Exchanging Information Safely and Securely within Your Ecosystem

A “Meaningful” Act (Pt. 2)

by Ruby Raley
Director, Healthcare Solutions
Axway

(To read the first part of this blog post, click here.)

The body continues to be an apt metaphor in this post.

One of the other areas I find that people have neglected in their plans is the “nervous system.” So, you’re going to put this new eMR system in, you have to have all of these data breach protections, you have to have encryption, you have to be able to notify people promptly if data is lost. You need a nervous system that knows when any blood vessel is cut, when there is a leakage of information, which would be equivalent to internal bleeding—perhaps not obvious to anyone but going on nonetheless—and a significant impact on your patient’s health, possibly even a cause of death if left untreated.

How are you going to know that there is internal bleeding of data? Are you really going to go through log files and every system you have and verify that every transmission went through? Wouldn’t you rather just have a dashboard where you could quickly see the stats, find anomalous situations, immediately be alerted if something goes astray, and take action promptly and resolve the problem before there is internal bleeding and the “patient” is in critical care? I really think that some of those additional ways of thinking about the HITECH Act are critical to the success of the providers.

It’s just too hard to try to do everything inside your eMR system. You can’t stop people from sending attachments, needing to communicate with third parties, and needing to get data in and out of your enterprise. It’s just a fact of life, so why not put a plan together for it?

People who think that they don’t need a nervous system, that all they have to do is search through log files to find out what happened, I find, have either had better luck in life than I have or aren’t IT people on the front lines, because what I’ve seen over and over again is log files get erased every time there is an upgrade.

If you had an outage on Friday, and you had a system upgrade going in on Saturday, your log files might not be where you can find them on Monday. Maybe they were saved before the upgrade went in. Maybe the tapes didn’t work right. How do you know? In order to do the diagnosis, you have to look at the sending and receiving system, line up the time, look at the messages and try to figure out whether the darn messages were delivered.

To me, the idea that log files are sufficient to satisfy the data breach rules and the HIPAA security rule—I don’t quite get that. One of the things that I recommend to providers is that they do a mock exercise. How would they find the data breach? How would they convene their SWAT team? How would they actually plan through and respond to a real-life data breach? It’s much like having a patient flatline on the ER table—mitigating action needs to be taken immediately.

What they’re going to find is that, first of all, they have to include many more departments than they might have thought. When is the last time an IT outage or a service disruption required that the compliance officer, corporate marketing and PR people got called? Did you have to call the CEO when the system last went down? Do you know the criteria that need to be satisfied before you notify people? You have to make sure that a large number of people understand what the process is, because with a data breach, the legal ramifications of not taking due diligence, of exhibiting willful neglect, or of not following your own processes are severe.

And you never had to do that before. Who cared if a file didn’t get received by the insurance company on the other end? They’d call you and you’d resend it. Before, you never called the CEO or CSO to say that a file went astray and you didn’t know it had happened. You’re going to discover department people who aren’t aware, too. You’re going to discover people in the IT organization, people who might not have been exposed to the HITECH Act before, who need training so that they understand the circumstances under which to act. If you don’t have all of this preplanned, then it’s going to be fairly random and it’s not going to come together for you. Can you prove to the HHS and the auditors that your process, as written, was followed in these events? Can you afford the excessive fines and penalties that will follow if you can’t prove that your process, as written, was followed?

A “Meaningful” Act (Pt. 1)

by Ruby Raley
Director, Healthcare Solutions
Axway

Healthcare providers implementing the HITECH Act seem to regard the implementation of eMR (electronic medical records) like a major organ transplant. All they’ve got to do, they figure, is get a new heart in the body, or a new liver, or a new lung, and get the patient set back up again, and everything is good. But what they forget is that they have to integrate that organ into the support systems of the body. Those are the vascular systems, the lymph nodes, the nervous systems and so forth. They need a specialist that has the ability to integrate that new organ, that new eMR system, into their ecosystem so that it’s much more effective.

One of the definitions of “meaningful use,” which you need to meet in order to qualify for incentives, is a capability for information exchange. I doubt that you’re going to upgrade every organ in your body or every system in your ecosystem or in your enterprise to achieve meaningful use, but I don’t doubt that you need a helping hand to integrate that new component, that new eMR, that new eHR-upgraded system. And that’s where a B2B service provider comes in, and that’s a B2B service provider’s core strength. A B2B service provider integrates, knits together and connects up components.

What I find is that people forget that there’s a lot of ad hoc file transfer that goes on today. You’ll have many partners who aren’t connected to your eMR/eHR. They could be third-party clinics and labs, external payers, external HIEs—all of these people and systems need to be connected. You have choices. You can pay your eMR/eHR vendor to connect them, or you can come up with new connective tissue, new vascular systems, to ensure that information flows, as Dr. Blumenthal says, to every corner of the body, and that it flows back in, is reoxygenated and sent back out to the body parts so that every part of the body is as healthy as possible. Again, that’s a B2B service provider’s strength. That’s what they do. Managed file transfer, email attachment management—these are core capabilities that you may have neglected to consider while you were focusing on implementing that new eMR system in your enterprise. But they’re necessary for security and for meeting meaningful use criteria.

(To be continued.)

Encryption and Electronic Health Records: A Q&A with Paul Fowler (Pt. 2)

(To read the first part of this blog post, click here.)

AXWAY: Let’s talk about compliance. Some would say that if you’re compliant, you’re doing fine.

PF: Some people think compliance is setting up a few rules and some people think compliance is pretty much locked-down infrastructure. The government tells you what needs to get done to satisfy the law; they never tell you how to go about actually satisfying the law. There are people who do not believe that encrypting email is necessary, but there are also people who don’t believe that seatbelts are necessary! It doesn’t mean that it’s not common knowledge that seatbelts save lives. There are many people asking themselves, “Do I cut three employees from my staff in order to buy an encrypted email system?” And their answer is, “No, that’s not necessary.” And I tend to liken it to seatbelt laws: anybody who thinks they don’t need a seatbelt is right until they have a wreck, don’t have one on, and die. Then the realization of its importance becomes clear, but at a high cost. In the same way, there are tons of people who don’t believe that encryption is a necessary thing. They don’t believe they need their files managed in a very secure, two-factor-authentication method. Now clearly, the government, when they’re ordering nuclear weapons, uses managed file transfer, a system that will provide that encryption. But when you’re chatting on IM with your friends, you don’t have any security there at all. And you don’t worry about it because who cares what you’re saying to your friends? But if you’re in a hospital and IMing with your friends that some famous actor came in, here’s his medical record, and look what they’re treating him for—this all creates a host of issues for the hospital to worry about, issues that could expose them to massive liability. That’s big dollars. Managed file transfer, encrypted email, the encryption of IM systems—these things should become important to hospitals so that they can identify who internally is responsible for violations and educate those people constructively.

AXWAY: Protecting the company is fine, but besides privacy concerns, what else do these technologies address?

PF: As you implement managed file transfer and these kinds of encrypted email technologies, you begin to see patterns of your trading partners and exactly how they operate. You begin to establish the connections with networks and facilitate the safe spread of medical information. The more medical information gets shared, globally and collectively, the better patient outcomes are, both individually and collectively. So if every diabetic knows what works for every other diabetic, the community of diabetes patients is treated better. And if you can share one diabetic’s record with an expert, without compromising the diabetic’s identity, then that expert’s patient has an improved chance for better treatment, and everybody wins. Ultimately, that’s what it’s all about. It transcends mere compliance in some real way. The real challenge is this: How do we share medical information without compromising the privacy of an individual? The goal is not just to protect the information. The goal is to share the information with people who need it. For example, if I travel to Paris, which I do two or three times per year, and I don’t have an eHR, if I find myself in a hospital in Paris, nobody will know anything about me. How do I, as a patient, get my medical records to brand new doctors in a safe and secure way all the time?

Encryption and Electronic Health Records: A Q&A with Paul Fowler (Pt. 1)

In this two-part Q&A blog post, the Axway Editorial Staff talks with Paul Fowler, Axway’s vice president of Healthcare Innovation, about electronic health records and the new HITECH Act.

AXWAY: The compliance deadline for the HITECH Act changes, including the breach notification requirements, is February 17, 2010. How will that affect healthcare professionals starting next month?

PF: The HITECH Act was part of the president’s stimulus bill. What it basically was designed to do was stimulate the adoption of electronic health records (eHR) in the health industry. (eHRs are mandated by 2015.) Like all bills, it covers several areas. In one area, it gives physicians, hospitals and other folks a minor financial stimulus to adopt an eHR system. The healthcare interchanges and the healthcare record companies need to transmit these records to other partners, and to do that, they will need infrastructure, a robust B2B system to act as a backbone. But one of the more interesting things about the HITECH Act is that it puts teeth into the HIPAA law. HIPAA’s been around for years; it specified how eHR should be stored and even how your private health records should not be used. Previously, there was a law that stated that the only time you actually could get caught with a HIPAA violation was if somebody caught you stealing electronic records. The people who had to complain about it were the people victimized by the breach, i.e., the patients. In 99.9% of all scenarios, nobody cares about these breaches, because they simply don’t know; if your medical information gets leaked to a healthcare company, you don’t know it. So this old law had limited penalties. The only time anyone got in trouble was when, for instance, a famous person’s records were revealed and made news. But now, with this new HITECH Act, they’ve increased the fines and created an agency that will actually do an inspection on HIPAA compliance. That’s a law with real teeth, and it’s good for everybody.

AXWAY: What are you seeing hospitals doing to make themselves iron-clad against violating the HITECH Act and HIPAA in general? What are some steps all hospitals should take?

PF: What I’m seeing is that most hospitals are hiring Chief Privacy Officers, senior-level people in the organization, to demonstrate to both the government and the customers that they’re serious about HIPAA and healthcare privacy. Hiring this person is a good start. Second, a hospital needs to do a complete systems review and a technical roadmap and ask themselves, “Where are we relative to this? What is our risk?” These Chief Privacy Officers are really risk managers. They need to do a complete systems audit. Third, they need to safeguard against liability in the event that a partner has a breach. They need to do an extended audit, and have an extensive understanding of the people they’re actually exchanging information with, and ask, “Are they compliant with the information that they’re giving and receiving?” Hospitals need encrypted email, yet the email that comes in and out of the hospital is often not encrypted. Anybody can intercept it. It can be forwarded anywhere. They need the ability to send encrypted email so that they know that if anybody intercepts it, the only people who can read it are the people it’s intended for, the people who could decrypt it.

(To be continued.)

A Seamless, Effortless Flow of Information

by Ruby Raley
Director, Healthcare Solutions
Axway

Last month, Dr. David Blumenthal, National Coordinator for Health Information Technology, wrote an open letter on healthit.hhs.gov that shared his vision of the HITECH Act’s overarching goal and some of its implications.

Blumenthal writes, “A key premise: information should follow the patient, and artificial obstacles – technical, business related, bureaucratic – should not get in the way. As a doctor, I have many times wanted access to data that I knew were buried in the computers or paper records of another health system across town. Neither my care nor my patients were well served in those instances. That is what we must get beyond. That is the goal we will pursue…”

Further down, in the same paragraph, he writes, “Exchange within business groups will not be sufficient – the goal is to have information flow seamlessly and effortlessly to every nook and cranny of our health system, when and where it is needed, just like the blood within our arteries and veins meets our bodies’ vital needs.”

The desire for a seamless, effortless flow of information, to every nook and cranny of our health system, is something I’ve talked with many customers about.

We’ve identified two major concerns in the effort to satisfy this desire. The first one is the obvious one: security and HIPAA compliance. A number of vendors today offer enterprises the ability to protect against data loss, encrypt data and ensure patient privacy.

The second one is less obvious: the actual feasibility of effecting a seamless, effortless flow of information.

When I talk to providers, partners and business associates, they reflect on how systems have grown over the years—whether through acquisitions as they built their integrated network or the fact that the IT budget was starved and a system had to be retained far past its original expected life—and they reflect on how the IT team now has significant challenges.

New connections present a challenge. A lot of new connections require scripting in old and obscure languages that no one really knows anymore. Perhaps one or two people on a team have any experience in it, and that really slows down the ability to flow data into a new nook or cranny.

Another challenge is finding out what happened to data that went astray. Problem resolution takes a really long time. We’re finding industry standards of more than 20 hours to resolve a problem—a delay that’s just short of an eon in business terms!

A third challenge is freeing IT teams from manually reviewing log files. Can you imagine the effort it takes to produce audit trails to identify what really happened when you have to look through multiple log files? These are system-to-system connections, not just one log file. IT has to look through the log file on one system, then look through the log file on another system, then correlate the times, look at all the messages and figure out what was going on. That’s a huge challenge, and doing it well is almost an art form.
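The cross-system correlation described above, as an added example in Python (not Axway code and not a product feature): two constructed log fragments, one from the sending system and one from the receiving system, are matched on an assumed message id field, and each sent message is classified as delivered, late or missing. Doing this automatically, per transfer, is the kind of check a monitoring dashboard would run so that nobody has to line up two log files by hand.

```python
"""Reconcile a sender's transfer log against a receiver's to find messages
that went astray.  Added example; the log format, field names and sample
entries below are constructed for illustration, not taken from any product."""
import re
from datetime import datetime, timedelta

# Constructed sample logs.  Assumed line format:
#   <ISO timestamp> <SENT|RECEIVED> msg=<id> <to|from>=<partner>
SENDER_LOG = """\
2010-02-12T17:02:11 SENT msg=CLM-1001 to=payer-a
2010-02-12T17:05:40 SENT msg=CLM-1002 to=lab-b
2010-02-12T17:09:03 SENT msg=CLM-1003 to=payer-a
2010-02-12T17:12:55 SENT msg=CLM-1004 to=clinic-c
garbage line that a parser must tolerate
"""

RECEIVER_LOG = """\
2010-02-12T17:02:14 RECEIVED msg=CLM-1001 from=hospital
2010-02-12T17:09:05 RECEIVED msg=CLM-1003 from=hospital
2010-02-12T18:40:00 RECEIVED msg=CLM-1004 from=hospital
2010-02-12T18:41:10 RECEIVED msg=CLM-9999 from=hospital
"""

LINE_RE = re.compile(r"^(\S+) (SENT|RECEIVED) msg=(\S+) (?:to|from)=(\S+)$")


def parse_log(text):
    """Map message id -> (timestamp, partner); malformed lines are skipped."""
    events = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, _event, msg_id, partner = m.groups()
            events[msg_id] = (datetime.fromisoformat(ts), partner)
    return events


def reconcile(sent, received, max_latency=timedelta(minutes=30)):
    """Classify every message as delivered, late, missing or unexpected.

    Returns {msg_id: (status, partner, latency_or_None)}.  A receive with no
    matching send is reported too, since it points at a logging gap or an
    unexpected data flow.  Latency within max_latency counts as delivered;
    small clock skew between the two systems is absorbed by that tolerance."""
    report = {}
    for msg_id, (t_sent, partner) in sent.items():
        if msg_id not in received:
            report[msg_id] = ("missing", partner, None)
            continue
        latency = received[msg_id][0] - t_sent
        status = "delivered" if latency <= max_latency else "late"
        report[msg_id] = (status, partner, latency)
    for msg_id, (_t, partner) in received.items():
        if msg_id not in sent:
            report[msg_id] = ("unexpected", partner, None)
    return report


def anomalies(report):
    """Sorted ids that need follow-up, i.e. anything not cleanly delivered."""
    return sorted(k for k, v in report.items() if v[0] != "delivered")


if __name__ == "__main__":
    rep = reconcile(parse_log(SENDER_LOG), parse_log(RECEIVER_LOG))
    for msg_id in sorted(rep):
        status, partner, latency = rep[msg_id]
        print(f"{msg_id} ({partner}): {status}", latency or "")
```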

You must overcome these challenges and choose a vendor that makes it easy to flow data to every nook and cranny of your health system, to actually have the system find the problem for you, and to retain the audit information you need to prove to the government that the data was not lost and no message went astray. That’s really the biggest point of patient privacy. Most data breaches are due to either the inadvertent or the unplanned release of data to a party that wasn’t supposed to have it. These are things that you can protect against. Let’s make moving data simple and easy again and help David Blumenthal’s vision become reality.

A Different Kind of Immunization

by Ruby Raley
Director, Healthcare Solutions
Axway

Have you heard about ARRA and the HITECH Act?

A little background. The HITECH Act is a 400-page piece of legislation and part of the American Recovery and Reinvestment Act (ARRA), and its purpose is to provide grants, incentives and penalties to improve the healthcare infrastructure within doctors’ offices, hospitals, and state and federal agencies.

The government hopes to foster the adoption of e-medical records and e-health records (eMR and eHR) with this act, and they plan to pay doctors and hospitals a certain amount for the next three to five years to foster that adoption. Then, after that period, the government will impose penalties or reduced Medicare payments if doctors and hospitals don’t have the technology necessary to comply.

So what does this mean to doctors and hospitals?

Imagine a hospital with subcontractor doctors. All their anesthesiologists are in a group practice, and, in fact, a number of specialists are in group practices. The hospital also has doctors that work directly for them as employees and don’t work outside the hospital. It has relationships with labs and other satellite clinics. It has relationships with family providers all around town. It has relationships with certain payers, like insurance companies.

How is this hospital going to actually accommodate all of these providers who now get to decide which vendor they’re going to select for eMR and eHR? How is this hospital going to satisfy HIPAA privacy protection requirements? After all, the government enhanced the requirements for HIPAA privacy protection because they felt that if people didn’t believe that their data—their personal private data—was safe, they wouldn’t support doctors sharing it with others through an electronic system.

This sentiment is easy to understand. If you went to a doctor, gave your social security number, disclosed the fact that your family has a history of cancer, and then realized that that information was going to become public information, that that information could stop you from getting future medical coverage or that that information could be used to steal your identity, you would be outraged.

The government got this. They decided that they had to put more pressure on HIPAA, which ushered in new rules.

The new rules demand that data must be encrypted whenever it’s moving, and that data at rest must be encrypted or destroyed.

Which brings us to where we’re at today.

To accommodate these new rules, doctors and hospitals need the right tools to protect patient data, to safely move data from one vendor of eMR to another vendor of eHR, and to enable themselves to work with and submit data to any of the state-supported portals (i.e., Health Information Exchanges). Doctors and hospitals must solve interoperability, privacy, compliance, and protection problems, have their infrastructure assessed, and determine what they need to satisfy these new demands.

Anything short of that will, very soon, put doctors and hospitals at risk of the aforementioned imposed penalties or reduced Medicare payments, and what was once a non-issue for medical practitioners will become an extraordinarily critical issue. As an industry well acquainted with the importance of immunization, healthcare should understand that the sting of a data privacy vaccination is necessary to prevent serious harm in eHR exchange in the years ahead.

(Photo by robertdx: http://www.flickr.com/photos/robertdx/ / CC BY 2.0)