Technically Speaking: Securing Your Personal Zoom Accounts

As health care providers, it is our duty to safeguard our patients’ protected information. And as professionals, it is our duty to keep private matters private. Last spring, our security team learned of multiple instances when uninvited users joined a meeting, were confronted and left the meeting without saying a word. While these incidents may have been accidents, they were suspicious enough to warrant widespread conversations regarding masking meeting details in Outlook calendar settings. Now another similar vulnerability has been brought to the fore.

This time the risk lies within Zoom. Zoom, if by some odd chance you’ve never heard of it (where have you been?), is a video conferencing platform that lets users communicate via virtual meetings. It’s a powerful tool that has, along with its competitors, allowed us to maintain productivity throughout the pandemic while also keeping safely separate from one another. Children’s has an enterprise account, but Zoom also allows individuals to create accounts of their own. Many of you have already done this, which is totally acceptable; however, individual users are often not utilizing the built-in security features that Zoom offers.  This creates a security risk.

Therefore, beginning Nov. 1, all accounts created in Zoom with a Children’s email address will require the use of the waiting room feature and meeting passwords. This change will apply to all Children’s domain accounts, whether assigned through Children’s, or self-requested through Zoom. While it may not seem like much, this will make meetings as secure as reasonably possible and keep unwanted guests out.

As a reminder, Children’s encourages the use of Zoom for meetings with 50 or more participants and Virtual Care appointments. WebEx is to be used for all other use cases.

Thank you for your cooperation, your understanding and for all you do to make our digital world safe and sound. Please contact Mark Vande Brake if you have any questions about Zoom, or reach out to me regarding any other technology issues.

Special thanks to Melissa Rappl, chief information security officer, and Mark Vande Brake, teleconference/av analyst, for their contributions to this week’s piece.

Stephen Dolter, M.D., CMIO

Technically Speaking: Sharing Resident Notes

Medical records belong to patients… or, in pediatrics, parents. At any time, a parent (or guardian) can walk into Health Information Management (HIM) and request a copy. But that’s a pretty big hurdle, so the government has been working to make accessing records easier for patients and families. In 2020, the ONC* Cures Act Final Rule (an information-blocking provision) went into effect. This stipulates, among other things, that health care organizations cannot block electronic access to most parts of a patient’s medical record; they must be shared freely. This includes (but is not limited to) clinical notes, lab and imaging results and medication and allergy lists.  You can read all about it here, but be prepared to spend several days digesting it. Fine. No big deal. We’ve actually been doing this for years.

But what about resident notes? Lots of us use those as a framework for our own notes.  Addend, make changes and sign. What happens to those? Well, up until now, the attendings had to click a button at the top of the note to share it. Otherwise it didn’t go anywhere. The reason behind this is that we didn’t want families to be confused by reading a resident note before an attending had a chance to review it and make corrections. Any inconsistencies could undermine trust in the team and/or hospital. So, because the note was created by a resident, it wasn’t shared by default. In cases when the attending forgot to click Share, we were out of compliance. Houston, we have a problem.

Fortunately, Epic came through with a fix. We are now able to separate sharing from releasing when it comes to notes. Sharing now simply means that a note is eligible to be released electronically. It’s not until it’s released that it actually gets pushed to patients and families.  And what magically releases these notes now? Voila—an attending signature! So going forward, all resident notes will be shared… it’s just that they won’t get released until they’re signed by a staff physician.

Parallel to all this, the Centers for Medicare and Medicaid Services (CMS) relaxed their restrictions on attendings utilizing student documentation for billing purposes. This led to student notes being addended and signed. Fortunately, the above also applies to student notes; they’re only released when signed.

Compliance achieved? Yep. Extra work required? Nope. Actually, this new behind-the-scenes workflow requires less work for us! That’s a win in my book!

If you have questions or concerns about this new process, please reach out! Thanks for all you do to keep our patients safe and our organization in compliance!

* Office of the National Coordinator for Health Information Technology

Stephen Dolter, M.D., CMIO

Technically Speaking: ZOOM Telehealth Integration

Special thanks to guest contributors Jennifer McWilliams, M.D., Rebecca Ohlinger and Shawn Loftus for this week’s piece. Dr. McWilliams is the division chief of Psychiatry and medical director of Virtual Care at Children’s, Ohlinger is the manager of Virtual Care and Loftus is the Virtual Care Program Coordinator.

What is changing?

Telehealth visits will be transitioned to an integrated process that enables providers to start virtual visits in Epic, rather than signing in separately to Zoom.

When is the change occurring?

We will start a slow rollout on Oct. 4.

Why is this change occurring?

Integrating telehealth visits with Epic enhances the security of the visit and makes the process more efficient for nursing and access staff.

What do I need to do?

Add the Virtual Visits column to your Epic schedule.  See the attached tip sheet.

Details:

Beginning Oct. 4, we will start a slow rollout of a new integrated process that enables providers to start virtual visits in Epic, rather than signing in separately to Zoom. All telehealth appointments that are scheduled on or after Oct. 4 will be scheduled using new integrated visit types. Appointments that have already been scheduled, however, will not be converted to the new visit types and will remain scheduled with the previous visit types.

To identify if your patient has been scheduled with the new process, you will need to add the Virtual Visit column to your schedule in Epic. See the attached tip sheet on how to add this column.

When you begin a telehealth clinic day, look to the Virtual Visit column to determine how the patient has been scheduled. A video camera or a star (asterisk) will appear.

When a video camera icon appears in the Virtual Visit column, the patient has been scheduled with the new integrated process. If the patient has an active Children’s Connect account, they will join the visit from the patient portal. If they do not have Children’s Connect activated, Epic will email them a link automatically 45 minutes before the appointment. Wait for the camera to turn green and hover over the camera to see who is waiting to be seen.  Click on the green camera to start the visit.

When the star (asterisk) icon appears in the Virtual Visit column, the patient was scheduled prior to Oct. 4 using the old process. Log in to Zoom and click New Meeting. From there, wait for the patient to join then click admit.

An eLearning is available to all providers. Please take a couple of minutes to review this prior to the Oct 4 go-live.  CHSO – 73880 Zoom Integration for Telehealth. See the tip sheet on completing a virtual visit. Let us know if you have any questions!

Stephen Dolter, M.D., CMIO

Technically Speaking: Take Steps Now to Disable VoalteMe Lock Screen Previews

Greetings, fellow providers!

Part of our duty as medical professionals is to safeguard patient data from prying eyes. Our technical team just learned of a potential security issue that could jeopardize such data, and I wanted to share it with all of you as soon as possible.

VoalteMe, the smartphone app that runs on personal devices and allows users to communicate with providers, nurses and hospital staff using the hospital’s Voalte network, is now showing some message previews on mobile devices’ lock screens.  Message previews are nice—they allow users to see not only who a message is from, but also a portion of the content of the message.  This isn’t usually an issue for personal messages, but when those messages can contain patient health information (PHI), each one is a potential leak waiting to occur.

In the past, Voalte messages could not be previewed from a lock screen. This prevented anyone but the owner of the mobile device from reading any of the content of the message. Now a setting has changed that sometimes allows this to occur. We have deemed it a potential security risk.

While we dialogue with Voalte to see if we can disable previews, we encourage all of you to do so yourselves to safeguard your patients’ PHI. To do this on an iPhone, open your device settings (note: NOT settings within the Voalte app) and tap VoalteMe. Then tap Notifications and change Show Previews to When Unlocked or Never. This process is likely slightly different for Android users, but the idea is the same.

I’ll let you know if and when Voalte goes back to not allowing previews by default.

Thanks for keeping PHI secure and for all you do!

Stephen Dolter, M.D., CMIO

Technically Speaking: Phantom Voalte Alerts

Excellent communication is one of the cornerstones of the practice of medicine. Every day, we strive to advance the functionality of our solutions to ensure we can all talk to each other when necessary and do so in an efficient manner. So, when I heard about a bug in our Voalte platform that was compromising provider efficiency, I thought I’d let you know about it (and how to fix it).

From time to time, users will receive a Voalte alert that cannot be cleared.  No matter how often they open the app and tap on a conversation, Voalte will still list the conversation in bold font, and they will still see a badge on the Voalte icon on the home screen showing that they have an unread message. This invariably leads to the user thinking they somehow missed a message and checking multiple times, slowing down their day. This issue has been a problem for several months, but it seems to be much more common after the recent Voalte facelift. 

While we work on diagnosing the problem and implementing a solution, there’s an easy, temporary fix you can use—just quit the app and re-launch it! Note: quitting an app is not the same as returning to your device’s lock screen!

On an iPhone (X or newer), swipe up from the bottom and continue to hold your finger on the screen.  If your iPhone is a pre-X model, double tap the home button. On an Android device, tap the three dots in the bottom left. This will bring up a visual display of all your open apps. Flick the Voalte placard up to quit the app. Then, return to your home screen and tap the Voalte icon again. Your phantom message should now be cleared!

Some users have also reported inconsistent audible alerts (or a lack of audible alerts entirely) when using Voalte. These issues seem isolated and require unique fixes.

If you’re having trouble of any kind with Voalte, please reach out and let me know about it!  Thanks for all you do!

Stephen Dolter, M.D., CMIO

Technically Speaking: Junk Email

Whatcha gonna do with all that junk? All that junk inside your… junk email folder? It’s a fair question, so we should probably discuss why junk email folders exist and how to most effectively manage them.

When I was in college in the mid 90s, I got my first email account and would excitedly punch up the St. Thomas VAX system whenever I had a chance, hoping I would have a message. I went days without a single one, and when I saw that a new email had arrived, I wanted to jump for joy. By the time I graduated, I had multiple internet mail accounts, and the messages were starting to become more of a burden than a novelty. Even then, I was receiving just a few each day.

Fast forward to now. I have email accounts with Children’s, UNMC, Google, Apple and Microsoft and receive (literally) hundreds of messages every day. One of the most notable ways I manage to get through them is that I make extensive use of junk email filters. In fact, I have one entire account that I use for junk email. Junk emails are messages that users never even want to read. Our Office 365 accounts have built-in junk folders and automatically route messages there that fulfill one or more of a set of criteria. Without these, I’d be sorting through emails endlessly, but by making good use of them, I don’t even see half the messages I receive.

Does this message look like it’s sent to people on a mailing list? Junk it. How about that one?  Does it look like spam or a phishing scheme? Junk. Sounds great. But sometimes the filter messes up and messages wind up where they shouldn’t. This not only results in unwanted messages infiltrating inboxes, but also in wanted messages getting sent to junk folders.

IT leadership has heard from multiple sources that users’ junk filters have been getting inappropriately aggressive recently. We are investigating the cause, but until we find it, we recommend periodically checking your junk folder to make sure Outlook is filtering properly. I usually check mine once every few weeks and will sometimes find a message from a listserve or distribution list that I actually need. What should you do if you find the same is true?

In your junk folder, right-click on a message and click Junk. This will bring up a list of choices for you to take, including telling Outlook that it made a mistake.

You can also customize the “aggressiveness” of your junk filters by clicking on Junk Email Options (above). This will open the following window, where you can customize to your heart’s content!

If you’re having problems getting the junk email filtering process to work for you, please submit a ticket via the MyHelpDesk portal. All I ask is that you don’t send Pulse announcements straight to your junk folder! 😂  And fear not—none of you are in my junk filters! Thanks for all you do!

Stephen Dolter, M.D., CMIO

Technically Speaking: Timeless Software Launch, Part 2

Special thanks to guest author Vanessa Le, Clinical Education, for this week’s column. Vanessa is an ICU Clinical Informaticist who has been working tirelessly to bring the Timeless breast milk and formula tracking/ordering system online. Click here to read Timeless Part 1.

Now that the Nutrition Center (NC) is open in the Hubbard Center for Children, Timeless – the software program used to track and prepare formula and breast milk products – has launched.  The nutrition techs in the NC are now fortifying and preparing all formula and breast milk.

Why did Children’s move to this process?

  • The NC allows for a clean, dedicated space to prepare milk aseptically by techs who have specific training in this area. 
  • Measurements are much more precise in the NC; techs can measure down to a tenth of a gram versus ½ teaspoon at the bedside.
  • Timeless allows techs to label and track breast milk as they are fortifying it, thereby preventing delivery of breast milk to the wrong patient. 
  • We know exactly how much milk is in house and where it is stored, ensuring no milk is left behind at discharge.

These changes have resulted in some new workflows that will affect how quickly the NC can respond to changes in diet orders.

  • The NC will prepare breast milk (anything that requires fortification or other additives) twice daily, at 7 a.m. and 3 p.m. They will prepare individual syringes/bottles and deliver to the bedside around 10:30 a.m. and 6:30 p.m.
  • Because the breast milk syringes for the daytime feeds are prepared at 7 a.m., any changes that are made to the diet orders during rounds will not go into effect until the second batch of milk has been prepared at 3 p.m. and will not reach the baby until the 11 p.m.- midnight feed. This includes changes in calories and volume, as well as changing from a continuous drip to a gavage feeding.
  • Please consider this new NC workflow when making changes to diet orders and consider making changes overnight so those changes can take effect when the lab starts making the 7 a.m. batch of milk. Otherwise, it could be nearly 12 hours after an order was entered before the patient will receive the new milk order.
  • The nurse or certified nursing assistant will get a soft stop in Timeless when the old syringe is scanned. The nurse can verify the feeding based on the old order and continue with the feeding as planned.

This workflow does not apply to the following situations:

  • Fresh breast milk (20 cal./oz)
  • Ready to use/ready to feed formula
  • Formula prepped in the NC (the prep cycle for formula is not changing and will continue as before)

The NC team is busy preparing breast milk and working through their process on how to make this more efficient. We are asking for some grace, patience and flexibility as we accommodate to these new workflows.

Please let Vanessa or me know if you encounter any issues with breast milk or formula ordering. Thanks for all you do!

Stephen Dolter, M.D., CMIO

Technically Speaking: Email Encryption

Cybersecurity threats are all around us in the 21st Century. As more and more of our medical, financial and personal lives are lived online, bad actors are flocking to the Internet to try to steal data and scam unwitting victims. Here at Children’s, we have taken countless steps to keep our users safe. Most of our security systems live and work beneath the surface and are invisible to end users, but some occasionally poke through and reveal their presence.

This happened about a week ago when a colleague sent an email containing a social security number to a family member. ProofPoint, our email security solution, immediately recognized that the email contained sensitive information and was bound for a non-Children’s account, so it encrypted the message, keeping the user’s information safe from prying eyes. ProofPoint will do the same thing if it detects protected health information (PHI). In either case, it will alert the sender of its actions.

Users can also choose to manually encrypt an email message by adding [Encrypt] to the subject line. Be sure to include the square brackets.

When you send an encrypted email, the recipient will receive an email with the message below:

Once they “Click here” in the body of the message, the system prompts them to create an account to login and view the encrypted message. After they read the message, you will receive a confirmation email to that effect.

Some of you may be thinking this is a violation of privacy. It isn’t. Children’s has a duty to ensure that sensitive data like PHI and financial information remains secure, and as a private entity, it can take whatever steps are necessary to provide that security. If we allow any leaks, we can be held accountable, and that’s not a legal position we want to find ourselves in. Besides, the encryption is automated, and the contents of messages aren’t being reviewed by any humans. If this were your personal email, that would be a different story.

If anyone has Hubbard IT issues, please reach out using the MyServiceCenter portal on your desktop. Thanks for all you do!

Stephen Dolter, M.D., CMIO

Technically Speaking: Teletiquette

Last May at ePIG, Jennifer McWilliams, M.D., Children’s Behavioral Health, division chief of Psychiatry and medical director of Virtual Care, had attendees in hysterics as she presented tips, tricks and suggestions for successful virtual care sessions. I asked her to summarize her content for a TechSpeak column, and this is what she submitted.  Dr. McWilliams, take it away!

In March 2020, many of us were thrown headfirst into telehealth — and often with little training — began to see our patients via virtual visits.  As we settle into our new normal through 2021, the one thing that is clear is that Virtual Care is here to stay. With that in mind, I wanted to share some tips and tricks to help make your Virtual Care visits the best possible experience for our patients and families.

  • Turn the camera on—it’s surprising how often this simple step gets overlooked!
  • Remove Clutter – keep the space that’s visible on camera neat and clean so that patients can focus on you and not your clutter.
  • Check your Lighting – make sure you’re not back-lit or have strange shadows falling across your face. If you have windows, keep in mind the lighting will change throughout the day.
  • Test your hardware – it’s always reasonable to ask patients if they can see and hear you well enough.
  • Your Zoom Name is your ID Badge – remember, what you list in Zoom is what patients will see and call you. We recommend including your name and credentials, just as they appear on your ID badge.
  • Introduce Others in the Visit – If anyone else is in the room or on the call with you, such as students, nurses or scribes, introduce them even if the patient can’t see them.
  • Make Eye Contact – remember, you need to look at the camera, not the screen to give the impression of making eye contact.
  • Be Aware of Body Language – patients can only see a limited part of you, so they only see part of your body language. Be aware of what they can – and can’t – see.
  • Pause – sometimes the audio transmission will lag. Take time to pause so patients can respond without you talking over each other.
  • Use Signposting – if you’re doing something that the patient can’t see, such as taking notes or reading their chart, verbalize what you’re doing so they don’t think you’re distracted and not giving them your full attention.
  • Be Yourself – this is the most important – remember Virtual Care is just a tool – be yourself and you’ll be great!

These tips are just as applicable to virtual meetings as they are telehealth visits. And let’s face it—both will be a part of our lives well into the future!  As always, if you have any questions or concerns, please reach out to the Virtual Care team.

Me (Stephen) again… if you’d like to get the word out on any tech-related business that interests you, you could be the next TechSpeak guest contributor!  Just let me know. Thanks for all you do!

Oh, and if your patients are moving this weekend, I wish you the best experience possible!

Stephen Dolter, M.D., CMIO

Technically Speaking: Burnout

By now, we’ve probably all seen the results of the Physician and Provider Engagement Survey that was conducted earlier this year. We are clearly improving as an organization, but we also have a lot of opportunities for improvement. We also uncovered some early warning signs for provider burnout, and that worries me. 

I have some honest questions for all of you that are related to this survey, and I’d sincerely appreciate candid, unfiltered answers. No one is going to retaliate.

First, how much does Epic interfere with your ability to maintain a healthy work-life balance?  Does it keep you from getting out of clinic at a reasonable time? Do you work too much from home? The figure below, taken from the survey results slideshow, reveals a decompression score that is below the national average. Could this be because work is intruding upon your personal life? I know that many of you have a spike in your EHR usage after hours. This may be by choice if you need to pick your kids up from school or be present for family dinner. But it may also be a sign that Epic isn’t working as efficiently for you as it could be. It may be because your notes take too long to write. Please—if you feel like you need help, let me know.

Does Epic interfere with your ability to decompress?

Recently, the Epic Ambulatory Team launched a new program called PIG-let.  It piggybacks (pun intended) on the spirit of the Provider Informatics Group (ePIG) and puts physician and nursing informaticists in division meetings to solicit feedback on how we can improve the functionality of our EHR. Their plan is to take that feedback to the Epic analysts, identify quick wins, make changes to the system, and follow up a few months later with a status report on what changes have come about as a result of the initial meeting. If you’d like the PIG-let to visit your division, please let me know that as well.

I’m gonna need your help with this one.

Then there’s scheduling. I can’t believe Epic doesn’t have something to do with this, but never having worked in an SPC clinic, I’ve never experienced this pain. I need to know how we can make scheduling and registration processes easier and more efficient. Just tell me. We’ll do what we can to make it better.

Unlike clinic scheduling, over-communication is an issue with which I’m very familiar. Now I’m not here to say that communication is a bad thing—clearly, it’s not—but I agree that we need to curb unnecessary and interruptive communication.

This is precisely why Dr. Lauren Maskin has launched the Just the FACs pilot. This project aims to streamline asynchronous communication and encourage voice conversations to improve efficiency and eliminate unnecessary Voalte alerts. Her team is also devising a communication matrix that will suggest which form of communication (text message, request for conversation, direct phone call, etc.) is best for specific purposes.

When all is said and done, I want you to have the best information systems possible. I don’t want you to burn out. If that means we have work to do, then we’d better get to it. Just point me in the right direction. Thanks for all you do!

Stephen Dolter, M.D., CMIO

1 2 3 4