
CIOs Want More Responsibility — And It’s About Time They Get It

Posted on January 19, 2015 | Written by Anne Zieger

Anne Zieger is a veteran healthcare editor and analyst with 25 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

The life of a healthcare CIO is a tough one. More than ever before, healthcare CIOs walk a fine line between producing great technical results and thinking strategically about how technology serves clinicians. As with their more junior peers, many healthcare CIOs only get noticed when something breaks or goes offline. Worse, healthcare CIOs may get the blame dumped on them when a big project — especially a mission-critical one like an EMR implementation — fails due to problems beyond their control.

But despite the political battles they must fight, and the punishing demands they must meet, healthcare CIOs are largely satisfied with their career paths — as long as they have a shot at getting more responsibility that can help them move their organization’s strategy forward. This, at least, is the conclusion of a new survey by SSi-SEARCH.

SSi-SEARCH surveyed 169 CIOs to learn how they felt about key aspects of their job, according to iHealthBeat.  All told, the researchers found that CIOs are most satisfied with the trajectory of their career, compensation and strategic involvement. (This is a significant change from a couple of years ago, when CIOs told SSi-SEARCH that their pay wasn’t keeping up with the growth in their responsibilities.)

On the other hand, healthcare CIOs were markedly dissatisfied with the resources available to them, and almost half (48%) said that there will need to be changes within the next year. That’s certainly no surprise. As we’ve noted in this space before, not only do healthcare CIOs need to implement or further augment EMRs and handle the switch from ICD-9 to ICD-10, many need to make costly upgrades to or replace their revenue cycle management systems.

Even if their institution can’t increase their budget, healthcare CIOs would be somewhat mollified if they got some respect for some of the softer skills they bring to the table.

Forty-five percent of those surveyed said they wanted recognition for improving patient safety, 44 percent said they wanted to be recognized for innovation, and 37 percent wanted CEOs to appreciate their skill at “bringing departments together,”  SSi-SEARCH found.

Not surprisingly, they want to be appreciated for their overall contributions to their institutions as well. While 69 percent of CIOs felt that their work was “critically important” to the strategic mission of their organization, and 29 percent felt they had been “very important,” some of their employers don’t seem to see it. In fact, 23 percent of those CIOs surveyed felt that they hadn’t been recognized at all.

Sadly, though the healthcare CIO’s job has evolved far from bits and bytes to projects and strategies that directly impact outcomes, not every institution is ready to give them credit. But if they have CIOs pigeonholed as tech wizards, they’d better change their tune.

Giving CIOs the latitude, responsibility and budget they need to do a great job is enormously important. If healthcare organizations don’t, they’ll never meet the demands they currently face, much less emerging problems like population health management, big data and mobile health. This is a make-or-break moment in the dance between healthcare organizations and IT, and it’s not a good time for a misstep.

Hospitals Put Off RCM Upgrades Due To #ICD10, #MU Focus

Posted on December 29, 2014 | Written by Anne Zieger

If you look closely at the financial news coming out of the hospital business lately, you’ll hear the anguished screams of revenue cycle managers whose infrastructure just isn’t up to the task of coping with collections in today’s world. Though members of the RCM department — and outside pundits — have done their best to draw attention to this issue, signs suggest that getting better systems put in has been a surprisingly tough sell. This is true despite a fair amount of evidence from recent hospital financial disasters that focusing on an EMR at the expense of revenue cycle management can be quite destructive.

And a new study underscores the point. According to a recent Black Book survey of chief financial officers, revenue cycle upgrades at U.S. hospitals have taken a backseat to meeting the looming October 2015 ICD-10 deadline, as well as capturing Meaningful Use incentives. Meanwhile, progress on upgrades to revenue cycle management platforms has been agonizingly slow.

According to the Black Book survey, two-thirds of hospitals contacted by researchers in 2012 said that they planned to replace their existing revenue cycle management platform with a comprehensive solution. But when contacted this year, two-thirds of those hospitals still hadn’t done the upgrade. (One is forced to wonder whether these hospitals were foolish enough to think the upgrade wasn’t important, or simply too overextended to stick with their plans.)

Sadly, despite the risks associated with ignoring the RCM upgrade issue, a lot of small hospitals seem determined to do so. Fifty-one percent of under 250 bed hospitals are planning to delay RCM system improvements until after the ICD-10 deadline passes in 2015, Black Book found.

The CFOs surveyed by Black Book feel they’re running out of time to make RCM upgrades. In fact, 83% of the CFOs from hospitals with less than 250 beds expect their RCM platforms to become obsolete within two years if not replaced or upgraded, as they’re rightfully convinced that most payers will move to value-based reimbursement. And 95% of those worried about obsolescence said that failing to upgrade or replace the platform might cost them their jobs, reports Healthcare Finance News.

Unfortunately for both the hospitals and the CFOs, firing the messenger won’t solve the problem. By the time laggard hospitals make their RCM upgrades, they’re going to have a hard time catching up with the industry.

If they wait that long, it seems unlikely that these hospitals will have time to choose, test and implement RCM platform upgrades, much less implement new systems, much before early 2017, and even that may be an aggressive prediction. They risk going into a downward spiral in which they can’t afford to buy the RCM platform they really need because, well, the current RCM platform stinks. Not only that, the ones that are still engaged in mega dollar EMR implementations may not be able to afford to support those either.

Admittedly, it’s not as though hospitals can blithely ignore ICD-10 or Meaningful Use. But letting the revenue cycle management infrastructure go for so long seems like a recipe for disaster.

Another Health System’s Finances Weighed Down By Epic Investment

Posted on December 26, 2014 | Written by Anne Zieger

While Memphis-based Baptist Memorial Health Care Corp. may intend to be “the high-quality and low-cost provider” in its region, spending $200 million on an EMR purchase has got to make that a bit more, shall we say, challenging.

While health systems nationwide are struggling with issues not of their own making, such as some states’ decision not to expand Medicaid, it appears that Baptist Memorial’s financial troubles have at least some relationship to the size of its 2012 investment in an Epic EMR platform.

Baptist, which let 112 workers go in September, has seen Standard & Poor’s lower its long-term rating on the health system’s bond debt twice since mid-2013.  Through June, the system’s losses totaled $124 million, according to S&P.

Baptist employs 15,000 workers at 14 hospitals located across the mid-south of the US, so the staffing cuts clearly don’t constitute a mass layoff. What’s more, the layoffs are concentrated in corporate services, Baptist reports, suggesting that the chain is being careful not to gut its clinical services infrastructure. In other words, I’m not suggesting that Baptist is completely falling apart, Epic investment or no.

But the health system’s financial health has deteriorated significantly over the past few years. After all, back in 2009, S&P gave Baptist Memorial a long-term ‘AA’ rating, based on its strong liquidity and low debt levels; history of positive excess income and good cash flow; and solid and stable market share in its total service area, with favorable growth in metropolitan Memphis.

However, at this point Baptist is clearly struggling, so much so that it is taking the extraordinary step of cutting the salaries of top executives in the system by 22% to 23%. That includes cutting the salary of health system CEO Jason Little. But this is clearly a symbolic gesture, as executive pay cuts can’t dent multimillion dollar operating revenue shortfalls.

So what will help Baptist improve its financial health? In public statements,  Baptist CEO Little has said that the hospitals’ length of stay has been excessive for the compensation that they get from payers, and that fixing this is his key focus. This problem, of course, is only likely to get worse as value-based reimbursement becomes the rule, so that strategy seems to make sense.

But Baptist is also going to have to live with its IT spending decisions, and it seems obvious that they’ve had long-term repercussions. I don’t think any outsider can say whether Baptist should have bought the Epic system, or how much it should have spent, but the investment has clearly been a strain.

A Turning Point? Wearables Could Save 1.3M Lives by 2020

Posted on December 22, 2014 | Written by Anne Zieger

For years, wearable health bands have been expensive toys useful almost exclusively to fit people who wanted to get fitter. On their own, wearables may be chic, sophisticated and even produce medically relevant information for the user, but they haven’t been integrated into practical care strategies for other populations.

And with good reason. For one thing, doctors don’t need to know whether an otherwise-healthy patient took 10,000 steps during a run, what their heart rate was on Thursdays in June or even what their pulse ox reading was if they’re not wheezy asthmatics. Just as importantly, today’s EMRs don’t allow for importing and analyzing this data even if it is important for that particular patient.

But as the banners at last week’s mHealth Summit pointed out, we’re headed for the era of the mHealth ecosystem, a world where all the various pieces needed to make patient-generated data relevant are in place. That means good things for the future health of all patients, not just fitness nuts. In fact, a Swiss analyst firm is predicting that smart wearable devices will save 1.3 million lives by 2020, largely through reductions in mortality due to in-hospital use of such devices, according to mobihealthnews.

New research from Switzerland-based Soreon Research projects that using smart wearables, connected directly with smart devices, for in-hospital monitoring will probably save about 700,000 of the 1.3 million lives it expects to see preserved by 2020. Even better, wearables can then take the monitoring outside the hospital. “New wearable technology can easily extend monitoring functions beyond the intensive care unit and alert medical professionals to any follow on medical problems a patient may develop,” according to Soreon Research Director Pascal Koenig.

Not surprisingly, given their focus on monitoring aerobic activities, Soreon projects that wearables can be particularly helpful in avoiding cardiovascular disease and obesity. The firm believes that monitoring patients with wearables could prevent 230,000 deaths due to cardiovascular diseases, and reduce obesity related deaths by 150,000.

And that’s just a taste of how omnipresent wearables use may be within a few years. In fact, Soreon believes that patients with chronic conditions will help push up the smart wearables market from $2 billion today to $41 billion, or more than 1000% growth. That’s a pretty staggering growth rate regardless of how you look at it, but particularly given that at the moment, clinical use of smart wearables is largely in the pilot stage.

What few if any pundits are discussing — notably, as I see it — is what software tools hospitals will use to crunch this flood of data that will wash in on top of the astonishing volume of data EMRs are already producing.

True, at the mHealth Summit there were vendors pitching dashboards for just this purpose, who argued that their tools would allow healthcare organizations to manage populations via wearable. And of course tools like Apple HealthKit and Microsoft Health hope to serve as middlemen who can get the job done.

These solutions will definitely offer some value to providers. Still, I’d argue that wearables will not make a huge impact on clinical outcomes until the day what they produce can be managed efficiently within the EMR environment a provider uses, and I don’t see players like Epic and Cerner making big moves in this direction. When the mHealth ecosystem comes together it’s likely to produce everything analysts predict and more, but bringing things together may take much longer than they expect.

Here’s What Makes Henry Ford Health System’s Employee Innovation Program Tick

Posted on November 25, 2014 | Written by Anne Zieger

Hospitals are increasingly launching efforts designed to leverage new technologies, be they working with healthcare accelerators, taking advantage of employee ideas or setting up onsite centers designed to support a culture of innovation. One institution which has gotten a little further down the road than many of its peers is Henry Ford Health System, whose innovations program has paid off handsomely, generating countless smart, useful inventions from its employees.

So serious is the health system about exploiting its employees’ great ideas that it’s made organized efforts to reward such thinking directly. For example, HFHS just completed a competition among employees to submit their best ideas in clinical applications for wearable technology. The institution not only encouraged employees to participate, but sweetened the pot by offering a total of $10,000 in prizes to winners of the contest.

Winning entries included:

*  A system designed to record and encourage mobility of acute care patients by using wearable activity trackers
*  A recovery tool for total hip replacement patients which monitors and limits range of motion to rehab by using wearable sensors
*  A health and wellness reminder system for elderly patients, leveraging location-based sensors and smart watches
*  A mobile game interface, powered by activity trackers, designed to encourage childhood exercise and fight obesity

Certainly, the employees must appreciate the cash prizes, but they told a Forbes reporter that they’d participate even if there were no prizes, because what they really enjoy is having the experience and access to the program. That’s a pretty telling indicator that simply appreciating their concepts goes a long way.

This contest comes as part of larger efforts to make the health system innovation friendly. “The most important word is yes,” said Nancy Schlichting, the system’s CEO in a Forbes interview. “It is difficult to create a culture of innovation. If you shut down one person to shut down everyone, because bad news travels fast. When it comes to innovation, my mantra is yes.”

Other efforts to encourage employee intrapreneurship include big rewards for success in product development. The HFHS intellectual property policy offers a 50% share of future revenues coming from product ideas that end up in the market. That’s a pretty impressive call to action for employees who might have a great idea in their hip pocket.

Yet a third way the health system encourages innovation is to bypass employees’ natural fear of failure by tapping into their desire to help people. By encouraging clinicians to focus on patient care improvements, for example, the system drew staff cardiologist Dr. Dee Dee Wang to create a breakthrough method for more accurately sizing artificial heart valves and planning trans-catheter surgeries using 3-D printed models from CT scans. (She worked with Dr. William O’Neill in this work.)

So if they can generate great innovations, why aren’t more health systems and hospitals launching programs like these?

I don’t think the direct cost of creating such a program is much of an obstacle, especially for a multi-hospital system. It may require hiring a senior exec to spearhead the effort, but that’s not a huge investment for entities that size.

My guess is that one reason they don’t move ahead is management bandwidth — that health leaders simply don’t feel they have the time, energy and focus to kick off such a program at the moment. But I also suspect that C-suite execs just haven’t given much thought to the untapped potential their employees have for creating incredible solutions to critical health care problems. Sadly, I suspect it’s more the latter than the former.

CFO Pleads Guilty To Meaningful Use Fraud

Posted on November 24, 2014 | Written by Anne Zieger

It had to happen eventually — the money is just too good. The former chief financial officer of a now-closed Texas hospital has pleaded guilty to charges that he defrauded the meaningful use program, in what may be the first prosecution of its kind.

According to Healthcare IT News, the former CFO of Shelby Regional Medical Center in Center, TX, has been indicted on charges that he falsely attested that Shelby Regional met meaningful use requirements for fiscal year 2012. The alleged fraud garnered the medical center $783,655 in payments, according to the indictment.

It’s not that hospitals haven’t wrongly claimed large amounts of meaningful use cash before. In fact, Florida-based Health Management Associates seems to have wrongfully claimed $31 million in meaningful use payments last year prior to its acquisition by Community Health Systems, with 11 of 71 HMA hospitals failing to meet meaningful use criteria.

But it does seem to be unusual, if not unprecedented, for CMS to catch providers in the act of willfully falsifying meaningful use attestations. Either the self-attestation honor system is working or CMS  is failing to catch a great deal of monkey business.

In Shelby Regional’s case, the hospital relied on paper records throughout fiscal year 2012 and only minimally used an EMR, according to the feds. To make sure the facility still captured its meaningful use payout, CFO Joe White instructed the software vendor and employees of the hospital to input data from paper records into the EMR, sometimes months after patients were discharged and after the fiscal year. (If convicted, White faces five years in prison).

What makes the purported fraud at Shelby Regional seem all the more egregious is that it was apparently part of a much larger scheme. Tariq Mahmood, MD, who owned Shelby Regional and five other Texas hospitals, is also being investigated by federal prosecutors for alleged healthcare fraud. The six hospitals owned by Mahmood collected a total of $16.8 million in meaningful use incentives for fiscal 2011 and 2012.

The truth is, there’s probably a lot more fraud going on in the meaningful use program that hasn’t been caught. After all, a report by the Office of the Inspector General for HHS issued early this year concluded that CMS fraud auditors such as the Recovery Audit Contractors weren’t doing a great job of reviewing EMR records, failing to take basic steps such as reviewing EMR audit logs to verify that medical records support a claim. It’s little wonder they haven’t caught more providers deliberately gaming the meaningful use system.

Hospitals can do more to avoid accidental problems with meaningful use claims, too. Observers have noted that few hospitals have sufficient safeguards in place to catch attestation problems before they happen.

ACOs Stuck In Limbo In Trying To Build HIT Infrastructure

Posted on September 26, 2014 | Written by Anne Zieger

Though they try to present themselves differently, ACOs are paper tigers. While they may be bound together by the toughest contracts an army of lawyers can devise, they really aren’t integrated in a meaningful way.

After all, the hospitals and medical groups that make up the ACO still have their own leadership, they don’t generally hold assets in common other than funds to support the ACO’s operations, and they’re definitely not in a great position to integrate technically.

So it comes as no surprise that a recent study has found that ACOs are having a hard time with interoperability and rolling out advanced health IT functions.

The study, a joint effort by Premier and the eHealth Initiative, surveyed 62 ACOs. It found that 86% had an EMR, 74% had a disease registry, 58% had a clinical decision support system, and 28% had the ability to build a master patient index.

Adding advanced IT functions is prohibitively difficult for many, researchers said. Of the group, 100% said accessing external data was difficult, 95% said it was too costly, 95% cite the lack of interoperability, 90% cite the lack of funding or return on investment and 88% said integration between various EMRs and other sources of data was a barrier to interoperability.

So what you’ve got here is groups of providers who are expected to deliver efficient, coordinated care or risk financial penalties, but don’t have the ability to track patients moving from provider to provider effectively. This is a recipe for disaster for ACOs, which are having trouble controlling risk even without the added problem of out of synch health IT systems.

By the way, if ACOs hope to make things easier by merging with some of their partners, that may not work either. The FTC — the government’s antitrust watchdog — has begun to take a hard look at many hospital and physician mergers. While hospitals say that they are acquiring their peers to meet care coordination goals, the FTC isn’t buying it, arguing that doctors and hospitals can generally achieve the benefits of coordinated care without a full merger.

This leaves ACOs in a very difficult position. If they risk the FTC’s ire by merging with other providers, but can’t achieve interoperability as separate entities, how are they going to meet the goals they are required to meet by health insurers? (I think there’s little doubt, at this point, that truly successful ACOs will have to find a way to integrate health IT systems smoothly.)  It’s an ugly situation that’s only likely to get uglier.

EMR Change Cuts Cardiac Telemetry Use Substantially

Posted on September 25, 2014 | Written by Anne Zieger

Changing styles of medical practice can be really tough, even if a major trade organization sticks its oar in to encourage new behavior from docs.

Such is the situation with cardiac telemetry, which is listed by the American Board of Internal Medicine Foundation as either unnecessary or overused in most cases. But a recent piece of research demonstrated that configuring an EMR to help doctors comply with the guideline can help hospitals lower needless cardiac monitoring substantially.

Often, it takes a very long time to get doctors to embrace new guidelines like these, despite pressure from payers, employers and even peers. (Physicians may turn on a dime and try out a new drug when the right pharmaceutical rep shows up, but that’s another story.) Doctors say they stick to their habits because of patient, institutional or personal preferences, as well as fear of lawsuits.

But according to a recent study appearing in JAMA Internal Medicine, reprogramming its Centricity EMR did the trick for Wilmington, Del.-based Christiana Care Health System.

To curb the use of cardiac telemetry that was unnecessary, Christiana Care removed the standard option for doctors to order cardiac monitoring outside of AHA guidelines, and required them to take an extra step to order this type of test.

Meanwhile, when the cardiac monitoring order did fall within AHA guidelines, Christiana Care added an AHA-recommended time frame for the monitoring. After that time passed, the EMR notified nurses to stop the monitoring or ask physicians if they believed it would be unsafe to stop.

The results were striking. After implementing the changes in the EMR, the health system’s average daily number of non-intensive care unit patients with cardiac monitoring fell by 70%. What’s more, Christiana Care’s average daily cost of administering non-ICU cardiac monitoring fell by 70%, from $18,971 to $5,772.

Christiana Care’s health IT presence is already well ahead of many hospitals — it’s reached Stage 6 of the HIMSS EMRAM scale — so it’s not surprising to see it leading the way in shaping physician behavior.

The question now is how the system builds on what it’s learned. Having survived a politically-sensitive transition without creating a revolution in its ranks, I’d argue the time is now to jump in and work on compliance with other clinical guidelines. With pressure mounting to deliver efficient care, it’d be smart to keep the ball rolling.

Epic Hires DC Lobbying Firm To Fight Closed-System Reputation

Posted on September 15, 2014 | Written by Anne Zieger

For quite some time, everybody’s favorite EMR giant has had a “no marketing, no government relations” policy. (In fact, Epic staffers really seem to hate journalists, but maybe they just don’t like me — who knows?)

Anyway, a few weeks ago, reports the ever-watchful HISTalk, it came out that Epic has broken its rule, hiring on DC lobbying firm Card & Associates. While you might think Epic would hire a billion-dollar behemoth, Card is a smallish firm with seven modest accounts and only one healthcare client. It must help, however, that Card is run by the brother of the former White House Chief of Staff under Pres. George W. Bush.

So what made Epic change its standard operating procedure and begin lobbying The Hill? In its federal lobbying disclosure, the EMR firm says that it’s begun lobbying to “educate members of Congress on the interoperability of Epic’s healthcare information technology.”

The timing of the outreach effort isn’t a coincidence, Modern Healthcare astutely notes. As you read this, a team made up of Epic, IBM and a handful of other technology giants are fighting other equally ferocious IT firms to win the roughly $11 billion contract to update the Department of Defense’s clinical systems.

While none of its contract competitors have a strong reputation for interoperability, Epic is seen as much worse, with a RAND Corp. study released in July calling Epic’s systems “closed records.” That had to hurt.

Unless Epic plans to hold health IT classes for Congress over the next several years, I doubt they’ll be able to make their point with largely Luddite Senators and Representatives in Washington on a technical basis. That is, Epic’s lobbyists won’t be able to convince legislators that Epic is interoperable on the merits.

But lobbyists may very well be able to break the ice on The Hill, and sell the idea that those mean, bad old health IT competitors haven’t been telling the truth about Epic. The pitch can include the somewhat matronly CEO, Judith Faulkner, who doesn’t look like the most powerful woman in healthcare or a competitor that would gladly bite your head off and spit it down your neck. Then they can roll out Epic’s pitch that its systems actually are interoperable (between other Epic installs at least). If it sticks even a little bit, whatever the $1.7 billion company spent will have been worth it.

Frankly, I find the idea of portraying Epic as an underdog in any way as downright laughable, and I bet you do too. But I simply can’t imagine another pitch that would work.

Large Health Facilities Have Major Patient Data Security Issues

Posted on July 2, 2014 | Written by Anne Zieger

Many healthcare organizations have security holes that leave not only their systems, but their equipment susceptible to cyberattacks, according to two recent studies.

The researchers included Scott Erven, head of information security for multi-state hospital and clinic chain Essentia Health, and Shawn Merdinger, an independent consultant. According to iHealthBeat, the two presented their findings last week at the Shakacon conference.

Erven and his colleagues conducted a two-year study addressing the security of Essentia’s medical equipment. As part of their study they found that hackers could manipulate dosages of drugs provided by drug infusion pumps, deliver random defibrillator shocks to patients or prevent medically needed shocks from taking place, and change the temperature settings in refrigerators holding blood and drugs.

The research team also looked for exposed equipment within other healthcare organizations, and the results were appalling. Within only 30 minutes, iHealthBeat notes, they found one healthcare organization which had 68,000 devices that exposed data. Across all of the health systems they studied, they found 488 exposed cardiology systems, 323 PACS systems, 32 pacemaker systems, 21 anesthesiology systems and several telemetry systems used to monitor elderly patients and prevent infant abductions.

Both Erven and Merdinger found that the organizations were leaking data because an Internet-connected computer had not been configured securely. Typically, data leaks occurred because sys admins had allowed Server Message Block (a protocol used to help admins find and communicate with computers internally) to broadcast information, turning private data into publicly accessible data.
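For teams that want to check their own perimeter for this kind of misconfiguration, here is an added example (not from the researchers or from this site) that audits a firewall rule export for allow rules letting non-internal sources reach SMB or NetBIOS ports. The CSV rule format, the first-match-wins ordering and the sample rules are assumptions made for illustration; the check is IPv4 only.

```python
import ipaddress
from dataclasses import dataclass

# Ports used by SMB and the NetBIOS services it has historically relied on.
SMB_PORTS = {"tcp": (139, 445), "udp": (137, 138)}

# Address space treated as "internal" (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample export (hypothetical format, not a real device's):
# action, protocol, source, destination, destination port(s)
SAMPLE_RULES = """\
deny,tcp,0.0.0.0/0,10.20.0.0/16,445
allow,tcp,0.0.0.0/0,10.20.5.10,445
allow,tcp,10.0.0.0/8,10.30.0.0/16,445
allow,any,0.0.0.0/0,10.30.7.21,1-1024
allow,udp,203.0.113.0/24,10.40.1.5,137-138
allow,tcp,0.0.0.0/0,10.40.1.6,443
"""


@dataclass
class Rule:
    line: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    lo: int
    hi: int


def parse_rules(text):
    """Parse the assumed CSV export into Rule objects, keeping rule order."""
    rules = []
    for n, raw in enumerate(text.splitlines(), start=1):
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        action, proto, src, dst, ports = [f.strip().lower() for f in raw.split(",")]
        if ports == "any":
            lo, hi = 1, 65535
        else:
            first, _, last = ports.partition("-")
            lo, hi = int(first), int(last or first)
        rules.append(Rule(n, action, proto,
                          ipaddress.ip_network(src, strict=False),
                          ipaddress.ip_network(dst, strict=False), lo, hi))
    return rules


def covers(rule, proto, port):
    """True if the rule applies to this protocol and destination port."""
    return rule.proto in (proto, "any") and rule.lo <= port <= rule.hi


def is_external(net):
    """A source counts as external unless it lies wholly inside internal space."""
    return not any(net.subnet_of(i) for i in INTERNAL_NETS)


def find_smb_exposure(text):
    """Return (line, destination, proto, port) for each exposed SMB/NetBIOS port.

    An allow rule is skipped when an earlier deny rule fully covers the same
    source, destination, protocol and port (first match wins).
    """
    rules = parse_rules(text)
    findings = []
    for i, rule in enumerate(rules):
        if rule.action != "allow" or not is_external(rule.src):
            continue
        for proto, ports in SMB_PORTS.items():
            for port in ports:
                if not covers(rule, proto, port):
                    continue
                shadowed = any(
                    d.action == "deny" and covers(d, proto, port)
                    and rule.src.subnet_of(d.src) and rule.dst.subnet_of(d.dst)
                    for d in rules[:i])
                if not shadowed:
                    findings.append((rule.line, str(rule.dst), proto, port))
    return findings


if __name__ == "__main__":
    for line, dst, proto, port in find_smb_exposure(SAMPLE_RULES):
        print(f"rule {line}: {proto}/{port} on {dst} reachable from outside")
```

In the sample, the broad "any protocol, ports 1-1024" rule is what exposes SMB, even though no rule names port 445 for that host.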

According to Erven, these issues are “global” and impact thousands of healthcare organizations. He suggests that too often, healthcare organizations focus on HIPAA compliance and don’t put enough effort into penetration testing and vulnerability protection.

This should come as no surprise. After all, Proficio’s Takeshi Suganuma notes, HIPAA was developed to protect PHI for a wide range of organizations, and as he puts it, “one size seldom fits all.”  While HIPAA compliance is important, collection, analysis and monitoring of security events are also critical activities for medium- to large-sized organizations, Suganuma suggests.

He also warns that healthcare organizations should be aware that cyberattackers are exploiting not only traditional network vulnerabilities, but also vulnerabilities in printers and medical devices. Networked medical devices are a particularly significant issue, since provider IT teams can’t upgrade the underlying operating system embedded in these devices — and too many of the devices are using older versions of Windows and Linux with known security holes.

The key point Suganuma, Erven and Merdinger are making is that while HIPAA compliance is good, healthcare organizations must pay greater attention to new attack vectors, or they face high odds of security compromise.  Seems like there’s a lot of work (and investment) afoot.