
Nearly 6 Million Patient Records Breached In 2017

Posted on February 1, 2018 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Just how bad a year was 2017 for health data? According to one study, it was 5.6 million patient records bad.

According to health data security firm Protenus, which partnered with DataBreaches.net to conduct its research, last year saw an average of at least one health data breach per day. The researchers based their analysis on 477 health data breaches reported to the public last year.

While Protenus had details on only 407 of those incidents, those alone affected 5,579,438 patient records. The gross number of exposed records fell dramatically from 2016, which saw 27.3 million records compromised by breaches. However, the large number of records exposed in 2016 stems from the fact that there were a few massive incidents that year.

According to researchers, the largest breach reported in 2017 stemmed from a rogue insider, a hospital employee who inappropriately accessed billing information on 697,800 patients. The rest of the top 10 largest data breaches sprang from insider errors, hacking, and one other incident involving insider wrongdoing.

Insider wrongdoing seems to be a particular problem, accounting for 37% of the total number of breaches last year. These insider incidents affected 30% of compromised patient data, or more than 1.7 million records.

As bad as those stats may be, however, ransomware and malware seem to be even bigger threats. As the study notes, last year a tidal wave of hacking incidents involving malware and ransomware hit healthcare organizations.

Not surprisingly, last year’s wave of attacks seems to be part of a larger trend. According to a Malwarebytes report, ransomware attacks on businesses overall increased 90 percent last year, led by GlobeImposter and WannaCry incidents.

That being said, healthcare appears to be a particularly popular target for cybercriminals. In 2016, healthcare organizations reported 30 incidents of ransomware and malware attacks, and last year, 64 organizations reported attacks of this kind. While the increase in ransomware reports could be due to organizations being more careful about reporting such incidents, researchers warn that the volume of such attacks may be growing.

So what does this suggest about the threat landscape going forward? In short, it doesn’t seem likely the situation will improve much over the next 12 months. The report suggests that last year’s trend of one breach per day should continue this year. Moreover, we may see a growth in the number of incidents reported to HHS, though again, this could be because the industry is getting better at breach detection.

If nothing else, one might hope that healthcare organizations get better at detecting attacks quickly. Researchers noted that of the 144 healthcare data breaches for which they have data, it took an average of 308 days for the organization to find out about the breach. Surely we can do better than this.

Hospitals Still Lagging On Mobile

Posted on January 18, 2018 | Written By

Anne Zieger

One would think that these days, when the desktop computer is an extension of mobile devices rather than the other way around, hospitals would have well-defined, mature plans in place for managing mobile technology. But according to one survey, that’s definitely not the case.

A study sponsored by Spok, which provides clinical communication services, found that many healthcare providers are still in the early years of developing a mobile strategy.

The study, which drew on contacts with more than 300 healthcare professionals in the US, found that 21% had had a mobile strategy in place for less than one year, 40% for one to three years, 14% for three to five years and 25% for more than five years. In other words, while one-quarter of organizations had settled in and developed a mobile approach, an almost equal share were just getting their feet wet.

Not only that, many of those who do have a mobile strategy in place may be shooting from the hip. While 65% of those surveyed had a documented mobility strategy in place, 35% didn’t.

That being said, it seems that organizations that have engaged with mobile are working hard to tweak their strategy regularly. According to Spok, their reasons for updating the strategy include:

* Shifting mobile needs of end-users (44%)
* The availability of new mobile devices (35%)
* New capabilities from the EHR vendor (26%)
* Changes in goals of mobile strategy (23%)
* Challenges in implementing the strategy (21%)
* Changes in hospital leadership (16%)

(Seven percent said their mobile strategy had not changed since inception, and 23% weren’t sure what changes had been made.)

Nonetheless, other data suggest there has been little progress in integrating mobile strategy with broader hospital goals.

For example, while 53% wanted to improve physician-to-physician communications, only 19% had integrated mobile strategy with this goal. Fifty-three percent saw nurse-to-physician communications as a key goal, but only 18% had integrated this goal with their mobile plans. The gaps between other top strategies and integration with mobile plans were similar across the strategic spectrum.

Ultimately, it’s likely that it will take a team approach to bring these objectives together, but that’s not happening in the near future. According to respondents, the IT department will be responsible for implementing mobile at 82% of the institutions surveyed, followed by clinical leadership (60%), doctors (37%), the telecom department (34%), nurses (27%) and outside help from consultants and vendors (22%). (Another 16% didn’t plan to have a dedicated team in place.)

The whole picture suggests that while the hospital industry is gradually moving towards integrating mobile into its long-term thinking, it has a ways to go. Given the potential benefits of smart mobile use, let’s hope providers catch up quickly.

Key Articles in Health IT from 2017 (Part 2 of 2)

Posted on January 4, 2018 | Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site (http://oreilly.com/) and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

The first part of this article set a general context for health IT in 2017 and started through the year with a review of interesting articles and studies. We’ll finish the review here.

A thoughtful article suggests a positive approach toward health care quality. The author stresses the value of organic change, although using data for accountability has value too.

An article extolling digital payments actually said more about the out-of-control complexity of the US reimbursement system. It may or may not be coincidental that her article appeared one day after the CommonWell Health Alliance announced an API whose main purpose seems to be to facilitate payment and other data exchanges related to law and regulation.

A survey by KLAS asked health care providers what they want in connected apps. Most apps currently just display data from a health record.

A controlled study revived the concept of Health Information Exchanges as stand-alone institutions, examining the effects of emergency departments using one HIE in New York State.

In contrast to many leaders in the new Administration, Dr. Donald Rucker received positive comments upon acceding to the position of National Coordinator. More alarm was raised about the appointment of Scott Gottlieb as head of the FDA, but a later assessment gave him high marks for his first few months.

Before Dr. Gottlieb got there, the FDA was already loosening up. The 21st Century Cures Act instructed it to keep its hands off many health-related digital technologies. After kneecapping consumer access to genetic testing and then allowing it back into the ring in 2015, the FDA advanced consumer genetics another step this year with approval for 23andMe tests about risks for seven diseases. A close look at another DNA site’s privacy policy, meanwhile, warns that their use of data exploits loopholes in the laws and could end up hurting consumers. Another critique of the Genetic Information Nondiscrimination Act has been written by Dr. Deborah Peel of Patient Privacy Rights.

Little noticed was a bill authorizing the FDA to be more flexible in its regulation of digital apps. Shortly after, the FDA announced its principles for approving digital apps, stressing good software development practices over clinical trials.

No improvement has been seen in the regard clinicians have for electronic records. Subjective reports condemned the notorious number of clicks required. A study showed they spend as much time on computer work as they do seeing patients. Another study found the ratio to be even worse. Shoving the job onto scribes may introduce inaccuracies.

The time spent might actually pay off if the resulting data could generate new treatments, increase personalized care, and lower costs. But the analytics that are critical to these advances have stumbled in health care institutions, in large part because of the perennial barrier of interoperability. But analytics are showing scattered successes, being used to:

Deloitte published a guide to implementing health care analytics. And finally, a clarion signal that analytics in health care has arrived: WIRED covers it.

A government cybersecurity report warns that health technology will likely soon contribute to the stream of breaches in health care.

Dr. Joseph Kvedar identified fruitful areas for applying digital technology to clinical research.

The Government Accountability Office, terror of many US bureaucracies, came out with a report criticizing the sloppiness of quality measures at the VA.

A report by leaders of the SMART platform listed barriers to interoperability and the use of analytics to change health care.

To improve the lower outcomes seen by marginalized communities, the NIH is recruiting people from those populations to trust the government with their health data. A policy analyst calls on digital health companies to diversify their staff as well. Google’s parent company, Alphabet, is also getting into the act.

Specific technologies

Digital apps are part of most modern health efforts, of course. A few articles focused on the apps themselves. One study found that digital apps can improve depression. Another found that an app can improve ADHD.

Lots of intriguing devices are being developed:

Remote monitoring and telehealth have also been in the news.

Natural language processing and voice interfaces are becoming a critical part of spreading health care:

Facial recognition is another potentially useful technology. It can replace passwords or devices to enable quick access to medical records.

Virtual reality and augmented reality seem to have some limited applications to health care. They are useful foremost in education, but also for pain management, physical therapy, and relaxation.

A number of articles hold out the tantalizing promise that interoperability headaches can be cured through blockchain, the newest hot application of cryptography. But one analysis warned that blockchain will be difficult and expensive to adopt.

3D printing can be used to produce models for training purposes as well as surgical tools and implants customized to the patient.

A number of other interesting companies in digital health can be found in a Fortune article.

We’ll end the year with a news item similar to one that began the article: serious good news about the ability of Accountable Care Organizations (ACOs) to save money. I would also like to mention three major articles of my own:

I hope this review of the year’s articles and studies in health IT has helped you recall key advances or challenges, and perhaps flagged some valuable topics for you to follow. 2018 will continue to be a year of adjustment to new reimbursement realities touched off by the tax bill, so health IT may once again languish somewhat.

Key Articles in Health IT from 2017 (Part 1 of 2)

Posted on January 2, 2018 | Written By

Andy Oram

This article provides a retrospective of 2017 in health IT, but a retrospective from an unusual perspective. I will highlight interesting articles I’ve read from the year as pointers to trends we should follow up on in the upcoming years.

Indubitably, 2017 is a unique year due to political events that threw the field of health care into wild uncertainty and speculation, exemplified most recently by the attempts to censor the use of precise and accurate language at the Centers for Disease Control (an act of political interference that could not be disguised even by those who tried to explain it away). Threats to replace the Affordable Care Act (another banned phrase) drove many institutions, which had formerly focused on improving communications or implementing risk sharing health care costs, to fall back into a lower level of Maslow’s hierarchy of needs, obsessing over whether insurance payments would cease and patients would stop coming. News about health IT was also drowned out by more general health topics such as drug pricing, the opiate crisis, and revenue pressures that close hospitals.

Key issues

But let’s start our retrospective on an upbeat note. A brief study summary from January 4 reported lower costs for some surgeries when hospitals participated in a modest bundled payment program sponsored by CMS. This suggests that fee-for-value could be required more widely by payers, even in the absence of sophisticated analytics and care coordination. Because only a small percentage of clinicians choose bold risk-sharing reimbursement models, this news is important.

Next, a note on security. Maybe we should reprioritize clinicians’ defenses against the electronic record breaches we’ve been hearing so much about. An analysis found that the most common reason for an unauthorized release of data was an attack by insiders (43 percent). This contrasts with 26.8 percent from outside intruders. (The article doesn’t say how many records were compromised by each breach, though–if it had, the importance of outside intruders might have skyrocketed.) In any case, watch your audit logs and don’t trust your employees.
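
As an added illustration of the "watch your audit logs" advice above (example code written for this page, not from the cited analysis or any EHR product), the Python below runs two simple insider-access checks over a constructed access log: a clinical user opening a chart with no documented care relationship, and a user touching far more distinct patients in a day than their role's baseline, the pattern behind the large billing-record breach described earlier on this page. The log format, care-team roster, role baselines and user names are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR access-audit lines (hypothetical format, not from any
# real product): <ISO timestamp> <user> <role> <patient id> <action>.
LOG_LINES = [
    "2017-03-01T08:02:11Z nurse_a nurse P0001 VIEW_CHART",
    "2017-03-01T08:05:40Z nurse_a nurse P0002 VIEW_CHART",
    "2017-03-01T08:09:02Z nurse_a nurse P0099 VIEW_CHART",   # not on her unit
    "2017-03-01T10:15:00Z dr_c physician P0001 VIEW_CHART",
    "2017-03-01T10:16:30Z dr_c physician P0001 UPDATE_ORDERS",
]
# A billing clerk paging through 300 distinct patients' billing records in a
# few hours (constructed, modelled on the rogue-insider pattern in the text).
LOG_LINES += [
    f"2017-03-01T{9 + i // 60:02d}:{i % 60:02d}:00Z clerk_b billing_clerk "
    f"P{1000 + i:04d} VIEW_BILLING"
    for i in range(300)
]

# Constructed care-team roster: which patients each clinical user is assigned to.
CARE_TEAM = {
    "nurse_a": {"P0001", "P0002"},
    "dr_c": {"P0001"},
}
# Roles that legitimately touch any account; they get only the volume rule.
NON_CLINICAL_ROLES = {"billing_clerk"}

# Assumed per-role ceiling on distinct patients viewed per day. In practice you
# would derive this from each role's historical distribution, not hard-code it.
ROLE_DAILY_BASELINE = {"nurse": 30, "physician": 40, "billing_clerk": 80}


def parse_line(line):
    """Split one audit line into a dict; raises ValueError on malformed input."""
    ts, user, role, patient, action = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user, "role": role, "patient": patient, "action": action,
    }


def analyze(lines):
    """Return a list of findings, one per suspicious access pattern."""
    findings = []
    per_user_day = defaultdict(set)   # (user, date) -> distinct patients seen
    roles = {}
    for line in lines:
        rec = parse_line(line)
        roles[rec["user"]] = rec["role"]
        per_user_day[(rec["user"], rec["ts"].date())].add(rec["patient"])

        # Rule 1: a clinical user opening a record with no documented
        # care relationship (billing staff are exempt from this rule).
        if (rec["role"] not in NON_CLINICAL_ROLES
                and rec["patient"] not in CARE_TEAM.get(rec["user"], set())):
            findings.append({
                "rule": "no_care_relationship",
                "user": rec["user"],
                "patient": rec["patient"],
                "ts": rec["ts"].isoformat(),
            })

    # Rule 2: distinct-patient volume above the role's daily baseline.
    for (user, day), patients in per_user_day.items():
        limit = ROLE_DAILY_BASELINE.get(roles[user], 20)
        if len(patients) > limit:
            findings.append({
                "rule": "volume_exceeds_baseline",
                "user": user,
                "date": day.isoformat(),
                "distinct_patients": len(patients),
                "baseline": limit,
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(LOG_LINES):
        print(finding)
```

Both rules are deliberately simple; a real deployment would also compare each user against peers in the same role and unit, and would treat exports and print actions as higher-weight events than single chart views.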

In a bracing and rare moment of candor, President Obama and Vice President Biden (remember them?) sharply criticized current EHRs for lack of interoperability. Other articles during the year showed that the political leaders were on target, as interoperability–an odd health care term for what other industries call “data exchange”–continues to be just as elusive as ever. Only 30% of hospitals were able to exchange data (although the situation has probably improved since the 2015 data used in the study). Advances in interoperability were called “theoretical” and the problem was placed into larger issues of poor communication. The Harvard Business Review weighed in too, chiding doctors for spending so much money on systems that don’t communicate.

The controversy sharpened as fraud charges were brought against a major EHR vendor for gaming the certification for Meaningful Use. A couple of months later, strangely, the ONC weakened its certification process and announced it would rely more on the vendors to police themselves.

A long article provided some historical background on the reasons for incompatibility among EHRs.

Patients, as always, are left out of the loop: an ONC report finds improvements but many remaining barriers to attempts by patients to obtain the medical records that are theirs by law. And should the manufacturers of medical devices share the data they collect with patients? One would think it an elementary right of patients, but guidance released this year by the FDA was remarkably timid, pointing out the benefits of sharing but leaving it as merely a recommendation and offering big loopholes.

The continued failure to exchange data–which frustrates all attempts to improve treatments and cut costs–has led to the question: do EHR vendors and clinicians deliberately introduce technical measures for “information blocking”? Many leading health IT experts say no. But a study found that explicit information blocking measures are real.

Failures in interoperability and patient engagement were cited in another paper.

And we can’t leave interoperability without acknowledging the hope provided by FHIR. A paper on the use of FHIR with the older Direct-based interoperability protocols was released.

We’ll make our way through the rest of year and look at some specific technologies in the next part of the article.

Health Data Tracking Is Creeping Into Professional Sports

Posted on October 27, 2017 | Written By

Anne Zieger

Pro athletes are used to having their performance tracked minutely, not only by team owners but also by legions of fans for whom data on their favorite players is a favored currency. However, athletic data tracking has taken on a new shape with the emergence of wearable devices.

For example, in spring of last year, Major League Baseball approved two devices for use during games, the Motus Baseball Sleeve, which tracks stress on elbows, and the Zephyr Bioharness, which monitors heart and breathing rates, skin temperature and sleep cycle.

In what must be a disappointment to fans, data from the devices isn’t available in real time and only can be downloaded after games. Also, clubs use the data for internal purposes only, which includes sharing it with the player but no one else. Broadcasters and other commercial entities can’t access it.

More recently, in April of this year, the National Football League Players Association struck a deal with wearables vendor WHOOP under which its band will track athletes’ performance data. The WHOOP Strap 2.0 measures data 100 times per second then transmits the data automatically to its mobile and web apps for analysis and performance recommendations.

Unlike with the MLB agreement, NFL players own and control the individual data collected by the device, and retain the rights to sell their WHOOP data through the Players Association group licensing program.

Not all athletes are comfortable with the idea of having their performance data collected. For example, as an article in The Atlantic notes, players in the National Basketball Association included the right to opt out of using biometric trackers in their latest collective-bargaining agreement, which specifies that teams requesting a player wear one explain in writing what’s being tracked and how the team will use the information. The agreement also includes a clause stating that the data can’t be used or referenced as part of player contract negotiations.

Now, it’s worth taking a moment to note that concerns over the management of professional athlete performance data fall into a different bucket than the resale of de-identified patient data. The athletic data is generated only during the game, while consumer wearables collect data the entire time a patient is awake and sometimes when they sleep. The devices targeting athletes are designed to capture massive amounts of data, while consumer wearables collect data sporadically and perhaps not so accurately at times.

Nonetheless, the two forms of data collection are part of a larger pattern in which detailed health data tracking is becoming the norm. Athletic clubs may put it to a different purpose, but both consumer and professional data use are part of an emerging trend in which health monitoring is a 24/7 thing. Right now, consumers themselves generally can’t earn money by selling their individual data, but maybe there should be an app for that.

FDA Announces Precertification Program For Digital Health Tools

Posted on October 5, 2017 | Written By

Anne Zieger

The FDA has recruited some of the world’s top technology and medical companies to help it pilot test a program under which digital health software could be marketed without going through the agency’s entire certification process.

The participants, which include Apple, Fitbit, Johnson & Johnson, Samsung and Roche, will give the agency access to the measures they’re using to develop, test and maintain their software, and also how they collect post-market data.

Once armed with this information, the FDA will leverage it to determine the key metrics and performance indicators it uses to see if digital health software meets its quality standards.

Companies that meet these new standards could become pre-certified, a status which grants them a far easier path to certification than in the past. This represents a broad shift in the FDA’s regulatory philosophy, “looking first at the software developer/digital health technology developer, not the product,” according to a report previously released by the agency.

If the pilot works as planned, the FDA is considering making some significant changes to the certification process. If their processes pass muster, pre-certified companies may be allowed to submit less information to the FDA than they currently must before marketing a new digital health tool. The agency is also considering the more radical step of allowing pre-certified companies to avoid submitting a product for premarket review in some cases. (It’s worth noting that these rules would apply to lower-risk settings.)

The prospect of pre-certifying companies does raise some concerns. In truth, the argument could be made that digital health software should be regulated more tightly, not less. In particular, the mobile healthcare world is still something of a lawless frontier, with very few apps facing privacy, security or accuracy oversight.

The fact is, it’s little wonder that physicians aren’t comfortable using mobile health app data given how loosely it can be constructed at times, not to mention the reality that it might not even measure basic vital signs reliably.

It’s not that the healthcare industry isn’t aware of these issues. About a year ago, a group of healthcare organizations including HIMSS, the American Medical Association and the American Heart Association came together to develop a framework of principles addressing app quality. Still, that’s far short of establishing a certification body.

On the other hand, the FDA does have a point when it notes that a pre-certification program could make it easier for useful digital health tools to reach the marketplace. Assuming the program is constructed well, it seems to me that this is a good idea.

True, it’s pretty unusual to see the FDA loosen up its certification process – a fairly progressive move for a stodgy agency – while the industry fails to self-regulate, but it’s a welcome change of style. I guess digital health really is changing things up.


Will Medical Device Makers Get Interoperability Done?

Posted on September 20, 2017 | Written By

Anne Zieger

Most of the time, when I think about interoperability, I visualize communication between various database-driven applications, such as EMRs, laboratory information systems and claims records. The truth is, however, that this is a rather narrow definition of interoperability. It’s time we take medical device data into account, the FDA reminds us.

In early September, the FDA released its final guidance on how healthcare organizations can share data between medical devices and other information systems. In the guidance, the agency asserts that the time has come to foster data sharing between medical devices, as well as data exchange between devices and information systems like the ones I’ve listed above.

Specifically, the agency is offering guidelines to medical device manufacturers, recommending that they:

  • Design devices with interoperability in mind
  • Conduct appropriate verification, validation and risk management to ensure interoperability
  • Make sure users clearly understand the device’s relevant functional, performance and interface characteristics

Though these recommendations are interesting, I don’t have much context on their importance. Luckily, Bakul Patel has come to the rescue. Patel, who is associate director for digital health at the FDA’s Center for Devices and Radiological Health, offered more background on medical device interoperability in a recent blog entry.

As the article points out, the stakes here are high. “Errors and inadequate interoperability, such as differences in units of measure (e.g., pounds vs. kilograms) can occur in devices connected to a data exchange system,” Patel writes. Put another way, in non-agency-speak, incompatibilities between devices and information systems can hurt or even kill patients.

Unfortunately, device-makers seem to be doing their own thing when it comes to data sharing. While some consensus standards exist to support interoperability, specifying things like data formats and interoperability architecture design, manufacturers aren’t obligated to choose any particular standard, Patel notes.

Honestly, the idea of varied medical devices using multiple data formats sounds alarming to me. But Patel seems comfortable with the idea. He contends that if device manufacturers explain carefully how the standards work and what the interface requires, all will be well.

All told, if I’m understanding all this correctly, the FDA is fairly optimistic that the healthcare industry can network medical devices on the IoT with traditional information systems.

I’m glad that the agency believes we can work this out, but I’d argue that such optimism may be premature. Patel’s assurances raise a bunch of questions for me, including:

  • Do we really need another set of competing data exchange standards to resolve, this time for medical device interoperability?
  • If so, how do we reconcile the consensus medical device standards with consensus information system standards?
  • Do we need to insist that manufacturers provide more-consistent software upgrades for the devices before interoperability efforts make sense?

Hey, I’m sure medical device manufacturers want to make device-to-device and device-to-database data sharing as simple and efficient as possible. That’s what their customers want, after all.

Unfortunately, though, the industry doesn’t have a great track record even for maintaining their devices’ operating systems or patching industrial-grade security holes. Designing devices that handle interoperability skillfully may be possible, but will device-makers step up and get it done anytime soon?

A Programmatic Approach to Print Security

Posted on July 17, 2017 | Written By

The following is a guest blog post by Sean Hughes, EVP Managed Document Services at CynergisTek.

Print devices are a necessary tool to support our workflows but at the same time represent an increasing threat to the security of our environment.

Most organizations today have a variety of devices: printers, copiers, scanners, thermal printers and even fax machines that make up their “print fleet”. This complex fleet often represents a wide variety of manufacturers, makes and models of devices critical to supporting the business of healthcare.

Healthcare organizations continue to print a tremendous amount of paper as evidenced by an estimated 11% increase in print despite the introduction of the EHR and other new systems (ERPs, CRMs, etc.). More paper generally means more devices, and more devices means more risk, resulting in increased security and privacy concerns.

Look inside most healthcare organizations today and even those with a Managed Print Services program (MPS) probably have a very disjointed management responsibility of their inventory. Printers are most often the responsibility of IT, copiers run through supply chain with the manufacturer providing support, and fax machines may even be part of Telecommunications. Those organizations that have an MPS provider probably don’t have all devices managed under that program – what about devices in research or off-site locations, or what if you have an academic medical facility or are part of a university?

These devices do have a couple of things in common that are of concern – they are somehow connected to your network and they hold or process PHI.

This fact and the associated risk require an organization to look at how these devices are being managed and whether the responsibility for security and privacy is being met. Are they part of your overall security program, does your third party manage that for you, do you even know where they all are and what risks are in your fleet today? If multiple organizations manage them, do they follow consistent security practices?

Not being able to answer these questions is a source of concern and probably means that the risk is real. So how do we resolve this?

We need to take a programmatic approach to print and print security to ensure we are addressing the whole. Let’s lay out some steps to accomplish this.

  • Know your environment – the first thing we must do is identify ALL print devices in our organization. This includes printers, scanners, copiers, thermals, and fax machines, whether they are facility owned, third-party managed, networked or local, or sitting in a storage room.
  • Assess your risk – perform a comprehensive security risk assessment of the entire fleet and develop a remediation plan. This is not a one-time event but rather needs to be part of your overall security plan.
  • Assign singular ownership of assets – either through an internal program or a third-party program, the healthcare organization should fold all print-related devices into a single program for accountability and management.
  • Workflow optimization – you probably have millions of dollars of software in your organization that is the source of the output of these devices. Even more was spent securing the environment these applications are housed in, and accessed from, to make sure the data is secure and privacy is maintained. The data in those systems is at its lowest price point, most efficient from a workflow standpoint, and most secure – yet every time we hit print we multiply the cost, decrease the operational efficiency and increase the risk to that data.
  • Decrease risk – while it is great that we identify all the devices, assess and document risk and develop a mitigation/remediation plan, the goal should be to put controls in place to stem the proliferation of devices and ultimately to begin the process of decreasing the unnecessary devices, thereby eliminating the risk associated with those devices.

The concept of trying to reduce the number of printers from a cost perspective is not new to healthcare. However, many have achieved mixed results, even those that have used an MPS partner. That generally happens because they are focused on the wrong things.

The best way to accomplish a cost-effective print program is to understand what is driving the need, or want, for printers, and that is volume. You don’t need a print device if you don’t need to print. I know it sounds like I am talking about the nirvana that is the paperless environment, but I am not. This is simply understanding what is being printed unnecessarily, and where, and eliminating it, thereby eliminating the underlying need for the associated device and, with it, the inherent security risk as well as the privacy concern of the printed page. Refocusing on volume helps us solve many problems simultaneously.

Putting a program in place that provides this visibility, and using that data to make the decisions on device reduction can significantly reduce your current risk. Couple this with security and privacy as part of your acquisition determination, and you can make intelligent decisions that ensure you only add those devices you need, and when you do add a device it meets your security and privacy requirements. More often than not the first line of defense in IT is better management of the environment.

No Duh, FTP Servers Pose PHI Security Risk

Posted on April 12, 2017 | Written By Anne Zieger

The File Transfer Protocol is so old – it was published in April 1971 – that it once ran on NCP, the predecessor of TCP/IP. And surprise, surprise, it’s not terribly secure, and was never designed to be so either.

Security researchers have pointed out that FTP servers are susceptible to a range of problems, including brute force attacks, FTP bounce attacks, packet capture, port stealing, spoofing attacks and username enumeration.

Also, like many IP specifications designed before standard encryption approaches such as SSL were available, FTP servers don’t encrypt traffic: all transmissions are in clear text, with usernames, passwords, commands and data readable by anyone sniffing the network.

So why am I bothering to remind you of all of this? I’m doing so because according to the FBI, cybercriminals have begun targeting FTP servers and, in doing so, accessing personal health information. The agency reports that these criminals are attacking anonymous FTP servers associated with medical and dental facilities. Plus, many of these facilities don’t even know they have these servers running.

Getting into these servers is a breeze, the report notes. With anonymous FTP servers, attackers can authenticate to the FTP server using meaningless credentials like “anonymous” or “ftp,” or use a generic password or email address to log in. Once they gain access to PHI, and personally identifiable information (PII), they’re using it to “intimidate, harass, and blackmail business owners,” the FBI report says.

As readers may know, once these cybercriminals get to an anonymous FTP server, they can not only attack it, but also gain write access to the server and upload malicious apps.

Given these concerns, the FBI is recommending that medical and dental entities ask their IT staff to check their networks for anonymous FTP servers. And if they find any, the organization should at least be sure that PHI or PII aren’t stored on those servers.
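As an added example (not code from the original post or from the FBI notice), here is a small Python helper that performs the check recommended above against hosts in your own device inventory: does an FTP service accept the anonymous account? The stub server is constructed only so the helper can be exercised offline; the 127.0.0.1 addresses, ports and reply texts are assumptions.

```python
import socket
import threading
from ftplib import FTP, error_perm


def anonymous_login_allowed(host, port=21, timeout=5):
    """True if host:port accepts the anonymous FTP account, False if it rejects
    it, None if nothing speaking FTP answers. ftplib.login() with no arguments
    sends USER anonymous / PASS anonymous@, the meaningless credentials the
    FBI notice describes."""
    try:
        with FTP() as ftp:
            ftp.connect(host, port, timeout=timeout)
            ftp.login()
            return True
    except error_perm:            # 5xx reply to USER/PASS: anonymous rejected
        return False
    except (OSError, EOFError):   # refused, timed out, or not an FTP service
        return None


def audit(targets, timeout=5):
    """Map each (host, port) from your device inventory to its login status."""
    return {(h, p): anonymous_login_allowed(h, p, timeout) for h, p in targets}


def stub_ftp_server(allow_anonymous):
    """Constructed FTP responder on 127.0.0.1 (USER/PASS/QUIT only) so the
    audit can run offline; returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"220 stub FTP service ready\r\n")
        for line in conn.makefile("rb"):
            if line.upper().startswith(b"USER"):
                conn.sendall(b"331 Please specify the password.\r\n")
            elif line.upper().startswith(b"PASS"):
                conn.sendall(b"230 Login successful.\r\n" if allow_anonymous
                             else b"530 Login incorrect.\r\n")
            else:                          # QUIT or anything unexpected
                conn.sendall(b"221 Goodbye.\r\n")
                break
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run `audit()` over the FTP entries of your own asset inventory; any `True` result is a server that should either be decommissioned or at least stripped of PHI and PII.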

The obvious question here is why healthcare organizations would host an anonymous FTP server in the first place, given its known vulnerabilities and the wide variety of available alternatives. If nothing else, why not use Secure FTP, which adds encryption for passwords and data transmission while retaining the same interface as basic FTP? Or what about using the HTTP or HTTPS protocol to share files with the world? After all, your existing infrastructure probably includes firewalls, intrusion detection/prevention solutions and other technologies already tuned to work with web servers.

Of course, healthcare organizations face a myriad of emerging data security threats. For example, the FDA is so worried about the possibility of medical device attacks that it issued agency guidance on the subject. The agency is asking both device manufacturers and healthcare facilities to protect medical devices from cybersecurity threats. It’s also asking hospitals and healthcare facilities to see that they have adequate network defenses in place.

But when it comes to hosting anonymous FTP servers on your network, I’ve got to say “really?” This has to be a thing that the FBI tracks and warns providers to avoid? One would think that most health IT pros, if not all, would know better than to expose their networks this way. But I suppose there will always be laggards who make life harder for the rest of us!

Health IT Leaders Struggle With Mobile Device Management, Security

Posted on January 30, 2017 | Written By Anne Zieger

A new survey on healthcare mobility has concluded that IT leaders aren’t thrilled with their security arrangements, and that a significant minority don’t trust their mobile device management solution either. The study, sponsored by Apple device management vendor Jamf, reached out to 550 healthcare IT leaders in the US, UK, France, Germany and Australia working in organizations of all sizes.

Researchers found that 83% of organizations offer smartphones or tablets to their providers, and that 32% of survey respondents hope to offer mobile devices to consumers getting outpatient care over the next two years. That being said, they also had significant concerns about their ability to manage these devices, including questions about security (83%), data privacy (77%) and inappropriate employee use (49%).

The survey also dug up some tensions between their goals and their capacity to support those goals. Forty percent of respondents said staff access to confidential medical records while on the move was their key reason for their mobile device strategy. On the other hand, while 84% said that their organization was HIPAA-compliant, almost half of respondents said that they didn’t feel confident in their ability to adapt quickly to changing regulations.

To address their concerns about mobile deployments, many providers are leveraging mobile device management platforms. Of those organizations that either have or plan to put an MDM solution in place, 80% cited time savings and 79% cited enhanced employee productivity as the main benefits they hoped to realize.

Those who had rolled out an MDM solution said the benefits have included easier access to patient data (63%), faster patient turnaround (51%) and enhanced medical record security (48%). At the same time, 27% of respondents whose organizations had an MDM strategy in place said they didn’t feel especially confident about the capabilities of their solution.

In any event, it’s likely that MDM can’t solve some of the toughest mobile deployment problems faced by healthcare organizations anyway.

Health organizations that hope to leverage independently-developed apps will need to vet them carefully, as roughly one-quarter of these developers didn’t have privacy policies in place as of late last year. And the job of selecting the right apps is a gargantuan one. With the volume of health apps hitting almost 260,000 across the Google and Apple app marketplaces, it’s hard to imagine how any provider could keep up.

So yes, the more capabilities MDM systems can offer, the better. But choosing the right apps with the right pedigree strikes me as posing an even bigger challenge.