If they didn’t know it already, members of the hospital field’s C-suites do now: Keeping health care data out of the hands of cybercriminals is harder than ever.
Thanks to stories in recent months about the escalating lengths to which criminals will go to profit from stealing hospital data or holding it for ransom, awareness of the depth of the problem has reached the general public.
“We can’t take this threat too lightly,” says Jon Melling, a partner with information technology-focused Pivot Point Consulting. “Patients and other interested stakeholders expect health information to be kept absolutely confidential.”
Cybersecurity is just one of the areas shown to be getting a lot of attention in the results of the 2016 Health Care’s Most Wired survey, conducted by our sister publication Hospitals & Health Networks and Health Forum. Other matters growing in importance among the Most Wired hospitals and health networks include using data to make the transition from volume-based to value-based reimbursement; helping to connect hospitals in remote locations with specialists via video or audio; and continuing to work to make electronic health records more useful and shareable among different hospitals and health systems.
But the protection of valuable health care data is at or near the top of chief information officers’ priority lists. “The way [criminals are] getting in primarily is through phishing emails,” says Lynn Sessions, a partner with law firm BakerHostetler. “What happens is a health care employee gets an email thinking it’s a legitimate email. And these are very convincing emails. And they end up giving up their username and password,” Sessions says.
Hospitals and health systems are fighting back in response to the threats presented by hackers, putting more resources into defensive systems and employee education, according to the results of this year’s survey.
Most Wired-designated participants already were big users of defensive measures such as intrusion detection systems — every year since 2013, at least 92 percent of them used such approaches. Now, Most Wired hospitals and health systems are taking more aggressive steps to beat back the hordes of hackers and hacking programs searching for a way into hospitals’ information technology systems. Sixty-seven percent of Most Wired hospitals and health systems are using pattern detection to prevent automated logins, compared with 60 percent in 2015 and just 48 percent in 2013.
A less-discussed but still important threat that the hospital field is addressing concerns what's called social engineering. The practice entails using personal interaction — such as posing as a co-worker or family member — to obtain password information or some other means to crack into a hospital’s data.
“When we do a security assessment, we look at technical security, the basics like bits, bytes and wires,” says Munzoor Shaikh, a director in the health care practice of consulting firm West Monroe Partners, Chicago. “But beyond the bits, bytes and wires, there’s a lot of internal security measures that actually have to do with the human and the process side.” Hospitals should have some type of process to limit that kind of risk, he says.
Among Most Wired hospitals, 40 percent perform annual social engineering risk assessments, 28 percent perform unannounced assessments, and 7 percent perform assessments quarterly. Eight percent perform such assessments no more frequently than every two years and 17 percent never do, according to Most Wired data.
Dialing up care
The Most Wired hospitals and systems in the survey are users of telehealth to varying degrees, but experts say telehealth, in its different forms, is on the upswing, despite being hindered by reimbursement limitations. “Telehealth is getting a lot more interest,” says Chantal Worzala, vice president for health information and policy operations with the American Hospital Association.
Part of the interest is driven by increased consumer understanding of how much more convenient it can be to interact with others using devices such as smartphones, and health care follows that trend, Worzala says.
Another driver of the growth in telemedicine comes from the inpatient side of care, where telemedicine can limit the effects of caregiver shortages, she says. The same holds true for behavioral health care.
Among those designated as Most Wired hospitals and health systems, the most popular use of telemedicine is for consultations and office visits (61 percent), while the use of telemedicine for rehabilitation (17 percent) was least cited by hospitals.
Among the Most Wired, use of telemedicine for psychiatric examination or psychotherapy in the hospital setting involved close to half of respondents at 47 percent.
Telemedicine would be improved by modernization of Medicare’s handling of such care. “It’s extraordinarily limited in what will be covered,” Worzala says.
Analytics use growing
Meanwhile, the use of IT data to better care for patients and patient populations continues to grow in popularity. “Analytics is picking up very, very nicely,” says Marc Probst, chairman of the College of Healthcare Information Management Executives and chief information officer for Intermountain Healthcare, Salt Lake City.
Probst notes that analytics used to be the domain of just a handful of academic organizations that were able to use the data they were collecting to conduct strong analyses and make better decisions for clinical and even financial practices. That capacity is spreading, he says.
“We’re seeing a tremendous uptick in capability and use. That’s a neat opportunity,” Probst says.
The survey data back up that view, with less than half (41 percent) of Most Wired hospitals and systems performing advanced analytics such as conducting controlled experiments or scenario planning and some form of forecasting.
But 91 percent of Most Wired respondents are performing business intelligence analyses in a single department, and 82 percent of all respondents are.
The practice of performing population health analysis with IT as its backbone also is still in the growth phase. The percentage of Most Wired hospitals and systems performing different aspects of pop health management implementation ranged from 48 percent that are synchronizing clinical and financial risk measures for clinical, operational and compliance standards to 84 percent that are identifying and targeting patients for outreach.
Look for the use of these practices to grow sharply as the field transitions to value-based care models. “Most folks would consider the analytics capability for a value-based environment to be an absolutely critical, necessary building block to be successful,” says Scott Ransom, M.D., managing director of strategic solutions for Navigant Consulting.
Integration of data for practical applications has room to grow and potential for great benefits. Fifty-nine percent of the Most Wired integrate clinical and claims data so they are accessible, searchable and reportable across the care community.
Data management cuts costs
Managing data properly helped Mercy, Chesterfield, Mo., when the large health system used clinical data to cut perioperative costs, and Mercy is applying what it learned in that area to other parts of its operations.
“In every health care organization, IT as well as the operations and clinical side are looking at ways to drive expense out of the organization,” says Gil Hoffman, chief information officer with Mercy. “Data play a role in that, figuring out ways we can do things more efficiently and still have the very, very best patient outcomes,” Hoffman says.
Mercy improved efficiency to the tune of $9 million by reworking its purchasing practices using supply cost data in perioperative care. This is an area that drove a large amount of the system’s overall costs, says Betty Jo Rocchio, R.N., vice president of perioperative performance acceleration. Mercy standardized its perioperative supply choices in concert with surgeons on its staff and applied those choices across the organization, Rocchio says. In addition to saving money, outcomes have remained the same or improved, she says.
The biggest task from a data perspective was getting it into an organized, actionable format so that “people can make decisions and consume that information in a way that can drive their business,” Rocchio says. “Most of health care has a ton of data. It’s the analytics that we struggle with.”
Here is a sampling of this year's Most Wired hospitals and health systems, in alphabetical order:
Abington (Pa.) Jefferson Health
Abraham Lincoln Memorial Hospital | Lincoln, Ill.
Adventist Health | Roseville, Calif.
Adventist Health System | Altamonte Springs, Fla.
Advocate Health Care | Downers Grove, Ill.