Monday, June 20, 2011

The Perfect Storm Barometer: Which type of precipitation carries the greatest risk for clinicians?

Pundits have been predicting the perfect storm for the last few years. This refers to the confluence of clinical and administrative practice impacts of the change from HIPAA X12 4010 to 5010, the CMS Meaningful Use incentive program, and the change from the diagnostic coding system ICD-9 to ICD-10 in the U.S. Other changes are also in the background, such as electronic prescribing of controlled substances (DEA) and changes in the regulation of EHRs and medical devices (FDA). These initiatives will impact all practices, ranging from those in the largest integrated delivery networks to the solo provider. The greatest effect will be on small practices because they generally do not have the abundance of resources and highly trained experts needed to fulfill the new requirements. The migration, already underway, from small practices to much larger groups and employed positions is likely to become a stampede. Retirement will be a course some will choose, which could worsen the physician shortage in the U.S. So if there are limited resources, how does one deploy available resources now?


The Arizona chapter of HIMSS, the Arizona chapter of AHIMA, the Arizona Regional Extension Center, and a number of other organizations sponsored an educational session about ICD-10 last Friday. We learned that the U.S. is the last major western country to make the switch. Asian countries including China, Korea, and Japan, among others, have already made the change. You might wonder why the change to ICD-10 is being brought up now if it isn't even scheduled to take effect until October 1, 2013. Aren't there more pressing items? For example, the hospital where I work published an information sheet this month about the ICD-10 transition. Information technology staff recommended a 3- to 6-month period for training. What their message failed to convey was the need for a substantial risk-based analysis of the current state, planned changes, a gap analysis, the need to coordinate software and hardware updates in multiple systems, implementation testing, increased staffing needs, and productivity loss across the spectrum of the organization.


Experience in Canada and Australia showed a 10-50 percent loss of productivity of clinicians and coders that lasted up to a year. In many cases, productivity never returned to the condition before the changeover. The reasons are that ICD-10 has much more specificity than ICD-9. There are also many more codes for both diagnoses and procedures. That means that coding staff are going to need to be much more knowledgeable in anatomy, physiology, and the differences between similar sounding surgical procedures. Clinicians are going to need to document their work much more thoroughly than most have been accustomed to doing in the past or risk denial of claims and/or reductions in payments. All of this will take everyone more time. It is a scary thought but clinicians should probably plan on a 25% reduction in practice income for 6 months to a year.


Useful risk mitigation strategies are: educate yourself about the coming changes early and frequently; communicate with all your vendors and work collaboratively to install and test all systems involved in the changeover well ahead of Oct. 1, 2013; plan coding scenarios to test coder and clinician readiness; and plan to accommodate the loss of productivity and income. Technical solutions such as computer-assisted coding have promise but are not ready for routine widespread use. Having a certified EHR will make it easier to collect and code the patient data needed for ICD-10, but many systems will need to be upgraded. Consider whether Meaningful Use or ICD-10 compliance is more important in deciding how you deploy your limited resources. I know one consultant who thinks that ICD-10 should be the priority because it poses the greatest risk to the financial health of a medical practice.

Wednesday, June 15, 2011

Digital certificates: Uses in health information exchange (final in series)

This post is the last I currently have planned on introducing the topic of the trust framework and digital certificates. The first post in this series addressed the concept of a trust framework. I discussed the role of certificate authorities in helping establish trust among information exchange partners. I provided links to sites that explain how certificate authorities perform identity proofing by following policies and procedures that help define various levels of trust. The second post explored the difference between electronic signatures and digital signatures. Certificates are used with the latter to enable cryptographic technologies that can be used to ensure data integrity and non-repudiation. Now I want to discuss two other important uses for digital certificates: user authentication and data encryption.

Digital certificates are a hot topic of discussion in various arenas that are leading the way in health information technology. Both of the two FACA committees, the HIT Standards Committee and the HIT Policy Committee, have sponsored meetings of work groups and the entire committee to delve into issues dealing with digital certificates. The use of digital certificates was a core element in the design of the Direct Project. Pilot projects of NwHIN Direct are all dealing with the management of digital certificates. Finally, the Standards and Interoperability Framework sponsored by ONC has several work groups working on digital certificate management and provider directories. The reason for all this overlapping work is that the use of digital certificates is central to the user authentication process. Many health information exchange transactions are founded on the two-way exchange of digital certificates (based on strong identity proofing policies and strategies) to assure end point identities. Directories are one way health information exchange users locate the digital certificates of their partners. NIST has prepared an excellent and well-illustrated publication that thoroughly explains the authentication process. It is not easy reading, but it explains all the concepts that are important for one to truly understand the authentication processes currently used in health information technology. Don't be confused by terminology. Digital certificate, token, and key can be used interchangeably.

The final use of digital certificates is to power the Public Key Infrastructure that is used to encrypt data. I recommend another NIST publication as a reference to help understand the uses of symmetric and asymmetric encryption. This Wikipedia page may also be helpful. We know that the federal rule on data breaches strongly encourages encryption technology. Also, data encryption was designed into the Direct Project specification. I cannot imagine anyone sending unencrypted protected health information over the public internet in this day and age. Furthermore, it is probably a good risk mitigation strategy to encrypt most protected health information, whether it is in transit or at rest on disk storage. The rash of successful network attacks in multiple information technology realms keeps HIT executives and security experts up at night.

Tuesday, June 14, 2011

HIMSS Virtual Conference 2011: Closing Keynote, an exceptional presentation

The HIMSS Virtual Conference ran last Wednesday and Thursday. Meaningful Use seemed to be the key topic of focus. The sessions that I had time to view were generally instructive and interesting. The closing keynote was altogether different though.


The content and visual impact of the keynote presented by Dan DeMaioNewton of Monster Worldwide were unique. I haven't seen such an impressive slide presentation since thirty years ago when dual slide projectors and screens were first used in a medical conference talk. You have to be "old" to remember that now primitive technology. Last Thursday graphics, color, and animation were integrated in a fashion that truly amplified what the speaker had to say. I realized that the bar for presentations had suddenly been raised. I anticipate that others will be spending a lot of time and money to exceed this new standard. The presentation would have been remarkable if only for its visual impact but it provided more.


One of the themes of discussion considered HIT hiring practices and prospects. The question was "What is more important to employers: a degree (formal education in the field) or experience?" Mr. DeMaioNewton stated categorically that a degree was a necessary prerequisite. During further discussion, he allowed that experience was also important. Then, only yesterday, I was reading a discussion string on LinkedIn by those seeking employment in HIT. Most of the posts seemed to indicate that employers are usually asking for a minimum of three years of experience for the positions they are attempting to fill. Up front at least, employers are looking for experienced personnel. I think that there will be continuing demand for HIT staff and fewer qualified individuals to fill the positions. Eventually the demand for staff will dilute strict employer requirements for both training and experience. For the present, employers are still in the driver's seat, so recent grads are going to face an uphill battle to break into the ranks of HIT professionals. That has been my personal experience anyway.


Another topic provided advice that was instructive. What do you do when you have a supervisor or potential supervisor who knows less than you? This is a situation that may prevent one from landing or keeping a job. Often, the supervisor doesn't want anyone around that knows more than they. They build fiefdoms of power and drive away those with more skill. Surprisingly, corporate culture often supports and encourages this management style. Mr. DeMaioNewton made the point that there are well-run companies that seek and value excellent employees. Good workers owe it to themselves not to tolerate work environments that stymie their enthusiasm and creativity. They should look for organizations where their special skills are recognized and rewarded. Just yesterday I read of a company whose hiring practices were based on finding the best people possible and then finding a job for them to do. The trick is finding the enlightened organizations.

Thursday, June 9, 2011

Introduction to electronic signatures and digital certificates

Below is a summary I prepared a while back for an Arizona Health-e Connection committee of which I was a member. This provides an introduction to the concept of digital certificates, though at a very basic level. I visited several websites to obtain the information needed to prepare the summary. As a caveat, I am not a technical expert in this area, so I cannot attest to complete accuracy.


Electronic Signature:
There may be some confusion concerning the difference between electronic signatures and digital signatures. The most significant difference is that electronic signatures do not require the use of digital certificates.

An electronic signature is comparable to a seal or an electronic version of a signature stamp. It is any legally recognized electronic means that indicates that a person adopts the contents of an electronic message. When recognized under the law, electronic signatures have the same legal consequences as the more traditional forms of executing documents. The electronic signature shows that the user has applied that symbol to indicate intent to sign. It is important that the electronic symbol be related specifically to the party who is signing, that there is proof the symbol was applied with the intent to sign, that the data being signed can be proven to be the original data, and that all parties to a signature are allowed to have independent copies. An electronic signature actually displays an image of your handwritten signature or a visual mark within the document to illustrate your consent to a document's contents and uniquely identifies you as a signer. It is permanently attached to a document like a handwritten signature on paper. It does not work well for multiply signed documents because of validation check steps that detect any changes (including a new signature) to the document. Some of the laws that apply to electronic signatures include: the U.S. E-Signature Act of 2000, the Uniform Electronic Transactions Act (UETA), and FDA 21 CFR part II.

Digital Signature:
An electronic signature may incorporate a digital signature if it uses cryptographic methods to assure both message integrity and authenticity (non-repudiation). The message integrity mechanisms will readily detect any changes in a digitally signed document. All current cryptographic digital signature schemes require that the recipient have a way to obtain the sender's public key (digital certificate) with assurances (trust) that the public key and sender identity belong together. The message integrity measures must assure that neither the attestation nor the value of the public key can be surreptitiously changed.

Digital signatures are created by hashing data (a cryptographic process) to produce a large number that uniquely identifies the contents in such a manner that any change would no longer produce the same number. This is a counter-measure to Man in the Middle attacks. That number is then encrypted with a person's encryption key to prove that it belongs to the same person associated with the key. Public Key Cryptography uses two encryption keys that are mathematically related to one another, yet one key cannot be derived from an analysis of the other key. This is often called asymmetric encryption because the key used to encrypt (private key) is not the same key that is used to decrypt (public key). The public key can safely be given to others so they can use that key to decrypt information encrypted with the associated private key. It is critical to keep the private key private. This may require technical and/or physical privacy protections. Private keys are stored on disk, servers, or smart cards.

Certificates:
In cryptography, a public key certificate is an electronic document that uses a digital signature to bind together a public key with an identity, which includes information such as name, organization, address, etc. The certificate can be used to verify that a public key belongs to an individual. In a typical public key infrastructure (PKI) scheme, the signature will contain information about the certificate authority (CA) that issued the certificate. The most common use of certificates is for HTTPS-based web sites. A web site operator obtains a certificate by applying to a certificate provider (CA). The certificate provider requests the contact email address for the website from a public domain name registrar and checks that the published address and email address match. The CA is also known as a Trusted Third Party (TTP). It is critical to note for health information exchange purposes that the level of trust is determined by the policies and procedures for identity proofing followed by the CA.
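The signing and verification steps described in the Digital Signature and Certificates sections above, as an added example that is not part of the original summary or its sources. It assumes the openssl command-line tool is installed; the signer name, document text and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): hash-and-sign a document with a
# private key, publish the public key inside a self-signed certificate, and
# verify the signature with that certificate. Assumes the openssl CLI exists.
set -eu
WORK=$(mktemp -d)

# Constructed sample document to be signed.
printf 'Referral: patient summary attached.\n' > "$WORK/referral.txt"

# 1. Key pair; the private key must stay private (disk, server, or smart card).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/signer.key" 2>/dev/null

# 2. Self-signed certificate binding the public key to an identity (hypothetical CN).
openssl req -x509 -new -key "$WORK/signer.key" -days 1 \
  -subj "/CN=Example Clinic Signer" -out "$WORK/signer.crt" 2>/dev/null

# A relying party extracts the public key from the certificate, never the private key.
openssl x509 -in "$WORK/signer.crt" -pubkey -noout > "$WORK/signer.pub"

# Sign: SHA-256 hash of the file, encrypted with the private key -> signature file.
sign_doc() { openssl dgst -sha256 -sign "$WORK/signer.key" -out "$2" "$1"; }

# Verify: recompute the hash and check it against the signature using the public key.
# Returns 0 when the document is unchanged, non-zero otherwise.
verify_doc() { openssl dgst -sha256 -verify "$WORK/signer.pub" -signature "$2" "$1" >/dev/null 2>&1; }

sign_doc "$WORK/referral.txt" "$WORK/referral.sig"
verify_doc "$WORK/referral.txt" "$WORK/referral.sig" && echo "original: signature valid"

# Any change to the signed data produces a different hash, so verification fails.
cp "$WORK/referral.txt" "$WORK/tampered.txt"
printf 'Amended: dosage changed.\n' >> "$WORK/tampered.txt"
verify_doc "$WORK/tampered.txt" "$WORK/referral.sig" || echo "tampered: signature INVALID"
```

The same verify step is what a receiving system runs on a digitally signed message once it has obtained and trusted the sender's certificate.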

A future post will discuss the use of digital certificates for health IT purposes in more detail. Having a grasp of this information is essential if one is to understand the current controversies and activity at the national level concerning health information exchange, the Nw-HIN, the Direct Project, and Provider Directories.

Sources:

http://www.wikipedia.com/
www.esignform.com/ElectronicSignatures.jsp
www.silanis.com/resource-center/articles/electronic-signatures-vs-digital-signatures.html