Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

EMR ROI, Steve Jobs EMR, $1 Billion in EHR Stimulus, and EMR Data Security

Posted on December 11, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Some really interested EMR related tweets in tonight’s round up from around the EMR twittersphere. I’m testing out the new Twitter embed function. We’ll see how it does. It’s a convenient thing, but might need some tweaking.

As always, feel free to follow me on Twitter @techguy and/or @ehrandhit. If you’re on Twitter, let me know so I can make sure I’m following you as well.

Well said! EMR ROI can’t be certified, but it can be measured and planned for.

I wrote a bit about Steve Jobs and EMR before. The icon of Steve Jobs and creating something the way Steve Jobs did is going to be around for a very long time to come.

Over 10k eligible providers and $1 billion in stimulus money. I wonder how many of those 10k providers already had an EMR and how many implemented an EMR to get the stimulus money.

Definitely much higher than I’d have thought as well. Sure, every doctor wants their systems to be secure, but very few make it any sort of priority beyond expecting it to be secure.

EHR and Encryption, Down Computers and EHR, and State Health Exchanges Might Not Be Sustainable

Posted on November 13, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Time again for our weekend EHR Twitter round up. Let the fun begin.

@ahier – Brian Ahier
#EHR’s need encryption says @HealthPrivacy to Senate panel bitly.com/rTnx6s

Is there an EHR software that doesn’t use encryption? Is there a doctor’s office that’s paying for an EHR that doesn’t use encryption? Certainly not all EHR encryption implementations are created equal. In fact, I wish that things like encrypting data were part of an EHR certification. Why? Cause that’s something you can actually certify in a meaningful manner.

@drmikesevilla – Mike Sevilla, MD
RT @SeattleMamaDoc Computers all down in the exam rooms today. One major limitation of an EMR/EHR (dependence on a computer)

Definitely is one challenge with an EMR/EHR. I wonder how many patients were seen without the chart, because it couldn’t be found quickly. There are always pros and cons to IT. It does highlight the need to have a well thought out plan for how you’re going to care for patients when your EHR is down.

@iWatch – iWatch News
State health exchanges might not be sustainable after $548M in stimulus money runs out: bit.ly/t9QfSl #HIE #EHR

Wait, so changing the name of them from RHIO to HIE didn’t solve any of the problems with these exchanges? Oh yes, I forgot to mention the extra $548 million to help solve the problems. I think this best illustrates that money isn’t the issue or at least there are more issues with HIE than just the money.

EMR Security Monitoring Systems

Posted on September 21, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

There’s been an interesting situation going on between a couple EHR vendors. I first saw this when I got the press release that meridianEMR filed a lawsuit against UroChart. The lawsuit claims that UroChart obtained access to meridianEMR’s data.(Note: See this comment from IT Director of meridianEMR that discusses more details of what happened and how no data was breached.)

Lawsuits aside, meridianEMR is trying to capitalize on the situation by talking about their EMR security monitoring system was what notified them of the breach attack by UroChart. They call it their Advanced Monitoring System (AMS) and say it responds immediately to any breaches attacks and protects patient records.

I’m not sure if it’s a smart move to use a breach of their system as a way to promote their ability to protect patient records. I guess they can argue that their monitoring service was what protected their patient records. However, the lawsuit is claiming that patient records were at risk. I don’t think that’s something any EMR vendor wants tied to their name, is it?

Marketing strategy aside, this security monitoring service is interesting and I can’t say I’ve really seen something like it in any other EMR system. Sure, they all have some sort of audit tracking and trail. However, I think most EMR vendor’s strategy is not detection, but prevention. They harden their systems using the best techniques, but don’t do much to try and detect breaches. Should that be changed?

One problem with breaches is that good hackers know how to even avoid the detection part. I still remember when my friend showed me how he had hacked into a server and you could see him logged in. Then, he ran a script and you couldn’t see him anymore. I guess if you compare it to the physical world, it’s like having a camera watching the front door, but no camera on the back door. However, in the digital world there are lots of different doors, including those we don’t know about.

Some might argue that ignorance is bliss in this instance. Sure, no EMR vendor is going to admit that in public. Neither is a doctor. However, the regulations have made it pretty harsh when you know that there’s been a breach of your system. You basically have to make it known to all the world. However, if you don’t know that your EMR system has been compromised, then you have no such requirements.

I’m sure some people won’t like me saying this, but be sure that many doctors and EMR vendors have thought about this. I’m sure there were parallels in the paper world too. So, let’s not act like this is really that new. Although, certainly technology has made it possible to have much larger breaches.

One thing worth noting is that I haven’t seen a group of healthcare hackers forming. There’s no underground group of people that I’ve heard of that are trying to hack and get access to healthcare data. Financial data is much easier to monetize for a hacker than healthcare data. That’s not to say that healthcare data isn’t valuable and can’t have consequences if it’s put in the wrong hands. However, most hackers do it for the Lulz, for financial gain, or vengeance. Things could certainly change, but I haven’t seen healthcare as a prime target for hackers. I’d love to see if you have evidence that says otherwise.

If you evaluate the list of breaches that are published by HHS, this seems to agree with my above evaluation. Almost every single breach was just due to something being lost, a physical device being stolen (which you can almost guarantee they wanted the laptop and not the healthcare data which they probably didn’t even know was on the laptop), or inappropriate use by someone on a system already.

It will be interesting to see how these EMR security monitoring systems evolve. Plus, will we see more need for these type of protections and monitoring of EMR systems?

Can Providers Cope With EMR Security Challenges?

Posted on June 15, 2011 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Boy, back in the good old days, protecting patient data was comparatively easy. All you had to do was make sure that nobody got their hands on a patient’s paper chart who shouldn’t be looking at it.

After all, simple stuff like locking file rooms and making sure charts never get left in a public place are pretty easy to understand. Sure, paper records get stolen or rifled through now and then — no system is perfect — but putting processes in place to prevent unauthorized chart access isn’t that complicated.

On the other hand, introducing electronic medical records  — plus e-prescribing, digital sharing of lab results and more — is a completely different kettle of fish.

For one thing, providers must control access to medical information stored in their EMR in a far more sophisticated way than they had with paper charts.  For example, while role-based access to data may not sound too threatening to your average IT boss, it’s not exactly intuitive if you’re not a geek. Figuring out just who should get access to what gets a lot more complicated than when you used to just have to pull and route a chart.

Another issue: few clinicians know much about data security, and it’s not likely that they’re going to suddenly get wildly excited about encryption or VPNs.  Sure, you can warn them that it comes down to whether some random stranger (or even a staff member) will steal their patients’ Social Security numbers or broadcast medical secrets. But it’s just about impossible to explain security issues without wandering into scary jargon that will alienate the heck out of many doctors.

Of course, healthcare organizations can make sure their clinicians are trained to understand the importance of  securing their EMR. And they can even explain why specific types of security measures will limit their HIPAA exposure, the best pitch you can make to non-techies.

Still, the bottom line is that moving from paper to EMRs isn’t just a change-management exercise. It forces clinicians to think about how they use, distribute and share data on a profound level. I hope it does, anyway…cause if providers aren’t ready to think about these issues, things aren’t going to be pretty.

HIPAA Lawsuit – PHI by Un-encrypted Email

Posted on December 29, 2010 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

In kind of ironic timing, the news was recently reported of a patient talking to lawyers about a possible lawsuit against a doctor who sent her protected health information (PHI) to his home email in an un-encrypted format. The irony is that for the past week, my post on Email not being HIPAA secure has been having a really good discussion happening in the comments about these very issues (you should go read through the comments, they’re very interesting).

One interesting part of the above news story is that it didn’t even include the most common personal information used for identity theft. Certainly a person’s name and medical information should be kept private as well and could have consequences related to its release on the internet. However, it definitely doesn’t bring out the privacy critics like a breach of financial related info would bring.

While I personally hate lawsuits, a part of me kind of hopes that this or some other lawsuit happens related to email and PHI. Not because I like lawsuits or I want someone to be held responsible. Mostly because we could use some legal precedent to better enable those who want to use technology like email. Until the precedence is set (or a more specific law), I think that many people are just too afraid to use email for any sort of health care related communication.

In the comments I mentioned above, someone even commented about them wanting a doctor who would let them waive their right to privacy in the name of convenience. Basically, they would rather use email to communicate even PHI at the risk of someone seeing their health information so that they can use communication tools like email in their healthcare. I bet there are a lot more people who would opt in for this also. The problem is that the law is such that I don’t know many doctors who are willing to take the risk even if the patient gives them permission.

The best alternative right now is the patient portal where a patient receives an email saying something has been added or updated on the portal and invites them to login to the private secured portal to see the PHI or other health information. Not perfect and not that broadly adopted.

Lots of other issues related to email with doctors, but at least resolving the privacy and security ones would allow us to focus on those other issues.

Healthcare Data Breaches

Posted on September 23, 2010 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I was recently sent an Information Week article on the “Steady Bleed: State of HealthCare Data Breaches.” The article basically tries to list out all of the data breaches that are happening in healthcare and how healthcare companies aren’t doing what they need to do to protect patient data.

Now, I’ll be the first to acknowledge that more can always be done. I even agree that more can and needs to be done to protect patient information. However, I don’t agree with the article’s assertion that the use of an electronic health record (EHR) is the reason why health care providers are so poorly securing patient information.

Many of you might remember my post on EMR and EHR about HIPAA Breaches related to EMR. In that post, I discuss how it’s unfair for someone to automatically assume that if there was a breach, then it was the electronic medical record software’s fault. In the analysis I did in the above post, I found that most of the HHS list had nothing to do with EMR software. In fact, many of the HIPAA breaches were lost devices which contained lists of insurance information. EHR had nothing to do with that.

I’m not saying that breaches don’t happen with an EMR. They do. However, most of the examples given in the Information Week article could have happened just as easily in the paper world. It didn’t take an electronic health record for people to start looking up famous sports stars health information.

Maybe the real difference with an EHR is that now we can know and track who accesses each patient record. That just means that now we actually know about all the violations whereas with paper charts they’d just happen and we’d likely never know about it or have a way to prove that it happened. So, yes, the number of reported HIPAA breaches should be going up. We have more information to report on.

The good thing long term is that with an EHR we now have tracking mechanisms that allow us to hold someone accountable for their breaches of HIPAA. If this accountability is taken seriously, the number of breaches will go down. That’s a much better long term solution than the naive ignorance of not knowing about breaches in the paper chart world.

Sure not all EHR software is secure. They need to fix that and improve that. However, the numbers and reports I’ve seen don’t seem to indicate that breaching an EHR software’s security is the real problem. There are far easier ways to take patient data than trying to breach an EHR’s security system. Let’s focus on those other ways that people take patient data and punish it appropriately. That’s far more productive than saying that we’re rushing too quickly into an unsecured EHR world.

EMR Security Problem

Posted on November 11, 2009 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

On EMR Update a user posted an interesting security problem with their EMR software:

I was on our user’s forum reading about a security flaw in our EMR. There were some discussions about the ability to circumnavigate prescription privileges and have your staff write themselves narcotics. We couldn’t figure out if anyone had done anything like this in our office, so I had our IT guy spend some time in the system. He was able to determine that one of our staff members had in fact been printing out an old script that had been written in the past and manually faxing it to pharmacies around town. The problem with the software is that it lets you print out a script from a locked note, and it prints out with the present date so it can be filled!

Has anyone else had staff in their EMR get away with writing bogus prescriptions? If you don’t know, you may want to check your system. Obviously this is an intolerable situation. We are hoping our vendor will take this seriously for once and get it fixed quickly. Otherwise, we will be forced to look elsewhere for a replacement EMR that doesn’t have this issue.

I love this story, because it highlights a number of interesting things.

1. The challenge of creating a secure, usable, and effective EMR. It’s NOT easy.

2. How responsive will your EMR vendor be to end user requests?

3. What would it take for you to switch EMR software? Can you imagine?