Bring Your Own EHR (BYOEHR)

Posted on July 23, 2013 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 13 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Nerd Doc recently offered a new term I’d never heard called Bring Your Own EHR (BYOEHR). Here’s the explanation:

As a tech nerd doc, the best advice I can give to CIOs/CMIOs is to find a framework for ambulatory practices that embraces a BYOEHR (Bring your own EHR) in the same vein of BYOD (Bring your own device). What I mean by that is allow provider choice in purchasing and implementing their own EHR while ensuring that a framework is set up for cross communication to interlink records.

This is to fend off the trend to a one size (Epic) fits all approach in which no one is happy. C-level management needs to realize that if users (providers) are not happy, the promises of savings via efficiency simply will not happen.

I think we’re starting to hear more and more examples like this. We saw evidence of this in my previous post called “CIO Reveals Secrets to HIE.” That hospital organization had created an HIE that connected with 36 different EMRs. Think about the effort that was required there. However, that CIO realized that there was a benefit to creating all of those connections. The results have paid off with a highly used HIE.

I’m sure we’ll still see hospitals acquiring practices and forcing an enterprise EHR down their throats for a while. However, don’t be surprised if the cycle goes back to doctors providing independent healthcare on whatever EHR they feel fits them best. Those hospitals that have embraced a BYOEHR approach will be well positioned when this cycle occurs.

A Primer On HIPAA Compliance For BYOD

Posted on June 13, 2013 | Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Here’s a statistic that caught me off guard: according to IDC Healthcare Insights, clinicians on average use 6.4 mobile devices in a day. That stat, courtesy of HIT Consultant, underscores the need for a smart and thorough security policy for clinicians who use their own devices at work.

Increasingly, healthcare organizations are crafting security policies for BYOD, but they vary greatly in how much such devices are allowed to access the hospital network, which hospital applications they can access and which devices can access the Internet, HIT Consultant notes.

However, according to Andrew Shearer, CTO at Care Thread, there are some do’s and don’ts that should be common to all BYOD programs. Here are some thoughts from Shearer.

DO:

Make sure your vendor and its sub-vendors are compliant with the new HIPAA Omnibus requirements

Be aware that under the new rules, HIPAA requirements now extend to business associates of entities that receive protected health information, such as contractors and subcontractors. Also new: not only are vendors to healthcare organizations required to have business associate agreements, but vendors must also hold BAAs with their sub-vendors.

Use two levels of security when users login to enterprise applications

Shearer recommends using Active Directory for the first level, allowing providers to use their hospital login credentials. The second stage, he suggests, is to use a separate PIN for quick access to mobile apps that are in use, and the app should disconnect when it goes idle.

Have the ability to remotely wipe a device if it is missing

This isn’t required by HIPAA, but it’s still an essential part of a strong mobile/BYOD security management program. Be prepared to do anything from deleting data in selected folders to turning the device into a brick (removing all programming or returning it to factory settings).
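The two-level login described above can be sketched as a small session state machine. This is an added example, not code from the original post or from Care Thread: the directory check is passed in as a callable standing in for Active Directory, and the idle limit and PIN retry count are assumed values.

```python
import hashlib, hmac, os, time

IDLE_LIMIT = 120     # assumed value: seconds of inactivity before the app locks
MAX_PIN_TRIES = 3    # assumed value: wrong PINs allowed before full re-login

class MobileSession:
    """Opened by a full directory login; re-opened by PIN after idling."""

    def __init__(self, directory_login, clock=time.monotonic):
        self._directory_login = directory_login  # assumed callable(user, password) -> bool
        self._clock = clock
        self.state = "logged_out"
        self._salt = self._pin_hash = None
        self._last_active, self._bad_pins = 0.0, 0

    def _hash_pin(self, pin):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt, 200_000)

    def _touch(self):
        self.state = "active"
        self._last_active = self._clock()

    def _lock_if_idle(self):
        if self.state == "active" and self._clock() - self._last_active >= IDLE_LIMIT:
            self.state = "locked"

    def login(self, user, password, pin):
        """First level: hospital credentials. Also enrols the quick-access PIN."""
        if not self._directory_login(user, password):
            return False
        self._salt = os.urandom(16)
        self._pin_hash = self._hash_pin(pin)
        self._bad_pins = 0
        self._touch()
        return True

    def unlock(self, pin):
        """Second level: the PIN only re-opens a session that is locked.
        Too many wrong guesses drop the session and force a full login."""
        self._lock_if_idle()
        if self.state != "locked":
            return False
        if hmac.compare_digest(self._hash_pin(pin), self._pin_hash):
            self._bad_pins = 0
            self._touch()
            return True
        self._bad_pins += 1
        if self._bad_pins >= MAX_PIN_TRIES:
            self.state = "logged_out"
            self._salt = self._pin_hash = None
        return False

    def read_record(self, record_id):
        """Data is served only while the session is active."""
        self._lock_if_idle()
        if self.state != "active":
            raise PermissionError(f"session is {self.state}")
        self._touch()
        return f"record {record_id} (fetched from server, not stored locally)"
```

The retry limit matters more than the PIN hash: a short PIN has so few possible values that only the forced return to the full login stops guessing.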

DON’T:

Allow PHI to be written to the mobile device

While it’s very common for clinicians to use mobile messaging apps to share patient information, such sharing is generally not HIPAA-compliant, Shearer notes. In his view, the ideal healthcare communication app should allow access to messages and PHI only when the user is logged in.

Permit integration with insecure file-sharing / hosting services

Cloud-based hosting and file-sharing services like Evernote and Dropbox are very popular, but they’re not HIPAA compliant. To be HIPAA compliant, organizations must use multiple security protocols, including physical security, technical security in PHI storage and user authentication.

Ignore security updates

Make sure you do periodic audits of mobile devices to make sure any that transmit work-related information meet regulatory standards. Also, make sure apps on mobile devices are up to date, as older versions may not meet current security threats.

Telehealth, BYOD Gain Momentum In 2013

Posted on January 4, 2013 | Written By Katherine Rourke

I’ll be honest — I’m always a bit skeptical when I read about health IT trends in a general-interest corporate IT magazine. Ours is such a tricky business that the nuances often escape my brethren in the journalistic field, unless of course they specialize in the health IT business. But in this case, an eWeek piece has delivered some useful information, and even caught me off guard a bit.

The piece contends that BYOD issues and the use of telehealth are likely to shape the year in health IT:

BYOD: Bring-your-own-device problems aren’t unique to healthcare by any means, but they’ve certainly become a particularly high-profile issue in healthcare.

In the piece, eWeek quotes Dennis Schmuland, chief health strategy officer for U.S. Health and Life Sciences at Microsoft, who argues that BYOD costs, including privacy, security and licensing for virtualization of software, are so high that BYOD may actually be costing organizations big money. Good (and interesting) point.

Certainly, healthcare organizations can’t afford to let that keep happening in 2013, and this year, solutions are likely to emerge, Schmuland told the magazine.

Telehealth: While they’re in their early stages right now, telehealth services such as American Well’s Online Care are likely to get a stronger footing this year, the eWeek article suggests.

Lynne Dunbrack, program director of connected health IT strategies at IDC Health Insights, notes that consumers are getting used to having videoconferencing at their fingertips, given the extent to which webcams are now embedded in laptops and video chat on mobile phones.

Now that they’re accustomed to videoconferencing, they’ll soon want to use this capability for telehealth visits with doctors, eWeek reports:

Sending a blood pressure reading and seeing a doctor online could be more convenient than taking off from work, Dunbrack noted.

“If you can just go in and have these quick visits, people would be more apt to make these appointments and keep them, and organizations will start to experiment with these services,” said Dunbrack.

In all candor, I think both Schmuland and Dunbrack are a bit ahead of the market. I doubt that we’ll see a huge expansion of telehealth this year, though there may be some additional uptake. And as for BYOD, I’m not expecting to see any comprehensive solution that providers can affordably adopt this year; after all, trends are still shifting and there are tons of moving parts to consider. But I do think we will see some progress in both areas. All told, the two have offered some useful fodder for thinking about 2013.

BYOD And HIPAA Compliance: Can You Have Both?

Posted on December 7, 2012 | Written By Katherine Rourke

With doctors among the biggest fans of smartphones around, hospitals and medical practices are having to face the reality that Bring Your Own Device is here to stay. The question is, is BYOD so hard to manage that it all but guarantees HIPAA breaches?

On the one hand, BYOD seems to have arrived to stay. According to a recent report by KLAS Research surveying 105 CIOs, IT specialists and physicians, 70 percent said they used mobile devices to access their EMRs. Even this small group was accessing virtually every major enterprise EMR via mobile, reports MobiHealthNews.

But the pressures on hospitals to corral BYOD security gaps are growing.  Hospitals will soon have to provide increased protection of patient health information under Meaningful Use Stage 2.  And the HHS Office of Civil Rights will be doing stepped up HIPAA-compliance audits, which gives hospitals even less leeway than they’d have had otherwise.

Of course, hospitals have been dealing with doctors bringing one device — a laptop — for quite some time. One might think this would have prepared hospitals for dealing with security-hole-ridden portable devices that staff and clinicians bring to work.  But as we all know, laptops have proven to be major sources of security breaches, most typically by being stolen when loaded down with unencrypted data.

BYOD on the mobile side is if anything a riskier proposition.  For one thing, doctors and executive staff are likely to own more than one device, such as a phone and a tablet, multiplying the risk that an unguarded device could be stolen and bled for information.  And managing mobile devices calls for IT to support two additional operating systems (iOS and Android) configured in whatever way the user prefers.

Folks, I know I’m not saying anything crashingly original, but I’d argue it’s worth repeating: It’s time for hospitals to stop waffling and develop comprehensive protocols for BYOD use. It’s clear that left alone, the problem is going to get worse, not better.

BIDMC’s Encryption Program Tames BYOD Security Fears

Posted on August 14, 2012 | Written By Katherine Rourke

Beth Israel Deaconess Medical Center has begun what it calls an “aggressive” campaign to make sure every mobile device in use by its staff and students is encrypted. This is interesting in light of John’s recent post about encrypting devices to meet HIPAA.  The following update comes from the GeekDoctor blog maintained by Halamka, a resource worth reading in its own right.

The initiative, spearheaded by the indefatigable CIO John Halamka, MD, MS, is massive in scope, affecting as it does 18,000 faculty members and 3,000 doctors, plus a large student population. Costly and time-consuming though it may be, I think it’s an object lesson in what needs to be done to make “bring your own device” a safe and sustainable part of hospital computing.

“It is no longer sufficient to rely on policy alone to secure personal mobile devices,” Halamka said. “Institutions must educate their staff, assist them with encryption, and in some cases purchase software/hardware for personal users to ensure compliance with Federal and State regulations.”

Halamka and his team already began training staff regarding smart phone devices connecting with the Exchange e-mail system using ActiveSync. Under the new regime, those devices must now have password protection.

Next, the Information Systems team is beginning the massive task of encrypting all mobile devices. They’re starting with company-owned laptops and iPad-type tablets, but expect to move out into encrypting other tablets later.

While the process is understandably complex, broadly speaking the IS department is going to take every device currently owned by the institution and give it a complete going over for malware and vulnerabilities, make sure the configuration meets security standards, then fully encrypt it to meet HIPAA/HITECH safe harbor criteria.

The next phase of the program will extend the checkup and encryption process to any personally owned computers and tablets used to access BIDMC data. I’ll be interested to see if people get squeamish about that. There’s a big difference, emotionally, between letting IS strip your work device naked and sharing your personal iPad.  But clearly, if BYOD is to have a future, initiatives like this will need to go on at hospitals across the nation.

Kaiser’s Mobile Health Approach

Posted on July 10, 2012 | Written By John Lynn

As I mentioned in my previous post about laptops and iPads in healthcare, I had the chance to meet with Kaiser at the Health 2.0 conference in Boston. I had a chat with Brian Gardner, head of the Mobile Center of Excellence at Kaiser Permanente and learned a bunch of interesting things about how Kaiser looks at mobile healthcare.

The first interesting thing to note was that Kaiser does not currently support any sort of BYOD (Bring Your Own Device). They did say, though, that they’ve certainly heard the requests from their doctors to find a way for the doctor to use their own mobile device. Since this means that all the mobile devices in use at Kaiser are issued by them, I was also a little surprised to find that the majority of their users are currently still using Blackberry devices.

Brian did say that the iPhone is now an approved Kaiser device. It will be interesting to check in with Brian and Kaiser a year from now to see how many Blackberry devices have been replaced with iPhones. I’m pretty sure we know exactly what’s going to happen, but I’ll have to follow up to find out. What is worth noting though is the time delay for an enterprise organization like Kaiser to be able to replace their initial investment in Blackberry devices with something like an iPhone or Android device. While I’m sure that many of those doctors have their own personal iPhones, that doesn’t mean they can use it for work.

I also asked Brian about the various ways that he sees the Kaiser physicians using their mobile devices. His first response was that a large part of them were using it as an email device. This would make some sense in the context of most of their devices being Blackberry phones which were designed for email.

He did say that Kaiser had done some video pilots on their mobile devices. I’ll be interested to hear the results of these pilot tests. It’s only a matter of time before we can do a video chat session with a doctor from our mobile device and what better place to start this than at Kaiser?

Of course, the other most popular type of mobile app used at Kaiser was education apps. I wonder how many Epocrates downloads are used by Kaiser doctors every day. I imagine it gets a whole lot of use.

What I found even more intriguing was the approach Kaiser used to discover and implement apps. Brian described that many of their best apps have come from students or doctors who had an idea for an app. They then take that idea and make it a reality with that student or doctor working on the app. It sounded like many of these students or doctors saw a need and created an app. Then, after seeing its success, Kaiser would spread it through the rest of the organization.

This final point illustrates so well how powerful mobile health can be now that the cost of developing a mobile health innovation is so low. Once you lower the cost of innovation the way mobile health has done, you open up the doors to a whole group of entrepreneurs to create amazing value.

Laptops End Up With Kids, iPads Don’t

Posted on June 8, 2012 | Written By John Lynn

As I mentioned previously, I had the great opportunity to talk with Kaiser recently about their mobile initiatives at Health 2.0 Boston. It was a great chat with Brian Gardner, head of the Mobile Center of Excellence at Kaiser Permanente.

At one point in the conversation I asked Brian about Kaiser’s approach to devices. Did they allow physicians to bring their own device? Were they deploying their own devices, and which devices did they use? Brian made a couple of comments that I found really intriguing.

First, he stated clearly that Kaiser issued all of their devices. They were looking at the BYOD (Bring Your Own Device) idea, but currently they didn’t support any BYOD options. Based on his response to this question I could tell that there were a lot of conversations about this topic happening at Kaiser. I got the feeling that they were likely getting quite a bit of pressure from their doctors to do something along these lines.

Brian then also provided what I find to be a really compelling observation. He commented that from their experience the laptops they issued to doctors always seemed to end up with the physicians’ kids using them. I assume they could see this based upon the software the physicians’ children installed on the laptop. Then, Brian observed that they hadn’t seen the same thing happening with the iPads they’d given out. He surmised that this was possibly because many of the doctors that got iPads saw it as a privilege and those doctors didn’t want to lose that privilege.

How intriguing, no? Why is it that a laptop feels like a commodity and an iPad feels like a luxury item? One you don’t mind your children touching and the other is a luxury that your child shouldn’t touch.

I’d also extend this observation to say that working on a laptop feels like work. Using an iPad feels more like play. At least that’s the feeling I get. I imagine many doctors feel the same way. I wonder if that will change as the iPad starts to get more applications that really help you do work on it.