
Attackers Try To Sell 600K Patient Records

Posted on July 22, 2016 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

New research has concluded that attackers recently infiltrated U.S. healthcare institutions and stole at least 600,000 patient records, then attempted to sell more than 3 TB of associated data. The attacks, which were discovered by security firm InfoArmor, targeted not only hospitals, but also private clinics and vendors of medical equipment and supplies such as orthopedics, eWeek reports.

According to InfoArmor, the attacker gained access to the patient data by exploiting weak user credentials, and hacked Remote Desktop Protocol connections on some servers with static external IP addresses. The data thief also used a local privilege escalation exploit to access system files for added patching and backdooring, InfoArmor chief intelligence officer Andrew Komarov told eWeek.

And sadly, some healthcare institutions made it pretty easy for intruders. In some cases, data thieves were able to exfiltrate data stored in Microsoft Access desktop databases without any special user access segregation or rights control in place, Komarov told the magazine.

Future exploits may emerge through medical device connections, as many institutions aren’t paying enough attention to device security, he warns. “[Providers] think that the medical device is just a device for their specific function and sometimes they don’t [have] knowledge of misconfigured devices in their networks,” Komarov said.

So what will become of the data? Many things, and none of them good. Some cyber criminals will sell Social Security numbers, and other scammers will use the data to sell fraudulent healthcare services. Cyber-grifters who steal a patient’s history of illness and their biography can use them to take advantage of consumers, he pointed out. And to sharpen their con, such criminals can even buy select data focused on geographic regions, Komarov noted in a follow-up chat with me.

To address exploits engineered through remote access sessions, one consulting firm is pitching technology allowing administrators to go over remote sessions with a fine-toothed comb.

Balazs Scheidler, CTO of security vendor BalaBit, notes that while remote access to internal IT resources is common, using protocols such as Microsoft Remote Desktop or Citrix ICA, IT managers don’t always have enough visibility into who’s accessing systems, when they are logging in and from where systems are being accessed. BalaBit is pitching a system which offers “CCTV-like” recording of user sessions, including screen contents, mouse movements, clicks and keystrokes.

But the truth is, regardless of what approach providers take, they simply have to step up security measures across the board. If attackers can access your data through a vulnerable Microsoft Access database, clearly something is out of order. And in fact, in many cases, it’s just that easy for attackers to get into your network.

ONC Offers Two Interoperability Measures

Posted on July 14, 2016 | Written By Anne Zieger

For a while now, it’s been unclear how federal regulators would measure whether the U.S. healthcare system was moving toward the “widespread interoperability” MACRA requires. But the wait is over, and after reviewing a bunch of comments, ONC has come through with some proposals that seem fairly reasonable at first glance.

According to a new blog entry from ONC, the agency has gotten almost 100 comments on how to address interoperability. These recommendations, the agency concluded, fell into four broad categories:

  • Don’t create any significant new reporting burdens for providers
  • Broaden the scope of interoperability measurements to include providers and individuals that are not eligible for Medicare and Medicaid EHR incentives
  • Create measures that examine usage and usefulness of exchanged information, as well as the impact on health outcomes, in addition to measuring the exchange itself
  • Recognize that given the complexity of measuring interoperability, it will take multiple data sources, and that more discussions will be necessary to create an effective model for such measurements

In response, ONC has come up with two core measures which address not only the comments, but also its own analysis and MACRA’s specific definitions of “widespread interoperability.”

  • Measure #1: Proportion of healthcare providers electronically engaging in the following core domains of interoperable exchange of health information: sending; receiving; finding (querying); and integrating information received from outside sources.
  • Measure #2: Proportion of healthcare providers who report using information electronically received through outside providers and sources for clinical decision-making.

To measure these activities, ONC expects to be able to draw on existing national surveys of hospitals and office-based physicians. These include the American Hospital Association’s AHA Information Technology Supplement Survey and the CDC National Center for Health Statistics’ annual National Electronic Health Record Survey of office-based physicians.

The reasons ONC would like to use these data sources include that they are not limited to Medicare and Medicaid EHR incentive program participants, and that both surveys have relatively high response rates.

I don’t know about you, but I was afraid things would be much worse. Measuring interoperability is quite difficult, given that just about everyone in the healthcare industry seems to have a slightly different take on what true interoperability actually is.

For example, there’s a fairly big gulf between those who feel interoperability only happens when all data flows from provider to provider, and those who feel that sharing a well-defined subset (such as that found in the Continuity of Care Document) would do the trick just fine. There is no way to address both of these models at the same time, much less the thousand shades of gray between the two extremes.

While its measures may not provide the final word on the subject, ONC has done a good job with the problem it was given, creating a model which is likely to be palatable to most of the parties involved. And that’s pretty unusual in the contentious world of health data interoperability. I hope the rollout goes equally well.

VA May Drop VistA For Commercial EHR

Posted on July 12, 2016 | Written By Anne Zieger

It’s beginning to look like the famed VistA EHR may be shelved by the Department of Veterans Affairs, probably to be replaced by a commercial EHR rollout. If so, it could spell the end of the VA’s involvement in the highly-rated open source platform, which has been in use for 40 years. It will be interesting to see how the commercial EHR companies that support VistA would be impacted by this decision.

The first rumblings were heard in March, when VA CIO LaVerne Council suggested that the VA wasn’t committed to VistA. Now Council, who supervises the agency’s $4 billion IT budget, sounds a bit more resolved. “I have a lot of respect for VistA but it’s a 40-year-old product,” Council told Politico. “Looking at what technology can do today that it couldn’t do then — it can do a lot.”

Her comments were echoed by VA undersecretary for health David Shulkin, who last month told a Senate hearing that the agency is likely to replace VistA with commercial software.

Apparently, the agency will leave VistA in place through 2018. At that point, the agency expects to begin creating a cloud-based platform which may include VistA elements at its core, Politico reports. Council told the hearing that VA IT leaders expect to work with the ONC, as well as the Department of Defense, in building its new digital health platform.

Particularly given its history, which includes some serious fumbles, it’s hardly surprising that some Senate members were critical of the VA’s plans. For example, Sen. Patty Murray said that she was still disappointed with the agency’s 2013 decision to call off plans for an EHR that integrated fully with the DoD. And Sen. Richard Blumenthal expressed frustration as well. “The decades of unsuccessful attempts to establish an electronic health record system that is compatible across the VA and DoD has caused hundreds of millions of taxpayer dollars to be wasted,” he told the committee.

Now, the question is what commercial system the VA will select. While all the enterprise EHR vendors would seem to have a shot, it seems to me that Cerner is a likely bet. One major reason to anticipate such a move is that Cerner and its partners recently won the $4.3 billion contract to roll out a new health IT platform for the DoD.

Not only that, as I noted in a post earlier this year, the buzz around the deal suggested that Cerner won the DoD contract because it was seen as more open than Epic. I am taking no position on whether there’s any truth to this belief, nor how widespread such gossip may be. But if policymakers or politicians do see Cerner as more interoperability-friendly, that will certainly boost the odds that the VA will choose Cerner as partner.

Of course, any EHR selection process can take crazy turns, and when you throw in politics the process can get even crazier. So obviously, no one knows what the VA will do. In fact, given their battles with the DoD maybe they’ll go with Epic just to be different. But if I were a Cerner marketer I’d like my odds.

ONC Kicks Off Blockchain Whitepaper Contest

Posted on July 11, 2016 | Written By Anne Zieger

Hold onto your hats, folks. The ONC has taken an official interest in blockchain technology, a move which suggests that it’s becoming a more mainstream technology in healthcare.

As you may know, blockchain is the backbone for the somewhat shadowy world of bitcoin, a “cryptocurrency” whose users can’t be traced. (For some of you, your first introduction to cryptocurrency may have been when a Hollywood, CA hospital was forced to pay off ransomware demands with $17K in bitcoins.)

But despite its use by criminals, blockchain still has great potential for creating breakthroughs for legitimate businesses, notably banking and healthcare. Looked at dispassionately, a blockchain is just a distributed database, one which maintains a continuously growing list with data records hardened against tampering and revision.

Right now, the most common use of the blockchain is to serve as a public ledger of bitcoin transactions. But the concept is bubbling up in the healthcare world, with some even suggesting that blockchain should be used to tackle health data security problems.

And now, the ONC has shown interest in this technology, soliciting white papers that offer a thoughtful take on how blockchain can help meet important healthcare industry objectives.

The whitepaper, which may be no longer than 10 pages, must be submitted by July 29. (Want to participate, but don’t have time to write the paper yourself? Click here.) Papers must discuss the cryptography and underlying fundamentals of blockchain technology, explain how the use of blockchain can meet industry interoperability needs, patient centered outcomes research, precision medicine and other healthcare delivery needs, as well as offering recommendations for blockchain’s implementation.

The ONC will choose eight winning papers from among the submissions. Winning authors will have an opportunity to present the paper at a Blockchain & Healthcare Workshop held at NIST headquarters in Gaithersburg, MD on September 26th and 27th.

In hosting this contest, ONC is lending blockchain approaches in healthcare a level of credibility they might not have had in the past. But there’s already a lot of discussion going on about blockchain applications for health IT.

So what are people talking about where blockchain IT is concerned? In one LinkedIn piece, consultant Peter Nichol argues that blockchain can address concerns around scalability and privacy of electronic medical records. He also suggests that blockchain technology can provide patients with more sophisticated privacy control of their personal health information. For example, providers can enhance health data security by letting patients combine their own blockchain signature with a hospital’s signature.

But obviously, ONC leaders think there’s a lot more that can be done here. And I’m pretty confident that they’re right. While I’m no security or cryptocurrency expert, I know that when a technology has been kicked around for several years, and used for a sensitive function like financial exchange without racking up any major failures, it’s got to be pretty solid. I’m eager to see what people come up with!

E-Patient Update: Don’t Give Patients Needless Paperwork

Posted on July 6, 2016 | Written By Anne Zieger

Recently, I had an initial appointment with a primary care practice. As I expected, I had a lot of paperwork to fill out, including not only routine administrative items like consent to bill my insurer and HIPAA policies, but also several pages of medical history.

While nobody likes filling out forms, I have no problem with doing so, as I realize that these documents are very important to building a relationship with a medical practice. However, I was very annoyed by what happened later, when I was ushered back into the clinical suite.

Despite my having filled out the extensive checklist of medical history items, I was asked every single one of the questions featured on the form verbally by a med tech who saw me ahead of my clinical appointment. And I mean Every. Single. One. I was as polite and patient as I could be, particularly given that it wasn’t the poor tech’s fault, but I was simmering nonetheless, for a couple of reasons.

First, on a practical level, it was infuriating to have filled out a long clinical interview form for what seemed to be absolutely no reason. This is in part because, as some readers may remember, I have Parkinson’s disease, and filling out forms can be difficult and even painful. But even if my writing hand was unimpaired I would’ve been rather irked by what seemed to be pointless duplication.

Not only that, as it turns out the practice seems to have had access to my medication list — perhaps from claims data? — and could have spared me the particularly grueling job of writing out all the medications I currently take. Given my background in HIT, I was forced to wonder whether even the checkbox lists of past illnesses, surgeries and the like were even necessary.

After all, if the group is sophisticated enough to access my medications list, perhaps it could have accessed my other medical records as well. In fact, as it turned out, the primary care group is owned by the dominant local health system which has been providing most of my care for 20 years. So the clinicians almost certainly had a shot at downloading my current medical data in some form.

Even if the medical group had no access to any historical data on my care, I can’t imagine why administrators would require me to fill out a medical history form if the tech was going to ask me every question on the form. My hunch is that it may be some wrongheaded attempt at liability management, providing the practice with some form of cover if somebody failed to collect an accurate history during the interview. But other than that I can’t imagine what was going on there.

The reality is, physician practices that are transitioning into EMR use, or adopting a new EMR, may end up requiring their staff to do double data entry to one extent or another as practice leaders figure things out. But asking patients to do so shows an alarming lack of consideration for my time and effort. Perhaps the practice has forgotten that I’m not on the payroll?

An Alternate Way Of Authenticating Patients

Posted on July 5, 2016 | Written By Anne Zieger

Lately, I’ve been experimenting with a security app I downloaded to my Android phone. The app, True Key by Intel Security, allows you to log in by presenting your face for a scan or using your fingerprint. Once inside the app, you can access your preferred apps with a single click, as it stores your user name and passwords securely. Next, I simplified things further by downloading the app to my laptop and tablet, which synchs up whatever access info I enter across all devices.

From what I can see, Intel is positioning this as a direct-to-consumer play. The True Key documentation describes the app as a tool non-techies can use to access sites easily, store passwords securely and visit their favorite sites across all of their devices without re-entering authentication data. But I’m intrigued by the app’s potential for enterprise healthcare security access control.

Right now, there are serious flaws in the way application access is managed. As things stand, authentication information is usually stored in the same network infrastructure as the applications themselves, at least on a high-level basis. So the process goes like this, more or less: Untrusted device uses untrusted app to access a secure system. The secure system requests credentials from the device user, verifies them against an ID/PW database and if they are correct, logs them in.

Of course, there are alternatives to this approach, ranging from biometric-only access to instantly-generated, always-unique passwords, but few organizations have the resources to maintain super-advanced access protocols. So in reality, most enterprises have to firewall up their security and authentication databases and pray that those resources don’t get hacked. Theoretically, institutions might be able to create another hacking speed bump by storing authentication information in the cloud, but that obviously raises a host of additional security questions.

So here’s an idea. What if health IT organizations demanded that users install biometrically-locked apps like True Key on their devices? Then, enterprise HIT software could authenticate users at the device level – surely a possibility given that devices have unique IDs – and let users maintain password security at their end. That way, if an enterprise system was hacked, the attacker could gain access to device information, but wouldn’t have immediate access to a massive ID and PW database that gave them access to all system resources.

What I’m getting at, here, is that I believe healthcare organizations should maintain relationships with patients (as represented by their unique devices) rather than their ID and password. While no form of identity verification is perfect, to me it seems a lot more likely that it’s really me logging in if I had to use my facial features or fingerprint as an entry point. After all, virtually any ID/PW pair chosen by a user can be guessed or hacked, but if you authenticate to my face/fingerprint and a registered device, the odds are high that you’re getting me.

So now it’s your turn, readers. What flaws do you see in this approach? Have you run into other apps that might serve this purpose better than True Key? Should HIT vendors create these apps? Have at it.

AMA’s Digital Health ‘Snake Oil’ Claim Creates Needless Conflict

Posted on June 22, 2016 | Written By Anne Zieger

Earlier this month, the head of the American Medical Association issued a challenge which should resonate for years to come. At this year’s annual meeting, Dr. James Madara argued that many direct-to-consumer digital health products, apps and even EMRs were “the digital snake oil of the early 21st century,” and that doctors will need to serve as gatekeepers to the industry.

His comments, which have been controversial, weren’t quite as immoderate as some critics have suggested. He argued that some digital health tools were “potentially magnificent,” and called on doctors to separate useful products from “so-called advancements that don’t have an appropriate evidence base, or that just don’t work that well – or that actually impede care, confuse patients, and waste our time.”

It certainly makes sense to sort the digital wheat from the chaff. After all, as of late last year there were more than 165,000 mobile health apps on the market, more than double that available in 2013, according to a study by IMS Institute for Healthcare Informatics. And despite the increasing proliferation of wearable health trackers, there is little research available to suggest that they offer concrete health benefits or promote sustainable behavior change.

That being said, the term “snake oil” has a loaded historical meaning, and we should hold Dr. Madara accountable for using it. According to Wikipedia, “snake oil” is an expression associated with products that offer questionable or unverifiable quality or benefits – which may or may not be fair. But let’s take things a bit further. In the same entry, Wikipedia says that a snake oil salesman “is someone who knowingly sells fraudulent goods or who is themselves a fraud, quack or charlatan.” And that’s a pretty harsh way to describe digital health entrepreneurs.

Ultimately, though, the issue isn’t whether Dr. Madara hurt someone’s feelings. What troubles me about his comments is they create conflict where none needs to exist.

Back in the 1850s, when what can charitably be called “entrepreneurs” were selling useless or toxic elixirs, many were doubtless aware that the products they sold had no benefit or might even harm consumers. And if what I’ve read about that era is true, I doubt they cared.

But today’s digital health entrepreneurs, in contrast, desperately want to get it right. These innovators – and digital health product line leaders within firms like Samsung and Apple – are very open to working with clinicians. In fact, most if not all work directly with both staff doctors and clinicians in community practice, and are always open to getting guidance on how to support the practice of medicine.

So while Dr. Madara’s comments aren’t precisely wrong, they suggest a fear and distrust of technology which doesn’t become any 21st century professional organization.

Think I’m wrong? Well, then why didn’t the AMA leader announce the formation of an investment fund to back the “potentially magnificent” advances he admits exist? If the AMA did that, it would demonstrate that even a 169-year-old organization can adapt and grow. But otherwise, his words suggest that the venerable trade group still holds disappointingly Luddite views better suited for the dustbin of history.

UPDATE: An AMA representative has informed me that I got some details in the story above wrong, and I’m eager to correct my error. According to Christopher Khoury, vice president of environmental analysis and strategic analytics with the group, the AMA is indeed investing in digital health innovation. He notes that in January, the group announced the formation of San Francisco-based Health2047 (www.health2047.com), for which it serves as lead investor. Health2047 is dedicated to furthering the commercialization of digital tools and solutions that help practicing physicians. It also sponsors Matter, a healthcare incubator based in Chicago.

Securing IoT Devices Calls For New Ways Of Doing Business

Posted on June 8, 2016 | Written By Anne Zieger

While new Internet-connected devices can expose healthcare organizations to security threats in much the same way as a desktop PC or laptop, they aren’t always procured, monitored or maintained the same way. This can lead to potentially major ePHI breaches, as one renowned health system recently found out.

According to a piece in SearchHealthIT, executives at Intermountain Healthcare recently went through something of a panic when a connected audiology device went missing. According to Intermountain CISO Karl West, the device had come into the hospital via a different channel than most of the system’s other devices. For that reason, West told the site, his team couldn’t verify what operating system the audiology device had, how it had come into the hospital and what its lifecycle management status was.

Not only did Intermountain lack some key configuration and operating system data on the device, they didn’t know how to prevent the exposure of stored patient information the device had on board. And because the data was persistent over time, the audiology device had information on multiple patients — in fact, every patient that had used the device. When the device was eventually located, it was discovered that it held two-and-a-half years’ worth of stored patient data.

After this incident, West realized that Intermountain needed to improve on how it managed Internet of Things devices. Specifically, the team decided that simply taking inventory of all devices and applications was far from sufficient to protect the security of IoT medical devices.

To prevent such problems from occurring again, West and his team created a data dictionary, designed to let them know where data originates, how it moves and where it resides. The group is also documenting what each IoT device’s transmission capabilities are, West told SearchHealthIT.

A huge vulnerability

Unfortunately, Intermountain isn’t the first and won’t be the last health system to face problems in managing IoT device security. Such devices can be a huge vulnerability, as they are seldom documented and maintained in the same way that traditional network devices are. In fact, this lack of oversight is almost a given when you consider where they come from.

Sure, some connected devices arrive via traditional medical device channels — such as, for example, connected infusion pumps — but a growing number of network-connected devices are coming through consumer channels. For example, though the problem is well understood these days, healthcare organizations continue to grapple with security issues created by staff-owned smart phones and tablets.

The next wave of smart, connected devices may pose even bigger problems. While operating systems running mobile devices are well understood, and can be maintained and secured using enterprise-level processes, new connected devices are throwing the entire healthcare industry a curveball. After all, the smart watch a patient brings into your facility doesn’t turn up on your procurement schedule, may use nonstandard software, and its operating system and applications may not be patched. And that’s just one example.

Redesigning processes

While there’s no single solution to this rapidly-growing problem, one thing seems to be clear. As the Intermountain example demonstrates, healthcare organizations must redefine their processes for tracking and securing devices in the face of the IoT security threat.

First and foremost, medical device teams and the IT department must come together to create a comprehensive connected device strategy. Both teams need to know what devices are using the network, how and why. And whatever policy is set for managing IoT devices has to embrace everyone. This is no time for a turf war — it’s time to hunker down and manage this serious threat.

Efforts like Intermountain’s may not work for every organization, but the key is to take a step forward. As the number of IoT network nodes grows to a nearly infinite level, healthcare organizations will have to re-think their entire philosophy on how and why networked devices should interact. Otherwise, a catastrophic breach is nearly guaranteed.

FHIR Product Director Speaks Out On FHIR Hype

Posted on June 6, 2016 | Written By Anne Zieger

To date, all signs suggest that the FHIR standard set has tremendous promise, and that FHIR adoption is growing by leaps and bounds. In fact, one well-connected developer I spoke with recently argues that FHIR will be integrated into ONC’s EHR certification standards by 2017, when MACRA demands its much ballyhooed “widespread interoperability.”

However, like any other new technology or standard, FHIR is susceptible to being over-hyped. And when the one suggesting that FHIR fandom is getting out of control is Grahame Grieve, FHIR product director, his arguments definitely deserve a listen.

In a recent blog post, Grieve notes that the Gartner hype cycle predicts that a new technology will keep generating enthusiasm until it hits the peak of inflated expectations. Only after falling into the trough of disillusionment and climbing the slope of enlightenment does it reach the plateau of productivity, the Gartner model suggests.

Now, a guy who’s driving FHIR’s development could be forgiven for sucking up the praise and excitement around the emerging standard and enjoying the moment. Instead, though, it seems that Grieve thinks people are getting ahead of themselves.

To his way of thinking, the rate of hype speech around FHIR continues to expand. As he sees it, people are “[making] wildly inflated claims about what is possible, (wilfully) misunderstanding the limitations of the technology, and evangelizing the technology for all sorts of ill judged applications.”

As Grieve sees it, the biggest cloud of smoke around FHIR is that it will “solve interoperability.” And, he flatly states, it’s not going to do that, and can’t:

FHIR is two things: a technology, and a culture. I’m proud of both of those things…But people who think that [interoperability] will be solved anytime soon don’t understand the constraints we work under…We have severely limited ability to standardise the practice of healthcare or medicine. We just have to accept them as they are. So we can’t provide prescriptive information models. We can’t force vendors or institutions to do things the same way. We can’t force them to share particular kinds of information at particular times. All we can do is describe a common way to do it, if people want to do it.

The reality is that while FHIR works as a means of sharing information out of an EHR, it can’t force different stakeholders (such as departments, vendors or governments) to cooperate successfully on sharing data, he notes. So while the FHIR culture can help get things done, the FHIR standard — like other standards efforts — is just a tool.

To be sure, FHIR seems to have legs, and efforts like the Argonaut Project — which is working to develop a first-generation FHIR-based API and Core Data Services specification — are likely to keep moving full steam ahead.

But as Grieve sees it, it’s important to keep the pace of FHIR work deliberate and keep fundamentals like solid processes and well-tested specifications in mind: “If we can get that right — and it’s a work in process — then the trough of despair won’t be as deep as it might.”

Vendors Bring Heart And Lung Sounds To EHR

Posted on June 3, 2016 | Written By Anne Zieger

In what they say is a first, a group of technology vendors has teamed up to add heart and lung sounds to an EMR. The current effort extends only to the drchrono EHR, but if this rollout works, it seems likely that other vendors will follow, as adding multimedia content to patient medical records is a very logical step.

Direct Urgent Care, a Berkeley, CA-based urgent care provider with 30,000 patients, is rolling out the Eko Core Digital Stethoscope for use by physicians. The heart and lung sounds will be recorded by the digital stethoscope, then transmitted wirelessly to a phone- or tablet-based mobile app. The app, in turn, uploads the audio files to the drchrono EHR.

Ordinarily, I’d see this as an early experiment in managing multimedia health data and leave it at that. But two things make it more interesting.

One is that the Eko Core sells for a relatively modest $299, which is not bad for an FDA-cleared device. (Eko also sells an attachment for $199 which digitizes and records sounds captured by traditional analog stethoscopes, as well as streaming those files to the Eko app.) The other is that the recorded sounds can be shared with remote specialists such as cardiologists and pulmonologists, which seems valuable on its face even if the data doesn’t get stored within an EMR.

Not only that, this rollout underscores a problem that has been given too little attention. At present, from what I’ve seen, few EMRs incorporate anything beyond text. Even radiology images, which have been digital for ages (and managed by sophisticated PACS platforms) typically aren’t accessible to the EMR interface. In fact, my understanding is that PACS data is another silo that needs to be broken down.

Meanwhile, medical practices and hospitals are increasingly generating data that doesn’t fit into the existing EMR template, from sources such as wearables, health apps and video consults. Neither EMR developers nor standards organizations seem to have kept up with the influx of emerging non-text data, so virtually none of it is being integrated into patient records yet.

In other words, not only is it interesting to note that an EMR vendor is incorporating audio into medical records, at a modest cost, it’s worth taking stock of what it can teach us about enriching digital patient records overall.

Eventually, after all, patients will be able to capture — with some degree of accuracy — multimedia content that includes not only audio, but also ultrasound recordings, EKG charts and more. Of course, these self-administered tests will never replace a consult by a skilled clinician, but there certainly are situations in which this data will be relevant.

When you also bear in mind that the number of telemedicine consults being conducted is growing dramatically, and that these, too, offer insights that could become part of a patient’s chart, the need to go beyond text-based EMRs becomes even more evident.

So maybe the Eko/drchrono partnership will work out, and maybe it won’t. But what they’re doing matters nonetheless.