Healthcare interoperability has a long way to go, but at HIMSS15, the CommonWell Alliance and others will demonstrate an increasing capability to locate patients and their records across previously incompatible electronic health records systems.
The buzz at the HIMSS15 conference in Chicago April 12 – 15 will be about interoperability, which will join the remaining noise and buzz from last year's HIMSS about population health. The two are linked: No interoperability, and pop health will never scale. Without population health as an outcome, interoperability is just a lot of expensive infrastructure-building without ROI.
Healthcare has always had some level of interoperability, but historically it's been expensive and had great difficulty keeping up with changing technology and business demands.
The IEEE defines interoperability as the capability of systems to work together without special effort on the part of the user. In the computing industry, the goal is "out-of-the-box" interoperability. Pundits point to TCP/IP, the ubiquitous Internet protocol suite that comes out of the box in every computer and server, and in most mobile devices these days.
Healthcare interoperability has a long way to go before its world-changing TCP/IP-equivalent moment emerges. ONC has a draft 10-year roadmap to get us there, and the 10-year clock hasn't even started ticking yet. Meaningful Use Stage 3 attempts to implement a standard here and there, but falls far short of getting the job done in its current draft form.
E-prescribing works today. The ROI on e-prescribing was clear, and compared to moving entire medical records around, it was relatively simple to implement. The success of e-prescribing is cause for hope.
Just this week, I successfully linked my HealthVault personal health record to my LabCorp test results. The toughest part was logging into HealthVault, which I normally use on my iPhone, so the login and password information wasn't top of mind. But I can now see two years' worth of lab data next to the readings I enter myself into HealthVault on my iPhone. That's interoperability that works today.
At HIMSS, the CommonWell Alliance will demonstrate an increasing capability to locate patients and their records across previously incompatible EHRs, and will start publicly showing ways to move not just entire records, but discrete pieces of records, without requiring hospital IT to sift through a lengthy document-oriented update that contains the most relevant and valuable nuggets of fresh data about a patient.
Seven geographies across five states are currently implementing CommonWell record locator and patient matching services. Those are the same two services CommonWell demoed at last year's HIMSS, now being deployed at scale for the first time, according to Jitin Asnaani, CommonWell's new executive director.
Jitin Asnaani, Executive Director, CommonWell
The new CommonWell demo will show how Fast Healthcare Interoperability Resources (FHIR), the emerging HL7 standard at the center of so many interoperability initiatives, can be used to fetch or push those discrete pieces of data I mentioned, such as a recent immunization or vaccination, between providers. (When I tried to get my flu shot last fall, my doctor was out of the vaccine, so I went down to the local pharmacy to get it. But the fact that I got vaccinated never made its way back to my doctor until I told him, months later.)
Asnaani, who in previous jobs built ONC's Standards and Interoperability Framework and Athenahealth's interoperability and population health platforms, envisions the FHIR capability allowing pharmacists to send patient record updates, such as reports that a patient on a heart medication is feeling dizzy.
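To make the "discrete piece of a record" idea concrete, here is an added example (not CommonWell's, HL7's or any vendor's code) of what a FHIR client does to fetch just a patient's immunizations: it builds the search, then reads the returned Bundle. The base URL, the patient id and the sample Bundle are all constructed for illustration. The reader is deliberately strict: it keeps only Immunization resources whose patient reference matches the patient that was asked for, so a mis-scoped or over-broad server response cannot leak another patient's data into this patient's chart.

```python
"""Added example: fetching one discrete record element (immunizations)
over FHIR and reading the response defensively. Nothing here is
CommonWell's or HL7's own code; URLs, ids and data are constructed."""
from urllib.parse import urlencode


def immunization_search_url(base_url, patient_id):
    """FHIR search for one resource type scoped to one patient:
    GET [base]/Immunization?patient=[id]. The query string is encoded,
    not pasted together, so an odd id cannot alter the request."""
    return "%s/Immunization?%s" % (
        base_url.rstrip("/"), urlencode({"patient": patient_id}))


def _refers_to(resource, patient_id):
    """True if the resource's patient reference points at patient_id.
    References may be relative ('Patient/123') or absolute URLs."""
    wanted = "Patient/%s" % patient_id
    ref = resource.get("patient", {}).get("reference", "")
    return ref == wanted or ref.endswith("/" + wanted)


def immunizations_for(bundle, patient_id):
    """Return (date, vaccine code, display) tuples from a search Bundle.
    Entries that are not Immunization resources, or that belong to a
    different patient, are dropped: the client re-checks the server's
    filter rather than trusting that every entry is this patient's."""
    out = []
    for entry in bundle.get("entry", []):
        res = entry.get("resource", {})
        if res.get("resourceType") != "Immunization":
            continue
        if not _refers_to(res, patient_id):
            continue
        # DSTU2 named the administration date 'date'; R4 uses
        # 'occurrenceDateTime'. Accept either.
        when = res.get("occurrenceDateTime") or res.get("date")
        codings = res.get("vaccineCode", {}).get("coding", [])
        code = codings[0].get("code") if codings else None
        display = codings[0].get("display") if codings else None
        out.append((when, code, display))
    return out


# Constructed sample response (not captured from any real system): one
# flu shot for patient 123, plus a stray entry for another patient that
# a correct client must ignore, plus a non-Immunization resource.
SAMPLE_BUNDLE = {
    "resourceType": "Bundle",
    "type": "searchset",
    "entry": [
        {"resource": {
            "resourceType": "Immunization",
            "id": "imm-1",
            "status": "completed",
            "date": "2014-10-20",
            "patient": {"reference": "Patient/123"},
            "vaccineCode": {"coding": [{
                "system": "http://hl7.org/fhir/sid/cvx",
                "code": "140",
                "display": "Influenza, seasonal, injectable, preservative free"}]},
        }},
        {"resource": {
            "resourceType": "Immunization",
            "id": "imm-2",
            "status": "completed",
            "date": "2014-11-02",
            "patient": {"reference": "https://fhir.example.org/base/Patient/456"},
            "vaccineCode": {"coding": [{"code": "140"}]},
        }},
        {"resource": {"resourceType": "OperationOutcome", "id": "warn-1"}},
    ],
}


if __name__ == "__main__":
    print(immunization_search_url("https://fhir.example.org/base", "123"))
    for row in immunizations_for(SAMPLE_BUNDLE, "123"):
        print(row)
```

In a real deployment the Bundle would come back from an HTTPS request to the URL the first function builds; the second function is the part worth keeping, because it is where a receiving system decides what it will let into a patient's record.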
That is if the physician receiving these updates decides he trusts the word and work of the pharmacist, I pointed out to him.
After we spoke, I also wondered if a day would come that a doctor who chose not to incorporate that report into the record would become liable for his decision not to trust that pharmacist, if it was later found that the dizziness presaged a more serious adverse event.
Technology demos aside, we may have a long way to go before these extended care team members are trusted, and treated as colleagues—if not peers—by doctors who don't know them, unless the organizations involved elect to enter into more formal trust relationships.
A Rare Sight
That's where the traditional calls to action, to make healthcare more like the Internet, run into trouble. The Internet can truly be a wonderful, sharing place. It is also the home of innumerable thieves, con men and predators.
We have yet to see an end to the ways crooks can game systems ranging from Medicare to social security, ably abetted by the latest round of medical identity thefts. And they're not just gaming them as pretend-patients, but also as pretend-providers. It's harder to prove a negative, that interoperability not only works, but can't be spoofed or hoodwinked. At HIMSS, ask how the technology you're seeing demoed takes that into account.
While you're on the lookout for CommonWell sightings, swing by the Intermountain or Cerner booths for a look at the latest work of the Healthcare Interoperability Consortium, or HSPC. There you will see a truly rare sight: data being pulled out of Epic EHRs and into demonstration-modified Cerner EHRs.
Even though Epic is part of HSPC, apparently we won't be treated yet to seeing the opposite happening in Epic's booth at HIMSS. It's still encouraging to see that Epic is on board with this effort, unlike CommonWell.
HSPC magic is not yet out of the box, and it's limited to a few specific applications, such as managing sepsis, but HSPC's interoperability demo offers a potentially very nice complement to the CommonWell services. HSPC is actually building an app store where the apps in question will run on more than one EHR. HSPC apps may also end up in the app stores of Epic, Allscripts or others, and help spread Intermountain's sepsis-fighting protocols to other healthcare systems. Tests employing those protocols have already reduced Intermountain's sepsis mortality rates from around 25% to about 5%.
One other interesting tidbit I just learned: HSPC's new bylaws call for a majority of its board members to be drawn from providers, not vendors. CommonWell may represent more than half the market share of inpatient EHRs in the US today, but it is, foremost, a vendor-led organization.
HIMSS also has a whole exhibit area set aside, the Interoperability Showcase, where a bunch more things will be working together on vendor-neutral ground, accompanied by interesting talks, so check that out too. The HL7 booth will also have many excellent interoperability talks.
So happy hunting at HIMSS for that elusive out-of-the-box interoperability. I look forward to the day when I go to the exhibits and see bits of everyone's technology and data running and being accessed in everyone else's booths.
Physician practices and ambulatory care sites have been gravitating to the cloud for years, but Web-based services are now finding hospital-based and even industrywide applications.
This article first appeared in the March 2015 issue of HealthLeaders magazine.
While no cloud-based electronic health record software of note for hospitals has yet to emerge on the scene, cloud-based ambulatory EHRs continue to gain traction, storage remains a strong cloud option, and intriguing new analytics options are tapping the versatility of cloud technology.
On the ambulatory front, cloud adoption has been underway in individual physicians' offices for the past five years, driven by vendors such as athenahealth and Practice Fusion. Lately, these software-as-a-service offerings, deployed as a single instance of software in data centers where multiple users share a common database with appropriate access controls, are finding their way into larger healthcare settings.
At Valley View Hospital in Glenwood Springs, Colorado, CIO Dick Escue is a vocal proponent of cloud technology. In an August 2014 Wall Street Journal op-ed, he argued that healthcare IT needs a major rehab, and that the cloud is a component.
The proposed rule aims "to create more transparency on cost and quality information, bring electronic health information to inform care and decision making, and support population health," says HHS Secretary Sylvia M. Burwell.
The Centers for Medicare & Medicaid Services on Friday afternoon released the proposed rule for Stage 3 of Meaningful Use.
The agency, in a media statement announcing the move, said the proposed rules "will give providers additional flexibility, make the program simpler, and drive interoperability among electronic health records, and increase the focus on patient outcomes to improve care."
"The flow of information is fundamental to achieving a health system that delivers better care, smarter spending, and healthier people," said US Department of Health and Human Services Secretary Sylvia M. Burwell in a statement. "The steps we are taking today will help to create more transparency on cost and quality information, bring electronic health information to inform care and decision making, and support population health."
The announcement was accompanied by the release of two documents: a 301-page proposed rule on requirements for hospitals and providers, and a 431-page proposed rule on new 2015 Edition EHR certification requirements. Public comment on both proposals is due by May 29.
Under the proposed rules, eligible professionals, eligible hospitals, and critical access hospitals would have to meet new criteria to qualify for Medicaid EHR incentive payments. Providers would also be required to meet new criteria to avoid Medicare payment adjustments based on program performance beginning in payment year 2018.
"This Stage 3 proposed rule does three things: it helps simplify the Meaningful Use program, advances the use of health IT toward our vision for improving health delivery, and further aligns the program with other quality and value programs," said Dr. Patrick Conway, MD, CMS acting principal deputy administrator and chief medical officer. "And, in an effort to make reporting easier for health care providers, we will be proposing a new Meaningful Use reporting deadline soon."
"ONC's proposed rule will be an integral component in the shared nationwide effort to achieve an interoperable health system," said Karen DeSalvo, MD, national coordinator for health IT. "The certification criteria we have proposed in the 2015 Edition will help achieve that vision through provisions that consider the range of health IT users and uses across the care continuum, including those focused on interoperable standards, data portability, improved transparency, privacy and security capabilities, and increased oversight through ONC's Health IT Certification Program."
Since the Meaningful Use program began in 2011, more than 433,000 eligible professionals and eligible hospitals, representing about 60% of eligible professionals in either the Medicare or Medicaid programs and about 95% of eligible hospitals, have received an incentive payment.
The Stage 3 proposed rule's scope is generally limited to the requirements and criteria for Meaningful Use in 2017 and subsequent years. CMS is considering additional changes to Meaningful Use beginning in 2015 through separate rulemaking.
Among the highlights of the proposed Meaningful Use Stage 3 rule:
Starting in 2018, all providers will report on the same definition of Meaningful Use at the Stage 3 level, regardless of their prior participation.
While Stage 3 will be the final Meaningful Use stage, ONC and CMS will continue to modify the program's requirements in subsequent years to achieve further aims of the program.
Starting in 2017, hospitals and providers will attest on a calendar year reporting period. Currently, hospitals attest on a fiscal year reporting period. CMS says the change will simplify reporting. The agencies may still require hospitals to report in the October 1–December 31, 2016 period "depending on future rulemaking."
Starting with Stage 3, providers are being required to implement five clinical decision support interventions related to four or more quality measures and report that as part of their Meaningful Use attestations. Such reporting is consistent with the intent of Stage 3 to move beyond process compliance toward improving clinical outcomes, using the care coordination and health information exchange technology made possible in Meaningful Use certified products.
The proposed rule will further align Meaningful Use with other CMS quality reporting programs that use certified EHRs, such as Hospital Inpatient Quality Reporting (IQR) and the Physician Quality Reporting System (PQRS).
Medicaid providers demonstrating Meaningful Use for the first time will be able to report in any continuous 90-day period, instead of reporting in a calendar quarter.
Providers may remain on 2014-Edition certified EHRs through 2017. If they wish, they may opt to move to 2015-Edition certified EHRs for the 2017 calendar year in order to begin attesting for Stage 3 a year early, while others opt to remain at Stage 2 in 2017. In 2018, Stage 3 attestation would be mandatory for all.
While many menu options in Stage 2 become mandatory in the proposed Stage 3, numerous recommendations in the proposal provide various circumstances where providers may skip or fail certain objectives and still avoid certain downward payment adjustments.
Responding to criticisms of Stage 2's requirement that patients need to view or download health records via patient portals, the agencies propose to certify certain application program interfaces (APIs) for certified EHRs which will enable patients to use third-party applications, such as PHRs, to view and download their medical record data, and thus allow providers to fulfill these requirements that way as well as via portals.
Critical and Cautious Reaction
While the weekend left little time for interested organizations to fully evaluate the proposed rule, early reactions sounded a cautionary tone.
"They've kind of thrown the gauntlet down and said everybody will be there by 2018," says Russ Branzell, chief executive officer of the College of Healthcare Information Management Executives (CHIME). "The question is then, if you're delayed or you've had other problems or conversions, can people really make it? I'm mostly talking about the providers, not the hospitals. Can they really make it to Stage 3 by 2018? Or will they just give up, which we saw some pretty serious indications of giving up the last fiscal year for everybody."
Still, Branzell praises some flexibility introduced by the Stage 3 proposal. "You don't have to use a specific way of reporting transitions of care [and] coordination of care." He cites the failure of many public health information exchanges, despite five years of funding and development, as a reason for providing more flexibility on Meaningful Use's interoperability requirements.
In a statement, the American Medical Association said it is evaluating the proposed rules. The organization "hopes that policymakers have included recommendations from our blueprint to improve the Meaningful Use program for patients and physicians," said president-elect Steven J. Stack MD. "This includes making the program more flexible, removing requirements that are making it difficult for physicians to successfully participate, and increasing focus on the functional interoperability of EHRs. We want to see this program succeed and will continue ongoing dialogue with policymakers to ensure Meaningful Use delivers intended advances in patient care and practice efficiencies."
The American Hospital Association is taking a more negative stance.
"Hospitals are implementing electronic health records at a brisk pace in order to improve patient health and healthcare, but they must do so under the crushing weight of government regulations," stated Linda E. Fishman, AHA senior vice president of public policy analysis and development.
The proposed rule "demonstrates that the agency continues to create policies for the future without fixing the problems the program faces today," Fishman stated. "In January, CMS promised to provide much-needed flexibility for the 2015 reporting year, which is almost half over. Instead, CMS released Stage 3 rules that pile additional requirements onto providers. It is difficult to understand the rush to raise the bar yet again, when only 35% of hospitals and a small fraction of physicians have met the Stage 2 requirements."
AHA and CHIME urged CMS to release the 2015 flexibility rules immediately. Those rules, which CMS officials indicated are being written, would shorten the 2015 fiscal year reporting requirements for Meaningful Use from 365 days to 90 days.
The American College of Cardiology, in a statement, took issue with the proposed move to have all providers in 2018 start with Stage 3-level reporting, even if it was their initial year of participation.
"Implementing an EHR system in a physician practice or a hospital is not as simple as flipping a switch; it takes time, financial investment, careful consideration and planning, as well as education for all staff," said Kim Allan Williams Sr., MD, president of the 49,000-member medical society. "The program must take this learning curve into consideration."
Hospitals are ill-equipped to own and operate their own cell-signal-extending equipment inside their facilities. The right network service provider can get the job done and raise reliability to carrier-grade levels.
Wi-Fi has been an essential element of information technology infrastructure for nearly 20 years, but in the quest for ever-more-reliable IT, healthcare organizations are opting for in-building cellular networks that increase uptime and could possibly save lives.
It wasn't that many years ago that hospitals banned the use of mobile phones inside hospitals, initially out of fear that they would interfere with everything from delicate medical equipment to someone's pacemaker. Many of those fears were overblown, but over time, interference among devices seems to have been lessened by smarter embedded radios, coupled with a diminishing number of reports of interference.
Users flat-out demanded to use their cell phones in hospitals. And just as over time, it has become OK to use mobile phones upon landing and while taxiing to the airport gate, mobile phone restrictions in hospitals gradually evaporated.
The question then turned to how to get stronger cellular signals in those areas of the hospital where reception was poor.
"Hospitals are great big thick dark facilities with areas that have lead-lined walls and steel mesh and all sorts of things that are just the ultimate enemy for a cell phone," says James Plugfelder, senior director of IT, network, and communications at Banner Health.
This can pose problems.
"A good example is an obstetrician who's got a mother that's just about to give birth," Plugfelder says. "It could be now, could be next day, but she's already in the hospital, and he's sitting in a meeting room having a conference, and the mother goes into distress, and they reach out to his cell phone, and it doesn't work, because he's in a basement conference room, and they can't get a hold of him. That's actually a real story, and those are the things that my team is all about—humans and devices communicating with each other."
In order to improve service in basements and heavily shielded areas, hospitals had to think well beyond the capacity of the neighborhood's local cell towers. But gone are the days when some slap-dash, in-building cellular signal-booster could perform this task, in hospitals or in any building, for that matter.
Since the cellular frequencies are spectra licensed by the Federal Communications Commission, such boosters were illegal anyway, unless sanctioned by the carriers who license those frequencies from the federal government.
But hospitals are ill-equipped by themselves to negotiate with cellular carriers, or to own and operate their own cell-signal-extending equipment inside their facilities.
So Banner turned to ExteNet, a company which acts as interface to the carriers. ExteNet also builds, installs, owns, and operates in-building, distributed-antenna cell services, not only for hospitals, but for a variety of venues such as sports, entertainment, and hospitality services.
Seven Nines
By adding ExteNet equipment and services, Banner could aim for a goal that had eluded the health system despite the fact it had 7,000 wireless access points of its own covering 14 million square feet of hospital.
Until that point, Banner's "patient-grade networking" initiative had achieved "five-nines [99.999%] reliability," Plugfelder says. That meant Banner network users could expect no more than five minutes and 15 seconds of unplanned downtime per year. "That is still too much of an impact on patients' lives for us to consider it," he says. "So we actually shoot for a seven-nines [99.99999%] outage, which is 3.15 seconds of downtime per year."
The flexibility of wireless is part of the solution. "When you've got a wired network, you do have a physical machine with a physical cable that plugs into a physical port somewhere, and when that goes down, you've lost your connection," Plugfelder says.
"In the lovely world of wireless, if we lose any particular single component in our network, wireless clients actually adapt pretty nicely, because they can simply roam to another functioning piece of our network. So in some cases, even though it's more complex, we've had some real good luck with patient-grade networking on the wireless side."
But if Banner were to rely simply on unlicensed spectra, something as mundane as a rogue microwave oven could clobber the network. (Microwave ovens, though normally shielded, can act as giant transmitters on the same frequency as Wi-Fi or Bluetooth when those ovens are damaged or malfunctioning.)
In smaller, single-floor clinics of perhaps 200,000 square feet, reamplifying cell signals from a nearby tower can be a fairly straightforward way to enhance cellular service inside. "When you're getting into million-square-foot facilities, not only do you need to make the signal brighter, but you might need more bandwidth than what that cell tower can handle," Plugfelder says.
The ExteNet gear is engineered in a way that handles the load of users inside the building, but doesn't interfere with the carriers' existing outdoor services.
Gradually, Banner is bringing up all four major U.S. cellular carriers on this hardware, starting with Verizon. Each carrier has its own particular set of technical criteria, which is why it isn't as simple as flipping a single switch to bring up all four at once.
I asked Plugfelder how Banner calculates its return on investing in ExteNet's services. "One way we do it is to take a look at it the negative way, and that's to say, what's the cost of downtime in heartbeats? What really drives our team is, what's the cost of this in regards to patient lives?"
Which brings up the hard-to-reach obstetrician story again. And as Plugfelder points out, Banner is also leading the way in efforts such as its eICUs, where an outage in a "five-nines" situation could impact 1 in 166 alerts during a 14-hour window.
"That's significantly more risky than you commuting for 30 years, [and] more risky than you Bungee-jumping or hot air ballooning or SCUBA diving," he says.
Thus the move to "seven nines" and enhancing in-building cellular coverage.
So the next time a vendor tells you that cellular is going away and everything is going to exist on some mythical "medical-grade" unlicensed spectra product or service, tell them about Banner, which has a 10-year agreement with ExteNet, and expects the need for licensed cellular spectra to be there that long.
Of course, Wi-Fi isn't going away. The two wireless approaches will also complement each other, as they have done in the past.
The ONC's Interoperability Standards Advisory gives providers some things they can start demanding from their vendors and service providers, and gives those same vendors and service providers some notion of which products and services customers will actually buy.
Are your health IT systems using SNOMED-CT? How about RxNorm? How about the HL7 Consolidated CDA?
Steve Posnack, Director, Office of Standards and Technology, ONC
Until May 1, you have a chance to weigh in on these and numerous other industry standards which, as likely as not, will eventually find their way into regulation as required technical standards in health IT systems in the U.S.
But so many providers and vendors demanded it that this non-regulatory advisory document found its way out at the same time as the Roadmap, offering solace to the health IT community, which for ages has yearned for ONC to put some stakes in the ground. Some of these standards are already baked into Meaningful Use, some are not, and some are simply better defined in the Standards Advisory.
And while the work of the Roadmap itself will ultimately have the larger, more profound impact on the future of health IT interoperability, the Standards Advisory gives providers some things they can start demanding from their vendors and service providers, and gives those same vendors and service providers some notion of which products and services customers will actually buy.
The deadline for comments on the Roadmap is 5 p.m. ET on April 3, but you have until 5 p.m. ET on May 1 to comment on the Standards Advisory.
Last month, I met with Steve Posnack, director of ONC's office of standards and technology, in Washington D.C. "One of the things that came out of the early part of the roadmap process from the vision paper coming out [last summer] was there was a lot of stakeholder engagement," he told me.
"We did listening sessions [and] an online public comment experience, and in that experience, with different stakeholders, there were questions of [such as], 'Where do we go to find standards? What can we use for X? What can we use for Y? Can ONC help? Can ONC provide guidance?'"
The Standards Advisory, to be updated annually each December, is an "interactive, collaborative process with the industry to identify standards," Posnack says. "It all evolved in real time, as we were looking at some of the elements of the three-, six- and ten-year Roadmap milestones, and what we could provide to the industry to get the conversation going."
Being an advisory document and not a regulatory one, it is a chance for the health IT industry to get some standards right without all the regulatory overhead that goes into rulemaking and publishing proposed rules in the Federal Register. "It's an opportunity for us in a more incremental way to work with the industry to give them a body of work that everyone can rely on," Posnack says.
After the public comment period on the 2015 Standards Advisory closes on May 1, ONC's Health IT Standards Committee will have its own opportunity to weigh in on the document before it is finalized, well in time for the 2016 Standards Advisory to be written for an initial December release.
"Our intent would be to issue this on an annual basis, so people have an expectation, some predictability, that every December is when we plan on putting out the next one, that they would be available for public consumption," Posnack said.
Although ONC chief Karen DeSalvo, MD, describes the Standards Advisory as "sub-regulatory" instead of "non-regulatory," it's probably a distinction without a difference, even in Washington. The point is that nothing in the Standards Advisory is regulatory.
But, as ONC looks for things that could be adopted as criteria for certifying future products and services to advance interoperability, the Standards Advisories already vetted by this cooperative process between government and the governed are a natural place for ONC to look.
For instance, if ONC wants to write a regulation governing e-prescribing, it could look to the Standards Advisory. Posnack says the public "has an expectation that we're going to look to the advisory first, and not necessarily be a surprise to anyone, that things we're going to be picking off are going to be there."
That's not to say that all the answers are in the Standards Advisory. For example, there are at least two ways to transfer data from one EHR information silo to another. One such standard is Direct, listed in the Standards Advisory as "a simple way for participants to 'push' health information directly to known, trusted recipients."
But elsewhere in the document, an alternative of sorts, HL7's Fast Healthcare Interoperability Resources (FHIR), is offered as "data element based query for clinical health information." Though the protocols are different, both could be used to accomplish the same task of moving EHR data from silo A to silo B.
"Direct is going to be great for some purposes, and FHIR is going to be great for others," Posnack says. "And they're each going to rely on other standards that we've named in there, to be paired with them to get the job done."
Standards being standards, it will also be true that once you go one way or the other, the pairings you end up choosing will make things a bit more complicated than just choosing individual standards from the list.
Dependencies, which complicate life for IT administrators and programmers everywhere, rear their heads at this point. No one ever said interoperability made things simpler in the short run. No doubt, some in the public comment period will call for less optionality, but as the ONC considers that, it also runs the risk of alienating some group or other with its own pet standards.
Grumbling in Congress is already kicking in. "Instead of offering specific objectives, deadlines, and action items, ONC's roadmap falls short on the nitty gritty technology specifics that vendors and providers need when developing IT products," wrote Senators John Thune, Lamar Alexander, Pat Roberts, Richard Burr and Mike Enzi in Health Affairs on March 4.
Get ready for a severe irony alert: This is the same Congress that has done so much already to stymie healthcare interoperability by prohibiting any sort of national patient ID from being created. I and a lot of providers would suggest that before Congress passes harsh judgment on this current round of Roadmap and Standards Guidance efforts, it look to wrestling with the very real work of crafting a national ID we all can live with.
For now, the Standards Advisory, and even the Roadmap itself, are quiet on the subject, since they are restricted by law from doing anything about it.
One more hopeful thing DeSalvo mentioned and Posnack confirmed while I was in Washington: ONC has a "certification sandbox" website where developers can access ONC's reference implementations of various standards and test their products and services against them.
"Ultimately, our hope is that we can, again as a coordinator, help the industry consolidate testing assets," Posnack says. "We don't need to have them all on our website, but we can point people to the right places."
So while we're laboring to get healthcare's three-, six-, and ten-year interop Roadmap defined, and figure out where software certification itself is headed, it's nice to know there's also a place that vendors and others can all go to test out some things today. Since heavy regulations aren't coming any time soon if at all, it's the best interoperability game in town right now.
The massive Anthem data breach reported last month has been having a ripple effect throughout the healthcare industry. Security experts offer five steps to take now.
Worries about data security have been piling up in the minds of CIOs the past three weeks like record-setting snows falling on New England.
"Security is an incredibly hot topic," says Marc Probst, chief information officer at Intermountain Healthcare. "Anthem takes it to a whole new level of consciousness."
Probst, of course, is referring to revelations last month that Anthem suffered a breach of 80 million member and employee records. Since the revelations, healthcare and related organizations have been subjected to an unprecedented number of scams and schemes, as bad guys, armed with names, Social Security numbers, and income data, have tried to defraud insurance companies of various benefits, including bogus workers' compensation claims.
Due to the interconnectedness of healthcare, this means that the Anthem breach has been having a ripple effect throughout most of U.S. healthcare, and that has Probst, other security consultants, and even trade associations such as HIMSS sounding the alarm as never before.
It's hard for them to even be heard among the noise of an entire industry of security vendors and consultants seeing dollar signs, and the whole thing threatens to dissolve into a constant drone of background warnings and whining. So what can really be done?
Here are five concrete suggestions.
1. Update SSL Certificates
After talking to consultants such as CynergisTek's Mac McMillan and email security expert Hoala Greevy, I would recommend that every organization run its public-facing hosts through the SSL Labs Web site to confirm that its certificates are current and that its servers negotiate only current versions of TLS, not obsolete SSL, so that transactions over the Internet are both encrypted and trusted.
There's no indication that out-of-date SSL/TLS code led to the Anthem breach, but not addressing this defect could cause potential provider or payer partners to doubt your sincerity about at least locking the doors and closing the windows on your digital domains, even if you've got stronger measures working somewhere inside.
"If [potential partners] run that scan, they would get an appreciation for whether or not that person that they're getting ready to connect could potentially be a vulnerability, a back door into their environment," McMillan says.
In my own informal survey, I found several major payers who currently receive an "F" grade from SSL Labs for running an outdated version of SSL or for possessing a vulnerability to attacks. In response, one payer says that the SSL Labs test doesn't actually show the defense-in-depth capabilities of a Web site that would prevent attackers from getting very far despite the reported SSL vulnerability.
Still, McMillan says, "when we go in and test hospitals, we routinely find old SSL certificates, old versions of SSL. They just don't keep up. It's very common to find two or three different versions of SSL in their environment and more than half of them are obsolete."
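The check McMillan describes can be scripted rather than run by hand against one site at a time. The Python below is an example added here; it is not code from SSL Labs, CynergisTek or any vendor named on this page. It pins a client to one protocol version at a time to learn which versions a server still negotiates, turns the results into the findings a scan report would list, and reads the certificate's notAfter date to see how long it remains valid. It uses only the standard library; the target host on the command line, the thresholds and the finding wording are this example's own choices.

```python
"""Added example: which TLS versions does a server accept, and when does its
certificate expire? Standard library only."""
import socket
import ssl
import time

# Versions this client can offer, newest first. Modern OpenSSL builds cannot
# offer SSLv2 or SSLv3 at all, so a server still speaking those must be
# checked with an external scanner such as SSL Labs.
PROBE_VERSIONS = (
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
)
OBSOLETE = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}   # should be refused
MODERN = {"TLSv1.2", "TLSv1.3"}                       # at least one required


def probe_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to `version`, False if
    it refuses, None if the local OpenSSL cannot even offer that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Trust is not the question in this probe; only protocol support is.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None
    try:
        # TLS 1.0/1.1 need cipher suites that OpenSSL's default security
        # level refuses to offer; lower it so the legacy probe can succeed.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def scan_host(host, port=443):
    """Map version name -> probe result for every version we can offer."""
    return {name: probe_version(host, port, ver) for name, ver in PROBE_VERSIONS}


def protocol_findings(results):
    """Findings an SSL Labs-style report would list for these probe results.
    `results` maps version name -> True / False / None."""
    enabled = {name for name, ok in results.items() if ok}
    findings = []
    if enabled & OBSOLETE:
        findings.append("obsolete protocol enabled: "
                        + ", ".join(sorted(enabled & OBSOLETE)))
    if not enabled & MODERN:
        findings.append("no modern TLS (1.2 or 1.3) offered")
    return findings


def cert_days_remaining(cert, now=None):
    """Days until the certificate expires (negative once it has).
    `cert` is the dict SSLSocket.getpeercert() returns for a verified peer."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return (expires - now) / 86400.0


def fetch_cert(host, port=443, timeout=5.0):
    """Verified handshake against the default trust store; returns the
    peer certificate as a dict (empty if verification is disabled)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed host
    results = scan_host(target)
    label = {True: "accepted", False: "refused", None: "not testable here"}
    for name, ok in results.items():
        print(f"{name:8s} {label[ok]}")
    for finding in protocol_findings(results):
        print("FINDING:", finding)
    print(f"certificate expires in {cert_days_remaining(fetch_cert(target)):.0f} days")
```

Run it as `python tlscheck.py hostname`. Two caveats a practitioner should keep in mind: the client can only report on versions it can itself offer, so a server still accepting SSLv3 will not show up from a modern workstation, and protocol support is only one line of a scan report; cipher strength, certificate chain and known implementation flaws are the rest of what earns an "F".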
2. Adopt the DMARC Standard
It is time for healthcare as an industry to adopt DMARC, the Domain-based Message Authentication, Reporting and Conformance standard. DMARC lets a domain owner publish, in DNS, a policy that tells email receivers how to handle messages claiming to come from that domain but failing authentication under the well-known SPF and DKIM mechanisms, and where to send reports about them.
Using DMARC, senders get consistent authentication results for their messages across email providers, and experts tell me it greatly reduces the odds of phishing attacks being launched, from outside or from within healthcare organizations, under a healthcare organization's own domain name. The caveat is that DMARC covers only the exact domain in the From header; lookalike domains still need other controls.
A recent survey by one DMARC security company, which scanned myriad email headers, reported that emails which appear to be from healthcare companies are four times more likely to be fraudulent than those appearing to come from social media companies, which it attributed to healthcare's lagging adoption of DMARC.
Here too, we don't know if failure to act contributed to the Anthem breach. But since these attacks appear to be more sophisticated than yesterday's simplistic security-certificate and phishing attacks, the healthcare industry can't stop there.
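What DMARC adds on top of SPF and DKIM is identifier alignment: the domain that passed SPF or signed with DKIM has to match the domain in the visible From header, and the published record tells the receiver what to do when neither does. The Python below is an example added here, not drawn from any DMARC vendor, from the survey mentioned above, or from any mail software; it parses a DMARC record and applies the alignment rules to authentication results a receiver already has. The DNS lookup that fetches the record, the domain names, and the two-label shortcut for the organizational domain are this example's own assumptions.

```python
"""Added example: parse a DMARC record and apply identifier alignment to
SPF and DKIM results. Standard library only; the DNS query for
_dmarc.<domain> is left out."""

DEFAULTS = {"adkim": "r", "aspf": "r", "pct": "100"}
DISPOSITIONS = {"none", "quarantine", "reject"}


def parse_dmarc(txt):
    """Parse a TXT value such as 'v=DMARC1; p=reject; rua=mailto:...'.
    Returns a tag dict with defaults filled in, or None if the value is not
    a usable DMARC record (wrong version tag, missing or invalid policy)."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    if tags.get("p") not in DISPOSITIONS:
        return None
    for key, value in DEFAULTS.items():
        tags.setdefault(key, value)
    return tags


def organizational_domain(domain):
    """Assumption made for this example: the last two labels. Real receivers
    consult the Public Suffix List so that 'example.co.uk' is not collapsed
    to 'co.uk'."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment. Strict ('s') requires an exact match with
    the From domain; relaxed ('r') requires the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower().rstrip(".") == auth_domain.lower().rstrip(".")
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_disposition(record, policy_domain, from_domain,
                      spf_result, spf_domain, dkim_result, dkim_domain):
    """Decide one message. `policy_domain` is where the record was found (the
    From domain or its organizational domain); `spf_domain` is the MAIL FROM
    domain SPF evaluated; `dkim_domain` is the d= of a signature that
    verified. Returns (dmarc_result, disposition)."""
    if record is None:
        return ("none", "none")      # nothing published: receiver's usual handling
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, record["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "none")
    policy = record["p"]
    # sp= governs mail whose From domain sits below the domain the record
    # was published for.
    if from_domain.lower() != policy_domain.lower() and record.get("sp") in DISPOSITIONS:
        policy = record["sp"]
    # pct= asks receivers to apply the policy to only a sample of failing
    # mail; sampling is omitted here, so the full policy is returned.
    return ("fail", policy)


if __name__ == "__main__":
    rec = parse_dmarc("v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; "
                      "rua=mailto:dmarc-reports@example.com")   # constructed record
    # Forged From header: SPF and DKIM both pass, but for the attacker's domain.
    print(dmarc_disposition(rec, "example.com", "example.com",
                            "pass", "attacker.net", "pass", "attacker.net"))
    # Legitimate bulk mailer using a bounce subdomain under relaxed SPF alignment.
    print(dmarc_disposition(rec, "example.com", "example.com",
                            "pass", "bounce.example.com", "fail", None))
```

The second case is the one that trips up organizations rolling DMARC out: a perfectly legitimate third-party mailer can fail alignment if it signs with its own domain and bounces through its own, which is why the usual advice is to start at p=none, read the aggregate reports for a few weeks, and only then move to quarantine and reject.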
3. Reconsider the Penalties
Policy makers in Washington, starting with ONC, need to consider whether current statutes, which throw the penalty book at organizations for data breaches, are in fact exacerbating the problem and robbing these organizations of the very resources they need to boost their security efforts.
"Currently the government's practice is one of, 'we're just going to penalize the providers and payers any time a breach occurs or if we find some kind of a deficiency within that organization,'" Probst says.
"I understand why they do that, but given the breadth of what's happening, given the fact that the DoD's been hacked, wouldn't it be a nice time to change the focus from that massive stick—lots of time spent justifying why you did or didn't do what you did—to one of, 'how do we work together to solve the problem?'"
4. Communicate Better and Sooner
As we are rethinking the carrot-and-stick approach, it's time for healthcare to have a real-time mechanism for disseminating threat data to healthcare organizations.
"That's a real challenge," says Lisa Gallagher, vice president of technology solutions at HIMSS. "If we're going to expect that healthcare organizations are going to be looking at four or five different sources of threat data, it's not going to work."
Organizations such as CERT and the members-only HITRUST group provide some insights, and a myriad of security companies will promise to bring threats to your attention faster and better than anyone else will, but providers don't have time or resources to check half a dozen sources daily.
They need a single source, and that source needs to efficiently disseminate not just the findings of healthcare organizations, but of the top security agencies in the US, including the NSA and the FBI.
5. Address Encryption and Access Control
Healthcare needs to have a conversation about encryption and access control. It's cost-prohibitive to encrypt everything, which is why it isn't a ubiquitous practice. Anthem has taken some knocks for not encrypting its 80 million records, but typically, data centers haven't encrypted at that scale, and encryption at rest would not have stopped an intruder holding valid credentials, for whom the system decrypts data on request.
Access control is offered as an alternative of sorts, the thinking being, if a bad guy does get in, the credentials he steals or spoofs should only allow him to get at a smaller number of unencrypted records, not 80 million. Data loss prevention technology can at least tell executives how much data is going out the door, and escalate alarms while a breach is in progress.
Finally, everyone going to HIMSS next month should visit the show's new Cyber Security Command Center, a nice complement to the Interoperability Showcase, to quiz their cybersecurity knowledge. Even once we know what caused the Anthem breach, security is going to remain everyone's problem for a long time to come.
The healthcare industry has yet to transition to a paperless model, but leading organizations have been achieving some success.
This article first appeared in the January/February 2015 issue of HealthLeaders magazine.
While electronic health records are helping to move the industry toward being paperless, the goal remains elusive, if not unlikely. Complicating the effort is that certain documents, including those created and forwarded by payers, researchers, and administrators, live outside the electronic health record.
The EHRs themselves have limited capabilities to search and organize scanned paper records, many of which are still stored as images, while others go through optical character recognition (OCR) or intelligent character recognition (ICR) in order to be indexed and searched.
Two efforts that promise to unlock and organize unstructured text are natural language processing (NLP) and IBM's Watson, a set of parallel-processing, cloud-based machine learning technologies. But while these futuristic technologies evolve toward maturity, providers are finding simpler tools to index, organize, search, and present information culled from unstructured, machine-readable documents as a way to coordinate care, speed compliance, and accelerate research such as clinical trials.
But will the massive data breach really signal that business as usual is over when it comes to healthcare data security?
That sound you hear is last week's breach of 80 million member and employee records from Anthem sucking all the oxygen out of the healthcare IT conversation.
Anthem faces a minimum of $100 to $200 million in costs to fix the harm done by unknown criminal hackers who managed to exfiltrate names, Social Security numbers, and income data of customers and employees.
That financial liability could go much higher. USA Today reports that attorneys have filed lawsuits in four states: Indiana, California, Alabama and Georgia. Others are certain to follow.
But will the breach really signal that business as usual is over when it comes to healthcare data security? Less than two months ago, I highlighted the cautionary end-of-year advice of a variety of security firms, all hopeful that past breaches at Sony, Home Depot, Target, and Community Health Systems served as healthcare's wake-up call. But not so fast, apparently.
Anthem may have had appropriate safeguards in place, and if so, will not face civil penalties. But it is far from clear that appropriate safeguards were in place. Consider the following:
More than 90% of data breaches in the first half of 2014 were preventable, according to the Online Trust Alliance.
Anthem (then Wellpoint) was fined $1.7 million by HHS in a 2010 breach which affected 612,000 people.
One report offers evidence that the Anthem breach began as long ago as April 2014, which suggests that Anthem was the target of an advanced persistent threat (APT). More on that in a second.
As in December, security experts quickly jumped in last week to offer a range of explanations and speculation for the press to digest. One such firm, Cigital, has admirers well beyond healthcare, having consulted with financial institutions, insurance companies, and other IT heavy hitters.
Last Friday, I asked internal CTO John Steven if he thought the Anthem breach had the earmarks of an APT. His answer: Maybe, but it may be more complicated than that.
More than 80% of the attacks organizations face are at the application level, which means the attacker has not only mapped the target company's network, but is looking at specific applications and is attacking those applications directly, using the way the application is built.
"Many of these applications were never written with security hygiene in mind, so they're able to be penetrated without [APT] kind of persistence" or the backing of a rogue nation-state that APT often can require, Steven says.
Cigital itself retains Anthem as its health insurer. "Given the complexity of operations in the healthcare industry and the variety of regulations, which focus heavily on identity and access management, an enormous amount of resources are spent on security architecture," Steven says.
"As a result, successful attacks on healthcare organizations are even more surprising than attacks on retail or other industries.
"Organizations should focus more time and attention on hardening key systems rather than blanketing their entire portfolio with commodity assessments. Counter the threat with the correct weapon: SaaS scans aren't ever going to stop concerted attackers."
A lot of initial reaction focused on the possibility that Anthem did not encrypt its data, trusting it to be protected behind a firewall. But access control is the game these days. Steven notes that an encrypted laptop is prey to wholesale data exfiltration if the attacker is able to guess the password of the laptop.
Some media accounts suggest some Anthem employees were phished—fed bogus emails that sent them to Web pages that delivered malicious payloads to the employees' computers. These payloads very well could have included key loggers that captured logins and passwords. Once in, it's as if the attackers had logged into that encrypted laptop, and at that point, had widespread access privileges to grab and exfiltrate entire databases.
Even if Anthem didn't have these problems, too many companies have yet to institute fine-grained, role-based access controls that limit the damage a key logger can do. For example, such access controls could restrict lower-level employees' ability to see medical records they are not entitled to or expected to see.
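The "smaller number of records" argument made about access control earlier on this page, and the fine-grained, role-based controls described here, come down to two checks at the data-access layer: does this role have a legitimate relationship with this patient, and is the size of the request plausible for the role at all. The Python below is an example added here; it is not Anthem's code or any EHR vendor's. The roles, their visible fields, the per-request caps and the patient records are all constructed for it.

```python
"""Added example (not code from Anthem or any vendor): role-scoped access
checks that bound what a single stolen credential can read."""
from dataclasses import dataclass

# Constructed records. In a real system the care-team and claim assignments
# come from the scheduling and claims systems, not a module-level dict.
PATIENTS = {
    "p1": {"name": "Pat One", "ssn": "***-**-1111", "dx": "asthma"},
    "p2": {"name": "Pat Two", "ssn": "***-**-2222", "dx": "diabetes"},
    "p3": {"name": "Pat Three", "ssn": "***-**-3333", "dx": "hypertension"},
}
CARE_TEAM = {"p1": {"dr_a"}, "p2": {"dr_a", "rn_b"}, "p3": {"rn_b"}}
CLAIMS = {"p3": {"clerk_c"}}

# role -> (fields the role may see, how its patient scope is decided,
#          maximum records in one request). Values are this example's.
ROLES = {
    "clinician":    ({"name", "dx"}, "care_team", 50),
    "claims_clerk": ({"name", "ssn"}, "claims", 20),
    "analyst":      ({"dx"}, "any", 1000),   # de-identified view only
    "dba":          (set(), "none", 0),      # runs the system, reads no PHI
}


class AccessDenied(Exception):
    pass


@dataclass(frozen=True)
class User:
    user_id: str
    role: str


def in_scope(user, patient_id):
    """True if the user has a legitimate relationship with this patient."""
    _, scope, _ = ROLES[user.role]
    if scope == "any":
        return True
    if scope == "care_team":
        return user.user_id in CARE_TEAM.get(patient_id, set())
    if scope == "claims":
        return user.user_id in CLAIMS.get(patient_id, set())
    return False


def read_records(user, patient_ids, audit):
    """Return only the fields and patients the role allows, and refuse an
    oversized request outright instead of quietly serving part of it.
    Every decision, allowed or denied, is appended to `audit`."""
    allowed_fields, _, cap = ROLES[user.role]
    if len(patient_ids) > cap:
        audit.append((user.user_id, "DENIED_BULK", len(patient_ids)))
        raise AccessDenied(f"{user.role} may read at most {cap} records per request")
    result = {}
    for pid in patient_ids:
        if pid not in PATIENTS or not in_scope(user, pid):
            audit.append((user.user_id, "DENIED", pid))
            continue
        result[pid] = {k: v for k, v in PATIENTS[pid].items() if k in allowed_fields}
        audit.append((user.user_id, "READ", pid))
    return result


if __name__ == "__main__":
    trail = []
    print(read_records(User("dr_a", "clinician"), ["p1", "p2", "p3"], trail))
    try:   # a keylogged clinician login cannot be turned into a bulk dump
        read_records(User("dr_a", "clinician"), [f"p{i}" for i in range(200)], trail)
    except AccessDenied as err:
        print("blocked:", err)
    for entry in trail:
        print(entry)
```

Two design points matter more than the specific numbers. Scope is decided by relationship data the application already holds, so a clinician whose password was captured still sees only their own patients, and the database operator account sees no patient data at all, which is the account an attacker with a foothold most wants. And an over-cap request is refused and logged rather than truncated, so the attempt itself becomes the signal.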
On the provider side, team-based care makes it difficult for employee access to be so restricted, says George McCulloch, executive vice president of membership and professional development at CHIME. McCulloch, former deputy CIO at Vanderbilt, is also CHIME's point staff person during the formation of the Association for Executives in Healthcare Information Security (AEHIS), which launched last year.
"We're seeing a lot of breaches where people inside, either people that are not happy at their jobs, they disclose information, or, in a lot of cases, [launch] spear phishing attacks," McCulloch says. "It's a very challenging environment. There are lots of threats. There are a lot of holes to plug. And it's a question of people, process, and technology."
As McCulloch talks to CISOs around the U.S., a common theme he's finding is that they lack adequate funding to acquire security technology and the qualified people to manage that technology.
"The other big component is education of employees about things they should and shouldn't do, particularly if it's a phishing attack or something from the outside," he says.
With some CIOs—including Anthem's, according to one report I read—lacking deep security experience, more health systems are hiring CISOs to oversee implementation of the finer-grained access controls needed to protect against sophisticated attacks, yet still permit free flow of information between authorized users and patients.
Ultimately, a combination of algorithms and alert security personnel will be more closely looking for unusual data access patterns—weak signals that indicate the beginning of an APT and a prolonged breach, McCulloch says.
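The "unusual data access patterns" McCulloch describes can be made concrete with a per-user baseline over the EHR audit log. The Python below is an example added here, not any vendor's or hospital's detection logic; the log format, the thresholds and the log lines themselves are constructed for it. It flags an hour in which a user reads far more distinct records than in any earlier hour of their own history, and separately flags bulk reads outside working hours, which is the kind of weak signal a keylogged credential produces when it is used to pull a database rather than to treat a patient.

```python
"""Added example: flag unusual record-access volume in an EHR audit log.
Log lines and their format are constructed for this example."""
from collections import defaultdict
from datetime import datetime


def make_sample_log():
    """Constructed audit log, one 'timestamp user action patient_id' per line.
    Two users work normal hours for two days; then one user's credential is
    used at 02:00 to pull 300 distinct records."""
    lines = []
    for day in ("2015-02-02", "2015-02-03"):
        for hour in range(9, 17):
            for i in range(8):      # nurse: 8 distinct patients an hour
                lines.append(f"{day}T{hour:02d}:{i * 7:02d}:00 rn_b READ p{hour * 10 + i}")
            for i in range(12):     # physician: 12 distinct patients an hour
                lines.append(f"{day}T{hour:02d}:{i * 4:02d}:00 dr_a READ p{500 + hour * 20 + i}")
    for i in range(300):            # compromised credential, off hours
        lines.append(f"2015-02-04T02:{i % 60:02d}:{i // 60:02d} rn_b READ p{1000 + i}")
    return "\n".join(lines)


def parse_log(text):
    """Return (timestamp, user, action, patient_id) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, pid = line.split()
        events.append((datetime.fromisoformat(ts), user, action, pid))
    return events


def hourly_distinct(events):
    """user -> {hour bucket -> set of distinct patient ids read}"""
    buckets = defaultdict(lambda: defaultdict(set))
    for ts, user, action, pid in events:
        if action == "READ":
            buckets[user][ts.replace(minute=0, second=0, microsecond=0)].add(pid)
    return buckets


def detect(events, multiplier=5, floor=25, work_hours=(7, 19)):
    """Compare each hour against the user's own earlier hours. An hour is
    flagged when the distinct records read exceed both `floor` and
    `multiplier` times the user's previous busiest hour, or when five or
    more records are read outside `work_hours`. Thresholds are assumptions
    for this example. Returns (user, hour, count, reason) tuples."""
    alerts = []
    for user, hours in hourly_distinct(events).items():
        history = []                      # earlier hourly counts are the baseline
        for hour in sorted(hours):
            count = len(hours[hour])
            threshold = max(floor, multiplier * max(history, default=0))
            if count > threshold:
                alerts.append((user, hour.isoformat(), count, f"volume {count} > {threshold}"))
            elif count >= 5 and not work_hours[0] <= hour.hour < work_hours[1]:
                alerts.append((user, hour.isoformat(), count, "bulk read outside work hours"))
            history.append(count)
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(make_sample_log())):
        print(alert)
```

The baseline is per user on purpose: a transcriptionist and a hospitalist have very different normal volumes, and a single global threshold either drowns the analyst in noise or misses a slow exfiltration. The trade-off a practitioner has to weigh is the one McCulloch raises about team-based care, since a nurse covering an unfamiliar unit will also look unusual, which is why this kind of signal should escalate for review rather than block on its own.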
The Anthem breach also comes at the very moment when healthcare appears to be about to embrace the cloud as other industries have done. While a company of Anthem's resources will probably continue to lift its own weight when it comes to security, many smaller hospitals may be less able to harden their data centers than existing cloud-based service providers.
After all, without security, cloud computing is a dubious value proposition. So I don't expect this particular breach to derail the move to the cloud, at least not just yet.
Moving forward, expect to see AEHIS, HITRUST and security consultants unleash a fresh wave of educational Webinars, in-person trainings, and peer-to-peer networking opportunities to share and spread best practices in secure computing.
On the software development side, this breach, or the next one, or the one after that, will finally bring the kind of secure coding mindset to healthcare IT that Microsoft learned the hard way more than a decade ago.
It just may be that grander technology ambitions of healthcare get put on hold for a similar period of time, until the industry gets this right.
The good news is that CMS intends to relax the Meaningful Use reporting period for 2015 to 90 days. The bad news is that although the ICD-10 implementation deadline is on the horizon, the head of CHIME says he "wouldn't say it's 100% by any means."
Three perennial hot topics in healthcare IT were in play late last week, and for a change, there was some good news for providers.
First, CMS announced in a blog post that it intends to relax the Meaningful Use reporting period for 2015 to 90 days, as had been requested by CHIME for several months. This proposal must be submitted as a notice of proposed rulemaking (NPRM) and go through public comment, but there is every reason to believe it will survive the proposal stage and be rapidly finalized.
Second, as expected, ONC published its Interoperability Roadmap Version 1.0, which started sketching the outlines of some "rules of the road" needed to get providers and vendors on the same page regarding the work remaining to exchange basic clinical data, in part by defining sufficient structure to allow sending, receiving and using shared records.
Third, looming in the background, CIOs were working to sign contracts for the coming year's work on ICD-10, not knowing for certain whether once again, Congress will act to delay implementation from its current date of October 1, 2015.
On the first development, CHIME president Russell P. Branzell told me Monday that CMS's willingness to move from a 365-day reporting period to 90 days indicates a willingness to fix the Meaningful Use program in light of some preliminarily low attestation rates for stage 2, and sets the stage for a more realistic stage 3 requirement set. CMS submitted details about stage 3 recently to the Office of Management and Budget.
While no one yet knows exactly what is in stage 3—it was originally going to be the stage where outcomes were produced after EHR interoperability happened in stage 2—there is clearly less urgency about mandating all the original aspirations for stage 3 in the same way they were before former ONC chief Farzad Mostashari departed and current head Karen DeSalvo assumed his role.
It was Mostashari who had announced ONC's decision to let non-governmental entities have their chance to define interoperability rules of the road. But Branzell sees something more akin to the rules of the electrical industry emerging. "There's no clear government mandate that our light sockets and our electrical sockets look like they do," he says.
Clarity of Direction
"That was actually a public/private partnership that they did along the way, and I think we can do the same thing now that there's a clear direction that we will have a clear list down, hopefully to a detailed level of standards that we can all agree upon."
Branzell says the Interoperability Roadmap, itself open to public comment until April 3, gives the healthcare IT industry a new clarity of direction, and will flesh out some requirements in Meaningful Use stage 2 that were just too vague.
As an example, he offered the laboratory data exchange standard, LOINC.
"It says in there you have to use LOINC," Branzell says. "But lots of people will say, I use LOINC, but I still can't exchange lab data. Well, maybe if we get to LOINC with defined detail and requirements such as 'you must be able to transfer a complete CBC from one record to another based on the LOINC standard,' that's a little different than saying LOINC is a standard. That's what we're hoping will occur through an adoption of a clear requirements book. I don't want LOINC listed on one line. I want a chapter on LOINC in that book."
The public comment period on the roadmap will be lively. For instance, Branzell says one big unsolved problem is the persistent lack of a way to identify and match patients across systems. John Halamka, CIO of Beth Israel Deaconess Medical Center, is concerned that ONC's new standards advisory, released at the same time as the roadmap last week, prescribes quality measures before those measures are mature enough.
"Don't Keep Doing This to Us Every Year"
As far as ICD-10, Branzell says, "right now we're still hearing everything is go ahead, it's going to happen, but I wouldn't say it's 100% by any means. Regardless, it's January, and people have to put these systems in place and buy the solutions and get the consultants and get the coders and the abstractors and all that stuff in place."
But although Branzell doesn't foresee a standalone bill in Congress that could delay ICD-10 again, there are other opportunities for such language to be inserted in the continuing resolution Congress will have to pass by October 1 to keep the government operating, or even, to have its implementation once again tied to the SGR "doc fix."
With that, Branzell made what is becoming a perennial plea to ICD-10 opponents. "Every year you're costing us millions and millions and millions of dollars of rework, so either do it, or don't delay it for another 12 months," he says. "That's crazy. Either delay it for five years or just take it off the table, but don't keep doing this to us every year."
Don't count CHIME out on this next skirmish. Fresh from the organization's victory on relaxing the Meaningful Use reporting requirements, it just could be that Washington is listening to providers with fresh ears. As unlikely as it seems.
The software provider will use Beth Israel Deaconess Medical Center's electronic health records system as the basis of a commercial product.
Athenahealth Tuesday said it has purchased WebOMR, a cloud-based, meaningful use stage 2-certified EHR. It was developed by and has been in use at Beth Israel Deaconess Medical Center across three decades.
Financial terms of the sale were not disclosed, but Boston-based Beth Israel Deaconess will continue to use WebOMR, retains licensing rights to the software for the next 20 years, and will make available five of its EHR developers to Athenahealth for the next year as Athenahealth pursues the development of a commercial product based on WebOMR.
Beth Israel Deaconess Medical Center CIO John Halamka, MD, differentiates the deal from similar EHR technology sales such as when GE purchased technology from Intermountain, or when McKesson bought Vanderbilt technology.
"In those cases, it was more about taking code and making that a commercial product," Halamka said in an interview. "In our case, it's more about taking… 30 years of know-how of workflow, and algorithms, and business logic."
The deal originated four months ago when Athenahealth, based in Watertown, MA, approached Halamka, which he deemed "a wonderful alignment of incentives."
By turning over its code, Beth Israel Deaconess IT resources can focus on innovations, while Athenahealth acquires what chairman and CEO Jonathan Bush has sought since the inception of the company: Eventual entry into the mainstream, cloud-based, inpatient EHR market for hospitals.
"On a scale of one to ten, this is an 11 for us," said Bush in an interview. "Our pattern as we've gotten a little bigger has been the sort of acqui-hire process, where we acquire some customers, acquire some folks who have already spent 5 or 10 years perfecting an idea, and then build it into our larger network and sales footprint."
Further Into the Cloud
As part of the agreement, the 58-bed Beth Israel Deaconess Hospital-Needham community hospital will serve as the alpha development site for Athenahealth's new inpatient offerings. BIDHC, which comprises 185 providers across 38 Massachusetts locations, will begin a phased implementation of Athenahealth's athenaOne suite of EHR, revenue cycle management, and patient engagement services.
WebOMR's roots stretch back to 1998, when Halamka became CIO of BIDMC. "Our approach has been cloud-hosted, but we didn't call it cloud then, we called it multi-tenancy Web hosting," Halamka says.
The deal comes as healthcare IT, and corporate IT in general, continues to expand into cloud services. "It becomes much more like an app store for health. It's worked so well for Facebook and Apple and Google," he says, "why not healthcare?"
Traditional inpatient EHR software is locally hosted and is updated infrequently, with two years typically passing between versions. Cloud-based software such as Athenahealth's can support frequent updates via centralized hosting, requiring no local software reinstallation in the process.
Both BIDHC and Athenahealth are integrating other components into their respective systems. In BIDHC's case, it will continue to run Meditech EHR software in community hospitals, and eClinicalWorks EHR software in private practices it does not own, but has partnered with, Halamka says. "We'll deploy the inpatient functionality in Needham when it's ready."
"We'll watch how successful Athena's implementation of our intellectual property goes, and then let the best man win. We'll continue to run Meditech in our community hospitals, and later on, the Athena services as they become available."
"Five years from now," he says, "I go for value—whatever vendor is offering the agile, cloud-hosted, high-quality, low-cost platform. It's too early to tell what that will mean for any incumbent vendors, but I would hope that we get to parsimony—the smallest number of vendors providing us the services we need."
Making It Scale
In Athenahealth's case, it will be integrating not only its own ambulatory and care coordination suites, but also its recently-acquired, cloud-based RazorInsights EHR software for hospitals with 50 beds or fewer. RazorInsights does not yet handle all the paperwork, patient handoffs, and insurance coordination that it will when fully integrated with the rest of Athenahealth's software and with WebOMR, Bush says.
A major marketing push into larger hospitals will come only after Athenahealth has proven the technology at scale through its efforts in smaller hospitals and by alpha testing for quality, safety, and efficiency at BIDHC, he adds. The new services "won't be released to the world until we're sure they're usable and that the clinicians are satisfied with them."
"If we only sold to smaller institutions for the next two or three years, that would sort of be fine with me," Bush says. But Athenahealth will rapidly ramp up its development cycle as it progresses. "The major change to RazorInsights will be the physician user experience, the screens the doctor sees, will be athenaClinicals screens.
"Most of our stuff is actually seeing operational workflows and opportunities for improvement that the client would never have the vision to see. Not that they lack personal vision, but they actually can't see all the work across all the institutions that are like them in one view," Bush says.
Not Like Epic
"You sign up for Epic, you drop $200 million today, and in four years you're live on everything. If it takes us three and a half years to get to the same feature parity that you're looking for, with all of the service and none of the capital expenditures, then you could conceivably go live on the same day."
Established, traditional client/server EHRs such as Epic and Cerner are here to stay, Bush notes. "Epic and Cerner are dominant players of a prior era. We'll never be as whatever as Epic is, whatever they are. They've got their 31 systems, the one database, and the special way they get all the departments to come out to their special resort and get trained on working together like the Outward Bound program. They're the best in the world at that, and no one could take them on, including us. It's just that that is not an industry category that society needs or should want anymore."
"My hope is, that you're going to get this agility in [the] service that is going to make a highly usable, increased efficiency, safe, quality EHR experience for all—inpatient, outpatient, skilled nursing facility, urgent care," Halamka says. "It shouldn't matter where you are, or what you're running.
"If this all succeeds, we'll innovate and the core will be developed at scale by a much larger organization."
Halamka noted that there are no royalties involved, and after money flows from the software purchase to BIDHC, the organization becomes a paid subscriber to Athenahealth's services. He also noted that the deal "does not afford any personal benefits to me or any of my staff from the transaction."
Over the course of its three-decade existence, webOMR was recognized as one of the first hospital-built, inpatient and outpatient EHR systems, as well as the first self-built EHR system to achieve meaningful use certification by the federal government, the two organizations said in a joint statement.