
Nuance Takes Page from Healthcare Clients in Petya Outage Aftermath

Posted on November 6, 2017 | Written By

Colin Hung is the co-founder of the #hcldr (healthcare leadership) tweetchat one of the most popular and active healthcare social media communities on Twitter. Colin speaks, tweets and blogs regularly about healthcare, technology, marketing and leadership. He is currently an independent marketing consultant working with leading healthIT companies. Colin is a member of #TheWalkingGallery. His Twitter handle is: @Colin_Hung.

On June 27th the Petya malware (or NotPetya or ExPteya) struck Nuance Communications (NASDAQ: NUAN). For days the company’s eScription speech-recognition platform was unavailable, forcing thousands of healthcare clients to find alternatives for their medical transcription. During the crisis and in the weeks that followed, Nuance borrowed a page from its healthcare clients: not offering false hope and deconstructing the incident to learn from it.

At the recent CHIME Fall Forum in San Antonio, Texas, I had the opportunity to sit down with Brenda Hodge, Chief Marketing Officer – Healthcare, and Ed Rucinski, Senior Vice President of World Wide Healthcare Sales, both of Nuance, to talk about the Petya outage and where the company is headed.

“The challenge we faced with Petya brought us all together as a company,” explained Ed. “When our systems went offline, the entire organization rallied together. We had engineers and support staff who slept at the office on couches and cots. We had developers who went with less than 2hrs of sleep for 4 days straight because they wanted to help clients and bring our systems back online as quickly as possible. We became a nameless and rank-less organization working towards a common goal.”

As the outage went from minutes to hours to days, Nuance resisted the temptation to offer false hope to its clients. Instead, the company opted to be truthful and transparent. Nuance sent emails and directly called clients to let them know they had suffered a cyber attack, that the full extent of the damage was not known and that they did not know when their systems would be back online. The company did, however, commit to providing regular updates and being available to answer questions and address concerns.

The following is an abbreviated excerpt from a Nuance communication posted online by one of its clients:

Nuance corporate systems were unfortunately affected by a global cyber attack today. We went into immediate security protocol by shutting down our hosted production systems and platforms. There is no update at this time as to when the accounts will be back online but we will be holding regular calls throughout the day and night to gain insight into the timeline for resolution and I will update you again when I have more info. We are sorry for the inconvenience this outage has caused and we are working diligently to get things back online.

Clinicians are coached never to give patients in crisis or their families false hope. They calmly explain what happened, state the facts and talk about potential next steps. They do not, however, say that “things will be alright”, even though they know that is what everyone desperately wants to hear. Nuance used this same protocol during the Petya outage.

The company also used protocols similar to those used following an adverse event.

Healthcare is complex and despite the best efforts and best intentions of care teams, errors occur. These errors are referred to as adverse events. Adverse events that impact patient safety or that cause actual harm to patients are thoroughly documented, deconstructed and analyzed by clinical leaders as well as risk managers. The lessons gleaned from these unfortunate events are captured and used to improve operations. The goal is to prevent or mitigate the impact of similar events in the future.

After their systems were fully restored, the Nuance team embarked on a thorough review of the incident – from technical procedures to client communication protocols.

“We learned a lot through this incident,” says Hodge. “We got a first-hand education on how sophisticated malware has become. We’ve gone from viruses to malware to ransomware to coordinated nation-state attacks. That’s what Petya really is – a coordinated attack on company infrastructure. Now that we have been through this type of attack, we have put in new processes and technologies to prevent similar attacks in the future. Most importantly we have made investments in improving our response to these types of attacks.”

Nuance has gone one step further. They have committed to sharing their painful lessons learned with other companies and healthcare institutions. “Like it or not, we are all in this together”, continued Hodge. “The Petya attack came on the heels of the WannaCry ransomware attack that impacted many of our healthcare clients – so there was a lot of empathy from our clients. In fact this whole incident has created a sense of solidarity in the healthcare technology community. Cyber attacks are not going to stop and we need to come together as an industry so that we are as prepared as we can be for the next one.”

“It’s unfortunate that it took an incident like this to show us what we are made of,” says Rucinski. “We had executives making coffee and fetching lunch for the support teams. We had leaders offering to run errands for staff because they knew they were too tired to keep up with those types of things. In the end we found out we truly embody the values and principles that we have hanging on posters around the office.”

The State of the Healthcare CIO

Posted on November 2, 2017 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

As I’ve talked to hundreds of healthcare CIOs this week at the CHIME Fall Forum, a number of themes keep coming up. No doubt there’s always a lot of excitement in the air at a conference like this. In many ways, it’s great that there’s a good, optimistic energy at a conference. A conference wouldn’t be very good without that energy, but under the covers, there’s often more to the story. Here are some broad insights into the state of the healthcare CIO that go beyond the natural excitement and energy of a conference.

No More Systems – Most of the CIOs who I’ve talked to feel like they have all the IT systems they need. In fact, most are trying to find ways to get rid of IT systems. They’re not looking to add any more IT systems to their mix. There’s a strong desire to simplify their current setup and to maximize the benefits of their current IT systems. They don’t want to add new ones.

Do Want Solutions – While healthcare CIOs don’t want to add new systems, they do want to find solutions that will be complementary to their existing systems. There is a massive desire to optimize what they’re doing and show value from their current IT systems. Solutions that are proven and work on top of their existing infrastructure are welcomed by these CIOs.

Security Is Still a Concern – I have a feeling that this topic may never die. Security is still a huge concern for CIOs and something that will continue to be important for a long time to come. Most now have some kind of security strategy in place, but I haven’t met anyone that’s totally comfortable with their security strategy. It seems that this is what keeps CIOs up at night more than any other issue.

Analytics Is a Challenge – Most of the healthcare CIOs know that analytics is going to be an important part of their future. They can see the potential value that analytics can provide, but most don’t know where to find these analytics. Most organizations don’t have a clear analytics strategy or direction. We’re still just seeing anecdotal results for very specific solutions. There’s no clear direction that every healthcare CIO is following for analytics.

CIOs are Stressed – It was very appropriate that yesterday’s keynote presentation was on turning stress into a positive. Most of the healthcare CIOs I met are quite stressed. They have a lot on their plates and most don’t know how they’re going to manage it all. Plus, they’re still overwhelmed by all the changing regulations and reimbursement changes. The fact that there doesn’t seem to be any end in sight adds to that stress.

Turnover is Still High – It seems that there’s still a lot of turnover that’s happening with CIOs. This is a challenge when it comes to continuity at organizations. However, those CIOs that have been able to stay at an organization for a longer period of time are starting to see new opportunities to be more strategic. They’ve fought all the initial fires and cleaned up the processes and now they can start working on more strategic initiatives.

Holding On vs Embracing Change – I see two different views evolving by CIOs. Many are holding on tightly to the old Chief Infrastructure Officer versus embracing the new Chief Innovation Officer mindset. CHIME is certainly espousing the view of the CIO becoming a Chief Innovation Officer and it’s the view that I think is best as well. However, there are plenty of CIOs that just want to provide the technology to their organization. It will be interesting to see what happens to both of these approaches to the CIO position.

Those are some high-level thoughts from talking with CIOs at the CHIME Fall Forum. What are you seeing? Are you seeing or hearing anything different from what I described above? We’d love to hear your thoughts in the comments.

Healthcare Security Cartoon – Fun Friday

Posted on August 11, 2017 | Written By John Lynn

It’s Friday and school is beginning in a lot of places around the country. I know we’re ready for school to start in our house. They moved it up a couple weeks in Las Vegas and so we had a short summer, but we’re excited for the rhythm that school brings.

The last Friday in summer seems the perfect time for a Fun Friday blog post. This cartoon, shared by Fogo Data Centers, highlights the always challenging balance between security and convenience.

Do your security policies seem a bit like this picture? Or do you edge on the other side of too convenient and not secure enough?

Why Small Medical Practices Are at Great Risk for a Cyber Attack

Posted on June 14, 2017 | Written By John Lynn

The good people at ClinicSpectrum recently shared a look at why small practices are at risk for a cyber attack. They label it as why your EHR is at risk for a cyber attack, but I think their list is more specific to small practices as opposed to EHR. Take a look at their list:

Each of these issues should be considered by a small medical practice when it comes to why they are at risk for a cyber attack. However, the first one is one that I see often. Many small practices wonder, “Why would anyone want to hack my office?”

When it comes to that issue, medical practices need to understand how most hackers work. Most hackers aren’t trying to hack someone in particular. Instead, they’re just scouring the internet for easy opportunities. Sure, there are examples where a hacker goes after a specific target. However, the majority are just exploiting whatever vulnerabilities they can find.

This is why it’s a real problem when medical practices think they’re too small or not worth hacking. When you have this attitude, then you leave yourself vulnerable to opportunistic hackers that are just taking advantage of your laziness.

The best thing a medical practice can do to secure their systems is to care enough about having secure systems. You’ll never be 100% secure, but those organizations who act as if they don’t really care about security are almost guaranteed to be hacked. You can imagine how HHS will look at you if you take this approach and then get hacked.

Kill Passwords

Posted on January 13, 2017 | Written By John Lynn

One time I was attending the crazy SXSW conference in Austin. As part of the event, there was a startup company from Las Vegas (where I live) that had a small tower in the big Vegas Tech booth. Their startup was a method to use your phone as your password and a few other password related things. I’m not sure how they came up with this idea, but half way through the conference they switched their monitor which previously had their logo on it to just say “Kill Passwords” in big black letters with a white background. It was amazing how much traffic they drove to their small table because of that simple digital signage.

While this is a story in marketing that’s worthy of the Healthcare IT Marketing and PR Conference which I host, it also illustrated how much we hate passwords. Turns out that this is a universal truth, but it’s particularly poignant in healthcare because of absurd password policies that many healthcare organizations put in place in the name of security (even if many of the choices they make don’t actually improve security).

Doctors’ password frustration was illustrated well in the latest ZDoggMD video “Doc Vader on The Password Menace.” Check it out below:

I felt it was appropriate to use ZDoggMD’s latest video in today’s Fun Friday post, but I do it with some sadness. A couple days ago, ZDoggMD announced that his Turntable Health clinic in Las Vegas was shutting down. As a Vegas resident and former member of Turntable Health, I was sorry to see this happen. No doubt this is not the end for ZDoggMD. In fact, for those that are fans of his video and his message, I think this will give him more time to evangelize and inspire. So, that’s a good thing. Healthcare can use a shakeup that points out the challenges we face with a lot of humor. Thanks ZDoggMD for all you do.

Now, I agree that passwords are a pain. Although, I think we’ve all learned to deal with them. I do look forward to the day when passwords will no longer exist in their current form. I’m not sure what it will look like, but it will be a welcome day!

How Many Points of Vulnerability Do You Have in Your Healthcare Organization?

Posted on December 21, 2016 | Written By John Lynn

Far too often I hear healthcare CIOs talk about all of the various electronic devices they have in their organization and how this device proliferation has created a really large risk surface that makes their organization vulnerable to breaches and other nefarious actions. This is true to some extent since organizations now have things like:

  • Servers
  • Desktops
  • Mobile Devices
  • Network Devices
  • Internet Access
  • Medical Devices
  • Internet of Things Devices
  • etc

As tech progresses, the number of devices we have in our healthcare organizations is only going to continue to grow. No doubt this can pose a challenge to any Chief Security Officer (CSO). However, I actually think this is the easiest part of a CSO’s job when it comes to making sure a healthcare organization is secure. I think it’s much harder to make sure the people in your organization are acting in a way that doesn’t compromise your organization’s security.

As one hospital CIO told me, “I’m most concerned with the 21,000 security vulnerabilities that existed in my organization. I’m talking about the 21,000 employees.”

Granted, this CIO worked at a very large organization. However, I think he’s right. Creating a security plan for a device is pretty easily accomplished. It will never be perfect, but you can put together a really good, effective plan. People are wild cards. It’s much harder to keep them from doing something that compromises your organization. Especially since the hackers have gotten so pernicious and effective in the tactics they use.

At the end of the day, I look at security as similar to child proofing your house when you have a young child. You’ll never make it 100% completely safe, but you can really mitigate most of the issues that could cause harm to your child. The same is true in your approach to securing your healthcare organization. You can never ensure you won’t have any security incidents, but you can mitigate a lot of the really dangerous things. Then, you just have to deal with the times something surprising happens. Now if we would just care as much about keeping our healthcare organizations secure as we do keeping our children safe, then we’d be in a much better place.

Patient Portal Security Is A Tricky Issue

Posted on April 25, 2016 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she’s served as editor in chief of several healthcare B2B sites.

Much of the discussion around securing health data on computers revolves around enterprise networks, particularly internal devices. But it doesn’t hurt to look elsewhere in assessing your overall vulnerabilities. And unfortunately, that includes gaps that can be exposed by patients, whose security practices you can’t control.

One vulnerability that gets too little attention is the potential for a cyber attack accessing the provider’s patient portal, according to security consultant Keith Fricke of tw-Security in Overland Park, Kan. Fricke, who spoke with Information Management, noted that cyber criminals can access portal data relatively easily.

For example, they can insert malicious code into frequently visited websites, which the patient may inadvertently download. Then, if your patient’s device or computer isn’t secure, you may have big problems. When the patient accesses a hospital or clinic’s patient portal, the attacker can conceivably get access to the health data available there.

Not only does such an attack give the criminal access to the portal, it may also offer them access to many other patients’ computers, and the opportunity to send malware to those computers. So one patient’s security breach can become a source of infection for countless patients.

When patients access the portal via mobile device, it raises another set of security issues, as the threat to such devices is growing over time. In a recent survey by Ponemon Institute and CounterTack, 80% of respondents reported that their mobile endpoints have been the target of malware in the past year. And there’s little doubt that the attacks via mobile device will become more sophisticated over time.

Given how predictable such vulnerabilities are, you’d think that it would be fairly easy to lock the portals down. But the truth is, patient portals have to strike a particularly delicate balance between usability and security. While you can demand almost anything from employees, you don’t want to frustrate patients, who may become discouraged if too much is expected from them when they log in. And if they aren’t going to use it, why build a patient portal at all?

For example, requiring a patient to change their password or login data frequently may simply be too taxing for users to handle. Other barriers include demanding that a patient use only one specific browser to access the portal, or requiring them to use digits rather than an alphanumeric name that they can remember. And insisting that a patient use a long, computer-generated password can be a hassle that patients won’t tolerate.

At this point, it would be great if I could say “here’s the perfect solution to this problem.” But the truth is, as you already know, that there’s no one solution that will work for every provider and every IT department. That being said, in looking at this issue, I do get the sense that providers and IT execs spend too little time on user-testing their portals. There’s lots of room for improvement there.

It seems to me that to strike the right balance between portal security and usability, it makes more sense to bring user feedback into the equation as early in the game as possible. That way, at least, you’ll be making informed choices when you establish your security protocols. Otherwise, you may end up with a white elephant, and nobody wants to see that happen.

Could the Drive to Value-Based Healthcare Undermine Security?

Posted on November 27, 2015 | Written By Anne Zieger

As we all know, the healthcare industry’s move toward value-based healthcare is forcing providers to make some big changes. In fact, a recent report by peer60 found that 64% of hospitals responding cited oncoming value-based reimbursement as their top challenge. Meanwhile, only 30% could say the same of improving information security according to peer60, which recently surveyed 320 hospital leaders.

Now, the difference in concern over the two issues can be chalked up, at least in part, to the design of the survey. Obviously, there’s a good chance that a survey of CIOs would generate different results. But as the report’s authors noted, the survey might also have exposed a troublesome gap in priorities between health IT and the rest of the hospital C-suite.

It’s hardly surprising hospital leaders are focused on the life-and-death effects of a major change in payment policy. Ultimately, if a hospital can’t stay in business, protecting data won’t be an issue anymore. But if a hospital keeps its doors open, protecting patient data must be given a great deal of attention.

If there is a substantial gap between CIOs and their colleagues on security, my guess is that the reasons include the following:

  • Assuming CIOs can handle things:  Lamentable though it may be, less-savvy healthcare leaders may think of security as a tech-heavy problem that doesn’t concern them on a day-to-day level.
  • Managing by emergency:  Though they might not admit it publicly, reactive health executives may see security problems as only worth addressing when something needs fixing.
  • Fear of knowing what needs to be done:  Any intelligent, educated health exec knows that they can’t afford to let security be compromised, but they don’t want to face up to the time, money and energy it takes to do infosec right.
  • Overconfidence in existing security measures:  After approving the investment of tens or even hundreds of millions on health IT, non-tech health leaders may find it hard to believe that perfect security isn’t “built in” and complete.

I guess the upshot of all of this is that even sophisticated healthcare executives may have dysfunctional beliefs about health data security. And it’s not surprising that health leaders with limited technical backgrounds may prefer to attack problems they do understand.

Ultimately, this suggests to me that CIOs and other HIT leaders still have a lot of ‘splaining to do. To do their best with security challenges, health IT execs need the support from the entire leadership team, and that will mean educating their peers on some painful realities of the trade.

After all, if security is to be an organization-wide process — not just a few patches and HIPAA training sessions — it has to be ingrained in everything employees do. And that may mean some vigorous exchanges of views on how security fosters value.

The Shifting Health Care IT Markets

Posted on November 5, 2015 | Written By John Lynn

I’m at the end of my Fall Healthcare IT Conference season (although I’m still considering attending RSNA for my first time) and besides being thankful to be done with all the travel, I’m also taking a second to think about what I’ve learned over the past couple months as I’ve traveled to a wide variety of conferences.

While the EHR market has been hot for so many years, I’m seeing a big shift in purchasing to three areas: Analytics/Population Health, Revenue Cycle Management, and Privacy/Security. This isn’t a big surprise, but the EHR market has basically matured and now even EHR vendors are looking at new ways to market their products. These are the three main areas where I see the market evolving.

Analytics and Population Health
I could have easily added the other buzzword “patient engagement” to this category as well. There’s a whole mixture of technologies and approaches for this category of healthcare IT. In fact, it’s where I see some of the most exciting innovations in healthcare. Most of it is driven by some form of value-based reimbursement or organizations’ efforts to prepare for the shift to value-based reimbursement. However, there’s also a great interest by many organizations to try and extract value from their EHR investment. Many are betting on these tools being able to help them realize value from their EHR data.

Revenue Cycle Management
We’re seeing a whole suite of revenue cycle solutions. For many years we’ve seen solutions that optimized an organization’s relationships with payers. Those are still popular since it seems like most organizations never really fix the problem so their need for revenue cycle management is cyclical. Along with these payer solutions, we’re seeing a whole suite of products and companies that are focused on patient payment solutions. This shift has been riding the wave of high deductible plans in healthcare. As an organization’s patient pay increases, they’re looking for better ways to collect the patient portion of the bill.

Privacy and Security
There have been so many health care breaches, it’s hard to even keep up. Are we becoming numb to them? Maybe, but I still see many organizations investing in various privacy and security programs and tools whenever they hear about another breach. Plus, the meaningful use requirement to do a HIPAA Risk Assessment has built an entire industry focused on those risk assessments. You can be sure the coming HIPAA audits will accelerate those businesses even more.

What other areas are you seeing become popular in health care IT?

Top 10 Healthcare CIO Budget Priorities

Posted on September 22, 2015 | Written By John Lynn

For those on the email list that can’t see the image that Charles Webster, MD shared, here is the list of top technology priorities:
1. BI/Analytics
2. CRM
3. Digitalization/Digital Marketing
4. Legacy Modernization
5. Industry-Specific Applications
6. Enterprise Applications
7. Infrastructure and Data Center
8. Application Development
9. Architecture
10. BPM
11. Cloud
12. Collaboration

Sure makes the life of a CIO look pretty easy, doesn’t it? (That was my sarcasm font in case you don’t have that font installed on your computer)

As I chew on this list, I’m processing Will Weider, CIO at Ministry Health Care’s response to me asking him what he would consider the 3 key focus areas for healthcare CIOs: