Healthcare Information Security: The Unfunded Mandate

Over the last several years billions of taxpayer dollars have been paid out for the adoption of Electronic Health Records (EHRs) in hospitals, clinics, and physician practices.  On one level this has been a great success: the percentage of EHR use in the medical community has truly soared, even as physicians and others have complained about inefficient workflow, unanticipated expenses, and burdensome reporting requirements.  There have also been other benefits, such as efficiencies in reimbursement, dramatically increased abilities to monitor quality, and opportunities for patient engagement through newly enabled features like patient portals.

On another, less noted, level, EHRs have been an unmitigated disaster.  Often reported in sensational terms, but rarely analyzed for their root cause, healthcare data breaches have become commonplace and stunning in scale.  A recent report stated that over the last six years, 155 million patients had their medical data breached, and more than 80% of providers have seen a data breach in the last two years (and a cynic would say the remainder just don’t know they’ve been breached yet.)   While data breaches for profit are the rule, eyebrows were barely raised when espionage by foreign governments or agents was listed as the likely reason for some large scale breaches of medical records.

When HIPAA was originally passed back in the 90’s, its primary purpose was described by its acronym: the Health Insurance Portability and Accountability Act.  The primary purpose of the law was to allow health insurance to move with patients, and to encourage efficiency in the payment process largely through the adoption of standards for coding electronic transactions.

Today, however, HIPAA is primarily known as a set of rules and practices designed to protect patient confidentiality and the security of electronic records.  Twenty years after its passage, HIPAA remains a topic of conversation — and audits for HIPAA compliance and the EHR subsidy program have documented large scale lack of compliance with the processes and standards mandated by HIPAA.

The authors of the original HIPAA legislation recognized that going from paper records and transactions to electronic records and transactions carried with it an increased risk of both large scale data breaches and abuses of highly portable electronic healthcare information.  Thus there was a heavy burden on healthcare organizations to protect against such risks.  Advocates cited, among other things, the risk that data breaches and unauthorized uses of information could result in a loss of trust in healthcare providers and a reluctance of patients to confide in — or even see — their healthcare providers.  Compliance with these rules was encouraged by a series of substantial penalties for their violation.  This was an “all stick, no carrot” approach to achieving security for electronic Protected Health Information.

The approach of the Meaningful Use program was to reward the adoption and use of EHRs with tens of thousands of dollars per provider.  At the same time, compliance with HIPAA mandates for security was, once again, required but not specifically funded.  Over several years of experience, audits of the Meaningful Use program have shown that failures to comply with HIPAA — most often the requirement for a Security Risk Assessment — are the most common faults found among audited entities.  And then there’s the matter of those 155 million patients whose healthcare records have been breached during the life of the Meaningful Use program.

As the Meaningful Use program fades into the sunset and MACRA looms as the next step in the digital evolution of healthcare, it’s time to take stock of where we’ve been and try to apply the lessons (hopefully) learned.  This reflection should include an analysis of the effectiveness of the unfunded mandate approach taken to healthcare information security. Here are some suggestions for fixing things.

  • Reward good security: a percentage of the funds for any new program such as MACRA should be tied to subsidized information security assessments and remediation of the problems identified.  The stick hasn’t worked; we need to put some carrots out there.
  • Explicitly encourage diligence: a breach detected and closed quickly should be penalized less than a breach that sits for months or years before being closed.
  • Make good security practices visible to patients: in my hometown of Seattle, the Health Department makes health inspectors’ reports available online.  In some cities health departments assign a numeric or letter grade for good hygienic practices, to be displayed for patrons.  Both of these approaches could be applicable to healthcare.
  • Encourage proactive security benchmarks: HIT security is a bit like preventive health: when it works great, nothing happens.  The challenge is to determine and reward preventive security practices.  To use an analogy: reward higher levels of vaccination rather than punishing outbreaks resulting from a lack of vaccinations.
  • Commoditize security: particularly as healthcare moves to the Cloud there is an opportunity for healthcare organizations to achieve higher levels of security.  There’s long been a suspicion of the security of the Cloud, which is finally giving way to a more realistic view.  A good Cloud provider will be managing software and hardware at a scale that enables dedicated security staff, hardening, and automated management of systems.  Benchmark certifications for hosted system security exist, and providers should be rewarded for choosing these solutions over the proverbial “server in a closet.”
  • Reward software providers who prioritize security: the software on the network-attached storage drives on my home network includes a simple security assessment dashboard which examines key security settings, provides a simple visual interface to report their current status, and issues reminders if routine maintenance tasks aren’t completed.  If something is wrong, a click on the dashboard item will allow you to correct it.  EHR software providers need to take this approach, rather than burying settings deep in nested menus and overwhelming users with massive needle-in-a-haystack audit logs.

The problem with this, of course, is that security isn’t sexy and as with preventive health, when it works “nothing” happens.  Ultimately, however, there are deep social — and economic — consequences to the current approach to security.  Healthcare data is attractive to the bad guys in part because healthcare records routinely contain information which is difficult to change (e.g., date of birth, social security number, home address) and therefore more useful to identity thieves than an easily changed credit card number.

Patient trust and provider reputation are on the line given our current regulatory approach to healthcare information security.  But beyond this, our current state of healthcare information security is what lawyers call an “attractive nuisance” — hugely valuable to identity thieves and others, haphazardly protected.  Let’s use this opportunity to create HIT Security 2.0 and change the incentives for everyone involved.

Posted in Health IT, IT, technology

Project Fi Review: Love It!

Project Fi is a cell phone carrier operated by Google.   It uses a combination of the T-Mobile and Sprint cellular networks, along with WiFi calling.  Currently you must have one of three phones: the Nexus 5X, 6, or 6P.  Project Fi currently has the Nexus 5X discounted to $199 with Project Fi sign-up (this is a $150 discount, and once the phone is activated on Project Fi, you can discontinue service and keep the phone at any time.)

The benefits of Project Fi are easy to quantify.  Because you’re using a Nexus phone on Google’s network, you will get all Android updates as soon as they’re released.  Financially, Project Fi is a very good deal for most users.  In addition to the discounts on the Nexus phones, unlimited voice and texting costs only $20 per month.  Data plans add $10 per gigabyte, but any unused data is refunded at the end of the month.  Project Fi provides an app that allows you to both monitor and change your plan within the app.  The service also includes tethering, so you can provide WiFi to a tablet or laptop in addition to your phone.

The icing on the cake is free international roaming, allowing you to use Project Fi almost anywhere in the world without extra charges.  We could, for example, use our phones on trips to visit family in Ukraine – something few other providers can match.  (Of course, the Nexus phones are GSM models, so you could also opt for a local SIM card when traveling, which gives you the advantage of an in-country phone number, if you want to go that route.)   Journalist Paul Thurrott has been using Project Fi while traveling in Europe and is ecstatic about it, as you can read here.

In our case, we were paying about $130 a month with AT&T for two phones and 3 gigabytes of data monthly.  With Project Fi, the charges – with all taxes included — run under $90 per month, assuming we use our 2 gigabytes of data each.  In practice, we’re using just about 1.25 gigabytes, which means our actual cost for 2 phones is about $80 per month, or $50 less than the AT&T plan.  This savings will pay for the discounted cost of 2 Nexus 5X 32 gig phones well within the first year of service.

So, how well does it work?  Quite well indeed, after a couple of months of use.  We live in the suburbs of Seattle, and voice and LTE data (usually connecting through T-Mobile) have been quite reliable.  If you have WiFi available at home and work, then you’ll use very little data.  There’s been very little to really remark on service-wise: it just works.  WiFi calling is totally invisible and has been 100% reliable to date.

Some time ago I signed up with Republic Wireless, which offered a similar cell + WiFi service at low cost.  We were early adopters, so our handset choice was limited to older Motorola smartphones.  The WiFi calling hand-offs on Republic were often unreliable (very poor voice quality), and texting was a bit rocky, too.  After a couple of months, I left Republic Wireless because of these issues.  They’re still operating and have newer handsets available, so perhaps their service is better, but I don’t have any recent experience with them.  Needless to say, this experience left me a little apprehensive about what the service on Project Fi might be like.

It’s notable that Project Fi works just like the Google Voice service, so you have the option of forwarding calls to another number, and the voicemail service includes the written transcriptions of voicemail which Google Voice users have long enjoyed.  I’m currently using Google Hangouts for SMS messages, and one result is that I can receive and reply to texts on any device – tablet, laptop, and desktop PC – where I’m logged into Google.  In fact, when a voice call comes in, I can answer it on any of those devices as well.

Signing up and getting started on Project Fi was remarkably easy.  When you go to the Project Fi website, you can sign up for service and get a discounted phone in just a few minutes.  Everything is billed through a credit or debit card, rather than the separate billing of traditional carriers.  When you sign up, they will ask for basic information about your current service if you want to port over your number.  The only “catch” here is that if you had a Google Voice number, you’ll either need to use the Google Voice number, or cancel the Google Voice number to use your “regular” cell number.

Within about a week, we had our phones in hand, receiving two boxes from Google, each with a phone and a Project Fi SIM card.  You insert the Project Fi SIM and set up the phone as usual.  Coming from another Android phone, the setup was simple, as Google allows you to transfer all the backed-up settings and apps from your previous phone, which is very welcome – you do have to wait while everything is downloaded, but the hands-on time for setup is under 15 minutes.  Similarly, because I’d provided the information required to port my number over when I signed up, the new phone was activated and running with my phone number within 30 minutes (Project Fi will tell you this may take a day or so.)

There are very few risks and downsides with Project Fi.  Assuming you need a new phone anyway, the pricing is very good on the Nexus phones, and once the phone is activated on Project Fi, you can keep the phone even if you discontinue service.  So if you try Project Fi and it doesn’t work out for you, you at least got a new Nexus phone at a substantial discount that you can use with another carrier.  While the Nexus phones are great – running “pure” Android and getting the newest updates and newest Android versions immediately – you can’t use a Samsung or other non-Nexus phone on Project Fi at the moment.  As mentioned above, if you have an existing Google Voice number, you either need to use it on Project Fi or kill the Google Voice number – not ideal, but understandable given the way the service works.

Of course, it’s always possible that Google will at some point discontinue Project Fi.   I know some people will be concerned with this as Google’s history of sometimes discontinuing products casts a long shadow.  However, I think it’s much more likely that Google will grow Project Fi, given that one of the major headaches Google has is with cellular carriers who drag their feet on Android upgrades.  There’s little argument that Google wants more control over this process, and Project Fi provides them with exactly that.  That said, should Google discontinue Project Fi in the future, the GSM / LTE phones will work fine on other carriers, just as my former Nexus 5 worked on AT&T.

All in all, Project Fi is a great service, and if you’re at a point where you need a new phone, it’s a very cost-effective package.  Although I had my concerns based on earlier experience with Republic Wireless’s cellular + WiFi model, Project Fi’s service has been outstanding.  Indeed, if I didn’t know it was using two cellular networks + WiFi, there would be no way to tell this was happening.  So, kudos to Google for a wonderful, inexpensive alternative that provides a very good user experience.

Posted in IT, Life, technology

#FreeSavchenko

Biden-Savchenko

Posted in Uncategorized

The Big Error in Windows 10

Unless cooler heads prevail, next year will see the release of Windows 10.  This should be the next “good” version of Windows if you believe the theory that every other release doesn’t, well, suck.

A lot of attention has been given to Microsoft’s jumping from Windows 8.1 to Windows 10, skipping over Windows 9.  Apparently anyone who has the most basic education understands that you count:  1, 2, 3, 3.1, 95, 98, 98SE, 2000, ME, XP, Vista, 7, 8, and….

As you can see, Windows hasn’t followed a strict series of version numbers, but rather something more like a series of best-guess-at-the-moment product names.  As befits a consumer product, the names have more of a “hold your finger up in the wind and see what flies” feel than a disciplined numeric sequence.

And in that spirit, I praise Microsoft for not following the leaden logic of “Windows 9” — but, “Windows 10”, really?

A few tech-wags have compared the jump to a desire for parity with the Mac’s OSX, despite the utter rarity of anyone thinking about that as version 10 of the MacOS.  And, even if you accept that dubious theory, wasn’t there a better choice for Microsoft?

Given its deep pockets and need for some sort of cachet for its aging franchise, clearly Microsoft should have labelled the new Windows as Windows 11.  Just imagine the ads touting, “This one goes to 11” and the Spinal Tap tie-ins.  Not petty on the part of Microsoft, but the best kind of pop culture jab saying, “Sorry folks, nothing to see here, just move on,” in terms of versioning.

Of course, it’s not too late yet.  So, who knows?

Posted in IT, technology

Welcome back (I know you didn’t miss me….)

If there’s a cardinal sin of blogging and social media, it’s assuming that you publish content on a schedule convenient to you, ignoring the needs and utility of timely publishing for your readers.

Therefore, not only have readers of this blog NOT missed me, there’s a fair certainty you’ve moved on and won’t ever see this post.  Bummer for me; that’s life for you.

For the last year I’ve been toiling as the Interim CEO of a small software and services company.  This was a great experience for me (and for the company as well, I hope!)  But after a national search, a new, permanent CEO is in place.  I will be spending a bit of time helping in the transition, but life is now getting back to what passes for normal around here.

I hope to provide some posts here covering what I learned during my year-long engagement, both the right steps and wrong steps I took.  But forgive me if I take a bit of time to put it in perspective; I’d rather do that than just regurgitate events.  Anyway, I look forward to doing more writing again and I hope that you will enjoy having me back!

Posted in Health IT, IT, Life, Uncategorized

Leap Motion Controller: Destroying My Personal Productivity

I was so busy working that I forgot my pre-ordered Leap Motion controller was due to arrive today. When I remembered, I walked up to the mailbox about 8 PM and it was there. The small USB device has a sensor that detects motion above it, creating a 3D virtual “touch screen” in the air that can do “multi-touch” detecting all 10 individual fingers and tracking them to control the computer.

leapcontroller

The setup is reasonably easy: plug the USB device in and then navigate to a URL listed on the device to download drivers and proceed with setup.  You then register the device and create an account with a dedicated Leap Motion app store, which includes free and paid apps.

As with any serious hardware evaluation, I immediately loaded “Cut the Rope” and asked my wife Irene to play.

It takes a couple of minutes to get used to it (you go up with your hand to go up on screen, but initially both of us tried to go forward, like a conventional mouse.) A twitch of a finger selects like a mouse click, which seemed natural and took no time to master. I ended up moving my chair about six inches back so my hands were directly over the sensor rather than the keyboard. I should mention that your laptop’s mouse / keyboard still works when using the Leap, which is great.

So far, I’m impressed with the hardware.

I’m eager to install the software on my desktop, which has dual 24″ monitors and a keyboard drawer, as I’m thinking the controller could sit on the desk above the keyboard drawer for smooth vertical alignment between typing and magically waving my hands in the air.

I know Leap Motion is signing OEM agreements with computer manufacturers, and I can imagine that a virtual touchscreen on a laptop could be the perfect antidote to the smudgy laptop touchscreens…

My wife’s opinion after playing a few successful games of Cut the Rope and playing with the Visualization Display app that shows what the sensor sees? “I want to watch ‘Minority Report’ again…”

Me too…

Posted in Uncategorized

To BYOD or Not to BYOD? That is NOT the question…

I just finished reading a website discussion of the pros and cons of Bring Your Own Device (BYOD) programs in healthcare.  It doesn’t really matter which particular article I was reading, since there are literally thousands on the topic.  While I’m always hoping for a fresh perspective, most writers tend to line up on one side or the other of the issue, pro or con BYOD.

What makes for a good article on the “controversy” doesn’t, however, make for good HIT policy.  It should be obvious that you can botch either option, either in policy or practice.  A “no BYOD” policy that’s ignored by users is as bad as a flawed BYOD policy that includes no safeguards on ePHI.  If the goal is to protect ePHI — or even just to comply with HIPAA — then focusing on BYOD alone kind of misses the point.

Those of us in IT ought to listen to the clinical voices in our organizations that are focusing on best practices, as measured by the clinical outcomes they achieve.  In that context, the question isn’t whether to BYOD or not BYOD, it’s how to avoid the slings and arrows of data breaches, overwhelmed support, frustrated users and regulatory penalties.  That is the question.

If we do start by looking at the evidence, it’s fairly clear that with mobile devices in healthcare, the primary risk is an unencrypted device.  Today most of these data breaches involve unencrypted mobile devices, chiefly laptops.  With the explosion in popularity of tablets and smartphones, healthcare software firms are churning out more products targeting these devices for access to EHR and other ePHI data.  From an IT security perspective, I’d much rather have all users on encrypted mobile devices, no matter who owns them.

Of course, there are many, many more capabilities that a robust mobile device management (MDM) software package will provide.   It is important that the device be unrooted, up to date on security patches, password-enabled, and protected from other security threats.

Remote wiping of devices is probably the most frequently deployed feature of MDM suites.  But remote wiping may be counter-productive.   Users may wait to be certain their device is lost and not just misplaced, knowing that IT will immediately wipe their device, forcing the user to reinstall from scratch if the device turns up.  Better to have a password-protected and encrypted device that, if lost, is unlikely to result in a data breach.

From this perspective, the question isn’t to BYOD or Not to BYOD.   Instead, start with: how do we secure data and mobile devices?  Some particular recipe of encryption, MDM, and virtualization is the likely answer.  These are the things which objectively will protect data best.  Only after you’ve answered these questions should you turn to whether and how to answer the BYOD question.

Failing the effort at those discussions, I’ll reiterate my current catchphrase: Just Encrypt IT!

Posted in Health IT

Quick Update: Flipboard Mags Adds Contributors

In another update of the Flipboard client software, the ability to have multiple contributors to personally published magazines has been added.  With the new software, you will see a link to “Invite Contributors” on the magazine’s home page:

flipboard-mag-2-add

Selecting the link will generate an email with a link in it for the contributor to accept the invitation.

If you should decide to remove a contributor at a later date, from the magazine’s home page, select “Edit” and you can easily remove the contributor.

This adds both a social element and the important ability to collaborate on a magazine.  It is impressive what Flipboard has been able to ramp up with Magazines in the space of just a couple of months since they debuted.


Posted in technology

The Paradox of Meaningful Use Incentives

The federal government is, justifiably, trumpeting the success of the Medicare and Medicaid EHR Incentive programs in creating a rapid and dramatic increase in the use of electronic health records.  Yet, even as the statistics show we’ve reached a “tipping point” of more than 50% use of EHRs, the agenda of the Incentive Programs and Meaningful Use are about to face their greatest challenge.  And the irony of that challenge is that it is a product of the Incentive programs themselves.

It’s widely acknowledged that meeting the Meaningful Use Stage 2 requirements will be challenging, as is reflected by the delay in Stage 2 Meaningful Use itself.   Determining the criteria for Meaningful Use took longer than expected, and even with the current delay to 2014, there are voices which are calling for further delays, or even “rebooting” the program overall.  And, as for Meaningful Use Stage 3, those criteria are still not in final form.  The MU Stage 3 criteria, which have a goal of improved health outcomes, will also be ambitious and challenging, whatever final form they take.

The problem with this, of course, is that the EHR products will need to be upgraded or adapted to meet the new Stage 2 Meaningful Use, and all of the providers will need to upgrade to those compliant versions before they can achieve MU Stage 2 in 2014.  Upgrading an EHR is not a trivial thing, for either the software vendor or for the individual practice.  And when all of a vendor’s customers are seeking to upgrade to meet a relatively tight deadline, there are challenges not only with having the software ready but also with being able to support customers doing the upgrade.

Many in the HIT community got very familiar with these challenges via not only MU Stage 1, but also through the 5010 billing format transition at the end of 2011.  For the EHR software I was using at the time, the 5010-compliant version proved to be much more of an upgrade than we’d anticipated, causing us not only to do a major software upgrade, but also to replace some server infrastructure a year earlier than its normal end-of-life.  And given that all the software vendor’s customers were essentially upgrading at the same time to beat an end-of-the-year transition, getting vendor assistance was in itself a challenge.

The upcoming MU Stage 2 requirements will overlap with another transition, the shift to ICD-10.  ICD-10 itself is a major upgrade, changing the format and increasing the number and complexity of codes compared with the current ICD-9.  Because of this, there isn’t a straightforward 1-to-1 mapping between old codes and new codes — there’s a lot for individual practices to work out around the necessary software transition, the coding itself, and its impact on practice revenues.  This is a very major transition, and one that recent reports indicate a lot of providers are not progressing toward as rapidly as they might.

As if that wasn’t enough of a challenge, as the thresholds and complexity increase with MU Stage 2 and Stage 3, the reimbursements themselves fall off.  This is by design, since the thought was that the big expense to providers would be to purchase and implement their EHR as a part of Stage 1.   The maximum amounts differ between the Medicare ($44,000 over 5 years) and Medicaid ($63,750 over 6 years), but in both cases the incentives fall off dramatically through the course of the programs.  Consider these figures for the Medicare program for a provider who met Meaningful Use Stage 1 in 2012:

  • 2012: $18,000 (Stage 1)
  • 2013: $12,000 (Stage 1)
  • 2014: $8,000 (Stage 2)
  • 2015: $4,000 (Stage 2)
  • 2016: $2,000 (Stage 3)

As you can see, the incentive amounts decrease continuously, while each MU Stage sets a progressively higher bar for functionality and reporting.   The Medicare program has additional lock-in for providers, since there are progressive payment adjustments beginning in 2015 to reduce payments to those eligible who don’t participate in MU.  But will avoiding these payment reductions actually inspire providers to remain on the MU track?  A recent article suggests that the adjustments may be regarded as relatively trivial, or that providers don’t believe the adjustments will ultimately be imposed.  And, unlike the Medicaid incentives, the Medicare program doesn’t allow providers to skip a year: you are locked into 5 consecutive years of participation; once you’re out, you’re out for good.

Of course, the EHR incentives shouldn’t be the only value for providers in pursuing Meaningful Use.  But as the complexity of the requirements increases while the payments themselves diminish, it will be interesting to see whether providers drop out of the program and whether their failure to meet the advanced stages of MU undermines its success.  That will be one of the more interesting HIT stories of 2014.


Posted in Health IT

About the Lviv! Flipboard Magazine

1996-v-2010-Lviv

This fall my wife and I will make our fifth trip to Lviv together.  As we prepare for that trip, I decided to collect ideas for things to do and happenings in Lviv: both to remind us of good times past, and as ideas for our upcoming trip.  To do this, I created a Flipboard magazine called “Lviv!” to share with her.

The current functioning of Flipboard Magazines is that they’re either private to only yourself – or public.  In sharing this with my wife, I really had no idea anyone else would read it.  But to share with her, I had to make it public.  So I was actually fairly surprised to see several other readers subscribing to the magazine.

If you are in Lviv and have a Flipboard magazine about your beautiful city: let me know!  I’ll subscribe and link to your magazine.  (A side note: even with my pitifully small understanding of the Ukrainian language, Google Translate makes it possible to discover and learn about more of the world than has been possible before!)

I have a tremendous personal affection and enthusiasm for the city and its people.  Since my first visit a few years after independence, there has been a deep and abiding joy seeing the city rediscover itself, reclaim its history, and face both seemingly unending challenges and, simultaneously, its untapped potential.

I was especially struck by this in 2010, when I noticed that I had taken a photo of a beautifully restored building in the center of town that I had also photographed back in 1996, when it was in considerable disrepair.  And while the changes we encounter each time we visit aren’t always as visually dramatic as this, they are equally surprising and often delightful.

The reality is that most Americans have never heard of Lviv, much less visited it.  Based on my experiences, I find that truly sad, as there is much to see and discover.

Thanks for your understanding of my purpose, and should you find anything of interest in the Magazine, that’s great.

Stephen McCallister

Posted in Travel