Despite being a prime target for hackers, some healthcare organizations may not be as focused on cybersecurity as you might think.
And it seems those healthcare organizations are mainly payer organizations, according to a survey of 115 senior-level healthcare professionals conducted by the HealthCare Executive Group (HCEG) in which 62% of respondents are from payer and integrated delivery systems. Instead, healthcare organizations are focused on reimbursement.
The results of the survey showed that the top three main concerns of healthcare professionals for 2018 include clinical and data analytics, population health services, and value-based payments. Cybersecurity, on the other hand, was number six on the list.
Ferris Taylor, chair of the board of directors of the HealthCare Executive Group and COO at Arches Health Plan in Salt Lake City, believes one reason these issues top the list for healthcare organizations, including these payer organizations, is that creating interoperability in order to make it possible to bring various types of data together in one place is a priority.
“We’re seeing that interoperability … is really a difficult challenge, getting legacy computer systems to talk to each other. But the part of healthcare that is attainable and actionable is bringing the data together,” Taylor said. “Clinical [data] is a very important part of that top ten statement, clinical and data analytics, because we have administrative data, but now it’s time to bring in all of the pieces of data.”
While Karen Clark, CIO at OrthoTennessee in Knoxville, Tenn., agrees, she believes the main driving force behind clinical and data analytics, population health services, and value-based payments being the top three concerns is that they are all necessary for reimbursement.
“The first three items on this list are really all facets of the same thing,” Clark said. “If you’re going to manage population health in order to participate in value-based payment methods, then you’ve got to have data analytics.”
Bundled payments are a driving force
Clark explained that bundled payments, an alternative payment method, for example, could be motivating healthcare organizations to focus on those top three items.
Previously, everything for a procedure would be billed independently, Clark said. For example, if a patient went to the hospital for a surgery, the hospital would bill for all the hospital costs, the surgeon would bill for his or her professional services, the therapy company would bill for any rehab work that the patient needed, and so on.
However, with bundled payments, this is no longer the case.
“In a bundle, the entity who owns the bundle is given a lump sum of money for all those costs and they’re responsible for managing the patient’s preoperative care, the procedure, and then the post-acute care,” Clark explained.
Clark used the example of a patient who has diabetes where the provider is responsible for the entire episode of care.
Clinical and data analytics would be used to determine the percentage of patients who did not have their A1Cs under control and what the complications, were as well as the risk for readmission, Clark said. With this knowledge, the provider can optimize patient health for the best procedure, as well as suggest a post-acute care plan that will have the best outcome, she said.
“So you use clinical and data analytics to give you this data you need to make those decisions. Population health comes into the picture because now instead of just being concerned with the surgery the surgeon is doing things that typically he did not do before,” Clark added. “And then, of course, the bundle is the value-based payment.”
The issue of cybersecurity vs. compliance
Clark believes that cybersecurity may not have shown up higher on the list of priorities for healthcare organizations because often people mistake cybersecurity to simply mean compliance.
“You can be compliant with all the regulations around protecting PHI — and certainly you should be — but that is the bare minimum for making your practice secure,” Clark said. “If we were to help medical practices identify this as risk management, it would go to the top of the list or near the top.”