Blog

May 17th, 2012

The proposed rules for Stage 2 of the HITECH Act electronic health record incentive program “are going to bring a lot of new and challenging privacy and security issues to the forefront,” says attorney Adam Greene.

Three of the most significant proposed Stage 2 meaningful use rule components that raise privacy and security concerns, he says, call for providing patients with real-time access to their medical information via portals, ramping up participation in health information exchange and providing secure messaging for patients.

Greene, a former official at the Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA, says in an interview that providing patients with online access to their records raises such issues as how to handle patient authentication as well as how to manage access to records by authorized representatives of patients.

Hospitals and clinics alike, Greene says, will need to carefully consider: “What are the new threats and vulnerabilities that will need to be addressed in a risk management plan as a result of this new access to records?”

Preparation Steps

In the interview, he also says healthcare providers should:

  • Ask their electronic health records vendor to describe, in detail, how they’ll manage their patient portal and how they’ll log access to it.
  • Ask health information exchanges to describe how they are applying encryption of messages and authentication of parties exchanging information.
  • Carefully consider when the use of secure messaging by physician practices is appropriate. For example, it isn’t necessary for sending routine appointment reminders, he notes.
  • Discuss with EHR software vendors how they’ll meet the proposed Stage 2 software certification rule requirement to encrypt data stored on mobile devices by default, addressing both hardware and software issues.
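Two of the concerns above, managing record access by a patient’s authorized representatives and logging every portal access, can be shown together. The following is an added example, not code from Apex or from any EHR vendor; the `Portal` class, the identifiers (`pat-100`, `rep-7`, `rep-9`) and the log format are all constructed for illustration.

```python
"""Patient-portal authorization with an audit log (added example).

Assumptions (constructed for this example): the portal keeps, per patient,
the set of user ids authorized to act on that patient's behalf, and every
access decision, allowed or denied, is appended to an audit log so that
denied attempts and representative accesses can be reviewed later.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Set


@dataclass
class Portal:
    # patient_id -> user ids currently authorized to view that patient's record
    representatives: Dict[str, Set[str]] = field(default_factory=dict)
    # one entry per access attempt, including the ones that were refused
    audit_log: List[dict] = field(default_factory=list)

    def grant_representative(self, patient_id: str, rep_id: str) -> None:
        self.representatives.setdefault(patient_id, set()).add(rep_id)

    def revoke_representative(self, patient_id: str, rep_id: str) -> None:
        self.representatives.get(patient_id, set()).discard(rep_id)

    def can_view(self, actor_id: str, patient_id: str) -> bool:
        """Only the patient or a currently authorized representative may view."""
        if actor_id == patient_id:
            return True
        return actor_id in self.representatives.get(patient_id, set())

    def view_record(self, actor_id: str, patient_id: str) -> bool:
        """Decide, log the decision, and return whether access was granted."""
        allowed = self.can_view(actor_id, patient_id)
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor_id,
            "patient": patient_id,
            "on_behalf": actor_id != patient_id,
            "allowed": allowed,
        })
        return allowed


def denied_attempts(portal: Portal) -> List[dict]:
    """Log entries a reviewer should look at first: refused accesses."""
    return [e for e in portal.audit_log if not e["allowed"]]


def representative_accesses(portal: Portal) -> List[dict]:
    """Successful accesses made by someone other than the patient."""
    return [e for e in portal.audit_log if e["allowed"] and e["on_behalf"]]


def demo() -> Portal:
    """Walk through the cases the text raises, using constructed ids."""
    p = Portal()
    p.grant_representative("pat-100", "rep-7")
    p.view_record("pat-100", "pat-100")   # patient views own record: allowed
    p.view_record("rep-7", "pat-100")     # authorized representative: allowed, logged
    p.view_record("rep-9", "pat-100")     # never authorized: denied, logged
    p.revoke_representative("pat-100", "rep-7")
    p.view_record("rep-7", "pat-100")     # authorization revoked: denied, logged
    return p


if __name__ == "__main__":
    portal = demo()
    for entry in portal.audit_log:
        print(entry)
```

The point of logging denials as well as successes is that the refused attempts (a stranger, or a representative whose authorization has lapsed) are exactly the entries a risk management review wants to see.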

Breach Settlement

Greene also discusses the implications of the recent OCR settlement in the BlueCross BlueShield of Tennessee breach case, which included a $1.5 million penalty. “If you lose the records of 1 million individuals, or possibly significantly less, you should be prepared for a thorough OCR investigation and the possibility of a settlement or fine,” he stresses.

He also notes that the Tennessee case, which involved the theft of 57 unencrypted hard drives, calls attention to the importance of protecting data with encryption.

Greene made his comments following a presentation at the recent National HIPAA Summit. He is a partner at Davis Wright Tremaine LLP in Washington, where he specializes in HIPAA and HITECH Act issues. He formerly was senior health information technology and privacy specialist at the HHS Office for Civil Rights, where he played a significant role in administering and enforcing the HIPAA privacy, security and breach notification rules.

For help with your meaningful use readiness, contact us at healthcare@apex.com

May 17th, 2012

A recent poll from KPMG, an audit, tax and advisory services firm, suggests many business administrators at hospitals and health systems are expressing doubt on whether or not they can meet the new Stage 2 meaningful use requirements of EHR compliance standards. Less than half of those surveyed (48 percent) in the KPMG poll last month said they were confident in their organization’s level of readiness to meet Stage 1 meaningful use requirements.

“The results show that organizations are moving forward but it’s interesting that many are not more confident with their level of readiness, especially when considering anticipated Stage 2 requirements,” Brad Benton, partner and national account leader for KPMG Healthcare, said in a statement.

Thirty-nine percent of the respondents said they were somewhat confident in their organization’s level of readiness, three percent said they were not confident at all, and 10 percent didn’t know what their level of readiness was. Interestingly, the majority (71 percent) of the hospital and health system business leaders said they are more than 50 percent of the way to completing EHR system adoption.

According to the report, the biggest challenge organizations have had in meeting Stage 1 meaningful use requirements is simply understanding the requirements involved in demonstrating meaningful use (25 percent). This was followed by training and change management efforts (20 percent); capturing the relevant data electronically as part of clinical workflows (18 percent); lack of a dedicated meaningful use team (12 percent) and not having the appropriate certified technology (six percent).

“Adding to the challenge is the continuing development of the regulations themselves,” Mike Beaty, principal and KPMG Healthcare IT enablement leader, said in a statement. “Each successor stage really builds on its predecessor, so it’s imperative that organizations really embrace and institutionalize the concept that achieving compliance is not just a technology focused project. Real success will be defined by highly-effective adoption of redesigned clinical workflows and care delivery processes.”

For help with your meaningful use readiness, contact us at healthcare@apex.com

May 16th, 2012

Security of data and networks is an issue that companies are taking seriously. They’re going to great lengths to protect themselves from external threats and are, for the most part, safe from them. And yet, there are still stories about how businesses are being infected by malware. If they’re safe from the external environment, where’s the threat coming from?

In recent years the majority of security threats and compromises have come from within the company. A common threat to companies is the logic bomb - malware that targets IT systems and deletes data. As a logic bomb is introduced from within the network, the blame often lies with a disgruntled employee with full access to internal systems.

Insider threats

Giving employees full access to the network when they don’t need it is a common mistake often made by companies. There’s little need for an employee who does graphic design to have access to weekly sales records. This practice could set your company up for a considerable security problem in the future.

Dawn Cappelli, an insider-threat expert at the Carnegie Mellon Software Engineering Institute stressed, "These types of insider attacks happen to businesses of all sizes, from small companies to very large corporations." This is an important issue businesses should be aware of if they want to remain secure.

Take Precautions

Security threats can be a particularly harsh nightmare for small businesses, as many don’t have an IT department or staff with the technical expertise needed to maintain a secure network. If you’re one of these organizations, it’s a good idea to hire an outside consultant to help you with your network security. With consultants, it’s important that you maintain close contact with them to ensure any issues that crop up are dealt with expeditiously.

If you don’t work with an external company there are a few things you should do when you have an employee leave the company. First, their accounts should be deleted immediately and their access privileges should also be revoked. Second, if you have accounts with shared passwords, you should change them to ensure an ex-employee can’t gain access to the system.
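The two points this post makes, least privilege (the graphic designer with access to sales records) and a clean exit for leavers (disable accounts, revoke privileges, rotate shared passwords), are both things you can check from a directory export rather than from memory. The following is an added example, not Apex’s or any product’s code; the account data, group names, role table and shared-credential list are all constructed for illustration.

```python
"""Offboarding and least-privilege audit over a constructed account export (added example).

Assumptions (constructed for this example): each account carries its group
memberships; a role table says which groups each job role actually needs;
shared credentials are tracked with the set of people who know them.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass
class Account:
    user: str
    role: str
    enabled: bool
    groups: Set[str]


@dataclass
class OffboardingReport:
    accounts_to_disable: List[str]          # leavers whose account is still enabled
    groups_to_revoke: Dict[str, Set[str]]   # leaver -> memberships still held
    credentials_to_rotate: Set[str]         # shared secrets a leaver knew


def audit_leavers(accounts: Iterable[Account], leavers: Iterable[str],
                  shared_credentials: Dict[str, Set[str]]) -> OffboardingReport:
    """List what remains to be done for people who have left."""
    leaver_set = set(leavers)
    to_disable: List[str] = []
    to_revoke: Dict[str, Set[str]] = {}
    for acct in accounts:
        if acct.user not in leaver_set:
            continue
        if acct.enabled:
            to_disable.append(acct.user)
        if acct.groups:
            to_revoke[acct.user] = set(acct.groups)
    # any shared password a leaver knew must be changed, whoever else knows it
    to_rotate = {name for name, knowers in shared_credentials.items()
                 if knowers & leaver_set}
    return OffboardingReport(sorted(to_disable), to_revoke, to_rotate)


def least_privilege_violations(accounts: Iterable[Account],
                               role_groups: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Groups each active user holds beyond what their role needs."""
    violations: Dict[str, Set[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        extra = acct.groups - role_groups.get(acct.role, set())
        if extra:
            violations[acct.user] = extra
    return violations


# constructed sample data
ACCOUNTS = [
    Account("alice", "designer", True, {"design", "sales-reports"}),
    Account("bob", "sales", True, {"sales", "sales-reports"}),
    Account("carol", "sales", True, {"sales", "vpn-users"}),
]
ROLE_GROUPS = {"designer": {"design"}, "sales": {"sales", "sales-reports", "vpn-users"}}
SHARED_CREDENTIALS = {"vpn-shared": {"bob", "carol"}, "printer-admin": {"alice"}}
LEAVERS = ["carol"]


def demo_report() -> OffboardingReport:
    return audit_leavers(ACCOUNTS, LEAVERS, SHARED_CREDENTIALS)


def demo_violations() -> Dict[str, Set[str]]:
    return least_privilege_violations(ACCOUNTS, ROLE_GROUPS)


if __name__ == "__main__":
    print(demo_report())
    print(demo_violations())
```

Run against a real export, the report gives the offboarding checklist in concrete terms, and the violations list is the designer-with-sales-records case the post warns about.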

If you’d like to learn more about internal security, and measures you can take to ensure you are safe, we are ready to help you. Please contact us.

Published with permission from TechAdvisory.org. Source.

May 14th, 2012

If you’ve ever observed people playing any sort of game, you probably noticed how involved the players are with the game. Why do players get so into the game? Competition and the desire to achieve established goals. There’s a Web trend emerging of companies using these game elements to drive engagement and customer buy-in.

The term to describe this trend is gamification, but what is it, and how can businesses use it?

What is gamification

Gamification is the application of game design techniques and mechanics to non-game applications. Foursquare and its badges are a good example of this - users check in at locations to earn points, unlock badges and compete with their friends. Do they win anything? Nothing physical, but there’s something satisfying about competing with other people to be the best.

While gamification got its start with technology-related operations, it has since been integrated by businesses of all sizes. Businesses that have adopted elements of gamification have seen improved user engagement and ROI.

How can businesses leverage gamification?

Gamification is interesting because it can be applied in a variety of different business situations. For example, here are three such uses:

  • To increase employee engagement. It can be hard at times to keep your employees engaged while they’re doing mundane tasks. One of the most common uses of gamification is deploying badges to act as a motivator to encourage employees to put effort into their job. When an employee reaches a predetermined level they are recognized for their achievement. This will go a long way in improving engagement.
  • To create brand advocates. You can use gamification to turn your customers and fans into brand advocates. Before they start singing your praises, they need to be given a reason to do so. The best way to do this is to create a points/reward system. For actions such as purchases or reviews, customers gain points that can be spent on other services. Think of it as akin to the points system used by credit card companies.
  • To generate traffic. Many SMBs are dependent on their websites for revenue but struggle to get traffic to their site. Gamification techniques can be employed to encourage people to spend more time on, and return to, your website, almost like a modern loyalty program.

There are many uses for gamification and we’ll continue to see new and innovative ways to deploy it in organizations. If you’re interested in ways you can implement aspects of gamification in your business, or would like to learn more, we are happy to sit down with you for a chat. Please contact us.

Published with permission from TechAdvisory.org. Source.

May 13th, 2012

There’s a big gap between what physicians thought they could do, and what they were eligible to do, to collect meaningful use incentives last year, according to a new study, which appears in the May issue of Health Affairs.

The study shows that 91 percent of physicians nationwide were eligible for federal electronic medical record (EMR) incentives in 2011. However, only 10 percent intended to apply for the program.

That number was on the low side of what the federal government had anticipated. The Center for Medicare & Medicaid Services had estimated that 10 percent to 36 percent of Medicare-eligible professionals and 15 percent to 47 percent of Medicaid-eligible professionals would demonstrate meaningful use in 2011.

According to the authors, among physicians intending to apply for meaningful use, about 21 percent were ready with the 10 core capabilities. Even in the state with the highest degree of readiness - Wisconsin - only 32 percent of physicians were ready with the 10 core capabilities.

The authors say the low level of readiness illustrates the challenges in meeting the federal schedule for financial incentives. Healthcare practices have support options, however. Your IT provider can help you if you need assistance preparing for meaningful use.

Published with permission from TechAdvisory.org. Source.

May 11th, 2012

The key to patient-centered care - a concept that continues to evolve - is the relationship between physician and patient. Finding the balance between patient engagement and information technology, however, can be challenging.

IT has benefited healthcare practices in many ways. For example, it allows patients to service themselves when it comes to transactional exchanges, such as scheduling appointments and reviewing bills.

There are fears, however, that IT can also create distance between the practitioner and patient, reducing face-to-face contact. Here are three tips to ensure that doesn’t happen:

  1. Accept that patient-centered IT initiatives help the physician. Small practices need to adopt the same features as their competitors, including large practices as well as low-cost primary care providers such as CVS and Walgreens.

  2. Determine your needs. Patient-centered IT practices vary. Some practices use patient portals to optimize patient input. Others use email, text, video and mobile apps to create an impact across a broader spectrum of their patients' health. You’ll need to find what works best for your patient. Younger patients, for example, might prefer text messaging; older patients might prefer email.

  3. Reconsider your reimbursement model. IT advancements have patients emailing, text messaging and video conferencing their doctors without payment. That puts pressure on the physician to do more for less. This is a problem with your business model, not your IT. You can't offer services that eradicate half of your service visits or you'll bankrupt your practice.

For details, please see “Five Keys to IT and the Physician-Patient Relationship.”

Published with permission from TechAdvisory.org. Source.

May 4th, 2012

If you mention “OS X” and “virus” in the same sentence, you’ll get some weird looks from Mac users. Traditionally viruses and trojans on OS X were near non-existent, but there’s a Mac specific trojan, codenamed Flashback, that has affected more than 600,000 computers. This is big news as it shows that machines running OS X may not be as secure as first thought.

Many Mac owners are unsure of what exactly the Flashback trojan is, what it does and how to ensure they’re not infected. We’re here to help clarify the situation.

What is a Trojan and What Does Flashback Do?

In general terms, a trojan is a piece of malicious software that infects a computer and gives hackers control of part or all of the computer. The Flashback trojan takes advantage of an OS X Java vulnerability and infects computers by tricking users into downloading a fake Java update.

When the program is installed, Flashback will download and install the main trojan code without the need for permission from the administrator. From there it proceeds to hijack your browser, redirect search queries to websites developed by hackers, and then take advantage of pay-per-click advertising.

Why Should I be Worried?

While this version hijacks your browser, there are far more sinister things it could do. As this trojan acts as a downloader, there’s nothing stopping the developers from updating the malware to steal passwords, banking information and other confidential information.

How do I Ensure My Mac is Clean?

Apple has released an update for machines running OS X 10.6 and later. The first step you should take is to update your computer to patch the vulnerability. To update your Mac:

  1. Press the Apple logo, located in the top right hand of your screen.
  2. Select Software Update...
  3. Press Install and Restart.

While the patch will prevent Flashback from working, it won’t delete the program if you’ve been infected. The Internet security company F-Secure has developed a script that scans your computer and removes Flashback if found. Once you have downloaded the script, open and run it. The script will search your computer and place the infected files in an encrypted ZIP folder labeled Flashback_quarantine.zip.

Flashback has infected a higher number of Macs than any other trojan to date and goes to show that Macs also have security flaws. This also serves as a reminder that you should have a virus scanner and security program running on your Mac. If you have any questions regarding the security of your Mac or other devices, please don’t hesitate to contact us. We are here to help keep your machines secure.

Published with permission from TechAdvisory.org. Source.

April 17th, 2012

With the adoption of Stage 2, companies operating in the electronic medical records space will shift their focus from the capture of health information to its exchange. One industry insider has recommended 10 things your EMR needs to be truly interoperable.

  1. Single sign-on (SSO). Applications tend to proliferate, and if you don't allow people to switch between these applications using a common login and password, users will get frustrated and give up.
  2. Context transitions. As applications grow, and you need to integrate them into an EMR, SSO won’t be enough, because you’ll still lose the “active patient or task" being performed. You’ll also need to provide for the transition of context between applications.
  3. Widget publishing. EHRs often have hundreds of functions, and if some are exportable or publishable as widgets, they become much easier to integrate into new user interfaces in the future.
  4. Widget consumption. EMRs will become more like containers of cross-application functionality than innate functionality, so consuming widgets will be a basic requirement.
  5. Mash-ups. EMRs should allow access to their content through the content management interoperability services (CMIS) standard, thereby allowing users to unlock content they have in various health records.
  6. Customizable dashboards. EMRs should provide dashboards that can be tailored by organization, user role, or even user.
  7. Interactive Voice Response (IVR). IVR, which allows an EMR to interact with users through phones and other voice systems, such as Skype, will improve collaboration with patients and other physicians who aren’t at a computer.
  8. Voice recognition. This will help users conduct EMR tasks more efficiently.
  9. Natural language understanding. Because most EMR data is entered by humans, an EMR must integrate with systems that can convert the spoken word or typed text to structured data.
  10. Customizable data import and export. A good EMR must allow customizable importing and exporting of simple lists in common formats, such as Excel, CSV and XML.

Details about these tips, and an additional two not discussed above, can be found here.

Published with permission from TechAdvisory.org. Source.

April 17th, 2012

In order for your IT department to be successful, you need a strategic plan that will both optimize your workflow and help to define your practice’s needs. A well-thought-out and well-executed plan will exhibit a focus on the experiences of your staff and patients. Here are five considerations that can help you develop your strategic IT plan.

  1. Improve the patient experience. Many healthcare practitioners consider the patient experience a major challenge, yet don’t give much thought to how IT can improve it. Consider what you can do electronically to support patients, whether they're in your facility or not. Electronic forms? Email and text message reminders and confirmations? Kiosks?
  2. Consider best practices. Technology can help you get to know your patients better. The Web, for example, can be used as a first point of engagement. Ask a few questions of visitors, then tailor your responses to their needs. A patient interested in a first consultation would receive different information than one preparing for his or her first round of cancer treatment.
  3. Don’t forget the staff! Your staff needs successful workflows to interact effectively with patients. Common errors are multiple devices and different logins. Keep in mind how clinicians work to develop efficiencies. Your staff needs to be able to provide clinical care without being tied to a PC.
  4. Use social media. Social media often isn’t included in IT planning, as it’s usually more of a marketing consideration. Without thinking about how it will be used, it will become difficult for patients and staff to have a singular experience. Your IT department needs to work with other departments to develop a social media plan that will yield a consistent presentation to the end user.
  5. Use integrative planning. Typically, IT does its strategic planning in isolation. Ideally though, IT would plan with other departments. This “integrative planning” allows for a consistent plan supported by all parts of the practice.

Published with permission from TechAdvisory.org. Source.

April 11th, 2012

In the past five years, there has been a significant rise in the sharing of files and information between computer users. Many businesses have also taken to sharing files using cloud services and peer-to-peer (P2P) networks, allowing users to share files with each other over the Internet. This brings about a number of issues, both with file recoverability and overall security.

With the seizure of a number of cloud storage and sharing websites, including Megaupload, and the seemingly omnipresent malware in P2P files and the shaky security in relation to P2P networks, businesses have had their hands full staying secure. Do you know what your options are when it comes to data security?

Cloud Services Knowhow

The recent seizure of Megaupload’s files and servers by the US Government caught many people and businesses unprepared. While Megaupload’s main purpose was file sharing, it was found that a large number of organizations were using their services to store files. If you had files stored on Megaupload, the chances of getting the files back are non-existent.

It needs to be pointed out that many cloud services don’t guarantee that files stored on the service will be recoverable in the event of a crash, or disruption in service, e.g., a government seizing servers. If you read the user agreements of a number of major cloud services, they all have clauses stating that if data stored on their service is lost for any reason, it’s gone forever, and the hosts can’t be held liable for losses.

Risks of P2P

With high speed Internet widely available at low prices, P2P file sharing has become incredibly popular; it’s uncommon to find someone who has never used a P2P service. If you or your employees use P2P at your office, there are a number of potential security threats you should be aware of:

  • The unknown share: If you put a file in a folder that is shared on a P2P network, it’ll be shared with all other people connected to that folder and almost anyone can access it. This is normally done by mistake, i.e., not looking where the file will be saved when you save it. There’s also malware out there that will move files into a shared folder which the developer of the malware can find and upload with ease and without the user knowing it is happening.
  • Open network: Typically P2P works on open networks: users give and share. What this means is that when using P2P on a poorly configured network, the whole network could be insecure, allowing for access to other computers connected to the network.
  • Untracked data: If you share a document with another person, and they then share it with others, there is potentially an unlimited number of people that can get the data. If you want to take it back, it can be impossible to do so, even if the original document is deleted.
  • Storage hijacking: There’s news of malware that has been developed with the purpose of downloading illegal material onto your hard drive. This could pose a problem if the data is found, as you will be liable.
What Should I do?

With regards to cloud services, as with anything that comes with a contract, the first thing you should do is gain an understanding of it by utilizing reading material such as blogs, news articles and Wikis. It’s a pain in the neck, but it’ll help you understand the boundaries of the program and your responsibilities. Remember that if you go to court to get files back from a company, and it becomes known that you didn’t read the agreement, you’ll probably end up losing that case.

Second, it’s not recommended to keep single copies of data on one cloud service. Chances are high that in your business, you store your data and backups in a place separate from the computer. This makes sense with the cloud as well - keep your data with a number of different cloud services. If it’s important enough, have physical backups of what you put in the cloud.

For P2P networks there are also a number of steps you can take to protect the data on your network:

  • The most obvious one is to ban employees from using any file sharing services outside of your network.
  • If you do allow file sharing, it’s a good idea to establish and strictly enforce a protocol for this. You should also set which users are allowed to share files, and what files are appropriate to share. Be sure that all staff are aware of your policy and the measures that will be taken in the event of any deviations.
  • Develop a system to classify documents by whether or not they can be shared, and who they can be shared with.
  • If you work in an office where you need to share files, but don’t want to use a P2P network or the cloud, and are unsure of other solutions out there, don’t worry. There are companies that specialize in document sharing solutions that should be able to provide you with assistance.
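The “unknown share” risk above and the advice to classify documents by whether and with whom they may be shared fit together: once documents carry a classification, a shared folder can be checked against it. The following is an added example, not Apex’s or any product’s code; the classification policy, the manifest format, the folder audiences and the sample file names are all constructed for illustration.

```python
"""Check a shared folder against a document classification (added example).

Assumptions (constructed for this example): a manifest maps each document
name to its classification label; a policy says which share audiences each
label may reach; each shared folder is configured with one audience.
Anything in the folder that the policy does not allow for that audience,
or that has no classification at all, is reported for the owner to act on.
"""
import os
import tempfile
from typing import Dict, List, Set, Tuple

# classification label -> share audiences a document with that label may reach
POLICY: Dict[str, Set[str]] = {
    "public": {"internal", "partners", "public"},
    "internal": {"internal"},
    "confidential": set(),   # never belongs in any shared folder
}


def scan_shared_folder(folder: str, folder_audience: str,
                       manifest: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (filename, reason) for every file that should not be in this share."""
    findings: List[Tuple[str, str]] = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        label = manifest.get(name)
        if label is None:
            # the "unknown share" case: a file nobody classified ended up here
            findings.append((name, "unclassified file in shared folder"))
        elif folder_audience not in POLICY.get(label, set()):
            findings.append((name, f"{label} document exposed to '{folder_audience}' share"))
    return findings


def demo() -> List[Tuple[str, str]]:
    """Build a constructed partner-facing share and scan it."""
    with tempfile.TemporaryDirectory() as share:
        for name in ["brochure.pdf", "pricing.xlsx", "payroll.csv", "notes.txt"]:
            with open(os.path.join(share, name), "w") as fh:
                fh.write("constructed sample content\n")
        manifest = {
            "brochure.pdf": "public",
            "pricing.xlsx": "internal",
            "payroll.csv": "confidential",
            # notes.txt deliberately has no entry: it was dropped in by mistake
        }
        return scan_shared_folder(share, "partners", manifest)


if __name__ == "__main__":
    for filename, reason in demo():
        print(f"{filename}: {reason}")
```

Run on a schedule against real shares, this turns the classification policy into a check rather than a memo, and the unclassified-file finding catches the mis-saved document before someone outside the company does.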

The most important thing is that whatever the situation is, you take action to try to solve the problem while frequently revisiting the actions to ensure that they are working. If you’d like to learn more about document sharing over the cloud, or via P2P networks, give us a buzz. We’re more than happy to help.

Published with permission from TechAdvisory.org. Source.