April 25, 2014

Of Portals and Patient Care: Education and the Healthcare PM

Patient Education, Literacy and Patient Portals are Making Healthcare Inroads

Patient Education and Literacy are among the key topics that are bandied about in the Preventative Medicine discipline and its quest to reduce healthcare costs.  Of course the fact that 42 percent of patients do not understand “empty stomach” guidelines for medication is a cause for concern and a data point for how effective healthcare and wellness education has been to date.

With that in mind, AtTask has published a short piece of mine that covers Patient Education and how it impacts healthcare professionals and the project managers tasked with implementing Patient Education-based projects.

Here’s a bit of the post and then follow the link for the remainder of the article:

I had mentioned in my last post, Hazards on the HIE Road – A Map for Project Managers, that I was going to discuss Patient Education and the projects that PMs are going to be exposed to in this space.

Like most things in healthcare, patient portals and education are linked to HIPAA, Meaningful Use and the Joint Commission. Project Managers must understand the various technological, business and healthcare related drivers that are moving these tools to the fore.

Patient Learning and the tools associated with that discipline have gained considerable traction in the healthcare field. Driven by regulatory, technological, and patient forces, healthcare providers are launching suites of tools that allow patients to access their medical records online, order tests and interact with providers. Medical professionals are relying more on patient portals and other tools to drive better results for their practice and efficiently facilitate patient visits.

Not only do patient learning tools and portals educate the client, they provide risk management and business process management benefits. These tools help coordinate the distribution of clinical, administrative, and financial activities including multi-disciplinary and multi-care settings, plans of care, active care coordination, and the automation of compliance management with a healthcare provider.

- See more at: Of Portals and Patient Care: Education and the Healthcare PM

Plugging Breaches with Bureaucrats

The Paperwork Makes Your Interwebz Secure.

Filling Out These Forms Will Make You Secure....Really.

Breaches of Sony’s and Epsilon’s networks in recent months have shone a light on a very real concern in the Age of Stolen Information.  The government believes that more legislation and regulation will solve the security problems that plague our interconnected networks and systems.

One only has to take a quick glance at the latest regulations from the Food and Drug Administration (FDA) on Medical Device Data Systems (MDDS) or the new Cyberwarfare Doctrine from the Pentagon to see the trend toward greater regulation.

But rules dictated by government fiat always lag far behind technological advances and create a “security by compliance” culture.  So what is the solution?

In my opinion, additional Federal legislation on the subject of information security breaches is unnecessary.  Currently there are multiple industry regulatory regimes that cover information security best practices.  At a high level here are a few:

I have recently contributed to three articles that tie into my opinion on security by regulation.  One was for the Chicago Tribune entitled “Security Breaches Highlight Need for Consumer Vigilance.”  It covered the impact of the Walgreens, McDonald’s and Gawker security breaches.  Another was published for PCWorld on the PlayStation Network security breach.  The title of the article was “Experts on the PSN Hack: Sony Could Have Done More.”  Finally, a piece just ran in InfoWorld entitled “10 Hard Truths IT Must Learn to Accept” where I discuss the security by compliance issue and how the pursuit of 100 percent compliance and security is a folly.

Legislation will not address enterprise security problems.  However, if you look at what caused the PSN security breach, there were multiple issues that led to the compromise.  The chief causes appear to be that Sony was lax about routine maintenance of its infrastructure and had no effective internal or external communication.  This includes:

  • Server patching and hardening
  • Monitoring the network and servers for suspicious activity
  • Disjointed or missing breach response procedures
  • Lack of security leadership in the organization
  • Lack of breach communication plan

If We Hit it Harder It Might Fit!

Government Regulations at Work.

The best way to minimize the risk of a breach for an organization is to stay on top of standard maintenance and monitoring procedures.  Keep the organization’s servers patched and make sure they are hardened before putting them on the production network.
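The monitoring half of that advice is the part most often skipped because “the checklist says we have logging.”  Logging is not monitoring until something reads the logs.  The following is an added example, not code from the original post: a small detector that reads OpenSSH-style auth log lines and flags a source address that racks up a burst of failed logins, and whether a successful login from that address followed the burst (the signature of a password-guessing attack that worked).  The log lines are constructed for illustration; the five-failures-in-five-minutes threshold, the year used to complete the syslog timestamp, and the line format are assumptions to tune for your own hosts.

```python
"""Flag brute-force login activity in sshd-style auth log lines.

Added example (not the post's own code).  Sample lines are constructed;
the threshold, window and log format are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source hammers root/admin and then gets in;
# a second host shows ordinary traffic with a single typo'd password.
SAMPLE_LOG = """\
Apr 24 02:10:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Apr 24 02:10:03 web1 sshd[2102]: Failed password for root from 203.0.113.7 port 51124 ssh2
Apr 24 02:10:05 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Apr 24 02:10:08 web1 sshd[2104]: Failed password for root from 203.0.113.7 port 51133 ssh2
Apr 24 02:10:11 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51140 ssh2
Apr 24 02:10:14 web1 sshd[2106]: Accepted password for root from 203.0.113.7 port 51142 ssh2
Apr 24 02:11:00 web1 sshd[2107]: Accepted publickey for deploy from 198.51.100.20 port 40012 ssh2
Apr 24 02:15:00 web1 sshd[2108]: Failed password for deploy from 198.51.100.20 port 40020 ssh2
Apr 24 02:15:02 web1 CRON[2110]: pam_unix(cron:session): session opened for user root
"""

# Matches the common OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2014):
    """Return a dict for an sshd auth line, or None for lines we do not care about.
    Syslog timestamps carry no year, so one is supplied (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return one alert per source IP that produced >= threshold failed logins
    inside a sliding time window.  Each alert records the burst size, the
    usernames tried, and whether an Accepted login from that IP came after
    the burst (worth escalating: the guessing may have succeeded)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        burst = None  # (first_ts, last_ts, count) of the first qualifying burst
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it covers <= window seconds.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = (failures[start]["ts"], failures[end]["ts"], end - start + 1)
                break
        if burst is None:
            continue
        success_after = any(
            e["result"] == "Accepted" and e["ts"] >= burst[1] for e in evs
        )
        alerts.append({
            "ip": ip,
            "failures": burst[2],
            "first_failure": burst[0],
            "users": sorted({e["user"] for e in failures}),
            "success_after_burst": success_after,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On a real host this would read `/var/log/auth.log` or `journalctl -u ssh` output on a schedule, and an alert with `success_after_burst` set should page someone rather than land in a report.  The point for the compliance discussion is that a regulation can require the log file to exist; only a practitioner decides what in it is worth waking up for.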

Ensure there is a security breach response plan that has been tested and communicated to the highest levels of the company.  Have a single point of contact that directs communication regarding the breach to the appropriate parties.  Also, ensure that the breach plan includes a robust communication plan for potentially affected customers.

Finally, there is always going to be a risk for a security breach or data loss.  Systems and software are designed by humans and there will be flaws that can be exploited.  Plus, social engineering will always provide a path to compromising the most secure systems due to the fallibility of the human element.  Legislation will not address these factors.

Security practitioners understand that there is always a risk for a security breach.  Therefore, risk assessment and risk management are a key component of a security professional’s job.  Identify the most critical systems and data and implement the most robust safeguards around them.  Focus monitoring efforts on these critical areas and ensure the organization’s senior leadership understands the risks, mitigation strategies and internal/external communication plans.

In my experience, compliance with multiple frameworks and regulations creates a belief in security by compliance. Organizational leadership buys into the mindset that if they have all the check-boxes marked, then they are secure and additional policies, programs and monitoring are wasted efforts.  This is a critical mistake in an age when your adversaries can turn on a dime and exploit your inflexibility.

Dr. House, EHR and Consulting: The Case of the Unpopular Mandate

EHR, HIPAA, HITECH and its Impact on Successful Implementations

Consulting and the Fictional TV Doctor.

At a high level, information technology professionals are like physicians.  They recommend new treatments (EHR software) to address conditions (HIPAA).  Unfortunately IT pros don’t get paid nearly as well, but at least we both worry about outsourcing to some degree.

The stereotype of the IT professional can also be compared to a doctor, or at least a fictional one, Dr. Gregory House.  Sullen, anti-social, with a high regard for his own knowledge, Dr. House avoids all contact with his customers (patients).  He only swoops in to provide a solution to a problem (condition) before he retreats once more to his solitude. [Read more...]