Future-Ready Healthcare IT Platforms: Get To The Cloud


Healthcare platforms are changing. Find out how a jump to the cloud is expanding the potential far beyond its previous abilities. Learn more: http://del.ly/DellHealthcare

Published in: Health & Medicine
  • Corrine – What’s the source?

    The adoption of IT cloud services among healthcare firms is roughly at parity with all firms. However, there is a far greater (32.5%) percentage of healthcare firms evaluating IT cloud services for a specific workload or service compared with all firms (23.6%). This represents an opportunity for suppliers to help educate healthcare organizations about best practices and use cases for cloud adoption.

    Private cloud deployments, both internal and external, are also increasing, which changes how firms will procure services and solutions.

  • Emphasize that these are common concerns across industries.
  • A HIMSS survey of large healthcare organizations found that just 47% currently conduct annual risk assessments as of last year, which is part of the original HIPAA requirement. Fifty-eight percent of the respondents had no staff members dedicated to security, and 50% spent 3% or less of organizational resources on security. So, you’re certainly not alone if you have yet to implement and conduct periodic risk assessments.

    We wanted to show on this slide that Meaningful Use is really nothing new. The Security Rule has been around since 1996 in the original form of HIPAA. When the HITECH Act was developed as part of the American Recovery and Reinvestment Act, it applied some new extensions to the already existing rule. For instance, with HITECH, new breach notification rules were extended, mandating reporting of breach incidents to HHS for breaches that affect more than 500 people, and extending the rules to health care business associates. HITECH also implements a new tiered system that increases civil monetary penalties for noncompliance and also allows state attorneys general to file civil actions for HIPAA violations on behalf of a community’s constituents.

    The Meaningful Use guidelines, set out by CMS, cover measure 45 CFR 164.308, which sets out the requirement to conduct a risk assessment. This measure, in turn, is part of a series of measures that encompass the full Security Rule from HIPAA. Meaningful Use can be thought of as HHS finally starting to get some sizzle to their steak in terms of enforcing and incenting providers not only to adopt EHR, but also to make sure that it is implemented in a way that supports the original HIPAA guidelines.

    How the risk assessments are conducted still has some flexibility built in, which adds some confusion to the environment. Federal guidelines such as NIST SP 800-66 are often referred to. Some of the basic questions that this guideline and others recommend you consider when implementing the Security Rule are:
    • Have you identified ePHI within your organization, including ePHI that you create, maintain, or transmit?
    • What are the external sources of ePHI? For example, do vendors or consultants create, receive, maintain or transmit ePHI?
    • What are the human, natural, and environmental threats to information systems that contain ePHI?

    While risk analysis is a necessary component to reach and achieve the Meaningful Use requirements, it’s also a necessary tool to reach any sort of substantial compliance with many other standards and implementation specifications. So, although it’s a starting point, the risk assessment is really just a stepping stone to the complete compliance that will be required and continually enforced in the near future.

    The HIPAA Security Rule specifically focuses on the safeguarding of ePHI and is the most comprehensive guideline around protected health information. All HIPAA covered entities, which includes some federal agencies, must comply with the Security Rule. The Security Rule specifically focuses on protecting the confidentiality, integrity, and availability of ePHI, as defined in the Security Rule. The ePHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. In general, the requirements, standards, and implementation specifications of the Security Rule apply to covered entities including:
    • Covered Healthcare Providers: any provider of medical or other health services, or supplies, who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard.
    • Health Plans: any individual or group plan that provides or pays the cost of medical care (e.g., a health insurance issuer and the Medicare and Medicaid programs).
    • Healthcare Clearinghouses: a public or private entity that processes another entity’s healthcare transactions from a standard format to a nonstandard format, or vice versa.
    • Medicare Prescription Drug Card Sponsors: a nongovernmental entity that offers an endorsed discount drug program under the Medicare Modernization Act.

  • Since 2009, 435 healthcare entities have reported data breaches affecting over 20 million patients [1].
    The average economic impact of a data breach over the past two years is approximately $2.2M [2].
    Nearly 40% involve lost or stolen portable media devices containing unencrypted PHI.
    Encrypted patient data is covered under the safe harbor.

    In July of 2011, the HHS’ Office of Civil Rights (OCR) announced that it had appointed consulting firm KPMG to conduct up to 150 HIPAA audits of covered entities and business associates by the end of 2012; the implementation of the audit program fulfills a compliance enforcement mandate of the 2009 HITECH Act.

    The KPMG contract enables OCR to put “feet on the street,” while retaining an oversight role in the process. Sue McAndrew, OCR’s deputy director for health information privacy, confirms that some audits could even result in OCR enforcement action. “Certainly, if we uncover in the course of the audit major violations or potential violations … we will be dealing with those … in the same manner we would through our formal enforcement process,” she said recently.

    Criminal and civil penalties can be levied against organizations and/or individuals for violations of the HIPAA Privacy and Security Rules. Monetary penalties for a breach of the HIPAA Privacy and Security Rules range from $100 to $50,000 per violation. In addition to all this, state attorneys general are now authorized to bring civil actions against HIPAA violators on behalf of state residents. These audits have already begun.

    These audits will supposedly “initially offer comprehensive assessments of compliance with the HIPAA privacy and security rules rather than specific narrower issues.”

    While the projected number of 150 audits in 2012 makes the likelihood of an audit visit to your organization fairly low – keep in mind, OCR has a separate initiative underway to train State Attorneys General on the HIPAA audit process as well, so this is something that will likely become even more persistent and granular in the future.

    Organizations participating in the EHR “meaningful use” plan already have a compelling incentive to “conduct or update a security risk analysis” but with or without meaningful use, this is a mandatory requirement for all covered entities and business associates, taken verbatim from the HIPAA Security Rule itself.

    And as you may know, organizations are required to report breaches affecting 500 or more individuals to HHS, along with details of the breach – where the entire incident is then posted publicly on the HHS website on their so-called “wall of shame”.

    And a third factor is that OCR and state attorneys general’s offices now have the ability to penalize healthcare providers for failing an audit. This level of scrutiny is not likely to dissipate anytime soon; if anything, it is more likely than ever that a breach or a lack of risk management will have disastrous consequences.

    In addition to this trifecta of incentives to focus on security, there’s also the reality that breaches are happening every day. In fact, 60% of hospitals had more than two data breaches in the past two years. This is likely because over two thirds of hospitals don’t have the proper policies and controls to detect and respond to breaches, according to a recent Ponemon research study.

    Since the data breach notification regulations by HHS went into effect in September 2009, 435 (as of 7/15/2012) incidents affecting 500 or more individuals have been reported to HHS, according to its website. A total of over 20 million individuals have been affected by a large data breach since 2009. The regulations require a covered entity that discovers a reportable breach affecting 500 individuals or more to report the incident to the HHS Office of Civil Rights immediately.

    A report recently released by Redspin, an IT security firm, states that data breaches stemming from employees losing unencrypted devices spiked 525 percent in the last year (2011) alone. This statistic confirms that devices, including laptops, tablets and smartphones, pose a very high risk for a data breach. Redspin reported that eighty-one percent of healthcare organizations now use smartphones, iPads, and other tablets, but forty-nine percent of respondents in a recent healthcare IT poll by the Ponemon Institute said that nothing was being done to protect the data on those devices. In a study published in 2011, the Ponemon Institute found that the cost of a data breach was $214 per compromised record and the average cost of a breach is $7.2 million.
    Encryption of PHI is a major step a provider or institution can take to secure its sensitive patient data. Encryption is the use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without use of a confidential process or key. According to HHS guidance, if an entity encrypts its data in accordance with the National Institute of Standards and Technology standards for encryption, then any breach of the encrypted data falls within a safe harbor and does not have to be reported. This is an incredibly important safe harbor that could save an entity a lot of money.
  • Future-Ready Healthcare IT Platforms: Get To The Cloud

    1. Future-ready Healthcare IT Platforms: Get to the Cloud (2013). Andrew Litt, MD, Chief Medical Officer, Dell Healthcare and Life Sciences
    2. Panelists: David Tomlinson, CIO/CFO, Centegra; Bill Russell, CIO, St. Joseph Health; Ismelda Garza, IT Director, Comanche County Medical Center
    3. Current usage: moving beyond the cloud hype
       • Enterprise cloud application revenues reached $22.9B in 2011 and are projected to reach $67.3B by 2016.
       • 60% of server workloads will be virtualized by 2014.
       • Global cloud traffic will account for nearly two-thirds of total data center traffic by 2016.
       • Today 46% of business data is stored outside of internal IT structures.
       • Over the past three years nearly 74% of data centers increased physical server count.
       • IaaS cloud management & security and PaaS are growing from $7.6B in 2011 to $35.5B in 2016.
       • Chart: projected market spend of $241 billion by 2020, split Private / Hybrid / Public (24% / 37% / 39% as listed).
       Source: Dell Customer Research, April 2013
    4. Industry adoption varies (source: Gartner). Adoption levels: Advanced, Heavy, Moderate, Measured, Lagging. Industries: Financial services, Telecommunications, Government, Education, High tech, Energy and utilities, Healthcare, Retail. What is being adopted: Private cloud, PaaS and IaaS; Community cloud and service providers; Community cloud and SaaS; Email and collaboration; Brokerage and messaging integration; Panicky migration from vendor to provider; Not much happening; Public records, medical processes.
    5. Healthcare transformation in the cloud (Healthcare and Life Sciences)
    6. Changing healthcare landscape
       • 2013, traditional IT still dominant: 41.8% of a healthcare organization's IT budget is allocated to traditional IT deployment.
       • 2015, cloud IT growth accelerates: within two years' time the traditional IT budget will decrease to 35.4%; use of public cloud services will increase from 12.6% to 15.8%.
       • 2017, cloud IT a multi-$B market: although adoption is held back by regulatory initiatives and security concerns, the cloud market in healthcare is expected to grow to $5.4 billion by 2017.
    7. Impediments to cloud adoption for healthcare providers (% of respondents, in the order shown)
       • Concerns over security and availability: 40
       • Have not yet developed a cloud roadmap: 28.4
       • No end-to-end service management strategy: 20.5
       • Unclear future and roadmap for cloud services: 17.4
       • Have not yet created a service catalog for cloud services: 14.1
       • Have concerns about cross-border rules: 11.8
       • Have not identified what our exit plan for cloud would be: 11.3
       • Concerns that cloud providers will not continue to innovate: 7
       Source: IDC's Global Technology and Industry Research Organization IT Survey, 2012
    8. Multiple regulatory requirements
       • HIPAA: Health Insurance Portability and Accountability Act (1996). Security rules: 45 CFR 160, 45 CFR 162, 45 CFR 164.
       • HITECH: American Recovery and Reinvestment Act – Health Information Technology for Economic and Clinical Health (2009). HIPAA Security Rule plus: new civil money penalties for violations; covered entities and business associates must comply; breach notification obligation for breaches on or after Sept. 2009.
       • Meaningful Use (2010). Risk analysis: 45 CFR 164.308(a)(1), Core Measure 15.
    9. How can audits and penalties impact you: Breach Notification Rule; KPMG contract, audits of 150 hospitals; fines and penalties.
    10. Challenges = cloud opportunity: reduce costs; improve quality of care; operate under high regulations; effectively manage IT resources.
    11. Why cloud? Secure, flexible, simple.
       • Manage specific environment on customer behalf
       • Facilitate aggressive implementation schedules
       • SLA easy to understand and implement (99.95% uptime)
       • Free up hospital IT resources to focus on service delivery and application implementation
       • Expect predictable outcomes with a choice of service levels for operational availability
       • Choose disaster recovery options that allow you to meet Recovery Point Objectives and Recovery Time Objectives
       • Select add-on solution options to fulfill your specific requirements
       • Reliable & secure ISB backup, recovery, and tape administration
       • Highly secure and reliable network connectivity options offer HIPAA-compliant data encryption
       • System monitoring
       • Pre-defined server availability levels
       • Standard data administration procedures and tools
    12. Dell cloud strategy for healthcare. Constituents: hospitals, physicians, payers, life science. Strategic pillars: (1) establish an interoperability network connecting healthcare constituents; (2) develop a next-generation delivery mechanism based on a secure cloud platform that supports derivative data-driven solutions; (3) integrate current and future solutions through the cloud to deploy at scale. Healthcare cloud platform: analytics; archiving & storage; reporting & alerting; data management; security; interoperability; mobility; other. Healthcare solutions: electronic medical records; revenue cycle services; payer solutions; other.
    13. Dell Healthcare in the Cloud (figures as shown on the slide)
       • 6B+ diagnostic image objects managed by Dell in the cloud, protecting medical images for 7% of the US population
       • 29B security events processed daily by Dell SecureWorks, a core component of the Dell Cloud
       • 50+ customers supported with cloud-based HIS and DR (MEDITECH)
       • 650,000+ integration processes per day with Dell Boomi, over 3x our nearest competitor
       • 1st to market with the Dell OpenStack Solution (Dell’s Crowbar deployment, management and services)
       • More EMRs supported in a secure dedicated Healthcare Cloud than any other healthcare IT services provider
       • $200M saved by Dell, achieved by virtualizing 10,000 servers and reducing applications from 7,000 to less than 2,500
       • 400K physicians and 500 individual practices supported by Dell’s physician hosting cloud solution
    14. David Tomlinson, CIO/CFO, Centegra
    15. Bill Russell, CIO, St. Joseph Health
    16. Ismelda Garza, IT Director, Comanche County Medical Center
    17. Q&A
    18. Let’s get started. Visit the Solution Showcase to see our end-to-end healthcare solutions and services. Gain hands-on experience and see demonstrations at the Solution Showcase. Schedule a visit to a Dell Solution Center near you: Austin • New York City • Washington D.C. • Chicago • Santa Clara • Mexico City • Sao Paolo. Go to www.Dell.com/healthcare
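The speaker note on encryption above describes it as transforming data so that it has no meaning without a key, and ties the breach-notification safe harbor to encryption done to NIST standards. The Go program below is an added example, not part of the original deck and not Dell's code: it seals a constructed sample patient record with AES-256-GCM, the NIST-specified authenticated encryption mode (SP 800-38D), and demonstrates the two properties a defender is relying on when claiming the safe harbor: the stored bytes are opaque without the key, and any modification of the stored record is rejected rather than decrypted into silently corrupted data. The key, the record contents, and the storage path used as associated data are all invented for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// SampleRecord is a constructed stand-in for one ePHI row; it is not real
// patient data and every value in it is invented for this example.
const SampleRecord = `{"mrn":"000-EXAMPLE","name":"Jane Doe","dx":"J45.909"}`

// NewKey draws a fresh 256-bit AES key from the OS CSPRNG. In a real
// deployment the key is held in a KMS or HSM, never on the same storage
// as the records it protects, so a lost disk or backup yields only ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals plaintext with AES-256-GCM (NIST SP 800-38D).
// Output layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
// aad is authenticated but not encrypted (here, the record's storage path),
// so a sealed record cannot be silently swapped into another patient's slot.
func EncryptRecord(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce slice, giving nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// DecryptRecord reverses EncryptRecord. Any change to the nonce, ciphertext,
// tag or aad makes Open fail, so the caller never receives corrupted plaintext.
func DecryptRecord(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short to contain nonce and tag")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	aad := []byte("patients/000-EXAMPLE") // constructed storage location

	sealed, err := EncryptRecord(key, []byte(SampleRecord), aad)
	if err != nil {
		panic(err)
	}
	// What someone holding the disk but not the key sees: opaque bytes.
	fmt.Printf("stored form (%d bytes): %x...\n", len(sealed), sealed[:16])

	plain, err := DecryptRecord(key, sealed, aad)
	fmt.Printf("authorized read: %s (err=%v)\n", plain, err)

	// A single flipped bit in the stored record is detected, not decrypted.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptRecord(key, tampered, aad)
	fmt.Println("tampered record rejected:", err != nil)
}
```

Run it with `go run` on any Go toolchain; only the standard library is used. The design point worth taking from the note above is that the safe harbor rests on key management as much as on the cipher: if the key is stored next to the records (on the same laptop, in the same backup set), a lost device still exposes the data, which is why the example keeps key generation in its own function and comments that production keys belong in a KMS or HSM.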