Network Infrastructure

LOS ANGELES — Building on several best practices and basic blocking and tackling of cybersecurity, healthcare organizations must also take a higher-level view to effectively address the problems of today. “Cybersecurity could not be more important. The breaches continue to happen, in the federal government, the private sector, it’s all over,” said Ronald Ross, a fellow and data scientist at the National Institute of Standards and Technology here on Monday at the Privacy and Security Forum. In addition to outlining the new security engineering guidance document that NIST released on May 4, 2016, which he described as “the most important, most transformational,” he has worked on at NIST, Ross offered that high-level solution. “Leadership, governance, and accountability will solve 90 percent of our cyberbreaches,” Ross said. Sign up for the Healthcare IT News Privacy & Security Update newsletter. Symantec health information technology officer David Finn agreed, saying that a strong leader with governance in place can then hold people accountable when those policies and procedures are not working. “Governance has to include the CEO, CFO, the board,” Finn added. “Because that’s the only way it works.” That approach should take into account: expenditures, insurance, regulatory compliance and “all the things that companies do to mitigate risk,” said PwC managing director Lisa Gallagher. Kyle Gilliland, director of information security at Huntington Hospital said that healthcare entities cannot simply buy security. “It starts with taking a look at your business needs and trying to build security into those,” Gilliland said. Ross also said cybersecurity needs to be proactive, not reactive, and that healthcare organizations should build security into every facet of their business — and explained that when NIST was working on the new document, it reached out to engineers who build bridges, planes and other large systems to understand and incorporate their best practices.  [Also: NIST to release new guidance for strengthening hospital cybersecurity] “When a plane crashes or a bridge collapses, the first thing we do is call the engineers to find out why it happened,” Ross explained. In the event of a data breach, however, healthcare organizations typically collect more threat intelligence, rather than actually understanding their own weaknesses to improve upon those. NIST’s new guidelines can help lead entities in that direction, though Ross said regardless of which framework a hospital chooses, the best tactic is to pick one the organization understands, is comfortable with, and can execute against. “The only way to improve security is to architect and engineer your system,” Ross said. “You have to use engineering techniques to limit the damage adversaries can do.” Twitter: @SullyHIT Email the writer: tom.sullivan@himssmedia.com Like Healthcare IT News on Facebook and LinkedIn

"With respect to some business practices: It's time to lead, follow or get out of the way," CMS Acting Administrator Andy Slavitt said at the 2016 Health Datapalooza in Washington, D.C. "If you want to lead the way with innovations that help consumers, great; if you want to follow by using established standards for data and measurement and technology, also great," he added. "If you have a business model which relies on silo-ing data, not using standards or not allowing data to follow the needs of patients – pick a new business model or pick a new business." On the heels of the April announcement of the proposed MACRA ruling, Slavitt spoke to healthcare innovators, industry leaders and developers early Tuesday evening. And while he had no further news to share with the specifics of the proposal, it was clear his intentions were firm. "What Vice President Biden said should stick with us: As taxpayers, we did not spend $35 billion so companies could build their own silos," Slavitt said. "At this stage, there's no room for business practices that don’t match the need of patients." On the forefront of Slavitt's thoughts were patients with the least access to care and an "obsession with a plight of the independent physician." However, "physicians are baffled by what feels like the 'physician data paradox.' They're overloaded on data entry and yet rampantly under-informed," Slavitt said. And the majority of providers are seeing a chasm between the time needed to invest in making the IT work and the actual positive results within their practices. "Technology isn’t doing the things we know it can," he added. "Help us make smarter decisions, reduce our wasted time, help us communicate or understand what to expect next." While these issues are troubling, according to Slavitt, the solution isn't the need for more IT inventions. But rather five crucial steps to initiate change in the healthcare industry: the massive release of data; changing incentives to reward providers for patient outcomes; creating "core" quality measures across all payers; advancing interoperability; and the proposed replacement of meaningful use. "These steps are designed to make it easier for you to innovate, to open up competition and to move the focus from designing around regulations, to allowing you to design around patients’ and physicians’ needs," Slavitt said. "The opportunity for you to transform healthcare into an information industry has never been more ripe or more urgent." Twitter: @JessieFDavis Email the writer: jessica.davis@himssmedia.com Like Healthcare IT News on Facebook and LinkedIn

The American Dental Association unwittingly sent malware-infected USB thumb drives to dental offices nationwide, the ADA confirmed today.

Adam Landman, MD, will take the reins as chief information officer at Boston's Brigham and Women's Health Care, effective May 2.

Stolen credentials, privilege misuse and miscellaneous errors were the three biggest causes for health data breaches in 2015, according to the 9th annual Verizon Data Breach Investigations Report released Tuesday.

There are day-to-day blocking and tackling tactics that every healthcare organization should be doing right now to reasonably address the current security threat landscape.

Officials uncovered 'significant risks' and irregularities during rollout, raising concerns about a viable final product, a spokesperson says.

A top security expert says healthcare entities need to apply a more scientific and evidence-based approach to the practice of security. Here’s what Seattle Children’s is doing to harden its threat environment.

The deal ties Dell’s population health solutions into Ensocare’s cloud service for care coordination, the vendors said.

Combine years of delay, ever-changing rules and requirements, state and federal red tape and a once-mighty company now in deep financial trouble. What do you get? In California’s case, a $179 million computer modernization project that has to be junked. The project, which went to bid in 2007 and still is far from completion, was to process claims for Medi-Cal, the state’s health-payment program for low-income residents. It finally was put to rest this week when the state Department of Health Care Services announced a legal settlement with Xerox Corp., the project contractor, under which Xerox will pay the state approximately $120 million. (The state had paid Xerox $9 million so far, $8.1 of it with federal funds.) That means Medi-Cal’s existing computer system — creaky, patched-together and, decades old — will continue to operate for however long it takes the state to contract out and build a replacement. According to the settlement, Xerox will continue to run the existing system until 2019. The health care services department is putting a bright face on the project’s demise calling it an “opportunity” to reevaluate current needs, it in a press release issued Monday. A fresh start, it went on, will ensure “modern, robust and sustainable system.” The department noted California’s not the only state with such problems: “Many other states … have adjusted their strategies” toward their Medicaid computer systems, the release said. Medi-Cal is California’s version of Medicaid. Indeed, Xerox’s problems with its Medicaid systems in Texas, Alaska and other states have been widely publicized. The DHCS declined to comment beyond the press release. The settlement requires the department and Xerox both approve in advance any public statement for the next 30 days. In its statement, Xerox said the settlement agreement finalizes the announcement it made last fall “that it did not expect to complete implementation of the Health Enterprise Platform in California.” Xerox further said that it is “pleased to work with DHCS to continue processing Medi-Cal claims through September 2019.” The existing computer system, more than 30 years old, handles millions of transactions a day for Medi-Cal, everything from approving medical procedures and paying doctors to determining patient eligibility for the program. Persistent problems came to a head two years ago when a backlog of nearly a million Medi-Cal applications caused untold numbers of patients to put off seeing their doctors until the problems were resolved. California’s drawn-out competition for the replacement project began in 2007. Xerox won the contract in 2010. By 2012, the project was already in trouble. Delays caused the state to impose on Xerox a “corrective action plan. ” Originally scheduled for completion by the end of this year, the project isn’t close to done, the settlement indicates. Its not uncommon for government computer systems to fall behind schedule, in part because of red tape. In this case, the massive Medi-Cal replacement contract with Xerox was inked just five days before President Barack Obama signed the Affordable Care Act into law. As new regulations under the law worked their way through the health care system, requirements for the Medi-Cal project continued to change. Compounding matters, Xerox itself fell into deep trouble. Its stock has lagged far behind the market in general. The company is under pressure from investor activist Carl Icahn. Late last year, Xerox said it would wind down its Medicaid computer systems business in California and Montana, take a $385 million charge against earnings, and “focus on profitable market segments.” That meant the end of the California project. Several companies compete in the Medicaid system market. As of February, Xerox was the number-two provider, covering 11 states. The leader, HP Enterprise Systems, covers 18. Xerox will pay California about $103 million in cash, provide computer hardware and software worth $15 million, and abandon requests for payment worth roughly $5 million more. This story was produced by Kaiser Health News, which publishes California Healthline, a service of the California Health Care Foundation.