Secure Messaging, Remote Access Vital
Shriners Hospitals Take Steps to Ensure Privacy, Security
The 22 pediatric specialty care hospitals, which get referrals from physicians worldwide, are relying more on secure messaging to ensure the continuity of care, Bria says.
In an interview (transcript below), the physician, who is a medical informatics specialist, also describes:
- Why remote access to electronic health records and other systems is growing. Remote access is supported by the use of two-factor authentication.
- Why the hospitals are well-prepared to qualify for the HITECH Act EHR incentive payments, although they must continue to work on building secure connectivity to referring physicians.
Bria has been CMIO at Shriners Hospitals for Children for five years and chairs its security committee. He is founder and president of the Association of Medical Directors of Information Systems. He formerly served as medical director for clinical information systems at the University of Michigan Health System.
HOWARD ANDERSON: For starters, why don't you tell us about your organization's size and scope?
BILL BRIA: Shriners Hospitals for Children is a system that has been created as a result of the Shriners Fraternity International's vision of providing care for children regardless of ability to pay. It originated in the polio era ... As the polio epidemic was conquered, the Shriners continued the same notion in pediatric orthopedics, and more recently for pediatric burn patients, and now, in a few of our hospitals, oral and maxillofacial repair. ... The vision of the fraternity has been extraordinary in that, about eight or nine years ago, they decided for all 22 hospitals ... to implement an electronic medical record environment and to serve it all out of a centralized data center. That system is the Cerner Millennium system. ... I had the privilege of joining the organization now a little over five years ago. At that time, the system was not billing anyone for services. (Note: Shriners started billing insurers for certain services in July 2010). ...
Addressing Security
ANDERSON: We want to chat with you today about your organization's information security priorities for the year ahead. How does your staff handle security duties now?
BRIA: There is within the information technology department a security section. In addition, I chair the security committee, a multi-disciplinary group. ... We meet twice a month. We've had some recent additions to our toolkit for security. ...
ANDERSON: So do you have a chief information security officer now, or do you plan to add one?
BRIA: We do not, and there is no immediate plan to add one. ... We've recently added this new billing infrastructure ... and now we are focused on the basics of the revenue cycle.
Security Spending
ANDERSON: Is the percentage of your IT budget devoted to information security growing? And what are some of the top spending priorities?
BRIA: It's stable. Our top priorities have been the creation and the implementation of a secure messaging environment. We picked a commercial product to do this. ... Because we are so specialized in pediatric orthopedics and burns, we have a large number of patients that come from significant distance to our hospitals. And since we are Shriners Hospitals for Children of North America, we have a substantial population of patients from above and below the border. So the need for secure messaging for continuity of care has been recognized for a long time. ... We have ... a secure patient messaging environment that interfaces quite nicely and smoothly with our existing information tools.
ANDERSON: Are there other security technologies you anticipate rolling out in the next year or two?
BRIA: One of the things that we have used modestly, but we expect to use a lot more in the next year or two, is remote access to our electronic health records. We have a two-factor (token) authentication environment now, but we want to increase the adoption and effective use of it. The idea of a compliance environment with a billing world is rather different than the approach that is purely clinical in nature. ... So the notion of getting ... information available to our clinicians so that the charts are signed on time and orders are done electronically wherever the physician may be has become much more important. ...
EHR Incentives
ANDERSON: Will you be applying for incentives under the HITECH Act for using electronic health records?
BRIA: We absolutely plan to because our adoption of CPOE (computerized physician order entry) is greater than 80 percent ... one of the largest hurdles that most organizations are facing is achieving the minimum 30 percent CPOE compliance for phase one of the incentives. ... Where we see challenges is in a number of the connections with the local environments. Our hospitals are much less community-based; they all receive patients nationally. ...
ANDERSON: In light of your plans to apply for the HITECH Act incentives, how would that affect your information security plans if at all? Are you planning to update your risk assessment?
BRIA: We have a regular review process because we do have a dedicated team within IS for the technology aspects of our information environment. But the Shriners fraternity has been very insistent on patient confidentiality and safety standards way above what was absolutely required .... Now that we are going to accept third-party payments ... it raises that whole other aspect of stepping up even further the external review and assurance that we're, in fact, protecting the stream of patient information from beginning to end.
Security Challenges
ANDERSON: In your role as chair of the security committee, what do you see as the most important trends in the healthcare information privacy and security overall next year and beyond?
BRIA: I think one of our biggest challenges stems from serving international patients. ... This creates rather interesting challenges with regards to communications, patient information protection, confidentiality, networking with other medical sources. I think we're going to truly become international in scope with regards to our security environments. ... But the idea of communicating with other medical entities that extend the care of the children that we see is going to create the need for a lot more bridge building and the ability to offer information interchange. ...