What Keeps Me Up

at Night, 2013 Edition

John D. Halamka MD

Major Challenges for CIOs

• Healthcare Information Exchange

• Security/Privacy

• Clinical Decision Support

• Patient and Family Engagement

• Analytics, Business Intelligence, and

Quality Measures

FY13 Annual Operating Plan

Improve the Health & Well-Being of Patients, Families, Employees & Physicians

Through Innovative Clinical Care, Education, & Research

System

Advance as a system of care

Clinical Care

Education

Research

People

Engage and develop our people every day

BIDMC Fiscal Year 2013

Operating Plan:

Information Systems

True North

Grow and enhance a market-leading system of care…

… that delivers the highest value…

… by creating and sustaining a culture of continuous improvement…

… through engagement, development, and support of our employees, physicians, patients & families

Owner/ Date

• Develop, standardize, improve

transitions among sites of care

• Respond effectively to the needs of

our network and affiliates

• Achieve optimal alignment between

physicians & hospitals

• Enhance wellness and safety

• Promote & support a culture of

service excellence and continuous

improvement

• Optimize & support learning &

development

Key Opportunities Leader Partners Deliverable/Goal Departments impacted?

Achieve Meaningful

Use Stage 2 IS, Nursing, Ambulatory

Certification by October 1, 2013 and Attestation by December 31, 2013.

Includes EMAR All

Implement ICD10 IS, Nursing, Ambulatory, HMFP Execute 5 workstreams specified in ICD-10 plan, remediate clinical and

financial systems. Includes Clinical Documentation Imrpvoement All

LIS Go live IS, Nursing, Pathology,

Ambulatory Phase 1 go live All

Implement Compliance

Priorities IS, Compliance, HR LMS go live, security initiative completion All

Support ACO Needs IS, HMFP, BIDPO Implement Care Management features in webOMR and business

intelligence applications All

1

2

3

4

5

Cost

Continuously improve our ability to adapt to

changes in the healthcare environment

Maximize efficient utilization of

resources:

•Staff

•Equipment & supplies

•Space

•Diagnostic testing & treatment

Quality

Ensure reliability

•Implement processes that measurably

decrease harm/defects

•Improve reliability though standardization

•Measurably improve patient & family

experience

Value = &

Use #s to show

alignment to goals 1

Stage 2 Physician Goals Core Objective Measure

1. CPOE Use CPOE for more than 60% of medication, 30% of laboratory, and 30% of radiology

2. E-Rx E-Rx for more than 50%

3. Demographics Record demographics for more than 80%

4. Vital Signs Record vital signs for more than 80%

5. Smoking Status Record smoking status for more than 80%

6. Interventions Implement 5 clinical decision support interventions + drug/drug and drug/allergy

7. Labs Incorporate lab results for more than 55%

8. Patient List Generate patient list by specific condition

9. Preventive Reminders Use EHR to identify and provide reminders for preventive/follow-up care for more than

10% of patients with two or more office visits in the last 2 years

Stage 2 Physician Goals

Core Objective Measure

10. Patient Access Provide online access to health information for more than 50% with more than

5% actually accessing

11. Visit Summaries Provide office visit summaries for more than 50% of office visits

12. Education Resources Use EHR to identify and provide education resources more than 10%

13. Secure Messages More than 5% of patients send secure messages to their EP

14. Rx Reconciliation Medication reconciliation at more than 50% of transitions of care

15. Summary of Care Provide summary of care document for more than 50% of transitions of care and referrals with 10% sent electronically and at least one sent to a recipient with a different EHR vendor or successfully testing with CMS test EHR

16. Immunizations Successful ongoing transmission of immunization data

17. Security Analysis Conduct or review security analysis and incorporate in risk management process

Stage 2 Hospital Goals

Core Objective Measure

1. CPOE Use CPOE for more than 60% of medication, 30% of laboratory, and 30% of

radiology

2. Demographics Record demographics for more than 80%

3. Vital Signs Record vital signs for more than 80%

4. Smoking Status Record smoking status for more than 80%

5. Interventions Implement 5 clinical decision support interventions + drug/drug and drug/allergy

6. Labs Incorporate lab results for more than 55%

7. Patient List Generate patient list by specific condition

8. eMAR eMAR is implemented and used for more than 10% of medication orders

Stage 2 Hospital Goals

Core Objective Measure

9. Patient Access Provide online access to health information for more than 50% with more

than 5% actually accessing

10. Education Resources Use EHR to identify and provide education resources more than 10%

11. Rx Reconciliation Medication reconciliation at more than 50% of transitions of care

12. Summary of Care

Provide summary of care document for more than 50% of transitions of care

and referrals with 10% sent electronically and at least one sent to a

recipient with a different EHR vendor or successfully testing with CMS

test EHR

13. Immunizations Successful ongoing transmission of immunization data

14. Labs Successful ongoing submission of reportable laboratory results

15. Syndromic Surveillance Successful ongoing submission of electronic syndromic surveillance data

16. Security Analysis Conduct or review security analysis and incorporate in risk management

process

The Security Agenda

The Security Agenda

10

OCR Findings Analysis

Security Top Issues

Data as of June 2012.

11

OCR Findings

Preliminary Observations

• Policies and procedures

• Priority HIPAA compliance programs

• Small providers

• Larger entities security challenges

• Conduct of risk assessments

• Managing third party risks

• Privacy challenges widely dispersed throughout protocol

• No clear trends by entity type or size

The state of BYOD • Mobile devices are essential to productivity,

quality and safety in healthcare

• Providers want to run personal apps and

access corporate apps from the same

device

• Diversity of hardware, operating systems,

and security capabilities

• Policy is not enough

• Technology controls can be expensive

Existing Policy • Where technically feasible, Users will apply the

following safeguards for Mobile Devices that

connect to the BIDMC network and/or are used to

access, store, transmit or process Protected Data:

•*Password protection;

•*Timeout periods that require re-entry of the

password;

•*No more than 10 password attempts before the

device content is wiped;

•*Regularly updating anti-virus and other security

software;

•*Encrypting Protected Data;

•*Disabling unnecessary services, wireless

interfaces and applications (e.g. BlueTooth) when

not needed; and

•*Installing a device firewall.

Existing Policy • Users must:

• *Keep their Mobile Device in their possession, especially

when traveling or in an uncontrolled environment (e.g.,

in a hotel room, a vendor’s facility, or remote location)

or, if necessary, secure the device through some other

means;

• *Prevent unauthorized persons from accessing BIDMC’s

files stored on the device, or using the device to gain

access to BIDMC’s network;

• *Report immediately the loss or theft of a Mobile Device

owned by BIDMC or suspected to contain BIDMC’s

Protected Data; and

• *Dispose of any Mobile Device containing BIDMC

Protected Data in accordance with this policy.

Recent BIDMC Laptop Theft

• A personal device

• Violated BIDMC policy - password

protected but no timeout and no encryption

• Not physically secured

• Required expensive, time-consuming

response

• A teachable moment

Need to Educate and Assist

BIDMC Staff • We have already enforced non-trivial passwords

and timeouts on smartphones. Insecure email

protocols (IMAP and POP) are blocked

• Phase 1 - encryption of all institutionally

purchased laptops and iPads. Encryption of all

iPhones and some Android devices

• Phase 2 - encryption of all personal devices used

for business including laptops, tablets, iPads, and

smart phones

• Attestation requirement

Phase 1 • Intensive 90 day program via internal and

augmented staff

• Depots strategically located through the medical

center

• Broad communication to BIDMC community

followed by targeted communication to the

research community

• Pilot in Center for Life Sciences

• Encryption, malware scanning, anti-virus update,

patching

Phase 1 encryption

• Bitlocker

• FileVault 2

• Mcafee endpoint

• Self encrypting drives

• Upgrades

Phase 2 • Expand depots to include personal

devices

• Challenges posed by Windows XP,

Snow Leopard, Android, and older

hardware

• Licensing costs

Attestation

• Require each staff member to attest that

all mobile devices used for business

whether provided by corporate or

purchased personally are encrypted

• Attestation as part of the password

renewal process

Future Considerations

• Mobile Device Management

• Locally persistent email options

• Social networking policy

• Cloud storage

• Phased restrictions

Questions?

• jhalamka@caregroup.harvard.edu

• http://geekdoctor.blogspot.com