The move from the medical dark ages will not be easy

This is truly a very challenging time if you are a health care organization. There is a fundamental change occurring that will transform the way medicine is practiced in the next 20 years. Almost like the invention of electricity, the light bulb or the first gas-powered engine, the change will have an enormous impact on everyone it touches.


At the same time the risks associated with this change cannot be ignored. As our society moves to the use of electronic medical records, the security issues and associated risk levels have never been greater.


The burden on health care organizations is incredible when looking at securing electronic medical records, smart phones and tablets, USB drives, wireless access points, and remote access solutions. Combine that with the impact of natural disasters such as earthquakes and tornadoes that have been all over the news lately. Implementing disaster recovery solutions only adds to the overwhelming security burden.


Health care organizations are already strapped for the necessary resources to implement electronic medical records. Where will they find the resources to ensure that the appropriate security and disaster recovery procedures are properly implemented?


Like all new technologies, electronic medical records offer incredible opportunities, but along with opportunities come real risks that need to be addressed. We will look back in a few years and see that health care organizations made the move from the dark ages to a much more modern era. Unfortunately we will also see lots of mistakes and security issues that could and should have been addressed.


Will the migration to EMRs thin the herd?

Almost like the Earth spinning and no one notices it, there is a major shift in health care IT going on. On the surface you can’t miss the chatter.  Talk of stimulus funds, meaningful use requirements, cloud based EMRs, free EMRs, iPads, smart phones and the list goes on. Hundreds and thousands of medical practices ranging from 1-3 employees up to hundreds of employees are in the process of either evaluating or transitioning to electronic medical records.  And as these organizations continue their transition from paper based records to electronic medical records the impact will be felt for years to come.

It is exciting to be a part of something that will have a lasting impact. But at the same time I think that there will be a lot of fatalities in this process. On the surface the migration to electronic medical records seems pretty straightforward.

  1. Select an EMR vendor
  2. Purchase equipment
  3. Install equipment
  4. Train staff
  5. Start using new EMR

But the reality is it is far from easy. There are hundreds of EMR vendors; some good, some not so good. EMR implementations fail at a very high rate. The complexity of setting up a network to support an EMR is daunting. Integrating servers, network, tablets, smartphones, lab equipment, etc. can be a challenge at best and a disaster at worst.

And if a practice makes it this far there are the concerns with patient records and HIPAA security. These practices that are new to electronic medical records have not been tasked with protecting electronic assets in the past. This skill set is not easily acquired nor is it cheap. Network and data security is not a part-time job and it should not be added on to someone’s job responsibilities, especially if they are not IT savvy.

And will these practices understand the risks of implementing technology to support electronic medical records? Will they implement the appropriate data backup solutions and disaster recovery solutions to ensure that a disaster does not cripple their ability to use and access the electronic medical records? Will they understand that most small businesses never recover from a disaster that impacts IT?  Will they make the appropriate investments to ensure that a disaster does not put them out of business?

It is almost like a herd being led into an ambush: some of these organizations will be among the fatalities. A failed EMR implementation can cost hundreds of thousands of dollars. Not many smaller medical practices can take that financial impact and still survive. A data breach or serious HIPAA violation can have a huge financial impact on an organization. An unplanned-for disaster can put an organization out of business.

So as the headlines talk of meaningful use stage 2 and 3, Medicare EHR Incentive Programs, Attestation, the next greatest tablet, mobile health apps, and cloud based EMRs, remember that the impact on some health care organizations will be fatal. Can the quest for electronic medical records be similar to a herd being led into an ambush? Will we look back and see that 2011-2013 led to a thinning of the herd? Will these fatalities lead to more hospitals and larger organizations consolidating smaller medical practices? Electronic medical records are needed and provide an enormous opportunity for the entire health care system, but without proper guidance and support many medical practices will be casualties in the process.


EMRs are like guns in the wrong hands

Putting a gun in an inexperienced person’s hands is a very bad idea.  Hand guns can be very safe if safety precautions are taken.  Experienced gun owners take the right steps to ensure that the gun does not cause harm.  Not storing a loaded gun, safety locks and ensuring that guns are stored in a locked gun cabinet are all steps that knowledgeable and experienced gun owners take.

This year many health organizations are implementing EMRs for the first time.  They are going from paper charts and relatively few computers to complex networks, servers, tablets and other computing devices.  These organizations are used to protecting patients’ information by ensuring that charts are not left where unauthorized persons can read them, storing charts in locked cabinets and taking other general precautions to protect paper based records.

The switch to electronic medical records is a new adventure for some of these organizations.  They probably spent months evaluating, planning and implementing their new EMR.  The first weeks and months of an EMR implementation are usually a very harrowing experience.  New systems, new workflows, hardware and software issues all put a lot of stress and strain on an organization’s employees.  Doctors, nurses and the entire staff usually struggle in the beginning of an implementation.  In addition, the total amount of training that the EMR vendor provides is on average 1-2 hours per employee (and that number may be high in some cases).  The training is usually focused on how to use the new EMR: how to log in, how to enter progress notes, how to e-prescribe, etc.  Little or no training is provided on how to protect patients’ information.

The topics of securing the daily tape backup, encrypting USB drives and laptops, ensuring that emails are sent securely, performing a risk assessment and other topics are usually not discussed in the EMR training.  Some may argue that the EMR vendor should address these topics but that is for another discussion.  The reality is that you have an organization that is struggling with learning and using a new EMR and have little or no knowledge on computer and patient data protection.  Is it any wonder why we have so many patient data breaches?

EMRs and electronic data accessed and used by inexperienced employees are very dangerous to the organization’s patients.  Just as dangerous as putting guns in an inexperienced person’s hands.


3 reasons for slow EMR performance

System performance is one of the biggest issues that I have seen in implementing an EMR.  It seems that almost immediately after “going live” with an EMR implementation a sudden swell of enthusiasm is stopped in its tracks due to system performance.  From my experience there are 3 main reasons an EMR may experience performance problems along with many less prominent reasons.

The three main reasons for EMR performance issues are:

  1. Underpowered EMR database server – I am not sure why EMR vendors don’t beef up their minimal system requirements.  The requirements are, as they say, “minimal” and will give you just that: “minimal” performance.  I guess the truth is, the faster the server the more expensive it is.  EMR vendors try to minimize the expense to implement their product.  My recommendation is to push back on the EMR vendor and keep asking them if the recommended server will provide good performance today and for the next 3 years.  My gut feeling is they will be very non-committal on the server lasting 3 years but may push you to a more powerful server to hedge their bet.  It is cheaper to spend the money upfront than to rip and replace in 2 years.  Additional memory and processors can significantly improve performance.
  2. Slow disks or not enough disks in the EMR database server – An EMR database server is constantly hit with read and write functions.  A slow set of disks or not enough disks can cripple the server and produce awful results and significantly impact performance.  Without getting into too many technical details it is safe to say that you should put as many disks that you can into your database server.  You should also buy the fastest disks you can (15K RPM).  A significant amount of fast disks can add considerable expense to a database server especially if you are looking at an external cage of fast disks but the performance gains can be significant.
  3. System performance across a wide area network connection – the third main reason for EMR performance issues is trying to run an EMR application across a network connection between 2 or more locations (Wide Area Network – WAN).  The amount of data that is sent back and forth between the EMR client and the EMR server can be significant.  In a scenario where the clients and the server are in the same building (Local Area Network) there may not be any performance impact.  That is because there is a lot of bandwidth between the clients and the server (usually 100Mbps and up to 1000Mbps).  But when the client is in one location and the server is in another location (separate building) there could be significant delay and performance problems.  A typical T-1 has a bandwidth of 1.5Mbps, which is significantly slower than LAN connections (again 100Mbps up to 1000Mbps).  Increased bandwidth between locations can help but the expense can be significant.  A better solution is to implement Citrix or Terminal Services to run the EMR client at the remote locations.  Citrix requires 1 or more additional servers located next to the EMR server (on the same network subnet) but requires very little bandwidth between offices.  Citrix performance can be as good as running the EMR client and server in the same location.  In almost every implementation we have done, Citrix provided the best performance running an EMR across a WAN.  The additional expense is well worth it.  One note: if your EMR is web based and utilizes a browser to run the program then the bandwidth requirements would be very minimal and would not require Citrix.

The take away from this is that in order to ensure you have good performance from your EMR, it is essential to purchase the right EMR database server.  In addition, a Citrix solution for remote offices/locations should be explored.


The realities of network security

There is a story over at FierceHealthIT that summarizes a healthcare security study commissioned by Kroll Fraud Solutions, Nashville, Tenn.  The study concluded that healthcare organizations take security seriously but may have a false sense of how secure their organization really is.

Reasons for this may be that organizations continue to view security in silos. Some 87 percent of respondents said they have policies to monitor access to and sharing of electronic health information, but most of the reported breaches had more to do with carelessness than technology–stolen laptops and back-up tapes, as well as improper document disposal.
 
The white paper, commissioned by Nashville, Tenn.-based Kroll Fraud Solutions, says respondents gave their organizations high marks–an average of 6 on a scale of 1 to 7–for compliance with HIPAA, state security laws, CMS regulations and the Federal Trade Commission’s “Red Flags” rule for identity theft, and a score of 5.75 for compliance with new security requirements of the HITECH Act portion of the American Recovery and Reinvestment Act. Despite these high ratings, 19 percent of organizations reported having a data breach in the past 12 months, up from 13 percent in 2008.

The first step to ensuring that your practice is secure is taking security seriously. It is important to write security policies and procedures. But security is not about going down a list of to-do items and checking each one off. Security is about ingraining best practices into your everyday workflow. Unfortunately security at times gets in the way of how we normally perform our jobs. Security requires a few extra steps at times. You might have to encrypt the file that you are working on before copying it to a USB drive, or you may have to send a patient an encrypted email rather than just a standard email. Each one of these actions requires a few extra steps, but in return you made sure that the data was secure and protected.

Security also costs money. There is no way around it. In order to ensure that your data is protected and secure, and especially to comply with the HIPAA Security Rule, you have to invest in security technology. As patients want to communicate more and more by email, you will eventually have to invest in email encryption to safely and securely communicate with them. Data is more and more portable and you have to put in the proper technology to protect it. Portable data can be on laptops, tablets, USB drives, smartphones, etc. Each one of these devices can leave your office and could potentially be lost or stolen. Implementing encryption technology is essential to protecting the data. Unfortunately you may have to implement one or more encryption technologies, each appropriate for a particular device.

Security costs money in ways you may not think about. Proper security requires that employees have unique user ids and passwords and only have access to the information that they have been granted access to. But how do you know if someone is trying to access information that they are not allowed to access? How do you know if someone has hacked through your firewall and is accessing your EMR? Your servers should be set up to log important events that occur on them such as logons, logoffs, invalid password attempts, successful data access, unsuccessful data access, etc. These server log files can become huge, and there is so much information in them that it is almost impossible to understand by hand what is happening on the servers. You will either have to invest in technology that goes through the server logs and notifies you if some security event is occurring, or you will have to invest in an outside IT company to monitor your log files. Either way it is probably not an expense that you have considered.
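To make concrete what "technology that goes through the server logs and notifies you" does, here is an added example (not code from the original post or from any EMR vendor): a short Python script that reads logon events and raises an alert when one account collects too many invalid-password attempts in a short window, and a second alert if that account then logs on successfully. The log line format, the account names, the addresses and the thresholds are all constructed for this example; a real server's event log will look different and would need its own parser.

```python
"""
Added example: minimal review of server logon events, looking for the
kind of activity the paragraph above says is buried in huge log files.
The log format and every sample line below are constructed for this
example (assumption); they are not taken from any real server.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<date> <time> <event> user=<account> src=<address>".
SAMPLE_LOG = """\
2011-05-02 08:01:10 LOGON_SUCCESS user=nurse1 src=10.0.1.21
2011-05-02 08:02:45 LOGON_FAILURE user=drsmith src=10.0.1.30
2011-05-02 08:03:02 LOGON_FAILURE user=drsmith src=10.0.1.30
2011-05-02 08:03:19 LOGON_SUCCESS user=drsmith src=10.0.1.30
2011-05-02 22:14:05 LOGON_FAILURE user=admin src=203.0.113.45
2011-05-02 22:14:07 LOGON_FAILURE user=admin src=203.0.113.45
2011-05-02 22:14:09 LOGON_FAILURE user=admin src=203.0.113.45
2011-05-02 22:14:12 LOGON_FAILURE user=admin src=203.0.113.45
2011-05-02 22:14:15 LOGON_FAILURE user=admin src=203.0.113.45
2011-05-02 22:14:20 LOGON_SUCCESS user=admin src=203.0.113.45
2011-05-02 23:10:00 LOGOFF user=admin src=203.0.113.45
"""


def parse_line(line):
    """Parse one constructed log line into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[3:] if "=" in p)
    return {"time": ts, "event": parts[2],
            "user": fields.get("user"), "src": fields.get("src")}


def find_failed_logon_bursts(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for accounts with >= threshold failures inside `window`.

    A burst produces one "burst" alert; a LOGON_SUCCESS for that account
    afterwards produces a "success_after_burst" alert, which is the case a
    reviewer most wants to see first (a password may have been guessed).
    The threshold and window are illustrative values, not a standard.
    """
    recent = defaultdict(deque)   # account -> timestamps of recent failures
    in_burst = set()              # accounts currently flagged
    alerts = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["user"] is None:
            continue
        user, t = rec["user"], rec["time"]
        q = recent[user]
        if rec["event"] == "LOGON_FAILURE":
            q.append(t)
            while q and t - q[0] > window:       # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and user not in in_burst:
                in_burst.add(user)
                alerts.append({"kind": "burst", "user": user, "src": rec["src"],
                               "failures": len(q), "time": t})
        elif rec["event"] == "LOGON_SUCCESS":
            if user in in_burst:
                alerts.append({"kind": "success_after_burst", "user": user,
                               "src": rec["src"], "time": t})
                in_burst.discard(user)
            q.clear()                            # a success ends the failure streak
    return alerts


if __name__ == "__main__":
    for a in find_failed_logon_bursts(SAMPLE_LOG):
        print(a["time"], a["kind"], a["user"], a["src"])
```

Run as a script it reports the two events a person skimming the file would miss among the routine entries: the five failures against the admin account from one outside address, then the successful logon that followed them. The two normal failures for drsmith, followed by a success, produce nothing, which is the point of a threshold: the alert should fire on a pattern, not on a single mistyped password.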

Computer networks are constantly changing. There are new programs being added, program updates being applied and security patches being downloaded and applied. Every change to the network has the potential of opening up a hole that someone could find and exploit to access your data. A security best practice is to periodically have a network penetration and vulnerability scan performed on your network. These scans are usually done by outside IT consultants that are very familiar with network security. The network penetration scan tries to access your network from outside of your office. This could be through the Internet, phone lines, wireless access points, etc. The scan looks for holes in your network security that someone could access. The holes could be created by an improperly configured firewall or by having unnecessary services running on the network that could be accessed. Without the network penetration test you would probably have no idea that these security holes existed. The network vulnerability scan looks for security holes on your internal network. Vulnerabilities could be identified by your vendors such as Microsoft or your EMR vendor. The vendors put out security patches that address the security vulnerabilities. A vulnerability scan will check to make sure that the appropriate security patches for your network have been applied. The end result of both the network penetration and vulnerability scan should be a comprehensive report on any issues that have been identified and the recommended steps to address the issues. 

The other big piece of security is training your staff to perform their job functions in a safe and secure manner that protects patient data. It is important to go over the policies and procedures with employees, but it is even more important for them to understand the benefits of security. When you start implementing better network security you will be making changes that directly affect your employees. They need to understand why passwords need to be 8 characters and changed every 60 days (for example). They need to understand why data must be encrypted if it is leaving your network. The good news is that employees already understand security. They understand the need for safe transactions when they are buying something from amazon.com. Training should take what they already understand and apply it to patient information. The bad news is that network security means change. Many employees don’t like change and they like doing things the way they are used to.

As you can see, security is a challenge for any medical practice. It requires a few extra steps to perform a job function in a secure manner. Security has costs that are both obvious and hidden. Security means change, and change can have a direct impact on your staff. The purpose of this article was not to scare you away from security but to shed some light on what you will be getting into as you implement better network security that protects your patients’ data.


Small practices begin to adopt EMRs

A survey by NaviNet, the largest real-time healthcare communications network, shows some interesting trends in EMR adoption in medical practices with 10 or fewer physicians.  It seems the reduction in administrative overhead and CMS mandates are spurring adoption more than ARRA stimulus incentives.  Cost still remains the largest obstacle in adoption but 33% surveyed said they plan on implementing in the next 12 months.

  • In August 2009, 9% of small physician practices projected that they would be implementing an EMR in 6 months. Six months later in 2010, 12% are currently implementing.
  • Reducing administrative overhead continues to be a key driver for IT adoption.
  • ARRA is becoming a more important driver of IT adoption – In 2010, 27% of small physician practices said ARRA incentives are impacting IT buying decisions while in 2009 that figure was 12%.
  • Only about one quarter of small physician practices said that they plan on following CMS’ guidelines for ‘Meaningful Use’ to qualify for incentive payments provided by ARRA.

Figure: Drivers of IT Adoption

Cost still remains the largest obstacle to adoption.

Figure: Barriers to EMR Adoption

The number of practices implementing EMRs has increased, and 33% of those surveyed planned on implementing in the next 12 months.

Figure: Timeline for EMR Adoption


HIPAA Security Rule Implementation

If you haven’t heard about HIPAA yet, you probably have been living under a rock.  If you ask most people about HIPAA, patients and practice staff alike, you will probably get responses back concerning the privacy and protection of health information.  Most practices have implemented the basic required steps to protect patient privacy.  Two of the most common requirements include HIPAA privacy notices that patients are required to sign, and publicly available HIPAA privacy policies.  However, as more and more practices are moving towards electronic health records systems (EHRs), there is a more complex side of HIPAA that many small, midsize and even large practices may not have focused on – the HIPAA Security Rule.

I plan on future articles that go into the HIPAA Security Rule much more in-depth but for now let’s look at the Security Rule at a high level.  The HIPAA Security Rule requires that practices put in place policies and procedures to ensure that electronic protected health information (EPHI) is properly protected.   A good comparison regarding EPHI between the HIPAA Privacy Rule and the Security Rule is stated in the Centers for Medicare & Medicaid Services (CMS) Security 101 for Covered Entities:

Electronic vs. oral and paper: It is important to note that the Privacy Rule applies to all forms of patients’ protected health information, whether electronic, written, or oral. In contrast, the Security Rule covers only protected health information that is in electronic form. This includes EPHI that is created, received, maintained or transmitted. For example, EPHI may be transmitted over the Internet, stored on a computer, a CD, a disk, magnetic tape, or other related means. The Security Rule does not cover PHI that is transmitted or stored on paper or provided orally.

There are three main parts of the HIPAA Security Rule as defined by CMS for small providers:

  1. Administrative Safeguards – These provisions are defined in the Security Rule as the “administrative actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.”
  2. Physical Safeguards – These provisions are defined as the “physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
  3. Technical Safeguards – These provisions are defined as the “technology and the policy and procedures that protect electronic protected health information and control access to it (the EPHI).”

As I mentioned, I plan on drilling down into each of the main parts of the Security Rule.  For a very good overview from CMS, take a look at the Security Standards: Implementation for the Small Provider document.  The document goes into further detail of each of the three parts and provides questions and examples to help you better understand the concepts and principles.


Electronic registration savings are significant

The Medical Group Management Association (MGMA) has an interesting study on the benefits of electronic registration.  In January 2009 the MGMA launched an initiative called SwipeIT.

Project SwipeIT is an industry wide initiative launched by the Medical Group Management Association (MGMA) in January 2009 to advance the adoption of standardized patient health-insurance identification (ID) cards containing machine-readable information.

The concept is that the insurance providers will issue patient health-insurance ID cards that contain patient information including demographics, health plan information, co-pays, etc.  The cards will act and function like a credit card.  Each medical practice, hospital and clinic will need to have a card reader that can process the information on the card.  The card reader can then be linked to a practice’s EMR or practice management system, which will populate the patient demographic and insurance fields automatically.  The whole process is referred to as electronic registration.

The MGMA study takes a look at the costs of non-electronic registration and calculates the savings that can be realized by implementing electronic registration.  There are enough numbers and calculations in the study to make your head spin but I will highlight a few statistics that are eye opening.

Model Assumptions and Raw Input Values (from the MGMA study)

  Number of claims per year for physician professional services: 1,160,542,000
  Hours saved per year during the registration process by implementing electronic registration: 95,280,498
  Dollars saved per year during the registration process by implementing electronic registration: $1,931,753,287

  Number of claims per year that must be resubmitted because of payer denial caused by incorrect patient demographics from non-electronic registration: 57,168,299
  Hours per year spent resubmitting claims denied because of incorrect patient demographics from non-electronic registration: 14,292,075
  Dollars saved per year by not having to resubmit claims denied because of incorrect patient demographics from non-electronic registration: $289,762,993

  Total savings from implementing electronic registration (dollars per year): $2,221,516,280

The MGMA estimates that $2.2 billion per year can be saved by implementing electronic registration.  It should be noted that the study does not estimate the cost to implement the electronic registration including the cost to insurance providers to issue the card, practices and hospitals to purchase and install card readers, EMR and practice management vendors to modify their software to interface with the card readers, etc.  I suspect that a good part of the initial $2.2 billion in savings would go to the implementation costs.  The savings on-going would still be significant.

The MGMA also studied the impact on a typical 6 FTE physician practice and published their results.  They took conservative and non-conservative estimates of the impact of electronic registration.  The difference between the estimates is described as:

A conservative estimate where only 10% of patients have their insurance cards copied, presumably because of changes in their information.

The non-conservative estimate is where:

(a practice) copies the patient’s insurance card on each visit. This practice may also have a much larger proportion of patients whose information needs updating.

The highlights of the study are listed below:

Conservative estimate
  Time saved by swipe card: 7 h/day, 1820 h/year

Non-conservative estimate
  Time saved by swipe card: 23 h 45 min/day, 6175 h/year

If these numbers are accurate, the need for front desk personnel could be reduced and savings could be realized at a practice.

Electronic registration is an industry wide initiative.  All stakeholders including insurance providers, EMR vendors, medical practices and hospitals would all need to be involved and implement the appropriate technologies.  Until then, the savings highlighted in these studies are only theoretical.


Hidden Costs of an EMR Implementation

There are literally hundreds of Electronic Medical Records (EMR) systems for sale.  Some have similar feature sets while others differ in their offerings.  There are many articles, blogs, and whitepapers on picking and implementing the best EMR for a practice.  Most of these seem to focus on the software selection, the workflow process, the implementation process and ongoing support of the EMR.  What seems to be missing is a focus on the actual network and computer system that the EMR will be running on.

As a practice goes from paper charts to a full blown EMR implementation, there will be a need to grow the practice’s computer network dramatically.   With the old paper chart model, there may be a couple of computers at the front desk for patient sign in and insurance information collection.  There may also be a few computers for billing and administration.  On the whole, a practice may have a very small or limited computer network. 

On the other hand, once a practice moves toward an EMR implementation the amount of technology required increases dramatically.  The front desk may need scanners to scan insurance cards, driver’s licenses, etc.  Additionally the front desk may check on insurance coverage, which may require Internet connectivity.  Physicians will need tablet computers to enter patient information during a visit.  If a practice decides not to purchase tablet computers then perhaps each exam room will need a computer, laptop or terminal to access the EMR system.  The billing department will need access to the EMR system as well as Internet connectivity to submit insurance claims.  Workgroup or network scanners may be needed to scan old patient records into the EMR or to scan patients’ new paper information, i.e. letters, referrals, etc.  Electronic fax servers may be required to send information out of an EMR to another physician’s office, or the fax server may be used to receive electronic faxes and attach them to patient records within the EMR.

In addition to the equipment mentioned above, there is the EMR itself.  The EMR may require a database server and database software such as Microsoft SQL Server.  There may be a need for a network domain controller, which stores the user names and network credentials for a practice’s employees.  The EMR database may be backed up to a tape backup unit or by a remote backup service that backs up the data securely over the Internet.  Reliance on the Internet becomes essential and requires a dependable and fast Internet connection.  These connections can be a T1 from a phone carrier (i.e. Verizon, AT&T, Qwest, etc.), DSL or a cable modem.  The Internet connection should be secured via a firewall, which protects a practice’s network.

Once all of the above technology is purchased and deployed a practice may want to roll out Email for both internal and external communication.  Email with patients may require additional email encryption technology.  With all the new computers and employees that now have access to the Internet, the potential for abuse may arise.  Technology to limit employee’s access to the Internet may need to be implemented.  Additional technology to provide Disaster Recovery of the EMR or network may also need to be purchased and implemented.  Remote Access to the EMR may be required which may require additional network technology.

As you can see, a practice may go from a handful of computers to a full blown computer network with a lot of advanced technology.  The network will need to be maintained, which may include verifying data backups, security patch deployment, software upgrades, preventative maintenance, etc.  In addition, the HIPAA Security Rule and the HITECH Act require that the network be secure and audited and that access to patient information be available.  These requirements bring along the need for additional technology and network maintenance processes.

We will go into detail about a lot of these technologies in future updates.  A final thought to think about when a practice is evaluating EMRs – Don’t forget about the computer network!
