Large Health Facilities Have Major Patient Data Security Issues

Many healthcare organizations have security holes that leave not only their systems, but their equipment susceptible to cyberattacks, according to two recent studies.

The researchers included Scott Erven, head of information security for multi-state hospital and clinic chain Essentia Health, and Shawn Merdinger, an independent consultant. According to iHealthBeat, the two presented their findings last week at the Shakacon conference.

Erven and his colleagues conducted a two-year study addressing the security of Essentia’s medical equipment. As part of their study they found that hackers could manipulate dosages of drugs provided by drug infusion pumps, deliver random defibrillator shocks to patients or prevent medically needed shocks from taking place, and change the temperature settings in refrigerators holding blood and drugs.

The research team also looked for exposed equipment within other healthcare organizations, and the results were appalling. Within only 30 minutes, iHealthBeat notes, they found one healthcare organization which had 68,000 devices that exposed data. Across all of the health systems they studied, they found 488 exposed cardiology systems, 323 PACS systems, 32 pacemaker systems, 21 anesthesiology systems and several telemetry systems used to monitor elderly patients and prevent infant abductions.

Both Erven and Merdinger found that the organizations were leaking data because an Internet-connected computer had not been configured securely. Typically, data leaks occurred because sysadmins had enabled Server Message Block, a protocol used to help admins find and communicate with computers internally, and allowed it to broadcast information, turning private data into publicly accessible data.

According to Erven, these issues are “global” and impact thousands of healthcare organizations. He suggests that too often, healthcare organizations focus on HIPAA compliance and don’t put enough effort into penetration testing and vulnerability protection.

This should come as no surprise. After all, Proficio’s Takeshi Suganuma notes, HIPAA was developed to protect PHI for a wide range of organizations, and as he puts it, “one size seldom fits all.”  While HIPAA compliance is important, collection, analysis and monitoring of security events are also critical activities for medium- to large-sized organizations, Suganuma suggests.

He also warns that healthcare organizations should be aware that cyberattackers are exploiting not only traditional network vulnerabilities, but also vulnerabilities in printers and medical devices. Networked medical devices are a particularly significant issue, since provider IT teams can’t upgrade the underlying operating system embedded in these devices — and too many of the devices are using older versions of Windows and Linux with known security holes.

The key point Suganuma, Erven and Merdinger are making is that while HIPAA compliance is good, healthcare organizations must pay greater attention to new attack vectors, or they face high odds of security compromise.  Seems like there’s a lot of work (and investment) afoot.

July 2, 2014 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies.

UPMC Kicks Off Mobility Program

If you’re going to look at how physicians use health IT in hospitals, it doesn’t hurt to go to doctors at the University of Pittsburgh Medical Center, a $10 billion colossus with a history of HIT innovation. UPMC spans 21 hospitals and employs more than 3,500 physicians, and it’s smack in the middle of a mobile rollout.

Recently, Intel Health & Life Sciences blogger Ben Wilson reached out to three UPMC doctors responsible for substantial health IT work, including Dr. Rasu Shrestha, Vice President of Medical Information for all of UPMC, Dr. Oscar Marroquin, a cardiologist responsible for clinical analytics and new care model initiatives, and Dr. Shivdev Rao, an academic cardiologist.

We don’t have space to recap all of the stuff Wilson captured in his interview, but here are a few ideas worth taking away from the doctors’ responses:

Healthcare organizations are “data rich and information poor”: UPMC, for its part, has 5.4 petabytes of data on hand, and that store of data is doubling every 18 months. According to Dr. Shrestha, hospitals must find ways to find patterns and condense data in a useful, intelligent, actionable manner, such as figuring out whether there are specific times you must alert clinicians, and determining whether there are specific sensors tracking to specific types of metrics that are important from a HIM perspective.

Mobility has had a positive impact on patient care: These doctors are enthusiastic about the benefits of mobility. Dr. Marroquin notes that mobile devices not only put patient care information at his fingertips and allow for intelligent solutions, they also allow him to share information with patients, making it easier to explain why he’s doing a given test or treatment.

BYOD can work if sensitive information is protected:  UPMC has been supporting varied mobile devices that physicians bring into its facilities, but has struggled with security and access. Dr. Shrestha notes that he and his colleagues have been very careful to evaluate all of the devices and different operating systems, making sure data doesn’t reside on a mobile device without some form of security.

On the self-promotion front, Wilson asks the doctors about a pilot project (an Intel and Microsoft effort dubbed Convergence) in which clinicians use Surface tablets powered by Windows 8. Given that this is an Intel blog, you won’t be surprised to read that Dr. Shrestha is quite happy with the Surface tablet, particularly the form factor which allows doctors to flip the screen over and actually show patients trends.

Regardless, it’s interesting to hear from doctors who are gradually changing how they practice due to mobile tech. Clearly, UPMC has solved neither its big data problems nor phone/tablet security issues completely, but it seems that its management is deeply engaged in addressing these issues.

Meanwhile, it will be interesting to see how far Convergence gets. Right now, Convergence just involves giving heart doctors at UPMC’s Presbyterian Hospital a couple dozen Microsoft Surface Pro 3 tablets, but HIT leaders plan to eventually roll out 2,000 of the tablets.

July 1, 2014 | Written by Anne Zieger

Sutter Health Ready To Deploy HIE, But Can It Succeed?

Sutter Health doesn’t have a great reputation when it comes to EMR implementation. Late last year, when we reported that Sutter’s Epic EMR crashed for an entire day, comments came pouring in about the company’s questionable approach to training its staff on using the system.

According to Epic consultants who’d been involved in the project, Sutter leaders decided that Epic experts were there to “facilitate” training done by inexperienced in-house teams, rather than actually teach key users what they need to know. The result was strife, disorder and anxiety, according to several consultants who’d been involved. Since then, Sutter has connected its EMR to five medical foundations and 17 hospital campuses; by next year, it expects the EMR to connect to information on 3 million patients. But there’s no reason to think it’s changed its training strategy, which could cast a bit of a pall over the new project.

Now, Sutter Health is building out a health information exchange, working with Orion Health, which will tie together hospitals and doctors both inside and outside of its network across northern California. Sutter plans to begin deploying the HIE in phases this summer, starting with data integration with the Epic EMR and extending to testing exchange of inbound and outbound data. If the project works out, it seems likely that it will be a plus for every provider that does business with Sutter.

The question is, will Sutter do a better job of managing this process than it did in rolling out its EMR? While it’s easy to boast that your plans are going to be a “gamechanger” for the market, it’s hard to take that claim at face value when your EMR implementation hasn’t gone so splendidly.

Certainly, Orion is a reputable HIE vendor which has been praised for having strong products and service. And Sutter certainly has the financial wherewithal to see such an effort through. The thing is, if Sutter leaders (seemingly) took a wrongheaded approach to the all-important issue of EMR training, who knows what curveballs they might throw into the process of rolling out an HIE? Even if its EMR has stabilized and Sutter has somehow gotten past its training hurdles, its past missteps don’t inspire confidence.

If I were with Orion, I’d draw a firm line where training was concerned, as Sutter’s past strategy only seems to have cast its last major HIT vendor in a bad light. If not, I’d make sure the contract had a workable bailout clause…or be prepared for some serious headaches.

June 30, 2014 | Written by Anne Zieger

AHA urges agencies to speed up EMR choice expansion

In a move that shouldn’t surprise anybody, the American Hospital Association is urging CMS and the ONC to hurry up and finalize new rules which would expand choice for certified EMRs.

The AHA letter argues that its members are on the verge of walking away from Meaningful Use. But if CMS and the ONC speed ahead with the new proposed rules — which would offer more choice in specific meaningful use requirements they must meet this year — hospitals will be much better equipped to proceed.

Why the rush? Well, for one thing, the letter argues, time is of the essence for hospitals, which have to decide their meaningful use strategy for fiscal 2014. If they must make choices before the new rule is finalized, it could cause them “significant financial and operational harm,” the AHA contends.

Meanwhile, if the agencies don’t push these rules through quickly, “many providers are likely to conclude that they cannot meet meaningful use this year and abandon the program,” wrote Linda Fishman, AHA senior vice president of public policy analysis and development, in a letter to CMS Administrator Marilyn Tavenner and National Coordinator Karen DeSalvo, MD.

The letter also takes on other issues. It asks that CMS and ONC clarify the rules implementation, offer more flexibility in the reporting of clinical quality measures, shorten the MU reporting period for 2015 and analyze lessons learned from Stage 2 before finalizing Stage 3’s start date, according to HealthcareITNews.

The AHA’s letter comes at a challenging time for the meaningful use program generally, which has of late attracted broader attention than it has in the past.

Not only are industry groups pressuring ONC, legislators are too. For example, at a recent health IT conference, U.S. Rep. Tom Price, MD, R-GA, argued that meaningful use is “maybe not even doing what needs to be done as it relates to patients and physicians.”

In his remarks, Price argued that meaningful use could be improved by keeping the patient front and center, making sure patients know they own their health data and establishing an interoperability standard.  But he suggests that because the MU program roadmap was laid out in the HITECH Act, it’s not as fluid as it should be and doesn’t accommodate such concerns.

The reality, however, is that there is no simple way to get interoperability; right now, we’re lucky if individual EMRs meet providers’ needs.  Despite the demands from other stakeholders, health IT vendors still have a lot more to gain by creating islands rather than interoperable products.

June 23, 2014 | Written by Anne Zieger

Georgia EMR Disaster: Was IT Department Responsible?

A few weeks ago, heads began to roll at Georgia’s Athens Regional Health System when its $31 million Cerner rollout began to fall apart. After clinicians complained that a rushed rollout process was generating a host of medication errors and other mistakes, President and CEO James Thaw resigned, and less than a week later, SVP and CIO Gretchen Tegethoff left as well.

Since then, however, the political landscape there has changed, with the facility’s chief medical officer, as well as Cerner executives, contending that the disaster was due to mistakes by the health system’s IT team, according to HealthcareITNews. The Cerner execs, CMO and others are arguing that IT leaders made strategic decisions that should’ve been made by clinicians, the publication says.

A local paper, the Athens Banner Herald, notes that the Cerner rollout was done largely by the hospital’s IT team, and that few end-users were involved. That, at least, is what Cerner VP Michael Robin told the paper.  And a different Cerner VP, Ben Himes, took another shot at the IT department, arguing that this implementation seems to have come out on the IT side of things, rather than stressing clinical involvement.

The bottom line seems to be that regardless of what actually happened, the clinicians at the hospital seem to have felt left out of the process, never a good thing when we’re dealing with a tool that they’ll need to use every day. It seems the hospital’s IT department didn’t do a good job of engaging clinicians and getting their feedback; under those circumstances, clinicians would likely have kicked up a fuss even if the implementation was otherwise smooth.

On the other hand, I’m always a little skeptical when vendors point fingers at their customers and say it was their fault when things go wrong. OK, I realize that there may be some truth to their accusations, and that Cerner has a right to defend itself, but it’s hardly a good PR move to dump problems with the implementation completely in the customer’s lap.

The truth is, we’ll probably never know exactly what happened with this EMR implementation. Considering the scale of the project, and the number of people involved, it’s inevitable that this will go down in a blaze of finger-pointing. But it never hurts to be reminded that EMR implementations which leave physicians feeling as though they’re on the sidelines are politically risky at best, and potentially disastrous at worst.

June 18, 2014 | Written by Anne Zieger

Pennsylvania Hospital Sees Data Breach

No matter how careful you are with patient data, there’s always a way for it to slip out the door or be accessed illegitimately. That’s why a Pennsylvania-based hospital has been forced to notify almost 2,000 patients that an employee had committed a HIPAA breach.

The 551-bed Penn State Milton S. Hershey hospital learned, after conducting an internal investigation, that an employee accessed and transmitted protected health data outside of the hospital’s secure information network. The hospital was forced to inform 1,801 patients that their names, medical record numbers, lab tests and results and visit dates could conceivably have been accessed by unauthorized persons or entities due to an employee mistake.

The HIPAA breach was due to a mistake by a Penn State Hershey clinical laboratory technician, who was authorized to work with PHI but did so insecurely. The lab tech accessed patient data via an insecure USB device through his home network rather than the hospital network, and also sent patient data via his personal email address to two hospital physicians.

To date, Penn State Hershey has had a respectable track record for security. As HealthcareITNews notes, this is the first large HIPAA breach the facility has reported to HHS.

But there’s clearly an education gap here if an otherwise well-behaved lab tech didn’t know that he would be compromising data if he accessed and sent it this way.

To prevent breaches like this from becoming common, hospitals need to keep up an ongoing education program which continually re-emphasizes the dangers of outside-network communication, unencrypted communications, data storage on easily stolen laptops and phones and more. But few hospitals offer the level of education required to fend off everyday accidents like this one.

But education isn’t the only security challenge facing hospital IT departments. There’s also an issue that remains in hospital security which, as we discuss HIPAA breaches, is worth a quick note. While it’s critical to educate staffers on what they can do to avoid HIPAA breaches, health IT departments themselves may need a refresher from time to time, notes my colleague John Lynn.

John notes that while hospital IT staffers may have strong antivirus software protecting their facility, their malware protections are often weak, as software that locks staff computers down too much often makes users angry.

As he sees it, the next wave of security breaches may not be due to human error (or malicious content) but unseen malware quietly feeding data to health data thieves. Not only that, he expects to see personal mobile phones get compromised and infect the hospital network. All scary stuff.

June 16, 2014 | Written by Anne Zieger

Cerner Agrees To Pay $106M Over Allegedly Defective Software

After years of back and forth, Cerner has settled a dispute with a North Dakota hospital claiming that Cerner’s financial software was defective and didn’t deliver expected business benefits.

Back in April 2012, Trinity Health told the vendor that it was transitioning away from Cerner’s patient accounting software solution and certain IT services provided by Cerner. At the time, it alleged that the patient accounting solution didn’t work right.  Of course, Cerner disputed the allegations, according to its 10-K yearly report.

The two players began arbitration in December 2013, a move which allowed Cerner to collect some payments due from the hospital. At the outset, Cerner was predicting liability of up to $4 million, while Trinity anticipated damages totaling $240 million.

Ultimately, the two agreed upon a settlement under which Cerner would pay Trinity $106 million. Interestingly, Trinity is continuing as a client of Cerner for its clinical solutions, something you might not expect under the circumstances.

This is a particularly unusual outcome for a vendor/hospital dispute, because most vendor contracts contain clauses to eliminate “consequential damages,” which limit a hospital’s ability to take legal action, notes Trinity attorney Michael Dagley. That being said, there are areas under state and common law provisions of consumer fraud statutes, under which manufacturers cannot misrepresent product capabilities and benefits.

Knowing how hard it is for a hospital to sue a vendor of IT services, it makes you wonder whether the growing number of hospitals dumping their current EMR are doing so because they’re not getting what they want but can’t sue to get their money back.  While it may be heinously expensive, buying a new EMR and installing it is certainly faster than going through years of court proceedings and then having to buy another EMR nonetheless.

March 12, 2014 | Written by Anne Zieger

Is IT The Reason CEO Turnover Is So High?

A new study from the American College of Healthcare Executives reports that hospital CEO turnover increased to 20 percent in 2013, the highest rate reported since ACHE began tracking these numbers in 1981.

There are several reasons one could identify as causes for high CEO turnover, including the retirement of baby boomers and the trend towards consolidation in the industry, which may eliminate jobs.

All that being said, I believe that the most likely reason for high CEO turnover of late is the turmoil around IT, including but not limited to evaluating and buying equipment from EMR vendors, managing process changes as the EMR is installed, seeing to it that the EMR doesn’t bankrupt the hospital and more.

And then, there is a need for management to be responsible for all of the systems that feed into the EMR, and to do something with the data that they produce.

Bottom line, it’s hardly surprising that there are a record number of CEOs struggling to stay on top of the crest where IT is concerned.  And it’s also not too surprising that some CEOs, who had done very well as the responsible leader with their hands on the wheel, might be less suited to the massive changes that can occur in the wake of IT transformation.

No, in reality it’s not very surprising that this is a time of high turnover for CEOs. When you pile on the various revolutions taking place in healthcare IT, and the need to lead your staff through them, manage them and prepare for the future, you have what might be seen as an impossible job for some CEOs. It’s not a big surprise that a particularly high number of hospital CEOs are calling it a day — or having it called for them.

March 11, 2014 | Written by Anne Zieger

Stanford Team Builds EMR Automated Checklist Solution

A Stanford team has built an automated checklist that pulls data out of EMRs and pushes patient-specific alerts to caregivers.  The checklist, along with the dashboard style interface clinicians use to work with it, has caused a threefold drop in the rates of a serious type of hospital acquired infection, according to a study of the solution published in Pediatrics.

The study, conducted by researchers in the pediatric intensive care unit at the Stanford University School of Medicine and the Lucile Packard Children’s Hospital Stanford, was focused on preventing bloodstream infections that begin in central lines.

To create the automated checklist, the research team collaborated with engineers from HP Labs, who programmed the checklist and displayed real-time alerts on a large LCD screen in the nurses’ station. Alerts from the system were generated as dots in three different colors (red, yellow and green), each with a specific action to be taken in response to the dot. For example, one dot might indicate that it was time for a patient’s central line to be changed, and another that it was time for caregivers to reevaluate whether medications given in the line could be switched to oral meds instead.

Using the checklists created from EMR data, it was much easier for clinicians to follow national guidelines in keeping central lines infection free. During the study, researchers reported, the rate of central line infections in the hospital’s PICU fell from 2.6 to 0.7 per 1000 days of central line use.

According to Natalie Pageler, MD, the study’s lead author, these are the kinds of solutions that can transform the use of EMRs by digging into their deeper capabilities. “Electronic medical records are data rich but information poor,” Dr. Pageler said. “Often, the data in electronic medical records is cumbersome for caregivers using real-time, but this study showed a way to change that.”

March 5, 2014 | Written by Anne Zieger

Large Health Systems May Miss Stage 2 Deadline

Usually, it’s the small institutions that are having fits when an IT program deadline is approaching. This time around, it’s the big boys that are struggling.

Intermountain Healthcare has announced that the organization will probably not attest to Stage 2 of the Meaningful Use program this year over concerns about patient safety, according to iHealthBeat.

In an interview with HealthLeaders Media, CIO Marc Probst said that with the organization transitioning from its own EMR to EMR software from Cerner, all the software will not be running at all of the locations by the end of this year. This isn’t surprising after the relatively recent announcement that Intermountain would be switching to Cerner.

It’s not clear what it says about the success of the Meaningful Use Stage 2 program, other than that Intermountain has other priorities, but it does make you wonder what other large health systems will take a similar posture.

After all, ONC Chief Medical Officer Jacob Reider (who also spoke with HealthLeaders) said that other large institutions are reporting similar situations. As amazing as it sounds considering the money involved, I won’t be surprised if we see more institutions following similar paths. There are a decent number of hospitals that haven’t even selected an EHR software.

According to Reider, it will be easier for small providers to meet Stage 2 requirements, given that they generally don’t have to plan as far into the future. But when it comes to large health systems, it seems that achieving this year’s Meaningful Use goal is a bridge too far.

March 4, 2014 | Written by Anne Zieger