
The CIO’s Guide to HIPAA Compliant Text Messaging

Yesterday I wrote a piece on EMR and EHR where I talk about why Secure Text Messaging is Better Than SMS. I think it makes a solid case for why every organization should be using some sort of secure text messaging solution. Plus, I do so without trying to use fear of HIPAA violations to make the case.

However, you can certainly make the case for a secure text messaging solution in healthcare based on HIPAA compliance. In fact, the people at Imprivata have essentially made that case really well in their CIO Guide to HIPAA Compliant Text Messaging. This is well worth a read if you’re in a healthcare organization that could be at risk for insecure texting (yes, that’s every organization).

They break down the path to compliance into 3 steps:

  1. Policy – Establish an organizational policy
  2. Product – Identify an appropriate text messaging solution
  3. Practice – Implement and actively manage the text messaging solution

Texting is a reality in hospitals today, and the best solution isn’t suppression but enabling users with a secure solution. The checklists in the CIO Guide to HIPAA Compliant Text Messaging provide a great foundation for making sure your organization is enabling its users in a HIPAA compliant manner.

January 15, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus.

AHA Asks NIST To Make Cybersecurity Rules Flexible and Voluntary

The American Hospital Association has sent a letter to the National Institute of Standards and Technology asking the organization to make sure that its cybersecurity framework remains flexible and “strictly” voluntary for private sector organizations, according to iHealthBeat.

In late October, NIST opened a comment period on the proposed cybersecurity framework. It followed on former NSA employee Edward Snowden leaking private government documents stating that NIST’s encryption standards contain a “back door,” allowing the NSA to decipher encrypted messages.

NIST’s data encryption standards, which are used in electronic health care data security and exchange, are now undergoing internal and independent formal reviews.

In its letter, the AHA says that it agrees with the five core functions of the proposed framework:

* Identify
* Protect
* Detect
* Respond
* Recover

That being said, the AHA also wants to see the framework look at ways to reconcile various cybersecurity implementation standards, provide plenty of time for implementing changes, and incorporate existing data security rules used in healthcare, such as HIPAA and the HITECH Act, iHealthBeat reports.

Also, the AHA advises that several entities that interact with hospitals should be involved in cybersecurity risk assessment and reduction, including medical device companies, physician offices, insurers and individual patients.

And the AHA strongly urges NIST to encourage, not bludgeon, when it comes to bringing these standards to healthcare: “We encourage the federal government to ensure a thorough dialogue with the health sector before any specific incentives are adopted…Further, we recommend that only positive incentives be contemplated, such as reduced premiums for cybersecurity insurance among those who have adopted the framework.”

Regardless of what NIST does with its cybersecurity framework, healthcare leaders have plenty of security issues of their own to handle. As an investigative report published last year by The Washington Post pointed out, healthcare organizations have their work cut out for them when it comes to fixing security holes.

December 19, 2013 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies.

Single Sign-On and Strong Authentication in Hospitals

We’ve often talked about the hundreds of systems that a hospital organization must support. Yes, we often forget about 99 of them because we’re so focused on the enormous EHR software. However, the end users of those systems don’t forget about them. This is particularly true when an organization hasn’t implemented a well-designed single sign-on solution with strong authentication. Considering the multiple-login complaints I still hear from so many people, I think that includes a lot of you.

The authentication and single sign-on experts at Imprivata have put together this pretty comprehensive whitepaper on Single Sign-On and Strong Authentication. As is usually the case, there’s much more to it than most people think about at first glance.

Take for example just the list of leading authentication methods:

  • Passwords
  • Strong Passwords
  • ID Tokens
  • Smart Cards
  • Passive Proximity Cards
  • Active Proximity Cards
  • Biometrics

Of course, with all of this I’m still waiting for the day when we have a biometrically controlled experience at a hospital. We’re getting there. Hopefully, before that day arrives, organizations will have figured out all the single sign-on issues we’re still dealing with today.

The best reason to invest in a single sign-on solution is security. Sure, there are some arguments that a single sign-on option is less secure because one login can get you into everything. This is mitigated to some degree with two-factor authentication. However, even if it is the case, it’s still more secure than a nurse having 20 logins, which leads to them writing their usernames and passwords on a sticky note next to their computer. Single sign-on almost completely solves this security problem.

How is your organization approaching single sign-on?

December 13, 2013 | Written By John Lynn

Common Misconceptions About HIEs

Health leaders are interested in connecting with other organizations, an interest documented by several studies, but many aren’t moving ahead. HIE expansion is proceeding slowly for a number of reasons, not the least of which are concerns about HIE costs and the great difficulty of establishing interoperable data streams.

But some of the reasons healthcare administrators cite for not moving ahead are actually myths, according to a story in Becker’s Hospital Review. Becker’s spoke with Carol Parker, executive director of the East Lansing, Mich.-based Great Lakes Health Information Exchange, who argued that at least three common beliefs about HIEs are myths.

1. HIEs are costly. According to Parker, hospitals assume that HIE connections will prove to be as expensive as bringing an EMR on board, which naturally gives them pause. But the truth is that HIE costs are “negligible” compared to EMR expenses, Parker says. For example, she estimates that a 300-bed hospital would pay less than $50,000 per year, a very small number when compared to EMR costs.

2. HIEs are less secure than current systems. Providers worry that HIEs aren’t going to offer strong enough data security to ensure HIPAA compliance. In fact, according to a HIMSS Analytics report, 39 percent of hospitals who are already on board with HIEs have privacy concerns. But according to Parker, HIEs like hers have tight security measures in place. GLHIE even has a chief privacy and security officer who audits and monitors the data to make sure security meets government and industry standards.

3. HIEs don’t need to be a priority. According to Parker, providers overwhelmed by EMR installs have “IT fatigue” and don’t feel they can add one more thing to their efforts. But Parker argues that participation in an HIE is critical, particularly as hospitals take on population health management and work under performance-based contracts. “It will be challenging to make that work without having information on care delivered to the patient outside of the health system’s network,” she says.

While Parker is obviously biased in favor of HIEs, I believe she makes some good points. It’s particularly interesting to hear that the annual cost of HIE participation, at least with GLHIE, is a relatively small number. Now, just because it’s inexpensive doesn’t mean joining an HIE isn’t a big deal. But it’s good to hear that the costs are probably doable for most hospitals.

October 30, 2013 | Written By Anne Zieger

How Easily Are Hospitals Hacked?

This is an interesting tweet. I find it interesting that a hospital is working with local hackers. I guess it’s even more interesting that an EMR vendor has enough clout to be able to get a local hospital to not install software. Although, knowing the industry like I do, it’s not that surprising. Should a hospital listen to some local hackers, or to a vendor they’ve invested hundreds of millions and sometimes billions of dollars in? (Yes, an EHR purchase is an investment.)

Of course, this tweet reminded me of a great story my best friend in college told me about when he hacked into the major hospital system where he went to high school. Turns out he used a mix of physical and technical hacks to breach the hospital system.

The key to him breaching the hospital system was that he got access to a computer on the hospital network and left a back door so he could access that computer remotely. All he did was put on a jacket, go to an office on the network, and say he was working for their IT department and was there to run some updates on the computer. They happily let him run the “update” on their computer. Instead, he created a back door through which he could get access to the hospital network from anywhere.

I’m sure that many reading this will think twice the next time someone comes in saying they need to update their computer. It’s not like most people in a hospital know all the tech support people who work there.

Of course, this is a simple little hack. Certainly there are plenty of other ways that someone can hack into healthcare systems. The interesting thing is that most people don’t care about healthcare information. They want financial information. So, someone that does hack a healthcare system is unlikely to do much with the healthcare info. Yes, I’ve read the people who say a patient record is worth $50. I’m still waiting to see someone try to sell one at that price.

I should also mention that I think the tweet isn’t actually talking about this type of hacker. I think the tweet is talking about the Fred Trotter version of “hacker,” which is simply someone who puts together a great solution to a problem (i.e., a hack). We need more great solutions in healthcare, so I hope that EMR vendors stop preventing local application hackers from working with hospitals.

July 31, 2013 | Written By John Lynn

Are Hospitals Ready for HIPAA Omnibus?

I’ve been thinking quite a bit about the new HIPAA Omnibus rules ever since I interviewed Rita Bowen at HIMSS about the new HIPAA rules. While Rita highlights some other changes that came as part of HIPAA Omnibus, I still think that the biggest change is all of the new details around business associates.

There are a lot of changes when it comes to business associates, and the work of making sure everything is in place requires effort from both the healthcare institution and the business associates. Considering that the HIPAA Omnibus rule went into effect on March 26th, there’s no time for an organization to delay this work. They’re already behind if they haven’t done it.

Considering the lack of discussion I’ve seen from hospitals, I have a feeling that many of them haven’t dealt with this issue yet at all. In fact, I wouldn’t be surprised if many of them didn’t even realize that they had to do anything. Instead, I expect that many just figured it was on the business associate to change. That’s just not the case, and hospitals should be consulting their HIPAA lawyer to make sure everything is in place.

I’d love to hear if others are having different experiences. Did you go through the HIPAA Omnibus rule? Did you have to make a lot of changes? Did you change how you work with business associates?

March 30, 2013 | Written By John Lynn

Hospitals, Health Systems Don’t Feel Prepared For Meaningful Use Stage 2

A new survey by KPMG confirms what most of us would have guessed: hospital and health system leaders aren’t that sure they’re ready to meet Meaningful Use Stage 2 requirements.

The study, which was conducted last month, found that 47 percent of hospital and health system business leaders surveyed were only somewhat confident in their readiness to meet Stage 2 requirements. Just over one-third (36 percent) said they were confident, and four percent weren’t confident at all, KPMG found. Another 11 percent said they didn’t know what their level of readiness was.

Respondents are also worried about meeting privacy and security standards included in both Stage 2 and HIPAA. Forty-seven percent of respondents were only somewhat comfortable with their organization’s ability to meet all parts of HIPAA, including the need for new annual risk assessments and protecting patient-identifiable information. Eight percent of respondents said they weren’t comfortable at all, 13 percent said they weren’t sure and 31 percent said they were comfortable, KPMG reported.

To help close the readiness gap, hospitals and health systems are bringing in outside help. Thirty percent of respondents said their organization had hired new or additional team members to help complete EMR deployment. And 22 percent said they’d hired outside contractors to get the job done.

So why are so many healthcare business leaders insecure about Stage 2? When asked to name the biggest challenge in complying with Stage 2 requirements, 29 percent cited training and change management issues.

Tied for second were lack of monitoring processes to ensure sustained demonstration of MU, and capturing relevant data as part of the clinical workflow, at 19 percent each. Twelve percent named lack of a dedicated Meaningful Use team, and 6 percent availability of appropriate certified vendor technology. Fourteen percent said “other.”

December 31, 2012 | Written By Anne Zieger

Hospitals Stepping Up Security Risk Analysis, While Practices Lag

As hospitals have implemented EMRs, they’ve created a tempting target for criminal hackers, as the goldmine of patient data they house can be very valuable on the black market. At the same time, patient access to health data has expanded dramatically, multiplying the possible points of failure.

Aware of these issues, hospitals are almost all conducting an annual security risk analysis, but fewer medical practices are on the bandwagon, according to new research by HIMSS.

Since 2008, HIMSS has conducted an annual security survey of healthcare providers, supported by the Medical Group Management Association and underwritten by Experian Data Breach Resolution. That first year, three-quarters of respondents (largely hospitals) said their organization had conducted an annual risk analysis.

For 2012, a total of 303 individuals completed the HIMSS survey, a self-selected Web-based survey. Those responding had to answer qualifying questions which verified that they were involved directly in working with security at their organization.

This year, a full 90 percent of hospitals reported conducting an annual risk analysis, while just 65 percent of physician practices said that they do so. (I’m actually surprised that so many physician groups are doing any kind of audit, but maybe the respondents came from larger practices.)

What’s really interesting, though, isn’t the mere fact that these organizations are taking their medicine and doing their risk surveys. Some other highlights of the study:

* Twenty-two percent of respondents reported a security breach in the last year: While scary to contemplate, it’s nonetheless true that both hospitals and medical practices had a one-in-five chance of being breached this year. Most breaches affected fewer than 500 patients, but providers can’t count on that being the rule.

* Less than half of the hospitals and doctors had tested their data breach response plan: Auditing your security arrangements is all well and good, but if you’re not sure your data breach plan will actually help you respond to breaches, it’s not worth the (digital) paper it’s written on.

As the pressure mounts to protect EMR data across patient portals, mobile devices, laptops, desktops and more, let’s hope that physicians catch up with hospitals when it comes to security. Otherwise, I think 2013 may be remembered as the year big ‘n ugly physician practice break-ins dominated the news.

December 14, 2012 | Written By Anne Zieger

Healthcare Cloud Spending Slated For Major Growth

Hospitals may still be ambivalent about using the cloud for clinical data transport, but attitudes are likely to undergo a major change over the next few years, according to research firm MarketsandMarkets. The firm projects that the healthcare cloud market will expand by about 20.5 percent per year over the next five years, hitting $5.4 billion by 2017.

Right now, healthcare cloud spending has hit roughly $1.8 billion, which represents penetration of four percent, MarketsandMarkets found. That’s just a drop in the bucket, particularly given the big competitors who are aiming their guns at the healthcare cloud market today. (Other estimates put healthcare cloud penetration at 16.5 percent of the marketplace, still a small number though meaningfully larger than MarketsandMarkets’ number.)

As our sister site EMRandHIPAA.com previously noted, Verizon’s Enterprise Solutions division is offering five “healthcare-enabled” services, including colocation, managed hosting, enterprise cloud, an “enterprise cloud express edition” and enterprise cloud private edition. Verizon hopes to capture healthcare IT managers who are worried not only about HIPAA-secure clinical data transport, but also HIPAA-appropriate data protection on site, as it’s training hosting workers to be HIPAA-ready.

Another set of deep-pocketed healthcare cloud vendors are AT&T and IBM, who are partnering to capture what they deem to be a $14 billion healthcare cloud market. Under the terms of an agreement announced in early October, IBM will provide data storage facilities and services, while AT&T will provide the network.

What could possibly hold back the advance of such giants? Well, a number of issues, MarketsandMarkets notes. While vendors large and small may promise to be compliant with healthcare regulations, healthcare data is challenging to manage, given that it requires special security, confidentiality, availability to authorized users, traceability of access, reversibility of data and long-term preservation.

My guess is that hospitals will respond to the efforts of vendors to attract cloud business, but that the market for public cloud services in particular won’t shoot upward as MarketsandMarkets predicts, as there are just too many things that worry CIOs. How about you, readers?

October 30, 2012 | Written By Anne Zieger

Health Management Associates Makes System-Wide Deal With athenahealth

Cloud-based EMR vendor Athenahealth has struck a deal with hospital chain Health Management Associates that its vendor competitors would die for.

HMA has signed an agreement with athena under which the chain’s 1,200+ employed physicians, spread across 15 states and 300 locations, will now use the vendor’s practice management, EMR and patient communication services. HMA’s 10,000-odd independent physicians will also have access to the systems.

In the announcement, HMA and athena took pains to emphasize that the selection process was a fair and thorough one:

Health Management selected athenahealth after a twelve-month review and due diligence process that involved more than 350 clinical experts, including more than 200 physicians. The evaluation process included detailed questionnaires, onsite and virtual demonstrations, site visits, and clinical template shootouts.

Perhaps those details were included to convince observers that the deal didn’t include some kind of payola. I don’t think doctors are going to be too impressed by the IT talk. (If it were me, I’d care about only one demonstration: how it worked for me on Day One.)

HMA may not be the country’s largest hospital chain, but it’s still a heavyweight, operating 66 hospitals spanning 10,330 licensed beds. Its hospitals span Alabama, Arkansas, Florida, Georgia, Kentucky, Mississippi, Missouri, North Carolina, Oklahoma, Pennsylvania, South Carolina, Tennessee, Texas, Washington, and West Virginia.

Particularly given its scale, this deal intrigues me for a few reasons. It raises what seem to me to be important questions:

* Is HMA expecting its independent physicians to dump whatever EMR they may already have in place and switch it out for athena? Or adopt its practice management module instead of what they use now? That seems, uh, a bit unrealistic?

* I don’t know what enterprise EMR system HMA uses (do you, readers?) but whatever it is, I doubt it will plug seamlessly into the athena cloud. How do the IT types at HMA plan to connect the whole schlemiel?

* If the independent physicians don’t want to adopt the athena package, what will HMA do? Club them like baby seals? Or just accept that a large percentage of its docs aren’t connected?

September 21, 2012 | Written By Anne Zieger