“The SDPR will consolidate geographically fragmented EMR, PAS, and LIMS systems to create a detailed lifelong patient record and deliver cost savings,” NSW Health said in a news release.
NSW Health is the largest public health system in Australia with more than 220 public hospitals, 16 Local Health Districts, and three Specialty Networks. NSW Health Pathology operates more than 60 pathology laboratories (clinical laboratories in the US) and has 150 patient service centers.
“While this initiative will provide untold benefits to all the patients of NSW, we are excited about its potential for improving the health outcomes of our regional patients,” said Andrew Montague (above), former Chief Executive, Central Coast Local Health District in a press release. “By enabling greater collaboration across all local health districts and specialty health networks, the Single Digital Patient Record will provide clinicians with even better tools to keep the patient at the center of everything we do.” This project is more market evidence of the trend to bring clinical laboratory test results from multiple lab sites into a single data repository. (Photo copyright: Coast Community News.)
Cloud-based Realtime Access to Patient Records
Australia has a population of about 26 million and New South Wales, a state on the east coast, is home to more than eight million people. Though the scale of healthcare in Australia is much smaller than in the US, this is still a major project to pull patient data together from all the NSW hospitals, physicians’ offices, and other healthcare providers such as clinical laboratories and pathology practices.
With the change, NSW clinicians will benefit from a cloud–based system offering up real-time access to patients’ medical records, NSW Health Pathology Chief Executive Tracey McCosker told ITnews.
“Patients and our busy staff will benefit from clinical insights gained from the capture of important new data. Our work in pathology is vital to the diagnostic process and developing a statewide laboratory information management system will ensure we provide the best possible services,” McCosker told ITnews.
The KLAS Research report, “US Hospital Market Share 2022,” states that Epic, located in Verona, Wisconsin, has the largest US electronic health record (EHR) market share, Healthgrades noted. According to KLAS:
NSW Health’s decision to engage Epic came after a process involving 350 clinicians, scientists, and technical experts, Zoran Bolevich, MD, Chief Executive of eHealth NSW and NSW Health’s Chief Information Officer, told ITnews.
NSW Health’s Goal for Statewide Digital Patient Record
It was in December 2020 when NSW Health announced its plan to create the SDPR.
“Our vision is to be able to provide a single, holistic, statewide view of every patient—and for that information to be readily accessible to anyone involved in the patient’s care,” Bolevich said in the news release.
The SDPR, according to NSW Health, will address the following:
Challenges:
Current systems not connected statewide.
Inaccessible patient data.
Duplicative data collection.
Gaps in decision-making.
Goals:
Improve health outcomes.
Create patient centricity.
Leverage insights.
NSW’s government has already invested more than $106 million in the SDPR, Healthcare IT News reported.
Other Large EHR Rollouts
NSW Health is not the only large organization to take on such an ambitious project of creating a large-scale digital patient record. And not always to a successful conclusion.
The US Department of Veterans Affairs (VA)—also intent on EHR modernization—recently announced it is suspending roll-out of the Oracle Cerner EHR at VA centers until June 2023 to address technical issues affecting appointments, referrals, and test results.
Four VA centers in Washington, Oregon, and Ohio already went live with the system in 2022.
“We are delaying all future deployments of the new EHR while we fully assess performance and address every concern. Veterans and clinicians deserve a seamless, modernized health record system, and we will not rest until they get it,” said Deputy Secretary of Veterans Affairs Donald Remy, JD, in a news release.
For its part, Oracle Cerner wrote federal lawmakers noting the importance of continuing the project, which will move the VA away from its former VistA health information system.
“Modernization requires change and some short-term pain for the long-term benefits of a modern technology infrastructure,” noted Oracle Cerner Executive Vice President Ken Glueck in the letter, Becker’s Health IT reported. “A modernization project of this scale and scope necessarily involves time to untangle the decades of customized processes established in support of VistA, which inevitably involves challenges.”
NSW Health’s goal is to build a single repository of health information—including lab test results from multiple clinical laboratory sites. When finished NSW Health expects that sharing patient data will contribute to producing better healthcare outcomes.
However, the VA’s experience—and several other similar attempts at large-scale electronic patient record installations—suggest the work ahead will not be easy. But for NSW Health, it may be worth the effort.
Recent attacks illustrate how costly a security breach can be and why clinical laboratories and pathology groups must work to protect their information systems from ransomware attacks
Therefore, it is crucial clinical laboratories and pathology groups have a cybersecurity strategy in place for dealing with ransomware attacks. Running security drills may need to be part of that strategy. Managers and employees should undergo specific training and vendors must be vetted carefully. Without such a strategy, the question is not if an attack will happen, but rather when an attack will succeed.
Ransomware Attackers are Getting Better
“Ransomware is increasing in sophistication; it’s increasing in prevalence. The purveyors of ransomware are generally reinvesting the fees that they collect from the entities they extort to acquire more capabilities,” Beau Woods, Senior Advisor at the federal Cybersecurity and Infrastructure Security Agency (CISA), told The San Diego Tribune.
“They’re getting better, they’re getting more frequent, particularly during the pandemic where we’ve opened up more connectivity to allow more remote work,” he added.
The Scripps Health attack is notable for several reasons, with one being the length of the outage it caused. The attack was first detected on May 1 of this year. It took four weeks before Scripps could restore most of its network and get its Epic EHR back online, Health IT Security reported.
However, the ransomware attack on Universal Health Services (NYSE:UHS) may be the biggest attack so far. It took place on September 27, 2020, and caused a three-week outage. The company told The San Diego Tribune the incident had a $67 million impact on operations.
According to HIPAA Journal, “The phone system was taken out of action, and without access to computers and electronic health records, employees had to resort to pen and paper to record patient information. In the early hours after the attack occurred, the health system diverted ambulances to alternative facilities and some elective procedures were either postponed or diverted to competitors. Patients reported delays receiving test results while UHS recovered from the attack.”
At Utah Pathology Services, an employee e-mail hack resulted in the potential exposure of patient data. The malicious actors attempted to divert funds intended for a physician but failed to do so. However, the information of 112,000 patients was accessible to the hacker during the attempt.
“The compromised data varied by patient but could include names, contact information, insurance details such as ID and group numbers, medical and health information like internal records numbers and clinical and diagnostic information, and some Social Security numbers,” Health IT Security reported.
Value of Patient Data on the Dark Web is Increasing
In the case of the Utah Pathology Services attack, the hackers were specifically after money. However, according to cybersecurity company SecureLink, patient records are “the new prize” for hackers. Healthcare data carries a value of its own on the digital black market. In fact, healthcare data is more valuable than credit card or banking data.
“Healthcare data is valuable on the black market because it often contains all of an individual’s personally identifiable information, as opposed to a single marker that may be found in a financial breach,” SecureLink wrote in a blog post.
A 2018 Trustwave Global Security Report estimated that a healthcare record is worth about $250. Trustwave, however, estimated the value of a banking record at less than $5. That strongly suggests health records are increasing in value.
And even after a healthcare entity has regained control of its IT infrastructure, the hacker still has possession of the stolen patient information. It may take weeks or years for the hacker to sell that information, meaning the breach represents a continuing threat to the healthcare organization and its patients.
Clinical Laboratories Must Prepare for an Attack
Simply understanding the threat is not enough. Clinical laboratory and pathology group managers must have robust plans in place for both protecting patient information and for dealing with a security breach should one occur.
According to a Health IT Security report, “The ransomware attack that struck all 400 UHS care sites and caused three weeks of EHR downtime in September, cost the health system $67 million in recovery costs and lost revenue.”
The report added, “Security researchers have long-recommended the need for providers to shift into a proactive security model, like zero trust. Recent reports show successful cyberattacks on healthcare providers doubled in the last year, with at least 560 providers falling victim to ransomware.”
To deal with the ransomware attacks, we wrote, “CISA, FBI, and HHS advise against paying ransoms. ‘Payment does not guarantee files will be recovered,’ the advisory states. ‘It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.’ The federal agencies advise organizations to take preventive measures and adopt plans for coping with attacks.
“The advisory suggests:
Training programs for employees, including raising awareness about ransomware and phishing scams. Organizations should ‘ensure that employees know who to contact when they see suspicious activity or when they believe they have been a victim of a cyberattack.’
Regular backups of data and software. These should be ‘maintained offline or in separated networks as many ransomware variants attempt to find and delete any accessible backups.’ Personnel should also test the backups.
Continuity plans in case information systems are not accessible. For example, organizations should maintain ‘hard copies of digital information that would be required for critical patient healthcare.’”
Given the enormous amounts of money hackers can earn from selling protected health information on the Dark Web, it is a near certainty these attacks will continue. Clinical laboratory and anatomic pathology group managers would be well advised to plan for the inevitability that their health system will be targeted.
Could clinical laboratories use texting to improving patient compliance with the medical laboratory test orders given to them by their doctors?
California’s largest physician-owned medical practice has
employed text messaging to reduce patient no-shows. Just as other innovations such
as same-day walk-in clinical laboratory
testing and patient at-home self-testing made it easier for patients to comply
with physicians’ lab test orders, text messaging appears to help get more
patients through the doors and into doctors’ exam rooms.
At least that’s the experience at Riverside Medical Clinic
(RMC) in Riverside, Calif. The multi-specialty practice has more than 170
providers who see more than 400,000 patients annually. After struggling to
lower its 15% baseline no-show rate using a phone-only reminder system, RMC turned
to a two-way texting appointment reminder system from Santa Barbara, Calif.-based
WELL Health (WELL).
According to a case
study, prior to the texting
system implementation, no-shows were costing RMC more than $3 million per year.
“The problem we were trying to resolve was getting a hold of our
patients in an expedient manner without having to do redundant work,” Diego
Galvez-Ramirez, Associate Vice President, Patient Business Services at
Riverside Medical Clinic, told Healthcare IT News. “We wanted to
give time back to our staff. A big frustration was not having enough time for
staff to accomplish their duties.”
After RMC implemented WELL’s HIPAA-compliant text-based reminder
system, front office efficiency and productivity improved, and the practice
experienced a 33% decrease in appointment no-shows.
Additionally:
No-shows decreased from 15% to 10% within the
first month of going live across the enterprise.
Confirmed appointments rose from 29.45% to
94.45%, translating to a savings of more than $40,000 in two months.
91% of patients who confirmed via WELL presented
for their visit.
Phone volume at RMC’s two call centers decreased
by 4% to 6%.
Galvez-Ramirez suggests that healthcare providers—including
clinical laboratories and anatomic pathology groups—keep pace with the
realities of today’s connected world. “Most of the time, the cell phone is not
used to make phone calls,” he told Healthcare IT News. “You have to adapt
to the new ways that your patients want and are used to communicating.
“In our environment,” he continued, “you also have to be
quick to respond to your patients. No patient wants to spend unnecessary time
on a phone call. Being able to send them their appointment to their phone is
not a new concept, it’s an expectation.”
The WELL messaging app draws a patient’s information from the
physician’s electronic
health record (EHR) system to configure the appointment reminder. This
includes appointment type, date/time, and location. Based on the patient’s
preferred method, the system sends reminder messages via phone, text, or e-mail.
As Healthcare IT News noted, WELL’s competitors in the
patient communication space include:
Texting Reduces No-Shows at Other Healthcare Networks
Other healthcare organizations also have replicated RMC’s
success in reducing its no-show rates by moving away from telephone-based
reminders.
An Athena Health
study examined 54.3 million patient visits in 2015 and found no-show rates
dropped to 4.4% when patients received a reminder text from their provider. By
comparison:
Athena patients who received a phone call
instead of a text failed to show up 9.4% of the time;
E-mail reminders resulted in a 5.9% no-show rate;
and,
10.5% of patients who received no form of
reminder message missed their appointments.
Is Texting Secure and HIPAA Compliant?
A 2018 poll conducted by the Medical
Group Management Association (MGMA) found that 68% of healthcare organizations
used text messaging to communicate with patients about appointments. But is it
secure?
An MGMA
article notes that according to HIPAA Journal,
“Recent changes to HIPAA
have introduced new rules relating to how Protected
Health Information (PHI) should be communicated and many healthcare
organizations and other covered entities are now at risk of financial sanctions
and legal action should an avoidable breach of PHI occur.” The MGMA goes on to
state that, “As text messaging is not typically a fully-secure channel for the
communication of PHI, practices must be vigilant when sending information via
text messages.”
With proper training and precautions, clinical laboratories and
pathology groups might want to add text messaging to their patient outreach
programs. Data indicate that doing so could improve patient compliance with the
medical lab test orders given to them by their physicians. Industry experts
estimate that for every 100 medical lab test requests written by providers,
only about 60% of patients show up to provide the specimens needed for a lab to
perform those tests. Improving on those numbers would help clinical
laboratories and patients alike.
As the Medicare program expands telemedicine services, the opportunity may arise for sub-specialist pathologists to offer consultation services across state lines
More use of telemedicine across state borders has long been predicted as a way to improve access to care—particularly for patients in rural areas—as well as to give physicians and patients access to talented sub-specialists. Within the anatomic pathology profession, however, there are probably as many pathologists who view telemedicine across states lines to be a threat as there are pathologists who see it as an opportunity to raise the quality of care.
Some medical laboratory organizations risk coming up short on the deadline for implementation of 5010 standards
Less than eight weeks remain before the January 1, 2012, deadline for implementation of Form 5010. Every sector of the healthcare system—from government and private payers to hospitals, physicians, pathologists, and clinical laboratories—is involved in this important healthcare reform.
Many providers and payers are scrambling to meet the Health Insurance Portability and Accountability Act (HIPAA) version 5010 compliance deadline. This is the latest version of standards for the conversion of electronic health records (EHRs).
The Centers for Medicare and Medicaid Services (CMS) continues to maintain a hard line position regarding the deadline, according to an article in Modern Healthcare. “There is no wiggle room,” Denise Buenning, Director of the Administrative Simplification Group in CMS’ Office of E-Health Standards and Services, stated. “We’re holding fast to the date.”