
To-Do List for Making Your Mobile Devices HIPAA Compliant

Posted on March 3, 2014 | Written By

The following is a guest blog post by Joe Grettenberger, HIPAA Security Analyst with HIPAA One.
Mobile device use in the workplace is becoming more commonplace today, and this is true with many healthcare professionals. Staff members can now more easily communicate through text message or iChat and quickly look up and share a patient’s health information or status through mobile devices.

But increased use of mobile devices also raises the risk that protected health information will be seen or stolen by unauthorized people, which in turn means an increased chance of dealing with HIPAA compliance issues.

Follow the steps below to ensure your healthcare business and its mobile devices are HIPAA compliant.

  1. Perform a mobile device environment inventory (including all applications, ICT services & security services expected) and risk assessment that includes system threat models per NIST SP 800-124 Rev. 1.
  2. Create an “approved mobile device” policy for the company that specifies what approved mobile devices are.
  3. Configure the applications and systems that make up the mobile device environment (client & server side) and the mobile devices themselves per the policy (e.g. disable USB ports on laptops & desktops that connect to the company network, lock mobile device SIM cards, etc.). See more suggestions below.
  4. Carefully evaluate current solutions and add mobile device management and mobile device protection software that make sense.
  5. Run a pilot, test it and roll out when the risks are acceptable.
  6. Educate/train users on their portion (their responsibilities) of mobile device security.
  7. Monitor the policy.
  8. Enforce the policy with appropriate sanctions for mobile device security incidents.

Additional suggestions for step 3:

Use and activate a phone passcode or some other type of user authentication. All mobile devices allow for a password, PIN, or passcode to be set up before a user can access that device. Typing that information in provides user authentication for that device. Make sure your password, PIN, or passcode is strong so it’s hard for someone to guess it. It’s also wise to keep it a secret and not store it in your mobile device. You can also set up a screen lock so your device locks and requires inputting your user authentication again after a short amount of time of not being used. Doing these things prevents unauthorized access to your mobile device.

Set a required login for apps and research each app before downloading. Some apps save your information after you’ve logged in once, which is convenient because you don’t have to input that information every time you open it. But that also makes it easier for someone who gains access to your phone to gain access to protected health information. Any app you use that stores or delivers this private data should have its settings set to require a login each time you try and open the app. Be sure to also research apps before you download and install them on your mobile device. Verify that each app only performs functions you agree to so you don’t put yourself or your healthcare company at risk.

Install and authorize encryption. Encryption converts your data into a form that can’t be read without a password or the decryption key. You can encrypt data that’s stored on and sent by your mobile device. If your mobile device has an encryption capability, then enable it. If it doesn’t, then download an encryption app. To protect data sent to your device, use a secure browser connection or a virtual private network. When you encrypt data on your mobile device, you prevent unauthorized access to that data.

Install and activate remote wiping or disabling. Remote wiping lets you erase data on your mobile device remotely if for any reason it gets lost or stolen. Remote disabling lets you remotely lock your device or erase the data stored on that device. If and when you recover your device, you have the ability to unlock it with remote disabling. Using one or both of these security tools is quite valuable. No one plans on losing or having their mobile device stolen, but sometimes it happens, and with these security tools you’re able to safeguard any protected data on your device.

Install and enable a personal firewall and security software. A firewall protects your mobile device against unauthorized connections. It intercepts any incoming or outgoing connection attempt and then blocks or permits each attempt based on certain guidelines. Security software protects your device against any malicious software, such as viruses and malware. Make sure to keep your software up to date though. You can enable a personal firewall and security software if your mobile device has them, or you can download and install both if needed. These protect the private health information on your phone and help keep certain information from being accessed by the wrong person.

Keep physical control of your mobile device. Because mobile devices are smaller in size and easily portable, they’re also easily lost or stolen. To keep your device and the confidential information on it secure, always try and keep it with you, don’t let others use it, and keep it safely put away when you’re not using it. All these things help with the prevention of unauthorized user access to your mobile device and the data on it.

Mobile device use with healthcare professionals is only going to continue rising, so it’s extremely important to take all the necessary measures to safeguard your patients’ health information with all mobile phones, tablets and laptops. Following this to-do list will make sure your mobile device is HIPAA compliant, and it will keep you, your mobile device, your healthcare company, and all your patients’ health information protected.

Also see OWASP’s Top 10 Mobile Controls and Design Principles:

https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Controls

Extra: The following recommendations are adapted from the 2012 CIS Google Android 4 Benchmark:

  1. Update ‘firmware’ to latest version
  2. Enable ‘password’
  3. Enable ‘Require alphanumeric value’
  4. Set ‘timeout…’ for ‘Sleep’ after 5 seconds
  5. Remove Entries in ‘Wi-Fi’
  6. Disable ‘Network Notification’
  7. Disable ‘Wi-Fi’ where unnecessary
  8. Disable ‘Bluetooth’ where unnecessary
  9. Disable ‘Location Services’ where unnecessary
  10. Enable ‘Airplane Mode’ where signal reception is unnecessary
  11. Erase all data before return, recycle, reassignment, or other disposition
  12. Disable ‘Notifications’
  13. Enable ‘Lock SIM card’
  14. Disable ‘make passwords visible’
  15. Enable ‘Encrypt phone’
  16. Disable ‘developer options’
  17. Disable ‘Unknown sources’
  18. Limit the ‘number of messages’ for ‘Text message limit’
  19. Limit the ‘number of messages’ for ‘Multimedia message limit’
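
Monitoring the policy (step 7) means checking what devices actually report against a baseline like the one above. The following is an added example, not code from the post or from CIS: it audits a constructed MDM inventory export against the device-side items in the list. The attribute names (`passcode_enabled`, `approved_exceptions`, and so on) and the minimum OS release are assumptions to be mapped to whatever your MDM exports.

```python
from typing import Any, Callable, NamedTuple


class Rule(NamedTuple):
    item: str                      # checklist item, as worded in the list above
    field: str                     # hypothetical inventory attribute name
    passes: Callable[[Any], bool]  # True when the reported value satisfies the item
    waivable: bool = False         # "where unnecessary" items may be exempted per device


def parse_version(text: str) -> tuple:
    """'4.4.2' -> (4, 4, 2); numeric compare, so '4.10' ranks above '4.4'."""
    return tuple(int(part) for part in text.split("."))


# Assumption: the organisation defines "latest" as a minimum acceptable release.
MIN_OS = parse_version("4.4.4")


def firmware_ok(value: Any) -> bool:
    try:
        return parse_version(value) >= MIN_OS
    except (AttributeError, ValueError):
        return False  # unparseable or non-string versions fail rather than pass


def is_on(value: Any) -> bool:
    return value is True   # strict: the string "true" or the number 1 does not count


def is_off(value: Any) -> bool:
    return value is False


RULES = [
    Rule("Update 'firmware' to latest version", "os_version", firmware_ok),
    Rule("Enable 'password'", "passcode_enabled", is_on),
    Rule("Enable 'Require alphanumeric value'", "passcode_alphanumeric", is_on),
    Rule("Disable 'Wi-Fi' where unnecessary", "wifi_enabled", is_off, waivable=True),
    Rule("Disable 'Bluetooth' where unnecessary", "bluetooth_enabled", is_off, waivable=True),
    Rule("Disable 'Location Services' where unnecessary", "location_enabled", is_off, waivable=True),
    Rule("Enable 'Lock SIM card'", "sim_lock", is_on),
    Rule("Disable 'make passwords visible'", "passwords_visible", is_off),
    Rule("Enable 'Encrypt phone'", "storage_encrypted", is_on),
    Rule("Disable 'developer options'", "developer_options", is_off),
    Rule("Disable 'Unknown sources'", "unknown_sources", is_off),
]


def audit_device(device: dict) -> list:
    """Return the list of baseline findings for one inventory record."""
    waived = set(device.get("approved_exceptions", []))
    findings = []
    for rule in RULES:
        # Exemptions are honoured only for the "where unnecessary" items.
        if rule.waivable and rule.field in waived:
            continue
        if rule.field not in device:
            # Fail closed: a setting the device does not report is not compliant.
            findings.append(f"{rule.item}: not reported (treated as failing)")
        elif not rule.passes(device[rule.field]):
            findings.append(f"{rule.item}: found {device[rule.field]!r}")
    return findings


def audit_inventory(inventory: list) -> dict:
    return {device["device_id"]: audit_device(device) for device in inventory}


# Constructed sample inventory (not real devices).
COMPLIANT = {
    "os_version": "4.4.4", "passcode_enabled": True, "passcode_alphanumeric": True,
    "wifi_enabled": False, "bluetooth_enabled": False, "location_enabled": False,
    "sim_lock": True, "passwords_visible": False, "storage_encrypted": True,
    "developer_options": False, "unknown_sources": False,
}
INVENTORY = [
    # Bluetooth is on, but an exemption has been approved for this device.
    {**COMPLIANT, "device_id": "TAB-001", "bluetooth_enabled": True,
     "approved_exceptions": ["bluetooth_enabled"]},
    # Old firmware, encryption state missing, and a waiver on a non-waivable item.
    {**{k: v for k, v in COMPLIANT.items() if k != "storage_encrypted"},
     "device_id": "PHN-002", "os_version": "4.4.2", "unknown_sources": True,
     "approved_exceptions": ["unknown_sources"]},
]

if __name__ == "__main__":
    for device_id, findings in audit_inventory(INVENTORY).items():
        print(device_id, "COMPLIANT" if not findings else "NON-COMPLIANT")
        for finding in findings:
            print("   -", finding)
```
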

About The Author
Joe Grettenberger is a HIPAA Security Analyst with HIPAA One. Joe has over 25 years experience as an IT Assurance professional, with 8 years of technology auditing experience both in the public and private sectors. Joe is a certified information systems auditor (CISA) and compliance & ethics professional (CCEP). For more information about HIPAA One, please visit their website.

Market For Wireless Health Tracking Technology To Double Over Next Four Years

Posted on January 22, 2014 | Written By

Anne Zieger is a veteran healthcare editor and analyst with 25 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

Wondering where the market for wireless tracking devices for patients is going? According to market research firm BCC Research, the market should explode over the next four years, doubling from $9.6 billion in 2012.

The research firm is projecting that the market for such technology will climb at a five-year compound annual growth rate of 16.1 percent between 2013 and 2018.

What technologies are they talking about? Well, it’s a pretty long list, including blood glucose meters, blood pressure monitors, pulse oximetry, stress monitoring devices, pediatric growth trackers and peak flow meters. According to the report, these devices will access a variety of wireless protocols, including 3G, RFID, and Zigbee. (They don’t mention Bluetooth, but it will certainly be part of the mix as well.)

As BCC sees it, these devices are poised not only to streamline data collection and storage options, but also to provide important analytical data inside and outside the hospital setting. The firm argues that such information is extremely useful in tracking patient health, providing alerts and encouraging adherence to medication regimens.

As I see it, there’s a major divide emerging between those who see these devices and the data they deliver as central to future healthcare, and others — notably EMR-scarred doctors — who feel that they’ll be swamped with data they have no time to parse or work with.

As I’ve mentioned before, I’m doubtful that this cornucopia of data will do the good it can until some sort of middleware emerges to filter this incoming tidal wave of data. But I do think we’ll find a solution soon enough, and then these devices will really shine.

Deploying WiFi For Clinicians, Hospital Guests A Complex Problem

Posted on December 3, 2013 | Written By Anne Zieger

These days, offering WiFi for both hospital visitors and clinicians is pretty much de rigueur. The problem is, clinicians need different things from their Wi-Fi connection than consumers do. And as a recent story in Healthcare IT News notes, that can make it difficult to keep up with everyone’s demands.

According to Ali Youssef, senior clinical mobile solutions architect at Detroit-based Henry Ford Health System, maintaining a wireless network that suits everyone’s needs is a “moving target.”

Youssef was responsible for planning and implementing the HFHS wireless network, which included expanding coverage from 4 million to 8 million square feet. What’s more, the network rollout had to take into account the needs of the HFHS enterprise EMR system, according to the HIN piece.

For Youssef, one of the most difficult problems health IT managers face in this situation is provisioning bandwidth appropriately to all the different types of devices that will share the bandwidth.

Not surprisingly, Youssef believes that one of the most important ways to see that everyone has enough bandwidth is regular contact with the system’s clinicians.

In some situations, clinicians may need far more bandwidth than the IT department had anticipated, for example, where a clinician is launching a new project fueled by grant money, notes the Healthcare IT News piece. (We’re also increasingly seeing a growing list of wireless medical devices, such as wireless glucometers, edge into mainstream clinical care.)

To cope with these rapidly changing demands, Youssef recommends planning for a high level of wireless system redundancy and conducting site surveys.

And in what may be a more difficult challenge, he recommends that network architects keep continuous tabs on what types of devices are going to be used, and test them to see how they behave on their health system’s network.

Youssef didn’t offer any detailed advice on how to accommodate hospital visitors in this story, but clearly, they will pose a significant challenge to any hospital network architect as well.

Particularly as apps become part of patients’ health system experience, network architects will need to bear consumer experience of the network in mind as well. It will be interesting to see, over the next few years, whether consumer wireless health use demands a fresh approach to network architecture generally.

HIMSS: The FDA Should Tread Carefully With Health IT Oversight

Posted on November 12, 2013 | Written By Anne Zieger

Of late, the FDA has been looking into how it will regulate health IT generally, and EMRs especially, under the authority of the Food and Drug Administration Safety Innovation Act of 2012. This, of course, has the vendor community very nervous, as they’re not eager to have an agency as powerful as the FDA breathing down their neck.

In an effort to soften the blow somewhat, the chairman and CEO of HIMSS have written a letter to HHS outlining why health IT products, especially EMRs, have unique functions and requirements.

In the letter, they argue that any regulatory efforts that are made should have the following characteristics:

• Holistic Approach: Any regulatory or oversight framework should recognize that health IT is part of a complex patient care ecosystem involving providers, product developers, vendors, a wide array of use cases, and consumers as patients and caregivers.
• Shared Responsibility: The safety and efficacy of health IT as it fits within the patient care system can be enhanced through non-punitive surveillance and reporting systems based on mutual trust and shared responsibility by all participants.
• Clear Oversight Direction: Clear and consistent guidance regarding proposed regulatory and/or oversight activity is essential to ensure that health IT can continue to provide the innovation and tools necessary to achieve the patient safety and quality improvement goals, and cost efficiencies sought by all stakeholders.
• Role of Intended Use/Functionality: Regulation and oversight actions should be based on the intended purpose and intended user of a particular product or service.

Cutting a nice wide path for EMRs and related clinical data systems, HIMSS argues that health IT products largely used for transmission, storage and management of data should not be considered medical devices. The execs also argue that there’s a big difference between products which are “integral to the functioning of a medical device,” and those that communicate with such devices. (While there’s definitely a move on to integrate EMRs and medical devices, progress has been scant to date.)

We’ll see how successful HIMSS was at shaping the FDA’s expectations next year, when the agency releases a joint report outlining its strategy in cooperation with the FCC and ONC.

In the meantime, the three agencies have formed a workgroup under the ONC’s HIT Policy Committee which will provide recommendations to the Health IT Policy Committee. If you’re as worried as HIMSS is, and there’s no reason not to be, the workgroup may offer a chance to make your voice heard. Getting involved, or at least commenting on draft report docs, is probably a good idea.

mHealth Technology Market Exploding

Posted on June 13, 2013 | Written By Anne Zieger

Driven largely by the growth in remote patient monitoring, the mobile health market is expanding rapidly, with the global market expected to reach $10.2 billion USD by 2018, according to Transparency Market Research.

According to TMR, the global mHealth market added up to just $1.3 billion in 2012, but should grow at a compound annual growth rate of 41.5 percent through 2018, with monitoring services contributing heavily to the total.

According to the researchers, the global mHealth market’s explosion is being driven by factors such as growing adoption of smartphones and the rising incidence of chronic diseases. Also, the incredible growth in the availability of smartphone applications has created new channels for communication between patients and healthcare providers, a connection which further feeds the emergence of new applications.

According to TMR’s analysis, remote monitoring services currently make up the largest share of the global mHealth market, or about 63 percent, followed by diagnostic services and healthcare systems strengthening. And monitoring services will continue to be the fastest growing segment in global mHealth, given this technology’s ability to help ameliorate acute conditions such as coronary artery disease, hypertension, and congestive heart failure, the group notes.

These findings are underscored by related figures from Kalorama Information, which just released a report tagging the telemedicine patient monitoring market as having grown from $4.2 billion in 2007 to over $10 billion in 2012.

While they are clearly engaged in some forms of remote monitoring here and there, this approach is still at an early stage for most hospitals, as reimbursement for hospital-based remote monitoring is scant or non-existent in some cases, Kalorama notes.

However, the home healthcare and remote location health monitoring markets are already well-positioned to grow, and are poised to expand using wireless, handheld and ambulatory devices that replace older monitoring equipment, Kalorama researchers say.

Technologies Hospital Leaders Should Watch

Posted on March 29, 2013 | Written By Anne Zieger

Courtesy of non-profit research house the ECRI Institute, here are some of the technologies that they believe hospital C-suite execs should be watching this year. This list was generated by ECRI’s in-house analysts, reports HealthLeaders. Not all of these are directly related to EMR/EHR technology, but we’ve included a few that might be of interest on the broader HIT level.

* Electronic Health Records: This is so obvious it hardly bears mentioning, but yes, EHRs are number one on the list. ECRI notes that execs should beware of possible patient harm in the effort to achieve Meaningful Use, as some HIT-related errors are emerging that can lead to serious care issues.

* mHealth: Mobile applications are becoming an increasingly commonplace part of health IT infrastructure, but managing them effectively isn’t as simple as download-install-use. This is likely to be the year hospitals need to get it right.

* Alarm Integration Technology: Alarm fatigue has been and continues to be a major issue for clinicians, with some critical care docs experiencing 350 alarms per patient per day. Increasingly, alarm integration systems are being implemented which send alerts to phones or pagers, leading to more controllable alerts and quieter environments.

* Imaging and Surgery: ORs are increasingly hosting full-scale angiography systems to help guide high-risk minimally invasive surgery, as well as guiding combined open and minimally invasive surgery and verifying successful surgical completion. These hybrid ORs are expensive but have arguably improved results.

* PET/MR: The PET/MR scanner is beginning to emerge as a new mainstay in oncology, improving on the results delivered for years by the hybrid PET/CR. The PET/MR offers greater detail, helping physicians detect cancers and tumors.

I would have expected to see something on the data analytics technology front to appear this year, but it was absent from the list. I might also have expected to see cloud solutions turn up, but again, not this year.  What technologies would you add to this list?

Making Devices Interoperable Offers $30B Savings Opportunity

Posted on March 25, 2013 | Written By Anne Zieger

Right now, it’s a hit and miss thing whether hospital medical devices can talk to each other or connect with the facility’s EMR. A lack of standards — and money for next-gen devices — has made such interoperability a very tough job. But getting the job done is worth the trouble, a new story in iHealthBeat suggests.

At present, patients in hospitals are treated with six to 12 medical devices in a typical intensive care unit, including defibrillators, electrocardiographs, vital sign monitors, ventilators and infusion pumps, typically from a mix of manufacturers, notes West Health Institute. Because these devices aren’t inherently interoperable, hospitals spend big on IT infrastructure to connect them.

There’s plenty of reason to make them connect, however. A study by West Health has concluded that if the industry could improve medical device interoperability and adhere to interoperability standards, it could shave $30 billion off of U.S. healthcare costs. According to the report, the U.S. spends $36 billion each year on “addressable waste” resulting from a lack of medical device interoperability. The savings the U.S. could realize break down as follows, iHealthBeat reports:

  • $17.8 billion from higher treatment capacity that would result from shorter hospital stays
  • $12.3 billion from increased clinician productivity
  • $3 billion from reducing the cost of providing care
  • $2 billion from reducing adverse events
  • $1.2 billion from wider adoption of interoperability standards

But getting to the point where interoperability is common could take a long time, according to West Health’s Joseph Smith, who recently testified on the Hill on this subject. Right now, only one-third of hospitals using six or more medical devices that can be integrated with EMRs have actually done the integration work, Smith told a House subcommittee.

What’s more, vendors will need to invest in R&D to turn out next-gen interoperable devices, a cost that will be at least partly absorbed rather than passed on to the buyer, Smith noted.

Video Demo of Metro’s Point-of-Care Technologies at HIMSS13

Posted on March 21, 2013 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 6000 articles with John having written over 3000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 13 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit.

One of my goals at HIMSS is to try and give those who can’t attend HIMSS a chance to get a taste of what the experience of visiting the HIMSS exhibit hall floor is like. I’d been doing some writing for Metro on their Point of Care blog recently, and so I took the chance at HIMSS to film Erik VanLaningham doing a demo of some of the Metro point-of-care hospital solutions. It’s a quick video that shows a nice look into BCMA and point of care technologies in action.

Remote Patient Monitoring Going Mainstream

Posted on January 31, 2013 | Written By Anne Zieger

This week I read a piece of news which suggests to me that we’re seeing a turning point in the use of remote monitoring technology to manage patients. It looks like AT&T is taking a major public position in support of remote monitoring via the cloud, via a partnership with a hot new startup that just raised funding, according to a report in mobihealthnews.

According to the mobile health news publication, cloud-based patient monitoring company Intuitive Health just got a $3.4 million investment in what appears to be the company’s first public round of investment.

Intuitive, which completed a pilot with health system Texas Health Resources and AT&T last year, offers cloud-based remote monitoring software which can interface with any device.

The pilot involved monitoring CHF patients remotely for 90 days using wireless pulse oximeters, blood pressure cuffs and weight scales, plus tablets and apps feeding the data to the patients’ EMR records. During the pilot, THR reduced hospital readmissions for chronic heart failure patients by 27 percent, mobihealthnews reports.

According to a press release from AT&T, Intuitive’s software has since become a key component in the telecom giant’s own SaaS patient monitoring product.

Remote monitoring has been a hot topic of discussion and an emerging approach for several years, but hasn’t found an established place in day-to-day care for most institutions.  With AT&T and Intuitive offering a device-agnostic model, however, I believe they will give a boost to the use of remote monitoring generally.

Personally, I’ve been cheering for remote monitoring to succeed for some time; after all, given how mobile-device-oriented people are anyway, it just makes sense to leverage those capabilities to improve their health.  I hope this represents a turning point for this type of technology and that we see news of more successful pilots this year.

iPad App Helps Patients Understand Inpatient Care Process

Posted on January 14, 2013 | Written By Anne Zieger

During an inpatient stay, patients usually have contact with a large number of professionals, including doctors, nurses, x-ray techs, phlebotomists and more. Without help, however, patients often lose track of who’s delivering their care, forget to ask key questions and generally fail to understand the process of helping them get well.

At Boston Children’s Hospital, they’re hoping to solve the problem with a new iPad app that guides patients through their care process and makes it easy for them to communicate with clinicians. The app, MyPassport, pulls data from the hospital’s Epic and Power Chart apps and displays it in a way which helps patients stay on top of their care process.  It also prepares them for discharge and arms them with home care instructions.

The idea for MyPassport came from a paper booklet which the hospital assembled manually, adding pictures and titles for every care team member as well as pages for lab test results and summaries.  The paper book, which also offered a place for patients to write questions for their providers and information about discharge, was helpful to patients, but took a lot of effort to maintain.

The notion of transforming the paper booklet into an iPad app was spearheaded by urologist Hiep Nguyen, MD, who won a Boston Children’s FastTrack Innovation in Technology award from the hospital’s Innovation Acceleration program to create it.

Not only does the app make it easier for patients to ask questions of clinicians — or in this case, parents of patients — through an instant message-like utility, it also displays lab values in a simple format understandable by caregivers/parents. MyPassport also offers a list of goals a given patient should meet to be ready to go home.

I don’t know about you, readers, but I think this is an excellent idea. Helping patients and caregivers understand and coordinate the process of care, know their clinicians and plan for discharge is a really great use of iPad technology. While the app is undergoing a small pilot now, expect to see MyPassport or other apps like it turn up elsewhere soon. Good show, folks.