
Google Glass’ Impact on Healthcare

In today’s #HITsm chat one of the topics brought up the impact of Google Glass on healthcare. I provided a few insights into Google Glass (Yes, I own a Google Glass and so I can speak first hand on it) that I thought would be beneficial to others.


I believe Google Glass will have a powerful role in the hospital. However, it won’t be ubiquitous. It’s not like you’ll get hired at a hospital and be issued your access card and a pair of Google Glass (Yes, Glass could be your access card, but that’s an expensive access card). With that said, Google Glass will find some incredibly powerful uses and become an indispensable part of many hospital workflows.


While this post has been about Google Glass, I think Google Glass represents a whole class of eyewear technologies that are coming to market. I’m not sure that Google Glass will win that market, but they’re definitely the ones that defined the market, and that’s why we talk about them. Watch for other competitors that do something similar but might actually become the dominant leader in eyewear technology.


I agree that Google Glass and other related technologies have their own HIPAA privacy and security issues. However, they can be made to be as HIPAA compliant and secure as any other device. The form factor doesn’t really change the privacy and security. It’s what you do with the device and how you implement the software on the device which determines the HIPAA compliance of the product.

March 28, 2014 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 15 blogs containing almost 5000 articles with John having written over 2000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 9.3 million times. John also recently launched two new companies: InfluentialNetworks.com and Physia.com, and is an advisor to docBeat. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and Google Plus.

A HIPAA Compliance Dashboard

One of the interesting announcements coming out of HIMSS was a HIPAA Compliance Dashboard that was announced by INetU. The concept of a dashboard that shows you your HIPAA compliance is fascinating for me. The key question I’ve asked myself is can HIPAA compliance be automated into a dashboard?

Here’s a look at the HIPAA Compliance Dashboard they’ve created:


INetU claims that the dashboard will keep track of both the business associate’s (in this case INetU’s) HIPAA compliance and the covered entity’s compliance with HIPAA. I need to dig into it some more, but I’d love to hear from some other HIPAA experts out there. Aren’t there pieces of HIPAA compliance that can’t be automated into a dashboard? I’d love to be proven wrong.

I also think the Dashboard is a nice building block for doing security beyond just HIPAA. It reminds me of this post titled, “Why HIPAA isn’t Enough to Keep Patient Data Secure.” This dashboard could provide a deeper look into security beyond just HIPAA. Although, it makes sense why they’re leading with HIPAA, since organizations don’t mind coughing up money to ensure they’re HIPAA compliant.

What do you think of this idea? Can HIPAA Compliance benefit from a dashboard like this? Of course, this can be taken too far as well. We don’t need CIOs who become complacent because the dashboard says “HIPAA Compliant.”

March 26, 2014 | Written By


To-Do List for Making Your Mobile Devices HIPAA Compliant

The following is a guest blog post by Joe Grettenberger, HIPAA Security Analyst with HIPAA One.
Mobile device use in the workplace is becoming more commonplace today, and this is true with many healthcare professionals. Staff members can now more easily communicate through text message or iChat and quickly look up and share a patient’s health information or status through mobile devices.

But it’s also true that the increased use of mobile devices raises the risk of protected health information being seen or stolen by unauthorized people, which in turn means a greater chance of dealing with HIPAA compliance issues.

Follow these steps below to ensure your healthcare business and its mobile devices are HIPAA compliant.

  1. Perform a mobile device environment inventory (including all applications, ICT services & security services expected) and risk assessment that includes system threat models per SP 800-124 R1.
  2. Create an “approved mobile device” policy for the company that specifies what approved mobile devices are.
  3. Configure applications and systems that make up the mobile device environment (client & server side) and the mobile devices themselves per the policy (e.g. disable USB ports on laptops & desktops that connect to the company network, lock mobile device SIM cards, etc. See more suggestions below.)
  4. Carefully evaluate current solutions and add mobile device management and mobile device protection software that make sense.
  5. Run a pilot, test it and roll out when the risks are acceptable.
  6. Educate/train users on their portion (their responsibilities) of mobile device security.
  7. Monitor the policy.
  8. Enforce the policy with appropriate sanctions for mobile device security incidents.

Additional suggestions to step 3 are:

Use and activate a phone passcode or some other type of user authentication. All mobile devices allow for a password, PIN, or passcode to be set up before a user can access that device. Typing that information in provides user authentication for that device. Make sure your password, PIN, or passcode is strong so it’s hard for someone to guess it. It’s also wise to keep it a secret and not store it in your mobile device. You can also set up a screen lock so your device locks and requires inputting your user authentication again after a short amount of time of not being used. Doing these things prevents unauthorized access to your mobile device.

Set a required login for apps and research each app before downloading. Some apps save your information after you’ve logged in once, which is convenient because you don’t have to input that information every time you open it. But that also makes it easier for someone who gains access to your phone to gain access to protected health information. Any app you use that stores or delivers this private data should have its settings set to require a login each time you try and open the app. Be sure to also research apps before you download and install them on your mobile device. Verify that each app only performs functions you agree to so you don’t put yourself or your healthcare company at risk.

Install and authorize encryption. Encryption converts your data into a form that can’t be read without a password or the decryption key. You can encrypt data that’s stored on and sent by your mobile device. If your mobile device has an encryption capability, then enable it. If it doesn’t, then download an encryption app. To protect data sent to your device, use a secure browser connection or a virtual private network. When you encrypt data on your mobile device, you prevent unauthorized access to that data.

Install and activate remote wiping or disabling. Remote wiping lets you erase data on your mobile device remotely if for any reason it gets lost or stolen. Remote disabling lets you remotely lock your device or erase the data stored on that device. If and when you recover your device, you have the ability to unlock it with remote disabling. Using one or both of these security tools is quite valuable. No one plans on losing or having their mobile device stolen, but sometimes it happens, and with these security tools you’re able to safeguard any protected data on your device.

Install and enable a personal firewall and security software. A firewall protects your mobile device against unauthorized connections. It intercepts any incoming or outgoing connection attempt and then blocks or permits each attempt based on certain guidelines. Security software protects your device against any malicious software, such as viruses and malware. Make sure to keep your software up to date though. You can enable a personal firewall and security software if your mobile device has them, or you can download and install both if needed. These protect the private health information on your phone and help keep certain information from being accessed by the wrong person.

Keep physical control of your mobile device. Because mobile devices are smaller in size and easily portable, they’re also easily lost or stolen. To keep your device and the confidential information on it secure, always try and keep it with you, don’t let others use it, and keep it safely put away when you’re not using it. All these things help with the prevention of unauthorized user access to your mobile device and the data on it.

Mobile device use with healthcare professionals is only going to continue rising, so it’s extremely important to take all the necessary measures to safeguard your patients’ health information with all mobile phones, tablets and laptops. Following this to-do list will make sure your mobile device is HIPAA compliant, and it will keep you, your mobile device, your healthcare company, and all your patients’ health information protected.

Also see OWASP’s Top 10 Mobile Controls and Design Principles:

https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Controls

Extra: The following recommendations are adapted from the 2012 CIS Google Android 4 Benchmark:

  1. Update ‘firmware’ to latest version
  2. Enable ‘password’
  3. Enable ‘Require alphanumeric value’
  4. Set ‘timeout…’ for ‘Sleep’ after 5 seconds
  5. Remove Entries in ‘Wi-Fi’
  6. Disable ‘Network Notification’
  7. Disable ‘Wi-Fi’ where unnecessary
  8. Disable ‘Bluetooth’ where unnecessary
  9. Disable ‘Location Services’ where unnecessary
  10. Enable ‘Airplane Mode’ where signal reception is unnecessary
  11. Erase all data before return, recycle, reassignment, or other disposition
  12. Disable ‘Notifications’
  13. Enable ‘Lock SIM card’
  14. Disable ‘make passwords visible’
  15. Enable ‘Encrypt phone’
  16. Disable ‘developer options’
  17. Disable ‘Unknown sources’
  18. Limit the ‘number of messages’ for ‘Text message limit’
  19. Limit the ‘number of messages’ for ‘Multimedia message limit’
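Step 7 of the to-do list (“Monitor the policy”) and the benchmark items above can be turned into an automated check, which is also what the HIPAA Compliance Dashboard discussed earlier hints at. The following is an added example, not HIPAA One’s or CIS’s tooling: it evaluates a constructed device inventory against a hypothetical subset of the benchmark items (the `Device` fields, check names and sample devices are all assumptions), and reports which items each device fails.

```python
from dataclasses import dataclass

@dataclass
class Device:
    """One row of the mobile device inventory (step 1 of the to-do list).
    Field names are assumptions for this example."""
    name: str
    firmware_current: bool      # item 1
    password_set: bool          # item 2
    alphanumeric_required: bool # item 3
    sleep_timeout_s: int        # item 4 (page value: sleep after 5 seconds)
    sim_locked: bool            # item 13
    encrypted: bool             # item 15
    developer_options: bool     # item 16 (must be off)
    unknown_sources: bool       # item 17 (must be off)

# Policy as data: (benchmark item, predicate that is True when compliant).
CHECKS = [
    ("1 firmware latest", lambda d: d.firmware_current),
    ("2 password enabled", lambda d: d.password_set),
    ("3 alphanumeric required", lambda d: d.alphanumeric_required),
    ("4 sleep timeout <= 5s", lambda d: d.sleep_timeout_s <= 5),
    ("13 SIM card locked", lambda d: d.sim_locked),
    ("15 phone encrypted", lambda d: d.encrypted),
    ("16 developer options off", lambda d: not d.developer_options),
    ("17 unknown sources off", lambda d: not d.unknown_sources),
]

def evaluate(device: Device) -> list[str]:
    """Return the benchmark items this device fails (empty list = compliant)."""
    return [item for item, ok in CHECKS if not ok(device)]

def report(inventory: list[Device]) -> dict[str, list[str]]:
    """Dashboard-style summary: device name -> list of failed items."""
    return {d.name: evaluate(d) for d in inventory}

# Constructed sample inventory (hypothetical devices, not real data).
INVENTORY = [
    Device("nurse-tablet-01", True, True, True, 5, True, True, False, False),
    Device("oncall-phone-07", True, True, False, 30, False, True, True, True),
]

if __name__ == "__main__":
    for name, failures in report(INVENTORY).items():
        print(f"{name}: " + ("COMPLIANT" if not failures else "FAIL: " + ", ".join(failures)))
```

In practice the inventory rows would be populated from the mobile device management software chosen in step 4, and the failures list is what the sanctions in step 8 would act on.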

About The Author
Joe Grettenberger is a HIPAA Security Analyst with HIPAA One. Joe has over 25 years experience as an IT Assurance professional, with 8 years of technology auditing experience both in the public and private sectors. Joe is a certified information systems auditor (CISA) and compliance & ethics professional (CCEP). For more information about HIPAA One, please visit their website.

March 3, 2014 | Written By

The CIO’s Guide to HIPAA Compliant Text Messaging

Yesterday I wrote a piece on EMR and EHR where I talk about why Secure Text Messaging is Better Than SMS. I think it makes a solid case for why every organization should be using some sort of secure text messaging solution. Plus, I do so without trying to use fear of HIPAA violations to make the case.

However, you can certainly make the case for a secure text messaging solution in healthcare based on HIPAA compliance. In fact, the people at Imprivata have essentially made that case really well in their CIO Guide to HIPAA Compliant Text Messaging. This is well worth a read if you’re in a healthcare organization that could be at risk for insecure texting (yes, that’s every organization).

They break down the path to compliance into 3 steps:

  1. Policy – Establish an organizational policy
  2. Product – Identify an appropriate text messaging solution
  3. Practice – Implement and actively manage the text messaging solution.

Texting is a reality in hospitals today and the best solution isn’t suppression, but enabling users with a secure solution. The checklists in the CIO Guide to HIPAA Compliant Text Messaging provide a great foundation for making sure your organization is enabling your users in a HIPAA compliant manner.

January 15, 2014 | Written By


The Cloud and Hospitals

Let’s talk about The Cloud and Hospitals for a minute. At a session I attended at CHIME a hospital CIO said, “There’s still a lot of unknown with cloud.”

At first I was a little taken aback by the comment. As an IT guy, it seems like the cloud has been around forever. Plus, I would bet that every single hospital has a number of cloud-based IT systems in their IT environment.

What then could be the unknown issues with the cloud that this CIO was talking about?

I found this really great resource on the IBM website about the cloud and healthcare. They hit on what is probably the biggest unknown with the cloud, HIPAA. Here’s a section which describes why it’s such an unknown.

Cloud providers hold a unique position as BAs entrusted with EPHI. When HIPAA was enacted, the concept of “the cloud” didn’t exist and probably could not have been predicted. Covered entities and other BAs are increasingly choosing to store health information in the cloud.

Then he adds in these cloud challenges:

Transferring data to the cloud comes with unique issues that complicate HIPAA compliance for covered entities, traditional BAs, and now cloud providers themselves. They include issues of control, access, availability, shared multitenant environments, incident preparedness and response, and data protection.

All of these should provide any hospital CIO a moment of pause. As another hospital CIO I talked with said, “we’re still doing the cloud, but we are careful about who we work with in the cloud and how we do it.”

I think this will be the reality for the foreseeable future. It takes a really well-developed, trusted relationship for a hospital to trust a cloud provider. In the small ambulatory practice space it’s very different, since there’s little doubt that the cloud provider can do much better than your neighborhood tech guy. However, this is not the case in hospitals, where the decision between using the cloud and your existing in-house IT staff and resources is much more complex.

The reality is that every hospital is likely going to have a mixed hosting strategy with some software hosted in house and some software hosted in the cloud. This means that every hospital CIO is going to have to figure out the cloud even if there’s still some difficult to answer questions.

November 1, 2012 | Written By
