
HIM’s Role in Healthcare Security and Privacy – HIM Scene

Posted on November 30, 2016 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This post is part of the HIM Series of blog posts. If you’d like to receive future HIM posts in your inbox, you can subscribe to future HIM Scene posts here.

One of my go-to experts on healthcare privacy and security is Mac McMillan, CEO and Co-Founder of CynergisTek. He’s built a really great company that focuses on privacy and security in healthcare and he’s a true expert.

While at AHIMA 2016, I talked with Mac about the role that HIM plays in healthcare privacy and security. We also talked about where healthcare privacy is heading and which part of healthcare privacy and security doesn’t get enough attention. I also asked Mac to make a big 20-year prediction on what will happen with privacy and security in healthcare.

Check out our interview with Mac McMillan, CEO and Co-Founder of CynergisTek:

We shot a number of other videos at AHIMA 2016 which we’ll be posting shortly. If you enjoyed this video, be sure to Subscribe to Healthcare Scene on YouTube and watch our full archive of Healthcare Scene interviews.


E-Patient Update: Hospitals Should Share Ransomware Updates

Posted on October 14, 2016 | Written By

Anne Zieger is a veteran healthcare editor and analyst with 25 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

A few weeks ago, a California hospital quietly fended off a ransomware attack without paying a ransom to the attackers. According to Health Leaders Media, Keck Medical Center of USC was hit with a ransomware assault on servers at two hospitals, but managed to fix the problem and retrieve its data.

Employees at Keck Hospital of USC and Norris Comprehensive Cancer Care found ransomware on two servers on August 1, said Keck Hospitals CEO Rod Hanners in a statement on the matter. The attack encrypted files on the servers, which made their data unavailable to hospital employees. However, Hanners reported, the hospitals had no evidence of a breach of patient information.

Still, given that some sensitive information was contained in folders encrypted by the malware, USC notified patients about the breach, Health Leaders reports. Data that could (at least theoretically) have been accessed by the attackers included names and dates of birth, health information such as treatment and diagnosis information and some Social Security numbers.

If what I’ve read is accurate, the crew at Keck did a great job. They got things under control very quickly, and chose to do the right thing in notifying patients about the breach. (And in all truth, the attack might not have been much of a big deal — perhaps one launched by a script kiddie using Ransomware as a Service tools — which could explain why the hospitals seem to be relatively unruffled.) Still, my feeling is that they could have communicated more.

A patient’s perspective

As I ponder the events above, I do wonder whether the professionals managing this particular ransomware attack understand what it’s like to be on the receiving end of a ransomware episode. So here are a few things to consider from a patient’s perspective:

  • Ransomware is scary: While I’m a healthcare technology writer and somewhat familiar with ransomware attacks, they are still new to most of the public. They may turn out to be just another infection vector for your network, but they come across as a dark force to consumers. Be prepared to educate and calm us.
  • People don’t know what to expect: I was due to have a cardiac procedure done by a doctor affiliated with Washington, D.C.-based MedStar Health a couple of weeks after it suffered a ransomware attack. While the news media made it clear that the hospital chain was paralyzed for a time, nobody bothered to tell me what the impact of this paralysis would be. It would have been better if MedStar facilities and doctors reached out to patients in immediate and near-term need of care to clarify.
  • We need progress reports: Clearly, the Keck attack didn’t amount to much, but other ransomware attacks, such as the MedStar incident, can’t be resolved overnight. As patients, we need to know roughly how long our providers may be at less than full capacity. Keep us updated or you’ll lose our trust.

With any luck, healthcare organizations will continue to improve their ability to fight back against ransomware attacks, and in time, be prepared to treat them as little more than road bumps in their security efforts. But until then, it makes sense to pull out all the stops and keep patients extra well-informed.

Thoughts On Hospital Telecommunications Infrastructure

Posted on August 31, 2016 | Written By

Anne Zieger

Given the prevalence of broadband telecom networks in place today, hospital IT leaders may feel secure – that their networks can handle whatever demands are thrown at them. But given the progress of new health IT initiatives and data use, they still might face bandwidth problems. And as healthcare technical architect Lanny Hart notes in a piece for SearchHealthIT, the networks need to accommodate new security demands as well.

These days, he notes, healthcare networks must carry not only more-established data and voice traffic, but also growing volumes of EMR traffic. Not only that, hospital IT execs need to plan for connected device traffic and patient/visitor access to Wi-Fi, along with protecting the network from increasingly sophisticated data thieves hungry for health data.

So what’s a healthcare CIO to do when thinking about building out hospital telecommunications infrastructure? Here are some of Hart’s suggestions:

  • When building your network, keep cybersecurity at the top of your priorities, whether you handle it at the network layer or on applications layered over the network.
  • Use an efficient network topology. At most, create a hub-and-spoke design rather than a daisy chain of linked sub-networks and switches.
  • Avoid establishing a single point of failure for networks. Use two separate runs of fiber or cable from the network’s edge switches to ensure redundancy and increase uptime.
  • Use virtual local area networks for PACS and for separate hospital departments.
  • Segment access to your virtual networks – including your guest Wi-Fi service – allowing only authorized users to access individual networks.
  • Build as much wireless network connectivity as possible into new hospital construction, and blend wireless and wired networks when you upgrade networks in older buildings.
  • When planning network infrastructure, bear in mind that hospital networks can’t be completely wireless yet, because big hardware devices like CT scanners and MRIs can’t run off of wireless connections.
  • Bigger hospitals that use real-time location services should factor that traffic in when planning network capacity.

In addition to all of these considerations, I’d argue that hospital network planners need to keep a close eye on changes in network usage that affect where demand is going. For example, consider the effect that the ongoing shift from desktop computers to mobile devices, and the use of cellular networks, has on network bandwidth requirements.

If physicians and other clinical staffers are using cell connections to roam, they’re probably transferring large files and perhaps using video as well. (Of course, their video use is likely to increase as telemedicine rollouts move ahead.)

If you’re paying for those connections, why not evaluate whether there are ways you could save by extending Internet connectivity? After all, closing gaps in your wireless network could both improve your clinicians’ mobile experience and help you understand how they work. It never hurts to know where the data is headed!

More Ideas On Tightening Hospital IT Security

Posted on August 29, 2016 | Written By

Anne Zieger

Security deserves all of the attention you can spare, and it never hurts to revisit the fundamentals, in part because the cost of lagging security measures is so high. After all, it’s more than likely that your organization will face a breach, as almost 90% of healthcare organizations experienced at least one breach within the past two years, according to a Ponemon Institute study done earlier this year.

Here are some options to consider when tightening up your security operations, courtesy of Healthcare IT Leaders, whose suggestions include the following:

Hire white hat hackers: Mayo Clinic reportedly tried this a few years ago, and learned a great deal. While its security measures seem to have gotten something of a beatdown, the Clinic also found a bunch of security holes and got recommendations on how to close those holes.

Lock down employee mobile devices: As mobile technology increasingly becomes a key part of your infrastructure, it’s important to keep it secured – but that can be tough when employees own the phone. One question to ask is whether your IT could lock or wipe data from employee phones and tablets if need be. What are your legal options for securing critical data on employee-owned devices?

Review medical device security:  Networked medical devices – from respirators and infusion pumps to MRI scanners – increasingly pose security threats, as any device that receives and transmits data can be a target for attackers.  It’s critical to audit these devices, while setting careful security standards for device makers.

Train staff on security issues: Often, breaches are due to human error, so it’s critical to educate non-IT employees on the basics of security hygiene. Basic security training should cover not only ways to avoid security breakdowns – such as avoiding generic or default passwords and phishing e-mails – but also explanations of how such breaches affect patients.

Encourage risk reporting: According to Ponemon, almost half of healthcare organizations discovered a breach through an employee within the past two years. What’s more, nearly one-third of data breaches came to light due to patient complaints. It’s smart to encourage these reports, as IT staff can’t have eyes everywhere.

Disable laptop cameras and microphones:  Laptops generally come with a webcam and microphone, but at least in an enterprise setting, it may be better to disable these functions. Why? For one thing, attackers may be able to listen to private conversations through the microphone.

As I see it, the bottom line on all of these activities is to infuse security thinking into as many IT interactions as possible.  It may be trite to talk about a culture of security (it’s easier said than done, and too many organizations make empty promises) but such a culture can actually make a big impact on your security status.

To have the biggest impact, though, that culture has to extend all the way to the C-suite, and unfortunately, that rarely seems to happen. When I read research on how often healthcare organizations underspend on security, it seems pretty clear that many senior execs don’t take this issue as seriously as they should. And if the staggering level of health data breaches happening lately isn’t enough to scare them straight, I don’t know what will.

HHS OIG Says Unplanned Hospital EMR Outages Are Fairly Common

Posted on August 24, 2016 | Written By

Anne Zieger

More than half of U.S. hospitals responding to a new survey reported having unplanned EMR outages, according to a new report issued by the HHS Office of the Inspector General, due to a variety of common but difficult-to-predict technical problems. Some of these outages have merely been inconveniences, but some resulted in patient care problems, the OIG report said.

The agency said that it conducted this study as a follow-up to its prior research, which found that both natural disasters and cyberattacks were having a major impact on EMR availability. For example, it noted, hospitals faced substantial health IT availability challenges in the wake of Superstorm Sandy, including damage to HIT systems and problems with access to patient records.

According to the survey, 59% of the hospitals reported having unplanned EMR outages. One-quarter said that the outages created delays in patient care and 15% said that the outage led to rerouted patient care. Only 1 percent of outages were caused by hacking or breaches.

The most common causes, in order, were topped by hardware malfunctions, followed by Internet connectivity problems, power failures and natural disasters. (For more detail on the root causes of outages, see this great post by my colleague John Lynn.)

It’s worth noting that these hospitals were selected for having their act together to some degree. To conduct the study, researchers spoke with 400 hospitals which were getting Meaningful Use incentive payments for using a certified EMR system as of September 2014.

Nearly all of these hospitals reported having a HIPAA-required EMR contingency plan in place. Also, two-thirds of the hospitals addressed the four HIPAA requirements reviewed by OIG researchers. Eighty-three percent of surveyed hospitals reported having a data backup plan, 95% had an emergency mode operations plan, 95% said they had a disaster recovery plan and 73% said they had testing and revision procedures in place.

Not only that, most of the hospitals contacted by the study were implementing many ONC and NIST-recommended practices for creating EMR contingency plans. Nearly all had implemented practices such as using paper records for backup and putting alternative power sources like generators in place.

Also, most hospitals said that they reviewed their EMR contingency plans regularly to stay current with system or organizational changes, and 88% said they’d reviewed such plans within the previous two years. Most responding hospitals said they regularly trained their staff on EMR outage contingency plans, though just 45% reported training staff through recommended drills on how to address EMR system downtime. And 40% of hospitals that activated contingency plans in the wake of an outage reported that they saw no disruption to patient care or adverse events.

Still, the OIG’s take on this data is that it’s time to better monitor hospitals’ ability to address EMR outages. Now more than ever, the agency would like to see the HHS Office for Civil Rights fully implement a permanent HIPAA compliance program, particularly given the mounting level of cyberattacks endured by the industry. The OIG admitted that HIPAA standards aren’t crafted specifically to address these types of outages, so it’s not clear such monitoring can solve the problem, but the agency would prefer to forge ahead with existing standards given the risks that are emerging.

Managing Health Information to Ensure Patient Safety

Posted on August 17, 2016 | Written By

Erin Head is the Director of Health Information Management (HIM) and Quality for an acute care hospital in Titusville, FL. She is a renowned speaker on a variety of healthcare and social media topics and currently serves as CCHIIM Commissioner for AHIMA. She is heavily involved in many HIM and HIT initiatives such as information governance, health data analytics, and ICD-10 advocacy. She is active on social media on Twitter @ErinHead_HIM and LinkedIn. Subscribe to Erin's latest HIM Scene posts here.

This post is part of the HIM Series of blog posts. If you’d like to receive future HIM posts by Erin in your inbox, you can subscribe to future HIM Scene posts here.

Electronic Medical Records (EMRs) have been a great addition to healthcare organizations and I know many would agree that some tasks have been significantly improved from paper to electronic. Others may still be cautious with EMRs due to the potential patient safety concerns that EMRs bring to light.

The Joint Commission expects healthcare organizations to engage in the latest health information technologies but we must do so safely and appropriately. In 2008, The Joint Commission released Sentinel Event Alert Issue 42 which advised organizations to be mindful of the patient safety risks that can result from “converging technologies”.

The electronic technologies we use to gather patient data could pose potential threats and adverse events. Some of these threats include the use of computerized physician order entry (CPOE), information security, incorrect documentation, and clinical decision support (CDS).  Sentinel Event Alert Issue 54 in 2015 again addressed the safety risks of EMRs and the expectation that healthcare organizations will safely implement health information technology.

Having incorrect data in the EMR poses serious patient safety risks that are preventable, which is why The Joint Commission has put this emphasis on safely using the technology. We will not be able to blame patient safety errors on the EMR when questioned by surveyors, especially when they could have been prevented.

Ensuring medical record integrity has always been the objective of HIM departments. HIM professionals’ role in preventing errors and adverse events has been apparent from the start of EMR implementations. HIM professionals should monitor and develop methods to prevent issues in the following areas, to name a few:

Copy and paste

Ensure policies are in place to address copy and paste. Records can contain repeated documentation from day to day which could have been documented in error or is no longer current. Preventing and governing the use of copy and paste will prevent many adverse issues with conflicting or erroneous documentation.

Dictation/Transcription errors

Dictation software tools are becoming more intelligent and many organizations are utilizing front end speech recognition to complete EMR documentation. With traditional transcription, we have seen anomalies remaining in the record due to poor dictation quality and uncorrected errors. With front end speech recognition, providers are expected to review and correct their own dictations which presents similar issues if incorrect documentation is left in the record.

Information Security

The data that is captured in the EMR must be kept secure and available when needed. We must ensure the data remains functional and accessible to the correct users and not accessible by those without the need to know. Cybersecurity breaches are a serious threat to electronic data including those within the EMR and surrounding applications.

Downtime

Organizations must be ready to function if there is a planned or unexpected downtime of systems. Proper planning includes maintaining a master list of forms and order-sets that will be called upon in the case of a downtime to ensure documentation is captured appropriately. Historical information should be maintained in a format that will allow access during a downtime making sure users are able to provide uninterrupted care for patients.

Ongoing EMR maintenance

As we continue to enhance and optimize EMRs, we must take into consideration all of the potential downstream effects of each change and how these changes will affect the integrity of the record. HIM professionals need prior notification of upcoming changes and adequate time to test the new functionality. No changes should be made to an EMR without all of the key stakeholders reviewing and approving the changes’ downstream implications. The Joint Commission claims, “as health IT adoption becomes more widespread, the potential for health IT-related patient harm may increase.”


The Cost of Encouraging Patient Engagement

Posted on June 15, 2016 | Written By

Erin Head

We all know that healthcare providers want to encourage patient engagement to ensure patients have the information they need to manage conditions and share information with other providers. There has been a longstanding push for the adoption and maintenance of personal health records for many years to give patients the power to share and disseminate information wherever it is needed. We have seen a remarkable new interest in this with Meaningful Use and population health initiatives. Since HIM professionals are charged with maintaining and producing legal copies of records, we are aware that the tasks surrounding these processes can be very expensive. This is especially true if any of the tasks are not handled properly and breaches of protected information occur.

My concern is that lately I have heard many discussions that are pushing for more access yet with fewer costs to patients to encourage patient engagement. Some are even pushing for patients to have “free” access to records – paper or electronic. Don’t get me wrong, I am a huge proponent for patients having copies of their records and I personally keep copies of my own records. The Office for Civil Rights (OCR) recently published further guidance on charging for records. In a nutshell, the OCR says: “copying fees should be reasonable. They may include the cost of labor for creating and delivering electronic or paper copies; the cost of supplies, including paper and portable media such as CDs or USB drives; and the cost of postage when copies of records are mailed to patients at their request.” The OCR actually has the authority to audit the costs of producing records if they feel your organization is violating this patient right and overcharging for release of information.

Living in a state such as Florida where the state law has allowed facilities to charge up to $1 per page means most facilities have charged $1 per page without blinking an eye. The latest OCR guidance has led to questioning if that amount is actually “reasonable” or true to cost. After all, HIM professionals must use expensive systems, supplies, and labor costs to produce these records. Many organizations have outsourced release of information functions (another cost) but it is still the responsibility of the custodian of records to oversee the processes for compliance.

That being said, it is beneficial for HIM departments to evaluate the expenses and methods used to produce records as technologies and laws change. Dr. Karen DeSalvo of the Office of the National Coordinator (ONC) strives to lead the EMR interoperability movement. At the top of the ONC’s list of commitments is consumer access to records. HIM professionals should continue to assist in the quest for interoperability and electronic data sharing at the notion of patient engagement. We must lead patients to use EMR patient portals and facilitate the efficient electronic data sharing among healthcare providers. We must be creative in lowering overhead costs to produce and maintain the records in order to ensure costs are affordable for healthcare consumers. There will always be costs associated with this important task, whether on the provider’s end or the patient’s end, just as costs are incurred with most services or products in every industry.


HealthIT Trends from Healthcare Marketing Leaders

Posted on April 15, 2016 | Written By

Colin Hung is the co-founder of the #hcldr (healthcare leadership) tweetchat, one of the most popular and active healthcare social media communities on Twitter. Colin is a true believer in #HealthIT, social media and empowered patients. Colin speaks, tweets and blogs regularly about healthcare, technology, marketing and leadership. He currently leads the marketing efforts for @PatientPrompt, a Stericycle product. Colin’s Twitter handle is: @Colin_Hung

Last week 180+ HealthIT Marketers gathered in Atlanta for the #HITMC conference hosted by John Lynn and Shahid Shah. This annual event brings together content creators, editors, graphics artists, strategists, analysts and managers from across the healthcare industry. It is a truly unique opportunity to learn from those that work at marketing agencies, publications, provider organizations, HealthIT companies and marketing vendors.

One of the things I love to do at #HITMC is ask fellow marketers what topics they are being asked to write about and create content for. This informal poll is a fantastic way to gain insight into what will be trending over the next few months in healthcare. Why? Because if someone in the #HITMC audience is writing about it, you can rest assured it’ll be something you will soon see in your Twitter, LinkedIn, RSS or Facebook feed.

Here is a sampling of the responses I gathered at #HITMC:

Chris Slocumb @CSlocumb – CQ Marketing

“We’re doing a lot of work on security. From the provider side we’re talking about whether the right safeguards are in place and from the vendor side we’re writing about how their tools can help with securing an organization. Analytics, HIEs and interoperability are also topics we are creating content for. Conversely we’re not seeing much in the area of patient engagement right now.”

Shereese Maynard MS @ShereesePubHlth – Envisioncare

“I find that I’m doing work in the area of Home Health right now. It’s something that providers are waking up to – the potential for care at home to help patients stay healthier at lower cost. Providers and patients alike are looking to read more on that topic. Personally I’m very interested in Direct Primary Care. I think it’s a topic that will bubble to the top soon.”

Scott Collins – Aria Marketing

“Thought leadership is hot right now. It’s not exactly a specific topic, but I’m seeing a lot of companies hop onto the thought leadership bandwagon. It’s like vendors have suddenly woken up to the fact that getting ‘out there’ and demonstrating your expertise on a subject is going to lead to more business. It’s exciting. In terms of a topic, population health is something I’m seeing a lot of, but one level deeper than before. Instead of just defining it we’re going to be talking about how it will help specific communities. Oh and security is BIG.”

Beth Friedman @HealthITPR – Agency Ten22

“I’m seeing a lot of requests for content around bundled payments, revenue cycle and the new self-pay patient. The financial side of healthcare is changing.”

From the conversations at #HITMC, I would definitely say security and payment are the two hottest topics right now. Security isn’t really all that surprising given the number of recent ransomware attacks. The topic of payment and revenue cycle, however, caught me a little by surprise. I thought (hoped) interoperability or patient data access would have been a trending topic. Given the changes to reimbursement models, the movement to value-based care and the popularity of high-deductible health plans, it’s no wonder this is garnering a lot of readership/interest.

Shameless Plug: If you work in HealthIT marketing or for a HealthIT publication, I would strongly encourage you to attend #HITMC next year. Not only are the sessions educational, but by listening to the attendees you’ll get a pulse of what is trending in healthcare. Hopefully we’ll see you next year!

Making the Case for a Unique Patient Identifier – #MyHealthID

Posted on April 13, 2016 | Written By

Erin Head

Healthcare is a high priority for the US Government and as HIM professionals, we know the importance of keeping our fingers on the pulse of issues facing our nation. We must stay current with proposed regulatory changes and those that address the needs of the US healthcare system as they relate to HIM, privacy and security, and Health IT. One issue our nation has struggled with is secure universal identification for citizens. Social security numbers were not originally meant to be secure identifiers yet they have controversially been used as unique identifiers by Centers for Medicare and Medicaid Services (CMS) for many years.

In our line of work, we see all of the potential negative implications and the important role that patient identification plays in patient safety, HIPAA compliance, and health record accuracy. When patients are not appropriately identified throughout the continuum of care, many issues arise that can lead to misdiagnosing, incomplete information, unnecessary testing, and fraud to name a few. Duplicates and overlays are far too common due to issues matching patient names and dates of birth versus using a universal secure identifier. Sharing information through health information exchange is nearly impossible when patients are registered in multiple systems with different spellings or misidentification.

The HITECH Act of 2009 laid the groundwork for the Department of Health and Human Services (HHS) to standardize unique health identifiers, among other tasks, but we have yet to see any real progress on this subject due to federal budget barriers. AHIMA sees this as a critical need and, in response, has started a petition to the White House to:

“Remove the federal budget ban that prohibits the U.S. Department of Health and Human Services (HHS) from participating in efforts to find a patient identification solution. We support a voluntary patient safety identifier. Accurate patient identification is critical in providing safe care, but the sharing of electronic health information is being compromised because of patient identification issues. Let’s start the conversation and find a solution.”

The campaign is called MyHealthID and looks to have 100,000 signatures on the petition to garner the attention of the US Government. HIM professionals recently took to Washington, DC to visit with Congressmen and Senators from each state to advocate for MyHealthID. The message, “there’s only one you,” is intended to resonate with politicians and make the case that a unique patient identifier is necessary and important to healthcare.

I encourage all healthcare professionals to sign this petition and assist the advocacy efforts toward a unique patient identifier. MyHealthID will not only help with HIM and Health IT initiatives; it will be in the best interest of healthcare consumers nationwide.

If you’d like to receive future HIM posts by Erin in your inbox, you can subscribe to future HIM Scene posts here.

Another Day…Another Healthcare Breach

Posted on March 19, 2015 | Written By John Lynn

We all know about the Anthem Healthcare breach of millions of patient records. That’s been followed by an announcement by Premera Blue Cross that they’ve had 11 million records breached as well. Plus, I’m sure we’re just at the start of healthcare data breaches that are going to occur.

What’s astonishing to me is that many seem to be playing this up as a new thing. I remember about 15 years ago when I was in college and a guy I knew told stories about hacking through an entire hospital system. In fact, he casually made the comment, “You don’t want to hack the government cause they’ll come after you, but hospitals and universities you can easily hack and nothing will happen.”

This story illustrates two points. First, breaches of healthcare organizations have been happening for a long time. This isn’t something new. Second, we’re just now starting to put in place the technology that will detect breaches. That’s a good thing. In fact, in some ways we should applaud the fact that we actually know these breaches are happening now. I’m certain that many of these breaches happened before and we just never knew about them because you don’t have to report a breach you don’t know about.

Now that we know about these breaches, will that spur action? I think it will in some organizations. It certainly won’t be a bad thing for security and privacy. Unless we’ve become so callous to the breaches (like the title of this post suggests) that we stop caring about breaches because “they’re bound to happen.”

I hope that this post doesn’t encourage apathy on the part of healthcare organizations regarding security and privacy. I assure you that no hospital wants to go through a breach of healthcare data. While it’s impossible to guarantee a breach won’t happen, a sincere effort to create a culture of compliance in your hospital can go a long way to preventing many breaches.

As my college hacker friend told me many years ago, “You can never make something 100% secure, but you can make it hard enough for someone to hack that it’s not worth their time.” If it’s not worth their time, they’ll usually move on to someone easier.