
Medical Device Security At A Crossroads

Posted on April 28, 2016 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As anyone reading this knows, connected medical devices are vulnerable to attacks from outside malware. Security researchers have been warning healthcare IT leaders for years that network-connected medical devices had poor security in place, ranging from image repository backups with no passwords to CT scanners with easily-changed configuration files, but far too many problems haven’t been addressed.

So why haven’t providers addressed the security problems? It may be because neither medical device manufacturers nor hospitals are set up to address these issues. “The reality is both sides — providers and manufacturers — do not understand how much the other side does not know,” said John Gomez, CEO of cybersecurity firm Sensato. “When I talk with manufacturers, they understand the need to do something, but they have never had to deal with cyber security before. It’s not a part of their DNA. And on the hospital side, they’re realizing that they’ve never had to lock these things down. In fact, medical devices have not even been part of the IT group and hospitals.”

Gomez, who spoke with Healthcare IT News, runs one of two companies backing a new initiative dedicated to securing medical devices and health organizations. (The other coordinating company is healthcare security firm Divurgent.)

Together, the two have launched the Medical Device Cybersecurity Task Force, which brings together a grab bag of industry players including hospitals, hospital technologists, medical device manufacturers, cyber security researchers and IT leaders. “We continually get asked by clients with the best practices for securing medical devices,” Gomez told Healthcare IT News. “There is little guidance and a lot of misinformation.”

The task force includes 15 health systems and hospitals, including Children’s Hospital of Atlanta, Lehigh Valley Health Network, Beebe Healthcare and Intermountain, along with tech vendors Renovo Solutions, VMware Inc. and AirWatch.

I mention this initiative not because I think it’s huge news, but rather, as a reminder that the time to act on medical device vulnerabilities is more than nigh. There’s a reason why the Federal Trade Commission, and the HHS Office of Inspector General, along with the IEEE, have launched their own initiatives to help medical device manufacturers boost cybersecurity. I believe we’re at a crossroads; on one side lies renewed faith in medical devices, and on the other nothing less than patient privacy violations, harm and even death.

It’s good to hear that the Task Force plans to create a set of best practices for both healthcare providers and medical device makers which will help get their cybersecurity practices up to snuff. Another interesting effort they have underway is the creation of an app which will help healthcare providers evaluate medical devices, while feeding a database that members can access to study the market.

But reading about their efforts also hammered home to me how much ground we have to cover in securing medical devices. Well-intentioned, even relatively effective, grassroots efforts are good, but they’re only a drop in the bucket. What we need is nothing less than a continuous knowledge feed between medical device makers, hospitals, clinics and clinicians.

And why not start by taking the obvious step of integrating the medical device and IT departments to some degree? That seems like a no-brainer. But unfortunately, the rest of the work to be done will take a lot of thought.

ROI for EMR: Does It Even Make Sense Now?

Posted on December 20, 2013 | Written By

James Ritchie is a freelance writer with a focus on health care. His experience includes eight years as a staff writer with the Cincinnati Business Courier, part of the American City Business Journals network. Twitter @HCwriterJames.

There’s a new data point to add to the debate over EMR return on investment.

Norton Healthcare Inc. in Louisville, Ky., has experienced a $12 million increase in federal reimbursement since it started using Epic, Louisville Business First reported. The health system, which operates five hospitals and a network of outpatient sites, is three years into a five-year, $200 million implementation.

Sounds like the beginning of some pretty good ROI. Or does it?

It’s hard to say.

ROI for records systems is notoriously hard to pin down. The word is that many hospitals don’t even try. And they might be onto something.

A revenue boost is a good sign. It’s often a result of improved coding and lower claims denial rates, as Colin Konschak of health care consulting firm Divurgent and Garrett Blair of Norfolk, Va.-based health system Sentara Healthcare recently wrote. And of course, there are the federal incentives for using an EMR — for hospitals, as much as $11 million over four years.

There’s also the rise in productivity that EMRs are expected to cause. At first, an EMR can slow down clinicians’ workflow and cost them and their organization money. But in time, the system could increase productivity.

But revenue is only part of the equation. Cost savings are the more important — and harder to calculate — factor.

Here are a few ways, as described by Konschak and Blair, that EMRs can help hospitals to save:

  • Less need for transcription.

  • Reduced use of staff time for copying and filing.

  • Reduced — often by 50-70 percent — use of preprinted forms.

  • Potentially lower malpractice premiums because of more complete documentation.

Many other potential benefits are probably real but are even less straightforward to measure. Features such as clinical decision support and electronic medical administration records, for example, could lead to reductions in medical errors — the types of mistakes the federal government no longer pays for. But measuring the money you saved from the errors you didn’t make is fairly abstract.

Many hospitals do little if anything to measure the return on their EMR investment, according to a study released by Beacon Partners last year. Healthcare Scene’s John Lynn wrote a few months ago that CIOs likely view the systems as a “necessary requirement of being a hospital today,” somewhat like cleaning supplies. So they don’t see the need to measure ROI.

To me, the “investment” part of ROI suggests that you have a choice. You put money into something now with the hope — but no guarantee — of a payoff later.

Building an imaging center on the edge of town or buying a surgical robot would probably be considered investments. Maintaining your buildings or upgrading your phones would not.

Doing something the government is making you do is not an investment. Given the reimbursement penalties that will eventually kick in for organizations that stick with paper, it’s hard to imagine that many hospital executives see EMR adoption as a matter of choice.

The idea of ROI for EMR is probably outdated, a holdover from the days when having a system was optional. Hospital leaders are shopping for EMRs with an eye toward getting the best value for their money — just the way they shop for cleaning supplies, furniture or legal services.

You could say that as a society we’ve invested in the idea of EMRs and that we’re hoping for a payoff in terms of better outcomes and lower costs. But that doesn’t predict much about whether any particular hospital or doctor will see a dollar-and-cents ROI.

At Norton in Louisville, it sounds like they’re happy just to be recovering some of what they’re spending.

“It really does improve the continuity of care,” Norton’s chief medical officer, Dr. Steve Heilman, told Business First.

For now, it sounds like Norton is on track.

(Note: I work for Business First as a freelancer but didn’t write the story linked here.)