Being Honest About Your Reasons For Cybersecurity Decisions

Posted on August 16, 2018 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

This week, a team of McAfee researchers released a paper outlining a terrifying exploit. The paper describes, in great technical detail, how a malicious attacker could flip a cardiac rhythm display from 80 beats per minute to zero within less than five seconds.

This might not lead to severe harm or death, but it’s possible that other very negative outcomes could occur, notes Shaun Nordeck, MD, who’s quoted in the report. “Fictitious cardiac rhythms, even intermittent, could lead to extended hospitalization, additional testing, and side effects from medications prescribed to control heart rhythm and/or prevent clots,” he notes.

The paper does point out that if the bedside monitor is working normally, nurses have access to other accurate data, which could diminish the impact of such disruptions to some extent. However, the potential for adverse events is clearly higher than normal if someone scrambles a patient’s vitals.

Unfortunately, this is far from the only attack which wasn’t possible before connected devices became the norm. At various points, we’ve seen that pacemakers, insulin pumps and even MRIs can be hacked externally, particularly if their operating systems aren’t patched as required or haven’t put even basic security protections in place. (Think using “password” as a password.)

But while these vulnerabilities are largely known at this point, some healthcare organizations haven’t begun to tackle them. Solving these problems takes work, and costs money. The best-intentioned CIO might not get the budget to fix these problems if their CEO doesn’t see them as urgent.

Or let’s say the budget is available to begin the counterattack. Even if everyone agrees to tackle connected device vulnerabilities, where do we begin the counterattack? Which of these new connected health vulnerabilities are the most critical? On the one hand, hacking individual pacemakers doesn’t seem profitable enough to attract many cybercriminals. On the other, if I were a crook I might see the threat of meddling with a hospital’s worth of patient monitors to be a great source of ransom money.

And this brings us to some tough ethical questions. Should we evaluate these threats by how many patients would be affected, or how many of the sickest patients? How do we calculate the clinical impact of vital signs hacking vs. generating inaccurate MRI results? To what extent should the administrative impact of these attacks be a factor in deciding how to defeat these challenges, if at all?

I know you’re going to tell me that this isn’t an all or nothing proposition, and that to some extent standard network intrusion detection techniques and tools will work. I’m not disputing this. However, I think we need to admit out loud that these kinds of attacks threaten individual lives in a way that traditional cyberattacks do not. For that reason, we need to get honest about who we need to protect — and why.

MD Anderson Fined $4.3 Million For HIPAA Violations

Posted on June 21, 2018 | Written By Anne Zieger

An administrative law judge has ruled that MD Anderson Cancer Center must pay $4.3 million to the HHS Office of Civil Rights due to multiple HIPAA violations. This is the fourth largest penalty ever awarded to OCR.

OCR kicked off an investigation of MD Anderson in the wake of three separate data breach reports in 2012 and 2013. One of the breaches sprung from the theft of an unencrypted laptop from the home of an MD Anderson employee. The other two involved the loss of unencrypted USB thumb drives which held protected health information on over 33,500 patients.

Maybe — just maybe — MD Anderson could’ve gotten away with this or paid a much smaller fine. But given the circumstances, it was not going to get away that easily.

OCR found that while the organization had written encryption policies going back to 2006, it wasn’t following them that closely. What’s more, MD Anderson’s own risk analyses had found that a lack of device-level encryption could threaten the security of ePHI.

Adding insult to injury, MD Anderson didn’t begin to adopt enterprise-wide security technology until 2011. Also, it didn’t take action to encrypt data on its devices containing ePHI during the period between March 2011 and January 2013.

In defending itself, the organization argued that it was not obligated to encrypt data on its devices. It also claimed that the ePHI which was breached was for research, which meant that it was not subject to HIPAA penalties. In addition, its attorneys argued that the penalties accrued to OCR were unreasonable.

The administrative law judge wasn’t buying it. In fact, the judge took an axe to its arguments, saying that MD Anderson’s “dilatory conduct is shocking given the high risk to its patients resulting from the unauthorized disclosure of ePHI,” noting that its leaders “not only recognized, but [also] restated many times.” That’s strong language, the like of which I’ve never seen in HIPAA cases before.

You won’t be surprised to learn that the administrative law judge agreed to OCR’s sanctions, which included penalties for each day of MD Anderson’s lack of HIPAA compliance and for each record of individuals breached.

All I can say is wow. Could the Cancer Center’s leaders possibly have more chutzpah? It’s bad enough to have patient data breached three times. Defending yourself by essentially saying it was no big deal is even worse. If I were the judge I would’ve thrown the book at them too.

Privacy Fears May Be Holding Back Digital Therapeutics Adoption

Posted on May 3, 2018 | Written By Anne Zieger

Consumers were already afraid that their providers might not be able to protect the privacy of their health data. Given the daily news coverage of large data breaches and since the Facebook data scandal blew up, consumers may be even less likely to try out new digital health approaches.

For example, a new study by innovation consultancy Enspektos has concluded that patients may be afraid to adopt digital therapeutics options. Many fear that the data might be compromised or the technology may subject them to unwanted personal surveillance.

Without a doubt, digital therapeutics could have a great future. Possibilities include technologies such as prescription drugs with embedded sensors tracking medication compliance, as well as mobile apps that could potentially replace drugs. However, consumers’ appetite for such innovations may be diminishing as consumer fears over data privacy grow.

The research, which was done in collaboration with Savvy Cooperative, found that one-third of respondents fear that such devices will be used to track their behavior in invasive ways or that the data might be sold to a third party without their permission. As the research authors note, it’s hard to argue that the Facebook affair has ratcheted up these concerns.

Other research by Enspektos includes some related points:

  • Machine-aided diagnosis is growing as AI, wearables and data analytics are combined to predict and treat diseases
  • The deployment of end-to-end digital services is increasing as healthcare organizations work to create comprehensive platforms that embrace a wide range of conditions

It’s worth noting that it’s not just consumers who are worried about new forms of hacker intrusions. Industry CIOs have been fretting as it’s become more common for cybercriminals to attack healthcare organizations specifically. In fact, just last month Symantec identified a group known as Orangeworm that is breaking into x-ray, MRI and other medical equipment.

If groups like Orangeworm have begun to attack medical devices — something cybersecurity experts have predicted for years — we’re looking at a new phase in the battle to protect hospital devices and data. If one cybercriminal decides to focus on healthcare specifically, it’s likely that others will as well.

It’s bad enough that people are worried about the downsides of digital therapeutics. If they really knew how insecure their overall medical data could be going forward, they might be afraid to even sign in to their portal again.

A Whole New Way of Being Old: Book Review of The New Mobile Age

Posted on March 15, 2018 | Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site (http://oreilly.com/) and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

The recently released overview of health care for the aging by Dr. Joseph Kvedar and his collaborators, The New Mobile Age: How Technology Will Extend the Healthspan and Optimize the Lifespan, is aimed at a wide audience of people who can potentially benefit: health care professionals and those who manage their clinics and hospitals, technologists interested in succeeding in this field, and policy makers. Your reaction to this book may depend on how well you have asserted the impact of your prefrontal cortex over your amygdala before reading the text–if your mood is calm you can see numerous possibilities and bright spots, whereas if you’re agitated you will latch onto the hefty barriers in the way.

Kvedar highlights, as foremost among the culture changes needed to handle aging well, a view of aging as a positive and productive stage of life. Second to that come design challenges: technologists must make devices and computer interfaces that handle affect, adapt smoothly to different individuals and their attitudes, and ultimately know both when to intervene and how to present healthy options. As an example, Chapter 8 presents two types of robots, one of which was accepted more by patients when it was “serious” and the other when it was “playful.” The nuances of interface design are bewildering.

The logical argument in The New Mobile Age proceeds somewhat like this:

  1. Wholesome and satisfying aging is possible, but particularly where chronic conditions are involved, it involves maintaining a healthful and balanced lifestyle, not just fixing disease.

  2. Support for health, particularly in old age, thus involves public health and socio-economic issues such as food, exercise, and especially social contacts.

  3. Each person requires tailored interventions, because his or her needs and desires are unique.

  4. Connected technology can help, but must adapt to the conditions and needs of the individual.

The challenges of health care technology emerged in my mind, during the reading of this book, as a whole new stage of design. Suppose we broadly and crudely characterize the first 35 years of computer design as number-crunching, and the next 35 years–after the spread of the personal computer–as one of augmenting human intellect (a phrase popularized by pioneer Douglas Engelbart).

We have recently entered a new era where computers use artificial intelligence for decision-making and predictions, going beyond what humans can anticipate or understand. (For instance, when I pulled up The New Mobile Age on Amazon.com, why did it suggest I check out a book about business and technology that I have already read, Machine, Platform, Crowd? There is probably no human at Amazon.com or elsewhere who could explain the algorithm that made the connection.)

So I am suggesting that an equally momentous shift will be required to fulfill Kvedar’s mandate. In addition to the previous tasks of number-crunching, augmenting human intellect, and predictive analytics, computers will need to integrate with human life in incredibly supple, subtle ways.

The task reminds me of self-driving cars, which business and tech observers assure us will replace human drivers in a foreseeable time span. As I write this paragraph, snow from a nor’easter is furiously swirling through the air. It is hard to imagine that any intelligence, whether human, AI, or alien, can safely navigate a car in that mess. Self-driving cars won’t catch on until computers can instantly handle real-world conditions perfectly–and that applies to technology for the aging too.

This challenge applies to physical services as well as emotional ones. For instance, Kvedar suggests in Chapter 8 that a robot could lift a person from a bed to a wheelchair. That’s obviously riskier and more nuanced than carting goods around a warehouse. And that robot is supposed to provide encouragement, bolster the spirits of the patient, and guide the patient toward healthful behavior as well.

Although I have no illusions about the difficulty of the tasks set before computers in health care, I believe the technologies offer enormous potential and cheer on the examples provided by Kvedar in his book. It’s important to note that the authors, while delineating the different aspects of conveying care to the aging, always start with a problem and a context, taking the interests of the individual into account, and then move to the technical parts of the solution.

Therefore, Kvedar brings us face to face with issues we cannot shut our eyes to, such as the widening gap between the increasing number of elderly people in the world and the decreasing number of young people who can care for them or pay for such care. A number of other themes appear that will be familiar to people following the health care field: the dominance of lifestyle-related chronic conditions among our diseases, the clunkiness and unfriendliness of most health-related systems (most notoriously the electronic health record systems used by doctors), the importance of understanding the impact of behavior and phenotypical data on health, but also the promise of genetic sequencing, and the importance of respecting the dignity and privacy of the people whose behavior we want to change.

And that last point applies to many aspects of accommodating diverse populations. Although this book is about the elderly, it’s not only they who are easily infantilized, dismissed, ignored, or treated inappropriately in the health care system: the same goes for the mentally ill, the disabled, LGBTQ people, youth, and many other types of patients.

The New Mobile Age highlights exemplary efforts by companies and agencies to use technology to meet the human needs of the aging. Kvedar’s own funder, Partners Healthcare, can afford to push innovation in this area because it is the dominant health care provider in the Boston area (where I live) and is flush with cash. When will every institution do these same things? The New Mobile Age helps to explain what we need in order to get to that point.

Nokia May Exit Digital Health Business

Posted on March 2, 2018 | Written By Anne Zieger

The digital health market has become phenomenally competitive over the last few years, with giants like Google and Apple duking it out with smaller, fast-moving startups over the choicest opportunities in the sector.

Even with a behemoth like Google, you expect to see some stumbles, and the Internet giant has taken a few. But seldom have we seen a billion-dollar company walk away from the digital health market, which arguably stands to grow far more. Still, according to a recent news report, that’s just what Nokia may be doing.

A story published in The Verge reports that the Finnish telecom giant has launched a strategic review of its health division. While Nokia apparently isn’t spilling the beans on its plans, the news site got a look at an internal company memo which suggests that its digital health business is indeed in trouble.

In the memo, The Verge says, Nokia chief strategy officer Kathrin Buvac wrote that “our digital health business has struggled to scale and meet its growth expectations… [And] currently, we don’t see a path for [the digital health business] to become a meaningful part of a company as large as Nokia.”

While it’s hard to tell much from a press release, it notes that Nokia’s digital health division makes and sells an ecosystem of hybrid smart watches, scales and digital health devices to consumers and enterprises. Its digital health history includes the acquisition of Withings, a French startup with a sexy lineup of connected health-focused digital health devices.

This may be in part because it just hasn’t been aggressive enough or offered anything unique. In the wake of the Withings acquisition, Nokia doesn’t seem to have done much to build on Withings’ product line. Though much of the success in this market depends on execution, its current roster of products doesn’t sound like anything too exciting or differentiated.

It’s interesting to note that Buvac blames at least part of the failure of its digital health excursion on Nokia’s size. That doesn’t seem to be a problem for industry-leading companies like Apple, which seems to be carving out its digital health footprint one launch at a time and cultivating health leaders along the way. For example, Apple recently partnered with Stanford Medicine to launch an app using its smartwatch to collect data on irregular heart rhythms. Arguably, this is the way to win markets and influence people — slow and steady.

In the end, though, Buvac is probably right about its digital health prospects. Nokia’s seeming failure may indeed be attributed to its sprawling portfolio, and probably an inflexible internal culture as well. The moral of the story may be that winning at the digital health game has far more to do with understanding the market than it does with having very deep pockets.

Nearly 6 Million Patient Records Breached In 2017

Posted on February 1, 2018 | Written By Anne Zieger

Just how bad a year was 2017 for health data? According to one study, it was 5.6 million patient records bad.

According to health data security firm Protenus, which partnered with DataBreaches.net to conduct its research, last year saw an average of at least one health data breach per day. The researchers based their analysis on 477 health data breaches reported to the public last year.

While Protenus only had 407 such incidents, those alone affected 5,579,438 patient records. The gross number of exposed records fell dramatically from 2016, which saw 27.3 million records compromised by breaches. However, the large number of records exposed in 2016 stems from the fact that there were a few massive incidents that year.

According to researchers, the largest breach reported in 2017 stemmed from a rogue insider, a hospital employee who inappropriately accessed billing information on 697,800 patients. The rest of the top 10 largest data breaches sprung from insider errors, hacking, and one other incident involving insider wrongdoing.

Insider wrongdoing seems to be a particular problem, accounting for 37% of the total number of breaches last year. These insider incidents affected 30% of compromised patient data, or more than 1.7 million records.

As bad as those stats may be, however, ransomware and malware seem to be even bigger threats. As the study notes, last year a tidal wave of hacking incidents involving malware and ransomware hit healthcare organizations.

Not surprisingly, last year’s wave of attacks seems to be part of a larger trend. According to a Malwarebytes report, ransomware attacks on businesses overall increased 90 percent last year, led by GlobeImposter and WannaCry incidents.

That being said, healthcare appears to be a particularly popular target for cybercriminals. In 2016, healthcare organizations reported 30 incidents of ransomware and malware attacks, and last year, 64 organizations reported attacks of this kind. While the increase in ransomware reports could be due to organizations being more careful about reporting such incidents, researchers warn that the volume of such attacks may be growing.

So what does this suggest about the threat landscape going forward? In short, it doesn’t seem likely the situation will improve much over the next 12 months. The report suggests that last year’s trend of one breach per day should continue this year. Moreover, we may see a growth in the number of incidents reported to HHS, though again, this could be because the industry is getting better at breach detection.

If nothing else, one might hope that healthcare organizations get better at detecting attacks quickly. Researchers noted that of the 144 healthcare data breaches for which they have data, it took an average of 308 days for the organization to find out about the breach. Surely we can do better than this.

Hospitals Still Lagging On Mobile

Posted on January 18, 2018 | Written By Anne Zieger

One would think that these days, when the desktop computer is an extension of mobile devices rather than the other way around, hospitals would have well-defined, mature plans in place for managing mobile technology. But according to one survey, that’s definitely not the case.

In a study sponsored by Spok, which provides clinical communication services, many healthcare providers are still in the early years of developing a mobile strategy.

The study, which drew on contacts with more than 300 healthcare professionals in the US, found that 21% had had a mobile strategy in place for less than one year, 40% for one to three years, 14% for 3 to 5 years and 25% for more than five years. In other words, while one-quarter of organizations had settled in and developed a mobile approach, an almost equal amount were just getting their feet wet.

Not only that, many of those who do have a mobile strategy in place may be shooting from the hip. While 65% of those surveyed had a documented mobility strategy in place, 35% didn’t.

That being said, it seems that organizations that have engaged with mobile are working hard to tweak their strategy regularly. According to Spok, their reasons for updating the strategy include:

* Shifting mobile needs of end-users (44%)
* The availability of new mobile devices (35%)
* New capabilities from the EHR vendor (26%)
* Changes in goals of mobile strategy (23%)
* Challenges in implementing the strategy (21%)
* Changes in hospital leadership (16%)

(Seven percent said their mobile strategy had not changed since inception, and 23% weren’t sure what changes had been made.)

Nonetheless, other data suggest there has been little progress in integrating mobile strategy with broader hospital goals.

For example, while 53% wanted to improve physician-to-physician communications, only 19% had integrated mobile strategy with this goal. Fifty-three percent saw nurse-to-physician communications as a key goal, but only 18% had integrated this goal with their mobile plans. The gaps between other top strategies and integration with mobile plans were similar across the strategic spectrum.

Ultimately, it’s likely that it will take a team approach to bring these objectives together, but that’s not happening in the near future. According to respondents, the IT department will implement mobile in 82% of institutions surveyed, 60% clinical leadership, 37% doctors, 34% telecom department, 27% nurses and 22% outside help from consultants and vendors. (Another 16% didn’t plan to have a dedicated team in place.)

The whole picture suggests that while the hospital industry is gradually moving towards integrating mobile into its long-term thinking, it has a ways to go. Given the potential benefits of smart mobile use, let’s hope providers catch up quickly.

Key Articles in Health IT from 2017 (Part 2 of 2)

Posted on January 4, 2018 | Written By Andy Oram

The first part of this article set a general context for health IT in 2017 and started through the year with a review of interesting articles and studies. We’ll finish the review here.

A thoughtful article suggests a positive approach toward health care quality. The author stresses the value of organic change, although using data for accountability has value too.

An article extolling digital payments actually said more about the out-of-control complexity of the US reimbursement system. It may or may not be coincidental that her article appeared one day after the CommonWell Health Alliance announced an API whose main purpose seems to be to facilitate payment and other data exchanges related to law and regulation.

A survey by KLAS asked health care providers what they want in connected apps. Most apps currently just display data from a health record.

A controlled study revived the concept of Health Information Exchanges as stand-alone institutions, examining the effects of emergency departments using one HIE in New York State.

In contrast to many leaders in the new Administration, Dr. Donald Rucker received positive comments upon acceding to the position of National Coordinator. More alarm was raised about the appointment of Scott Gottlieb as head of the FDA, but a later assessment gave him high marks for his first few months.

Before Dr. Gottlieb got there, the FDA was already loosening up. The 21st Century Cures Act instructed it to keep its hands off many health-related digital technologies. After kneecapping consumer access to genetic testing and then allowing it back into the ring in 2015, the FDA advanced consumer genetics another step this year with approval for 23andMe tests about risks for seven diseases. A close look at another DNA site’s privacy policy, meanwhile, warns that their use of data exploits loopholes in the laws and could end up hurting consumers. Another critique of the Genetic Information Nondiscrimination Act has been written by Dr. Deborah Peel of Patient Privacy Rights.

Little noticed was a bill authorizing the FDA to be more flexible in its regulation of digital apps. Shortly after, the FDA announced its principles for approving digital apps, stressing good software development practices over clinical trials.

No improvement has been seen in the regard clinicians have for electronic records. Subjective reports condemned the notorious number of clicks required. A study showed they spend as much time on computer work as they do seeing patients. Another study found the ratio to be even worse. Shoving the job onto scribes may introduce inaccuracies.

The time spent might actually pay off if the resulting data could generate new treatments, increase personalized care, and lower costs. But the analytics that are critical to these advances have stumbled in health care institutions, in large part because of the perennial barrier of interoperability. But analytics are showing scattered successes, being used to:

Deloitte published a guide to implementing health care analytics. And finally, a clarion signal that analytics in health care has arrived: WIRED covers it.

A government cybersecurity report warns that health technology will likely soon contribute to the stream of breaches in health care.

Dr. Joseph Kvedar identified fruitful areas for applying digital technology to clinical research.

The Government Accountability Office, terror of many US bureaucracies, came out with a report criticizing the sloppiness of quality measures at the VA.

A report by leaders of the SMART platform listed barriers to interoperability and the use of analytics to change health care.

To improve the lower outcomes seen by marginalized communities, the NIH is recruiting people from those populations to trust the government with their health data. A policy analyst calls on digital health companies to diversify their staff as well. Google’s parent company, Alphabet, is also getting into the act.

Specific technologies

Digital apps are part of most modern health efforts, of course. A few articles focused on the apps themselves. One study found that digital apps can improve depression. Another found that an app can improve ADHD.

Lots of intriguing devices are being developed:

Remote monitoring and telehealth have also been in the news.

Natural language processing and voice interfaces are becoming a critical part of spreading health care:

Facial recognition is another potentially useful technology. It can replace passwords or devices to enable quick access to medical records.

Virtual reality and augmented reality seem to have some limited applications to health care. They are useful foremost in education, but also for pain management, physical therapy, and relaxation.

A number of articles hold out the tantalizing promise that interoperability headaches can be cured through blockchain, the newest hot application of cryptography. But one analysis warned that blockchain will be difficult and expensive to adopt.

3D printing can be used to produce models for training purposes as well as surgical tools and implants customized to the patient.

A number of other interesting companies in digital health can be found in a Fortune article.

We’ll end the year with a news item similar to one that began the article: serious good news about the ability of Accountable Care Organizations (ACOs) to save money. I would also like to mention three major articles of my own:

I hope this review of the year’s articles and studies in health IT has helped you recall key advances or challenges, and perhaps flagged some valuable topics for you to follow. 2018 will continue to be a year of adjustment to new reimbursement realities touched off by the tax bill, so health IT may once again languish somewhat.

Key Articles in Health IT from 2017 (Part 1 of 2)

Posted on January 2, 2018 I Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site (http://oreilly.com/) and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

This article provides a retrospective of 2017 in Health IT–but a retrospective from an unusual perspective. I will highlight interesting articles I’ve read from the year as pointers to trends we should follow up on in the upcoming years.

Indubitably, 2017 is a unique year due to political events that threw the field of health care into wild uncertainty and speculation, exemplified most recently by the attempts to censor the use of precise and accurate language at the Centers for Disease Control (an act of political interference that could not be disguised even by those who tried to explain it away). Threats to replace the Affordable Care Act (another banned phrase) drove many institutions, which had formerly focused on improving communications or implementing risk sharing for health care costs, to fall back into a lower level of Maslow’s hierarchy of needs, obsessing over whether insurance payments would cease and patients would stop coming. News about health IT was also drowned out by more general health topics such as drug pricing, the opiate crisis, and revenue pressures that close hospitals.

Key issues

But let’s start our retrospective on an upbeat note. A brief study summary from January 4 reported lower costs for some surgeries when hospitals participated in a modest bundled payment program sponsored by CMS. This suggests that fee-for-value could be required more widely by payers, even in the absence of sophisticated analytics and care coordination. Because only a small percentage of clinicians choose bold risk-sharing reimbursement models, this news is important.

Next, a note on security. Maybe we should reprioritize clinicians’ defenses against the electronic record breaches we’ve been hearing so much about. An analysis found that the most common reason for an unauthorized release of data was an attack by an insider (43 percent). This contrasts with 26.8 percent from outside intruders. (The article doesn’t say how many records were compromised by each breach, though–if it had, the importance of outside intruders might have skyrocketed.) In any case, watch your audit logs and don’t trust your employees.

In a bracing and rare moment of candor, President Obama and Vice President Biden (remember them?) sharply criticized current EHRs for lack of interoperability. Other articles during the year showed that the political leaders were on target, as interoperability–an odd health care term for what other industries call “data exchange”–continues to be just as elusive as ever. Only 30% of hospitals were able to exchange data (although the situation has probably improved since the 2015 data used in the study). Advances in interoperability were called “theoretical” and the problem was placed into larger issues of poor communication. The Harvard Business Review weighed in too, chiding doctors for spending so much money on systems that don’t communicate.

The controversy sharpened as fraud charges were brought against a major EHR vendor for gaming the certification for Meaningful Use. A couple months later, strangely, the ONC weakened its certification process and announced it would rely more on the vendors to police themselves.

A long article provided some historical background on the reasons for incompatibility among EHRs.

Patients, as always, are left out of the loop: an ONC report finds improvements but many remaining barriers to attempts by patients to obtain the medical records that are theirs by law. And should the manufacturers of medical devices share the data they collect with patients? One would think it an elementary right of patients, but guidance released this year by the FDA was remarkably timid, pointing out the benefits of sharing but leaving it as merely a recommendation and offering big loopholes.

The continued failure to exchange data–which frustrates all attempts to improve treatments and cut costs–has led to the question: do EHR vendors and clinicians deliberately introduce technical measures for “information blocking”? Many leading health IT experts say no. But a study found that explicit information blocking measures are real.

Failures in interoperability and patient engagement were cited in another paper.

And we can’t leave interoperability without acknowledging the hope provided by FHIR. A paper on the use of FHIR with the older Direct-based interoperability protocols was released.

We’ll make our way through the rest of the year and look at some specific technologies in the next part of the article.

Health Data Tracking Is Creeping Into Professional Sports

Posted on October 27, 2017 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Pro athletes are used to having their performance tracked minutely, not only by team owners but also by legions of fans for whom data on their favorite players is a favored currency. However, athletic data tracking has taken on a new shape with the emergence of wearable devices.

For example, in spring of last year, Major League Baseball approved two devices for use during games: the Motus Baseball Sleeve, which tracks stress on elbows, and the Zephyr Bioharness, which monitors heart and breathing rates, skin temperature and sleep cycle.

In what must be a disappointment to fans, data from the devices isn’t available in real time and can only be downloaded after games. Also, clubs use the data for internal purposes only, which includes sharing it with the player but no one else. Broadcasters and other commercial entities can’t access it.

More recently, in April of this year, the National Football League Players Association struck a deal with wearables vendor WHOOP under which its band will track athletes’ performance data. The WHOOP Strap 2.0 measures data 100 times per second then transmits the data automatically to its mobile and web apps for analysis and performance recommendations.

Unlike with the MLB agreement, NFL players own and control the individual data collected by the device, and retain the rights to sell their WHOOP data through the Players Association group licensing program.

Not all athletes are comfortable with the idea of having their performance data collected. For example, as an article in The Atlantic notes, players in the National Basketball Association included the right to opt out of using biometric trackers in their latest collective-bargaining agreement, which specifies that teams requesting a player wear one explain in writing what’s being tracked and how the team will use the information. The agreement also includes a clause stating that the data can’t be used or referenced as part of player contract negotiations.

Now, it’s worth taking a moment to note that concerns over the management of professional athlete performance data fall into a different bucket than the resale of de-identified patient data. The athletic data is generated only during the game, while consumer wearables collect data the entire time a patient is awake and sometimes when they sleep. The devices targeting athletes are designed to capture massive amounts of data, while consumer wearables collect data sporadically and perhaps not so accurately at times.

Nonetheless, the two forms of data collection are part of a larger pattern in which detailed health data tracking is becoming the norm. Athletic clubs may put it to a different purpose, but both consumer and professional data use are part of an emerging trend in which health monitoring is a 24/7 thing. Right now, consumers themselves generally can’t earn money by selling their individual data, but maybe there should be an app for that.