Home

Cybersecurity in a Highly Regulated Industry

February 27, 2023
6:33 pm

The Healthcare Leadership Council hosted a webinar entitled, “Cybersecurity Playbook for Healthcare,” in conjunction with the Confidentiality Coalition. The discussion brought clarity to the current federal infrastructure around cybersecurity, existing tensions around breach notifications in the healthcare industry, and recommendations to improve cybersecurity practices within and beyond healthcare. Four speakers joined the panel:

  • Marilyn Zigmund Luke, Vice President, AHIP
  • Alicia Bowers, Senior Vice President and Enterprise Chief Privacy and Compliance Officer, Atrium Health (now part of Advocate Health)
  • Todd Greene, Vice President & Enterprise Chief Information Security Officer, Atrium Health
  • Allison Miller, Global Chief Information Security Officer and Senior Vice President for Optum, a division of UnitedHealth Group

Infrastructure

The healthcare system is one of 17 national critical infrastructures. As cybersecurity stretches across federal agencies, money is allocated to various agencies to maintain cybersecurity capabilities. Within the U.S. Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA), was established to receive reports from critical infrastructure sectors. The public is awaiting future regulations from CISA of how to proceed with that reporting process. The Healthcare and Public Health Sector Coordinating Council Cybersecurity Working Group identifies and mitigates systemic risks that affect patient safety, security, privacy, and national confidence in the health system.

The Problem with Breach Notifications

As healthcare is a highly regulated industry, organizations who comply with one law run the risk of violating another law because the federal agencies and states have not adequately communicated with each other regarding the larger operational impact of what they are trying to accomplish. There are unintended consequences to conflicting laws, and the burden of reporting a breach is significant. The panel noted the juxtaposition of portability and security of data, as tension arises between becoming increasingly transparent and connected while protecting patient privacy and securing data.

Breach notification requires contacting both patients and the media. Patients who receive these notifications are either confused or desensitized by the mass mailings, and are generally not concerned unless their social security number was compromised. Media outlets generally go for the more sensational headline and stories are frequently reported inaccurately. Often, the primary organization is named in the breach even though the actual breach involved a business associate or vendor. It has become clear that the majority of patients take no action after a notification, and media coverage actually helps cyber criminals and plaintiff attorneys target an organization that has just been victimized. Healthcare entities are spending more resources on class action defense rather than proactive measures due to the punitive ramifications of how breach notifications are designed.

Recommendations

The majority of breaches are not due to negligence, and the compromised entities are victims of a crime. The “Wall of Shame”, posted by the U.S. Department of Health & Services Office for Civil Rights, should come down. There is stigma associated with this and the primary organization is listed even if a vendor was breached. Healthcare is a complex industry, and multiple vendors are required to fulfill all the responsibilities that come with delivering care. Vendors should be held directly responsible, and other sectors should have the same reporting standards as healthcare.

Reduce the administrative burden and use an exclusive reporting route instead of involving multiple agencies. Avoiding creating duplicative processes and tearing down commodity channels would allow sectors to effectively communicate valuable information about cyber threats and defend against them collaboratively in a timely fashion. An additional approach to reducing the burden of unnecessary notifications is to redefine what is considered protected health information, as routinely disclosed data is easily found online outside of healthcare.

 

Prescription E-Labels are Past Due

November 30, 2021
12:32 pm

Now decades into the digital age, most tasks can be completed electronically – ordering food, booking appointments, transferring funds, and even signing contracts. In the healthcare world, medical records and laboratory results can be accessed online rapidly and securely. Technological advancements have made these activities convenient, user-friendly and efficient.

And yet, there are corners of American healthcare that have continued to utilize paper as though the digital option is not available. More than 100 billion pages of paper are printed and distributed as package inserts for medications delivered to pharmacies each year. While this is environmentally wasteful, there are also safety implications with this process. Labels can be revised multiple times a year, and when that change is approved it can take up to a year for the updated paper copy to make it through the supply chain to the pharmacists. The delay can lead to conflicting information being provided to pharmacists and result in erroneous prescriptions negatively impacting the health of patients.

The National Institute of Health manages the National Library of Medicine’s DailyMed website, and has been posting the electronic prescribing information it receives from the FDA since 2005. In fact, in 2014 the FDA recommended that the default method of providing prescribing information be switched from paper to electronic, but the proposed rule has continuously been blocked by Congress. Most providers already rely on real-time electronic updates, as FDA-approved changes are immediately updated on DailyMed. It is not surprising that the physical labels, which are printed so small they are nearly impossible to read, usually get thrown away without a second glance as the most up-to-date information is readily available online.

Moving to a digital form is not just more convenient for prescribers, but for patients as well. If a medication comes with a QR code, the patient can access the updated information and be alerted to any changes or product recalls. They could also use a search function to jump to text with personalized information, augment the font, or watch videos that explain how to administer the medication. The opportunities to engage patients, increase medication adherence, reduce environmental impact and save money are infinite. The time for prescription e-labels is well past due.

The Extraordinary Pandemic Efforts You Didn’t See

March 19, 2021
7:57 am

America is well aware of the heroic work performed throughout the COVID-19 pandemic by physicians, nurses and other front line healthcare professionals, tirelessly handling a rapidly escalating number of cases as the virus spread and hospitals were stretched to capacity and beyond.

But what we didn’t see was the vital work taking place behind the scenes to reconfigure healthcare data systems so that COVID-19 treatment guidelines could be rapidly disseminated, patient data could be made readily available, in-person exchanges could be shifted to telehealth, and more healthcare professionals could have access to critical data as they, too, were forced to work from home as America quarantined.

In an interview with the Wall Street Journal, Mayo Clinic Chief Information Officer Cris Ross described having to make decisions in days and weeks that would normally require months on how to make changes to the Clinic’s information technology systems in order to meet an unprecedented challenge.

He said, “We had to make close to 3,000 changes in our electronic health-records system to recognize rapidly evolving hospital-facility changes and protocols. Clinical guidelines for Covid treatment were developed and made available from within the records system. So, for example, if someone arrives at the emergency department who may have Covid, what are the steps? If that patient is admitted, what’s the next step? And if they’re sent to an ICU, what’s the next step?”

The rapid changes required of Mayo and other health systems when the pandemic struck underscores the importance of better preparing the nation for future health crises. Last year and into early 2021, the Healthcare Leadership Council worked with 100 different healthcare, employer and patient advocacy organizations to develop a comprehensive set of recommendations on how to strengthen private-public collaborations on disaster readiness and response. They include the creation of a 21st century public health data infrastructure that will enable real time access to critical information necessary to get ahead of a rapidly evolving crisis like COVID-19.

Many of the recommendations in this report were included in the recently-passed American Rescue Act, but much more work remains to be done before the next catastrophe strikes.

Leading Hospital CEO Addresses Data Interoperability

February 25, 2020
11:51 am

Massive amounts of healthcare data are collected across the nation, and as technology advances the question of how to use it has continued to be a discussion.  There have been hearings on Capitol Hill about interoperability and data privacy and security, and the Healthcare Leadership Council (HLC) recently hosted a congressional briefing on the subject of health data.  The resources of the private sector have been focused on utilizing data for innovation in the treatment of patients.  There has been open dialogue between healthcare organizations and government agencies regarding the best way to approach regulations surrounding the use of health data.  Joseph Impicciche, the president and CEO of Ascension, in his Morning Consult op-ed supports proposed rules by the Office of the National Coordinator for Health Information Technology (ONC) and the Centers for Medicare and Medicaid Services (CMS) on advancing nationwide interoperability and encourages additional work be done to ensure continuous improvement in patient outcomes.

HHS Policies to Promote Secure Exchange of Data Will Lead to Better Health Care

By Joseph Impicciche February 10, 2020

Health care is undergoing dramatic transformation, and the entities accountable for delivering compassionate care to patients are being challenged to meet these new and evolving needs. The dimensions of this transformation are deep and wide, and the complexities of providing care extend far beyond those traditionally involved in managing patients’ health and wellness.

Health care providers are focused on the same goal: improving health and health care for patients and consumers. This requires coordination across an expanding number of constituencies who must have access to greater clinical insight, leveraged to accelerate the delivery of novel care models and therapies. Essential to these requirements is access to robust clinical datasets and tools that facilitate real-time clinical workflow integration so that comprehensive care coordination is available to and benefits all those we serve, while maintaining patient data privacy and security.

With the future of health care dependent on the ability to make data-driven decisions, we applaud the Department of Health and Human Services’ continuous efforts and leadership through the Office of the National Coordinator for Health Information Technology and the Centers for Medicare and Medicaid Services on advancing nationwide interoperability. The proposed new policies have the potential to take an important next step in granting consumers seamless and secure access to data and increase the vehicles for the exchange of electronic health information across providers and systems. They should be used as the starting point for further discussions and potentially thoughtful modification, led by the spectrum of stakeholders involved in the delivery and receipt of care.

Every day, providers, patients and consumers find themselves trying to piece together the health information they need from siloed systems across the care delivery continuum. Within each of these systems, information is entombed in proprietary data models that effectively create dependency on a single electronic health record vendor’s platform.

Exchanging health information from disparate platforms has proven cumbersome. It can be difficult to positively confirm a patient’s identity, as no unique national identifier exists. And even when records can be accurately matched, the scope of data exchanged is often limited and not fully supportive of integrated care delivery across the continuum.

It recently has been suggested that these gaps are not significant impediments to the delivery of coordinated, whole-person care. Some argue that closing these gaps will create unsupportable fiscal and administrative burdens for health systems and providers, as well as untenable privacy and security risks for patients and consumers.

New policies must acknowledge and seek to ease the cost and administrative burden on providers; appropriate timelines should be afforded, and privacy and security risks should be mitigated. However, a properly considered rule should ultimately be finalized because of the overall benefit it will provide to patients and providers alike. We believe the cost of doing nothing is too high; the persistence of current approaches will not be economically sustainable and will not support the more sophisticated approaches to privacy and security that will be required to adequately serve patients, consumers and providers across the continuum.

Today, after incredible focus and expenditure by federal agencies and tireless work at technology adoption by numerous stakeholder groups, we’re still very far from realizing our shared goal: a robust, standards-based, cloud-enabled health care information architecture that will support broad health care data interoperability and benefit patients across the continuum of care.

The failure is multidimensional and includes the lack of common data model implementation at scale, the lack of a national health care information identifier at the individual level, and the absence of a meaningful scope of application program interfaces across health care technology platforms — both legacy and newly emerging platforms outside the traditional health care ecosystem.

The solution lies in applying new technologies — some developed in other industries — to accelerate the democratization of commoditized health care data housed in modern cloud-based architectures. Accordingly, we applaud the work of HHS, ONC and CMS in tackling what is admittedly a complex issue. They are seeking to develop a forward-looking policy that drives common health care data model development, supports accelerated development of APIs and promotes the development of software applications that support provider, patient and consumer choice in health care technology to enable true multiparty health care process integration.

Without a doubt, the pursuit of democratized health care information must be approached carefully and in parallel to the evolution of more sophisticated privacy and security frameworks. Multi-stakeholder input will be required to ensure that next-generation privacy and security policies account for the technological capabilities, increasing cybersecurity threats and greatly expanded scope of health care constituencies that now exist.

Recognition of the importance of these capabilities is not new. Foundational support for their achievement rests with a sweeping series of federal legislation enacted over the last 20 years, including the Health Insurance Portability and Accountability Act, the Health Information Technology for Economics and Clinical Health Act, the Affordable Care Act and others. The broad goal underpinning each of these policies was to create the framework necessary for the efficient and effective creation, distribution and utilization of digital health care information to benefit patients.

The work to build on these foundational policies must continue. HHS’ proposed rule warrants careful consideration and thoughtful modification to minimize burden, ensure data privacy and security and provide appropriate time for implementation. With such changes, HHS’ new rules will help advance the progression toward a framework that allows data to be optimally available to improve patient care while providing robust privacy protections and data security.

 

Joseph R. Impicciche, JD, MHA, is president and chief executive officer of Ascension.

An Expert Look at 2018 Healthcare Trends and Their Potential Impact

February 08, 2018
6:05 pm

President and CEO of Premier healthcare alliance, Susan DeVore, discusses her predictions of what 2018 will bring in a Health Affairs article.  Ms. DeVore, a member and former chair of the Healthcare Leadership Council, shares her optimism regarding the commitment to innovation and competition that is driving the industry towards value-based care and the increased utilization of actionable data.  Her assessment of current trends focuses on how growth and changes in all healthcare sectors have an impact on providers, and further solidifies the importance of the work being done to improve access to care as well as outcomes.

The article is copied below and the original publication can be found here.


What To Watch In Health Care In 2018: Six Key Trends

At the start of 2018, the health care industry is on the cusp of more significant change. The GOP Congress has moved health care away from the center of their public policy agenda, creating more certainty and a clearer view. Of course greater certainty doesn’t mean total certainty, especially as market trends and business realities continue to shift. As providers move into 2018, we still feel confident in making some predictions as to what the future holds.

Clearer Skies Ahead, Pockets Of Turbulence

Uncertainty is expected during any major political transition, but it reached an all-time high for health care leaders in 2017. The fog has largely cleared, and 2018 will be a year of health care leaders starting to place their bets. Here’s what health care leaders see.

Instead of a sweeping set of legislative changes to the Affordable Care Act, the elimination of the individual insurance mandate is now the symbolic emblem of “repeal.” While some project that the mandate’s demise will lead to a decline in the private insurance market, it remains to be seen how the elimination will ultimately play out given the mandate’s relatively weak incentive for individuals to purchase coverage. The strong economy is causing employers to offer health coverage to compete for talent, and the probable enactment of the exchange market stabilization legislation should serve to calm the exchange market, potentially lowering premiums. Going forward, focusing on states will likely become the “replace” strategy for Republicans in 2018, with a larger number of waivers granted to experiment with programs, giving states greater control and reason to consider expanding Medicaid coverage. Health care leaders are viewing 2018 as a year of greater insurance market stability, with the number of insured Americans holding steady or possibly increasing over the latest numbers.

There is also more certainty around the movement to value-based care. Last year’s raging health care debate caused health care leaders to question the movement to alternative payment models (APMs). That momentum, however, is returning, and the experienced and more transparent leadership in the Department of Health and Human Services (HHS) by Alex Azar should provide significant reassurance to providers on both insurance market certainty and the movement to value-based care.

Health care leaders still face major financial threats. Bad debt continues to grow, reaching $38.3 billion in large part due to the rise of high-deductible health plans. Hospitals have taken $148 billion in Medicare payment cutssince 2010, and these cuts are scheduled to continue. Some states are cutting Medicaid reimbursement. 82 rural hospitals, as well as many urban hospitals, have closed since 2010. This year’s $1.6 billion cut in 340B payments will crush some of the most financially challenged hospitals treating the most vulnerable patient populations. Hospitals continue to be disadvantaged in the design of many of the Centers for Medicare and Medicaid Service (CMS)’s pay for performance and alternative payment models. As a result, hospital margins remain in low single digits, and the Medicare Payment Advisory Commission projects that the Medicare margin will fall to negative 11 percent in 2018.

Attention, Value Shoppers: The New Health Care Market

2018 will be a year of a renewed focus by CMS on paying for value, particularly with the continued ramp up of the Medicare Access and CHIP Reauthorization Act of 2015 that incents clinicians to take risk, and new APMs that create attractive alternatives for fence sitting providers.

Perhaps more notable today are private sector actions to expand and accelerate the value-based payment movement and disrupt the status quo. Given the clear signals, health care leaders are focused on gaining scale and/or vertical integration to position themselves favorably for an expansion of value-based care. Unlike past merger efforts to command greater market power, today’s consolidation is often more driven by the goal to integrate care delivery and achieve savings.

There is a new form of competition emerging. Providers and payers are organizing themselves into vertically-integrated, high-value care and financing networks. Health care leaders are actively exploring commercial, employer, and Medicare Advantage risk-based programs through either ownership models or partnerships. The most recent mega-deals by CVS and Aetna, Humana and Kindred, Ascension Health and Providence Health, Aurora Health Care and Advocate Health Care, as well as the ongoing provider acquisitions by insurance goliath UnitedHealthcare, all send a clear message: insurers, physician groups, health systems, and even retail organizations are each seeking to compete as high value care and financing networks.

The CVS/Aetna merger, for instance, is based on a strategy that they will be able to disrupt the system with a retail pharmacy and e-enabled high value provider network. The Advocate/Aurora merger is seeking to achieve regional scale by combining two of the nation’s leading clinically integrated physician networks, hospitals and other provider settings, and pharmacy capabilities in the greater Chicago-Milwaukee region. UnitedHealthcare appears to acquire more physician practices each day. We anticipate more mergers and acquisitions in 2018. As the merger and acquisition activity heats up, the question remains: Who will be best at capturing and engaging patients and customers?

Washington must be careful not to undermine this movement by confusing integration to deliver efficient, high-quality care with consolidation to reduce competition. This emerging model needs to be supported by continuing the movement by public payers to APMs and careful thought by anti-trust regulators.

Episode 2018: The Consumer Strikes Back

For providers to succeed as stewards of new care delivery networks, they need to play the game differently. This means a number of new capabilities, including creating clinically integrated physician networks, collecting and integrating data, and applying analytics to find cost, work flow, and quality improvement opportunities. It also means providing more outpatient clinics and offering additional access points, establishing preferred post-acute care networks, creating new incentive and payment arrangements, building physician measurement systems to assess performance, and negotiating successful alternative payment models with public and private payers.

To ultimately succeed, however, health leaders realize that they need to, above all else, excel at attracting and engaging patients, families, caregivers, and consumers. 2018 will be the year of focus on patient capture and engagement. Providers will work with their patients, families, and caregivers to develop approaches so they more actively manage their health and health care.

This means engaging the patient in their health and health care outcomes from the beginning. This involves providing prevention, diagnosis, and monitoring services that support the total care experience. Done well, it creates stickiness to a high value care network. Organizations are focusing more on this from a human resources training and measurement vantage point. They are also establishing patient portals, providing wearable devices, implementing patient educational programs, screenings, and pushing targeted materials to patients based on their current and anticipated needs.

For example, one of our members is providing home monitoring tools as well as tablets for video consults to help patients meet their health goals. The program focuses on total patient care from prevention to recovery. Few people leave the program, and the organization has reduced overall costs by 34 percent per year and hospitalizations by nearly 50 percent.

Financial Imperative, Meet Actionable Data

A certainty for health system leaders is the need to improve productivity and efficiency. The approach, however, is going beyond the past’s focus on reducing head count and cost of supplies.

After years of avoiding care efficiency and standardization initiatives due to the difficulty of persuading clinicians to embrace them, health care leaders now have a larger and more urgent financial imperative to identify and isolate wasteful practices, cost outliers, and the root causes for the inefficiencies. The keys to success are a strong case for change and a prioritization of efficiencies that yield both cost and quality improvements. This is, therefore, all about data and analytics.

Recent cost containment efforts we have pursued with our members provides a sense of scale.  These health care systems range in size from 6 to 19 hospitals and their care transformation work has achieved savings ranging from $180 to $250 million over two years. Another specific example is a health system member of ours that realized $13 million in savings by driving care process standardization across their departments that touch just ICU and blood utilization. In addition to the savings they also improved their quality scores and reduced patient complications and readmissions. Premier data found a lot of opportunity for other hospitals around ICU stays, potentially reducing expensive ICU stays by 200,000 days across 786 hospitals. This is precisely where providers are now focusing their efforts.

2018 will be the year of delivering efficient, highly reliable care. With today’s financial imperative and actionable data, health care leaders are achieving a new level of efficiency and productivity.

America’s Other Drug Problems: Cost And Competition

Rising drug prices continue to be a dominant concern to health care leaders. Pharmaceutical innovation holds great promise for helping providers achieve their mission to improve and sustain patient lives, but it’s also a Catch-22. As providers are increasingly assuming accountability for the health outcomes of a population, six figure drug price tags and unpredictable price increases threaten financial planning and cool the enthusiasm for taking risk. 2018 will be a year of increased legislative and regulatory policymaking to foster increased drug market competition.

The FDA has and will continue to step up its game with new initiatives designed to unleash more competition that can moderate drug price trends. These include encouraging new market entrants to rapidly start developing generics in classes where there is no competition, streamlining the generic drug approval process, promoting biosimilars and taking steps to prevent branded drug makers from exploiting programs like the Risk Evaluation and Mitigation Strategy and citizens’ petitions.

Congress will also be getting into the act this year. We expect the Fair Access for Safe and Timely (FAST) Generics Act and the Creating, Restoring Equal Access to Equivalent Samples (CREATES) Act, among other legislation, will help eliminate loopholes that can slow the introductions of competitor products.

Finally, manufacturers are developing new ways to demonstrate product return on investment in response to provider demands. There is increasing use of real-world evidence to demonstrate value as well as use of outcomes measures to quantify results. While value-based contracting is still in the early stages, manufacturers are looking to measure and launch these programs.

Emerging And Converging Digital Health

In every single aspect of health care, the digital revolution is making itself felt: new apps are getting patients more engaged; health sensors and wearables are creating terabytes of new, granular data, and machine learning, natural language processing, and artificial intelligence techniques and tools are all emerging new technologies. What’s more, precision medicine, telehealth, blockchain technology, and new personalized digital devices are being infused into all parts of the workflow and consumer experience.

The biggest impediment to effective use of data continues to be the lack of interoperability, especially among the electronic health records, which impedes care coordination and efficiency. While providers are waiting on HHS to implement the interoperability provisions of the 21st Century Cures Act, they are wasting no time in building data warehouses that assemble the multiple sources of data necessary to provide quality care and make informed decisions across the continuum of care. Growth of data warehouse systems and data analytics is one of the fastest growing technology areas as health systems seek actionable information to help them manage the total cost of care at a site and across sites of care.

Consequently, there is a growing and acute need for a trained workforce able to deploy, implement, and maintain health information technologies and systems and increasingly complex medical devices.  Today’s electronically connected, data-and evidence-driven health care system requires staff with data science and data analysis skills. These skills are essential in gathering, interpreting, protecting, and analyzing large and complex data sets. Data management, cyber security, and governance is essential to precision medicine, value-based care and payment and population health.

These are the big trends we see impacting health care providers in 2018.

We are encouraged by the outlook. We are hopeful Congress and the Trump administration will encourage and not impede this progress to high value networks, increased competition among pharmaceutical manufacturers, and increased access to health information.