Monthly Archives: February 2015

What The Anthem Breach Teaches Us About Access Control

Post by Azam Husain

Senior Product Manager, Caradigm

As more details continue to emerge from the Anthem breach, the incident has put all healthcare organizations on notice. The estimated cost of the breach could be in excess of $100 million with as many as 80 million people impacted.[1] A breach of this magnitude is an important learning opportunity to think about healthcare security best practices and in particular, how to control access to sensitive data in organizations.  Here are several key takeaways from the breach for healthcare organizations.

Data thieves are looking for soft targets

Healthcare organizations are prime targets for cyberattacks not only because healthcare data is valuable, but because healthcare organizations have a reputation for being susceptible to breaches. In this Healthcare IT News article discussing the breach, Lynne Dunbrack of IDC Health Insights said “Cybercriminals view healthcare organizations as a soft target compared with financial services and retailers because historically, healthcare organizations have invested less in IT, including security technologies and services than other industries, thus making themselves more vulnerable to successful cyberattacks.” Until healthcare as an industry improves its adoption of security practices, including data access control, cybercriminals will continue to view healthcare data as a vulnerable target.

Improper access is a top security vulnerability

Investigators believe hackers accessed Anthem’s information by stealing system administrator credentials of five different employees. They also believe that the breach had been in progress for several years.  Benjamin Lawsky, Superintendent of New York State Department of Financial Services, said in this article that “Anthem is a wake-up call to the insurance sector really showing that there is a huge potential vulnerability here.”

Some have pointed out that Anthem should have encrypted the information; however, the greater shortcoming was the lack of proper access controls. Encryption would not have stopped attackers who had gained authorized credentials. The vulnerability was not in the software, operating system or hardware, but in the process of managing proper access controls based on business and operational requirements.

Three types of safeguards are needed to control access to sensitive data

Managing access control can be challenging, especially with respect to preventing insider data breaches or simple mistakes by users with high level access. Anthem is not alone as many organizations need to tighten system access.  When providers are considering what strategies to employ to improve access control, they should consider three broad types of safeguards.  

1) Technical safeguards – Grant role-based access to data and applications on a need-to-know basis.

2) Physical safeguards – Control of physical workstation access and access to clinical applications.

3) Administrative safeguards – Create comprehensive policies and auditing tools that allow a compliance manager to report on who has access to which systems, applications and patient records as it applies to their role.

Caradigm is the leader in Identity and Access Management (IAM) solutions, and is focused exclusively on healthcare organizations. If you’d like to discuss your access control needs further or see a demo, contact us here.   

[1] Osborne, Charlie. “Cost of Anthem’s data breach likely to exceed $100 million.” Retrieved from 2.12.15

Planning Your DSRIP Implementation

Post by Vicki Harter, BA, RRT

Vice President, Care Transformation

We are in the middle of a broad and dynamic effort to reform Medicaid. In 2014, 30 states reported having some delivery system reform initiatives underway with that number increasing to 40 states in 2015.[1] Delivery System Reform Incentive Payment (DSRIP) programs are one example of Medicaid reform that is top of mind for provider organizations because of the significant funding available to support the transformation of care to Medicaid beneficiaries. Nine states (California, Illinois, Kansas, Massachusetts, New Hampshire, New Jersey, New Mexico, New York, and Texas) have indicated that they plan to implement or expand DSRIP programs in FY 2015, so for providers in those states, it is the right time to strategize how to implement a successful DSRIP project supported by health information technology (HIT).

The following are a few recommendations to consider in order to get your DSRIP Year 1 off to a strong start.

A Key First Win is Integrated Health IT (HIT)

In order to truly transform how healthcare organizations meet the needs of the Medicaid population, silos of care must be brought together. Healthcare collaboration has been challenging across the healthcare community due to the lack of interoperability of IT solutions, which prevents the aggregation and sharing of information across a diverse team of care givers. Integrated HIT across a health system should be one of the first goals of a PPS (Performing Provider System) because it enables the longitudinal information required to accomplish DSRIP projects including care coordination and population health management. When evaluating solutions, keep in mind that the integration of HIT is outside the scope of many population health solution providers that focus on a specific area of population health such as analytics or workflow efficiency. The ability to aggregate and share all data within a diverse PPS is a capability that few solution providers are executing on today.   

Factor in Speed of Results with Performance-Based Payments

DSRIP waiver funds are allocated with the achievement of specific performance metrics. Initially, those metrics will be process based, but they will become performance based for the majority of the program. In order to receive full funding amounts, implementation plans should consider the scale, speed and scope of deployment. As PPSs are committing to take on a number of different projects, it’s important to identify synergies and efficiencies that can accelerate clinician processes and results across multiple projects. Without those efficiencies, clinicians can become bogged down by the amount of change management and new processes being introduced. Examples of new efficiencies that are possible include:

  • Identifying patients that are most impactful in order to achieve faster results from targeted interventions.
  • Enabling an interoperable, longitudinal patient record across the PPS so clinicians don’t have to log into many different systems for the information they need.
  • Team-based care with clear roles and responsibilities assuring “top of license” activity.  
  • Enabling quality analysts and other clinicians to see performance analytics and gaps in care in real-time so those gaps can be closed quickly and even while still in the presence of a patient.
  • Automatically generating personalized care plans, task lists and interventions for care team members to enhance efficiency and reduce variations in care.
  • Utilizing those personalized care plans to generate self-management action plans for patients so they can engage in self-care.

Take An Enterprise Approach to Transform Care

The goals of DSRIP align very closely with population health approaches as both seek to transition from fee-for-service, episodic care to value-based care for a population across a community of providers.  The ultimate goal is health delivery transformation, which can’t be accomplished with a narrow, point solution approach. Point solutions for population health can be counter-productive to DSRIP goals because they sustain the silos and inefficiencies that DSRIP was intended to address. The difference with an enterprise population health approach is that it integrates all of the core capabilities needed for population health and true care delivery transformation: integrated information systems, health care analytics, care coordination and patient engagement.  An enterprise approach is also extensible, which allows providers to support today’s needs while planning for the initiatives of tomorrow.

Caradigm is the leading enterprise population health company that can help organizations succeed with their DSRIP initiative. To learn more about how Caradigm can help you plan your DSRIP implementation, please visit our DSRIP page, see our recent DSRIP press release or send a note here

[1] Smith, Vernon K. Ph.D., Gifford, Kathleen, Eileen Ellis Health Management Associates and Rudowitz, Robin and Snyder, Laura Kaiser Family Foundation. National Association of Medicaid Directors. Medicaid in an Era of Health & Delivery System Reform: Results from a 50-State Medicaid Budget Survey for State Fiscal Years 2014 and 2015. October 2014. 

The Population Health Marathon

Post by Peter Kinhan

Vice President/General Manager, GE Healthcare IT

There are significant changes underway in the healthcare reimbursement models. While changes are broad and rapid, it is becoming clear that this will feel more like a marathon than a sprint.

The US healthcare system is facing significant cost, quality and access challenges. Recognizing these challenges, and catalyzed by the Affordable Care Act, a variety of alternative Fee-For-Value (FFV) reimbursement models have emerged. These models, such as one-sided and two-sided Medicare or private shared savings models, bundled payments, and partial and full capitation reimbursement models, emphasize value (higher quality per unit cost) rather than volume.

But when will the tipping point happen? When will the majority FFV revenue outweigh that of FFS? If this were a marathon, I would say we are still in the early miles when the legs are strong and buoyant. There are still many tests and challenges to come in the mid to late stages of the race.

Early results suggest that the transition from volume to value has not been easy for many providers. CMS ACO results from PY1 & PY2 show that only 25% of participating ACOs were able to realize shared savings[1]. Furthermore, ACO data tracked by Leavitt Partners LLC shows that after an initial start that led to nearly 700 private and CMS ACOs in the last 2 years, the rate of new ACO formation has slowed down[2]. These ACOs cover less than 10% (nearly 23 million) lives so far, potentially suggesting that providers are currently “dipping their toes” and large-scale adoption is yet to come.

One could make the argument that this trend mirrors a “hype cycle” where the initial expectation from population health is giving way to the realities on the ground and we are in the “trough of disillusionment”. There is no shortage of potential roadblocks that may delay the migration towards large-scale adoption: lack of a clear long-term value-based care strategy with a predictable business model, misalignment of incentives (physicians, payers, others), an ever-changing regulatory landscape, and capability gaps. Despite the challenges, there is reason for cautious optimism. The majority of the ACOs improved on 30 out of 33 quality metrics and 25% of ACOs were able to realize shared savings. Given that many of these efforts were essentially pilot projects, it would be fair to assume that important capabilities have been built and lessons learned for greater future success.

As the landscape continues to evolve, in addition to internally developing some of the core capabilities, providers will need a dependable partner who will continue to innovate and invest in new capabilities and solutions to best meet the evolving needs. At GE Healthcare, we not only understand the market challenges but also have made population health a core pillar of our integrated care portfolio and strategy. Through Caradigm, we have augmented our Centricity™ portfolio to offer comprehensive industry-leading population health solutions. Looking ahead, we realize that the journey ahead will be difficult but ultimately rewarding. By continuing to innovate, grow our portfolio and collaborate with our customers, we are progressing to the finish line of transforming healthcare by improving care quality and population health outcomes.

This post was originally published on the GE Health IT Views blog.