
California’s Information Privacy for Connected Devices Law is a Good Start, But Doesn’t Apply to Healthcare

Posted on December 13, 2018 | Written By

The following is a guest blog post by Mike Nelson, Vice President of IoT Security, DigiCert.

As the nation’s most populous state, California often serves as an incubator for national legislative and regulatory policy, and it’s great to see them take a leadership position in IoT cybersecurity. The announcement of California’s ‘IoT Cybersecurity Law’ is a move in the right direction. The new law will require manufacturers of connected devices to produce them with “reasonable” security features.

However, this law specifically excludes healthcare IoT devices. It states that a covered entity, provider of healthcare, business associate, healthcare service plan, contractor, employer, or any other person subject to HIPAA or the Confidentiality of Medical Information Act shall not be subject to this title with respect to any activity regulated by those acts.

While HIPAA has made great strides to help protect the privacy of personal health information, it does very little to protect the many connected medical devices that are in use today. California lawmakers missed an opportunity to drive strong IoT security requirements that protect consumers and the data they want kept confidential.

Additionally, this law will not solve the majority of cybersecurity issues that are being found in IoT devices. For example, the law requires good password practices, which includes the elimination of hard-coded passwords. While this is a security best practice and is important for user authentication, it doesn’t cover the many back-end connections that also need to be authenticated, such as over-the-air updates. Asking for “reasonable” security features to be produced simply isn’t directional enough. It misses an opportunity to drive requirements around essential cybersecurity practices, like encryption of sensitive data, risk assessments, authenticating all connections to a device, and digitally signing code to ensure integrity.

A general rule of cybersecurity and connectivity is that whenever something becomes connected, it will eventually get hacked. The risks inherent with connected devices are real – especially in healthcare where in many cases, people rely on these devices to sustain life. The risks of connectivity are diverse, including intercepting and manipulating sensitive data, or embedding malware that causes a device to malfunction and cause harm to a patient. These risks not only can impact patients; they can also harm the device manufacturers.

St. Jude Medical, now Abbott Laboratories, learned this the hard way. A hacking organization publicized a vulnerability in a cardiac device after purchasing a short position in the company’s stock. Upon release of this vulnerability, the company’s stock dropped significantly, causing financial and reputational damage to St. Jude. Considering all these risks, and the many others I haven’t mentioned, it becomes clear that simply putting in place good password protections isn’t enough. More direction is needed. While it may sound like I’m advocating for stronger regulation, I’m not. I believe industries do much better when they come together and collaboratively develop best practices that are broadly adopted. Regulators can only do so much. Real solutions require the in-depth knowledge of healthcare practices and what the market can bear – something only companies and practitioners can tackle effectively, but the private sector needs to do more.

We need to begin looking at security more broadly than just hardcoded passwords. As a healthcare industry, we need to practice robust penetration testing and work to develop risk assessments on all connected medical devices. We need to make the encryption of sensitive data, both at rest and in transit, standard practice. No medical device should accept an unauthenticated message. No code or package should be executed on a device that is absent a digital signature verifying trust. Driving requirements around these types of best practices would have a much greater effect on the security of connected devices than the new California law currently does.
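The two rules in the paragraph above (accept no unauthenticated message, execute no code that lacks a verified signature) applied to an over-the-air update, as an added example that is not from the post, DigiCert, or any vendor: the device holds only the vendor’s public key, verifies an Ed25519 signature over the version and image before doing anything else, and refuses to go backwards in version. The package format, the version-binding digest and the rollback check are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a constructed, minimal over-the-air update format used only for
// this illustration (assumption: not any real vendor's format). The vendor's release
// key signs SHA-256(version || image), so the version is covered by the signature.
type UpdatePackage struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("update rejected: signature missing or invalid")
	ErrRollback     = errors.New("update rejected: version is not newer than the installed one")
)

// digest binds the version number to the image; without this, a genuinely signed
// but older image could be re-labelled with a higher version number.
func digest(version uint32, image []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(image)
	return h.Sum(nil)
}

// SignUpdate runs in the vendor's release pipeline; the private key never leaves it.
func SignUpdate(priv ed25519.PrivateKey, version uint32, image []byte) UpdatePackage {
	return UpdatePackage{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(priv, digest(version, image)),
	}
}

// Device models what the medical device itself holds: only the vendor's public key
// (provisioned at manufacture) and the version it is currently running.
type Device struct {
	VendorPub        ed25519.PublicKey
	InstalledVersion uint32
}

// AcceptUpdate is the device-side gate. The signature is checked before the package
// is used for anything, and a valid signature alone is not enough: the version must
// move forward, so a captured old release cannot be replayed to downgrade the device.
func (d *Device) AcceptUpdate(p UpdatePackage) error {
	if len(p.Signature) != ed25519.SignatureSize ||
		!ed25519.Verify(d.VendorPub, digest(p.Version, p.Image), p.Signature) {
		return ErrBadSignature
	}
	if p.Version <= d.InstalledVersion {
		return ErrRollback
	}
	d.InstalledVersion = p.Version // the actual install would happen here
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{VendorPub: pub, InstalledVersion: 3}

	good := SignUpdate(priv, 4, []byte("firmware v4 (constructed sample image)"))
	fmt.Println("signed v4: ", dev.AcceptUpdate(good)) // <nil>: accepted

	tampered := good
	tampered.Image = append([]byte(nil), good.Image...)
	tampered.Image[0] ^= 0xff // one flipped byte invalidates the signature
	fmt.Println("tampered:  ", dev.AcceptUpdate(tampered))

	fmt.Println("unsigned:  ", dev.AcceptUpdate(UpdatePackage{Version: 5, Image: []byte("x")}))

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key the device was never provisioned to trust
	fmt.Println("wrong key: ", dev.AcceptUpdate(SignUpdate(otherPriv, 6, []byte("y"))))

	fmt.Println("rollback:  ", dev.AcceptUpdate(SignUpdate(priv, 2, []byte("old release"))))
}
```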

Though the IoT Cybersecurity Law is primitive in its protections and lacks many details to require strong security measures that would move the needle, at least California is trying to do something – absent the development of industry standards by collaborative groups. As the first of its kind at the state level, the effort should be applauded, as California is recognizing the need for manufacturers to address cybersecurity in the manufacturing process for connected devices. Time will tell if manufacturers will take responsibility and the initiative for security themselves, before further regulation requires them to act.

Balancing Simplicity With the Exploding Challenges of Medical Device Security

Posted on December 3, 2018 | Written By

The following is a guest post by Gus Malezis, President and CEO of Imprivata.

The digitization of healthcare has allowed healthcare organizations to utilize robust technology such as network-connected medical devices to help improve both patient care and provider experience across the entire care continuum. Within this Internet of Medical Things (IoMT), medical devices can track and monitor patient stats, provide diagnostic information, help ensure lifesaving care delivery, and even make recommendations on treatment and clinical decision support – all while communicating directly with healthcare IT systems to ensure more complete and accurate patient medical records.

With these benefits of digitally connected medical devices, however, we now must consider and address a series of issues that are introduced with network connectivity and automated data integration; issues that relate to patient health and safety, cybersecurity, and compliance.

Simply put, advanced network-connected technology opens these devices to the risk of exploitation and compromised patient safety from both internal and external threats. Whether it’s an uninformed patient making changes to an unlocked infusion pump, someone stealing valuable protected health information (PHI) stored on an unattended device, or a cybercriminal using a network-connected medical device to gain backdoor access to a hospital’s entire network or disable the function of the devices (for the purpose of extracting a ransom), medical devices are now a source of risk for both healthcare organizations and patients. Compounding this issue is the fact that medical devices frequently run outdated operating systems and applications, all of which are difficult, or even impossible, to patch or otherwise protect with other standard security measures.

By 2020, the number of IoT devices is expected to reach 20.4 billion, and the number of IoMT devices is expected to reach 161 million. These numbers of incremental networked devices are truly staggering, which proportionally increases the risks of hacking, compliance, and health and safety. Clearly, healthcare IT can no longer afford to manage medical devices under current security protocols.

How locking down affects provider workflow

To address this threat and mitigate the risk posed by IoMT devices, organizations naturally look to implement security systems and tools that will safeguard the devices, enable only authorized personnel to interact and adjust/calibrate the devices, and safeguard access to patient records, clinical applications, and other sensitive data. Before implementing such solutions, however, healthcare organizations should consider several factors – particularly those relating to workflow.

Unlike other industries, healthcare can’t simply lock down information by building multi-layer security. Additionally, the focus is always on patient care, so minutes…and even seconds…truly matter, and clinicians need fast, unimpeded access to patient information. Layering in cumbersome security protocols has the potential to introduce new workflows, or create barriers to care. It is therefore critical that healthcare systems designers and architects consider several key factors when evaluating security options.

For starters, think about workflow integration: Any security tool should allow for optimal workflow efficiency among users, and that means the clinical staff and providers should not need to be “trained” on something new, or adopt a new workflow. Ideally, this means finding flexible and easy-to-use security tools that meet current existing workflows and preferences. Choosing easy-to-use options allows security to be transparent so providers can focus on patient care, not on technology. For example, clinicians are accustomed to Tap-in and Tap-out (TITO) technology as a means of accessing Windows-based HIT systems. This same workflow should be integrated and facilitated in anything new, thereby enabling secure and compliant access by utilizing a current, well-known and adopted workflow. This is a win-win-win: the clinical staff win by using the same workflow, while IT, Cybersecurity, and Compliance teams also achieve their goals.

Another key factor is extensibility to other workflows: The need for security stretches across a number of different business and clinical workflows and applications. Healthcare organizations should look into a solution that provides the extensibility to meet all workflow needs, with the same consistent and transparent workflow model.

Addressing this challenge requires fast, efficient, and secure authentication for all devices that require security, including medical devices. For medical devices already requiring user authentication, appropriate security tools can improve efficiency by replacing the cumbersome manual entry of usernames and passwords with fast, automated authentication through the simple tap of a badge. Here we want to leverage the same consistent and transparent workflow model.

This way, organizations can optimize their use of interconnected medical devices to improve the delivery of care. They also maintain security and meet regulatory compliance requirements while ensuring efficiency for providers and giving them more time to focus on patient care.

Focusing on physical security and ID/Access control can enable the right balance — something that’s uniquely necessary in healthcare. A healthcare organization’s medical device access security plan should be part of a comprehensive identity and multifactor authentication platform for fast, secure authentication workflows across the healthcare enterprise. The medical device piece should combine security and convenience by enabling fast, secure authentication across enterprise workflows while creating a secure, auditable chain of trust wherever, whenever, and however users interact with patient records and other sensitive data.

As organizations are tuning in to the unique challenges of the IoMT era, it’s time to implement foundational security best practices with modalities that are tailored specifically to clinical workflows. Doing so achieves the balance necessary to ensure both security and flexibility.

About Gus Malezis
Gus Malezis is the President and Chief Executive Officer of Imprivata. Gus is widely recognized as a visionary leader in the information technology security industry where he brings more than 30 years of experience driving innovation and growth while building market leading organizations. Prior to joining Imprivata, Gus was most recently the President of Tripwire, a leading global provider of endpoint detection and response, security and compliance solutions. In his career, Gus has built a strong track record of delivering growth and innovation for leading technology and security companies such as Tripwire, McAfee, and 3Com.

Cybersecurity Confidence and Cybersecurity Maturity

Posted on November 21, 2018 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Cybersecurity is the number one topic on most healthcare CIOs’ minds. It’s the number one thing that keeps them up at night. No doubt, it’s become one of the most challenging parts of their job.

These facts were illustrated really well in this chart that CIO David Chou shared on CIOs’ self-reported confidence in IT security.

There’s been a drop in security trust in almost every industry, but the drop in healthcare’s trust in IT security is dramatic. As David Chou mentions, it’s likely due to all the incidents of ransomware and malware that have been all over healthcare.

What then can an organization do to improve this situation? What’s the right approach to be able to improve your confidence in your IT security?

David Chou also offered a great response to these questions in this cybersecurity maturity chart and the key to successfully implementing what’s in this chart:


There’s little doubt that effective cybersecurity takes the entire organization being on board. It can’t just be the job of the CIO or CEO or CISO. If that’s the case, it will fail and a breach will occur.

Looking at this chart, how is your organization doing on cybersecurity? How mature are your efforts? Is there room to improve?

A HIPAA Life Sentence… and SO Many Lessons

Posted on November 15, 2018 | Written By

Mike Semel is a noted thought leader, speaker, blogger, and best-selling author of HOW TO AVOID HIPAA HEADACHES . He is the President and Chief Security Officer of Semel Consulting, focused on HIPAA and other compliance requirements; cyber security; and Business Continuity planning. Mike is a Certified Business Continuity Professional through the Disaster Recovery Institute, a Certified HIPAA Professional, Certified Security Compliance Specialist, and Certified Health IT Specialist. He has owned or managed technology companies for over 30 years; served as Chief Information Officer (CIO) for a hospital and a K-12 school district; and managed operations at an online backup company.

In 2012 Accretive Health Care was banned from doing business in Minnesota for 2 – 6 years for a HIPAA violation.

In 2018 New York State suspended a nurse’s license for a year for a HIPAA violation.

But, a life sentence?

The New Jersey Attorney General announced a $200,000 HIPAA and consumer fraud penalty against an out-of-business Georgia medical transcription company. In 2016 ATA Consulting LLC d/b/a Best Medical Transcription breached the medical records of over 1,650 people treated by three New Jersey healthcare providers by publicly exposing their medical records to the Internet. And, their customer, Virtua Health, paid a $418,000 settlement for violations of both HIPAA and the New Jersey Consumer Fraud Act.

Tushar Mathur, owner of Best Medical Transcription, agreed to a permanent ban on managing or owning a business in New Jersey.

Wow.

A life sentence for a HIPAA violation.

And the medical clinic paying a $418,000 penalty for the actions of its vendor.

By a state, not the federal government.

What can you learn from this?

1. It’s shocking to see how many servers have been misconfigured, or how much protected data has been stored on web servers, exposing patient records to the Internet. These HIPAA penalties were all for exposing patient records through the Internet:

LESSONS –

  • Have your servers installed by a certified professional using a detailed checklist to ensure that no data is exposed to the Internet.
  • Make sure your organization has enough data breach insurance to cover millions of dollars in penalties; that you live up to all the requirements of your policy; and that you consistently implement the security controls you said you have in place on your insurance application.
  • Make sure your outsourced IT provider has enough Errors & Omissions insurance to cover your penalties

2. Many doctors and business owners tell me that “the federal government will never get them” or that they are “too small to be of interest” to federal regulators.

LESSONS –

  • Regulators go after small businesses, which doesn’t always make headlines. The Federal Trade Commission forced a 20-employee medical lab to go out of business. The business owner fought the FTC and ultimately won in court, but his business was gone.
  • Don’t ignore the risk that your state Attorney General (who probably wants to be governor) is looking for headlines about protecting consumers. The HITECH Act (2009) gave state Attorneys General the authority to enforce HIPAA. Violations also can be tied to consumer protection laws, not just HIPAA.
  • Lawyers are representing patients whose information was released without authorization. Patients have successfully sued doctors for HIPAA violations.
  • Doctors shouldn’t laugh off HIPAA or just complain (INCORRECTLY) that it interferes with patient care. A doctor went to jail for a HIPAA violation.

3. HIPAA is only one regulation with which you must comply.

LESSONS –

  • Don’t think that a ‘We Make HIPAA Easy’ web-based solution is enough to protect your assets from all your regulatory challenges.
  • Don’t think that a self-conducted Security Risk Analysis is a substitute for a professionally-designed HIPAA compliance program that will meet all the federal and state requirements you must follow.
  • Don’t think that an IT Security company doing a vulnerability or penetration test is a substitute for a HIPAA Security Risk Analysis or a robust compliance program.
  • Every state now has data breach laws the state Attorneys General love to enforce. These consumer protection laws protect Personally Identifiable Information (PII) held by medical practices. State laws have different requirements than HIPAA. For example, HIPAA requires that patients be notified no later than 60 days after a data breach. California requires just 15 days.
  • Because of the opioid crisis, many types of medical practices are now offering substance abuse treatment, which requires additional confidentiality measures. So do HIV, mental health, and STD treatments. You need to address all the regulations that apply to you.

4. Don’t blindly trust your vendors.

LESSONS –

  • Signing a Business Associate Agreement (BAA) isn’t evidence that your vendor really complies with HIPAA. According to the NJ Attorney General, Best Transcription signed a BAA with Virtua Health but:
      • Failed to conduct an accurate and thorough risk assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI it held;
      • Failed to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with the Security Rule;
      • Failed to implement policies and procedures to protect ePHI from improper alteration or destruction;
      • Failed to notify VMG of the breach of unsecured PHI; and
      • Improperly used and/or disclosed ePHI in contravention of its obligations under its Business Associate Agreement with VMG.

Make sure your vendors understand their HIPAA obligations. Even after five years, my experience is that many Business Associates have failed to keep up with the changes required by the 2013 HIPAA Omnibus Final Rule. Many talk about HIPAA in their sales and marketing but do not comply.

Remember that you are responsible for the actions of your vendors.

WHEN YOU ARE LYING AWAKE TONIGHT, ASK YOURSELF:

  • Are you really sure you can survive an investigation by your state attorney general?
  • Are you really sure your Business Associate vendors have conducted a HIPAA risk analysis; have implemented HIPAA security measures; have implemented HIPAA policies and procedures, are really protecting your PHI, and will notify you if there is a breach?
  • Are you willing to bet $418,000 (what Virtua paid) on it?
  • If you are a Business Associate, what do you think it will feel like if you are banned for life from doing business?

Doctors send patients to specialists all the time. Whether you are a medical provider or a vendor, do you have the trained and certified specialists you need who can help with all your regulatory challenges? Does your team need expert help to validate what you and your vendors are doing and to address any gaps?

Don’t risk your assets. Don’t risk a life sentence.


Number Of Health Data Breaches Grew Steadily Over Last Several Years

Posted on October 5, 2018 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

New research has found that while the number of patient records exposed per breach has varied widely, the number of health data breaches reported grew substantially between 2010 and 2017.

The study, which was conducted by researchers with Massachusetts General Hospital, was published in JAMA. Its aim was to look at the changes in data breach patterns as EHRs have come into wider use.

The authors analyzed 2,149 reported breaches over the previous seven years. The number of records breached per incident varied from 500 to almost 79 million patient records.

Researchers behind the study put reported breaches in three categories: those taking place at healthcare provider sites, within health plans, and at business associate locations.

One thing that stuck out from among the data points was that over that seven-year period, the number of breaches increased from 199 the first year to 344 in 2017. During that period, the only year that did not see an increase in incident volume was 2015.

Another notable if unsurprising conclusion drawn by the researchers was that while 70% of all breaches took place within provider organizations, incidents involving health plans accounted for 63% of all breached records.

Overall, the greatest number of patient records breached was due to compromised network servers or email messages. However, the top reasons for breaches have varied from year-to-year, the analysis found.

For example, the most common type of breach reported in 2010 was theft of physical records. The most commonly breached type of media that year was laptop computer data storage, followed by paper and film records.

Meanwhile, by 2017 data hacking or other information technology incidents accounted for the largest number of breaches, followed by unauthorized access to or disclosure of patient data. In addition, a large number of breaches could be attributed to compromised network servers or email messages.

The number of patient records exposed differed depending on what media was breached. For example, while the total of 510 breaches of paper and film records impacted about 3.4 million patient records, 410 breaches of network servers affected nearly 140 million records.

Being Honest About Your Reasons For Cybersecurity Decisions

Posted on August 16, 2018 | Written by Anne Zieger

This week, a team of McAfee researchers released a paper outlining a terrifying exploit. The paper describes, in great technical detail, how a malicious attacker could flip a cardiac rhythm display from 80 beats per minute to zero within less than five seconds.

This might not lead to severe harm or death, but it’s possible that other very negative outcomes could occur, notes Shaun Nordeck, MD, who’s quoted in the report. “Fictitious cardiac rhythms, even intermittent, could lead to extended hospitalization, additional testing, and side effects from medications prescribed to control heart rhythm and/or prevent clots,” he notes.

The paper does point out that if the bedside monitor is working normally, nurses have access to other accurate data, which could diminish the impact of such disruptions to some extent. However, the potential for adverse events is clearly higher than normal if someone scrambles a patient’s vitals.

Unfortunately, this is far from the only attack which wasn’t possible before connected devices became the norm. At various points, we’ve seen that pacemakers, insulin pumps and even MRIs can be hacked externally, particularly if their operating systems aren’t patched as required or haven’t put even basic security protections in place. (Think using “password” as a password.)

But while these vulnerabilities are largely known at this point, some healthcare organizations haven’t begun to tackle them. Solving these problems takes work and costs money. The best-intentioned CIO might not get the budget to fix these problems if their CEO doesn’t see them as urgent.

Or let’s say the budget is available to begin the counterattack. Even if everyone agrees to tackle connected device vulnerabilities, where do we begin? Which of these new connected health vulnerabilities are the most critical? On the one hand, hacking individual pacemakers doesn’t seem profitable enough to attract many cybercriminals. On the other, if I were a crook I might see the threat of meddling with a hospital’s worth of patient monitors to be a great source of ransom money.

And this brings us to some tough ethical questions. Should we evaluate these threats by how many patients would be affected, or how many of the sickest patients? How do we calculate the clinical impact of vital signs hacking vs. generating inaccurate MRI results? To what extent should the administrative impact of these attacks be a factor in deciding how to defeat these challenges, if at all?

I know you’re going to tell me that this isn’t an all or nothing proposition, and that to some extent standard network intrusion detection techniques and tools will work. I’m not disputing this. However, I think we need to admit out loud that these kinds of attacks threaten individual lives in a way that traditional cyberattacks do not. For that reason, we need to get honest about who we need to protect — and why.

More Than 3 Million Patient Records Breached During Q2 2018

Posted on August 15, 2018 | Written by Anne Zieger

A new study by data security vendor Protenus has concluded that more than 3 million patient records were breached during the second quarter of 2018, in a sharp swing upward from the previous quarter with no obvious explanation.

The Protenus Breach Barometer study, which drew on both reports to HHS and media disclosures, found that there were 143 data breach incidents between April and June 2018, affecting 3,143,642 patient records. The number of affected records has almost tripled from Q1 of this year, when 1.13 million records were breached.

During this quarter, roughly 30% of privacy violations were by healthcare organizations that had previously reported a data breach. The report suggests that this is because they might not have identified existing threats or improved security training for employees. (It could also be because cyberattackers smell blood in the water.)

Protenus concluded that among hospital teams, an investigator monitors around 4,000 EHR users, and that each was responsible for an average of 2.5 hospitals and 25 cases. The average case took about 11 days to resolve, which sounds reasonable until you consider how much can happen while systems remain exposed.

With investigators being stretched so thin, not only external attackers but also internal threats become harder to manage. The research found that on average, 9.21 per 1,000 healthcare employees breached patient privacy during the second quarter of this year. This is up from 5.08 employee threats found during Q1 of this year, which the study attributes to better detection methods rather than an increase in events.

All told, Protenus said, insiders were responsible for 31% of the total number of reported breaches for this period. Among incidents where details were disclosed, 422,180 records were breached, or 13.4% of total breached patient records during Q2 2018. The top cause of data breaches was hacking, which accounted for 36.62% of disclosed incidents. A total of 16.2% of incidents involved loss or theft of data, with another 16.2% due to unknown causes.

In tackling insider events, the study sorted such incidents into two groups, “insider error” or “insider wrongdoing.” Its definition for insider error included incidents which had no malicious intent or could otherwise be qualified as human error, while it described the theft of information, snooping in patient files and other cases where employees knowingly violated the law as insider wrongdoing.

Protenus found 25 publicly-disclosed incidents of insider error between April and June 2018. The 14 for which details were disclosed affected 343,036 patient records.

Meanwhile, the researchers found 18 incidents involving insider wrongdoing, with 13 events for which data was disclosed. The number of patient records breached as a result of insider wrongdoing climbed substantially over the past two quarters, from 4,597 during Q1 to 70,562 during Q2 of 2018.

As in the first quarter, the largest category of insider-related breaches (71.4%) between April and June 2018 was healthcare employees taking a look at family members’ health records. Other insider wrongdoing incidents included phishing attacks, insider credential sharing, downloading records for sale and identity theft.

HIPAA Security Infographic

Posted on August 6, 2018 | Written by John Lynn

There are a lot of nuances to HIPAA. Hopefully, you’ve addressed them as part of your security risk analysis and any mitigation work that’s required as part of that analysis. Unfortunately, even an organization that does a solid HIPAA security risk analysis often doesn’t communicate what was done in that analysis to the rest of the organization.

With this in mind, I found this HIPAA security infographic by eFax to be valuable for those that aren’t deep in the nuances of HIPAA, but that want a quick overview of some common HIPAA issues that they should know about.

Healthcare Security Humor – Fun Friday

Posted on August 3, 2018 | Written by John Lynn

After Mike Semel’s recent post on embarrassment, career suicide, or jail, it may seem a bit ironic to offer some healthcare security humor. That’s exactly why we think it’s good to share some healthcare security humor. We love irony and we often have to remember that what we do is extremely serious, but we shouldn’t take ourselves too seriously. Plus, humor can often get a point across in a way that is extremely memorable. That’s how I felt when I saw the healthcare security cartoon below:

This cartoon reminds me of the hospital CIO who told me “I’m most concerned with the 21,000 security vulnerabilities that existed in my organization. I’m talking about the 21,000 employees.” This is a real problem and one that many people don’t take seriously enough in healthcare. It’s not something you can just put as a line item on a budget. It takes shaping the culture of your organization, and that’s hard, but essential.

Healthcare CIOs Focused On Patient Experience And Innovation

Posted on August 2, 2018 | Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Not long ago, 22 healthcare CIOs had a sit-down to discuss their CEOs’ top IT-related priorities. At the meeting, which took place during the 2018 Scottsdale Institute Annual Conference, the participants found that they were largely on the same page, according to researchers that followed the conversation.

Impact Advisors, which co-sponsored the research, found that improving patient experiences was priority number one. More than 80% of CIOs said patient engagement and better patient experiences were critical, and that deploying digital health strategies could get the job done.

The technologies they cited included patient-facing options like wearables, mobile apps and self-service tools. They also said they were looking at a number of provider-facing solutions which could streamline transitions of care and improve patient flow, including care coordination apps and tools and next-generation decision support technologies such as predictive analytics.

Another issue near the top of the list was controlling IT costs and/or increasing IT value, which was cited by more than 60% of CIOs at the meeting. They noted that in the past, their organizations had invested large amounts of money to purchase, implement and upgrade enterprise EHRs, in an effort to capture Meaningful Use incentive payments, but that things were different now.

Specifically, as their organizations are still recovering from such investments, CIOs said they now need to stretch their IT budgets. They also said that they were being asked to prove that their organization’s existing infrastructure investments, especially their enterprise EHR, continue to demonstrate value. Many said that they are under pressure to prove that IT spending keeps offering a defined return on investment.

Yet another important item on their to-do list was to foster innovation, which was cited by almost 60% of CIOs present. To address this need, some CIOs are launching pilots focused on machine learning and AI, while others are forming partnerships with large employers and influential tech firms. Others are looking into establishing dedicated innovation centers within their organization. Regardless of their approach, the CIOs said, innovation efforts will only work if they are structured and governed in a way that helps them meet their organization’s broad strategic goals.

In addition, almost 60% said that they were expected to support their organization’s growth. The CIOs noted that given the constant changes in the industry, they needed to support initiatives such as expansion of service lines or building out new ones, as well as strategic partnerships and acquisitions.

Last, but by no means least, more than half of the CIOs said cybersecurity was important. On the one hand, the participants at the roundtable said, it’s important to be proactive in defending their organization. At the same time, they emphasized that defending their organization involves having the right policies, processes, governance structure and culture.