
Healthcare Orgs May Be Ramping Up Cybersecurity Efforts

Posted on August 18, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As I’ve noted (too) many times in the past, healthcare organizations don’t have a great track record when it comes to cybersecurity. Compared to other industries, healthcare organizations spend relatively little on IT security overall, and despite harangues from people like myself, this has remained the case for many years.

However, a small new survey by HIMSS suggests that the tide may be turning. It’s not incredibly surprising to hear, as health IT leaders have been facing increasingly frequent cybersecurity attacks. A case in point: In a recent study by Netwrix Corp., more than half of healthcare organizations reported struggling with malware, and that’s just one of many ongoing cybersecurity threats.

The HIMSS cybersecurity survey, which tallies responses from 126 IT leaders, concluded that security professionals are focusing on medical device security, and that patient safety, data breaches and malware were their top three concerns.

In the survey, HIMSS found that 71% of respondents were allocating some of their budgets toward cybersecurity and that 80% said that their organization employed dedicated cybersecurity staff.

Meanwhile, 78% of respondents were able to identify a cybersecurity staffing ratio (i.e. the number of cybersecurity specialists versus other employees), and 53% said the ratio was 1:500, which, according to HIMSS, is considered the right ratio for information-centric, risk-averse businesses with considerable Internet exposure.

Also of note, it seems that budgets for cybersecurity are getting more substantial. Of the 71% of respondents whose organizations are budgeting for cybersecurity efforts, 60% allocated 3% or more of their overall budget to the problem. And that’s not all. Eleven percent of respondents said that they were allocating more than 10% of the budget to cybersecurity, which is fairly impressive.

Other stats from the survey included that 60% of respondents said their organizations employed a senior information security leader such as a Chief Information Security Officer. In its press release covering the survey, HIMSS noted that CISOs and other top security leaders are adopting cybersecurity programs that cut across several areas, including procurement and education/training. The security leaders are also adopting the NIST Cybersecurity Framework.

According to HIMSS, 85% of respondents said they conduct a risk assessment at least once a year, and that 75% of them regularly conduct penetration testing. Meanwhile, 75% said they had some type of insider threat management program in place within their healthcare organization.

One final note: In the report, HIMSS noted that acute care providers had more specific concerns about cybersecurity than non-acute care providers. Over the next few years, as individual practices merge with larger ones, and everyone gets swept up into ACOs, I wonder if that distinction will even matter anymore.

My take is that when smaller organizations work with big ones, everyone’s tech is set up to reach the level better-capitalized players have achieved, and that will standardize everyone’s concerns. What do you think?

Healthcare Blockchain Use Case

Posted on August 3, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

There’s been a lot of talk about using blockchain in healthcare. While I don’t think that it’s the end all be all solution that many make it out to be, I do think that healthcare could benefit in a lot of ways from blockchain.

David Chou recently shared this healthcare use case for blockchain which it looks like he got from Deloitte:

I’d be interested to hear blockchain experts’ thoughts on this use case. Is this reasonable? Could this be reasonably achieved with blockchain? Are there risks to implementing this use case?

We all know about the major challenges associated with interoperability in healthcare. Blockchain itself doesn’t solve a lot of these interoperability problems. It can’t because most of the interoperability problems in healthcare are business problems and not technology problems. However, I wonder if we can make data sharing in healthcare so simple that it would be embarrassing not to do it. Then, we might be on to something.

Other thoughts on blockchain in healthcare? I still have a lot to learn about this new technology.

A Hospital CIO Perspective on Precision Medicine

Posted on July 31, 2017 I Written By

John Lynn

#Paid content sponsored by Intel.

In this video interview, I talk with David Chou, Vice President, Chief Information and Digital Officer with Kansas City, Missouri-based Children’s Mercy Hospital. In addition to his work at Children’s Mercy, he helps healthcare organizations transform themselves into digital enterprises.

Chou previously served as a healthcare technology advisor with law firm Balch & Bingham and Chief Information Officer with the University of Mississippi Medical Center. He also worked with the Cleveland Clinic to build a flagship hospital in Abu Dhabi, as well as working in for-profit healthcare organizations in California.

Precision Medicine and Genomic Medicine are important topics for every hospital CIO to understand. In my interview with David Chou, he provides the hospital CIO perspective on these topics and offers insights into what a hospital organization should be doing to take part in and be prepared for precision medicine and genomic medicine.

Here are the questions I asked him, if you’d like to skip to a specific topic in the video or check out the full video interview embedded below:

What are you doing in your organization when it comes to precision medicine and genomic medicine?

Despite Abundance of Threats, Few Providers Take Serious Steps To Protect Their Data

Posted on July 27, 2017 I Written By

Anne Zieger

I scarcely need to remind readers of the immensity of the threats to healthcare data security out there. Not only is healthcare data an attractive target for cybercriminals, the aforementioned keep coming up with new ways to torture security pros (the particularly evil ransomware comes to mind).

Unfortunately, healthcare organizations are also notorious for spending too little on data security. Apparently, this also extends to spending money on information security governance or risk management, according to a new study.

The study is sponsored by Netwrix Corp., which sells a visibility platform for data security and risk mitigation in hybrid environments. (In other words, the following stats are interesting, but keep your bias alert on.)

Researchers found that 95% of responding healthcare organizations don’t use software for information security governance or risk management and that just 31% of respondents said they were well prepared to address IT risks. Still, despite the prevalence of cybersecurity threats, 68% don’t have any staffers in place specifically to address them.

What’s the source of key IT healthcare security threats? Fifty-nine percent of healthcare organizations said they were struggling with malware, and 47% of providers said they’d faced security incidents caused by human error. Fifty-six percent of healthcare organizations saw employees as the biggest threat to system availability and security.

To tackle these problems, 56% of healthcare organizations said they plan to invest in security solutions to protect their data. Unfortunately, though, the majority said they lacked the budget (75%), time (75%) and senior management buy-in (44%) needed to improve their handling of such risks.

So it goes with healthcare security. Most of the industry seems willing to stash security spending needs under a rock until some major headline-grabbing incident happens. Then, it’s all with the apologies and the hand-wringing and the promise to do much better. My guess is that a good number of these organizations don’t do much to learn from their mistake, and instead throw some jerry-rigged patch in place that’s vulnerable to a new attack with new characteristics.

That being said, the study makes the important point that employees directly or indirectly cause many IT security problems. My sense is that the percent of employees actually packaging data or accessing it for malicious purposes is relatively small, but that major problems created by an “oops” are pretty common.

Perhaps the fact that employees are the source of many IT incidents is actually a hopeful trend. Even if an IT department doesn’t have the resources to invest in security experts or new technology, it can spearhead efforts to treat employees better on security issues. Virtually every employee that doesn’t specialize in IT could probably use a brush up on proper security hygiene, anyway. And retraining employees doesn’t call for a lot of funding or major C-suite buy-in.

Healthcare Cybersecurity Cartoon – Fun Friday

Posted on July 21, 2017 I Written By

John Lynn

This week’s Fun Friday comes from the #IoMTchat (Internet of Medical Things) and was shared by Rasu Shrestha. This cartoon has so many good elements including the great password sticky note. As in most humor, this isn’t too far from the truth.

Rasu is spot on in his tweet too. Key to cybersecurity in healthcare is understanding employee behaviors and motivators. You’ll never change the culture and improve cybersecurity if you don’t understand your employees’ needs.

Healthcare CIOs Focus On Optimizing EMRs

Posted on March 30, 2017 I Written By

Anne Zieger

Few technical managers struggle with more competing priorities than healthcare CIOs. But according to a recent survey, they’re pretty clear what they have to accomplish over the next few years, and optimizing EMRs has leapt to the top of the to-do list.

The survey, which was conducted by consulting firm KPMG in collaboration with CHIME, found that 38 percent of CHIME members surveyed saw EMR optimization as their #1 priority for capital investment over the next three years.  To gather results, KPMG surveyed 122 CHIME members about their IT investment plans.

In addition to EMR optimization, top investment priorities identified by the respondents included accountable care/population health technology (21 percent), consumer/clinical and operational analytics (16 percent), virtual/telehealth technology enhancements (13 percent), revenue cycle systems/replacement (7 percent) and ERP systems/replacement (6 percent).

Meanwhile, respondents said that improving business and clinical processes was their biggest challenge, followed by improving operating efficiency and providing business intelligence and analytics.

It looks like at least some of the CIOs might have the money to invest, as well. Thirty-six percent said they expected to see an increase in their operating budget over the next two years, and 18 percent of respondents reported that they expect higher spending over the next 12 months. On the other hand, 63 percent of respondents said that spending was likely to be flat over the next 12 months and 44 percent over the next two years. So we have to assume that they’ll have a harder time meeting their goals.

When it came to infrastructure, about one-quarter of respondents said that their organizations were implementing or investing in cloud computing-related technology, including servers, storage and data centers, while 18 percent were spending on ERP solutions. In addition, 10 percent of respondents planned to implement cloud-based EMRs, 10 percent enterprise systems, and 8 percent disaster recovery.

The respondents cited data loss/privacy, poorly-optimized applications and integration with existing architecture as their biggest challenges and concerns when it came to leveraging the cloud.

What’s interesting about this data is that none of the respondents mentioned improved security as a priority for their organization, despite the many vulnerabilities healthcare organizations have faced in recent times. Their responses are especially curious given that a survey published only a few months ago put security at the top of CIOs’ list of business goals for the near future.

The study, which was sponsored by clinical communications vendor Spok, surveyed more than 100 CIOs who were CHIME members  — in other words, the same population the KPMG research tapped. The survey found that 81 percent of respondents named strengthening data security as their top business goal for the next 18 months.

Of course, people tend to respond to surveys in the manner prescribed by the questions, and the Spok questions were presumably worded differently than the KPMG questions. Nonetheless, it’s surprising to me that data security concerns didn’t emerge in the KPMG research. Bottom line, if CIOs aren’t thinking about security alongside their other priorities, it could be a problem.

The Case For Accidental Interoperability

Posted on December 22, 2016 I Written By

Anne Zieger

Many of us who follow #HITsm on Twitter have encountered the estimable standards guru Keith Boone (known there as @motorcycle_guy). Keith always has something interesting to share, and his recent article, on “accidental” interoperability, is no exception.

In his article, he describes an aha moment: “I had a recent experience where I saw a feature one team was demonstrating in which I could actually integrate one of my interop components to supply additional functionality,” he writes. “When you build interop components right, this kind of accidental interop shows up all the time.”

In his piece, he goes on to argue that this should happen a lot more often, because by doing so, “you can create lot of value through it with very little engineering investment.”

In an ideal world, such unplanned instances of interoperability would happen often, allowing developers and engineers to connect solutions with far less trouble and effort. And the more often that happened, the more resources everyone involved would have to invest in solving other types of problems.

But in his experience, it can be tough to get dev teams into the “component-based” mindset that would allow for accidental interoperability. “All too often I’ve been told those more generalized solutions are ‘scope expansions,’ because they don’t fit the use case,” and any talk of future concerns is dropped, he says.

While focusing on a particular use case can save time, as it allows developers to take shortcuts which optimize their work for that use case, this approach also limits the value of their work, he argues. Unfortunately, this intense focus prevents developers from creating more general solutions that might have broader use.

Instead of focusing solely on their short-term goals, he suggests, health IT leaders may want to look at the bigger picture. “My own experience tells me that the value I get out of more general solutions is well worth the additional engineering attention,” he writes. “It may not help THIS use case, but when I can supply the same solution to the next use case that comes along, then I’ve got a clear win.”

Keith’s article points up an obstacle to interoperability that we don’t think much about right now. While most of what I read about interoperability options — including on this blog — focuses on creating overarching standards that can tie all providers together, we seldom discuss the smaller, day-to-day decisions that stand in the way of health data sharing.

If he’s right (and I have little doubt that he is) health IT interoperability will become a lot more feasible, a lot more quickly, if health organizations take a look at the bigger purposes an individual development project can meet. Otherwise, the next project may just be another silo in the making.

A Tale of 2 T’s: When Analytics and Artificial Intelligence Go Bad

Posted on July 13, 2016 I Written By

Prashant Natarajan Iyer (AKA "PN") is an analytics and data science professional based out of the Silicon Valley, CA. He is currently Director of Product Management for Healthcare products. His experience includes progressive & leadership roles in business strategy, product management, and customer happiness at eCredit.com, Siemens, McKesson, Healthways & Oracle. He is currently coauthoring HIMSS' next book on big data and machine learning for healthcare executives - along with Herb Smaltz PhD and John Frenzel MD. He is a huge fan of SEC college football, Australian Cattle Dogs, and the hysterically-dubbed original Iron Chef TV series. He can be found on Twitter @natarpr and on LinkedIn. All opinions are purely mine and do not represent those of my employer or anyone else!!

Editor’s Note: We’re excited to welcome Prashant to the Healthcare Scene family. He brings tremendous insights into the ever evolving field of healthcare analytics. We feel lucky to have him sharing his deep experience and knowledge with us. We hope you’ll enjoy his first contribution below.

Analytics & Artificial Intelligence (AI) are generating buzz and making inroads into healthcare informatics. Today’s healthcare organization is dealing with increasing digitization – variety, velocities, and volumes are increasing in complexity and users want more data and information via analytics. In addition to new frontiers that are opening up in structured and unstructured data analytics, our industry and its people (patients included) are recognizing opportunities for predictive/prescriptive analytics, artificial intelligence, and machine learning in healthcare – within and outside a facility’s four walls.

Trends that influence these new opportunities include:

  1. Increasing use of smart phones and wellness trackers as observational data sources, for medical adherence, and as behavior modification aids
  2. Expanding Internet of Healthcare Things (IoHT) that includes bedside monitors, home monitors, implants, etc., creating data in real time – including noise (or, data that are not relevant to expected usage)
  3. Social network participation
  4. Organizational readiness
  5. Technology maturity

The potential for big data in healthcare – especially given the trends discussed earlier – is as bright as in any other industry. The benefits that big data analytics, AI, and machine learning can provide for healthier patients, happier providers, and cost-effective care are real. The future of precision medicine, population health management, clinical research, and financial performance will include an increased role for machine-analyzed insights, discoveries, and all-encompassing analytics.

As we start this journey to new horizons, it may be useful to examine maps, trails, and artifacts left behind by pioneers. To this end, we will examine 2 cautionary tales in predictive analytics and machine learning, look at their influence on their industries and public discourse, and finally examine how we can learn from and avoid similar pitfalls in healthcare informatics.

Big data predictive analytics and machine learning have had their origins, and arguably their greatest impact so far, in retail and e-commerce, so that’s where we’ll begin our tale. Fill up that mug of coffee or a pint of your favorite adult beverage and brace yourself for “Tales of Two T’s” – unexpected, real-life adventures of what happens when analytics (Target) and artificial intelligence (Tay) provide accurate – but totally unexpected – results.

Our first tale starts in 2012 when Target finds itself as a popular story in the New York Times, Forbes, and many global publications as an example of the unintended consequences of predictive analytics used in personalized advertising. The story begins with an angry father in a Minneapolis, MN, Target confronting a perplexed retail store manager. The father is incensed about the volume of pregnancy and maternity coupons, offers, and mailers being addressed to his teenage daughter. In due course, it becomes apparent that the parents in question found out about their teen’s pregnancy before she had a chance to tell them – and the individual in question wasn’t aware that her due date had been estimated to within days and was resulting in targeted advertising that was “timed for specific stages of her pregnancy.”

The root cause for the loss of the daughter’s privacy, parents’ confusion, and the subsequent public debate on privacy and appropriateness of the results of predictive analytics was… a pregnancy predictive analytics model. Here’s how this model works. When a “guest” shops at Target, her product purchases are tracked and analyzed closely. These are correlated with life events – graduation, birth, wedding, etc. – in order to convert a prospective customer’s shopping habits or to make that individual a more loyal customer. Pregnancy and child birth are two of the most significant life events that can result in desired (by retailers) shopping habit modification.

For example, a shopper’s 25 product purchases, when analyzed along with demographics such as gender and age, allowed the retailer’s guest marketing analytics team to assign a “pregnancy predictor” to each [female] shopper and “her due date to within a small window.” In this specific case, the predictive analytics was right, even perfect. The models were accurate, the coupons and ads were appropriate for the exact week of pregnancy, and Target posted a +50% increase in their maternity and baby products sales after this predictive analytics was deployed. However, in addition to one unhappy family, Target also had to deal with significant public discussion on the “big brother” effect, individual right to privacy & the “desire to be forgotten,” disquiet among some consumers that they were being spied on including deeply personal events, and a potential public relations fiasco.

Our second tale is of more recent vintage.

As Heather Wilhelm recounts:

As 2015 drew to a close, various [Microsoft] company representatives heralded a “new Golden Age of technological advancement.” 2016, we were told, would bring us closer to a benevolent artificial intelligence—an artificial intelligence that would be warm, humane, helpful, and, as one particularly optimistic researcher named […] put it, “will help us laugh and be more productive.” Well, she got the “laugh” part right.

Tay was an artificial intelligence bot released by Microsoft via Twitter on March 23, 2016 under the name TayTweets. Tay was designed to mimic the language patterns of a 19-year-old American girl, and to learn from interacting with human users of Twitter. “She was targeted at American 18 to 24-year olds—primary social media users, according to Microsoft—and designed to engage and entertain people where they connect with each other online through casual and playful conversation.” And right after her celebrated arrival on Twitter, Tay gained more than 50,000 followers, and started producing the first hundred of 100,000 tweets.

The tech blogosphere went gaga over what this would mean for those of us with human brains – as opposed to the AI kind. Questions ranged from the important – “Would Tay be able to beat Watson at Jeopardy?” – to the mundane – “is Tay an example of the kind of bots that Microsoft will enable others to build using its AI/machine learning technologies?” The AI models that went into Tay were stated to be advanced and were expected to account for a range of human emotions and biases. Tay was referred to by some as the future of computing.

By the end of Day 1, this latest example of the “personalized AI future” came unglued. Gone was the polite 19-year-old girl that was introduced to us just the previous day – to be replaced by a racist, misogynistic, anti-Semitic troll who resembled an amalgamated caricature of the darkest corners of the Internet. Examples of Tay’s tweets on that day included, “Bush did 9/11,” “Hitler would have done a better job than the #%&!## we’ve got now,” “I hate feminists,” and x-rated language that is too salacious for public consumption – even in the current zeitgeist.

The resulting AI public relations fiasco will be studied by academic researchers, provide rich source material for bloggers, and serve as a punch line in late night shows for generations to follow.

As the day progressed, Microsoft engineers were deleting tweets manually and trying to keep up with the sheer volume of high-velocity, hateful tweets that were being generated by Tay. She was taken down by Microsoft barely 16 hours after she was launched with great promise and fanfare. As was done with another AI bot gone berserk (IBM’s Watson and Urban Dictionary), Tay’s engineers tried counseling and behavior modification. When this intervention failed, Tay underwent an emergency brain transplant later that night. Gone was her AI “brain” to be replaced by the next version – only that this new version turned out to be completely anti-social and the bot’s behavior turned worse. A “new and improved” version was released a week later but she turned out to be… very different. Tay 2.0 was repetitive, with the same tweet going out several times each second, and her new AI brain seemed to demonstrate a preference for new questionable topics.

A few hours after this second incident, Tay 2.0 was “taken offline” for good.

There are no plans to re-release Tay at this time. She has been given a longer-term time out.

If you believe Tay’s AI behaviors were a result of nurture – as opposed to nature – there’s a petition at change.org called “Freedom for Tay.”

Lessons for healthcare informatics

Analytics and AI can be very powerful in our goal to transform our healthcare system into a more effective, responsive, and affordable one. When done right and for the appropriate use cases, technologies like predictive analytics, machine learning, and artificial intelligence can make an appreciable difference to patient care, wellness, and satisfaction. At the same time, we can learn from the two significantly different, yet related, tales above and avoid finding ourselves in similar situations as the 2 T’s here – Target and Tay.

  1. “If we build it, they will come” is true only for movie plots. The value of new technology or new ways of doing things must be examined in relation to its impact on the quality, cost, and ethics of care
  2. Knowing your audience, users, and participants remains a pre-requisite for success
  3. Learn from others’ experience – be aware of the limits of what technology can accomplish or must not do.
  4. Be prepared for unexpected results or unintended consequences. When unexpected results are found, be prepared to investigate thoroughly before jumping to conclusions – no AI algorithm or BI architecture can yet auto-correct for human errors.
  5. Be ready to correct course as-needed and in response to real-time user feedback.
  6. Account for human biases, the effect of lore/legend, studying the wrong variables, or misinterpreted results

Analytics and machine learning have tremendous power to impact every industry including healthcare. However, while unleashing their power we have to be careful that we don’t do more damage than good.

10 Health IT Security Questions Every Healthcare CIO Must Answer

Posted on April 19, 2016 I Written By

John Lynn

Logicalis recently sent out 10 Security Questions Every CIO Must Be Able to Answer. Here’s their list:

  1. If you knew that your company was going to be breached tomorrow, what would you do differently today?
  2. Has your company ever been breached? How do you know?
  3. What assets am I protecting, what am I protecting them from (i.e., theft, destruction, compromise), and who am I protecting them from (i.e. cybercriminals or even insiders)?
  4. What damage will we sustain if we are breached (i.e., financial loss, reputation, regulatory fines, loss of competitive advantage)?
  5. Have you moved beyond an “inside vs. outside” perimeter-based approach to information security?
  6. Does your IT security implementation match your business-centric security policies? Does it rely on written policies, technical controls or both?
  7. What is your security strategy for IoT (also known as “the Internet of threat”)?
  8. What is your security strategy for “anywhere, anytime, any device” mobility?
  9. Do you have an incident response plan in place?
  10. What is your remediation process? Can you recover lost data and prevent a similar attack from happening again?

Given the incredible rise in hospitals being breached or held ransom, it’s no surprise that this is one of the hottest topics in healthcare. No doubt many a hospital CIO has had sleepless nights thanks to these challenges. If you’re a CIO that has been sleeping well at night, I’m afraid for your organization.

The good news is that I think most healthcare organizations are taking these threats seriously. Many would now be able to answer the questions listed above. Although, I imagine some of them need some work. Maybe that’s the key lesson to all of this. There’s no silver bullet solution. Security is an ongoing process and has to be built into the culture of an organization. There are always new threats and new software being implemented that need to be protected.

With that said, health IT leaders need to sometimes shake things up in their organization too. A culture of security is an incredible starting point. However, there’s nothing that focuses an organization more than for a breach to occur. The hyper focus that occurs is incredible to watch. If I was a health IT leader, I’d consider staging a mock breach and see what happens. It will likely open your eyes to some poor processes and some vulnerabilities you’d missed.