
What Would a Patient-Centered Security Program Look Like? (Part 2 of 2)

Posted on August 30, 2016 | Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site (http://oreilly.com/) and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

The previous part of this article laid down a basic premise that the purpose of security is to protect people, not computer systems or data. Let’s continue our exploration of internal threats.

Security Starts at Home

Before we talk about firewalls and anomaly detection for breaches, let’s ask why hospitals, pharmacies, insurers, and others can spread the data from health care records on their own by selling this data (supposedly de-identified) to all manner of third parties, without patient consent or any benefit to the patient.

This is a policy issue that calls for involvement by a wide range of actors throughout society, of course. Policy-makers have apparently already decided that it is socially beneficial–or at least the most feasible course economically–for clinicians to share data with partners helping them with treatment, operations, or payment. There are even rules now requiring those partners to protect the data. Policy-makers have further decided that de-identified data sharing is beneficial to help researchers and even companies using it to sell more treatments. What no one admits is that de-identification lies on a slope–it is not an all-or-nothing guarantee of privacy. The more widely patient data is shared, the more risk there is that someone will break the protections, and that someone’s motivation will change from relatively benign goals such as marketing to something hostile to the patient.

Were HIMSS to take a patient-centered approach to privacy, it would also ask how credentials are handed out in health care institutions, and who has the right to view patient data. How do we minimize the chance of a Peeping Tom looking at a neighbor’s record? And what about segmentation of data, so that each clinician can see only what she needs for treatment? Segmentation has been justly criticized as impractical, but observers have been asking for it for years and there’s even an HL7 guide to segmentation. Even so, it hasn’t proceeded past the pilot stage.

Nor does it make sense to talk about security unless we talk about the rights of patients to get all their data. Accuracy is related to security, and this means allowing patients to make corrections. I don’t know what I think would be worse: perfectly secure records that are plain wrong in important places, or incorrect assertions being traded around the Internet.

Patients and the Cloud

HIMSS did not ask respondents whether they stored records at their own facilities or in third-party services. For a while, trust in the cloud seemed to enjoy rapid growth–from 9% in 2012 to 40% in 2013. Another HIMSS survey found that 44% of respondents used the cloud to host clinical applications and data–but that was back in 2014, so the percentage has probably increased since then. (Every survey measures different things, of course.)

But before we investigate clinicians’ use of third parties, we must consider taking patient data out of clinicians’ hands entirely and giving it back to patients. Patients will need security training of their own, under those conditions, and will probably use the cloud to avoid catastrophic data loss. The big advantage they have over clinicians, when it comes to avoiding breaches, is that their data will be less concentrated, making it harder for intruders to grab a million records at one blow. Plenty of companies offer personal health records with some impressive features for sharing and analytics. An open source solution called HEART, described in another article, is in the works.

There’s good reason to believe that data is safer in the cloud than on local, network-connected systems. For instance, many of the complex technologies mentioned by HIMSS (network monitoring, single sign on, intrusion detection, and so on) are major configuration tasks that a cloud provider can give to its clients with a click of a button. More fundamentally, hospital IT staffs are burdened with a large set of tasks, of which security is one of the lowest-priority because it doesn’t generate revenue. In contrast, IT staff at the cloud environment spend gobs of time keeping up to date on security. They may need extra training to understand the particular regulatory requirements of health care, but the basic ways of accessing data are the same in health care as any other industry. Respondents to the HIMSS survey acknowledged that cloud systems had low vulnerability (p. 6).

There won’t be any more questions about encryption once patients have their data. When physicians want to see it, they will have to do so over an encrypted path. Even Edward Snowden unreservedly boasted, “Encryption works.”

Security is a way of behaving, not a set of technologies. That fundamental attitude was not addressed by the HIMSS survey, and might not be available through any survey. HIMSS treated security as a routine corporate function, not as a patient right. We might ask the health care field different questions if we returned to the basic goal of all this security, which is the dignity and safety of the patient.

We all know the health record system is broken, and the dismal state of security is one symptom of that failure. Before we invest large sums to prop up a bad record system, let’s re-evaluate security on the basis of a realistic and respectful understanding of the patients’ rights.

What Would a Patient-Centered Security Program Look Like? (Part 1 of 2)

Posted on August 29, 2016 | Written By Andy Oram

HIMSS has just released its 2016 Cybersecurity Survey. I’m not writing this article just to say that the industry-wide situation is pretty bad. In fact, it would be worth hiring a truck with a megaphone to tour the city if the situation was good. What I want to do instead is take a critical look at the priorities as defined by HIMSS, and call for a different industry focus.

We should start off by dispelling notions that there’s anything especially bad about security in the health care industry. Breaches there get a lot of attention because they’re relatively new and because the personal sensitivity of the data strikes home with us. But the financial industry, which we all thought understood security, is no better–more than 500 million financial records were stolen during just a 12-month period ending in October 2014. Retailers are frequently breached. And what about one of the government institutions most tasked with maintaining personal data, the Office of Personnel Management?

The HIMSS report certainly appears comprehensive to a traditional security professional. They ask about important things–encryption, multi-factor authentication, intrusion detection, audits–and warn the industry of breaches caused by skimping on such things. But before we spend several billion dollars patching the existing system, let’s step back and ask what our priorities are.

People Come Before Technologies

One hint that HIMSS’s assumptions are skewed comes in the section of the survey that asked its respondents what motivated them to pursue greater security. The top motivation, at 76 percent, was a phishing attack (p. 6). In other words, what they noticed out in the field was not some technical breach but a social engineering attack on their staff. It was hard to interpret the text, but it appeared that the respondents had actually experienced these attacks. If so, it’s a reminder that your own staff is your first line of defense. It doesn’t matter how strong your encryption is if you give away your password.

It’s a long-held tenet of the security field that the most common source of breaches is internal: employees who were malicious themselves, or who mistakenly let intruders in through phishing attacks or other exploits. That’s why (you might notice) I don’t use the term “cybersecurity” in this article, even though it’s part of the title of the HIMSS report.

The security field has standardized ways of training staff to avoid scams. Explain to them the most common vectors of attack. Check that they’re creating strong passwords, an area where increased computing power is creating an escalating war (and the value of frequent password changes has been challenged). Better yet, use two-factor authentication, which may help you avoid the infuriating burden of passwords. Run mock phishing scams to test your users. Set up regular audits of access to sensitive data–a practice that HIMSS found among only 60% of respondents (p. 3). And give someone the job of actually checking the audit logs.
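As an added illustration of the two practices both parts of this article ask for, segmentation of record access (part 2) and someone actually reviewing the audit logs (above), here is a small Python review pass; it is not code from the article or from HIMSS. It flags record views by staff with no documented treatment relationship to the patient and users who open an unusually large number of distinct records; the log format, roles, care-team roster and threshold are all constructed assumptions.

```python
"""Review EHR access audit logs for views that lack a treatment relationship.

Added example for the article above, not code from it. Log layout, field
names, roles, the care-team roster and the bulk-view threshold are all
constructed for illustration; a real site would feed its own audit export.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample audit log: one record view per line, pipe-delimited.
SAMPLE_LOG = """\
ts|user|role|patient_id|segment
2016-08-29T08:01:00|dr.jones|physician|P1001|clinical
2016-08-29T08:02:10|dr.jones|physician|P1002|clinical
2016-08-29T08:05:00|nurse.smith|nurse|P1001|clinical
2016-08-29T09:15:00|nurse.smith|nurse|P2001|clinical
2016-08-29T09:30:00|clerk.lee|billing|P1001|billing
2016-08-29T09:31:00|clerk.lee|billing|P1003|clinical
2016-08-29T10:00:00|dr.wong|physician|P4001|clinical
2016-08-29T10:00:30|dr.wong|physician|P4002|clinical
2016-08-29T10:01:00|dr.wong|physician|P4003|clinical
2016-08-29T10:01:30|dr.wong|physician|P4004|clinical
2016-08-29T10:02:00|dr.wong|physician|P4005|clinical
2016-08-29T10:02:30|dr.wong|physician|P4006|clinical
"""

# Constructed care-team roster: staff with a documented treatment relationship.
CARE_TEAM = {
    "P1001": {"dr.jones", "nurse.smith"},
    "P1002": {"dr.jones"},
    "P1003": {"dr.patel"},
    "P2001": {"dr.patel"},
    **{f"P400{i}": {"dr.wong"} for i in range(1, 7)},
}

# Segmentation rule: which role may open which data segment without being
# on the care team. Clinical data always requires a treatment relationship.
ROLE_SEGMENTS = {"billing": {"billing"}}


def parse_log(text):
    """Parse the pipe-delimited audit export into a list of event dicts."""
    return list(csv.DictReader(StringIO(text), delimiter="|"))


def is_permitted(event, care_team):
    """True if the viewer is on the patient's care team, or the role is
    allowed to see that segment without a treatment relationship."""
    if event["user"] in care_team.get(event["patient_id"], set()):
        return True
    return event["segment"] in ROLE_SEGMENTS.get(event["role"], set())


def find_unrelated_access(events, care_team):
    """Events that fail the segmentation rule (the 'Peeping Tom' case)."""
    return [e for e in events if not is_permitted(e, care_team)]


def find_bulk_viewers(events, threshold):
    """Users who opened more than `threshold` distinct records in the window.
    The threshold is a constructed value; tune it to the site's workload."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["patient_id"])
    return {u: len(p) for u, p in seen.items() if len(p) > threshold}


def review(text, care_team=CARE_TEAM, threshold=5):
    """Run both checks over one audit export and return the findings."""
    events = parse_log(text)
    return {
        "unrelated": find_unrelated_access(events, care_team),
        "bulk": find_bulk_viewers(events, threshold),
    }


if __name__ == "__main__":
    findings = review(SAMPLE_LOG)
    for e in findings["unrelated"]:
        print(f"REVIEW: {e['user']} ({e['role']}) opened {e['segment']} data "
              f"of {e['patient_id']} at {e['ts']}")
    for user, n in findings["bulk"].items():
        print(f"REVIEW: {user} opened {n} distinct records")
```

Every flagged line still needs a human to decide whether it was a legitimate emergency view or a privacy violation; the script only shortens the list that person must read.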

Why didn’t HIMSS ask about most of these practices? It began the project with a technology focus instead of a human focus. We’ll take the reverse approach in the second part of this article.

The Need for an Improved Patient Focus and Patient Experience in Healthcare

Posted on July 1, 2016 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I had a chance to talk with Colin Hung from Stericycle, a real thought leader in the world of healthcare IT and patient engagement. You can watch our discussion below where we talk about the lack of patients at healthcare IT conferences and a healthcare IT vendor perspective around interaction with patients. Plus, we dive into the concept of patient experience and patient’s desire to communicate and interact with their physician. We also talk about self-scheduling appointments in healthcare and involving patients in product design.

Thanks to Colin for sharing a bit about the benefits of involving more patients in healthcare IT. I’m sure we could have talked for a few more hours about this topic.

The Senate is Promoting Healthcare Innovation – How Organizations Can Keep Pace – Breakaway Thinking

Posted on April 20, 2016 | Written By

The following is a guest blog post by Mark Muddiman, Engagement Manager at The Breakaway Group (A Xerox Company). Check out all of the blog posts in the Breakaway Thinking series.
On March 9, 2016 the Senate Committee on Health, Education, Labor, and Pensions (HELP) approved S.1101, better known as the Medical Electronic Data Technology Enhancement for Consumers’ Health (MEDTECH) Act. As HIMSS reports, the bill aims to limit the regulatory oversight of “low-risk” medical device software, while at the same time clearly delineating the reach of the FDA’s authority.

But how do you define “low-risk” when it comes to a person’s health?

The answer might surprise you. These items are deemed low-risk by the MEDTECH act and will no longer require oversight:

  • administrative, operational, or financial records software used in healthcare settings
  • software for maintaining or encouraging a healthy lifestyle unrelated to medical treatment
  • electronic patient records, excluding software for interpreting or analyzing medical image data
  • software for clinical laboratory testing, excluding software for interpreting or analyzing test data
  • software that provides medical recommendations and the basis for those recommendations to healthcare professionals, excluding software for acquiring, processing, or analyzing medical images or signals

Regulations serve a purpose in ensuring that the devices used do not put patients at risk, and some fear that the loosening of these restrictions could be problematic. But the number of policies vendors were previously required to abide by was staggering. There is little value in subjecting vendors or healthcare leaders to such stringent policies with software and devices that are unlikely to lead to increased risk or an adverse event. Unnecessary regulation ultimately restricts patient access to the most current technology and impedes more successful clinical outcomes.

As HIMSS further clarified, the MEDTECH act still allows the FDA to oversee medical software if it considers the product “reasonably likely to cause serious adverse consequences.” The congressional summary goes on to note that the FDA may assess a software function for safety and effectiveness if the medical device has multiple functions. For example, mobile applications do not need supervision if integrated by a vendor unless they become linked to something of medium or high risk such as medication administration. In short, vendors get the freedom they need to explore new avenues, but the FDA doesn’t cede total control and retains an option that can be interpreted broadly enough to intervene when needed. In this sense, the MEDTECH act finds a middle ground using a risk-based approach to focus oversight where it’s needed most.

Key players in the industry have supported the bill; Health IT Now and the American Medical Informatics Association (AMIA) both praised the passage of the act, while major vendors including Athenahealth, IBM, and McKesson strongly supported the push to pass the bill. Undoubtedly, the passing of the MEDTECH act was great news for vendors.

The benefits to patients and vendors are clear, but what about healthcare providers and administrators?

CIOs and CMIOs already have their hands full keeping pace with a seemingly endless set of transformations in health IT. Now the Senate is aiming to quicken innovation and shorten the time it takes for technology to reach the market, inevitably raising the rate at which organizations must adopt that technology. Some providers likely viewed the passage of the act with an exasperated palm to the face. The frustration is real: the move to ICD-10 occurred less than seven months ago, and many organizations that have already implemented EHRs are still focusing on optimization to improve their ROI.

Simply put, there is no end in sight to new technologies arriving in healthcare, and there will not be a slowdown anytime soon. Healthcare organizations must proactively plan a long-term adoption strategy that accounts for continual enhancements in technology, with a focused ability to quickly bring staff to a high level of proficiency. Those that achieve such agility will be able to leverage the best technology to offer the highest standards of care.

Xerox is a sponsor of the Breakaway Thinking series of blog posts. The Breakaway Group is a leader in EHR and Health IT training.

The Burnt Out Healthcare IT Industry – Time for a Reset

Posted on March 14, 2016 | Written By John Lynn

Colin Hung recently posted that HIMSS 2016 didn’t really have a theme and that this was a good thing. I think that’s a fair assessment. There wasn’t any one topic or initiative that was grabbing everyone’s attention. However, I would argue that there was a theme coming out of HIMSS 2016:

The Healthcare IT industry is tired and burnt out.

You know the feeling when you’re burnt out. You can’t think about any more topics. You can’t add anything new to your plate. You just need some time to re-energize yourself before you start taking on new initiatives. You need some time to reset.

While at HIMSS I heard and read a few people mention that the healthcare IT world feels a bit like it did after the craziness of Y2K. They described the feeling at HIMSS after Y2K as similar to what it was like at HIMSS 2016.

I’ll admit that I was off in Italy without technology for Y2K, so I can’t compare it first hand, but the comparison makes a lot of sense. I did see how companies and organizations were trying to prepare for Y2K. After putting so much focus and worry on a project for an extended period, you need some down time to reset your priorities.

I see the same thing happening today. However, it isn’t just one thing that’s tied up healthcare executives. Meaningful use has been all-consuming for many organizations. ICD-10 took up a whole lot of focus and training to ensure that everything went smoothly with that transition. HIPAA Omnibus and this wave of breaches, along with the HIPAA Security Risk Assessment requirements, have caused organizations to focus on security. All of that has consumed healthcare executives’ focus for the past couple of years. It’s definitely time for a well-deserved reset.

However, it’s not just the leaders that need a reset. The entire organization needs a reset and some space to relax after executing so many major projects at once (often in a very compressed time frame).

The problem is that there won’t be much time to sit back and relax. Most EHR implementations still need a lot of work. Doctors are getting more and more frustrated with their EHR and we’re going to need to do something about it before it adds to the already burnt out doctors. However, looking back I think we’ll see HIMSS 2016 as the year of the Healthcare IT reset. I don’t think that’s a bad thing. In fact, I think it’s necessary.

The Sick State of Healthcare Data Breaches Infographic

Posted on March 9, 2016 | Written By John Lynn

One of the topics discussed at HIMSS 2016 last week is the number of healthcare data breaches that have happened recently. Most people predicted that it was likely to get worse. I agree with them. It’s amazing how many healthcare organizations are playing the “ignorance is bliss” card when it comes to these breaches.

This infographic from LightCyber should put a little perspective on the quantity and impact of all these health care data breaches. If I were the leader of a healthcare organization, I’d be making this one of my top priorities.


No Single Theme Dominated HIMSS16 and That’s Exciting!

Posted on March 8, 2016 | Written By

Colin Hung is the co-founder of the #hcldr (healthcare leadership) tweetchat one of the most popular and active healthcare social media communities on Twitter. Colin is a true believer in #HealthIT, social media and empowered patients. Colin speaks, tweets and blogs regularly about healthcare, technology, marketing and leadership. He currently leads the marketing efforts for @PatientPrompt, a Stericycle product. Colin’s Twitter handle is: @Colin_Hung

HIMSS 2016 Attendance Numbers

Last week, over 41,000 people descended on Las Vegas for the annual HIMSS conference, #HIMSS16. Attendance was down slightly compared to the previous year, but it sure didn’t feel like it in the crowded hallways and aisles in the Sands Expo Center.

I truly enjoy HIMSS in Vegas. I find that people are more energetic and more willing to conduct business when the conference is held there. It feels like it is easier to have conversations with people in Vegas. Perhaps it is the oxygen they pump into the casinos or perhaps it is simply the aura of the town rubbing off on people.

Having impromptu conversations is one of the things I love most about HIMSS. I always gain a tremendous amount of perspective when I randomly stop and chat with people in the exhibit hall. That trend continued this year, but after the first day, I felt something was missing from my discussions. It wasn’t until today that I realized what that was: there was no single consistent theme from #HIMSS16.

Over the past several years there has always been a single topic that dominated the conversations at HIMSS. Interoperability, Meaningful Use, Big Data, Patient Engagement and Population Health have all been hot-button HIMSS themes. This year, no single dominant topic emerged. There was certainly talk about gender parity, interoperability, moving to a value-based system, telehealth and Big Data, but there was no consistency to the conversations I had with fellow attendees.

I think this is a good sign. In fact, I’m excited about it.

HealthIT is in a state of flux right now. Meaningful Use is winding down, ICD-10 is in the rearview mirror and the hype around digital health is starting to wane. For the first time in years, vendors and healthcare CIOs are free to chart their own paths, pursue their own interests. This is something that hasn’t happened since the EHR incentive program started back in 2010.

Through this lens, the conversations at #HIMSS16 show me that we are about to see progress on many different fronts. Some people I spoke to are looking to invest in new decision support tools that employ the latest in artificial intelligence. Others are seeking new ways of using public data to assist in population health. Everyone I spoke to had one or two projects that they were FINALLY going to get a chance to start in 2016.

This is very exciting and I can’t wait to see how all this pent-up innovative energy manifests for the remainder of 2016.

Where Do We See Positive Things Happening in Healthcare IT? – Post #HIMSS16 Blab

Posted on March 4, 2016 | Written By John Lynn

UPDATE: In case you missed the live video interview, you can watch the recording of our discussion in the video embedded below:

This post is sponsored by Samsung Business and Dell is sponsoring my trip to participate in the Dell Healthcare Think Tank. All thoughts and opinions are my own.


On Tuesday, March 8, 2016 at 1 PM ET (10 AM PT) I’ll be hosting a live video interview with the Chief Medical Officers of both Samsung and Dell. As we recover from HIMSS 2016, we’ll be sharing the positive things we saw, heard and are doing in healthcare IT. Far too many people at HIMSS are focusing on the challenges and downside of healthcare IT. In this live video chat, we’re going to focus our discussion on the innovations and amazing technologies that are making healthcare better for everyone.

The great part is that you can join my live conversation with this panel of experts and even add your own comments to the discussion or ask them questions. All you need to do to watch live is visit this blog post on Tuesday, March 8, 2016 at 1 PM ET (10 AM PT) and watch the video embed at the bottom of the post or you can subscribe to the blab directly. We’ll be doing a more formal interview for the first 30 minutes and then open up the Blab to others who want to add to the conversation or ask us questions. The conversation will be recorded as well and available on this post after the interview.

Here are a few more details about our panelists:

We hope you’ll join us live or enjoy the recorded version of our conversation. Plus, considering the size of HIMSS, the three of us likely only saw a small portion of the amazing innovations and technologies that were on display at HIMSS. Please join us on blab and share things you found at HIMSS that everyone should know about.

If you’d like to see the archives of Healthcare Scene’s past interviews, you can find and subscribe to all of Healthcare Scene’s interviews on YouTube.

For more content like this, follow Samsung on Insights, Twitter, LinkedIn , YouTube and SlideShare.

Also, you can see Dr. Nick and myself on the Dell Healthcare Think Tank event March 15th on Twitter using the #DoMoreHIT hashtag and the Livestream.

Best Part of #HIMSS16

Posted on | Written By John Lynn

Today was the last day of the exhibit hall at the HIMSS 2016 Annual Conference. As I ponder on the #HIMSSsanity of the last 5 days, I’m struck with one big takeaway.

The people at HIMSS 2016 are the best part of the conference!

Sure, there are outliers in every community. Plus, we all have our weaknesses. However, from my experience, HIMSS 2016’s 41,712 attendees represent an extraordinary group of people.

While healthcare has many challenges, considering the many amazing people involved in healthcare IT, I have to be very optimistic about our future.

Tomorrow’s the last day and has 2 keynotes. Then, I’ll sleep the whole weekend.

EHR Vendor Commitments to Make Data Work at #HIMSS16

Posted on March 2, 2016 | Written By John Lynn

As I think back on the first day and a half of HIMSS, I think that this might be the biggest news of the conference so far:

It seems that most people see this as a hollow commitment. Some might argue that we’re jaded by past history, and they’d be right. However, I’d make a different argument. Interoperability is hard and there are plenty of incentives not to do it. I don’t see this changing because EHR vendors commit to being interoperable.

Let’s be honest. Saying that they’ve “committed” doesn’t matter if they have no skin in the game. There’s no payment for successfully creating a product that’s interoperable. There’s no penalty for not being interoperable. That’s not ONC and HHS’ fault. They only have the levers that the government provides them. There are just so many easy ways for EHR vendors to feign interest in a real commitment to interoperability without actually executing on that vision.

While this type of announcement at HIMSS doesn’t really make me think that the dynamics around healthcare interoperability will change, I do like HHS’ decision to have EHR vendors work out the interoperability problem. If the government couldn’t solve interoperability with $36 billion in incentive money and penalties to boot, do we really think they can do anything to change the equation? At least on their own. This has to be an industry focused effort or it won’t happen.

While I must admit that I’m slowly becoming a skeptic of ever achieving true interoperability of health data, I think we will see point examples where data is being shared. I’m always intrigued by great companies who realize that they can’t be everything, but they can be something. I think we’ll see more and more companies like this.