Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Access to Encrypted iPhones – The Apple Encryption Debate

Posted on February 19, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The tech world is in a frenzy over the letter Apple’s CEO Tim Cook sent to the FBI in response to a request for Apple to create essentially a backdoor to be able to access the San Bernardino terrorists iPhone. It’s a messy and a complex situation which puts government against industry and privacy advocates against security advocates. Tim Cook in his letter is right that “this moment calls for public discussion.”

My favorite venture capitalist blogger, Fred Wilson, summed it up best for me when he said this in response to Tim Cook’s assertion that the contents of your iPhone are none of Apple’s business:

That is not an open and shut case to me.

Of course I’d like the contents of my iPhone to be out of reach of everyone other than me. But if that means the contents of the iPhones of child pornographers, sex slaverunners, narco gangsters, terrorists, and a host of other bad people are “none of our business” then that gives me pause.

I don’t think we can have it both ways. We have to choose one way or the other.

I think this is also complicated by the fact that Apple had unlocked phones previously. Albert Wenger expresses my fears around this subject:

We cannot and should not be living in digital fortresses any more than we are living in physical fortresses at home. Our homes are safe from thieves and from government not because they couldn’t get in if they wanted to but because the law and its enforcement prevents them from doing so. All we have to do is minimal physical security (lock the doors when you are out).

Please repeat after me: Surveillance is a political and legal problem, not a technical problem.

This quote is particularly interesting to me since this weekend when my family and I were away on a trip for President’s Day weekend, someone broke into our house (Side Note: We’re all fine and they realized once they got in that we didn’t have anything valuable to take. We mostly just had to deal with a broken door).

I feel similar to my favorite VC who said “I am struggling with this issue this morning, and I imagine many others are too.”

Turning to the healthcare perspective, privacy and security of health information is so important. It’s literally the intimate details of your life. I’ve heard some argue that Apple creating a way for the FBI to access this one phone would mean that all of our health information on iPhones would be at great risk of being compromised. I think that’s an exaggeration of what’s happening, but I understand the slippery slope argument.

What’s interesting is that none of us want our healthcare data to be compromised. However, if we were in a coma and the life saving information was on our iPhone, we’d love for someone to have a way to access that information. I’ve seen startup companies who’ve built that ability into the iPhone home screen for just this purpose.

I guess I’m torn on the issue. Privacy is important, but so is security. This weekend I’m going to be chewing on “We cannot and should not be living in digital fortresses any more than we are living in physical fortresses at home.” The problem with this concept is that fortresses are something we can plan and build. The other solutions are much more complex.

Could the Drive to Value-Based Healthcare Undermine Security?

Posted on November 27, 2015 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As we all know, the healthcare industry’s move toward value-based healthcare is forcing providers to make some big changes. In fact, a recent report by peer60 found that 64% of hospitals responding cited oncoming value-based reimbursement as their top challenge. Meanwhile, only 30% could say the same of improving information security according to peer60, which recently surveyed 320 hospital leaders.

Now, the difference in concern over the two issues can be chalked up, at least in part, to the design of the survey. Obviously, there’s a good chance that a survey of CIOs would generate different results. But as the report’s authors noted, the survey might also have exposed a troublesome gap in priorities between health IT and the rest of the hospital C-suite.

It’s hardly surprising hospital leaders are focused on the life-and-death effects of a major change in payment policy. Ultimately, if a hospital can’t stay in business, protecting data won’t be an issue anymore. But if a hospital keeps its doors open, protecting patient data must be given a great deal of attention.

If there is a substantial gap between CIOs and their colleagues on security, my guess is that the reasons include the following:

  • Assuming CIOs can handle things:  Lamentable though it may be, less-savvy healthcare leaders may think of security as a tech-heavy problem that doesn’t concern them on a day-to-day level.
  • Managing by emergency:  Though they might not admit it publicly, reactive health executives may see security problems as only worth addressing when something needs fixing.
  • Fear of knowing what needs to be done:  Any intelligent, educated health exec knows that they can’t afford to let security be compromised, but they don’t want to face up to the time, money and energy it takes to do infosec right.
  • Overconfidence in existing security measures:  After approving the investment of tens or even hundreds of millions on health IT, non-tech health leaders may find it hard to believe that perfect security isn’t “built in” and complete.

I guess the upshot of all of this is that even sophisticated healthcare executives may have dysfunctional beliefs about health data security. And it’s not surprising that health leaders with limited technical backgrounds may prefer to attack problems they do understand.

Ultimately, this suggests to me that CIOs and other HIT leaders still have a lot of ‘splaining to do. To do their best with security challenges, health IT execs need the support from the entire leadership team, and that will mean educating their peers on some painful realities of the trade.

After all, if security is to be an organization-wide process — not just a few patches and HIPAA training sessions — it has to be ingrained in everything employees do. And that may mean some vigorous exchanges of views on how security fosters value.

The Shifting Health Care IT Markets

Posted on November 5, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’m at the end of my Fall Healthcare IT Conference season (although I’m still considering attending RSNA for my first time) and besides being thankful to be done with all the travel, I’m also taking a second to think about what I’ve learned over the past couple months as I’ve traveled to a wide variety of conferences.

While the EHR market has been hot for so many years, I’m seeing a big shift in purchasing to three areas: Analytics/Population Health, Revenue Cycle Management, and Privacy/Security. This isn’t a big surprise, but the EHR market has basically matured and now even EHR vendors are looking at new ways to market their products. These are the three main areas where I see the market evolving.

Analytics and Population Health
I could have easily added the other buzzword “patient engagement” to this category as well. There’s a whole mixture of technologies and approaches for this category of healthcare IT. In fact, it’s where I see some of the most exciting innovations in healthcare. Most of it is driven by some form of value based reimbursement or organizations efforts to prepare for the shift to value based reimbursement. However, there’s also a great interest by many organizations to try and extract value from their EHR investment. Many are betting on these tools being able to help them realize value from their EHR data.

Revenue Cycle Management
We’re seeing a whole suite of revenue cycle solutions. For many years we’ve seen solutions that optimized an organization’s relationships with payers. Those are still popular since it seems like most organizations never really fix the problem so their need for revenue cycle management is cyclical. Along with these payer solutions, we’re seeing a whole suite of products and companies that are focused on patient payment solutions. This shift has been riding the wave of high deductible plans in healthcare. As an organization’s patient pay increases, they’re looking for better ways to collect the patient portion of the bill.

Privacy and Security
There have been so many health care breaches, it’s hard to even keep up. Are we becoming numb to them? Maybe, but I still see many organizations investing in various privacy and security programs and tools whenever they hear about another breach. Plus, the meaningful use requirement to do a HIPAA Risk Assessment has built an entire industry focused on those risk assessments. You can be sure the coming HIPAA audits will accelerate those businesses even more.

What other areas are you seeing become popular in health care IT?

Dishonesty Ruins So Many Things

Posted on September 5, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’m always struck by this simple concept: Dishonesty make so many things more difficult than they should be.

We see this all over healthcare. Look for example at patient privacy and security. If people were just honest and thoughtful with patient data, our privacy and security challenges would be so much simpler. Imagine how much time and heartache we’d save if people were just honest when it comes to privacy and security. Yes, I’m looking at the million of hackers that are trying to take people’s personal information. Imagine if we could focus all the money and time we spend securing applications and apply it to improving healthcare. What a difference that would make.

The same could be said for reimbursement. Our reimbursement system would look drastically different if people were just honest. Yes, I’m talking about the billions of dollars of Medicare and other insurance fraud that’s out there. What a sad expense on our current healthcare system as dishonest people try and make a quick buck. While that expense is large, the even larger cost to our healthcare system is the toll that fraud adds to the honest actors.

Look at our current model of reimbursement for healthcare. So much of our insane documentation efforts are tied to the fact that insurance companies are trying to combat fraud. They don’t and can’t trust providers billing levels and so they’ve created layer and layer of requirements that makes the healthcare documentation process miserable. If you don’t agree with me, then you aren’t someone that’s involved in healthcare reimbursement.

This expense gets passed on to the employer and patients as well. Have you ever tried to make sense of the bill or statement of benefits coming from your doctor or insurance company? It’s like trying to make sense of a new language. It doesn’t make sense since you as a patient don’t know that language. Are they screwing you over in what they’re billing you or not? You don’t know either way and good luck trying to find out the answer. The person on the other end of the phone likely isn’t sure either because it’s so complex.

I first learned this principle in the credit card world. Why on earth do we pay 3+% of every transaction we do on our credit card. The answer is simple. Credit card fraud (otherwise known as dishonesty) is rampant and why credit card transactions cost so much. Imagine a world where the doctor wasn’t giving 3% of their business to process a credit card transaction since the cost to change digital digits should be nothing.

Unfortunately, the reality is we do live in a world with a lot of dishonest people who try and game anything and everything. We have to pay attention to security and privacy with these dishonest people in mind. We have to deal with insane reimbursement requirements as these payers try and combat fraud. We have to deal with credit card fraud and pay for it in the process.

It’s unfortunate, because dishonesty almost always catches up with people. Even when we think it doesn’t, dishonesty pays its own toll on a person as they can never be comfortable. Having a clear, honest conscious is one of the most beautiful things in life.

Fitbit Privacy or Lack Thereof – Exposing Sexual Activity of Its Users

Posted on September 13, 2011 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Well, privacy rears its ugly head in healthcare again. I don’t want to treat a person’s privacy lightly, but I must admit that I kind of had to laugh at the breach I’m about to tell you about. I think you’ll see why.

I first read about this privacy breach on this Techcrunch article (They originally found it on nextWeb). Here’s a quote from the Techcrunch article:

Yikes. Users of fitness and calorie tracker Fitbit may need to be more careful when creating a profile on the site. The sexual activity of many of the users of the company’s tracker and online platform can be found in Google Search results, meaning that these users’ profiles are public and searchable.

I’ve been a big fan of Fitbit and other devices like that which are trying to track a person’s health and fitness. I think there’s a real market for these devices, but this is a pretty ugly misstep for Fitbit. Although, a search for sexual activity and FitBit isn’t returning results any more. Here’s the Fitbit blog post which details the steps they’ve taken to secure their users profiles. Seems like a reasonable and a smart response to the privacy issue.

Before I go any farther, we should be clear that this isn’t a HIPAA violation. The patient put their information online and agreed to have that information out there. We could argue how much they really agreed to have their profile public, but I’m quite sure that Fitbit would be fine in a HIPAA lawsuit. However, that doesn’t mean they’re not taking the hit for poor decisions.

What can future healthcare app and device companies learn from the Privacy issues at Fitbit?

1. Default healthcare profiles to private. Allow the user to opt in to make it public. Some might want it public, but no company should assume it should be public. This isn’t Facebook.

2. Consider more granular privacy controls. I may want part of my profile public, but part private (ie. sexual activity in a fitness application).

3. Be aware of what you allow search engines to index. There’s a whole category of hackers called Google Hackers. They use Google to find sensitive information like the story above. It’s amazing the power of Google hacking.

Some suggestions to e-patients that put their health data online:

1. Be careful about what information you’re putting online.

2. Check out where the information you put online will be available. Is it private? Is it public? Is it partially public? Can search engines see it?

There’s little doubt that more and more healthcare information is going to be put online by patients. We’re going to see more and more privacy issues like the one mentioned above. This incident will do little to deter this trend. However, hopefully it can serve as a learning experience for Fitbit and other healthcare companies that are entering this new world of online health information.