Thursday, February 28, 2013

Part 3 of 3, Interoperability and Protecting Sensitive Data


In Parts 1 and 2, I discussed the sheer variety and number of equipment involved in patient care.  Together with the various types of ownership, hospitals face a real risk of letting important patient data get into the hands of criminals or just malicious people.  In the criminal's mind, why risk a hack when you can scavenge?  The potential cost runs from embarrassment and angry customers to millions of dollars in credit monitoring costs, all from just one device.




Part 3 of 3:
Another particular risk that James and I talked about caught me a little off guard.  I was not aware of how long an equipment owner may remain at risk at the hands of a leasing company with a less than stellar data destruction program.

A leasing company may not sell an asset at the end of a lease term.  James stated, “Instead, it may choose to pay a storage fee to hold on to the equipment.  Depending on the useful life, this could be for 5-7 years.”  Meaning, a release of your patient and sensitive information can boomerang out of the past and take a bite out of your bottom line years after you think it’s all said and done.

The bank and the customer share a risk not only with sensitive data but also with the software applications loaded onto hard drives.  Shredding a hard drive can result in the finance company charging hardware replacement costs and application replacement costs, with maintenance costs on top of everything.  It may be a good idea to assess those costs before the drives are shredded.

LifeSpan engages healthcare customers through a mix of “training, best practices, and onsite or offsite data destruction”.  James further commented, “Whether or not they use our services or if they do it in-house or they outsource it to someone else, they need to be thinking about these things.  As an educational partner, we can help them guard the bases that way.”

In response, I asked, “How do you educate your customers?” 

He answered, “Articles, webinars and on-site training…. Data destruction to me is all about redundancy.  If you have an internal process you should also have an external review process as well.  Both should be audited.”

LifeSpan uses:
- NAID AAA Certification, under which the certifying agency subjects LifeSpan to unannounced audits.
- U.S. Department of Defense and NIST data destruction standards:
  - DoD 5220.22-M
  - NIST 800-88

With education, training, and redundancy, backed up by multiple certifications and unannounced inspections by certifying agencies, LifeSpan seeks to lead the way in helping healthcare organizations prevent unintended releases of data and the costs associated with them.

Any questions about the article?  Leave a post or send an email to alfordhardy@gmail.com

Tell them Al sent you.



Wednesday, February 27, 2013

Interoperability and Protecting Sensitive Data, Part 2 of 3

In Interoperability and Protecting Sensitive Data, February 10, 2013, I discussed how interoperability can increase the risk of sensitive data getting beyond your organization.  As more categories of devices hold patient data, the asset disposition phase will become riskier than it already is, specifically in:
- Returning leased systems
- Selling to a remarket company
- Donations
- Disposing as junk

The quantity and sheer variety of devices containing data, aside from stand-alone laptops, desktops, servers, and mobile phones, make keeping sensitive data from getting beyond a healthcare organization a real problem.

Hospitals have put policies in place to resolve the problem but leasing companies and remarketers still receive equipment containing sensitive data coming from healthcare organizations.  Leasing companies and remarketers have found it necessary to mitigate that risk with their own procedures to:
- Add redundancy for their customers
- Protect themselves from lawsuits
- Prevent sensitive data from getting beyond them

Corporations like LifeSpan® often provide these services.  Increasingly, they are providing services more directly to hospitals and hospital systems.  I spoke with James Griffin, LifeSpan’s Managing Director of Southeast Sales.  He stated that “LifeSpan provides hardware recycling and disposal, data destruction, hardware resale, and a full range of IT asset disposition services to corporations, OEMs, hospitals, leasing companies, banks, and other businesses.”  This includes data destruction for laptops, desktops, servers, medical equipment, and imaging systems.


  
I asked James, “What are the potential costs to hospitals?”

He replied, “It costs about $100 - $200 dollars per customer, per incident for credit monitoring.”

Suppose a data release comes from Ambulatory Surgery only, restricted to a single year of patients.  At about 10,000 patients, that runs $1,000,000 at minimum.  Those 10,000 records, depending on the format, will fit on a USB drive.  The comparative space on a hard drive is minuscule.

As I considered James’s comments on the costs, I thought about the additional threats.  Many of today’s misuses of sensitive information are simply malicious.  There is no financial gain, just cyber street cred for an infamous avatar claiming to be unstoppable, and again, all of it costing the owner expended resources.
  
James went on to tell me how data can get into the hands of a criminal intent on a cash return or a malicious person:
- A reseller is unable to sell equipment for an acceptable amount of cash.
- So, it is sold as waste, put in a shipping container with other waste, and sold by the pound.  Eventually, the container is put on a ship.
- The ship sails into a port where dumping laws are less rigid than those in the United States or European Union.
- The cargo finds its way to a dump.
- Individuals comb through these trash heaps looking for precious metals or components to sell.  This brings up another LifeSpan offering, e-waste compliance, which I will cover in another blog post.
- Legitimate parties restore the components, wipe the data, and resell the hardware.
- Criminal elements restore the components and the data, then resell both.

Friday, February 22, 2013

Does $-5-4-0-M Spell Game-Changer?


Are you a managed service provider who offers some or all aspects of Asset Management: asset optimization, workflow with Lean Six Sigma for demand equipment, maintenance, capital planning, or disposal for healthcare organizations? Do you have personnel in accounts daily?

If so, consider RTLS/RFID...again.  It just keeps coming back. Now, not only is it back - very large, well-funded, and capable companies are competing for business in healthcare.  RTLS is part of their solutions package along with biomedical services, supply chain, Lean/Six Sigma and/or IT infrastructure.

For those clinging to hope that RTLS will just go away again before all the nibbling around the edges gets to the quick of your profit margins – well... that’s likely to force a desperate decision instead of a shrewd one.  What’s changed?  A $540,000,000 maximum payout for the Veterans Health Administration’s RTLS, woven into both improving quality and reducing cost.  Success will send a strong positive message from the RTLS/RFID community to the healthcare community about the capabilities of the technology and services.


Your accounts probably pressure profit margins already.  On one hand, hospitals complain about insurance companies nickel and diming them and rejecting payments for what seems more like an excuse than a valid reason.  On the other hand, hospitals kick back your invoices over incidents that clearly indicate problems inflicted by their employees and not covered under the contract.
  
Some managed service companies are partnering up with full service RTLS providers.  The hope is that a managed service company can grow an account by expanding into RTLS.  The agreement is supposed to be a win-win situation.  The full service RTLS provider gets a footprint in the account.  The managed service provider expands its service.  The problem is, the full service RTLS provider may become your competitor.

There may be an alternative.  Managed service providers can offer RTLS without the investment, risk, and resources connected with software development and support. VizBee may be a good choice to consider.

VizBee is an RTLS software company with a particular model.
1. The most important point: VizBee is not set up to become a competitor.  They sell software.  VizBee can acquire hardware to help expedite a project.  They do not sell Lean/Six Sigma projects.  Nor do they offer other cost savings consultations to hospitals.  A full service RTLS provider does sell these services.  Implementation, training, surveys: a full service RTLS provider will have their people in your account.  Do you really want that?
2. VizBee offers two options to the managed service provider:
   a. The provider can buy software.
   b. VizBee can supply software and hardware (VizBee will be responsible for the hardware functioning).
      - Complex projects can be done without coding.
      - Add more tags and readers without limitations; just increase the license.
      - Add new applications by updating the license.
   c. Healthcare modules include:
      - Asset/person tracking
      - Logistics
      - Inventory and warehouse management
      - Guard tours
      - Task management
      - Tracking small surgery tools
      - Hygiene: hand washing
      - Maintenance management
   d. VizBee provides a method of helping to model potential margins.

The managed service provider can:
1. Recover the cost over the term of customers’ service contracts.
2. Use the efficiencies to improve both the customer’s and the managed service provider’s operations.

Last, hospitals need help with RFID/RTLS support.  It is not a matter of them being capable.  It’s a matter of increased volume, scope of work, and hours that have resulted in a pay cut.  Managed services have boots on the ground who can provide needed levels of RTLS service.  A full RTLS service provider would have to charge a huge price to accomplish this.

As discussed in Covering Your Assets by Exposing the Butt-Ugly Truth, even though a hospital can save hundreds of thousands of hard dollars with RTLS, they may still be challenged to reinvest some of that money into their own asset management programs.  They may use the savings to pay other bills.
- Does it make sense?  In many cases, no.  No reinvestment threatens to weaken the very thing that’s paying the bill.
- Is it a reality?  Yes.
- Is it possible to take RTLS off the hospital’s plate and make good business sense?  Yes, especially if you provide biomedical equipment technicians, facilities, or IT personnel in accounts daily.

This helps weave the benefits of RTLS technology, reinforcing process and helping with workflow, into a healthcare organization’s daily activities and outcomes.  Who better to do this than managed service personnel who know the building, the staff, the processes, and the decision-makers?  The question is, do you really want to wait until what is, basically, a $540,000,000 investment in RTLS marketing kicks in before considering your options?  Or do you want to position yourself with a vendor like VizBee?  For more information on VizBee, write alfordhardy@gmail.com or call (912)429-5725.

Tuesday, February 19, 2013

Ultra-Wide Band, A Plain Explanation


My latest article, Ultra-Wide Band, A Plain Explanation, has been published by About.com.  About.com is a business office of the New York Times, NYT.  It is an honor to have NYT writing credits on my résumé.  I have been writing for them for 1 year now.  The engagement was the result of competing in an international open call.  Happy Anniversary to me.   Big thanks to Brian Carmody.  He has helped me a great deal.

Asset Management for Healthcare continues to attract readers since I launched its first blog post, How Much Did They Pay? on 5/07/2012.  There, I compared the value of the information in my book, Covering Your Assets by Exposing the Butt-Ugly Truth, to paying thousands of dollars from other sources.  Thank you to the readers who took that challenge.

Ultra-Wide Band, A Plain Explanation explains Ultra-Wide Band for an audience unfamiliar with the technology.  Those with administrative experience and those with technical experience can enjoy the article.  With changes in federal regulations and policy, I do believe that we will be hearing more about Ultra-Wide Band uses in healthcare for both outside and inside applications.



Good Fortune in 2013 and may Every Breath and Every Step take you closer to contentment.

Al Hardy




Sunday, February 10, 2013

Interoperability and Protecting Sensitive Data, Part 1 of 3


Interoperability, Integrated Healthcare Enterprise: everyone is talking about how to make one equipment system or application talk to another and understand the same meaning.  The big picture is to work on standards, a neutral and disinterested interpreter of languages and codes.  The result will be a bureaucratic liaison that just wants to receive the information, convert the data into a series of messages, then pass it on.  This will likely increase your local risk of releasing sensitive data… as if the risks aren’t high enough already:

- Leadership bonuses
- Confidential board communications and documents passed between board members
- Personal and corporate bank accounts
- Strategic plans
- Personnel actions
- Social security numbers
- Diagnoses
- Marriage licenses
- Birth certificates

The standard will treat all of the above categories of information the same, so that as many devices as need the information can receive it, know what to do with it, and/or respond to it.

Other than desktops, laptops, mobile phones, and servers, healthcare has to deal with these devices that contain staff, corporate, and patient data:


- C-Arms
- Mobile X-Ray
- CT
- MRI
- Angiography systems
- Catheterization systems
- Mammography Units
- Chemical Analyzers
- Blood Gas Analyzers
- Treatment Planning Systems
- Lab Equipment
- Bedside monitors
- Transport monitors
- Central stations
- Mobile tablets
- Handheld computers
- Contrast injectors

And there is more to come.  Interoperability means even the handy and ever-present screening-type vital signs monitor could end up with patient data.  There are projects to do exactly that, so don’t laugh.  Lean and Six Sigma penetration into workflow, patient behaviors, and missed revenue opportunities means getting efficiencies through data collection on staff actions, patient actions, information exchanges, and treatment.  This is what DMAIC is all about.

But, that’s not all.  Let’s talk about ownership in regard to interoperability and data.  Healthcare equipment can be:


- Owned by the organization
- Residing locally, but owned by state or local governments
- Short-term rental (owned by supplier)
- Long-term leased (UCC filings, or owned by bank or leasing company)
- Earned purchase credit (owned by the supplier)
- Consignment (owned by the supplier)
- Non-capital based on volume (owned by the supplier)
- Cost-per-test (owned by the vendor and the bank)
- Purchased service (owned by the vendor)

And… there is lost equipment, equipment in storage, and equipment in limbo that no one uses or plans to use.  All of these can contain data and may go back to the vendor, be returned for maintenance, go back to the bank at end of term, or be sold to a remarketer with hard drives still intact and with data.

Where is the final resting place of this data?  Found by another facility?  In the hands of a criminal, desperate, or just a careless person…?  Am I creating a scare?  Well yes.  But there is a chasm of difference between crying wolf and pulling someone out of the path of a speeding tour bus.  The issue of letting sensitive data out of your organization has the potential impact of speeding buses.  How many buses equal 10 Trillion bytes (only 5 computer servers)?  Well, that depends on the damage.  Chances are you need help to avoid stepping into the path of a speeding bus in the first place.  You also need the redundancy of a company to pull you back just in case. 

Corporate policies can require removing hard drives and destroying them.  Others erase the data with an intense magnetic field.  Evidently, there are gaps in some companies’ compliance to policy. 

I discussed these issues with a leasing company, a remarketer, and an asset disposal company.  These businesses receive equipment from healthcare treatment centers and other industries.  Each finds it absolutely necessary to add a layer of service that protects them and adds needed redundancy for their customers.
Leasing:

I spoke with Chris Wuest, Senior Vice President of Asset Management at First American Equipment Finance, FAEF.  Our specific conversation was around the process to help customers keep information from reaching them in the first place. If it did, what was their process to mitigate the risk of stored data getting beyond them?

One of the most useful preventative tools is the Customer Care application FAEF offers.  The application gives the customer access to lease term expiration dates and more.  Chris stated that getting an early start before the expiration date allows clients to plan accordingly.  FAEF sends a checklist that instructs clients on properly preparing equipment for return.

Once equipment arrives at FAEF, Chris manages the process.  “The 1st thing that occurs is an inventory.”  Anything mistakenly sent is “quarantined.”  “We ask of its disposition.”  Most often the customer asks for the equipment to be returned.  Every device is assessed for stored sensitive information.  FAEF generates a report of findings and sends it back to the customer.  The report can help close the client’s gap in compliance.

Next, FAEF brings in a specialist to perform Department of Defense and R2 Certified data destruction, and handles e-waste compliance as well.
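The process just described (an early start before the term expires, an inventory on arrival, quarantine of anything unexpected, an assessment of every device for stored data, and a report back to the customer) together with the DoD 5220.22-M and NIST 800-88 standards listed in Part 3 can be modelled as two simple register checks. The code below is an added example, not FAEF's, LifeSpan's, or the author's; the device fields, asset tags, dates and certificate numbers are constructed, and the sanitization method names follow NIST SP 800-88's clear/purge/destroy categories.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# NIST SP 800-88 sanitization categories. An overwrite to the DoD 5220.22-M
# pattern named on the page would be recorded here as "clear"; shredding is "destroy".
VALID_METHODS = {"clear", "purge", "destroy"}

# Constructed report date for the sample run (assumption, not from the page).
REPORT_DATE = date(2013, 2, 10)


@dataclass
class Device:
    """One data-bearing asset in a hospital's register (field names are assumed)."""
    asset_tag: str
    kind: str                            # e.g. "CT", "bedside monitor"
    ownership: str                       # "owned", "leased", "rental", "consignment", ...
    has_storage: bool                    # non-volatile media that can hold patient data
    term_end: Optional[date]             # lease/rental end; None for owned equipment
    sanitized_by: Optional[str] = None   # NIST 800-88 category, if performed
    certificate: Optional[str] = None    # reference to the data destruction certificate


def pre_return_flags(register: List[Device], today: date,
                     horizon_days: int = 90) -> List[Tuple[str, str]]:
    """Hospital-side check, run well before term end: list every device leaving
    the organization within the horizon that still has storage and no verified
    sanitization record."""
    cutoff = today + timedelta(days=horizon_days)
    flags = []
    for d in register:
        if d.ownership == "owned" or d.term_end is None:
            continue                      # not scheduled to go back to a bank or vendor
        if d.term_end > cutoff or not d.has_storage:
            continue                      # outside the window, or nothing to sanitize
        if d.sanitized_by not in VALID_METHODS:
            flags.append((d.asset_tag, "no sanitization recorded"))
        elif not d.certificate:
            flags.append((d.asset_tag, "sanitization not certified"))
    return flags


def intake_inventory(expected_tags, received_tags) -> dict:
    """Lessor-side check mirroring the inventory/quarantine step: anything received
    that was not on the return list is quarantined pending the customer's
    disposition; anything on the list but absent is reported as missing."""
    expected, received = set(expected_tags), set(received_tags)
    return {
        "accepted": sorted(expected & received),
        "quarantined": sorted(received - expected),
        "missing": sorted(expected - received),
    }


def sample_register() -> List[Device]:
    """Constructed sample data; tags, dates and certificate numbers are invented."""
    return [
        Device("CT-001", "CT", "leased", True, date(2013, 4, 30)),
        Device("MON-017", "bedside monitor", "leased", True, date(2013, 3, 15),
               sanitized_by="purge", certificate="DC-2013-0042"),
        Device("XR-003", "mobile X-ray", "rental", True, date(2013, 2, 28),
               sanitized_by="destroy"),
        Device("INJ-009", "contrast injector", "consignment", False, date(2013, 3, 1)),
        Device("MRI-002", "MRI", "owned", True, None),
        Device("LAB-021", "chemical analyzer", "leased", True, date(2013, 12, 31)),
    ]


def sample_flags() -> List[Tuple[str, str]]:
    """Run the pre-return check over the constructed register."""
    return pre_return_flags(sample_register(), REPORT_DATE)


if __name__ == "__main__":
    for tag, reason in sample_flags():
        print(f"{tag}: {reason}")
    print(intake_inventory(["CT-001", "MON-017"], ["CT-001", "MON-017", "LT-555"]))
```

The pre-return check deliberately treats a sanitization entry without a certificate reference as a finding: the page's point about redundancy is that an internal process should be backed by an external, auditable record, and a bare "done" flag in a spreadsheet is not that record.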

Remarketers share these concerns about their warehouses receiving stored data.  Philip Jacobus, President of DOTmed, states, "Our job is to deliver leads for equipment for sale.  … (while) the eventual buyer has a vested interest in assuring that the unit is properly de-installed and transported, it is the seller or current user of the equipment, who normally removes confidential information.”

The takeaway for hospitals: 1) Ask your leasing companies about their respective processes.  Please feel free to leave an anonymous note on the blog about what you find.  No need to name the company.  Start with the header, “Publish” or “Do not Publish.”  The first thing you may find is a new outlook on how many leasing companies you need to survey for this particular risk.

2) Interoperability may make the situation worse.  Consider finding help to manage trade-ins, resale, asset recovery programs, and leased equipment returns, or even to assist with all the ownership issues of various equipment.  One such company is LifeSpan, http://www.lifespantechnology.com/about-us.  They “provide hardware recycling and disposal, data destruction, hardware resale, and a full range of IT asset disposition services to corporations, OEMs, hospitals, and municipalities nationwide.”  More on them in the next blog post.

Need help?  Send an email to alfordhardy@gmail.com