Have executives run out of excuses to postpone increasing security awareness, employee training, and overall IT security budgets? Based on events of the past two months, one could make a pretty compelling case.
I saw a CNBC news story on April Fool's Day that I had to read three times to make sure it wasn't a hoax.
A survey of 1,530 nonexecutive directors and C-level executives in the US, UK, Germany, Japan, and Nordic countries, conducted by Nasdaq and Tanium, found that 40% of executives said they do not feel responsible for the repercussions of criminal hackings.
"I think the most shocking statistic was really the fact that the individuals at the top of an organization, executives like CEOs and CIOs, and even board members, didn't feel personally responsible for cybersecurity or protecting the customer data," said Dave Damato, chief security officer at Tanium, speaking on CNBC's Squawk Box that same day.
Have executives run out of excuses to postpone increasing security awareness, employee training, and overall IT security budgets? Based on events of the past two months, in the healthcare industry anyway, I could make a pretty good case:
In mid-March, another ransomware attack hit Methodist Hospital in Henderson, KY. The attackers copied records and deleted the originals. In this case, the hospital was able to activate a backup system and continue to run its systems smoothly, albeit with temporary limited Web access to some services. Methodist paid no ransom.
In mid-February, Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoin to hackers who had infiltrated its network and encrypted medical records and demanded a $3.4 million ransom be paid. The hospital CEO said paying the $17,000 ransom to unlock its own data, after three weeks of operating without critical computer programs, was in the organization's best interest.
All of this has activated security vendors and members of the media, such as myself, into a storm of calls to action in the information security realm not seen since the Anthem breach early last year.
Various advances in the kinds of malware that can deliver ransomware to healthcare desktops and laptops, often through spam, phishing attempts, or other credible-looking emails, are blamed for the recent rash of attacks.
The idea of ransomware is not new. Reports dating back to 2005 and before mention it by name. And then consider this: Some cloud-based systems will now lock ordinary users out of their services while they perform security scans and remove files they determine are malware.
This happened to me just last week, when ESET, a security vendor who has worked with Facebook since 2014, locked me out of Facebook (on every device I use to access the service) while it performed an hour-long scan-and-remove operation on one of my PCs.
The files it removed were unfamiliar to me, and probably were just adware, but nothing punctuates the precarious condition we find ourselves in better than the fact that a careful PC user such as myself must now consider such lock-outs a possible everyday occurrence.
What's to be Done
"Ransomware as it's out there today is taking advantage of a lot of things that we've seen from the security realm that we would like people to fix in the past… like patches not being applied, and outdated software," says Tony Tulio, senior manager of information security and privacy at General Dynamics Health Solutions.
In addition to keeping up with patching operating systems and applications, organizations need to adopt a security framework, such as ISO 27000, the NIST risk management framework, or the framework for healthcare promoted by HITRUST, Tulio says.
Any responsible healthcare organization backs up its data, but the ransomware surge suggests backups should occur more frequently, so the "last known good" backup can be relatively recent, and thus require a minimal amount of rework if it must be slipped into production use.
Another good suggestion Tulio offers is to try to interrupt the communication which must occur between ransomware and its command-and-control servers somewhere out on the Internet. "There are a lot of different points in there where you can break that chain and stop ransomware from actually affecting your computers," he says.
With each new wave of malware, I am more convinced than ever that the writing is on the wall for desktop computing as we know it. Keeping individual PC patches up-to-date just does not make economic sense at a time when we should be moving more of the IT budget away from running such patching and toward better overall security controls. Zero-client approaches make more sense than ever, although in healthcare, they are still uncommon.
Still, it is worth remembering that healthcare (and other industries) continue to face a variety of security challenges; ransomware is not the only threat out there. In February, someone found paper records for 113,000 patients in a recycling bin. Garden-variety breaches continue, although ransomware's ability to interrupt normal hospital operations clearly is a bigger threat to patients' lives.
Perhaps this is why so many high-ranking executives think cybersecurity is not their problem. But it's everybody's problem, it's getting worse, and the ransomware attacks on healthcare of the past two months are likely to make those cyber insurance rates spike upward again.
I keep coming back to that executive survey where I began this column. I hope any executive indifference to this threat will begin to disappear.
Healthcare is being squeezed from all directions, but having patient files held for ransom—with the terrible possibility that when they are unlocked, they will be marred by subtle, but troubling alterations—is unacceptable for all of us.
Healthcare information and security officers are leading efforts to avoid cyberattacks through training and tools as 81% of healthcare executives say that their organizations' systems have been compromised during the past two years.
This article first appeared in the March 2016 issue of HealthLeaders magazine.
"The worst place we could be in is if Americans are so desensitized to the breach of the day that we begin to accept that as normal," explains Pete Murphy, executive vice president and chief information officer at Cardinal Innovations Healthcare, a managed care organization with 720,000 enrolled members across 16 counties in North Carolina.
Now that cyber attacks as a source of data breaches are becoming routine in and out of healthcare, each breach represents not just a monetary loss to providers and payers but also a loss of faith by customers and patients in the healthcare industry.
This new fact has pushed data security way up the priority list for healthcare.
Consider this: 81% of healthcare executives say that their organizations have been compromised by at least one malware, botnet, or other cyber attack during the past two years, and only half say they feel that they are adequately prepared in preventing attacks, according to a 2015 KPMG healthcare cybersecurity survey.
Murphy, who previously managed risk and infrastructure in the financial services industry at employers such as TIAA-CREF, started at Cardinal in 2011.
"The breach stats in healthcare show that we are being targeted," he says.
"The healthcare security posture is behind other industries that have made these investments and have gone before us, and I think we need to catch up quickly. It's no mystery that attackers and their methods are increasingly sophisticated."
One such method is spear phishing, where fraudulent emails appear to originate from a known business or colleague but are, in reality, sent by criminals seeking elevated network credentials or other personal information from the targeted individual.
Once an attacker obtains such credentials, rather than immediately launching an online attack, the attacker may plant advanced persistent threats, Murphy says. "They have some characteristics that are particularly scary.
They hide themselves well, either in computer memory or on disk storage. They are likely going to exist in your environment undetected, could be for years sometimes."
If an organization had only $100 to spend on its security program, "you'd start with bringing your employee base into the problem with you," Murphy says. "You'd work to increase their awareness of the issue and give them all a little badge and make them all deputy chief information security officers."
Many of the breaches that occurred in 2015, such as the Anthem breach that affected 30 million members, remain under investigation by the Federal Bureau of Investigation, with no guarantee that the breach cause or causes will ever be brought to light. But the next major breach could have a different cause.
"Companies need to invest in technical security expertise, because the game changes constantly," Murphy says.
"We have some very good security people here that are passionate about it and have inquiring minds and really enjoy what we call threat hunting and attack hunting."
To respond to the spear phishing threat, Cardinal began doing awareness-testing exercises by sending fake emails to its own employees to see if they would click on them.
Murphy says it's not an exercise that many organizations undertake. As a result of this and other measures, Cardinal's number of malware infections and actual incidents have declined. Unfortunately, "these extra measures are not yet recognized widely by everyone in the cyber risk insurance world," so some do not reduce premiums for such insurance, he adds.
Phishing as a security exercise
Other measures Cardinal has taken include increasing the strength of users' passwords, and increasing the frequency of password expirations, Murphy says. For more sensitive use cases, such as remote access by employees who work with high-risk data, Cardinal is also requiring two-factor authentication—a password plus a biometric or other physical token.
The spear phishing threat is also top of mind for Tom Gordon, senior vice president and CIO of Virtua Health, a Marlton, New Jersey–based system with three acute care hospitals, three health and wellness centers, two ambulatory care centers, three fitness centers, primary and specialty physician practices with 287 physicians plus 87 additional practitioners, plus urgent care centers, ambulatory surgery centers, and long-term care and rehabilitation centers.
"We've had people give their credentials up" to attackers via phishing emails, Gordon says.
"Then you have to explain to the CFO that the $10 million we spent on security, well, it's not going to prevent any of that stuff if somebody gave out their credentials."
In response, Virtua has rolled out two-factor authentication, he says.
To run its own phishing awareness exercise, Virtua is turning to PhishMe, a commercially available service specifically offered to providers to run such exercises. Employees who fall prey during these exercises will have their accounts go on a watch list.
"And if you do it a second time, well, a more critical conversation takes place," Gordon says.
"It's not super-expensive, which is nice, and it'll allow us to run our own internal phishing attacks. The idea is to educate people. It'll also allow us to find out if there are people who are doing this more often than they should be."
To bolster security education, Virtua has also brought in security expert Mac McMillan, FHIMSS, CISM, to its quarterly meeting attended by all 700 managers in the organization, to explain what phishing is and when to alert the security team or simply delete those emails.
Gordon also turns to services such as FairWarning to help explain to his CFO and other executives the importance of investing in technology solutions and necessary personnel to monitor the information such tools are gathering.
"We haven't had a lot of pushback on the infrastructure items, like the hardening software and the encryption software and the intrusion prevention," Gordon says. "We've spent millions on that stuff."
Still, the possibility of future breaches cannot be ruled out. Fax communications persist and can be sent in error to a wrong phone number, Gordon says. Securing the Internet of things now entering healthcare is also a concern.
"We built a new hospital four years ago and a few new outpatient centers," he says.
"Every one of those systems all have connectivity to the outside." Given that the Target breach of 2013 was initiated by attackers through one of the organization's heating, ventilating, and air conditioning contractors, the security hardening of such systems has become a must-have.
Organizations join forces
One tangible result of the breaches of 2015 are efforts for organizations to pool their threat knowledge, responses, and other resources.
In December 2015, as part of the 2016 Omnibus spending package, Congress provided $31.5 million to enable the National Institutes of Standards and Technology to establish the National Cybersecurity Center of Excellence, and directed the Department of Health and Human Services to establish a task force to analyze how other industries are addressing cybersecurity.
Beyond the federal government's response, healthcare executives are joining together in other ways to meet the growing threat of breaches.
In 2014, the College of Healthcare Information Management Executives formed the Association for Executives in Healthcare Information Security to offer chief security officers and other top-ranking information security leaders the professional development and networking opportunities critical for their success.
Another collective response is coming from the Health Information Trust Alliance (HITRUST), an industry-led consortium that in summer 2015 conducted CyberRX 2.0, an exercise performed in conjunction with Deloitte Advisory Cyber Risk Services and HHS that brought together 250 individuals from 12 health plans across the United States to test their cyber incident readiness and identify areas for improvement for industrywide cyber resilience.
"You have to continuously exercise your plans," says Ray Biondo, chief information security officer at Chicago-based Health Care Service Corporation, which serves nearly 16 million members across five states and employs nearly 23,000 people in more than 60 local offices.
As one of the participating health plans, HCSC participated in what HITRUST described as the country's first simultaneous cyber attack simulation exercise for health plans.
"At this latest exercise, I think we've taken a giant leap forward in the healthcare sector to collaborate and cooperate in this cybersecurity space," Biondo says.
As the CyberRX exercise unfolded, the HITRUST Cyber Threat Exchange (CTX) shared critical intelligence, yet participants had difficulty sharing their own threat indicators of compromise (IOC) with the CTX and with HHS, the organization says in a summary of its findings. This validated a recent study of the HITRUST CTX, which found that while 85% of organizations use IOCs, only 5% of organizations share their IOCs.
As HITRUST continues its exercises and AEHIE continues its educational efforts, there is also an effort underway to improve IOC sharing via new methods of deidentifying those IOCs to be shared through a dedicated Homeland Security Information Sharing and Analysis Center (ISAC). Each industry vertical, including healthcare, has its own ISAC, says Murphy.
"Several of us in the healthcare industry are meeting to discuss ways to share threat information. We would like for this new leadership of the national health ISAC to become that same central clearinghouse of intelligence and threat information for healthcare," says Murphy, who was one of the participants who set up the financial industry's ISAC when he was working for Bank of America.
"It's going to come down to information sharing, collaboration, and cooperation going forward for us to really thwart some of the stuff," Biondo says.
"We're never going to stop it all, but maybe we could stop a lot of it, and that's key."
Optimizing block scheduling for hospital operating rooms is a potential cost savings for health systems. Having the right tools and the right data is imperative.
While it’s possible to bemoan the industrialization of healthcare, when large amounts of resources— represented by operating rooms, hospital beds, and staff—it is essential that healthcare systems look for inefficiencies and squeeze them out.
Toward that end, Mercy Medical Center, an 875-bed operating unit of Catholic Health Initiatives in Des Moines, Iowa, recently turned to cloud-based analytics software from Hospital IQ (formerly PatientRoute) to improve patient flow, reducing backups in the emergency room, and to better meet surgeon demand for operating rooms.
Mercy’s path to Hospital IQ began several years ago, when Kathy Goetz, vice president of perioperative and specialty services, attended a meeting convened by the Institute of Healthcare Optimization about how to do more to optimize scheduling people, rooms, and equipment.
“I was introduced to some statistical theories about how to help manage the flow of patients with a concept called the queuing theory,“ Goetz says. “That’s the concept of how do you help get things through a system. Queuing theory basically talks about when you have people standing in lines, how do you get them through? If you think about having four tellers at a bank, and you’ve got five people in one line and seven in another line and three in another line and eight in another line, how do you decide at what point you’re going to open up a fifth line? Or are you better to shut down one of the lines and consolidate your resources and have everybody go through three lines?“
Queuing theory is a fairly simple concept, but not so simple to implement without algorithmic help. Still, many industries, such as banking and grocery retailing, have applied the theory to good effect, as witnessed every time a supermarket opens a new checkout line when demand for clerks soars.
“I became very intrigued by the idea and came back and tried to implement some of the concepts, but found that what we lacked was the statistical software to help us be able to analyze our current flow data, and also to enable us to do some simulation modeling,“ Goetz says.
Through the Institute of Healthcare Optimization, Goetz found Hospital IQ. “We spent some time looking at what we thought the return on investment would be for our organization if we were able to utilize those tools,“ she says. In fall 2015, Mercy began its formal partnership with Hospital IQ, which began to send staff to Des Moines monthly to identify the data needed from Mercy to input into its analytics software.
‘A Big Surgical Factory’
One of the most challenging resources to optimize is block scheduling, which is the way surgeons use specific blocks of time, a resource most electronic health records do an inadequate job of optimizing. Block scheduling is made complex by the fact that different surgeries and surgeons require different lengths of time.
Since operating rooms can cost $60 per minute to run, making sure those ORs are not prepped-but-idle is a real area of potential cost savings for health systems.
“You want to get the most out of that time and understand who’s using it well and who’s not using it well,“ says Rich Krueger, CEO of Hospital IQ. Kruger comes from outside of healthcare, from virtualization software vendor VMware, and has a background rich in the theories of W. Edwards Deming, who championed quality control and management theory in the post-World War II era.
“The way you run the operating room, it’s a big surgical factory,“ Krueger says. “Most of your procedures are elective. Some percent are urgent or emergent, trauma cases or work-ins or whatever, but a lot are scheduled, and surgeons need to know when they can schedule patients.“
Until now, institutions such as Mercy have tried to fill the analytics gap with those time-honored healthcare analytics tools, the spreadsheet and the report writer. And for smaller hospitals, such solutions will suffice. But as Krueger puts it, “the bigger the system, the more complex the factory“ and thus the need for the kind of visualization that Hospital IQ provides.
At Mercy, decreasing overtime and meeting surgeon demand for increased caseloads is essential, Goetz says. It has engaged Hospital IQ “to assist us in looking at our overall hospital throughput, from patients that present either through the emergency department, through admitting, through procedural areas for admission after the procedure—whether it’s in surgery or cardiac catheterization labs—or [for] different imaging-type studies to help us as we have encountered some issues with boarding of some patients in our ED because our inpatient beds have been occupied.”
Granular and Visual
Because of the way the software is built, it is much easier for Goetz and her team to drill down to the case level, sitting next to a physician, to show them resource utilization and patient flow which need attention. “That sort of granularity is not something that we’ve had available to us through our electronic medical record or other programs,“ she says.
One of Hospital IQ’s more intriguing features even allows users to replay the data by watching actual resource utilization over time and look for ways to smooth perioperative and inpatient elective procedures, whether through staffing up, staffing down, moving staff around, or even moving patients around.
“You want to precisely manage inpatient resources and beds and staff to what actual demand is,“ Krueger says. Setting up Hospital IQ requires getting the needed data out of a multitude of existing data systems at health systems—bed management systems, alarm systems, scheduling systems, and EHRs, among others.
Finally, as with much of the recent wave of analytics technology, Hospital IQ is able to take the data it ingests and predict patient and surgery demand by such parameters as day of the week or month, and the impact such predictions will have on wait times for ORs or regular beds or ICU beds. Then there are the long-term trends to keep tabs on, such as decreasing length of stay, which also factor into the software’s predictions.
At this point I wondered if enterprise resource planning (ERP) software, which larger healthcare systems already use, provides some of this predictive capability.
“We’ve met with hundreds of customers, or probably a hundred at this point. You’re the first person that has ever asked me if any of the ERP systems does this,“ Krueger tells me.
“In fact, one of the ERP vendors that we discussed is actually interested in partnering with us because they’re looking at all the operational data. We’re reconciling things like orders and movements and timestamps—a lot of operational details that are not in ERP or supply chain systems.“
Back at Mercy, use of the technology is still too fresh to have measureable outcomes, but such data is imminent, Goetz says. Part of this is because the underlying data Hospital IQ is drawing upon at Mercy is itself somewhat of a moving target.
“We recently had some changes in our financial software that we use, and so trying to go back and say ‘OK, if we’re going to look at the data for a six-month period, we have it for four months in the old system and now we have two months of data in the new system.’ You don’t want to be using data that’s not really representative of where you are today,“ Goetz says.
“Now we’re at the point where we’ve identified where we think the majority of the information is going to come out of, and we’ve gotten enough data sent and validated that the data will come across… Now I think we’ll be able to move forward rather quickly and get some really quick wins.“
Rounding with IT staff has not only raised the IT skills of nurses, giving them a competitive advantage, it has also reduced the volume of help desk tickets and rewarded some IT staffers with a deeper level of purpose than ever before.
We hear about alert fatigue, but tech fatigue in general is also worthy of attention in healthcare.
As a way of combatting tech fatigue, the IT staff of HCA North Texas is making regular rounds of units, and in the process redefining how a healthcare IT department interacts with hospital and clinic staffs.
Last week, HCA North Texas CIO Leah Miller explained to me how it works.
Miller told me how she partnered with HCA North Texas Chief Nursing Executive Carol Gregory to verify that the myriad of equipment in use by nurses at the division’s 13 hospitals was continuing to be in good working order to meet a variety of important objectives, including compliance with sepsis bundle initiatives to reduce mortality.
“What we realized is they don’t really have time to make the call to ensure their equipment is working, and [also] take care of our patients,” Miller says. “So we took some of the Studer Group nurse leader rounding principles, and we created tech rounding.”
Here is how it works. Once a week, an IT team from HCA walks through each unit. “You can think of them as operational blitzes, where every member of the IT staff, from our nurses, our clinical informaticists, to our technical folks, to our physician support folks, all round to a unit at once,” Miller says.
A More Proactive Service Team
The idea is to evolve from the traditional IT service desk model, where all too often, staff wait to get a call, then generate a trouble ticket, then resolve the problem, and then move on to the next call.
During IT rounding, IT staff does everything from updating tracking equipment, to clinician training on systems, to checking computers to make sure they are in good working order and running the latest updates.
By being proactive, HCA is avoiding IT troubles in the units later on. “Recently in our division, we proactively touched 4,000 scanners for exactly that reason,” Miller says. “We don’t want our nurses in front of our patients having problems scanning meds.”
In the last three months, HCA North Texas has seen an average reduction in total trouble ticket volume of 15% percent, which equates to approximately 7,000 tickets HCA clinicians did not have to call in.
HCA North Texas has seen an even greater reduction in high priority tickets, those that are urgent because they can directly impact or delay patient care. These high priority tickets have dropped by an average of 52%, or 787 fewer instances per month of issues delaying patient care.
As elsewhere, clinicians are literally surrounded by technology as they do their jobs. HCA North Texas has more than 700 different applications it uses to deliver care to patients and it is not uncommon for a nurse to interact with about 50 applications on a daily basis. So IT rounding is an effort to simplify clinicians’ lives.
As beneficial as IT rounding appears to be to HCA North Texas IT operations, its biggest benefit has been to improve job satisfaction of nursing and related staff, Miller says.
“What else can we provide nurses as a competitive advantage to recruit them? Traditionally, in the healthcare systems I’ve been in, we focus so much on the physicians, and sometimes our nurses get lost, so we’re really trying to change that.”
Additional Benefits to IT Rounding
IT rounding may also have other beneficial ripple effects. First, there’s the rest of HCA, a much larger national healthcare organization which could benefit from this practice and help it spread.
Second, this increased level of engagement between IT staff and clinical staff could definitely influence future technology acquisition decisions. As much as the healthcare industry likes to measure things, there is something about measuring the quality of a technology product or service by simply counting the number of trouble ticket it generates that fails to capture some essential properties of that technology.
Miller agrees, and says that the tech rounding notion was born in part at HCA North Texas’ quarterly governance committee. “We take a service line at a time and focus [in a] deep dive, look at what’s trending in the industry, where the pain points are for clinicians,” she says.
“Our senior leaders chose med/surg, which is how this all started. It brought a lot of good things to light, everything from what you say [to] how we approach RFPs for vendors to the new tech that we’re looking at.”
For instance, when HCA North Texas set a new standard for in-room computing, leadership took care to ensure it uses equipment that does not have our nurses’ back to the patients. “We changed some things up in the way they document and the way we communicate with them, education tools for the patients. I’m just talking about the blocking and tackling of rounding, but it has, there’s probably six initiatives just from this that have started because of this.”
Although IT staff was initially a bit hesitant to move away from its traditional role, it now means some IT staffers see the healthcare mission at a deeper level than some of them had before.
“One of our techs met a teenager who was suffering from cancer and not going to make it. [He was] just on palliative care, and all he wanted to do was play his Xbox, and so we were able to get an Xbox for him,” Miller says. “As each of these guys have this interaction at a deeper level, they are now believers. They realize it connects them to purpose, to why we’re here.”
Savvy health IT customers understand that business intelligence tools are needed to leverage electronic health records data to the fullest.
Sometimes, we are at the mercy of technology.
Some years back, I was helping a nonprofit understand its customer relationship management system, as part of its intent to migrate from one CRM to another. In my naiveté, I sought to understand the underlying data structure of the CRM, which would help us figure out where the data lived, which data we had to move, and how best to arrange it after the move.
But the nonprofit's CRM, like the average CRM, and for that matter, like the average EHR, was populated with thousands of tables. Nine thousand tables.
It was daunting.
It is no wonder that the average nonprofit, community hospital, or health clinic is at the mercy of such a CRM or EHR, and why, once an organization selects such a technology, switching costs are prohibitively high.
The key, by the way, is often to try to leave the data where it already is and to use every modern analytics method to work with it.
I kept this all in mind recently when I spoke with Clark Carpenter, infrastructure supervisor at Southeastern Ohio Regional Medical Center, a 99-licensed bed facility in Cambridge, OH.
In 2012, Southeastern moved onto the Meditech EHR system and discovered that something was lacking in the reporting capabilities within Meditech, Carpenter told me.
To help, he brought in Tess McKahan to write the needed reports. "One was for our infection prevention department," McKahan explains. "There are a lot of things that they track on a daily basis, and with Meditech, the information was in there, and was just very hard to get to." It was also hard for the director to find easily.
So McKahan consolidated everything onto a dashboard. With one click a user could view data on all the patients to be seen that day. "Or," she says, "we can make another tab where it details it for her, so she doesn't have to go into the system."
As the self-service business intelligence tool it selected to write these reports, Southeastern chose Datawatch, a technology which IBM just selected as its preferred tool for IBM Watson Analytics and IBM Cognos Analytics users.
Datawatch also allows Southeastern to generate reports to track computerized physician order entry, (CPOE) not only to help reduce infections, but also to perform needed reporting for compliance purposes, McKahan says. "We have grown our business intelligence department, and now we are able to create dashboards for all over the hospital," she says.
Carpenter adds that the dashboards track where physicians stand as far as orders for lab, pharmacy, and diagnostic imaging. "There were certain criteria they had to meet in order to meet the meaningful use stages," he says.
"There's a percentage of those orders [that] had to be electronic. With this, we've been able to identify where we were as far as the meaningful use stage was concerned, but we've also been able to identify which physicians maybe needed some additional training, some additional help doing their electronic orders and training and so forth."
"And then [we were able to] really dive into those particular physicians instead of doing across the board saying, 'OK we need to get these numbers up. We were able to target those physicians and get them to the point where they're comfortable using order entry, therefore raising our numbers moving forward.'"
The dashboards also identified and explained a discrepancy between numbers being reported by one department director and what was actually happening. "What we ended up finding out… is that there were a lot of cancellations in that particular area," Carpenter says. "Since then, we've purchased appointment reminding software to decrease our levels of cancellation and increase our shows to that particular department. That's been a big one as well."
At this point I tossed in my usual observation that many in healthcare would presume the EHR itself does all this, and there should be no need for external business intelligence technology to do it.
"Without a dashboard to bring instances of different areas together, this information is scattered throughout Meditech," Carpenter says. "You look at Epic, which is competition for Meditech. They run into the same issues. There still has to be that front-end dashboard piece to be able to take that information together. I know other Epic hospitals, huge product for huge hospitals, and they run into the same situation we do."
Even in the most demanding situation, no EHR implementation would use all of the 9,000 tables I mentioned earlier. But business intelligence exists not only to make better sense of the data, but also to zoom in on important data where it lives.
Savvy health IT customers understand this and, like Southeastern Ohio Regional Medical Center, are finding the tools needed to leverage EHR data to its fullest.
With growing emphasis on postacute care, leaders are looking for solutions that enhance information exchange and patient safety.
This article first appeared in the January/February 2016 issue of HealthLeaders magazine.
Technology is driving a new wave of care coordination into long-term postacute care and home settings to enable improved outcomes at lower cost.
In July 2015, the Centers for Medicare & Medicaid Services published a proposed rule that incorporates encouragement for LTPAC facilities to adopt electronic health records, even though the meaningful use incentive payment program provided zero dollars for purchasing EHRs.
Many LTPACs are still using paper records at this point.
Despite such industry challenges, Dallas-based Tenet Healthcare—a for-profit organization that operates 87 general acute care hospitals, 20 short-stay surgical hospitals, and more than 425 outpatient centers in the United States—is already leveraging technology to speed care coordination between its facilities and LTPACs. From February to October 2014, Tenet's health information service provider (HISP) connected 350 LTPAC providers with 75 Tenet hospitals in 23 states, says Carol George, Tenet director of clinical integration.
Specifically, each LTPAC became incorporated into an online directory available to Tenet care managers from within Tenet's EHR software.
Using the Direct secure messaging protocol required in meaningful use stage 2–certified software, Tenet case managers have since sent thousands of care coordination messages to LTPACs, George says.
Prior to this initiative, such LTPACs had to receive these messages via phone or fax. "They didn't have what I would call the catcher's mitt," says Liz Johnson, chief information officer for acute care hospitals and applied clinical informatics at Tenet. "They didn't have a way for us to send something to a secure box that was managed by someone who had had their ID proofed. We made a decision as a company that the best thing we could do, given that there was no incentive on their side, was to begin to orchestrate Direct mailboxes for those entities."
Using Direct secure messaging is "much easier than printing from a chart and faxing things over," George says. "And if you get a busy signal on a fax machine, you've got to wait. It seemed so normal in healthcare for years."
Johnson explains, "What we hope is, by getting more complete information to the place of care, that the patients would be able to move in a more orchestrated or orderly fashion, and therefore their care wouldn't [for instance] repeat meds," Johnson says.
George says that in the past year, five large LTPAC providers have rolled out their own Direct HISP connections, further smoothing the flow of information.
Tenet has not yet studied the effect of this process improvement on overall outcomes, Johnson says. "We're always working diligently, like I said, to get the patients where they need to be."
Leveraging tablets, speech
One way some postacute care facilities are becoming more efficient with technology—and achieving some of the same cost-control objectives as acute care facilities—is to leverage EHRs based on tablets that enable a quicker learning curve for nurses and speech recognition to speed order entry.
Landmark Hospitals, a 282-bed, seven-hospital, long-term acute care (LTAC) system originating in Cape Girardeau, Missouri, in 2006, has since opened or acquired facilities in Missouri, Utah, and Georgia, and opened its seventh hospital in July 2015 in Naples, Florida. The company was formed to establish regional hospital referral centers for medically complex patients in need of intensive postacute care.
Joseph Morris joined Landmark eight years ago as consulting chief information officer. Nearly four years ago, the company decided to build its own EHR software to serve the needs that were different than those of a conventional hospital, Morris says. Partnering with Nuance, Landmark made the EHR voice-enabled and focused on running on tablets, although it also developed a desktop version, and recently added an electronic medication administration record to its ChartPad voice-driven EHR.
The goal by the end of 2015 was to complete the feature set, starting a separate company, Technomad, which is offering ChartPad to other long-term care facilities. "We divested our entire IT department to Technomad, which sells its services back to Landmark," says Morris, who also serves as CIO for Technomad.
"One of the main reasons we decided to build our own EHR was we don't qualify for meaningful use dollars," Morris says. "But we had to make it easy for our physicians as well. Physicians don't like point-and-click. They don't like the large EHR systems. When they come to our hospitals, they're glad we have ChartPad, and we allow them to dictate freely as they'd been doing before.
"If you look at the other EHRs, every lab that you have, every radiology result that you have, is going to populate your progress note every day," Morris says. "With our note, we just carry over from day to day. We only carry over the pertinent information that they need. And we allow physicians to make changes with their voice, changes that go right into the note." The Nuance SpeechAnywhere technology in use does not require the kind of training that an earlier Nuance technology, Dragon Medical, required, Morris says.
To facilitate care coordination with mainstream hospitals, the ChartPad EHR also generates meaningful use standard structured data, including ICD-10, RxNorm, and allergies,
"I don't think, nationwide, that people are aware of what long-term acute care facilities can do," says Adry Oliveira, RN, director of nursing at Landmark Hospital of Salt Lake City, which is based in nearby Murray, Utah, and has been open for two years. "We do chest tubes, bronchoscopies, arterial line monitoring, central venous pressure monitoring, and basically anything an acute care ICU can do. We have a respiratory therapist here 24 hours a day, and they are all intubation-certified. Our charge nurses place PICC lines. Our doctors will do central lines. A patient who is critically ill can be taken care of in a hospital like this."
ChartPad helps Landmark with efficiency, which is helpful considering that it gets a smaller reimbursement for taking care of a postacute patient than an acute hospital would get. "I can have an agency nurse come in, and she will learn ChartPad within an hour," Oliveira says. Even visiting physicians from Intermountain Healthcare—one of the area hospitals which discharges ICU patients to Landmark—use ChartPad while rounding at Landmark, and "they're happy with it," she says.
"All my audits can be done in a shorter time than it was before, because I can pull out the fall risk assessments, pain assessment, and reassessment. I can look at every single patient within minutes, and review the care provided by all departments."
Feeling the technology benefit
PointClickCare, an EHR built specifically for long-term care facilities, has helped LTPACs detect drug-to-drug interactions and out-of-range dosages and allergies, but interoperability issues with acute care remain, says Coral Lindahl, RN, nurse informaticist and PointClickCare coordinator at Ebenezer, the senior service division of Fairview Health Services, a Minneapolis-based system that operates six hospitals and medical centers, more than 40 primary care clinics, and more than 67 independent living, assisted living, memory care, and nursing home facilities.
"When I started out in nursing, we had a book that was probably 4 or 5 feet thick that we had to keep on our med carts and [use to] look up these drugs, and we had to know it all," Lindahl says. "Now the system does it for us."
Recently, Ebenezer moved to the latest version of the cloud-based EHR, and is now able to have providers view lab results online, instead of having them faxed from the lab, Lindahl says.
At this point, Fairview and Ebenezer still lack a common provider directory. "There was an organization here in Minnesota that was the state health information organization, but they don't exist anymore," Lindahl says. "It was going to be their responsibility to maintain that repository of information, so everybody's kind of scrambling in Minnesota, trying to get back on track. Right now, unfortunately, it would be me calling providers up and saying, 'Can you give me your Direct message address?'
"We've got a lot of organizations that will say, 'We're interoperable. We'll share health records.' Everybody talks the talk, but nobody moves. I think there's a lot of competing priorities."
One bright spot: Completion in 2014 of an 18-month project conducted by Stratis Health, which serves as the Medicare quality improvement organization for Minnesota, that facilitated health information exchange and medication reconciliation between 10 skilled nursing facilities and their three admitting hospitals.
Home health agency cites technology's role in growth
One fast-growing residential home health agency is leveraging technology but without the benefit of any integration with electronic health records from area hospitals or healthcare systems.
Residential Home Health, based in Troy, Michigan, is an independent provider of in-home home care and hospice services. The agency works with approximately 100 hospitals annually, 200 nursing homes, and 3,000–4,000 physicians, caring for about 3,500 home care patients and 300 hospice patients, performing about 400,000 home visits annually, generally paid for by Medicare, says company president David Curtis.
Ten years ago, Curtis and some partners bought the company and were able to sell it in 2015 to Graham Holdings, a NYSE-listed diversified conglomerate with $3.5 billion in operating revenue in 2014.
"We've grown from 48 employees and $5 million in revenue to about 900 employees and around $100 million in revenue in 2015, all in home care and hospice," Curtis says.
Tech tools of the company are Homecare Homebase, an EHR designed for home healthcare; the Medtronic's Cardiocom telehealth platform, which monitors more than 300 patients around the clock; and Salesforce.com, a customer relationship management platform adapted by Residential Home Health to manage care workflow.
"We need not just point-of-care documentation, but we need good workflow management, really good operational reporting and analytics, and dashboards, so the people know how we're tracking relative to our goals," Curtis says. "And we need email, secure email, which triggers communication of events as they happen, to people who need to know. So good technology is vital for us to stay connected, particularly given the decentralized operating model."
Residential Home Health boosts its referrals from physicians by providing them with a mobile app for iOS or Android that gives those physicians visibility into how their patients' home care is progressing, Curtis says.
"We don't have any data we get directly from a hospital EHR, and we've been doing it for 15 years," Curtis says. "Epic, which is a market leader, runs a very closed system and, in my opinion, they're not open to integration with third parties. And hospitals are doing all they can just to manage their systems, let alone plug in other people.
"Plus, generally speaking, hospitals work with dozens, maybe hundreds of home health providers, who all use different EHRs, so there's no easy way to plug into all the potential postacute partners, so they don't."
Instead, Residential Home Health relies on Extended Care Information Network, hospital care management and discharge planning software acquired by Allscripts in 2008. "I get a 30-page PDF that I've got to comb through and transpose into our EMR," Curtis says.
"Our sales team, when they get a referral, they know, quickly, and if something happens with one of those patients, whether it's an acute event, a rehospitalization, or a successful discharge, they know."
The net result: more informed and productive clinics, hospitals and physicians, and close to 2,000 new patient referrals a month for Residential Home Health, Curtis says.
As long-term care becomes more important to the overall success of acute care, finding partners such as Residential Home Health, aided by technology, will be increasingly important to the success of healthcare overall, Curtis says. Despite many competitors, he plans to expand beyond Michigan and Illinois into other states, he says.
The CIO of a Texas hospital shares security horror stories from his experience in the telecom industry and calls unsecured devices "a big, big, big problem."
As HIMSS gets underway, the healthcare IT world is still shaking from last month's audacious privacy breach at a California hospital. Hollywood Presbyterian Hospital paid a $17,000ransom to a criminal enterprise that broke into the hospital's system, encrypted data, and demanded an even larger payment.
While the concept of "ransomware" is not new, the very public ransom payment by Hollywood Presbyterian once again ratchets up the pressure in healthcare executive suites and boardrooms to do something different, and soon, to protect healthcare's digital assets.
As these things usually go, we may not learn exactly how the ransomware crooks found their way into Hollywood Presbyterian's systems and data. Perhaps to guard against further intrusions, or as a bulwark against lawsuits, enterprises tend not to divulge publicly just what the root cause of breaches are.
With that in mind, I spoke last week with a CIO who is sounding the alarm about an attack vector which, to my knowledge, has not yet been publicly blamed for any major breach in a US healthcare system, but has to be on the list of culprits.
Aaron Miri is chief information officer of the 100-bed Walnut Hill Medical Center in Dallas, Texas. "I came out of the telecom space," he says. "Healthcare is probably 10, 15, 20 years behind the finance, telecom, and other industries, and rapidly catching up, but very much behind.
"Medical devices are one of the top issues for CIOs, due to the fact that the rules of the road apply differently to hospitals than they do to the medical device manufacturers, the EMR vendors, and to all the different verticals within healthcare that make up the continuum of healthcare."
The issue, Miri says, is that too many medical device manufacturers do not meet the definition of a covered entity as defined by HIPAA. Where a covered entity such as Walnut Hill has to abide by all of HIPAA's provisions to encrypt data at rest or in transit, the non-covered-entity device manufacturers can avoid placing basic security provisions in their equipment—provisions such as specific, secure logins.
"Those medical devices and those devices out there in the field are absolutely a risk point, because they have to touch a corporate network in some form or fashion to translate that data back to your EMR or whatever application is ingesting that," Miri says.
At this point, I noted the lack of specific callouts to unsecured medical devices as a root problem on the HHS Office of Civil Rights' notorious "wall of shame" of HIPAA breaches.
Miri's response took the form of an example. "In one of my previous lives, we had a newborn hearing test [device] that goes into the newborn's ear, [and] was plugged in, via a serial cable, to a vendor-provided laptop," he says.
"That was all considered a standalone solution. But it was really a laptop connected to this medical device, all supported by the vendor. But it could not be encrypted for latency purposes. So we had to do all sorts of mitigating factors around it to make sure that, because it wasn't encrypted, that we accepted the risk, that we understood what the risk was, and so forth and so on. We had a business associate agreement with that vendor, and so that vendor dealt with the whole kit and caboodle, the whole solution. However, that was a risk point."
Sure enough, Miri says, "we did have an issue that we had to report to the OCR, because that laptop ended up stolen. These things happen all the time; however, given the nature of how clinical devices are somewhat a hodgepodge of laptops, computers, and/or a medical device, it may not qualify as a standalone device that must be reported."
A Big, Big, Big Problem
Windows XP is also a continuing headache in too many medical devices, Miri says. "I just saw one the other day in the UK, where a Windows XP device that was actually a lab instrument was infected with malware and had inadvertently infected an entire NHS hospital."
Another example Miri cites is medication-dispensing machines. "In my previous life, I had three brand-new medicine-dispensing machines shipped to me, brand new, still in the shrinkwrap," he says. "We put them into a brand new unit we had just built. We turned them on. We plugged them in the network. Immediately, my systems started going haywire. Sure enough, these things came infected from the factory with malware, because their underlying operating system was Windows XP. This was just a year and a half ago.
"Based on my conversations with other CIOs, [we] don't even know what's happening because of how unmanaged these devices are." He likens these devices to "little pockets of individual freedom floating out there that must attach to your network because the FDA mandates it must do so, without any ability to get your arms around the product, because they play by a different set of rules. So it's a big, big, big problem."
In Washington, groups such as CHIME and HIMSS are calling for tougher rules on medical device manufacturers, but Miri notes that responsibility for solving the problem is divided by between the FDA, the FTC, and the HHS Office of Civil Rights. "Who is the true sheriff of the road?" he asks. "Anybody who knows anything about government knows that once you have multiple agencies playing, they seem to get in each other's way."
The White House has a cybersecurity coordinator, but Miri says there is an effort to augment this with, effectively, a national chief information security officer, to stop the finger-pointing among agencies. A provision in the Cybersecurity Information Sharing Act of 2015, signed into law by President Obama in December, may help put such a czar in place.
It's a big, big, big problem.
"Some action is better than no action, but there is still no mandate, and I am still able to go buy medical devices on the market without any encryption, or without following the same rules that I am forced to go by as a covered entity," Miri says.
For now, CIOs such as Miri will have to rely upon a protective superstructure of security software, overlaid upon their computer networks, to try to detect intrusions, and limit the amount of damage that a rogue device can do upon a network. Miri relies on commercial solutions from vendors such as Imprivata to manage important aspects such as single sign-on, user access controls, and auditing.
"Especially when it comes to IT, I'm competing for every dollar I need to spend against a dollar that could be spent on a new bed or a new instrument, so if I cannot show ROI, you can bet your bottom dollar the CFO is going to give me any money to spend."
"So beyond the convenience and quality and safety factors of being able to audit, track, and disseminate what's going on with my community, I am able to show time saved. I am able to show a maximization of the time spent at the bedside with the patient."
Miri described other techniques that are making a difference, including virtual desktop interfaces (VDI) which provide further control of desktops. But I came away from our conversation believing it is high time that we crack down on those devices that represent one of the most vulnerable attack vendors of healthcare IT today.
It's not difficult to believe that if we do not act much more aggressively, a lot more ransoms shall be demanded by cyber criminals. At this crucial time in healthcare, it's the last thing any of us need.
Using technology associated with a Tom Cruise movie to identify hospital patients is an actuality at one Louisiana hospital, where it saves time at check-in, reduces chances for patients to receive the wrong care, and has already paid for itself.
At Terrabonne General Medical Center, a 325-bed acute care hospital in Houma, Louisiana, patients check in by having their photo taken by a greeter at the door to the waiting room.
Technology behind the scenes scans the unique markings on each patient's irises, matches these patterns up to previous registration data, or flags the patient as being new. The whole iris-matching process takes a couple of seconds. Even identical twins have unique patterns, and the whole thing works with patients as young as nine months old.
According to John Sonnier, manager of patient access services at Terrabonne, the only time a patient has to be reenrolled with the iris-scanning technology from RightPatient is when the patient has cataract surgery. "The surgery distorts the iris, so they have to be reregistered," he says.
Once the camera at the front desk takes that photo of a registered patient, RightPatient consults a master patient index and pulls up the patient's medical record, which is stored in McKesson STAR, and the patient is checked in.
This workflow replaced one all-too-common at healthcare check-ins nationwide: asking patients to present a government-issued photo ID, dates of birth, and, most irritatingly to some patients, all or part of their Social Security number.
Since going live with RightPatient in December 2014, nearly 17,000 individuals have checked in at the at Terrabonne's hospital, its radiology areas, the outpatient ambulatory surgery center, and at the emergency department.
"There's only one person that I know of that did not want to have their picture taken," Sonnier says. "Once we went through all the standard questions; once we finished, and I explained, 'now if you would have allowed me to take a picture of your iris, it would have pulled you up within two seconds, and I wouldn't have had to ask all that information from you.' And that person allowed me to take a picture at that point."
The Simpler, the Better
Needless to say, the time saved at check-in, and the reduced chance for patients to receive (intentionally or unintentionally) the wrong care, mean Terrabonne's system has already paid for itself.
It also meets the criteria I set four years ago—the simpler the technology, the better. What could be a simpler biometric than taking a photo, crisp enough to capture unique iris patterns?
As it turns out, for patient experience, it can hardly get any simpler. It also plays out a science-fiction scenario described in the 2002 movie Minority Report, where Tom Cruise's character, and all others in this fictional world of 2054, are recognized by digital sensors. All manner of welcome and unwelcome personalization is present (personalized advertising being the most unwelcome-looking).
It's a bargain the healthcare industry may be preparing to make, in order to once-and-for-all overcome the persistent lack of widespread patient ID technology that has us still reaching for our driver's licenses, dates of birth and Social Security numbers. Not to mention Congress' continuing ban on a national patient identifier.
But will this country as a whole have the kind of acceptance Terrabonne has seen?
Will others be so willing to essentially submit a high-tech mug shot upon every check-in? Like many technologies, here it is wise to remember that one size does not fit all.
"While it might work for the majority of us, if you're in parts of Pennsylvania and you're Amish, that's not going to work," says Catherine Schulten, director of product management at LifeMedID, another healthcare digital ID solution provider. "If you're in parts of Michigan and you're Muslim, and you wear a full face covering, that's not going to work."
But in some parts of the country, such as Homer, Louisiana, getting mug shots taken all over town is already a normal thing. "With our community, you go to the doctor, they take your picture," Sonnier says. "You go to the dentist, they take your picture. You go to the optometrist [they take your picture]. So we're used to having our picture taken."
In other words, put the solution in an area of the country where identity theft is rampant, where hyphenated names are commonplace and commonly misspelled on ID cards, and the face as a biometric token is an attractive option. And it presents none of the hygiene concerns of asking patients to have their palms scanned, or fingerprints taken.
From my vantage point in the San Francisco region, it seems like another world. I've never (knowingly) had my mug shot taken for any of those purposes. I posed the question on my Facebook page, and my friends' sentiments ran heavily against the idea, with many Big Brother concerns. One notable exception: one friend said his kid had received some other kid's medications, and had the clinician been looking at a photo of his kid in the process, the mixup might have been caught.
For more perspective, I turned to Adrian Gropper, MD, chief technology officer of Patient Privacy Rights, a nonprofit dedicated to restoring patient control over personal health information.
"I personally don't have any problem with a photo at registration as long as that photo is considered PHI like your address or phone number," Gropper told me in an email. "I welcome the idea, and there's some actual research to support [it], showing a thumbnail alongside any patient record screen. It actually seems to improve the empathy of clinicians and it is a safety measure."
This technique, a way of helping verify a patient's identity during the actual clinician encounter, is made possible as an optional feature in many EHRs, but it is unclear how many providers actually employ it. Terrabonne does not; although the photo makes the medical record match, Terrabonne's implementation of McKesson STAR does not store any patient photo for such purposes, Sonnier says.
Gropper adds, however, "it would be evil to send a photo to an HIE or other directory service for matching because that would be a coercive match that a patient cannot control," he writes.
So does Terrabonne's implementation qualify as a coercive match? Is it in Minority Report territory? Or is this just a clever way to solve the vexing problem of patient ID, one which patients can opt out of in time to avoid becoming part of the big photo-matching database?
Coming off the massive healthcare data breaches of 2016, the thought of patient photos in criminal hands, matching our stolen medical records to all the many other photos of us on the Internet, and captured by ever-more cameras in public, is disquieting.
The ultimate judges of biometric patient ID methods, for solutions from RightPatient, LifeMedID, and others, is likely to be the panel convened by the College of Healthcare Information Management Executives (CHIME), whose year-long National Patient ID Challenge competition launched on January 19.
"We want you, [and] every single place you've gotten care, to be correctly identified at the right time at the right place for the right care," says CHIME president and CEO Russ Branzell. The competition will see many different solutions vie for the top prize. Mug shots will be only one of several biometric identifiers in competition.
But one thing is also clear to me: there will not be palm vein sensors available in mobile phones, now or any time in the foreseeable future. This matters because there is no reason that check-ins such as those that are occurring at Terrabonne couldn't use the patient's own selfie photo, taken with the camera on their mobile phone, for an even more self-service patient check-in experience.
Minority Report concerns or not, cameras are easy, simple, and powerful biometric sensors. My money is on mug shots as the biometric token to beat.
Software and hardware developments are opening new ways to get patients more involved in their own care.
This article first appeared in the January/February 2016 issue of HealthLeaders magazine.
From addressing addiction to overcoming obesity, providers are engaging patients more than ever to help them change their behaviors for better health. Technology tools are an enabler, unlocking a range of solutions for care teams and patients.
Nearly two-thirds of Americans own a smartphone today, according to the Pew Research Center. Healthcare systems are capitalizing on the widespread use of such devices to effect behavior change.
With simple texting, patient portals, activity trackers, and connected medical devices, the healthcare industry is taking aim at improving patient behavior to prevent illness and readmissions, control or reverse chronic conditions, or direct patients to appropriate treatment before their health spirals out of control.
The Power of Texting
At the Rochester, Minnesota-based Mayo Clinic, with more than 59,000 employees in 70 health system sites in Minnesota, Arizona, Florida, Georgia, Wisconsin, and Iowa, texting has played a key role in positive outcomes in the health system's smoking cessation program.
"It is clear that text messaging and mobile applications support smoking cessation, and there have been a couple of large systematic reviews that have shown that," says Michael Burke, EdD, assistant professor of medicine at the Mayo Clinic College of Medicine and program coordinator of the Mayo Clinic Nicotine Dependence Center.
"Technology is more scalable, may add to the face-to-face aspect of smoking cessation programs, and it may play a role in filling the gaps which frequently occur between a person's being advised to stop smoking and them connecting with either medication and/or counseling that will increase the likelihood that they'll succeed in stopping smoking," Burke says.
A cornerstone of Mayo's digital smoking cessation efforts is a website, becomeanx.org, operated by the Truth Initiative, a national public health organization formed after the 1998 master settlement agreement between the tobacco industry and the attorneys general of 46 states. The organization developed the program working in partnership with Mayo.
"It's an informational website where you can learn a lot of different things about the anatomy of addiction, medication to help people stop, what triggers are and how to manage those, and there's a regular blog," he says. "You can also join the community, which is a large network of people who have stopped smoking or are in the process of stopping smoking, and they can form their own groups within that and provide advice."
The newest element of the program, now in pilot testing at Mayo, engages those who have connected with a tobacco treatment specialist with a text message support program, Burke says. To deal with relapses in smoking, participants can type in words such as crave or lapse and receive guidance on "things they can do to deal with a relapse," Burke says.
"There are so many apps to help people stop smoking, but very, very few are really based upon the evidence that shows us what actually works," he says. "We've been working to develop evidence-based digital support that can help tailor a message to people's specific situations, to help them stop smoking and to keep them connected with providers at a distance."
A study in the September 2015 Journal of Substance Abuse Treatment concluded that "smoking quit rates for the text messaging intervention group were 36% higher compared to the control group quit rates. Results suggest that SMS text messaging may be a promising way to improve smoking cessation outcomes."
Two particular factors that have been shown to be important in improving rates of tobacco abstinence are medication use and amount of time spent with a provider, Burke says. "We are looking to see the effect of text messaging on medication use, which I think is unique. We don't have results yet. In addition, there is a dose response relationship between counseling time and outcomes. As little as three minutes talking with a patient will significantly improve outcomes, and more time has better results. We are looking at the impact of text messaging in extending the provider reach in contact."
Such simple efforts could produce significant results.
"There's nothing that's more cost-effective in healthcare than helping people stop smoking, except for childhood vaccinations," Burke says. "Helping people stop smoking, in terms of clinical intervention, is extremely cost-effective in terms of just how many coronary bypasses it prevents and how many surgeries heal better, and how many cancer medications work better. No matter where on the life spectrum or disease spectrum that somebody stops smoking, there is a health benefit that can be translated into a cost benefit or quality of life benefit."
Burke says one risk of digital interventions is the potential of laying them on so thick that they become counterproductive. "If you bombard patients with messages, they may wind up avoiding the messages," he says. "So the technologies need to be inviting, interactive, and understanding of the person's particular situations and supportive without being strident."
Beyond texting, there is the potential of mobile apps for smoking cessation, including the ability to determine if a patient is entering an environment where smoking may be present, such as a bar.
"Mobile apps do have a real potential for understanding a person's individual circumstances, not only in terms of their personal circumstances, but to know, when you're going into a bar, your particular risk, and a mobile app has a potential to sense when someone's going into a bar. But the messaging needs to be really individualized and interactive," he says.
Beyond the Mobile Phone
As medical devices acquire certain phone-like qualities, they are able to provide smarter cues to motivate patients with chronic diseases. At Mount Sinai Health System, an integrated health system with seven hospital campuses in the New York City area, traditional blood glucometers are starting to be replaced with Livongo, a chronic care management system that uses a wireless glucometer to measure blood glucose levels. The program has been made available to all of its employees and their dependents and is about to be made available to members of another payer population who have diabetes.
Whereas traditional glucometers provide data that must be manually uploaded to a PC, the Livongo device contains a 2G radio that automatically uploads readings to the Livongo cloud-based analytics platform, says Niyum Gandhi, executive vice president and chief population health officer at Mount Sinai Health System. The next version, which comes to market this year, will have 3G.
The Livongo platform includes a rules-based engine that forwards results for special attention to Livongo's team of certified diabetes educators, who can intervene with patients enrolled in the program, Gandhi says.
"They can provide coaching," he says. "It might be something as simple as letting you know your blood sugar is low, drink a glass of orange juice. They can engage more longitudinally, as well, to kind of help the patients take control of their own diabetes. So that's Livongo's traditional model, which they have up and running with a whole bunch of self-funded employers across the country."
The Mount Sinai patient population exceeds the national average for presence of diabetes. "It's actually north of 10%," Gandhi says. "We've built a lot of clinical capabilities around management of many chronic diseases. Diabetes is one of them."
Notwithstanding its research-focused Diabetes, Obesity, and Metabolism Institute, Mount Sinai Health System deals with the same shortage of endocrinologists and certified diabetes educators facing other healthcare systems in the United States, he says.
"Our diabetes educators do a great job of engaging patients on a lot of these issues, but it takes a lot of time and energy. The shortcoming of just an in-person model is that, first of all, it's harder to scale, and second of all, there's time in between visits," Gandhi says. "So how do we make sure that helping the patient manage their diabetes is part of their daily lives, and that we're connecting what they do on a regular basis--which is checking their blood sugar--to a care team, the Livongo team of certified diabetes educators, which is plugged into the patient's diabetes educator at Mount Sinai and then, as appropriate, other clinicians at Mount Sinai as well?
"We're moving the system to population health. We're getting paid in that manner. We want to manage clinical care more effectively as well," he says.
The smarter cues come from the Livongo device doing double duty via its built-in two-way messaging capability, explains Gandhi. "The Livongo user always gets a message back after the blood sugar reading. So it might say, 'Seems like your blood sugar is in control. Keep up the good work.' Or it could say, 'Hey, things are little low. Drink a glass of orange juice.' "
Physicians could also configure messages to the device to prompt patients to schedule needed foot or eye exams, or to reorder supplies, he says. If the patient replies to a request for a call or message to make appointments, Mount Sinai care managers know they have the patient's attention, instead of their often unsuccessful traditional outreaches to patients to schedule such appointments.
"Who knows what they're thinking about when you send them a text? Here, we'll send you a message immediately after you test. I know what you're thinking about immediately after you're testing. You're thinking about your diabetes," Gandhi says.
Other Livongo users are proving to test themselves more frequently, due to its convenience and ease of use, he says. "In general in diabetes, people don't test frequently enough, so the testing rate goes up a little bit as well, which is nice."
Starting with an employee count of 36,000 on its own insurance plan, Mount Sinai was expecting a spike in those with diabetes to opt into the Livongo pilot starting in January, as part of the annual benefit cycle restart, Gandhi says. "We did make it available off benefit cycle, because we were so excited by it that we didn't want to slow down."
Although enrollment in the new program will not affect employee insurance premiums directly, unlike the traditional glucometer program in the plan, which has a copayment, the Livongo glucometer and testing supplies will be provided by Mount Sinai to employees free of charge, he says. "It's not like they have big deductibles or copays against diabetes testing supplies," but it adds up.
Gandhi also envisions the larger potential of scaling up programs such as this to the health system's overall patient population, aside from just diabetes. "We have 145,000 lives in full risk that are Medicaid and Medicare," Gandhi says. "We have another 75,000 or so Medicare lives in shared savings, either through Medicare shared savings or from the plan, and then we have as of January 1 another 120,000, maybe 130,000 commercial lives in some sort of shared savings. We will probably have over half a million lives by the end of 2016 in some sort of shared savings or risk environment.
"Because of our position in New York as an academic medical center, and the geographies we serve, that half a million skews disproportionately less healthy, with a higher propensity to have diabetes," he says. "We need to roll out, payer by payer, based on our arrangements with them, so I'm not going to oversell that we'll be up and running with everybody with Livongo within the first few months of the year."
As the program unfolds, Mount Sinai will evaluate its economic and clinical impacts, but until then, the return on investment of using Livongo will remain unknown, Gandhi says. The health system also has work to do to integrate the Livongo-generated results, or summaries thereof, into its Epic electronic health records, he adds. "We wouldn't want every blood sugar value to go in, because that's information overload. But should we have summary results where certain things go outside of control, rather than having somebody manually document it in Epic? Should we have something automatically go in? We could do that, but we're not there yet."
Tracking Patient Activity
A culture of patient engagement, wellness, and self-care starts at the top at Houston Methodist, a seven-hospital, 1,931-licensed-bed health system in Texas, where its own employee population is serving as an important test bed as leadership considers the bigger picture of changing the behavior of its entire patient population.
"Digital health and wellness initiatives build on a history of previous wellness initiatives," says Marc L. Boom, MD, president and CEO of the system, which has 18,000 employees. "It goes way back through our DNA. Back in the '90s, we had a restaurant that focused on healthy food, and Dr. Michael Debakey, our retired chairman of surgery, had a whole cookbook on healthy living along with Dr. Antonio Gotto. We're always looking for interesting things to do to have fun with them, to help promote health and wellness.
"We're also an employer who pays for insurance, and we see the benefits to having a healthy workforce, and, of course, as a hospital system, we feel a responsibility to model great behaviors for our patients."
In 2014, Houston Methodist started offering Fitbit digital activity trackers to its employees "at a significant discount," Boom says. "We had employees enrolled in Fitbit challenges trying to beat their local CEOs at each of our hospitals and/or me, which, I've got to tell you, keeps you honest real quickly in terms of your own walking habits."
Houston Methodist employees can also qualify for lower health insurance premiums by being active and using the Fitbit to demonstrate that, Boom says.
Of course, wellness programs themselves are not a new idea, but driving them with digitally powered data is. "The digital element is really quite spectacular, because it almost introduced gaming into it, even though it's not true gaming, but there was a competitive effort and ethic to it," Boom says. "The device doesn't lie, but also it's kind of there in the background, and it's this reminder and this tool throughout the day."
Houston Methodist has 29,000 members on its medical plan; employees are about 15,000 and spouses covered are 3,200. With more than 15,000 Fitbits purchased so far by employees and their spouses?who were also eligible for the discount, even if the spouse was not covered on the employee's plan?participating Houston Methodist employees are averaging more than 9,000 steps per day, Boom says. That number of steps is generally considered appropriate for healthy adults.
"We want to have incentives in place, so if I'm identified as an employee who might have some higher health risk, we have structures in place that plug them into their physicians and plug them into wellness coaches and others who will help them through that journey," Boom says.
"We also have the opportunity through Fitbit to demonstrate employee activity as one of the ways to demonstrate that you're working on those health issues. I can't specifically link it to clinical outcomes because it's part of a broader picture, but I can tell you where we have been focusing on this, we are significantly reducing [the number of] people who would be found to be at high risk because they've got uncontrolled hypertension, uncontrolled diabetes, those kinds of things, and it's part of that overall program."
As CEO, Boom says he spends "99% of my time running our institution. I still see a few patients, and I'm passionate about wellness. So this has been a program that I have been quite involved in and quite passionate about."
As to the larger population health mission facing Houston Methodist, Boom notes that "the city of Houston, for a variety of reasons, has not moved as quickly toward the full-fledged population management from a payment mechanism. We've decided to take a little different approach. Of course money is important, but for us, it's about the quality of care and the safety of care that's provided to our patients."
Starting with 325 employees at rising or high risk for conditions such as diabetes, hypertension, high cholesterol, and smoking status, Houston Methodist has been "able to significantly move their metrics, and in 2016 we're expanding it to our entire organization and expect that we'll have over 2,000 people in a high-risk or at-risk metric engaged within our institution," Boom says. "Those folks are going to be going through this intensive management process and trying to help their health, and if we can do with that group what we've done with the smaller group, it will be quite compelling."
As for what ultimate success looks like, he says "the benefit of being a self-insured employer and being an employer who has engagement of its employees and cares about their health and happiness is that we don't have to put in programs that show a dramatic financial effect in three months, and that's been one of the challenges we have over time with sort of the traditional insurance model.
"If we do the right thing, that's going to keep that employee healthy. It's going to keep them happy, and it's going to cost them and us less money over time. So we're playing that long game. It's harder to measure that specific ROI in the short term," he says.
But Boom does point to measures that indicate engagement. "Since 2011, each year we have had over 80% completion in employees qualifying for our Healthy Directions incentives." To qualify, employees and covered spouses had to complete a biometric screening and health assessment, and test nicotine-free. "As we rolled out enhanced incentives in 2015 that required employees to actively engage in a wellness program either fitness, on site, or telephonic, we saw 71% completion."
Linking to the Patient Portal
When combined with other aspects of wellness such as in-person health coaching, activity tracking is making substantial headway against risk factors for some chronic conditions.
At Indiana University Health, during a three-year study concluded in 2014, from an original cohort of 4,210 drawn from a total employee population of 30,000, 66% of those identified at-risk employee participants experienced some decrease in their body mass index, and 69% of participants decreased their hemoglobin A1C, says Marci Cooper, RD, MPH, manager of employee wellness at Indianapolis-based IU Health, which staffs approximately 6,000 hospital beds and operates in more than 190 locations.
"We also have a wellness portal online, sort of a one-stop shop for everything wellness. It tracks incentive points," Cooper says. "Fitbit is linked onto our portal, so if you are just walking with your Fitbit, it automatically syncs and you can get up to a point a day, up to 50 points, for just being active and using your Fitbit without having to go in and enter those. All of these different activities earn you points, and then they're paid out the next year as a premium reduction."
Sheriee Ladd, senior vice president of human resources at IU Health, explains that the wellness effort was prompted by a review of the employees' healthcare costs and utilization expenses. "We noted that our weight, obesity, our BMI, was a huge concern. We noted that smoking was still occurring with some of our caregivers. We used the data to create a multiyear strategy of how we would focus on wellness and well-being strategy.
"This was a very difficult conversation to have, because people don't want to talk about their weight. They didn't want to hear the HR lady saying, 'We're going to begin to measure things that matter and that are going to decrease comorbidities,' and they were worried," Ladd says. "But at no time in my 40-year career have I received more notes, more calls, and more testimonials and thank-yous from the workforce as I have since we started this wellness and well-being strategy."
The wellness portal also offers employees interactive online workshops in managing stress at work, as well as financial wellness, Cooper says. Employees can also schedule health screenings through the portal and track strength training and consumption of fruits and vegetables.
While data on the effect of 2014 and 2015 employee discounts on Fitbits remains to be derived, anecdotally, Cooper says, there have been individual employee successes. "We have a guy who walked a million steps in one month and he reduced his body weight by 10% and he normalized his cholesterol numbers and also normalized his hemoglobin A1C from a pre-diabetes level to normal, so that's real outcomes."
At the end of two years, Cooper says 8,809 IU Health employees, including their family and friends, have purchased and used the Fitbits, which represents up to one-half of those IU employees covered under its health plan.
IU Health has yet to calculate an ROI for its Healthy Results wellness program. Cooper cites a 2010 Harvard University study of 100 peer-reviewed journal articles, Workplace Wellness Programs Can Generate Savings, which found that a properly designed wellness program can expect to yield an ROI of 3.27:1 on healthcare cost reductions, and another 2.73:1 on employee absence and related costs after about three years.
IU Health is also integrating its wellness program with case management in its population health program, Cooper says. "We're improving data and physician integration within the system, so when you come to a screening, it's automatically in the EMR, and it's ready and waiting when you go see your doctor; so we're avoiding that repetitive cost based on duplicate screening and duplication of services and medical costs," she says.
Ladd notes that the employee wellness efforts will influence the organization's efforts to improve the health of the community. "We also have heavy emphasis in population health at large, beyond our workforce. So the work we're doing with this, I'll call it a seed group, helps inform the broader strategies that our doctors, physician groups, and all of them are utilizing as they're taking care of the patients in their practices."
What Patients Want
Efforts to change patient behavior through technology have their roots in the many ongoing initiatives to boost patient engagement. Leading healthcare CIOs are applying the same kind of consumer-centric focus as has occurred in other industries.
"Consumers want to be in charge of information on all fronts, so they want to be in charge of their health as well," says Sarah Richardson, chief information officer at NCH Healthcare System, a two-campus, 716-licensed-bed system based in Naples, Florida. "Half of our patients go north for the summer. There's research out that shows that [among NCH patients] 99% of people respond to a text versus 20% using email, and over 95% of [them] have smartphones.
"Whether we are increasing people's access a portal to get their medical records, access lab returns, check their blood pressure, monitor any behaviors for our chronic or high-risk patients, we want a text message to activate behavior and encourage them to do something they wouldn't have already done," she says.
To spur this kind of engagement, NCH is partnering with HealthGrid, which makes a customer relationship management system for healthcare providers, Richardson says.
"This is based on our desire to partner with a solution that will increase engagement and usage of the patient portal as a primary method of interaction with a provider and healthcare system," she says. "Our findings have been through site visits, demos, and documented improvements from existing clients. We will baseline our success metrics and share them as part of our value creation from implementing the product."
Richardson, who came to healthcare out of the hotel and hospitality business, says the two industries "aren't that different" and recently hired a chief experience officer from a nationally known healthcare provider.
"I want the experience of using the technology to be a reason that they're stickier or more compliant with their healthcare, because at the end of the day, the more people we can keep out of the hospital—but in our system and doing their wellness prevention, their annual wellness visits, and health maintenance and all of their different preventive services that still keep them in our system—we're actually keeping them healthier and happier and out of an acute setting," Richardson says.
NCH is looking to integrate Cerner HealtheIntent population health management technology to query patients' pharmacies so NCH can know which patients have not refilled their medications, then notify patients to obtain those refills, she says.
"Yes, the first phase is to connect with patients who are at risk for readmission or have chronic disease states that may [make them] a candidate for home monitoring. The maturity of the product will allow us to understand socioeconomic factors that prevent access to medication, and seek opportunities to reach them as well," Richardson says.
Shared Care Plans
A 2013 study estimated that patient nonadherence to medications costs the United States $100 billion to $289 billion annually. To specifically address medication adherence, Geisinger Health System—the Danville, Pennsylvania, system that serves more than 2.6 million residents in central and northeastern Pennsylvania—has forged a multiyear collaboration with pharmaceutical maker Merck to develop IT-driven projects and processes designed to address this particular challenge.
However, Geisinger is also exploring ways to change the patient encounter itself as another strategy to improve not only adherence, but overall shared accountability between physicians and patients.
Thus, the OpenNotes movement that brought more open sharing of notes between physicians and patients is now poised to spawn a shared care plan to live right in the medical record, and act as a prompt to improve patient behavior.
This effort, dubbed OurNotes, is being crowdfunded by The Commonwealth Fund, with development by Beth Israel Deaconess Medical Center, and due to be tested at Geisinger early this year with design participation and implementation from its own patients.
"Patients and their family proxies would prefer to have a situation where they have better control as to what happens only on the outpatient visit side for the time being," says Alistair Erskine, MD, chief clinical informatics officer at Geisinger. OurNotes will extend the Geisinger patient portal to invite patients to document their questions for physicians before their visits. It requires physicians to address these patient questions, and then is not officially completed until the patient reviews the physician's notes and signs off on them, noting any issues or concerns at the end. "It forces the agenda of the patient to be first, and that's the key thing," Erskine says.
Over time, Geisinger's Institute for Advanced Application, with Erskine heading the OurNotes initiative, will evaluate the impact of OurNotes on patient behavior such as medication adherence, but he notes "we're not going to wait until it's perfect and has been fully researched, because we have so many clinics that we can implement this in other places. We want to go faster."
Erskine says he hopes OurNotes at Geisinger can "blaze a trail" for the growing list of healthcare systems around the nation that have adopted OpenNotes. "It will be a very nice natural evolution," he says. "The key part about OurNotes is the patient is setting the agenda for the visit, shared decision-making with the provider, and then the ability to make sure we give control back to the patient in terms of, 'This is a final version, and is there anything that we missed?' "
Experience and Engagement
In addition to its initiative with connected devices, Mount Sinai Health System recognizes that changing patient behavior may mean new ways of practicing medicine and looking to technology advances outside the healthcare industry.
"I've had this discussion with some of our physicians," Gandhi says. "The answer isn't just to make it easy for the doc. The answer is to make the doc realize that it's not just about the doc. It's about the patient or the consumer, because they don't like to think of themselves as patients. In no other industry would anybody say, 'Oh, I want to engage people, but I'm going to do it in the way that's easiest for me.'
"We have a habit in healthcare of making our back-end garbage the patients' front-end problem. We take the EMR and all of its back-end garbage, and put a mediocre interface on it and show it to the consumer," he says, and points to advances in other industries, such as personal finance. "Now Mint.com, that's a consumer-centric experience. American Express did something very similar. That's what a patient portal should feel like in healthcare."
"We're in a little bit of a we-don't-know-what-we-don't-know state as an industry. And it's going to dawn on people really quickly that MACRA is a really big deal," says a co-chair of ONC's Health IT Standards Committee.
With a new year comes new leadership at ONC's Health IT Standards Committee. One of the recently appointed co-chairs of the committee is Arien Malec, vice president for the data platform solution line at RelayHealth. Last week I asked Malec what to expect from the committee in 2016. The transcript below has been lightly edited.
HealthLeaders: We had a lot of rulemaking at the end of last year, we had some spin put on the rulemaking by people like Andy Slavitt in January. So what is the industry thinking about meaningful use itself, and about stage 3 in particular?
Malec: The joking statement that I've done on Twitter is to keep calm and await MACRA-enabling regulation. Meaningful use is indelibly written in the ink of MACRA. It is indelibly written into the MIPS calculation, as 25% of the overall MIPS score.
And use of certified health information technology is required in the APM, the alternative payment methodology track under MACRA, and then for hospitals, critical access hospitals and Medicaid, the reforms that MACRA put in just aren't there.
Meaningful use is alive and well in all of those tracks. What CMS has been very clear about is its desire to streamline measurement, make measurement more outcome-oriented and less process-oriented.
[It's more about] have we taken appropriate care of diabetic patients and less [about] have we counted the clicks for updating the problem list? CMS has announced, in many different forms, its desire to make sure that those measurements are aligned, so that potentially you get dual credit for certain measures.
As well as removing the process-oriented measures to the extent possible from meaningful use, there may be a level of deeming that's appropriate, relative to clinical quality measure outcomes. CMS has some flexibility, even with regard to the critical access and hospital-based measures, and to some extent with Medicaid measures, in terms of aligning those requirements with other CMS programs like ACOs or bundled payment programs and the like.
I would expect a steady progress of aligning meaningful use with those other programs. Organizations that want to continue on a sole meaningful use track might well do that. But I expect most organizations to start shifting toward the alternative payment track, and I'd expect to see CMS be accommodative of that shift by making it easy to check the meaningful use box along with the mainline focus on alternative payment and value-based payment.
Medicaid may require some legislative fixes, because I don't think all the levers are under CMS's control, and Medicaid doesn't have currently the concept of an ACO or those kinds of value-based measures, although there are Medicaid Advantage plans that are more value-oriented.
So there's going to be some room for legislative fixes. There's going to be a lot of room for CMS program alignment, and that's been consistent with what industry in general and what Congress specifically has been asking CMS to do. All of CMS's public statements have been aligned with that. I think Andy Slavitt was trying to say all that, and people caught the first part of the statement of meaningful use as we know it is effectively dead, and they didn't pick up the second part of that statement, which tried to explain where meaningful use is going, aligned with value-based payment and value-based care approaches.
HealthLeaders: So are you saying the penalty phase of meaningful use for physicians is pretty much at an end, but the penalty phase for hospitals continues?
Malec: Correct. CMS is bound by the legislation, and until Congress changes the ink on the law, CMS has no regulatory flexibility to adjust the penalty phase. What CMS does have, or should have regulatory flexibility to do, is to say, you can meet the meaningful use measures in these appropriate ways, and one of those, again, aligned with where Congress has been very explicit in MACRA, could well be participation in a bundled payment program or participation in an ACO.
HealthLeaders: But there are those critics out there, former HIT Standards Committee chair John Halamka being one of them, who basically say we should declare victory on meaningful use, go home, and start the work on MIPS and MACRA and not try to belabor what meaningful use tried to do that apparently it has not always been successful at.
Malec: Yeah, and I think if you peel it back, and peel back the money quotes, you get to a very similar place with what John Halamka and other critics have said, which is, let's stop counting clicks, let's stop with onerous certification requirements that aren't aligned with clinical quality. Let's do certification that actually improves interoperability, and let's do meaningful use measurement that's aligned with more outcomes-based approaches and less process-based approaches.
HealthLeaders: So is that what you're expecting the new notices of proposed rulemaking (NPRMs) to do, is to radically change certification of software?
Malec: I would not expect certification criteria to change off of the 2015 edition of certification criteria. It's important to keep in mind that ONC and CMS knew full well what was going on with MACRA when they published the meaningful use and the certification requirements.
It's possible, and I think likely, that ONC will continue to refine certification requirements to be better aligned with ACO enablement. If you look at the text of the [Senate] HELP committee draft, there's language on population health enablement and standards that are required there.
I would expect the standards committee to get involved in looking at standards readiness and system readiness for value-based care, and there's more work to be done, obviously, in the area of both standards and policy and business practices, to better enable improved care and improved health.
In addition, we've got precision medicine that's going on, and there's going to continue to be work on standards to enable research, precision medicine, and a learning health system, so I would not expect the standards work to slow down. I've generally been in favor of focusing certification on interoperability, and making sure that those certification requirements are actually material in improving interoperability and not about checking boxes.
HealthLeaders: I know there are some improvements in stage 3 along those lines, but do you think the industry is going to be able to handle this uncertainty? Because their job right now is to build certified for stage 3, right?
Malec: Yes. And I think the industry in general, if it's expecting change to slow down, is going to be sadly mistaken. I've talked to a number of CIOs and CMIOs, and I've asked the question, where are you with MACRA readiness? And to a person, they kind of look at me and go, 'huh?'
What I think people aren't realizing right now is that although MACRA payment adjustments start in 2019, CMS usually does measurements two years in advances, [which] starts in 2017.
And we're talking real dollars in MACRA. We're talking real dollars in preparing for, if you go the alternative payment track. We're talking even more real dollars, and a lot of preparation that's required to get there, so I think we're in a lull, [and] in a little bit of a we-don't-know-what-we-don't-know state as an industry. And it's going to dawn on people really quickly that MACRA is a really big deal.
That's going to drive some significant changes, both with regard to how technology is developed, but also with regard to how delivery systems use technology to drive clinical quality improvements.
HealthLeaders: So what's your call to action to those CIOs and CMIOs? What should they be doing today?
Malec: If you look at the way that MACRA is built, it is highly advantageous to participate in an alternative payment methodology. Under MIPS, you've got this kind of micro-adjustment of your payment. It goes up, it goes down, and it's zero-based, so by definition, if you go up, somebody else is going down.
On the APM track, you get a guaranteed 5% year-over-year fee for service increase, plus whatever you make in your value-based bonus under the alternative payment program, so if you're on a two-sided risk model in an ACO, you have the ability to make money by delivering excellent care more efficiently.
It's worth noting that the alternative payment track requires more than the usual financial risk, so those kind of one-sided or pay for performance programs, where you get a bonus, but you don't get a ding, likely wouldn't count.
CMS needs to clarify what alternative payment methodologies mean under MACRA. So if I were a health system, I would be preparing now for participation in meaningful value-based programs, and a lot of the work in preparing now is governance oriented, physician culture oriented, but there's also a lot of work in data acquisition.
I think anybody who's looked at the news regarding ACOs will tell you that interoperability is one of the harder parts of running an ACO, and you need to start the work now in order to complete the work in 2017 or 2018, so that you can ready yourself for 2019 or 2020. This is definitely going to require a lot more of a longer-term thought process than we've seen in healthcare to date. We saw in meaningful use a lot of just-in-time. I got my EHR just in time, and now I'm ready. This is not a just-in-time kind of situation.