
2013 Health IT Predictions – 3-D Printing in Healthcare

Posted on January 6, 2013 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I never can resist clicking on a tweet that looks at the future landscape of healthcare IT. I love to see what other people are saying about it. Although, as is the case above, I usually find that people are pretty cautious in their predictions. The challenge is that a year is probably not a big enough time frame to really make bold predictions.

For example, the above article suggests the following as major healthcare IT trends: patient portals, mobile devices, and telemedicine. They are absolutely right. Does anyone doubt that all of these things will be major happenings in 2013? We know they will because they’ve already started happening today. Next year will just be an extension of this year.

On the other hand, I was intrigued by this tweet about 3-D Printing in healthcare:

If you don’t know about 3-D printing, then check it out on Wikipedia. It is an absolutely incredible technology that’s going to absolutely revolutionize manufacturing products as we know it. That includes many of the products we use in healthcare. Is it going to happen next year? I don’t think so. Certainly much progress will be made in 2013, but 5 years from now 3D printing is going to be able to do insane things when it comes to creating your own products with a simple 3D printer.

I’d love to hear your thoughts. What drastic things do you think will happen in healthcare 5 years from now? Feel free to look even farther out if you prefer.

Does Changing EMRs Make Security Vulnerabilities Worse?

Posted on August 23, 2012 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

I don’t have good statistics on hand, but changing EMRs isn’t unusual, and changing them a few times isn’t as rare as it should be.  Readers here know that this is a painful proposition for many reasons, including cost and the need to re-tool workflow over at minimum several months.

But I’ve noticed that few if any IT pundits talk about the security risks that must come from making such a shift. A few common sense issues come to mind:

* Retraining staff: Your overall security policy might not change, but the security workings of the new software may be somewhat different. As staff reacclimates, there’s plenty of room for mistakes.

* Transferring patient information: Whether you’re currently a Web-based EMR or one installed on site, you’ll have to transfer a lot of information to the new system. What happens if it isn’t encrypted and locked down during or after the transfer?

* Back door vulnerabilities: If your existing installed software has any back-door vulnerabilities in it, they may remain or become even more deeply buried when the new software is put in place.

* Re-establishing device security: Whatever you’ve done to secure mobile devices may have been sufficient for your last system, but what about your new one? Even cloud systems with strong back-end data protections aren’t going to make sure smartphones and iPads and laptops are secure against security breaches, and you may need to re-do protections for them.

In proposing these ideas, I’ve mostly envisioned what small- to medium-sized medical practices face. If the EMR change is from Cerner to Epic rather than a small-practice system to another, the problem is vastly more complicated.  Either way though, it isn’t a pretty picture.

So readers, if you were responsible for such a shift, what would your next steps be?  Do you have a transition security checklist you can share?

BIDMC’s Encryption Program Tames BYOD Security Fears

Posted on August 14, 2012 | Written By Anne Zieger

Beth Israel Deaconess Medical Center has begun what it calls an “aggressive” campaign to make sure every mobile device in use by its staff and students is encrypted. This is interesting in light of John’s recent post about encrypting devices to meet HIPAA.  The following update comes from the GeekDoctor blog maintained by Halamka, a resource worth reading in its own right.

The initiative, spearheaded by the indefatigable CIO John Halamka, MD, MS, is massive in scope, affecting as it does 18,000 faculty members and 3,000 doctors, plus a large student population. Costly and time-consuming though it may be, I think it’s an object lesson in what needs to be done to make “bring your own device” a safe and sustainable part of hospital computing.

“It is no longer sufficient to rely on policy alone to secure personal mobile devices,” Halamka said. “Institutions must educate their staff, assist them with encryption, and in some cases purchase software/hardware for personal users to ensure compliance with Federal and State regulations.”

Halamka and his team already began training staff regarding smart phone devices connecting with the Exchange e-mail system using ActiveSync. Under the new regime, those devices must now have password protection.

Next, the Information Systems team is beginning the massive task of encrypting all mobile devices. They’re starting with company-owned laptops and iPad-type tablets, but expect to move out into encrypting other tablets later.

While the process is understandably complex, broadly speaking the IS department is going to take every device currently owned by the institution and give it a complete going over for malware and vulnerabilities, make sure the configuration meets security standards, then fully encrypt it to meet HIPAA/HITECH safe harbor criteria.

The next phase of the program will extend the checkup and encryption process to any personally owned computers and tablets used to access BIDMC data. I’ll be interested to see if people get squeamish about that. There’s a big difference, emotionally, between letting IS strip your work device naked and sharing your personal iPad.  But clearly, if BYOD is to have a future, initiatives like this will need to go on at hospitals across the nation.

Will Growth In Mobile Use Compromise HIPAA Compliance?

Posted on May 31, 2012 | Written By Anne Zieger

There’s little doubt that giving doctors mobile access to data via their personal devices can be valuable. We’ve probably all read case studies in which doctors saved a great deal of time and made the right clinical call because they reached to via an iPad, smartphone or Android tablet.

And this is as it should be. We’ve been working to push intelligence to the network for at least the two decades I’ve been writing about IT.

That being said, we haven’t yet gotten our arms around the security problems posed by mobile computing during that period, as hard as IT managers have tried.  Adding a HIPAA compliance requirement to the mix makes things even more difficult. As John wrote about previously, Email is Not HIPAA Secure and Text is Not HIPAA Secure either.

According to one security expert, healthcare providers need to do at least the following to meet HIPAA standards with mobile devices:

  • Protect their private data and ePHI on personal-liable (BYOD) mobile devices;
  • Encrypt all corporate email, data and documents in transit and at rest on all devices;
  • Remotely configure and manage device policies;
  • Apply dynamic policy controls that restrict access to certain data or applications;
  • Enforce strict access controls and data rights on individual apps and services;
  • Continuously monitor device integrity to ensure PHI transmission;
  • Protect against malicious applications, malware and cyber threats;
  • Centrally manage policies and configurations across all devices;
  • Generate comprehensive compliance reporting across all mobile devices and infrastructure.

Just a wild guess here, but my hunch is that very few providers have gone to these lengths to protect the ePHI on clinicians’ devices.  In fact, my sense is that if Mr. Bad Guy stole a few iPads or laptops from doctors at random right now, they’d find a wide open field. True, the thief probably couldn’t log into the EMR(s) the physician uses, but any other clinical observations or notes — think Microsoft Office apps — would be in the clear in most cases.

Being a journalist, not a security PhD, I can’t tell you I know what must be done. But having talked to countless IT administrators, I can definitely see that this is a nasty, hairy problem, for many reasons including the following:

–  I doubt it’s going to be solved by a single vendor, though I bet you will be or are already getting pitches to that effect  — given the diversity of systems even a modestly-large medical practice runs.

– Two-factor authentication that locks up the device for all but the right user sounds good, but add-ons like, say, biometrics aren’t cheap.

– Add too many login steps to doctors already tired of extra clicks and you may see mass defections away from EMR use.

– Remotely managing and patching security software on devices with multiple operating systems and network capabilities is no joke.

If you feel your institution has gotten a grip on this problem, please do chime in and tell me. Or feel free to be a mean ol’ pessimist like myself. Either way, I’d love to hear some of your experiences in protecting mobile data.  Maybe you have a good news story to tell.