EHR and Health IT Consulting
Technical Doctor's insights and information collated from various sources on EHR selection, EHR implementation, EMR relevance for providers and decision makers

‘Action First’ Vital in Health Information Exchange


The conversation within the health IT industry and federal agencies is geared toward health information exchange (HIE) and improving data sharing through EHR systems. More healthcare providers and EHR vendors are joining forces to fully implement the exchange of data between hospitals, laboratories, physician practices, pharmacies, public health agencies, and other entities.


CommonWell Health Alliance, an organization dedicated to developing a vendor-neutral platform for effective health data exchange, recently announced the addition of five new members to its team. Jitin Asnaani, Executive Director of CommonWell Health Alliance, recently spoke with EHRIntelligence.com about the organization’s mission of making significant inroads with HIE development.


“The addition of five members who joined CommonWell will improve healthcare data exchange for everybody. Specifically, it raises our ability to connect into acute care settings, ambulatory care settings, and opening the doors to connecting to other care settings,” Asnaani said. “One of the fundamental principles behind CommonWell is that all healthcare data should be focused around the person.”


The inclusion of these additional members will expand data exchange in radiology, eye care, cardiology, post-acute care and more. The movement toward nationwide healthcare exchange is growing, as more healthcare systems and EHR vendors have begun showing interest in information exchange, according to Asnaani.


“We’ve seen a surge of interest [in HIE] over the last couple of years since we formed,” stated Asnaani. “The promise of value-based reimbursement models and greater quality of care to the patient, the healthcare industry is realizing that being able to hoard data and create your own unique view of the patient dependent on the storage of data [is no longer beneficial]. I think we’re seeing that this is eroding. We’re looking towards being able to unlock the data, create a new view of the patient, and do so affordably across the US.”


One new member of CommonWell Health Alliance, PointClickCare, joins as another vendor of cloud-based software. The Executive Director mentioned the advantages of both premise-based and cloud-based EHR technology.


“From my perspective, there are advantages to both cloud-based and premise-based technology models. I think one of the advantages of cloud-based business models is that it is easier to deploy software and functionalities to your customers because of more direct control of the environment in which the software is deployed,” said Asnaani. “Premise-based can have its own set of advantages such as the ability to more easily customize the software to align with the goals of the customer.”


Asnaani also spoke about the major benefits of effective healthcare data exchange and how discussions have centered around HIE development over the last several years. However, while interest in data exchange is high, not enough activities are taking place to advance EHR interoperability.


“Health information exchange and interoperability are concepts that have been discussed for a long time,” Asnaani explains. “They have been a topical focus for the last several years. What some people don’t realize is that there is much more discussion around those topics than there is actual action.”


“CommonWell’s distinguishing factor is that we started and have continued to go down the path of action first and discussion as a complement,” he continued. “We have built real software and services that are serving real clients in the real world for real information exchange.”


HIE development has many key advantages particularly with regard to patient care. The ability to access data in real time enables providers to improve quality of care, reduce medical errors, and account for drug allergies or other key health issues.


“Health information exchange fundamentally enables better care of patients,” said Asnaani. “When a provider needs information that will make a difference in the diagnosis or create a solution for the best care possible, they are often lacking the data that they need. Health information exchange and real-world interoperability enables that provider to get the data they need to take the best care they can of their patients.”


CommonWell also supports patient-centered care through effective health information exchange and feels that it will lead to greater confidence in providers and ease for patients. With patient engagement initiatives playing a key role in meaningful use requirements, HIE development could be an important part of improving the patient experience.


“It’s not about where the data is. It’s about who the data corresponds to. Our aim is that every person enrolled in CommonWell has data that can be accessed by whoever is taking care of that person no matter where [the data] resides,” Asnaani stated.



Healthcare Industry Reacts to Stage 3 MU Proposed Rule

On March 20, the Centers for Medicare & Medicaid Services (CMS), the Office of the National Coordinator for Health IT (ONC), and the U.S. Department of Health and Human Services (HHS) announced that the latest proposed ruling on Stage 3 Meaningful Use requirements has been released for public comment.

The announcement emphasizes how the proposed rules will give providers more flexibility under the EHR Incentive Programs and increase EHR interoperability to improve the access and sharing of patient health information.

The healthcare industry as a whole is currently processing the proposed ruling and preparing to contribute during the comment period. Some public statements about the Stage 3 Meaningful Use proposed ruling from leading organizations have been released.

A statement from the College of Healthcare Information Management Executives (CHIME) said: “CHIME is closely evaluating both the CMS Meaningful Use rule and the ONC certification rule. Based on our initial review, we are pleased to see flexibility built into the Stage 3 proposed objectives. We are still trying to understand the implications of moving all Medicare providers to a single definition of MU by 2018, but are encouraged by the potential for this policy to simplify and streamline the long-term viability of Meaningful Use. While we and other stakeholders have been critical of the program over the last two years, we have always underscored how vital Meaningful Use is to modernizing our nation’s healthcare system. We look forward to digging further into the rule, looking for elements that will allow providers to build on their IT investments, specifically in the areas of care coordination, patient engagement and interoperability.”

“We do, however, urge CMS to quickly publish the proposed rule alluded to in Dr. Conway’s January 29 announcement. We were encouraged by the signals to shorten the 2015 EHR reporting period from 365 to 90 days and make other program improvements through a follow-on rule. We call on CMS to propose policy changes to the ‘all-or-nothing’ construct, lengthen timing between required Stage upgrades, and consider much-needed revisions to the hardship exception categories. These changes will enable far better participation among providers, which will in turn, keep them on a path towards improved care through health IT.”

With the inclusion of some more policy changes, CHIME recognizes that Stage 3 Meaningful Use regulations will play a pivotal role in expanding health IT adoption across the country and thereby improving the quality of care. Another statement comes from the American College of Cardiology President Kim Allan Williams Sr., M.D., on the organization’s reaction to the proposed ruling.

“The American College of Cardiology has long supported the adoption of electronic health records (EHRs) as a mechanism for improving patient outcomes,” Williams said. “The EHR Incentive Program as currently structured has been focused more on ‘checking the box’ than changing care delivery to achieve the goal of improved patient care.”

“Although the ACC is still reviewing the proposed regulations, the College is concerned by the proposal to require all providers, even first-time participants, to report for a full calendar year,” the American College of Cardiology President continued. “Implementing an EHR system in a physician practice or a hospital is not as simple as flipping a switch; it takes time, financial investment, careful consideration and planning, as well as education for all staff. The program must take this learning curve into consideration.”

Some players within the healthcare industry find the EHR reporting period of a full calendar year problematic and are urging CMS to transition to a 90-day reporting period instead.

Additionally, there may be too many regulations that are being put forth to advance the meaningful use of health IT systems instead of addressing the various problems in the medical industry today. A statement from the American Hospital Association (AHA) underscores this point.

“Hospitals are implementing electronic health records at a brisk pace in order to improve patient health and health care, but they must do so under the crushing weight of government regulations,” Linda E. Fishman, Senior Vice President of Public Policy Analysis and Development at AHA, said in a public statement. “The release of today’s rule demonstrates that the agency continues to create policies for the future without fixing the problems the program faces today. In January, CMS promised to provide much-needed flexibility for the 2015 reporting year, which is almost half over. Instead, CMS released Stage 3 rules that pile additional requirements onto providers. It is difficult to understand the rush to raise the bar yet again, when only 35 percent of hospitals and a small fraction of physicians have met the Stage 2 requirements.”

“We urge CMS to release the 2015 flexibility rules immediately. Information technology holds the promise of enhancing care for patients and communities,” Fishman continued. “America’s hospitals are committed to adopting technology but need today’s problems to be addressed to make progress for patients and communities.”

UCLA Health to integrate genomic data into EHR in pilot


UCLA Health will soon begin a pilot project with Seattle-based startup ActX that will integrate genomic patient data into its Epic EHR system, with the eventual intent of applying precision medicine to a large-scale patient base.

ActX, founded in 2012 and just out of stealth mode six months ago, collects a patient’s genetic information by way of a saliva sample, and then analyzes the information in real time. The data is integrated into an EHR – already, ActX is working with Allscripts and Greenway Health – and physicians will receive an alert about a medication and possible side effects, or a warning of potentially serious risks for cancer.

Think of it as a 23andMe that is integrated into an EHR and available to the patient.

Molly Coye, chief innovation officer at UCLA Health, which operates four hospitals, said that’s precisely what intrigued the academic health system.

“Our goal is to try to bring precision medicine to a much larger proportion of patients,” she told MedCity News. “Right now it tends to be focused particularly on people with cancer, and even then on a low number of patients.”

She added that genomic data combined with an EHR could have “real clinical meaning for a larger number of patients than we could have known about five or 10 years ago.”

The pilot will begin in the coming weeks on 50 patients that the health system thinks will be a good fit, Coye said. Depending on initial success, it will be expanded to a greater number.

“If successful, and our physicians are enthusiastic about it, we’ll rapidly make it available more widely,” she said, adding that most UCLA Health pilots range from three-to-six months.

ActX co-founder and CEO Andrew Ury, a physician who has worked extensively in the EHR space, said up until now, few if any genomic data collectors have been integrated into an EHR. Dr. Ury previously worked for Practice Partner, which was acquired by McKesson in 2007.

As he sees it, EHR integration is the only way to harness genomic data on a large scale while at the same time providing the results for the patient.

“We believe the way to do that is to build it into the everyday tool, the EHR,” he said. “The consumer factor is because we have to get the patient’s genomic data in order to make it work, so we offer access to affordable DNA sequencing. In order to do that, we involve the patient.”

Given that UCLA Health uses an Epic system, which dominates the hospital market, Coye said the potential to reach a mass of patients is significant, and that such an EHR add-on could someday be a standard feature if it proves successful.

“They’re actually working with Epic, so decision support means a lot more if it pops up in the EHR,” Coye said. “This is going to be a game changer, I think. That’s the real promise that everyone recognizes about genetic testing, that this will become a standard. It’s just a question of how you do it early on.”

Importantly, Coye cited the autonomous nature of ActX in how it’s available to both patient and physician.

Dr. Ury elaborated on the potential of precision medicine and EHR integration from a clinical standpoint.

“What this means is that if a patient’s genetic data is on file, because we’ve analyzed it, each time the physician writes a prescription in the EHR, it’s going to see if a drug is going to work, or if there’s an adverse reaction,” he said. “If there is an issue, the physician will get an alert.”

The data, and its use within an EHR, can also help physicians better determine if a patient is at higher risk of a genetic disease or a certain type of cancer. With that knowledge, more effective medications and treatments can be determined far earlier than before.

Coye said UCLA Health hopes the pilot can bring precision medicine to primary care and a further breadth of specialists “across a wide variety of clinical conditions.”

ActX is so far privately funded and has about 25 employees and independent contractors, including scientists, pharmacists, genetic counselors, physicians and software developers, according to Dr. Ury.

Dr. Ury noted that it’s “the dawn of precision medicine,” referring to the $235 million initiative championed by President Obama and overseen largely by the NIH.

“While genetics can’t predict everything, genetics can predict more and more and whether a patient has a side effect,” he said. “We think this is the future.”



Behavioral Health EHR Adoption Shows Promise in Survey


In today’s healthcare sector, implementing EHR systems has become a way of life. It is nearly impossible for a medical office to avoid EHR adoption, said Jennifer D’Angelo, Chair of the new HIMSS Long Term Care and Behavioral Health Task Force and Vice President of Information Services for Christian Health Care Center.

“From an interoperability standpoint, and from a reimbursement standpoint, it’s being required,” D’Angelo told Behavioral Healthcare. “All levels of care will need to have an EHR for care coordination among all providers.”

A survey of Behavioral Healthcare readers shows that most of the respondents find their EHR systems satisfactory and are using them extensively. Only a small percentage (9.1%) are “very unsatisfied” with their current EHR technology. In fact, 72.5 percent feel neutral or satisfied with their EHR system.

The survey points toward the majority of behavioral health specialists viewing EHRs as technology that enhances patient care. While most have adopted EHR systems, some have yet to make the transfer often due to low funding for this particular expenditure. Some of the common reasons for not adopting an EHR are: financial (41.3%), no need for it (32.5%), haven’t found the right one (13.8%), and staff resistance (5.0%).

Others may continue to shop for better health IT technology, especially if their current systems do not line up with meaningful use requirements. Physicians are more likely to adopt EHR technology with features that achieve meaningful use in order to receive financial incentives from the Centers for Medicare & Medicaid Services (CMS). For example, some vendors’ health IT systems may be capable of meeting Stage 1 Meaningful Use requirements but not Stage 2.

Other potential disadvantages of EHRs that the survey highlighted are:

(1) time consuming

(2) causes confusion

(3) difficulty getting data reports

(4) costly

D’Angelo recommends that hospitals and clinics have support onsite during the first couple of weeks during EHR implementation in order to resolve any potential end-user issues quickly and efficiently. Despite the potential problems associated with EHR technology, there are significant benefits that physicians are seeing. Survey respondents reported a number of benefits including:

(1) improving patient care

(2) reducing paper-based records

(3) boosting staff efficiency

(4) helping guarantee reimbursement

The best EHRs offer a more streamlined workflow process for a variety of tasks including pulling up patient files, recording new visitor data, and finding key information quickly.

EHR consultant Eileen Casella Rider explains that EHR technology that is developed with the input of healthcare staff members tends to work better in a care setting than those built solely from a technical standpoint. Rider goes on to say that some clinicians may not have superior computer skills, which may lead to confusion and emphasizes the need for extensive training on EHR systems.

A final aspect of the survey finds that, out of all respondents who knew their EHR server choice, 34 percent use the software-as-a-service (SaaS) option. Experts claim that SaaS is the server of the future and will only increase in popularity. This type of feature allows clinicians to run their EHR system through the cloud.

These survey results display the tangible benefits of EHR technology in the medical care setting.



Top 10 EHR vendors in physician offices


There's little question that Cerner and Epic are the giants in the EHR field. Epic is dominant not only in the scope of its market share but also in the depth of its client base. Mayo Clinic announced last month that it would be abandoning its three current EHR systems in favor of a new contract with Epic, which will now be the healthcare icon's sole EHR provider and strategic partner. Jilted in the deal were GE and Cerner, who were the providers of Mayo's current systems, although if you tallied the figures when Cerner acquired Siemens' EHR unit for $1.3 billion, it still had the largest US market share of any vendor, with 1,132 acute care hospitals.

But a more granular look at market share amongst physician offices shows a slightly different market picture.



Epic is still on top, but only by a percentage point (eClinicalworks is close on its heels). And as you might expect, Epic's client base skews heavily towards larger practices, dominating the 41+ practice market at 54%. On the lower end of the scale (1 - 3), Epic, eClinicalworks, Allscripts and Practice Fusion are all within a percentage point or two of one another. 

Cerner, notably, is way down the list across the board in the physician practice world, taking just 3.5% of the overall market. So is athenahealth, at 3.3% overall and just 0.4% and 0.8% in the 26 to 40 and 41 and up segments. This tallies with the cloud-based vendor's ongoing investments in the inpatient market, however: In January, the cloud-based provider purchased start-up RazorInsights to move into the 50-bed and under sector, a niche that accounts for one-third of all hospitals in the US; and last week the company announced that it has purchased WebOMR, Beth Israel Deaconess' cloud-based, stage 2-certified EHR, for commercial development in the hospital setting.



Breaking Down the Health IT Impacts of Stage 3 Meaningful Use


The Centers for Medicare and Medicaid Services (CMS) released its proposed rule for Stage 3 meaningful use on March 20, revealing the hotly anticipated provisions for the final phase of the EHR Incentive Programs.


Raising the bar on some of the toughest aspects of Stage 2 while requiring healthcare providers to make some significant leaps in EHR adoption and care delivery by 2018, the Stage 3 meaningful use framework poses some difficult questions for eligible providers and hospitals struggling with interoperability and the burdens of leveraging EHRs for patient care.


From health IT interoperability to privacy and security to big data analytics, the impacts of Stage 3 will touch nearly every aspect of the healthcare industry in the next few years.

What are some of the key issues providers must keep in mind as 2018 approaches and the EHR Incentive Programs eventually come to an end?


Top 8 goals of the Stage 3 meaningful use proposed rule


The objectives and thresholds in Stage 3 urge providers to new heights in patient care by encouraging more extensive use of health information exchange, e-prescribing, clinical decision support, and computerized provider order entry (CPOE).  CMS also hopes to increase patient engagement substantially over Stage 2 levels and promote the coordination of care through expanding access to personal health information.  Read a summary of the eight major objectives included in CMS’ plan for the industry.


Interoperability key to Stage 3 meaningful use requirements


Industry-wide EHR interoperability is the ultimate goal of the EHR Incentive Programs, and Stage 3 hopes to bring providers closer to widespread health information exchange than ever before.  “The flow of information is fundamental” to better care, healthier patients, and reduced costs, says HHS Secretary Sylvia Burwell, but the path towards meaningful interoperability has been a difficult one.  Stage 3 intends to address some of the major barriers to interoperability by raising thresholds and benchmarks for health information exchange.


Can Stage 3 meaningful use CEHRT bring on big data analytics?


Stage 3 brings some major changes to the way EHR technology is certified and designed in accordance with the EHR Incentive Programs’ growing emphasis on healthcare analytics and population health management. With the newly-named “health IT modules” presenting opportunities and challenges for providers seeking to gear up for the optional 2015 Edition Certified EHR Technology (CEHRT) criteria, how will the new provisions for EHR development allow the technology to evolve into meaningful tools for big data analytics and effective care coordination?


How does Stage 3 meaningful use affect health data privacy?


As CMS turns its attention to interoperability and increased data exchange, patient privacy and security measures will become ever more important to the industry.  Continued confusion over meaningful use and the HIPAA Security Rule has left many providers asking questions about how they can protect their patients’ electronic personal health information (ePHI) in the face of data breach after data breach.  Learn how Stage 3 hopes to simplify patient data privacy and security measures for providers in this breakdown of the Stage 3 proposal from HealthITSecurity.com.


What does the Stage 3 meaningful use rule mean for analytics?


How will Stage 3 build on existing infrastructure to encourage healthcare analytics to thrive? By leveling the playing field and requiring providers to meet all the same measures in 2018. This controversial proposal may leave some lagging organizations in the lurch, but with the help of the ONC’s Common Clinical Data Set, it would create rich opportunities for informaticists and population health managers. Will Stage 3 be the push the industry needs to expand its budding analytics capabilities?


ONC proposes 2015 health IT certification criteria rules


The 2015 CEHRT criteria, released in conjunction with the Stage 3 rule, have significant implications for healthcare privacy and security.  By opening up the certification program to include new types of health IT, and therefore new types of patient data, the ONC plans to achieve widespread interoperability.  How will federal rule makers ensure that personal health information is sufficiently protected without overburdening providers and EHR developers?




New Medical Tech Not Hard to Swallow, Just to Implement


The "always on" smartphone world of today matched with personal digital diagnostic technologies in development by the likes of Microsoft, Apple, Google, and other digital powerhouses promise to revolutionize chronic disease management and empower population health to stratospheric levels.

The development initiatives using data created and transmitted via smartphones using wearable, clothing embedded, ingestible, and other personal sensors are limited more by imagination than technology.

Just one little problem: The ability to convert another tsunami of new patient data into usable and actionable information for physicians using existing EHR technology is more than a decade in the rearview. The existing system platforms are static warehouses, not digital highways.

Further, each EHR's warehouse is an island unto itself because it uses a different layout, nomenclature, and even language designed to make changing to a competitor as difficult as possible by making data migration to a new system an expensive and daunting process. Now that Congress has stepped in, the exorbitant ransoms imposed by some EHR companies to translate the data into the standard language are effectively bad memories.


The Wall of Interoperability


Still, federal law prescribes that, to be certified, all EHR data is to be contained in a standard format called a CCDA (Consolidated Clinical Document Architecture, if you must know). The law, however, has more loopholes than grandma's knitting.

That makes the new healthcare information highways, population health, and similar programs that convert EHR warehoused data into usable information for physicians and other healthcare providers (among a host of other enabling and time-saving features), the ultimate solution hobbled by that EHR industry manufactured wall to data called "interoperability."

Circumventing EHR companies by automating removal of the CCDAs out of EHR systems has been solved by a very clever few, as has even making them interactive, but it comes at a cost because each version of each EHR has to be done separately.

To achieve a single-keystroke model (inputting data only one time), which is not only desirable but the only way to get people to use it, tons of EHR data has to be machine translated into a common language, delimited, mapped, parsed, validated, and, finally, populated into a common platform so that it can be made into something useful for providers. Every day. That takes lots of time, money, and skill, which can be undone by EHR companies at will every time they issue an upgrade, new version, or even a simple update — and expensively redone.


In return, providers get useful, time-saving tools that can allow them to do much more in much less time, which is the key to a reasonable quality of life for physicians.

That makes effective population health, let alone enhancing it by new wireless, personal smartphone app-enabled diagnostics, equivalent to baking a cake by having to get and process the raw ingredients from farmers and dairies instead of a cake mix from the supermarket.

The obvious solution, of course, is to pull the data directly into the information manufacturers' systems, circumventing the EHR warehouses, which will be hoisted by their own petard in the open ocean without a paddle because information systems cannot be EHR-specific to be effective.


In the end, there is a bright future for developers, physicians, healthcare providers and, especially, patients.

EHR companies? They took a different road. The survivors will join the program, and the time to do so is so very close.



Why Are So Many Big Health IT Companies from Small Cities?


I was reading over something on HIStalk the other day that talked about how many major healthcare IT and EHR companies have come out of small cities. In fact, when you think about the EHR world, there are only a handful of EHR companies that have come out of the tech hub of the world, Silicon Valley, and they’ve all been started within the past 10 years.

In the article HIStalk mentioned the town Malvern, Pennsylvania. I hadn’t even heard of the town, but a look at Wikipedia has Siemens Healthcare, Ricoh Americas, and Cerner as among the companies based in Malvern. I think the Cerner mention in the list must be because Cerner just purchased Siemens Healthcare, so they are now claiming them. However, Cerner is definitely a Kansas City based company. Either way though, Kansas City is not a HUGE city either and certainly hasn’t been the hub of technology (although, I know they have some cool tech things happening now, like most cities).

The healthcare IT behemoth, Epic, was founded in Madison, Wisconsin and now has headquarters in Verona, Wisconsin. If you aren’t in healthcare IT, my guess is that you’ve probably never even heard of Verona.

Those are just a few examples and I’m sure there are many more. Why is it that so many of the large healthcare IT companies have come from small cities? Will that trend continue or will large cities like San Francisco, Boston, New York, and LA start to dominate?

I’m a bit of a young buck in this regard. So, I don’t have the answer. Hopefully some of my readers do. I look forward to hearing your thoughts. Is there an advantage to being from a small town when going into healthcare? It’s exciting to me that healthcare innovation can come from anywhere. I hope that trend continues.



Electronic health records and data abuse: it's about more than medical info


On the heels of the recent announcement that medical insurance firm Anthem was breached, we look at the nuance and impact of a medical record breach versus a medical data breach. They are certainly related, but digging through troves of data containing primarily identity information is significantly different to an attack that focuses on specific treatment of a specific patient.

If an attacker can harvest name, social security number, phone, address, email and the like, that haul has a much wider potential audience than, say, whether or not a patient underwent a specific medical procedure. A stolen medical record containing a lot of detail may sell for a lot of money, but that market is more specialized than the broader market for general identity data.

To help folks visualize the different levels of data that thieves might want to swipe from a medical facility, and then abuse, my colleague, Stephen Cobb, created this diagram of a generic electronic health record.

Level one is pretty basic info, things that are fairly easily knowable about you without any hacking, normally sourced through Open Source Intelligence (OSINT) gathering. However, grabbing a big fat collection of such data might still earn a bad guy some black market bucks, say if a spammer needed fresh targets.

The illegal earnings potential goes up a notch if you can grab Level 2 data. Scammers can use that to carry out several kinds of identity theft: creating fake IDs, opening credit card accounts, committing tax fraud (filing fake returns to get a refund) or even answering challenge questions to online accounts, thereby pivoting the attack to new digital beachheads. Even Level 2 data is enough to commit some types of medical ID theft, though the bad guys have no clue how healthy or sick you really are (here’s a pretty scary case of what can be done with just a stolen driver’s license).

Level 3 data just makes all of the above that much easier; plus, it enables new forms of badness. Some crooks prefer taking over an established account to opening a (fake) new one. The number of electronic records or EHRs that actually contain financial or payment data is not clear, but obviously a lot of healthcare entities do handle it at some point, making them a target for digital thieves who turn around and sell it on carder forums.

When you get to Level 4 data, the badness takes on a new dimension. If an attacker has a patient’s full (or partial) history, it’s easy to imagine matching up a willing bidder who has a need for a similar medical procedure with a donor record to (roughly) match, in an attempt to get pinpointed specific services they would otherwise have difficulty receiving.

But the options for selling medical history-style Level 4 records may be much narrower in scope than, say, bulk repackaging and resale on the underworld markets of lower levels, appealing to any buyer who wants to assume an identity, spread a wider net and attack other properties, or engage in fraudulent activity which is then blamed on you (if it’s your record that was compromised).

Of course, the threatscape may well change as the EHR becomes more universal. With the proliferation and sprawl of third party providers who are somehow tapped into a cohesive health ecosystem, there will always be various specialized smaller providers whose business is targeted to a specific subset. That’s not bad, it’s just how the health segment does business; in many cases it leverages strengths of one organization to help another. But it does imply a larger potential attack surface, which has implications for security if the data sprawl is not carefully managed. For example, if an attacker can gain a beachhead in one of the providers in the ecosystem, will they then have an elevated trust relationship with other systems within this ecosystem?

And here’s the rub: having instant digital access to all of a patient’s medical data (or other sensitive information) wherever a doctor happens to physically be is a wonderful tool, but now we have many more endpoints in question with security environments to understand and corral. This implies an ongoing need, not just for really smart endpoint protection, but also strong encryption, and authentication, as well as sane network segmentation, vigilant network monitoring and reliable disaster recovery.



Interoperability and the Future of Care Delivery - HITECH Answers


The healthcare industry has done a remarkable job of replacing traditional paper charts with electronic health records (EHRs). Information that used to be sharable only by the most rudimentary means — it’s been said that fax machines lasted so long only because of healthcare — is now captured and stored electronically in a readily transmittable form.

That’s powerful stuff. Think of all the ways we as individuals move information electronically through email, online destinations, and the applications we access as part of daily life that would have been impossible less than two decades ago. That convenience is coming fast to health information, and the race is on to put that information to beneficial use through interoperability.

“EHR interoperability” can take many forms. It can refer to the ability of dissimilar EHRs to exchange health records, its most commonly understood meaning. It can also refer to the ability for EHRs to interact with dissimilar devices and with applications that are well beyond the realm of the health record itself. Interoperability is all of these things and more, coming together to advance care in ways that were unimaginable in the days of paper charting.

Interoperability among EHRs

In the first phase of electronification, health data was captured and stored in individual EHRs operating as providers’ personal information silos. The next task is to enable those EHRs to exchange patient data efficiently and securely with each other.

Meaningful use Stage 2 is a driving force in this aspect of interoperability. Stage 2’s consolidated clinical document architecture (C-CDA) requires EHRs to exchange diagnoses, allergies and medications in real time, a great first step (and another good reason to upgrade to a Stage 2-certified EHR). More complete information exchange is still needed, and the industry is making great progress in this arena, largely thanks to such cooperative initiatives as the CommonWell Health Alliance and Healtheway Carequality program. We should ultimately see all clinical data necessary for quality care shared among EHR systems, so it won’t matter whether a person is receiving care near home or while traveling across the country — his or her pertinent information will be available at the point of clinical decision-making in any location.

Interoperability with dissimilar devices and applications

Delivering patient data from one EHR to another is one piece of the interoperability puzzle; clinical information is often needed for decision-making beyond the reach of EHR-connected computers. Mobile devices are leading the way in putting patient data in the hands of providers wherever it’s needed via apps on tablets and smartphones. Patients also need remote access to health data, a role filled by the patient portal, which is fast growing in importance for patient engagement. As portals and EHR-to-EHR interoperability advance further, healthcare consumers will be able to manage information across multiple providers from a central location, just as today it’s possible to go online and personally manage finances by moving assets across accounts and institutions.

Interoperability with patient populations

The exchange of electronic health records with other EHRs, mobile devices and portals is all about individual care, which of course is tremendously important. Equally important is patient engagement for purposes of population health management, which occurs outside the walls of care facilities and patient appointments. Shifting payer models increasingly hold physicians accountable for outcomes, and tools that leverage EHR data are beginning to assist in that regard. We’re nearing an era in which each time a patient with a chronic condition makes an appointment, the provider will know whether or not that patient is overdue for a screening test, a foot exam or any other measure needed to fulfill a recommended preventive care program…and can administer that care at the same time.

These are just some of the ways interoperability is beginning to transform healthcare, and innovation is accelerating. In the not-too-distant future, “health IT interoperability” will largely be taken for granted, with information flowing in beneficial ways we can only dream of now — and as we are all consumers of healthcare, we’ll all benefit tremendously from breakthroughs to come.

