Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Whitepaper: Is Windows 10 HIPAA Compliant?

Posted on February 22, 2017 I Written By

The following is a guest blog post by Steven Marco, CISA, ITIL, HP SA and President of HIPAA One®.
Steven Marco - HIPAA expert
HIPAA One has collaborated with Microsoft on a new whitepaper that addresses Windows 10 and HIPAA compliance.

The whitepaper, HIPAA Compliance with Microsoft Windows 10 Enterprise, provides guidance on how to leverage Microsoft Windows 10 as a HIPAA-compliant, baseline operating system for functionality and security. Additionally, the paper tackles head on (and debunks) the myth that Microsoft Windows is not HIPAA compliant.
In light of the recent focus on HIPAA enforcement actions; hospitals, clinics, healthcare clearinghouses and business associates are trying to understand how to manage modern operating systems with cloud features to meet HIPAA regulatory mandates. Along with adhering to HIPAA, many healthcare organizations are under pressure to broadly embrace the benefits of cloud computing and manage the security implications.

Microsoft has invested heavily in security and privacy technologies to address and mitigate today’s threats. Windows 10 Enterprise has been designed to be the most user-friendly Windows yet and includes deep architectural advancements that have changed the game when navigating hacking and malware threats. For this reason, organizations in every industry, including the Pentagon and Department of Defense have upgraded to Windows 10 Enterprise to improve their security posture. However, as with all software upgrades; functionality, security and privacy implications must be understood and addressed.

The intersection between HIPAA compliance and main stream applications can often be confusing to navigate. This industry-leading whitepaper addresses the questions and concerns that are currently top-of-mind for healthcare IT and legal professionals responsible for managing ePHI and maintain HIPAA compliance.

Download your copy today and learn now Microsoft Windows 10 Enterprise enables its users to meet and/or exceed their HIPAA Security and Privacy requirements.

About Steven Marco
Steven Marco is the President of HIPAA One®, leading provider of HIPAA Risk Assessment software for practices of all sizes.  HIPAA One is a proud sponsor of EMR and HIPAA and the effort to make HIPAA compliance more accessible for all practices.  Are you HIPAA Compliant?  Take HIPAA One’s 5 minute HIPAA security and compliance quiz to see if your organization is risk or learn more at HIPAAOne.com.

Consumers Fear Theft Of Personal Health Information

Posted on February 15, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Probably fueled by constant news about breaches – duh! – consumers continue to worry that their personal health information isn’t safe, according to a new survey.

As the press release for the 2017 Xerox eHealth Survey notes, last year more than one data breach was reported each day. So it’s little wonder that the survey – which was conducted online by Harris poll in January 2017 among more than 3,000 U.S. adults – found that 44% of Americans are worried about having their PHI stolen.

According to the survey, 76% of respondents believe that it’s more secure to share PHI between providers through a secure electronic channel than to fax paper documents. This belief is certainly a plus for providers. After all, they’re already committed to sharing information as effectively as possible, and it doesn’t hurt to have consumers behind them.

Another positive finding from the study is that Americans also believe better information sharing across providers can help improve patient care. Xerox/Harris found that 87% of respondents believe that wait times to get test results and diagnoses would drop if providers securely shared and accessed patient information from varied providers. Not only that, 87% of consumers also said that they felt that quality of service would improve if information sharing and coordination among different providers was more common.

Looked at one way, these stats offer providers an opportunity. If you’re already spending tens or hundreds of millions of dollars on interoperability, it doesn’t hurt to let consumers know that you’re doing it. For example, hospitals and medical practices can put signs in their lobby spelling out what they’re doing by way of sharing data and coordinating care, have their doctors discuss what information they’re sharing and hand out sheets telling consumers how they can leverage interoperable data. (Some organizations have already taken some of these steps, but I’d argue that virtually any of them could do more.)

On the other hand, if nearly half of consumers afraid that their PHI is insecure, providers have to do more to reassure them. Though few would understand how your security program works, letting them know how seriously you take the matter is a step forward. Also, it’s good to educate them on what they can do to keep their health information secure, as people tend to be less fearful when they focus on what they can control.

That being said, the truth is that healthcare data security is a mixed bag. According to a study conducted last year by HIMSS, most organizations conduct IT security risk assessments, many IT execs have only occasional interactions with top-level leaders. Also, many are still planning out their medical device security strategy. Worse, provider security spending is often minimal. HIMSS notes that few organizations spend more than 6% of their IT budgets on data security, and 72% have five or fewer employees allocated to security.

Ultimately, it’s great to see that consumers are getting behind the idea of health data interoperability, and see how it will benefit them. But until health organizations do more to protect PHI, they’re at risk of losing that support overnight.

Hybrid Entities Ripe For HIPAA Enforcement Actions

Posted on February 8, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As some readers will know, HIPAA rules allow large organizations to separate out parts of the organization which engage in HIPAA-covered functions from those that do not. When they follow this model, known as a “hybrid entity” under HIPAA, organizations must take care to identify the “components” of its organization which engage in functions covered by HIPAA, notes attorney Matthew Fisher in a recent article.

If they don’t, they may get into big trouble, as signs suggest that the Office for Civil Rights will be taking a closer look at these arrangements going forward, according to attorneys.  In fact, the OCR recently hit the University of Massachusetts Amherst with a $650,000 fine after a store of unsecured electronic protected health information was breached. This action, the first addressing the hybrid entity standard under HIPAA, asserted that UMass had let this data get breached because it hadn’t treated one of its departments as a healthcare component.

UMass’s troubles began in June 2013, when a workstation at the UMass Center for Language, Speech and Hearing was hit with a malware attack. The malware breach led to the disclosure of patient names, addresses, Social Security numbers, dates of birth, health insurance information and diagnoses and procedure codes for about 1,670 individuals. The attack succeeded because UMass didn’t have a firewall in place.

After investigating the matter, OCR found that UMass had failed to name the Center as a healthcare component which needed to meet HIPAA standards, and as a result had never put policies and procedures in place there to enforce HIPAA compliance. What’s more, OCR concluded that – violating HIPAA on yet another level – UMass didn’t conduct an accurate and thorough risk analysis until September 2015, well after the original breach.

In the end, things didn’t go well for the university. Not only did OCR impose a fine, it also demanded that UMass take corrective action.

According to law firm Baker Donelson, this is a clear sign that the OCR is going to begin coming down on hybrid entities that don’t protect their PHI appropriately or erect walls between healthcare components and non-components. “Hybrid designation requires precise documentation and routine updating and review,” the firm writes. “It also requires implementation of appropriate administrative, technical and physical safeguards to prevent non-healthcare components from gaining PHI access.”

And the process of selecting out healthcare components for special treatment should never end completely. The firm advises its clients review the status of components whenever they are added – such as, for example, a walk-in or community clinic – or even when new enterprise-wide systems are implemented.

My instinct is that problems like the one taking place at UMass, in which hybrid institutions struggle to separate components logically and physically, are only likely to get worse as healthcare organizations consolidate into ACOs.

I assume that under these loosely consolidated business models, individual entities will still have to mind their own security. But at the same time, if they hope to share data and coordinate care effectively, extensive network interconnections will be necessary, and mapping who can and can’t look at PHI is already tricky. I don’t know what such partners will do to keep data not only within their network, but out of the hands of non-components, but I’m sure it’ll be no picnic.

Consumers Want Their Doctors To Offer Video Visits

Posted on February 6, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A new survey by telemedicine provider American Well has concluded that many consumers are becoming interested in video visits, and that some of consumers would be willing to switch doctors to get video visits as part of their care. Of course, given that American Well provides video visits this is a self-interested conclusion, but my gut feeling is that it’s on target nonetheless.

According to the research, 72% of parents with children under 18 were willing to see a doctor via video, as well as 72% of consumers aged 45-54 and 53% of those over age 65. Americal Well’s study also suggests that the respondents see video visits as more effective than in-person consults, with 85% reporting that a video visit resolved their issues, as compared with 64% of those seeing a doctor in a brick-and-mortar setting.

In addition, respondents said they want their existing doctors to get on board. Of those with a PCP, 65% were very or somewhat interested in conducting video visits with their PCP.  Meanwhile, 20% of consumers said they would switch doctors to get access to video visits, a number which rises to 26% among those aged 18 to 34, 30% for those aged 35 to 44 and and 34% for parents of children under age 18.

In addition to getting acute consults via video visit, 60% of respondents said that they would be willing to use them to manage a chronic condition, and 52% of adults reported that they were willing to participate in post-surgical or post-hospital-discharge visits through video.

Consumers also seemed to see video visits as a useful way to help them care for ill or aging family members. American Well found that 79% of such caregivers would find this approach helpful.

Meanwhile, large numbers of respondents seemed interested in using video visits to handle routine chronic care. The survey found that 78% of those willing to have a video visit with a doctor would be happy to manage chronic conditions via video consults with their PCP.

What the researchers draw from all of this is that it’s time for providers to start marketing video visit capabilities. Americal Well argues that by promoting these capabilities, providers can bring new patients into their systems, divert patients away from the ED and into higher-satisfaction options and improve their management of chronic conditions by making it easier for patients to stay in touch.

Ultimately, of course, providers will need to integrate video into the rest of their workflow if this channel is to mature fully. And providers will need to make sure their video visits meet the same standards as other patient interactions, including HIPAA-compliant security for the content, notes Dr. Sherry Benton of TAO Connect. Providers will also need to figure out whether the video is part of the official medical record, and if so, how they will share copies if the patient request them. But there are ways to address these issues, so they shouldn’t prevent providers from jumping in with both feet.

5 Lessons In One Big HIPAA Penalty

Posted on February 2, 2017 I Written By

The following is a guest blog post by Mike Semel, President and Chief Compliance Officer at Semel Consulting.

The federal Office for Civil Rights just announced a $ 3.2 million penalty against Children’s Medical Center of Dallas.

5 Lessons Learned from this HIPAA Penalty

  1. Don’t ignore HIPAA
  2. Cooperate with the enforcers
  3. Fix the problems you identify
  4. Encrypt your data
  5. Not everyone in your workforce should be able to access Protected Health Information

If you think complying with HIPAA isn’t important, is expensive, and annoying, do you realize you could be making a $3.2 million decision? In this one penalty there are lots of hidden and not-so-hidden messages.

1. A $ 3.2 million penalty for losing two unencrypted devices, 3 years apart.

LESSON LEARNED: Don’t ignore HIPAA.

If Children’s Medical Center was paying attention to HIPAA as it should have, it wouldn’t be out $3.2 million that should be used to treat children’s medical problems. Remember that you protecting your patients’ medical information is their Civil Right and part of their medical care.

2. This is a Civil Money Penalty, not a Case Resolution.

What’s the difference? A Civil Money Penalty is a fine. It could mean that the entity did not comply with the investigation; (as in this case) did not respond to an invitation to a hearing; or did not follow corrective requirements from a case resolution. Most HIPAA penalties are Case Resolutions, where the entity cooperates with the enforcement agency, and which usually results in a lower dollar penalty than a Civil Money Penalty.

LESSON LEARNED: Cooperate with the enforcers. No one likes the idea of a federal data breach investigation, but you could save a lot of money by cooperating and asking for leniency. Then you need to follow the requirements outlined in your Corrective Action Plan.

3. They knew they had security risks in 2007 and never addressed them until 2013, after a SECOND breach.

Children’s Medical Center had identified its risks and knew it needed to encrypt its data as far back as 2007, but had a breach of unencrypted data in 2010 and another in 2013.

LESSON LEARNED: Don’t be a SLOW LEARNER. HIPAA requires that you conduct a Security Risk Analysis AND mitigate your risks. Self-managed risk analyses can miss critical items that will result in a breach. Paying for a risk analysis and filing away the report without fixing the problems can turn into a $ 3.2 million violation. How would you explain that to your management, board of directors, your patients, and the media, if you knew about a risk and never did anything to address it? How will your management and board feel about you when they watch $3.2 million be spent on a fine?

4. There is no better way to protect data than by encrypting it.

HIPAA gives you some leeway by not requiring you to encrypt all of your devices, as long as the alternative methods to secure the data are as reliable as encryption. There’s no such thing.

If an unencrypted device is lost or stolen, you just proved that your alternative security measures weren’t effective. It amazes me how much protected data we find floating around client networks. Our clients swear that their protected data is all in their patient care system; that users are given server shares and always use them; that scanned images are directly uploaded into applications; and that they have such good physical security controls that they do not need to encrypt desktop computers and servers.

LESSON LEARNED: You must locate ALL of your data that needs to be protected, and encrypt it using an acceptable method with a tracking system. We use professional tools to scan networks looking for protected data.

5. Not everyone in your workforce needs access to Protected Health Information.

We also look at paper records storage and their movement. This week we warned a client that we thought too many workforce members had access to the rooms that store patient records. The Children’s Medical Center penalty says they secured their laptops but “provided access to the area to workforce not authorized to access ePHI.”

LESSON LEARNED: Is your Protected Health Information (on paper and in electronic form) protected against unauthorized physical access by your workforce members not authorized to access PHI?

You can plan your new career after your current organization gets hit with a preventable $ 3.2 million penalty, just like Children’s Medical Center. Or, you can take HIPAA seriously, and properly manage your risks.

Your choice.

About Mike Semel
mike-semel-hipaa-consulting
Mike Semel is the President and Chief Compliance Officer for Semel Consulting. He has owned IT businesses for over 30 years, has served as the Chief Information Officer for a hospital and a K-12 school district, and as the Chief Operating Officer for a cloud backup company. Mike is recognized as a HIPAA thought leader throughout the healthcare and IT industries, and has spoken at conferences including NASA’s Occupational Health conference, the New York State Cybersecurity conference, and many IT conferences. He has written HIPAA certification classes and consults with healthcare organizations, cloud services, Managed Service Providers, and other business associates to help build strong cybersecurity and compliance programs. Mike can be reached at 888-997-3635 x 101 or mike@semelconsulting.com.

Healthcare Robots! – #HITsm Chat Topic

Posted on January 31, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

We’re excited to share the topic and questions for this week’s #HITsm chat happening Friday, 2/3 at Noon ET (9 AM PT). This week’s chat will be hosted by Mr RIMP (@MrRimp, Robot-In-My-Pocket), mascot of the first ever #HIMSS17 Innovation Makerspace! (Booth 7785) (with assistance from @wareflo) We’ll be discussing the topic “Healthcare Robots!” and so it seems appropriate to have a robot hosting the chat.

In a first, #HIMSS17 has a #makerspace (Booth 7785), in the HIMSS17 Innovation Zone. It has robots! They are rudimentary, but educational and fun. One of those robots is @MrRIMP, for Robot-In-My-Pocket. Here is an YouTube interview with @MrRIMP. As you can tell, little Mr. R. has a bit of an attitude. He also wrote the questions below and will moderate tweets about them during the #HITsm tweetchat.

From the recent “How medical robots will change healthcare” (@PeterBNichol), there are three main areas of robotic health:

1. Direct patient care robots: surgical robots (used for performing clinical procedures), exoskeletons (for bionic extensions of self like the Ekso suit), and prosthetics (replacing lost limbs).  Over 500 people a day loses a limb in America with 2 million Americans living with limb loss according to the CDC.

2. Indirect patient care robots: pharmacy robots (streamlining automation, autonomous robots for inventory control reducing labor costs), delivery robots (providing medical goods throughout a hospital autonomously), and disinfection robots (interacting with people with known infectious diseases such as healthcare-associated infections or HAIs).

3. Home healthcare robots: robotic telepresence solutions (addressing the aging population with robotic assistance).

Before the #HITsm tweetchat I hope you’ll watch Robot & Frank, about a household robot and an increasingly infirm retiree (86% on Rotten Tomatoes, available on YouTube, Amazon, Itunes, Vudu, and Google for $2.99) I’ll also note a subcategory to the direct care robots: pediatric therapy robots. Consider, for example, New Friends 2016, The Second International Conference on Social Robots in Therapy and Education. I, Mr. RIMP, have a special interest in this area.

Join us as we discuss Healthcare Robots during the February 3rd #HITsm chat. Here are the questions we’ll discuss:

T1: What is your favorite robot movie? Why? How many years in the future would you guess it will take to achieve similar robots? #HITsm

T2: Robots promise to replace a lot of human labor. Cost-wise, humanity-wise, will this be more good than bad, or more bad than good? #HITsm

T3: Have you played with, or observed any “toy” robots. Impressed? Not impressed? Why? #HITsm

T4: IMO, “someday” normal, everyday people will be able design and program their own robots. What kind of robot would you design for healthcare? #HITsm

T5: Robots and workflow? Connections? Think about healthcare robots working *together* with healthcare workers. What are potential implications? #HITsm

Bonus: Isn’t @MrRIMP (Robot-In-My-Pocket) the cutest, funniest, little, robot you’ve ever seen? Any suggestions for the next version (V.4) of me? #HITsm

Here’s a look at the upcoming #HITsm chat schedule:
2/10 – Maximizing Your HIMSS17 Experience – Whether Attending Physically or Virtually
Hosted by Steve Sisko (@HITConfGuy and @shimcode)

2/17 – Enough talk, lets #GSD (Get Stuff Done)
Hosted by Burt Rosen (@burtrosen) from @healthsparq

2/24 – HIMSSanity Recovery Chat
With #HIMSS17 happening the week of this chat, we’ll take the week off from a formal chat. However, we encourage people that attended HIMSS or watched HIMSS remotely to share a “Tweetstorm” that tells a #HIMSS17 story, shares insights about a topic, rants on a topic of interest, or shows gratitude. Plus, it will be fun to test out a new form of tweetstorm Twitter chat. We’ll post more details as we get closer.

We look forward to learning from the #HITsm community! As always let us know if you have ideas for how to make #HITsm better.

If you’re searching for the latest #HITsm chat, you can always find the latest #HITsm chat and schedule of chats here.

Health IT Leaders Struggle With Mobile Device Management, Security

Posted on January 30, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A new survey on healthcare mobility has concluded that IT leaders aren’t thrilled with their security arrangements, and that a significant minority don’t trust their mobile device management solution either. The study, sponsored by Apple device management vendor Jamf, reached out to 550 healthcare IT leaders in the US, UK, France, Germany and Australia working in organizations of all sizes.

Researchers found that 83% or organizations offer smartphones or tablets to their providers, and that 32% of survey respondents hope to offer mobile devices to consumers getting outpatient care over the next two years.  That being said, they also had significant concerns about their ability to manage these devices, including questions about security (83%), data privacy (77%) and inappropriate employee use (49%).

The survey also dug up some tensions between their goals and their capacity to support those goals. Forty percent of respondents said staff access to confidential medical records while on the move was their key reason for their mobile device strategy. On the other hand, while 84% said that their organization was HIPAA-compliant, almost half of respondents said that they didn’t feel confident in their ability to adapt quickly to changing regulations.

To address their concerns about mobile deployments, many providers are leveraging mobile device management platforms.  Of those organizations that either have or plan to put an MDM solution in place, 80% said time savings was the key reason and 79% said enhanced employee productivity were the main benefits they hoped to realize.

Those who had rolled out an MDM solution said the benefits have included easier access to patient data (63%), faster patient turnaround (51%) and enhanced medical record security (48%). At the same time, 27% of respondents whose organizations had an MDM strategy in place said they didn’t feel especially confident about the capabilities of their solution.

In any event, it’s likely that MDM can’t solve some of the toughest mobile deployment problems faced by healthcare organizations anyway.

Health organizations that hope to leverage independently-developed apps will need to vet them carefully, as roughly one-quarter of these developers didn’t have privacy policies in place as of late last year. And the job of selecting the right apps is a gargantuan one. With the volume of health apps hitting almost 260,000 across the Google and Apple app marketplaces, it’s hard to imagine how any provider could keep up.

So yes, the more capabilities MDM systems can offer, the better. But choosing the right apps with the right pedigree strikes me as posing an even bigger challenge.

Key Components of #HealthIT Strategy and Disaster Recovery – #HITsm Chat Topic

Posted on January 24, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

We’re excited to share the topic and questions for this week’s #HITsm chat happening Friday, 1/27 at Noon ET (9 AM PT). This week’s chat will be hosted by Bill Esslinger (@billesslinger) from @FogoDataCenters on the topic of “Key Components of Health IT Strategy and Disaster Recovery“.

Medical records are worth more on the Black Market than credit cards. The value is greater because a medical record contains multiple credentials that can be used by hackers more than once or twice. A medical record contains not only a social security number but additional qualifying information, allowing thieves to penetrate layers of data, and conduct multiple acts of fraud before the data is even missing.

As healthcare organizations embark on the improved use of data sets, from analytics to precision medicine and value based care, Cybersecurity rises to the number one concern for CIO’s.

How secure is your cloud based data strategy?

Consideration must be given to the different models of service

With each delivery model: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS), comes a new set of requirements and responsibilities. The key considerations for deployment and ongoing data management include on-demand 24/7 access to critical healthcare information, support for big data and small data sets, traceability, HIPAA compliance and a thorough understanding of the healthcare environment from both a security and a legal perspective.

Join us as we discuss Key Components of #HealthIT Strategy and Disaster Recovery during the January 27th #HITsm chat.

T1: How can we prepare for the unexpected in data security? #HITsm

T2: Are we making Cybersecurity a priority in risk management? #HITsm

T3: Is Your Prevention Strategy Scalable for a Ransomware Attack? #HITsm

T4: What are the top threats regarding healthcare data today? #HITsm

T5: What Service Levels are Necessary for Redundancy in Data, Power, Cooling, and Connectivity? #HITsm

Bonus: Do you worry about the security of your health information? Why or why not? #HITsm

About Fogo Data Centers
Fogo Data Centers are SSAE16, SOCII, and HIPAA compliant as well as PCI compliant. Each site provides redundancies across all support systems. Our centers of excellence provide flexible and scalable solutions to protect your critical data and applications. Colocation at a Fogo Data Centers can ease the cost of building your own facility and maintaining your own on-site dedicated servers. Properties feature full perimeter fencing with an electric gate requiring keycard access and audio/video check-in.

Our hashtag is #KnowYourCloud. We stand ready 24/7, with years of experience, integrity and legal know-how, to protect data and securely manage your cloud strategy. In the event of a disaster or incident the Fogo team can have your facility back-up and running within hours. Call us today or take a look at our facility page to learn more.

Here’s a look at the upcoming #HITsm chat schedule:

2/3 – Healthcare Robots!
Hosted by Mr RIMP (@MrRimp, Robot-In-My-Pocket), mascot of the first ever #HIMSS17 Innovation Makerspace! (Booth 7785) (with assistance from @wareflo)

2/10 – Maximizing Your HIMSS17 Experience – Whether Attending Physically or Virtually
Hosted by Steve Sisko (@HITConfGuy and @shimcode)

2/17 – Enough talk, lets #GSD (Get Stuff Done)
Hosted by Burt Rosen (@burtrosen) from @healthsparq

2/24 – HIMSSanity Recovery Chat
With #HIMSS17 happening the week of this chat, we’ll take the week off from a formal chat. However, we encourage people that attended HIMSS or watched HIMSS remotely to share a “Tweetstorm” that tells a #HIMSS17 story, shares insights about a topic, rants on a topic of interest, or shows gratitude. Plus, it will be fun to test out a new form of tweetstorm Twitter chat. We’ll post more details as we get closer.

We look forward to learning from the #HITsm community! As always let us know if you have ideas for how to make #HITsm better.

If you’re searching for the latest #HITsm chat, you can always find the latest #HITsm chat and schedule of chats here.

The “Disconnects” That Threaten The Connected World

Posted on January 11, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

I’m betting that most readers are intimately familiar with the connected health world. I’m also pretty confident that you’re pretty excited about its potential – after all, who wouldn’t be?  But from what I’ve seen, the health IT world has paid too little attention to problems that could arise in building out a connected health infrastructure. That’s what makes a recent blog post on connected health problems so interesting.

Phil Baumann, an RN and digital strategist at Telerx, writes that while the concept of connecting things is useful, there’s a virtually endless list of “disconnects” that could lead to problems with connected health. Some examples he cites include:

  • The disconnect between IoT hardware and software
  • The disconnect between IoT software and patches (which, he notes, might not even exist)
  • The disconnect between the Internet’s original purpose and the fast-evolving purposes created in the Connected World
  • The disconnects among communication protocols
  • The disconnect between influencers and reality (which he says is “painfully wide”)
  • The disconnects among IoT manufacturers
  • The disconnects among supply chains and vendors

According to Baumann, businesses that use IoT devices and other connected health technologies may be diving in too quickly, without taking enough time to consider the implications of their decisions. He writes:

Idea generation and deployment of IoT are tasks with enormous ethical, moral, economic, security, health and safety responsibilities. But without considering – deeply, diligently – the disconnects, then the Connected World will be nothing of the sort. It will be a nightmare without morning.

In his piece, Baumann stuck to general tech issues rather than pointing a finger at the healthcare industry specifically. But I’d argue that the points he makes are important for health IT leaders to consider.

For example, it’s interesting to think about vulnerable IoT devices posing a mission-critical security threat to healthcare organizations. To date, as Baumann rightly notes, manufacturers have often fallen way behind in issuing software updates and security patches, leaving patient data exposed. Various organizations – such as the FDA – are attempting to address medical device cybersecurity, but these issues won’t be addressed quickly.

Another item on his disconnect list – that connected health deployment goes far beyond the original design of the Internet – also strikes me as particularly worth taking to heart. While past networking innovations (say, Ethernet) have led to rapid change, the changes brought on by the IoT are sprawling and almost unmanageable under current conditions. We’re seeing chaotic rather than incremental or even disruptive change. And given that we’re dealing with patient lives, rather than, for example, sensors tracking packages, this is a potentially dangerous problem.

I’m not at all suggesting that healthcare leaders should pull the plug on connected health innovations. It seems clear that the benefits that derive from such approaches will outweigh the risks, especially over time. But it does seem like a good idea to stop and think about those risks more carefully.

FDA Weighs In On Medical Device Cybersecurity

Posted on January 5, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

In the past, medical devices lived in a separate world from standard health IT infrastructure, typically housed in a completely separate department. But today, of course, medical device management has become much more of an issue for health IT managers, given the extent to which such devices are being connected to the Internet and exposed to security breaches.

This has not been lost on the FDA, which has been looking at medical device security problems for a long time. And now – some would say “at long last” – the FDA has released final guidance on managing medical device cybersecurity. This follows the release of earlier final guidance on the subject released in October 2014.

While the FDA’s advice is aimed at device manufactures, rather than the health IT managers who read this blog, I think it’s good for HIT leaders to review. (After all, you still end up managing the end product!)

In the guidance, the FDA argues that the best way to bake cybersecurity protections into medical devices is for manufacturers to do so from the outset, through the entire product lifecycle:

Manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients.

Specifically, the agency is recommending that manufacturers take the following steps:

  • Have a way to monitor and detect cybersecurity vulnerabilities in their devices
  • Know assess and detect the level of risk vulnerabilities pose to patient safety
  • Establish a process for working with cybersecurity researchers and other stakeholders to share information about possible vulnerabilities
  • Issue patches promptly, before they can be exploited

The FDA also deems it of “paramount” importance that manufacturers and stakeholders consider applying core NIST principles for improving critical infrastructure cybersecurity.

All of this sounds good. But considering the immensity of the medical device infrastructure – and the rate of its growth – don’t expect these guidelines to make much of an impact on the device cybersecurity problem.

After all, there are an estimated 10 million to 15 million medical devices in US hospitals today, according to health tech consultant Stephen Grimes, who spoke on biomedical device security at HIMSS ’16. Grimes, a past chair of the HIMSS Medical Device Security Task Force, notes that one 500-bed hospital could have 7,500 devices on board, most of which will be networked. And each networked monitor, infusion pump, ventilator, CT or MRI scanner could be vulnerable to attack.

Bottom line, we’re looking at some scary risks regardless of what manufacturers do next. After all, even if they do a much better job of securing their devices going forward, there’s a gigantic number of existing devices which can be hacked. And we haven’t even gotten into the vulnerabilities that can be exploited among home-based connected devices.

Don’t get me wrong, I’m glad to see the FDA stepping in here. But if you look at the big picture, it’s pretty clear that their guidance is clearly just a small step in a very long and complicated process.