Health information exchanges can help providers and public health departments overcome common obstacles.
The whole point of electronic health records is to facilitate the sharing of patient data, but that is still difficult, not just because interoperability hasn't been fully achieved, but also because matching patient records is still not easy to achieve – putting patients at risk for incorrect care and also posing privacy concerns, according to a new report by the Government Accountability Office.
The report, titled "Approaches and Challenges to Electronically Matching Patients' Records across Providers," says there are two ways that records fail to be matched accurately. These include:
Records for different patients are mistakenly matched. When this happens, health, safety and privacy are in jeopardy. A provider may use a diagnosis or medication information for the wrong patient. Or, if the wrong patient's medical information is added to another patient's record, the first patient's privacy has been breached.
Records for the same patient are not matched. When medical records for the same patient are not matched, providers don't have all the information they need to provide proper care.
For the study, GAO interviewed representatives from physician practices and hospitals to find out how they match patient records.
Some of them told GAO they have worked to improve the consistency with which they format demographic data in their electronic health records. Multiple stakeholders said no single effort would solve the challenge of patient record matching.
Stakeholders suggested these general ways the healthcare community could improve how patient records are matched:
implement common standards for recording demographic data;
share best practices and other resources; and
develop a public-private collaboration to improve matching.
When it comes to the role the Office of the National Coordinator for Health IT (ONC) should play, most interviewed for the survey weren't sure. However, some suggested that ONC could require demographic data standards for health IT certification, while others said the agency should push voluntary adoption of the standards.
WHY IT MATTERS
Healthcare providers are increasingly sharing patients' health records electronically. When a patient's records are shared with another provider, it is important to accurately match them to the correct patient. GAO and others have reported that accurately matching patient health records is a barrier to health information exchange.
GAO cites a 2014 study that found that as few as 50 percent of records are accurately matched when organizations exchange information. In the American Hospital Association's 2017 survey, 45 percent of large hospitals reported that difficulties in accurately identifying patients across health IT systems limited health information exchange.
THE LARGER TREND
GAO points out how important industry standards are for entering names and identifying data into an EHR, and recommends ONC's Interoperability Standards Advisory Reference as a way to ensure accurate matching. The latest version was just released Jan. 15, and was based on 74 comment letters, including nearly 400 individual recommendations for revisions.
A standards-based health ecosystem is also critical, and this year's HIMSS Global Conference and Exhibition's Interoperability Showcase next month in Orlando will feature 82 organizations demonstrating 121 health IT systems across 16 different use-cases. The showcase is designed to get at the heart of what the true value of interoperability really is, said Christel Anderson, senior director, interoperability initiatives, at HIMSS.
Diana Manos is a Washington, D.C.-area freelance writer specializing in healthcare, wellness and technology.
Healthcare IT News is a HIMSS Media publication.
Minister for Health Gan Kim Yong delivered a ministerial statement on the Committee of Inquiry (COI) report on the SingHealth cyberattack in the Singapore Parliament on January 15, 2019. In the statement, he said that the Ministry of Health (MOH) has appointed a Cybersecurity Advisory Committee to conduct a horizontal review of the cybersecurity governance structures and processes across the public healthcare clusters and Integrated Health Information Systems (IHiS), the IT agency for the Ministry.
He also outlined four key responses to the COI report’s recommendations. The first is enhancing governance and organisational structures as there is a “need for clearer cybersecurity risk ownership and accountability between IHiS and the public healthcare clusters, underpinned by a strong relationship to avoid fragmenting the Ministry’s healthcare IT strategy.”
At MOH, the Chief Information Security Officer (CISO) is currently also the Director of Cyber Security Governance at IHiS but these roles will be separated. The MOH CISO will be supported by a dedicated office in MOH and report to the Permanent Secretary. The MOH CISO office will be the cybersecurity sector lead for the healthcare sector. It will coordinate efforts to protect Critical Information Infrastructure in the healthcare sector, and ensure that the sector fulfils its regulatory obligations under the Cybersecurity Act. For its part, IHiS will have its own separate Director of Cyber Security Governance.
At the clusters, the cluster Group CIO office will now be made fully accountable to the respective cluster management and Boards. The GCIO office will be adequately resourced to carry out its role. The position of the Cluster Information Security Officer will be elevated to report directly to cluster management, and be accountable to the IT and Risk Management Committees of the cluster Boards.
Secondly, a cybersecurity model with multiple lines of defence will be put in place. This takes the form of a more robust ‘Three Lines of Defence’ structure within public healthcare:
The first line comprises units and personnel who develop, deliver and operate the IT systems. This is the Delivery Group. MOH will strengthen the IT delivery group to better integrate cybersecurity into IT delivery initiatives, improve the management of network security, and increase emphasis on security architecture and monitoring.
The second line of defence comprises units and personnel who have the specific responsibility to oversee security strategy, risk management and compliance. MOH will strengthen and elevate this second line of defence by establishing a dedicated Cyber Defence Group in IHiS headed by a senior leader at or equivalent to the Deputy Chief Executive level. The strengthened group will have independent oversight of cybersecurity implementation, compliance and risk management, and will oversee incident reporting and management. This will ensure that cybersecurity is managed at the senior management level, and an appropriate balance is struck between service delivery and cybersecurity considerations.
The third line of defence comprises checks and assurances independent of IHiS and our healthcare clusters, and independent of the first two lines of defence. MOH Holdings Group Internal Audit will continue to play this role. MOH also intends to commission and tap on independent third parties where appropriate.
The third aspect would be improving the cybersecurity awareness and capacity of staff. Starting this year, IHiS will engage specialist providers to conduct realistic hands-on “Cyber Range” simulation training to raise the competence of their security incident response personnel. IHiS also intends to learn from GovTech’s bug bounty and vulnerability disclosure programmes and start similar efforts.
Lastly, a tiered model of Internet access will be considered. In its report, the COI has recommended that an internet access strategy which minimises exposure to external threats should be implemented. Following the cyberattack, temporary Internet Surfing Separation (ISS) was implemented across Singapore’s public healthcare sector.
However, the implementation of the ISS has posed several challenges in the provision of patient care in some areas such as emergency care, decision-support for prescriptions and treatments, access to patient education resources, and booking of clinical appointments. ISS also caused delays to frontline patient management and backend administrative tasks. Research and education initiatives in the public healthcare institutions have also been impacted by ISS.
The current model of ISS is still workable but there needs to be longer-term solutions that are more efficient and sustainable. One such solution is the “virtual browser”, which allows access to the Internet through strictly controlled and monitored client servers. The client server acts like a decontamination room in which a file is opened and only an image/copy of the file is taken and sent to the recipient. In this manner, any malicious material or hidden content is ‘left behind’ in the decontamination room, greatly reducing cybersecurity risks.
This “virtual browser” pilot will begin in the first quarter of 2019 at the National University Health System. “Virtual browsers” will be deployed in selected job functions at selected departments and clinics. Some of the job roles participating in the pilot include frontline pharmacists and emergency department clinicians.
The conduct and evaluation of the pilot is expected to take about 6 months, and MOH will work closely with the Cybersecurity Agency of Singapore (CSA) to assess the cybersecurity adequacy of the solution. The effectiveness of the virtual browser will also be assessed.
Mandatory contributions to the National Electronic Health Record (NEHR) system will continue to be deferred as it is undergoing a series of cybersecurity assessments conducted by the CSA, GovTech, and independent firm PwC. The NEHR will also be subject to further testing and reviews, including exercises to test its defences against targeted attacks, as well as business continuity and disaster recovery plans.