E-Health, Security, and the New Breed of Practice Management Systems
Abstract
Practice management systems play a vital role in the smooth functioning of physician practices. They are the lifeblood through which all of the components of healthcare delivery and payment flow. With the increasing movement toward a full and robust E-Health environment, it is imperative that they keep pace with new and tougher data security laws, advances in data accessibility and maintain compatibility with the latest technology to enable a smooth transition for the practice’s physicians and staff. The role of a practice management system in this emerging setting and the attributes that it must possess to be viable are discussed in this paper. The discovery by the author of one such practice management system that fully meets and surpasses the demands of this exacting set of requirements is further elaborated upon.
Executive Summary
While there are approximately 750 practice management software (PMS) systems available today for use in physician practices, there is just now emerging a new breed of PMS systems that are fundamentally different than all the existing PMS systems on the market. The fundamental difference is that these ‘new breed’ PMS systems have an architecture designed from the ground up around the HIPAA regulations and newest technology, while almost all of the existing PMS systems were designed before HIPAA and with older technology. These new breed PMS systems provide the necessary ingredients for physician practices to move smoothly and effectively into the emerging E-Health environment.
One such system, ProSourceMD Practice Management System (PSMD) by Navaro Medical Solutions, Inc. (www.ProSourceMD.com) stands out as the total package for viably existing and growing in an E-Health setting. PSMD has many leading-edge and distinguishing features including the ability to access data online and offline, Real Time Business Monitoring dashboard, Certified for Vista certification, robust EDI capabilities to name a few that both meet and exceed the defining requirements for successful operation in E-Health and separate it from the competition,
Very importantly, PSMD exhibits a unique and distinguishing security safeguard in the way it encrypts sensitive data at all steps in the practice management process, thereby assuring protection from both internal and external unauthorized access and exposure while mitigating and minimizing client risks. PSMD encrypts data from its inception, when being captured, immediately encrypts it in storage, and provides the capability of sending it through an encrypted tunnel to any carrier that is equipped to accept electronic transmissions. Of special importance is the fact that the PSMD System stores the data in encrypted format, making it virtually impossible for unauthorized access. It is this attribute, the storage of sensitive data and electronic protected health information (ePHI) in an encrypted format, which makes PSMD consistent with even the most stringent state data protection requirements and allows it to stand alone among practice management systems in its ability to help protect all confidential data entered into the system and protect the practice from a costly data breech.
The paper examines the events leading to this new breed in practice management software, 5 unique characteristics of new breed practice management software and a focused look on the risks and the adverse impacts to a practice from failure to have the necessary data protections imbedded in its systems. It further examines how the PSMD systems fulfills and surpasses the necessary risk mitigation factors to enable worry-free, efficient, and bottom-line effective operation both now and in the projected future health setting.
A New Breed of Software
There is a new breed of Practice Management Software (PMS) systems emerging in 2007 that offer fundamental differences and significant advantages to the medical practice over most of the existing 750 practice management systems on the market.
The fundamental difference is that most existing PMS systems were designed and built before the HIPAA regulations were released using 1970-1990 technology. The new breed of PMS systems has been built from the ground up around the HIPAA regulations and the very latest software technology.
In 2002, Microsoft released a major new software platform called .Net that has replaced their older technology used to create windows software used in the 1980’s and 1990’s. The .Net software technology has become the centerpiece to all their new operating systems and application platforms going forward. Microsoft has stopped upgrading and supporting older software technologies or in the process of doing so. Also in the 2002-2003 timeframe, the HIPAA regulations were adopted into their final form, bringing together a blueprint for data, privacy, security, and EDI standards.
Considering it can take 5 years to design, build and test, it is no surprise that we are just now beginning to see the emergence of this new breed of PMS. While these older applications ride into the sunset, the new breed PMS systems will take practices into the new E-Health future.
Five characteristics of this new breed of PMS include:
a) Robust HIPAA privacy and security built into the fundamental program architecture by design. For example, all sensitive data will be ‘stored’ as encrypted. Almost none of the current PMS systems ‘store’ sensitive data as encrypted, and, in most cases, it is the only way to protect the practice from liability if there is a data breech.
b) Online and Offline data access. Neither the current client server model nor web based ASP model PMS systems offer program access both online and offline at the same time. If there is a power or Internet outage or you are out of Internet connectivity range, you are cut off from your data with most PMS systems on the market today. With the new breed of PMS systems, you can work 24x7 through the Internet and also have some functionality and laptop access to data while offline.
c) Certified for Vista logo. The only way to be assured that your PMS is compatible with Windows Vista, its most secure operating system and potentially those to follow, is to look for the Certified for Vista logo. New breed PMS systems are able to achieve this certification, old technology systems will have a much harder time.
d) Real–Time Business Monitoring Dashboard-Ability to see a real time overview on the business status of all the data in your system, with drill down access to the underlying data. This is just one of the many new efficiency and productivity enhancements found in new breed PMS systems.
e) Direct EDI implementations – Ability to create, validate, send and receive complete HIPAA transactions directly to and from any carrier that can accept the transaction.
Data Protections
The many standards - nationally, internationally, and at the state level - associated with security/privacy have a strong commonality of features:
• Protect confidentiality of sensitive data at rest and in transit
• Restrict data access on need-to-know basis
• Authentication/Access Controls/Audit Controls
• Assure data integrity
• Business continuity- system/data availability
• Network protection
• Security management process
• Administrative, Physical, Technical safeguard areas
The HIPAA Security Rule covers all of these requirements, so compliance with it also brings serendipity compliance with other regulations. Of particular note is the wave that is sweeping across the US, spurred on by the seminal legislation in California in 2003 known as California Senate Bill 1386 – The California Security Breach Information Act – requiring any alleged breach of identifiable information stored in an unencrypted database to be reported to all potential victims and the ensuing necessary follow-up actions by the company with stewardship responsibility for protecting that data. The critical safeguard to this data, preventing many costly notification and damage control activities, is encryption of the stored data. As of this writing, these provisions have been replicated in at least 36 other states across the country. And, some of this mirroring has included even stronger data security and protection mandates.
What happens to those healthcare providers (and physician practices) that do not have the necessary safeguards in place to protect ePHI and other sensitive data?
Security breaches are common and on the increase as we evolve into a more intensive electronic healthcare environment. The challenge to healthcare organizations is to become proactive in preventing these threats from causing adverse health and financial and impacts. There is no such thing as 100% security. The trick is to minimize your risk by using easily available and adaptable administrative, physical, and technical safeguards and to imbed them in your daily business functions so that your staff works in concert with your policies, processes, and native system technologies to assure protection of your and your client’s (the patient) sensitive data.
What would your practice answer to the following questions?
• What would it mean to your practice if you lost access to your computer systems and the patient data on them? For a week? Permanently? Could you run the office? Could you continue to see the same number of patients? Could you capture the information you need to provide care and get paid? How long would it take to recover from such an event? Would you have to re-interview patients to get key medical data?
• What if a copy of the computerized data about your patients was taken by a disgruntled former employee and posted on the Internet or used for credit card fraud? Are you prepared to respond to this event?
These situations are not hypothetical. They are based on scenarios that some healthcare providers have already experienced. Hardware/software failures, hackers and employees compromise businesses everyday. Setting up a security program with procedures to manage these threats is necessary for a medical practice operating in today’s computerized environment. Without a security program, your business’s vulnerability to disruption and legal liability escalates significantly. Your medical practice has a regulatory as well as a practical concern. In fact, in recently released statistics by the Office for Civil Rights of the Federal Department of Health and Human Services, the enforcement agency for the HIPAA Privacy Rule, private practices received the highest number of corrective action notifications of all of the types of provider-covered entities. The two highest sources of privacy compliance issues involved the impermissible uses and disclosures of protected health data and the lack of safeguards of protected health information.
The HIPAA regulations set includes a HIPAA Security Rule that applies to the typical practice and specifies that security measures must be in place in order to protect the confidentiality, the integrity, and the availability of electronic patient identifiable information. Noncompliance with the HIPAA Security Rule can result in the following possible consequences:
• lost reputation/negative publicity/lost business – patients seek out a new practice
• lost business and revenue-generating opportunities due to systems being down and unavailable
• lost or corrupted data, along with associated recovery or replacement costs, time, resources after an incident happens,
• lost user productivity – staff time spent on recovery and damage control
• lost intellectual property – practice financials
• consulting and legal fees associated with investigating and prosecuting attackers
• insurance premium increases
• legal and public relations fees associated with defending liability suits by failing to meet contract obligations or Federal/State regulations
• incident reporting requirements and resulting investigative follow-up burdens on the organization with the alleged violation(s) from Federal/State enforcement agencies and accrediting bodies
• loss of trust in management/ownership – potential for accreditation problems
Additionally, loss of protected health information and its subsequent unauthorized access can result in the following potential harm to the patient
• Identity theft- credit card/financial
• Medical identity theft – using another person’s name, Social Security number, or insurance information to obtain medical services, or using someone else’s identity to falsify insurance claims (estimates of up to ½ million victims to date in the US)
• Employment and societal impact and embarrassment
• The change in either the availability and/or the integrity of the patient’s healthcare information with resulting adverse treatment outcomes or death
While there are numerous studies chronicling the costs associated with major data breaches (according to the Ponemon Institute an average of $13.8 M), a more realistic figure is approximately $180 per record. This could entail a combination of notification of potential victims and follow up for credit protection. It does not however include legal actions, which typically average about $10,000 per patient, and potential federal and/or state fines that can range anywhere from $1,000 to $250,000 per incident. Of course, as pointed out earlier, an encrypted database greatly absolves the corporation or organization responsible for the stewardship of the data from not having done” due diligence”. In fact, most state laws explicitly state that if confidential data is stored as encrypted, then it is excluded from the disclosure requirements, the fines, the costs, the lawsuits… The greatest single thing a medical practice can do to protect itself from the cost of a major data breach is to store all its confidential data as encrypted data.
The most important features and attributes of the practice management system for the E-Health era focus on the information security that the system provides both to the practice and to the patients it serves. The sources of threats to the data are both from the inside and the outside. The insider threat is amplified when sensitive data not protected from unauthorized users, when there is error or malicious handling, and /or when sensitive data is put on a mobile device, which is then lost or stolen. Typically, the outsider threat materializes through a physical break-in or through the network. In fact, a recent study by the eHealth Vulnerability Reporting Program, a collaborative of healthcare industry organizations, technology companies, and security professionals, during which more than 850 providers and seven electronic health records (EHR) systems were assessed over a 15-month period, found that all of the EHR systems had vulnerabilities that could easily be identified using standard tools and techniques and could be exploited to gain control of the application and access to the data. Practice management systems need to be cognizant of these sources of data leakages and breach possibilities when they are designed. Some suggested security features that will stand the practice in good stead in its safeguarding of its ePHI and other proprietary data are:
1) Encrypted data storage
Data stored in database is stored as encrypted data.
Encrypted values include ePHI and other confidential data
2) Encrypted data transport
All program communication is through an encrypted tunnel
3) Being able to operate on the latest MS operating system”
The practice management software should be certified to utilize full functionality on the latest and most secure available operating system (currently Vista, MS’s most secure operating system ever developed)
4) User Identification
All activities must be traceable back to a user, who can be uniquely identified.
5) Strong and unique passwords
6) Auditing/logging
Each login should be recorded. A record of before and after access needs to be kept to see what data values were changed and/or if any data or records have been deleted. This log needs to show when, and by whom
7) Emergency login access
There should be processes for emergency access logins,
8) Design premised on a “Need to Know”
Basic program design should have an underlying theme that patient data should only be displayed when there is a business need to show it. There should be enough granularities built in to control access privileges to the context level and permit drilling down only to those authorized data. Unnecessary patient data should not be summarily shown, thereby avoiding inappropriate disclosure. Where possible, the use of “fuzzy logic” should be employed to facilitate user navigation to needed data
9) Data Backup
Data should be backed up and stored to an out-of-area server on a daily basis.
A Practice Management System that meets the E-Health Needs of a Practice
I recently performed an assessment of Navaro Medical Solutions, Inc. (NMS) in terms of its compliance with the HIPAA Security Rule requirements and, in particular, the security safeguards built in and surrounding its ProSourceMD and ProSourceMD for Anesthesia Practice Management System (PSMD) (www.ProSourceMD.com) . The assessment resulted from NMS’s concern for the creation of a system that not only offered the full range of practice management capabilities but did so in a secure environment that would protect both sensitive patient demographic, financial, and clinical data as well as and proprietary and financial practice data. The design goal of PSMD is to provide consistent data protection throughout the data management life cycle from data capture, storage, and transmission that meets and exceeds regulatory requirements at both the federal and state levels. A distinguishing security feature of PSMD is its encryption of sensitive data at all steps in the process, assuring protection from both internal and external unauthorized access and exposure while mitigating and minimizing client risks. PSMD encrypts data from its inception, when being captured, immediately encrypts it in storage, and provides the capability of sending it securely to any carrier that is equipped to accept electronic transmissions. This process greatly minimizes any potential data loss or corruption threats that result from needing to transmit from provider (the medical practice) to the insurance carrier. Of special importance is the fact that NMS in its PSMD System stores the data in encrypted format, making it virtually impossible for unauthorized access. It is this attribute which makes PSMD consistent with even the most stringent state data protection requirements. This approach to the design of its practice management system is consistent with NMS’s desire to be able to instill the same level of data protection assurance as the healthcare providers that it serves and to enable those clients to be compliant with federal and state regulatory data protection requirements.
Worthy of note is the use of a rather unique application of two-factor authentication in the PSMD System, where both a user id and password can be combined with a unique device id to further authenticate an authorized user. Furthermore, PSMD back-up procedures are exemplary as is its employment of leading-edge technology, such as server virtualization with High Availability, Automatic Failover technology in its datacenter and its ProSourceMD program being Certified for Vista by Microsoft.
ProSourceMD, perhaps because it is a new and innovative practice management system that was built with the HIPAA Administrative Simplification mandates for transactions, code sets, identifiers, patient privacy, and good business security practices in mind, was found not only to be HIPPA-compliant and also to meet and exceed all of the essential requirements to operate efficiently and effectively in an E-Health environment discussed above but also, and more importantly, provides the core system around which a practice can architect its component systems to increase its delivery of healthcare and better serve itself and its patients. Moreover, the PSMD System ensures confidentiality for both patient and other sensitive data, while affording the client practice with continued assurance of the integrity of its patient and billing data as well as providing for ubiquitous access and constant availability. It is safe to say that ProSourceMD stands alone as an E-Health ready practice management system.
About the Author
John Parmigiani is an independent information systems technology consultant with over thirty-five years experience in both the public and private sectors. As a former federal executive in health information management and as a nationally recognized expert and speaker in regulatory compliance and information security in healthcare, he served as the federal government chairperson for the interdisciplinary team that developed the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule and as a member of the federal management group that oversaw the development of the HIPAA Privacy Rule and the Transactions, Code Sets, and Identifiers requirements for electronic health. He has performed over 70 engagements, primarily in the healthcare arena for hospitals, physicians, suppliers, academic medical centers, health plans, laboratories, retail pharmacies, and hardware and software developers with a focus on HIPAA compliance. The President of John C. Parmigiani & Associates, LLC, John can be contacted at www.jcparmigiani@comcast.net . Additional information concerning his credentials can be found at www.johnparmigiani.com
Note: ProSourceMD (PSMD) was originally known as UbiquityMD (UBMD). The name in this document has been updated to reflect the name change.