In my last blog, I mentioned a global survey of frontline healthcare workers completed January 2013 by HIMSS and Intel on what motivates the use of workarounds, what types of workarounds are being used, and where there may be challenges in privacy and security.


One of the most interesting questions the survey asked healthcare workers was, “How commonly do 'workarounds' happen in your organization, which may involve the use of alternative tools such as personal device/apps or social media that may be out of compliance with policy?”


The results found that 22 percent of healthcare workers indicated they use workarounds every day, and 30 percent indicated using workarounds sometimes. Combined, these represent more than half of the 674 global healthcare worker respondents acknowledging that they use workarounds, which puts the confidentiality and integrity of sensitive healthcare data at risk. Workarounds may include personal smartphones, tablets, laptops, USB keys, apps, email, texting, social media and others. The interesting thing about these types of risks is that they can arise even with thin client/VDI solutions. Even the most secure platform, including corporate-provisioned devices, can be affected if the healthcare worker has personal devices with them, is able to install apps, or can use social media, text messaging and so forth.


A key take-away of this result is that the use of workarounds is currently real, serious, and should be included in risk assessments done by healthcare organizations. These types of risks are also poised to grow as healthcare workers are increasingly empowered with more exciting and powerful personal devices, apps, social media and tools they can and do use to improve healthcare, but in many cases inadvertently also add privacy and security risk.


Stay tuned for more information in my weekly blog series. Next week we’ll look at the specific motivations and drivers that are compelling healthcare workers to use workarounds, ranging from healthcare solutions that are unusable, to IT departments that are too slow to enable new technologies and apps, to cumbersome security controls that are impeding healthcare workers.


Are you currently including risks of workarounds used by healthcare workers in your risk assessments?


If you will be at HIMSS13 in New Orleans, join us for a workshop panel to explore this concept further. RSVP and reserve your spot.



We spend a lot of time and attention analyzing vulnerabilities with specific endpoint devices or cloud platforms, which is warranted, but often not the most significant source of privacy and security risk.


Healthcare workers are being increasingly empowered with tools from bring your own device (BYOD) personal smartphones, tablets, laptops, to personal apps for file transfer, note sharing and other tasks, to social media, texting, personal email, USB keys and so on. When healthcare solutions, or the security around them, are perceived by healthcare workers as unusable or cumbersome, they can and do use workarounds that can drive additional risk.


One specific example is moving unencrypted patient information using a file transfer service accessed using an app running on a personal device. In this case the sensitive healthcare data is moving through the data transfer cloud associated with the file transfer app. This moves the protected healthcare data into a “side channel”, separate from the EHR, out of the control of the healthcare organization. This in turn adds risk of confidentiality breaches, as well as risk to the integrity or completeness of the patient record, since data moving in side channels like this, out of band with the official repository, e.g., the EHR (Electronic Health Record) solution, often does not result in updates to the patient record.


Over time the patient record can become incomplete or dated. In a best case this can result in suboptimal healthcare, and in a worst case become a patient safety concern.  This vulnerability can exist even with a secure endpoint device and secure cloud behind it, and even if a thin / VDI client is used, since it only requires the user to have the ability to install and use the file transfer app.




In January 2013, HIMSS surveyed frontline healthcare workers globally on what motivates the use of workarounds, what types of workarounds are being used, and where there may be challenges in privacy and security such as lack of policy, enforcement, or ineffective training. This survey greatly exceeded the expected response rate with more than triple the target number of responses, or 674 total respondents. Here are some quick bites of information about the respondents:


  • 77% of respondents were in North America
  • 11% in Europe
  • 4.5% Middle East
  • 46% of respondents were working in hospitals
  • 27% in multi-hospital systems or integrated delivery systems
  • 7% in ambulatory care facilities
  • 66% of respondents were in large organizations with more than 500 employees
  • 23% in medium sized organizations with 50-500 employees
  • 10% in small organizations with less than 50 employees


The largest categories of roles of respondents were nurses at 14 percent, doctors/PAs/nurse practitioners at 13 percent, administrative directors/managers at 11 percent, and several other healthcare frontline worker roles across provider, payer, life sciences and pharma sectors of healthcare.


What did they have to say? Stay tuned for more information in my weekly blog series leading up to HIMSS13 on the drivers motivating use of workarounds by healthcare workers, what specific workarounds they are using, and where privacy and security is breaking down.


What risks are you seeing in your healthcare organization with sensitive healthcare data moving from endpoint devices into unsecured clouds?


If you will be at HIMSS13 in New Orleans, join us for a workshop panel to explore this concept further. RSVP and reserve your spot.



By now, many of you have likely heard about the four V’s of Big Data: Volume, Velocity, Variety and Value. The ideas behind this construct for Big Data were conceived by Gartner over a decade ago. In the coming months, you will find a number of blogs, papers, videos and other resources here that discuss Big Data solutions for healthcare and life sciences in greater detail.


These solutions will take advantage of advanced platform capabilities from Intel and ecosystem partners to improve the reliability, scalability, and security of these solutions.  As an introduction, I wanted to use this space to set the stage for what Big Data means to healthcare, and why these solutions are needed:


•    Volume: The amount of healthcare data that needs to be stored, managed, processed and protected is growing at an ever-increasing rate. This situation is exacerbated by strict data retention requirements. Medical imaging is one area where the growing volume of data is especially evident. According to IBM, 30 percent of the data stored on the world’s computers are medical images. Advances in the life sciences industry in the area of cost-effective genomic sequencing are causing data storage needs in this segment to explode. Many traditional solutions have trouble scaling to accommodate this growing volume of data. “Scale-Out” solutions, where computing nodes are added to an existing cluster to meet growing demand, have several advantages over traditional “Scale-Up” solutions, where one big, powerful server is replaced with another bigger, more powerful server.


•    Velocity: Many existing analytics / data warehouse solutions are batch in nature, meaning all the data is periodically copied to a central location in a ‘batch’ (for example, every evening). Clinical and administrative end users of this information are, by definition, not making decisions based on the latest information. Use cases such as clinical decision support really only work if end users have a complete view of the patient with the latest information. Solutions that make use of in-memory analytics or column-store databases are typically used to improve the velocity of the data or “time to insight.”


•    Variety: Traditional analytics solutions work very well with structured information, for example data in a relational database with a well formed schema. However, the majority of healthcare data is unstructured. Today, much of this unstructured information is unused (for example, doctor’s free form text notes describing a patient encounter). Sophisticated natural language processing techniques and infrastructure components such as Hadoop Map-Reduce are being used to normalize a variety of different data formats, unlocking the data in a sense for clinical and administrative end users.


•    Value: Analysis by McKinsey Global Institute has identified a potential $300 billion value for Big Data per year in the healthcare industry in the U.S. alone. The majority of this value would be realized through savings/reduced national healthcare spending. For individual healthcare organizations, Big Data value will be realized by more efficient, more scalable management and processing of a quickly growing volume of data, and by enabling faster, better-informed decisions by clinicians and administrative end users.


If you would like more information on the role Intel plays in Big Data for healthcare, visit this site: Big Data and Analytics in Healthcare and Life Sciences.


What questions do you have about Big Data in healthcare? What challenges is your organization facing in regards to the four V’s? Leave a comment or follow me on Twitter @CGoughPDX.

The consumerization of mobile devices poses unique challenges for healthcare CIOs, who are tasked with maintaining security, streamlining productivity gains expected of the industry’s growing mobile workforces, and implementing information technologies that ultimately lead to improved quality of care.


For a glimpse into how one leading healthcare organization is managing the bring-your-own-device (BYOD) trend, I reached out to Hal Baker, M.D., vice president and CIO at WellSpan Health Systems.


With more than 9,000 employees, volunteers, and physicians, the health system includes WellSpan Medical Group, 35 outpatient health care locations, and three respected hospitals: WellSpan York Hospital, WellSpan Gettysburg Hospital, and WellSpan Surgery & Rehabilitation Hospital.


Dr. Baker reports his organization is down to less than 40 Blackberrys, given the rise in popularity of Droid and iOS devices among physicians, nurses, and administrative staff.


While hourly administrative staff members’ mobile devices are not connected to the health system’s network because labor laws prohibit such employees from working off-hours, physicians’ and medical salaried staff’s devices are loaded from Exchange Server to ensure confidential information is adequately protected. This approach can work well for health systems, provided Exchange Server runs on the server side and the organization can provide access from client software running on a mobile device.


Virtual desktop

To better manage the BYOD trend—and to make the organization’s own devices easier to support and less expensive to manage—WellSpan has begun implementing a virtual desktop solution running Windows 7 in a server array. Unlike thin client solutions, it functions similarly to PC Anywhere, bringing up what is essentially a brand new PC for laptop and desktop users every morning.


“Our virtual desktop set-up is nice because none of the data leaves the data center,” says Dr. Baker, “so, there’s no footprint on the laptop. Users can log out and have it sit in a suspended state without worrying about anything being resident.”


In addition, Dr. Baker’s team has set up a throttled guest network that is shared by staff bringing in their own devices, as well as patients, families, and guests. Doing so has helped WellSpan reduce internet saturation due to bandwidth intensive sites such as YouTube.


As his department disables networks that use older encryption, such as WEP, Dr. Baker anticipates the creation of another guest network for workforce and medical staff. This additional network will be kept off WellSpan’s domain because he doesn’t want to put unmanaged devices on the organization’s domain for security reasons. A full-time security team prevents issues from developing among users who may seek workarounds.



For healthcare organizations, the age of accountable care hinges on being able to reach people in their homes, especially patients who are at high risk of readmission.


However, the same mobile technology that empowers staff to send photos of a patient’s condition to a physician may also place the entire health system at risk of a HIPAA violation if those images end up on an employee’s iCloud, or accidentally posted to Facebook. It’s not that a staff member would deliberately share such information, more a risk of unintentional connectivity that extends from the consumer realm into the healthcare space.


In WellSpan’s case, the health system made a business decision to connect mobile staff, such as visiting nurses, via email, not text. Information shared among medical staff through mobile devices remains encrypted during transmission and does not enter the EHR until a physician forwards it to the records department so it may be added to the EHR.


“Our challenge,” says Dr. Baker, “is to try to leverage the consumerization of communications—text messaging, pictures, Skype, Facetime—to allow connectivity for the coordination of care, which is all the good stuff, while doing it in a way that protects the sanctity of security that HIPAA, I think, reasonably expects of us.”


Toward that end, WellSpan has installed a Symantec product on all laptops and USB drives, and has enforced encryption on all connected smart phones. Any file downloaded, copied, or received as an email is now automatically encrypted.


The IT team also has educated staff and physicians on why it’s necessary, for example, to enter a password to access a PowerPoint presentation.


Yes, it’s a pain, but already the approach has paid off. Last year, a WellSpan employee’s car was broken into and a laptop that contained protected health information (PHI) was stolen. The organization was able to sidestep a breach—and appearing on the dreaded Wall of Shame—because the IT Department could show the laptop was fully encrypted and in a locked state.


Mobile apps

Although WellSpan does not formally participate in an ACO program, the health system provides significant primary care through its medical group, effectively serving as an accountable care organization for the uninsured population in its community.


While many in this population don’t have a computer or high speed internet in their homes, a surprising number regularly access the Web via smart phones.  With so many patients now bringing their own devices to facilities, WellSpan has opted to develop its own mobile app for patients, a move Dr. Baker expects to further improve quality of care.


The health system’s mobile app will offer appointment reminders, directions to offices and facilities, and barcode scanning for refilling medications—for starters.


Granted, such apps are widely available through third party vendors, but Dr. Baker feels mobile offers an opportunity to stay connected with a population of patients for whom it is WellSpan’s mission to keep healthier. After all, four 15-minute visits per year aren’t as effective at keeping a diabetic patient under control as a provider who can stay in touch monthly, or weekly, via the Web.


“If we’re going to reach our patients and give them information, then let them see what their lab results show, let them communicate with us when they get off their night shift at 4:00am, or after working a second job,” Dr. Baker says. “We need to be able to reach out to them through this technology.”


What questions do you have?


As a B2B journalist, John Farrell has covered healthcare IT since 1997 and is Intel’s sponsored correspondent.
