Author: Stuart Crawford

EHR interoperability – considered by some to be the “holy grail” of electronic health record systems – may be a little closer than you think. This summer, a new architectural innovation will be implemented that is guaranteed to positively impact the way different EHR systems exchange information with each other.

o

Interoperability

In the context of electronic health records (EHR), Interoperability refers to the ability of healthcare providers using two different EHR systems to be able to exchange patient information. A combination of standards and architecture are required in order to achieve this type of data exchange between different (and often competing) systems, and past attempts have been hampered by a wide variety of issues and concerns. However, things are about to take a dramatic turn through the work of two powerful influences in modern EHR development.

Who Is Involved

The major players in this undertaking are CommonWell Health Alliance and Carequality. Carequality works under the Sequoia Project and provides the necessary framework needed for successful data sharing among EHR systems.

CommonWell Health Alliance, on the other hand, is a network or trade association of EHR vendors. CommonWell’s goal is to make interoperability among EHR vendors a reality. Any medical facilities or doctors who use a major EHR vendor will benefit from this collaboration.

Major Accomplishment in Interoperability

CommonWell and Carequality are preparing to go live with a health information exchange that will allow doctors to share Continuity of Care Documents. This breakthrough in interoperability includes all major EHR vendors as well as the hospitals and clinics that subscribe to them. A doctor in one hospital that subscribes to a major EHR vendor will be able to exchange patient data with any other doctor that also subscribes to a different EHR vendor.

The collaboration between Carequality and CommonWell actually began back in 2016. As a result of this collaboration, Carequality created their own version of CommonWell’s record locator service. This will allow Carequality members to search patients in CommonWell’s network. CommonWell, in turn, implemented Carequality rules, which is making it possible for network members to easily query each other. This phase of interoperability is due to go live this summer, barring any unforeseen delays.

What This Will Mean for Healthcare

Once the current information exchange goes live, an estimated 80% of doctors will be able to share their patient data – even among EHRs that are fierce competitors. For those in the medical field, the ability to share patient information across EHR systems – especially as the interoperability continues to evolve and expand – will support more informed decisions about patient care. Decisions can be made more quickly and providers will have far easier access to critical patient data. This will reduce ambiguity that can adversely affect patient care and recovery. It also enables better and more efficient workflows, and no doubt will have a positive effect on patient satisfaction as patients will receive better quality care.

Current Limitations

The dream is, of course, for a physician to quickly and easily track down tiny details of a patient’s information (e.g., medication allergies). The technology and software have not progressed to that point quite yet. At this stage, physicians using major EHR systems will be able to search for and access Continuity of Care Documentation, which is basically a data dump of information about a patient.

Challenges and Concerns

It is natural that some resistance to cooperation would be present from vendors because it does not seem like good business to facilitate a client’s ability to connect with services from your competitor. Some physicians may have concerns about making it too easy for a patient to seamlessly transfer all their medical records to a different doctor. Another issue that causes difficulty for vendors is that they have clients over a continuum of sizes, from small, one-physician clinics to massive hospitals. Trying to ensure interoperability between clients at opposite ends of the spectrum may be problematic as the architecture progresses further.

Another critical challenge is one that can only be overcome by forging forward: bugs and unforeseen technical issues that arise. These can only be found and dealt with after the interoperability architecture goes live this summer, and actual users begin to interface with it in a clinical setting.

Conclusion

The ultimate goal, according to CommonWell and Carequality, is for a patient’s healthcare information to follow them wherever they go, regardless of what EHR vendor the medical facility uses.  This, in turn, means that healthcare information is no longer bound by geographical boundaries. However, this dream cannot become a reality without a robust framework of standards, which is already being successfully developed through the hard work of Carequality. The process will require collaboration among sometimes competing EHR providers, which is already taking place thanks to the CommonWell network community and positive cooperation among vendors.

What’s A Blockchain?

A “blockchain” is basically a financial record similar to that of a spreadsheet, only for bitcoins and other forms of cryptocurrency available publicly and online. As the use of cryptocurrencies has evolved, it has created some innovative business opportunities. According to MIT Technology Review, the transparency and trust created through them have increasingly facilitated trade across the world in a number of ways.

First of all, they are publicly available, and access to the records is superior to that of public access to annual company reports. Many organizations do not produce annual reports out of a lack of obligation. The extent of transparency and detail in blockchain records generally exceeds those provided through annual reporting methods. This can allow investors to have more insight into trends and opportunities for investment, trade, and other forms of business growth.

The Rise of Bitcoin and Other Cryptocurrency

Bitcoins are the most common form of cryptocurrency recorded in these newer and more unique forms of financial transactions. They were initially used in 2009 with some trepidation, but have become so popular that, today, you’ll find hundreds of different forms of digital currency, now generally referred to as cryptocurrency.

Soon after the bitcoin was introduced, people began developing cryptography tools for public use, including the blockchain. Cryptocurrency was considered valuable because it provided a global means of completing financial transactions. Due to the complex nature of the bitcoin, it is nearly impossible for individuals or organizations to spend the same bitcoin currency twice.

This successfully addressed the previous challenges with digital currencies and effectively removed the demand to establish and maintain a central authority to mediate such electronic exchanges. Cryptocurrency transactions can be difficult or impossible to trace. That’s why they’re most often used by hackers when requesting ransomware payments from their victims.

Approximately two years after introduction, bitcoins grew from novelty to the preferred payment method in online commerce. “Altcoins,” a comparable cryptocurrency, were developed after bitcoin as an alternative form of digital currency but used the same open-source code for bitcoin. There were some slight differences between the two.

At this time, approximately $1 billion dollars’ worth of bitcoins and other cryptocurrencies are in circulation. Developers realized that blockchains could be more useful to other areas of common business operations as well. Normal steps in the development and use of a blockchain include the establishment or creation of a business transaction. This most often involves the sending of a form of cryptocurrency in exchange for a product or service. They’re also used for all types of investment and financial transfers.

The placement of a line of code representing the transaction as a ‘smart contract’ is initiated when specific conditions are met within the program. The sending of a broadcast to an access network on nodes and the ongoing listing of node subsets are referred to as ‘blocks’ within a ‘chain.’

More on the steps in the creation of blockchains and their history is available through MIT Technology Review.

What Other Uses Does It Have Currently?

With the fundamental added advantages of business transparency and prediction potential, blockchains have created exciting new business opportunities. According to Ignite, as their popularity has grown, they have affected a range of indirectly related aspects of business ranging from the manners by which banks transfer money to how medical records are handled.

Also referred to as ‘shared ledger technology,’ the transparency and trend perception is expected to become commonplace for the majority of business transactions. With over half of businesses now using them, increased opportunities for investors and small businesses, in general, are expected to escalate for an overall positive economic impact.

The use of cryptocurrency increases competition, diversification of products and services, and increased trade opportunities around the globe.

An example of improved business opportunities on a larger scale is the case of the New York City Depository Trust and Clearing Corporation, which began to use blockchain to more successfully facilitate their transactions. Experts attribute this to the success of $11 trillion dollars’ worth of transactions funneled through cryptocurrency technology.

More specific business uses include their infiltration into the banking system, once hesitant to use this form of digital currency. Cryptocurrency was originally thought to be unstable, as it was not backed by gold or other tangible assets. But today, many financial institutions have accepted the use of digital currency due to the increased speed and safety in making financial settlements.

Additionally, other organizations can increase efficiency by using the smart contract in the automatization of their agreements, with high potential for increased speed especially applicable to supply chain management and manufacturing. In addition to transparency, there is increased accountability, helping organizations to experience increased security over previous forms of common practice in transactions and records. This is why, as introduced above, the technology is even beneficial to the healthcare industry and medical records. More on how these areas, communications technologies, and other industrial developments can benefit from blockchain is available at Ignite.

According to The Economist, blockchain and smart contracts have even benefitted the way companies pay employees, the nature of cloud storage, and electronic voting. It seems increasing use and development continues to give rise to further opportunities, as organizations realize the potential benefits of using cryptocurrency and block chains over traditional financial transactions.

Can You Use Blockchain?

If you have the resources and other means required for conversion, your organization could benefit from blockchain if you are seeking increased security or efficiency in:

• Banking transactions
• Medical records
• Manufacturing or inventory records
• Communications records
• Employee payments
• Electronic voting
• Cloud storage records

Even if your organization does not have a strong emphasis in any of these areas, the increased transparency and universal appeal of cryptocurrencies may be sufficient to warrant gradual integration.

As of 22 February 2018, the Notifiable Data Breach (NDB) scheme went into effect and included in its requirements is a mandatory data breach notification.  Failure to correctly notify those affected by an eligible data breach can result in fines of up to $2.1 million, besides potential compensation for affected individuals.  There are certain things that every Australian organisation needs to be aware of when it comes to mandatory breach notification.

To Whom Does It Apply?

The NDB scheme applies to organisations and agencies that have personal security information obligations under the Australian Privacy Act 1988.  Such organisations and agencies include businesses, health service providers, credit reporting agencies, Australian government agencies, TFN recipients, and not-for-profits with an annual turnover of $3 million or more.

If an organisation …

• Collects personal information,
• Receives personal information on behalf of clients,
• Processes personal information on behalf of clients,
• Or holds personal information

Then they can be impacted by the NDB scheme.

If a breach occurs, the organisation and everyone involved in the chain can be affected, including marketers, data providers, brands, agencies, and similar partners.  In addition, if an organisation has clients, those clients may impose notification requirements to make sure they are in compliance with their own NDB obligations.

What Is an Eligible Data Breach?

Data breaches refer to unauthorised access of, the disclosure of, or loss of an individual’s information. If a data breach involves an individual’s personal information and this breach is likely to result in serious harm to said individual, then that breach must to be reported. This type of data breach is referred to as an eligible data breach.  Note that there are, however, some exceptions to the notification obligations.

What Constitutes Serious Harm?

While no hard and fast definition of “serious harm” has been provided, it is reasonable to assume that any type of harm – be it physical, psychological, or financial – would likely fall under the category of serious.  This is especially true of information of a sensitive nature or involving an individual’s health.  For example, loss of information involving medical allergies could result in life-threatening circumstances for an individual in a serious accident, or unauthorised access to financial information could result in identity theft and financial loss.

What Should Be Done When a Data Breach Is Suspected?

If a data breach is suspected, there are four key steps to be followed: contain, assess, notify, and review.  Of course, as soon as a data breach is suspected it should be contained to prevent any additional compromise of information.  Next, it should be thoroughly assessed by determining who was affected and what data was compromised, followed by risk assessment and, if possible, remediation.  The third step is notification. The final step is a review of the incident and developing a plan of action to prevent a similar breach from occurring again.

Who Needs to be Notified?

According to the Office of the Australian Information Commissioner,

“The NDB scheme introduced an obligation to notify individuals whose personal information is involved in a data breach that is likely to result in serious harm.”

In addition, the Australian Information Commissioner must also be notified of the breach, and this information can be submitted via an online form.

When Must Notification Take Place?

Notification must take place as soon as the organisation can determine what information was compromised and who was affected.

What Information Must Needs to be Included?

The following information must be included as part of the notification:

• The identity and contact information for the organisation
• A description of the data breach that took place
• The type of information that was involved in the breach
• Recommendations as to what steps the affected individual should take as a result of the breach

In terms of notifying individuals, there are two basic options available as to how the notification should take place: either notify all individuals or notify only the individuals who are at risk of serious harm.

If it is not practicable to notify individuals, then a statement about the breach can be published on the organisation’s website and then publicised.

What Happens When an Organisation Fails to Notify?

If an organisation fails to notify the affected individuals and the Australian Information commissioner of an eligible breach, fines of up to $2.1 million are possible.  However, there is also the possibility of compensation for affected individuals if there is a privacy compliance failure.  Compensation averages between $10,000 and $15,000 per individual if their complaint is successful.

Conclusion

Mandatory data breach notification is a critical part of the Notifiable Data Breach scheme, and failure to comply with notification requirements can result in hefty fines and compensation for those affected.  If you are an organisation in Australia that deals with any type of personal information, then you need to know what your responsibilities are and how to respond should an eligible data breach occur under your watch.

As providers are all too well aware, their payments from Medicare are affected by their score in the Merit-based Incentive Payment System (MIPS). MIPS imposes a number of requirements; if these are not met, payments may be reduced or denied.

The MIPS requirements apply to all Medicare claims, even those whose performance is not necessarily affected by a MIPS constraint. Among these universal requirements is the meaningful use of electronic health records (EHRs). Within the EHR requirements, we have the promotion of interoperability with other EHR systems, and within that, we have the security requirements. Among the security requirements is an annual security risk assessment.

What Has Changed?

In the Federal Register of July 27, 2018, the Centers for Medicare and Medicaid Services (CMS) proposes that the current security risk assessment requirement in MIPS be replaced. The suggested replacement will be an attestation to the activities included in the security risk assessment standard that has been performed in the past MIPS year.

This essentially switches the scoring of the security risk requirement from the equivalent of a numeric grade to a pass/fail scoring system. A practice or institution passes if it has done the assessment; how well it has done on the assessment falls by the wayside. The requirements are stated in a bare-bones fashion in the Code of Federal Regulations at 45 CFR 164.308.

CMS states that their rationale is, in part, a result of the realization that a risk assessment is done well, or not at all.

What A Serious Risk Assessment Entails

The thinking behind this can be found in the Office of Civil Rights (OCR) newsletter for April 2018.  This newsletter distinguishes a gap analysis (“find the holes”) from a security risk assessment (“make sure there are no holes”). It is a highly useful guide to discerning the scope and the level of effort required for a serious risk assessment.

An article on the HHS website goes into greater detail explaining what is subject to the security rules and why:

All e-PHI created, received, maintained or transmitted by an organization is subject to the Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the security or integrity of e-PHI. Risk analysis is the first step in that process.

The guidance issues from OCR noted that the CFR requirements are divided into two categories: required and addressable.

The addressable requirements are not optional. Rather, if the approach specified in an addressable requirement is not feasible, the provider organization must develop an effective alternative to approach to achieve the same end and document this. The tendency to document-but-not-implement should be firmly resisted.

Did You Really Do A Risk Assessment?

Experts suggest that OCR has significantly underestimated the time required to do a serious risk assessment. Obviously, you have to look at hardware-associated risks. Are the BIOS files in your desktops and laptops updated? Has router firmware been updated?

You must take a hard look at software-associated risks as well. Are operating systems patched? You must strategically assess administrative risks: are you enforcing complex password requirements? Are you using biometric identifiers? Is data access truly on a need-to-know basis?

A Helicopter-Level View Is Not Adequate

The reader may protest that those concerns are nowhere to be found in the guidance. True. The point is that an adequate risk assessment will have revealed these as questions that need to be asked on a day-to-day operational basis. A risk assessment that is not dynamic misses all the critical points of vulnerability.

A risk assessment should point out any unnecessary risks and then offer a solid plan to eliminate them. It’s good to remember that the whole point of the endeavor is to make sure that the government (and all organizations) move toward the better Internet and network security. With cyber breaches occurring on almost a daily basis, there’s every need to be more cautious about how we handle, store, and transmit Big Data.

The current cost of a data breach has reached between $1.3 million and $3.5 million. The number one most sought-after data that hackers are vying for is healthcare information. On the Dark Web, 30,000 up-to-date healthcare records will fetch a pretty price.

Conclusion

Under this proposed rule change, you will no longer be given a percent of compliance score on your risk assessment. You will simply be in or out of compliance. The upside is less administrative hassle; all you have to do is carry out the activities and attest that you did this. The downside is that this may lead to a relaxation of vigilance at a time when threats are constantly increasing.

Of course, you will be living in a kicked anthill for days. The trick is to make sure that all the scurrying around is not just mindless motion, but actually protects the organization by:

• Meeting legal responsibilities,
• Protecting the organization’s reputation to the extent possible,
• Immediately stopping intrusions and mitigating the damages,
• Finding out how the breach occurred,
• Repairing the vulnerabilities, and,
• Making sure your risk assessment, security plans, and operating procedures reflect any necessary changes.

Meeting Legal Responsibilities

The Health Insurance Portability and Accountability Act (HIPAA) breach notification rule essentially requires entities that have had a breach to inform the Department of Health and Human Services (HHS), the affected individuals, and in some cases, the media, within 60 days. There are exceptions, but these are best handled by lawyers. Since there are stiff penalties for not reporting security breaches that should have been reported, but no penalties for reporting security breaches that did not need to be reported, it’s best to err on the side of caution.

Protecting the Organization’s Reputation To The Extent Possible

It is unfortunately not true that there is no such thing as bad publicity. Your organization’s reputation is going to take at least a small hit. Perhaps the worst example possible is the behavior of Experian, a credit reporting service, in response to its massive data breach. They failed to report it, they did not notify affected individuals, they dribbled out information, repeatedly contradicted the information they dribbled out, and immediately tried to monetize the breach by selling protective services to those affected. Everything that could have been done wrong in the early phase was done wrong. Apply the Golden Rule here. Look at things from the perspective of those whose data has been exposed. What would they want to be done? Figure that out, and at least pledge to do that much.

Immediately Stopping Intrusions and Mitigating the Damages

The first step is to get the affected devices off the network and isolated, so they can no longer serve as points of entry. The next step is to check the system and audit logs to identify the source of the penetration. Thirdly, it’s important to force an immediate password change for everyone, if passwords are still being used. Of course, if the source of the breach is the medical director’s smartphone, which was left in an Uber, the only way this data can be remotely deleted is for companies using a Mobile Device Management plan.

Finding Out How The Breach Occurred

In some cases (see above), the source of the data breach will be glaringly obvious. In others, it may be very hard to find. Your own IT staff may be too close to the problem to see it. In those cases, bringing in a computer forensics firm may be useful or even essential. Determining the root cause of the breach, once the details are known, requires thinking through policies and procedures. You’ll need the skills of a good detective, combined with those of an excellent IT specialist.

As illustrated above, there is always a tradeoff between ease of access and security of access. Does everyone really need remote access to patient records at all times, using devices that can be lost or stolen? Depending on the organization and how it delivers services, the answer may be yes or no. But if it is “no,” serious consideration should be given to limiting remote access. Of course, if you’re working with a managed IT services provider, they can set you up with a Mobile Device Management plan so that any lost or stolen devices can be remotely wiped of all data.

Repairing The Vulnerabilities

Once the source of the breach and the root cause have been identified, the vulnerabilities need to be repaired. The issue of 24/7 remote access from stealable devices is one example. Use of cloud services is another. Having data in the cloud is wonderful. Having unprotected data in the cloud is not. Several recent breaches have occurred because, even though access to the cloud from an organization’s network was protected, the server in the cloud itself was totally open – no password in place. Granted, this defies imagination, but it has happened more than once.

If something like this has occurred, every policy and procedure that relates to the root cause needs to be looked at. This has to be done slowly and carefully; it is not an exercise to be carried out in panic mode. In most cases, this type of error will not occur if you’re working with a managed IT services provider. They have too many checks and balances in place to allow such a glaring mistake.

It most often happens to companies who employ poorly trained in-house IT staff who spend all day playing games and talking with friends on social media. Again, though this scenario is shocking, it is occurring across the nation with more frequency. Don’t let your CEO find out the hard way that his in-house IT people actually don’t have much network and computer experience. Their last job was serving up hamburgers at a local fast-food chain.

Making Sure Your Risk Assessment, Security Plans, And Operating Procedures Reflect Any Necessary Changes

Having a credible, annually updated risk assessment is part of the HIPAA Security Rule. A breach presents an opportunity here. If it occurred, your risk assessment either did not identify it or did not prioritize it; your security plan did not encompass it; your operating procedures ignored it, or some combination of the above occurred. The breach gives you a chance to rethink the security assessment, the security plan, and your operating procedures. Take advantage of it.

Conclusion

A data breach is painful, but it is also an opportunity for health care organizations to assess their security approaches and make improvements. Never waste a crisis. If you have onsite IT staff members, they may need more thorough training in security protocols. In fact, this is probably a good time to ask a local managed IT services provider to come out and hold security awareness classes for your entire workforce.