Epic's Payer Platform, connected with Anthem Health OS, will drive data-driven insights.
Insurer Anthem is collaborating with EHR giant Epic to increase and improve bi-directional health information exchange, Anthem recently announced.
"As an organization committed to a digital-first approach, we know that enhancing the interoperability of health data is critical in redefining the future of healthcare," said Ashok Chennuru, chief data and insights officer at Anthem. "This effort helps bring the industry into the next step of its evolution where the right information gets to the right people at the right time—resulting in a more seamless healthcare experience and consumers receiving the care they need—where and when they need it. Our work with Epic stands to benefit more than 14.7 million consumers served by Anthem's affiliated health plans who see clinicians using Epic's software."
The bi-directional exchange moves clinical data, along with admission, discharge, and transfer (ADT) data from hospital stays, via Epic's Payer Platform.
The collaboration integrates Epic's Payer Platform with Anthem's Health OS, Anthem's operating system enabling seamless health plan-provider collaboration.
"By better bridging communications between providers and health plans, this connection is making it possible for patients to receive timely access to appropriate care," said Alan Hutchison, vice president of population health and payer strategy at Epic. "This effort will also give clinicians more time to focus on delivering care and improve quality for consumers."
The initiative is intended to help close clinical and medication gaps in a patient's care. Anthem intends to use health information provided by clinicians in analyses that lead to data-driven insights, the company said.
Anthem's insights can then be returned to the care team in near real time to flag potential treatment decisions, resulting in higher-quality care, the company said.
Administrative processes, such as prior authorization, will be streamlined. Providers can send prior authorizations through Epic, instead of using phone or fax. This streamlined process will allow health plans to make quicker decisions and electronically communicate back to the provider, lessening administrative burden and allowing staff to spend more time on care.
In addition, Anthem will notify providers when patients are discharged from hospitals, encouraging providers to expedite follow-up care.
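The discharge notifications described above are typically carried as HL7 v2 ADT messages (A01 admit, A03 discharge). The following is an added example, not Epic's Payer Platform or Anthem's code: it parses constructed ADT messages using the standard HL7 v2 field positions (MSH-9 message type, MSH-10 control ID, PID-3 patient identifier, PV1-19 visit number, PV1-44/45 admit and discharge times), and only treats a discharge as actionable when it matches an admission already seen for the same patient and visit. The hospital, patient, and visit identifiers are all invented for the sample.

```python
"""Parse HL7 v2 ADT messages and match discharge (A03) notifications to admissions.

Added example; not Epic's or Anthem's code. The HL7 messages below are constructed.
Field positions follow HL7 v2: MSH-9 message type, MSH-10 control id, PID-3 patient
identifier, PV1-19 visit number, PV1-44 admit time, PV1-45 discharge time.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

HL7_TS = "%Y%m%d%H%M%S"


@dataclass(frozen=True)
class AdtEvent:
    control_id: str
    event_type: str               # "A01" admit, "A03" discharge, ...
    patient_id: str               # first component of PID-3
    visit_number: str             # PV1-19
    admit_time: Optional[datetime]
    discharge_time: Optional[datetime]


def _pv1(patient_class: str, visit: str, admit: str, discharge: str = "") -> str:
    """Build a PV1 segment by index so the 45 field positions are not miscounted."""
    fields = [""] * 46
    fields[0], fields[1], fields[2] = "PV1", "1", patient_class
    fields[19], fields[44], fields[45] = visit, admit, discharge
    return "|".join(fields)


def _msg(event: str, control_id: str, ts: str, pid_segment: str, pv1_segment: str) -> str:
    """Assemble a minimal ADT message; segments are separated by CR as in HL7 v2."""
    msh = (f"MSH|^~\\&|HOSP_ADT|GENERAL_HOSP|PAYER_PLATFORM|HEALTHPLAN|{ts}||"
           f"ADT^{event}|{control_id}|P|2.5")
    return "\r".join([msh, f"EVN|{event}|{ts}", pid_segment, pv1_segment])


# Constructed sample feed: admit + discharge for one visit, then a discharge whose
# admission was never received (should be reviewed, not acted on).
PID_JANE = "PID|1||MRN12345^^^GENERAL_HOSP^MR||DOE^JANE||19700101|F"
PID_RICH = "PID|1||MRN99999^^^GENERAL_HOSP^MR||ROE^RICHARD||19850615|M"
SAMPLE_FEED = [
    _msg("A01", "MSG0001", "20210301080000", PID_JANE,
         _pv1("I", "V1001", "20210301080000")),
    _msg("A03", "MSG0002", "20210304153000", PID_JANE,
         _pv1("I", "V1001", "20210301080000", "20210304153000")),
    _msg("A03", "MSG0003", "20210305120000", PID_RICH,
         _pv1("I", "V2002", "20210302090000", "20210305120000")),
]


def _ts(value: str) -> Optional[datetime]:
    return datetime.strptime(value[:14], HL7_TS) if value else None


def _field(segment: List[str], index: int) -> str:
    """Return a field by index, tolerating segments whose trailing fields were omitted."""
    return segment[index] if index < len(segment) else ""


def parse_adt(message: str) -> AdtEvent:
    """Parse one HL7 v2 message; rejects anything that is not an ADT message type."""
    segments: Dict[str, List[str]] = {}
    for raw in message.split("\r"):
        if raw:
            fields = raw.split("|")
            segments.setdefault(fields[0], fields)   # keep the first of each segment type
    msh = segments["MSH"]
    # MSH-1 is the "|" separator itself, so MSH-9 sits at index 8 and MSH-10 at index 9.
    msg_type = _field(msh, 8).split("^")
    if msg_type[0] != "ADT" or len(msg_type) < 2:
        raise ValueError(f"not an ADT message: {_field(msh, 8)!r}")
    pid = segments["PID"]
    pv1 = segments.get("PV1", [])
    return AdtEvent(
        control_id=_field(msh, 9),
        event_type=msg_type[1],
        patient_id=_field(pid, 3).split("^")[0],
        visit_number=_field(pv1, 19),
        admit_time=_ts(_field(pv1, 44)),
        discharge_time=_ts(_field(pv1, 45)),
    )


def match_discharges(feed: List[str]) -> Tuple[List[AdtEvent], List[AdtEvent]]:
    """Split A03 events into those matching an earlier A01 (same patient and visit)
    and unmatched ones. Only matched discharges should drive follow-up outreach."""
    open_visits: Dict[Tuple[str, str], AdtEvent] = {}
    matched: List[AdtEvent] = []
    unmatched: List[AdtEvent] = []
    for msg in feed:
        ev = parse_adt(msg)
        key = (ev.patient_id, ev.visit_number)
        if ev.event_type == "A01":
            open_visits[key] = ev
        elif ev.event_type == "A03":
            (matched if open_visits.pop(key, None) else unmatched).append(ev)
    return matched, unmatched


if __name__ == "__main__":
    ok, review = match_discharges(SAMPLE_FEED)
    print("follow-up:", [(e.patient_id, e.visit_number, e.discharge_time) for e in ok])
    print("review:   ", [(e.patient_id, e.visit_number) for e in review])
```

The pairing step is the practitioner's check: a discharge notification that cannot be tied to an admission the receiving system already knows about is routed to review rather than triggering outreach, and any message that is not ADT is rejected before its fields are read.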
Health systems and providers such as The MetroHealth System, based in Cleveland, Ohio, which operates four hospitals, four emergency departments, more than 20 health centers and 40 additional sites, are among the initial group of health systems using the new interface. MetroHealth's initial focus on Payer Platform will be centered on care management and improving follow-up care, Anthem said in a statement.
"Being able to better communicate and reduce the amount of time we need to spend on administrative processes will allow our clinicians to spend more time delivering care," said David Kaelber, MD, PhD, MPH, chief medical informatics officer at MetroHealth. "Improving exchange and interoperability of data will help us give consumers the healthcare experience they have come to expect."
As one part of the Anthem Health OS strategy, the insurer also plans to integrate near real-time data with claims data and health information that Anthem receives from sources including health information exchanges, labs, and other partners. This integration gives providers a longitudinal view of a consumer's health, to help clinicians make more informed decisions.
Altura, an FQHC, is among the providers where the technology is reducing abandoned phone calls.
Lengthy telephone hold times have frustrated patients since long before the COVID-19 pandemic. New technology lets providers move those patients into texting sessions before they simply hang up.
The technology works with Cisco and GoToConnect office phone systems in two ways. First, it can prompt on-hold callers to opt to continue the call via texting instead; second, it can sense when callers have abandoned calls, and send them texts inviting them to get answers via text instead of a return call.
Arnie Reynoso, chief information officer, Altura Centers for Health. Photo courtesy of Altura Centers for Health.
One provider that has found the technology to be beneficial to its patient experience is Altura Centers for Health, a federally qualified health center (FQHC) serving populations in California's Central Valley.
"As a nonprofit FQHC, finding the appropriate staff or staffing levels is kind of hard, because we have a very fixed budget," says Arnie Reynoso, chief information officer of Altura. "As our patient population increased, we saw an increase in actual abandonment rates."
Altura was already using technology from WELL Health to send texts to patients, and then integrated the technology with its phone systems. Within 90 days, its call abandonment rate dropped from 20% to 15%, a drop of nearly 1,000 abandoned calls per month, Reynoso says.
"For our patient demographics, they're usually [working] eight to five, or sometimes two jobs," Reynoso says. "So being on hold is quite precious time."
Patients benefit from being able to move to asynchronous texting communication that allows them to periodically check back and keep a conversation going with their providers, Reynoso says.
Initial use during the pandemic proved the value of the technology to Altura.
"During COVID, we were short-staffed, yet we were still able to handle the volume we typically handle," Reynoso says.
A typical engagement begins while the patient is on hold. The provider's phone system prompts the patient to press the star key on the phone, which triggers a pre-recorded response that the provider will follow up with the patient via text message.
The system is also able to detect if the patient response is coming from a landline, in which case it will check available records and attempt to locate a mobile number for the patient, then text to that mobile number.
If staff cannot locate a mobile number, they follow up with an actual return phone call to the patient, Reynoso says. "It hasn't been a huge issue," he says.
When surveyed, between 90% and 95% of Altura patients say they appreciate the ability to reach their providers via text, Reynoso says.
Front office and call center staff, who are typically the personnel who patients are initially contacting, approve of the shift to texting. Such staff "would love for everyone to utilize the texting feature," Reynoso says. "It's less burdensome, and it allows them to handle multiple patients almost simultaneously, in a sense."
The increased usage of texting has another benefit to Altura's patient engagement goals: it increases usage of the FQHC's patient portal.
Once enough patients were connected to Altura's texts via mobile messaging apps, Altura was able to send text messages and reminders to patients in bulk, including prompts to use the patient portal or to select URLs that initiate medical record requests, Reynoso says. Texting "eliminates the need to actually make a phone call and talk to someone," he adds.
In the last six months, Altura has seen an increase in call volume, and also a slight increase in patients opting to continue calls via text messaging, Reynoso says.
Once patients are aware they are connected to Altura via messaging apps, often these patients "don't even initiate a call anymore," Reynoso says. "They just text us to request an appointment or a medical record. It's pushed them in that direction."
In the future, Altura plans to expand the capabilities of its texting interface, so that, for instance, patients could self-schedule appointments. The technology is capable of doing this, but "we need to iron out the details," Reynoso says. Similar issues, as well as security considerations, are behind not yet permitting prescription refills via texting, he adds.
WELL Health's technology also integrates deeply with multiple vendors' EHR technology, says founder and CEO Guillaume de Zwirek. It also brings in ADT data and interfaces with scheduling, referrals, and orders interfaces, he adds.
All told, the technology is already deployable to 30 million patients nationwide, and is in use by Houston Methodist, Cedars Sinai, and MemorialCare Health System, among others, de Zwirek says.
All this is possible without requiring patients to download another app, and this is by design, de Zwirek says.
"Apps are important for high-utilizers" with chronic conditions, he says. "For the 90% of people who visit the health system three times a year, you need to reach them where they are," which is texting, and maybe only move some of them to apps if they acquire chronic conditions, he adds.
EMR acquisition spiked in the fourth quarter, after being put on hold during the COVID-19 lockdown in the first half of 2020.
The COVID-19 pandemic allowed electronic medical record (EMR) company Epic to continue to gain a greater share of the U.S. acute care market last year, according to the 2021 U.S. Hospital Market Share report from KLAS.
Cerner, on the other hand, saw a second consecutive year of net market share decreases. A 37-hospital organization chose to move to Epic; 31 of the hospitals were using Cerner, accounting for more than half of Cerner's 2020 hospital losses.
During the past six years, Cerner has lost a total of seven large customers, representing more than 28,000 beds, KLAS reported.
That single, large win in Q1 2020 for Epic included almost 7,000 beds. Epic's 2020 wins involved 46 hospitals and more than 15,000 beds. A sizable number of those wins came from large organizations of 10 hospitals or more, most of whom switched from Cerner, MEDITECH, or Allscripts.
Over the past five years, Epic gained an average of 90 hospitals a year. "The solution's stability and deep integration have made it the preferred choice among large organizations, whose smaller regional partners often follow suit in order to gain improved collaboration," according to the report.
KLAS, a Salt Lake City–based research and insights firm, reports market share among the top EMR companies serving 5,495 acute care hospitals as follows:
The report also captured each EMR company's account gains and losses during 2020:
Epic gained 101 facilities
Azalea Health gained 4 facilities
Cerner lost 19 facilities
MEDHOST lost 12 facilities
CPSI lost 12 facilities
Allscripts lost 1 facility
MEDITECH lost 9 facilities
"2020 was not Epic's biggest year for market share growth—that was 2015, when 144 hospitals went to Epic—but their growth has never so decisively outpaced the competition's," the report stated.
Three hospitals left Epic in 2020, but all were due to merger and acquisition activity, the KLAS report stated.
EMR purchasing was up in 2020, despite the COVID-19 pandemic, fueled mostly by decisions among large organizations as well as standalone community hospitals, KLAS reported. EMR purchasing took a back seat as cases ramped up and the U.S. went into lockdown but rebounded some in Q3 and then spiked in Q4 as organizations reinstated budgets and revived tabled HIT initiatives.
Despite its tug-of-war with Epic to retain large customers, Cerner has seen strong success competing for community hospitals, and its 2020 wins came primarily from smaller organizations and hospitals drawn to Cerner's pricing and competitive functions, KLAS reported.
The net new hospitals that signed with MEDITECH in 2020 were all under 100 beds each, and about 75% of them have around 25 beds. MEDITECH lost 62% of the legacy customers that made a decision in 2020. A quarter of those legacy customers that moved to a different vendor in 2020 did so because of M&A activity. Some who left MEDITECH cited price as a barrier, but more frequently, healthcare organizations passed on MEDITECH's Expanse platform due to limited adoption of non-core modules, such as population health management.
EMR decisions among small standalone hospitals saw an uptick in 2020, according to KLAS. Cerner was chosen twice as often as the next closest competitor. These hospitals often select the Cerner Millennium platform, most often through Cerner's CommunityWorks model. A majority of MEDITECH's wins in this market were competitive, showing that Expanse is resonating with smaller hospitals.
Although Allscripts had no wins among small standalone organizations in 2020, the company has announced a streamlined version of the Sunrise platform intended for community hospitals. Across all sizes of hospital, 2020 was stable for Allscripts compared to previous years.
The KLAS report is based on acute care EMR purchasing activity, such as executed contracts, that occurred in the United States from January 1–December 31, 2020. It includes EMR market share data for acute care hospitals and for non-acute care, rehabilitation, and other specialty hospitals, such as surgical and orthopedic facilities. The data comes from multiple sources, including publicly available information, thousands of conversations KLAS has with provider organizations, and vendors. The full report is available for download on the KLAS website.
Spur-of-the-moment care and research is enabled by posing questions in plain English.
Clinicians and researchers are benefitting from new self-serve analytics software in use at Intermountain Healthcare.
The Utah-based system, which operates 24 hospitals and 215 clinics in Utah, Idaho, and Nevada, has been using software from MDClone to investigate everything from cardiology to genetics to hyperbaric medicine, according to officials at the health system.
The software taps Intermountain's electronic health record (EHR) system to perform English-like queries on the 3 million lives of current patients, but also on an enterprise data warehouse on Intermountain patients dating back 25 years, says Jeffrey L. Anderson, MD, a clinician and research physician at Intermountain, and immediate past director of cardiovascular research at the Intermountain Medical Center Heart Institute.
The MDClone software tools are also being applied to Intermountain's HerediGene™ population study, which the healthcare system says is the largest single-population genome study in the world, Anderson says.
The population study is being undertaken with deCODE genetics, a biopharmaceutical company based in Iceland.
"We're being courted by many companies, to see if we have the patients they would like to test with their new therapeutics," Anderson says. "So we need to answer questionnaires. And what we need to do is find out really who we have in the Intermountain system and within a certain distance that can come in and potentially participate in these intervention trials."
The prior way to perform these queries relied on the expertise of Intermountain data analysts, whose very expertise made them so popular, researchers had to "get in line, and wait weeks, even months to have an analysis done," Anderson says.
The new analytics tool allows untrained investigators to pose sophisticated queries without knowledge of the structure of the underlying databases and tables where the data is stored.
Previously, such queries would require sophisticated knowledge about table structures, plus a working knowledge of Structured Query Language (SQL), says Viet Le, a researcher and physician assistant in cardiology at Intermountain, who studies mobile health technologies and cardiovascular genetics.
"MDClone is democratizing our ability to query quickly, to allow us as clinicians to ask very important questions at the point of care," Le says.
In certain cases, under the previous arrangement, researchers could forget the original impetus for a question they had posed to expert analysts during the gap between submitting the question and receiving an answer, Le says.
This level of ad-hoc query is particularly useful to formerly frustrated researchers at Intermountain, such as the hyperbaric medicine department.
Kayla Deru, who started in the department as a secretary, became a department researcher, and developed research skills to the extent that she recently joined the Intermountain Connect Care team, Intermountain's telehealth division.
The hyperbaric department "never had analytical support, ever," Deru says. "I'm not a statistician, or a computer programmer. These intellectual curiosity questions, or even patient care questions, tend to be fairly time-sensitive. And you don't want to wait for six months, a year, or never, to find out the answer to your question."
The technology works by creating a history of each patient's interaction with the health system, not limited to EHR data, but also including admissions, discharges, transfers, genomics data, claims data, and administrative data. This data is organized as events on patient timelines, making it easier for would-be analysts to query. Natural language processing (NLP) brings in unstructured notes from physicians.
This timeline approach makes it much easier for researchers to search for and find data related to readmissions, queries that would otherwise have required intimate knowledge of underlying data structures, according to Jon D. Morrow, MD, senior vice president and physician executive at MDClone.
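To illustrate the timeline structure described above, here is an added example that is not MDClone's code: each patient's events (admits, discharges, labs, notes, regardless of source) are laid out on one time-ordered timeline, and a readmission query then reduces to "for each discharge, did the next admission for that patient fall within the window?" The events, patient identifiers, and visit numbers are constructed sample data.

```python
"""Readmission query over per-patient event timelines.

Added example, not MDClone's code. Events are constructed sample data; each event is
(patient_id, timestamp, kind, detail), and kinds other than admit/discharge (labs, notes,
claims) can sit on the same timeline without affecting the readmission query.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[str, datetime, str, str]

SAMPLE_EVENTS: List[Event] = [
    ("P1", datetime(2021, 1, 2, 9), "admit", "V1"),
    ("P1", datetime(2021, 1, 3, 7), "lab", "troponin"),
    ("P1", datetime(2021, 1, 5, 14), "discharge", "V1"),
    ("P1", datetime(2021, 1, 20, 8), "admit", "V2"),        # 14 days later: readmission
    ("P1", datetime(2021, 1, 22, 10), "discharge", "V2"),
    ("P2", datetime(2021, 2, 1, 8), "admit", "V3"),
    ("P2", datetime(2021, 2, 3, 12), "discharge", "V3"),
    ("P2", datetime(2021, 4, 1, 8), "admit", "V4"),         # 56 days later: outside window
    ("P3", datetime(2021, 3, 1, 8), "admit", "V5"),         # still admitted, no discharge
    ("P3", datetime(2021, 3, 2, 6), "note", "progress note"),
]


def build_timelines(events: List[Event]) -> Dict[str, List[Event]]:
    """Group events by patient and sort each patient's list chronologically."""
    timelines: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        timelines[ev[0]].append(ev)
    for pid in timelines:
        timelines[pid].sort(key=lambda e: e[1])
    return dict(timelines)


def readmissions(events: List[Event], window_days: int = 30) -> List[Tuple[str, str, str, int]]:
    """Return (patient, discharged_visit, readmit_visit, days) for every discharge that is
    followed by that patient's next admission within window_days."""
    hits: List[Tuple[str, str, str, int]] = []
    window = timedelta(days=window_days)
    for pid, timeline in build_timelines(events).items():
        for i, ev in enumerate(timeline):
            if ev[2] != "discharge":
                continue
            # Only the next admission after this discharge counts; later ones belong
            # to later discharges.
            for later in timeline[i + 1:]:
                if later[2] == "admit":
                    gap = later[1] - ev[1]
                    if gap <= window:
                        hits.append((pid, ev[3], later[3], gap.days))
                    break
    return hits


def events_before(events: List[Event], patient: str, before: datetime,
                  kind: str, days: int) -> List[Event]:
    """Timeline lookback: events of one kind for a patient in the `days` before a time."""
    start = before - timedelta(days=days)
    return [e for e in build_timelines(events).get(patient, [])
            if e[2] == kind and start <= e[1] < before]


if __name__ == "__main__":
    for pid, visit, readmit, days in readmissions(SAMPLE_EVENTS):
        print(f"{pid}: discharged from {visit}, readmitted as {readmit} after {days} days")
```

The lookback helper is the piece that would otherwise need knowledge of several source tables: because every event is already on the patient's timeline, "which labs did this patient have in the week before the readmission" is a filter over one sorted list.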
One area of inquiry pursued by Deru allowed clinicians to look at connections between carbon monoxide poisoning and blood clots, and on-the-fly results from queries help accelerate the presentation of research papers, Deru says.
In another example, Le used the ad-hoc queries to investigate histories of elevated lipids on relatively young patients coming through Intermountain's cath lab. "I would prefer we catch these individuals before they have their first [adverse] event," Le says.
This ability to quickly ask and get answers back also is helping Intermountain to rapidly respond to opportunities to host clinical trials, and thus to become one of the early places where a particular breakthrough treatment becomes available.
"It seriously has helped our department and other departments in our system enormously well" in this regard, says Lindell Weaver, MD, medical director of the Intermountain Hyperbaric Medical Center at Intermountain's LDS Hospital.
Another area where the queries of Deru and other researchers aided clinicians was focusing on the importance of blood pressure control and renal function to patients with diabetes and a risk of foot ulcers and amputations, Weaver says.
At the Heart Institute, another set of ad-hoc queries zeroed in on patients with hypertriglyceridemia to examine how many had experienced pancreatitis and found that half the patients had done so. "Those are numbers we could not have gotten otherwise," Anderson says.
Finding this connection in the traditional way that would have allowed the Heart Institute to qualify as a candidate site to offer a new therapeutic would have taken "weeks or months to do," Anderson says.
"These trials come along all the time in premier medical centers and medical systems," Anderson says. "That's just part of our everyday existence to try to be on the cutting edge when new therapeutics come along."
Ultimately, tools like this will remove the kind of monopoly on data analysis that more highly skilled but short-staffed data analyst staffs have enjoyed until now, according to officials at MDClone.
Medically Home Group is already serving patients from both healthcare giants, to provide patient convenience and to free up traditional hospital beds.
Mayo Clinic and Kaiser Permanente are betting on a services company to make it easier for patients to recover from more acute medical conditions at home, instead of in traditional hospitals.
The startup, Medically Home Group, announced that Mayo and Kaiser are partnering in an "unprecedented collaboration to allow more patients to receive acute level of care and recovery services in the comfort, convenience, and safety of their homes."
Both Mayo and Kaiser are successfully using Medically Home's care delivery model for their patients today, and over time, are increasing the number of patients being cared for via Medically Home's technology.
The announcement stated that both healthcare giants have made "significant strategic investments" in Medically Home Group, based in Boston.
Medically Home's care delivery model is governed by a 24/7 medical command center. The company staffs clinicians and an integrated care team who can deliver care to patients at their bedside.
Technology and services provided by the company are designed to deal with a "significant range of clinical conditions at the higher end of the clinical acuity spectrum that is typically treated in traditional hospital settings."
These conditions include infections, chronic disease exacerbation, emergency medicine, cancer care, acute levels of COVID-19 care, and transfusions.
Medically Home says this model has been used during the COVID-19 pandemic to help combat patient isolation and loneliness, and to allow family members to be at a patient's bedside at home. This capability has allowed hospitals to balance increased demand for their own hospital beds.
The Medically Home platform integrates with the patient's electronic health record while providing integrated communication, monitoring, and safety system technology in the home, the company said.
"Patients expect and deserve high-quality care and excellent outcomes in a convenient and comfortable setting, even when faced with complex medical challenges," said Gianrico Farrugia, MD, president and CEO at Mayo Clinic. "Our partnership with Kaiser Permanente and Medically Home will create the next generation of patient-centric, compassionate health care that seamlessly integrates advanced technology with clinical expertise."
"This partnership is a significant step in our commitment to providing the right care in the right setting for every patient as we continue to help lead the transformation of health care," said Greg Adams, chair and CEO of Kaiser Foundation Health Plan Inc. and Hospitals.
In Q3, the Ripple app will gain a biometric facial recognition alternative to the login name and password.
In a break with tradition, a Wisconsin healthcare system is using cutting-edge digital technology to reach out to patients and non-patients alike during the pandemic.
The initiative is the first to incorporate identity based on facial recognition and other identity management services provided by Mastercard, the financial services company, in conjunction with the startup that built the digital-first app for ThedaCare, the Wisconsin health system, which serves a community of 600,000 residents in 18 counties.
The tech push helps ThedaCare move ahead while national efforts to identify patients remain stymied, says Jim Albin, chief information officer of ThedaCare.
"It's answering a broader question, which is, how do you identify a patient and individual across all the different venues of care," Albin says.
Mastercard and app designer b.well Connected Health will activate the facial recognition feature early in the third quarter of 2021 in Ripple, ThedaCare's "front door" app for patients and the larger community, available on Apple iOS devices, Android devices, desktops, and laptops. Ripple, built by b.well for ThedaCare, was introduced in June 2020.
Prior to the biometric sign-in, Ripple required a traditional login and password, which is still available if necessary. "To really have a handle on patient care being delivered to our communities, we have to transcend all the different organizations that that patient touches," Albin says.
Jim Albin, chief information officer, ThedaCare (Photo courtesy of ThedaCare)
ThedaCare and b.well's intent is to give patients, as well as non-patients in the community who are interested in keeping track of their health, the ability to log in with a glance, in a single place, incorporating all their disparate medical records.
"We've been dealing with health information exchanges for years, and they have always faltered because of this very same issue of patient identification," Albin says.
The underlying b.well technology utilizes healthcare industry standards to be easily integrated with the electronic health records in use by physicians, as well as specialists, in a way that previously would have required patients to maintain multiple logins and passwords in order to view their medical records, Albin says.
Albin describes ThedaCare as "a typical sort of Midwestern provider" with a payer mix of Medicare, Medicaid, commercial, and private insurance. ThedaCare also operates a nationally recognized accountable care organization (ACO) carrying risk-type agreements. Ripple represents another step for ThedaCare into managing population health, he adds.
"That will be the predominant model going forward, where patients interact with health systems, but also, health systems are charged with truly taking care of their communities, whether they're patients or not."
That's why Ripple was also designed for community members not part of the healthcare system. "You can be a Ripple participant and not be a patient of ThedaCare," Albin says. "We're looking at it as a tool for us to reach out to our communities and to make sure that they know we're there and we have their back."
ThedaCare has seven hospitals, two in urban environments, and the other five in rural locations. Ripple helps those in smaller rural communities, by giving them state-of-the-art information on healthcare, COVID-19, and other access points to care in their communities, Albin says. "We're proud of that, and our presence in the rural environment," he adds.
Independent physicians in the ThedaCare community can also utilize Ripple for their patients. "Currently, we are bringing information in from third-party insurance companies, from pharmacies, from a lot of different places," Albin says. "The momentum is building."
Last summer, while the COVID-19 pandemic raged, "we didn't know how bad it was going to be, but we did think that Ripple provides an open conduit with comprehensive information to patients," Albin says. "It's become indispensable now, as we're distributing information on the latest in COVID."
The innovation represented by Ripple indicates the changing role of information technology in healthcare, Albin says.
"Our job traditionally is to make sure the lights are on," he says. "We have good information being distributed, good tools for our providers, and there will be tools like Ripple that are out there moving in new directions, allowing us to jump out of our health system to the public in general."
b.well itself is a company founded by a former United HealthCare official whose daughter suffered a near-fatal event "because two electronic medical records couldn't communicate with one another," says founder and CEO Kristen Valdes.
"We are the off-the-shelf digital transformation platform," Valdes says. "We are particularly aligned to folks who have not built their own solutions, and who do not have agile development teams, where they can do this easily." The b.well app can be delivered with the brand of the customer, such as ThedaCare, she adds.
In part, the company exists because of the assumption that the first patient encounter with a physician practice may occur through telehealth, Valdes says.
The b.well app, in all its manifestations, assumes the patient has a mobile phone. The patient's mobile phone number, as well as the biometric token of a photo of their face easily taken by today's smart phones, provide healthcare with identifiers beyond traditional driver's license and insurance cards, Valdes adds.
Correction: An earlier version of the story incorrectly stated that Mastercard had been an investor in b.well.
Rising threat of ransomware during pandemic is putting more lives on the line in healthcare.
As the pandemic continues to dominate business decisions across industries, healthcare CISOs and CIOs are continuing to develop strategies and technology approaches to maintain some semblance of business continuity and patient care.
According to Joe Leonard, former military intelligence officer and current CTO and VP of security strategy for cybersecurity firm GuidePoint Security, there has been a noticeable shift in how hospitals and healthcare organizations look at security: once treated as a budget burden, it is now seen as a patient care enabler, and a hospital's security posture is fundamental to its ability to grow and treat patients.
In an interview with HealthLeaders, Leonard explains the intricacies of blending healthcare IT operations with proactive cybersecurity measures during this pandemic.
HealthLeaders: How has the pandemic focused C-suites and hospital boards to look at cybersecurity as a patient care driver?
Joe Leonard: C-suites' and hospital boards' cybersecurity awareness is heightened, as a ransomware attack during the pandemic could potentially cause loss of life of a patient. During the pandemic, it is critical that life support machines and medical-grade devices stay operational and there is no impact to patient care. C-suites and hospital boards should be evaluating their security programs and asking questions about how they are protecting the patients that they provide services for.
The pandemic has created many challenges, as we have had to stay socially distant, and that has impacted our ability to properly evaluate our security posture. What were the security risks when we sent many healthcare providers outside the healthcare facility to administer the vaccine?
As we go forward, our patient care model should be designed to scale up quickly and provide support from anywhere, but we need to protect patient information, so security should be designed into our healthcare solutions. As we approach the post-pandemic phase, C-suites will need to reevaluate the patient care support model (on-site, remote, hybrid) they are providing, and review that security is integrated into these support models. Our security testing model will become more complex as we work in a hybrid world.
Joe Leonard, CTO and VP of security strategy, GuidePoint Security (Photo courtesy of GuidePoint Security)
HL: How might this continue to progress as employees return to offices in a hybrid capacity?
Leonard: As we approach the post-pandemic phase, a hybrid model is very likely to become the standard model. New tools will need to be developed to support a "work from anywhere" model, which provides an on-premise or off-premise healthcare support model. Many workers will be able to work remotely and leverage technology like telehealth to assist patients. Telehealth will grow and patients will get more options and better services as doctors can be engaged remotely for assistance. Telehealth testing capabilities will expand and provide better healthcare to patients.
We will witness an evolution that evolves just as we did going from a thermometer we put in our mouths to a contactless infrared thermometer. The remote workforce will be more agile and able to assist patients quickly. The hybrid model will make us more flexible and give us the ability to provide patient care from anywhere. The COVID pandemic was an example of how we scaled up remote sites all over the United States to support testing more patients as our hospitals couldn't handle the number of patients.
HL: Where are security programs making investments as we enter the next phase of the pandemic?
Leonard: C-suites and hospital boards are concerned about security. The question they ask is, "How secure are we?" In some cases, the healthcare organizations really don't know. They don't have the tools to really evaluate their organization's security posture. It is imperative to have a comprehensive security program that tests the organization's people, process, and technology controls and identifies the risk and the impact to the organization. The risks should be prioritized based on the risks to the healthcare facility, and a remediation plan should be developed. The items that are remediated should be retested to validate the remediation worked.
The security program should have a continuous security testing model, and there should be quarterly business reviews with the executive team to review the organization's overall progress and plan to reduce the risks. HIPAA, PCI [payment card industry data security standard], and PII [personally identifiable information] are normally a part of most healthcare organizations, and should be included as part of the comprehensive security program. Ransomware is a top concern, so tabletop exercises should be developed to test the healthcare organization's response to an attack such as ransomware. Phishing testing needs to happen at frequent intervals, and security awareness training needs to be a part of the comprehensive security program.
HL: How can security be "baked into" all healthcare tech products and services, and reduce or eliminate the need for physicians and other provider staff to become security experts?
Leonard: The best security controls are "transparent" and require little to no input from the user. In the healthcare environment, seconds could be the difference between life and death. The healthcare products need to be evaluated for ease of use, and security needs to be baked in, but it shouldn't slow people down trying to save someone's life. When technology is evaluated, we're often excited about all the great features, but we overlook items that are critical, like manageability, maintenance, and usability. Many times I have seen products implemented that failed because the product was too disruptive to the organization. Products should be brought in and should be evaluated against many use cases to ensure the service will be great and that the product can actually be supported.
HL: What enhancements or improvements can be made to further this process from a regulatory standpoint? What new rules and regulations can help tame the healthcare cybersecurity monster?
Leonard: Over the past 16 years, a majority of the HIPAA assessments I have sold have lasted 6 to 8 weeks, and then a report was delivered with the remediation recommendations and findings. In most cases, we would go back in one year and do the same thing over again. I believe one year is too long between reviews of the overall healthcare security posture. I would recommend an enhancement to start performing quarterly reviews to track the HIPAA risk assessment remediation work that was performed. What I have witnessed is that a majority of healthcare organizations do a HIPAA risk assessment once a year, then they work on the remediation for the next year, followed by another yearly HIPAA assessment. The HIPAA security rule and privacy assessment should be done annually (mandatory), and the results should be reported.
Providers face education of workforce; penalty phase remains a mystery.
Faced with the threat of penalties if they do not comply, healthcare providers are figuring out as best they can how to comply with new information blocking rules that took effect April 5, but one size definitely does not fit all.
One month in, many questions remain, and some providers find themselves in the middle between how patients want to receive their medical records, and how electronic health record (EHR) vendor suppliers want to provide them.
"We're required to follow this information blocking rule, but a lot of our software vendors are not prepared to do that," says Randi Terry, director of IS at Munson Healthcare, a nine-hospital system in northern Michigan.
This is despite the fact that some of the EHR software in question, which Terry declined to name, attests that it meets the certification standards promulgated by the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology (ONC).
A big example of lack of preparation centers around patient demand for interoperability with Apple Health, a longitudinal health record and tracking app preinstalled on millions of Apple iPhones. The information blocking rules say that if a patient requests their data in digital form, one way it can be provided is through a link between the EHR vendor's software and the application programming interface for Apple Health, known as HealthKit.
"Vendors say, 'Yep, can't do that,' " Terry says. "Or if they do it, they give us a 37-page document, and say, 'tell your patient to go talk to Apple Health.' There's no patient in the world that's going to follow through." Munson has been trying to get this particular certified EHR vendor to implement the link for three years, Terry adds.
Other EHRs, including Epic, have provided interoperability with Apple Health for several years, according to Terry, who also is a member of the policy steering committee of the College of Healthcare Information Management Executives (CHIME), which meets regularly to discuss, among other things, issues around implementing the April 5 information blocking rule.
Randi Terry, director of IS, Munson Healthcare (Photo courtesy of Munson Healthcare)
Standard Interface Coming in 2023
The situation is set to improve in 2023, when EHR providers will be required to support an ONC-certified, standardized application programming interface (API) defined by the HL7 organization as Fast Healthcare Interoperability Resources (FHIR), providing a lingua franca between applications such as Apple Health and EHR software, and between different vendors' EHR software.
In the meantime, providers are required to find some other way to digitally share requested patient medical records, in order to appear to be complying with the April 5 rule. "It's very definitely an issue that we're facing right now," Terry says.
In addition, providers are still in the dark about the precise date when enforcement of the April 5 requirements will begin, says Andrew Tomlinson, director of federal affairs at CHIME.
"We don't want enforcement until we have the education piece," Tomlinson says.
Andrew Tomlinson, director of federal affairs, CHIME (Photo courtesy of CHIME)
"This whole information blocking [rule] is a fundamental shift in how we have to educate every person in healthcare," Terry says. "It's a fundamental shift in the way we release records, and that's really difficult."
Initial steps at Munson include providing scripts to all offices, for those answering the phone, who may be receiving requests for medical records, Terry says.
Requests are being considered on a case-by-case basis, with the general rule being what is best for the patient, she adds.
Areas of Friction are Causing Provider Concern
Three areas of particular friction are disparities of action based on organization size, confusion over which organizations the April 5 rule covers, and the rule's insistence that lab results be delivered to patients without a waiting period for a clinician consult, which the ONC's Information Blocking FAQ cites as an example of information blocking.
Smaller healthcare organizations and medical practices, where a physician may double as a chief information officer, "are going to feel that stress" of having to abide by the April 5 rule, lacking the number of resources that large healthcare providers can apply to conformance, Tomlinson says.
Another area of friction arises because many U.S. healthcare organizations believe that just because they do not participate in CMS payments or incentives to purchase certified EHR software, they are not subject to the provisions of the rule.
Instead, the information blocking rule applies to all U.S. providers, Tomlinson says.
"That's part of the education gap," he says. "Even if they don't collect Medicare or Medicaid, they still have to comply with these requirements."
Those providers who are not necessarily familiar with programs run by CMS or ONC are now having to familiarize themselves with those programs, because of the information blocking rule, Tomlinson says.
"For [the] information blocking [rule] and interoperability to work, it has to be everyone," he says. "We can't leave any provider behind. We have to go together as one, or it won't work, long term."
An earlier effort to provide a national registry of all providers, through which Consolidated Clinical Document Architecture (C-CDA) documents could flow via Direct messaging, remains a hit-and-miss way to find and forward or receive patient records between providers. This is true even though any HIPAA-covered provider, or provider who bills Medicare, is required to have a national provider identifier (NPI) number in the National Plan and Provider Enumeration System (NPPES). "It's kind of a misnomer to say that everybody is now putting their DirectTrust addresses in NPPES, because they're not," Terry says. Smaller providers are among those most missing from the NPPES database, she adds.
Yet another promising method is the growth of national data exchanges such as CommonWell, Terry says. Munson uses CommonWell to keep track of "snowbird" patients who winter over in Florida and Arizona, she says. Munson has also successfully tested Carequality, another vendor-driven national healthcare data interoperability framework.
The requirement to release lab results when they are available runs counter to many organizations' waiting periods before patients get to see their lab results. "ONC has outlined in their FAQ that an organizational policy of a delay from releasing the results does not comply with [the] information blocking [rule]," Tomlinson says.
Additional Complexities
There are some exceptions to the April 5 rule, one being preventing harm, and corner cases will likely result in an initial surge of use of those exceptions, Tomlinson says. Examples include EHR records of teenagers, some portions of which teenagers can by rights withhold from their parents, even though the supporting EHR software has no way to send only selected portions of the records.
A further complication involves the dates by which the FHIR API must be implemented. Right now, both EHR vendors and providers are expected to turn on this interoperability by December 31, 2022. "Providers need time to be able to implement those new pieces of health IT," Tomlinson says. Fortunately, recent clarifying rules state that providers will be able to attest during any 90-day period in 2023, he adds.
Providers can also demonstrate compliance by transmitting medical records as C-CDA documents. If patients request the digital files via a technical means that the provider does not have, providers are permitted to pass along the costs of such delivery, such as building or purchasing a patient portal or buying a Zip drive, Tomlinson says. If the patient doesn't want to spend that money, provider and patient can negotiate an alternate digital delivery format, he adds.
Lastly, says Tomlinson, ONC needs to do a better job of showing providers how to document the process of attempting to comply with the rules, and documenting procedures once a provider actually receives notice of an information blocking complaint.
"The information blocking requirements are about attempting to get patients their data when they need it," Tomlinson says. "We can provide the education and the policies and procedures, and the understanding, but we do need a little bit more understanding of what exactly [ONC] may be looking for."
Bogus 'Required Security Assessment' originated from outside government, and healthcare orgs should alert their workers.
Social engineering took a new twist this week when a non-governmental website posed as the federal government and attempted to harvest sensitive information from healthcare organizations.
The ruse was revealed via a notice emailed to subscribers of the U.S. Department of Health & Human Services’ Office of Civil Rights (OCR) announcement mailing list.
"OCR has been made aware of postcards being sent to healthcare organizations informing the recipients that they are required to participate in a 'Required Security Risk Assessment' and they are directed to send their risk assessment to [the spurious website]," the OCR announcement stated. "The link directs individuals to a non-governmental website marketing consulting services."
OCR added that "this postcard notification did not come from OCR or the U.S. Department of Health & Human Services. This communication is from a private entity—it is NOT an HHS/OCR communication. HIPAA covered entities and business associates should alert their workforce members to this misleading communication."
Covered entities and business associates can confirm that a communication is from OCR by checking for an OCR postal address (the addresses of OCR's headquarters and regional offices are listed on the OCR website) or an email address ending in @hhs.gov, and by asking for a confirming email from the OCR investigator's hhs.gov email address, according to OCR. Because a sender address on an incoming message is easy to forge, the confirming-email exchange is the step that actually verifies the sender; the address check only screens out the obvious impostors.
Organizations that have additional questions or concerns can send an email to OCRMail@hhs.gov.
The OCR said that suspected incidents of individuals posing as federal law enforcement should be reported to the Federal Bureau of Investigation.
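As an added illustration of the address screen described above (example code written for this page, not from OCR, HHS or HealthLeaders), the following Python function parses a raw From: header and accepts only a sender domain that is exactly hhs.gov or a subdomain of it. It shows two traps that a plain "ends with hhs.gov" check falls into: a display name that merely looks like an hhs.gov address, and lookalike domains such as nothhs.gov or hhs.gov.example.net. The sample headers are constructed for the example.

```python
"""Screen a From: header for the @hhs.gov domain that OCR says its mail uses.

Added example for this page, not code from OCR, HHS or HealthLeaders.
The sample headers below are constructed for illustration, not real mail.
"""
from email.utils import parseaddr

OCR_DOMAIN = "hhs.gov"  # OCR states that all of its email addresses end in @hhs.gov


def sender_domain(from_header: str) -> str:
    """Return the domain of the real address in a From: header, lowercased.

    parseaddr separates the display name from the angle-bracket address, so a
    display name that merely *looks* like an hhs.gov address is not mistaken
    for the actual sender. Returns "" when no address is present.
    """
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().strip(".")


def claims_ocr_origin(from_header: str) -> bool:
    """True only if the sending domain is hhs.gov itself or a subdomain of it.

    A naive endswith("hhs.gov") would accept "nothhs.gov"; requiring an exact
    match or a dot-separated subdomain avoids that trap.
    """
    domain = sender_domain(from_header)
    return domain == OCR_DOMAIN or domain.endswith("." + OCR_DOMAIN)


def triage(headers):
    """Classify a batch of From: headers; returns a list of (header, verdict)."""
    return [(h, "possible OCR" if claims_ocr_origin(h) else "NOT OCR")
            for h in headers]


# Constructed sample headers (not real mail):
SAMPLES = [
    "OCR Investigator <investigator@hhs.gov>",             # hhs.gov itself
    "OCR Investigator <investigator@ocr.hhs.gov>",         # hhs.gov subdomain
    '"investigator@hhs.gov" <billing@example.net>',        # display-name spoof
    "HHS OCR <investigator@hhs.gov.example.net>",          # lookalike subdomain
    "HHS OCR <investigator@nothhs.gov>",                   # suffix-match trap
    "Security Assessment <audit@example-assessments.com>",  # unrelated sender
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLES):
        print(f"{verdict:13} {header}")
```

Passing this screen proves nothing about authenticity: a From: header is trivially forged, so the check only filters the obvious impostors. Authenticating the message still requires the confirming-email exchange with the investigator's hhs.gov address that OCR describes, backed by SPF, DKIM and DMARC evaluation at the mail gateway.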
During the COVID-19 pandemic, criminals have focused in particular on the financial relief and healthcare domains, according to the recently released fourth annual report by Keysight Technologies on cybersecurity.
Regulatory focus on fining providers is misplaced, according to a device security expert.
The attack surface of healthcare in the cybersecurity realm is forecast to explode in size in the next few years, in large part due to the proliferation of internet-attached medical devices.
The global Internet of Medical Things market is expected to grow at a compound annual growth rate of 18.5% from 2021 to 2027 to reach $284.5 billion by 2027, according to UnivDatos Market Insights. A rise in connected medical devices and the emergence of new technologies are driving the growth of the market.
MedCrypt is a San Diego-based company that provides proactive security for healthcare technology. MedCrypt's platform brings core cybersecurity features to medical devices with a few lines of code, to ensure devices are secure by design. MedCrypt announced a $5.3 million Series A funding round in May of 2019, bringing the total funds raised to $9.4 million with participation from Eniac Ventures, Section 32, Y Combinator, and others.
Recently, Seth Carmody, PhD, vice president of regulatory strategy at MedCrypt, answered questions from HealthLeaders about the connected medical device security threat.
HealthLeaders: Carrots and sticks seem to be the only tools the government possesses to improve digital security in healthcare. Is there a third way?
Seth Carmody: There have been a few attempts to incentivize security, but the incentive is fine-based and focuses, not on security debt relief, but on the management of the risk that security debt brings. Governments and regulators need to continue to provide sticks and carrots like the IoT Cybersecurity Improvement Act of 2020 and FDA (U.S. Food & Drug Administration). The FDA’s Postmarket Cybersecurity Guidance (December 2016) incentivizes medical device vendors to participate in cyber-risk information sharing through a variety of ways, such as through Medical Device Information Sharing Analysis Organizations (ISAOs).
These types of incentives will drive healthcare to build technology securely, but because their domain is healthcare, efforts will be expensive and may fall short. Therefore, it’s necessary for the tech sector to lead a “shift left” movement and provide seamless, secure by design, out-of-the-box technology that healthcare can use to build their innovative healthcare products.
Seth Carmody, PhD, MedCrypt vice president of regulatory strategy (Photo courtesy of MedCrypt)
HL: So much of what healthcare faces in this cybersecurity crisis is a crisis of education. Many breaches seem to be traceable to social engineering. What interesting or novel efforts exist to improve the education effort?
Carmody: Security is a harsh discipline and not kind to amateurs. If I’m a financial analyst at some firm and I work with spreadsheets all day, and my organization’s security posture depends on me to also be a security analyst and not open potentially malicious spreadsheets, then it’s game over. Are we surprised with the results of trying to make everyone a security expert? Education can only go so far. Security can’t be hard for people just trying to get their own job done.
HL: As the internet of things proliferates, economic forces that prevent medical devices from being secure by design are going to be a bigger and bigger problem. What carrots or sticks can be brought to bear on medical device manufacturers to assure security despite those economic forces?
Carmody: We need a healthcare supply chain, shift left strategy, where lawmakers and regulators require [that] healthcare technology vendors' technology must be secure by design. We need the upstream tech supply chain to supply technology to those vendors that is secure by design and can be integrated securely and easily. We need arbiters of security that can assess, at scale, the adequacy of security that removes the burden from the consumers (hospitals, clinicians, and patients). Lastly, when things go wrong, we should notice, and liability should be shared by the producers of the technology, not just the consumers of technology.
HL: Are the breach reporting systems defined by HIPAA up to the mission? As HIPAA continues to evolve, are there things you would do to fix those systems?
Carmody: HIPAA largely punishes the consumer of healthcare technology debt, where problems manifest, not the producer who controls the amount of security debt in products they make. Therefore, HIPAA exerts limited upstream economic pressure on healthcare tech vendors who optimize to satisfy the letter of the law such as encrypting only Protected Health Information (PHI) data versus command data.
The HIPAA Security Rule has been in effect for over 14 years, but a 2019 study from CynergisTek reports the healthcare industry has only managed to achieve 72% compliance with it, which may seem like a good score, but one that doesn’t measure risk or actual security. Data show that breaches are increasing. In other words, we’re not any better at security.
HL: What lessons have you learned from the COVID-19 pandemic about what's working, what isn't, and how the health tech industry is rising to the challenge, with so many more lives on the line?
Carmody: The time when healthcare is critically focused on pandemic response is also the time when it is most vulnerable to threats. Hospitals, which operate on thin margins, cut IT staff to stay afloat while revenues dropped, but still needed to deliver care to COVID patients. Data show that adversaries took advantage.
The healthcare industry has made tremendous progress and that must be acknowledged. The issuance of multiple guidance documents from international regulatory bodies and industry leaders, and the voluntary engagement by device vendors and security researchers at the DEF CON BioHacking Village, are signs that times are changing. However, the tension between healthcare and security is rooted in the fact that healthcare’s first job is to deliver healthcare. Therefore, technologies built to serve healthcare are built primarily to deliver on healthcare features, not security features, like monitoring, that would help connect security events with patient outcomes. As a result, the healthcare industry accrues security debt, yet paradoxically, healthcare must also deliver healthcare securely because any lack of security threatens the ability of the healthcare ecosystem to function. This tension must be resolved for any additional progress to occur.