develop the offer or gather qualitative insights from your sales reps – what have their conversations revealed about doctors’ needs right now? Take advantage of email marketing for its quick response, analytics, and segmentation capabilities.
  3. Impress them with knowledge. A recent study showed that doctors are always hungry for new research, case studies, and other clinical knowledge that can help them in their work. But here’s the catch (and also the opportunity): they’re often too busy to look for it on their own. Do the work for them by delivering valuable content. Remember, they’re busy, so don’t deluge them with a library of links. Try a short list of statistics or a link to an article to get the conversation started. Tip: Information related to patients is hot right now and there’s a treasure trove of relevant content with a quick search.

Digital engagement is an essential component to any physician communication strategy. However, to maximize the results of such a strategy, the focus should be on quality rather than quantity. In addition, integrating a quality digital campaign with the right mix of print, mail, and telemarketing can optimize any effort. Be sure to get your reps to follow up with doctors on the phone or via email after a campaign goes out. Using this multi-channel approach can boost revenue by more than 10 percent. Good luck at the conference.

Chris Lundgren is VP of strategic sales for Healthcare Data Solutions of Lincoln, NE.

Readers Write: Twenty Things Vendors Need to Know About ONC’s New 2015 (Stage 3) Certification Program, But Were Afraid to Ask

March 24, 2015 Readers Write 7 Comments

Twenty Things Vendors Need to Know About ONC’s New 2015 (Stage 3) Certification Program, But Were Afraid to Ask
By Frank Poggio

On March 23, late on a Friday afternoon, ONC published two drafts of the proposed revisions to the 2015 Test Criteria along with new Stage 3 provider MU attestation requirements. Two separate large documents were published:

  • Electronic Health Record Incentive Program, Stage 3 Draft Rule (300+ page PDF)
  • 2015 Edition Health Information Technology (Health IT) Certification Criteria, ONC Health IT Certification Program Modifications (400+ page PDF)

The first covers the proposed rules for MU Attestation for Providers under Stage 3. The second addresses proposed test criteria and requirements for vendors and revised operating rules for the Accredited Certification Bodies (ACB).

Already there has been a great deal of discussion on the first MU requirements document since it impacts all providers, while the second document is aimed at vendors and system developers and has received little attention. I commented on the MU provider piece on HIStalk earlier this week and will focus now on the impact on vendors and system developers. Some of my vendor clients have been calling and emailing me asking, “What’s changed for us?” Others are afraid to ask.

Suffice it to say there are some major additions and revisions to the test criteria and process that will give system developers heartburn, or maybe a K51.914 (ICD10=ulcer).

Before I dive into the document, let’s remember that back in 2013 ONC disconnected the MU Stages from the certification test versions. The concept that a vendor is Stage 2 or Stage 3 certified is almost meaningless since a provider could MU attest to Stage 2 using either modified 2011 test criteria or the 2014 criteria. With the eventual issuance of these new 2015 criteria, for a short period providers can Stage 2 attest using a vendor’s 2014 certified product, or if available, the vendor’s 2015 certified product.

All 2015 Test Criteria are now referred to as the 170.315 regulations. At this time, these are just draft proposals that will be formally published in the Federal Register on March 30, 2015. Then after a 90-day comment period, some revisions will be made, with the final regulations issued in the July-August timeframe.

Using the last two cycles of draft rules versus final issued regulations, I predict that some 90 percent of what is now proposed will be adopted into law. So fasten your seat belts — here we go. Some highlights (or lowlights?) are:

  1. Privacy and Security (170.315 d1-d7). There are some minor changes in several of these tests, such as access, time outs, integrity, device encryption and audit logs. But now under 2015 testing, they have become mandatory if a vendor wants to test out on other criteria, such as Demographics. The P&S tests were mandatory under 2011 (Stage 1), then ONC made them optional for 2014, now they are back in the mandatory column. To paraphrase ONC, it’s all due to the never-ending march of data breaches. An added requirement to P&S which is stated in the MU regs, but not in any specific test criteria, is that vendors now must attest to having completed a HIPAA risk analysis of their product whenever they install new releases or updates. Here’s why. In order for providers to be compliant with MU and HIPAA, they will have to get an attestation from the vendor before they install any update. The provider MU regulations state on page 64: “EPs, eligible hospitals, and CAHs must conduct the security risk analysis upon installation of CEHRT or upon upgrade to a new Edition of certified EHR Technology.”
  2. Demographics (170.315 a4). ONC wants coding for language and ethnicity to support all 900 OMB codes and all RFC 5646 ethnicity codes. But ONC acknowledges that a drop-down list of 900 data elements might cause workflow problems, so they have said a full drop-down list is not required. You just need to show in a test you support all the codes and can tailor the list for each provider client.
  3. Vital Signs (170.315 a6). All values must have LOINC codes. Data elements have been expanded and pediatric vitals have separate criteria.
  4. Advance Directive (170.315 a17). Now you have to electronically capture and track the AD. No more just check a box and who cares what file drawer it’s in.
  5. Medical Implants (170.315 a20). Must now be tracked and reported.
  6. Social, Psychological, and Behavioral data must now be captured and tracked using LOINC and SNOMED coding. (170.315 a21).
  7. Clinical Decision Support tools must be linked to Knowledge Artifacts formatted in the HeD standard Release 1.2. (170.315 a22).
  8. New “decision support – service” (170.315 g6) certification criterion requires technology to electronically make an information request with patient data and receive in return electronic clinical guidance in accordance with an HeD 1.2 standard.
  9. New CDA standard (170.315 b1). The C-CDA standard is now the single standard permitted for certification and the representation of summary care records. An updated version, HL7 Implementation Guide for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm), Draft Standard for Trial Use, Release 2.0, includes the following changes: the addition of new structural elements (new document sections and data entry templates); new Document Templates for Care Plan, Referral Note, and Transfer Summary; and new Sections for Goals, Health Concerns, Health Status Evaluation/Outcomes, Mental Status, Nutrition, Physical Findings of Skin, etc.
  10. CDA system performance (170.315 g6). As part of the focus on interoperability, ONC is requiring performance standards for data transfers of CCA/CCR. Data transmission of CDAs will be tested for volume and response times.
  11. XDM packing of View/Download/Transmit and CCR/CCD with incorporation of industry APIs using the IHE-IT infrastructure standard.
  12. Data Portability has been broken out into Send/Receive as separate components (170.315 b6).
  13. Care plans (170.315 b9). ONC proposes to include the “assessment and plan of treatment,” “goals,” and “health concerns” in the “Common Clinical Data Set” for certification to the 2015 Edition. The “assessment and plan of treatment,” “goals,” and “health concerns” are intended to replace the concept of the “care plan field(s), including goals and instructions” which is part of the “Common MU Data Set” in the 2014 Edition.
  14. CQM (170.315 c1). Has been expanded into separate segments: filters, create, import, and calculate.
  15. Quality Management System (170.315 g4-g5). Now includes an “access-ability technical component” in accordance with ADA. The QMS must be mapped to a federal guideline or industry standard. (No more home-grown QMS process/tools.)
  16. Safety Enhanced Design – SED (170.315 g3). Expanded and requires specific and detailed usability test documentation. ONC recommends following NISTIR 7804 “Technical Evaluation, Testing, and Validation of the Usability of Electronic Health Records” for human factors validation testing of the final product to be certified. They recommend a minimum of 15 representative test participants for each category of anticipated clinical end users who conduct critical tasks where the user interface design could impact patient safety.
  17. Authorized Testing Bodies (testing agencies) are now required to conduct surveillance (audits) on at least 5 percent of vendor installs (or max of 10) every year to verify that the certified system in fact meets each certified test criteria.
  18. Attestation for Price transparency. ONC wants vendors to disclose material system limitations on their web site and in marketing materials. The vendor must also disclose any material add-on costs such as transaction fees to support interfaces/interoperability, etc. and supply any requesting entity a reasonably accurate cost estimate of total system costs. That’s ANY requesting entity, not just prospects or for bid requests.
  19. ONC wants monthly reports from the testing agencies on provider complaints and counts of vendor updates and modifications. If the number of updates/modifications exceeds a set number, the ACB is to call the vendor back in for re-testing.
  20. ONC predicts the rules and test criteria will be finalized by mid-summer and vendors will work “aggressively” in 2016-17 to modify products and meet the target date of 2018 to support Stage 3 provider attestations, which will require a full year of calendar data from providers.

ONC estimates that all vendors together will have to invest approximately $300 to $400 million to effect all these changes. They calculate there are 81 unique vendors with certified products, hence an average cost of $4-5 million each, which does not include the time and cost to go through the test process.

ONC states they will continue with the “Gap” test process, meaning if you passed a test criterion under 2014 and there were no (or minimal) changes for the 2015 criteria, you get a bye. Given the preceding, my advice is if you’re a vendor that is not yet 2014 certified, you really want to get it done sooner rather than later. My experience tells me that being 2014-certified for as many criteria as you can before the 2015 criteria are cast in stone will be a better place to be.

Lastly, ONC states that the 2015 Test Criteria and Stage 3 Provider MU Attestation rules will be the last Stage for MU, but that the rules and test requirements will continue to be revised and expanded as ONC deems necessary. I guess we can next expect Stage 3.1, along with revised test criteria 2015 dot 1, dot 2 … can anyone see a light at the end of this tunnel?

Frank Poggio is president of The Kelzon Group.

Readers Write: Ignorance of the Major EMR Software Vendors is Not Bliss

March 23, 2015 Readers Write 10 Comments

Ignorance of the Major EMR Software Vendors is Not Bliss
By Tyler Smith


We in healthcare IT have found ourselves in a pretty sexy industry. You know that is true when Silicon Valley is practically banging down the doors to get in and KPCB’s John Doerr states that he would really like to see an open source competitor to Epic created. Damn, so Valley money admits it is losing to a slowly built behemoth in Madison – not a brand spankin’ new startup it missed an angel round on.

Needless to say, HIStalk’s Startup columns are quite a timely addition to the blog. I particularly enjoyed reading Marty Felsenthal’s explanation of the elite JPM conference. Having heard about the conference from banker friends (not HIT colleagues), his column removed much of the mystique. Being a fellow Atlanta resident and having visited the Atlanta Tech Village before, I also have greatly appreciated Michael Burke’s articles on the experiences of an HIT founder in Atlanta.

I recently co-founded a startup that aimed to bring efficiency to the Epic staffing arena by using very simple tools already in place in other industries. I do not want to call it the Uber of Epic staffing – for fear of sounding like a hack – but the basic idea was a connection platform with ratings for Epic certified consultants. While we have put the project on hold due to some shakeups on our technical team and also due to slow buy-in from provider organizations (our target clients), the pause in the action has given me time to reflect on the current state of HIT startups – particularly those looking to nibble on the enterprise EMR vendors’ scope of services.

Along with Mr. H and most readers here, when anybody from the outside comes and brings a new idea to the HIT table, I am usually skeptical. For starters, most entrants do not understand the complexity of the hospital / provider organization buyer or the provider organizations’ importance in the system. In theory, I love the idea of patient advocacy and patient-centric apps, but if providers or the systems that house them aren’t buying it, you better have something that patients see as life or death (read: an HIV curing drug, not a sleep tracking app) if you want them to fight the entrenched stakeholders for you or with you to make your startup relevant or widely used to truly create positive clinical outcomes.

Secondly and most importantly, many of these outsiders do not understand the current state of the EMR vendor landscape, and if they do, they arrogantly think they can steal market share while the enterprise systems watch from the sidelines. True, Epic and Cerner’s UX can appear very basic from an end user standpoint and it often appears that the enterprise systems do not cover even close to all the functions that could be automated in a hospital or healthcare delivery organization. However, it would be naïve to think that these vendors have no big plans to tackle all of these remaining un-automated functions in the near future. When they do, unlike many of the new startups, these vendors will be able to simply make an additional sale to their already heavy client lists instead of having to undergo the arduous process of breaking down the doors to just get on the approved software vendor list at a major healthcare system.

The truth is that healthcare IT is a B2B market, not a consumer market. Organizations do not make purchasing decisions overnight, and thus while an app may actually do something better than an organization’s EMR, it better be a lot better for a healthcare provider organization to consider even meeting with the startup’s sales team.

This is not to say that I think that clinical apps which could be potentially developed and which will lead to improved clinical outcomes should not be attempted. What I am really saying is that before delving into development, HIT startup founders should take a much more serious look into EMR current state.

Even more importantly, startups should also consider what logical next steps vendors will be taking in their product offerings and research timelines as the massive implementation phase winds down and optimization becomes a priority for the vendors’ in-house development teams. If there really is a competitive advantage which the startup has over these behemoths in the development of an EMR-related application, then by all means go for it. But if not, it is probably best to develop something far outside of the current or near future EMR vendor scope.

Easy for me to say as I sit on the sidelines and consult on EMR projects, I know. And you can object and say I’m siding with the status quo. Regardless, it pays to do your homework on the massive vendors. They aren’t going to crumble and they certainly aren’t going to let their clients get on products that encroach on their turf without a very solid battle.

In closing, I would ask any hopeful HIT entrepreneur: what is your startup doing that an established EMR vendor could not accomplish without a system update or by adding a new application which would seamlessly integrate with their current lineup?

Tyler Smith is a consultant with TJPS Consulting and co-founder of Hitop.co.

Readers Write: For Cybersecurity, Prevention First, But Don’t Forget About the Treatment

March 16, 2015 Readers Write No Comments

For Cybersecurity, Prevention First, But Don’t Forget About the Treatment
By Terry Edwards


Cyber-attacks are nothing new. We’ve all seen the attacks on major retailers, entertainment giants, and financial institutions. Healthcare is gaining attention as the next industry under attack since cyber-criminals are finding unprecedented value in patient health records.

A patient record can sell for $50 to $150 on the black market, more than a credit card number or a Social Security number. This gives buyers the ability to impersonate patients using all the personal information included in a health record to commit identity fraud or even obtain prescription drugs. In 2014, a record number of healthcare providers were hacked and a number of high-profile healthcare breaches have already made headlines in 2015.

The healthcare industry is taking these attacks seriously and working hard to protect itself against potential threats. However, it’s becoming more difficult for healthcare providers to ensure the continued integrity of patient data. Not only are hackers growing more advanced and nimble, but the number of vulnerabilities in the system is only increasing as the industry moves to population health management.

Care delivery is not quite as contained as it used to be. Patients can be treated in a variety of settings as their care teams grow in size. In addition, more types of devices are collecting and sharing patient data, offering more entry points for cyber-criminals to infiltrate. Healthcare organizations are also dealing with tight IT budgets, which in some cases only cover what’s necessary for regulatory requirements.

While it’s critical for healthcare organizations to ramp up IT defenses to protect the data of their patients, to avoid a breach, organizations need to get back to the basics by focusing on the following:

  1. Develop an internal security committee to conduct a formal risk assessment and identify any areas at risk for a data breach. The committee needs to have the backing of the highest levels of the organization to demonstrate the commitment to protecting patient data.
  2. Following the risk assessment, the committee should develop an organization-specific risk management strategy to include processes, procedures, tools, and technologies.
  3. Educate the staff on the new processes and procedures. Implementing new procedures can be the biggest challenge for organizations. It’s not enough to deliver one training session and assume employees are following protocols. Instead, organizations must provide employees with frequent reminders to flag suspicious emails, keep their passwords protected, and encrypt any communication with protected health information.
  4. Reassess risk on an ongoing basis to make sure employees are following the appropriate processes and procedures and to identify any new vulnerabilities within the system. Cyber-criminals are constantly using new methods to find weaknesses in the system, so healthcare organizations must stay on their toes to keep technology up to date.

Even with the strongest security protocols in place, sometimes a cyber-criminal can find a way through. The experience of other industries shows that while customers are generally understanding when a breach occurs, they need assurance that the organization recognizes the breach and is taking steps to avoid another one. One of the biggest threats of a data breach for healthcare organizations is the potential hit to patient trust, the cornerstone of the patient-physician relationship. Healthcare organizations need to maintain that trust to deliver effective care.

To protect patient trust and the reputation of the organization following a breach, providers must put a treatment plan in place:

  1. Communicate early and often. Immediately following a breach, a healthcare organization must alert patients with details on what data may have been jeopardized, what actions they need to take (such as changing a password), and how the organization is working to protect the security of patient information. By giving patients as much information as possible, the healthcare organization can convey it is treating the issue seriously and is taking all necessary precautions to ensure another breach does not occur.
  2. Offer services to monitor and alert patients. By offering tools to monitor their credit and identity theft, healthcare organizations can show they’re concerned about minimizing any risk to patients. In addition to credit reporting, healthcare organizations should reach out to patients whose data was compromised to ensure patients are regularly reviewing their explanation of benefits for any fraudulent activity. Organizations can consider email guides, webinars, and in-person meetings to help patients understand how to review their accounts regularly and what to look for.
  3. Educate staff on how to handle patient inquiries. Some patients will have questions about the breach and may ask employees like receptionists or nurses who are not used to fielding those types of inquiries. Give employees guidance on how they should respond to upset or concerned patients so that they can get the correct information through appropriate channels.

It does not look like cyber-criminals will stop their attacks on healthcare organizations anytime soon, but with the right protocols and procedures in place, healthcare organizations can put their best defense forward and be prepared to respond in case of a breach.

Terry Edwards is CEO of PerfectServe.

Readers Write: Hacking the Healthcare Conference

March 13, 2015 Readers Write 1 Comment

Hacking the Healthcare Conference
By John Gomez

Outside it was 19 degrees and snow continued to fall as it had for the last few days. Inside the two-story brick building in downtown Asbury Park, NJ, a group of operators huddled around a set of whiteboards and large flat-screen TVs doubling as computer monitors that are connected to a variety of computer hardware.

One of the screens provided satellite images of a convention center. Another screen detailed the locations of all the hotels being used by attendees of a healthcare conference. Yet another screen highlighted the booth locations of the key exhibitors, with cross-references to their key clients, employees, and partners with their LinkedIn, Facebook, and Twitter account names and pages.

The operators had been developing cyber-attack plans for one of the largest healthcare information technology conferences in the world. The Alpha teams would focus on infiltrating the conference itself, while Bravo team members would exploit opportunities at hotels, restaurants, and the popular vendor-sponsored parties. The current debate centered on whether team members should register to attend the conference or simply swipe the passes of attendees and blend in with the crowd.

The last team, Command One, would provide command and control. It had already secured several adjoining suites at a hotel across from the convention center. The suite would provide real-time, 24×7 communications to the team members as well as manage the botnet and provide the initial command and control capabilities for the RAT software the field teams would be deploying.

The RATs being deployed by the field team were custom developed using a derivative of Stuxnet. This assured that the RATs would work across operating systems and devices. It also assured that the RAT would lie dormant for the most part except in some special cases.

One of those special cases was that if the RAT determined it was on a laptop, it would turn on the computer’s microphone and camera to record confidential conversations between vendors and clients as well as between vendor teams about their clients. The hope was to garner details that could later be used to exploit employees or other details that could lead to further compromises. RATs deployed to machines running a server operating system or Linux variant would replicate, eventually being introduced to a corporate network and then become active establishing themselves inside the corporate infrastructure of vendors and attendees.

Aside from the RATs, the Bravo teams had already visited area hotels and catalogued the wireless networks and their providers, deploying SDR and other toys to about 40 hotels. The goal was to eventually compromise the wireless networks using man-in-the-middle attacks and other techniques. In situations where they could not bypass the hotel’s wireless infrastructure, the team planned to compromise targets of opportunity being used in lobbies and public areas.

The team was now in its final planning stages. “Do we have the dummy business cards?”

The team had created a fictitious company, complete with a website, Delaware LLC, and 800 phone number complete with employee directory and voicemail. The team also had false employee IDs issued by the fictitious company. This allowed the team to play the role of a vendor attending the conference.

A subset of the team had spent the past two weeks becoming familiar with their cover of representing a new hospital system being created in the Midwest. The team included a fake CMIO, CIO, and VP of operations. The team developed LinkedIn accounts with complete work and educational histories as well as a fake website for the new healthcare system, with architectural renderings of their new 650-bed acute care facility and their upcoming regional clinical care centers.

At this point, you are probably wondering if what you are reading is an expose of a crack hacking team or simply a fictional piece of work. It is actually a little of both.

One of the things my team often does is to run simulated attacks on a variety of targets. We basically map out the entire attack and do all the prep work, short of launching the attacks. In this scenario, we decided to attack a healthcare conference.

The simulation was actually carried out over a period of three days. Everything you read is real. All the techniques, tools, and practices are the actual methods we would use to carry out a large scale cyber-attack against a healthcare conference. Our goal in doing this was to help develop suggestions for those attending any healthcare conference in hopes of making the lives of people like us much more difficult.

The above doesn’t include everything we would do or how we would do it, but what I did divulge is not all that sophisticated or uncommon. There is nothing in the story that isn’t already known or possibly already being undertaken by cyber-criminals, cyber-terrorists, or cyber-spies. Although we would never carry out this type of activity, there are those who would and probably will. Hopefully you will heed our counsel and employ the suggestions below, thereby keeping you and your organization a little safer.

  1. Share the wealth. One of the most important things you can do is educate others on the possible threats that exist when attending conferences of any size. An easy way to do that is forward this article to your teams. Like GI Joe once said, “Knowing is half the battle,” and that is especially true in the world of cyber-security. Most people don’t realize the sheer audacity that attackers employ. Hopefully the above story illustrates a little bit of that audacity.
  2. Encryption matters. All of your devices should use local file encryption, especially if you are going to be shipping them where they are out of your control. This also applies to any device that you are taking with you on the road — laptop, tablets, etc. All communication should be encrypted, even if you are using a closed network, but especially if you are connecting to the Internet.
  3. Stay in control. Do not leave your laptops or other computing devices in your hotel. If you are going to leave them behind, lock them in a safe and make sure the device is encrypted.
  4. Remove history. Delete your web browser history every day and also delete all previous wireless access points from your computing device history. For example, if your iPad is set up to automatically connect to your home wireless network, delete that before you go to a conference. Why? Because I can use the MAC address of your home network to find your home address. Don’t believe me? Email me your MAC address and we can bet a cafe mocha.
  5. Just say no to thumb drives and DVDs. If anyone — partner in crime, spouse, child, parent, boss, vendor, speaker (including George Bush) — offers to give you a thumb drive or DVD for any reason, just say no. Ask them to e-mail you the item, or better, print it out. If they e-mail it, do a virus scan and make sure it is from someone you met before the show. Otherwise, FedEx works great to mail you documents quickly. Thumb drives and DVDs can harbor malware. Even if you know the person, you don’t know where they got the thumb drive or how they made the DVD. Save yourself a lot of pain and just say no.
  6. Lock down machines. Vendors should lock their server rooms and demo equipment. You shouldn’t hire third-party security — you should be your own security during off hours. I know this sucks and is a burden, but it’s your technology. If the answer to this is that you wipe your equipment, good for you, but I am not after your equipment — I am after your data and network. Wipe away — chances are someone on your team will connect to your demo network.
  7. No demo networks. Don’t connect to demo networks. You don’t know what is on them no matter what your IT team tells you.
  8. Limit Wi-Fi. If you must use Wi-Fi, limit it to your hotel (it’s not the safest, but it’s better than a coffee shop or airport) and use a secure connection over a VPN. A better alternative, though not cheap, is your own personal hotspot over a secure connection.
  9. Wipe machines. After every conference, you should do a DoD-level format of all hardware used at the conference. This includes a visual inspection of the internals, if possible, to assure that nothing was added by your third-party, $10 per hour security resource.
  10. Lock down demo machines. Tape over webcams, disable USB drives, and put tape over the ports. Disable unused ports and other services. Hire someone to attack your demo environment.
  11. Establish a conference VPN. Set up a VPN just for the conference and require two-factor authentication using something like Google Authenticator to connect back to your corporate resources. After the conference, disable the VPN system and never use it again.
  12. Establish BIOS passwords.
  13. Create a bootable DVD. A great option for vendors is to use a bootable DVD with your demo clients on them. Please don’t tell me that you use virtual machines and somehow that makes you safer. If you believe that, you have a lot to learn about cyber-security.
  14. Awareness. If something doesn’t feel, smell, or seem right, it probably isn’t. Conferences are highly social venues. It is important that you don’t forget that most of what happens to you is because you let it happen. This applies in the real and cyber worlds and is critical in both to maintain your personal security.
  15. Email invites and marketing. Vendors love to send you all kinds of invites, updates, tidbits, and other neat stuff via e-mail during a conference. I would suggest you unsubscribe or just delete mass e-mailing from any vendor. A better option is to inform your rep that you will only accept e-mails from them directly and would appreciate minimizing things you have to click on. Think this is overboard? Consider that Anthem was compromised with a single click in an e-mail message.
  16. Blips matter. Ever say, “That was strange,” or “What just happened?” and then things go back to normal? Often this is just an anomaly, but it could also be an indication that your computer device is under attack. Think about what you were doing right before the blip — surfing the web, opening an e-mail, connecting to a network, clicking a link, downloading something. Put things in context, and if you get nervous for any reason, say something to your IT team.
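
A pre-travel check for suggestion 4 above, as an added example that is not part of the original article: it lists every saved Wi-Fi profile on a laptop and notes why each one matters (auto-join, no security, hidden SSID, stored access point MAC address). It assumes a Linux laptop that stores saved networks as NetworkManager keyfiles; the function names, the keep-list and the sample profiles are constructed for illustration.

```python
import configparser
import tempfile
from pathlib import Path

# Assumption: saved networks are NetworkManager keyfiles, normally kept
# (root-readable) in this directory.
DEFAULT_PROFILE_DIR = Path("/etc/NetworkManager/system-connections")
WIFI_NAMES = ("wifi", "802-11-wireless")  # current and legacy type/section names
SECURITY_SECTIONS = ("wifi-security", "802-11-wireless-security")


def read_profile(path):
    """Parse one keyfile; return a dict for a Wi-Fi profile, None otherwise."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(Path(path).read_text(encoding="utf-8", errors="replace"))
        if cp.get("connection", "type", fallback="") not in WIFI_NAMES:
            return None  # wired, VPN and other profile types
        wifi = next((s for s in WIFI_NAMES if cp.has_section(s)), None)
        if wifi is None:
            return None
        return {
            "ssid": cp.get(wifi, "ssid", fallback=""),
            "bssid": cp.get(wifi, "bssid", fallback=""),
            "hidden": cp.getboolean(wifi, "hidden", fallback=False),
            # NetworkManager treats a missing autoconnect key as true.
            "autoconnect": cp.getboolean("connection", "autoconnect", fallback=True),
            "open": not any(cp.has_section(s) for s in SECURITY_SECTIONS),
        }
    except (configparser.Error, OSError, ValueError):
        return None  # unreadable or malformed file: skip it


def findings(profile):
    """Explain what a saved profile exposes while the laptop is on the road."""
    reasons = []
    if profile["autoconnect"] and profile["open"]:
        reasons.append("open network with auto-join: an access point using "
                       "this name is joined without a key")
    elif profile["autoconnect"]:
        reasons.append("auto-join enabled")
    if profile["hidden"]:
        reasons.append("hidden network: the device probes for this SSID by name")
    if profile["bssid"]:
        reasons.append("stores an access point MAC address (bssid)")
    return reasons


def audit(directory=DEFAULT_PROFILE_DIR, keep=()):
    """Map each saved SSID (except those in keep) to its list of findings.

    Every profile returned is a candidate for deletion before the trip;
    an empty list means only that nothing extra was noted about it.
    """
    report = {}
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file():
            continue
        profile = read_profile(path)
        if profile and profile["ssid"] not in keep:
            report[profile["ssid"]] = findings(profile)
    return report


# Constructed sample profiles (not taken from any real device).
SAMPLE_PROFILES = {
    "home.nmconnection": "[connection]\nid=HomeNet\ntype=wifi\n\n"
                         "[wifi]\nssid=HomeNet\nbssid=02:00:00:00:00:01\n"
                         "hidden=true\n\n[wifi-security]\nkey-mgmt=wpa-psk\n",
    "cafe.nmconnection": "[connection]\nid=CafeGuest\ntype=wifi\n\n"
                         "[wifi]\nssid=CafeGuest\n",
    "hotspot.nmconnection": "[connection]\nid=MyHotspot\ntype=wifi\n"
                            "autoconnect=false\n\n[wifi]\nssid=MyHotspot\n\n"
                            "[wifi-security]\nkey-mgmt=wpa-psk\n",
    "wired.nmconnection": "[connection]\nid=Wired\ntype=ethernet\n",
    "notes.txt": "saved networks backup\n",  # not a keyfile; must be skipped
}


def demo():
    """Run the audit over the constructed profiles, keeping the personal hotspot."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, text in SAMPLE_PROFILES.items():
            (Path(tmp) / name).write_text(text, encoding="utf-8")
        return audit(tmp, keep={"MyHotspot"})


if __name__ == "__main__":
    for ssid, reasons in demo().items():
        print(f"{ssid}: {'; '.join(reasons) or 'saved profile'}")
```

Run against the real profile directory (reading it needs root), the listed profiles can then be removed with `nmcli connection delete`.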

Hopefully if nothing else this article will get you to think and ask questions of your teams and how well you are prepared to attend a conference. Conference operators do all they can to provide a safe and secure environment. But in this day and age, there is only so much they can do. The real burden of security — physical and cyber — is on the shoulders of individuals. This is how it should be because security works best when it is a personal responsibility.

Take time to talk with your teams (exhibitor or attendee) about security best practices. The pre-meeting is a great time to brief your teams on security practices or invite someone to speak to them. You should also have a cyber-security response plan for the conference that includes who to speak to, what to do if there is a threat, and how to report information to the conference coordinators so that multiple incidents can be correlated and viewed through a broader lens.

The reality is that life has changed.

The simulation outlined in the opening of this article was simply that — a planning simulation for a real-world attack. The emphasis is on real-world attack planning. The only thing that kept us from carrying out that simulation is that we fight for good, but there are plenty of others out there who don’t — we call them the bad guys.

John Gomez is CEO of Sensato of Asbury Park, NJ.

Readers Write: Telehealth: Ready for Prime Time

March 11, 2015 Readers Write No Comments

Telehealth: Ready for Prime Time
By Jonathan Leviss, MD


Telephone rings. “Hello?” answers Sonia, age 73 with heart failure and living at home.

“Hello, Sonia. It’s Linda, your telehealth nurse. I received an alert that you gained two pounds a day for the last three days.” Further assessment reveals that over the last few days Sonia has eaten more salt than usual and has leg edema. Linda prescribes furosemide under protocol, educates Sonia about her diet, establishes a plan of care, and sends a report to Sonia’s cardiologist.

Why is Sonia’s tale becoming more common? Accountable care organizations (ACOs), patient-centered medical homes (PCMHs), and other models of value-based care and bundled payments require reducing readmissions, addressing problems before they require more expensive interventions, and reducing high cost utilization. Telehealth is now a proven solution for all three.

Telehealth means robust, real-time, patient management solutions including remote patient monitoring of blood pressure and glucose; self-reported symptoms and medication compliance; live video visits with clinicians and health coaches; alerts for risks of clinical compromise; the ability to organize actionable information into dashboards or into a provider’s EHR; and the power of analytics to predictably detect problems earlier and develop new treatment approaches.

These real-time tools connect patients to the right care in the right place at the right time, and most commonly, that connection occurs in the patient’s own home. Not only does this save provider, payer, and patient resources, it’s most convenient for the patient and often most effective.

The effectiveness of telehealth is no longer a matter of speculation. There is a growing body of rigorous research published in peer-reviewed journals that validates these benefits, including the following findings from AMC Health programs. This sampling of peer-reviewed studies demonstrates the significant value that evidence-based telehealth programs provide across care settings, disease states and patient populations.

  • Medical Care, January 2012. Geisinger Health Plan reduced all-cause 30-day hospital readmissions for high-risk patients by 20 percent by adding interactive voice response calls to their care management outreach.
  • Journal of Managed Care Medicine, November 2012. New York City Health & Hospitals Corporation combined personalized case management and real-time patient management solutions to enable Medicaid patients with poorly controlled Type 2 diabetes to reduce HbA1c levels by a mean of 1.8 points.
  • Journal of The American Medical Association, July 2013. When Health Partners of Minnesota added telehealth and pharmacist management to their usual care for hypertension, 71.2 percent of the patients participating in the program had their blood pressure well-controlled after 12 months versus 52.8 percent of the control group.
  • Population Health Management, December 2014. Geisinger Health Plan significantly reduced hospital readmissions and cost of care for patients with heart failure. For every $1 spent to implement this program, GHP saved about $3.30, which translated to 11 percent per patient per month between 2008 and 2012.

As the healthcare market continues its transition to value-based care, this compelling evidence combined with exciting new technologies that expand how patients can engage in care virtually is fueling demand for customized telehealth programs ranging from full turnkey programs to the ability to seamlessly augment existing care management resources. To facilitate the adoption of telehealth, legislative and regulatory barriers are also being addressed:

  • The Tele-Med Act of 2013 (H.R. 3077), introduced to the House in September 2013, amends title XVIII of the Social Security Act to permit certain Medicare providers licensed in a state to deliver telemedicine services to Medicare beneficiaries in a different state.
  • The companion Telehealth Modernization Act of 2013 (H.R. 3750), introduced to the House in December 2013, calls for states to authorize health care professionals to deliver healthcare to individuals through telehealth.
  • The US Department of Veterans Affairs (VA) regularly offers telehealth services to qualifying veterans. In the just-ended federal fiscal year 2014, the VA’s national telehealth programs served more than 690,000 veterans and accounted for more than 2 million virtual visits.
  • The ACO Improvement Act (H.R. 5558) introduced on September 22, 2014, would permit ACOs to use remote patient monitoring and store-and-forward technology that delivers images to remote providers. The bill also strives to improve care coordination by improving the process through which data are shared between ACOs and the Medicare administration.

Not having visibility into a patient’s condition in real time when the patient is at home and outside of a clinical setting is like a chef overseeing a kitchen, but not being able to view the prep line. In the era of accountable care and pay for performance, the primary objective for patients with chronic conditions is to keep them healthy with fewer high-cost visits to the hospital or other clinical settings. Therefore, gaining at-home visibility is critical.

By incorporating proven telehealth services as part of a well-designed care plan, the entire care team can work with a patient to manage a chronic condition between clinician visits, altering treatments or creating early interventions to keep a patient healthier and reduce the spiraling cost of care.

As healthcare reform continues to drive providers to share risk and deliver greater value, understanding what is happening with their patients with chronic conditions outside the clinical setting is no longer a nice-to-have. It’s a must have. It’s time for telehealth to go mainstream.

Jonathan Leviss, MD is SVP/medical director of AMC Health; staff physician at Thundermist Health Center; and assistant clinical professor of health services, policy, and practice at Brown University School of Public Health.

Readers Write: The Pursuit of Health Optimization

March 11, 2015 Readers Write No Comments

The Pursuit of Health Optimization
By Jeff Margolis


For over 30 years I have been burdened with Crohn’s disease, a serious and currently incurable illness. It may seem ironic that I am on a crusade to enable all the “mostly healthy” people to achieve their highest possible health status at the lowest possible cost. After all, a number of excellent physicians, nurses, hospital staff, and technicians of all varieties performed skillfully in the US “sickcare” system with surgical and medical interventions that kept me alive.

These expensive interventions, which were largely paid for by my health insurance plan, would have otherwise financially disrupted me and my family. Let me be clear in saying that I am not ungrateful for the currently inefficient sickcare system nor do I have anything less than admiration for the efforts and capabilities of the medical professionals who comprise it. And yes, I am in a small minority that fully understands the critical role of our health insurance plans in weaving together the incredibly complex fabric of access and economics for our population.

I would be unequivocally grateful for a highly efficient and holistic “healthcare” system, whereby a cultural norm of admiration and rewards for each of us being skilled healthcare consumers would co-exist in a complementary way alongside our skilled medical professionals. After all, most of us in the population are healthy most of the time. In other words, except for the sickest of us who cannot care for ourselves at all at points in time, we have the opportunity to make choices and take actions every day that affect our health status and costs.

Our society has developed the cultural norm of seeking professional medical assistance when we become sick. How do you argue that such behavior is not rational? We start that behavior when we are young and continue it throughout adulthood and into our last days.

Let’s play this out in contrast a bit. When we are young and hungry, we typically rely on an adult to cook for us and feed us. Likewise, when we are children most of us (unfortunately not all) receive unconditional love whether or not our actions are deserving. Somehow, as we get older, we take responsibility for feeding ourselves when we’re hungry and we learn that loving relationships require effort to maintain. We generally learn to navigate abundant consumer options in order to get nourishment – ranging from five-star restaurants to growing our own food. We also pursue multiple pathways to personal relationships.

So, who decided that we should not be responsible, either individually or as a population, for the status of our health? And when was it decided that the way in which our actions impact our controllable health factors and costs was not our responsibility?

We have a challenge to solve in the affordability of healthcare and a huge opportunity to have a healthier population. Let’s begin by embracing the incredible array of consumer-facing resources that each of us healthcare consumers can wield — whether on our own or in coordination with our doctors and health plans. These resources, propelled by the digital age, include education and content about health benefits and care; methods of connecting to other consumers with common issues; wearable and carry-able devices that give us anytime access to capture and share health-related data; programs that increase our levels of fitness, nutritional, and physical well-being; programs that help us manage our known health challenges; methods that understand our motivations and lower our likelihood of developing depression or malaise; and capabilities to incentivize and reward us to do the right things.

The challenge is (and has been) that these types of consumer-facing resources are 1) fragmented into thousands of partial solutions; 2) constantly being innovated and updated in the marketplace; 3) disconnected from the way the current sickcare system operates; and 4) not contextually attached to any meaningful intrinsic or economic benefits for the healthcare consumer.

Stated another way, the well-intended ecosystem of things that a consumer can do to achieve their highest health status at the lowest possible cost exists in a state of confusion and chaos for the healthcare consumer. Further, the consumer is not incented or rewarded (i.e., paid for performance) to be skillful in matters of our health, as contrasted to the medical professionals to whom we turn.

The promise of health optimization platforms is both practical and staggering in its enormity. Think of it this way: If we place such a platform and its capabilities alongside the existing sickcare system (which remains essential for the aspect of our health that we cannot control as consumers), then we get a new kind of mathematical equation in the US healthcare system. One where the sum of the parts becomes less than the whole – with that whole being the current three trillion dollar cost of US healthcare spend.

Jeff Margolis is chairman and CEO of Welltok of Denver, CO.
