The EHR is only one form of burnout-inducing tech, says ER doc who doubles as CMO of CDS supplier.
A recent article in the Journal of the American Medical Informatics Association (JAMIA) points out the continuing role of information technology and electronic health record (EHR) usability issues in aggravating clinician burnout.
Matt Lambert, MD, is a practicing emergency medicine physician, as well as chief medical officer of Curation Health, a supplier of clinical decision support software to healthcare providers. Lambert addressed the burnout issue and more in a conversation with HealthLeaders.
HealthLeaders: What do you think causes physician burnout?
Matt Lambert: Change coupled with inadequate support, resourcing, and education is a main cause of provider burnout in my opinion. We experienced this with the incented roll-out of electronic health records—and we are experiencing this again today in the taxing but vitally important transition from fee-for-service to value-based care (VBC).
In addition, the emotional impact—day-in and day-out—of doing everything you can to help your patients and not always being able to do so is a core cause of burnout. We deal in human lives and people trust us to, in some sense, save them no matter what. Not being able to always "save" patients is immensely harrowing and can wear on a provider's mental health.
Lastly, frustration with the healthcare system at hand is a reality. Over time, things like why we can't get patients' medications delivered or ensure they have a ride to their dialysis appointments become intensely frustrating. Many of the issues mapping to social determinants of health (SDOH) fall into this bucket—essentially, they are simple changes and fixes that you don’t even need a provider for but that can have an immense impact on patient outcomes. Not having the resources to manage SDOH-related issues that lead to poor outcomes is a consistent frustration leading to burnout.
HL: Have you ever felt burnout? If so, what do you think was the main contributor?
Lambert: In my opinion, physician burnout is multifactorial, but the electronic health record does play a significant role in this issue, which is ironic, because my own burnout was one of the things that led me to diversify my career and landed me at the intersection of healthcare and technology. Emergency medicine is my clinical specialty, and the very nature of that job drives people to burnout. Choosing to be there for people in distress, while being away from your loved ones on nights, weekends, and holidays exposes you to a lot of pain and suffering—while also diminishing your own ability to manage stress. Being the point person for managing the gap between the expectations of patients and their families and the incentives for health systems and insurance companies is no light lift either. Lastly, and [I'm] stating the obvious here, the pandemic has created unprecedented stress on the provider community.
Caring for others with very little margin for error is challenging. Doing so with poorly configured technology is even more difficult and can lead to burnout.
HL: How much of burnout comes from the EHR, and how much of it comes from other issues?
Lambert: Having embraced the adoption of healthcare technology, I find it less burdensome than providing acute care. I do empathize with my colleagues who list the electronic health record as higher on the burnout scale, however. If I had to break it down, I would say it’s a 60-40 split today, with 60% of provider burnout mapping to the electronic health record and 40% to other issues. I often say that we—at Curation Health—apply physician-level accountability and attention to detail with healthcare technology, and I expect the same from our electronic health record colleagues.
HL: What factors outside of the EHR might contribute to provider burnout?
Lambert: Regulators and the related guidelines they offer have a major impact on provider burden. Sometimes well-intentioned regulations wind up creating more challenges, and often, the unintended consequence of these regulations is greater administrative burden. Thomas Jefferson stated, “the man in the field, knows what is best for the man in the field,” and I hope the new administration will embrace this theme in developing guidelines moving forward.
Also, technology other than the electronic health record can also be immensely time-consuming and frustrating, which leads to burnout. Companies that create technology without understanding the unique intricacies of the providers’ workflow can create more challenges that drive provider burnout.
HL: What evolutions have occurred in clinical decision support (CDS) tools?
Lambert: Curation Health is a quality and risk adjustment platform that integrates with electronic health records at the point of care. Our platform helps providers and payers simplify the transition to VBC. We created the Curation Health platform to address a missing and mission-critical step in VBC—enabling physicians and care teams to code and document in a way that truly reflects the complexity of care they are providing, and to do so without adding new administrative burdens to their workload or asking them to operate in an unfamiliar workflow.
In my career as a physician informaticist and CMIO, I have created more than my fair share of CDS tools within several electronic health records. Aligning order sets with the latest clinical guidelines for the treatment of community acquired pneumonia or making it easier to comply with federal guidelines for sepsis is a very good use of healthcare software. But, at Curation Health, we have repurposed CDS to mean something completely different—Clinical Documentation Support.
Telehealth and remote work demands have increased the security concerns of providers, the HIMSS annual survey finds.
Cybersecurity budgets in healthcare are expected to continue to fall short of actual needs in the next year, according to a new survey by Healthcare Information and Management Systems Society (HIMSS) Market Intelligence.
Research for the 2021 State of Cybersecurity Report: The COVID-19 Evolution was conducted in January by surveying 131 security or cybersecurity decision-makers employed at U.S. hospitals, health systems, and ambulatory care organizations.
Three out of four respondents said changes due to the COVID-19 pandemic have resulted in a larger or more complex computing edge, akin to the cybersecurity concept of attack surfaces.
On average, these decision-makers believe they need to be spending 24% more on cybersecurity in the next two to three years than they currently do.
Of those surveyed, 73% say their organization needs to increase funding to continue to be secure, effective, and compliant. Unfortunately, only 40% expect their organizations will be able to make the necessary financial investment in cybersecurity.
The new IT security challenges presented by the pandemic have driven greater adoption of two-factor authentication. Total adoption among those surveyed is 67%, with 12% of adoption due to COVID-19.
Email and Telehealth Perceived as High-Security Risks
The two most common technologies—email and telehealth—are perceived to be high-security risks by those surveyed. Some 44% of organizations surveyed adopted telehealth in the past year as a response to the pandemic. At this point, 96% of organizations use email, and 95% use telehealth.
But these technologies are also rated as critical risk vectors. Of those surveyed, 84% perceive email and 70% perceive telehealth as introducing risk.
Three out of four respondents said their organization had added at least one computing element to their tech stack as a direct response to COVID-19. Among the leading components added due to the pandemic were telehealth, integration of tablets and smart phones into clinical workflow, smart or digitally connected medical devices, remote patient monitoring, and chatbots or other AI-assisted communication.
Team-up with Chatterbox Labs, due out next month, will build on related work by both companies.
The thorny issue of monitoring, updating, and validating an organization's artificial intelligence (AI) model in the face of growing concern about unethical AI use is the basis for a new team-up between the Deloitte AI Institute and Chatterbox Labs, a technology company that validates ethical, trustworthy, and fair AI.
Model Insights for Trustworthy AI will be a Deloitte-branded solution to help organizations address AI ethics.
State of AI in the Enterprise, the recently released third edition of Deloitte's study of enterprise AI adoption, concluded that 95% of those surveyed are concerned about their AI initiatives' ethical risks.
The Deloitte AI Institute developed a guide for organizations on how to utilize AI responsibly within their enterprises, and deal with common risks and challenges regarding the ethics of using AI. Now this guide, the Deloitte Trustworthy AI framework, is being operationalized through the Chatterbox collaboration.
By continuously monitoring enterprise AI models, the new technology, Model Insights for Trustworthy AI, provides insights that can detect biases and vulnerabilities, and lets organizations validate that their AI models are ethical.
"Rapid developments in AI have unlocked incredible opportunities for organizations globally," said Beena Ammanath, executive director of the Deloitte AI Institute, in an announcement. "At the same time, more work is needed to ensure the ethical use of AI technology."
Deloitte's Model Insights technology, which will be available in April 2021, is built on Artificial Intelligence Model Insights from Chatterbox Labs.
Alaska's Mat-Su Health Foundation project provides a model that its proponents say can be replicated anywhere.
Healthcare continues to be bedeviled by "frequent flyers"—high utilizers of expensive emergency departments. But one healthcare system in Alaska is showing how, with the right dose of technology and a focus on social determinants of health, these high utilizers can be better served and ER costs dramatically reduced in the process.
To better understand the strategy, it helps to take a look at the organizations involved and the timeline.
Community Needs Assessment Reveals Dire Needs
Mat-Su Health Foundation co-owns the Mat-Su Regional Medical Center, which serves a population of 100,000 in an area defined as the Matanuska-Susitna Borough, or Mat-Su for short. (Alaska uses borough designations instead of counties.) Located in Palmer, Alaska, the hospital is situated in one of the fastest-growing population areas in south central Alaska.
In 2013 the Foundation conducted a community health needs assessment, which found mental health, emotional health, and substance use disorder as the highest priority health issues facing the region. In addition, the population had twice the national average yearly suicide rate.
To address these challenges, the Foundation convened a task force, which included state and local leaders, as well as first responders, to research and then tackle the problem at all points where patients in crisis touched the system.
A follow-up study demonstrated additional concerns across all payers and all age groups, says Elizabeth Ripley, chief executive officer of Mat-Su Health Foundation. About 99 patients had five or more visits to the emergency department; 66 had 10 or more visits, and 19 people had a total of 477 visits. To reduce these super-utilizers, Ripley convened leadership, including Anne Zink, MD, then head of the hospital's emergency department, and now chief medical officer for the state of Alaska.
Additional data for 2013 painted a grim picture:
The emergency department saw 2,391 behavioral health patients for a total of 6,053 visits, costing an estimated $23 million.
These patients had higher charges, more frequent visits, and were more likely to return to the hospital within 30 days, as compared to other patients.
An additional $1.6 million was spent on law enforcement, 911 dispatch, and transportation.
Alaska state troopers responded to 851 health-related emergency calls, and EMS/ambulance services responded to an average of 432 calls.
Broadening Community Involvement
"Besides doing all the data crunching, we interviewed a lot of people for the reports," Ripley says. "We interviewed the chiefs of police from two towns, and the captain of the Palmer detachment of the state troopers."
Those interviewed, naturally, showed heightened interest in reading the report. The state trooper captain went further, taking a 40-hour class on how to incorporate crisis intervention training and mental health first aid practices into law enforcement. "He came in and said, 'I've had a bunch of wins,'" Ripley says. He wanted all first responders in the Mat-Su Borough to be similarly trained. Today every officer at the Alaska State Trooper Academy in Sitka receives mental health first aid education, and 25 Mat-Su troopers have completed crisis intervention training.
Yet that was just the beginning of the transformation that became the High-Utilizer Mat-Su, or HUMS, program. In late 2016 and early 2017, a team from Mat-Su Borough traveled to King County to meet Enrique Enguidanos, MD, MBA, and see firsthand the kind of crisis intervention that he and his company had come up with there, to good results.
Enguidanos had been the medical director for Providence Regional Medical Center Everett, which had the largest emergency room in the state of Washington, an ER that saw 120,000 people a year. "We had a problem with utilizers, and my nursing director and I just created a grassroots program out of our hospital, and it had tremendous results."
The key: Knowing when a high utilizer was presenting at the emergency room, and getting a mental health counselor to show up in person, while the patient was still at the ER, and get them into the mental health system right then and there, during the crisis.
ADT Technology Bolsters Efforts
To do that, Enguidanos relied on one of a new generation of tools mining admission-discharge-transfer (ADT) events, collected by every hospital. This equipped the mental health intervention team with information to know, at any hour of the day, when and where the high-utilizer patient was presenting.
The tool he used, the Collective Platform (formally known as the Emergency Department Information Exchange, or EDIE), provided by Collective Medical, enabled his intervention team in Washington state to reduce emergency department visits by 80%, by instead connecting frequent flyer patients with primary care physicians and federally qualified health centers.
Programs such as Collective Medical's embody the first of seven best practices developed by the Washington State Hospital Association: redirecting care to the most appropriate setting. For example, it involves exchanging patient information among ERs, helping patients understand and use appropriate sources of care, instituting case management to reduce inappropriate ER utilization, and implementing guidelines to discourage narcotic-seeking behavior.
In 2017, due in part to Zink's advocacy, Alaska implemented the Collective Platform statewide, which paved the way for Enguidanos' implementation of the program in the Mat-Su service region. To extend his expertise, Enguidanos founded and became chief executive officer of Community Based Coordination Solutions (CBCS), a healthcare services consultancy which contracted with Mat-Su Health Foundation to implement its HUMS program in that Alaska borough. "Typically, what I do is contract with payers around the country, I'll bring in my own staff, and we go at risk," Enguidanos says. "It's really about finding the homeless, mental health, and substance abuse patients that others can't engage."
One way that CBCS initially finds these patients, about 25% to 30% of the time, is when CBCS staff gets a text that one of these patients has shown up in an emergency department. "No one has ever been able to see them," Enguidanos says. "Payers all have them on their rolls. They've been assigned to a case manager, but the case manager has never met them, because the patients don't answer their phones." Some frequent-flyer patients, in fact, had five or six care coordinators who had never communicated with each other.
Having already created relationships with the emergency department, CBCS staff proceed to ask ER staff if the patient is okay meeting with CBCS staff at the ER. If the patient agrees, CBCS staff then meet and ask each patient about their particular care gaps or concerns.
"Probably half of those visits come after hours, when traditional care coordination programs aren't going to be around," Enguidanos says. Even if the patient's concern is just about how to get transportation to an appointment the following morning, these after-hours care coordinators help however they can.
Throughout the Alaska rollout in the Mat-Su area, Zink spearheaded this effort, Ripley says. "I just can't understate how important it is to have a champion," she says. "She's a super-communicator, and in a case like this, there were so many people we had to convince along the way—legislators, administrators, ER docs."
"A huge piece of the work is putting the patient at the center," Ripley says. "That's how we got people to the multidisciplinary team table."
Program Results in Significant Savings, Yet More Work is Necessary
In 2018, the first year of the program, the medical center reduced emergency department utilization by more than 52%, saving $1.9 million, which includes the cost of HUMS. For those patients with a decrease in utilization, the system saved $2.167 million. "And we've reduced the cost of the program over time," Ripley says.
The upfront investment is real, and Mat-Su could afford to do that by plowing nonprofit proceeds back into programs like HUMS. At present, that limits the size of the program to 100 patients. "But the payoff for individuals, families, and the community is just extraordinary," Ripley says. Many stories already exist of individual patients for whom HUMS has turned their lives around, leading to better health, employment, and more, she adds.
It also makes concrete the care plans previously created by care coordinators for these patients, Enguidanos says.
"Suddenly, we had one plan that was working," he says. "It was how much we could do with just community workers and making that initial engagement. After about a year, we can get patients in a less acute program. We can reach them by phone. It's not that they didn't have phones before. It's just that they didn't see any value in engaging with us."
The patient quickly becomes invested in their own care, which makes the efforts of clinicians all that much easier, Enguidanos says.
CBCS' contract with Mat-Su Health Foundation concluded after a two-year run, but HUMS continues, operated by LINKS, a nonprofit agency that the Foundation funds. Despite its success, HUMS essentially represents a proof of concept that still needs to be scaled. For that to happen, other stakeholders—namely, payers and states—need to go all in, including funding and operation, Ripley says.
"We shouldn't even have to prove the model anymore," she says. "We should just be deploying it across the country. It's ridiculous that we're not.
"Our next level is getting the payers engaged," Ripley says. "They would have a lot more leverage. Now it's all voluntary [patients must opt in]. But with a little leverage, we could bring quality of life to a lot more people.
"At this point," she continues, "where America has the most costly healthcare system in the world, why can't we pivot to make sure all of our hospitals and communities have a program like this?"
Part of the answer may lie in the fact that the steps taken by Mat-Su Health Foundation have only begun to solve the problem. Ripley admits that the number of super-utilizers of the emergency room has, in fact, continued to grow each year, despite the cost savings that HUMS has unlocked.
"We need other measures to stem the tide," Ripley says.
[Editor's note: This story was updated on 4/17/21 to reflect that Mat-Su Health Foundation co-owns the Mat-Su Regional Medical Center, and due to a previous editing error, the article now correctly indicates that 19 people had 477 emergency room visits prior to launching the solution.]
Federally qualified health center emerged stronger to serve the community during the COVID-19 pandemic.
When the Tubbs Fire came roaring down from hillsides northeast of Santa Rosa, California, in October 2017, it devastated a community and the Vista campus of its federally qualified health center, Santa Rosa Community Health.
But thanks to the courage and quick action of its CEO and other leadership, and the adoption of tech-savvy outside technical operations, the clinic pivoted to continue operations while critical improvements were made. The story of how the organization approached this crisis—compounded by IT issues—and ultimately came out the other side better provides a blueprint for innovation under fire.
The CEO, Naomi Fuchs, credits, among other things, her educational training in anthropology for sustaining "an interface of culture and healing" that enabled the clinic to do what it took to survive, including standing up a centralized call center in two days, which also let patients communicate with their clinicians via text message. Clinic staff also physically reached out to fire refugees camped on area beaches.
Her training "really informs my approach to leadership. It's about the people and the culture you create," she says.
"When we lost the building, that displaced about 150 employees and about 24,000 patients," Fuchs says. "The phrase we said over and over again is that we will be here for everyone no matter what."
Easier said than done, Fuchs admits. "You don't know how it's going to turn out," she says. "There's nothing predictable about any of it. You don't know where your money is going to come from. You have to take a leap of faith, and work really hard."
No Layoffs, Community Rallies, and Rebuilding Starts
Tough decisions bombarded leadership in the first days after the Tubbs Fire. On day number two, Fuchs and her team decided to press on with no layoffs. Meanwhile, the community rallied around the organization, including suppliers and lenders. "Most of them did, not all of them," Fuchs says.
"One of the other big lessons is that the people who are doing all the tactical work, day-to-day responding, probably should not be the people who are doing the planning," Fuchs says. "It's really two different states of mind. You've got your on-the-ground people, and then we designated a few people who stayed off-site to just help with planning."
Fuchs also drew upon professional relationships she had made in her healthcare career of more than 30 years in Sonoma County. "One of our employees has been embedded in the Santa Rosa Memorial Hospital ER for years now, connecting with patients," she says. The cell phone number of the hospital's CEO was in Fuchs' phone.
Such connections were critical to the patient care coordination demanded by both the fires and the pandemic. "You need to build that foundation of collaboration and relationships all along, not just when there's an emergency," Fuchs says.
Communication from leadership to employees was critical in those early days. "We had a catchphrase, and we still use it all the time, which is communicate at the rate of change," Fuchs says. "In the beginning, we would have as many as 60 or 70 people on calls. It was before the big Zoom era. It might have been three times a day. Then, as things stabilized a little bit, we went to twice a day, and then we went to once a day," paced over time with emails and in-person meetings, she adds.
Unpaid Telehealth Visits Prompt State to Authorize Payment During Emergencies
After the Tubbs Fire, as they scrambled to provide service in leased office space around the community, Fuchs and her organization also championed California state legislation that made patient encounters via telephone visits billable in an emergency, Fuchs said.
"We'd already pivoted to telephone visits in 2017," Fuchs says. "We never got paid for them" until the California legislation change, she adds.
"And of course, now, everybody's been in an emergency, and nobody wants to give them up, because it works so well for the patients," Fuchs says.
The Tubbs Fire highlighted in graphic detail the sheer safety value of moving clinical information technology off site. "We had people basically going into the burnt building, dragging out our servers to see if they still worked, trying to reconfigure and redeploy them," Fuchs says.
The Tubbs Fire had cemented Fuchs' determination to change her IT environment to boost reliability of the clinic's operations—and employee satisfaction and morale.
"People were really at their wit's end with how unstable things were," Fuchs says. "We probably even lost some providers and some staff over it. When you're trying to take care of people, you can't be wondering or hamstringed by your EMR being so slow or not there."
Enter the Permanently Outsourced CIO
As the tech problems hit their zenith, the clinic's IT director resigned, and Fuchs turned to a small but rapidly growing IT company, itself a product of a health system-funded innovation incubator, to rethink IT and straighten out the clinic's tech mess.
"We were asked to come on-site in June of 2018 through a referral," says Marc Whinnem, vice president of operations at Hospitality Business Network Solutions (HBNS), a subsidiary of The Innovation Institute, backed by Avera Health, Bon Secours Mercy Health, Children's Hospital of Orange County, the Franciscan Missionaries of Our Lady Health System, MultiCare, and Valley Children's Healthcare.
At that point, Santa Rosa Community Health "didn't want the headache of an in-house IT company," Whinnem says.
Whinnem, a 25-year veteran of the IT business, had a lot on his plate coming on board. The IT systems had "a lot of bolt-ons on top of bolt-ons" as a result of years of rapid but relatively unplanned clinic growth. Outdated hardware had to be replaced. Access to current gear, such as network switches, was restricted, due to lost or missing passwords. The current desktop environment was a mix of Windows 10 and outdated Windows 7 operating systems that had to be replaced. Misconfigured and deficient Citrix technology that was serving up EHR screens from a Sacramento colocation facility caused frustration to those delivering care. Whinnem suggested migrating offsite servers to the cloud.
"People aren't looking for outsourced IT support when everything's going well," Whinnem says. "They're looking for outsourced IT support when things are not going well, and they need help to transform that environment."
While he was swapping out Citrix for Microsoft Remote Desktop technology that would accompany the move to the cloud, he also had to deal with an ongoing rebuild of the community's infrastructure after the succession of fires.
"Homes and businesses were burned to the ground," he says. "Power and cabling get melted underground, and they had to be replaced." In fact, the outages continued for years, and to this day, continue in certain areas, he adds.
Unfortunately, all this gave the on-site staff operations team "a lot of practice in moving between paper and digital systems as they were up and going," Whinnem says.
In short order, Whinnem's role expanded to that of 100% outsourced chief information officer for Santa Rosa Community Health. It's a role he is familiar with; at this point, he acts as the outsourced CIO for a variety of small health organizations and other businesses.
Whinnem compared untangling the jumble of IT problems to approaching an iceberg, not realizing that the bulk of the problems lay unseen, underneath the apparent size of the problem.
The Vista campus reopened in September 2019, shortly before the Kincade Fire threatened to, but did not, burn down the rebuilt campus.
The Clinic Makes the Transition to the Cloud
The clinic's transition to the cloud was a big lift. "We had hopes to really turn this environment around between six and eight months," Whinnem says. "Realistically, it took us about a year."
Whinnem's team started the cutover from the Sacramento colocation facility to an Amazon Web Services cloud-based environment in January 2020, and completed the transition and closed down the colocation site on the weekend of July 4, 2020. The time in between was "working through resolving all the bugs and issues of making sure that it was functional," he says.
"The largest transition was really at the end, which is when we moved the whole electronic health record environment over," Whinnem says. "That was one of the areas that really caused the most grief prior to the move. Within a week, it was a completely different environment. Everyone noticed instantly. It was transformational."
The improvement couldn't have come at a more fortunate time since the pandemic hit just as the new Microsoft Remote Desktop environment was being tested. "The decision was made to flip everybody over, and we had to do that within two to three days," Whinnem says. "It went very well, and every time we added users, it made things more and more stable." And as the pandemic emptied out offices everywhere, the new environment made working from home practical and doable, just as it had been during the 2019 fires, when air pollution had also sent staff to safer locations to work remotely.
Another series of nearby fires threatened Santa Rosa in the fall of 2020. And the pandemic raged. But the clinic kept up with each new challenge, including helping with county efforts to set up mass vaccination sites, such as at the Sonoma County Fairgrounds.
Whinnem also notes that an IT staff that rotates between different clients, instead of always serving the same company, alleviates a problem that mature IT shops sometimes face: boredom.
Another advantage: "When you've got [IT] people that are seeing and experiencing new things, and they are seeing how they work in other environments, and going through the pros and cons of all of that, they bring all that experience back," Whinnem says.
Overall, "the return on investment comes with having a more stable environment is just such a better work environment for all of our employees," Fuchs says.
As cybercriminals target supply chains, it's essential to protect against third-party attacks.
With cybersecurity risks on the rise at hospitals and health systems, third-party access has been identified as a point of vulnerability. While preventing these types of breaches presents special challenges, there are actions organizations can take to mitigate risk.
SecZetta is a provider of technology that helps organizations execute risk-based identity access and lifecycle strategies for non-employee populations. With its technology, organizations can collect third-party, non-employee data in a collaborative and continuous manner to improve operational efficiency and accuracy in granting access, streamlining compliance audits, assessing risk, providing identity verification, and deprovisioning access as needed.
Such technology is now being utilized by hospitals and health systems seeking to safeguard supply chain processes, such as vaccine creation and distribution. It provides a way for these organizations to proactively provide cybersecurity and breach protection.
Recently, SecZetta CEO David Pignolet answered HealthLeaders' questions about how his company's technology does what it does, amid the security challenges that healthcare-providing organizations face.
HealthLeaders: Describe the typical third-party cybersecurity event, and how it has impacted the creation and distribution of COVID-19 vaccines.
David Pignolet: In the typical third-party cybersecurity event, identity credentials for third-party users are often compromised. These compromises make managing the identity lifecycle for third-party users extremely important for organizations that grant third-party access to their internal systems and data.
On average, companies take about 197 days to identify and 69 days to contain a breach, according to IBM, so it is probably too soon to really understand the extent as to the cybersecurity incidents related to the distribution of the COVID vaccine. In fact, the Mandiant Security Effectiveness Report 2020 found that 53% of successful cyberattacks infiltrate organizations without being detected, and 91% of all incidents didn’t generate an alert.
While it’s unlikely that companies know if they’ve been hacked, there are things that can be done to strengthen their defenses and understand any potential vulnerabilities now. Some of the most effective ways of understanding potential “weak” spots in your cyber defense program are by hiring “red teams” or “white hat” hackers to attack your organization. Weaknesses identified can be shored up immediately to prevent real attackers from succeeding.
HL: How do cybersecurity firms shut down third-party access in the event of a breach?
Pignolet: Most organizations have no automated way to remove or suspend third-party access in the event of a breach. This is because the automated identity processes, which have been at the heart of access methodology for employees, typically do not exist for third-party users. Current methods for providing third-party users with access at the majority of healthcare organizations still rely heavily on very manual processes focused on coordinating access approvals across the line of business and IT through a series of emails, phone calls, and maybe an IT ticketing system.
However, leading healthcare organizations have begun to adopt third-party identity lifecycle risk applications to automate these onboarding processes, including the collection of valuable data on the new users, such as the name of their employer, what credentials they have, who their sponsor is, what they need access to, and how long they will need access. This is invaluable information in the case of a breach.
For example, with a third-party identity lifecycle risk solution, healthcare organizations can automate the removal of access for third-party users, based on their employer or other factors in their profile—like their location, type of access, or their risk score. Access removal is fast and comprehensive, yet no user information would be lost, and access can just as quickly be restored once adequate security controls are confirmed to be back in place. The timely removal of access in a breach would be almost impossible for healthcare organizations without a third-party identity lifecycle risk solution.
HL: The SolarWinds breaches represent a new, pernicious form of cybercrime. Is the industry rethinking trust and certification issues in light of SolarWinds?
Pignolet: For too long, third-party risk management has been a compliance-driven exercise in most organizations. The breach data tied to third parties best illustrates the point—59% of all breaches are related to third parties, a pretty startling statistic. (According to an Opus Ponemon study, more than half of all data breaches (59%) can be traced to third parties and only 16% of organizations say they can effectively mitigate third-party risks.)
These breaches are generally tied to third-party users. This is because third-party risk management processes are typically defined at an organization level, but there is no consideration for the third-party users that are actually granted access.
While organizations should be on high alert, alarmingly, most don’t even know who their third parties are, or how many third parties they have. (According to a 2018 Ponemon Institute supply chain study, most organizations don’t even know their exact number of third-party users and only a third of organizations had a list of all third parties they are sharing sensitive information with.)
There are many ways that organizations are trying to reduce their third-party risk exposure. From an identity perspective, many organizations have adopted zero trust and “least privilege” practices to reduce over-provisioning employee access. However, because many lack an authoritative source of information for their third-party users, they don’t have the information or context needed to apply these policies to some of their most risky users. By adopting a third-party identity lifecycle risk solution, organizations are able to implement Zero Trust and “least privilege” practices across their entire workforce ensuring better outcomes from these strategies.
HL: Will supply chains face new forms of government regulation in the wake of SolarWinds, and how can technology meet new challenges presented by such regulation?
Pignolet: I don’t believe that regulations will fall to the supply chains, but rather to the organizations that utilize them as part of their business operating model. It will be incumbent on them to ensure the security controls are in place to protect the integrity of their business operations and their customers' data. It is hard to say exactly what form the regulations will take, but the unfortunate consequence of most regulatory action is that it drives a compliance vs. a security mindset. This can actually further handicap organizations as they may believe by meeting the demands of the regulation they are adequately protected.
The coronavirus pandemic challenged health systems' abilities to effectively schedule physicians; new report measures breadth vs. depth of scheduling software, as well as attributions affecting outcomes.
Following a year where the ability to effectively schedule physicians became crucial due to the COVID-19 pandemic, KLAS recently released a comparison of physician scheduling software, declaring that physician scheduling vendors "have made great strides" driving tangible outcomes,
QGenda Advanced Scheduling and Lightning Bolt took top honors. "Advanced Scheduling has the largest market share and some of the broadest deployments, most often used in very large organizations and academic medical centers," the report stated.
Broad deployment of Advanced Scheduling is supported by the system's rules engine, and QGenda's deep knowledge of scheduling, according to the KLAS report.
Lightning Bolt, a PerfectServe company, historically has been deployed in smaller, departmental settings, but more recently has proven itself able to scale up to a few very large organizations, according to KLAS. Overall, Lightning Bolt produces broad outcomes more consistently than the other software evaluated.
More complex deployments can face more difficulty when enabling reporting and dashboards. For instance, KLAS evaluated the offering from Ultimate Kronos Group (UKG), which has fewer enterprise deployments than competitors, and feedback from health organizations to KLAS found it less robust for more complex deployments.
Customers of QGenda Shift Admin require more help from the vendor to get reporting and dashboard functioning well, but the vendor is responsible and willing to help, KLAS' report stated.
The complexity of the leading software, QGenda Advanced Scheduling, is such that gleaning insights is difficult, KLAS' report stated. Thorough training of customers is a success factor, and those organizations that buy QGenda's add-on analytics package see more outcomes, though they are frustrated by the extra cost, the report added.
The report includes a grid measuring each of the four software packages' impact on outcomes for four attributes: scheduling transparency, scheduling efficiency, physician satisfaction, and data management. A separate evaluation places each package on an X-Y grid where the X axis represents deployment breadth as measured by the average number of facilities, and the Y axis is the average number of different departments per facility.
Real-time data feed helps local hospitals and others prepare for pandemic surges.
A free Web site that tracks flu and COVID-19, and predicts where it will surge next, is now online.
The FluDemic AI Prediction Center feeds a wide range of data into proprietary machine learning algorithms to help the public better understand what is going on in their communities, and detect hot spots as they emerge.
The free site offers current nationwide conditions by county, with various layers of criteria to browse, including average seven-day cases or deaths, the same results per 100K of population, average 14-day hospitalizations, and socioeconomic risk by mortality or morbidity. Animations for each of these trends over time are also provided in the free site, as is a prediction of each of these values in the next seven days.
A premium version of the site ingests real-time proprietary datasets from health systems and health information exchanges, and allows users to drill down to the neighborhood level. The premium version requires a monthly subscription based on data requests from the stakeholders, such as health systems, government, life sciences, and payers.
The platform lets users analyze trends of positive cases, fatalities, hospitalizations, and vaccination rates. A section on community impact measures unemployment, community mobility, and assorted indexes affected by the COVID-19 pandemic. As it ingests more data, FluDemic continues to learn and make stronger predictions.
In the future, this platform will expand into other areas, such as diabetes, opioid abuse, COPD, and cancer.
Act now to protect patient data by replacing outdated software and instituting cybersecurity training and drills.
The National Cyber Security Alliance (NCSA) has been on the front lines of the cyber-assault on businesses, especially healthcare, by criminals since well before the pandemic struck.
NCSA executive director Kelvin Coleman recently spoke with HealthLeaders about the continuing threat posed by criminals who see healthcare continuing to be one of the biggest, most lucrative targets for their ever-increasing cyber-intrusion capabilities.
HealthLeaders: What marketplace trends are impacting cybersecurity?
Kelvin Coleman: What we're seeing now is the digital transformation in healthcare. By 2025, four short years from now, it's going to be at about $210 billion invested. Compare that to $76 billion, just a couple of years ago, a threefold increase. We know, for example, virtual healthcare assistants—that market including smart speakers and conversational platform chatbots—is going to hit about $2.8 billion in a couple of years. COVID has really fueled it. We're seeing telehealth visits jump 175 times what they were pre-pandemic levels. These numbers are clearly pointing to the transformation, the evolution of the telehealth market, and we're not going back anytime soon.
HL: What is NCSA's big call to action?
Coleman: Right now, the big call to action is update, update, update. The telehealth industry relies on a lot of legacy systems, and we need to be able to update the systems and come into a much more modern era. The healthcare industry, particularly telehealth, relies on connected devices. The call to action for a lot of these healthcare providers is to come into the 21st century, getting rid of legacy programs. Some of them are still running Windows 7. There's absolutely no excuse for that. 83% of imaging devices run on outdated operating systems like Windows 7. So that's the first call to action.
The second call to action is an overwhelming show of force as it relates to training and awareness. That's still a big piece of what we do in terms of making sure folks stay safe in a physical security environment, when it comes to active shooters. We train people how to deal with that situation. Comes a fire, everyone knows what to do during a fire drill. When it comes to bad weather, inclement weather, you know what to do during that drill. Well, in the same way, people need to be trained in technology, to be sure that they understand what to do during a potential hack. That same training program, we're absolutely advocating for healthcare providers. Those two things alone will get us a long way to realizing a safer environment. Updating legacy systems and certainly enacting a very robust training and awareness program.
HL: With all the attacks that have taken place, particularly ransomware, is it possible people are experiencing "security fatigue," in a fashion similar to COVID fatigue?
Coleman: We know hospital systems have been hacked. We know that some have been held hostage by ransomware. And so the fatigue is really almost irrelevant because you're protecting patients' information. You're protecting the integrity of what you're doing as a healthcare provider. I would imagine when the seatbelt campaign started, decades ago, some would have said having seatbelt fatigue is kind of over the top. Well, we now know that it's a regular part of life. All these public service announcements can perhaps tire you out, but are very much needed. We have to continue to imprint upon people that this is just where we are today. Change the culture on how people see this.
HL: The SolarWinds hack took place way upstream in the supply chain. Certainly people are becoming aware of that kind of attack, but the potential for harm far outstrips the ability of a lot of end users somewhere to actually do anything about it. Can you share your thoughts?
Coleman: Make sure whatever third-party vendor you're dealing with has just as robust of a security policy as you have for yourself. Robust passwords, multi-factor authentication, while these things aren't very exciting, they're very effective for the end user to better protect themselves and their organization against attacks.
HL: Regarding security, what three things should leadership in healthcare focus on first?
Coleman: You can put in a training and awareness program tomorrow. Make sure you have a robust, thorough password and multi-factor authentication policy. Finally, start to identify your legacy systems. Again, that's easy enough to do. Those three things alone will get you a long way, in terms of helping your system.
HL: When an organization gets attacked, it can be quite useful for that information to be shared with other similar organizations. How do you score healthcare today in terms of reporting and sharing information on hacks and threats? Are those people stepping forward in meaningful amounts to share that information?
Coleman: They're getting much, much better at just sharing this information. You look at the health IT sector, ISAC, and other organizations, they are really on board with making sure everyone is protected. So yeah, they're getting much better.
HL: While there's certainly never going to be a day when there will be no attacks, will we flatten the curve of attacks at some point, or is that unrealistic?
Coleman: Yes. Not unrealistic at all.
HL: So when will that happen?
Coleman: We are heading in that direction. Y2K was only 20 years ago. After that particular time, the technology revolution really took off. In the next iteration, security is going to be very top of mind, because organizations realize that it's a business case. If I don't feel comfortable that you're going to keep my information safe, or keep my account safe, with [the] potential to be hacked, I'm probably not going to do business with you.
Research conducted among thousands of clinicians informs the report, which covers products from six EHR vendors.
The top electronic health record challenges faced by small hospitals, as well as best practices, are described in a recent report from KLAS.
KLAS defines small community hospitals as having 1 to 200 beds, and its report, "Small Community Hospital EMR Best Practices 2021," considers the following primary EHR software intended for these hospitals:
This report lists various challenges and best practices for each vendor's EHR software, as determined by KLAS research.
According to KLAS, it is possible for any size organization, using just about any EHR software, to assure strong clinician success. Two practices identified by KLAS research are key to enabling success.
First, organizations must create a culture of success. IT and organizational leadership is crucial, including designing in regular moments for the IT team to receive feedback from clinicians on the frontline. Training to help the IT and informatics team supply quality support and communication with clinicians is also key.
Small hospitals also need to build trust in their EHR software vendor by creating a collaborative relationship with regular touch points, the KLAS report stated.
It is also important for leadership to communicate high expectations that clinicians will master the EHR software, KLAS stated.
KLAS data from more than 100,000 clinicians reveals that good training has a profound and lasting impact on EHR software satisfaction.
The other key is customized training. According to KLAS, the quality of the trainer is more important than the particular structure of the training. KLAS recommends requiring a minimum of seven hours of initial EHR software education for clinicians, and at least three hours of follow-up training yearly.
KLAS interviews thousands of healthcare professionals about the IT products and services their organizations use. The questions KLAS asks are organized into six customer experience pillars: culture, loyalty, operations, product, relationship, and value.