
Achieve Cybersecurity While Complying with HIPAA Standards

Posted on March 8, 2013 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Tony Jeffs, Cisco
The following is a guest post written by Tony Jeffs, Sr. Director, Product Management & Marketing, Global Government Solutions Group at Cisco.

Within the past 24 months, nine out of 10 hospitals in the U.S. have fallen victim to an attack or data breach, according to a recent report from the Ponemon Institute. The landscape of the healthcare IT industry is transforming rapidly due to significant changes in patient information management and today’s evolving threat landscape. Advancements in technology and government regulations have powered an explosive growth in the creation and storage of protected health information (PHI). To prepare for new attacks targeting sensitive patient data, healthcare organizations need to recognize the risks of noncompliance and how the deployment of certified, secure, and trusted technologies will help ensure compliance with Health Insurance Portability and Accountability Act (HIPAA) standards.

According to the 2012 National Preparedness Report conducted by the Federal Emergency Management Agency, the healthcare industry is already prepared for many types of emergencies and contingencies. However, the same study showed that healthcare organizations are overall still unprepared for most cyber attacks.

The report highlighted that cybersecurity “was the single core capability where states had made the least amount of overall progress.” Of the state officials surveyed, merely 42 percent feel they are adequately prepared. The report also showed that in the last six years, less than two-thirds of all companies in the U.S. have sustained cyberattacks. From 2006 to 2010, the number of reported attacks in the U.S. rose by 650 percent. During the Aspen Security Forum last year, Keith B. Alexander, head of the National Security Agency and the new United States Cyber Command, indicated that the U.S. has seen a 17-fold rise in attacks against its infrastructure from 2009 through 2011.

In such an environment, it is a top priority for healthcare organizations to comply with HIPAA standards. Before the signing of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009, it was understood industry-wide that HIPAA was not strictly enforced. Under HITECH, healthcare providers could be penalized for “willful neglect” if they failed to demonstrate reasonable compliance with the Act. The penalties could be as high as $250,000 with fines for uncorrected violations costing up to $1.5 million.

In certain instances, HIPAA’s civil and criminal penalties now encompass business associates. While a citizen cannot directly sue their healthcare provider, the state attorney general could bring an action on behalf of state residents. In addition, the U.S. Department of Health and Human Services (HHS) is now required to periodically audit covered entities and business associates. This implies that healthcare providers are required to have systems in place to monitor relationships and business practices to guarantee consistent security for all medical data.

If information systems are left vulnerable to attack, providers face significant risks to their business. These targeted attacks in the healthcare industry can come in a variety of forms. In Bakersfield, CA, the Kern Medical Center was attacked by a virus that crippled its computer systems. The hospital took approximately 10 days to bring the doctors and nurses back online. A Chicago hospital was attacked by a piece of malware that forced the hospital’s computers into a botnet controlled by the hacker. A year later, the hospital was still dealing with the attack’s aftermath. Following the theft of a computer tape containing unencrypted personal health information from an employee’s automobile, the DoD faced a multi-billion-dollar lawsuit. The Veterans Administration (VA) fought a two-year battle against intrusions into wireless networks and medical devices, including picture archiving and communication systems (PACS), glucometers and pharmacy dispensing cabinets.

Patients are protected against identity theft if medical information is encrypted and secured. Simultaneously, information must be kept readily available when necessary, such as for emergency personnel. The subsequent benefits are important in order to keep businesses competitive, including better quality of patient care, improved patient outcomes, increased productivity and workflow efficiency, better information at the point of care and improved and integrated communications between doctors and patients.

The Key to HIPAA Compliance

In order to meet the HITECH Act requirements, encryption must be used on the main service provider network as well as its associated partner networks. Encryption uses an algorithm to convert the data in a document or file into an indecipherable format before it is delivered; the recipient then decrypts the data, so that anyone without the key cannot read it along the way. Successful use of encryption depends on two things: the strength of the algorithm, and the security of the decryption “key” or process, both when data is in motion across a network and when data is at rest in databases, file systems, or other structured storage.
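The paragraph above names the two properties that matter for encrypted PHI at rest: the algorithm must be sound, and the key must be the only secret. The following Go program is an added illustration and is not code from the post, from Cisco, or from any product the post mentions. It encrypts a constructed sample record with AES-256-GCM, then shows that the right key recovers it, a different key recovers nothing, and a single flipped bit in the stored blob is rejected rather than decrypted to garbage. The record id is bound in as additional authenticated data so a blob cannot be quietly moved to another patient's row. The Go standard library used here is not itself a FIPS 140-2 validated module; the example shows the mechanism the post describes, not the certification.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// Constructed sample PHI record for the demonstration; not real patient data.
const sampleRecord = `{"mrn":"MRN-000001","name":"J. Doe","dx":"E11.9"}`

// NewKey returns a fresh 256-bit AES key. In a real deployment the key lives
// in a key manager or HSM, never in the same store as the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. A random nonce is prepended so the
// stored blob is self-describing; aad (here the record id) is authenticated but
// not encrypted, which ties the blob to the row it belongs to.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. Any change to the ciphertext, nonce, key or aad makes
// GCM authentication fail, so the caller never sees a corrupted record.
func Open(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// RoundTrip checks the three properties the text relies on and returns
// (right key recovers the record, wrong key fails, tampered blob fails).
func RoundTrip() (bool, bool, bool, error) {
	key, err := NewKey()
	if err != nil {
		return false, false, false, err
	}
	wrongKey, err := NewKey()
	if err != nil {
		return false, false, false, err
	}
	aad := []byte("MRN-000001") // record id bound to the ciphertext
	blob, err := Seal(key, []byte(sampleRecord), aad)
	if err != nil {
		return false, false, false, err
	}
	pt, err := Open(key, blob, aad)
	okWithKey := err == nil && string(pt) == sampleRecord

	_, err = Open(wrongKey, blob, aad)
	failsWrongKey := err != nil

	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // flip one bit of the stored blob
	_, err = Open(key, tampered, aad)
	failsTampered := err != nil

	return okWithKey, failsWrongKey, failsTampered, nil
}

func main() {
	key, _ := NewKey()
	blob, _ := Seal(key, []byte(sampleRecord), []byte("MRN-000001"))
	fmt.Println("stored blob (hex):", hex.EncodeToString(blob))
	ok, wrong, tamper, err := RoundTrip()
	fmt.Println("right key decrypts:", ok, "| wrong key rejected:", wrong,
		"| tampering rejected:", tamper, "| error:", err)
}
```

The point for a compliance review is the last two results: with an authenticated mode, losing the ciphertext alone exposes nothing, and a modified blob is refused rather than read back as a subtly wrong chart. The key, and the process that hands it out, is what has to be protected.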

In order to achieve HIPAA compliance, healthcare providers should leverage verified, certified network security products and architectures. Products certified against the Federal Information Processing Standard (FIPS) 140-2 for encryption, which is recommended by the HHS and mandated by the U.S. Department of Defense (DoD), reliably safeguard healthcare data with proven security in order to diminish risks without increasing costs.

Technologies that are fully FIPS-140 certified provide organizations a level of security that will remain compliant through at least 2030, unlike legacy cryptographic systems.

A New Degree of Confidence

Today, closed networks are almost nonexistent as most offices have Internet access, at the minimum. With the use of electronic transactions increasing in healthcare, including e-prescriptions and electronic communication, many medical organizations use open systems that necessitate the use of encryption technologies.

Technology providers can easily assert that a system is secure by using the highest level of encryption technologies on the market. With the degree of public visibility of breaches of trust, organizations have no reason to risk exposure with technology systems that fail to meet the FIPS 140-2 standard for data encryption. Without this certification, the cryptography function on the network has demonstrated a less than 50 percent chance of being correctly implemented, which also implies there is a 50 percent chance that the cryptography can be cracked. By purchasing solutions with FIPS validation, healthcare organizations achieve a new degree of reassurance that their critical data is secure, allowing them to minimize risk without an increase in costs.

Phone Tree EHR Integration

Posted on October 7, 2010 | Written By John Lynn

While at the AAFP conference recently, I saw a company called PhoneTree that I found interesting. They essentially take care of all the automated calling for the doctor’s office.

I was a bit surprised that a company like this is still around. Is there still a market for narrowly focused products like this? I know that many EHR vendors have integrated these types of features into their PMS and EMR software.

The other problem I had with this company was that they only have a one-way interface for calling. Basically, you dump a CSV file out from your scheduling system and they make the calls. However, there’s no method of getting the data back to the EHR software so you can know who confirmed and who didn’t in your EHR. Seems like a no-brainer feature to me, but it seemed to barely be on their radar. Probably because it would require an interface, and interfaces are the worst to manage.

Of course, the really cool technology with phones is coming from the Cisco IP phones. I love the integrations that you can do with a Cisco phone and I love the idea of a soft phone on your computer even more. Too bad Cisco is so bloody expensive.

EMR Integration with Cisco IP Phones

Posted on September 10, 2009 | Written By John Lynn

One of the lunch demos I saw at the EHR Stimulus tour was a demo of the integration of a Cisco IP phone with an EMR. I’ll admit that they are VERY brave souls to try and do a demo like this since it’s just prone to problems. Demos are always that way. Plus, I think you can get the picture of what’s happening without seeing it. At least I could have and everyone else that couldn’t probably just saw all the configuration and thought it was too complex to even consider.

That part aside, there were a couple of things that were intriguing about the demo. First, as they said, it’s interesting to see how hardware can really affect and interact with your EMR. That’s an interesting concept that I think is worth exploring a lot more. Second, if set up correctly there are a couple of features that are interesting and useful. However, I’m not sure it’s really worth the cost or hassle to get these features. They are kind of nice to have, but aren’t deal breakers or makers.

The feature that I did find interesting was that it would bring up the patient name/information on the phone when they are calling. I’d be interested to see how much information can really fit on the phone. However, even if it’s just a patient ID which you can use to quickly pull up the patient’s chart, then it’s a nice time saver. Plus, you can quickly verify that it is indeed the patient that’s calling using the information on the phone. Very cool feature and pretty useful. I imagine if you worked in an office with this you’d take it for granted until you moved to an office that didn’t have it and you’d miss it.

The other feature that’s cool is really just IP phone specific and that’s having a soft phone on your computer (basically the phone just runs on your computer and you can use a headset plugged into your computer). Saves on the cost of the often expensive IP phones and I expect we’re going to see some pretty amazing advances in soft phones.

Like I said. These weren’t things that should change your EMR decision, but it is a preview of some of the types of technologies we can see integrated with an EMR.

EHR Stimulus Alliance Sickens Me

Posted on May 18, 2009 | Written By John Lynn

I previously posted about the EHR stimulus tour (no link since I don’t want to promote them). Today I saw what seems to amount to a press release that talks about the “EHR Stimulus Alliance” and their tour to “educate 500,000 U.S. physicians about opportunities aligned with the American Recovery and Reinvestment Act (ARRA) of 2009.”

This type of puffery just makes me sick. No. Not the educating 500,000 physicians. That’s a good thing and part of the motivation for this blog. The thing that makes me sick is this seems like just a big marketing campaign for Allscripts. Sure they have a list of other partners, but they’re basically partners of Allscripts. Check out the list: Allscripts, Cisco, Citrix, Dell, Intel, Intuit, Microsoft Corp., and Nuance. The press release calls it a “broad coalition of healthcare and technology companies.” Too bad Allscripts is the only true healthcare company in that list. All the others are technology companies that sell some healthcare products.

I just don’t like when an “education tool” is really just being used as a marketing tool for a certain EHR company. If they really wanted to help adoption, they’d sponsor a tour with a whole variety of EHR vendors where they can help doctors to be able to see the wide variety of EHR vendors that exist.

Someone recently emailed me about any conferences that exist for a doctor to be able to evaluate EHR companies all in one place. I know there have been a number of other ones in the past that no longer exist. The only one I know is still going is HIMSS. Does anyone else know of other places where doctors can see a bunch of great EHR? I ask this knowing that many really great EHR just haven’t seen the benefit of these types of shows.

Also, if anyone has a chance to go to one of these EHR Stimulus tour stops, I’d love to have you do a guest post on the experience. I sent them a tweet asking if they can stop in Las Vegas so I can check it out.

EHR Stimulus Tour

Posted on May 4, 2009 | Written By John Lynn

Turns out the fish are starting to feed. Check out this website that talks about the “EHR Stimulus Tour: Educating the Nation.” Ok, I don’t really want you to check out the website, since I think it’s kind of sad. At the bottom it lists the “EHR Stimulus Alliance.” The following companies are listed in this EHR alliance:
Allscripts
Cisco
Citrix
Dell
Intel
Intuit
Microsoft
Nuance

What a group of large companies trying to sell a bunch of product. I guess we should have expected something like this, but maybe I’m just a little surprised that they made a website for an EHR stimulus tour and everything. Interestingly, the Twitter link on the site goes to an Allscripts Twitter account. I think we can clearly see who’s behind this website.

Honestly, this reminds me of an Amway or other MLM convention. Is it any wonder the type of information that will be given at this type of tour? I guess $18 billion is a lot of motivation to market your EHR software. I just wish they were stopping in Las Vegas so that I could go and check them out.