TCS Healthcare Announces the Release of Acuity Connect v7.32

AUBURN, Calif., October 4, 2019 – 

What’s New in this Release of Acuity Connect™ v7.32

This release improves overall security and addresses vulnerabilities that have been discovered since the last release.  Updates to the Java®, Apache Tomcat®, and Apache HTTP Server™ platforms are included.

 

Security Improvements

Acuity Connect v7.32 includes the following fixes to address vulnerabilities and security concerns:

  • Implemented the AllowedMethods method in Apache HTTP Server to prevent malicious actors from obtaining server configurations through an insecure use of the OPTIONS method.
  • Fixed a bug that could allow a malicious actor to access the Apache HTTP Server environment’s as well as any new directories that were added after implementation.
  • Updated HTML doctype directives to ensure a malicious actor cannot downgrade sessions from the browser’s modern “standards mode” to a more insecure “quirks mode”.
  • Deprecated support for version 1.1 of the TLS connection protocol to prevent malicious actors from downgrading a session’s encryption algorithm to an older, rarely used, and potentially less secure protocol. Acuity Connect will now only support connections using TLS version 1.2.
  • Updated the jQuery® implementation used by Acuity Connect from 2.2.4 to 3.4.1 to address several vulnerabilities. A detailed change log can be found at the following website:  https://github.com/jquery/jquery/compare/2.2.4...3.4.1

Platform Updates

Acuity Connect v7.32 also includes significant updates to the supplied software platforms.

  • Java: This release moves Acuity Connect from a 32-bit (x86) Java 8 Runtime Environment (JRE) platform to the most recent LTS 64-bit Java 11 Development Kit (JDK) release.  This update includes a JDK software package as Oracle® has deprecated standalone JRE releases.  For detailed upgrade instructions, refer to the Acuity Connect v7.32 Installation Guide.
    • For a list of changes, refer to the Java 11 release notes.
  • Apache Tomcat: This release moves Acuity Connect from a 32-bit (x86) Apache Tomcat 8 environment to a 64-bit Apache Tomcat 9 environment.  This new version fixes several bugs and known vulnerabilities.  For detailed instructions on backing up and replacing Apache Tomcat installations, refer to the Acuity Connect v7.32 Installation Guide.
    • For a list of changes, refer to the Apache Tomcat 9 change logs.
  • Apache HTTP Server: This release moves Acuity Connect from a 32-bit (x86) Apache HTTP Server 2.4 environment to the latest 64-bit version of the server software.  This new version fixes several bugs and known vulnerabilities.  For detailed instructions on backing up and replacing Apache HTTP Server, refer to the Acuity Connect v7.32 Installation Guide.
    • For a list of changes, refer to the Apache HTTP Server 2.4 fixed vulnerability list.

Bug Fixes

Acuity Connect v7.32 also addresses the following functionality issue:

  • Fixed a bug that prevented Auto Approval Rules from accepting and saving changes to the Assessment Form checkbox.

 

 

Copyrights and Trademarks

ACUITY Advanced Care, ACUITY, Acuity Connect, AcuPort, AcuStrat, AcuPrint, and AcuCare are trademarks of TCS Healthcare Technologies.  All rights reserved.

Microsoft SQL Server and all Microsoft Windows products are registered trademarks of Microsoft Corporation of the United States.

CPT five-digit codes, descriptions, and other data only are copyright American Medical Association.  All rights reserved.  Fee schedules, relative value units, conversion factors and/or related components are not assigned by the AMA, are not part of CPT, and the AMA is not recommending their use.   The AMA does not directly or indirectly practice medicine or dispense medical services.  The AMA assumes no liability for data contained or not contained herein.  CPT is a registered trademark of the American Medical Association.   Applicable FARS / DFARS; restrictions apply to government use.

Oracle and Java are registered trademarks of Oracle and/or its affiliates.  Other names may be trademarks of their respective owners.

Advanced Installer is a trademark of Caphyon software.  All rights reserved.

Apache, Apache HTTP Server, Apache Tomcat, and the Apache feather logo are either registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries.

jQuery is a registered trademark of the JS Foundation in the United States and/or other countries.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org).   Web user interfaces and PDF technologies in Acuity Connect utilize components from Kendo UI by Progress.  Progress, Telerik, and Kendo UI are registered trademarks of Progress Software Corporation in the U.S. and other countries.  All rights reserved.


Physician and Nurse Involvement Is Critical in EHR Selection and Implementation

Debb Keller, RN, CMCN, CCM, CPHQ

Chief Executive Officer

Pat Stricker, RN, MEd

Senior Vice President

 

I frequently hear some “older” physicians and nurses complaining about electronic health records (EHRs). They feel they inhibit documentation and are cumbersome and frustrating to use. However, I can’t imagine any of the younger physicians or nurses would ever conceive of working in a system without electronic patient records.

 

As I was beginning to write this article I began to wonder how many of you even remember the days in which there were no computerized records — when everything was in a written chart that was only accessible to one member of the healthcare team at any one time. I’m sure that must be more than half of you reading this article. For those of you that don’t know what it was like before computerized records, let me give you some insight.

 

Imagine having to submit a list of patients that you were going to see tomorrow in the clinic to the Medical Records Department (MRD) the day before so they could gather the records and bring them to the clinic that morning. Or if you are seeing a patient in the Emergency Department you would need to call the MRD and ask them to bring the patient’s record to the ED. Until you get the record you would be caring for the patient without having any medical history. And once you are finished with the record it would need to be returned to the MRD for filing or, if the patient was admitted, the record would need to be transferred to the floor with the patient.

 

If the patient had any lab, x-ray, or other procedures done within the last day or so, those results would probably not be filed in the record yet. They would still be with the provider for review or waiting to be filed. In the hospital, if these results were needed right away, they would be sent to the department via an archaic pneumatic tube system that was available throughout the facility. (And they often got sent to the wrong area!) In addition, only one person had access to the patient’s record at a time. Other care team members could not review the record to help them make clinical decisions.

 

Is that system archaic enough to convince you that we need electronic medical records? If not, let’s talk about how the record was documented. All notes were written manually (and hopefully they were legible enough so everyone could interpret them). There was no automated documentation or structured documentation standards that make it easier to find information. There was also no automated medication information, lists, or order entry, nor any decision support tools. These were only available in reference books that might not be readily available when you needed them.

 

Okay! Have I convinced you yet that the minor inconveniences that we may have in using an EHR today are better than using written records?  I hope so.  Are there things we can do to make the EHR system perform better and meet our needs? Absolutely! But we need to get involved!

 

I’d like to share with you portions of a blog written by Debb Keller, RN, the CEO of TCS Healthcare Technologies. Debb feels that it is critical for physicians and nurses to be intimately involved in the selection and implementation of EHRs in order to make them work efficiently. Here are portions of Debb’s blog, Why Practitioners, and Nurses Especially, Need to Be More Involved With EHRs.

 

“Electronic Health Records – EHRs. In theory, it sounds so simple. I mean, who keeps paper records anymore? Open a bank account or a credit card, and they’ll encourage you to “go paperless” and receive bills and statements only electronically. Cloud storage services allow you to store all your files in a way that allows you to access them anywhere. Address books are replaced with contact lists, and now you even have the option of receiving an e-receipt instead of a paper one when you buy a cup of coffee.

Why, then, do EHRs live in infamy in the healthcare world? It’s not because electronic records aren’t useful in healthcare: they allow access to information at the point of care, and they help avoid problems like misreading or mishearing written or phone prescriptions, which can lead to a patient receiving the wrong medication.

The issue at hand is the user-friendliness of these technologies. ……. A whopping 44% of physicians and 35% of Nurses and APRNs (Advance Practice RNs) surveyed in a Medscape poll said that EHRs had reduced the quality of care they were able to provide. Those surveyed cited problems such as ‘added paperwork/charting, entering data during the patient encounter, lack of interoperability with other systems and system failures or problems.’

These technological pain points have not only reduced care quality in the eyes of large proportions of practitioners, they also reduce job satisfaction, which contributes to burnout.

Although there isn’t a silver bullet to improve such a complex problem, the first step is to increase the involvement of practitioners with EHRs. No matter where your healthcare practice or company currently stands with its EHR system, there are actions to be taken:

  • EHR system currently in use: even if you have an EHR system and aren’t in a position to replace it, you can still take steps to improve things for your healthcare professionals and, in turn, your patients. It shouldn’t come as a surprise that educating on a subject makes it more manageable, but in a study by Arch Collaborative, tens of thousands of clinicians were interviewed and found to have ‘critical gaps in users’ understanding of how to optimize their EHR.’ Though no amount of training can fix flawed technology, it can certainly improve both experience and outcomes.
  • Implementing an EHR system: there are a lot of EHR systems on the market and choosing the right one isn’t always easy. The choice will certainly vary based on your practice. Now, who do you think will have the best sense of the needs of your practitioners? I think you know where this one is going. 66% of physicians and 80% of APRNs/nurses were not consulted in the EHR system selection process, according to a Medscape poll, and of those who did weigh in, only 2% said the system they wanted was chosen. Now, I can understand that sometimes, the opinions of practitioners might not be what the practice goes with in the end; it could come down to a budget or system compatibility issue. However, the fact that it’s so infrequent, among companies who are bothering to ask at all, can’t be chalked up to those excuses.
  • Companies designing EHRs: for technology companies in the healthcare space, just like any other, user experience design is so important. Whatever approach you may take, whether it is having clinicians work directly with the design team, doing extensive user research, or undergoing extensive user testing, bringing in end users is going to give you a product that works better for them. For instance, Dr. Lalita Abhyankar wrote in an OpEd entitled “You Hate Your EHR? Help Develop Something Better” about her experience going to a meetup for people interested in healthcare tech. ‘As I walked home in the cold that night, I realized, perhaps, the reason we are the victims of poorly designed technology is because many of us haven’t yet elbowed our way to a seat at the table.’ Challenging though it may be, we can all try to get to the table and give our opinions.

I want to note that while it’s important for every end-user to be involved in development, selection, and implementation of EHRs, involving nurses and APRNs is especially important. Although studies have shown that overall, nurses are more satisfied with their EHRs than physicians, they still face a lot of issues using them, and over one third still feel they were reducing care quality. Moreover, ‘The majority of the care-delivery support that occurs in the EHR is completed by nurses.’

Patricia Daly puts it especially well in an article for LWW’s Nursing Journal: ‘These clinical nurses are experts in patient-care delivery and can articulate the needs of patients, families, and nurses to HIT professionals.’

Every single day ……., I draw on my experience as an RN. As a practicing nurse, the resources I needed were provided by technology companies. As the CEO of a technology company, the resources I need are provided by clinicians—their knowledge and expertise is essential to me and my team doing our jobs as effectively as possible.

I believe so strongly that technology in the healthcare space (including EHR) is just getting started. It has the enormous capacity to not only help practitioners by making their lives easier but help them help patients as well. And that’s the ultimate goal here, isn’t it? Helping patients!”

 

Very well said, Debb.  I think it is clear that we all need to “elbow our way to the table” and get involved.  Sure, EHRs can be frustrating at times, but not as frustrating as returning to an archaic written record. I don’t think anyone can deny that EHRs increase the quality of patient care and the efficiency of the staff. However, we can even make these systems better by providing input into their selection and implementation. Next month, we will look at what we can do to help select the right EHR and how to make sure the system is implemented in a way that meets our needs and those of our patients.


TCS Healthcare Technologies Names Matt Fahner new VP of Engineering

AUBURN, Calif., Sept. 4, 2019 /PRNewswire/ — TCS Healthcare Technologies (TCS), a leading provider of population health and managed care software, is pleased to announce that Matt Fahner has been appointed Vice President of Engineering. In this new role, Mr. Fahner will oversee the development of all TCS products.

According to Debb Keller, CEO of TCS, “Matt is absolutely the right person to continue to move our product offerings forward.  Matt consistently strives to understand what our clients need, what works for them, and what doesn’t.  He has a true passion to deliver products that far exceed the original goal.  That passion to ‘get it right’ is reflected across his entire team.  Matt truly has a ‘servant spirit’ which is the foundation of the culture at TCS.”

On the topic of product development, Fahner notes, “I always want to understand the user experience and find ways to make it better.  I want to provide solutions that aren’t just better ‘for now,’ but are actually designed for growth and changing business needs.”  This is an area that Fahner has come to understand well due to his long tenure with TCS.  He notes, “While some of the foundational needs of our clients have not changed a lot since 2008, a lot has changed for them.  They need more data integration, they need more flexibility, more analytics, and more workflow efficiency than ever before.  Building products that can meet these needs and evolve without losing data integrity or relying on expensive and cumbersome customizations is our main focus.”

Keller notes, “Under Matt’s leadership, TCS released our latest platform last fall, ACUITYnxt, to an overwhelmingly positive market response.  The wonderful feedback we are continuously getting is a direct result of Matt and his team’s efforts to go above and beyond.”

To learn more about TCS and its suite of software products, visit our website or contact Marissa Lish at mlish@tcshealthcare.com.


How to Recognize a Phishing Attack

Pat Stricker, RN, MEd

Senior Vice President

Last month’s article, Healthcare Data Breaches: Their Frequency, Impact, and Cost, discussed the overall impact that cybersecurity breaches are having on healthcare. Healthcare continues to lead all industries in the number of breaches with 27% and has the highest cost for data breaches at $408/record, nearly three times the cross-industry average of $148. While the number of data breaches in healthcare remained relatively the same between 2017 and 2018 (359 and 351), the number of healthcare records exposed increased at an alarming rate of over 250% (5,138,179 to 13,020,821). This shows that hackers are getting bolder. They realize each healthcare record is worth $50 on the black market, much more than Social Security and birth date records ($3) or credit card information ($1.50).  That is because healthcare records contain personal, financial, and medical data that can be used for Medicare fraud – the most profitable type of identity theft.

 

Studies also show that healthcare employees are seven times more often responsible than employees of other industries for causing breaches due to human errors and/or careless actions such as: inappropriate conversations; misuse or careless handling of mail, emails, and other hard copy documents; leaving computer screens or hard copy records unattended and visible to others; and sharing passwords or not logging off a computer when not in use.

 

However, the biggest threat posed by employees is the unintentional, careless clicking on links or documents in “phishing” emails, which can allow hackers to steal the login information, giving them access to email or cloud accounts that contain patient data. These are usually innocent, unknowing acts by the employees, but they are very consequential to the organization. The links or documents in the phishing emails can expose PHI or embed malware within the computer system or network, resulting in serious network problems or system stoppages. This obviously causes significant issues and costs for the healthcare organization and financial gain for the hackers.

 

This is exactly what happened in the largest healthcare data breach in 2018. A health system email system exposed 1.4 million records when hackers sent emails to employees from a fake account that appeared to be coming from an executive within the organization. The email asked the users to disclose their email credentials. Once the employees clicked on the link or the attached document, the hackers gained access to internal email accounts and then to patients’ records. This phishing attack was not uncommon. The 2018 Verizon Data Breach report confirmed that phishing attacks are increasing, accounting for 43% of all data breaches. Other research found that over 90% of data breaches are the result of phishing emails and an average of 16 malicious email messages are sent to every email user every month.

 

That is scary!  That means we have at least 16 chances each month of clicking on a phishing email and creating a data breach or a ransomware attack causing a possible system outage of the entire computer network at our organization. How would you like to be the person responsible for causing the data breach and costing the organization millions of dollars in fines or paying a ransom to get the system up and running again?  Some employees have even been terminated due to this type of error, if it was done against normal company policies. I’m sure none of us would want to be in that situation, so we have to educate ourselves to be aware of possible phishing schemes and know how to avoid them. Let’s start by defining some key concepts.

 

Phishing is a scam aimed at getting an online user to reveal personal or confidential information for the purpose of identity theft. There are three types of attacks: 

  • Phishing – a general email that is sent as spam or as an email addressed to a large, non-specific group of users. The goal is to get users to open embedded links or attached files that, when clicked on, allow the hackers to access the user’s system. Once in the organization’s system hackers can delve deeper to obtain personal information, credentials, logins, passwords, and other data.
  • Spear phishing – a more sophisticated and elaborate targeted phishing attack that focuses on a specific company or individual and combines tactics like personalizing or impersonating users so the spear phishing email is extremely believable and compelling. The goals are to bypass or evade email filters and antivirus software and gain access to a system in order to introduce malware and other attacks. This type of approach was used in the large breach described above.
  • Whaling – a specific attack that targets specific members of an organization’s upper management team by name. The goal is to obtain confidential company information by using a webpage or email that appears to be legitimate (corporate logo, color scheme, address, brand identity). It is usually presented as an urgent matter that needs attention, such as an internal corporate issue, a new or updated policy, significant complaint, or legal issue.

 

A phishing scam typically starts with a legitimate-appearing email from a person, company, or website asking the user to update personal information, such as a password, credit card, social security number, or bank account number. The message looks authentic and comes from organizations a user may have accounts with. It also may include legitimate-looking company logos and formats that the company uses. In fact, it usually looks so authentic that recipients respond to about 20% of them. In fact, the 2015 HIMSS Cybersecurity Survey of 300 health information professionals indicated that phishing attacks were their biggest future security fear and the “#1 thing that keeps Chief Information Security Officers up at night”. The 2019 HIMSS Cybersecurity Survey of 166 health information security professionals still found phishing to be a major concern, especially for those healthcare systems that are not conducting adequate phishing tests. One reason this is so worrisome is that the threat is directed at all levels of employees in an organization and it is relatively easy to get someone to unknowingly click on a link or document. It is not something Information Systems can control with tools and countermeasures.

 

Phishing attacks often introduce ransomware into computer systems by sending emails from legitimate-looking banks or credit card companies requesting the recipient to “update” their personal information (birthdate, social security number, passwords, etc.). When the attachment or link is clicked, malware is introduced into the system, which can spread from one system to another. Ransomware can also be introduced, encrypting documents, music, pictures, and other files and making them inaccessible. The organization can be held hostage until they pay a ransom to unlock the files. If the ransom is not paid within a defined time the ransom is increased. Organizations that have routine back-ups of their system can eliminate having to pay the ransom and restore their system, but it still results in system downtime and a lot of time and effort to get the system operational again. Organizations that do not have system back-ups have to pay the ransom or risk losing all their data.

 

Systems that are using older versions of software that are not receiving automated cybersecurity updates are very susceptible to phishing attacks. We cannot get lulled into thinking that the security programs on our system or our Information Technology (IT) department will handle all these threats. While some employees are specifically targeted because of their position or because of the types of information they have access to, all individuals and companies should assume they are or could be targets of phishing attacks. All it takes is for one person to click on a link that contains the malware. And I’m sure you don’t want to be “that person” who takes down the entire system!

 

Tips for Preventing Phishing Attacks

To make sure you are not a victim of a phishing attack, let’s review some things you can do to prevent getting “hooked”.  These two articles, 8 Ways to Prevent “Phishing Scams” and 10 Tips to Prevent Phishing Attacks, provide the following useful suggestions to help guard against phishing.

  • Learn to recognize potential phishing emails, such as those that:
    • Are sent as a general email without your name included.
    • Come from senders unknown to you.
    • Ask you to confirm or update personal information.
    • Make a request for information look like it is an urgent matter.
    • Threaten you with worrisome consequences, if you do not respond.
    • Look authentic – images in email look like or are similar to a known company.
    • Threaten to terminate your account or offer free gifts or promotional items.
  • Be sure to communicate personal information only via phone or secure websites:
    • Do not give personal, financial, or login information to someone who calls or emails you requesting it. A legitimate organization will not ask for this information in this manner. Look up the number of the company or organization and call them directly or go to their secure website to provide such information.
    • For email transactions, make sure the website is secure before giving any information.
      • Look for “https” in the address bar.  The “s” means it’s secure.
      • Look for a padlock in front of the browser address and a “green address bar”, indicating the site has applied for an SSL certificate, is the legitimate owner of the website, and encrypts information to and from the site.
      • Even if the browser address has a padlock or a green address bar, you cannot be guaranteed that it is totally safe, since “phishers” are applying for certificates in names of companies with misspellings that are very similar to real websites, e.g. “phypal.com” instead of “paypal.com” or “banskfamerica.com” instead of “bankofamerica.com”. So check the website name carefully.
      • If you are still unsure about the site’s validity, double-click the padlock icon to see the security certificate. In the “Issued To” field of the pop-up window, you should see a name matching the site you think you are on. If the name differs, you are probably on an unsafe site.
    • If your browser gives you a message about an “untrusted security certificate” for a website, do not proceed to the website, as it is not trustworthy.
  • Do not download files or open attachments in emails from unknown senders. Even if emails are from known senders, be certain you know the files or attachments are trustworthy before downloading or opening them.
    • Files or attachments can contain malware that could infect your computer.  
    • Be careful of links that offer bargain, low cost products. They could lead to webpages that can gain access to your credit card information.
  • Beware of embedded links in emails that ask you to update your personal information or password, even if the email appears to come from someone you know. Phishing emails, in addition to looking legitimate by using company logos, etc., also try to look like a security-conscious organization by notifying you that your account was compromised and asking you to be proactive and re-register or change your password. They may even provide a hyperlink to make it “quick and convenient” for you. However, when you click on the link and enter your information, it will steal your data. To prevent being “caught”:
    • Hover over the hyperlink to determine the address of the hyperlink. You should be able to tell if it is the official website address or a copy-cat. Example: banskfamerica.com instead of www.bankofamerica.com.
    • Always enter the company website address yourself or look up the company phone number and call to see if they are requesting the information. Legitimate businesses usually do not request personal information by email.
    • Never enter personal information through links provided in an email. Only login and enter personal information once you are sure you are on the official site.
  • Beware of pop-ups and follow these tips:
    • Never enter personal information in a pop-up screen. Legitimate organizations do not ask you to submit information that way.
    • Do not click on links in a pop-up screen.
    • Do not copy web addresses from pop-ups into your browser.
    • Enable pop-up blockers.
  • Use anti-spyware, firewalls, spam filters, and anti-virus software.
    • Anti-spyware and firewalls prevent phishing attacks from gathering data from your computer, e.g. webpages containing personal information, like credit cards.
    • Spam filters identify files that could contain unsolicited commercial email (UCE). Spam is identified based on the content, inaccurate header information, blacklisted files, known spammers or specific senders, or specific wording in the subject line or body of the email.
    • Antivirus software scans every file which comes through the Internet to your computer to prevent viruses from deleting files or directory information.
    • Update the programs regularly to assure they are able to block new viruses and spyware.
  • Consider setting up a free virtual private network (VPN) instead of using free, open, unsecured Wi-Fi networks that can be easily compromised. A Consumer Trust Survey found that 43% of the respondents use free, untrustworthy Wi-Fi networks.
  • Password protect all your devices. 61% of the survey’s respondents indicated their tablets were not password protected. Many smartphones are also vulnerable, because they do not have strong, up-to-date anti-virus and malware protection and the operating systems are not routinely updated. Unfortunately many phones are not password protected either, because users say it takes too long to access the content. The use of thumbprints and facial recognition have helped to gain quicker access and make phones safer, but it is essential to have all devices password protected. Isn’t it better to take a little longer to log in than to allow devices to be unprotected and the target of phishing schemes?

  • Be sure to use unique, strong passwords for all your websites. One-third of the respondents said they only use one or two passwords for all their websites. This is dangerous!
    • See hints for developing strong passwords in this previous newsletter article, Cybersecurity for Case Managers: Responsibilities of Individual CMs

  • Be sure your operating system and browser are updated to the latest version that addresses the most current online risks.
  • Whenever possible, do not allow websites to keep your payment information on file.
  • Do not share too much information on social media, such as birthdays, anniversaries, children’s names, what you like, what you are doing at work, when you are going on vacation, etc.  All of this can be used to create very targeted and believable phishing attacks.
  • Do not connect and share information with people you don’t know.
  • Do not use your own personal email while at work or while on your organization’s network. Your Internet Service Provider and computer system may not be as well protected as that of your organization and could be more easily compromised.
  • Do not click on ads, as they often contain malware or direct you to a phishing website. If you want to learn more about a product, directly enter the website or product name in the browser address.
  • Go to Anti-Phishing Working Group for a list of current phishing attacks, helpful resources, and the latest news in the fight to prevent phishing.
  • If you think you have been the victim of a phishing attack, be sure to report it right away to your organization, so it can be dealt with as soon as possible.

 

The weakest link in any security system is the human element and that’s particularly true when it comes to phishing attacks. Employees are the biggest threat, since they are the ones who initiate the action that allows the phishing attack to occur.  In addition, hackers have become more creative in manipulating and influencing people, which allows them to gain access to computer systems and obtain sensitive information.

 

Staff Education, Testing, and Monitoring

The most important aspect in preventing phishing attacks is education. Management staff is responsible for making sure all staff members are routinely provided with phishing training and continuously tested and monitored to assure they can recognize the threats and know how to avoid them. Phishing training sessions are recommended at least every quarter to condition employees to look for and report phishing emails. This type of training and monitoring can reduce the percentage of successful phishing attacks. Some companies also include monthly “phishing tests” in which test emails are sent to all employees to see if they are able to identify and handle them appropriately. Those who get “caught” are reminded and given additional education. Companies that encourage employees to report potential phishing threats rather than reprimand them for failing phishing tests tend to have greater success in curtailing threats.

 

The following are resources that include free phishing and cybersecurity quizzes, tests, tools, resources, and staff training programs that can be used by individual case managers to test their knowledge and awareness and by the management and IT staff to assess the organization’s level of potential threats, develop training and testing programs, and track program results. I hope you will find these useful.

Phishing Quizzes, Tests, and Tools

  • Phishing Field Guide from Barkly. Good information for managers about how to recognize, avoid, and stop phishing attacks. The Appendix includes: free phishing tests, anti-spam and email filtering tools, examples of real-life phishing emails to use to test yourself or your employees.
  • Top 9 (Free) Phishing Simulators from Infosec. Phishing Training Programs designed to provide educational awareness, resources, and tools that allow you to create and run your own phishing program.
  • Find Out What Percentage of Employees are “Phish-prone” from KnowBe4. Access to a free phishing security test for up to 100 employees.
  • The Phishing Quiz tests your phishing knowledge to determine how skilled you are at detecting malicious phishing attempts.
  • Phishing Your Employees 101 is a simple, open source toolkit and education program designed to help organizations quickly and easily set up phishing websites and lures that can be used to test their employees’ phishing awareness.
  • GoPhish. A free, open source, user-interface tool for IT departments to use to develop their own phishing training, testing, and results tracking.
  • State of Phishing Defense 2018 Report from Cofense outlines the top 10 phishing threats, with metrics on susceptibility and resiliency rates; shows why users respond to certain phishes and can be used to develop awareness training and phishing simulations.
  • The Open DNS Phishing Quiz tests employees to see if they can delineate between legitimate and phishing websites.  

Cybersecurity Quizzes, Tests, and Tools

There’s no question that phishing poses a significant danger to healthcare organizations, as it is the preferred method for hackers to gain access to systems in order to capture PHI and/or deploy ransomware for their financial gain. In addition, any system user can fall victim to a phishing attack and introduce malware into the system, which is a daunting challenge for the IT department, who have little control over how email and the internet are used by all employees.

As case managers, we must realize that cybersecurity is not just an IT function. Sure, the IT team does everything it can at a corporate level to develop a secure infrastructure and implement security safeguards. While IT may be responsible for managing the overall cybersecurity of an organization, adopting security best practices, and deploying appropriate technology to lessen the chances that a phishing attack will succeed, each of us has an individual responsibility to be aware of what our roles are in assuring safe security practices. We need to be aware of our vulnerabilities and what we must do to assure the integrity of our computer systems. We need to be “stewards of security”, empowered and accountable to create a culture that raises awareness and reduces security incidents.

 

Remember, anyone can be targeted almost anywhere online, so you need to keep an eye out for “phishy” schemes. I’m sure you don’t want to be the one responsible for allowing malware, a virus, or spyware to gain access to your organization’s computer system, or worse yet, the one responsible for a devastating and costly data breach resulting from a phishing attack that targeted you.

Watch out for the “phish”!

NOTE: For more information about what each of us can do, refer to this previous newsletter article “Cybersecurity for Case Managers: Responsibilities of Individual CMs”.


TCS Healthcare Technologies Releases ACUITYnxt 1.5

The latest SaaS-based case management software releases a new module to support time-tracking, billing and invoicing

AUBURN, Calif., July 3, 2019 — TCS Healthcare Technologies is excited to release ACUITYnxt 1.5, the latest version of the most intuitive case management software in the industry. ACUITYnxt is a secure cloud-based case management software application that fully supports the case management process.

“Many of today’s case managers are contractors and business owners themselves so time-tracking, capturing billable items, and invoicing are critical features for them,” said Deborah Keller, RN, BSN, Chief Executive Officer for TCS.

Keller notes, “ACUITYnxt now fully supports these needs.  Our work logs are designed to support simple time-tracking workflows as well as workflows requiring granular billing documentation for time, units of service, specific medical codes, and user-defined items such as mileage as well.  While work logs can be created manually, ACUITYnxt can automatically prompt users with a new work log after saving changes to specific modules or record types.”

In addition to the new time tracking features, ACUITYnxt 1.5 includes several new reports to support invoicing and care plan coordination.

“We have also enhanced a feature unique to ACUITYnxt, drag and drop Screen Templates.   Screen Templates allows for customized layouts for key modules without expensive software coding.  This feature has been expanded to the Work Log module,” adds Keller.  “TCS Healthcare continues to push out new ACUITYnxt functionality in alignment with a very robust road map.  Our entire team is excited about our next release this fall which will include population health stratification and workflow automation.  Authorization management including grievances and appeals management is very soon to follow.”

To request an ACUITYnxt demo, email us at info@tcshealthcare.com.

About TCS Healthcare Technologies:

TCS Healthcare Technologies (TCS) is a leading provider of software and clinical solutions that support and improve medical management operations for health plans, TPAs, ACOs and other case management organizations.  TCS’ team of US-based clinicians and developers are recognized for their best-in-class managed care expertise and customer support throughout the industry.


Healthcare Data Breaches and Their Frequency, Impact, and Cost

Pat Stricker, RN, MEd

Senior Vice President

History and Statistics of Data Breaches

There has been a lot of news lately about data breaches in political organizations, national security agencies, businesses, financial institutions, social networks, and healthcare companies. With each breach confidential data (personal, financial, medical, intellectual property, or trade secrets) is stolen, viewed, or used by unauthorized individuals. While this had been a problem when records were paper-based, the number of records stolen or exposed was smaller. Once the data became digitalized in the late 1980s and early 1990s it became a much bigger issue, since large numbers of records could be compromised more easily.

 

In 2012, the Computer Sciences Corporation predicted that by 2020 data production would be 44 times what it was in 2009 (a 4,300% increase). They also predicted that one-third of all data would live in or be passed through the cloud. Well, it’s only 2019 and we may have already exceeded that prediction with the amount of data that is generated each day. 90% of the data was generated between 2013 and 2015 alone. That means that the other 10% was generated since the beginning of time. That is unbelievable! How is that possible? How will we ever be able to handle this exponential increase in the volume of data in the coming years?

 

By the early 2000s data management and privacy had become a big enough issue that laws and regulations were enacted to create guidelines for the handling, storage, and protection of sensitive data. Examples of these include HIPAA for healthcare and PCI for payment card financial data. Most databases that track breaches cover the years from 2005 onward, since that was the time data started to grow exponentially, allowing hackers more opportunity to steal massive amounts of data in a single breach. In 2005 alone, 136 data breaches compromised 55,101,241 records according to the Privacy Rights Clearinghouse (PRC), a non-profit organization committed to protecting privacy for all by educating and empowering individuals and advocating for positive change.

 

PRC provides a database that tracks data breaches reported in the United States by government agencies or verifiable media sources. This searchable database is available for everyone to use for research purposes and is sortable by type of breach and/or organization and by year. The data can also be downloaded as a CSV file. PRC’s data shows that there have been 8,804 reported breaches in the U.S. since 2005, exposing over 11 billion (11,575,804,706) records. Reporting to the Clearinghouse is voluntary, so it does not capture all breaches. It is therefore not a comprehensive compilation of breach data, and the actual number of breaches and total records affected is higher.

 

Statista, another company that reports data breaches, reports that the number of cyber-attacks continues to rise. In 2005 they found that 157 breaches exposed 66.9 million records, while in 2014 the numbers had risen to 783 breaches exposing at least 85.6 million records, a nearly 500% increase in the number of breaches in just 9 years. And in 2017, three years later, the number of breaches nearly doubled to 1,579. From 2013 to 2015, 90% of healthcare organizations had at least one data breach.

 

The statistics vary by company depending on the type of data it collects, but the consistent element is that even though there has been an immense amount of time and effort spent on trying to protect the data, the number and size of breaches continues to rise, as shown in this graph:

[Graph: Annual number of data breaches and exposed records in the United States from 2005 to 2018 (in millions)]

The Statista numbers above are only for the United States. The Gemalto Breach Level Index reports worldwide data showing there have been more than 14 billion records (14,717,618,286) lost or stolen since 2013, when the digital security company started collecting data. That means:

[Graphic: Records are Lost or Stolen at the Following Frequency]

The Breach Level Index website also has other valuable statistics such as industry breach details, a map view of where the breaches occur, a breach risk calculator, and other privacy information. Those are staggering numbers, and unfortunately only 4% of the breaches were “secure”, meaning the data was encrypted and therefore useless. The other 96% contained data that was not encrypted, so the data was able to be viewed and used by the hackers.

A recent 2018 Ponemon Report found that data breaches in the U.S. cost an organization an average of $7.91 Million, which is an average of $148/record. The costs include investigation, notification, and remediation. There is also a cost due to the loss of reputation if the data breach is large or could/should have been avoided.

 

The annual Verizon Data Breach Investigations Report (DBIR) is a respected, detailed, statistical report that includes data from 86 countries and input from 73 data sources. Working closely with the Secret Service’s Cyber Division the team analyzes the available data to determine the threat landscape, identify the ever-changing threats, and recommend actionable techniques, tools, procedures, strategies, and best practices to prevent breaches and mitigate risks. The entire 2019 Data Breach Investigations Report and Executive Summary contain a great deal of detailed information for those who need it.

No company or organization is immune to a data breach. All companies possessing sensitive data are under a constant threat. The most likely targets for breaches are government, financial, and healthcare industries. Although the rankings change from time to time, the accommodation and retail industries round out the top five most threatened industries, according to the DBIR, and the social media industry has become more threatened in the last few years. For purposes of this article, we are only going to discuss the healthcare industry in detail.

 

Data Breaches in Healthcare

Breaches within medical organizations accounted for about 26% of all breaches in 2016, and almost one in four Americans have had their medical information compromised. Financial gain is the main motivator for hackers because healthcare records are highly valued for their personal, financial, and medical data. This type of information is worth roughly 50 times more than credit card or Social Security data, since it can be used for Medicare fraud – the most profitable type of identity theft. In fact, the co-author of the 2014 Data Breach Investigation Report stated that some employees found jobs in healthcare for the sole purpose of stealing patient information to commit identity theft or tax fraud. Not only can this be used by the hackers, but the records can be easily sold to others because of this valuable data.

 

Breaches also have a significant impact on patients, making them mistrust the system and withhold information: 61% resulted in exposure of personal information and embarrassment; 56% resulted in financial identity theft; and 45% resulted in medical identity theft.

 

Healthcare employees are responsible seven times more often than employees of other industries for breaches caused by human errors (33.5%) and/or careless actions such as:

  • Inappropriate conversations
  • Misuse or carelessness in handling emails, mail, and other hard copy documents
  • Leaving computer screens or hard copy records unattended and visible to others
  • Sharing passwords with others or not logging off a computer when not in use

 

One of the biggest threats posed by employees is the intentioned, careless clicking on links or documents in “phishing” emails, which can allow hackers to steal the login information to access email or cloud accounts to get patient data. The links or documents can also plant malware within the computer system or network which can lead to more serious network problems or system stoppages. These are usually innocent acts, but very consequential to the organization. Employees have been terminated due to this type of error, if it was done against normal company policies. We will discuss “Phishing” and how to be aware of the dangers in more detail next month.

 

Insider threats are also a bigger issue for healthcare organizations than for other industries. 56% of healthcare threats come from inside the organization and are caused by the ability to gain access to records that are not necessary for business use or patient care or by credential theft. However, there are user-based risk mitigation tools available that will detect if an employee connects to an unauthorized device or uses suspicious software and immediately notify the security officer. After the incident, it allows the employee’s actions to be analyzed and records can be exported to a protected file for further investigation.

 

A Data Breach Investigations Report analyzed more than 1,300 data breaches involving 20 industries and found that the Top 3 Security Threats to the Healthcare Industry were:

  • Insider misuse by employees or trusted third parties who intentionally or unintentionally stole data or damaged a system. Employers consider employee negligence their biggest security risk. Based on the 2018 Ponemon Benchmark Study on the “Cost of Insider Threats”, incidents involving a negligent employee cost the company an average of $283,281, while the cost is usually double that if it involves a thief who steals credentials. However, the company also shares the responsibility because they should be auditing to identify who is inappropriately accessing patient data.
  • Unintentional actions that directly compromised patient information were found to be the cause of 12% of the security incidents. Examples included: inserting one patient’s information into another patient’s record or envelope; provider websites that allow patients’ information to be available to the public; and decommissioning computers or medical devices without properly removing patient information (“rendering PHI unusable, unreadable, or indecipherable”).
  • Healthcare was the only industry that had theft and loss as a major cause of security incidents. Theft and loss of laptops and other equipment accounted for 46% of the security incidents. The high percentage was attributed to the fact that encryption was not being done. If lost or stolen devices had been encrypted, they would not have had to report the incident as a breach, because the data would have been considered “secure”.

 

The most drastic breach of healthcare data was the Anthem medical data breach in 2015 that affected 78.8 million people – more than the whole population of Germany. Not only was the number of affected records extremely high, but the data exposed contained very detailed, sensitive personal information: names, contact information, social security numbers, email addresses, home addresses, and income information. As a result, Anthem was fined a total of $115 million.

 

The HIPAA Journal reported that between 2009 and 2018 there were 2,546 healthcare data breaches that involved more than 500 records, resulting in the exposure of 189 Million (189,945,874) records. That is equal to about 59% of the U.S. population.

 

Data Breach Defense and Prevention Resources

So what can we do to prevent a data breach or to mitigate our risk? Data breach defense and prevention resources have increased drastically over the past few years because of the ever-increasing number of security threats. These solutions offer a proactive approach to security to help ensure the safety of sensitive information. The following resources are offered to allow a more detailed review of breach prevention.

  • Data Breach Today — a multimedia news resource on the latest data breaches, their impact, and strategies for prevention
  • Data Breach Watch – a resource reporting data breaches, news, and trends impacting consumers and companies
  • The Global Privacy & Security Compliance Law Blog – a resource that explains stringent and ever-changing security regulations and compliance requirements
  • The New York Times article – discusses strategies for minimizing the risk of a data breach. One suggestion is to eliminate unnecessary storage of data. Keeping lots of sensitive information may be more risky for the customer and company than not keeping the data. Target’s storage of their customers’ four-digit personal identification numbers or PINs for the debit cards is a good example of data that was not necessary.
  • Data Breach Industry Forecast for 2018 – The 5th annual Experian report that provides an overview of data breach trends and the need for a data breach response plan.
  • Resources from Digital Guardian — cover data breach topics and provide insight into preventing and responding to breaches.

While the Information Technology team may be responsible for managing the overall cybersecurity of an organization, each of us has an individual responsibility to be aware of cybersecurity, how it impacts healthcare and the privacy of our patients, and what procedures we need to follow to assure safe security practices. While nurses may not have an in-depth understanding of the intricacies of cybersecurity, it is important for us to understand the evolving role of cybersecurity in healthcare today and how that affects our role. Threats are becoming more sophisticated while organizations struggle to prioritize and implement more effective security requirements. Unfortunately, the threats usually evolve more quickly than the security measures, so organizations are striving to assure that their measures are dynamic, up-to-date, and include commonly accepted practices.

 

Over the last 20 years, as computer systems and the internet have become an ever-increasing integrated part of healthcare, the need for protecting patient information has become much more complex. It used to be rather easy, since records and reports were in hard copies and contained in the patient’s chart, which was in a protected area in the physician’s office, hospital, or healthcare facility, and only accessible by a limited number of people. Things are very different now. The number of people who have access to patient information is much larger. The information can be sent to multiple people by email, fax, or text and it can be accessed by multiple people from computers, laptops, mobile devices, and smartphones. It can also be stored in numerous places, such as laptops, mobile devices, network drives, CDs, DVDs, thumb drives, and smartphones. While we do have security procedures to try to limit access to only those who have a need to know, ensuring the privacy of patient information is a huge challenge.

 

Given these widespread incidents of cyberattacks, the cost of breaches, the business disruption, and the effect on patients, what can we do to stop them? While there is no way to totally stop cyberattacks, the risk of cyberattacks can be significantly reduced if organizations: are diligent about continually reassessing their HIPAA compliant infrastructure; implement HIPAA compliant guidelines and best practices; and continually educate (and monitor) employees regarding their role in cybersecurity.

 

Healthcare organizations have a challenging uphill battle to modernize systems and reduce risks, but it can be done. We have had almost 15 years of data breach research, which has increased our knowledge of the causes, how to identify potential problems, and what needs to be done to reduce or avert risks. Organizations need to assure that IT teams are provided with dedicated staff that has the resources, time, and money to develop, maintain, monitor, and enforce stringent cybersecurity policies and practices. Employee education is also a critical aspect of reducing risk. Continuous education of all system users needs to be done, so they are aware of their responsibilities in maintaining cybersecurity.

Now that we have looked at the causes and impact of cybersecurity, next month’s article will focus on specific, practical things we, as nurses, can do to help improve cybersecurity and assure we are not the individual responsible for a devastating and costly data breach.


The Universal Challenge in Keeping Clinical Member Data Accurate

Denise Fournier

Application Support Specialist

How often have you heard of data mix-ups between two similarly named members in a software system, or when finding a member in your system, the record is out of date?

Long ago, I remember hearing talk of making sure my dad, Cyril, and his sister, Catherine, didn’t both have accounts at the same store when they were younger and living in the same town, or their purchases would end up getting charged to each other’s account. This would have been the late 40’s to early 50’s, long before the advent of electronic record keeping. Now that everything is computerized and digitized, of course this can’t happen anymore, right?

But, as we all know, data mix-ups do still happen.  And somehow, now they seem even harder to detect and correct.

Currently, my work at TCS Healthcare is to help clients keep their member records accurate and up to date via electronic data loads.  This is still a universal challenge regardless of using a sophisticated software solution, a home grown software solution, or even when keeping track of records via Excel!

So, where do these “challenges” come from? One of the most common problems we run across involves changes to what we refer to as “matching info”. If you’re lucky, you have a single unique identifier that can be used to match up incoming records to previously created ones. In years past that may have been a social security number. But even that had issues – not everybody had one, duplicates did creep into the system, numbers got transposed – and so on.

Currently, the use of social security numbers as unique identifiers is slowly disappearing. So, if there is no other “unique identifier”, you have to rely on information such as name, birth date, gender, etc., all of which can be changed at any time for a variety of reasons. Especially difficult is the common task of recording newborn babies due to changes with the baby’s first name.

Of course, in managed care, there is usually some sort of member ID, which works just fine for most situations. But the same issues can occur that we see with social security numbers – duplicates, transposed numbers, family members with the same base number, etc.

Members with dual coverage, often under different payers, pose yet another dilemma. Detecting dual coverage members adds even more complexity to keeping data records accurate since there is no uniform identifier between different payers. Compounding the problem, data collection practices can vary significantly from payer to payer.

So, what can be done to keep your data as accurate as possible?

The obvious solution is a uniform identifier assigned to each person that NEVER changes regardless of which or how many payers cover that person. On paper, this is a nice idea, but it is probably not realistic.

In truth, there is no “best solution”. However, the following are some practices you can incorporate into your routine which can help to identify potential issues.

Incorporate safeguards into your process to detect and “exception out” bad data before it ends up in your system. For example, finding a member name that was “John Smith” yesterday compared to “Sandra Jones” today, might indicate a transposed member ID at some point in your process.

Monitor your exceptions and make corrections not just to your target but to your source as well. This means if you fix an error on a target system but never circle back and correct the source, that same error can and probably will recur the next time that record comes back through your data feed.

Don’t rely solely on error processing to catch everything. Make sure you also incorporate safeguards during processing to avoid inserting or updating bad data. For example, if a specific value needs to be unique, make sure that an insert is only attempting to add just one record with that value, and that value doesn’t already exist. The more complex things get, the more likely you are to run into unexpected scenarios, and the unexpected can cause a variety of issues like unintended duplicates.

Set up reasonable and strong matching rules to detect your dual covered members. Trying to find dual coverages by using JUST first and last name is NOT a good plan. Include more data items such as birth date, gender, social security number (if you can collect it), address, etc., which can help to detect more dual coverages. There will always be some records that simply don’t line up, so you’ll also want to have a process in place that allows you to mark your dual coverage records whenever they are discovered outside your normal process.
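The safeguards described above, sketched in Python as an added example (this is not TCS code and not part of the original article). The record layout, the payer names, the one-field change threshold and the dual-coverage rule are all assumptions chosen for illustration, and the sample records are constructed.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Member:  # hypothetical record layout, not an Acuity schema
    payer: str
    member_id: str
    first: str
    last: str
    dob: date
    gender: str
    zip_code: str

    @property
    def key(self):
        return (self.payer, self.member_id)


def norm(text):
    """Comparison form that ignores case, spacing and punctuation."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def changed_identity_fields(old, new):
    """Names of the identity fields that differ between two records."""
    same = {"first": norm(old.first) == norm(new.first),
            "last": norm(old.last) == norm(new.last),
            "dob": old.dob == new.dob, "gender": old.gender == new.gender}
    return [name for name, ok in same.items() if not ok]


def load_feed(store, feed, max_changes=1):
    """Apply feed to store; return (record, reason) exceptions, never written.

    max_changes=1 is an assumed threshold: a newborn's first name may
    change, but a whole-identity swap on one member ID is stopped.
    """
    exceptions = []
    key_counts = Counter(rec.key for rec in feed)
    for rec in feed:
        if key_counts[rec.key] > 1:  # the key must be unique within the feed
            exceptions.append((rec, "duplicate key in feed"))
            continue
        old = store.get(rec.key)
        if old is not None:
            diffs = changed_identity_fields(old, rec)
            if len(diffs) > max_changes:
                exceptions.append((rec, "identity changed: " + ",".join(diffs)))
                continue
        store[rec.key] = rec  # new insert, or an update that passed the check
    return exceptions


def dual_coverage_pairs(store):
    """Key pairs under different payers that look like the same person.

    Assumed rule: last name, birth date and gender must all agree, plus
    either first name or ZIP code. Name alone never matches.
    """
    members = sorted(store.values(), key=lambda m: m.key)
    pairs = []
    for i, a in enumerate(members):
        for b in members[i + 1:]:
            if a.payer == b.payer:
                continue
            core = (norm(a.last) == norm(b.last)
                    and a.dob == b.dob and a.gender == b.gender)
            extra = norm(a.first) == norm(b.first) or a.zip_code == b.zip_code
            if core and extra:
                pairs.append((a.key, b.key))
    return pairs


def run_demo():
    """Constructed sample data; returns (store, exceptions, pairs)."""
    M = Member
    store = {m.key: m for m in [
        M("PAYER_A", "1001", "John", "Smith", date(1970, 3, 2), "M", "95603"),
        M("PAYER_A", "1002", "Baby Girl", "Lee", date(2019, 6, 1), "F", "95603"),
        M("PAYER_B", "B-77", "JOHN", "Smith", date(1970, 3, 2), "M", "95604"),
        M("PAYER_B", "B-78", "John", "Smith", date(1985, 9, 9), "M", "95603"),
    ]}
    feed = [
        M("PAYER_A", "1001", "Sandra", "Jones", date(1982, 11, 20), "F", "95603"),
        M("PAYER_A", "1002", "Emma", "Lee", date(2019, 6, 1), "F", "95603"),
        M("PAYER_A", "1003", "Ana", "Cruz", date(1990, 1, 5), "F", "95602"),
        M("PAYER_A", "1003", "Luis", "Cruz", date(1988, 4, 7), "M", "95602"),
        M("PAYER_A", "1004", "Maria", "Garcia", date(1964, 7, 30), "F", "95602"),
    ]
    exceptions = load_feed(store, feed)
    return store, exceptions, dual_coverage_pairs(store)


if __name__ == "__main__":
    for rec, reason in run_demo()[1]:
        print("EXCEPTION", rec.key, reason)
```

The exception list is what gets worked back to the source system, so the same bad row does not return in the next feed.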

Overall, data maintenance is definitely a challenging business! And for those who have accepted that challenge, keeping that “bad” data at a minimum is an on-going process. However, adding in safeguards and consistent monitoring can help significantly in the “fight” for good member data.


TCS Healthcare Technologies Releases ACUITYnxt 1.4

The newest SaaS-based case management software now offers Assessments that auto-trigger Care Plans to support the case management process.

Auburn, CA – April 8, 2019 — TCS Healthcare Technologies is excited to release ACUITYnxt 1.4, the latest version of the most intuitive case management software in the industry.  ACUITYnxt, a cloud-based case management software application, now offers several features to further enhance the ability for ACUITYnxt to support the case management process.

“Every nurse case manager knows that assessments are central to the case management process, which is why we are excited to add assessments which auto-trigger care plans in ACUITYnxt,” said Deborah Keller, RN, BSN, Chief Executive Officer for TCS.  “Our assessments in ACUITYnxt are unique in that case managers can create and customize their own assessments in an intuitive panel, including the triggering of specific care plans based on assessment responses.”

Keller adds, “A new Member Plan module displays every care plan a member is enrolled in, offering the user a 360-degree view of the full plan of care.  Organizations can elect to use the classic Problems-Goals-Interventions-Outcomes format or any combination of those elements.”

In addition to assessments and auto-triggered care plans, the latest release of ACUITYnxt also includes Drag-n-Drop Screen Design and Custom Fields.  As features have expanded, the ACUITYnxt database has been tuned for optimal performance resulting in a 600% improvement in processing speed.  Also, all CPT and HCPCS medical codes have been updated to reflect the latest 2019 releases from the AMA and CMS.

“Feedback from our ACUITYnxt early adopters has been overwhelmingly positive.   All have remarked that ACUITYnxt is intuitive and easy to use, allowing them to be efficient and effective as they manage their case load,” notes Keller.  “This confirms our roadmap for ACUITYnxt.  Our next release in July 2019 will include a new data integration engine and updated reporting for billing and time tracking.”

To request an ACUITYnxt demo, email us at info@tcshealthcare.com.

 

About TCS Healthcare Technologies (www.tcshealthcare.com)

TCS Healthcare Technologies (TCS) is a leading provider of software and clinical solutions that support and improve medical management operations for health plans, TPAs, ACOs and other case management organizations.  TCS’ team of US-based clinicians and developers are recognized for their best-in-class managed care expertise and customer support throughout the industry.

 

To learn more about ACUITYnxt and TCS Healthcare Technologies, visit www.tcshealthcare.com.


TCS Healthcare Technologies Names Deborah Keller new Chief Executive Officer

Experienced nurse leader to take helm of care management software company

AUBURN, Calif., April 1, 2019 /PRNewswire/ — TCS Healthcare Technologies (TCS), a leading provider of software solutions for health plans, TPAs, ACOs and case managers, is pleased to announce that Deborah Keller, RN has been appointed Chief Executive Officer (CEO).  She assumes the strategic leadership as Rob Pock, Founder, steps down as CEO.

According to Pock, “Debb is the perfect choice to take over the helm of TCS.  I have worked closely with her over the past seven years and have observed her servant attitude with respect to our clients and our employees.  As an RN Case Manager with extensive experience in the “trenches,” she brings to TCS the heart, soul and character of those we strive to serve.  As CEO she has the leadership skills and the industry vision that will bring great products and services to the managed care industry.  Debb’s appointment sets TCS apart as the only care management software company that is led by a clinician and former user of the Acuity suite of software.”

As TCS transitions leadership, TCS will continue its development plans for ACUITY Advanced Care and ACUITYnxt.  Keller says, “TCS has an aggressive five-year roadmap for both products.  Our clinicians will continue to work side-by-side with our developers to bring to market solutions that include the functions, features, and integrations necessary to fully support population health programs.”

Regarding her new position, she notes, “I want to take my experience as a client, a clinician and now as CEO to help ensure our product roadmap remains focused and true to our client base and the needs of the industry, both today and into the future.”

“I am humbled and excited to lead TCS Healthcare as we continue to build software products that managed care end users, especially case managers, actually enjoy using.”

To learn more about TCS and its suite of care management software products and services, visit www.tcshealthcare.com.

About TCS Healthcare Technologies (www.tcshealthcare.com)

TCS Healthcare Technologies (TCS) is a leading provider of software and clinical solutions that support and improve medical management operations for health plans, ACOs, TPAs, and risk-bearing provider groups. TCS’ team of US-based clinicians and developers are recognized for their best-in-class managed care expertise and customer support throughout the industry.


A Recipe for Healthcare Success: Workflow Automation, Business Rules, and Artificial Intelligence

Pat Stricker, RN, MEd

Senior Vice President

Technology today makes the healthcare industry entirely different than it was when I started my nursing career. There were no computers to track and monitor the numerous processes in the hospital; no cell phones; no automatic devices for IV drips, respiratory machines, or telemetry; no automatic thermometers or BP devices; no electronic medical records; and no electronic pharmacy ordering/delivery system. Everything was done manually. Surgery schedules, staff schedules, admitting logs, and all other informational documents were typed or handwritten anew each day. Consequently, it took a long time to get anything accomplished, yet we were able to provide excellent care considering what we had to work with.

Compare that to today, when we are used to having everything electronic and at our fingertips.  Processes in the hospital are electronic and automated — computerized records, all types of electronic monitoring devices, order entry for all ancillary services, remote monitoring, computer programs for all aspects of patient care, cell phones for instant communication with others and access to internet information, and computerized logs, reports, and any other type of data that is available instantly in real-time. Consequently, things get accomplished very quickly today and most of these things are even done automatically without us having to intervene.

The banking and retail industries have surpassed the healthcare industry in automating processes —  teller machines (ATMs), automated banking on our computers and cell phones, self-checkout at the grocery store, cellphone-controlled thermostats and home alarm systems, self-driving vehicles, and a variety of other automated processes. The healthcare industry, on the other hand, lags behind these industries, because it is capital and hardware intensive and constrained by numerous safety regulations. This makes automating processes more difficult and leads to slower progress. However, healthcare reforms and increased competition have created the need to focus on increasing efficiency and reducing costs. These are the two main financial priorities cited by three out of four hospital and health system CEOs. In order to accomplish these goals, automating manual tasks and processes has become a key strategy to improve performance and create more time for the staff to devote to higher level cognitive functions that require human intervention.

 

Workplace Automation and Workflows

Let’s start by defining some of the terms used in the automation process:

  • Automation: 1) The technique of making an apparatus, process, or system operate automatically by using mechanical or electronic devices that take the place of human labor; 2) a technology, method or system of operating or controlling a process by highly automatic means, as by electronic devices; 3) decreasing human intervention to a minimum; 4) a mechanical device that functions automatically without continuous input from an operator.
  • Workflow: A defined process involving a series of tasks that must be done by a specific individual(s) in a specific sequence in order to obtain pre-defined results.

Workplace automation in the past was typically associated with manufacturing. One of the first introductions of workplace automation was done on the assembly line at the Ford Motor Company in 1913 to improve the work process and reduce costs. With this innovation Ford achieved a dramatic reduction in the time to produce a car from 12 hours to 1.5 hours! In addition, the number of cars produced was increased with the same number of workers and the workers were happy because they no longer had to perform repetitive, boring tasks. So it was a win for the company and the workers.

Other workplace automation involved the use of robots that took the place of humans. This created a negative perception of workplace automation. This was a concern when automation and robotics were first introduced in the pharmacy. Some feared robots would replace the pharmacists; however, they found automation allowed them to eliminate counting medications, a task that required little cognitive value, and let them focus on more clinically relevant work that was more productive and rewarding.

Today’s workplace automation is not focused on replacing humans, but rather empowering humans by complementing or augmenting their abilities, in order to allow them to reduce repetitive tasks with little cognitive value and spend more time on meaningful, relevant, higher level, decision-making functions.

Automation will be even more essential as more of the baby-boomer nurses retire. A study in 2009 found that 260,000 registered nurses are projected to retire by 2025 – 6 years from now. That will be twice as large as any nursing shortage experienced in this country since the mid-1960s. This shortage of RNs will make it imperative that we achieve optimum work efficiency by eliminating redundant, repetitive work and manual tasks.

Another reason to work toward optimizing automated workflows is to be able to manage population health management (PHM) programs. There are not enough providers to manage these large patient populations, so this makes automation a “must have” rather than a “nice to have”. A report by the Institute for Health Technology Transformation says, “Automation makes population health management feasible, scalable and sustainable.”

Automation has also been shown to reduce repetitive tasks and increase more meaningful tasks. A time-in-motion study was conducted by a Florida hospital to measure nurse work behavior before and a year after the implementation of an electronic health records (EHR) system with clinical documentation. The administration wanted to determine if the move toward automation actually increased the time at the bedside, decreased the time spent on documentation, and decreased time spent on administrative tasks. Results showed a significant increase in the time nurses spent on both direct care and in EHR documentation. However, they found that the increased time spent in both of those areas came from a 12% decrease in the time spent on administrative tasks after implementing the automated documentation system. This validated the value of automating tasks. Nurses were able to spend more time on direct care and thoughtful documentation, rather than repetitive administrative tasks.

Automation can be a set of tools within a business software program that performs repetitive, easy-to-replicate tasks without the need for human interaction. Anything that adds value that is done more than once should be considered for automation. In a hospital setting that may be a routine procedure that is done frequently on a large population, such as joint replacements.  Once these repetitive, routine tasks are automated, it becomes easier to adapt the concepts to higher-level tasks.

 

Business Rules, Business Engines, and Workflow Engines

In order to automate tasks, business rules need to be defined. A business rule is: 1) a policy or procedure that guides conduct or action; 2) a definition or constraint of some aspect of business which always resolves to either true or false; 3) a description of operations and constraints that apply to an organization; 4) a process that provides business structure or controls/influences the behavior of a business; 5) a criterion for decision-making.

Business rules set expectations and provide guidelines for daily business activities. They also help organizations stay in compliance with local, state, and federal regulations.

Business rules contain an IF/THEN statement – IF a certain condition exists, THEN a certain action should take place. Examples include: 1) IF a new case is created, THEN send a Welcome Letter; or 2) IF a certain quality issue or risk is identified, THEN send an alert to a certain person or department.

A Business Rules Engine is a software system that executes one or more business rules (from regulations, company policies, or other sources). The system allows non-programmers to add and change business logic without the intervention of the vendor or IT department. This is a key component, since the department or organization needs to be able to customize the rules to meet their unique workflow needs. The rules can also be applied to data for analysis resulting in process improvement and improved outcomes.

A Workflow Engine is a key software component that manages and monitors business processes and workflow activities (processing, approving, and determining new activities to transition to, based on defined workflows). It facilitates the flow of information, tasks, and events, allocating tasks to different users while communicating data to other participants. It can execute a number of arbitrary steps and sequences. Examples include: assigning a new case to a clerical group or user based on the type of program the patient was enrolled in vs. assigning a new case with the same type of enrollment to a clinical group or user based on a risk factor that was identified for the patient.

Workflow engines typically have three main functions:

  • Verifying to see if a process is valid depending on the current status.
  • Determining if the user is permitted/has the authority to execute the task.
  • Executing a task, after verifying the above two conditions are met. If not met, an error report is created and the task (change) is rolled back.
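The three functions listed above, sketched as a small Python workflow engine that applies them in order to the case-assignment example. This is an added example, not code from TCS or from any product the article describes; the task names, roles, statuses and `Case` fields are constructed for illustration.

```python
import copy
from dataclasses import dataclass, field

# Constructed workflow definition: task -> (required status, resulting status).
TRANSITIONS = {
    "assign_case": ("new", "assigned"),
    "send_welcome_letter": ("assigned", "welcomed"),
    "close_case": ("welcomed", "closed"),
}
# Constructed authority table: task -> roles permitted to execute it.
PERMISSIONS = {
    "assign_case": {"clerical", "clinical"},
    "send_welcome_letter": {"clerical"},
    "close_case": {"clinical"},
}

@dataclass
class Case:
    case_id: str
    status: str = "new"
    risk_flag: bool = False
    assigned_group: str = ""
    letters: list = field(default_factory=list)

def assign_case(case):
    # Business rule: IF a risk factor was identified THEN clinical group, ELSE clerical.
    case.assigned_group = "clinical" if case.risk_flag else "clerical"

def send_welcome_letter(case):
    case.letters.append("welcome")

def failing_letter(case):
    # Simulates a task that changes the case and then fails part-way.
    case.letters.append("welcome")
    raise RuntimeError("letter delivery failed")

class WorkflowEngine:
    def __init__(self):
        self.error_report = []  # rejected or rolled-back attempts
        self.audit_log = []     # completed tasks: who did what to which case

    def _reject(self, case, task, user, reason):
        self.error_report.append((case.case_id, task, user, reason))
        return False

    def execute(self, case, task, user, role, action):
        rule = TRANSITIONS.get(task)
        # 1) Is the task valid for the case's current status?
        if rule is None or case.status != rule[0]:
            return self._reject(case, task, user, "invalid for status " + case.status)
        # 2) Does the user's role carry the authority to run it? Deny by default.
        if role not in PERMISSIONS.get(task, set()):
            return self._reject(case, task, user, "role not permitted: " + role)
        # 3) Execute; on any failure restore the snapshot and report the error.
        snapshot = copy.deepcopy(vars(case))
        try:
            action(case)
            case.status = rule[1]
        except Exception as exc:
            vars(case).clear()
            vars(case).update(snapshot)
            return self._reject(case, task, user, "rolled back: " + str(exc))
        self.audit_log.append((case.case_id, task, user, case.status))
        return True

if __name__ == "__main__":
    engine, case = WorkflowEngine(), Case("C-1", risk_flag=True)
    print(engine.execute(case, "assign_case", "bob", "billing", assign_case))
    print(engine.execute(case, "assign_case", "bob", "clerical", assign_case))
    print(engine.execute(case, "send_welcome_letter", "bob", "clerical", failing_letter))
    print(case, engine.error_report, sep="\n")
```

The authority check runs before any change is made, and the rollback restores the case as it was before the task, so a rejected or failed task leaves no partial update behind.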

Healthcare software applications have business rules and workflow engines, but some work better and are easier to use than others. If purchasing a software application, be sure to ask pointed questions about how the business rules and workflow engine work. Provide the vendor with a case study of one of your most difficult workflow processes and ask them to automate it for you. Also ask them to show you how a non-programmer would create this automated workflow.

Automation and Artificial Intelligence (AI)

Automation leads to the next big trend in healthcare today — Artificial Intelligence (AI). There are numerous definitions of AI, but these define its essence: 1) a branch of computer science dealing with simulation of intelligent human behavior in computers, 2) the capability of a computer system to imitate human intelligence (learning, reasoning, and self-correction), 3) a collection of multiple technologies that enable machines to perform administrative and clinical functions, 4) computer systems able to perform tasks normally requiring human intelligence (visual perception, speech recognition, decision-making, and language translation).

Some examples of AI include: machine learning, natural language processing (machine translation, question answering, and text generation), image recognition, speech to text or text to speech, and robotics.

AI does not rely on technology that uses algorithms and/or tools to complement a human being. AI attempts to truly augment human activity by imitating and surpassing the abilities of a human. Today, the basic goal of AI is to use human reasoning as a model, not as an end goal of creating a perfect replica of the human mind. We should not be afraid of AI replacing humans, but rather embrace it as a powerful tool that empowers humans to focus on their highest potential.

Systems using AI are taught to recognize patterns in unstructured data and turn it into structured data that enables automation. AI innovations in electronic health records (EHR), revenue cycle, and operations will continue to increase exponentially over the next few years. AI will be integrated into clinical workflows, empowering providers with real-time data at the point of care.

AI has the power to make improvements in cost, quality and access. Therefore it is experiencing explosive growth. According to Accenture analysis the health AI market in 2014 was at $600 million, but that is expected to increase to $6.6 billion by 2021 – an amazing eleven-fold growth in just 7 years and a compound annual growth rate of 40%. However it is expected to increase more than 10 times over the next 5 years and they predict that key clinical healthcare AI applications can potentially save U.S. healthcare $150 billion by 2026.

Automation and AI are a growing trend in all areas of business, especially as technology becomes more sophisticated. Previously, implementations and new projects required large amounts of time and cost to complete, thereby limiting the number of projects that could be done and cancelling a lot of innovative new programs. Now with automation and AI, projects will be able to be completed in 25-50% less time and with less cost, thereby allowing those resources to be allocated to other needed projects and programs. This increased efficiency and productivity, together with lower costs, will result in better profitability, so this is definitely going to be a key imperative for healthcare organizations.

 

The Benefits of Automation

  • Saves Time and Improves Productivity
  • Streamlines Processes
    • Reviewing workflows helps identify and eliminate unneeded or unnecessary steps
  • Improves Efficiency and Throughput
    • Allows system to be scalable and staff to handle more patients
  • Improves Reliability and Accuracy
  • Reduces Costs and Improves Profitability
  • Improves Quality and Consistency
    • Consistent basis for care activities, medical records, order entry and decision support leads to reduced deaths, non-compliance and costs.
  • Increases Predictability of Outcomes
    • Standardized care plans, supported by automation, make it more likely for a patient to follow the plan. Automation can also detect when the patient has deviated from the plan and alert the care team so they can intervene.
  • Allows More Time for Human Creativity and Higher Cognitive Functioning
  • Provides Ability to Analyze Large Amounts of Data to Support Decision-Making
  • Increases Patient Experience
  • Improves Project Implementation (Fewer Tasks to Teach the Users)
  • Performance and Program Improvement/Optimization
    • Data from Automation Provides Continuous Feedback That Can Be Used to Increase Performance Over Time

 

Problems or Issues with Automation

  • Unrealistic Expectations
  • Poor Design and Testing
  • Lack of Time and Attention Required to Maintain Automated Rules
  • Technology Problems
  • Organizational Problems

 

Steps to Take to Implement Automation

  • Review workflows, policies, and procedures closely to determine what steps should be added, deleted, or changed.
  • Look for processes that are routinely done that do not have a defined workflow.
  • Look for processes performed on large populations on a routine basis, e.g. joint replacement.
  • Think “outside the box” when defining a workflow process. Don’t include unnecessary steps.
  • Challenge yourself on every workflow – Do all these steps need to be taken? What can be eliminated? What can be automated?
  • Review documentation standards. Look for ways to automate repetitive documentation by providing appropriate options that can be selected in a dropdown. Streamline documentation, if possible, while still making sure it is appropriate.
  • Track and identify problems with patients with home devices. Contact immediately to resolve issues and analyze progress over time.
  • Look for ways to automate quality and identify risk factors.
  • Look for ways to automate scripting, scheduling, reporting, and analysis.
  • Make sure any software applications you purchase have business rules and automation tools. They should ensure that each department is able to make changes to meet their own needs, not just the vendor or IT department. Learn how to customize workflows within the system.
  • Develop a Change Process to document all changes, why they were made, who made them and when. Assure the Change Process has management oversight and approval.
  • Develop IF/THEN statements for automation. IF “this occurs”, THEN auto-generate “this action”.
  • Make automation “part of the culture” within the organization.

 

Examples of Automated Processes

  • Letters: welcome, follow-up, appointment, closure, instructions, education. Trigger a specific letter based on a documentation field (new enrollment, type of enrollment, non-adherence with care plan, need for additional education, etc.). Can also set up a text field that can be pulled into a letter for more personalization. Letters can be set to be delivered by email, text, or mail.
  • Identify and enroll candidates for programs based on a diagnosis, number or types of admissions, prescribed medications, treatments, risk factors, etc.
  • Provide “Gold-card” service for providers. Allow certain providers automatic approval of procedure (UM) requests.
  • Send automated reminder to re-schedule for patients who miss appointments.
  • Set up auto-data loads on a routine basis for patient’s labs, pharmacy scripts, or imaging results.
  • Identify risk factors and create automated action (call, letter, enrollment, etc.)
  • Create admission and discharge automation that may include processes for registration, billing, insurance, providers, CMs, ancillary team, pharmacist, therapists, etc.
  • Develop process to find:
    • Patients with risk factors for new programs being offered
    • Candidates for marketing programs
    • Certain providers and analyze patients’ progress
    • Quality issues – lack of compliance, risk factors, falls, etc.
    • Medication non-adherence

It seems inevitable that we are headed towards a future with more automation and AI and that they have the potential to transform the economy at large. However, one thing seems certain – if something can be automated, it will be.