13 security tips as part of a data breach response plan to combat mobile device threats in the BYOD era @ your HIM/MR office

I took you on a rendezvous about the Bring-Your-Own-Device (BYOD) phenomenon, especially mobile devices that can wreak havoc in a hospital, in my two previous posts, The perils BYOD bring to healthcare – but before that, what is a mobile device exactly? and Patient data breaches in the BYOD and BYOC era.

Here are some pointers I picked up while fact-finding on BYOD: 13 security tips to build into a data breach response plan against mobile device threats in a healthcare setting such as a hospital, and in particular, as the focus of this blog, in your Health Information Management (HIM)/Medical Records (MR) Department, especially if you work with Electronic Medical Records (EMR).

  1. Ask your hospital's IT department to install, and advise on, USB port locks: a low-cost way to physically block ports and add a layer of protection on top of the encryption or other software installed on computers, laptops and other devices holding protected health information (PHI) or other sensitive data, so that data cannot be transferred in or out through USB ports and thumb drives. Physical locks complement, rather than replace, operating-system device-control policies that block removable storage.
  2. Lost or stolen computing or data devices are the number one cause of healthcare data breach incidents. Use geolocation tracking software or services for mobile devices so that a lost device can be located immediately and, if necessary, wiped of all data.
  3. Be able to remotely lock or wipe ("brick") a mobile device as soon as it is reported lost or stolen, and make sure staff know whom to report to so that this happens quickly.
  4. Encrypt every mobile device, including USB drives, that will be used remotely or could hold sensitive data. Require the use of company-owned, encrypted portable media.
  5. Laptops put into "sleep" mode, instead of being shut down completely, leave full-disk encryption ineffective.
  6. Full-disk encryption only protects data while the volume is locked. Once the user has entered the password at boot, the encryption key is held in memory and the operating system reads and writes the disk transparently until the laptop is shut down. Putting the laptop to "sleep" (suspend to RAM) keeps the key in memory, so a thief who wakes the machine faces only the screen lock, and the key itself can be recovered from memory by cold-boot or DMA attacks. A laptop lost or stolen while asleep should therefore be treated as completely unprotected. Shutting down (or hibernating, where the encryption product supports it, since the machine powers off and must be unlocked again on resume) discards the key. Tell employees clearly to shut laptops down completely before taking them out of the workplace (for example when taking them home for the evening), and to use only full shutdown, never "sleep", when travelling or leaving a laptop unattended in an unsecured place. Enforce and audit this policy strictly.
  7. Limit inappropriate use of personal devices through strong policies, training and sanctions for noncompliance. To reduce the risk further, look at the root cause: what do personal devices offer employees that the organisation's systems lack? If clinicians text PHI from personal phones because the hospital offers no equally convenient way to communicate, the hospital should consider offering a secure alternative to texting.
  8. Do not allow mobile devices to reach PHI without strong technical safeguards: encryption, data segmentation, remote data erasure, access controls, VPN software and so on.
  9. Educate employees on safeguarding their mobile devices: do not install applications or free software from unsanctioned online stores, which may carry malware; do not turn off security settings; do not leave data unencrypted in transit or at rest; and promptly report lost or stolen devices that may hold confidential or sensitive information.
  10. Because electronic protected health information (EPHI) is reached from a multitude of mobile devices, the risk that a virus introduced from a device used to transmit EPHI contaminates hospital systems rises significantly. Require current anti-malware protection on any device that handles EPHI. Cyber liability insurance can cushion the financial fallout of a breach, but it transfers risk rather than reducing it and is no substitute for technical safeguards.
  11. Ensure that BYOD mobile devices (which the user, not IT, owns and primarily controls) that come offline are adequately secured and checked before disposal or donation. When a user upgrades to a new smartphone or mobile device, the old device is almost always overlooked: it is typically given to children to play with, donated to a charity or handed down to another family member, in many cases without confirmation that it has been sufficiently wiped, potentially leaving sensitive and confidential data intact. The result is a constant stream of devices going offline and posing significant data breach risk.
  12. Have a proactive data management strategy that protects critical patient data and grants access to it only on an as-needed basis. One strategy can be borrowed from the data protection practices of the financial industry, where card numbers are now increasingly handled through tokenization: a random surrogate value replaces the sensitive identifier in working systems, and only a separately secured vault can map it back. The same technique can be applied to patient identifiers in healthcare.
  13. Require transparency and end-user opt-in consent when smartphone companies collect, share or store personal information, and conduct a thorough technical review and risk audit of any new technology before it is rolled out to patients or employees.
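
The following is an added example, not code from the original post or from any MDM product, showing how tips 2, 3, 4, 8 and 9 above combine into a single "may this device touch PHI?" decision. The inventory, its field names and the staff names are constructed sample data, not a real MDM export format; the seven-day check-in window is an assumption.

```python
"""Device-posture gate for PHI access (added example, constructed data).

A BYOD device may reach the EMR only if it is encrypted, enrolled for remote
wipe, not jailbroken or rooted, not set to install apps from unsanctioned
stores, recently seen by the MDM, and not reported lost.
"""
from datetime import datetime, timedelta

MAX_CHECKIN_AGE = timedelta(days=7)    # assumption: older posture data is stale
NOW = datetime(2012, 7, 1)             # fixed "now" so the decisions are reproducible

# Constructed sample inventory (not real devices or staff; not a real MDM format).
INVENTORY = [
    {"device_id": "d-001", "owner": "rn.lee", "encrypted": True, "wipe_enrolled": True,
     "jailbroken": False, "unknown_sources": False, "reported_lost": False,
     "last_checkin": "2012-06-30"},
    {"device_id": "d-002", "owner": "dr.tan", "encrypted": False, "wipe_enrolled": True,
     "jailbroken": False, "unknown_sources": False, "reported_lost": False,
     "last_checkin": "2012-06-29"},
    {"device_id": "d-003", "owner": "him.raj", "encrypted": True, "wipe_enrolled": False,
     "jailbroken": True, "unknown_sources": True, "reported_lost": False,
     "last_checkin": "2012-06-28"},
    {"device_id": "d-004", "owner": "dr.wong", "encrypted": True, "wipe_enrolled": True,
     "jailbroken": False, "unknown_sources": False, "reported_lost": True,
     "last_checkin": "2012-05-01"},
]


def evaluate(device, now=NOW):
    """Return the list of policy failures; an empty list means PHI access is allowed."""
    failures = []
    if device["reported_lost"]:
        failures.append("reported lost/stolen: revoke access and issue remote wipe (tips 2-3)")
    if not device["encrypted"]:
        failures.append("storage not encrypted (tip 4)")
    if not device["wipe_enrolled"]:
        failures.append("not enrolled for remote wipe (tip 2)")
    if device["jailbroken"]:
        failures.append("jailbroken/rooted: OS protections cannot be trusted (tip 8)")
    if device["unknown_sources"]:
        failures.append("installs from unsanctioned app stores allowed (tip 9)")
    last_seen = datetime.strptime(device["last_checkin"], "%Y-%m-%d")
    age = now - last_seen
    if age > MAX_CHECKIN_AGE:
        failures.append("not seen by MDM for %d days: posture unknown" % age.days)
    return failures


def phi_access_decisions(inventory=INVENTORY, now=NOW):
    """Map device_id to ('allow', []) or ('deny', [reasons])."""
    decisions = {}
    for dev in inventory:
        failures = evaluate(dev, now)
        decisions[dev["device_id"]] = ("deny" if failures else "allow", failures)
    return decisions


if __name__ == "__main__":
    for dev_id, (verdict, why) in phi_access_decisions().items():
        print(dev_id, verdict, "; ".join(why))
```

Every reason is reported rather than only the first one found, so the help desk can tell the owner exactly what to fix; a device not seen by the MDM within the window is denied because its posture is simply unknown, which is the conservative default.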
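
As an added example of the tokenization idea in tip 12 (not code from the original post, nor any vendor's tokenization product), the block below keeps a token vault that swaps a patient's medical record number (MRN) for a random surrogate in a working data set. Because the token is random, it carries no information about the MRN; only the vault can reverse it, and here only named roles may ask it to. The in-memory dict standing in for the vault, the role names and the sample records are assumptions constructed for the example; a real vault lives in its own hardened store with separate credentials.

```python
"""Tokenization vault for patient identifiers (added example, constructed data)."""
import secrets


class TokenVault:
    """Maps MRNs to random surrogate tokens and back.

    Unlike hashing or encrypting the MRN, a random token cannot be reversed by
    guessing over the (small) MRN space or by stealing a key: the mapping exists
    only inside the vault.
    """

    # Roles assumed for the example; a real deployment takes these from its IAM.
    DETOKENIZE_ROLES = ("him_release_officer", "treating_clinician")

    def __init__(self, token_digits=8):
        self.token_digits = token_digits
        self._mrn_to_token = {}
        self._token_to_mrn = {}

    def tokenize(self, mrn):
        """Return the token for an MRN, creating a fresh random one on first sight."""
        if mrn in self._mrn_to_token:
            return self._mrn_to_token[mrn]      # stable token for the same patient
        while True:
            # Visible "T" prefix marks it as a surrogate; the digits are random.
            token = "T" + "".join(str(secrets.randbelow(10)) for _ in range(self.token_digits))
            if token not in self._token_to_mrn:  # avoid the (tiny) chance of a collision
                break
        self._mrn_to_token[mrn] = token
        self._token_to_mrn[token] = mrn
        return token

    def detokenize(self, token, requester_role):
        """Reverse a token, but only for roles entitled to identified data."""
        if requester_role not in self.DETOKENIZE_ROLES:
            raise PermissionError("role %r may not detokenize" % requester_role)
        return self._token_to_mrn[token]


def export_for_research(records, vault):
    """Copy records with the MRN replaced by its token; other fields pass through."""
    out = []
    for rec in records:
        rec = dict(rec)                          # do not mutate the source record
        rec["mrn"] = vault.tokenize(rec["mrn"])
        out.append(rec)
    return out


# Constructed sample records (not real patients).
RECORDS = [
    {"mrn": "00123456", "diagnosis": "I10", "visit": "2012-06-01"},
    {"mrn": "00987654", "diagnosis": "E11.9", "visit": "2012-06-02"},
    {"mrn": "00123456", "diagnosis": "I10", "visit": "2012-06-15"},
]


if __name__ == "__main__":
    vault = TokenVault()
    for rec in export_for_research(RECORDS, vault):
        print(rec)
```

The same patient receives the same token on every visit, so the exported data still links a patient's encounters together for analysis, while a leak of the export alone exposes no MRN.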

I have visual!

There are many infographics on BYOD, but I like this one because it relates closely to everything I have posted above.

The infographic below summarises the findings of a study commissioned by ESET, an IT security company founded in 1992 and headquartered in Bratislava, Slovakia. The study set out to help companies understand the scale and scope of the risks that come with BYOD: adopting a BYOD mindset is fine, but a company must then implement a BYOD policy, because the risks are no laughing matter.


Source: vbridges.com/

References:
Largely from ID Experts, idexpertscorp.com/, with cross-references from:

Elizabeth B. 2011, International Perspectives in Health Informatics, IOS Press BV, Netherlands

Karen A. W., Frances W. L. & John P. G. 2005, Managing Health Care Information Systems: A Practical Approach for Health Care Executives, 1st edn, Jossey-Bass (A Wiley Imprint), San Francisco, USA

Kenneth C. L. & Jane P. L. 2012, Management Information Systems: Managing the Digital Firm, 12th edn, Prentice Hall, New Jersey, USA

Keri E. P. & Carol S. S. 2010, Managing and Using Information Systems: A Strategic Approach, John Wiley & Sons, New Jersey, USA

Assessments before Anesthesia or Surgery

Preoperative assessment is the assessment done before surgery, that is, during the phase in which the patient is prepared for surgery (the first part of the perioperative period, which spans preparation for, the procedure itself, and recovery from surgery).

Gathering prompt and accurate initial medical assessment information about the patient before surgery helps ensure a successful outcome for the patient.

This information gathering is largely a nursing function, with assessments also done by the surgeon, the anesthesiologist or a registered nurse anesthetist (RNA).

What you need to know as a Health Information Management/Medical Records practitioner is that patients for whom surgery is planned must have a medical assessment performed before anesthesia or surgery, as required by JCI Standard AOP.1.5.1, ME 1, and that this medical assessment of surgical patients must be documented in the medical record before surgery, as required by JCI Standard AOP.1.5.1, ME 2.

It is therefore worth knowing what data is gathered in an initial medical assessment before anesthesia or surgical treatment, as required by JCI Standard AOP.1.5.1, and what goes into the medical record you keep.

Assessment before anesthesia or surgery includes:

  • observations by the nurse: any unusual reactions or observations are recorded in the patient's medical record and reported to the charge nurse or surgeon at once
  • vital signs on the morning of surgery, with any significant deviation from normal recorded and reported
  • a general systems review, noting in particular any new cardiopulmonary developments that place the patient at high risk during surgery
  • a complete physical examination, including laboratory tests, with the results recorded in the patient's record and, if abnormal, reported to the surgeon or their representative; for nonemergency surgery, laboratory tests are done about a week before the procedure

Routine preoperative laboratory tests often include:

  • a chest x-ray
  • complete blood count (CBC)
  • urinalysis (UA)

Other laboratory tests and examinations, performed as needed, include:

  • a metabolic panel
  • a toxicology screen, if alcohol or drug abuse is a possibility
  • a pregnancy test, to determine what medication, if any, can be used
  • an electrocardiogram, usually obtained for all patients older than 40 years
  • blood drawn for a type and cross-match if there is any possibility that a blood transfusion will be needed during surgery
  • the patient's weight, documented in kilograms, because dosages of medications, including anesthetics, are usually calculated on the basis of the patient's weight in kilograms
  • a visit from the anesthesiologist or nurse anesthetist (RNA) before surgery, which lets the patient ask questions that may be troubling him or her and lets the anesthesiologist or RNA assess the patient on the basis of the findings listed above; "patient management by anesthesiologists is generally highly standardized and includes some of the most robust safety engineering found in health care" (ACMQ 2010)

As I end this post, I wish to record that this posting brings back memories of the multifaceted experiences, the skills acquired and the joy of the time when I worked as a medical assistant (the equivalent of a male nurse) in my start-off, one singular career phase of my life.

References:
American College of Medical Quality, 2010, Medical quality management : theory and practice, 2nd edn, Jones and Bartlett Publishers, Sudbury, MA, USA

Caroline, BR & Mary, TK 2012, Textbook of basic nursing, 10th edn, Wolters Kluwer Health, Lippincott Williams & Wilkins, Philadelphia, USA

Joint Commission International, 2010, Joint Commission International Accreditation Standards For Hospitals, 4th edn, JCI, USA

JCI Standard MCI.2 – Communication with Patients and Families, about care and services and how to access those services

JCI Standard MCI.2 states clearly that "The organization informs patients and families about its care and services and how to access those services.", and a hospital must meet the standard's three measurable elements (MEs) to comply with it.

Let us now see what a hospital must do to live up to the expectations and hopes of sick patients and their families when they get to a hospital.

Organisational ethics requires a hospital to offer patients and their families the full information they wish to have on the care and services available at the hospital. Patients and families have a right to reasonable access to care and to know how to access those services. The information provided also covers the proposed care for the patient.

This openness and trustworthiness, shown when a hospital works to build trust and open communication with patients and their families and tries to understand and protect each patient's cultural, psychosocial and spiritual values, helps create a bond between the hospital and the patients and families it serves.

Let's now see how the Joint Commission International quality standards fit into this picture of openness by a hospital.

By providing all the needed information openly, so that patients and their families gain awareness and knowledge of the care and services and trust is built between them and the hospital, the hospital readily complies with two of the JCI Standard MCI.2 requirements, namely ME 1 and ME 2.

If the hospital also includes information on the proposed care for a patient in what it initially tells patients and their families, it meets the requirement of JCI Standard ACC.1.2, ME 2.

Patients and their families also need to learn whether the hospital is actually able to meet their expectations of care and services.

When patients and their families learn that their needs fall beyond the scope of the hospital's competence, mission and capabilities, the hospital is obliged to give them information on alternative sources of care and services. Such alternatives may be available at another hospital in the district; the hospital then coordinates with that hospital and ensures the patient is appropriately referred to the facility whose services meet their ongoing care needs.

The hospital thus complies with JCI Standard MCI.2, ME 3, if it can give patients and their families information on alternative sources of care and services when their needs fall beyond the scope of its competence, mission and capabilities.

Reference:
Joint Commission International, 2010, Joint Commission International Accreditation Standards For Hospitals, 4th edn, JCI, USA

Paying the high price for ICD-10 compliance when using EMR systems in US hospitals

Lucky for us in Malaysia, our hospitals with EMR systems already incorporate the ICD-10 code set, so they do not face the high price of implementing ICD-10 that US hospitals using EMR/EHR systems face as they gear up for the October 2013 ICD-10 deadline (which is likely to be delayed again, to October 2014).

One example is the North Shore Long Island Jewish Health System in New York, a US hospital system of 14 hospitals. It estimates the price tag at about US$50 million (about RM158 million), including project management, IT remediation (some 90 applications), training and other areas.

Sutter Health, which runs 24 hospitals across northern California, is another example, with an even higher price tag: well over US$100 million (about RM316 million), including US$60 million (about RM190 million) for technology remediation (some 146 applications will need to be remediated) and US$25 million (about RM79 million) for a computer-assisted coding program.

Both organizations are said to be well ahead of the rest of the US industry in their ICD-10 planning. Even so, they are cautious and concerned about the long-term financial impact on revenue when converting past billing claims to ICD-10, and are still estimating where documentation will need to be enhanced to support the more granular ICD-10 codes.

In the US, ICD-9 codes have historically been used mainly for billing: every clinical encounter billed to an insurance payer carries diagnosis designations encoded as ICD-9 codes.

Thus, I can understand the profound impact of paying the high price of implementing ICD-10 in the US when the fundamental method of encoding diagnoses is changed to a whole new system.

The rationale for such a change, given the disruption it will cause, is that the ICD-10 code set is more detailed and extensible, allowing for more than 155,000 different codes and permitting the tracking of many new diagnoses and procedures (a significant expansion on the 17,000 codes available in ICD-9).

ICD-10 was developed by the WHO and released in 1992, and was adopted relatively swiftly across most of the world, including Malaysia.

Abridged from the article The High Price of ICD-10 by Gary Baldwin, June 26, 2012, Health Data Management, reporting from the HFMA conference, June 24-27, 2012, in Las Vegas, where panelists shared the above estimates.

With additional references from:
practicefusion.com/, Website
ehrscope.com, Blog
pdmanesthesia.com/, Blog for the image in this post

The Five Rights of Data Administration!

If you read the post Documentation of medication administration in medical records, I am sure you did not miss reading about how clinicians and nurses use the “Five Rights of Medication Administration” to ensure proper patient care.

If you work in an EMR environment, the following infographic, entitled "The Five Rights of Data Administration," was created by Symantec to help Health IT staff and users like you, Health Information Management (HIM)/Medical Records (MR) practitioners, answer important questions about the use, access and availability of critical patient data. It outlines specific best practices for keeping patient information secure wherever it is, and helps you and the Health IT staff of organizations like your hospital better understand the administration of patient data.

I believe HIM/MR practitioners working in an EMR setting need to adopt similar but modified best practices for ensuring proper security and privacy for patient data, based on the specific best practices outlined in this infographic.


From this infographic, you need to cultivate the following specific best practices, in coordination with, and with guidance and help from, your hospital's IT staff.

  1. Right Time – data in the EMR should be available to authorised personnel in your department whenever they need it, and must be backed up and secure
  2. Right Route – users such as clinicians who need access to EMR data, wherever they are and whatever device they are using, must have ready access to the up-to-date data you are responsible for at your end
  3. Right Person – ensure that only the right people have access to a given piece of information, through access verification in your department
  4. Right Data – prevent unauthorised tampering with, or accidental corruption of, data by restricting access to users entitled or authorised to have it, and by minimising or banning Bring Your Own Device (BYOD) mobile devices
  5. Right Use – ensure that only the "minimum necessary" information is provided to external parties who request data extracted from your end of the EMR system, thereby assuring confidentiality
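
As an added example of "Right Person" and "Right Use" above (not code from the original post or from Symantec's infographic), the block below releases a record field by field according to a per-role allow-list, refuses an unknown role rather than letting it fall through to "everything", and logs every request whether granted or refused. The sample record, the roles and the field names are assumptions constructed for the example.

```python
"""Minimum-necessary disclosure with an access log (added example, constructed data)."""
from datetime import datetime, timezone

# Constructed sample record (not a real patient).
RECORD = {
    "mrn": "00123456", "name": "A. Example", "dob": "1970-01-01",
    "diagnosis": "I10", "procedure": "99213", "charges": 120.00,
    "psychiatry_notes": "(restricted)", "hiv_status": "(restricted)",
}

# Deny by default: a role receives exactly the fields listed here and nothing else.
# Role names are assumptions for the example.
ALLOWED_FIELDS = {
    "billing": {"mrn", "name", "procedure", "charges", "diagnosis"},
    "research": {"diagnosis", "procedure"},        # no direct identifiers at all
    "treating_clinician": set(RECORD.keys()),      # full record for ongoing care
}

ACCESS_LOG = []   # stands in for a write-once audit store


def disclose(record, requester, role, purpose, now=None):
    """Return the subset of `record` the role may receive; log the request either way.

    Raises PermissionError for a role with no disclosure profile.
    """
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    if role not in ALLOWED_FIELDS:
        ACCESS_LOG.append({"time": stamp, "requester": requester, "role": role,
                           "purpose": purpose, "mrn": record["mrn"],
                           "fields": [], "outcome": "refused: unknown role"})
        raise PermissionError("no disclosure profile for role %r" % role)
    released = {k: v for k, v in record.items() if k in ALLOWED_FIELDS[role]}
    ACCESS_LOG.append({"time": stamp, "requester": requester, "role": role,
                       "purpose": purpose, "mrn": record["mrn"],
                       "fields": sorted(released), "outcome": "released"})
    return released


if __name__ == "__main__":
    print(disclose(RECORD, "clerk.ng", "billing", "insurance claim"))
    print(disclose(RECORD, "study-42", "research", "hypertension audit"))
    for entry in ACCESS_LOG:
        print(entry)
```

The log records which fields left the system and why, which is what you will need when a patient asks for an accounting of disclosures or when a breach has to be scoped.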

Just as medication administration is taken very seriously, with the utmost accuracy and attention to detail because errors can mean the difference between life and death, the proper administration of patient data should be taken just as seriously: without accuracy and attention to detail, it too can lead to misdiagnosis or mistreatment.