Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Patient Portal Use Rising Rapidly

Posted on October 25, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

A new study has concluded that patient portal use has shot up over the past few years, with a substantial majority of patients reporting that they use provider portals if possible.

The purpose of the study, results of which was published in Perspectives in Health Information Management, was to examine how healthcare consumers saw their interactions with provider portals, their use of personal health records and their take on the process of releasing health data.

According to a 2015 study cited by the article’s authors, 53% of HIM professionals reported charging consumers for both electronic and paper copies of their health information. Thirty-eight percent said they had a patient portal, but less than 5% of patients were using it.

Over the last two years, however, the picture has changed a great deal. Researchers conducting the current study found that only 10% of consumers were charged for their health information. In addition, 49% reported that they maintained a personal health record. Eighty-three percent of respondents said that their providers had portals, and 82% said that they were taking advantage of their provider’s portal where available.

Patient uses for portals included viewing lab results (35%), requesting medication refills (19%), requesting appointments (22%), secure messaging (19%) and other (5%). Among portal users, 53% were very satisfied and 38% were satisfied with their experiences.

Meanwhile, 49% of respondents said they maintained PHRs, with top record format being combined paper and electronic (46%), followed by paper only (35%), electronic only (18%) and other (1%).

It’s important to note that the study population was especially healthcare-savvy. Participants chosen were campus-based and online students enrolled in a College of Health Professions course, alumni of BA programs in HIM at the researchers’ university, local AHIMA members and the researchers’ family and friends.

The article argues that because the participants were all current healthcare consumers, they were qualified participants. That may be so, but the high concentration of HIM-friendly respondents probably stacked the deck somewhat. (To be fair, the authors admit this.)

That being said, even these relatively sophisticated respondents weren’t completely comfortable with the health data access they had. Complaints cited by consumers included a lack of interoperability between physicians’ offices and electronic PHI, as well as the difficulty of getting data into the portal or updated when already present. Others reported having concerns about health data security.

All told, it looks like the hoped-for growth in patient health data use is taking place over time. I suspect that a direct comparison between less-informed consumers from 2015 and today would show less pronounced changes, though.

 

Costs Of Compromised Credentials Rising

Posted on March 3, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

Healthcare organizations face unique network access challenges. While some industries only need to control access by professional employees and partners, healthcare organizations are increasingly opening up data to consumers, and the number of consumer access points are multiplying. While other industries face similar problems – banking seems particularly relevant – I don’t know of any other industry that depends on such a sophisticated data exchange with consumers to achieve critical results.

Given the industry’s security issues, I found the following article to be quite interesting. While it doesn’t address healthcare concerns directly, I think it’s relevant nonetheless.

The article, written by InfoArmor CTO Christian Lees, contends that next-generation credentials are “edging toward a precarious place.” He argues that because IT workers are under great pressure to produce, they’re rushing the credentialing process. And that has led to a lack of attention to detail, he says:

“Employees, contractors and even vendors are rapidly credentialed with little attention given to security rules such as limiting access per job roles, enforcing secure passwords, and immediately revoking credentials after an employee moves on…[and as a result], criminals get to choose from a smorgasbord of credentialed identities with which to phish employees and even top executives.”

Meanwhile, if auto-generated passwords are short and ineffective, or so long that users must write them down to remember them, credentials tend to get compromised quickly. What’s more, password sharing and security shortcuts used for sign-in (such as storing a password in a browser) pose further risk, he notes.

Though he doesn’t state this in exactly these words, the problem is obviously multiplied when you’re a healthcare provider. After all, if you’re managing not only thousands of employee and partner credentials, but potentially, millions of consumer credentials for use in accessing portal data, you’re fighting a battle on many fronts.

And unfortunately, the cost of losing control of these credentials is very high. In fact, according to a Verizon study, 63% of confirmed data breaches happening last year involved weak, default or stolen passwords.

To tackle this problem, Lees suggests, organizations should create a work process which handles different types of credentials in different ways.

If you’re providing access to public-facing information, which doesn’t include transaction, identifying or sensitive information, using a standard password may be good enough. The passwords should still be encrypted and protected, but they should still be easy to use, he says.

Meanwhile, if you need to offer users access to highly sensitive information, your IT organization should implement a separate process which assigns stronger, more complex passwords as well as security layers like biometrics, cryptographic keys or out-of-band confirmation codes, Lees recommends.

Another way to improve your credentialing strategy is to associate known behaviors with those credentials. “If you know that Bill comes to the office on Tuesdays and Thursdays but works remotely the rest of the week and that he routinely accesses certain types of files, it becomes much harder for a criminal to use Bill’s compromised credentials undetected,” he writes.

Of course, readers of this blog will have their own strategies in placefor protecting credentials, but Lee’s suggestions are worth considering as well. When you’re dealing with valuable health data, it never hurts to go that extra mile. If you don’t, you might get a visit by the HIPAA police (proverbial, not actual).

Consumers Fear Theft Of Personal Health Information

Posted on February 15, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

Probably fueled by constant news about breaches – duh! – consumers continue to worry that their personal health information isn’t safe, according to a new survey.

As the press release for the 2017 Xerox eHealth Survey notes, last year more than one data breach was reported each day. So it’s little wonder that the survey – which was conducted online by Harris poll in January 2017 among more than 3,000 U.S. adults – found that 44% of Americans are worried about having their PHI stolen.

According to the survey, 76% of respondents believe that it’s more secure to share PHI between providers through a secure electronic channel than to fax paper documents. This belief is certainly a plus for providers. After all, they’re already committed to sharing information as effectively as possible, and it doesn’t hurt to have consumers behind them.

Another positive finding from the study is that Americans also believe better information sharing across providers can help improve patient care. Xerox/Harris found that 87% of respondents believe that wait times to get test results and diagnoses would drop if providers securely shared and accessed patient information from varied providers. Not only that, 87% of consumers also said that they felt that quality of service would improve if information sharing and coordination among different providers was more common.

Looked at one way, these stats offer providers an opportunity. If you’re already spending tens or hundreds of millions of dollars on interoperability, it doesn’t hurt to let consumers know that you’re doing it. For example, hospitals and medical practices can put signs in their lobby spelling out what they’re doing by way of sharing data and coordinating care, have their doctors discuss what information they’re sharing and hand out sheets telling consumers how they can leverage interoperable data. (Some organizations have already taken some of these steps, but I’d argue that virtually any of them could do more.)

On the other hand, if nearly half of consumers afraid that their PHI is insecure, providers have to do more to reassure them. Though few would understand how your security program works, letting them know how seriously you take the matter is a step forward. Also, it’s good to educate them on what they can do to keep their health information secure, as people tend to be less fearful when they focus on what they can control.

That being said, the truth is that healthcare data security is a mixed bag. According to a study conducted last year by HIMSS, most organizations conduct IT security risk assessments, many IT execs have only occasional interactions with top-level leaders. Also, many are still planning out their medical device security strategy. Worse, provider security spending is often minimal. HIMSS notes that few organizations spend more than 6% of their IT budgets on data security, and 72% have five or fewer employees allocated to security.

Ultimately, it’s great to see that consumers are getting behind the idea of health data interoperability, and see how it will benefit them. But until health organizations do more to protect PHI, they’re at risk of losing that support overnight.

Connected Wearables Pose Growing Privacy, Security Risks

Posted on December 26, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

In the past, the healthcare industry treated wearables as irrelevant, distracting or worse. But over that last year or two, things have changed, with most health IT leaders concluding that wearables data has a place in their data strategies, at least in the aggregate.

The problem is, we’re making the transition to wearable data collection so quickly that some important privacy and security issues aren’t being addressed, according to a new report by American University and the Center for Digital Democracy. The report, Health Wearable Devices in the Big Data Era: Ensuring Privacy, Security, and Consumer Protection, concludes that the “weak and fragmented” patchwork of state and federal health privacy regulations doesn’t really address the problems created by wearables.

The researchers note that as smart watches, wearable health trackers, sensor-laden clothing and other monitoring technology get connected and sucked into the health data pool, the data is going places the users might not have expected. And they see this as a bit sinister. From the accompanying press release:

Many of these devices are already being integrated into a growing Big Data digital health and marketing ecosystem, which is focused on gathering and monetizing personal and health data in order to influence consumer behavior.”

According to the authors, it’s high time to develop a comprehensive approach to health privacy and consumer protection, given the increasing importance of Big Data and the Internet of Things. If safeguards aren’t put in place, patients could face serious privacy and security risks, including “discrimination and other harms,” according to American University professor Kathryn Montgomery.

If regulators don’t act quickly, they could miss a critical window of opportunity, she suggested. “The connected health system is still in an early, fluid stage of development,” Montgomery said in a prepared statement. “There is an urgent need to build meaningful, effective, and enforceable safeguards into its foundation.”

The researchers also offer guidance for policymakers who are ready to take up this challenge. They include creating clear, enforceable standards for both collection and use of information; formal processes for assessing the benefits and risks of data use; and stronger regulation of direct-to-consumer marketing by pharmas.

Now readers, I imagine some of you are feeling that I’m pointing all of this out to the wrong audience. And yes, there’s little doubt that the researchers are most worried about consumer marketing practices that fall far outside of your scope.

That being said, just because providers have different motives than the pharmas when they collect data – largely to better treat health problems or improve health behavior – doesn’t mean that you aren’t going to make mistakes here. If nothing else, the line between leveraging data to help people and using it to get your way is clearer in theory than in practice.

You may think that you’d never do anything unethical or violate anyone’s privacy, and maybe that’s true, but it doesn’t hurt to consider possible harms that can occur from collecting a massive pool of data. Nobody can afford to get complacent about the downside privacy and security risks involved. Plus, don’t think the nefarious and somewhat nefarious healthcare data aggregators aren’t coming after provider stored health data as well.

E-Patient Update:  Is Technology Getting Ahead Of Medical Privacy?

Posted on December 9, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

I don’t know about y’all, but I love, love, love interacting with Google’s AI on my smartphone. It’s beyond convenient – it seems to simply read my mind and dish out exactly the content I needed.

That could have unwelcome implications, however, when you bear in mind that Google might be recording your question. Specifically, for a few years now, Google’s AI has apparently been recording users’ conversations whenever it is triggered. While Google makes no secret of the matter, and apparently provides directions on how to erase these recordings, it doesn’t affirmatively ask for your consent either — at least not in any terribly conspicuous way — though it might have buried the request in a block of legal language.

Now, everybody has a different tolerance for risk, and mine is fairly high. So unless an entity does something to suggest to me that it’s a cybercrook, I’m not likely to lose any sleep over the information it has harvested from my conversations. In my way of looking at the world, the odds that gathering such information will harm me are low, while the odds collection will help me are much greater. But I know that others feel much differently than myself.

For these reasons, I think it’s time to stop and take a look at whether we should regulate potential medical conversations with intermediaries like Google, whether or not they have a direct stake in the healthcare world. As this example illustrates, just because they’re neither providers, payers or business associates doesn’t mean they don’t manage highly sensitive healthcare information.

In thinking this over, my first reaction is to throw my hands in the air and give up. After all, how can we possibly track or regulate the flow of medical information falls outside the bounds of HIPAA or state privacy laws? How do we decide what behavior might constitute an egregious leak of medical information, and what could be seen as a mild mistake, given that the rules around provider and associate behavior may not apply? This is certainly a challenging problem.

But the more I consider these issues, the more I am convinced that we could at least develop some guidelines for handling of medical information by non-medical third parties, including what type of consumer disclosures are required when collecting data that might include healthcare information, what steps the intermediary takes to protect the data and how to opt out of data collection.

Given how complex these issues are, it’s unlikely we would succeed at regulating them effectively the first time, or even the fourth or fifth. And realistically, I doubt we can successfully apply the same standards to non-medical entities fielding health questions as we can to providers or business associates. That being said, I think we should pay more attention to such issues. They are likely to become more important, not less, as time goes by.

Breach Affecting 2.2M Patients Highlights New Health Data Threats

Posted on April 4, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

A Fort Myers, FL-based cancer care organization is paying a massive price for a health data breach that exposed personal information on 2.2 million patients late last year. This incident is also shedding light on the growing vulnerability of non-hospital healthcare data, as you’ll see below.

Recently, 21st Century Oncology was forced to warn patients that an “unauthorized third party” had broken into one of its databases. Officials said that they had no evidence that medical records were accessed, but conceded that breached information may have included patient names Social Security numbers, insurance information and diagnosis and treatment data.

Notably, the cancer care chain — which operates on hundred and 45 centers in 17 states — didn’t learn about the breach until the FBI informed the company that it had happened.

Since that time, 21st Century has been faced with a broad range of legal consequences. Three lawsuits related to the breach have been filed against the company. All are alleging that the breach exposed them to a great possibility of harm.  Patient indignation seems to have been stoked, in part, because they did not learn about the breach until five months after it happened, allegedly at the request of investigating FBI officials.

“While more than 2.2 million 21st Century Oncology victims have sought out and/or pay for medical care from the company, thieves have been hard at work, stealing and using their hard-to-change Social Security numbers and highly sensitive medical information,” said plaintiff Rona Polovoy in her lawsuit.

Polovoy’s suit also contends that the company should have been better prepared for such breaches, given that it suffered a similar security lapse between October 2011 and August 2012, when an employee used patient names Social Security numbers and dates of birth to file fraudulent tax refund claims. She claims that the current lapse demonstrates that the company did little to clean up its cybersecurity act.

Another plaintiff, John Dickman, says that the breach has filled his life with needless anxiety. In his legal filings he says that he “now must engage in stringent monitoring of, among other things, his financial accounts, tax filings, and health insurance claims.”

All of this may be grimly entertaining if you aren’t the one whose data was exposed, but there’s more to this case than meets the eye. According to a cybersecurity specialist quoted in Infosecurity Magazine, the 21st Century network intrusion highlights how exposed healthcare organizations outside the hospital world are to data breaches.

I can’t help but agree with TrapX Security executive vice president Carl Wright, who told the magazine that skilled nursing facilities, dialysis centers, imaging centers, diagnostic labs, surgical centers and cancer treatment facilities like 21st are all in network intruders’ crosshairs. Not only that, he notes that large extended healthcare networks such as accountable care organizations are vulnerable.

And that’s a really scary thought. While he doesn’t say so specifically, it’s logical to assume that the more unrelated partners you weld together across disparate networks, it multiplies the number of security-related points of failure. Isn’t it lovely how security threats emerge to meet every advance in healthcare?

To Improve Health Data Security, Get Your Staff On Board

Posted on February 2, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

As most readers know, last year was a pretty lousy one for healthcare data security. For one thing, there was the spectacular attack on health insurer Anthem Inc., which exposed personal information on nearly 80 million people. But that was just the headline event. During 2015, the HHS Office for Civil Rights logged more than 100 breaches affecting 500 or more individuals, including four of the five largest breaches in its database.

But will this year be better? Sadly, as things currently stand, I think the best guess is “no.” When you combine the increased awareness among hackers of health data’s value with the modest amounts many healthcare organizations spend on security, it seems like the problem will actually get worse.

Of course, HIT leaders aren’t just sitting on their hands. According to a HIMSS estimate, hospitals and medical practices will spend about $1 billion on cybersecurity this year. And recent HIMSS survey of healthcare executives found that information security had become a top business priority for 90% of respondents.

But it will take more than a round of new technical investments to truly shore up healthcare security. I’d argue that until the culture around healthcare security changes — and executives outside of the IT department take these threats seriously — it’ll be tough for the industry to make any real security progress.

In my opinion, the changes should include following:

  • Boost security education:  While your staff may have had the best HIPAA training possible, that doesn’t mean they’re prepared for growing threat cyber-strikes pose. They need to know that these days, the data they’re protecting might as well be money itself, and they the bankers who must keep an eye on the vault. Health leaders must make them understand the threat on a visceral level.
  • Make it easy to report security threats: While readers of this publication may be highly IT-savvy, most workers aren’t. If you haven’t done so already, create a hotline to report security concerns (anonymously if callers wish), staffed by someone who will listen patiently to non-techies struggling to explain their misgivings. If you wait for people who are threatened by Windows to call the scary IT department, you’ll miss many legit security questions, especially if the staffer isn’t confident that anything is wrong.
  • Reward non-IT staffers for showing security awareness: Not only should organizations encourage staffers to report possible security issues — even if it’s a matter of something “just not feeling right” — they should acknowledge it when staffers make a good catch, perhaps with a gift card or maybe just a certificate. It’s pretty straightforward: reward behavior and you’ll get more of it.
  • Use security reports to refine staff training: Certainly, the HIT department may benefit from alerts passed on by the rest of the staff. But the feedback this process produces can be put to broader use.  Once a quarter or so, if not more often, analyze the security issues staffers are bringing to light. Then, have brown bag lunches or other types of training meetings in which you educate staffers on issues that have turned up regularly in their reports. This benefits everyone involved.

Of course, I’m not suggesting that security awareness among non-techies is sufficient to prevent data breaches. But I do believe that healthcare organizations could prevent many a breach by taking advantage of their staff’s instincts and observational skills.