Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!
We never sell or give out your contact information. We respect our readers' privacy.

December 11, 2011

EMR ROI, Steve Jobs EMR, $1 Billion in EHR Stimulus, and EMR Data Security

Some really interesting EMR-related tweets in tonight's round-up from around the EMR Twittersphere. I'm testing out the new Twitter embed function. We'll see how it does. It's a convenient thing, but it might need some tweaking.

As always, feel free to follow me on Twitter @techguy and/or @ehrandhit. If you’re on Twitter, let me know so I can make sure I’m following you as well.

Well said! EMR ROI can’t be certified, but it can be measured and planned for.

I wrote a bit about Steve Jobs and EMR before. The icon of Steve Jobs, and the idea of creating something the way he did, is going to be around for a very long time to come.

Over 10k eligible providers and $1 billion in stimulus money. I wonder how many of those 10k providers already had an EMR and how many implemented an EMR to get the stimulus money.

Definitely much higher than I’d have thought as well. Sure, every doctor wants their systems to be secure, but very few make it any sort of priority beyond expecting it to be secure.

November 13, 2011

EHR and Encryption, Down Computers and EHR, and State Health Exchanges Might Not Be Sustainable

Time again for our weekend EHR Twitter round up. Let the fun begin.

@ahier – Brian Ahier
#EHR’s need encryption says @HealthPrivacy to Senate panel bitly.com/rTnx6s

Is there EHR software that doesn't use encryption? Is there a doctor's office paying for an EHR that doesn't use encryption? Certainly not all EHR encryption implementations are created equal (encrypting the database at rest, the connections in transit, and the backups and exports are three separate questions, and a product can do one without the others). In fact, I wish that things like encrypting data were part of EHR certification. Why? Because that's something you can actually certify in a meaningful manner.

@drmikesevilla – Mike Sevilla, MD
RT @SeattleMamaDoc Computers all down in the exam rooms today. One major limitation of an EMR/EHR (dependence on a computer)

That's definitely one challenge with an EMR/EHR. I wonder how many patients were seen without the chart in the paper days because it couldn't be found quickly. There are always pros and cons to IT. It does highlight the need for a well thought out plan for how you're going to care for patients when your EHR is down.

@iWatch – iWatch News
State health exchanges might not be sustainable after $548M in stimulus money runs out: bit.ly/t9QfSl #HIE #EHR

Wait, so changing the name of them from RHIO to HIE didn’t solve any of the problems with these exchanges? Oh yes, I forgot to mention the extra $548 million to help solve the problems. I think this best illustrates that money isn’t the issue or at least there are more issues with HIE than just the money.

September 21, 2011

EMR Security Monitoring Systems

There’s been an interesting situation going on between a couple of EHR vendors. I first saw this when I got the press release that meridianEMR filed a lawsuit against UroChart. The lawsuit claims that UroChart obtained access to meridianEMR’s data. (Note: See this comment from the IT Director of meridianEMR, which discusses more details of what happened and how no data was breached.)

Lawsuits aside, meridianEMR is trying to capitalize on the situation by talking about how their EMR security monitoring system was what notified them of the attack by UroChart. They call it their Advanced Monitoring System (AMS) and say it responds immediately to any breach attempts and protects patient records.

I’m not sure if it’s a smart move to use a breach of their system as a way to promote their ability to protect patient records. I guess they can argue that their monitoring service was what protected their patient records. However, the lawsuit is claiming that patient records were at risk. I don’t think that’s something any EMR vendor wants tied to their name, is it?

Marketing strategy aside, this security monitoring service is interesting and I can’t say I’ve really seen something like it in any other EMR system. Sure, they all have some sort of audit tracking and trail. However, I think most EMR vendors’ strategy is prevention, not detection. They harden their systems using the best techniques, but don’t do much to try to detect breaches. Should that be changed?

One problem with breaches is that good hackers know how to avoid detection as well. I still remember when my friend showed me how he had hacked into a server and you could see him logged in. Then he ran a script and you couldn’t see him anymore. I guess if you compare it to the physical world, it’s like having a camera watching the front door but no camera on the back door. However, in the digital world there are lots of different doors, including ones we don’t know about.

Some might argue that ignorance is bliss in this instance. Sure, no EMR vendor is going to admit that in public. Neither is a doctor. However, the regulations have made it pretty harsh when you know that there’s been a breach of your system. You basically have to make it known to all the world. However, if you don’t know that your EMR system has been compromised, then you have no such requirements.

I’m sure some people won’t like me saying this, but you can be sure that many doctors and EMR vendors have thought about this. I’m sure there were parallels in the paper world too, so let’s not act like this is really that new. Although certainly technology has made it possible to have much larger breaches.

One thing worth noting is that I haven’t seen a group of healthcare hackers forming. There’s no underground group of people that I’ve heard of that are trying to hack and get access to healthcare data. Financial data is much easier to monetize for a hacker than healthcare data. That’s not to say that healthcare data isn’t valuable and can’t have consequences if it’s put in the wrong hands. However, most hackers do it for the Lulz, for financial gain, or vengeance. Things could certainly change, but I haven’t seen healthcare as a prime target for hackers. I’d love to see if you have evidence that says otherwise.

If you evaluate the list of breaches that are published by HHS, this seems to agree with my above evaluation. Almost every single breach was just due to something being lost, a physical device being stolen (which you can almost guarantee they wanted the laptop and not the healthcare data which they probably didn’t even know was on the laptop), or inappropriate use by someone on a system already.

It will be interesting to see how these EMR security monitoring systems evolve. Plus, will we see more need for these type of protections and monitoring of EMR systems?
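One concrete form of the detection this post is asking about, as an added example of my own (it is not meridianEMR's AMS or any vendor's product): a tamper-evident audit log in which every entry commits to the previous one with SHA-256. The scenario from the story above, an intruder scrubbing his own session out of the records, then breaks the chain at the point of deletion. The users, timestamps and addresses are constructed sample data. The `anchored_head` argument assumes the operator copies the latest hash somewhere the attacker cannot reach (a remote syslog host, a separate server, even a printout); without that anchor the scheme cannot tell that the newest entries were trimmed.

```python
"""Tamper-evident audit log: each entry commits to the previous one via SHA-256.
Added example; not meridianEMR's AMS or any vendor's product."""
import hashlib
import json

GENESIS = "0" * 64  # assumed fixed anchor for the first entry


def entry_hash(prev_hash, record):
    """Hash of (previous entry's hash || canonical JSON of this record)."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + payload).encode("utf-8")).hexdigest()


def append_entry(log, record):
    """Append a record, linking it to the hash of the previous entry. Returns the new head."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"prev": prev, "record": record, "hash": entry_hash(prev, record)}
    log.append(entry)
    return entry["hash"]


def verify_chain(log, anchored_head=None):
    """Walk the chain from GENESIS. Returns (ok, index) where index is the first
    entry whose link does not verify, or None when the chain is intact.
    anchored_head is the last head hash that was copied somewhere the attacker
    cannot reach; without it, silently dropping entries from the tail is not detectable."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, len(log)  # chain is self-consistent but shorter than the anchor says
    return True, None


# Constructed sample events (not real users, hosts or patients).
EVENTS = [
    {"ts": "2011-09-20T08:01:12Z", "user": "dr_smith", "action": "login", "src": "10.0.3.17"},
    {"ts": "2011-09-20T08:03:40Z", "user": "dr_smith", "action": "view_chart", "patient": "P-1001"},
    {"ts": "2011-09-20T23:15:02Z", "user": "svc_backup", "action": "login", "src": "203.0.113.9"},
    {"ts": "2011-09-20T23:16:30Z", "user": "svc_backup", "action": "export", "patient": "*"},
    {"ts": "2011-09-21T07:58:00Z", "user": "nurse_lee", "action": "login", "src": "10.0.3.22"},
]


def build_log(events):
    """Build a chained log from plain event dicts; returns (log, head hash)."""
    log, head = [], GENESIS
    for ev in events:
        head = append_entry(log, dict(ev))  # copy so scenarios cannot mutate EVENTS
    return log, head


def scenario_delete_middle():
    """Intruder removes his own login and export events (indexes 2 and 3)."""
    log, head = build_log(EVENTS)
    del log[2:4]
    return verify_chain(log, head)  # the link into former entry 4 no longer matches


def scenario_edit_in_place():
    """Intruder rewrites the source address on his login event but leaves the hash."""
    log, head = build_log(EVENTS)
    log[2]["record"]["src"] = "10.0.3.17"
    return verify_chain(log, head)  # stored hash no longer matches the record


def scenario_truncate_tail():
    """Intruder drops everything from his login onward; only the anchor catches it."""
    log, head = build_log(EVENTS)
    del log[2:]
    return verify_chain(log), verify_chain(log, head)


if __name__ == "__main__":
    log, head = build_log(EVENTS)
    print("intact:   ", verify_chain(log, head))
    print("deleted:  ", scenario_delete_middle())
    print("edited:   ", scenario_edit_in_place())
    print("truncated:", scenario_truncate_tail())
```

The chain makes tampering visible; it does not prevent it, and an attacker with write access to the log store and the anchor can still rebuild the whole chain. That is why the head hash has to leave the box the log lives on, and why an EMR audit trail that is only stored in the EMR's own database is the back door without a camera.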

August 11, 2011

ICSA Labs Questions Strength of ONC Certification Rules

You’ve undoubtedly heard the argument before: EHR certification is about assuring that systems meet minimum requirements for functionality and interoperability, but the certification process falls way short in terms of usability, privacy and security. But have you heard the argument from one of the ONC-authorized certification bodies?

This is an excerpt from an e-mail I received today:

Meaningful Use criteria have become a massive EHR certification driver for healthcare organizations. Hospitals and other providers rely on the criteria to ensure that their health IT systems meet minimum government-specified functionality and interoperability requirements to support Stage 1 of Meaningful Use.  Achieving Meaningful Use also ensures a health care organization qualifies for reimbursement under the American Recovery and Reinvestment Act as a way to incent adoption of e-health processes among health organizations. The ultimate goal is to improve our nation’s healthcare system by leveraging technology to allow greater access to important health information and empower patients to securely access their own health information.

However, as one of only five organizations authorized to test both complete and modular EHRs by the Office of the National Coordinator (ONC) for Health IT, ICSA Labs questions whether EHR certifications are enough as the criteria represents only minimum requirements. Amit Trivedi, healthcare program manager at ICSA Labs, believes providers should take further steps to heighten the security and privacy of their health IT systems. He also suggests vendors should look beyond the current regulations to address and improve usability, data portability, and information exchange in their products.

That’s right, ICSA Labs, one of five organizations currently authorized to test and certify complete EHRs on behalf of the Office of the National Coordinator for Health Information Technology, seems to think that the standards it tests EHRs against are inadequate, which is something that critics of certification—particularly critics of the Certification Commission for Healthcare Information Technology—have been saying for years. Critics of many of the larger vendors have been saying that, too. But it’s shockingly refreshing to hear this from an actual certification body.

In fact, the publicist for ICSA, a unit of Verizon Business, has offered interviews with executives of two lesser-known vendors, Health System Technology and Design Clinicals, to talk about how they are going beyond the minimum certification requirements. Deadlines beckon, so I didn’t really have time to wait for the publicist to find me a schedule opening with one of the executives, but here’s a statement from a March 30 ICSA press release that is somewhat telling:

“This year we are expanding our certification programs into health IT, a much-needed area of focus to help modernize today’s health care system,” said George Japak, managing director for ICSA Labs. “With our new focus on safeguarding patient information within electronic health records, we are committed to helping accelerate the adoption of health IT.”

We don’t hear too much about security in the context of certification from too many other camps, so it’s nice to hear that at least one certification organization is critical of the rules it is under contract to follow. Perhaps we’ll see tougher usability, privacy and security standards in the permanent certification program ONC needs to have in place by the beginning of 2012 to support the forthcoming Stage 2 “meaningful use” requirements from CMS.

Wishful thinking?

June 15, 2011

Can Providers Cope With EMR Security Challenges?

Boy, back in the good old days, protecting patient data was comparatively easy. All you had to do was make sure that nobody got their hands on a patient’s paper chart who shouldn’t be looking at it.

After all, simple stuff like locking file rooms and making sure charts never get left in a public place are pretty easy to understand. Sure, paper records get stolen or rifled through now and then — no system is perfect — but putting processes in place to prevent unauthorized chart access isn’t that complicated.

On the other hand, introducing electronic medical records – plus e-prescribing, digital sharing of lab results and more – is a completely different kettle of fish.

For one thing, providers must control access to medical information stored in their EMR in a far more sophisticated way than they did with paper charts. For example, while role-based access to data may not sound too threatening to your average IT boss, it’s not exactly intuitive if you’re not a geek. Deciding which role may view, edit or print which part of the record gets a lot more complicated than when you used to just pull and route a chart.

Another issue: few clinicians know much about data security, and it’s not likely that they’re going to suddenly get wildly excited about encryption or VPNs.  Sure, you can warn them that it comes down to whether some random stranger (or even a staff member) will steal their patients’ Social Security numbers or broadcast medical secrets. But it’s just about impossible to explain security issues without wandering into scary jargon that will alienate the heck out of many doctors.

Of course, healthcare organizations can make sure their clinicians are trained to understand the importance of  securing their EMR. And they can even explain why specific types of security measures will limit their HIPAA exposure, the best pitch you can make to non-techies.

Still, the bottom line is that moving from paper to EMRs isn’t just a change-management exercise. It forces clinicians to think about how they use, distribute and share data on a profound level. I hope it does, anyway, because if providers aren’t ready to think about these issues, things aren’t going to be pretty.

December 29, 2010

HIPAA Lawsuit – PHI by Un-encrypted Email

In kind of ironic timing, the news was recently reported of a patient talking to lawyers about a possible lawsuit against a doctor who sent her protected health information (PHI) to his home email in an un-encrypted format. The irony is that for the past week, my post on Email not being HIPAA secure has been having a really good discussion happening in the comments about these very issues (you should go read through the comments, they’re very interesting).

One interesting part of the above news story is that it didn’t even include the most common personal information used for identity theft. Certainly a person’s name and medical information should be kept private as well and could have consequences related to its release on the internet. However, it definitely doesn’t bring out the privacy critics like a breach of financial related info would bring.

While I personally hate lawsuits, a part of me kind of hopes that this or some other lawsuit happens related to email and PHI. Not because I like lawsuits or I want someone to be held responsible. Mostly because we could use some legal precedent to better enable those who want to use technology like email. Until the precedent is set (or a more specific law is passed), I think that many people are just too afraid to use email for any sort of health care related communication.

In the comments I mentioned above, someone even commented about them wanting a doctor who would let them waive their right to privacy in the name of convenience. Basically, they would rather use email to communicate even PHI at the risk of someone seeing their health information so that they can use communication tools like email in their healthcare. I bet there are a lot more people who would opt in for this also. The problem is that the law is such that I don’t know many doctors who are willing to take the risk even if the patient gives them permission.

The best alternative right now is the patient portal where a patient receives an email saying something has been added or updated on the portal and invites them to login to the private secured portal to see the PHI or other health information. Not perfect and not that broadly adopted.

Lots of other issues related to email with doctors, but at least resolving the privacy and security ones would allow us to focus on those other issues.

October 27, 2010

Hospital Breach by Job Applicant

During a bond hearing Thursday in Superior Court, Wheeler’s Macon attorney Reza Sedghi described his client’s actions as a job application gone awry with “no criminal intent or compromise of sensitive patient information.” Sedghi said Wheeler had obtained access to the database with a password and access codes obtained while working on a Macon physician’s connectivity problems with the hospital.

The attorney said Wheeler uncovered seven flaws in the hospital’s system and sought to use the discovery to land a job with the countywide medical complex, spending several hours with Rhodes and David Griffin, the hospital’s security chief.

“They asked for and received a copy of his resume and a written report of his findings,” Sedghi reported in court. “Then they walked out of the conference room and returned with two Warner Robins police officers.”

Wheeler’s acts were stupid, the Macon attorney conceded, but “he had no malicious intent. He was the one exposing the flaws.” (source)

I must admit that I’m a bit torn by the story of this kid who I believe didn’t have any malicious intent when he breached the hospital’s security system. The crazy thing is that if he’d had malicious intent, they likely wouldn’t have known that these security holes existed or that he had breached them.

Certainly the kid is dumb to have done it, but the reaction by the hospital system is terrible. Here’s a quote from the same article excerpt above:

“I condemn any effort of any party to justify his acts,” Rhodes [CIO] said in an exclusive Warner Robins Patriot interview. “This is a criminal act and he did not do Houston Healthcare or its patients any favors. His actions were illegal and we will support the authorities in prosecuting this to the full extent of the law.”

Talk about a major overreaction. Of course his condemnation of efforts to justify his acts makes people more interested in doing so. Honestly, Robert Rhodes, chief information officer for Houston Healthcare, just sounds like an angry CIO whose security efforts were torn to shreds by a 21 year old. I’d be angry too if I were Robert Rhodes. Mostly because Robert Rhodes is the one that should be fired for having such porous security and they should hire Christopher Wheeler to help them actually implement some real security.

Of course, the CIO is quick to point out that “He did not breach our internet security. He got in through a stolen pass word. He didn’t discover a breach. He was the breach.”

This is just wrong. It wasn’t stolen; it was given to him as part of his duties to help the doctor connect to the hospital. That’s not a breach. What’s insane is that a doctor’s password would have the ability to create all these back doors and expose seven flaws in the hospital’s IT systems. The CIO should be held accountable for that. So much for only giving users the access that they need. Or maybe the doctors at Houston Healthcare need that ability. Yeah, right.

I don’t want to give the impression that security isn’t important. It is and what this guy did was wrong and he’ll be punished in the legal system for what he did. Although, it does seem that it wasn’t with malicious intent and so some leeway should be given there. However, the CIO accepting a c-level executive salary with responsibility over a network with so many security flaws that could be exposed by a 21 year old using a doctor’s password sounds much more inappropriate to me.

September 23, 2010

Healthcare Data Breaches

I was recently sent an Information Week article on the “Steady Bleed: State of HealthCare Data Breaches.” The article basically tries to list out all of the data breaches that are happening in healthcare and how healthcare companies aren’t doing what they need to do to protect patient data.

Now, I’ll be the first to acknowledge that more can always be done. I even agree that more can and needs to be done to protect patient information. However, I don’t agree with the article’s assertion that the use of an electronic health record (EHR) is the reason why health care providers are so poorly securing patient information.

Many of you might remember my post on EMR and EHR about HIPAA Breaches related to EMR. In that post, I discuss how it’s unfair for someone to automatically assume that if there was a breach, then it was the electronic medical record software’s fault. In the analysis I did in the above post, I found that most of the HHS list had nothing to do with EMR software. In fact, many of the HIPAA breaches were lost devices which contained lists of insurance information. EHR had nothing to do with that.

I’m not saying that breaches don’t happen with an EMR. They do. However, most of the examples given in the Information Week article could have happened just as easily in the paper world. It didn’t take an electronic health record for people to start looking up famous sports stars health information.

Maybe the real difference with an EHR is that now we can know and track who accesses each patient record. That just means that now we actually know about all the violations whereas with paper charts they’d just happen and we’d likely never know about it or have a way to prove that it happened. So, yes, the number of reported HIPAA breaches should be going up. We have more information to report on.

The good thing long term is that with an EHR we now have tracking mechanisms that allow us to hold someone accountable for their breaches of HIPAA. If this accountability is taken seriously, the number of breaches will go down. That’s a much better long term solution than the naive ignorance of not knowing about breaches in the paper chart world.

Sure, not all EHR software is secure. Vendors need to fix and improve that. However, the numbers and reports I’ve seen don’t indicate that breaching an EHR’s security is the real problem. There are far easier ways to take patient data than trying to breach an EHR’s security system. Let’s focus on those other ways that people take patient data and punish them appropriately. That’s far more productive than saying that we’re rushing too quickly into an unsecured EHR world.
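To make the "now we can know and track who accesses each patient record" point concrete, here is an added example of my own (not from the InformationWeek article or any EHR product) that reviews a constructed access log and flags chart views by staff who have no recent encounter with that patient, which is the pattern behind the sports-star lookups mentioned above. The pipe-delimited log format, the encounter roster and the 30-day window are assumptions; a real review would pull encounters from the scheduling or billing system.

```python
"""Flag EHR chart accesses with no treatment relationship to the patient.
Added example; not from the InformationWeek article or any EHR product."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed roster: (patient, staff user, encounter date). Not real data.
ENCOUNTERS = [
    ("P-2001", "dr_ortiz", "2010-09-13"),
    ("P-2001", "nurse_kim", "2010-09-13"),
    ("P-3050", "dr_ortiz", "2010-09-14"),  # P-3050 is the well-known patient everyone looks up
]

# Constructed access log in an assumed format: timestamp|user|action|patient
ACCESS_LOG = """\
2010-09-13T09:02:11|dr_ortiz|view_chart|P-2001
2010-09-13T09:05:40|nurse_kim|view_chart|P-2001
2010-09-14T11:20:05|dr_ortiz|view_chart|P-3050
2010-09-14T12:31:48|billing_jo|view_chart|P-3050
2010-09-14T12:33:02|nurse_kim|view_chart|P-3050
2010-09-15T08:10:00|nurse_kim|view_chart|P-3050
2010-09-16T14:45:19|dr_ortiz|view_chart|P-2001
"""

WINDOW = timedelta(days=30)  # assumption: an encounter justifies access for 30 days either side


def parse_access_log(text):
    """Yield (datetime, user, action, patient) for each non-empty line."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, patient = line.split("|")
        rows.append((datetime.fromisoformat(ts), user, action, patient))
    return rows


def relationship_index(encounters):
    """Map (user, patient) -> list of encounter dates."""
    idx = defaultdict(list)
    for patient, user, day in encounters:
        idx[(user, patient)].append(datetime.fromisoformat(day))
    return idx


def has_relationship(idx, user, patient, when, window=WINDOW):
    """True if this user had an encounter with this patient within the window."""
    return any(abs(when - d) <= window for d in idx.get((user, patient), []))


def flag_unjustified_access(log_text, encounters):
    """Return (timestamp, user, patient) for every chart view with no matching encounter.
    These are leads for a privacy officer to triage, not proof of snooping: a covering
    clinician who is missing from the roster will show up here too."""
    idx = relationship_index(encounters)
    flagged = []
    for when, user, action, patient in parse_access_log(log_text):
        if action == "view_chart" and not has_relationship(idx, user, patient, when):
            flagged.append((when.isoformat(), user, patient))
    return flagged


def per_user_counts(flagged):
    """Count flagged views per user so repeat offenders float to the top."""
    counts = defaultdict(int)
    for _, user, _ in flagged:
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = flag_unjustified_access(ACCESS_LOG, ENCOUNTERS)
    for ts, user, patient in hits:
        print(f"{ts}  {user:12s} viewed {patient} with no encounter in window")
    print(per_user_counts(hits))
```

On the constructed data this flags the billing clerk once and the nurse twice for the well-known patient, and nothing for the treating physician. This is exactly the information a paper chart never gave you; the follow-up (asking the nurse why she opened that chart) is a people process, and the log only makes it possible.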

November 11, 2009

EMR Security Problem

On EMR Update a user posted an interesting security problem with their EMR software:

I was on our user’s forum reading about a security flaw in our EMR. There were some discussions about the ability to circumnavigate prescription privileges and have your staff write themselves narcotics. We couldn’t figure out if anyone had done anything like this in our office, so I had our IT guy spend some time in the system. He was able to determine that one of our staff members had in fact been printing out an old script that had been written in the past and manually faxing it to pharmacies around town. The problem with the software is that it lets you print out a script from a locked note, and it prints out with the present date so it can be filled!

Has anyone else had staff in their EMR get away with writing bogus prescriptions? If you don’t know, you may want to check your system. Obviously this is an intolerable situation. We are hoping our vendor will take this seriously for once and get it fixed quickly. Otherwise, we will be forced to look elsewhere for a replacement EMR that doesn’t have this issue.

I love this story, because it highlights a number of interesting things.

1. The challenge of creating a secure, usable, and effective EMR. It’s NOT easy.

2. How responsive will your EMR vendor be to end user requests?

3. What would it take for you to switch EMR software? Can you imagine?
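The flaw in the forum post is a business-logic bug, not a cryptographic one, so it is worth seeing the two behaviours side by side. This is an added example of mine and does not model any particular vendor's code: the vulnerable function reproduces what the poster describes (any user who can open a locked note gets a reprint dated today), and the hardened one never re-dates a script, prints a dispensable script only for its own prescriber on the day it is written from an unlocked note, marks everything else as a chart copy, and records every print so the office would not have needed its IT guy to dig through the system. The roles, drug names, note identifiers and in-memory audit store are constructed.

```python
"""Vulnerable vs. hardened prescription printing. Added example; it models the flaw
described in the forum post, not any real EMR product's code."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Prescription:
    drug: str
    sig: str
    written_on: date
    prescriber: str


@dataclass
class Note:
    note_id: str
    locked: bool
    prescriptions: tuple


@dataclass(frozen=True)
class User:
    name: str
    can_prescribe: bool


PRINT_AUDIT = []  # constructed in-memory audit of print events


def print_script_vulnerable(note, user, today):
    """The behaviour the poster describes: anyone who can open a locked note can
    reprint its scripts, and the printout carries today's date, so it can be filled."""
    return [
        {"drug": rx.drug, "sig": rx.sig, "prescriber": rx.prescriber,
         "date": today, "dispensable": True, "banner": None}
        for rx in note.prescriptions
    ]


def print_script_hardened(note, user, today):
    """A dispensable script is printed only by its own prescriber, on the day it was
    written, from a note that is not yet locked. Anything else is a chart copy with
    the original date kept and a banner saying it is not valid for dispensing.
    Every print, dispensable or not, is audited with who printed what and when."""
    outputs = []
    for rx in note.prescriptions:
        is_original = (user.can_prescribe and user.name == rx.prescriber
                       and rx.written_on == today and not note.locked)
        outputs.append({
            "drug": rx.drug, "sig": rx.sig, "prescriber": rx.prescriber,
            "date": rx.written_on,  # never re-dated, whoever prints it
            "dispensable": is_original,
            "banner": None if is_original else "CHART COPY - NOT VALID FOR DISPENSING",
        })
        PRINT_AUDIT.append({"note": note.note_id, "user": user.name, "drug": rx.drug,
                            "dispensable": is_original, "on": today})
    return outputs


# Constructed data (not a real patient, prescriber or staff member).
OLD_NOTE = Note("N-0417", locked=True, prescriptions=(
    Prescription("oxycodone 5 mg", "1 tab q6h prn pain, #20", date(2009, 3, 2), "dr_patel"),))
STAFF = User("front_desk_1", can_prescribe=False)
DOCTOR = User("dr_patel", can_prescribe=True)


def demo_staff_reprint(today=date(2009, 11, 11)):
    """Staff member reprints an old locked script: vulnerable output vs. hardened output."""
    return (print_script_vulnerable(OLD_NOTE, STAFF, today)[0],
            print_script_hardened(OLD_NOTE, STAFF, today)[0])


def demo_doctor_reprint_today(today=date(2009, 11, 11)):
    """The legitimate case: the prescriber reprints today's script after a printer jam."""
    fresh = Note("N-0912", locked=False, prescriptions=(
        Prescription("amoxicillin 500 mg", "1 cap tid x10d, #30", today, "dr_patel"),))
    return print_script_hardened(fresh, DOCTOR, today)[0]


def audit_entries_for(user_name):
    """What the office could have queried instead of combing through the system by hand."""
    return [e for e in PRINT_AUDIT if e["user"] == user_name]


if __name__ == "__main__":
    vulnerable, hardened = demo_staff_reprint()
    print("vulnerable:", vulnerable)
    print("hardened:  ", hardened)
    print("doctor:    ", demo_doctor_reprint_today())
    print("audit:     ", audit_entries_for("front_desk_1"))
```

The fix is deliberately not "remove the print button": a chart copy of a historical prescription is a legitimate need. What changes is that the copy can no longer pass as a fresh order, and that the reprint itself leaves a record, which is the difference between finding the abuse in a query and finding it after the pharmacies have already filled the scripts.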

March 21, 2008

Discharge Summaries by Email from an EMR

Think about how wonderful it would be to send a discharge summary by email to a patient straight from your EMR. I think it’s pretty easy to see the tremendous benefits of this type of communication. Send the patient information to one place they probably visit every day and where they can read and process the information away from the hustle and bustle of the clinic. Certainly many doctors have been doing this with little pamphlets or handout sheets with clinical information. Unfortunately, too many of these sheets never get read. Certainly that same thing could happen with an email, but at least the next generation of patients are going to want this information in their email box.

Of course, the problem with sending this information in an email is that email is not secure. Email encryption hasn’t taken hold fast enough to make it encrypted. Is a user’s email box really a secure location where they want their health information? I personally don’t have a problem with it, but I would expect that many people wouldn’t want their health information in their email any more than their regular mailbox. Either way, without the encryption it wouldn’t be difficult for someone to sniff out what’s being sent in an Email containing for example a patient’s discharge. It would be going across the internet in basically plain text.

This situation actually happened in Australia a little while back, in an article I read called “Unsecured email sparks dispute.” I know I wouldn’t be happy if a clinic just decided to send these unsecured emails. Not so much because I was personally worried about my information being lost. I personally have nothing to hide (yet anyway). However, I would feel uncomfortable patronizing an organization that would deal so flippantly with my information.

I’m sure that someone will chime in that this is the whole purpose of a Patient Portal or EHR interface that allows people a secure method to receive and send protected health information. This is all well and good, but from what I’ve seen this usually requires the doctor’s EMR company to support this type of interaction. Plus, even more serious of an issue is that you’re giving your patients one more login and password that they’ll need to remember. Certainly not a deal breaker, but one more inconvenience for our users and the staff that have to support our users when they forget their password. Unfortunately, I think that this is the future of secured messaging, but I can always hope that there’s something better that we’re just missing.

We should also realize that this isn’t going to get any easier. In fact, I think we can reasonably say that this is going to get harder and harder. Don’t be surprised if soon some patient would like their health information somehow incorporated into some site like Facebook. It’s really only a matter of time until some developer creates a health interface into Facebook.

It might not make sense to most people, but the next generation of patients are going to grow up living and breathing their online life in some sort of social network (Facebook is just one example of these). They are very comfortable with transparency and will be interested in being able to track and compare health information with other people. Not to mention interact in a social network with other people who have similar conditions. It seems like this isn’t a question of if, but when this type of interaction will happen.

Even if you think that health information on a social network like Facebook is far fetched, we are already seeing health information propagating to the web in Microsoft’s HealthVault and Google Health. Is this going to be ok? Will it become as synonymous as online banking has become to the banking world? It’s not that far of a stretch to think that Google Health could easily be tied into Google’s OpenSocial platform which would allow a patient’s health information to do all sorts of cool things.

The convergence of Health Care and IT is going to be really interesting. It’s taken health care a while to get going with IT, but I think almost everyone agrees that IT could do amazing things to better the health care a person receives.
