
The Fundamental Challenge of ACOs

Posted on March 31, 2014 | Written By

Kyle is CoFounder and CEO of Pristine, a VC backed company based in Austin, TX that builds software for Google Glass for healthcare, life sciences, and industrial environments. Pristine has over 30 healthcare customers. Kyle blogs regularly about business, entrepreneurship, technology, and healthcare at kylesamani.com.

I’ve been openly bullish on ACOs and capitated payment models. The only way to achieve the triple aim – quality, cost and access – is to create a system that is structurally incentivized towards those ends. The fee-for-service model will never be structured in a way that incentivizes the triple aim. On the other hand, ACOs do.

Early ACO data is mixed. Although some organizations succeeded in lowering costs and improving outcomes, about 1/3 dropped out of the ACO program entirely, and another 1/3 reported no significant cost or quality changes. Only 1/3 were “successful.”

Why? Why did some organizations succeed where others failed? What did each organization do differently? It’s been proven that some organizations can succeed under this model. But not everyone.

ACOs are disruptive to fee-for-service payment models. ACOs invert incentives. They invert how every employee should think about their job in the context of the larger care delivery system. In ACOs, healthcare professionals are implicitly asked to think about preventative care, which tends to lead towards both cost and quality improvements. On the other hand, in a fee-for-service model, healthcare professionals are only incentivized to treat the patient in front of them with no regard for prevention or cost.

When the board of directors of a given organization recognizes the need to change the course of a business, the board usually replaces the CEO. After a new strategy is devised, the new CEO typically replaces most of the executives and lays off a significant number of the existing staff. This accomplishes a few things:

1) reduces the burn, making the organization leaner and more capable of pivoting
2) replaces lots of senior and middle management, who were trained and wired around the old business model, and who may conspire against the new model if they don’t believe in it
3) sends a signal to the remaining staff that management is serious about change

Although this plan doesn’t guarantee success, it’s fairly common in large organizations because it can create impetus to break from the inertia of the status quo. The only thing worse than going after the wrong business model is maintaining one that’s failing.

This of course begs the question, how are providers adopting ACOs? Management at provider organizations that have adopted the ACOs are early adopters. They are pioneers. They are leaders. They can see a new, better, ACO-based future. The last thing management at these organizations is going to do is fire themselves after deciding to transition to an ACO.

In light of the above, I am particularly impressed by the early success of the ACO program. Only 1/3 dropped out. Given the fundamental change at hand, I would consider the early data a harbinger of better changes to come. I suspect that almost all of the remaining ACOs will see more significant improvements in years 2 and 3 as they mature and refine processes around value.

You might be an #HITNerd If…

Posted on March 30, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

You might be an #HITNerd If…

you know that blue button is not a funny ICD-10 code.

Find all our #HITNerd references on: EMR and EHR & EMR and HIPAA.

NEW: Check out the #HITNerd store to purchase an #HITNerd t-shirt or cell phone case.

Note: Much like Jeff Foxworthy is a redneck, I’m well aware that I’m an #HITNerd.

My Optimism for Healthcare IT – #DoMoreHIT

Posted on March 28, 2014 | Written By John Lynn

As I posted about previously, I took part in the Dell Healthcare Think Tank event last week. This was my second year participating in the event, and I thoroughly enjoyed the stimulating discussion. In many ways it makes me wish that there was a health IT conference that was 2 days of stimulating discussion like we had, but with a larger mix of people. Would be a great experience.

At the end of the event, we were asked to summarize our thoughts about the event and where we were headed with healthcare IT. Here’s the video of my response:

Sometimes it’s easy to get bogged down in the meaningful use or ICD-10 mire (especially given all the ICD-10 delay talk). That’s natural since they are important issues. However, as I say in the video, I think we’re just getting started when it comes to the impact for good that IT will have on healthcare. Sure we have challenges, but the opportunities and potential are much greater than the challenges.

If you missed the live stream of the event, you can watch the recording here. Also, they had an artist capturing the event as we talked.

To ICD-10 Delay or Not To ICD-10 Delay

Posted on March 27, 2014 | Written By John Lynn

UPDATE: It looks like this bill has passed the House with a voice vote. I believe it still needs to be passed by Congress and not be vetoed by the President.

UPDATE 2: Late on 3/31/14, the Senate passed the bill which delays ICD-10 by a vote of 64 – 35. Barring a veto from the President, the bill will go forth and the ICD-10 implementation date will be moved to October 1, 2015. All of the discussion for the bill was around the SGR fix with no conversation around the ICD-10 delay. It’s unlikely that the President would even consider a veto of this bill.

We’d already stoked the ICD-10 delay fires in Kyle Samani’s post on “Why ICD-10?” before the news came out yesterday that a one year ICD-10 delay was put in an SGR bill. Word on the street was that the bill would be put up for a vote today. However, I hear now that the vote on the bill is going to be delayed at least until tomorrow.

The reports are saying that this bill was developed by John Boehner and Harry Reid which likely means they have enough votes to make it a reality. I read that Nancy Pelosi said on CSPAN that the bill wasn’t perfect, but needed to be passed. My only question is whether the delay in voting is because they’re still trying to cull votes for the bill or something else.

As I suggested in my post linked above, my guess is that Congress is hearing from both those for delaying ICD-10 and those who oppose delaying ICD-10. I bet they consider the response a wash and so it won’t sway them either way. Plus, I bet that most in Congress are only talking about the SGR portion of the bill without much discussion on the ICD-10 delay.

This decision is going to cut many people. Let me share a few of the comments I’ve read.

First, from the LinkedIn AHIMA group, here’s a coder perspective on the delay:

I think of the coder who is a single mom struggling from paycheck to paycheck who had to spend $500 (or more) to take a course and another $60 on the proficiency exam, spent time away from caring for her family to prepare for the implementation only to have the rug pulled right from under her. The $560 is likely her discretionary income for the month. Who is thinking of her?

Don’t tell us there will absolutely be NO delays, allow us to spend our hard-earned money to prepare, and then say “just kidding – we are going to tease you with another year – make you spend more money – promise no delays – then change our mind again!” “Oh, and the check is in the mail.” Yes ladies and gentlemen, this is our government working “for the people.” And I ask, why does Congress even care about ICD-10? Do they even have a clue what they are voting for or against? They are trying to quietly slip it into a bill so that no one notices. I could be wrong, but it sounds like the work of a single lobbyist and Senator/Congressman. I would like to know the name of the person who put that language into the bill. Democracy at its finest!

Now a perspective that is likely shared by the thousands of ill-prepared practices and hospitals (although, my guess is that it was their larger organizations that lobbied for it, not the individual practices and hospitals that aren’t prepared):

As bad an idea as it is, a majority of practices, and a significant number of hospitals, health systems and other providers are, or feel, very un-prepared for the transition, and so have lobbied for delay. D.C. insiders say it’s a done deal.

On the other side are the prepared health IT vendors who think that a delay is letting the ill-prepared off the hook. One EHR vendor sent me an email with this message:

This really is a pain to a vendor like us that is all ready to launch and take good care of our clients with ICD-10. Everything we programmed came out great and we are ready to go.

This feeling doesn’t just apply to health IT vendors that have procrastinated, but to all the procrastinators:

Why prolong the inevitable, again? The procrastinators should be penalized, not the rest of us who’ve been preparing for it.

What we all want most is certainty. HHS came out with certainty during HIMSS when they said that there would be no more delays with ICD-10. Unfortunately, HHS doesn’t control Congress.

I’ve been reading a lot of reports that a delay in ICD-10 would cost billions of dollars. I’m not sure I trust those numbers, but it’s no surprise that those numbers don’t take into account the impact and cost of ICD-10 being implemented. Personally, I see costs in ICD-10 going forward and costs in ICD-10 being delayed. I’m not sure we can quantify either number accurately.

Obviously, this is a fast moving story, so I’ll update this post with any updates as I get them. Feel free to leave comments with updates as well.

Surviving 2014: The Toughest Year in Healthcare

Posted on March 26, 2014 | Written By

The following is a guest blog post by Ben Quirk, CEO of Quirk Healthcare Solutions.
How bad is 2014 for the healthcare industry? We’ve all read about ICD-10, EHR incentives, Medicare cuts, and the Affordable Care Act. But the most telling moment for me occurred during this year’s HIMSS conference in Orlando. There was quite a bit of B2B enthusiasm, but among the civilians it was mostly a lot of stunned looks and talk about how to get through the year. Here are some of my observations:

ICD-10. CMS has made it abundantly clear there will be no further delays to the October 1 deadline for ICD-10 implementation. This is possibly the most significant change to the healthcare industry in 35 years, affecting claims payment/billing systems, clearinghouses, and private and public software applications. Anyone who provides or receives healthcare in the US will be touched by this in some way.

In a recent poll of healthcare providers conducted by KPMG, less than half of the respondents said they had performed basic testing on ICD-10, and only a third had completed comprehensive tests. Moreover, about 3 out of 4 said they did not plan to conduct tests of any kind with entities outside their organizations.

Incorrect claims denial will be the most likely result. CMS will not process ICD-9 Medicare/Medicaid claims after October 1, and there is a high potential for faulty ICD-10 coding or bad mapping to ICD-9 codes. Error rates of 6 to 10 percent are anticipated, compared to an average of 3 percent under ICD-9. ICD-10 will result in a 100 to 200 percent increase in denial rates, with a related increase in receivable days of 20 to 40 percent. Cash flow problems could extend up to two years following implementation. This will be a costly issue for providers, and a very visible issue for patients.

We advise our clients to be proactive in their financial planning. This should include preparation for delayed claims adjudication and payments, adjustments to cash reserves, or even arranging for a new/increased line of credit. Having sufficient cash on hand to cover overhead during the final quarter of 2014 could be very important, as could future reserves to cover up to six months of payment delays. Companies not in a position to set aside reserves should consider working with lenders now before any issues arise.

Meaningful Use. As with ICD-10, CMS has stated there will be no delays to MU deadlines in 2014. That means providers who have never attested must do so by September 30, or else be subject to penalties in the form of Medicare payment adjustments starting in 2015. Providers who have attested in the past will have a bit longer (until December 31), but the penalties are the same.

There is much dissatisfaction with the government’s “all or nothing” approach to MU, where even the slightest misstep can invalidate an otherwise accurate attestation. While the ONC has proposed a more lenient model for EHR certification in coming years, everything will be measured against a hard deadline in 2014.  CMS is offering some mitigation through hardship exemptions, based on rules that are somewhat broad at this point. Providers should consider applying for an exemption if no other options are available.

We advise against taking shortcuts or rushing to beat the clock on MU. Up to ten percent of eligible professionals and hospitals will be subject to audit, and large hospitals may have millions of dollars at stake. Being prepared for an audit means more than just making sure an attestation is iron-clad; internal workflow and communication are also important. A mishandled audit notification can result in a late response and automatic failure.  Data security should also not be overlooked. Medical groups have failed audits due to lapsed security risk assessments as required under HIPAA.

Medicare Payment Cuts. Medicare Sustainable Growth Rate (SGR) cuts continue to hover over Medicare providers. Enacted by Congress in 1997, the SGR was intended to control costs by cutting reimbursements to providers based on prior year expenditures. But every year costs continue to rise, as do ever-worse SGR cuts (almost 24% in 2015). And every year Congress prevents the cuts via so-called “doc fix” legislation.

In early 2014 there was surprising bi-partisan agreement on a permanent doc fix, whereby Medicare reimbursements would be based on quality measures rather than overall expenditures. However, the legislation was derailed by linking it to a delay of the ACA’s individual mandate. As of mid-March there is still no permanent or temporary solution. Congress will almost certainly intervene to prevent SGR cuts, but by how much is uncertain.

The ACA. As the cost of insurance has increased over the past decade, high-deductible plans have become more and more common. Due to the Affordable Care Act, this trend has become the norm. Media outlets focus on the impact to consumers, and argue about whether more “skin in the game” leads to better choices or less care. What we’re hearing from the front lines is much more concrete: high deductibles are having a negative impact on revenues.

Very few people understand their liabilities under a typical health insurance plan. Last year George Loewenstein, a health-care economist with Carnegie Mellon University, published a survey showing that only 14 percent of respondents understood the basics of traditional insurance policies. At the same time, hospitals report that about 25 percent of bad debt originates from patients who are currently insured. With millions of new enrollees in high-deductible plans and an ongoing economic slump, the situation can only get worse.

The ACA had a further impact by reducing the amount of Disproportionate Share Hospital (DSH) charity funds available, based on a projected increase in insurance coverage.  But with some states not participating in Medicaid expansion, combined with an increase in patients lacking the knowledge or resources to manage large medical expenditures, the reduction in funds comes at exactly the wrong time.

Providers can cope by adjusting revenue cycle processes. For example, new programs should focus on estimating patient liabilities pre-arrival, educating the patient at check-in, and instituting proactive billing/collection at the point of service. In general, providers must pay more attention to the self-pay process, focusing on patient education and offering transparent, easy-to-use billing and payment methods.

Value Modifier. This program has not been a worry for most providers thus far. Not because it won’t have an impact on revenue, but because they don’t know about it. A little-known provision of the ACA, the Value-Based Payment Modifier mandates adjustments to Medicare reimbursement based on quality and cost measures. The program is being phased in, and so far has applied only to group practices of 100 or more Eligible Professionals (EPs). In 2014, smaller groups of 10 or more EPs will be subject to the legislation. These groups must apply and report to the program by October 1. Otherwise, they will be subject to a 2 percent cut in Medicare reimbursements starting in 2016.

One of the most important aspects of the program is its definition of “eligible professional” when defining the size of a group practice. For the purposes of Value Modifier, eligible professionals include not only physicians but also practitioners and therapists. That means that a practice with 8 physicians, a nurse practitioner, and a physical therapist would qualify as a practice with 10 EPs.

Value Modifier is part of the growing trend toward quality-based reimbursement. Even commercial payers are considering some version of the program. The scoring calculations are complex and poorly understood, so we advise clients to get up-to-speed as soon as possible. Groups with high quality and low cost will receive incentives rather than cuts, with additional upward adjustment for services to high-risk beneficiaries. Groups that are not paying attention may be surprised by an additional hit to revenue in 2016. In addition, quality scores will eventually be published to the general public on the Medicare.gov Physician Compare website.  Sub-par or missing scores could have a negative financial impact on a practice.

Conclusion

These are only the most high-profile impacts to the healthcare industry during the current year. Much else flows from them: changes to workflow, to computer systems, to financial expectations. Tremendous pressures are coming to bear within a limited timeframe.  We’re seeing an industry in the midst of tectonic change, with 2014 as the fault line. It’s unclear whether these disruptions will be for better or worse. But there certainly will be winners and losers, and those who plan ahead are most likely to survive.

______________________

Ben Quirk is CEO of Quirk Healthcare Solutions, a consulting firm specializing in EHR strategic management, workflow optimization, systems development, and training. The company’s clients have enjoyed remarkable success, including award of the Medicare Advantage 5-star rating. Quirk Healthcare presents a weekly webinar series, Insights, to inform clients and the general public about government programs and industry trends. Mr. Quirk is also Executive Director of the Quirk Healthcare Foundation, a learning institution which fosters innovation in the healthcare industry.

ICD-10 – Is Everyone Ready? – ICD-10 Tuesdays

Posted on March 25, 2014 | Written By John Lynn

The following is a guest post by Barry Haitoff, CEO of Medical Management Corporation of America.
One of the biggest challenges to revenue a practice will face in 2014 is the move to ICD-10 on October 1, 2014. One of the biggest challenges with ICD-10 is that it impacts the entire healthcare ecosystem. This means that revenue flow could be impacted if any one part of the healthcare billing continuum isn’t ready.

The first key step every organization can take to prepare for the switch to ICD-10 is to do an audit of which systems, people, and processes will be impacted by the change. Second, you should evaluate the ICD-10 readiness of each system, person, and process. Finally, you should make a plan for how you’ll ensure that each piece of the puzzle is ready for ICD-10.

Here’s a quick look at some of the places you’ll want to look when doing an audit of your ICD-10 readiness:

EHR Software
This is an obvious one. We all know that the EHR vendor needs to be ready for ICD-10. However, as John posted previously in “Is Your EHR Ready for ICD-10, Not Just Say They’re Ready?”, it’s really easy for an EHR vendor to say they’ll be ready for ICD-10. At the core of being ready for ICD-10 is just being able to use a new code. Every EHR vendor will be able to enter the new code. Instead of asking if they are ready for ICD-10, you should ask your EHR vendor what interface they’ve created for you to be able to find the ICD-10 codes. You’ll want to get in and test this new interface for finding codes well before the ICD-10 deadline so they can make any changes to the software.

Providers
Every doctor I know understands that they’re going to have to be ready for ICD-10. They’ve heard about the expanded set of codes and how finding the right code is likely going to take extra time. What many doctors haven’t realized yet is that with increased coding specificity, the doctor’s documentation is going to have to change as well. Coding 101 is that the coding has to match the documentation. This will require every doctor to change the way they document their visit even if it’s only a small change.

Billing Software
This is another obvious one and many of the lessons mentioned above about EHR software apply to billing software. However, you’ll definitely want to make sure that your billing software is ready for ICD-10. Can you imagine the impact to your organization if they’re not ready? You might not think this is possible, but I’ve heard some billing software already announce that they’re not planning to revise their software for ICD-10.

Billers and Coders
This is the group that seems most prepared for ICD-10. Most people realize that the coders or billers in their organization need to be ready for ICD-10. Unfortunately for many organizations, that’s where they think all the ICD-10 preparation needs to happen. As this list shows, they are so wrong. However, if you haven’t invested in getting your billers and coders ready for ICD-10, then you better start doing so now. In some cases you may have an older coder that chooses to retire instead of learning ICD-10. Make sure you learn if this is the case now instead of October 1st.

Billing Company
It’s really hard to imagine a billing company not being ready for ICD-10. It’s a basic fundamental of them being a business. If they can’t do ICD-10 they’ll be out of business. However, it makes sense for you to check with them to see what they’ve done to prepare for ICD-10. You’re their customer and it never hurts to hold them accountable. If they don’t thank you up front, they’ll thank you on October 1st when they’re ready for the change.

Labs and Radiology
You’d think that these wouldn’t be that big of an issue since we’re just talking about a new code that gets sent to the lab or radiology. However, if they’re not expecting ICD-10 codes, your patients could run into issues. Plus, many of you have interfaces which send this information automatically. You’ll want to make sure that these interfaces can handle the new codes as well.

Payors
This is probably the most important one and also one of the most challenging. It is the most important, because if they’re not ready for ICD-10 that could mean that you stop getting paid. In many organizations, a hit to their cash flow could have serious ramifications. My guess is that some of you don’t think that this could ever really happen. I assure you that it could happen. Certainly they’ll eventually fix whatever issues they have and they’ll get rolling with ICD-10. Although, will it take them a week, a month, a couple months, to fix whatever issues they may be experiencing? Can you handle not getting paid for a week, month, or multiple months? The challenge is that there’s no simple way for you to know if the payors are indeed ready for ICD-10. The best advice I can offer is a famous statement, “The squeaky wheel gets greased.” Don’t be afraid to make some noise to make sure they’re ready.

Hospitals and HIE
Many vendors are starting to build interfaces with their hospital or an outside HIE (Health Information Exchange). If you have one of these interfaces, you’ll want to make sure that it can support the new ICD-10 codes. Don’t forget to check and test both sides of the interface for their ICD-10 readiness.

Other ICD-10 Readiness Advice
When assessing the readiness of the various entities listed above (and you will likely have others), it’s important that you ask the right questions to make sure you get the right answers. Much like when you’re evaluating between EHR vendors, you want to avoid asking Yes/No questions. For example, if you ask your EHR vendor, “Are you ready for ICD-10?” then you will quickly get a response of Yes. If instead you ask, “What have you done to get ready for ICD-10?” you will get a much more informative answer that helps you understand their true ICD-10 readiness.

Also, when doing your assessment of their readiness, don’t forget to also verify that they can handle ICD-9 for those situations where an organization still hasn’t moved to ICD-10. Yes, it’s crazy that some government organizations aren’t moving to ICD-10. However, it’s the stark reality, so make sure that when needed you can still support ICD-9 as well.

In all of this, there’s a challenging balance between doing your training too early or too late. If you train your doctors on ICD-10 too early, then they’re likely to forget it by the time October 1st rolls around. However, if you wait until the ICD-10 deadline approaches, the resources for ICD-10 won’t be available. Can you imagine what it will be like to try and hire an ICD-10 coder or ICD-10 trainer in September?

Medical Management Corporation of America, a leading provider of medical billing services, is a proud sponsor of EMR and HIPAA.

Why Everyone Better Learn About ACOs

Posted on March 24, 2014 | Written By John Lynn

While I wasn’t working in healthcare at the time, I’ve heard a number of doctors say that doctors missed out on being part of the HMO process. Their voice wasn’t part of the process and they suffered as a consequence of that decision. As I consider that idea, I wonder if doctors aren’t in the same position again with ACOs.

I was reminded of this as I was reading through this whitepaper called ACO & Collaborative Care – The Basics. The whitepaper digs into a number of good ACO discussions, but I was struck by one of the opening phrases:

Health reform IS REAL and NOT GOING away.

That struck me, because I think many doctors are just hoping that this shift to ACOs and value based reimbursement will just go away. Certainly some of this hope is founded since ACO is such a nebulous concept and we’re not sure how it’s going to be implemented. However, just because a concept isn’t totally defined doesn’t mean that it’s not going to be the future of healthcare. I assure you that this shift in reimbursement isn’t going anywhere.

The fact that ACO is a nebulous concept is exactly why doctors should get involved in the process of defining an ACO. When there’s uncertainty, there’s opportunity. The question is whether the opportunity is going to be taken by doctors or by someone else. Ideally all parties will be involved and there will be a give and take. However, I think currently physician voices are underrepresented and they’ll suffer for it.

One other thing that the ACO & Collaborative Care – The Basics whitepaper points out nicely is that you can’t just go out and buy an ACO. There’s no off the shelf ACO solution that will solve your problems. It’s not a software. It’s not a program. It’s not an organization. It’s likely going to include all of those things and that means that it takes some planning, coordination and collaboration. You’re not going to be ready for it if you’re not part of the ACO conversation.

EHR Adaptation, Film to Digital, and Box

Posted on March 23, 2014 | Written By John Lynn


I agree completely that patient expectations are changing. I think we’re going to see a dramatic shift in the patient experience. What I’m not as sure about is whether the EHR will be the one to meet those changing expectations. EHR software is distracted with other things and they’re not well positioned to handle the change.


I’m not sure I’d really classify this as a pivot. I think Viztek is doing pretty well with their PACS. They’re not going to stop doing that anytime soon. It is an interesting diversification for the company. Although, I was more intrigued to think about what we could learn from the PACS experience going from film to digital. We need more people writing about those learnings.


Those are two big powerhouses that Box brought on board. I’d heard a lot about Box and its efforts in healthcare. This illustrates how important healthcare is to Box’s future.

Why HIPAA isn’t Enough to Keep Patient Data Secure

Posted on March 21, 2014 | Written By

The following is a guest blog post by Takeshi Suganuma, Senior Director of Security at Proficio.
Just meeting minimum HIPAA safeguards is not enough to keep patient data secure. This should come as no surprise when you consider that HIPAA was developed as a general framework to protect PHI for organizations ranging from small medical practices to very large healthcare providers and payers. After all, one size seldom fits all.

While HIPAA is a general, prescriptive framework for security controls and procedures, HIPAA disclosure rules and penalties are very specific and have increased impact as a result of the Omnibus Final Rule enacted last year. The CIOs and CSOs we talk to are not willing to risk their organization’s reputation by just implementing the minimum HIPAA safeguards.

The collection, analysis, and monitoring of security events is a prime example of where medium to large-sized organizations must do much more than just record and examine activity as prescribed by HIPAA.

The challenge to effectively monitor and prioritize security alerts is exacerbated by the changing security threat landscape. Unlike the visible incursions of the past, new attacks employ slow and low strategies. Attackers are often able to systematically pinpoint security weaknesses and then cover all traces of their presence as they move on to penetrate other critical IT assets.

Hackers are using multiple attack vectors including exploiting vulnerabilities in medical devices and printers. Networked medical devices represent a significant security challenge for hospitals, because their IT teams cannot upgrade the underlying operating system embedded into these devices. Many medical devices using older versions of Windows and Linux have known security vulnerabilities and are at risk of malware contamination.

Insider threats comprise a significant risk for healthcare organizations. Examples of insider threats include employees who inappropriately access the medical records, consultants who unintentionally breach an organization’s confidentiality, and disgruntled employees seeking to harm their employer. Insider activity can be much more difficult to pinpoint than conventional external activity as insiders have more privileges than an external attacker. Security event monitoring and advanced correlation techniques are needed to identify such suspicious behavior. For example, a single event, such as inappropriate access of a VIP’s medical records, might go unnoticed, but when the same person is monitored saving files to a USB drive or exhibiting unusual email activity, these correlated events should trigger a high priority alert.
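The correlation described above can be written as a small rule. This is an added example, not code from the original post or from any SIEM product; the event-type names, the 24-hour window and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, user, event_type)
EVENTS = [
    ("2014-03-21T09:02:00", "jdoe",   "vip_record_access"),
    ("2014-03-21T09:40:00", "asmith", "vip_record_access"),
    ("2014-03-21T10:15:00", "jdoe",   "usb_file_write"),
    ("2014-03-21T10:20:00", "jdoe",   "usb_file_write"),
    ("2014-03-21T11:05:00", "jdoe",   "unusual_email_volume"),
    ("2014-03-25T08:00:00", "asmith", "usb_file_write"),
]

# Hypothetical event-type names and an assumed correlation window.
TRIGGER = "vip_record_access"
FOLLOW_UPS = {"usb_file_write", "unusual_email_volume"}
WINDOW = timedelta(hours=24)


def correlate(events, window=WINDOW):
    """Return one alert per trigger event, raised to 'high' when the same
    user produces a follow-up event type within `window` of the trigger."""
    by_user = defaultdict(list)
    for ts, user, kind in events:
        by_user[user].append((datetime.fromisoformat(ts), kind))

    alerts = []
    for user, items in by_user.items():
        items.sort()
        for t0, kind in items:
            if kind != TRIGGER:
                continue
            # Distinct follow-up types by the same user inside the window.
            related = sorted({k for t, k in items
                              if k in FOLLOW_UPS and t0 <= t <= t0 + window})
            alerts.append({
                "user": user,
                "time": t0.isoformat(),
                "priority": "high" if related else "low",
                "evidence": [TRIGGER] + related,
            })
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The record access by `asmith` stays low priority because the USB write falls outside the window, which shows how the window length decides what gets correlated.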

The volume of security alerts generated in even a mid-size hospital is staggering – tens of millions a day. Without a tool to centrally collect and correlate security events, it is extremely difficult to detect and prioritize threats that could lead to a PHI data breach. Log management and SIEM systems are part of the solution, but these are complex to administer and require regular tweaking to reflect new security and compliance use cases.

Technology alone is just a starting point. Unfortunately, hackers don’t restrict their activities to local business hours, and neither should the teams responsible for the security of their organization. Effective security event monitoring requires technology, process, and people. Many healthcare organizations that lack in-house IT security resources are turning to Managed Security Service Providers (MSSPs) who provide around-the-clock Security Operation Center (SOC) services.

The challenge for today’s security teams, whether internal or outsourced, is to accurately prioritize alerts and provide actionable intelligence that allows a fast and effective response to critical issues. Tomorrow’s goal is to move beyond reporting incidents to anticipating the types of suspicious behaviors and patterns of multi-stage attacks that could lead to data being compromised. Multi-vector event correlation, asset modeling, user profiling, threat intelligence and predictive analytics are among the techniques used to achieve preventive threat detection. The end game is a preemptive defense where real-time analysis of events triggers an automated response to prevent an attack.

The increasing cost of litigation and the loss of reputation that result from an impermissible disclosure of PHI are driving healthcare organizations to build robust security controls and monitor and correlate real-time security events. HIPAA guidelines are a great start, but not enough if CIOs want to sleep easily at night.

Getting Beyond the Health IT Cheerleaders, BS, and Hype Machine

Posted on March 20, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

My friend Shahid is chairing a healthcare IT event series called HealthIMPACT (10% discount for Healthcare Scene readers with the code IMPACT10) and the first one of the year is taking place in Houston on April 3. Given his no-nonsense attitude and low tolerance for hype, it looks like it will be a great place for healthcare technology enthusiasts and buyers to get actionable advice on what’s real, what’s BS, what to buy, what not to buy, and perhaps most importantly, which guidance is worth following. Shahid tells me that the following important topics will be covered at the Houston event:

  • How IT can support the overarching financial, operational, and clinical goals of your organization
  • HIEs in your region and provider participation in them
  • Technologies that support value driven care and population health management
  • Cloud based systems in healthcare
  • Programs that drive patient engagement
  • Leadership strategies that drive innovation
  • Predictive analytics that improve care delivery
  • EHR implementation and meaningful use
  • ICD10 compliance, readiness and physician training

If you’re a buyer of technology, it’s certainly worth attending. If you’re selling technology and want to learn how to reach the buyers or need to talk to buyers directly it’s also worth attending. Shahid’s come up with an interesting “mini focus group” model that allows technology vendors to sit directly with buyers and pick their brains. A very interesting model that’s worth exploring.

Not only are the topics pretty relevant, but he also seems to have been able to convince some pretty well-known speakers to join him:

  • Edward Marx, Senior Vice President and CIO, TEXAS HEALTH RESOURCES
  • George Conklin, Senior Vice President and CIO, CHRISTUS HEALTH
  • Pamela Arora, Vice President & CIO, CHILDREN’S MEDICAL CENTER
  • Theresa Meadows, Senior Vice President and CIO, COOK CHILDREN’S HEALTH CARE SYSTEM
  • Chris Belmont, Vice President & CIO, UT M.D. ANDERSON CANCER CENTER

Register online here and reference code IMPACT10 to receive a 10% discount for being a Healthcare Scene reader.