Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

E-Patient Update:  Changing The Patient Data Sharing Culture

Posted on May 19, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

I’ve been fighting for what I believe in for most of my life, and that includes getting access to my digital health information. I’ve pleaded with medical practice front-desk staff, gently threatened hospital HIT departments and gotten in the faces of doctors, none of whom ever seem to get why I need all of my data.

I guess you could say that I’m no shrinking violet, and that I don’t give up easily. But lately I’ve gotten a bit, let me say, discouraged when it comes to bringing together all of the data I generate. It doesn’t help that I have a few chronic illnesses, but it’s not easy even for patients with no major issues.

Some these health professionals know something about how EMRs work, how accurate, complete health records facilitate care and how big data analysis can improve population health. But when it comes to helping humble patients participate in this process, they seem to draw a blank.

The bias against sharing patient records with the patients seems to run deep. I once called the PR rep at a hospital EMR vendor and complained casually about my situation, in which a hospital told me that it would take three months to send me records printed from their EMR. (If I’d asked them to send me a CCD directly, the lady’s head might have exploded right there on the phone.)

Though I didn’t ask, the vendor rep got on the phone, reached a VP at the hospital and boom, I had my records. It took a week and a half, a vendor and hospital VP just to get one set of records to one patient. And for most of us it isn’t even that easy.

The methods providers have used to discourage my data requests have been varied. They include that I have to pay $X per page, when state law clearly states that (much lower) $Y is all they can charge. I’ve been told I just have to wait as long as it takes for the HIM department to get around to my request, no matter how time-sensitive the issue. I was even told once that Dr. X simply didn’t share patient records, and that’s that. (I didn’t bother to offer her a primer on state and federal medical records laws.) It gets to be kind of amusing over time, though irritating nonetheless.

Some of these skirmishes can be explained by training gaps or ignorance, certainly. What’s more, even if a provider encourages patient record requests there are still security and privacy issues to navigate. But I believe that what truly underlies provider resistance to giving patients their records is a mix of laziness and fear. In the past, few patients pushed the records issue, so hospitals and medical groups got lazy. Now, patients are getting assertive, and they fear what will happen.

Of course, we all have a right to our medical records, and if patients persist they will almost always get them. But if my experience is any guide, getting those records will remain difficult if attitudes don’t change. The default cultural setting among providers seems to be discomfort and even rebellion when they’re asked to give consumers their healthcare data. My protests won’t change a thing if people are tuning me out.

There’s many reasons for their reaction, including the rise of challenging, self-propelled patients who don’t assume the doctor knows best in all cases. Also, as in any other modern industry, data is power, and physicians in particular are already feeling almost powerless.

That being said, the healthcare industry isn’t going to meet its broad outcomes and efficiency goals unless patients are confident and comfortable with managing their health. Collecting, amassing and reviewing our health information greatly helps patients like me to stay on top of issues, so encumbering our efforts is counter-productive.

To counter such resistance, we need to transform the patient data sharing culture from resistant to supportive. Many health leaders seem to pine for the days when patients could have the data when and if they felt like it, but those days are past. Participating happily in a patient’s data collection efforts needs to become the norm.

If providers hope to meet the transformational goals they’ve set for themselves, they’ll have to help patients get their data as quickly, cheaply and easily as possible. Failing to do this will block or at least slow the progress of much-needed industry reforms, and they’re already a big stretch. Just give patients their data without a fuss – it’s the right thing to do!

Healthcare Ransomware

Posted on May 8, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Health Data Management has a nice article up with insights on healthcare ransomware from GreyCastle Security’s CEO, Reg Harnish. Reg made a great case for why healthcare is seeing so much ransomware:

He contends that healthcare isn’t any more vulnerable to ransomware than other industries. But Harnish observes that—given the value of patient data and medical records—providers are the focus of cyber criminals who are targeting them with file-encrypting malware.

“You take their data away, and it literally threatens lives, patient safety and patient care, so they are much more likely to pay a ransom,” he adds.

I think healthcare organizations do respond differently to ransomware than other organizations and that makes them more vulnerable to an attack since many healthcare organizations feel it’s their obligation to maintain patient safety and that the ransom is worth the money so they can do no harm to patients.

Reg also addressed whether paying the ransom in a ransomware incident was a good idea (it’s not):

On the question of whether or not organizations should give in to the demands of cyber criminals using ransomware, Harnish says that GreyCastle never recommends paying a ransom. “There’s no guarantee that the ransom will work,” he warns. “If you pay the ransom, you may not get decryption keys. And even if you do get decryption keys, they may not be the right ones.”

Further, Harnish cautions that those organizations that pay a ransom then get put on a list of victims who have complied with ransomware demands. As a result, he says they are much more likely to be targeted again as a “paying” customer. “None of our clients have ever paid a ransom,” he adds.

I agree that in 98% of cases, paying the ransomware is a bad idea. Plus, every healthcare organization that pays the ransomware makes it worse for other healthcare organizations. Instead, the key is to have a great backup and disaster recovery strategy if and when ransomware occurs in your organization.

As Reg also points out, ransomware most often comes into your organization through your users. So, it’s worth the investment to educate your end users on possible hacking/ransomware attempts. Education isn’t perfect, but it can help decrease your chances of a ransomware incident.

Cybersecurity, MACRA, MIPS, HIPAA, and PCMH Training Workshops

Posted on May 3, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’ve been partnered with 4MedApproved for a long time offering healthcare IT training courses to my users. If you subscribe to a Healthcare Scene email list, then you’ve probably seen some emails offering a great discount on their training courses. 4Med really tries hard to listen to the community and create courses that are valuable to the healthcare IT professional.

They just sent me their list of upcoming courses and I was really impressed with the wide variety of courses that they’re offering between now and the end of July. Here’s a look a the courses they’re offering:

The good news is that by using any of the links above you’ll get a discount off of each of the courses for being a Healthcare Scene reader. Each of the above sessions is available as a live online training where you can ask the trainer questions. Also, if you miss one of the live sessions, then the recording will be made available to you after the event.

Also, for many of the courses, CEU are available to those who need them.

You can see on the list above that some of the most popular courses are around MACRA and healthcare security. Both are hugely important topics and there’s a lot of information to cover for both topics. If you’re dealing with either of them (which is most of you), these courses are a great resource for you to get up to speed on the latest.

Legacy Health IT Systems – So Old They’re Secure

Posted on April 21, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’ve been thinking quite a bit about the ticking time bomb that is legacy healthcare IT systems. The topic has been top of mind for me ever since Galen Healthcare Solutions wrote their Tackling EHR & EMR Transition series of blog posts. This is an important topic even if it’s not a sexy one.

I don’t think we need to dive into the details of why legacy healthcare IT systems are a security risk for most healthcare organizations. Hospitals and health systems have hundreds of production systems that they’re trying to keep secure. It’s not hard to see why legacy systems get forgotten. Forgotten systems are ripe for hackers and others that want to do nefarious things.

Although, I did hear someone recently talking about legacy health IT systems who said that they had some technology in their organization that was so old it was secure again. I guess there’s something to say about having systems that are so old that hackers don’t have tools that can breach such old systems or that can read old files. Not to mention that many of these older systems weren’t internet connected.

While I find humor in the idea that something could be so old that it’s secure again, that’s not the reality for most legacy systems. Most old systems can be breached and will be breached if they’re not considered “production” when it comes to patching and securing them.

When you think about the costs of updating and securing your legacy systems like you would a production system for security purposes, it’s easy to see why finding a way to sunset these legacy systems is becoming a popular option. Sure, you have to find a way to maintain the integrity of the data, but the tools to do this have come a long way.

The other reason I like the idea of migrating data from a legacy system and sunsetting the old system is that this often opens the door for users to be able to access the legacy data. When the data is stored on the legacy system it’s generally not used unless it’s absolutely necessary. If you migrate that legacy data to an archival platform, then the data can be used by more people to influence care. That’s a good thing.

Legacy health IT systems are a challenge that isn’t going to go away. In fact, it’s likely to get worse as we transition from one software to the next. Having a strategy for these legacy systems which ensures security, compliance, and extracts value is going to be a key to success for every healthcare organization.

Will Data Aggregation For Precision Medicine Compromise Patient Privacy?

Posted on April 10, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Like anyone else who follows medical research, I’m fascinated by the progress of precision medicine initiatives. I often find myself explaining to relatives that in the (perhaps far distant) future, their doctor may be able to offer treatments customized specifically for them. The prospect is awe-inspiring even for me, someone who’s been researching and writing about health data for decades.

That being the case, there are problems in bringing so much personal information together into a giant database, suggests Jennifer Kulynych in an article for OUPblog, which is published by Oxford University Press. In particular, bringing together a massive trove of individual medical histories and genomes may have serious privacy implications, she says.

In arguing her point, she makes a sobering observation that rings true for me:

“A growing number of experts, particularly re-identification scientists, believe it simply isn’t possible to de-identify the genomic data and medical information needed for precision medicine. To be useful, such information can’t be modified or stripped of identifiers to the point where there’s no real risk that the data could be linked back to a patient.”

As she points out, norms in the research community make it even more likely that patients could be individually identified. For example, while a doctor might need your permission to test your blood for care, in some states it’s quite legal for a researcher to take possession of blood not needed for that care, she says. Those researchers can then sequence your genome and place that data in a research database, and the patient may never have consented to this, or even know that it happened.

And there are other, perhaps even more troubling ways in which existing laws fail to protect the privacy of patients in researchers’ data stores. For example, current research and medical regs let review boards waive patient consent or even allow researchers to call DNA sequences “de-identified” data. This flies in the face of conventional wisdom that there’s no re-identification risk, she writes.

On top of all of this, the technology already exists to leverage this information for personal identification. For example, genome sequences can potentially be re-identified through comparison to a database of identified genomes. Law enforcement organizations have already used such data to predict key aspects of an individual’s face (such as eye color and race) from genomic data.

Then there’s the issue of what happens with EMR data storage. As the author notes, healthcare organizations are increasingly adding genomic data to their stores, and sharing it widely with individuals on their network. While such practices are largely confined to academic research institutions today, this type of data use is growing, and could also expose patients to involuntary identification.

Not everyone is as concerned as Kulynych about these issues. For example, a group of researchers recently concluded that a single patient anonymization algorithm could offer a “standard” level of privacy protection to patient, even when the organizations involved are sharing clinical data. They argue that larger clinical datasets that use this approach could protect patient privacy without generalizing or suppressing data in a manner that would undermine its usefulness.

But if nothing else, it’s hard to argue Kulynych’s central concern, that too few rules have been updated to reflect the realities of big genomic and medical data stories. Clearly, state and federal rules  need to address the emerging problems associated with big data and privacy. Otherwise, by the time a major privacy breach occurs, neither patients nor researchers will have any recourse.

E-Patient Update: Reducing Your Patients’ Security Anxiety

Posted on March 31, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Even if you’re not a computer-savvy person, these days you can hardly miss the fact that healthcare data is a desirable target for cyber-criminals. After all, over the past few years, healthcare data breaches have been in the news almost every day, with some affecting millions of consumers.

As a result, many patients have become at least a bit afraid of interacting with health data online. Some are afraid that data stored on their doctor or hospital’s server will be compromised, some are afraid to manage their data on their own, and others don’t even know what they’re worried about – but they’re scared to get involved with health data online.

As an e-patient who’s lived online in one form or another since the 80s (anyone remember GEnie or Compuserve?) I’ve probably grown a bit too blasé about security risks. While I guard my online banking password as carefully as anyone else, I don’t tend to worry too much about abstract threats posed by someone who might someday, somehow find my healthcare data among millions of other files.

But I realize that most patients – and providers – take these issues very seriously, and with good reason. Even if HIPAA weren’t the law of the land, providers couldn’t afford to have patients feel like their privacy wasn’t being respected. After all, patients can’t get the highest-quality treatment available if they aren’t comfortable being candid about their health behaviors.

What’s more, no provider wants to have their non-clinical data hacked either. Protecting Social Security numbers, credit card details and other financial data is a critical responsibility, and failing at it could cost patients more than their privacy.

Still, if we manage to intimidate the people we’re trying to help, that can’t be good either. Surely we can protect health data without alienating too many patients.

Striking a balance

I believe it’s important to strike a balance between being serious about security and making it difficult or frightening for patients to engage with their data. While I’m not a security expert, here’s some thoughts on how to strike that balance, from the standpoint of a computer-friendly patient.

  • Don’t overdo things: Following strong security practices is a good idea, but if they’re upsetting or cumbersome they may defeat your larger purposes. I’m reminded of the policy of one of my parents’ providers, who would only provide a new password for their Epic portal if my folks came to the office in person. Wouldn’t a snail mail letter serve, at least if they used registered mail?
  • Use common-sense procedures: By all means, see to it that your patients access their data securely, but work that into your standard registration process and workflow. By the time a patient leaves your office they should have access to everything they need for portal access.
  • Guide patients through changes: In some cases, providers will want to change their security approach, which may mean that patients have to choose a new ID and password or otherwise change their routine. If that’s necessary, send them an email or text message letting them know that these changes are expected. Otherwise they might be worried that the changes represent a threat.
  • Remember patient fears: While practice administrators and IT staff may understand security basics, and why such protections are necessary, patients may not. Bear in mind that if you take a grim tone when discussing security issues, they may be afraid to visit your portal. Keep security explanations professional but pleasant.

Remember your goals

Speaking as a consumer of patient health data, I have to say that many of the health data sites I’ve accessed are a bit tricky to use. (OK, to be honest, many seem to be designed by a committee of 40-something engineers that never saw a gimmicky interface they didn’t like.)

And that isn’t all. Unfortunately, even a highly usable patient data portal or app can become far more difficult to use if necessary security protections are added to the mix. And of course, sometimes that may be how things have to be.

I guess I’m just encouraging providers who read this to remember their long-term goals. Don’t forget that even security measures should be evaluated as part of a patient’s experience, and at least see that they do as little as possible to undercut that experience.

After all, if a girl-geek and e-patient like myself finds the security management aspect of accessing my data to be a bummer, I can only imagine other consumers will just walk away from the keyboard. With any luck, we can find ways to be security-conscious without imposing major barriers to patient engagement.

Wide Ranging Impact of A Healthcare Cybersecurity Attack

Posted on March 8, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

David Chou recently shared this amazing graphic of the “above the surface” and “beneath the surface” impacts from cyber attacks. The above the surface attacks are those that are better know costs related to an incident. The beneath the surface attacks are the less visible or hidden costs of a cyber attack.

Which of these impacts concerns you most?

If this list of 14 impacts on your organization isn’t enough to wake you up to the importance of cybersecurity, then there isn’t much hope. However, most of the CIOs I’ve seen are well aware of this and it’s why it keeps them up at night.

Costs Of Compromised Credentials Rising

Posted on March 3, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Healthcare organizations face unique network access challenges. While some industries only need to control access by professional employees and partners, healthcare organizations are increasingly opening up data to consumers, and the number of consumer access points are multiplying. While other industries face similar problems – banking seems particularly relevant – I don’t know of any other industry that depends on such a sophisticated data exchange with consumers to achieve critical results.

Given the industry’s security issues, I found the following article to be quite interesting. While it doesn’t address healthcare concerns directly, I think it’s relevant nonetheless.

The article, written by InfoArmor CTO Christian Lees, contends that next-generation credentials are “edging toward a precarious place.” He argues that because IT workers are under great pressure to produce, they’re rushing the credentialing process. And that has led to a lack of attention to detail, he says:

“Employees, contractors and even vendors are rapidly credentialed with little attention given to security rules such as limiting access per job roles, enforcing secure passwords, and immediately revoking credentials after an employee moves on…[and as a result], criminals get to choose from a smorgasbord of credentialed identities with which to phish employees and even top executives.”

Meanwhile, if auto-generated passwords are short and ineffective, or so long that users must write them down to remember them, credentials tend to get compromised quickly. What’s more, password sharing and security shortcuts used for sign-in (such as storing a password in a browser) pose further risk, he notes.

Though he doesn’t state this in exactly these words, the problem is obviously multiplied when you’re a healthcare provider. After all, if you’re managing not only thousands of employee and partner credentials, but potentially, millions of consumer credentials for use in accessing portal data, you’re fighting a battle on many fronts.

And unfortunately, the cost of losing control of these credentials is very high. In fact, according to a Verizon study, 63% of confirmed data breaches happening last year involved weak, default or stolen passwords.

To tackle this problem, Lees suggests, organizations should create a work process which handles different types of credentials in different ways.

If you’re providing access to public-facing information, which doesn’t include transaction, identifying or sensitive information, using a standard password may be good enough. The passwords should still be encrypted and protected, but they should still be easy to use, he says.

Meanwhile, if you need to offer users access to highly sensitive information, your IT organization should implement a separate process which assigns stronger, more complex passwords as well as security layers like biometrics, cryptographic keys or out-of-band confirmation codes, Lees recommends.

Another way to improve your credentialing strategy is to associate known behaviors with those credentials. “If you know that Bill comes to the office on Tuesdays and Thursdays but works remotely the rest of the week and that he routinely accesses certain types of files, it becomes much harder for a criminal to use Bill’s compromised credentials undetected,” he writes.

Of course, readers of this blog will have their own strategies in placefor protecting credentials, but Lee’s suggestions are worth considering as well. When you’re dealing with valuable health data, it never hurts to go that extra mile. If you don’t, you might get a visit by the HIPAA police (proverbial, not actual).

Whitepaper: Is Windows 10 HIPAA Compliant?

Posted on February 22, 2017 I Written By

The following is a guest blog post by Steven Marco, CISA, ITIL, HP SA and President of HIPAA One®.
Steven Marco - HIPAA expert
HIPAA One has collaborated with Microsoft on a new whitepaper that addresses Windows 10 and HIPAA compliance.

The whitepaper, HIPAA Compliance with Microsoft Windows 10 Enterprise, provides guidance on how to leverage Microsoft Windows 10 as a HIPAA-compliant, baseline operating system for functionality and security. Additionally, the paper tackles head on (and debunks) the myth that Microsoft Windows is not HIPAA compliant.
In light of the recent focus on HIPAA enforcement actions; hospitals, clinics, healthcare clearinghouses and business associates are trying to understand how to manage modern operating systems with cloud features to meet HIPAA regulatory mandates. Along with adhering to HIPAA, many healthcare organizations are under pressure to broadly embrace the benefits of cloud computing and manage the security implications.

Microsoft has invested heavily in security and privacy technologies to address and mitigate today’s threats. Windows 10 Enterprise has been designed to be the most user-friendly Windows yet and includes deep architectural advancements that have changed the game when navigating hacking and malware threats. For this reason, organizations in every industry, including the Pentagon and Department of Defense have upgraded to Windows 10 Enterprise to improve their security posture. However, as with all software upgrades; functionality, security and privacy implications must be understood and addressed.

The intersection between HIPAA compliance and main stream applications can often be confusing to navigate. This industry-leading whitepaper addresses the questions and concerns that are currently top-of-mind for healthcare IT and legal professionals responsible for managing ePHI and maintain HIPAA compliance.

Download your copy today and learn now Microsoft Windows 10 Enterprise enables its users to meet and/or exceed their HIPAA Security and Privacy requirements.

About Steven Marco
Steven Marco is the President of HIPAA One®, leading provider of HIPAA Risk Assessment software for practices of all sizes.  HIPAA One is a proud sponsor of EMR and HIPAA and the effort to make HIPAA compliance more accessible for all practices.  Are you HIPAA Compliant?  Take HIPAA One’s 5 minute HIPAA security and compliance quiz to see if your organization is risk or learn more at HIPAAOne.com.

Consumers Fear Theft Of Personal Health Information

Posted on February 15, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Probably fueled by constant news about breaches – duh! – consumers continue to worry that their personal health information isn’t safe, according to a new survey.

As the press release for the 2017 Xerox eHealth Survey notes, last year more than one data breach was reported each day. So it’s little wonder that the survey – which was conducted online by Harris poll in January 2017 among more than 3,000 U.S. adults – found that 44% of Americans are worried about having their PHI stolen.

According to the survey, 76% of respondents believe that it’s more secure to share PHI between providers through a secure electronic channel than to fax paper documents. This belief is certainly a plus for providers. After all, they’re already committed to sharing information as effectively as possible, and it doesn’t hurt to have consumers behind them.

Another positive finding from the study is that Americans also believe better information sharing across providers can help improve patient care. Xerox/Harris found that 87% of respondents believe that wait times to get test results and diagnoses would drop if providers securely shared and accessed patient information from varied providers. Not only that, 87% of consumers also said that they felt that quality of service would improve if information sharing and coordination among different providers was more common.

Looked at one way, these stats offer providers an opportunity. If you’re already spending tens or hundreds of millions of dollars on interoperability, it doesn’t hurt to let consumers know that you’re doing it. For example, hospitals and medical practices can put signs in their lobby spelling out what they’re doing by way of sharing data and coordinating care, have their doctors discuss what information they’re sharing and hand out sheets telling consumers how they can leverage interoperable data. (Some organizations have already taken some of these steps, but I’d argue that virtually any of them could do more.)

On the other hand, if nearly half of consumers afraid that their PHI is insecure, providers have to do more to reassure them. Though few would understand how your security program works, letting them know how seriously you take the matter is a step forward. Also, it’s good to educate them on what they can do to keep their health information secure, as people tend to be less fearful when they focus on what they can control.

That being said, the truth is that healthcare data security is a mixed bag. According to a study conducted last year by HIMSS, most organizations conduct IT security risk assessments, many IT execs have only occasional interactions with top-level leaders. Also, many are still planning out their medical device security strategy. Worse, provider security spending is often minimal. HIMSS notes that few organizations spend more than 6% of their IT budgets on data security, and 72% have five or fewer employees allocated to security.

Ultimately, it’s great to see that consumers are getting behind the idea of health data interoperability, and see how it will benefit them. But until health organizations do more to protect PHI, they’re at risk of losing that support overnight.