
Are ACOs More About Good Accounting and Reporting Than Improving Care?

Posted on August 28, 2015 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I was recently reading David Harlow’s analysis of the recently released data from CMS on ACO performance and found a lot to chew on. Most people have found the results underwhelming unless they’re big proponents of ACOs and value based reimbursement and then they’re trying to spin it as “early on” and “this is just the start.” I agree with both perspectives. Everyone is trying to figure out how to reimburse for value based care, and so far we haven’t really figured it out.

These programs aside, after reading David Harlow’s post, I asked the following question:

The thing I can’t figure out with ACOs is if they’re really changing the cost of healthcare or if they’re mostly a game of good accounting and reporting. Basically, do the measures they’re requiring really cause organizations to change how they care for patients or does it just change how organizations document and report what they’re doing?

I think this is a massive challenge with value based reimbursement. We require certain data to “prove” that there’s been a change in how organizations manage patients. However, I can imagine hundreds of scenarios where the organization just spends time managing how they collect the data as opposed to actually changing the way they care for patients in order to improve the data.

Certainly there’s value in organizations getting their heads around their performance data. So, I don’t want to say that collecting the right data won’t be helpful. However, the healthcare system as a whole isn’t going to benefit from lower costs if most ACOs are just about collecting data as opposed to making changes that influence the data in the right way. The problem is that the former is a program you can build. The latter is much harder to build and track.

Plus, this doesn’t even take into account that we may be asking them to collect the wrong data. Do we really know which data we need to collect in order to lower the costs of healthcare and improve the health of patients? There is likely some low hanging fruit, but once we get past that low hanging fruit, then what?

In response to my comment, David Harlow brought up a great point about many of the ACO program successes not being reproducible. Why does an ACO in one area improve quality and reduce costs and in another it doesn’t?

All of this reminds me of the question that Steve Sisko posed in yesterday’s #KareoChat:

There are a lot of things that seem to make sense until you dig into what’s really happening. We still have a lot of digging left to do in healthcare. Although, like Steve, I’m optimistic that many of the things we’re doing with ACOs and value based care will provide benefits. How could they not?

Why HIPAA isn’t Enough to Keep Patient Data Secure

Posted on March 21, 2014 | Written By

The following is a guest blog post by Takeshi Suganuma, Senior Director of Security at Proficio.
Just meeting minimum HIPAA safeguards is not enough to keep patient data secure. This should come as no surprise when you consider that HIPAA was developed as a general framework to protect PHI for organizations ranging from small medical practices to very large healthcare providers and payers. After all, one size seldom fits all.

While HIPAA is a general, prescriptive framework for security controls and procedures, HIPAA disclosure rules and penalties are very specific and have increased impact as a result of the Omnibus Final Rule enacted last year. The CIOs and CSOs we talk to are not willing to risk their organization’s reputation by just implementing the minimum HIPAA safeguards.

The collection, analysis, and monitoring of security events is a prime example of where medium to large-sized organizations must do much more than just record and examine activity as prescribed by HIPAA.

The challenge of effectively monitoring and prioritizing security alerts is exacerbated by the changing threat landscape. Unlike the visible incursions of the past, new attacks employ low and slow strategies. Attackers are often able to systematically pinpoint security weaknesses and then cover all traces of their presence as they move on to penetrate other critical IT assets.

Hackers are using multiple attack vectors including exploiting vulnerabilities in medical devices and printers. Networked medical devices represent a significant security challenge for hospitals, because their IT teams cannot upgrade the underlying operating system embedded into these devices. Many medical devices using older versions of Windows and Linux have known security vulnerabilities and are at risk of malware contamination.

Insider threats pose a significant risk for healthcare organizations. Examples include employees who access medical records inappropriately, consultants who unintentionally breach an organization’s confidentiality, and disgruntled employees seeking to harm their employer. Insider activity can be much more difficult to pinpoint than conventional external activity because insiders already hold more privileges than an external attacker. Security event monitoring and advanced correlation techniques are needed to identify such suspicious behavior. For example, a single event, such as inappropriate access of a VIP’s medical records, might go unnoticed, but when the same person is also seen saving files to a USB drive or exhibiting unusual email activity, these correlated events should trigger a high priority alert.
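To make the correlation described above concrete, here is an added example (my own illustration, not Proficio's product logic or the original post's code) that scores constructed audit events per user: a lone indicator stays low priority, while two or more independent indicators from the same user inside a 24-hour window escalate to high. The event field names, the sensitive-patient list, the 10 MB USB threshold and the window length are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real hospital logs): normalized records
# as a SIEM would hold them after parsing EHR audit, endpoint and mail logs.
EVENTS = [
    {"ts": "2014-03-20T09:12:00", "user": "jdoe", "type": "ehr_access",
     "patient": "P-1001", "care_team": False},
    {"ts": "2014-03-20T09:40:00", "user": "jdoe", "type": "usb_write",
     "bytes": 48_000_000},
    {"ts": "2014-03-20T10:05:00", "user": "jdoe", "type": "email_send",
     "recipient_domain": "webmail.example", "attachments": 3},
    {"ts": "2014-03-20T11:00:00", "user": "asmith", "type": "ehr_access",
     "patient": "P-1001", "care_team": True},
    {"ts": "2014-03-20T14:30:00", "user": "bwong", "type": "usb_write",
     "bytes": 2_000_000},
]

# Asset model (assumed): patient records flagged high-sensitivity, e.g. a VIP.
SENSITIVE_PATIENTS = {"P-1001"}
# User profile baseline (assumed): normal outbound mail stays on in-house domains.
INTERNAL_DOMAINS = {"hospital.example"}
WINDOW = timedelta(hours=24)

def suspicious_indicator(ev):
    """Label a single noteworthy event, or return None for routine activity."""
    if (ev["type"] == "ehr_access" and ev["patient"] in SENSITIVE_PATIENTS
            and not ev["care_team"]):
        return "sensitive_record_access"
    if ev["type"] == "usb_write" and ev["bytes"] >= 10_000_000:
        return "bulk_usb_write"
    if (ev["type"] == "email_send" and ev["attachments"] > 0
            and ev["recipient_domain"] not in INTERNAL_DOMAINS):
        return "external_email_with_attachments"
    return None

def correlate(events, window=WINDOW):
    """Per-user correlation: HIGH when 2+ indicator kinds share the window, else LOW."""
    per_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        label = suspicious_indicator(ev)
        if label:
            per_user[ev["user"]].append((datetime.fromisoformat(ev["ts"]), label))
    alerts = {}
    for user, hits in per_user.items():
        latest = hits[-1][0]
        kinds = sorted({label for ts, label in hits if ts >= latest - window})
        alerts[user] = ("HIGH" if len(kinds) >= 2 else "LOW", kinds)
    return alerts
```

Users whose events never produce an indicator (the care-team clinician, the small USB write) generate no alert at all, which is the noise reduction a correlation layer is meant to deliver.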

The volume of security alerts generated in even a mid-size hospital is staggering – tens of millions a day. Without a tool to centrally collect and correlate security events, it is extremely difficult to detect and prioritize threats that could lead to a PHI data breach. Log management and SIEM systems are part of the solution, but these are complex to administer and require regular tweaking to reflect new security and compliance use cases.

Technology alone is just a starting point. Unfortunately, hackers don’t restrict their activities to local business hours, and nor should the teams responsible for the security of their organization. Effective security event monitoring requires technology, process, and people. Many healthcare organizations that lack in-house IT security resources are turning to Managed Security Service Providers (MSSPs) who provide around-the-clock Security Operations Center (SOC) services.

The challenge for today’s security teams, whether internal or outsourced, is to accurately prioritize alerts and provide actionable intelligence that allows a fast and effective response to critical issues. Tomorrow’s goal is to move beyond reporting incidents to anticipating the types of suspicious behaviors and patterns of multi-stage attacks that could lead to data being compromised. Multi-vector event correlation, asset modeling, user profiling, threat intelligence and predictive analytics are among the techniques used to achieve preventive threat detection. The end game is a preemptive defense where real-time analysis of events triggers an automated response to prevent an attack.

The increasing cost of litigation and the loss of reputation that result from an impermissible disclosure of PHI are driving healthcare organizations to build robust security controls and monitor and correlate real-time security events. HIPAA guidelines are a great start, but not enough if CIOs want to sleep easily at night.