
Emerging Health Apps Pose Major Security Risk

Posted on May 18, 2015 | Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As new technologies like fitness bands, telemedicine and smartphone apps have become more important to healthcare, the issue of how to protect the privacy of the data they generate has become more important, too.

After all, all of these devices use the public Internet to transmit data, at least at some point in the transmission. Typically, telemedicine involves a direct connection over an unsecured Internet link to a remote server (although vendors usually do apply some sort of encryption to the data sent over that unsecured connection). If they're being used clinically, monitoring technologies such as fitness bands hop from the band across the wireless spectrum to a smartphone, which in turn uses the public Internet to send the data on to clinicians. And the public Internet is just the pathway; it opens up a myriad of ways for hackers to get access to this health data.

My hunch is that this exposure of data to potential thieves hasn’t generated a lot of discussion because the technology isn’t mature. And what’s more, few doctors actually work with wearables data or offer telemedicine services as a routine part of their practice.

But it won’t be long before these emerging channels for tracking and caring for patients become a standard part of medical practice. For example, the use of wearable fitness bands is exploding, and middleware like Apple’s HealthKit is increasingly making it possible to collect and mine the data that they produce. (And the fact that Apple is working with Epic on HealthKit has lured a hefty percentage of the nation’s leading hospitals to give it a try.)

Telemedicine is growing at a monster pace as well. One study from last year by Deloitte concluded that the market for virtual consults in 2014 would hit 70 million, and that the market for overall telemedical visits could climb to 300 million over time.

Given that the data generated by these technologies is medical, private and presumably protected by HIPAA, where’s the hue and cry over protecting this form of patient data?

After all, though a patient’s HIV or mental health status won’t be revealed by a health band’s activity data, telemedicine consults certainly can betray those conditions. And while a telemedicine consult won’t provide data on a patient’s current cardiovascular health, wearables can, and that data might be of interest to payers or even life insurers.

I admit that when the data being broadcast isn’t clear text summaries of a patient’s condition, possibly with their personal identity, credit card and health plan information, it doesn’t seem as likely that patients’ well-being can be compromised by medical data theft.

But all you have to do is look at human nature to see the flaw in this logic. I’d argue that if medical information can be intercepted and stolen, someone can find a way to make money at it. It’d be a good idea to prepare for this eventuality before a patient’s privacy is betrayed.

An Important Look at HIPAA Policies For BYOD

Posted on May 11, 2015 | Written By Katherine Rourke

Today I stumbled across an article which I thought readers of this blog would find noteworthy. In the article, Art Gross, president and CEO at HIPAA Secure Now!, made an important point about BYOD policies. He notes that while much of today’s corporate computing is done on mobile devices such as smartphones, laptops and tablets — most of which access their enterprise’s e-mail, network and data — HIPAA offers no advice as to how to bring those devices into compliance.

Given that most of the spectacular HIPAA breaches in recent years have arisen from the theft of laptops, and are likely to proceed to theft of tablet and smartphone data, it seems strange that HHS has done nothing to update the rule to address the increasing use of mobile devices since it was drafted in 2003. As Gross rightly asks, “If the HIPAA Security Rule doesn’t mention mobile devices, laptops, smartphones, email or texting, how do organizations know what is required to protect these devices?”

Well, Gross’ peers have given the issue some thought, and here are some suggestions from law firm DLA Piper on how to dissect the issues involved. BYOD challenges under HIPAA, notes author Peter McLaughlin, include:

* Control: To maintain protection of PHI, providers need to control many layers of computing technology, including network configuration, operating systems, device security and transmissions outside the firewall. McLaughlin notes that Android OS-based devices pose a particular challenge, as the system is often modified to meet hardware needs. And in both iOS and Android environments, IT administrators must also manage users’ tendency to connect to their preferred cloud and download their own apps. Otherwise, a large volume of protected health data can end up outside the firewall.

* Compliance: Healthcare organizations and their business associates must take care to meet HIPAA mandates regardless of the technology they use. But securing even basic information, much less regulated data, on employee-owned devices can be far more difficult than when the company sets restrictive rules for its own devices.

* Privacy: When enterprises let employees use their own device to do company business, it’s highly likely that the employee will feel entitled to use the device as they see fit. However, in reality, McLaughlin suggests, employees don’t really have full, private control of their devices, in part because company policy usually requires a remote wipe of all data when the device gets lost. Also, employees might find that their device’s data becomes discoverable if the data involved is relevant to litigation.

So, readers, tell us how you’re walking the tightrope between giving employees who BYOD some autonomy, and protecting private, HIPAA-protected information. Are you comfortable with the policies you have in place?

Full Disclosure: HIPAA Secure Now! is an advertiser on this website.

The Future Of…The Connected Healthcare System

Posted on March 11, 2015 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This post is part of the #HIMSS15 Blog Carnival which explores “The Future of…” across 5 different healthcare IT topics.

As I think about the future of a connected healthcare system, I get very excited. That excitement is partially tempered, though, by the realization that many of these connections could have been happening for a long time. A connected healthcare system is not a technological challenge; it is a major cultural challenge for healthcare.

The Data Connected Healthcare System

Implementation challenges aside, the future of healthcare absolutely revolves around a connected healthcare system. In the short term these connections will focus on sharing the right data with the right person at the right time. Most of that data will be limited to data inside the EHR. What’s shocking is that we’re not doing this already. I guess we are doing this already, but in a really disconnected fashion (see: the fax machine). That’s what’s so shocking. We already have the policies in place that allow us to share healthcare data with other providers. We’re sharing that data across fax machines all day every day. Over the next 3-5 years we’ll see a continuous flow of this data across other electronic channels (Direct Project, FHIR, HIEs, etc.).

More exciting to consider is the future integration of consumer health device data into the healthcare system. I’m certain I’ll see a number of stories talking about this integration at HIMSS already. These “pilot” integrations will set the groundwork for much wider adoption of external consumer health data. The key tipping point to watch for in this is when EHR vendors start accepting this data and presenting the data to doctors in a really intuitive way. This integration will absolutely change the game when it comes to connecting patient collected data with the healthcare system.

What seems even clearer to me is that we all still have a very myopic view of how much data we’re going to have available to us about a person’s health. In my two examples above I talk about the EHR patient record (basically physicians’ charts) and consumer health devices. In the latter example I’m pretty sure you’re translating that to the simple examples of health tracking we have today: steps, heart rate, weight, blood pressure, etc. While all of this data is important, I think it’s a short-sighted view of the explosion of patient data we’ll have at our fingertips.

I still remember when I first heard the concept of an IP Address on Every Organ in your body reporting back health data that we would have never dreamed imaginable. The creativity in sensors that are detecting anything and everything that’s happening in your blood, sweat and tears is absolutely remarkable. All of that data will need to be connected, processed, and addressed. How amazing will it be for the healthcare system to automatically schedule you for heart surgery that will prevent a heart attack before you even experience any symptoms?

Of course, we haven’t even talked about genomic data, which will be infiltrating the healthcare system as well. Genomic data used to take years to process. Now it’s being done in weeks at a price point that’s doable for many. Genomic medicine is going to become a standard for healthcare, and in some areas it already is.

The connected healthcare system will have to process more data than we can even imagine today. Good luck processing genomic data, sensor data, device data, and medical chart data using paper.

It’s All About Communication

While I’ve focused on connecting the data in the healthcare system of the future, that doesn’t downplay the need for better communication tools in the future connected healthcare system. Healthcare data can discover engagement points, but communication with patients will cause the change in our healthcare system.

Do you feel connected to your doctor today? My guess is that most of you would be like me and say no (although I’m working to change that culture for me and my family). The future connected healthcare system is going to have to change that culture if we want to improve healthcare and lower healthcare costs. Plus, every healthcare reimbursement model of the future focuses on this type of engagement.

The future connected healthcare system actually connects the doctor’s office and the patient to treat even the healthy patient. In fact, I won’t be surprised if we stop talking about going for a doctor’s visit and start talking about a health checkup or some health maintenance. Plus, who says the health checkup or maintenance has to be in the doctor’s office? It might very well be over a video chat, email, instant message, social media, or even text.

This might concern many. However, I’d describe this as healthcare integration into your life. We’ll have some stumbles along the way. We’ll have some integrations that dig too deeply into your life. We’ll have some times when we rely too heavily on the system and it fails us. Sometimes we’ll fail to show the right amount of empathy in the communication. Sometimes we’ll fail to give you the needed kick in the pants. Sometimes, we’ll make mistakes. However, over time we’ll calibrate the system to integrate seamlessly into your life and improve your health based on your personalized needs.

The future Connected Healthcare System is a data driven system which facilitates the right communication when and where it’s needed in a seamless fashion.

Tips for Women in the Medical Device Industry

Posted on March 4, 2015 | Written By John Lynn

I’ll admit that I’m far from an expert on the challenges and inequities of women in the workforce. I think that everyone that knows me knows that I love working with women and I love strong empowered women. It’s what I hope my daughter will become one day. I’m proud that the Healthcare IT Marketing and PR conference was the first conference to be listed with over 50% female speakers.

I recently saw a stat that there were more CEOs of the top 1500 companies named “John” (5.3%) than there are women CEOs (4.1%). That’s particularly disturbing since my name is John. It highlighted to me how solving the issues of gender inequality in the workplace is incredibly complex and challenging.

While I admit I don’t have all the answers, I was interested to hear these 5 suggestions for women from Kathryn Stecco, MD.

Women considering entrepreneurial initiatives in medical technology should follow these basic principles.

  1. Start with a big idea that solves a big problem: A new business must start with a powerful idea for a product or service that fills a real unmet need. Market is everything.
  2. Pursue a practical solution: Focus on products that are safe, effective and easy to use for both physician and patient. If the product doesn’t make physicians’ lives easier, they won’t use it. The product must produce meaningful clinical data that speaks for itself.
  3. Build relationships – early – with clinicians: Medical entrepreneurs must be out in the field developing ties with physicians and getting their input early in the design process. No matter how well designed your product or how impressive your patents, physicians will have the last word on the usefulness of your product. They are vital to your success.
  4. Be prepared to shift gears: Don’t fall into the trap of becoming so enamored of an idea or a product that you lose sight of its real likelihood of succeeding in the marketplace. You must have the flexibility to move on to something else when changes in the environment cause the ground to shift under your feet and your plans to be upended.
  5. Enjoy the ride! Successful entrepreneurs make adversity the energy that fuels their creativity. They don’t learn their most valuable lessons in the classroom but in the trenches. They thrive on the long hours, the unpredictability, the rush that comes from building something important and valuable.

Maybe some of these ideas will help some women who are working in the medical device industry. It’s a small thing for sure, but maybe if we all do small things to improve the opportunities for women those small things will turn into something great.

A Video Look at the Digital Health, Fitness and Wellness Section of CES 2015

Posted on January 8, 2015 | Written By John Lynn

After my initial CES Observations post, I’ve spent most of my time on some over-the-counter drugs and trying to stay warm in bed. Luckily I think I’m on the way out of whatever cold/flu/misery I had upon me. However, it kind of ruined many of my CES plans.

With that said, I did make some time to go and at least check out the Digital Health section of CES 2015. I wrote about the wearables explosion over on Smart Phone Healthcare and to illustrate some of what I describe in that post, I shot this video of the Digital Health exhibition space at CES. I was moving pretty fast to get through it in 12 minutes, but you’ll see a bunch of the brands and booths that were there along with a feeling for the event (Yes, tomorrow I need to go and investigate the steady cam options at the show.).

If you’ve been at CES or watching the coverage from back home, what’s been most exciting, interesting, impressive, thought provoking, or disappointing?

Medical Device Security – Where Is the Finger Pointing?

Posted on October 23, 2014 | Written By John Lynn

If a picture is worth a thousand words, the above picture is worth about 10,000. I think this picture is best summed up by saying that the medical device industry is a heavily regulated industry. You can see why EHR vendors don’t want to be regulated by the FDA. It would get pretty crazy.

This image also illustrates to me why a company that’s built an FDA or medical device compliance capability has something of real value. Navigating the process is not easy and it helps if you’ve been there and done it before.

As to Dr. Wen’s comment on the tweet, there are a lot of challenges when it comes to medical device security. They definitely run no antivirus, and many are running on old operating systems that can’t be updated. We’re going to have to put some serious thought into how to solve problems like these in future medical devices.

Confusing HIPAA Compliance With Security

Posted on October 2, 2014 | Written By Katherine Rourke

Most people who read this publication know that while HIPAA compliance is necessary, it’s not sufficient to protect your data. Too many healthcare leaders, especially in hospitals, seem satisfied with the song and dance their cloud vendor gave them, or the business associate that promises on a stack of Bibles that it’s in compliance.

I was reminded of this just the other day when Reuters came out with some shocking statistics. One particularly discomforting stat it reported was the fact that medical data is now worth 10 times more than your credit card number on the black market (even if John has argued otherwise). Why? Well, among other things, because medical identity theft isn’t tracked well by providers and payers, which means that a stolen identity can last for months or years before it’s closed down.

Healthcare is lagging behind other industries not only in its hardware and software infrastructure, but also in the extent to which its executives care about how exposed they are to a breach. Security experts note that senior executives in hospitals see security as a tactical, not a strategic problem, and they don’t spend much time or money on it.

But this could be a deadly mistake. As Jeff Horne, vice president at cybersecurity firm Accuvant, noted to Reuters, “healthcare providers and hospitals are just some of the easiest networks to break into. When I’ve looked at hospitals, and when I’ve talked to other people inside of a breach, they are using very old legacy systems – Windows systems that are 10+ years old that have not seen a patch.”

As if that wasn’t enough, it’s been increasingly demonstrated that medical devices — from infusion pumps to MRIs — are also frighteningly vulnerable to cyber attacks. The vulnerabilities might not be found for months, and when they are, the hapless provider has to wait for the vendor to do the patching to stay in FDA compliance.

So far, even the biggest HIPAA breaches — notably the 4.5 million patient records stolen from hospital giant Community Health Systems — don’t seem to have generated much change. But the sad truth is that unless hospitals get their act together, focus senior executive attention on the issue, and spend enough money to fix the many vulnerabilities that exist, we’re likely to be at the forefront of a very ugly time indeed.

How Secure Are Wearables?

Posted on October 1, 2014 | Written By John Lynn

JaneenB asks a really fantastic question in this tweet. Making sure that wearables are secure is going to be a really hot topic. Yesterday, I was talking with Mac McMillan from Cynergistek and he suggested that the FDA was ready to make medical device security a priority. I’ll be interested to see what the FDA does to try and regulate security in medical devices, but you can see why this is an important thing. Mac also commented that while it’s incredibly damaging for someone to hack a pacemaker like the one Vice President Cheney had (has?), the bigger threat is the 300 pumps that are installed in a hospital. If one of them can be hacked, they all can be hacked and the process for updating them is not simple.

Of course, Mac was talking about medical device security from more of an enterprise perspective. Now, let’s think about this across millions of wearable devices that are used by consumers. Plus, many of these consumer wearable devices don’t require FDA clearance and so the FDA won’t be able to impose more security restrictions on them.

I’m not really sure of the answer to this problem of wearable security. I think, though, that two steps in the right direction could be for health wearable companies to first build a culture of security into their company and their product. This will add a little bit of expense on the front end, but it will more than pay off on the back end when they avoid security issues which could literally leave the company in financial ruin. Second, we could use some organization to take on the effort of reporting on the security (or lack thereof) of these devices. I’m not sure if this is a Consumer Reports-type organization or a media company. However, I think the idea of someone holding organizations accountable is important.

We’re definitely heading towards a world of many connected devices. I don’t think we have a clear picture of what this means from a security perspective.

Has the Google Glass Hype Passed?

Posted on September 23, 2014 | Written By John Lynn

It seems to me that the hype over Google Glass is done. Enough people started using them and many couldn’t see the apparent value. In fact, some are wondering if Google will continue to invest in it. They’ve gone radio silent on Google Glass from what I’ve seen. We’ll see if they’re planning to abandon the project or if they’re just reloading.

While the future of Google Glass seems unsure to me, I think the idea of always-on, connected computing is still alive and well. Whether it’s eyewear, a watch or some other wearable doesn’t matter to me. Always-on, connected computing is a powerful concept.

I’m also interested in the telemedicine and second-screen approaches that have started using Google Glass in healthcare. Both of these concepts will be an important part of the fabric of health care going forward.

I still remember the wow factor that occurred when I first used Google Glass. It still amazes me today. I just wish it were a little more functional and didn’t hurt my eyes when I used it for long periods.

What do you think of Google Glass and the category of always-on computing? Do you see something I’m missing?

Is The Future of Smart Clothing Modular or Integrated?

Posted on September 4, 2014 | Written By

Kyle is CoFounder and CEO of Pristine, a VC backed company based in Austin, TX that builds software for Google Glass for healthcare, life sciences, and industrial environments. Pristine has over 30 healthcare customers. Kyle blogs regularly about business, entrepreneurship, technology, and healthcare at kylesamani.com.

OMSignal recently raised $10M to build sensors into smart clothes. Sensoria recently raised $5M in pursuit of the same mission, albeit using different tactics. Meanwhile, Apple hired the former CEO of Burberry, Angela Ahrendts, to lead its retail efforts.

And Google is pushing Android Wear in a major way, with significant adoption and uptake by OEMs.

There are two distinct approaches evolving in the smart clothing space. OMSignal, Sensoria, and Apple are taking a full-stack, vertical approach. OMSignal and Sensoria are building sensors into clothing and selling their own clothes directly to consumers. Although Apple hasn’t announced anything to compete with OMSignal or Sensoria, it’s clear they’re heading into the smart clothing space in traditional Apple fashion with the launch of Health, the impending launch of the iWatch, and the hiring of Angela Ahrendts.

Google, on the other hand, is licensing Android Wear to OEM vendors in traditional Google fashion: by providing the operating system and relevant Google services to OEMs, who can customize and configure the devices and compete on retail and marketing. Although Google has yet to announce partnerships with any traditional clothing vendors, it’s inevitable that they’ll license Android Wear to traditional fashion brands that want to produce smart, sensor-laden clothing.

Apple’s vertically integrated model is powerful because it allows Apple to pioneer new markets that require novel implementations utilizing intertwined software and hardware. Pioneering a new form factor is especially difficult when dealing with separate hardware and software vendors and all of the associated challenges: disparate P&Ls, different visions, and unaligned managerial mandates. However, once the new form factor is understood, modular hardware and software companies can quickly optimize each component to drive down costs and create new choices for consumers. This approach has successfully played out in the PC, smartphone, and tablet form factors.

Apple’s model is not well-suited to being the market leader in terms of raw volume. Indeed, Apple optimizes towards the high end, not the masses, and this strategy has served them well. But it will be interesting to see how they, along with other vertically integrated smart-clothing vendors, approach the clothing market. Fashion is already an established industry that is predicated on variety, choice, and personalization; these traits are the antithesis of the Apple model. There’s no way that 20% or even 10% of the population will wear t-shirts, polos, tank tops, dresses, business clothes, etc. (which I’ll collectively call the “t-shirt market”) made by a single company. No one company can so single-handedly dominate the t-shirt market. People simply desire too many choices for that to happen.

OMSignal and Sensoria don’t need to worry about this problem as much as Apple, since they’re targeting niche use cases in fitness and health. However, as they scale and set their sights on the mass consumer market, they will need to figure out a strategy to drive massive personalization. Apple, given its scale and brand, will need to address the personalization problem in the t-shirt market before it enters it.

The t-shirt market is going to be exciting to watch over the coming decades. There are enormous opportunities to be had. Let the best companies win!

Feel free to drop a comment with how you think the market will play out. Will the startups open up their sensors to 3rd party clothing companies? Will Apple? How will Google counteract?