The Department of Health and Human Services published a guide of cybersecurity practices with the aim of reducing the growing risk from cyberattacks. The recommendations are just that — suggestions to be instituted voluntarily.
“Health Industry Cybersecurity Practices: Managing threats and protecting patients” stems from the Cybersecurity Act of 2015. Section 405(d) called for an alignment of security approaches across the healthcare industry.
In that vein, HHS and the 405(d) Task Group spent more than a year tapping into the expertise of 150 public and private healthcare and cybersecurity experts through the Health Sector Coordinating Council. The task group focused on current threats, weaknesses and effective cybersecurity practices.
Last week, the task group published its four-volume guide. Rather than reinvent the wheel, the guide builds off the NIST Cybersecurity Framework with the aim of helping healthcare CIOs move the cybersecurity needle. Indeed, one of the guide’s unmistakable themes is the criticality of educating everyone in an organization on how to fight against cyber threats. As Janet Vogel, HHS acting chief information officer, said in a press release announcing the news, “Cybersecurity is everyone’s responsibility.”
The guide’s first volume details five of the most widespread cybersecurity threats healthcare organizations face. It uses easy-to-understand language, for example, describing email phishing attacks as “an attempt to trick you, a colleague or someone else in the workplace into giving out information using e-mail.” The first volume also includes real-world scenarios, quick tips on how to keep the threats at bay and, in table form, the potential vulnerabilities that may exist within an organization and the corresponding cybersecurity practices to consider.
The second and third volumes are “technical volumes” broken down by organization size. One provides detail on the ten recommended cybersecurity practices for small healthcare organizations and the other for mid-sized and large healthcare organizations.
The cybersecurity practices are not listed in any order. Instead, the resource is meant to provide “flexibility for an organization to determine its unique security posture, through a risk assessment or other assessment, and to determine how to prioritize and allocate resources,” according to the guide.
The final volume is a collection of additional resources that may come in handy.
And if healthcare CIOs need it, the guide makes a compelling case as to why cybersecurity should be top of mind for anyone in the C-suite. Healthcare organizations are increasingly facing ransomware attacks, where crucial data is sometimes held hostage, and the cost of data breaches continues to rise. According to survey results from IBM Security and Ponemon Institute, the cost for a healthcare data breach rose $28 per record between 2017 and 2018 from $380 to $408.
The U.S. Department of Health and Human Services is seeking the public’s input on how Health Insurance Portability and Accountability Act (HIPAA) rules should be modified to promote better patient care.
HIPAA rules were developed to protect patient information and enable information sharing when necessary. But in recent years, the Office for Civil Rights (OCR) has fielded calls to revisit the rules, claiming they limit the very information sharing that’s needed for coordinated care and impede standing up a payment model that rewards providing quality care to patients, also known as value-based care.
The Department of Health and Human Services (HHS) is now asking what HIPAA rules make accomplishing those goals challenging.
“In addressing the opioid crisis, we’ve heard stories about how the privacy rule can get in the way of patients and families getting the help they need,” Eric Hargan, HHS deputy secretary, said in a press release. “We’ve also heard how the rule may impede other forms of care coordination that can drive value.”
While changes have occurred within the healthcare field that could warrant some changes in regulation, HIPAA tends to be “everybody’s favorite bogeyman,” said David Harlow, a Boston lawyer who specializes in healthcare law and regulations.
“The danger in rewriting the regulations anytime something changes in the technical environment in the real world is it’s going to be different by the time the regulations are finalized, so you’re perpetually playing catch up,” he said.
Harlow said HIPAA isn’t always to blame for data-sharing issues, which instead can stem from an organization’s misunderstanding of HIPAA rules. For example, nothing in HIPAA prohibits information sharing between providers or between providers and payers, which Harlow said could indicate that healthcare providers or payers that engage in value-based payment arrangements can’t get data from their partners.
To be involved in care coordination and case management, partners, which include providers and payers, have to negotiate agreements that include data sharing, according to Harlow.
“I’m scratching my head why is this an issue,” he said.
However, Harlow believes some HIPAA rules should be modified such as shortening the length of time for an insurance company or provider to deliver a patient’s protected health information (PHI) once requested, as well as adjustments to rules regarding parental involvement in children’s care.
Harlow said some regulations that have not kept up with the times may need revisiting, while other rules are written flexibly enough that they don’t need tinkering with. He said it’s up to OCR to figure out which is which.
Seeking public input for modifying HIPAA rules is part of the Regulatory Sprint to Coordinated Care initiative, which is led by HHS’ Hargan. He said in a press release that the initiative’s goal is to take a closer look at how regulations such as HIPAA can be fine-tuned to incentivize care coordination while protecting patients.
While HHS is seeking broad input on HIPAA rules, the department is also seeking comments on specific areas of the HIPAA privacy rule, such as facilitating parental involvement in patient care, accounting for patient protected health information disclosures as required by the HITECH Act, and information sharing for care coordination.
Public comments on HIPAA rule modifications are due by Feb. 11, 2019.
The U.S. Food and Drug Administration took an innovative approach to combating the national opioid crisis earlier this year. The FDA issued a challenge to medical device developers to leverage technology in the fight against opioid addiction and abuse.
In response to the FDA Innovation Challenge: Devices to Prevent and Treat Opioid Use Disorder, the federal agency received more than 250 applications from medical device developers. Last month, the FDA selected eight applicants to advance to the next phase.
Those selected will build out their ideas, which range in capabilities from predicting risk of opioid use disorder and detecting opioid overdose, to providing pain treatment alternatives and dispensing medication, according to a news release from the FDA.
The eight applicants selected are:
- Algomet Rx, Inc.: Rapid Drug Screen for monitoring
- Avanos: Product name and purpose have been withheld per company request
- Brainsway, LTD: Brainsway Deep Transcranial Magnetic Stimulation Device for opioid use disorder therapy
- CognifiSense, Inc.: Virtual Reality Neuropsychological Therapy for pain therapy
- iPill Dispenser: iPill Dispenser for medication dispensing
- Masimo Corporation: Product name withheld; purpose is overdose therapy
- Milliman: Opioid Prediction Service for diagnosis
- ThermoTek, Inc.: NanoThermTM and VascuThermTM Systems for pain therapy
iPill’s opioid dispenser
Sherie Hsieh, co-founder of iPill Dispenser, said being chosen to participate in the challenge validated her and co-founder John Hsu’s vision to revolutionize the way prescriptions are dispensed.
“We want to empower the patient experience and to empower physician engagement and also to empower our public health agencies with the data we’re able to collect,” she said.
iPill Dispenser is an opioid dispenser controlled by a mobile app. Hsu said the dispenser is a “hack-proof square box that is difficult to open.” The dispenser only allocates the prescribed amount of medication at a pre-programmed time. Unauthorized attempts to open the device trigger the release of a gel, making the opioids unusable.
“Opioids currently are prescribed in a way in which people can self-medicate,” Hsu said. “You get a bottle with a child-resistant cap and you can take one pill or the bottle… [iPill Dispenser] is opened by the iPill app. And you have to use your fingerprint and a personal, special code within the iPill app that confirms that the particular app that resides on a particular cell phone is recognized by the dispenser.”
The iPill mobile app also collects real-time data as users access the dispenser, which can be anonymously shared with public health agencies to remain HIPAA-compliant.
In an earlier interview, FDA spokesman Michael Felberbaum said that the goal of the innovation challenge was to “provide additional incentives for product developers to invest in products that can address aspects of the addiction crisis and advance the development of promising technologies.”
Indeed, iPill’s Hsu said he hopes to work collaboratively with the FDA to receive financial support to complete product development, as well as regulatory support to move the iPill Dispenser into the market as quickly as possible.
“The innovation challenge is important because there are many reasons for people to have pain and there are many solutions,” Hsu said. “For the FDA to help us through this period allows us to move forward with a solution that can really help the population.”
The next steps start with a collaborative phase that focuses on creating a product profile for the selected medical devices. Product profiles will take into account risks and benefits, as well as patient needs, according to a press release. Potential regulations the device will have to adhere to will also be discussed.
In most cases, challenge participants will submit formal applications to the FDA, such as the Premarket Approval application. While the application review times will be expedited, the devices will need to adhere to the regulatory standard of demonstrating a reasonable assurance of effectiveness and safety, the release said.
It’s almost too easy to dismiss the idea of blockchain in healthcare. The first major application of blockchain, Bitcoin, does feel kind of sketchy (all the currency that went “missing”), and the idea that patients will own their health records as long as they can hang on to long numeric keys seems ridiculous when most of us can’t even remember passwords we create.
At the American Medical Informatics Association meeting in San Francisco, blockchain in healthcare came up often during presentations. But even among a group of people looking for forward thinking ideas there was a tremendous amount of skepticism.
Amidst the doubters, Roger Boodoo, MD, a radiologist with the Defense Health Agency and an enthusiastic participant in a number of the blockchain financial exchanges, offered a vision that could improve patient engagement and ultimately all of healthcare.
For Boodoo, it comes down to the fact that blockchain is a way to create “programmable money” and that money can be used to incentivize patients to get health screens, cavities filled or even participate in medical research. “Only 4% of the people eligible for lung cancer screening actually get screened,” he explained. “We could offer incentives like tokens at the point of care and that would not violate anyone’s privacy.”
That’s just the beginning, in Boodoo’s view. “Dentacoin” could reward patients for getting cavities filled and for paying attention to dental health. Participants in clinical trials could be paid in a blockchain currency, and if the drug makes it to the market, the payment could represent a small percentage of the pharmaceutical maker’s profits.
Blockchain incentives could also help solve problems that simply require a lot of people to participate, Boodoo said, like the large numbers needed to train an AI to ensure it’s a reliable reader of X-rays or MRIs. And it’s an obvious choice as a foolproof way to track organ donations.
While he acknowledged the hurdles, Boodoo challenged the audience to at least consider blockchain going forward. “Define a business problem that is not currently solved and identify a network of participants,” he said. “There are many failed abstracts but we are making progress thanks to education. Just brainstorm some use cases and lead the way.”
By October 18, Hurricane Michael, the strongest U.S. storm in terms of maximum sustained wind speed since Hurricane Andrew in 1992, left 35 people dead and displaced over 300,000 people in Florida, Georgia and Alabama. In preparation for the storm, the Strategic Health Information Exchange Collaborative (SHIEC) connected HIEs throughout the Southeast to make sure providers in surrounding states had access to patient records, taking into consideration the needs of evacuees who were injured from the disaster or needed to be transferred from their home-based healthcare facilities.
“This hurricane in particular came very quickly after Florence. There just was not as much time to prepare for this one as there was for Florence,” said Kelly Thompson, CEO of SHIEC. “So in terms of the arrangement between the states and things that we have done, we have been very focused on disaster preparedness, the planning, and the response.”
The Georgia Regional Academic Community Health Information Exchange (GRAChIE) and Alabama’s state HIE, One Health Record, collaborated closely to build up connectivity between providers in and beyond these two states within 24 hours after SHIEC set them up for connection in response to Michael. The HIEs’ effort to establish a provider network relies on leveraging existing data centers and ensuring providers have access to patient records.
“We actually don’t follow a different set of protocol for moving data around than we do for our day-to-day business operations. It’s the same kind of connectivity. What we’re doing now is broadcasting a much wider net,” said Tara Cramer, executive director of GRAChIE. “We set up emergent connections so that as people relocate for a period of time, we’re hopefully able to capture some of their data (to provide care when) they arrive in an emergency room or an urgent care center or need a medication refilled, anything like that.”
The connections extend into Alabama, North Carolina, South Carolina and Florida. And it’s not just the record itself that providers can access, update and resubmit, but also a Continuity of Care Document, an HL7-standardized document containing various types of summaries of information on each patient.
Basically, what HIEs do is register patients with some demographic information and link those patients to their records and documents through a registry in the form of an index. For ease of use and for quick response and recovery, HIEs first query the index to find the patient the provider is looking for, and then retrieve the related documents so providers can see what patient information has been stored in the HIE database.
“Alabama has a hybrid model, which means that we have a centralized repository that can be leveraged for the storage of data,” said Gary Parker, the director of Health Information Technology for One Health Record. “In cases between GRAChIE and One Health Record, because of that hybrid model, we can allow queries to pass through bidirectional from GRAChIE to One Health Record through the EHR systems or through our portal (if they do not have an EHR), that are connected on either side.”
But there are also challenges in implementing the existing connectivity framework. Giving providers access to patient records and building connections among HIEs in surrounding states is not the main concern for HIEs, thanks to their disaster-response experience and the protocols they practice day to day; the difficulty is sometimes the buy-in they need from facilities and providers to contribute patient information to the exchange.
Out of concern for patients’ privacy, providers tend to be cautious about how patient information is shared, even though they understand the benefit of HIEs for disaster response and recovery. “It’s the education as well and outreach that we’re going to do a better job of promoting going forward,” said Parker.
Based on the previous experience of dealing with hurricanes, HIEs such as GRAChIE see the important role that HIEs are playing in natural disaster preparation, response and recovery, and are opting to be involved in a wider network to help providers deliver better care.
“Let’s not wait for these things to be coming before we start talking to our neighbor HIEs about how we’re going communicate during the times of the disaster. Let’s get the plans in place now,” said Cramer. “We will likely maintain all of these connections. We may not keep them active all the time. But instead of having to build them when we need them, we can just turn them off and on as needed.”
And it’s not just in hurricanes that HIEs can ensure access to patient records, but also in tornadoes, fires or anything of that nature where patients are moving to other locations. For better outcomes, HIEs should partner with state officials, whether it’s an agency at the Department of Health and Human Services, EMS, the Federal Emergency Management Agency, the American Red Cross or anyone else involved in planning and response efforts.
“We just feel so strongly that accessing their medical information should not be one of those stressors. We can do better than that,” said Cramer.
During an interview on the PBS News Hour, CVS CEO Larry Merlo drew an interesting distinction when speaking about the future of healthcare. Fresh from the merger with Aetna, Merlo said people directly in the care of a physician or in a hospital setting were “patients” while everyone else is simply a healthcare consumer.
That’s an interesting perspective, particularly coming from the CEO of an enormous chain of pharmacies that has increasingly moved to attract not just consumers but patients to its Minute Clinics. And it makes me wonder why it matters to spell out the difference.
At the end of the day we’re all patients, and we’re all consumers, right? But perhaps the emphasis on consumers underscores the changing expectations we all have when it comes to healthcare. Consumer technology has made us powerful in every single part of our lives, except for healthcare. Consumers, by their very definition, have status and ownership and the ability to vote with their feet by choosing where and how to spend. Patients, on the other hand, can be (and often are) powerless – no choices, no votes, and certainly no ownership.
Can your local CVS change all that, particularly now that it’s tied directly into an enormous insurance network? Will the vast reams of (hopefully anonymous) data suddenly available to CVS/Aetna effect true change for a healthcare consumer?
FitBit, and a number of other companies, are working on wellness coaching programs that include wearables data, family/friend input and perhaps eventually patient records. But in a data-driven community pharmacy, the tech who rings up the prescription knows the healthcare consumer not only has high blood pressure but missed a recent checkup, hasn’t acted on a referral to a cardiologist and has let a company-reimbursed gym membership lapse.
Setting privacy concerns aside for a moment, a simple intervention during a transaction at the local pharmacy could help put this healthcare consumer back on the right track – all without ever going in to “patient” mode. And maybe that is the true message Merlo was sending: in today’s ponderous and slow to change healthcare world, it’s better to be a consumer than a patient. Time will tell if he’s right.
*In the interest of full disclosure, CVS is the pharmacy I use.
The cardiologist walked into the hospital room and handed me an envelope. “My notes and his test results are in there,” he said. “Don’t lose that – it’s gold.”
Gold? Sure. But that envelope was also a textbook example of why the broken medical records system has left interoperability in healthcare elusive.
Last month, my husband – a long-term kidney cancer patient – had a heart attack. He ended up in our local community hospital, where kind staff did their best. But he’s complicated and then some – on a clinical trial for metastatic renal cell disease, diabetic, and on and on.
In a world with interoperability, access to the medical records system and his data should have required no more than his consent and a few clicks of the mouse. In a world without interoperability, well, it became complicated quickly.
No one had heard of his medication (which has potential heart side effects) and they relied on both of us to outline his issues, his treatments and his many scripts. Then it was up to me to call his oncologist, get recent EKGs and records faxed from that particular medical records system, and to grease the wheels in case actual phone conversations needed to happen. And even though his primary care is located in the same town as the hospital and in the same network (meaning they should be on the same medical records system), I had to reach out to her for results of a recent nuclear stress test. In the end it took four calls back and forth to the oncologist and two to the primary to get the eventual flood of faxed paperwork to arrive.
When he was discharged, that envelope was handed to us and eventually presented to the big city cardiologist, who said he took the time to read it and literally enter the information into his medical records system (which made him late for our appointment). He took copious notes on his computer though, and sent us to the major hospital across the street for a heart catheterization test.
While I’d like to say that was a paper-free (and seamless) process, it wasn’t. The sheet with his list of medications wasn’t up to date, even though they’d been revised across the street 24 hours previously. Nursing staff used a computer next to his bed to tie into their medical records system, but a binder, and the ubiquitous clipboard, were probably more in use. One loose piece of paper in particular caught my eye – it had a detailed drawing of a heart and was apparently meant for the cardiologist’s reference. We both laughed about that, but if I’m honest, it was nervous laughter. If you need a line drawing of the heart, should it really be on paper?
Heart-wise, he’s going to be ok. But I’m a lot less optimistic than I was previously that true healthcare interoperability across every medical records system will be achieved any time soon.
Given the statistics from Centers for Disease Control and Prevention that 11.5 million people misused prescription opioids, contributing to 40% of all U.S. opioid overdose deaths in 2016, it seems that prescription drug monitoring programs (PDMPs) fit perfectly with efforts to improve safe prescribing practices for patients. But PDMPs don’t always work as intended, according to a report from JAMA Surgery, a monthly professional medical journal.
PDMPs are state-run databases built to identify high-risk patients and prevent opioid overprescriptions from different healthcare facilities, often by integrating electronic medical records with other data sources, such as pharmacy records. Currently, 49 states in the U.S. use PDMPs, with 28 states mandating PDMP enrollment in 2016, according to the Prescription Drug Monitoring Program Training and Technical Assistance Center (TTAC) at Brandeis University.
The JAMA Surgery research looked at a 2017 New Hampshire state law that mandated all healthcare professionals conduct a PDMP query and complete a risk assessment for patients receiving outpatient opioid prescriptions for acute pain. According to the journal, early data indicated that the mandatory program succeeded in decreasing “doctor shopping” and opioid-related deaths for outpatients with chronic pain.
But there was no significant change in opioid prescription rates among 1,057 patients who underwent surgery before and after the program was mandated in a moderately-sized academic hospital, nor a drop in the mean number of pills prescribed for patients undergoing general surgery. Doctors who have been involved in the program complained that filing the PDMP queries and completing required assessments cost them additional time; only 22% of surgeons supported the idea that PDMP should be mandatory.
But it could be that the grassroots efforts at hundreds of hospitals around the country might be just as successful, if not more so. Take Children’s Hospital Los Angeles, which has been using healthcare APIs to boost interoperability since 2014. The hospital’s IT team is making headway, but they would agree the struggle is real.
Like hospitals everywhere, CHLA has a mix of legacy systems, apps in the cloud and a lot of other systems that are somewhere in between. For Aaron Fry, the manager of enterprise applications, the goal is clear: free the data and get it flowing to everyone. Similar to other nascent efforts around the country, CHLA has chosen one of the widely accepted healthcare APIs, FHIR, to bring interoperability into the hospital systems, and will use Cerner’s version of FHIR when it comes time to look at integrating patient data or clinical information.
CHLA is no stranger to the challenges of healthcare APIs and integration. Its portal site was built using APIs to tie physicians into the Cerner back end, and it’s been online since 2014. The hospital has continued to add functionality, including most recently an API from DocuSign to provide signing capabilities.
Now, though, CHLA is putting energy into developing an API layer that will create a bridge between the older systems and new internally and externally facing applications. The hospital’s challenge is nearly universal: how to use healthcare APIs to create an organic layer that brings legacy and mobile together, and to do it quickly, securely and in a HIPAA-compliant way.
Flexibility has been key. Some internal systems do have a REST API on board (so it’s much easier), while others have required proprietary scripting languages for data extraction (making things much harder). Control of information access is also an issue. Some data needs to be accessible only on the premises, while other data is safe to view anywhere.
Not surprisingly, Fry said the biggest challenges have been around the legacy systems. His strategy has been to break down the problem into small parts, and he has 3 to 4 of his team of 15 moving forward on an employee-facing ERP app. Using the Agile software development methodology, Fry and team will show this app to the stakeholder, in this case the MarCom department, and if it’s a go, this process could be the model CHLA uses moving forward.
Will sweeping change come from the slow but steady steps at hospitals like CHLA, or through big company, industry-driven efforts? We’re going to have to wait and see.
Imagine a surgeon holding a replica of a patient’s organ in hand while illustrating specific pathologies to the patient before a scheduled operation. Thanks to 3D printing technology, a true-to-life anatomical model promises better communication between doctors and patients, and much more.
Since the 1980s, 3D printing has developed rapidly and been applied to various fields. Now it’s making the rounds in the healthcare industry, where it could bring transformative changes: 3D printed replicas can help with pre-surgical preparation and surgical training by providing accurate, accessible and cost-effective alternatives to cadavers.
“[3D printing is] creating opportunities for patients who were previously considered inoperable, because surgeons can get more comfortable with the procedure [through preparation and training],” said Mike Gaisford, director of marketing for healthcare solutions at Stratasys, an industrial 3D printer manufacturer.
Two main 3D printing technologies make it possible for Stratasys to create a lifelike model of an organ with a particular disease, like a kidney with a tumor in it. The technologies can also duplicate muscles and tissues, simulating their original color and texture.
One is PolyJet, which produces full-color, multi-material, pre-surgery models in anatomically correct detail, derived directly from unique patient CT scans. With microscopic layer resolution and accuracy down to 0.1 mm, it can produce thin walls and complex geometries within organs using various technologies. Another Stratasys technology can replicate human anatomy with a wide range of clinical scenarios and pathologies. Those models can effectively replace costly cadavers.
Using a replica with realistic texture, color and faithful reflection of the complexity of the original organ, surgeons can plan out operations or show the models to patients and families. It’s more visual than just looking at 2D CT or MRI scans and trying to “do some mental gymnastics” to come up with a 3D concept for guidance, said Gaisford.
Also, in contrast to cadavers, 3D printed models are more portable, which enables surgeons to practice on an anatomical piece anywhere they like, such as in a meeting room or an office. The shorter time needed to create a model makes 3D printing a potentially good choice when dealing with an emergency, compared to buying cadavers or animals for preoperative use. But for now, 3D printing technology benefits mostly complex surgical cases, such as an unusual brain aneurysm with a complicated presentation or uncertainty, rather than routine ones. And in general, top-tier academic medical centers are the likely customers for this technology for pre-surgical planning and training.
“[3D printing] is changing the way providers do their work,” said Gaisford.