Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

HIPAA Slip Leads To PHI Being Posted on Facebook

Written by:

HHS has begun investigating a HIPAA breach at the University of Cincinnati Medical Center which ended with a patient’s STD status being posted on Facebook.

The disaster — for both the hospital and the patient — happened when a financial services employee shared detailed medical information with father of the patient’s then-unborn baby.  The father took the information, which included an STD diagnosis, and posted it publicly on Facebook, ridiculing the patient in the process.

The hospital fired the employee in question once it learned about the incident (and a related lawsuit) but there’s some question as to whether it reported the breach to HHS. The hospital says that it informed HHS about the breach in a timely manner, and has proof that it did so, but according to HealthcareITNews, the HHS Office of Civil Rights hadn’t heard about the breach when questioned by a reporter lastweek.

While the public posting of data and personal attacks on the patient weren’t done by the (ex) employee, that may or may not play a factor in how HHS sees the case. Given HHS’ increasingly low tolerance for breaches of any kind, I’d be surprised if the hospital didn’t end up facing a million-dollar OCR fine in addition to whatever liabilities it incurs from the privacy lawsuit.

HHS may be losing its patience because the pace of HIPAA violations doesn’t seem to be slowing.  Sometimes, breaches are taking place due to a lack of the most basic security protocols. (See this piece on last year’s wackiest HIPAA violations for a taste of what I’m talking about.)

Ultimately, some breaches will occur because a criminal outsmarted the hospital or medical practice. But sadly, far more seem to take place because providers have failed to give their staff an adequate education on why security measures matter. Experts note that staffers need to know not just what to do, but why they should do it, if you want them to act appropriately in unexpected situations.

While we’ll never know for sure, the financial staffer who gave the vengeful father his girlfriend’s PHI may not have known he was  up to no good. But the truth is, he should have.

July 1, 2014 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

HIMSS: Insider Threats Still Biggest Health IT Security Worry

Written by:

You can do whatever you like to lock down your data, but  it if they do they do it did buy a block of members of the earth is the work doesn’t go for all it takes is one insider who knows how to unlock it to create a serious security breach.

Results from the 2013 HIMSS Security Survey suggest that despite progress towards hardening security and use of analytics, healthcare organizations must still do more to mitigate the risk of insider threat, such as the inappropriate access of data via employees.

The HIMSS survey, which was supported by The Medical Group Management Association and underwritten by Experian Data Breach Resolution, surveyed 283 information technology and security professionals employed in US hospitals and physician practices. What the researchers found was that the greatest “that motivator” was that of healthcare workers potentially snooping into EMRs to find friends, neighbors, spouses or coworkers.

Given that healthcare IT leaders are particularly concerned about inappropriate use of health data by insiders, you won’t be surprised to hear that there’s been an increase use of several technologies related to access to patient data, including user access control and audit logs in each access to patient records.

But you may be surprised to learn that of the 51 percent of respondents increase the security of the past year, 49 percent of these organizations are still spending just 3 percent  or less of their overall IT budget on securing patient data.

Other findings from the HIMSS survey include that healthcare organizations are using multiple means of controlling employee access to patient information;  67 percent use at least two mechanisms, such as user base and role-based controls, for controlling access the data.

February 27, 2014 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Is Your EMR Compromising Patient Privacy?

Written by:

Two prominent physicians this week pointed out a basic but, in the era of information as a commodity, sometimes overlooked truth about EMRs: They increase the number of people with access to your medical data thousands of times over.

Dr. Mary Jane Minkin said in a Wall Street Journal video panel on EMR and privacy that she dropped out of the Yale Medical Group and Medicare because she didn’t want her patients’ information to be part of an EMR.

She gave an example of why: Minkin, a gynecologist, once treated a patient for decreased libido. When the patient later visited a dermatologist in the Yale system, that sensitive bit of history appeared on a summary printout.

“She was outraged,” she told Journal reporter Melinda Beck. “She felt horrible that this dermatologist would know about her problem. She called us enraged for 10 or 15 minutes.”

Dr. Deborah Peel, an Austin psychiatrist and founder of the nonprofit group Patient Privacy Rights, said she’s concerned about the number of employees, vendors and others who can see patient records. Peel is a well-known privacy advocate but has been accused by some health IT leaders of scaremongering.

“What patients should be worried about is that they don’t have any control over the information,” she said. “It’s very different from the paper age where you knew where your records were. They were finite records and one person could look at them at a time.”

She added: “The kind of change in the number of people who can see and use your records is almost uncountable.”

Peel said the lack of privacy causes people to delay or avoid treatment for conditions such as cancer, depression and sexually transmitted infections.

But Dr. James Salwitz, a medical oncologist in New Jersey, said on the panel that the benefits of EMR, including greater coordination of care and reduced likelihood of medical errors, outweigh any risks.

The privacy debate doesn’t have clear answers. Paper records are, of course, not immune to being lost, stolen or mishandled.

In the case of Minkin’s patient, protests aside, it’s reasonable for each physician involved in her care to have access to the complete record. While she might not think certain parts of her history are relevant to particular doctors, spotting non-obvious connections is an astute clinician’s job. At any rate, even without an EMR, the same information might just as easily have landed with the dermatologist via fax.

That said, privacy advocates have legitimate concerns. Since it’s doubtful that healthcare will go back to paper, the best approach is to improve EMR technology and the procedures that go with it.

Plenty of work is underway.

For example, at the University of Texas at Arlington, researchers are leading a National Science Foundation project to keep healthcare data secure while ensuring that the anonymous records can be used for secondary analysis. They hope to produce groundbreaking algorithms and tools for identifying privacy leaks.

“It’s a fine line we’re walking,” Heng Huang, an associate professor at UT’s Arlington Computer Science & Engineering Department, said in a press release this month “We’re trying to preserve and protect sensitive data, but at the same time we’re trying to allow pertinent information to be read.”

When it comes to balancing technology with patient privacy, healthcare professionals will be walking a fine line for some time to come.

November 20, 2013 I Written By

James Ritchie is a freelance writer with a focus on health care. His experience includes eight years as a staff writer with the Cincinnati Business Courier, part of the American City Business Journals network. Twitter @HCwriterJames.

Healthcare Cloud Spending To Ramp Up Over Next Few Years

Written by:

For years, healthcare IT executives have wrestled with the idea of deploying cloud services, concerned that the cloud would not offer enough security for their data. However, a new study suggests that this trend is shifting direction.

A new study by market research firm MarketsandMarkets has concluded that the healthcare industry will invest $5.4 billion in cloud computing by 2017.  This year should see a particularly big change, with total healthcare cloud investment moving from 4 percent to 20.5 percent of the industry, according to an article in the Cloud Times.

The current US cloud market for healthcare is dominated by SaaS vendors such as CareCloud, Carestream Health and Merge Healthcare, according to MarketsandMarkets. These vendors are tapping into an overall cloud computing market which should grow at a combined annual growth rate of 20.5 percent between 2012 and 2017, the researchers say.

As the report notes, there are good reasons why healthcare IT leaders are taking a closer look at cloud computing. For example, the cloud offers easy access to high-performance computing and high-volume storage, access which would be very costly to duplicate with on-premise computing.

On the other hand, the MarketsandMarkets researchers admit, healthcare still has particularly stringent data security requirements, and a need for strict confidentiality, access control and long-term data storage. Cloud vendors will need to offer services and products which meet these unique needs, and just as importantly, change and adapt as regulatory requirements shift. And they’ll have to have an impeccable reputation.

That last item — the cloud vendor’s reputation — will play a major role in the coming shift to cloud-based deployments. If giants like AT&T, IBM and Verizon stay in the healthcare cloud business, which seems likely to me, then healthcare institutions will be able to admit that they’re engaged in cloud deployments without suffering a public black eye over potential security problems.

On the other hand, if the giants were to get cold feet, cloud adoption would probably slow substantially, and remain at the trickle it has been for several years. While vendors like Merge and Carestream may be doing well, I’d argue that the presence of the 2,000-pound gorilla vendors ultimately dictates whether a market thrives.

October 4, 2013 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A Primer On HIPAA Compliance For BYOD

Written by:

Here’s a statistic that caught me off guard: according to IDC Healthcare Insights, clinicians on average use 6.4 mobile devices in a day. That stat, courtesy of HIT Consultant, underscores the need for a smart and thorough security policy for clinicians who use their own devices at work.

Increasingly, healthcare organizations are crafting security policies for BYOD, but they vary greatly in how much such devices are allowed to access the hospital network, which hospital applications they can access and which devices can access the Internet, HIT Consultant notes.

However, according to Andrew Shearer, CTO at Care Thread, there’s some do’s and don’ts which should be common to all BYOD programs. Here’s some thoughts from Shearer, below.

DO:

Make sure your vendor and its sub-vendors are compliant with the new HIPAA Omnibus requirements

Be aware that under the new rules, HIPAA requirements now extend to business associates of entities that receive  protected health informatoin, such as contractors and subcontractors. Also new, not only vendors to healthcare organizations required to have business associate agreements, vendors must also hold BAAs with their sub-vendors.

Use two levels of security when users login to enterprise applications

Shearer recommends using Active Directory for the first level, allowing providers to use their hospital login credentials.  The second stage, he suggests, is to use a separate PIN for quick access to mobile apps which are in use, one which should disconnect when it goes idle.

Have the ability to remotely wipe a device if it is missing

This isn’t required by HIPAA, but it’s still an essential part of a strong mobile/BYOD security management program. Be prepared to do anything from deleting data in selected folders to turning the device into a brick (removing all programming or returning it to factor settings).

DON’T:

Allow PHI to be written to the mobile device

While it’s very common for clinicians to use mobile messaging apps to share patient information, such sharing is generally not HIPAA-compliant, Shearer notes.  In his view, the ideal healthcare communication app should allow access to messages and PHI only when the use is logged in.

Permit integration with insecure file-sharing / hosting services

Cloud-based hosting and file-sharing services like Evernote and Dropbox are very popular, but they’re not HIPAA compliant. To be HIPAA compliant, organizations must use multiple security protocols, including physical security, technical security in PHI storage and user authentication.

Ignore security updates

Make sure you do periodic audits of mobile devices to make sure any that transmit work-related information meet regulatory standards. Also, make sure apps on mobile devices are up to date, as older versions may not meet current security threats.

June 13, 2013 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Oracle Brings Health Data Analytics To The Cloud

Written by:

For years now, healthcare providers have been inching toward cloud use, with CIOs still divided as to whether cloud applications are secure enough to meet their standards.

These days, though, the tide seems to be turning in favor of cloud applications. In fact, a recent study by KLAS on hybrid clouds in healthcare found that those who had signed on for cloud apps rated them a 4.5 out of 5 for security.

Given this growing level of trust, it was no surprise to read that Oracle had kicked off a major cloud product for healthcare at HIMSS last week.

At the show, Oracle Health Sciences introduced the Oracle Enterprise Healthcare Analytics Cloud Service, a cloud-based version of the vendor’s data management, warehousing and analytics platform. The new product comes with pre-built analytical applications and also supports third-party healthcare apps.

The existing Enterprise Healthcare Analytics is a big data play which pulls in, validates and loads data from clinical, financial, administrative and even clinical research systems to offer a single enterprise view.

What makes the cloud version interesting, of course, is that if healthcare CIOs are willing to chance the security issues, they can bypass having to spend big on IT infrastructure to bring it on board.

Also interesting is that Oracle has also given  CIOs a few models to deploy Enterprise Healthcare Analytics  available to be deployed” on-site in its “HIPAA-certified” Oracle Health Sciences Cloud, or in a hybrid model leveraging on-premise and traditional cloud.

I have little doubt that even as a cloud-based service, this is a very pricey product that isn’t for all facilities. And there’s still a large contingent of hospitals that aren’t ready to trust all of their mission-critical data to cloud security.

But it’s still worth note to see Oracle extending this kind of tool to the cloud nonetheless. I wonder if  the perceived value of an Oracle app will push more facilities off the fence and into trusting cloud security after all?

March 12, 2013 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Mixing Physical, Mental Health Data Lowers Readmissions

Written by:

Ordinarily, it makes sense to treat psychiatric records with particular sensitivity, given how private these issues are for most patients.  Also, one might assume that medical doctors simply don’t need access to psychiatric records — and if so, why increase the risk of a  HIPAA breach by giving them needless data access?

Apparently, however, these assumptions may be working against patients, according to a new study by researchers at Johns Hopkins. A new study by researchers at the university found that in some cases, keeping mental health records separately from physical health records in an EMR as a privacy measure may actually decrease quality of care.

To examine this issue, researchers at Johns Hopkins surveyed the psychiatric departments at 18 of the hospitals ranked most highly by U.S. News & World Report’s Best Hospitals of 2007, according to blogger Melissa Le Furge. The survey concluded that less than 25 percent of the hospitals allowed non-psychiatric physicians to have full access to patients’ mental health EMR data.  Not so surprising, given the current state of practice.

What’s really interesting, though, is that at the hospitals that allowed non-psychiatric clinicians to have access to mental health records, patients were 40 percent less likely to be admitted within a week of discharge than industry baseline.

Melissa notes that there are many reasons why this might be:

Depression and other mental illnesses sometimes make it difficult for patients to follow physicians’ instructions after a heart attack or stroke and are less likely to take proper care of themselves…[Also,] being uninformed about medications prescribed by a psychiatrist can cause the primary care physician to prescribe medications that create adverse reactions.

Segregating mental health records may make sense from a social standpoint, but perhaps it’s not good medicine. At minimum, this issue deserves further study.

January 14, 2013 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Healthcare Faces Massive Cybersecurity Risks

Written by:

When a consumer publication like The Washington Post – hardly an insider journal of computing — picks out your industry and slams it for having poor cybersecurity, you know something’s amiss.

The newspaper has just published a report, following a year-long cybersecurity investigation, arguing that healthcare is one of the most vulnerable industries in the U.S., making it a tasty target for terrorists, black-hat hackers and criminals.

It’s rather embarrassing, but it’s hard to argue with the Post’s conclusion that healthcare data security isn’t what it could be. A few data points:

* Researchers are finding that healthcare institutions routinely fail to fix known bugs in aging software, something other industries have largely overcome.

* Providers are making careless use of such public cybertools;  the paper cites the example of the University of Chicago medical center, which at one point operated an unsecured Dropbox site for new residents managing care through their iPads (with a single user name and password published online, yet!)

* According to Post research, open source system OpenEMR “has scores of security flaws that make it easy prey for hackers”

* In perhaps the scariest example, the paper notes that clinicians routinely work around cybersecurity measures to get their job done.

Another factor contributing to cybersecurity holes is confusion about the FDA’s position on security. While the agency actually wants vendors to update FDA-approved device interfaces and systems, vendors often believe that the FDA bars them from updating device software, the Post found.

That leaves devices, especially defibrillators and insulin pumps, open to attacks. Researchers have been able to find these devices, linked to the web in the clear, simply by using a specialized search engine.

As wireless medical devices and smartphones, iPads and Android devices creep into the mix, cybersecurity vulnerabilities are likely to get worse, not better.  I wonder whether we’ll need to see a cybersecurity disaster take place before the industry catches up to, say, financial services?

December 27, 2012 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

EMRs May Be The Next Hacker’s Prize

Written by:

Black-hat hackers are beginning, slowly but at an increasing pace, to lock down and encrypt medical data, then demand a ransom fee before they’ll turn over the data in usable form again.

While reports of such activity are scattered and few at the moment, my guess is that we’re at the beginning of a wave of such attacks, especially attacks targeting small medical practices with unsophisticated security set-ups.

Consider what happened recently to a clinic in Queensland, Australia.   Over one weekend, a server holding seven years of patient records was breached and the data encrypted with “military-grade” tools, according to blog Naked Security.

The attackers, who seem to be based in Eastern Europe or Russia, are demanding $4,000 AUD for the release of the records, the blog reports. The clinic is attempting to avoid paying by bringing in its own security experts, but the experts retained by the clinic are apparently fairly doubtful that they can break the encryption scheme.

Such attacks have begun to occur in the U.S. as well, all targeting smaller medical practices with minimal security support.  It’s little wonder that such practices are being targeted; even if they have decent, industry-standard firewalls, antivirus software and password-protected servers — as the Aussie clinic did — such protections are child’s play to defeat if you’re a professional cybercriminal who’s done this kind of thing many times before.

Even if the practice has tougher security in place than usual, how likely is it to have good security hygiene, such as frequently updated and patched firewalls and strong, regularly switched out passwords?  Without security staff on board, not too likely.

Given the devastating consequences that can occur if a medical practice is unable to regain its data, it seems to me that it’s time the entire healthcare industry take an interest in this problem. Smaller practices need help, and we’ve got to figure out how to make sure they get it.

December 14, 2012 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

BYOD And HIPAA Compliance: Can You Have Both?

Written by:

With doctors among the biggest fans of smartphones around, hospitals and medical practices are having to face the reality that Bring Your Own Device is here to stay. The question is, is BYOD so hard to manage that it all but guarantees HIPAA breaches?

On the one hand, BYOD seems to have arrived to stay. According to a recent report by KLAS Research surveying 105 CIOs, IT specialits and physicians, 70 percent said they used mobile devices to access their EMRs Even this small group was accessing virtually every major enterprise EMR via mobile, reports MobiHealthNews.

But the pressures on hospitals to corral BYOD security gaps are growing.  Hospitals will soon have to provide increased protection of patient health information under Meaningful Use Stage 2.  And the HHS Office of Civil Rights will be doing stepped up HIPAA-compliance audits, which gives hospitals even less leeway than they’d have had otherwise.

Of course, hospitals have been dealing with doctors bringing one device — a laptop — for quite some time. One might think this would have prepared hospitals for dealing with security-hole-ridden portable devices that staff and clinicians bring to work.  But as we all know, laptops have proven to be major sources of security breaches, most typically by being stolen when loaded down with unencrypted data.

BYOD on the mobile side is if anything a riskier proposition.  For one thing, doctors and executive staff are likely to own more than one device, such as a phone and a tablet, multiplying the risk that an unguarded device could be stolen and bled for information.  And managing mobile devices calls for IT to support two additional operating systems (iOS and Android) configured in whatever way the user prefers.

Folks, I know I’m not saying anything crashingly original, but I’d argue it’s worth repeating: It’s time for hospitals to stop waffling and develop comprehensive protocols for BYOD use. It’s clear that left alone, the problem is going to  get worse, not better.

December 7, 2012 I Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.