Harry Nelson

HIMSS 2016 Reflections: Where are we on interoperability, security, and analytics?

Two weeks ago, I wrote about HIMSS16 from the perspective of healthcare organizations facing the daunting challenge of developing a coherent IT strategy. Today, I wanted to offer some broader perspective about what’s real and what remains elusive in healthcare IT. As I commented in my previous post, the 2016 HIMSS conference was overwhelming with its 40,000+ attendees and 1,300+ vendors. There is so much to weed through: a sea of buzzwords du jour, vendors with overlapping products, and more hype than clarity. Nonetheless, it is a useful snapshot of the big trends in healthcare IT and progress towards long-term goals. Below are my thoughts on the big three: (1) interoperability; (2) health data security; and (3) data analytics. (In my next post, I’ll touch on takeaways from HIMSS about some of the emerging healthcare IT issues.) There has been progress and forward movement on all three areas, though perhaps not as much traction as there has been hype.

  1. Interoperability

Interoperability of electronic health records (EHR) has been the focus of federal healthcare reform efforts since the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act, one month after President Obama was inaugurated. The basic idea is that free exchange of health data between and among different healthcare organizations is an essential step on the road to improving the quality of care and reducing cost (by fostering market conditions of transparency, competition, and consumer choice). Patients should be able to choose where to go for care without the constraint of where their current data is siloed.

Although much of our healthcare system has shifted from paper records to EHR, the reality is that our healthcare IT infrastructure remains fragmented and data is siloed in systems that don’t share information or otherwise “speak” to one another. If you have a serious health condition and have been going to a particular doctor or hospital for care, the biggest disincentive to shop around, no matter how dissatisfied you may be, is that your health data is held hostage. A new provider may mean repeat testing or lack of access to essential historical data. The HITECH Act introduced “meaningful use” requirements, through which healthcare providers were required to push towards interoperability among other functional requirements in their adoption of EHR, but in recent months, the government has pushed off the next phase of meaningful use – in part due to the reality that EHR vendors don’t support the goals.

The biggest news out of HIMSS16 was the announcement from Sylvia Burwell, Secretary of the U.S. Department of Health and Human Services (HHS), of an industry-wide pledge to improve interoperability across all EHRs and health systems. While this sounds great, the irony of this “solution” is that the obstacles to interoperability have been the big HIMSS16 players themselves, most notably EHR vendors like Epic. Far from easing access to health data, large providers like Epic have been proprietary, deliberately blocking data accessibility to limit provider choice, improving their competitive position in the process, and forcing hospitals and healthcare systems into their platforms.

The issue of data security, addressed in more detail below, is also proving to be an obstacle to interoperability. Notably, many of the descriptions of interoperability focused on patients’ access to their own data, and bypassed the issue of providers’ ability to access data from other providers.

It is music to everyone’s ears to hear the large healthcare IT vendors and largest health systems have pledged to support specific goals of patient access, reducing (if not eliminating) information blocking, and further development of industry interoperability standards such as Health Level 7 (HL7). The proof will be in the pudding. My hunch is progress will be glacial on many fronts, though it is promising to see movement on Fast Health Interoperability Resources (FHIR, pronounced “fire” for those wanting to show their street cred in health IT circles) cloud enabling third-party applications.

If progress towards interoperability remains slow, perhaps we will see government getting tough with industry by imposing penalties. The HITECH Act put the onus on healthcare providers, but my vote would be to hold EHR vendors accountable in the next phase. I will leave it to legislators and regulators to think about what this looks like.

Fellow patients, let’s demand meaningful access to our data. And fellow entrepreneurs and investors, let’s think about how to leverage patient access, an issue everyone can get behind, to force the issue far beyond where EHR vendors and large systems are comfortable sharing.

  2. Health Data Security

Healthcare data security has been a theme of healthcare IT and previous HIMSS conferences for years, but its prominence is rising. Some people are declaring that the issue has finally achieved “critical mass,” whatever that means. After nearly two decades of dealing with HIPAA, I’ve heard this refrain before, and my perspective is that health information security is incrementally being taken more and more seriously, but that there is still plenty of room to go. For larger providers, there is undoubtedly a greater urgency to the issue, with multiple large data breaches in healthcare and other settings hitting the front page of newspapers.

I think healthcare organizations will take information security seriously when it is too expensive not to do so. The current mandates have been in effect for years, but the reality is that, outside of a few major media stories, there have been relatively few major federal or state penalties for noncompliance. As a consequence of light government enforcement, the majority of providers have moved slowly and there has been more “hat” than “cattle” (i.e. lip service to HIPAA compliance without the real work of training and organizational process).

In the absence of government pressure, what accounts for the heightened focus on data security at HIMSS16? I credit two related pressure points: media/public interest and the growing influence of health systems and other large players. Front page news coverage has led a growing number of healthcare organizations to treat data privacy and security as a “brand” issue, key to sustaining consumer confidence. One of my pet theories is that, in a world where our privacy has generally eroded as a result of technology and the availability of so much information and search capacity online, health data privacy is one of the last protected zones and therefore one that consumers care about even more. As a result, the negative s of data breach publicity or user experiences that don’t convey a serious commitment to privacy protection are much more serious. This may account for why larger healthcare organizations have taken the need for health data security so seriously. The secondary pressure on small organizations is that, in a post-ACA world heading toward bundled payment, many small providers need to align themselves with accountable care organizations (ACOs) and other larger organizations, and one threshold issue in doing so is satisfying the data security standards of the larger players.

So what were some takeaways from HIMSS on data security? Chief information officers are prioritizing the issue, but many organizations are still woefully behind, particularly on the “people” and “process” elements that accompany technology. Many organizations are unprepared for a potential breach, let alone how to respond.

The HIMSS Cybersecurity Command Center showed off plenty of new technologies offered by vendors to address the evolving “threat landscape,” but as I detailed in my previous post, healthcare leaders frequently have difficulty finding a strategic perspective amid the din of offerings. Part of the problem is that data security is often perceived as a state of being rather than a journey. I’m an advocate for starting with education, as exemplified by the HIPAA toolkit product released by Compliagent. (Full disclosure: I’m a founder of Compliagent.)

Here too, HIMSS featured Secretary Burwell’s announcement of government encouragement in the form of a Healthcare Industry Cybersecurity Task Force. Last week, HHS also announced that its Office for Civil Rights (OCR) is launching Phase 2 HIPAA audits to verify that healthcare providers and plans (covered entities), as well as their business associates, are meeting compliance standards. These initiatives from the government are positive steps. They are not real drivers of healthcare industry behavior, but they are a welcome additional nudge in the right direction.

For me, the real takeaway from HIMSS is that healthcare organizations of all sizes need to incorporate healthcare information security into their strategic planning. It’s not because government regulators are coming, but because the failure to do so is an increasingly real threat to the trust of patients and other providers, and a genuine threat to organizational growth and sustenance. It’s a positive sign that HIMSS is calling attention to the need to address the issue of data security, but I’m not ready to say we’ve reached critical mass this year.

What should patients do? I recommend voting with your feet and having zero tolerance for organizations that don’t put a premium on protecting your privacy and security. As for investors and entrepreneurs, there’s no doubt that spending on health data security is on the rise. I am an advocate for exercising caution given how crowded the competitive landscape is. The threat landscape is evolving quickly, as is the interplay with broader information security protocols. I am leery of expensive solutions and a fan of low-cost tools that emphasize the people and process aspects of the solution, not just the technology.

  3. Health Data Analytics

For me, HIMSS16 was most interesting for the growing prominence of data analytics. (My previous post catalogued over 200 analytics solutions providers at HIMSS, not counting the many more clinical decision support tools relying on analytics, and the multitude of data-based revenue cycle solutions.) More and more healthcare organizations are beginning to make serious use of data to improve the quality of care and patient safety, and to reduce spending by identifying preventive opportunities and efficiencies.

The most common buzzword with respect to analytics at HIMSS was population health, referring to the methodology of approaching healthcare not on an individual patient basis, but rather by studying health outcomes and care across entire groups. The triple aim of population health is to improve health and patient experience, while reducing spending. Analytics in support of population disease management and wellness were on full display at HIMSS.

My advice in my previous post was for providers to go slow and to be strategic, and this applies nowhere more than analytics. With a few exceptions (such as in behavioral health and arguably in long-term and post-acute care), providers are already well down the road of EHR implementation, and hopefully have made progress in improving health data security. My sense is that a much greater number of organizations are still in the early stages of thinking about analytics. The biggest challenge in walking around HIMSS was the sheer number of vendors selling data-crunching tools.

There may be an advantage in being a slow mover. There will be valuable lessons learned by these early adopters, with lessons about mistakes that can be avoided, as well as development of a deeper number of high quality consultants with real expertise to share.

My sense is also that solutions are going to take more than just good software tools, and that, here too, the “people” and “process” parts of the equation are going to lag. It also strikes me that it is harder to identify clear winners among the tools and solutions, and that significant consolidation in the analytics provider market remains ahead. In the interim, the better investment of time may be developing organizational and departmental dashboards of key indicators of healthcare quality, safety, patient experience, and expense. This process will pave the way for investment in and adoption of solutions in the future by getting healthcare organizations and their personnel focused on analytics and their power with information already at hand.

For patients, my recommendation is to investigate the degree of transparency in the healthcare providers you work with. To what extent do they offer you price, quality, and safety transparency? How do those numbers compare with other data you can find? For entrepreneurs and investors, there are going to be some big winners in the space, and we are in the midst of a land grab, with plenty of opportunities. Focus on strategy more than bells and whistles, and look for successful pilot programs from which to learn.

