EHR Satisfaction is Up, but Interoperability and Support Issues Persist


Satisfaction with electronic health record (EHR) systems is on the rise, according to a recent survey of healthcare professionals across a broad range of facilities. However, system interoperability and support operations raised some red flags among respondents.

The 340 responses compiled by Healthcare IT News compared 2016 EHR ratings to the prior year based on interoperability, interface, security, user experience and support services.

EHR systems from Epic, Cerner, GE Healthcare, Allscripts, eClinicalWorks and Meditech led the way in total satisfaction ratings, followed by Siemens, McKesson and NextGen. All but eClinicalWorks and NextGen scored higher in 2016 than 2015.



Source: Healthcare IT News


While respondents overall gave positive marks for user experience and security provisions, they were most dissatisfied with intrusive alerts at the interface level, and — not surprisingly — interoperability.

Indeed, “interoperability with other systems” lagged other capabilities for users of all included EHRs except NextGen. Even among users of Epic, the survey’s top-rated EHR, interoperability graded out at the lowest level of all measured attributes. “It would be nice if it were possible to have exchange data from third-party EHRs be incorporated as structured data,” noted one Epic respondent.

Another area of concern was ongoing support. An eClinicalWorks user complained that technicians required remote access to the customer’s computer to fix problems, which ties up operations. The user said he would only recommend the EHR for standalone clinics with a full-time IT staff to deal with problems.

EHR software also presents a timing problem in regard to exchanging data among providers: Successful data exchange between hospitals using different EHRs can be disrupted when either or both connected hospitals upgrade to a new version of the software. In a separate article, Penn Medicine CIO Mike Restuccia predicted that interoperability would fail to meet expectations until widely agreed-upon data standards are put in place and vendors take up the call for integrated solutions.

NetDirector’s HealthData Exchange integration solution addresses the problems holding back some EHR users. It enables data mapping once during set-up so that clinical data can move seamlessly among different systems used at hospitals/practices, labs, pharmacies, imaging centers and government agencies. The data is transformed to the correct format of the receiver during transport.

Additionally, healthcare facilities only need to manage a single connection to NetDirector instead of multiple integrations to each disparate system. That cuts down on internal IT resources and frees up time to focus on delivery of care.

For more information, contact NetDirector or request a free demo.


HealthCare Cloud Computing Before It Was Cool

Like its atmospheric modifier, cloud computing comes together in boundless shapes and sizes. Some say it’s a simple feat — accessing and storing data and programs over the Internet instead of on a hard drive — but a mind-boggling combination of data processing, synchronization, communication, and protection takes place beyond the individual user’s confines.

In any case, it’s big business, with public cloud companies projected to stake out an estimated $500 billion in market cap by 2020. “The depth and breadth of cloud progress is pretty shocking,” investor Byron Deeter of Bessemer Venture Partners told Forbes.

That’s a long way from the roots of the dot-com era, when Application Server Providers (ASPs) connected people via the Web to software hosted in offsite data centers, and thereby offered businesses a viable alternative to buying hardware and hiring people to manage it. Still, the drawbacks at the time — sluggish connections and sky-high ASP operations costs — kept traditionally late-adopter industries like healthcare mostly on the ground rather than in the cloud.

Healthcare’s ascent

As recently as 2014 only about 22 percent of healthcare organizations surveyed by HIMSS Analytics were planning to use cloud computing for back-office functions. In 2016, nearly 47 percent of respondents have cloud usage in their back-office plans. The same holds true for business continuity/disaster recovery functions and health information exchange: the former rising from 31 percent in 2014 to 47 percent in 2016, and the latter from 20 to 41 percent.

“In 2014, the cloud was primarily seen as a model that could support HIE and data storage, whereas, in 2016, it is being leveraged for a full range of functions including patient empowerment,” according to the survey report.

Indeed, healthcare entities cite the following factors (in order of importance) in their move to the cloud:

  • Cost savings
  • More complete disaster recovery capabilities
  • More scalability for internal requirements
  • Speed of deployment
  • Improved user access to applications
  • Plans to scale information and virtual care to patients
  • Freeing up internal storage/compute cycles
  • Accommodation of mobile workforce
  • Regulatory compliance
  • Accessibility to compute cycles

Another way to say it is that core health IT components, such as electronic health record (EHR) systems, cannot be at risk for downtime with vital patient care considerations hanging in the balance. With technologies coalescing in the background, tens of thousands of EHR users across multiple vendor platforms now use the cloud daily with complete trust.

Additional “hot spot” cloud applications in healthcare continue to emerge in the areas of telemedicine, medical imaging, public health and patient self-management, hospital management, therapeutic interventions, and secondary use of data for analysis and clinical research.

In response, cloud service providers “need to ensure uptime and performance, deliver on compliance and service level agreements, and offer reliable technical support,” the HIMSS Analytics report states.

NetDirector, one of the originators of the cloud-based integration platform, has built its healthcare business by ensuring the movement of clinical records between providers, helping them achieve a safer and more efficient level of care. The company’s HealthData Exchange combines cloud-based technology with world-class security levels to enhance workflow — which, in turn, allows providers to focus on patient care.

Learn more about the further emergence of cloud-based healthcare data integration or request a free demo.



Ransomware Rises Up as Major Healthcare Data Security Threat

Ransomware, a form of digital extortion, involves lockdown of computers via malware or encryption of electronic files with a private key that only the attacker holds. Victims are left to pay the hacker to regain access, develop workarounds or isolate affected data/devices.

The FBI reports an increase in incidents in which users infect their computers with ransomware by clicking on a compromised website, often lured by a deceptive email message or pop-up window. A fairly recent variant encrypts files on a hard drive as well as any external or shared drives to which the computer has access.

Although ransom amounts typically range from a few hundred to several thousand dollars per instance, hackers collected more than $200 million total in the United States during the first quarter of 2016.

Healthcare organizations, in particular, need to be on the lookout. Research conducted by security firm Solutionary reveals that the healthcare sector accounted for 88 percent of all ransomware attacks it tracked during the first half of 2016.

In perhaps the highest profile healthcare case of this year, 434-bed Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 in bitcoin ransom to obtain a decryption key and restore normal operations after a lockout.

Why is healthcare such a target?

A number of interrelated factors play into healthcare’s ransomware vulnerability:

  • Hospitals and health systems store detailed personal information on patients to make it readily available in the course of care. Stolen health insurance credentials can be used to commit medical fraud, fetching 10 to 20 times more than credit card numbers on the black market.
  • Healthcare providers rely on electronic records to stay operational. With patients’ lives potentially on the line during a ransomware attack, they may be more willing to pay up quickly than victims in other industries.
  • Healthcare is a consolidating industry, with major care organizations merging and acquiring other facilities. Integration of disparate information systems often leaves gaps that give hackers access to sensitive data.

What can be done?

Threat intelligence experts at Solutionary say healthcare organizations can counter the threat of ransomware by using off-site backups for their data — and the systems used to access that data. They should also test the backups regularly to ensure data can be restored quickly.

While providing data exchange services to healthcare organizations, NetDirector utilizes IT infrastructure provider Peak 10’s offsite data center to ensure online backups, data recovery capabilities, minimal to no downtime, and the most current security certifications.

With the major risk of self-managing data security, it makes sense for providers to use a trusted vendor like NetDirector to protect against ongoing threats such as ransomware.

For more information on complete healthcare data integration services, contact NetDirector or request a free demo.


HIPAA Incidents Highlight Need for Adherent Technology Approach

It’s been a busy summer for the Department of Health and Human Services’ HIPAA-compliance body, the Office for Civil Rights (OCR). Between late June and early August, OCR reached settlements totaling $11.65 million in four cases of HIPAA violations and vulnerabilities.

In chronological order:

A $650,000 settlement announced June 29 stated that Catholic Health Care Services (CHCS), which provided management and IT services as a HIPAA business associate to six skilled nursing facilities in the Philadelphia area, failed to safeguard residents’ electronic protected health information (ePHI). Theft of a CHCS-issued iPhone — unencrypted and not password-protected — compromised the ePHI of 412 residents. OCR determined that CHCS had no risk analysis or risk management plan in place for handling PHI, as required under HIPAA’s Security Rule.

OCR announced on July 18 a $2.7 million settlement with Oregon Health & Science University (OHSU) over “widespread and diverse problems” that will be addressed through a three-year corrective action plan. OCR’s investigation started after OHSU submitted breach reports involving unencrypted laptops and a stolen unencrypted thumb drive containing ePHI. Although OHSU performed risk analyses in six years between 2003 and 2013, the processes did not cover all ePHI in OHSU’s enterprise. “While the analyses identified vulnerabilities and risks to ePHI located in many areas of the organization, OHSU did not act in a timely manner to implement measures to address these documented risks and vulnerabilities to a reasonable and appropriate level,” according to OCR.

A statement released July 21 detailed multiple alleged HIPAA violations at the University of Mississippi Medical Center (UMMC) settled by a $2.75 million resolution amount and corrective action plan. OCR found that ePHI stored on a UMMC network drive was vulnerable to unauthorized access via the organization’s wireless network. Users could access files in an active directory after entering a generic username and password. The directory included 328 files with the ePHI of an estimated 10,000 patients dating back to 2008. OCR determined that UMMC was aware of risks and vulnerabilities to its systems as early as 2005, but failed to take risk-management action until after the breach. The agency cited “organizational deficiencies and insufficient institutional oversight.”

Advocate Health Care Network agreed to settle potential HIPAA penalties for $5.5 million and by implementing a corrective action plan, OCR announced on Aug. 4. The settlement amount was the largest to date against a single entity, according to OCR, reflecting “the extent and duration of the alleged non-compliance.” The investigation began in 2013 after Advocate submitted three breach notification reports pertaining to separate incidents involving a subsidiary, Advocate Medical Group. The combined breaches affected the ePHI of approximately 4 million individuals, the agency reported. The incidents included the theft of four desktop computers from an administrative office building, unauthorized access to a billing service’s network, and theft from an employee vehicle of an unencrypted laptop — exposing ePHI in each case.

HIPAA audits also a consideration

OCR’s recent actions stemmed from investigations following breach notifications. However, healthcare organizations should also be prepared for the agency’s stepped-up HIPAA audit activity. Every HIPAA covered entity and business associate is eligible for an audit. So-called remote “desk audits” are currently underway and will be completed by the end of 2016. Onsite audits will follow, covering a broader scope of requirements from HIPAA’s rules.

As indicated, the stakes have never been higher for healthcare providers and vendors when handling ePHI. Technology such as NetDirector’s HealthData Exchange electronically moves data among disparate systems while adhering to HIPAA security standards. While helping to ensure compliance, the cloud-based solution frees up time that can be allocated to optimizing the patient care experience.

For more information on how to ease regulatory burdens, contact NetDirector or request a free demo.



iPaaS Set to Address Integration Challenges

Within three years, a cloud-enabled capability known as integration platform as a service (iPaaS) will surpass traditional application integration suites as the preferred means of supporting business application, data and process integration projects, according to a March 2016 report published by IT research and advisory firm Gartner.

iPaaS will help application managers and directors of integration meet the challenge of integrating hybrid application portfolios and provide easy access to the data within those systems, the Gartner report states.

Gartner counts iPaaS as a fast-growing segment — up 55% in U.S. dollars in 2015 — within the worldwide application infrastructure and middleware market.

“2015 was the year that iPaaS became a serious alternative to traditional software-based integration approaches,” said Keith Guttridge, research director at Gartner. “Buyers are choosing iPaaS due to its low entry costs, reduced operational demands and improved productivity. Vendor interest in this space is also growing rapidly, with the number of offerings doubling in the past 12 months.”

iPaaS typically combines cloud-based applications and data sources, application programming interfaces (APIs) and on-premises systems. IT departments, development teams and even business users leverage iPaaS capabilities to create and manage integration interfaces. The technology’s functionality can support and bridge between a variety of connectivity protocols and data/message delivery styles, according to Gartner.

“For organizations that never established systematic integration practices on-premises, the thought of having to start now is daunting,” Gartner’s analysis states. “The large costs, long delivery times and complex infrastructure build associated with traditional on-premises approaches are just not in line with today’s lean approaches and timelines.”

Capabilities quickly maturing in iPaaS can address such concerns while adding new features via multiple intra-year product releases. “Most vendors have moved beyond the initial use case of data and process synchronization between packaged applications and data sources, and are now focusing on unlocking extra value through API creation and publication, mobile application integration, the Internet of Things and big data analytics,” the report says.

Gartner’s analysis adds that only a handful of iPaaS offerings currently serve the requirements of a specific vertical market; however, some providers “are in the process of delivering value propositions for a few selected industry sectors such as healthcare.”

The report recommends that end users who have not yet begun to pilot iPaaS projects begin to do so.

iPaaS in action

NetDirector’s cloud-based solutions reside behind the scenes from a customer perspective, leveraging iPaaS technology to move data and documents between various trading partners. The automated process generates return on investment by reducing full-time employees or extra staff formerly needed to manually key in data or handle documents.

In industries such as mortgage banking and legal services, the NetDirector Data Exchange provides a standardized format and hub for transactions between multiple parties. Even small organizations lacking in-house IT resources can easily interact with the hub and manage their data flow.

In the medical arena, NetDirector’s HealthData Exchange platform facilitates movement of patients’ clinical records between a variety of providers (e.g., hospitals, physician groups, labs, pharmacies, imaging centers, government agencies and insurance providers) to help ensure safe and efficient delivery of care.

For more information, contact NetDirector or request a free demo.




Improving Data Usage in the Healthcare Environment

At University of Colorado Health (UCHealth), continuous process improvement relies upon effective data usage and integration with the enterprise EHR system. Over the past year, UCHealth has leveraged data science to significantly improve resource utilization in cancer treatment. Now the health system is taking a comparable approach to operating room (OR) scheduling in a project that will roll out through the latter part of next year.

At a cancer treatment infusion facility, UCHealth optimizes scheduling to “level load” patients throughout the day and maximize chair usage. Daily reports, shared during staff huddles, indicate where unexpected patients can be added and when to expect peak loads. Additional performance reports include historic data and highlight areas for further improvement.

This merging of Lean production practices with data analytics has yielded 15 percent lower waiting times for cancer treatment patients — 33 percent lower at peak hours — amid a 16 percent increase in patient volume. What’s more, staff overtime dropped by 28 percent due to optimized scheduling.

The OR project will similarly mine data to maximize surgical resources across five hospitals.

And the forward thrust will lead to new opportunities, according to CIO Steve Hess: “So, inpatient is the natural next place to go after OR. But don’t stop there, think about radiology and imaging, think about lab tests, pharmacy needs, ambulatory clinics … Frankly, the canvas is blank in terms of what you can do with machine learning combined with process improvement philosophies.”

Areas of improvement

Sue Schade, recently identified as one of the “most powerful women in healthcare IT” by Health Data Management and currently interim CIO at University Hospitals in Cleveland, is a strong believer in “visual management” techniques that can help identify systems’ priorities. Her Lean-rooted philosophy takes aim at areas such as reducing cycle times, eliminating preventable incidents, decreasing variation, and increasing coordination and communication between teams.

Data derived from tracking systems helps hospital leadership zero in on the causes of major incidents to prevent reoccurrence and provides performance metrics that can be shared across departments.

Schade quotes from the book The Lean IT Field Guide, “If a picture is worth a thousand words, information made visible in the workplace is priceless.”

Simplifying healthcare data integration

However promising any improvement strategy may be, it would not be possible without properly formatted and integrated data. NetDirector’s HealthData Exchange meets this challenge by moving clinical and financial data among disparate systems within the healthcare ecosystem.

HealthData Exchange uses a “map once, use many” method — as opposed to custom point-to-point interfaces — to enable the sending and receiving of data to/from all of an organization’s providers and vendors. Connected hospitals and physician practices instantly have access to dozens (and potentially hundreds) of providers and vendors through pre-defined integrations.

And because it’s built and optimized for cloud deployment, HealthData Exchange incorporates redundancy and security at every level. The network currently processes more than 10 million data and document transactions per month, while enabling individual users with the means to proactively monitor all connections.

For more information, contact NetDirector or request a free demo.

What’s Happening in Healthcare Regulation and Compliance

Technology’s crossover into most aspects of healthcare brings new possibilities in prevention, treatment and continuous care. But sometimes, too, it raises unique issues that need to be addressed by regulatory or legislative oversight.

Recent headlines from opposite ends of the U.S. highlight new laws at the state level — but with implications that could soon apply more broadly.

The rise of ransomware

Ransomware attacks, in which hackers disable computer systems and demand payment before allowing victims to regain access, would be prosecuted as cyber-extortion under a bill advancing in California’s legislature.

The bill heads to the state Senate’s appropriations committee with strong support. It follows a high-profile case that ended in February with Hollywood Presbyterian Medical Center paying a $17,000 ransom in bitcoin to a hacker who had shut down the 434-bed hospital’s systems.

“The malware locks systems by encrypting files and demanding ransom to obtain the encryption key,” Hollywood Presbyterian CEO Allen Stefanek told the Los Angeles Times. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”

The office of California State Senator Bob Hertzberg cited FBI statistics stating that hackers collected more than $209 million in ransomware payments in the United States during the first quarter of 2016.

Shortly after the Hollywood incident, computers at the Los Angeles County Department of Health Services were infected with a data-blocking program, the Times reported. In that instance, the agency refused to pay ransom and isolated infected devices on its own.

In a separate case in late March, MedStar Health, which operates 10 hospitals in the Washington, D.C. area, acknowledged on Facebook that a virus prevented certain users from accessing email and electronic patient records. MedStar opted to take down all system interfaces to prevent the virus from spreading and reported there was no evidence that information had been compromised. However, the health system had to utilize paper transactions where necessary.

Another malware attack last month at Methodist Hospital in Henderson, Kentucky, locked users out of electronic web-based services. A spokesperson said no patient data was impacted, but IT had to shut down all of the hospital’s desktop computers and scan each for infection before restoring operations. As in the MedStar case, the facility chose not to pay ransom but incurred time costs in resorting to paper-based back-up systems.

New York makes e-prescribing mandatory

Electronic prescribing for controlled and non-controlled substances became mandatory under New York state law on March 27. The e-prescribing edict, part of the state’s Internet System for Tracking Over Prescribing law, carries possible civil/criminal penalties or fines for non-compliance. The measure is intended to reduce prescription theft and forgery, as well as “doctor shopping” by patients.

Of particular note for electronic prescribing of controlled substances (EPCS), the law requires additional security features and registration of certified software with the Bureau of Narcotic Enforcement (BNE).

A year ago, the New York Department of Health sent a letter to prescribers cautioning that “implementation timelines for EPCS software vary and may be lengthy.” The agency strongly recommended immediate action in obtaining and registering certified EPCS software, which in many cases may be part of a commercial EHR system.

According to health information network Surescripts, more than two-thirds of active e-prescribers in New York are EPCS-enabled after a large surge earlier this year.

But even though providers may apply for a waiver from the EPCS requirements under specified circumstances (including technology limitations), physicians and organizations using systems from small EHR vendors may still be out of compliance. Achieving certification is “a bit of a heavy lift on the EHR side,” Surescripts Senior Vice President Ken Whittemore told Health Data Management.

Additionally, BNE approval requires completion of EHR updates, identity-proofing of prescribers, two-factor authentication for prescription signing, and establishment of secure access controls, noted Whittemore.

Keeping the focus on care

The delivery of healthcare shouldn’t be derailed by security threats from outside agents. Nor should it be burdened with technology implications stemming from otherwise well-meaning requirements.

At NetDirector, we stay current with issues that could affect compliance in these areas, so that providers can focus on delivering superior care. Our solutions implement high-level integrations that insulate organizations from cyber-hazards and enable core systems to function as intended — and, in some cases, as required by law or regulation.

For more information, please contact us or request a free demo.