
De-identified Healthcare Data – Is It Really Unidentifiable

Posted on September 30, 2011 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

There’s always been some really interesting discussion about EHR vendors selling the data from their EHR software. Turns out that many EHR vendors and other healthcare entities are selling de-identified healthcare data now, but I haven’t heard much public outcry from them doing it. Is it because the public just doesn’t realize it’s happening or because the public is ok with de-identified data being sold? I’ve heard many argue that they’re happy to have their de-identified data sold if it improves public health or if it gives them a better service at a cheaper cost.

However, a study coming out of Canada has some interesting results when it comes to uniquely identifying people from de-identified data. The only data they used was date of birth, gender, and full postal code data. “When the full date of birth is used together with the full postal code, then approximately 97% of the population are unique with only one year of data.”

One thing that concerns me a little about this study is that postal code is a pretty unique identifier. Take out postal code and you’ll find much different results. Why? Because a lot of people share the same birthday and gender. However, the article does offer a reasonable suggestion based on the results of the study:

“Most people tend to think twice before reporting their year of birth [to protect their privacy] but this report forces us all to think about the combination or the totality of data we share,” said Dr. El Emam. “It calls out the urgency for more precise and quantitative approaches to measure the different ways in which individuals can be re-identified in databases – and for the general population to think about all of the pieces of personal information which in combination can erode their anonymity.”

To me, this is the key point. It’s not about creating fear and uncertainty that has no foundation, but to consider more fully the effect on patient privacy of multiple pieces of personal information in de-identified patient data.
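One way to make that "combination of data" point measurable is to count how many records are unique on their quasi-identifiers, and how that changes as date of birth and postal code are generalized. The Python below is an added example, not code from the study or from this blog; the records are constructed, and the choice of generalizations (birth year only, and the first three characters of the postal code, the Canadian forward sortation area) is an assumption made for illustration. A 12-row table will not reproduce the study's 97% figure; it only shows the measurement.

```python
from collections import Counter
from typing import Callable, Hashable, List, NamedTuple


class Record(NamedTuple):
    dob: str          # ISO date, YYYY-MM-DD
    gender: str
    postal_code: str  # Canadian format, e.g. "K1A 0B1"


# Constructed sample rows (not real people, not data from the study).
RECORDS = [
    Record("1975-03-14", "F", "K1A 0B1"),
    Record("1975-03-14", "F", "K1A 0B2"),
    Record("1975-07-02", "F", "K1A 0B1"),
    Record("1975-11-30", "F", "K1A 3C4"),
    Record("1982-01-09", "M", "K1A 0B1"),
    Record("1982-01-09", "M", "K1A 0B1"),
    Record("1982-06-21", "M", "K1A 5D6"),
    Record("1982-12-05", "M", "K2P 1L4"),
    Record("1990-04-18", "F", "K2P 1L4"),
    Record("1990-04-18", "M", "K2P 1L4"),
    Record("1990-09-27", "F", "K2P 2N7"),
    Record("1964-02-11", "M", "M5V 2T6"),
]

Projection = Callable[[Record], Hashable]


def fsa(postal_code: str) -> str:
    """First three characters of a Canadian postal code (forward sortation area)."""
    return postal_code.replace(" ", "").upper()[:3]


# Quasi-identifier projections, from most specific to most generalized.
def full_dob_full_postal(r: Record) -> Hashable:
    return (r.dob, r.gender, r.postal_code)


def year_full_postal(r: Record) -> Hashable:
    return (r.dob[:4], r.gender, r.postal_code)


def full_dob_fsa(r: Record) -> Hashable:
    return (r.dob, r.gender, fsa(r.postal_code))


def year_fsa(r: Record) -> Hashable:
    return (r.dob[:4], r.gender, fsa(r.postal_code))


def class_sizes(records: List[Record], project: Projection) -> Counter:
    """Size of each equivalence class: records sharing the same projected values."""
    return Counter(project(r) for r in records)


def unique_count(records: List[Record], project: Projection) -> int:
    """Records that are alone in their class, i.e. singled out by the projection."""
    return sum(1 for n in class_sizes(records, project).values() if n == 1)


def smallest_class(records: List[Record], project: Projection) -> int:
    """The k of k-anonymity: the size of the smallest equivalence class."""
    sizes = class_sizes(records, project)
    return min(sizes.values()) if sizes else 0


def below_k(records: List[Record], project: Projection, k: int) -> List[Record]:
    """Records whose class has fewer than k members (candidates for suppression)."""
    sizes = class_sizes(records, project)
    return [r for r in records if sizes[project(r)] < k]


def report(records: List[Record]) -> List[tuple]:
    """(projection name, unique records, smallest class) for each generalization."""
    levels = [full_dob_full_postal, year_full_postal, full_dob_fsa, year_fsa]
    return [(p.__name__, unique_count(records, p), smallest_class(records, p))
            for p in levels]


if __name__ == "__main__":
    for name, unique, k in report(RECORDS):
        print(f"{name:22s} unique={unique:2d}/{len(RECORDS)}  smallest class k={k}")
    print("still below k=2 after generalizing:", below_k(RECORDS, year_fsa, 2))
```

Even after both fields are generalized, some constructed records remain unique, which is why release decisions are usually made on the smallest class size rather than on which fields were removed.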

Common EHR Implementation Issue – EMR Upgrade Problems

Posted on September 29, 2011 | Written By John Lynn

I’m really excited that this Common EHR implementation issues series has been so popular. If you missed it, you can see the previous posts in the series: Unexpected EHR Expenses, EHR Performance Issues, a little follow up to avoiding the EHR performance issues altogether, and inadequate EHR templates.

This week’s common EHR implementation issue is: EMR Upgrade Problems

I’d like to categorize this EHR implementation issue into two areas. One is upgrading to an EHR from an old legacy EHR and/or PMS. The second is upgrading your existing EHR that’s just outdated. I’ll take them in reverse order.

Upgrade of Existing Outdated EHR
In this world of your web browser and operating system auto updating at regular intervals it’s sometimes hard to remember that not all software does that. In fact, it turns out that most software doesn’t auto update (often for good reason). Of course, this problem doesn’t apply to a SaaS based EHR software since those updates are applied whether you like it or not. The nice part is that the SaaS EHR updates appear to the user to just happen automatically with little to no intervention on their part. Of course, we’ll save what happens when a SaaS EHR update causes you problems for another post. In the client server world of EHR (or hybrid EHR as some like to call themselves when they’re web based on an in house server) you will have to deal with updating your EHR.

I think with rare exception, it’s a huge mistake to not keep your EHR software up to date (goes for most other software as well). I’m not suggesting that even client server software should auto update. Considering the deployment and upgrade model of most EHR software, it’s almost essential to review the new feature list before doing an update to ensure that the update won’t cause you unnecessary heartache. Understanding the changes that will happen with the EHR Upgrade will let you warn your users about it so that they don’t come running into your office after the upgrade wondering why their favorite feature was changed.

What’s the problem with not upgrading? Many might just think that they don’t need to update their EHR software since they don’t want/need the extra features that are part of the upgrade. This is a bad strategy for a couple reasons. First, there are often security fixes that are part of the EHR upgrade that you’ll be missing out on if you don’t upgrade. Second, a bunch of relatively minor updates is much better on a clinic than one massive one that requires a ton of change. Third, when a future update comes that has a feature you do want, it’s not always pretty to go through multiple upgrades at the same time. Fourth, try calling the EHR support when you’re on an old version. Most of the time they’re going to say you need to upgrade for them to appropriately support you.

One other suggestion on EMR Upgrades now that I’ve supported the idea of upgrading. Just because I suggest you upgrade to the latest version of your EHR, doesn’t mean you have to be the beta tester for the company. Do the upgrade early in the process, but not necessarily so early that you’re going to be the bug tester for the company.

Upgrading an EHR from a Legacy EHR or PMS
This situation happens most often when either a clinic decides to switch from their old, hasn’t-been-updated legacy PMS (which might include some basic EHR features) or when a clinic decides to move off their existing EHR to a new one.

Upgrading from a legacy PMS could easily be a whole series of blog posts. Suffice it to say that the biggest challenge with the upgrade from the old legacy PMS system is often getting the data out of it. Some legacy PMS systems don’t provide that data willingly. In fact, many will even charge you to get access to it. They’ve basically lost you as a customer, so they’re trying to maximize whatever revenue they can get. It’s not pretty.

Even if you can get access to the data, there’s often a lot of data manipulation that will have to occur. A common problem that’s related to this is whether you even want to get the data out of the old PMS. Far too often, the data in the old legacy system has so much junk in it, that it’s worth considering the option of starting from scratch. It’s not pretty to upload inconsistent and ugly data from a legacy system into your nice, new EHR software.

Switching from one EHR software to another is becoming more and more common. In 2-3 years I believe we’re going to see an amazing influx of EHR software switches. It will be the topic du jour. We’re already starting to see it in a number of situations: an EHR that isn’t certified, an EHR that the doctor hates, an EHR that’s gone under, an EHR that’s sold to another company, etc.

The biggest problem right now with switching EHR software is that there’s no standard for the data to be exported and imported into a new EHR company. Some of you might remember my post asking EHR vendors to consider the value of EHR data liberation. In it I describe why not only is it the right ethical thing to do, but it also can make a lot of business sense to do so. Sadly, I’ve only really seen one EHR software that has embraced the concept of really liberating the data in their EHR.

I’d love to support a movement from EHR vendors that embrace the concept of EMR data liberation. I imagine most are too afraid of giving their users an easy option to leave their EHR. It’s too bad EHR vendors are so focused on protecting their business instead of focusing everything they do on the customer experience, but I digress.

Considering the above described state of EHR data export, you can see why moving to an EHR is such an issue. It’s worth mentioning this topic before you even select an EHR. Before purchasing the EHR, ask the question, What if this EHR is terrible and I want to switch? This is water under a bridge if you’re already in a compromising position under contract with an EHR you don’t like.

Unfortunately, I don’t really have very many great suggestions for those in this position. Just some words of comfort. First, switching EHR software can actually be easier than implementing an EHR in the first place. You already have the computers and IT infrastructure. Plus, for some reason second EHR implementations have a much higher success and satisfaction rate from what I’ve seen. Second, while it’s a bitter bullet to bite, everyone that I know that’s done it wishes they’d done it earlier. Although, don’t rush into another EHR just because. Take your time to select an EHR properly if you’re going to switch, but don’t be afraid to switch based on what economists call sunk costs. Third, this is one case where it’s often good to hire someone who’s done this type of EHR switching before. They can be a big help.

Surprising EHR Tweet of the Day

Posted on September 28, 2011 | Written By John Lynn

I saw this tweet and decided I couldn’t pass up posting it. When I read it, all I could think was, Yeah……right!! (yes, that last part is in the sarcasm font)

@NewIQ – David Whitaker
The next five years will be pivotal for EHR solutions. The cloud presents a real opportunity for the creation of a truly dynamic system.
Followed by…
I would not be surprised if the folks at Google or Facebook weren’t already working on a strategy. #EHR #cloud

I think the last thing Facebook is thinking about is anything to do with EHR. They might be interested in healthcare apps for “consumers” managing their health, but they couldn’t give a rip about EHR. They might even consider helping doctors connect with patients on Facebook (although, even that I think is unlikely), but not an EHR.

Google has probably thought of EHR back when Google Health launched. Obviously they chose to go with PHR and we see how that turned out. I don’t think Google could make a worse mistake than to try and create an EHR.

Yeah, Facebook or Google doing EHR…that would be surprising.

Guest Post: GFI FaxMaker Solves Healthcare Customers’ Faxing Needs

Posted on I Written By


Guest Post: This is a sponsored guest post written by James Taylor and provided by GFI FaxMaker.

HIPAA requirements are becoming a part of every technology discussion, especially within the healthcare industry. One of the biggest pain points for both doctors and dentists is faxing. The HIPAA requirements for faxing EMR/EHR records are fairly straightforward, and also fairly onerous and time consuming, and healthcare organizations are looking for better ways to do faxing. This is where GFI’s fax server software, GFI FaxMaker, steps into the scene.

Installation

Installation is easy, though it does require a domain admin account (more on that below). It can use a fax modem, FoIP SaaS service from Brooktrout, or ISDN lines, and can be installed right on your Exchange server or integrate with Exchange (or other email systems) using an SMTP connector. Install gets a 9/10.

Integration

GFI FaxMaker almost sells itself just in how easily it can be integrated into practically any client’s existing infrastructure, whether they are a private practice, or part of a huge hospital network. The email to fax and print to fax capabilities make it easy for end-users to send faxes, and helps to ensure HIPAA compliance in several ways; these include:

  1. Fax numbers can be pulled from the email client address book (GAL),
  2. Delivery confirmation reports can be automatically generated and stored with the sent faxes,
  3. Incoming faxes are delivered directly to the recipient; no paper left lying around, and no need for the user to go stand by the fax machine waiting for an incoming fax,
  4. Faxes can be stored as PDF or TIFF, and routed to network shares. Practically any client’s medical records program for EMR/EHR can consume these with no need for extra work, making this another way to plug directly in to programs without needing to write any code.
  5. The ability to ‘print to fax’ makes every Windows program my clients use ‘fax capable’. Share the printer and clients can just double-click it to start faxing from any application.

Making it so easy to plug into existing infrastructure earns this a 9/10.

Fax routing flexibility

GFI FaxMaker’s routing capabilities are its best feature. You can automatically deliver faxes to users, network folders, or printers, based on several different attributes including:

If your senders’ fax machines identify themselves by CSID, you can route using that, or you can set up extensions for each user without having to get dedicated lines. Of course, it can use dedicated lines too. OCR rocks, since it can scan for the recipient’s name and deliver the fax by ‘reading’ the To: line on a cover page or finding a keyword in the body of the fax. Just don’t expect it to decipher a doctor’s handwriting.

It can also automatically archive inbound and outbound faxes as PDF or TIFF format, making it easy to import faxes into other programs or to keep a secured archive.

Most organizations are very big on electronic archiving, and they don’t have the budget to get every single doctor and PA in the practice their own fax number, so I give this a 9/10.

What I like

GFI FaxMaker installs very easily, integrates with every email environment without having to install anything on the mail server, and sets up a shared printer so users can simply print to fax. It is easy to setup, easy to understand, and just works. Getting rid of the fax machines, the stocks of ink, and all the paper left lying around that goes along with a traditional fax is great, and with no more incoming faxes hitting the output tray, there’s no chance of confidential patient information (EMR/EHR) being at risk. Considering how big a concern that is for HIPAA compliance, and how little space most offices have to ‘secure’ a traditional fax machine, this is a huge benefit and earns GFI FaxMaker a 10/10 for convenience and compliance.

What I don’t like

The one thing I don’t care for is that GFI FaxMaker wants to run under the account of a domain admin. Small offices running SBS don’t seem to care, but hospitals with Information Security departments take exception to this. Two things; no software should want to run as a domain admin, and any software that isn’t going to run as system ought to run under a service account. If you let it run under your user account, it will break in a couple of months when you change your password. In terms of how I rate this product, that counts off more than anything else.

I would also prefer the print drivers to be signed by Microsoft; I know that takes time, but it is a jarring warning in bold red when you go to install it on a Windows server.

The bottom line

GFI FaxMaker is an excellent faxing solution for health care organizations, whether they are private practice or attached to major medical centers. It’s easy to use, is able to integrate into existing systems, and contributes to HIPAA compliance – making itself a great solution on its own merits; the amount of time, money, and administrative support it saves your IT support helps it pay for itself in no time. I rate it a very strong 9/10, and bet you will too.

With all that it has to offer, GFI FaxMaker may be the best new application your healthcare practice has ever seen. But don’t just base it on my great experience, see for yourself.

CakeHealth – Mint for Healthcare Expenses

Posted on September 27, 2011 | Written By John Lynn

For those of you that don’t keep your eye on the Silicon Valley tech scene, you might have missed the launch of a company called Cake Health at TechCrunch Disrupt. From what I can tell, they were one of the most exciting companies coming out of the popular TechCrunch Disrupt event. Here’s a short description of what Cake Health offers:

…with Cake Health, you’ll never lose track of your healthcare expenses again. Our analytics monitor your out-of-pocket cost, and what services you should be getting now. With our recommendations, your health benefits are optimized based on your actual needs and usage, so your costs are reduced.

I think the best (and most popular) phrase I’ve seen to describe Cake Health is that it’s like Mint.com for healthcare. If you’ve never used Mint.com you should check it out (although, I’ve been considering switching to Wave since Mint was bought by Intuit). They figured out a simple way to get all your financial transactions into Mint and then provided some interesting aggregate information along with ways for you to save (that’s the Mint business model).

Obviously, Cake Health is still new, but you can see a lot of these same elements in their product offering. They have easy ways for you to import your claims data. Now we’ll see how well they can help you on figuring out ways to save on your healthcare expenses. That will be their biggest challenge. The easy part for them will be monetizing their users if they get enough of them.

Although, you can see the power of what they’ve created. In 48 hours after they launched, they had over $8M in claims imported. That’s a lot of interesting healthcare data. I’ll be interested to see in what ways they can leverage that data to improve healthcare.

Meaningful Use Tool – Meaningful Use Monday

Posted on September 26, 2011 | Written By John Lynn

Lynn is out partying in New York (otherwise known as the SRSsoft user group meeting), and so I’m going to try and fill in for her today in our continuing series of Meaningful Use Monday posts.

The great thing is that I was recently sent a meaningful use tool that was developed by Stacey Chapman, a consultant at PTS Consulting Group. Here’s a little background on Stacey:

Stacey Marie Chapman is a Principal Consultant with PTS Consulting, having previously worked as an Implementation Consultant, as well as, for eClinicalWorks. Stacey recently worked on curriculum development and instructional content for the ONC sponsored Community College Consortia to Educate Health Information Technology Professionals in Health Care Program through Bronx Community College.

PTS provides customized Electronic Health Record Project Management solutions for engagements of all size and specialty; effectively aligning IT applications with client’s process models, to achieve maximum operational efficiency and overall usability.

So, this Meaningful Use tool is built in Excel and goes over all the various meaningful use requirements. (Note: Since it’s an Excel file, I suggest you click the download link below since Excel files don’t display very well in an embed.)

You can see the full screen version of the meaningful use tool here.

Also, we’d love to get more questions you’d like answered on Meaningful Use Monday. If you have any questions or think there’s a topic we haven’t covered on Meaningful Use Monday, let us know in the comments or on our Contact Us page.

The EHR Serenade by Enoch Choi at Doctors 2.0 and Health 2.0

Posted on September 25, 2011 | Written By John Lynn

I must admit that I don’t know the background of this because I wasn’t able to make it to Doctors 2.0 and Health 2.0 this year, but I couldn’t help but laugh at the performance. Not sure why the YouTube video is black. Maybe it was just the audio of the presentation and they made a video out of it. Either way, I think this is an interesting message for doctors about EHR.

Here’s the description from the YouTube video:
“Give doctors a little respect. Make EHRs more usable. I serenade the last decade of developing and using EHR in full time urgent care practice at AHRQ”

And now for the EHR Serenade:

If someone knows of a video of this presentation at Health 2.0, let me know and I’ll update this post.

Crazy and Funny ICD-10 Codes

Posted on September 23, 2011 | Written By John Lynn

The Wall Street Journal put out an interesting article about the switch from ICD-9 coding to ICD-10. The title mocks the ICD-10 codes, “Walked Into a Lamppost? Hurt While Crocheting? Help Is on the Way”, and the subtitle is funny as well, “New Medical-Billing System Provides Precision; Nine Codes for Macaw Mishaps”

I must admit that I’m not very well steeped in the history of ICD-9 and ICD-10. Nor am I that familiar with the process that was used for creating the voluminous ICD-10 coding system. I’m more of a practical person and so I’ve been more interested in EHR’s ICD-10 preparedness and the timeline for ICD-10 implementation. Seems like we won’t have much choice.

I guess I should have known that going from 18,000 codes (which doctors can’t even stay up with as is) to 140,000 codes would offer some crazy and hilarious codes. Here’s some examples from the article linked above:

There are codes for injuries in opera houses, art galleries, squash courts and nine locations in and around a mobile home, from the bathroom to the bedroom.

And the appropriate follow up question from a family physician, “Really? Bathroom versus bedroom? What difference does it make?”

Some other interesting codes mentioned in the article:
R46.1 is “bizarre personal appearance”
R46.0 is “very low level of personal hygiene”
W22.02XA, “walked into lamppost, initial encounter”
W22.02XD, “walked into lamppost, subsequent encounter”
V91.07XA, “burn due to water-skis on fire”

There are codes for injuries received while sewing, ironing, playing a brass instrument, crocheting, doing handcrafts, or knitting—but not while shopping. There are codes for injuries from birds such as: a duck, macaw, parrot, goose, turkey or chicken. I’d hate for my doctor to choose the “bitten by turtle” versus “struck by turtle” code. My insurance company might not reimburse the second.

Do people know of any other off the wall ICD-10 codes?

While this has me a little concerned to see ICD-10 in action, hopefully it will give all of you a good laugh going into the weekend. I can’t say I saw a code for any sort of Friday inefficiency, but there probably should be.

EMR Under Construction (Implementation) Sign

Posted on September 22, 2011 | Written By John Lynn

I saw a tweet of a picture from the front desk of a doctor’s office that’s implementing an Electronic Medical Record in their office. I’ll embed the image below, but since it’s a little hard to read, here’s the text from the sign:

UNDER CONSTRUCTION
Pardon us while we improve your visit.

In order to provide you with the most efficient visit possible, MedExpress is installing an EMR (Electronic Medical Records) system.

This technology enables MedExpress to provide you even more convenient care, and ensures that your records will hold more accurate documentation, in a safer, more concisely stored location.

By 2012, it is federally mandated that healthcare providers initiate electronic health records. MedExpress is keeping up with the current health information technology. In addition, this promotes “green practices” to lower our paper usage.

Please bear with us, as we are currently in training with this system.

This sign brings up a lot of interesting talking points. The first one that hits me is back about 5 years ago when I heard someone propose (mostly jokingly) the idea of having a “Got EMR?” sign for offices. This isn’t quite the same, but does use some of the same idea of the value of EHR to patients.

I’ll set aside the part of the sign that talks about the government EHR mandate since we’ve talked about it plenty of times before (and how it’s not really a mandate). I’ll also avoid commenting on the “green practices” section of the sign, but it’s amazing how green has infiltrated marketing.

Instead, does anyone else find it amazing that the anticipated slow down for this clinic’s EHR implementation was so big that they typed and printed up a sign explaining the slow down? Maybe it’s just during the time that the doctors are training and not actually a slow down that has to do with actual use of the EHR after training. Although, I know many EHR vendors that are now rolling their eyes when they hear about the EHR training and implementation time and its effect on physician productivity.

I can’t help but wonder which EHR software this clinic is implementing. That would be interesting to know.

EMR Security Monitoring Systems

Posted on September 21, 2011 | Written By John Lynn

There’s been an interesting situation going on between a couple EHR vendors. I first saw this when I got the press release that meridianEMR filed a lawsuit against UroChart. The lawsuit claims that UroChart obtained access to meridianEMR’s data. (Note: See this comment from IT Director of meridianEMR that discusses more details of what happened and how no data was breached.)

Lawsuits aside, meridianEMR is trying to capitalize on the situation by talking about how their EMR security monitoring system was what notified them of the breach attack by UroChart. They call it their Advanced Monitoring System (AMS) and say it responds immediately to any breach attacks and protects patient records.

I’m not sure if it’s a smart move to use a breach of their system as a way to promote their ability to protect patient records. I guess they can argue that their monitoring service was what protected their patient records. However, the lawsuit is claiming that patient records were at risk. I don’t think that’s something any EMR vendor wants tied to their name, is it?

Marketing strategy aside, this security monitoring service is interesting and I can’t say I’ve really seen something like it in any other EMR system. Sure, they all have some sort of audit tracking and trail. However, I think most EMR vendors’ strategy is not detection, but prevention. They harden their systems using the best techniques, but don’t do much to try and detect breaches. Should that be changed?

One problem with breaches is that good hackers know how to even avoid the detection part. I still remember when my friend showed me how he had hacked into a server and you could see him logged in. Then, he ran a script and you couldn’t see him anymore. I guess if you compare it to the physical world, it’s like having a camera watching the front door, but no camera on the back door. However, in the digital world there are lots of different doors, including those we don’t know about.

Some might argue that ignorance is bliss in this instance. Sure, no EMR vendor is going to admit that in public. Neither is a doctor. However, the regulations have made it pretty harsh when you know that there’s been a breach of your system. You basically have to make it known to all the world. However, if you don’t know that your EMR system has been compromised, then you have no such requirements.

I’m sure some people won’t like me saying this, but be sure that many doctors and EMR vendors have thought about this. I’m sure there were parallels in the paper world too. So, let’s not act like this is really that new. Although, certainly technology has made it possible to have much larger breaches.

One thing worth noting is that I haven’t seen a group of healthcare hackers forming. There’s no underground group of people that I’ve heard of that are trying to hack and get access to healthcare data. Financial data is much easier to monetize for a hacker than healthcare data. That’s not to say that healthcare data isn’t valuable and can’t have consequences if it’s put in the wrong hands. However, most hackers do it for the Lulz, for financial gain, or vengeance. Things could certainly change, but I haven’t seen healthcare as a prime target for hackers. I’d love to see if you have evidence that says otherwise.

If you evaluate the list of breaches that are published by HHS, this seems to agree with my above evaluation. Almost every single breach was just due to something being lost, a physical device being stolen (which you can almost guarantee they wanted the laptop and not the healthcare data which they probably didn’t even know was on the laptop), or inappropriate use by someone on a system already.

It will be interesting to see how these EMR security monitoring systems evolve. Plus, will we see more need for these types of protections and monitoring of EMR systems?