With the efforts to repeal and replace the Affordable Care Act, many are questioning how changes in Washington, D.C., may affect the shift to value-based care.
A study commissioned by Quest Diagnostics, a company that provides clinical laboratory services, and Inovalon, a healthcare cloud vendor, surveyed physicians and health plan executives to gauge the nation’s journey to value-based care.
Here are the study’s key findings:
More tools are needed for shift to value-based care
While 53% of the health plan executive respondents said that physicians have the necessary tools to succeed in a value-based care healthcare system, only 43% of physicians said they have the necessary tools. However, this is an improvement from 2016, the study found. Last year, 44% of health plan executives said physicians had the necessary tools while only 29% of physicians said they had the necessary tools. The study points out that the gap between these perceptions decreased from 15% in 2016 to 10% in 2017, suggesting there has been progress towards alignment between health plans and physicians.
EHRs aren’t closing the gaps
Physicians and health plan executives also had differing views on the value EHRs bring to value-based care. The study found that 75% of health plan executives said EHRs have everything physicians need while only 54% of physicians thought so.
Furthermore, 70% of physician respondents said they do not see a clear link between EHRs and improved patient outcomes and 65% of physician respondents said that if they could get one key insight at the point of care via their EHR it would be information related to performance or quality measures that apply to individual patients.
Despite doubts about the value of EHRs, physicians are still investing in them and are open to their potential, the study said.
Physician respondents also said that they’d be willing to spend more time using technology if their EHRs could yield insights unique to their patients (71%). Furthermore, nine out of 10 physicians also agreed that access to quality and performance measures specific to patients is key to the shift to value-based care.
The study also found that co-investment in health IT between physicians and health plans may be the answer, with 85% of health plan executives saying co-investment in health IT would accelerate value-based care adoption.
“This finding supports other research that shows health plans experience greater benefits from the implementation of information technologies, such as EHRs, than the providers that implement them,” the study said. “Perhaps health plan executives are mindful of the significant investment required of physician practices to implement HIT solutions and the potential for co-investment to help surmount this challenge.”
In the wake of the recent WannaCry and Petya attacks that have hit healthcare organizations worldwide, a group of Boston researchers is urging the industry to consider the public health implications of cybercrime.
The researchers — two physicians and an information security professional — outlined their concerns in a perspective piece published in the New England Journal of Medicine. The group cites a Ponemon Institute survey in which nearly 90% of participating healthcare organizations said they have suffered a data breach in the past two years as proof that cyberattacks in the healthcare industry are a growing and prominent threat.
Potential threats to healthcare information security
Some of the threats to the industry include denial of service attacks and ransomware, such as the WannaCry and Petya attacks. Both forms of attacks had public health implications as they could impair a healthcare organization’s ability to deliver efficient care, the group said, but they stopped short of exposing patient data.
If patient data is exposed, however, a cyberattack becomes more worrisome. One of the major public heath implications of such an attack is that protected health information is “durable” unlike, say, a credit card number that can be changed if the card is stolen or lost. However, medical history can be used to identify a patient years after the initial data breach, the researchers said.
Attackers could also manipulate patient data, such as potassium values, which could cause serious harm to patients’ health. Similarly, attackers could manipulate clinical systems like medical devices.
How organizations can reduce risk
While the researchers acknowledged that the challenge of protecting the healthcare industry from the rising number of threats is “complex” and that although there is no “silver bullet” that can stop all attacks, there are things organizations can do to reduce their risk.
Healthcare organizations should use best practice security procedures such as software update and data encryption, as well as do frequent backups. Improving password security by requiring frequent password changes can also help keep attackers out of a hospital system.
Finally, educating healthcare professionals about how attacks occur — such as clicking a malicious link in an email — can help reduce risk as well.
The researchers’ comments echo those of the Health Care Industry Cybersecurity Task Force, which called healthcare cybersecurity a “public health concern” that required “immediate and aggressive attention.” The task force outlined six imperatives to address the public health implications of cyberthreats, including improving awareness and education and developing a workforce that prioritizes cybersecurity.
Healthcare has had its sights set on transitioning over to value-based healthcare for a while now. But moving beyond the current fee-for-service care delivery model has proven challenging. Despite these challenges, some experts believe that value-based healthcare’s reliance on data and data analytics has exciting implications for health IT. Two lawyers share their four predications for value-based healthcare and digital health technology in a Law 360 article.
1) Raw data gains value from value-based healthcare tech
What with EHRs, HIEs, clinical decision-making tools and more, healthcare is generating a massive amount of data, the article said. In order to effectively use and take advantage of these tools, raw data needs to be collected from multiple sources and analyzed in one place.
2) Focus will turn to data sharing
Data sharing will become essential to value-based healthcare, the article said. This, in turn, will motivate those who collect, de-identify, aggregate and analyze clinical data, and the providers who generate the data to further share information. The article warns healthcare vendors and providers that, although data sharing is a positive force when it comes to value-based healthcare, these stakeholders should first consider whether patient authorization is necessary (in some cases it is and in other cases, legally, it is not), whether a provider is required to modify and redistribute its notice of privacy practices, and whether business associates should be handling PHI.
3) The market will be driven by evidence-based and HIPAA compliant tech
Currently, many developers focus on creating healthcare technologies that are patient-facing and wellness-oriented, the article said. This means that the companies creating these tools can avoid regulatory scrutiny, the article explained. However, value-based healthcare may change all that, especially since population health and patient engagement are key factors to successfully achieving value-based healthcare. As providers begin to use these tools, such as an app for their patient to use to document clinical information, the vendors creating these apps and healthcare technologies will then have to ensure their product is HIPAA compliant.
4) Employers take center stage
Employers are the primary purchasers of healthcare and will continue to be, according to the article. This means that employers will also likely greatly influence the use of health IT. Employers have said they want to make telehealth services available to employees, the article said. Furthermore, employers view these wellness programs as cost saving measures and the article said that health IT will facilitate this growth.
The Department of Health and Human Services will award $195 million to community health centers to expand substance abuse and mental health services that focus on awareness, prevention and opioid treatment in the U.S. The award will help health centers leverage health IT and training to support the expansion of mental health and substance abuse services, and integrate those services into primary care, according to an HHS release.
The funding will also increase the number of personnel for substance abuse and mental health services, according to an HHS release.
HHS Secretary Tom Price said integration is key to solving the challenges of mental illness and the opioid epidemic, and that the funding would help health centers across the country provide integration for mental health services to aid in opioid treatment.
One health IT tool that community health centers may utilize is the Behavioral Health Provider EHR Readiness Assessment Toolkit, which was developed specifically for substance use and mental health treatment. The toolkit can help health centers adopt certified health IT, as well as telehealth, social media, mobile technologies and other information technology. These technologies can be used to spread awareness or provide remote services to patients who may be dealing with behavioral health issues.
Health IT has the potential to have a positive impact on opioid treatment, other substance abuse care and mental health services, especially in rural or underserved areas where access to those services may be limited. However, it is important to balance health IT with actual providers because there are aspects of healthcare — especially behavioral and mental health — that still require a human touch.
Applications for HHS’ Access Increases for Mental Health and Substance Abuse Services award must be submitted by July 26, 2017, and funding is expected to be awarded in September.
Last week, SearchHealthIT discussed how the Health Care Industry Cybersecurity Task Force declared cybersecurity a public health issue. This week, SearchHealthIT takes an in-depth look at the six imperatives laid out by the cybersecurity task force.
The Health Care Industry Cybersecurity Task Force (HCIC Task Force), created by Congress as part of the landmark Cybersecurity Act of 2015, gathered information from external stakeholders and subject matter experts from across the healthcare industry, as well as other sectors, to better understand what changes need to be made and what goals need to be achieved in order to improve cybersecurity in healthcare.
In a report, they list six cybersecurity imperatives:
Better define leadership, governance, and expectations for healthcare cybersecurity
There are many opportunities for confusion when it comes to cybersecurity in healthcare, the report said.
“The technical infrastructure underlying health systems is inordinately complex. It must support not only patient records but also a diverse suite of medical devices used in diagnosing, monitoring, and treating patients,” the report said. “Understanding and managing cybersecurity risks for this mission-critical environment is challenging as the healthcare system has a mixture of state-of- the-art applications and devices, as well as older legacy devices that use unsupported operating systems or networking protocols.”
Furthermore, there are multiple frameworks for addressing cyber risk, the report said. This only adds to the confusion and the opportunity for vulnerability.
Because of these complexities and confusions, the cybersecurity task force said in their report that a consistent cybersecurity framework is needed.
The task force also recommended creating a cybersecurity leadership role within HHS.
Increase the security and resilience of medical devices
The report explains that there is a misalignment when it comes to medical devices and other healthcare technologies. For example, operating systems and other platforms such as commercial off-the-shelf software are misaligned with medical devices and electronic health records (EHRs), which can be utilized for 10 to 20 years or more.
“Some foundational challenges that will need to be addressed in order to enhance the cybersecurity of medical devices and EHRs include legacy operating systems, secure development lifecycle, strong authentication, and strategic and architectural approaches to product deployment, management, and maintenance on hospital networks,” the report said.
Develop healthcare workforce to prioritize cybersecurity
The cybersecurity task force said in their report that there are several challenges to creating a healthcare workforce that will prioritize cybersecurity:
- Finding people and tools to address the small and medium-sized healthcare organizations which usually can’t afford full-time technical resources.
- Limited resources for reinvestment in cybersecurity, especially for small and medium-sized organizations.
- Identifying cybersecurity leadership roles to identify risk.
- The growing involvement of patients in their own care also increases the exposure to threats.
Improve cybersecurity awareness and education
The report suggests three action steps the healthcare industry should take to achieve awareness and education:
- “Increase outreach for cybersecurity across all members of the health care workforce through ongoing workshops, meetings, conferences, and tabletop exercises.
- “Provide patients with information on how to manage their health care data by developing consumer grading systems for non-regulated health care services and products.
- “Develop cyber literacy programs to educate decision makers, executives, and boards of directors about the importance of cybersecurity education.”
Identify mechanisms for protecting from attacks and exposure
The Task Force recommends doing this by developing guidance for the industry on creating economic impact analysis and loss for cybersecurity risk, and researching how to protect healthcare big data sets.
Improve sharing information about industry threats, risks, and mitigations
“Together, industry and government should work together to ensure that the best resources are leveraged from the various systems and tailored toward the unique needs of health care while protecting privacy and maintaining appropriate legal protections,” the report said.
A federal task force called healthcare cybersecurity a “public health concern” that needs “immediate and aggressive attention,” and said increased digital connectivity places a greater responsibility on healthcare organizations to secure their equipment and patient data.
After a record-breaking year of data breaches last year, experts have predicted that the healthcare industry will increase cybersecurity spending in 2017. Threats to cybersecurity for healthcare facilities range from technical exploits such as ransomware to insider threats such as employee negligence. Both types of threats can potentially expose patient data and leave it susceptible to fraud and identity theft.
To address these and other challenges of cybersecurity for healthcare, Congress established the Health Care Industry Cybersecurity Task Force. In a recent report to Congress, the task force used information gathered from briefings, public meetings and expert consultations to identify six imperatives to help improve cybersecurity for healthcare as an industry.
- Define and streamline leadership, governance and expectations for healthcare industry cybersecurity – A single person should be responsible for coordinating cybersecurity activities within and outside of HHS.
- Increase the security and resilience of medical devices and health IT – Ensure that legacy systems are secured and track medical device vulnerabilities.
- Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities – Identify cybersecurity leadership within an organization with the authority and expertise to prioritize cybersecurity issues and initiatives.
- Increase health care industry readiness through improved cybersecurity awareness and education – Develop programs geared toward executives and boards of directors about the importance of cybersecurity education.
- Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure – Develop guidance for the healthcare industry and academia to evaluate cybersecurity risks for healthcare R&D.
- Improve information sharing of industry threats, weaknesses, and mitigations – Streamline the sharing of cybersecurity information and guidance to make it easier to use for small and medium-sized healthcare organizations.
The task force also identified best practices from the financial services and energy sectors, including conducting comprehensive information sharing and implementing baseline protections, such as patching systems against known vulnerabilities. The task force also recommended boosting communications and collaboration across the industry in order to educate portions of the sector that may not have had access to information about the latest threats to cybersecurity for healthcare organizations.
Health IT experts have lauded the benefits artificial intelligence (AI) will bring to healthcare for some time now. They range from improving cybersecurity to improving the workflow of a hospital. However, only the wealthiest countries and wealthiest healthcare organizations are able to purchase and use AI technologies.
Margaret Chan, director general of the World Health Organization (WHO) said at an AI summit that this technology must benefit everybody, not just the wealthiest countries and organizations, according to a Wired article.
“Enthusiasms for smart machines reflect the perspectives of well-resourced companies and wealthy countries,” Chan said in the article. “We need a wider perspective.”
Chan illustrates this disparity and how, quite frankly, silly AI technologies seem to those who don’t even have electricity and running, clean water.
“Any discussion of smart machines revolutionizing healthcare must be alert to these huge gaps in capacities,” Chan said in the article.
However, Chan said one thing everyone has in common regardless of wealth is the need to address chronic diseases such as heart disease, diabetes and hypertension. Here is where Chan believes AI technologies and wearables could provide great value.
In addition to addressing the disparity issue, Chan also warned against the over-reliance on technology, asserting that while machines will aid doctors in their work and streamline processes that lead to decisions, technologies like AI will never replace doctors and nurses when it comes to their interactions with patients.
Furthermore, Chan said that sometimes these technology tools give a false sense of safety and security. “Wearables for monitoring cardiovascular performance are already being questioned,” she said, for example.
In addition to disparity issues and warning against over-reliance of technology, Chan also pointed out that when it comes to AI technologies there are also many regulatory issues that need to be addressed.
“What if a smartphone app misses a symptom that signifies a severe underlying disease?” Chan said in the article. “Can you sue a machine for medical malpractice?”
Chan said that medical devices are heavily regulated for good reason but how can a machine be programmed to think like a human? She pointed out that doctors and nurses are not only licensed to practice medicine but also undergo continued study.
But with AI, there are many questions, she said. “We do not have the answers to many questions around AI. We’re not even sure we know all the questions that need to be asked.”
The U.S. Department of Health and Human Services (HHS) will soon launch a healthcare focused cybersecurity center, according to a press release. Christopher Wlaschin, chief information security officer at HHS, announced this news at a forum in April. The cybersecurity center will be called the Health Cybersecurity and Communications Integration Center (HCCIC) and will be modeled after the Homeland Security Department’s National Cybersecurity and Communications Integration Center (NCCIC), Wlaschin said.
The purpose of HCCIC will be to seek to reduce the extensive “noise” in the healthcare industry about cyberthreats and to analyze and deliver best practices, Wlaschin said. He added that the cybersecurity center will also help smaller providers and doctors’ offices to understand the two or three things they can do to protect patient privacy and ensure information security when it comes to the various technologies they may be using. HHS also envisions HCCIC working with mobile health app developers to help promote data security in that fast-growing area.
Wlaschin said HHS anticipates that HCCIC will reach initial operating capability in late June.
Mark Scrimshire, the innovator behind CMS’ Blue Button initiative, told Federal News Radio that his team has already written an API to allow health applications developers to verify their security with a trusted source.
In the wake of highly concerning cyberattacks such as the WannaCry ransomware attack that have happened recently, it’s not surprising that interest and investment in cybersecurity is taking center stage in healthcare.
HHS and CMS’ focus on mobile and security also makes sense since the number of mobile health applications has been increasing steadily and rapidly, the Federal News Radio article said.
“Every single data holder in the industry has this problem of who do they trust with the keys,” Scrimshire said in the article. “What we’re trying to do is say, ‘Let’s try and sort this out as an industry.’ We’ve actually put together code to allow the technologists to do it.”
From February through April 2017, Black Book Research crowdsource-surveyed 8,845 physician practices about the transition to the Medicare Access and CHIP Reauthorization Act (MACRA) of 2015 which aims to transition healthcare from fee-for-service-reimbursement to value-based reimbursement.
The survey found this transition is proving to be tricky for physician practices.
Here are the top four health IT trends that could prove challenging to providers during this transition:
1) Physician practices unaware of certain MACRA and MIPS details
- 54% of respondents were unaware that the Centers for Medicare and Medicaid Services (CMS) will publish data on their Physician Compare website. This data will also be accessible via Yelp, Angie’s list, Health Grades and Google.
- 69% of the surveyed physician practice managers are aware they need to report on six quality measures; however, only 22% are aware that they had the option of choosing the metrics they believe represent the strengths of the practice.
- 94% of respondents were unaware or unsure of how to predict their Merit-Based Incentive Payment System (MIPS) — a new program that is part of MACRA that measures eligible professionals on quality, resource use, clinical practice improvement and meaningful use of certified EHR technology — scores for 2017.
2) The market for MIPS technology is booming
Of physician practices with three or more clinicians that responded to the survey, 77% seek to buy MIPS Compliance Technology Solutions by Q4. However, 92% of respondents were not aware of any branded technologies that support MACRA and MIPS measures for 2017 reporting other than their EHR.
Interestingly, the primary reason for provider organizations to acquire MIPS technology was not quality measurements but because they were having trouble deciphering their MACRA earning potential, 89% of respondents said.
“Given the magnitude of the changes, the hunt is on for the best MIPS incentive enablement resources,” said Doug Brown, managing partner at Black Book Research, in a press release. “Finding one stop solutions shop for MIPS support is becoming easier with quality measure monitoring dashboards and enterprise analytics vendors.”
3) Ambulatory EHR Optimization sparked by MACRA and MIPS
The eight largest EHR systems include Cerner, Epic, Allscripts, eClinicalWorks, NextGen, athenahealth, Practice Fusion, and GE Healthcare, according to the survey. Of the physician practices surveyed, 72% said they are using EHR products not considered as part of those top eight EHRs and stated that they were not working with their EHR vendor to make sure they are prepared for MIPS measures and can properly report data.
“The replacement market is heavily leaning to these largest 8 EHRs from small EHR vendors and expected to increase through 2018 as some providers had previously invested in EHRs that do not acclimate to agile change at scale like MACRA demands,” Brown said in the press release. “EHR companies are not required by MACRA to update their technology so providers are ill-equipped should the practice stick with their uncertified EHR.”
4) Physician practices struggle to align data
The survey found that 81% of respondents said they have not grasped how to align data with reporting measures.
“Seemingly, the MACRA requirements appear fairly easy to meet, you simply attest to at least one performance improvement activity. However, the reality will be significantly more difficult as smaller practices in particular begin preparing for risk,” Brown said in the press release.
Healthcare data breaches hit an all-time high in 2016, according to a report by Bitglass. However, the volume of leaked records caused by 2016 healthcare data breaches decreased from the previous year, according to the report. In 2015, however, 113 million Americans were affected, including 11 million Premera Blue Cross customers and 78.8 million Anthem customers.
Furthermore, so far in 2017, only 1.5 million records have been breached, suggesting that the total number of breaches will continue to decline. However, healthcare organizations need to remain diligent to prevent breaches from occurring.
Although the number of individuals affected in 2016 decreased compared to 2015, when it comes to healthcare organizations, that is not the case. In 2016, healthcare data breaches affected 328 healthcare firms, surpassing the previous record of 268 in 2015.
Experts believe that the industry will be playing catchup as far as cybersecurity spending in 2017 to combat the growing number of threats. There are also new cybersecurity technologies, such as identity access control, that can make it harder for hackers to gain entry into the hospital network.
Five of the largest 2016 healthcare data breaches (80%) were due to hacking or IT incidents. In 2017, the largest breach was due to theft and the next four largest were due to hacking.
The Bitglass report also found that unauthorized disclosures comprised 40% of 2016 healthcare data breaches, making it the leading cause of breaches. Unauthorized disclosure includes non-privileged access to protected health information and personally identifiable information.