
Cost of a Breach, Proper Medical Record Disposal, and Delayed Breach Notifications

Posted on June 22, 2017 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Time for a quick roundup of HIPAA related tweets from around the Twittersphere. Check out these tweets and we’ll add in a bit of our commentary.


Matt’s correct that it’s not all avoidable, but at $380 per record that’s expensive. Breaches are expensive everywhere, but especially in healthcare. When you look at how insecure various industries are, my guess is that healthcare would be near the top of the list as well. That’s a problem.


I’m with Danika Brinda as well. I have no idea why this is still happening. Are people really that uneducated and naive when it comes to disposal of paper medical records? Hire a company with a great reputation if you’re not sure how to do it properly yourself.


Happens all the time. The fine for the delay is more than the damage of the breach itself. There is no reason for organizations to delay their efforts to notify patients of a breach. Delaying can be a very expensive prospect. Plus, notifying promptly is the right thing to do for the patients.

Compromise Assessments & Penetration Testing in Healthcare

Posted on June 21, 2017 | Written By

The following is a guest blog post by Steven Marco, CISA, ITIL, HP SA and President of HIPAA One®.
As healthcare providers continue to embrace technology, are patients being left vulnerable? If a recent incident involving patient portals is any indication, then the answer is a resounding “yes.”

True Health Diagnostics, a Frisco, TX-based healthcare services company, recently became aware of a security flaw in their patient portal after an IT consultant logged in to view their test results and accessed other patients’ records by accident. Upon investigating the issue, it was determined that because True Health uses sequential numbers on their patient record PDF files, users of the patient portal could easily alter a digit in the URL and thereby view the medical information of other patients (also known as Forceful Browsing).

This recent event should serve as both a reminder and a warning to healthcare organizations using patient portals that in order to prevent a similar disclosure, implementing (and testing!) safeguards is necessary. There are two different actions an organization can take to either understand the scope of a breach and/or assess their level of security to prevent a disclosure.
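The safeguard the True Health incident calls for is an object-level authorization check: the portal must confirm that the record requested actually belongs to the logged-in patient, rather than trusting whatever number appears in the URL. The following is an added example written for this post, not code from HIPAA One or from any portal vendor. It uses three constructed patients with consecutive report numbers, shows the flawed lookup beside the corrected one, adds a hypothetical random handle as defence in depth, and ends with the audit-log check a security team would use to spot a user walking through record numbers. The in-memory `DENIED` list stands in for a real audit log.

```python
import secrets
from collections import Counter
from dataclasses import dataclass


@dataclass
class Report:
    """One patient lab report (constructed sample data, not real records)."""
    report_no: int    # sequential file number, like the guessable IDs in the post
    token: str        # random handle; hypothetical alternative to the sequential number
    patient_id: str   # owner of the record
    body: str


def _make_reports():
    # Three constructed patients with consecutive report numbers 1001..1003.
    rows = [("p-alice", "Lipid panel: within normal limits"),
            ("p-bob", "CBC: mild anemia"),
            ("p-carol", "HbA1c: 7.2%")]
    return [Report(1001 + i, secrets.token_urlsafe(16), pid, body)
            for i, (pid, body) in enumerate(rows)]


REPORTS = _make_reports()
BY_NUMBER = {r.report_no: r for r in REPORTS}
BY_TOKEN = {r.token: r for r in REPORTS}

DENIED = []  # hypothetical audit sink: (patient_id, requested identifier)


class Forbidden(Exception):
    """Raised when a logged-in patient requests a record that is not theirs."""


def get_report_vulnerable(session_patient_id, report_no):
    """The flawed pattern: authentication only. The session proves who is logged
    in, but the lookup never checks that the record belongs to that patient, so
    changing one digit of the number returns someone else's report."""
    return BY_NUMBER[report_no].body


def get_report_secure(session_patient_id, report_no):
    """Object-level authorization: the record must be owned by the session's
    patient. A missing number and a wrong owner are handled identically so the
    response does not reveal whether a number exists."""
    report = BY_NUMBER.get(report_no)
    if report is None or report.patient_id != session_patient_id:
        DENIED.append((session_patient_id, report_no))
        raise Forbidden(f"report {report_no} is not available to {session_patient_id}")
    return report.body


def get_report_by_token(session_patient_id, token):
    """Defence in depth: serve records under a random, non-sequential handle
    and still apply the same ownership check."""
    report = BY_TOKEN.get(token)
    if report is None or report.patient_id != session_patient_id:
        DENIED.append((session_patient_id, token))
        raise Forbidden("record not available")
    return report.body


def suspicious_users(denied=DENIED, threshold=3):
    """Detection: patients with at least `threshold` denied record lookups,
    which is the audit-log signature of someone stepping through IDs."""
    counts = Counter(pid for pid, _ in denied)
    return sorted(pid for pid, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(get_report_vulnerable("p-alice", 1002))   # Bob's report leaks to Alice
    print(get_report_secure("p-alice", 1001))       # Alice's own report
    for n in (1002, 1003, 1004):
        try:
            get_report_secure("p-alice", n)
        except Forbidden:
            pass
    print(suspicious_users())                       # ['p-alice']
```

The random token on its own is not the fix; an unguessable URL still leaks if it is shared or logged, which is why `get_report_by_token` repeats the ownership check. The detection function is the "testing!" half of the post's advice: a penetration test or a routine review of denied-access entries will surface this pattern long before an accidental disclosure does.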

Compromise Assessment: Due-Diligence Task

A compromise assessment is a due-diligence task used to verify that an organization hasn’t experienced a security breach. Essentially, it answers the question: “Have we been breached?”

Completed by a group of whitehat hackers or IS professionals, the goal is to examine an organization’s various systems, verify if/when they were compromised, and estimate the damage/exposure that has been or could be done to their customers’ data. By gaining an understanding of the extent of the breach, the organization can in turn create a plan to remedy the issue and notify the appropriate parties of the disclosure.

Penetration Testing: Proactive Approach

In simple terms, conducting a penetration test is a proactive approach to finding any security deficiencies before a breach occurs or hackers find a way in. A penetration test answers the question “How secure are we?”

By performing an authorized simulated attack, organizations can gain a much greater understanding of their security infrastructure. Although penetration testing alone will not ensure a network is compliant or secure, it will identify gaps between existing threats and the controls that an organization has in place.

Penetration testing has many other benefits, including:

  • Revealing where procedures may be failing – Especially if insecure services are being used for administration or if critical security patches are missing due to inadequate configuration and change management processes/procedures.
  • Exposing poor password policy – Including the use of default or weak passwords, password reuse and use of incremental passwords.
  • Justification to management – For approval of additional security technologies. For example: Showing upper management that penetration testers were able to hack into the system and email the entire customer database.
  • Acts as a “second set of eyes” – Critical if using an independent provider when hosting ePHI/PII.

Interested in more details on penetration testing? Check out HIPAA One’s penetration testing blog post.

About Steven Marco
Steven Marco is the President of HIPAA One®, a leading provider of HIPAA Risk Assessment software for practices of all sizes. HIPAA One is a proud sponsor of EMR and HIPAA and the effort to make HIPAA compliance more accessible for all practices. Are you HIPAA Compliant? Take HIPAA One’s 5 minute HIPAA security and compliance quiz to see if your organization is at risk, or learn more at HIPAAOne.com.

Why Small Medical Practices Are at Great Risk for a Cyber Attack

Posted on June 14, 2017 | Written by John Lynn

The good people at ClinicSpectrum recently shared a look at why small practices are at risk for a cyber attack. They label it as why your EHR is at risk for a cyber attack, but I think their list is more specific to small practices as opposed to EHR. Take a look at their list:

Each of these issues should be considered by a small medical practice when it comes to why they are at risk for a cyber attack. However, the first one is one that I see often. Many small practices wonder, “Why would anyone want to hack my office?”

When it comes to that issue, medical practices need to understand how most hackers work. Most hackers aren’t trying to hack someone in particular. Instead, they’re just scouring the internet for easy opportunities. Sure, there are examples where a hacker goes after a specific target. However, the majority are just exploiting whatever vulnerabilities they can find.

This is why it’s a real problem when medical practices think they’re too small or not worth hacking. When you have this attitude, then you leave yourself vulnerable to opportunistic hackers that are just taking advantage of your laziness.

The best thing a medical practice can do to secure their systems is to care enough about having secure systems. You’ll never be 100% secure, but those organizations who act as if they don’t really care about security are almost guaranteed to be hacked. You can imagine how HHS will look at you if you take this approach and then get hacked.

Healthcare Password Cartoon – Fun Friday

Posted on June 9, 2017 | Written by John Lynn

I’ve become a fan of @drmaypole on Twitter. He’s a cartoonist pediatrician and regularly tweets out cartoons like the following one:

I don’t know about you, but I’ve become really efficient at the password reset process on a number of websites that I only use once or twice a month. They set such restrictive policies on their passwords that I can never remember them since I use them so rarely. It’s just easier to reset it and create a new one. This cartoon captured the password issue really well.

Legal Ramifications of EHRs Selling Data

Posted on June 6, 2017 | Written by John Lynn

Prompted by an engagement with prominent healthcare lawyer, Matt Fisher (@Matt_R_Fisher), on Twitter, Healthcare Scene decided to sit down with Matt to talk about the challenging topic of EHR vendors selling patient data. As a basis for the discussion, I suggested to Matt that EHR vendors were selling the EHR data and so we should dive into the details of when they are legally allowed to sell EHR data and when they are not.

That’s exactly what we did in my video interview with Matt Fisher below. Turns out there are a lot of little nuances to when and how an EHR vendor can sell patient data and HIPAA is only one of them. Plus, Matt and I also talk a bit about how a doctor and a patient can try and find out when and where their patient data is being sold. Learn about all the details in this video:

Is there anything you would add to the discussion? Were there any details or questions you think we missed? Let us know in the comments and we’ll do our best to get the answers.

HIPAA and Facebook Are Diametrically Opposed

Posted on June 5, 2017 | Written by John Lynn

I tweeted this from the CHIME Fall Forum last year, but the idea is still on my mind. First, are HIPAA and Facebook diametrically opposed? Second, if they are or they aren’t, what does that mean for healthcare?

I’m not sure the intent of the person who said that Facebook and HIPAA were diametrically opposed, but I think it’s a reasonable observation. Facebook cares about getting and sharing as much information about you as possible. HIPAA cares about trying to protect your information.

While I think this is fundamentally how these companies think, the reality of what they do is much closer than people would think at first glance. While Facebook certainly wants to collect all of your personal data, it also has become quite sophisticated in its efforts to allow you to control how your data is shared. This wasn’t something that came naturally to them, but was forced upon them by years of crazy indiscretions which forced their hand.

HIPAA has come from the other end. While HIPAA is the portability act and not the privacy act (common mistake), that’s not how it was viewed when it was implemented. Everyone in healthcare saw HIPAA as a way to inhibit data sharing as opposed to a way to provide a framework for secure data sharing. In many cases, that’s still how people use HIPAA today. However, we’re starting to see that change as healthcare organizations have realized that their organizations need to share data. While not as progressive as Facebook in their data sharing controls, healthcare has become much more specific about how, when, what, and where they share patient data.

While we can find plenty of privacy and security issues with Facebook and HIPAA, I’d argue that both of them have become much more sophisticated in their approach to privacy and security. I believe this trend will only continue to get better.

What does all of this mean for healthcare?

Healthcare can learn a lot from Facebook when it comes to creating sophisticated privacy options that put the patient in control of their health data and allow the patient to control if and when that data is shared. However, we shouldn’t be surprised when we implement these controls and patients start sharing in ways that might feel risky to us. We may want to consider even more training on these sophisticated sharing options than what Facebook did for their users.

No doubt there’s a power in health data and much of that power is unleashed when it’s shared with the right people. The best thing we can do to unleash this power isn’t to create a free for all data sharing approach, but instead to take a more sophisticated data sharing approach that puts the patient at the center of the decision making process.

E-Patient Update:  Changing The Patient Data Sharing Culture

Posted on May 19, 2017 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

I’ve been fighting for what I believe in for most of my life, and that includes getting access to my digital health information. I’ve pleaded with medical practice front-desk staff, gently threatened hospital HIT departments and gotten in the faces of doctors, none of whom ever seem to get why I need all of my data.

I guess you could say that I’m no shrinking violet, and that I don’t give up easily. But lately I’ve gotten a bit, let me say, discouraged when it comes to bringing together all of the data I generate. It doesn’t help that I have a few chronic illnesses, but it’s not easy even for patients with no major issues.

Some of these health professionals know something about how EMRs work, how accurate, complete health records facilitate care and how big data analysis can improve population health. But when it comes to helping humble patients participate in this process, they seem to draw a blank.

The bias against sharing patient records with the patients seems to run deep. I once called the PR rep at a hospital EMR vendor and complained casually about my situation, in which a hospital told me that it would take three months to send me records printed from their EMR. (If I’d asked them to send me a CCD directly, the lady’s head might have exploded right there on the phone.)

Though I didn’t ask, the vendor rep got on the phone, reached a VP at the hospital and boom, I had my records. It took a week and a half, a vendor and hospital VP just to get one set of records to one patient. And for most of us it isn’t even that easy.

The methods providers have used to discourage my data requests have been varied. They include that I have to pay $X per page, when state law clearly states that (much lower) $Y is all they can charge. I’ve been told I just have to wait as long as it takes for the HIM department to get around to my request, no matter how time-sensitive the issue. I was even told once that Dr. X simply didn’t share patient records, and that’s that. (I didn’t bother to offer her a primer on state and federal medical records laws.) It gets to be kind of amusing over time, though irritating nonetheless.

Some of these skirmishes can be explained by training gaps or ignorance, certainly. What’s more, even if a provider encourages patient record requests there are still security and privacy issues to navigate. But I believe that what truly underlies provider resistance to giving patients their records is a mix of laziness and fear. In the past, few patients pushed the records issue, so hospitals and medical groups got lazy. Now, patients are getting assertive, and they fear what will happen.

Of course, we all have a right to our medical records, and if patients persist they will almost always get them. But if my experience is any guide, getting those records will remain difficult if attitudes don’t change. The default cultural setting among providers seems to be discomfort and even rebellion when they’re asked to give consumers their healthcare data. My protests won’t change a thing if people are tuning me out.

There are many reasons for their reaction, including the rise of challenging, self-propelled patients who don’t assume the doctor knows best in all cases. Also, as in any other modern industry, data is power, and physicians in particular are already feeling almost powerless.

That being said, the healthcare industry isn’t going to meet its broad outcomes and efficiency goals unless patients are confident and comfortable with managing their health. Collecting, amassing and reviewing our health information greatly helps patients like me to stay on top of issues, so encumbering our efforts is counter-productive.

To counter such resistance, we need to transform the patient data sharing culture from resistant to supportive. Many health leaders seem to pine for the days when patients could have the data when and if they felt like it, but those days are past. Participating happily in a patient’s data collection efforts needs to become the norm.

If providers hope to meet the transformational goals they’ve set for themselves, they’ll have to help patients get their data as quickly, cheaply and easily as possible. Failing to do this will block or at least slow the progress of much-needed industry reforms, and they’re already a big stretch. Just give patients their data without a fuss – it’s the right thing to do!

Healthcare Ransomware

Posted on May 8, 2017 | Written by John Lynn

Health Data Management has a nice article up with insights on healthcare ransomware from GreyCastle Security’s CEO, Reg Harnish. Reg made a great case for why healthcare is seeing so much ransomware:

He contends that healthcare isn’t any more vulnerable to ransomware than other industries. But Harnish observes that—given the value of patient data and medical records—providers are the focus of cyber criminals who are targeting them with file-encrypting malware.

“You take their data away, and it literally threatens lives, patient safety and patient care, so they are much more likely to pay a ransom,” he adds.

I think healthcare organizations do respond differently to ransomware than other organizations and that makes them more vulnerable to an attack since many healthcare organizations feel it’s their obligation to maintain patient safety and that the ransom is worth the money so they can do no harm to patients.

Reg also addressed whether paying the ransom in a ransomware incident was a good idea (it’s not):

On the question of whether or not organizations should give in to the demands of cyber criminals using ransomware, Harnish says that GreyCastle never recommends paying a ransom. “There’s no guarantee that the ransom will work,” he warns. “If you pay the ransom, you may not get decryption keys. And even if you do get decryption keys, they may not be the right ones.”

Further, Harnish cautions that those organizations that pay a ransom then get put on a list of victims who have complied with ransomware demands. As a result, he says they are much more likely to be targeted again as a “paying” customer. “None of our clients have ever paid a ransom,” he adds.

I agree that in 98% of cases, paying the ransom is a bad idea. Plus, every healthcare organization that pays the ransom makes it worse for other healthcare organizations. Instead, the key is to have a great backup and disaster recovery strategy in place for if and when ransomware hits your organization.

As Reg also points out, ransomware most often comes into your organization through your users. So, it’s worth the investment to educate your end users on possible hacking/ransomware attempts. Education isn’t perfect, but it can help decrease your chances of a ransomware incident.

Cybersecurity, MACRA, MIPS, HIPAA, and PCMH Training Workshops

Posted on May 3, 2017 | Written by John Lynn

I’ve been partnered with 4MedApproved for a long time offering healthcare IT training courses to my users. If you subscribe to a Healthcare Scene email list, then you’ve probably seen some emails offering a great discount on their training courses. 4Med really tries hard to listen to the community and create courses that are valuable to the healthcare IT professional.

They just sent me their list of upcoming courses and I was really impressed with the wide variety of courses that they’re offering between now and the end of July. Here’s a look at the courses they’re offering:

The good news is that by using any of the links above you’ll get a discount off of each of the courses for being a Healthcare Scene reader. Each of the above sessions is available as a live online training where you can ask the trainer questions. Also, if you miss one of the live sessions, then the recording will be made available to you after the event.

Also, for many of the courses, CEUs are available to those who need them.

You can see on the list above that some of the most popular courses are around MACRA and healthcare security. Both are hugely important topics and there’s a lot of information to cover for both topics. If you’re dealing with either of them (which is most of you), these courses are a great resource for you to get up to speed on the latest.

Legacy Health IT Systems – So Old They’re Secure

Posted on April 21, 2017 | Written by John Lynn

I’ve been thinking quite a bit about the ticking time bomb that is legacy healthcare IT systems. The topic has been top of mind for me ever since Galen Healthcare Solutions wrote their Tackling EHR & EMR Transition series of blog posts. This is an important topic even if it’s not a sexy one.

I don’t think we need to dive into the details of why legacy healthcare IT systems are a security risk for most healthcare organizations. Hospitals and health systems have hundreds of production systems that they’re trying to keep secure. It’s not hard to see why legacy systems get forgotten. Forgotten systems are ripe for hackers and others that want to do nefarious things.

Although, I did hear someone recently talking about legacy health IT systems who said that they had some technology in their organization that was so old it was secure again. I guess there’s something to say about having systems that are so old that hackers don’t have tools that can breach such old systems or that can read old files. Not to mention that many of these older systems weren’t internet connected.

While I find humor in the idea that something could be so old that it’s secure again, that’s not the reality for most legacy systems. Most old systems can be breached and will be breached if they’re not considered “production” when it comes to patching and securing them.

When you think about the costs of updating and securing your legacy systems like you would a production system for security purposes, it’s easy to see why finding a way to sunset these legacy systems is becoming a popular option. Sure, you have to find a way to maintain the integrity of the data, but the tools to do this have come a long way.

The other reason I like the idea of migrating data from a legacy system and sunsetting the old system is that this often opens the door for users to be able to access the legacy data. When the data is stored on the legacy system it’s generally not used unless it’s absolutely necessary. If you migrate that legacy data to an archival platform, then the data can be used by more people to influence care. That’s a good thing.

Legacy health IT systems are a challenge that isn’t going to go away. In fact, it’s likely to get worse as we transition from one software to the next. Having a strategy for these legacy systems which ensures security, compliance, and extracts value is going to be a key to success for every healthcare organization.