
The State Of Healthcare Cybersecurity (Part 2)

Posted on May 22, 2018 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

In Part 1 of this series, which drew data from a study by Black Book Market Research, I described how insecure healthcare leaders felt their cybersecurity protections to be. I also noted that a large number of providers are struggling to recruit senior health IT experts, and as a result are basically winging it when it comes to breach protection.

Healthcare organizations’ data security problems run deeper than that, however, the study suggests. Not only are C-level execs finding security investments to be troublesome, IT managers responding to the survey admit that they, too, feel that they are not fully prepared to defend their institution’s data.

To begin with, 74% of surveyed CIOs admitted that they failed to evaluate the total cost of ownership before signing a deal with a cybersecurity solution or service provider, and 89% said they bought their cybersecurity solution to be compliant with security regs, and often, not necessarily to reduce security risks.

And the failure to protect critical information doesn’t stop there. For example, 57% of IT managers said that they hadn’t taken stock of the full variety of cybersecurity solutions that currently exist, notably mobile security environments, intrusion detection, attack prevention, forensics and testing.

Also, many healthcare institutions seem to react only after they’ve been invaded. According to Black Book, 58% of hospitals didn’t select their current security vendor until after a data security incident, and 32% of healthcare organizations hadn’t scanned for vulnerabilities before an attack.

What’s more, 83% of healthcare organizations haven’t staged a cybersecurity drill which included an incident response process, which arguably leaves them particularly unprepared. Not only that, when an attack comes, some won’t catch it right away, as 29% said they don’t have an adequate solution to instantly detect and respond to cyberattacks.

Meanwhile, 16% of respondents reported being uncomfortable working with vendors that do a hard sell when they find security flaws and vulnerabilities. These insecurities aren’t surprising given that 60% of healthcare enterprises haven’t formally identified specific security objectives and requirements and integrated them into a strategic and tactical plan for breach prevention.

Given how unfocused many security plans are, it’s not surprising that 22% of provider organizations believe their cybersecurity position will worsen between now and the second quarter of 2019. Only 12% of hospitals and 9% of physician organizations reported that they expected to see cybersecurity improvements.

The bottom line here is that if the Black Book research is correct, many healthcare organizations are frighteningly unprepared to protect their data, much less survive a serious attack relatively unscathed. For everyone’s sake, let’s hope that providers wise up to the need for strategic, substantial investments in security technology and staff.

Barriers to Better Healthcare Cybersecurity

Posted on May 4, 2018 | Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

We often say in healthcare that we need to learn from other industries. We try to do that as much as possible on this blog and this is one of those cases. HIPAAEx recently shared this image that illustrates many of the barriers that local governments face to better cybersecurity. Many of them are money issues like paying high cybersecurity salaries and hiring and training cybersecurity staff, but the largest barrier is lack of support. See the details below:

Does this sound like some of the same issues that we have when it comes to barriers to effective cybersecurity in healthcare? It does to me.

While healthcare does deal with these same challenges, I have to admit how drastic the change has been when it comes to support for cybersecurity efforts from healthcare leaders. It used to not even be an afterthought. That’s still sadly true in many healthcare organizations. However, I’m seeing more and more healthcare organizations that have seen cybersecurity as a strategic priority.

Healthcare organizations know the damage that’s caused when they have a massive breach occur that shouldn’t happen. They’re finally starting to wake up to this fact. Most are taking a two-fold approach: how do I prevent a breach from occurring and what’s my process when a breach occurs?

The problem with cybersecurity is that it’s never done. You can’t look at cybersecurity as a project that’s complete and now you can move on to something else. Cybersecurity is always changing and has to become part of the culture of your organization if you want to have any hope of keeping up and avoiding any major cybersecurity disasters.

How does this chart stack up with your experience? What are your barriers to healthcare cybersecurity? Please share your thoughts and experiences in the comments and with us on social media @HealthcareScene.

Procrastinator’s Guide to #HIMSS18 and Other Conferences

Posted on March 1, 2018 | Written By

Colin Hung is the co-founder of the #hcldr (healthcare leadership) tweetchat, one of the most popular and active healthcare social media communities on Twitter. Colin speaks, tweets and blogs regularly about healthcare, technology, marketing and leadership. He is currently an independent marketing consultant working with leading healthIT companies. Colin is a member of #TheWalkingGallery. His Twitter handle is: @Colin_Hung.

I have a confession to make. I have never actually managed to follow any of the popular advice that encourages people to prepare for HIMSS weeks in advance.

As I think back across the 12 HIMSS conferences I have attended, I can’t remember a single time when I started earlier than the week before (the only exception being booth logistics). I never reached out to people to pre-arrange meetings. I never looked at the session schedule more than 5 days before the conference. Even when I was in a sales and business development role, I always found myself scrambling with a week to go.

As I moved into Marketing roles, I did do a little more planning, but it was mostly to make sure the booth had power, carpet, etc. Inevitably I would start my personal HIMSS planning the week before the big event.

So if you find yourself in the same situation for #HIMSS18 (which starts next week) take heart. There is still time to maximize your HIMSS time. Here is my Procrastinator’s Guide to HIMSS18 (and other conferences as well). Enjoy.

Attend as many meetups as you can

Meetups are hands-down the most productive networking events at HIMSS. It doesn’t matter if it’s an official HIMSS meetup (usually held at HIMSS Spot or in the HIMSS Booth) or one that is hosted by a company. Meetups attract thought-leaders and key industry influencers. This is a double-bonus. Not only will you get the chance to connect with the experts leading the discussion, but they will draw in a big crowd of people which provides the opportunity for rich networking.

Do a quick search on Twitter, Facebook, LinkedIn or even Google for “HIMSS18 meetup”. Find a meetup that matches your interests or is aligned with the product/service you offer and put it in your calendar. Another great starting point is this list of meetups that John Lynn put together for #HIMSS18.

Arrive at the meetup 10 minutes before it starts, smile and meet as many people as you can. When you hear an interesting idea, turn to the person next to you and comment on it. Don’t worry, audience participation is encouraged at meetups (it’s not a panel presentation after all). Even better, ask a good question or offer up an interesting fact.

At each meetup it is possible to connect with 5-10 people. Who says you need to pre-arrange all your HIMSS meetings?

Search for sessions where your target audience will be

If you are in a Sales or Marketing role one of the best ways to meet people who might be interested in the products/services you offer is to attend related sessions. Use the HIMSS Session Search feature on the conference website or in the HIMSS app and look for educational sessions on topics that align. For example: “remote patient monitoring” or “care coordination” or “physician communication”.

Attend the session and get to know as many of your fellow audience members as you can. In Marketing-speak, anyone in the audience has just self-identified themselves as an early stage buyer. Mine for the gold!

Pro Tip I: Arrive early. Preferably as the prior session is ending so that you can get in and secure a good seat.

Pro Tip II: If you are interested in connecting with someone from a specific organization, use the session search on the HIMSS website and type in the name of the organization. Anybody speaking from that organization will appear in the results. Hang out after the presentation for your chance to connect.

Download interesting presentations ahead of time

One of the toughest challenges when building slide decks and blog posts is finding relevant statistics. Luckily HIMSS presentations are full of useful facts and figures. Search for sessions on topics that interest you or that you sell into and download the presentation. Voilà, your research is done.

Plan on visiting with industry media

If you are a small or medium-sized company, it is almost impossible to get the attention of editors, reporters and writers at healthcare publications at HIMSS. This is my first year attending HIMSS as a member of the press and I can tell you first-hand that there is literally no way I can fit another meeting into my calendar and it was filled a couple of weeks ago. As a result I have dozens of unread media-request emails that I simply cannot get to.

If connecting with media is on your HIMSS to-do list, then use the HIMSS Exhibitor Search feature to see if the particular publication has a booth in the exhibit hall. Be friendly to the business development folks in the booth and they will help get you in touch with the writer/editor that you are trying to connect with.

Pro Tip III: If you REALLY want to connect with a particular person at a publication, you can try heading to the HIMSS Press Room and asking for them. The Press Room is the place that HIMSS sets aside for people to write their articles and conduct interviews. It’s also the unofficial place where media folks hang out when they have a lull in their schedule.

Pro Tip IV: Check out the New Media Meetup which Healthcare Scene organizes every year. The event attracts bloggers, podcasters, YouTubers and traditional media. It is a fantastic place to connect. This year’s event is sponsored by CareCognitics.

Team up with one of your clients and become their party agent

There is no shortage of evening events at HIMSS, especially when it is in Las Vegas. If you didn’t get a pre-HIMSS invitation, don’t worry (for years I never got a single invite and I still only get a handful). Many companies recruit attendees to their evening soirees during the conference itself. If you are a fellow vendor, however, it can sometimes be awkward to try and get into someone else’s event.

In the past I have teamed up with one of my clients (usually one I enjoy hanging out with) and I become their party “agent”. I grab a few of my client’s business cards at the start of HIMSS and I carry them with me. When I see an interesting party I walk up and ask for an invitation for myself and my client. I drop their card to show that I am legitimately asking on their behalf. It won’t be long before your evening is full. Just don’t be that person that uses this tip and then doesn’t bring the client.

Buy coffee for a stranger

Many salespeople and marketers attending HIMSS are measured on the number of “new contacts” garnered from the event. This type of measure encourages booth denizens to aggressively flag down people walking past their booths to try and scan their badge. I admit I used to do this, but it always made me feel slimy. Then one day I stumbled onto a better method when I decided to do a good deed at HIMSS09. I bought a coffee for a total stranger. Seriously.

One morning I decided that I wanted to brighten someone else’s day. I was in line at Starbucks and I just decided to pay for the order of the person who had also just ordered at the register next to me. The gentleman, who had been in a #HIMSSHaze, perked up and smiled. It turned out he was the CIO of a mid-sized hospital. We spoke for 15 minutes at the Starbucks and we exchanged cards. I tried it five more times that day and each time I had a great conversation and ended up with a strong connection.

Try it. You’ll be surprised at how effective this is…and you’ll feel amazing having done a good deed.

So there you have it. With just a few days before #HIMSS18 there is still time to do all the things above. Play your cards right at #HIMSS18 (sorry couldn’t resist the Vegas cliché) and you’ll come home with new friends and valuable connections.

See you in Vegas!


Three Pillars of Clinical Process Improvement and Control

Posted on February 21, 2018 | Written By

The following is a guest blog post by Brita Hansen, MD, Chief Medical Officer at LogicStream Health.

In a value-based care environment, achieving quality and safety measures is a priority. Health systems must have the capabilities to measure a process following its initial implementation. The reality, however, is that traditional improvement methods are often plagued with lagging indicators that provide little (if any) insight into areas requiring corrective actions. Health systems have an opportunity to make a significant impact on patient care by focusing on three pillars of clinical process improvement and control: quality and safety, appropriate utilization and clinician engagement.

Quality and Safety

Data in a health system’s electronic health record (EHR) typically is not easily accessible. Providers struggle to aggregate the data they need in a timely manner, often with limited resources, thereby hindering efforts to measure process efficacy and consistency. To achieve sustainable quality improvements, clinical leaders must equip their teams with advanced software solutions capable of delivering highly-actionable insights in near-real-time, thereby allowing them to gain a true understanding of clinical processes and how to avoid clinical errors and care variations.

Clinicians need instant insights into what clinical content in their EHR is being used; by whom; and how it affects patient care. This data empowers providers with the ability to continuously analyze and address care gaps and inefficient workflows.

For example, identifying inappropriate uses of Foley catheters that lead to catheter-associated urinary tract infections (CAUTI) allows clinical leaders to make targeted improvements to the care process or to counsel individual clinician outliers on appropriate best practices. This will, in turn, reduce CAUTI rates. To most effectively improve clinical processes, clinicians need software tools that enable them to examine those processes in their entirety, including process steps within the EHR, patient data and the actions of individual clinicians or groups as they interact with the care process every day.

Only with instant insight into how the care process is being followed can clinicians see in real-time what is happening and where to intervene, make the necessary changes in the EHR workflow, then measure and monitor the effects over time to improve care delivery in a sustainable way.

Appropriate Utilization

Verifying appropriate utilization of best practices also plays a critical role in optimizing clinical processes. Yet healthcare organizations often lack the ability to identify and correct the use of obsolete tests, procedures and medications. When armed with dynamic tools that quickly and easily allow any individual to understand the exact location of ordering opportunities for these components, an organization can evaluate its departments, clinicians, and patient populations for ineffective ordering patterns and areas that require greater compliance. By assessing areas in need of intervention, organizations can notify clinicians of the most up-to-date best practices that, when integrated into clinical workflows, will improve care and yield significant cost savings. Through targeted efforts to ensure proper usage of high-cost and high-volume medications, lab tests and other orderables, for example, health systems can achieve significant savings while improving the quality of care delivery.

The benefits of such an approach are reflected in one health system’s implementation of clinical process improvement and control software, which allowed them to more effectively manage the content in their EHR, including oversight of order sets. Specifically, the organization focused on reviewing the rate of tests used to diagnose acute myocardial infarctions (heart attacks). It discovered that physicians were regularly ordering an outdated Creatine kinase-MB (CKMB) lab test along with a new, more efficient test for no other reason than it was pre-checked on numerous order sets.

Although the test itself was inexpensive, the high order rate led to massive waste and increased the cost of care. Leveraging the software enabled the organization to quickly identify the problem, then significantly reduce costs and save resources by eliminating an unnecessary test that otherwise would have remained hidden within the EHR.

Clinician Engagement

Enhancing clinician engagement is key to addressing dissatisfaction and burnout, often traced to alert fatigue and a lack of order set optimization within an EHR. The typical health system averages 24 million alert firings per year. Confronted with a high volume of unnecessary warnings, clinicians ignore alerts 49 percent to 96 percent of the time, resulting in poor compliance with care protocols. EHRs often contain an overwhelming number of order sets that can lead to confusion about best practices for patient care and a frustrating amount of choice to navigate. To increase engagement, alerts must be designed to send the right information, to the right person, in the right format, through the right channel, at the right time in the workflow; and order sets should be streamlined and make it easy for clinicians to follow the up-to-date best clinical practices.

For example, one hospital utilized EHR-generated alerts targeting potential cases of sepsis. These alerts, however, were rarely acted upon as they were not specific enough and fired inappropriately at such exhaustive rates clinicians grew to simply ignore them, creating a clear case of alert fatigue. By fine-tuning alerts and adjusting the workflow to ensure alerts were sent to the right clinician at the optimal time, the hospital was able to achieve and maintain nearly full compliance with its initiative. As early detection and treatment of sepsis increased, the hospital also reduced length of stay in its intensive care unit. Data-driven targeted interventions were developed to address outliers whose actions were driving unnecessary variation in the process.

Ultimately, when the three pillars—quality and safety, appropriate utilization and clinician engagement—are used as the building blocks for standardizing and controlling vital clinical processes, multiple objectives can be realized. Empowered with technology that supports these factors, healthcare organizations can truly achieve sustainable, proactive clinical process improvement and control.

Dr. Brita Hansen is a hospitalist at Hennepin County Medical Center in Minneapolis and Assistant Professor of Medicine at the University of Minnesota School of Medicine. Dr. Hansen also serves as Chief Medical Officer of LogicStream Health.

Health IT Leaders Spending On Security, Not AI And Wearables

Posted on December 18, 2017 | Written By Anne Zieger

While breakout technologies like wearables and AI are hot, health system leaders don’t seem to be that excited about adopting them, according to a new study which reached out to more than 20 US health systems.

Nine out of 10 health systems said they increased their spending on cybersecurity technology, according to research by the Center for Connected Medicine (CCM) in partnership with the Health Management Academy.

However, many other emerging technologies don’t seem to be making the cut. For example, despite the publicity it’s received, two-thirds of health IT leaders said using AI was a low or very low priority. It seems that they don’t see a business model for using it.

The same goes for many other technologies that fascinate analysts and editors. For example, while many observers expect otherwise, less than a quarter of respondents (17%) were paying much attention to wearables or making any bets on mobile health apps (21%).

When it comes to telemedicine, hospitals and health systems noted that they were in a bind. Less than half said they receive reimbursement for virtual consults (39%) or remote monitoring (46%). Things may resolve next year, however. Seventy-one percent of those not getting paid right now expect to be reimbursed for such care in 2018.

Despite all of this pessimism about the latest emerging technologies, health IT leaders were somewhat optimistic about the benefits of predictive analytics, with more than half of respondents using or planning to begin using genomic testing for personalized medicine. The study reported that many of these episodes will be focused on oncology, anesthesia and pharmacogenetics.

What should we make of these results? After all, many seem to fly in the face of predictions industry watchers have offered.

Well, for one thing, it’s good to see that hospitals and health systems are engaging in long-overdue beefing up of their security infrastructure. As we’ve noted here in the past, hospital spending on cybersecurity has been meager at best.

Another thing is that while a few innovative hospitals are taking patient-generated health data seriously, many others are taking a rather conservative position here. While nobody seems to disagree that such data will change the business, it seems many hospitals are waiting for somebody else to take the risks inherent in investing in any new data scheme.

Finally, it seems that we are seeing a critical mass of influential hospitals that expect good things from telemedicine going forward. We are already seeing some large, influential academic medical centers treat virtual care as a routine part of their service offerings and a way to minimize gaps in care.

All told, it seems that at the moment, study respondents are less interested in sexy new innovations than the VCs showering them with money. That being said, it looks like many of these emerging strategies might pay off in 2018. It should be an interesting year.

Optimization Dominates CHIME17 Discussions

Posted on November 8, 2017 | Written By Colin Hung

“Our EHR Implementation is done”

“We completed our EHR roll-out last year”

“The last EHR module has gone live”

With these words, CIO presenters at the recent CHIME Fall CIO Forum (CHIME17) ushered in a new era in Healthcare IT. Instead of EHR implementations dominating the discussion, optimization was the hot topic of discussion at the event.

“It’s clear to us that CIOs are dedicating more time and energy towards optimizing their systems rather than just implementing them”, says Ed Rucinski, Senior Vice President Worldwide Healthcare Sales at Nuance and CHIME17 attendee. “Our clients, for example, are looking for ways to simplify the documentation physicians have to do in their EHRs so that they can focus their attention back on helping patients.”

Finding ways to better utilize the EHR infrastructure was the subject of many CHIME17 sessions. In one, Sallie Arnett, Vice President Information Systems and Chief Information Officer at Licking Memorial Health Systems, presented how her organization is leveraging EHR and patient monitoring data to detect the early signs of sepsis. Over 62 lives were saved through the work of Arnett and the staff at Licking Memorial.

These results would not have been possible without the investments made in EHR implementations and other digitization efforts.

Several sessions at CHIME17 were centered on the changing role of CMIOs. For the past several years CMIOs have been synonymous with EHR implementations. Now with EHRs up and running, CHIME presenters spoke about how CMIOs were morphing into CHIOs – Chief Health Information Officers – charged with extracting clinical value from the data within the hospital’s systems. This shift in focus is further evidence that healthcare is beginning to move beyond implementation and that we are entering a time of EHR optimization.

The new focus on optimization is a welcome development. It signifies that we are finally near the end of the road-building phase of the industry’s EHR journey and we are getting to the phase where we start building things to make the roads useful (like gas stations, diners and cars).

Personally I am looking forward to what the next few years will bring. It will be exciting to see how decision support tools, predictive analytics, artificial intelligence, personalized medicine applications and population health systems will leverage the data that is accumulating in EHRs. The next few years will be truly interesting for CIOs.

The State of the Healthcare CIO

Posted on November 2, 2017 | Written By John Lynn

As I’ve talked to hundreds of healthcare CIOs this week at the CHIME Fall Forum, a number of themes keep coming up. No doubt there’s always a lot of excitement in the air at a conference like this. In many ways, it’s great that there’s a good, optimistic energy at a conference. A conference wouldn’t be very good without that energy, but under the covers, there’s often more to the story. Here are some broad insights into the state of the healthcare CIO that go beyond the natural excitement and energy of a conference.

No More Systems – Most of the CIOs who I’ve talked to feel like they have all the IT systems they need. In fact, most are trying to find ways to get rid of IT systems. They’re not looking to add any more IT systems to their mix. There’s a strong desire to simplify their current setup and to maximize the benefits of their current IT systems. They don’t want to add new ones.

Do Want Solutions – While healthcare CIOs don’t want to add new systems, they do want to find solutions that will be complementary to their existing systems. There is a massive desire to optimize what they’re doing and show value from their current IT systems. Solutions that are proven and work on top of their existing infrastructure are welcomed by these CIOs.

Security Is Still a Concern – I have a feeling that this topic may never die. Security is still a huge concern for CIOs and something that will continue to be important for a long time to come. Most now have some kind of security strategy in place, but I haven’t met anyone that’s totally comfortable with their security strategy. It seems that this is what keeps CIOs up at night more than any other issue.

Analytics Is a Challenge – Most of the healthcare CIOs know that analytics is going to be an important part of their future. They can see the potential value that analytics can provide, but most don’t know where to find these analytics. Most organizations don’t have a clear analytics strategy or direction. We’re still just seeing anecdotal results for very specific solutions. There’s no clear direction that every healthcare CIO is following for analytics.

CIOs are Stressed – It was very appropriate that yesterday’s keynote presentation was on turning stress into a positive. Most of the healthcare CIOs I met are quite stressed. They have a lot on their plates and most don’t know how they’re going to manage it all. Plus, they’re still overwhelmed by all the changing regulations and reimbursement changes. The fact that there doesn’t seem to be any end in sight adds to that stress.

Turnover is Still High – It seems that there’s still a lot of turnover that’s happening with CIOs. This is a challenge when it comes to continuity at organizations. However, those CIOs that have been able to stay at an organization for a longer period of time are starting to see new opportunities to be more strategic. They’ve fought all the initial fires and cleaned up the processes and now they can start working on more strategic initiatives.

Holding On vs Embracing Change – I see two different views evolving by CIOs. Many are holding on tightly to the old Chief Infrastructure Officer versus embracing the new Chief Innovation Officer mindset. CHIME is certainly espousing the view of the CIO becoming a Chief Innovation Officer and it’s the view that I think is best as well. However, there are plenty of CIOs that just want to provide the technology to their organization. It will be interesting to see what happens to both of these approaches to the CIO position.

Those are some high-level thoughts from talking with CIOs at the CHIME Fall Forum. What are you seeing? Are you seeing or hearing anything different from what I described above? We’d love to hear your thoughts in the comments.

Making Stress Your Friend, Not Your Enemy – #CHIME17 Keynote Twitter Roundup

Posted on November 1, 2017 | Written By John Lynn

This week I’m at the CHIME 2017 Fall Forum in San Antonio. It’s a great event that is no doubt the largest gathering of healthcare CIOs in one place. Today they kicked off the event with a great keynote speech from Kelly McGonigal that reframed stress in a really unique way. Here are some of the tweets that captured the essence of Kelly’s message.

You can see there are some powerful reframes when it comes to stress. It’s amazing the impact that just thinking of stress as a positive thing in your life can have on the outcomes. That’s a lesson we can all use since we all experience stress.

Along with the keynote, CHIME also did a great tribute to Neal Patterson, CEO of Cerner who passed away recently. It was very nice to take a moment to talk about Neal and his impact on the healthcare IT industry.

Top Five Challenges of Healthcare Cloud Deployments and How to Solve Them

Posted on October 2, 2017 I Written By

The following is a guest blog post by Chad Kissinger, Founder of OnRamp.

According to the HIMSS 2016 Survey, 84 percent of providers are currently using a cloud service, showing that security and compliance issues are not preventing organizations from deploying cloud environments. Despite growing adoption rates, breaches and security incidents continue to rise. Errors in cloud deployment and ongoing environment management are to blame.

Cloud services offer clear benefits—performance, cost savings, and scalability to name a few—so it’s no wonder healthcare organizations, like yours, are eager to take advantage of all that the cloud has to offer. Unfortunately, vulnerabilities are often introduced to your network when you adopt new technology. Let’s discuss how to identify and overcome common challenges in secure, compliant cloud deployments so you can opportunistically adopt cloud-based solutions while remaining on the right side of the law.

1. Ambiguous Delegation of Responsibilities
When technology is new to an organization, the responsibility of finding and managing that solution is often unclear. You must determine who owns your data. Is it your IT Department? Or perhaps your Security Department? It’s difficult to coordinate different people across departments, and even more difficult to communicate effectively between your organization and your provider. The delegation of responsibilities between you and your business associate will vary based on your service model—i.e. software as a service, infrastructure as a service, etc.

To prevent these issues, audit operational and business processes to determine the people, roles, and responsibilities for your team internally. Repeat the process for those services you will outsource to your cloud provider. Your business associate agreement should note the details of each party’s responsibilities, avoiding ambiguity and gaps in security or compliance. Look for provider credentials verified by third-party entities that demonstrate security levels at the data center level, such as HITRUST CSF and SSAE 16 SOC 2 Type 2 and SOC3.

2. Lack of Policies, Standards, and Security Practices
If your organization doesn’t have a solid foundation of policies, standards, and security practices, you will likely experience one or more of the security-related issues outlined below. It’s necessary to not only create policies, but also ensure your organization is able to enforce them consistently.

  • Shadow IT. According to a recent HyTrust Cloud Survey of 51 organizations, 40% of cloud services are commissioned without IT input.
  • Cloud Portability and Mobility. Mitigating risks among many endpoints, from wearables to smart beds, becomes more difficult as you add more endpoints.
  • Privileged User Access. Divide your user access by work role and limit access to mitigate malicious insider attacks.
  • Ongoing Staff Education and Training. Your team needs to be properly trained in best practices and understand the role that they play in cybersecurity.

Proper security and compliance also involves the processes that safeguard your data and the documentation that proves your efforts. Such processes include auditing operational and business processes, managing people, roles and identities, ensuring proper protection of data and information, assessing the security provisions for cloud applications, and data decommissioning.

Communicate your security and compliance policies to your cloud provider to ensure their end of the operations falls in line with your overall plan.

3. Protecting Data and Meeting HIPAA Controls
The HIPAA Privacy Rule, the HIPAA Security Rule, and HITECH all aim to secure your electronic protected health information (ePHI) and establish the national standards. Your concern is maintaining the confidentiality, availability, and integrity of sensitive data. In practice, this includes:

  • Technology
  • Safeguards (Physical & Administrative)
  • Process
  • People
  • Business Associates & Support
  • Auditable Compliance

Network solution experts recognize HIPAA compliant data must be secure, but also needs to be readily available to users and retain integrity across platforms. Using experienced cloud solution providers will bridge the gap between HIPAA requirements, patient administration, and the benefit of technology to treat healthcare clients and facilitate care.

Seek the right technology and implement controls that are both “required and addressable” within HIPAA’s regulations. When it comes to security, you can never be too prepared. Here are some of the measures you’ll want to implement:

  • Data encryption in transit and at rest
  • Firewalls
  • Multi-factor Authentication
  • Cloud Encryption Key Management
  • Audit logs showing access to ePHI
  • Vulnerability scanning, intrusion detection/prevention
  • Hardware and OS patching
  • Security Audits
  • Contingency Planning—regular data backup and disaster recovery plan

The number one mistake organizations make in protecting data in a cloud deployment is insufficient encryption, followed by key management. Encryption must be FIPS 140-2 compliant.

4. Ensuring Data Availability, Reliability, and Integrity
The key to service reliability and uptime is in your data backups and disaster recovery (DR) efforts. Data backup is not the same as disaster recovery—this is a common misconception. Data backup is part of business continuity planning, but that planning requires much more. There’s a gap between how organizations perceive their track records and the reality of their DR capabilities. The “CloudEndure Survey of 2016” notes that 90% of respondents claim they meet their availability goals, but only 38% meet their goals consistently, and 22% of the organizations surveyed don’t measure service availability at all. Keep in mind that downtime can result from your cloud provider—and this is out of your control. For instance, the AWS outage earlier this year caused a ruckus after many cloud-based programs stopped functioning.

5. Ability to Convey Auditable Compliance (Transparency)
Investors, customers, and regulators cannot easily discern that your cloud environment is compliant because it’s not as visible as other solutions, like on-premise hosting. You will have to work closely with your cloud provider to identify how to document your technology, policies, and procedures in order to document your efforts and prove auditable compliance.

Putting It All Together
The cloud provides significant advantages, but transitioning into the cloud requires a thorough roadmap with checkpoints for security and compliance along the way. Remember that technology is just the first step in a secure cloud deployment—proper security and compliance also involves the processes that protect your sensitive data and the documentation that proves your compliance efforts. You’ll want to identify resources from IT, security and operations to participate in your cloud deployment process, and choose a cloud provider that’s certified and knowledgeable in the nuances of healthcare cloud deployments.

For more information download the white paper “HOW TO DEPLOY A SECURE, COMPLIANT CLOUD FOR HEALTHCARE.”

About OnRamp

OnRamp is a HITRUST-certified data center services company that specializes in high security and compliant hybrid hosting and is a proud sponsor of Healthcare Scene. Our solutions help organizations meet compliance standards including, HIPAA, PCI, SOX, FISMA and FERPA. As an SSAE 16 SOC 2 Type 2 and SOC 3, PCI-DSS certified, and HIPAA compliant company, OnRamp operates multiple enterprise-class data centers to deploy cloud computing, colocation, and managed services. Visit or call 888.667.2660 to learn more.

Healthcare Orgs May Be Ramping Up Cybersecurity Efforts

Posted on August 18, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As I’ve noted (too) many times in the past, healthcare organizations don’t have a great track record when it comes to cybersecurity. Compared to other industries, healthcare organizations spend relatively little on IT security overall, and despite harangues from people like myself, this has remained the case for many years.

However, a small new survey by HIMSS suggests that the tide may be turning. It’s not incredibly surprising to hear, as health IT leaders have been facing increasingly frequent cybersecurity attacks. A case in point: In a recent study by Netwrix Corp., more than half of healthcare organizations reported struggling with malware, and that’s just one of many ongoing cybersecurity threats.

The HIMSS cybersecurity survey, which tallies responses from 126 IT leaders, concluded that security professionals are focusing on medical device security, and that patient safety, data breaches and malware were their top three concerns.

In the survey, HIMSS found that 71% of respondents were allocating some of their budgets toward cybersecurity and that 80% said that their organization employed dedicated cybersecurity staff.

Meanwhile, 78% of respondents were able to identify a cybersecurity staffing ratio (i.e. the number of cybersecurity specialists versus other employees), and 53% said the ratio was 1:500, which, according to HIMSS, is considered the right ratio for information-centric, risk-averse businesses with considerable Internet exposure.

Also of note, it seems that budgets for cybersecurity are getting more substantial. Of the 71% of respondents whose organizations are budgeting for cybersecurity efforts, 60% allocated 3% or more of their overall budget to the problem. And that’s not all. Eleven percent of respondents said that they were allocating more than 10% of the budget to cybersecurity, which is fairly impressive.

Other stats from the survey included that 60% of respondents said their organizations employed a senior information security leader such as a Chief Information Security Officer. In its press release covering the survey, HIMSS noted that CISOs and other top security leaders are adopting cybersecurity programs that cut across several areas, including procurement and education/training. The security leaders are also adopting the NIST Cybersecurity Framework.

According to HIMSS, 85% of respondents said they conduct a risk assessment at least once a year, and that 75% of them regularly conduct penetration testing. Meanwhile, 75% said they had some type of insider threat management program in place within their healthcare organization.

One final note: In the report, HIMSS noted that acute care providers had more specific concerns about cybersecurity than non-acute care providers. Over the next few years, as individual practices merge with larger ones, and everyone gets swept up into ACOs, I wonder if that distinction will even matter anymore.

My take is that when smaller organizations work with big ones, everyone’s tech is set up to reach the level better-capitalized players have achieved, and that will standardize everyone’s concerns. What do you think?