
ONC Kicks Off Blockchain Whitepaper Contest

Posted on July 11, 2016 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Hold onto your hats, folks. The ONC has taken an official interest in blockchain technology, a move which suggests that it’s becoming a more mainstream technology in healthcare.

As you may know, blockchain is the backbone for the somewhat shadowy world of bitcoin, a “cryptocurrency” whose users can’t be traced. (For some of you, your first introduction to cryptocurrency may have been when a Hollywood, CA hospital was forced to pay off ransomware demands with $17K in bitcoins.)

But despite its use by criminals, blockchain still has great potential for creating breakthroughs for legitimate businesses, notably banking and healthcare. Looked at dispassionately, a blockchain is just a distributed database, one which maintains a continuously growing list of data records hardened against tampering and revision.

Right now, the most common use of the blockchain is to serve as a public ledger of bitcoin transactions. But the concept is bubbling up in the healthcare world, with some even suggesting that blockchain should be used to tackle health data security problems.

And now, the ONC has shown interest in this technology, soliciting white papers that offer a thoughtful take on how blockchain can help meet important healthcare industry objectives.

The whitepaper, which may be no longer than 10 pages, must be submitted by July 29. (Want to participate, but don’t have time to write the paper yourself? Click here.) Papers must discuss the cryptography and underlying fundamentals of blockchain technology, explain how the use of blockchain can meet industry interoperability needs, patient-centered outcomes research, precision medicine and other healthcare delivery needs, and offer recommendations for blockchain’s implementation.

The ONC will choose eight winning papers from among the submissions. Winning authors will have an opportunity to present the paper at a Blockchain & Healthcare Workshop held at NIST headquarters in Gaithersburg, MD on September 26th and 27th.

In hosting this contest, ONC is lending blockchain approaches in healthcare a level of credibility they might not have had in the past. But there’s already a lot of discussion going on about blockchain applications for health IT.

So what are people talking about where blockchain IT is concerned? In one LinkedIn piece, consultant Peter Nichol argues that blockchain can address concerns around scalability and privacy for electronic medical records. He also suggests that blockchain technology can provide patients with more sophisticated privacy control of their personal health information. For example, providers can enhance health data security by letting patients combine their own blockchain signature with a hospital’s signature.

But obviously, ONC leaders think there’s a lot more that can be done here. And I’m pretty confident that they’re right. While I’m no security or cryptocurrency expert, I know that when a technology has been kicked around for several years, and used for a sensitive function like financial exchange without racking up any major failures, it’s got to be pretty solid. I’m eager to see what people come up with!

NIST Goes After Infusion Pump Security Vulnerabilities

Posted on January 28, 2016 | Written By Anne Zieger

As useful as networked medical devices are, it’s become increasingly apparent that they pose major security risks.  Not only could intruders manipulate networked devices in ways that could harm patients, they could use them as a gateway to sensitive patient health information and financial data.

To make a start at taming this issue, the National Institute of Standards and Technology has kicked off a project focused on boosting the security of wireless infusion pumps (Side Note: I wonder if this is in response to Blackberry’s live hack of an infusion pump). In an effort to be sure researchers understand the hospital environment and how the pumps are deployed, NIST’s National Cybersecurity Center of Excellence (NCCoE) plans to work with vendors in this space. The NCCoE will also collaborate on the effort with the Technological Leadership Institute at the University of Minnesota.

NCCoE researchers will examine the full lifecycle of wireless infusion pumps in hospitals, including purchase, onboarding of the asset, training for use, configuration, use, maintenance, decontamination and decommissioning of the pumps. This makes a great deal of sense. After all, points of network connection are becoming so decentralized that every touchpoint is suspect.

The team will also look at what types of infrastructure interconnect with the pumps, including the pump server, alarm manager, electronic medication administration record system, point of care medication, pharmacy system, CPOE system, drug library, wireless networks and even the hospital’s biomedical engineering department. (It’s sobering to consider the length of this list, but necessary. After all, more or less any of them could conceivably be vulnerable if a pump is compromised.)

Wisely, the researchers also plan to look at the way a wide range of people engage with the pumps, including patients, healthcare professionals, pharmacists, pump vendor engineers, biomedical engineers, IT network risk managers, IT security engineers, IT network engineers, central supply workers and patient visitors — as well as hackers. This data should provide useful workflow information that can be used even beyond cybersecurity fixes.

While the NCCoE and University of Minnesota teams may expand the list of security challenges as they go forward, they’re starting with looking at access codes, wireless access point/wireless network configuration, alarms, asset management and monitoring, authentication and credentialing, maintenance and updates, pump variability, use and emergency use.

Over time, NIST and the U of M will work with vendors to create a lab environment where collaborators can identify, evaluate and test security tools and controls for the pumps. Ultimately, the project’s goal is to create a multi-part practice guide which will help providers evaluate how secure their own wireless infusion pumps are. The guide should be available late this year.

In the meantime, if you want to take a broader look at how secure your facility’s networked medical devices are, you might want to take a look at the FDA’s guidance on the subject, “Cybersecurity for Networked Medical Devices Containing Off-the-Shelf Software.” The guidance doc, which was issued last summer, is aimed at device vendors, but the agency also offers a companion document offering information on the topic for healthcare organizations.

If this topic interests you, you may also want to watch this video interview talking about medical device security with Tony Giandomenico, a security expert at Fortinet.

Final EHR Certification Bodies – Meaningful Use Monday

Posted on July 23, 2012 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This seems mostly like a formality, but NIST has published the list of Accredited Testing Laboratories (ATLs) that are qualified to test EHR technology under the Permanent EHR Certification Program. You might remember that the permanent EHR certification program was delayed.

Here is the list of companies that are part of the final EHR certification bodies:

  • Drummond Group
  • Certification Commission for Health Information Technology (CCHIT)
  • ICSA Laboratories, Inc.
  • InfoGard Laboratories, Inc.
  • SLI Global Solutions

All of them are familiar names and ones that have been doing work with EHR certification the whole time. I think this is generally good for consistency of EHR certification. Can you imagine if you’d certified your EHR using one of the bodies and then that body didn’t get approved for the permanent EHR certification? Sure, the criteria are still the same, but there are some differences in the processes each EHR certification body uses.

As most of you know, I’ve been a longtime opponent of EHR certification. I think it’s pointless and provides no value to physicians. However, someone in Washington put it in the HITECH legislation, so we’re stuck with the idea of a certified EHR. The good thing is that ONC and CMS have basically rendered it meaningless since every EHR vendor has basically become a certified EHR or will be soon. Of course, that also illustrates how pointless the EHR certification really is.

All in all, the EHR certification bodies are going to be around for a number of years more. I’m not sure if they’ll survive post HITECH. I just wish they were providing something “meaningful” (pun intended).

EMR Design Errors That Cause Patient Harm per NIST

Posted on March 28, 2012 | Written By Anne Zieger

As long as there have been EMRs, there’s been endless debate over what system designs are most appropriate. Unfortunately, no matter how heated a threaded discussion gets, it’s unlikely to solve big problems.

Now, however, we may have a chance to build a consensus on what NOT to do in building out EMRs. A new report from NIST has painstakingly analyzed which EMR design factors have an impact on usability (PDF), including one subset which seems likely to cause patient harm.

The section on design problems which may cause patient harm is (unfortunately) rather long, so I’ll only provide some of the highlights, but you can download the whole PDF by clicking on the link above. (The “potential for harm” section begins on page 66.)

One major area NIST addresses is patient identification errors.  For example, if EMR displays don’t have headers with two patient identifiers, lock out or control multiple accesses to records, or fail to provide full patient identification with integrated apps like imaging, the wrong actions could be performed on the wrong patient.

Another major concern NIST identifies is data accuracy errors. There are lots of ways EMR design fosters data errors, the report notes, including when information is truncated on the display, when accurate information isn’t displayed unless users refresh the data, when discontinued meds aren’t eliminated and when changes in status aren’t displayed accurately.

NIST also identifies data availability errors as a big issue. Among other concerns, clinicians can easily make mistakes if they can’t easily see all the information they need to understand doses without additional navigation; if complex doses aren’t easily understandable without extra navigation; and if information accurately updated in one place shows up accurately and efficiently within other areas or integrated software.

As you can imagine, NIST has a lot more to say here. The report also includes analyses of how mode errors, interpretation errors, errors when physicians are forced to remember data, lack of system feedback when clinicians make inappropriate actions for the context and other tricky designs cause errors that can harm patients.

While I’m not a clinician, so bear this in mind, my feeling is that everyone here ought to read this report. Lots o’ valuable insights here!

Meaningful Use at HIMSS 2012 – Meaningful Use Monday

Posted on February 13, 2012 | Written By John Lynn

Since I have HIMSS on the mind (as has probably been seen from my previous posts), I figured I’d talk about what we can expect from meaningful use at HIMSS 2012 in Las Vegas.

Meaningful Use Conversations Dominate
I think with all certainty all of us will be tired of hearing the words meaningful use after HIMSS. I might have to try and keep track of how many conversations I have where the words meaningful use aren’t used. Notice I’m counting the ones where it’s not used since I know that almost every conversation will include meaningful use.

I’m not sure that’s very healthy for the industry, but I think that’s the reality of where we’re at. While I’m sure I’ll ask plenty of questions about meaningful use as well, my favorite EHR vendors are probably going to be those that say: we meet meaningful use, we’ve abstracted meaningful use so it’s not an annoyance to doctors, and here’s what we’ve done to innovate our product outside of MU.

Meaningful Use Stage 2
Any day now I think that ONC/CMS is going to announce the final details for meaningful use stage 2. I imagine the regulatory process could push this so that ONC/CMS announce meaningful use stage 2 at HIMSS, but from what I’ve read I think they want to get it out before HIMSS. I hope they’re successful in making this happen.

Either way, I’ll be surprised if we don’t know about meaningful use stage 2 before/during HIMSS. So, if you want to be in the know, be prepared to talk about the final details of meaningful use stage 2. In the meantime, check out Lynn’s previous MU Monday post about meaningful use stage 2.

Federal IT Participation at HIMSS 12
Every healthcare related part of the federal government is going to be represented at HIMSS 12. HIMSS has been nice enough to provide a page listing all of HHS, CMS, ONC, AHRQ, CDC, HRSA, NIST, OCR, SSA, and VA sessions at HIMSS 2012. My only complaint with that page is that there are still a bunch of details missing on a number of the sessions. I imagine this is the government dragging their feet, but it sure makes it hard to plan.

While many of the government sessions can be dry and boring (partially attributed to what I call the government muzzle), it can be a really good place to hear the direction of the federal government when it comes to healthcare IT directly from their own mouth.

I also suggest that Farzad Mostashari’s keynote address won’t be nearly as interesting to someone familiar with healthcare IT as his ONC Townhall: Advancing Health IT into the Future session on Wed, 2/22 at 2:15 in San Polo 3503. I know I also want to work in a session on MU stage 2 and the future of EHR certification from the federal perspective as well.

“Meaningful” References
Is it just me, or do other people have a problem using the word meaningful now? At least it’s a challenge with many of my healthcare friends. Although, sometimes I throw it in there just for irony’s sake. Hopefully this post was meaningful to you.

Also, a big thanks to all those that filled out the EMR and HIPAA reader survey. I’ve loved all the feedback. Interestingly enough, one of the more common feedback items was that you liked the Meaningful Use Monday series. We’ll do what we can to keep it going.

ePrescribing Controlled Substances

Posted on August 3, 2011 | Written By John Lynn

Back on September 13, 2009 I wrote a post titled, “FDA Approves Pilot Electronic Prescribing of Controlled Substances.” I’d link to the post, but unfortunately the news got sent to me prematurely and so I had to take the post down. It was unfortunate, since there was and still is a lot of interest in being able to ePrescribe controlled substances. In fact, I’d say that not being able to prescribe controlled substances electronically is the current Achilles heel of ePrescribing.

Fast forward to DrFirst’s recent announcement of the Nationwide Launch of their ePrescribing Controlled Substances product. Their latest ePrescribing product for controlled substances is called EPCS Gold and is fully certified to meet the prescription processing requirements for Surescripts, the DEA’s requirements in the Interim final rule, and the Identity Proofing requirements set by NIST.

I’m really glad to see ePrescribing of controlled substances moving forward. This will make ePrescribing much more attractive to physicians. Especially physicians that regularly prescribe controlled substances like surgeons and pain doctors.

However, this controlled substance ePrescribing announcement does of course come with its limitations. I think they’re described well in this part of the press release:

Prescribers enrolling for EPCS Gold™ will be able to send controlled substance prescriptions electronically after a simple credentialing and identity-proofing process with DrFirst. After providers are certified, they can begin e-prescribing Schedule II-V drugs based on their individual state laws and the ability of the receiving pharmacy to meet the DEA’s requirements to process these prescriptions. To avoid any confusion and eliminate guesswork by providers, EPCS Gold™ automatically detects which substances can be sent electronically.

The two challenges are quite clear: state laws and pharmacy ability to meet the DEA’s requirements. I haven’t done any in depth research on either subject, but I have a feeling that both of these things will be major issues across the country. I’d like to think it won’t be, but knowing the pace of state legislation and pharmacy adoption of these standards I’m not hopeful that they’re ready to receive controlled substance prescriptions electronically.

However, the above step is an important one. You have to have all sides ready to handle the security required to make ePrescribing controlled substances a reality. This is the first step and a very good one.

The NIST Workshop on EHR Usability

Posted on June 14, 2011 | Written By John Lynn

As much as I’d like to visit DC (I’ve never been), I wasn’t able to make it out there to attend the NIST workshop on EHR usability. However, Carl Bergman from EHR Selector did make it to the event and sent the following notes on EHR usability according to NIST. Most of the speakers’ names link to their slides in PDF format.

National Institute of Standards and Technology’s Workshop on EHR Usability

This week I went to a NIST workshop examining the state of EHR usability. The workshop was at its administrative headquarters, a large 60s building on its sprawling Gaithersburg, MD campus about 20 miles outside Washington.

You might wonder what NIST is doing in the EHR business? I certainly did. NIST’s mission is to promote commerce and technical innovation including methods to determine, independently, the safety and security of a broad range of technologies including software. (It’s part of the Department of Commerce.) Since WW II, this has involved looking at the human factors involved in operation of everything from nuclear plants to robotics. Interestingly, it’s not a regulatory agency, such as the FDA or FCC. NIST’s standards work is through consensus building among manufacturers, consumers, regulators, etc.

The workshop, attended by about 200 persons, had two parts:

•      A review of the state of EHR usability studies by academics, practitioners and system administrators and,

•      Introduction of NIST’s draft for a usability standard.

Part I. EHR Usability Today. There were many speakers, here’re the ones that had the most new information for me:

•      Mat Quinn of NIST covered its approach and work with ONC on the issue. Notably, NIST has published several documents in the area such as, NIST Guide to the Processes Approach for Improving the Usability of Electronic Health Records, (NISTIR 7741) which promotes a user centric approach to design and development.

•      I was really taken by Muhammad Walji’s study using a unified framework for EHR testing. The study compared user experience with the VA’s Vista program and a prototype system. It looked at:

o   What percent of an operation was substantive and what was overhead?

o   How long it took users to reach various performance levels.

o   How much memorization tasks took.

o   How many steps tasks required.

o   Error and recovery occurrence.

o   Time to complete defined tasks.

The study then applied its findings to rework the EHRs’ structure and workflow showing potential time and effort savings.

•      Anjum Chagpar of Toronto’s University Health Network. A human factors manager for this large healthcare network, she discussed the problems of integrating various vendor products into their system and their approach to usability and user satisfaction.

•      Buckminster Fuller famously declared, “I am a verb.” Dr. Lyle Berkowitz may not be a verb, but he is at least a gerund. His presentation swiftly covered several topics from HIMSS’ EHR Usability Task Force to usability definitions to stakeholder roles, and applying metrics to see how much of the problem was the system and how much the user.

•      The VA’s Dr. Jorge Ferrer provided several key references on usability studies.

Part II. NIST’s Proposed Protocol. If the first part took a broad and free ranging approach to usability, NIST’s staff approach was more focused. After an outline of the study’s setting and approach, the study director, Lana Lowery, outlined the protocol’s goal: prevention of unacceptable medical errors. These include errors of both omission and commission, for example:

•      Writing an order for the wrong patient.

•      Prescribing the wrong dosage.

•      Omitted information causing an error.

•      Critical delays in delivery due to system design errors.

•      Errors due to incorrect sequencing of actions.

Next, came examples of EHRs allowing errors. Unfortunately, several of the examples weren’t well thought out. For example, a patient ID error showed two patient records on the screen. One had the first patient’s x-ray, but the second patient’s name. Most likely, this would be a database problem or an x-ray production error not an EHR problem.

Robert Schumacher of User Centric, outlined how the protocol would be tested. For example, review and update of a problem list or replacement of one medication with another. The plan included testing several of ONC’s meaningful use functions that had usability factors.

Part III. Workshop Reactions. The workshop finally broke into two discussion groups: one for the draft protocol and the other on consensus building. In both cases, the discussion quickly went off script. Participants were quick to criticize the staff’s error oriented protocol as too narrow. Why, for example, did the protocol focus on internal EHR processes to the exclusion of workflow generated errors?

I understand NIST has a high interest in eliminating catastrophic errors, but I think there is not enough solid evidence on the kind and extent of the problem. No one discounts the need to prevent catastrophic errors, however, much of the EHR error focus is due to anecdotal reports of computer prescribing errors. From what I read, many of these reports are both old and recycled. Does anyone know the actual extent of major errors?

The FDA has developed several systems for dealing with medical device errors. These now include the software that the devices use. Even if the FDA does not regulate EHRs, it may step up its efforts to record important errors. I’d sure like to know FDA’s findings before I started an effort to shape EHRs.

This is not to say that safety is not important in EHRs, obviously the types of errors that are outlined by the staff are major. However, I think there are three points that are missing in the NIST approach:

•      Design for Success. You can’t design for failure. You have to design for success. The object of EHRs, as with any system, must be to accomplish certain ends. If you lose sight of that, you may not make mistakes, but you also will fail your objective.

•      Risk Analysis. Risk analysis measures the impact on a given population of an action, its potential and costs broadly defined. It also specifies mitigation efforts. I’d be far more comfortable about the protocol if there were a risk analysis behind it.

•      Error Handling. There should be more thought to error handling. For example, when the stall warning alarm goes off on a plane, it doesn’t grab the stick and take control. It’s a warning, just that. Physicians should be warned if they are about to prescribe beyond the recommended dose, but they may have good clinical reason to do it.

NIST put on a worthwhile workshop. My guess is that the draft protocol is not going to survive without modifications that take into account a broader range of usability issues and approaches.

Permanent EHR Certification Program

Posted on January 5, 2011 | Written By John Lynn

Looks like the people at HHS and ONC have been working hard. On Monday this week they published the Permanent EHR Certification Program Final rule. You can find the press release about the Permanent EHR Certification final rule on my new EMR News website (if you have other EMR news, please let me know).

You can download the full Permanent EHR Certification final rule here (Warning: PDF). Although, I must admit that I found the permanent certification fact sheet very interesting. Here’s my summary:
*Testing and certification is expected to begin under the permanent certification program on January 1, 2012 (with an exception if it’s not ready)
*NIST (through its NVLAP) will continue with accrediting organization to test EHR and to work with ONC to create test tools and procedures
*A new ONC-Approved Accreditor or ONC-AA will be chosen every 3 years
*All ONC-ATCB (those bodies certified under the temporary) must apply to be ONC-ATB (permanent certification bodies)
*ONC-ACB have to renew every 3 years
*Gap Certification will be available for future EHR certification criteria.

The most interesting part to me was that ONC will be selecting an ONC-AA (Approved Accreditor) through a competitive bid process. So, they’re going to accredit an accreditor to accredit the certifiers? I think you get the gist. I can see how ONC saves so much by only having to deal with one ONC-AA and not the 6 ONC-ATCB (that was in the sarcasm font if you couldn’t tell).

It does make sense to have a gap certification so that EMR vendors that are already certified don’t have to certify against all the criteria every time. I guess in theory changes an EHR vendor has made could have caused issues with their previous functions, but that’s pretty rare. Especially since their users will need it to be able to show meaningful use (which is why EHR certification has little meaning beyond it being required for EHR incentive money).

Whether you agree or disagree with EHR certification (I think you know where I stand), you have to give ONC credit for pushing out the EHR certification program so that there are plenty of certified EHR software out there to choose from. Looks like they’re well on their way to implementing the permanent EHR certification as well.

NIST Posts First Details on EHR Testing Methods

Posted on March 24, 2010 | Written By John Lynn

One of EMR and HIPAA’s regular readers, DKBerry, sent me an interesting link to the NIST Health IT Standards and Testing website. I don’t have much time to look over the details of this website since I’m about to leave town, but it looks like this is NIST’s first attempt to define the standards for EHR testing. Here are some of the major categories they have listed:
Health IT Testing Infrastructure
Meaningful Use Test Methods
What is Conformance Testing?
Health IT Testing and Support

I welcome your comments on what’s found on the website. In fact, if someone has a little more time than I do right now, I’d certainly welcome a guest blog post summarizing what’s been made available.