Securing Your Business: Disaster recovery – do you need backup or a business continuity plan?

As an MSP specializing in healthcare and security, StratX IT Solutions is often asked,

“Is there a difference between backup and business continuity plans for disaster recovery?”

Many believe that data backup and business continuity plans are one and the same, but they are not! One allows you to recover your files, and the other enables you to continue operating your practice regardless of the severity of the outage or your physical location. They are complementary solutions, and you need both in order to secure the business of your practice.

With estimates that 70% of data outages are caused by human error (e.g., opening emails with viruses*) and the Gartner Group study which predicts that 25% of PCs will fail each year, asking “IF” you need a disaster recovery plan for your systems has become moot. What is critical is “HOW”.

But let’s backup for a minute (bad pun intended). Let us explain what data backup and business continuity plans are, and what StratX recommends to our clients as the most failsafe combination.

It all starts with data backup. It is the foundation for disaster recovery and business continuity – no backup means no business continuity.

But not all backup solutions are created equal. Remember when tape backup was the only option? Data protection is a fast-evolving market, and solutions that were put in place a decade or so ago are no longer suited to meet today’s regulatory requirements.

What is required is a robust, viable foundation for ensuring secure, HIPAA compliant data backup and retention. Backup products fall into three (3) basic categories:

  1. Onsite backup (data stored on hardware kept physically in your office)
  2. Cloud backup (data stored on hosted hardware via the internet)
  3. Hybrid onsite-cloud backup (combines the first two categories)

Onsite backup works well when a quick restore of lost or damaged files is required. The data is onsite, and it’s fast and easy to restore to its original location. But what happens if:

  • The power goes out?
  • The device fails?
  • The equipment is stolen or fails?

You might think the cloud looks more attractive due to onsite backup’s “what ifs,” but cloud-only backup is risky too.

  • What if you lose connectivity to the internet?
  • Restores tend to be difficult and time-consuming.
  • And, after all, the cloud can fail, too.

What is a hybrid onsite-cloud solution?

  • Your data is first copied and stored on a local device and your data is also replicated in the cloud.

StratX recommends that our clients purchase and use a hybrid onsite-cloud backup solution. By using onsite backup to mitigate the risks of the cloud, and using the cloud to mitigate the risks of onsite backup, your data will be available to you in case of an emergency and allow you to put your business continuity plan into action.

Furthermore, we recommend our clients use a hybrid onsite-cloud solution which gives them the ability to work virtually. The backup contains full server images (vs. only files or data) which can be restored or activated as servers in a disaster and allow you to work as if the original servers were still functioning – this is where a business continuity plan comes into play.

Business continuity, the ability to keep daily operations running, isn’t a product that you purchase per se; it’s the action plan that is designed and managed by your IT staff or vendor.

The plan lays out how you will access your server, software, applications and data when disaster strikes and also sets a timeline to achieve that access. It should also have provisions to have your IT support continually test the process before you are faced with an issue. It’s better to troubleshoot failed “test” restorations than to lose days, weeks or even months reinstalling and configuring your systems.

The only safe way to head off downtime of your systems, regardless of the cause, is to be informed and prepared. Do you have a clearly outlined plan in place for your practice?

It’s critical that you are prepared. Ask your IT staff:

  • How quickly can my business be up and running in the event of disaster?
  • Do we have documented backup, security and a business continuity plan in place which meet our regulatory requirements?
  • Is all of our critical data backed up daily, or more frequently?
  • How fast can we get our systems up and running to a pre-disaster operating state?
  • Have we done a real-world test of our backup and business continuity plan?

 

Jack Mortell

SRSsoft guest blogger: Jack Mortell of StratX IT Solutions

* Print our “email safety guide” for your staff. It describes the key signs they should look for to identify and avoid opening malicious emails.

MACRA News: CMS Yields to Pressure with “Pick Your Pace”

As everyone is in the midst of anxiously trying to prepare for MACRA while awaiting the Final Rule (due November 1), CMS announced yesterday that it is stepping back the requirements and the timetable to make it easier for providers to avoid the 2019 negative payment adjustments set out in the Proposed Rule. This decision comes in the wake of 4,000 comments and subsequent pressure from professional groups and from Congressmen/women pleading for relief from the rushed implementation of a complex and overly aggressive set of requirements that would negatively impact many practices, particularly small groups.

Andy Slavitt, Acting Administrator of CMS, published a blog that gave an overview of the new options that allow providers to “pick their pace” of complying. It appears that the only way a provider would receive a negative adjustment in 2019 would be if they do almost nothing in 2017. He outlined 4 options for participation:

  1. Do something! Avoid a negative payment adjustment in 2019 by submitting some data in 2017. This begs the question: what constitutes “some data?” Does this mean some data in each MIPS category, some data in one category, quality data only? (To me, the wording in Slavitt’s blog is reminiscent of CMS’ past MU shift to “capability enabled” or “met for 1 patient”.)
  2. Report for a short reporting period (“a reduced number of days”) could qualify you for a “small” positive payment adjustment.
  3. Comply with MIPS as defined in the Proposed Rule—or I assume, as it will be defined in the Final Rule— for the full calendar year and you could qualify for a “modest” positive payment adjustment.
  4. Participate in MACRA’s Advanced Alternate Payment Model option. CMS is hinting that it may broaden the definition of an APM.

This news will no doubt be greeted with relief and cheers by most providers, but I wouldn’t be surprised if they are left feeling more uncertain now of what will be required in 2017 than they did before the announcement! What constitutes sufficient reporting in options 1 and 2 above? How many days are in a short reporting period—90 perhaps? How do the revised “small” and “modest” payment adjustments compare to the potential 4% proposed for 2017 and to each other? Will performance still be evaluated relative to other providers? And what happened to budget neutrality, i.e., where is this money coming from if hardly anyone will receive a negative adjustment?

Please let us know what you think of this latest MACRA news, and stay tuned as we learn more!

MIPS: 5 Things You Can Do Now to Prepare

Even though the final MACRA rule is not expected until November 1, 2016, you would be well advised to start putting an action plan in place now. As proposed, the first performance year begins on January 1, 2017, a mere 2 months after the expected release of the Final Rule—you won’t have sufficient time to prepare if you wait until then. Yes, CMS has hinted about a possible delay or a shortened reporting period (in response to numerous concerns expressed in the 4,000 comments to the proposed rule), but you cannot bank on that until it is finalized. There are things you can do to start planning your strategy and improve your chances of success when this first regulatory foray into value-based payment begins:

  1. Focus on 2016 PQRS reporting: Quality reporting carries a 50% weighting next year, which makes it the most important of the 4 MIPS performance targets (the others being Advancing Care Information, aka MU; Clinical Practice Improvement Activities; and Resource use, aka cost). Take advantage of the next 4 months to improve your quality measure workflow and reporting.
  2. Think about whether to report MIPS as individual physicians or as a group: It’s important to look at your practice’s current MU and PQRS performance as a predictor of which option might be more beneficial. You may already be reporting PQRS as a GPRO—success here makes a strong argument for reporting all categories as a group. (Remember, as proposed, you must report consistently across all 4 MIPS categories.)
  3. Develop workflows to support success: Identify the ACI patient engagement and health information exchange (HIE) measures that are of most interest or relevance to your practice. Analyze and try to enhance the workflows that support these measures. Ask your EHR vendor for a professional services evaluation—they may be able to offer assistance in this regard.
  4. Review the list of Clinical Practice Improvement Activities: Review the list provided in Table H of the Proposed Rule. Are there activities that fit your practice or possibly some that you were considering, even before MACRA?
  5. Evaluate your current technology resources: Is your EHR up to the job—or is it killing your productivity, particularly when you use it to meet the government requirements? If you are not satisfied, now is a good time to implement new technology.

The most important step to take now and in the coming months is to keep yourself educated and up to date as the regulations evolve and the start date approaches. (But you clearly know that, since you’re reading this post!) On cms.gov, you will find Quality Payment Program Resources pages. You can also consult your professional societies/academies for specialty-specific guidance or reach out to your EHR vendor for training. I invite you to watch (or watch again) my webinar titled, “MACRA/MIPS: 962 Pages in 30 Minutes”, which is available on demand.

Frictionless Product Delivery

What if I told you that software deployment could be simple? You’d likely accuse me of smuggling Kahlua into my morning coffee. It seems like only yesterday that installations required CDs and that every workstation needed hands-on attention. Once you got to a particular unit, you would be greeted with an array of screens and prompts that could conceivably require hours of monitoring. Allow me to assure you that those days are over!

The term “innovation” is usually applied only to product development, but at SRS, we have pushed this approach to all facets of what we do, including procedures and processes. One of our many innovations this year has been the incorporation of a software deployment tool, which silently installs applications without user interaction.

While I would love to take all of the credit for this major advancement, I can’t. We first heard about it during our IT Round Table collaboration session at our User Summit last year when we were discussing the tools IT professionals use for software, patches, and file deployments across their infrastructure.  All were pleasantly surprised by the ease of use, consistency, reliability, and advanced options offered by this software deployment tool, and they all agreed that it was much more reliable than Group Policy deployments and other well-known software deployment tools on the market. We took this feedback and did our homework.

How does this Software Deployment Tool benefit you?

  • Quick and easy deployments – only one resource needed to create and deploy a package across multiple sites without any user interaction
  • Deployments scheduled at your convenience
  • Detailed report provided in real time during and after the deployment is completed
  • No prior technical knowledge required

In some cases, the workstation deployment time of an SRS upgrade has been reduced from 3.5 hours to 20 minutes. That is an outstanding 90% improvement! A simple adjustment to your process can have a dramatic impact on both the time and cost spent in the deployment process.

You must be wondering, “There has to be a catch!” I assure you, there isn’t! Perhaps the best part is that there’s no need to review a complex manual. At SRS, we provide training and testing, and have confirmed that non-technical users can configure the deployment and re-use it without our assistance—it’s that easy!

Whether your focus is software development or deployment, or sales or marketing, innovation designed to remove friction will always lead to increased efficiencies and better results!

The Right Tools for Relevant Results

There is discussion in the industry about the effectiveness of healthcare information technology (HCIT) solutions. And so there should be; although we have seen improvements in HCIT solutions, a significant number of physicians are not happy with their current systems. Perhaps it is because some vendors feel that they know what’s better for their practice, and build the system around their vision at the expense of how the doctor likes to do things. Or maybe it’s because vendors sell practices solutions that aren’t specialized to their requirements—leading to complexity, fatigue and frustration. In either case, doctors are forced to use tools that are inappropriate to their needs and slow them down.

It’s not rocket science: doctors want tools that help them do their job effectively. Like the stethoscope—it’s one of the oldest medical tools still in use today, but it continues to perform an essential task, even in an era of high tech, and there is nothing complicated about it. Although it was originally invented to spare a young physician the embarrassment of putting his ear directly up against the chest of a young woman, it turned out to have enormous diagnostic value. Because of that, the stethoscope quickly caught on with other doctors.

Another good example is molecular breast imaging (MBI). Mammography was a good way to detect breast cancer, but MBI turns out to be three times more effective at finding tumors in dense breast tissue. MBI is simply a tool that has produced better results.

What about laser surgery? Developed at first for eye and skin surgery, it has expanded its range to include different medical and cosmetic procedures, from cosmetic dermatology to the removal of precancerous lesions. Laser surgery allows doctors to perform certain specific surgeries more safely and accurately—again, a new tool that provides better results.

When it comes to HCIT solutions, however, the reception has been decidedly less enthusiastic. Maybe that’s because, in contrast to the examples above, it hasn’t been clear what the purpose of HCIT solutions actually was. To help doctors collect data on patients, or to help administrators collect data on doctors? To make practices more efficient, or to simplify the government’s monitoring of public health? Without a clear task to perform, it’s not surprising that HCIT solutions have produced mixed results. It’s hard to assess the value of a tool when you aren’t sure what it is supposed to do.

It turns out that, like the stethoscope, electronic health record solutions were a tool designed for extra-diagnostic reasons, and then later repurposed. However, unlike the stethoscope, the adoption of EHRs has been driven not by doctors who found them helpful, but by hospitals, insurance plans, and government agencies who sought to control skyrocketing costs and standardize healthcare. This disparity has been an underlying cause for ineffective workflows within the systems. And even when EHRs were designed with physicians in mind, they were designed for primary care physicians, leaving the specialist community underserved.

What is clear is that, when an HCIT solution is designed with the primary purpose of helping doctors, the industry does see value in them. According to the latest Black Book survey of specialty-driven EHRs, 80% of practices with specialty-distinctive EHRs affirm their confidence in their systems. The same survey reported that satisfaction among users who had switched to specialty-driven EHRs has shot up to 80%. And finally, 86% of specialists agreed that the biggest trend in technology replacements is specialty-driven EHRs due to specialist workflow and productivity complications.

The statistics show what we already knew; doctors want the technology and tools that give them relevant results. Like earlier great medical inventions, HCIT can play a vital role too. One positive development is that EHRs, like the lasers used in surgeries, have evolved to serve a variety of specific purposes. Just as there isn’t a single type of laser that is used by both ophthalmologists and dermatologists, EHRs are increasingly specialty specific.

This means that specialists are no longer forced to use systems designed for primary care physicians that collect every piece of data that every type of doctor might possibly need. That sort of all-inclusive data collection doesn’t lead to better results; if anything, too much data causes unnecessary clutter, making analysis more difficult. What is crucial is having more RELEVANT data. Specialists need EHRs that collect the data that is relevant to them, and only the data that is relevant to them. They need an HCIT solution that is driven by their specialty, that respects their workflow, and that has the flexibility to handle their practice’s unique requirements.

To find out more about developments in HCIT solutions that are improving patient care, check out our latest whitepaper, “Healthcare: How Moving from Paperless to Frictionless is Improving Patient Care”.

90-Day MU Reporting: Deja-Vu All Over Again!

Last week, in keeping with what seems to have become a mid-year tradition, CMS issued a proposed rule that—amidst its 700-plus pages related to hospital payments—reduces the 2016 MU reporting period from the full calendar year to any 90 consecutive days. (Note that this applies only to providers participating in the Medicare, not Medicaid, EHR Incentive Program, and has no effect on PQRS reporting.) Would it have been better if the announcement had come in a more timely fashion—i.e., at the beginning of the year instead of the middle? Absolutely! But don’t let that keep you from taking advantage of this opportunity.

This is good news for providers who had given up on MU for 2016—or who got off to a slow start on the program this year. Here’s an opportunity to get back in the game and avoid the 2018 payment adjustment (3% or 4%, to be set at the discretion of the Secretary of HHS). It also provides a bit of a breather for those who are successfully demonstrating meaningful use and may be able to identify an already-completed 90-day period during which they met all the requirements. These providers can now turn their attention to preparing for MACRA, which is proposed to be effective on January 1 and in which MU (renamed “Advancing Care Information”) is only one of the four components.

So, what accounted for this change? Is it an indication of a kinder and gentler CMS to come? The CMS Fact Sheet states that CMS is trying to “assist health care providers by increasing flexibility in the program.” Was it in response to the deluge of comments to the MACRA rule that screamed “Help!,” or to the repeated requests for relief submitted by providers, organizations, and members of Congress? Let us know below what you think brought about this change of heart.