Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Healthcare Security Cartoon – Fun Friday

Posted on August 11, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

It’s Friday and school is beginning in a lot of places around the country. I know we’re ready for school to start in our house. They moved it up a couple weeks in Las Vegas and so we had a short summer, but we’re excited for the rhythm that school brings.

The last Friday in summer seems the perfect time for a Fun Friday blog post. This cartoon was shared by Fogo Data centers that highlights the always challenging balance between security and convenience.

Do your security policies seem a bit like this picture? Or do you edge on the other side of too convenient and not secure enough?

Why Small Medical Practices Are at Great Risk for a Cyber Attack

Posted on June 14, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

The good people at ClinicSpectrum recently shared a look at why small practices are at risk for a cyber attack. They label it as why your EHR is at risk for a cyber attack, but I think their list is more specific to small practices as opposed to EHR. Take a look at their list:

Each of these issues should be considered by a small medical when it comes to why they are at risk for a cyber attack. However, the first one is one that I see often. Many small practices wonder, “Why would anyone want to hack my office?”

When it comes to that issue, medical practices need to understand how most hackers work. Most hackers aren’t trying to hack someone in particular. Instead, they’re just scouring the internet for easy opportunities. Sure, there are examples where a hacker goes after a specific target. However, the majority are just exploiting whatever vulnerabilities they can find.

This is why it’s a real problem when medical practices think they’re too small or not worth hacking. When you have this attitude, then you leave yourself vulnerable to opportunistic hackers that are just taking advantage of your laziness.

The best thing a medical practice can do to secure their systems is to care enough about having secure systems. You’ll never be 100% secure, but those organizations who act as if they don’t really care about security are almost guaranteed to be hacked. You can imagine how HHS will look at you if you take this approach and then get hacked.

Kill Passwords

Posted on January 13, 2017 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

One time I was attending the crazy SXSW conference in Austin. As part of the event, there was a startup company from Las Vegas (where I live) that had a small tower in the big Vegas Tech booth. Their startup was a method to use your phone as your password and a few other password related things. I’m not sure how they came up with this idea, but half way through the conference they switched their monitor which previously had their logo on it to just say “Kill Passwords” in big black letters with a white background. It was amazing how much traffic they drove to their small table because of that simple digital signage.

While this is a story in marketing that’s worthy of the Healthcare IT Marketing and PR Conference which I host, it also illustrated how much we hate passwords. Turns out that this is a universal truth, but it’s particularly poignant in healthcare because of absurd password policies that many healthcare organizations put in place in the name of security (even if many of the choices they make don’t actually improve security).

Doctors password frustration was illustrated well in the latest ZDoggMD video “Doc Vader on The Password Menace.” Check it out below:

I felt it was appropriate to use ZDoggMD’s latest video in today’s Fun Friday post, but I do it with some sadness. A couple days ago, ZDoggMD announced that his Turntable Health clinic in Las Vegas was shutting down. As a Vegas resident and former member of Turntable Health, I was sorry to see this happen. No doubt this is not the end for ZDoggMD. In fact, for those that are fans of his video and his message, I think this will give him more time to evangelize and inspire. So, that’s a good thing. Healthcare can use a shakeup that points out the challenges we face with a little lot of humor. Thanks ZDoggMD for all you do.

Now, I agree that passwords are a pain. Although, I think we’ve all learned to deal with them. I do look forward to the day when passwords will no longer exist in their current form. I’m not sure what it will look like, but it will be a welcome day!

How Many Points of Vulnerability Do You Have in Your Healthcare Organization?

Posted on December 21, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Far too often I hear healthcare CIOs talk about all of the various electronic devices they have in their organization and how this device proliferation has created a really large risk surface that makes their organization vulnerable to breaches and other nefarious actions. This is true to some extent since organizations now have things like:

  • Servers
  • Desktops
  • Mobile Devices
  • Network Devices
  • Internet Access
  • Medical Devices
  • Internet of Thing Devices
  • etc

As tech progresses, the number of devices we have in our healthcare organizations is only going to continue to grow. No doubt this can pose a challenge to any Chief Security Officer (CSO). However, I actually think this is the easiest part of a CSO’s job when it comes to making sure a healthcare organization is secure. I think it’s much harder to make sure the people in your organization are acting in a way that doesn’t compromise your organization’s security.

As one hospital CIO told me, “I’m most concerned with the 21,000 security vulnerabilities that existed in my organization. I’m talking about the 21,000 employees.

Granted, this CIO worked at a very large organization. However, I think he’s right. Creating a security plan for a device is pretty easily accomplished. It will never be perfect, but you can put together a really good, effective plan. People are wild cards. It’s much harder to keep them from doing something that compromises your organization. Especially since the hackers have gotten so pernicious and effective in the tactics they use.

At the end of the day, I look at security as similar to child proofing your house when you have a young child. You’ll never make it 100% completely safe, but you can really mitigate most of the issues that could cause harm to your child. The same is true in your approach to securing your healthcare organization. You can never ensure you won’t have any security incidents, but you can mitigate a lot of the really dangerous things. Then, you just have to deal with the times something surprising happens. Now if we would just care as much about keeping our healthcare organizations secure as we do keeping our children safe, then we’d be in a much better place.

Patient Portal Security Is A Tricky Issue

Posted on April 25, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

Much of the discussion around securing health data on computers revolves around enterprise networks, particularly internal devices. But it doesn’t hurt to look elsewhere in assessing your overall vulnerabilities. And unfortunately, that includes gaps that can be exposed by patients, whose security practices you can’t control.

One vulnerability that gets too little attention is the potential for a cyber attack accessing the provider’s patient portal, according to security consultant Keith Fricke of tw-Security in Overland Park, Kan. Fricke, who spoke with Information Management, noted that cyber criminals can access portal data relatively easily.

For example, they can insert malicious code into frequently visited websites, which the patient may inadvertently download. Then, if your patient’s device or computer isn’t secure, you may have big problems. When the patient accesses a hospital or clinic’s patient portal, the attacker can conceivably get access to the health data available there.

Not only does such an attack give the criminal access to the portal, it may also offer the them access to many other patients’ computers, and the opportunity to send malware to those computers. So one patient’s security breach can become a victim of infection for countless patients.

When patients access the portal via mobile device, it raises another set of security issues, as the threat to such devices is growing over time. In a recent survey by Ponemon Institute and CounterTack, 80% of respondents reported that their mobile endpoints have been the target of malware the past year. And there’s little doubt that the attacks via mobile device will more sophisticated over time.

Given how predictable such vulnerabilities are, you’d think that it would be fairly easy to lock the portals down. But the truth is, patient portals have to strike a particularly delicate balance between usability and security. While you can demand almost anything from employees, you don’t want to frustrate patients, who may become discouraged if too much is expected from them when they log in. And if they aren’t going to use it, why build a patient portal at all?

For example, requiring a patient to change your password or login data frequently may simply be too taxing for users to handle. Other barriers include demanding that a patient use only one specific browser to access the portal, or requiring them to use digits rather than an alphanumeric name that they can remember. And insisting that a patient use a long, computer-generated password can be a hassle that patients won’t tolerate.

At this point, it would be great if I could say “here’s the perfect solution to this problem.” But the truth is, as you already know, that there’s no one solution that will work for every provider and every IT department. That being said, in looking at this issue, I do get the sense that providers and IT execs spend too little time on user-testing their portals. There’s lots of room for improvement there.

It seems to me that to strike the right balance between portal security and usability, it makes more sense to bring user feedback into the equation as early in the game as possible. That way, at least, you’ll be making informed choices when you establish your security protocols. Otherwise, you may end up with a white elephant, and nobody wants to see that happen.

Could the Drive to Value-Based Healthcare Undermine Security?

Posted on November 27, 2015 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As we all know, the healthcare industry’s move toward value-based healthcare is forcing providers to make some big changes. In fact, a recent report by peer60 found that 64% of hospitals responding cited oncoming value-based reimbursement as their top challenge. Meanwhile, only 30% could say the same of improving information security according to peer60, which recently surveyed 320 hospital leaders.

Now, the difference in concern over the two issues can be chalked up, at least in part, to the design of the survey. Obviously, there’s a good chance that a survey of CIOs would generate different results. But as the report’s authors noted, the survey might also have exposed a troublesome gap in priorities between health IT and the rest of the hospital C-suite.

It’s hardly surprising hospital leaders are focused on the life-and-death effects of a major change in payment policy. Ultimately, if a hospital can’t stay in business, protecting data won’t be an issue anymore. But if a hospital keeps its doors open, protecting patient data must be given a great deal of attention.

If there is a substantial gap between CIOs and their colleagues on security, my guess is that the reasons include the following:

  • Assuming CIOs can handle things:  Lamentable though it may be, less-savvy healthcare leaders may think of security as a tech-heavy problem that doesn’t concern them on a day-to-day level.
  • Managing by emergency:  Though they might not admit it publicly, reactive health executives may see security problems as only worth addressing when something needs fixing.
  • Fear of knowing what needs to be done:  Any intelligent, educated health exec knows that they can’t afford to let security be compromised, but they don’t want to face up to the time, money and energy it takes to do infosec right.
  • Overconfidence in existing security measures:  After approving the investment of tens or even hundreds of millions on health IT, non-tech health leaders may find it hard to believe that perfect security isn’t “built in” and complete.

I guess the upshot of all of this is that even sophisticated healthcare executives may have dysfunctional beliefs about health data security. And it’s not surprising that health leaders with limited technical backgrounds may prefer to attack problems they do understand.

Ultimately, this suggests to me that CIOs and other HIT leaders still have a lot of ‘splaining to do. To do their best with security challenges, health IT execs need the support from the entire leadership team, and that will mean educating their peers on some painful realities of the trade.

After all, if security is to be an organization-wide process — not just a few patches and HIPAA training sessions — it has to be ingrained in everything employees do. And that may mean some vigorous exchanges of views on how security fosters value.

The Shifting Health Care IT Markets

Posted on November 5, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’m at the end of my Fall Healthcare IT Conference season (although I’m still considering attending RSNA for my first time) and besides being thankful to be done with all the travel, I’m also taking a second to think about what I’ve learned over the past couple months as I’ve traveled to a wide variety of conferences.

While the EHR market has been hot for so many years, I’m seeing a big shift in purchasing to three areas: Analytics/Population Health, Revenue Cycle Management, and Privacy/Security. This isn’t a big surprise, but the EHR market has basically matured and now even EHR vendors are looking at new ways to market their products. These are the three main areas where I see the market evolving.

Analytics and Population Health
I could have easily added the other buzzword “patient engagement” to this category as well. There’s a whole mixture of technologies and approaches for this category of healthcare IT. In fact, it’s where I see some of the most exciting innovations in healthcare. Most of it is driven by some form of value based reimbursement or organizations efforts to prepare for the shift to value based reimbursement. However, there’s also a great interest by many organizations to try and extract value from their EHR investment. Many are betting on these tools being able to help them realize value from their EHR data.

Revenue Cycle Management
We’re seeing a whole suite of revenue cycle solutions. For many years we’ve seen solutions that optimized an organization’s relationships with payers. Those are still popular since it seems like most organizations never really fix the problem so their need for revenue cycle management is cyclical. Along with these payer solutions, we’re seeing a whole suite of products and companies that are focused on patient payment solutions. This shift has been riding the wave of high deductible plans in healthcare. As an organization’s patient pay increases, they’re looking for better ways to collect the patient portion of the bill.

Privacy and Security
There have been so many health care breaches, it’s hard to even keep up. Are we becoming numb to them? Maybe, but I still see many organizations investing in various privacy and security programs and tools whenever they hear about another breach. Plus, the meaningful use requirement to do a HIPAA Risk Assessment has built an entire industry focused on those risk assessments. You can be sure the coming HIPAA audits will accelerate those businesses even more.

What other areas are you seeing become popular in health care IT?

Top 10 Healthcare CIO Budget Priorities

Posted on September 22, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

For those on the email list that can’t see the image that Charles Webster, MD shared, here are the list of top technology priorities:
1. BI/Analytics
2. CRM
3. Digitalization/Digital Marketing
4. Legacy Modernization
5. Industry-Specific Applications
6. Enterprise Applications
7. Infrastructure and Data Center
8. Application Development
9. Architecture
10. BPM
11. Cloud
12. Collaboration

Sure makes the life of a CIO look pretty easy, doesn’t it? (That was my sarcasm font in case you don’t have that font installed on your computer)

As I chew on this list, I’m processing Will Weider, CIO at Ministry Health Care’s response to me asking him what would he consider the 3 key focus areas for healthcare CIO’s:

HHS Privacy and Security Rules Cheat Sheet Infographic

Posted on August 6, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Scrypt has put out the infographic below to help summarize the guide to Privacy and Security of Electronic Health Information that HHS put out. Of course, the full guide is 62 pages of detailed information, but this will give you a flavor for what’s in the guide.
HHS Privacy and Security Rule Infographic

Dishonesty Ruins So Many Things

Posted on September 5, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’m always struck by this simple concept: Dishonesty make so many things more difficult than they should be.

We see this all over healthcare. Look for example at patient privacy and security. If people were just honest and thoughtful with patient data, our privacy and security challenges would be so much simpler. Imagine how much time and heartache we’d save if people were just honest when it comes to privacy and security. Yes, I’m looking at the million of hackers that are trying to take people’s personal information. Imagine if we could focus all the money and time we spend securing applications and apply it to improving healthcare. What a difference that would make.

The same could be said for reimbursement. Our reimbursement system would look drastically different if people were just honest. Yes, I’m talking about the billions of dollars of Medicare and other insurance fraud that’s out there. What a sad expense on our current healthcare system as dishonest people try and make a quick buck. While that expense is large, the even larger cost to our healthcare system is the toll that fraud adds to the honest actors.

Look at our current model of reimbursement for healthcare. So much of our insane documentation efforts are tied to the fact that insurance companies are trying to combat fraud. They don’t and can’t trust providers billing levels and so they’ve created layer and layer of requirements that makes the healthcare documentation process miserable. If you don’t agree with me, then you aren’t someone that’s involved in healthcare reimbursement.

This expense gets passed on to the employer and patients as well. Have you ever tried to make sense of the bill or statement of benefits coming from your doctor or insurance company? It’s like trying to make sense of a new language. It doesn’t make sense since you as a patient don’t know that language. Are they screwing you over in what they’re billing you or not? You don’t know either way and good luck trying to find out the answer. The person on the other end of the phone likely isn’t sure either because it’s so complex.

I first learned this principle in the credit card world. Why on earth do we pay 3+% of every transaction we do on our credit card. The answer is simple. Credit card fraud (otherwise known as dishonesty) is rampant and why credit card transactions cost so much. Imagine a world where the doctor wasn’t giving 3% of their business to process a credit card transaction since the cost to change digital digits should be nothing.

Unfortunately, the reality is we do live in a world with a lot of dishonest people who try and game anything and everything. We have to pay attention to security and privacy with these dishonest people in mind. We have to deal with insane reimbursement requirements as these payers try and combat fraud. We have to deal with credit card fraud and pay for it in the process.

It’s unfortunate, because dishonesty almost always catches up with people. Even when we think it doesn’t, dishonesty pays its own toll on a person as they can never be comfortable. Having a clear, honest conscious is one of the most beautiful things in life.