Maybe your healthcare organization has experienced a ransomware attack recently. Well, you certainly are not alone.
Ransomware attackers have mounted roughly 4,000 attacks a day since early 2016, across all sectors. That is a 300% increase over the roughly 1,000 daily ransomware attacks reported in 2015, according to a recent U.S. Government interagency report.
That number is pretty staggering.
The U.S. Department of Health and Human Services (HHS) recently published guidance on ransomware including how to know if your healthcare organization is under attack, how to recover, and how to know if HIPAA has been violated.
Some key indicators of a ransomware attack, according to HHS, are:
- A user realizing that a link clicked, a file attachment opened or a website visited may have been malicious
- Increased activity in the central processing unit (CPU) and disk activity for no apparent reason
- Inability to access certain files
- Detection of suspicious network communications
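As an added illustration (not part of the HHS guidance or this article), the following Python script turns two of the file-level indicators above, files that can no longer be read as their type suggests and files renamed en masse to a new extension, plus the ransom note that usually accompanies them, into a simple triage scan of a directory tree. The entropy threshold, the per-extension burst threshold and the note-name pattern are assumptions chosen for the demonstration, and the sample tree it builds is constructed test data, not real patient files.

```python
"""Added illustrative example; not code from the HHS guidance or the original article.

Triages a directory tree for file-level ransomware indicators: files whose contents
are near-random (encrypted data approaches 8 bits of entropy per byte), many such
files sharing one new extension, files that can no longer be opened, and a
ransom-note-like file name. Thresholds and patterns below are assumptions.
"""
import math
import os
import re
import tempfile
from collections import Counter

# Assumed indicator settings (not exhaustive, not taken from the page).
NOTE_PATTERN = re.compile(r"(decrypt|restore|readme|how_to|recover).*\.(txt|html|hta)$", re.I)
HIGH_ENTROPY = 7.5        # bits per byte; plain text and office documents sit well below this
SAMPLE_BYTES = 4096       # only the head of each file is read


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_tree(root: str) -> dict:
    """Walk root and collect per-indicator evidence into a report dict."""
    high_entropy = Counter()   # extension -> number of near-random files
    ransom_notes = []
    unreadable = []
    total = 0
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            total += 1
            if NOTE_PATTERN.search(name):
                ransom_notes.append(path)
                continue
            try:
                with open(path, "rb") as fh:
                    head = fh.read(SAMPLE_BYTES)
            except OSError:
                unreadable.append(path)   # HHS indicator: inability to access certain files
                continue
            if shannon_entropy(head) > HIGH_ENTROPY:
                ext = os.path.splitext(name)[1].lower() or "<none>"
                high_entropy[ext] += 1
    return {"total": total, "high_entropy_by_ext": dict(high_entropy),
            "ransom_notes": ransom_notes, "unreadable": unreadable}


def verdict(report: dict, min_encrypted: int = 3) -> bool:
    """True when one extension carries several near-random files, or a ransom note is present."""
    burst = any(n >= min_encrypted for n in report["high_entropy_by_ext"].values())
    return burst or bool(report["ransom_notes"])


def build_sample_tree() -> str:
    """Constructed sample data: three plain notes, four 'encrypted' files, one ransom note."""
    root = tempfile.mkdtemp(prefix="ransom_demo_")
    for i in range(3):
        with open(os.path.join(root, f"patient_{i}.txt"), "w") as fh:
            fh.write("Appointment notes for patient record %d\n" % i * 40)
    for i in range(4):
        with open(os.path.join(root, f"patient_{i}.docx.locked"), "wb") as fh:
            fh.write(os.urandom(SAMPLE_BYTES))   # stands in for ciphertext
    with open(os.path.join(root, "HOW_TO_DECRYPT_FILES.txt"), "w") as fh:
        fh.write("Your files have been encrypted.\n")
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    print(report)
    print("SUSPECTED RANSOMWARE" if verdict(report) else "no file-level indicators")
```

Run it against a real share as `scan_tree("/path/to/share")`; the report is more useful than the boolean, because the extension carrying the burst and the note path tell the incident responder where to start scoping.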
HHS recommends that if an entity believes a ransomware attack is underway, it should immediately activate its security incident response plan, which should include determining the scope and origination of the attack, whether the attack is finished, and how the attack occurred.
Once these initial steps have been taken, HHS recommends that a covered entity then work to contain the impact and propagation of the ransomware, and then eradicate the ransomware.
Once this is done, the covered entity should remediate the vulnerabilities that allowed the infection, restore the data lost in the attack in order to recover, and then conduct post-incident activities. These should incorporate deeper analysis of the evidence to determine whether the entity has any regulatory, contractual or other obligations as a result of the attack.
Lysa Myers, security researcher at cybersecurity firm ESET North America, said in an email that generally the guidance from HHS was good. However, “I would like to see a bit more about specific techniques and tactics to prevent malware, such as: patch or update software regularly, show hidden file-extensions, and block executable files sent in email,” she said.
(SearchHealthIT contributor Reda Chouffani, in a recent story, details ten ways to stop and avoid a ransomware attack.)
Meanwhile, Myers said the government guidance will, without being an unnecessary burden, help healthcare organizations better protect themselves against ransomware and malware, and against many other types of breaches as well.
“By adding additional techniques like encrypting sensitive data when it’s stored or when it’s sent via the Internet, and using multi-factor authentication, they can significantly impact their level of risk,” Myers said.
With its levy of a $650,000 fine on a service provider of the Archdiocese of Philadelphia, the Department of Health and Human Services’ Office for Civil Rights (OCR) has entered into what appears to be its first-ever settlement with a business associate for allegedly violating the HIPAA Security Rule.
The OCR action stemmed from the 2013 theft of an iPhone from Catholic Health Care Services (CHCS), which led to the loss of protected health information (PHI) of 412 people, according to the OCR settlement and corrective action plan.
CHCS provides information and technology services to nursing homes operated by the Archdiocese.
The HITECH Act of 2009 made business associates of healthcare organizations directly liable under HIPAA for the Security Rule and for certain Privacy Rule requirements, so that they must protect PHI just as covered entities do.
In 2016, OCR began auditing business associates for the first time, as part of a formal round of audits of healthcare organizations and of business associates, such as companies and nonprofits that handle PHI, including billing firms and cloud providers.
After an investigation starting in 2014, OCR determined that, among other violations, CHCS failed to perform a security risk analysis and failed to put in place a security risk management plan.
“Business associates must implement the protections of the HIPAA Security Rule for the electronic protected health information they create, receive, maintain, or transmit from covered entities,” OCR Director Jocelyn Samuels said in a release. “This includes an enterprise-wide risk analysis and corresponding risk management plan, which are the cornerstones of the HIPAA Security Rule.”
Meanwhile, another PHI breach by a business associate that exposed health data of 4,300 dental patients was disclosed recently by Massachusetts General Hospital, the Boston Globe reported.
In February, Mass. General learned that an unauthorized party had gained access to electronic files stored by Patterson Dental Supply Inc., which supplies software to help manage dental practices for healthcare providers including Mass. General.
On June 29, the hospital began notifying affected patients that their PHI, including dates of birth, Social Security numbers, and possibly the date and time of their dental appointments, had been exposed.
Responding to Congress’ call last year to define health IT interoperability measures that Medicare providers must meet to receive reimbursement under new value-based models, ONC has published the measures. The new measures are now part of MACRA, the Medicare Access and CHIP (Children’s Health Insurance Program) Reauthorization Act.
The measures, as detailed in an ONC blog post, are:
- “Measure 1: Proportion of health care providers who are electronically engaging in the following core domains of interoperable exchange of health information: sending; receiving; finding (querying); and integrating information received from outside sources
- Measure 2: Proportion of health care providers who report using the information they electronically receive from outside providers and sources for clinical decision-making.”
The blog post’s authors, Seth Pazinski and Taisha Searcy, of the ONC Office of Planning, Evaluation and Analysis, elaborated that the measures fulfill many commenters’ requests that they not add to providers’ reporting burdens, but rather come from existing national surveys of hospital and office-based physicians.
The surveys are the American Hospital Association’s Information Technology Supplement Survey and the Centers for Disease Control and Prevention’s National Center for Health Statistics’ annual National Electronic Health Record Survey of office-based physicians. The surveys measure not only interoperability but also how physicians use other EHR functions in their daily practice.
The ONC officials also noted that commenters, in addition to being concerned about burdensome reporting, also wanted the measures’ scope broadened to include providers not eligible for the meaningful use program for EHRs, such as behavioral health providers.
Commenters also raised concerns about recognizing the complexity of measuring interoperability.
“Although the MACRA requirement for measuring interoperability largely focuses on ‘meaningful users,’ we are committed to advancing interoperability of health information more broadly,” the ONC officials wrote. “We will be expanding our measurement efforts to include populations across the care continuum in the near-term, as well as an increased focus on outcomes in the longer-term.”
Most healthcare organizations (58% of respondents to a Peer60 report) aren’t ready to adopt alternative payment models for value-based care yet, according to the report. Another 37% of respondents said they will be adopting alternative payment models for value-based care, and 5% said they will not.
This doesn’t come as much of a surprise, however, since the trend of bigger hospitals being more likely than smaller ones to have the resources (financial, technical, or otherwise) to pull off adopting a new payment model has stayed fairly constant, the report said. More specifically, the report found that hospitals with fewer than 500 beds are likely to be slow in adopting alternative payment methods.
The alternative payment methods include:
- Accountable Care Organization (ACO)
- Bundled Payments
- Full and Partial Capitation
- Comprehensive Primary Care (CPC) and CPC+
- Pay for Performance (P4P)
- Value-Based Purchasing (VBP)
The surveyors received varied responses from some of the providers that indicated they are not opting for value-based payment models.
“Some were of the opinion that doctors would be paid less than ever before due to noncompliant patients; outcomes determined primarily by patient compliance could lead to physicians cherry-picking patients whose outcomes will show higher levels of value,” the report said. “One provider even called the value-based system ‘diabolical.'”
Another provider respondent said in the report that, “metrics used by payers are not reflective of the true quality of services delivered.”
However, some hospitals across the country have already begun to adopt and use value-based care payment models. One example is the four healthcare organizations in Massachusetts that signed on to Blue Cross Blue Shield’s value-based care model.
Although most healthcare organizations may not be ready to move over to value-based payment approaches yet, the report did find that providers are most interested in adopting a bundled payments model, which CMS says allows for greater provider adaptability and flexibility in deciding how payments are allocated.
The first day of the two-day Health IT Summit in Boston was filled with speakers and panels addressing value-based care and cybersecurity. About half of the audience at the summit were health IT professionals and administrators, while the rest consisted of security and privacy professionals, clinicians and providers, according to an informal poll taken during a session at the summit.
Richard Royer, CEO of Primaris, a Missouri-based consulting firm, outlined three actions that need to be executed in order to achieve value-based care:
- Know how to optimize your EHR and the data. Technology plays an important role not only in meaningful use but also in value-based care. Adoption of EHRs has tripled in the last seven years, according to Sylvia Burwell, secretary of the Department of Health and Human Services, who spoke about the issue at the Health Datapalooza conference in Washington, D.C. in May. However, Royer asserted that “simply having an EHR is not enough” when it comes to achieving value-based care.
- Know your patients. Focus on population health and care coordination. This means linking systems electronically and bringing all the players into a coordinated system. Providers have to start thinking of managing a population of patients, because that’s where the value-based reimbursement system is headed.
- Know your practice. And know how to deliver care, Royer said. In this case, providers should be making sure they are focusing on the right strategies and technologies to improve the delivery of care. If they are concentrated on the right things, he added, then the emphasis should be on “doing things right.”
Another poll taken at the summit showed that attendees were about equally divided when it comes to whether external hackers or inside threats are the greatest security risk in the near and long term.
“I don’t think there’s a difference anymore,” Julie Berry, CIO at Steward Health Care System in Boston, said during a panel discussion. “You can’t lock people out anymore. You have to live like they’re there already.”
The key is to figure out who has access to what data and what part of the medical record that person is touching, Erika Barber, privacy and security manager at Massachusetts General Hospital in Boston, said.
One hospital is using an application that manages patient privacy and automatically detects breaches to help them monitor who has access to what within its healthcare organization.
Health IT is so often seen as central to creating efficiencies, maximizing reimbursement and helping spur advances in medical care, that its effect on patient safety is sometimes overlooked.
But not by Andy Gettinger, M.D.
In a recent post on ONC’s blog, Gettinger, ONC’s CMIO and director of the agency’s Office of Clinical Quality and Safety, elaborates on two new ONC reports on health IT safety.
A key takeaway: “Evidence continues to indicate that health IT safety is dependent not just on EHR systems themselves, but on a complex interplay of factors, including an institution’s leadership, culture, readiness, installation practices, training and handling of upgrades.”
Gettinger also says in the post that EHR usability and interoperability are also important to improving the safe use of health IT.
The first report, on evidence on health IT safety and interventions, includes analysis of studies by the Joint Commission and Harvard University’s CRICO (Controlled Risk Insurance Company) malpractice claims database.
The Joint Commission identified 120 reports over a 3.5-year period that involved events resulting in patient harm caused by health IT issues such as user-computer interface problems, the ONC report says.
In an analysis of 248 cases in the CRICO database from 2012 and 2013 in which health IT problems were a factor, medication issues in ambulatory care and complications from treatment were the leading cause of claims (38%), followed by diagnosis at 28%, according to the report.
Among the recurring patterns with health IT systems identified by the CRICO analysis were risks from EHR conversions and updates, problems with copy-paste functionality and prepopulated data, and “incorrect assumptions that the information in the EHR was always correct and up to date.”
The second report lays out goals and priorities for healthcare organizations to improve patient safety using health IT.
It includes a summary of major federal health IT safety policies, including moves to discourage information blocking; EHR transparency initiatives; establishing a framework for vendors and users to report health IT-related deaths, injuries and unsafe conditions; and recommending that Congress set up an independent body for investigating health IT safety incidents.
Among the report’s recommendations is the creation of a Health IT Safety Collaborative under ONC to promote safe use of health IT and to coordinate safety issues among developers building health IT systems.
When Cerner Corp. was chosen to take on the task of connecting the U.S. Department of Defense’s (DoD) 55 hospitals and 600 clinics, it was declared a big win for the EHR vendor.
But the DoD’s Office of the Inspector General (OIG) is recommending in an audit report that the DoD and Cerner reconsider the initial go-live date because the “mandated execution schedule may not be realistic for meeting the required initial operational capability date of December 2016.”
The OIG explained in the audit report that while the DoD Healthcare Management System Modernization program has identified risk and mitigation strategies, rushing the system into use by December may create other risks.
These include “potential delays involved in developing and testing the interfaces needed to interact with legacy systems, ensuring the system is secure against cyber attacks, and ensuring the fielded system works correctly and that users are properly trained.”
Zane Burke, president of Cerner, told SearchHealthIT in a video interview that the endeavor would not be easy.
“The use cases are both challenging and awe-striking, as you think about what those men and women are out doing serving our country, serving the nation and their need for care in very difficult, challenging settings,” Burke says in the video. “Our role is to make sure that no matter where that soldier or their family is … the electronic health record transfers with them and they have access to that.”
However, the OIG is recommending that a schedule analysis be performed and that program risks continue to be monitored.
Regardless, one industry analyst, Nancy Fabozzi, principal analyst for connected health at the Frost & Sullivan consulting firm, told SearchHealthIT that she thinks Cerner was the EHR vendor best suited for the job.
“Cerner is seen as being more interoperable and they sort of ooze efficiency,” Fabozzi said.
Doug Fridsma, M.D., is a passionate guy.
A former chief science officer for ONC, Fridsma joined the American Medical Informatics Association (AMIA) in 2014 as president and CEO, telling SearchHealthIT in an interview at the time that he was looking forward to being back with his “tribe.” Fridsma also holds a doctorate in biomedical informatics.
Last week, Fridsma took center stage back at his old agency’s annual meeting in Washington, D.C. with an articulate plea, or perhaps even demand, for patients to be able to obtain all their health information in electronic form.
The setting was a session on consumer access to health data and the ONC’s “Interoperability Pledge.” Dozens of EHR vendors, healthcare providers, health information exchanges and other healthcare organizations have committed to the pledge as part of the agency’s campaign against information blocking.
“It is unconscionable that in 2016 most patients are unable to obtain their entire medical record unless they print it out,” Fridsma said, according to the text of his remarks provided by AMIA.
Fridsma said healthcare has lagged behind other fields in terms of consumers’ ability to get and use information. He added that while progress has been made in recent years with health information sharing technology such as patient portals and ONC’s Blue Button initiative, it is not enough.
Fridsma asserted, however, that patients now have a right to an electronic copy of their health records under HIPAA. He cited guidance from the Department of Health and Human Services’ Office for Civil Rights clarifying that most providers should be able to provide health data electronically, and must do so within 30 days of a request.
But Fridsma said these policies, which were accelerated by the HITECH Act of 2009 and the meaningful use program it spawned, have resulted in only “slivers” of information for patients.
He said patients have a right to all their health information, not just that which CMS defines in meaningful use or what ONC’s certification program deems necessary for EHRs.
“AMIA believes if the information is stored electronically, patients are entitled to their entire medical record in an electronic format, and not just a summary record or the limited data that a vendor chooses to make available via portal or API,” Fridsma said. “Patients deserve more than PDFs, and the benefits of digitizing healthcare will only be realized when patients — and providers — have fluid, portable data.”
Specifically, Fridsma called on the federal government to remove what he called a “prohibition” in the EHR certification process that restricts the use of unstructured data, such as free text notes and other unstandardized clinical documentation.
He said the provision was originally intended to prevent unstructured data overload, but is no longer needed. It has also impeded interoperability, he said.
Removing the prohibition and allowing use of the full suite of HL7’s Clinical Document Architecture (CDA) templates, aligned with the Fast Healthcare Interoperability Resources (FHIR) standard, would result in more ways to exchange health data, Fridsma said.
“The federal government has played a vital role and the final piece is to enable patients to have complete access to a ‘full extract’ of their health data,” he concluded.
Moves by federal health regulators to pressure EHR vendors to reveal more information about pricing and functionality of their software are meeting a mixed response.
ONC, at its annual meeting this week in Washington, D.C., unveiled procedures intended to make vendors comply with the agency’s 2015 Edition final rule and be more transparent about their EHRs by disclosing more information about ONC-certified software’s “costs and limitations.”
Vendors must make the disclosures and attest that they will or will not take additional voluntary actions to support transparency along the lines of the “Interoperability Pledge” to refrain from information blocking. The pledge was signed by dozens of health IT vendors and organizations over the winter.
“Under the ONC Health IT Certification Program’s enhanced transparency requirements, developers must fully disclose all known material types of costs and limitations — including technical and contractual restrictions,” according to a post on ONC’s blog by Elise Sweeney Anthony, acting director of the agency’s Office of Policy, and Steven Posnack, director of the Office of Standards and Technology.
“Developers must describe this information on their websites and in their marketing materials,” the blog continued. “These descriptions must use detailed, plain language that will allow providers and users to identify and understand the specific limitations and types of costs that may apply.”
But for at least one major EHR vendor, the new requirements amount to little more than additional bureaucracy.
“Like the meaningful use program, ONC’s latest well-intentioned effort to improve the health IT market will again have the opposite effect,” Dan Haley, general counsel for athenahealth, Inc., said in an emailed statement. “Pricing and functionality transparency is best created by a free and functioning market — not by a website packed with opaque disclosures and attestations.”
Another EHR vendor, Amazing Charts, which like athenahealth mostly sells to ambulatory providers, had a more positive view.
Amazing Charts COO and president, John Squire, told SearchHealthIT he welcomes the ONC moves, maintaining his company has long practiced pricing transparency by publishing detailed costs on its website.
“I think it’s great. I think it helps level the playing field,” Squire said. “We’re competing against people who hide those fees.”
Marc Scrimshire, a developer, interoperability advocate and entrepreneur in residence at CMS building a Blue Button Plus patient access system for beneficiaries, called the ONC actions a “step forward.”
“Anything that’s going to push forward transparency and have a number of [EHR] vendors willingly provide information is a good thing,” Scrimshire said in a telephone interview from the ONC annual meeting. “It’s something that will help users compare fact against fiction.”
However, Scrimshire noted that ONC — as a largely coordinating agency and without significant enforcement power — is just one player in the health IT world.
“We’ve got to push as a community,” he said. “The government can’t do it on its own.”
In the blog post, however, the ONC officials noted the agency reserves the authority to terminate certification of health IT systems from vendors that don’t comply with the requirements or force vendors to take corrective action.
Add the Mayo Clinic to the list of organizations that will have a major role in the Precision Medicine Initiative.
The National Institutes of Health (NIH) is slated to receive $130 million in 2016 from the Precision Medicine Initiative (PMI) for its part in building a national precision medicine cohort of a million patients. In turn, NIH will pledge $142 million to the Mayo Clinic over a five-year period, and those funds will be used to create the world’s largest research cohort biobank. The Mayo Clinic biobank will be used to capture, store and distribute the biological specimens of the PMI Cohort Program. The goal of the PMI program is to study the health and individual characteristics of the PMI Cohort volunteers and use the findings to ultimately craft more personalized treatment plans for patients.
The Mayo Clinic’s infrastructure allows it to store and analyze more than 35 million biospecimens, and the clinic will use robotics and lab automation to process and retrieve the specimens.
The data collected in the biobank will be augmented by surveys given to PMI Cohort volunteers, EHR data, medication history and real-time health tracking done through mobile devices. All of the information from the precision medicine group will be analyzed by researchers to determine genetic and environmental differences that could influence an individual patient’s health condition.
Francis S. Collins, M.D., NIH Director, explained the motivation behind the PMI: “The more we understand about individual differences, the better able we will be to tailor the prevention and treatment of illness,” he said in an NIH release.
The Mayo Clinic development follows an announcement made earlier this year that linked NIH, ONC and the Harvard Medical School Department of Biomedical Informatics together in hopes of advancing precision medicine. Those three entities jointly formed the Sync for Science pilot, a program that will take health data donated by patients and make it available to the PMI Cohort Program.