Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Making Precision Medicine a Reality with Dr. Delaney, SAP & Curtis Dudley, VP at Mercy

Posted on February 4, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Making Precision Medicine a Reality-blog

Ever since President Obama announced the precision medicine initiative, it’s become a hot topic in every healthcare organization. While it’s great to talk theoretically about what’s happening with precision medicine, I’m always more interested with what’s actually happening to make medicine more precise. That’s why I’m excited to sit down with a great panel of experts that are actually working in the trenches where precision medicine is being implemented.

On Monday, February 8, 2016 at 2 PM ET (11 AM PT) I’ll be hosting a live video interview with Curtis Dudley from Mercy and Dr. David Delaney from SAP where we’re going to dive into the work Curtis Dudley and his team are doing at Mercy around perioperative services analytics that improved quality outcomes and reduced delivery costs.

The great part is that you can join my live conversation with this panel of experts and even add your own comments to the discussion or ask them questions. All you need to do to watch live is visit this blog post on Monday, February 8, 2016 at 2 PM ET (11 AM PT) and watch the video embed at the bottom of the post or you can subscribe to the blab directly. We’ll be doing a more formal interview for the first 30 minutes and then open up the Blab to others who want to add to the conversation or ask us questions. The conversation will be recorded as well and available on this post after the interview.

Here are a few more details about our panelists:

If you can’t join our live video discussion or want to learn more, check out Mercy’s session at HIMSS16 called “HANA as the Key to Advanced Analytics for Population Health and Operational Performance” on March 1, 2016 at 11:00 a.m. at SAP Booth #5828.

If you’d like to see the archives of Healthcare Scene’s past interviews, you can find and subscribe to all of Healthcare Scene’s interviews on YouTube.

To Improve Health Data Security, Get Your Staff On Board

Posted on February 2, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As most readers know, last year was a pretty lousy one for healthcare data security. For one thing, there was the spectacular attack on health insurer Anthem Inc., which exposed personal information on nearly 80 million people. But that was just the headline event. During 2015, the HHS Office for Civil Rights logged more than 100 breaches affecting 500 or more individuals, including four of the five largest breaches in its database.

But will this year be better? Sadly, as things currently stand, I think the best guess is “no.” When you combine the increased awareness among hackers of health data’s value with the modest amounts many healthcare organizations spend on security, it seems like the problem will actually get worse.

Of course, HIT leaders aren’t just sitting on their hands. According to a HIMSS estimate, hospitals and medical practices will spend about $1 billion on cybersecurity this year. And recent HIMSS survey of healthcare executives found that information security had become a top business priority for 90% of respondents.

But it will take more than a round of new technical investments to truly shore up healthcare security. I’d argue that until the culture around healthcare security changes — and executives outside of the IT department take these threats seriously — it’ll be tough for the industry to make any real security progress.

In my opinion, the changes should include following:

  • Boost security education:  While your staff may have had the best HIPAA training possible, that doesn’t mean they’re prepared for growing threat cyber-strikes pose. They need to know that these days, the data they’re protecting might as well be money itself, and they the bankers who must keep an eye on the vault. Health leaders must make them understand the threat on a visceral level.
  • Make it easy to report security threats: While readers of this publication may be highly IT-savvy, most workers aren’t. If you haven’t done so already, create a hotline to report security concerns (anonymously if callers wish), staffed by someone who will listen patiently to non-techies struggling to explain their misgivings. If you wait for people who are threatened by Windows to call the scary IT department, you’ll miss many legit security questions, especially if the staffer isn’t confident that anything is wrong.
  • Reward non-IT staffers for showing security awareness: Not only should organizations encourage staffers to report possible security issues — even if it’s a matter of something “just not feeling right” — they should acknowledge it when staffers make a good catch, perhaps with a gift card or maybe just a certificate. It’s pretty straightforward: reward behavior and you’ll get more of it.
  • Use security reports to refine staff training: Certainly, the HIT department may benefit from alerts passed on by the rest of the staff. But the feedback this process produces can be put to broader use.  Once a quarter or so, if not more often, analyze the security issues staffers are bringing to light. Then, have brown bag lunches or other types of training meetings in which you educate staffers on issues that have turned up regularly in their reports. This benefits everyone involved.

Of course, I’m not suggesting that security awareness among non-techies is sufficient to prevent data breaches. But I do believe that healthcare organizations could prevent many a breach by taking advantage of their staff’s instincts and observational skills.

NIST Goes After Infusion Pump Security Vulnerabilities

Posted on January 28, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As useful as networked medical devices are, it’s become increasingly apparent that they pose major security risks.  Not only could intruders manipulate networked devices in ways that could harm patients, they could use them as a gateway to sensitive patient health information and financial data.

To make a start at taming this issue, the National Institute of Standards and Technology has kicked off a project focused on boosting the security of wireless infusion pumps (Side Note: I wonder if this is in response to Blackberry’s live hack of an infusion pump). In an effort to be sure researchers understand the hospital environment and how the pumps are deployed, NIST’s National Cybersecurity Center of Excellence (NCCoE) plans to work with vendors in this space. The NCCoE will also collaborate on the effort with the Technological Leadership Institute at the University of Minnesota.

NCCoE researchers will examine the full lifecycle of wireless infusion pumps in hospitals, including purchase, onboarding of the asset, training for use, configuration, use, maintenance, decontamination and decommissioning of the pumps. This makes a great deal of sense. After all, points of network connection are becoming so decentralized that every touchpoint is suspect.

The team will also look at what types of infrastructure interconnect with the pumps, including the pump server, alarm manager, electronic medication administration record system, point of care medication, pharmacy system, CPOE system, drug library, wireless networks and even the hospital’s biomedical engineering department. (It’s sobering to consider the length of this list, but necessary. After all, more or less any of them could conceivably be vulnerable if a pump is compromised.)

Wisely, the researchers also plan to look at the way a wide range of people engage with the pumps, including patients, healthcare professionals, pharmacists, pump vendor engineers, biomedical engineers, IT network risk managers, IT security engineers, IT network engineers, central supply workers and patient visitors — as well as hackers. This data should provide useful workflow information that can be used even beyond cybersecurity fixes.

While the NCCoE and University of Minnesota teams may expand the list of security challenges as they go forward, they’re starting with looking at access codes, wireless access point/wireless network configuration, alarms, asset management and monitoring, authentication and credentialing, maintenance and updates, pump variability, use and emergency use.

Over time, NIST and the U of M will work with vendors to create a lab environment where collaborators can identify, evaluate and test security tools and controls for the pumps. Ultimately, the project’s goal is to create a multi-part practice guide which will help providers evaluate how secure their own wireless infusion pumps are. The guide should be available late this year.

In the mean time, if you want to take a broader look at how secure your facility’s networked medical devices are, you might want to take a look at the FDA’s guidance on the subject, “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf Software.” The guidance doc, which was issued last summer, is aimed at device vendors, but the agency also offers a companion document offering information on the topic for healthcare organizations.

If this topic interests you, you may also want to watch this video interview talking about medical device security with Tony Giandomenico, a security expert at Fortinet.

Security Concerns Threaten Mobile Health App Deployment

Posted on January 26, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Healthcare organizations won’t get much out of deploying mobile apps if consumers won’t use them. And if consumers are afraid that their personal data will be stolen, they’ve got a reason not to use your apps. So the fact that both consumers and HIT execs are having what I’d deem a crisis of confidence over mHealth app security isn’t a good sign for the current crop of mobile health initiatives.

According to a new study by security vendor Arxan, which polled 815 consumers and 268 IT decision-makers, more than half of consumer respondents who use mobile health apps expect their health apps to be hacked in the next six months.

These concerns could have serious implications for healthcare organizations, as 76% of health app users surveyed said they would change providers if they became aware that the provider’s apps weren’t secure. And perhaps even more significantly, 80% of consumer health app users told Arxan that they’d switch to other providers if they found out that the apps that alternate provider offered were better secured. In other words, consumer perceptions of a provider’s health app security aren’t just abstract fears — they’re actually starting to impact patients’ health decision making.

Perhaps you’re telling yourself that your own apps aren’t terribly exposed. But don’t be so sure. When Arxan tested a batch of 71 popular mobile health apps for security vulnerabilities, 86% were shown to have a minimum of two OWASP Mobile Top 10 Risks. The researchers found that vulnerable apps could be tampered with and reverse-engineered, as well as compromised to provide sensitive health information. Easily-done hacks could also force critical health apps to malfunction, Arxan researchers concluded.

The following data also concerned me. Of the apps tested, 19 had been approved by the FDA and 15 by the UK National Health Service. And at least where the FDA is concerned, my assumption would be that FDA-tested apps were more secure than non-approved ones. But Arxan’s research team found that both FDA and National Health Service-blessed apps were among the most vulnerable of all the apps studied.

In truth, I’m not incredibly surprised that health IT leaders have some work to do in securing mobile health apps. After all, mobile health app security is evolving, as the form and function of mHealth apps evolve. In particular, as I’ve noted elsewhere, mobile health apps are becoming more tightly integrated with enterprise infrastructure, which takes the need for thoughtful security precautions to a new level.

But guidelines for mobile health security are emerging. For example, in the summer of last year, the National Institute of Standards and Technology released a draft of its mobile health cybersecurity guidance, “Securing Electronic Records on Mobile Devices” — complete with detailed architecture. Also, I’d wager that more mHealth standards should emerge this year too.

In the mean time, it’s worth remembering that patients are paying close attention to health apps security, and that they’re unlikely to give your organization a pass if they’re hacked. While security has always been a high-stakes issue, the stakes have gotten even higher.

What’s Happening at MEDITECH w/ Helen Waters, VP @MEDITECH

Posted on January 25, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

UPDATE: Here’s the video recording of my interview with Helen Waters from MEDITECH

MEDITECH - Helen Waters

Many in the large hospital EHR space have argued that it’s a two horse race between Cerner and Epic. However, many forget how many users MEDITEH still has using its healthcare IT products. Not to mention MEDITECH was originally founded in 1969 and has a rich history working in the space. On Friday, January 29, 2016 at 1 PM ET (10 AM PT), I’ll be sitting down with Helen Waters, VP at MEDITECH to talk about the what’s happening with MEDITECH and where MEDITECH fits into the healthcare IT ecosystem.

You can join my live conversation with Helen Waters and even add your own comments to the discussion or ask Helen questions. All you need to do to watch live is visit this blog post on Friday, January 29, 2016 at 1 PM ET (10 AM PT) and watch the video embed at the bottom of the post or you can subscribe to the blab directly. We’ll be doing a more formal interview for the first 30 minutes and then open up the Blab to others who want to add to the conversation or ask us questions. The conversation will be recorded as well and available on this post after the interview.

We’re interested to hear Helen’s comments about the culture and history of MEDITECH along with what MEDITECH’s doing with its products to change perceptions and misconceptions around the MEDITECH product. We’ll also be sure to ask Helen about important topics like interoperability and physician dissatisfaction (“Too Many Clicks!”). We hope you’ll join us to learn more about what’s happening with MEDITECH.

If you’d like to see the archives of Healthcare Scene’s past interviews, you can find and subscribe to all of Healthcare Scene’s interviews on YouTube.

Workflow Redesign Is Crucial to Adopting a New Health IT System – Breakaway Thinking

Posted on January 20, 2016 I Written By

The following is a guest blog post by Todd Stansfield, Instructional Writer from The Breakaway Group (A Xerox Company). Check out all of the blog posts in the Breakaway Thinking series.
Todd Stansfield
Workflow analysis and redesign have long been touted as essential to health IT adoption. Most organizations recognize the importance of modifying current workflows to capitalize on efficiencies created by a new application and identify areas where the system must be customized to support existing workflows. Despite this recognition, there remains room for improvement. In fact, last month the Office of the National Coordinator (ONC) identified the impact of new IT systems on clinical workflows as one of the biggest barriers to interoperability (ouch).

A successful redesign includes both an analysis of current workflows and desired future workflows.

Key stakeholders – direct and indirect – should take part in analyzing existing workflows. An objective third party should also be present to ask the right questions and facilitate the discussion. This team can collaborate to model important workflows, ideally in visual form to stimulate thorough analysis. To ensure an efficient and productive meeting, you should model workflows that are the most common, result in productivity losses, have both upstream and downstream consequences and involve multiple parties. The National Learning Consortium recommends focusing only on what occurs 80 percent of the time.

Once you document current workflows, you can set your sights on the future. Workflow redesign meetings are the next step; you need them to build a roadmap of activities leading up to a go-live event and beyond – from building the application to engaging and educating end users. Individuals from the original workflow analysis sessions should be included, and they should be joined by representatives from your health IT vendor (who can define the system’s capabilities) and members of your leadership team (who can answer questions and provide support).

After the initial go-live, you need to periodically perform workflow analysis and continue adjusting the roadmap to address changes to the application and processes.

Why should you spend all the time and effort to analyze and redesign workflows? Three reasons:

  1. It makes your organization proactive in your upcoming implementation and road to adoption. You’ll anticipate and avoid problems that will otherwise become bigger headaches.
  2. It’s the perfect opportunity to request customizations to adapt your application to desired workflows.
  3. It gives your staff a chance to mentally and emotionally prepare for a change to their daily habits, increasing buy-in and decreasing resistance to the switch.

Thorough and disciplined workflow redesign is an important step to adopting a new health IT application, but of course it’s not the only one. You’ll still need leadership to engage end users in the project, education that teaches learners how to use the new application to perform their workflow, performance metrics to evaluate adoption, and continual reinforcement of adoption initiatives as the application and workflows change over time.

Xerox is a sponsor of the Breakaway Thinking series of blog posts.

Biometric Use Set To Grow In Healthcare

Posted on January 15, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

I don’t know about you, but until recently I thought of biometrics as almost a toy technology, something you’d imagine a fictional spy like James Bond circumvent (through pure manliness) when entering the archenemy’s hideout. Or perhaps retinal or fingerprint scans would protect Batman’s lair.

But today, in 2016, biometric apps are far from fodder for mythic spies. The price of fingerprint scan-based technology has fallen to nearly zero, with vendors like Apple offering fingerprint-based security options as a standard part of its iOS iPhone operating system. Another free biometric security option comes courtesy of Intel’s True Key app, which allows you to access encrypted app data by scanning and recognizing your facial features. And these are just trivial examples. Biometrics technologies, in short, have become powerful, usable and relatively affordable — elevating them well above other healthcare technologies for some security problems.

If none of this suggests to you that the healthcare industry needs to adopt biometrics, you may have a beef with Raymond Aller, MD, director of informatics at the University of Southern California. In an interview with Healthcare IT News, Dr. Aller argues that our current system of text-based patient identification is actually dangerous, and puts patients at risk of improper treatments and even death. He sees biometric technologies as a badly needed, precise means of patient identification.

What’s more, biometrics can be linked up with patients’ EMR data, making sure the right history is attached to the right person. One health system, Novant Health, uses technology registering a patient’s fingerprints, veins and face at enrollment. Another vendor is developing software that will notify the patient’s health insurer every time that patient arrives and leaves, steps which are intended to be sure providers can’t submit fradulent bills for care not delivered.

As intriguing as these possibilities are, there are certainly some issues holding back the use of biometric approaches in healthcare. And many are exposed, such as Apple’s Touch ID, which is vulnerable to spoofing. Not only that, storing and managing biometric templates securely is more challenging than it seems, researchers note. What’s more, hackers are beginning to target consumer-focused fingerprint sensors, and are likely to seek access to other forms of biometric data.

Fortunately, biometric security solutions like template protection and biocryptography are becoming more mature. As biometric technology grows more sophisticated, patients will be able to use bio-data to safely access their medical records and also pay their bills. For example, MasterCard is exploring biometric authentication for online payments, using biometric data as a password replacement. MasterCard Identity Check allows users to authenticate transactions via video selfie or via fingerprint scanning.

As readers might guess from skimming the surface of biometric security, it comes with its own unique security challenges. It could be years before biometric authentication is used widely in healthcare organizations. But biometric technology use is picking up speed, and this year may see some interesting developments. Stay tuned.

Meaningful Use Is Going to Be Replaced – #JPM16

Posted on January 12, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Big news came out today during the JP Morgan annual healthcare conference in San Francisco. Andy Slavitt, acting administrator of CMS, live tweeted his own talk at the event including this bombshell:


Technically meaningful use is not quite over, but it’s heading that way. We always read about lame duck head coaches in sports. I guess this is the version of a lame duck government program? Of course, this is just coming from the acting administrator of CMS. It’s not yet law. So, all those working on meaningful use reports, keep working.

The end of meaningful use as we know it will be generally welcome news to most in healthcare. Although, I’m sure that most will also take it with a grain of salt. Many in healthcare likely worry that the “something better” that replaces meaningful use and MACRA will actually be something worse. The cynics might argue that nothing could be worse, but I’ve never seen the government back down from that challenge.

What interests me is what levers they have available to them to be able to make changes. Can they do it without congressional action? Are doctors angry enough that congress will take action? What will happen to the remaining $10-20 billion allocated to meaningful use? What will hospitals and doctors that were counting on the meaningful use money do? Will they not get it anymore or will it be available in a new program? Obviously, there are more questions than answers at this point.

All in all, I’m glad to hear that Andy Slavitt is open to change. I suggested they blow up meaningful use a couple years ago.

Andy also did a tweetstorm to outline the 4 themes for reforming the MACRA and post-MU tech program:

These all seem surprisingly reasonable and mirror many of the comments I hear from doctors. However, the challenge is always in the implementation of these ideas. Some of them are very hard to track and reward. I can’t argue with the principles though. They highlight some of the major challenges associated with healthcare tech. It’s going to take some time to infuse entrepreneurship instead of regulation back into the EHR world, but these guidelines are a good step towards that effort.

UPDATE: Here’s the full text of Andy Slavitt’s talk at the JP Morgan Healthcare Conference.

Mobile Health Security Issues To Ponder In 2016

Posted on January 11, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

In some ways, mobile health security safeguards haven’t changed much for quite some time. Making sure that tablets and phones are protected against becoming easy network intrusion points is a given. Also seeing to it that such devices use strong passwords and encrypted data exchange whenever possible is a must.

But increasingly, as mobile apps become more tightly knit with enterprise infrastructure, there’s more security issues to consider. After all, we’re increasingly talking about mission-critical apps which rely on ongoing access to sensitive enterprise networks. Now more than ever, enterprises must come up with strategies which control how data flows into the enterprise network. In other words, we’re not just talking about locking down the end points, but also seeing to it that powerful edge devices are treated like the vulnerable hackable gateways they are.

To date, however, there’s still not a lot of well-accepted guidance out there spelling out what steps health organizations should take to ramp up their mobile security. For example, NIST has issued its “Securing Electronic Health Records On Mobile Devices” guideline, but it’s only a few months old and remains in draft form to date.

The truth is, the healthcare industry isn’t as aware of, or prepared for, the need for mobile healthcare data security as it should be. While healthcare organizations are gradually deploying, testing and rolling out new mobile platforms, securing them isn’t being given enough attention. What’s more, clinicians aren’t being given enough training to protect their mobile devices from hacks, which leaves some extremely valuable data open to the world.

Nonetheless, there are a few core approaches which can be torqued up help protect mobile health data this year:

  • Encryption: Encrypting data in transit wasn’t invented yesterday, but it’s still worth a check in to make sure your organization is doing so. Gregory Cave notes that data should be encrypted when communicated between the (mobile) application and the server. And he recommends that Web traffic be transmitted through a secure connection using only strong security protocols like Secure Sockets Layer or Transport Layer Security. This also should include encrypting data at rest.
  • Application hardening:  Before your organization rolls out mobile applications, it’s best to see to it that security defects are detected before and addressed before deployment. Application hardening tools — which protect code from hackers — can help protect mobile deployments, an especially important step for software placed on machines and locations your organization doesn’t control. They employ techniques such as obfuscation, which hides code structure and flow within an application, making it hard for intruders to reverse engineer or tamper with the source code.
  • Training staff: Regardless of how sophisticated your security systems are, they’re not going to do much good if your staff leaves the proverbial barn door open. As one security expert points out,  healthcare organizations need to make staffers responsible for understanding what activities lead to breaches, or security hackers will still find a toehold.”It’s like installing the most sophisticated security system in the world for your house, but not teaching the family how to use it,” said Grant Elliott, founder and CEO of risk management and compliance firm Ostendio.

In addition to these efforts, I’d argue that staffers need to really get it as to what happens when security goes awry. Knowing that mistakes will upset some IT guy they’ve never met is one thing; understanding that a breach could cost millions and expose the whole organization to disrepute is a bit more memorable. Don’t just teach the security protocols, teach the costs of violating them. A little drama — such as the little old lady who lost her home due to PHI theft — speaks far more powerfully than facts and figures, don’t you agree?

Tiny Budgets Undercut Healthcare’s Cyber Security Efforts

Posted on January 4, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

This has been a lousy year for healthcare data security — so bad a year that IBM has dubbed 2015 “The Year of The Healthcare Security Breach.” In a recent report, Big Blue noted that nearly 100 million records were compromised during the first 10 months of this year.

Part of the reason for the growth in healthcare data breaches seems to be due to the growing value of Protected Health Information. PHI is worth 10x as much as credit card information these days, according to some estimates. It’s hardly surprising that cyber criminals are eager to rob PHI databases.

But another reason for the hacks may be — to my way of looking at things — an indefensible refusal to spend enough on cybersecurity. While the average healthcare organization spends about 3% of their IT budget on cybersecurity, they should really allocate 10% , according to HIMSS cybersecurity expert Lisa Gallagher.

If a healthcare organization has an anemic security budget, they may find it difficult to attract a senior healthcare security pro to join their team. Such professionals are costly to recruit, and command salaries in the $200K to $225K range. And unless you’re a high-profile institution, the competition for such seasoned pros can be fierce. In fact, even high-profile institutions have a challenge recruiting security professionals.

Still, that doesn’t let healthcare organizations off the hook. In fact, the need to tighten healthcare data security is likely to grow more urgent over time, not less. Not only are data thieves after existing PHI stores, and prepared to exploit traditional network vulnerabilities, current trends are giving them new ways to crash the gates.

After all, mobile devices are increasingly being granted access to critical data assets, including PHI. Securing the mix of corporate and personal devices that might access the data, as well as any apps an organization rolls out, is not a job for the inexperienced or the unsophisticated. It takes a well-rounded infosec pro to address not only mobile vulnerabilities, but vulnerabilities in the systems that dish data to these devices.

Not only that, hospitals need to take care to secure their networks as devices such as insulin pumps and heart rate monitors become new gateways data thieves can use to attack their networks. In fact, virtually any node on the emerging Internet of Things can easily serve as a point of compromise.

No one is suggesting that healthcare organizations don’t care about security. But as many wiser heads than mine have pointed out, too many seem to base their security budget on the hope-and-pray model — as in hoping and praying that their luck will hold.

But as a professional observer and a patient, I find such an attitude to be extremely reckless. Personally, I would be quite inclined to drop any provider that allowed my information to be compromised, regardless of excuses. And spending far less on security than is appropriate leaves the barn door wide open.

I don’t know about you, readers, but I say “Not with my horses!”