Scott Griffith, Executive Vice President and Co-Founder at Aesto Health
The Office of the National Coordinator for Health IT (ONC) has laid out a 10-year plan that requires healthcare EMR systems to be connected by 2024.
There is no doubt that connecting medical records, or interoperability as it is known, will benefit patients and the healthcare community.
Just close your eyes for a moment and imagine being on a skiing trip in Utah with friends from all around the country, when suddenly one person from your party, who happens to live in Florida, becomes short of breath and their condition rapidly deteriorates.
With no time to drive to the closest urban health system, you focus on finding an ER, rushing from the slopes and into the local critical access hospital where the healthcare team springs into action. The attending physician barks out orders and action is taking place, but the patient is in a tailspin.
Suddenly, a nurse comes to the doctor’s side with a clue.
When the patient’s information was entered into the hospital EHR, it triggered an immediate search of the National Health Information Network (NHIN) and the entire medical record from Florida populated into the EHR in UTAH!
Now with access to information not previously available, an Overseas Travel Physical for the patient was found in the EHR. In the notes related to the physical, the healthcare team in Florida documented the “patient intends to travel throughout multiple tropical countries, and our findings are consistent with him being fit for this type of travel.” The Hospitalist/ER Physician now knows to consult with an Infectious Disease specialist by phone and the EHR was shared. Together, the medical professionals crafted a strategy to properly care for the patient.
After more than 30 years of working in a hospital setting, I recognize the advantages interoperability will bring to the treatment of patients.
My career has since moved into healthcare cybersecurity and HIPAA compliance. I am acutely aware of the shocking number of breaches that occur every week in the healthcare sector. Our Worst Hacks of the Week blog is a reminder of just how commonplace those breaches are.
The Vulnerability of Interoperability
The real danger of interoperability is that when cybercriminals infiltrate one system, they gain access to many more. In June of 2021, MetroHealth System in Cleveland, Ohio, experienced a breach through their Business Associate, CaptureRx. The hackers gained access to more than 1 million patient records across 16 hospitals and healthcare organizations through this one breach.
It’s more important than ever that healthcare organizations carefully vet the practices of their Business Associates to make sure they are doing all they can to prevent breaches. Needless to say, HIPAA compliance training has to be more than a check-the-box exercise for healthcare providers. With the advent of interoperability, a culture of constant vigilance against cybercrime has to be apparent in every facility.
The Hackers are Professionals
Cyberattacks are nonstop. Full-time professionals are behind this work. Whereas cybersecurity is just a part of the tasks many hospital workers perform. The recent attacks on the meatpacker, JBS, and the Colonial Pipeline are evidence of the very real threat. If hackers can breach high-security organizations such as these, how do rural hospitals with limited resources defend themselves?
Time to Fight
Despite these risks, interoperability is coming; the benefits are just too great to ignore.
It’s all the more important that HCPs make sure their facility operates in a state of constant vigilance starting with these common-sense practices.
HCPs need to keep their software and security systems up-to-date. It doesn’t matter if a network is working if it’s three or four updates behind; functional does not mean safe. Keeping your IT staff fully staffed is also a must.
Constantly and thoroughly vet your Business Associates. Make sure they are applying a high standard of security. Remember, 16 facilities were affected by the CaptureRx breach. Interoperability will not only connect HCPs, it will also connect the Business Associates that each HCP has in their network. A breach through one Business Associate could affect everyone connected to that network.
Don’t entrust your system to anyone and everyone with access; use a zero-trust security model to ensure that, if a hacker or virus invades a system, the infection cannot spread to the rest of a single HCP’s network, and then onto ALL HCP networks.
Create a culture where cybersecurity is part of everyone’s job. Employees are the second-biggest breach point for a hospital, right behind Business Associates, so building a “culture of security” inside your organization is one of the easiest and most effective ways to spot and stop hackers.
Prepare Evidence of Effort
Given the number of breaches that occur on a regular basis, it’s not a matter of if a breach will happen but when. When it does, an OCR investigation is sure to follow. These investigations can drag out, occupying the time of vital office staff and resulting in fines and damage to your reputation.
For a grim reminder of how common OCR investigations are, visit the OCR Wall of Shame. New cases under investigation are added nearly every day.
If the day comes when you are under investigation, your best defense is well-documented Evidence of Effort. Every single action that is taken toward cybersecurity needs to be documented in an Evidence of Effort file that can be quickly accessed in the event of an OCR investigation. A cooperative effort of this kind will not only speed the investigation but can also reduce or eliminate fines. CaptureRx is now currently facing a class-action lawsuit that accuses them of failing to properly protect private healthcare information. A well-organized Evidence of Effort file should be the first step in their defense.
Interoperability is the future of medicine and will be a powerful tool toward connecting doctors and patients to more effective care, but we must remember that it drastically increases our responsibility for patient data. A careless breach on our part now not only affects our network but everyone connected to it.
We owe it to ourselves, our patients and all the patients in our connected network to make sure we are doing everything in our power to protect their information.