Friday, 17 November 2017, 2:26 PM
Site: KW Foundation | Campus
Course: KW Foundation | Campus (KWSN | KW Foundation Social Network & Campus)
Glossary: Glosario eSalud | eHealth Glossary
S

SaaS application development on PaaS: 5 steps to reduce risk

by System Administrator - Monday, 11 August 2014, 1:35 PM
 


by Judith M. Myerson

Developers need only follow these five steps to mitigate the risks of SaaS application development.

AWS Elastic Beanstalk (beta) is a useful tool for cloud architects and developers who want to deploy, monitor and scale Web applications quickly, on an as-needed basis. All they have to do is upload their code and let Elastic Beanstalk automatically handle the deployment -- from capacity provisioning, load balancing and autoscaling to application health monitoring. At the same time, they can retain full control over the AWS resources powering the application. They can even use the Elastic Beanstalk console to access the underlying resources at any time.

That said, developing Web applications on platform as a service (PaaS) comes with vulnerabilities. Threat agents include hackers, software design flaws or poor testing methods. These can take advantage of vulnerabilities in order to infect or halt the application.

By mitigating the risks of SaaS application development on PaaS, cloud architects and developers become more aware of the significant threats to their application. These insights can then contribute to higher return on investment, simply by implementing cost-effective safeguards. They also can reduce the costs of disaster recovery by reducing the frequency of vulnerability exploitation.

Here are five steps to start reducing your risks:

  • Identify assets
  • Identify vulnerabilities and threats
  • Assess risks
  • Fix with safeguards
  • Implement risk mitigation policy

Step 1. Identify assets

Identify assets associated with software-as-a-service (SaaS) application development on PaaS, then assign a value to each asset. Determine the categories where the assets should belong. Here are some examples:

Users: SaaS developers and SaaS users would both fit into this category. The value of each user group should be based on the average number of man hours spent in developing and testing the application.


Resources: These are any resources that are used by PaaS developers to run and store the SaaS application. For example, Elastic Beanstalk leverages Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service, Amazon Simple Notification Service, Amazon CloudWatch, Elastic Load Balancing and Auto Scaling. The value is based on pay-as-you-go for these resources. Elastic Beanstalk is free.

Security: This could mean encryption mechanisms, firewalls and industry security standards, including SecaaS (security as a service). The value is based on the man-hours used to implement security.

Documentation: Training manuals, administration guidelines, security standards, network standards, contingency planning, disaster recovery plans and service-level agreements (SLAs) are just a few examples of documentation. The value is based on the type of media used to publish the documentation -- print, online or digital media (CD).

Software: Operating systems; vulnerability testing tools; office tools (documents, spreadsheets, presentations); log analyzers; and programming languages (Java, .NET, the PHP script language, the Node.js programming language, Python and Ruby) would all qualify as software. The value is based on the purchase price or the pay-as-you-go subscription needed to develop the SaaS application on PaaS.

Step 2. Identify vulnerabilities and threats

Hackers are not the only threat agents who could take advantage of PaaS vulnerabilities. Here are other examples of threat agents:

  • Software design flaws could let in malicious SQL injections.
  • Improper access control configurations could result in theft of the sensitive data the application is processing for storage.
  • Improper firewall configurations could result in accidental PaaS outages.
  • Data recovery is vulnerable because of the cloud characteristics of pooling and elasticity: resources allocated to one user could be accidentally reallocated to a different user, and it is not always possible to recover data from a previous user.

Step 3. Assess risks

Users want to be assured that PaaS will be available continuously and that their demand for more traffic can be met. One method of assessing the risk of unavailability is quantitative. Some examples include:

  • Estimated frequency per year that the PaaS would become unavailable due to infrastructure as a service (IaaS) outages
  • Estimated frequency of PaaS attacks due to improper firewall configurations
  • Estimated frequency of not meeting performance guarantees set forth in an SLA
  • Estimated frequency of unsuccessful failover of network routers and switches that support the IaaS on which the PaaS runs.

Step 4. Fix with safeguards

Implementing cost-effective safeguards is one way to mitigate the risks of SaaS application development on PaaS. Here are some examples:

  • The application has been properly designed with no software flaws. PaaS developers and cloud architects have the adequate skills and instructions to develop well-designed applications on the PaaS.
  • Access control configurations have been properly configured for users based on their different roles and/or data sensitivity. The logging option has been activated.
  • Firewalls have been properly configured. Intrusion detection systems and load balancers are in place. A PaaS failover mechanism policy is enforced. The traffic to and from the PaaS has been encrypted.

Step 5. Implement risk mitigation policy

The process of identifying assets, identifying vulnerabilities and threats, assessing risks, and implementing safeguards can vary from one department to another within an organization. To standardize and reduce the cost of the process, a risk mitigation policy should be implemented.

The policy should include the AWS resources, programming languages and servers that are used to develop, run and store the application on the PaaS -- in this case, Elastic Beanstalk -- and how often the policy should be reviewed due to major technology changes, as well as changes in both user and organizational requirements.

In conclusion, have a good team follow the five steps involved in mitigating the risks of SaaS application development on PaaS. A quality group of PaaS developers will help to plan ahead and determine what the cost-effective risk mitigation process should entail.

This was first published in July 2014
 

Secondary Storage

by System Administrator - Monday, 11 August 2014, 5:53 PM
 


Secondary storage, sometimes called auxiliary or external storage, is non-volatile storage that is not under the direct control of a computer's central processing unit (CPU) or does not directly interact with an application.

Typically, secondary storage is used to back up primary storage through replication, which involves holding a secondary copy of the data. To choose an effective secondary storage medium, one must first understand the data's value, how often it's used and how it will be accessed. External hard drives, portable flash drives, CDs, DVDs and cloud backup are often used for secondary storage.

In a business environment, an older network-attached storage (NAS) box, SAN array or tape may be used for secondary storage. Object storage systems can also be used as an inexpensive way to implement secondary storage and lessen the demand on primary storage arrays. The growth of corporate data has prompted many storage managers to move data to secondary storage to ease the strain on primary storage systems, reclaim more expensive storage arrays and maintain older data in an easily accessible form to satisfy business and regulatory requirements.

Secondary storage is usually asynchronous; as a result, the data in secondary storage may not be as current as the data in primary storage, especially when backups are not policy-driven and automated. Generally, secondary storage devices perform at a lower level than primary storage and are less expensive. For many companies, placing a second class of storage between their primary storage and archived storage is the first step toward a tiered storage environment.


Bit rot is the slow deterioration in the performance and integrity of data stored on storage media. It is also known by the names bit decay, data rot, data decay and silent corruption. Storage array vendors are aware of bit rot and build their products to identify flaws in disks before they place them in arrays, and then monitor disks in production to detect rot before it becomes a problem. While the frequency of bit rot in data is typically low, it can be increased by wear, dust or other contaminants, background radiation and instances of high heat. To guard against bit rot, administrators should periodically go through stored data and compare it to a known copy. 


LUN management is the process of assigning, provisioning and overseeing logical unit numbers (LUNs) across a storage environment. LUN management is a standard feature in storage management software. Since an enterprise storage array may host more than 10,000 LUNs, it is important for administrators to be able to efficiently create and manipulate LUNs. Masking and zoning are key features of logical unit number management. LUN management tools can be vendor- or product-specific, or heterogeneous, allowing LUNs to be managed across all storage platforms. Some LUN management tools are able to reclaim storage that is no longer needed and provide administrators with reporting capabilities.


Link: http://searchstorage.techtarget.com/


Securing Industrial Systems

by System Administrator - Tuesday, 28 October 2014, 3:41 PM
 

National infrastructure systems pose unique security challenges for firms

Organisations responsible for critical national infrastructure need to face up to system security flaws. We identify the causes and potential solutions. 

Please read the attached article


Segments of Digital Health Consumers

by System Administrator - Thursday, 7 August 2014, 5:48 PM
 

New Research Reveals 4 Segments of Digital Health Consumers

Market research firm Parks Associates has announced new digital health research revealing four digital health consumer segments based on their attitudes toward their health and healthcare solutions: Healthy and Engaged, Challenged but Mindful, Unhealthy and In Denial, and Young and Indifferent. The research found that among all U.S. broadband households, 26% are Healthy and Engaged, 25% are Challenged but Mindful, 28% are Unhealthy and In Denial, and 21% are Young and Indifferent.

The new research, Digital Health Consumers: A Lifestyle and Technology Segmentation, analyzes consumer health habits and segments the market according to lifestyles and personal health conditions based on a survey of 2,500 U.S. broadband heads-of-household in 4Q 2013. It then identifies which segments are most and least receptive to digital health products and services and provides a demographic and technographic profile of each segment.

Parks Associates’ digital health consumer segments include:

Healthy and Engaged – Health conscious, don’t have chronic health problem (26%)

- Offer the greatest market potential for digital health products and services.

- Regularly exercise and eat fresh fruits and vegetables.

- Have higher incomes, on average.

Challenged but Mindful – Health conscious, have chronic health problem (25%)

- Offer the second-greatest market potential for digital health products and services.

- Regularly exercise and eat fresh fruits and vegetables but have a chronic health condition.

- Older consumer segment; unlikely to have children in the home.

Unhealthy and In Denial – Not health conscious, have chronic health problem (28%)

- Offer the third-greatest market potential for digital health products and services.

- Lower income levels, on average; disproportionately likely to live in the Midwest and South.

- Do not habitually exercise or eat fresh fruits and vegetables; have a chronic health condition.

Young and Indifferent – Not health conscious, don’t have chronic health problem (21%)

- Lowest market potential for digital health products and services.

- Youngest segment; low income levels; least likely to be married.

- Express the most enthusiasm for technology products and services.

- Healthy but do not habitually exercise or eat fresh fruits and vegetables.

The research found that the consumer segment Young and Indifferent reported the highest interest in new technologies; however, they have the lowest concern for their health. Only 28% looked up health information online in the last 12 months. 

The market research firm will discuss this research in detail as the host of the Connected Health Summit: Engaging Consumers on September 4-5 in San Diego and offer implications for consumer engagement strategies for healthcare providers and their health technology partners.

New Research Reveals 4 Segments of Digital Health Consumers by Fred Pennic

Link: http://hitconsultant.net


Mobile Security

by System Administrator - Friday, 12 September 2014, 2:59 PM
 

What are the best security tools for mobile collaboration?

Mario de Boer

We are talking about collaborating in teams with which you may not have had a pre-existing relationship. Are you going to force your MDM onto all those devices? Well, that's not going to work, is it? Managing all those devices is not going to work in that situation.

If I am malware, and I am running on this device, can I access the data that lives in the context of another application? In general, these devices are quite secure. The only way to do it is by rooting, jailbreaking or otherwise obtaining privileged access to the device. Well, guess what? If I am that smart, then I can write malware that breaks the privileged levels of that device and I can probably disable the anti-malware too, right? So anti-malware is really not going to help you protect your data.

Fortunately, many modern mobile devices have very good data protection and access control on the device itself.

We [also] have container solutions, we have mobile application management and we have more and more enterprise solutions, such as corporate file-sharing solutions, that do a very good job of protecting the data stored on these mobile devices.

But ideally, the user or company should be able to protect the data itself, not just the applications, through rights management control (which dictates who can and cannot view or modify the information you share) and do the data protection locally, right on the mobile device itself.

What I would really like is to protect the data itself and not worry about the applications. Using rights management, for example. If we can't use that, then we have to depend on, for example, corporate file sync and share running on the device to do access control and local data protection on the device itself. Believe me, these solutions are getting better and better at doing that. And forget about managing the whole device, because it is not going to work in mobile collaboration.

Move the mobile collaboration environment to the cloud

First of all, we use cloud services not only to avoid opening up your internal network, but also because many cloud solutions are really well equipped to support mobile devices, to support multiple user groups from different organizations and to be available very reliably. The risk, of course, is that you lose control. You have to give up part of your own control and exchange it for trust.

[But] the best conclusion is to avoid using internal networks altogether. Go to the cloud with your collaboration environment.

Cloud solutions remedy the risk of giving remote access... the only thing you have to be careful of in this case is that you trade the risks of giving more access to general applications for having trust.

Secure applications by offering users alternatives

Make sure you have enterprise alternatives for collaboration applications whose ease of use really matches the solutions people get for free. Sounds hard to do, right? How can I match the usability of Dropbox? Well, you can, because you are an enterprise. You can offer your users a solution that not only syncs and shares files, but syncs and shares files and also gives access to important internal folders, and gives access to your SharePoint environment, and integrates with your presence information. You can make a much better solution than the free solutions. So that is an opportunity.

You can also, again… use rights management control to control the data itself. Now I control access to that data regardless of the application I use. Whether it is corporate file sync and share or simply cloud storage or email, I don't care... And I can change the policy any time I want.

From Mario de Boer's presentation on "Five Biggest Security Problems in Mobile Collaboration" at the Gartner Catalyst Conference in San Diego. De Boer is a Gartner analyst on the Security and Risk Management Strategies team for Technical Professionals. His main areas of interest are endpoint and mobile device security, web browser security, and the security of social networks, email and collaboration. He has more than 15 years of industry experience in security, risk and compliance, working for enterprises, government organizations and consulting firms.

Link: http://searchdatacenter.techtarget.com


Sending Medicaid to the Cloud - Are Medicaid IT Systems Ready to Join the 21st Century?

by System Administrator - Sunday, 17 January 2016, 9:54 PM
 

Are Medicaid IT Systems Ready to Join the 21st Century?

by David Raths

Wyoming embraces an MMIS-as-a-service approach

This week my Healthcare Informatics colleague Heather Landi wrote a story about how the Centers for Medicare & Medicaid Services (CMS) has launched a new online resource to help states modernize outdated Medicaid IT systems. The new online resource is designed to serve as a one-stop-shop for private-sector companies to identify opportunities to participate in Medicaid IT investments. 

This announcement from CMS coincided with the publication of a story I wrote for Government Technology magazine about the Wyoming state government’s efforts to become the first state to move away from an expensive custom-developed Medicaid Management Information System (MMIS) to an MMIS-as-a-service approach. The project is called WINGS (for Wyoming Integrated Next Generation System).

In April 2015 I wrote an earlier story for Government Technology detailing the difficulties states face with the ever-changing federal and state requirements for what MMIS platforms must do. Because there are just 50 such systems in the country, only a handful of software vendors respond to procurements for new systems. Cost overruns, critical audits, lawsuits and finger pointing between states and IT vendors are commonplace. But the embrace of a service-oriented architecture (SOA) by CMS has set the stage for states to finally start breaking up big procurements into smaller chunks, which should also allow new vendors to enter the market.

Wyoming officials explained to me their thought process behind trying something new. “When you look at the overall costs of traditional MMIS to the federal government and the states, it is a little on the insane side,” said Teri Green, senior administrator and state Medicaid agent in the Wyoming Department of Health’s Division of Healthcare Financing. “It is time to take a hard look at what we want and need.”

Replacing a traditional MMIS, which is like trying to do enterprise resource planning system replacements in other industries, has a lot of risk and costs associated with it, said Jesse Springer, an IT project manager for the Wyoming Medicaid organization. “Generally that model hasn’t worked well in the last decade. We don’t have the risk tolerance to do that kind of project.”

Jim Plane, a partner with consulting firm Public Knowledge, which has helped Wyoming with the planning phase of its project, said Wyoming realized that in order to meet state and federal requirements on the horizon, it needs to get services up and running more quickly than the five to seven years an MMIS replacement typically takes.

Wyoming also explored modernizing the user interfaces and portals of its current system but continuing to use the core claims engine, which is a COBOL-based legacy system. “That would be the lowest cost but wouldn’t be a long-term solution,” Springer told me. “It would be putting a Band-Aid on it for another decade or so.”

Finally, the state considered both a pure software-as-a-service (SaaS) model and a hybrid model where some MMIS components would be hosted and others would be state-owned and -operated. In the end, the hybrid approach won out. "Just because of the state of the industry, we think we are going to have to do some type of hybrid model, but we are going to try to take SaaS as far as we can go with it," said Springer.

Where this story and the one Healthcare Informatics just published come together is in the goal of broadening the number of vendors competing in the MMIS space. Plane noted that many of the largest healthcare claims processors in the country are not present in the Medicaid space. "For a long time, federal regulations around MMIS procurement led to the market shrinking rather than expanding," he said, "but I think CMS is showing great leadership in trying to maintain the existing marketplace of MMIS vendors while encouraging states to innovate and bring in new vendors, and we are starting to see that."

It will be interesting to follow Wyoming's experience over the next few years to see if it is successful and if its approach spreads to other states.

Link: http://www.healthcare-informatics.com

Sending Medicaid to the Cloud

Led by Wyoming, states are ready to pioneer MMIS as a service.

BY DAVID RATHS

The Wyoming state government already has considerable experience with cloud-based services. It uses Google Apps for Government, NEOGOV for human resources and is looking at Salesforce.com for customer relationship management. But as its Department of Health prepares to issue an RFP to replace its Medicaid Management Information System (MMIS), all eyes in the Medicaid IT sector are on Wyoming because it will be the first time a state has tried to move away from an expensive custom-developed system to an MMIS-as-a-service approach.

The project is called WINGS (for Wyoming Integrated Next Generation System). “When you look at the overall costs of traditional MMIS to the federal government and the states, it is a little on the insane side,” said Teri Green, senior administrator and state Medicaid agent in the Wyoming Department of Health’s Division of Healthcare Financing. “It is time to take a hard look at what we want and need.”

An April 2015 Government Technology story detailed the difficulties states face with the ever-changing federal and state requirements for what MMIS platforms must do. Because there are just 50 such systems in the country, only a handful of software vendors respond to procurements for new systems. Cost overruns, critical audits, lawsuits and finger pointing between states and IT vendors are commonplace.

But the embrace of a service-oriented architecture (SOA) by the federal Centers for Medicare and Medicaid Services (CMS), which funds most MMIS development work, has set the stage for states to finally start breaking up big procurements into smaller chunks, which should also allow new vendors to enter the market.

Although large geographically, Wyoming’s relatively small Medicaid organization is an advantage as it tries to innovate. “We are small enough that we are more intimately involved with projects, contracts and systems at almost every level of our organization,” Green said. “We have an awareness of what it means to procure a system. The larger an organization is, the further away the levels of management are from those details. For us, we are aware of the pros and cons of the current system and models available to us going forward.”

Replacing a traditional MMIS, which is like trying to do enterprise resource planning system replacements in other industries, has a lot of risk and costs associated with it, said Jesse Springer, an IT project manager for the Wyoming Medicaid organization. “Generally that model hasn’t worked well in the last decade. We don’t have the risk tolerance to do that kind of project.”

Wyoming considered sharing an MMIS with another state, like the partnership developed between Michigan and Illinois Medicaid agencies, but ultimately decided against it. “Those models are interesting, but the state loses a lot of flexibility, and it depends on who you are partnering with,” Springer noted.

Wyoming also explored modernizing the user interfaces and portals of its current system but continuing to use the core claims engine, which is a COBOL-based legacy system. “That would be the lowest cost but wouldn’t be a long-term solution,” he said. “It would be putting a Band-Aid on it for another decade or so.”

Finally, the state considered both a pure software-as-a-service (SaaS) model and a hybrid model where some MMIS components would be hosted and others would be state owned and operated. In the end, the hybrid approach won out. “Just because of the state of the industry, we think we are going to have to do some type of hybrid model, but we are going to try to take SaaS as far as we can go with it,” said Springer.

One goal for Wyoming and other innovative state Medicaid organizations is to broaden the number of vendors competing in the MMIS space. Jim Plane, a partner with consulting firm Public Knowledge, which has helped Wyoming with the planning phase of its project, noted that many of the largest health-care claims processors in the country are not present in the Medicaid space. “For a long time, federal regulations around MMIS procurement led to the market shrinking rather than expanding,” he said, “but I think CMS is showing great leadership in trying to maintain the existing marketplace of MMIS vendors while encouraging states to innovate and bring in new vendors, and we are starting to see that.”

Plane said Wyoming realized that in order to meet state and federal requirements on the horizon, it needs to get services up and running more quickly than the five to seven years an MMIS replacement typically takes.

MODULAR IN ARKANSAS

If Wyoming is the first state to take a serious look at MMIS-as-a-service, Arkansas is credited as one of the first to launch the modular approach that CMS is pushing the states toward. The approach is designed to break MMIS projects into multiple smaller, less risky deployments. But it comes with its own set of new questions.

For instance, CMS has not defined what “modular” actually means, so each state has its own interpretation and must decide how many pieces to break its MMIS project into, said Victor Sterling, IT director of Arkansas Medicaid. “Some states broke it up into 10 different pieces; we considered 23 different pieces at one point in our history,” he added, “but the industry at the time just wasn’t ready for that many pieces. The technology pieces need to talk to each other, so the more pieces you have, the more complexity.”

Arkansas settled on a three-part system, and three different vendors: the data warehouse and analytics (Optum Government Solutions), pharmacy benefit management (Magellan Health) and core MMIS (HP).

The RFP required that the vendors demonstrate they had application programming interfaces and SOA methodologies to connect their system to those of other vendors. “Previously, for MMIS, that was foreign to these companies like HP and Accenture,” Sterling said. “They never had to do anything like that before, so it took some time for CMS to push out that message about modularity and for the vendors to react. But we were recently at a CMS conference and every vendor now has a way to connect to other vendors’ systems.”

One of the benefits of breaking up the project is that it allowed for a staggered implementation. State resources need to be involved as well as vendor resources, so you don’t want to do them all at once, Sterling said. Arkansas implemented the data warehouse in February 2015 and the pharmacy system in March, both on time and on budget, Sterling said. The core MMIS is scheduled to go live in May 2017.

With the modular system in place, Arkansas can replace pieces as required going forward. “The concept is, I don’t need to buy a new car if I just need new tires,” Fleming said. “We have a three-part system now. I imagine that in seven years, when we are required by state law to re-procure, we would break up those three systems into even more pieces and become even more modular at that point.”

Fleming said Arkansas would pay attention to Wyoming’s experience with MMIS as a service. “When we released our RFP in 2012, the cloud-based concept was new on CMS’ radar,” he noted. “We were working under the requirement at the time that the state had to own the system. I believe CMS is pushing toward that cloud-based service level where you just pay for what you use. It is more cost-efficient. It is like leasing a car instead of buying. I imagine when we re-procure we will definitely be looking at cloud-based solutions.” 

A NEW APPROACH IN SOUTH CAROLINA

Jim Coursey has only been the deputy director for the Office of Information Management and CIO for the South Carolina Department of Health and Human Services since July, yet he has a clear idea of the approach he wants to take. Two years ago the department created an RFP that envisions the components of an MMIS would be dispersed among multiple systems and that “the very notion of a single system to ingest claims and encounters and pay claims will not exist.”

“I think we are going to continue with that strategy,” Coursey said. “Doing MMIS as a service is an appropriate way for an agency like ours to proceed. We need to be able to put product out on the street faster than you would do with a big-bang approach.”

The hope is that this will allow not only major integrators but also mid-tier companies with strong offerings to be able to compete because they are just biting off one chunk instead of having to handle an entire enterprise, he said.

Coursey said that although the state’s existing MMIS is stable, South Carolina is interested in meeting CMS’ expectations. “CMS is highly committed to purchasing MMIS as a service and the concept of modularity for information systems,” he added. “A lot of our funding is contingent on their approval of our broad plan.”

The state is currently focusing on provider management, with plans to complete that module by mid-2016, followed by the other modules by the end of 2018 or beginning of 2019.

Coursey isn’t concerned that vendors won’t be ready to play in the new modular space. Some of the current trend was driven by vendor recommendations over the last decade, he said. “The big system integrators embraced the SOA idea and the opportunity to break up monolithic systems into smaller solutions as a better way to be able to compete,” Coursey said, adding that vendors have helped states understand that they didn’t have to do IT maturity model planning in terms of decades. “States can start to think in a more granular fashion and look at opportunities to roll in technologies. The vendor community may have been in the lead, and states such as ours have come around to take advantage of that.” 

MAKING CLAIMS PROCESSING A COMMODITY

Public Knowledge’s Plane said the unifying vision of Wyoming and other states trying to innovate is to turn claims processing into a commodity. “The problem with Medicaid claims processing, especially in fee-for-service states, is that it is not a commodity; it is a highly customized task and they are paying dearly for it. In the commercial space, claims processing is close to a commodity right now, and states have to streamline policies and procedures to force this to become a commodity.”

Meanwhile, Wyoming is working through the requirements for three RFPs. One is for a systems integrator to develop enterprise shared services, such as an enterprise service bus. The next would be data warehouse/business intelligence, to work on elements such as fraud, waste and abuse. Third is the benefits management/claims processing.

The state is waiting on a clarification from CMS that the 90/10 rule applies to services and commercial-off-the-shelf (COTS) software. “The proposed rule supports a 90 percent federal [funding] match for COTS and potentially for services, so we asked them to clarify that,” Springer explained. “That will open the doors to a lot of other models, because from the state perspective we think we could save everybody involved, including the federal government, a lot of money if we were allowed to pursue COTS and SaaS.”

Link: http://www.govtech.com


Seven Principles that Can Help Stressed Out Physicians

by System Administrator - Saturday, 9 August 2014, 2:06 AM
 


By Carol Stryker

Physicians are busy. They often have little time for friends and family, have no time for the community, and seldom feel as though they have covered all their bases. Their lives have way too much in common with a hamster in a wheel. 

Still, there are some things physicians can do to experience improved work-life balance. Here are seven principles to keep in mind next time you feel like your sense of balance is spiraling out of control:

1. Acknowledge and accept the fact that time is limited and there is no way to create more. This fact is both mind-numbingly obvious and generally ignored. Time can be made more productive but it cannot be increased, and there are upper limits on productivity.

2. Accept the fact that there will never be enough time.  The only people who never run out of time are lethargic and unimaginative, the antithesis of most physicians. Some tasks and interests have to be abandoned forever, while others will simply need to wait their turn.

3. Be intentional about the use of time, and be aware that it involves choices as well as decisions. Deciding to do something is deciding not to do something else. The decision is a choice, a corollary to the principle that two things cannot concurrently occupy the same space. The challenge is to distinguish between the urgent and the important, as well as the important and the less important. Without intention, priorities tend to be clear only in retrospect when different action is impossible.

4. Abandon guilt about what is not getting done. If you are making good use of your time and investing it in what is most important to you, there is no reason to feel guilty. You may wish you could do it all, but you must realize you bear no responsibility for an immutable law of nature.

5. Seek alternate resources. Nowhere is it written that you must do everything. If something essential is not getting done, find a way to delegate it.

6. Refuse to be bullied. This is particularly difficult because many physicians have so routinely been bullied during their training. When someone demands more research, more revenue, more whatever than is reasonably possible, push back and negotiate the demands. (I am not oblivious to the fact that this may involve finding another job or practice. You need to weigh the pros and cons.)

7. Do not engage in self-bullying. This kind of bullying may be the most common. Physicians have a tendency to be driven, and to be offended at the notion that they must make trade-offs. Unchecked, it leads to serious over-commitment, stress and, eventually, burnout.

Now that you have read the above, the key is applying these principles to your daily life. To help, I've provided an example below. Take a look; while it may not apply directly to you, it will get you thinking about some ways you may be able to improve your own work-life balance.

To help other physicians identify similar opportunities, I encourage you to share your thoughts in the comments section below.

Example: Dr. Jones is a mid-30s cardiologist with a wife and three small children. He loves soccer and biking. The family is anxious to retire its debt, build its dream home, and live the life they have been planning since the beginning of medical school. At present, Dr. Jones is feeling very stressed.

In order to generate the revenue that will generate the income he needs and feels he deserves, he needs to see about 40 patients a day. The senior partners in the practice refuse to hire a nonphysician provider for him until his numbers are up, and they give him the least experienced medical assistants. There is no way Dr. Jones can keep his schedule on track and do the business development he needs to do to increase his volumes.

His wife is very frustrated, and she lets him know it. She was moderately OK with being broke in school and even training, but she is ready for the struggle to be over. She is also tired of being a single parent and worried that the children do not have enough time with their father. Both money and time with the children are a concern for Dr. Jones, too. He also laments his lack of exercise.

He is constantly pedaling as fast as he can but no one is happy. Things do not seem to be getting better.

Based upon the seven principles above, what can he do?

Link: http://www.physicianspractice.com


Seven Revenue-Driving Best Practices

by System Administrator - Thursday, 15 January 2015, 7:36 PM
 

Get healthier results for your practice


Every step of the way, from front-end operations through your back-end processes, this eBook will show you RCM best practices you can start today.

Please read the attached whitepaper.

 


Seven Ways to Beat Telemedicine at Its Own Game

by System Administrator - Thursday, 17 September 2015, 7:20 PM
 


By Lucien W. Roberts

Have you ever wondered if payers are helping primary care by offering complementary access to care through 24/7 telemedicine physicians, payer-owned and operated health centers, or drug store clinics? Or are these efforts undermining the primary-care physician/patient relationship that is the supposed key to patient engagement (and thus bending the healthcare cost curve)? And more importantly, does the answer matter?

Several months ago, I got an e-mail from my health insurance company. The e-mail suggested I use their telemedicine service and espoused the following benefits:

  • Costs the same or less than a primary-care visit;
  • No sitting in germ-filled waiting rooms (ouch); and
  • A doctor who will give my health the time and attention it deserves (double ouch).

I presumed payers offered after-hours hotlines to prevent ER visits. This e-mail removed the veil from my naïveté. While primary care and payers share the goal of keeping patients out of emergency rooms, it is the payers who benefit most. Keep in mind, this debate is not about quality of care and it certainly isn't about continuity of care. It's about money.

Here's what I suggest primary-care physicians do to address this competition:

1. Accept that these alternatives are not going away.

Especially since current primary-care shortages are being forecasted in many areas. Complain and protest as we might, it's a Don Quixotic fight that distracts from the core strategy of out-servicing our new competition.

2. Understand that convenience trumps great care.

We live in a convenience-driven society where consumers (aka patients) prioritize accessibility over quality; sorry to burst your bubble. Think about take-out Chinese food. If you can pick up decent food on the way home rather than driving an extra 10 minutes for great food, which one do you pick? To retain and attract patients, think like a consumer.

3. Take a hard and candid look in the mirror.

Are you patient-friendly in your hours, location, and care? How can you be better? If you deliver great service and great access, your patients have little reason to seek out other options. Don't give them an excuse to look elsewhere.

4. Get proactive.

A payer is paying another doctor (possibly in another state and time zone) to care for your patients via telemedicine (while you are taking evening/weekend call and getting paid nothing). Why not approach the payer and ask to provide your own telemedicine coverage at the same price? This is one time the continuity-of-care argument actually may be compelling. 

5. If you can't beat 'em — work with them.

If you choose not to offer extended or weekend hours, forge a relationship with your favorite urgent-care center and make sure your patients know about it. Make sure the urgent-care center sends you notes on your patients; that's your ROI for this relationship, along with increasing odds that your patients won't wander to another provider.

6. If you can't work with 'em — beat them.

Drug store clinics are about convenience, period, and perhaps easier access to antibiotics. Have you thought about setting up your own vital-signs or minor-care kiosk at the grocery store or mall? Could you link it to your patient portal and capture patient data trends? A kiosk could be a wonderful patient attraction/retention tool.

7. Read "Zombie Loyalists."

Finally, I urge each of you to read or listen to Peter Shankman's new book "Zombie Loyalists." His message — that vocally loyal patients are the most effective marketing tool — is one most of us get, but few of us embrace. It's a great read and he offers solid advice for creating your own loyal patient base in both the old-fashioned (word of mouth) and new-fashioned (social media) worlds.  

Payers think like most companies: A dollar saved is another dollar to the bottom line. Find ways to strengthen your position as an alternative to remote or retail care options, and your patients will remain your patients. No one says it will be easy, but that's your best chance at facing and defeating the competition; whether it's a traditional competitor, a drug store, or even a payer.

Lucien W. Roberts, III, MHA, FACMPE, is administrator of Gastrointestinal Specialists, Inc., a 22-provider practice in Central Virginia. For the past twenty years, he has worked in and consulted with physician practices in areas such as compliance, physician compensation, negotiations, strategic planning, and billing/collections. He may be reached at muletick@gmail.com.

Link: http://www.physicianspractice.com


Seven Ways to Transform Unproductive Meetings

by System Administrator - Thursday, 25 June 2015, 10:44 PM
 


By Sue Jacques

When medical practice meeting attendees don't know why they're there or what is expected of them, they can quickly become frustrated and inattentive. And if leadership hasn't planned in advance or established clear protocols, well-intentioned gatherings can go south in no time. Here is a seven-step strategy for revolutionizing the efficiency of your meetings.

1. Start with a clear purpose.

Effective meetings begin with well-defined goals. Declare the purpose of the meeting in the invitation so people understand in advance what topics will be discussed. Not only will this keep the meeting on track, it will enable participants to come prepared with questions and reports, which will ultimately save time. If you're ever unsure about why you've been invited to attend a meeting, contact the planner for clarification.

2. Include the right people.

It's common for meeting organizers to routinely ask the same people to attend a variety of meetings. From now on, be mindful of who you are including in your invitations. Ask yourself if and why each invitee needs to be there, and then cull the list so it includes only necessary participants. You may also consider having some people attend just the portion of a meeting that requires their attention or input. Not every person needs to be present for every minute of every meeting. As an attendee, check with the chairperson to see if it's acceptable for you to come or go according to the agenda.

3. Select the best place.

The location and layout of a room are vital to the success of a meeting. If people are uncomfortable — whether because they're feeling cold, crammed, or conspicuous — your meeting will lose its effectiveness. Choose a right-sized venue that has the necessary privacy, equipment, setup, and accessibility for the group. When planning an off-site meeting, inform participants about transportation and parking options (you'll stand a better chance of people showing up on time if they have this information at their fingertips). Once the group is gathered, remember to address standard housekeeping details, such as mentioning the location of restrooms and emergency exits.

4. Develop a viable program.

A realistic agenda — which should be distributed in advance — is at the heart of every productive meeting. Scheduling too many items in an inadequate amount of time shows a lack of respect, not only for participants, but for the matters to be discussed, as well. For efficiency, try to stick with an agenda containing no more than three topics. Once you exceed that number of items you run the risk of losing the attention of the group, especially if one of the issues is controversial. If you expect a lengthy discussion or heated debate about a subject, it may be best to schedule a separate meeting to focus only on that.

5. Prepare in advance.

Whether you're chairing a meeting or attending one, you have a responsibility to be well prepared and ready to participate. This takes time and planning. An organized chairperson will inform other key players of any expectations that are required of them. No matter what your role at the meeting is, always read the agenda and educate yourself on the topics of discussion before you walk through the door. If you are asked to present a report, do your research and have written notes to refer to so you don't forget vital information.

6. Make punctuality a priority.

It is imperative to honor people's schedules by starting meetings promptly. Far too much time is wasted on waiting for people who are late. Collectively, that wasted time costs a lot of money. But starting on time is easier said than done, especially in the unpredictable profession of medicine. If the beginning of a meeting is delayed for some reason, it still needs to end on time. To accomplish that you will either need to adjust the agenda or minimize the discussion. If you're the person who's late, quietly walk in, sit down, and listen up to avoid disrupting the meeting any further.

7. Perform a postmortem.

Every meeting needs to end with a detailed recap. Allow ample time at the conclusion of the agenda to summarize key points, review expectations, assign tasks, schedule future get-togethers, and answer any questions. Then follow up by promptly distributing meeting minutes to participants.

Meetings present wonderful opportunities for groups to clear the air, advance patient care, and become more aware. That's why it's important to always prepare.

  • Sue Jacques is The Civility CEO®, a veteran forensic medical investigator turned corporate civility consultant, professional speaker, and author.
  • Jacques helps individuals, businesses, and medical practices create courteous cultures and prosper through professionalism.

More: http://www.physicianspractice.com