In my May 2015 article on Risk-Based Thinking (RBT), I discussed the current state of healthcare related to risk and our current performance as a profession.  Since that article, there have been other journal articles that showed improvements in our performance, related to risk, which we all know translates to patient safety.  Today I see that 241 hospitals appeared on the CMS HAC (Hospital Acquired Conditions) list for the third year in a row

    Rather than repeat the performance data detailed in the last article, I’ll spend more time on the benefits of implementing, maintaining and improving an integrated process and risk based management systems as part of your accreditation.
  
   Let’s start with some brief definitions.  Risk is defined as the effect of uncertainty on achieving objectives.  Risk-based thinking is not defined in our DNV-GL accreditation (specifically in ISO 9001:2015), but it was defined in a pre-cursor document to the 2015 version...and I like this definition.  Risk-based thinking is defined as the “process of considering risk qualitatively and possibly quantitatively when planning, implementing and managing a quality management system”. Aviation and nuclear industries use this definition of risk as it relates to operational and organizational processes.  This broadens some of the traditional definitions of risk (finance or legal) in healthcare. 
 
   We know that we are still very “siloed” in our hospitals.  We really understand our processes in our own silo, yet we are “under-aware” of the critical interactions our processes have with processes in other silos!  Negative issues manifest mostly when our efforts or our final products do not meet the need of the person or service in the next process.  This is a very real risk. 
 
     We need our processes to produce repeatable outcomes, based on process design, not on individual heroics.  Basic process management (understanding the processes and their sequence and interaction, which is a foundational element of your DNV-GL NIAHO accreditation) will enable you to better control and sustain those processes, especially those that require a high degree of consistency. You must include a risk consideration and work to improve consistency in those processes with the greatest risk.
 
     Hospitals should create a risk management framework, a defined organizational structure to manage risks, to help create better outcomes.  By creating a risk framework, integrated with our processes, we can produce a safer environment for our patients.  The need for heroics is diminished, since our processes are no longer “people- dependent”.
 
      While it is not a difficult process, it is the discipline to make these changes that is difficult.  Many of our contemporaries may not be open to change, so that hurdle must be addressed early. 
 
     Here’s how a sound, mature process and risk-based system can help you manage some current challenges. 
 
Value-based purchasing:  Moving to a “pay for performance” reimbursement model is the number one item keeping hospital CEOs and CFOs up at night in 2016.  Using the basic foundation that ISO 9001 presents, a closed-loop system for sustainability and improvement, a hospital can better manage contracted staff and ensure more consistent outputs of clinical services.  This also includes the ancillary or support activities, such as purchasing, EVS/EMS, Sterile Processing, etc., that can indirectly affect clinical outcomes.
 
HIPAA Compliance:  Now that fines are being levied for breaches (thanks to HITECH), maintaining privacy has become a real liability to our bottom line.  Using your design requirements to create and improve processes that factor in the risk of failure, you can best manage your IT, human factors and the interfaces between both.  Using the same closed-loop system described above, you can check the degree of effectiveness routinely before an event might  occur.
 
ICD-10 implementation: Implementing ICD-10 was a major undertaking.  There was a lot of confusion and anxiety associated with the change.  Working in an environment that manages processes well, (business as well as clinical) can ease the concerns brought about by changes such as ICD-10 implementation.  You have a defined approach for managing change that will create reasonable assurance that you considered all potential risks and worked to overcome all significant roadblocks. Additionally, the new requirements for awareness, specifically, the negative effect of non-conformance on the organizational objectives, increases internal communication and can reach across silos to ensure we're all doing the right thing.
 
MACRA: The uncertainty that this change is bringing in 2017 can be managed through similar requirements described above in value-based purchasing, etc.  In fact, most significant changes that occur in hospitals, can be managed effectively by optimizing the foundational elements of your DNV-GL accreditation.  By nature of the design of the quality management system being integrated into your hospitals business processes and strategic direction, the benefits just need to be identified and realized.
 
     Also, consider implementing an advanced level of internal auditing that works into your accreditation,  called Value-added auditing (VAA).  Value-added auditing provides a more mature and thorough look at all of your processes (clinical, financial, managerial and support) and can provide a prospective view (not just retrospective as internal audits have been historically) of your hospital operations. 
 
     We have to move from the silos we have created and understand how our processes affect other processes, directly and indirectly.  Inserting a risk management framework (risk-based thinking) into our process management will begin to optimize your accreditation.
 
     Commercial aviation made this leap to next level process and risk management years ago.  Having worked with NASA during these changes, specifically after the Columbia disaster, I understand how they broke down their silos and worked as a true system.  Though not perfect, they manage their processes and associated risks at the right level to gain that assurance that the mission will be a success.  Our patients deserve the same, clinically and financially.  If we don’t manage our business processes, we can go broke trying to help our patients.  If we don’t manage our clinical processes, we can go broke trying to defend ourselves in court. 
 
Ted is a Pharmacist, a Certified Enterprise Risk Manager (CERM©), and a Senior Advisor with BlueSynergy Associates.  He advises and instructs hospitals in quality, risk and environmental management systems.  Ted led the largest ISO 9001 implementation in healthcare at the Veterans Administration.  He is a Senior Member of ASQ and a certified Lead Auditor in quality management systems by Exemplar Global.  He can be reached by email at tschmidt@bluesynergyassociates.com. 

By: Jeff Harris, RPh

       Bob is a hockey fan. His Facebook timeline is filled with posts about his favorite team and his search for tickets. Bob also works in the department of Health Information Services for a major hospital in a large city. One day Bob receives an email at work informing him that he has won two tickets to the upcoming semi-finals in which his beloved team will be top seeded. Finally entering in every contest for free tickets that popped up on social media had paid off! He eagerly clicks on the link but nothing seems to happen. The next week the hospital's network is down and a shadowy group is demanding thousands of dollars to unlock critical records.
 
       What Bob experienced is called “spear phishing”.  Regular “phishing” is to cast a wide net and see who you can “catch”, similar to sending out large amounts of spam emails and hoping that the right person will click on the link. Spear phishing, in contrast, involves targeting a specific individual who has been researched through social media or otherwise and selected based on his accessibility to desired networks 
 
       Ransomware is a type of malicious code used by hackers to encrypt a target's files, making a healthcare organization unable to access critical patient data. Once the target clicks on the link and the system is corrupted, the hackers will then offer to unlock the files for a fee in untraceable currency.
 
       How prevalent is ransomware in healthcare organizations? One poll showed that up to 75% of hospitals reported have some sort of ransomware attack in the last year. Since this was self reported, it begs the question as to how many hospitals chose to quietly pay the ransom and not to disclose the attacks.
 
   There is an entire industry devoted to stopping ransomware, and many recommendations to combat these type of attacks including: having a robust back up system, making sure ALL hardware is updated with the latest patches – even the IV pumps in storage and used only rarely, and regular vulnerability scanning and penetration testing as outlined in HIPPA and HITRUST guidelines. 
 
      I do think that the biggest factor is being ignored, the human factor. According to CompTIA, an IT industry trade association, human error is responsible for 52% of breaches in network security. Our digital lives and our work lives are becoming increasingly intertwined. Perhaps training employees like Bob in the safe use of social media at home will go a long way towards creating a culture in which safe Internet practices are second nature at home and at work. Something has to be done. A study done in September 2016 by a security firm determined that employees download malware once every four seconds. More focus on this critical area is essential if we want to stop the relentless attacks on our health care records.

By: Ted Schmidt, RPh, CERM

       With the recent changes to the enforcement of HIPAA and HITECH (Health Information Technology for Economic and Clinical Health Act), “covered entities and their business associates” (aka hospitals and their providers) will now be subject to fines/penalties for noncompliance.  Since HIPAA was enacted in 2005, the consensus is that there has been little enforcement of these requirements.  Since the advent of HITECH in 2009, there is actual language in that act that calls for enhanced enforcement.  This enforcement will come from HHS as well as the states Attorney Generals.  With all of the recent publicity regarding hospital data breaches and PHI ransoms, we can expect to see much more activity in the enforcement arena.
 
       The enforcement of the "rules" from HHSs Office of Civil Rights (OCR) is now happening and findings of non-compliance can bring the hospital or entity significant fines.  Fines and penalties can go as high at $250,000 for “willful neglect” and up to $1,500,000 for repeat offenders.   A recent article stated that a nursing home system in Pennsylvania was fined $650,000 for repeat issues related to these rules. In today’s healthcare economy, that's money that the hospital or entity could better use somewhere else. No margin, no mission!  Writer’s Note- since I first started this article, it was announced that a health system in Oregon paid a $2.7 million fine to HHS for two (2) HIPAA breaches.
 
      The HIPAA and HITECH rules can be classified into three sets, which include: Privacy (with 81 requirements), Security (with 78 requirements) and Breach Notification (with 10 requirements).  These requirements form the foundation for the enforcement audits.  Maintaining compliance to these 169 requirements is not only required, but failing to do so can increase risk to your patients AND your hospitals reputation and of course, your bottom-line.  
 
     Compliance begins with conducting a risk assessment.  Federal law states that all healthcare organizations that are covered entities or business associates under the HIPAA Privacy and Security Rules conduct a thorough and accurate Risk Assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the entity (45 CFR Part 164.308(a)(1)(ii)(A)).  While there is much speculation about these security risk assessments, the government does give us some insights on the conduct of these assessments.  As reported on the HealthIT.gov website, the Top 10 Myths about Conducting your Security Risk Analysis can give some structure and understanding to the scope of this activity.  This “top 10 list” dispels some rumors about the intensity, frequency and methods that must be used to conduct this risk analysis.  However, as is typical in government requirements, the government does not give specific direction on “how” to do the risk analysis, but rather, “what” has to be done.  On the same webpage (HealthIT.gov), there are other valuable resources: a Security Risk Assessment (SRA) tool and a SRA Tool User Guide.  Both of these resources are valuable and available for download.
 
      The relationship between your NIAHO accreditation and HIPAA/HITECH is more evident with the recent updates from the US Department of Health and Human Services (HHS) and the release last year of ISO 9001:2015.  There are many controls that currently exist in your accreditation (NIAHO and ISO) that affect your compliance to these rules from HIPAA/HITECH. The following list of common HIPAA/HITECH findings are coupled with existing accreditation controls that would mitigate these findings:

Common Finding #1- Business associates (aka "suppliers", aka "contractors") are a common source of noncompliance.  These persons are controlled per your purchasing and contracting controls in ISO and NIAHO.  Properly written contracts will detail specific internal controls for managing devices, PHI, computer access, etc.  Also, required re-evaluation of these business associates will ensure compliance based on data collection, analysis, evaluation and possible actions of those highest risk activities.  NIAHO GB.3 and ISO 9001:2015 (8.4) are a part of your accreditation and your management “system”.  For instance, a business associate that has performance criteria (based on risk) in their contract will have metrics associated with those performance criteria.  Using the system of ISO 9001, when those metrics are measured, analyzed and evaluated, the results dictate if action is necessary.  This action could be no action, corrective action or preventive action (aka risk avoidance/mitigation).

Common Finding #2- Improper disposal of PHI.  Controls regarding disposition and protection of documented information (soft and hard copy) exist and all employees should be educated in this process.  This finding is strongly supported in your accreditation in ISO 9001 control 7.5.3.1.b (documented information adequately protected-which by the way includes soft and hard copy), 7.5.3.2.a & d (distribution and access of documented information and retention and disposition) and in NIAHO MR.4 (medical record confidentiality).

Common Finding #3- Hacking of computer systems.  Controls regarding maintenance of the infrastructure (hardware and software), addressing risk (which includes cyber-risk) and opportunities (ISO 6.1.2) as well as Physical Environment (PE.1) all require maintaining infrastructure from hacking.  

Common Finding #4- Lack of authorization for disclosing PHI.  There are controls to protect and safeguard patient property (ISO 9001 8.5.3), which includes PHI.  There are also controls in Medical Records (MR.4) to assure confidentiality of patients’ medical records.

      There is a silver lining that can be found in all of this complexity that we call hospital life…and that is your current accreditation provides the foundation for managing these potential, although common, HIPAA/HITECH non-compliances.  
 
     When you look at the basic structure of your accreditation, you’re reminded that it is built around the ever popular and ever effective, Plan, Do, Check, Act (PDCA) model.  This foundational structure is created to allow for full integration of a multitude of current other systems in your hospital, such as occupational health and safety, risk, environmental management, energy management, business continuity and even corporate social responsibility.    Managing your HIPAA/HITECH requirements should be no exception, as it relates to organizational risk.
 
      Your Security Risk Assessment (SRA) should be a part of an enterprise Risk Management system, not a risk assessment in it’s own silo.  There is too much opportunity for leaving white space blank, increasing redundancy and miscommunication when your HIPAA/HITECH risk assessment only considers the HIPAA/HITECH requirements.   The effect that other processes (risk and operational) have on your HIPAA/HITECH outcomes is mostly unknown until you consider risk from an enterprise perspective.  For instance, if you allow business associates to access your computer network remotely, are you certain that their access is appropriately protected so as not to compromise your network?  That’s how Target and Home Depot got hacked of their credit card data.  Could your business associates unknowingly leave a gate open when they leave your network? In either case, your hospital is now vulnerable and your hospital is responsible to pay any penalty for a PHI breach.
 
      Risk is risk no matter where it falls in your compliance requirements such as OSHA, FDA, HHS, DEA, state requirements, etc. HIPAA/HITECH risk, therefore, should be fully integrated with all hospital risk processes.  Risk should also be fully integrated at all levels, from the strategic level down to the transactional level.  In short, risk management for HIPAA/HITECH should be part of an enterprise risk management system. 
 
      We’ve seen the unsafe and embarrassing results of not managing our processes on an enterprise level (remember the IOM study “To err is Human”) and we’re still trying to dig out of that mess.  Fast-forward over 15 years and we’re still dealing with the same patient safety issues.  Why is that?  Aren’t we dedicated, smart people who come to work every day to help our patients?  We have failed in managing our processes properly but now we are hearing all about enterprise risk management.  To be certain, our risk management attempts will fail if we do not properly manage our processes and properly integrate risk with these processes.
 
     There are a multitude of management systems that are designed to help you manage your PHI that are integrated systems.  These include ISO 27001, Sans Top 20, COBIT 5 and NIST has several options to consider.  The primary consideration should be that your risk and process management systems be fully integrated into one system that covers your business as well as your clinical processes.  You’d never believe that your current accreditation meets this need.

Ted Schmidt is a Pharmacist, a Certified Enterprise Risk Manager (CERM©), and a Senior Advisor with BlueSynergy Associates, LLC.  BlueSynergy Associates maximize innovation, experience and customer perspective to reduce risk and make hospitals a safer environment. He currently advises and instructs hospitals in quality, risk, safety and environmental management systems.  Ted led the largest ISO 9001 implementation in healthcare at the Veterans Administration.  He is a Senior Member of the American Society for Quality and a certified Lead Auditor in quality management systems by Exemplar Global. 

        Hospital resource changes in the last 3-5 years have been challenging.  Meaningful use, value-based purchasing, ACO’s, ICD-10, patient safety issues, cyber security all require additional resources that may not have been budgeted and funded.  In addressing these needs, your hospital’s focus on its vision may become fragmented.
 
     Fortunately, some of you may already have the architecture in place to help keep your focus, namely, your DNV-GL accreditation. By bundling NIAHO℠ with ISO 9001, DNV-GL creates the best platform for hospitals to address their clinical needs and achieve their Vision in a disciplined, proven system of management.  Here’s how it works:
 
     ISO 9001:2015 is part of your accreditation.  So, your accreditation requires hospitals to align their strategic and business processes with the quality management system.  Your accreditation also requires you to integrate your process management with your risk management.  Other requirements include creating and managing objectives (operational as well as financial); measuring your performance to your objectives; analyzing and evaluating your performance; and responding to your performance for improvements as needed. 
 
     Your hospital’s vision, mission and values are fundamental to success.  You need to know where you are going and whom you are going to serve…your vision.  You need a plan to get where you are going.  Strategic, tactical and operational plans are paramount to define your mission to achieve your vision.  And your hospital and personal values are those attributes that are key to your success.
 
     If you have a vision: “to be the healthcare provider of choice in the community” or  “to deliver care to the poor and underserved in the community”, your vision needs to be realized.  Your accreditation allows you to create high level objectives that will help you fulfill your vision.  The objectives created for the mission should always cascade from the vision objectives.  These mission objectives can be strategic (deploy homeless initiative in our community), tactical (develop and deploy teams of clinicians and social workers), or operational (teams focus on primary needs for women and children, specifically maternal and new baby services).  Your values will give you those attributes needed to be successful, personally and collectively. Many hospitals measure the degree of implementation of their values in their employee performance evaluations and surveys.
 
     You use risk-based thinking (RBT) to focus on what’s most important so you can maximize your resources.  RBT is nothing more than employing some activity to determine what could prevent you from achieving your objectives. Once you know where to create objectives and what objectives to create, fulfilling the objectives is achieved by creating more objectives at the lower layers.  These objectives cascade down to the lowest layer so that everyone’s work helps achieve your overall objective.
 
     To illustrate, the owner of any NFL team has to have full faith and confidence in his/her general manager. If the general manager is in lock-step with the head coach, the synergy is evident.  Together they manage the talent (current and future), the salary cap, the PR, etc.  When the same head coach is in lock-step with the team captain, then the players all work to help achieve the objectives.  In today’s NFL, a half-step taken incorrectly can ruin a play. One play can win or lose a game. It’s that predictable.  More over, the likelihood of the team achieving its vision is greatly enhanced when all of these layers align and the player taking the half-step is aware of the importance of that half-step.  It’s the same in hospitals.
 
     The old phrase in healthcare, “no margin, no mission” still applies today. Communicating your vision at all layers is as important as the objectives you need to achieve to reach your vision.  Cascading your objectives can help ensure your hospitals remain financially and operationally sound.  If you get it right at the high layer (the NFL team owner or the governing body in hospitals), you will have success at the operational layer.   The means for managing these objectives at all layers lies in your accreditation.  How about that?  You’re already paying for your accreditation!

Ted is a Pharmacist, a Certified Enterprise Risk Manager (CERM©), and a Senior Advisor with BlueSynergy Associates.  BlueSynergy Associates maximize innovation, experience and customer perspective to reduce risk and make hospitals a safer environment. He advises and instructs hospitals in quality, risk and environmental management systems.  Ted led the largest ISO 9001 implementation in healthcare at the Veterans Administration.  He is a Senior Member of ASQ and a certified Lead Auditor in quality management systems by Exemplar Global.  He can be reached by email at tschmidt@bluesynergyassociates.com or by calling toll free at 844-424-7825.
 
​
​

      Many hospitals have started the ISO 9001 journey. This journey probably started because the hospital wanted a fresh and new approach with their accreditation.  For the first time a hospital could begin to decide how they would meet requirements and not have to abide by a prescriptive way of doing things.

     To implement the DNV-GL accreditation requires a hospital to establish a formal quality management system (QMS). This QMS is based on the framework of ISO 9001:2008 and now requires a transition to the 9001:2015 standard. But guess what, ISO only tells you WHAT you have to do and not HOW to do it. Now the problem begins, so let’s look at these 3 reasons to gain understanding.

     Reason number 1: The original message on how to best learn and implement ISO 9001 was to send someone to an ISO 9001 Lead Auditor course.  This course is intense and overwhelming for many of the attendees. I know because I have taken the course myself and my hand never really did recover from all that writing. In addition to being a student in one of those courses, I am a trainer for the week long course. Yes, that is right, I admit it.  I am one of the few trainers for the 9001 Lead Auditor for Healthcare course in addition to the 9001 Internal Auditor course for healthcare.  The lead auditor course really is a great course. It is accredited by Exemplar Global and at the end of the course; you get a certificate which is a personal certification to the lead auditor requirements. Great! But what does that mean exactly?

      That means you have successfully completed a training course (Congratulations, you did earn it!) which is a requirement to be a lead auditor for a certification body – like DNV-GL. In addition to one of these lead auditor courses, you must perform a number of ISO 9001 audits (measured in days) where you were the lead auditor and some you may have just been a team member. Then you submit your audit log, certification number from your class, and of course a check (over $500 the first year) to one of the ISO accreditation bodies like Exemplar Global and now you are an official card carrying lead auditor for an ISO 9001 QMS (I admit I am one of those nerds). Why would you do that? Because it is a requirement to be a lead auditor for a certifying organization like DNV-GL and other registrars. It really is a great course, BlueSynergy Associates offers it for a reason and we deliver the course in-house and publicly.

      Question: Did you notice how I never mentioned how this course will help you plan, document, implement, and improve your 9001 QMS, especially how to transition to the new 2015 standard? - That’s right; I did not say any of those things. Here is a better option for those looking for more or better education, especially as it applies to helping a hospital move from being a reactive culture to being a proactive one – think “PRN”.  Click the “better option” link above and see what I mean.

     Reason number 2: Most of the common implementation methods that you have been exposed to came from the automotive & manufacturing industries.  I don’t consider healthcare as an industry, we don’t have smoke stacks filling the sky and we certainly do not produce standardized “widgets”. Healthcare is a profession. It is a profession in which we provide  complex services to people, our patients. When our processes fail we potentially harm a person; when manufacturing fails they make an inferior product. Big Difference!

     BlueSynergy Associates offers a FREE webinar. The webinar covers some of the changes from the 2008 standard to the 2015 standard, an intro to risk-based thinking, and some thoughts on transition planning. It is an hour in length and it is delivered entirely from the healthcare perspective.  Check it out or forward it to a friend, or even better, check it out and forward to a friend.

     Reason number 3: You hired a food critic to teach you how to become a chef! Wait, what? Let me explain. Hiring a consultant with a background primarily in surveying / auditing to provide input for your QMS is like hiring a food critic to teach you how to cook. Being a great food critic does not make you a chef. A food critic has many talents and has sampled a lot of food presumably, but knowing how to critique food does not necessarily translate to knowing how to teach someone how to cook.

     I’ll explain further. Many ISO surveyors become consultants or moonlight as consultants. This brings some benefits as well as some shortcomings (see Reason # 2 above, guess where they got their start?).  Think of a former ISO surveyor as the food critic. Their job as a surveyor is to look for compliance; are you meeting your requirements. Being compliance minded is the major drawback. Yes, they have seen many examples of how to meet a requirement (food critic), but most truly lack the experience ofhow (chef) to use ISO standards as a performance framework. If you use a chef to teach you how to cook and a food critic to tell you objectively what you are missing, you will have better outcomes. Each individual is working in an area they know best.

      Now let’s put a bow on these problems. Each year, your leadership is expected to manage costs and improve the value of care you provide to your patients.  The DNV-GL accreditation model was built with these same goals in mind. However, your QMS that is maturing, is not showing the ROI everyone had hoped and may not be maturing at the rate necessary to keep up with increasing demands on your hospitals’ needs.  Your internal audit program and all of your internal auditors are supposed to add value through the internal audits and their findings. Yes, they do have findings, but no one is necessarily sure how or if the findings are seen as a value to leadership and that the resources applied to your QMS & accreditation are producing results which are truly recognized as an asset to your hospital.    

     Your transition to the 2015 standard is the perfect time to pivot your QMS and show your leadership that accreditation doesn’t have to cost, it should pay. After all, this is likely why many hospitals left TJC and moved to DNV-GL. The 2015 QMS standard requires integration of your patient care with your strategy and business processes. This alignment will help drive high reliability as well as high value patient care.
   
​      Some questions to ponder?

1. Do you think that simply rebranding ISO 9001:2008 courses for ISO 9001:2015 will help you realize value? 
2. Do you think this same way of thinking will help you pivot your QMS to the original vision you had with DNV-GL?

     Thank you for your interest and time to read all the way to here.  I am passionate about what I do and I would welcome the opportunity to learn more about you and the journey your hospital is taking to sustainable improvement. I can be reached by email at eschulze@bluesynergyassociates.com and by calling me toll free at 1-844-424-7825. Your comments are always welcome.

​Until next time,
Eric