Healthcare CIOs Focus On Optimizing EMRs

Posted on March 30, 2017 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

Few technical managers struggle with more competing priorities than healthcare CIOs. But according to a recent survey, they’re pretty clear what they have to accomplish over the next few years, and optimizing EMRs has leapt to the top of the to-do list.

The survey, which was conducted by consulting firm KPMG in collaboration with CHIME, found that 38 percent of CHIME members surveyed saw EMR optimization as their #1 priority for capital investment over the next three years. To gather results, KPMG surveyed 122 CHIME members about their IT investment plans.

In addition to EMR optimization, top investment priorities identified by the respondents included accountable care/population health technology (21 percent), consumer/clinical and operational analytics (16 percent), virtual/telehealth technology enhancements (13 percent), revenue cycle systems/replacement (7 percent) and ERP systems/replacement (6 percent).

Meanwhile, respondents said that improving business and clinical processes was their biggest challenge, followed by improving operating efficiency and providing business intelligence and analytics.

It looks like at least some of the CIOs might have the money to invest, as well. Thirty-six percent said they expected to see an increase in their operating budget over the next two years, and 18 percent of respondents reported that they expect higher spending over the next 12 months. On the other hand, 63 percent of respondents said that spending was likely to be flat over the next 12 months and 44 percent over the next two years. So we have to assume that they’ll have a harder time meeting their goals.

When it came to infrastructure, about one-quarter of respondents said that their organizations were implementing or investing in cloud computing-related technology, including servers, storage and data centers, while 18 percent were spending on ERP solutions. In addition, 10 percent of respondents planned to implement cloud-based EMRs, 10 percent enterprise systems, and 8 percent disaster recovery.

The respondents cited data loss/privacy, poorly-optimized applications and integration with existing architecture as their biggest challenges and concerns when it came to leveraging the cloud.

What’s interesting about this data is that none of the respondents mentioned improved security as a priority for their organization, despite the many vulnerabilities healthcare organizations have faced in recent times. Their responses are especially curious given that a survey published only a few months ago put security at the top of CIOs’ list of business goals for the near future.

The study, which was sponsored by clinical communications vendor Spok, surveyed more than 100 CIOs who were CHIME members — in other words, the same population the KPMG research tapped. The survey found that 81 percent of respondents named strengthening data security as their top business goal for the next 18 months.

Of course, people tend to respond to surveys in the manner prescribed by the questions, and the Spok questions were presumably worded differently than the KPMG questions. Nonetheless, it’s surprising to me that data security concerns didn’t emerge in the KPMG research. Bottom line, if CIOs aren’t thinking about security alongside their other priorities, it could be a problem.

KPMG: Most Business Associates Not Ready For Security Standards

Posted on October 17, 2016 | Written By Anne Zieger

A new study by consulting firm KPMG has concluded that two-thirds of business associates aren’t completely ready to step up to industry demands for protecting patient health information. Specifically, the majority of business associates don’t seem to be ready to meet HITRUST standards for securing protected health information. Plus, it’s worth noting that HITRUST certification doesn’t mean your organization is HIPAA compliant or protected from a breach. It’s just the first step, and many aren’t doing it.

HITRUST has established a Common Security Framework which is used by healthcare organizations (as well as others that create, access, store or exchange sensitive and/or regulated data). The CSF includes a set of controls designed to harmonize the requirements of multiple regulations and standards.

According to KPMG’s Emily Frolick, third-party risk and assurance leader for KPMG’s healthcare practice, a growing number of healthcare organizations are asking their business associates to obtain a HITRUST CSF Certification or pass an SOC 2 + HITRUST CSF examination to demonstrate that they are making a good-faith effort to protect patient information. The CSF assessment is an internal control-based approach allowing organizations such as business associates to assess and demonstrate the measures they are taking to protect healthcare data.

To see if vendors targeting the healthcare industry seemed capable of meeting these standards, KPMG surveyed 600 professionals in this category to determine their organization’s security status. The survey found that half of those responding weren’t ready for HITRUST examination or certification, while 17.4% were planning for the CSF assessment.

When asked how they were progressing toward meeting HITRUST CSF requirements, just 7% said they were completely ready. Meanwhile, 8% said their organization was well along in its implementation process, and 17.4% said they were in the early stages of CSF implementation.

One of the biggest barriers to CSF readiness seems to be having adequate staff in place, ranking ahead of cultural, technological and financial concerns, KPMG found. When asked whether they had the staff in place to meet the standard, 53% said they did, but 47% said they did not have “the right staff the right level skills to execute against the HITRUST CSF.” That being said, 27% said all four factors were at issue. (Interestingly, 23% said “none of the above” posed barriers to CSF readiness.)

Readers won’t be surprised to learn that KPMG has reason to encourage vendors to seek the HITRUST cert and examination – specifically, that it works as a HITRUST Qualified CSF Assessor for healthcare organizations. Also, KPMG works with very large organizations which need to establish high levels of structure in how they evaluate their health data security measures. Hopefully this means they go well beyond what HITRUST requires.

Nonetheless, even if you work with a relatively small healthcare organization that doesn’t have the resources to engage in obtaining formal healthcare security certifications, this discussion serves as a good reminder. Particularly given that many breaches take place due to slips by business associates, it doesn’t hurt to take a close look at their security practices now and then. Even asking them some commonsense questions about how they and their contractors handle data is a good idea. After all, even if business associates cause a breach to your data, you still have to explain the breach to your patients.