Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Being Honest About Your Reasons For Cybersecurity Decisions

Posted on August 16, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

This week, a team of McAfee researchers released a paper outlining a terrifying exploit. The paper describes, in great technical detail, how a malicious attacker could flip a cardiac rhythm display from 80 beats per minute to zero within less than five seconds.

This might not lead to severe harm or death, but it’s possible that other very negative outcomes could occur, notes Shaun Nordeck, MD, who’s quoted in the report. “Fictitious cardiac rhythms, even intermittent, could lead to extended hospitalization, additional testing, and side effects from medications prescribed to control heart rhythm and/or prevent clots,” he notes.

The paper does point out that if the bedside monitor is working normally, nurses have access to other accurate data, which could diminish the impact of such disruptions to some extent. However, the potential for adverse events is clearly higher than normal if someone scrambles a patient’s vitals.

Unfortunately, this is far from the only attack which wasn’t possible before connected devices became the norm. At various points, we’ve seen that pacemakers, insulin pumps and even MRIs can be hacked externally, particularly if their operating systems aren’t patched as required or haven’t put even basic security protections in place. (Think using “password” as a password.)

But while these vulnerabilities are largely known at this point, some healthcare organizations haven’t begun to tackle them. Solving these problems takes work, and costs money, The best-intentioned CIO might not get the budget to fix these problems if their CEO doesn’t see them as urgent.

Or let’s say the budget is available to begin the counterattack. Even if everyone agrees to tackle connected device vulnerabilities, where do we begin the counterattack? Which of these new connected health vulnerabilities are the most critical?  On the one hand, hacking individual pacemakers doesn’t seem profitable enough to attract many cybercriminals. On the other, if I were a crook I might see the threat of meddling with a hospitals’ worth of patient monitors to be a great source of ransom money.

And this brings us to some tough ethical questions. Should we evaluate these threats by how many patients would be affected, or how many of the sickest patients?  How do we calculate the clinical impact of vital signs hacking vs. generating inaccurate MRI results? To what extent should the administrative impact of these attacks be a factor in deciding how to defeat these challenges, if at all?

I know you’re going to tell me that this isn’t an all or nothing proposition, and that to some extent standard network intrusion detection techniques and tools will work. I’m not disputing this. However, I think we need to admit out loud that these kinds of attacks threaten individual lives in a way that traditional cyberattacks do not. For that reason, we need to get honest about who we need to protect — and why.

Healthcare CIOs Focused On Patient Experience And Innovation

Posted on August 2, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Not long ago, 22 healthcare CIOs had a sit-down to discuss their CEOs’ top IT-related priorities. At the meeting, which took place during the 2018 Scottsdale Institute Annual Conference, the participants found that they were largely on the same page, according to researchers that followed the conversation.

Impact Advisors, which co-sponsored the research, found that improving patient experiences was priority number one. More than 80% of CIOs said patient engagement and better patient experiences were critical, and that deploying digital health strategies could get the job done.

The technologies they cited included patient-facing options like wearables, mobile apps and self-service tools. They also said they were looking at a number of provider-facing solutions which could streamline transitions of care and improve patient flow, including care coordination apps and tools and next-generation decision support technologies such as predictive analytics.

Another issue near the top of the list was controlling IT costs and/or increasing IT value, which was cited by more than 60% of CIOs at the meeting. They noted that in the past, their organizations had invested large amounts of money to purchase, implement and upgrade enterprise EHRs, in an effort to capture Meaningful Use incentive payments, but that things were different now.

Specifically, as their organizations are still recovering from such investments, CIOs said they now need to stretch their IT budgets, They also said that they were being asked to prove that their organization’s existing infrastructure investments, especially their enterprise EHR, continue to demonstrate value. Many said that they are under pressure to prove that IT spending keeps offering a defined return on investment.

Yet another important item on their to-do list was to foster innovation, which was cited by almost 60% of CIOs present. To address this need, some CIOs are launching pilots focused on machine learning and AI, while others are forming partnerships with large employers and influential tech firms. Others are looking into establishing dedicated innovation centers within their organization. Regardless of their approach, the CIOs said, innovation efforts will only work if innovation efforts are structured and governed in a way that helps them meet their organization’s broad strategic goals.

In addition, almost 60% said that they were expected to support their organization’s growth. The CIOs noted that given the constant changes in the industry, they needed to support initiatives such as expansion of service lines or building out new ones, as well as strategic partnerships and acquisitions.

Last, but by no means least, more than half of the CIOs said cybersecurity was important. On the one hand, the participants at the roundtable said, it’s important to be proactive in defending their organization. At the same time, they emphasized that defending their organization involves having the right policies, processes, governance structure and culture.

Health IT Leaders Fear Insider Security Threats More Than Cyberattacks

Posted on June 8, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A recently-published survey suggests that while most health IT security leaders feel confident they can handle external attacks, they worry about insider threats.

Cybersecurity vendor Imperva spoke with 102 health IT professionals at the recent HIMSS show to find out what their most pressing security concerns were and how prepared they were to address them.

The survey found that 73% of organizations had a senior information security leader such as a CISO in place. Another 14% were hoping to hire one within the next 12 months. Only 14% said they didn’t have a senior infosec pro in place and weren’t looking to hire.

Given how many organizations have or plan to have a security professional in place, it’s not surprising to read that 93% of respondents were either “very concerned” or “concerned” about a cyberattack affecting their organization. The type of cyberattacks that concerned them most included ransomware (32%), insider threats (25%), comprised applications (19%) and DDoS attacks (13%). (Eleven percent of responses fell into the “other” category.)

Despite their concerns, however, the tech pros felt they were prepared for most of these threats, with 52% that they were “very confident” or had “above average” confidence they could handle any attack, along with 32% stating that their defenses were “adequate.”  Just 9% said that their cybersecurity approach needed work, followed by 6% reporting that their defenses needed to be rebuilt.

Thirty-eight percent of the health IT pros said they’d been hit with a cyberattack during the past year, with another 4% reporting having been attacked more than a year ago.

Given the prevalence of cyberthreats, three-quarters of respondents said they had a cybersecurity incident response plan in place, with another 12% saying they planned to develop one during the next 12 months. Only 14% didn’t have a plan nor was creating one on their radar.

When it came to external threats, on the other hand, respondents seemed to be warier and less prepared. They were most worried about careless users (51%), compromised users (25%) and malicious users (24%).

Their concerns seem to be compounded by a sense that insider threats can be hard to detect. Catching insiders was difficult for a number of reasons, including having a large number of employees, contractors and business partners with access to their network (24%), more company assets on the network or in the cloud than previously (24%), lack of staff to analyze permissions data on employee access (25%) and a lack of tools to monitor insider activities (27%).

The respondents said the most time-consuming tasks involved in investigating/responding to insider threats included collecting information from diverse security tools (32%), followed by tuning security tools (26%), forensics or incident analysis (24%) and managing too many security alerts (17%).

The State Of Healthcare Cybersecurity (Part 2)

Posted on May 22, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

In Part 1 of this series, which drew data from a study by Black Book Market Research, I described how insecure healthcare leaders felt their cybersecurity protections to be. I also noted that a large number of providers are struggling to recruit senior health IT experts, and as a result are basically winging it when it comes to breach protection.

Healthcare organizations’ data security problems run deeper than that, however, the study suggests. Not only are C-level execs finding security investments to be troublesome, IT managers responding to the survey admit that they, too, feel that they are not fully prepared to defend their institution’s data.

To begin with, 74% of surveyed CIOs admitted that they failed to evaluate the total cost of ownership before signing a deal with a cybersecurity solution or service provider, and 89% said they bought their cybersecurity solution to be compliant with security regs, and often, not necessarily to reduce security risks.

And the failure to protect critical information doesn’t stop there.  For example, 57% of IT managers said that they hadn’t taken stock of the full variety of cybersecurity solutions that currently exist, notably mobile security environments, intrusion detection, attack prevention, forensics and testing.

Also, many healthcare institutions seem to react only after they’ve been invaded. According to Black Book, 58% of hospitals didn’t select their current security vendor until after a data security incident, and 32% of healthcare organizations hadn’t scanned for vulnerabilities before an attack.

What’s more, 83% of healthcare organizations haven’t staged a cybersecurity drill which included an incident response process, which arguably leaves them particularly unprepared. Not only that, when an attack comes, some won’t catch it right away, as 29% said they don’t have an adequate solution to instantly detect and respond to cyberattacks.

Meanwhile, 16% of respondents reported being uncomfortable working with vendors that do a hard sell when they find security flaws and vulnerabilities. These insecurities aren’t surprising given that 60% of healthcare enterprises haven’t formally identified specific security objectives and requirements and integrated them into a strategic and tactical plan for breach prevention.

Given how unfocused many security plans are, it’s not surprising that 22% of provider organizations believe their cybersecurity position will worsen between now and the second quarter of 2019. Only 12% of hospitals and 9% of physician organizations reported that they expected to see cybersecurity improvements.

The bottom line here is that if the Black Book research is correct, many healthcare organizations are frighteningly unprepared to protect their data, much less survive a serious attack relatively unscathed. For everyone’s sake, let’s hope that providers wise up to the need for strategic, substantial investments in security technology and staff.

More Than 1.1 Million Patient Records Breached During Q1 of 2018

Posted on May 14, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Well, this isn’t a pretty picture. According to research by Protenus, roughly 1.3 million patient records were breached between January and March of this year. (The actual number is 1,129,744 records, for those who like to be precise.)

During that quarter, the healthcare industry saw an average of at least one data breach per day, racking up 110 health data breaches during this period, according to the Protenus Breach Barometer.

The researchers found that the single largest breach taking place during Q1 2018 was an intrusion involving an Oklahoma-based healthcare organization. The breach, which exposed patient billing information for 279,856 patients, resulted from an unauthorized third-party gaining access to the health system’s network.

If you assume that the other breaches were also executed by external cyberattackers, think again. According to the data, healthcare staffers represented a far bigger risk of being involved with security violations.

The data suggests that such insiders were most likely to illegally access data on the family members, a problem which accounted for 77.1% of privacy violations in the first quarter of this year. Accessing records on coworkers was the second most common insider-related violation, followed by accessing neighbor and VIP records.

Not only that, Protenus researchers found that if a healthcare employee breaches patient privacy once, there’s a greater than 20% chance they will breach privacy again in three months’ time. Worse, there’s a greater than 54% chance they will do so again in a years’ time. That’s a pretty nasty form of compounding risk.

Not only that, do healthcare institutions catch breaches right away? According to Protenus research, it takes healthcare organizations an average of 244 days to detect breaches once they take place. As readers know, some of these events involve information being exposed to the Internet, offering private information to the public via an unprotected interface. Also pretty ugly, and also a source of lousy PR for the organization.

This research is a sobering follow-up to the company’s year-end report for 2017. Last year, according to Protenus research, there was an average of one health data breach per year in 2017. The 407 incidents it identified affected 5,579,438 patient records.

The largest breach taking place in last year involved a rogue insider, a hospital employee, who inappropriately accessed billing information on 697,800 patients. The rest of the top 10 largest data breaches largely sprang from insider errors.

Wow. If it wasn’t evident already, it’s pretty clear now that healthcare organizations need to tighten up their internal data security measures and training substantially.

While there will always be some folks who want to snoop on celebrity records to find imaging medical information on their ex, and some who plan to sell the information outright, a greater number simply need to be reminded what the rules are. (Or so I assume and fervently hope.)

Cybersecurity Lapses Might Be Killing Patients

Posted on April 4, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Nobody would argue that data breaches are good for patients. After all, health data management is challenging enough without having to deal with outside attacks. But could they actually be killing patients? One researcher argues that this is indeed happening.

According to research by Dr. Sung Choi of Vanderbilt University’s Owen Graduate School of Management, hospital data breaches are linked to more than 2,100 patient deaths per year.

One key reason for this phenomenon is that data breaches create distractions for doctors which can extend far beyond the actual incident. This seems to be associated with an increase in patient mortality rates, he said. He also noted that it can be costly for hospitals to address images created by the data breach, which may divert resources better spent in patient care.

What’s more, breaches trigger a whirlwind of administrative activities, including remediation efforts, regulatory increase in litigation in the years that follow. This presents yet another distraction from focusing on care delivery.

To conduct his analysis, Dr. Choi used data from CMS and HHS, comparing patient care data at hospitals that have and have not experienced a data breach. He found that there were 305 hospital breaches between 2012 and 2016, exposing 14 million records.

One of the metrics Dr. Choi reviewed was the proportion of who died within 30 days of being heart attack patients who die within 30 days after being admitted to hospital. He found that this rate increased by 0.23% with one year after the breach, and by 0.36% two years after the breach. This adds up to an additional 2,160 additional patient deaths each year, he said.

What’s more, hospitals that experienced a health data breach took far longer to administer an ECG to newly-admitted patients, the data analysis concluded.

It’s worth noting that this phenomenon is not well documented as of yet. While data breaches are clearly correlated with some additional patient deaths, Dr. Choi seems to concede that he hasn’t found a direct causal relationship between breaches and mortality across the board.

Still, it stands to reason that cybersecurity problems would have some impact on patient care quality. Now that we’re armed with this data, we have even more compelling reasons to avoid breaches. Let’s hope that the hospital industry’s track record on health data security improves in the near future.

Cybersecurity Report Card:  Better Performance, But Not Great

Posted on March 29, 2018 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A new research report from HIMSS has concluded that while healthcare organizations are improving their cybersecurity programs, there’s still a number of things they could do better.

The study drew on responses from 239 health information security professionals. Their responses were gathered from December 2017 to January 2018. While respondents came from a number of settings, the largest number (31.5%) were with hospitals, multi-hospital systems or integrated delivery networks.

One key point made by the study was that significant security incidents are projected to continue to grow in number, complexity and impact. That’s reflected by responses from survey participants, 75.7% of whom said that their organizations experienced a significant security incident in the past 12 months.

The top threat actors attacking these organizations included online scam artists deploying phishing and spear phishing attacks (37.6%), followed by negligent insiders (20.8 %) or hackers (20.1%). In many cases, the initial point of security compromise was by email. Time it took to discover the incident included less than 24 hours (47.1%), one to two days (13.2%) and 3 to 7 days (7.4%).

Despite these risks, and the effort required to protect their data, healthcare organizations with cybersecurity programs are improving their performance. They’re devoting more resources to those programs (55.8% of current IT budgets), responding to problems identified by regular risk assessments (with 83.1% adopting new and improved security measures in the wake of those assessments) and regularly conducting penetration testing and security awareness training.

On the other hand, HIMSS found that most healthcare organizations, cybersecurity programs still need improvement. For example, staffers face major obstacles in remediating and mitigating security incidents, particularly having too few cybersecurity personnel on board and a lack of financial resources. HIMSS also noted that educating and testing “human components” for security vulnerabilities is critical, but may not be included in many efforts.

In some cases, organizations don’t have formal insider threat management programs. While many respondents (44.9%) said they do have insider threat management programs and policies in place, another 27% said those programs were informal. And 24.2% said their organization had no insider threat management program at all.

In addition, risk assessments vary widely across the industry. Popular sources used to gather cyber threat intelligence include US CERT alerts and bulletins (60%) and HIMSS resources (53.8%), but many others are used as well.

The net of all of this seems to be that while healthcare organizations have gotten smarter where cybersecurity is concerned, they need to invest more in specialized personnel, improve staff training, remediation and risk assessments and stay alert. As the number of attacks continues to grow, nothing else will get the job done.

Health IT Leaders Spending On Security, Not AI And Wearables

Posted on December 18, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

While breakout technologies like wearables and AI are hot, health system leaders don’t seem to be that excited about adopting them, according to a new study which reached out to more than 20 US health systems.

Nine out of 10 health systems said they increased their spending on cybersecurity technology, according to research by the Center for Connected Medicine (CCM) in partnership with the Health Management Academy.

However, many other emerging technologies don’t seem to be making the cut. For example, despite the publicity it’s received, two-thirds of health IT leaders said using AI was a low or very low priority. It seems that they don’t see a business model for using it.

The same goes for many other technologies that fascinate analysts and editors. For example, while many observers which expect otherwise, less than a quarter of respondents (17%) were paying much attention to wearables or making any bets on mobile health apps (21%).

When it comes to telemedicine, hospitals and health systems noted that they were in a bind. Less than half said they receive reimbursement for virtual consults (39%) or remote monitoring (46%}. Things may resolve next year, however. Seventy-one percent of those not getting paid right now expect to be reimbursed for such care in 2018.

Despite all of this pessimism about the latest emerging technologies, health IT leaders were somewhat optimistic about the benefits of predictive analytics, with more than half of respondents using or planning to begin using genomic testing for personalized medicine. The study reported that many of these episodes will be focused on oncology, anesthesia and pharmacogenetics.

What should we make of these results? After all, many seem to fly in the face of predictions industry watchers have offered.

Well, for one thing, it’s good to see that hospitals and health systems are engaging in long-overdue beefing up of their security infrastructure. As we’ve noted here in the past, hospital spending on cybersecurity has been meager at best.

Another thing is that while a few innovative hospitals are taking patient-generated health data seriously, many others are taking a rather conservative position here. While nobody seems to disagree that such data will change the business, it seems many hospitals are waiting for somebody else to take the risks inherent in investing in any new data scheme.

Finally, it seems that we are seeing a critical mass of influential hospitals that expect good things from telemedicine going forward. We are already seeing some large, influential academic medical centers treat virtual care as a routine part of their service offerings and a way to minimize gaps in care.

All told, it seems that at the moment, study respondents are less interested in sexy new innovations than the VCs showering them with money. That being said, it looks like many of these emerging strategies might pay off in 2018. It should be an interesting year.

Nuance Takes Page from Healthcare Clients in Petya Outage Aftermath

Posted on November 6, 2017 I Written By

Colin Hung is the co-founder of the #hcldr (healthcare leadership) tweetchat one of the most popular and active healthcare social media communities on Twitter. Colin speaks, tweets and blogs regularly about healthcare, technology, marketing and leadership. He is currently an independent marketing consultant working with leading healthIT companies. Colin is a member of #TheWalkingGallery. His Twitter handle is: @Colin_Hung.

On June 27th the Petya Malware (or NotPetya or ExPteya) struck Nuance Communications (NASDAQ: NUAN). For days the company’s eScription speech-recognition platform were unavailable, forcing thousands of healthcare clients to find alternatives for their medical transcription. During the crisis and in the weeks that followed, Nuance borrowed a page from their healthcare clients: not offering false hope and deconstructing the incident to learn from it.

At the recent CHIME Fall Forum in San Antonio Texas, I had the opportunity to sit down with Brenda Hodge, Chief Marketing Officer – Healthcare and Ed Rucinski, Senior Vice President of World Wide Healthcare Sales of Nuance to talk about the Petya outage and where the company is headed.

“The challenge we faced with Petya brought us all together as a company,” explained Ed. “When our systems went offline, the entire organization rallied together. We had engineers and support staff who slept at the office on couches and cots. We had developers who went with less than 2hrs of sleep for 4 days straight because they wanted to help clients and bring our systems back online as quickly as possible. We became a nameless and rank-less organization working towards a common goal.”

As the outage went from minutes to hours to days, Nuance resisted the temptation to offer false hope to its clients. Instead, the company opted to be truthful and transparent. Nuance sent emails and directly called clients to let them know they had suffered a cyber attack, that the full extent of the damage was not known and that they did not know when their systems would be back online. The company did, however, commit to providing regular updates and being available to answer questions and address concerns.

The following is an abbreviated excerpt from a Nuance communication posted online by one of its clients:

Nuance corporate systems were unfortunately affected by a global cyber attack today. We went into immediate security protocol by shutting down our hosted production systems and platforms. There is no update at this time as to when the accounts will be back online but we will be holding regular calls throughout the day and night to gain insight into the timeline for resolution and I will update you again when I have more info. We are sorry for the inconvenience this outage has caused and we are working diligently to get things back online.

Clinicians are coached never to give patients in crisis or their families false hope. They calmly explain what happened, state the facts and talk about potential next steps. They do not, however, say that “things will be alright”, even though they know that is what everyone desperately wants to hear. Nuance used this same protocol during the Petya outage.

The company also used protocols similar to those used following an adverse event.

Healthcare is complex and despite the best efforts and best intentions of care teams, errors occur. These errors are referred to as adverse events. Adverse events that impact patient safety or that cause actual harm to patients are thoroughly documented, deconstructed and analyzed by clinical leaders as well as risk managers. The lessons gleaned from these unfortunate events are captured and used to improve operations. The goal is to prevent or mitigate the impact of similar events in the future.

After their systems were fully restored, the Nuance team embarked on a thorough review of the incident – from technical procedures to client communication protocols.

“We learned a lot through this incident” says Hodge. “We got a first-hand education on how sophisticated malware has become. We’ve gone from viruses to malware to ransomware to coordinated nation-state attacks. That’s what Petya really is – a coordinated attack on company infrastructure. Now that we have been through this type of attack, we have put in new processes and technologies to prevent similar attacks in the future. Most importantly we have made investments in improving our response to these types of attacks.”

Nuance has gone one step further. They have committed to sharing their painful lessons learned with other companies and healthcare institutions. “Like it or not, we are all in this together”, continued Hodge. “The Petya attack came on the heels of the WannaCry ransomware attack that impacted many of our healthcare clients – so there was a lot of empathy from our clients. In fact this whole incident has created a sense of solidarity in the healthcare technology community. Cyber attacks are not going to stop and we need to come together as an industry so that we are as prepared as we can be for the next one.”

“It’s unfortunate that it took an incident like this to show us what we are made of,” says Rucinski. “We had executives making coffee and fetching lunch for the support teams. We had leaders offering to run errands for staff because they knew they were too tired to keep up with those types of things. In the end we found out we truly embody the values and principles that we have hanging on posters around the office.”

Health IT Continues To Drive Healthcare Leaders’ Agenda

Posted on October 23, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A new study laying out opportunities, challenges and issues in healthcare likely to emerge in 2018 demonstrates that health IT is very much top of mind for healthcare leaders.

The 2018 HCEG Top 10 list, which is published by the Healthcare Executive Group, was created based on feedback from executives at its 2017 Annual Forum in Nashville, TN. Participants included health plans, health systems and provider organizations.

The top item on the list was “Clinical and Data Analytics,” which the list describes as leveraging big data with clinical evidence to segment populations, manage health and drive decisions. The second-place slot was occupied by “Population Health Services Organizations,” which, it says, operationalize population health strategy and chronic care management, drive clinical innovation and integrate social determinants of health.

The list also included “Harnessing Mobile Health Technology,” which included improving disease management and member engagement in data collection/distribution; “The Engaged Digital Consumer,” which by its definition includes HSAs, member/patient portals and health and wellness education materials; and cybersecurity.

Other hot issues named by the group include value-based payments, cost transparency, total consumer health, healthcare reform and addressing pharmacy costs.

So, readers, do you agree with HCEG’s priorities? Has the list left off any important topics?

In my case, I’d probably add a few items to list. For example, I may be getting ahead of the industry, but I’d argue that healthcare AI-related technologies might belong there. While there’s a whole separate article to be written here, in short, I believe that both AI-driven data analytics and consumer-facing technologies like medical chatbots have tremendous potential.

Also, I was surprised to see that care coordination improvements didn’t top respondents’ list of concerns. Admittedly, some of the list items might involve taking coordination to the next level, but the executives apparently didn’t identify it as a top priority.

Finally, as unsexy as the topic is for most, I would have thought that some form of health IT infrastructure spending or broader IT investment concerns might rise to the top of this list. Even if these executives didn’t discuss it, my sense from looking at multiple information sources is that providers are, and will continue to be, hard-pressed to allocate enough funds for IT.

Of course, if the executives involved can address even a few of their existing top 10 items next year, they’ll be doing pretty well. For example, we all know that providers‘ ability to manage value-based contracting is minimal in many cases, so making progress would be worthwhile. Participants like hospitals and clinics still need time to get their act together on value-based care, and many are unlikely to be on top of things by 2018.

There are also problems, like population health management, which involve processes rather than a destination. Providers will be struggling to address it well beyond 2018. That being said, it’d be great if healthcare execs could improve their results next year.

Nit-picking aside, HCEG’s Top 10 list is largely dead-on. The question is whether will be able to step up and address all of these things. Fingers crossed!