
Emerging Health Apps Pose Major Security Risk

Posted on May 18, 2015 | Written By

Katherine Rourke is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As new technologies like fitness bands, telemedicine and smartphone apps have become more important to healthcare, the issue of how to protect the privacy of the data they generate has become more important, too.

After all, every one of these devices sends its data across the public Internet at some point in the transmission. Typically, a telemedicine session is a direct connection from the patient's device to a remote server over an untrusted network (although most services do apply some form of encryption to the data sent over that connection). Monitoring technologies such as fitness bands, when used clinically, hop from the band over a short-range wireless link to a smartphone, which in turn uses the public Internet to deliver the data to clinicians. And the public Internet is only the transport: every hop and every endpoint along that path is one more place where an attacker could get at the health data.

My hunch is that this exposure of data to potential thieves hasn’t generated a lot of discussion because the technology isn’t mature. And what’s more, few doctors actually work with wearables data or offer telemedicine services as a routine part of their practice.

But it won’t be long before these emerging channels for tracking and caring for patients become a standard part of medical practice.  For example, the use of wearable fitness bands is exploding, and middleware like Apple’s HealthKit is increasingly making it possible to collect and mine the data that they produce. (And the fact that Apple is working with Epic on HealthKit has lured a hefty percentage of the nation’s leading hospitals to give it a try.)

Telemedicine is growing at a monster pace as well.  One study from last year by Deloitte concluded that the market for virtual consults in 2014 would hit 70 million, and that the market for overall telemedical visits could climb to 300 million over time.

Given that the data generated by these technologies is medical, private and presumably protected by HIPAA, where’s the hue and cry over protecting this form of patient data?

After all, though a patient’s HIV or mental health status won’t be revealed by a health band’s activity status, telemedicine consults certainly can betray those concerns. And while a telemedicine consult won’t provide data on a patient’s current cardiovascular health, wearables can, and that data that might be of interest to payers or even life insurers.

I admit that when the data being broadcast isn’t clear text summaries of a patient’s condition, possibly with their personal identity, credit card and health plan information, it doesn’t seem as likely that patients’ well-being can be compromised by medical data theft.

But all you have to do is look at human nature to see the flaw in this logic. I’d argue that if medical information can be intercepted and stolen, someone can find a way to make money at it. It’d be a good idea to prepare for this eventuality before a patient’s privacy is betrayed.

Government Surveillance and Privacy of Personal Data

Posted on April 6, 2015 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Dr. Deborah Peel from Patient Privacy Rights always keeps me updated on some of the latest news coverage around privacy and government surveillance. Obviously, it’s a big challenge in healthcare and she’s the leading advocate for patient privacy.

Today she sent me a link to this John Oliver interview with Snowden. The video is pretty NSFW with quite a bit of vulgarity in it (it's John Oliver on HBO, so you've been warned). However, much like Stephen Colbert and Jon Stewart, he talks about some really important topics in a funny way. Plus, the part where he's waiting to see if Snowden is actually going to show up for the interview is hilarious.

The humor aside, about 10 minutes in John Oliver makes this incredibly insightful observation:

There are no easy answers here. We all naturally want perfect privacy and perfect safety, but those two things cannot coexist.

Either you have to lose one of them or you have to accept some reasonable restrictions on both of them.

This is the challenge of privacy and security. There are risks to having data available electronically and flowing between healthcare providers. However, there are benefits as well.

I've found the right approach is to focus keenly on the benefits you want to achieve by using technology in your organization. Then, once the technology is aimed at those benefits, work through all of the risks you face. Once you have that list of risks, work to mitigate each of them as far as you reasonably can.

As my hacker friend said, “You’ll never be 100% secure. Someone can always get in if they’re motivated enough. However, you can make it hard enough for them to breach that they’ll go somewhere else.”

Wearables And Mobile Apps Pose New Data Security Risks

Posted on December 30, 2014 | Written By Katherine Rourke

In the early days of mobile health apps and wearable medical devices, providers weren’t sure they could cope with yet another data stream. But as the uptake of these apps and devices has grown over the last two years, at a rate surpassing virtually everyone’s expectations, providers and payers both have had to plan for a day when wearable and smartphone app data become part of the standard dataflow. The potentially billion-dollar question is whether they can figure out when, where and how they need to secure such data.

To do that, providers are going to have to face up to new security risks that they haven’t faced before, as well as doing a good job of educating patients on when such data is HIPAA-protected and when it isn’t. While I am most assuredly not an attorney, wiser legal heads than mine have reported that once wearable/app data is used by providers, it’s protected by HIPAA safeguards, but in other situations — such as when it’s gathered by employers or payers — it may not be protected.

For an example of the gray areas that bedevil mobile health data security, consider the case of upstart health insurance provider Oscar Health, which recently offered free Misfit Flash bands to its members. The company's leaders have promised members who use the bands that if their collected activity numbers look good, they'll get roughly $240 off their annual premium. And they've promised that the data won't be used for diagnostics or any other medical purpose. This promise may be worthless, however, if they are still legally free to resell this data to, say, pharmaceutical companies.

Logical and physical security

Meanwhile, even if providers, payers and employers are very cautious about violating patients’ privacy, their careful policies will be worth little if they don’t take a look at managing the logical and physical security risks inherent in passing around so much data across multiple Wi-Fi, 4G and corporate networks.

While it's not yet clear what the real vulnerabilities are in shipping such data from place to place, it's clear that new security holes will pop up as smartphone and wearable health devices ramp up to sharing data on a massive scale. In an industry that is still struggling with BYOD security just to corral the data facilities already handle on a daily basis, protecting and appropriately segregating connected health data is going to be an even bigger challenge.

After all, every time you begin to rely on a new network model with new data handoff patterns, in this case medical devices (wired or wearable) streaming data to smartphones across Wi-Fi networks, smartphones forwarding that data to providers over 4G LTE cellular links, and providers processing it on corporate networks, each handoff brings a set of security issues we haven't found yet.

Cybersecurity problems could lead to mHealth setbacks

Worst of all, hospitals' and medical practices' cybersecurity practices are quite weak (as researcher after researcher has pointed out of late). Particularly given how valuable medical identity data has become, healthcare organizations need to work harder to protect their cyber assets and see to it that they've at least closed the obvious holes.

But to date, if our experiences with medical device security are any indication, not only are hospitals and practices vulnerable to standard cyber attacks on network assets, they're also finding it difficult to protect the core medical devices needed to diagnose and treat patients, such as MRI machines, infusion pumps and even, in theory, personal gear like pacemakers and insulin pumps. It doesn't inspire much confidence that the Conficker worm, which infected medical devices across the world several years ago, is still alive and kicking, and in fact accounted for 31% of the year's top security threats.

If malevolent outsiders mount attacks on the flow of connected health data, and succeed at stealing it, not only is it a brand-new headache for healthcare IT administrators, it could create a crisis of confidence among mHealth stakeholders. In other words, while patients, providers, payers, employers and even pharmaceutical companies seem comfortable with the idea of tapping digital health data, major hacks into that data could slow the progress of such solutions considerably. Let's hope those who focus on health IT security take the threat to wearables and smartphone health app data seriously going into 2015.

Email vs Text for Healthcare Communication

Posted on April 8, 2013 | Written By John Lynn

The idea of improving communication in healthcare is always a hot one. For fear of HIPAA and other factors, healthcare seems to lag behind when adopting the latest communication technologies. The most simple examples are email and text message. Both are simple and widely adopted communication technologies and most in healthcare are afraid to use them.

At the core of why people are afraid is that plain email and plain SMS are not secured in a way that satisfies HIPAA: neither is encrypted end to end, and neither gives the sender any control over where the message ends up being stored. There is, however, a whole suite of communication products working to solve the healthcare communication security challenges while still keeping the simplicity of an email or text message. In fact, both of the other companies I've started or advise, Physia and docBeat, are focused on the problems of secure email and secure text. Plus, there are dozens of other companies working to improve healthcare communication and hundreds of EMR, PHR, and HIE applications that are integrating these forms of communication into their systems.

As we enter this brave new world of healthcare communication, it’s worth considering some of the intricacies of email vs text. The following tweet is a good place to start.

This is really interesting to note and I can confirm those are the general statistics for most email campaigns out there today. I’m not sure of the number of texts that are open, but it’s clear that the number of text messages that are opened is very high.

The reason this is the case is because of the expectation of what’s inside a text message vs an email. When you receive a text, you can be sure that it won’t take up more than a moment of your time. You can consume it quickly and move on with your life. The same is usually not the case with email (especially email lists). Most of the emails that are sent are lengthy because they can be. We try and pack every option imaginable into an email and so people have an expectation that if they start with the email they’re going to need time. I know this is the case because my email subscribers often thank me for my emails because they know they can get something of value quickly.

I think it was Dan Munro that pointed out an exception to the email open rate. His idea was that if the email contains an action item, then open rates are much higher. This was a good insight. There’s little doubt that if an email contains something that you have to do, then more people will open it and do the action. I don’t get a bill in my email and then don’t open it. I have to open it so I can pay the bill. I’m sure this principle can be applied in a number of ways to healthcare.

As we finally bring these common communication technologies to healthcare we need to be thoughtful about which ones we use and when we use them.

Patients Want to Share Their Medical Data

Posted on March 29, 2013 | Written By John Lynn

During the recent Dell Healthcare Think Tank which I took part in, I had an idea that I think is incredibly powerful and not talked about nearly enough. In fact, I think it's reasonable to say that if we want to get healthcare costs down, then we have to learn how to do this well.

The idea revolves around how we talk about privacy of health information with patients. Far too often, patients just hear news reports that talk about all of the reasons they should fear their health information getting out in the open. Instead, they almost never hear stories about how having their health information shared with the right people will actually improve their health.

The simple fact is that if you lead with all the bad things that could possibly happen with health information in the wrong hands, then of course no patient is going to want their patient information shared. However, if they know how sharing their health information with the right people will improve their care, then patients are more than willing to share away.

Basically, what I’m saying is that sharing healthcare data has been marketed wrong. The privacy advocates are well organized and have many people fearful for what will happen with their health information. I don’t have any problem with privacy advocates, because they help us to pause to take a reasonable look at the importance of privacy. However, the need for proper privacy controls doesn’t mean that we don’t share healthcare information at all.

The beauty of all of this is that the majority of people think this is how it happens in healthcare today. They don’t realize that quite often their healthcare information isn’t traveling with them to specialists and hospitals. In fact, when patients discover that it doesn’t they’re usually quite surprised and don’t understand why it doesn’t.

I hope we can work on the data sharing message. We can share your data with the people who need it so we can improve your care. If patients hear this message, healthcare data sharing will not be feared but embraced.

Does Healthcare IT Need Stability?

Posted on February 12, 2013 | Written By John Lynn

Last night during one of my favorite TV shows, Charlie Rose, he interviewed a guy about the economy. One of the discussion points that came out of this interview and that I’ve heard a lot in all the discussions about the economy is having some stability to the economy. Many argue that one of the biggest things holding our economy back is all the unknowns. When there are unknowns companies get paralyzed and hold back doing things they’d do if the economy felt stable.

I wonder if we’re experiencing the same thing in healthcare IT? Could we use some stability in healthcare IT?

Think about all the various unknowns that exist in healthcare IT. Let’s start with ICD-10. The pending ICD-10 implementation date is looming, but that date has been pushed back so many times it’s still unknown if it’s really going to happen this time. That’s the opposite of stability.

I’m sure that many also wonder if the same will be the case with EHR penalties. Will the EHR penalties go into effect? What exceptions will be made for the EHR penalties? I could easily see the EHR penalties being delayed, but then again what if they’re not?

Is it hard for anyone else to keep up with what’s happening with meaningful use? I do this every day and so I have a pretty good idea, but even I’m getting confused as it gets more complex. Imagine being a doctor who rarely looks at meaningful use. So, we’re in meaningful use stage 1, but meaningful use stage 2 is coming, unless you didn’t start meaningful use stage 1 and then meaningful use stage 2 won’t come until later. Oh, and they’re making changes to meaningful use stage 2. That’s right and they’re also coming out with meaningful use stage 3. However, don’t worry too much about meaningful use stage 3 because a lot of people are calling for it to be slowed down. So, does that mean that meaningful use will be delayed? Now how does the meaningful use stages match with the EHR certifications? Which version of my EHR software does which stage of meaningful use?

I think you get the picture.

Of course, I haven’t even mentioned things like ACO’s, HIE’s, 5010, HIPAA, RAC Audits, Medicare/Medicaid cuts, or healthcare reform (ACA) to name a few others.

It’s a messy healthcare IT environment right now. We could definitely use some stability in healthcare.

Telemedicine Panel at CES Hosted by HealthSpot

Posted on January 9, 2013 | Written By John Lynn

I had the chance to attend a Telemedicine panel today at CES that was put together by HealthSpot (see my previous post about HealthSpot at CES). They put together a good panel that included:
Peter Tippett, MD, PHD – Vice President, Connected Healthcare Solutions, Verizon
John F. Jesser – Vice President, Health Care Management, WellPoint
William Wulf, M.D. — Central Ohio Primary Care
Leslie Kelly Hall — Healthwise

The panel was an interesting discussion, but I think the underlying discussion really centered around how screwed up many parts of healthcare are right now. This showed itself in two different ways. One was that telemedicine could possibly fix some of those screwed up parts of healthcare. Second, telemedicine is actually hard to execute because of some of the screwed up parts of healthcare. It’s kind of odd to look at it that way.

I tweeted a number of the comments that struck me and so I thought I’d share them here for those who weren’t following along on Twitter.


This was a fitting comment at a “consumer” electronics show.


I think there are still some wackos;-), but I think the message they send is clear.


This would be a monumental achievement if we can embrace HIPAA and make the technology happen. I think the key message is: HIPAA should not be used as an excuse.


Such a no brainer question with an easy answer. Why is it so hard to do?


Will telemedicine become the “standard of care” so that this becomes a big issue? I hope we don’t reach the point that this is the reason we implement telemedicine, but it might take something like it to get people off the proverbial couch.

Hospitals Use EMR Data To Target Marketing Campaigns

Posted on November 14, 2012 | Written By Katherine Rourke

When we talk about the benefits we can derive from compiling and analyzing EMR data, most of us focus on care and efficiency improvements, and to some extent population health.  But what if hospitals used EMRs to find appropriate targets for marketing efforts?  Is that kosher?

I don’t know, but it’s clear some hospitals have decided that it is. For example, a recent article in the Columbus Dispatch tells the tale of two health systems which have been data-mining their EMRs to target mailings on health issues to patients in the community.

According to the piece, regional health system OhioHealth has been using this approach for six years, and Mount Carmel Health System has for two years. Both are non-profit systems with large presences in the areas they serve.

It seems that these health systems are largely using these mailings to address patients' specific health concerns. For example, OhioHealth has sent messages to diabetic patients and others with heart disease. Mount Carmel, for its part, has sent out reminders for mammograms and colorectal screenings, as well as invitations to seminars on joint replacement and to health fairs.

But OhioHealth goes a step further and targets households with higher incomes.

Of course, both parties swear on a stack that none of this violates HIPAA, because marketers never see an individual’s health information.  And maybe they’re right.

As for me, I could go either way as to whether this is an ethical use of medical data. While it may indeed be legal, it’s discomfiting to know that hospitals might be using my clinical data for non-clinical purposes.

That being said, if health education and marketing efforts are done in a tasteful way which doesn’t invade my privacy — or expose my medical situation to the mailman — I can see the benefits.  Sometimes the right reminder or piece of  education can change a patient’s behavior in a timely manner.

And the truth is, if hospitals are going to spend millions and millions on EMRs, maybe this is a way to squeeze those extra bucks out of the system that will help pay for the investment.

I don’t know. I guess it’s something of a tossup. Readers, how do you feel about this issue? Is your hospital mining EMRs for marketing purposes?

Hospital Forced To Provide EMR Data Access By Court

Posted on November 13, 2012 | Written By Katherine Rourke

A New Hampshire hospital has been forced by the state’s Superior Court to provide public health officials with access to its EMR so they can further investigate a major hepatitis C outbreak.

Exeter Hospital had been ordered by the state's Division of Public Health Services to release patient records, but had challenged the order, arguing that it would be violating state and federal law if it provided unrestricted access to EMR records.

The issue dates back to July, when a lab technician formerly employed by the hospital was arrested in connection with a hep C outbreak affecting more than 30 patients. The lab tech, who has hep C, allegedly stole fentanyl-filled syringes from the hospital, injected the fentanyl, then refilled the dirty syringes with another substance.

The hospital sought guidance from the courts in an effort to learn just how much access it would have to provide without running afoul of HIPAA and state privacy laws. (If I were running Exeter Hospital I certainly would have done the same thing; otherwise, one would think it'd be wide open to suits from patients who objected to the data sharing.)

Now, it seems, the hospital is satisfied that patients involved in the outbreak are adequately protected. From its official statement on the matter:

The Court pointed out that the State needs to follow very specific, CDC-sanctioned protocols in collecting data from Exeter Hospital’s electronic medical record system and can only obtain the minimum amount of information necessary to complete its investigation. The Court has also emphasized that the information collected by the State cannot be re-published which helps to protect the privacy of patients.

For both the patients’ and Exeter’s sake, let’s hope that the public health authorities involved handle such explosive data with extreme care.  A data breach at this point would not only have devastating consequences — particularly if the hepatitis C sufferers’ names were made public — it would also plunge all involved into a legal nightmare. For their sake, I’m hoping for the best.

Access To Clinical Data Too Easy Via Phone

Posted on October 26, 2012 | Written By Katherine Rourke

Lately, I’ve had reason to be in touch with my health insurance company, my primary care doctor and multiple specialists.  In speaking with each, what I’ve noticed is that the data they collect to “protect my privacy” isn’t likely to do a good job. And I’ve been wondering whether an EMR can actually help tighten up access.

When I called to discuss clinical matters, both the payer and the providers asked for the same information: my date of birth, my street address and my name. As far as I know, folks, you can get all of that information from a single card, a driver's license. So anyone who finds, steals or otherwise has access to my wallet has all the info they need to crawl through my PHI.

So, OK, let's say providers and payers add a requirement that you give the last four digits of your Social Security number.

There are a few problems with that approach. First, anyone who has your wallet may well have your Social Security card. Second, storing patients' full SSNs in the clear in an EMR is an invitation to be hacked, as the SSN is the gold standard for identity theft. Third, if you want to store them in a form that lets staff check only the last four digits, without the digits themselves being readable from the database, that's another function you need to add to your system (and a four-digit value has only 10,000 possibilities, so it has to be stored under a key and guarded against repeated guessing, not merely hashed).
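One way to build that third function, as an added example that is not code from the original post or from any EMR vendor: keep only the last four digits, store them as an HMAC under a secret key ("pepper") that lives outside the database, bind the tag to the patient identifier so one row's tag cannot validate another patient, and lock the record after a few wrong answers. The class, the lockout threshold and the sample patient data below are all assumptions made for illustration; the SSN shown is a constructed placeholder.

```python
"""Keyed-hash storage and checking of a phone-verification secret.

Added example, not from the original post. Assumptions: only the last
four SSN digits are retained, they are stored as an HMAC under a key
kept outside the database, and a record locks after MAX_ATTEMPTS
wrong answers (all illustrative choices, not a vendor's design).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # assumed lockout threshold


@dataclass
class PatientRecord:
    patient_id: str
    last4_tag: bytes          # HMAC of the last four digits, never the digits
    failed_attempts: int = 0
    locked: bool = False


class PhoneVerifier:
    """Checks a caller's claimed last-four digits without storing them.

    A bare hash would not do: four digits have only 10,000 possible
    values, so anyone who copies the table could reverse every row in
    milliseconds. The HMAC key is the secret that makes that impossible
    without also stealing the key, which must not sit in the same store.
    """

    def __init__(self, pepper: bytes) -> None:
        self._pepper = pepper
        self._records: dict[str, PatientRecord] = {}

    def _tag(self, patient_id: str, last4: str) -> bytes:
        # Binding patient_id into the message means a tag copied from
        # one row does not verify for a different patient.
        msg = f"{patient_id}:{last4}".encode()
        return hmac.new(self._pepper, msg, hashlib.sha256).digest()

    def enroll(self, patient_id: str, ssn: str) -> None:
        digits = "".join(ch for ch in ssn if ch.isdigit())
        if len(digits) != 9:
            raise ValueError("expected a 9-digit SSN")
        # Only the tag of the last four digits is kept; the full SSN is
        # dropped here and never written anywhere.
        self._records[patient_id] = PatientRecord(
            patient_id, self._tag(patient_id, digits[-4:]))

    def verify(self, patient_id: str, claimed_last4: str) -> bool:
        rec = self._records.get(patient_id)
        if rec is None or rec.locked:
            return False
        # Constant-time comparison so timing does not leak tag bytes.
        ok = hmac.compare_digest(
            rec.last4_tag, self._tag(patient_id, claimed_last4))
        if ok:
            rec.failed_attempts = 0
            return True
        rec.failed_attempts += 1
        if rec.failed_attempts >= MAX_ATTEMPTS:
            rec.locked = True   # further guesses need an out-of-band reset
        return False

    def is_locked(self, patient_id: str) -> bool:
        rec = self._records.get(patient_id)
        return rec is not None and rec.locked


def demo() -> dict:
    """Constructed sample run: one patient, a right answer, then guessing."""
    v = PhoneVerifier(secrets.token_bytes(32))   # key held outside the DB
    v.enroll("pt-001", "123-45-6789")            # constructed placeholder
    return {
        "right": v.verify("pt-001", "6789"),
        "wrong1": v.verify("pt-001", "0000"),
        "wrong2": v.verify("pt-001", "1111"),
        "wrong3": v.verify("pt-001", "2222"),
        "locked": v.is_locked("pt-001"),
        "right_after_lock": v.verify("pt-001", "6789"),
        "unknown_patient": v.verify("pt-999", "6789"),
    }


if __name__ == "__main__":
    print(demo())
```

The lockout is the important half of the design: even with the key kept separate, a caller who can try answers freely needs at most 10,000 attempts, so the counter (or a rate limit at the phone queue) is what turns a weak secret into a tolerable one. None of this makes SSN digits a strong authenticator; it only stops the database itself from becoming the leak.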

So, what’s the solution? Would it work to have patients identify which doctor they see (something a thief wouldn’t know) or a recent treatment or procedure they’d had?  Probably, although some patients — forgetful elderly, or the chronically ill with multiple providers — might not remember the answers.

Seems to me that when there's universal use of patient portals by both providers and payers, this problem will largely go away, as patients will be able to look at their own records while talking to providers. That will make a more sophisticated security screening possible.

But in the meantime, I'm troubled to know that my payer and several of my doctors use a security method which can be so easily compromised. Do any of you have suggestions as to what those offices might do in the interim, between now and when they have a useful portal to offer?