Compliance
Data governance in healthcare
By Todd Peterson, Product Marketing Manager, Identity and Access Management, Dell Software
In the United Kingdom, for example, where the right to universal free healthcare has existed since the formation of the NHS in 1948, there is currently no freestanding right to privacy at common law, but personal privacy is often contested as a basic right in courtrooms.
In the United States, consider the example of a group of hospital physicians working on a research article comparing success rates of various treatments for the same condition. Because privacy controls make it impossible for doctors to view any records except those of their own patients, they have established a SharePoint site where each shares relevant records.
Because the only access control for the site requires a valid username and password in the hospital’s Active Directory (AD) environment (meaning anyone working at the hospital can get to it), the hospital can’t prove to auditors that all patient information is controlled according to U.S. HIPAA (The Health Insurance Portability and Accountability Act of 1996) guidelines.
Compliance means controlling access to data, regardless of industry or industry-specific regulations. Data governance enforces compliance on unstructured data (documents, PDFs, spreadsheets) stored on SharePoint sites, network-attached storage (NAS) devices, file servers, etc., and, while different industries might use different terminology, all regulations require these three things:
- Access control – continuously ensuring that people with access to data are supposed to have access.
- Separation of duties – ensuring there are no conflicts of interest, or too much power and knowledge in any one party’s hands.
- Audit – proving that access control and separation of duties are in place and rules are followed.
- If the hospital IT department had implemented the right technology solutions, it could, at minimum, have:
- Developed a process to request, approve and grant access to the SharePoint site only to those who should have it.
- Had a quick and easy way to attest to who actually has access.
- Prevented unauthorized individuals from accessing (or uploading to) the site.
All IT departments face myriad threats to their organization’s data, and there are multiple compliance regulations and internal policies to consider as well. The right technology choices will provide much-needed data governance.
Future Watch: Security
Quantum key technology boasts unbreakable encryption
A Boston startup called Whitewood Encryption Systems has licensed security technology from Los Alamos National Laboratory (LANL) in New Mexico to create and market an “unbreakable” quantum key cryptography solution. The low-cost device, which Los Alamos scientists say is simple and compact enough to be made into a thumb-drive-size unit, uses the quantum properties of light for generating random numbers. These random numbers create cryptographic keys for real-time encryption at high data rates.
| This small device developed at Los Alamos National Laboratory uses the truly random spin of light particles to generate cryptographic keys to securely transmit information between two parties.(Photo credit: Los Alamos National Laboratory) |
Since the keys are based on the random polarization state of photons (light particles), which is ruled by the laws of quantum mechanics and not simply a mathematical formula, an adversary cannot predict the outcome of this “natural” random number generator. The solution is “unbreakable by conventional cryptographic methods,” says Duncan McBranch, Chief Technology Officer, LANL. Scientists at the lab have been working on perfecting the technology for 20 years.
Whitewood’s quantum random number generator device for encryption is planned to hit the market in Q2 2015. “The unit will enable nearly any form of encryption to be more secure – including encryption of sensitive healthcare data for EHRs/EMRs,” says John Serafini, Vice President at Allied Minds, the parent company of Whitewood. “The device could be used by any EHR/EMR user on-site (hospital/practice) or at the servers of any cloud-based services. Future systems of quantum encryption, the Whitewood system of quantum key management, will require hardware on-site and will offer an unprecedented level of data security.”
Meaningful Use
HHS modifies certified EHR technology rule
Healthcare providers got a little more flexibility in how they use certified electronic health record technology (CEHRT) to meet Meaningful Use on August 29, 2014. On that day, the Department of Health and Human Services (HHS) published a final rule on the EHR Incentive Program reporting period for 2014.
The rule states that eligible providers can use the 2011 Edition CEHRT or a combination of 2011 and 2014 Edition CEHRT for an EHR reporting period in 2014 for the Medicare and Medicaid EHR Incentive Programs. All eligible professionals (EPs), eligible hospitals (EHs) and critical access hospitals (CAHs) are required to use the 2014 Edition CEHRT in 2015.
The rule also finalizes the extension of Stage 2 through 2016 for certain providers and announces the Stage 3 timeline, which will begin in 2017 for providers who first became meaningful EHR users in 2011 or 2012.
Response from the College of Healthcare Information Management Executives’ (CHIME) President and CEO, Russell P. Branzell, was swift and biting, characterizing the “modifications” rule as a missed opportunity with serious consequences.
“The final rule lacked a key provision that would ensure continued EHR adoption and MU participation,” wrote Branzell in a release on the same day as the rule’s announcement.
“CHIME is deeply disappointed in the decision made by CMS and ONC to require 365 days of EHR reporting in 2015. This single provision has severely muted the positive impacts of this final rule. Further, it has all but ensured that industry struggles will continue well beyond 2014.
“Roughly 50 percent of EHs and CAHs were scheduled to meet Stage 2 requirements this year, and nearly 85 percent of EHs and CAHs will be required to meet Stage 2 requirements in 2015. Most hospitals who take advantage of new pathways made possible through this final rule will not be in a position to meet Stage 2 requirements beginning October 1, 2014. This means that penalties avoided in 2014 will come in 2015, and millions of dollars will be lost due to misguided government timelines.
“Nearly every stakeholder group echoed recommendations made by CHIME to give providers the option of reporting any three-month quarter EHR reporting period in 2015. This sensible recommendation, if taken, would have assuaged industry concerns over the pace and trajectory of rulemaking; it would have pushed providers to meet a higher bar, without pushing them off the cliff; and it would have ensured the long-term vitality of the program itself. Now, the very future of Meaningful Use is in question.”
Electronic Health Records
One in four ambulatory EMRs on the chopping block
More than one-quarter of both large and small ambulatory practices say they are considering replacing their EMR, according to the latest KLAS report on ambulatory EMR perception. The study, which interviewed more than 400 large and small practices across the country, finds that another 12 percent would like to replace their system but cannot do so for financial or organizational reasons.
“There are different reasons for this shift,” says report author Jared Dowland. “Larger practices are seeking to consolidate from multiple EMRs and tighten their relationships with nearby hospitals, while smaller practices are seeking to resolve functionality, support and cost concerns.”
“Ambulatory EMR Perception 2014” reveals not only why ambulatory practices are replacing their EMRs, but where they are considering going. Learn more at www.KLASresearch.com/reports.
Milestones
Henry Schein Practice Solutions opens new HQ, Center Of Excellence
Henry Schein, a major provider of healthcare products and services to office-based dental, animal health and medical practitioners, is also full of heart. The new Center of Excellence not only demonstrates innovative products and provides state-of-the-art training to dentists, but it also gives local dental professionals a modern facility to offer free, high-quality oral care to the community’s underserved population.
Staffing
Calling all IT recruiters: Clinical application support most needed
The annual HIMSS study was conducted May-June 2014, with findings based on responses from 200 individuals representing healthcare providers, vendors and consulting organizations.
Other significant findings touched on outsourcing (70 percent of respondents reported at least one area of anticipated outsourcing, down a notable 23 percent from 2013) and layoffs (a 5 percent increase in staff layoffs over last year).
Respondents considered IT recruiters/executive search firms to be the most effective resource to leverage in meeting their hiring demands. “The lack of local qualified health IT workers, whether real or not, is a very real concern for many,” says Lorren Pettit, Vice President, Research, HIMSS Analytics. “And in an industry in which recruiting workers away from other healthcare organizations is fairly common practice, IT recruiters and staffing agencies are clearly seen to be the most effective recruitment resource at a healthcare employer’s disposal. I wouldn’t be surprised to see the use of recruiters increase as a preferred recruitment resource as the demand for select IT professionals increases.”
Download the full survey results at www.himssanalytics.org.
