The Impact of MDS 3.0 from McKnights.com

by John_LoConte 29. September 2009 22:54

It's possible that the last thing the federal government was thinking about when it mandated MDS 3.0 (the Centers for Medicare and Medicaid Services' revision of the minimum data set (MDS), intended to increase resident-centered care in nursing homes) was the fact that so many long-term care facilities would actually be required to completely throw out the software they were already using.

After all, the major long-term care software developers appeared to be so adept at applying band-aids and duct tape to their legacy Disk Operating Systems (DOS) over the years. So there may have been a belief out there that their "clunkers" would never be completely eliminated.

Several years ago, I attended a number of meetings between a local user community and a nationally known software developer. The developer had recently purchased the software which was being used by the vast majority of nursing homes in Massachusetts. At the time, there was extreme consternation and frustration on the part of many facilities.  I was actually quite skeptical as to whether this developer could actually keep its bold promises that appeared to be offered out of sheer desperation. But, in the end, this developer deserved a great deal of credit for keeping its promises and maintaining its system well beyond any reasonable time-frame expectations. 

However, MDS 3.0 changes everything, and at some point there are both financial and foundational aspects that make it impossible for software developers to continue to apply workarounds to their legacy applications.

Ultimately, the discontinuance of older software is a practical, sensible and prudent decision as long as long-term care facilities are given the opportunity to easily migrate to a more suitable replacement. But why wouldn't we cling to the hope of new systems that wouldn't require support for "DOS beasts," their strange Central Processing Unit (CPU) workarounds, and endless printer driver conflict issues?

As an IT support firm, we've had to devote an inordinate amount of time to the maintenance of these legacy systems at the expense of more challenging and productive projects such as the implementation of hosting solutions which can more effectively move an organization into the "computing cloud." (NOTE: Cloud computing is a style of computing in which dynamically scalable and often virtualized resources are provided as a service over the Internet.)  

So where do we go from here?

Since many facilities have been presented with enticing offers that may expire soon, you will need to work fast if you want to consider other alternatives.  

It wouldn't be prudent to commit to any financial (i.e. general ledger and accounts payable) modules offered by just any software developer—unless you like being constrained by limited reporting and flexibility that inevitably results in mysterious and overly complex off-line spreadsheets that only one person in the organization knows how to use. Fortunately, most enterprises have already figured this out and have abandoned these mediocre systems in favor of financial applications from one of the big database players in the enterprise resource planning (ERP) software market.

At the other end of the spectrum, many small, free-standing facilities would probably be better off with one of the leading low-end systems—especially the inexpensive on-line versions which allow your accountant to work concurrently with you on your live system.

But if you fall in the middle, especially if you require audited financial statements, there's hope and change available for you as well. Several mainstream ERP systems not only provide more reporting flexibility, these systems can also deliver industrial-grade budget, forecasting and Web-based distribution capability that may not even be on the drawing boards of many long-term care software developers.

If you are a not-for-profit, you can evaluate applications written specifically for your organization. But unless you produce monthly internal reports in compliance with FAS 117, or if you need to monitor a significant number of grants with different reporting periods and complex allocation requirements, a mainstream system will work just fine.

Finding a fit

Choosing the software was the easy part; now you need to figure out which clinical/billing software developer's approach makes the most sense for your circumstances. Most people will probably be very impressed with the user interfaces available with the browser-based solutions. The key areas to focus on are the size of the existing installed base, the end-user customization alternatives available, and the developer's approach to training and installation.

Browser-based systems represent a fundamental shift into "cloud computing," the best part being that you don't have to buy and support your own servers for these applications.  But non-browser-based systems can also operate in a hosted environment, so this is actually not as significant a differentiator as it might initially seem to be.

Furthermore, the move to the cloud itself really isn't as troublesome as some may fear.  For example, in order to create a more highly available business continuity strategy, many companies have already moved their e-mail and backup functions into secure, redundant data centers. This makes sense operationally for a variety of reasons, not the least of which is the ability to potentially replace large capital investments in new hardware with more affordable and predictable monthly fees. 

So with concerns regarding cloud computing out of the way, it's the selection of the right software developer relationship that represents the most critical decision that you face.

Clinical, admissions and billing considerations

At the enterprise level, the prospect of using an extremely powerful system, even if it may have somewhat limited customization features, is very attractive—especially if you need to upgrade, migrate and roll out a solution to many facilities. If you represent a smaller group of nursing homes and want complete control over your clinical applications, then you may want to take a look at systems that provide ultimate flexibility in that area.  

But be forewarned: If you want to design your own system, even if it does not require the services of outside programmers, make sure that you have staff with both the time and personal commitment to make the system work. Otherwise you've just wasted your money and you'll be back looking for a new system very shortly.

If you are a free-standing facility or a very small group of homes, you will also want to be absolutely certain that you agree with the developer's implementation approach, which could rely almost exclusively on remote training as opposed to on-site assistance.  In other words, "Train the Trainer" makes sense unless your trainer is also responsible for several other duties like resident care, which always seem to get in the way.

The system selection process

First of all, a compelling purchase price alone is not a guarantee of a successful implementation; if it were, then open source software such as Linux would have obliterated Microsoft years ago. 

Secondly, although data migration has always been a primary reason for remaining with the same developer in the past, that no longer has to be the case.  Since everyone is required to submit the same standardized MDS data files, all of the developers have been able to design automated conversions of key resident information without having to get directly into the proprietary database of the existing applications in place.

Finally, always remember that the overarching key to a successful implementation remains competent and knowledgeable staff receiving meaningful, appropriate and customized training that is supplemented by timely and reliable ongoing support. This key to success simply can't be translated into a "features comparison" formula or a quick comparison of bottom line numbers from the "Investment Summary" page.

With these fundamental principles in mind, before committing to any software developer's system, it would be appropriate to at least take a quick look at some of the alternatives available before just signing up for the latest upgrade.  There are some niche applications for organizations that provide a broader spectrum of care in areas such as continuing care retirement centers and home health care.

And, if you're just not satisfied with the point-of-care systems bundled with the major clinical software systems, then you could consider a multi-developer strategy. But make sure that the developers involved can show you how the point-of-care system easily and seamlessly integrates with one centralized database of resident information.

If you have already made an internal investment in hardware that can operate in a self-hosted environment, or if you desire a more on-site implementation training approach, or even if you're looking for the benefits of "cloud computing" but with more flexibility and control over your system, then don't give up on the non-browser-based solutions. They may not be as pretty as the more flashy browser-based alternatives, but their systems are generally more mature and robust. What's more, the software developers may be more willing to offer a more traditional on-site training approach at a reasonable price.

Time to get moving

In any case, you'll need to act soon because regardless of the system you select, you will require time to plan and implement it before the MDS 3.0 deadline next fall.  As for me, I will always look back fondly at those clunkers.  It was a great ride, but now it's time to get into line for a new and exciting trek with all the ups, downs, curves and breathtaking challenges that can be seen from up in the clouds.

John LoConte is a principal at KDSA Consulting, LLC, an information technology services firm located in North Andover, MA. LoConte has provided IT services to the elder care community for more than 25 years.

For more information on Long Term Care News, please visit www.McKnights.com

Community Health Resources Expands Network Protection with Fortinet Consolidated Security Solution

by dmortimer 29. September 2009 22:45


Agency Adds Network Security Functions for Enhanced Protection, Ease of Management and Lower Total Cost of Ownership

SUNNYVALE, Calif. - June 25, 2008 - Fortinet® - the pioneer and leading provider of unified threat management (UTM) solutions - today announced that Community Health Resources (CHR) has deployed a Fortinet FortiGate™ multi-threat security appliance to help secure its network from malicious Internet attacks. CHR initially planned to deploy the FortiGate appliance for firewall protection, replacing an underperforming competitive solution. Upon seeing the strength of the Fortinet firewall, the agency decided to implement additional Fortinet security functions including antivirus, intrusion prevention (IPS) and Web filtering protection while maintaining a low total cost of ownership and ease of management.

Community Health Resources is a private, non-profit, community-based system of behavioral health care dedicated to helping people of all ages lead happier and healthier lives. As CHR continually expands its service offerings to better serve the community needs in Connecticut, its network security needs are also expanding.

CHR's previous firewall solution was periodically rebooting on its own which would cause throughput and latency issues. Also adding to network problems was CHR IT staff's inability to add new employees to the firewall profile. With these two problems, CHR turned to KDSA Consulting, LLC, an information technology consulting firm specializing in outsourced network administration and financial accounting software solutions, to help find a network security solution that would increase up-time while lowering total cost of ownership and enabling the network to scale in-line with the agency.

"We were looking to simplify network management and wanted a robust and consolidated security solution so that we didn't have to have multiple people managing the network," said Jason Francia, senior network administrator for Community Health Resources. "The Fortinet solution is allowing us enterprise-level security that is easy to use and meets our growing needs."

Fortinet's FortiGate-400A multi-threat security solution is helping to provide firewall, antivirus, IPS and Web filtering protection at CHR's Windsor, Conn. headquarters. CHR's ability to add advanced network security functions to its initial firewall requirements is due to Fortinet's integrated and scalable multi-threat security solution. Without having to deploy new point products, CHR easily added security functionalities to its network and thereby lowered the total cost of ownership.

Soon to be added to the CHR network are several of their residential programs located throughout northern Connecticut. These homes house children and adolescents and will be using Fortinet for Web filtering so that the children are unable to access inappropriate Websites. Currently, the homes are not connected to the CHR network and, therefore, no restrictions are placed on Internet usage.

"Non-profit agencies like Community Health Resources are forced to be cost conscious yet need enterprise-level network security," said Karl Soderlund, vice president of Americas sales and business development for Fortinet. "Fortinet's consolidated network security approach allows for agencies such as CHR to easily scale to its growing needs by adding network security functionality without the burden of working with additional vendors or adding headcount."

Fortinet provides ASIC-accelerated security appliances, which are used by enterprises and service providers to enhance and consolidate their security needs while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection - including firewall, antivirus, intrusion prevention, VPN, Web filtering, spyware prevention and anti-spam - designed to help customers protect against network and content level threats. Delivered via its flagship FortiGate family of appliances, Fortinet provides a flexible and extensible platform of security applications and services that enable customers to deploy and centrally manage the same broad level of protection at remote locations as they have for headquarters and data center environments.

About Community Health Resources (www.chrhealth.org)
Community Health Resources is one of the leading providers of community mental health care in the state of Connecticut. Each year, CHR helps thousands of adults, children and families successfully live with mental illness. CHR's professional staff, who are committed to recovery, provide treatment, support, rehabilitation, prevention and educational services to those in need.

About KDSA Consulting, LLC (www.kdsaconsulting.com)
KDSA Consulting, LLC located in North Andover, MA provides the full spectrum of information technology services for small to medium sized businesses and not-for-profit organizations. Our infrastructure division designs local and wide area networks, disaster recovery solutions and provides contracted "managed services" support to end users. Our software division performs system selection consulting, financial accounting project management, implementation and training along with customized programming and database management services.

About Fortinet (www.fortinet.com)
Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection - including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam - designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in seven programs by ICSA Labs: firewall, antivirus, IPSec, SSL, network IPS and anti-Spyware. Fortinet is privately held and based in Sunnyvale, California.

Copyright © 2008 Fortinet, Inc. All rights reserved. Fortinet is a registered trademark of Fortinet, Inc. FortiGate, FortiOS, FortiAnalyzer, FortiASIC, FortiCare, FortiManager, FortiWiFi, FortiGuard, FortiClient, FortiReporter and other names are trademarks of Fortinet, Inc. in the United States and/or other countries. All other trademarks referred to herein are the property of their respective owners.

Head off security breaches with compliance by the March deadline

by dmortimer 22. September 2009 03:20

In the wake of recent data security breaches that continue to affect Massachusetts residents, the state has recently passed new protective regulations to safeguard their personal information, or PI. And frankly, it can’t be happening a moment too soon.

The legislation, known formally as Massachusetts Regulatory Compliance Law 201 CMR 17.00, is intended to protect residents’ PI.

With the deadline for compliance recently extended to March 2010, these regulations set minimum standards for businesses to safeguard PI contained in both paper and electronic records. This law is in addition to existing compliance regulations such as SOX, HIPAA and PCI.

A “breach of security” is defined as an unauthorized acquisition of PI that creates a substantial risk of identity theft or fraud against a resident of Massachusetts.

The critical question, of course, is who needs to comply, and how will compliance be defined?

The first part of the question is relatively simple: Ultimately, the legislation applies to all organizations that own, license, store or maintain PI about a resident of the Commonwealth of Massachusetts.

Under the new law, PI is defined as an individual’s first and last name (or first initial and last name) and one of the following: Social Security number, driver’s license number or state-issued identification card number, or a financial account number, credit card number or debit card number.

Actual compliance, the second part of the question, is a bit more complicated.

To comply with the regulation, organizations must implement a range of security and privacy standards and technologies described in the law.

These boil down to six general requirements:

  1. Develop, implement and maintain a comprehensive written information security program (WISP) for PI;
  2. Make sure the WISP is properly staffed and establish monitoring and training to ensure employee compliance;
  3. Identify and inventory all paper and electronic records to determine if they contain PI which must be secured;
  4. Restrict collection and access to PI to only those required for legitimate business purposes;
  5. Encrypt PI stored on laptops and other portable devices (flash drives, PDAs) and PI transmitted over wireless or public networks;
  6. Take reasonable steps to verify that third-party service providers with access to PI have appropriate safeguards in place that meet or exceed the standards.
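A worked example of the inventory step (requirement 3) applied to the statute's PI definition given above. This is added example code, not part of the original article or of KDSA's practice: it scans constructed sample records (all values fictitious) for the combination the definition requires, a first name or initial plus last name together with at least one of the listed identifiers. The regular expressions for Social Security and Massachusetts licence numbers, the Luhn check used to confirm candidate card numbers, and the rule that any non-empty field whose name contains "account" counts as a financial account number are all assumptions, because the regulation names the data elements but does not specify their formats.

```python
import re

# Assumed formats (201 CMR 17.00 names the elements, not their formats).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")          # nnn-nn-nnnn
LICENSE_RE = re.compile(r"\bS\d{8}\b")                  # assumed MA licence format: S + 8 digits
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")         # 13-16 digits, optional spaces/dashes
ACCOUNT_FIELD_RE = re.compile(r"account", re.IGNORECASE)  # field names treated as account numbers

# Constructed sample records, as exported from a spreadsheet or database.
SAMPLE_RECORDS = [
    {"id": 1, "first_name": "J.", "last_name": "Doe", "notes": "SSN 123-45-6789 on file"},
    {"id": 2, "first_name": "Ana", "last_name": "Silva", "notes": "Paid with card 4111 1111 1111 1111"},
    {"id": 3, "first_name": "", "last_name": "Smith", "notes": "SSN 987-65-4321"},
    {"id": 4, "first_name": "Lee", "last_name": "Wong", "notes": "Invoice 1234567890123456"},
    {"id": 5, "first_name": "Maria", "last_name": "Rossi", "account_number": "ACCT-00981", "notes": ""},
]


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text):
    """Identifier types (from the statute's list) detected in a free-text value."""
    found = set()
    if SSN_RE.search(text):
        found.add("ssn")
    if LICENSE_RE.search(text):
        found.add("drivers_license")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Luhn filters out invoice numbers and other digit runs that only look like cards.
        if 13 <= len(digits) <= 16 and luhn_valid(digits):
            found.add("card_number")
    return found


def has_name(record):
    """First name (a bare initial suffices under the definition) plus last name."""
    first = str(record.get("first_name") or "").strip()
    last = str(record.get("last_name") or "").strip()
    return bool(first) and bool(last)


def classify(record):
    """Decide whether one record is PI under the statute's definition."""
    identifiers = set()
    for field, value in record.items():
        if field in ("first_name", "last_name"):
            continue
        text = str(value)
        identifiers |= find_identifiers(text)
        # Assumption: account numbers have no fixed format, so they are found by field name.
        if ACCOUNT_FIELD_RE.search(field) and text.strip():
            identifiers.add("financial_account")
    named = has_name(record)
    return {"has_name": named, "identifiers": sorted(identifiers),
            "is_pi": named and bool(identifiers)}


def inventory(records):
    """Classify every record and list the ids that must be secured as PI."""
    results = {r["id"]: classify(r) for r in records}
    return {"results": results,
            "pi_record_ids": sorted(rid for rid, res in results.items() if res["is_pi"])}


if __name__ == "__main__":
    report = inventory(SAMPLE_RECORDS)
    for rid, res in report["results"].items():
        print(rid, res)
    print("records containing PI:", report["pi_record_ids"])
```

Record 3 shows the edge the definition creates: a Social Security number stored without a qualifying name falls outside the statutory trigger, yet an inventory should still surface it, which is why the classifier reports the identifiers found separately from the `is_pi` verdict.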

With these requirements as a backdrop, how does a business actually begin the process of getting started on a program to gain compliance with the new statute?

While not intended to be a specific inventory of action steps, the following list will illustrate the basic effort that companies must undertake.

  • Establish a team. It is very important for senior management to participate; they need to be involved with establishing the policies and procedures for the organization.
    Typically, this team will also include members of human resources, IT, legal and administrative departments.

  • Formulate, then implement, the WISP. This must be extremely comprehensive, including all administrative, technical and physical safeguards.

  • Designate a data security coordinator. This person will shoulder primary responsibility for implementing the WISP, as well as training employees to follow the plan's myriad parameters properly.
    In addition, the coordinator should perform regular monitoring and testing of the plan’s safeguards, as well as evaluate third-party service providers for compliance.

  • Establish internal risk guidelines. This includes amending employment contracts to require compliance with the plan, developing disciplinary actions to be taken based on the nature of a specific violation, limiting the amount of PI collected as reasonably necessary for the business and more.

  • Establish physical risk guidelines. This encompasses prohibiting employees from keeping open files containing PI on their desks when they are not present; securing files and records containing PI at the end of the workday; restricting visitors' access to one entry point for each building in which PI is stored, and more.

  • Establish external risk guidelines. This means ensuring that reasonably up-to-date firewall protection and operating system security patches are installed on all systems processing PI. Also, all PI stored on laptops or portable devices must be encrypted, and all PI records and files transmitted across public or wireless networks must be encrypted.

  • Perform gap analysis. Determine specific safeguard areas that require actions for improvement.

  • Maintain, monitor and test. This involves distributing copies of the WISP plan to employees, conducting immediate and regular training of employees and reviewing all security measures annually or upon any material change in business practices impacting the integrity of security.

  • Notification. Whenever there is an incident that may require notification under M.G.L. c. 93H, there must be a post-incident review of events and actions taken.

Anyone doubting the need to fully comply with the new statute should consider the penalties. Organizations that do not comply may, in the event of a data breach, be subject to serious fines ($100 to $5,000 per violation, depending on the type), as well as potential lawsuits filed by the Massachusetts Attorney General, businesses or individuals.

Needless to say, the information technology people in your company will be a vital part of the team established to meet the requirements of the new legislation.

Some areas that they can help address are assessing, updating or revising your existing security program; implementing some of your existing compliance procedures; and helping to make strategic investments in newer firewalls, encryption alternatives and other technologies.

Organizations may also need to reach out to various partners such as their legal counsel and/or outside technology consultants to ensure they fully understand the requirements for compliance.

As of this writing, modifications were being considered to the legislation, so it’s important to check the following resources for the latest version:

Office of Consumer Affairs & Business Regulation

Massachusetts Society of Certified Public Accountants

InfoSecurity Analysis.com

Dawn Mortimer, CPA, CITP, is principal and co-founder of KDSA Consulting, a North Andover-based company that is designed to meet the unique technology goals of businesses in a wide variety of industries.