
E-Patient Update: Is Technology Getting Ahead Of Medical Privacy?

Posted on December 9, 2016 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

I don’t know about y’all, but I love, love, love interacting with Google’s AI on my smartphone. It’s beyond convenient – it seems to simply read my mind and dish out exactly the content I need.

That could have unwelcome implications, however, when you bear in mind that Google might be recording your question. Specifically, for a few years now, Google’s AI has apparently been recording users’ conversations whenever it is triggered. While Google makes no secret of the matter, and apparently provides directions on how to erase these recordings, it doesn’t affirmatively ask for your consent either — at least not in any terribly conspicuous way — though it might have buried the request in a block of legal language.

Now, everybody has a different tolerance for risk, and mine is fairly high. So unless an entity does something to suggest to me that it’s a cybercrook, I’m not likely to lose any sleep over the information it has harvested from my conversations. In my way of looking at the world, the odds that gathering such information will harm me are low, while the odds collection will help me are much greater. But I know that others feel much differently than myself.

For these reasons, I think it’s time to stop and take a look at whether we should regulate potential medical conversations with intermediaries like Google, whether or not they have a direct stake in the healthcare world. As this example illustrates, just because they’re neither providers, payers or business associates doesn’t mean they don’t manage highly sensitive healthcare information.

In thinking this over, my first reaction is to throw my hands in the air and give up. After all, how can we possibly track or regulate the flow of medical information that falls outside the bounds of HIPAA or state privacy laws? How do we decide what behavior might constitute an egregious leak of medical information, and what could be seen as a mild mistake, given that the rules around provider and associate behavior may not apply? This is certainly a challenging problem.

But the more I consider these issues, the more I am convinced that we could at least develop some guidelines for handling of medical information by non-medical third parties, including what type of consumer disclosures are required when collecting data that might include healthcare information, what steps the intermediary takes to protect the data and how to opt out of data collection.

Given how complex these issues are, it’s unlikely we would succeed at regulating them effectively the first time, or even the fourth or fifth. And realistically, I doubt we can successfully apply the same standards to non-medical entities fielding health questions as we can to providers or business associates. That being said, I think we should pay more attention to such issues. They are likely to become more important, not less, as time goes by.

Ignoring the Obvious: Major Health IT Organizations Put Aside Patients

Posted on November 18, 2016 | Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site (http://oreilly.com/) and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

Frustrated stories from patients as well as health care providers repeatedly underline the importance of making a seismic shift in the storage and control of patient data. The current system leads to inaccessible records, patients who reach nursing homes or other treatment centers without information crucial to their care, excess radiation from repeated tests, massive data breaches that compromise thousands of patients at a time, and–most notably for quality–patients excluded from planning their own care.

A simple solution became available over the past 25 years with the widespread adoption of the Web, and has been rendered even easier by modern Software as a Service (SaaS): storing the entire record over the patient’s lifetime with the patient. This was unfeasible in the age of patient records, but is currently efficient, secure, and easy to manage. The only reason we didn’t switch to personal records years ago is the greed and bad faith of the health care institutions: keeping hold of the data allows them to exploit it in order to market treatments to patients that they don’t need, while hampering the ability of other institutions to recruit and treat patients.

So I wonder how the American Health Information Management Association (AHIMA) can’t feel ridiculous, if not a bit seamy, by releasing a 3000-word report on the patient data crisis this past October without even a hint at the solution. On the contrary: using words designed to protect the privileges of the health care provider, they call this crisis a “patient matching” problem. The very terminology sets in stone the current practice of scattering health records among providers, with the assumption that selective records will be recombined for particular treatment purposes–if those records can be found.

A reading of their report reveals that the crisis outpaces the tepid remedies suggested by conventional institutions. In a survey, institutions admitted that up to eight percent of their patients have duplicate records in the institutions’ own systems (six percent of the survey respondents reported this high figure). Institutions also report spending large efforts on mitigating the problems of duplicate records: 47 percent do so during patient registration, and 72 percent run efforts on a weekly basis. AHIMA didn’t even ask about the problems caused by lack of access to records from other providers.

To pretend they are addressing the problem without actually offering the solution, AHIMA issues some rather bizarre recommendations. Along with extending the same processes currently in use, they suggest using biometrics such as fingerprints or retinal scans. This has a worrisome impact on patient privacy–it puts out more and more information that is indelibly linked to persons and that can be used to track those persons. What are the implications of such recommendations in the current environment, which features not only targeted system intrusions by international criminal organizations, but the unaccountable transfer of data by those authorized to collect it? We should strenuously oppose the collection of unnecessary personal information. But it makes sense for a professional organization to seek a solution that leads to the installation of more equipment, requires more specialized staff, tightens their control over individuals, and raises health care costs.

There’s nothing wrong with certain modest suggestions in the AHIMA report. Standardizing the registration process and following the basic information practices they recommend (compliance with regulations, etc.) should be in place at any professional institution. But none of that will bring together the records doctors and other health care professionals need to deliver care.

Years ago, Microsoft HealthVault and Google Health tried to bring patient control into the mainstream. Neither caught on, because the time was not right. A major barrier to adoption was resistance by health care providers, who (together with the vendors of their electronic health records) disallowed patients from downloading provider data. The Department of Veterans Affairs Blue Button won fans in both the veterans’ community and a few other institutions (for instance, Kaiser Permanente supported it) but turned out to be an imperfect standard and was never integrated into a true patient-centered health system.

But cracks in the current system are appearing as health care providers are shoved toward fee-for-value systems. Technologies are also coalescing around personal records. Notably, the open source HIE of One project, described in another article, employs standard security and authentication protocols to give patients control over what data gets sent out and who receives it.

Patient control, not patient “matching,” is the future of health care. The patient will ensure that her doctors and any legitimate researchers get access to data. Certainly, there are serious issues left, such as data management for patients who have trouble with the technical side of the storage systems, and informed consent protocols that give researchers maximum opportunities for deriving beneficial insights from patient data. But the current system isn’t working for doctors or researchers any better than it is for patients. A strong personal health record system will advance us in all areas of health care.

Health Plans Need Your Records: Know What’s Driving Requests and How to Be Prepared

Posted on July 26, 2016 | Written By

The following is a guest blog post by Craig Mercure, Chief Operating Officer of Payer Solutions at CIOX Health.
Audits. Reviews. HEDIS. Stars Ratings. No matter what, health plan record requests are growing by leaps and bounds each year. And the stakes are high for health plans to ensure they receive medical records in a timely way. What we also know – the large volume of requests and submission deadlines can put a drain on provider resources.

High volumes of medical record requests make it more important than ever for providers and health plans to work cooperatively and collaboratively. Here’s some helpful background on what’s driving the request for medical records and how providers can be prepared.

There are three primary health plan reviews that receive the most focus: Medicare Risk Adjustment, HEDIS Reviews, and Affordable Care Act (ACA) Medical Records Retrieval (MRR). While there are also other ad hoc requests related to fraud, waste and abuse (e.g., Risk Adjustment Data Validation (RADV), Medicaid, etc.), these three health plan reviews cause the most provider abrasion. Medical practices are getting hammered by them.

Say, for example, that a provider contracts with 10 health plans. That provider is going to receive requests from each plan for all three of the main reviews, as well as the ad hoc requests. This has a major influence on record release and on all other staff members who are affected by it. The operational impact of receiving, verifying and fulfilling these requests is growing every year.

Here’s how the top three health plan reviews break down:

Medicare Risk Adjustment (MRA) reviews documentation and diagnosis codes to ensure proper reimbursement from the Centers for Medicare and Medicaid Services (CMS). Most records are retrieved from the primary care physician (PCP), specialty doctors, and in-patient stays—wherever the true value of a particular chart may reside. The MRA reviews typically begin in June and go through early January.

Volumes have skyrocketed to 18 million record requests over the past several years. Plans are prioritizing Medicare Advantage plans and want to research every member. Therefore, depending on the percentage of Medicare Advantage patients seen by an organization, this review can hit providers hard. Medicare Risk Adjustment reviews are most prevalent in late summer and early fall with the end date for all plans to submit all 2015 diagnoses by January 31, 2017.

Two of the primary pain points for health plans are revenue and quality of care. Consider this hypothetical scenario. A healthy Medicare Advantage member has a score of zero. However, if that member develops diabetes within a given year, the score grows to 2.8. The health plan would receive 2.8 times the normal Medicare expenditure to care for that patient. While demographics and regional data also contribute to determining true ratings, this example is very realistic.

From a quality perspective, the health plan’s purpose for medical record reviews is to identify patients with chronic disease before they fall through the cracks. Plans attempt to effectively communicate with members and secure PCP visits before more costly encounters such as emergency or acute inpatient care occur.

Healthcare Effectiveness Data and Information Set (HEDIS) Reviews are driven by the National Committee for Quality Assurance (NCQA), a 501(c)(3) not-for-profit organization dedicated to improving the quality of health care so patients can make informed decisions about which plan they want to choose. HEDIS collects measures from plans, PPOs, physicians, and other organizations, which are fed into a 5-star rating system. This rating system has become a marketing tool to help patients find the best health plans. It’s intended to allow patients to make “apples to apples” comparisons of health plans, similar to how you might shop for a car. The review season is typically February to mid-May.

Affordable Care Act (ACA) Medical Records Retrieval (MRR) is in its first year. These reviews are conducted during the same time frame as HEDIS. ACA-MRR has adopted similar risk methodologies as Medicare Advantage.

For providers, dealing with these reviews has become part of doing business with health plans. However, the amount of operational planning and time required to keep up with all the various requests can be monumental. Each provider site is configured differently in terms of medical record systems and IT security. Many providers outsource the chart retrieval (also called release of information—ROI) function to relieve the burden.

Gathering data in the trenches

Information to fulfill the health plan request may come from PCPs, acute-care hospitals, extended and rehabilitation facilities—wherever the health plan determines that the chart holds the most value. Also, caregivers provide medical records to health plans in a variety of ways. These include, but are not limited to: remote access, portals, secure FTP, CDs, mail, flash drives, emails, scans, and the old-fashioned standard—printed paper. While paper is dwindling, some still exists.

The majority of Medicare Advantage and ACA reviews are at the provider level. Sometimes thousands of records are involved. This can be a huge burden on physicians. Most health plan reviewers are interested in documents describing face-to-face interactions between clinician and member, such as progress notes and encounter notes based on specific dates of service.

For health plans and chart retrieval companies, the goal is always to obtain the necessary information with a minimal amount of provider abrasion. Two specific technology capabilities help smooth the process.

Electronic documentation embedded within the provider’s EMR

Various EMR systems and provider sites capture patient encounter notes differently. Some locations might not capture or maintain the encounter and progress information that is needed in an easy-to-retrieve electronic format.

Remote connectivity to retrieve information

Remote connectivity allows real-time access for the data needed by the health plan or chart retrieval service, mitigating the need for labor-intensive processes and onsite technicians.

An experienced chart retrieval service, like CIOX Health, satisfies the information demands of health plans while also reducing operational workload for providers. They’re responsible for securely linking both sides of the health plan review equation.

Experience eases chart retrieval

A chart retrieval service that repeatedly contracts with a specific health plan for reviews gains a year-over-year advantage. They’ve already connected to all the various provider systems and obtained security clearance. Every year they spend in the trenches, they learn and gain experiential data—giving them a head start for next year’s audit season.

Providers want to be fully compliant with health plan requests. They want to honor the request as quickly and efficiently as possible. Provider preference is to work with one chart retrieval service versus multiple ones over several health plans.

A single service can also field calls and inquiries from all the various health plans. Health plans want records to meet their review requirements, and they can be aggressive if records are past due. An experienced chart retrieval service helps both stakeholders move efficiently through the process—including remote connectivity—to meet health plan deadlines.

Finally, a centralized health information management (HIM) department is another way to ease the burden for providers. With centralization, all records and requests are aggregated. While centralized HIM is common practice in hospitals and health systems, it is not always feasible for physician practices and medical groups.

Cooperative steps must be taken to support health plan reviews while also reducing provider abrasion and operational costs. By working together, both plans and providers remain satisfied and smooth the process for everyone involved.

About Craig Mercure
Craig oversees all aspects of business development, including strategic planning, sales, client services, marketing, product development, finance and communications. He also leads the infrastructure development of the company as it grows, which includes: systems, processes, pipeline management, trade support, marketing, facilities, personnel recruitment and development. Over the past 15 years, Craig has worked in executive leadership positions within the electronic medical record and medical documentation industry.

Joint Commission Now Allows Texting Of Orders

Posted on May 17, 2016 | Written By Anne Zieger

For a long time, it was common for clinicians to share private patient information with each other via standard text messages, despite the fact that the information was in the clear and could theoretically be intercepted and read (which, along with other factors, makes SMS texting a HIPAA violation in most cases). To my knowledge, there have been no major cases based on theft of clinically-oriented texts, but it certainly could’ve happened.

Over the past few years, however, a number of vendors have sprung up to provide HIPAA-compliant text messaging. And apparently, these vendors have evolved approaches which satisfy the stringent demands of The Joint Commission. The hospital accreditation group had previously prohibited hospitals from sanctioning the texting of orders for patient care, treatment or services, but has now given it the go-ahead under certain circumstances.

This represents an about-face from 2011, when the group had deemed the texting of orders “not acceptable.” At the time, the Joint Commission said, technology available didn’t provide the safety and security necessary to adequately support the use of texted orders. But now that several HIPAA-compliant text-messaging apps are available, the game has changed, according to the accrediting body.

Prescribers may now text such orders to hospitals and other healthcare settings if they meet the Commission’s Medication Management Standard MM.04.01.01. In addition, the app prescribers use to text the orders must provide for a secure sign-on process, encrypted messaging, delivery and read receipts, date and time stamps, customized message retention time frames and a specified contact list for individuals authorized to receive and record orders.

I see this as a welcome development. After all, it’s better to guide and control key aspects of a process than to let it continue on underneath the surface. Also, the reality is that healthcare entities need to keep adapting to and building upon the way providers actually communicate. Failing to do so can only add layers to a system already fraught with inefficiencies.

That being said, treating provider-to-provider texts as official communications generates some technical issues that haven’t been addressed yet so far as I know.

Most particularly, if clinicians are going to be texting orders — as well as sharing PHI via text — with the full knowledge and consent of hospitals and other healthcare organizations, it’s time to look at what it takes to manage that information more efficiently. When used this way, texts go from informal communication to extensions of the medical record, and organizations should address that reality.

At the very least, healthcare players need to develop policies for saving and managing texts, and more importantly, for mining the data found within these texts. And that brings up many questions. For example, should texts be stored as a searchable file? Should they be appended to the medical records of the patients referenced, and if so, how should that be accomplished technically? How should texted information be integrated into a healthcare organization’s data mining efforts?

I don’t have the answers to all of these questions, but I’d argue that if texts are now vehicles for day-to-day clinical communication, we need to establish some best practices for text management. It just makes sense.

OCR Cracking Down On Business Associate Security

Posted on May 13, 2016 | Written By Anne Zieger

For most patients, a data breach is a data breach. While it may make a big difference to a healthcare organization whether the source of a security vulnerability was outside its direct control, most consumers aren’t as picky. Once you have to disclose to them that the data has been hacked, they aren’t likely to be more forgiving if one of your business associates served as the leak.

Just as importantly, federal regulators seem to be growing increasingly frustrated that healthcare organizations aren’t doing a good job of managing business associate security. It’s little wonder, given that about 20% of the 1,542 healthcare data breaches affecting 500 or more individuals reported since 2009 involve business associates. (This is probably a conservative estimate, as reports to OCR by covered entities don’t always mention the involvement of a business associate.)

To this point, the HHS Office for Civil Rights has recently issued a cyber-alert stressing the urgency of addressing these issues. The alert, which was issued by OCR earlier this month, noted that a “large percentage” of covered entities assume they will not be notified of security breaches or cyberattacks experienced by their business associates. That, folks, is pretty weak sauce.

Healthcare organizations also believe that it’s difficult to manage security incidents involving business associates, and impossible to determine whether data safeguards and security policies and procedures at the business associates are adequate. Instead, it seems, many covered entities operate on the “keeping our fingers crossed” system, providing little or no business associate security oversight.

However, that is more than unwise, given the number of major breaches that have taken place because of oversights by business associates. For example, in 2011 information on 4.9 million individuals was exposed when unencrypted backup computer tapes were stolen from the car of a Science Applications International Corp. employee, who was transporting the tapes on behalf of the military health program TRICARE.

The solution to this problem is straightforward, if complex to implement, the alert suggests. “Covered entities and business associates should consider how they will confront a breach at their business associates or subcontractors,” and make detailed plans as to how they’ll address and report on security incidents among these groups, OCR suggests.

Of course, in theory business associates are required to put their own policies and procedures in place to prevent, detect, contain and correct security violations under HIPAA regs. But that will be no consolation if your data is exposed because you weren’t holding their feet to the fire.

Besides, OCR isn’t just sending out vaguely threatening emails. In March, OCR began Phase 2 of its HIPAA privacy and security audits of covered entities and business associates. These audits will “review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standard interpretation specifications of the Privacy, Security, and Breach Notification Rules,” OCR said at the time.

The Downside of Interoperability

Posted on May 2, 2016 | Written By Anne Zieger

It’s hard to argue that achieving health data interoperability is not important — but it comes with risks. And I’ve seen little discussion of the fact that interoperability may actually increase the chance that a major attack could hit a wide swath of healthcare providers. It might be extreme to suggest that we put off such efforts until we step up the industry’s security status, but the problem shouldn’t be ignored either.

Sure, data interoperability is a critical goal for healthcare providers of all stripes. While there’s room to argue about how it should be accomplished, particularly over whether providers or patients should drive health data management, there’s no question it needs to get done. There’s little doubt that most efforts to coordinate care will fall flat if providers are operating with incomplete information.

And what’s more, with the demand for interoperability baked into MACRA, we pretty much have no choice but to make it happen anyway. To my knowledge, HHS has proposed neither carrot nor stick to convince providers to come on board – nor has it defined “widespread” interoperability — but the agency has to achieve something by 2018, and that means change will come.

That being said, I’m struck by how little industry concern there seems to be about the extent to which interoperability can multiply the possibility of a breach occurring. Unfortunately, security is only as good as the weakest link in the chain, and data sharing increases the length of the chain exponentially. Of course, the risk varies a great deal depending on who or what the data-sharing intermediary is, but the fact remains that a connected network is a connected network.

The problem only gets worse if interoperability is achieved by integrating applications. I’m no software engineer, but I’m pretty sure that the more integrated providers’ infrastructure is, the more vulnerabilities they share. To be fair, hospitals theoretically vet their partners, but that defeats the purpose of universal data sharing, doesn’t it?

And even if every provider in the universal data sharing network practices good security hygiene, they can still get attacked. So it’s not a matter of requiring participants to comply with some network security standard, or meet some certification criteria. Given the massive incentives attackers have to steal health data (and lock it up with ransomware), nobody can hold out forever.

The bottom line is that I believe we should discuss the matter of security in a fully-connected health data sharing network more often.

Yes, we almost certainly need to press ahead and simply find a way to contain the risks. We simply can’t afford our fragmented healthcare system, and data interoperability offers perhaps the best possible chance of pulling it back together.

But before we plunge into the fray, it only makes sense to stop and consider all of the risks involved and how they should be addressed. After all, universal interconnection exposes a virtually infinite number of potential points of failure to cybercrooks. Let’s put some solutions on the table before it’s too late.

Breach Affecting 2.2M Patients Highlights New Health Data Threats

Posted on April 4, 2016 | Written By Anne Zieger

A Fort Myers, FL-based cancer care organization is paying a massive price for a health data breach that exposed personal information on 2.2 million patients late last year. This incident is also shedding light on the growing vulnerability of non-hospital healthcare data, as you’ll see below.

Recently, 21st Century Oncology was forced to warn patients that an “unauthorized third party” had broken into one of its databases. Officials said that they had no evidence that medical records were accessed, but conceded that breached information may have included patient names, Social Security numbers, insurance information, and diagnosis and treatment data.

Notably, the cancer care chain — which operates 145 centers in 17 states — didn’t learn about the breach until the FBI informed the company that it had happened.

Since that time, 21st Century has been faced with a broad range of legal consequences. Three lawsuits related to the breach have been filed against the company, all alleging that the breach exposed the plaintiffs to a great possibility of harm. Patient indignation seems to have been stoked, in part, because they did not learn about the breach until five months after it happened, allegedly at the request of investigating FBI officials.

“While more than 2.2 million 21st Century Oncology victims have sought out and/or pay for medical care from the company, thieves have been hard at work, stealing and using their hard-to-change Social Security numbers and highly sensitive medical information,” said plaintiff Rona Polovoy in her lawsuit.

Polovoy’s suit also contends that the company should have been better prepared for such breaches, given that it suffered a similar security lapse between October 2011 and August 2012, when an employee used patient names, Social Security numbers and dates of birth to file fraudulent tax refund claims. She claims that the current lapse demonstrates that the company did little to clean up its cybersecurity act.

Another plaintiff, John Dickman, says that the breach has filled his life with needless anxiety. In his legal filings he says that he “now must engage in stringent monitoring of, among other things, his financial accounts, tax filings, and health insurance claims.”

All of this may be grimly entertaining if you aren’t the one whose data was exposed, but there’s more to this case than meets the eye. According to a cybersecurity specialist quoted in Infosecurity Magazine, the 21st Century network intrusion highlights how exposed healthcare organizations outside the hospital world are to data breaches.

I can’t help but agree with TrapX Security executive vice president Carl Wright, who told the magazine that skilled nursing facilities, dialysis centers, imaging centers, diagnostic labs, surgical centers and cancer treatment facilities like 21st Century are all in network intruders’ crosshairs. He also notes that large extended healthcare networks such as accountable care organizations are vulnerable.

And that’s a really scary thought. While he doesn’t say so specifically, it’s logical to assume that the more unrelated partners you weld together across disparate networks, the more security-related points of failure you create. Isn’t it lovely how security threats emerge to meet every advance in healthcare?

Cyber Breach Insurance May Be Useless If You’re Negligent

Posted on March 28, 2016 I Written By

Anne Zieger

Ideally, your healthcare organization will never see a major data breach. But realistically, given how valuable healthcare data is these days — and the extent to which many healthcare firms neglect data security — it’s safer to assume that you will have to cope with a breach at some point.

In fact, it might be wise to assume that some form of costly breach is inevitable. After all, as one infographic points out, 55 healthcare organizations reported network attacks resulting in data breaches last year, which resulted in 111,809,322 individuals’ health record information being compromised. (If you haven’t done the math in your head, that’s a staggering 35% of the US population.)

The capper: if things don’t get better, the US healthcare industry stands to lose $305 billion in cumulative lifetime patient revenue due to cyberattacks likely to take place over the next five years.

So, by all means, protect yourself by any means available. However, as a recent legal battle suggests, simply buying cyber security insurance isn’t a one-step solution. In fact, your policy may not be worth much if you don’t do your due diligence when it comes to network and Internet security.

The lawsuit, Columbia Casualty Company v. Cottage Health System, shows what happens when a healthcare organization (allegedly) relies on its cyber insurance policy to protect it against breach costs rather than working hard to prevent such slips.

Back in December 2013, the three-hospital Cottage Health System notified 32,755 of its patients that their PHI had been compromised. The breach occurred when the health system and one of its vendors, InSync, stored unencrypted medical records on an Internet-accessible system.

It later came out that the breach was probably caused by careless FTP settings on both systems’ servers, which permitted anonymous user access, essentially opening up patient health records to anyone who could use Google. (Wow. If true, that’s really embarrassing. I doubt a sharp 13-year-old script kiddie would make that mistake.)
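Two defender-side checks that address this failure mode, as an added example that is not code from Cottage Health, InSync, the insurer or this blog: one flags a vsftpd configuration that still allows anonymous logins (vsftpd’s documented default for anonymous_enable is YES), and the other scans vsftpd-style log lines for anonymous sessions pulling files from a sensitive path, the kind of detection the insurer’s complaint later says was missing. The log lines and the /records/ prefix are constructed for the example.

```python
import re

# Added example; not code from Cottage Health, InSync, the insurer or this blog.
# Two defender-side checks for the failure described above: an FTP service left
# open to anonymous users, and nothing watching who pulls sensitive files.

def check_vsftpd_conf(conf_text):
    """Return findings for anonymous access in a vsftpd.conf. vsftpd's documented
    default for anonymous_enable is YES, so an absent key is as bad as YES."""
    settings = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()         # drop comments
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().upper()
    findings = []
    if settings.get("anonymous_enable", "YES") == "YES":
        findings.append("anonymous_enable is YES (set or by default)")
    return findings

# Matches vsftpd-style log lines; anonymous sessions are logged as user "ftp".
LOG_LINE = re.compile(
    r'\[(?P<user>[^\]]+)\] OK (?P<action>LOGIN|DOWNLOAD): Client "(?P<ip>[^"]+)"'
    r'(?:, "(?P<path>[^"]+)")?'
)

def audit_ftp_log(log_text, sensitive_prefixes=("/records/",)):
    """Return (severity, client_ip, detail) for anonymous logins and for
    anonymous downloads under a sensitive path prefix (prefix is an assumption)."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_LINE.search(line)
        if not m or m.group("user") != "ftp":
            continue                                  # authenticated user: not flagged here
        ip, action, path = m.group("ip"), m.group("action"), m.group("path")
        if action == "LOGIN":
            alerts.append(("medium", ip, "anonymous FTP login"))
        elif path and path.startswith(sensitive_prefixes):
            alerts.append(("high", ip, f"anonymous download of {path}"))
    return alerts

# Constructed sample lines in the shape of a vsftpd log (all values made up).
SAMPLE_LOG = """\
Tue Dec 10 08:01:13 2013 [pid 4122] [ftp] OK LOGIN: Client "203.0.113.7", anon password "mozilla@example.com"
Tue Dec 10 08:01:20 2013 [pid 4124] [ftp] OK DOWNLOAD: Client "203.0.113.7", "/records/export_2013-12.csv", 524288 bytes, 812.44Kbyte/sec
Tue Dec 10 08:05:03 2013 [pid 4129] [backupsvc] OK LOGIN: Client "10.20.0.15"
Tue Dec 10 08:05:10 2013 [pid 4131] [backupsvc] OK DOWNLOAD: Client "10.20.0.15", "/records/backup.tar", 1048576 bytes, 900.00Kbyte/sec
"""
```

Run `audit_ftp_log(SAMPLE_LOG)` to see the anonymous login and the anonymous download of the sensitive export flagged, while the authenticated backup account’s download of the same directory is left alone.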

Anyway, a group of presumably ticked off patients filed a class action suit against Cottage asking for $4.125 million. At first, cyber breach insurer Columbia Casualty paid out the $4.125 million and settled the case. Now, however, the insurer is suing Cottage, asking the health system to pay it back for the money it paid out to the class action members. It argues that Cottage was negligent due to:

  • a failure to continuously implement the procedures and risk controls identified in the application, including, but not limited to, its failure to replace factory default settings and its failure to ensure that its information security systems were securely configured; and
  • a failure to regularly check and maintain security patches on its systems, its failure to regularly re-assess its information security exposure and enhance risk controls, its failure to have a system in place to detect unauthorized access or attempts to access sensitive information stored on its servers and its failure to control and track all changes to its network to ensure it remains secure.

Not only that, Columbia Casualty asserts, Cottage lied about following a minimum set of security practices known as a “Risk Control Self Assessment” required as part of the cyber insurance application.

Now, if the cyber insurer’s allegations are true, Cottage’s behavior may have been particularly egregious. And no one has proven anything yet, as the case is still in the early stages, but this dispute should still stand as a warning to all healthcare organizations. If you neglect security, then try to get an insurance company to cover your behind when breaches occur, you might be out of luck.

The Easiest Form of Healthcare Information Blocking – Charge for It

Posted on March 23, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’ve watched the discussion around information blocking in healthcare with a lot of interest. I’ve seen many people (including the government) talk about how information blocking is a major issue in healthcare and that we need to do something to solve the problem. I’ve also read reports from other organizations that searched for information blocking, say they can’t find it, and conclude that people are overstating the issue.

I do think that some people overstate how big of an issue information blocking is, but I know that it’s a problem. Sometimes the information blocking is done purposefully, but other times it happens without the organization giving much thought as to why it should or shouldn’t take part in information sharing.

As I’ve watched this discussion evolve and the drive towards interoperability I’ve realized that what’s happening in interoperability today could very well be the easiest and most legal form of information blocking that exists: charge for the information.

When I look into the future of information sharing, I can see EHR vendors salivating at these new found revenue streams associated with data sharing. Sure, it will only be pennies or fractions of a penny to share each record. However, when you spread that across millions and millions of records those fractions of a penny really start to add up.

When I look at the interoperability options that are being built today, these options are going to be able to charge for access to this data in a very granular way. All the data sharing is easily tracked and if it’s being tracked it can easily be charged for. I expect large healthcare organizations are going to have to start creating entire budgets dedicated to the cost of interoperability.

Once this happens, smaller healthcare organizations are going to be blocked out of the data. However, they won’t be literally blocked out like they are now. Instead, they’ll have access to the data, but the cost of that access will be so high that they’ll be unable to afford it.

If you’re someone who’s a fan of information blocking, this is the perfect solution. No one can tell you that they couldn’t get access to the data, because they could get access to the data. All they had to do was pay for it. The fact that they couldn’t afford to access the data is a different issue. I expect this day will come sooner than we think.

Ransomware Crisis Demands Provider Cooperation

Posted on February 22, 2016 I Written By

Anne Zieger

A few days ago, the sadly-predictable news broke that a U.S. hospital had been hit with a ransomware attack. Initial reports were that hackers demanded that Hollywood (CA) Presbyterian Medical Center pay $3.4M in bitcoins to regain access to its data. The hospital refused, and began working with paper to meet its patients’ needs. However, it was later reported that the $3.4 million number was wrong and the hospital was only asked to pay $17,000. The hospital chose to pay the ransom and got data access back.  But the mere fact that Hollywood Presbyterian got off relatively easily shouldn’t blind us to the growing ransomware threat, nor the steps we need to take to address this crisis.

Now, before I ramble on about what I think should be done, please bear in mind that I’m an HIT analyst and writer, not a network engineer. So the modest proposal is coming from a non-technical person, but I do believe that it has some merit as an idea. Hopefully readers will continue to improve, debate, and educate us on the merits and challenges of the idea in the comments.

Here’s my proposal. Whereas:

* Hospitals can’t afford to have their data randomly locked any more than airlines can afford to have their engines do so, AND

* Nobody wants to voluntarily create a ransomware market that grows steadily stronger as hospitals pay up, SO

I suggest we find a new way for hospitals to cover each others’ back. The idea would be to make it more or less impossible for hackers to capture all of another hospital’s data.

Here’s where I get hazy, so follow me — and criticize me, please — but what if every hospital had a few sister hospitals which each held part of the day’s data backup? I can see attackers shimmying through every currently available connection at a single institution, but would all five be vulnerable if they only connected in the event of a data lockout at hospital A?

Even if such a peer to peer architecture would work, I’m not sure it would be practical. After all, it’s one thing to download an illegal software copy via P2P and quite another to help restore a terabyte or more of data.

Also, it certainly hasn’t escaped me that there are serious competitive concerns involved in setting up such arrangements, though those could certainly be mitigated by the fact that no sister hospital would have a complete data set for Hospital A.
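One concrete way to realize the sister-hospital idea sketched above, as an added illustration rather than the author’s design or any hospital’s system: the already-encrypted daily backup is striped across the sisters with one XOR parity stripe, so no sister holds a complete copy, any one sister can be locked out or refuse, and a tampered stripe from a compromised sister is rejected by hash rather than poisoning the restore. The manifest (stripe hashes and length) is assumed to be kept with every sister as well, since the home hospital is the one presumed locked out.

```python
import hashlib

# Added illustration of the sister-hospital backup idea above; not the author's
# design or any hospital's system. Assumes the daily backup is already encrypted
# before striping, and that the manifest is copied to every sister.

def sha(b):
    return hashlib.sha256(b).hexdigest()

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split_backup(data, n_sisters):
    """Stripe data across n_sisters holders: n_sisters-1 data stripes plus one XOR
    parity stripe. No single holder has a complete copy; any one may be lost."""
    n_data = n_sisters - 1
    stripe = -(-len(data) // n_data)                  # ceiling division
    padded = data.ljust(stripe * n_data, b"\0")
    stripes = [padded[i * stripe:(i + 1) * stripe] for i in range(n_data)]
    parity = bytes(stripe)
    for s in stripes:
        parity = xor_bytes(parity, s)
    manifest = {"hashes": [sha(s) for s in stripes + [parity]], "length": len(data)}
    return stripes + [parity], manifest

def restore_backup(shares, manifest):
    """Rebuild the backup. A share may be None (holder unreachable or locked out);
    a share whose hash mismatches the manifest is treated as lost, not trusted."""
    good = list(shares)
    for i, s in enumerate(good):
        if s is not None and sha(s) != manifest["hashes"][i]:
            good[i] = None                            # tampered copy: discard
    missing = [i for i, s in enumerate(good) if s is None]
    if len(missing) > 1:
        raise ValueError(f"{len(missing)} shares unavailable; need all but one")
    if missing:
        stripe = len(next(s for s in good if s is not None))
        rebuilt = bytes(stripe)
        for i, s in enumerate(good):
            if i != missing[0]:
                rebuilt = xor_bytes(rebuilt, s)       # XOR of the rest recovers it
        good[missing[0]] = rebuilt
    return b"".join(good[:-1])[:manifest["length"]]   # drop parity, strip padding
```

With four sisters the backup survives one of them being ransomed, unreachable or dishonest; losing two at once is reported rather than silently producing garbage.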

Even if this idea is utter garbage, however, I believe we’ve reached a point where if we’re going to fight ransomware, some form of deep industry cooperation is necessary. Let’s not wait for patients to be harmed or die due to data lock-out.