
MD Anderson Fined $4.3 Million For HIPAA Violations

Posted on June 21, 2018 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

An administrative law judge has ruled that MD Anderson Cancer Center must pay $4.3 million to the HHS Office of Civil Rights due to multiple HIPAA violations. This is the fourth largest penalty ever awarded to OCR.

OCR kicked off an investigation of MD Anderson in the wake of three separate data breach reports in 2012 and 2013. One of the breaches sprang from the theft of an unencrypted laptop from the home of an MD Anderson employee. The other two involved the loss of unencrypted USB thumb drives which held protected health information on over 33,500 patients.

Maybe — just maybe — MD Anderson could’ve gotten away with this or paid a much smaller fine. But given the circumstances, it was not going to get away that easily.

OCR found that while the organization had written encryption policies going back to 2006, it wasn’t following them that closely. What’s more, MD Anderson’s own risk analyses had found that a lack of device-level encryption could threaten the security of ePHI.

Adding insult to injury, MD Anderson didn’t begin to adopt enterprise-wide security technology until 2011. Also, it didn’t take action to encrypt data on its devices containing ePHI during the period between March 2011 and January 2013.

In defending itself, the organization argued that it was not obligated to encrypt data on its devices. It also claimed that the ePHI which was breached was for research, which meant that it was not subject to HIPAA penalties. In addition, its attorneys argued that the penalties accrued to OCR were unreasonable.

The administrative law judge wasn’t buying it. In fact, the judge took an axe to its arguments, saying that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” noting that its leaders “not only recognized, but [also] restated many times.” That’s strong language, the like of which I’ve never seen in HIPAA cases before.

You won’t be surprised to learn that the administrative law judge agreed to OCR’s sanctions, which included penalties for each day of MD Anderson’s lack of HIPAA compliance and for each record of individuals breached.

All I can say is wow. Could the Cancer Center’s leaders possibly have more chutzpah? It’s bad enough to have patient data breached three times. Defending yourself by essentially saying it was no big deal is even worse. If I were the judge I would’ve thrown the book at them too.

Exec Tells Congress That New Health Data Threats Are Emerging

Posted on June 20, 2018 | Written By Anne Zieger

A senior security executive with a major academic health system has told Congress that in addition to attacks by random attackers, healthcare organizations are facing new threats which are changing the health security landscape.

Erik Decker, chief security and privacy officer with the University of Chicago Medicine, testified on behalf of the Association for Executives in Healthcare Information Security in mid-June. He made his comments in support of the reauthorization of the Pandemic and All-Hazards Preparedness Act, whose purpose is to improve the U.S. public health and medical preparedness for emergencies.

In his testimony, Decker laid out how the nature of provider and public health preparedness has changed as digital health technology has become the backbone of the industry.

He described how healthcare information use has evolved, explaining to legislators how the digitization of healthcare has created a “hyper-connected” environment in which systems such as EHRs, revenue cycle platforms, imaging and ERP software are linked to specialty applications, the cloud and connected medical devices.

He also told them about the increasing need for healthcare organizations to share data smoothly, and the impact this has had on the healthcare data infrastructure. “There is increasing reliance on these data being available, and confidential, to support these nuanced clinical workflows,” he said. “With the adoption of this technology, the technical ecosystem has exploded in complexity.”

While the emergence of these complex digital health ecosystems offers many advantages, it has led to a growth in the number and type of cybersecurity problems providers face, Decker noted. New threats he identified include:

* The development of underground markets and exchanges of sensitive information and services such as Hacking-as-a-Service
* The emergence of sophisticated hacking groups deploying ransomware
* New cyberattacks by terrorist organizations
* Efforts by nation states to steal intellectual property to create national economic advantages

This led to the key point of his testimony: “We can no longer think of preparedness relative only to natural disasters or pandemics,” Decker said. “It’s imperative that we acknowledge the criticality of cybersecurity threats levied against the nation’s healthcare system.”

To address such problems, Decker suggests, healthcare organizations will need help from the federal government. For example, he pointed out, HHS efforts made a big difference when it jumped in quickly and worked closely with healthcare leaders responding to WannaCry attacks in mid-2017.

Meanwhile, to encourage the healthcare industry to adopt strong cybersecurity practices, it’s important to offer providers some incentives, including a financial subsidy or safe harbors from enforcement actions, he argued.

5 Steps to Ensure Revenue Integrity After Implementing a New EHR

Posted on June 18, 2018 | Written By

The following is a guest blog post by Lisa Eramo, a regular contributor to Kareo’s Go Practice Blog.

In the rush to implement EHRs for Meaningful Use incentives, many practices lost sight of what matters most for continued success—revenue integrity, says Joette Derricks, healthcare compliance and revenue integrity consultant in Baltimore, MD. Revenue integrity—the idea that practices must take proactive steps to capture and retain revenue—isn’t a novel concept. However, it’s becoming increasingly important for physician practices operating in a regulatory-driven environment, she adds.

Revenue integrity is also an important part of ensuring smooth cashflow during and after the transition to a new EHR, says Derricks. This is a time when revenue opportunities are easily overlooked as practices adjust to new navigation, templates, and more, she adds.

Revenue integrity is all about compliance, says Derricks. “It’s about taking a holistic approach to operational efficiency, regulatory compliance, and maximizing reimbursement,” she adds. “It’s about doing things the right way.”

Maximizing reimbursement isn’t about ‘gaming’ the system to upcode. Rather, it’s about implementing processes and procedures to ensure that practices are paid for all of the services they perform without leaving money on the table or generating revenue that payers will later recoup, she explains.

Derricks provides five simple steps practices can take to ensure revenue integrity following an EHR implementation:

1. Review EHR templates. Do templates include the most specific CPT and ICD-10-CM codes? And do physicians understand the importance of avoiding unspecified codes, when possible?

2. Examine the interface between the EHR and practice management system. Do the codes that physicians assign in the EHR feed correctly into the practice management system? For example, when a physician performs an E/M service in addition to a procedure, does the EHR map both codes to the practice management system for billing purposes? Does the practice management system correctly bundle and unbundle services, when appropriate?

3. Run your numbers frequently. Ideally, practices will perform a monthly data analysis to help gauge performance and identify potential missed revenue opportunities, says Derricks. For example, she suggests running a report of the practice’s top 20 billing codes in a particular month. Then, compare those codes with the top 20 codes the practice billed that same month in the previous year. What has changed, and why? And have these changes benefited or hurt the practice? For example, practices may see new codes in that list because they added chronic care or transitional care management, both of which provide additional revenue. Or practices may discover a system glitch that incorrectly bundled services that are separately payable, thus causing a revenue loss.

“Everybody can play the ‘I’m too busy’ game, but this is too important to fall into that trap,” says Derricks. “I applaud the office manager or practice administrator who recognizes the value of constantly being on the lookout for system-wide improvements and analyzing their own numbers.”

Some practice management systems provide robust billing analytics that can help practices identify the root cause of billing errors and omissions. Working with a consultant is another option, says Derricks. Consultants provide unbiased input regarding inefficiencies and vulnerabilities and can provide a ‘fresh set of eyes’ necessary to effect change. They also often have access to benchmarking tools and other resources that can help practices identify revenue gaps and delays, she adds.

For example, Derricks suggests performing an assessment for revenue gaps and roadblocks to reduce the workflow process errors that delay revenue. Download the assessment.

4. Provide physician training. Physicians need thorough training on how to use the EHR properly so as to avoid data omissions, says Derricks. They also need annual training on new CPT and ICD-10-CM codes as well as new documentation requirements, she adds.

5. Create an environment that promotes compliance. This requires a top-down approach from physicians and practice managers, says Derricks. “Everyone should have their eyes open and feel comfortable being able to address concerns,” she says. “It should be an open-door policy in terms of looking at processes versus putting your head down.”

About Lisa Eramo
Lisa Eramo is a regular contributor to Kareo’s Go Practice Blog, as well as other healthcare publications, websites and blogs, including the AHIMA Journal. Her focus areas are medical coding, clinical documentation improvement and healthcare quality/efficiency.  Kareo is a proud sponsor of Healthcare Scene.

Stanford Survey Generates Predictable Result: Doctors Want EHR Changes

Posted on June 11, 2018 | Written By Anne Zieger

I know you’re going to have trouble believing this, but many PCPs think EHRs need substantial changes.

Such is the unsurprising conclusion drawn by a survey conducted by The Harris Poll on behalf of Stanford Medicine. The poll, which took place between March 2 and March 27 of this year, surveyed 521 PCPs licensed to practice in the U.S. who have been using their current EHR system for at least one month.

The physicians were recruited via snail mail from the American Medical Association Masterfile. Figures for years in practice by gender, region and primary medical specialty were weighted where necessary to bring them into line with their actual proportions in the population of PCPs in the U.S.

According to the survey, about two-thirds of PCPs think EHRs have generally improved care (63%). Two-thirds said they were at least somewhat satisfied with their current systems, though only 18% were very satisfied.

Meanwhile, a total of 34% were somewhat or very dissatisfied with their system, and 40% of PCPs said that EHRs create more challenges than benefits. Also, 49% of office-based PCPs reported that using an EHR detracts from their clinical effectiveness. Forty-four percent of PCPs said that the primary value of EHRs is data storage, while just 8% said that the biggest benefits were clinically-related.

To improve EHRs’ clinical value, it will take a lot of effort, with 51% saying they think EHRs need a complete overhaul.  Seventy-two percent of PCPs said that improving user interfaces could best address their needs in the immediate future.

Meanwhile, 67% of respondents said that solving interoperability problems should be the top priority for EHR development over the next decade, and 43% reported wanting improved predictive analytics capabilities.

Nearly all (99%) of PCPs said that EHR capabilities should include maintaining a high-quality record of patient data over time, followed closely by providing an intuitive user experience. Also, 88% said that providing clinical decision support at the moment of care was important, followed by identifying high-risk patients in their patient panel (86%).

When asked what EHR features they found most satisfying, they cited maintaining a high-quality patient record (73%), offering patients access to medical records (71%), sharing information with providers across the care continuum (65%) and supporting practice/revenue cycle management needs (60%).

However, EHRs still have a long way to go in offering other preferred capabilities, including changing and adapting in response to user feedback, improving patient-provider interaction, coordinating care for patients with complex conditions and engaging patients in prescribed care plans through mobile technologies. Vendors, you have been warned.

Health IT Leaders Fear Insider Security Threats More Than Cyberattacks

Posted on June 8, 2018 | Written By Anne Zieger

A recently-published survey suggests that while most health IT security leaders feel confident they can handle external attacks, they worry about insider threats.

Cybersecurity vendor Imperva spoke with 102 health IT professionals at the recent HIMSS show to find out what their most pressing security concerns were and how prepared they were to address them.

The survey found that 73% of organizations had a senior information security leader such as a CISO in place. Another 14% were hoping to hire one within the next 12 months. Only 14% said they didn’t have a senior infosec pro in place and weren’t looking to hire.

Given how many organizations have or plan to have a security professional in place, it’s not surprising to read that 93% of respondents were either “very concerned” or “concerned” about a cyberattack affecting their organization. The type of cyberattacks that concerned them most included ransomware (32%), insider threats (25%), compromised applications (19%) and DDoS attacks (13%). (Eleven percent of responses fell into the “other” category.)

Despite their concerns, however, the tech pros felt they were prepared for most of these threats, with 52% saying that they were “very confident” or had “above average” confidence they could handle any attack, along with 32% stating that their defenses were “adequate.” Just 9% said that their cybersecurity approach needed work, followed by 6% reporting that their defenses needed to be rebuilt.

Thirty-eight percent of the health IT pros said they’d been hit with a cyberattack during the past year, with another 4% reporting having been attacked more than a year ago.

Given the prevalence of cyberthreats, three-quarters of respondents said they had a cybersecurity incident response plan in place, with another 12% saying they planned to develop one during the next 12 months. Only 14% didn’t have a plan nor was creating one on their radar.

When it came to insider threats, on the other hand, respondents seemed to be warier and less prepared. They were most worried about careless users (51%), compromised users (25%) and malicious users (24%).

Their concerns seem to be compounded by a sense that insider threats can be hard to detect. Catching insiders was difficult for a number of reasons, including having a large number of employees, contractors and business partners with access to their network (24%), more company assets on the network or in the cloud than previously (24%), lack of staff to analyze permissions data on employee access (25%) and a lack of tools to monitor insider activities (27%).

The respondents said the most time-consuming tasks involved in investigating/responding to insider threats included collecting information from diverse security tools (32%), followed by tuning security tools (26%), forensics or incident analysis (24%) and managing too many security alerts (17%).

IBM Watson Health Layoffs Suggest AI Strategy Isn’t Working

Posted on June 6, 2018 | Written By Anne Zieger

IBM Watson Health is apparently making massive cuts to its staff, in a move suggesting that its healthcare AI isn’t working.

Watson Health leaders have argued that AI (which Watson Health leaders call “cognitive computing”) is the solution to many of the healthcare industry’s problems. IBM pitched Watson technology as a revolutionary tool which could get to the root of difficult medical problems.

Over time, however, it’s begun to look like this wasn’t going to happen, at least for the present. Among other high-profile goofs, IBM Watson has struggled with applying the supercomputing tech to oncology, which was one of its main goals.

Now IBM Watson Health has slashed up to 70% of its staff, according to sources speaking to The Register. The site reports that most of the layoffs are cutting staff within companies IBM has bought in an effort to build out its healthcare credentials. These include medical data company Truven, acquired in 2016 for $2.6 billion, medical imaging firm Merge, bought in 2015 for $1 billion and healthcare management firm Phytel, the site reports.

The cuts reflect a major strategic shift for Watson Health, which was one of IBM’s flagship divisions until recently. Having invested heavily in businesses that might have helped it dominate the health IT world, it now appears to be rethinking its all-in approach.

That being said, no one has suggested that IBM Watson Health will disappear in a poof of smoke. IBM corporate leaders seem dedicated to an AI future. However, if this report is correct, Watson Health is being reorganized completely. That’s not too much of a surprise, since given how hyped it was, it would have been almost impossible for it to live up to the hype.

To me, this suggests that rolling out healthcare AI tools might call for a completely different business model. Rather than applying brute force supercomputing tools to enterprise healthcare issues, it may be better to build from the ground up.

For example, consider Google’s approach to healthcare AI supercomputing. UK-based DeepMind is building relationships and products from the ground up. Working with the National Health Service, DeepMind Health is bringing mobile tools and AI research to hospitals. Its mobile health tools include Streams, a secure mobile phone app which feeds critical medical information to doctors and hospitals.

In my opinion, the future of AI in healthcare will look more like the DeepMind model and less like IBM Watson’s top-down approach. Building out AI-based tools and platforms for physicians and nurses first just makes sense.

“Shadow” Devices Expose Networks To New Threats

Posted on June 4, 2018 | Written By Anne Zieger

A new report by security vendor Infoblox suggests that threats posed by “shadow” personal devices connected to healthcare networks are getting worse.

The study, which looks at healthcare organizations in the US, UK, Germany, and UAE, notes that the average organization has thousands of personal devices connected to their enterprise network, including personal laptops, Kindles and mobile phones.

Employees from the US and the UK report using personal devices connected to their enterprise network for multiple activities, including social media use (39%), downloading apps (24%), games (13%) and films (7%), the report says.

It would be bad enough if these pastimes only consumed network resources and time, but the problem goes far beyond that. Use of these shadow devices can open up healthcare networks to nasty attacks. For example, social media is increasingly a vector of malware infection, where bad actors launch attacks by successfully urging users to download unfamiliar files.

Health IT directors responding to the study also said there were a significant number of non-business IoT devices connected to their network including fitness trackers (49%), digital assistants like Amazon Alexa (47%), smart TVs (46%), smart kitchen devices such as connected kettles or microwaves (33%) and game consoles such as the Xbox or PlayStation (30%).

In many cases, exploits can take total control of these devices, with serious potential consequences. For example, one can turn a Samsung Smart TV into a live microphone and other smart TVs could be used to steal data and install unwanted apps.

Of course, IT directors aren’t standing around and ignoring these threats and have developed policies for dealing with them. But the report argues that their security policies for connected devices aren’t as effective as they think. For example, while 88% of the IT leaders surveyed said their security policy was either effective or very effective, employees didn’t even know it was in effect in many cases.

In addition, 85% of healthcare organizations have also increased their cybersecurity spending over the past year, and 12% of organizations have increased it by over 50%. Most HIT leaders appear to be focused on traditional solutions, including antivirus software (60%) and cybersecurity investments (57%). In addition, more than half of US healthcare IT professionals said their company invests in encryption software.

Also, about one-third of healthcare IT professionals said the company is investing in employee education (35%), email security solutions and threat intelligence (30%). One in five were investing in biometric solutions.

Ultimately, what this report makes clear is that health IT organizations need to reduce the number of unauthorized personal devices connected to their network. Nearly any other strategy just puts a band-aid on a gaping wound.

Alexa Voice Assistant Centerpiece Of Amazon Health Effort

Posted on June 1, 2018 | Written By Anne Zieger

I don’t know about you, but until recently I had thought of the Amazon Echo as something of a toy. From what I saw, it seemed too cute, too gimmicky and definitely too expensive for my taste. Then I had a chance to try out the Echo my mother kept in her kitchen.

It’s almost embarrassing to say how quickly I was hooked. I didn’t even use many of Alexa’s capabilities. All I had to do was command her to play some music, answer some questions and do a search on the Amazon.com site and I was convinced I needed to have one. Its $99 price suddenly seemed like a bargain.

Of course, being a health IT geek I immediately wondered how the Alexa voice assistant might play a part in applications like telemedicine, but I was spending too much time playing “Name That Song” (I’m an 80s champ) to think things through.

But I had the right instincts. It’s become increasingly clear that Amazon sees Alexa as a key channel for reaching healthcare decision-makers.

According to a story appearing on the CNBC website, Amazon has built a 12-person team within the Alexa voice-assisted division called “health & wellness” whose focus is to make Alexa more useful to healthcare patients and providers. Its first targets include diabetes management, care for mothers and infants and aging, according to people who spoke anonymously with CNBC.

Of course, this effort would involve working through HIPAA rules, but it’s hard to imagine that a company like Amazon couldn’t buy and/or cultivate that expertise.

In the piece, writers Eugene Kim and Christina Farr argue that the mere existence of the health & wellness group is a clear sign that Amazon plans to bring Alexa to healthcare. As long as the Echo can share and upload data in a secure, HIPAA-compliant fashion, the possibilities are almost endless. In addition to sharing data with patients and clinicians, this would make it possible to integrate the data with secure third-party apps.

Of course, a 12-person unit is microscopic in size within a company like Amazon, and from that standpoint, the group might seem like a one-off experiment. On the other hand, its work seems more important when you consider the steps Amazon has already taken in the healthcare space.

The most conspicuous move Amazon has made in healthcare came in early 2018, when it announced a joint initiative with Berkshire Hathaway and J.P. Morgan focused on improving healthcare services. To date, the partnership hasn’t said much about its plans, but it’s hard to argue that something huge could emerge from bringing together players of this size.

In another, less conspicuous move, Alexa took a step towards competing in the diabetes care market. In the summer of 2017, working with Merck, Amazon offered a prize to developers building Alexa “skills” which could help people with diabetes manage all aspects of their care. One might argue that this kind of project could be more important than something big and splashy.

It’s worth noting at this point that even a monster like Google still hasn’t made bold moves in healthcare (though it does have extraordinarily ambitious plans). Amazon may not find it easy to compete. Still, it will certainly do some interesting things, and I’m eager to see them play out. In fact, I’m on the edge of my seat – aren’t you?

Physician Burnout, a Healthcare Issue Unique to Our Healthcare Providers

Posted on May 25, 2018 | Written By

The following is a guest blog post by Justin Campbell, Vice President, Strategy, at Galen Healthcare Solutions.

I Can’t Get No Satisfaction…but I try, and I try, and I try, and I try – Rolling Stones

In a 2018 Medscape survey exploring the professional satisfaction of providers, 42 percent of 15,000 survey respondents reported feeling burnt out with their jobs, up from an overall rate of 40 percent in 2017. In recent years, physician burnout has become a serious industry issue, with national policy discussions ensuing on how to best combat the problem. Researchers have drawn correlations between physician burnout and higher medical error rates, lower overall quality of care, and increased clinical staff turnover. Year after year, the underlying drivers of dissatisfaction have remained consistent: overwhelming charting requirements, long work hours, and cumbersome EHRs.

As health IT leaders, one question we should be asking ourselves is how we can best apply our EHR expertise to help reduce physician burnout. To answer this question, let us look to the doctors we aim to help. When physicians are at the bedside, they analyze a patient’s condition and formulate a care plan accordingly. They look to diagnostic test results, review trended vitals, pain scores, and nursing assessments, and consult with specialists in a massive data gathering exercise all aimed at quantifying the problem and crafting a treatment plan.

Providers are telling us there is a problem, and they are consistently identifying the primary underlying causes. IT department leaders have a direct influence over many of the drivers of physician burnout, so it is time for us to dig into the details, measure the problem, and craft a treatment plan. How do we measure and manage physician burnout?

There’s Gold In Those EHR Audit Logs

The Office of the National Coordinator’s EHR Certification Requirements mandate that all certified EHRs be capable of generating an audit log detailing all user activity, stored in a database alongside user credentials and a date and time stamp. At first glance, these unassuming audit logs appear to provide little actionable insight, but buried in the data there is value. When audit logs are compiled across several months, data analysts will quickly see that they have a rich dataset that can be sliced and diced to expose the EHR navigation and module utilization trends of key physician populations.

Analyzing patterns within EHR audit logs will allow savvy data analysts to determine the average length of time providers spend working in the EHR. This information can be calculated at the individual level or aggregated across all providers.

Source: Galen Healthcare Solutions

Knowing how long providers are spending on administrative tasks in the EHR is valuable information for a number of reasons. First and foremost, this information can be used as a benchmark to measure the impact of future software updates or optimization projects. Any significant changes to provider workflow should be retrospectively reviewed to understand how they impact the average time providers spend in the EHR. First, do no harm.

Analyzing user activity logs at the individual level also helps identify highly efficient EHR users within each specialty. The EHR workflow patterns of these EHR champions can be modeled. Peers can be educated on how to adjust their own workflows to mirror specialty-specific champions, reducing their own daily EHR burden. These “quick win” workflow adjustments are changes that can be adopted by clinical staff immediately, before extensive EHR optimization efforts are undertaken.

Audit log analysis can also highlight which EHR modules providers spend the most time in. In most cases, updating user preferences and optimizing the information displayed on EHR screens can expedite chart navigation. Simplified documentation templates and macros training can expedite the documentation process. A library of evidence-based order sets and targeted clinical decision support algorithms can minimize time spent entering orders.

Analyzing utilization trends at the EHR module level exposes the workflow tasks that are consuming a disproportionate amount of provider time.

Don’t. Stop. There.

EHR audit log analysis can reveal how much time providers are spending in the EHR, and where specifically they are spending that time. It can identify physician champions, and highlight those that are struggling. Audit log analysis can be used to measure EHR-induced physician burnout and support system-wide optimization efforts aimed at improving satisfaction.

Beyond this, EHRs offer a wealth of additional datasets that can help highlight inefficiencies in clinical workflows. Traditional health IT data analytics typically aims to uncover problems in care quality or revenue cycle management, but analysis focused on EHR workflow improvement is just as noble an effort, and one providers have long been seeking.

Gain perspectives from HDO leaders who have successfully navigated EMR clinical optimization and refine your EMR strategy to transform it from a short-term clinical documentation data repository to a long-term asset by downloading our EMR Optimization Whitepaper.

About Justin Campbell
Justin is Vice President, Strategy, at Galen Healthcare Solutions. He is responsible for market intelligence, segmentation, business and market development and competitive strategy. Justin has been consulting in Health IT for over 10 years, guiding clients in the implementation, integration and optimization of clinical systems. He has been on the front lines of system replacement & data migration and is passionate about advancing interoperability in healthcare and harnessing analytical insights to realize improvements in patient care. Justin can be found on Twitter at @TJustinCampbell and LinkedIn.

About Galen Healthcare Solutions
Galen Healthcare Solutions is an award-winning, #1 in KLAS healthcare IT technical & professional services and solutions company providing high-skilled, cross-platform expertise and Gold sponsor of Health IT Expo. For over a decade, Galen has partnered with more than 300 specialty practices, hospitals, health information exchanges, health systems and integrated delivery networks to provide high-quality, expert level IT consulting services including strategy, optimization, data migration, project management, and interoperability. Galen also delivers a suite of fully integrated products that enhance, automate, and simplify the access and use of clinical patient data within those systems to improve cost-efficiency and quality outcomes. For more information, visit www.galenhealthcare.com. Connect with us on Twitter, Facebook and LinkedIn.

 

The State Of Healthcare Cybersecurity (Part 2)

Posted on May 22, 2018 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

In Part 1 of this series, which drew data from a study by Black Book Market Research, I described how insecure healthcare leaders felt their cybersecurity protections to be. I also noted that a large number of providers are struggling to recruit senior health IT experts, and as a result are basically winging it when it comes to breach protection.

Healthcare organizations’ data security problems run deeper than that, however, the study suggests. Not only are C-level execs finding security investments to be troublesome, but IT managers responding to the survey admit that they, too, feel that they are not fully prepared to defend their institution’s data.

To begin with, 74% of surveyed CIOs admitted that they failed to evaluate the total cost of ownership before signing a deal with a cybersecurity solution or service provider, and 89% said they bought their cybersecurity solution to comply with security regs, often not necessarily to reduce security risks.

And the failure to protect critical information doesn’t stop there. For example, 57% of IT managers said that they hadn’t taken stock of the full variety of cybersecurity solutions that currently exist, notably mobile security environments, intrusion detection, attack prevention, forensics and testing.

Also, many healthcare institutions seem to react only after they’ve been invaded. According to Black Book, 58% of hospitals didn’t select their current security vendor until after a data security incident, and 32% of healthcare organizations hadn’t scanned for vulnerabilities before an attack.

What’s more, 83% of healthcare organizations haven’t staged a cybersecurity drill which included an incident response process, which arguably leaves them particularly unprepared. Not only that, when an attack comes, some won’t catch it right away, as 29% said they don’t have an adequate solution to instantly detect and respond to cyberattacks.

Meanwhile, 16% of respondents reported being uncomfortable working with vendors that do a hard sell when they find security flaws and vulnerabilities. These insecurities aren’t surprising given that 60% of healthcare enterprises haven’t formally identified specific security objectives and requirements and integrated them into a strategic and tactical plan for breach prevention.

Given how unfocused many security plans are, it’s not surprising that 22% of provider organizations believe their cybersecurity position will worsen between now and the second quarter of 2019. Only 12% of hospitals and 9% of physician organizations reported that they expected to see cybersecurity improvements.

The bottom line here is that if the Black Book research is correct, many healthcare organizations are frighteningly unprepared to protect their data, much less survive a serious attack relatively unscathed. For everyone’s sake, let’s hope that providers wise up to the need for strategic, substantial investments in security technology and staff.