Consortium News

  • 08 Apr 2015 9:47 AM | Deleted user

    Retrieved from   |   By: Aditi Pai   |   Apr 7, 2015

    Brigham and Women’s Hospital in Boston will pilot iGetBetter’s apps to reduce hospital readmissions through remote patient monitoring and post-discharge patient engagement. The pilot will target patients that have heart disease, specifically those with hypertrophic cardiomyopathy (HCM).

    "There is a great need for innovative approaches to relieve symptoms for patients with hypertrophic cardiomyopathy," Dr. Neal Lakdawala, a BWH physician and the clinical lead on the pilot, said in a statement. "Disease manifestations can vary significantly on a day to day, and even minute to minute basis, but contemporary practice has not adapted to this aspect of disease. We are excited about the potential for this pilot, in which we will accelerate the pace of relief for patients using technology that allows them to report symptoms, vital signs, and step counts daily. This information will allow us to titrate their medications weekly and individualize treatment."

    With iGetBetter’s system, patients can review their personalized care plans on a patient-facing HTML5 web app, designed to work on various devices, including Android and iOS ones. The app allows patients to view announcements and reminders, log their progress, manage their contact information, and communicate with care team members.

    In this specific trial, patients will also be able to sync health information that they track with Withings’ Bluetooth-enabled blood pressure cuffs and activity monitors. Withings donated the devices to Brigham and Women’s for the pilot. 

    iGetBetter’s program syncs with many other connected health apps and devices including Garmin, RunKeeper, Fitbit, Fitbug, Omron, MapMyFitness, and Moves. The company integrates the data from these devices through Validic.

    "For the first time, we will be using daily patient biometric readings coupled with daily subjective inputs from patients about possible cardiac symptoms to titrate medication levels to maximum desired levels remotely without the need for multiple outpatient office visits," Dr. David Lebudzinski, Chief Medical Officer at iGetBetter, said in a statement. "This potentially represents a major improvement for these hypertrophic cardiomyopathy patients who will be brought up to desired medication doses faster than ever, achieving a level of therapeutic safety much faster than in the past. This should improve their quality of life and reduce their risk for adverse cardiac events very quickly."

    Clinicians can use the system’s provider-facing app to monitor patients’ data, adjust their medications, and contact patients when necessary to avoid hospital admissions.

    In February, iGetBetter raised $1.1 million, which brought the company’s total funding to at least $2.6 million. At the time, the company said pilots with six health systems had already been completed, two of which signed on as customers afterward. Several more pilots were set to begin, they said at the time, for diseases including congestive heart failure, total knee and hip replacements, hypertension, diabetes, and depression.

  • 25 Mar 2015 5:03 PM | Deleted user

    The CMS and ONC NPRMs

    Retrieved from Life as a Healthcare CIO: MARCH 24, 2015

    This analysis was written by Micky Tripathi and John Halamka.

    On Friday March 20, CMS released the Electronic Health Record Incentive Program-Stage 3 and ONC released the 2015 Edition Health Information Technology (Health IT) Certification Criteria, 2015 Edition Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modifications.

    Perhaps the most important statement in the entire 700+ pages is the following from the CMS rule: "Stage 3 of meaningful use is expected to be the final stage and would incorporate portions of the prior stages into its requirements."

    Providers and vendors alike were all hoping for something lean and clean. The CMS Stage 3 rule weighs in at 301 pages, but the ONC Certification rule takes the cake at 431 pages. The JASON Task Force, whose recommendations were unanimously approved by the HIT Standards and Policy Committees, recommended that ONC and CMS make an explicit trade-off: Decrease the breadth and complexity of the MU program, and in return, increase the expectations in a few key areas, such as interoperability. The CMS MU Stage 3 rule, for the most part, has adopted this philosophy. Unfortunately, the same can't be said for the ONC Certification rule.

    We provide a brief synopsis of the MU and Certification Rules below, followed by our analysis of these proposals.

    CMS Stage 3 MU Rule Synopsis

    The CMS Meaningful Use Rule is focused and narrowed to 8 objectives.

    There is some fine-print though. Contained within many of the objectives are multiple measures. Depending on which options one chooses, and whether you are a provider or a hospital, the total number of MU measures could range from 15 to 20, and that's NOT INCLUDING the Clinical Quality Measures, which have always been like a MU menu all of their own, and which are now going to be determined through a different process and won't be defined until later in 2015.

    Here is a synopsis of the MU Stage 3 requirements:

    Provider-facing EHR functions:

    *ePrescribing: The thresholds have increased to 80% for EPs and 25% for EHs, but overall this is just asking for more of the same. Of note is that controlled substance prescriptions can now be optionally included in states where it is allowed electronically.

    *Clinical decision support: There are 2 measures: 1) implement 5 CDS interventions tied to 4 quality measures; and 2) turn on drug-drug and drug-allergy interaction alerts for the entire EHR reporting period. This is aligned with the past trajectory from earlier stages.

    *CPOE: There are 3 measures: use CPOE on at least 80% of medication orders, 60% of lab orders, and 60% of diagnostic imaging orders. CMS has given a little flexibility here by now counting entry by "scribes" (personnel with at least a medical assistant credential), excluding standing orders, and including a broader array of imaging such as ultrasound, MRIs, and computed tomography.

    Patient-facing EHR functions:

    *Patient access to information: There are 2 measures: 1) 80% of patients must be able to access their records either through the View/Download/Transmit function or through an ONC-certified API; and 2) give 35% of patients access to patient-specific educational resources. Note, this objective just requires that access is provided to patients. No patient action is required in order to meet these objectives.

    *Active patient engagement: There are 3 measures: 1) 25% of patients must access their records either through View/Download/Transmit or through an ONC-certified API; 2) 35% of patients must receive a clinically-relevant secure message; and 3) provider must incorporate information from patients or "non-clinical" settings for 15% of patients. These measures do require patient action, though there is some flexibility because provider-initiated messages now count toward the secure messaging measure, for example. The most challenging measure will be the last one, which requires patient-generated data or data from non-clinical settings such as home health, physical therapy, etc.


    *Health information exchange: There are 3 measures: 1) send electronic summary for 50% of TOCs and referrals; 2) get electronic summary for 40% of TOCs and referrals; and 3) perform med/allergy/problem reconciliation for 80% of TOCs and referrals.

    *Public health and clinical data registry reporting: There are 6 measures. "Active engagement" is required for: 1) immunizations; 2) syndromic surveillance; 3) reportable conditions case reporting; 4) public health registries; 5) non-public health registries; 6) electronic lab reporting. EPs need to choose 3 out of 1-5, and EHs need to choose 4 out of 1-6. Having witnessed that there is wide variability in public health capacity across the country, CMS has provided some flexibility here by defining "active engagement" broadly to include either registering, testing, or transacting. In short, you'll get credit even if you're not actively transacting as long as you are on the path and making a good faith effort.

    The CMS rule is laid out logically and pretty easy to follow. (That is, for a 300+ page federal regulation.)

    ONC 2015 Edition Certification Rule Synopsis

    We wish we could say the same about the ONC Certification Rule. Whereas the CMS rule seems to be using MU Stage 3 to stabilize expectations, the ONC rule does the opposite and crams too much into the 2015 Edition Certification. To make matters worse, the rule isn’t laid out clearly or logically, so it's hard to ascertain how all of the pieces fit together.

    There are 68 individual certification requirements described in the ONC rule. It would be impossible to lay out all of the details here. The list of all of the requirements is here.

    Of the 68 requirements, 36 are required for Meaningful Use. ONC introduces the concept of the "Base EHR", which has the following 16 requirements. New requirements are marked with a *.

    • Demographics
    • Problem List
    • Medication List
    • Medication Allergy List
    • Smoking Status
    • Implantable Device List*
    • Clinical Decision Support
    • CPOE – medications
    • CPOE – laboratory
    • CPOE – diagnostic imaging
    • Transitions of Care
    • Application Access to Common Clinical Data Set*
    • Direct Project, Edge Protocol, and XDR/XDM
    • Direct Project
    • Clinical Quality Measures – record and export
    • Data Portability

    But for meaningful use, CMS says that you need the Base EHR, plus 20 more requirements:

    • Automated Measure Calculation
    • Automated Numerator Recording
    • Patient Health Information Capture*
    • Family Health History – pedigree
    • Family Health History
    • Transmission to Public Health Agencies – health surveys*
    • Transmission to Public Health Agencies – antimicrobial use and resistance reporting*
    • Transmission to Public Health Agencies – reportable condition reporting*
    • Drug-drug, Drug-allergy Interaction Checks for CPOE
    • Transmission to Cancer Registries
    • Transmission to Public Health Agencies – reportable laboratory tests and values/results
    • Transmission to Public Health Agencies – syndromic surveillance
    • Transmission to Immunization Registries
    • Secure Messaging
    • View, Download, and Transmit to 3rd Party
    • Drug-formulary and Preferred Drug List Checks
    • Electronic Prescribing
    • Clinical Information Reconciliation and Incorporation
    • Patient-specific Education Resources
    • Clinical Quality Measures -- Report

    So what are the additional 32 requirements if they're not required for Meaningful Use? It's the list below, arrayed in order of decreasing complexity as estimated by ONC.

    • Electronic Submission of Medical Documentation*
    • Accessibility Technology Compatibility*
    • Consolidated CDA Creation Performance*
    • Vital Signs, BMI, and Growth Charts
    • Data Segmentation for Privacy (Federal substance abuse privacy law) – send*
    • Data Segmentation for Privacy (Federal substance abuse privacy law) – receive*
    • Quality Management System
    • Decision Support – knowledge artifact (send CDS interventions)*
    • Transmission of Laboratory Test Reports
    • Clinical Quality Measures – filter*
    • Incorporate Laboratory Tests and Values/Results
    • Safety-Enhanced Design
    • Care Plan (consolidated from multiple care plans)*
    • Social, Psychological, and Behavioral Data*
    • Decision Support – service (receive CDS interventions)*
    • Healthcare Provider Directory – query response*
    • Healthcare Provider Directory – query request*
    • Clinical Quality Measures – import and calculate
    • Accessibility-Centered Design*
    • Integrity
    • End-User Device Encryption
    • Emergency Access
    • Automatic Access Time-out
    • Amendments
    • Audit Report(s)
    • Auditable Events and Tamper-resistance
    • Authentication, Access Control, Authorization
    • SOAP Transport and Security Specification and XDR/XDR for Direct Messaging
    • Accounting of Disclosures
    • Image Results
    • Patient List Creation
    • Electronic Medication Administration Record

    Buried within these 700+ pages of proposed federal regulations are many objectives, measures, and requirements, as well as a lot of hopes, dreams, and aspirations -- what we would characterize as The Good, The Bad, and The Ugly.

    The Good

    The CMS rule level sets everyone at Stage 3 by 2018. That makes life easier for providers, vendors, and the government.

    Some of the objectives and thresholds need adjustment to align with workflow, change management and market realities, but overall the CMS MU Stage 3 proposal is a good first draft. CMS deserves a lot of credit for streamlining and consolidating a lot of the stray threads from MU Stages 1 and 2, and making the Stage 3 rule coherent and relatively easy to understand.

    Both the MU and Certification rules emphasize application program interfaces (APIs), and do so in a judicious and thoughtful way. They give credit to those early adopters who may implement APIs ahead of the market, signal toward RESTful FHIR APIs and OAuth as future certification candidates, but don't lock in those standards before they are mature and market-tested. This glide path is directly in line with recommendations from the JASON Task Force, HITSC and HITPC, as well as the Argonaut Project, and thus has a lot of community momentum behind it. They seem to have learned the lessons of the Direct standard, which should be commended.

    The MU rule makes a practical leap into query-based exchange by requiring receipt of records from other entities. Few will be able to generate queries electronically at the outset, but it gives credit to those who can, and motivates others to enable workflows and technologies to do so as quickly as possible.

    The “Base EHR Definition" was introduced in the ONC 2014 Certification Edition and included all of the security certification criteria and standards. However, no individual module submitted for certification was required to meet the "Base EHR Definition," nor was any module required to meet any security criteria at all. Instead, it was up to each purchaser to determine whether the set of modules purchased collectively met the "Base EHR Definition" and therefore would be capable of meeting the requirements of HIPAA. The ONC 2015 Certification Edition removes security from the "Base EHR Definition" and instead assigns each security requirement to the types of modules where that functionality is most applicable.

    Finally, patients are given a high priority, as they should be. The big problems of health care can't be solved without making patients better custodians of their own care, and the MU and Certification rules give a large boost to those efforts.

    The Bad

    In the Meaningful Use rule, CMS undermines a bit of the simplicity by allowing a reporting period exception for year 1 Medicaid participants. They should have Medicaid year 1 follow the same requirements as everyone else, which will level set everyone.

    While it is good to align the CQMs with other CMS quality programs, the detail on CQMs now won't be provided until later this year. We’re asked to weigh in now on quality measurement policy issues (such as whether all products should be required to support all measures) absent important information such as how many measures CMS is considering, whether they are all well suited to EHRs, and if they would be generally applicable to all EHR products.

    There are 3 main issues with the ONC rules. First is the concept of "decoupling". CMS and ONC have “decoupled” their rules, so that CMS can specify a smaller number of objectives/certification criteria, while ONC can provide a list of everything health IT could/should/might be, including a broad scope beyond EHRs. CMS now owns the "CEHRT definition.” CMS sets the program policy requirements for MU and defines what minimally needs to be certified. This is a change in the directionality of the ONC/CMS regulatory relationship. In the past two regulatory cycles ONC’s rules have included MU program policy and pointed to CMS for details. Now, ONC’s rule is agnostic to any program and the CMS MU program points to ONC for certification specifications. Thus, the ONC rule includes a variety of certification specifications for which there are no corresponding MU requirements from CMS. This has the potential to create market confusion, an overwhelming scope for vendors/developers, and a laundry list of requirements that serve narrow interests.

    Second, if we care about patient health, it's not intuitively obvious why some requirements are where they are. For example, why is "Vital Signs, BMI, and Growth Charts" excluded on the MU list, but "Transmission to Public Health Reporting -- health surveys" is included on the MU list?

    Third, it feels as if every wish of every stakeholder was included in the rule without setting priorities, rather than being specifically focused on functions that directly serve patient care and patient engagement. There is not a really bad idea among the 68 proposed requirements, but do all of the problems of public health and Medicare FFS post-payment medical documentation review and safety-enhanced design and a host of other needs have to be solved at the same time as MU-related certification? ONC estimates that all the development they propose would take 23,000 hrs to 47,000 hrs to develop. They have improved at estimating but that is still low (for example, for safety-enhanced design, they estimate 300-600 hrs, but it's taken most vendors >1,000 hrs in the past and they just doubled the number of things you're expected to summative usability test). And by ONC's own estimates, vendors will have to spend 44% more development hours to meet all of the non-MU related certification requirements. It would be much simpler if ONC created a 2015 Edition Rule for only MU-required functions, and then separate rules for the many other non-MU certifications that it would like to propose.

    Fourth, while the API part of the Certification Rule seems to reflect the lessons learned from our experience with Direct, other areas seem to be making some of the same mistakes. By casting the net so widely on the types of functions it wants to certify, the Rule inevitably proposes some standards that are not sufficiently market-tested to be de facto requirements for the entire industry. The Health IT Standards Committee developed a very thoughtful framework for identifying which standards will have high chances of market acceptance. Standards for such functions as provider directories, multi-entity care plans, exchange of CDS interventions, submission of FFS post-payment documentation, data segmentation to meet cumbersome federal substance abuse law requirements, etc. don’t yet meet that test. Standards for public health transactions (such as requiring bidirectional interfaces for immunization registries and reportable conditions reporting) are not only novel, they are not even deployed by most public health agencies. We should have a high bar for anointing a standard to be worthy of federal-level certification, even if such requirements are “voluntary”. The Rule does much to promote the move to RESTful APIs, and in most cases, we may very well find that following the path of facebook, and google, and twitter will be much faster and valuable than burdening the industry with even more older generation, health-care specific approaches.

    The Ugly

    If a clinician has 12 minutes to see a patient, be empathetic, document the entire visit with sufficient granularity to justify an ICD-10 code, achieve 140 quality measures, never commit malpractice, and broadly communicate among the care team, it’s not clear how the provider has time to perform a "clinical information reconciliation" that includes not only medications and allergies, but also problem lists 80% of the time.

    Maybe we need to reduce patient volumes to 10 per day? Maybe we need more scribes or team-based care? And who is going to pay for all that increased effort in an era with declining reimbursements/payment reform?

    As one of us wrote about in the Information Week article, Boiling the Frog, each incremental proposal is tolerable, but the collective burden is making practice impossible.

    The sheer number of requirements may create a very high, expensive and complex set of barriers to product entry. It may stifle innovation in our country and reduce the global competitiveness for the entire US Health IT industry by over-regulating features and functions with complicated requirements that only apply to CMS and US special interests. The certification criteria are often not aligned with what EHR users ask for. In some cases, the criteria are completely designed to accrue benefits to people who aren't feeling the opportunity cost. So if certification is loaded by non-EHR users, EHR users are going to find that, even if the MU objectives are fewer in number and more focused, their EHRs are focused on a lot of things they haven't asked for.

    There needs to be a very public discussion with providers as to who should prioritize EHR development -- ONC and the stakeholders they've included, or EHR users. The work of the country over the next few months needs to be achieving a consensus about what should be in the Certification rule and what should be removed. If industry, academia, clinicians, payers, and patients can align on a minimal set of requirements, we're confident ONC will listen.

  • 23 Mar 2015 9:34 AM | Deleted user
    Retrieved from | By Darius Tahir | March 20, 2015

    Draft regulations the CMS issued Friday would make significant changes to the federal incentive program that requires doctors and hospitals to adopt and meaningfully use electronic health records.

    With some exceptions, hospitals, physicians and other eligible professionals would be expected to conform to the rules (PDF) by 2018.

    Physicians and hospitals have lobbied aggressively for the CMS to relax the program's parameters. The agency said in January it would issue separate regulations narrowing the reporting period to 90 days for attesting to meeting the requirements for 2015.

    The proposed rule would require nearly all providers to report on a full calendar-year cycle beginning in 2017 and would require electronic reporting of clinical quality measures beginning in 2018.
    “The release of today's rule demonstrates that the agency continues to create policies for the future without fixing the problems the program faces today,” the American Hospital Association said in a statement Friday. “It is difficult to understand the rush to raise the bar yet again, when only 35% of hospitals and a small fraction of physicians have met the Stage 2 requirements.”
    Physicians and other eligible professionals who fail to meet the requirements are expected to pay $500 million in Medicare penalties between 2018 and 2020, according to the proposed rule. The agency said it expects all hospitals to achieve meaningful use by 2018.

    Upgrading EHRs to meet the requirements, the agency estimates, will cost physicians $54,000, plus $10,000 in annual maintenance costs. That's at the high end of what the Congressional Budget Office calculated in 2008. The CMS said upgrades would cost hospitals $5 million, plus $1 million for annual maintenance.

    The rule would give providers three options for ensuring patient engagement with their care, of which providers must fulfill two: access to their own records; secure messaging between patients and providers; and collection of patient-generated health data.

    The first two elements had attracted consistent criticism from providers in previous stages of the program, but the exact impact is unclear. In the Stage 2 rules, 5% of patients would have to view, download or transmit data from their records, which providers said made them responsible for the engagement regardless of whether patients were interested.

    The new rule would raise that engagement threshold to 25% of patients downloading or transmitting their health data. But providers can now satisfy the requirement with an application programming interface, or API, that allows third-party developers to access the data on their patients' behalf.

    The rule would also impose a similar increase in the rate of secure messaging: from 5% in Stage 2, to 25% in Stage 3.

    Meanwhile, the provision would compel providers to collect patient-generated health data in their EHRs from devices such as Fitbits or mobile apps developed with Apple's HealthKit API. Providers would have to capture data from 15% of their patients to comply.

    The digital health industry pushed aggressively for the CMS to push providers to collect the data their products generate. “I'm beyond pleased and finally vindicated,” said Robert Jarrin, Qualcomm's senior director of government affairs.

    The proposal also raises the thresholds for “computerized physician order entry,” which allows doctors to send requests for drugs, lab tests and imaging electronically. Providers would be expected to order 80% of medications electronically, up from 60% under Stage 2 of the program. The requirement for electronic lab and imaging orders would rise to 60% from 30%.

    For imaging, the proposed rule expands the requirement from radiology to a broader array of tests, including ultrasound, MRI and CT scans.

    Separate regulations proposed by HHS' Office of the National Coordinator for Health Information Technology overhaul the certification program (PDF) for healthcare IT, which is intended to give healthcare providers certainty that the software they buy can perform the functions required under the meaningful-use program.

    Comments on the proposals are due May 29.

  • 18 Mar 2015 10:38 AM | Deleted user
    Retrieved from | By Adam Rubenfire | March 17, 2015

    Premera Blue Cross, a health plan in the Pacific Northwest, was hit with the second-biggest cyberattack in healthcare industry history, exposing the personal, financial and medical information of more than 11 million customers.

    The Mountlake Terrace, Wash.-based company discovered the attack on Jan. 29, 2015. An investigation revealed that the initial attack occurred May 5, 2014. The breach affected Premera Blue Cross, Premera Blue Cross and Blue Shield of Alaska, and Premera affiliate brands Vivacity and Connexion Insurance Solutions.

    Premera said the company has not been able to determine if any data was actually removed from the company's systems and that there's no evidence that any of the records in the breached system have been used inappropriately.

    The revelation comes just six weeks after Anthem, the nation's largest investor-owned Blues licensee, disclosed that hackers had stolen the records of nearly 80 million from its IT system.

    Information exposed in the hack dates back to 2002. The company said the records could include members' names, dates of birth, Social Security numbers, mailing addresses, e-mail addresses, telephone numbers, member identification numbers, bank account information and claims information, including clinical information.

    As with the Anthem hack, the Premera breach affects some customers of other Blues plans that participate in the national, reciprocal claims payment network called BlueCard, a Premera spokeswoman confirmed. The network is often used for members who travel out of their insurer's service area for care.

    Premera Blue Cross is beginning to mail letters to affected customers offering two years of free credit monitoring and identity theft protection. The company also has established a call center and a website dedicated to information about the breach.
    "We at Premera take this issue seriously and sincerely regret the concern it may cause," Premera CEO Jeff Roe said in a statement. "As much as possible, we want to make this event our burden, not that of the affected individuals, by making services available today to help protect people's information."
    If the ongoing investigation confirms that no data was removed from Premera's system, customers could be at less of a risk than Anthem's customers. But the company may be offering protection to customers because it can't be sure that's the case, said Mac McMillan, a healthcare security expert and founder of CynergisTek, an Austin, Texas-based security consultancy.
    "It could very well be they can't prove the negative," McMillan said. "They can't disprove that these people had access to that information."
    It's possible but not likely that the individuals could have downloaded the data from Premera's servers but left no evidence that they removed the data, McMillan said. Stealing data without leaving a trace is very difficult, he said, because usually only high-level administrators have the ability to eliminate audit trails.

    Hackers also may have infiltrated the system without the intention of stealing data, McMillan said. Cyberattackers sometimes look for insecure systems and manipulate them to create bots that can be used in other cyberattacks, he said.

    Premera has worked closely with the FBI and Mandiant, a major cybersecurity firm, to investigate and remove the "infection created by the attack," the company said. An FBI spokeswoman said in a statement that Premera "quickly" notified the law enforcement agency about the attack but declined to give a specific time frame.

    In the Anthem hack, the initial investigation indicated that members' bank or clinical records were not exposed. The inclusion of that information in the Premera breach makes it particularly disconcerting, said Pam Dixon, executive director of the World Privacy Forum, a San Diego-based not-for-profit organization that pioneered research into the field of medical identity theft.
    "The recent spate of advanced medical breaches show us that the word is out about the value of medical data, and the sophisticated level of criminals making these attacks," Dixon said in a statement. "Patients need to be prepared and educated about both medical ID theft and phishing, and providers need to be honest about the risk of medical forms of ID theft."
    Cyberattacks are one of the least common ways that protected health information is exposed, but the episodes typically involve dramatically bigger numbers of records.

    Nearly three-quarters of the records exposed in healthcare breaches reported to HHS have been linked to cyberattacks, even though those attacks account for less than 10% of the breaches, according to a Modern Healthcare analysis of HHS data.

    "(Hackers) clearly have an eye on these types of organizations who hold financial information, but also very sensitive healthcare information," said Paul Bantick, an underwriter for cybersecurity insurer Beazley, which also provides services for organizations responding to attacks.

    "The best way for these organizations to mitigate the damage," Bantick said, "is to respond and contain it as best as you can."

  • 17 Mar 2015 4:02 PM | Deleted user
    Retrieved from   |   By Ivan Ristic   |   March 17, 2015

    Vulnerabilities such as Heartbleed, POODLE, and FREAK are starting to alert the world to the importance of good security hygiene in our communication infrastructure. There has never been as much scrutiny of the security of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols as there is today. We can trace this interest back as far as 2008, with no signs of slowing down. But although most attention is on the protocol vulnerabilities, most organizations don't realize that it's their own actions that are proving to be the bigger problems in practice.

    In most companies, it seems, certificates are tracked in spreadsheets. The security of TLS servers is looked at only when there is a major public discovery. Otherwise, little is done to get the most out of the security mechanisms that are available today. We can't really say that system administrators are to blame: TLS is notoriously flexible, and configuring it correctly takes considerable time and effort. Furthermore, application-layer decisions (mixed content, cookies set without the Secure flag, links that point back to http://) can negate the security of an otherwise properly configured server.

    In 2009, we began our work on SSL Labs, our research centre for SSL, TLS, and Internet PKI, with the aim of understanding how these technologies are used around the world and of providing tools and documentation to help everyone make the most of them. Although the list of best practices is long (we maintain a concise document called SSL/TLS Deployment Best Practices; it currently runs to 14 pages), over time we realized that there is a small number of super-important things to get right.

    Encrypt your entire web site

    If you currently deploy encryption on only part of your web site, you're leaving a large gap for adversaries to exploit. Using so-called SSL stripping attacks, a network attacker who sees a user's plaintext request can rewrite every https:// link and redirect in the response to http://, take control of the unencrypted session, and keep it from ever moving to HTTPS. With the entire site encrypted and every http:// request redirected to https://, a passive attacker sees nothing, and an active one is left with only that initial plaintext request to attack, which is what the next point addresses.

    Almost equally important, you should deploy HTTP Strict Transport Security (HSTS, RFC 6797), a response header sent over HTTPS that tells browsers to rewrite any future http:// request for your host to https:// and to refuse connections on certificate errors, so that your users' browsers never attempt insecure communication, even when tricked by savvy attackers. The policy is only learned from a successful HTTPS response, so a user's very first visit remains exposed unless the host is on the browsers' preload list.
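    To turn the two requirements above into a check, here is an added example (it is not from the original article or from SSL Labs): it parses a Strict-Transport-Security header as RFC 6797 defines it and evaluates a pair of responses, one from the http:// site and one from the https:// site. The responses are constructed inline, and the `check_site` and `parse_hsts` names and the six-month `MIN_MAX_AGE` floor are this example's own choices.

```python
"""Check that a site redirects plaintext traffic to HTTPS and sends a usable
HSTS policy. Added example; the response data below is constructed, not captured."""
from urllib.parse import urlsplit

# Floor chosen for this check: six months. RFC 6797 sets no minimum, and the
# browser preload lists ask for at least one year.
MIN_MAX_AGE = 180 * 24 * 3600


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Directives are separated by ';', names are case-insensitive, max-age takes
    a number of seconds (optionally quoted), and unknown directives are ignored.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"bad max-age: {value!r}")
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def check_site(host, http_response, https_response):
    """Return a list of findings (empty means both requirements are met).

    Each response is a dict with 'status' and lowercase-keyed 'headers'.
    """
    findings = []
    # 1. The plaintext site must redirect, and only to https:// on the same host.
    target = urlsplit(http_response["headers"].get("location", ""))
    if not (300 <= http_response["status"] < 400 and target.scheme == "https"
            and target.hostname == host):
        findings.append("http:// does not redirect to https:// on the same host")
    if "strict-transport-security" in http_response["headers"]:
        findings.append("HSTS header sent over plain HTTP is ignored by browsers")
    # 2. The HTTPS site must send an HSTS policy that browsers will actually keep.
    header = https_response["headers"].get("strict-transport-security")
    if header is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
        return findings
    try:
        policy = parse_hsts(header)
    except ValueError as exc:
        findings.append(f"malformed HSTS header: {exc}")
        return findings
    if policy["max_age"] is None:
        findings.append("HSTS header lacks the mandatory max-age directive")
    elif policy["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append(f"HSTS max-age {policy['max_age']} is below {MIN_MAX_AGE} seconds")
    if not policy["include_subdomains"]:
        findings.append("HSTS policy does not cover subdomains")
    return findings


# Constructed responses: a partially encrypted site and a fully encrypted one.
WEAK_HTTP = {"status": 200, "headers": {"content-type": "text/html"}}
WEAK_HTTPS = {"status": 200, "headers": {"strict-transport-security": "max-age=0"}}
GOOD_HTTP = {"status": 301, "headers": {"location": "https://www.example.com/"}}
GOOD_HTTPS = {"status": 200, "headers": {
    "strict-transport-security": "max-age=31536000; includeSubDomains; preload"}}

if __name__ == "__main__":
    for label, http, https in (("weak", WEAK_HTTP, WEAK_HTTPS),
                               ("good", GOOD_HTTP, GOOD_HTTPS)):
        print(label, check_site("www.example.com", http, https) or ["ok"])
```

    Against a live site you would feed `check_site` the status and headers of a plain `GET http://host/` and of `GET https://host/`; the check deliberately treats an HSTS header seen over plain HTTP as a finding, because browsers discard it and it suggests the header is being set in the wrong place.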

    Deploy modern protocols and cipher suites

    If you haven't looked at your servers in a couple of years, chances are that, even if they are not obviously insecure, they are running obsolete security protocols. If so, you should plan to upgrade as soon as possible to use newer features such as TLS 1.2, forward secrecy, and authenticated encryption (AEAD) suites, and to phase out old ones such as SSL 2, SSL 3, RSA key exchange, CBC suites, and RC4. Additionally, these days SSL configuration is used as a proxy for an organization's overall security posture. This is yet another reason to upgrade now and show that your security is strong!
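    As an added example (not from the article), the following Python classifies OpenSSL-style cipher suite names against the list in the paragraph above and builds an `ssl.SSLContext` restricted to TLS 1.2 or later with forward-secrecy, AEAD suites only. The `weaknesses` and `hardened_context` names, the cipher string, and the constructed `LEGACY_OFFER` list are this example's own.

```python
"""Audit cipher suite names against the guidance above and build a context
that only offers modern suites. Added example; LEGACY_OFFER is constructed."""
import ssl

# Constructed: what a server left alone since 2012 might still advertise.
LEGACY_OFFER = [
    "ECDHE-RSA-AES128-GCM-SHA256",   # passes
    "ECDHE-RSA-AES256-SHA",          # forward secrecy, but CBC
    "DHE-RSA-AES128-SHA256",         # forward secrecy, but CBC
    "AES128-GCM-SHA256",             # AEAD, but static RSA key exchange
    "AES256-SHA",                    # static RSA and CBC
    "DES-CBC3-SHA",                  # static RSA, CBC, 3DES
    "RC4-SHA",                       # static RSA, RC4
]

AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")


def weaknesses(name):
    """Return why an OpenSSL-style suite name fails the guidance ([] means it passes).

    TLS 1.3 suites (TLS_...) always use ephemeral key exchange and AEAD, so they
    pass. For older suites the key exchange is the first token of the name and
    the bulk cipher is visible in the name.
    """
    if name.startswith("TLS_"):
        return []
    problems = []
    if name.split("-")[0] not in ("ECDHE", "DHE"):
        problems.append("no forward secrecy (static RSA key exchange)")
    if "RC4" in name:
        problems.append("RC4")
    elif not any(marker in name for marker in AEAD_MARKERS):
        problems.append("CBC mode, not authenticated encryption")
    if "DES" in name:
        problems.append("3DES")
    return problems


def audit(suites):
    """Map each failing suite to its list of problems."""
    return {s: weaknesses(s) for s in suites if weaknesses(s)}


def hardened_context():
    """Server context: TLS 1.2 or later, ephemeral key exchange, AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # drops SSL 2/3, TLS 1.0/1.1
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!PSK")
    return ctx


def offered_suites(ctx):
    """Names of the suites an SSLContext would offer, as reported by OpenSSL."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for suite, problems in audit(LEGACY_OFFER).items():
        print(f"{suite:32} {', '.join(problems)}")
    print("hardened context offers:", offered_suites(hardened_context()))
```

    The classifier works from the naming convention only, so it is a quick inventory filter rather than a substitute for a full scan; the context shows the same policy expressed the way a Python service would actually enforce it.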

    Phase out your existing SHA1 certificates

    This is not really part of our best practices, but something you need to do today. The PKI ecosystem is transitioning away from weak SHA1 certificates. Although the hard transition deadline is the end of 2016, some long-lived SHA1 certificates already produce warnings in browsers. If you have SHA1 certificates that expire in 2016 or later, replace them now with SHA256 certificates. Alternatively, if you're worried about cutting off the part of your user base on older clients, continue to use SHA1, but only with certificates that expire in 2015.
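    To find the certificates the paragraph above tells you to replace, here is an added example (not from the article) that reads the signature algorithm OID and the notAfter date directly out of a DER-encoded certificate with a small DER reader, then applies the rule above. Nothing here is signed: `skeleton_cert` builds a minimal, constructed Certificate structure only to exercise the parser, and all function names are this example's own. A real certificate can be fetched with `ssl.get_server_certificate` and converted with `ssl.PEM_cert_to_DER_cert`.

```python
"""Read signature algorithm and expiry from a DER certificate and apply the
SHA1 rule above. Added example; skeleton_cert builds constructed test input."""
import datetime as dt

SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
SHA256_RSA_OID = "1.2.840.113549.1.1.11"   # sha256WithRSAEncryption


def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """Split a constructed element's content into [(tag, content), ...]."""
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = der_read(content, pos)
        out.append((tag, value))
    return out


def decode_oid(content):
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:                   # base-128, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_time(tag, content):
    text = content.decode("ascii")
    if tag == 0x17:                         # UTCTime: two-digit year (RFC 5280 4.1.2.5.1)
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return dt.datetime.strptime(text, "%Y%m%d%H%M%SZ")


def inspect_certificate(der):
    """Return the outer signatureAlgorithm OID and notAfter of a DER Certificate."""
    _, cert, _ = der_read(der)
    top = der_children(cert)                # tbsCertificate, signatureAlgorithm, signatureValue
    oid = decode_oid(der_children(top[1][1])[0][1])
    fields = der_children(top[0][1])
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = der_children(fields[3][1])   # serial, signature, issuer, validity, ...
    return {"sig_oid": oid, "sig_name": SHA1_SIG_OIDS.get(oid, oid),
            "not_after": decode_time(*validity[1])}


def sha1_action(info, deadline_year=2016):
    """The rule from the text: a SHA1 certificate that outlives 2015 must go now."""
    if info["sig_oid"] not in SHA1_SIG_OIDS:
        return "ok"
    if info["not_after"].year >= deadline_year:
        return "replace now with a SHA256 certificate"
    return f"tolerable: SHA1, but expires before {deadline_year}"


# --- constructed input: a minimal, unsigned Certificate skeleton for the parser ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += reversed(chunk)
    return bytes(out)


def skeleton_cert(sig_oid, not_after_utctime):
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"150301000000Z") + der(0x17, not_after_utctime))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + der(0x30, b"") + validity + der(0x30, b""))  # empty issuer/subject
    return der(0x30, tbs + alg + der(0x03, b"\x00"))


if __name__ == "__main__":
    for oid, expiry in (("1.2.840.113549.1.1.5", b"160601000000Z"),
                        ("1.2.840.113549.1.1.5", b"151201000000Z"),
                        (SHA256_RSA_OID, b"170101000000Z")):
        info = inspect_certificate(skeleton_cert(oid, expiry))
        print(info["sig_name"], info["not_after"].date(), "->", sha1_action(info))
```

    The check reads the outer signatureAlgorithm, which is the one browsers evaluate; the copy inside tbsCertificate must match it but is not what decides the warning. Run over an exported list of DER certificates, `sha1_action` gives you the replacement queue.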

    Monitor your site and mitigate known problems

    Nothing stays perfectly secure. Even if you do your best today, a new disclosure tomorrow may break your security. The only way to deal with this problem is to continuously monitor your security posture and react when changes are detected. For SSL, we provide free assessment tools on our web site. Our server assessment tool will not only tell you about potential security problems, but also about issues that might impact your site availability. And, if you have a large number of servers to scan, we also have a free API to help you automate that task.

  • 11 Mar 2015 4:12 PM | Deleted user
    Bipartisan bill would increase access to Medicare data

    Retrieved from   |   Beth Walsh  |  Mar 11 

    Bipartisan legislation introduced by Senators Tammy Baldwin (D-Wisc.) and John Thune (R-S.D.) would increase the transparency of healthcare costs in Medicare.
    "Medicare is the single largest payer of healthcare services in the country, spending over $600 billion each year. But we know very little about what we are paying for,” said Baldwin in a release. “The Quality Data, Quality Healthcare Act provides access to that data and puts it into the hands of those who can best use it, helping doctors make more informed decisions and improving how we deliver healthcare.”
    “Almost every business relies on metrics to evaluate what it is doing well and what it needs to improve. CMS, America’s largest health care payer, should be no different,” said Thune. “Providing access to data that can be used to evaluate healthcare services is a critical component of increasing transparency and reducing healthcare costs. I hope our colleagues will join us in supporting this common-sense measure to improve the quality of healthcare while reducing costs.”
    As the largest payer of healthcare in the United States, the Centers for Medicare & Medicaid Services (CMS) sits on a wealth of information that can help inform healthcare providers in making better decisions that will improve patient care and reduce costs. Economists have argued that expanding access to Medicare cost and utilization data will increase efficiency in healthcare delivery, reduce costs and improve the quality of care.

    The senators said that recent efforts by the administration to increase access to Medicare data are promising, but lack the necessary detail and context to be most useful. They said that the Qualified Entity (QE) program is a more promising effort created by Congress that allows organizations to access and analyze comprehensive Medicare data for select purposes. "The QE program has the potential to empower our nation’s healthcare decision-makers to make better choices. However, current law is far too restrictive on which organizations can participate in the QE program, what QEs can do with the Medicare data once they have received it and the degree to which QEs can support their own data maintenance infrastructures," they said.

    The Quality Data, Quality Healthcare Act would allow organizations receiving Medicare data to analyze and redistribute it to authorized subscribers, such as insurers, health systems and physicians, so that subscribers can make more informed decisions. It also would permit those entities to charge a fee to their subscribers so that the organizations can conduct robust analyses to improve healthcare quality and reduce costs.

    The senators first introduced this bipartisan legislation last Congress. It is supported by a broad coalition, including: AARP, American Academy of Family Physicians, ASC Association, Health Collaborative, National Coalition on Health Care, National Association of Manufacturers, National Consumers League, National Retail Federation, Network for Regional Healthcare Improvement, Pacific Business Group on Health, and Midwest Business Group on Health.


  • 11 Mar 2015 3:49 PM | Deleted user
    BCBSMA, American Well to launch video visits pilot with two physician groups

    Retrieved from mobiHealthNews   |   Aditi Pai   |   Mar 11, 2015

    Blue Cross Blue Shield of Massachusetts has partnered with American Well to pilot the company’s video visits offering, called WellConnection, with two physician groups, Emerson Physician Hospital Organization (Emerson PHO) and Lowell General Physician Hospital Organization (LGPHO). BCBSMA nurse care managers will also pilot the offering with members.

    WellConnection is a white-labeled version of American Well’s digital video visits offering that helps patients consult with physicians via their computers, smartphones, or tablets.

    The physician groups participating in the pilot are a part of BCBSMA’s Alternative Quality Contract (AQC) program, which is what the payor calls its accountable care initiative. BCBSMA launched its AQC model in 2008.

    Over the course of the two-year pilot, providers will use WellConnection to conduct video visits with patients to address a variety of health issues that are ultimately up to the discretion of the participating physicians. BCBSMA offered up a few examples: providers can use the offering to monitor a patient’s concussion recovery, offer wellness coaching, check the patient’s response to a medication, or monitor a patient’s recovery after they were hospitalized.

    BCBSMA Director of Network Innovation Greg LeGrow told MobiHealthNews that video visits have the potential to improve cost, access, quality, efficiency, as well as patient and physician satisfaction.
    "On the cost and utilizations front, we really see telemedicine having the capability to better manage cost by scheduling and shifting certain portions of care to a telemedicine or video visit," LeGrow said. "Number two is preventing potential unnecessary emergency department visits as well as shifting some of those visits to other resources. So moving it from, perhaps, a physician to physician extenders or nurse practitioners. We also think there is an ability to improve access. That’s really just providing patients with more timely, convenient, and cost effective alternatives to coming into the office."
    LeGrow added that although cost, access, and satisfaction are important, the cornerstone of the Alternative Quality Contract is to improve quality, and video visits will help with this, especially because, he said, this offering can help providers better manage patients’ chronic conditions, which generally require more frequent follow-ups.

    BCBSMA is encouraging providers to use this tool with all of their patients — even those who are not covered under Blue Cross — but physicians have the discretion to waive fees for their Blue Cross insured patients.
    "Not all providers might want to waive fees for Blue Cross of Mass members for every use case," LeGrow said. "If it is to deal with a simple acute condition, such as a sinus infection, a headache, a urinary tract infection, they may still want to have that service fee and have that service fee be a governor, just like a copay does — to have the patients have some skin in the game. But for conditions where they typically don’t bring patients into the office, if they’re doing chronic condition management and following up with phone calls, they may want to do that video visit. We believe that a video visit could improve engagement with these members and in those cases they’d probably think of waiving those fees."
    An early version of this pilot was first announced in July 2013, but wasn’t launched until now.
    "We have worked very hard to find the right groups who were interested and willing to participate and honestly have the right use cases put forward in order to test the efficacy of telemedicine," LeGrow explained. "So this is coming to fruition."
    When the pilot was announced, American Well CEO Dr. Roy Schoenberg said BCBSMA was one of the first payors "to embrace telehealth under the flag of improving [care] quality".

    The two practices from the Lowell General Physician Hospital Organization participating in the trial are Mill City Medical Group of Lowell and the office of Damian Folch of Chelmsford. Emerson PHO is still identifying which practices from its organization are participating.

  • 10 Mar 2015 12:39 PM | Deleted user
    More on the first five Apple ResearchKit apps
    mobiHealthNews  |  By: Aditi Pai  |  Mar 9, 2015

    During Apple’s most recent event, the company launched a new health offering — arguably its most clinically-focused yet — called ResearchKit. The open source platform helps researchers build medical apps and more easily recruit patients for clinical trials and other research projects.
    "iOS apps already help millions of customers track and improve their health," Jeff Williams, Apple’s senior vice president of Operations, said in a statement. "With hundreds of millions of iPhones in use around the world, we saw an opportunity for Apple to have an even greater impact by empowering people to participate in and contribute to medical research. ResearchKit gives the scientific community access to a diverse, global population and more ways to collect data than ever before."
    With the patient’s permission, researchers can collect certain data points, for example weight, blood pressure, glucose levels, and asthma inhaler use, from HealthKit. HealthKit is a health platform from Apple that launched in September and syncs data from third party apps and devices to a user-facing app called Health. Depending on the data needed for the study, researchers can also use the ResearchKit platform to request access to the smartphone’s accelerometer, microphone, gyroscope, and GPS sensors. These sensors could help in studies looking at, for example, a patient’s gait, motor impairment, fitness, speech, and memory.

    Already, Apple has partnered with several big name medical institutions to launch five apps that address: asthma, breast cancer, cardiovascular disease, diabetes and Parkinson’s disease. These apps are supported on the iPhone 5, iPhone 5s, iPhone 6, iPhone 6 Plus, and the latest generation of iPod touch.

    Here are the first five apps using Apple’s ResearchKit platform:

    Asthma Health by Mount Sinai was developed by the Icahn School of Medicine at Mount Sinai, Weill Cornell Medical College, and LifeMap Solutions. The app aims to help patients adhere to their treatment plans and avoid asthma triggers. Patients can use the app to record daytime and nighttime asthma symptoms as well as how they affect the patient’s activities. It also tracks daily usage of controller and rescue inhalers along with asthma triggers: colds, increased physical activity, strong smells, exhaust fumes, house dust, peak flow, and animals. Finally, it tracks emergency department visits, medical visits, and changes in medication. The app will also send updates about when users should take medication and what the air quality is like in a specific location.

    To join the study, users need to be 18 or older, have asthma confirmed by a doctor and be prescribed medication for asthma. If the participant smokes, has another lung condition, or has congestive heart failure, they can’t participate.

    Share the Journey was developed by the Dana-Farber Cancer Institute, Penn Medicine, UCLA’s Jonsson Comprehensive Cancer Center, and Sage Bionetworks, a nonprofit research organization. This study also received funding from the Robert Wood Johnson Foundation. The app aims to analyze why some breast cancer survivors recover faster than others, why patients’ symptoms vary over time, and what can be done to improve their symptoms. The app will send patients questionnaires and collect sensor data to track five common symptoms of breast cancer treatment: fatigue, mood, cognitive changes, sleep disturbances, and changes in exercise. ResearchKit will pull data from HealthKit to collect data on steps, sleep, and the patients’ birthdate, height, and weight. Patients will also contribute to an in-app diary about their data. According to Sage Bionetworks, recording this data should not take longer than 20 minutes per week.
    "One reason to build these apps and run these studies is to see whether we can turn anecdotes into signals, and by generating signals, find windows for intervention," Stephen Friend, president of Sage Bionetworks and Share the Journey principal investigator said in a statement. "We’re most interested in disease variations, and the hourly, daily, or weekly ebb and flow of symptoms that are not being tracked and completely missed by biannual visits to the doctor."
    To participate in the study, the patient must be a woman between the ages of 18 and 80.

    Parkinson mPower study app was also developed by Sage Bionetworks, but this one was created in partnership with University of Rochester, Beijing Institute of Geriatrics, and The Michael J. Fox Foundation for Parkinson’s Research. mPower stands for "mobile Parkinson observatory for worldwide, evidence-based research". The app description explains that although "living with Parkinson disease means coping with symptoms that change daily," these changes are not tracked frequently enough. The mPower app aims to help users track their symptoms using activities including a memory game, finger tapping, speaking, and walking. The app will also collect data from wearable devices. Although the app aims to further research in Parkinson disease, the researchers encourage people with or without Parkinson disease to download the app.
    "We know that Parkinson’s disease symptoms fluctuate over the course of a day, or a week, but that has never been measured objectively," Ray Dorsey, co-director of the Center for Human Experimental Therapeutics at the University of Rochester Medical Center, said in a statement. "The mPower study will enable us to learn from patients, and we’ll be able to give information back to patients so they can manage their conditions regardless of where they live and regardless of their mobility."
    GlucoSuccess was developed by Massachusetts General Hospital to help their research team create a crowd-sourced database of health behaviors and glucose values for people with type 2 diabetes, but the researchers also aim to help patients learn how their behaviors affect their health. Participants will track activity duration and intensity, diet information, blood glucose measurements, body weight, and waist size. The app will help remind users to log blood glucose data and record diet information through nutrition tracking app LoseIt. Using this data, GlucoSuccess will be able to provide users with insights into how their fitness and nutrition data relate to "finger-stick blood glucose values". Participants must be 18 or older, live in the US, and have an existing diagnosis of pre-diabetes or diabetes.

    MyHeart Counts was developed by Stanford Medicine to help the medical organization improve their understanding of heart health. The app measures activity through the Apple Watch, which offers a heart rate sensor, sensors in the iPhone, or a third-party wearable activity device linked to Health app. It will also ask users — who are able — to complete a 6 minute walk test. If users sync their cholesterol results and blood pressure, the MyHeart Counts app will also calculate their risk for future heart attack or stroke and provide them with a "heart age." Stanford explains that on top of providing reminders about recording activity and sleep and completing surveys on physical activity readiness, the university "may also ask you to test different approaches to help you be more active so we can understand how mobile apps in the future can help prevent heart disease." Participants must be 18 years or older, based in the US, and able to understand English.

  • 26 Feb 2015 9:57 AM | Deleted user
    Tableau for Healthcare Professionals
    Beginner and Intermediate Level

    March 12-13, 2015  |  Waltham, MA

    MHDC Members: receive a 10% discount!

    This two-day course is designed for the healthcare professional who works with data (regardless of technical or analytical background), with a beginner to intermediate Tableau skill level. The course will be delivered through lecture with demonstration, followed by extensive hands-on practice with specific healthcare case studies in Tableau-ready workbooks. Our course is designed to resonate with the healthcare professional using the language and data of healthcare.

    This hands-on healthcare-centric training program integrates the best practices of data visualization as you learn how to build tables, graphs, charts and dashboards using Tableau software. Onsite training computers will be equipped with Tableau software, workbooks and healthcare datasets that have been selected to best demonstrate different visualization types.

    Learning Objectives

    When you complete this course you will be able to:

    • Connect to data utilizing a variety of options
    • Effectively navigate the Tableau workspace layout – components, shelves, data elements, and terminology
    • Effectively build basic data reports using the following visualization types:
      • Text Table
      • Bar Graph
      • Line Chart
      • Area Chart
      • Scatter Plot
      • Table Lens
      • Box and Whisker
      • Histogram
      • Small Multiples
      • Bar / Line Variance
      • Geographic Map
      • Heat Map
      • Bullet Graph
      • Pareto Chart
    • Use the sort, group, bin, hierarchy, set, and filter options effectively
    • Create and utilize basic calculated fields, table calculations, and parameters
    • Use Trend Lines, Reference Lines, and statistical techniques to describe the data
    • Work with the many formatting options to fine tune the presentation of your visualizations
    • Effectively use table joins and data blending
    • Combine visualizations into Interactive Dashboards
    • Describe options for sharing your visualizations with others
    • Describe how to ensure the security of the healthcare data
    Course Information
    • Course Instructor: Dan Benevento, our Principal and Senior Consultant, is Tableau-certified and a data visualization expert with a passion for using healthcare data to save the world. A black belt in the use and application of Tableau, Dan has collaborated with IT teams at leading companies and organizations nationwide to build databases and create hundreds of time-saving, high-impact reports and dashboards. His interactive perioperative dashboards and reports custom-designed for Directors of Surgery have streamlined medical procedures, lowered costs, and made patients safer.
    In addition to Dan, Tableau instructors will be circulating the room to answer specific questions and provide individual attention as needed.

    Questions: Email questions to or call 617-663-5510 between the hours of 9:00am and 5:00pm EST.

  • 25 Feb 2015 2:04 PM | Deleted user

    Retrieved from Life as a Healthcare CIO: John Halamka, MD

    Making Time for Innovation

    CIOs are at a challenging crossroads in their careers.   Regulatory burdens, security threats, and changing reimbursement models have led to a demand for change that seems overwhelming.   As workflow pressures increase, it’s easy to declare IT the rate limiting step.

    Given that many CIOs are ready to raise the white flag of defeat in desperation, finding time for innovation amidst the swirl of must do projects can be a challenge.

    My hope, and something I strive to do, is to take the long view, asking what innovations we’ll need in the next few years, which will enhance productivity, and possibly serve as generalizable tools, reducing the number of requests for niche systems.   As I think about 2016, here are a few of the kinds of innovations I think we’ll want for healthcare organizations:

    1. In our home lives, we use cloud hosted storage accessible on our personal devices.   How can we give folks the same easy access to their files (in lieu of the SSLVPN web-based access) while still protecting patient privacy?
    2. In our home lives, we use social networking - Facebook, LinkedIn, and Google+ to provide collaboration spaces for sharing ideas, messages, and files among groups.   How do we offer these kinds of applications to support our work lives?  Is Slack a good fit for healthcare organizations?
    3. In our home lives, we use texting for communication among teams.   How do we deploy secure, enterprise grade texting that is fault tolerant, supports delegation (if you are unreachable), role-based messaging (the current administrator on call, whoever that is), and auditability?   Per Harvard rules, I must disclose that I serve on the Board of Directors for Imprivata which produces such a product.   I will recuse myself from any decision making processes about secure texting procurement.
    4. As I’ve blogged about previously, patient generated healthcare data will become increasingly important and we need to be able to incorporate objective data (home devices) from smartphone middleware like HealthKit and subjective data (electronic patient reported outcomes).
    5. Interoperability use cases will increasingly require closed loop transactions with tighter coupling among organizations.   The FHIR work accelerated by the Argonauts group is the best path forward to achieve this goal.

    As usual, sometimes we buy innovation and sometimes we build innovation. 

    If practical, we should procure these services from cloud-based software as a service providers.

    We need to work closely with our compliance and legal colleagues to balance risk and benefit, accepting that with all change and innovation there is a risk of the unknown.    We can mitigate risk in the face of ambiguity.

    Often organizations focus on the short term - the tyranny of the urgent.   Carving out time for innovation with a long term view is necessary to create true breakthroughs.   A dozen short term sprints will not add up to the marathon of transformation that is only accomplished via a steady pace over time.

Massachusetts Health Data Consortium
460 Totten Pond Road | Suite 690
Waltham, Massachusetts 02451

For more information,
please contact Arleen Coletti
by email or at 781.419.7818


© Massachusetts Health Data Consortium