
Despite Abundance of Threats, Few Providers Take Serious Steps To Protect Their Data

Posted on July 27, 2017 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

I scarcely need to remind readers of the immensity of the threats to healthcare data security out there. Not only is healthcare data an attractive target for cybercriminals, the aforementioned keep coming up with new ways to torture security pros (the particularly evil ransomware comes to mind).

Unfortunately, healthcare organizations are also notorious for spending too little on data security. Apparently, this also extends to spending money on information security governance or risk management, according to a new study.

The study is sponsored by Netwrix Corp., which sells a visibility platform for data security and risk mitigation in hybrid environments. (In other words, the following stats are interesting, but keep your bias alert on.)

Researchers found that 95% of responding healthcare organizations don’t use software for information security governance or risk management and that just 31% of respondents said they were well prepared to address IT risks. Still, despite the prevalence of cybersecurity threats, 68% don’t have any staffers in place specifically to address them.

What’s the source of key IT healthcare security threats? Fifty-nine percent of healthcare organizations said they were struggling with malware, and 47% of providers said they’d faced security incidents caused by human error. Fifty-six percent of healthcare organizations saw employees as the biggest threat to system availability and security.

To tackle these problems, 56% of healthcare organizations said they plan to invest in security solutions to protect their data. Unfortunately, though, the majority said they lacked the budget (75%), time (75%) and senior management buy-in (44%) needed to improve their handling of such risks.

So it goes with healthcare security. Most of the industry seems willing to stash security spending needs under a rock until some major headline-grabbing incident happens. Then, it’s all with the apologies and the hand-wringing and the promise to do much better. My guess is that a good number of these organizations don’t do much to learn from their mistake, and instead throw some jerry-rigged patch in place that’s vulnerable to a new attack with new characteristics.

That being said, the study makes the important point that employees directly or indirectly cause many IT security problems. My sense is that the percent of employees actually packaging data or accessing it for malicious purposes is relatively small, but that major problems created by an “oops” are pretty common.

Perhaps the fact that employees are the source of many IT incidents is actually a hopeful trend. Even if an IT department doesn’t have the resources to invest in security experts or new technology, it can spearhead efforts to treat employees better on security issues. Virtually every employee that doesn’t specialize in IT could probably use a brush up on proper security hygiene, anyway. And retraining employees doesn’t call for a lot of funding or major C-suite buy-in.

The Petya Global Malware Incident Hitting Nuance, Merck, and Many Others

Posted on July 3, 2017 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The Petya Malware (or NotPetya or ExPetya) has really hit healthcare in a big way. The biggest impact on the healthcare IT world was the damage it caused to Nuance, but it also hit Merck and some other healthcare systems. After a shaky start to their communication strategy, Nuance seems to finally at least be updating their customers who saw a lot of downtime from when it first started on June 28 until now. This rogue Nuance employee account has been pretty interesting to watch as well. There’s a lesson there about corporate social media policies during a crisis.

Petya was originally classified as ransomware, but experts are now suggesting that it’s not ransomware since it has no way to recover from the damage it’s doing. It’s amazing to think how pernicious a piece of malware is that just destroys whatever it can access. That’s pretty scary as a CIO and it’s no surprise that Petya, WannaCry, and other malware/ransomware is making CIOs “cry.”

It’s been eye opening to see how many healthcare organizations have depended on Nuance’s services and quite frankly the vast number of services they offer healthcare. It’s been extremely damaging for many healthcare organizations and has them rethinking their cloud strategy and even leaving Nuance for competitors like MModal. I’m surprised MModal’s social team hasn’t at least tweeted something about their services still being available online and not affected by Petya.

I’ll be interested to see how this impacts Nuance’s business. Nuance is giving away free versions of their Dragon Medical voice recognition software to customers who can’t use Nuance’s transcription business. Long term I wonder if this will actually help Nuance convert more customers from transcription to voice recognition. In the past 5 days, Nuance’s stock price has dropped $1.54 per share. Considering the lack of effective alternatives and the near monopoly they have in many areas, I’ll be surprised if their business is severely damaged.

As I do with most ransomware and malware incidents, I try not to be too harsh on those experiencing these incidents. The reality is that it can and will happen to all of us. It’s just a question of when and how hard we’ll be hit. It’s the new reality of this hyper connected world. Adding to the intrigue of Petya is that it seems to have been targeted mostly at the Ukraine and companies like Nuance and Merck were just collateral damage. Yet, what damage it’s done.

Earlier today David Chou offered some suggestions on how to prevent ransomware attacks that are worth considering at every organization. The one that stands out most to me with these most recent attacks is proper backups. Here are my 3 simple keys to effective backups:

Layers – Given all the various forms of ransomware, malware, natural disasters, etc, it’s important that you incorporate layers of backups. A real time backup of your systems is great until it replicates the malware in real time to your backup server. Then you’re up a creek without a paddle. An off site backup is great until your off site location has an issue. You need to have layers of backup that take into account all of the ways your data could go bad, be compromised, etc.

Simple – This may seem like a contradiction to the first point, but it’s not. You can have layers of backups and still keep the approach simple and straightforward. Far too often I see organizations with complex backup schemes which are impossible to monitor and therefore stop working effectively. The KISS principle is a good one with backups. If you make it too complex then you’ll never realize that it’s actually failing on you. There’s nothing worse than a failed backup when you think it’s running fine.

Test – If you’ve never tested your backups by actually restoring them, then you’re playing Russian roulette with your data. It’s well known that many backups complete without actually backing up the data properly. The only way to know if your backup really worked is to do a test restore of the data. Make sure you have regularly scheduled tests that actually restore your data to a backup server. Otherwise, don’t be surprised if and when your backup doesn’t restore properly when it’s really needed. Malware events are stressful enough. Knowing you have a good backup that can be restored can soften the blow.

Backups won’t solve all of your problems related to malware, but it’s one extremely important step in the process and a great place to start. Now I’m going to go and run some backups on my own systems and test the restore.
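The "Test" key above, as an added example (not from the original post or its author): a Python script that restores an archive into a scratch directory and compares every restored file against SHA-256 hashes recorded at backup time. The tar.gz format, the function names and the sample files are assumptions constructed for this illustration.

```python
import hashlib
import tarfile
import tempfile
import zlib
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source):
    """Map relative path -> SHA-256 for every file under source, at backup time."""
    source = Path(source)
    return {p.relative_to(source).as_posix(): sha256_file(p)
            for p in sorted(source.rglob("*")) if p.is_file()}


def make_backup(source, archive, skip=()):
    """Write source to a .tar.gz; `skip` simulates a job that silently drops files."""
    source = Path(source)
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            rel = p.relative_to(source).as_posix()
            if p.is_file() and rel not in skip:
                tar.add(p, arcname=rel)


def restore_test(archive, manifest):
    """Restore into a scratch directory and compare each file with the manifest.

    Returns a sorted list of problems; an empty list means the restore matched.
    """
    problems, restored = [], {}
    with tempfile.TemporaryDirectory() as scratch:
        root = Path(scratch).resolve()
        try:
            with tarfile.open(archive, "r:gz") as tar:
                for member in tar:
                    if not member.isfile():
                        continue
                    target = (root / member.name).resolve()
                    if root not in target.parents:  # refuse paths escaping scratch
                        problems.append(f"unsafe path: {member.name}")
                        continue
                    target.parent.mkdir(parents=True, exist_ok=True)
                    with tar.extractfile(member) as src, open(target, "wb") as dst:
                        for chunk in iter(lambda: src.read(1 << 20), b""):
                            dst.write(chunk)
                    # Hash what actually landed on disk, not the archive stream.
                    restored[member.name] = sha256_file(target)
        except (tarfile.TarError, EOFError, OSError, zlib.error) as exc:
            problems.append(f"archive unreadable: {type(exc).__name__}")
    for rel, expected in manifest.items():
        if rel not in restored:
            problems.append(f"missing: {rel}")
        elif restored[rel] != expected:
            problems.append(f"hash mismatch: {rel}")
    return sorted(problems)


def demo():
    """Run three constructed scenarios and return the problems found in each."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "export"
        (source / "charts").mkdir(parents=True)
        # Constructed sample data, not real records.
        (source / "charts" / "0001.txt").write_text("visit note A\n" * 200)
        (source / "charts" / "0002.txt").write_text("visit note B\n" * 200)
        (source / "schedule.csv").write_text("slot,room\n09:00,2\n")
        manifest = build_manifest(source)

        good = work / "good.tar.gz"
        make_backup(source, good)
        partial = work / "partial.tar.gz"  # job "completed" but skipped a file
        make_backup(source, partial, skip={"charts/0002.txt"})
        cut = work / "cut.tar.gz"          # archive truncated in transit or on disk
        cut.write_bytes(good.read_bytes()[: good.stat().st_size // 2])
        return {name: restore_test(path, manifest)
                for name, path in (("good", good), ("partial", partial), ("cut", cut))}


if __name__ == "__main__":
    for scenario, problems in demo().items():
        print(scenario, "OK" if not problems else problems)
```

Keeping the manifest apart from the archive matters here: damage to the backup file then cannot also alter the hashes it is checked against.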

Cost of a Breach, Proper Medical Record Disposal, and Delayed Breach Notifications

Posted on June 22, 2017 | Written By

John Lynn

Time for a quick roundup of HIPAA related tweets from around the Twittersphere. Check out these tweets and we’ll add in a bit of our commentary.


Matt’s correct that it’s not all avoidable, but at $380 per record that’s expensive. Breaches are expensive everywhere, but especially in healthcare. When you look at how insecure various industries are, my guess is that healthcare would be near the top of the list as well. That’s a problem.


I’m with Danika Brinda as well. I have no idea why this is still happening. Are people really that uneducated and naive when it comes to disposal of paper medical records? Hire a company with a great reputation if you’re not sure how to do it properly yourself.


Happens all the time. The fine for the delay is more than the damage of the breach itself. There should be no reason for organizations to delay their efforts to notify patients of a breach. Doing so can be a very expensive prospect. Plus, it’s the right thing to do for the patients.

Why Small Medical Practices Are at Great Risk for a Cyber Attack

Posted on June 14, 2017 | Written By

John Lynn

The good people at ClinicSpectrum recently shared a look at why small practices are at risk for a cyber attack. They label it as why your EHR is at risk for a cyber attack, but I think their list is more specific to small practices as opposed to EHR. Take a look at their list:

Each of these issues should be considered by a small medical practice when it comes to why they are at risk for a cyber attack. However, the first one is one that I see often. Many small practices wonder, “Why would anyone want to hack my office?”

When it comes to that issue, medical practices need to understand how most hackers work. Most hackers aren’t trying to hack someone in particular. Instead, they’re just scouring the internet for easy opportunities. Sure, there are examples where a hacker goes after a specific target. However, the majority are just exploiting whatever vulnerabilities they can find.

This is why it’s a real problem when medical practices think they’re too small or not worth hacking. When you have this attitude, then you leave yourself vulnerable to opportunistic hackers that are just taking advantage of your laziness.

The best thing a medical practice can do to secure their systems is to care enough about having secure systems. You’ll never be 100% secure, but those organizations who act as if they don’t really care about security are almost guaranteed to be hacked. You can imagine how HHS will look at you if you take this approach and then get hacked.

No Duh, FTP Servers Pose PHI Security Risk

Posted on April 12, 2017 | Written By

Anne Zieger

The File Transfer Protocol is so old – it was published in April 1971 – that it once ran on NCP, the predecessor of TCP/IP. And surprise, surprise, it’s not terribly secure, and was never designed to be so either.

Security researchers have pointed out that FTP servers are susceptible to a range of problems, including brute force attacks, FTP bounce attacks, packet capture, port stealing, spoofing attacks and username enumeration.

Also, like many IP specifications designed before standard encryption approaches like SSL were available, FTP servers don’t encrypt traffic, with all transmissions in clear text and usernames, passwords, commands and data readable by anyone sniffing the network.

So why am I bothering to remind you of all of this? I’m doing so because according to the FBI, cybercriminals have begun targeting FTP servers and in doing so, accessing personal health information. The agency reports that these criminals are attacking anonymous FTP servers associated with medical and dental facilities. Plus, don’t even know they have these servers running.

Getting into these servers is a breeze, the report notes. With anonymous FTP servers, attackers can authenticate to the FTP server using meaningless credentials like “anonymous” or “ftp,” or use a generic password or email address to log in. Once they gain access to PHI and personally identifiable information (PII), they’re using it to “intimidate, harass, and blackmail business owners,” the FBI report says.

As readers may know, once these cybercriminals get to an anonymous FTP server, they can not only attack it, but also gain write access to the server and upload malicious apps.

Given these concerns, the FBI is recommending that medical and dental entities ask their IT staff to check their networks for anonymous FTP servers. And if they find any, the organization should at least be sure that PHI or PII aren’t stored on those servers.
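One way IT staff could run the check the FBI recommends, as an added example that is not from the FBI report or the original post: a Python script that tries an anonymous login against each host in the organization's own inventory using the standard ftplib module. The function names and the ftp_factory parameter are assumptions made for this illustration.

```python
import ftplib
import sys


def check_anonymous_ftp(host, port=21, timeout=5, ftp_factory=ftplib.FTP):
    """Report whether host:port accepts an anonymous FTP login.

    ftp_factory is a hypothetical hook added for this example so the logic can
    be tested offline; by default the standard-library ftplib.FTP is used.
    """
    result = {"host": host, "port": port, "status": "no_ftp",
              "banner": "", "top_level_entries": None}
    ftp = ftp_factory()
    try:
        result["banner"] = ftp.connect(host, port, timeout=timeout)
    except ftplib.all_errors:
        return result  # closed port, timeout, or not speaking FTP
    try:
        ftp.login()  # with no arguments ftplib logs in as user "anonymous"
    except ftplib.error_perm:
        result["status"] = "login_refused"  # server is up, anonymous is disabled
    except ftplib.all_errors:
        result["status"] = "error"
    else:
        result["status"] = "anonymous_allowed"
        try:
            # Count top-level names only: enough to tell whether content is exposed.
            result["top_level_entries"] = len(ftp.nlst())
        except ftplib.all_errors:
            pass  # some servers answer 550 for an empty directory
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            ftp.close()
    return result


def audit(hosts, **kwargs):
    """Check every host from your own inventory; return those needing action."""
    results = [check_anonymous_ftp(h, **kwargs) for h in hosts]
    return [r for r in results if r["status"] == "anonymous_allowed"]


if __name__ == "__main__":
    # Usage: python ftp_audit.py host1 host2 ...  (addresses you administer)
    for finding in audit(sys.argv[1:]):
        print(f'{finding["host"]}:{finding["port"]} allows anonymous FTP, '
              f'{finding["top_level_entries"]} top-level entries, '
              f'banner: {finding["banner"]!r}')
```

Any host this reports should be reviewed for stored PHI or PII and have anonymous access turned off or the service retired.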

The obvious question here is why healthcare organizations would host an anonymous FTP server in the first place, given its known vulnerabilities and the wide variety of available alternatives. If nothing else, why not use Secure FTP, which adds encryption for passwords and data transmission while retaining the same interface as basic FTP? Or what about using the HTTP or HTTPS protocol to share files with the world? After all, your existing infrastructure probably includes firewalls, intrusion detection/protection solutions and other technologies already tuned to work with web servers.

Of course, healthcare organizations face a myriad of emerging data security threats. For example, the FDA is so worried about the possibility of medical device attacks that it issued agency guidance on the subject. The agency is asking both device manufacturers and healthcare facilities to protect medical devices from cybersecurity threats. It’s also asking hospitals and healthcare facilities to see that they have adequate network defenses in place.

But when it comes to hosting anonymous FTP servers on your network, I’ve got to say “really?” This has to be a thing that the FBI tracks and warns providers to avoid? One would think that most health IT pros, if not all, would know better than to expose their networks this way. But I suppose there will always be laggards who make life harder for the rest of us!

Wide Ranging Impact of A Healthcare Cybersecurity Attack

Posted on March 8, 2017 | Written By

John Lynn

David Chou recently shared this amazing graphic of the “above the surface” and “beneath the surface” impacts from cyber attacks. The above the surface attacks are those that are better known costs related to an incident. The beneath the surface attacks are the less visible or hidden costs of a cyber attack.

Which of these impacts concerns you most?

If this list of 14 impacts on your organization isn’t enough to wake you up to the importance of cybersecurity, then there isn’t much hope. However, most of the CIOs I’ve seen are well aware of this and it’s why it keeps them up at night.

Hybrid Entities Ripe For HIPAA Enforcement Actions

Posted on February 8, 2017 | Written By

Anne Zieger

As some readers will know, HIPAA rules allow large organizations to separate out parts of the organization which engage in HIPAA-covered functions from those that do not. When they follow this model, known as a “hybrid entity” under HIPAA, organizations must take care to identify the “components” of their organization which engage in functions covered by HIPAA, notes attorney Matthew Fisher in a recent article.

If they don’t, they may get into big trouble, as signs suggest that the Office for Civil Rights will be taking a closer look at these arrangements going forward, according to attorneys. In fact, the OCR recently hit the University of Massachusetts Amherst with a $650,000 fine after a store of unsecured electronic protected health information was breached. This action, the first addressing the hybrid entity standard under HIPAA, asserted that UMass had let this data get breached because it hadn’t treated one of its departments as a healthcare component.

UMass’s troubles began in June 2013, when a workstation at the UMass Center for Language, Speech and Hearing was hit with a malware attack. The malware breach led to the disclosure of patient names, addresses, Social Security numbers, dates of birth, health insurance information and diagnoses and procedure codes for about 1,670 individuals. The attack succeeded because UMass didn’t have a firewall in place.

After investigating the matter, OCR found that UMass had failed to name the Center as a healthcare component which needed to meet HIPAA standards, and as a result had never put policies and procedures in place there to enforce HIPAA compliance. What’s more, OCR concluded that – violating HIPAA on yet another level – UMass didn’t conduct an accurate and thorough risk analysis until September 2015, well after the original breach.

In the end, things didn’t go well for the university. Not only did OCR impose a fine, it also demanded that UMass take corrective action.

According to law firm Baker Donelson, this is a clear sign that the OCR is going to begin coming down on hybrid entities that don’t protect their PHI appropriately or erect walls between healthcare components and non-components. “Hybrid designation requires precise documentation and routine updating and review,” the firm writes. “It also requires implementation of appropriate administrative, technical and physical safeguards to prevent non-healthcare components from gaining PHI access.”

And the process of selecting out healthcare components for special treatment should never end completely. The firm advises that its clients review the status of components whenever they are added – such as, for example, a walk-in or community clinic – or even when new enterprise-wide systems are implemented.

My instinct is that problems like the one taking place at UMass, in which hybrid institutions struggle to separate components logically and physically, are only likely to get worse as healthcare organizations consolidate into ACOs.

I assume that under these loosely consolidated business models, individual entities will still have to mind their own security. But at the same time, if they hope to share data and coordinate care effectively, extensive network interconnections will be necessary, and mapping who can and can’t look at PHI is already tricky. I don’t know what such partners will do to keep data not only within their network, but out of the hands of non-components, but I’m sure it’ll be no picnic.

How Many Points of Vulnerability Do You Have in Your Healthcare Organization?

Posted on December 21, 2016 | Written By

John Lynn

Far too often I hear healthcare CIOs talk about all of the various electronic devices they have in their organization and how this device proliferation has created a really large risk surface that makes their organization vulnerable to breaches and other nefarious actions. This is true to some extent since organizations now have things like:

  • Servers
  • Desktops
  • Mobile Devices
  • Network Devices
  • Internet Access
  • Medical Devices
  • Internet of Things Devices
  • etc

As tech progresses, the number of devices we have in our healthcare organizations is only going to continue to grow. No doubt this can pose a challenge to any Chief Security Officer (CSO). However, I actually think this is the easiest part of a CSO’s job when it comes to making sure a healthcare organization is secure. I think it’s much harder to make sure the people in your organization are acting in a way that doesn’t compromise your organization’s security.

As one hospital CIO told me, “I’m most concerned with the 21,000 security vulnerabilities that existed in my organization. I’m talking about the 21,000 employees.”

Granted, this CIO worked at a very large organization. However, I think he’s right. Creating a security plan for a device is pretty easily accomplished. It will never be perfect, but you can put together a really good, effective plan. People are wild cards. It’s much harder to keep them from doing something that compromises your organization. Especially since the hackers have gotten so pernicious and effective in the tactics they use.

At the end of the day, I look at security as similar to child proofing your house when you have a young child. You’ll never make it 100% completely safe, but you can really mitigate most of the issues that could cause harm to your child. The same is true in your approach to securing your healthcare organization. You can never ensure you won’t have any security incidents, but you can mitigate a lot of the really dangerous things. Then, you just have to deal with the times something surprising happens. Now if we would just care as much about keeping our healthcare organizations secure as we do keeping our children safe, then we’d be in a much better place.

The Teeter Totter of Security and Usability – Tony Scott, US CIO at #CHIME16

Posted on November 15, 2016 | Written By

John Lynn

I was recently at the CHIME Fall Forum and had the privilege of hearing a keynote presentation by Tony Scott, US Federal CIO, that was made possible by Infinite Computer Solutions. Tony Scott has a fascinating background at VMware, Microsoft, Disney and GM which gives him a pretty unique perspective on technology and his topic of cybersecurity.

During Tony’s keynote, he made a great plea for all of us working in healthcare IT when he said:

Cybersecurity is important and there’s something that each one of us can do about it!

When it comes to Cybersecurity I think that many people throw up their arms and think that there’s not much they can do. However, if we all do our small part in improving cybersecurity, then the aggregate result would be powerful. That’s something each of us in healthcare should take seriously as we think of how cybersecurity issues could literally impact the care patients receive going forward.

Along these same lines, Tony Scott also suggested that members of CHIME (largely healthcare CIOs) should work to share with peers. Cybersecurity is such a challenging problem, we have to share and learn from each other. I saw this happening first hand in a few of the cybersecurity sessions I attended at the conference. Healthcare CIOs were happily sharing security best practices with each other. The reality is that everyone in healthcare suffers when healthcare organizations suffer a breach and erode the confidence of patients. So, we all benefit by sharing our experience and knowledge about cybersecurity with each other.

Tony Scott also framed the cybersecurity challenge when he said, “Every time we have a breach, we could think of it as a quality issue.” No doubt this was calling back to his days at GM when quality issues were a major challenge, but what a great way to frame a breach. When there’s a breach, there’s something wrong with the quality of the product we provide our healthcare organizations and ultimately patients. With that mindset, we can go about making sure that the health IT product we provide is of the highest quality.

While I enjoyed each of these insights from Tony Scott’s keynote, I had the unique opportunity to be able to head backstage to the green room to talk privately with Tony Scott and the team from Infinite Computer Solutions that was hosting him as keynote. We had a brief but interesting discussion about his keynote and the challenges of cybersecurity in healthcare.

During our discussion, Tony Scott offered an important insight about the balance of cybersecurity and usability when he compared it to a teeter totter. Far too many organizations treat cybersecurity and usability like a teeter totter. If you make something more secure, then that makes things less usable. If you make things more usable, then they’re going to be less secure. Or at least that’s how many people look at cybersecurity.

In my discussion with Tony, he argued that we need to look at ways to raise the teeter totter up so that there’s not this give and take between security and usability. We should look for ways to make things extremely usable, but also secure. I’d suggest that this is the challenge we must face head on in healthcare over the next decade. Let’s not just settle ourselves with the teeter totter effect of security and usability, but let’s strive to raise the teeter totter up so we preserve both.

Security and Privacy Are Pushing Archiving of Legacy EHR Systems

Posted on September 21, 2016 | Written By

John Lynn

In a recent McAfee Labs Threats Report, they said that “On average, a company detects 17 data loss incidents per day.” That stat is almost too hard to comprehend. No doubt it makes HIPAA compliance officers’ heads spin.

What’s even more disturbing from a healthcare perspective is that the report identifies hospitals as the easy targets for ransomware and that the attacks are relatively unsophisticated. Plus, one of the biggest healthcare security vulnerabilities is legacy systems. This is no surprise to me since I know so many healthcare organizations that set aside, forget about, or de-prioritize security when it comes to legacy systems. Legacy system security is the ticking time bomb of HIPAA compliance for most healthcare organizations.

In a recent EHR archiving infographic and archival whitepaper, Galen Healthcare Solutions highlighted that “50% of health systems are projected to be on second-generation technology by 2020.” From a technology perspective, we’re all saying that it’s about time we shift to next generation technology in healthcare. However, from a security and privacy perspective, this move is really scary. This means that 50% of health systems are going to have to secure legacy healthcare technology. If you take into account smaller IT systems, 100% of health systems have to manage (and secure) legacy technology.

Unlike other industries where you can decommission legacy systems, the same is not true in healthcare where Federal and State laws require retention of health data for lengthy periods of time. Galen Healthcare Solutions’ infographic offered this great chart to illustrate the legacy healthcare system retention requirements across the country:
[Chart: healthcare legacy system retention requirements]

Every healthcare CIO better have a solid strategy for how they’re going to deal with legacy EHR and other health IT systems. This includes ensuring easy access to legacy data along with ensuring that the legacy system is secure.

While many health systems used to leave their legacy systems running off in the corner of their data center or a random desk in their hospital, I’m seeing more and more healthcare organizations consolidating their EHR and health IT systems into some sort of healthcare data archive. Galen Healthcare Solutions has put together this really impressive whitepaper that dives into all the details associated with healthcare data archives.

There are a lot of advantages to healthcare data archives. An archive retains the data to meet record retention laws, provides easy access to the data by end users, and simplifies the security process since you then only have to secure one health data archive instead of multiple legacy systems. While some think that EHR data archiving is expensive, it turns out that the ROI is much better than you’d expect when you factor in the maintenance costs associated with legacy systems together with the security risks associated with these outdated systems and other compliance and access issues that come with legacy systems.

I have no doubt that as EHR vendors and health IT systems continue consolidating, we’re going to have an explosion of legacy EHR systems that need to be managed and dealt with by every healthcare organization. Those organizations that treat this lightly will likely pay the price when their legacy systems are breached and their organization is stuck in the news for all the wrong reasons.

Galen Healthcare Solutions is a sponsor of the Tackling EHR & EMR Transition Series of blog posts on Hospital EMR and EHR.