Pain points: What's coming in healthcare IT in 2017

Here's what the year has in store: gushing data flows, continuing work on EHR interoperability, and cybersecurity pirates thicker than ever. In other words, gird your loins for more of the same healthcare IT!

Back in 2012, when Mike Archuleta joined the tiny Mt. San Rafael Hospital in rural Trinidad, Colorado, as IT director, he inherited a whole lot of nothing. 

No health IT team. No data center. Outdated servers. No infrastructure that would meet the government requirements newly issued with the Affordable Care Act. No physician or nurse documentation system. No e-prescribing. No cybersecurity plan. 

Three years later, under his leadership, the hospital achieved what consultants had pegged at a meager 20 percent possibility: the difficult-to-reach, vaunted Stage 2 of the government’s meaningful use criteria for adoption of electronic health records (EHRs). Mt. San Rafael was named one of the 2016 "Most Wired” hospitals by Hospitals & Health Networks, among other honors. Not too shabby for a 25-bed critical access facility. 

But, wow, what a sprint. Will 2017 finally bring Archuleta and other healthcare IT professionals time to relax?

Of course not. Like every other healthcare IT leader, Archuleta faces a new year full of increasing cybersecurity threats, continued data management headaches, and yet more new regulations and twists in old ones to satisfy. If he doesn’t, his hospital could face penalties. 

There are lots of questions on HIPAA. Is a given cloud-based solution compliant with HIPAA and HITECH? Is it scalable? Can it grow with the organization? And which is faster: software or the cloud?

Mike ArchuletaITIL healthcare CIO, Mt. San Rafael Hospital

His peers are all dealing with the same issues. Archuleta, who’s now ITIL healthcare CIO and digital health evangelist at Mt. San Rafael, is also on the board of directors for the Colorado branch of HIMSS (Healthcare Information and Management Systems Society), the nation’s largest healthcare IT organization. Archuleta hears the same pain from his colleagues there. 

Healthcare IT is just like every other kind, except it's more critical—particularly since lives are always at stake. There’s the challenge of building and maintaining the compute and storage capacity necessary to handle the data spurting from the healthcare world, be it from the Internet of Things (IoT) or generated by stressed-out doctors pecking at the keyboard to access one of the gazillion new e-health apps out there.

We’re on the cusp of more data growth still, between all the fitness trackers, consumers' at-home monitoring of things like blood pressure and blood glucose levels, and the explosion in EHRs. As Alvaro Gomez-Meana and Mary Mirabelli note in HPE’s Healthcare.nxt report, in the U.S. alone, 1,100 vendors offer EHRs, and we don’t yet have integration and the seamless communication and information delivery it should (theoretically, hopefully someday) get us. 

And that’s just the start. Here’s a look at the pain points the new year will bring to Archuleta and his fellow healthcare IT leaders, and how they plan to cope.

Healthcare Rx: How technology and IoT can help fix a broken system

Tiptoeing into the cloud

Healthcare is increasingly pushed toward the cloud, turning to elastic compute and storage to help manage its data, just like every other industry. According to the HIMSS Analytics 2016 Cloud Survey, which polled IT leaders at 105 healthcare provider organizations, close to 50 percent reported that they were planning a future move to the cloud for analyzing big data and PACS (picture archiving and communication system) storage. Many are already using cloud technology for patient engagement tools.

The payoffs are enticing. For example, PACS storage can enable the capture, storage, viewing, and sharing of all types of images internally and externally, including X-rays and MRIs.

But it’s not always a smooth move to the cloud. Just as with EHRs, systems don’t always talk to each other. One hospital can have competing, non-interoperable PACS in its inpatient, ambulatory, or emergency departments, and the same lack of interoperability can make it impossible for those systems to transmit medical images to the other electronic systems with which PACS have to integrate. 

Wearables improve population health management

Another major push that’s sending healthcare to lead the way to cloud computing is the social paradigm. Consumers want access to their test results. They want to use their mobile devices to book appointments. They’re pushing their health data via wearable devices, such as Fitbits, Pebbles, Bluetooth-enabled blood pressure monitors, and remote patient monitoring platforms (such as Glooko for diabetics), all of which can send data to care teams. All this data isn’t just about one individual, one patient. It’s all adding up to big data, and the coming year is going to see a big push for healthcare IT to use it to gain perspective into population health. 

“People went wild experimenting with health apps for Androids and iPhones—watches, smart watches,” says Anne Zieger, a healthcare industry analyst. The mobile devices operated independently and at a personal level initially, she says. “But what’s happening is that hospitals and doctors are saying, ‘Huh. I can look at trends, but what if I had all that Fitbit and smart watch data and I put it all together, and I could make predictions about the population I’m managing?’” Zieger notes. If the doctors don’t say that, don’t worry—the patients will. They are tracking their own health metrics and expect healthcare professionals to incorporate that into care plans. 

The money trail underscores the trend: As venture capital firm Rock Health’s midyear review shows, significant money is being invested in the categories of wearables and sensors, population health management, and personal health tools. 

Can’t we all just get along?

In its 2016 report to Congress on the progress of health IT, delivered in November, the Office of the National Coordinator for Healthcare IT highlighted a persistent sticking point in healthcare IT: namely, the way that EHR vendors continue to block information and patient access to their own medical records. “The traditional business environment does not adequately reward, and often inhibits, the exchange of electronic health information, even when exchange is technically feasible,” the report glumly sums up. 

Nobody expects miracles, but we should continue to see some progress on that front in 2017, be it through carrot or stick. For one thing, toward year’s end, Congress passed and President Obama signed the 21st Century Cures Act, legislation that requires health technology vendors to make disclosures about interoperability, with potential penalties for information-blocking practices.

We’ll also see a continued increase in adoption of vendor-neutral FHIR (Fast Healthcare Interoperability Resources) standards, developed by the HL7 ANSI organization, as an alternative to proprietary interfaces by leading vendor EHR systems. Another step toward interoperability: In December, we saw a collaboration between the not-for-profit Sequoia Project’s Care Quality Interoperability Framework and Commonwell Health Alliance, a consortium of health IT vendors that aims to promote interoperability. The effort should help to boost data sharing among providers in 2017. 

Regulations are gumming up the cloud

But while we’re seeing some progress on EHR interoperability that should help with the move to the cloud, regulatory issues are another sticking point. 

At Phoenix Children’s Hospital, that’s one of the bones CIO David Higginson has to pick with the cloud. He’s ready for the move, all right; for Phoenix Children’s, the big, capital-intensive, rip-and-replace push into EHRs is coming to a close. Now, it’s time for lean IT: a move to operating on a much smaller budget, if it can wheel the figurative gurney over the bumps. 

In this post-meaningful-use landscape, Higginson’s team is looking at every cost, negotiating every contract, and trying plenty of new, intriguing stuff to connect patients more closely to the hospital. The cloud is already playing a part: Every patient’s room has a tablet, for example. It makes perfect sense: Why not let kids order their own food off a menu? Play games? Talk to friends and family during their stay? See which nurse or doctor will be stopping by next?

But cloud could play an even bigger part in helping out with lean healthcare IT. One example: To connect better with patients, over the past few months Phoenix Children’s has focused on putting live chat on its website. The idea is to install smart chat, Higginson says, chat that knows what you’re looking at on the hospital’s site, routes you to the most relevant person in the organization, and has the capability to do things like present a web form that enables you to book an appointment at the time you’re asking about it. You can see why that would be appealing to a lean IT outfit: It is conversion marketing with a 20 percent success rate at turning site visitors into customers and patients. 

The biggest hurdle is with cloud providers’ tendency to gag on regulatory issues. “First thing that gets us all the time: 85 to 95 percent of live chat [solutions] are run on the cloud with a non-HIPAA-compliant version, and the vendor’s not interested in providing one,” Higginson says. “There have been many great products we did lots of research on, but we can’t use them without a HIPAA solution. We run into that everywhere. Web 2.0 solutions over the last few years? They’ve been completely non-usable in healthcare because of HIPAA.”

More regulations coming in 2017

The new year has yet more regulations ahead for healthcare IT leaders to grapple with (and for the cloud to gag on), including Meaningful Use Stage 3 for the EHR incentive program, more interoperability work, and MACRA-MIPS (Medicare Access and CHIP Reauthorization Act Merit-based Incentive Payment System). 

Specifically, in the healthcare industry’s continued, years-long, heavily regulated slog away from paper-based systems, where a doctor’s handwriting had to be interpreted and patient files could be misplaced, the year 2017 ushers in the Meaningful Use Stage 3 requirement that more than 60 percent of proposed measures attain interoperability. That’s up from 33 percent in Stage 2. Other new benchmarks for 2017 and the years beyond include public health reporting and finalization of the use of APIs to build bridges across disparate systems and increase data access. Those linked systems are intended to help patients get access to their own health records, which will empower them to make health decisions on their own. 

We’ve got a way to go in that regard, EMRs or no EMRs. “EMRs are in place,” says Zieger. “They’re wonderful. They can do certain things. But they’re still siloed. They’re not always connected to the lab or to imaging systems, for example.” 

When it comes to regulations, 2017 isn’t just about data analytics or big data. It’s about healthcare IT figuring out how to connect the things their healthcare organizations have already got, Zieger says. Here’s a real-world example: Zieger experienced lack of interoperability firsthand with a pulmonary embolism. For treatment, she went down the block to a nearby hospital. They fixed her up. But the hospital is in a separate healthcare system than the one she prefers, Innova. 

“Does Innova have any idea I had a pulmonary embolism?” Zieger says. Well, no. How would they know, being in a completely different hospital network with a separate system that doesn’t talk to other hospital networks? “How much of a prediction can they make about me having another pulmonary embolism? That’s dependent on interoperability,” she points out. “Putting aside those two healthcare systems I border on, if my primary care physician is at a hospital owned by a health system, that health system knows nothing about my primary care if I don’t tell them. What the heck do they know about me? Nothing. It ought to be known. It's scattered all over the place. You say, ‘Doctor, can you look at my X-ray?’ The answer is ‘Nope, that system’s not connected.’”

And then there’s MACRA-MIPS. MACRA replaces the current Medicare reimbursement schedule with a new pay-for-performance program that’s focused on quality, value, and accountability. The Centers for Medicare and Medicaid Services explains it as the enactment of a new payment framework that rewards healthcare providers for giving better care instead of more service: a transition of the healthcare industry from fee-for-service to value-based care. 

But adopting new payment systems hasn’t exactly been a walk in the park. During a panel devoted to the issue in December, Grace Emerson Terrell, MD, former CEO of Cornerstone Health Care, said that for many physicians, the complexity of EMRs and MIPS are overwhelming, and the payment systems are slow to respond. 

Conformance to MACRA-MIPS will be a priority in 2017, Mt. San Rafael’s Archuleta says. The work entails consolidation of three existing quality reporting programs: Physician Quality Reporting System (PQRS), Value-based Payment Modifier (VBPM), and meaningful use (MU). On top of that, MACRA-MIPS also adds a new performance category, called improvement activities (IA). All of that has to be consolidated into a single system through MIPS.

So that’s a quick peek at what’s coming down the pike vis-à-vis interoperability and regulations in the new year. And while all that work’s going down, the crooks are going to be banging away at defenses harder than ever. Setting up appropriate security is going to be yet another sticking point to moving to the cloud in 2017. 

Lions and tigers and ransomware, oh my!

While cloud security is a major concern for any industry, as the conveyor of the most valuable, most targeted data (save PayPal accounts, that is) healthcare has a bull's-eye on its back. That complicates cloud choices more than in other sectors, as a recent Healthcare IT News article notes: “Healthcare decision makers must keep in mind they can’t just tap into anybody’s offering. A cloud-based solution that is purpose-built for the regulatory and privacy demands of healthcare and life sciences requires more than compute, storage, and networking services.”

Archuleta is on the cusp. Since 2012, he and his team have managed to get an on-premises data center running, but in 2017 they’ll begin moving some data to the cloud to balance out the overall infrastructure. After all, that infrastructure costs the organization in terms of hardware, heating and cooling, and precious real estate. 

For now, Mt. San Rafael is using an all-flash storage solution through NetApp, but Archuleta is evaluating cloud solutions. He’s got specific questions in mind: “How difficult is it to obtain capital funding for a specific cloud-based solution?” is one. 

Then, he answers that himself: “It’s difficult,” he says. “How much access can you have to support with [a given] product? And there are lots of questions on HIPAA [the Health Insurance Portability and Accountability Act]. Is a given cloud-based solution compliant with HIPAA and HITECH [Health Information Technology for Economic and Clinical Health Act]? Is it scalable? Can it grow with the organization? And which is faster: software or the cloud?”

Cybercrooks are hoping you get cloud wrong 

Then again, says Archuleta, there are good reasons not to go to the cloud. The ROI for infrastructure on premises in a data center may be pretty dismal, he says, but at least you have control over securing and accessing your data. “The growth, the scalability—that, you need to do yourself. But the beauty is, you get security and updates internally. You have all the access to your information, and you have all the updates.”

As for what he sees coming in the new year, increased cyber risk is at the top of the list, cloud or no cloud. 

It’s easy to see why. As it is, according to a recent survey, 87 percent of healthcare lawyers say that healthcare is at greater risk of data breaches than other industries. The crooks back them up: According to account monitoring company LogDog, coveted Social Security numbers were selling on the Dark Web for a measly $1 as of last February—same as a Facebook account. That pales in comparison with the asking price for medical data, which was selling for $50 and up. No wonder healthcare is the most popular sector for cyberattacks. It’s likely to stay there in the new year, too: In its 2017 Data Breach Industry Forecast, Experian says healthcare organizations will continue to be buffeted, with new, sophisticated attacks emerging. 

All those breaches of 2016? The ransomware attacks on hospitals, such as the one on Hollywood Presbyterian? For which it coughed up $17,000 to get back its vanished EMRs, access to X-ray and CT scan info, and ability for employees to turn on their computers again?

“I think it’s going to get worse,” Archuleta says. “You’ll see way more breaches, and ransomware will boost up. In 2016, [the crooks] saw very high profits of organizations paying ransom fees.” 

In 2017, if organizations don’t start focusing on employees and awareness training, there will be a problem, he says. His fears are backed up by a CHIME survey that found that healthcare CIOs and chief information security officers specifically cited social engineering and data theft as top threats. The upshot: While healthcare organizations like Phoenix Children’s have shifted into lean IT mode, expect healthcare to spend more on security in 2017, for good reason. 

6 takeaways for healthcare IT leaders

  • Expect to see gradual increases in interoperability. 
  • The ecosystem of IoT data-collecting devices, such as wearables and sensors, will continue to expand. 
  • As patients increasingly track their own health, they’ll expect their health teams to incorporate the data into care plans. 
  • Social engineering attacks, data theft, and ransomware attacks will continue to rise.
  • Spending on cybersecurity defenses will rise as well. 
  • The move to the cloud will continue, though regulatory, security, and interoperability snags won’t disappear. 

This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.