Tag Archives: EHR

How Technology Prevents HIPAA Violations

HIPAA violations are growing in number and cost, and have affected medical facilities of all sizes.

While training and vigilance on the part of administrators and staff are vital components of HIPAA compliance, the right technology can turn an open book into a bank vault. From medical-grade all-in-one computers to software to online tools, here are some of the best ways technology is making ePHI (electronic protected health information) more secure.

HIPAA violations and costly fines don’t have to be an inevitability.

How Bad is It?

HIPAA violations and fines are practically raining from the sky. 2018 saw significant data breaches, some that affected millions of patients.

In January of 2018, it was revealed that the records of roughly 30,000 Florida Medicaid patients had been exposed after a single agency employee fell for a phishing email and handed over credentials.

Also in January, a medical group in New York had a record breach that had nothing to do with malicious intent. A misconfigured database, listening on a port reachable from the internet with nothing in front of it, exposed the records of 42,000 people to anyone who stumbled across it. Social Security numbers, patient notes, and even the names of family members were all up for grabs.
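The misconfiguration behind that New York breach, a database bound to every network interface instead of the loopback address, is easy to check for on the host itself. The script below is an added example for this page, not something from the breach report or from Cybernet: it parses the kind of output Linux `ss -tlnp` produces (the sample is constructed, not a real capture) and flags listeners on well-known database ports that are bound to a wildcard address. The port-to-engine table is an assumption and should be extended to whatever the facility actually runs.

```python
"""Flag database listeners bound to every interface, from `ss -tlnp`-style output."""
import re

# Default TCP ports of common database engines (assumption: extend to taste).
DB_PORTS = {
    3306: "MySQL/MariaDB",
    5432: "PostgreSQL",
    27017: "MongoDB",
    6379: "Redis",
    9200: "Elasticsearch",
    1433: "MSSQL",
    1521: "Oracle",
}

# Addresses that mean "listen on every interface"; loopback-only is fine.
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample output modelled on `ss -tlnp` on Linux; not a real capture.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=812,fd=6))
LISTEN  0       128     0.0.0.0:27017        0.0.0.0:*          users:(("mongod",pid=901,fd=11))
LISTEN  0       511     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=1200,fd=7))
LISTEN  0       128     [::]:9200            [::]:*             users:(("java",pid=1450,fd=220))
LISTEN  0       128     [::1]:6379           [::]:*             users:(("redis-server",pid=770,fd=6))
"""

# State, Recv-Q, Send-Q, local address:port, peer address:port, optional process info.
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s*(?P<proc>.*)$")


def split_addr_port(local):
    """Split '127.0.0.1:5432', '[::]:9200' or '*:80' into (address, port)."""
    addr, _, port = local.rpartition(":")
    return addr, int(port)


def find_exposed_db_listeners(ss_output):
    """Return (address, port, service, process) for DB ports bound to a wildcard address."""
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header row or a non-LISTEN socket
        addr, port = split_addr_port(m.group("local"))
        if port in DB_PORTS and addr in WILDCARDS:
            findings.append((addr, port, DB_PORTS[port], m.group("proc").strip()))
    return findings


if __name__ == "__main__":
    for addr, port, svc, proc in find_exposed_db_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED: {svc} on {addr}:{port}  {proc}")
```

Against the sample, the PostgreSQL and Redis instances bound to loopback pass, nginx on 443 is ignored because it is not a database, and MongoDB on 0.0.0.0:27017 plus Elasticsearch on [::]:9200 are reported. A listener that must be reachable from other hosts should be bound to a specific internal interface, firewalled, and required to authenticate; this check only tells you where to look.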

In April, the Center of Orthopaedic Specialists in California was hit by ransomware that may have exposed 85,000 patient records. In September, three hospitals agreed to a combined settlement of roughly $1 million for potentially compromising patient privacy while they were filming a documentary for ABC.

And, of course, Anthem paid a record-breaking $16 million settlement for a breach that affected 79 million patients. The penalty covered not only the breach itself but also the failure to implement adequate access controls, to conduct an enterprise-wide risk analysis before the breach, and to regularly review system activity for red flags.
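"Regularly reviewing system activity" is the part of the Anthem finding that is most often left undone, because EHR audit logs are large and nobody owns them. The script below is an added example written for this page, not Anthem's tooling or Cybernet's: it runs two simple reviews over a constructed ePHI access log (the format, the user names and the patient IDs are all invented) and reports users who opened far more distinct patient records in a day than a clinical role would need, plus every record view outside business hours. The threshold and the hours are assumptions to be tuned per role.

```python
"""Review an ePHI access log for bulk record access and after-hours activity."""
from collections import defaultdict
from datetime import datetime

# Constructed audit-log sample (not from any real EHR); one line per record view.
# Assumed format: ISO timestamp, user, action, patient id.
SAMPLE_LOG = """\
2018-09-04T09:12:01 nurse.kim  VIEW P10001
2018-09-04T09:14:37 nurse.kim  VIEW P10002
2018-09-04T09:20:05 dr.patel   VIEW P10002
2018-09-04T10:02:44 nurse.kim  VIEW P10003
2018-09-04T23:41:10 billing.t  VIEW P10001
2018-09-04T23:41:12 billing.t  VIEW P10004
2018-09-04T23:41:13 billing.t  VIEW P10005
2018-09-04T23:41:15 billing.t  VIEW P10006
2018-09-04T23:41:16 billing.t  VIEW P10007
2018-09-04T23:41:18 billing.t  VIEW P10008
2018-09-04T23:41:19 billing.t  VIEW P10009
"""

BULK_THRESHOLD = 5            # distinct patients per user per day (assumed baseline)
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 local time (assumption)


def parse_log(text):
    """Parse log lines into (timestamp, user, action, patient) tuples, skipping junk."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, patient = parts
        events.append((datetime.fromisoformat(ts), user, action, patient))
    return events


def bulk_access(events, threshold=BULK_THRESHOLD):
    """Map user -> max distinct patients viewed in one day, for users over the threshold."""
    per_user_day = defaultdict(set)
    for ts, user, _, patient in events:
        per_user_day[(user, ts.date())].add(patient)
    flagged = {}
    for (user, _), patients in per_user_day.items():
        if len(patients) > threshold:
            flagged[user] = max(flagged.get(user, 0), len(patients))
    return flagged


def after_hours(events, hours=BUSINESS_HOURS):
    """Return (user, patient, timestamp) for every view outside business hours."""
    return [(user, patient, ts) for ts, user, _, patient in events if ts.hour not in hours]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, count in bulk_access(events).items():
        print(f"BULK ACCESS: {user} viewed {count} distinct patients in one day")
    for user, patient, ts in after_hours(events):
        print(f"AFTER HOURS: {user} viewed {patient} at {ts:%Y-%m-%d %H:%M:%S}")
```

On the sample, the nurse and physician look normal while the billing account opens seven records in nine seconds at 23:41, which is exactly the pattern a stolen credential or a scripted export produces. Real deployments should compare each user against their own role's baseline rather than a fixed number, and should run this on a schedule so the review actually happens.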

Almost all of these breaches could have been prevented or mitigated by better technology, more robust security software, and improved employee education.

Online Training Programs Can Educate Staff Members

Hacking is a multi-headed hydra that is more than just ransomware and worms. "Social engineering" covers the methods attackers use to manipulate ordinary people in an organization into handing over access to secure systems, whether that means credentials, a badge swipe, or a click on the wrong attachment.

Social engineering tactics vary wildly, from dressing like an electrician to get into a sensitive area, to calling an employee and pretending to be an IT tech who needs their password, to a phishing email that only works if the victim clicks, opens, downloads, or installs something they shouldn't.

Consider enrolling staff members into an online HIPAA compliance course, or a general data security training program. If you’re afraid of employees falling asleep during a dry infosec video, try SecurED, a data security training course that was actually written in part by Hollywood comedy writers.

And if you want the real skinny from an expert, world-famous hacker Kevin Mitnick actually created his own security awareness training to help illuminate the best techniques for avoiding malicious software and social engineering.

Install Security Software on All Devices

Cloud storage attached to medical all-in-one computers, medical tablets, and personal devices must be encrypted. Any messages, data, or images that back up to a cloud service are just as exposed as messages sent from one user to another, and a compromised cloud account hands an attacker every file in it.

Dropbox, OneDrive, and Google Drive encrypt data in transit and at rest, but the provider holds the keys, so anyone with the account credentials or a misconfigured sharing link sees the files in the clear. That is a weak point in any system. The solution isn't to stop using cloud services, since backing up data has never been more important, but to encrypt files under keys you control before they enter the cloud storage folder, for example with a client-side encryption tool like Sookasa.

It also may be wise to consider HIPAA compliance tracking software like HIPAATrek. This software, and other brands like it, create a one-stop-shop for all current HIPAA regulations, training, assessments, risk analysis surveys, checklists, and a whole host of compliance tools to keep any medical facility in the green and out of the fast-growing list of HIPAA horror stories.

Secure Accounts with Two-Factor Authentication

A single username and password for staff members isn't sufficient for sensitive accounts. Passwords can be guessed, cracked, or phished fairly easily, especially if employees aren't maintaining proper password hygiene.

Two-factor authentication is recommended by virtually every security professional at this point, and failing to deploy it can have dire consequences for any organization subject to HIPAA.

Smart cards, custom RFID tags, and biometric scanners can provide the "something you have" or "something you are" factor, while a PIN or password supplies the "something you know" factor alongside it. Medical all-in-one computers or medical tablets with built-in RFID and biometric readers are well suited to this because the reader is part of the device rather than a USB scanner plugged into an off-the-shelf office computer.

Plus, USB readers are portable and have a tendency to get lost, disappear, or be quietly swapped out. Misplacing an integrated medical panel PC is slightly more difficult.

Only Use Messaging Software Covered by a Business Associate Agreement

Texting and easy picture-sharing have completely changed the way our society communicates, even in the workplace.

However, HIPAA's security standards mean that doctors and nurses can't be as free as the general populace. While texting a coworker a question might seem innocuous, it can lead to breached confidentiality and a hefty fine if the message contains patient details. Ditto for sending pictures: getting a second opinion from another nurse about a suppurating wound isn't a bad idea in theory, but a photo sent over an ordinary messaging app may well be a HIPAA violation.

For workplace communication, make sure work devices run encrypted messaging software from a vendor that has signed a business associate agreement. If your practice allows BYOD, make sure those devices meet the same encryption and management requirements. Or consider abandoning BYOD altogether; personal devices that the organization cannot patch, wipe, or audit add a large and poorly controlled attack surface.

Note that there is no official HIPAA certification for software. A business associate agreement (BAA) is a contract in which the vendor accepts responsibility for safeguarding the PHI it handles on your behalf; a vendor that will not sign one should not be handling PHI at all.

There are quite a few messaging apps built for HIPAA-regulated use, like TigerConnect and OhMD, that can make a major difference in cybersecurity. Many of these apps, or similar email encryption products (like Barracuda or Virtru), can also be installed on medical tablets and medical all-in-one computers, creating an easy, encrypted communication system for any facility.

Don’t Forget the Real World

Consider those hospitals fined for filming a documentary: not all patient confidentiality breaches come from computer hackers.

Even something as simple as the placement of a computer screen or patient monitor can have HIPAA implications. Medical all-in-one computers with built-in privacy screens can reduce the angle where a monitor is readable, while a computer on wheels can be rotated away from prying eyes.

Cameras and video recording are obviously off-limits, but sometimes staff can be tempted by the social media machine in their pocket. A perfectly harmless photo from the wrong angle can unknowingly capture sensitive information on a chart, or the face of a patient in the background.

Of course, a malicious low-tech data thief could also snap a quick picture of sensitive information while a doctor’s back is turned.

Technology can help, of course, but common sense is even more important. Keep an eye on your surroundings, especially when viewing ePHI, to maintain maximum data security.

Employ and Document Digital Security Methods Today

A three-pronged approach of education, technology, and vigilance should hopefully keep any doctor’s office, hospital, or clinic away from major HIPAA violations. Even should a lax staff member cause a breach, a thorough and documented history of implementing all of these techniques should also lower the culpability and any potential fines for the organization.

Contact Cybernet today to learn more about medical all-in-one computers and medical tablets with built-in two-factor authentication, Imprivata single-sign-on compatibility, and built-in privacy screens.


EHR and Its Evolution into CHR: A Critical Look at Cutting-Edge Technology in Healthcare

Epic CEO Judy Faulkner recently expressed her view that Electronic Health Records are evolving into Comprehensive Health Records, a term that covers more than the narrow window of an individual's health sampled at doctor visits. CHR may become the new EHR, incorporating data and analysis drawn from a patient's clinic or hospital visits and from their time outside a medical facility too. Venturing into a technology frontier that implies near-constant evaluation of a person's well-being may sound like the answer physicians have been looking for, but anyone who is ever a patient (all of us) could come under the scrutiny of tracking technology that is always on and always recording. Yes, the benefit is that physicians can understand the entire gamut of a patient's health by seeing comprehensive snapshots of activity from day to day, but do the costs outweigh the benefits? Are we already in the path of the "Big Data" steamroller? Let's take a critical look.

Are We Already Headed Down this Path?

Many individuals are already familiar with in-home tracking devices and food intake monitoring, so the "at home" concept of tracking health isn't new. Wearable fitness trackers coupled with diet and exercise apps are near ubiquitous today. There are also medical-grade devices such as blood glucose meters and blood pressure monitors that measure vitals outside the doctor's office and clinic. But now that CHR is becoming a reality for EHR corporations, there are implications to consider about how this data would be collected into a central repository. If CHR is to incorporate data from consumer-grade devices into an EMR system, how will that transfer occur? Would EHR software developers have to build integrations for the hundreds of fitness apps and wearables on the consumer market? Would we need to entrust app developers and wearable manufacturers with the responsibility of building those integrations? We could see EHR software developers create their own consumer apps and wearables, but that raises even more questions. Would software developers even want to enter the arena of app development and medical device manufacturing? And if they did, how do you get a patient to willingly use something they may not want to?

CHR and Big Data: How Accurate is the Information?

A patient may be under a doctor's scrutiny for monitoring their food intake for diabetes, and it's common for individuals to "cheat" on their diet: someone may once have logged a dinner of chicken and vegetables when they actually indulged in a large burger and fries. That second iced mocha of the day might get "forgotten" when it comes time to update the food log. The same propensity to "cheat" when recording time spent lifting weights or doing yoga can creep in if we entrust patients to log their own activity. So manually entered data needs to be examined and weighted accordingly if it is to be wrapped into CHR. Then there's the question of the accuracy of wearable devices, many of which aren't as accurate as the devices used in hospitals, clinics and doctors' offices. How accurate is a pedometer? How accurate is a sleep tracker you can buy off the shelf? Can that be incorporated into a medical health profile? And even if the comprehensive data is used only for health analysis, can that be considered an invasion of privacy?

Is the CHR Data Secure Enough?

With potentially thousands of different devices tracking different variables such as food intake, steps taken, heart rate, and other measurable factors, there's a concern about how all that data would be transferred to EMR systems. Since hospitals began allowing BYOD among their staff, securing those devices has become a massive point of concern. Medical-grade computers are specifically designed with a number of privacy safeguards built in to protect patient data. Now imagine the security risks if data is flowing in from millions of unmanaged consumer devices. We've discussed at length in the past that patient medical records are even more valuable on the black market than an individual's financial data. Now you have to consider millions of new entry points for attackers to try and exploit. So how would a transfer happen? Wireless transfer? Patient web portals? If CHR is to incorporate an unknown breadth of data, will HIPAA rules need to be rewritten to account for vulnerabilities that can't be controlled by a healthcare facility or a doctor's office?

CHR Data and the Implications of Insurance

Insurance companies evaluate a patient's medical history to gauge what their premiums should be. It's a given that if someone smokes, healthcare is more expensive for them. If we enter a new era of healthcare data, can insurance companies use more comprehensive methods of evaluating someone's health? If a patient claims that they run three times a week, and yet their pedometer shows no activity beyond walking, will that reflect on their bill? How far does the willingness to track aspects of someone's life go? CHR is poised to track not only how we treat ourselves, but our social lives too. Will all these medical and social effects on our well-being be reflected in insurance premiums? While the intent of CHR would be to compile the most comprehensive view of an individual's health, the information could very easily be used by insurers to create more "high risk" pools, and could even price some people out of the market completely.

These are just a handful of questions to ask as the concept of CHR starts to reach EMR companies. They're evolving, perhaps for the better of our lives and health, but there are strong implications for privacy, accuracy, security, and unfortunately for wallets too. For now, EMR systems have not yet seen that evolution, and quite frankly they shouldn't until these questions are answered. We'd love to hear your thoughts as well. Please comment below and let us know what you think about CHR.



Prevent Physician Burnout with Health IT That Lifts The Burden

EHR can help providers. A lot has been said about how exactly EHR can help everyone in healthcare. However, when providers implement EHR, physician productivity and patient satisfaction often drop at first. The factor usually unaccounted for is how the new technology blends with its end users, and the time it takes for the new technology to prove its ROI. We are several years into implementing EHR systems across the country, but survey after survey continues to ring the alarm on physician burnout, which is at an all-time high. EHR and increased computerization are among the top three causes of burnout, as reported by physicians themselves.

HIT Paradox

A study funded by the American Medical Association (AMA) shows how physicians are overloaded with bureaucratic and clerical work that is not directly related to patient care:

"For every hour physicians provide direct clinical face time to patients, nearly 2 additional hours is spent on EHR. Outside office hours, physicians spend another 1 to 2 hours of personal time each night doing additional computer and other clerical work," according to Annals of Internal Medicine. "During the office day, physicians spent 27% of their total time on direct clinical face time with patients and 49.2% of their time on (electronic health records) and desk work."

According to the 2016 Medscape Lifestyle Report, burnout among US physicians "has reached a critical level." The severity of burnout was measured on a scale of 1 (lowest) to 7 (severe). Most specialties rated the severity of their burnout between 3.85 and 4.74.

The top three causes of burnout (again, on a scale of 1 to 7) are:

  • Too many bureaucratic tasks – 4.84
  • Spending too many hours at work – 4.14
  • Increasing computerization – 4.02

A Mayo Clinic NEJM Catalyst Insights Council survey polled clinical leaders and executives on the same issue. 96% of respondents agreed that physician burnout is a serious or moderate problem, and one that remains largely unaddressed inside their organizations. As the top reasons to address the problem, respondents cited decreased quality of care (63%), the effect on the attitude of the rest of the team (38%), and physician suicide (8%).

Here, again, the top causes of physician burnout are:

  • Increased clerical burden due to the use of EHR – 62%
  • Increased productivity requirements/expectation – 51%

Ironically, EHR is the reason the productivity expectations increased. The use of EHR is reported to disrupt established workflows, forcing physicians to carry their workload into off-hours, or "pajama time."

Why You Should Care

  • Burnout causes errors and poses a direct threat to the lives and well-being of both physicians and patients. Most likely, the surveys do not reflect the full picture because they are based on volunteer respondents' answers. What about those who refused to participate? They are likely to avoid the subject of burnout because a) it can raise questions about their ability to deliver at their workplace, and b) they fear being stigmatized, as any mental health issue tends to lead to stigma.
  • Staff engagement in any new strategy a provider deploys to cut costs or ensure compliance is fruitless without the physicians' buy-in.
  • Physician burnout shows up as loss of enthusiasm for work, emotional exhaustion, depersonalization, a sense of low personal accomplishment, cynicism, and decreased compassion and involvement with patients and staff.
  • The domino effect of physician burnout can and does have a devastating effect on healthcare. According to the US Bureau of Labor Statistics' real sector growth figures, healthcare productivity declines 0.6% every year.
  • Physicians with a high level of burnout choose part-time practice, early retirement, or leaving for other industries (pharma, insurance) as a way out. With a medical staff shortage on the one hand and a growing population on the other, providers cannot afford to lose clinical talent.

Technology IS The Solution When Done Right

HIMSS17 featured a number of sessions with success stories of providers using innovative solutions to address physician burnout and increase productivity.

"Perfecting the Mobile Solution" showed how Palmetto Health-USC addressed physician burnout (due to the clerical/EHR documentation overload) by adopting a mobile solution. Relying on a Windows 10 medical tablet with a digitizer stylus, the provider was able not only to improve physician productivity but also to alleviate physician burnout.

Benefits of a medical tablet, as reported by Palmetto executives:

  • Improved patient-doctor communication, eye to eye contact
  • Doctors review charts before going into the room → more dedicated visit and saved 2-3 minutes per visit
  • Faster note completion and triage, ability to take history from patient in the hallway effortlessly
  • Ability to document anywhere
  • Improved workday and productivity
  • Decreased patient wait times
  • Small technology footprint
  • No negative impact on workflow
  • Reduced login times, improved security
  • Reduced eye fatigue from looking at the tablet
  • Improved efficiency with dual screen mode
  • Easy to move with or without cart
  • Easy to share and clean the device

Benefits of a medical tablet, as reported by physicians:

  • Provider satisfaction – 71%
  • Device easy to use 83%
  • Reduced time spent after work documenting 64%
  • Faster documentation 46%
  • Improved access to health records 54%
  • Improved security of patient records with reduced need to print, secure network, fingerprint access
  • Improved patient communication and education at bedside 54%
  • Improved workflow and reduced login times 64%
  • Reduced transcription costs
  • Fewer desktops needed

The factors that contributed to the successful implementation of the mobile solution at Palmetto:

  • Larger screen, digitizer stylus, support for full-size mouse and keyboard
  • Extended battery life
  • Corporate shared device (not BYOD)
  • Dragon dictation support
  • EHR-ready
  • Ability to manage/support the devices on-site
  • User-friendly interface with manageable learning curve (Win 10)
  • Support for high-quality medical imaging and X-ray image printing
  • Fast and secure logins with biometric reader/RFID SSO/Smart Card or CAC

A similar experience was reported at the HIMSS17 "Mobile Innovation and Telehealth in Emergency Care" session, which presented the outcomes of the Emergency Telehealth and Navigation program (ETHAN). The medical tablets running ETHAN, used by Houston Fire Department ambulance teams, help reduce the overload on those teams, returning a unit to service about 44 minutes sooner per low-acuity call than the 83 minutes a regular team spends, and reduce the flow of low-acuity patients to overcrowded ERs.

If the team assesses a patient as low acuity, they initiate a video conference with a remote physician, who makes an assessment and offers alternatives to an ambulance ride to the ER. We covered it in detail here.

Conclusion

An EHR-ready Windows medical tablet with RFID SSO, fingerprint reader, CAC/Smart Card and barcode reader, antimicrobial casing, hot-swap batteries, rugged case, carrying handle and straps does alleviate the physician burnout caused by technology because:

  • It is easy to use: a familiar Windows interface with a minimal learning curve, and security made simple enough to require minimal user effort.
  • It is safe: the antimicrobial casing inhibits pathogen growth, and IP65-sealed bezels allow cleaning with liquid chemical solutions for thorough disinfection.
  • It is reliable: a durable, military-grade battery or hot-swap batteries let you swap power without shutting the device down or losing data.

Another way to reduce the negative effect of technology on physician and nurse burnout is to use maneuverable, lightweight, non-powered medical carts with ergonomic medical computers and hot-swap batteries, which provide full-shift uptime and flexible charging options. This configuration eliminates the strain on nurses of having to charge the cart or the laptop frequently. It also reduces IT cost because our hot-swap batteries are durable, unlike those of regular powered medical carts, which need frequent replacement.

P.S. While the AMA and other professional organizations get busy lobbying to reduce regulations around clerical work, providers and HIT vendors must work towards interoperability and ease of use in their solutions. Check out our Key Takeaways from HIMSS17 here.