My experience in the healthcare markets has given me a privileged peek in a lot of areas, Security, HIPAA, Information Technology, Electronic Health Records (EHR) / Electronic Medical Records (EMR), Digital Health, Patient Care, R&D, and Startup Product Development. I am wanting to give my opinion on the focus areas that I believe are key to getting any products into the healthcare market faster. Technology is changing at lightning speed which present challenges in this market, which in my opinion are not so much the innovation of the technology or the value of the technology to consumers, but it is more Security, HIPAA Compliance and Implementation into EHR/EMR Environments, which make information security an afterthought:
- Security Compliance
- HIPAA Compliance
- Implementation of EHR System Environments
- Yes, there’s a longer list of other concerns, but for this Blog writing, I want to focus on the ones above.
Depending on the perspective you are looking from your profession, they ultimately come down to Securing it, HIPAA compliance and implementation into EHR matured environments. Boiling them down to the simplest reasons, adoption of new products and technology are not implemented well and we are assuming they get through corporate institutional gatekeeper hurdles. We also understand that business value must also provide a return on investment, especially in the healthcare market. Otherwise, it will be a hard sell for executives to return a project of any kind. But for the sake of this article, the areas above are major roadblocks for any new technology or healthcare startup trying to get into any healthcare market. Let me explain!
Security Compliance: All Healthcare Institutional entities have a security department nowadays! We are not talking about Physical Security, although that is a part of this area and a legitimate concern. We are talking more about IT Security and adopting Best Security Practices throughout the industry for implementing safe and secure systems that provide the trust with not only providers and operations but providing a level of patient care that is only delivered by a matured practice of security measures and system design. I am being very vague here and please understand that every institution adopts security measures based off hopefully a framework and within that framework, there should be best practices in which to formulate policies and standards for security and managing the integrity of systems at varying degrees. The National Institute of Science and Technology – Special Publication 800-53 (NIST SP 800-53) is the most widely adopted Framework for Federal and most Corporate Entities within the US Markets; There are other Security frameworks out there but NIST is the most widely recognized and adopted. The challenges come into effect through implementation on the maturity level of a security framework with the institution and the level of design of the product or system being implemented. For instance, if you have a very advanced and mature product being implemented into a low maturity environment, it might not be able to handle the level of sophistication it was developed in and not work according to its design because the assumption during the development was of a mature environment. If you can still implement it, the Implementation costs would be astronomical for a workaround solution or the mandate to mature your environment up to par just to be able to use the product. The endless scenarios and solutions can be very expensive if avoiding due diligence when adopting new technology is such environments.
HIPAA Compliance: In combination with your Security Framework above, HIPAA is the specific security focus on Healthcare Data, especially PHI (Protected Health Information). These will always be a hurdle for almost any company that meets the requirements for HIPAA compliance as a Covered Entity or a Business Associate Agreement (BAA) that provides direct support to patient healthcare services or services that support healthcare patient care indirectly. This area has been always a stumbling block for a lot of healthcare companies because they don’t really have good guidance on what can be done for HIPAA compliance while implementing new systems within their institution. Advances in Technology and the demand to bring that technology into a healthcare organization are a constant struggle on a daily basis and the institutions are challenged to keep up with the changes. The challenge is how do you balance HIPAA / Security with New Technology and does it even have authority over it!
Well Yes, and be creative! The government mandates that you protect everything to the best of your institution’s capabilities according to NIST, but when HIPAA is mixed in with the bunch it gets more attention and more eyes on these specific areas by providing a specific set of safeguards in their respective areas. The two examples where I can tell you that there is not specific wordage in HIPAA and Security Frameworks to address Audible Speaking programs such as Dragon (Application used for Dictation) and working remotely at home while you personally have Amazon’s ALEXA in the room with you in your office or anywhere in the house having a conference call or talking about patient information over the phone discussing cases, if you are a medical professional. These areas are more left up to common sense, but common sense is starting to change to well its new technology and we are aware of it or no we aren’t ready for it or have it implemented in our environment and we just don’t care to use it anyway (Because Doctors Want it) on BYOD programs as long as “I” sign a waiver.
Implementation into EHR Systems (Mature and In-mature) Environments: This is where it all comes together fusing technology, new Applications, Security Concerns, and HIPAA Concerns, along with the careful and complex integration of making everything work together in varying maturity level environments. Thankfully, Project Managers are a commodity that can provide the skill-set and experience to do such efforts. The challenges with Implementing any new healthcare related products, application or technology are the varying differences in the maturity level they were designed for. Surprisingly new technology just doesn’t work without some level of complex integration in an ideal environment as healthcare institutions struggle to find the resources and personnel to mature their environment in a responsible way balancing Security and HIPAA Compliance with Patient Care Operations. We are seeing an iterative technology driven released market that is putting new technology faster into the hands of its consumers at a very fast rate and in turn the expectations and demands of corporate or healthcare technology are being pressured to keep up with the technology output pace, which causes major complications as these worlds try to merge. For example, Voice Activation Dictation applications such as Dragon, are just an example of leaps forward for medical professionals, however in today’s consumer market we have Amazon’s ALEXA technology that has spawned the need to be concerned with people working remotely with confidential company information especially healthcare related information (depending on the role), ALEXA Platform is always listening and can record information even without an activation “term”. This device is put into a listening database within your profile that is accessible by the ALEXA integrated applications and could potentially, with a high probability, unintentionally pose a rick and information leak out into the public domain. So rules and regulations haven’t caught up but security practices must evolve as consumer technology advances in conjunction with the modern technological advances. As progress moves forward within the healthcare space, new innovations such as Tele-medicine and other future healthcare technology can be utilized balancing out Security and HIPAA Concerns. The coming Blockchain revolution still will have security concern but in a much different construct than we are dealing with now, Security Frameworks may have to evolve, Policies will have to be modified, lessons and breaching will occur until these new adoption changes are made to evolve forward.
Another positive change in the healthcare market is the VA Hospital Change up for allowing overflow to go to private or public hospitals for healthcare if they can’t get it at the VA. This is a long time coming and needed to happen for major changes for VA Care. I don’t have any insight into the VA system but I can tell you from a Pro Non-Vet Standpoint, this is only ethical for our country and the system to take care of these Veterans by any means possible, regardless of your political beliefs or who is in office, its only right that we continue to provide the necessary care they need. These people weren’t fighting for the cause, they were given orders to perform a task, and during that task, they were either put in situations where their lives and the people next to them mattered more than the political decision to have them there at that moment. I give them the benefit of seeing the honorable thing to do!
With the recent announcement of AMAZON, JP Morgan Chase, and Berkshire-Hathaway Partnership, what will this do in the security and HIPAA compliance area for healthcare? (Source: https://www.cnbc.com/2018/01/30/amazon-berkshire-hathaway-and-jpmorgan-chase-to-partner-on-us-employee-health-care.html) This will undoubtedly shake up the markets from the bigger healthcare companies that burden the brunt of healthcare technology innovation and maturity, so this is probably a good thing, to have these big technology companies come into the healthcare markets to disrupt and evolve with major improvements to the simple day to day professional level work and information management within the healthcare markets. I do believe this would help lower the healthcare costs in the long term once the value-add is seen through major improvements. So any Paid Google Adworders and GMAILers or Amazon AWSers, continue using those platforms so that money is then re-invested back into major areas in healthcare technology improvements… makes you think this same this should be happening with the Public Education area too!
Blog Opinions and Article Written by Luke Timpe, President – Dyzana Consulting, LLC (twitter: @luketimpe @dyzanaconsult (email: firstname.lastname@example.org)