Marion K. Jenkins, PhD, FHIMSS

It is not uncommon to read commentaries from healthcare thought leaders about healthcare IT projects that fail, either failing to meet objectives, failing to come in on time/on budget, or failing entirely. Within the provider community there seems to be an abundance of anecdotal stories of EHR and other technology failures. Some of these stories are perpetuated by the EHR software vendors themselves. Right after a practice has had a very promising demo from software vendor A, software vendor B comes in and says, righteously, “Oh, we just deinstalled system A in a practice. It was a disaster but now they are very happy.”

These stories, some no doubt real and some perhaps not, tend to stir up angst about healthcare IT projects in general and EHRs in particular.

Why do IT projects fail? Here are the major reasons, and they affect not only healthcare but other industries as well:

Why healthcare IT projects fail

It is critical that all the appropriate skills, planning, and management go into an HIT project before, during, and after implementation. Failure to understand and avoid the problems that plague all IT projects will almost guarantee certain failure.

Articles

Six major reasons that do not apply only to healthcare. 

I have been in information technology (IT) and automation for over 30 years in a variety of industries, and in healthcare IT for the past decade. So I have seen my share of the good and bad in IT.

In most industries, IT has gained widespread adoption, revolutionized operations, and increased productivity and efficiency. Unit output per worker, and the quality of that output, is measurably better, even in the brick-and-mortar world. Checkout at the grocery or hardware store is so simple and automated that we can do it ourselves - which saves us both time and money. Bar code scanning and price databases have greatly eliminated errors and "Price check on register eight" episodes. When we go to the airport, airline counter kiosks speed us through the check-in process in record time, even though the number of passengers has more than doubled and the number of employees is about one-fourth of what it used to be. Most industries are on their fourth or fifth generation IT systems, wringing the next few percentage points of efficiencies out of their systems.

In healthcare, on the other hand, even five years after ARRA/HITECH promised unprecedented billions of dollars to upgrade EMRs to EHRs, there are still many pundits who argue whether IT even has a place in healthcare. They claim that healthcare is too complicated, too fragmented, and too full of disparate processes and data types to lend itself to digitization and automation. Most healthcare entities are on their first generation systems, and according to two reports from Health Information Management Systems Society (HIMSS) Analytics, fewer than 

 in the US have achieved the highest level of adoption, implementation, and optimization of EHR systems. 

So in consequence, when we go to the doctor's office we are still typically faced with the proverbial clipboard at the check-in desk, and then when we are referred to go to the lab or imaging center or another clinic, we have to manually recreate our health history from memory for the umpteenth time.

Many healthcare software vendors claim their systems reduce costs and improve patient care, and point to statistics and case studies that supposedly prove their point. Early adopters and clinicians from mature, well-run healthcare IT system implementations are featured at national healthcare conferences, with almost rock-star type status. Indeed, I have met many clinicians and staff who work for organizations that have overcome the "digital divide" and have become highly automated, and if you ask them if they would ever go back to paper, they scoff at the idea.


The literature is also full of negative news about IT and EHRs, with headlines and content - much of it anecdotal - about the negative effects of technology in healthcare. If you ask almost any physician if they have had a negative experience with their technology, or know someone who has, the answer will be yes at least 90 percent of the time. And at these same conferences featuring the healthcare technology believers, there is a persistent whisper in the audience of incredulous disbelief. And sometimes during a Q&A session, I've seen the whisper essentially erupt into a debate between believers and non-believers.

But much of this view has to be taken with a grain of salt, as the information is frequently taken out of context or without all the facts.

Indeed there was = an article a few years ago 

, with the primary culprit being lost revenue. But if you read the actual article, it was not based on experience, it was based on a survey of physicians who were 

 to see a drop in productivity. So although it was technically a statistical study, it was based on opinion, not on fact.

Clearly there is a self-fulfilling prophecy concept here. If you expect something to be bad, it probably will be.  

What is the source of the data supporting the naysayers? Are there data to back up the horror stories of physicians leaving in droves, or shutting down their practices, to either avoid going the IT route, or in response to an IT disaster?

It is a fact that there have been many well-publicized IT failures in healthcare. What is not widely appreciated is that across all industries, IT projects have a failure rate that some experts believe could be as well over 10 percent. (A failure in this context generally understood to mean that the implementation failed to meet expectations in all three areas: time, cost, and user requirements. In roughly another significant percentage of cases, the system implementations are not fully successful in one of these key areas, but at least the implementations were somehow rescued rather than abandoned.  

Here are many well-known examples in literature. The industry journal 

, costing companies like Hershey Foods and jeweler Shane Company millions, but none of them were in healthcare.

The literature is also full of root-cause analyses and case studies of these and many other failures, and essentially all of them point to improper executive and organizational buy-in, lack of proper planning, poor user training and implementation, failure to develop requirements and matching them with systems capabilities, and dealing with the impact of changes to the organization.

These are all major factors in healthcare, so for healthcare IT projects to have even half a chance to be successful, it needs executive and organizational buy-in to even start.

So, as a pro-technology, pro-EHR, pro-automation expert, my advice to reluctant physicians and practice executives who are considering an EHR is simple: 

. If you don't believe it will work, it won't work.

On the other hand, with proper buy-in, good user requirements matched with a good vendor product, proper budgeting, planning, and implementation, healthcare IT can be a real game-changer, and can definitely contribute positively to the three pillars of the 

Institute for Healthcare Improvement (IHI) triple aim

: lower costs; better outcomes; and improved health of patient populations.

The debate over pros and cons of health IT persist, but to find success in your medical practice you need one key element: buy-in from the key players.

Success with Health IT Requires Buy-in, Not Just Budget

The recent conference of the Health Information Management Systems Society (HIMSS) was held in Orlando from February 23-27. HIMSS is mostly comprised of healthcare IT executives and consultants working in and serving the "large market" segment of healthcare, which includes hospitals and large clinics, integrated delivery networks, independent physician associations, and accountable care organizations. HIMSS has about 55,000 members nationwide and over 40 state/regional chapters.

If you have not been to a HIMSS annual conference recently (or never), the numbers are staggering. This year, there were about 38,000 attendees, which was up about 10 percent over last year. There were more than 300 educational sessions, plus another hundred or so breakout sessions, luncheons, and breakfasts hosted by vendor partners as well as state HIMSS chapter organizations and other associated groups like nursing informatics and regulatory bodies.

If past conferences are a guide, the ratio of attendance from exhibitors and consulting companies is interesting - vendor attendees typically outnumber the attendance from provider organizations (i.e. hospitals, etc.) by about 3 to 2. That number is a bit misleading, however, as many of the vendors and consultants who attend are actually doing so on behalf of one or maybe several of their provider organization clients.

There were over 1,200 exhibitors (up about 7 percent over last year). If you spent just five minutes with each one, that would be over 100 hours, not counting walking the exhibit hall floor, which itself is about a mile long. Spending just one additional minute with each vendor would add another 20 hours to your trek. Exhibitors also occupied more space than last year, up by about 20 percent according to reports from HIMSS staff.

Needless to say, the only way to have a good HIMSS annual meeting experience is 1.) Wear comfortable walking shoes; and 2.) Map out your plan ahead of time so you aren’t wandering all over.

The "Best of HIMSS" List (arbitrary categories and selection by this author) 

• Best giveaway: Google Glass and GoPro cameras

• Biggest booth: Cerner, at 13,000 square feet. Cost? Priceless?

• Smallest booth: 10x10. (It’s still several thousand dollars, and many of those exhibitors looked like they were NOT getting their money’s worth…)

• Live attractions that had the absolute least connection to healthcare IT, but seemed to garner the most attention: Slight-of-hand magicians, carnival barkers, sand painters, speed artists, game show setups.

• Most handy attendee "creature comfort": The golf cart shuttles that would take you from one end of the exhibit hall to the other in about 10 minutes (on one ride, a guy "riding shotgun" would stop at various exhibitor booths along the center aisle, and get the rest of us riders the trade show swag of our choosing.)

• Loudest vendor party: Greenway Medical, at the Hard Rock CafÃ© at Universal Studios.

• Most outrageous cab fare: A $73 tab from Universal to the Orlando Airport. Highway robbery.

Under the primary conference theme of "Onward," the subthemes of HIMSS14 included "Innovation," "Impact," and "Outcomes." The focus of vendor exhibits and conference sessions seemed to be usability, optimization, and getting healthcare IT to work for clinicians and actually impacting patient care.

While all vendors certainly showed off their latest systems, devices, gadgets, and software, the underlying theme seemed more focused on making things work, rather than just the dazzle and buzz of the latest and greatest tech gear.

The vendor solutions presented ranged from the broadest-reaching possible, including all-encompassing software and consulting services designed to attempt to handle literally all IT issues across an entire healthcare organization, to extremely narrow niches, such as keyboards that could be used in a sterile environment, or high-performance battery packs for mobile devices.

I have been to many HIMSS conferences, and of course they always offer the latest and greatest. In fact at past conferences the sheer depth and breadth of "what’s new in IT" has seemed overwhelming, almost to the point of leading to technology shellshock among attendees, and gridlock among vendors.

This conference seemed different, at least to me and to several others I talked to. Attendees seemed to be intent on finding solutions, and vendors seemed intent on demonstrating the real-world value of their solutions, tying them into better patient outcomes and provider usability rather than simply the newest tech "bright shiny object."

Mobility, interoperability, security, Telehealth, measurable patient outcomes, etc., were some of the major underlying themes. Vendors who couldn’t somehow tie their solutions into the overall healthcare IT picture - and specifically to the Institute for Healthcare Improvement's Triple Aim of better population health, lower per capita cost, and better patient experience and outcomes - were not perceived as real players on the national healthcare IT stage.

Apparently even the two million square feet of exhibit space in the Orange County Convention Center in Orlando isn’t big enough for HIMSS15. Next year, the conference is moving to the McCormick Place in Chicago, which is about 30 percent bigger. The conference will also be moved from March to April, no doubt out of respect to the Polar Vortex.

Here's some observations from my walkabout with 38,000 of my closest friends in healthcare IT, better known as the HIMSS14 Conference recently held in Orlando.

HIMSS14: One Attendee's In-depth Look at All Things Health IT

 we discussed how "cloud" is ready for prime time in healthcare. That blog contained information on what cloud services are, how they work, and why they are part of most physicians' - and virtually all hospitals' - IT strategies going forward.

This month we address cloud myths and misnomers, concluding with a "cloud checklist" for practices.

Many ads, marketing materials, and salespeople make the cloud sound like it's magically foolproof, implying that going to the cloud makes all your IT troubles magically disappear. Many users don't think about the fact that cloud services contain all the IT hardware, software, and related complexity that is represented with any IT installation. In fact a cloud hosting facility contains massive servers, storage systems, and network gear. The main difference is that a properly designed cloud hosting facility has IT systems with much more computing horsepower, with systems that are designed to support thousands or even millions of users, and it is configured and managed by much more skilled technical resources.  Cloud is not automatically foolproof.

Many people have the opposite opinion than the one above, that cloud is risky. Cloud services can be risky, especially if they are not designed, configured, and maintained properly. And there have been many well-publicized cloud outages. In most cases if you look at the root causes of the major cloud outages, they are traceable to IT principles that were either ignored to begin with, or IT operations that were not followed over time. Properly designed and managed cloud services should be more reliable than onsite IT infrastructure.

Cloud can be cheap. In fact some cloud services are "free." But to borrow and slightly tweak a phrase from Homer’s Odyssey, “Beware of 

 bearing gifts,” you need to watch out for hidden costs.  Many times those free cloud services come with annoying ads and pop-ups, sometimes including spyware, which is designed to track your web browsing habits. If cloud services are free, there is always a catch.  If it is incredibly cheaper than other solutions (including your on-site servers) then something is missing.  Properly designed and configured cloud services can be less expensive, depending on the circumstances, but it's a significant difference then you likely don't have the whole story.

This is obviously the opposite of the myth above, so how can some people think cloud is cheaper while others think it is more expensive? In most cases we have seen, a properly designed cloud infrastructure is less costly than a comparable on-site client/server installation, especially over time. If you are looking at a comparison of the two solutions and cloud is significantly more expensive, you are probably not looking at an apples-to-apples comparison. Cloud services typically have real-time geographic replication, which means you not only have one installation of your servers and data, but a second site that is ideally located several states away. In case of disaster in one data center, you can be up and running within minutes (or less) in the other data center. To properly compare such dual-site cloud services, you have to account for that with an onsite model.  That almost always makes cloud a more attractive option economically.

5. If your EHR is hosted in the cloud, you are HIPAA compliant

There are many cloud hosted EHR solutions out there. Whether an EHR is hosted in the cloud or onsite, HIPAA compliance (with the EHR) is more or less a given. But what is critical to understand is that of the 700+ HIPAA breaches reported by HHS since 2009, not a single one of them involved an EHR. Instead those breaches involved data that had been exported out of an EHR in the form of documents and reports, and stored locally on a server, a workstation, a laptop, or a portable USB drive. So it's not the EHR that needs the benefit of a secure cloud hosting facility, it's all the other items like files, documents, spreadsheets, images, PDFs and the like. A proper healthcare cloud solution should include all elements of a clinic's functions - both clinical and business office.

6. Cloud providers should be "HIPAA-certified."

There is no such thing as a formal “HIPAA certification,” at least not yet.  Cloud providers who claim they are HIPAA certified (as a formal and specific designation) are stating something that's incorrect, and this may indicate their ignorance of the HIPAA Security Rule in general. As the checklist below indicates, a formal HIPAA compliance program is essential, along with the cloud provider's willingness to execute a Business Associate Agreement. 

1. Ask questions and get comfortable and make sure you understand what your are getting … you should be able to get the same comfort level with a cloud provider as  you would with an on-site or internal IT solution. Your cloud provider should be able to explain exactly what services are being provided - but more importantly - exactly how those services are going to be delivered. If they cannot explain the services at a level that you can understand, that is a giant red flag.

2. Insist that your cloud provider provide documentation of their HIPAA compliance program, and insist that they sign a Business Associate Agreement (BAA). If they will not, or if you don't get a comfort level of their understanding of and compliance with HIPAA, do not move forward. A simple outside audit or a claim that they are “HIPAA Certified” is a giant red flag.

3. Check references. This sounds simple but is often ignored. 

4. Find out how long the cloud provider has been offering these types of services. Many cloud providers have started up in the last few years and they do not have extensive history in healthcare IT. Here is nothing inherently wrong with a startup, but you need to understand how much history a cloud provider has with healthcare.

5. Don't assume that just because your EHR is hosted you are HIPAA compliant, and all your applications are covered. You need to have a solution for all business and clinical functions, many of which happen outside of your EHR. In fact there has not been a single breach due to an EHR, whether hosted or onsite. You need to address all documents and reports, such as Word and Excel files, as well as financial systems and e-mail. Speaking of e-mail, Internet service provider (ISP) e-mail such as Gmail, Hotmail, etc., is not - nor can it be made to be - HIPAA compliant.

There are many myths about cloud IT services. Here, we dispel the major ones and provide a checklist for those considering a trip to the cloud.

Cloud Myths and Misinformation Physicians Must Consider

Chances are, you've heard about cloud computing but may not know much about it and how it relates to HIPAA. Here, we answer a few key questions about cloud services.

Cloud hosting has many variants and goes by many names, but it generally refers to the IT model where a medical practice uses computer servers and data-storage systems located in a service provider's data center rather than onsite at the practice. Some people think that since the word "cloud" is used, there is somehow magically no more hardware issues to worry about. On the contrary, a typical cloud-hosting facility has massive amounts of hardware and software systems. 

Cloud is so new, is it right for healthcare?

Cloud hosting is actually not a new concept. In fact, versions of cloud hosting under different names have been around for nearly 30 years. In the early days of massive mainframes, such companies as Boeing Computer Services and Computer Science Corporation offered these services under the terms "timeshare" and "service bureau." Over the years many other labels have been used, including application service provider (ASP), software-as-a-service (SaaS),infrastructure as a service (IaaS), utility computing, and hosting. Finally about five years ago, the label "cloud" finally took hold, and although some of the terms above are still relevant in specialized circumstances, cloud hosting covers the overall concept.

What has made it an attractive solution for healthcare? 

Recent advances in several areas, including server and storage virtualization, and increased bandwidth of broadband services, have made cloud hosting much more attractive. In addition, server architecture - including both processing horsepower and processing (CPUs) - have become massively scalable. And improvements in management software have significantly added to both performance and reliability. These advances in technology have prompted significant changes in the way cloud services can be configured and delivered.

Cloud services are not automatically HPAA compliant. In fact,not only are many cloud providers not HIPAA compliant, they are wholly ignorant of HIPAA principles. The new HIPAA Omnibus rule released earlier in 2013 required all service providers to undergo a HIPAA compliance and remediation program by September 23, 2013. 

(If you are using a cloud provider, you should contact them and request a copy of their HIPAA compliance program documents, and also request that they sign a Business Associate Agreement. If they cannot produce them, or they are reluctant to execute a BAA, you have a major problem.) 

Cloud-hosting services can be made HIPAA compliant, provided proper HIPAA security is built into the platform, along with HIPAA-compliant processes and procedures for its operation. 

Note: There are some common "cloud services" that you may be familiar with or are already using that are definitely not HIPAA compliant.  These include common web mail services from many Internet Service Providers (ISPs) such as AOL, Gmail, Hotmail, etc. These are not - nor can they be made to be - HIPAA compliant. In addition, most of them specifically prohibit any kind of business use, so in using them in conjunction with a medical practice typically violates their "Terms of Use" policies. 

What are the big advantages of cloud over onsite servers, storage, etc.?

Perhaps the biggest advantages are in the ability to grow as the practice’s needs grow, and to avoid the costly and disruptive effects of repeated computer upgrades every few years. Most people understand that new computer systems are obsolete within a few months after they are installed.  So system designers have to anticipate future needs and buy more capacity than they really need, based on anticipated requirements of a few years down the road. Eventually the needs increase and even the "new" equipment becomes underpowered. So in a computer system "lifecycle," for the first few years there is too much capacity, and for the last few years there is too little capacity. Therefore for most of the time, the system is either too big or too small. 

Cloud services allow the computing horsepower - CPU, memory and hard drive space - to be "dialed-up" as needs increase, so it can keep pace with the needs of the practice. And generally that upgrade can be done without the downtime typically associated with a computer system "forklift upgrade."

And a good cloud provider is generally able to offer access to hardware and software tools that would be unaffordable to a typical practice. 

This is critical, and it is important to make sure you understand what is being provided to the practice by a cloud provider. With onsite servers and other infrastructure, you have to have staff (or contract with an IT provider) to maintain your servers and take care of things like data backups, operating system patches, etc.  With cloud hosting, those services are still necessary, and in most cases they can be provided more efficiently than with an onsite model. However not all cloud providers deliver those services automatically, so you need to check and make sure.

No, since there is still hardware, software - and people - involved, there is still the potential for outages and downtime, so you need to do your homework and make sure you understand the risks as well as the advantages.

does that mean I’m good to go as far as HIPAA is concerned?

Not at all. There has never been a reported HIPAA breach from an EHR - either hosted or onsite. The main culprits have been e-mail, files stored locally, and the theft of portable devices like laptops and USB drives. So you need to consider your non-EHR applications, and make sure they are properly secured. This is true whether those applications are running locally or with a cloud provider. One advantage of properly designed cloud services is that they tend to not allow healthcare data to be stored on local devices.

Next month: Cloud myths and misnomers, along with a healthcare cloud checklist

Recent technology advances make cloud hosting an attractive option for healthcare. But HIPAA compliance is not automatic.

Why Cloud Services are Ready for Prime Time in Healthcare

Worried about potential HIPAA security breaches? You don’t need to worry about your EHR …and that’s the problem.

HIPAA was signed into law nearly 20 years ago by President Bill Clinton. With all the administrative overhead that has developed over the years as a result, it’s easy to forget that the “P” in HIPAA stands for "portability" (not "privacy," or “Pain-in-the-neck.”). It was designed to make it easier for our health records to be portable, so we as patients could have more choice and more control over providers.

That was clear back in 1996, and all medical practices, clinics, and hospitals dutifully developed and rolled out their HIPAA compliance policies, most of which created very little value for either patients or providers. 

The HIPAA Security Rule didn’t come out until 2003. It became effective in 2005, and it governed electronic records; up until then HIPAA only covered paper records. By that time, most practices and facilities were sick of HIPAA, and besides, HIPAA Security was much more complicated. Most practices assumed their IT departments and/or software vendors had HIPAA taken care of, so they largely ignored HIPAA Security.

ARRA/HITECH and Meaningful Use: The carrot and the stick …and it's a very big stick

The American Recovery and Reinvestment Act/Health Information for Economic and Clinical Recovery (HITECH) Act in early 2009 allocated billions of dollars to encourage healthcare entities to significantly increase their use of EHRs. Privacy interests were concerned about potential risks, and they managed to get a significant increase in penalties written into the HITECH verbiage. Specifically, the maximum fines were increased from $25,000 to $1.5 MILLION.

Under ARRA/HITECH, the number of practices that have adopted EHRs has nearly doubled, but the effective penetration rate is still under 50 percent. There are many reasons, including the mere fact that transforming an entire industry from paper to electronic is going to take more than just a few years.    Many pundits have also pointed to HIPAA risks as a reason to eschew EHRs. The thought process for some is that with Wikileaks, third-world hackers, and poorly designed software, EHRs represent an open door to HIPAA Security breaches. Some people make it just another excuse to ignore the many benefits of EHRs.

What do the actual HIPAA breach numbers show?

 that lists all HIPAA breaches since 2009 that have involved more than 500 patient records. There have been nearly 700 reported breaches, and including a recent breach in Illinois involving nearly 4 million patient records, the total number of patient records is now nearly 27 million.

More importantly, what are the sources of those breaches? What can we learn about actual risks from the breach data?

First, by doing a simple word search through all of the words in all fields (location, type of breach, and summary description) the following five key words combine for more than 75 percent of the largest breach risks:

A search of "location=" in the HHS database reveals five issues that combine for over 75 percent of all breaches:

Portable: 12 percent ("other portable electronic device")

A search through "type of breach" reveals three issues that combine for more than 75 percent of all breaches:

Theft: 55 percent (includes theft plus other causes)

If you search through the HHS database for the word “EHR,” you indeed find it listed in 2 percent of the cases, but when you research the actual breach events, those incidents are not specifically related to, caused by, or within the EHR itself. They happen outside of the EHR.

Therefore, if a person argues that the increase of EHRs has increased HIPAA risk, the argument is not backed up by the data.

So what are the biggest HIPAA Security risks?

The biggest risks are not the Internet bad guys lurking in Who's-Bekistan, or a nascent genius trust-fund baby hiding in some darkened dorm room at High-Tech/Nerdy-University. The biggest risks are caused by - or enabled by - clinical and business office employees doing things with computer systems that they have no business doing, and doing it on IT systems that were poorly designed and poorly implemented.

 was caused by theft of some laptops. That's not an IT problem, it's a system-design and human-behavior problem. Most of the other breaches have the same or similar root causes. Systems that are poorly designed, poorly implemented, and poorly operated are the root cause of the vast majority of HIPAA breaches.

IT systems should be designed such that no data is able to be stored on local devices, including laptops, workstations, portable USB drives, or any other device. They should be secured in a medical-grade data center environment, and old-fashioned client-server architecture, which has been the traditional model for the last 20 years, should be replaced with virtualized thin- or zero-client technologies. 

If you think the HIPAA compliance documentation from your EHR vendor makes you HIPAA compliant, you better think again.