
E-Patient Update: Clinicians May Be Developing Strong EMR Preferences

Posted on December 8, 2017 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

Not long ago, I wrote about a story from another publication, one which engaged in a bunch of happy talk about how EMR companies were improving their user interfaces. At the time, I expressed a great deal of skepticism about this claim, suggesting that the vendors had misled the reporter into believing that user aspects of EMRs were changing for the better across the industry.

While I stand by my original skepticism to some degree, I have to say that I got a surprise recently when I heard some nurses discussing two major EMR platforms. The one they were using, they said, was awful and awkward to use. Apparently, they missed the other terribly.

Now, at the time I was a patient in the emergency department, so I didn’t have a chance to ask them any questions about their preferences, but I was struck by the conversation because I knew which vendors they were discussing. However, they could have been talking about any enterprise EMR.

Clinicians developing preferences

I don’t mention this exchange to praise one EHR over another. I bring this up merely because this is the first time, having spent a lot of time in medical environments due to chronic illness, that I’d heard any front-line clinician express a preference for one enterprise EMR over the other.

In the early days of widespread EMR adoption, I could scarcely find a clinician who didn’t hate the system they were working with, much less one who truly liked it and wanted to use it. Eventually, I began to find that many clinicians thought the system they worked with was more or less okay, though I rarely found any screaming fans for any system in particular.

Now, I’m arguing that we may be at a new stage in clinician adoption of EMRs. The point I am making is that now, some of the clinicians with whom I’ve had contact are showing some enthusiasm about one EMR or another.

No big surprise: Experience breeds preference

The truth is, when you think about it, it’s not surprising that clinicians have finally developed preferences (rather than the lists of EMRs which they truly hate). After all, it’s been going on 10 years since the HITECH Act was passed and the money started to flow into EMR subsidies.

Since then, clinicians have had the opportunity to work with multiple EMR platforms at various facilities, and informally at least, develop a catalog of the strengths and weaknesses. Nurses and doctors know which interfaces they like, whether tech support tends to respond when they have a problem with the particular system, whether any analytics tools they provide are worth using and so on.

Given this fact, it’s hardly surprising that they’ve figured out what they like and what they don’t, and which vendors seem to suit those needs. After this much time, why wouldn’t they?

As I see it, this is something of a turning point in the industry, a new moment in which clinical professionals have learned enough to know what they want from an EMR. I don’t know about you, but speaking as an e-patient, I think this is a very good thing. The more empowered clinicians feel, the better the work they will do.

The Benefits Of Creating Data Stewards

Posted on December 7, 2017 | Written By Anne Zieger

Maybe I’m behind the times, but until today I’ve never heard of the notion of a “data steward” for healthcare organizations. An article I read today from the Journal of AHIMA IGIQ blog has given me some ideas on the subject to ponder, however.

The blog author lays out a role which combines responsibility for data structure and consistent data type definitions — in other words, which sees that datatypes are compared on an apples-to-apples basis and that data categories make sense and relate to each other appropriately.

In the article, “Data Stewards Play an Important Role in the Future of Healthcare,” writer Neysa Noreen, MS, RHIA, notes that providers are already struggling to categorize and describe types of medical data, much less leverage and benefit from them. But while we need to impose such a level of discipline, it isn’t easy, she notes.

“[Creating a workable data structure] it is a complex process with many challenges,” Noreen writes. “There are many data terms and concepts, roles and structures to decipher from information governance and data governance to data integrity,” which is why we need to put data stewards in place in many organizations, she suggests.

Though the idea of the data steward isn’t new, “emphasis on data comparison and quality has increased their necessity,” Noreen argues. “Data stewards are essential to ensure that standard data sets and definitions are implemented and used for data integrity and quality.”

The question then becomes what qualifications and skills a data steward should have. According to Noreen, data stewards aren’t necessarily IT experts. What they will need is to have a thorough understanding of the data itself and how to extract value from that data on the broadest level.

Data stewards will often turn out to be people who are already working with data in some other manner, which will allow them to know what the organization needs to do to resolve discrepancies between data definitions, according to Noreen. Such a background also gives them a head start in figuring out how data can be organized into classes and leveraged effectively.

Given their knowledge of data standards and definitions, as well as a history of working with the data sets the organization has, data stewards will be in a good position to make data use more efficient. For example, they will be able to review and compare data requests on an institutional level, identifying data redundancy and finding opportunities for cost-efficiencies.

Having given this some thought, I find it hard to argue that most healthcare organizations could benefit from having a data steward in place. Providers may begin by starting with a committee that handles this function, rather than creating one or more dedicated positions, but eventually, the scope of such efforts will call for specialized expertise. Expect to see these positions pop up often in the future.

The Future Of Telemedicine Doesn’t Depend On Health Plans Anymore

Posted on December 6, 2017 | Written By Anne Zieger

For as long as I can remember, the growth of telemedicine depended largely on overcoming two obstacles: bandwidth and reimbursement. Now, both are on the verge of melting away.

One, the availability of broadband, has largely been addressed, though there are certainly areas of the US where broadband is harder to get than it should be. Having lived through a time when the very idea of widely available consumer broadband blew our minds, it’s amazing to say this, but we’ve largely solved the problem in the United States.

The other, the willingness of insurers to pay for telemedicine services, is still something of an issue and will be for a while. However, it won’t stay that way for too much longer in my opinion.

Yes, over the short term it still matters whether a telemedicine visit is going to be funded by a payer: after all, if a clinician is going to deliver services, somebody has to pay for their time. But there are good reasons why this will not continue to be an issue.

For one thing, as the direct-to-consumer models have demonstrated, patients are increasingly willing to pay for telemedical care out-of-pocket. Customers of sites like HealthTap and Teladoc won’t pay top dollar for such services, but it seems apparent that they’re willing to engage with and stay interested in solving certain problems this way (such as, for example, getting a personal illness triaged and treated without having to skip work the next day).

Another way telemedicine services have changed, from what I can see, is that health systems and hospitals are beginning to integrate it with their other service lines as a routine part of delivering care. Virtual consults are no longer this “weird” thing they do on the side, but a standard approach to addressing common health problems, especially chronic illness.

Then, of course, there’s the most important factor taking control of telemedicine away from health plans: the need to use it to achieve population health management goals. While its use is still a little bit lopsided at present, as healthcare organizations aren’t sure how to optimize telehealth initiatives, eventually they’ll get the formula right, and that will include using it as a way of tying together a seamless value-based delivery network.

In fact, I’d go so far as to say that without the reach, flexibility and low cost of telehealth delivery, building out population health management schemes might be almost impossible in the future. On the one hand, having specialists available to address urgent matters in, say, rural areas will be critical; on the other, telehealth makes the specialists needed for chronic care (such as endocrinologists) accessible to unwell urban patients with travel concerns.

Despite the growing adoption of telemedicine by providers, it may be 5 to 10 years or so before it has its fullest impact, a period during which health plans gradually accept that the growth of this technology isn’t up to them anymore. But the day will without a doubt arise soon enough that “telemedicine” is just known as medicine.

EHR, Patient Portals and OpenNotes: Making OpenNotes Work Well – #HITsm Chat Topic

Posted on December 5, 2017 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

We’re excited to share the topic and questions for this week’s #HITsm chat happening Friday, 12/8 at Noon ET (9 AM PT). This week’s chat will be hosted by Homer Chin (@chinhom) and Amy Fellows (@afellowsamy) from (@MyOpenNotes) on the topic of “EHR, Patient Portals and OpenNotes: Making OpenNotes Work Well.”

There are now nearly 100 health systems across the United States using secure patient portals to share visit notes with more than 20 million of their patients. And as the saying goes, if you’ve seen one OpenNotes implementation, you’ve seen one OpenNotes implementation.

No two health systems approach OpenNotes in the same way, and much of the variation stems from human resistance to change. Change is hard; whether it involves assuring and supporting clinicians in their move toward sharing notes or whether it’s surmounting technical challenges within the electronic health record.

We know the electronic health record is here to stay. We’re not going back to paper. And we know that when patients are offered online access to the medical information in their records, including access to notes, these patients continue to want that access and they share its benefits.

At their annual meeting in November 2017, the American Medical Informatics Association (AMIA) announced a formal collaboration with OpenNotes, stating, “The evidence-base is clear: providing patients access to their physician’s notes improves physician-patient communication and trust, patient safety, and perhaps even patient outcomes.”

So how do we bridge resistance to change? And as OpenNotes expands, how do we guide health systems to ensure the best possible patient experience?

Join us as we dive into this topic during this week’s #HITsm chat using the following questions. Homer Chin and Amy Fellows will be on hand to share key learnings from vendors and health IT teams that have been making OpenNotes work over the past few years.


Topics for This Week’s #HITsm Chat:

T1: What cultural barriers to OpenNotes adoption and use exist within the #healthcare IT profession vs. the clinical/medical community? #hitsm

T2: Given that OpenNotes is a movement and not a discrete software product, what are the technical challenges for implementing OpenNotes inside the patient portal? #hitsm

T3: If you’re currently implementing OpenNotes in your health system: What advice and/or caveats can you share with colleagues? #hitsm

T4: If you haven’t implemented OpenNotes at your health system: What’s holding you back? What do you believe are the key challenges impeding implementation? #hitsm

T5: What customization strategies and/or tips do you have for helping patients navigate healthcare portals to find their #medical record notes? #hitsm

BONUS: What type of “OpenNotes-related” functionality should #EHR vendors be including in their product(s) to serve both clinicians AND patients? #hitsm

Upcoming #HITsm Chat Schedule
12/15 – What’s Keeping HealthIT from Soaring to the Cloud?
Hosted by David Fuller (@genkidave)

12/22 – Holiday Break

12/29 – Holiday Break

We look forward to learning from the #HITsm community! As always, let us know if you’d like to host a future #HITsm chat or if you know someone you think we should invite to host.

If you’re searching for the latest #HITsm chat, you can always find the latest #HITsm chat and schedule of chats here.

Slow Learners Teach Big Lessons – $2 Million State HIPAA Penalty

Posted on December 4, 2017 | Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES. He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

Editor’s Note: We’d like to welcome Mike Semel as the latest addition to the Healthcare Scene blog team.  We’ve been working with Mike for quite a while as a guest blogger, so it’s great to have Mike now covering security and privacy with us in a more formal capacity.  Check out all of Mike Semel’s EMR and HIPAA blog posts.

I think it is fair to call people slow learners if they get caught violating HIPAA:

  • after they published 50,000 patient records to the Internet for a 2-year period, so patients Googling themselves found their medical records,
  • and THEN DID IT AGAIN DURING THE INVESTIGATION for the first incident.

Duh.

On November 22, California Attorney General Xavier Becerra announced a $2 million settlement with Cottage Health System and its affiliated hospitals for violating both state and federal privacy laws. The settlement came after two separate data breaches where more than 50,000 patient records were made publicly available online. The state settlement is on top of a $4.125 million class-action settlement with its patients, that Cottage Health’s insurance company is trying to recover, because it said Cottage Health was not truthful on its insurance application.

It’s bad enough that from 2011 until 2013 (after it was notified by a patient that he found his medical records online), Cottage Health had a server with protected health information that was not encrypted, password protected, protected by firewalls, or protected against unauthorized access.

What is truly stunning is that, in 2015, during the federal investigation for the first incident, Cottage Health reported that it made another 4,596 patient records available online.

I have been the Chief Information Officer in a hospital, and know how bad executive and departmental management and oversight would have to be to create an environment where that can happen once, let alone twice.

Based on the complaint provided by the California Attorney General, there are a lot of lessons you can learn from this penalty.

LESSONS

1. It’s not just the OCR. This HIPAA penalty was issued by a state Attorney General. The federal HITECH Act (2009) gave state AGs the authority to enforce civil penalties for violations of the HIPAA Privacy and Security Rules. It doesn’t take the federal Office for Civil Rights to go after you. It could be your state Attorney General, who is probably motivated by wanting to impress voters for his campaign to be governor or senator someday.

2. Know your state laws. California’s Confidentiality of Medical Information Act and Unfair Competition Law were also cited in the penalty. Forty-eight states, plus DC and Puerto Rico, have their own laws protecting Personally Identifiable Information. Some, like California, have state laws that protect medical records beyond the scope of HIPAA. State laws have different patient notification requirements than HIPAA’s maximum of 60 days. In California, patients must be notified within just 15 days.

3. Management should pay attention to security and compliance, before it has to sign $6 million in checks, plus legal fees. From the IT department to the executive suite, this penalty is proof that management was not validating the organization’s security and compliance.

Cottage Health isn’t a small, rural hospital with 25 beds, trying its best, with limited resources, to serve a community. According to its 2016 Annual Report, Cottage Health generated over $746 million in revenue and had 3,120 employees. Seventeen of them are Vice Presidents.

At least Cottage Health’s CEO didn’t publicly blame his IT guy, like the former CEO of Equifax did in front of Congress. Maybe he realizes he could have avoided spending $6 million by having better management.

4. Patients are Consumers, who are protected against Negligence & Unfair Business Practices. The $4 million settlement plus the $2 million penalty are proof that management was ignoring the commitment it made to its patients every day in the Cottage Health Notice of Privacy Practices.

Our Pledge
We understand that medical information about you and your health is personal, and we are committed to protecting it.

The Federal Trade Commission forced the closure of a small medical lab because it said the lab violated its prohibition of Unfair Business Practices by not protecting patient information.

There is a lawsuit in Connecticut where the state appeals court certified a Notice of Privacy Practices as a contract with a patient.

Yes, patients (and now their lawyers) really do read those notices. Treat yours with respect because it is a contract, not a brochure.

5. Don’t Assume Your HIPAA Compliance Program is Working. Not having policies, procedures, or basic IT security like passwords and firewalls means that a lot of Cottage Health managers and executives had to be asleep at the switch. Not complying with the HIPAA Security Rule, effective since 2005, which protects electronic data, means that Cottage Health’s compliance program was a mirage. I can imagine their compliance and security staff telling management that they had everything handled. Management believed them. Over 50,000 patients and an Attorney General disagree.

6. Prevent the Triggering Event. This wildfire started with a small spark. An IT engineer configured a server and plugged it into the network. Things as simple as checklists could have prevented the negligent publication of the medical records to the Internet.

The NIST Cybersecurity Framework (NIST CSF) is a 41-page document simple enough for even small organizations to use to improve their data security.

Bring in a qualified independent third party to evaluate your compliance and security against the HIPAA rules and the NIST CSF, and give the report directly to the CEO. Not a good use of the CEO’s time? It’s much better than the CEO’s involvement after an investigation has started.
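One way to turn the “simple checklist” of lesson 6 into something a server cannot skip is a go-live gate that refuses deployment until every control is present. The example below is added here and is not code from the post or from Cottage Health; it encodes the controls the post says were missing (encryption, password protection, a firewall, protection against unauthorized access) plus logging and a second-person review, and the server records and field names are constructed for illustration.

```python
"""Pre-deployment go-live gate for a server that will hold PHI.

Added example, not from the original post. Every control is a checklist rule
that must pass before the server is allowed onto the network; the gate returns
the failures rather than silently letting the deployment proceed.
"""
from dataclasses import dataclass, field


@dataclass
class ServerConfig:
    """Declared configuration of one server (constructed field names)."""
    name: str
    holds_phi: bool
    disk_encrypted: bool
    auth_required: bool                 # no anonymous / unauthenticated access
    firewall_default_deny: bool         # inbound denied unless explicitly allowed
    internet_exposed_ports: list = field(default_factory=list)
    access_logging: bool = False
    reviewed_by: str = ""               # second person who signed off the checklist


@dataclass
class Finding:
    control: str
    detail: str


def evaluate(server: ServerConfig) -> list:
    """Return the checklist items the server fails; an empty list means go-live is allowed."""
    findings = []
    if not server.holds_phi:
        return findings  # the PHI checklist does not apply to non-PHI systems
    if not server.disk_encrypted:
        findings.append(Finding("encryption", "PHI volume is not encrypted at rest"))
    if not server.auth_required:
        findings.append(Finding("authentication", "service accepts unauthenticated requests"))
    if not server.firewall_default_deny:
        findings.append(Finding("firewall", "inbound traffic is not default-deny"))
    if server.internet_exposed_ports:
        ports = ", ".join(str(p) for p in server.internet_exposed_ports)
        findings.append(Finding("exposure", f"ports reachable from the internet: {ports}"))
    if not server.access_logging:
        findings.append(Finding("detection", "no access logging, so public exposure would go unnoticed"))
    if not server.reviewed_by:
        findings.append(Finding("review", "no second-person sign-off recorded"))
    return findings


def go_live_allowed(server: ServerConfig) -> bool:
    """True only when the checklist produces no findings."""
    return not evaluate(server)


# Constructed sample inventory: the first record mirrors the post's description
# of a PHI server put on the network with none of the basic controls; the second
# is what the same server should look like before it is allowed to go live.
INVENTORY = [
    ServerConfig(name="records-web-01", holds_phi=True, disk_encrypted=False,
                 auth_required=False, firewall_default_deny=False,
                 internet_exposed_ports=[80, 443]),
    ServerConfig(name="records-web-02", holds_phi=True, disk_encrypted=True,
                 auth_required=True, firewall_default_deny=True,
                 access_logging=True, reviewed_by="security-reviewer"),
]

if __name__ == "__main__":
    for server in INVENTORY:
        failures = evaluate(server)
        status = "GO" if not failures else f"BLOCKED ({len(failures)} findings)"
        print(f"{server.name}: {status}")
        for f in failures:
            print(f"  - [{f.control}] {f.detail}")
```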

7. If You Are Being Investigated, Don’t Let the Same Problem Happen Again. Duh.

Healthcare Costs Video

Posted on December 1, 2017 | Written By John Lynn

In all the crazy discussions that are happening about healthcare, it’s always frustrating to me that so few of them talk about healthcare costs. Politicians are talking a lot about healthcare insurance and coverage. Those in healthcare IT talk about meaningful use, MACRA, and over regulation. No doubt there are challenges associated with insurance coverage and with health IT regulation. However, none of them will move the needle on how much healthcare is costing this nation.

Sometimes it takes a little bit of humor to illustrate the point and that’s what this video from Adam Ruins Everything does with healthcare costs:

Not exactly a Fun Friday video like we usually do, but kind of. The saddest part of this video though is near the end when she asks what can be done to fix the problem and he says nothing. Rolling back healthcare costs is the real issue with healthcare today and there are a lot of entrenched interests that want nothing to do with it.

Machine Learning, Data Science, AI, Deep Learning, and Statistics – It’s All So Confusing

Posted on November 30, 2017 | Written By John Lynn

It seems like these days every healthcare IT company out there is saying they’re doing machine learning, AI, deep learning, etc. So many companies are using these terms that they’ve started to lose meaning. The problem is that people are using these labels regardless of whether they really apply. Plus, we all have different definitions for these terms.

As I search to understand the differences myself, I found this great tweet from Ronald van Loon that looks at this world and tries to better define it:

In that tweet, Ronald also links to an article that looks at some of the differences. I liked this part he took from Quora:

  • AI (Artificial intelligence) is a subfield of computer science, that was created in the 1960s, and it was (is) concerned with solving tasks that are easy for humans, but hard for computers. In particular, a so-called Strong AI would be a system that can do anything a human can (perhaps without purely physical things). This is fairly generic, and includes all kinds of tasks, such as planning, moving around in the world, recognizing objects and sounds, speaking, translating, performing social or business transactions, creative work (making art or poetry), etc.
  • Machine learning is concerned with one aspect of this: given some AI problem that can be described in discrete terms (e.g. out of a particular set of actions, which one is the right one), and given a lot of information about the world, figure out what is the “correct” action, without having the programmer program it in. Typically some outside process is needed to judge whether the action was correct or not. In mathematical terms, it’s a function: you feed in some input, and you want it to produce the right output, so the whole problem is simply to build a model of this mathematical function in some automatic way. To draw a distinction with AI, if I can write a very clever program that has human-like behavior, it can be AI, but unless its parameters are automatically learned from data, it’s not machine learning.
  • Deep learning is one kind of machine learning that’s very popular now. It involves a particular kind of mathematical model that can be thought of as a composition of simple blocks (function composition) of a certain type, and where some of these blocks can be adjusted to better predict the final outcome.

Is that clear for you now? Would you suggest different definitions? Where do you see people using these terms correctly and where do you see them using them incorrectly?

The Present Bias Problem with Medication Adherence

Posted on November 29, 2017 | Written By John Lynn

I recently met Matthew Loper, the founder of a startup company called Wellth. The company is using behavioral economics to improve healthcare outcomes. They’re literally paying patients cold hard cash to take their medications. Plus, they have some pretty cool technology that uses just the smart phone to track medication adherence.

I must admit that I’ve seen hundreds of medication compliance companies over the years. While the approach each took was intriguing, all of them seemed to have some major obstacle to adoption. Some were too expensive. Some would never be adopted by patients. Some would never be adopted by healthcare providers, etc.

With this in mind, I was intrigued by a few slides that Matthew Loper from Wellth showed me about the medication adherence market and why the startups in that space have had limited success to date. First, he started off with this slide which illustrated the problem:

I’m not sure I agree totally with the concept of chronic patients not doing what’s rational. Instead, I think this slide illustrates that many chronic patients make short term versus long term decisions when it comes to their care. No doubt these short term decisions are very rational decisions in their minds. However, this data illustrates the Present Bias problem we have with medication adherence.

Matthew’s next slide illustrated really well how most current medication adherence solutions don’t solve the present bias problem:

I thought this slide categorized the medication adherence companies I’ve seen really well. It also explains why most of them aren’t very effective. Then, Matthew went on to suggest that paying patients to adhere to their care plan does overcome the Present Bias challenge:

You can talk with Wellth if you want to get more details on their work and the results of their pilots. It’s still early in their journey, but the concept seems to be producing some quality results. Plus, I love their efforts to use the cash incentive long enough to create a habit which then is sustained well after the payments stop. Pretty fascinating approach.

No doubt there are a lot more complexities associated with medication adherence. For example, this approach doesn’t take into account people who aren’t motivated by money. However, it’s surprising how even rich people want to get a good deal. It will also take some time to see how much money is required to truly motivate someone to be compliant and whether that cost is less than the amount of money saved. Not to mention, how do you even quantify how much money was saved when someone is more adherent to their care plan?

These challenges aren’t unique to Wellth, but apply to every healthcare IT solution working on this problem. It’s also why many of them have a hard time making the case for their solution. Turns out that purchasers of these solutions have a present bias problem as well. However, as more studies are done and as we get better at tracking a patient’s health, we’ll be better able to understand the long term benefits of things like medication adherence.

What do you think of Wellth’s approach to medication adherence? Should we be paying patients when they adhere to their care plan?

Using Technology to Fight EHR Burnout – #HITsm Chat Topic

Posted on November 28, 2017 | Written By John Lynn

We’re excited to share the topic and questions for this week’s #HITsm chat happening Friday, 12/1 at Noon ET (9 AM PT). This week’s chat will be hosted by Gabe Charbonneau, MD (@gabrieldane) on the topic of “Using Technology to Fight EHR Burnout.”

We live in confusing times. The marriage of technology and medicine is on the cusp of game changing breakthroughs. There is so much promise with deep learning/AI, big data, and the exponential growth in processing speed and storage, just to name a few. So, how is it that we are yet to get out of the dark ages when it comes to the EHR?

Physician burnout is a real problem. It seems like there is a new article put out weekly on the topic. Study after study points fingers of blame at the EHR. The pain from data entry and systems that don’t flow for clinicians is at an all time high. “Too many clicks”, and too many docs spending “pajama time” charting at home.

It has to get better.

While tech has been identified as a top contributor to the problem, it also has the potential to be a huge part of the solution.

Join us as we dive into this topic during this week’s #HITsm chat using the following questions.

Topics for This Week’s #HITsm Chat:

T1: Why is the EHR such a major driver of burnout in medicine? We’ve heard the common answers of “too many clicks” and increased clerical burden, but what else? Let’s dig deeper. #hitsm

T2: Who is happiest with their EHR and why? What can we learn from them? #hitsm

T3: What current technologies are the best for reducing EHR burnout? #hitsm

T4: What is the most exciting emerging technology for decreasing EHR burnout? #hitsm

T5: When should we expect to see the first wave of major improvements in EHR user experience for clinicians? What will it look like? #hitsm

Bonus: How can we take steps today to start moving the burnout needle in the right direction? #HITsm

Upcoming #HITsm Chat Schedule
12/8 – EHR, Patient Portals and OpenNotes: Making OpenNotes Work Well
Hosted by Homer Chin (@chinhom) and Amy Fellows (@afellowsamy) from @MyOpenNotes

12/15 – What’s holding HealthIT from soaring to the Cloud?
Hosted by David Fuller (@genkidave)

12/22 – Holiday Break

12/29 – Holiday Break

We look forward to learning from the #HITsm community! As always, let us know if you’d like to host a future #HITsm chat or if you know someone you think we should invite to host.

If you’re searching for the latest #HITsm chat, you can always find the latest #HITsm chat and schedule of chats here.

Vanderbilt Disputes Suggestion That Larger Hospitals’ Data Is Less Secure

Posted on November 27, 2017 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

Ordinarily, disputes over whose data security is better are a bit of a snoozer for me. After all, if you’re not a security expert, much of it will fly right over your head, and that “non-expert” group definitely includes me. But in this case, I think the story is worth a closer look, as the study in question seems to include some questionable assumptions.

In this case, the flap began in June, when a group of researchers published a study in JAMA Internal Medicine which laid out an analysis of HHS statistics on data breaches reported between late 2009 and 2016. In short, the analysis concluded that teaching hospitals and facilities with high bed counts were most at risk for breaches.

Not surprisingly, the study’s conclusions didn’t please everyone, particularly the teaching and high-bed-count hospitals falling into its most risky category. In fact, one teaching hospital’s researchers decided to strike back with a letter questioning the study’s methods.

In a letter to the journal editor, a group from Nashville-based Vanderbilt University suggested that the study methods might hold “inherent biases” against larger institutions. Since HHS only requires healthcare facilities to notify the agency after detecting a PHI breach affecting 500 or more patients, smaller, targeted attacks might fall under its radar, they argued.

In response, the authors behind the original study admitted that with the reporting level for PHI intrusions starting at 500 patients, larger hospitals were likely to show up in the analysis more often. That being said, the researchers suggested, large hospitals could easily be a more appealing target for cybercriminals because they possess “a significant amount of protected health information.”
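The reporting-threshold bias that Vanderbilt raised is easy to see with a small constructed simulation. The block below is an added example, not part of the original post and not drawn from the JAMA study or HHS data: the hospital names and record counts are invented, and every institution is given the identical set of five incidents, each exposing the same share of its patient population, so the only thing that differs between them is size. Counting only incidents at or above the 500-patient threshold still makes the largest institution look like it suffers the most breaches.

```python
"""Constructed simulation of reporting-threshold selection bias.

Hospitals, record counts and exposure fractions are invented for
illustration; they are not real institutions or real breach data.
"""

# Reporting threshold discussed in the post: HHS must be notified only
# for breaches affecting 500 or more individuals.
THRESHOLD = 500

# Constructed institutions: name -> number of patient records held.
HOSPITALS = {
    "small_clinic": 2_000,
    "community_hospital": 20_000,
    "teaching_hospital": 400_000,
}

# Constructed incident profile, identical for every institution: each
# hospital suffers exactly five incidents, exposing these fractions of
# its patient population. Per-hospital risk is therefore equal by design.
EXPOSURE_FRACTIONS = [0.001, 0.005, 0.02, 0.05, 0.30]


def incident_sizes(records):
    """Number of individuals affected by each of the five incidents."""
    return [round(records * f) for f in EXPOSURE_FRACTIONS]


def reportable(sizes, threshold=THRESHOLD):
    """Incidents that would appear in a threshold-filtered breach dataset."""
    return [s for s in sizes if s >= threshold]


def true_counts(hospitals=HOSPITALS):
    """Actual incidents per hospital (what a complete record would show)."""
    return {name: len(incident_sizes(r)) for name, r in hospitals.items()}


def reported_counts(hospitals=HOSPITALS, threshold=THRESHOLD):
    """Incidents per hospital that survive the reporting threshold."""
    return {
        name: len(reportable(incident_sizes(r), threshold))
        for name, r in hospitals.items()
    }


def reported_share(hospitals=HOSPITALS, threshold=THRESHOLD):
    """Each hospital's share of all reported incidents, the quantity an
    analysis of the filtered dataset would actually be ranking."""
    counts = reported_counts(hospitals, threshold)
    total = sum(counts.values())
    return {name: n / total for name, n in counts.items()}


if __name__ == "__main__":
    print("true incidents:    ", true_counts())
    print("reported (>=500):  ", reported_counts())
    print("reported share:    ", {k: round(v, 2) for k, v in reported_share().items()})
    # Lowering the threshold to 1 models the fuller reporting the post
    # argues for; the apparent size effect disappears.
    print("reported (>=1):    ", reported_counts(threshold=1))
```

Run as a script it prints that all three hospitals suffered five incidents, yet only one, two and four respectively clear the 500-patient bar, so the teaching hospital accounts for more than half of the "reported" breaches despite having the same incident rate as the clinic. Calling `reported_counts(threshold=1)` shows what a more detailed HHS dataset would reveal: identical counts across sizes. The simulation does not settle whether large hospitals are also more attractive targets; it only shows that the filtered data cannot distinguish that hypothesis from pure size bias.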

Now, I want to repeat that I’m an analyst, not a cybersecurity expert. Still, even given my limited knowledge of data security research, the JAMA study raises some questions for me, and the researchers’ response to Vanderbilt’s challenge even more so.

Okay, sure, the researchers behind the original JAMA piece admitted that the HHS 500-patient threshold for reporting PHI intrusions skewed the data. Fair enough. But then they started to, in my view at least, wander off the reservation.

Simply saying that teaching hospitals and hospitals with more beds were more susceptible to data breaches simply because they offer big targets strikes me as irresponsible. You can’t always predict who is going to get robbed by how valuable the property is, and that includes when data is the property. (On a related note, did you know that older Toyotas are far more likely to get stolen than BMWs because it’s easier to resell the parts? When I read about that trend in Consumer Reports it blew my mind.)

Actually, the anecdotes I’ve heard suggest that the car analogy holds true for data assets — that your average, everyday cyber thief would rather steal data from a smaller, poorly-guarded healthcare organization than go up against the big guns that might be part of large hospitals’ security armament.

If nothing else, this little dispute strongly suggests that HHS should collect more detailed data breach information. (Yes, smaller health organizations aren’t going to like this, but let’s deal with those concerns in a different article.) Bottom line, if we’re going to look for data breach trends, we need to know a lot more than we do right now.