
Bowtie Confidential: Preparing for the Inevitable Breach 2/7/12

February 7, 2012 News 1 Comment

You may be one of the fortunate healthcare organizations that have not experienced a breach in security or inappropriate access to Personal Health Information (PHI). However, when you least expect it, it will happen to you.

You cannot prevent every breach, but you can take reasonable measures to prevent them and create a plan to respond rapidly and appropriately. A poorly contained breach and a failed response have the potential to cost millions through penalties, lost business, and ruined reputations. A well-executed plan can save your organization from these consequences.

If you haven’t already, it is important to create an incident management process. I suggest using the business impact analysis model, which will identify the potential risks and threats to the organization.

Here are eight steps organizations should take to develop an incident response process, each reflecting an area of the incident response management cycle.

  1. Risk analysis. Prior to developing the plan, the organization needs to understand the business – operations, processes, etc. – and identify the high-impact risks that must be mitigated. From whom or what is your organization trying to protect its assets?
  2. Threat analysis. Also prior to implementing a plan, a thorough understanding of the IT infrastructure is needed to identify the “single point” of failure and other potential weaknesses. Where and how does your organization capture and store the most sensitive data? Perform a workflow and data flow analysis to determine this. Which systems and networks are the most vulnerable to attack?
  3. Security policy mapping. Security should be deployed throughout the organization to mitigate known threats, risks, and vulnerabilities to the extent possible. Assess the results of the risk and threat analyses on an ongoing basis and compare them to existing security controls. Are there sufficient procedures in place? Are they securing the right things? Procedures should apply appropriate levels of structure to the security controls based on the potential threat and associated impact.
  4. Incident response policies and procedures. When breaches happen, the organization will need to identify and classify the incident according to appropriate criteria. Then the organization must initiate the response team, contain and stop the incident, gather appropriate incident evidence/data, if applicable, restore operations, notify individuals as necessary, and determine the course of action the organization will undertake. External organizations, patients, physicians, and regulatory agencies will want to see that plans are in place, that a rapid response was taken to address the exposure, and that affected patients/people were notified.
  5. Testing. Testing will validate and confirm the organization’s capabilities, provide training and awareness to the response team, illustrate responsibilities, and highlight weaknesses or invalid assumptions. If you don’t test, you won’t be prepared. It is highly recommended that the incident response process be tested at least twice per year.
  6. Review and update. Post-test or post-incident debriefings are essential. Validate the plan and update it if necessary.
  7. Create an incident response team. A breach can happen anywhere inside or outside of the organization. Therefore, it is important that the response team be a cross-functional group – including outside professionals and vendors if necessary. Potential team members would include organizational leadership, information security / risk management / compliance staff, IT staff, operational staff (business, financial, and clinical), legal staff, corporate / organizational communications staff, and external professionals such as forensic analysts, notification providers, etc.
  8. Training. Once a plan and team are in place, the next most important component of a good incident response plan is employee training. The alacrity with which a breach is reported to the response team can make a substantial difference in the impact. Train employees on the basics of security, how to identify a breach, and most importantly, what to do and who to contact when an incident is identified.

Incident response and management is a top strategic priority. It is better to be proactive now than to perform damage control later around reputation, penalties, and patient care.


Rob Drewniak is vice president, strategic and advisory services, for Hayes Management Consulting.

News 2/7/12

February 6, 2012 News 4 Comments


meridianEMR launches meridianMobile, a native iPhone app to complement its meridianEMR system.

Senator Tom Udall (D-NM) will introduce legislation making it easier for physicians to practice telemedicine in multiple states without the need to apply for separate licenses in each state. The bill would streamline licensure and create an interoperable database of telemedicine providers.


AAFP drops the $30 per month fee for member access to its Delta-Exchange professional networking site. Non-members will continue to pay.

MGMA sends a letter to HHS Secretary Kathleen Sebelius outlining problems that practices are having with the 5010 transition, urging an additional delay in enforcing the change. MGMA warns that unless the government takes the necessary steps to resolve issues, many practices will face significant cash flow disruptions and operational difficulties, a reduced ability to treat patients, staff layoffs, and even practice closure.

Virginia HIT adds NextGen to its list of affiliated vendors. Its other solution partners include Allscripts, athenahealth, MDLand International, and Pulse.

Several practice consultants offer tips to help practices get the most from the tech support departments of their vendors. It includes questions that should not be sent to the support hotline, such as:

  • Practice-specific questions
  • How-to type inquiries about tasks that should have been covered in training
  • Hardware versus software problems
  • Questions that involve functions outside of the system’s capabilities.

 


Confused about the various Medicare penalty programs on tap for the next few years? Note that 2012 is the first year that Medicare will impose penalties for not using e-prescribing. In 2015 the EMR penalties kick in, which is the same year PQRS penalties go into effect. For 2012 and 2013, physicians can earn bonuses for MU, e-prescribing, and participating in PQRS. However, here’s a little “gotcha” about PQRS: physicians who don’t report enough quality measures under PQRS in 2013 may risk a Medicare pay cut in 2015. The AMA and other organizations are urging CMS to remove all PQRS penalties.


Here’s a new twist on in-store medical clinics. Rite Aid and OptumHealth team up to offer telehealth visits in exam rooms at Rite Aid pharmacies. Patients enter a private room, register on a computer terminal, and respond to a series of questions about their current problem or complaint. They can then be connected to a video chat with a nurse for free or a 10-minute visit with a physician for $45.


E-mail Inga.

DOCtalk by Dr. Gregg 2/3/12

February 3, 2012 News 2 Comments

Hey, You, Get Onto My Cloud

Singing “I can’t get no satisfaction” last week must have set off some sort of cosmic karmic coincidence collision thing, because just after bemoaning the current general state of EHR techdom, I was given a jolt of inspiration sufficient to stop my sagging satisfaction sadsack soliloquy.

Thank you, Inga. Inga was my “scoop” source. She had recently heard of, and just finished interviewing, the chief executive officer and the director of marketing for the software that provided the aforementioned jolt for my EHR psyche. She had read my Jagger-infested article and e-mailed a simple, “Looked at CareCloud?” I hadn’t, but I soon did.

I Googled them and saw enough to more than pique my interest. Thanks to Inga’s introduction to Mike Cuesta, the marketing man mentioned above, I was able to hook up with Juan Molina, CareCloud’s director of biz dev/“Chief Evangelist”, and Nicole Trueba, events and outreach manager. They undertook some very kind squeeze-me-in scheduling and enabled a short, but quite enjoyable demo of CareCloud’s new Charts EHR software, along with a fast overview of their Central, Concierge, and Community solutions. (Central is PM, Concierge is back office/RCM stuff, and Community is a business-facing “social” community. The patient-facing version is coming.)

I could sense my satisfaction shooting up from the first page view. Their EHR component was just officially released January 20 of this year and it is, in a word, spectacular, in both look and feel.

Designed from the ground up to be “one platform” and browser agnostic, it is smooth, seamless, and fast. Starting with new technology allowed for technological design considerations that are simply impossible when trying to layer newness onto old code (e.g., Windows on top of DOS still has DOS-related issues that are virtually impossible to eliminate. I’m sure you can think of other such examples.)

Perhaps most apparent is the design excellence. Even before hearing that it is true, you can tell that they started out with user experience (UX) experts doing the human/computer interface design layout. The Web site says their UX folks spent hours studying provider workflows with their UX expert eyes. It comes through. Handing a beautiful design off to the programmers for them to then construct the actual mechanics beneath led to a UX that is truly “Apple-ified.” It is enjoyable to look upon, easy to navigate, and extremely workflow-friendly. It is vastly different from the typical experience you get when programming is core and design is secondarily considered.

I’ve said it for a long time: “App me, baby.” Well, they did. Apps are both a core element of the design and smoothly integrated so that you can add the apps you need as you need them and pocket them when you don’t.

Built on open architecture (Ruby on Rails and Adobe Flex), it is designed to be future-friendly. Instead of locking into current standards, these guys have learned that evolving technology means that great answers for today are the leg-irons for tomorrow’s development.

Another thing that really caught my attention was CareCloud’s social side. Their implementation of certain social aspects into the design creates huge workflow advantages. It struck me as almost the Facebook of EHRs. I’m not a huge Facebook user, but I nonetheless appreciate the value and power it provides in connecting people and facilitating interactions. Apparently these designers understood that from the outset, because the functionality for office use is extremely integrated and also appears to be extremely well-considered.

I’ve seen somewhat similar “digital ecosystems,” but never one as well thought out and as well implemented. Though as I mentioned, we had to sort of squeeze the first demo in and thus it was a limited overview, it was still one of the most impressive systems I have ever seen. Sure, it has some warts and needs to continue to evolve, but its starting point is so far down the path to greatness that it should make other developers shudder. It’s kick ass, to be sure.

In case you’re wondering, it is Drummond-certified as a Complete EHR and SureScripts-certified for ePrescribing. Not unimportantly, especially to small guys like me, they offer a pay-as-you-go plan or a comprehensive RCM version. Plus, they provide 24/7 real person support via phone, chat, or e-mail.

I’ve told the tale before that when I first saw Bond Clinician back in 2004, I almost told the rep to stay quiet, as it looked so nice and so straightforward that I thought I could probably start using it without any instruction. I mean, that’s exactly what iPads are: great-looking technology with tons of power that don’t even come with instruction manuals. I may learn differently as I dig deeper into it, but I’m thinking the CareCloud folks took a page from that playbook and have come as close as anyone to date in creating a truly iPad-ized EHR – one that is friendly, gorgeous, and (my personal favorite) stupid simple to use.

I’m also thinking I may now have to reconsider this whole “can’t get no satisfaction” thing.

From the trenches…

“Why is Cloud 9 so amazing? What’s wrong with Cloud 8?” – Mitch Hedberg

Dr. Gregg Alexander, a grunt in the trenches pediatrician at Madison Pediatrics, is Chief Medical Officer for Health Nuts Media, directs the Pediatric Office of the Future exhibit for the American Academy of Pediatrics, and sits on the board of directors of the Ohio Health Information Partnership (OHIP).

News 2/2/12

February 1, 2012 News Comments Off on News 2/2/12

Merge Healthcare announces the addition of six orthopaedic practices utilizing its OrthoEMR and 10 radiology practices using Merge RIS.

ADP, parent company of AdvancedMD, announces the acquisition of RCM company PhyLogic Healthcare. The purchase allows AdvancedMD to offer outsourced medical billing to its PM/EHR clients.

Advanced Data Systems integrates its MedicsDocsAssistant EHR with Midmark’s IQecg, IQspiro, and IQholter devices. Here’s a video showing the integration.

As rumored here a couple weeks ago, Greenway Medical goes public Thursday with an $80 million IPO, providing a market cap of $330 million.


NexTech VP Christina Majeed accompanies providers from The London Vision Clinic on a medical mission trip to the Tilganga Institute of Ophthalmology in Nepal, where NexTech had donated its EMR system. Majeed and the London Vision Clinic providers trained staff on the EMR, as well as shadowed doctors and observed surgeries.

Louisiana Health Practitioners select ChartLogic EHR Suite for its four-provider practice.


Kareo opens a sales and customer service office in Indianapolis, managed by Kareo’s national director of sales Jason McDonald. Kareo expects to grow the office from 15 employees to 65 by the end of the year.

University of Kansas researchers look at patient-physician email interactions and find that treatments and lab tests were the most common topics of discussion. Doctors took an average of 23 hours to reply to patients’ emails, suggesting that some physicians place less importance on email as a tool for patient communications.


First-fill medication adherence improves 10% among physicians who adopt e-prescribing technology, compared to physicians not using e-prescribing.


The Rural Assistance Center and the National Rural Health Resource Center develop an online toolkit that helps rural healthcare providers find HIT resources, including EHRs.

Though 80% of physicians believe iPads have a promising future in healthcare, most are skeptical of their ability to transform patient care today. Most physicians still use desktop computers as their primary device for accessing patient data, whether at the office, home, or hospital; mobile devices are used primarily when physicians are outside their normal working environments.


A big welcome to DrFirst, HIStalk Practice’s newest Platinum sponsor. DrFirst is a leader in the standalone e-prescribing market and the first company to establish connections to both RxHub and Surescripts. They are also one of the first companies to offer e-prescribing services for EHR vendors, to provide medication history and electronic prescribing for hospitals, and to transmit prescriptions for controlled substances under a DEA waiver. DrFirst also just introduced its EHR Advisor online tool to help physicians find a solution from those offered by the company’s 200+ EHR vendor partners, all of which are Surescripts certified. The Advisor tool is pretty cool and includes screenshots of different products, downloadable PDFs, and videos. DrFirst is also participating in our Soles4Souls shoe drive at HIMSS and will have a drop-off box (booth 5456) for you to donate your gently used shoes. We appreciate having DrFirst on board and supporting HIStalk Practice!

Hard to believe, but DrFirst is the 32nd company to sponsor HIStalk Practice. When we launched the site just over three years ago, Mr. H wasn’t sure if enough people would be interested in the ambulatory world to sustain a second site. Today we have over 10,000 readers a month and more than 1,200 subscribers, so I’d like to think Mr. H was wrong (and he’s hardly ever wrong). Thank you for reading, for telling your HIT ambulatory-loving friends about HIStalk Practice, and for clicking on a few ads to learn more about the goodies being offered by our sponsors.


The Austin (TX) newspaper profiles DocBookMD, a three-year-old company that offers a mobile app for the secure exchange of texts, photos, charts, and X-rays over mobile devices. The app is offered for free through 80 “sponsoring” medical societies and used by 5,500 doctors in 20 states. DocBookMD also just announced it has raised $2.2 million from investors.


E-mail Inga.


HIStalk Practice Interviews Albert Santalo, CEO, CareCloud

February 1, 2012 News 1 Comment

Albert Santalo is chairman, president, and CEO of CareCloud of Miami, FL.


Give me some idea about the size of the company, number of employees, revenue, and the number of practices live.

The company is about 120 employees now. We’re managing around $700 million in accounts receivable for clients. We don’t disclose specific revenue numbers, but we’ll be in the $10 million or so range for 2012, anywhere from $8 million to $12 million.


How many practices do you have live?

The number of practices is probably 250 or so. They range in size from solo practitioner to larger, multi-specialty groups. It’s well over 1,000 providers.

Countless companies offer PM and EMR systems and several of those have cloud-based solutions. What’s your competitive differentiator and what companies do you see as your primary competition?

We see lots and lots of companies, and we group them into different categories. Almost every company that’s out there that has had any type of success has started in practice management or medical records and bought another company with the other discipline. Very, very few have built what I would call an industrial strength solution for both sides from the ground up on a common architecture.

When you think about the way a medical practice works, the clinical side is not really separate from the financial and administrative side. The whole thing starts with an appointment. At some point, there’s a handoff to a clinician who uses a medical record system. Then it goes back into the billing process to get the doctor paid for what they do. There’s too many clunky handoffs between these old, fragmented systems.

Most companies just haven’t gone to the trouble to build this all on a common architecture. I would say it’s a subtle differentiator for us because most people don’t really get it. But the reality is that when you look at our system and you see what kind of elegant, beautiful experience it is from cradle to grave, it becomes obvious that this all should be built on a common platform.

Yes, there are a few cloud-based players, but most of them built their systems in the late ‘90s or early 2000s. The Internet-based tools to build these systems have evolved two or three generations later, and that is what we’re using.

For instance, some of our competition only works on Internet Explorer on a Windows PC, while the world has changed in the last few years. A lot of physicians are using Macs — if not at work, in their personal lives. There are mobile devices, and physicians need to be able to access information anywhere. A lot of people don’t like Internet Explorer — they want to use Google Chrome or Firefox or Safari. We built this the way you would build it in the last few years, which is so that it works ubiquitously on any browser.


What companies would you say are your primary competition?

We come across all sorts of existing solutions. We compete with traditional players such as Allscripts, Greenway, NextGen, etc. But at the end of the day, the only company that we really feel sees the world the way we do and has built something like what we are hoping to achieve is athenahealth.


You allude to CareCloud’s slick user interface. Does the user interface offer a sustainable advantage given that these entrenched companies theoretically could freshen up their user interface to resemble yours?

That is an issue, but what I would ask is has anyone really been able to duplicate Apple’s user experience? It’s not like it’s not there and everyone can’t use it. Yet all of the stodgy, old companies struggle to create a user experience like what Apple has created.

One of the things you have to understand about CareCloud is that design is ingrained in our DNA. The first person that I hired when I founded the company was Mike Cuesta, who comes from a graphic design background. In other words, Employee #1 was a designer.

It’s really hard, especially when you’re a bigger company, to get design woven into your culture if it wasn’t already there. Design isn’t something that’s done by consensus. Bigger companies tend to be a little more democratic, for lack of a better word, and committees don’t design well. Design is done by really, really talented designers.

On top of that, some of the technologies that the competition uses are not easily employed in a design type of a way. For instance, if you look at somebody who’s developed in straight-up HTML, you know they have to make the leap to HTML5 to really do rich Internet applications, and the HTML5 development tool kits are not there yet. It’s easier said than done, but the reality is as people are imitating our current designs, we’re already working on the next generation of something even better.


Do you have a sales force?

We do. We’re selling the product through a combination of a traditional sales force and through online marketing. As of late, we’ve been ramping up the sales force pretty significantly. I’m amazed at the amount of people defecting from the old world to come here and deal with something new. I’ve been shocked at the talent that’s been showing up, and we’re hiring them.

We’ve got eight new sales people showing up here Monday for training. That will be the next wave, and there’s a wave after that.

Geographically, they’re located all over?

Throughout the US, everywhere from the northeast to the West Coast.

Any plans to distribute the product through resellers?

Yes. There’s a lot of traditional VARs and such that are out there, and especially with larger installs, we can use help with implementations. In fact, we’re already working with some VARs that are partnering with us to put our solution into their client base.


You recently launched CareCloud Charts. What are the advantages and disadvantages of entering the EMR market late in the game, especially late in the ARRA game?

We could have entered a lot earlier, but we’re big believers that we just have to build things correctly and not rush them too much. You have to always build on a strong foundation.

I would say that the disadvantages are that there have been a lot of people that have purchased the EMR already, but there are also a lot of people that have gotten burned in that process. They’ve been chasing the Meaningful Use dollars and they realize that they made a poor choice in what their EMRs are.

The good news is that they already have bought into the EMR as something they have to do, but a lot of them are looking to swap it out. We’re seeing a lot of that. With our type of solution, which is really pay-as-you-go, it’s a pretty easy transition from a financial perspective, because they don’t have to buy eight servers and do all sorts of creative stuff like with other solutions.

The other thing about coming late in the game, something that isn’t quite apparent to everybody yet, is most of the EMRs — if not all of the EMRs that have been written and developed up until now — have been developed with the idea that what we’re trying to do is capture the information as it relates to a doctor and a patient seeing each other in a brick-and-mortar type of setting.

The reality is that the world is moving towards much more of a real-time, instrument type of model. We envision that in the not too distant future, people will be wearing sensors. They’ll be stepping on their scale in their home, and that scale will be connected to the Internet, taking their blood pressure, etc.

The way we’ve designed our clinical system is such that it lends itself to this real-time world, where there’s lots and lots of data being captured in real time on specific patients. The system has to provide strong analytics and alerting to the providers so that they’re not inundated with all these data.

It’s a very, very different architecture than what’s out there, especially if you compare it to systems that are written in MUMPS, which is technology from the ‘70s. As you know, this is what you see in healthcare IT. It’s ridiculous. We wouldn’t buy any piece of technology in our personal lives that had anything in it from 1967, yet people are spending tens, hundreds of millions of dollars on systems like Epic, which is crazy.


You’ve said that CareCloud offers a social infrastructure. Explain that.

Think of the social infrastructure like this. When you really look at healthcare, it is a social business. Today, especially with the kind of the fragmented world that we live in on the provider side, a patient bounces around from practice to practice as they’re getting care. A primary care doctor may refer a patient to a cardiologist or urologist, but there isn’t any good infrastructure to push data between these providers.

People talk about HIEs and things like that, but the reality is penetration of HIEs is very low. We’ve built a secure, social framework within our system so that that data is usually pushed from person to person, business to business so that it’s not captured again. It doesn’t infringe on the patient experience, so that errors aren’t introduced. It really speeds up the delivery of care and can help eliminate some of the redundant care that exists.

We think of an HIE as, “Why can’t an HIE be a secure Facebook as opposed to this thing where I have to get my CIO to talk to your CIO?” Guess what? Most doctors don’t even have a CIO. This whole integration between practices and systems is not realistic in ambulatory healthcare. We built it as a friendly place where everyone can interact.

If I use eClinicalWorks or athenahealth, I can access the social infrastructure?

Yes. We’re not there yet in terms of those capabilities, but yes, you will be able to access that infrastructure. Absolutely. And our hope is that you’ll stop using eClinicalWorks. [laughs].

In your various company announcements, you talked a lot about investors, innovation, and awards. You don’t say a lot about customer successes. Who are your notable customers and what have they accomplished using your product?

There are many, many flavors of customers that we have. Some are larger, some are smaller. The successes mostly relate to financial successes. That’s the biggest way that we measure the success around here, that these practices are able to derive more revenue from what they do. Because, as you know, a lot of practices do a lot of work and don’t get paid properly for it.

That’s the first piece, and at the same time, they are able to save on a lot of costs because we convert what’s typically a fixed cost to a variable cost. There are so many bills and this is thrown into our offering that they just do it a lot more effectively and more cheaply.

Your EHR product has been ONC-certified, correct?

Yes.

Have any of your early users been able to attest?

They need to use it meaningfully for 90 days. We’re not there yet, but that’s coming.

As you know, there’s a lot of noise in the system around this whole thing. Although you spoke of the timing earlier, we’re still early in the game in terms of the attestations. You can even see the people that are making a lot of noise, like Practice Fusion. They say they have 100,000-something providers. They only have like 100-and-something providers that have gotten Meaningful Use dollars, which is abysmal, in my opinion.

Any additional thoughts that you’d like to share?

We’re very excited about what’s coming this year. There’s a lot of innovation we’re going to be releasing. We worked very hard in making sure that the EMR was ready for the marketplace, but now, a lot of what happens now that the product is completely rounded out, is a lot of building on top of what we already have. It will be a tremendous amount of refinement. There will be a movement into the mobile space and so forth this year, so it should be pretty exciting.
