Consortium News

  • 23 Mar 2015 9:34 AM | Brian Kelley
    Retrieved from | By Darius Tahir | March 20, 2015

    Draft regulations the CMS issued Friday would make significant changes to the federal incentive program that requires doctors and hospitals to adopt and meaningfully use electronic health records.

    With some exceptions, hospitals, physicians and other eligible professionals would be expected to conform to the rules (PDF) by 2018.

    Physicians and hospitals have lobbied aggressively for the CMS to relax the program's parameters. The agency said in January it would issue separate regulations narrowing the reporting period to 90 days for attesting to meeting the requirements for 2015.

    The proposed rule would require nearly all providers to report on a full calendar-year cycle beginning in 2017 and would require electronic reporting of clinical quality measures beginning in 2018.
    “The release of today's rule demonstrates that the agency continues to create policies for the future without fixing the problems the program faces today,” the American Hospital Association said in a statement Friday. “It is difficult to understand the rush to raise the bar yet again, when only 35% of hospitals and a small fraction of physicians have met the Stage 2 requirements.”
    Physicians and other eligible professionals who fail to meet the requirements are expected to pay $500 million in Medicare penalties between 2018 and 2020, according to the proposed rule. The agency said it expects all hospitals to achieve meaningful use by 2018.

    Upgrading EHRs to meet the requirements, the agency estimates, will cost physicians $54,000, plus $10,000 in annual maintenance costs. That's at the high end of what the Congressional Budget Office calculated in 2008. The CMS said upgrades would cost hospitals $5 million, plus $1 million for annual maintenance.

    The rule would give providers three options for ensuring patient engagement with their care, of which providers must fulfill two: access to their own records; secure messaging between patients and providers; and collection of patient-generated health data.

    The first two elements had attracted consistent criticism from providers in previous stages of the program, but the exact impact is unclear. In the Stage 2 rules, 5% of patients would have to view, download or transmit data from their records, which providers said made them responsible for the engagement regardless of whether patients were interested.

    The new rule would raise that engagement threshold to 25% of patients downloading or transmitting their health data. But providers can now satisfy the requirement with an application programming interface, or API, that allows third-party developers to access the data on their patients' behalf.

    The rule would also impose a similar increase in the rate of secure messaging: from 5% in Stage 2, to 25% in Stage 3.

    Meanwhile, the provision would compel providers to collect patient-generated health data in their EHRs from devices such as Fitbits or mobile apps developed with Apple's HealthKit API. Providers would have to capture data from 15% of their patients to comply.

    The digital health industry pushed aggressively for the CMS to push providers to collect the data their products generate. “I'm beyond pleased and finally vindicated,” said Robert Jarrin, Qualcomm's senior director of government affairs.

    The proposal also raises the thresholds for “computerized physician order entry,” which allows doctors to send requests for drugs, lab tests and imaging electronically. Providers would be expected to order 80% of medications electronically, up from 60% under Stage 2 of the program. The requirement for electronic lab and imaging orders would rise to 60% from 30%.

    For imaging, the proposed rule expands the requirement from radiology to a broader array of tests, including ultrasound, MRI and CT scans.

    Separate regulations proposed by HHS' Office of the National Coordinator for Health Information Technology overhaul the certification program (PDF) for healthcare IT, which is intended to give healthcare providers certainty that the software they buy can perform the functions required under the meaningful-use program.

    Comments on the proposals are due May 29.

  • 18 Mar 2015 10:38 AM | Brian Kelley
    Retrieved from | By Adam Rubenfire | March 17, 2015

    Premera Blue Cross, a health plan in the Pacific Northwest, was hit with the second-biggest cyberattack in healthcare industry history, exposing the personal, financial and medical information of more than 11 million customers.

    The Mountlake Terrace, Wash.-based company discovered the attack on Jan. 29, 2015. An investigation revealed that the initial attack occurred May 5, 2014. The breach affected Premera Blue Cross, Premera Blue Cross and Blue Shield of Alaska, and Premera affiliate brands Vivacity and Connexion Insurance Solutions.

    Premera said the company has not been able to determine if any data was actually removed from the company's systems and that there's no evidence that any of the records in the breached system have been used inappropriately.

    The revelation comes just six weeks after Anthem, the nation's largest investor-owned Blues licensee, disclosed that hackers had stolen the records of nearly 80 million from its IT system.

    Information exposed in the hack dates back to 2002. The company said the records could include members' names, dates of birth, Social Security numbers, mailing addresses, e-mail addresses, telephone numbers, member identification numbers, bank account information and claims information, including clinical information.

    As with the Anthem hack, the Premera breach affects some customers of other Blues plans that participate in the national, reciprocal claims payment network called BlueCard, a Premera spokeswoman confirmed. The network is often used for members who travel out of their insurer's service area for care.

    Premera Blue Cross is beginning to mail letters to affected customers offering two years of free credit monitoring and identity theft protection. The company also has established a call center and a website dedicated to information about the breach.
    "We at Premera take this issue seriously and sincerely regret the concern it may cause," Premera CEO Jeff Roe said in a statement. "As much as possible, we want to make this event our burden, not that of the affected individuals, by making services available today to help protect people's information."
    If the ongoing investigation confirms that no data was removed from Premera's system, customers could face less of a risk than Anthem's customers. But the company may be offering protection to customers because it can't be sure that's the case, said Mac McMillan, a healthcare security expert and founder of CynergisTek, an Austin, Texas-based security consultancy.
    "It could very well be they can't prove the negative," McMillan said. "They can't disprove that these people had access to that information."
    It's possible but not likely that the individuals could have downloaded the data from Premera's servers but left no evidence that they removed the data, McMillan said. Stealing data without leaving a trace is very difficult, he said, because usually only high-level administrators have the ability to eliminate audit trails.

    Hackers also may have infiltrated the system without the intention of stealing data, McMillan said. Cyberattackers sometimes look for insecure systems and manipulate them to create bots that can be used in other cyberattacks, he said.

    Premera has worked closely with the FBI and Mandiant, a major cybersecurity firm, to investigate and remove the "infection created by the attack," the company said. An FBI spokeswoman said in a statement that Premera "quickly" notified the law enforcement agency about the attack but declined to give a specific time frame.

    In the Anthem hack, the initial investigation indicated that members' bank or clinical records were not exposed. The inclusion of that information in the Premera breach makes it particularly disconcerting, said Pam Dixon, executive director of the World Privacy Forum, a San Diego-based not-for-profit organization that pioneered research into the field of medical identity theft.
    "The recent spate of advanced medical breaches show us that the word is out about the value of medical data, and the sophisticated level of criminals making these attacks," Dixon said in a statement. "Patients need to be prepared and educated about both medical ID theft and phishing, and providers need to be honest about the risk of medical forms of ID theft."
    Cyberattacks are one of the least common ways that protected health information is exposed, but the episodes typically involve dramatically bigger numbers of records.

    Nearly three-quarters of the records exposed in healthcare breaches reported to HHS have been linked to cyberattacks, even though those attacks account for less than 10% of the breaches, according to a Modern Healthcare analysis of HHS data.

    "(Hackers) clearly have an eye on these types of organizations who hold financial information, but also very sensitive healthcare information," said Paul Bantick, an underwriter for cybersecurity insurer Beazley, which also provides services for organizations responding to attacks.

    "The best way for these organizations to mitigate the damage," Bantick said, "is to respond and contain it as best as you can."

  • 17 Mar 2015 4:02 PM | Brian Kelley
    Retrieved from   |   By Ivan Ristic   |   March 17, 2015

    Vulnerabilities such as Heartbleed, POODLE, and FREAK are starting to alert the world to the importance of good security hygiene in our communication infrastructure. The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols have never been under as much scrutiny as they are today. We can trace this interest back as far as 2008, and it shows no signs of slowing down. But although most attention is on protocol vulnerabilities, most organizations don't realize that their own actions are proving to be bigger problems in practice.

    In most companies—it seems—certificates are accounted for using spreadsheets. Security of secure servers is flagged up only when there is a major public discovery. Otherwise, little is done to get the most of the security mechanisms that are available today. We can't really say that system administrators are to blame: TLS is notoriously flexible and configuring it correctly requires great time and effort. Furthermore, application-layer decisions can often negatively impact the security of otherwise properly configured servers.

    In 2009, we began our work on SSL Labs, our research centre for SSL, TLS, and Internet PKI, with the aim to understand how these technologies are used around the world, and to provide tools and documentation to help everyone make the most of them. Although the list of best practices is long (we maintain a concise document called SSL/TLS Deployment Best Practices; it currently has 14 pages), over time we realized that there is a small number of super-important things to get right.

    Encrypt your entire web site

    If you're currently deploying encryption only on a part of your web site, you're leaving a huge gap for your adversaries to exploit. Using so-called SSL stripping attacks, network attackers can gain control of any unencrypted user session and permanently prevent it from moving to an encrypted connection. With full encryption, there's no opportunity for network attackers to strike.

    Almost equally importantly, you should deploy a new standard called HTTP Strict Transport Security, which ensures that your users' browsers never attempt insecure communication, even when tricked by savvy attackers.

    Deploy modern protocols and cipher suites

    If you haven't looked at your servers in a couple of years, chances are that, even if they are not obviously insecure, they are running obsolete security protocols. If so, you should plan to upgrade as soon as possible to use new features such as TLS 1.2, forward secrecy and authenticated encryption suites, and to phase out old features such as SSL 2, SSL 3, RSA key exchange, CBC suites, and RC4. Additionally, these days SSL configuration is used as a proxy to determine someone's security posture. This is yet another reason to upgrade now and show that your security is strong!

    Phase out your existing SHA1 certificates

    This is not really a part of our best practices, but something you need to do today. The PKI ecosystem is currently transitioning away from weak SHA1 certificates. Although the hard transition deadline is at the end of 2016, some long-lived SHA1 certificates today might produce warnings in browsers. If you have SHA1 certificates that expire in 2016 or later, you should act now to replace them with SHA256 certificates. Alternatively, if you're worried about cutting off some parts of your user base, continue to use SHA1 but with certificates that expire in 2015.

    Monitor your site and mitigate known problems

    Nothing stays perfectly secure. Even if you do your best today, a new disclosure tomorrow may break your security. The only way to deal with this problem is to continuously monitor your security posture and react when changes are detected. For SSL, we provide free assessment tools on our web site. Our server assessment tool will not only tell you about potential security problems, but also about issues that might impact your site availability. And, if you have a large number of servers to scan, we also have a free API to help you automate that task.
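
    The four recommendations above can be turned into an automated check. The following is an added example, not code from SSL Labs or from the article's author: it audits a constructed snapshot of a server's TLS posture against them. The snapshot field names and finding labels are assumptions made for illustration; in practice the snapshot would be filled in from your own scanner's output.

```python
from datetime import date

# Article: SHA1 certificates that expire in 2016 or later should be replaced now.
SHA1_CUTOFF = date(2016, 1, 1)
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3"}


def parse_hsts(header):
    """Return max-age (seconds) from a Strict-Transport-Security value, or None."""
    if not header:
        return None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age":      # directive names are case-insensitive
            value = value.strip().strip('"')       # the value may be a quoted string
            return int(value) if value.isdigit() else None
    return None


def classify_suite(iana_name):
    """Return the weaknesses the article lists for one IANA cipher-suite name."""
    kx, sep, cipher = iana_name.partition("_WITH_")
    if not sep:
        # TLS 1.3-style name: key exchange is negotiated separately, nothing to flag.
        return set()
    issues = set()
    if kx == "TLS_RSA":
        issues.add("rsa-key-exchange")             # static RSA: no forward secrecy
    elif "DHE" not in kx:                          # matches both DHE and ECDHE
        issues.add("no-forward-secrecy")
    if "RC4" in cipher:
        issues.add("rc4")
    if "_CBC_" in cipher:
        issues.add("cbc")
    return issues


def sha1_cert_finding(sig_alg, not_after):
    """Flag a SHA1-signed certificate only if it expires in 2016 or later."""
    if "sha1" in sig_alg.lower() and not_after >= SHA1_CUTOFF:
        return "sha1-cert-expires-2016-or-later"
    return None


def audit(snapshot):
    """Return an ordered list of findings for one server snapshot (hypothetical schema)."""
    findings = []
    if snapshot["serves_plain_http_content"]:
        findings.append("partial-encryption")
    if not parse_hsts(snapshot.get("hsts")):       # absent, malformed, or max-age=0
        findings.append("hsts-missing-or-disabled")
    offered = set(snapshot["protocols"])
    findings += [f"obsolete-protocol:{p}" for p in sorted(OBSOLETE_PROTOCOLS & offered)]
    if "TLSv1.2" not in offered:
        findings.append("tls1.2-not-offered")
    suite_issues = set()
    for suite in snapshot["suites"]:
        suite_issues |= classify_suite(suite)
    findings += [f"suite:{i}" for i in sorted(suite_issues)]
    cert = sha1_cert_finding(snapshot["cert_sig_alg"], snapshot["cert_not_after"])
    if cert:
        findings.append(cert)
    return findings


# Constructed sample snapshots (not real scan results).
LEGACY = {
    "serves_plain_http_content": True,
    "hsts": None,
    "protocols": ["SSLv3", "TLSv1.0"],
    "suites": ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"],
    "cert_sig_alg": "sha1WithRSAEncryption",
    "cert_not_after": date(2017, 3, 1),
}
MODERN = {
    "serves_plain_http_content": False,
    "hsts": "max-age=31536000; includeSubDomains",
    "protocols": ["TLSv1.2"],
    "suites": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    "cert_sig_alg": "sha256WithRSAEncryption",
    "cert_not_after": date(2016, 6, 1),
}

if __name__ == "__main__":
    for label, snap in (("legacy", LEGACY), ("modern", MODERN)):
        print(label, audit(snap) or "no findings")
```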

  • 11 Mar 2015 4:12 PM | Brian Kelley
    Bipartisan bill would increase access to Medicare data

    Retrieved from   |   Beth Walsh  |  Mar 11 

    Bipartisan legislation introduced by Senators Tammy Baldwin (D-Wisc.) and John Thune (R-S.D.) would increase the transparency of healthcare costs in Medicare.
    "Medicare is the single largest payer of healthcare services in the country, spending over $600 billion each year. But we know very little about what we are paying for,” said Baldwin in a release. “The Quality Data, Quality Healthcare Act provides access to that data and puts it into the hands of those who can best use it, helping doctors make more informed decisions and improving how we deliver healthcare.”
    “Almost every business relies on metrics to evaluate what it is doing well and what it needs to improve, CMS—America’s largest health care payer should be no different,” said Thune. “Providing access to data that can be used to evaluate healthcare services is a critical component of increasing transparency and reducing healthcare costs. I hope our colleagues will join us in supporting this common-sense measure to improve the quality of healthcare while reducing costs.”
    As the largest payer of healthcare in the United States, the Centers for Medicare & Medicaid Services (CMS) sits on a wealth of information that can help inform healthcare providers in making better decisions that will improve patient care and reduce costs. Economists have argued that expanding access to Medicare cost and utilization data will increase efficiency in healthcare delivery, reduce costs and improve the quality of care.

    The senators said that recent efforts by the administration to increase access to Medicare data are promising, but lack the necessary detail and context to be most useful. They said that the Qualified Entity (QE) program is a more promising effort created by Congress that allows organizations to access and analyze comprehensive Medicare data for select purposes. "The QE program has the potential to empower our nation’s healthcare decision-makers to make better choices. However, current law is far too restrictive on which organizations can participate in the QE program, what QEs can do with the Medicare data once they have received it and the degree to which QEs can support their own data maintenance infrastructures," they said.

    The Quality Data, Quality Healthcare Act would allow organizations receiving Medicare data to analyze and redistribute it to authorized subscribers, such as insurers, health systems and physicians, so that subscribers can make more informed decisions. It also would permit those entities to charge a fee to their subscribers so that the organizations can conduct robust analyses to improve healthcare quality and reduce costs.

    The senators first introduced this bipartisan legislation last Congress. It is supported by a broad coalition, including: AARP, American Academy of Family Physicians, ASC Association, Health Collaborative, National Coalition on Health Care, National Association of Manufacturers, National Consumers League, National Retail Federation, Network for Regional Healthcare Improvement, Pacific Business Group on Health, and Midwest Business Group on Health.

    Access a summary of the act.

  • 11 Mar 2015 3:49 PM | Brian Kelley
    BCBSMA, American Well to launch video visits pilot with two physician groups

    Retrieved from mobiHealthNews   |   Aditi Pai   |   Mar 11, 2015

    Blue Cross Blue Shield of Massachusetts has partnered with American Well to pilot the company’s video visits offering, called WellConnection, with two physician groups, Emerson Physician Hospital Organization (Emerson PHO) and Lowell General Physician Hospital Organization (LGPHO). BCBSMA nurse care managers will also pilot the offering with members.

    WellConnection is a white-labeled version of American Well’s digital video visits offering that helps patients consult with physicians via their computers, smartphones, or tablets.

    The physician groups participating in the pilot are a part of BCBSMA’s Alternative Quality Contract (AQC) program, which is what the payor calls its accountable care initiative. BCBSMA launched its AQC model in 2008.

    Over the course of the two-year pilot, providers will use WellConnection to conduct video visits with patients to address a variety of health issues that are ultimately up to the discretion of the participating physicians. BCBSMA offered up a few examples: providers can use the offering to monitor a patient’s concussion recovery, offer wellness coaching, check the patient’s response to a medication, or monitor a patient’s recovery after they were hospitalized.

    BCBSMA Director of Network Innovation Greg LeGrow told MobiHealthNews that video visits have the potential to improve cost, access, quality, efficiency, as well as patient and physician satisfaction.
    "On the cost and utilizations front, we really see telemedicine having the capability to better manage cost by scheduling and shifting certain portions of care to a telemedicine or video visit," LeGrow said. "Number two is preventing potential unnecessary emergency department visits as well as shifting some of those visits to other resources. So moving it from, perhaps, a physician to physician extenders or nurse practitioners. We also think there is an ability to improve access. That’s really just providing patients with more timely, convenient, and cost-effective alternatives to coming into the office."
    LeGrow added that although cost, access, and satisfaction are important, the cornerstone of Alternative Quality Contract is to improve quality and video visits will help with this, especially because, he said, this offering can help providers better manage patients’ chronic conditions, which generally require more frequent follow-ups.

    BCBSMA is encouraging providers to use this tool with all of their patients — even those who are not covered under Blue Cross — but physicians have the discretion to waive fees for their Blue Cross insured patients.
    "Not all providers might want to waive fees for Blue Cross of Mass members for every use case," LeGrow said. "If it is to deal with a simple acute condition, such as a sinus infection, a headache, a urinary tract infection, they may still want to have that service fee and have that service fee be a governor, just like a copay does — to have the patients have some skin in the game. But for conditions where they typically don’t bring patients into the office, if they’re doing chronic condition management and following up with phone calls, they may want to do that video visit. We believe that a video visit could improve engagement with these members and in those cases they’d probably think of waiving those fees."
    An early version of this pilot was first announced in July 2013, but wasn’t launched until now.
    "We have worked very hard to find the right groups who were interested and willing to participate and honestly have the right use cases put forward in order to test the efficacy of telemedicine," LeGrow explained. "So this is coming to fruition."
    When the pilot was announced, American Well CEO Dr. Roy Schoenberg said BCBSMA was one of the first payors "to embrace telehealth under the flag of improving [care] quality".

    The two practices from the Lowell General Physician Hospital Organization participating in the trial are Mill City Medical Group of Lowell and the office of Damian Folch of Chelmsford. Emerson PHO is still identifying which practices from its organization are participating.

  • 10 Mar 2015 12:39 PM | Brian Kelley
    More on the first five Apple ResearchKit apps
    mobiHealthNews  |  By: Aditi Pai  |  Mar 9, 2015

    During Apple’s most recent event, the company launched a new health offering — arguably its most clinically-focused yet — called ResearchKit. The open source platform helps researchers build medical apps and more easily recruit patients for clinical trials and other research projects.
    "iOS apps already help millions of customers track and improve their health," Jeff Williams, Apple’s senior vice president of Operations said in a statement. "With hundreds of millions of iPhones in use around the world, we saw an opportunity for Apple to have an even greater impact by empowering people to participate in and contribute to medical research. ResearchKit gives the scientific community access to a diverse, global population and more ways to collect data than ever before."
    With the patient’s permission, researchers can collect certain data points, for example weight, blood pressure, glucose levels, and asthma inhaler use, from HealthKit. HealthKit is a health platform from Apple that launched in September and syncs data from third party apps and devices to a user-facing app called Health. Depending on the data needed for the study, researchers can also use the ResearchKit platform to request access to the smartphone’s accelerometer, microphone, gyroscope, and GPS sensors. These sensors could help in studies looking at, for example, a patient’s gait, motor impairment, fitness, speech, and memory.

    Already, Apple has partnered with several big name medical institutions to launch five apps that address: asthma, breast cancer, cardiovascular disease, diabetes and Parkinson’s disease. These apps are supported on the iPhone 5, iPhone 5s, iPhone 6, iPhone 6 Plus, and the latest generation of iPod touch.

    Here are the first five apps using Apple’s ResearchKit platform:

    Asthma Health by Mount Sinai was developed by the Icahn School of Medicine at Mount Sinai, Weill Cornell Medical College, and LifeMap Solutions. The app aims to help patients adhere to their treatment plans and avoid asthma triggers. Patients can use the app to record daytime and nighttime asthma symptoms as well as how they affect the patient’s activities. It also tracks daily usage of controller and rescue inhalers along with asthma triggers: colds, increased physical activity, strong smells, exhaust fumes, house dust, peak flow, and animals. Finally, it tracks emergency department visits, medical visits, and changes in medication. The app will also send updates about when users should take medication and what the air quality is like in a specific location.

    To join the study, users need to be 18 or older, have asthma confirmed by a doctor and be prescribed medication for asthma. If the participant smokes, has another lung condition, or has congestive heart failure, they can’t participate.

    Share the Journey was developed by the Dana-Farber Cancer Institute, Penn Medicine, UCLA’s Jonsson Comprehensive Cancer Center, and Sage Bionetworks, a nonprofit research organization. This study also received funding from the Robert Wood Johnson Foundation. The app aims to analyze why some breast cancer survivors recover faster than others, why patients’ symptoms vary over time, and what can be done to improve their symptoms. The app will send patients questionnaires and collect sensor data to track five common symptoms of breast cancer treatment: fatigue, mood, cognitive changes, sleep disturbances, and changes in exercise. ResearchKit will pull data from HealthKit to collect data on steps, sleep, and the patients’ birthdate, height, and weight. Patients will also contribute to an in-app diary about their data. According to Sage Bionetworks, recording this data should not take longer than 20 minutes per week.
    "One reason to build these apps and run these studies is to see whether we can turn anecdotes into signals, and by generating signals, find windows for intervention," Stephen Friend, president of Sage Bionetworks and Share the Journey principal investigator said in a statement. "We’re most interested in disease variations, and the hourly, daily, or weekly ebb and flow of symptoms that are not being tracked and completely missed by biannual visits to the doctor."
    To participate in the study, the patient must be a woman between the ages of 18 and 80.

    Parkinson mPower study app was also developed by Sage Bionetworks, but this one was created in partnership with University of Rochester, Beijing Institute of Geriatrics, and The Michael J. Fox Foundation for Parkinson’s Research. mPower stands for "mobile Parkinson observatory for worldwide, evidence-based research". The app description explains that although "living with Parkinson disease means coping with symptoms that change daily," these changes are not tracked frequently enough. The mPower app aims to help users track their symptoms using activities including a memory game, finger tapping, speaking, and walking. The app will also collect data from wearable devices. Although the app aims to further research in Parkinson disease, the researchers encourage people with or without Parkinson disease to download the app.
    "We know that Parkinson’s disease symptoms fluctuate over the course of a day, or a week, but that has never been measured objectively," Ray Dorsey, co-director of the Center for Human Experimental Therapeutics at the University of Rochester Medical Center, said in a statement. "The mPower study will enable us to learn from patients, and we’ll be able to give information back to patients so they can manage their conditions regardless of where they live and regardless of their mobility."
    GlucoSuccess was developed by Massachusetts General Hospital to help their research team create a crowd-sourced database of health behaviors and glucose values for people with type 2 diabetes, but the researchers also aim to help patients learn how their behaviors affect their health. Participants will track activity duration and intensity, diet information, blood glucose measurements, body weight, and waist size. The app will help remind users to log blood glucose data and record diet information through nutrition tracking app LoseIt. Using this data, GlucoSuccess will be able to provide users with insights into how their fitness and nutrition data relate to "finger-stick blood glucose values". Participants must be 18 or older, live in the US, and have an existing diagnosis of pre-diabetes or diabetes.

    MyHeart Counts was developed by Stanford Medicine to help the medical organization improve their understanding of heart health. The app measures activity through the Apple Watch, which offers a heart rate sensor, sensors in the iPhone, or a third-party wearable activity device linked to Health app. It will also ask users — who are able — to complete a 6 minute walk test. If users sync their cholesterol results and blood pressure, the MyHeart Counts app will also calculate their risk for future heart attack or stroke and provide them with a "heart age." Stanford explains that on top of providing reminders about recording activity and sleep and completing surveys on physical activity readiness, the university "may also ask you to test different approaches to help you be more active so we can understand how mobile apps in the future can help prevent heart disease." Participants must be 18 years or older, based in the US, and able to understand English.

  • 26 Feb 2015 9:57 AM | Brian Kelley
    Tableau for Healthcare Professionals
    Beginner and Intermediate Level

    March 12-13, 2015  |  Waltham, MA

    MHDC Members: receive a 10% discount!

    This two-day course is designed for the healthcare professional who works with data (regardless of technical or analytical background), with a beginner to intermediate Tableau skill level. The course will be delivered through lecture with demonstration, followed by extensive hands-on practice with specific healthcare case studies in Tableau-ready workbooks. Our course is designed to resonate with the healthcare professional using the language and data of healthcare.

    This hands-on healthcare-centric training program integrates the best practices of data visualization as you learn how to build tables, graphs, charts and dashboards using Tableau software. Onsite training computers will be equipped with Tableau software, workbooks and healthcare datasets that have been selected to best demonstrate different visualization types.

    Learning Objectives

    When you complete this course you will be able to:

    • Connect to data utilizing a variety of options
    • Effectively navigate the Tableau workspace layout – components, shelves, data elements, and terminology
    • Effectively build basic data reports using the following visualization types:
      • Text Table
      • Bar Graph
      • Line Chart
      • Area Chart
      • Scatter Plot
      • Table Lens
      • Box and Whisker
      • Histogram
      • Small Multiples
      • Bar / Line Variance
      • Geographic Map
      • Heat Map
      • Bullet Graph
      • Pareto Chart
    • Use the sort, group, bin, hierarchy, set, and filter options effectively
    • Create and utilize basic calculated fields, table calculations, and parameters
    • Use Trend Lines, Reference Lines, and statistical techniques to describe the data
    • Work with the many formatting options to fine tune the presentation of your visualizations
    • Effectively use table joins and data blending
    • Combine visualizations into Interactive Dashboards
    • Describe options for sharing your visualizations with others
    • Describe how to ensure the security of the healthcare data

    Course Information

    • Course Instructor: Dan Benevento, our Principal and Senior Consultant, is Tableau-certified and a data visualization expert with a passion for using healthcare data to save the world. A black belt in the use and application of Tableau, Dan has collaborated with IT teams at leading companies and organizations nationwide to build databases and create hundreds of time-saving, high-impact reports and dashboards. His interactive perioperative dashboards and reports custom-designed for Directors of Surgery have streamlined medical procedures, lowered costs, and made patients safer.
    In addition to Dan, Tableau instructors will be circulating the room to answer specific questions and provide individual attention as needed.

    Questions: Email questions to or call 617-663-5510 between the hours of 9:00am and 5:00pm EST.

  • 25 Feb 2015 2:04 PM | Brian Kelley

    Retrieved from Life as a Healthcare CIO: John Halamka, MD

    Making Time for Innovation

    CIOs are at a challenging crossroads in their careers.   Regulatory burdens, security threats, and changing reimbursement models have led to a demand for change that seems overwhelming.   As workflow pressures increase, it’s easy to declare IT the rate limiting step.

    Given that many CIOs are ready to raise the white flag of defeat in desperation, finding time for innovation amidst the swirl of must do projects can be a challenge.

    My hope, and something I strive to do, is to take the long view, asking what innovations we’ll need in the next few years, which will enhance productivity, and possibly serve as generalizable tools, reducing the number of requests for niche systems. As I think about 2016, here are a few of the kinds of innovations I think we’ll want for healthcare organizations:

    1. In our home lives, we use cloud hosted storage accessible on our personal devices. How can we give folks the same easy access to their files (in lieu of the SSLVPN web-based access) while still protecting patient privacy?
    2. In our home lives, we use social networking - Facebook, LinkedIn, and Google+ to provide collaboration spaces for sharing ideas, messages, and files among groups. How do we offer these kinds of applications to support our work lives? Is Slack a good fit for healthcare organizations?
    3. In our home lives, we use texting for communication among teams. How do we deploy secure, enterprise grade texting that is fault tolerant, supports delegation (if you are unreachable), role-based messaging (the current administrator on call, whoever that is), and audibility? Per Harvard rules, I must disclose that I serve on the Board of Directors for Imprivata which produces such a product. I will recuse myself from any decision making processes about secure texting procurement.
    4. As I’ve blogged about previously, patient generated healthcare data will become increasingly important and we need to be able to incorporate objective data (home devices) from smartphone middleware like HealthKit and subjective data (electronic patient reported outcomes).
    5. Interoperability use cases will increasingly require closed loop transactions with tighter coupling among organizations.   The FHIR work accelerated by the Argonauts group is the best path forward to achieve this goal.

    As usual, sometimes we buy innovation and sometimes we build innovation. 

    If practical, we should procure these services from cloud-based software as a service providers.

    We need to work closely with our compliance and legal colleagues to balance risk and benefit, accepting that with all change and innovation there is a risk of the unknown.    We can mitigate risk in the face of ambiguity.

    Often organizations focus on the short term - the tyranny of the urgent.   Carving out time for innovation with a long term view is necessary to create true breakthroughs.   A dozen short term sprints will not add up to the marathon of transformation that is only accomplished via a steady pace over time.

  • 23 Feb 2015 8:50 AM | Brian Kelley | REDMOND, WA | February 20, 2015

    Microsoft's big move to adopt this standard represents a 'major milestone.'

    Google and Amazon: you just got outplayed – at least in the security standards arena. Just this month, tech giant Microsoft announced it was adopting the first international set of privacy standards for the cloud, making it the first major cloud computing platform to do so.

    Microsoft officials announced the company's cloud computing platform Azure has adopted the International Organization for Standardization's 27018 standard, which serves as a code of practice for personally identifiable data stored in public clouds. The move was partly in response to feedback from industry stakeholders, who wanted a platform that helps "improve capability to fulfill compliance obligations."

    The standard, according to the ISO, was created to ensure that public cloud service providers implement adequate security controls to better safeguard their customers' data.

    Microsoft's big move to adopt this standard represents a "major milestone," said Brad Smith, the corporation's general counsel and executive vice president of legal and corporate affairs, in a blog post announcement. And although a seemingly technical standard, Smith said it's one with "important practical benefits for enterprise customers around the world."

    Microsoft's Azure platform, Office 365 and Dynamics CRM Online have all been independently verified to be aligned with the ISO 27018 standard. What this means for Microsoft customers, as Smith pointed out, is, for one, that there are added security restrictions on how the company handles personally identifiable information. For instance, there are more restrictions around transmitting data over transportable media or public networks.

    The standard's code of practice sets forth five key principles that certified companies must adhere to:
    • Consent: Client data won't be used for advertising or marketing unless consented by the consumer.
    • Control: The customer decides how their data is used.
    • Increased transparency: Cloud service providers must provide clients with greater transparency regarding where their data resides, how it's handled and third-party subcontractors involved.
    • Communication: If a breach were to occur, the company will notify customers. Cloud service providers also will inform customers about government access to data.
    • Independent and annual audit: Conducted by a third party, the audits will examine the cloud service provider's compliance documents and adherence to the standard.
    "All of these commitments are even more important in the current legal environment, in which enterprise customers increasingly have their own privacy compliance obligations," Smith added. "We’re optimistic that ISO 27018 can serve as a template for regulators and customers alike as they seek to ensure strong privacy protection across geographies and vertical industry sectors."

  • 23 Feb 2015 8:29 AM | Brian Kelley
    from  |  February 20, 2015 | By Katie Dvorak

    It's time for ICD-10 to be implemented, and added delays are not likely to motivate organizations any more than the other ones did, says pediatrician Michael Lee, the director of clinical informatics at Atrius Health.

    The past delays didn't help the industry, and only served to hinder forward momentum, Lee writes at Physicians Practice. In July, the U.S. Department of Health and Human Services finalized Oct. 1, 2015, as the new compliance date, the third time the transition has been delayed since 2009.

    Atrius Health, a nonprofit multi-specialty medical group based in Newton, Massachusetts, is ready for the new coding system, according to Lee. The organization has moved its front-end systems to ICD-10 and partnered with the Massachusetts Health Data Consortium to test and troubleshoot the new codeset.

    A recent report by the Government Accountability Office found that the Centers for Medicaid & Medicare Services has taken positive steps to help prepare the healthcare industry for ICD-10.

    However, Lee says that with testing by the CMS coming this spring, it doesn't give providers much time to address problems.
    "There is still a great deal of uncertainty in the healthcare community about what is going to happen with ICD-10, especially with recent staffing changes at CMS," he says.
    But, he adds, that doesn't mean ICD-10 should be delayed again.
    "While it would have been wise for the government to move forward with an Oct. 1, 2014, launch ... halting implementation now would be a huge burden to the industry," Lee writes. "It's not time for another delay; it's time to get to work."
    Healthcare providers are not the only ones who are ready for the transition to take place. Members of the House Energy and Commerce Committee's Subcommittee on Health made clear at a hearing examining ICD-10 implementation that they do not want to see the transition delayed yet again.

Massachusetts Health Data Consortium
460 Totten Pond Road | Suite 690
Waltham, Massachusetts 02451

For more information,
please contact Arleen Coletti
by email or at 781.419.7818

© Massachusetts Health Data Consortium