On Monday, the U.S. Food and Drug Administration (FDA) proposed banning most powdered gloves in the U.S. While the use of these gloves is on the decline, the risks associated with them for both healthcare workers and patients cannot be corrected through new or updated labeling, says the FDA.
“This ban is about protecting patients and healthcare professionals from a danger they might not even be aware of,” says Jeffrey Shuren, M.D., director of FDA’s Center for Devices and Radiological Health. “We take bans very seriously and only take this action when we feel it’s necessary to protect the public health.”
The powder that is sometimes added to natural rubber latex gloves to aid in putting them on or taking them off can carry proteins that might cause respiratory allergic reactions. Also, while powdered synthetic gloves don’t typically cause allergic reactions, they have been linked to potentially serious side effects such as severe airway inflammation, wound inflammation, and post-surgical adhesions. It’s important to note here that these side effects have been associated with powder used in gloves, regardless of the type of glove used.
The ban would apply to powdered surgeon’s gloves, powdered patient examination gloves, and absorbable powder for lubricating a surgeon’s gloves. It does not extend to non-powdered surgeon and examination gloves. Those gloves will remain listed as Class I medical devices, which are devices that pose the least amount of risk to the patient or healthcare worker.
The public will be able to comment on the proposed rule online at www.regulations.gov for 90 days.
Next week, New York will become the first state to require all prescriptions be written electronically. Physicians who fail to comply will be penalized with fines and/or imprisonment. This is the second part of a 2012 state law, I-Stop, which was designed to help fight prescription opioid abuse.
The first part of I-Stop went into effect in 2013 and is an online drug registry that contains all of the controlled medications prescribed to a patient. Physicians need to consult the registry before prescribing medications, according to a recent article in the New York Times.
Minnesota has a similar law; however, physicians aren’t penalized for using paper prescriptions.
By John Commins, HealthLeaders Media
Advocates for a voluntary patient safety identifier envision a process that would allow patients to create a way for medical systems to recognize them quickly and accurately, in much the same way as financial sector businesses.
A leading trade group for the nation’s health information technology sector is asking patients to endorse the creation of a national voluntary patient safety identifier.
The American Health Information Management Association said Monday that it has launched a petition and wants to send the Obama administration at least 100,000 signatures from patients who support the idea.
The petition, which AHIMA hopes to send to the White House by April 19, asks for the removal of a ban that prohibits the Department of Health and Human Services from participating in efforts to create a patient safety identification system.
“That was way back in the original draft language of HIPAA. It had language specific to unique patient identifiers,” says AHIMA’s Pamela Lane, vice president, policy & government relations. “Back in the day there was a lot of concern about big government spying on people. So, when the final language came out, they’d taken the references to patient identifiers out.”
“To keep it from getting added back in, there was language put into the appropriations bill in 1999 that said that HHS could not use any of their resources on patient identifiers. They can talk about the problem, but they can’t talk about the solutions,” Lane says.
2,488 Maria Garcias
Lane says the need for patient safety identifiers continues to grow as 80% of doctors and 97% of hospitals use electronic health records. She cited a study conducted by the Harris County Hospital District in Houston, TX, which found that, among 3.5 million patients, there were nearly 70,000 instances where two or more patients shared the same last name, first name, and date of birth. Among these were 2,488 different patients named Maria Garcia and 231 of those shared the same birth date.
A specific patient identifier would ensure that each patient’s health information is kept together and is complete and remains under the patient’s control. AHIMA and other supporters of the voluntary patient safety identifier envision a process that would allow patients to create a way for medical systems to recognize them quickly and accurately, in much the same way as financial sector businesses.
“We don’t know what it will look like. We are not proposing any particular technical solution, but we don’t believe the technology is the problem anymore,” Lane says. “It could be something as simple as an email address specifically for healthcare, or could be like a banking [or] ATM number. The technology exists for there to be lots of things to talk about. There are brilliant minds that have been working now for almost 20 years since HIPAA was enacted on technical solutions. We just want to be able to have private/public conversations.”
Lane says AHIMA members often see firsthand the problems associated with mismatching patient IDs.
“We’ve waded into it because we are the profession in healthcare that has to clean up a lot of the problems,” she says. “Let’s say there are two patients with the same name. Many, many times the people who match those records and validate those identities are EMR professionals. We are the ones who have the closest real-world knowledge of the problem.”
The petition marks the first direct appeal to patients and consumers by AHIMA, which is not well known outside of healthcare circles. “We have not traditionally been consumer-facing as an association. This is a brand new avenue of advocacy for us,” Lane says.
“This is a great opportunity to say ‘I am the one who on the back end fixes the problem and I am going to help you find ways to fix it on the front end.’ We also have worked with other associations and groups, as they reach out to their members, who reach out to patients. It’s a heavy lift, but we don’t have to do it all ourselves.”
Source: HealthLeaders Media
By Alexandra Wilson Pecci, HealthLeaders Media
Johns Hopkins Medicine coordinates high-quality care across ambulatory care centers, using a model it says has resulted in improved metrics associated with breast cancer screenings, immunizations, and diabetes management.
Johns Hopkins Medicine's commitment to quality care is evidenced by a governance, oversight, and accountability model that is cascading throughout its ambulatory medicine sites.
"Hopkins has always had an emphasis on quality and safety that was really born from our inpatient experiences," says Steven Kravet, MD, president of Baltimore, MD-based Johns Hopkins Community Physicians.
Yet how to ensure that the quality of care remains high, even as the organization grows, and in particular, grows on the ambulatory side? Like many health systems and hospital operators, JHM is seeing more growth in its ambulatory services than its inpatient services. And outpatient services are being distributed not only throughout the community, but beyond it.
In the wake of rapid outpatient growth, JHM recognized the need for better ambulatory quality and safety processes to maintain the high level of care that's become the inpatient standard. So it developed a model to coordinate high-quality care across its ambulatory care centers, which resulted in improvements in metrics pertaining to breast cancer screenings, childhood immunizations, diabetes management, and prenatal care.
Kravet is lead author of a paper in the March issue of Academic Medicine that outlines the JHM model's structure and success.
JHM has two hospital outpatient centers and more than 39 primary and specialty care outpatient sites where nearly two million non-ancillary ambulatory visits are conducted annually across the health system, the paper notes. Often, each ambulatory care practice has its own organizational structure.
To ensure consistent quality, JHM created a governance, oversight, and accountability model that cascades throughout the ambulatory sites. It consists of:
An Ambulatory Leadership Dyad
The dyad consists of a senior physician leader in the role of ambulatory chief quality officer (CQO) and a master's-trained nurse in the role of a senior director for ambulatory quality. The CQO was selected from the Office of Johns Hopkins Physicians (OJHP), which coordinates and oversees ambulatory physicians and staff. The CQO dyad organizes and oversees analytics and dashboards for the quality metrics.
The Ambulatory Quality Council
The AQC comprises key leaders from each ambulatory practice setting, the OJHP, and JHM's Armstrong Institute for Patient Safety and Quality. Some of the practices are represented by a physician and an administrative leader, while others are represented by a physician, an administrative leader, and a senior nurse.
"It's created a table to hear what's going on in ambulatory, even when it's distributed throughout the community," Kravet says.
The AQC is also divided into four workgroups which share best practices, and each workgroup is devoted to a different theme:
- Performance measures
- Patient safety/risk
- Patient care/experience
This "cascading accountability model… provided a quality structure for all JHM ambulatory practices. As part of this model, the JHM Quality Board Committee created a quality and safety accountability system, establishing goals and measures for the CQO dyad. The Ambulatory Quality Council then defined its goals, set standards, monitored performance, and reported to the JHM Quality Board," the paper says.
Kravet says this approach brings people together to create an accountability model, set standards, facilitate processes, and distribute knowledge in a practical way. In a way, it's reminiscent of how franchises operate: Each is an independently owned business, but must adhere to the model and standards of the overall organization.
"The same measures… are then pushed down to the unit level," Kravet says. "We distribute the dashboards and the expectations."
In addition, the paper says that "if an ambulatory practice continues to report substandard performance metrics, its leaders as well as the ambulatory practice chief quality officer are required to create an action plan and present it to the Board of Trustees."
Since it was implemented in early 2014, the model has resulted in improvements in a dozen government-required performance metrics. "An additional benefit was an improvement in Medicaid value-based purchasing metrics, which are linked to several million dollars of revenue," the paper says.
"It has created a great sense of accountability," Kravet says. It's broken down silos by putting patients at the center of care and encouraged stakeholders to have a voice in shaping and sharing goals.
Moreover, the model is scalable, and the authors believe it can be expanded to "other ambulatory practices within and outside JHM, including to regional and international partners," the paper reports.
"Patient safety is something that everyone can galvanize around," Kravet says. "When people are part of the design, they have greater buy-in into the accountability."
This article appears in the March issue of Patient Safety Monitor.
Hospitals need to have a structure in place to respond to patient safety failures
Healthcare can be a stressful industry to work in, particularly when something goes wrong. Instead of relying on humans to react under pressure, one organization is offering a structured approach to patient safety failures.
In January, LifeWings Partners LLC, an organization that specializes in patient safety training and best practices, released a failure recovery tool aimed at standardizing the way hospitals respond to medical errors. Patient Safety Monitor Journal spoke with Stephen W. Harden, chairman and CEO of LifeWings in Collierville, Tennessee, about the new tool and how hospitals can integrate it into their patient safety systems.
Editor's note: The following has been edited for space and clarity.
Q: Can you tell me why you decided to focus on failure recovery?
A: Despite their best efforts, there is a lack of perfection on the part of healthcare. Healthcare is provided by humans and one thing we know about humans is they are going to make mistakes. So it's not perfect and the mortality statistics point that out.
Q: Why do clinicians deviate from protocols?
A: There are basically four reasons why a protocol isn't followed:
One reason is people don't know the protocol exists because they've never been taught it. That's a training problem.
Some people have been taught that there's a protocol, but they don't actually know how to follow it. Teaching means that you've told them how to do it and explained the importance of the how and the why. Then you have an expert demo how to do it. Then the learner practices it under the watchful eye of the expert – they actually try and do the protocol. And then the learner gets feedback from the expert.
The third reason healthcare professionals don't follow protocol is they can't. There is some sort of barrier the organization has left in the way. Maybe the protocol is written down, but the manual is hidden away in someone's office. So you've added too many steps to the healthcare provider's workday to go get the protocol and follow it. More commonly the reason they can't is they are physiologically not capable of following it. What that means is you've mis-hired somebody. You've hired someone that can't adequately do the job.
The fourth reason is they are making a conscious decision not to. Typically, that's because they think their way is better or that it's not really required. If you think your way is better, or you feel like you can combine some steps to make the protocol more efficient. Or you don't have time to do it that way and you've developed a shortcut. There are all sorts of logical reasons on the part of the provider where they think, "I really don't have to go through all these steps – there's a quicker, smarter, easier way to do this."
Quite frankly, that is really the main reason protocols are not followed, and the problem that managers and supervisors within healthcare struggle with the most is willful noncompliance.
Q: How does the checklist help with that? How does it identify which of these reasons led to failure and help resolve willful noncompliance?
A: I'm not sure it helps any of those reasons. What it does do is it acknowledges the fact that humans do make mistakes despite their best efforts. In that moment – when you realize you've made a mistake and you need to recover from it – you really do need a blueprint or a checklist to follow, when maybe you're not cooking on all cylinders. When a mistake has been made and you've hurt someone you didn't intend to hurt, everyone is in a state of mini shock. You need a guideline to follow to help plot your steps forward in the midst of the chaos and the shock. And that's what it's for.
The analogy for this is a flight crew on a commercial airline 30,000 feet above the ocean and three hours from nearest landfall, and they have an engine fire. Well, that's going to create a lot of shock and consternation in the cockpit; I don't care how experienced the crew is. You don't want them to try and use all their cognitive abilities to come up with how they are going to respond to an engine fire 600 miles from nearest landfall with 235 people on board. You want those steps laid out for them so, in the midst of this mind-numbing shock, they don't have to depend on their cognitive abilities when under so much stress.
It's the same sort of analogy. You hurt a patient who put their life in your hands. Your job was to fix them and now you've hurt them. There's a lot of stress. We're not at the top of our game cognitively. Having a checklist to follow that guides you through these steps in the midst of that performance detriment is really valuable.
Q: Is that why hospitals struggle? Because they don't have that structure in place?
A: I don't know. I can say they don't have recovery protocols in place, but it's probably not as well-defined as a protocol to deal with a bloodstream infection or a protocol to deal with ventilator associated pneumonia.
What we're trying to do is give high-performing teams in hospitals a checklist to follow to guide them through that high-stress, high-workload moment after they realize they've hurt a patient.
Q: You've listed nine steps in the failure recovery tool. Are any of those particularly important or ones that hospitals tend to neglect?
A: If you pinned me down and made me pick one, I would say most hospitals struggle with acknowledging throughout the team that something was amiss and confronting it head on. There's a culture of silence, both because no one wants to admit a mistake, number one, and number two, they don't want to get sued.
This is less so now in my career helping hospitals than it was 10 years ago. Ten years ago, I was always shocked at the culture of silence that pervaded around a mistake. That's one of the primary ways we learn – acknowledging something you didn't want to happen happened, understanding why it happened, and disseminating the learning. That's an area of healthcare that's way, way behind aviation. Aviation is really good at picking at its scabs and figuring out why that happened, sharing lessons learned, and letting others learn from your misfortunes so they don't repeat the mistake. Healthcare is not there yet.
Q: But you feel that has shifted over the last decade?
A: I do believe there is a groundswell or shift happening slowly but surely. But they certainly aren't where aviation is in terms of publicizing and acknowledging their mistakes so everyone can learn from them in a nonpunitive environment.
Q: How would you like to see hospitals use this tool?
A: Here's what I want them to do: I want them to say, "Yes we need something like this. This is a good start. Let's blow this up and build it for our specific purposes."
I'd like to see them use the underlying principles and customize it to their needs. Quite frankly, that's the only way anyone is going to use it. The one thing we've discovered about all the protocols we promote and offer to all of our client hospitals is they have to take those and blow them up and rebuild that in their own vision and culture and their own way.
If you build something yourself and it fits your people and culture and your particular medical society, you're way more likely to use it than if someone just handed it to you and said, "Here, use this."
This article appears in the March issue of Patient Safety Monitor Journal.
Patient Safety Awareness Week (March 13-19), presented by the National Patient Safety Foundation’s (NPSF) United for Patient Safety Campaign, is underway. Healthcare facilities and leading patient safety organizations across the country are expected to participate in patient safety week.
The United for Patient Safety Campaign, announced by the NPSF last month, encourages dialogue between patients and healthcare providers to promote safety for both patients and healthcare workers. Participants are encouraged to download educational materials, post pictures, and share their plans for Patient Safety Awareness Week.
NPSF is offering two major events this week. First up is a Twitter chat, “Patient Safety in All Settings,” that will take place at 2 pm EST on March 15th. The chat will focus on safety issues across all healthcare settings. Participants can join the chat by using the hashtag #PSAW16chat.
On Thursday, March 17 at 1 pm EST, the NPSF is hosting a free webcast, “Patient Safety is a Public Health Issue.” Leading experts from the Agency for Healthcare Research and Quality (AHRQ), Centers for Medicare and Medicaid Services (CMS), Centers for Disease Control and Prevention (CDC), and NPSF will discuss how patient safety is being addressed at the national level.
As part of Patient Safety Awareness Week, The Joint Commission unveiled a new web page today, dedicated to patient safety resources, including a new issue of its Quick Safety newsletter about the Patient Safety Systems chapter of the hospital manual.
Last week, The Joint Commission released its sentinel event statistics from 2015. Of the 936 sentinel events reported last year, the most common were unintended retention of a foreign body (116), wrong-site/wrong-side/wrong procedure surgery (111), falls (95), and suicides (95).
The most common root causes of sentinel events last year were human factors (e.g., staff supervision issues), leadership (e.g., organizational planning), and communication with either administration or patients.
The Joint Commission has been compiling sentinel event data since 2004. Of the 9,884 patient cases reported, more than 55% of patients died due to a sentinel event and 8.7% suffered from permanent loss of function.
Complete P.T., Pool & Land Physical Therapy, Inc. (CPT), a California-based physical therapy practice, agreed to a corrective action plan and a $25,000 resolution amount to settle allegations that it disclosed protected health information (PHI) as part of a video testimonial campaign, HHS says.
The settlement is the result of a complaint lodged with Office for Civil Rights (OCR) in August 2012. The complainant alleged that CPT posted patient testimonials to its website without legal, HIPAA-compliant authorization. The testimonials included patients’ names and full face photographs. OCR launched an investigation and determined that not only had CPT disclosed PHI without permission, the organization did not have reasonable safeguards to protect PHI or effective policies and procedures to obtain HIPAA-compliant authorization to disclose PHI.
OCR Director Jocelyn Samuels stressed that HIPAA applies to all providers that fall under the definition of covered entity, including physical therapy providers. Covered entities must obtain permission before using a patient’s PHI for marketing purposes, which includes posting on social media or websites, and all disclosure authorizations must meet requirements outlined in HIPAA.
As part of the settlement, CPT agreed to adopt a corrective action plan and report their compliance efforts to OCR for one year. According to the terms of the corrective action plan, CPT must:
- Develop HIPAA-compliant policies and procedures to protect PHI
- Distribute these policies and procedures to its staff and require a written or electronic signature documenting that the signatory read and understands the policies and procedures
- Assess and update policies and procedures at least annually
CPT agreed to submit a draft of its revised policies and procedures to HHS for approval. HHS will, if necessary, recommend changes and CPT will resubmit the draft until HHS gives it final approval. CPT will then have 30 days to implement the policies and procedures, including distributing them and educating staff and obtaining signed compliance certification from staff.
HHS placed particular emphasis on CPT developing policies governing the disclosure of PHI and directing staff to create and obtain valid authorization from patients before PHI is disclosed.
CPT also agreed to train staff on HIPAA and CPT’s updated policies. Staff will be required to sign a training certification document, acknowledging that they have received and completed the training. CPT will keep all course materials and review and update them annually.
The Joint Commission released a new Sentinel Event Alert last week, aimed at helping healthcare providers to better identify and treat patients at risk for suicide. Over 1,000 patient suicides were recorded in The Joint Commission Sentinel Event Database between 2010 and 2014.
According to SEA 56, the most common cause of patient suicides during this time frame is linked to inadequate assessment, especially psychiatric assessment. The Joint Commission recommends that healthcare facilities create a standardized process of suicide ideation screening. This could be done by simply adding the question “Are you having suicidal thoughts or have you had suicidal thoughts in the past?” to the waiting room questionnaire. Ensure that the questionnaire is reviewed before the patient leaves the facility and, if necessary, refer the patient for further screening.
Additionally, healthcare providers should check the patient’s background for potential suicide risk factors, including:
- Previous suicide attempts
- History of alcohol and drug abuse
- Mental or emotional disorders (e.g., depression or bipolar disorder)
- History of trauma or loss (e.g., abuse as a child, family history of suicide, economic hardship)
- Serious illness, physical or chronic pain or impairment
- Social isolation or a pattern of aggressive or antisocial behavior
- Recent discharge from inpatient psychiatric care (e.g., patients may be at higher risk during the first year after discharge)
This alert replaces previous SEAs 46 and 7.
For the last several years, there has been a startling mortality trend emerging in the United States: Each year, middle-aged white Americans are dying at a faster clip than any of their counterparts in different age groups, ethnicities, or countries.
It's a trend that was startling, in part, because researchers couldn't explain why it was happening, particularly since death rates for other groups have been declining. However, in November, new research from two Nobel Prize-winning Princeton economists found that the increasing number of deaths among whites 45-54 was linked to substance abuse, including heroin and prescription opioids.
According to the CDC, the rate of opioid overdose deaths between 1999 and 2013 was highest among those ages 45-54 (10.6 per 100,000). Furthermore, opioid overdose deaths increased sevenfold among adults 55-64 to 7.5 per 100,000 in 2013, and deaths among non-Hispanic whites have increased more than four times from 1.6 per 100,000 in 1999 to 6.8 per 100,000 in 2013.
This is an excerpt from the monthly healthcare safety resource Patient Safety Monitor Insider.
On March 1, the Department of Justice (DOJ) charged Olympus Corp. with paying millions of dollars in kickbacks to hospitals and doctors to buy its products. The company, which owns 85% of the U.S. endoscope market, has agreed to pay $646 million to resolve the criminal charges and civil charges brought against it. The sum is the largest total amount paid in U.S. history for violations involving the Anti-Kickback Statute by a medical device company.
“Olympus Corp. of the Americas’ and its subsidiaries’ greed-fueled kickback scheme threatened the impartiality of medical decision-making and the financial integrity of Medicare and Medicaid,” said Special Agent in Charge Scott J. Lampert of the U.S. Department of Health and Human Services in a statement.
The DOJ says that by using kickbacks, Olympus’ U.S. division (OCA) made over $600 million in sales and $230 million in profits. The company admits to the charges, which include:
- Holding up a $50,000 research grant until a hospital signed a deal to purchase Olympus equipment.
- Giving a doctor with a major role in a New York medical center’s buying decisions free use of $400,000 in equipment for his private practice.
- Paying off doctors with hot air balloon rides, winery tours, spa treatments, lavish meals and rounds of golf at an Olympus-sponsored forum.
- Paying for a trip for three doctors to travel to Japan in 2007 as a quid pro quo for their hospital’s decision to switch from a competitor to Olympus.
- Giving a hospital a $5,000 grant to facilitate a $750,000 sale.
- Giving a week-long, paid vacation in Japan to the physician president of a professional organization and his spouse for three years in a row. The president was also paid a $10,000 honorarium to give a single lecture during each trip.
“The Department of Justice has longstanding concerns about improper financial relationships between medical device manufacturers and the health care providers who prescribe or use their products,” said Principal Deputy Assistant Attorney General Mizer. “Such relationships can improperly influence a provider’s judgment about a patient’s health care needs, result in the use of inferior or overpriced equipment, and drive up health care costs for everybody.”
The OCA division’s settlement is split between $312.4 million for criminal penalties and an additional $310.8 million to settle civil claims under the federal and various state False Claims Acts. Mizer said in addition to yielding a substantial recovery for taxpayers, the settlement will send a clear message that these types of abusive arrangements will not be tolerated.
Charges for Olympus’ Latin American Division
It's worth noting that $22.8 million of the fine is being paid by Olympus’ Latin American (OLA) division to resolve a separate criminal charge after paying providers at government-owned facilities to buy Olympus products.
Between 2006 and 2011, OLA spent nearly $3 million in cash, money transfers, personal grants, personal travel and free or heavily discounted equipment to get providers at government-owned facilities to buy Olympus products. OLA admits it delivered these illicit kickback benefits to pre-selected practitioners at “training centers,” nominally set up to educate and train doctors. In total, OLA's actions earned it $7.5 million in profits.
Olympus has come under fire in recent months from the Food and Drug Administration and the Senate after it was revealed that its duodenoscopes were linked to dozens of infection outbreaks and 21 deaths since 2012. A report by the Washington Post found that the company knew its scopes had a flaw that prevented them from being disinfected properly, but concealed the dangers from hospitals for two years.
“OLA’s illegal tactics in Central and South America mirrored Olympus’s conduct in the United States. The FCPA resolution announced today demonstrates the department’s commitment to ensuring the integrity of the health-care equipment market, regardless whether the illegal bribes occur in the U.S. or abroad,” said Principal Deputy Assistant Attorney General Bitkower.
As part of the settlement Olympus has signed a new corporate integrity agreement with the Department of Health and Human Services. The program requirements include:
- Compliance responsibilities for OCA management and the board of directors
- A health care compliance code of conduct that includes certain standards
- Training and education that includes specified standards
- Requirements for consulting arrangements, grants and charitable contributions, management of field assets and review of travel expenses
- A risk assessment and mitigation process
- New review procedures for testing the compliance program
“For years, Olympus Corporation of the Americas (OCA) and Olympus Latin America (OLA) dropped the compliance ball and failed to have in place policies and practices that would have prevented the substantial kickbacks and bribes they paid,” said U.S. Attorney Paul Fishman. “It is appropriate that they be punished for that. At the same time, the deferred prosecution agreement takes into account the companies’ cooperation and commitment to fully functional corporate compliance.”
By Scott Mace, HealthLeaders Media
This article originally appeared in HealthLeaders Media.
As HIMSS gets underway, the healthcare IT world is still shaking from last month's audacious privacy breach at a California hospital. Hollywood Presbyterian Hospital paid a $17,000 ransom to a criminal enterprise that broke into the hospital's system, encrypted data, and demanded an even larger payment.
While the concept of "ransomware" is not new, the very public ransom payment by Hollywood Presbyterian once again ratchets up the pressure in healthcare executive suites and boardrooms to do something different, and soon, to protect healthcare's digital assets.
As these things usually go, we may not learn exactly how the ransomware crooks found their way into Hollywood Presbyterian's systems and data. Perhaps to guard against further intrusions, or as a bulwark against lawsuits, enterprises tend not to divulge publicly just what the root causes of breaches are.
With that in mind, I spoke last week with a CIO who is sounding the alarm about an attack vector which, to my knowledge, has not yet been publicly blamed for any major breach in a US healthcare system, but has to be on the list of culprits.
Aaron Miri is chief information officer of the 100-bed Walnut Hill Medical Center in Dallas, Texas. "I came out of the telecom space," he says. "Healthcare is probably 10, 15, 20 years behind the finance, telecom, and other industries, and rapidly catching up, but very much behind.
"Medical devices are one of the top issues for CIOs, due to the fact that the rules of the road apply differently to hospitals than they do to the medical device manufacturers, the EMR vendors, and to all the different verticals within healthcare that make up the continuum of healthcare."
The issue, Miri says, is that too many medical device manufacturers do not meet the definition of a covered entity as defined by HIPAA. Where a covered entity such as Walnut Hill has to abide by all of HIPAA's provisions to encrypt data at rest or in transit, the non-covered-entity device manufacturers can avoid placing basic security provisions in their equipment—provisions such as specific, secure logins.
"Those medical devices and those devices out there in the field are absolutely a risk point, because they have to touch a corporate network in some form or fashion to translate that data back to your EMR or whatever application is ingesting that," Miri says.
At this point, I noted the lack of specific callouts to unsecured medical devices as a root problem on the HHS Office of Civil Rights' notorious "wall of shame" of HIPAA breaches.
Miri's response took the form of an example. "In one of my previous lives, we had a newborn hearing test [device] that goes into the newborn's ear, [and] was plugged in, via a serial cable, to a vendor-provided laptop," he says.
"That was all considered a standalone solution. But it was really a laptop connected to this medical device, all supported by the vendor. But it could not be encrypted for latency purposes. So we had to do all sorts of mitigating factors around it to make sure that, because it wasn't encrypted, that we accepted the risk, that we understood what the risk was, and so forth and so on. We had a business associate agreement with that vendor, and so that vendor dealt with the whole kit and caboodle, the whole solution. However, that was a risk point."
Sure enough, Miri says, "we did have an issue that we had to report to the OCR, because that laptop ended up stolen. These things happen all the time; however, given the nature of how clinical devices are somewhat a hodgepodge of laptops, computers, and/or a medical device, it may not qualify as a standalone device that must be reported."
A Big, Big, Big Problem
Windows XP is also a continuing headache in too many medical devices, Miri says. "I just saw one the other day in the UK, where a Windows XP device that was actually a lab instrument was infected with malware and had inadvertently infected an entire NHS hospital."
Another example Miri cites is medication-dispensing machines. "In my previous life, I had three brand-new medicine-dispensing machines shipped to me, brand new, still in the shrinkwrap," he says. "We put them into a brand new unit we had just built. We turned them on. We plugged them in the network. Immediately, my systems started going haywire. Sure enough, these things came infected from the factory with malware, because their underlying operating system was Windows XP. This was just a year and a half ago.
"Based on my conversations with other CIOs, [we] don't even know what's happening because of how unmanaged these devices are." He likens these devices to "little pockets of individual freedom floating out there that must attach to your network because the FDA mandates it must do so, without any ability to get your arms around the product, because they play by a different set of rules. So it's a big, big, big problem."
In Washington, groups such as CHIME and HIMSS are calling for tougher rules on medical device manufacturers, but Miri notes that responsibility for solving the problem is divided between the FDA, the FTC, and the HHS Office of Civil Rights. "Who is the true sheriff of the road?" he asks. "Anybody who knows anything about government knows that once you have multiple agencies playing, they seem to get in each other's way."
The White House has a cybersecurity coordinator, but Miri says there is an effort to augment this with, effectively, a national chief information security officer, to stop the finger-pointing among agencies. A provision in the Cybersecurity Information Sharing Act of 2015, signed into law by President Obama in December, may help put such a czar in place.
"Some action is better than no action, but there is still no mandate, and I am still able to go buy medical devices on the market without any encryption, or without following the same rules that I am forced to go by as a covered entity," Miri says.
For now, CIOs such as Miri will have to rely upon a protective superstructure of security software, overlaid upon their computer networks, to try to detect intrusions, and limit the amount of damage that a rogue device can do upon a network. Miri relies on commercial solutions from vendors such as Imprivata to manage important aspects such as single sign-on, user access controls, and auditing.
"Especially when it comes to IT, I'm competing for every dollar I need to spend against a dollar that could be spent on a new bed or a new instrument, so if I cannot show ROI, you can bet your bottom dollar the CFO is going to give me any money to spend."
"So beyond the convenience and quality and safety factors of being able to audit, track, and disseminate what's going on with my community, I am able to show time saved. I am able to show a maximization of the time spent at the bedside with the patient."
Miri described other techniques that are making a difference, including virtual desktop interfaces (VDI) which provide further control of desktops. But I came away from our conversation believing it is high time that we crack down on those devices that represent one of the most vulnerable attack vectors of healthcare IT today.
It's not difficult to believe that if we do not act much more aggressively, a lot more ransoms shall be demanded by cyber criminals. At this crucial time in healthcare, it's the last thing any of us need.
Scott Mace is the senior technology editor at HealthLeaders Media.
Building on its Comprehensive Unit-based Safety Program (CUSP), the U.S. Department of Health and Human Services Agency for Healthcare Research and Quality (AHRQ) recently released a new toolkit aimed at reducing catheter-associated urinary tract infections (CAUTI) in hospitals.
Released in October 2015, the toolkit consists of three modules: implementation, sustainability, and resources. Hospitals can use principles of the CUSP program that have been successful in reducing central line-associated bloodstream infections (CLABSI) to reduce CAUTI rates in high-risk areas of the facility.
This is an excerpt from the monthly healthcare safety resource Patient Safety Monitor Journal.
On February 19, the Food and Drug Administration (FDA) announced that reprocessing instructions for Pentax duodenoscopes had been validated and approved by the agency. The announcement means that scopes from the three major manufacturers, Olympus, Fujifilm, and Pentax, are now safe to use with their updated instructions.
Five months ago, the FDA issued a safety warning against the three companies, stating that a design flaw prevented their scopes from being cleaned properly and that the scopes were an infection risk. A later Senate investigation revealed that dirty scopes were the direct cause of 25 infection outbreaks since 2012.