The Department of Health and Human Services recently stated what anyone working with healthcare information systems already knows. The smaller the medical practice, the more challenging it is for them to manage healthcare IT.
To quote the April 2016 paper by the Office of the National Coordinator for Health Information Technology (ONC):
Smaller practices and rural and safety net providers often struggle to make selections from a large number of certified health IT choices, in many cases with access to fewer resources and less technical expertise.
Solo medical practices slowest to adopt EHR and new healthcare technology
Adoption rates for electronic health records (EHR) incentivized by the 2009 HITECH Act show small practices lagging behind hospitals in modernizing health information systems with so-called certified EHR equipment. A little more than half (55%) of solo physicians had adopted certified EHR in the five years after HITECH; compare that to hospitals (97%) and physicians as a whole (74%), and the disparity becomes evident.
The government penalizes practices that forgo meaningful use of EHR equipment, starting with a 1% hit in 2015. This increases to 2% in 2016 and 3% in 2017. Why do so many solo practices choose to incur EHR penalties instead of moving to EHR?
The ONC report states that, unlike other industries, which have comparison tools, health IT has very little comparative information available on the usability and cost of certified products. “Just like anything in IT you need management buy-in to make it happen,” says Michael Tallman, a HIPAA trainer and consultant for medical facilities in the public and private sectors.
For a doctor who runs his or her own shop, a new health information system introduces all sorts of non-medical complexity to the business. It opens up questions about HIPAA compliance, protected health information (PHI), data security risks, and special rules for doctors and office staff to follow when using health IT equipment.
The lack of comparative information for health IT might explain why NeweggBusiness small medical office customers often ask for guidance about which hardware to purchase. “Compliancy and HIPAA-related things, those are the big confusion points,” says David Kim, an Account Executive specializing in assisting the healthcare segment. “Security is a big concern.”
“ONC urges the technology community to provide more clarity about hardware for health IT, so we try to provide due diligence.”
Health IT deploys mostly the same hardware any SMB would
In most circumstances, a small medical practice is fine with the same hardware that a security-conscious small business would use. “Medical records are just like any other kind of sensitive data a business wants to protect,” the HIPAA expert Tallman says. “I certainly agree this is like any other form of information assurance.”
It makes sense, then, that medical customers are, in fact, buying the same equipment as SMBs.
In Q1 2016, the number one item NeweggBusiness sold to healthcare customers was the Dell OptiPlex 3020 with an Intel Core i5, a tried-and-tested office PC.
Three of the top seven items are Fujitsu document scanners, which are probably being used for EHR migration, the process of moving old paper records to digitally stored formats.
The top piece of networking equipment is NETGEAR GS108T, an inexpensive 8-port smart switch designed for a small office network setup.
Standard commercial monitors—a 23-inch ASUS VS238H-P and 24-inch Acer S1 series monitor—are both top 10 selling items in our healthcare segment. This makes sense because most new commercial monitors meet Digital Imaging and Communications in Medicine (DICOM) standards for medical use. Only special diagnostic and operating room / surgical situations necessitate high-end medical grade monitors.
Some technical acumen helps when deploying barcode scanners in healthcare, but the POS scanner and printer hardware is usually similar to what a small retail store would use to track inventory.
For additional security products, official HHS IT recommendations say that keeping endpoint security software up to date is important for small practices, and that larger practices should add a hardware firewall appliance to the network.
Human behavior dictates HIPAA compliance more than anything else
“The first line of defense is always your users,” Tallman says. “Staff training and auditing is always the best bang for your buck.” The statistics back this sentiment. A May 2015 Ponemon Institute study states that nearly 70% of healthcare organizations cited employee negligence as their biggest security threat.
“Something as simple as walking away from a kiosk without logging off exposes patient information and can result in huge fines,” Tallman explains. “A lot of SMB types feel like they are below the radar; that kind of complacency will get them hit first.”
There is a dearth of information on HIPAA awareness for small medical office staffs available online, and Tallman suggests that is where any practitioner should start.
The HHS provides HIPAA documentation especially for small providers and health plans, which outlines approved user behavior in a clear and focused manner uncommon in governmental writing. The American Dental Association (ADA) provides similar HIPAA materials for dental offices.
Another good resource is the HIPAA Blog for up to date compliance-related news that affects small practices.
When in doubt, Tallman recommends getting a consultant involved to train and audit staff behavior. “Always evaluate. Get a couple of opinions if you can swing it.”
Layer in cloud hosting and software encryption
Many small practices turn over storage of EHR to cloud providers. This is an alternative to storing patient information on computers and servers at the office. There are pros and cons to this approach, and cloud providers are not all the same. Practitioners opting for the cloud route should be aware of the questions doctors should ask cloud providers before trusting them with patient data.
Encryption is regarded as one of the best defenses against stolen medical data. For example, if someone loses a laptop with patient medical records, encryption software might prevent that data from being exposed.
There are a whole host of applications that can encrypt hard drives. Popular choices in healthcare include BitLocker, which comes with Windows 10 Pro, and security suites that bundle encryption tools, such as Kaspersky Total Security. “Encryption is one more layer so that the information is not erroneously thrown out there,” Tallman explains.
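The controls this article keeps returning to (drive encryption against a lost laptop, endpoint protection that is actually up to date, and a kiosk that locks itself when staff walk away) can all be verified from one read-only script. The following is an added example, not code from the article, from NeweggBusiness, or from any of the vendors named; it assumes a Windows 10 Pro workstation where the BitLocker, Defender and NetSecurity PowerShell modules are present, and the thresholds (7-day signature age, 10-minute idle lock) are illustrative assumptions rather than HIPAA-mandated numbers.

```powershell
# Added example (not from the article or NeweggBusiness): read-only audit of a
# Windows 10 Pro workstation for the controls a small practice is told to have.
# Thresholds are assumptions for illustration, not regulatory requirements.
#Requires -RunAsAdministrator

function Invoke-WorkstationSecurityAudit {
    param(
        [int]$MaxSignatureAgeDays = 7,    # assumed: signatures older than a week are stale
        [int]$MaxIdleLockSeconds  = 600   # assumed: unattended screen must lock within 10 min
    )

    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
        $status = if ($Ok) { 'OK' } else { 'ACTION NEEDED' }
        $findings.Add([pscustomobject]@{ Check = $Check; Status = $status; Detail = $Detail })
    }

    # 1. Drive encryption (the lost-laptop scenario): every volume BitLocker reports must be
    #    fully encrypted with protection on; "EncryptionInProgress" or "Off" does not count.
    try {
        foreach ($vol in Get-BitLockerVolume -ErrorAction Stop) {
            $ok = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'On')
            Add-Finding "BitLocker $($vol.MountPoint)" $ok `
                "VolumeStatus=$($vol.VolumeStatus); ProtectionStatus=$($vol.ProtectionStatus)"
        }
    } catch {
        Add-Finding 'BitLocker' $false "Get-BitLockerVolume failed: $($_.Exception.Message)"
    }

    # 2. Endpoint protection is enabled, real-time scanning is on, and signatures are recent.
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $ageDays = (New-TimeSpan -Start $mp.AntivirusSignatureLastUpdated -End (Get-Date)).TotalDays
        $ok = $mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled -and ($ageDays -le $MaxSignatureAgeDays)
        Add-Finding 'Endpoint protection' $ok `
            ('AV enabled={0}; real-time={1}; signatures {2:N1} days old' -f `
                $mp.AntivirusEnabled, $mp.RealTimeProtectionEnabled, $ageDays)
    } catch {
        Add-Finding 'Endpoint protection' $false "Get-MpComputerStatus unavailable: $($_.Exception.Message)"
    }

    # 3. Unattended-kiosk scenario: a password-protected screen saver must engage quickly.
    #    Values pushed by Group Policy live under the Policies key and take precedence over
    #    the per-user settings, so that key is consulted first.
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userKey   = 'HKCU:\Control Panel\Desktop'
    function Get-DesktopSetting([string]$Name) {
        foreach ($key in @($policyKey, $userKey)) {
            $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { return $item.$Name }
        }
        return $null
    }
    $active  = Get-DesktopSetting 'ScreenSaveActive'
    $secure  = Get-DesktopSetting 'ScreenSaverIsSecure'
    $timeout = [int](Get-DesktopSetting 'ScreenSaveTimeOut')   # seconds; 0 when unset
    $ok = ($active -eq '1') -and ($secure -eq '1') -and ($timeout -gt 0) -and ($timeout -le $MaxIdleLockSeconds)
    Add-Finding 'Idle screen lock' $ok "ScreenSaveActive=$active; ScreenSaverIsSecure=$secure; ScreenSaveTimeOut=$timeout s"

    # 4. Host firewall on every network profile. This complements a hardware firewall
    #    appliance at the network edge; it does not replace one.
    foreach ($p in Get-NetFirewallProfile) {
        Add-Finding "Windows Firewall ($($p.Name) profile)" ($p.Enabled -eq 'True') "Enabled=$($p.Enabled)"
    }

    return $findings
}

# Run from an elevated PowerShell prompt; anything marked ACTION NEEDED is a gap to close.
Invoke-WorkstationSecurityAudit | Format-Table -AutoSize
```

The script changes nothing; it only reports, so it is safe to run on a live front-desk PC during office hours. The same checks map directly onto the staff-behaviour point above: a lock timeout of zero means the kiosk relies entirely on the person remembering to log off, which is exactly the failure mode the consultant describes.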
At the end of the day, data security for healthcare technology benefits from a multilayered approach, just as it does for any other small business, and small practices consequently tend to use the same tools to build those layers.
