Category Archives: ePHI

Terry Edwards

Safeguarding security: 4 tactics for secure clinical communication and collaboration

By Terry Edwards  /  29 Jul 2016

I had the honor of speaking at the 2016 Becker’s Hospital Review Annual CIO/HIT + Revenue Cycle Summit, discussing the elements needed to truly secure clinical communications with some of the best minds in the healthcare world. With a number of recent high profile news stories announcing ransomware attacks in hospitals and health systems, security and the ability to secure clinical information is top of mind for many.

Those who oversee organizational data and IT systems recognize the importance of securing communication channels containing ePHI as they build a unified communications strategy. While security and regulatory mandates are essential elements of a clinical communication strategy, to create a truly successful strategy, the needs of those who provide care: physicians, nurses, therapists and others on the care team – in any setting – at any time – must be addressed flawlessly and securely.

To do so, there are a few tactics to keep in mind:

Understand what the HIPAA Security Rule actually states – There’s been a lot of confusion in the industry when it comes to HIPAA compliance and communication. I often notice that many organizations think this is all about secure text messaging, which is incomplete. The Security Rule never speaks to a particular technology or communications modality, application or device. It is technology neutral.

HIPAA compliance is about the system of physical, administrative and technical safeguards that your organization puts in place to ensure the confidentiality, integrity and availability of all ePHI it creates, receives, maintains or transmits. Because of this, there is no such thing as a HIPAA-compliant app.

Understand care team dynamics – Care team members are mobile and they employ workflows to receive communication based upon situational variables such as origin, purpose, urgency, day, time, call schedules, patient and more. The variables determine who should be contacted and how to do so for every communications event.

For this reason, third parties (hospital switchboards and answering services) and disparate technologies are used in organizations’ clinical communication processes. Understanding this variety of technologies and actors is key to accurately assessing your organization’s compliance risk. And, coming up with strategies to effectively address that risk is key.

Secure text messaging is essential, but it’s not sufficient – While secure messaging is an essential component of your overall strategy, it’s not sufficient because:

  1. it requires the sender to always know who it is they need to reach—by name.
  2. it requires the recipient to always be available to other care team members 24/7.

These requirements are inconsistent with the complexity inherent in communication workflows that enable time-sensitive care delivery processes, because they don’t address the situational variables I described above.

Secure messaging is only one piece of what should be a much larger communications strategy—one that should address clinician workflows and multi-modal communications channels for all care team members.

Your goal should be to enable more effective care team collaboration – Organizations often focus on achieving HIPAA-compliance. This is a flawed objective. The focus should be on achieving more effective care team collaboration. If this is done effectively, achieving HIPAA-compliance will come along for the ride.

Six essential capabilities – An effective secure clinical communications and collaboration strategy will include the following six elements.

  1. It will facilitate communication-driven workflows that enable time-sensitive care delivery processes. An example of a communications-driven workflow is stroke diagnosis and treatment. When a patient with stroke symptoms presents in the ED, one of the first things the ED physician does is initiate a communications workflow to contact the neurologist covering that ED at that moment in time, while simultaneously notifying and mobilizing a stroke team to complete a CT scan to determine if it is safe to administer tPA, the drug that arrests the stroke. Time is critical. Healthcare is chock full of these kinds of workflows, executed every day in every hospital by the hundreds and thousands.
  2. It will provide technology that automatically identifies and provides an immediate connection to the right care team member for any given clinical situation—this is nursing’s greatest need! Your strategy should be to bypass third parties and eliminate all the manual tools and processes used to figure out who’s in what role right now given the situation at hand. Ignoring this need means you won’t achieve adoption, which means your organization will still be at risk.
  3. It should extend beyond any department and the four walls of the hospital. It should enable cross-organizational communication workflows. This is increasingly important under value-based care where care team members must collaborate across interdependent organizations to deliver better care.
  4. It should secure the creation, transmission and access of ePHI across all communication modalities—not just text messaging. Enough said!
  5. It should integrate with your other clinical systems to leverage the data within those systems to facilitate new communication workflows. This is key to enabling “real-time healthcare.”
  6. It should provide analytics to monitor your communication processes and continuously improve those processes over time.

With these capabilities in place, secure clinical communication simply becomes another positive result of implementing a broader care team collaboration strategy, designed to address clinical efficiency and improve patient care delivery.

Terry Hayes

Balancing act: Making data security a priority in daily nursing routines

By Terry Hayes  /  24 Mar 2016

Regardless of the hospital or specialty office, nurses are an essential piece of patient-centered healthcare delivery models. As a former pediatric nurse practitioner, I know firsthand the amount of responsibilities nurses juggle, all while maintaining the personal, bedside manner needed to ensure patients and their families feel comfortable and knowledgeable about treatment and care. Nurses are often the first and last point of contact to provide care for a patient, and a critical part of the clinical communication process, especially in the digital age.

Unfortunately, as healthcare data breaches surge and the need to prepare for HIPAA audits increases, nurses must also factor data security into their daily routines. Since 2010, the HHS Office for Civil Rights reported more than 1,400 breaches of unsecured protected health information affecting 500 or more individuals, and this number is expected to escalate. Given nursing’s dynamic role in communicating with team members across the care continuum (physicians, other nurses, patients, etc.), it’s important that nurses, as well as other healthcare professionals, are provided the right levels of secure connectivity to deliver quality care for patients efficiently.

Nurses must also understand the need for security in many of their day-to-day activities. Here are a few areas nurses must constantly keep in mind:

  • Within the care setting – Can the patient information be viewed (or heard) by anyone besides the patient? Are the connected medical devices in use secured? Could another care provider or visitor access the device if the nurse steps away momentarily? With the growing use of telemedicine, does the patient have the right set-up to participate in portals, video calls, etc.?
  • Outside of a care setting – Are documents sent to the correct printer and/or fax, and are those documents picked up quickly? Can non-authorized personnel easily access EHRs and other technologies? Are any BYOD technologies secure? Does the outside setting have appropriate procedures in place to assure patient confidentiality and, if so, is it monitored?
  • During a care transition – Do the appropriate care team providers have access to relevant information? Are there any others who participate in care who should be considered? If so, what level of information should be shared with those providers? Are all communications channels, such as a voicemail or email system, fully secure and HIPAA-compliant?

While education is critically important to ensuring nurses understand how to keep patient information secure, it’s also important for hospitals and other providers to identify processes and technological solutions to improve security, meet HIPAA standards and protect the confidentiality and integrity of patient data. This is particularly true as nurses (along with the rest of the patient care team) face more pressures to meet the demands of value-based care.

Nurses: how do you make data security a priority in your day? What challenges have you run into while balancing efficient and personal patient care with security?

Terry Edwards

Insights from HIMSS16: Four key takeaways

By Terry Edwards  /  14 Mar 2016

Each year, thousands of health IT leaders come together over one week to network, collaborate and shine a spotlight on industry accomplishments, challenges and innovation at HIMSS. I’ve attended the show for the past ten years, and I’ve seen trends evolve over time – some fading quickly, others becoming a constant theme throughout the years – all representing the ever-advancing healthcare landscape.

This year, as I walked the HIMSS show floor and had conversations with other executives, physicians and vendors, I noticed the following:

  • The market is shifting beyond secure messaging – For three years I’ve been talking about the fact that secure messaging is an essential feature of an organization’s clinical communications strategy, but it’s not sufficient in and of itself. We talked to more than one organization that experienced a failed secure messaging deployment. Having learned, those organizations and others are realizing that a secure, comprehensive communication solution that can improve workflow is what is required. (It’s about time!)
  • Security continues to evolve as a top priority – Healthcare CIOs are viewing security as a major challenge, and one that must be addressed holistically. I spoke with one CIO who shared that one set of physician network credentials lost through a phishing scam required the reset of 20,000 user credentials – a major disruption to the entire organization. We also discussed the challenges of keeping information protected; it’s clear that more comprehensive security solutions are needed to avoid the disruptions and other setbacks caused by breaches. Healthcare security today must extend past the surface level and become integrated into workflow, communications, technology, etc.
  • Moving beyond Meaningful Use to optimization – For nearly a decade, Meaningful Use was king. Now that most providers have implemented EMRs, the conversation has shifted from fear of non-compliance to how we can do more with the EMR. More and more providers are looking for ways to optimize their EMR investment to leverage data, extend its usage and refine the technology so that it works more seamlessly within clinician workflow. Workflow plays such a critical role in care and physician coordination, and providers need platforms that are smart and holistic – ones consistent with reality.
  • Shifting viewpoints on the future of the industry – Depending on who you talk to, conversations around the state of the healthcare industry and its future, which were in no shortage over the course of the week, differ in tone. With many factors, such as regulations, driving change in the industry, it becomes easy to take on a negative mindset – physicians in particular become frustrated with balancing patient care, compliance, data and technology. One notable challenge is providers are having to figure out how to take responsibility for a whole episode of care when the patient’s full team of physicians may not all be in one system. However, innovation continues to lead the way, and this, too, was reflected in many positive conversations about the healthcare landscape today.

Healthcare will continue to build on what we have today, optimizing our existing technology to address broader issues, and do so much more comprehensively – raising new trends and challenges just in time for HIMSS 2017. See you there!

Save the date: HIMSS 2017, February 19-23 in Orlando, Florida

Don Dally

The outdated browser: breeding ground for cybercrime

By Don Dally, chief technology officer at PerfectServe  /  10 Mar 2016

Is your health system’s browser up to date? Too many organizations don’t know the answer to that question and are unaware of the consequences for using unsupported browsers. Or, if they do know the answer, they aren’t in a position to act on it.

Now is the time to check if your workstations are using the latest browser version available. Earlier this year, Microsoft announced that it was discontinuing support for Internet Explorer versions 8, 9 and 10. The discontinuation of this support may affect more people than you think. The loss of this support means Microsoft will no longer provide vital security patches for these browser versions, leaving vulnerabilities unattended and healthcare organizations wide open for attacks. This should come as no surprise to healthcare stakeholders, who’ve seen cyberattacks increase in recent years, especially in the healthcare industry. Hackers will find a way to exploit these vulnerabilities. It’s not a matter of IF, but WHEN.

There are two main reasons why outdated browsers linger:

  1. A clinical application doesn’t support modern browsers—Many healthcare providers are running older versions of browsers because they use a legacy application from a vendor that will not work on more contemporary browser versions. In basic terms, the application is holding them back.
  2. The provider organization is not updating the browser—If, for whatever reason, the provider is not updating its browser, it requires vendors to spend an inordinate amount of time and effort making sure their applications will work across the various (often outdated) browser versions used by their customers.

Browser upgrades are a two-way street: providers must make sure they are using the most up-to-date browser version for vital security updates, while vendors must make sure that their applications and solutions can support contemporary and future browser versions so they are not holding their users back.

How to keep current

Although browser choice can be an overlooked decision, it’s important that both vendors and providers stay on top of the latest versions. Here are some steps to help providers and/or vendors break the cycle of using outdated browsers:

  • Vendors should be held accountable for keeping pace with browser evolution
  • If you have a legacy application that requires an older browser, keep the browser on the workstation current and use virtualization to serve up an older browser for the legacy app
  • Ensure your organization has procedures in place to keep your browsers updated and properly patched
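One practical way to find out which workstations are still on an unsupported browser is to look at what your clinical web application actually sees. The script below is an added example (not PerfectServe code and not part of the original post): it parses web-server access logs in the common Combined Log Format, reads each client’s User-Agent string, and reports every source address still using Internet Explorer 8, 9 or 10. The log lines are constructed sample data. It deliberately trusts the `Trident/x.y` engine token over the `MSIE x.0` token, because IE11 running in Compatibility View advertises itself as `MSIE 7.0` and would otherwise be flagged as outdated.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Combined Log Format); not real traffic.
SAMPLE_LOG = """\
10.0.0.12 - - [10/Mar/2016:08:15:02 -0500] "GET /app/login HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.0.0.13 - - [10/Mar/2016:08:15:09 -0500] "GET /app/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
10.0.0.14 - - [10/Mar/2016:08:16:30 -0500] "GET /app/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
10.0.0.15 - - [10/Mar/2016:08:17:01 -0500] "GET /app/login HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0)"
10.0.0.16 - - [10/Mar/2016:08:18:44 -0500] "GET /app/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.87 Safari/537.36"
"""

# Combined Log Format: ip ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Trident (rendering engine) version -> real IE major version.
TRIDENT_TO_IE = {"4.0": 8, "5.0": 9, "6.0": 10, "7.0": 11}

# IE 8, 9 and 10 are the versions the post describes as no longer patched.
UNSUPPORTED_IE_MAX = 10


def ie_version(user_agent):
    """Return the real IE major version for a User-Agent string, or None if it is not IE.

    The Trident token is authoritative: IE11 in Compatibility View reports
    'MSIE 7.0' but still carries 'Trident/7.0', so the MSIE token alone would
    produce a false positive.
    """
    m = re.search(r"Trident/(\d+\.\d+)", user_agent)
    if m and m.group(1) in TRIDENT_TO_IE:
        return TRIDENT_TO_IE[m.group(1)]
    m = re.search(r"MSIE (\d+)\.", user_agent)
    if m:
        return int(m.group(1))
    return None


def outdated_clients(log_text):
    """Return {source_ip: ie_major_version} for every client seen using IE <= 10."""
    found = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in Combined Log Format
        version = ie_version(m.group("ua"))
        if version is not None and version <= UNSUPPORTED_IE_MAX:
            found[m.group("ip")] = version
    return found


def version_summary(log_text):
    """Count how many distinct outdated clients run each IE version."""
    return Counter(outdated_clients(log_text).values())


if __name__ == "__main__":
    for ip, version in sorted(outdated_clients(SAMPLE_LOG).items()):
        print(f"{ip}: Internet Explorer {version} (unsupported, no security patches)")
    print("summary:", dict(version_summary(SAMPLE_LOG)))
```

Run it against a real access log (`outdated_clients(open("access.log").read())`) to get a list of workstations to feed into the upgrade or virtualization plan above; the hosts it names are the ones where the legacy-browser question must be answered before the browser is updated.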

If you’re not sure whether you are using the most up-to-date browser, check here to see the newest version of your browser that’s available. We all have to step up to the plate and stay current. It is no longer an issue of convenience; it is a matter of patient privacy.

Don Dally

Education minimizes the impact of healthcare hackers

By Don Dally  /  28 Jan 2016

Security continues to be top of mind for healthcare professionals, and according to a Health IT Outcomes survey, PHI security is the top 2016 priority for more than 42% of healthcare executives. The risk of being hacked today is increasing exponentially due to the huge surge in devices and data being used and shared.

Over the last few years, healthcare systems have been targeted by various security threats. In 2015, major health insurers Anthem, Premera and Excellus headlined a long list of hacked healthcare organizations in the United States. Breaches at these three organizations alone leaked more than 100 million patient records, and the Anthem breach by itself more than doubled the number of people affected by breaches in the health industry since 2009.

Hackers in the healthcare system are like bacteria, mutating quickly to change the way they attack. In order to stay a step ahead and protect critical PHI, healthcare organizations must stay on top of what’s happening, try to predict hackers’ next moves and understand how and where PHI is shared. Healthcare providers will need to be more proactive about potential hacks and take security threats more seriously by:

  • Educating physicians on the value of security: Many physicians experience a slowdown in their daily processes when security is added to their systems – taking time away from their patient visits. Security can also be expensive to add for healthcare organizations. While antivirus solutions have become reasonably inexpensive, other necessary solutions like data loss prevention (DLP) and encryption can cost significant amounts not only to purchase, but to implement and support. Organizations need not only to balance security controls to ensure they don’t impede physicians’ efficiency, but they also need to work with physicians to help them understand that the value of security outweighs both of the aforementioned concerns. A data breach not only means that protected patient health information is exposed, but also threatens the reputation of the provider organization.
  • Understanding how vendors store and transmit patient data: So much patient information lives in external, third-party organizations. However, IT security is a complex issue, and that complexity – along with the overwhelming number of vendors in the space – can be off-putting to clinicians. Providers have an obligation to their patients to understand and ensure that these organizations are taking measures to protect that critical information. Periodically, providers must compare each vendor’s benefits, and also look at how each vendor stacks up when it comes to security procedures by asking questions like, “When was your last risk assessment?”, “How do you encrypt data when it is stored?” or “What data do you share with third parties?” Providers have an obligation to themselves, and more importantly, to their patients to thoroughly vet every vendor they share their PHI with.
  • Understanding recent updates to privacy and security rules: Despite recent breaches, many providers still don’t understand the privacy and security regulations. Too many physicians I meet have lingering confusion about HIPAA, as well as standard security protocols. Privacy and security laws and regulations are constantly updated to account for the ever-changing risk landscape and protect consumer privacy. Physicians must be up-to-date on these healthcare regulations to not only prevent a hack, but to ensure that patient information remains protected.

More physician education needs to take place related to the intricacies of the healthcare system and the responsibilities and security procedures of healthcare organizations. In 2016, I trust that providers will look at more ways to partner with physicians and improve their efforts around the issue. Security is invaluable and needs to be managed more carefully as everyone’s personal data is on the line.