Recently, I took a bunch of heat for writing that Anthem was right not to encrypt. My point was that the application encryption is just one of several security measures that add up to a security posture, and that we needed to wait until we got more information before condemning Anthem for a poor security posture.
A security posture is the combination of an organization’s overall security philosophy as well as the specific security steps that the organization takes as a result of that philosophy. Basically the type of posture taken shows whether an organization takes security and privacy seriously, or prefers a “window dressing” approach. I argued that simply knowing that the database in question did not have encryption was not enough detail to assess the Anthem security posture.
Well we have more evidence now, and its not looking good for Anthem.
March 2nd through the 8th were National Patient Safety Awareness Week – I don’t really know what that means either. We seem to have a lot of these kinds of days and weeks – my daughters pointed out that March 4 was National Pancake Day – with resultant implications for our family meals.
But back to patient safety and National Patient Safety Awareness Week. In recognition, I thought it would be useful to talk about one organization that is doing so much to raise our awareness of the issues of patient safety. Which organization is this? Who seems to be leading the charge, reminding us of the urgent, unfinished agenda around patient safety?
It’s an unlikely one: The Office of the Inspector General of the Department of Health and Human Services. Yes, the OIG. This oversight agency strikes fear into the hearts of bureaucrats: OIG usually goes after improper behavior of federal employees, investigates fraud, and makes sure your tax dollars are being used for the purposes Congress intended.
In 2006, Congress asked the OIG to examine how often “never events” occur and whether the Centers for Medicare and Medicaid Services (CMS) adequately denies payments for them. The OIG took this Congressional request to heart and has, at least in my mind, used it for far greater good: to begin to look at issues of patient safety far more broadly.
Taken from one lens, the OIG’s approach makes sense: the federal government spends hundreds of billions of dollars on healthcare for older and disabled Americans and Congress obviously never intended those dollars pay for harmful care. So, the OIG thinks patient safety is part of its role in oversight, and thank goodness it does.
Because in a world where patient safety gets a lot of discussion but much less action, the OIG keeps the issue on the front burner, reminding us of the human toll of inaction.
Yesterday’s New York Times headline read that “Medicare Is Faulted on Shift to Electronic Records.” The story describes an Office of Inspector General (OIG) report, released November 29, 2012, that faults the Centers for Medicare and Medicaid Services (CMS) for not providing adequate oversight of the Meaningful Use incentive program. Going after “waste, fraud, and abuse” always makes good headlines, but in this case, the story is not so simple.
For those not intimately familiar with the CMS policy, in 2009, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act. The program, administered through CMS and state Medicaid programs, created financial incentives for doctors (and other eligible professionals) and hospitals to adopt and “meaningfully use” a certified electronic health record (EHR). To receive financial incentives, which began to be paid in May 2011, doctors and hospitals “attest” that they have met the meaningful use requirements, providing an affirmation for which they are held legally accountable.
The process works as follows: health care providers visit a CMS website, register, and enter data demonstrating that their EHRs are “certified” and that they met each of the individual requirements for meaningful use. Then they attest that that all the data they entered is true. For example, a physician might have to report, to meet just one of the 20 meaningful use measures, how many prescriptions she wrote over the past 90 days, and how many she wrote electronically. My conversations with colleagues suggest that it can take a lot of time for providers to gather all the data they need to “attest” to meeting Meaningful Use. Then, CMS runs logic checks to ensure that the numbers entered make sense and, if there are no errors, they cut the provider a check. Through September, 2012, CMS paid out about $4 billion in incentives to 82,000 professionals and more than 1,400 hospitals.