Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Mobile Health App Makers Still Shaky On Privacy Policies

Posted on September 16, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A new study has concluded that while mobile health app developers are developing better privacy practices, these developers vary widely in how they share those policies with consumers. The research, part of a program launched in 2011 by the Future of Privacy Forum, concludes that while mHealth app makers have improved their practices, too many are still not as clear as they could be with users as to how they handle private health information.

This year’s FPF Mobile App Study notes that mHealth players are working to make privacy policies available to users before purchase or download, by posting links on the app listing page. It probably has helped that the two major mobile health app distribution sites require apps that collect personal info to have a privacy policy in place, but consumer and government pressure has played a role as well, the report said. According to FPF researchers, mHealth app makers are beginning to explain how personal data is collected, used and shared, a step privacy advocates see as the bare minimum standard.

Researchers found that this year, 76% of top overall apps on the iOS App Store and Google Play had a privacy policy, up from 68% noted in the previous iteration of the study. In contrast, only 61% of health and fitness apps surveyed this year included a link to their privacy policies in their app store listing, 10% less than among top apps cutting across all categories.  “Given that some health and fitness apps can access sensitive, physiological data collected by sensors on a mobile phone, wearable, or other device, their below-average performance is both unexpected and troubling,” the report noted.

This disquieting lack of thorough privacy protections extended even to apps collecting some of the most intimate data, the FPF report pointed out. In particular, a subset of mHealth developers aren’t doing anything much to make their policies accessible.

For example, researchers found that while 80% of apps helping women track periods and fertility across Google Play and the iOS App Store had privacy policies, just 63% of the apps had posted links to these policies. In another niche, sleep tracking apps, only 66% of even had a privacy policy in place, and just 54% of these apps linked back to the policy on their store page. (FPF terms this level of performance “dismal,” and it’s hard to disagree.)

Underlying this analysis is the unfortunate truth that there’s still no gold standard for mHealth privacy policies. This may be due more to the complexity of the still-maturing mobile health ecosystem than resistance to creating robust policies, certainly. But either way, this issue won’t go away on its own, so mHealth app developers will need to give their privacy strategy more thought.

NFL Players’ Medical Records Stolen

Posted on June 21, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’d been meaning to write about this story for a while now, but finally got around to it. In case you missed it, Thousands of NFL players’ medical records were stolen. Here’s a piece of the DeadSpin summary of the incident:

In late April, the NFL recently informed its players, a Skins athletic trainer’s car was broken into. The thief took a backpack, and inside that backpack was a cache of electronic and paper medical records for thousands of players, including NFL Combine attendees from the last 13 years. That would encompass the vast majority of NFL players

The Redskins later issues this statement:

The Washington Redskins can confirm that a theft occurred mid-morning on April 15 in downtown Indianapolis, where a thief broke through the window of an athletic trainer’s locked car. No social security numbers, Protected Health Information (PHI) under HIPAA, or financial information were stolen or are at risk of exposure.

The laptop was password-protected but unencrypted, but we have no reason to believe the laptop password was compromised. The NFL’s electronic medical records system was not impacted.

It’s interesting that the Redskins said that it didn’t include any PHI that would be covered by HIPAA rules and regulations. I was interested in how HIPAA would apply to an NFL team, so I reached out to David Harlow for the answer. David Harlow, Health Blawg writer, offered these insights into whether NFL records are required to comply with HIPAA or not:

These records fall in a gray zone between employment records and health records. Clearly the NFL understands what’s at stake if, as reported, they’ve proactively reached out to the HIPAA police. At least one federal court is on record in a similar case saying, essentially, C’mon, you know you’re a covered entity; get with the program.

Michael Magrath, current Chairman, HIMSS Identity Management Task Force, and Director of Healthcare Business, VASCO Data Security offered this insight into the breach:

This is a clear example that healthcare breaches are not isolated to healthcare organizations. They apply to employers, including the National Football League. Teams secure and protect their playbooks and need to apply that philosophy to securing their players’ medical information.

Laptop thefts are common place and one of the most common entries (310 incidents) on the HHS’ Office of Civil Rights portal listing Breaches Affecting 500 or More Individuals. Encryption is one of the basic requirements to secure a laptop, yet organizations continue to gamble without it and innocent victims can face a lifetime of identity theft and medical identity theft.

Assuming the laptop was Windows based, security can be enhanced by replacing the static Windows password with two-factor authentication in the form of a one-time password. Without the authenticator to generate the one-time password, gaining entry to the laptop will be extremely difficult. By combining encryption and strong authentication to gain entry into the laptop the players and prospects protected health information would not be at risk, all because organizations and members wish to avoid few moments of inconvenience.

This story brings up some important points. First, healthcare is far from the only industry that has issues with breaches and things like stolen or lost laptops. Second, healthcare isn’t the only one that sees the importance of encrypting mobile devices. However, despite the importance, many organizations still aren’t doing so. Third, HIPAA is an interesting law since it only covers PHI and covered entities. HIPAA omnibus expanded that to business associates. However, there are still a bunch of grey areas that aren’t sure if HIPAA applies. Plus, there are a lot of white areas where your health information is stored and HIPAA doesn’t apply.

Long story short, be smart and encrypt your health data no matter where it’s stored. Be careful where you share your health data. Anyone could be breached and HIPAA will only protect you so much (covered entity or not).

Steps In Integrating Patient-Generated Health Data

Posted on May 24, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As the number of connected health devices in use has expanded, healthcare leaders have grappled with how to best leverage the data they generate. However, aside from a few largely experimental attempts, few providers are making active use of such data.

Part of the reason is that the connected health market is still maturing. With health tracking wearables, remote monitoring set-ups, mobile apps and more joining the chorus, it might be too soon to try and normalize all this data, much less harvest it for clinical use. Also, few healthcare organizations seem to have a mature strategy in place for digital health.

But technical issues may be the least of our problems. It’s important to note that providers have serious concerns around patient-generated health data (PGHD), ranging from questions about its validity to fears that such data will overwhelm them.

However, it’s possible to calm these fears, argues Christina Caraballo, senior healthcare strategist at Get Real Health.  Here’s her list of the top five concerns she’s heard from providers, with responses that may help put providers at ease:

  • Fear they’ll miss something in the flood of data. Add disclaimers, consent forms, video clips or easy-to-digest graphics clarifying what consumers can and can’t expect, explicitly limiting provider liability.
  • Worries over data privacy and security: Give consumers back some of the risk, by emphasizing that no medium is perfectly secure, including paper health records, and that they must determine whether the benefits of using digital health devices outweigh the risks.
  • Questions about data integrity and standardization: Emphasize that while the industry has made great process and standardization, interoperability, authentication, data provenance, reliability, validity, clinical value and even workflow, the bottom line is that the data still comes from patients, who don’t always report everything regardless of how you collect the data.
  • Concerns about impact on workflow: Underscore that if the data is presented in the right framework, it will be digestible in much the same way as other electronic medical data.
  • Resistance to pressure from consumers: Don’t demand that providers leverage PGHD out of the gate; instead, move incrementally into the PGHD management by letting patients collect data electronically, and then incorporate data into clinical systems once all stakeholders are on board.

Now, I’m not totally uncritical of Ms. Caraballo’s article. In particular, I take issue with her assertion that providers who balk at using PGHD are “naysayers” who “simply don’t want to change.” While there are always a few folks fitting this description in any profession, the concerns she outlines aren’t trivial, and brushing them off with vague reassurances won’t work.

Truthfully, if I were a provider I doubt I would be comfortable relying on PGHD, especially biometric data. As Ingrid Oakley-Girvan of Medable notes, wearables giant Fitbit was hit with a lawsuit earlier this year alleging that its heart rate monitoring technology is inaccurate, and I wouldn’t be surprised other such suits arise. Digital health trackers and apps have transitioned from novelty to quasi-official medical device very quickly — some might say too quickly – and being cautious about their output just makes sense.

Nonetheless, PGHD will play a role in patient care and management at some point in the future, and it makes sense to keep providers in the loop as these technologies progress. But rushing them into using such data would not be wise. Let’s make sure such technologies are vetted before they assume a routine role in care.

Are Ransomware Attacks A HIPAA Issue, Or Just Our Fault?

Posted on April 18, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

With ransomware attacks hitting hospitals in growing numbers, it’s growing more urgent for healthcare organizations to have a routine and effective response to such attacks. While over the short term, providers are focused mostly on survival, eventually they’ll have to consider big-picture implications — and one of the biggest is whether a ransomware intrusion can be called a “breach” under federal law.

As readers know, providers must report any sizable breach to the HHS Office for Civil Rights. So far, though, it seems that the feds haven’t issued any guidance as to how they see this issue. However, people in the know have been talking about this, and here’s what they have to say.

David Holtzman, a former OCR official who now serves as vice president of compliance strategies at security firm CynergisTek, told Health Data Management that as long as the data was never compromised, a provider may be in the clear. If an organization can show OCR proof that no data was accessed, it may be able to avoid having the incident classed as a breach.

And some legal experts agree. Attorney David Harlow, who focuses on healthcare issues, told Forbes: “We need to remember that HIPAA is narrowly drawn and data breaches defined as the unauthorized ‘access, acquisition, use or disclosure’ of PHI. [And] in many cases, ransomware “wraps” PHI rather than breaches it.”

But as I see it, ransomware attacks should give health IT security pros pause even if they don’t have to report a breach to the federal government. After all, as Holtzman notes, the HIPAA security rule requires that providers put appropriate safeguards in place to ensure the confidentiality, the integrity and availability of ePHI. And fairly or not, any form of malware intrusion that succeeds raises questions about providers’ security policies and approaches.

What’s more, ransomware attacks may point to underlying weaknesses in the organization’s overall systems architecture. “Why is the operating system allowing this application to access this data?” asked one reader in comments on a related EMR and HIPAA post. “There should be no possible way for a database that is only read/write for specified applications to be modified by a foreign encryption application,” the reader noted. “The database should refuse the instruction, the OS should deny access, and the security system should lock the encryption application out.”

To be fair, not all intrusions are someone’s “fault.” Ransomware creators are innovating rapidly, and are arguably equipped to find new vectors of infection more quickly than security experts can track them. In fact, easy-to-deploy ransomware as a service is emerging, making it comparatively simple for less-skilled criminals to use. And they have a substantial incentive to do so. According to one report, one particularly sophisticated ransomware strain has brought $325 million in profits to groups deploying it.

Besides, downloading actual data is so five years ago. If you’re attacking a provider, extorting payment through ransomware is much easier than attempting to resell stolen healthcare data. Why go to all that trouble when you can get your cash up front?

Still, the reality is that healthcare organizations must be particularly careful when it comes to protecting patient privacy, both for ethical and regulatory reasons. Perhaps ransomware will be the jolt that pushes lagging players to step up and invest in security, as it creates a unique form of havoc that could easily put patient care at risk. I certainly hope so.

Health Data Sharing and Patient Centered Care with DataMotion Health

Posted on April 13, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Now that the HIMSS Haze has worn off, we thought we’d start sharing some of the great video interviews we did at HIMSS 2016. In this case, we did a 3 pack of interviews at the DataMotion Health booth where we got some amazing insights into health data sharing, engaging patients, and providing patient centered care.

First up is our chat with Dr. Peter Tippett, CEO of Healthcelerate and Co-Chairman of DataMotion Health, about the evolution of healthcare data sharing. Dr. Tippett offers some great insights into the challenge of structured vs unstructured data. He also talks about some of the subtleties of medicine that are often lost when trying to share data. Plus, you can’t talk with Dr. Tippett without some discussion of ensuring the privacy and security of health data.

Next up, we talked with Dennis Robbins, PHD, MPH, National Thought Leader and member of DataMotion Health’s Advisory Board, about the patient perspective on all this technology. He provides some great insights into patients’ interest in healthcare and how we need to treat them more like people than like patients. Dr. Robbins was a strong voice for the patient at HIMSS.

Finally we talked with Bob Janacek, Co-Founder and CTO of DataMotion Health, about the challenges associated with coordinating the entire care team in healthcare. The concept of the care team is becoming much more important in healthcare and making sure the care team is sharing the most accurate data is crucial to their success. Learn from Bob about the role Direct plays in this data sharing.

Thanks DataMotion Health for having us to your booth and having your experts share their insights with the healthcare IT community. I look forward to seeing you progress in your continued work to make health data sharing accessible, secure, and easy for healthcare organizations.

Breach Affecting 2.2M Patients Highlights New Health Data Threats

Posted on April 4, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A Fort Myers, FL-based cancer care organization is paying a massive price for a health data breach that exposed personal information on 2.2 million patients late last year. This incident is also shedding light on the growing vulnerability of non-hospital healthcare data, as you’ll see below.

Recently, 21st Century Oncology was forced to warn patients that an “unauthorized third party” had broken into one of its databases. Officials said that they had no evidence that medical records were accessed, but conceded that breached information may have included patient names Social Security numbers, insurance information and diagnosis and treatment data.

Notably, the cancer care chain — which operates on hundred and 45 centers in 17 states — didn’t learn about the breach until the FBI informed the company that it had happened.

Since that time, 21st Century has been faced with a broad range of legal consequences. Three lawsuits related to the breach have been filed against the company. All are alleging that the breach exposed them to a great possibility of harm.  Patient indignation seems to have been stoked, in part, because they did not learn about the breach until five months after it happened, allegedly at the request of investigating FBI officials.

“While more than 2.2 million 21st Century Oncology victims have sought out and/or pay for medical care from the company, thieves have been hard at work, stealing and using their hard-to-change Social Security numbers and highly sensitive medical information,” said plaintiff Rona Polovoy in her lawsuit.

Polovoy’s suit also contends that the company should have been better prepared for such breaches, given that it suffered a similar security lapse between October 2011 and August 2012, when an employee used patient names Social Security numbers and dates of birth to file fraudulent tax refund claims. She claims that the current lapse demonstrates that the company did little to clean up its cybersecurity act.

Another plaintiff, John Dickman, says that the breach has filled his life with needless anxiety. In his legal filings he says that he “now must engage in stringent monitoring of, among other things, his financial accounts, tax filings, and health insurance claims.”

All of this may be grimly entertaining if you aren’t the one whose data was exposed, but there’s more to this case than meets the eye. According to a cybersecurity specialist quoted in Infosecurity Magazine, the 21st Century network intrusion highlights how exposed healthcare organizations outside the hospital world are to data breaches.

I can’t help but agree with TrapX Security executive vice president Carl Wright, who told the magazine that skilled nursing facilities, dialysis centers, imaging centers, diagnostic labs, surgical centers and cancer treatment facilities like 21st are all in network intruders’ crosshairs. Not only that, he notes that large extended healthcare networks such as accountable care organizations are vulnerable.

And that’s a really scary thought. While he doesn’t say so specifically, it’s logical to assume that the more unrelated partners you weld together across disparate networks, it multiplies the number of security-related points of failure. Isn’t it lovely how security threats emerge to meet every advance in healthcare?

Access to Encrypted iPhones – The Apple Encryption Debate

Posted on February 19, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The tech world is in a frenzy over the letter Apple’s CEO Tim Cook sent to the FBI in response to a request for Apple to create essentially a backdoor to be able to access the San Bernardino terrorists iPhone. It’s a messy and a complex situation which puts government against industry and privacy advocates against security advocates. Tim Cook in his letter is right that “this moment calls for public discussion.”

My favorite venture capitalist blogger, Fred Wilson, summed it up best for me when he said this in response to Tim Cook’s assertion that the contents of your iPhone are none of Apple’s business:

That is not an open and shut case to me.

Of course I’d like the contents of my iPhone to be out of reach of everyone other than me. But if that means the contents of the iPhones of child pornographers, sex slaverunners, narco gangsters, terrorists, and a host of other bad people are “none of our business” then that gives me pause.

I don’t think we can have it both ways. We have to choose one way or the other.

I think this is also complicated by the fact that Apple had unlocked phones previously. Albert Wenger expresses my fears around this subject:

We cannot and should not be living in digital fortresses any more than we are living in physical fortresses at home. Our homes are safe from thieves and from government not because they couldn’t get in if they wanted to but because the law and its enforcement prevents them from doing so. All we have to do is minimal physical security (lock the doors when you are out).

Please repeat after me: Surveillance is a political and legal problem, not a technical problem.

This quote is particularly interesting to me since this weekend when my family and I were away on a trip for President’s Day weekend, someone broke into our house (Side Note: We’re all fine and they realized once they got in that we didn’t have anything valuable to take. We mostly just had to deal with a broken door).

I feel similar to my favorite VC who said “I am struggling with this issue this morning, and I imagine many others are too.”

Turning to the healthcare perspective, privacy and security of health information is so important. It’s literally the intimate details of your life. I’ve heard some argue that Apple creating a way for the FBI to access this one phone would mean that all of our health information on iPhones would be at great risk of being compromised. I think that’s an exaggeration of what’s happening, but I understand the slippery slope argument.

What’s interesting is that none of us want our healthcare data to be compromised. However, if we were in a coma and the life saving information was on our iPhone, we’d love for someone to have a way to access that information. I’ve seen startup companies who’ve built that ability into the iPhone home screen for just this purpose.

I guess I’m torn on the issue. Privacy is important, but so is security. This weekend I’m going to be chewing on “We cannot and should not be living in digital fortresses any more than we are living in physical fortresses at home.” The problem with this concept is that fortresses are something we can plan and build. The other solutions are much more complex.

Biometric Use Set To Grow In Healthcare

Posted on January 15, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

I don’t know about you, but until recently I thought of biometrics as almost a toy technology, something you’d imagine a fictional spy like James Bond circumvent (through pure manliness) when entering the archenemy’s hideout. Or perhaps retinal or fingerprint scans would protect Batman’s lair.

But today, in 2016, biometric apps are far from fodder for mythic spies. The price of fingerprint scan-based technology has fallen to nearly zero, with vendors like Apple offering fingerprint-based security options as a standard part of its iOS iPhone operating system. Another free biometric security option comes courtesy of Intel’s True Key app, which allows you to access encrypted app data by scanning and recognizing your facial features. And these are just trivial examples. Biometrics technologies, in short, have become powerful, usable and relatively affordable — elevating them well above other healthcare technologies for some security problems.

If none of this suggests to you that the healthcare industry needs to adopt biometrics, you may have a beef with Raymond Aller, MD, director of informatics at the University of Southern California. In an interview with Healthcare IT News, Dr. Aller argues that our current system of text-based patient identification is actually dangerous, and puts patients at risk of improper treatments and even death. He sees biometric technologies as a badly needed, precise means of patient identification.

What’s more, biometrics can be linked up with patients’ EMR data, making sure the right history is attached to the right person. One health system, Novant Health, uses technology registering a patient’s fingerprints, veins and face at enrollment. Another vendor is developing software that will notify the patient’s health insurer every time that patient arrives and leaves, steps which are intended to be sure providers can’t submit fradulent bills for care not delivered.

As intriguing as these possibilities are, there are certainly some issues holding back the use of biometric approaches in healthcare. And many are exposed, such as Apple’s Touch ID, which is vulnerable to spoofing. Not only that, storing and managing biometric templates securely is more challenging than it seems, researchers note. What’s more, hackers are beginning to target consumer-focused fingerprint sensors, and are likely to seek access to other forms of biometric data.

Fortunately, biometric security solutions like template protection and biocryptography are becoming more mature. As biometric technology grows more sophisticated, patients will be able to use bio-data to safely access their medical records and also pay their bills. For example, MasterCard is exploring biometric authentication for online payments, using biometric data as a password replacement. MasterCard Identity Check allows users to authenticate transactions via video selfie or via fingerprint scanning.

As readers might guess from skimming the surface of biometric security, it comes with its own unique security challenges. It could be years before biometric authentication is used widely in healthcare organizations. But biometric technology use is picking up speed, and this year may see some interesting developments. Stay tuned.

Tiny Budgets Undercut Healthcare’s Cyber Security Efforts

Posted on January 4, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

This has been a lousy year for healthcare data security — so bad a year that IBM has dubbed 2015 “The Year of The Healthcare Security Breach.” In a recent report, Big Blue noted that nearly 100 million records were compromised during the first 10 months of this year.

Part of the reason for the growth in healthcare data breaches seems to be due to the growing value of Protected Health Information. PHI is worth 10x as much as credit card information these days, according to some estimates. It’s hardly surprising that cyber criminals are eager to rob PHI databases.

But another reason for the hacks may be — to my way of looking at things — an indefensible refusal to spend enough on cybersecurity. While the average healthcare organization spends about 3% of their IT budget on cybersecurity, they should really allocate 10% , according to HIMSS cybersecurity expert Lisa Gallagher.

If a healthcare organization has an anemic security budget, they may find it difficult to attract a senior healthcare security pro to join their team. Such professionals are costly to recruit, and command salaries in the $200K to $225K range. And unless you’re a high-profile institution, the competition for such seasoned pros can be fierce. In fact, even high-profile institutions have a challenge recruiting security professionals.

Still, that doesn’t let healthcare organizations off the hook. In fact, the need to tighten healthcare data security is likely to grow more urgent over time, not less. Not only are data thieves after existing PHI stores, and prepared to exploit traditional network vulnerabilities, current trends are giving them new ways to crash the gates.

After all, mobile devices are increasingly being granted access to critical data assets, including PHI. Securing the mix of corporate and personal devices that might access the data, as well as any apps an organization rolls out, is not a job for the inexperienced or the unsophisticated. It takes a well-rounded infosec pro to address not only mobile vulnerabilities, but vulnerabilities in the systems that dish data to these devices.

Not only that, hospitals need to take care to secure their networks as devices such as insulin pumps and heart rate monitors become new gateways data thieves can use to attack their networks. In fact, virtually any node on the emerging Internet of Things can easily serve as a point of compromise.

No one is suggesting that healthcare organizations don’t care about security. But as many wiser heads than mine have pointed out, too many seem to base their security budget on the hope-and-pray model — as in hoping and praying that their luck will hold.

But as a professional observer and a patient, I find such an attitude to be extremely reckless. Personally, I would be quite inclined to drop any provider that allowed my information to be compromised, regardless of excuses. And spending far less on security than is appropriate leaves the barn door wide open.

I don’t know about you, readers, but I say “Not with my horses!”

Medical Device and Healthcare IT Security

Posted on December 21, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

In case you haven’t noticed, we’ve been starting to do a whole series of Healthcare Scene interviews on a new video platform called Blab. We also archive those videos to the Healthcare Scene YouTube channel. It’s been exciting to talk with so many smart people. I’m hoping in 2016 to average 1 interview a week with the top leaders in healthcare IT. Yes, 52 interviews in a year. It’s ambitious, but exciting.

My most recent interview was with Tony Giandomenico, a security expert at Fortinet, where we talked about healthcare IT security and medical device security. In this interview we cover a lot of ground with Tony around healthcare IT security and medical device security. We had a really broad ranging conversation talking about the various breaches in healthcare, why people want healthcare data, the value of healthcare data, and also some practical recommendations for organizations that want to do better at privacy and security in their organization. Check out the full interview below:

After every interview we do, we hold a Q&A after party where we open up the floor to questions from the live audience. We even allow those watching live to hop on camera and ask questions and talk with our experts. This can be unpredictable, but can also be a lot of fun. In this after party we were lucky enough to have Tony’s colleague Aamir join us and extend the conversation. We also talked about the impact of a national patient identifier from a security and privacy perspective. Finally, we had a patient advocate join us and remind us all of the patient perspective when it comes to the loss of trust that happens when a healthcare organization doesn’t take privacy and security seriously. Enjoy the video below: