Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

2 Major Problems with MACRA

Posted on May 4, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Everyone’s started to dive into the 10 million page MACRA (that might be an exaggeration, but it feels about that long) and over the next months we’ll be sure to talk about the details a lot more. However, I know that many healthcare organizations are tired of going through incredibly lengthy regulations before they’re final. Makes sense that people don’t want to go through all the details just for them to change.

As I look at MACRA from a very high level, I see at least two major problems with how MACRA will impact healthcare.

Loss of EHR Innovation
First, much like meaningful use and EHR certification, MACRA is going to suck the life out of EHR development teams. For 2-3 years, EHR roadmaps have been nothing but basically conforming to meaningful use and EHR certification. Throw in ICD-10 development for good measure and EHR development teams have basically had to be coding their application to a government standard instead of customer requests and unique innovations.

Just today I heard the Founder of SOAPware, Randall Oates, MD, say “I’m grieving MACRA to a great degree.” He’s grieving because he knows that for many months his company won’t be able to focus on innovation, but will instead focus on meeting government requirements. In fact, he said as much when he said, “We don’t have the liberty to be innovative and creative.” And no, meeting government regulations in an innovative way doesn’t meet that desire.

I remember going to lunch with a very small EHR vendor a year or so ago. I first met him pre-meaningful use and he loved being able to develop a unique EHR platform that made a doctor more efficient. He kept his customer base small so that he could focus on the needs of a small group of doctors. Fast forward to our lunch a year or so ago. He’d chosen to become a certified EHR and make it so his customers could attest to meaningful use. Meaningful use made it so he hated his EHR development process and he had lost all the fire he’d had to really create something beautiful for doctors.

The MACRA requirements will continue to suck the innovation out of EHR vendors.

New Layers of Work With No Relief
When you look at MACRA, we have all of these new regulations and requirements, but don’t see any real relief from the old models. It’s great to speak hypothetically about the move to value based reimbursement, but we’re only dipping our toe in those waters and so we can’t replace all of the old reimbursement requirements. In some ways it makes sense why CMS would take a cautious approach to entering the value based world. However, MACRA does very little to reduce the burden on the backs of physicians and healthcare organizations. In fact, in many ways it adds to their reporting burden.

Yes, there was some relief offered when it comes to meaningful use moving from the all or nothing approach and a small reduction in the number of measures. However, when it comes to value based reimbursement, MACRA seems to just be adding more reporting burdens on doctors without removing any of the old fashioned fee for service requirements.

MACRA is not like ICD-10. Once ICD-10 was implemented you could see how ICD-9 and the skills required for that coding set will eventually be fully replaced and you won’t need that skill or capability anymore. The same doesn’t seem to be true with value based care. There’s no sign that value based care will be a full replacement of anything. Instead, it just adds another layer of complexity, regulation, and reporting to an already highly regulated healthcare economic system.

This is why it’s no surprise that many are saying that MACRA will be the end of small practices. At scale, they’re onerous. Without scale, these regulations can be the death of a practice. It’s not like you can stop doing something else and learn the new MACRA regulations. No, MACRA is mostly additive without removing a healthcare organization’s previous burdens. Watch for more practices to leave Medicare. Although, even that may not be a long term solution since most commercial payers seem to follow Medicare’s lead.

While I think that CMS and the people that work there have their hearts in the right place, these two problems have me really afraid for what’s to come in health IT. EHR vendors the past few months were finally feeling some freedom to listen to their customers and develop something new and unique. I was excited to see how EHR vendors would make their software more efficient and provide better care. MACRA will likely hijack those efforts.

On the other side of the fence, doctors are getting more and more burnt out. These new MACRA regulations just add one more burden to their backs without removing any of the ones that bothered them before. Both of these problems don’t paint a pretty picture for the future of healthcare.

The great part is that MACRA is currently just a proposed rule. CMS has the opportunity to fix these problems. However, it will require them to take a big picture look at the regulation as opposed to just looking at the impact of an individual piece. If they’re willing to focus MACRA on the big wins and cut out the parts with questionable or limited benefits, then we could get somewhere. I’m just not sure if Andy Slavitt and company are ready to say “Scalpel!” and start cutting.

Managing Your Large Medical Equipment Purchases

Posted on May 3, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

On Thursday, May 5, 2016 at Noon ET (9 AM PT) join us for a live video interview with Nancy Hannan, Philips Relationship Director at Augusta University Health System (formerly known as Georgia Regents) where we’ll be discussing the unique approach Nancy and her team at Augusta University Health System have taken to acquisition and management of their large medical purchases through a unique alliance with Philips.
2016 May - Managing Your Large Medical Equipment Purchases-blog
The great part is that you can join my live conversation with Nancy and even add your own comments to the discussion or ask her questions. All you need to do to watch live is visit this blog post on Thursday, May 5, 2016 at Noon ET (9 AM PT) and watch the video embed at the bottom of the post or you can subscribe to the blab directly. We’ll be doing a more formal interview for the first 20-30 minutes and then open up the Blab to others who want to add to the conversation or ask us questions. The conversation will be recorded as well and available on this post after the interview.

We hope you’ll join us live or enjoy the recorded version of our conversation. Nancy has some really great insights to share from the unique alliance between Philips and Augusta University Health System. We’ll talk about the challenges they faced in managing and replacing old medical equipment and the proactive efforts they’re taking to ensure that their patients and providers are getting the highest quality, safest care possible.

If you’d like to see the archives of Healthcare Scene’s past interviews, you can find and subscribe to all of Healthcare Scene’s interviews on YouTube.

The Downside of Interoperability

Posted on May 2, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

It’s hard to argue that achieving health data interoperability is not important — but it comes with risks. And I’ve seen little discussion of the fact that interoperability may actually increase the chance that a major attack could hit a wide swath of healthcare providers. It might be extreme to suggest that we put off such efforts until we step up the industry’s security status, but the problem shouldn’t be ignored either.

Sure, data interoperability is a critical goal for healthcare providers of all stripes. While there’s room to argue about how it should be accomplished, particularly over whether providers or patients should drive health data management, there’s no question it needs to get done. There’s little doubt that most efforts to coordinate care will fall flat if providers are operating with incomplete information.

And what’s more, with the demand for interoperability baked into MACRA, we pretty much have no choice but to make it happen anyway. To my knowledge, HHS has proposed neither carrot nor stick to convince providers to come on board – nor has it defined “widespread” interoperability to my knowledge — but the agency has to achieve something by 2018, and that means change will come.

That being said, I’m struck by how little industry concern there seems to be about the extent to which interoperability can multiply the possibility of a breach occurring. Unfortunately, security is only as good is the weakest link in the chain, and data sharing increases the length of the chain exponentially. Of course, the risk varies a great deal depending on who or what the data-sharing intermediary is, but the fact remains that a connected network is a connected network.

The problem only gets worse if interoperability is achieved by integrating applications. I’m no software engineer, but I’m pretty sure that the more integrated providers’ infrastructure is, the more vulnerabilities they share. To be fair, hospitals theoretically vet their partners, but that defeats the purpose of universal data sharing, doesn’t it?

And even if every provider in the universal data sharing network practices good security hygiene, they can still get attacked. So it’s not a matter of requiring participants to comply with some network security standard, or meet some certification criteria. Given the massive incentives these have to steal health data (and lock it up with ransomware), nobody can hold out forever.

The bottom line is that I believe we should discuss the matter of security in a fully-connected health data sharing network more often.

Yes, we almost certainly need to press ahead and simply find a way to contain the risks. We simply can’t afford our fragmented healthcare system, and data interoperability offers perhaps the best possible chance of pulling it back together.

But before we plunge into the fray, it only makes sense to stop and consider all of the risks involved and how they should be addressed. After all, universal interconnection exposes a virtually infinite number of potential points of failure to cybercrooks. Let’s put some solutions on the table before it’s too late.

Darth Vader Explains Many Doctors’ Views of Hospital Administrators

Posted on April 29, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

It’s Friday and so you know we like to have a little fun on Friday. This week it comes from the slightly funnier than placebo ZDoggMD. Best known for his humorous medical raps, he’s recently launched what he calls the ZVLogg and a number of other humorous and educational (sometimes) video parodies. Just imagine an SNL for doctors. That’s basically it. Here’s his latest example which is hilarious (and sad) if you’re a doctor and slightly less hilarious if you’re a hospital administrator. Enjoy!

Medical Device Security At A Crossroads

Posted on April 28, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As anyone reading this knows, connected medical devices are vulnerable to attacks from outside malware. Security researchers have been warning healthcare IT leaders for years that network-connected medical devices had poor security in place, ranging from image repository backups with no passwords to CT scanners with easily-changed configuration files, but far too many problems haven’t been addressed.

So why haven’t providers addressed the security problems? It may be because neither medical device manufacturers nor hospitals are set up to address these issues. “The reality is both sides — providers and manufacturers — do not understand how much the other side does not know,” said John Gomez, CEO of cybersecurity firm Sensato. “When I talk with manufacturers, they understand the need to do something, but they have never had to deal with cyber security before. It’s not a part of their DNA. And on the hospital side, they’re realizing that they’ve never had to lock these things down. In fact, medical devices have not even been part of the IT group and hospitals.

Gomez, who spoke with Healthcare IT News, runs one of two companies backing a new initiative dedicated to securing medical devices and health organizations. (The other coordinating company is healthcare security firm Divurgent.)

Together, the two have launched the Medical Device Cybersecurity Task Force, which brings together a grab bag of industry players including hospitals, hospital technologists, medical device manufacturers, cyber security researchers and IT leaders. “We continually get asked by clients with the best practices for securing medical devices,” Gomez told Healthcare IT News. “There is little guidance and a lot of misinformation.“

The task force includes 15 health systems and hospitals, including Children’s Hospital of Atlanta, Lehigh Valley Health Network, Beebe Healthcare and Intermountain, along with tech vendors Renovo Solutions, VMware Inc. and AirWatch.

I mention this initiative not because I think it’s huge news, but rather, as a reminder that the time to act on medical device vulnerabilities is more than nigh. There’s a reason why the Federal Trade Commission, and the HHS Office of Inspector General, along with the IEEE, have launched their own initiatives to help medical device manufacturers boost cybersecurity. I believe we’re at a crossroads; on one side lies renewed faith in medical devices, and on the other nothing less than patient privacy violations, harm and even death.

It’s good to hear that the Task Force plans to create a set of best practices for both healthcare providers and medical device makers which will help get their cybersecurity practices up to snuff. Another interesting effort they have underway in the creation of an app which will help healthcare providers evaluate medical devices, while feeding a database that members can access to studying the market.

But reading about their efforts also hammered home to me how much ground we have to cover in securing medical devices. Well-intentioned, even relatively effective, grassroots efforts are good, but they’re only a drop in the bucket. What we need is nothing less than a continuous knowledge feed between medical device makers, hospitals, clinics and clinicians.

And why not start by taking the obvious step of integrating the medical device and IT departments to some degree? That seems like a no-brainer. But unfortunately, the rest of the work to be done will take a lot of thought.

The Need for Speed (In Breach Protection)

Posted on April 26, 2016 I Written By

The following is a guest blog post by Robert Lord, Co-founder and CEO of Protenus.
Robert Protenus
The speed at which a hospital can detect a privacy breach could mean the difference between a brief, no-penalty notification and a multi-million dollar lawsuit.  This month it was reported that health information from 2,000 patients was exposed when a Texas hospital took four months to identify a data breach caused by an independent healthcare provider.  A health system in New York similarly took two months to determine that 2,500 patient records may have been exposed as a result of a phishing scam and potential breach reported two months prior.

The rise in reported breaches this year, from phishing scams to stolen patient information, only underscores the risk of lag times between breach detection and resolution. Why are lags of months and even years so common? And what can hospitals do to better prepare against threats that may reach the EHR layer?

Traditional compliance and breach detection tools are not nearly as effective as they need to be. The most widely used methods of detection involve either infrequent random audits or extensive manual searches through records following a patient complaint. For example, if a patient suspects that his medical record has been inappropriately accessed, a compliance officer must first review EMR data from the various systems involved.  Armed with a highlighter (or a large excel spreadsheet), the officer must then analyze thousands of rows of access data, and cross-reference this information with the officer’s implicit knowledge about the types of people who have permission to view that patient’s records. Finding an inconsistency – a person who accessed the records without permission – can take dozens of hours of menial work per case.  Another issue with investigating breaches based on complaints is that there is often no evidence that the breach actually occurred. Nonetheless, the hospital is legally required to investigate all claims in a timely manner, and such investigations are costly and time-consuming.

According to a study by the Ponemon Institute, it takes an average of 87 days from the time a breach occurs to the time the officer becomes aware of the problem, and, given the arduous task at hand, it then takes another 105 days for the officer to resolve the issue. In total, it takes approximately 6 months from the time a breach occurs to the time the issue is resolved. Additionally, if a data breach occurs but a patient does not notice, it could take months – or even years – for someone to discover the problem. And of course, the longer it takes the hospital to identify a problem, the higher the cost of identifying how the breach occurred and remediating the situation.

In 2013, Rouge Valley Centenary Hospital in Scarborough, Canada, revealed that the contact information of approximately 8,300 new mothers had been inappropriately accessed by two employees. Since 2009, the two employees had been selling the contact information of new mothers to a private company specializing in Registered Education Savings Plans (RESPs). Some of the patients later reported that days after coming home from the hospital with their newborn child, they started receiving calls from sales representatives at the private RESP company. Marketing representatives were extremely aggressive, and seemed to know the exact date of when their child had been born.

The most terrifying aspect of this story is how the hospital was able to find out about the data breach: remorse and human error! One employee voluntarily turned himself in, while the other accidentally left patient records on a printer. Had these two events not happened, the scam could have continued for much longer than the four years it did before it was finally discovered.

Rouge Valley Hospital is currently facing a $412 million dollar lawsuit over this breach of privacy. Arguably even more damaging, is that they have lost the trust of their patients who relied on the hospital for care and confidentiality of their medical treatments.

As exemplified by the ramifications of the Rouge Valley Hospital breach and the new breaches discovered almost weekly in hospitals around the world, the current tools used to detect privacy breaches in electronic health records are not sufficient. A system needs to have the ability to detect when employees are accessing information outside their clinical and administrative responsibilities. Had the Scarborough hospital known about the inappropriately viewed records the first time they had been accessed, they could have investigated earlier and protected the privacy of thousands of new mothers.

Every person seeks a hospital’s care has the right to privacy and the protection of their medical information. However, due to the sheer volume of patient records accessed each day, it is impossible for compliance officers to efficiently detect breaches without new and practical tools. Current rule-based analytical systems often overburden the officers with alerts, and are only a minor improvement from manual detection methods.

We are in the midst of a paradigm shift with hospitals taking a more proactive and layered approach to health data security. New technology that uses machine learning and big data science to review each access to medical records will replace traditional compliance technology and streamline threat detection and resolution cycles from months to a matter of minutes. Making identifying a privacy breach or violation as simple and fast as the action that may have caused it in the first place.  Understanding how to select and implement these next-generation tools will be a new and important challenge for the compliance officers of the future, but one that they can no longer afford to delay.

Protenus is a health data security platform that protects patient data in electronic medical records for some of the nation’s top-ranked hospitals. Using data science and machine learning, Protenus technology uniquely understands the clinical behavior and context of each user that is accessing patient data to determine the appropriateness of each action, elevating only true threats to patient privacy and health data security.

Patient Portal Security Is A Tricky Issue

Posted on April 25, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Much of the discussion around securing health data on computers revolves around enterprise networks, particularly internal devices. But it doesn’t hurt to look elsewhere in assessing your overall vulnerabilities. And unfortunately, that includes gaps that can be exposed by patients, whose security practices you can’t control.

One vulnerability that gets too little attention is the potential for a cyber attack accessing the provider’s patient portal, according to security consultant Keith Fricke of tw-Security in Overland Park, Kan. Fricke, who spoke with Information Management, noted that cyber criminals can access portal data relatively easily.

For example, they can insert malicious code into frequently visited websites, which the patient may inadvertently download. Then, if your patient’s device or computer isn’t secure, you may have big problems. When the patient accesses a hospital or clinic’s patient portal, the attacker can conceivably get access to the health data available there.

Not only does such an attack give the criminal access to the portal, it may also offer the them access to many other patients’ computers, and the opportunity to send malware to those computers. So one patient’s security breach can become a victim of infection for countless patients.

When patients access the portal via mobile device, it raises another set of security issues, as the threat to such devices is growing over time. In a recent survey by Ponemon Institute and CounterTack, 80% of respondents reported that their mobile endpoints have been the target of malware the past year. And there’s little doubt that the attacks via mobile device will more sophisticated over time.

Given how predictable such vulnerabilities are, you’d think that it would be fairly easy to lock the portals down. But the truth is, patient portals have to strike a particularly delicate balance between usability and security. While you can demand almost anything from employees, you don’t want to frustrate patients, who may become discouraged if too much is expected from them when they log in. And if they aren’t going to use it, why build a patient portal at all?

For example, requiring a patient to change your password or login data frequently may simply be too taxing for users to handle. Other barriers include demanding that a patient use only one specific browser to access the portal, or requiring them to use digits rather than an alphanumeric name that they can remember. And insisting that a patient use a long, computer-generated password can be a hassle that patients won’t tolerate.

At this point, it would be great if I could say “here’s the perfect solution to this problem.” But the truth is, as you already know, that there’s no one solution that will work for every provider and every IT department. That being said, in looking at this issue, I do get the sense that providers and IT execs spend too little time on user-testing their portals. There’s lots of room for improvement there.

It seems to me that to strike the right balance between portal security and usability, it makes more sense to bring user feedback into the equation as early in the game as possible. That way, at least, you’ll be making informed choices when you establish your security protocols. Otherwise, you may end up with a white elephant, and nobody wants to see that happen.

Healthcare Big Data Humor

Posted on April 22, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

It’s Friday and so it’s always a good time for a little Fun Friday to humor to kick off your weekend. This week’s edition is dedicated to all those working through the piles of healthcare data.

Healthcare Big Data Humor - Too Much Focus on Data

I’ve seen this at a few organizations. Although, I think the other problem is likely even more challenging in healthcare. We have all this data and all of this opportunity, where do we start?

Enjoy your weekend!

Are We Controlled By Software?

Posted on April 21, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This is a powerful question and an important one for our health. I’ll admit up front that I’m a major lover of technology and the way it has impacted my life for good. I fundamentally believe that technology has the potential and opportunity to improve so many things in our lives. That includes our health and wellness.

However, David Chou asks a very good question about how much software (and more broadly technology) control our lives. The cartoon is interesting as well since it talks about software eating our relationships. To some extent that’s true. I’ve known a lot of kids that have grown so in love with video games that they have a hard time relating to people. That’s a major problem. I know many people who have unsafe technology addictions.

While I think it’s true that technology can control our lives, ruin our relationships, and even cause health issues, I don’t think we should lay the blame at the feet of the technology. We’re all human and are given the opportunity to choose what we allow to control us.

I think right now about my kids currently running around outside in this wash area with the neighbor kids playing some game they made up with wizards and dragons (Don’t ask me!). Each Saturday I take my kids to the park while I play ultimate frisbee. Next to the fields are these massive piles of dirt and my kids can’t wait to go play in these piles of dirt. They build forts, tunnels, tracks for balls, and just goof around on them. They have the time of their lives. This stands in stark contrast to the jokes people post on Facebook that say “When I was a kid, this was our playground” on top of a picture of dirt. I guess that’s still my kids playground despite all the technology that’s available.

Don’t get me wrong. My kids love technology too, but trying to say that software controls our lives or is eating our relationships is a fallacy. If it is, it’s because we’re letting it do it. If we let it do it, then yes our relationships will suffer and that will impact our health.

Of course, the alternate view of all this is that some of the very best and most popular technologies in use today actually are about connecting people. Think about all the various social media. I know and interact with thousands of people I’d have never know if it weren’t for Twitter. Technology can often facilitate the building of relationships. Plus, it can extend and deepen a relationship with someone who would have otherwise fallen off the map.

A principle I’ve learned over and over again is that most technology has a double edged sword. It’s how you implement it and how you use it that determines it’s value. Plus, you have to remember that sometimes the best solutions aren’t technical. Just because you can do something using technology doesn’t mean you should. That said, technology can improve a lot of things if implemented appropriately. You’d think these concepts would be common sense, but you know they often say that common sense isn’t so common.