HIMSS17 Takeaways on Cybersecurity, Interoperability & Telehealth
The 2017 HIMSS conference has come to an end. It was an overwhelming event — more than forty-five thousand attendees, 1,200+ exhibiting companies, 300 sessions on the 7 million square feet of Orlando’s County Convention Center. With so many topics and sessions, it is easy to feel like you have missed something. The Cybernet team summarizes its key HIMSS17 takeaways.
Cybersecurity was on everyone’s mind. In fact, it was one of the dominant topics this year, and it will continue to be dominant for years to come because the healthcare system continues to create an ever-growing digital footprint, amassing petabytes of data collected through a growing army of connected medical devices. At the same time, many providers have a vague understanding of which devices on their networks are smart and have the capability to siphon data when compromised.
Many HIMSS17 cybersecurity sessions pointed a finger at poorly controlled and managed IoT. Data Security: Threat Assessment in the Ransomware Era cites a ForeScout survey of IT professionals, of which only 30% are confident they know what IoT “things” are on their network, and only 44% have a security policy for IoT. Those who thought they had no IoT devices on their networks actually had at least eight types of IoT devices. 88% of all ransomware attacks in 2016 hit healthcare, which is telling. All the while the effects are devastating — employees are locked out, EHR and prescriptions are down, patient appointments are canceled. Not to mention the administrative fines and liabilities.
In light of the spreading cyber attacks on healthcare and their significant cost to providers, medical device manufacturers are in the spotlight. Evolving State of Medical Device Cybersecurity featured Seth Carmody, Ph.D., the Cyber Security Program Manager at the FDA. Shared responsibility and a collaborative approach to information sharing and risk assessment remain urgent needs.
Of note was a suggestion that medical devices should undergo pre-market cybersecurity testing and certification. The FDA’s Post Market Cybersecurity Guidance remained largely unchanged, but the 30-day remediation time frame has been expanded to 60 days, and clarifications were given on terminology, participation with ISAOs, and privacy and confidentiality harms.
Of practical use were key medical device cybersecurity myth busters:
- Manufacturers can push software updates made to strengthen cybersecurity without FDA’s “re-certification,” and
- Cybersecurity of medical devices is required by law; it is not an optional, voluntary feature.
Breaches and Ransomware? How Does Your Security Compare featured gloomy statistics and a useful scale for organizations to compare their security strategies to those of their peers. Healthcare has the highest per capita cost of a data breach, $355. The Baseline security strategies focus on compliance, device encryption, mobile device management and prevention of data loss, along with a few basic elements such as firewall, email and web gateway, and backups. Enhanced security adds device control, pen testing, encrypted SSDs, endpoint data loss prevention, remote lock and wipe, multi-factor authentication with a timeout, remote administration, and virtualization. The Advanced security includes the above and adds digital forensics, multi-factor authentication with walk-away lock, tokenization, activity monitoring, and threat intelligence, among others. Any IT professional responsible for the security of a healthcare organization should give the benchmark scale a good read.
HIMSS17 cybersecurity coverage included the CHIME/HIMSS CIO Forum keynote with Kevin Mitnick. The cybersecurity consultant to the FBI and Fortune 500 companies gave a few live demos of how easy it is to compromise critical files and systems. Mitnick’s demos involved average technical skills and simple social engineering techniques exploiting human error.
Key takeaway for providers — compliance is not enough. Good security encompasses a lot more than compliance, and minimizing the risks translates into reduced costs and downtime, and increased patient trust.
Key takeaway for manufacturers — with the growth of mobility and an increased volume of electronic health data, the potential of a data breach is escalating. Building cybersecurity into every HIT solution is critical in the value-based system. Pre-market cybersecurity testing/certification of medical devices is a near-future possibility.
Transformation is in progress, but don’t get too comfortable — this was the leitmotif of the HIMSS17 interoperability sessions. The industry united around the HL7 Fast Healthcare Interoperability Resources (FHIR) standard. Health IT vendors are increasingly implementing FHIR-based interfaces into their solutions to streamline cross-platform information exchange that would require minimum effort on the user’s part.
The HIMSS17 Interoperability Showcase featured real-world examples of how FHIR allows different HIT solutions to work together and communicate seamlessly.
Key takeaways: keep it simple. Presenting the wealth of health information in a consolidated view can hamper understanding. Limit the ways you present data. When conveying meaning through charts, make it simple and consistent rather than good-looking. The “more is less” approach enhances understanding and increases the chances of physicians accounting for the data in decision-making.
Other interoperability sessions provided a similar conclusion: the data is growing, but presenting the end user with a reduced view helps visualize the information and tell a coherent story of what is happening, especially within large populations.
At the same time, EHR in the context of interoperability continues to be the cause of anxiety. Making EHRs more user-friendly and interoperable is an unmet necessity. The interoperability across EHRs and other applications will take longer than expected, and some providers are creating in-house solutions to address this issue.
Overcome Challenges/Obstacles to Achieving Interoperability stresses that the health record is so fragmented that the strain on physicians is immense, but barriers arise since federated model membership is voluntary. There is a need for a single place for the health record. It can be a single repository, Perpetual Health Record, a patient’s intelligent portal that would organize, prepare, display, self-correct, reconcile and archive data, and evaluate information in context, store and represent it based on relevance. All providers must engage and integrate the exchange capabilities from the ground up in their products. The industry needs a standard look and feel, and conventional algorithms for identifying relevant and useful data.
Breaking HIE Barriers underlines the need for the information exchange to be easy and ubiquitous. Providers and patients expect the data to be useful, not just accessible. For interoperability to demonstrate its value, it must show obvious benefits so that users would be willing to pay for it. So, interoperability and information exchange should be about more than health information.
Medical staff, especially primary care doctors, are overburdened with EMRs lacking in usability, clinical and clerical paperwork, general data overload and value-based care requirements. Ease of use was one of the main themes of many interoperability sessions.
Clinician burnout is a great concern for providers. Semantic Data Analysis for Interoperability and Managing a Legacy Team in an EHR Transition both articulate the same need to make the transition to new technology easier on the staff. Choosing the right vendor is one of the key aspects of a successful upgrade and employee retention.
Key takeaways: providers need HIT solutions that are easier to use for the staff, not just the patients. Labor is nearly half of the healthcare system costs, and HIT must make it more efficient and hassle-free.
Telehealth, Mobile, and Cloud
Telehealth was one of the most exciting HIMSS17 themes, thanks to real-world success stories showing visible progress. Reducing cost of care, providing care in rural areas under physician shortages, reducing readmissions through remote physician follow-ups — telehealth solutions are proving their worth.
Removing Barriers from Migrating to the Hybrid Cloud highlighted how the costs of expanding on-premise storage are unsustainable with a predicted 25,000 petabytes of digital medical data by 2020. 77% of industry actors are seeking partners to help them maintain high infrastructure reliability, and the cloud is the solution. At the moment, many cloud adopters run payroll, HR, EHR, email, and EMR in the cloud. More providers are planning to move disaster recovery, PACS, ERP, office data analytics, radiology and coding to the cloud.
Mobile Innovation and Telehealth in Emergency Care featured a success story of the Houston Fire Department’s mobile solution ETHAN in combination with medical tablets. The outcomes were a reduced number of low-acuity repeat callers and increased efficiency of ambulance teams. The first was attained through follow-up calls, the second through remote physicians who advised low-acuity patients on alternatives to ambulance transport to the emergency room.
Telehealth solutions are evolving to include record keeping, billing, secure messaging, or voice-managed A.I. assistants.
An important point was the customer experience. Consumerization of HIT is changing the patients’ role from being a passive, reactive care recipient to an active manager of their health.
The Perfecting the Mobile Solution session by Palmetto Health made a strong point of how choosing the right EMR-ready equipment is key to success. Key takeaways: there is no one-size-fits-all solution in screen size, cart size or type, or MDM. Analyzing every stakeholder’s needs and addressing them with a proper configuration and a flexible, modular approach can be successful within the framework of an all-in-one mobile solution.
Among the top barriers to mobility are budget constraints, BYOD, wireless network support, security concerns, compatibility, learning curve and device form factor choice. The form factor and OS are deal-breakers capable of solving all other concerns. A Windows 10 medical tablet with a digitizer stylus beat all the other mobile solutions in compatibility, cost, and productivity.
“For every hour physicians provide direct clinical face time to patients, nearly two additional hours is spent on EHR and desk work within the clinic day,” according to Annals of Internal Medicine. The HIT productivity paradox saw EHR initially reduce staff productivity by 25–33%. The medical tablets’ effect is the opposite, resulting in faster triage and note completion, reduced wait times, the ability to document anywhere and a smaller technology footprint.
Palmetto Health reported numerous benefits of deploying their mobile solution: provider satisfaction, ease of use, less time documenting after work, improved access to patient records, ability to share data with patients at the bedside, improved security with less printing/secure network/fingerprint access, improved patient education and communication, reduced transcription costs, improved workflow, and fewer desktops.
Key takeaways: large screen, extended battery life, Dragon dictation support and corporate shared devices (vs. BYOD) are preferable.
Among other HIMSS17 dominant themes was uncertainty regarding new and old regulations, but overall the conference felt like a summary of the industry’s achievements, and the goals that lie ahead — innovation, consumerization, and improved ease of use.