
The State Of Healthcare Cybersecurity (Part 2)

Posted on May 22, 2018 | Written by Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

In Part 1 of this series, which drew data from a study by Black Book Market Research, I described how insecure healthcare leaders felt their cybersecurity protections to be. I also noted that a large number of providers are struggling to recruit senior health IT experts, and as a result are basically winging it when it comes to breach protection.

Healthcare organizations’ data security problems run deeper than that, however, the study suggests. Not only are C-level execs finding security investments to be troublesome, IT managers responding to the survey admit that they, too, feel that they are not fully prepared to defend their institution’s data.

To begin with, 74% of surveyed CIOs admitted that they failed to evaluate the total cost of ownership before signing a deal with a cybersecurity solution or service provider, and 89% said they bought their cybersecurity solution to comply with security regulations, not necessarily to reduce security risk.

And the failure to protect critical information doesn’t stop there.  For example, 57% of IT managers said that they hadn’t taken stock of the full variety of cybersecurity solutions that currently exist, notably mobile security environments, intrusion detection, attack prevention, forensics and testing.

Also, many healthcare institutions seem to react only after they’ve been invaded. According to Black Book, 58% of hospitals didn’t select their current security vendor until after a data security incident, and 32% of healthcare organizations hadn’t scanned for vulnerabilities before an attack.

What’s more, 83% of healthcare organizations haven’t staged a cybersecurity drill which included an incident response process, which arguably leaves them particularly unprepared. Not only that, when an attack comes, some won’t catch it right away, as 29% said they don’t have an adequate solution to instantly detect and respond to cyberattacks.

Meanwhile, 16% of respondents reported being uncomfortable working with vendors that do a hard sell when they find security flaws and vulnerabilities. These insecurities aren’t surprising given that 60% of healthcare enterprises haven’t formally identified specific security objectives and requirements and integrated them into a strategic and tactical plan for breach prevention.

Given how unfocused many security plans are, it’s not surprising that 22% of provider organizations believe their cybersecurity position will worsen between now and the second quarter of 2019. Only 12% of hospitals and 9% of physician organizations reported that they expected to see cybersecurity improvements.

The bottom line here is that if the Black Book research is correct, many healthcare organizations are frighteningly unprepared to protect their data, much less survive a serious attack relatively unscathed. For everyone’s sake, let’s hope that providers wise up to the need for strategic, substantial investments in security technology and staff.

The State Of Healthcare Cybersecurity (Part 1)

Posted on May 21, 2018 | Written by Anne Zieger

Healthcare data has never been under more outside threats than it is today. For a number of reasons, this data has become more attractive to cybercriminals and can be sold on the dark web for a pretty penny. Not only that, emerging threats like ransomware attacks are hitting home and wreaking havoc with the institutions they target.

Unfortunately, according to a new study by Black Book Market Research, healthcare organizations don’t seem to be adequately prepared for this onslaught.

The survey, which collected responses from more than 2,464 security pros working at 680 provider organizations, found that health IT leaders aren’t confident they can defend themselves against cyberattacks. In fact, 96% of IT professionals who responded said that the attackers are significantly ahead of them and could probably cut through the protection their organizations have in place.

Given that stat, it’s not surprising that over 90% of healthcare organizations have seen a data breach since Q3 2016. Worse, almost 50% reported that they had more than five data breaches during this period. Not only that, more than 180 million records have been stolen since 2015, a staggering haul which affects roughly one in every 12 healthcare consumers.

On the surface, it might seem surprising that healthcare organizations haven’t toughened their defenses given the number of threats they face. Actually, they are, but they’re being outgunned. It’s not that they’re not making cybersecurity investments, but both the level of investment and their strategy for deployment may be inadequate.

In a surprisingly frank set of disclosures, one-third of hospital executives who bought cybersecurity solutions between 2016 and 2018 said they did so blindly, without much vision or understanding of what they were getting for their money. Respondents said that 92% of data security product and services buying decisions were made at the C-level, and the process didn’t include any users or affected department managers.

One reason that C-level executives with little relevant knowledge are making security investment decisions is that they don’t have anyone senior to consult, and the problem is extremely common.

The survey found that 84% of hospitals responding had no dedicated security executive in place. Most say that it’s difficult to recruit a qualified chief security officer, which is why they’re going bare on data security and stumbling through the buying process as best they can.

Some organizations are responding to the shortage of C-level tech talent by outsourcing the function. Twenty-one percent said they outsource security to partners, consultants or selected security-as-a-service options as a placeholder.

Given this interest in outsourcing, healthcare organizations are signing deals with security services and outsourcing companies five times more often than they’re buying cybersecurity products and software. Vendors, in turn, are responding by diversifying the portfolio of services they offer. Still, that’s unlikely to be enough over the long term.

All of this suggests that the healthcare industry is in a security crisis. I’ll offer more details on the situation in part two of this series.

More Than 1.1 Million Patient Records Breached During Q1 of 2018

Posted on May 14, 2018 | Written by Anne Zieger

Well, this isn’t a pretty picture. According to research by Protenus, roughly 1.3 million patient records were breached between January and March of this year. (The actual number is 1,129,744 records, for those who like to be precise.)

During that quarter, the healthcare industry saw an average of at least one data breach per day, racking up 110 health data breaches during this period, according to the Protenus Breach Barometer.

The researchers found that the single largest breach taking place during Q1 2018 was an intrusion involving an Oklahoma-based healthcare organization. The breach, which exposed patient billing information for 279,856 patients, resulted from an unauthorized third party gaining access to the health system’s network.

If you assume that the other breaches were also executed by external cyberattackers, think again. According to the data, healthcare staffers represented a far bigger risk of being involved with security violations.

The data suggests that such insiders were most likely to illegally access data on their own family members, a problem which accounted for 77.1% of privacy violations in the first quarter of this year. Accessing records on coworkers was the second most common insider-related violation, followed by accessing neighbor and VIP records.

Not only that, Protenus researchers found that if a healthcare employee breaches patient privacy once, there’s a greater than 20% chance they will breach privacy again within three months. Worse, there’s a greater than 54% chance they will do so again within a year. That’s a pretty nasty form of compounding risk.

And do healthcare institutions catch breaches right away? Not according to Protenus research, which found that it takes healthcare organizations an average of 244 days to detect breaches once they take place. As readers know, some of these events involve information being exposed to the Internet, offering private information to the public via an unprotected interface. Also pretty ugly, and also a source of lousy PR for the organization.

This research is a sobering follow-up to the company’s year-end report for 2017. Last year, according to Protenus research, there was an average of one health data breach per year in 2017. The 407 incidents it identified affected 5,579,438 patient records.

The largest breach taking place last year involved a rogue insider, a hospital employee, who inappropriately accessed billing information on 697,800 patients. The rest of the top 10 largest data breaches largely sprang from insider errors.

Wow. If it wasn’t evident already, it’s pretty clear now that healthcare organizations need to tighten up their internal data security measures and training substantially.

While there will always be some folks who want to snoop on celebrity records or dig up medical information on their ex, and some who plan to sell the information outright, a greater number simply need to be reminded what the rules are. (Or so I assume and fervently hope.)

Google And Fitbit Partner On Wearables Data Options

Posted on May 7, 2018 | Written by Anne Zieger

Fitbit and Google have announced plans to work together, in a deal intended to “transform the future of digital health and wearables.” While the notion of transforming digital health is hyperbole even for companies the size of Google and Fitbit, the pairing does have plenty of potential.

In a nutshell, Fitbit and Google expect to take on both consumer and enterprise health projects that integrate data from EMRs, wearables and other sources of patient information together. Given the players involved, it’s hard to doubt that at least something neat will emerge from their union.

Among the first things the pair plans to do is use Google’s new Cloud Healthcare API to connect Fitbit data with EMRs. Of course, readers will know that it’s one thing to say this and another to actually do it, but gross oversimplifications aside, the idea is worth pursuing.

Also, using services such as those offered by Twine Health (a recent Fitbit acquisition), the two companies will work to better manage chronic conditions such as diabetes and hypertension. Twine offers a connected health platform which leverages Fitbit data to offer customized health coaching.

Of course, as part of the deal Fitbit is moving to the Google Cloud Platform, which will supply the expected cloud services and engineering support.

The two say that moving to the Cloud Platform will offer Fitbit advanced security capabilities which will help speed up the growth of the Fitbit Health Solutions business. They also expect to make inroads in population health analysis. For its part, Google also notes that it will bring its AI, machine learning capabilities and predictive analytics algorithms to the table.

It might be worth a small caution here. Google makes a point of saying it is “committed” to meeting HIPAA standards, and that most Google Cloud products do already. That “most” qualifier would make me a little bit nervous as a provider, but I know: why worry about these niceties when big deals are afoot? Fair warning, though: when someone makes general comments like this about meeting HIPAA standards, it probably means they already employ high security standards which are likely better than HIPAA. However, it also means that they probably don’t comply with HIPAA, since HIPAA is about more than security: it requires a contractual relationship between provider and business associate, and the associated liability of being a business associate.

Anyway, to round out all of this good stuff, Fitbit and Google said they expect to “innovate and transform” the future of wearables, pairing Fitbit’s brand, community, data and high-profile devices with Google’s extreme data management and cloud capabilities.

You know folks, it’s not that I don’t think this is interesting. I wouldn’t be writing about it if I didn’t. But I do think it’s worth pointing out how little this news announcement says, really.

Yes, I realize that when partnerships begin, they are by definition all big ideas and plans. But when giants like Google, much less Fitbit, have to fall back on words like innovate and transform (yawn!), the whole thing is still pretty speculative. Just sayin’.

Privacy Fears May Be Holding Back Digital Therapeutics Adoption

Posted on May 3, 2018 | Written by Anne Zieger

Consumers were already afraid that their providers might not be able to protect the privacy of their health data. Given the daily news coverage of large data breaches, and since the Facebook data scandal blew up, consumers may be even less likely to try out new digital health approaches.

For example, a new study by innovation consultancy Enspektos has concluded that patients may be afraid to adopt digital therapeutics options. Many fear that the data might be compromised or the technology may subject them to unwanted personal surveillance.

Without a doubt, digital therapeutics could have a great future. Possibilities include technologies such as prescription drugs with embedded sensors tracking medication compliance, as well as mobile apps that could potentially replace drugs. However, consumers’ appetite for such innovations may be diminishing as consumer fears over data privacy grow.

The research, which was done in collaboration with Savvy Cooperative, found that one-third of respondents fear that such devices will be used to track their behavior in invasive ways, or that the data might be sold to a third party without their permission. As the research authors note, it’s hard to deny that the Facebook affair has ratcheted up these concerns.

Other research by Enspektos includes some related points:

  • Machine-aided diagnosis is growing as AI, wearables and data analytics are combined to predict and treat diseases
  • The deployment of end-to-end digital services is increasing as healthcare organizations work to create comprehensive platforms that embrace a wide range of conditions

It’s worth noting that it’s not just consumers who are worried about new forms of hacker intrusions. Industry CIOs have been fretting as it’s become more common for cybercriminals to attack healthcare organizations specifically. In fact, just last month Symantec identified a group known as Orangeworm that is breaking into x-ray, MRI and other medical equipment.

If groups like Orangeworm have begun to attack medical devices — something cybersecurity experts have predicted for years — we’re looking at a new phase in the battle to protect hospital devices and data. If one cybercriminal decides to focus on healthcare specifically, it’s likely that others will as well.

It’s bad enough that people are worried about the downsides of digital therapeutics. If they really knew how insecure their overall medical data could be going forward, they might be afraid to even sign in to their portal again.

Is Health Data Privacy On Its Way Out?

Posted on April 30, 2018 | Written by Anne Zieger

As healthcare providers gradually improve their HIPAA data security and privacy compliance, one might think that the odds of a breach occurring are getting lower. Maybe that’s true within the provider organizations themselves, but there are forces outside of healthcare which will make it impossible to protect personal data in the future, according to a post on Axoblog.

The piece argues that the notion of data privacy is dying. “To the extent that emails and other communications meant for designated recipients are analyzed, scraped, aggregated and stored, it is the opinion of this author that the protection of PHI is illusory,” the article says.

As the piece correctly notes, unscrupulous companies can learn a great deal about consumers by analyzing their Internet search history. And of course, there are social media stalkers like Facebook, which monitors Internet activity even when the subscriber is logged off. (It’s hard to believe that other Internet companies aren’t doing the same thing in a less public manner.)

By using a rich source like Facebook user data and aggregating it with information from other social media networks, outsiders can pull together a personal profile of users. This database could easily expose medical information that should be protected under HIPAA and HITECH.

And it’s not just Facebook data that is of concern. By buying available data from all the social media networks, then matching that data with commercial databases offering details such as address, phone number and location, it’s possible to develop an astonishingly detailed portrait of individuals.

So what should providers do in the age of minimum privacy? Be aware of emerging threats, the author suggests:

  • Be aware that social media outlets aren’t subject to the legal requirements providers are when compiling health information.
  • Keep your eye on data aggregators, which are selling data to everyone you can think of, plus others you wouldn’t even have considered, including marketers, advertisers and researchers.
  • The government has only now begun trying to understand how social media networks handle privacy and how well they explain their practices to consumers.
  • In the wake of Facebook scandals, social media giants might develop protocols for managing sensitive data, but they may fail at doing this, in which case the government is likely to step in.
  • Though Facebook has been asked by regulators how the company manages and shares data, it seems that no one’s asking about the aggregation of data and how it is stored and protected.

Now, I’d like to think the article described above is a bit too pessimistic. If nothing else, I’m not sure that the aggregation of other forms of data means that medical privacy will become impossible to defend. Still, the piece makes it clear that we have a long way to go before we can be sure PHI is protected by companies like Facebook.

Be Skeptical About Health IT Research Reports

Posted on April 26, 2018 | Written by Anne Zieger

Look, I get it. While advice from colleagues is fine, it’s even better to have an objective research organization tell you which vendors dominate the market and which seem to have a lot of fans.

You know some of the headlines, in big bold letters: “Epic has the biggest EMR market share in the US” or “Doctors are very satisfied with eClinicalWorks.” Hey, if nothing else, you can wave the report in your boss’ face if your new system doesn’t work out.

The thing is, are you getting valuable, fair, unbiased feedback from research vendors? Not necessarily.

  • Pay for play: Some research firms are getting paid to promote certain products or organizations in their reports and client notes. The payment can be as subtle as a few introductions to potential customers or a straight up bundle of cash. Sadly, not all analyst firms who engage in this practice will tell you that they do.
  • Lack of experience: While some research reports are written by senior people with a long institutional memory, sometimes they are farmed out to junior staff members with a lot less perspective. I’m not suggesting that the younger people get it wrong, but they simply can’t offer the kind of insight senior people can.
  • Beauty contests: Be warned: sometimes reports are just not about you. It may appear, on the surface, that the research firm is offering you valuable insights, but the truth is that the research isn’t that substantial. In cases like these, the firms simply line up all the vendors in a row and rate them on scales they basically make up in their head.
  • Value of the data: Sure, it’s sort of fun and interesting to know whether Epic has nudged out Cerner or MEDITECH in the battle for US market share. It’s something to share over the health IT water cooler. And it seems to give you a sense of which vendors are offering the most value. But does it really? In most cases, it probably isn’t that helpful to track market share unless you hold stock in one of these companies.

For what it’s worth, I’ve written several in-depth research reports of my own, and I feel pretty good about the industry analysis I did. But thankfully, none of the publishers suggested that I was the Oracle of truth. I simply gathered up a pile of the facts and tried to fit them together.

In saying all this, I’m not suggesting that health IT industry research is a waste of time. If a report offers context, input from your peers and no-nonsense answers to questions you have, it may well be worth the price. But don’t let one of these firms sell you a bunch of hot air.


More Ways AI Can Transform Healthcare

Posted on April 25, 2018 | Written by Anne Zieger

You’ve probably already heard a lot about how AI will change healthcare. Me too. Still, given its potential, I’m always interested in hearing more, and the following article struck me as offering some worthwhile ideas.

The article, which was written by Humberto Alexander Lee of Tesser Health, looks at ways in which AI tools can reduce data complexity and detect patterns which would be difficult or even impossible for humans to detect.

His list of AI’s transformative powers includes the following:

  • Identifying diseases and providing diagnoses

AI algorithms can predict when people are likely to develop heart disease far more accurately than humans. For example, at Google healthcare technology subsidiary Verily, scientists created an algorithm that can predict heart disease by looking at the back of a person’s eyes and pinpoint early signs of specific heart conditions.

  • Crowdsourcing treatment options and monitoring drug response

As wearable devices and mobile applications mature, and data interoperability improves thanks to standards such as FHIR, data scientists and clinicians are beginning to generate new insights using machine learning. This is leading to customizable treatments that can provide better results than existing approaches.

  • Monitoring health epidemics

While performing such a task would be virtually impossible for humans, AI and AI-related technologies can sift through staggering pools of data, including government intelligence and millions of social media posts, and combine them with ecological, biogeographical and public health information, to track epidemics. In some cases, this process will predict health threats before they blossom.

  • Virtual assistance helping patients and physicians communicate clearly

AI technology can improve communication between patients and physicians, including by creating software that simplifies patient communication, in part by transforming complex medical terminology into digestible information. This helps patients and physicians engage in a meaningful two-way conversation using mobile devices and portals.

  • Developing better care management by improving clinical documentation

Machine learning technology can improve documentation, including user-written patient notes, by analyzing millions of rows of data and letting doctors know if any data is missing or clarification is needed on any procedures. Also, Deep Neural Network algorithms can sift through information in written clinical documentation. These processes can improve outcomes by identifying patterns almost invisible to human eyes.

Lee is so bullish on AI that he believes we can do even more than he has described in his piece. And generally speaking, it’s hard to disagree with him that there’s a great deal of untapped potential here.

That being said, Lee cautions that there are pitfalls we should be aware of when we implement AI. What risks do you see in widespread AI implementation in healthcare?

London Doctors Stage Protest Over Rollout Of App

Posted on April 18, 2018 | Written by Anne Zieger

We all know that doctors don’t take kindly to being forced to use health IT tools. Apparently, that’s particularly the case in London, where a group of general practitioners recently held a protest to highlight their problems with a telemedicine app rolled out by the National Health Service.

The doctors behind the protest are unhappy with the way the NHS structured its rollout of the smartphone app GP at Hand, which they say has created extra work and confusion among the patients.

The service, which is run by UK-based technology company Babylon Health, launched in November of last year. Using the app, patients can either have a telemedicine visit or schedule an in-person appointment with a GP’s office. Telemedicine services are available 24/7, and patients can be seen in minutes in some cases.

GP at Hand seems to be popular with British consumers. Since its launch, over 26,000 patients have registered for the service, according to the NHS.

However, to participate in the service, patients are automatically de-registered from their existing GP office when they register for GP at Hand. Many patients don’t seem to have known this. According to the doctors at the protest, they’ve been getting calls from angry former patients demanding that they be re-registered with their existing doctor’s office.

The doctors also suggest that the service gets to cherry-pick healthier, more profitable patients, which weighs down their practice. “They don’t want patients with complex mental health problems, drug problems, dementia, a learning disability or other challenging conditions,” said protest organizer Dr. Jackie Applebee. “We think that’s because these patients are expensive.” (Presumably, Babylon is paid out of a separate NHS fund than the GPs.)

Are there lessons here for US-based healthcare providers? Perhaps so.

Of course, the National Health Service model is substantially different from the way care is delivered in this country, so the administrative challenges involved in rolling out a similar service could be much different. But this news does offer some lessons to consider nonetheless.

For one thing, it reminds us that even in a system much different than ours, financing and organizing telemedicine services can be fraught with conflict. Reimbursement would be an even bigger issue than it seems to have been in the UK.

It’s also worth noting that the NHS and Babylon Health faced a storm of patient complaints about the way the service was set up. It’s entirely possible that any US-based efforts would generate their own string of unintended consequences, the magnitude of which would be multiplied by the fact that there’s no national entity coordinating such a rollout.

Of course, individual health systems are figuring out how to offer telemedicine and blend it with access to in-person care. But it’s telling that insurers with a national presence such as CIGNA or Humana aren’t plunging into telemedicine with both feet. At least none of them have seen substantial success in their efforts. Bottom line, offering telehealth is much harder than it looks.

Hospital Recycling Bins May Contain Sensitive PHI

Posted on April 6, 2018 | Written by Anne Zieger

A group of Canadian researchers studying hospitals’ information security practices found that hospital recycling bins contained a substantial amount of PHI.

The researchers, who summarized their findings in a letter published in JAMA, spent two years collecting materials from the recycling bins at five teaching hospitals in Toronto. The “recycling audit,” which took place between November 2014 and May 2016, included data for inpatient and outpatient care settings, emergency departments, physician offices and ICUs.

When they did their audit, the researchers found more than 2,600 items which contained personally identifiable information, including 1,885 items related to medical care. The majority of the items containing PHI (65%) had been created by medical groups.

Their audit also found that the most common locations at which particularly sensitive patient-identifiable information turned up were physician offices (65%) and inpatient wards (19%).

The most commonly found items containing patient-identifiable information were clinical notes and medical reports (30%), followed by labels and patient identifiers (14%). Other items which contained PHI included diagnostic test results, prescriptions, handwritten notes, requests and communications, and scheduling materials.

According to the researchers, each of the five hospitals they audited had policies in place to protect PHI, along with secure shredding containers for packaging up private information. That being said, they guessed that as the hospitals transitioned to EHRs, they were discarding a high volume of paper records and losing control of how they were handled.

I don’t know what the EHR adoption rate is in Canada, but nearly all U.S. hospitals already have an EHR in place, so on first glance, it might appear that this couldn’t happen here. After all, once a hospital has digitized records, one would think the only way hospitals would expose PHI would be when someone deliberately steals data.

But the truth is, a great deal of hospital business still gets done on paper, and it seems likely that one could find a significant number of documents with PHI on them in U.S. recycling bins. (If someone was willing to do the dirty work, there might be a meaningful amount of PHI found in regular garbage cans as well.)

What I take away from this is that hospitals need to have stiffer policies in place to protect against paper-based security breaches. It may be time for hospital administrators to pay closer attention to this problem.