
EMR Security Monitoring Systems

Posted on September 21, 2011 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

There’s been an interesting situation going on between a couple of EHR vendors. I first saw this when I got the press release that meridianEMR filed a lawsuit against UroChart. The lawsuit claims that UroChart obtained access to meridianEMR’s data. (Note: See this comment from the IT Director of meridianEMR that discusses more details of what happened and how no data was breached.)

Lawsuits aside, meridianEMR is trying to capitalize on the situation by talking about how their EMR security monitoring system was what notified them of the breach attack by UroChart. They call it their Advanced Monitoring System (AMS) and say it responds immediately to any breach attacks and protects patient records.

I’m not sure if it’s a smart move to use a breach of their system as a way to promote their ability to protect patient records. I guess they can argue that their monitoring service was what protected their patient records. However, the lawsuit is claiming that patient records were at risk. I don’t think that’s something any EMR vendor wants tied to their name, is it?

Marketing strategy aside, this security monitoring service is interesting and I can’t say I’ve really seen something like it in any other EMR system. Sure, they all have some sort of audit tracking and trail. However, I think most EMR vendors’ strategy is not detection, but prevention. They harden their systems using the best techniques, but don’t do much to try and detect breaches. Should that be changed?

One problem with breaches is that good hackers know how to avoid even the detection part. I still remember when my friend showed me how he had hacked into a server and you could see him logged in. Then, he ran a script and you couldn’t see him anymore. I guess if you compare it to the physical world, it’s like having a camera watching the front door, but no camera on the back door. However, in the digital world there are lots of different doors, including those we don’t know about.

Some might argue that ignorance is bliss in this instance. Sure, no EMR vendor is going to admit that in public. Neither is a doctor. However, the regulations have made it pretty harsh when you know that there’s been a breach of your system. You basically have to make it known to all the world. However, if you don’t know that your EMR system has been compromised, then you have no such requirements.

I’m sure some people won’t like me saying this, but be sure that many doctors and EMR vendors have thought about this. I’m sure there were parallels in the paper world too. So, let’s not act like this is really that new. Although, certainly technology has made it possible to have much larger breaches.

One thing worth noting is that I haven’t seen a group of healthcare hackers forming. There’s no underground group of people that I’ve heard of that are trying to hack and get access to healthcare data. Financial data is much easier to monetize for a hacker than healthcare data. That’s not to say that healthcare data isn’t valuable and can’t have consequences if it’s put in the wrong hands. However, most hackers do it for the Lulz, for financial gain, or vengeance. Things could certainly change, but I haven’t seen healthcare as a prime target for hackers. I’d love to see if you have evidence that says otherwise.

If you evaluate the list of breaches that are published by HHS, this seems to agree with my above evaluation. Almost every single breach was just due to something being lost, a physical device being stolen (which you can almost guarantee they wanted the laptop and not the healthcare data which they probably didn’t even know was on the laptop), or inappropriate use by someone on a system already.

It will be interesting to see how these EMR security monitoring systems evolve. Plus, will we see more need for these types of protections and monitoring of EMR systems?

Argenal Pediatric, Powered by Cerner: A Testimonial


“Doctors who have never experienced EMR or have limited experience, they feel that it’s only a burden. But if they only realized that you can copy and paste — you can fill precompleted notes from your files. When I do a precompleted note, something that is pretty standard in my practice, it might take me a minute or two at the most to complete the entire chart with a pretty decent amount of documentation.”

Step into Dr. Rodrigo Argenal’s Pediatric office in McAllen, Texas. Dr. Argenal has kept everything in the office electronic since Day One of opening his practice. Dr. Wells recently joined Dr. Argenal’s office from a 25-year practice where she operated only on paper. “Within a month or so, she was a master at it,” says Dr. Argenal.

Dr. Argenal has a unique style of practice, taking his laptop into each room with him so he can show patient growth charts and review previous visits, because “When it comes to patient care in pediatrics, a lot of detail makes a big difference. At a click of a button, I can see all of my previous visits and things that may be pertinent to that particular visit.”

Watch the video here.

Regulation of Medical Apps Debated at FDA Medical Apps Workshop


Tweet from @OrcaMD: http://twitter.com/#!/OrcaMD/status/114139120367968256

This appears to be growing in popularity as a matter of discussion. There is little doubt that the government will step in and regulate medical apps the way they regulate everything else in the healthcare industry. What remains to be seen is what exactly that regulation will entail.

One of the points that I found interesting from this article was the thought that consumers should simply regulate quality apps through their purchasing power. Simply put, if an app is garbage, people won’t buy it, and it will disappear. While this would be the easiest way, it would also be the lazy way, and in the end would likely result in more work due to the magnitude of lawsuits that are bound to appear.

Some seem to believe that regulation similar to that put on other medical devices would be more appropriate. This just doesn’t make sense to me, and creates somewhat of a slippery slope. How can we possibly consider x-ray machines and sophisticated surgery equipment to be on the same level as something that measures your blood pressure through your phone?

If we do start to regulate these apps on the same scale, you open up the need to regulate everything that even remotely relates to healthcare.  What makes more sense to me is to provide guidelines for development, and maybe even classification groups so that developers can have a clear understanding of what would be expected for certain levels of devices.

As is mentioned in the article, regulation ultimately comes back to liability.  No one wants to pay a huge price for developing a small app that was intended to help people.  In this day and age, it is increasingly important to cover your bases to ensure your original intent to do good doesn’t end up in a lawsuit where nobody wins.

I understand the FDA’s lack of direction at this point since the market has developed so rapidly. Only a few years ago the most complicated apps would give you the news and some sports scores. Now they can do just about anything, and more are being developed every day. What I would like to see is the FDA do or say something.

If a reasonable set of regulations can be established now, then there will be much less heartache later.  I have to think that there are numerous developers out there who are anxious to take advantage of this opportunity but are afraid to do so because they don’t know where the boundaries are.  The really quality developers will want to do it right the first time, and these are the people who will provide us with the best apps in the long run.