Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

VA May Drop VistA For Commercial EHR

Posted on July 12, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

It’s beginning to look like the famed VistA EHR may be shelved by the Department of Veterans Affairs, probably to be replaced by a commercial EHR rollout. If so, it could spell the end of the VA’s involvement in the highly-rated open source platform, which has been in use for 40 years. It will be interesting to see how the commercial EHR companies that support Vista would be impacted by this decision.

The first rumblings were heard in March, when VA CIO LaVerne Council  suggested that the VA wasn’t committed to VistA. Now Council, who supervises the agency’s $4 billion IT budget, sounds a bit more resolved. “I have a lot of respect for VistA but it’s a 40-year-old product,” Council told Politico. “Looking at what technology can do today that it couldn’t do then — it can do a lot.”

Her comments were echoed by VA undersecretary for health David Shulkin, who last month told a Senate hearing that the agency is likely to replace VistA with commercial software.

Apparently, the agency will leave VistA in place through 2018. At that point, the agency expects to begin creating a cloud-based platform which may include VistA elements at its core, Politico reports. Council told the hearing that VA IT leaders expect to work with the ONC, as well as the Department of Defense, in building its new digital health platform.

Particularly given its history, which includes some serious fumbles, it’s hardly surprising that some Senate members were critical of the VA’s plans. For example, Sen. Patty Murray said that she was still disappointed with the agency’s 2013 decision back to call of plans for an EHR that integrated fully with the DoD. And Sen. Richard Blumenthal expressed frustration as well. “The decades of unsuccessful attempts to establish an electronic health record system that is compatible across the VA in DoD has caused hundreds of millions of taxpayer dollars to be wasted,” he told the committee.

Now, the question is what commercial system the VA will select. While all the enterprise EHR vendors would seem to have a shot, it seems to me that Cerner is a likely bet. One major reason to anticipate such a move is that Cerner and its partners recently won the $4.3 billion contract to roll out a new health IT platform for the DoD.

Not only that, as I noted in a post earlier this year, the buzz around the deal suggested that Cerner won the DoD contract because it was seen as more open than Epic. I am taking no position on whether there’s any truth to this belief, nor how widespread such gossip may be. But if policymakers or politicians do see Cerner as more interoperability-friendly, that will certainly boost the odds that the VA will choose Cerner as partner.

Of course, any EHR selection process can take crazy turns, and when you grow in politics the process can even crazier. So obviously, no one knows what the VA will do. In fact, given their battles with the DoD maybe they’ll go with Epic just to be different. But if I were a Cerner marketer I’d like my odds.

FHIR Product Director Speaks Out On FHIR Hype

Posted on June 6, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

To date, all signs suggest that the FHIR standard set has tremendous promise, and that FHIR adoption is growing by leaps and bounds. In fact, one well-connected developer I spoke with recently argues that FHIR will be integrated into ONC’s EHR certification standards by 2017, when MACRA demands its much ballyhooed “widespread interoperability.”

However, like any other new technology or standard, FHIR is susceptible to being over-hyped. And when the one suggesting that FHIR fandom is getting out of control is Grahame Grieve, FHIR product director, his arguments definitely deserve a listen.

In a recent blog post, Grieve notes that the Gartner hype cycle predicts that a new technology will keep generating enthusiasm until it hits the peak of inflated expectations. Only after falling into te trough of disillusionment and climbing the slope of enlightenment does it reach the plateau of productivity, the Gartner model suggests.

Now, a guy who’s driving FHIR’s development could be forgiven for sucking up the praise and excitement around the emerging standard and enjoying the moment. Instead, though, it seems that Grieve thinks people are getting ahead of themselves.

To his way of thinking, the rate of hype speech around FHIR continues to expand. As he sees it, people are “[making] wildly inflated claims about what is possible, (wilfully) misunderstanding the limitations of the technology, and evangelizing the technology for all sorts of ill judged applications.”

As Grieve sees it, the biggest cloud of smoke around FHIR is that it will “solve interoperability.” And, he flatly states, it’s not going to do that, and can’t:

FHIR is two things: a technology, and a culture. I’m proud of both of those things…But people who think that [interoperability] will be solved anytime soon don’t understand the constraints we work under…We have severely limited ability to standardise the practice of healthcare or medicine. We just have to accept them as they are. So we can’t provide prescriptive information models. We can’t force vendors or institutions to do things the same way. We can’t force them to share particular kinds of information at particular times. All we can do is describe a common way to do it, if people want to do it.

The reality is that while FHIR works as a means of sharing information out of an EHR, it can’t force different stakeholders (such as departments, vendors or governments) to cooperate successfully on sharing data, he notes. So while the FHIR culture can help get things done, the FHIR standard — like other standards efforts — is just a tool.

To be sure, FHIR seems to have legs, and efforts like the Argonaut Project — which is working to develop a first-generation FHIR-based API and Core Data Services specification — are likely to keep moving full steam ahead.

But as Grieve sees it, it’s important to keep the pace of FHIR work deliberate and keep fundamentals like solid processes and well-tested specifications in mind: “If we can get that right — and it’s a work in process — then the trough of despair won’t be as deep as it might.”

Vendors Bring Heart And Lung Sounds To EHR

Posted on June 3, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

In what they say is a first, a group of technology vendors has teamed up to add heart and lung sounds to an EMR. The current effort extends only to the drchrono EHR, but if this rollout works, it seems likely that other vendors will follow, as adding multimedia content to patient medical records is a very logical step.

Urgent care provider Direct Urgent Care, a Berkeley, CA-based urgent care provider with 30,000 patients, is rolling out the Eko Core Digital Stethoscope for use by physicians. The heart and lung sounds will be recorded by the digital stethoscope, then transmitted wirelessly to a phone- or tablet-based mobile app. The app, in turn, uploads the audio files to the drchrono HR.

Ordinarily, I’d see this as an early experiment in managing multimedia health data and leave it at that. But two things make it more interesting.

One is that the Eko Core sells for a relatively modest $299, which is not bad for an FDA-cleared device. (Eko also sells an attachment for $199 which digitizes and records sounds captured by traditional analog stethoscopes, as well as streaming those files to the Eko app.) The other is that the recorded sounds can be shared with remote specialists such as cardiologists and pulmonologists, which seems valuable on its face even if the data doesn’t get stored within an EMR.

Not only that, this rollout underscores a problem just been given too little attention. At present, what I’ve seen, few EMRs incorporated anything beyond text. Even radiology images, which have been digital for ages (and managed by sophisticated PACS platforms) typically aren’t accessible to the EMR interface. In fact, my understanding is that PACS data is another silo that needs to be broken down.

Meanwhile, medical practices and hospitals are increasingly generating data that doesn’t fit into the existing EMR template, from sources such as wearables, health apps and video consults. Neither EMR developers nor standards organizations seem to have kept up with the influx of emerging non-text data, so virtually none of it is being integrated into patient records yet.

In other words, not only is it interesting to note that an EMR vendor is incorporating audio into medical records, at a modest cost, it’s worth taking stock of what it can teach us about enriching digital patient records overall.

Eventually, after all, patients will be able to capture — with some degree of accuracy — multimedia content that includes not only audio, but also ultrasound recordings, EKG charts and more. Of course, these self-administered tests and will never replace a consult by a skilled clinician, but there certainly are situations in which this data will be relevant.

When you also bear in mind that the number of telemedicine consults being conducted is growing dramatically, and that these, too, offer insights that could become part of a patient’s chart, the need to go beyond text-based EMRs becomes even more evident.

So maybe the Eko/drchrono partnership will work out, and maybe it won’t. But what they’re doing matters nonetheless.

Time To Leverage EHR Data Analytics

Posted on May 5, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

For many healthcare organizations, implementing an EHR has been one of the largest IT projects they’ve ever undertaken. And during that implementation, most have decided to focus on meeting Meaningful Use requirements, while keeping their projects on time and on budget.

But it’s not good to stay in emergency mode forever. So at least for providers that have finished the bulk of their initial implementation, it may be time to pay attention to issues that were left behind in the rush to complete the EHR rollout.

According to a recent report by PricewaterhouseCoopers’ Advanced Risk & Compliance Analytics practice, it’s time for healthcare organizations to focus on a new set of EHR data analytics approaches. PwC argues that there is significant opportunity to boost the value of EHR implementations by using advanced analytics for pre-live testing and post-live monitoring. Steps it suggests include the following:

  • Go beyond sample testing: While typical EHR implementation testing strategies look at the underlying systems build and all records, that may not be enough, as build efforts may remain incomplete. Also, end-user workflow specific testing may be occurring simultaneously. Consider using new data mining, visualization analytics tools to conduct more thorough tests and spot trends.
  • Conduct real-time surveillance: Use data analytics programs to review upstream and downstream EHR workflows to find gaps, inefficiencies and other issues. This allows providers to design analytic programs using existing technology architecture.
  • Find RCM inefficiencies: Rather than relying on static EHR revenue cycle reports, which make it hard to identify root causes of trends and concerns, conduct interactive assessment of RCM issues. By creating dashboards with drill-down capabilities, providers can increase collections by scoring patients invoices, prioritizing patient invoices with the highest scores and calculating the bottom-line impact of missing payments.
  • Build a continuously-monitored compliance program: Use a risk-based approach to data sampling and drill-down testing. Analytics tools can allow providers to review multiple data sources under one dashboard identify high-risk patterns in critical areas such as billing.

It’s worth noting, at this point, that while these goals seem worthy, only a small percentage of providers have the resources to create and manage such programs. Sure, vendors will probably tell you that they can pop a solution in place that will get all the work done, but that’s seldom the case in reality. Not only that, a surprising number of providers are still unhappy with their existing EHR, and are now living in replacing those systems despite the cost. So we’re hardly at the “stop and take a breath” stage in most cases.

That being said, it’s certainly time for providers to get out of whatever defensive crouch they’ve been in and get proactive. For example, it certainly would be great to leverage EHRs as tools for revenue cycle enhancement, rather than the absolute revenue drain they’ve been in the past. PwC’s suggestions certainly offer a useful look on where to go from here. That is, if providers’ efforts don’t get hijacked by MACRA.

Breach Affecting 2.2M Patients Highlights New Health Data Threats

Posted on April 4, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A Fort Myers, FL-based cancer care organization is paying a massive price for a health data breach that exposed personal information on 2.2 million patients late last year. This incident is also shedding light on the growing vulnerability of non-hospital healthcare data, as you’ll see below.

Recently, 21st Century Oncology was forced to warn patients that an “unauthorized third party” had broken into one of its databases. Officials said that they had no evidence that medical records were accessed, but conceded that breached information may have included patient names Social Security numbers, insurance information and diagnosis and treatment data.

Notably, the cancer care chain — which operates on hundred and 45 centers in 17 states — didn’t learn about the breach until the FBI informed the company that it had happened.

Since that time, 21st Century has been faced with a broad range of legal consequences. Three lawsuits related to the breach have been filed against the company. All are alleging that the breach exposed them to a great possibility of harm.  Patient indignation seems to have been stoked, in part, because they did not learn about the breach until five months after it happened, allegedly at the request of investigating FBI officials.

“While more than 2.2 million 21st Century Oncology victims have sought out and/or pay for medical care from the company, thieves have been hard at work, stealing and using their hard-to-change Social Security numbers and highly sensitive medical information,” said plaintiff Rona Polovoy in her lawsuit.

Polovoy’s suit also contends that the company should have been better prepared for such breaches, given that it suffered a similar security lapse between October 2011 and August 2012, when an employee used patient names Social Security numbers and dates of birth to file fraudulent tax refund claims. She claims that the current lapse demonstrates that the company did little to clean up its cybersecurity act.

Another plaintiff, John Dickman, says that the breach has filled his life with needless anxiety. In his legal filings he says that he “now must engage in stringent monitoring of, among other things, his financial accounts, tax filings, and health insurance claims.”

All of this may be grimly entertaining if you aren’t the one whose data was exposed, but there’s more to this case than meets the eye. According to a cybersecurity specialist quoted in Infosecurity Magazine, the 21st Century network intrusion highlights how exposed healthcare organizations outside the hospital world are to data breaches.

I can’t help but agree with TrapX Security executive vice president Carl Wright, who told the magazine that skilled nursing facilities, dialysis centers, imaging centers, diagnostic labs, surgical centers and cancer treatment facilities like 21st are all in network intruders’ crosshairs. Not only that, he notes that large extended healthcare networks such as accountable care organizations are vulnerable.

And that’s a really scary thought. While he doesn’t say so specifically, it’s logical to assume that the more unrelated partners you weld together across disparate networks, it multiplies the number of security-related points of failure. Isn’t it lovely how security threats emerge to meet every advance in healthcare?

This Time, It’s Personal: Virus Hits My Local Hospital

Posted on March 30, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

In about two weeks, I am scheduled to have a cardiac ablation to address a long-standing arrhythmia. I was feeling pretty good about this — after all, the procedure is safe at my age and is known to have a very high success rate — until I scanned my Twitter feed yesterday.

It was then that I found out that what was probably a ransomware virus had forced a medical data shutdown at Washington, D.C.-based MedStar Health. And while the community hospital where my procedure will be done is not part of the MedStar network, the cardiac electrophysiologist who will perform the ablation is affiliated with the chain.

During my pre-procedure visit with the doctor, a very pleasant guy who made me feel very safe, we devolved to talking shop about EMR issues after the clinical discussion was over. At the time he shared that his practice ran on GE Centricity which, he understandably complained, was not interoperable with the Epic system at one community chain, MedStar’s enterprise system or even the imaging platforms he uses. Under those circumstances, it’s hard to imagine that my data was affected by this breach. But as you can imagine, I still wonder what’s up.

While there’s been no official public statement saying this virus was part of a ransomware attack, some form of virus has definitely wreaked havoc at MedStar, according to a report by the Washington Post. (As a side note, it’s worth pointing out that if this is a ransomware attack, health system officials have done an admirable job of keeping the amount demanded for data return out of the press. However, some users have commented about ransomware on their individual computers.)

As the news report notes, MedStar has soldiered on in the face of the attack, keeping all of its clinical facilities open. However, a hospital spokesperson told the newspaper that the chain has decided to take down all system interfaces to prevent the spread of the virus. And as has happened with other hospital ransomware incursions, staffers have had to revert to using paper-based records.

And here’s where it might affect me personally. Even though my procedure is being done at a non-MedStar hospital, it’s possible that the virus driven delay in appointments and surgeries will affect my doctor, which could of course affect me.

Meanwhile, imagine how the employees at MedStar facilities feel: “Even the lowest-level staff can’t communicate with anyone. You can’t schedule patients, you can’t access records, you can’t do anything,” an anonymous staffer told the Post. Even if such a breach had little impact on patients, it’s obviously bad for employee morale. And that can’t be good for me either.

Again, it’s possible I’m in the clear, but the fact that the FUD surrounding this episode affects even a trained observer like myself plays right into the virus makers’ hands. Now, so far I haven’t dignified the attack by calling the doctor’s office to ask how it will affect me, but if I keep reading about problems with MedStar systems I’ll have to follow up soon.

Worse, when I’m being anesthetized for the procedure next month, I know I’ll be wondering when the next virus will hit.

Ransomware Crisis Demands Provider Cooperation

Posted on February 22, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A few days ago, the sadly-predictable news broke that a U.S. hospital had been hit with a ransomware attack. Initial reports were that hackers demanded that Hollywood (CA) Presbyterian Medical Center pay $3.4M in bitcoins to regain access to its data. The hospital refused, and began working with paper to meet its patients’ needs. However, it was later reported that the $3.4 million number was wrong and the hospital was only asked to pay $17,000. The hospital chose to pay the ransom and got data access back.  But the mere fact that Hollywood Presbyterian got off relatively easily shouldn’t blind us to the growing ransomware threat, nor the steps we need to take to address this crisis.

Now, before I ramble on about what I think should be done, please bear in mind that I’m an HIT analyst and writer, not a network engineer. So the modest proposal is coming from a non-technical person, but I do believe that it has some merit as an idea. Hopefully readers will continue to improve, debate, and educate us on the merits and challenges of the idea in the comments.

Here’s my proposal. Whereas:

* Hospitals can’t afford to have their data randomly locked any more than airlines can afford to have their engines do so, AND

* Nobody wants to voluntarily create a ransomware market that grows steadily stronger as hospitals pay up, SO

I suggest we find a new way for hospitals to cover each others’ back. The idea would be to make it more or less impossible for hackers to capture all of another hospital’s data.

Here’s where I get hazy, so follow me — and criticize me, please — but what if every hospital had a few sister hospitals which held part of the day’s data backup?  I can see attackers shimmying through every currently available connection at a single institution, but would all five be vulnerable if they only connected in the event a data lockout at hospital A?

Even if such a peer to peer architecture would work, I’m not sure it would be practical. After all, it’s one thing to download an illegal software copy via P2P and quite another to help restore a terabyte or more of data.

Also, it certainly hasn’t escaped me that there are serious competitive concerns involved in setting up such arrangements, though those could certainly be mitigated by the fact that no sister hospital would have a complete data set for Hospital A.

Even if this idea is utter garbage, however, I believe we’ve reached a point where if we’re going to fight ransomeware, some form of deep industry cooperation is necessary. Let’s not wait for patients to be harmed or die due to data lock-out.

Securing Mobile Devices in Healthcare

Posted on February 8, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This post is sponsored by Samsung Business. All thoughts and opinions are my own.

When you look at healthcare security on the whole, I think everyone would agree that healthcare has a lot of work to do. Just taking into account the top 5 health data breaches in 2015, approximately 30-35% of people in the US have had their health data breached. I’m afraid that in 2016 these numbers are likely going to get worse. Let me explain why I think this is the case.

First, meaningful use required healthcare organizations to do a HIPAA risk assessment. While many organizations didn’t really do a high quality HIPAA risk assessment, it still motivated a number of organizations to do something about privacy and security. Even if it wasn’t the step forward many would like, it was still a step forward.

Now that meaningful use is being replaced, what other incentive are doctors going to have to take a serious look at privacy and security? If 1/3 of patients having their records breached in 2015 isn’t motivating enough, what’s going to change in 2016?

Second, hackers are realizing the value of health data and the ease with which they can breach health data systems. Plus, with so many organizations going online with their EHR software and other healthcare IT software, these are all new targets for hackers to attack.

Third, while every doctor in healthcare had a mobile device, not that many of them accessed their EHR on their mobile device since many EHR vendors didn’t support mobile devices very well. Over the next few years we’ll see EHR vendors finally produce high quality, native mobile apps that access EHR software. Once they do, not only will doctors be accessing patient data on their mobile device, but so will nurses, lab staff, HIM, etc. While all of this mobility is great, it creates a whole new set of vulnerabilities that can be exploited if not secured properly.

I’m not sure what we can do to make organizations care about privacy and security. Although, once a breach happens they start to care. We’re also not going to be able to stem the tide of hackers being interested in stealing health data. However, we can do something about securing the plethora of mobile devices in healthcare. In fact, it’s a travesty when we don’t since mobile device security has become so much easier.

I remember in the early days of smartphones, there weren’t very many great enterprise tools to secure your smartphones. These days there are a ton of great options and many of them come natively from the vendor who provides you the phone. Many are even integrated into the phone’s hardware as well as software. A good example of this is the mobile security platform, Samsung KNOX™. Take a look at some of its features:

  • Separate Work and Personal Data (Great for BYOD)
  • Multi-layered Hardware and Software Security
  • Easy Mobile Device Management Integration
  • Enterprise Grade Security and Encryption

It wasn’t that long ago that we had to kludge together multiple solutions to achieve all of these things. Now they come in one nice, easy to implement package. The excuses of why we don’t secure mobile devices in healthcare should disappear. If a breach occurs in your organization because a mobile device wasn’t secure, I assure you that those excuses will feel pretty hollow.

For more content like this, follow Samsung on Insights, Twitter, LinkedIn , YouTube and SlideShare

NIST Goes After Infusion Pump Security Vulnerabilities

Posted on January 28, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As useful as networked medical devices are, it’s become increasingly apparent that they pose major security risks.  Not only could intruders manipulate networked devices in ways that could harm patients, they could use them as a gateway to sensitive patient health information and financial data.

To make a start at taming this issue, the National Institute of Standards and Technology has kicked off a project focused on boosting the security of wireless infusion pumps (Side Note: I wonder if this is in response to Blackberry’s live hack of an infusion pump). In an effort to be sure researchers understand the hospital environment and how the pumps are deployed, NIST’s National Cybersecurity Center of Excellence (NCCoE) plans to work with vendors in this space. The NCCoE will also collaborate on the effort with the Technological Leadership Institute at the University of Minnesota.

NCCoE researchers will examine the full lifecycle of wireless infusion pumps in hospitals, including purchase, onboarding of the asset, training for use, configuration, use, maintenance, decontamination and decommissioning of the pumps. This makes a great deal of sense. After all, points of network connection are becoming so decentralized that every touchpoint is suspect.

The team will also look at what types of infrastructure interconnect with the pumps, including the pump server, alarm manager, electronic medication administration record system, point of care medication, pharmacy system, CPOE system, drug library, wireless networks and even the hospital’s biomedical engineering department. (It’s sobering to consider the length of this list, but necessary. After all, more or less any of them could conceivably be vulnerable if a pump is compromised.)

Wisely, the researchers also plan to look at the way a wide range of people engage with the pumps, including patients, healthcare professionals, pharmacists, pump vendor engineers, biomedical engineers, IT network risk managers, IT security engineers, IT network engineers, central supply workers and patient visitors — as well as hackers. This data should provide useful workflow information that can be used even beyond cybersecurity fixes.

While the NCCoE and University of Minnesota teams may expand the list of security challenges as they go forward, they’re starting with looking at access codes, wireless access point/wireless network configuration, alarms, asset management and monitoring, authentication and credentialing, maintenance and updates, pump variability, use and emergency use.

Over time, NIST and the U of M will work with vendors to create a lab environment where collaborators can identify, evaluate and test security tools and controls for the pumps. Ultimately, the project’s goal is to create a multi-part practice guide which will help providers evaluate how secure their own wireless infusion pumps are. The guide should be available late this year.

In the mean time, if you want to take a broader look at how secure your facility’s networked medical devices are, you might want to take a look at the FDA’s guidance on the subject, “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf Software.” The guidance doc, which was issued last summer, is aimed at device vendors, but the agency also offers a companion document offering information on the topic for healthcare organizations.

If this topic interests you, you may also want to watch this video interview talking about medical device security with Tony Giandomenico, a security expert at Fortinet.

Biometric Use Set To Grow In Healthcare

Posted on January 15, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

I don’t know about you, but until recently I thought of biometrics as almost a toy technology, something you’d imagine a fictional spy like James Bond circumvent (through pure manliness) when entering the archenemy’s hideout. Or perhaps retinal or fingerprint scans would protect Batman’s lair.

But today, in 2016, biometric apps are far from fodder for mythic spies. The price of fingerprint scan-based technology has fallen to nearly zero, with vendors like Apple offering fingerprint-based security options as a standard part of its iOS iPhone operating system. Another free biometric security option comes courtesy of Intel’s True Key app, which allows you to access encrypted app data by scanning and recognizing your facial features. And these are just trivial examples. Biometrics technologies, in short, have become powerful, usable and relatively affordable — elevating them well above other healthcare technologies for some security problems.

If none of this suggests to you that the healthcare industry needs to adopt biometrics, you may have a beef with Raymond Aller, MD, director of informatics at the University of Southern California. In an interview with Healthcare IT News, Dr. Aller argues that our current system of text-based patient identification is actually dangerous, and puts patients at risk of improper treatments and even death. He sees biometric technologies as a badly needed, precise means of patient identification.

What’s more, biometrics can be linked up with patients’ EMR data, making sure the right history is attached to the right person. One health system, Novant Health, uses technology registering a patient’s fingerprints, veins and face at enrollment. Another vendor is developing software that will notify the patient’s health insurer every time that patient arrives and leaves, steps which are intended to be sure providers can’t submit fradulent bills for care not delivered.

As intriguing as these possibilities are, there are certainly some issues holding back the use of biometric approaches in healthcare. And many are exposed, such as Apple’s Touch ID, which is vulnerable to spoofing. Not only that, storing and managing biometric templates securely is more challenging than it seems, researchers note. What’s more, hackers are beginning to target consumer-focused fingerprint sensors, and are likely to seek access to other forms of biometric data.

Fortunately, biometric security solutions like template protection and biocryptography are becoming more mature. As biometric technology grows more sophisticated, patients will be able to use bio-data to safely access their medical records and also pay their bills. For example, MasterCard is exploring biometric authentication for online payments, using biometric data as a password replacement. MasterCard Identity Check allows users to authenticate transactions via video selfie or via fingerprint scanning.

As readers might guess from skimming the surface of biometric security, it comes with its own unique security challenges. It could be years before biometric authentication is used widely in healthcare organizations. But biometric technology use is picking up speed, and this year may see some interesting developments. Stay tuned.