New Innovative Medical Breakthroughs that Are Changing Healthcare

Pat Stricker, RN

There are so many changes in healthcare that it is hard to keep up with all the new treatments, therapies, medications, procedures, and medical equipment that are being developed. Many of these are the result of new technologies, but others are innovative ways to use simple, known techniques in a new way to make significant changes. This article will review some of the current and future technologies that are changing or will change the healthcare landscape. Hopefully you will find some that you were not aware of or some that might be helpful for some of your patients.

Now let’s take a look at what may be in store for us in the near future. The following is only a small list of some of the unbelievable advances and innovations that are being worked on. As technology and computerization continue to advance, there will be more amazing treatments and procedures available.

  • A promising Alzheimer’s drug – The use of Aducanumab resulted in less cognitive decline (about 15-27%) on memory and cognitive tests after 18 months of treatment. It is being re-studied and FDA approval will hopefully be obtained by early 2020.
  • A blood test to detect breast cancer – It screens for auto-antibodies produced in reaction to cancer cells and may be able to detect cancer up to 5 years before a lump is noticed or symptoms occur. The tests are less expensive and easier than mammograms. They are currently being studied in the U.K. and may be available within 5 years. A similar test is being studied in Scotland for lung cancer.
  • A new cystic fibrosis drug – This drug, Trikafta, provides “significant improvements” in lung function and respiratory health. It is now available to about 90% of the patients 12 or older with the most common cystic fibrosis mutation (about 27,000 people in the U.S.).
  • CRISPR for Gene Modification — The Clustered Regularly Interspaced Short Palindromic Repeats (CRISPR) gene-editing tool is the most advanced gene-editing technology. It works by harnessing the natural mechanisms of the immune system to then “cut out” infected DNA strands, giving it the power to potentially transform the way we treat disease. It allows DNA and genes to be modified in the early stages to study and treat sickle cell disease, multiple myeloma, sarcoma, cervical cancer, and non-Hodgkin’s lymphoma, as well as malaria, superbugs, and HIV. By modifying these genes, these threats could potentially be overcome in a matter of years. However, there are concerns about its use, mostly in relation to “playing God” and worries that gene-editing could produce “designer” babies. CRISPR is still a first-generation tool and its full capabilities are not yet understood.
  • Peanut Allergy Promise — A study using the antibody, Etokimab, has shown promise. People with severe peanut allergies were able to eat peanut protein within 2 weeks after just one injection of the antibody. A larger study is planned to determine dosing, timing and potential opportunities to treat other food allergies.
  • A Sickle Cell Breakthrough — A gene therapy, based on 20 years of research, uses infusions of a patient’s own bone marrow to produce normal red blood cells. Clinical trials are being conducted in various locations and patients have been symptom free after a year of treatment.


The following innovations are based on suggestions from a panel of doctors and researchers at Cleveland Clinics that identified medical innovations for 2019 that would transform the medical field and change healthcare.

  • Alternative Therapies for Pain — Genetic testing is being used to predict an individual’s ability to metabolize drugs and identify drugs that work for a patient, thereby eliminating ineffective and unnecessary drugs and adverse reactions. This personalized approach to identify and prescribe appropriate medications for individuals has the potential to help end the opioid crisis.
  • Artificial Intelligence (AI) — Artificial intelligence is being used in decision-making support in patient triage, at the point of care, and in improving the analysis and accuracy of patient scans. AI is helping to make caring for patients quicker, easier, and more accurate. It will be responsible for major innovations in healthcare in the near future. AI has already significantly altered the healthcare landscape. It was used in a study to recognize forms of cancer. AI was taught to recognize forms of cancer by using algorithms that Google uses to identify objects online. It then found two forms of cancer in a tissue sample as accurately as a human could, but in just a matter of seconds. AI has also been used to model the precise dosage of a cancer drug to shrink tumors while causing only minimal toxic side effects.
  • Cardiac Percutaneous Valve Replacement and Repair — Many cardiac procedures performed percutaneously, via a catheter through the skin, have replaced open heart surgery. Examples include mitral and tricuspid valve replacements and repair that have shown very positive outcomes. This innovation has the potential for changing the future of cardiac care.
  • Immunotherapy for Cancer Treatment — Immunotherapy, a technique that uses the body’s own immune system to fight cancer, has been used for years, but new and innovative therapies are showing very promising results. It is hoped that effective therapies will soon be available for all tumor profiles.
  • Robotic Surgery — Today minimally invasive robotized surgery provides precise and effective surgeries with improved outcomes. Robots are used in numerous routine surgeries and have resulted in the shortest and least invasive surgeries, with less recovery time and limited pain after surgery. They are also used in more complex procedures that are highly difficult or near-impossible. The robots will not take the place of a surgeon in the future, but rather assist and enhance a surgeon’s work.
  • RNA-Based Therapies — Ribonucleic acid (RNA) based therapies, which are similar to DNA-based gene therapies, provide the ability to intercept genetic abnormalities before they cause problems. These new therapies have shown immense potential and are being explored for rare genetic diseases such as Huntington’s, as well as cancer and other neurological conditions.
  • Robotic Support – Scientists are developing robotics that enfold and support like an exoskeleton for patients with severe mobility problems, such as partial paralysis. The devices are programmed to guide the body through motions, such as helping a stroke victim walk, by rebuilding posture and strength.
  • Acute Stroke Treatment Timeframe — A stroke can cause irreversible damage and disability due to a prolonged lack of blood flow, so a timely response is critical. However, intervention has only been recommended within a limited timeframe. Now new stroke guidelines expand the timeframe for treatment, which will allow more future stroke patients to receive treatment, while improving recovery and reducing the risk of disability.
  • Prehospital Stroke Visor — Hemorrhagic strokes are responsible for nearly 40% of stroke deaths, even though they are less common than ischemic strokes. The uncontrolled bleeding from the ruptured blood vessel must be controlled as quickly as possible. A new hemorrhage scanning visor using low-energy frequency waves can be placed on a patient’s head and used in prehospital settings to quickly detect hemorrhagic strokes. The device is 92% accurate and has cut treatment time, thereby saving more lives.
  • 3D Printing – 3D printers are an amazing technology and have become one of the hottest topics. Prosthetics are increasingly popular because 3D printing provides unprecedented levels of comfort and mobility by matching an individual’s measurements down to the millimeter. This specificity also provides more advanced, specialized care, minimizes complications, and improves outcomes. 3D printing is currently used primarily for prosthetics, cranial and orthopedic implants and joints, and stents for narrowing airways. It has also been used in heart surgeries and a total face transplant. In April 2019 the world’s first 3D “printed heart” with cells, blood vessels, ventricles and chambers was produced at a lab in Tel Aviv. Fatty tissue from patients was reprogrammed into stem cells, which were then differentiated into cardiac and endothelial cells that make up the lining of blood vessels. The next step will be to train the printed heart to act like a human heart by transplanting it into animals and, eventually, humans. It is the hope that “printed hearts” will eventually be able to be used to save patients who are waiting for a heart donor. Surgeons are also working on creating organs for transplant from stem cells. They have been able to create blood vessels, synthetic ovaries and even a pancreas. These artificial organs then grow within the patient’s body to replace original faulty ones. The ability to supply artificial organs that are not rejected by the body’s immune system would be revolutionary, saving thousands of patients that depend on life-saving transplants each year. Burn victims are also finding relief with 3D “printed” skin created from production material from the patient’s own plasma and skin biopsies. 3D printing is also taking 2D x-rays and CT scans and turning them into 3D models, providing more comprehensive views in order to better diagnose issues. 3D printing can also “print” pills that contain multiple drugs, which help patients with the organization, timing and monitoring of multiple medications. 3D printing is a truly amazing technology that seems to be able to do almost anything. It has great promise for numerous future applications.
  • An “EpiPen” for Spinal Cord Injuries — Immune cells typically work to clear out dead or damaged cells after an injury, as well as increase the body’s defense against infection. However, an over-active immune response can sometimes occur, which can cause numbness and even paralysis in some cases. An “EpiPen”-like device, using nanoparticles, is being studied to see if it can suppress immune cells without side effects common with pharmaceuticals. If this works, it may be able to provide a quick, readily available treatment for spinal injuries, as well as other types of trauma, cancer, and inflammatory diseases.


Other innovations that are on the horizon to revolutionize medicine include:

  • Bionic Prosthetics — A 3D printer can create a bionic eye within an hour. While it is not fully designed and working yet, the promise of seeing a prosthetic bionic eye is much closer to reality.
  • Contact Lenses That Track Glucose Levels – Researchers have been able to attach transparent, flexible electronics to contacts so that glucose levels can be checked, using tears, and the results wirelessly relayed back to a computer program or app. None of the electronics or sensors block the vision.
  • A Patch that Measures Blood Pressure — A wearable patch, smaller than a postage stamp, can measure blood pressure deep within the body by emitting ultrasonic waves that pierce the skin and bounce off tissues and blood. The blood pressure data can then be sent back to a laptop.
  • A Musical Milestone — In Geneva, Switzerland, music is folded into the care plan for some preemies. This NICU music program features 3 specific songs, which babies listen to through special headphones. This ongoing study’s goals are to understand how music affects a preemie’s brain and how well it can recognize melody, tempo, and pitch – skills related to language processing. The songs were composed to help the infants fall asleep, wake up, and interact. MRIs are taken of the babies’ brains as they listen to the music, comparing them to those of babies who were not exposed to the music. The MRI scans reveal improved brain connectivity and the songs appear to support the daily rhythm of sleeping and waking, which is key to thriving in a noisy NICU.
  • Deep Brain Stimulation — Electrodes implanted in the brain deliver deep brain stimulation (DBS). These “brain pacemakers”, which have been used to effectively treat conditions like obsessive/compulsive disorders and Parkinson’s disease, are being tested in Alzheimer’s patients to improve focus, memory, and judgment. Another stroke recovery study has shown promising results, allowing a woman who was paralyzed on her left side to regain function after months of physical and occupational therapy and DBS.
  • Identifying Jaundice — A smartphone app is able to check the whites of our eyes for signs of jaundice. This could help diagnose pancreatic cancer by identifying elevated bilirubin levels.

  • Smart Inhalers – Inhalers, if used correctly, are effective for 90% of patients; however, research shows that as many as 94% of patients do not use their inhalers properly and only about 50% of patients have their condition under control. Bluetooth-enabled smart inhalers have been developed to help patients gain better control over their condition. A small device attached to the inhaler records the date and time of each dose and whether it was correctly administered. It then sends that data to the patient’s smartphone so they can track and manage their condition. Patients who used this device used less medication and had more reliever-free days.
  • Wireless, Absorbable Brain Sensors – Bioabsorbable electronics can be placed in the brain to measure brain temperature and pressures and then dissolve when they are no longer needed, thereby eliminating the need for another surgery to remove them.

  • Precision Medicine – Pharmaceuticals are becoming much more personalized to individual patients with the advent of gene therapy. The trend is moving away from having one standard, general way to approach treatment protocols and moving towards providing personalized treatment and prevention based on each individual’s genetics, lifestyle, and environment. Treatment is determined based on diagnostic and molecular genetic testing. Physicians can now select specific medicines and therapies to treat diseases, such as cancer or rheumatoid arthritis, based on an individual’s genetic make-up. This provides a more effective treatment plan since it attacks tumors based on the patient’s specific genes and proteins, causing gene mutations which make it easier to destroy the cancer cells. Precision medicine has shown many early successes and will be an ever-increasing concept in tomorrow’s healthcare environment.


The following are cutting-edge medical super-tools that were included in the “2019 Medical Breakthroughs: Move Easier, Feel Better, Live Longer” article by Jacqueline Detwiler in the October/November 2019 issue of the AARP Magazine, page 44. They are arranged in groups of like topics.

Bone Grafts — Researchers have found a way to add calcium-rich eggshells to a hydrogel mixture that allows them to form a frame where new bone can develop from bone cells, making bone grafts more effective in treating osteoporosis and other skeletal damage.


  • Prostate Urine Risk (PUR) Test — Researchers in the U.K. have developed a Prostate Urine Risk test that can identify patients who will require treatment for prostate cancer within the first 5 years after diagnosis. This test could eliminate the need for biopsies and lessen the risk of impotence or incontinence.
  • Skin Cancer Diagnosis Using Infrared Light — Infrared light is being used to map a potential skin cancer by blasting it with sound waves to measure its density and stiffness as a way to diagnose cancer without doing a biopsy. Researchers expect FDA approval next year.
  • Some cancers live by the same daily clock as we do. Understanding this rhythm helps physicians determine when it’s most susceptible to treatment. Researchers used a protein that makes fireflies glow to light up glioblastoma cancer cells whenever they were active. They discovered that oral anti-cancer drugs could be more effective if they hit the tumor at that exact time. Participants are being treated at different times of the day to identify the best times for attacking the cancer.

Chronic Constipation – This condition may be treated in the future with pills that vibrate while moving through the GI tract. The vibrating pills induce natural peristalsis, moving stool through the body without chemical action.

Circadian-Rhythm Tests and Treatments

Circadian rhythms affect us and our bodily functions more than we realize, as evidenced by some of the following studies on mood, sleeping, activity, eating, taking medications, the importance of light, etc. There is now a cell phone app called myCircadianClock that can help you identify your circadian rhythm and how to synchronize your body clock with the outside world. Check it out at

  • Circadian Rhythm Blood Test — During a 24-hour period about ½ of your genes are activated. Researchers have developed a blood test that measures your personal internal rhythms and determines a “time signature” that allows them to identify the absolute best times for you to eat, exercise, work and receive medications or other therapies when your body is most receptive.
  • Body Clock Tune-Ups — Circadian clocks are weakened by difficulty sleeping through the nights and daytime sleepiness often associated with Parkinson’s. Researchers have found that exposing subjects to bright light twice a day can reset sleep patterns and reduce early symptoms.
  • Adjust Your Daily Clock — The toxic effects of late night eating and all-day snacking are similar to those of “lead and asbestos”. Almost all genes, hormones, brain chemicals, neurotransmitters, digestive juices, and enzymes are programmed to turn on and off, or go up or down, every 24 hours. Eating when the stomach, pancreas, liver, and other organs are unprepared leaves the body less time to repair itself. Over time this can lead to chronic diseases. Re-establishing your circadian rhythm can fix these problems. Not eating at night and getting morning sunlight can help synchronize our body clocks with the outside world. New science shows that food should be eaten within an 8-12 hour window each day, beginning about an hour after you wake up. Researchers found that when overweight people restricted their eating to a 10-hour window they lost 4% of their body weight in four months without any changes in their diet.
  • Circadian Rhythm Lighting — Companies have developed lighting for hospitals and elder care facilities that mimics the movement of the sun, with light that grows gradually brighter toward midday and darker as sunset arrives. This helps counteract the effects of continuous fluorescent lights and the disruption of normal daily rhythms.

Depression: A Mood Adjusting Spray – Depression treatments frequently work for a time and then stop or are less effective as time goes by. A nasal spray called Spravato (Esketamine), recently approved by the FDA, can be used with an oral anti-depressant for patients with treatment-resistant depression. Some participants have found that there was no “off” time and it is still working after 2 years.


  • An Operation That Improves Blood Sugar — A study for diabetics in Holland included diet and lifestyle recommendations but also an outpatient procedure known as duodenal mucosal resurfacing (DMR) that used heat to destroy the topmost layer of the duodenum, the first portion of the small intestine. The idea was to destroy the layer of cells that prevent insulin from functioning optimally and replace them with regenerated, healthy cells. Six months later, 85% of the patients had better blood sugar control and were no longer using insulin. The study is now being replicated in the U.S.
  • Afternoon Exercise for Type-2 Diabetes — A study showed that high-intensity interval training helps control blood sugar in people with type-2 diabetes, especially when it is done in the afternoon. In fact, it was not only better than exercising in the morning after breakfast, but the two patterns actually had different effects. When exercising after breakfast the participants’ blood sugar spiked, but the blood sugar remained lower throughout the day for those who exercised in the afternoon.

Exercise Can Help Prevent a Second Fall – A study of 345 men and women 70 and older showed that participants cut their risk of a second fall by 36% by following the Otago Exercise Program, a series of 5 strengthening and 12 balance moves with increasing levels of difficulty. The program focuses on knee, hip, and ankle strengthening and overall balance.

Heart Disease: A Whole-Life Longevity Plan – Dean Ornish, the developer of the Ornish Diet, has created a holistic 9-week lifestyle intervention course to help people reverse serious heart disease. It includes four rules: eat a low-fat, plant-based diet; get regular exercise; manage stress with yoga and meditation; and maintain love and intimacy. Within one month of completing the pilot study, the ten participants showed cardiac function improvement. One, who had been evaluated for a heart transplant, had a 27% reduction of his blocked arteries and has made amazing overall progress. The program is available in 18 states and is being approved by some insurance companies.

Light Therapy

  • Blood Pressure Light — Patients in a study were exposed to 30 minutes of whole-body blue light, a dose comparable to daily sunlight. The light reduced the systolic blood pressure by almost eight points, similar to what is seen with blood pressure lowering drugs.
  • Light-Box Therapy — Light-box therapy has been used for years to treat seasonal affective disorder, which leads to a low mood in the winter. Now the same therapy is being used to treat depression, including treatment-resistant depression and bipolar depression. Patients sit near a light box during morning hours to reset their circadian rhythm, resulting in improved mood. A study also showed that patients hospitalized for depression who had rooms that faced the southeast (more sunlight each day) were discharged an average of 30 days earlier than those in rooms facing the northwest (less sunlight each day).

More Comfortable Mammograms – New mammogram machines allow patients to control the compression of their own breasts, which can result in clearer pictures with less stress and pain. One study showed that 91% of the patients gave themselves equal or greater compression over the previous year’s scan, which improved the images.

Parkinson’s – Less Invasive Treatment for Tremors — Deep brain stimulation, the gold standard for treatment of patients with Parkinson’s tremors that don’t respond to medication, is effective about 90% of the time. However, it requires surgery to implant the electrodes in the brain. Last year the FDA approved a safer, noninvasive MRI Exablate Neuro treatment that guides ultrasound waves directly to the most affected areas of the brain and destroys misfiring cells without requiring surgery.

Robotic Undergarments – An undergarment with robotic muscles, originally designed to enhance soldiers’ endurance, can augment core strength by about 25%. Each garment is customized to fit an individual’s lifestyle and issues, providing support to core muscles, legs and hips, and back. They are available in the Seattle area and some elderly communities and companies are providing them to members and employees to lease for $1,000 to $1,500.

10,000 Steps a Day – The standard goal of 10,000 steps a day isn’t based on science. It was related to a 1964 Tokyo Olympics marketing effort. Researchers worked with 17,000 women (average age: 72) to determine how many steps are needed in older adults to lower their risk of dying from all causes. They were asked to record their steps for at least 10 hours a day, four days a week. They found that mortality rates began to drop at 4,400 steps and leveled off at 7,500 steps. So you can rest a little and not feel like you have to push yourself to get to 10,000 steps – 7,500 may be enough. However, the more you do, the better it is for your health.

Tips on How to Successfully Select and Implement an Electronic Health Record

Pat Stricker, RN

Selecting and implementing a new electronic medical record (EMR) or electronic health record (EHR) is a huge project for any organization. These are large systems used throughout the organization with detailed information about the patient and their treatment. They are integral to the daily operations of the organization, so organizations must think carefully about exactly what they need and be sure the system will help them achieve their organizational mission and goals. They also need to choose the right vendor – one that aligns with their organizational goals and strategies, is willing to be a “partner” with the client, and has a good reputation for successfully completing implementations and launching the system as promised and on-time.


While the terms EMR and EHR are often used interchangeably, there are differences according to the Office of the National Coordinator for Health Information Technology (ONC).

  • EMRs were developed in the 1960s and were primarily digital medical (clinical) records used by physicians to diagnose and treat their patients. They took the place of paper records and, in addition, provided the ability to monitor and track patient data and improve the quality of patient care. However, the information did not travel outside the practice group. The patient record still needed to be printed and mailed to specialists and other members of the care team.
  • Over time the EMRs evolved into EHRs as the health care industry started to develop standards to allow other health care data to be collected and shared with all care team members. EHRs provided a broader view of the patient record that could be shared outside the practice group with specialists, hospitals, therapists, outpatient care, post-acute care facilities, home care agencies, laboratories, etc. EHRs also began to define and drive workflow processes, as well as provide evidence-based decision-making tools, order entry, plans of care, documentation templates, and detailed monitoring and analytical capabilities. EHRs became total patient health records that can be accessed by the patient or any health care provider caring for them to assure the most up-to-date, coordinated, patient-centered care.

An electronic health record is defined by the Healthcare Information and Management Systems Society (HIMSS) as: “a longitudinal electronic record of patient health information generated by one or more encounters in any care delivery setting. Included in this information are patient demographics, progress notes, problems, medications, vital signs, past medical history, immunizations, laboratory data and radiology reports. The EHR automates and streamlines the clinician’s workflow. The EHR has the ability to generate a complete record of a clinical patient encounter – as well as supporting other care-related activities directly or indirectly via interface – including evidence-based decision support, quality management, and outcomes reporting.”

So even though the terms EMR and EHR are used interchangeably, they are very different. We will be using the term EHR.


Last month’s article, Physician and Nurse Involvement Is Critical in EHR Selection and Implementation, focused on why EHRs are important and why physicians and nurses need to be part of the selection and implementation process. This article will focus on how to select the right EHR and vendor and how to make sure the system is implemented in a way that meets your needs and those of your patients.


Selecting an EHR

Selecting the “right” software for any project is not an easy task. There are numerous EHRs available, each with its own capabilities and processes. On average it takes 6 months to over 2 years for organizations to select enterprise software, so you must make sure you take the time to find the one that fits your unique goals and needs (requirements). The following are some key steps that you should consider when selecting an EHR or other software for your business needs.

  • Planning
    • Create a Selection Committee comprised of representatives from management and line positions from all functional areas that will be using the system or interacting with it. This is critical so ideas, input, and feedback are obtained from all interested parties.
      • Assign an executive champion to provide guidance and clear roadblocks
      • Assign a full-time project manager with experience implementing large software projects
    • Define your organization’s business, operational, and expected outcome goals and how you envision the system can help achieve them.
    • Define “ideal” processes and workflows
      • Review all current and planned workflows carefully. Identify what works/is needed and what doesn’t work/isn’t needed. Eliminate all unneeded steps and those that are not being tracked or reported on.
      • Spend time re-designing workflows so you have streamlined, automated workflows that you can use to define your workflow requirements. Include steps you think may not be possible (it never hurts to ask!).
    • Define requirements that are critical to your processes (efficiency measures, documentation standards, performance consistency and standardization, etc.).

NOTE: On average a requirements document such as this will consist of over 275 requirements. Sites like SelectHub provide templates to help you develop the requirements.

  • “Must Have” – mandated requirements that are essential
  • “Needed” – requirements that are necessary. They are needed to make workflows and processes easier or improve efficiency and performance, but not mandated.
  • “Like-to Have” – ideas that seem improbable or impossible, but would be great if they were available, such as auto-documentation, automated integration with other applications, etc. (They may not be available but it never hurts to ask!)
  • Analytic – Quality, analytic, and quantitative tracking, monitoring, and reporting
  • Research software products that meet the needs identified above.
    • Conduct an internet search for a product that meets all your identified requirements.  NOTE: An average of about 10 software products are typically researched, but that number should be reduced before scheduling demonstrations.
      • Using a site like SelectHub may help reduce your time and effort. It provides a software selection platform that lets you identify the type of product needed, determine the requirements you are looking for, set priorities, and compare products that meet your needs. It also provides templates to help you develop the requirements.
    • Seek input from surveys, client recommendations, or other rating services.
    • Make sure the product is flexible enough to fit your defined needs. You should not have to change your workflows to fit the software.
    • All data in the system should be reportable, measurable, and able to be analyzed to show how workflow benefits the patients, providers, organization, and entire healthcare system.
    • Consider the user experience and ability of the patient to access their record.
    • Consider the way the system is deployed and what IT resources are needed to maintain it.
  • Research software vendors to find a “partner”, not merely a service provider or vendor. Selecting the “right” vendor is just as important as selecting the “right” software. The vendor needs to be aligned with and able to support your strategic goals and expected outcomes. And the two organizations need to have similar company cultures so they can develop a true collaborative partnership in which each is willing to help the other. Conducting a detailed vendor assessment is key! It is just as important as assessing the product.
    • Conduct an internet search for a vendor that has a proven track record in the industry.
    • Seek input from surveys, client recommendations, or other rating services.
    • Consider whether the vendor aligns with your clinical, administrative, revenue, population health and analytic goals.
    • Ask for statistics on their success rates for implementation and launching on-time. Ask if they have ever failed an implementation. They should have these statistics available. NOTE: Under-performance and project failures can be an issue. Statistics show that for all IT projects more than ½ fail and 3% under-perform.
    • Make sure they have a defined implementation process (with timelines) to share with you and that they have a dedicated implementation team to work with your team.
    • Ask for references and speak to or visit them to see how the system works for them. Also ask what the system is not able to accomplish for them.
    • Develop a list of vendor requirements based on the above.
    • Schedule an on-line overview demo to see if the product is what you are looking for. It does not need to be detailed at this point in the process.
  • Develop a Request for Information (RFI) and/or Request for Proposal (RFP) Document based on the product and vendor requirements that you have already defined.
    • An RFI is an initial communication document sent to numerous vendors that describes your organization; the need, scope, and purpose of the proposed project; and higher level requirements. It may also include expected pricing, delivery methods, and other business information. An RFI provides the organization with summarized information from each vendor in order to determine which vendors should be reviewed in more detail.
    • An RFP is a formal, comprehensive request that is sent after an RFI or in place of an RFI to elicit detailed information from vendors an organization is interested in. It includes detailed information about the project, its timeline and budget, and detailed requirements that a vendor must meet. It allows the organization a chance to compare all vendors using the same criteria.
    • A list of detailed “Must Have”, “Needed”, and “Like-to-Have” requirements should be listed giving the vendor as much information about what you are looking for and what the system needs to be able to do.

NOTE:  The Smartsheet website provides free business templates designed to assist organizations in building RFI, RFP, and requirements documents for projects.

  • Evaluate RFIs/RFPs to Determine Vendors for Demonstrations
    • Develop a Demonstration Checklist based on the product and vendor requirements.
    • Each type of requirement in the RFI/RFP should be listed with a scored ranking. Quality, analytic, and quantitative tracking, monitoring, and reporting requirements would be listed under one of these categories and scored accordingly. Using a point system for scoring will make it easier to objectively compare all products and vendors. The scoring system could be similar to this for the system requirements:
      • “Must Have” – mandated requirements, so no points awarded: 0
      • “Needed” – necessary, but not mandated. They make workflows and processes easier or improve efficiency and performance: +1
      • “Like-to Have” – ideas that seem improbable or impossible, but would be GREAT to have: +2
      • “Available” with Customization (extra cost): –1
      • “Not available” – requirements are not available: –2
  • Add a vendor requirements section to the checklist.
    • Score their requirements in a similar fashion
    • Also consider adding or subtracting points based on your interactions with the representatives from each vendor. Were they responsive, friendly, and helpful? Did they anticipate your needs? Did they understand your business needs and goals? Do they have a dedicated team to work with your team? Does their culture seem to fit in with your organization’s culture? How do they handle issues and delays? Do they have good implementation and launch statistics? Have they ever had a failed implementation? Also add other things that are important to your organization.
  • Tabulate the scores for each vendor and choose the top 3-6 for further evaluation.
  • Manage the Demonstration Process
    • Select no more than the top 3-6 vendors for a demonstration based on the product and vendor scores.
    • Schedule a demo – It can be an initial online demo, if that has not been done, or a full product demo at your site.
    • Schedule a defined timeline for the demo – Schedule the same amount of time for each vendor (e.g. 2-4 hours) and stick to the timeline. Do not allow vendors to go over the time allotted, as it is not fair to other vendors. It also shows that the vendor may not be organized enough to conduct the demo within the specified timeline.
    • Schedule all demos within a short timeframe (e.g. 2-3 days or up to 1 week). This makes it a little difficult and time-intensive for the Selection Committee during that time period, but it reduces the confusion of trying to remember vendors and products that were presented over a long time period.
    • Ask for customized case scenarios to be presented – Send the vendor case scenarios for key processes or functions you want them to demonstrate. Vendors should be asked to develop these scenarios in their system and show them during the demo. Those that do not take the time to develop these scenarios should have points deducted from their score.
    • Ask vendors to show other “Must Have” and “Like-to-Have” requirements – Ask them to show as many as possible in their demo. They should not be allowed to just tell you that they can do something. Insist that they show you how it is done.
    • Develop a Demonstration Checklist that includes all product and vendor requirements. Also include Comment Sections so the committee can provide non-solicited feedback.
      • Provide each committee member with a checklist at the beginning of each demo and ask them to rate each requirement as it is demonstrated.
      • Require committee members to complete the checklist at the end of each demo to assure their observations are fresh. Allowing them to wait until the end of the entire demo process to fill out the checklists leads to confusion about what each product/vendor demonstrated. It is best to collect feedback immediately.
    • Tabulate the results of the Demonstration Checklists after all demos have been completed.
    • Hold a committee meeting to discuss the demo results. Gather input from all areas and try to reach a consensus on a chosen product/vendor.
    • Select a “Partner” and product.
  • Contracting would be the last step in selecting a software.


Implementing an EHR

The next step is to implement the chosen software. This task will now be taken over by the Implementation Team. Some of these team members may have been on the Selection Committee, but many others were not, so all team members need to be brought up to speed on the product and its goals for the organization. The goals and strategies for the project need to be reviewed, as well as the requirements, and expected outcomes. A demo of the system is also needed, so everyone is familiar with its capabilities.

The vendor’s project manager oversees the implementation project, working in conjunction with the client’s project manager. Weekly status meetings should be scheduled for the implementation team, as well as monthly or bi-monthly governance meetings with senior leadership to discuss the project’s progress and outstanding issues.


While each product will have its own steps in the Implementation Process depending on the nature of its processes, they usually include steps similar to these:

  • Initial Implementation Team Meeting – this can be done by conference call, on-line, or in-person at the client site to introduce the client and vendor management and implementation teams.
    • The client should present an overview of the goals and strategies for the project, as well as the requirements, and the expected outcomes.
    • The vendor should present an overview demonstration of the product, explain the implementation process, and review a draft implementation plan covering all key steps, expected timeframes, training schedules, and expected responsibilities and time commitments for implementation team members.
  • Installation of the System – The two technical teams should begin to install the system.
  • Initial On-site Meeting – should include:
    • An initial overview training for the implementation team focusing on the features of the system and “hands-on” practice in navigating it.
    • An in-depth assessment and discussion of current and expected workflow processes for all functional areas should be conducted, if this has not already been done. The goal should be to revise and optimize the workflows and processes, not use the current ones. This is an essential step that drives how the system will be configured to meet the client’s unique needs and helps the vendor finalize the implementation project plan with realistic tasks and timeframes.
  • In-depth training for the client’s implementation groups: technical, clinical, reporting, etc. These sessions focus on specifics related to their key responsibilities.
  • The technical team will install the system, set-up network connections, create processes for data loads and exports, build interfaces, etc.
  • The analytics group will work on developing reports, audits, and data analytic needs.
  • The clinical team will set up workflow processes and configure the system.

These trainings can be done on-site or in on-line sessions. Due to the cost of on-site visits, more implementation steps are being done using on-line conference sessions. These sessions, which continue throughout the implementation, are part training and part “hands-on” work, with tasks assigned between meetings. Intermittent on-site work sessions are also scheduled.

  • Re-designing Processes – Old, convoluted processes and work-arounds should not be brought over to the new system. Workflow processes need to be simplified, optimized, and automated as much as possible. Automated workflows based on business rules and evidence-based data should be added whenever possible. All stakeholders should have input into the re-design of the workflows that affect them. Third-party applications should also be reviewed to see if they are still needed or if the processes can be done in the new system, thereby eliminating extra work.

Health care leaders agree that streamlining, automating, and optimizing processes is a critical step that allows the system to provide value and efficiencies. One even joked that “if you don’t (redesign workflows first), you’re just moving garbage at the speed of light and magnifying inefficiency.”  Another said, “When we redesigned the system around (a workflow process)…it streamlined so much, and from a quality point of view it also took out a huge number of errors and potential errors.”  Clearly, process redesign is a critical step that requires time and attention!

  • Development of a Practice System – Each team needs to have access to a practice system where the implementation staff can test data loads, configuration, reports, etc. The vendor should offer a process that gives each team its own system, so that its work does not interfere with other groups. For example, a vendor may offer to set up three databases: one for the technical group to use for data loads, interfaces, etc.; one for configuring the workflows and processes; and one for training and practice used by all groups.
  • User Acceptance Training – Prior to the final training, the data load and configuration databases that contain all the new processes and integrations can be combined to produce a database for User Acceptance Testing. Realistic case scenarios should be developed for all workflows and processes. Team members should enter these into the system to assure they are accurate. If not, they should make needed changes and test again. Once the team is convinced the workflows and processes are accurate, the database can become the End-User Training database.
  • End-User Training – This is usually conducted within one to two weeks before Go-Live. The timing will be determined based on the number of staff to be trained and the availability of training facilities. The goals should be to train for comprehension and retention of basic skills and to observe the students and offer suggestions. Ideally, each trainee should have their own computer, not a shared computer, so they can get as much “hands on” practice as possible. The class should be taught by the vendor and the client, with the vendor providing basic features and navigation and the client teaching client-specific workflows and processes.

After the training a training room should be available for the staff to continue to do more individual practice or have 1:1 training with an instructor or mentor before Go-Live. They should be encouraged to enter real-life, case scenarios that test the various workflow processes that are included in a normal workday or to replicate actual cases they performed the previous day. This has been identified as a key need, as studies have shown that in problem implementations about 85% of the staff members were missing basic skills at Go-Live. Extra practice time also provides further User Testing of the newly designed workflows and system changes.

  • Go-Live! – The implementation team and vendor should be available for the staff at Go-Live and during the first week to offer assistance and keep logs depicting all issues, suggestions and requests for changes. At the end of each day, the implementation team should review what went well and things that need revision. This continuous improvement quality process is critical, so that issues are identified and addressed on a timely basis.
  • Post-Implementation Support – Weekly team status meetings should continue for the next three to four weeks or until all issues and revisions are resolved. An ongoing Change Management Process should be put in place to identify and resolve all quality issues that continue to arise. The client should be reviewing the system, utilization, performance, and workflow issues and results.

About four to six weeks after Go-Live, the vendor should schedule a meeting with the client’s leadership and implementation teams to get input on the overall implementation project:  what worked, what could have gone better, etc. This information should be used by the vendor to improve their implementation processes.

Lastly, about six to nine months after Go-Live, the vendor should conduct another on-site visit to determine how the system is working, reassess the client’s needs, review ongoing configuration needs, provide suggestions for improvements, provide additional tips and hints for better use of the systems and assist the client in determining how to add additional programs or processes, if needed.


It’s hard to know if a software system will work the way you initially envision, until you actually work with it for a while. Defining exact requirements at the beginning of the project is a crucial step, but it still needs to be followed by a continued process to monitor and revise issues and problems as they arise. You can’t just implement a system and then forget it and move on to the next project.


I hope this article has provided some insight into the most important factors to consider, if you are looking for a new system. Knowing how to choose the “right system and vendor” is extremely important, which then makes the actual implementation much easier. Any implementation takes a great deal of time and resources, but it is definitely worth it, because of the improved effectiveness, efficiency, productivity and clinical outcomes that it can provide. Taking the time to choose the “right system and vendor”, re-design and optimize workflow processes, and train the staff on basic skills are critical keys to achieving a successful implementation.

But the most important thing is to “get a seat at the table” – to become part of the selection and implementation process. If you know this type of project is being planned, volunteer to be on a committee, don’t wait to be asked. Your input is invaluable. You work in these systems every day. You know what is needed. You know what works and what doesn’t. You know what new processes are needed and what could be eliminated. If you are not chosen for a committee, document your ideas and suggestions in a professional, positive, succinct format and submit them to the selection committee. That way, even if you don’t have a seat at the table, you will be at the table and you’ll have a chance to offer input.

TCS Healthcare Technologies Releases ACUITYnxt 1.6

ACUITYnxt is “The Managed Care System Designed by Case Managers”

AUBURN, Calif., Nov. 26, 2019 /PRNewswire/ — TCS Healthcare Technologies is excited to release ACUITYnxt 1.6.  ACUITYnxt is a secure, cloud-hosted solution providing risk-bearing organizations the ability to improve the health of their member populations while reducing avoidable healthcare costs.

This release includes advanced population risk stratification, deeper workflow automation, expanded clinical content, and an embedded data integration engine.  These enhancements provide the capability to use multiple external data sources to stratify members, automate program enrollment, and auto-schedule follow up actions.

TCS CEO, Deborah Keller, states, “Designing and operationalizing population health programs that truly impact health requires far more than data collection.  We understand that our clients need technology that helps them leverage their own resources in the most efficient way possible to positively impact as many lives as they can.  That translates to overcoming interoperability challenges and fully utilizing all data points in the member experience to decrease inefficient processes and eliminate dangerous blind spots.”

Keller notes, “We are so excited to offer this latest release of ACUITYnxt.  There is simply nothing else on the market that provides the flexibility to operationalize innovative population health programs while also supporting end users with an intuitive experience.  I am constantly humbled by the ability of our clinical and technical teams to collaborate in a way that results in software that is simply unmatched.”

To request an ACUITYnxt demo, email us at

About TCS Healthcare Technologies:

TCS Healthcare Technologies (TCS) is a leading provider of software designed to support health plans, TPAs, ACOs and other risk-bearing organizations. The TCS team of US-based clinicians and developers are recognized for their best-in-class managed care expertise and customer support.

TCS Healthcare Technologies is an HCAP Partners portfolio company.

Post Fall Managed Care Forum (FMCF) 2019

Deborah Keller, RN, BSN, CMCN, CPHQ

Chief Operating Officer

As a provider of managed care software, each year I determine which conferences TCS will participate in as a vendor. This is a difficult decision as there are so many high-quality conferences from which to choose and I am personally energized by nearly every conference I attend.  Having clients in every sector of managed care including Medicare and Medicaid health plans, third-party administrators, self-insured plans, and ACOs, conferences not only provide TCS with sales and marketing opportunities, but more importantly, they help keep us connected to users in each of these sectors.


After researching the Fall Managed Care Forum (FMCF) and understanding the relationship between the American Association of Managed Care Nurses (AAMCN), the NAMCP Medical Directors Institute, and the American Association of Integrated Healthcare Delivery Systems (AAIHDS), TCS decided to become an exhibitor at the FMCF in Las Vegas.  Since 2014, TCS has exhibited at the conference every year.


In 2017, I was fortunate enough to partner with one of our clients to present on Social Determinants of Health at FMCF. Attendees of the presentation may remember the lights going off and on during the presentation and Dr. Jonathan Burke’s hilarious improv as it was happening.  Despite this very minor snafu, the feedback on the session was incredibly positive.  The appreciation, encouragement, and follow-up information requests from that presentation have been wonderful.  Several of you have reached out to let us know how you incorporated the SDOH visual model we provided into your own programs and education campaigns.


The variety and quality of presentations at this year’s FMCF, like previous years, was solid.  It is exciting to hear directly from presenters how their programs are maturing and progressing operationally.  After so many years of speaking of treating the whole person, it is inspiring to see SDOH so heavily factoring into how members are being managed.


As for TCS, over the past five years, we have enjoyed every aspect of participating in this event as a vendor.  We enjoy seeing our own clients, our vendor partners, and all the attendees who stop by our booth to say hello.  In the spirit of continuing to drive our products directly from the expert user community, this year I brought along Matt Fahner, our VP of Engineering.  This allowed Matt to hear directly from attendees what they think of our latest software offering, ACUITYnxt.  The feedback was better than we could have ever hoped for.  We absolutely appreciate the time that many of you spent answering our questions and we deeply appreciate learning from you all.


Over the next two months, I have a few events coming up that I am very excited about.  I am looking forward to moderating a session about innovative approaches to effectively managing social barriers to care at the Social Determinants of Health Action Forum on November 14th and 15th in Miami, Florida and participating at the Transformation Today & Tomorrow Conference on December 4th and 5th in Pinehurst, NC.

To join us at a discounted rate, please use the code: H121TCS

At website:

If I don’t see you at one of these events, I look forward to seeing everyone at FMCF 2020!

TCS Healthcare Announces the Release of Acuity Connect v7.32

AUBURN, Calif., October 4, 2019 –

What’s New in this Release of Acuity Connect™ v7.32

This release improves overall security and addresses vulnerabilities that have been discovered since the last release.  Updates to the Java®, Apache Tomcat®, and Apache HTTP Server™ platforms are included.


Security Improvements

Acuity Connect v7.32 includes the following fixes to address vulnerabilities and security concerns:

  • Implemented the AllowedMethods method in Apache HTTP Server to prevent malicious actors from obtaining server configurations through an insecure use of the OPTIONS method.
  • Fixed a bug that could allow a malicious actor to access the Apache HTTP Server environment’s as well as any new directories that were added after implementation.
  • Updated HTML doctype directives to ensure a malicious actor cannot downgrade sessions from the browser’s modern “standards mode” to a more insecure “quirks mode”.
  • Deprecated support for version 1.1 of the TLS connection protocol to prevent malicious actors from downgrading a session’s encryption algorithm to an older, rarely used, and potentially less secure protocol. Acuity Connect will now only support connections using TLS version 1.2.
  • Updated the jQuery® implementation used by Acuity Connect from 2.2.4 to 3.4.1 to address several vulnerabilities. A detailed change log can be found at the following website:…3.4.1
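
The two Apache HTTP Server items in this list (HTTP method restriction and the TLS protocol floor) can be verified against a deployed configuration. The audit below is an added example, not code from TCS or Acuity Connect. It assumes the "AllowedMethods" item corresponds to httpd's `AllowMethods` directive (mod_allowmethods) and the TLS item to mod_ssl's `SSLProtocol`, reads a single configuration file without following `Include`, and uses constructed configuration fragments and paths.

```python
import re

# Constructed httpd configuration fragments, not taken from Acuity Connect.
BEFORE = """\
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv3
    <Directory "/srv/portal/htdocs">
        Require all granted
    </Directory>
</VirtualHost>
"""

AFTER = """\
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol -all +TLSv1.2
    <Directory "/srv/portal/htdocs">
        AllowMethods GET POST
        Require all granted
    </Directory>
</VirtualHost>
"""

# What "all" expands to here; the real set depends on the OpenSSL build behind mod_ssl.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}
DEFAULT_SSLPROTOCOL = "all -SSLv3"  # httpd 2.4.17+ default when the directive is absent


def parse(conf):
    """Return (SSLProtocol args or None, {directory path: AllowMethods args or None})."""
    ssl_args, dirs, current = None, {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # httpd comments occupy a whole line
            continue
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>$', line, re.I)
        if opened:
            current = opened.group(1)
            dirs[current] = None
        elif line.lower().startswith("</directory"):
            current = None
        elif not line.startswith("<"):
            name, *args = line.split()
            if name.lower() == "sslprotocol":
                ssl_args = args
            elif name.lower() == "allowmethods" and current is not None:
                dirs[current] = args
    return ssl_args, dirs


def effective_protocols(args):
    """Apply mod_ssl's token rules: +X adds, -X removes, a bare X replaces the set."""
    enabled = set()
    for token in args:
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        if name == "all":
            chosen = ALL_PROTOCOLS
        else:
            chosen = {p for p in ALL_PROTOCOLS if p.lower() == name}
        if not chosen:
            raise ValueError(f"unknown SSLProtocol token: {token}")
        if action == "-":
            enabled -= chosen
        elif action == "+":
            enabled |= chosen
        else:
            enabled = set(chosen)
    return enabled


def audit(conf):
    """Return findings for the method-restriction and TLS items in the release notes."""
    ssl_args, dirs = parse(conf)
    if ssl_args is None:
        ssl_args = DEFAULT_SSLPROTOCOL.split()
    findings = []
    for proto in sorted(effective_protocols(ssl_args) & LEGACY):
        findings.append(f"TLS: {proto} still negotiable")
    for path, methods in sorted(dirs.items()):
        allowed = {m.upper() for m in methods or []}
        if not allowed or "RESET" in allowed:
            findings.append(f"methods: {path} has no AllowMethods restriction")
        elif "OPTIONS" in allowed:
            findings.append(f"methods: {path} still allows OPTIONS")
    return findings


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(conf) or "no findings")
```
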

Platform Updates

Acuity Connect v7.32 also includes significant updates to the supplied software platforms.

  • Java: This release moves Acuity Connect from a 32-bit (x86) Java 8 Runtime Environment (JRE) platform to the most recent LTS 64-bit Java 11 Development Kit (JDK) release.  This update includes a JDK software package as Oracle® has deprecated standalone JRE releases.  For detailed upgrade instructions, refer to the Acuity Connect v7.32 Installation Guide.
    • For a list of changes, refer to the Java 11 release notes.
  • Apache Tomcat: This release moves Acuity Connect from a 32-bit (x86) Apache Tomcat 8 environment to a 64-bit Apache Tomcat 9 environment.  This new version fixes several bugs and known vulnerabilities.  For detailed instructions on backing up and replacing Apache Tomcat installations, refer to the Acuity Connect v7.32 Installation Guide.
    • For a list of changes, refer to the Apache Tomcat 9 change logs.
  • Apache HTTP Server: This release moves Acuity Connect from a 32-bit (x86) Apache HTTP Server 2.4 environment to the latest 64-bit version of the server software.  This new version fixes several bugs and known vulnerabilities.  For detailed instructions on backing up and replacing Apache HTTP Server, refer to the Acuity Connect v7.32 Installation Guide.
    • For a list of changes, refer to the Apache HTTP Server 2.4 fixed vulnerability list.

Bug Fixes

Acuity Connect v7.32 also addresses the following functionality issue:

  • Fixed a bug that prevented Auto Approval Rules from accepting and saving changes to the Assessment Form checkbox.



Copyrights and Trademarks

ACUITY Advanced Care, ACUITY, Acuity Connect, AcuPort, AcuStrat, AcuPrint, and AcuCare are trademarks of TCS Healthcare Technologies.  All rights reserved.

Microsoft SQL Server and all Microsoft Windows products are registered trademarks of Microsoft Corporation of the United States.

CPT five-digit codes, descriptions, and other data only are copyright American Medical Association.  All rights reserved.  Fee schedules, relative value units, conversion factors and/or related components are not assigned by the AMA, are not part of CPT, and the AMA is not recommending their use.   The AMA does not directly or indirectly practice medicine or dispense medical services.  The AMA assumes no liability for data contained or not contained herein.  CPT is a registered trademark of the American Medical Association.   Applicable FARS / DFARS; restrictions apply to government use.

Oracle and Java are registered trademarks of Oracle and/or its affiliates.  Other names may be trademarks of their respective owners.

Advanced Installer is a trademark of Caphyon software.  All rights reserved.

Apache, Apache HTTP Server, Apache Tomcat, and the Apache feather logo are either registered trademarks or trademarks of the Apache Software Foundation in the United States and/or other countries.

jQuery is a registered trademark of the JS Foundation in the United States and/or other countries.

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit.

Web user interfaces and PDF technologies in Acuity Connect utilize components from Kendo UI by Progress.  Progress, Telerik, and Kendo UI are registered trademarks of Progress Software Corporation in the U.S. and other countries.  All rights reserved.

Physician and Nurse Involvement Is Critical in EHR Selection and Implementation

Debb Keller, RN, CMCN, CCM, CPHQ

Chief Executive Officer

Pat Stricker, RN, MEd

Senior Vice President


I frequently hear some “older” physicians and nurses complaining about electronic health records (EHRs). They feel they inhibit documentation and are cumbersome and frustrating to use. However, I can’t imagine any of the younger physicians or nurses would ever conceive of working in a system without electronic patient records.


As I was beginning to write this article I began to wonder how many of you even remember the days in which there were no computerized records — when everything was in a written chart that was only accessible to one member of the healthcare team at any one time. I’m sure that must be more than half of you reading this article. For those of you that don’t know what it was like before computerized records, let me give you some insight.


Imagine having to submit a list of patients that you were going to see tomorrow in the clinic to the Medical Records Department (MRD) the day before so they could gather the records and bring them to the clinic that morning. Or if you are seeing a patient in the Emergency Department you would need to call the MRD and ask them to bring the patient’s record to the ED. Until you get the record you would be caring for the patient without having any medical history. And once you are finished with the record it would need to be returned to the MRD for filing or, if the patient was admitted, the record would need to be transferred to the floor with the patient.


If the patient had any lab, x-ray, or other procedures done within the last day or so, those results would probably not be filed in the record yet. They would still be with the provider for review or waiting to be filed. In the hospital, if these results were needed right away, they would be sent to the department via an archaic pneumatic tube system that was available throughout the facility. (And they often got sent to the wrong area!) In addition, only one person had access to the patient’s record at a time. Other care team members could not review the record to help them make clinical decisions.


Is that system archaic enough to convince you that we need electronic medical records? If not, let’s talk about how the record was documented. All notes were written manually (and hopefully they were legible enough so everyone could interpret them). There was no automated documentation or structured documentation standards that make it easier to find information. There was also no automated medication information, lists, or order entry, nor any decision support tools. These were only available in reference books that might not be readily available when you needed them.


Okay! Have I convinced you yet that the minor inconveniences that we may have in using an EHR today are better than using written records?  I hope so.  Are there things we can do to make the EHR system perform better and meet our needs? Absolutely! But we need to get involved!


I’d like to share with you portions of a blog written by Debb Keller, RN, the CEO of TCS Healthcare Technologies. Debb feels that it is critical for physicians and nurses to be intimately involved in the selection and implementation of EHRs in order to make them work efficiently. Here are portions of Debb’s blog, Why Practitioners, and Nurses Especially, Need to Be More Involved With EHRs.


“Electronic Health Records – EHRs. In theory, it sounds so simple. I mean, who keeps paper records anymore? Open a bank account or a credit card, and they’ll encourage you to “go paperless” and receive bills and statements only electronically. Cloud storage services allow you to store all your files in a way that allows you to access them anywhere. Address books are replaced with contact lists, and now you even have the option of receiving an e-receipt instead of a paper one when you buy a cup of coffee.

Why, then, do EHRs live in infamy in the healthcare world? It’s not because electronic records aren’t useful in healthcare: they allow access to information at the point of care, and they help avoid problems like misreading or mishearing written or phone prescriptions, which can lead to a patient receiving the wrong medication.

The issue at hand is the user-friendliness of these technologies. ……. A whopping 44% of physicians and 35% of Nurses and APRNs (Advance Practice RNs) surveyed in a Medscape poll said that EHRs had reduced the quality of care they were able to provide. Those surveyed cited problems such as ‘added paperwork/charting, entering data during the patient encounter, lack of interoperability with other systems and system failures or problems.’

These technological pain points have not only reduced care quality in the eyes of large proportions of practitioners, they also reduce job satisfaction, which contributes to burnout.

Although there isn’t a silver bullet to improve such a complex problem, the first step is to increase the involvement of practitioners with EHRs. No matter where your healthcare practice or company currently stands with its EHR system, there are actions to be taken:

  • EHR system currently in use: even if you have an EHR system and aren’t in a position to replace it, you can still take steps to improve things for your healthcare professionals and, in turn, your patients. It shouldn’t come as a surprise that educating on a subject makes it more manageable, but in a study by Arch Collaborative, tens of thousands of clinicians were interviewed and found to have ‘critical gaps in users’ understanding of how to optimize their EHR.’ Though no amount of training can fix flawed technology, it can certainly improve both experience and outcomes.
  • Implementing an EHR system: there are a lot of EHR systems on the market and choosing the right one isn’t always easy. The choice will certainly vary based on your practice. Now, who do you think will have the best sense of the needs of your practitioners? I think you know where this one is going. 66% of physicians and 80% of APRNs/nurses were not consulted in the EHR system selection process, according to a Medscape poll, and of those who did weigh in, only 2% said the system they wanted was chosen. Now, I can understand that sometimes, the opinions of practitioners might not be what the practice goes with in the end; it could come down to a budget or system compatibility issue. However, the fact that it’s so infrequent, among companies who are bothering to ask at all, can’t be chalked up to those excuses.
  • Companies designing EHRs: for technology companies in the healthcare space, just like any other, user experience design is so important. Whatever approach you may take, whether it is having clinicians work directly with the design team, doing extensive user research, or undergoing extensive user testing, bringing in end users is going to give you a product that works better for them. For instance, Dr. Lalita Abhyankar wrote in an OpEd entitled “You Hate Your EHR? Help Develop Something Better” about her experience going to a meetup for people interested in healthcare tech. ‘As I walked home in the cold that night, I realized, perhaps, the reason we are the victims of poorly designed technology is because many of us haven’t yet elbowed our way to a seat at the table.’ Challenging though it may be, we can all try to get to the table and give our opinions.

I want to note that while it’s important for every end-user to be involved in development, selection, and implementation of EHRs, involving nurses and APRNs is especially important. Although studies have shown that overall, nurses are more satisfied with their EHRs than physicians, they still face a lot of issues using them, and over one third still feel they were reducing care quality. Moreover, ‘The majority of the care-delivery support that occurs in the EHR is completed by nurses.’

Patricia Daly puts it especially well in an article for LWW’s Nursing Journal: ‘These clinical nurses are experts in patient-care delivery and can articulate the needs of patients, families, and nurses to HIT professionals.’

Every single day ……., I draw on my experience as an RN. As a practicing nurse, the resources I needed were provided by technology companies. As the CEO of a technology company, the resources I need are provided by clinicians—their knowledge and expertise is essential to me and my team doing our jobs as effectively as possible.

I believe so strongly that technology in the healthcare space (including EHR) is just getting started. It has the enormous capacity to not only help practitioners by making their lives easier but help them help patients as well. And that’s the ultimate goal here, isn’t it? Helping patients!”


Very well said, Debb.  I think it is clear that we all need to “elbow our way to the table” and get involved.  Sure, EHRs can be frustrating at times, but not as frustrating as returning to an archaic written record. I don’t think anyone can deny that EHRs increase the quality of patient care and the efficiency of the staff. However, we can even make these systems better by providing input into their selection and implementation. Next month, we will look at what we can do to help select the right EHR and how to make sure the system is implemented in a way that meets our needs and those of our patients.

TCS Healthcare Technologies Names Matt Fahner new VP of Engineering

AUBURN, Calif., Sept. 4, 2019 /PRNewswire/ — TCS Healthcare Technologies (TCS), a leading provider of population health and managed care software, is pleased to announce that Matt Fahner has been appointed Vice President of Engineering. In this new role, Mr. Fahner will oversee the development of all TCS products.

According to Debb Keller, CEO of TCS, “Matt is absolutely the right person to continue to move our product offerings forward.  Matt consistently strives to understand what our clients need, what works for them, and what doesn’t.  He has a true passion to deliver products that far exceed the original goal.  That passion to ‘get it right’ is reflected across his entire team.  Matt truly has a ‘servant spirit’ which is the foundation of the culture at TCS.”

On the topic of product development, Fahner notes, “I always want to understand the user experience and find ways to make it better. I want to provide solutions that aren’t just better ‘for now,’ but are actually designed for growth and changing business needs.” This is an area that Fahner has come to understand well due to his long tenure with TCS. He notes, “While some of the foundational needs of our clients have not changed a lot since 2008, a lot has changed for them. They need more data integration, they need more flexibility, more analytics, and more workflow efficiency than ever before. Building products that can meet these needs and evolve without losing data integrity or relying on expensive and cumbersome customizations is our main focus.”

Keller notes, “Under Matt’s leadership, TCS released our latest platform last fall, ACUITYnxt, to an overwhelmingly positive market response.  The wonderful feedback we are continuously getting is a direct result of Matt and his team’s efforts to go above and beyond.”

To learn more about TCS and its suite of software products, visit our website or contact Marissa Lish at

How to Recognize a Phishing Attack

Pat Stricker, RN

Last month’s article, Healthcare Data Breaches: Their Frequency, Impact, and Cost, discussed the overall impact that cybersecurity breaches are having on healthcare. Healthcare continues to lead all industries in the number of breaches with 27% and has the highest cost for data breaches at $408/record, nearly three times the cross-industry average of $148. While the number of data breaches in healthcare remained relatively the same between 2017 and 2018 (359 and 351), the number of healthcare records exposed increased at an alarming rate of over 250% (5,138,179 to 13,020,821). This shows that hackers are getting bolder. They realize each healthcare record is worth $50 on the black market, much more than Social Security and birth date records ($3) or credit card information ($1.50). That is because healthcare records contain personal, financial, and medical data that can be used for Medicare fraud – the most profitable type of identity theft.


Studies also show that healthcare employees are seven times more often responsible than employees of other industries for causing breaches due to human errors and/or careless actions such as: inappropriate conversations; misuse or careless handling of mail, emails, and other hard copy documents; leaving computer screens or hard copy records unattended and visible to others; and sharing passwords or not logging off a computer when not in use.


However, the biggest threat posed by employees is the unintentional, careless clicking on links or documents in “phishing” emails, which can allow hackers to steal the login information, giving them access to email or cloud accounts that contain patient data. These are usually innocent, unknowing acts by the employees, but they are very consequential to the organization. The links or documents in the phishing emails can expose PHI or embed malware within the computer system or network, resulting in serious network problems or system stoppages. This obviously causes significant issues and costs for the healthcare organization and financial gain for the hackers.


This is exactly what happened in the largest healthcare data breach in 2018. A health system’s email system exposed 1.4 million records when hackers sent emails to employees from a fake account that appeared to be coming from an executive within the organization. The email asked the users to disclose their email credentials. Once the employees clicked on the link or the attached document, the hackers gained access to internal email accounts and then to patients’ records. This phishing attack was not uncommon. The 2018 Verizon Data Breach report confirmed that phishing attacks are increasing, accounting for 43% of all data breaches. Other research found that over 90% of data breaches are the result of phishing emails and an average of 16 malicious email messages are sent to every email user every month.


That is scary!  That means we have at least 16 chances each month of clicking on a phishing email and creating a data breach or a ransomware attack causing a possible system outage of the entire computer network at our organization. How would you like to be the person responsible for causing the data breach and costing the organization millions of dollars in fines or paying a ransom to get the system up and running again?  Some employees have even been terminated due to this type of error, if it was done against normal company policies. I’m sure none of us would want to be in that situation, so we have to educate ourselves to be aware of possible phishing schemes and know how to avoid them. Let’s start by defining some key concepts.


Phishing is a scam aimed at getting an online user to reveal personal or confidential information for the purpose of identity theft. There are three types of attacks: 

  • Phishing – a general email that is sent as spam or as an email addressed to a large, non-specific group of users. The goal is to get users to open embedded links or attached files that, when clicked on, allow the hackers access to the user’s system. Once in the organization’s system, hackers can delve deeper to obtain personal information, credentials, logins, passwords, and other data.
  • Spear phishing – a more sophisticated and elaborate targeted phishing attack that focuses on a specific company or individual and combines tactics like personalizing or impersonating users so the spear phishing email is extremely believable and compelling. The goals are to bypass or evade email filters and antivirus software and gain access to a system in order to introduce malware and other attacks. This type of approach was used in the large breach described above.
  • Whaling – a specific attack that targets specific members of an organization’s upper management team by name. The goal is to obtain confidential company information by using a webpage or email that appears to be legitimate (corporate logo, color scheme, address, brand identity). It is usually presented as an urgent matter that needs attention, such as an internal corporate issue, a new or updated policy, significant complaint, or legal issue.


A phishing scam typically starts with a legitimate-appearing email from a person, company, or website asking the user to update personal information, such as a password, credit card, social security number, or bank account number. The message looks authentic and comes from organizations a user may have accounts with. It also may include legitimate-looking company logos and formats that the company uses. In fact, it usually looks so authentic that recipients respond to about 20% of them. The 2015 HIMSS Cybersecurity Survey of 300 health information professionals indicated that phishing attacks were their biggest future security fear and the “#1 thing that keeps Chief Information Security Officers up at night”. The 2019 HIMSS Cybersecurity Survey of 166 health information security professionals still found phishing to be a major concern, especially for those healthcare systems that are not conducting adequate phishing tests. One reason this is so worrisome is that the threat is directed at all levels of employees in an organization and it is relatively easy to get someone to unknowingly click on a link or document. It is not something Information Systems can control with tools and countermeasures.


Phishing attacks often introduce ransomware into computer systems by sending emails from legitimate-looking banks or credit card companies requesting the recipient to “update” their personal information (birthdate, social security number, passwords, etc.). When the attachment or link is clicked, malware is introduced into the system, which can spread from one system to another. Ransomware can also be introduced, encrypting documents, music, pictures, and other files and making them inaccessible. The organization can be held hostage until they pay a ransom to unlock the files. If the ransom is not paid within a defined time, the ransom is increased. Organizations that have routine back-ups of their system can eliminate having to pay the ransom and restore their system, but it still results in system downtime and a lot of time and effort to get the system operational again. Organizations that do not have system back-ups have to pay the ransom or risk losing all their data.


Systems that are using older versions of software that are not receiving automated cybersecurity updates are very susceptible to phishing attacks. We cannot get lulled into thinking that the security programs on our system or our Information Technology (IT) department will handle all these threats. While some employees are specifically targeted because of their position or because of the types of information they have access to, all individuals and companies should assume they are or could be targets of phishing attacks. All it takes is for one person to click on a link that contains the malware. And I’m sure you don’t want to be “that person” who takes down the entire system!


Tips for Preventing Phishing Attacks

To make sure you are not a victim of a phishing attack, let’s review some things you can do to prevent getting “hooked”.  These two articles, 8 Ways to Prevent “Phishing Scams” and 10 Tips to Prevent Phishing Attacks, provide the following useful suggestions to help guard against phishing.

  • Learn to recognize potential phishing emails, such as those that:
    • Are sent as a general email without your name included.
    • Come from senders unknown to you.
    • Ask you to confirm or update personal information.
    • Make a request for information look like it is an urgent matter.
    • Threaten you with worrisome consequences, if you do not respond.
    • Look authentic – images in email look like or are similar to a known company.
    • Threaten to terminate your account or offer free gifts or promotional items.
  • Be sure to communicate personal information only via phone or secure websites:
    • Do not give personal, financial, or login information to someone who calls or emails you requesting it. A legitimate organization will not ask for this information in this manner. Look up the number of the company or organization and call them directly or go to their secure website to provide such information.
    • For email transactions, make sure the website is secure before giving any information.
      • Look for “https” in the address bar. The “s” means it’s secure.
      • Look for a padlock in front of the browser address and a “green address bar”, indicating the site has applied for an SSL certificate, is the legitimate owner of the website, and encrypts information to and from the site.
      • Even if the browser address has a padlock or a green address bar, you cannot be guaranteed that it is totally safe, since “phishers” are applying for certificates in names of companies with mis-spellings that are very similar to real websites, e.g. “” instead of “” or “” instead of “”. So check the website name carefully.
      • If you are still unsure about the site’s validity, double-click the padlock icon to see the security certificate. In the “Issued To” field in the pop-up window, you should see a name matching the site you think you are on. If the name differs, you are probably on an unsafe site.
    • If your browser gives you a message about an “untrusted security certificate” for a website, do not proceed to the website, as it is not trustworthy.
  • Do not download files or open attachments in emails from unknown senders. Even if emails are from known senders, be certain you know the files or attachments are trustworthy before downloading or opening them.
    • Files or attachments can contain malware that could infect your computer.
    • Be careful of links that offer bargain, low cost products. They could lead to webpages that can gain access to your credit card information.
  • Beware of embedded links in emails that ask you to update your personal information or password, even if the email appears to come from someone you know. Phishing emails, in addition to looking legitimate by using company logos, etc., also try to look like a security-conscious organization by notifying you that your account was compromised and asking you to be proactive and re-register or change your password. They may even provide a hyperlink to make it “quick and convenient” for you. However, when you click on the link and enter your information, it will steal your data. To prevent being “caught”:
    • Hover over the hyperlink to determine the address of the hyperlink. You should be able to tell if it is the official website address or a copy-cat. Example: instead of
    • Always enter the company website address yourself or look up the company phone number and call to see if they are requesting the information. Legitimate businesses usually do not request personal information by email.
    • Never enter personal information through links provided in an email. Only login and enter personal information once you are sure you are on the official site.
  • Beware of pop-ups and follow these tips:
    • Never enter personal information in a pop-up screen. Legitimate organizations do not ask you to submit information that way.
    • Do not click on links in a pop-up screen.
    • Do not copy web addresses from pop-ups into your browser.
    • Enable pop-up blockers.
  • Use anti-spyware, firewalls, spam filters, and anti-virus software.
    • Anti-spyware and firewalls prevent phishing attacks from gathering data from your computer, e.g. webpages containing personal information, like credit cards.
    • Spam filters identify files that could contain unsolicited commercial email (UCE). Spam is identified based on the content, inaccurate header information, blacklisted files, known spammers or specific senders, or specific wording in the subject line or body of the email.
    • Antivirus software scans every file which comes through the Internet to your computer to prevent viruses from deleting files or directory information.
    • Update the programs regularly to assure they are able to block new viruses and spyware.
  • Consider setting up a free virtual private network (VPN) instead of using free, open, unsecured Wi-Fi networks that can be easily compromised. A Consumer Trust Survey found that 43% of the respondents use free, untrustworthy Wi-Fi networks.
  • Password protect all your devices. 61% of the survey’s respondents indicated their tablets were not password protected. Many smartphones are also vulnerable, because they do not have strong, up-to-date anti-virus and malware protection and the operating systems are not routinely updated. Unfortunately many phones are not password protected either, because users say it takes too long to access the content. The use of thumbprints and facial recognition has helped to gain quicker access and make phones safer, but it is essential to have all devices password protected. Isn’t it better to take a little longer to log in than to allow devices to be unprotected and the target of phishing schemes?
  • Be sure to use unique, strong passwords for all your websites. One-third of the respondents said they only use one or two passwords for all their websites. This is dangerous!
    • See hints for developing strong passwords in this previous newsletter article, Cybersecurity for Case Managers: Responsibilities of Individual CMs

  • Be sure your operating system and browser are updated to the latest version that addresses the most current online risks.
  • Whenever possible, do not allow websites to keep your payment information on file.
  • Do not share too much information on social media, such as birthdays, anniversaries, children’s names, what you like, what you are doing at work, when you are going on vacation, etc.  All of this can be used to create very targeted and believable phishing attacks.
  • Do not connect and share information with people you don’t know.
  • Do not use your own personal email while at work or while on your organization’s network. Your Internet Service Provider and computer system may not be as well protected as that of your organization and could be more easily compromised.
  • Do not click on ads, as they often contain malware or direct you to a phishing website. If you want to learn more about a product, directly enter the website or product name in the browser address.
  • Go to the Anti-Phishing Working Group for a list of current phishing attacks, helpful resources, and the latest news in the fight to prevent phishing.
  • If you think you have been the victim of a phishing attack, be sure to report it right away to your organization, so it can be dealt with as soon as possible.
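Several of the warning signs in the list above can also be checked automatically by a mail filter or a training tool. The following Python sketch is an added example, not part of the original article: it scans one message for a generic greeting, urgent or threatening wording, a request to confirm personal information, an unknown sender, link text that shows one site while pointing to another (the "hover" check), and a link domain that is a near-miss spelling of a trusted one. The domain names, phrase lists, 0.85 similarity threshold, and both sample messages are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed for illustration: the trusted domain and the phrase lists are made up.
TRUSTED_DOMAINS = {"northclinic.example"}
TEXT_CHECKS = {
    "generic-greeting": re.compile(r"\bdear (customer|user|member|employee)\b", re.I),
    "urgency-or-threat": re.compile(r"\b(urgent|immediately|within 24 hours|suspended|terminated?)\b", re.I),
    "asks-for-personal-info": re.compile(
        r"\b(confirm|update|verify|re-register)\b.{0,40}"
        r"\b(password|account|credentials|personal information)\b", re.I | re.S),
}
DOMAIN_LIKE = re.compile(r"(https?://)?([a-z0-9-]+\.)+[a-z]{2,}(/\S*)?", re.I)

# Constructed sample messages (not real traffic).
PHISH_SAMPLE = """\
From: "IT Security" <security@northcl1nic.example>
Subject: URGENT: your mailbox will be suspended
Content-Type: text/html; charset="utf-8"

<p>Dear user,</p>
<p>Your account will be terminated within 24 hours unless you confirm your password.</p>
<p><a href="http://portal.northcl1nic.example/login">https://portal.northclinic.example/login</a></p>
"""
BENIGN_SAMPLE = """\
From: "Dana Lee" <dana.lee@northclinic.example>
Subject: Quarterly training schedule
Content-Type: text/html; charset="utf-8"

<p>Hi Sam,</p>
<p>The schedule is posted on <a href="https://portal.northclinic.example/training">the staff portal</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for each <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def base_domain(url_or_host):
    """Last two labels of the hostname (a simplification: no public-suffix list)."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    host = (urlparse(url_or_host).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def body_of(msg):
    """Concatenate all text/* parts of a parsed message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def phishing_indicators(raw_email, known_senders=frozenset()):
    """Return a list of indicator strings found in one raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    body = body_of(msg)
    text = msg.get("Subject", "") + "\n" + re.sub(r"<[^>]+>", " ", body)
    findings = [name for name, rx in TEXT_CHECKS.items() if rx.search(text)]
    if parseaddr(msg.get("From", ""))[1].lower() not in known_senders:
        findings.append("unknown-sender")
    collector = LinkCollector()
    collector.feed(body)
    for href, shown in collector.links:
        target = base_domain(href)
        # The "hover" check: visible text names one site, the href another.
        if DOMAIN_LIKE.fullmatch(shown) and base_domain(shown) != target:
            findings.append(f"link-text-mismatch:{base_domain(shown)}->{target}")
        # Near-miss spelling of a domain we trust.
        if target not in TRUSTED_DOMAINS and any(
                SequenceMatcher(None, target, good).ratio() >= 0.85
                for good in TRUSTED_DOMAINS):
            findings.append("lookalike-domain:" + target)
    return findings
```

A message with no findings is not proven safe; the checks only surface the indicators listed above so that a person can look more closely before clicking.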


The weakest link in any security system is the human element and that’s particularly true when it comes to phishing attacks. Employees are the biggest threat, since they are the ones who initiate the action that allows the phishing attack to occur.  In addition, hackers have become more creative in manipulating and influencing people, which allows them to gain access to computer systems and obtain sensitive information.


Staff Education, Testing, and Monitoring

The most important aspect in preventing phishing attacks is education. Management staff is responsible for making sure all staff members are routinely provided with phishing training and continuously tested and monitored to assure they can recognize the threats and know how to avoid them. Phishing training sessions are recommended at least every quarter to condition employees to look for and report phishing emails. This type of training and monitoring can reduce the percentage of successful phishing attacks. Some companies also include monthly “phishing tests” in which test emails are sent to all employees to see if they are able to identify and handle them appropriately. Those who get “caught” are reminded and given additional education. Companies that encourage employees to report potential phishing threats rather than reprimand them for failing phishing tests tend to have greater success in curtailing threats.


The following are resources that include free phishing and cybersecurity quizzes, tests, tools, resources, and staff training programs that can be used by individual case managers to test their knowledge and awareness and by the management and IT staff to assess the organization’s level of potential threats, develop training and testing programs, and track program results. I hope you will find these useful.

Phishing Quizzes, Tests, and Tools

  • Phishing Field Guide from Barkly. Good information for managers about how to recognize, avoid, and stop phishing attacks. The Appendix includes: free phishing tests, anti-spam and email filtering tools, examples of real-life phishing emails to use to test yourself or your employees.
  • Top 9 (Free) Phishing Simulators from Infosec. Phishing Training Programs designed to provide educational awareness, resources, and tools that allow you to create and run your own phishing program.
  • Find Out What Percentage of Employees are “Phish-prone” from KnowBe4. Access to a free phishing security test for up to 100 employees.
  • The Phishing Quiz tests your phishing knowledge to determine how skilled you are at detecting malicious phishing attempts.
  • Phishing Your Employees 101 is a simple, open source toolkit and education program designed to help organizations quickly and easily set up phishing websites and lures that can be used to test their employees’ phishing awareness.
  • GoPhish. A free, open source, user-interface tool for IT departments to use to develop their own phishing training, testing, and results tracking.
  • State of Phishing Defense 2018 Report from Cofense outlines the top 10 phishing threats, with metrics on susceptibility and resiliency rates; shows why users respond to certain phishes and can be used to develop awareness training and phishing simulations.
  • The Open DNS Phishing Quiz tests employees to see if they can delineate between legitimate and phishing websites.  

Cybersecurity Quizzes, Tests, and Tools

There’s no question that phishing poses a significant danger to healthcare organizations, as it is the preferred method for hackers to gain access to systems in order to capture PHI and/or deploy ransomware for their financial gain. In addition, all system users are potentially able to fall victim to a phishing attack and introduce malware into the system, so that is a daunting challenge for the IT department, who have little control over how email and the internet are used by all employees.

As case managers, we must realize that cybersecurity is not just an IT function. Sure, the IT team does everything it can at a corporate level to develop a secure infrastructure and implement security safeguards. While IT may be responsible for managing the overall cybersecurity of an organization, adopting security best practices, and deploying appropriate technology to lessen the chances that a phishing attack will succeed, each of us has an individual responsibility to be aware of what our roles are in assuring safe security practices. We need to be aware of our vulnerabilities and what we must do to assure the integrity of our computer systems. We need to be “stewards of security”, empowered and accountable to create a culture that raises awareness and reduces security incidents.


Remember, anyone can be targeted almost anywhere online, so you need to keep an eye out for “phishy” schemes. I’m sure you don’t want to be the one responsible for allowing malware, a virus, or spyware to gain access to your organization’s computer system, or worse yet, the one responsible for a devastating and costly data breach resulting from a phishing attack you fell for.

Watch out for the “phish”!

NOTE: For more information about what each of us can do, refer to this previous newsletter article “Cybersecurity for Case Managers: Responsibilities of Individual CMs”.

TCS Healthcare Technologies Releases ACUITYnxt 1.5

The latest SaaS-based case management software releases a new module to support time-tracking, billing and invoicing

AUBURN, Calif., July 3, 2019 — TCS Healthcare Technologies is excited to release ACUITYnxt 1.5, the latest version of the most intuitive case management software in the industry. ACUITYnxt is a secure cloud-based case management software application that fully supports the case management process.

“Many of today’s case managers are contractors and business owners themselves so time-tracking, capturing billable items, and invoicing are critical features for them,” said Deborah Keller, RN, BSN, Chief Executive Officer for TCS.

Keller notes, “ACUITYnxt now fully supports these needs.  Our work logs are designed to support simple time-tracking workflows as well as workflows requiring granular billing documentation for time, units of service, specific medical codes, and user-defined items such as mileage as well.  While work logs can be created manually, ACUITYnxt can automatically prompt users with a new work log after saving changes to specific modules or record types.”

In addition to the new time tracking features, ACUITYnxt 1.5 includes several new reports to support invoicing and care plan coordination.

“We have also enhanced a feature unique to ACUITYnxt, drag and drop Screen Templates.   Screen Templates allows for customized layouts for key modules without expensive software coding.  This feature has been expanded to the Work Log module,” adds Keller.  “TCS Healthcare continues to push out new ACUITYnxt functionality in alignment with a very robust road map.  Our entire team is excited about our next release this fall which will include population health stratification and workflow automation.  Authorization management including grievances and appeals management is very soon to follow.”

To request an ACUITYnxt demo, email us at

About TCS Healthcare Technologies:

TCS Healthcare Technologies (TCS) is a leading provider of software and clinical solutions that support and improve medical management operations for health plans, TPAs, ACOs and other case management organizations.  TCS’ team of US-based clinicians and developers are recognized for their best-in-class managed care expertise and customer support throughout the industry.

Healthcare Data Breaches and Their Frequency, Impact, and Cost

Pat Stricker, RN

History and Statistics of Data Breaches

There has been a lot of news lately about data breaches in political organizations, national security agencies, businesses, financial institutions, social networks, and healthcare companies. With each breach, confidential data (personal, financial, medical, intellectual property, or trade secrets) is stolen, viewed, or used by unauthorized individuals. While this had been a problem when records were paper-based, the number of records stolen or exposed was smaller. Once the data became digitalized in the late 1980s and early 1990s, it became a much bigger issue, since large numbers of records could be compromised more easily.


In 2012, the Computer Science Corporation predicted that by 2020 data production would be 44 times what it was in 2009 (a 4,300% increase). They also predicted that one-third of all data would live in or be passed through the cloud. Well, it’s only 2019 and we may have already exceeded that prediction with the amount of data that is generated each day. 90% of the data was generated between 2013 and 2015 alone. That means that the other 10% was generated since the beginning of time. That is unbelievable! How is that possible? How will we ever be able to handle this exponential increase in the volume of data in the coming years?


By the early 2000s data management and privacy had become a big enough issue that laws and regulations were enacted to create guidelines for the handling, storage, and protection of sensitive data. Examples of these include HIPAA for healthcare and PCI for payment card financial data. Most databases that track breaches cover the years from 2005 onward, since that was the time data started to grow exponentially, allowing hackers more opportunity to steal massive amounts of data in a single breach. In 2005 alone, 136 data breaches compromised 55,101,241 records according to the Privacy Rights Clearinghouse (PRC), a non-profit organization committed to protecting privacy for all by educating and empowering individuals and advocating for positive change.


PRC provides a database that tracks data breaches reported in the United States by government agencies or verifiable media sources. This searchable database is available for everyone to use for research purposes and is sortable by type of breach and/or organization and by year. The data can also be downloaded as a CSV file. PRC’s data shows that there have been 8,804 reported breaches in the U.S. since 2005, exposing over 11 billion (11,575,804,706) records. Reporting to the Clearinghouse is voluntary, so it does not capture all breaches. Therefore it is not a comprehensive compilation of breach data, so the actual number of breaches and total records affected is obviously higher.


Statista, another company that reports data breaches, reports that the number of cyber-attacks continues to rise. In 2005 they found that 157 breaches exposed 66.9 million records, while in 2014 the numbers had risen to 783 breaches exposing at least 85.6 million records, a nearly 500% increase in the number of breaches in just 9 years. And in 2012, three years later, the number of breaches nearly doubled to 1,579. From 2013 to 2015, 90% of healthcare organizations had at least one data breach.


The statistics vary by company depending on the type of data it collects, but the consistent element is that even though there has been an immense amount of time and effort spent on trying to protect the data, the number and size of breaches continues to rise, as shown in this graph:

Annual number of data breaches and exposed records in the United States from 2005 to 2018 (in millions)


The Statista numbers above are only for the United States. The Gemalto Breach Level Index reports worldwide data showing there have been more than 14 billion records (14,717,618,286) lost or stolen since 2013, when the digital security company started collecting data. That means:

Records are Lost or Stolen at the Following Frequency:


The Breach Level Index website also has other valuable statistics such as industry breach details, a map view of where the breaches occur, a breach risk calculator, and other privacy information. Those are staggering numbers and unfortunately only 4% of the breaches were “secure”, meaning the data was encrypted and therefore useless. The other 96% contained data that was not encrypted, so the data was able to be viewed and used by the hackers.

A recent 2018 Ponemon Report found that data breaches in the U.S. cost an organization an average of $7.91 million, which is an average of $148/record. The costs include investigation, notification, and remediation. There is also a cost due to the loss of reputation if the data breach is large or could/should have been avoided.


The annual Verizon Data Breach Investigations Report (DBIR) is a respected, detailed, statistical report that includes data from 86 countries and input from 73 data sources. Working closely with the Secret Service’s Cyber Division the team analyzes the available data to determine the threat landscape, identify the ever-changing threats, and recommend actionable techniques, tools, procedures, strategies, and best practices to prevent breaches and mitigate risks. The entire 2019 Data Breach Investigations Report and Executive Summary contain a great deal of detailed information for those who need it.

No company or organization is immune to a data breach. All companies possessing sensitive data are under a constant threat. The most likely targets for breaches are government, financial, and healthcare industries. The rankings change from time to time, but according to the DBIR the accommodation and retail industries round out the top five most threatened industries, and the social media industry has become more threatened in the last few years. For purposes of this article, we are only going to discuss the healthcare industry in detail.


Data Breaches in Healthcare

Breaches within medical organizations accounted for about 26% of all breaches in 2016 and almost one in four Americans have had their medical information compromised. Financial gain is the main motivator for hackers because healthcare records are highly valued for their personal, financial, and medical data. This type of information is worth roughly 50 times more than credit card or Social Security data, since it can be used for Medicare fraud – the most profitable type of identity theft. In fact, the co-author of the 2014 Data Breach Investigation Report stated that some employees found jobs in healthcare for the sole purpose of stealing patient information to commit identity theft or tax fraud. Because the data is so valuable, hackers can not only use the records themselves but also easily sell them to others.


Breaches also have a significant impact on patients, making them mistrust the system and withhold information: 61% resulted in exposure of personal information and embarrassment; 56% resulted in financial identity theft; and 45% resulted in medical identity theft.


Healthcare employees are responsible seven times more often than employees of other industries for breaches caused by human errors (33.5%) and/or careless actions such as:

  • Inappropriate conversations
  • Misuse or carelessness in handling emails, mail, and other hard copy documents
  • Leaving computer screens or hard copy records unattended and visible to others
  • Sharing passwords with others or not logging off a computer when not in use


One of the biggest threats posed by employees is the unintentional, careless clicking on links or documents in “phishing” emails, which can allow hackers to steal the login information to access email or cloud accounts to get patient data. The links or documents can also plant malware within the computer system or network, which can lead to more serious network problems or system stoppages. These are usually innocent acts, but very consequential to the organization. Employees have been terminated due to this type of error, if it was done against normal company policies. We will discuss “phishing” and how to be aware of the dangers in more detail next month.


Insider threats are also a bigger issue for healthcare organizations than for other industries. 56% of healthcare threats come from inside the organization and are caused by the ability to gain access to records that are not necessary for business use or patient care or by credential theft. However, there are user-based risk mitigation tools available that will detect if an employee connects to an unauthorized device or uses suspicious software and immediately notify the security officer. After the incident, these tools allow the employee’s actions to be analyzed, and records can be exported to a protected file for further investigation.


A Data Breach Investigations Report analyzed more than 1,300 data breaches involving 20 industries and found that the Top 3 Security Threats to the Healthcare Industry were:

  • Insider misuse by employees or trusted third parties who intentionally or unintentionally stole data or damaged a system. Employers consider employee negligence their biggest security risk. Based on the 2018 Ponemon Benchmark Study on the “Cost of Insider Threats”, incidents involving a negligent employee cost the company an average of $283,281, while the cost is usually double that if it involves a thief who steals credentials. However, the company also shares the responsibility because they should be auditing to identify who is inappropriately accessing patient data.
  • Unintentional actions that directly compromised patient information were found to be the cause of 12% of the security incidents. Examples included: inserting one patient’s information into another patient’s record or envelope; provider websites that allow patients’ information to be available to the public; and decommissioning computers or medical devices without properly removing patient information (“rendering PHI unusable, unreadable, or indecipherable”).
  • Healthcare was the only industry that had theft and loss as a major cause of security incidents. Theft and loss of laptops and other equipment accounted for 46% of the security incidents. The high percentage was attributed to the fact that encryption was not being done. If lost or stolen devices had been encrypted, they would not have had to report the incident as a breach, because the data would have been considered “secure”.


The most drastic breach of healthcare data was the Anthem medical data breach in 2015 that affected 78.8 million people – more than the whole population of Germany. Not only was the number of affected records extremely high, but the data exposed contained very detailed, sensitive personal information: names, contact information, social security numbers, email addresses, home addresses, and income information. As a result, Anthem was fined a total of $115 million.


The HIPAA Journal reported that between 2009 and 2018 there were 2,546 healthcare data breaches that involved more than 500 records, resulting in the exposure of 189 million (189,945,874) records. That is equal to about 59% of the U.S. population.


Data Breach Defense and Prevention Resources

So what can we do to prevent a data breach or to mitigate our risk? Data breach defense and prevention resources have increased drastically over the past few years because of the ever-increasing number of security threats. These solutions offer a proactive approach to security to help ensure the safety of sensitive information. The following resources are offered to allow a more detailed review of breach prevention.

  • Data Breach Today — a multimedia news resource on the latest data breaches, their impact, and strategies for prevention
  • Data Breach Watch – a resource reporting data breaches, news, and trends impacting consumers and companies
  • The Global Privacy & Security Compliance Law Blog – a resource that explains stringent and ever-changing security regulations and compliance requirements
  • The New York Times article – discusses strategies for minimizing the risk of a data breach. One suggestion is to eliminate unnecessary storage of data. Keeping lots of sensitive information may be more risky for the customer and company than not keeping the data. Target’s storage of their customers’ four-digit personal identification numbers or PINs for the debit cards is a good example of data that was not necessary.
  • Data Breach Industry Forecast for 2018 – The 5th annual Experian report that provides an overview of data breach trends and the need for a data breach response plan.
  • Resources from Digital Guardian — cover data breach topics and provide insight into preventing and responding to breaches.

While the Information Technology team may be responsible for managing the overall cybersecurity of an organization, each of us has an individual responsibility to be aware of cybersecurity, how it impacts healthcare and the privacy of our patients, and what procedures we need to follow to assure safe security practices. While nurses may not have an in-depth understanding of the intricacies of cybersecurity, it is important for us to understand the evolving role of cybersecurity in healthcare today and how that affects our role. Threats are becoming more sophisticated while organizations struggle to prioritize and implement more effective security requirements. Unfortunately, the threats usually evolve more quickly than the security measures, so organizations are striving to assure that their measures are dynamic, up-to-date, and include commonly accepted practices.


Over the last 20 years, as computer systems and the internet have become an ever-increasing integrated part of healthcare, the need for protecting patient information has become much more complex. It used to be rather easy, since records and reports were in hard copies and contained in the patient’s chart, which was in a protected area in the physician’s office, hospital, or healthcare facility, and only accessible by a limited number of people. Things are very different now. The number of people who have access to patient information is much larger. The information can be sent to multiple people by email, fax, or text and it can be accessed by multiple people from computers, laptops, mobile devices, and smartphones. It can also be stored in numerous places, such as laptops, mobile devices, network drives, CDs, DVDs, thumb drives, and smartphones. While we do have security procedures to try to limit access to only those who have a need to know, ensuring the privacy of patient information is a huge challenge.


Given these widespread incidents of cyberattacks, the cost of breaches, the business disruption, and the effect on patients, what can we do to stop them? While there is no way to totally stop cyberattacks, the risk of cyberattacks can be significantly reduced if organizations: are diligent about continually reassessing their HIPAA compliant infrastructure; implement HIPAA compliant guidelines and best practices; and continually educate (and monitor) employees regarding their role in cybersecurity.


Healthcare organizations have a challenging uphill battle to modernize systems and reduce risks, but it can be done. We have had almost 15 years of data breach research, which has increased our knowledge of the causes, how to identify potential problems, and what needs to be done to reduce or avert risks. Organizations need to assure that IT teams are provided with dedicated staff that has the resources, time, and money to develop, maintain, monitor, and enforce stringent cybersecurity policies and practices. Employee education is also a critical aspect of reducing risk. Continuous education of all system users needs to be done, so they are aware of their responsibilities in maintaining cybersecurity.

Now that we have looked at the causes and impact of cybersecurity, next month’s article will focus on specific, practical things we, as nurses, can do to help improve cybersecurity and assure we are not the individual responsible for a devastating and costly data breach.