Today the white house announced what has been awarded to the different states to support Health Information Exchange and assist care providers with training and technical support with Electronic health records.
This makes the state of North Carolina one of the 41 states to get $ 12.9 million dollars in funding to facilitate HIE for the state. While there are several other already established health record exchange initiatives, the NC HWTF (North Carolina Health and Wellness Trust Fund) has greater potential to get a strong NC HIE started.
In addition, with the establishment of the regional extension centers and their awarded 13.6 Million dollars available through North Carolina Area Health Education Centers Program (AHEC) North Carolina care providers will have better access to onsite technical assistance to help with the adoption of electronic health records.
For a full list of grants awarded visit: http://www.whitehouse.gov/the-press-office/sebelius-solis-announce-nearly-1-billion-recovery-act-investment-advancing-use-heal
Friday, February 12, 2010
Thursday, February 4, 2010
Top 10 EHR failure contributing factors
With the Economic Stimulus bill recently enacted into law by president Obama, and recent relaxation of the Stark Rules allowing hospitals to subsidize up to 85% of implementation costs of HER many are renewing their interest in an EHR purchase. But while many are excited about the encouraging subsidize available, others are still fearful on undertaking such a complex project after many “horror stories” they hear.
One must wonder what is really the source and true factors that contribute to the de-installations and or lack of return on investment on EHR. By reviewing these items, we can separate fact from fiction and expose what can be done to avoid these pitfalls.
The following are the top 10 biggest contributors to an EHR failure for certain products available in the market place:
1. Lack of strong follow up from the EHR vendor:
After Go live date some of practices begin to sense that the honeymoon period is over. Faced with new workflow challenges and staff not always sure what to-do and resort to a best guess on how to perform certain tasks, frustration grows and lack of confidence of the product begins to show.
2. Lack of training:
With a constant reminder of budgets and economic downturn some practices often resorting to less training and more self discovery tends to be another step into dangerous waters. With Computer Illiteracy many realize that they are still not comfortable with the product and don’t know enough to resolve some of the obstacles that accompany such products.
3. Unreliable infrastructure:
While many of the subsidies have reduce actual implementation/training and licensing costs of an EHR, weak and unreliable IT back bone infrastructure tends to offset the efficiencies that are meant to be gained. Far too many cases slow response, unreliable wireless and reoccurring system outages leave a terrible after taste of the EHR when it should be the one of the lack of infrastructure.
4. Not very user friendly:
While all care providers and clinical staff understand that when they are seeing patients all their attention is rightfully given to their patient, but too often they fall victim to the overwhelming screens, 2 dozen buttons to click or all flashing indicators reminding you that you have more work to follow up on.
5. Lack of interoperability:
It is clear that interoperability is “essential” for coordination of care and reduction of medical errors due to lack of information, and unfortunately many software makers lack to capital and expertise to arm their products with the ability to enable practice to participate in exchanging electronic health records within their community or just simply with a nearby hospital or IDN. In addition, it has been stated time after time that the ARRA’s ultimate goal is to promote exchange healthcare information to improve patient care.
6. Slow and painful ROI:
Statistic after statistic shows us that adoption rates for EHR have been slow, despite the growing enthusiasm. In some cases incentive payments can provide a boost, but often we find that citing a positive ROI is largely anecdotal. While upfront costs can range from 10,000 to 25,000.00 per provider in costs, it can take from 3 to 4 years before an actual positive ROI is seen in some cases.
7. Same engine under the hood for years:
As a developer I am guilty of trying to recycle applications I have created in the past and just performing a facelift on the interface. Unfortunately this trend has contributed to lack of new functionality and features for some of the products being used today. By simply changing a 10 year old product screen from black DOS screen to a “windows” based program with still the same engine under it. Many practices are still facing outdated functionalities and lack of new and much improved and newly discovered efficiencies.
8. Lack of sufficiency data visualizations:
Whether a healthcare organization is looking to identify the most common CPT codes used, performing internally RAC audits, or simply identifying trends in patient outcome measures, medical organizations are looking to EHR vendors to answer the calling. But with very few able to provide access and usable data, many are faced with the reality that data visualization is nothing but a dream. It is hard to truly understand the power information, but as stated in a recent article in the BusinessWeek written by Maria Popova: “Ultimately, data visualization is more than complex software or the prettying up of spreadsheets. It's not innovation for the sake of innovation. It's about the most ancient of social rituals: storytelling. It's about telling the story locked in the data differently, more engagingly, in a way that draws us in, makes our eyes open a little wider and our jaw drop ever so slightly. And as we process it, it can sometimes change our perspective altogether. “
9. Lack of or unreliable integration:
In the current healthcare environment, there are many connecting devices, entities and stakeholders. Whether you are ordering blood work or waiting for a pathology report to be downloaded integration is the glue that holds it all together. In certain cases missing labs, down interfaces and failure of communication can lead to dangerous and risky outcomes for the practice. Many of these situations lead to frustration and mistrust of the technology and products.
10. Loss of confidence:
At the center of it all, lack of staff buy-in poses the most common management mistake made that leads to complete EHR implementation failure. Many leaders discover after working hard on making sure the right product was selected for the right price that their staff is not confident in the adopted direction of the management. This leads the practice to face significant struggles. Ultimately, every staff member needs to buy-in to the change, and for this to occur successfully it is important to involve everyone in the process and ensuring they are part of the solution.
It is commonly cited that the practice should hold most of the blame for the failures of EHR projects and implementation. But who are we kidding here; it is like asking an IT engineer to manage a busy restaurant’s kitchen just because they watched few episodes of hell’s kitchen. The burden of a successful EHR should be shared amongst the product vendors who have far more experience in project management and technology as well as the team effort of an EHR committee from within the practice. Both parties must commit to proper education up front, continued education and follow ups to ensure that the product is being used the way it should be. The success of the project will benefit both vendor and customer.
In conclusion, while many of the indicated struggles above are contributing factors to failures of some of the EHR implementations out there. It is important to know that not all products have these challanges. In addition, many of the items listed can be resolved by taking the appropriate corrective measures. When in doubt always contact your vendor or a qualified healthcare IT export to assist you and your organization ensure that you are in the right path.
Friday, October 30, 2009
Healthcare Round II, ARRA has passed now let’s see what AHCAA has to offer
There is a new kid in town and his name is AHCAA (Affordable Health Care of America Act)!!! This bill might send some software vendors back to redesign their booth and replace "Guaranteed stimulus money from ARRA" to something like "Our products are now more affordable than the free OpenSource as part of the AHCAA"
Travelling to conferences recently showed me an interesting trend, and that is of software vendors providing along with their package a "Guaranteed Certifiable Product" or "Guaranteed Stimulus Money". While some of the requirements have been described, it is alarming to see that this trend is spreading like wild fire and gaining momentum. Much of the concerns should be around how practices will gather the resources and the right stakeholders to apply meaningful use and implement policies and procedures as part exchange of electronic health records.
So, while we are coming to a better understanding of the ARRA HITECH, we are now facing a new round of recommendations and new potential incentives. On October 29th, 2009 House Speaker Nancy Pelosi announced a new Bill by the 111th Congress titled: Affordable Health Care for America Act".
After reviewing some of the sections that are relating to health care technology or HITECH, I discovered some very encouraging items in the bill. I will just list the very basic AHCAA HITECH summary of the areas I got through reading:
Travelling to conferences recently showed me an interesting trend, and that is of software vendors providing along with their package a "Guaranteed Certifiable Product" or "Guaranteed Stimulus Money". While some of the requirements have been described, it is alarming to see that this trend is spreading like wild fire and gaining momentum. Much of the concerns should be around how practices will gather the resources and the right stakeholders to apply meaningful use and implement policies and procedures as part exchange of electronic health records.
So, while we are coming to a better understanding of the ARRA HITECH, we are now facing a new round of recommendations and new potential incentives. On October 29th, 2009 House Speaker Nancy Pelosi announced a new Bill by the 111th Congress titled: Affordable Health Care for America Act".
After reviewing some of the sections that are relating to health care technology or HITECH, I discovered some very encouraging items in the bill. I will just list the very basic AHCAA HITECH summary of the areas I got through reading:
- The bill recommends that a study be conducted to see if providing higher rates of reimbursements or other incentives would increase the adoption of certified EHR.
- The secretary will have until January 1st, 2012 to develop a plan to integrate clinical reporting on quality measures which would include the following items:
o The development of measures that can demonstrate meaningful use of HER, and clinical quality of care furnished to an individual.
o The collection of health data to identify deficiencies in the quality and coordination of care for individuals eligible for benefits.
- Extension of Incentive payments from Act 42 USC 1395w -4(m) (1) where 2010 payments would be replaced by 2010, then instead of 2009 inserting 2010.
- Promoting low-cost electronic health records software packages that are available for use. Examples (can anyone say Medsphere is loving the AHCAA) which is based on the package of the Veterans Administration.
This was an abvious expectation from any bill that was upcoming. Making the push for electronic health records part of a public option, the motives are to encourage the adoption of EHR after many healthcare providers showed some resistance ARRA plans.
Between requiring electronic clinical data reporting, to adopting meaningful use, it to note that adopting some Electronic Health Record system will improve coordination of care, reduce medical error, and provide faster access to data when it is most needed. At this stage the only debatable factor of any EHR package is whether it offers a true Positive ROI.
This is the challenge that much of the current vendor must prove to the rest, otherwise everyone will look to OpenSource and vendors will lose a substantial market share.
Tuesday, October 6, 2009
How can the billing department increase efficiency
The billing or financial department:
Much of the practice’s income depends on this department. This is the team in the organization that ensures that your money is tracked down and retrieved from the Payers and challenging patients. So how can we assist through technology and how can different solutions enable them to be more efficient.
Easy to look up EOB:
First we will start by implementing an open source OCR product Click here. That’s right 0$ solution that will reduce the look up time of an EOB by at least 50%. A billing staff member can locate a document simply by searching the DOS (Date of service) or simply the patient insurance id and with the results displayed in a Google fashion.
Post patient payments electronically:
Next stop is to reduce or even eliminate the need to manually post payments. Now this solution depends on the organization’s billing system whether the PMS or HIS supports electronic remit (X12N 835 format) or not. This is the format that payers return their EOB. Fortunately that format can be utilized to post patient payments as well that have been made electronically through a web portal or from processed check payments. This dramatically reduces overhead by requiring staff to spend less time doing data entry.
Deposit payments from your office:
Let’s be honest here, checks will be around for few more years, just like when we were told that with Check Cards checks will cease to exist. Well, I am sure checks will continue to survive for a little longer. So, let’s see how we can still be more efficient around them. How about reducing or eliminating the couriers services for check deposits. If you can today deposit a check simply by taking a picture of it through your phone(ImageNet Mobile Deposit(TM)), then medical practices have got to be able to use the remote deposit feature that’s offered with many of today's banks.
Elegability Check:
Ok, if a practice is still not utilizing these services that are offered by most clearing houses, then this is the appropriate time to try them out. It is a very powerful tool, especially when it reduces your claim denials and patient balances that end up going to collections with 20% of your potential revenue.
While there are many additional ways to create efficiencies through out the practice, the billing department is a great place to realize cost savings immediately without major adjustments. Whether you employ claim adjudication, document management or simply outsource statement printing, it is very important to continuously talk to your vendors and stay connected with what is the latest and greatest.. This will ensure that you are constantly evaluating and implementing what matters to your practice.
Much of the practice’s income depends on this department. This is the team in the organization that ensures that your money is tracked down and retrieved from the Payers and challenging patients. So how can we assist through technology and how can different solutions enable them to be more efficient.
Easy to look up EOB:
First we will start by implementing an open source OCR product Click here. That’s right 0$ solution that will reduce the look up time of an EOB by at least 50%. A billing staff member can locate a document simply by searching the DOS (Date of service) or simply the patient insurance id and with the results displayed in a Google fashion.
Post patient payments electronically:
Next stop is to reduce or even eliminate the need to manually post payments. Now this solution depends on the organization’s billing system whether the PMS or HIS supports electronic remit (X12N 835 format) or not. This is the format that payers return their EOB. Fortunately that format can be utilized to post patient payments as well that have been made electronically through a web portal or from processed check payments. This dramatically reduces overhead by requiring staff to spend less time doing data entry.
Deposit payments from your office:
Let’s be honest here, checks will be around for few more years, just like when we were told that with Check Cards checks will cease to exist. Well, I am sure checks will continue to survive for a little longer. So, let’s see how we can still be more efficient around them. How about reducing or eliminating the couriers services for check deposits. If you can today deposit a check simply by taking a picture of it through your phone(ImageNet Mobile Deposit(TM)), then medical practices have got to be able to use the remote deposit feature that’s offered with many of today's banks.
Elegability Check:
Ok, if a practice is still not utilizing these services that are offered by most clearing houses, then this is the appropriate time to try them out. It is a very powerful tool, especially when it reduces your claim denials and patient balances that end up going to collections with 20% of your potential revenue.
While there are many additional ways to create efficiencies through out the practice, the billing department is a great place to realize cost savings immediately without major adjustments. Whether you employ claim adjudication, document management or simply outsource statement printing, it is very important to continuously talk to your vendors and stay connected with what is the latest and greatest.. This will ensure that you are constantly evaluating and implementing what matters to your practice.
Tuesday, September 29, 2009
P4P Quality measure with CPT is not in our future
History
“The system is broke”, is a far more common phrase we continue to hear. Whether it is a politician eager to promote more support for healthcare reform, or a patient who is too frustrated due to the sheer volume of bills they get from 10 different entities, just to have one procedure for appendix removal. Even physicians who are penalized for using too many CPT codes or procedure count to treat a complex condition and get penalized from the payers for it under their P4P programs are saying it.
So this begs the question, is P4P Quality measures with CPT the right thing? We are seeing that many of these programs have not shown a tremendous adoption from physicians. Take the PQRI initiative, statistics have shown an average of $700.00 return per physician which is relatively low comparing it to the costs the practice has incur. This begs the question, is it worth looking at P4P programs and worrying about implementing them? Is the technology available to measure the outcomes of patient treatment over time?
Is it possible that physicians will be paid based on treatment outcome?
Well, if you review the ARRA and what 2015 will bring you will a clear indication as part of the meaningful Use goals to be“clinical outcome measures, efficiency measures and safety measures”, you will realize that there is a tremendous emphasis on outcome measures this might not mean that you care providers would be required to follow the recommendations, but it will mean that if CMS does make the outcome measure as a mean to reimburse you on patient treatment, then as we know Payers will usually just follow.
What are the current facts?
The good news this possible change would not affect the way physicians provide care. Many care providers do see and treat the patient based on some mental measurements and grading if the patient is or is not improving. But it does get sticky when a group needs to report on it on paper. Take for example a patient being treated for a broken wrist. We can measure the outcome of the treatment based on the level of Pain, we can track the range of movement of the wrist after the cast is done and we can measure the improvement on the amount of time it took to have the cast off. While in many cases the person’s body will dictate some of those results, but we can still benchmark the treatment outcome.
However, when you consider the patients with chronic disease such as End-Stage-Kidney disease then the complexity increases tremendously. During a recent presentation by CTG, they had a very interesting approach to this challenge. They basically created a Master Patient Complexity index that they can use measure the patient condition through well defined scientific measures such as: Age, Hemoglobin, Creatinine, Bun, BMI, Calcium, Potassium and so forth. With a plot as radar spokes as shown here(Values are based on fictitious data and do not represent actual patient information).
Result and the impact of this direction
This can potentially result in a shift of paradigm. Physicians may not be paid on how many procedures done, but the improvement of their patient’s overtime using a proven Master Patient Complexity index. The current recommended model by CTG looks very promising and may as well be a starting point. There have been implementations of similar models by other groups such as Mayo Clinic. This would also mean that EMR/PMS products would need to have a different approach to how payors are billed and properly display the progress or patient treatment outcome of time. It is just another fun day for BI (Business Intelligence) and health analytics.
Conclusion:
While physicians continue to focus on providing care to their patients one must remember that doctors do have to be compensated appropriately. Using CPT for a way to measure care quality is definitely not an acceptable method of measuring the improvement on quality care, so considering other approaches is a must, and looking for technology as a tool to facilitate makes more sense than ever. It also means that physicians must become more involved in product and measure development. This will ensure that future EMR products will answer to the providers needs, improved measures to assist patients with complex conditions and create an efficient reimbursement system.
“The system is broke”, is a far more common phrase we continue to hear. Whether it is a politician eager to promote more support for healthcare reform, or a patient who is too frustrated due to the sheer volume of bills they get from 10 different entities, just to have one procedure for appendix removal. Even physicians who are penalized for using too many CPT codes or procedure count to treat a complex condition and get penalized from the payers for it under their P4P programs are saying it.
So this begs the question, is P4P Quality measures with CPT the right thing? We are seeing that many of these programs have not shown a tremendous adoption from physicians. Take the PQRI initiative, statistics have shown an average of $700.00 return per physician which is relatively low comparing it to the costs the practice has incur. This begs the question, is it worth looking at P4P programs and worrying about implementing them? Is the technology available to measure the outcomes of patient treatment over time?
Is it possible that physicians will be paid based on treatment outcome?
Well, if you review the ARRA and what 2015 will bring you will a clear indication as part of the meaningful Use goals to be“clinical outcome measures, efficiency measures and safety measures”, you will realize that there is a tremendous emphasis on outcome measures this might not mean that you care providers would be required to follow the recommendations, but it will mean that if CMS does make the outcome measure as a mean to reimburse you on patient treatment, then as we know Payers will usually just follow.
What are the current facts?
The good news this possible change would not affect the way physicians provide care. Many care providers do see and treat the patient based on some mental measurements and grading if the patient is or is not improving. But it does get sticky when a group needs to report on it on paper. Take for example a patient being treated for a broken wrist. We can measure the outcome of the treatment based on the level of Pain, we can track the range of movement of the wrist after the cast is done and we can measure the improvement on the amount of time it took to have the cast off. While in many cases the person’s body will dictate some of those results, but we can still benchmark the treatment outcome.
However, when you consider the patients with chronic disease such as End-Stage-Kidney disease then the complexity increases tremendously. During a recent presentation by CTG, they had a very interesting approach to this challenge. They basically created a Master Patient Complexity index that they can use measure the patient condition through well defined scientific measures such as: Age, Hemoglobin, Creatinine, Bun, BMI, Calcium, Potassium and so forth. With a plot as radar spokes as shown here(Values are based on fictitious data and do not represent actual patient information).
Result and the impact of this direction
This can potentially result in a shift of paradigm. Physicians may not be paid on how many procedures done, but the improvement of their patient’s overtime using a proven Master Patient Complexity index. The current recommended model by CTG looks very promising and may as well be a starting point. There have been implementations of similar models by other groups such as Mayo Clinic. This would also mean that EMR/PMS products would need to have a different approach to how payors are billed and properly display the progress or patient treatment outcome of time. It is just another fun day for BI (Business Intelligence) and health analytics.
Conclusion:
While physicians continue to focus on providing care to their patients one must remember that doctors do have to be compensated appropriately. Using CPT for a way to measure care quality is definitely not an acceptable method of measuring the improvement on quality care, so considering other approaches is a must, and looking for technology as a tool to facilitate makes more sense than ever. It also means that physicians must become more involved in product and measure development. This will ensure that future EMR products will answer to the providers needs, improved measures to assist patients with complex conditions and create an efficient reimbursement system.
Monday, September 28, 2009
ARRA or stimulus Health IT calculator
The American Recovery and Reinvestment Act of 2009 (ARRA) has far-reaching effects in healthcare. Stakeholders affected range from patients, private physicians, and large hospital networks. The Act includes a planned expenditure of $34 billion for HIT, with $32 billion going to hospitals and physicians, as an incentive to adopt certified, interoperable Electronic Health Records (EHRs).
I have been getting a lot of requests to help calculate the potential incentives available for a practice. Many administrators and executives are asking if this pay for us to go paperless or pay for a full EMR implementation? Well, as easy as it may seem, you have to analyze your own numbers. As a lawyer told a colleague today about first home buyers. "You will get up to 8,000 dollars". The keyword there is "UP TO". So, for many practices the notion that each provider will get the max allowed amount will be depending on a lot of things. For many of the work I have been doing, I have developed a small cheat sheet or a calculator that can help shed some light on what dollars you may be getting based on Medicaid or Medicare provision. If you are interested feel free to email me the answer to the following questions and I will send you the results with some projections.
Email me or post a comment to this blog and I will respond.
A place to start:
For Medicare
____:Year when meaningful use
____:Number of MDs in your practice
____:#total allowable for Medicare Patients for 2008
For Medicaid
____:Year when meaningful use was
____:Number of MDs in your practice
____:%of patients with Medicaid
____:#Avg. Technology Costs
____:number of Midwives or PA or NP
____:Yearly maintenance and technology costs after implementation
I have been getting a lot of requests to help calculate the potential incentives available for a practice. Many administrators and executives are asking if this pay for us to go paperless or pay for a full EMR implementation? Well, as easy as it may seem, you have to analyze your own numbers. As a lawyer told a colleague today about first home buyers. "You will get up to 8,000 dollars". The keyword there is "UP TO". So, for many practices the notion that each provider will get the max allowed amount will be depending on a lot of things. For many of the work I have been doing, I have developed a small cheat sheet or a calculator that can help shed some light on what dollars you may be getting based on Medicaid or Medicare provision. If you are interested feel free to email me the answer to the following questions and I will send you the results with some projections.
Email me or post a comment to this blog and I will respond.
A place to start:
For Medicare
____:Year when meaningful use
____:Number of MDs in your practice
____:#total allowable for Medicare Patients for 2008
For Medicaid
____:Year when meaningful use was
____:Number of MDs in your practice
____:%of patients with Medicaid
____:#Avg. Technology Costs
____:number of Midwives or PA or NP
____:Yearly maintenance and technology costs after implementation
Friday, September 11, 2009
Are your patients' health information protected enough to save you from the FTC or the new HIPAA under ARRA rules
With the new burden of newer fines and higher penalties from the modified HIPAA under the ARRA, and the new FTC “Red Flag” regulations, now healthcare organizations must re evaluate their current security protocols and infrastructure to keep the HIPAA auditors at bay.
In today’s fast moving technology, it is very hard for anyone to ensure that the next web site they visit will not install harmful Trojans, that can potentially logged every key stroked, or simply steal some files from their computer that could contain private health information.
Everyday Americans fall victim to identity theft because of information being stolen from computers in healthcare environments. And that includes having their health records used or insurance information to obtain health services and procedures. We are accustomed to hearing that most data breaches occur at large scale operations such as the heartland breach that hackers had potential access to the personal data of 600 million or more cardholders, even few years before that, the story of the chain TJX that had more than 45 million customers data compromised. But all these are extremely hard to accomplished, and require sophisticated and most advanced hackers. But what if you were told that your doctor’s office would be the next target right now, right out of their parking lot? Or what If a simple URL can land one of your nurses on the wrong web site that will automatically install a Trojan, which in turn will gain access to health data.
There are several threats you should be aware of as a consumer or a healthcare administrator. Again, the intent of this article is not to force you completely get rid of your computers and wireless networks, but it is to provide you with information that can assist in understanding your environment and the potential areas that may need to be reviewed.
Internal Threats:
The internal threads to your patient data can be identified in many areas. Just to give you an example, last week I visit with few technicians over a medium healthcare office, and as we were going through the DR planning (Disaster Recovery Planning), I asked about the offsite back up. To my surprise I received the following statements “We are covered on that, I take the tapes with me home”, I did not put too much though into it as I asked the next question assuming that the answer would have been yes. “Well, I am sure the backups are password protected and you are encrypting it right!”. Wrong, I received the following reply “Why? They are already in a tape, you think a thief will know how to restore from a tape”. Puzzled and disappointed I began to explain that it would be wiser to find a more secure method to store the sensitive patient information, and explaining how that can really jeopardize the practice and potentially open the door for possible law suits. After I went back to the office, I did a simple search in Google for “How to restore from a tape” and found the following: Results 1 - 10 of about 3,720,000 for How to restore from a tape. (0.16 seconds) . It was clear to me that there was a disconnect between the IT and Privacy and Security requirements. It is critical that sensitive data must be secured, and should not be transported offsite on laptops, tapes or hard drives without the appropriate encryption and protection.
Another internal threat would be the viruses or Trojans that find their ways into computers that are either unprotected or simply have expired Antivirus. Many of these infections originate from web sites that the users visited by mistyping a URL or simply clicking on the wrong link from a personal email. This has been a commonly used method by hackers to gain access to private information on computers through Trojans, key loggers and other remote control methods.
In a world where there are all too many horror stories of scammers, we begin to hear about cases of patients using factitious identity or posing as someone else, and using their insurance cards to gain access to cosmetic or medical procedures where the victim becomes responsible for picking up the tab. We are in an environment where a patient rushing their child to be seen for an illness and they say “their spouse has the insurance card” while the front desk feels obligated to let them be seen, and later come to the realization that the practice now has to write-off the costs of the procedures and treatment after realizing that their insurance was terminated or was not even for the right person. An insurance card does not present the practice with a picture ID, and in many cases where a valid license is and can be a requirement for the patient, many seem to not require that verification and increase the risk of false identity. This becomes a bigger issue as much of the current proposed health reform where the practice will not be able to bill the victim for the balance nor their insurance for a case stolen of identity.
External:
For the most part all health organizations have some sort of firewall already established. This is the device that protects them from outside intruders. But without the right hardware, you are left with a firewall that a hacker can easily discover the default password to, and remotely gain access to your network, or even
With that being said, I have found numerous times where health organizations use a common tool that allows them to logon remotely to their servers such Microsoft Remote desktop (RDP) without VPN (Virtual private network). That means that the server is exposed to the internet through a specific port that hackers can attempt to use to gain access. Some cases Brute force is used (where a dictionary of password is used to try several combinations of passwords for the administrative user), others just a matter of a previous employee still having an active account can gain access, take the data and sell it for profit.
While the above two require fairly advanced knowledge of hacking, there are always few simple ones that can truly be a very easy way to tap into your system or infrastructure. Wireless!!! In many cases if you approach a hospital the wireless infrastructure is so advanced and robust that you can actually detect if there is any attempt to connect to the network without being on the safe list of devices allowed, you can even detect if someone plugs in a new wireless network within the hospital wireless range. But the challenge here again, is that we are discussing the vulnerability of some of our small to mid practices. The ones that simply can not justify the cost of a $800 or more for a single access point. These are the cases where a simple low cost access point, that you plug and play allows you to get on a “secured” wireless can easily be cracked. WEP (some of the commonly used encryption methods by small practices) has poor architecture, and has been identified in the hacker community you can find posts that show you “How To Crack 128-bit Wireless Networks In 60 Seconds”.
The consequences:
In previous years, the above threats would have most likely been considered urgent but not important. Let’s face it, there was no real threat out there to begin with. As a matter fact, even the office that was meant to enforce the HIPAA rules had not levied a single penalty against any HIPAA-covered entity in nearly five years since they began its implementation. What has changed that would force everyone to really take a good look on their current security and privacy readiness. Well, as part of the new ARRA few modifications to the law have been made under (Sections 13409-13411):
• Congress gave state attorneys general authorization to enforce the HIPAA thought civil enforcement actions
• It makes the business associates directly responsible for complying with key HIPAA privacy and security provisions. This meant that the cleaning crew, the third party IT support provider, software vendor, accountant and anyone that comes in contact with your infrastructure or medical and insurance information is sharing the responsibility and potentially liable.
• Fines have dramatically increased under the ARRA fines. You maybe imposed to pay up to 50,000 dollars per violation per calendar year and up to 1.5 million dollars.
• HHS is required to impose civil monetary penalties in circumstances where it finds that a HIPAA violation was willful.
• The criminal provisions were expressly made applicable to individuals.
• The HHS Secretary is now required to conduct periodic audits for compliance with the HIPAA Privacy and Security Rules.
Things to do to help you:
• Implement Password expiration and complexity policies
• Implement strict internet use policies for employees
• Ensure that your IT team properly secures your patient data repository services
• Run periodically security auditing tools
• Ensure that you are using antivirus on every piece of equipment that is connected to your network including cell phone as well.
• Ensure that your backups are password protected, encrypted and properly stored
• Ensure that your business associates agreements reflect the new changes and explain to your vendors what they mean and that their liability insurance covers the extent of the fines and costs that can be a result of data breach
• Ensure that your wireless is using stronger encryption method
• Require patients to present photo ID during registration and ensure you have a B&W copy of it (Color copies are illegal in NC).
• Use biometric check-in devices that ensure the identity of the patient if you are looking for a secure and fast way to identify and check-in patients
• Use network appliances that add an additional layer of protection against SPAM, email viruses and block unwanted traffic from web sites.
• Train and educate staff on proper internet use
Conclusion
Whether you are still using paper charts or completely paperless, patient privacy and security must be a high priority in your list, whether the ARRA enforces the new rules or not. Your clients your patient’s data protection must be addressed. It is like having health insurance, without it, you are taking major risks. There are several organizations that provide you with assistance or HIPAA audits. Some of which are freely available online. Your help desk and engineers need to understand the consequence as well as the importance of implementing the right technologies that are proactive in detecting intrusion as well as protecting all assets in your infrastructure.
Reda Chouffani
In today’s fast moving technology, it is very hard for anyone to ensure that the next web site they visit will not install harmful Trojans, that can potentially logged every key stroked, or simply steal some files from their computer that could contain private health information.
Everyday Americans fall victim to identity theft because of information being stolen from computers in healthcare environments. And that includes having their health records used or insurance information to obtain health services and procedures. We are accustomed to hearing that most data breaches occur at large scale operations such as the heartland breach that hackers had potential access to the personal data of 600 million or more cardholders, even few years before that, the story of the chain TJX that had more than 45 million customers data compromised. But all these are extremely hard to accomplished, and require sophisticated and most advanced hackers. But what if you were told that your doctor’s office would be the next target right now, right out of their parking lot? Or what If a simple URL can land one of your nurses on the wrong web site that will automatically install a Trojan, which in turn will gain access to health data.
There are several threats you should be aware of as a consumer or a healthcare administrator. Again, the intent of this article is not to force you completely get rid of your computers and wireless networks, but it is to provide you with information that can assist in understanding your environment and the potential areas that may need to be reviewed.
Internal Threats:
The internal threads to your patient data can be identified in many areas. Just to give you an example, last week I visit with few technicians over a medium healthcare office, and as we were going through the DR planning (Disaster Recovery Planning), I asked about the offsite back up. To my surprise I received the following statements “We are covered on that, I take the tapes with me home”, I did not put too much though into it as I asked the next question assuming that the answer would have been yes. “Well, I am sure the backups are password protected and you are encrypting it right!”. Wrong, I received the following reply “Why? They are already in a tape, you think a thief will know how to restore from a tape”. Puzzled and disappointed I began to explain that it would be wiser to find a more secure method to store the sensitive patient information, and explaining how that can really jeopardize the practice and potentially open the door for possible law suits. After I went back to the office, I did a simple search in Google for “How to restore from a tape” and found the following: Results 1 - 10 of about 3,720,000 for How to restore from a tape. (0.16 seconds) . It was clear to me that there was a disconnect between the IT and Privacy and Security requirements. It is critical that sensitive data must be secured, and should not be transported offsite on laptops, tapes or hard drives without the appropriate encryption and protection.
Another internal threat would be the viruses or Trojans that find their ways into computers that are either unprotected or simply have expired Antivirus. Many of these infections originate from web sites that the users visited by mistyping a URL or simply clicking on the wrong link from a personal email. This has been a commonly used method by hackers to gain access to private information on computers through Trojans, key loggers and other remote control methods.
In a world where there are all too many horror stories of scammers, we begin to hear about cases of patients using factitious identity or posing as someone else, and using their insurance cards to gain access to cosmetic or medical procedures where the victim becomes responsible for picking up the tab. We are in an environment where a patient rushing their child to be seen for an illness and they say “their spouse has the insurance card” while the front desk feels obligated to let them be seen, and later come to the realization that the practice now has to write-off the costs of the procedures and treatment after realizing that their insurance was terminated or was not even for the right person. An insurance card does not present the practice with a picture ID, and in many cases where a valid license is and can be a requirement for the patient, many seem to not require that verification and increase the risk of false identity. This becomes a bigger issue as much of the current proposed health reform where the practice will not be able to bill the victim for the balance nor their insurance for a case stolen of identity.
External:
For the most part all health organizations have some sort of firewall already established. This is the device that protects them from outside intruders. But without the right hardware, you are left with a firewall that a hacker can easily discover the default password to, and remotely gain access to your network, or even
With that being said, I have found numerous times where health organizations use a common tool that allows them to logon remotely to their servers such Microsoft Remote desktop (RDP) without VPN (Virtual private network). That means that the server is exposed to the internet through a specific port that hackers can attempt to use to gain access. Some cases Brute force is used (where a dictionary of password is used to try several combinations of passwords for the administrative user), others just a matter of a previous employee still having an active account can gain access, take the data and sell it for profit.
While the above two require fairly advanced knowledge of hacking, there are always few simple ones that can truly be a very easy way to tap into your system or infrastructure. Wireless!!! In many cases if you approach a hospital the wireless infrastructure is so advanced and robust that you can actually detect if there is any attempt to connect to the network without being on the safe list of devices allowed, you can even detect if someone plugs in a new wireless network within the hospital wireless range. But the challenge here again, is that we are discussing the vulnerability of some of our small to mid practices. The ones that simply can not justify the cost of a $800 or more for a single access point. These are the cases where a simple low cost access point, that you plug and play allows you to get on a “secured” wireless can easily be cracked. WEP (some of the commonly used encryption methods by small practices) has poor architecture, and has been identified in the hacker community you can find posts that show you “How To Crack 128-bit Wireless Networks In 60 Seconds”.
The consequences:
In previous years, the above threats would have most likely been considered urgent but not important. Let’s face it, there was no real threat out there to begin with. As a matter fact, even the office that was meant to enforce the HIPAA rules had not levied a single penalty against any HIPAA-covered entity in nearly five years since they began its implementation. What has changed that would force everyone to really take a good look on their current security and privacy readiness. Well, as part of the new ARRA few modifications to the law have been made under (Sections 13409-13411):
• Congress gave state attorneys general authorization to enforce the HIPAA thought civil enforcement actions
• It makes the business associates directly responsible for complying with key HIPAA privacy and security provisions. This meant that the cleaning crew, the third party IT support provider, software vendor, accountant and anyone that comes in contact with your infrastructure or medical and insurance information is sharing the responsibility and potentially liable.
• Fines have dramatically increased under the ARRA fines. You maybe imposed to pay up to 50,000 dollars per violation per calendar year and up to 1.5 million dollars.
• HHS is required to impose civil monetary penalties in circumstances where it finds that a HIPAA violation was willful.
• The criminal provisions were expressly made applicable to individuals.
• The HHS Secretary is now required to conduct periodic audits for compliance with the HIPAA Privacy and Security Rules.
Things to do to help you:
• Implement Password expiration and complexity policies
• Implement strict internet use policies for employees
• Ensure that your IT team properly secures your patient data repository services
• Run periodically security auditing tools
• Ensure that you are using antivirus on every piece of equipment that is connected to your network including cell phone as well.
• Ensure that your backups are password protected, encrypted and properly stored
• Ensure that your business associates agreements reflect the new changes and explain to your vendors what they mean and that their liability insurance covers the extent of the fines and costs that can be a result of data breach
• Ensure that your wireless is using stronger encryption method
• Require patients to present photo ID during registration and ensure you have a B&W copy of it (Color copies are illegal in NC).
• Use biometric check-in devices that ensure the identity of the patient if you are looking for a secure and fast way to identify and check-in patients
• Use network appliances that add an additional layer of protection against SPAM, email viruses and block unwanted traffic from web sites.
• Train and educate staff on proper internet use
Conclusion
Whether you are still using paper charts or completely paperless, patient privacy and security must be a high priority in your list, whether the ARRA enforces the new rules or not. Your clients your patient’s data protection must be addressed. It is like having health insurance, without it, you are taking major risks. There are several organizations that provide you with assistance or HIPAA audits. Some of which are freely available online. Your help desk and engineers need to understand the consequence as well as the importance of implementing the right technologies that are proactive in detecting intrusion as well as protecting all assets in your infrastructure.
Reda Chouffani
Subscribe to:
Posts (Atom)
Posts
