
Healthcare Providers and Patients Deserve Better Security

Posted on June 1, 2015 | Written By

The following is a guest blog post by Anna Drachenberg, Founder and CEO of HIPAA Risk Management.

Our firm has been helping dentists and other healthcare providers with their HIPAA security compliance for several years. Based on our customers’ experience, many dentists lack healthcare IT partners who are committed to data security and HIPAA compliance. Unfortunately, this lack of commitment appears to be an epidemic across healthcare IT, and healthcare providers and patients need to demand a change.

In our recent alert, Dentrix Vulnerabilities and Mitigation for HIPAA Compliance, we described two major vulnerabilities we’ve had to assist our clients in mitigating in order to protect their patients’ data and comply with our clients’ HIPAA security policies. Our regulatory and data security experts were concerned, on behalf of our clients, with the way Henry Schein handled these two issues. More concerning, this seems to be a trend with many healthcare IT companies.

From the article, “In October 2012, it was reported to the Community Emergency Response Team (CERT) that all Dentrix G5 software was installed with hard-coded credentials to access the back-end database.” Pretty serious, right? The National Vulnerability Database gave this a severity score of 5.0 and an exploitability score of 10.0. In the CERT notification you can see that the vulnerability was credited to Justin Shafer, not the vendor, Henry Schein, and there are several months between the time that the exploit was reported (11/22/2012) until Henry Schein released a fix for the issue (2/13/2013). Read the linked article for more details on the fix Henry Schein provided.

In a time when most industries are embracing security and offering “bug bounties,” many in the healthcare IT industry are trying to ignore the problem and hope that their customers are ignoring it, too. Take the recent panic over hackers controlling airplanes. What did United Airlines do? Offer a bug bounty that pays out in airline miles that can be redeemed for free tickets. Most software and IT companies offer similar bug bounty programs and actively cooperate with independent security professionals. These companies know that every bug that is found before it is exploited can save millions of dollars and improve their product.

I’d like to challenge all of the blog readers today to find a healthcare IT vendor who has the same approach to security. For that matter, do a search of the CERT vulnerability database or the National Vulnerability Database for any healthcare software or product you know, or for general terms like medical, hospital, healthcare. Surprised at the lack of issues reported and fixed? Are we really supposed to believe that the healthcare IT developers are superior to other industries?

Note: The only results in a search I did on 5/30/2015 of the National Vulnerability Database for “Epic” are vulnerabilities in the Epic Games Unreal Tournament Engine. It is good to know that my video game company cares about my data security.

Everyone who purchases, administers, and uses healthcare IT systems and software deserves vendors who are committed to security. Consider for a moment – the customers of these products are the responsible parties for ensuring the security of the data they put into these systems. Although the change to business associates under the HIPAA Omnibus Rule puts more liability on some of these vendors, the covered entity is still ultimately responsible and takes the hit to its reputation. Patients, the ones who experience harm when these systems are breached, have to rely on their doctors and other healthcare providers to ensure that the healthcare IT software and products are secure. I don’t know about you, but I really hope that my physician spent more time in medical school learning about medicine than he did about encryption.

It’s time for all of us in the healthcare industry to demand that our vendors have the same level of commitment to security as the healthcare providers who are their customers. It’s time for all of us as patients to demand that these vendors improve the security of the products used by our healthcare providers.

One last note. In our alert, we link to Dentrix’s notice on the type of “encryption” they offer on one of their products. From Dentrix’s article:

“Henry Schein introduced cryptographic technology in Dentrix version G5 to supplement a practice’s employee policies, physical safeguards and data security. Available only in Dentrix G5, we previously referred to this feature as encryption. Based on further review, we believe that referring to it as a data masking technique using cryptographic technology would be more appropriate. Regardless of what you call it…”

To your clients, it matters what the federal government “calls” it, and they don’t call it encryption.

About Anna Drachenberg
Anna Drachenberg has more than 20 years in the software development and healthcare regulatory fields, having held management positions at Pacificare Secure Horizons, Apex Learning and the Food and Drug Administration. Anna co-founded HRM Services, Inc., (hipaarisk.com) a data security and compliance company for healthcare. HRM offers online risk management software for HIPAA compliance and provides consulting services for covered entities and business associates. HRM has clients nationwide and also partners with IT providers, medical associations and insurance companies.

Medicaid Doctors and Dentists Gaming the EHR Incentive Program

Posted on June 29, 2012 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I guess I should have known that it would only be a matter of time before I’d see something like this come out. As best I can tell, Dentrix has partnered with Henry Schein to offer what they’re calling Dentrix Meaningful Use Access 7.6. Seems like Henry Schein is using the Dentrix name to get Dentists access to the Medicaid EHR incentive money. On its face, I don’t see any problem with this.

Although, once you start to dig into it, it appears that Dentrix and Henry Schein are partnering to get Dentists the first Medicaid EHR incentive check without even implementing the EHR. You have to remember that the Medicaid EHR stimulus money doesn’t require you to show meaningful use of the EHR. You just have to acquire the EHR technology.

Look at some of the verbiage from the website for the program:

Definition of Adopt, Implement, or Upgrade:
For Medicaid, the eligible provider must Adopt, Implement, or Upgrade (AIU) certified EHR software. As posted on the CMS website, for AIU, a provider does not have to have installed certified EHR technology. The definition of AIU in 42 CFR 495.302 allows the provider to demonstrate AIU through any of the following:
*Acquiring, purchasing or securing access to certified EHR technology
*Installing or commencing utilization of certified EHR technology capable of meeting meaningful use requirements
or
*Expanding the available functionality of certified EHR technology capable of meeting meaningful use requirements at the practice site, including staffing, maintenance, and training, or upgrade from existing EHR technology to certified EHR technology per the ONC EHR certification criteria.

Thus, a signed contract indicating that the provider has adopted or upgraded would be sufficient.

To be honest, I’m torn between whether this is genius or filthy. According to the letter of the law, I don’t know of any reason that someone with the right Medicaid population can’t purchase an EHR like this for $2000 and then collect the EHR incentive money. The regulations don’t require them to do any more to collect the money. Although, that’s certainly not the intent of the EHR incentive money and it definitely feels like they’re gaming the system if they do it with no intent to actually implement the EHR.

Another piece from the website:

While Henry Schein currently has no plans to pursue a Meaningful Use solution beyond Stage 1, Year 1 for Dentrix, we continue to monitor healthcare reform to determine what subsequent steps, if any, should be taken regarding Meaningful Use criteria and certification.

At least they’re up front with the Dentists that they’re not planning to go beyond meaningful use stage 1, but may change their minds. I’m sure this is music to ONC’s ears to hear that they’re only committing to meaningful use stage 1.

If your strategy is to just help these dentists get the first EHR incentive check, then why should you worry about MU stage 2? Wouldn’t you love to be a salesperson for this product? Here’s your pitch: Pay me $2000 for this EHR, go through 5 steps on the government website and you’ll get paid $21,250.00.

I wish I could see something legally wrong with this idea. Someone I talked to mentioned that even for the Medicaid EHR incentive money you have to check some box saying that you comply with the HIPAA requirements. Well, these clinics have to do that anyway. Many don’t, but they’ll check that box anyway thinking that they comply whether they do or not.

The biggest surprise for me might be that Henry Schein is willing to have their name associated with a program like this. I’ll be interested to see who else picks up on this glaring issue with the Medicaid EHR incentive and what ONC/CMS/HHS do to close it up (if they can).

EMR Stimulus Q and A: EMR Stimulus Money and Dentists

Posted on November 18, 2010 | Written By John Lynn

I must admit that the following question is one that I don’t have a very good answer to. However, I’ll offer what I know and hopefully the readers of the site can also chime in with their thoughts in the comments of this post. This question was posted in the comments of my previous EMR Stimulus question and answer post.

Can you help out another reader with a pressing question? Where can I find a good listing of EHRs for dentists? I’m looking specifically for ONC certified products that cater to dental practices and I’m coming up short so far. I know that DDS/DMDs can qualify for incentives under ARRA and they’ll be dinged on the Medicare side if they don’t use EHRs, but how are they supposed to comply if the software’s not out there for them? I’ve talked to several vendors with ONC certification who basically said they’re ignoring dentists in their outreach/software development (due to the larger potential market for internal medicine/general practice, the specialization required for dental systems, etc). A lot of dentists have PMS that they mistakenly believe are full EHRs, but it seems like there is a huge market out there for dental EHRs that is being ignored.

There was some discussion in the comments of the post where the above questions and comments were posted about whether Dentists do in fact qualify for EMR stimulus incentives. My understanding was that they could qualify. This of course assumes that they have enough Medicare and they were meaningful users of a certified EHR (as with everyone else). Although, I believe dentists are considered eligible providers (I’m sure someone will correct me in the comments if I’m wrong).

Unfortunately, I haven’t seen any EHR list by ONC or anyone else for that matter that has EHR software for dentists. Of course, I posted a link to the official ONC-ATCB certified EHR list before. So, watching that list might be the place to start. Although, that list is going to grow between now and the end of the year quite quickly. I won’t be surprised if that list is at least double or triple the size that it is now.

I must admit that I don’t know many of the dentist-specific EHRs, so I couldn’t go through the list to find the EHR software that is a certified EHR for dentists. If someone else does and wants to share it in the comments, I’ll post that list for others to see too.

I have heard of one dentistry software package called Dentrix. I asked my friend who does some work with them about their take on the EHR stimulus money for dentists. He said that he’s asked for more info himself and the only answer he gets is that they need to talk to Dentrix Enterprise. I guess they have multiple versions of their software. Sounds like they are a bit like Allscripts with a ton of different EHR packages depending on the size of the office. Unfortunately, Dentrix didn’t answer my (and others’) request on Twitter for information about the EHR stimulus for dentists.

One thing is certain. Dentists that try for the EHR stimulus money will likely be happy to invoke the exception clause for some of the meaningful use requirements that don’t apply to them.