Oracle Brings Health Data Analytics To The Cloud

For years now, healthcare providers have been inching toward cloud use, with CIOs still divided as to whether cloud applications are secure enough to meet their standards.

These days, though, the tide seems to be turning in favor of cloud applications. In fact, a recent study by KLAS on hybrid clouds in healthcare found that those who had signed on for cloud apps rated them a 4.5 out of 5 for security.

Given this growing level of trust, it was no surprise to read that Oracle had kicked off a major cloud product for healthcare at HIMSS last week.

At the show, Oracle Health Sciences introduced the Oracle Enterprise Healthcare Analytics Cloud Service, a cloud-based version of the vendor’s data management, warehousing and analytics platform. The new product comes with pre-built analytical applications and also supports third-party healthcare apps.

The existing Enterprise Healthcare Analytics is a big data play which pulls in, validates and loads data from clinical, financial, administrative and even clinical research systems to offer a single enterprise view.

What makes the cloud version interesting, of course, is that if healthcare CIOs are willing to chance the security issues, they can bypass having to spend big on IT infrastructure to bring it on board.

Also interesting is that Oracle has given CIOs a few models for deploying Enterprise Healthcare Analytics: on-site, in its “HIPAA-certified” Oracle Health Sciences Cloud, or in a hybrid model leveraging on-premise and traditional cloud.

I have little doubt that even as a cloud-based service, this is a very pricey product that isn’t for all facilities. And there’s still a large contingent of hospitals that aren’t ready to trust all of their mission-critical data to cloud security.

But it’s still worth noting that Oracle is extending this kind of tool to the cloud nonetheless. I wonder if the perceived value of an Oracle app will push more facilities off the fence and into trusting cloud security after all?

March 12, 2013 | Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Mixing Physical, Mental Health Data Lowers Readmissions

Ordinarily, it makes sense to treat psychiatric records with particular sensitivity, given how private these issues are for most patients.  Also, one might assume that medical doctors simply don’t need access to psychiatric records — and if so, why increase the risk of a  HIPAA breach by giving them needless data access?

Apparently, however, these assumptions may be working against patients. A new study by researchers at Johns Hopkins found that in some cases, keeping mental health records separate from physical health records in an EMR as a privacy measure may actually decrease quality of care.

To examine this issue, researchers at Johns Hopkins surveyed the psychiatric departments at 18 of the hospitals ranked most highly by U.S. News & World Report’s Best Hospitals of 2007, according to blogger Melissa Le Furge. The survey concluded that less than 25 percent of the hospitals allowed non-psychiatric physicians to have full access to patients’ mental health EMR data.  Not so surprising, given the current state of practice.

What’s really interesting, though, is that at the hospitals that allowed non-psychiatric clinicians to have access to mental health records, patients were 40 percent less likely to be admitted within a week of discharge than the industry baseline.

Melissa notes that there are many reasons why this might be:

Depression and other mental illnesses sometimes make it difficult for patients to follow physicians’ instructions after a heart attack or stroke and are less likely to take proper care of themselves…[Also,] being uninformed about medications prescribed by a psychiatrist can cause the primary care physician to prescribe medications that create adverse reactions.

Segregating mental health records may make sense from a social standpoint, but perhaps it’s not good medicine. At minimum, this issue deserves further study.

January 14, 2013 | Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Healthcare Faces Massive Cybersecurity Risks

When a consumer publication like The Washington Post – hardly an insider journal of computing — picks out your industry and slams it for having poor cybersecurity, you know something’s amiss.

The newspaper has just published a report, following a year-long cybersecurity investigation, arguing that healthcare is one of the most vulnerable industries in the U.S., making it a tasty target for terrorists, black-hat hackers and criminals.

It’s rather embarrassing, but it’s hard to argue with the Post’s conclusion that healthcare data security isn’t what it could be. A few data points:

* Researchers are finding that healthcare institutions routinely fail to fix known bugs in aging software, something other industries have largely overcome.

* Providers are making careless use of public cybertools; the paper cites the example of the University of Chicago medical center, which at one point operated an unsecured Dropbox site for new residents managing care through their iPads (with a single user name and password published online, yet!).

* According to Post research, open source system OpenEMR “has scores of security flaws that make it easy prey for hackers”

* In perhaps the scariest example, the paper notes that clinicians routinely work around cybersecurity measures to get their job done.

Another factor contributing to cybersecurity holes is confusion about the FDA’s position on security. While the agency actually wants vendors to update FDA-approved device interfaces and systems, vendors often believe that the FDA bars them from updating device software, the Post found.

That leaves devices, especially defibrillators and insulin pumps, open to attacks. Researchers have been able to find these devices, linked to the web in the clear, simply by using a specialized search engine.

As wireless medical devices and smartphones, iPads and Android devices creep into the mix, cybersecurity vulnerabilities are likely to get worse, not better.  I wonder whether we’ll need to see a cybersecurity disaster take place before the industry catches up to, say, financial services?

December 27, 2012 | Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

EMRs May Be The Next Hacker’s Prize

Black-hat hackers are beginning, slowly but at an increasing pace, to lock down and encrypt medical data, then demand a ransom fee before they’ll turn over the data in usable form again.

While reports of such activity are scattered and few at the moment, my guess is that we’re at the beginning of a wave of such attacks, especially attacks targeting small medical practices with unsophisticated security set-ups.

Consider what happened recently to a clinic in Queensland, Australia.   Over one weekend, a server holding seven years of patient records was breached and the data encrypted with “military-grade” tools, according to blog Naked Security.

The attackers, who seem to be based in Eastern Europe or Russia, are demanding $4,000 AUD for the release of the records, the blog reports. The clinic is attempting to avoid paying by bringing in its own security experts, but the experts retained by the clinic are apparently fairly doubtful that they can break the encryption scheme.

Such attacks have begun to occur in the U.S. as well, all targeting smaller medical practices with minimal security support.  It’s little wonder that such practices are being targeted; even if they have decent, industry-standard firewalls, antivirus software and password-protected servers — as the Aussie clinic did — such protections are child’s play to defeat if you’re a professional cybercriminal who’s done this kind of thing many times before.

Even if the practice has tougher security in place than usual, how likely is it to have good security hygiene, such as frequently updated and patched firewalls and strong, regularly switched out passwords?  Without security staff on board, not too likely.

Given the devastating consequences that can occur if a medical practice is unable to regain its data, it seems to me that it’s time the entire healthcare industry take an interest in this problem. Smaller practices need help, and we’ve got to figure out how to make sure they get it.

December 14, 2012 | Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

BYOD And HIPAA Compliance: Can You Have Both?

With doctors among the biggest fans of smartphones around, hospitals and medical practices are having to face the reality that Bring Your Own Device is here to stay. The question is, is BYOD so hard to manage that it all but guarantees HIPAA breaches?

On the one hand, BYOD seems to have arrived to stay. According to a recent report by KLAS Research surveying 105 CIOs, IT specialists and physicians, 70 percent said they used mobile devices to access their EMRs. Even this small group was accessing virtually every major enterprise EMR via mobile, reports MobiHealthNews.

But the pressures on hospitals to corral BYOD security gaps are growing. Hospitals will soon have to provide increased protection of patient health information under Meaningful Use Stage 2. And the HHS Office for Civil Rights will be doing stepped-up HIPAA-compliance audits, which gives hospitals even less leeway than they’d have had otherwise.

Of course, hospitals have been dealing with doctors bringing one device — a laptop — for quite some time. One might think this would have prepared hospitals for dealing with security-hole-ridden portable devices that staff and clinicians bring to work.  But as we all know, laptops have proven to be major sources of security breaches, most typically by being stolen when loaded down with unencrypted data.

BYOD on the mobile side is if anything a riskier proposition.  For one thing, doctors and executive staff are likely to own more than one device, such as a phone and a tablet, multiplying the risk that an unguarded device could be stolen and bled for information.  And managing mobile devices calls for IT to support two additional operating systems (iOS and Android) configured in whatever way the user prefers.

Folks, I know I’m not saying anything crashingly original, but I’d argue it’s worth repeating: It’s time for hospitals to stop waffling and develop comprehensive protocols for BYOD use. It’s clear that left alone, the problem is going to  get worse, not better.

December 7, 2012 | Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Disaster Planning and HIPAA

When talk turns to HIPAA, most of us are focused on privacy compliance.  After all, privacy is a complex, expensive nightmare, and few hospitals or medical practices feel up to the task, so talking through those issues makes sense.

But as blogger Art Gross points out, the HIPAA Security General Rules require more than protecting a patient’s privacy. They also require that ePHI remains available even in the face of disaster. From the rules (courtesy of Gross, emphasis his):

§ 164.306 Security standards: General rules.
(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

Apparently, far too few healthcare providers are paying enough attention to this part of the rules. Gross, who is a HIPAA security consultant, says that when he audits organizations, few have disaster recovery or emergency operations procedures in place.

Now, big enterprise IT departments aren’t going to leave disaster recovery out of their planning; it’s simply part of the drill for any large installation. But the smaller the provider group gets — particularly when you zoom down to one to three-doctor practices — the story changes.

As people who read blogs like this one know, smaller practices aren’t likely to have so much as a single IT staffer on board. Keeping their EMR up and running is enough of a burden. I’m not at all surprised to hear that they aren’t prepared for disasters like Hurricane Sandy, which brought down even large medical centers.

But with HIPAA demanding immediate access to ePHI, doctors won’t have a choice much longer. And hospitals will want to make sure independent doctors aren’t the weak link in the availability chain.

Yes, it’s asking a lot of small practices to make intelligent disaster recovery plans for their EMR, and even more of their hospital partners if they want to keep access to disparate EMRs out there. But there’s just no getting around the problem.

November 20, 2012 | Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Hospital Forced To Provide EMR Data Access By Court

A New Hampshire hospital has been forced by the state’s Superior Court to provide public health officials with access to its EMR so they can further investigate a major hepatitis C outbreak.

Exeter Hospital had been ordered by the state’s Division of Public Health Services to release patient records, but had  challenged the order, arguing that it would be violating state and federal law if it provided free access to EMR records.

The issue dates back to July, when a lab technician formerly employed by the hospital was arrested in connection with a hep C outbreak affecting more than 30 patients. The lab tech, who has hep C, allegedly stole fentanyl-filled syringes from the hospital, injected the fentanyl, then refilled the dirty syringes with another substance.

The hospital sought guidance from the courts in an effort to learn just how much access it would have to provide without running afoul of HIPAA and state privacy laws.  (If I were running Exeter Hospital I certainly would have done the same thing; otherwise, one would think  it’d be wide-open liable to suits by patients who objected to the data sharing.)

Now, it seems, the hospital is satisfied that patients involved in the outbreak are adequately protected. From its official statement on the matter:

The Court pointed out that the State needs to follow very specific, CDC-sanctioned protocols in collecting data from Exeter Hospital’s electronic medical record system and can only obtain the minimum amount of information necessary to complete its investigation. The Court has also emphasized that the information collected by the State cannot be re-published which helps to protect the privacy of patients.

For both the patients’ and Exeter’s sake, let’s hope that the public health authorities involved handle such explosive data with extreme care.  A data breach at this point would not only have devastating consequences — particularly if the hepatitis C sufferers’ names were made public — it would also plunge all involved into a legal nightmare. For their sake, I’m hoping for the best.

November 13, 2012 | Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Access To Clinical Data Too Easy Via Phone

Lately, I’ve had reason to be in touch with my health insurance company, my primary care doctor and multiple specialists.  In speaking with each, what I’ve noticed is that the data they collect to “protect my privacy” isn’t likely to do a good job. And I’ve been wondering whether an EMR can actually help tighten up access.

When I called to discuss clinical matters, both the payer and providers asked for the same information: My date of birth, my street address and my name. As far as I know, folks, you can get all of that information on a single card, a driver’s license. So, anyone who finds or steals or has access to my wallet has all the info they need to crawl through my PHI.

So, OK, let’s say providers and payers add a requirement that you name the last four digits of your social security card.

There are a few problems with that approach. First, anyone who has your wallet may well have your Social Security Card. Second, storing patients’ SSNs in the clear in an EMR is an invitation to be hacked, as the SSN is the gold standard for identity theft. Third, if you want to store them in a form that only allows the last four digits to be read, that’s another function you need to add to your system.

So, what’s the solution? Would it work to have patients identify which doctor they see (something a thief wouldn’t know) or a recent treatment or procedure they’d had?  Probably, although some patients — forgetful elderly, or the chronically ill with multiple providers — might not remember the answers.

Seems to me that when there’s universal use of patient portals by both providers and payers, this problem will largely go away, as patients will be able to be looking at their own records when talking to providers. This will make a more sophisticated security screening possible.

But in the meantime, I’m troubled to know that my payer and several of my doctors use a security method which can be so easily compromised. Do any of you have suggestions as to what those offices might do in the interim between now and when they have a useful portal to offer?

October 26, 2012 | Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Data Capture, Electronic Data, and Interoperability — #HITsm Chat Highlights

Topic One: When can we seriously say the data being captured and stored in EHRs is leading to new opportunities for patient care?

Topic Two: Do hospitals prioritize complete data capture for max reimbursement or for an aid for clinicians in patient care?

Topic Three: Does electronic data entry really take more time than paper notes? What can improve speed?

Topic Four: Interoperability. What can be done to increase awareness of the CCD and CDA standards designated for data exchange?

October 20, 2012 | Written By

Katie Clark is originally from Colorado and currently lives in Utah with her husband and son. She writes primarily for Smart Phone Health Care, but contributes to several Health Care Scene blogs, including EMR Thoughts, EMR and EHR, and EMR and HIPAA. She enjoys learning about Health IT and mHealth, and finding ways to improve her own health along the way.

Verizon Launches HIPAA-Compliant Cloud Services

Last month, I shared some of Verizon’s big plans for the medical space with you, including their desire to become the industry’s default carrier of secure healthcare data.  This week, Verizon has launched its cloud service line, and I wanted to share some of the details on how it’s set up with you.

Verizon’s Enterprise Solutions division is offering five “healthcare-enabled” services, including colocation, managed hosting, enterprise cloud, an “enterprise cloud express edition” and enterprise cloud private edition. In addition to the services, Verizon provides a HIPAA Business Associate Agreement which, one would assume, is particularly stringent in how it safeguards data storage and transmission between parties.

The new Verizon services will be offered through cloud-enabled data centers in Miami and Culpeper, Va. run by Terremark, which Verizon acquired some time ago. Security standards include PCI-DSS Level 1 compliance, ITIL v3-based best practices and facility clearances up to the Department of Defense, Verizon reports.

In addition to meeting physical standards for HIPAA compliance, Verizon has trained workers at the former Terremark facilities on the specifics of handling ePHI, Verizon exec Dr. Peter Tippett told Computerworld magazine.

You won’t be surprised to learn that Verizon is also pitching its (doubtless very expensive) health IT consulting services as well to help clients take advantage of all of this cloud wonderfulness.

Not surprisingly, Verizon notes in its press release that “each client remains responsible for ensuring that it complies with HIPAA and all other applicable laws and applications.” If I were Verizon, I’d be saying that too, and it doubtless states the obvious. That being said, it does make me wonder just how much they manage to opt out of in their business associate agreement. Call me crazy, but I think they’d want to leave as much wiggle room as humanly possible.

The bigger question, as I see it, is how big the market for these services really is at present. According to the Computerworld story, only 16.5 percent of healthcare providers use public or private clouds right now. Verizon may be able to turn things around on the strength of its brand alone, but there are no guarantees. I guess we’ll have to wait and see.

October 4, 2012 | Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.