Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Medical Device Security At A Crossroads

Posted on April 28, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As anyone reading this knows, connected medical devices are vulnerable to attacks from outside malware. Security researchers have been warning healthcare IT leaders for years that network-connected medical devices had poor security in place, ranging from image repository backups with no passwords to CT scanners with easily-changed configuration files, but far too many problems haven’t been addressed.

So why haven’t providers addressed the security problems? It may be because neither medical device manufacturers nor hospitals are set up to address these issues. “The reality is both sides — providers and manufacturers — do not understand how much the other side does not know,” said John Gomez, CEO of cybersecurity firm Sensato. “When I talk with manufacturers, they understand the need to do something, but they have never had to deal with cyber security before. It’s not a part of their DNA. And on the hospital side, they’re realizing that they’ve never had to lock these things down. In fact, medical devices have not even been part of the IT group and hospitals.

Gomez, who spoke with Healthcare IT News, runs one of two companies backing a new initiative dedicated to securing medical devices and health organizations. (The other coordinating company is healthcare security firm Divurgent.)

Together, the two have launched the Medical Device Cybersecurity Task Force, which brings together a grab bag of industry players including hospitals, hospital technologists, medical device manufacturers, cyber security researchers and IT leaders. “We continually get asked by clients with the best practices for securing medical devices,” Gomez told Healthcare IT News. “There is little guidance and a lot of misinformation.“

The task force includes 15 health systems and hospitals, including Children’s Hospital of Atlanta, Lehigh Valley Health Network, Beebe Healthcare and Intermountain, along with tech vendors Renovo Solutions, VMware Inc. and AirWatch.

I mention this initiative not because I think it’s huge news, but rather, as a reminder that the time to act on medical device vulnerabilities is more than nigh. There’s a reason why the Federal Trade Commission, and the HHS Office of Inspector General, along with the IEEE, have launched their own initiatives to help medical device manufacturers boost cybersecurity. I believe we’re at a crossroads; on one side lies renewed faith in medical devices, and on the other nothing less than patient privacy violations, harm and even death.

It’s good to hear that the Task Force plans to create a set of best practices for both healthcare providers and medical device makers which will help get their cybersecurity practices up to snuff. Another interesting effort they have underway in the creation of an app which will help healthcare providers evaluate medical devices, while feeding a database that members can access to studying the market.

But reading about their efforts also hammered home to me how much ground we have to cover in securing medical devices. Well-intentioned, even relatively effective, grassroots efforts are good, but they’re only a drop in the bucket. What we need is nothing less than a continuous knowledge feed between medical device makers, hospitals, clinics and clinicians.

And why not start by taking the obvious step of integrating the medical device and IT departments to some degree? That seems like a no-brainer. But unfortunately, the rest of the work to be done will take a lot of thought.

A Vision for Why and How We Make the Science of Health Care Shareable

Posted on October 30, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I recently heard Stan Huff, CMIO at Intermountain, talk at the Healthcare IT Transformation Assembly about the Healthcare Services Platform Consortium. As he presented what they’re working on he highlighted so well the challenges that I’ve been seeing in healthcare IT. I’ve long be asking people how healthcare IT innovations that happen in one hospital or practice are going to get shared with all of healthcare. Turns out, Stan has been thinking a lot about this problem as well.

In his presentation, Stan framed the discussion perfectly when he said, “No matter what you do, you can’t teach people to be perfect information processors.” I’d also mentioned in a previous post that the human mind can’t detect the difference between something that causes errors 3 in 100 versus 4 in 100. However, with the right data, computers can tell the difference. Plus, computers can assist humans in the information processing.

These points illustrate why building and sharing clinical decision support is so important. The human mind is incredible, but medicine is so complex it’s impossible for the human mind to process it all. Ideally all of the work that Stan Huff and his team at Intermountain are doing on clinical decision support should be “plug n play interoperable” with the rest of the healthcare system. That seems to be the goal of the Healthcare Services Platform Consortium.

Many might wonder why Intermountain would want to share all the work they’ve been doing with the rest of healthcare. Isn’t that their proprietary intellectual property? It’s actually easy to see why. Stan described that Intermountain has implemented or is currently working on ~150 decision support rules or modules. Given their organization’s budget and staff constraints he could see how those 150 could be expanded to 300 or so, but likely not more. That sounds great until you think that there could be 5000+ decision support rules or modules if there was enough time and budget.

The problem is that there was no path for Intermountain to go from 150 to 5000 decision support rules or modules on their own. The only way to get where they need to go is for everyone in healthcare to work together and share their findings and workflows.

Stan and the Healthcare Services Platform Consortium are building the framework for creating and sharing interoperable clinical decision support apps on the back of FHIR and Smart Apps. This diagram illustrates what they have in mind:
HSPC for 2015 Healthcare Transformation Assembly 151026
I think that Stan is spot on in his assessment of what needs to be done to get where we need to go with clinical decision support in health care. However, there are also plenty of reasons for being cautiously optimistic.

As Stan told us at the event, “If everyone says that their workflow is the only way, we won’t get very far.” Then Stan passionately argued for why physician independence allows the opportunity for doctors to take improper care of patients. “If we allow physicians to do whatever they want, we’re allowing them the right to take improper care of patients.”

Obviously Stan isn’t saying that there shouldn’t be rigorous debate about the best treatment. By putting these algorithms out to other organizations he’s actually inviting criticism and discussion of the work they’re doing. Plus, I have no doubt Stan understands where health care is an art and where it’s a science. However, I believe he rightly argues that where the science is clear, proclaiming the art of medicine is a poor excuse for doing something different.

In my mind, the Healthcare Services Platform Consortium should be focused on making the science of health care easily shareable and usable for all of health care regardless of EHR system. That’s a vision we should all get behind.

How Will Patients Choose Healthcare?

Posted on May 19, 2015 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

In a recent conversation with Medhost CEO, Bill Anderson, he asked the question that’s the title of this blog post: “How Will Patients Choose Healthcare?” He then proceeded to answer his question by saying, “Healthcare will buy on brand like they do in their other purchasing decisions.” It’s worth adding that Bill and Medhost are working to build their YourCare Everywhere brand in healthcare. You can decide if their business efforts are skewing his perspective or not.

For me, I find the question absolutely fascinating and an extremely important question for healthcare organizations. This question is becoming more and more important since the shift to high deductible plans is forcing patients to be more selective in how they choose their healthcare provider. Will brand be the way that people choose healthcare?

One challenge I have with this idea is that healthcare is a complex decision. I don’t know many people who make impulse healthcare provider decisions. I wonder if there are other complex decisions we could learn from. What is true is that healthcare decisions are often crisis decisions. In a crisis, where do people turn? I think the answer is the brands they know.

As I look at healthcare, which organizations have a true national healthcare brand? The first one that comes to mind is Mayo Clinic. Cleveland Clinic seems to be working down a similar path. Are their others? There are very few national healthcare brands that are trusted.

There are many local healthcare brands. Dignity Health has been pouring money into commercials in Vegas to build their brand. I assure you the commercials are all brand. Intermountain has a brand in Utah and Partners Healthcare has a brand in Boston. We could argue whether they have good or bad brands since they are both so dominant in their region. There are many other examples of local healthcare brands.

On the other side of healthcare brands is the CVS Minute Clinic, Walmart, and all the other retailers trying to make a space for themselves in healthcare. Also competing for brand recognition with a similar direct to consumer, retail healthcare play are the telemedicine providers like MD Live.

Long story short, we’re seeing patients having more power when it comes to selecting their healthcare provider and we see a ton of brand competition. Will a healthcare organization be able to survive without a major investment in their brand? What does this mean for small physician practices?

I’d love to hear your thoughts about what’s happening with healthcare brands. Do they matter? In what ways will they matter? What should a healthcare organization be doing to shore up its brand?

Killing Meaningful Use and Proposals to Change It

Posted on September 16, 2014 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Isn’t it nice that National Health IT Week brings people together to complain about meaningful use? Ok, that’s only partially in jest. Marc Probst, CIO of Intermountain and a member of the original meaningful use/EHR Certification committee (I lost track of the formal name), is making a strong statement as quoted by Don Fluckinger above.

Marc Probst is right that the majority of healthcare would be really happy to put a knife in meaningful use and move on from it. That’s kind of what I proposed when I suggested blowing up meaningful use. Not to mention my comments that meaningful use is on shaky ground. Comments from people like Marc Probst are proof of this fact.

In a related move, CHIME, AMDIS and 15 other healthcare organizations sent a letter to the HHS Secretary calling for immediate action to amend the 2015 meaningful use reporting period. These organizations believed that the final rule on meaningful use flexibility would change the reporting period, but it did not. It seems like they’re coming out guns blazing.

In even bigger news (albeit probably related), Congresswoman Renee Ellmers (R-NC) and Congressman Jim Matheson (D-UT) just introduced the Flexibility in Health IT Reporting (Flex-IT) act. This act would “allow providers to report their Health IT upgrades in 2015 through a 90-day reporting period as opposed to a full year.” I have yet to see any prediction on whether this act has enough support in Congress to get passed, but we could once again see congress act when CMS chose a different course of action like they did with ICD-10.

This story is definitely evolving and the pressure to change the reporting period to 90 days is on. My own personal prediction is that CMS will have to make the change. I’d love to hear your thoughts.

Happy National Health IT Week!

Intermountain Chooses Cerner, International EMR, and Patient Focused EMR

Posted on September 29, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.


This was really big news this week. I’m not sure it’s quite a turning point for EMR. I think we’re still early in the war, but this was a big battle for Cerner to win. We’ll see what GE decides to do after losing this deal. Will GE leave this business behind or buy another vendor?


I think we don’t look nearly enough at the international EMR experience. We could learn a lot in the US from what’s happening nationally. Plus, for many EHR vendors the international opportunity is a big one that most don’t even consider.


I’ve been preaching this for so long I can’t remember. I know there are EHR vendors that focus as much as they can on the patient, but compliance and reimbursement still means you have to make compromises. That’s not an indictment of those companies, but a reality of the situation.

The HP ElitePad in Healthcare

Posted on August 12, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

One thing I often forget when thinking about mobile computing in healthcare is that it’s not just the smart phone. Certainly the smart phone is incredibly powerful and has a strong place in the future of mobile health. However, it has its limitations. Often you just need more screen real estate to do what you need to in healthcare. This is particularly true on the enterprise healthcare side of the world compared to the consumer side.

This is what makes the Windows 8 and iPad tablets such an important part of the mobile health ecosystem. In fact, I think these tablets could do more to transform healthcare than their smaller smart phone counterparts. In fact, these tablets are more powerful than your smart phone in every single way except size.

I was reminded of the power of these tablets when I got the chance to use the HP ElitePad. It was my first time to really dig into a Windows 8 tablet and I was really interested to see how well it performed.
HP ElitePad 900_Front Center
My intrigue in the Windows 8 tablets had been originally sparked by Fred Holsten, CIO of Intermountain, who told me that in their hospital they didn’t allow Android tablets, but they did allow Window 8 tablets. They had real security concerns with the Android tablets, but felt confident in the security of the Window 8 tablet. Plus, he even was fond of the way that the Windows 8 tablet handled application management.

With this in mind, I wanted to see how the HP ElitePad felt in my hand. From a pure hardware perspective, it was well designed and as comfortable as any other tablet of similar screen size. I also had the HP ElitePad expansion jacket. I had mixed feelings about the expansion jacket. The tablet felt pretty bulky with it on, but I also felt the jacket seemed to be a pretty good protection for the device. In the end, I usually leaned towards using it with the expansion jacket off. Either way, the tablet definitely passed the look and feel test.

When I first started actually using the ElitePad, I wasn’t sure I was going to like the interface. It took me a little while to get use to the separation of apps from the more standard windows interface. Plus, I had to get use to swiping the side to pull up the menu. After using it a little bit I really grew to like the interface. It balanced the touch interface applications with the ability to run any regular windows applications quite well.

I could see how this balance of applications could work really well in healthcare. Many healthcare applications won’t be ported over to become a native tablet application. At least they won’t be moved over in the near future. So, there’s a need for devices that can handle both native and legacy applications. The app store was a bit disappointing, but I think that will continue to change over time. Plus, when it wasn’t in the app store, I could find a regular windows application that worked fine. Not to mention most of what I needed was also available in a web browser.

I do wish that there were some native external keyboard options for the device, but a simple USB keyboard worked just fine and are available in every shape and size. I didn’t try using voice recognition on the device, but it has a nice microphone and would have likely worked well. However, sometimes I just like a nice keyboard for data entry. I did use the built in camera and microphone on a Google Plus hangout and that worked perfectly. You can easily see a telemedicine visit happening with this device.

Overall the device worked really well for me. My only real complaint with the device was the charger connection. The charger doesn’t really snap into the hole and so it’s hard to know if the charger is connected properly or not. Plus, the charger can bend back and forth in the charging hole. I often had to check to make sure that the device was indeed charging. It usually was plugged in just fine, but it would be much nicer if the charging plug kind of locked into place so you knew it was connected properly.

Overall, I can definitely see a place for a Windows 8 tablet like the HP ElitePad in healthcare. I think this is particularly true in the hospital and practice environment where they want to use their existing security software to manage their computing devices. However, with the built in camera and microphone, I can also see a number of telemedicine applications really liking this device as well.

This post is sponsored by HP Healthcare, however opinions on products and services expressed here are my own. Disclosure per FTC’s 16 CFR, Part 255.

CPOE and MU with Marc Probst and M*Modal

Posted on June 26, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

As part of my ongoing series of EHR videos, I had the chance to sit down with Marc Probst, CIO of Intermountain and a member of a number of important healthcare IT committees, Mike Raymer, Senior Vice President of Solutions Management at M*Modal and Dr. Jonathan Handler, CMIO of M*Modal to talk about CPOE and Meaningful Use. It’s another great addition to the Healthcare Scene YouTube channel.

In the interview we have a chance to talk about Intermountain’s move from zero CPOE to mobile, voice recognized CPOE. We talk about the future possibilities of voice in healthcare. I also ask Marc Probst about his views on EHR certification, meaningful use, and CommonWell.


*Note: Marc Probst’s sound was less than ideal. Next time we’ll be sure he has a better microphone.

CPOE and Meaningful Use with Marc Probst, Mike Raymer, and Dr. Jonathan Handler – Google Plus Hangout

Posted on June 10, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Note: The following image will become the live video stream about 5 minutes before the start of the G+ hangout and then will be the embedded video after the hangout. Subscribe Here to be notified of future hangouts.

What: A Google+ Video Hangout with Marc Probst, Mike Raymer, and Dr. Jonathan Handler discussing CPOE (Comuterized Physician Order Entry) and Meaningful Use
Date: Thursday, June 13, 2013
Time: 4:00 – 4:30 p.m. EST
Location: About 5 minutes before the event, we’ll embed the video stream on this page or you can find the video stream on the event’s Google+ page as well.

Subscribe Here to be notified of future EHR and Healthcare IT hangouts.

Details:
Mark your calendars to join the following healthcare experts as they discuss CPOE and Meaningful Use

The video will be available to view live on this page and the recorded video will be embedded on this page after the hangout as well.

If you have any questions you’d like to pose before or during the hangout, send them to @ehrandhit on Twitter or the G+ Event page and we’ll do our best to incorporate them into the discussion.

Marc Probst, CIO of Intermountain
Marc Probst - Intermountain

Mike Raymer, Senior Vice President of Solutions Management at M*Modal
Mike Raymer - MModal

Dr. Jonathan Handler, CMIO of M*Modal
Dr Jon Handler - MModal

Utah Hospital Helps Parents of Babies in NICUs Be More Involved

Posted on May 6, 2013 I Written By

Katie Clark is originally from Colorado and currently lives in Utah with her husband and son. She writes primarily for Smart Phone Health Care, but contributes to several Health Care Scene blogs, including EMR Thoughts, EMR and EHR, and EMR and HIPAA. She enjoys learning about Health IT and mHealth, and finding ways to improve her own health along the way.

Right after I posted about the Cedars-Sinai Medical Center using FaceTime to connect moms to their babies in the NICU, I saw this article about an Intermountain hospital in Utah doing something similar.

Utah Valley Regional Medical Center, a hospital in Provo, Utah, has equipped all of the NICU beds with three cameras. These will give parents 24 hour access to a live video of their baby.

This hit home because, well, I live right across from the hospital this article talks about, and my son spent eight days there when he was just two weeks old. While we were allowed to be in his room with him the entire time, if he’d been in the NICU, this would have been wonderful to have. And, if we stay in Utah, and we had a baby who had to stay in the NICU, we may benefit from this. This is part of the redesign of the NICU department at UVRMC.

Stephen Minton, MD, is overseeing this project. He is a neonatologist at Intermountain Healthcare, and in an interview he emphasized the importance of communication with parents who have infants in the NICU. He has been at this particular NICU unit since 1979, cared for 26,000 babies, and in all that time never had a lawsuit filed against him. He said that this is not because he didn’t make mistakes, but because of how he interacts with the parents:

It’s really unusual in critical care medicine to go quite that long [without a lawsuit.] The reason is because I communicate with parents, and so they understand what you’re really trying to do. That’s really all what people want. They want to be involved, and they want to feel like they have a voice and that you care.

Minton believes that implementing these cameras will allow the parents to be involved even more, and have a better understanding of the care their infant is receiving.  They can see what is being done at all times, and communicate with the attending physician.

UVRMC isn’t the first hospital to implement this type of technology, but it is definitely one of the first. I hope to see more hospitals doing something like this in the future, and perhaps extend it to other areas in the hospital.

Starting the Health IT Ball Rolling

Posted on April 4, 2013 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Early on in my EHR implementation experience I had an enlightening moment. In the clinic I was working at, we decided to just do a partial implementation of the EHR software in order for us to replace the scheduling and billing side of our current processes. The clinic was using some old scantron like billing technology that needed to be replaced quickly. So, instead of leaving behind the paper charts, we decided to start by just implementing part of the EHR to start.

As part of this partial EHR implementation we had the clinicians entering the diagnosis and charge capture into a note in the EHR. After a couple weeks of doing this, I was sitting with one of the providers and she said, “John, why can’t I just enter my note right here where it says subjective and objective instead of in the paper chart?” After hearing this, I went to the director’s office and told her what I’d heard. We realized it was a tremendous opportunity for us to finish the full EHR implementation.

It was quite an interesting realization to have them driving us to implement more of the features. I think we see this phenomenon in other areas as well.

I was talking with the hospital CTO of Intermountain, Fred Holston, about their new mobile CPOE app they built together with MModal. I asked if he was concerned about adoption of the CPOE app. It seemed that it was possible that they built an app that doctors would just choose not to use. Fred made some suggestions about why he thought this wouldn’t be an issue, but then he offered an even more valuable insight. Fred suggested that their bigger concern wasn’t whether doctors would use the CPOE mobile app. Instead, they were more concerned that once they rolled out the CPOE mobile app that doctors would start asking for a whole laundry list of other features and applications that were similar to it. Were they ready for that onslaught of requests?

Yesterday, I got a demo of the latest version of the Sfax secure faxing software (Full Disclosure: Sfax is an advertiser on this site.). During the demo, I asked about another possible feature and a really good comment was made, “Once you roll out new features, people start asking for even more features.” We then had a nice discussion about how the product development process is never done.

In some cases, the desire for more features can lead to really unhappy users. If we’d not finished the full EHR implementation quickly, no doubt those providers would have hated the product. If Intermountain doesn’t add more of the requested capabilities to their CPOE mobile app, then their users will be unhappy that the app can’t do more. If Sfax doesn’t continue to add features to their product their users will grow unhappy with the service.

However, the opposite is also true. This desire to use technology in new ways can be a real driver of adoption. We didn’t have to sale the providers on the finishing the full EHR implementation. They’d already sold themselves. Sometimes you just have to get the ball rolling when it comes to health IT. Once the ball is rolling, just be ready to keep up with with the new ideas that start coming as people see new possibilities.