BB&T Contributing Editors

SAN DIEGO – More so than in years past, this year’s Healthcare Information and Management Systems Society (HIMSS; Chicago) annual conference, held here in mid-February, was a nexus of convergence for hardware and software vendors, end-user and middleware vendors, national and regional special interest groups, civilian and military groups and various other providers and vendors.

The conference had almost 800 vendors taking booth space, making it financially successful for HIMSS, even if the attendance was down from last year due to the winter storm that dumped 27” of snow on New York and across the Northeast, closing airports from Boston to Baltimore a couple of days before HIMSS. That affected vendor personnel attending as well as those registered.

Some 24,500 persons were in attendance for one or more of the five days this conference was open, down a bit from expectations. Because HIMSS has become an expensive show and one that does not draw physician group practices, many of the EHR vendors skipped the show this year. The biggest ones, however, were in attendance because their business has a significant hospital component and hospitals and large integrated delivery networks (IDNs) are well represented at HIMSS. These larger vendors also are prime movers in the regional health information organizations (RHIO) market, which was a hot topic at HIMSS.

The keynote introduction for Dr. David Brailer, national healthcare IT czar, started off by claiming that 30 cents of every dollar is still wasted by the current healthcare system. All medical providers are being chided to embrace the conversion to electronic healthcare, noting that the benefit is the ability to share patient information with all providers who need it, across multiple offices and even to make it available to patients themselves.

Brailer, now a speaker at every national healthcare IT event, varied a bit from his usual message, suggesting in a less-veiled manner than in the past that while the federal government would like to see the “free market forces” and IT industry champions emerge and bring forth (at its own expense) both the products and infrastructure to comprise a national healthcare information infrastructure, the government was prepared to mandate it if the free market approach doesn’t bear fruit in the next three to five years. There is some urgency about achieving specific goals for which the EHR and infrastructure to connect it is required, specifically:

Empowering consumers.

Enhancing EHR administration and reducing administrative expenses.

Improving clinical care by preventing drug and other errors and exposing deviation from “best practices” approaches.

Enhancing the ability of the federal government to quickly detect and track chemical, biological and other national epidemics that require a coordinated, federal response.

This may be the reason that Uncle Sam already has put the Vista EHR (not to be confused with the next version of Microsoft Windows) into the public domain – a solution that is not truly free, has a cumbersome and archaic user interface and is based on archaic databases, but one that is used by Veterans Affairs (VA) hospitals nationwide. So the government solution would make all physicians “as productive” as physicians in the VA hospitals now are. If pursued to its logical conclusion and implemented nationwide, that essentially would put most EHR companies that are getting $33,000 per physician per system installed, out of business. That would transform what Brailer described as the biggest business in the world into the biggest problem in the world.

Brailer offered to continue to “lead the way,” noting that the Bush administration has doubled the National Healthcare Coordinator’s budget for 2006 by $55 million to $116 million. Yet this budget is only a drop in the bucket of what is needed, and in spite of Brailer’s remarks, at the current cost per physician of implementing an EHR (that a study reported in the September 2005 issue of Health Affairs puts at $33,000 per physician), either the government is going to have to come up with some creative financing for practices or some more economical EHR systems are going to have to emerge and gain brand identity in the market, because $33,000 per doctor simply is out of the reach of most smaller practices that are the primary ones yet to adopt. There was no lack of EHR vendors at HIMSS able to offer very competitive EHR solutions way under that cost, but they are generally smaller and unknown companies. Electronic, ambulatory EHR will supposedly save the U.S. healthcare system $140 billion a year (or about 7% of total healthcare expenditures).

Brailer’s other emphasis was on the emergence of regional health information organizations (RHIOs) around the country, which are the anticipated points of connection and statewide consolidation for physician group practices sending data from the new electronic practice management and medical records systems. Currently, less than 14% of hospitals participate in RHIOs, and more than 75% have done no planning to join RHIOs. This will be an uphill battle for Brailer, so he announced a new study of RHIOs that is intended to find out what makes current RHIOs successful. He indicated that CMS is ultimately looking for only one RHIO per state, which may be great for smaller states like Alaska, but not too workable in larger states like California. Even in these states, however, Brailer anticipates no more than two to three RHIOs connected to one, statewide master RHIO that would consolidate for the master national RHIO.

Meanwhile, leading the charge at HIMSS to continue positioning itself as the natural “broker” on all healthcare IT issues, its leaders, Steve Lieber and Dr. Mark Leavitt, announced that HIMSS was participating with the AIMS Foundation in the Katrina Phoenix Project and that HIMSS would establish several new conferences in 2006, including the HIMSS World of Healthcare IT in Geneva, Switzerland; the HIMSS Asia-Pacific Conference (2007) in Singapore; and the new HIMSS Achieving National Healthcare Transformation Conference in Washington on June 7-8.

HIMSS is gaining recognition as other healthcare IT organizations and groups use its conference either as a venue for their own smaller meetings or to advertise their separate meetings. The American Medical Informatics Association (AMIA; Bethesda, Maryland), American Health Information Management Association (AHIMA; Chicago), Medical Records Institute (organizer of the Toward an Electronic Patient Record conference; Boston), Integrating the Healthcare Enterprise (IHE), Health Level 7 (HL-7; Ann Arbor, Michigan) and the Microsoft Healthcare Users Group (MS-HUG; also Ann Arbor) all were at HIMSS.

Brailer and Leavitt are two key players in the Certification Commission for Healthcare Information Technology (CCHIT; Chicago) efforts to establish a standard for certification of EHR systems. That certification activity has been moving along, with frequent announcements by CCHIT and HIMSS touting progress; but there also was an undercurrent that emerged at HIMSS. EHR vendors, even some CCHIT members, expressed some concerns about the certification approach and its potential to adversely impact smaller vendors and EHR system prices.

As the standards grow in size, and missing even one criterion could lead to non-certification, concerns were expressed that CCHIT may be drifting a bit off track. There also were concerns about the value of any CCHIT certification when the certification process takes longer than the average release cycle for the EHR vendors, meaning that by the time one version is certified, the certification could be essentially obsolete and meaningless, as a newer version (that is not certified) might have been released.

Small EHR vendors, which are the only ones with prices per physician that are affordable to smaller practices, expressed concern to us privately that the specs are being scaled up beyond what small practices actually need, as a means to force them out of the competition. This also, however, would elevate the price a group practice would have to pay for EHR, as only the larger vendors with the more expensive systems would be able to supply all the “features” that the certification they helped craft could actually meet.

Each year HIMSS conducts a Leadership Survey, now in its 17th year, but the survey’s margin of error is getting larger and larger. The number of respondents each year is diminishing while the overall number of chief information officers (CIOs), the primary completers of the survey, is staying the same size or growing. The total “n” for the 2006 survey was only 205 respondents, of which about 185 were CIOs. HIMSS leadership surveys of years past had two to three times as many respondents.

With 4,827 CIOs in hospitals alone, not to mention additional ones in large IDNs, the level of participation (3.8%) is small and conclusions drawn would have at least a +/- 7% margin of error from such a small sample size alone. It is a comment perhaps on the shrinking participation by hospital CIOs that this survey is no longer as influential as it has been in the past. There are other serious issues with the HIMSS Leadership Survey and methodology as well.

Survey methodology also was plagued by a lack of geographic randomness, with only 5% of respondents located in the northeastern part of the country, which represents a much larger percentage of all hospitals and IDNs. This again raises questions about how representative survey conclusions are for the U.S. as a whole. With such survey anomalies, the results may no longer be a reliable source from which to draw conclusions about the IT priorities for physician group practices and only cautiously for U.S. hospitals.

There is almost no representation from small physician group practices, the market that EHR is all about, and therefore the ability to infer anything about the physician EHR market from the Leadership Survey is quite limited, particularly for the smaller group practices that have yet to adopt EHRs. The survey revealed its hospital bias in another way, reporting that 24% of organizations had implemented an EMR. This EHR implementation level is twice as big as reported by a much larger Medical Group Management Association (MGMA; Englewood, Colorado) survey of physician group practices published in the September 2005 issue of Health Devices. The MGMA survey showed that only 11.4% of physician group practices had implemented EHR, and these were primarily the larger ones.

Based upon the revenues reported by HIMSS survey respondents, the largest percentage (28%) had revenues in the $51 million to $200 million range, typical of fairly small hospitals. Another 17% had revenues of $201 million to $350 million. The spread is shown in Table 5.

Conclusions that did emerge from the 2006 survey indicated that internal breaches were the primary security concern of CIOs. Yet 78% said they planned to implement single sign-on approaches during the next 24 months. Single sign-on makes it easier for one provider to access all medical information, but without adequate security safeguards, including vigilant anti-spyware measures, it makes it very easy for unauthorized personnel to access, change or steal all patient information. The use of effective anti-spyware programs is essential in healthcare, because without them, spyware programs can capture and transmit confidential patient and medical information, causing an organization to be in violation of Health Insurance Portability and Accountability Act (HIPAA) requirements.

Lest healthcare vendors simply dismiss spyware as not that big a deal, they might take note of the experience of the Internal Revenue Service (IRS) since the advent of electronic filing of income tax returns. Tax fraud is at its highest since the advent of electronic filing. “In 1995, the biggest story regarding electronic tax fraud in the U.S. involved the conviction of three people in Houston for filing 800 falsified returns using stolen identities. By 2003, one in every 933 returns filed in the U.S. was fraudulent,” the IRS’s Office of Refund Crimes said.

The HIMSS conference had remarkably little presence of anti-spyware vendors, at least the ones with the most effective products. More to the point in healthcare, a recent article by John McPartlin in CFO: Magazine for Senior Financial Executives reported that an IT support staffer at Miami Children’s Hospital noticed something just wasn’t right with the desktop machines used by the hospital’s 650 physicians and 2,400 employees. “We had machines that experienced freak reactions,” said Alex Naveira, the hospital’s information security officer. They were running too slow or they reacted oddly to web sites and pop-ups. After a battery of tests, the diagnosis was clear: an acute case of spyware.

Microsoft (Redmond, Washington) has provided a free anti-spyware beta version that providers can download and install, and will be integrating it into Vista, the next version of Windows slated for release this year. While Microsoft Antispy is better than Computer Associates’ (Islandia, New York) Pest Patrol in providing real-time, anti-spyware protection, both programs let too many spyware “cookies” and programs through. What is needed is a second layer of defense that can be invoked periodically, say three times a day, and manually after any episode of browsing on the Internet.

Various run-on-demand anti-spyware programs also are available. Some include Paretologic’s (Victoria, British Columbia) XoftspySE, Safer-Networking Ltd.’s Spybot Search & Destroy and Sunbelt Software’s (Clearwater, Florida) Counterspy programs. In testing conducted by Medical Strategic Planning (MSP; Lincroft, New Jersey), the most effective of these was Paretologic’s XoftspySE, due to its speed of scanning, lack of drain on CPU resources and comprehensive database of spyware programs. Paretologic’s product already has a database of more than 34,600 spyware programs, and its Xheng webcrawler technology will double or triple that number, making it by far the most sensitive spyware detector program tested.

Microsoft has come out with Windows Defender, Beta 2. It is unclear whether this is a replacement for, or simply a run-on-demand addition to, its Antispy Beta 1. Unlike Antispy, Defender is not a real-time scanner. More importantly, it is not a good backup to any real-time scanner, as it misses a lot of spyware that XoftspySE catches. On one computer, Defender missed SideStep, a spyware program that is loaded by Microsoft’s Internet Explorer every time it loads, shares its memory context and allows it to detect events, monitor messages and actions.

Browser spyware is dangerous. Microsoft’s Defender product missed this serious threat and eight other less-serious problems and cookies that were detected by XoftspySE, any of which in a medical practice application could contain patient information open on the machine at the time they were created. As in antivirus software, with spyware all you have to miss is one serious program for the damage to be done, and HIPAA violations to be created.

Unfortunately, of these anti-spyware vendors, we saw only Microsoft at the conference. With a two-level, anti-spyware detection shield in place (Microsoft Antispy and Paretologic XoftspySE), group practices, hospitals, IDNs and other healthcare enterprises can be more comfortable that single-point sign-on is as safe as it is convenient for healthcare users. This patient information vulnerability is one of the key drivers causing the market for medical anti-spyware software to grow into a $1.2 billion market by 2010, according to a report by Radicati Group (Palo Alto, California). The other hot technology that CIOs plan to implement is “identity management” technology.

One company that exhibited at HIMSS whose technology could be at the heart of secure, single sign-on is Ping Identity (Denver), an enterprise software and services company that offers single-sign-on technology based on web services architecture, using SOAP standard messaging over the web. Ping Identity offers solutions for both Microsoft and Linux platforms. Currently, only 20% of those CIOs surveyed have implemented single-point sign-on.

About 14% of respondents indicated that patients could schedule appointments on their organization’s web site, although this also was a capability that 73% were planning to implement over the next couple of years. Three-quarters of those surveyed felt that IT budgets would increase in 2006 and 2007, and were planning to add IT personnel to their organizations. The survey indicated that IT made up only about 2.5% of their organization’s total budgets, which is about half of what IT budgets in non-healthcare organizations are in the U.S. Again, the survey is very reflective of the hospital IT market, rather than the unpenetrated physician EHR market that will fuel the EHR adoption that Brailer is talking about and looking for.

Apparently, larger budgets also will be used to finance IT outsourcing, as three-quarters of those surveyed indicated they currently use outsourcing and plan to expand that. They also will fund reduction of medical errors, indicated by half of survey respondents as a priority for IT. Brailer’s message apparently is getting across to those surveyed, as the number indicating that implementing EHRs was a priority jumped on the 2006 survey to 45%, up from the 29% that indicated this was a priority in last year’s survey.

Other top priorities included providing remote access to data, enhancing workflow process and implementing wireless connectivity. Items that were not priorities included implementing HIPAA. Whether this indicates that hospitals already have accomplished this or just weren’t that concerned with compliance was not clear from the survey response. Overall, the survey suggested that there would be a growing market for a number of vendors exhibiting at HIMSS, particularly those that were selling wireless networking and network security devices and software, including bar code scanning devices.

(Next month: A look at some of the nearly 800 companies that populated the HIMSS exhibit floor.)