
Healthcare Providers and Patients Deserve Better Security

Posted on June 1, 2015 | Written By

The following is a guest blog post by Anna Drachenberg, Founder and CEO of HIPAA Risk Management.

Our firm has been helping dentists and other healthcare providers with their HIPAA security compliance for several years. Based on our customers’ experience, many dentists lack healthcare IT partners who are committed to data security and HIPAA compliance. Unfortunately, this lack of commitment appears to be an epidemic across healthcare IT, and healthcare providers and patients need to demand a change.

In our recent alert, Dentrix Vulnerabilities and Mitigation for HIPAA Compliance, we described two major vulnerabilities we’ve had to assist our clients in mitigating in order to protect their patients’ data and comply with our clients’ HIPAA security policies. Our regulatory and data security experts were concerned, on behalf of our clients, with the way Henry Schein handled these two issues. More concerning, this seems to be a trend with many healthcare IT companies.

From the article, “In October 2012, it was reported to the Community Emergency Response Team (CERT) that all Dentrix G5 software was installed with hard-coded credentials to access the back-end database.” Pretty serious, right? A hard-coded credential is identical in every installation and cannot be changed by the practice, so anyone who extracts it once and can reach the database server has a working login to the patient database at any office running the product, bypassing whatever access controls the application itself enforces. The National Vulnerability Database gave this a severity score of 5.0 and an exploitability score of 10.0. In the CERT notification you can see that the vulnerability was credited to Justin Shafer, not the vendor, Henry Schein, and that several months passed between the time the vulnerability was reported (11/22/2012) and the time Henry Schein released a fix (2/13/2013). Read the linked article for more details on the fix Henry Schein provided.
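As an added illustration (this is not code from the post or from Henry Schein, and it assumes nothing about how Dentrix actually stored its credentials), here is the check a reviewer can run over a vendor’s installed artifacts before trusting a “the database is protected” claim: pull printable strings the way the `strings` utility does, match connection-string fragments, and flag any credential value that is identical across independent installations, which is the defining symptom of a hard-coded credential rather than a per-site one. The two sample blobs and every credential value in them are constructed for the example.

```python
import re
from typing import Dict, Iterable, List, Set

# "strings"-style extraction: runs of printable ASCII at least 8 bytes long,
# which is how connection strings surface in compiled binaries and configs.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{8,}")

# Credential material commonly embedded in database clients:
# ODBC/ADO.NET-style key=value pairs and URI-style DSNs (scheme://user:pass@host).
_CRED_PATTERNS = [
    ("password", re.compile(r"(?i)\b(?:pwd|password)\s*=\s*([^;\s]+)")),
    ("user", re.compile(r"(?i)\b(?:uid|user id|user)\s*=\s*([^;\s]+)")),
    ("uri_userinfo", re.compile(r"(?i)\b[a-z][a-z0-9+.-]*://([^:/\s]+:[^@/\s]+)@")),
]


def extract_strings(data: bytes) -> List[str]:
    """Printable-string runs from an arbitrary binary blob."""
    return [m.group(0).decode("ascii") for m in _PRINTABLE.finditer(data)]


def find_embedded_credentials(data: bytes) -> List[Dict[str, str]]:
    """Every credential-looking token in the blob, with the string it came from."""
    hits = []
    for s in extract_strings(data):
        for kind, pat in _CRED_PATTERNS:
            for m in pat.finditer(s):
                hits.append({"kind": kind, "value": m.group(1), "context": s})
    return hits


def shared_across_installs(
    installs: Dict[str, bytes],
    kinds: Iterable[str] = ("password", "uri_userinfo"),
) -> Set[str]:
    """Secret values present in *every* installation's artifact.

    A secret that is identical across unrelated installs is, by definition,
    not a per-site credential: whoever extracts it once can use it everywhere.
    """
    wanted = set(kinds)
    per_install = [
        {h["value"] for h in find_embedded_credentials(blob) if h["kind"] in wanted}
        for blob in installs.values()
    ]
    if not per_install:
        return set()
    return set.intersection(*per_install)


# Constructed stand-ins for a client binary plus local config from two
# unrelated practices. The bytes, names and values are invented for this example.
_BIN_PAD = b"\x00\x01\x02\x03" * 4
SAMPLE_INSTALLS = {
    "practice-a": (
        _BIN_PAD
        + b"Driver={SQL Server};Server=%s;Database=PracticeDB;Uid=dbadmin;Pwd=ExampleOnly123;"
        + b"\x00\x00SiteLicense=A-0001-CONSTRUCTED\x00"
        + b"https://portal.example.invalid/\x00"
    ),
    "practice-b": (
        _BIN_PAD
        + b"Driver={SQL Server};Server=%s;Database=PracticeDB;Uid=dbadmin;Pwd=ExampleOnly123;"
        + b"\x00\x00SiteLicense=B-7781-CONSTRUCTED\x00"
        + b"backup://siteb_svc:perSiteSecretB@backup.example.invalid/\x00"
    ),
}

if __name__ == "__main__":
    for name, blob in SAMPLE_INSTALLS.items():
        for h in find_embedded_credentials(blob):
            print(f"{name}: {h['kind']}={h['value']!r} in {h['context']!r}")
    print("shared across all installs:", shared_across_installs(SAMPLE_INSTALLS))
```

The shared set is a heuristic, not proof: a value can be identical across sites because it is a documented default that each site was supposed to change. Confirm a finding by checking, with the practice’s authorisation, whether the value actually authenticates to the database and whether the vendor gives the customer any way to rotate it; a credential that works everywhere and cannot be changed is the case the post is describing.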

In a time when most industries are embracing security and offering “bug bounties,” many in the healthcare IT industry are trying to ignore the problem and hope that their customers are ignoring it, too. Take the recent panic over hackers controlling airplanes. What did United Airlines do? Offer a bug bounty that pays out in airline miles that can be redeemed for free tickets. Many software and IT companies offer similar bug bounty programs and actively cooperate with independent security professionals. These companies know that every bug that is found before it is exploited can save millions of dollars and improve their product.

I’d like to challenge all of the blog readers today to find a healthcare IT vendor who has the same approach to security. For that matter, search the CERT vulnerability notes database or the National Vulnerability Database for any healthcare software or product you know, or for general terms like medical, hospital, or healthcare. Surprised at the lack of issues reported and fixed? Are we really supposed to believe that healthcare IT developers are superior to those in other industries?

Note: The only results in a search I did on 5/30/2015 of the National Vulnerability Database for “Epic” were vulnerabilities in the Epic Games Unreal Tournament Engine. It is good to know that my video game company cares about my data security.

Everyone who purchases, administers, and uses healthcare IT systems and software deserves vendors who are committed to security. Consider for a moment: the customers of these products are the responsible parties for ensuring the security of the data they put into these systems. Although the change to business associates under the HIPAA Omnibus Rule puts more liability on some of these vendors, the covered entity is still ultimately responsible and takes the hit to its reputation. Patients, the ones who experience harm when these systems are breached, have to rely on their doctors and other healthcare providers to ensure that the healthcare IT software and products are secure. I don’t know about you, but I really hope that my physician spent more time in medical school learning about medicine than he did about encryption.

It’s time for all of us in the healthcare industry to demand that our vendors have the same level of commitment to security as the healthcare providers who are their customers. It’s time for all of us as patients to demand that these vendors improve the security of the products used by our healthcare providers.

One last note. In our alert, we link to Dentrix’s notice on the type of “encryption” they offer on one of their products. From Dentrix’s article:

“Henry Schein introduced cryptographic technology in Dentrix version G5 to supplement a practice’s employee policies, physical safeguards and data security. Available only in Dentrix G5, we previously referred to this feature as encryption. Based on further review, we believe that referring to it as a data masking technique using cryptographic technology would be more appropriate. Regardless of what you call it…”

To your clients, it matters what the federal government “calls” it, and they don’t call it encryption. Under the HHS breach notification guidance, PHI counts as “secured” only when it is encrypted in a manner consistent with the NIST publications HHS cites and the decryption key has not itself been compromised; data that has merely been transformed by a reversible process the vendor itself declines to call encryption earns no safe harbor, so its exposure must be treated as a breach of unsecured PHI.

About Anna Drachenberg
Anna Drachenberg has more than 20 years in the software development and healthcare regulatory fields, having held management positions at Pacificare Secure Horizons, Apex Learning and the Food and Drug Administration. Anna co-founded HRM Services, Inc., a data security and compliance company for healthcare. HRM offers online risk management software for HIPAA compliance and provides consulting services for covered entities and business associates. HRM has clients nationwide and also partners with IT providers, medical associations and insurance companies.

Medicaid Doctors and Dentists Gaming the EHR Incentive Program

Posted on June 29, 2012 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I guess I should have known that it would only be a matter of time before I’d see something like this come out. As best I can tell, Dentrix has partnered with Henry Schein to offer what they’re calling Dentrix Meaningful Use Access 7.6. Seems like Henry Schein is using the Dentrix name to get dentists access to the Medicaid EHR incentive money. On its face, I don’t see any problem with this.

Although, once you start to dig into it, it appears that Dentrix and Henry Schein are partnering to get Dentists the first Medicaid EHR incentive check without even implementing the EHR. You have to remember that the Medicaid EHR stimulus money doesn’t require you to show meaningful use of the EHR. You just have to acquire the EHR technology.

Look at some of the verbiage from the website for the program:

Definition of Adopt, Implement, or Upgrade:
For Medicaid, the eligible provider must Adopt, Implement, or Upgrade (AIU) certified EHR software. As posted on the CMS website, for AIU, a provider does not have to have installed certified EHR technology. The definition of AIU in 42 CFR 495.302 allows the provider to demonstrate AIU through any of the following:
*Acquiring, purchasing or securing access to certified EHR technology
*Installing or commencing utilization of certified EHR technology capable of meeting meaningful use requirements
*Expanding the available functionality of certified EHR technology capable of meeting meaningful use requirements at the practice site, including staffing, maintenance, and training, or upgrade from existing EHR technology to certified EHR technology per the ONC EHR certification criteria.

Thus, a signed contract indicating that the provider has adopted or upgraded would be sufficient.

To be honest, I’m torn between whether this is genius or filthy. According to the letter of the law, I don’t know of any reason that someone with the right Medicaid population can’t purchase an EHR like this for $2000 and then collect the EHR incentive money. The regulations don’t require them to do any more to collect the money. Although, that’s certainly not the intent of the EHR incentive money, and it definitely feels like they’re gaming the system if they do it with no intent to actually implement the EHR.

Another piece from the website:

While Henry Schein currently has no plans to pursue a Meaningful Use solution beyond Stage 1, Year 1 for Dentrix, we continue to monitor healthcare reform to determine what subsequent steps, if any, should be taken regarding Meaningful Use criteria and certification.

At least they’re up front with the dentists that they’re not planning to go beyond meaningful use stage 1, but may change their minds. I’m sure this is music to ONC’s ears to hear that they’re only committing to meaningful use stage 1.

If your strategy is to just help these dentists get the first EHR incentive check, then why should you worry about MU stage 2? Wouldn’t you love to be a salesperson for this product? Here’s your pitch: Pay me $2000 for this EHR, go through 5 steps on the government website and you’ll get paid $21,250.00.

I wish I could see something legally wrong with this idea. Someone I talked to mentioned that even for the Medicaid EHR incentive money you have to check some box saying that you comply with the HIPAA requirements. Well, these clinics have to do that anyway. Many don’t, but they’ll check that box anyway thinking that they comply whether they do or not.

The biggest surprise for me might be that Henry Schein is willing to have their name associated with a program like this. I’ll be interested to see who else picks up on this glaring issue with the Medicaid EHR incentive and what ONC/CMS/HHS do to close it up (if they can).

HIMSS11 Thoughts – Day 2

Posted on February 21, 2011 | Written By John Lynn

Hopefully none of you were expecting Meaningful Use Mondays. We’re taking the week off thanks to HIMSS, but there will certainly be some meaningful use discussion in my day 2 experience at HIMSS11.

I must admit that my morning was a little disappointing. I’d wanted to see Reich speak, but it ended up being too early for me. So, I followed what he said on Twitter. I’m afraid to say that following it on Twitter might possibly have been better than being there. There’s something really cool about the Twitter back channel conversation at a conference.

I was excited to go to the session Dr. No: The Response to HITECH, but it was a dud for me. Maybe it means I’m just too involved with the HITECH act, so she didn’t offer me much to chew on. Plus, the presentation was pretty dry and flat. Oh well, at least I could enjoy the interesting Twitter chatter about the social media session by Mayo Clinic. Makes sense that Twitter would go wild during a social media session.

Next I attended the HIT X.0 presentation with John Glaser and Aneesh Chopra. Aneesh brought the rock star energy like usual, but John Glaser was pretty terribly boring. It’s not a good sign when the most memorable part of their presentation was Aneesh calling him Johnny G. I also was glad that they had the Twitter comments on screen. Too bad they were too strict with the filter of it, but baby steps.

Lots of interesting content from my meeting with GE healthcare. I loved how organized and professional they were about it all. Plus, their government liaison made an interesting comment about how the time frame for delivering meaningful use stage 2 details (Summer 2012 I think) and when hospitals need to show meaningful use stage 2 (October 2012 I think) is too compressed.

I also got a chance to look at the GE Centricity Advance iPad app. They’re following the same iPad EMR strategy I suggested previously, where you only implement a subset of the EMR functionality on the iPad, as a native iPad app that maximizes the iPad interface. I see most EMR vendors doing the same.

I had a very interesting chat with Jonathan Bush from Athena Health. I was excited to meet with him since you never know what’s going to come out of his mouth. I took a video of him where I did a “Tell me something I don’t know” with the most common HIMSS buzzwords. Once I get home, I’ll upload the video and post it on the blog.

After that I met with Rohit Nayak, from MedPlus (Quest Diagnostics’ EMR company that offers the Care360 EMR). Another day I’ll do a post to talk more about the Care360 positioning and what makes them unique. It’s really fascinating to see how a lab company is attacking the EMR market. It’s pretty unique.

Care360 recently made an announcement about Care360’s participation with Microsoft HealthVault and the Direct Project. Aneesh actually made the prediction in the session mentioned earlier that by the end of 2012 80% of doctors will have a direct project address. Rohit agreed that it was possible and that Care360 would be playing a major part. He even said that Aneesh was considering a leaderboard for which company assigns the most direct project addresses. I’d be very interested to see that happen. It’s amazing how having your name on a leaderboard will motivate companies.

After this I met with a whole set of people from Henry Schein (which offers the MicroMD EMR). The dynamics of a large successful company with an EMR division (similar to Quest) I find really interesting. Plus, Henry Schein has had their Practice Management software for a long time (14,000 PMS users).

I was impressed by MicroMD’s approach to marketing their software. They acknowledged that it’s hard to be all things for every type of potential EMR user. So, they’re all about focusing on those specialties where their EHR fits well.

I was interested in how they were approaching meaningful use. Similar to how they’ve done ePrescribing tracking, their meaningful use certified EHR will be reporting back how many of their users are meeting the meaningful use requirements. I’m hopeful that once they start collecting this information in full, they’ll share that information on here. They sounded open to the idea. It would be quite interesting to know which meaningful use measures doctors were generally finding hard to meet.

I already wrote about my time at the MTIA name change. Go and read it if you’re someone who thinks transcription is dead.

Then, off to HIStalkapalooza. I was actually surprised that the event was pretty empty. Much nicer than last year where you basically couldn’t move. Plus, it was great to see the ESD people and see them get featured for their great set of shoes. They also loved the special ESD HIMSS top 10 shirt I was wearing. It was perfect for the event. Here’s what was on the shirt:

The Top 10 REAL Reasons I’m at HIMSS Orlando:
#10 Disney World totally beats Coke World.
#9 Orlando won’t have snow like Atlanta did last year.
#8 ESD’s plantable seed card which turned into a real dill plant for cooking. The swag that keeps on giving!
#7 I’m secretly hoping Colbie Calliat will do an encore performance this year.
#6 I need to walk off those holiday cookies.
#5 I hope I get scanned by the RFID devices and magically transported to a tropical island.
#4 Booth Babes!
#3 Can you say parties?
#2 I’m just here for the food.
And the #1 reason….Anything for the fan girls.
Enterprise Software Deployment – We Implement IT

I thought about going to a couple other events, but just opted to come back and write a few blog posts. Lots more planned tomorrow. Be sure to find me at HIMSS tomorrow so you can win a free HD TV.

This blog’s HIMSS11 coverage is sponsored by Practice Fusion, provider of the free, web-based Electronic Medical Records (EMR) system used by over 70,000 healthcare providers in the US.