
Medical Device Security At A Crossroads

Posted on April 28, 2016 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As anyone reading this knows, connected medical devices are vulnerable to attacks from outside malware. Security researchers have been warning healthcare IT leaders for years that network-connected medical devices had poor security in place, ranging from image repository backups with no passwords to CT scanners with easily-changed configuration files, but far too many problems haven’t been addressed.

So why haven’t providers addressed the security problems? It may be because neither medical device manufacturers nor hospitals are set up to address these issues. “The reality is both sides — providers and manufacturers — do not understand how much the other side does not know,” said John Gomez, CEO of cybersecurity firm Sensato. “When I talk with manufacturers, they understand the need to do something, but they have never had to deal with cyber security before. It’s not a part of their DNA. And on the hospital side, they’re realizing that they’ve never had to lock these things down. In fact, medical devices have not even been part of the IT group and hospitals.”

Gomez, who spoke with Healthcare IT News, runs one of two companies backing a new initiative dedicated to securing medical devices and health organizations. (The other coordinating company is healthcare security firm Divurgent.)

Together, the two have launched the Medical Device Cybersecurity Task Force, which brings together a grab bag of industry players including hospitals, hospital technologists, medical device manufacturers, cyber security researchers and IT leaders. “We continually get asked by clients with the best practices for securing medical devices,” Gomez told Healthcare IT News. “There is little guidance and a lot of misinformation.”

The task force includes 15 health systems and hospitals, including Children’s Hospital of Atlanta, Lehigh Valley Health Network, Beebe Healthcare and Intermountain, along with tech vendors Renovo Solutions, VMware Inc. and AirWatch.

I mention this initiative not because I think it’s huge news, but rather, as a reminder that the time to act on medical device vulnerabilities is more than nigh. There’s a reason why the Federal Trade Commission, and the HHS Office of Inspector General, along with the IEEE, have launched their own initiatives to help medical device manufacturers boost cybersecurity. I believe we’re at a crossroads; on one side lies renewed faith in medical devices, and on the other nothing less than patient privacy violations, harm and even death.

It’s good to hear that the Task Force plans to create a set of best practices for both healthcare providers and medical device makers which will help get their cybersecurity practices up to snuff. Another interesting effort they have underway is the creation of an app which will help healthcare providers evaluate medical devices, while feeding a database that members can access to study the market.

But reading about their efforts also hammered home to me how much ground we have to cover in securing medical devices. Well-intentioned, even relatively effective, grassroots efforts are good, but they’re only a drop in the bucket. What we need is nothing less than a continuous knowledge feed between medical device makers, hospitals, clinics and clinicians.

And why not start by taking the obvious step of integrating the medical device and IT departments to some degree? That seems like a no-brainer. But unfortunately, the rest of the work to be done will take a lot of thought.

A Vision for Why and How We Make the Science of Health Care Shareable

Posted on October 30, 2015 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I recently heard Stan Huff, CMIO at Intermountain, talk at the Healthcare IT Transformation Assembly about the Healthcare Services Platform Consortium. As he presented what they’re working on he highlighted so well the challenges that I’ve been seeing in healthcare IT. I’ve long been asking people how healthcare IT innovations that happen in one hospital or practice are going to get shared with all of healthcare. Turns out, Stan has been thinking a lot about this problem as well.

In his presentation, Stan framed the discussion perfectly when he said, “No matter what you do, you can’t teach people to be perfect information processors.” I’d also mentioned in a previous post that the human mind can’t detect the difference between something that causes errors 3 in 100 versus 4 in 100. However, with the right data, computers can tell the difference. Plus, computers can assist humans in the information processing.

These points illustrate why building and sharing clinical decision support is so important. The human mind is incredible, but medicine is so complex it’s impossible for the human mind to process it all. Ideally all of the work that Stan Huff and his team at Intermountain are doing on clinical decision support should be “plug n play interoperable” with the rest of the healthcare system. That seems to be the goal of the Healthcare Services Platform Consortium.

Many might wonder why Intermountain would want to share all the work they’ve been doing with the rest of healthcare. Isn’t that their proprietary intellectual property? It’s actually easy to see why. Stan described that Intermountain has implemented or is currently working on ~150 decision support rules or modules. Given their organization’s budget and staff constraints he could see how those 150 could be expanded to 300 or so, but likely not more. That sounds great until you think that there could be 5000+ decision support rules or modules if there was enough time and budget.

The problem is that there was no path for Intermountain to go from 150 to 5000 decision support rules or modules on their own. The only way to get where they need to go is for everyone in healthcare to work together and share their findings and workflows.

Stan and the Healthcare Services Platform Consortium are building the framework for creating and sharing interoperable clinical decision support apps on the back of FHIR and Smart Apps. This diagram illustrates what they have in mind:
[Diagram: HSPC for 2015 Healthcare Transformation Assembly 151026]
I think that Stan is spot on in his assessment of what needs to be done to get where we need to go with clinical decision support in health care. However, there are also plenty of reasons for being cautiously optimistic.

As Stan told us at the event, “If everyone says that their workflow is the only way, we won’t get very far.” Then Stan passionately argued for why physician independence allows the opportunity for doctors to take improper care of patients. “If we allow physicians to do whatever they want, we’re allowing them the right to take improper care of patients.”

Obviously Stan isn’t saying that there shouldn’t be rigorous debate about the best treatment. By putting these algorithms out to other organizations he’s actually inviting criticism and discussion of the work they’re doing. Plus, I have no doubt Stan understands where health care is an art and where it’s a science. However, I believe he rightly argues that where the science is clear, proclaiming the art of medicine is a poor excuse for doing something different.

In my mind, the Healthcare Services Platform Consortium should be focused on making the science of health care easily shareable and usable for all of health care regardless of EHR system. That’s a vision we should all get behind.

How Will Patients Choose Healthcare?

Posted on May 19, 2015 | Written By

John Lynn

In a recent conversation with Medhost CEO, Bill Anderson, he asked the question that’s the title of this blog post: “How Will Patients Choose Healthcare?” He then proceeded to answer his question by saying, “Healthcare will buy on brand like they do in their other purchasing decisions.” It’s worth adding that Bill and Medhost are working to build their YourCare Everywhere brand in healthcare. You can decide if their business efforts are skewing his perspective or not.

For me, I find the question absolutely fascinating and an extremely important question for healthcare organizations. This question is becoming more and more important since the shift to high deductible plans is forcing patients to be more selective in how they choose their healthcare provider. Will brand be the way that people choose healthcare?

One challenge I have with this idea is that healthcare is a complex decision. I don’t know many people who make impulse healthcare provider decisions. I wonder if there are other complex decisions we could learn from. What is true is that healthcare decisions are often crisis decisions. In a crisis, where do people turn? I think the answer is the brands they know.

As I look at healthcare, which organizations have a true national healthcare brand? The first one that comes to mind is Mayo Clinic. Cleveland Clinic seems to be working down a similar path. Are there others? There are very few national healthcare brands that are trusted.

There are many local healthcare brands. Dignity Health has been pouring money into commercials in Vegas to build their brand. I assure you the commercials are all brand. Intermountain has a brand in Utah and Partners Healthcare has a brand in Boston. We could argue whether they have good or bad brands since they are both so dominant in their region. There are many other examples of local healthcare brands.

On the other side of healthcare brands is the CVS Minute Clinic, Walmart, and all the other retailers trying to make a space for themselves in healthcare. Also competing for brand recognition with a similar direct to consumer, retail healthcare play are the telemedicine providers like MD Live.

Long story short, we’re seeing patients having more power when it comes to selecting their healthcare provider and we see a ton of brand competition. Will a healthcare organization be able to survive without a major investment in their brand? What does this mean for small physician practices?

I’d love to hear your thoughts about what’s happening with healthcare brands. Do they matter? In what ways will they matter? What should a healthcare organization be doing to shore up its brand?

Killing Meaningful Use and Proposals to Change It

Posted on September 16, 2014 | Written By

John Lynn

Isn’t it nice that National Health IT Week brings people together to complain about meaningful use? Ok, that’s only partially in jest. Marc Probst, CIO of Intermountain and a member of the original meaningful use/EHR Certification committee (I lost track of the formal name), is making a strong statement as quoted by Don Fluckinger above.

Marc Probst is right that the majority of healthcare would be really happy to put a knife in meaningful use and move on from it. That’s kind of what I proposed when I suggested blowing up meaningful use. Not to mention my comments that meaningful use is on shaky ground. Comments from people like Marc Probst are proof of this fact.

In a related move, CHIME, AMDIS and 15 other healthcare organizations sent a letter to the HHS Secretary calling for immediate action to amend the 2015 meaningful use reporting period. These organizations believed that the final rule on meaningful use flexibility would change the reporting period, but it did not. It seems like they’re coming out guns blazing.

In even bigger news (albeit probably related), Congresswoman Renee Ellmers (R-NC) and Congressman Jim Matheson (D-UT) just introduced the Flexibility in Health IT Reporting (Flex-IT) Act. This act would “allow providers to report their Health IT upgrades in 2015 through a 90-day reporting period as opposed to a full year.” I have yet to see any prediction on whether this act has enough support in Congress to get passed, but we could once again see Congress act when CMS chose a different course of action like they did with ICD-10.

This story is definitely evolving and the pressure to change the reporting period to 90 days is on. My own personal prediction is that CMS will have to make the change. I’d love to hear your thoughts.

Happy National Health IT Week!

Intermountain Chooses Cerner, International EMR, and Patient Focused EMR

Posted on September 29, 2013 | Written By

John Lynn


This was really big news this week. I’m not sure it’s quite a turning point for EMR. I think we’re still early in the war, but this was a big battle for Cerner to win. We’ll see what GE decides to do after losing this deal. Will GE leave this business behind or buy another vendor?


I think we don’t look nearly enough at the international EMR experience. We could learn a lot in the US from what’s happening nationally. Plus, for many EHR vendors the international opportunity is a big one that most don’t even consider.


I’ve been preaching this for so long I can’t remember. I know there are EHR vendors that focus as much as they can on the patient, but compliance and reimbursement still means you have to make compromises. That’s not an indictment of those companies, but a reality of the situation.

CPOE and MU with Marc Probst and M*Modal

Posted on June 26, 2013 | Written By

John Lynn

As part of my ongoing series of EHR videos, I had the chance to sit down with Marc Probst, CIO of Intermountain and a member of a number of important healthcare IT committees, Mike Raymer, Senior Vice President of Solutions Management at M*Modal and Dr. Jonathan Handler, CMIO of M*Modal to talk about CPOE and Meaningful Use. It’s another great addition to the Healthcare Scene YouTube channel.

In the interview we have a chance to talk about Intermountain’s move from zero CPOE to mobile, voice recognized CPOE. We talk about the future possibilities of voice in healthcare. I also ask Marc Probst about his views on EHR certification, meaningful use, and CommonWell.


*Note: Marc Probst’s sound was less than ideal. Next time we’ll be sure he has a better microphone.

Starting the Health IT Ball Rolling

Posted on April 4, 2013 | Written By

John Lynn

Early on in my EHR implementation experience I had an enlightening moment. In the clinic I was working at, we decided to just do a partial implementation of the EHR software in order for us to replace the scheduling and billing side of our current processes. The clinic was using some old Scantron-like billing technology that needed to be replaced quickly. So, instead of leaving behind the paper charts, we decided to start by just implementing part of the EHR to start.

As part of this partial EHR implementation we had the clinicians entering the diagnosis and charge capture into a note in the EHR. After a couple weeks of doing this, I was sitting with one of the providers and she said, “John, why can’t I just enter my note right here where it says subjective and objective instead of in the paper chart?” After hearing this, I went to the director’s office and told her what I’d heard. We realized it was a tremendous opportunity for us to finish the full EHR implementation.

It was quite an interesting realization to have them driving us to implement more of the features. I think we see this phenomenon in other areas as well.

I was talking with the hospital CTO of Intermountain, Fred Holston, about their new mobile CPOE app they built together with M*Modal. I asked if he was concerned about adoption of the CPOE app. It seemed that it was possible that they built an app that doctors would just choose not to use. Fred made some suggestions about why he thought this wouldn’t be an issue, but then he offered an even more valuable insight. Fred suggested that their bigger concern wasn’t whether doctors would use the CPOE mobile app. Instead, they were more concerned that once they rolled out the CPOE mobile app that doctors would start asking for a whole laundry list of other features and applications that were similar to it. Were they ready for that onslaught of requests?

Yesterday, I got a demo of the latest version of the Sfax secure faxing software (Full Disclosure: Sfax is an advertiser on this site.). During the demo, I asked about another possible feature and a really good comment was made, “Once you roll out new features, people start asking for even more features.” We then had a nice discussion about how the product development process is never done.

In some cases, the desire for more features can lead to really unhappy users. If we’d not finished the full EHR implementation quickly, no doubt those providers would have hated the product. If Intermountain doesn’t add more of the requested capabilities to their CPOE mobile app, then their users will be unhappy that the app can’t do more. If Sfax doesn’t continue to add features to their product their users will grow unhappy with the service.

However, the opposite is also true. This desire to use technology in new ways can be a real driver of adoption. We didn’t have to sell the providers on finishing the full EHR implementation. They’d already sold themselves. Sometimes you just have to get the ball rolling when it comes to health IT. Once the ball is rolling, just be ready to keep up with the new ideas that start coming as people see new possibilities.