
Firewall & Windows XP HIPAA Penalties

Posted on December 11, 2014 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Anchorage Community Mental Health Services, Inc., has just been assessed a $150,000 penalty for a HIPAA data breach. The title of the OCR bulletin for the HIPAA settlement is telling: “HIPAA Settlement Underscores the Vulnerability of Unpatched and Unsupported Software.” It seems that OCR wanted to communicate clearly that running unpatched and unsupported software is a HIPAA violation.

If you’re a regular reader of EMR and HIPAA, then you might remember that we warned you that continued use of Windows XP would be a HIPAA violation once Microsoft stopped providing security updates for it on April 8, 2014. Thankfully, it was one of our most read posts, with ~35,000 people viewing it. However, I’m sure many others missed the post or didn’t listen. The settlement above shows that using unsupported software can result in a HIPAA penalty.

Mike Semel has a great post up about this settlement, and he points out that Microsoft Office 2003 and Microsoft Exchange Server 2003 should also be on the list of unsupported software alongside Windows XP. He also notes that Windows Server 2003 will stop being supported on July 14, 2015.
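One way to turn that list into something you can actually run against a clinic is an inventory check that flags every host whose product is past (or within a year of) its vendor’s end-of-support date, and every host that is still supported but has not been patched in months, since OCR’s bulletin names unpatched software alongside unsupported software. The Python below is an added example, not code from this post, from OCR or from Mike Semel. The Windows XP and Windows Server 2003 dates are the ones given above; the Office 2003, Exchange Server 2003 (April 8, 2014) and Windows 7 (January 14, 2020) dates are Microsoft’s published extended-support end dates. The inventory rows, the 90-day patch-age threshold and the one-year warning window are constructed assumptions, not HIPAA requirements.

```python
"""End-of-support and patch-lag audit for a software inventory.

Added example, not code from the original post or from OCR/Mike Semel.
The Windows XP and Windows Server 2003 dates are the ones the post gives;
the Office 2003, Exchange Server 2003 and Windows 7 dates are Microsoft's
published extended-support end dates. The inventory below is constructed
sample data, and the 90-day patch-age and one-year warning thresholds are
assumptions, not HIPAA requirements.
"""
import csv
import io
from datetime import date, timedelta

# Last day on which the vendor shipped security updates for the product.
END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Office 2003": date(2014, 4, 8),
    "Exchange Server 2003": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
}

# Date of the post; used as the default "as of" date for the audit.
POST_DATE = date(2014, 12, 11)

# Constructed sample inventory: one row per host, with the product that
# handles patient data and the date the last security update was applied.
INVENTORY_CSV = """hostname,product,version,last_patch
FRONTDESK-01,Windows XP,SP3,2014-03-11
BILLING-02,Windows 7,SP1,2014-11-12
MAIL-01,Exchange Server 2003,SP2,2013-10-08
DC-01,Windows Server 2003,R2 SP2,2014-11-12
LAB-PC,Windows 7,SP1,2014-06-10
KIOSK-01,Ubuntu,12.04,2014-12-01
"""


def support_status(product, as_of, warn_days=365):
    """Return 'unsupported', 'ending-soon', 'supported' or 'unknown'.

    A product counts as unsupported the day AFTER its end-of-support date:
    on the date itself the final updates still ship.
    """
    eos = END_OF_SUPPORT.get(product)
    if eos is None:
        return "unknown"
    if as_of > eos:
        return "unsupported"
    if as_of + timedelta(days=warn_days) >= eos:
        return "ending-soon"
    return "supported"


def audit(csv_text=INVENTORY_CSV, as_of=POST_DATE, max_patch_age_days=90,
          warn_days=365):
    """Return one finding per host that needs attention.

    Hosts on supported products are still flagged when their last patch is
    older than max_patch_age_days; patch lag is only checked while the
    vendor still ships patches, since an unsupported host cannot be patched.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        product = row["product"]
        status = support_status(product, as_of, warn_days)
        issues = []
        if status == "unsupported":
            issues.append(f"unsupported since {END_OF_SUPPORT[product]}")
        elif status == "ending-soon":
            issues.append(f"support ends {END_OF_SUPPORT[product]}")
        elif status == "unknown":
            issues.append("no end-of-support date on record; confirm with vendor")
        if status in ("supported", "ending-soon"):
            patch_age = (as_of - date.fromisoformat(row["last_patch"])).days
            if patch_age > max_patch_age_days:
                issues.append(f"no security update in {patch_age} days")
        if issues:
            findings.append({"hostname": row["hostname"], "product": product,
                             "status": status, "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit():
        print(f"{f['hostname']:<13} {f['product']:<22} {f['status']:<12} "
              + "; ".join(f["issues"]))
```

Run as of the post date, the sample flags the XP front-desk machine and the Exchange 2003 server as unsupported, warns that the Server 2003 domain controller loses support within the year, flags the Windows 7 lab PC as six months behind on patches, and reports the Ubuntu kiosk as unknown rather than silently passing it. Products missing from the table are deliberately reported as unknown so that an incomplete inventory is never mistaken for a clean one.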

Along with unsupported and unpatched software, Mike Semel offers some good advice on firewalls and HIPAA:

A firewall connects your network to the Internet and has features to prevent threats such as unauthorized network intrusions (hacking) and malware from breaching patient information. When you subscribe to an Internet service they often will provide a router to connect you to their service. These devices typically are not firewalls and do not have the security features and update subscriptions necessary to protect your network from sophisticated and ever-changing threats.

You won’t find the word ‘firewall’ anywhere in HIPAA, but the $150,000 Anchorage Community Mental Health Services HIPAA penalty and a $400,000 penalty at Idaho State University have referred to the lack of network firewall protection.

Anyone who has to protect health information should replace their routers with business-class firewalls that offer intrusion prevention and other security features. It is also wise to work with an IT vendor who can monitor your firewalls to ensure they continue to protect you against expensive and embarrassing data breaches.

Be sure to read Mike Semel’s full article for other great insights on this settlement and what it means.

As Mike aptly points out, many organizations don’t want to incur the cost of replacing Windows XP or implementing a firewall. It turns out that these upgrades are much cheaper than the HIPAA fines for non-compliance, to say nothing of the hit to your reputation.

Hospital CIO Interview – Will Weider

Posted on July 26, 2012 | Written by John Lynn

When I first started blogging, I came across a hospital CIO blog called Candid CIO that is written by Will Weider, CIO of Ministry Health Care. Six years later he’s still my favorite hospital CIO blogger out there. My only complaint is that he doesn’t blog enough (understandably so). I’ve never had a chance to meet Will in person, but I hope to one day have that opportunity.

Will recently commented on one of my posts. After seeing his comment I had the genius idea to ask him for an interview. I’m not sure why I hadn’t thought of it before since we go so far back, but when you see the content of the interview you’ll see why I’m planning to reach out to more CIOs. I hope you enjoy Will’s comments as much as I did.

You have a great CIO blog at, what made you start blogging and why do you continue blogging today?
Thanks. I originally started the blog for two reasons. Firstly, I follow tech trends and like to try anything that is emerging. So, I started this blog a long time ago. Secondly, I always desired an outlet where I could express my views of healthcare IT. At the time I started the blog a lot of the HIT press was driving me crazy with superficial stories that didn’t explore difficult questions. One would get the impression that every single IT project ever started was a worthwhile success. So, I wanted to be able to challenge conventional wisdom.

Today there are many great blogs and thousands of voices on Twitter.

Do you think other CIOs should blog?
I hope that they do, because we have a lot to learn from each other. But it does take time; I have found it impossible to post consistently these days. I am a big fan of tech blogger John Gruber. His posts are almost always two or three sentences. I used to always write long posts. Recently I am mostly writing shorter posts that match what I would like to read, given my attention span.

How do you deal with the challenge of a blog and Twitter account making you “too” accessible as a CIO?
People generally respect boundaries. Part of my life is to ignore cold callers (unless they are serendipitously offering something on my priority list). I would love to get back to every person that wants to meet me for lunch and talk about my organization’s priorities, but there isn’t enough time in the day to respond, let alone have all those meetings. I have met a lot of great people on Twitter and I have hired a few; all of those have turned out great.

What’s the biggest issue on your plate as a hospital CIO today?
Managing demand. The best part of being a health care CIO is that there are so many great new solutions that solve business problems, especially in the clinical arena. The worst part is that everybody wants those solutions and they want them now. Even if senior management makes some hard decisions about priorities, the managers that submitted projects that didn’t make the priority list are disappointed and frustrated. I would feel the same way (and do feel the same way when my projects don’t make the cut).

What are the top 3 hospital CIO issues you can see on the horizon?
1. Hone project management so projects are done more quickly and successfully (see above)
2. Security
3. IT Operations – as our doctors and nurses become increasingly more dependent on IT we need to improve our processes that drive system availability and response time.
4. Consumerization of enterprise IT (rise of the iPads)

How has meaningful use impacted your hospital for good and bad?
I have heard a lot of people state that Meaningful Use was a clinical project and that they expected the results to be really meaningful. That wasn’t our experience. We were already working on meaningful clinical IT projects. Many of the objectives were things we had done or started. Our focus was to stay the course and make a few modifications so we hit every objective as written.

Our internal customers (our management team, physicians, nurses, etc.) would probably say that Stage 1 Meaningful Use has been a non-event for them. I like to think that is a testament to the many things that we were doing right. For example, our hospital in Weston, WI is all-digital. There are no charts on the floor; there is not even a file room. It is the only Wisconsin hospital (except a Children’s Hospital) recognized by Leapfrog Group as having fully met the CPOE leap. So, Meaningful Use was mostly about taking the time to properly measure everything and create quality measures to the appropriate specification.

Do you follow the All in One or Best of Breed software approach and why?
I would have to describe us as a Best of Breed IT organization. Many of our admissions come from Marshfield Clinic doctors. The Marshfield Clinic developed their own EHR and have been perfecting it over the last 20 years. About 5 years ago we made the decision to use the Marshfield Clinic EHR in our Ministry clinics and to interface that EHR to our hospitals.

Sharing that EHR was in the best interest of our patients. Our primary care doctors, our hospitals and Marshfield Clinic specialists are all contributing to a common patient record. Once we made that decision for our patients, it was no longer possible to have an All in One solution (Marshfield Clinic does not have a Hospital Information System).

If you could snap your fingers and change one thing about healthcare, what would it be?
Reduce costs. Quality improves year over year as medical knowledge increases, processes improve and new technologies (including information technologies) evolve. But the cost here in the US continues to skyrocket (18% of GDP, double that of the second most expensive industrialized nation). Frustratingly, there isn’t even agreement on why the cost is increasing. I want healthcare to be affordable to the working families here in Wisconsin.

Are you seeing and experiencing an experienced health IT staff shortage? How do you suggest people without healthcare experience get a health IT job?
More so in the technical areas, where we are competing with all industries. We are able to recruit and/or develop applications analysts.

What’s your most important IT project today?
Ministry Health Care was traditionally a less consolidated organization that had 7 or 8 different IT departments. As a result of that we still have a lot of fragmented systems, 740 different applications running on 1,500 servers. Our environment is too complex and it makes us too inefficient. We have plans to greatly simplify that environment. But, it will take us several years and scores of projects to get there. This is paramount to our competitiveness.

From a more short-term perspective this ICD-10 thing is a complicated beast that must go well. After looking at the cost for our organization, and then extrapolating that to the entire industry, I don’t see how the money spent will be worth the value received.

Which IT project doesn’t get enough attention and why?
The need to abandon Windows XP by the time Microsoft ends support in April of 2014 is a ticking time bomb and I am not hearing anyone talk about it. We will spend more time and money (about $5M) on this than we spent working on Stage 1 of Meaningful Use.

Any final thoughts?
Two things: Firstly, I have a great job and I work with incredible people in IT and throughout Ministry. Secondly, the Packers are going to win the Super Bowl this year.

John’s Note: I’ll forgive him for his Packer fandom which is understandable for where he lives. Personally I just hope my Dolphins can turn things around.

Cost to Update to Meaningful Use Certified EHR Software

Posted on September 20, 2010 | Written by John Lynn

In my previous post about the EHR certification costs, a reader emailed me that I’d missed an important downstream cost. It’s not as much a cost for the EHR company as it is for the current user of an EHR system. It’s the cost for a current EHR user to upgrade their software to the latest and greatest version of the EHR software. You know, the one that is certified and allows you to show meaningful use of that EHR.

All EHR Will Need to Update
Lest you think this isn’t going to happen, I can pretty much guarantee that EVERY EHR company will need to upgrade their software to become a certified EHR and meet all the meaningful use requirements. The good thing is that most EHR users have a contract that provides them with all upgrades for free. However, there may be some users who will incur a cost to upgrade.

Less Visible Update Costs
Beyond the potential cost to get the upgraded software, there’s also the cost to physically update your EHR software. There’s the very apparent cost of having to run a software install on all the computers in your clinic. This is pretty negligible for a small clinic with only a couple computers. However, in one clinic I supported we had 100+ computers and so the update process did take time.

However, more important than the actual software update is the process of preparing for it. Certainly you could just install the update and go forward with it, but that is far from recommended and can be really problematic. I should cover this topic in a future blog post, but suffice it to say that an upgrade goes much better when you:
1. Look over the new features and changes to the EHR software
2. Test the changes to see how they work
3. Train your staff on the new changes and how they will affect their workflow
These are all pretty academic steps, but they do take time.

SaaS EHR Vendors
Of course, the SaaS-hosted EHR vendors will really enjoy this part of the process. They can easily update their EHR software to meet the guidelines with little interaction or work on the customer’s end. An update to their EHR software could still cause the headache of disrupting a clinic’s workflow. However, most SaaS EHR companies ship many regularly scheduled smaller updates rather than the large updates traditional client-server EHRs require. These smaller changes generally cause fewer issues, or at least spread those issues out over time.

Even More Hidden Update Costs
I was recently aghast to learn of the EHR update requirements of a certain very popular EHR vendor. They told a clinic (or at least gave them the impression) that in order to update to the latest version of the EHR software, the one that met the meaningful use and certified EHR guidelines (which is kind of silly since there still aren’t any officially recognized Certified EHRs, but I digress), the clinic would need computers running the Windows 7 operating system. The sad news for this clinic was that their current Windows XP machines weren’t powerful enough to run Windows 7.

Let me translate what this means for the less tech-savvy readership. The clinic would need to buy all new computers with the Windows 7 operating system (which should come on the new computers) in order to upgrade to the latest meaningful use-certified EHR software. One could certainly argue that the clinic might need to replace these older computers anyway, but something doesn’t feel right about this being “forced” on a clinic. I personally still use Windows XP and don’t see much benefit in paying for a new computer with Windows 7. I will at some point, but there’s no compelling reason for me to move now. Why should clinics be forced into this expense by an EHR vendor?

Certainly Windows 7 and Windows XP are not ALL that different, but be sure that the change will cause some heartache in a clinic. Some mundane task that a user used to do easily in Windows XP will require a change to make it work in Windows 7. It’s easy to quantify the cost of new computers with Windows 7. It’s much harder to quantify the cost of this heartache.

Ongoing Update Costs
Many of these costs aren’t generally meaningful use specific. These costs or some variation are going to be part of the EMR update costs going forward. Unless your EMR vendor stops updating. Although, if your EMR vendor stops putting out updates, then you have a much different problem to deal with.