
Study Shows Value of NLP in Pinpointing Quality Defects

Posted on August 25, 2011

For years, we’ve heard about how much clinical information is locked away in payer databases. Payers have offered to provide clinical summaries, electronic and otherwise. The problem is, it’s potentially inaccurate clinical information because it’s all based on billing claims. (Don’t believe me? Just ask “E-Patient” Dave de Bronkart.) It is for this reason that I don’t much trust “quality” ratings based on claims data.

Just how much of a difference there was between claims data and true clinical data hasn’t been so clear, though. Until today.

A paper just published online in the Journal of the American Medical Association found that searching EMRs with natural-language processing identified up to 12 times the number of pneumonia cases and twice the rate of kidney failure and sepsis as did searches based on billing codes—ironically called “patient safety indicators” in the study—for patients admitted for surgery at six VA hospitals. That means that hundreds of the nearly 3,000 patients whose records were reviewed had postoperative complications that didn’t show up in quality and performance reports.

Just think of the implications of that as we move toward Accountable Care Organizations and outcomes-based reimbursement. If healthcare continues to rely on claims data for “quality” measurement, facilities that don’t take steps to prevent complications and reduce hospital-acquired infections could score just as high—and earn just as much bonus money—as those hospitals truly committed to patient safety. If so, quality rankings will remain false, subjective measures of true performance.

So how do we remedy this? It may not be so easy. As Cerner’s Dr. David McCallie told Bloomberg News, it will take a lot of reprogramming to embed natural-language search into existing EMRs, and doing so could, according to the Bloomberg story, “destabilize software systems” and necessitate a lot more training for physicians.

I’m no technical expert, so I don’t know how NLP could destabilize software. From a layman’s perspective, it almost sounds as if vendors don’t want to put the time and effort into redesigning their products. Could it be?

I suppose there is still a chance that HHS could require NLP in Stage 3 of meaningful use—it’s not gonna happen for Stage 2—but I’m sure vendors and providers alike will say it’s too difficult. They may even say there just isn’t enough evidence; this JAMA study certainly would have to be replicated and corroborated. But are you willing to take the chance that the hospital you visit for surgery doesn’t have any real incentive to take steps to prevent complications?


Silicon Valley Hype Machine Revs Up Again

Posted on August 18, 2011

I hate to keep bashing Silicon Valley, since I’ve come to think that it’s venture capitalists, not tied to one particular region, who are the ones not “getting” healthcare. That said, we got a bit more overblown hyperbole coming out of Northern California this morning from drchrono.

The Mountain View, Calif.-based company, which likely is correct when it says it created the first EHR that is native to the iPad—and a free one at that—announced today that it has received a new round of $650,000 in seed funding from the VC community. (Congratulations on that.) Drchrono today also introduced OnPatient, an iPad app that replaces the hated clipboard and paper form for taking patient history at the doctor’s office. Here are the details, from the drchrono press release:

drchrono Launches iPad App to Replace Paper-Based Check-In at Doctor’s Office; Closes Additional $650,000 in Seed Funding

Free OnPatient App Digitizes Patient Waiting Room and Integrates Seamlessly with Electronic Medical Records

Mountain View, CA – August 18, 2011 – drchrono, the company modernizing healthcare through a free Electronic Health Record (EHR) platform on the iPad, today announced a new patient check-in app which replaces the traditional paper check-in process in the physician waiting room. OnPatient is an app that can be downloaded to the iPad for free and integrated into a medical practice as a stand alone onboard app. The patient check-in app also seamlessly integrates with drchrono’s Meaningful Use-certified iPad EHR.

On the heels of the OnPatient product launch, drchrono recently closed an additional $650,000 in seed funding from prominent start-up investor Yuri Milner, founder of DST Global, and venture capital firm General Catalyst. This follows $675,000 in seed funding from General Catalyst, Charles River Ventures, 500 Startups and angel investors, previously announced in July.

“The OnPatient check-in app digitizes the waiting room and eliminates significant barriers to mass adoption of patient check-in technology by leveraging sophisticated iPad technology. Proprietary check-in hardware is prohibitively expensive and integration with existing EHR systems is too complex,” said Michael Nusimow, co-founder and CEO of drchrono. “We designed the OnPatient app to be intuitive for both physicians and patient users to create a better patient check-in experience.”

OnPatient is a full-featured app with customizable templates that enable physicians to eliminate paper forms and clipboards in the waiting room. There are no contracts or monthly fees; the only hardware investment is the iPad itself. Upon download, the OnPatient app allows patients to:

  • Complete family medical history and demographic information
  • Complete insurance information
  • Snap a profile photo
  • Sign the HIPAA consent form with a digital signature

The touch screen interface is user-friendly and the information auto-populates directly into the drchrono EHR platform. On subsequent visits, patients do not have to complete duplicate forms—they need only review their information and make any necessary changes on the iPad. OnPatient meets all industry security standards, ensuring the privacy and safety of patient data.

For more information on drchrono and the OnPatient app, please visit

About drchrono: 

drchrono focuses on Apple’s iPad and cloud computing to build a better healthcare experience.

They offer a free EHR platform built on the iPad that is Meaningful Use certified.  drchrono is also the first iPad EHR to implement real time clinical speech-to-text. drchrono handles everything a doctor needs to run their practice, including medical records, electronic prescribing, medical billing, and patient management.  For more information, visit

The drchrono iPad EHR is 2011/2012 compliant and has been certified by InfoGard Laboratories, an ONC-ATCB, as a complete EHR in accordance with the applicable certification criteria adopted by the Secretary of Health and Human Services. This certification does not represent an endorsement by the U.S. Department of Health and Human Services or guarantee the receipt of incentive payments. drchrono version 9.0 was Stage 1 certified on June 3, 2011. The ONC certification ID number is IG-2492-11-0083


What got me was the claim in the e-mail that accompanied the press release. “Today, drchrono, a hot Y Combinator start-up focused on Apple’s iPad and cloud computing to build a better healthcare experience, announced OnPatient, a groundbreaking app that digitizes the medical practice waiting room,” the message started. This was the same claim that drchrono included in a media advisory earlier in the week.

Sorry, there is nothing “groundbreaking” about software that collects medical history electronically and automatically populates an EHR with this information. Instant Medical History, a program from Primetime Medical Software, Columbia, S.C., has been doing this for years. Though it is primarily a PHR vendor,‘s name betrays one of its products, a patient portal for medical practices that collects patient history online. is similar.

No, IMH does not have a native iPad app, but it’s worked on tablets going back to the bulky Windows tablets circa 2003, even if few customers actually chose that option. is Web-based, which means it’s accessible from any device with a Web browser such as, say, an iPad.

When I called the publicist on the “groundbreaking” claim, I got this back. “Of the physicians I’ve spoken to, the user-friendly interface of the iPad app really makes patient onboarding easy and they love the ‘novelty factor’ of using the iPad as well. It’s less intimidating for patients who have limited experience with healthcare IT.”

Fair enough. But that doesn’t make OnPatient “groundbreaking.” The iPad is groundbreaking. OnPatient is interesting, useful and frankly, long-overdue competition to Instant Medical History. I hope it catches on. But it’s not much of a breakthrough.

I can’t wait to see the breathless coverage from the other tech press who don’t know the, ahem, history (sorry, couldn’t resist). If you want the unvarnished, occasionally acidic truth, come here.

For that matter, here’s the company’s own message, via video:

It’s rather low-key, actually. I have just one question: Why do they say “tax breaks” for meaningful use? The money is in the form of Medicare/Medicaid bonus payments. As EMR and HIPAA readers know, those payments are considered taxable income. Just sayin’.


ICSA Labs Questions Strength of ONC Certification Rules

Posted on August 11, 2011

You’ve undoubtedly heard the argument before: EHR certification is about assuring that systems meet minimum requirements for functionality and interoperability, but the certification process falls way short in terms of usability, privacy and security. But have you heard the argument from one of the ONC-authorized certification bodies?

This is an excerpt from an e-mail I received today:

Meaningful Use criteria have become a massive EHR certification driver for healthcare organizations. Hospitals and other providers rely on the criteria to ensure that their health IT systems meet minimum government-specified functionality and interoperability requirements to support Stage 1 of Meaningful Use.  Achieving Meaningful Use also ensures a health care organization qualifies for reimbursement under the American Recovery and Reinvestment Act as a way to incent adoption of e-health processes among health organizations. The ultimate goal is to improve our nation’s healthcare system by leveraging technology to allow greater access to important health information and empower patients to securely access their own health information.

However, as one of only five organizations authorized to test both complete and modular EHRs by the Office of the National Coordinator (ONC) for Health IT, ICSA Labs questions whether EHR certifications are enough as the criteria represent only minimum requirements. Amit Trivedi, healthcare program manager at ICSA Labs, believes providers should take further steps to heighten the security and privacy of their health IT systems. He also suggests vendors should look beyond the current regulations to address and improve usability, data portability, and information exchange in their products.

That’s right, ICSA Labs, one of five organizations currently authorized to test and certify complete EHRs on behalf of the Office of the National Coordinator for Health Information Technology, seems to think that the standards it tests EHRs against are inadequate, which is something that critics of certification—particularly critics of the Certification Commission for Healthcare Information Technology—have been saying for years. Critics of many of the larger vendors have been saying that, too. But it’s shockingly refreshing to hear this from an actual certification body.

In fact, the publicist for ICSA, a unit of Verizon Business, has offered interviews with executives of two lesser-known vendors, Health System Technology and Design Clinicals, to talk about how they are going beyond the minimum certification requirements. Deadlines beckon, so I didn’t really have time to wait for the publicist to try to find me a schedule opening for one of the executives, but here’s a statement from a March 30 ICSA press release that is somewhat telling:

“This year we are expanding our certification programs into health IT, a much-needed area of focus to help modernize today’s health care system,” said George Japak, managing director for ICSA Labs. “With our new focus on safeguarding patient information within electronic health records, we are committed to helping accelerate the adoption of health IT.”

We don’t hear too much about security in the context of certification from too many other camps, so it’s nice to hear that at least one certification organization is critical of the rules it is under contract to follow. Perhaps we’ll see tougher usability, privacy and security standards in the permanent certification program ONC needs to have in place by the beginning of 2012 to support the forthcoming Stage 2 “meaningful use” requirements from CMS.

Wishful thinking?

Random Thoughts: EMR Projects Decentralized; Problems Persist Despite ‘Solutions’

Posted on August 4, 2011

Once in a while, I run out of Big Ideas to share and resort to a rundown of short items. This is one of those times. Often, though, that approach turns out to be more interesting than a well-thought-out commentary. (Thus, the popularity of Twitter, right?)

Speaking of Big Ideas, I’m thinking that the age of the massive EMR project may be coming to an end. You may have seen my piece in InformationWeek today about the reported end of the national EMR in England. London’s The Independent reported earlier this week that the Cameron government will announce next month that it will scrap the national strategy in favor of allowing local hospitals and trusts to make independent EMR purchasing and implementation decisions.

This news comes on the heels of a decision by the government of Ontario to give up on hopes for a single EMR for all of Canada’s most populous province.

On the other hand, here in the States, we’ve seen a lot of consolidation among healthcare providers, but I’m guessing that has more to do with administrative Accountable Care Organizations and the prospect of bundled payments than any desire to build a more unified EMR. Though, consolidation does make health information exchange somewhat easier, and that’s going to be key to earning “meaningful use” dollars beyond 2013.

On a somewhat similar note, doesn’t a headline like, “Positive Outlook for Small Practice EHR Adoption” sound like a no-brainer? I mean, isn’t that the segment of healthcare providers that historically has had the slowest adoption rates? More than anyone else, small practices—particularly small, primary care practices—are the intended target of the federal EHR incentive program. And most of the news from health IT vendors of late has been about how they are going after this long-neglected market, right? The innovation seems to be happening in ambulatory EMRs, as evidenced by DrChrono’s newly certified iPad EHR app, aimed squarely at independent physicians.

That said, vendors and publicists, please do not start inundating me with news about other EHRs getting certified. There are hundreds of certified products out there now, and I cannot and will not write about, oh, about 95 percent of them.

While you’re at it, please stop using the word “solution” as a synonym for “product” or “service.” Tech journalists hate this trite, lazy and, frankly, inaccurate term so much that I’ve been instructed by the editors of InformationWeek not to use it, except in direct quotes. In fact, I get reminded not to use it pretty much every time I’m forwarded a press release laden with news about someone’s “solution.” Solution to what? I’ve been seeing that term since I started covering health IT more than a decade ago, and I still don’t see much getting solved in healthcare. With all the “solutions” out there, you’d think that healthcare had been fixed by now.

I could get a whole lot more curmudgeonly on you, but I think I’ll stop now and await your comments.


Highly Functional EMRs Aren’t Necessarily High-Functioning

Posted on July 28, 2011

I’ve just turned in a story for InformationWeek Healthcare about the new “Essentials of the U.S. Hospital IT Market, 6th Edition” report from HIMSS Analytics. That report details the progress hospitals and integrated delivery networks have made in IT over the past year and gives an update on how far along providers are according to the HIMSS Analytics EMR Adoption Model. That’s the seven-level scale (eight if you count Stage Zero) that measures adoption of various EMR components.

At the top of the scale, 1 percent of nonfederal hospitals in the U.S. attained Stage 7 in 2010, meaning that the EMR served as the legal medical record for all departments, was capable of exporting patient records as Continuity of Care Documents and had data warehousing and mining in place. That was up from 0.7 percent in 2009. The number of Stage 6 hospitals—with electronic clinician documentation, full clinical decision support and full PACS for radiology—doubled in the same time frame, from 1.8 percent in 2009 to 3.2 percent in 2010.

Here’s how the entire scale breaks down:


Actually, the EMRAM Web page shows newer numbers, through the 2011 second quarter. We’re up to 1.1 percent for Stage 7, 4 percent for Stage 6, 6.1 percent for Stage 5 and 12.3 percent for Stage 4. HIMSS considers Stage 4 to be the closest to the current requirements for “meaningful use” of EMRs.

It’s nice to see progress in installing technology and it’s nice to see hospitals using EMRs in a “meaningful” way, but that doesn’t mean there won’t be problems. As everyone in health IT knows, EMR certification, a prerequisite for meaningful use, does not measure usability, and this still is the first of three stages for meaningful use. That means we’re a long way from perfect, or even ideal. How do I know this?

The mother of a good friend of mine is now on dialysis and eventually will need a kidney transplant because she was given a medication that is contraindicated for Type 2 diabetes, which she suffers from. The harmful interaction resulted in her losing about 80 percent of normal kidney function. This happened at a HIMSS Analytics EMRAM Stage 7 hospital. Apparently, either the patient record didn’t show she was diabetic, the medication order didn’t get flagged, or the ordering physician, pharmacy and administering nurse all missed or ignored an alert. As the chart above illustrates, the medication loop should have been closed by Stage 5.

I’m not going to name the hospital or give any more details because there’s a good chance a malpractice suit is coming. I’m also aware of a medical informaticist with a long history of implementing and working with EMRs losing his mother due to a medical error that an EMR exacerbated. Again, I’ve been asked not to say more because of the legal ramifications.

It’s no secret that healthcare is in trouble. In this push to install technology and earn Medicare and Medicaid bonuses for meaningful use, we can’t take our eyes off the ultimate goal, creating a safer health system.

What Will Happen to Google Health Data After 2012?

Posted on July 21, 2011

Let’s face it, I haven’t actually been nice to Google of late when it comes to healthcare (or maybe I have, just once). While I believe the criticisms are justified, I can see why some people might think I’m beating a dead horse, namely Google Health. But there are some unresolved questions in the area of privacy that Google really should answer.

Google’s ill-fated attempt at a PHR isn’t completely dead. The company won’t “retire” the online service until January, and will allow users to download their data through Jan. 1, 2013. Naturally, others have stepped up to try to fill the (tiny) void left by Google Health’s demise. To nobody’s surprise, Microsoft is helping the remarkably small number of Google Health users transition their accounts to HealthVault, Microsoft’s own overly hyped, underutilized PHR platform.

What concerns me is what will happen to data already on Google’s servers. Will records be archived? Will sensitive patient health data stay on Google’s servers in perpetuity? Nobody has said for sure.

Are records safe from Google’s data-mining juggernaut? Google has consistently said that it would not use health records for anything other than to steer traffic to its core search engine, but let’s face it, Google’s primary source of revenue is from algorithm-driven advertising.

But, you say, HIPAA protects patients from unauthorized uses of their data, right? Well, remember back to 2009, when the American Recovery and Reinvestment Act expressly made third-party data repositories, health information networks and, yes, personal health records, into HIPAA business associates, effectively holding them to the same rules as covered entities under HIPAA.

Wouldn’t you know, both Google and Microsoft came out and said they were not subject to this provision. No less an insider than former national health IT coordinator Dr. David Brailer, who was a part of the legislative negotiations, told me then that lawmakers had Google Health and HealthVault specifically in mind when they crafted the ARRA language. As far as I know, there haven’t been any reported data breaches involving either PHR platform, so there’s been no need to test whether ARRA actually does apply to them, but if I had my data on Google’s or Microsoft’s servers, I’d be concerned. I’d particularly want to know what Google plans on doing with the data it’s been holding once Google Health does shut down.

Perhaps it’s time for me to make some phone calls.

Mostashari Plays Good Cop, Unintentionally Making CMS Look Inflexible

Posted on July 14, 2011

Probably unintentionally, it seems like various HHS branches are playing good cop-bad cop right now.

I’m in Ojai, Calif., right now (please don’t hate me because of it) for the annual Association of Medical Directors of Information Systems (AMDIS) Physician-Computer Connection meeting, a gathering of chief medical information officers and others in the field of what AMDIS likes to call applied medical informatics. That contrasts with the American Medical Informatics Association (AMIA), which tends to draw more from the academic side.

The Office of the National Coordinator for Health Information Technology (ONC) apparently is the good cop. National health IT coordinator Dr. Farzad Mostashari was unable to make it out here from Washington, but he addressed the gathering by telephone. Unfortunately, he called into a cell phone hooked up to the PA system in a room already suffering from poor cellular coverage, so some of his words were clipped. But a few things were clear.

Mostashari indicated that he was in favor of delaying the start of Stage 2 of “meaningful use” to 2014, even for those who meet Stage 1 requirements this year. That’s the recommendation that the Health IT Policy Committee made to him a couple of weeks ago. Furthermore, if CMS approves the delay—CMS is producing and administering the EMR incentive program—Mostashari said that providers will be able to earn three years of Medicare and/or Medicaid bonus payments, not just two years’ worth, prior to the start of Stage 2.

That, not surprisingly, elicited some smiles and nodding from attendees. Mostashari, himself a medical informatics veteran with a primary care and public-health slant, played to the crowd by pointing out how health IT is accelerating real reform of American healthcare—not just an expansion of insurance coverage that to me is just throwing more money at a broken system. “We’re moving away from the fee-for-service model comfortably faster than we had anticipated,” he said.

Meanwhile, CMS came off looking like the bad guy, at least in contrast to ONC.

The agency already is taking a lot of heat from many parts of the healthcare world, which has heaped tons of criticism on the proposed Accountable Care Organizations rule. Just after Mostashari’s session, Ethan Moore, a health IT and HITECH Act specialist at CMS, hosted an update on the Medicare and Medicaid agency’s efforts in health IT, which included two other CMS technical specialists calling in on the phone.

One of the callers delivered a disheartening message to the 200 or so informaticists present: the Oct. 1, 2013, deadline to convert to ICD-10 coding is “firm.” That may not have surprised anyone, but it certainly seemed disappointing, given that there’s probably going to be more time available to achieve later stages of meaningful use.

Moore also showed slides that walked through the online application for attesting to meaningful use. Moore was an engaging speaker, albeit not as enthusiastic as Mostashari, but a lot of eyes still glazed over. Blame it on the relatively early hour if you want, but I think it had more to do with the bureaucratic nature of the process. I suppose there isn’t much anyone can do about that. If there is, I’d love to know exactly what.

Meaningful Use Doesn’t Address ‘Hybrid’ Transition Period

Posted on July 7, 2011

Some 10 years ago, when I first started covering health IT, a lot of the talk was about the “modular” approach to EMR adoption, i.e., put in a piece at a time during a transition period. Much of that had to do with the state of technology at the tail end of the dot-com bubble, when companies developed applications to address one small problem, often in the hopes of getting a larger firm to shell out big bucks for their idea. (Wouldn’t you know, that’s how many vendors, most notably GE Healthcare, put together end-to-end enterprise systems.)

Implicit in any step-by-step transition to EMRs was the idea that there would be an interim period where providers would have to run dual electronic and paper systems. It’s a notion that’s always been with us, but how many people still think of it?

I got a reminder this afternoon when I spoke to Ken Rubin, Iron Mountain’s senior VP and GM for healthcare, who was talking about results of a new survey on progress toward meaningful use. (I was ostensibly doing that interview for InformationWeek Healthcare, so look there tomorrow for coverage. Here, I just want to talk about one aspect of the conversation.) Rubin noted that there seems to be a sort of “no-man’s land” between the paper and digital. “I don’t see a real, well-defined way of dealing with the hybrid world,” when hospitals and medical systems are switching to EMRs while still retaining old paper records.

Obviously, Iron Mountain would like to sell some scanning, data management and shredding services to healthcare organizations, but Rubin has a point. The rules for meaningful use Stage 1 don’t say a thing about what you’re supposed to do with existing paper files, and it doesn’t appear that Stage 2 will address that issue either.

Do you scan all the old files immediately, or wait until each patient’s next visit, then chart electronically going forward? What do you do with the files of inactive patients? Do you archive records in house or offsite? Do you still need rows of files taking up valuable square footage that could be put to better use? What do you do with clerical staff?  Do file clerks become managers of electronic health information, or do you need to replace those people with others trained in HIM?

Rubin noted that this limbo often works against organizations trying to overcome physician resistance to change. “The faster you can get to the other side, the faster you’ll get physician adoption,” he said.

That all makes good sense to me. CIOs and practice managers, what do you think? Have you addressed hybrid workflow during this transition period, or is the siren call of federal dollars for meaningful use too strong?


Private Payers Need to Join Humana, CMS With EHR Subsidies

Posted on June 30, 2011

Ever since the American Recovery and Reinvestment Act became law in February 2009, giving birth to the phrase “meaningful use,” I’ve wondered when private insurers would follow the federal government’s lead and start offering financial carrots and sticks for using and not using EHRs. After all, one of the purposes of the Medicare and Medicaid incentive program was to address the fact that payers tend to reap the greatest financial gains from hospitals and physicians adopting EHRs, even though most if not all of the cost of acquiring the technology falls on the provider.

Federal officials have made it clear all along that “meaningful use” is just that, the meaningful use of the technology. The government was not simply going to write checks so providers could go out and buy technology. As the country’s largest purchaser of  healthcare services, CMS wanted some value for its money (not exactly something you hear every day when it comes to government spending).

I’d been hearing for years that major commercial health insurers also were willing to share some of the savings from EHR adoption, but not until the largest payer of them all, Medicare, did so first. The private sector usually does follow Medicare’s lead when it comes to major policy shifts. Medicare now has done so, but private payers have been mostly silent. Mostly.

This month, as InformationWeek reports, Humana teamed up with Allscripts Healthcare Solutions to offer physician practices financial incentives for purchasing Allscripts EHR systems. The deal is similar to one Humana cut last year with Athenahealth. A few Blue Cross and Blue Shield plans, notably in Massachusetts and Rhode Island, have led similar programs at the state level, with eClinicalWorks the main partner.

But unless I’m forgetting something, Humana is the only big payer that has jumped into the game. Where are the UnitedHealthcares, Aetnas, Cignas and WellPoints of the world?

Payers, it’s time to make good on the lip service you gave years ago and start passing on some of the savings you will realize from Medicare, Medicaid and hundreds of thousands of providers spending billions of dollars on EHR technology and health information exchange efforts.


How Serious Is the Security Threat to Connected Medical Devices?

Posted on June 23, 2011

I’m in New York City this week for the second Mobile Health Expo, which wrapped up Thursday afternoon. You may have seen the story I wrote for InformationWeek based on one session related to the security of networked medical devices.

Since I just do news and not commentary for InformationWeek, I figured EMR and HIPAA—specifically, the HIPAA part—was the perfect forum to discuss a small controversy that I may have stirred up with that story.

The two presenters from Indianapolis-based security firm eProtex talked about how connected medical devices have recently been popping up all over the place. “As little as two years ago, we checked some hospitals and found that there was less than one networked clinical device per bed,” eProtex Executive Director Earl Reber said.

With network connection and exposure to the Internet came heightened threats from viruses and malware, both internal and external, Reber and eProtex Chief Security Officer Derek Brost said. Sometimes it’s because devices are so old that they still run DOS and simply weren’t built for the HIPAA era. Other times, the greater reliance on various versions of Windows makes medical devices vulnerable to attacks.

Often, Brost said, hospitals are trying to protect the wrong assets. “It’s not the actual medical device in most cases [that is at risk]. It’s the individual patient’s health information,” he said.

All this makes a lot of sense, though it is important to note that the warnings are coming from a security vendor with a real interest in selling products and services to prevent and combat insidious threats to medical equipment and other connected devices such as smartphones and tablets.

This was not lost on at least one person, “ZigZagZeke.” In a comment titled “Ignorance,” this poster said in no uncertain terms:

The speaker is using scare tactics to try to make sales of his protection software. Makers of such software are desperately trying to convince people that their Apple products need protection, because as more and more users switch to Apple, sales of anti-virus software are declining. This use of scare tactics is known by an acronym: FUD, which stands for “fear, uncertainty, and doubt.” It is the speaker’s only hope.

I suspect some of the criticism was directed at me for not differentiating between malware and viruses or between Linux/Unix/Macintosh and Windows.

Did I screw up here by not pressing the speakers on these differences, or are Apple devices and operating systems becoming just as vulnerable to data corruption as Windows? Windows became a prime target not just because of security holes, but because of its ubiquity. Now, the iPad and iPhone seem to rule at least the physician market. Wouldn’t that critical mass put Apple iOS in the crosshairs of a growing number of hackers and malware spreaders?

So what’s the real story here? As devices get connected to EMRs and hospital networks and produce more protected health information (PHI), should healthcare providers be concerned about greater HIPAA liability? If so, where should they focus prevention efforts?