Pre-#HIMSS17 Fun Friday

Posted on February 17, 2017 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

It’s Friday and not just any normal Friday, the Friday before the 2017 HIMSS Annual Conference. So, this Fun Friday entry is especially appreciated. I’m pretty sure I’m going to have a conversation about this first cartoon many times next week.

Everyone travel safe to HIMSS if you’re going. If you’re grinding away at home, I’ll do my best to bring you some unique, interesting, and valuable perspectives from the conference across my network of Healthcare Scene sites.

#MakeHITCount

Posted on February 16, 2017 | Written By John Lynn

I’ll admit I’m a bit of a sucker for a new hashtag. Especially one that points to moving healthcare IT forward. So, you can imagine I was interested when my friends at Iron Mountain let me know that they were working on a new hashtag called #MakeHITCount.

Throughout HIMSS 2017, Iron Mountain will be collecting any mentions of #MakeHITCount on Twitter, Instagram, Facebook, or LinkedIn and using those tweets to create a cool photomosaic like the one below (click on it to see it in action):

I love those photomosaics, but I love showing appreciation for people even more. I also love the idea of pointing out the parts of Healthcare IT that are making a difference in people’s lives. Here is a list of ways that you can participate in the #MakeHITCount hashtag:

  • Share your story of why it’s important to #makeHITcount now more than ever
  • Share your story of how you #makeHITcount in your job role
  • Share your story of how health IT can #makeHITcount for clinicians or patients
  • Share your Health IT Hero, the person who inspires you to #makeHITcount
  • Challenge others to tell you how they #makeHITcount

It’s too easy for us to complain about healthcare IT. We need to spend more time sharing about how IT makes our lives better and show gratitude to the people that are making it better. I’m not saying we should ignore the challenges of using healthcare IT appropriately, but we also shouldn’t take for granted all the benefits that IT can and should provide.

I look forward to what you all share on #MakeHITCount. Maybe a wave of good can open our eyes to new possibilities, inspire people who are working in healthcare IT, and make Health IT live up to its potential.

Full Disclosure: Healthcare Scene occasionally gets paid to write blog posts for Iron Mountain’s blogs.

Consumers Fear Theft Of Personal Health Information

Posted on February 15, 2017 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Probably fueled by constant news about breaches – duh! – consumers continue to worry that their personal health information isn’t safe, according to a new survey.

As the press release for the 2017 Xerox eHealth Survey notes, last year more than one data breach was reported each day. So it’s little wonder that the survey – which was conducted online by Harris poll in January 2017 among more than 3,000 U.S. adults – found that 44% of Americans are worried about having their PHI stolen.

According to the survey, 76% of respondents believe that it’s more secure to share PHI between providers through a secure electronic channel than to fax paper documents. This belief is certainly a plus for providers. After all, they’re already committed to sharing information as effectively as possible, and it doesn’t hurt to have consumers behind them.

Another positive finding from the study is that Americans also believe better information sharing across providers can help improve patient care. Xerox/Harris found that 87% of respondents believe that wait times to get test results and diagnoses would drop if providers securely shared and accessed patient information from varied providers. Not only that, 87% of consumers also said that they felt that quality of service would improve if information sharing and coordination among different providers was more common.

Looked at one way, these stats offer providers an opportunity. If you’re already spending tens or hundreds of millions of dollars on interoperability, it doesn’t hurt to let consumers know that you’re doing it. For example, hospitals and medical practices can put signs in their lobby spelling out what they’re doing by way of sharing data and coordinating care, have their doctors discuss what information they’re sharing and hand out sheets telling consumers how they can leverage interoperable data. (Some organizations have already taken some of these steps, but I’d argue that virtually any of them could do more.)

On the other hand, if nearly half of consumers are afraid that their PHI is insecure, providers have to do more to reassure them. Though few would understand how your security program works, letting them know how seriously you take the matter is a step forward. Also, it’s good to educate them on what they can do to keep their health information secure, as people tend to be less fearful when they focus on what they can control.

That being said, the truth is that healthcare data security is a mixed bag. According to a study conducted last year by HIMSS, while most organizations conduct IT security risk assessments, many IT execs have only occasional interactions with top-level leaders. Also, many are still planning out their medical device security strategy. Worse, provider security spending is often minimal. HIMSS notes that few organizations spend more than 6% of their IT budgets on data security, and 72% have five or fewer employees allocated to security.

Ultimately, it’s great to see that consumers are getting behind the idea of health data interoperability, and see how it will benefit them. But until health organizations do more to protect PHI, they’re at risk of losing that support overnight.

#FakeICDCodes for #HIMSS17

Posted on February 13, 2017 | Written By John Lynn

In the world of Healthcare IT, we’re all consumed by the HIMSS Annual Conference happening next week in Orlando. You’ve probably realized that as you’ve read about my HIMSS17 Meetups, my HIMSS17 Conference and Social Media Resources, and my HIMSS17 Tips for Hospital Professionals. Oh yes, and of course my New Media Meetup Party (Be sure to register if you plan to attend). We’ll get back to our regularly scheduled programming after next week. Until then, we’ll try to give you a glimpse into the HIMSS conference experience along with insights, perspectives, and a little industry humor.

With that in mind, I was really excited when the brilliant Sarah Bennight, Marketing Strategist at Stericycle’s Enterprise Healthcare Group, shared the idea of #FakeICDCodes with me. In a lot of ways, this is a takeoff on the humorous ICD-10 code lists that were so popular, but applied to HIMSS17 and the healthcare IT industry as a whole with a little nod to the #FakeNews world.

Here are some sample #FakeICDCodes that I’m sure you’ll appreciate if you’ve taken part in HIMSS or some other large conference.

We’ll be sharing a bunch of other humorous #FakeICDCodes over the next couple weeks if you want to see them all on Twitter. Plus, this doesn’t just apply to #HIMSS17. These codes can apply to the industry year round. Feel free to join in and share your own #FakeICDCodes. We look forward to seeing what creative ones you come up with and share.

#HIMSS17 Conference and Social Media Resources

Posted on February 10, 2017 | Written By John Lynn

HIMSS 2017 is a massive conference. Luckily, there are a lot of tools and resources out there to help you make the most of your HIMSS 2017 experience. Here are a few of them that I’ve found useful. Feel free to add more suggestions in the comments.

The first key to the HIMSS Conference is planning your schedule. I’d be remiss if my first schedule suggestion wasn’t to take a look at this series of HIMSS17 meetups. No doubt you’ll find something that’s of interest to you and your organization. If nothing else, you should join us at the 8th Annual New Media Meetup event on Tuesday evening. It’s a lot of fun and if you can read this blog post, you’re invited.

Of course, HIMSS also offers a HIMSS17 Conference Planning page. This page will show you how you can sign in, build your agenda, add sessions to that agenda, create an exhibitor list and so much more. This feature has come a long way since past HIMSS, so check it out.

Next up, you should download the HIMSS17 mobile app (iOS and Android). The nice part is that it looks like your login and agenda should sync everything between the website and the mobile app. I’ve been using the mobile app and it’s the best experience HIMSS has created on mobile yet. It’s still a little hard to navigate in some cases, but I especially like the feature that lets you search other attendees using the mobile app (Note: The attendees on the mobile app are only those that have downloaded the app). I’m also interested to see if I love or hate the geo-location portions of the mobile app and the beacons. Feels kind of big brothery, but I like my big brother.

Speaking of the HIMSS Schedule, I think the HIMSS Schedule at a Glance is extremely useful as well. It lets you know all the times for the keynotes, parties, special sessions, and exhibit hall hours. All important things.

In case you’re looking for a specific exhibitor, this list of exhibitors and products will come in handy. It’s also available on the mobile app. This interactive map is a great way to get an idea of where booths are located and how the exhibit hall is laid out so you don’t get too lost.

If you’re into social media (and if you’re not you should be), an important trick is to learn about Twitter’s advanced search. The number of tweets sent last year (~200,000 tweets) was so massive that the best way to get value out of social media during HIMSS17 is to use the advanced search to find the most interesting tweets that relate to you. Plus, you can do neat tricks like excluding words that are likely promotional in nature.

Another option to help filter through the social media noise is to check out the #HIMSS17 hashtag guide. This guide essentially represents sub-communities within the larger HIMSS conference. By following these other hashtags, you can find a more concentrated discussion around the topics that interest you most. It can also serve as a guide for your participation in social media at HIMSS17. Plus, if you’re an exhibitor at HIMSS17, HIMSS did a social media webinar that you might find useful.

Another great method to enjoy social media, but not get blown away by the firehose of tweets is to follow this Twitter list of HIMSS17 Social Media Ambassadors. In fact, there’s no reason to wait until the conference. Start following this list now. There’s lots of great content being shared by that group.

Those are some of the resources that I’ve found useful. Let us know if you have others you’d recommend in the comments below. Also, take a minute to read through some suggestions and tips for making the most of your HIMSS17 Experience.

See you in Orlando!

Maximizing Your #HIMSS17 Experience – Whether Attending Physically or Virtually – #HITsm Chat Topic

Posted on February 7, 2017 | Written By John Lynn

We’re excited to share the topic and questions for this week’s #HITsm chat happening Friday, 2/10 at Noon ET (9 AM PT). This week’s chat will be hosted by Steve Sisko (@HITConfGuy and @shimcode). We’ll be discussing the topic “Maximizing Your HIMSS17 Experience – Whether Attending Physically or Virtually“.

To most of us who operate in the healthcare and information technology space, the HIMSS Conference & Exhibition is considered to be the SuperBowl of all healthcare conferences. It’s been happening for a long time (since 1961), it’s attended by a huge number of people (about 45,000 attendees projected for 2017), it’s surrounded by lots of pomp and circumstance leading up to the event and it can be enjoyed by not only those attending in person but also those attending “virtually.”

The intention for the #HITsm chat on February 10th is to share information, ideas, opinions and tips for getting the most out of this annual healthcare mega-event.

The Topics
Here are the topics to help flesh out the theme of ‘Maximizing Your HIMSS17 Experience – Whether Attending Physically or Virtually.’

T1: What do you think will be ‘stand out’ topic(s), technologies, presentations & exhibitors at #HIMSS17 and why? #HITsm

T2: What are the 2 or 3 top things you hope to leave #HIMSS17 with and how will you use them to create value after the event? #HITsm

T3: What are your favorite sources & tips for getting the most out of your physical or virtual attendance at the #HIMSS17 Conference? #HITsm

T4: What type of content, info, and/or media do you want those attending the #HIMSS17 conference to share via their social channels? #HITsm

T5: If you could ask a #HIMSS17 conference attendee to share w/ you only one thing from the conference, what would it be? #HITsm

Bonus: Who should have been a #HIMSS17 Social Media ambassador and wasn’t but that you’d recommend to your followers? #HITsm

#HIMSS17 Meetup with #HITsm and #hcldr
If you’ll be at HIMSS, we’re doing a physical #HITsm meetup combined with the #hcldr community on Tuesday, 2/21 from 10:00-10:45 AM ET at the Orlando Convention Center Lobby Hall D. There will likely be many people participating in the meetup virtually using the #HITsm and #hcldr hashtags as well. Here’s a link to find more details on this meetup and other Healthcare Scene meetups at HIMSS17.

Upcoming #HITsm Chat Schedule
2/17 – Enough talk, let’s #GSD (Get Stuff Done)
Hosted by Burt Rosen (@burtrosen) from @healthsparq

2/24 – HIMSSanity Recovery Chat
With #HIMSS17 happening the week of this chat, we’ll take the week off from a formal chat. However, we encourage people that attended HIMSS or watched HIMSS remotely to share a “Tweetstorm” that tells a #HIMSS17 story, shares insights about a topic, rants on a topic of interest, or shows gratitude. Plus, it will be fun to test out a new form of tweetstorm Twitter chat. We’ll post more details as we get closer.

We look forward to learning from the #HITsm community! As always let us know if you have ideas for how to make #HITsm better.

If you’re searching for the latest #HITsm chat, you can always find the latest #HITsm chat and schedule of chats here.

Where to Meetup and Connect with People at #HIMSS17

Posted on February 1, 2017 | Written By John Lynn

The 2017 HIMSS Annual Conference is just around the corner. For those not familiar with the event, it’s the mecca of healthcare IT conferences that brings together somewhere in the neighborhood of 50,000 attendees and 1300 exhibitors in one place. It’s a week-long feast for someone like me who eats, breathes, and sleeps healthcare IT. Although, it can be a bit overwhelming for those attending for their first time.

One of the things I’ve learned over my years attending HIMSS is that my favorite part of the conference is meeting and connecting with other brilliant healthcare IT minds. There are certainly some great educational opportunities that I’ll never forget and I’m always interested in what’s happening with the exhibitors at HIMSS, but the most satisfying experiences I have at HIMSS are the discussions, debates, and insight sharing that occurs with attendees.

With this in mind, I’ve put together a whole schedule of HIMSS 2017 meetups where anyone can join and participate in the discussion with myself and other experts. We welcome everyone to join us and share an alternate point of view, ask hard questions, and share insights that might help others in attendance. These meetups are a judgement free zone where everyone is welcome. However, you should expect vigorous debate, strong opinions, and respectful perspectives. That’s how we all learn and grow together.

You’ll find all the Healthcare Scene meetups listed below. Each meetup has its own topic, so browse through the list and select the ones that interest you most. Please invite any of your friends and/or colleagues who have an interest, experience, or expertise in any of these areas as well. A few have a registration, but the rest you can just plan to show up at the location at the specified time. Ask for the meetup and we’ll be easy to find.

Monday, February 20, 2017 HIMSS Meetups

HIMSS Social Media Ambassador Meetup – Monday, 2/20, 11:00-11:45 AM at the HIMSS Spot (Lobby C)
We’re honored that Healthcare Scene’s very own @techguy was selected as 1 of 20 HIMSS Social Media Ambassadors. This is a select group of some of the most influential people in healthcare IT social media. This meetup organized by HIMSS will bring together the 20 social media ambassadors to talk about insights into healthcare IT, HIMSS17 and social media.

Healthcare Consumerism Meetup – Monday, 2/20, 1:00-2:00 PM at the Dell EMC Booth #3161
At this meetup, we welcome you to join us in a discussion about a topic which will impact all of us: Healthcare Consumerism. It’s clear that patients are becoming more active, involved and informed in their healthcare. At this meetup, we’ll discuss how far healthcare consumerism will go and what this means for healthcare. We’ll discuss the challenges and opportunities this presents along with a realistic discussion of who holds the power in healthcare today and where that could go in the future. We’ll be tweeting on the #TransformHIT hashtag during the event.

Cloud Security Meetup – Monday, 2/20, 3:00-4:00 PM at the CDW Healthcare Booth #2761
This meetup and discussion will be led by my partner Shahid Shah (@shahidnshah), Neal Clark, Cloud Client Executive at CDW Healthcare, and myself. If you’re like most healthcare organizations and one of your biggest challenges is cloud security, you’ll want to take part in this discussion. We’ll be discussing topics such as ransomware, the shadow IT risk, and ensuring cloud security from HIPAA business associates. Be sure to register for the meetup here.

Tuesday, February 21, 2017 HIMSS Meetups

#HITsm and #hcldr Meetup – Tuesday, 2/21, 10:00-10:45 AM at the Orlando Convention Center Lobby Hall D
We’re going back to our roots and doing a true tweetup with the combined #HITsm and #hcldr crowds at HIMSS 2017. I think we have got some ideas on how to make this meetup special. First of all, we’ve enlisted the help of community rock stars Sarah Bennight (@SarahBennight), Mandi Bishop (@MandiBPro), and Shahid Shah (@ShahidNShah) to help us facilitate the meetup. This way everyone who comes will hopefully feel welcome and get a chance to meet and connect with incredible members of the #HITsm and #hcldr communities. Join us as we connect and collaborate to improve healthcare.

Digital Transformation Meetup – Tuesday, 2/21, 11:30-12:30 PM at the Dell EMC Booth #3161
We all hear about and talk about Healthcare Transformation or Healthcare Disruption, but what does this really mean to the healthcare Industry? Join us at this meetup where we’ll cut through the jargon and hype and talk about how we can pursue authentic collaboration that truly transforms healthcare. Plus, we’ll discuss trends in healthcare that are going to disrupt the status quo and how we can make sure our organizations are prepared for those changes. I’m also really pleased that the HC Disruptors group that Michael Joseph (@HealthData4All) started will be joining us. At the end of the day, our goal for this meetup is to explore how we can all be agents for change in making healthcare better. Join us for this open discussion. We’ll be tweeting on the #TransformHIT hashtag during the event.

Get Ready for Precision Health Meetup – Tuesday, 2/21, 2:00-2:45 PM at the Intel Booth #2661
Precision Health is the future of healthcare, but many healthcare organizations are still trying to figure out what they can do with all this data. Join us at this meetup to discuss the impact of precision medicine on patients, clinicians, and IT experts. Plus, we’ll dive into what your organization can do today to make sure you’re ready for precision health. If your organization is up to your ears in data and not sure how to use it, join us for this discussion. This meetup will also be available live via Periscope on @IntelHealth.

Strategies to Enhance Your Professional Profile Meetup – Tuesday, 2/21, 4:00-5:00 PM at the Hyatt Regency Orlando – HIMSS Career Fair – 4Medapproved Booth #12
For those career-conscious people, this meetup will take place at the HIMSS Career Fair that’s across the street at the Hyatt Regency. We’re pleased to have Wendy Whitmore from 4Medapproved, Jeff Cunio from Pivot Point Consulting (A Vaco Company), Christine “Chris” Hutchison from Encore (A Quintiles Company), and myself leading the discussion. If you’re looking for a job or you’re looking to hire someone, join us at this meetup and you will not be disappointed by the engaging discussion and networking. Be sure to sign up if you plan to attend.

New Media Meetup – Tuesday, 2/21, 6:00-8:00 PM at Cuba Libre at Pointe Orlando
This is the 8th annual New Media Meetup at HIMSS. This event brings together most of the influential people in Healthcare IT social media and a wide variety of journalists, bloggers and readers as well. Plus, thanks to our sponsor, Stericycle Communication Solutions, we’ll have food, drinks, and some killer giveaways. This event does require you to register to attend, so please be sure to register if you plan to join us.

That’s all the HIMSS 2017 meetups we have scheduled for now. That’s probably enough, but if we add any more, we’ll be sure to update this post with others.

Dell, CDW, Intel, and Stericycle are all sponsors of Healthcare Scene and paid to sponsor a number of these meetups.

8th Annual New Media Meetup at #HIMSS17 Sponsored by Stericycle Communication Solutions

Posted on January 12, 2017 | Written By John Lynn

For those of you planning to attend the HIMSS 2017 conference in Orlando, I’m excited to share the details of the 8th Annual New Media Meetup at HIMSS. For those who’ve missed the last 7 events, it’s a unique event that brings together healthcare IT bloggers, tweeters, and other social media influencers at the mecca of Healthcare IT conferences.

It’s incredible to think how much social media, blogging, and other new media formats have changed since we first started the New Media Meetup 8 years ago. What hasn’t changed is how many incredible connections happen on social media and how much fun we have meeting in person at the New Media Meetup during HIMSS. We’re lucky to have Stericycle Communication Solutions supporting our desire to bring together the best healthcare IT influencers at this incredible event. I hope everyone will spend some time checking out Stericycle Communication Solutions and thank them for sponsoring the event.

If you’d like to attend the event, please make sure you register.

Here’s a quick summary of what we have planned for the event:
When: Tuesday 2/21 6:00-8:00 PM
Where: Cuba Libre at Pointe Orlando, 9101 International Dr, Orlando, FL 32819 MAP (Cuba Libre is a short walk from the convention center.)
Who: Anyone who uses or is interested in New Media (Blogs, Twitter, Social Media, YouTube Live, Facebook, etc)
What: Food, Drinks, Dance Floor, Giveaways, and Amazing People

Sponsored by Stericycle Communication Solutions
Stericycle Communication Solutions helps bring patients and healthcare organizations closer together. We believe that the key to patient engagement and positive patient experiences is effective and timely communication. Stericycle Communication Solutions is a leading provider of live agent services and technology solutions including high quality telephone answering, online appointment scheduling, and automated communication services; allowing patients and providers to interact through multiple communication channels such as phone, email, voice, text and online.

Learn more at: www.stericyclecommunications.com

Those interested in the New Media Meetup at HIMSS will want to check out the full scale Healthcare IT Marketing and PR Conference that we’re hosting in Las Vegas April 5-7, 2017. It’s a special 3 days devoted to health IT marketing and PR professionals.

A really big thank you also goes out to all the members of Influential Networks and Healthcare Scene that help promote the New Media Meetup. This event was originally brought together through social media and is still largely organized thanks to social media.

Let me know if you have any questions and I look forward to seeing many of you in Orlando very soon!

FDA Weighs In On Medical Device Cybersecurity

Posted on January 5, 2017 | Written By Anne Zieger

In the past, medical devices lived in a separate world from standard health IT infrastructure, typically housed in a completely separate department. But today, of course, medical device management has become much more of an issue for health IT managers, given the extent to which such devices are being connected to the Internet and exposed to security breaches.

This has not been lost on the FDA, which has been looking at medical device security problems for a long time. And now – some would say “at long last” – the FDA has released final guidance on managing medical device cybersecurity. This follows earlier final guidance on the subject, released in October 2014.

While the FDA’s advice is aimed at device manufacturers, rather than the health IT managers who read this blog, I think it’s good for HIT leaders to review. (After all, you still end up managing the end product!)

In the guidance, the FDA argues that the best way to bake cybersecurity protections into medical devices is for manufacturers to do so from the outset, through the entire product lifecycle:

Manufacturers should build in cybersecurity controls when they design and develop the device to assure proper device performance in the face of cyber threats, and then they should continuously monitor and address cybersecurity concerns once the device is on the market and being used by patients.

Specifically, the agency is recommending that manufacturers take the following steps:

  • Have a way to monitor and detect cybersecurity vulnerabilities in their devices
  • Know, assess, and detect the level of risk vulnerabilities pose to patient safety
  • Establish a process for working with cybersecurity researchers and other stakeholders to share information about possible vulnerabilities
  • Issue patches promptly, before they can be exploited

The FDA also deems it of “paramount” importance that manufacturers and stakeholders consider applying core NIST principles for improving critical infrastructure cybersecurity.

All of this sounds good. But considering the immensity of the medical device infrastructure – and the rate of its growth – don’t expect these guidelines to make much of an impact on the device cybersecurity problem.

After all, there are an estimated 10 million to 15 million medical devices in US hospitals today, according to health tech consultant Stephen Grimes, who spoke on biomedical device security at HIMSS ’16. Grimes, a past chair of the HIMSS Medical Device Security Task Force, notes that one 500-bed hospital could have 7,500 devices on board, most of which will be networked. And each networked monitor, infusion pump, ventilator, CT or MRI scanner could be vulnerable to attack.

Bottom line, we’re looking at some scary risks regardless of what manufacturers do next. After all, even if they do a much better job of securing their devices going forward, there’s a gigantic number of existing devices which can be hacked. And we haven’t even gotten into the vulnerabilities that can be exploited among home-based connected devices.

Don’t get me wrong, I’m glad to see the FDA stepping in here. But if you look at the big picture, it’s pretty clear that their guidance is just a small step in a very long and complicated process.

What Would a Patient-Centered Security Program Look Like? (Part 2 of 2)

Posted on August 30, 2016 I Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site (http://oreilly.com/) and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

The previous part of this article laid down a basic premise that the purpose of security is to protect people, not computer systems or data. Let’s continue our exploration of internal threats.

Security Starts at Home

Before we talk about firewalls and anomaly detection for breaches, let’s ask why hospitals, pharmacies, insurers, and others can spread the data from health care records on their own by selling this data (supposedly de-identified) to all manner of third parties, without patient consent or any benefit to the patient.

This is a policy issue that calls for involvement by a wide range of actors throughout society, of course. Policy-makers have apparently already decided that it is socially beneficial–or at least the most feasible course economically–for clinicians to share data with partners helping them with treatment, operations, or payment. There are even rules now requiring those partners to protect the data. Policy-makers have further decided that de-identified data sharing is beneficial to help researchers and even companies using it to sell more treatments. What no one admits is that de-identification lies on a slope–it is not an all-or-nothing guarantee of privacy. The more widely patient data is shared, the more risk there is that someone will break the protections, and that someone’s motivation will change from relatively benign goals such as marketing to something hostile to the patient.
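To make the slope concrete, the following is an added example, not part of the original article: it measures how many records in a constructed eight-record data set (names already removed) remain unique as a release exposes more columns, and how coarsening the values lowers that risk without removing it. The field names, the sample values and the group-size measure (the idea behind k-anonymity) are assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample: names and record numbers already stripped ("de-identified").
RECORDS = [
    {"zip": "02139", "birth_year": 1961, "sex": "F", "dx": "diabetes"},
    {"zip": "02139", "birth_year": 1961, "sex": "M", "dx": "asthma"},
    {"zip": "02139", "birth_year": 1984, "sex": "F", "dx": "depression"},
    {"zip": "02139", "birth_year": 1984, "sex": "F", "dx": "asthma"},
    {"zip": "02141", "birth_year": 1961, "sex": "F", "dx": "hiv"},
    {"zip": "02141", "birth_year": 1975, "sex": "M", "dx": "diabetes"},
    {"zip": "02141", "birth_year": 1975, "sex": "M", "dx": "asthma"},
    {"zip": "02142", "birth_year": 1990, "sex": "F", "dx": "asthma"},
]

def generalize(rec):
    """Coarsen quasi-identifiers: 3-digit ZIP prefix, decade of birth."""
    out = dict(rec)
    out["zip"] = rec["zip"][:3] + "**"
    out["birth_year"] = rec["birth_year"] // 10 * 10
    return out

def risk(records, columns):
    """Return (k, unique_fraction) for a release exposing `columns`.

    k is the size of the smallest group of records sharing the same values
    in those columns; unique_fraction is the share of records that sit alone
    in their group and so can be singled out from those facts.
    """
    groups = Counter(tuple(r[c] for c in columns) for r in records)
    k = min(groups.values())
    unique = sum(1 for n in groups.values() if n == 1)
    return k, unique / len(records)

def slope(records):
    """Risk for progressively wider releases of the same data set."""
    releases = [("sex",), ("sex", "zip"), ("sex", "zip", "birth_year")]
    return {cols: risk(records, cols) for cols in releases}

if __name__ == "__main__":
    generalized = [generalize(r) for r in RECORDS]
    for label, data in (("raw", RECORDS), ("generalized", generalized)):
        for cols, (k, frac) in slope(data).items():
            print(f"{label:12} {'+'.join(cols):22} k={k} unique={frac:.0%}")
```

On this sample, half the raw records are unique once sex, ZIP and birth year are all released; generalizing ZIP and birth year cuts that to a quarter but does not bring it to zero.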

Were HIMSS to take a patient-centered approach to privacy, it would also ask how credentials are handed out in health care institutions, and who has the right to view patient data. How do we minimize the chance of a Peeping Tom looking at a neighbor’s record? And what about segmentation of data, so that each clinician can see only what she needs for treatment? Segmentation has been justly criticized as impractical, but observers have been asking for it for years and there’s even an HL7 guide to segmentation. Even so, it hasn’t proceeded past the pilot stage.

Nor does it make sense to talk about security unless we talk about the rights of patients to get all their data. Accuracy is related to security, and this means allowing patients to make corrections. I don’t know what I think would be worse: perfectly secure records that are plain wrong in important places, or incorrect assertions being traded around the Internet.

Patients and the Cloud

HIMSS did not ask respondents whether they stored records at their own facilities or in third-party services. For a while, trust in the cloud seemed to enjoy rapid growth–from 9% in 2012 to 40% in 2013. Another HIMSS survey found that 44% of respondents used the cloud to host clinical applications and data–but that was back in 2014, so the percentage has probably increased since then. (Every survey measures different things, of course.)

But before we investigate clinicians’ use of third parties, we must consider taking patient data out of clinicians’ hands entirely and giving it back to patients. Patients will need security training of their own, under those conditions, and will probably use the cloud to avoid catastrophic data loss. The big advantage they have over clinicians, when it comes to avoiding breaches, is that their data will be less concentrated, making it harder for intruders to grab a million records at one blow. Plenty of companies offer personal health records with some impressive features for sharing and analytics. An open source solution called HEART, described in another article, is in the works.

There’s good reason to believe that data is safer in the cloud than on local, network-connected systems. For instance, many of the complex technologies mentioned by HIMSS (network monitoring, single sign on, intrusion detection, and so on) are major configuration tasks that a cloud provider can give to its clients with a click of a button. More fundamentally, hospital IT staffs are burdened with a large set of tasks, of which security is one of the lowest-priority because it doesn’t generate revenue. In contrast, IT staff at the cloud environment spend gobs of time keeping up to date on security. They may need extra training to understand the particular regulatory requirements of health care, but the basic ways of accessing data are the same in health care as any other industry. Respondents to the HIMSS survey acknowledged that cloud systems had low vulnerability (p. 6).

There won’t be any more questions about encryption once patients have their data. When physicians want to see it, they will have to do so over an encrypted path. Even Edward Snowden unreservedly boasted, “Encryption works.”

Security is a way of behaving, not a set of technologies. That fundamental attitude was not addressed by the HIMSS survey, and might not be available through any survey. HIMSS treated security as a routine corporate function, not as a patient right. We might ask the health care field different questions if we returned to the basic goal of all this security, which is the dignity and safety of the patient.

We all know the health record system is broken, and the dismal state of security is one symptom of that failure. Before we invest large sums to prop up a bad record system, let’s re-evaluate security on the basis of a realistic and respectful understanding of the patients’ rights.