
Readers Write: Big Data, Small Data, Meta Data, See Ya Latah

Big Data, Small Data, Meta Data, See Ya Latah
By Jim Fitzgerald


It’s the RESTful, object store, file and block make me snore, it’s still bits and bytes to me……(sorry, Billy)

I just got back from HIMSS. Big data, like savoir faire, is everywhere. The cynical side of me says that technology vendors just want to sell more disk or flash drives. The analytical technical businessperson somewhere inside me says that the real play for the people trying to sell you and me on big data is in the tool suites for managing, monitoring, sorting, searching, and processing big data. We will be lured in with open source tools like Hadoop, and then when the hook is deep enough, the vendor community will point out to us why we need their quasi-proprietary toolkit to enhance the “limited feature set” and “programmer required” aspects of Hadoop.

Don’t read me wrong. I think I am a fan of this. Why the qualification? Big data, taken to its logical extreme and paired with some artificial intelligence, can help my doctor process all the environmental, social, and lifestyle data related to me and correlate it with the highly structured “small data” in my electronic health record to zero in on, and advise on, the real underlying issues behind my health that go well beyond the “sick care symptom” I am presenting that day.

The vague and slowly clarifying healthcare zeitgeist around population health and “well care” probably won’t be realized without employing big data management techniques as an everyday tool. This apparent service to humankind will be aided and abetted by small and large chunks of data streaming up to the cloud from the “personal Internet of things” that I already own and the things I am considering, like Apple Watch.

The cautionary note comes from my informed-paranoid fear of Big Brother. I have Orwellian visions of the healthcare police showing up at my house and herding me into the quarantine van for a stint of “voluntary rehab” after some warehouse full of seemingly disconnected Facebook posts, Yelp reviews, sensor numbers, and Whole Foods Market receipts mistakenly puts me on a high-risk list for the next pandemic. I won’t even go off into the potential side rant on all my voluntary and involuntary surrenders of my privacy rights along the way, although I do think the court system should brace itself for the onslaught.

Let’s hope my paranoia amounts to nothing more than the receptionist not being a bit surprised that I showed up in the doctor’s office that day because the data-lake-fed-AI predicted I would and had already authorized my insurance and sucked all the available fresh data on me into a useful visualization for my clinicians.

What’s the difference between big data and small data? The short version is that big data is generally considered to be an unstructured collection of data objects. Unstructured in this usage implies that there is no classic structured database format imposed on the data. The unstructured data could be a song captured as MP3 or AAC, a simple list of my last 20 temperatures stored in my Apple Watch, or a photo just taken in the ED of the festering wound on my right leg.

Big data is generally big because it is a vast collection of objects. Sometimes big data is big because the individual objects are prodigious on their own, and are also known as BLOBs or binary large objects – for example, your favorite “Breaking Bad” episodes that are still sitting on your iPad. It could really be anything, including a file that has a structure and order of its own, but is being considered as part of a greater set of data molecules in a “data lake.”

Storing data as objects, most commonly done on the Internet with RESTful storage protocols, is an increasingly normal trick in the world of data storage and management. When we store data as objects, we don’t care all that much about structure, or about the nature of the data, or about its accessibility by a particular file system or operating system. That problem is shifted from its traditional place in the OS or the storage array and is moved to the app. (Notice I did not say “application.”)

To the extent that we care about the objects in an object store (an allegedly safe place to put objects), we may tag them as they go in with meta data, which everyone who has followed the Edward Snowden story knows is “data about the data.” In fact, the object might get multiple tags. One might be a lookup address or unique ID in the object store and one or more others might be some common descriptor of what is in the object itself. Hence the chaos of unstructured data may, in fact, have some external structure imposed on it by some rules-based system ingesting the data objects.

In truth, small data is still where the rubber meets the road in today’s healthcare information systems. The organization or structure of that data by the HCIS in a pre-defined database provides the accuracy and confidence clinicians need to treat me and administrators need to bill me. It generates the endless arguments and the grossly inefficient cottage industry that has sprung up around HIEs. (Do we really need to argue on what the “first name” field means?)

Big data can provide inferential context for small data, but it cannot supplant the precise articulation or definitive metrics collected and presented, in context, to help treat me. Small data is so important that we protect it not only in context of its integral structure in a database, but also in some cases at the file system, operating system, and storage subsystem levels. In many cases via RAID technology, backups, and replicas we have so many copies of the same small data that it is really not very small at all; but hey, in the days of petabyte and zettabyte data lakes, a few terabytes looks more like a data puddle.

There is, however, an economic force in play here. Depending on whose numbers you believe, big data on object stores is four to 20 times cheaper to manage than an equivalent amount of small data being managed by a production application in a Tier 1 SAN. The “apps” which are slowly arriving in healthcare (and may continue to arrive) may be happy just to slam a bunch of tags on an object and call it a day. Then we will have “tag oceans” and “tag bagging” toolsets with cute animal logos, and the circle of data will continue to self-perpetuate.

Jim Fitzgerald is technology strategist and EVP at Park Place International.

Startup CEOs and Investors: Bruce Brandes

All I Needed to Know to Disrupt Healthcare I Learned from “Seinfeld”: Part V – Yada Yada Yada
By Bruce Brandes


Most every company talks about their elevator pitch, which is intended to be a brief summation of the business to intrigue one to want to learn more. My question is this: exactly how long are the elevator rides some people are taking? More broadly, in any sort of business interaction, how do you best balance brevity vs. meaty detail?

The Webster’s definition of the phrase “yada yada” is "boring or empty talk often used interjectionally, especially in recounting words regarded as too dull or predictable to be worth repeating." Anyone still recovering from the HIMSS conference can likely recall many conversations where yada yada would have been a very welcomed interjection.


Our old friend George Costanza once dated a woman who often filled in her stories with the expression yada-yada, leaving out much of the detail. Jerry praised her for being so succinct (like dating USA Today) but not knowing the full picture drove George crazy. So opens the debate: is yada yada good, or is yada yada bad?

As discussed in an earlier column, most pitches are too long and generic. A little yada yada to help you explain your company in 60 seconds or less is very good. In calculating how to consolidate your elevator pitch, reread the Webster’s definition above and be sure to yada yada overused, now almost meaningless buzzwords like “patient engagement,” “big data analytics,” or “telemedicine.”

Instead, focus on concisely describing why your company exists, what problem you solve, and how you deliver that solution in a way that is clearly superior or more simple than the masses. Even 60 seconds might seem like a long elevator ride to your audience if you do not make a compelling initial impression in the first 15. Without the yada yada, you are not getting a first meeting.

Better yet, if your solution is as vastly unique and compelling as you may perceive, perhaps its simplicity speaks for itself. Did Apple need to yada yada when it introduced the iPad? In his book “Insanely Simple,” Ken Segall describes the cultural foundation which led to Apple’s development of transformational products so simple and obvious that a two-year-old or a 90-year-old could just intuitively understand them.

For real game-changing solutions, an unspoken yada yada is implicit. For example, in philanthropy, the Human Fund’s mission statement – “money for people” – enticed Mr. Krueger with its understated stupidity.

However, the buyers of and investors in healthcare technology solutions are remiss to not press for the substantive details and validation of claims glossed over by the yada yada. How many HIStalk readers have been burned by extrapolating assumptions from high-level vendor assertions only to later recognize in the fine print that some important information was omitted by a yada yada?

  • Q: Where does your system get all the data you are showing in your demo?
  • A: Once you sign the contract … yada yada yada … we integrate seamlessly with your EMR.

  • Q: How do you achieve your revenue projection of growing 20x in two years?
  • A: We had meetings with people at both HCA and Ascension about doing pilots … yada yada yada …. we forecast 300 hospitals next year.

Let’s try to yada yada some of the memorable events in healthcare IT history.

  • We acquired five more companies which will be integrated by next quarter … yada yada yada … we beat our forecasted revenue numbers. (every HBOC quarterly earnings call in the 1990s)
  • We closed on our acquisition of HBOC … yada yada yada … our market cap dropped $9 billion today. (McKesson 1999)


  • We are putting out an RFP to evaluate vendors and purchase a new enterprise electronic medical records system … yada yada yada … we bought Epic. (any academic medical center in the past 10 years)
  • We are making great progress on our successful Epic rollout … yada yada yada … we are announcing major budget cuts to protect our bond rating. (that same academic medical center three years later)

I contend that yada yada is both good and bad. Mastery of this notion leads to knowing when to use the figurative yada yada to establish appropriate interest, rapport, and trust. It is equally important to know how and when to effectively press for critical information which the symbolic phrase may be concealing.  

Bruce Brandes is managing director at Martin Ventures, serves on the board of advisors at AirStrip and Valence Health, and is entrepreneur in residence at the University of Florida’s Warrington College of Business.

Startup CEOs and Investors: Michael Burke

The Shifting Incentives of Startups
By Michael Burke


Mr. H asked a few startup CEOs to give his readers an “inside baseball view into a world that a lot of us will never see as employees” — the world of starting and running a startup company. In this post, I’ll try to honor the spirit of that request by describing how incentives in an early-stage startup create an environment that is simultaneously thrilling, rewarding, and terrifying. We’ll then discuss the challenge of maintaining a startup’s culture while these incentives change.

I’ll start first with a sweeping generalization:

An early-stage startup company’s incentives are more purely aligned with their customers’ incentives than any other size, stage, or structure of business.

Think about it. At this stage, it really doesn’t matter whether the founders want to build a great company, make the world a better place, or make a big pile of cash. They can’t do any of these things if they don’t focus exclusively on the success of their early customers. This singular focus is a luxury not afforded to companies of other stages. These purely aligned incentives create an environment of productivity and creativity like no other.

Does this alignment of incentives guarantee success? Absolutely not. I’ve noted in an earlier article that the odds of success for a startup are low. There are a million things that can go wrong. The alignment of incentives does, however, mitigate the risks to some degree.

Now I know that most companies of various stages consider their customers important and would assume on the surface that their interests are aligned with those of their customers. But until they’ve pledged their house and savings to guarantee a loan for working capital, they don’t know what a real incentive feels like. That’s the terrifying part.

Shifting Incentives and OPM

Incentives often change as a startup grows. The really great companies find a way to maintain the positive elements of their culture during these periods of change. It’s not easy to do.

There’s a phenomenon in the startup world that is repeated time and time again. A scrappy startup that was efficient with the little bit of capital it had gets a big chunk of money from a VC. Then they start to suffer from OPM (Other People’s Money) syndrome. They start to think that they really need those golf bags emblazoned with the company logo. They over-hire. They move away from making small, responsible bets to Vegas-style gambles. It’s not entirely their fault. Their incentives have shifted.

Because of their new outside investors (who may now have a controlling interest but almost certainly have preferential exit terms), they now have to hit a grand slam. The fund needs to generate a 10X return in 3-5 years. A base hit, double, or triple might cover the VC’s vig, but it won’t put any money in the founders’ pockets.

In order to generate this sort of return, companies are strongly incented to focus exclusively on short-term revenue growth and ignore long-term investments in people, product, and process. In a parallel universe, big public corporations often find that their incentives diverge from those of their customers when it comes to the obsession with quarterly earnings, sometimes at the expense of similarly necessary investments in people, product, or process.

Some companies manage to maintain their focus and keep their culture intact through these and other changes. As a result, they often deliver exceptional value to their customers.

Freedom and Responsibility

Most successful startups are usually characterized by a culture with freedom and responsibility at its foundation. The freedom isn’t just a cultural choice; it’s a requirement. Top-down management structures just don’t work in a startup. Command-and-control environments, with their glacial speed, lack the requisite flexibility, productivity, and creativity. Distributed, self-organizing environments are required in the early stages to learn quickly, fail quickly, and adapt quickly.

Responsibility is the opposite side of the freedom coin in a startup. It makes the selection of the startup team absolutely critical. Folks who are attracted to working in an early-stage startup seem energized by this environment of responsibility. There’s just no place to hide in a startup, and nearly every decision is important. You need folks who are willing to act and to take responsibility for their actions.

In the early days, this culture of freedom and responsibility often emerges organically as a byproduct of the nature of the work and the requirements placed on the team. As a company grows, however, it needs to be much more intentional if it wants to keep the magic going. When we were a few founders in a room, we didn’t have to worry about vacation policy. No one planned to go anywhere until the work was done anyway. Now, when we hire a new employee, we need to have an intelligent answer to the question. So our answer is: take whatever time you want. We care about results, not about punching the clock.

One of the really great things about a startup is that you get to collectively define a culture with a relatively small group of folks. That’s a very exciting and fulfilling process. Contrary to popular belief, this definition of culture doesn’t come from the top down. Don’t get me wrong — a founder/CEO can single-handedly screw up a company’s culture, but the CEO can’t define it unilaterally. A founder/CEO can be a part of the process of a company’s emerging culture, but only a part. In my view, the most influential part a CEO can play in the intentional cultivation of culture is in hiring decisions. Secondarily, a CEO can make sure the policies of the company appropriately support the required culture of freedom and responsibility. Policies are fine, but in a startup, it matters much more what you do than what you say.

No Shortcuts

The bottom line is that startups can’t focus on the finish line if they want to be successful. They have to find a way to set aside the numerous distractions and shifting incentives of fund raises and exit strategies and simply focus on building a great company that delivers great value to customers. Protecting their company’s culture is a big part of this. If they can maintain this focus, they increase their odds of long-term success dramatically.

Michael Burke is an Atlanta-based healthcare technology entrepreneur. He previously founded Dialog Medical and formed Lightshed Health (which offers Clockwise.MD) in September 2012.

Readers Write: Chicken or Egg?

April 27, 2015

Chicken or Egg?
By Niko Skievaski


HIStalk recently released these poll results: “Which #1 reason would cause you to avoid doing business with a startup?” (n=350):

  • Fears that the company isn’t financially viable (47 percent)
  • Offering a product that solves a non-strategic problem (21 percent)
  • Lack of integration with existing IT systems (17 percent)
  • Lack of comparable reference sites (10 percent)
  • A CEO who doesn’t have poise, polish, or healthcare experience (5 percent)

These embody many of the technology adoption barriers facing healthcare. Startups are perceived as being unable to commit to long-term contracts and lack reference sites to build confidence in buyers – just as the first chicken couldn’t have been hatched without the egg from which it came. These things combined make for a very difficult landscape for healthcare technology startups to thrive in. So who lays the egg?

Fears that the company isn’t financially viable. It’s extremely costly for a health system to adopt new technology. Beyond the price tag, there are real costs associated with implementation and training necessary to successfully go live. The last thing they want is to be left hanging if your company goes under. Jason Bornhorst, who exhibited the last two years in the HIMSS startup neighborhood, said, “I’d estimate that about two-thirds of the companies that were here last year aren’t around any more.” The fact of the matter is that you need to have the resilience to ride the bone-breaking sales cycle. They’ve been practicing medicine without your software for 100 years; they can wait another 1-2. How do you bootstrap financial viability to last the long sales cycles and combat this perception? Raise more money, find alternative revenue sources, join an accelerator or two to buddy up with health systems, and surf the cycle efficiently.

Offering a product that solves a non-strategic problem. This isn’t so much a market failure as it is a customer development failure. Start a better startup. Don’t start a bakery because you’re a good baker. Start a bakery because there is excess demand for baked goods. I just hope that the buyers at health systems are delivering this intuition directly to the startup in addition to anonymous HIStalk polls.

Lack of integration with existing IT systems. Integration is a must. It’s not enough to say, “Use our product in a standalone capacity during the pilot and we’ll figure out integration later.” Providers hate double documenting and clicking. Forget switching windows. Their complaints bog down IT teams. Both of these groups will throw a block at your pitch if you don’t have a solid answer for interoperability with existing systems, both from a technical perspective as well as implementation. There’s a new wave of startups out there providing modern integration strategies for startups attempting to interoperate with the EHR.

Lack of comparable reference sites. One of the mantras I learned back at Epic is that every single customer should be able to be considered a reference site. It’s that level of customer service and do-anything-ness that makes them stand apart as a vendor. The space is too small to simply write off any customer as a lost cause. If a health system chooses to work with us, we need to do everything possible to make sure they’re a good reference site for future customers.

A CEO who doesn’t have poise, polish, or healthcare experience. Have you met Judy Faulkner, Chris Patterson, or Jonathan Bush? Just a few examples of eccentric, throw-caution-to-the-wind type personalities who oversaw successful EHR startups. But you need to know the audience of decision makers. If you’re new to healthcare, welcome to the wild world of buzzword bingo. Get conversational stat (yep, that’s a healthcare word). Read books, blogs, HIStalk. Listen to podcasts. Go to HIMSS and actually listen to some sessions that relate to your domain. You wouldn’t buy a car from a guy that didn’t know the difference between a carburetor and catalytic converter. Be sure that you can demonstrate that this isn’t your first rodeo. Manufacture your “experience” by becoming an expert in the domain.

Mr. H, maybe a survey on top reasons to work with a startup next time?

Niko Skievaski is co-founder of Redox.

Readers Write: The Journey to Value-Based Care: Lessons Learned from Aviation

April 27, 2015

The Journey to Value-Based Care: Lessons Learned from Aviation
By David Nace, MD


The Affordable Care Act (ACA) and healthcare reform have impacted providers in all aspects, from the way they are and will be paid to how they engage patients. To meet the deadlines and demands of an industry shifting to value-based care (VBC), physicians must change their thinking from independent to team-oriented in order to succeed in this new world.

VBC is empowering an evolution within the overall healthcare community, especially amongst physicians. This is enabling a focus on delivering high-quality care to patients. The Meaningful Use and EHR certification programs have helped all provider organizations get closer to the more meaningful use of information technology, but the requirements also pose many challenges for providers.

These challenges should not be met with resistance. The physician community should embrace the call for change. The aviation industry went through a similar revolution: reform required pilots to adapt to new methods of communication and technology to ensure safer flights.

Traditionally, physicians are independent and competitive in nature. They didn’t go through rigorous selection and testing over nearly eight years of higher education to merely coast by – they have an innate drive to be successful and help people. Value-based care, in theory, plays to their personality traits and gives them the motivation to achieve even higher goals.

However, physicians have a hard time trusting data or measures that they do not understand, especially when their evaluation is out of their control and input. For example, a 2014 survey of 4,000 physicians found 78 percent reported patient satisfaction ratings moderately or severely affected their job satisfaction and 28 percent considered quitting their job or leaving the medical profession.

To add to this statistic, most organizations do not have the appropriate communication, technologies, and data collection sources and processes put in place to understand the measurements being imposed on them. To tackle this challenge, hospital executives and physicians need to improve physician communications and transparency in regards to measurement.

Pilots faced a similar disconnect during the 1980s. Training a pilot occurred in an apprenticeship model — you learn from a “master” and through them learn their personal techniques and strategies. It really was a “master craftsman” mentality of mentorship.

This method of training and learning led to variations in practice and high accident and death rates associated with aviation. The practice was not based on teamwork or leveraging technology for standard operating procedure. There was no Global Positioning System (GPS) or Cockpit Resource Management (CRM) utilized – it was all based on the techniques and approach of pilots. To understand the technologies imposed on them and to improve quality of flight, the way pilots were taught changed to a team-based approach that focused heavily on communication and transparency, data, and standard operating procedures.

There is a similar revolution coming to the world of medicine. Many of the physicians of tomorrow are beginning to prepare through team-based, information-driven training. Young physicians in training are being proactive in understanding the methodologies and technologies of today and starting grassroots movements — for instance, Primary Care Progress — to inform and inspire newcomers to the industry. Medical students are increasingly being trained in groups (versus one-on-one) to leverage the concept of teamwork and to better understand the evolving healthcare industry and their role in the transformation.

Change is inevitable in any organization. New rules, methods, and technologies will always cause a shift. These transformations should not and cannot be met with resistance, but with an open mind, as everyone needs to work together toward the end goal.

Pilots needed to adapt and alter their training and methodologies during flight to fly in a safer, more efficient manner. Similarly, providers must do the same with value-based care. The more collaboration, the smoother the ride will be.

David Nace, MD is vice president and medical director of McKesson Technology Solutions.

Readers Write: Why Some Physicians are Opting Out of Meaningful Use Attestation

April 3, 2015

Why Some Physicians are Opting Out of Meaningful Use Attestation
By Charles Settles


Since its inception, the Meaningful Use Incentive Program (MUIP) has paid out nearly $30 billion worth of incentives, but a rising number of physicians are opting out. Why?

2011, the first year of the MUIP, saw widespread interest. Nearly 200,000 eligible providers (EPs) and over 3,000 hospitals completed registration for either the Medicare or Medicaid versions of the program, according to the latest summary report from CMS. However, much of this original momentum appears to be lost. 2014 saw under 73,000 EPs and just 108 hospitals register across both programs.



Altogether, 515,158 registrations have been completed by EPs across both programs, with 415,550 unique EPs receiving an average of $25,190 in incentive payments. According to the CMS’s latest data, just over half of eligible providers have received an incentive payment. But what about the other (at least) 40 percent?

It can’t simply be a question of eligibility. According to Medscape’s 2014 EHR Report, only 22 percent of physicians are abandoning or have never supported the MUIP, but examining the CMS summary report suggests a much higher rate of attrition — only 23 percent of the 260,900 physician EPs who received a payment in 2013 received one in 2014. That translates to an attrition rate of just under 77 percent.

When considering the payments only by stage of the program, the numbers for physicians are even worse — only 5.7 percent of those physicians who received a payment for the first stage have received one for the second. More physicians will complete Stage 2 eventually, but the odds of making it to CMS’s 75 percent adoption rate target by 2018 appear to be growing shorter. The carrot simply hasn’t been enough.

The stick may not be enough either. If the 75 percent adoption rate target is not met, reimbursements stand to be cut by up to five percent. The average family physician, arguably the primary focus of the MUIP, receives about $100,000 per year from Medicare reimbursements, according to Dr. Jason Mitchell, former director of the American Academy of Family Physicians’ Center for Health IT. Since the penalties increase by one percent per year beginning with a one percent penalty in 2015, a physician receiving $100,000 annually could lose up to $10,000 in reimbursements through 2018. For some, the penalty is a small price to pay to not have to deal with requirements that they feel prevent them from delivering better patient care.

Dr. S. Steve Samudrala, medical director of America’s Family Doctors, was an early proponent of electronic health records, patient engagement, and other medical software systems. It seems ironic that Dr. Samudrala does not participate in the MUIP. Though his EHR (eClinicalWorks) is fully certified through Stage 2, Dr. Samudrala feels the reporting requirements for primary care physicians would prevent him from delivering the high quality, personal care his patients have come to expect.

He does acknowledge, though, that many independent primary care physicians have little choice in the matter — the incentives can make or break some smaller practices. Payments are shrinking, competition from hospital-owned groups is increasing, and medical practice brokers keep calling. Dr. Samudrala’s bet isn’t on incentives — he and a growing number of primary care physicians are proponents of what’s coming to be known as “direct primary care.”

The idea behind direct primary care, sometimes called “concierge medicine,” is to remove the expensive bureaucracy and processes associated with billing insurance or government programs and offer services directly to patients for a monthly or annual fee, supplemented by small co-pays. Though the number of successful direct primary care practices is small, and the trend doesn’t solely explain the number of physicians opting out of the MUIP, rising interest in the concept makes it worth mentioning.

Ultimately, the MUIP will likely be viewed as a success if widespread adoption of health IT was the goal. Adoption doubled between 2009 and 2013. Even if physicians don’t meet all the requirements to receive incentives, the benefits of health IT to providers, payers, and most importantly patients cannot be denied. We’ll likely see even more attrition from the MUIP with the announcement of the Stage 3 rules, but despite the growing disillusionment with the program, EHR and other health IT is here to stay.

Charles Settles is a product analyst at TechnologyAdvice.

Readers Write: Your Interfaces Suck Because You Want Them To

March 30, 2015

Your Interfaces Suck Because You Want Them To
By T. Ruth Hertz

Your interfaces suck because you want them to. Yup, that’s the stone cold reality. 

I am looking at you, Mr./Ms. CIO. You may talk all day about interoperability, data normalization, HIEs, standards, etc., but unless the right data in the right format gets to the right place at the right time, you are wasting time and money and possibly risking patient safety.

But wait, you say. We insist that all applications have HL7 interfaces – we even put it in the contract! Yes, maybe you do, but do you take the time to get and review detailed specifications before you sign the contract? Do you require the vendors to demonstrate interfacing their application with the ones you already have? Not just give you a list of other clients that have “the same systems as you” but actually connect their system to your engine and downstream application test environments? How well would the physicians at your institution react to being given a list instead of a demo and/or site visit?

Do you let your interface experts ask the tough questions during due diligence? If you do, does it matter when the answers are wrong or evasive? Or do you just accept it when the vendor says, “You can fix it in the engine?” Do the interface experts get to go on the site visit, see the interface in action, and talk to the folks that have had to actually make the interface work?

Let’s face the facts:

  • It is in the application software vendor’s best interest to not interface well with other vendors’ apps. Selling a suite of apps that work well together but not well with others makes buying their products as a set look like the smart thing to do.
  • Application software vendors can make their interfaces work. They have the source code and the underlying database. They just need a very good reason to do so – like “no sale” if they don’t.
  • Your interface staff time isn’t free. All the time spent on analyzing, designing, and building workarounds to compensate for deficiencies in the sending and/or receiving applications costs hard money. That time is also time lost from other projects.

It’s time that the decision-makers who buy healthcare apps put a stop to this madness and insist that true interoperability be delivered by the software vendors – or no sale.

Readers Write: A Prescription for Getting Face Time with Doctors at HIMSS

March 30, 2015 Readers Write 1 Comment

A Prescription for Getting Face Time with Doctors at HIMSS
By Chris Lundgren


It’s no secret that it’s getting harder and harder to get face time with doctors. But I’m a sales guy, so I always see a silver lining in everything.

In this scenario, the silver lining is that doctors are just like you and me. They can’t live without their gadgets. Recent studies have shown that 75 percent of doctors own a smartphone and 55 percent use both a tablet and smartphone in their daily work. So while you may have a more difficult time connecting in person with doctors, you can still be very much connected.

The key to engaging doctors today is to use technology when the time is ripe. The upcoming HIMSS conference is the perfect example. It has a huge audience and nearly 60 percent of the attendees are healthcare providers. Let me repeat: thousands and thousands of doctors gathered in one space to live and breathe technology for five days. If that isn’t a jackpot waiting to happen, I don’t know what is.

Problem is, doctors are going to be running from one panel to another at HIMSS, so you can’t expect to get face time with them if you haven’t engaged them prior to the conference. And the way to do that is – you guessed it – through their gadgets. Here’s what I recommend:

  1. Ask them how they’re doing. Doctors are always asking others how they’re doing. Now that the pressure is on doctors to improve patient outcomes and reduce healthcare costs in measurable ways, it’s time to ask doctors how they’re doing and what’s on their minds. A quick and easy way to do that is a survey that asks 1-3 questions such as, “What topic(s) are you most interested in at HIMSS?”, “What do you hope to gain from learning about that topic?”, and “What other concerns are on your mind?”
  2. Make them a HIMSS-only offer. Limited time offers work time and time again because they create a sense of urgency. If you want to ensure that you get some face time at HIMSS, make sure you’re prepared to make offers that will only be available at the conference. Use the results of the survey to develop the offer or gather qualitative insights from your sales reps – what have their conversations revealed about doctors’ needs right now? Take advantage of email marketing for its quick response, analytics, and segmentation capabilities.
  3. Impress them with knowledge. A recent study showed that doctors are always hungry for new research, case studies, and other clinical knowledge that can help them in their work. But here’s the catch (and also the opportunity): they’re often too busy to look for it on their own. Do the work for them by delivering valuable content. Remember, they’re busy, so don’t deluge them with a library of links. Try a short list of statistics or a link to an article to get the conversation started. Tip: Information related to patients is hot right now and there’s a treasure trove of relevant content with a quick search.

Digital engagement is an essential component to any physician communication strategy. However, to maximize the results of such a strategy, the focus should be on quality rather than quantity. In addition, integrating a quality digital campaign with the right mix of print, mail, and telemarketing can optimize any effort. Be sure to get your reps to follow up with doctors on the phone or via email after a campaign goes out. Using this multi-channel approach can boost revenue by more than 10 percent. Good luck at the conference.

Chris Lundgren is VP of strategic sales for Healthcare Data Solutions of Lincoln, NE.

Readers Write: Twenty Things Vendors Need to Know About ONC’s New 2015 (Stage 3) Certification Program, But Were Afraid to Ask

March 24, 2015 Readers Write 7 Comments

Twenty Things Vendors Need to Know About ONC’s New 2015 (Stage 3) Certification Program, But Were Afraid to Ask
By Frank Poggio

On March 23, late on a Friday afternoon, ONC published two drafts of the proposed revisions to the 2015 Test Criteria along with new Stage 3 provider MU attestation requirements. Two separate large documents were published:

  • Electronic Health Record Incentive Program, Stage 3 Draft Rule, (300+ page PDF)
  • 2015 Edition Health Information Technology (Health IT) Certification Criteria, ONC Health IT Certification Program Modifications (400+ page PDF)

The first covers the proposed rules for MU Attestation for Providers under Stage 3. The second addresses proposed test criteria and requirements for vendors and revised operating rules for the Accredited Certification Bodies (ACB).

Already there has been a great deal of discussion on the first MU requirements document since it impacts all providers, while the second document is aimed at vendors and system developers and has received little attention. I commented on the MU provider piece on HIStalk earlier this week and will focus now on the impact on vendors and system developers. Some of my vendor clients have been calling and emailing me asking, “What’s changed for us?” Others are afraid to ask.

Suffice it to say there are some major additions and revisions to the test criteria and process that will give system developers heartburn, or maybe a K51.914 (ICD10=ulcer).

Before I dive into the document, let’s remember that back in 2013 ONC disconnected the MU Stages from the certification test versions. The concept that a vendor is Stage 2 or Stage 3 certified is almost meaningless since a provider could MU attest to Stage 2 using either modified 2011 test criteria or the 2014 criteria. With the eventual issuance of these new 2015 criteria, for a short period providers can Stage 2 attest using a vendor’s 2014 certified product, or if available, the vendor’s 2015 certified product.

All 2015 Test Criteria are now referred to as the 170.315 regulations. At this time, these are just draft proposals that will be formally published in the Federal Register on March 30, 2015. Then after a 90-day comment period, some revisions will be made, with the final regulations issued in the July-August timeframe.

Using the last two cycles of draft rules versus final issued regulations, I predict that some 90 percent of what is now proposed will be adopted into law. So fasten your seat belts — here we go. Some highlights (or lowlights?) are:

  1. Privacy and Security (170.315 d1-d7). There are some minor changes in several of these tests, such as access, time outs, integrity, device encryption and audit logs. But now under 2015 testing, they have become mandatory if a vendor wants to test out on other criteria, such as Demographics. The P&S tests were mandatory under 2011 (Stage 1), then ONC made them optional for 2014, now they are back in the mandatory column. To paraphrase ONC, it’s all due to the never-ending march of data breaches. An added requirement to P&S, which is stated in the MU regs but not in any specific test criteria, is that vendors now must attest to having completed a HIPAA risk analysis of their product whenever they install new releases or updates. Here’s why. In order for providers to be compliant with MU and HIPAA, they will have to get an attestation from the vendor before they install any update. The provider MU regulations state on page 64: “EPs, eligible hospitals, and CAHs must conduct the security risk analysis upon installation of CEHRT or upon upgrade to a new Edition of certified EHR Technology.”
  2. Demographics 170.315a4. ONC wants coding for language and ethnicity to support all 900 OMB codes and all RFC 5646 ethnicity codes. But ONC acknowledges that a drop-down list of 900 data elements might cause workflow problems, so they have said a full drop-down list is not required. You just need to show in a test you support all the codes and can tailor the list for each provider client.
  3. Vital Signs 170.315 a6. All values must have LOINC codes. Data elements have been expanded and pediatric vitals have separate criteria.
  4. Advance Directive (170.315 a17). Now you have to electronically capture and track the AD. No more just check a box and who cares what file drawer it’s in.
  5. Medical Implants (170.315 a20). Must now be tracked and reported.
  6. Social, Psychological, and Behavioral data must now be captured and tracked using LOINC and SNOMED coding. (170.315 a21).
  7. Clinical Decision Support tools must be linked to Knowledge Artifacts formatted in the HeD standard Release 1.2. (170.315 a22).
  8. New “decision support – service” (170.315 g6) certification criterion requires technology to electronically make an information request with patient data and receive in return electronic clinical guidance in accordance with an HeD 1.2 standard.
  9. New CDA standard (170.315 b1). The C-CDA standard is now the single standard permitted for certification and the representation of summary care records. An updated version, HL7 Implementation Guide for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm), Draft Standard for Trial Use, Release 2.0, adds new structural elements in the form of new document sections and data entry templates. New document templates: Care Plan; Referral Note; Transfer Summary. New sections: Goals; Health Concerns; Health Status Evaluation/Outcomes; Mental Status; Nutrition; Physical Findings of Skin, etc.
  10. CDA system performance (170.315 g6). As part of the focus on interoperability, ONC is requiring performance standards for data transfers of CCA/CCR. Data transmission of CDAs will be tested for volume and response times.
  11. XDM packing of View/Download/Transmit and CCR/CCD with incorporation of industry APIs using the IHE-IT infrastructure standard.
  12. Data Portability has been broken out into Send/Receive as separate components (170.315 b6).
  13. Care plans (170.315 b9). ONC proposes to include the “assessment and plan of treatment,” “goals,” and “health concerns” in the “Common Clinical Data Set” for certification to the 2015 Edition. The “assessment and plan of treatment,” “goals,” and “health concerns” are intended to replace the concept of the “care plan field(s), including goals and instructions” which is part of the “Common MU Data Set” in the 2014 Edition.
  14. CQM (170.315 c1). Has been expanded into separate segments: filters, create, import, and calculate.
  15. Quality Management System (170.315g4-g5). Now includes an “access-ability technical component” in accordance with ADA. The QMS must be mapped to a federal guideline or industry standard. (No more home-grown QMS process/tools.)
  16. Safety Enhanced Design – SED (170.315g3). Expanded and requires specific and detailed usability test documentation. ONC recommends following NISTIR 7804, “Technical Evaluation, Testing, and Validation of the Usability of Electronic Health Records,” for human factors validation testing of the final product to be certified. They recommend a minimum of 15 representative test participants for each category of anticipated clinical end users who conduct critical tasks where the user interface design could impact patient safety.
  17. Authorized Testing Bodies (testing agencies) are now required to conduct surveillance (audits) on at least 5 percent of vendor installs (or max of 10) every year to verify that the certified system in fact meets each certified test criteria.
  18. Attestation for Price transparency. ONC wants vendors to disclose on their web site and in marketing materials material system limitations. The vendor must also disclose any material add-on costs such as transaction fees to support interfaces/interoperability, etc. and supply any requesting entity a reasonably accurate cost estimate of total system costs. That’s ANY requesting entity, not just prospects or for bid requests.
  19. ONC wants monthly reports from the testing agencies on provider complaints and counts of vendor updates and modifications. If the number of updates/modifications exceeds a set number, the ACB is to call the vendor back in for re-testing.
  20. ONC predicts the rules and test criteria will be finalized by mid-summer and vendors will work “aggressively” in 2016-17 to modify products and meet the target date of 2018 to support Stage 3 provider attestations, which will require a full year of calendar data from providers.

ONC estimates that all vendors together will have to invest approximately $300 to $400 million to effect all these changes. They calculate there are 81 unique vendors with certified products, hence an average cost of $4-5 million each, which does not include the time and cost to go through the test process.

ONC states they will continue with the “Gap” test process, meaning if you passed a test criteria under 2014 and there were no (or minimal) changes for the 2015 criteria, you get a bye. Given the preceding, my advice is if you’re a vendor that is not yet 2014 certified, you really want to get it done sooner rather than later. My experience tells me that being 2014-certified for as many criteria as you can before the 2015 criteria are cast in stone will be a better place to be.

Lastly, ONC states that the 2015 Test Criteria and Stage 3 Provider MU Attestation rules will be the last Stage for MU, but that the rules and test requirements will continue to be revised and expanded as ONC deems necessary. I guess we can next expect Stage 3.1, along with revised test criteria 2015 dot 1, dot 2 … can anyone see a light at the end of this tunnel?

Frank Poggio is president of The Kelzon Group.

Readers Write: Ignorance of the Major EMR Software Vendors is Not Bliss

March 23, 2015 Readers Write 10 Comments

Ignorance of the Major EMR Software Vendors is Not Bliss
By Tyler Smith


We in healthcare IT have found ourselves in a pretty sexy industry. You know that is true when Silicon Valley is practically banging down the doors to get in and KPCB’s John Doerr states that he would really like to see an open source competitor to Epic created. Damn, so Valley money admits it is losing to a slowly built behemoth in Madison – not a brand spankin’ new startup it missed an angel round on.

Needless to say, HIStalk’s Startup columns are a quite timely addition to the blog. I particularly enjoyed reading Marty Feisenthal’s explanation of the elite JPM conference. Having heard about the conference from banker friends (not HIT colleagues), his column removed much of the mystique. Being a fellow Atlanta resident and having visited the Atlanta Tech Village before, I also have greatly appreciated Michael Burke’s articles on the experiences of an HIT founder in Atlanta.

I recently co-founded a startup that aimed to bring efficiency to the Epic staffing arena by using very simple tools already in place in other industries. I do not want to call it the Uber of Epic staffing – for fear of sounding like a hack – but the basic idea was a connection platform with ratings for Epic certified consultants. While we have put the project on hold due to some shakeups on our technical team and also due to slow buy-in from provider organizations (our target clients), the pause in the action has given me time to reflect on the current state of HIT startups – particularly those looking to nibble on the enterprise EMR vendors’ scope of services.

Along with Mr. H and most readers here, when anybody from the outside comes and brings a new idea to the HIT table, I am usually skeptical. For starters, most entrants do not understand the complexity of the hospital / provider organization buyer or the provider organizations’ importance in the system. In theory, I love the idea of patient advocacy and patient-centric apps, but if providers or the systems that house them aren’t buying it, you better have something that patients see as life or death (read: an HIV curing drug, not a sleep tracking app) if you want them to fight the entrenched stakeholders for you or with you to make your startup relevant or widely used to truly create positive clinical outcomes.

Secondly and most importantly, many of these outsiders do not understand the current state of the EMR vendor landscape, and if they do, they arrogantly think they can steal market share while the enterprise systems watch from the sidelines. True, Epic and Cerner’s UX can appear very basic from an end user standpoint, and the enterprise systems often do not appear to cover even close to all the functions that could be automated in a hospital or healthcare delivery organization. However, it would be naïve to think that these vendors have no big plans to tackle all of these remaining un-automated functions in the near future. When they do, unlike many of the new startups, these vendors will be able to simply make an additional sale to their already heavy client lists instead of having to undergo the arduous process of breaking down the doors to just get on the approved software vendor list at a major healthcare system.

The truth is that healthcare IT is a B2B market, not a consumer market. Organizations do not make purchasing decisions overnight, and thus while an app may actually do something better than an organization’s EMR, it better be a lot better for a healthcare provider organization to consider even meeting with the startup’s sales team.

This is not to say that I think that clinical apps which could be potentially developed and which will lead to improved clinical outcomes should not be attempted. What I am really saying is that before delving into development, HIT startup founders should take a much more serious look into EMR current state.

Even more importantly, startups should also consider what logical next steps vendors will be taking in their product offerings and research timelines as the massive implementation phase winds down and optimization becomes a priority for the vendors’ in-house development teams. If there really is a competitive advantage which the startup has over these behemoths in the development of an EMR-related application, then by all means go for it. But if not, it is probably best to develop something far outside of the current or near-future EMR vendor scope.

Easy for me to say as I sit on the sidelines and consult on EMR projects, I know. And you can object and say I’m siding with the status quo. Regardless, it pays to do your homework on the massive vendors. They aren’t going to crumble and they certainly aren’t going to let their clients get on products that encroach on their turf without a very solid battle.

In closing, I would ask any hopeful HIT entrepreneur: what is your startup doing that an established EMR vendor could not accomplish without a system update or by adding a new application which would seamlessly integrate with their current lineup?

Tyler Smith is a consultant with TJPS Consulting and co-founder of Hitop.co.

Readers Write: For Cybersecurity, Prevention First, But Don’t Forget About the Treatment

March 16, 2015 Readers Write No Comments

For Cybersecurity, Prevention First, But Don’t Forget About the Treatment
By Terry Edwards


Cyber-attacks are nothing new. We’ve all seen the attacks on major retailers, entertainment giants, and financial institutions. Healthcare is gaining attention as the next industry under attack since cyber-criminals are finding unprecedented value in patient health records.

A patient record can sell for $50 to $150 on the black market, more than a credit card number or a Social Security number. This gives buyers the ability to impersonate patients using all the personal information included in a health record to commit identity fraud or even obtain prescription drugs. In 2014, a record number of healthcare providers were hacked and a number of high-profile healthcare breaches have already made headlines in 2015.

The healthcare industry is taking these attacks seriously and working hard to protect itself against potential threats. However, it’s becoming more difficult for healthcare providers to ensure the continued integrity of patient data. Not only are hackers growing more advanced and nimble, but the number of vulnerabilities in the system is only increasing as the industry moves to population health management.

Care delivery is not quite as contained as it used to be. Patients can be treated in a variety of settings as their care teams grow in size. In addition, more types of devices are collecting and sharing patient data, offering more entry points for cyber-criminals to infiltrate. Healthcare organizations are also dealing with tight IT budgets, which in some cases only cover what’s necessary for regulatory requirements.

While it’s critical for healthcare organizations to ramp up IT defenses to protect the data of their patients, organizations that want to avoid a breach need to get back to the basics by focusing on the following:

  1. Develop an internal security committee to conduct a formal risk assessment and identify any areas at risk for a data breach. The committee needs to have the backing of the highest levels of the organization to demonstrate the commitment to protecting patient data.
  2. Following the risk assessment, the committee should develop an organization-specific risk management strategy to include processes, procedures, tools, and technologies.
  3. Educate the staff on the new processes and procedures. Implementing new procedures can be the biggest challenge for organizations. It’s not enough to deliver one training session and assume employees are following protocols. Instead, organizations must provide employees with frequent reminders to flag suspicious emails, keep their passwords protected, and encrypt any communication with protected health information.
  4. Reassess risk on an ongoing basis to make sure employees are following the appropriate processes and procedures and to identify any new vulnerabilities within the system. Cyber-criminals are constantly using new methods to find weaknesses in the system, so healthcare organizations must stay on their toes to keep technology up to date.

Even with the strongest security protocols in place, sometimes a cyber-criminal can find a way through. The experience of other industries shows that while customers are generally understanding when a breach occurs, they need assurance that the organization recognizes the breach and is taking steps to avoid another one. One of the biggest threats of a data breach for healthcare organizations is the potential hit to patient trust, the cornerstone of the patient-physician relationship. Healthcare organizations need to maintain that trust to deliver effective care.

To protect patient trust and the reputation of the organization following a breach, providers must put a treatment plan in place:

  1. Communicate early and often. Immediately following a breach, a healthcare organization must alert patients with details on what data may have been jeopardized, what actions they need to take (such as changing a password), and how the organization is working to protect the security of patient information. By giving patients as much information as possible, the healthcare organization can convey it is treating the issue seriously and is taking all necessary precautions to ensure another breach does not occur.
  2. Offer services to monitor and alert patients. By offering tools to monitor their credit and identity theft, healthcare organizations can show they’re concerned about minimizing any risk to patients. In addition to credit reporting, healthcare organizations should reach out to patients whose data was compromised to ensure patients are regularly reviewing their explanation of benefits for any fraudulent activity. Organizations can consider email guides, webinars, and in-person meetings to help patients understand how to review their accounts regularly and what to look for.
  3. Educate staff on how to handle patient inquiries. Some patients will have questions about the breach and may ask employees like receptionists or nurses who are not used to fielding those types of inquiries. Give employees guidance on how they should respond to upset or concerned patients so that they can get the correct information through appropriate channels.

It does not look like cyber-criminals will stop their attacks on healthcare organizations anytime soon, but with the right protocols and procedures in place, healthcare organizations can put their best defense forward and be prepared to respond in case of a breach.

Terry Edwards is CEO of PerfectServe.

Readers Write: Hacking the Healthcare Conference

March 13, 2015 Readers Write 1 Comment

Hacking the Healthcare Conference
By John Gomez

Outside it was 19 degrees and snow continued to fall as it had for the last few days. Inside the two-story brick building in downtown Asbury Park, NJ, a group of operators huddled around a set of whiteboards and large flat-screen TVs doubling as computer monitors that are connected to a variety of computer hardware.

One of the screens provided satellite images of a convention center. Another screen detailed the locations of all the hotels being used by attendees of a healthcare conference. Yet another screen highlighted the booth locations of the key exhibitors, with cross-references to their key clients, employees, and partners with their LinkedIn, Facebook, and Twitter account names and pages.

The operators had been developing cyber-attack plans for one of the largest healthcare information technology conferences in the world. The Alpha teams would focus on infiltrating the conference itself, while Bravo team members would exploit opportunities at hotels, restaurants, and the popular vendor-sponsored parties. The current debate centered on whether team members should register to attend the conference or simply swipe the passes of attendees and blend in with the crowd.

The last team, Command One, would provide command and control. It had already secured several adjoining suites at a hotel across from the convention center. The suite would provide real-time, 24×7 communications to the team members as well as manage the botnet and provide the initial command and control capabilities for the RAT software the field teams would be deploying.

The RATs being deployed by the field team were custom developed using a derivative of Stuxnet. This assured that the RATs would work across operating systems and devices. It also assured that the RAT would lie dormant for the most part except in some special cases.

One of those special cases was that if the RAT determined it was on a laptop, it would turn on the computer’s microphone and camera to record confidential conversations between vendors and clients as well as between vendor teams about their clients. The hope was to garner details that could later be used to exploit employees or other details that could lead to further compromises. RATs deployed to machines running a server operating system or Linux variant would replicate, eventually being introduced to a corporate network and then becoming active, establishing themselves inside the corporate infrastructure of vendors and attendees.

Aside from the RATs, the Bravo teams had already visited area hotels and catalogued the wireless networks and their providers, deploying SDR and other toys to about 40 hotels. The goal was to eventually compromise the wireless networks using man-in-the-middle attacks and other techniques. In situations where they could not bypass the hotel’s wireless infrastructure, the team planned to compromise targets of opportunity being used in lobbies and public areas.

The team was now in its final planning stages. “Do we have the dummy business cards?”

The team had created a fictitious company, complete with a website, Delaware LLC, and 800 phone number complete with employee directory and voicemail. The team also had false employee IDs issued by the fictitious company. This allowed the team to play the role of a vendor attending the conference.

A subset of the team had spent the past two weeks becoming familiar with their cover of representing a new hospital system being created in the Midwest. The team included a fake CMIO, CIO, and VP of operations. The team developed LinkedIn accounts with complete work and educational histories as well as a fake website for the new healthcare system, with architectural renderings of their new 650-bed acute care facility and their upcoming regional clinical care centers.

At this point, you are probably wondering if what you are reading is an expose of a crack hacking team or simply a fictional piece of work. It is actually a little of both.

One of the things my team often does is to run simulated attacks on a variety of targets. We basically map out the entire attack and do all the prep work, short of launching the attacks. In this scenario, we decided to attack a healthcare conference.

The simulation was actually carried out over a period of three days. Everything you read is real. All the techniques, tools, and practices are the actual methods we would use to carry out a large scale cyber-attack against a healthcare conference. Our goal in doing this was to help develop suggestions for those attending any healthcare conference in hopes of making the lives of people like us much more difficult.

The above doesn’t include everything we would do or how we would do it, but what I did divulge is not all that sophisticated or uncommon. There is nothing in the story that isn’t already known or possibly already being undertaken by cyber-criminals, cyber-terrorists, or cyber-spies. Although we would never carry out this type of activity, there are those who would and probably will. Hopefully you will heed our counsel and employ the suggestions below, thereby keeping you and your organization a little safer.

  1. Share the wealth. One of the most important things you can do is educate others on the possible threats that exist when attending conferences of any size. An easy way to do that is forward this article to your teams. Like GI Joe once said, “Knowing is half the battle,” and that is especially true in the world of cyber-security. Most people don’t realize the sheer audacity that attackers employ. Hopefully the above story illustrates a little bit of that audacity.
  2. Encryption matters. All of your devices should use local file encryption, especially if you are going to be shipping them where they are out of your control. This also applies to any device that you are taking with you on the road — laptop, tablets, etc. All communication should be encrypted, even if you are using a closed network, but especially if you are connecting to the Internet.
  3. Stay in control. Do not leave your laptops or other computing devices in your hotel. If you are going to leave them behind, lock them in a safe and make sure the device is encrypted.
  4. Remove history. Delete your web browser history every day and also delete all previous wireless access points from your computing device history. For example, if your iPad is set up to automatically connect to your home wireless network, delete that before you go to a conference. Why? Because I can use the MAC address of your home network to find your home address. Don’t believe me? Email me your MAC address and we can bet a cafe mocha.
  5. Just say no to thumb drives and DVDs. If anyone — partner in crime, spouse, child, parent, boss, vendor, speaker (including George Bush) — offers to give you a thumb drive or DVD for any reason, just say no. Ask them to e-mail you the item, or better, print it out. If they e-mail it, do a virus scan and make sure it is from someone you met before the show. Otherwise, FedEx works great to mail you documents quickly. Thumb drives and DVDs can harbor malware. Even if you know the person, you don’t know where they got the thumb drive or how they made the DVD. Save yourself a lot of pain and just say no.
  6. Lock down machines. Vendors should lock their server rooms and demo equipment. You shouldn’t hire third-party security — you should be your own security during off hours. I know this sucks and is a burden, but it’s your technology. If the answer to this is that you wipe your equipment, good for you, but I am not after your equipment — I am after your data and network. Wipe away — chances are someone on your team will connect to your demo network.
  7. No demo networks. Don’t connect to demo networks. You don’t know what is on them no matter what your IT team tells you.
  8. Limit Wi-Fi. If you must use Wi-Fi, limit it to your hotel (it’s not the safest, but it’s better than a coffee shop or airport) and use a secure connection over a VPN. A better alternative, though not cheap, is your own personal hotspot over a secure connection.
  9. Wipe machines. After every conference, you should do a DoD-level format of all hardware used at the conference. This includes a visual inspection of the internals, if possible, to assure that nothing was added by your third-party, $10 per hour security resource.
  10. Lock down demo machines. Tape over webcams, disable USB drives, and put tape over the ports. Disable unused ports and other services. Hire someone to attack your demo environment.
  11. Establish a conference VPN. Set up a VPN just for the conference and require two-factor authentication using something like Google Authentication to connect back to your corporate resources. After the conference, disable the VPN system and never use it again.
  12. Establish BIOS passwords.
  13. Create a bootable DVD. A great option for vendors is to use a bootable DVD with your demo clients on them. Please don’t tell me that you use virtual machines and somehow that makes you safer. If you believe that, you have a lot to learn about cyber-security.
  14. Awareness. If something doesn’t feel, smell, or seem right, it probably isn’t. Conferences are highly social venues. It is important that you don’t forget that most of what happens to you is because you let it happen. This applies in the real and cyber worlds and is critical in both to maintain your personal security.
  15. Email invites and marketing. Vendors love to send you all kinds of invites, updates, tidbits, and other neat stuff via e-mail during a conference. I would suggest you unsubscribe or just delete mass e-mailing from any vendor. A better option is to inform your rep that you will only accept e-mails from them directly and would appreciate minimizing things you have to click on. Think this is overboard? Consider that Anthem was compromised with a single click in an e-mail message.
  16. Blips matter. Ever say, “That was strange,” or “What just happened?” and then things go back to normal? Often this is just an anomaly, but it could also be an indication that your computer device is under attack. Think about what you were doing right before the blip — surfing the web, opening an e-mail, connecting to a network, clicking a link, downloading something. Put things in context, and if you get nervous for any reason, say something to your IT team.
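Item 4 (remove remembered wireless networks before you travel) is easy to verify rather than assume. The script below is an added example, not part of the original article: it audits saved Wi-Fi profiles in NetworkManager's keyfile format on a Linux laptop and lists what to remove. The sample profiles, the `keep` allowlist, and the function names are constructed for illustration.

```python
import configparser

# Section/type names used by NetworkManager keyfiles (current and legacy alias).
WIFI_NAMES = ("wifi", "802-11-wireless")
SECURITY_NAMES = ("wifi-security", "802-11-wireless-security")

# Constructed sample profiles. On a real system these are the files under
# /etc/NetworkManager/system-connections/ (root is needed to read them).
SAMPLE_PROFILES = {
    "HomeNet.nmconnection": """
[connection]
id=HomeNet
type=wifi

[wifi]
ssid=HomeNet
bssid=02:00:00:AA:BB:CC

[wifi-security]
key-mgmt=wpa-psk
""",
    "CoffeeShop.nmconnection": """
[connection]
id=CoffeeShop Free WiFi
type=wifi

[wifi]
ssid=CoffeeShop Free WiFi
""",
    "Hotspot.nmconnection": """
[connection]
id=MyHotspot
type=wifi
autoconnect=false

[wifi]
ssid=MyHotspot

[wifi-security]
key-mgmt=wpa-psk
""",
    "Dock.nmconnection": """
[connection]
id=Dock
type=ethernet
""",
}


def audit_profile(name, text, keep=frozenset()):
    """Return a finding for one saved profile, or None if it is not Wi-Fi."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if cp.get("connection", "type", fallback="") not in WIFI_NAMES:
        return None

    wifi = next((s for s in WIFI_NAMES if cp.has_section(s)), None)
    ssid = cp.get(wifi, "ssid", fallback=None) if wifi else None
    ssid = ssid or cp.get("connection", "id", fallback=name)

    risks = []
    # NetworkManager treats a missing autoconnect key as "true".
    if cp.getboolean("connection", "autoconnect", fallback=True):
        risks.append("auto-connects when in range")
    if not any(cp.has_section(s) for s in SECURITY_NAMES):
        risks.append("open network (no security section)")
    if wifi and cp.has_option(wifi, "bssid"):
        risks.append("stores the access point BSSID")

    # Everything not explicitly needed for the trip is marked for removal.
    action = "keep" if ssid in keep else "remove"
    return {"file": name, "ssid": ssid, "action": action, "risks": risks}


def audit_all(profiles, keep=frozenset()):
    """Audit a mapping of filename -> keyfile text; returns Wi-Fi findings only."""
    results = (audit_profile(n, t, keep) for n, t in sorted(profiles.items()))
    return [r for r in results if r is not None]


if __name__ == "__main__":
    for f in audit_all(SAMPLE_PROFILES, keep={"MyHotspot"}):
        print(f"{f['action']:6} {f['ssid']!r}: {', '.join(f['risks']) or 'no findings'}")
```

Profiles marked `remove` can then be deleted with the operating system's own network settings before the trip; the allowlist is where a personal hotspot (item 8) belongs.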

Hopefully, if nothing else, this article will get you to think and to ask your teams how well prepared you are to attend a conference. Conference operators do all they can to provide a safe and secure environment. But in this day and age, there is only so much they can do. The real burden of security — physical and cyber — is on the shoulders of individuals. This is how it should be because security works best when it is a personal responsibility.

Take time to talk with your teams (exhibitor or attendee) about security best practices. The pre-meeting is a great time to brief your teams on security practices or invite someone to speak to them. You should also have a cyber-security response plan for the conference that includes who to speak to, what to do if there is a threat, and how to report information to the conference coordinators so that multiple incidents can be correlated and viewed through a broader lens.

The reality is that life has changed.

The simulation outlined in the opening of this article was simply that — a planning simulation for a real-world attack. The emphasis is on real-world attack planning. The only thing that kept us from carrying out that simulation is that we fight for good, but there are plenty of others out there who don’t — we call them the bad guys.

John Gomez is CEO of Sensato of Asbury Park, NJ.

Readers Write: Telehealth: Ready for Prime Time

March 11, 2015 Readers Write No Comments

Telehealth: Ready for Prime Time
By Jonathan Leviss, MD


Telephone rings. “Hello?” answers Sonia, age 73 with heart failure and living at home.

“Hello, Sonia. It’s Linda, your telehealth nurse. I received an alert that you gained two pounds a day for the last three days.” Further assessment reveals that over the last few days Sonia has eaten more salt than usual and has leg edema. Linda prescribes furosemide under protocol, educates Sonia about her diet, establishes a plan of care, and sends a report to Sonia’s cardiologist.

Why is Sonia’s tale becoming more common? Accountable care organizations (ACOs), patient-centered medical homes (PCMHs), and other models of value-based care and bundled payments require reducing readmissions, addressing problems before they require more expensive interventions, and reducing high cost utilization. Telehealth is now a proven solution for all three.

Telehealth means robust, real-time, patient management solutions including remote patient monitoring of blood pressure and glucose; self-reported symptoms and medication compliance; live video visits with clinicians and health coaches; alerts for risks of clinical compromise; the ability to organize actionable information into dashboards or into a provider’s EHR; and the power of analytics to predictably detect problems earlier and develop new treatment approaches.

These real-time tools connect patients to the right care in the right place at the right time, and most commonly, that connection occurs in the patient’s own home. Not only does this save provider, payer, and patient resources, it’s most convenient for the patient and often most effective.

The effectiveness of telehealth is no longer a matter of speculation. There is a growing body of rigorous research published in peer-reviewed journals that validates these benefits, including the following findings from AMC Health programs. This sampling of peer-reviewed studies demonstrates the significant value that evidence-based telehealth programs provide across care settings, disease states and patient populations.

  • Medical Care, January 2012. Geisinger Health Plan reduced all-cause 30-day hospital readmissions for high-risk patients by 20 percent by adding interactive voice response calls to their care management outreach.
  • Journal of Managed Care Medicine, November 2012. New York City Health & Hospitals Corporation combined personalized case management and real-time patient management solutions to enable Medicaid patients with poorly controlled Type 2 diabetes to reduce HbA1c levels by a mean of 1.8 points.
  • Journal of The American Medical Association, July 2013. When Health Partners of Minnesota added telehealth and pharmacist management to their usual care for hypertension, 71.2 percent of the patients participating in the program had their blood pressure well-controlled after 12 months versus 52.8 percent of the control group.
  • Population Health Management, December 2014. Geisinger Health Plan significantly reduced hospital readmissions and cost of care for patients with heart failure. For every $1 spent to implement this program, GHP saved about $3.30, which translated to 11 percent per patient per month between 2008 and 2012.

As the healthcare market continues its transition to value-based care, this compelling evidence combined with exciting new technologies that expand how patients can engage in care virtually is fueling demand for customized telehealth programs ranging from full turnkey programs to the ability to seamlessly augment existing care management resources. To facilitate the adoption of telehealth, legislative and regulatory barriers are also being addressed:

  • The Tele-Med Act of 2013 (H.R. 3077), introduced to the House in September 2013, amends title XVIII of the Social Security Act to permit certain Medicare providers licensed in a state to deliver telemedicine services to Medicare beneficiaries in a different state.
  • The companion Telehealth Modernization Act of 2013 (H.R. 3750), introduced to the House in December 2013, calls for states to authorize health care professionals to deliver healthcare to individuals through telehealth.
  • The US Department of Veteran Affairs (VA) regularly offers telehealth services to qualifying veterans. In the just-ended federal fiscal year 2014, the VA’s national telehealth programs served more than 690,000 veterans and accounted for more than 2 million virtual visits.
  • The ACO Improvement Act (H.R. 5558) introduced on September 22, 2014, would permit ACOs to use remote patient monitoring and store-and-forward technology that delivers images to remote providers. The bill also strives to improve care coordination by improving the process through which data are shared between ACOs and the Medicare administration.

Not having visibility into a patient’s condition in real time when the patient is at home and outside of a clinical setting is like a chef overseeing a kitchen, but not being able to view the prep line. In the era of accountable care and pay for performance, the primary objective for patients with chronic conditions is to keep them healthy with fewer high-cost visits to the hospital or other clinical settings. Therefore, gaining at-home visibility is critical.

By incorporating proven telehealth services as part of a well-designed care plan, the entire care team can work with a patient to manage a chronic condition between clinician visits, altering treatments or creating early interventions to keep a patient healthier and reduce the spiraling cost of care.

As healthcare reform continues to drive providers to share risk and deliver greater value, understanding what is happening with their patients with chronic conditions outside the clinical setting is no longer a nice-to-have. It’s a must have. It’s time for telehealth to go mainstream.

Jonathan Leviss, MD is SVP/medical director of AMC Health; staff physician at Thundermist Health Center; and assistant clinical professor of health services, policy, and practice at Brown University School of Public Health.

Readers Write: The Pursuit of Health Optimization

March 11, 2015 Readers Write No Comments

The Pursuit of Health Optimization
By Jeff Margolis


For over 30 years I have been burdened with Crohn’s disease, a serious and currently incurable illness. It may seem ironic that I am on a crusade to enable all the “mostly healthy” people to achieve their highest possible health status at the lowest possible cost. After all, a number of excellent physicians, nurses, hospital staff, and technicians of all varieties performed skillfully in the US “sickcare” system with surgical and medical interventions that kept me alive.

These expensive interventions, which were largely paid for by my health insurance plan, would have otherwise financially disrupted me and my family. Let me be clear in saying that I am not ungrateful for the currently inefficient sickcare system nor do I have anything less than admiration for the efforts and capabilities of the medical professionals who comprise it. And yes, I am in a small minority that fully understands the critical role of our health insurance plans in weaving together the incredibly complex fabric of access and economics for our population.

I would be unequivocally grateful for a highly efficient and holistic “healthcare” system, whereby a cultural norm of admiration and rewards for each of us being skilled healthcare consumers would co-exist in a complementary way alongside our skilled medical professionals. After all, most of us in the population are healthy most of the time. In other words, except for the sickest of us who cannot care for ourselves at all at points in time, we have the opportunity to make choices and take actions every day that affect our health status and costs.

Our society has developed the cultural norm of seeking professional medical assistance when we become sick. How do you argue that such behavior is not rational? We start that behavior when we are young, throughout adulthood, and into our last days.

Let’s play this out in contrast a bit. When we are young and hungry, we typically rely on an adult to cook for us and feed us. Likewise, when we are children most of us (unfortunately not all) receive unconditional love whether or not our actions are deserving. Somehow, as we get older, we take responsibility for feeding ourselves when we’re hungry and we learn that loving relationships require effort to maintain. We generally learn to navigate abundant consumer options in order to get nourishment – ranging from five-star restaurants to growing our own food. We also pursue multiple pathways to personal relationships.

So, who decided that we should not be responsible, either individually or as a population, for the status of our health? And when was it decided that the way in which our actions impact our controllable health factors and costs was not our responsibility?

We have a challenge to solve in the affordability of healthcare and a huge opportunity to have a healthier population. Let’s begin by embracing the incredible array of consumer-facing resources that each of us healthcare consumers can wield — whether on our own or in coordination with our doctors and health plans. These resources, propelled by the digital age, include education and content about health benefits and care; methods of connecting to other consumers with common issues; wearable and carry-able devices that give us anytime access to capture and share health-related data; programs that increase our levels of fitness, nutritional, and physical well-being; programs that help us manage our known health challenges; methods that understand our motivations and lower our likelihood of developing depression or malaise; and capabilities to incentivize and reward us to do the right things.

The challenge is (and has been) that these types of consumer-facing resources are 1) fragmented into thousands of partial solutions; 2) constantly being innovated and updated in the marketplace; 3) disconnected from the way the current sickcare system operates; and 4) not contextually attached to any meaningful intrinsic or economic benefits for the healthcare consumer.

Stated another way, the well-intended ecosystem of things that a consumer can do to achieve their highest health status at the lowest possible cost exists in a state of confusion and chaos for the healthcare consumer. Further, the consumer is not incented or rewarded (i.e., paid for performance) to be skillful in matters of our health, as contrasted to the medical professionals to whom we turn.

The promise of health optimization platforms is both practical and staggering in its enormity. Think of it this way: If we place such a platform and its capabilities alongside the existing sickcare system (which remains essential for the aspect of our health that we cannot control as consumers), then we get a new kind of mathematical equation in the US healthcare system. One where the sum of the parts becomes less than the whole – with that whole being the current three trillion dollar cost of US healthcare spend.

Jeff Margolis is chairman and CEO of Welltok of Denver, CO.

Readers Write: Understanding the Importance of Prioritizing e-Prescribing

March 4, 2015 Readers Write 1 Comment

Understanding the Importance of Prioritizing e-Prescribing
By Louis Hyman


As the industry awaits confirmation of a compliance deadline delay for the New York State e-prescribing mandate—which will require electronic prescribing of controlled and non-controlled substances—it’s important that providers don’t delay their preparation efforts, as this process can be time- and resource-consuming.

Under provisions of the New York State e-prescribing mandate and subsequent regulations (such as amendments to Title 10 NYCRR Part 80 Rules and Regulations), all prescriptions in the state must be transmitted electronically by authorized prescribers unless an exception exists. However, as many providers are struggling to meet compliance by the original March 27, 2015 deadline due to a myriad of challenges beyond their control, the New York legislature is working to pass a law to delay implementation of the mandate to March 27, 2016.

No matter the timing of the deadline, this mandate serves to be a game-changer for how providers share prescription information, and they should be aware that other states are closely watching New York’s rollout, with several already considering following suit.

The scope is intensified because the law covers both controlled and non-controlled medications and applies to all providers in New York State, including long-term and post-acute care organizations (LTPACs) and senior living facilities. Providers must start transitioning to the new requirement now to avoid significant penalties including fines, imprisonment, and/or professional license suspension or revocation.

As such, providers must make e-prescribing a priority in the midst of other major industry initiatives such as ICD-10 and Meaningful Use. However, e-prescribing easily can be incorporated into these efforts if organizations are already leveraging technology and staff training in their preparation.

To comply with the new mandate, healthcare organizations first must fully comprehend its scope. They need to look at its impact on provider, practice, and facility workflows, as well as how it ultimately affects patient or resident care. The following four best practices can help healthcare organizations engage providers and create a smoother transition:

  1. Generate physician awareness of the implications. Regardless of the care venue, it’s important to meet with physicians to raise their level of awareness and engage them in understanding the law’s full scope. Providers need to be clear on what is expected from them within the new e-prescribing workflows, just as they adapted workflows for EHR implementations to meet Meaningful Use requirements. Building physician awareness is even more critical among those organizations that have not yet implemented an EHR and may therefore require standalone computerized order entry or electronic prescribing technology. These providers may not be accustomed to any form of e-prescribing.
  2. Evaluate the workflows of all clinicians involved in the traditional prescribing process. This step is especially important in regard to the complex workflows in hospitals, skilled nursing facilities, and other senior living care settings. Because the law applies to both controlled and non-controlled medications and does not allow physicians to delegate the final steps within the prescribing process, four basic workflows need to be reviewed to understand how they will be impacted by e-prescribing. These workflows include: orders generated in-house for controlled medications, orders generated in-house for non-controlled medications, orders generated upon discharge for controlled medications, and orders generated upon discharge for non-controlled medications. Additionally, providers should examine specific workflows for nurses, physicians, and other clinicians. For instance, because telephone orders will no longer be accepted, healthcare organizations need to plan for physician availability during off hours and periods of high admission and discharge volumes.
  3. Engage caregivers in decisions. Because caregivers are key stakeholders, they should be included in the workflow evaluation to gain accurate insight into the overall impact of e-prescribing. It’s important for organizations to involve these individuals in any technology selection as well to ensure the appropriate tools are in place to support necessary workflows. As part of the selection process, engage caregivers in active testing of how their workflows are accommodated on a day-to-day basis. Beyond supporting workflows, healthcare organizations also should confirm the selected technology performs on a variety of platforms used by caregivers – such as tablets, smartphones, laptops, and PCs, as the physician may not always be on site.
  4. Train and practice e-prescribing. With workflows and technology in place, it’s now time to employ a robust training program to support efficiency and compliance by all caregivers. Providers should begin actively practicing e-prescribing as soon as possible to identify and resolve any issues prior to the compliance date.

Even with the possible New York State e-prescribing mandate deadline delay to March 27, 2016, New York providers need to make e-prescribing a priority. By focusing now on an e-prescribing strategy, healthcare organizations and providers across all care settings – including LTPACs and senior living providers – can realize the benefits to medication management and patient/resident safety while also maintaining compliance.

Louis Hyman is chief technology officer for SigmaCare.

Readers Write: Want to Read the Briefs in the Epic vs. Tata Consulting Case? That’ll Cost $0.10 Per Page (Unless We Do Something About It)

February 25, 2015 Readers Write 6 Comments

Want to Read the Briefs in the Epic vs. Tata Consulting Case? That’ll Cost $0.10 Per Page (Unless We Do Something About It)
By Reluctant Epic User

As Americans, we tend to assume that we have the most open and transparent courts in the world. Unfortunately, that probably isn’t the case. The reality is that all of the public documents filed in a court case are locked behind the world’s largest paywall, including those in the Epic Systems vs. Tata Consultancy Services Limited case.

It doesn’t have to be this way. The courts give every person in America $15 per quarter in free downloads. The Free The Law project has created a clever workaround which places these documents in the public domain.

Five of 82 documents in the Epic vs. Tata case are available to the public. You can increase that number. Follow these steps:

  1. Install the “RECAP the law” Firefox Extension.
  2. Open a PACER account as a view user (credit card required).
  3. Once you have an account open, go to the Western Wisconsin Court District site and log in.
  4. Click Query and enter 3:14-cv-00748 in the case number field.
  5. Click Docket Report, accept the default values, click run.
  6. Click on one of the document # hyperlinks which doesn’t have a “RECAP the law” logo by it (examples in green boxes).
  7. Read the document if you’re interested. If you aren’t, click back and find another one. At most, a document will cost $3.00. Therefore, don’t open more than four documents and you’ll stay under the $15 free limit.


Some of you may be wondering, why do this? To date, documents like Epic’s Standard Consulting Agreement (circa 2005) have been unavailable to the general public. The case offers us the chance to get a glimpse behind Epic’s veil of secrecy, something any HIT observer should happily support.

Since this will be an ongoing case, we’ll need people to regularly contribute. If you comment on this post, you’ll be updated on an ongoing basis as we gather all the documents we need.

Readers Write: Working Around Health IT: The Nurse, the Workaround, and the Question You Need to Ask

February 25, 2015 Readers Write 4 Comments

Working Around Health IT: The Nurse, the Workaround, and the Question You Need to Ask
By JoAnne Scalise, MSN, BSN, RN


Are nurses just BAD? (That’s not the question.)

Why are they so adamant about working around health information technology (HIT)? Is it to give the CIO chest pain? Annoy the IS people? Give their nurse leader heartburn?

How can a simple process — do this, then do this (perhaps multiplied a few or many more times) — turn into a spin with the Mad Hatter (teacup optional)?

It would be easy to leave it that “nurses don’t follow directions,” “nurses are difficult to deal with,” or my personal favorite, “nurses don’t like change” (of course, everyone else likes change!). Those crazy nurses are still wearing disco-era bellbottoms and a mullet. And if you are, that’s ok – it works for you. With 55 percent of the RN workforce at age 50+ (from a 2013 survey reported by the National Council of State Boards of Nursing and The Forum of State Nursing Workforce Centers), that may have been some of the best of times.

But what about making right now better? So much HIT is intended to make life better: for patients, for healthcare systems, and yes, for those crazy nurses. Better, as in efficient and safer for everyone – and in getting paid so we can take care of people tomorrow.

Even knowing that, why do nurses choose to work around the very things that could save their patient, their colleagues, their organization – and themselves? Why does an expert nurse scan a contraband wristband or label instead of the one on the patient for medication administration or specimen collection? Why circumvent the EHR when guidelines for use have been given? Why take that patient (and personal and professional) risk?

This is the opening of dialogue. Not to defend what many call “the bad apple,” “the bad actor,” or those who just act “bad,” as in, “I don’t care about people” people. I’m not talking about nurses or specific roles. I’m referring to those outliers who are clear that they don’t care about patient safety or care, their colleagues, or healthcare. Those people are the rarest of the rare because they don’t last long in our system – we can’t tolerate bad apples or bad care. Bad is about behavior and not the person.

As a perennial patient safety student, I know that the professionals who have chosen to be entrusted with providing care to every one of us who enters the healthcare system do not take their responsibility lightly. As a nurse, I know (as do my clinician colleagues) that we have chosen wisely. Our responsibilities to our patients and the healthcare system are our primary motivators. Care excellence is the goal we must fulfill in every patient encounter every day. Safety never sleeps.

Why then, the confounding issue of the workaround?

I have been fortunate to work with nurses around the country to help them keep their patients and themselves safe. I have had other departmental staff stand up and point their fingers at me and ask, “How are you going to make these nurses BEHAVE?” And this is with nurses in the room. On occasion, I even get the same question from the nurse leaders. Laboratorians, CIOs, and patient safety and quality professionals have other direct questions on the same topic. I’ve even been invited to speak to groups of lab leaders on “how to communicate with the nursing suite.” When presenting on the topic in national forums, the topic is often addressed in hushed tones by nursing and other leaders who share that the workaround is an “epidemic.”

Indeed, the workaround is a real and persistent danger and with exponential significance: the possible patient safety breach, the trust eroded for collaboration and communication, and the financial loss from the wasting of resources of the healthcare organization.

Health information technology spending was projected to top $6.8 billion in 2014, with individual hospitals and healthcare systems spending millions annually. Not using the purchased technology causes challenges in safety, in culture and process, in data collection and analysis, and in budgets. When enough end users simply “end it” and stop using the technology, the technology can end for that organization. With that end comes significant loss.

At the same time, some organizations decide to not engage the nurse or other end user for a variety of reasons, often because of time for conflict (“we can’t get caught up in nursing demands — they’re going to have to do it.”) I’ve been in meetings where the issue came up of end users (who were not represented or in attendance) and the statement was made, “We’re just going to ram it down their throats.” Tough love, but probably not so effective in the long run. Fortunately, they were eventually receptive to the benefits of end user inclusion and engagement in the decision process, with a very positive outcome.

When nurse and hospital leaders ask me, “What is the most important lesson you’ve learned about adoption?” I tell them that the most important lesson may seem to be a simple one. Engage your end users. You must engage them as you decide that you have an issue to solve. You must engage them before any technology decision is made. If you don’t, they will use the only opportunity that they have to influence this decision – and that is not to use it.

Some technology doesn’t make life easier. Not all technology is the best it can be. We all need to help make these products better through objective feedback and end user engagement in the decision process and ongoing use.

I believe we can support clinicians in moving from compliance to commitment, and not just in technology. I’ve developed a MAP (mindful leadership, authentic communication, personal accountability) to help you do just that so we can do less “around” and more “work.”

I’ll leave you today with what I think is the best question for responding to a workaround. So many times we ask, “Why won’t you do this?” The question implies resistance, and depending on how we say it, frustration and even accusation. The answers may tend to be defensive and deflect the true reason.

Ask instead, “Why can’t you do this?” You will get thoughtful and real answers that may benefit your practice and eventually improve the technology. And the work.

Let’s continue the conversation on how we can work through the workaround. I’ll bring my MAP.

JoAnne Scalise MS-Patient Safety Leadership, RN is the manager of nurse consulting for Sunquest Information Systems.
