Month: May 2020
Should My Healthcare Practice Be 100% In the Cloud?

IT leaders at healthcare practices face immense pressure to find the holy grail of technical footprints. They seek something cost-effective, secure, and that delivers optimal ROI. Compounding that pressure is the fact that, in the minds of many of their executives and investors, that holy grail is the cloud.
Cloud computing is more than a trend; it’s here to stay. According to a research report by Global Market Insights, the size of the healthcare cloud computing market is on track to exceed $55 billion (USD) by 2025.
With nearly 20 years of experience in healthcare IT, our team is deeply familiar with the technical environments and considerations for specialty healthcare practices across the US. The following are answers to some of the questions we get most frequently about cloud computing. For a more personalized cloud analysis, specific to your practice’s needs, contact our experts.
QUESTION 1: “Should I be 100% Cloud?”
I’m a healthcare practice with hundreds of employees and multi-site operations. We use a cloud-based electronic health record, but still locally host several other applications. Should I be entirely in the cloud?
ANSWER:
First, let’s establish a definition of what it means to be in the cloud and differentiate between public versus private clouds.
Most commonly, when people refer to the cloud, they’re talking about virtualized servers running on hardware you don’t own with a multi-tenant configuration; this is a public cloud. In cases where you own the physical servers and host virtual servers on them, you essentially have your own private cloud. For purposes of this FAQ, we are not referring to “pure-cloud” applications that are delivered 100% via web browser and maintained by the software vendor. A few mainstream examples of those, in our client base, would be Athena Health or specialty systems like FlatIron’s OncoEMR.
Based on the still-high costs of pure public cloud, our experts find that the best practice is to design a combination using both public and private clouds. Consider an appropriately-sized private cloud to run key production software that would otherwise generate large amounts of consumption-based billing on a public cloud like Amazon or Azure.
Typically, the ROI on purchasing enterprise-grade server hardware and hosting your own private cloud is less than 24 months in this case. There are many other use-cases where a public cloud makes a lot of sense right now, including bulk data storage and disaster recovery. Consider services like AWS S3 or Wasabi to capitalize on inexpensive storage and keep the size of your private cloud as small as possible.
In some cases, moving certain applications directly to the cloud provides immediate savings in support and operating costs. Examples would include Office 365 and “Cloud Hosting,” another sometimes cost-effective option between a pure-cloud application and a private cloud.
QUESTION 2: Private Cloud
Will I always need to have or host some hardware in a private cloud setup?
ANSWER:
This answer will change over time as the costs of public cloud drop. Two of the biggest drivers of cost when using the public cloud to host production servers are the cost of data ingress and egress (essentially, how much data you upload, download, or change daily) and the amount of CPU processing power needed.
Since most healthcare applications typically have high data change rates and use a lot of processing, it is often cheaper to host them in a private cloud. Still, we suspect this will shift over time, and at some point, it will no longer be advantageous to maintain your own private cloud.
QUESTION 3: Managing my Cloud
How do I keep track of all of this?
ANSWER:
The array of options available to healthcare practices requires specific expertise to build and maintain a plan that matches the business’s specific needs. Path Forward customers receive a quarterly business review and an updated minimum security requirements checklist. As part of this quarterly review, we provide a 24-month forecast of hardware needs for the internal private cloud, as well as recommendations for migrating to the public cloud cost-effectively over time.
With the ever-changing landscape of cloud technologies and emerging cloud providers, there isn’t a substitute for doing your research and updating your plan at least four times a year!
Have a question about your IT configuration?
If you don’t see the answer to your question here, drop us a line or use our live chat website feature. We’re happy to work with you to sort out the best blended-cloud configuration for your healthcare practice.
Which Is Your MOST Critical Password?

How many passwords do you currently keep track of? Maybe 20, 30, or more than 50? It can feel like hundreds because we use them constantly. Passwords allow us to access almost everything we do in a day – whether it’s for work or listening to music. As of 2019, the average American maintains passwords for 27 online accounts (Harris poll). (Other studies, commissioned by commercial interests, report an average of upwards of 80+ passwords per person.)
Regardless of whether you fall on the low or high end of that range, it’s a lot of passwords. Despite all the available guidance and tips for creating strong passwords, studies show people’s habits generally fall short.
Everyone probably knows a friend who got locked out, unable to access their email, social media or other personal online accounts. Then that person spent days on the phone with tech support trying to prove their identity.
Why Do People Struggle with Personal Password Security?
- People don’t want to relinquish control of their passwords. The first commandments we learn when establishing our online presence are: “Don’t share your password with anyone. Don’t write your passwords down.” There’s a built-in distrust of tools like password managers. Pew Research Institute reports that only 3% of internet users rely primarily on password managers.
- It’s hard to remember a lot of different passwords. People want to make passwords easier to remember, so they use patterns, change one character in an existing password, or reuse passwords for multiple accounts. A security survey conducted by Google found 65 percent of people use the same password for multiple or all of their accounts. This data is quite surprising given the hundreds of articles published each year advising against exactly that.
Online Security: Stay Ahead of Hackers
With so many people working from home now, it can feel like we’re online most of the day. It’s more important than ever to be mindful of how we protect our own little personal sphere in a way that minimizes the risk of having our identity compromised.
Four Steps to Keeping Your Identity Safe
1. Change Your Mindset: Take a cue from your employer. Most employers have robust password management processes and multi-factor authentication (MFA), so you’re probably already using these technologies and processes. Following the lead of the IT experts at your company is free security advice that we could extend into our personal lives, but somehow we view it as separate from our personal life.
2. Adopt These Two Solutions:
- Password Manager or Vault. Password management technology is now more available and mainstream than it used to be. It also requires careful research and an ongoing commitment to consistently using the technology for it to work effectively. In the future, we may be able to eliminate the use of passwords permanently, but until that happens, a password manager is the best solution.
- Multi-factor Authentication (MFA). MFA protects your account even if someone has guessed or stolen your password. After a password is successfully entered and before granting access to an account, the technology confirms your identity. It requires you to engage with an auto-generated confirmation link, phone call, or text message to your personal device to authenticate your identity.
The common downside of MFA is that, by design, it will be much more difficult to gain access to your account if you don’t have the other factor available.
MFA is only available when a company has built it into their website. Use this technology whenever a website or business offers it.
3. Enlist Expert Advice: Selecting and setting up a password manager requires careful attention to ensure a proper setup, because the risks of doing it wrong are significant. If the explanations sound too technical, enlist a tech-savvy friend or a professional for additional guidance.
If you are using an MFA app that generates tokens on your phone and plan to buy a new phone, be aware that the MFA security app will not restore from a backup automatically. Be sure to find out how to restore your MFA security app before turning off your old phone.
4. Have a Good Recovery Plan: Your rescue plan will include your most critical password for protecting your online identity. Whether it gets you into your password manager (preferred!) or your primary email account, this one password deserves your very best effort in applying every best practice.
Stay Diligent
Keep in mind, the first line of defense in protecting your personal online identity is to stay alert and be aware of scams and suspicious links. While user error certainly isn’t the root cause of all account breaches, it is an area of risk. It’s also important to follow best practices for password creation. With diligence, strong passwords, and technologies like a password manager and MFA, you can significantly improve the security of your online identity.
5 Ways to Protect Your Healthcare Practice

Compliance is daunting enough in a year without a pandemic. This year we’ve faced constant change: telehealth privacy issues, entire departments working from home, redesigned processes, and worldwide phishing attacks that take advantage of confusion and change. Through it all, our regulatory and reporting deadlines are knocking at the door.
It can be hard to stay focused on both the urgent and the important. Your compliance team can help you prioritize and manage your regulatory and contractual to-do lists.
Balancing Act
As a compliance officer and compliance advisor, I work with our internal team and with healthcare practice clients to help prioritize obligations and to balance operational improvements with financial realities.
Many healthcare practices have seen a significant financial impact from Covid-19. Resources and time are in short supply. So this to-do list focuses on some fundamental compliance work. You can also download a more detailed checklist here.
5 Ways to Protect Your Healthcare Practice
1. Update your risk assessment and business continuity/ disaster recovery plans.
Heavyweight champ Mike Tyson famously said, “everyone has a plan until they get punched in the mouth.” No matter how good your plans were before Covid-19, chances are that things haven’t gone as planned. Update your plan with what you learned. What went well? What were the unexpected challenges? For example, prevention is much less expensive than remediation, so make sure your plan includes keeping security patches up to date.
2. Revisit your monitoring and auditing standards.
Given all the changes in 2020, it’s easy to overlook your regular checks and balances, even something as routine as reviewing your bank statements. Keeping an eye on your billing and collections is critical. So is making sure you continue to meet payor and regulatory standards, whether it’s commercial insurance, state filings, or Medicare. Your compliance team can help you prioritize and perform your internal controls.
3. Update your policies and procedures.
Many practices didn’t have formal standards for teleworking or telehealth sessions before Covid-19. Maybe your information systems usage policy doesn’t prohibit unsecured wireless networks, or maybe your annual risk assessment didn’t include employees working at home. Standards that made sense before the pandemic will still need to be reviewed. Again, use what you learned over the past few months. Many policies need revisiting in light of more robust work-from-home and telehealth arrangements for physicians and staff.
4. Catch up on due diligence for new vendors.
Have you added a new telehealth vendor, or did you outsource billing or printing services? Have your existing vendors kept up with training, background checks, and other compliance requirements? Keep in mind that CMS and other payors—as well as your cybersecurity insurance policy—may require proof that you kept up on your due diligence.
5. Don’t sleep on (or during) HIPAA and compliance training.
HHS did not address mandatory compliance training in its Covid-19 guidance. We have to assume that training deadlines haven’t changed. If you added new staff during the past few months, the clock is ticking for HIPAA and CMS training. Don’t forget that insurers and states may require additional training, too. Training will only get harder to schedule as we get closer to December 31.
Anticipate the Next 3 Steps
While it’s not clear yet whether recent changes to compliance requirements are going to become permanent, it’s important to prepare for them as though they will. Enforcement of security measures will adapt to meet changes in technology, and we know telehealth is here to stay in one capacity or another. Temporary HIPAA allowances for Covid-19 disclosures have spurred discussions on how we share information on other threats to public health.
Investing time now to evaluate your compliance plan will pay dividends and keep the important from becoming urgent. If you need guidance, please reach out to me. We offer free compliance consultations to help healthcare practices sort out what needs to be done to #comebackstronger.