
Stanford Survey Generates Predictable Result: Doctors Want EHR Changes

Posted on June 11, 2018 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

I know you’re going to have trouble believing this, but many PCPs think EHRs need substantial changes.

Such is the unsurprising conclusion drawn by a survey conducted by The Harris Poll on behalf of Stanford Medicine. The poll, which took place between March 2 and March 27 of this year, surveyed 521 PCPs licensed to practice in the U.S. who have been using their current EHR system for at least one month.

The physicians were recruited via snail mail from the American Medical Association Masterfile. Figures for years in practice by gender, region and primary medical specialty were weighted where necessary to bring them into line with their actual proportions in the population of PCPs in the U.S.

According to the survey, about two-thirds of PCPs think EHRs have generally improved care (63%). Two-thirds said they were at least somewhat satisfied with their current systems, though only 18% were very satisfied.

Meanwhile, a total of 34% were somewhat or very dissatisfied with their system, and 40% of PCPs said that EHRs create more challenges than benefits. Also, 49% of office-based PCPs reported that using an EHR detracts from their clinical effectiveness. Forty-four percent of PCPs said that the primary value of EHRs is data storage, while just 8% said that the biggest benefits were clinically related.

Improving EHRs’ clinical value will take a lot of effort, with 51% saying they think EHRs need a complete overhaul. Seventy-two percent of PCPs said that improving user interfaces could best address their needs in the immediate future.

Meanwhile, 67% of respondents said that solving interoperability problems should be the top priority for EHR development over the next decade, and 43% reported wanting improved predictive analytics capabilities.

Nearly all (99%) of PCPs said that EHR capabilities should include maintaining a high-quality record of patient data over time, followed closely by providing an intuitive user experience. Also, 88% said that providing clinical decision support at the moment of care was important, followed by identifying high-risk patients in their patient panel (86%).

When asked what EHR features they found most satisfying, they cited maintaining a high-quality patient record (73%), offering patients access to medical records (71%), sharing information with providers across the care continuum (65%) and supporting practice/revenue cycle management needs (60%).

However, EHRs still have a long way to go in offering other preferred capabilities, including changing and adapting in response to user feedback, improving patient-provider interaction, coordinating care for patients with complex conditions and engaging patients in prescribed care plans through mobile technologies. Vendors, you have been warned.

IBM Watson Health Layoffs Suggest AI Strategy Isn’t Working

Posted on June 6, 2018 | Written By Anne Zieger

IBM Watson Health is apparently making massive cuts to its staff, in a move suggesting that its healthcare AI isn’t working.

Watson Health leaders have positioned AI (which they call “cognitive computing”) as the solution to many of the healthcare industry’s problems. IBM pitched Watson technology as a revolutionary tool which could get to the root of difficult medical problems.

Over time, however, it’s begun to look like this wasn’t going to happen, at least for the present. Among other high-profile goofs, IBM Watson has struggled with applying the supercomputing tech to oncology, which was one of its main goals.

Now IBM Watson Health has slashed up to 70% of its staff, according to sources speaking to The Register. The site reports that most of the layoffs are cutting staff within companies IBM bought in an effort to build out its healthcare credentials. These include medical data company Truven, acquired in 2016 for $2.6 billion, medical imaging firm Merge, bought in 2015 for $1 billion, and healthcare management firm Phytel, the site reports.

The cuts reflect a major strategic shift for Watson Health, which was one of IBM’s flagship divisions until recently. Having invested heavily in businesses that might have helped it dominate the health IT world, it now appears to be rethinking its all-in approach.

That being said, no one has suggested that IBM Watson Health will disappear in a poof of smoke. IBM corporate leaders seem dedicated to an AI future. However, if this report is correct, Watson Health is being reorganized completely. That is not too much of a surprise: given how hyped it was, it would have been almost impossible for it to live up to the hype.

To me, this suggests that rolling out healthcare AI tools might call for a completely different business model. Rather than applying brute force supercomputing tools to enterprise healthcare issues, it may be better to build from the ground up.

For example, consider Google’s approach to healthcare AI supercomputing. UK-based DeepMind is building relationships and products from the ground up. Working with the National Health Service, DeepMind Health is bringing mobile tools and AI research to hospitals. Its mobile health tools include Streams, a secure mobile phone app which feeds critical medical information to doctors and hospitals.

In my opinion, the future of AI in healthcare will look more like the DeepMind model and less like IBM Watson’s top-down approach. Building out AI-based tools and platforms for physicians and nurses first just makes sense.

“Shadow” Devices Expose Networks To New Threats

Posted on June 4, 2018 | Written By Anne Zieger

A new report by security vendor Infoblox suggests that threats posed by “shadow” personal devices connected to healthcare networks are getting worse.

The study, which looks at healthcare organizations in the US, UK, Germany, and UAE, notes that the average organization has thousands of personal devices connected to its enterprise network, including personal laptops, Kindles and mobile phones.

Employees from the US and the UK report using personal devices connected to their enterprise network for multiple activities, including social media use (39%), downloading apps (24%), games (13%) and films (7%), the report says.

It would be bad enough if these pastimes only consumed network resources and time, but the problem goes far beyond that. Use of these shadow devices can open up healthcare networks to nasty attacks. For example, social media is increasingly a vector of malware infection, where bad actors successfully urge users to download unfamiliar files.

Health IT directors responding to the study also said there were a significant number of non-business IoT devices connected to their network, including fitness trackers (49%), digital assistants like Amazon Alexa (47%), smart TVs (46%), smart kitchen devices such as connected kettles or microwaves (33%) and game consoles such as the Xbox or PlayStation (30%).

In many cases, exploits can take total control of these devices, with serious potential consequences. For example, one can turn a Samsung Smart TV into a live microphone and other smart TVs could be used to steal data and install unwanted apps.

Of course, IT directors aren’t standing around and ignoring these threats, and they have developed policies for dealing with them. But the report argues that their security policies for connected devices aren’t as effective as they think. For example, while 88% of the IT leaders surveyed said their security policy was either effective or very effective, in many cases employees didn’t even know it was in effect.

In addition, 85% of healthcare organizations have also increased their cybersecurity spending over the past year, and 12% of organizations have increased it by over 50%. Most HIT leaders appear to be focused on traditional solutions, including antivirus software (60%) and cybersecurity investments (57%). In addition, more than half of US healthcare IT professionals said their company invests in encryption software.

Also, about one-third of healthcare IT professionals said the company is investing in employee education (35%), email security solutions and threat intelligence (30%). One in five were investing in biometric solutions.

Ultimately, what this report makes clear is that health IT organizations need to reduce the number of unauthorized personal devices connected to their network. Nearly any other strategy just puts a band-aid on a gaping wound.

Alexa Voice Assistant Centerpiece Of Amazon Health Effort

Posted on June 1, 2018 | Written By Anne Zieger

I don’t know about you, but until recently I had thought of the Amazon Echo as something of a toy. From what I saw, it seemed too cute, too gimmicky and definitely too expensive for my taste. Then I had a chance to try out the Echo my mother kept in her kitchen.

It’s almost embarrassing to say how quickly I was hooked. I didn’t even use many of Alexa’s capabilities. All I had to do was command her to play some music, answer some questions and do a search on the Amazon.com site and I was convinced I needed to have one. Its $99 price suddenly seemed like a bargain.

Of course, being a health IT geek I immediately wondered how the Alexa voice assistant might play a part in applications like telemedicine, but I was spending too much time playing “Name That Song” (I’m an 80s champ) to think things through.

But I had the right instincts. It’s become increasingly clear that Amazon sees Alexa as a key channel for reaching healthcare decision-makers.

According to a story appearing on the CNBC website, Amazon has built a 12-person team within the Alexa voice-assisted division called “health & wellness” whose focus is to make Alexa more useful to healthcare patients and providers. Its first targets include diabetes management, care for mothers and infants and aging, according to people who spoke anonymously with CNBC.

Of course, this effort would involve working through HIPAA rules, but it’s hard to imagine that a company like Amazon couldn’t buy and/or cultivate that expertise.

In the piece, writers Eugene Kim and Christina Farr argue that the mere existence of the health & wellness group is a clear sign that Amazon plans to bring Alexa to healthcare. As long as the Echo can share and upload data in a secure, HIPAA-compliant fashion, the possibilities are almost endless. In addition to sharing data with patients and clinicians, this would make it possible to integrate the data with secure third-party apps.

Of course, a 12-person unit is microscopic in size within a company like Amazon, and from that standpoint, the group might seem like a one-off experiment. On the other hand, its work seems more important when you consider the steps Amazon has already taken in the healthcare space.

The most conspicuous move Amazon has made in healthcare came in early 2018, when it announced a joint initiative with Berkshire Hathaway and J.P. Morgan focused on improving healthcare services. To date, the partnership hasn’t said much about its plans, but it’s hard to argue that something huge couldn’t emerge from bringing together players of this size.

In another, less conspicuous move, Alexa took a step towards competing in the diabetes care market. In the summer of 2017, working with Merck, Amazon offered a prize to developers building Alexa “skills” which could help people with diabetes manage all aspects of their care. One might argue that this kind of project could be more important than something big and splashy.

It’s worth noting at this point that even a monster like Google still hasn’t made bold moves in healthcare (though it does have extraordinarily ambitious plans). Amazon may not find it easy to compete. Still, it will certainly do some interesting things, and I’m eager to see them play out. In fact, I’m on the edge of my seat – aren’t you?

How to Introduce Microservices in a Legacy Healthcare Environment

Posted on May 31, 2018 | Written By

The following is a guest blog post by Nick Vennaro, Co-founder of Capto Consulting.

Healthcare as a whole is finding new ways to use technology to improve population health and patient experience. Population health is looking for a spectrum of precision in patient and provider data as well as clinical cost metrics and matching that data to patient communication, metrics and clinical outcomes. Patient experience requires streamlining information that is both timely and personalized, which is hard to accomplish with monolithic systems.

A monolithic system is usually one that has grown over many years and performs numerous functions that are not architecturally separated. These systems tend to be brittle and not easily changed. The proliferation of mergers and acquisitions in healthcare further exacerbates the complexity of operating multiple monolithic systems within a healthcare network. It is not unheard of to operate 5, 8 or even 12 billing systems in parallel, because combining them would take so much more time, and it is more cost effective to let them operate individually.

An increasingly popular architectural style known as microservices is much better equipped to help healthcare organizations move forward rapidly than the current monolithic, unstructured and difficult-to-maintain systems. While no consensus currently exists on how to define microservices, it’s generally agreed that they are an architectural pattern composed of loosely coupled, autonomous, and independently deployable services that communicate using a lightweight mechanism such as HTTP/REST.

Now is the time for healthcare organizations to be investigating how best to introduce microservices in their legacy environments if they expect to realize a digital transformation. This is particularly important to enterprises that need to make frequent changes to their systems and where time-to-market is paramount.

The benefits and potential hurdles associated with adopting microservices are well documented. On the plus side, the modular and independent nature of microservices enables improvements in efficiency, scalability, speed and flexibility, all the features a nimble healthcare enterprise requires. Detractors, however, frequently point to management and security challenges, especially when they pertain to customer-facing applications and services. These challenges can be overcome with due diligence and planning.

As with virtually all technology decisions, it’s critical to balance risk with reward and, when it comes to microservices, to embrace an evolutionary approach and process. After all, lessons can be learned from both success and failure, and the same is true for implementing microservices that can increase product and service quality, ensure systems are more resilient and secure, and drive revenue growth. This blog post will explain how business and technology leaders can smoothly and successfully introduce microservices in a legacy environment.

It’s all about the monkey

A key requirement of microservices design is to focus service boundaries around application business boundaries. A keen awareness and understanding of service and business boundaries helps right-size services and keeps technology professionals focused on doing one thing and doing it very well.

Astro Teller, the “Captain of Google Moonshots,” humorously advocates that companies “tackle the monkey first,” meaning they should avoid allocating all of their resources to the easy stuff and instead start by addressing the hard problems. The monkey, when deploying microservices in a large, established environment, is understanding and decomposing the legacy systems.

Decompose the legacy environment by identifying seams

In his book, “Working Effectively with Legacy Code,” Michael Feathers presented the idea of a seam as a way to identify portions of code that can be modified without affecting the rest of the code base. This notion of seams can be extended as a method to divide a monolithic system into bounded contexts from which services can be quickly and seamlessly created.

Uncovering seams in applications and building bounded contexts is an important first step in breaking down the monolith. Here are two steps to identify seams:

  • Interview domain experts. This is a key step to learning where the seams are and identifying bounded contexts. Having domain experts who understand what the business should be doing, not just what the system currently does, is critically important.
  • Understand the organizational structure. Often, organizational structure will provide clues to where the seams can be found.

Once the boundaries are identified, along with the programming language and environment that support them, creating packages and sub-packages that contain these bounded contexts should closely follow. This approach makes possible a careful analysis of package usage and dependencies, which is essential to understanding the system fully and quickly, and to ensuring that the code is being tested and instrumented properly.
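One way to make the dependency analysis concrete is a small script that parses each module's imports and reports which candidate bounded contexts depend on which, flagging pairs that import each other, since a two-way dependency means no clean seam exists between them yet. The following is an added example, not code from the post or from Capto; the module sources are constructed, the rule that a top-level directory is a candidate context is an assumption, and only Python modules are handled.

```python
"""Find seams in a toy monolith by mapping imports between candidate bounded contexts.

Added example; the SOURCES below are constructed stand-ins for real module files.
Convention assumed here: the top-level directory of a module is its candidate context.
"""
from __future__ import annotations

import ast
from collections import defaultdict

# Constructed sources for a toy monolith, keyed by module path.
SOURCES = {
    "billing/invoice.py": "import claims.submit\nfrom billing import ledger\n",
    "billing/ledger.py": "import datetime\n",
    "claims/submit.py": "from claims import rules\nimport billing.ledger\n",
    "claims/rules.py": "import re\n",
    "scheduling/calendar.py": "import billing.invoice\nimport datetime\n",
}


def context_of(path: str) -> str:
    """Map a module path like 'billing/invoice.py' to its candidate context 'billing'."""
    return path.split("/")[0]


def imported_modules(source: str) -> list[str]:
    """Return the dotted module names a source text imports (both import styles)."""
    names: list[str] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.extend(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            names.append(node.module)
    return names


def context_edges(sources: dict[str, str]) -> dict[tuple[str, str], list[tuple[str, str]]]:
    """Collect imports that cross a context boundary; stdlib and unknown modules are ignored."""
    contexts = {context_of(path) for path in sources}
    edges: dict[tuple[str, str], list[tuple[str, str]]] = defaultdict(list)
    for path, source in sources.items():
        src_ctx = context_of(path)
        for module in imported_modules(source):
            dst_ctx = module.split(".")[0]
            if dst_ctx in contexts and dst_ctx != src_ctx:
                edges[(src_ctx, dst_ctx)].append((path, module))
    return dict(edges)


def tangled_pairs(edges: dict[tuple[str, str], list]) -> set[frozenset[str]]:
    """Contexts that import each other: no clean seam exists between them yet."""
    return {frozenset(pair) for pair in edges if (pair[1], pair[0]) in edges}


def seam_report(sources: dict[str, str]) -> dict:
    """Summarise cross-context edges, tangled pairs, and the one-way (seam-ready) edges."""
    edges = context_edges(sources)
    tangled = tangled_pairs(edges)
    one_way = sorted(pair for pair in edges if frozenset(pair) not in tangled)
    return {"edges": edges, "tangled": tangled, "one_way": one_way}


if __name__ == "__main__":
    report = seam_report(SOURCES)
    for (src, dst), uses in report["edges"].items():
        print(f"{src} -> {dst}: {uses}")
    for pair in report["tangled"]:
        print("tangled (no seam yet):", sorted(pair))
    print("one-way edges, candidate seams:", report["one_way"])
```

On the constructed sources the script reports that scheduling depends on billing one way (a seam candidate), while billing and claims import each other, so that pair has to be untangled (for example by introducing an explicit interface) before either can be extracted as a service.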

Healthcare is a prime candidate for using microservices to find the seams and decompose the monolithic infrastructure. It allows modernization as well as merging technologies without a complete and disruptive overhaul of the monolith at one time. This gives the healthcare organization more flexibility and a greater ability to compete on many levels; it’s a relatively fast route to a more agile delivery of population health and patient experience.

About Nick Vennaro
Nick Vennaro is cofounder of Capto, a management consulting firm. Nick has more than 25 years of experience leading enterprise-scale technology and business management initiatives for Fortune 500 companies. Nick will be presenting May 31 at the Healthcare IT Expo on “Using Outcomes-based Contracts to Increase Performance and Innovation.”

What Will 5G Mean for Healthcare?

Posted on May 29, 2018 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The above tweet also included an image, but I decided it was too disturbing to embed on this blog. Yeah, I know that means you all just clicked through to see it. While a bit disturbing, the picture definitely made me stop and ask the question, “What does 5G mean for healthcare?”

I’m not sure how many people have been following 5G, but it’s getting really close to becoming a reality. For those not familiar with the technology, here’s an anecdote that highlights how fast 5G can be: “In testing, the transfer speeds for the ‘5G’ network sent data at 1.056 Gbit/s to a distance of up to 2 kilometers.”

1 Gig per second. What would it mean if you could transfer 1 Gig per second wirelessly? Now, I should note that it’s going to take some time for the devices to be able to support these kinds of speeds. Plus, it will also take the applications time to figure out what to do with this type of speed. However, it completely changes how we think about what we’re streaming.

In healthcare, those radiology images that are so big would be nothing to share with anyone anywhere anytime. You could literally have multiple HD cameras filming your healthcare experience live in real time with no issues at that speed. Genomic data is huge, but it could easily be shared with these types of speeds to anyone that needs it anywhere.

This is just the obvious stuff. What’s so incredible about reaching new types of breakthrough speeds like this is that it enables us to discover new opportunities that we couldn’t even think of previously because the speeds made that type of thinking impossible. When you look at the volume of data that sensors will be streaming about our lives, you can see why these speeds could be extremely valuable. Plus, at these speeds, federated data becomes much easier to stomach because you know even large data sources are available with ease.

What do you think of 5G data? How do you think it will impact healthcare? It’s amazing how broadband changed so many things we do online and enabled so many new services. 5G could and likely will do the same.

The State Of Healthcare Cybersecurity (Part 2)

Posted on May 22, 2018 | Written By Anne Zieger

In Part 1 of this series, which drew data from a study by Black Book Market Research, I described how insecure healthcare leaders felt their cybersecurity protections to be. I also noted that a large number of providers are struggling to recruit senior health IT experts, and as a result are basically winging it when it comes to breach protection.

Healthcare organizations’ data security problems run deeper than that, however, the study suggests. Not only are C-level execs finding security investments to be troublesome, IT managers responding to the survey admit that they, too, feel that they are not fully prepared to defend their institution’s data.

To begin with, 74% of surveyed CIOs admitted that they failed to evaluate the total cost of ownership before signing a deal with a cybersecurity solution or service provider, and 89% said they bought their cybersecurity solution to be compliant with security regs, not necessarily to reduce security risks.

And the failure to protect critical information doesn’t stop there. For example, 57% of IT managers said that they hadn’t taken stock of the full variety of cybersecurity solutions that currently exist, notably mobile security environments, intrusion detection, attack prevention, forensics and testing.

Also, many healthcare institutions seem to react only after they’ve been invaded. According to Black Book, 58% of hospitals didn’t select their current security vendor until after a data security incident, and 32% of healthcare organizations hadn’t scanned for vulnerabilities before an attack.

What’s more, 83% of healthcare organizations haven’t staged a cybersecurity drill which included an incident response process, which arguably leaves them particularly unprepared. Not only that, when an attack comes, some won’t catch it right away, as 29% said they don’t have an adequate solution to instantly detect and respond to cyberattacks.

Meanwhile, 16% of respondents reported being uncomfortable working with vendors that do a hard sell when they find security flaws and vulnerabilities. These insecurities aren’t surprising given that 60% of healthcare enterprises haven’t formally identified specific security objectives and requirements and integrated them into a strategic and tactical plan for breach prevention.

Given how unfocused many security plans are, it’s not surprising that 22% of provider organizations believe their cybersecurity position will worsen between now and the second quarter of 2019. Only 12% of hospitals and 9% of physician organizations reported that they expected to see cybersecurity improvements.

The bottom line here is that if the Black Book research is correct, many healthcare organizations are frighteningly unprepared to protect their data, much less survive a serious attack relatively unscathed. For everyone’s sake, let’s hope that providers wise up to the need for strategic, substantial investments in security technology and staff.

The State Of Healthcare Cybersecurity (Part 1)

Posted on May 21, 2018 | Written By Anne Zieger

Healthcare data has never been under more outside threats than it is today. For a number of reasons, this data has become more attractive to cybercriminals and can be sold on the dark web for a pretty penny. Not only that, emerging threats like ransomware attacks are hitting home and wreaking havoc with the institutions they target.

Unfortunately, according to a new study by Black Book Market Research, healthcare organizations don’t seem to be adequately prepared for this onslaught.

The survey, which collected responses from more than 2,464 security pros working at 680 provider organizations, found that health IT leaders aren’t confident they can defend themselves against cyberattacks. In fact, 96% of IT professionals who responded said that the attackers are significantly ahead of them and could probably cut through the protection their organizations have in place.

Given that stat, it’s not surprising that over 90% of healthcare organizations have seen a data breach since Q3 2016. Worse, almost 50% reported that they had more than five data breaches during this period. Not only that, more than 180 million records have been stolen since 2015, a staggering haul which affects roughly one in every 12 healthcare consumers.

On the surface, it might seem surprising that healthcare organizations haven’t toughened their defenses given the number of threats they face. Actually, they are, but they’re being outgunned. It’s not that they’re not making cybersecurity investments, but both the level of investment and their strategy for deployment may be inadequate.

In a surprisingly frank set of disclosures, one-third of hospital executives that bought cybersecurity solutions between 2016 and 2018 said they did so blindly without much vision or understanding of what they were getting for their money. Respondents said that 92% of data security product and services buying decisions were made at the C-level, and the process didn’t include any users or affected department managers.

One reason that C-level executives with little relevant knowledge are making security investment decisions is that they don’t have anyone senior to consult – and the problem is extremely common.

The survey found that 84% of hospitals responding had no dedicated security executive in place. Most say that it’s difficult to recruit a qualified chief security officer, which is why they’re going bare on data security and stumbling through the buying process as best they can.

Some organizations are responding to the shortage of C-level tech talent by outsourcing the function. Twenty-one percent said they outsource security to partners, consultants or selected security-as-a-service options as a placeholder.

Given this interest in outsourcing, healthcare organizations are signing deals with security services and outsourcing companies five times more often than they’re buying cybersecurity products and software. Vendors, in turn, are responding by diversifying the portfolio of services they offer. Still, that’s unlikely to be enough over the long term.

All of this suggests that the healthcare industry is in a security crisis. I’ll offer more details on the situation in part two of this series.

More Than 1.1 Million Patient Records Breached During Q1 of 2018

Posted on May 14, 2018 | Written By Anne Zieger

Well, this isn’t a pretty picture. According to research by Protenus, roughly 1.3 million patient records were breached between January and March of this year. (The actual number is 1,129,744 records, for those who like to be precise.)

During that quarter, the healthcare industry saw an average of at least one data breach per day, racking up 110 health data breaches during this period, according to the Protenus Breach Barometer.

The researchers found that the single largest breach taking place during Q1 2018 was an intrusion involving an Oklahoma-based healthcare organization. The breach, which exposed patient billing information for 279,856 patients, resulted from an unauthorized third-party gaining access to the health system’s network.

If you assume that the other breaches were also executed by external cyberattackers, think again. According to the data, healthcare staffers represented a far bigger risk of being involved in security violations.

The data suggests that such insiders were most likely to illegally access data on their family members, a problem which accounted for 77.1% of privacy violations in the first quarter of this year. Accessing records on coworkers was the second most common insider-related violation, followed by accessing neighbor and VIP records.

Not only that, Protenus researchers found that if a healthcare employee breaches patient privacy once, there’s a greater than 20% chance they will breach privacy again within three months. Worse, there’s a greater than 54% chance they will do so again within a year. That’s a pretty nasty form of compounding risk.

And do healthcare institutions catch breaches right away? According to Protenus research, it takes healthcare organizations an average of 244 days to detect breaches once they take place. As readers know, some of these events involve information being exposed to the Internet, offering private information to the public via an unprotected interface. Also pretty ugly, and also a source of lousy PR for the organization.

This research is a sobering follow-up to the company’s year-end report for 2017. Last year, according to Protenus research, there was an average of one health data breach per year in 2017. The 407 incidents it identified affected 5,579,438 patient records.

The largest breach taking place last year involved a rogue insider, a hospital employee, who inappropriately accessed billing information on 697,800 patients. The rest of the top 10 largest data breaches largely sprang from insider errors.

Wow. If it wasn’t evident already, it’s pretty clear now that healthcare organizations need to tighten up their internal data security measures and training substantially.

While there will always be some folks who want to snoop on celebrity records to find imaging medical information on their ex, and some who plan to sell the information outright, a greater number simply need to be reminded what the rules are. (Or so I assume and fervently hope.)

Why You Shouldn’t Take Calculated Risks with Security

Posted on May 9, 2018 | Written By

The following is a guest blog post by Erin Gilmer (@GilmerHealthLaw).

Calculated risks are often lauded in innovation.  However, with increasing security breaches in the tech industry, it is time to reassess the calculated risks companies take in healthcare.

Time and again, I have advised technology companies and medical practices to invest in security, and yet I am often met with resistance; a culture of calculated risk prevails.  To these companies and practices, this risk may make sense in the short term. Resources are often limited, and so they often believe that they needn’t spend the time and money on security.  However, the notion that a company or a practice can take this chance is ill-advised.

As a recent study conducted by HIMSS (and reviewed by Anne Zieger here) warns, “significant security incidents are projected to continue to grow in number, complexity and impact.” Thus, in taking the calculated risk not to invest in security, companies and practices are creating greater risk for themselves in the long run, one that comes with severe consequences.

As we have seen outside of healthcare, even “simple” breaches of user names and passwords, such as the one that hit Under Armour’s MyFitnessPal app, become important use cases illustrating the impact a security breach can have. While healthcare companies typically think of this in terms of HIPAA compliance and oversight by the Office for Civil Rights (OCR), the consequences reach far wider.  Beyond the fines or even jail time that the OCR can impose, what these current breaches show us is how easy it is for the public to lose trust in an entity.  For a technology company, this means losing valuation, which could signal a death knell for a startup. For a practice, this may mean losing patients.  For any entity, it will likely result in substantial legal fees.

Why take the risk not to invest in security? A company may think they are saving time and money up front and the likelihood of a breach or security incident is low. But in the long run, the risk is too great – no company wants to end up with their name splashed across the headlines, spending more money on legal fees, scrambling to notify those whose information has been breached, and rebuilding lost trust.  The short term gain of saving resources is not worth this risk.

The best thing a company or practice can do to get started is to run a detailed risk assessment. This is already required under HIPAA but is not always made a priority.  As the HIMSS report also discussed, there is no one standard for risk assessment, and the OCR is often flexible, knowing entities may be of different sizes and have different resources. While encryption standards and network security should remain a high priority with constant monitoring, there are a few standard aspects of risk assessment, including:

  • Identifying information (in either physical or electronic format) that may be at risk including where it is and whether the entity created, received, and/or is storing it;
  • Categorizing the risk of each type of information in terms of high, medium, or low risk and the impact a breach would have on this information;
  • Identifying who has access to the information;
  • Developing backup systems in case information is lost, unavailable, or stolen; and
  • Assessing incident response plans.

Additionally, it is important to ensure proper training of all staff members on HIPAA policies and procedures including roles and responsibilities, which should be detailed and kept up to date in the office.

This is merely a start and should not be the end of the security measures companies and practices take to ensure they do not become the next use case. When discussing a recent $3.5 million settlement, OCR Director Roger Severino recently emphasized that, “there is no substitute for an enterprise-wide risk analysis for a covered entity.” Further, he stressed that “Covered entities must take a thorough look at their internal policies and procedures to ensure they are protecting their patients’ health information in accordance with the law.”

Though this may seem rudimentary, healthcare companies and medical practices are still not following simple steps to address security and are taking the calculated risk not to – which will likely be at their own peril.

About Erin Gilmer
Erin Gilmer is a health law and policy attorney and patient advocate. She writes about a range of issues on different forums including technology, disability, social justice, law, and social determinants of health. She can be found on Twitter @GilmerHealthLaw or on her blog at www.healthasahumanright.wordpress.com.