
Readers Write: Twenty Things Vendors Need to Know About ONC’s New 2015 (Stage 3) Certification Program, But Were Afraid to Ask

March 24, 2015 Readers Write

Twenty Things Vendors Need to Know About ONC’s New 2015 (Stage 3) Certification Program, But Were Afraid to Ask
By Frank Poggio

On March 23, late on a Friday afternoon, ONC published two drafts of the proposed revisions to the 2015 Test Criteria along with new Stage 3 provider MU attestation requirements. Two separate large documents were published:

  • Electronic Health Record Incentive Program, Stage 3 Draft Rule, (300+ page PDF)
  • 2015 Edition Health Information Technology (Health IT) Certification Criteria, ONC Health IT Certification Program Modifications (400+ page PDF)

The first covers the proposed rules for MU Attestation for Providers under Stage 3. The second addresses proposed test criteria and requirements for vendors and revised operating rules for the Accredited Certification Bodies (ACB).

Already there has been a great deal of discussion of the first document, the MU requirements, since it impacts all providers, while the second document, aimed at vendors and system developers, has received little attention. I commented on the MU provider piece on HIStalk earlier this week and will focus now on the impact on vendors and system developers. Some of my vendor clients have been calling and emailing me asking, “What’s changed for us?” Others are afraid to ask.

Suffice it to say there are some major additions and revisions to the test criteria and process that will give system developers heartburn, or maybe a K51.914 (ICD10=ulcer).

Before I dive into the document, let’s remember that back in 2013 ONC disconnected the MU Stages from the certification test versions. The concept that a vendor is Stage 2 or Stage 3 certified is almost meaningless since a provider could MU attest to Stage 2 using either modified 2011 test criteria or the 2014 criteria. With the eventual issuance of these new 2015 criteria, for a short period providers can Stage 2 attest using a vendor’s 2014 certified product or, if available, the vendor’s 2015 certified product.

All 2015 Test Criteria are now referred to as the 170.315 regulations. At this time, these are just draft proposals that will be formally published in the Federal Register on March 30, 2015. Then after a 90-day comment period, some revisions will be made, with the final regulations issued in the July-August timeframe.

Using the last two cycles of draft rules versus final issued regulations, I predict that some 90 percent of what is now proposed will be adopted into law. So fasten your seat belts — here we go. Some highlights (or lowlights?) are:

  1. Privacy and Security (170.315 d1-d7). There are some minor changes in several of these tests, such as access, time outs, integrity, device encryption and audit logs. But now under 2015 testing, they have become mandatory if a vendor wants to test out on other criteria, such as Demographics. The P&S tests were mandatory under 2011 (Stage 1), then ONC made them optional for 2014, and now they are back in the mandatory column. To paraphrase ONC, it’s all due to the never-ending march of data breaches. An added requirement to P&S which is stated in the MU regs, but not in any specific test criteria, is that vendors now must attest to having completed a HIPAA risk analysis of their product whenever they install new releases or updates. Here’s why. In order for providers to be compliant with MU and HIPAA, they will have to get an attestation from the vendor before they install any update; the provider MU regulations state on page 64: “EPs, eligible hospitals, and CAHs must conduct the security risk analysis upon installation of CEHRT or upon upgrade to a new Edition of certified EHR Technology.”
  2. Demographics 170.315a4. ONC wants coding for language and ethnicity to support all 900 OMB codes and all RFC 5646 ethnicity codes. But ONC acknowledges that a drop-down list of 900 data elements might cause workflow problems, so they have said a full drop-down list is not required. You just need to show in a test you support all the codes and can tailor the list for each provider client.
  3. Vital Signs 170.315 a6. All values must have LOINC codes. Data elements have been expanded and pediatric vitals have separate criteria.
  4. Advance Directive (170.315 a17). Now you have to electronically capture and track the AD. No more just check a box and who cares what file drawer it’s in.
  5. Medical Implants (170.315 a20). Must now be tracked and reported.
  6. Social, Psychological, and Behavioral data must now be captured and tracked using LOINC and SNOMED coding. (170.315 a21).
  7. Clinical Decision Support tools must be linked to Knowledge Artifacts formatted in the HeD standard Release 1.2. (170.315 a22).
  8. New “decision support – service” (170.315 g6) certification criterion requires technology to electronically make an information request with patient data and receive in return electronic clinical guidance in accordance with an HeD 1.2 standard.
  9. New CDA standard (170.315 b1). The C-CDA standard is now the single standard permitted for certification and the representation of summary care records. An updated version, HL7 Implementation Guide for CDA Release 2: Consolidated CDA Templates for Clinical Notes (US Realm), Draft Standard for Trial Use, Release 2.0, includes the following changes: new structural elements (new document sections and data entry templates); new document templates for Care Plan, Referral Note, and Transfer Summary; and new sections for Goals, Health Concerns, Health Status Evaluation/Outcomes, Mental Status, Nutrition, Physical Findings of Skin, etc.
  10. CDA system performance (170.315 g6). As part of the focus on interoperability, ONC is requiring performance standards for data transfers of CCA/CCR. Data transmission of CDAs will be tested for volume and response times.
  11. XDM packing of View/Download/Transmit and CCR/CCD with incorporation of industry APIs using the IHE-IT infrastructure standard.
  12. Data Portability has been broken out into Send /Receive as separate components (170.315 b6).
  13. Care plans (170.315 b9). ONC proposes to include the “assessment and plan of treatment,” “goals,” and “health concerns” in the “Common Clinical Data Set” for certification to the 2015 Edition. The “assessment and plan of treatment,” “goals,” and “health concerns” are intended to replace the concept of the “care plan field(s), including goals and instructions” which is part of the “Common MU Data Set” in the 2014 Edition.
  14. CQM (170.315 c1). Has been expanded into separate segments: filters, create, import, and calculate.
  15. Quality Management System (170.315 g4-g5). Now includes an “accessibility technical component” in accordance with the ADA. The QMS must be mapped to a federal guideline or industry standard. (No more home-grown QMS process/tools.)
  16. Safety Enhanced Design – SED (170.315 g3). Expanded and requires specific and detailed usability test documentation. ONC recommends following NISTIR 7804, “Technical Evaluation, Testing, and Validation of the Usability of Electronic Health Records,” for human factors validation testing of the final product to be certified. They recommend a minimum of 15 representative test participants for each category of anticipated clinical end users who conduct critical tasks where the user interface design could impact patient safety.
  17. Authorized Testing Bodies (testing agencies) are now required to conduct surveillance (audits) on at least 5 percent of vendor installs (or a maximum of 10) every year to verify that the certified system in fact meets each certified test criterion.
  18. Attestation for price transparency. ONC wants vendors to disclose any material system limitations on their website and in marketing materials. The vendor must also disclose any material add-on costs, such as transaction fees to support interfaces/interoperability, and supply any requesting entity a reasonably accurate cost estimate of total system costs. That’s ANY requesting entity, not just prospects or bid requests.
  19. ONC wants monthly reports from the testing agencies on provider complaints and counts of vendor updates and modifications. If the number of updates/modifications exceeds a set number, the ACB is to call the vendor back in for re-testing.
  20. ONC predicts the rules and test criteria will be finalized by mid-summer and vendors will work “aggressively” in 2016-17 to modify products and meet the target date of 2018 to support Stage 3 provider attestations, which will require a full year of calendar data from providers.

ONC estimates that all vendors together will have to invest approximately $300 to $400 million to effect all these changes. They calculate there are 81 unique vendors with certified products, hence an average cost of $4-5 million each, which does not include the time and cost to go through the test process.

ONC states they will continue with the “Gap” test process, meaning if you passed a test criteria under 2014 and there were no (or minimal) changes for the 2015 criteria, you get a bye. Given the preceding, my advice is if you’re a vendor that is not yet 2014 certified, you really want to get it done sooner rather than later. My experience tells me that being 2014-certified for as many criteria as you can before the 2015 criteria are cast in stone will be a better place to be.

Lastly, ONC states that the 2015 Test Criteria and Stage 3 Provider MU Attestation rules will be the last Stage for MU, but that the rules and test requirements will continue to be revised and expanded as ONC deems necessary. I guess we can next expect Stage 3.1, along with revised test criteria 2015 dot 1, dot 2 … can anyone see a light at the end of this tunnel?

Frank Poggio is president of The Kelzon Group.

Readers Write: Ignorance of the Major EMR Software Vendors is Not Bliss

March 23, 2015 Readers Write

Ignorance of the Major EMR Software Vendors is Not Bliss
By Tyler Smith


We in healthcare IT have found ourselves in a pretty sexy industry. You know that is true when Silicon Valley is practically banging down the doors to get in and KPCB’s John Doerr states that he would really like to see an open source competitor to Epic created. Damn, so Valley money admits it is losing to a slowly built behemoth in Madison – not a brand spankin’ new startup it missed an angel round on.

Needless to say, HIStalk’s Startup columns are a quite timely addition to the blog. I particularly enjoyed reading Marty Feisenthal’s explanation of the elite JPM conference. Having heard about the conference from banker friends (not HIT colleagues), his column removed much of the mystique. Being a fellow Atlanta resident and having visited the Atlanta Tech Village before, I also have greatly appreciated Michael Burke’s articles on the experiences of an HIT founder in Atlanta.

I recently co-founded a startup that aimed to bring efficiency to the Epic staffing arena by using very simple tools already in place in other industries. I do not want to call it the Uber of Epic staffing – for fear of sounding like a hack – but the basic idea was a connection platform with ratings for Epic certified consultants. While we have put the project on hold due to some shakeups on our technical team and also due to slow buy-in from provider organizations (our target clients), the pause in the action has given me time to reflect on the current state of HIT startups – particularly those looking to nibble on the enterprise EMR vendors’ scope of services.

Along with Mr. H and most readers here, when anybody from the outside comes and brings a new idea to the HIT table, I am usually skeptical. For starters, most entrants do not understand the complexity of the hospital / provider organization buyer or the provider organizations’ importance in the system. In theory, I love the idea of patient advocacy and patient-centric apps, but if providers or the systems that house them aren’t buying it, you better have something that patients see as life or death (read: an HIV curing drug, not a sleep tracking app) if you want them to fight the entrenched stakeholders for you or with you to make your startup relevant or widely used to truly create positive clinical outcomes.

Secondly and most importantly, many of these outsiders do not understand the current state of the EMR vendor landscape, and if they do, they arrogantly think they can steal market share while the enterprise systems watch from the sidelines. True, Epic and Cerner’s UX can appear very basic from an end user standpoint, and the enterprise systems often do not come close to covering all the functions that could be automated in a hospital or healthcare delivery organization. However, it would be naïve to think that these vendors have no big plans to tackle all of these remaining un-automated functions in the near future. When they do, unlike many of the new startups, these vendors will be able to simply make an additional sale to their already heavy client lists instead of having to undergo the arduous process of breaking down the doors just to get on the approved software vendor list at a major healthcare system.

The truth is that healthcare IT is a B2B market, not a consumer market. Organizations do not make purchasing decisions overnight, and thus while an app may actually do something better than an organization’s EMR, it better be a lot better for a healthcare provider organization to consider even meeting with the startup’s sales team.

This is not to say that I think clinical apps which could potentially be developed and which would lead to improved clinical outcomes should not be attempted. What I am really saying is that before delving into development, HIT startup founders should take a much more serious look at the current state of EMRs.

Even more importantly, startups should also consider what logical next steps vendors will be taking in their product offerings and research timelines as the massive implementation phase winds down and optimization becomes a priority for the vendors’ in-house development teams. If there really is a competitive advantage which the startup has over these behemoths in the development of an EMR-related application, then by all means go for it. But if not, it is probably best to develop something far outside of the current or near-future EMR vendor scope.

Easy for me to say as I sit on the sidelines and consult on EMR projects, I know. And you can object and say I’m siding with the status quo. Regardless, it pays to do your homework on the massive vendors. They aren’t going to crumble and they certainly aren’t going to let their clients get on products that encroach on their turf without a very solid battle.

In closing, I would ask any hopeful HIT entrepreneur: what is your startup doing that an established EMR vendor could not accomplish without a system update or by adding a new application which would seamlessly integrate with their current lineup?

Tyler Smith is a consultant with TJPS Consulting and co-founder of Hitop.co.

Readers Write: For Cybersecurity, Prevention First, But Don’t Forget About the Treatment

March 16, 2015 Readers Write

For Cybersecurity, Prevention First, But Don’t Forget About the Treatment
By Terry Edwards


Cyber-attacks are nothing new. We’ve all seen the attacks on major retailers, entertainment giants, and financial institutions. Healthcare is gaining attention as the next industry under attack since cyber-criminals are finding unprecedented value in patient health records.

A patient record can sell for $50 to $150 per record on the black market, more than a credit card number or a Social Security number. This gives buyers the ability to impersonate patients using all the personal information included in a health record to commit identity fraud or even obtain prescription drugs. In 2014, a record number of healthcare providers were hacked, and a number of high-profile healthcare breaches have already made headlines in 2015.

The healthcare industry is taking these attacks seriously and working hard to protect itself against potential threats. However, it’s becoming more difficult for healthcare providers to ensure the continued integrity of patient data. Not only are hackers growing more advanced and nimble, but the number of vulnerabilities in the system is only increasing as the industry moves to population health management.

Care delivery is not quite as contained as it used to be. Patients can be treated in a variety of settings as their care teams grow in size. In addition, more types of devices are collecting and sharing patient data, offering more entry points for cyber-criminals to infiltrate. Healthcare organizations are also dealing with tight IT budgets, which in some cases only cover what’s necessary for regulatory requirements.

While it’s critical for healthcare organizations to ramp up IT defenses to protect their patients’ data, avoiding a breach also requires getting back to the basics by focusing on the following:

  1. Develop an internal security committee to conduct a formal risk assessment and identify any areas at risk for a data breach. The committee needs to have the backing of the highest levels of the organization to demonstrate the commitment to protecting patient data.
  2. Following the risk assessment, the committee should develop an organization-specific risk management strategy to include processes, procedures, tools, and technologies.
  3. Educate the staff on the new processes and procedures. Implementing new procedures can be the biggest challenge for organizations. It’s not enough to deliver one training session and assume employees are following protocols. Instead, organizations must provide employees with frequent reminders to flag suspicious emails, keep their passwords protected, and encrypt any communication with protected health information.
  4. Reassess risk on an ongoing basis to make sure employees are following the appropriate processes and procedures and to identify any new vulnerabilities within the system. Cyber-criminals are constantly using new methods to find weaknesses in the system, so healthcare organizations must stay on their toes to keep technology up to date.

Even with the strongest security protocols in place, sometimes a cyber-criminal can find a way through. The experience of other industries shows that while customers are generally understanding when a breach occurs, they need assurance that the organization recognizes the breach and is taking steps to avoid another one. One of the biggest threats of a data breach for healthcare organizations is the potential hit to patient trust, the cornerstone of the patient-physician relationship. Healthcare organizations need to maintain that trust to deliver effective care.

To protect patient trust and the reputation of the organization following a breach, providers must put a treatment plan in place:

  1. Communicate early and often. Immediately following a breach, a healthcare organization must alert patients with details on what data may have been jeopardized, what actions they need to take (such as changing a password), and how the organization is working to protect the security of patient information. By giving patients as much information as possible, the healthcare organization can convey it is treating the issue seriously and is taking all necessary precautions to ensure another breach does not occur.
  2. Offer services to monitor and alert patients. By offering tools to monitor their credit and identity theft, healthcare organizations can show they’re concerned about minimizing any risk to patients. In addition to credit reporting, healthcare organizations should reach out to patients whose data was compromised to ensure patients are regularly reviewing their explanation of benefits for any fraudulent activity. Organizations can consider email guides, webinars, and in-person meetings to help patients understand how to review their accounts regularly and what to look for.
  3. Educate staff on how to handle patient inquiries. Some patients will have questions about the breach and may ask employees like receptionists or nurses who are not used to fielding those types of inquiries. Give employees guidance on how they should respond to upset or concerned patients so that they can get the correct information through appropriate channels.

It does not look like cyber-criminals will stop their attacks on healthcare organizations anytime soon, but with the right protocols and procedures in place, healthcare organizations can put their best defense forward and be prepared to respond in case of a breach.

Terry Edwards is CEO of PerfectServe.

Readers Write: Hacking the Healthcare Conference

March 13, 2015 Readers Write

Hacking the Healthcare Conference
By John Gomez

Outside it was 19 degrees and snow continued to fall as it had for the last few days. Inside the two-story brick building in downtown Asbury Park, NJ, a group of operators huddled around a set of whiteboards and large flat-screen TVs doubling as computer monitors that were connected to a variety of computer hardware.

One of the screens provided satellite images of a convention center. Another screen detailed the locations of all the hotels being used by attendees of a healthcare conference. Yet another screen highlighted the booth locations of the key exhibitors, with cross-references to their key clients, employees, and partners with their LinkedIn, Facebook, and Twitter account names and pages.

The operators had been developing cyber-attack plans for one of the largest healthcare information technology conferences in the world. The Alpha teams would focus on infiltrating the conference itself, while Bravo team members would exploit opportunities at hotels, restaurants, and the popular vendor-sponsored parties. The current debate centered on whether team members should register to attend the conference or simply swipe the passes of attendees and blend in with the crowd.

The last team, Command One, would provide command and control. It had already secured several adjoining suites at a hotel across from the convention center. The suite would provide real-time, 24×7 communications to the team members as well as manage the botnet and provide the initial command and control capabilities for the RAT software the field teams would be deploying.

The RATs being deployed by the field team were custom developed using a derivative of Stuxnet. This assured that the RATs would work across operating systems and devices. It also assured that the RAT would lie dormant for the most part except in some special cases.

One of those special cases was that if the RAT determined it was on a laptop, it would turn on the computer’s microphone and camera to record confidential conversations between vendors and clients as well as between vendor teams about their clients. The hope was to garner details that could later be used to exploit employees or other details that could lead to further compromises. RATs deployed to machines running a server operating system or Linux variant would replicate, eventually being introduced to a corporate network and then becoming active, establishing themselves inside the corporate infrastructure of vendors and attendees.

Aside from the RATs, the Bravo teams had already visited area hotels and catalogued the wireless networks and their providers, deploying SDR and other toys to about 40 hotels. The goal was to eventually compromise the wireless networks using man-in-the-middle attacks and other techniques. In situations where they could not bypass the hotel’s wireless infrastructure, the team planned to compromise targets of opportunity being used in lobbies and public areas.

The team was now in its final planning stages. “Do we have the dummy business cards?”

The team had created a fictitious company, complete with a website, a Delaware LLC, and an 800 phone number complete with an employee directory and voicemail. The team also had false employee IDs issued by the fictitious company. This allowed the team to play the role of a vendor attending the conference.

A subset of the team had spent the past two weeks becoming familiar with their cover of representing a new hospital system being created in the Midwest. The team included a fake CMIO, CIO, and VP of operations. The team developed LinkedIn accounts with complete work and educational histories as well as a fake website for the new healthcare system, with architectural renderings of their new 650-bed acute care facility and their upcoming regional clinical care centers.

At this point, you are probably wondering if what you are reading is an exposé of a crack hacking team or simply a fictional piece of work. It is actually a little of both.

One of the things my team often does is to run simulated attacks on a variety of targets. We basically map out the entire attack and do all the prep work, short of launching the attacks. In this scenario, we decided to attack a healthcare conference.

The simulation was actually carried out over a period of three days. Everything you read is real. All the techniques, tools, and practices are the actual methods we would use to carry out a large scale cyber-attack against a healthcare conference. Our goal in doing this was to help develop suggestions for those attending any healthcare conference in hopes of making the lives of people like us much more difficult.

The above doesn’t include everything we would do or how we would do it, but what I did divulge is not all that sophisticated or uncommon. There is nothing in the story that isn’t already known or possibly already being undertaken by cyber-criminals, cyber-terrorists, or cyber-spies. Although we would never carry out this type of activity, there are those who would and probably will. Hopefully you will heed our counsel and employ the suggestions below, thereby keeping you and your organization a little safer.

  1. Share the wealth. One of the most important things you can do is educate others on the possible threats that exist when attending conferences of any size. An easy way to do that is forward this article to your teams. Like GI Joe once said, “Knowing is half the battle,” and that is especially true in the world of cyber-security. Most people don’t realize the sheer audacity that attackers employ. Hopefully the above story illustrates a little bit of that audacity.
  2. Encryption matters. All of your devices should use local file encryption, especially if you are going to be shipping them where they are out of your control. This also applies to any device that you are taking with you on the road — laptop, tablets, etc. All communication should be encrypted, even if you are using a closed network, but especially if you are connecting to the Internet.
  3. Stay in control. Do not leave your laptops or other computing devices in your hotel. If you are going to leave them behind, lock them in a safe and make sure the device is encrypted.
  4. Remove history. Delete your web browser history every day and also delete all previous wireless access points from your computing device history. For example, if your iPad is set up to automatically connect to your home wireless network, delete that before you go to a conference. Why? Because I can use the MAC address of your home network to find your home address. Don’t believe me? Email me your MAC address and we can bet a cafe mocha.
  5. Just say no to thumb drives and DVDs. If anyone — partner in crime, spouse, child, parent, boss, vendor, speaker (including George Bush) — offers to give you a thumb drive or DVD for any reason, just say no. Ask them to e-mail you the item, or better, print it out. If they e-mail it, do a virus scan and make sure it is from someone you met before the show. Otherwise, FedEx works great to mail you documents quickly. Thumb drives and DVDs can harbor malware. Even if you know the person, you don’t know where they got the thumb drive or how they made the DVD. Save yourself a lot of pain and just say no.
  6. Lock down machines. Vendors should lock their server rooms and demo equipment. You shouldn’t hire third-party security — you should be your own security during off hours. I know this sucks and is a burden, but it’s your technology. If the answer to this is that you wipe your equipment, good for you, but I am not after your equipment — I am after your data and network. Wipe away — chances are someone on your team will connect to your demo network.
  7. No demo networks. Don’t connect to demo networks. You don’t know what is on them no matter what your IT team tells you.
  8. Limit Wi-Fi. If you must use Wi-Fi, limit it to your hotel (it’s not the safest, but it’s better than a coffee shop or airport) and use a secure connection over a VPN. A better alternative, though not cheap, is your own personal hotspot over a secure connection.
  9. Wipe machines. After every conference, you should do a DoD-level format of all hardware used at the conference. This includes a visual inspection of the internals, if possible, to assure that nothing was added by your third-party, $10 per hour security resource.
  10. Lock down demo machines. Tape over webcams, disable USB drives, and put tape over the ports. Disable unused ports and other services. Hire someone to attack your demo environment.
  11. Establish a conference VPN. Set up a VPN just for the conference and require two-factor authentication using something like Google Authenticator to connect back to your corporate resources. After the conference, disable the VPN system and never use it again.
  12. Establish BIOS passwords.
  13. Create a bootable DVD. A great option for vendors is to use a bootable DVD with your demo clients on them. Please don’t tell me that you use virtual machines and somehow that makes you safer. If you believe that, you have a lot to learn about cyber-security.
  14. Awareness. If something doesn’t feel, smell, or seem right, it probably isn’t. Conferences are highly social venues. It is important that you don’t forget that most of what happens to you is because you let it happen. This applies in the real and cyber worlds and is critical in both to maintain your personal security.
  15. Email invites and marketing. Vendors love to send you all kinds of invites, updates, tidbits, and other neat stuff via e-mail during a conference. I would suggest you unsubscribe or just delete mass e-mailing from any vendor. A better option is to inform your rep that you will only accept e-mails from them directly and would appreciate minimizing things you have to click on. Think this is overboard? Consider that Anthem was compromised with a single click in an e-mail message.
  16. Blips matter. Ever say, “That was strange,” or “What just happened?” and then things go back to normal? Often this is just an anomaly, but it could also be an indication that your computer device is under attack. Think about what you were doing right before the blip — surfing the web, opening an e-mail, connecting to a network, clicking a link, downloading something. Put things in context, and if you get nervous for any reason, say something to your IT team.

Hopefully, if nothing else, this article will get you to think and to ask your teams how well you are prepared to attend a conference. Conference operators do all they can to provide a safe and secure environment. But in this day and age, there is only so much they can do. The real burden of security — physical and cyber — is on the shoulders of individuals. This is how it should be, because security works best when it is a personal responsibility.

Take time to talk with your teams (exhibitor or attendee) about security best practices. The pre-meeting is a great time to brief your teams on security practices or invite someone to speak to them. You should also have a cyber-security response plan for the conference that includes who to speak to, what to do if there is a threat, and how to report information to the conference coordinators so that multiple incidents can be correlated and viewed through a broader lens.

The reality is that life has changed.

The simulation outlined in the opening of this article was simply that — a planning simulation for a real-world attack. The emphasis is on real-world attack planning. The only thing that kept us from carrying out that simulation is that we fight for good, but there are plenty of others out there who don’t — we call them the bad guys.

John Gomez is CEO of Sensato of Asbury Park, NJ.

Readers Write: Telehealth: Ready for Prime Time

March 11, 2015 Readers Write No Comments

Telehealth: Ready for Prime Time
By Jonathan Leviss, MD


Telephone rings. “Hello?” answers Sonia, age 73 with heart failure and living at home.

“Hello, Sonia. It’s Linda, your telehealth nurse. I received an alert that you gained two pounds a day for the last three days.” Further assessment reveals that over the last few days Sonia has eaten more salt than usual and has leg edema. Linda prescribes furosemide under protocol, educates Sonia about her diet, establishes a plan of care, and sends a report to Sonia’s cardiologist.

Why is Sonia’s tale becoming more common? Accountable care organizations (ACOs), patient-centered medical homes (PCMHs), and other models of value-based care and bundled payments require reducing readmissions, addressing problems before they require more expensive interventions, and reducing high cost utilization. Telehealth is now a proven solution for all three.

Telehealth means robust, real-time patient management solutions including remote patient monitoring of blood pressure and glucose; self-reported symptoms and medication compliance; live video visits with clinicians and health coaches; alerts for risks of clinical compromise; the ability to organize actionable information into dashboards or into a provider’s EHR; and the power of analytics to predictably detect problems earlier and develop new treatment approaches.
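The alert that opens Sonia’s story is a plain rule evaluated over daily remote-monitoring readings: a weight gain of at least two pounds on each of the last three days. The block below is an added illustration of that kind of rule, not AMC Health’s code or the program the article describes. The 2 lb/day threshold and the three-day streak follow the vignette; the treatment of a missed reading as “insufficient data” rather than as a silent “ok”, and the function names, are assumptions of this example.

```python
"""Daily-weight telemonitoring alert rule (added illustration, not AMC Health's code).

The rule fires when the day-over-day weight gain is at least GAIN_PER_DAY_LB on
each of the last CONSECUTIVE_DAYS days, which needs CONSECUTIVE_DAYS + 1 readings
on consecutive calendar days. A missing day breaks the chain and is reported as
'insufficient_data' so that a gap in monitoring is never mistaken for a healthy trend.
"""
from datetime import date, timedelta

GAIN_PER_DAY_LB = 2.0   # assumed threshold, taken from the vignette
CONSECUTIVE_DAYS = 3    # assumed streak length, taken from the vignette

# Constructed sample readings (date -> pounds); not real patient data.
SAMPLE_READINGS = {
    date(2015, 3, 1): 150.0,
    date(2015, 3, 2): 152.1,
    date(2015, 3, 3): 154.3,
    date(2015, 3, 4): 156.5,
}


def weight_gain_alert(readings, as_of, gain_lb=GAIN_PER_DAY_LB, days=CONSECUTIVE_DAYS):
    """Evaluate the rule for the window ending on `as_of`.

    readings: dict mapping datetime.date -> weight in pounds (one reading per day).
    Returns (status, detail): status is 'alert', 'ok' or 'insufficient_data';
    detail carries the daily gains or the list of missing days for the audit trail.
    """
    # Calendar days needed, oldest first: days + 1 readings for `days` comparisons.
    needed = [as_of - timedelta(days=i) for i in range(days, -1, -1)]
    missing = [d for d in needed if d not in readings]
    if missing:
        return "insufficient_data", {"missing_days": [d.isoformat() for d in missing]}
    # Round so that floating-point noise (151.1 - 149.0 = 2.0999...) cannot flip the comparison.
    gains = [round(readings[b] - readings[a], 2) for a, b in zip(needed, needed[1:])]
    if all(g >= gain_lb for g in gains):
        return "alert", {"daily_gains_lb": gains}
    return "ok", {"daily_gains_lb": gains}


def scan_series(readings, gain_lb=GAIN_PER_DAY_LB, days=CONSECUTIVE_DAYS):
    """Run the rule for every reading date and return the dates on which it fires.

    Early dates have too little history and evaluate to 'insufficient_data', so the
    alert appears only once a full streak has been observed.
    """
    return [d for d in sorted(readings)
            if weight_gain_alert(readings, d, gain_lb, days)[0] == "alert"]


if __name__ == "__main__":
    status, detail = weight_gain_alert(SAMPLE_READINGS, max(SAMPLE_READINGS))
    print(status, detail)              # alert {'daily_gains_lb': [2.1, 2.2, 2.2]}
    print(scan_series(SAMPLE_READINGS))  # [datetime.date(2015, 3, 4)]
```

The value of the explicit `insufficient_data` outcome is that a telehealth nurse can distinguish “no alert because the patient is stable” from “no alert because the scale was not used”, which are very different follow-up calls.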

These real-time tools connect patients to the right care in the right place at the right time, and most commonly, that connection occurs in the patient’s own home. Not only does this save provider, payer, and patient resources, it’s most convenient for the patient and often most effective.

The effectiveness of telehealth is no longer a matter of speculation. There is a growing body of rigorous research published in peer-reviewed journals that validates these benefits, including the following findings from AMC Health programs. This sampling of peer-reviewed studies demonstrates the significant value that evidence-based telehealth programs provide across care settings, disease states and patient populations.

  • Medical Care, January 2012. Geisinger Health Plan reduced all-cause 30-day hospital readmissions for high-risk patients by 20 percent by adding interactive voice response calls to their care management outreach.
  • Journal of Managed Care Medicine, November 2012. New York City Health & Hospitals Corporation combined personalized case management and real-time patient management solutions to enable Medicaid patients with poorly controlled Type 2 diabetes to reduce HbA1c levels by a mean of 1.8 points.
  • Journal of The American Medical Association, July 2013. When Health Partners of Minnesota added telehealth and pharmacist management to their usual care for hypertension, 71.2 percent of the patients participating in the program had their blood pressure well-controlled after 12 months versus 52.8 percent of the control group.
  • Population Health Management, December 2014. Geisinger Health Plan significantly reduced hospital readmissions and cost of care for patients with heart failure. For every $1 spent to implement this program, GHP saved about $3.30, which translated to 11 percent per patient per month between 2008 and 2012.

As the healthcare market continues its transition to value-based care, this compelling evidence combined with exciting new technologies that expand how patients can engage in care virtually is fueling demand for customized telehealth programs ranging from full turnkey programs to the ability to seamlessly augment existing care management resources. To facilitate the adoption of telehealth, legislative and regulatory barriers are also being addressed:

  • The Tele-Med Act of 2013 (H.R. 3077), introduced to the House in September 2013, amends title XVIII of the Social Security Act to permit certain Medicare providers licensed in a state to deliver telemedicine services to Medicare beneficiaries in a different state.
  • The companion Telehealth Modernization Act of 2013 (H.R. 3750), introduced to the House in December 2013, calls for states to authorize health care professionals to deliver healthcare to individuals through telehealth.
  • The US Department of Veterans Affairs (VA) regularly offers telehealth services to qualifying veterans. In the just-ended federal fiscal year 2014, the VA’s national telehealth programs served more than 690,000 veterans and accounted for more than 2 million virtual visits.
  • The ACO Improvement Act (H.R. 5558) introduced on September 22, 2014, would permit ACOs to use remote patient monitoring and store-and-forward technology that delivers images to remote providers. The bill also strives to improve care coordination by improving the process through which data are shared between ACOs and the Medicare administration.

Not having visibility into a patient’s condition in real time when the patient is at home and outside of a clinical setting is like a chef overseeing a kitchen, but not being able to view the prep line. In the era of accountable care and pay for performance, the primary objective for patients with chronic conditions is to keep them healthy with fewer high-cost visits to the hospital or other clinical settings. Therefore, gaining at-home visibility is critical.

By incorporating proven telehealth services as part of a well-designed care plan, the entire care team can work with a patient to manage a chronic condition between clinician visits, altering treatments or creating early interventions to keep a patient healthier and reduce the spiraling cost of care.

As healthcare reform continues to drive providers to share risk and deliver greater value, understanding what is happening with their patients with chronic conditions outside the clinical setting is no longer a nice-to-have. It’s a must-have. It’s time for telehealth to go mainstream.

Jonathan Leviss, MD is SVP/medical director of AMC Health; staff physician at Thundermist Health Center; and assistant clinical professor of health services, policy, and practice at Brown University School of Public Health.

Readers Write: The Pursuit of Health Optimization

March 11, 2015 Readers Write No Comments

The Pursuit of Health Optimization
By Jeff Margolis


For over 30 years I have been burdened with Crohn’s disease, a serious and currently incurable illness. It may seem ironic that I am on a crusade to enable all the “mostly healthy” people to achieve their highest possible health status at the lowest possible cost. After all, a number of excellent physicians, nurses, hospital staff, and technicians of all varieties performed skillfully in the US “sickcare” system with surgical and medical interventions that kept me alive.

These expensive interventions, which were largely paid for by my health insurance plan, would have otherwise financially disrupted me and my family. Let me be clear in saying that I am not ungrateful for the currently inefficient sickcare system nor do I have anything less than admiration for the efforts and capabilities of the medical professionals who comprise it. And yes, I am in a small minority that fully understands the critical role of our health insurance plans in weaving together the incredibly complex fabric of access and economics for our population.

I would be unequivocally grateful for a highly efficient and holistic “healthcare” system, whereby a cultural norm of admiration and rewards for each of us being skilled healthcare consumers would co-exist in a complementary way alongside our skilled medical professionals. After all, most of us in the population are healthy most of the time. In other words, except for the sickest of us who cannot care for ourselves at all at points in time, we have the opportunity to make choices and take actions every day that affect our health status and costs.

Our society has developed the cultural norm of seeking professional medical assistance when we become sick. How do you argue that such behavior is not rational? We start that behavior when we are young, throughout adulthood, and into our last days.

Let’s play this out in contrast a bit. When we are young and hungry, we typically rely on an adult to cook for us and feed us. Likewise, when we are children most of us (unfortunately not all) receive unconditional love whether or not our actions are deserving. Somehow, as we get older, we take responsibility for feeding ourselves when we’re hungry and we learn that loving relationships require effort to maintain. We generally learn to navigate abundant consumer options in order to get nourishment – ranging from five-star restaurants to growing our own food. We also pursue multiple pathways to personal relationships.

So, who decided that we should not be responsible, either individually or as a population, for the status of our health? And when was it decided that the way in which our actions impact our controllable health factors and costs was not our responsibility?

We have a challenge to solve in the affordability of healthcare and a huge opportunity to have a healthier population. Let’s begin by embracing the incredible array of consumer-facing resources that each of us healthcare consumers can wield — whether on our own or in coordination with our doctors and health plans. These resources, propelled by the digital age, include education and content about health benefits and care; methods of connecting to other consumers with common issues; wearable and carry-able devices that give us anytime access to capture and share health-related data; programs that increase our levels of fitness, nutritional, and physical well-being; programs that help us manage our known health challenges; methods that understand our motivations and lower our likelihood of developing depression or malaise; and capabilities to incentivize and reward us to do the right things.

The challenge is (and has been) that these types of consumer-facing resources are 1) fragmented into thousands of partial solutions; 2) constantly being innovated and updated in the marketplace; 3) disconnected from the way the current sickcare system operates; and 4) not contextually attached to any meaningful intrinsic or economic benefits for the healthcare consumer.

Stated another way, the well-intended ecosystem of things that consumers can do to achieve their highest health status at the lowest possible cost exists in a state of confusion and chaos for the healthcare consumer. Further, the consumer is not incented or rewarded (i.e., paid for performance) to be skillful in matters of their own health, in contrast to the medical professionals to whom we turn.

The promise of health optimization platforms is both practical and staggering in its enormity. Think of it this way: If we place such a platform and its capabilities alongside the existing sickcare system (which remains essential for the aspect of our health that we cannot control as consumers), then we get a new kind of mathematical equation in the US healthcare system. One where the sum of the parts becomes less than the whole – with that whole being the current three trillion dollar cost of US healthcare spend.

Jeff Margolis is chairman and CEO of Welltok of Denver, CO.

Readers Write: Understanding the Importance of Prioritizing e-Prescribing

March 4, 2015 Readers Write 1 Comment

Understanding the Importance of Prioritizing e-Prescribing
By Louis Hyman


As the industry awaits confirmation of a compliance deadline delay for the New York State e-prescribing mandate—which will require electronic prescribing of controlled and non-controlled substances—it’s important that providers don’t delay their preparation efforts, as this process can be time- and resource-consuming.

Under provisions of the New York State e-prescribing mandate and subsequent regulations (such as amendments to Title 10 NYCRR Part 80 Rules and Regulations), all prescriptions in the state must be transmitted electronically by authorized prescribers unless an exception exists. However, as many providers are struggling to meet compliance by the original March 27, 2015 deadline due to a myriad of challenges beyond their control, the New York legislature is working to pass a law to delay implementation of the mandate to March 27, 2016.

No matter the timing of the deadline, this mandate will be a game-changer for how providers share prescription information, and they should be aware that other states are closely watching New York’s rollout, with several already considering following suit.

The scope is intensified because the law covers both controlled and non-controlled medications and applies to all providers in New York State, including long-term and post-acute care organizations (LTPACs) and senior living facilities. Providers must start transitioning to the new requirement now to avoid significant penalties including fines, imprisonment, and/or professional license suspension or revocation.

As such, providers must make e-prescribing a priority in the midst of other major industry initiatives such as ICD-10 and Meaningful Use. However, e-prescribing easily can be incorporated into these efforts if organizations are already leveraging technology and staff training in their preparation.

To comply with the new mandate, healthcare organizations first must fully comprehend its scope. They need to look at its impact on provider, practice, and facility workflows, as well as how it ultimately affects patient or resident care. The following four best practices can help healthcare organizations engage providers and create a smoother transition:

  1. Generate physician awareness of the implications. Regardless of the care venue, it’s important to meet with physicians to raise their level of awareness and engage them in understanding the law’s full scope. Providers need to be clear on what is expected from them within the new e-prescribing workflows, just as they adapted workflows for EHR implementations to meet Meaningful Use requirements. Building physician awareness is even more critical among those organizations that have not yet implemented an EHR and may therefore require standalone computerized order entry or electronic prescribing technology. These providers may not be accustomed to any form of e-prescribing.
  2. Evaluate the workflows of all clinicians involved in the traditional prescribing process. This step is especially important in regard to the complex workflows in hospitals, skilled nursing facilities, and other senior living care settings. Because the law applies to both controlled and non-controlled medications and does not allow physicians to delegate the final steps within the prescribing process, four basic workflows need to be reviewed to understand how they will be impacted by e-prescribing. These workflows include: orders generated in-house for controlled medications, orders generated in-house for non-controlled medications, orders generated upon discharge for controlled medications, and orders generated upon discharge for non-controlled medications. Additionally, providers should examine specific workflows for nurses, physicians, and other clinicians. For instance, because telephone orders will no longer be accepted, healthcare organizations need to plan for physician availability during off hours and periods of high admission and discharge volumes.
  3. Engage caregivers in decisions. Because caregivers are key stakeholders, they should be included in the workflow evaluation to gain accurate insight into the overall impact of e-prescribing. It’s important for organizations to involve these individuals in any technology selection as well to ensure the appropriate tools are in place to support necessary workflows. As part of the selection process, engage caregivers in active testing of how their workflows are accommodated on a day-to-day basis. Beyond supporting workflows, healthcare organizations also should confirm the selected technology performs on a variety of platforms used by caregivers – such as tablets, smartphones, laptops, and PCs, as the physician may not always be on site.
  4. Train and practice e-prescribing. With workflows and technology in place, it’s now time to employ a robust training program to support efficiency and compliance by all caregivers. Providers should begin actively practicing e-prescribing as soon as possible to identify and resolve any issues prior to the compliance date.

Even with the possible New York State e-prescribing mandate deadline delay to March 27, 2016, New York providers need to make e-prescribing a priority. By focusing now on an e-prescribing strategy, healthcare organizations and providers across all care settings – including LTPACs and senior living providers – can realize the benefits to medication management and patient/resident safety while also maintaining compliance.

Louis Hyman is chief technology officer for SigmaCare.

Readers Write: Want to Read the Briefs in the Epic vs. Tata Consulting Case? That’ll Cost $0.10 Per Page (Unless We Do Something About It)

February 25, 2015 Readers Write 6 Comments

Want to Read the Briefs in the Epic vs. Tata Consulting Case? That’ll Cost $0.10 Per Page (Unless We Do Something About It)
By Reluctant Epic User

As Americans, we tend to assume that we have the most open and transparent courts in the world. Unfortunately, that probably isn’t the case. The reality is that all of the public documents filed in a court case are locked behind the world’s largest paywall, including the Epic Systems vs. Tata Consultancy Services Limited case.

It doesn’t have to be this way. The courts give every person in America $15 per quarter in free downloads. The Free The Law project has created a clever workaround which places these documents in the public domain.

Five of 82 documents in the Epic vs. Tata case are available to the public. You can increase that number. Follow these steps:

  1. Install the “RECAP the law” Firefox Extension.
  2. Open a PACER account as a view user (credit card required).
  3. Once you have an account open, go to the Western Wisconsin Court District site and log in.
  4. Click Query and enter 3:14-cv-00748 in the case number field.
  5. Click Docket Report, accept the default values, click run.
  6. Click on one of the document # hyperlinks which doesn’t have a “RECAP the law” logo by it (examples in green boxes).
  7. Read the document if you’re interested. If you aren’t, click back and find another one. At most, a document will cost $3.00. Therefore, don’t open more than four documents and you’ll stay under the $15 free limit.

Some of you may be wondering, why do this? To date, documents like Epic’s Standard Consulting Agreement (circa 2005) have been unavailable to the general public. The case offers us the chance to get a glimpse behind Epic’s veil of secrecy, something any HIT observer should happily support.

Since this will be an ongoing case, we’ll need people to regularly contribute. If you comment on this post, you’ll be updated on an ongoing basis as we gather all the documents we need.

Readers Write: Working Around Health IT: The Nurse, the Workaround, and the Question You Need to Ask

February 25, 2015 Readers Write 4 Comments

Working Around Health IT: The Nurse, the Workaround, and the Question You Need to Ask
By JoAnne Scalise, MSN, BSN, RN


Are nurses just BAD? (That’s not the question.)

Why are they so adamant about working around health information technology (HIT)? Is it to give the CIO chest pain? Annoy the IS people? Give their nurse leader heartburn?

How can a simple process — do this, then do this (perhaps multiplied a few or many more times) — turn into a spin with the Mad Hatter (teacup optional)?

It would be easy to leave it that “nurses don’t follow directions,” “nurses are difficult to deal with,” or my personal favorite, “nurses don’t like change” (of course, everyone else likes change!). Those crazy nurses are still wearing disco-era bellbottoms and a mullet. And if you are, that’s ok – it works for you. With 55 percent of the RN workforce at age 50+ (from a 2013 survey reported by the National Council of State Boards of Nursing and The Forum of State Nursing Workforce Centers), that may have been some of the best of times.

But what about making right now better? So much HIT is intended to make life better: for patients, for healthcare systems, and yes, for those crazy nurses. Better, as in efficient and safer for everyone – and in getting paid so we can take care of people tomorrow.

Even knowing that, why do nurses choose to work around the very things that could save their patient, their colleagues, their organization – and themselves? Why does an expert nurse scan a contraband wristband or label instead of the one on the patient for medication administration or specimen collection? Why circumvent the EHR when guidelines for use have been given? Why take that patient (and personal and professional) risk?

This is the opening of dialogue. Not to defend what many call “the bad apple,” “the bad actor,” or those who just act “bad,” as in, “I don’t care about people” people. I’m not talking about nurses or specific roles. I’m referring to those outliers who are clear that they don’t care about patient safety or care, their colleagues, or healthcare. Those people are the rarest of the rare because they don’t last long in our system – we can’t tolerate bad apples or bad care. Bad is about behavior and not the person.

As a perennial patient safety student, I know that the professionals who have chosen to be entrusted with providing care to every one of us who enters the healthcare system do not take their responsibility lightly. As a nurse, I know (as do my clinician colleagues) that we have chosen wisely. Our responsibilities to our patients and to the healthcare system are our primary motivators. Care excellence is the goal we must fulfill in every patient encounter every day. Safety never sleeps.

Why then, the confounding issue of the workaround?

I have been fortunate to work with nurses around the country to help them keep their patients and themselves safe. I have had other departmental staff stand up and point their fingers at me and ask, “How are you going to make these nurses BEHAVE?” And this is with nurses in the room. On occasion, I even get the same question from the nurse leaders. Laboratorians, CIOs, and patient safety and quality professionals have other direct questions on the same topic. I’ve even been invited to speak to groups of lab leaders on “how to communicate with the nursing suite.” When presenting on the topic in national forums, the topic is often addressed in hushed tones by nursing and other leaders who share that the workaround is an “epidemic.”

Indeed, the workaround is a real and persistent danger and with exponential significance: the possible patient safety breach, the trust eroded for collaboration and communication, and the financial loss from the wasting of resources of the healthcare organization.

Health information technology spending was projected to top $6.8 billion in 2014, with individual hospitals and healthcare systems spending millions annually. Not using the purchased technology causes challenges in safety, in culture and process, in data collection and analysis, and in budgets. When enough end users simply “end it” and stop using the technology, the technology can end for that organization. With that end comes significant loss.

At the same time, some organizations decide to not engage the nurse or other end user for a variety of reasons, often because of time for conflict (“we can’t get caught up in nursing demands — they’re going to have to do it.”) I’ve been in meetings where the issue came up of end users (who were not represented or in attendance) and the statement was made, “We’re just going to ram it down their throats.” Tough love, but probably not so effective in the long run. Fortunately, they were eventually receptive to the benefits of end user inclusion and engagement in the decision process, with a very positive outcome.

When nurse and hospital leaders ask me, “What is the most important lesson you’ve learned about adoption?” I tell them that the most important lesson may seem to be a simple one. Engage your end users. You must engage them as you decide that you have an issue to solve. You must engage them before any technology decision is made. If you don’t, they will use the only opportunity that they have to influence this decision – and that is not to use it.

Some technology doesn’t make life easier. Not all technology is the best it can be. We all need to help make these products better through objective feedback and end user engagement in the decision process and ongoing use.

I believe we can support clinicians in moving from compliance to commitment, and not just in technology. I’ve developed a MAP (mindful leadership, authentic communication, personal accountability) to help you do just that so we can do less “around” and more “work.”

I’ll leave you today with what I think is the best question for responding to a workaround. So many times we ask, “Why won’t you do this?” The question implies resistance, and depending on how we say it, frustration and even accusation. The answers may tend to be defensive and deflect the true reason.

Ask instead, “Why can’t you do this?” You will get thoughtful and real answers that may benefit your practice and eventually improve the technology. And the work.

Let’s continue the conversation on how we can work through the workaround. I’ll bring my MAP.

JoAnne Scalise MS-Patient Safety Leadership, RN is the manager of nurse consulting for Sunquest Information Systems.

Readers Write: Big Data / Shmig Data

February 20, 2015 Readers Write 4 Comments

Big Data / Shmig Data: Thoughtflow 2015 and the Coming Age of Incessant Data
By Samuel R. Bierstock, MD, BSEE


In the years following the Institute of Medicine’s “Crossing the Quality Chasm,” there was widespread acknowledgement that we could do a better job in caring for our patients and a shared belief that the path to accomplishing that task lay in the adoption of clinical information systems. That idea was great, but actual attainment of the goal was hindered by the failure of vendors and designers of electronic clinical information systems to understand the full vantage point of their target end users. Clinicians simply resisted the structured workflows that designers assumed would make for acceptance. There followed more than a decade of physician resistance, dismal adoption rates, and billions of dollars spent in implementation efforts to encourage clinician utilization of EHRs.

It was not the long anticipation of the attrition of aging computer-resistant retiring physicians, nor was it their replacement by tech-savvy young doctors that caused the uptick in the number of clinicians using electronic health records (EHRs). It took the good-old US government and the mandates of Meaningful Use to do that.

Unfortunately, neither can the increased adoption of EHRs by physicians be attributed to a better job in the design of clinical workflow processes by vendors. In fact, if anything, the financial pressures on hospitals fearing loss of Meaningful Use dollars and associated penalties resulted in pressure being exerted on physicians to use whatever hospital EHR systems were in place in spite of negative impact on clinical efficiencies and the ability of physicians to get their work done. As a result, we embarked upon and remain in a period of administrative / medical staff friction wherein hospital administrators need their medical staffs to be using their EHRs while many physicians feel impeded in simply getting their work done and view hospital pressure as purely financially motivated.

In 2003, I first described what I felt was the missing essential ingredient to physician adoption of EHRs. The widely heralded and sought-after workflow support was not the answer. Workflow is a mechanical approach to a goal or task – “do this, then do that” and “click here, then click there.” It seemed clear to me that what needed to be supported was not workflow, but Thoughtflow, a concept I defined as the process by which a clinician identifies, accesses, prioritizes, and acts upon data and information.

In 2006, my article entitled “Thoughtflow — The Essential Ingredient for Physician Adoption of Implemented Technologies: Why Clinicians Have Still Not Adopted Clinical Technology and Where Vendors and Clinical Leadership have had it All Wrong” received a very widespread and supportive response. While a great many changes in EHR design could have helped support Thoughtflow, they were slow in coming and for the most part inadequately based on a true understanding of what it is like to practice medicine. A decade later, they remain essentially missing.

Are more physicians using EHRs today? Yes. Do they find that EHRs make their lives easier or their professional work more efficient? Clearly, no.

Emergency rooms represent the ultimate environment for needed efficiencies in the delivery of care. Emergency rooms with EHRs in use see an average 35 to 40 percent drop in physician efficiency and up to a 40 percent increase in the number of patients who leave without being seen due to long waiting room times.

The 2013 KLAS report showed that the largest EHR hospital vendor is consistently rated in last place on virtually all parameters of clinical efficiency by physician users.

While I think it can be said that vendors have failed to recognize the need to support Thoughtflow and to build in creative feature functionality to truly support the way clinicians think and act, in fairness it must be pointed out that technologies essential to success in this regard have simply not been available. Today however, they are.

  • Voice recognition software has steadily improved with respect to both accuracy and reliability.
  • Language processing tied to vocabulary standards and ICD-9 / 10 coding and increasingly accurate optical character recognition allow for ever-improving accurate extraction of structured data from unstructured data in a variety of formats (dictated notes, PDF documents, etc.)
  • Increasingly maturing clinical decision support systems that are integrated into clinical documentation systems can be linked directly to order sets and treatment protocols – effectively presenting clinicians with what they need to choose from, refine, and work from.

In short, the technology exists to anticipate the needs of the clinician quite literally from the spoken word to suggested action. Coupled with innovative and creative designs, capabilities such as these can minimize the age-old pariahs of EHRs — the number of required clicks and the amount of multiple-screen navigation required to accomplish both simple and complex tasks.

Aside from these issues regarding EHRs, it is obvious that the healthcare industry is about to be revolutionized by wearable, implantable, and digestible devices resultant from the exponentially explosive micro and nanotechnology world. Literally, devices appear every six months that were inconceivable only six months previously. Examples are too numerous to list, but consider Intelligent pill bottles that report if medication has been taken, watches that can produce a full six-lead EKG from one point of contact with the skin, shirts and vests that measure and report the amount of fluid in the lungs, cell phone apps that create and display ultrasound images and even X-rays, necklaces and bracelets that report sleep and ambulatory patterns, vital signs, falls, position — and on and on. The vast majority of these are applicable to ambulatory people, the elderly requiring remote monitoring for hypertension, cardiovascular disease, and diabetes.

Hospitals need this data to mitigate the risk of readmission. HIEs, ACOs, and population management entities need this data for trend analysis, quality of care assessment, and predictive analytics. Clinicians need this data to track their patients’ progress and intervene as required.

The concept of big data is about to appear minuscule compared to the barrage of data we are about to be capable of capturing. We are not talking about big data. We are talking about incessant data.

The data must be delivered in a way that enhances care by those responsible. The last thing an internist wants is 24-7 data pouring in with the blood sugar levels of all of his or her diabetic patients. The data is going to have to be in a standardized format and integrated with the EHR in use in such a fashion that it is properly absorbed into the patient record, run through appropriate knowledge engine algorithms, and delivered in a useful form only when caregiver awareness is essential or an action is required. It must support Thoughtflow so that it can be efficiently applied to and enhance workflow patterns — not congest them and thereby diminish efficiencies and make clinicians’ lives harder in getting their work done.

There is also the additional data to consider that is going to hit servers as we get better and better at extracting structured data from unstructured data (PDF documents, dictated documents, free text documentation, and eventually handwritten notes).

And let’s not forget the data coming from the increasingly popular use of micro- and nano-technological wearable devices used by the healthy and sports-minded population. Most or all of this data is on the servers of the companies selling heart monitoring watches, intelligent sneakers, devices that count steps, report posture, and record sleep and wake patterns. Eventually I believe this data will be important to population managers in retrospect, in real time and for predictive analytics, and also available to clinicians in the same manner and with the same challenges accompanying data related to active disease and health problems.

All of this data has to be delivered in a way that enhances Thoughtflow or it will become a barrage of information to be sorted through and further compromise the efficiencies of caregivers, care delivery entities, quality assessors, payers, and analytic models.

As monolithic, stagnant EHRs that dominate the healthcare market remain encased in mechanical workflows, innovative EHRs will have to maximally utilize evolving technologies to support clinical Thoughtflow if we are going to be able to derive maximal benefit from the coming exponentially explosive amount of incessant data.

Sam Bierstock, MD, BSEE is the founder of Champions in Healthcare. The term “Thoughtflow” as applied in healthcare is a registered trademark with all rights for commercial use reserved by the owner.

Readers Write: Becoming an Influencer in the HIT Industry

February 13, 2015 Readers Write 3 Comments

Becoming an Influencer in the HIT Industry
By Frank Myeroff


With all the noise out there, you have to call attention to yourself and be known for something if you want to stand out. In other words, you need to brand yourself within the healthcare IT industry to become known as an “influencer”.

An influencer is an individual who has above-average impact on a specific niche process. An influencer is a person who is well connected and who is regarded as influential and in-the-know; someone who can give advice, direction, knowledge, and opinions about that niche.

Here’s how to get started:

  1. Find a specific niche. Focus on a specific topic within healthcare IT and be perceived as the “go-to person” for that topic. Also, try to go deeper within a niche. Can you specialize even more? Conquer one area completely and you will find that your audience will come to you. For example, you can become well known for the ability to disseminate government HIT initiatives or even international HIT news stories.
  2. Invest 10,000 hours. In his book “Outliers”, Malcolm Gladwell says that you need 10,000 hours to get good at anything. Has healthcare IT engrossed you over the last decade to the point that you’ve invested 10,000 hours in becoming better?
  3. Get in front with social media. In today’s world, social media is dominating, so it’s a good idea to use your name as a brand and promote it well. To be successful, you must build your brand using Twitter, Facebook, and LinkedIn.
  4. Create a LinkedIn Group. This is a great way to engage like-minded professionals and attract new members and connections. LinkedIn Group discussions should be topical and timely and should surface answers to burning questions.
  5. Start blogging. Write blogs that people find different, useful, and informational. As part of blogging, make a video or record a podcast. Also, think about how to be a guest blogger on other relevant blog sites. Be creative. Your goal is to provide meaningful content that will resonate with your specific audience.
  6. Accept speaking engagements. If you’re comfortable in front of an audience and have the ability to be an interesting presenter, hit the speaker circuit. Trade shows such as HIMSS or other HIT business forums and summits usually have a call for speakers about a year in advance of the event. Make sure you provide a unique, timely, and interesting topic to be considered. In addition, offer to be interviewed by hospitals and healthcare IT publications. These can be of benefit by showing your credibility when vying for a speaking engagement.
  7. Send press releases. Sending good content in a press release format can be powerful and will give you high visibility especially if sent through a distribution service such as PR Web. A PR Web press release can help you get reach and publicity on the Web and across social media. As a result, your press will be seen by a large number of journalists with HIT publications as well as provide SEO for your website or blog.
  8. Create and run a seminar or webinar. Recently our marketing department attended a luncheon and seminar hosted by a trade show display house. The presentation was all about the hottest trends in the trade show industry. They did not try to sell us anything. Instead, they positioned themselves as the go-to people or thought leaders for the trade show industry. As a result, we trusted their knowledge and purchased a pop-up banner for our upcoming HIT shows, events, and summits.
  9. Help others succeed. For each action, look for ways to partner and co-brand with other experts. There’s power in numbers. Also, when you gain the respect of other experts, you get the benefit of being referred to their contacts. For example, we know of an RN who is considered an influencer because he spends time helping other RNs to understand health policy, procedures, and technology. The information he provides is tried and true. The RNs trust his information, and in turn, they give him a louder and stronger voice. In other words, they have become his brand advocates.
  10. Be available. The more you get yourself out there, the more you increase your chances of being recognized and asked for your expert opinion. Make sure you’re easy to find. Always give publications, journalists, and prospective customers your contact information and let them know that you will make yourself available to them at their convenience.

Building your own personal brand and becoming an Influencer takes time and dedication. But if you establish yourself strongly in the HIT industry, in time you will be a sought-after resource and derive the visibility and long-lasting relationships you desire.

Frank Myeroff is president of Direct Consulting Associates of Cleveland, OH.

Readers Write: A Healthcare Tale of Two Continents

February 13, 2015 Readers Write No Comments

A Healthcare Tale of Two Continents
By Ted Reynolds


An interesting byproduct of growing up American is that we tend to view everything from one perspective – our own. That’s not surprising given our standing in the world and the influence our culture seemingly has.

Over the last year, I had the unique opportunity to work on a significant electronic medical record (EMR) implementation in Europe that forced me to look beyond my singular, American view. What a revelation! During my time working on this engagement, I learned to view healthcare differently and gained knowledge that has proven invaluable to my ongoing work stateside.

While there are some similarities, there are also striking differences in how the US and Europeans approach and deliver healthcare. I thought it might be interesting to compare and contrast these approaches so you can benefit as well from my journey across the pond.

Let’s start with the similarities. My main observation is that change is certain and swift in both the US and Europe. The status quo on both sides is giving way to new ways of thinking, partly driven by technology.

We have greater access to larger amounts of data today, and as a result, the unprecedented opportunity to improve care and outcomes while reducing costs. With healthcare costs continuing to climb in the US and economic recovery slow worldwide, we simply cannot afford to continue with the old models of care delivery.

My experience working in Europe gave me a unique “outside looking in” perspective on American healthcare.

For instance, the big US EMR wave has passed. According to the December 2014 HIMSS Level 7 survey, nearly two-thirds of hospitals now have computerized provider order entry (CPOE) and an EMR implemented. In this area, the US is well ahead of our European counterparts, so we have more patient data than ever before.

However, many organizations have yet to recognize the promised results out of these systems despite significant investment. The focus for US healthcare today has turned towards reducing costs, improving quality through performance improvement and optimization efforts, and making better use of the available data through analytics.

Another US trend is increased merger, acquisition, and affiliation activity among providers. I believe this will most probably affect the one-third of organizations that have not yet implemented new EMR technology. They will likely seek to join with (or at least establish an extended EMR relationship with) stable organizations in order to remain competitive and control costs. IT issues surrounding these new arrangements are enormous. Among the top concerns we’ve seen in these arrangements are the initial loss of control and resulting service levels from the hosting organization.

Finally, call it what you will — accountable care, population health, value-based care, pay-for-performance, etc. — rising healthcare premiums and deductibles will continue to drive the migration from fee-for-volume to fee-for-value. This change will have substantial IT implications – some known, others yet to be seen. Some of the most visible are:

  • Health information exchanges (HIEs) or other forms of data interchange between disparate systems will no longer be a “nice to have.” The downside of our EMR implementation wave is that we now realize the problems associated with absence of real data interchange. This issue must be addressed if we are to recognize the full potential of electronic data.
  • Data analytics become essential. The healthcare industry must unravel the data to information to knowledge to real action transformation in order to demonstrate value. Data analytics will help hospitals and health systems better understand and apply best practices to enable care standardization among providers – a key step necessary to thrive in a landscape heavy on bundled payments and other shared risk plans.
  • Revenue cycle technology replacement and optimization will become an increasing priority as many were originally implemented in reaction to Y2K. These outdated systems cannot adapt to the variations and requirements that new risk-based contracts bring and must be upgraded to new, more flexible systems.

Conversely, the EMR wave in Europe has just begun.

Several large American integrated vendors are starting to work their way across the pond and into new markets. It will be interesting to see if they take some of the lessons learned in the US market (especially around interoperability) and apply them there.

Some of these transitions may be eased in a socialized medicine environment, which has one reimbursement model for an entire country – as opposed to the large variety of complex reimbursement models in the US. A single reimbursement model has the opportunity to significantly streamline billing.

Although the revenue cycle and financial applications in Europe vary greatly from those here in the US, the clinical workflows are very similar. On one of the large EMR implementations I worked on in Europe, the hospital used 90 percent of the American vendor’s clinical model workflows as-is.

On the other hand, Europe’s procurement cycle is extremely long, similar to that of US federal and state organizations. Given the rapid pace of change in healthcare today, I would expect to see Europeans accelerate that process over time.

Many European countries are ahead of the US in establishing national health identifiers and national provider registries. This puts them in a much better position to share data about patients across providers. They are also doing a better job of delivering high quality outcomes at lower costs.

Finally, due to the size of the various national markets, you do not see the proliferation of large, homegrown software vendors as observed in the US. This has made these countries targets for established American EMR vendors such as Cerner and Epic.

My takeaway from my time working in the European healthcare market and the opportunity to attain an “outside looking in” perspective on the US market is quite simple. We both have much to learn and can learn a lot from each other.

Ted Reynolds is senior vice-president of CTG and is responsible for CTG Health Solutions.

Readers Write: Patient Discipline, Or is it Simply Willpower?

February 11, 2015 Readers Write 6 Comments

Patient Discipline, Or is it Simply Willpower?
By Helen Figge


The dust seems to be settling a bit these days, with overwhelming sighs of relief about the redefining of MU2, ICD-10 continuing the saga onward but slower, and the unending chatter about the patient portal and how we need to get patients to use it in order to reap the benefits of the various regulations and mandates in place forcing doctors and caregivers alike to make us all healthier. Couple that with our worries about whether, once we have the collected data, we are then able to analyze the data in a way that actually benefits the end user – you and me – the healthcare consumer. Just as worrisome is the safety of the data and its security.

The quandary in all of this at times is that we are still a very sickly society. More than one-third of US adults are obese. Obesity-related conditions include heart disease, stroke, type 2 diabetes, and certain types of cancer, which are some of the leading causes of preventable death. The estimated annual medical cost of obesity in 2008 was $147 billion, while the medical costs for people who are obese are about $1,429 higher than those of people of normal weight.

Surely we have many of the technologies in place to help counteract these serious statistics — various forms of health information technology solutions that actually can assist clinicians to take better care of their patients. The technology is in place, now we need to best utilize it, right?

One term that continues to be repeated is patient engagement — engaging the patient to care, which is deemed one of the cornerstones for healthcare success in making us healthier than ever before. The baseline theme common to many in the patient engagement framework is managing information and making it available to both the patient and care team in a manner that supports care decisions, improves bi-directional communication, and optimizes outcomes. This is the nirvana we strive to accomplish in healthcare, and we appear to be doing so as we move forward in time.

We are seeing more and more patient engagement opportunities available to the healthcare consumer. These are in the forms of weight loss programs, reminders to eat and exercise, Facebook clubs, and many other forms of enticing the patient to care.

Despite the benefits of patient engagement solutions and the investments currently being made, convincing the patient to care might be the more difficult aspect of all of this and will require innovation. Lack of health literacy in a large portion of the population, a fragmented end-user market, poor access to healthcare, and, as already noted, the security of patient data are still hindering growth of this market and the effort to convince the patient.

These efforts boil down to one common thread: self-motivation or self-discipline by the healthcare consumer. Without the engaged patient, the various interventions prescribed by their caregivers will go unnoticed and fall short of the clinicians’ effort to effectively prescribe. But how do you self-motivate or educate a person on self-discipline and have it, notwithstanding lifelong tendencies, become a normal part of one’s life?

I take myself as an example. I don’t know how many times on a cold, dreary day I would rather have lain in bed than get my running shoes on and take a quick two-mile run up and down the road before any of the neighbors saw me, thinking to themselves, “What is she doing out in the dark with a flashlight at this hour?” It’s because I work for a living and I had to fit my run in before work and before life started.

But in the end, I did it, and do so faithfully. I disciplined myself knowing it was good for me. The alternatives are less than appealing. Forget the doctor who says it is good for your blood pressure and weight and bones, or the envy or guilt often put on us by our peers because they do it. I do it for me, and the motivation comes from within, not from someone reminding me it is good for me. That is the discipline we need in healthcare as consumers if all of these tactics to entice us to take care of ourselves are to take hold.

In order for patient engagement to work and before entities heavily invest in programs and concepts to “educate” the consumer about their health, we need to get to the root cause of self-discipline. Someone needs to understand how we discipline ourselves to take care of our health. That is where sustainable healthcare lies for us now and in future generations — teaching us the discipline, and in turn, the next generation.

Eventually we will not have the ability to be reminded to take care of ourselves by an outside party. Funding may run out, and people may tire of the phone call to eat right that day or abstain from a cigarette or else end up on oxygen and die a slow and painful death. We will need to learn from these efforts via patient engagement tactics, and in turn, use those pieces of information to further our own reasoning of, “Why do I need to do it?”

Whether it is home glucose monitoring, INR readings, blood pressure readings, or any of the other mobile device readings, what we do with the data to infuse the practices into everyday life will determine the long-term outcomes of healthcare success. Determining the outcomes of all of the healthcare reforms, reimbursements, and penalties really comes down to one simple fact: will the healthcare consumer heed their doctor’s advice, listen to directions, and follow the protocol to keep them alive, make them well, or keep them well?

It boils down to discipline. Are you disciplined enough not to be reminded to take care of yourself, or are you like most Americans who need to be cajoled, bribed, and threatened in order to take control of your own health destiny? Only your self-discipline can answer that question.

Helen Figge is SVP of global strategic development for Lumira.

Readers Write: What is a Health Information Handler?

February 11, 2015 Readers Write No Comments

What is a Health Information Handler?
By Lindy Benton


Recently I received a query from a healthcare professional wondering about the definition of a “health information handler” and their benefits. I’ve long desired to do a presentation on the subject so as to discuss their reason for being, their importance, and how they tangibly serve health systems. Given the lack of awareness surrounding the topic, perhaps it’s an appropriate time for a refresher on the subject.

First, a little history. The Centers for Medicare & Medicaid Services (CMS) manages the health information handler program. CMS defines a health information handler as “any organization that handles health information on behalf of a provider.”

Providers and hospitals usually engage health information handlers (as third-party vendors) so they — the providers — are able to electronically submit claims data and health record attachments to payers and Medicare contractors in support of claims adjudication.

These health information handlers also are often called claim clearinghouses, release of information vendors, and health information exchanges. Most also offer electronic submission of medical documentation (esMD) gateway services.

EsMD is still a work in progress, an ongoing experiment spearheaded by CMS to support electronic exchange of information between health systems and Medicare audit contractors. Prior to esMD, providers had just two ways in which to respond to documentation requests from Medicare review audit contractors – mail or fax. EsMD fixed that problem. 

The program has been in effect for more than three years – Phase One went into effect on September 15, 2011. Phase Two will allow providers the ability to receive electronic documentation requests when their claims are selected for review. CMS has yet to launch Phase Two.

To date, tens of thousands of medical records and other health information have been submitted through esMD in response to audit requests. More specifically, though, according to AHIMA, the esMD program directly impacts health information manager professionals. For these folks — who typically pull and send medical records in response to CMS audits — the process can be slow, frustrating, and costly. The esMD program and the health information handler entities that facilitate the record exchange are working to simplify that process, AHIMA states.

The esMD gateway is not set up like a typical website, though. Not everyone who wants to submit information via the gateway can simply jump on, upload files, and press the “send” button. To interact with CMS through esMD, organizations need access to the portal. The gateways are costly to develop and maintain, so hospitals and providers turn to health information handlers to facilitate the exchange process.

Health information handlers build and service an esMD gateway for multiple provider participants and submit electronic documentation on a provider’s behalf. As more providers use health information handlers to simplify their audit processes, electronic health information exchange also will increase in usability.

Documentation requests from Medicare’s audit contractors are the primary requests received by health information professionals. Auditors request additional claims information from hospitals to verify or “ensure” that coding and claims are submitted properly. If claims are coded incorrectly, hospitals must return funds to Medicare. The program was designed to reduce incorrect Medicare payments and to recollect overpayment, identify underpayments by hospitals, and prevent future issues with payments. EsMD supports this effort and enables health information handlers to support the flow of information.

Overall, the recovery program has been a success from the perspective of CMS. Medicare’s recovery auditors returned more than $3 billion to the program in 2013. Providers may disagree, but at the very least they are able to more easily satisfy the exchange of crucial information to support their billing practices with Medicare.

From a business and enterprise perspective, the move by CMS to launch the program has meant the growth of a number of health information handler firms that offer a variety of services and skill sets. In addition to providing exchange capabilities, some allow for capture of information, scanning, storage, and transmission in a secure manner. The health information handlers also track data sent and acknowledge and verify that it has been received by the auditor through the gateway. Health information handlers are considered business associates of the organizations they serve and are required by CMS to follow HIPAA rules.

According to a Government Health IT piece earlier this year, overall the esMD program is still not streamlined, but there is traction here and despite ongoing setbacks more and more providers are using the program. CMS even reported that more than 500,000 records were sent through esMD in 2013 and more than 30,000 hospitals, physicians, and medical equipment providers use esMD for auditor medical record requests.

Because of the advent of esMD and health information handlers, hospitals and health systems are gaining speed in the processing of their audit documents as well as gaining the ability to exchange information securely between health systems and Medicare auditors. The time saved in responding to the information requests is a huge benefit. There’s also the ability to address sensitive audits electronically rather than sending information through the mail or unreliable fax servers. This alone typically cuts down the time required to submit the documents for review and reduces potential penalties.

An example of this can be found at Boca Raton Regional Hospital in Florida. Established in 1967, just five years ago it faced a variety of Medicare audits and penalties. Now the not-for-profit 400-bed hospital is seeing a complete turnaround. 

One significant change is how the hospital now manages responses to Medicare audits. According to hospital officials there, the previous process had been cumbersome and meant printing, sorting, packaging, and mailing documents to Medicare to support claims and to adjudicate their bills. Since one patient record can fill a box or more, hospitals are left paying for all materials, labor, and shipping involved, enormous financial considerations for every organization.

The Medicare audit process has drastically improved because Boca Raton Regional Hospital is able to submit documents electronically, and denials related to untimely submission of records have disappeared entirely. For example, Medicare allows 45 days from the date of request for hospitals to respond, but Medicare still sends documentation requests by paper. Typically, by the time the request gets to the proper department in the hospital, more than 10 days have elapsed. Managing the entire process requires a very strict time requirement, and hospitals often fail to return records to Medicare on time, which means hospitals can no longer appeal. By automating the process and securely depositing electronic attachments to Medicare’s official information portal, Boca Raton Regional Hospital has prevented the loss of at least $350,000.

There are hurdles to widespread implementation, though, as hospitals resist using the solutions because they’re overwhelmed with current technology. They’re already so invested in other projects that many are unable to see the benefits of bringing on additional solutions and being able to exchange information with CMS. A prevailing thought is that those managing hospital IT departments simply are overwhelmed and growing ever more nonchalant about the idea that technology is going to save them or their employers any more than already has been promised.

In fact, recent reports have begun to surface claiming that CIOs at struggling health systems have little faith that new technologies, on top of recently implemented systems like EHRs, will do much good for them since these other solutions – the EHRs – had such little positive effect on their organizations’ bottom lines. Simply put, they’re sensing a bit of personal doom and are growing tired of all the hype. It’s unfortunate.

Also, for payers, despite the obvious benefits of encouraging health information handler relationships with physicians, esMD and electronic exchange are not a top priority considering all the issues they are managing, not the least of which is the current federal insurance overhaul. Perhaps time will change this, but for the foreseeable future, esMD is likely not going to gain the traction it needs to become an industry standard.

What is fortunate, though, is that service providers like health information handlers are having a positive impact on the healthcare environment and are bringing down some pretty mighty horses while also helping bring about better workflows, improved efficiencies, and increased profitability. Yet for all their impact across the sector, many are still unaware of the health information handler’s purpose and of the very term by which they are defined.

Lindy Benton is CEO of MEA|NEA.

Readers Write: Innovative Examples of Patient Engagement Programs

February 11, 2015 Readers Write 1 Comment

Innovative Examples of Patient Engagement Programs
By Zach Watson


For providers looking to increase patient engagement, it can be difficult to distinguish the abstract from the actionable. Patient engagement has become a veritable pillar of new reimbursement models, new government programs, and in some measure, the quality of a physician’s practice.

But will better patient engagement truly reduce the use of medical services? If so, who is finding success, and how?

Patient engagement falls into three broad categories: changing the role of the patient and the patient’s family in the care team, using technology to retrieve information from the patient, and fundamentally altering the environment and manner in which patients receive care.

Let’s examine each of these categories in greater detail.

Patients as Care Managers

At this point, saying the healthcare system is fragmented is a truism. Efforts are underway to improve care coordination through information exchange via electronic health records and other medical software, but many of these initiatives are invisible to patients. Which is to say, they can’t engage with what they can’t use.

Consequently, one of the most effective ways to engage patients is to reposition them as a member of the care team. Instead of the patient playing a passive role in the care she receives, this new model depends on an egalitarian relationship between the providers and patients.

Patients have a large role in the decision making process, and with better information exchange, they can act as the manager of their care plan rather than merely the recipient.

The San Diego-based Sharp Rees-Stealy Medical Centers expertly executed this model in 2013. Following MCG Chronic Care guidelines, the medical group created a multi-disciplinary team that identified high-risk patients for heart failure during their early interactions with the healthcare system and then provided personalized care.

The patients have greater control of the way their care is administered and they don’t have to repeat their diagnosis to different physicians as they move across the continuum of care. The result? A 49 percent reduction in 30-day heart failure readmission rates.

Technology for Collaboration

Patients with chronic diseases consume a disproportionate amount of healthcare resources, but managing these patients can be difficult without adequate technology. That’s why initiatives like the Collaborative Care Network were founded: to help physicians and patients better control the use of acute services.

Founded by a widespread group of pediatric gastroenterologists, the Collaborative Care Network used to be a patient registry where physicians shared treatment strategies and data with patients suffering from rare inflammatory diseases. The network improved remission rates by 25 percent, but the physicians took the program a step further and encouraged patients to contribute ideas for treatment and research they’d like to have done.

Now patients actively share vital sign data and keep their medication doses recorded so physicians can closely monitor outcomes. As of 2012, the CCN boasted roughly a quarter of the US’s pediatric gastroenterologists, and the response rate of patients who received daily messages on their phones was 94 percent.

Care Direct to the Patient

It’s no coincidence that the stress of juggling Meaningful Use and clinical quality measures criteria while keeping a business afloat makes it more difficult for independent physicians to spend the optimal amount of time with their patients. With that in mind, it shouldn’t come as a surprise that a number of physicians — roughly 10 percent — are entertaining a concierge model.

By reserving insurance payments for only acute episodes of care, physicians can charge patients a monthly or annual fee to have access to their services around the clock. What better way to engage patients than by visiting them in their own homes and making sure all their questions are answered before the appointment is over?

The concierge model takes other forms beyond the “doctor at your door” service. The Mayo Clinic recently entered the digital concierge market with its mobile app Better. For about $50 a month, patients have access to video chats with nurses, a symptom-check list that takes into account the patient’s health history, and other healthcare services.

At times patient engagement may seem esoteric, but the truth is that it applies to any instance where the patient can be more empowered in their care. To truly reduce healthcare costs, the system will need to reduce the rate of use. That means trusting patients with greater management of their own care while providing a more unified set of services when patients do need comprehensive medical attention.

Zach Watson is the content manager at TechnologyAdvice.

Readers Write: Fact and Fiction About Anthem’s Breach

February 9, 2015 Readers Write 10 Comments

Fact and Fiction About Anthem’s Breach
By John Gomez

Anthem has quickly created a surge of inquiries across the wire, leaving many CIOs wondering how they can keep ahead of the cyber-security challenges that continue to evolve. I suspect no one is surprised to learn about the existence and extent of the attack on Anthem. More than likely, many in our industry continue to wait for the “big one.” That in and of itself is a rather scary state of affairs. Most of us are not surprised and we don’t collectively believe this is as bad as it will get.

The Anthem breach is an ongoing criminal investigation led by the FBI with the assistance of FireEye and Mandiant, so nobody knows all of the details. As was the case with the Sony Pictures breach, sources will make statements without the evidence that only the FBI possesses. Here’s what we know today.

Anthem reported the breach publicly within eight days of discovery. Approximately 80 million customer and employee records may have been stolen, but the common thinking is that the actual number may be higher and that there is a high probability that other critical data was also compromised by the attackers.

The customer and employee data stolen was complete — name, home address, email address, date of birth, medical history, employer information, family relationships, and much more. That valuable information allows attacks to continue against the individuals whose information was compromised.

The concern with Anthem is that this is a move by a foreign state to amass profiles on individuals and use that information in future operations. That’s one theory, but equally likely is that the breach was profit driven since complete records are worth well over $100 on black markets.

Attribution — figuring out who did it — is one of the most difficult things to do in the world of cyber-forensics. Companies specialize in attribution, but their success rate is low, often less than 50 percent. The amount of computing power, resources, and advanced algorithms required to perform attribution at a higher level of success is mind boggling. While a theory exists as to who carried out the Anthem attack, it could be proved wrong as the evidence unfolds.

Current intelligence points to one of two groups with ties to China — Deep Panda and Axiom. Both groups have previously carried out verified attacks that had sophisticated intelligence-gathering objectives.

Deep Panda has developed a five-year strategic attack plan that includes objectives specifically focused on healthcare targets. Axiom has a specific and focused attack plan that includes government agencies, electronics and integrated circuit manufacturers, Internet-based services companies, software vendors, journalism and media organizations, NGOs, healthcare providers, biomedical device manufacturers, pharmaceutical companies, and academic institutions.

It appears that Anthem may have been compromised by parallel attacks. The first focused on employees with phishing attacks that allowed the attackers to deploy malware via their corporate email accounts. The second attack appears to have been via DNS compromises used to deposit malware.

Credible cyber-security operators rarely call an attack “sophisticated” or “advanced” unless they are trying to make headlines. Anthem’s attackers had a plan, were extremely patient, and were focused on their victim. Their attack was sophisticated and advanced, but due to tactics and practices, not because they used a new generation of attack technology. Anthem was most likely beaten by off-the-shelf technology and practices, the same techniques that attackers would use in penetrating any healthcare organization.

The preliminary investigation suggests that Anthem’s attackers used malware known as Poison Ivy or HiKit or some combination or derivative of those tools. Both malware applications are attributed to Chinese developers. Steps can be taken to determine whether an organization has been compromised by those tools, and if found, a cyber incident response team should be contacted immediately.

Anthem was tested for exploits by attackers over months or even years. Its employees fell for a phishing attack that compromised their machines. In parallel, perimeter systems were also compromised. Malware allowed the attackers to monitor network traffic, take over webcams, and capture confidential data over a long period. Some believe that Anthem was an attack pivot from which its clients or vendors could be compromised.

I suspect that we will learn that Anthem also had weak passwords (fewer than 15 characters), didn’t use dual-factor authentication, relied on third parties for DNS, and very possibly had its supply chain compromised.

Company executives can miss a few quarterly financial goals, run late on a few initiatives, and even run over budget a couple of times. But if they have a major breach, their career is over. Target’s CEO resigned after its breach and just last week the top film executive at Sony Pictures stepped down. I suspect we will see something similar at Anthem.

There is a saying in special operations: don’t be that guy. Don’t be the person who takes the easy road or embraces mediocrity. Get mad and assertive about cyber-security. Rethink vulnerabilities, test systems, learn what you don’t know, share information with the community, and become vocal. We have a choice — we can either wait to be attacked or we can decide that enough is enough.

John Gomez is CEO of Sensato of Asbury Park, NJ. Intelligence Analyst Laura Walker contributed to this article.

John will host a free, HIStalk-sponsored Q&A webinar on the Anthem breach on Friday, February 13 at 2:00 p.m. Eastern.

Readers Write: Paving the Way for Patient Voice at Health Industry Events

February 5, 2015 Readers Write 4 Comments

Paving the Way for Patient Voice at Health Industry Events
By Simone Myrie

There is a revolution happening in healthcare. Once willing to accept their role as passive recipients of healthcare, patients are increasingly being recognized and acknowledged as consumers of healthcare.

What do I mean by this? Individuals are taking on the responsibility of shopping for their own healthcare and purchasing technology to help them better manage their health. Additionally, policy changes are propelling the shift towards consumer-centric care delivery. More emphasis is being placed on reimbursement for patient satisfaction, value-based care delivery, and increased information sharing and communication with consumers.

If health industry leaders want to rethink their approaches in response to this shift, they need to make sure they have truly engaged patients — now consumers — well represented at their major conferences and included as active participants in the conversation about healthcare. Arguably, HIMSS is the biggest annual health conference in America. I applaud the Walking Gallery for partnering with HIStalk to sponsor a patient scholarship competition to allow for more patient attendance at HIMSS15.

Patients and their caregivers have long shouldered the responsibility of managing their health outside the four walls of the care setting. They have a wealth of information and are stewards of that information, a role that is mutually beneficial to providers. Technology is also changing the way they track, manage, and share their health information.

We know that today, 21 percent of Americans are using technology to track their symptoms. We also know that 58 percent of consumers are more likely to stay with their providers if they offer online access to their clinical health information.

Giving individuals access to their data will be critical in the more competitive, value-based healthcare system of the future. This is why the Blue Button Initiative continues to remind health industry leaders that patient expectations are changing. They want to collaborate more and are activated and engaged in ways we’ve never previously seen.

More people than ever before — regardless of pre-existing conditions or employment status — are gaining access to affordable healthcare, largely because of the Affordable Care Act. The latest numbers report 9.5 million Americans have purchased health insurance through the health insurance exchanges. More importantly, much like any other purchase that they would make, consumers are demanding choice in healthcare.

To meet that expectation, HHS has reported that over 90 percent of consumers will be able to choose from three or more issuers on the exchanges, up from 74 percent in 2014. Consumers can also choose from an average of 40 health plans for 2015 coverage, up from 30 in 2014 based on data at the county level.

With the expanded pool of Americans gaining access to healthcare services, health plans now have to rethink their marketing strategies so that they appear attractive to a new group of stakeholders beyond employers. They now have to sell themselves to individuals, a historic change in the system.

While healthcare leaders convene to talk the latest in care delivery — or better yet, patient engagement — it makes sense to have more consumers present contributing to the dialogue about them. Unfortunately, these conferences often prove to be cost prohibitive for the average individual. HIStalk and the Walking Gallery are leading by example with the latest patient scholarship competition. I suspect they will see a large group of applicants.

Given the crucial role of the individual in the new healthcare system, I hope that more patient scholarships will become the norm at every health industry conference. In the discussion of how to take healthcare into the future, we can’t afford to miss the individual consumer’s voice.
