
Medical Device Security – Where Is the Finger Pointing?

Posted on October 23, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 13 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

If a picture is worth a thousand words, the above picture is worth about 10,000. I think this picture is best summed up by saying that the medical device industry is a heavily regulated industry. You can see why EHR vendors don’t want to be regulated by the FDA. It would get pretty crazy.

This image also illustrates to me why a company that’s built an FDA or medical device compliance capability has something of real value. Navigating the process is not easy and it helps if you’ve been there and done it before.

As to Dr. Wen’s comment on the tweet, there are a lot of challenges when it comes to medical device security. There’s definitely no antivirus, and many are running on old operating systems that can’t be updated. We’re going to have to put some serious thought into how to solve problems like these in future medical devices.

Amazing Live Visualization of Internet Attacks

Posted on October 22, 2014 | Written by John Lynn

I recently heard Elliot Lewis, Dell’s Chief Security Architect, comment that “The average new viruses per day is about 5-10k appearing new each day.” To be honest, I wasn’t quite sure how to process that type of volume of viruses. It felt pretty unbelievable to me even though I figured he was right.

Today, I came across this amazing internet attack map by Norse which illustrates a small portion of the attacks that are happening on the internet in real time. I captured a screenshot of the map below, but you really need to check out the live map to get a feel for how many internet attacks are happening. It’s astounding to watch.

Norse - Internet Attack Map

For those tech nerds out there, here’s the technical description of what’s happening on the map:

Every second, Norse collects and analyzes live threat intelligence from darknets in hundreds of locations in over 40 countries. The attacks shown are based on a small subset of live flows against the Norse honeypot infrastructure, representing actual worldwide cyber attacks by bad actors. At a glance, one can see which countries are aggressors or targets at the moment, using which type of attacks (services-ports).

It’s worth noting that these are the attacks that are happening. Just because something is getting attacked doesn’t mean that the attack was successful. A large majority of the attacks aren’t successful. However, when the volume of attacks is so large (and that map only shows a small portion of them), you only need a small number of them to be successful to wreak a lot of havoc.

If this type of visualization doesn’t make you stop and worry just a little bit, then you’re not human. There’s a lot of crazy stuff going on out there. It’s actually quite amazing that with all the crazy stuff that’s happening, the internet works as well as it does.

Hopefully this visualization will wake up a few healthcare organizations to be just a little more serious about their IT security.

CMS’ HIPAA Risk Analysis Myths and Truths

Posted on October 21, 2014 | Written by John Lynn

I’ve been writing about the need to do a HIPAA Risk Assessment since it was included as part of meaningful use. Many organizations have been really confused by this requirement and no doubt it will be an issue for many organizations that get a meaningful use audit. It’s a little ironic since this really isn’t anything that wasn’t already part of the HIPAA security rule. Although, that illustrates how well we’re doing at complying with the HIPAA security rule.

It seems that CMS has taken note of this confusion around the HIPAA risk assessment as well. Today, they sent out some more guidance, tools and resources to hopefully help organizations better understand the Security Risk Analysis requirement. Here’s a portion of that email that provides some important clarification:

A security risk analysis needs to be conducted or reviewed during each program year for Stage 1 and Stage 2. These steps may be completed outside OR during the EHR reporting period timeframe, but must take place no earlier than the start of the reporting year and no later than the end of the reporting year.

For example, an eligible professional who is reporting for a 90-day EHR reporting period in 2014 may complete the appropriate security risk analysis requirements outside of this 90-day period as long as it is completed between January 1st and December 31st in 2014. For more information, read this FAQ.

Please note:
* Conducting a security risk analysis is required when certified EHR technology is adopted in the first reporting year.
* In subsequent reporting years, or when changes to the practice or electronic systems occur, a review must be conducted.

CMS also created this Security Risk Analysis Tipsheet that has a lot of good information including these myths and facts which address many of the issues I’ve seen and heard:
CMS HIPAA Security Risk Analysis Myths and Facts

Finally, it’s worth reminding people that the HIPAA Security Risk Analysis is not just for your tech systems. Check out this overview of security areas and example measures to secure them to see what I mean:
CMS HIPAA Security Risk Analysis Overview

Have you done your HIPAA Risk Assessment for your organization?

Interesting and Funny Insights Into EHR and Health Information Management

Posted on October 20, 2014 | Written by John Lynn

Last week I had the chance to attend the Craneware Summit in Las Vegas. It was a really interesting event where I had the chance to meet and talk with a wide variety of people from across the spectrum of healthcare. I love getting these added perspectives.

One of the sessions I attended was an E&M session which provided some really interesting insights into the life of an E&M coder and how they look at things. There’s a lot more to their job, but I tweeted these comments because they made me laugh and illustrated part of the challenge they face in a new EMR world.


I thought these immediate responses to the question were interesting. They came from a crowd of HIM and coding professionals. Overall, they were quite supportive of EMR it seemed.


Many doctors don’t understand this. That’s why so many coders still have jobs.


Too funny.


Said like a true coder.

Funny ICD-10 Codes Have Ruined the ICD-10 Branding

Posted on October 17, 2014 | Written by John Lynn

The people at the online physician community QuantiaMD recently sent me a list of the top 3 “Crazy ICD-10 Codes” that they got from their community. It was quite interesting to learn that when they asked their community for these codes, they yielded double the participation the company typically sees. No doubt, physicians have glommed on to these funny and crazy ICD-10 codes. I’ll be honest. I’ve gotten plenty of laughs over some of the funny ICD-10 codes as well. Seriously, you can’t make some of this stuff up. Here’s a look at the top 3 crazy ICD-10 codes they received (and some awesome color commentary from the nominators):

1. W16.221 – Fall into bucket of water, causing drowning and submersion. I didn’t realize mopping the floor was so dangerous!
2. Z63.1 – Problems in relationship with in-laws. Really, who does not?
3. V9733xD – Sucked into jet engine, subsequent encounter. Oops I did it again.

While these codes are amazing and in many respects ridiculous, they’re so over the top that they’ve branded ICD-10 as a complete joke. For every legitimate story about the value of ICD-10 there have probably been 10 stories talking about the funny and crazy ICD-10 codes. You can imagine which story goes viral. Are you going to share the story that talks about improvement in patient care or the one that makes you laugh? How come the story about there being no ICD-9 code for Ebola hasn’t gone viral (Yes, ICD-10 has a code for Ebola)?

Unfortunately, I don’t think the proponents of ICD-10 have done a great job making sure that the dialog on the benefits of ICD-10 is out there as well. Yes, it’s an uphill battle, but most things of worth require a fight and can easily get drowned out by humor and minutiae if you give up. If ICD-10 really is that valuable, then it’s well worth the fight.

My fear is that it might be too late for ICD-10. Changing the ICD-10 brand now that it has been labeled as a joke is going to be nearly impossible. However, there are some key people on the side of ICD-10. CMS for starters. If you can get the law passed, then the ICD-10 branding won’t matter.

One thing I do know is that doing nothing means we’ll get more and more articles about Funny ICD-10 codes and little coverage of why ICD-10 needs to be implemented. I encourage those who see the value in ICD-10 to make sure they’re telling that part of the story. If you don’t have your own platform to share that part of the story, I’ll be happy to offer mine. Just drop me a note on my contact us page.

Are You a Healthcare Data Hoarder?

Posted on October 16, 2014 | Written by John Lynn

I’m thinking I need to start a new healthcare reality TV show called “Healthcare Data Hoarders.” We’ll go into healthcare institutions (after signing our HIPAA lives away), and take a look through all the data a healthcare organization is storing away.

My guess is that we wouldn’t have to look very far to find some really amazing healthcare data hoarders. The healthcare data hoarding I see happening comes in two forms: legacy systems and data warehouses.

Legacy Systems – You know the systems I’m talking about. They’re the ones stored under a desk in the back of radiology. The software is no longer being updated. In fact, the software vendor is often not even around anymore. However, for some reason you think you’re going to need the data off that system that’s 30 years old and only one person in your entire organization knows how to access the legacy software. Yes, I realize there are laws that require healthcare organizations to “hoard” data to some extent. However, many of these legacy systems are well past those legal data retention requirements.

Data Warehouses – These come in all shapes and sizes and for this hoarding article let me suggest that an EHR is kind of a data warehouse (yes, I’m using a really broad definition). Much like a physical hoarder, I see a lot of organizations in healthcare that are gathering virtual piles of data for which they have no use and will likely never find a way to use it. Historically, a data warehouse manager’s job is to try and collect, normalize, and aggregate all of the healthcare organization’s data into one repository. Yes, the data warehouse manager is really the Chief Healthcare Data Hoarder. Gather and protect any and all data you can find.

While I love the idea that we’re collecting data that can hopefully make healthcare better, just collecting data doesn’t do anything to improve healthcare. In fact, it can often retard efforts to leverage healthcare data to improve health. The problem is that the healthcare data that can be leveraged for good is buried under all of this useless data. It takes so much effort to sift through the junk data that people just stop before they even get started.

Are you collecting data and not doing anything with it? I challenge you to remedy that situation.

Is your healthcare organization a healthcare data hoarder?

8 Steps to Creating a Solid EHR Foundation – Breakaway Thinking

Posted on October 15, 2014

The following is a guest blog post by Noelle Whang, Sr. Instructional Designer at The Breakaway Group (A Xerox Company). Check out all of the blog posts in the Breakaway Thinking series.
Implementing an electronic health record (EHR) is a huge undertaking, but the work after go live can be even more demanding. Mapping and redesigning workflows is an important aspect of EHR implementation and optimization that is often overlooked, especially after the application has been live for a while.  This seemingly simple but complex task involves diagraming and analyzing all current work processes and adjusting them to include use of a new EHR system or upgrade, or to be more effective with a current system.

Workflow mapping and redesign should occur before implementation and regularly after go live to ensure end users truly adopt the EHR and organizational benefits are realized. Following these eight steps can ease the task of mapping workflows to identify any that should be adjusted to maximize optimization:

  1. Identify what workflows will need to be mapped in detail. “Understanding the full clinical context for health IT to the level of task, resources, and workflow is a necessary prerequisite for successful adoption of health IT,” according to a Perspectives in Health Information Management article. It’s helpful to first map out the entire patient care process at a high level, such as from registration to discharge in the inpatient setting and scheduling to check-out in the ambulatory setting. Documenting how business is performed at a high-level facilitates identifying the more granular tasks that need to be mapped in detail, such as scheduling a patient appointment or placing verbal orders. It also helps in identifying all the roles involved in each workflow, as these can vary depending on the department or patient process. For example, discharging a patient from Labor and Delivery may include roles, such as a lactation nurse and pediatrician, not found in other departments. Remember to also consider departments or patient processes that are often overlooked, such as Materials Management and Respiratory Therapy. Other areas of concentration should be those with lower productivity or that relate to how the organization is going to determine return on investment.
  2. Identify teams to map out each process. After identifying what workflows need to be mapped, establish the team that will do the actual mapping. Usually, individuals who perform a particular workflow or those who are responsible for implementing any redesign changes are best suited to map workflows, as they have in-depth knowledge of the process. For example, select one registrar, one nurse and one physician to map out all workflows in the Emergency Department.
  3. Determine the process for mapping the workflows. Once the team has been identified, determine how information about workflows will be gathered, documented, and visually represented. The process for gathering information can be through interviews, observation, or meetings. The information can be documented with tools such as Microsoft Word or Visio or simply on paper. The data can be represented in formats such as a swim lane chart, a flow process chart or other process diagrams. In my experience mapping out workflows, the most commonly used format is a swim lane chart created through Visio. And remember: Internal staff will most likely need to be trained on how to gather the data and use the appropriate tools.
  4. Map the workflow as actually performed. After determining how information is gathered and documented, create the actual workflow diagrams. Document all work as it is currently being performed, including any undesirable behavior such as workarounds or inconsistencies. For a case study on how one organization created their workflow diagrams, see the following Journal of American Medical Information Association article.
  5. Analyze the workflow. Once the workflows are diagramed, begin the analysis. If a vendor has not been selected, use the diagrams to determine if a particular application fits the needs of your organization, with the caveat that it is neither feasible nor desirable to keep workflows exactly the same after an implementation. If the application is already in place, the diagrams can be used to determine where problems are occurring, what the root cause is, and how to fix them. The diagrams can also be used to determine where optimization or efficiencies may be gained.
  6. Document the new workflow. Once the analysis is complete and you have determined what workflows are currently not working for your organization, document the new and improved workflow. It is a good idea to take the new workflows through a couple of use-case scenarios to ensure that the updates are not causing other problems or unintended consequences.
  7. Update or create policies and procedures. New or updated policies and procedures may be necessary to implement and support the new workflow. This can include determining consequences for any end users that do not adhere to the new workflows. Note that this also requires thinking about how non-adherence will be identified, perhaps through routine application audits or quarterly in-department observation.
  8. Train staff. After all the hard lifting of creating the workflow diagrams, analyzing the processes and updating the workflows, the last step is to train end users on the new workflows, policies and procedures. Remember to convey why the changes are occurring, and if possible, tie the reasons to big-ticket items such as increasing patient safety and satisfaction.

It’s easy to focus entirely on big tasks such as vendor selection and system configuration when implementing an EHR, but neglecting workflows can have serious negative impacts, including costly reconfigurations and operational inefficiencies.  It’s like building a house where each individual room is perfect, but the doors are all in the wrong place. With poor design you end up having to go through the closet to get to the kitchen, or even worse the foundation may begin to crack.  Similarly, with poorly designed EHR workflows, you can end up with duplicate documentation, activities that take more time than they should, and workarounds or shortcuts that can lead to negative consequences. Set your healthcare organization up for success and create a solid foundation by making workflow mapping and redesign a priority.

Xerox is a sponsor of the Breakaway Thinking series of blog posts. The Breakaway Group is a leader in EHR and Health IT training.

Are You HIPAA Secure?

Posted on October 14, 2014 | Written by John Lynn

I was recently asked to provide some tips on health IT and data security for a healthcare lawyer’s website. You can see the final blog post here, but I thought I’d share the 3 suggestions and tips I sent to them.

1. Encrypt all of your computers that store PHI (Protected Health Information) – If your hard drive is lost or stolen and it’s not encrypted, you’ll pay the price big time. However, if it’s encrypted you won’t have to worry nearly as much.

2. Avoid Sending SMS Messages with PHI – SMS is not HIPAA secure and there are plenty of high quality secure, HIPAA compliant text message options out there. Find one you like and use it. While being secure it also has other features like the ability to see if the recipient has read the message or not.

3. Do a HIPAA Risk Assessment – Not only is this required by HIPAA and meaningful use, it’s a good thing to do for your patients. Don’t fake your way through the assessment. Really dig into the privacy and security risks of your organization and make reasonable choices to make sure that you’re protecting your health data.

No doubt there’s a lot more that could be said about this topic, but I think these three areas are a good place to start. A huge portion of the HIPAA breaches that have occurred could have been prevented by doing these three things.

If you have other suggestions for people, I’d love to hear them in the comments. I’m sure there are some more obvious ones that I’ve missed.

Google Helpouts Tested in Google Search Results – Dr. Google?

Posted on October 13, 2014 | Written by John Lynn

It was first noticed by someone on Reddit and then confirmed by Engadget that Google has been testing a Google Helpout style feature which offers a telemedicine video visit with a doctor. You can see an image of the test Google search telemedicine integration below:
Google Helpout - Google Search Integration

This is a really interesting integration for a number of reasons. First, Google wasn’t charging for these initial test visits, but would no doubt charge for these visits in the future. Second, it takes an Act of God to get Google to integrate something into their cash cow: search results. That should tell us how serious Google is about doing these types of integrations.

I can already hear the naysayers who think this is a terrible idea. They might be right as a business. We’ll have to see how that plays out. The reimbursement model could be a challenging one. Plus, there are plenty of reasons why this won’t work. Google will have to get really good at knowing when to offer a visit and when not to offer a visit. We’ll see if they want to make the investment required to understand when the visit is something that should be encouraged and when it shouldn’t be encouraged.

One thing I’ve observed with Telemedicine is that it can really work well…if you have the right situation. The reason Telemedicine has gotten a bad rap is that the naysayers have plenty of ammo they can use to explain why Telemedicine could be a terrible thing. These naysayers are correct. There are a bunch of healthcare situations where a telemedicine visit just isn’t going to work. However, just because something doesn’t solve 100% of the situations doesn’t mean it shouldn’t be used for the 30% of the time (I think it could be more than this) that it’s a beautifully elegant solution that’s just as effective as an in-office visit.

As noted, this was just a trial by Google. Google is well known for trying things to see how they do and then scrapping them after the trial. So, we’ll see how this goes. It does seem that Google can’t keep its hands out of healthcare. I think they see the trillion dollar industry and just can’t resist.

Patient Shark Tank at Digital Health Conference

Posted on October 10, 2014 | Written by John Lynn

As most of you know, I’ve been working with NYeC to promote the Digital Health Conference since the very first Digital Health Conference 4 years ago. It’s a great event and I get a chance to meet many of you readers there. Plus, I just love spending time in NYC. If you’ve never been, you can register here (20% off your registration when you use the discount code: HCS).

I just heard about a new feature at the conference this year: The Patient Shark Tank. Here’s a description of what they have in store:

How do we ensure that the patient voice is amplified in the design, the development, or enhancement of innovations created FOR the patient? Patient communities are emerging as key influencers and disrupting the healthcare landscape. They are impacting strategies, policies, and setting the stage for new patient-centric innovations. Patients are now sought after thought leaders influencing the way healthcare systems think about and interact with patients and prodding them to improve the patient experience.

Join us as our judges rate innovations from the patient and caregiver perspective and innovators build their perspective into the innovations designed to serve them. As each innovator pitches their concept or initiative, our patient and caregiver panelists will ask targeted questions based on their experiences to understand how the innovation uniquely addresses patient needs. In addition, we will integrate clinician perspective to understand whether a doctor would prescribe the innovation to their patients.

I’m a huge fan of Shark Tank, so I love the idea. I only hope that they’ve got a line up of judges that are as entertaining as Shark Tank. Sometimes these events can get pretty bland if they choose judges who are shy about sharing their opinions on a company or product. That doesn’t benefit the companies or the audience.

Unfortunately, you won’t have much time to get your idea submitted. The deadline to apply to pitch your innovative concept or initiative is Thursday, October 16th. I look forward to seeing what ideas get pitched at the event.