
Will a Duo of AI and Machine Learning Catch Data Thieves Lurking in Hospital EHR Corridors?

Posted on September 19, 2016 | Written By

The following is a guest blog post by Santosh Varughese, President of Cognetyx, an organization devoted to using artificial intelligence and machine learning innovation to bring an end to the theft of patient medical data.
As Halloween approaches, the usual spate of horror movies will intrigue audiences across the US, replete with slashers named Jason or Freddy running amok in the corridors of all too easily accessible hospitals. They grab a hospital gown and fit right in. While a movie is something you can turn off, the real horror of patient data theft can follow you.

(I know how terrible this type of crime can be. I myself have been the victim of a data theft by hackers who stole my deceased father’s medical files, running up more than $300,000 in false charges. I am still disputing ongoing bills that have been accruing for the last 15 years.)

Unfortunately, this horror movie scenario is similar to how data thefts often occur at medical facilities. In 2015, the healthcare industry was one of the top three hardest hit industries for serious data breaches and major attacks, along with government and manufacturing. Medical records are packed with a wealth of exploitable information such as credit card data, email addresses, Social Security numbers, employment information and medical history, much of which will remain valid for years, if not decades, and fetches a high price on the black market.

Who Are The Hackers?
It is commonly believed that attacks come from outside intruders looking to steal valuable patient data, and 45 percent of the hacks are indeed external. However, the “phantom” hackers are often your colleagues, employees and business associates, who are unwittingly careless in the use of passwords or lured by phishing schemes that open the door for data thieves. Not only is data stolen; the resulting privacy violations are insidious.

The problem is not only high-tech, but also low-tech, requiring that providers across the continuum simply become smarter about data protection and privacy issues. Medical facilities are finding they must teach doctors and nurses not to click on suspicious links.

For healthcare consultants, here is a great opportunity not only to help end this industry-wide problem, but to build up your client base by implementing new technologies that help medical facilities bring an end to data theft. With EHRs more vulnerable than ever before, CIOs and CISOs are looking for new solutions. These range from thwarting accidental and purposeful hackers by implementing physical security procedures to securing network hardware and storage media through measures like maintaining a visitor log, installing security cameras, limiting physical access to server rooms and restricting the ability to remove devices from secure areas.

Of course, enterprise solutions that cover the entire hospital system and use new innovations are the best way to cast a digital safety net over all IT operations and leave administrators and patients with a sense of security and safety.

Growing Nightmare
Medical data theft is a growing national nightmare.  IDC’s Health Insights group predicts that 1 in 3 healthcare recipients will be the victim of a medical data breach in 2016.  Other surveys found that in the last two years, 89% of healthcare organizations reported at least one data breach, with 79% reporting two or more breaches. The most commonly compromised data are medical records, followed by billing and insurance records. The average cost of a healthcare data breach is about $2.2 million.

At health insurer Anthem, Inc., foreign hackers stole up to 80 million records using social engineering to dig their way into the company’s network using the credentials of five tech workers. The hackers stole names, Social Security numbers and other sensitive information, but were thwarted when an Anthem computer system administrator discovered outsiders were using his own security credentials to log into the company system and to hack databases.

Investigators believe the hackers somehow compromised the tech worker’s security through a phishing scheme that tricked the employee into unknowingly revealing a password or downloading malicious software. Using this login information, they were able to access the company’s database and steal files.

Healthcare Hacks Spread Hospital Mayhem in Diabolical Ways
Not only is current patient data security an issue, but thieves can also drain the electronic economic blood from hospitals’ jugular vein—its IT systems. Hospitals increasingly rely on cloud delivery of big enterprise data from start-ups like iCare that can predict epidemics, cure disease, and avoid preventable deaths. They also add Personal Health Record apps to the system from fitness apps like FitBit and Jawbone.

Banner Health, operating 29 hospitals in Arizona, had to notify millions of individuals that their data was exposed. The breach began when hackers gained access to payment card processing systems at some of its food and beverage outlets. That apparently also opened the door to the attackers accessing a variety of healthcare-related information.

Because Banner Health says its breach began with an attack on payment systems, it differs from other recent hacker breaches. While payment system attacks have plagued the retail sector, they are almost unheard of at healthcare entities.

What makes this breach even more concerning is the question of how hackers reached healthcare systems after breaching payment systems at food and beverage facilities, when these networks should be completely separated from one another. Healthcare system networks are very complex and become more complicated as other business functions are added to the infrastructure, even those that don’t necessarily have anything to do with systems handling protected health information.

Who hasn’t heard of “ransomware”? The first widely reported attack on a hospital was at Hollywood Presbyterian Medical Center, which had its EHR and clinical information systems shut down for more than a week. The systems were restored after the hospital paid $17,000 in Bitcoin.

Will Data Thieves Also Rob Us of Advances in Healthcare Technology?
Is the data theft at MedStar Health, a major healthcare system in the DC region, a foreboding sign that an industry racing to digitize and interoperate EHRs is facing a new kind of security threat that it is ill-equipped to handle? Hospitals are focused on keeping patient data from falling into the wrong hands, but attacks at MedStar and other hospitals highlight an even more frightening downside of security breaches—as hospitals strive for IT interoperability. Is this goal now a concern?

As hospitals increasingly depend on EHRs and other IT systems to coordinate care, communicate critical health data and avoid medication errors, they could also be risking patients’ well-being when hackers strike. While chasing the latest medical innovations, healthcare facilities are rapidly learning that caring for patients also means protecting their medical records and technology systems against theft and privacy violations.

“We continue the struggle to integrate EHR systems,” says anesthesiologist Dr. Donald M. Voltz, Medical Director of the Main Operating Room at Aultman Hospital in Canton, OH, and an advocate and expert on EHR interoperability. “We can’t allow patient data theft and privacy violations to become an insurmountable problem and curtail the critical technology initiative of resolving health system interoperability. Billions have been pumped into this initiative and it can’t be risked.”

Taking Healthcare Security Seriously
Healthcare is an easy target. Its security systems tend to be less mature than those of other industries, such as finance and tech. Its doctors and nurses depend on data to perform time-sensitive and life-saving work.

Where a financial-services firm might spend a third of its budget on information technology, hospitals spend only about 2% to 3%. Healthcare providers are averaging less than 6% of their information technology budget expenditures on security, according to a recent HIMSS survey. In contrast, the federal government spends 16% of its IT budget on security, while financial and banking institutions spend 12% to 15%.

Meanwhile, the number of healthcare attacks over the last five years has increased 125%, as the industry has become an easy target. Personal health information is 50 times more valuable on the black market than financial information. Stolen patient health records can fetch as much as $363 per record.

“If you’re a hacker… would you go to Fidelity or an underfunded hospital?” says John Halamka, the chief information officer of Beth Israel Deaconess Medical Center in Boston. “You’re going to go where the money is and the safe is the easiest to open.”

Many healthcare executives believe that the healthcare industry is at greater risk of breaches than other industries. Despite these concerns, many organizations have either decreased their cyber security budgets or kept them the same. While the healthcare industry has traditionally spent a small fraction of its budget on cyber defense, it has also not shored up its technical systems against hackers.

Disrupting the Healthcare Security Industry with Behavior Analysis   
Common defenses in trying to keep patient data safe have included firewalls and keeping the organization’s operating systems, software, anti-virus packages and other protective solutions up-to-date.  This task of constantly updating and patching security gaps or holes is ongoing and will invariably be less than 100% functional at any given time.  However, with only about 10% of healthcare organizations not having experienced a data breach, sophisticated hackers are clearly penetrating through these perimeter defenses and winning the healthcare data security war. So it’s time for a disruption.

Many organizations employ network surveillance tactics to prevent the misuse of login credentials. These involve the use of behavior analysis, a technique that the financial industry uses to detect credit card fraud. By adding some leading innovation, behavior analysis can offer C-suite healthcare executives a cutting-edge, game-changing innovation.

The technology relies on the proven power of cloud technology to combine artificial intelligence with machine learning algorithms to create and deploy “digital fingerprints” using ambient cognitive cyber surveillance to cast a net over EHRs and other hospital data sanctuaries. It exposes user behavior deviations while accessing EHRs and other applications with PHI that humans would miss and can not only augment current defenses against outside hackers and malicious insiders, but also flag problem employees who continually violate cyber security policy.

“Hospitals have been hit hard by data theft,” said Doug Brown, CEO, Black Book Research. “It is time for them to consider new IT security initiatives. Harnessing machine learning artificial intelligence is a smart way to sort through large amounts of data. When you unleash that technology collaboration, combined with existing cloud resources, the security parameters you build for detecting user pattern anomalies will be difficult to defeat.”

While the technology is advanced, the concept is simple. A pattern of user behavior is established, and any action that deviates from that pattern, such as logging in from a new location or accessing a part of the system the user normally doesn’t access, is flagged. Depending on the deviation, the user may be required to provide further authentication to continue, or may be forbidden from proceeding until a system administrator can investigate the issue.
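As an added illustration (not Cognetyx’s product or code), the following Python builds a per-user baseline from a constructed set of EHR access events and scores new events the way the paragraph describes: new location or module and off-hours access raise the score, and the score maps to allow, step-up authentication, or hold for administrator review. User names, locations, module names and the thresholds are all assumed sample values.

```python
"""Behaviour-analysis check for EHR access events (added example, constructed data)."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed historical access log used as the baseline (not real data).
# Format per line: user,location,application_module,hour_of_day
BASELINE_LOG = """\
nurse_kim,ward3,Nursing,07
nurse_kim,ward3,Nursing,08
nurse_kim,ward3,MAR,09
nurse_kim,ward3,Nursing,13
dr_lee,or_suite,Anesthesia,06
dr_lee,or_suite,Anesthesia,07
dr_lee,clinic_b,Orders,14
dr_lee,or_suite,Imaging,08
billing_ann,admin_wing,Billing,09
billing_ann,admin_wing,Billing,11
billing_ann,admin_wing,Insurance,15
"""


@dataclass
class Profile:
    """The 'digital fingerprint' of one user: where, what and when they normally work."""
    locations: Counter = field(default_factory=Counter)
    modules: Counter = field(default_factory=Counter)
    hours: set = field(default_factory=set)


def parse(line):
    user, loc, mod, hour = line.strip().split(",")
    return user, loc, mod, int(hour)


def build_profiles(log_text):
    """Aggregate the baseline log into one Profile per user."""
    profiles = defaultdict(Profile)
    for line in log_text.strip().splitlines():
        user, loc, mod, hour = parse(line)
        p = profiles[user]
        p.locations[loc] += 1
        p.modules[mod] += 1
        p.hours.add(hour)
    return profiles


def score_event(profile, loc, mod, hour):
    """Return (score, reasons) describing how far one event strays from the baseline."""
    score, reasons = 0, []
    if loc not in profile.locations:           # e.g. first login from remote_vpn
        score += 2
        reasons.append(f"new location {loc}")
    if mod not in profile.modules:             # e.g. billing staff opening clinical notes
        score += 2
        reasons.append(f"new module {mod}")
    # Off-hours: no baseline hour within one hour of this one (wraps around midnight).
    if profile.hours and not any(min(abs(hour - h), 24 - abs(hour - h)) <= 1
                                 for h in profile.hours):
        score += 1
        reasons.append(f"unusual hour {hour:02d}")
    return score, reasons


def decide(score):
    """Map a deviation score to the action the text describes (thresholds assumed)."""
    if score == 0:
        return "allow"
    if score <= 2:
        return "step_up_auth"        # ask for a second factor before continuing
    return "hold_for_admin"          # block until an administrator investigates


def evaluate(profiles, line):
    """Score one new access event against the user's profile."""
    user, loc, mod, hour = parse(line)
    if user not in profiles:         # unknown account: nothing to compare against
        return {"user": user, "decision": "hold_for_admin", "score": None,
                "reasons": ["no baseline for user"]}
    score, reasons = score_event(profiles[user], loc, mod, hour)
    return {"user": user, "decision": decide(score), "score": score, "reasons": reasons}


def repeat_offenders(results, threshold=2):
    """Users flagged at least `threshold` times: candidates for a policy conversation."""
    counts = Counter(r["user"] for r in results if r["decision"] != "allow")
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    profiles = build_profiles(BASELINE_LOG)
    new_events = [                   # constructed events arriving after the baseline
        "nurse_kim,ward3,Nursing,08",
        "nurse_kim,remote_vpn,Nursing,08",
        "billing_ann,admin_wing,Billing,19",
        "billing_ann,remote_vpn,Nursing,02",
        "contractor_x,ward3,Nursing,10",
    ]
    results = [evaluate(profiles, e) for e in new_events]
    for r in results:
        print(f"{r['user']:<12} {r['decision']:<15} {', '.join(r['reasons']) or 'matches baseline'}")
    print("repeat offenders:", repeat_offenders(results))
```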

The cost of this technology will benefit from the continuing decline in the price of storage and processing power offered by cloud computing giants such as Amazon Web Services, Microsoft and Alphabet.

The healthcare data security war can be won, but it will require action and commitment from the industry. In addition to allocating adequate human and monetary resources to information security and training employees on best practices, the industry would do well to implement network surveillance that includes behavior analysis. It is the single best technological defense against the misuse of medical facility systems and the most powerful weapon the healthcare industry has in its war against cyber criminals.

Engaging Patients With Health Data Cuts Louisiana ED Overuse

Posted on September 15, 2016 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Maybe I’m misreading things, but it seems to me that few health IT pros really believe we can get patients to leverage their own health data successfully. And I understand why. After all, we don’t even have clear evidence that patient portals improve outcomes, and portals are probably the most successful engagement tool the industry has come up with to date.

And not to be a jerk about it, but I bet you’d be hard-pressed to find HIT gurus who believed the state of Louisiana would lead the way, as the achingly poor southern state isn’t exactly known for being a healthcare thought leader.  As it so happens, though, the state has actually succeeded where highfalutin’ health systems have failed.

Over one year, the state has managed to generate a 23% increase in health IT use among at-risk patients, and also, a 10.2% decrease in non-emergent use of emergency departments by Medicaid managed care organization members, thank you very much.

So how did Louisiana’s top healthcare brass accomplish this feat? Among other things, they launched a HIE-enabled ED data registry, along with a direct-to-consumer patient engagement campaign. These efforts were done in partnership with the Louisiana Health Care Quality Forum, which developed statewide marketing plans for the effort (See John’s interview with the Louisiana Health Care Quality Forum for more details).

They must have created some snazzy marketing copy. As Healthcare IT News noted, between August 2015 and May 2016, patient portal use shot up 31%, consumer EHR awareness rose 23% and opt-in to the state’s HIE grew by 3%, Quality Forum marketer Jamie Martin told HIN.

Not only that, the number of patients asking for access to or copies of electronic health data increased by 12%, and the number of patients with current copies of their health information grew by 9%, Martin said.

This is great news for those who want to see patients buy in to the digital health paradigm. Though it’s hard to tell whether the state will be able to maintain the benefits it gained in its initial effort, it clearly succeeded in getting a substantial number of patients to rethink how they manage their care.

But (and I’m sorry to be a bit of a Debbie Downer), I was a bit disappointed when I saw none of the gains cited related to changing health behaviors, such as, say, an increase in diabetics getting retinal exams.

I know that I should probably be focused on the project’s commendable successes, and believe it or not, I do find them to be exciting. I’m just not sure that these kinds of metrics can be used as proxies for health improvement measures, and let’s face it, that’s what we need, right?

Electronic Prescribing Of Controlled Substances Rates Spiking

Posted on September 1, 2016 | Written By Anne Zieger

Back in the day, say a decade ago or so, when e-prescribing itself was a new and big deal, the feds – especially the DEA – didn’t think much of the e-prescribing of controlled drugs like opiates. But a few years later the agency eventually came around. In June of 2010, it released a rule which allowed providers to issue such prescriptions and pharmacies to receive, dispense and archive these scripts electronically nationwide.

Since then, electronic prescribing of controlled substances (EPCS) has taken off, according to a story in Search HealthIT. In fact, EPCS has been growing rapidly, particularly during 2015, according to national pharmacy IT network Surescripts.

Specifically, the number of EPCS transactions shot up 600% last year, from 1.67 million to 12.8 million scripts issued, according to Surescripts’ 2015 National Progress Report. Part of the reason for this surge is that providers are getting on board at a brisk pace. The number of providers enabled to use EPCS grew 359% last year.

Among the interesting stats to be culled from the Surescripts report is that 32% of drugs prescribed were opioids. This statistic should draw a lot of interest from public officials and enforcement agencies trying to stem the tide of opioid overdoses, which killed more than 28,000 Americans in 2014. That’s four times as many as died of this cause in 2010, according to Surescripts’ sources.

A Drop in the Bucket

It’s worth noting that the number of EPCS transactions still pales in contrast to the number of transactions hosted on the Surescripts network that year. The network handled 9.7 billion transactions in 2015, up 40% from the previous year, the company reported. That means the EPCS is still a drop in the bucket overall.

Also, levels of EPCS-enabled pharmacies and physicians vary across the U.S. For example, 91% of pharmacies are EPCS-enabled in New York, the top state for such pharmacies. (A New York State rule requiring every practitioner in the state to e-prescribe all medications went into effect in March.) Other top-ranked states for pharmacy penetration included Massachusetts, California and Texas. On the other hand, only 73% of pharmacies were EPCS-enabled in Georgia and Florida.

Still, with adoption levels seemingly evening out between states – and the gap small enough to close over the next few years – it seems like EPCS is becoming an established practice. Surescripts contends that this is for the best, and argues that EPCS reduces fraud and improper prescribing by making it easier to track such medications. And with states like New York mandating e-prescribing for all providers, the growth in EPCS is likely to stay healthy.

However, for every action there’s a reaction, and the other shoe may not have dropped where EPCS risks are concerned. It may take a few years to find out whether the confidence some have in this approach was merited.

Three Words That Health Care Should Stop Using: Insurance, Market, and Quality (Part 2 of 2)

Posted on August 23, 2016 | Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

The previous part of this article ripped apart the use of the words “insurance” and “market” to characterize healthcare. Now let’s turn to another concept even more fundamental to our thinking about care.


The final element of this three-card Monte is the slippery notion of quality. Health care is often compared to the airlines (when we’re not being compared to the Cheesecake Factory), an exercise guaranteed to make health care look bad. Airlines and restaurants offer relatively homogeneous experiences to all their clients and can easily determine whether their service succeeded or failed. Even at a mechanical level, the airlines have been able to quantify safety.

Endless organizations such as the National Association for Healthcare Quality (NAHQ) and the Agency for Healthcare Research and Quality (AHRQ) collect quality measures, and CMS has tried strenuously to include quality measures in Meaningful Use and the new MACRA program. We actually have not a dearth of quality measures, but a surfeit. Doctors feel overwhelmed with these measures. They are difficult to collect, and we don’t know how to combine them to create easy reports that patients can act on. There is a difference between completing a successful surgery, caring for things such as pain and infection prevention after surgery, and creating a follow-up plan that minimizes the chance of readmission. All those things (and many more) are elements of quality.

Worst of all, despite efforts to rank patients by their conditions and risk, hospitals repeatedly warn that quality measures underestimate risky patients and therefore penalize the hospitals that do the most difficult and important work–caring for the sickest. Many hospitals are throwing away donor organs instead of doing transplants, because the organs are slightly inferior and therefore might contribute to lower quality ratings–even if the patients are desperate to give them a try.

The concept of quality in health care thus needs a fresh look, and probably a different term. The first, simple thing we can do is remove patient ratings from assessments of quality. The patient knows whether the nurse smiled at her or whether she was discharged promptly, but can’t tell how good the actual treatment was after the event. One nurse has suggested that staff turnover is a better indication of hospital quality than patient satisfaction surveys. Given our fascination with airline quality, it’s worth noting that the airline industry separates safety ratings from passenger experience. The health care industry can similarly leverage patient ratings to denote clients’ satisfaction, but that’s separate from quality.

As for the safety and effectiveness of treatment, we could try a fairer rating system, such as one that explicitly balances risk and reward. Agencies would have to take the effort to understand all the elements of differences in patients that contribute to risk, and make sure they are tallied. Perhaps we could learn how to assess the success of each treatment in relation to the condition in which the patient entered the office. Even better, we could try to assess longitudinal results instead of evaluating each office visit or hospital admission in isolation.

These are complex activities, but we have lots of data and powerful tools to analyze it. Together with a focus on changing behavior and environments, we should be able to make a real difference in quality–and I mean quality of life. Is there anything an ordinary member of the health professions can do till then? Well, try issuing Bronx cheers and catcalls at any meeting or conference presentation where someone uses one of the three misleading terms.

Three Words That Health Care Should Stop Using: Insurance, Market, and Quality (Part 1 of 2)

Posted on August 22, 2016 | Written By Andy Oram

Reading the daily papers, I have gotten increasingly frustrated at the misunderstandings that journalists and the public bring to the debates over health expansion, costs, and reform. But you can’t blame them–our own industry has created the confusion by misusing terms and concepts that work in other places but not in health. Worse still, the health care industry has let policy-makers embed the incorrect impressions into laws and regulations.

So in this article I’ll promote the long process of correcting the public’s impressions of health care–by purging three dangerous words from health care vocabulary.


The health care insurance industry looks like no other insurance industry in the world. When we think of insurance, we think of paying semi-annually into a fund we hope we never need to use. But perhaps every twenty years or so, we suffer damage to our car, our house, or our business, and the insurance kicks in. That may have been true for health care 70 years ago, when you wouldn’t see the doctor unless you fell into a pit or came down with some illness they likely couldn’t cure anyway. The insurance model is totally unsuited for health care today.

The Affordable Care Act made some symbolic gestures toward a recognition that modern health care should embrace prevention and wellness. For instance, it eliminated copays for preventative visits. The insurance companies took that wording very literally: if you dare to bring up an actual medical problem during your preventative visit, they charge you a copay. Yet the “preventative” part of the visit usually consists of a lecture to stop smoking and go on the Mediterranean diet.

Effective wellness programs jettison the notion of insurance (although patients need separate insurance for catastrophic problems). They keep in regular contact with clients, provide coaching, and sometimes use intelligent digital interventions such as described by Dr. Joseph Kvedar in The Internet of Healthy Things (which I reviewed shortly after its release). There are scattered indications that these programs do their job. As they spread, the system set up to deal with catastrophic health events will have to adapt and take a modest role within a behavioral health model.

The term “insurance” is so widely applied to our health funding model that we can’t make it go away. Perhaps we should put the word in quotation marks wherever it must be used.


This term is less ubiquitous than “insurance” but may be even more harmful. Numerous commenters have pointed out the difference between health care and actual markets:

  • In a market, you can walk away and refuse to pay for a good that is too expensive. If the price of beef goes through the roof, you can switch to beans (and probably should, for your own health). So the best time to argue with someone who promotes a health care market may be right after he’s fallen from a ladder and is clutching at his leg in agony. Ask him, “Do you feel you can walk away from an offer of health care?” Cruel, but a lesson he won’t forget.

  • A market serves people who can afford it. It’s hard to find a stylish hair dresser in a poor neighborhood because no one can pay $200 for a cut. But here’s the rub: the people who need health care the most can’t afford it. Someone with serious mental or physical problems is less likely to find work or be able to attend a college with health insurance. Parents of seriously ill children have to take time off from work to care for them. And so on. It’s what economists–who have trouble discarding the market way of thinking–call a market failure.

  • In a market, you know what you’re going to pay for a service and what your options are. Enough said.

  • In a market, you can evaluate the quality of a service and judge (at least in retrospect) whether it was worth the cost. I’ll deal with quality in the next section.

The misconception of health care as a market came to a head in the implementation of the Affordable Care Act. Presumably, millions of “young invincibles” were avoiding health insurance because of the cost. The individual mandate, combined with affordable plans on health care exchanges, would bring them flooding into the insurance system, lowering costs for everyone and balancing the burden created by the many sick people who we knew would join. And yet now we have stubbornly rising health care rates, deductibles, and caps, along with new costs in the states where Medicaid expanded. Where did this all fall apart?

Part of the problem is certainly the recession, which caused incomes to decline or stagnate and exacerbated people’s health care needs. Also, there was a pent-up need for treatment among people who had lacked health insurance and avoided treatment for some time. This comes through in a study of prescription medication use. Furthermore, people don’t change habits overnight: many continue to over-rely on the emergency room (perhaps because of a shortage of primary care providers).

But there’s another unanticipated factor: the “young invincibles” actually start using health care once they get access to it. An analysis showed that mental health needs among the young are much higher than expected. In particular, they suffer widely from depression and anxiety, which is entirely reasonable given the state of our world. (I know that these conditions are connected to genetics and biology, but environment must also play a role.)

Ultimately, until we get behavioral health in place for everybody, health care costs will continue to rise and we won’t realize the promise of near-universal coverage. Many health care activists–especially during the recent political primary season–call for a single-payer system, which certainly would introduce many efficiencies. But it doesn’t solve the problems of chronic conditions and unhealthy lifestyles–that will require policy action on levels ranging from improvements in air cleanliness to new opportunities for isolated individuals to socialize. Meanwhile, we still have to look at the notion of quality in tomorrow’s post.

E-Patient Update: Is It Appropriate to Trash “Dr. Google”?

Posted on August 1, 2016 | Written By Anne Zieger

Apparently, a lot of professionals have gotten a bit defensive about working with Google-using customers. In fact, when I searched Google recently for the phrase “Don’t confuse your Google search with my” it returned results that finished the phrase with “law degree,” “veterinary degree,” “nursing degree” and even “library degree.” And as you might guess, it also included “medical degree” among its list of professions with a Google grudge.

I first ran across this anti-Dr.-Google sentiment about a year ago, when a physician posted a picture of a coffee mug bearing this slogan on LinkedIn. He defended having the mug on his desk as a joke. But honestly, doc, I don’t think it’s funny. Let me explain.

First, I want to concede a couple of points. Yes, humor means different things to different people, and a joke doesn’t necessarily define a doctor’s character. And to be as fair as possible, I’m sure there are patients who use Web-based materials as an excuse to second-guess medical judgment in ways which are counterproductive and even inappropriate. Knowledge is a good thing, but not everyone has good knowledge filters in place.

That being said, I have, hmmm, perhaps a few questions for clinicians who are amused by this “joke,” including:

  • Wouldn’t people’s health improve if they considered themselves responsible for learning as much as possible about health trends, wellness and/or any conditions they might have?
  • Don’t we want patients to be as engaged as possible when they are talking with their doctors (as well as other clinicians)? And doesn’t that mean being informed about key issues?
  • Does this slogan suggest that patients shouldn’t challenge physicians to explain discrepancies between what they read and what they’re being told?
  • Does this attitude bleed over to a dislike of all consumer-generated health data, even if it’s being generated by an FDA-approved device? If so, have you got a nuanced understanding of these technologies and a well-informed opinion on their merits?

Please understand, I am in no way anti-doctor. The truth is, I trust, admire and rely upon the clinicians who keep my chronic illnesses at bay. I have a sense of the pressures they confront, and have immense respect for their dedication and empathy.

That being said, I need clinicians to collaborate with me and help me learn what I need to know, not discourage and mock my efforts. And I need them to be open to the benefits of new technologies – be they the web-based medical content that didn’t exist when you were in med school, remote monitoring, wearables, sensor-laden t-shirts, mobile apps, artificial intelligence or flying cars.

So, I hope you understand now why I’m offended by that coffee mug. If a doctor dislikes something so elementary as a desire to learn, I doubt we’ll get along.

Attackers Try To Sell 600K Patient Records

Posted on July 22, 2016 | Written By Anne Zieger

New research has concluded that attackers recently infiltrated U.S. healthcare institutions and stole at least 600,000 patient records, then attempted to sell more than 3 TB of associated data. The attacks, which were discovered by security firm InfoArmor, targeted not only hospitals, but also private clinics and vendors of medical equipment and supplies such as orthopedics, eWeek reports.

According to InfoArmor, the attacker gained access to the patient data by exploiting weak user credentials, and hacked Remote Desktop Protocol connections on some servers with static external IP addresses. The data thief also used a local privilege escalation exploit to access system files for added patching and backdooring, InfoArmor chief intelligence officer Andrew Komarov told eWeek.

And sadly, some healthcare institutions made it pretty easy for intruders. In some cases, data thieves were able to exfiltrate data stored in Microsoft Access desktop databases without any special user access segregation or rights control in place, Komarov told the magazine.

Future exploits may emerge through medical device connections, as many institutions aren’t paying enough attention to device security, he warns. “[Providers] think that the medical device is just a device for their specific function and sometimes they don’t [have] knowledge of misconfigured devices in their networks,” Komarov said.

So what will become of the data? Many things, and none of them good. Some cyber criminals will sell Social Security numbers, and other scammers will use the data to sell fraudulent healthcare services. Cyber-grifters who steal a patient’s history of illness and their biography can use them to take advantage of consumers, he pointed out. And to sharpen their con, such criminals can even buy select data focused on geographic regions, Komarov noted in a follow-up chat with me.

To address exploits engineered by remote access sessions, one consulting firm is pitching technology allowing administrators to go over remote sessions with a fine-toothed comb.

Balazs Scheidler, CTO of security vendor BalaBit, notes that while remote access to internal IT resources is common, using protocols such as Microsoft Remote Desktop or Citrix ICA, IT managers don’t always have enough visibility into who’s accessing systems, when they are logging in and from where systems are being accessed. BalaBit is pitching a system which offers “CCTV-like” recording of user sessions, including screen contents, mouse movements, clicks and keystrokes.

But the truth is, regardless of what approach providers take, they simply have to step up security measures across the board. If attackers can access your data through a vulnerable Microsoft Access database, clearly something is out of order. And in fact, in many cases, it’s just that easy for attackers to get into your network.

E-Patient Update: Don’t Give Patients Needless Paperwork

Posted on July 6, 2016 | Written By Anne Zieger

Recently, I had an initial appointment with a primary care practice. As I expected, I had a lot of paperwork to fill out, including not only routine administrative items like consent to bill my insurer and HIPAA policies, but also several pages of medical history.

While nobody likes filling out forms, I have no problem with doing so, as I realize that these documents are very important to building a relationship with a medical practice. However, I was very annoyed by what happened later, when I was ushered back into the clinical suite.

Despite my having filled out the extensive checklist of medical history items, I was asked every single one of the questions featured on the form verbally by a med tech who saw me ahead of my clinical appointment. And I mean Every. Single. One. I was as polite and patient as I could be, particularly given that it wasn’t the poor tech’s fault, but I was simmering nonetheless, for a couple of reasons.

First, on a practical level, it was infuriating to have filled out a long clinical interview form for what seemed to be absolutely no reason. This is in part because, as some readers may remember, I have Parkinson’s disease, and filling out forms can be difficult and even painful. But even if my writing hand were unimpaired I would’ve been rather irked by what seemed to be pointless duplication.

Not only that, as it turns out the practice seems to have had access to my medication list — perhaps from claims data? — and could have spared me the particularly grueling job of writing out all the medications I currently take. Given my background in HIT, I was forced to wonder whether the checkbox lists of past illnesses, surgeries and the like were even necessary.

After all, if the group is sophisticated enough to access my medications list, perhaps it could have accessed my other medical records as well. In fact, as it turned out, the primary care group is owned by the dominant local health system which has been providing most of my care for 20 years. So the clinicians almost certainly had a shot at downloading my current medical data in some form.

Even if the medical group had no access to any historical data on my care, I can’t imagine why administrators would require me to fill out a medical history form if the tech was going to ask me every question on the form. My hunch is that it may be some wrongheaded attempt at liability management, providing the practice with some form of cover if somebody failed to collect an accurate history during the interview. But other than that I can’t imagine what was going on there.

The reality is, physician practices that are transitioning into EMR use, or adopting a new EMR, may end up requiring their staff to do double data entry to one extent or another as practice leaders figure things out. But asking patients to do so shows an alarming lack of consideration for my time and effort. Perhaps the practice has forgotten that I’m not on the payroll?

AMA’s Digital Health ‘Snake Oil’ Claim Creates Needless Conflict

Posted on June 22, 2016 | Written By Anne Zieger

Earlier this month, the head of the American Medical Association issued a challenge which should resonate for years to come. At this year’s annual meeting, Dr. James Madara argued that many direct-to-consumer digital health products, apps and even EMRs were “the digital snake oil of the early 21st century,” and that doctors will need to serve as gatekeepers to the industry.

His comments, which have been controversial, weren’t quite as immoderate as some critics have suggested. He argued that some digital health tools were “potentially magnificent,” and called on doctors to separate useful products from “so-called advancements that don’t have an appropriate evidence base, or that just don’t work that well – or that actually impede care, confuse patients, and waste our time.”

It certainly makes sense to sort the digital wheat from the chaff. After all, as of late last year there were more than 165,000 mobile health apps on the market, more than double the number available in 2013, according to a study by IMS Institute for Healthcare Informatics. And despite the increasing proliferation of wearable health trackers, there is little research available to suggest that they offer concrete health benefits or promote sustainable behavior change.

That being said, the term “snake oil” has a loaded historical meaning, and we should hold Dr. Madara accountable for using it. According to Wikipedia, “snake oil” is an expression associated with products that offer questionable or unverifiable quality or benefits – which may or may not be fair. But let’s take things a bit further. In the same entry, Wikipedia defines a snake oil salesman as “someone who knowingly sells fraudulent goods or who is themselves a fraud, quack or charlatan.” And that’s a pretty harsh way to describe digital health entrepreneurs.

Ultimately, though, the issue isn’t whether Dr. Madara hurt someone’s feelings. What troubles me about his comments is they create conflict where none needs to exist.

Back in the 1850s, when what can charitably be called “entrepreneurs” were selling useless or toxic elixirs, many were doubtless aware that the products they sold had no benefit or might even harm consumers. And if what I’ve read about that era is true, I doubt they cared.

But today’s digital health entrepreneurs, in contrast, desperately want to get it right. These innovators – and digital health product line leaders within firms like Samsung and Apple – are very open to working with clinicians. In fact, most if not all work directly with both staff doctors and clinicians in community practice, and are always open to getting guidance on how to support the practice of medicine.

So while Dr. Madara’s comments aren’t precisely wrong, they suggest a fear and distrust of technology which doesn’t become any 21st century professional organization.

Think I’m wrong? Well, then why didn’t the AMA leader announce the formation of an investment fund to back the “potentially magnificent” advances he admits exist? If the AMA did that, it would demonstrate that even a 169-year-old organization can adapt and grow. But otherwise, his words suggest that the venerable trade group still holds disappointingly Luddite views better suited for the dustbin of history.

UPDATE: An AMA representative has informed me that I got some details in the story above wrong, and I’m eager to correct my error. According to Christopher Khoury, vice president of environmental analysis and strategic analytics with the group, the AMA is indeed investing in digital health innovation. He notes that in January, the group announced the formation of San Francisco-based Health2047, for which it serves as lead investor. Health2047 is dedicated to furthering the commercialization of digital tools and solutions that help practicing physicians. It also sponsors Matter, a healthcare incubator based in Chicago.

Value Based Reimbursement Research Results in Time for #AHIPInstitute

Posted on June 15, 2016 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

McKesson Health Solutions has commissioned a new National Research study on Value Based Reimbursement. Here’s a quick summary of some of the findings:

The rapid pace of change in healthcare payment continues unabated, with payers reporting they are 58% along the continuum towards full value-based reimbursement, a 10% leap since 2014. Hospitals aren’t far behind, reporting they’re now 50% along the value continuum, up 4% in the past two years.

Those numbers were a bit shocking to me. It doesn’t feel like we’ve gotten that far in the shift to value based reimbursement. Does it feel like it to you? I knew we were headed that direction, but definitely thought we had just begun. These numbers paint a much different story.

This week I’m excited to attend my first AHIP Institute. I’ll be exploring this shift in all its gory details.

Along with this study and with AHIP starting tomorrow, McKesson has been sharing a number of cartoons about the healthcare industry. Here are a few of them they tweeted out:

Healthcare Costs

Healthcare Payment Pathway