Mari Savickis CHIME This Week in Health IT Newsday
February 8, 2021


February 8, 2021: Mari Savickis, Vice President, Public Policy at CHIME joins Bill for the news today to discuss the HIPAA security rule, information blocking, vaccination, cybersecurity and more. What is the talk on the Hill about vaccination? How are we doing so far with logistics? Will we hit Biden’s promise of 100 million vaccinations in the first 100 days? The single biggest use case ever for patient identification is a pandemic. Why are some health systems able to set up efficient processes with their EMR while others struggle? Cybersecurity. It’s a journey. Not a destination. There’s lots of problems along the road. And the health sector has been behind the eight ball. There’s never going to be a time where you’re completely inoculated from a cyber threat but the industry has been working damn hard these past few years trying to catch up.

Key Points:

  • The H.R. 7898 bill recognizes cybersecurity practices established under the National Institute of Standards and Technology Act [00:17:40] 
  • Cybersecurity is one of those things that is so challenging. You need a lot of funds to stay up to date and ahead of it. [00:18:28] 
  • If you could picture cybersecurity like a door, are four double bolts enough or is it five? [00:24:18] 
  • Tiberius is the Department of Health and Human Services’ vaccine allocation planning system. VTrckS is the Centers for Disease Control and Prevention’s vaccine ordering portal. [00:29:40] 
  • Information Blocking Resource Center
  • Patient ID Now
  • Trends in EMR Interoperability – CHIME / Klas Research

Stories:

Newsday – Information Blocking, Cybersecurity and Vaccination Logistics


Newsday – Information Blocking, Cybersecurity and Vaccination Logistics

Episode 362: Transcript – February 8, 2021

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

[00:00:00] Bill Russell: [00:00:00] Welcome to This Week in Health IT. It’s Newsday. My name is Bill Russell, former healthcare CIO for a 16 hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. Special thanks to Sirius Healthcare, Health Lyrics, and Worldwide Technology, who are Newsday show sponsors, for investing in our mission to develop the next generation of health IT leaders. We set a goal for our show. [00:00:30] And one of those goals for this year is to grow our YouTube followers. We have about 600 plus followers today on our YouTube channel. Why, you might ask? Because not only do we produce this show in video format, but we also produce four short video clips from each show that we do.

[00:00:46] If you subscribe, you’ll be notified when they go live. We produce those clips just for you, the busy health IT professionals. So go ahead and check that out. We also launched Today in Health IT, a weekday daily show that [00:01:00] is on todayinhealthit.com. We look at one story each day and try to keep it about 10 minutes or less. So it’s really digestible. This is a great way for you to stay current, great way for your team to stay current. In fact, if I were a CIO today, I would have all my staff listening to Today in Health IT so we could discuss it. You know, I agree with the content, disagree with the content. It is still a great way to get the conversation started.

[00:01:24] So check that out as well. Now onto today’s show. Today, we are joined by Mari [00:01:30] Savickis, VP of Public Policy with CHIME. Good afternoon Mari and welcome to the show.

[00:01:35] Mari Savickis: [00:01:35] Well, thank you Bill. Thanks for having me. 

[00:01:37] Bill Russell: [00:01:37] Yeah. Well looking forward to it. You’re working out of your house, pretty excited about working out of your house?

[00:01:45] Mari Savickis: [00:01:45] Yes, broadcasting live from like the amazing headquarters of Fredericksburg, Virginia, so exciting. I know that you and I discussed having a beach background Bill because in my fantasy world where I like to live I’m at the beach, but instead I’m here in like the cold Tundra of Virginia. 

[00:02:00] [00:02:00] Bill Russell: [00:02:00] Yeah. Is anyone getting up to the Hill these days?

[00:02:03] I mean, we had the event that was there. The national guards are still there. I mean, does the team actually go up there much these days or is it pretty, is it still pretty locked down? 

[00:02:16] Mari Savickis: [00:02:16] Oh, it’s locked down. We’re not going up to the Hill. You don’t get, I mean, there was a little bit more flexibility before the insurrection, but no, we’re not going to the Hill.

[00:02:26] Bill Russell: [00:02:26] Yeah. 

[00:02:27] Mari Savickis: [00:02:27] It’s very tightly controlled. 

[00:02:28] Bill Russell: [00:02:28] So you [00:02:30] just like everybody else has to figure out how to do your job remotely and interact with the key players, gather the information and get a representative on the Hill. You know, actually before we jump into, I’d love to hear just sort of a picture of what the transition looks like. So my picture is that almost everything comes to a stop around the election. Everyone’s sort of waiting. And then the elections you know, decided and then things start at a frenetic pace. I mean, you have [00:03:00] most presidents are judged based on their first a hundred days. That’s just sort of the, the way it is, you know, what have you accomplished? What direction have you set? So I’d imagine things just set out in a pretty hectic pace. Is that generally what happens when a new administration comes in?

[00:03:16] Mari Savickis: [00:03:16] It is though. I mean, the handoff this time, I think everyone knows was much more complicated. So the transition starts like very early on.

[00:03:24] And, you know, as in like, it should have happened last year into the beginning of this year. But I [00:03:30] think this is well-documented now that the transition was very bumpy and it has set things behind for a while. The transition officials weren’t allowed access to the previous administration. So things are a little bit behind, but I think they’re playing catch up.

[00:03:45] And you know, every President looks to make their mark during their first hundred days in office. And we’ve seen like a blizzard of executive orders trying to walk back some of the last administration’s policies. And one of the things that happens [00:04:00] is and this happens no matter, you know, it happens pretty commonly when there’s a handoff from one administration to the next, particularly when it’s going from, you know, one party to another party, is that they’re going to hit pause.

[00:04:11] They’re going to pause. And they’re going to take a look at what’s actually in the pipeline and what was recently released. And they’re going to maybe pull things back. So we’re waiting on, you know, a number of things to just see how that shakes out. Like for example, the HIPAA rule was released. I forget what day was like, maybe like the day before the inauguration and [00:04:30] maybe it was a day off and it that’s, we have no certainty as to whether or not, you know, is this going to get pulled back? We can’t get an answer from the Office for Civil Rights and it’s probably because they don’t have all their transition officials in yet.

[00:04:42] And I’m like, the new administration is not yet in place. So yeah, it’s a little bit hectic right now, but I think they’re picking up steam. And they’re busy. 

[00:04:54] Bill Russell: [00:04:54] You know, I’ve talked to people in several administrations, actually. I know it’s hard to [00:05:00] believe that I actually know people in administrations but they will say to you that what they want to do is get to this sort of normalcy and sort of portray that everything’s under control.

[00:05:11] But in that first hundred days, it’s just every day is like chaos. It starts perfect at like seven o’clock everything’s okay. And then by like eight or nine o’clock everything’s out of whack and you’re just scrambling to make sure things don’t spiral out of control. [00:05:30] So I mean, that’s, that’s the nature, but you have you know, you have a president who has been a vice-president and hopefully can surround himself with some people that know how to navigate that.

[00:05:41] It actually, I saw a story where he’s already reaching out to Rahm Emanuel who was Obama’s Chief of Staff. And that’s the kind of thing when you have that kind of experience coming in, maybe they can get through it. Let’s start with, I’d love to talk a little bit about your team and hit a couple of regulatory things.

[00:06:00] [00:05:59] We’re going to hit some stories. And I think there’s some fun stories that will give us the backdrop to talk about some things that are really pertinent to health IT. Let’s start with your team. Who’s on your team at CHIME that’s working the federal affairs and congressional work?

[00:06:17] Mari Savickis: [00:06:17] Sure. And you know, this is an interesting time for the team because we onboarded them all remotely in last March. So they actually started right as the pandemic was picking up. And so [00:06:30] none of them have actually met each other in person. And in fact, I haven’t met our administrative support Lauren, I haven’t even met her she’s in Michigan.

[00:06:39] So we have Cassie Leonard, who is our director of congressional affairs. And she comes by way of Senator Kennedy’s office. So right off the Hill. And then we also have Andrew Tomlinson, who is our director of federal affairs, and he is handling all the work with the agencies and he comes by way of ONC and then a brief stopover at United.

[00:06:59] So [00:07:00] they both bring a really deep bench and they’re pretty darn fabulous and so fortunate to have them. And, you know, we’ve been able to increase our bandwidth with the addition of the three, three individuals. 

[00:07:11] Bill Russell: [00:07:11] Yeah. Is there like a words per minute, they have to be able to read in order to take those jobs.

[00:07:17] Mari Savickis: [00:07:17] Right. I know. Right. You must be able to devour regulations and statute at an alarming rate. No nothing like that. That’s an interesting idea. 

[00:07:27] Bill Russell: [00:07:27] Well, you guys you know, you guys are [00:07:30] keeping CHIME membership abreast of things that are going on. There’s some interesting things right around the corner information blocking April 5th is the first deadline. Anything going on with regard to that? Or what are you guys keeping an eye on there? 

[00:07:43] Mari Savickis: [00:07:43] Yeah, we actually have a ton going on. So you know, we’re really fortunate that we were able to advocate for some delays for our members. That was incredibly important, especially in light of the pandemic. And it’s afforded them some additional time to meet this compliance deadline. And [00:08:00] while some were told, were ready in November because they felt like they had no other choice. We know that some of our members were still struggling and we actually have a survey out right now just to kind of get a better finger on the pulse of just how many will indeed be ready.

[00:08:12] So we’re focusing our efforts on education. And in fact, tomorrow we are launching an information blocking center in conjunction with several other provider stakeholder groups that we work closely with which is really exciting. And we’re going to be able to direct our you know, our members and their members to a single [00:08:30] where, you know what we want to call like one stop location for their education. So we’re pretty excited about that. 

[00:08:36] Bill Russell: [00:08:36] That’s fantastic. I think the other thing that is top of mind, and we’re going to do a story on, on vaccination. You pulled a great story from the MIT Technology Review, so we’ll go a little back and forth on the vaccination. But talk specifically a little bit about what’s going on in the Hill, around the vaccination and maybe focusing on health IT for that topic.

[00:09:00] [00:09:00] Mari Savickis: [00:09:00] Well, there were actually two hearings this week. So the House Oversight Committee and the House Subcommittee on Health, both Energy and Commerce committees. They had some hearings this week and we’re still reviewing them. I don’t know that there’s necessarily an enormous focus on healthcare data, but.

[00:09:19] I can tell you that the stories that are percolating up from the field are that not everything is going swimmingly, which I know that no one will find that shocking, given our antiquated data [00:09:30] reporting infrastructure for public health. It’s something that we continued to push for more investment in and while we did get some money, In the stimulus packages last year, it’s still an investment but we need more funds to help strengthen this. And I used to like, what better time to test out, you know, our pipes than during a pandemic. So that’s, it’s been a challenge and the CDC has a requirement that you have to submit your hospitals have to send their data up or the, I guess the state sits in between it, but it was in 24 [00:10:00] hours. So you have to send that up. And so that is creating challenges when you have to do things at like a really lickety-split pace and you have certain information you have to collect and you do this quickly and you do it on paper records. So you know what happens when we use paper records. So it has been a challenge. 

[00:10:17] Bill Russell: [00:10:17] Why, I’m sorry, why are health systems using paper records? 

[00:10:21] Mari Savickis: [00:10:21] Is this like a needle across the record moment, Bill?

[00:10:26] Bill Russell: [00:10:26] I’m kinda surprised. I mean, we had meaningful use, which started, I [00:10:30] don’t know, like over a decade ago. I would think that almost all the health systems are using some sort of electronic tracking for this. And if not, I mean, they’re just asking for challenges, aren’t they? I mean, they’re going to have to turn paper into electronic to send it back to the federal government. Is there, I mean, am I missing something? Am I being really thick headed right now? 

[00:10:57] Mari Savickis: [00:10:57] Yeah, I mean, I don’t think that the providers really want to [00:11:00] start doing dropping back to paper, but you have the current reality. It’s like, you know, shots in arms and they need to be done as quickly as possible. And you are collecting information that’s required by the state.

[00:11:09] And so what they’re doing is they’re taking the paper of records and information, they collect onsite and then they’re later keying it in which again would be after the 24 hour period. And so they don’t have you know, the ability to work, I guess that quickly looking at every single data point and keying it in.

[00:11:25] And so what’s happening is that in some cases, the data is getting communicated up to the [00:11:30] state. And we have examples where the state is not absorbing that data. And for example, one member told us that the state requires that the patient’s identifier number and that like the electronic record number be included and it wasn’t included.

[00:11:44] So they were basically you know, several thousand records were put to the side. And the only way that the provider found out was by doing, you know, a quick spot check to see if they were actually there and then they weren’t. And so there are these issues that are happening. I don’t think any providers like, Oh yeah, we should totally drop back to paper records. That’s a [00:12:00] great idea. 

[00:12:00] They’re just trying to, you know, do the best they can with the requirements that have been placed on them. And again work expeditiously through the system. The other issue too, that we’ve heard is so if the, if there’s not an accurate tally in the database that the state holds which is sort of, you know, determines how many vaccinations a provider gets, then you may be looking for more vaccinations cause you actually administer them, but the state may not have that [00:12:30] reflected in their database.

[00:12:31] And so that affects your number of vaccinations sent to you. And so then your, I mean we have one member who told us they actually had to close their clinic. 

[00:12:40] Bill Russell: [00:12:40] Right for vaccinations. Yeah. I mean the numbers, the number of vaccines going to places. So the thing I was in, by the way, if people are listening to this going, why is the interviewer going back and forth? Because this is a Newsday show. This is what we do on the Newsday show. We go back and forth. So the, it’s interesting, cause I’ve talked to several health systems today [00:13:00] and you know, just through the course of my normal work that I do. And I ask them about vaccinations and the two phone calls I had today, they were like, hey it’s going great.

[00:13:10] We integrated this. We have QR codes. People are showing up, they’re in and out within 10 minutes, the information is going right into the EMR, it’s generating the reports. We’re sending it up to the state. Now everyone in the world will tell you that the states are notoriously underfunded from the public health side.

[00:13:29] Their [00:13:30] systems are kind of a patchwork kind of thing. And sometimes I can take the data and, so they’re underfunded, understaffed. So they are going to set aside 7,000 records and not let you know. So that kind of stuff happens. Nobody doubts that they also, you know, sometimes you’re struggling to send them information the way they tell you to send it to them.

[00:13:49] And it doesn’t go into their system correctly and falls by the wayside. All that stuff does happen. I’m not denying that but I’m wondering why some health systems with their EMR are able to [00:14:00] set up pretty efficient processes while others are struggling. Is this a, an education thing? Is it a different EMR thing?

[00:14:09] I’m not asking you to answer it because I’m not sure that you have an answer for it. I’m just sort of, I’m just sort of wondering out loud what makes one health system able to do it? And another health system not? Anyway, I will move on because we’re going to come back to vaccine a little later. Anything around cybersecurity?

[00:14:25] I mean, there, there were so many very visible incidents leading up to the election [00:14:30] and that didn’t really slow down after the election. There’s still a lot of things going on in healthcare. What can we expect? What are you keeping an eye on? Or what’s the movement right now around cybersecurity.

[00:14:45] Mari Savickis: [00:14:45] It’s hot. I mean it continues to be our hottest policy priority and year after year. And it hasn’t abated. So the challenges are, I think they’re well chronicled and well-documented but we have a lot of problems. I’d say [00:15:00] that, you know, while the health sector, which is one of many sectors across the country, we’ve got like energy and banking and retail. Healthcare is one of them and we’ve been behind the eight ball, but I think we’ve been working hard the past few years to catch up. That being said, we still have challenges. You know, we, they, you know, even the best resourced members that we have still have issues. And so we have a constant barrage of cyber attacks and they increased exponentially in [00:15:30] when the pandemic started because people are opportunistic.

[00:15:33] And, you know, there were two major issues that happened last year. There was a credible and active threat that pretty much brought the industry to a standstill the last day of October. And so that had everyone at an extremely high alert and several hospitals did actually get attacked. There’s ones that were in the news, like there was a hospital in Vermont that was brought down for several days.

[00:15:55] And then there was, you know, then there was also the SolarWinds issue. And so it hasn’t [00:16:00] really abated Bill. I mean, there’s a lot of attention that’s being brought to bear on cyber. And I think that most there’s a bipartisan consensus that this is an issue that warrants you know, more additional attention and we’re going to keep fighting for additional funds for our members.

[00:16:16] Bill Russell: [00:16:16] Yeah. And we’re gonna, we’re gonna start with a HIPAA story. My thing on cybersecurity, I heard somebody say this once that he goes, that he, and it resonated with me. He was like, you know, these nation [00:16:30] states and these crime syndicates are essentially attacking our corporations in the United States.

[00:16:37] And he said, it’s the equivalent of, they’ve all set up aircraft carriers off the coast, and they’re just flying in and doing runs and they’re, you know, they’re shutting down places, they’re stealing money and that kind of stuff. And his premise was, if that were actually happening, if aircraft carriers were off our coast, we would mobilize and do something about it.

[00:16:58] But in cyber, for some reason, we [00:17:00] haven’t up until now really mobilized enough to protect. And we were sort of saying, Hey, every health system has to come up with their own plans to protect themselves. And every corporation has to come up with their own plans to protect themselves. So I’m really hopeful in this space that we see movement.

[00:17:16] And I’m glad to hear that it’s bipartisan that. That we really need to do something to protect organizations like our hospitals who functioned in the US. All right. You ready? Sure. 

[00:17:29] Mari Savickis: [00:17:29] Can we move [00:17:30] on Bill. I would like to share I’m going to try to insert some good news into, you know, into our conversation, cause it’s not always, you know, bad news. At the very I guess it was the end of last year, beginning of this year probably one of the last bills that President Trump signed was H.R. 7898. And this may have been maybe overlooked by some folks. So we try to get the word out. This is a really good bill and we’re very happy that it was signed into legislation. It’s going to give our members, the provider community credit for using [00:18:00] cybersecurity best practices.

[00:18:01] So when, you know, OCR, the Office for Civil Rights, starts considering maybe like the length of an audit, they’re going to have to take into consideration whether or not a hospital system or provider was actually using some best practices for the last 12 months. So this is really a nice step in the right direction.

[00:18:17] And more of a carrot than a stick. And we’ve been trying to find ways to provide more incentives rather than penalties to incite the right behavior. So we’re really pleased about this.

[00:18:28] Bill Russell: [00:18:28] That’s fantastic. [00:18:30] It’s, cybersecurity is one of those things that is so challenging and you need a fair amount of funds to stay up to date and stay ahead of it.

[00:18:41] And actually that takes us to our first story. Our first story is the Fifth Circuit Court of Appeals vacates the MD Anderson HIPAA penalty. And this sort of speaks to some of that. Right. So essentially what happened here is the circuit court vacated the penalty. They [00:19:00] vacated it for a couple of reasons.

[00:19:02] One is they said that the health system had mechanisms in place to encrypt the PHI on mobile devices. But it was the employees who failed to use the encryption control before the laptop and USB devices were taken. Therefore the health system had done their duty and had done the things they were supposed to do.

[00:19:28] So they vacated it for that [00:19:30] reason. And they also said that the penalties were, I think the word was like capricious and these were words they used, arbitrary and capricious, in that the OCR was not enforcing their penalties evenly across all health systems. So they vacated that penalty. And I think it was $4.5 million to MD Anderson. So that’s been vacated. You pulled this story out. What are your thoughts on this story?

[00:20:00] [00:20:00] Mari Savickis: [00:20:00] Yeah, this is another morsel of goodness that I feel like got lost in the shuffle of the madness of January. And we only saw one or two articles on it and we’re like, wow, this is a really big deal.

[00:20:12] So it actually is in some ways, you know just so much of the, that bill we just discussed is that they mean there, we’re going to have to put the bill in place. Right. It’s going to have to be operationalized will have to be a rulemaking people weigh in. What’s considered every little nuance of a best practice.

[00:20:30] [00:20:30] But this is great. It says that, you know, you have tried really hard. That the provider tried very hard. And there’s never, you know, there’s never going to be a time where you’re going to come be completely inoculated from a cyber threat, that just is not going to happen. You can. So I think that this ruling is very instrumental.

[00:20:48] The data in question goes back to 2013 and 2014. And I’m glad that the prime provider fought because some of the things we’ve heard from our members is that the audits [00:21:00] performed by OCR. They’re done by different auditors in different regions there, they don’t always look at the same things and they sometimes can be very fairly variable, but I mean, I think we’ll have to wait and see how exactly we’re able to operationalize this bill and give this, you know, these providers the best, give them credit for the best practices.

[00:21:21] So I think this case will play into that. And I think it’s really, really a good news story.

[00:21:29] Bill Russell: [00:21:29] By the way [00:21:30] I agree a thousand percent with that. They, when they say it’s arbitrary and capricious, I think there is a certain amount of truth to that. So they have to go back to the drawing board and essentially say, okay, we need a uniform process for measuring this. You wouldn’t send out, you know, accountants around the country and say, hey, there’s going to be a little different in the South and the West and the North and the East.

[00:21:54] You actually have standards that CPAs [00:22:00] study and they follow standards. Same thing should be true here. We should know that when they come into audit, they’re going to be looking at these things. And these are the things we’re going to have in place. I agree with that a thousand percent, I actually did post this on my LinkedIn kind, a couple of interesting back and forths.

[00:22:16] And you know, one of them was, you know, the Wayne Sadan the who’s a transformational CIO CTO, CTO. And he goes, you know, my take as a CIO employees fail to use the encryption control. He’s [00:22:30] quoting the story. He says, what CIO or CSO creates an encryption control especially for a portable device and double especially for one containing PHI, then doesn’t deploy it and enforce the use throughout the system? And what internal audit compliance function would let said, CIO, CSO, get away with that? And what CEO board upon hearing of all this worked or didn’t work during regular IT cyber reviews didn’t order everyone to make it so [00:23:00] employees can choose to encrypt PHI or not question mark. And no fine for such systemic negligence.

[00:23:06] You know, I sort of agree with that. I mean, actually this was one of my breeches, to be honest with you. When I was CIO we had purchased a group of, it was either a lab or a bunch of ambulatory surgery centers. And before we even got into them, they had somebody who backed up the information on a USB drive, put it in her purse and her purse got stolen.

[00:23:30] [00:23:30] Well we had already purchased them, but we didn’t go in there with our full IT on day one. And that happened like within the first week. So we lost that information. And so that was a reportable event. It was a fineable event and all those things now and I understand, as a CIO, you’re sitting back on it, you know, we had the things in place, we had encryption at rest and encryption in transport. We had an IronKey for [00:24:00] locking down USB drives. We had all those things. We had just purchased this organization. We just didn’t have a chance. And, you know, and we ended up getting fined is that, I guess, under this ruling, they’re gonna have to step back and say, look, this is an extenuating circumstances. They had all the procedures, they just didn’t get in there.

[00:24:18] Mari Savickis: [00:24:18] That’s exactly right. I mean, it’s like, if you could picture a door, like, are four double bolts enough, or is it five? Right. So, I mean, the HIPAA Security Rule does give some latitude in terms of how [00:24:30] you establish meeting your security requirements. But that’s also like another reason why we, so CHIME AEHIS, one of our organizations that comprises CISOs underneath CHIME, has worked really hard to develop these set of cybersecurity best practices or they’re known in the field as 405(d). A super unsexy name I know, or DC lingo.

[00:24:53] But they’ve been developed and they’re voluntary, right? They’re voluntary somehow. They’re also called HICP, another weird name, but either way [00:25:00] they’re a set of best practices that CISOs and CIOs can deploy. And there’s some that are for smaller and medium-sized lesser sophisticated and then ones for larger ones.

[00:25:10] And so what this bill is going to do and what this, hopefully it will, I think, take into account what just happened with MD Anderson, is that we’ll say, you know, you’re working hard and, and you’re a cybersecurity, it’s a journey. It’s not a destination. So, you know, some, some of these are maturity issues, right?

[00:25:26] And so you were saying you just bought the stuff right? You were on your [00:25:30] pathway to, you were increasing your maturity, but you were like a week, you know, it happened the week after you bought the stuff and you hadn’t implemented it yet. So it’s about. Depicting that you are making an investment. Certainly providers who are not doing the right thing and they’d been warned by OCR. And then like you left the door unlocked. Well, no that’s not going to work. I mean, that is not going to work. So you have, I mean, that has to be like credible investment has to have been made in effort. 

[00:25:54] Bill Russell: [00:25:54] Yeah. I mean, the hard thing about that is I can hear people right now saying you know, we, [00:26:00] we wouldn’t judge banks this way. You know, that the banks are measured by their ability to keep our financial systems strong and that kind of stuff. When they, if somebody were walking in, I’m going back to a Western here, were able to walk in, blow up the safe and take the money and walk out. We would want to hold that bank accountable for not putting the right things in place.

[00:26:26] And I think there’s a set of the population that’s saying, look, [00:26:30] The amount of breaches over the last, I mean, every year it’s millions of records that go missing or just outright stolen from our systems. And I think we all agree we have to do better. And the question is it incentives or is it sticks?

[00:26:48] And you know, what I hear you saying is we need more incentives because a lot of these systems are trying to do this without enough 

[00:26:56] Mari Savickis: [00:26:56] We have a lot of experience with sticks and [00:27:00] and carrots and, like meaningful use is definitely a stick. And so you’re, what you’re doing is you’re skating to the puck. Right. So you don’t want to establish a situation where you have like a checkbox and maybe some of our, you know, very strong advocates for better cyber will. So you don’t want to have a checkbox mentality. Cause that’s not gonna get you. It’s not gonna increase your maturity. You’re just going to go check, check, check.

[00:27:20] And so that’s not going to necessarily like result in the kind of security that you need. And so it is you know, incenting, we think is a better pathway [00:27:30] forward. I mean, sometimes you, I mean, providers never like to pay penalties. I mean, I’m not going to sit here and be like, Oh yeah, we love penalties.

[00:27:35] That’s like said no provider ever. Please bring me a penalty. I can’t wait. No, I mean, you know, there’s ways to do this and like it’s and but to just hammer them and just be like, you’re going to have this protracted two year long audit, you’re going to be like, your head’s going to be in a dark cloud.

[00:27:53] We’re going to put you on the naughty list. I mean, it just goes on and on and on and on. And instead of focusing on [00:28:00] here’s, I could actually, you know, improve yourself. It’s more like you’re now you’re dealing with some crazy protracted audit. And again some are warranted. But we were just, we’ve been trying for years to try and move this ball forward and you’re going it’s voluntary bill. These best practices are voluntary. 

[00:28:17] Bill Russell: [00:28:17] Yeah, well we’re going to move on to vaccine. I will share one last story is you know, we had an internal auditor and when I came in I couldn’t get my security team out from underneath the audits. They were essentially internal [00:28:30] audit would do a an audit.

[00:28:31] They’d give them a list of things they needed to fix. They’d fix those things, the next audit would come through. They’d get another list. They’d have to fix those things. And I finally went to the internal auditor and said, you got, you have to give us a six month reprieve, no audits for six months. So that we can actually strategically get ahead of this.

[00:28:47] Otherwise this is going to continue forever. You know, you’re going to find things, perhaps fix them so forth. How about if we put a strategy together, we come, we work with you on it. You can look at it, give us some feedback and then we’ll put [00:29:00] something in place. And that that was a huge game changer for our health system actually think about security strategically and we changed.

[00:29:09] Almost everything we did as a result of doing that. And when, once you get on that hamster wheel, it’s hard to get off and it doesn’t get you any closer to where you want to get to. All right. Let’s talk vaccine. As if that topic wasn’t interesting enough get a vaccine.

[00:29:29] All right. So you’ve pulled out an [00:29:30] article from the MIT journal, the technology review, and then it is This Is How America Gets Its Vaccines. I’m going to hit this real quick. So there’s a handful of steps. There’s a pre-step where there’s two systems Tiberius and VTrckS. Tiberius pulls stuff in and it’s actually a pretty state-of-the-art system. It was just developed last year has some really, really cool overlay stuff and whatnot. VTrckS is what we would call a legacy system. And there’s an awful [00:30:00] lot of uploading things via human interface. If you will, downloading them from one system and uploading them manually into that.

[00:30:10] So that’s we’re going to call that pre step one. Step one is actually HHS receives regular updates from Pfizer and Moderna as you would expect. And I guess J and J. Step two, as HHS decides determines the numbers to send to each state right now, they’re sort of hovering at about 4.3 million per week.

[00:30:30] [00:30:30] And then Tiberius is used to divvy up the vaccine on the basis of census data. So it’s a simple algorithm. It’s not fancy machine learning. It just sort of looks at, you know, the census data says, hey, we’re sending out 4.3 million, where are we going to send it? And that’s what it does. Okay. So Tiberius pushes the figures around to other systems.

[00:30:53] It ends up getting to the CDC where a technician manually uploads and sets order limits and [00:31:00] VTrckS is something like an online store. If you think about it that way. And that’s where orders are placed for the vaccine. And then we get to step three. Step three is the States and the territories distribute the vaccine locally.

[00:31:14] This is where it gets interesting. This is where it’s you know, the, what’s the best way to say this. So it gets to the States and what’s a lot of the articles is pretty [00:31:30] negative in terms of the States and they’ve been underfunded, they’re understaffed, and they’re trying to get all this stuff, but anyway, it gets the States. And then the States determine where it’s going to go. It goes back up into VTrckS. Which I think is they actually put the addresses in there and then it ships the vaccines. Step four is ships the vaccines and actually amazingly this is the easy part. FedEx and UPS know how to do this. They’ve been doing this for years and they ship it and then step five is [00:32:00] administer the vaccine and report back.

[00:32:02] And that’s what we were talking about a little bit earlier. And that’s probably where I want to start with you. Is you know, this is where the the vaccine gets down locally. They’re talking about the fact that the States are struggling to divvy it up. The scheduling systems are a little uneven. Some States are using Salesforce. Some Eventbrite is another one that’s being used. [00:32:30] Some are using some health systems are using their portal. Some retailers. And I don’t think retailers have a lot of the vaccine. They’ve been sort of tapped to do the long-term care facilities. But I’m not sure they’ve been opened up to do the general public yet but they’re gonna use their their retail portals as well to do that.

[00:32:50] But then you have to report back and if you don’t report back and report back effectively, Then your vaccine sort of goes down. So that’s a little bit of the lay [00:33:00] of the land of the five steps from that article. And we’ll share that link to that article in the show notes.

[00:33:08] All right. So you shared this story, you sent it over. What are your thoughts and where do you want to take the conversation? 

[00:33:16] Mari Savickis: [00:33:16] I’m perpetually an optimist, Bill. Okay. So I like to think that, you know, everyone is really doing the best that they can do. Right. I mean, I’m sure you can find some bad apples and actors out there. And then this is maybe me speaking personally but I’d like to think that [00:33:30] people are doing. Hard work during this difficult time. And so, there was a quote in here about, there was a lot of money and effort spent to develop the vaccine very quickly or vaccines, but there wasn’t nearly as much effort spent on the distribution process.

[00:33:46] And this is really, you know, these are the, you mentioned, you know UPS and FedEx, like this is a logistics operation, right? And so it’s not all situations where, you know, someone is maybe entering things manually and there’s [00:34:00] no electronic record. I mean, we had another member for example, and this is like, it just varies every state’s different and what they were require.

[00:34:06] I mean, it’s a morass of different policies called together quickly to try to get everyone vaccinated as quickly as possible. I mean, it’s very, very difficult. We just spoke to another member who has a very large EHR vendor that you would know, and they use their scheduling system to you know, to facilitate the appointments. Right. But say you’re not, they take [00:34:30] all comers, right. So if you’re not in their system, then they have to create a record for you. But the point of when they reach out and say, I need a vaccination, they will look for you in the system, and they’re picking up certain pieces, demographic information, but if they don’t get enough and they don’t get the right match, I know you’re going to find this shocking, Bill. Where am I going with this?

[00:34:47] Bill Russell: [00:34:47] You’re going to go national patient ID. There you go. 

[00:34:50] Mari Savickis: [00:34:50] The dark hole of every single piece of interoperability policies that we have to deal with. And so this has become, again, no, there are, I’m sure there’s [00:35:00] lots of providers that are doing things successfully, though. I would hope they are going back and spot checking their state registries. Note to CIOs: if you haven’t spot checked your registry, have your staff go do that and make sure the data is actually in there. Cause we’ve gotten some very alarming stories in the past two weeks that we plan on sharing publicly and we’re not going to be naming any providers but we’re gonna make sure that lawmakers and policymakers know that this isn’t working necessarily as seamlessly as you can.

[00:35:24] Again so because of this data wrapped up in such a way where they, when they hit into the state database and [00:35:30] they don’t have all of the patient information because they can’t use their social security number Bill. Guess what they’re doing? They’re using data aggregators. Oh, my golly. Like, so here we go.

[00:35:39] It’s like if you had a patient identifier number. You wouldn’t have to be, you know, working with data aggregators to have a better match. So it all comes back to, not everything, but like lots of things come back to being able to actually identify the patient or the consumer at the point of care. So these are the things when we there’s a lot of things with the vaccine administration that are not [00:36:00] technology oriented. This is the piece that we’re focusing on.

[00:36:06] Bill Russell: [00:36:06] You know that’s interesting. I actually, I’m not going to go down that road. You so eloquently put the the need for a national patient ID. The road I’m going to go down is I’m actually really optimistic. You know most IT projects most projects in general start and they’re bumpy right?

[00:36:25] So we acknowledge that they’re bumpy to start, but [00:36:30] I’m looking at this going a hundred million vaccines in a hundred days. This is the administration’s stated goal and objective. We’re already at, with all these bumps and bruises. I mean, according to the Washington Post, according to Bloomberg, according to USA Today, we’re at about 30 million people vaccinated.

[00:36:49] And that’s what this all these problems that you read and all these, I mean this article included has a bunch of things like, Oh, this is broken, this is broken. This is broken. Okay, great. And I [00:37:00] agree with you. I don’t, I don’t put any nefarious you know, intentions behind any of this.

[00:37:07] I’m just saying. Yeah. Okay. You’ve identified all the things that are broken but 30, some odd million people have been vaccinated and that probably does not include. The military, because we were probably not counting them in those numbers. And so you up that number by a fair amount, let’s just say you get the 35 million. 35 million have been vaccinated since December.

[00:37:25] We didn’t have a huge quantity of the vaccine itself. And we had all these [00:37:30] logistics issues. Okay. That’s the start of the project and that’s not all that bad of a start. And to be honest with you, if the number of vaccines being produced continues in the direction and yes, they were overstated in the beginning and we all acknowledged that now.

[00:37:49] But still we’re looking at the potential for almost a hundred to 200 million doses being produced between the two Pfizer and [00:38:00] Moderna, and I’m not even including J and J at this point. So by April, we might be looking at 200 million doses being available in the U S to be distributed. I’m really optimistic.

[00:38:12] I think we’re going to have more of a problem once we get through everybody that wants the shot, than we are going to have getting to a hundred you know, a hundred million people vaccinated. I think that that number is going to be achieved and it’s going to be achieved relatively quick. I’d be [00:38:30] surprised we’re not there by the president’s, you know, stated date of April what’s the first hundred days, April 28th, roughly for the administration. So I’d be surprised if we’re not at that a hundred million number and what the a hundred million number and the number of people who have already had the you know, who have had COVID and have developed some immunities to it, at least as far as we know we’re gonna make a serious dent in this thing by you know, [00:39:00] by the end of the spring, I think so I’m very, I’m very positive even with all these negatives, even with all these challenges that we are really making a dent in this. That’s, that’s my personal my personal view of this. Think I’m nuts.

[00:39:16] Mari Savickis: [00:39:16] You, well, I mean, I, like I said, I’m like, I’m an optimist too. I mean, you’ve clearly given this a lot of thought. I can’t say that I sit here and hammering over is everyone going to get vaccinated like, Oh my gosh. Like, I mean, I’ve just, I’m just trying to focus on the here [00:39:30] now Bill. You know, we were just picking apart one problem. I think what we try to do is identify like the single biggest use case ever for patient identification, a pandemic.

[00:39:40] Right? So I’m sure that we’re the United States. We will figure this out. You know, we will, you know, we will persevere and it will get done. I think we’ll have to do some, you know, post-mortem on this afterwards and just figure out like where we could have done things better. I heaven forbid we have another pandemic. That’s even hard to even fathom, but yeah, I’m sure we’ll get it done.

[00:40:00] [00:39:59] I think we’re just trying to figure out, like, along the way, how do we mitigate some of these bumps? You know, I mean, my parents, for example, they’re not snowbirds but they are on Medicare. They live in Virginia, but they’re providers in Washington, DC, you have, you know, you have elderly patients, you maybe lose their card. Don’t maybe know which vaccine they got, you know, they got vaccine one, but was it Moderna, was it Pfizer, or they’re not sure. So you can see there’s going to be some hiccups here. But I’m sure I’ll figure it [00:40:30] out. I just think that there’s a lot we could do about it.

[00:40:33] Bill Russell: [00:40:33] Yeah. I’ll tell you health IT leaders who are wondering, you know, you know, Bill talked about systems that have QR codes and they’re checking in they’re in and out in 10 minutes, boy, that is not us.

[00:40:43] What are we doing wrong? Reach out to CHIME reach out to me. I’m more than happy to connect you with health systems. That really feel like they have this pretty well wired. And you know, you have systems like Atrium that are doing mass vaccination and events, CIC, and [00:41:00] Massachusetts. You see a University of Colorado health system doing mass vaccinations in Colorado.

[00:41:06] So I think that’s the next thing we’re going to see. We’re going to see these mass vaccination events. And in order to do those, you have to have a pretty sound process for bringing people in people that aren’t necessarily in your EHR tracking them. Now, you know, if you’re in a major metro the reason the patient ID stuff doesn’t resonate with me is we had to figure this out a long time ago.

[00:41:28] Well, I mean, we had [00:41:30] you know, 15% of the people in our ERs were, did not have social security numbers. Let’s just say it that way. So we had to figure out this patient matching and how do you handle people who are showing up for the first time and how do you handle consumers that you’re trying to reach out to that aren’t necessarily going to be in your EMR and you’re not going to track them now, granted, our budget was significant.

[00:41:54] We had. Yeah, 700 people in our IT department. And not everybody can do this [00:42:00] but there are absolutely ways around needing a national patient ID to do this effectively. But I agree with you, if you put it down on every health system, I’ve, I’ve already sat across from CEOs who have six people on their staff that were doing the same thing my 700 people were doing it and that’s just there’s there’s no way you can do it. I agree. You have to rely on other people to do it. So I empathize and I appreciate it. Mari thanks for your time. I really [00:42:30] appreciate it. This was a fun conversation.

[00:42:32] Mari Savickis: [00:42:32] All right. Yeah. I mean it’s always nice to be invited on.

[00:42:37] So Bill we really appreciate that opportunity and would be okay if I made a shameless plug for our information blocking center and our would that be okay? 

[00:42:47] Bill Russell: [00:42:47] That would be fantastic. Go for it. 

[00:42:51] Mari Savickis: [00:42:51] Okay. So again we just launched our our information blocking center. So it’s informationblockingcenter.org. [00:43:00] And then back to the point about patient ID, we actually have a patient ID coalition. And so we welcome our members to join us patientidnow.org. Yeah and everyone, hopefully it knows where to find me. And we’re happy to answer any questions and always happy to talk to a member. So thanks very much Bill for having me.

[00:43:19] Bill Russell: [00:43:19] What a great discussion. If you know someone that might benefit from our channel, from these kinds of discussions, please forward them a note, perhaps your team, your staff. I know if I were a CIO today, [00:43:30] I would have every one of my team members listening to this show. It’s conference level value every week.

[00:43:36] They can subscribe on our website thisweekhealth.com or they can go wherever you listen to podcasts, Apple, Google, Overcast, which is what I use, Spotify, Stitcher, you name it. We’re out there. They can find us. Go ahead. Subscribe today. Send a note to someone and have them subscribe as well. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health IT leaders. Those are VMware, Hill-Rom, [00:44:00] StarBridge Advisors, Aruba and McAfee. Thanks for listening. That’s all for now.
