Ransomware focus limits healthcare IT progress in 2017
"Cyber" came into its own in 2017. As hackers hit healthcare and other industries with ransomware attacks that crippled some companies for weeks, the term has been on the tip of every executive's tongue.
Now, companies are putting their energy and money into cybersecurity as they try to protect themselves from digital threats.
But that focus reflects more than the growing landscape of cyber threats; it also reflects the relative lack of focus—or at least broad progress—on other health IT topics in 2017. Interoperability continues to elude the industry, delays in electronic health record requirements mean old technology can stick around for a bit longer, and general uncertainty stymies confidence in what comes next.
If there was a bright spot in healthcare's technological progress in 2017, it was telemedicine. The majority of providers now offer telehealth services. In May, Texas became the final state to allow telemedicine visits without in-the-flesh preliminary meetings, symbolizing the acceptance of the practice across the country.
There were important shifts—a new head of the Office of the National Coordinator for Health Information Technology, for instance, and an electronic health record deal between Cerner and the VA—that point to a 2018 in which health IT buzzwords, like interoperability and "meaningful," will continue to evolve, as the industry insists upon technology that doesn't just sound good but actually makes good on its patient-care promises.
In the most high-profile attack of the year, hackers unleashed the WannaCry ransomware in May onto hundreds of thousands of computers around the world, including those at the U.K.'s NHS. The software took over machines, encrypted files, and demanded ransom in return for decryption.
Soon after WannaCry wreaked havoc on information systems, hackers let loose another piece of malware, dubbed NotPetya. That malware took down several healthcare organizations in the U.S., including Merck and Nuance. It took Nuance weeks to come back online after the attack.
"There was a huge switch this year in the threat world," said Mac McMillan, CEO and co-founder of privacy and cybersecurity consulting firm Cynergistek. "Now, threat actors have decided it's ok to disrupt a hospital and affect patient care so they can extort money," he said. "That's a big deal. It basically points to the concept that they will risk patient safety to commit a crime."
As attacks have increased, so has vigilance. But McMillan worried that people still aren't going to really take action until someone gets injured because of a cyberattack.
Nevertheless, the Health Care Industry Cybersecurity Task Force took a proactive step in June, releasing recommendations for new security frameworks and amendments to anti-kickback laws.
Meanwhile, most healthcare organizations have implemented cybersecurity training programs. Some even send out fake phishing attacks to teach employees how to recognize malicious emails.
The focus on email makes sense, since it's the most common entry point, followed by network servers, according to the Office for Civil Rights Breach Portal. Overall, by the end of November, HHS had received 314 breach reports since the beginning of the year, affecting 4.7 million people.
Along with email, the industry has also recognized another potential point of entry: internet-connected medical devices. A hacker could break into a health system's entire network through an internet-enabled pacemaker. Or the hacker could make the pacemaker malfunction. That concern led to the recall of 465,000 Abbott pacemakers in August.
Theoretically, if a medical device were on the same network as a hospital's EHR, hackers could also break into the EHR through the device, using it as a point of entry to all the data in the network just as they might break into a home network through a connected device like an Amazon Echo or Google Home.
Certified EHRs and regulatory relief
The very technology that hackers take advantage of to compromise data is the same technology that providers take advantage of to improve patient care. While electronic health records help providers reduce unnecessary tests and treatments, they're also a bane for physicians who spend about half of each day working with EHRs.
"There still remains a real frustration around EHRs and usability and whether or not there should be federal mandates to use technology as opposed to incentives to use it," said Anders Gilberg, senior vice president of government affairs for the Medical Group Management Association.
The CMS tried to help with that administrative burden by putting off requirements for physicians and Medicare-eligible hospitals to use 2015-certified EHR technology, allowing them to use 2014-certified EHR technology for another year without being penalized. That change gave providers more leeway in software choice, preventing what would have been last-minute scrambling to get certified EHRs in place and protecting them from penalties.
"The thing they are not calling for is the demise of the meaningful use program," pointed out Leslie Krigstein, vice president of congressional affairs for the College of Healthcare Information Management Executives.
The ONC also tried to reduce the regulatory burden on vendors, announcing in September that it would allow vendors to "self-declare" meeting most of the criteria for getting their products certified. The agency said the change would make the ONC Health IT Certification Program more efficient.
But some worried that deregulation could put patient safety at risk.
That was the concern with eClinicalWorks' software. The company found itself in legal trouble a couple of times in 2017 for lying about its software's capabilities. In one case, a patient claimed he couldn't ascertain from his EHR records when he first had symptoms of cancer. In May, the vendor settled a different case with the government, agreeing that it and some of its employees would pay $155 million for misleading regulators.
Telemedicine was a clearer technological bright spot for providers in 2017. Providers and telemedicine companies say the technology could cut costs. They also say it could broaden access to healthcare, which it did in the aftermath of the hurricanes that swept the southern part of the country this fall. Then, some companies offered their services for free to those in hurricane-hit areas.
But telemedicine is still somewhat nascent. Though most states have telemedicine parity laws that require commercial payers to reimburse in-person and telehealth encounters equivalently, and there's legislation pending to expand Medicare coverage, limited reimbursement stymies the technology.
"Medicare is behind and is just catching up," said Alexis Gilroy, chair of the American Telemedicine Association's business and finance group. "There's been a misperception of increased utilization and cost to the Medicare program by opening up telemedicine."
The VA has been leading the charge for telemedicine lately. In August, VA Secretary Dr. David Shulkin announced the VA's "anywhere to anywhere" healthcare initiative, which would allow providers to care for patients virtually across state borders, no matter where the providers or patients are. In November, the House passed a bill that would allow VA healthcare providers to do just that.
Interoperability—or the lack thereof
Healthcare is still an industry of data silos, with patient data held apart by different EHRs. The 21st Century Cures Act tasked the industry with improving interoperability, and it also prohibited data-blocking. But though systems are getting better at sharing information, they're not truly interoperable yet.
Take Epic's Share Everywhere, for instance, announced in September: A patient can grant any provider access to his or her records, which are viewable through a web browser. But that's it—those records are not integrated into the receiving provider's EHR.
While the feature is an important step forward, the technology is still more about providing access to data than about true interoperability.
Critics of the VA's EHR have long complained about the lack of interoperability between it and the DoD's system. That may soon change, though, thanks to Cerner, whose technology the DoD contracted to use in 2015 and whose technology the VA will begin implementing as soon as a contract is signed (imminently, is the word on the street).
"The age of interoperability is upon us," said Chuck Christian, vice president of technology and engagement for the Indiana Health Information Exchange. "The industry has realized that in order for us to truly have an impact, we need more information about the patient than just what is contained in our (EHR)."