The U.S. Department of Health and Human Services (HHS) will soon launch a healthcare-focused cybersecurity center, according to a press release. Christopher Wlaschin, chief information security officer at HHS, announced this news at a forum in April. The cybersecurity center will be called the Health Cybersecurity and Communications Integration Center (HCCIC) and will be modeled after the Homeland Security Department’s National Cybersecurity and Communications Integration Center (NCCIC), Wlaschin said.
The purpose of HCCIC will be to cut through the extensive “noise” in the healthcare industry about cyberthreats and to analyze and deliver best practices, Wlaschin said. He added that the center will also help smaller providers and doctors’ offices understand the two or three things they can do to protect patient privacy and secure information across the various technologies they use. HHS also envisions HCCIC working with mobile health app developers to promote data security in that fast-growing area.
Wlaschin said HHS anticipates that HCCIC will reach initial operating capability in late June.
Mark Scrimshire, the innovator behind CMS’ Blue Button initiative, told Federal News Radio that his team has already written an API to allow health applications developers to verify their security with a trusted source.
In the wake of highly concerning cyberattacks such as the WannaCry ransomware attack that have happened recently, it’s not surprising that interest and investment in cybersecurity is taking center stage in healthcare.
HHS and CMS’ focus on mobile and security also makes sense since the number of mobile health applications has been increasing steadily and rapidly, the Federal News Radio article said.
“Every single data holder in the industry has this problem of who do they trust with the keys,” Scrimshire said in the article. “What we’re trying to do is say, ‘Let’s try and sort this out as an industry.’ We’ve actually put together code to allow the technologists to do it.”
From February through April 2017, Black Book Research crowdsource-surveyed 8,845 physician practices about the transition to the Medicare Access and CHIP Reauthorization Act (MACRA) of 2015, which aims to move healthcare from fee-for-service reimbursement to value-based reimbursement.
The survey found this transition is proving to be tricky for physician practices.
Here are the top four health IT trends that could prove challenging to providers during this transition:
1) Physician practices unaware of certain MACRA and MIPS details
- 54% of respondents were unaware that the Centers for Medicare and Medicaid Services (CMS) will publish data on their Physician Compare website. This data will also be accessible via Yelp, Angie’s List, Health Grades and Google.
- 69% of the surveyed physician practice managers are aware they need to report on six quality measures; however, only 22% are aware that they had the option of choosing the metrics they believe represent the strengths of the practice.
- 94% of respondents were unaware or unsure of how to predict their 2017 scores under the Merit-Based Incentive Payment System (MIPS), a new program within MACRA that measures eligible professionals on quality, resource use, clinical practice improvement and meaningful use of certified EHR technology.
2) The market for MIPS technology is booming
Of physician practices with three or more clinicians that responded to the survey, 77% seek to buy MIPS Compliance Technology Solutions by Q4. However, 92% of respondents were not aware of any branded technologies that support MACRA and MIPS measures for 2017 reporting other than their EHR.
Interestingly, the primary reason for provider organizations to acquire MIPS technology was not quality measurements but because they were having trouble deciphering their MACRA earning potential, 89% of respondents said.
“Given the magnitude of the changes, the hunt is on for the best MIPS incentive enablement resources,” said Doug Brown, managing partner at Black Book Research, in a press release. “Finding one stop solutions shop for MIPS support is becoming easier with quality measure monitoring dashboards and enterprise analytics vendors.”
3) Ambulatory EHR Optimization sparked by MACRA and MIPS
The eight largest EHR systems include Cerner, Epic, Allscripts, eClinicalWorks, NextGen, athenahealth, Practice Fusion, and GE Healthcare, according to the survey. Of the physician practices surveyed, 72% said they are using EHR products not considered as part of those top eight EHRs and stated that they were not working with their EHR vendor to make sure they are prepared for MIPS measures and can properly report data.
“The replacement market is heavily leaning to these largest 8 EHRs from small EHR vendors and expected to increase through 2018 as some providers had previously invested in EHRs that do not acclimate to agile change at scale like MACRA demands,” Brown said in the press release. “EHR companies are not required by MACRA to update their technology so providers are ill-equipped should the practice stick with their uncertified EHR.”
4) Physician practices struggle to align data
The survey found that 81% of respondents said they have not grasped how to align data with reporting measures.
“Seemingly, the MACRA requirements appear fairly easy to meet, you simply attest to at least one performance improvement activity. However, the reality will be significantly more difficult as smaller practices in particular begin preparing for risk,” Brown said in the press release.
Healthcare data breaches hit an all-time high in 2016, according to a report by Bitglass. The volume of records leaked by 2016 healthcare data breaches, however, decreased from the previous year, the report said. In 2015, 113 million Americans were affected, including 11 million Premera Blue Cross customers and 78.8 million Anthem customers.
Furthermore, so far in 2017, only 1.5 million records have been breached, suggesting that the total number of breaches will continue to decline. However, healthcare organizations need to remain diligent to prevent breaches from occurring.
Although the number of individuals affected in 2016 decreased compared to 2015, when it comes to healthcare organizations, that is not the case. In 2016, healthcare data breaches affected 328 healthcare firms, surpassing the previous record of 268 in 2015.
Experts believe that the industry will be playing catchup as far as cybersecurity spending in 2017 to combat the growing number of threats. There are also new cybersecurity technologies, such as identity access control, that can make it harder for hackers to gain entry into the hospital network.
Five of the largest 2016 healthcare data breaches (80%) were due to hacking or IT incidents. In 2017, the largest breach was due to theft and the next four largest were due to hacking.
The Bitglass report also found that unauthorized disclosures comprised 40% of 2016 healthcare data breaches, making it the leading cause of breaches. Unauthorized disclosure includes non-privileged access to protected health information and personally identifiable information.
In Pennsylvania, health IT contributed to 889 medication mistakes in hospitals over a six-month period from January 1, 2016, to June 30, 2016.
During this period, the Pennsylvania Patient Safety Authority found that the majority of these medication mistakes were due to errors in hospitals’ computerized physician order entry (CPOE) and EHR systems. These medication mistakes included dose omission (13.8%), wrong dose or overdosage (10.9%), and extra dose (10.7%), according to a report by the Pennsylvania Patient Safety Authority. Of the 889 medication mistakes made, 69.2% reached the patient, and eight of the 889 resulted in patient harm, the report said.
While the majority of medication mistakes occurred due to errors with CPOE and EHR systems, these mistakes spanned all health IT components, which also include pharmacy systems, electronic medication administration record (eMAR) systems, clinical documentation systems, clinical decision support systems, and bar-coded medication administration (BCMA) systems, the report found.
CPOE and EHR errors
“The CPOE system was cited most often as an HIT component that contributed to the top three error event types,” the report said.
The report found that half of the 889 medication mistakes cited the CPOE system as a contributing factor while EHR components — including the clinical documentation and clinical decision support systems — contributed to 13.8% of the errors.
Of the errors reported concerning the EHR system, 56 were identified as communication issues with the majority of those 56 errors (69.6%) being due to prescriber free-texting instructions in the order comments field.
“More than a third of the free-text orders (35.9%) specified when to hold or discontinue the medication, which is a workaround that prescribers may use instead of modifying the end date within the CPOE medication order,” the report said.
The report concludes that ongoing health IT system surveillance and remedial interventions are needed.
“Oftentimes, failures in the HIT systems are attributed to human error, which hinders the investigation into secondary causes of the patient safety event such as limitations in software interoperability, usability, and workflow processes,” the report said. “The interaction between clinician and software is a key component that is to be taken into consideration when trying to improve the safety of HIT.”
A new ONC challenge is seeking ways to ensure the accuracy and reliability of health data, also known as data provenance. Data provenance refers to information about when the data was created, by whom, and whether it was changed during its electronic exchange.
Data provenance — and ensuring data is accurate and reliable — is important in healthcare because inaccurate data, incomplete data, or data that has been altered during health information exchange, can have a negative impact on patient safety and the quality of care delivery.
Providers must also be able to verify that the data originated from a trustworthy source. As patient-generated data becomes more common, healthcare providers may be skeptical about the source of health data.
The purpose of the ONC challenge is to identify current capabilities and methods used in health IT to convey the provenance of health data as it is used to support clinical care.
Participants in the ONC challenge must identify and articulate the challenges of data provenance as it relates to clinical care. The first phase will focus on real world data provenance challenges and explain why they are important to solve. The second phase will require participants to test their solutions to the problem they identified in phase 1.
ONC is asking participants to submit white papers for the first phase of the challenge by May 22, 2017. ONC will award a cash prize of $20,000 to up to four winners. The second phase will run from June 14, 2017, to January 22, 2018. The first place winner will receive a cash prize of $60,000, and the second place winner will receive $40,000.
Participants can register for the ONC challenge on the CC Innovation Center website.
The FBI’s cyber division notified the private industry that cyber criminals are targeting File Transfer Protocol (FTP) servers in order to get their hands on protected health information (PHI). FTP is a protocol used to transfer data between network hosts. The FTP servers these criminals are targeting are usually FTP anonymous authentication servers, are associated with medical and dental facilities, and handle PHI and personally identifiable information (PII), the FBI’s notification said. The FBI explained that the reason these criminals are targeting FTP is to not only get their hands on PHI, but also to intimidate, harass and blackmail the business owner(s).
An FTP server operating in anonymous mode, the FBI explained, is one configured to allow anonymous access: a user can authenticate to the FTP anonymous authentication server with a common username such as “anonymous” without being required to submit a password or e-mail address. This can potentially expose sensitive data stored on the server. The FBI cited 2015 research by the University of Michigan titled “FTP: The Forgotten Cloud,” in which researchers found that over 1 million FTP servers were configured to allow anonymous access.
The FBI added that cyber criminals could also attack an FTP anonymous authentication server that not only allows anonymous access but may also allow “write” access to store malicious tools or launch targeted cyberattacks.
Having an FTP server configured in either of these ways exposes the business to potential data theft and compromise by cyber criminals, the FBI said.
The FBI recommends that medical and dental healthcare organizations ask their IT services personnel to check networks for FTP servers running in anonymous mode. If an organization has a legitimate reason for operating FTP servers in anonymous mode, for example because certain documents need to be made readily available to the public, administrators should ensure that sensitive PHI and PII are not stored on that server.
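As an added illustration of the check the FBI recommends (this is not code from the notification or from any FTP vendor), the following Python audits a vsftpd-style configuration for the two exposures the notification names, anonymous read access and anonymous write access. Both configurations are constructed samples; the directive names and their defaults are vsftpd's documented ones, with anonymous_enable assumed to default to YES as the vsftpd manual states.

```python
"""Audit a vsftpd-style configuration for anonymous access and anonymous writes.

Added example, not taken from the FBI notification or vendor documentation.
Assumes a vsftpd-style key=value config file; directive names and defaults
follow the vsftpd manual (anonymous_enable defaults to YES).
"""

# Constructed sample: the kind of permissive server the FBI notification describes.
WEAK_CONFIG = """\
# constructed sample, not a real server's configuration
listen=YES
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
local_enable=YES
"""

# Constructed hardened counterpart: no anonymous logins, no anonymous writes.
HARDENED_CONFIG = """\
listen=YES
anonymous_enable=NO
write_enable=YES
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO
local_enable=YES
"""

# vsftpd defaults for the directives that matter here. Note that anonymous
# access is ON unless the config turns it off, so a missing line is a finding.
DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_other_write_enable": "NO",
}

ANON_WRITE_DIRECTIVES = ("anon_upload_enable", "anon_mkdir_write_enable",
                         "anon_other_write_enable")


def parse_config(text):
    """Return {directive: VALUE} from key=value lines; comments and blanks skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip().lower()] = value.strip().upper()
    return settings


def audit(text):
    """Return a list of finding strings; an empty list means no anonymous exposure."""
    cfg = {**DEFAULTS, **parse_config(text)}
    findings = []
    if cfg["anonymous_enable"] != "YES":
        return findings  # anonymous logins refused; nothing further to flag
    findings.append("anonymous login enabled: any client can read the anonymous tree")
    if cfg["write_enable"] == "YES":  # anon_* write directives only matter when writes are on
        for directive in ANON_WRITE_DIRECTIVES:
            if cfg[directive] == "YES":
                findings.append(f"{directive}=YES: anonymous users can store files on the server")
    return findings
```

A config with no anonymous_enable line at all is reported as exposed, because vsftpd's default is to permit anonymous logins.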
Financial services may have replaced healthcare as the most breached industry in 2016, but that doesn’t mean healthcare is in the all-clear.
According to a report by IBM Security, the healthcare industry suffered fewer medical record breaches in 2016 compared to the previous year. In 2015 cyberattackers leaked 100 million records. That number dropped to 12 million last year.
However, that doesn’t mean that the healthcare industry is becoming immune to medical record breaches or cyberattacks. Ransomware will continue to be a concern for the healthcare industry in 2017, and experts predict the number of attacks will double by 2018. Ransomware accounted for 85% of malicious attachments to spam email, according to the IBM Security report.
Healthcare organizations will also need to be on the lookout for insider threats. Last year, internal threats comprised 71% of attack sources, and inadvertent actors (users who were unaware that they were causing a security event) caused nearly half of those attacks. The share of insider attacks may be due to the healthcare industry’s susceptibility to phishing attacks, the report said.
Internal threats are a common theme for many organizations. After a record-breaking month of breaches in November 2016, Protenus, which publishes a monthly data breach barometer, said “hacking pales in comparison to insider breaches.” One way to prevent medical record breaches by internal and external attackers is to implement a security awareness campaign and conduct regular employee training.
The price of telehealth services may only continue to increase in the coming years as healthcare providers and businesses use online consultations more and more. According to a market research report by IBISWorld, this has not only increased demand for telehealth services over the three-year period up to 2017 but also raised prices, and IBISWorld expects prices to keep rising through 2020.
However, competition is helping keep price growth in check, since the telehealth market is highly fragmented and competitive, the report said. There are, however, a few prominent players such as Teladoc and Doctor On Demand.
“IBISWorld estimates that there are about 640 firms currently operating in the US telehealth market. Moreover, most operators are small and midsize firms that are privately owned and operated. In the next three years, market share concentration is projected to remain low as new players enter the market, warranting strong price competition,” Anna Son, procurement research analyst at IBISWorld, said in a press release.
In 2017 alone, prices of telehealth services are expected to grow 3.5%, Son said in the release. This is because more and more employers are and will be offering more telehealth services to their employees. Son said in the release that this is “to help curb skyrocketing healthcare costs related to employee sickness and absenteeism.”
Regulations contribute to price increase
In the United States today, 30 states and the District of Columbia require private health insurance carriers to provide the same coverage for telehealth services as they do for in-person visits over the next three years, the release said.
Furthermore, during the three-year period in which demand for telehealth services grew, there were also a number of regulatory changes, with more to come, the release said. Currently, more legislation is pending that is expected to facilitate the adoption of telehealth in the future.
“A rising number of health insurance companies are planning on expanding their coverage for telehealth services. These regulatory changes will help accelerate the integration of telehealth services in healthcare settings, thus leading to anticipated double digit sales growth and rising service rates in the coming years,” Son said.
The American Medical Association and 102 other physician groups have called on CMS and ONC to delay the use of 2015 certified EHRs beyond the current timeframe of required use starting in 2018 because they are concerned the EHR technology is not widely available yet.
“The undersigned organizations are writing to request a deferment from implementing 2015 Edition certified electronic health record technology (CEHRT) until such technology is widely available,” the letter said. “We believe that the technology will not be readily available to physicians across a wide variety of specialties and that the use of 2015 Edition CEHRT should remain voluntary.”
The letter goes on to say that few EHR vendors have fully upgraded their systems to be 2015 Edition certified. Only 54 of the over 3,700 EHR products are currently 2015 Edition certified and posted on the Certified Health IT Product List.
The American Medical Association (AMA) and other physician groups said in the letter that requiring physicians to upgrade to the 2015 edition EHR technology by 2018 would limit the choice of EHR technologies since so few are actually certified EHRs at this time. The AMA added that keeping with the current timeline could force physicians to choose and implement a system that is ultimately not suitable for their specialty or patient population.
“This is not only contrary to the purpose of an electronic health record (EHR)—a tool to help physicians respond to patient care needs—but also jeopardizes a physician’s chance of success in the [Quality Payment Program] QPP and [Meaningful Use] MU,” the letter said. “Physicians should not be subject to financial penalties under the QPP and MU because vendors have not certified their 2015 Edition products in a timely manner.”
The letter also points out that the switch to the 2014 CEHRT created similar issues and the result was a large backlog of products. To overcome this challenge, CMS eventually had to create a hardship exemption for technology delays.
Fueled by the increased use of connected medical devices for patient care, the number of remotely monitored patients grew 44% in 2016, according to a report by Berg Insight, a market research firm in Sweden.
With that expanded role for connected devices, some 7.1 million patients were being remotely monitored worldwide as of last year, the report says. Personal health tracking devices are not included in the report.
Furthermore, Berg Insight predicts that the number of remotely monitored patients will grow to 50.2 million by 2021.
Using patients’ own mobile devices is also becoming a viable remote patient monitoring strategy; Berg Insight forecasts that by 2021 the bring-your-own-device approach will be used to remotely monitor 22.9 million patients.
“Care delivery platforms and mHealth connectivity solutions are two of the most rapidly developing parts of the mHealth technology value chain,” the report states. “Care delivery platforms will be instrumental for engaging patients in their own care and delivering remote [patient] monitoring services to a large number of people in a cost efficient way.”
While the benefits of remote patient monitoring are clear and the adoption of these technologies continues to grow, this trend also comes with its challenges.
For one, the report notes the strong trend toward building more connectivity into medical devices. Although connecting medical devices has its benefits, such devices also introduce serious security vulnerabilities for healthcare organizations.
In fact, Karl West, CISO at Intermountain Healthcare in Salt Lake City, Utah, told SearchHealthIT last year that medical devices are the new threat landscape.
Meanwhile, the report says health-related apps and devices can generate huge amounts of data, and healthcare organizations are struggling to not only handle and store all that data but make sense of and derive value from it.
One strategy many are turning to is third-party cloud technologies. When using the cloud it’s “important for end users, doctors and care giving institutions is to choose a place where as many standards as possible are followed and where it is as easy as possible to export the data,” according to the report.