
Attackers Try To Sell 600K Patient Records

Posted on July 22, 2016 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

New research has concluded that attackers recently infiltrated U.S. healthcare institutions and stole at least 600,000 patient records, then attempted to sell more than 3 TB of associated data. The attacks, which were discovered by security firm InfoArmor, targeted not only hospitals, but also private clinics and vendors of medical equipment and supplies such as orthopedics, eWeek reports.

According to InfoArmor, the attacker gained access to the patient data by exploiting weak user credentials, and hacked Remote Desktop Protocol connections on some servers with static external IP addresses. The data thief also used a local privilege escalation exploit to access system files for added patching and backdooring, InfoArmor chief intelligence officer Andrew Komarov told eWeek.
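As an added example (not code from the article, InfoArmor or eWeek), the Python check below flags the weak-credential path Komarov describes: repeated failed RDP logons from an external address followed by a successful one from the same source. It assumes a constructed tab-separated extract of Windows Security events; the field layout, the sample addresses and the internal address ranges are assumptions for this example.

```python
"""Flag password guessing against an Internet-exposed RDP service that ends in
a successful logon: the weak-credential path the article describes.

Input is a constructed, tab-separated extract of Windows Security events
(4625 = failed logon, 4624 = successful logon, logon type 10 = RDP). The field
layout is an assumption for this example, not a real export format.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: timestamp, event id, logon type, account, source IP.
SAMPLE_EVENTS = """\
2016-07-20T02:14:01\t4625\t10\tadministrator\t203.0.113.45
2016-07-20T02:14:03\t4625\t10\tadministrator\t203.0.113.45
2016-07-20T02:14:05\t4625\t10\tadmin\t203.0.113.45
2016-07-20T02:14:06\t4625\t10\tbackup\t203.0.113.45
2016-07-20T02:14:08\t4625\t10\tadministrator\t203.0.113.45
2016-07-20T02:14:11\t4624\t10\tbackup\t203.0.113.45
2016-07-20T02:15:00\t4625\t10\tjsmith\t10.0.5.21
2016-07-20T02:15:30\t4624\t10\tjsmith\t10.0.5.21
2016-07-20T02:40:00\t4625\t10\tjdoe\t198.51.100.7
2016-07-20T02:40:20\t4624\t10\tjdoe\t198.51.100.7
2016-07-20T03:00:00\t4624\t2\tnurse1\t10.0.5.30
"""

# Ranges treated as internal (RFC 1918 plus loopback); an assumption, adjust to
# your own address plan. Checked explicitly rather than via is_private so the
# documentation ranges used in the sample count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

RDP_LOGON_TYPE = "10"
FAILED, SUCCESS = "4625", "4624"


def is_external(ip):
    """True when the source address lies outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_events(text):
    """Parse the tab-separated extract into dicts sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, source = line.split("\t")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "logon_type": logon_type,
            "account": account.lower(),
            "source": source,
        })
    return sorted(events, key=lambda e: e["time"])


def find_rdp_guessing(text, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per external source whose RDP logon succeeded after at
    least `threshold` failed RDP logons from that source inside `window`."""
    recent = defaultdict(deque)   # source IP -> deque of (time, account) failures
    alerts = []
    for ev in parse_events(text):
        if ev["logon_type"] != RDP_LOGON_TYPE or not is_external(ev["source"]):
            continue
        src = ev["source"]
        q = recent[src]
        while q and ev["time"] - q[0][0] > window:   # drop failures outside the window
            q.popleft()
        if ev["event_id"] == FAILED:
            q.append((ev["time"], ev["account"]))
        elif ev["event_id"] == SUCCESS and len(q) >= threshold:
            alerts.append({
                "source": src,
                "failures": len(q),
                "accounts_tried": sorted({a for _, a in q}),
                "compromised_account": ev["account"],
                "time": ev["time"].isoformat(),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_guessing(SAMPLE_EVENTS):
        print(alert)
```

The same logic applies to any logon source that records failures and successes per origin address; only the parser changes.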

And sadly, some healthcare institutions made it pretty easy for intruders. In some cases, data thieves were able to exfiltrate data stored in Microsoft Access desktop databases without any special user access segregation or rights control in place, Komarov told the magazine.

Future exploits may emerge through medical device connections, as many institutions aren’t paying enough attention to device security, he warns. “[Providers] think that the medical device is just a device for their specific function and sometimes they don’t [have] knowledge of misconfigured devices in their networks,” Komarov said.

So what will become of the data? Many things, and none of them good. Some cyber criminals will sell Social Security numbers, and other scammers will use the data to sell fraudulent healthcare services. Cyber-grifters who steal a patient’s history of illness and their biography can use them to take advantage of consumers, he pointed out. And to sharpen their con, such criminals can even buy select data focused on geographic regions, Komarov noted in a follow-up chat with me.

To address attacks carried out over remote access sessions, one consulting firm is pitching technology that lets administrators go over remote sessions with a fine-toothed comb.

Balazs Scheidler, CTO of security vendor BalaBit, notes that while remote access to internal IT resources is common, using protocols such as Microsoft Remote Desktop or Citrix ICA, IT managers don’t always have enough visibility into who’s accessing systems, when they are logging in and from where systems are being accessed. BalaBit is pitching a system which offers “CCTV-like” recording of user sessions, including screen contents, mouse movements, clicks and keystrokes.

But the truth is, regardless of what approach providers take, they simply have to step up security measures across the board. If attackers can access your data through a vulnerable Microsoft Access database, clearly something is out of order. And in fact, in many cases, it’s just that easy for attackers to get into your network.

Lessons Learned from Practice Fusion’s FTC Charges and Settlement

Posted on July 21, 2016 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Almost 3 years ago I wrote an article about Practice Fusion violating some physicians’ trust in sending millions of emails to their patients. It’s still shocking to me to read through the physicians’ reaction to having emails unknowingly sent out in their name to their patients. I spent about a month researching that story. That’s longer than I’ve done for any other article by a significant margin. What I discovered was just that compelling.

When I first was told about the story, it seemed possible that each of those emails (we estimated 9 million) was a HIPAA violation. However, as we researched the story more and talked with multiple experts, it seemed like only a small subset could have possibly been considered a HIPAA violation. Practice Fusion had done a pretty reasonable job on the HIPAA front in our opinion. We all learned a lot about HIPAA and patient emails from the experience. Not to mention the importance of physician trust in your EHR product.

With that said, Forbes read my articles and decided to write an article that extended on the research that I’d done for the story along with a follow up article that looked at some of the things patients were posting publicly in these physician reviews. Forbes didn’t link to my article since I was pretty cautious with the whole thing after Practice Fusion had threatened sending their lawyers my way. I didn’t have a bevy of lawyers behind me like Forbes. Plus, some other crazy things happened like people trying to discredit me in the comments from the same IP address in San Francisco and a fabricated blog post to try and discredit what I’d written. Needless to say, it was quite the experience.

There were some people encouraging me to take it much further and to expose some of the crazy things that went down. That wasn’t my interest. I’d told an important story that needed to be told in what I believed was a fair and accurate way. I didn’t have any other goals despite some people insinuating that I might have other intentions.

Three years after I wrote that story it’s interesting to see that the FTC finally published the complaint against Practice Fusion (they also shared an analysis) and the Settlement agreement. I guess our government does work as slowly as we all imagine.

I’m not going to dive into the details of the settlement here, but I did discuss the lessons we can learn from Practice Fusion’s FTC complaint and settlement with Shahid Shah and from our discussion I came up with these important lessons that apply to any company working in healthcare IT.

Healthcare Needs to Worry About More Than HIPAA and OCR
I think that many healthcare IT organizations only worry about HIPAA and OCR (which enforces HIPAA) when developing their products and implementing them in healthcare. This example clearly illustrates that the FTC is interested in what you do in healthcare and they’re not just going to defer to OCR to ensure that things are going right. This is particularly true as healthcare becomes more and more consumer oriented. This advice is also timely given ONC’s report to Congress about health data oversight beyond HIPAA.

Healthcare Interoperability and Public Disclosure Might Be Worse
One challenge with the FTC settlement is that it could cause many other healthcare IT vendors to use it as an excuse not to take the next step in engaging patients, sharing health information where it’s needed, and other things that will help to improve healthcare. The fear of government condemnation could cause many to balk at progressive initiatives that would benefit patients.

While I do think healthcare IT companies should be cautious, fear of the FTC shouldn’t be used as an excuse to do nothing. The reality of the Practice Fusion case wasn’t that they shouldn’t have built the product they did, it was just that they needed to better communicate what they were doing to both doctors and patients. If they had done so I wouldn’t have had an article to write and the FTC wouldn’t have had any issue with what they were doing.

Communicate Properly to Patients
Reading the FTC claim was interesting to me. In the month I spent researching the story, I felt that Practice Fusion had done a great job in their privacy notice saying that the patient’s review would be posted publicly. It stated as much in their policy and I found no fault in their posting the patient reviews in public. That’s why I didn’t write about them in my articles. Certainly they could have made it more clear to patients, but I put the responsibility on the patient to read the privacy policy. If the patient chooses not to read the privacy policy when sharing really intimate personal details in an online form, then I don’t have much sympathy for them.

Of course, I’m not a lawyer and the FTC saw it very differently. The FTC thought that the disclosure to the patient should have reached out and grabbed consumers and that the key facts shouldn’t be buried in a hard-to-understand privacy policy. A good lawyer can help an organization find the balance of effectively meeting the FTC requirements, but also not scaring patients away from participating. Although, it can certainly be a challenge.

If You Can Identify Private Information You Should
There are some obvious things that we all know shouldn’t be posted publicly. These days with technologies like NLP (natural language processing), you can identify many of these obvious pieces of private data and ensure they’re hidden and never go public. These technologies aren’t perfect, but having them in place will show that you’ve made a best effort to ensure that consumers’ health data is kept as private as possible.
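One way to implement the screening described above, as added example code rather than Practice Fusion’s or anyone else’s implementation: pattern matching (regular expressions, a simpler stand-in for the NLP the post mentions) over a constructed patient review, redacting the obvious identifiers and holding anything with a hit for a human reviewer. The identifier formats, labels and the sample review are assumptions for this example.

```python
"""Screen free-text patient reviews for obvious identifiers before they are
published, and hold anything with a hit for human review.

Pattern-based rather than NLP: regular expressions for identifier formats
that are easy to spot mechanically (US formats assumed). Sample text is
constructed, not a real review.
"""
import re

# Each rule is (label, pattern). Order matters: the SSN rule runs before the
# phone rule so a dashed nine-digit SSN is not half-consumed as a phone number.
RULES = [
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("PHONE", re.compile(r"(?:\+1[ .-]?)?\(?\b\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b")),
    ("DATE", re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")),
    ("MRN", re.compile(r"\b(?:MRN|medical record(?: number)?)[:# ]*\d{5,}\b", re.I)),
]


def redact(text):
    """Return (redacted_text, findings); findings is a list of (label, matched_text)."""
    findings = []
    for label, pattern in RULES:
        def _sub(match, label=label):
            findings.append((label, match.group(0)))
            return f"[{label} REMOVED]"
        text = pattern.sub(_sub, text)
    return text, findings


def publication_decision(review):
    """Decide whether a review can go public as-is or must wait for a human."""
    redacted, findings = redact(review)
    if not findings:
        return {"action": "publish", "text": review, "findings": []}
    # Everything caught is redacted, but the presence of identifiers suggests the
    # review may contain more that patterns miss, so route it to a person.
    return {"action": "hold_for_review", "text": redacted, "findings": findings}


SAMPLE_REVIEW = (  # constructed, not a real review
    "Dr. Smith was wonderful treating my anxiety. Reach me at (555) 123-4567 "
    "or jane.doe@example.com. My SSN is 123-45-6789 and DOB is 3/14/1978, "
    "MRN 00418273."
)

if __name__ == "__main__":
    print(publication_decision(SAMPLE_REVIEW))
```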

Communicate Better with Doctors
This might be the biggest thing I learned from the experience. I find it interesting that the FTC complaint barely even talks about it (maybe it’s not under the FTC’s purview?). However, what came through loud and clear from this experience is that you need to effectively communicate what you’re doing to the doctor. This is particularly true if you’re doing something in the doctor’s name. If not, you’re going to lose the trust of doctors.

The FTC has a blog post up which has more lessons for those of us in the healthcare industry. They’re worthy of consideration if you’re a health IT company that’s working with patients (yes, that’s pretty much all of you).

P.S. I find it interesting that the Patient Fusion website still lists 30,061 doctors on patient fusion, 181,818 appointments today, 1,844718 reviews, and 98% doctors recommended. The same numbers that were listed back in 2013:

I guess that page isn’t a real time feed. I also looked at the Patient Fusion website today to see how they showed reviews now. I didn’t scour the whole website, but it appears that they now only show the quantitative review score and not the qualitative review.

Is Your Organization Ready for EHR Adoption? – Breakaway Thinking

Posted on July 20, 2016 | Written By

The following is a guest blog post by Heather Haugen, PhD, Managing Director and CEO at The Breakaway Group (A Xerox Company). Check out all of the blog posts in the Breakaway Thinking series.
What is the most significant barrier to Electronic Health Record (EHR) adoption for clinicians?  This question was the foundation of our research published in Beyond Implementation: A Prescription for Lasting EMR Adoption in 2010. The answer wasn’t surprising then and won’t surprise you now, but let’s consider how your leaders are doing in the face of enormous change in healthcare (think telemedicine, high pharmaceutical costs, rising medical costs, medical ID theft). It’s more important than ever to focus on technology adoption in today’s healthcare climate.

The one factor that formed a pattern across every organization struggling with EHR adoption was a lack of engagement by those leading the effort, and this still holds true today. For many reasons, this is a hard pill to swallow. First, it places responsibility back on the earliest champions: those who decided to fund and move the entire organization into an EHR implementation or upgrade. Second, it requires already overworked executive and clinical leaders to make adoption a daily priority. Effective leadership is an antecedent to adoption.

There is no greater barrier to the adoption of a complex IT application in an ever-changing healthcare environment than believing we can simply pile this effort on top of the other priorities and expect success. Organizations with disengaged, part-time, and/or overworked leaders at the helm of an EHR effort will struggle and may never achieve full adoption. In contrast, organizations with leaders who are fully invested in the daily march toward adoption will not only reach the early stages of adoption, but will enjoy a reinforced cycle of meaningful clinical and financial outcomes. Leadership must take five steps to succeed in moving their organization toward EHR adoption.

Develop a “stop doing” list: Establishing a new leadership agenda requires freeing up time for those leading and working on the effort. Without reprioritizing daily tasks, EHR adoption receives inadequate time and attention. Leaders currently in charge of EHR adoption need to understand what they are going to stop doing and focus on maintaining the courage to follow through on their decision.

Create a positive tone at the top of the organization: One of the most challenging aspects of leading an EHR adoption is transforming the project into a compelling and meaningful effort for everyone. When people, especially clinicians, believe in a cause, they will go to extraordinary lengths to ensure a successful outcome. Creating a common message with purpose and constancy is not easy, and sustaining the message is even more difficult. But when leaders create the right tone for the EHR adoption message, it will be powerful and help maintain momentum to create change.

Connect to clinical leadership: The key to provider adoption of EHRs is engagement. A governance system will engage clinicians through responsibilities and accountabilities and create clinician champions – the most highly-respected and well-networked clinicians. A high level of provider engagement can ameliorate or even overcome the common barriers to adoption, including resistance to abandoning the previous charting method, the investment of time required to learn the new system and the initial drop in productivity until users attain proficiency.

Empower decision-makers and reinforce their spheres of influence: Implementing or upgrading an EHR requires thoughtful consideration of the policies and procedures that will govern the use of the system.  There are many stakeholders with a myriad of opinions and often competing interests that can dramatically slow adoption of the EHR. Adhering to a well-defined governance process ensures that the right people are involved at the right time with the right information. The lack of governance allows the wrong people to endlessly debate decisions, ignore standards and often conclude by making the wrong decisions. Leaders must establish strong governance processes that define expectations around adoption of the EHR, involve the right stakeholders to make decisions, establish policies and best practices and ultimately evaluate performance against expectations. Governance must also be flexible enough to evolve over time.

Relentlessly pursue meaningful clinical and financial metrics: The payoff for adopting an EHR comes in the form of clinical and financial outcomes. If results are neither tracked nor realized, the effort is truly a waste of time and money. Our expectations need to be realistic, but it really is the leaders who are accountable for the relentless pursuit of positive outcomes. Leaders must incent the right people to collect, analyze, and report on the data. Similar to engaging clinicians, this requires some finesse. The good news is that clinicians are generally interested in these metrics and may find the numbers compelling enough to change processes enough to impact the outcomes. Identify several key metrics that are easy to collect, work to improve them and then measure again.

Now is the time to create a new leadership agenda to drive EHR adoption and ultimately improve patient care – which is the goal we all share!

Xerox is a sponsor of the Breakaway Thinking series of blog posts. The Breakaway Group is a leader in EHR and Health IT training.

Telus Health Continues EMR M&A Strategy – Acquires Nightingale Informatix

Posted on July 18, 2016 | Written By

Colin Hung is the co-founder of the #hcldr (healthcare leadership) tweetchat one of the most popular and active healthcare social media communities on Twitter. Colin is a true believer in #HealthIT, social media and empowered patients. Colin speaks, tweets and blogs regularly about healthcare, technology, marketing and leadership. He currently leads the marketing efforts for @PatientPrompt, a Stericycle product. Colin’s Twitter handle is: @Colin_Hung

Telus Health, a Canadian-based healthcare technology and services firm that is a division of one of Canada’s largest telco operators (Telus Communications), recently announced the acquisition of Nightingale Informatix for $14 Million CDN (approximately $10.4M USD).

You can read the announcement here.

This is the latest in a string of acquisitions that Telus has made over the past 5 years in the Canadian ambulatory EMR space. Med Access, Wolf Medical Systems, Kinlogix, MD Physician Services, Medesync and now Nightingale are all part of Telus Health’s product portfolio. With these acquisitions Telus is now by far the most dominant player in the Canadian ambulatory market. There are only a handful of vendors remaining – the largest of which is Vancouver’s QHR Technologies.

EMR consolidation in Canada was inevitable. The small market size could not sustain the more than 50 EMR vendors that cropped up in the heyday of adoption. As well, unlike in the US, the government in Canada did not pour billions of dollars to encourage physicians to adopt EMR technologies. The incentive programs in Canada were handled by the provinces and were much smaller in scale. Thus the Canadian market was ripe for consolidation and Telus has been aggressively seizing these opportunities.

It is a little surprising that none of the US EMR vendors have looked north of the border for growth opportunities. With a single payer system and unique patient identifiers, you would think the Canadian market would be enticing. However, no US ambulatory EMR has made significant in-roads.

Missed opportunity? Or perhaps a wise decision to focus at home?

*Disclosure – This writer was VP of Marketing at Nightingale Informatix from 2012-2014.

[CORRECTION – July 19, 2016 2:11pm ET – The original post erroneously reported that Telus had acquired Healthscreen, EMIS and Clinicare EMRs. These three EMRs were in fact acquired by QHR Technologies and not Telus. This post was updated with a corrected list of Telus acquisitions]

ONC Offers Two Interoperability Measures

Posted on July 14, 2016 | Written By Anne Zieger

For a while now, it’s been unclear how federal regulators would measure whether the U.S. healthcare system was moving toward the “widespread interoperability” MACRA requires. But the wait is over, and after reviewing a bunch of comments, ONC has come through with some proposals that seem fairly reasonable at first glance.

According to a new blog entry from ONC, the agency has gotten almost 100 comments on how to address interoperability. These recommendations, the agency concluded, fell into four broad categories:

  • Don’t create any significant new reporting burdens for providers
  • Broaden the scope of interoperability measurements to include providers and individuals that are not eligible for Medicare and Medicaid EHR incentives
  • Create measures that examine usage and usefulness of exchanged information, as well as the impact on health outcomes, in addition to measuring the exchange itself
  • Recognize that given the complexity of measuring interoperability, it will take multiple data sources, and that more discussions will be necessary to create an effective model for such measurements

In response, ONC has come up with two core measures which address not only the comments, but also its own analysis and MACRA’s specific definitions of “widespread interoperability.”

  • Measure #1: Proportion of healthcare providers electronically engaging in the following core domains of interoperable exchange of health information: sending; receiving; finding (querying); and integrating information received from outside sources.
  • Measure #2: Proportion of healthcare providers who report using information electronically received through outside providers and sources for clinical decision-making.

To measure these activities, ONC expects to be able to draw on existing national surveys of hospitals and office-based physicians. These include the American Hospital Association’s AHA Information Technology Supplement Survey and the CDC National Center for Health Statistics’ annual National Electronic Health Record Survey of office-based physicians.

The reasons ONC would like to use these data sources include that they are not limited to Medicare and Medicaid EHR incentive program participants, and that both surveys have relatively high response rates.

I don’t know about you, but I was afraid things would be much worse. Measuring interoperability is quite difficult, given that just about everyone in the healthcare industry seems to have a slightly different take on what true interoperability actually is.

For example, there’s a fairly big gulf between those who feel interoperability only happens when all data flows from provider to provider, and those who feel that sharing a well-defined subset (such as that found in the Continuity of Care Document) would do the trick just fine. There is no way to address both of these models at the same time, much less the thousand shades of gray between the two extremes.

While its measures may not provide the final word on the subject, ONC has done a good job with the problem it was given, creating a model which is likely to be palatable to most of the parties involved. And that’s pretty unusual in the contentious world of health data interoperability. I hope the rollout goes equally well.

VA May Drop VistA For Commercial EHR

Posted on July 12, 2016 | Written By Anne Zieger

It’s beginning to look like the famed VistA EHR may be shelved by the Department of Veterans Affairs, probably to be replaced by a commercial EHR rollout. If so, it could spell the end of the VA’s involvement in the highly-rated open source platform, which has been in use for 40 years. It will be interesting to see how the commercial EHR companies that support VistA would be impacted by this decision.

The first rumblings were heard in March, when VA CIO LaVerne Council suggested that the VA wasn’t committed to VistA. Now Council, who supervises the agency’s $4 billion IT budget, sounds a bit more resolved. “I have a lot of respect for VistA but it’s a 40-year-old product,” Council told Politico. “Looking at what technology can do today that it couldn’t do then — it can do a lot.”

Her comments were echoed by VA undersecretary for health David Shulkin, who last month told a Senate hearing that the agency is likely to replace VistA with commercial software.

Apparently, the agency will leave VistA in place through 2018. At that point, the agency expects to begin creating a cloud-based platform which may include VistA elements at its core, Politico reports. Council told the hearing that VA IT leaders expect to work with the ONC, as well as the Department of Defense, in building its new digital health platform.

Particularly given its history, which includes some serious fumbles, it’s hardly surprising that some Senate members were critical of the VA’s plans. For example, Sen. Patty Murray said that she was still disappointed with the agency’s 2013 decision to call off plans for an EHR that integrated fully with the DoD. And Sen. Richard Blumenthal expressed frustration as well. “The decades of unsuccessful attempts to establish an electronic health record system that is compatible across the VA in DoD has caused hundreds of millions of taxpayer dollars to be wasted,” he told the committee.

Now, the question is what commercial system the VA will select. While all the enterprise EHR vendors would seem to have a shot, it seems to me that Cerner is a likely bet. One major reason to anticipate such a move is that Cerner and its partners recently won the $4.3 billion contract to roll out a new health IT platform for the DoD.

Not only that, as I noted in a post earlier this year, the buzz around the deal suggested that Cerner won the DoD contract because it was seen as more open than Epic. I am taking no position on whether there’s any truth to this belief, nor how widespread such gossip may be. But if policymakers or politicians do see Cerner as more interoperability-friendly, that will certainly boost the odds that the VA will choose Cerner as partner.

Of course, any EHR selection process can take crazy turns, and when you throw in politics the process can get even crazier. So obviously, no one knows what the VA will do. In fact, given their battles with the DoD maybe they’ll go with Epic just to be different. But if I were a Cerner marketer I’d like my odds.

ONC Kicks Off Blockchain Whitepaper Contest

Posted on July 11, 2016 | Written By Anne Zieger

Hold onto your hats, folks. The ONC has taken an official interest in blockchain technology, a move which suggests that it’s becoming a more mainstream technology in healthcare.

As you may know, blockchain is the backbone for the somewhat shadowy world of bitcoin, a “cryptocurrency” whose users can’t be traced. (For some of you, your first introduction to cryptocurrency may have been when a Hollywood, CA hospital was forced to pay off ransomware demands with $17K in bitcoins.)

But despite its use by criminals, blockchain still has great potential for creating breakthroughs for legitimate businesses, notably banking and healthcare. Looked at dispassionately, a blockchain is just a distributed database, one which maintains a continuously growing list of data records hardened against tampering and revision.

Right now, the most common use of the blockchain is to serve as a public ledger of bitcoin transactions. But the concept is bubbling up in the healthcare world, with some even suggesting that blockchain should be used to tackle health data security problems.
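The tamper-evidence property described above, as an added example that is not part of the original post or of any project it mentions: a minimal hash chain in Python, with no network or consensus layer, over constructed audit-log records. Each block commits to the hash of the block before it, so revising or deleting an earlier record is caught by re-verifying the chain.

```python
"""Minimal hash chain showing the property the post attributes to a blockchain:
records hardened against tampering and revision. Each block commits to the
hash of the previous block, so editing or dropping an earlier record breaks
every later link. Illustration only: no peers, no consensus, no signatures.
"""
import hashlib
import json

GENESIS_HASH = "0" * 64

SAMPLE_RECORDS = [  # constructed audit-log entries, not a real format
    {"patient": "P-0001", "user": "nurse1", "action": "view"},
    {"patient": "P-0001", "user": "billing2", "action": "export"},
    {"patient": "P-0002", "user": "dr_lee", "action": "update"},
]


def block_hash(block):
    """SHA-256 over the block's fields (except its own hash) in a canonical,
    sorted-key JSON encoding so the same content always hashes the same."""
    payload = {k: v for k, v in block.items() if k != "hash"}
    encoded = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def append_block(chain, record):
    """Append a block that commits to the previous block's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS_HASH
    block = {"index": len(chain), "prev_hash": prev, "record": dict(record)}
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def verify_chain(chain):
    """Return (ok, first_bad_index); first_bad_index is None when intact.

    A block fails if its position, its back-pointer, or its own hash no
    longer match, which catches edits, deletions and re-ordering alike."""
    prev = GENESIS_HASH
    for i, block in enumerate(chain):
        if (block["index"] != i or block["prev_hash"] != prev
                or block_hash(block) != block["hash"]):
            return False, i
        prev = block["hash"]
    return True, None


def build_chain(records=SAMPLE_RECORDS):
    """Build a fresh chain from the constructed records."""
    chain = []
    for rec in records:
        append_block(chain, rec)
    return chain


def tamper_demo():
    """Quietly rewrite a past record and report what verification says."""
    chain = build_chain()
    chain[1]["record"]["action"] = "view"   # the export now claims to be a view
    return verify_chain(chain)               # -> (False, 1)


if __name__ == "__main__":
    print("intact:", verify_chain(build_chain()))
    print("after edit:", tamper_demo())
```

Re-hashing the edited block does not help an attacker either: the next block's stored back-pointer still names the original hash, so verification fails one block later.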

And now, the ONC has shown interest in this technology, soliciting white papers that offer a thoughtful take on how blockchain can help meet important healthcare industry objectives.

The whitepaper, which may be no longer than 10 pages, must be submitted by July 29. (Want to participate, but don’t have time to write the paper yourself? Click here.) Papers must discuss the cryptography and underlying fundamentals of blockchain technology, explain how the use of blockchain can meet industry interoperability needs, patient centered outcomes research, precision medicine and other healthcare delivery needs, as well as offering recommendations for blockchain’s implementation.

The ONC will choose eight winning papers from among the submissions. Winning authors will have an opportunity to present the paper at a Blockchain & Healthcare Workshop held at NIST headquarters in Gaithersburg, MD on September 26th and 27th.

In hosting this contest, ONC is lending blockchain approaches in healthcare a level of credibility they might not have had in the past. But there’s already a lot of discussion going on about blockchain applications for health IT.

So what are people talking about where blockchain IT is concerned? In one LinkedIn piece, consultant Peter Nichol argues that blockchain can address concerns around scalability and privacy of electronic medical records. He also suggests that blockchain technology can provide patients with more sophisticated privacy control of their personal health information; for example, providers can enhance health data security by letting patients combine their own blockchain signature with a hospital’s signature.

But obviously, ONC leaders think there’s a lot more that can be done here. And I’m pretty confident that they’re right. While I’m no security or cryptocurrency expert, I know that when a technology has been kicked around for several years, and used for a sensitive function like financial exchange without racking up any major failures, it’s got to be pretty solid. I’m eager to see what people come up with!

Applying Minecraft Lessons to Healthcare

Posted on July 7, 2016 | Written By John Lynn

Isaac S. Kohane has a great article on STAT which talks about what the healthcare system can learn from Minecraft. As my 3 children addictively play with Minecraft behind me, I was particularly intrigued by what healthcare could learn from Minecraft. Isaac does a great job creating the comparison:

From outside the door to their command and control center, I discreetly observed the team, taking care not to disturb them. They stared intently at the moonlit landscape littered with hidden traps and vertiginous fjords displayed on the large console in front of them, tracking their own progress and that of 10 other far-flung teams as they collectively navigated through the complex virtual environment toward a common goal.

When one team seemed to get lost or momentarily confused, a colleague on another team would grab her smartphone and offer concise video guidance. It was a remarkable demonstration of using technology to coordinate teams in complex tasks without prior training.

Even more remarkable, no team member was older than 11. The software they were using was Minecraft, the virtual reality navigation game that has addicted millions of users worldwide.

He layers on these questions about today’s health system as compared with the Minecraft team described above:

How often, in your experience as patient, family member, doctor, or nurse, do all the members of the care team actually know what the current plan is, and who else is on the team? How easily can all team members monitor activities, figure out if the care is on the right track, and instantly conference to organize a course correction if needed?

Isaac is right that we can learn a lot from Minecraft. He offers some suggestions of why we don’t. I’d like to add a few of my own.

Simplify – I’m still shocked and amazed that Minecraft made an incredibly compelling game out of blocks. It’s amazing what my children can create out of blocks. I’m also amazed at how much fun they have doing it. Unfortunately, we haven’t spent the time needed to make our interfaces simpler. We layer on complexity after complexity instead of looking at ways we can continue to simplify. I realize that healthcare is complex, but much of healthcare isn’t complex. In fact, it’s quite mundane. We can simplify most of our health IT systems.

Fun – Minecraft is fun. It encourages creativity. Millions are addicted to it. Can you say the same about your EHR? Nope. That’s because EHR software wasn’t designed for fun or creativity. It was designed as a big billing engine and government compliance engine (see meaningful use). Doctors would never describe billing or government compliance as fun. If EHR software were a care engine that helped them discover new care pathways, patient risks, new medical knowledge, etc., then they’d have fun. Yes, it would be a weird, twisted, medical kind of “fun”, but most of the doctors I know are totally into that stuff. Just look at the success of Figure 1 to see what I mean. Should EHR vendors start a new marketing campaign, “Making EHR Fun Again”? (Shoutout to Bryce Harper for those baseball fans)

Collaborative – Minecraft would be a fun game on its own, but like healthcare wearables it would wear off quickly if it were just a standalone game. The thing that makes Minecraft so addictive is that it’s collaborative by nature. The collaboration provides a new level of addiction and accountability for everyone playing. Medicine could be, should be, and in some places already is collaborative by nature too, but our health IT and EHR systems are not. Imagine if collaboratively caring for a patient were as easy as it is to connect with friends in Minecraft. Yes, I’ve even seen Minecraft on an iPad connect with Minecraft on Android. Collaboration between different systems is possible, even if many in healthcare want to describe all the reasons it’s impossible.

Obviously there are big differences between Minecraft and healthcare. While you can die in both, in Minecraft you just re-spawn and start playing again. The same isn’t true in healthcare. However, that’s exactly why we should consider why some things we take for granted in games like Minecraft are nowhere to be found in healthcare.

E-Patient Update: Don’t Give Patients Needless Paperwork

Posted on July 6, 2016 | Written By Anne Zieger

Recently, I had an initial appointment with a primary care practice. As I expected, I had a lot of paperwork to fill out, including not only routine administrative items like consent to bill my insurer and HIPAA policies, but also several pages of medical history.

While nobody likes filling out forms, I have no problem with doing so, as I realize that these documents are very important to building a relationship with a medical practice. However, I was very annoyed by what happened later, when I was ushered back into the clinical suite.

Despite my having filled out the extensive checklist of medical history items, I was asked every single one of the questions featured on the form verbally by a med tech who saw me ahead of my clinical appointment. And I mean Every. Single. One. I was as polite and patient as I could be, particularly given that it wasn’t the poor tech’s fault, but I was simmering nonetheless, for a couple of reasons.

First, on a practical level, it was infuriating to have filled out a long clinical interview form for what seemed to be absolutely no reason. This is in part because, as some readers may remember, I have Parkinson’s disease, and filling out forms can be difficult and even painful. But even if my writing hand were unimpaired, I would’ve been rather irked by what seemed to be pointless duplication.

Not only that, as it turns out the practice seems to have had access to my medication list — perhaps from claims data? — and could have spared me the particularly grueling job of writing out all the medications I currently take. Given my background in HIT, I was forced to wonder whether the checkbox lists of past illnesses, surgeries and the like were even necessary.

After all, if the group is sophisticated enough to access my medications list, perhaps it could have accessed my other medical records as well. In fact, as it turned out, the primary care group is owned by the dominant local health system which has been providing most of my care for 20 years. So the clinicians almost certainly had a shot at downloading my current medical data in some form.

Even if the medical group had no access to any historical data on my care, I can’t imagine why administrators would require me to fill out a medical history form if the tech was going to ask me every question on the form. My hunch is that it may be some wrongheaded attempt at liability management, providing the practice with some form of cover if somebody failed to collect an accurate history during the interview. But other than that I can’t imagine what was going on there.

The reality is, physician practices that are transitioning into EMR use, or adopting a new EMR, may end up requiring their staff to do double data entry to one extent or another as practice leaders figure things out. But asking patients to do so shows an alarming lack of consideration for my time and effort. Perhaps the practice has forgotten that I’m not on the payroll?

An Alternate Way Of Authenticating Patients

Posted on July 5, 2016 | Written By Anne Zieger

Lately, I’ve been experimenting with a security app I downloaded to my Android phone. The app, True Key by Intel Security, allows you to log in by presenting your face for a scan or using your fingerprint. Once inside the app, you can access your preferred apps with a single click, as it stores your user name and passwords securely. Next, I simplified things further by downloading the app to my laptop and tablet, which syncs whatever access info I enter across all devices.

From what I can see, Intel is positioning this as a direct-to-consumer play. The True Key documentation describes the app as a tool non-techies can use to access sites easily, store passwords securely and visit their favorite sites across all of their devices without re-entering authentication data. But I’m intrigued by the app’s potential for enterprise healthcare security access control.

Right now, there are serious flaws in the way application access is managed. As things stand, authentication information is usually stored in the same network infrastructure as the applications themselves, at least at a high level. So the process goes like this, more or less: an untrusted device uses an untrusted app to access a secure system. The secure system requests credentials from the device user, verifies them against an ID/PW database and, if they are correct, logs the user in.

Of course, there are alternatives to this approach, ranging from biometric-only access to instantly generated, always-unique passwords, but few organizations have the resources to maintain super-advanced access protocols. So in reality, most enterprises have to firewall up their security and authentication databases and pray that those resources don’t get hacked. Theoretically, institutions might be able to create another hacking speed bump by storing authentication information in the cloud, but that obviously raises a host of additional security questions.

So here’s an idea. What if health IT organizations demanded that users install biometrically-locked apps like True Key on their devices? Then, enterprise HIT software could authenticate users at the device level – surely a possibility given that devices have unique IDs – and let users maintain password security at their end. That way, if an enterprise system was hacked, the attacker could gain access to device information, but wouldn’t have immediate access to a massive ID and PW database that gave them access to all system resources.

What I’m getting at, here, is that I believe healthcare organizations should maintain relationships with patients (as represented by their unique devices) rather than with their ID and password. While no form of identity verification is perfect, to me it seems a lot more likely that it’s really me logging in if I have to use my facial features or fingerprint as an entry point. After all, virtually any ID/PW pair chosen by a user can be guessed or hacked, but if you authenticate to my face/fingerprint and a registered device, the odds are high that you’re getting me.
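One way to realize the device-as-identity idea above, as an added example that is neither True Key’s code nor the author’s design: the enterprise side stores only a device id and a public key, and the device answers a one-time random challenge with a private key that its local unlock protects, so a copy of the server table contains nothing that logs anyone in and a captured response cannot be replayed. A bare device id would not be enough on its own, since it is not a secret; the per-device key pair, the `Device`/`Server` types and the `phone-1` ids are assumptions of this example.

```go
package main

import "crypto/ed25519"
import "crypto/rand"

// Device keeps its private key on the handset; the app's biometric unlock is what gates it (assumed design).
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

// Server stores only device id -> public key plus one-time challenges: nothing in it replays as a login.
type Server struct {
	regs       map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{regs: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// NewDevice generates the device-bound key pair at enrollment time.
func NewDevice(id string) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

// Register hands the server the public half only.
func (d *Device) Register(s *Server) { s.regs[d.ID] = d.priv.Public().(ed25519.PublicKey) }

// Challenge issues a fresh 32-byte nonce for a registered device, nil otherwise.
func (s *Server) Challenge(deviceID string) []byte {
	if _, ok := s.regs[deviceID]; !ok {
		return nil
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil
	}
	s.challenges[deviceID] = nonce
	return nonce
}

// Sign is what the unlocked app does with the challenge it received.
func (d *Device) Sign(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }

// Verify checks the response against the stored key and discards the challenge, so a captured response cannot be replayed.
func (s *Server) Verify(deviceID string, sig []byte) bool {
	nonce, ok := s.challenges[deviceID]
	if !ok {
		return false
	}
	delete(s.challenges, deviceID)
	return ed25519.Verify(s.regs[deviceID], nonce, sig)
}
```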

So now it’s your turn, readers. What flaws do you see in this approach? Have you run into other apps that might serve this purpose better than True Key? Should HIT vendors create these apps? Have at it.