Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

The Downside of Interoperability

Posted on May 2, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

It’s hard to argue that achieving health data interoperability is not important — but it comes with risks. And I’ve seen little discussion of the fact that interoperability may actually increase the chance that a major attack could hit a wide swath of healthcare providers. It might be extreme to suggest that we put off such efforts until we step up the industry’s security status, but the problem shouldn’t be ignored either.

Sure, data interoperability is a critical goal for healthcare providers of all stripes. While there’s room to argue about how it should be accomplished, particularly over whether providers or patients should drive health data management, there’s no question it needs to get done. There’s little doubt that most efforts to coordinate care will fall flat if providers are operating with incomplete information.

And what’s more, with the demand for interoperability baked into MACRA, we pretty much have no choice but to make it happen anyway. To my knowledge, HHS has proposed neither carrot nor stick to convince providers to come on board – nor has it defined “widespread” interoperability to my knowledge — but the agency has to achieve something by 2018, and that means change will come.

That being said, I’m struck by how little industry concern there seems to be about the extent to which interoperability can multiply the possibility of a breach occurring. Unfortunately, security is only as good is the weakest link in the chain, and data sharing increases the length of the chain exponentially. Of course, the risk varies a great deal depending on who or what the data-sharing intermediary is, but the fact remains that a connected network is a connected network.

The problem only gets worse if interoperability is achieved by integrating applications. I’m no software engineer, but I’m pretty sure that the more integrated providers’ infrastructure is, the more vulnerabilities they share. To be fair, hospitals theoretically vet their partners, but that defeats the purpose of universal data sharing, doesn’t it?

And even if every provider in the universal data sharing network practices good security hygiene, they can still get attacked. So it’s not a matter of requiring participants to comply with some network security standard, or meet some certification criteria. Given the massive incentives these have to steal health data (and lock it up with ransomware), nobody can hold out forever.

The bottom line is that I believe we should discuss the matter of security in a fully-connected health data sharing network more often.

Yes, we almost certainly need to press ahead and simply find a way to contain the risks. We simply can’t afford our fragmented healthcare system, and data interoperability offers perhaps the best possible chance of pulling it back together.

But before we plunge into the fray, it only makes sense to stop and consider all of the risks involved and how they should be addressed. After all, universal interconnection exposes a virtually infinite number of potential points of failure to cybercrooks. Let’s put some solutions on the table before it’s too late.

Medical Device Security At A Crossroads

Posted on April 28, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As anyone reading this knows, connected medical devices are vulnerable to attacks from outside malware. Security researchers have been warning healthcare IT leaders for years that network-connected medical devices had poor security in place, ranging from image repository backups with no passwords to CT scanners with easily-changed configuration files, but far too many problems haven’t been addressed.

So why haven’t providers addressed the security problems? It may be because neither medical device manufacturers nor hospitals are set up to address these issues. “The reality is both sides — providers and manufacturers — do not understand how much the other side does not know,” said John Gomez, CEO of cybersecurity firm Sensato. “When I talk with manufacturers, they understand the need to do something, but they have never had to deal with cyber security before. It’s not a part of their DNA. And on the hospital side, they’re realizing that they’ve never had to lock these things down. In fact, medical devices have not even been part of the IT group and hospitals.

Gomez, who spoke with Healthcare IT News, runs one of two companies backing a new initiative dedicated to securing medical devices and health organizations. (The other coordinating company is healthcare security firm Divurgent.)

Together, the two have launched the Medical Device Cybersecurity Task Force, which brings together a grab bag of industry players including hospitals, hospital technologists, medical device manufacturers, cyber security researchers and IT leaders. “We continually get asked by clients with the best practices for securing medical devices,” Gomez told Healthcare IT News. “There is little guidance and a lot of misinformation.“

The task force includes 15 health systems and hospitals, including Children’s Hospital of Atlanta, Lehigh Valley Health Network, Beebe Healthcare and Intermountain, along with tech vendors Renovo Solutions, VMware Inc. and AirWatch.

I mention this initiative not because I think it’s huge news, but rather, as a reminder that the time to act on medical device vulnerabilities is more than nigh. There’s a reason why the Federal Trade Commission, and the HHS Office of Inspector General, along with the IEEE, have launched their own initiatives to help medical device manufacturers boost cybersecurity. I believe we’re at a crossroads; on one side lies renewed faith in medical devices, and on the other nothing less than patient privacy violations, harm and even death.

It’s good to hear that the Task Force plans to create a set of best practices for both healthcare providers and medical device makers which will help get their cybersecurity practices up to snuff. Another interesting effort they have underway in the creation of an app which will help healthcare providers evaluate medical devices, while feeding a database that members can access to studying the market.

But reading about their efforts also hammered home to me how much ground we have to cover in securing medical devices. Well-intentioned, even relatively effective, grassroots efforts are good, but they’re only a drop in the bucket. What we need is nothing less than a continuous knowledge feed between medical device makers, hospitals, clinics and clinicians.

And why not start by taking the obvious step of integrating the medical device and IT departments to some degree? That seems like a no-brainer. But unfortunately, the rest of the work to be done will take a lot of thought.

The Need for Speed (In Breach Protection)

Posted on April 26, 2016 I Written By

The following is a guest blog post by Robert Lord, Co-founder and CEO of Protenus.
Robert Protenus
The speed at which a hospital can detect a privacy breach could mean the difference between a brief, no-penalty notification and a multi-million dollar lawsuit.  This month it was reported that health information from 2,000 patients was exposed when a Texas hospital took four months to identify a data breach caused by an independent healthcare provider.  A health system in New York similarly took two months to determine that 2,500 patient records may have been exposed as a result of a phishing scam and potential breach reported two months prior.

The rise in reported breaches this year, from phishing scams to stolen patient information, only underscores the risk of lag times between breach detection and resolution. Why are lags of months and even years so common? And what can hospitals do to better prepare against threats that may reach the EHR layer?

Traditional compliance and breach detection tools are not nearly as effective as they need to be. The most widely used methods of detection involve either infrequent random audits or extensive manual searches through records following a patient complaint. For example, if a patient suspects that his medical record has been inappropriately accessed, a compliance officer must first review EMR data from the various systems involved.  Armed with a highlighter (or a large excel spreadsheet), the officer must then analyze thousands of rows of access data, and cross-reference this information with the officer’s implicit knowledge about the types of people who have permission to view that patient’s records. Finding an inconsistency – a person who accessed the records without permission – can take dozens of hours of menial work per case.  Another issue with investigating breaches based on complaints is that there is often no evidence that the breach actually occurred. Nonetheless, the hospital is legally required to investigate all claims in a timely manner, and such investigations are costly and time-consuming.

According to a study by the Ponemon Institute, it takes an average of 87 days from the time a breach occurs to the time the officer becomes aware of the problem, and, given the arduous task at hand, it then takes another 105 days for the officer to resolve the issue. In total, it takes approximately 6 months from the time a breach occurs to the time the issue is resolved. Additionally, if a data breach occurs but a patient does not notice, it could take months – or even years – for someone to discover the problem. And of course, the longer it takes the hospital to identify a problem, the higher the cost of identifying how the breach occurred and remediating the situation.

In 2013, Rouge Valley Centenary Hospital in Scarborough, Canada, revealed that the contact information of approximately 8,300 new mothers had been inappropriately accessed by two employees. Since 2009, the two employees had been selling the contact information of new mothers to a private company specializing in Registered Education Savings Plans (RESPs). Some of the patients later reported that days after coming home from the hospital with their newborn child, they started receiving calls from sales representatives at the private RESP company. Marketing representatives were extremely aggressive, and seemed to know the exact date of when their child had been born.

The most terrifying aspect of this story is how the hospital was able to find out about the data breach: remorse and human error! One employee voluntarily turned himself in, while the other accidentally left patient records on a printer. Had these two events not happened, the scam could have continued for much longer than the four years it did before it was finally discovered.

Rouge Valley Hospital is currently facing a $412 million dollar lawsuit over this breach of privacy. Arguably even more damaging, is that they have lost the trust of their patients who relied on the hospital for care and confidentiality of their medical treatments.

As exemplified by the ramifications of the Rouge Valley Hospital breach and the new breaches discovered almost weekly in hospitals around the world, the current tools used to detect privacy breaches in electronic health records are not sufficient. A system needs to have the ability to detect when employees are accessing information outside their clinical and administrative responsibilities. Had the Scarborough hospital known about the inappropriately viewed records the first time they had been accessed, they could have investigated earlier and protected the privacy of thousands of new mothers.

Every person seeks a hospital’s care has the right to privacy and the protection of their medical information. However, due to the sheer volume of patient records accessed each day, it is impossible for compliance officers to efficiently detect breaches without new and practical tools. Current rule-based analytical systems often overburden the officers with alerts, and are only a minor improvement from manual detection methods.

We are in the midst of a paradigm shift with hospitals taking a more proactive and layered approach to health data security. New technology that uses machine learning and big data science to review each access to medical records will replace traditional compliance technology and streamline threat detection and resolution cycles from months to a matter of minutes. Making identifying a privacy breach or violation as simple and fast as the action that may have caused it in the first place.  Understanding how to select and implement these next-generation tools will be a new and important challenge for the compliance officers of the future, but one that they can no longer afford to delay.

Protenus is a health data security platform that protects patient data in electronic medical records for some of the nation’s top-ranked hospitals. Using data science and machine learning, Protenus technology uniquely understands the clinical behavior and context of each user that is accessing patient data to determine the appropriateness of each action, elevating only true threats to patient privacy and health data security.

Patient Portal Security Is A Tricky Issue

Posted on April 25, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Much of the discussion around securing health data on computers revolves around enterprise networks, particularly internal devices. But it doesn’t hurt to look elsewhere in assessing your overall vulnerabilities. And unfortunately, that includes gaps that can be exposed by patients, whose security practices you can’t control.

One vulnerability that gets too little attention is the potential for a cyber attack accessing the provider’s patient portal, according to security consultant Keith Fricke of tw-Security in Overland Park, Kan. Fricke, who spoke with Information Management, noted that cyber criminals can access portal data relatively easily.

For example, they can insert malicious code into frequently visited websites, which the patient may inadvertently download. Then, if your patient’s device or computer isn’t secure, you may have big problems. When the patient accesses a hospital or clinic’s patient portal, the attacker can conceivably get access to the health data available there.

Not only does such an attack give the criminal access to the portal, it may also offer the them access to many other patients’ computers, and the opportunity to send malware to those computers. So one patient’s security breach can become a victim of infection for countless patients.

When patients access the portal via mobile device, it raises another set of security issues, as the threat to such devices is growing over time. In a recent survey by Ponemon Institute and CounterTack, 80% of respondents reported that their mobile endpoints have been the target of malware the past year. And there’s little doubt that the attacks via mobile device will more sophisticated over time.

Given how predictable such vulnerabilities are, you’d think that it would be fairly easy to lock the portals down. But the truth is, patient portals have to strike a particularly delicate balance between usability and security. While you can demand almost anything from employees, you don’t want to frustrate patients, who may become discouraged if too much is expected from them when they log in. And if they aren’t going to use it, why build a patient portal at all?

For example, requiring a patient to change your password or login data frequently may simply be too taxing for users to handle. Other barriers include demanding that a patient use only one specific browser to access the portal, or requiring them to use digits rather than an alphanumeric name that they can remember. And insisting that a patient use a long, computer-generated password can be a hassle that patients won’t tolerate.

At this point, it would be great if I could say “here’s the perfect solution to this problem.” But the truth is, as you already know, that there’s no one solution that will work for every provider and every IT department. That being said, in looking at this issue, I do get the sense that providers and IT execs spend too little time on user-testing their portals. There’s lots of room for improvement there.

It seems to me that to strike the right balance between portal security and usability, it makes more sense to bring user feedback into the equation as early in the game as possible. That way, at least, you’ll be making informed choices when you establish your security protocols. Otherwise, you may end up with a white elephant, and nobody wants to see that happen.

The Senate is Promoting Healthcare Innovation – How Organizations Can Keep Pace – Breakaway Thinking

Posted on April 20, 2016 I Written By

The following is a guest blog post by Mark Muddiman, Engagement Manager at The Breakaway Group (A Xerox Company). Check out all of the blog posts in the Breakaway Thinking series.
Mark Muddiman
On March 9, 2016 the Senate Committee on Health Education Labor and Pensions (HELP) approved S.1101, better known as the Medical Electronic Data Technology Enhancement for Consumers’ Health (MEDTECH) Act. As HIMSS reports, the bill aims to limit the regulatory oversight of “low-risk” medical device software, while simultaneously making a clear distinction of the FDA’s reach of authority.

But how do you define “low-risk” when it comes to a person’s health?

The answer might surprise you. These items are deemed low-risk by the MEDTECH act and will no longer require oversight:

  • administrative, operational, or financial records software used in healthcare settings
  • software for maintaining or encouraging a healthy lifestyle unrelated to medical treatment
  • electronic patient records, excluding software for interpreting or analyzing medical image data
  • software for clinical laboratory testing, excluding software for interpreting or analyzing test data
  • software that provides medical recommendations and the basis for those recommendations to healthcare professionals, excluding software for acquiring, processing, or analyzing medical images or signals

Regulations serve a purpose in ensuring that the devices used do not put patients at risk, and some fear that the loosening of these restrictions could be problematic. But the number of policies vendors were previously required to abide by was staggering. There is little value in subjecting vendors or healthcare leaders to such stringent policies with software and devices that are unlikely to lead to increased risk or an adverse event. Unnecessary regulation ultimately restricts patient access to the most current technology and impedes more successful clinical outcomes.

As HIMSS further clarified, the MEDTECH act still allows the FDA to oversee medical software if it considers the product “reasonably likely to cause serious adverse consequences.” The congressional summary goes on to note that the FDA may assess a software function for safety and effectiveness if the medical device has multiple functions. For example, mobile applications do not need supervision if integrated by a vendor unless they become linked to something of medium or high risk such as medication administration. In short, vendors get the freedom they need to explore new avenues, but the FDA doesn’t cede total control and retains an option that can be interpreted broadly enough to intervene when needed. In this sense, the MEDTECH act finds a middle ground using a risk-based approach to focus oversight where it’s needed most.

Key players in the industry have supported the bill; Health IT Now and the American Medical Informatics Association (AMIA) both praised the passage of the act, while major vendors including Athenahealth, IBM, and McKesson strongly supported the push to pass the bill. Undoubtedly, the passing of the MEDTECH act was great news for vendors.

The benefits to patients and vendors are clear, but what about healthcare providers and administrators?

CIOs and CMIOs already have their hands full in keeping pace with a seemingly endless set of transformations in health IT. Now the senate is aiming to quicken innovation and promote shorter times for technology to reach the market, inevitably resulting in a faster rate at which organizations must adopt that technology. Some providers likely viewed the passage of the act with an exasperated palm to the face. The frustration is real; the move to ICD-10 occurred less than seven months ago, not to mention many organizations have implemented EHRs but are focusing on optimization to improve their ROI.

Simply put, there is no end in sight to new technologies arriving in healthcare, and there will not be a slowdown anytime soon. Healthcare organizations must proactively plan a long-term adoption strategy that accounts for continual enhancements in technology, with a focused ability to quickly bring staff to a high level of proficiency. Those that achieve such agility will be able to leverage the best technology to offer the highest standards of care.

Xerox is a sponsor of the Breakaway Thinking series of blog posts. The Breakaway Group is a leader in EHR and Health IT training.

Are Ransomware Attacks A HIPAA Issue, Or Just Our Fault?

Posted on April 18, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

With ransomware attacks hitting hospitals in growing numbers, it’s growing more urgent for healthcare organizations to have a routine and effective response to such attacks. While over the short term, providers are focused mostly on survival, eventually they’ll have to consider big-picture implications — and one of the biggest is whether a ransomware intrusion can be called a “breach” under federal law.

As readers know, providers must report any sizable breach to the HHS Office for Civil Rights. So far, though, it seems that the feds haven’t issued any guidance as to how they see this issue. However, people in the know have been talking about this, and here’s what they have to say.

David Holtzman, a former OCR official who now serves as vice president of compliance strategies at security firm CynergisTek, told Health Data Management that as long as the data was never compromised, a provider may be in the clear. If an organization can show OCR proof that no data was accessed, it may be able to avoid having the incident classed as a breach.

And some legal experts agree. Attorney David Harlow, who focuses on healthcare issues, told Forbes: “We need to remember that HIPAA is narrowly drawn and data breaches defined as the unauthorized ‘access, acquisition, use or disclosure’ of PHI. [And] in many cases, ransomware “wraps” PHI rather than breaches it.”

But as I see it, ransomware attacks should give health IT security pros pause even if they don’t have to report a breach to the federal government. After all, as Holtzman notes, the HIPAA security rule requires that providers put appropriate safeguards in place to ensure the confidentiality, the integrity and availability of ePHI. And fairly or not, any form of malware intrusion that succeeds raises questions about providers’ security policies and approaches.

What’s more, ransomware attacks may point to underlying weaknesses in the organization’s overall systems architecture. “Why is the operating system allowing this application to access this data?” asked one reader in comments on a related EMR and HIPAA post. “There should be no possible way for a database that is only read/write for specified applications to be modified by a foreign encryption application,” the reader noted. “The database should refuse the instruction, the OS should deny access, and the security system should lock the encryption application out.”

To be fair, not all intrusions are someone’s “fault.” Ransomware creators are innovating rapidly, and are arguably equipped to find new vectors of infection more quickly than security experts can track them. In fact, easy-to-deploy ransomware as a service is emerging, making it comparatively simple for less-skilled criminals to use. And they have a substantial incentive to do so. According to one report, one particularly sophisticated ransomware strain has brought $325 million in profits to groups deploying it.

Besides, downloading actual data is so five years ago. If you’re attacking a provider, extorting payment through ransomware is much easier than attempting to resell stolen healthcare data. Why go to all that trouble when you can get your cash up front?

Still, the reality is that healthcare organizations must be particularly careful when it comes to protecting patient privacy, both for ethical and regulatory reasons. Perhaps ransomware will be the jolt that pushes lagging players to step up and invest in security, as it creates a unique form of havoc that could easily put patient care at risk. I certainly hope so.

Health Data Sharing and Patient Centered Care with DataMotion Health

Posted on April 13, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Now that the HIMSS Haze has worn off, we thought we’d start sharing some of the great video interviews we did at HIMSS 2016. In this case, we did a 3 pack of interviews at the DataMotion Health booth where we got some amazing insights into health data sharing, engaging patients, and providing patient centered care.

First up is our chat with Dr. Peter Tippett, CEO of Healthcelerate and Co-Chairman of DataMotion Health, about the evolution of healthcare data sharing. Dr. Tippett offers some great insights into the challenge of structured vs unstructured data. He also talks about some of the subtleties of medicine that are often lost when trying to share data. Plus, you can’t talk with Dr. Tippett without some discussion of ensuring the privacy and security of health data.

Next up, we talked with Dennis Robbins, PHD, MPH, National Thought Leader and member of DataMotion Health’s Advisory Board, about the patient perspective on all this technology. He provides some great insights into patients’ interest in healthcare and how we need to treat them more like people than like patients. Dr. Robbins was a strong voice for the patient at HIMSS.

Finally we talked with Bob Janacek, Co-Founder and CTO of DataMotion Health, about the challenges associated with coordinating the entire care team in healthcare. The concept of the care team is becoming much more important in healthcare and making sure the care team is sharing the most accurate data is crucial to their success. Learn from Bob about the role Direct plays in this data sharing.

Thanks DataMotion Health for having us to your booth and having your experts share their insights with the healthcare IT community. I look forward to seeing you progress in your continued work to make health data sharing accessible, secure, and easy for healthcare organizations.

Small Practice Marketing Strategies Twitter Chat (#KareoChat)

Posted on April 12, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Health IT Marketing and PR Awards 2016

Last week we held the Healthcare IT Marketing and PR conference which is organized by Healthcare Scene. By all accounts, the conference ran well and the feedback I’ve gotten is that people really enjoyed the event and the healthcare marketing and PR community we’ve built. During the event, we held the HITMC Awards and Kareo won the award for Best Social Media Program. This is a well deserved honor since they put a lot of work into hosting the weekly #KareoChat.

Coming out of the conference, Kareo asked me if there were some topics from the conference that would work well for the #KareoChat audience of small practice physicians. After reviewing the sessions at the conference, I realized that there was a lot of lessons from the conference that could be applied to small practice marketing. In fact, so many of the topics could be a #KareoChat of their own. With that said, they asked if I’d host this week’s #KareoChat based on topics from the conference. So, I decided to pull together a potpourri of topics that applied well to small practices.

Kareo Chat - HITMC

Here’s a look at the topics for this week’s #KareoChat:

  1. When and why should a physician practice go through a rebranding? #KareoChat @HealthITMKTG
  2. How can you use your and your competitors’ online reviews (good and bad) to your benefit? #KareoChat @mdeiner
  3. Could small practices benefit from their own podcast? Is it worth it?  #KareoChat @GetSocialHealth @Resultant @jaredpiano
  4. How and when should small practices use visual content in their office? #KareoChat @csvishal2222
  5. How can the 4 communication preferences (Facts, Futures, Form, Feelings) help small physician practice marketing? #KareoChat @ChartCapture
  6. Where and how can we use the power of storytelling in small physician practice marketing? #KareoChat @ctrappe @stacygoebel

If you’d like to join us to discuss these topics, just follow the #KareoChat hashtag on Thursday, April 14th at Noon ET (9 AM PT). I expect it will be a really diverse and interesting chat across a wide variety of topics related to small practice marketing.

Full Disclosure: Kareo is an advertiser on one of the Healthcare Scene websites.

Breach Affecting 2.2M Patients Highlights New Health Data Threats

Posted on April 4, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A Fort Myers, FL-based cancer care organization is paying a massive price for a health data breach that exposed personal information on 2.2 million patients late last year. This incident is also shedding light on the growing vulnerability of non-hospital healthcare data, as you’ll see below.

Recently, 21st Century Oncology was forced to warn patients that an “unauthorized third party” had broken into one of its databases. Officials said that they had no evidence that medical records were accessed, but conceded that breached information may have included patient names Social Security numbers, insurance information and diagnosis and treatment data.

Notably, the cancer care chain — which operates on hundred and 45 centers in 17 states — didn’t learn about the breach until the FBI informed the company that it had happened.

Since that time, 21st Century has been faced with a broad range of legal consequences. Three lawsuits related to the breach have been filed against the company. All are alleging that the breach exposed them to a great possibility of harm.  Patient indignation seems to have been stoked, in part, because they did not learn about the breach until five months after it happened, allegedly at the request of investigating FBI officials.

“While more than 2.2 million 21st Century Oncology victims have sought out and/or pay for medical care from the company, thieves have been hard at work, stealing and using their hard-to-change Social Security numbers and highly sensitive medical information,” said plaintiff Rona Polovoy in her lawsuit.

Polovoy’s suit also contends that the company should have been better prepared for such breaches, given that it suffered a similar security lapse between October 2011 and August 2012, when an employee used patient names Social Security numbers and dates of birth to file fraudulent tax refund claims. She claims that the current lapse demonstrates that the company did little to clean up its cybersecurity act.

Another plaintiff, John Dickman, says that the breach has filled his life with needless anxiety. In his legal filings he says that he “now must engage in stringent monitoring of, among other things, his financial accounts, tax filings, and health insurance claims.”

All of this may be grimly entertaining if you aren’t the one whose data was exposed, but there’s more to this case than meets the eye. According to a cybersecurity specialist quoted in Infosecurity Magazine, the 21st Century network intrusion highlights how exposed healthcare organizations outside the hospital world are to data breaches.

I can’t help but agree with TrapX Security executive vice president Carl Wright, who told the magazine that skilled nursing facilities, dialysis centers, imaging centers, diagnostic labs, surgical centers and cancer treatment facilities like 21st are all in network intruders’ crosshairs. Not only that, he notes that large extended healthcare networks such as accountable care organizations are vulnerable.

And that’s a really scary thought. While he doesn’t say so specifically, it’s logical to assume that the more unrelated partners you weld together across disparate networks, it multiplies the number of security-related points of failure. Isn’t it lovely how security threats emerge to meet every advance in healthcare?

April Fool’s Day – Health IT Edition

Posted on April 1, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Most of you know that I love a good April Fool’s day joke. I don’t like those that hurt people, but I love good humor (ask me about the time my wife said she was going into labor and wasn’t). You may remember my past years’ pranks about the #HIT100 Health IT Company, the ONC Reality TV show, and my personal favorite where we announced we’d be selling our own EHR software. Good memories all around.

This year I’ve been busy organizing the Health IT Marketing and PR Conference, but that doesn’t mean I can’t enjoy other people’s work. I’m sure I’ve missed some of the great health IT related April Fool’s day jokes, so let me know of others in the comments.

The big winner for April Fool’s 2016 for me was SnapChart from Twine Health. You’ll particularly enjoy it if you’re a SnapChat user, but it’s a great one either way. This video should demonstrate what I mean:

Well done Twine Health! I think even patient privacy advocates would appreciate SnapChart. “We all know that EHRs suck. Well this EHR only sucks for 7 seconds….BOOM”

Another honorable mention goes to Epic who has a long standing tradition of offering something entertaining on April Fool’s Day:
Epic April Fool's Day 2016
*Click on the image to see a larger version

Nice work by Epic to keep it topical with reference to Clinton and Sanders. However, the one that takes the cake is Jonathan Bush using MyChart. The only thing that would make me laugh more would be if athenahealth put out a video response from Jonathan Bush. Please?!

Cureatr decided to go old school with a new technology called the Faxenatr:

Howard Green, MD posted this announcement from Alphabet Inc and Google Inc’s company Verily Life Sciences about the UHIT (Universal Health Information Technology).

So many others I could mention outside of health IT. This one from Samsung about a 3D holographic projection was cool:


Although, when you look at what’s happening with VR, maybe it will be more reality than we realize.

Gmail’s Mic Drop is pretty funny. Well, at least it was until people starting losing their job because of it. The concept of a mic drop on email or social media is pretty interesting though. I wonder if there’s a way you could really implement something like it.

What other April Fool’s day jokes have you seen. It’s Friday. We all need a good laugh.