TRANSCRIPT
What Keeps Me Up at Night, 2013 Edition
John D. Halamka MD
Major Challenges for CIOs
• Healthcare Information Exchange
• Security/Privacy
• Clinical Decision Support
• Patient and Family Engagement
• Analytics, Business Intelligence, and Quality Measures
FY13 Annual Operating Plan
Improve the Health & Well-Being of Patients, Families, Employees & Physicians Through Innovative Clinical Care, Education, & Research
System: Advance as a system of care (Clinical Care, Education, Research)
People: Engage and develop our people every day
BIDMC Fiscal Year 2013 Operating Plan: Information Systems
True North: Grow and enhance a market-leading system of care… that delivers the highest value… by creating and sustaining a culture of continuous improvement… through engagement, development, and support of our employees, physicians, patients & families
Owner/Date
• Develop, standardize, improve transitions among sites of care
• Respond effectively to the needs of our network and affiliates
• Achieve optimal alignment between physicians & hospitals
• Enhance wellness and safety
• Promote & support a culture of service excellence and continuous improvement
• Optimize & support learning & development
Key Opportunities | Leader Partners | Deliverable/Goal | Departments impacted?
1. Achieve Meaningful Use Stage 2 | IS, Nursing, Ambulatory | Certification by October 1, 2013 and Attestation by December 31, 2013. Includes EMAR | All
2. Implement ICD10 | IS, Nursing, Ambulatory, HMFP | Execute 5 workstreams specified in ICD-10 plan, remediate clinical and financial systems. Includes Clinical Documentation Improvement | All
3. LIS Go live | IS, Nursing, Pathology, Ambulatory | Phase 1 go live | All
4. Implement Compliance Priorities | IS, Compliance, HR | LMS go live, security initiative completion | All
5. Support ACO Needs | IS, HMFP, BIDPO | Implement Care Management features in webOMR and business intelligence applications | All
Cost: Continuously improve our ability to adapt to changes in the healthcare environment
Maximize efficient utilization of resources:
• Staff
• Equipment & supplies
• Space
• Diagnostic testing & treatment
Quality: Ensure reliability
• Implement processes that measurably decrease harm/defects
• Improve reliability through standardization
• Measurably improve patient & family experience
Value = &
Stage 2 Physician Goals
Core Objective | Measure
1. CPOE | Use CPOE for more than 60% of medication, 30% of laboratory, and 30% of radiology
2. E-Rx | E-Rx for more than 50%
3. Demographics | Record demographics for more than 80%
4. Vital Signs | Record vital signs for more than 80%
5. Smoking Status | Record smoking status for more than 80%
6. Interventions | Implement 5 clinical decision support interventions + drug/drug and drug/allergy
7. Labs | Incorporate lab results for more than 55%
8. Patient List | Generate patient list by specific condition
9. Preventive Reminders | Use EHR to identify and provide reminders for preventive/follow-up care for more than 10% of patients with two or more office visits in the last 2 years
10. Patient Access | Provide online access to health information for more than 50% with more than 5% actually accessing
11. Visit Summaries | Provide office visit summaries for more than 50% of office visits
12. Education Resources | Use EHR to identify and provide education resources more than 10%
13. Secure Messages | More than 5% of patients send secure messages to their EP
14. Rx Reconciliation | Medication reconciliation at more than 50% of transitions of care
15. Summary of Care | Provide summary of care document for more than 50% of transitions of care and referrals with 10% sent electronically and at least one sent to a recipient with a different EHR vendor or successfully testing with CMS test EHR
16. Immunizations | Successful ongoing transmission of immunization data
17. Security Analysis | Conduct or review security analysis and incorporate in risk management process
Stage 2 Hospital Goals
Core Objective | Measure
1. CPOE | Use CPOE for more than 60% of medication, 30% of laboratory, and 30% of radiology
2. Demographics | Record demographics for more than 80%
3. Vital Signs | Record vital signs for more than 80%
4. Smoking Status | Record smoking status for more than 80%
5. Interventions | Implement 5 clinical decision support interventions + drug/drug and drug/allergy
6. Labs | Incorporate lab results for more than 55%
7. Patient List | Generate patient list by specific condition
8. eMAR | eMAR is implemented and used for more than 10% of medication orders
9. Patient Access | Provide online access to health information for more than 50% with more than 5% actually accessing
10. Education Resources | Use EHR to identify and provide education resources more than 10%
11. Rx Reconciliation | Medication reconciliation at more than 50% of transitions of care
12. Summary of Care | Provide summary of care document for more than 50% of transitions of care and referrals with 10% sent electronically and at least one sent to a recipient with a different EHR vendor or successfully testing with CMS test EHR
13. Immunizations | Successful ongoing transmission of immunization data
14. Labs | Successful ongoing submission of reportable laboratory results
15. Syndromic Surveillance | Successful ongoing submission of electronic syndromic surveillance data
16. Security Analysis | Conduct or review security analysis and incorporate in risk management process
The Security Agenda
OCR Findings Analysis: Security Top Issues (data as of June 2012)
OCR Findings
Preliminary Observations
• Policies and procedures
• Priority HIPAA compliance programs
• Small providers
• Larger entities security challenges
• Conduct of risk assessments
• Managing third party risks
• Privacy challenges widely dispersed throughout protocol
• No clear trends by entity type or size
The state of BYOD
• Mobile devices are essential to productivity, quality and safety in healthcare
• Providers want to run personal apps and access corporate apps from the same device
• Diversity of hardware, operating systems, and security capabilities
• Policy is not enough
• Technology controls can be expensive
Existing Policy
• Where technically feasible, Users will apply the following safeguards for Mobile Devices that connect to the BIDMC network and/or are used to access, store, transmit or process Protected Data:
  • Password protection;
  • Timeout periods that require re-entry of the password;
  • No more than 10 password attempts before the device content is wiped;
  • Regularly updating anti-virus and other security software;
  • Encrypting Protected Data;
  • Disabling unnecessary services, wireless interfaces and applications (e.g. BlueTooth) when not needed; and
  • Installing a device firewall.
Existing Policy
• Users must:
  • Keep their Mobile Device in their possession, especially when traveling or in an uncontrolled environment (e.g., in a hotel room, a vendor’s facility, or remote location) or, if necessary, secure the device through some other means;
  • Prevent unauthorized persons from accessing BIDMC’s files stored on the device, or using the device to gain access to BIDMC’s network;
  • Report immediately the loss or theft of a Mobile Device owned by BIDMC or suspected to contain BIDMC’s Protected Data; and
  • Dispose of any Mobile Device containing BIDMC Protected Data in accordance with this policy.
Recent BIDMC Laptop Theft
• A personal device
• Violated BIDMC policy - password protected but no timeout and no encryption
• Not physically secured
• Required expensive, time-consuming response
• A teachable moment
Need to Educate and Assist BIDMC Staff
• We have already enforced non-trivial passwords and timeouts on smartphones. Insecure email protocols (IMAP and POP) are blocked
• Phase 1 - encryption of all institutionally purchased laptops and iPads. Encryption of all iPhones and some Android devices
• Phase 2 - encryption of all personal devices used for business including laptops, tablets, iPads, and smart phones
• Attestation requirement
Phase 1
• Intensive 90 day program via internal and augmented staff
• Depots strategically located through the medical center
• Broad communication to BIDMC community followed by targeted communication to the research community
• Pilot in Center for Life Sciences
• Encryption, malware scanning, anti-virus update, patching
Phase 1 encryption
• BitLocker
• FileVault 2
• McAfee Endpoint
• Self encrypting drives
• Upgrades
Phase 2
• Expand depots to include personal devices
• Challenges posed by Windows XP, Snow Leopard, Android, and older hardware
• Licensing costs
Attestation
• Require each staff member to attest that all mobile devices used for business whether provided by corporate or purchased personally are encrypted
• Attestation as part of the password renewal process
Future Considerations
• Mobile Device Management
• Locally persistent email options
• Social networking policy
• Cloud storage
• Phased restrictions
Questions?
• http://geekdoctor.blogspot.com