Healthcare IT (HIT) Strategic Planning & Budgeting
March 26, 2014
Agenda
- Introduction / Session Overview
- HIT Budgeting 101
- Security and Compliance
- EHR Budgeting
- HIT: Where Are We Going
- Q & A
Copyright Winxnet, 2014. Confidential and Proprietary.
Introduction
Christopher Claudio, Co-Founder / CEO, Winxnet
- Winxnet: national leader in HIT consulting; IT & EHR outsourcing, consulting and management for healthcare organizations, IDNs and hospitals
- 70+ employees, 4 locations, southeast New England
- Board of Trustees, Maine Medical Center (637-bed tertiary hospital, largest in the State of Maine)
- EPIC executive committee, MaineHealth (top 100 IDN)
- Multiple IT governance and strategy committees for primary care and specialty/sub-specialty practices
- Microsoft, Cisco and Citrix certified engineer
Session Overview
- HIT Budgeting 101: the core considerations
  - Foundational budgeting / IT governance
  - Myths that cost your practice money
- Security and compliance planning
- EHR budgeting today and in the future
- HIT: Where are we going?
- Q & A
HIT Budgeting 101: The Foundation
The Budget Process
- Physician and administrative leadership involvement
- IT steering committee / executive committee
- Strategic plan alignment
- An annual process: start at least 3 months before the fiscal year
- Capex v. Opex analysis
- Document it (Strategic IT Plan)
- Plan for change (10% variance)
HIT Budgeting 101, Continued
Capital expenses to always budget for:
- Hardware / software / networking
- Projects
- Telecommunications
- EHR upgrades
- Training
- Security/compliance audit
Operating expenses to always budget for:
- EHR / application maintenance
- Cloud services
- Telecommunications
- IT management / support
- Security and compliance
10 Myths That May Cost Your Practice $
1. PC / device / laptop lifecycles are every 3 years
2. Software lifecycles are every 1-3 years
3. Maintenance/warranty support is required for every device
4. Cloud solutions are always cheaper
5. HIPAA police don't exist
6. My vendors are compliant because they told me
7. Data storage is expensive
8. My EHR is certified, so I am HIPAA compliant
9. Changing EHRs will fix everything
10. My EHR vendor will address the problems
11. My EHR data is getting backed up
Privacy vs. Security
- Privacy Rule: sets the standards for who may have access to PHI
- Security Rule: sets the standards for ensuring that only those who should have access to ePHI actually have access
- Security: far more documentation and updates required; the messy one, ongoing and ever changing
- The Privacy Rule applies to PHI in electronic, oral or paper form
- The Security Rule applies only to ePHI
That Was Then
- In 2010, there were 212 major healthcare breaches, affecting 5.4 million patients
How and where:
- 49% of ePHI data breaches came from lost or stolen mobile devices
- 81% of providers use mobile devices to access and/or store patient data
- 49% of providers do not protect mobile devices containing patient data
This Is Now
- From 2011-2013, there were 540 major healthcare breaches, affecting 21 million patients
- 400% increase
2011 By the Numbers*
- 149 breaches of protected health information (PHI)
- 10,841,802 patient health records affected
- 49,396 average number of patient records per breach in 2011 (80% increase over 2010)
- 59% of all patient records breached involved a business associate (vendor)
- 39% occurred on a laptop or other portable device
- 25% occurred on a desktop PC or server
- 60% resulted from malicious intent (theft, hacking)
- 97% increase in total records breached, 2010-2011
- 76% increase in records breached involving a business associate, 2010-2011
- 525% growth in records breached due to loss, 2010-2011
- The top 5 major incidents resulted in 57% of all patient records breached
- The top 20 major incidents resulted in 88% of all patient records breached
*Minimum of 500 individuals affected
2012 By the Numbers*
- 192 breaches of protected health information (PHI)
- 2,983,984 patient health records affected in 2012
- 21.5% increase in the number of large breaches in 2012 over 2011
- 70% decrease in the number of patient records
- 67% of all breaches were a result of theft or loss
- 57% of all patient records breached involved a business associate
- 5X: historically, breaches at business associates have impacted 5 times as many patient records as those at a covered entity
- 38% of incidents were a result of an unencrypted laptop or other portable electronic device
- 63.9% of all records breached in 2012 resulted from the 5 largest incidents
- 780,000 records breached in the single largest incident of 2012
*Minimum of 500 individuals affected
2013 By the Numbers*
- 199 breaches of protected health information (PHI)
- 7,095,145 patient health records breached in 2013
- 137.7% increase in the number of patient records breached, 2012-2013
- 85.4% of the total records breached in 2013 resulted from the 5 largest incidents
- 4,029,530 records breached in the single largest incident
- 83.2% of patient records breached in 2013 resulted from theft
- 22.1% of breach incidents in 2013 resulted from unauthorized access
- 35% of 2013 incidents were due to the loss or theft of an unencrypted laptop or other portable device
- ~20% of PHI breaches have involved a business associate each year from 2009-2013
- 10.2% of patient records breached involved a BA
*Minimum of 500 individuals affected
Breach Numbers* - Summarized
- 804 breaches of protected health information (PHI) since 2009
- 29,276,385 patient health records affected since 2009
- 21% of breaches involved a BA, 2009-2013
- 57% of total patient records breached involved a BA, 2009-2012
- 10.2% of total patient records breached involved a BA, 2013
*Minimum of 500 individuals affected
HIT Security and Best Practices
- Assessing your risk
- IT governance
- Technology
- Encryption / Mobile Device Management (MDM)
- Summary
Assessing Your Risk
- Physical
- Logistical/administrative
- Technical
- Procedural
- Organizational
IT Governance
- Measurable
- Repeatable
- Accountable
- Good systems/tools (SIEM)
- The right people
Technology
News flash: no single solution
- Firewalls
- Intrusion detection/prevention
- Reporting (SIEM)
- Encryption: hardware, resting data / PHI, messaging
- Security policies: passwords (length/complexity/duration/storage (not)), enforcement
- Systems management tools / best practices (see IT Governance)
- Technology can't beat common sense: be smart / teach
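The password line above names four policy dimensions (length, complexity, duration, and not storing the password itself). The following Python example, added here and not part of the Winxnet deck, shows what enforcing those four dimensions looks like in code: a policy check for length and complexity, a record that keeps only a salted PBKDF2 hash (so the cleartext is never stored), and a verification step that rejects a password older than the maximum age. The thresholds (12 characters, 3 character classes, 90 days, 200,000 rounds) and the sample date are constructed assumptions, not values from the slides.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Policy thresholds are constructed assumptions for this example, not numbers from the deck.
MIN_LENGTH = 12          # "length"
MIN_CLASSES = 3          # "complexity": lower, upper, digit, symbol
MAX_AGE_DAYS = 90        # "duration"
PBKDF2_ROUNDS = 200_000  # work factor for the stored hash


def check_password_policy(password: str) -> list:
    """Return the names of the policy rules the password fails (empty list = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < MIN_CLASSES:
        failures.append("complexity")
    return failures


def store_password(password: str, now: datetime) -> dict:
    """Keep only a random salt, the PBKDF2 digest and the set date ("storage (not)")."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "set_on": now}


def verify_password(record: dict, candidate: str, now: datetime) -> str:
    """Return 'ok', 'expired' (duration rule) or 'bad' (wrong password)."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ROUNDS)
    # Constant-time comparison so a wrong guess is not distinguishable by timing.
    if not hmac.compare_digest(digest, record["hash"]):
        return "bad"
    if now - record["set_on"] > timedelta(days=MAX_AGE_DAYS):
        return "expired"
    return "ok"


def demo() -> dict:
    """Run the four checks on a constructed password and date; returns the outcomes."""
    now = datetime(2014, 3, 26)  # constructed date for the example
    pw = "Correct-Horse-Battery-9"
    record = store_password(pw, now)
    return {
        "weak": check_password_policy("short"),
        "strong": check_password_policy(pw),
        "login": verify_password(record, pw, now),
        "wrong": verify_password(record, "wrong", now),
        "stale": verify_password(record, pw, now + timedelta(days=91)),
        "cleartext_stored": pw in str(record),
    }


if __name__ == "__main__":
    print(demo())
```

The record written by store_password is what a compromised database would expose: a salt and a slow hash, not the password, which is the practical meaning of "storage (not)" on the slide.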
Mobile Device Management / Encrypt
- USB locks / physical locks
- GPS locate
- Remote wipe
- Encryption: all devices
- BYOD policing / management
- Clinical device management
- Education
Security / Compliance: Top 5 Budget Items
1. HIPAA security risk analysis (annually)
2. Encryption: all devices (clinical device management / ancillary)
3. Install a Security Information and Event Management (SIEM) tool
4. Managed security services
5. Staff training / documentation of policies and procedures
EHR Budgeting
1. Support and maintenance
2. Upgrades (ICD-10, MU)
3. Interfaces
4. BI / ACO reporting
HIT Future
1. EMR vendor consolidation
2. HIE collapse into IDNs (public to private HIE)
3. Rigorous reimbursement criteria expansion (PCMH, capitation)
4. Interface innovation
Questions & Comments