Monthly Archives: January 2015

Are You Ready for an EHR Audit?

With the many advantages of electronic health records (EHRs), there are disadvantages, including the potential for misuse and fraud. To guard against this potential, the U.S. Office of the Inspector General (OIG) is stepping up its audit efforts for healthcare providers’ EHRs. Proactive providers should follow some commonsense practices to be ready if an EHR audit occurs.

OIG has requested a budget of $400 million for fiscal year 2015—a large increase over the previous year—and almost 300 more staff to carry the increased workload of auditing EHRs. In addition, they intend to use forensic data analysis methods to identify questionable activities in providers’ EHR systems. They are seeking evidence that federal EHR incentive payments were improperly claimed.

Preparation for an EHR audit should not differ from preparing for any other audit, whether from the Food and Drug Administration, an ISO certification provider or a financial auditor. By way of review, here are things providers should think about to ensure readiness for an EHR audit.

Audit Readiness Checklist

Audit preparedness is a matter of documenting what you do, and doing what you document. This starts with your standard operating procedures (SOPs).

  • What is the state of your EHR-related SOPs? Are they up to date?
  • Have EHRs been reviewed within the required time frame (consider period for time frame) and approved by management?
  • Have all required personnel been trained on SOPs?
  • Where are the training records?

An EHR system is an IT system, and fraud prevention starts with proper IT security.

  • What are your policies for controlling access to the EHR system?
  • Where are the records that show these policies are being followed?
  • Do all personnel have levels of access for their job functions?
  • Are the user accounts of former employees disabled in a timely manner?
  • Are your computers, servers and firewalls properly configured, and do they have the latest security updates?
  • Where are the records for these updates?

Another part of a successful audit lies in making sure your personnel are ready.

  • Do you have an audit response team?
  • Do they know their roles and responsibilities?
  • Do you have a room where the auditors can work?
  • Have all personnel been trained on how to interact with the auditors?

Finally, OIG will look for patterns in the EHR data that might indicate fraudulent activity or misrepresentation. A healthcare provider that has claimed EHR incentive payments had better have the records to back up these claims.

The time to assess your audit readiness is now—not when the auditors come knocking on your door. With an honest assessment, you can try to ensure you are ready for an EHR audit.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.

Law Firm Mergers: Don’t Forget the Tech

Law firm mergers often leave technology considerations as an afterthought. Doing so, however, can cause problems that prevent a smooth transition to effective operation as the new entity. Law firm CIOs should insist on being brought into the merger process early to map out the go-forward strategy for both hardware and software systems.

In corporate mergers, evaluation of each party’s technology portfolio is an important part of the due diligence process. In law firm mergers though, technology takes a back seat to questions such as each party’s respective specialties, corporate cultures, and client bases. Given the extent to which law firms depend on their technology systems, leaving IT out of the merger discussion is a recipe for a rocky start to life as a single entity. Here are some technological aspects that deserve more attention in law firm merger talks, and reasons CIOs should come to the merger table early and insist on having the resources to get the IT merger job done right:

Honest Evaluation of Assets

Each party in a merger brings valuable hardware and software assets to the table, so careful thought should be given as to which ones to keep. This should not be a matter of the acquiring firm’s technology being forced on the acquired firm’s users. Often, the acquired firm has systems that make more sense for the combined entity going forward, or that have features tailored for the acquired firm’s specialties. Once the decision has been made for each system, it’s important to map out the strategy for migrating to the go-forward system. It may not be possible to have all the migrations complete by “Day One,” so decisions must be made as to what needs to be ready right away and what can wait.

Planning for Day One

Certain items must be ready for Day One, such as domain name registrations, networking, email systems and phone systems. Especially with network circuits, long lead times (90 days or more) may be needed to get them in place and properly configured so all sites are on the same network. If the merger is a secret, it may be necessary to use surreptitious means to acquire domain names and perform other tasks.

In addition, it’s important to communicate early and often across the entire combined organization regarding IT changes. This applies not only to hardware and software systems, but to the structure of the IT organization. Doing so means there are no surprises and that all of the stakeholders will feel included in the combined entity.

Realistic Assessment of Costs

Two aspects of cost need to be weighed in a merger: the costs of the IT merger activities, and the long-term cost savings from consolidating systems. Both must be assessed and factored into the overall costs of the merger. Some IT costs are difficult to predict in advance, especially if software licenses must be purchased or upgraded or if key employees must be retained, but good-faith estimates must be made by the people who know best, namely the IT departments. Similarly, consolidation opportunities must be identified that maximize savings without sacrificing features and functionality.

By keeping these factors in mind, and with early involvement and proper planning, IT can pave the way to a smooth merger transition.

Written by Desh Urs

Desh Urs brings more than 20 years of entrepreneurial, start-up and Global 500 corporate experience in sales, marketing and general management to the customers of iBridge. He has led sales organizations as SVP at Qsent, Inc. and VP at Acxiom Corporation, and has focused on the usage of data in data distribution, direct marketing, fraud prevention, and law enforcement.

As a Vice President of Global Sales, Services, and Marketing at Silicon Graphics, Inc., Urs managed engineering and non-engineering functions, developing solutions in sciences, telecommunications, manufacturing, media, business, and defense intelligence, for companies with revenues of several billion dollars. During his tenure as Vice President at Think Tools AG and Brio Technology, Inc., he ran business development and alliances providing solutions in Business Intelligence and Decisions Cycle Management to Global 100 corporations worldwide. In the late 1980s, Urs founded Indus Systems, Inc., which he profitably sold to a systems integration company.

Urs serves on several Advisory Boards, as well as many company Boards, in the United States and India.

4 Ways an EDD Review Tool Helps with Email Discovery

Although electronic data discovery (EDD) review tools may seem pricey, the time and trouble they save are well worth the cost. This is true for many types of electronically stored information, but it is especially useful for reviewing emails and attachments, and can prevent users from compromising the data.

Here are four ways that EDD review tools pay for themselves in email review:

Prevention of Spoliation

When viewing emails using a native email program such as Microsoft Outlook, or a web-based client such as Gmail, it is usually difficult, if not impossible, to open an email without altering it. Usually the email program alters the metadata—the information about the email—such as the read/unread status, date and time accessed and so on. Worse, some emails may be configured to automatically send a “read receipt” to the sender, which is not ideal while you are conducting a review. Any alteration of the metadata can cause spoliation, which can make your case that much more difficult.

EDD review tools for email prevent the alteration of any of an email’s metadata. Because you copy the emails into the EDD review tool and review them there rather than in an email program, you can peruse them without fear of altering the metadata or automatically sending read receipts.

Indexing and Searching Attachments

Unlike most email programs, a good EDD review tool can automatically index the contents of email attachments, enabling full-text searches of not only the email messages, but also the attachments. EDD tools can also index file types that email programs have trouble reading, such as PDF files, and can open attached ZIP files and index the contents. All of this is done without compromising the files’ metadata or losing track of which file is related to which email.

No Malware

Email attachments can contain viruses and other types of malware. Opening them in an email program risks infecting your computer and other computers on your network. In an EDD review tool, however, malware attachments cannot be executed, so there is no risk of infection.

Document Tagging

Most email programs have no good way to “tag” or classify emails or attachments, other than by moving them into folders. Again, doing so risks spoliation because it alters metadata. Messages cannot be moved into more than one folder unless you make a copy, risking further spoliation.

A good EDD review tool will enable you to tag each email and attachment with many tags, either those tags supplied by the program or others that you create. The tags do not alter the messages’ metadata, and they enable each email or attachment to be assigned to multiple categories for later detailed examination.

Different EDD review tools have different features, capabilities and price points, so it is worthwhile to look at several to find the right fit. Considering the downsides to reviewing emails in native email programs, EDD tools are a worthwhile investment.

Written by Desh Urs

Law Firms and Data Security: A Perfect Storm of Vulnerability

Data breaches that make the headlines focus on major retailers, but smaller companies, such as law firms, are just as vulnerable, if not more so. Law firms gather sensitive data from their clients yet may not comprehend the liability to which they expose themselves. Law firms must become familiar with regulatory and common-sense practices for protecting the data they become custodians of while doing business.

At one time, attorney-client confidentiality could be assured with paper documents and a locked file cabinet. With the explosive growth of electronic documents and databases in commerce, however, law firms representing business clients in many legal matters now need to secure such information as well. This data includes sensitive financial and healthcare data—the kind that hackers love to get their hands on.

Because law firms habitually err on the side of gathering more data than needed to ensure that nothing important gets omitted—and because many law firms fall behind the curve for implementing robust data safeguards—a perfect storm of vulnerability is brewing in the legal industry. It’s time for law firms to examine their data security practices, identify weaknesses, and resolve them.

For any business unused to dealing with data security issues, the prospect of implementing a solid security system may be daunting, and there is an alphabet soup of standards, regulations, and laws (which may vary from one jurisdiction to another) that a firm may need to comply with.

However, the rules are simple: protect your clients’ data. From that common-sense base, a practical data security apparatus can be built. Here are some other good data security principles to live by:

  • Don’t gather more data than you need. Limiting the personally identifiable information (PII) and personal health information (PHI) you gather limits your liability if a breach occurs.
  • Know what constitutes sensitive data and mark it. Having a simple, straightforward way to identify and classify sensitive data, and having clear rules on how it is to be handled, simplifies the compliance process for all concerned.
  • Address high-risk areas first. If you do not have the resources to plug every possible vulnerability, determine which areas have the highest risk and prioritize them.
  • Put someone in charge. Everyone at the firm should be accountable for protecting sensitive data, and one person should have ownership of the process and the authority to enforce it.

Notions of privacy have evolved since the time this country’s founders wrote about protecting citizens’ “persons, houses, papers, and effects” in the Bill of Rights. Sensitive personal information about you is everywhere, and usually outside of your control. As practitioners of the law, legal firms must be at the forefront in protecting people’s privacy by safeguarding their data.

Written by Desh Urs

Meaningful Use: More Trouble than It’s Worth?

As the deadlines loom for meeting electronic health records (EHRs) “meaningful use” requirements, it is becoming clearer that the effort to meet those requirements is disproportionately burdening those entities least able to cope: individual physician practices. Some are questioning whether the potential benefit is worth the trouble.

The promise and the potential of EHRs is indisputable: A standard means of collecting, storing, protecting, and sharing medical records can increase the quality of care and patient outcomes through better coordination between doctors, hospitals, and clinics; more accurate diagnoses; and fewer errors in administering treatment and medication. As a bonus, EHRs can reduce overhead costs and therefore reduce the costs of medical care.

However, implementing such a system on a nationwide scale is proving to be far more complex and onerous than anticipated. Larger facilities, which typically have full-time IT departments and larger budgets, are having a difficult enough time certifying that they are meeting the meaningful use requirements of the HITECH act. It’s proving to be even more daunting for individual physician practices, which usually lack the staff and expertise to implement compliant systems, even on a small scale.

Implementing an EHR system for an individual practice can run into the tens of thousands of dollars—a staggering amount for an entity whose IT budget for a year may be only a fraction of that. Some practices are questioning whether the return on that investment will make the effort worthwhile, or if it would be easier and less expensive to merely pay the penalty amount for non-compliance.

The baby is in danger of being thrown out with the bathwater here. If physicians are considering not implementing an EHR system because it’s the easier path, then the whole program and the schedule of meaningful use mandates may need to be re-examined.

This cannot be solved with steeper penalties. The Centers for Medicare and Medicaid Services (CMS), which is administering the meaningful use program, needs to work with physician groups to find a reasonable solution that gets all physicians on board and compliant. Physicians need all the help they can get at an affordable price, not extra penalties.

Physicians are often the first point of contact with patients, and their participation in an EHR world is critical if the system is to succeed. If the meaningful use initiative can be viewed less as a mandate-and-penalty model and more of a partnership between physicians and regulators, EHRs are more likely to see the success that everyone—patients, physicians, hospitals, insurers, and regulators—wants to see.

Written by Dean Van Dyke, Vice President, Business Process Optimization

How Data Analytics Will Enhance Healthcare

The use of data analytics, already established in fields such as banking, insurance, and manufacturing, has entered into the healthcare field. Its adoption by hospitals and medical groups promises to increase productivity, identify inefficiencies, reduce costs, and increase the quality of patient care.

Understanding Data Analytics

The term “data analytics” refers to the use of business intelligence tools to monitor key performance metrics, allowing users to see at a glance how the business is performing and to identify trends. Many industries already use data analytics, and healthcare is getting on board.

Some ways that healthcare uses data analytics include:

  • Giving practitioners visibility into how they operate;
  • Enabling tasks to be appropriately assigned to nurses and other clinical staff; and
  • Measuring the effectiveness of treatments.

Data analytics may reveal that one doctor orders multiple tests for a set of symptoms, but the patient outcomes are no better than for other doctors who order fewer tests for the same symptoms. The treating physicians can then adjust how they approach these symptoms and reduce the cost of treatment.

Data analytics can also monitor doctors’ activities. If the data shows that some doctors are spending a good deal of time on tasks that can be handled by nurses or other staff, management can allocate those resources appropriately, freeing the doctors to do more of what they do best. This visibility is a powerful motivator for all involved. It gives doctors, nurses, and other stakeholders the information they need to be more efficient and reduce costs.

Effective Data Analysis

The key to having effective data analytics lies in having data to analyze. The system must securely collect appropriate amounts of the right data in a way that does not overburden the processes being monitored. This means that a practice or a hospital must carefully determine what data to collect, when and from whom to collect it, and how to analyze it to provide meaningful, actionable information. An organization must be very selective in which data is collected, because more time spent on data entry means less time available for core operations.

With planning and design—and by keeping all stakeholders in the loop for gathering requirements and designing, building and testing the system—data analytics are a powerful tool for lowering expenses, increasing productivity, and improving patient outcomes.

Hacking Medical Records: A Growing Threat

A disturbing upswing in medical-record hacking requires all custodians of such data to take a hard look at their security apparatus. For the people whose medical records are compromised, the consequences can be even more devastating than having financial records stolen.

When a major retailer suffers a data breach that compromises customer credit- and debit-card information, there is a narrow set of potential consequences for the affected customers. A criminal can use the information to assume the victim’s identity, make fraudulent transactions, and ruin his or her credit. Although these are serious concerns, there are countermeasures available to limit or eliminate the risk; law enforcement, credit providers, and reporting agencies are proactive in resolving these issues when they happen.

However, when medical information is compromised, the impact is wide-ranging and long lasting. If one’s medical history is published on the Internet for all to see, personal information like substance abuse or mental health issues could affect an individual’s ability to get a new job or obtain quality health insurance at reasonable rates. Personal relationships can also be damaged or destroyed by a breach. Even sensitive data, once published online, is hard to erase.

This was thrust into national awareness recently with the cyberattack on Sony Pictures, which exposed employees’ personal medical records along with other sensitive information such as Social Security numbers and passport numbers. The breach, together with other recent medical-record breaches, points out issues that have not previously received the attention they deserve:

  • The custodians of medical records are not limited to hospitals, clinics, insurance companies, and doctors’ offices.
  • Not everyone who possesses medical records and other personal data protects them well.
  • An individual has little or no control over who has access to their health records, how those records are stored, or what happens to them. Custodians are trusted to protect this information and not misuse it.

Some ask why Sony Pictures possessed that level of detail on their employees’ health histories. Everyone who is responsible for other people’s medical records should ask that same thing of themselves when the stored data serves no compelling business purpose and is not required by law or regulation.

The lax attitude toward medical record security results from there being little for hackers to gain from accessing these records, and therefore they do not require the level of protection that financial data does. However, given the level of risk to patients, and the potential loss of trust and damage to a company’s reputation, organizations should look closely at medical record security.

Written by Dean Van Dyke, Vice President, Business Process Optimization
