
HIPAA Compliant Texting

We’re quickly seeing HIPAA compliant texting as a standard in healthcare. Certainly there are some organizations that are resisting, but I fear for those healthcare organizations that are letting SMS run rampant in their organization. SMS is not HIPAA compliant and so that’s a real risk for an organization that allows it to go on. However, I’m seeing organizations across the country adopting a secure text messaging solution.

I’ve often said that the best way to solve a problem is to make doing the right thing easy, or better than doing the wrong thing. This applies neatly to HIPAA compliant texting. I previously outlined 11 reasons why a secure text message solution is better than SMS, and fear of HIPAA was not one of them. Can someone really argue that SMS is better or even acceptable?

Besides the argument that secure text messaging is dramatically better than SMS, the great part is that a plethora of secure text messaging solutions are available that are just as easy to use as SMS. I’m personally biased toward docBeat since I’m an advisor to them and they’ve created a really great product. However, there are lots of other dedicated secure messaging companies, including TigerText, docHalo, qliqSoft, and many more. Plus, that doesn’t even include large companies like Imprivata, which offers Cortext, and even athenahealth’s Epocrates, which has secure text messaging built into its product.

The day will soon come when a hospital gets hit with a HIPAA violation (possibly during a HIPAA audit) and insecure SMS will be the culprit. Considering the advancements in secure text messaging options, hospitals won’t have anywhere to hide. It’s very clear that there are HIPAA compliant options available and so I can’t imagine they’ll be lenient with organizations that aren’t doing something about it.

I’d love to hear your experience with HIPAA compliant text messaging. Do you use it in your hospital? What do you love or hate about it? Are you still using SMS?

July 23, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 14 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus.

Large Health Facilities Have Major Patient Data Security Issues

Many healthcare organizations have security holes that leave not only their systems, but their equipment susceptible to cyberattacks, according to two recent studies.

The researchers included Scott Erven, head of information security for multi-state hospital and clinic chain Essentia Health, and Shawn Merdinger, an independent consultant. According to iHealthBeat, the two presented their findings last week at the Shakacon conference.

Erven and his colleagues conducted a two-year study addressing the security of Essentia’s medical equipment. As part of their study they found that hackers could manipulate dosages of drugs delivered by drug infusion pumps, deliver random defibrillator shocks to patients or prevent medically needed shocks from taking place, and change the temperature settings in refrigerators holding blood and drugs.

The research team also looked for exposed equipment within other healthcare organizations, and the results were appalling. Within only 30 minutes, iHealthBeat notes, they found one healthcare organization that had 68,000 devices exposing data. Across all of the health systems they studied, they found 488 exposed cardiology systems, 323 PACS systems, 32 pacemaker systems, 21 anesthesiology systems and several telemetry systems used to monitor elderly patients and prevent infant abductions.

Both Erven and Merdinger found that the organizations were leaking data because an Internet-connected computer had not been configured securely. Typically, data leaks occurred because sys admins had left Server Message Block (a protocol used to help admins find and communicate with computers internally) enabled on such a computer and allowed it to broadcast information, turning private data into publicly accessible data.

According to Erven, these issues are “global” and impact thousands of healthcare organizations. He suggests that too often, healthcare organizations focus on HIPAA compliance and don’t put enough effort into penetration testing and vulnerability protection.

This should come as no surprise. After all, Proficio’s Takeshi Suganuma notes, HIPAA was developed to protect PHI for a wide range of organizations, and as he puts it, “one size seldom fits all.” While HIPAA compliance is important, collection, analysis and monitoring of security events are also critical activities for medium- to large-sized organizations, Suganuma suggests.

He also warns that healthcare organizations should be aware that cyberattackers are exploiting not only traditional network vulnerabilities, but also vulnerabilities in printers and medical devices. Networked medical devices are a particularly significant issue, since provider IT teams can’t upgrade the underlying operating system embedded in these devices — and too many of the devices are using older versions of Windows and Linux with known security holes.

The key point Suganuma, Erven and Merdinger are making is that while HIPAA compliance is good, healthcare organizations must pay greater attention to new attack vectors, or they face high odds of security compromise. Seems like there’s a lot of work (and investment) afoot.

July 2, 2014 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies.

HIPAA Privacy and Security with Mac McMillan

I’ve been doing a whole series of Google Plus hangout video interviews with people across the spectrum of Healthcare IT. I recently did one with Mac McMillan, CEO of Cynergistek, that I thought might be of real interest to many people working with hospital EHRs. If you’re concerned about your HIPAA compliance or worried about potential HIPAA audits, take the time to listen to this interview with Mac McMillan. He provides a number of interesting insights, including some reasons beyond HIPAA to make sure our security and privacy ducks are in a row.

June 9, 2014 | Written by John Lynn

The CIO’s Guide to HIPAA Compliant Text Messaging

Yesterday I wrote a piece on EMR and EHR where I talk about why Secure Text Messaging is Better Than SMS. I think it makes a solid case for why every organization should be using some sort of secure text messaging solution. Plus, I do so without trying to use fear of HIPAA violations to make the case.

However, you can certainly make the case for a secure text messaging solution in healthcare based on HIPAA compliance. In fact, the people at Imprivata have essentially made that case really well in their CIO Guide to HIPAA Compliant Text Messaging. This is well worth a read if you’re in a healthcare organization that could be at risk for insecure texting (yes, that’s every organization).

They break down the path to compliance into 3 steps:

  1. Policy – Establish an organizational policy.
  2. Product – Identify an appropriate text messaging solution.
  3. Practice – Implement and actively manage the text messaging solution.

Texting is a reality in hospitals today and the best solution isn’t suppression, but enabling users with a secure solution. The checklists in the CIO Guide to HIPAA Compliant Text Messaging provide a great foundation for making sure your organization is enabling your users in a HIPAA compliant manner.

January 15, 2014 | Written by John Lynn

AHA Asks NIST To Make Cybersecurity Rules Flexible and Voluntary

The American Hospital Association has sent a letter to the National Institute of Standards and Technology asking the organization to make sure that its cybersecurity framework remains flexible and “strictly” voluntary for private sector organizations, according to iHealthBeat.

In late October, NIST opened a comment period on the proposed cybersecurity framework. It followed on former NSA employee Edward Snowden leaking private government documents stating that NIST’s encryption standards contain a “back door,” allowing NSA to decipher encrypted messages.

NIST’s data encryption standards, which are used in electronic health care data security and exchange, are now undergoing internal and independent formal reviews.

In its letter, the AHA says that it agrees with the five core functions of the proposed framework:

* Identify
* Protect
* Detect
* Respond
* Recover

That being said, the AHA also wants to see the framework look at ways to reconcile various cybersecurity implementation standards, provide plenty of time for implementing changes, and include existing data security rules used in healthcare such as HIPAA and the HITECH Act, iHealthBeat reports.

Also, the AHA advises that several entities that interact with hospitals should be involved in cybersecurity risk assessment and reduction, including medical device companies, physician offices, insurers and individual patients.

And the AHA strongly urges NIST to encourage, not bludgeon, when it comes to bringing these standards to healthcare: “We encourage the federal government to ensure a thorough dialogue with the health sector before any specific incentives are adopted…Further, we recommend that only positive incentives be contemplated, such as reduced premiums for cybersecurity insurance among those who have adopted the framework.”

Regardless of what NIST does with its cybersecurity framework, healthcare leaders have plenty of security issues of their own to handle. As an investigative report published last year by The Washington Post pointed out, healthcare organizations have their work cut out for them when it comes to fixing security holes.

December 19, 2013 | Written by Anne Zieger

Single Sign-On and Strong Authentication in Hospitals

We’ve often talked about the hundreds of systems that a hospital organization must support. Yes, we often forget about 99 of them because we’re so focused on the enormous EHR software. However, the end users of those systems don’t forget about them. This is particularly true when an organization hasn’t implemented a well-done single sign-on solution with strong authentication. Considering the multiple-login complaints I still hear from so many people, I think that includes a lot of you.

The authentication and single sign-on experts at Imprivata have put together this pretty comprehensive whitepaper on Single Sign-On and Strong Authentication. As is usually the case, there’s so much more to it than most people think about on the face of it.

Take for example just the list of leading authentication methods:

  • Passwords
  • Strong Passwords
  • ID Tokens
  • Smart Cards
  • Passive Proximity Cards
  • Active Proximity Cards
  • Biometrics

Of course, with all of this I’m still waiting for the day when we have a biometrically controlled experience at a hospital. We’re getting there. Hopefully, before then, organizations will have figured out all the single sign-on issues we’re still dealing with today.

The best reason to invest in a single sign-on solution is security. Sure, there are some arguments that a single sign-on option is less secure because one login can get you into everything. This is mitigated to some degree with two-factor authentication. However, even if it is the case, it’s still more secure than a nurse having 20 logins, which leads to them writing their usernames and passwords on a sticky note next to their computer. Single sign-on almost completely solves this security problem.

How is your organization approaching single sign-on?

December 13, 2013 | Written by John Lynn

Common Misconceptions About HIEs

Health leaders are interested in connecting up with other organizations, an interest documented by several studies, but many aren’t moving ahead. HIE expansion is proceeding slowly for a number of reasons, not the least of which are concerns about HIE costs and the great difficulty in establishing interoperable data streams.

But some of the reasons healthcare administrators cite for not moving ahead are actually myths, according to a story in Becker’s Hospital Review. Becker’s spoke with Carol Parker, executive director of the East Lansing, Mich.-based Great Lakes Health Information Exchange, who argued that at least three common beliefs about HIEs are myths.

1. HIEs are costly. According to Parker, hospitals assume that HIE connections will prove to be as expensive as bringing an EMR on board, which naturally gives them pause. But the truth is that HIE costs are “negligible” compared to EMR expenses, Parker says. For example, she estimates that a 300-bed hospital would pay less than $50,000 per year, a very small number when compared to EMR costs.

2. HIEs are less secure than current systems. Providers worry that HIEs aren’t going to offer strong enough data security to ensure HIPAA compliance. In fact, according to a HIMSS Analytics report, 39 percent of hospitals that are already on board with HIEs have privacy concerns. But according to Parker, HIEs like hers have tight security measures in place. GLHIE even has a chief privacy and security officer who audits and monitors the data to make sure security meets government and industry standards.

3. HIEs don’t need to be a priority. According to Parker, providers overwhelmed by EMR installs have “IT fatigue” and don’t feel they can add one more thing to their efforts. But Parker argues that participation in an HIE is critical, particularly as hospitals take on population health management and work under performance-based contracts. “It will be challenging to make that work without having information on care delivered to the patient outside of the health system’s network,” she says.

While Parker is obviously biased in favor of HIEs, I believe she makes some good points. It’s particularly interesting to hear that the annual cost of HIE participation, at least with GLHIE, is a relatively small number. Now, just because it’s inexpensive doesn’t mean joining an HIE isn’t a big deal. But it’s good to hear that the costs are probably doable for most hospitals.

October 30, 2013 | Written by Anne Zieger

How Easy Are Hospitals Hacked?

This is an interesting tweet. I find it interesting that a hospital is working with local hackers. I guess it’s even more interesting that an EMR vendor has enough clout to be able to get a local hospital to not install software. Although, knowing the industry like I do, it’s not that surprising. Should a hospital listen to some local hackers or someone they’ve invested hundreds of millions and sometimes billions of dollars in? (yes, an EHR purchase is an investment)

Of course, this tweet reminded me of a great story my best friend in college told me about when he hacked into the major hospital system where he went to high school. Turns out he used a mix of physical and technical hacks to breach the hospital system.

The key to him breaching the hospital system was that he got access to a computer on the hospital network and left a back door so he could access that computer remotely. All he did was put on a jacket, go to an office in the network, and say he was working for their IT department and was there to run some updates on the computer. They happily let him run the “update” on their computer. Instead, he created a back door through which he could get access to the hospital network from anywhere.

I’m sure that many reading this will think twice when someone comes in saying they need to update their computer now. It’s not like most people in the hospital know all the tech support people in their hospital.

Of course, this is a simple little hack. Certainly there are plenty of other ways that someone can hack into healthcare systems. The interesting thing is that most people don’t care about healthcare information. They want financial information. So, someone that does hack a healthcare system is unlikely to do much with the healthcare info. Yes, I’ve read the people who say a patient record is worth $50. I’m still waiting to see someone try to sell one at that price.

I should also mention that I think the tweet isn’t actually talking about this type of hacker. I think the tweet is talking about the Fred Trotter version of “hacker,” which just means putting together a great solution to a problem (i.e. a hack). We need more great solutions in healthcare, so I hope that EMR vendors stop impeding local application hackers from working with hospitals.

July 31, 2013 | Written by John Lynn

Are Hospitals Ready for HIPAA Omnibus?

I’ve been thinking quite a bit about the new HIPAA Omnibus rules ever since I interviewed Rita Bowen at HIMSS about the new HIPAA rules. While Rita highlights some other changes that came as part of HIPAA Omnibus, I still think that the biggest change is all of the new details around business associates.

There are a lot of changes when it comes to business associates, and the work to make sure everything is in place with business associates requires effort from both the healthcare institution and the business associates. Considering the HIPAA Omnibus rule went into effect on March 26th, there’s no time for an organization to delay this work. They’re already behind if they haven’t done this already.

Considering the lack of discussion I’ve seen from hospitals, I have a feeling that many of them haven’t dealt with this issue yet at all. In fact, I wouldn’t be surprised if many of them didn’t even really realize that they had to do anything. Instead, I expect that many just figured it was on the back of the business associate to change. That’s just not the case and the hospital should be consulting their HIPAA lawyer to make sure everything is in place.

I’d love to hear if others are having different experiences. Did you go through the HIPAA Omnibus rule? Did you have to make a lot of changes? Did you change how you work with business associates?

March 30, 2013 | Written by John Lynn

Hospitals, Health Systems Don’t Feel Prepared For Meaningful Use Stage 2

A new survey by KPMG confirms what most of us would have guessed: hospital and health system leaders aren’t that sure they’re ready to meet Meaningful Use Stage 2 requirements.

The study, which was conducted last month, found that 47 percent of hospital and health system business leaders surveyed were only somewhat confident in their readiness to meet Stage 2 requirements. Just over one-third (36 percent) said they were confident, and four percent weren’t confident at all, KPMG found. Another 11 percent said they didn’t know what their level of readiness was.

Respondents are also worried about meeting privacy and security standards included in both Stage 2 and HIPAA. Forty-seven percent of respondents were only somewhat comfortable with their organization’s ability to meet all parts of HIPAA, including the need for new annual risk assessments and protecting patient-identifiable information. Eight percent of respondents said they weren’t comfortable at all, 13 percent said they weren’t sure and 31 percent said they were comfortable, KPMG reported.

To help close the readiness gap, hospitals and health systems are bringing in outside help. Thirty percent of respondents said their organization had hired new or additional team members to help complete EMR deployment. And 22 percent said they’d hired outside contractors to get the job done.

So why are so many healthcare business leaders insecure about Stage 2? When asked to name the biggest challenge in complying with Stage 2 requirements, 29 percent cited training and change management issues.

Tied for second were lack of monitoring processes to ensure sustained demonstration of MU, and capturing relevant data as part of the clinical workflow, at 19 percent each. Twelve percent named lack of a dedicated Meaningful Use team, and 6 percent availability of appropriate certified vendor technology. Fourteen percent said “other.”

December 31, 2012 | Written by Anne Zieger