
Rate Of Healthcare Ransomware Attacks Falls In First Half of 2018

Posted on July 12, 2018 | Written By

Anne Zieger is a veteran healthcare branding and communications expert with more than 25 years of industry experience. Her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also worked extensively with healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

Most research I’ve read lately suggests that the rate of healthcare cyberattacks is at an all-time high, and that ransomware is leading the parade.

But is that really true? Maybe not. A new security report has concluded that the rate of ransomware attacks on healthcare organizations actually fell during the first half of this year, and what’s more, that such attacks trended lower during the same period.

The study, which comes from security firm CryptoniteNXT, notes that cybercriminals target healthcare because they can fetch great prices for the data by reselling it on the dark web. Also, given the complexity of healthcare networks and the high number of vulnerabilities in those networks, thieves see providers as a fat and easy target.

However, when it comes to ransomware, the landscape may be changing. CryptoniteNXT found that the number of ransomware attacks impacting over 500 patient records dropped from 19 major data breaches in the first half of 2017 to 8 major breaches in the first half of 2018. That’s an impressive 57% decrease.

The biggest reported IT/hacker-driven records breach hit LifeBridge Health, affecting 538,127 individuals. Other organizations targeted included academic medical centers, medical practices, ambulatory surgical centers, health plans and government agencies.

Meanwhile, the rate of ransomware attacks as a percentage of IT/hacking events has fallen substantially, from 30.16% during the first half of 2017 to 13.6% during the first half of this year.

On the other hand, the volume of patients affected has climbed. Roughly 1.9 million patient records were breached in the first half of this year, compared with 1.7 million records the first half of 2017 and 1.8 million records the second half of that year, it concludes.

Also, the report notes that ransomware attackers are far from done with the industry. The authors say that ransomware will still pose a “formidable threat” to healthcare organizations and that new variants such as AI-based malware will pose a major threat to healthcare organizations for the next couple of years.

To fend off hacking attacks, CryptoniteNXT recommends adopting new best practices such as moving target cyber defense and network micro-segmentation, which can address the inherent weakness of TCP/IP networks.

Pager Breach Exposes Patient Data From Six Hospitals

Posted on July 6, 2018 | Written By Anne Zieger

The IT worker was shocked. All he had done was buy an antenna and try to get TV channels on his laptop computer, but to his amazement, he inadvertently intercepted a flood of unencrypted pager messages chock full of private patient data.

The pager messages flooded in from six Kansas City area hospitals, including the University of Kansas Hospital, Cass County Regional, Liberty Hospital, Children’s Mercy Hospital, St. Mary’s Medical Center and Wesley Medical Center. All told, the man had gotten access to information on hundreds of patients, in a fusillade of potential HIPAA violations.

According to an article in the Kansas City Star, patients who learned about the breach were horrified. “Who knows what else is going on, if it’s that easy for that information to get out there?” one woman told the newspaper. “There’s a big security breach there that needs to be stopped.”

When the paper spoke to the hospitals involved, some punted and didn’t respond to questions. Others shrugged off the problem or suggested that the breach was not a big deal.

For example, the University of Kansas told the reporter that the pager vulnerability was due to “a specific vulnerability in our paging system that may allow access to certain personal health information in limited circumstances.” It seems that an apology was not forthcoming.

Another hospital, Children’s Mercy, told the Star that the IT worker was to blame for the problem, contending that the pager data was only accessible to “local hackers with specific scanning and decoding equipment — and technical knowledge of how to use it for this specific purpose.” In other words, the breach wasn’t really its fault.

As the article points out, the IT worker could be accused of violating the Electronic Communications Protection Act, which restricts the interception of electronic communications. For that reason, the paper never identifies him. But the article strongly suggests that he was surprised to see the messages and operated in good faith.

The worker, for his part, sensibly argues that the hospitals should have realized that the messages were in the clear. “It’s security by obscurity at this point — and that’s scary,” he told the paper. “In my line of work you see a lot of ‘Let’s hope nobody finds it,’ [or] ‘It’s hard to find, so it’s pretty secure.’ That’s not enough. We can’t just trust people won’t stumble upon it. We have to assume that they do.”

Some Physicians Get Personally Identifiable Information Via Texts Every Day

Posted on June 22, 2018 | Written By Anne Zieger

A new survey has concluded that despite efforts to better protect patient data privacy, a substantial number of providers are still getting unsecured messages that contain patient information.

The survey, which was performed by Black Book Market Research, analyzed replies from 770 hospital-based users and 1279 physician practices. Researchers looked at how care teams were retaining secure communications.

The market research firm found that 30% of respondents received texts that included individually identifiable data every day. This result should curdle the blood of healthcare cybersecurity experts since I’m pretty sure most of these patients haven’t agreed to these unsecured texts.

However, both hospitals and physicians are pressing forward with platforms that protect patient data while linking teams together. The vast majority of respondents (94% of physicians and 90% of hospitals) told Black Book that mobile technology, in particular, could improve patient safety and outcomes.

The majority of respondents (85% of hospitals and 80% of physician practices) reported that they were committed to investing in secure communications platforms capable of tying together care teams, patients and families. And they’re in a hurry. In fact, 96% of hospitals expected to budget for or invest in comprehensive clinical communication platforms before the close of 2018.

That being said, 63% of study respondents said they were finding it difficult to get mobile technology buy-in from colleagues. Actually, that’s not too surprising. If you ask physicians to switch from an easy-to-use, effective tool like texting to an unknown communications platform, they’re likely to resist. They probably understand intellectually why using secure, collaboration-friendly software is a good idea, but the truth is that these platforms might disrupt physicians’ routines substantially.

Meanwhile, 90% of hospitals and 77% of physician practices that participated in the survey said they were using intrusion detection systems and secure email. However, this news isn’t that encouraging, as the majority of existing physician portals already offer secure email, and intrusion detection systems are pretty much a given by current standards.

The truth is, with healthcare data growing more valuable than ever and the threat landscape expanding rapidly, both hospitals and medical practices will need to step up their game substantially if they want to avoid security breaches. Investing in secure communications platforms is good, but it only addresses part of their security problems.

Over the long haul, both hospitals and doctors will have to get better at protecting both their mobile and enterprise data assets. There are good reasons to focus on secure mobile communications now, but providers can’t let it distract them from enterprise-wide security problems.

What? In Some Cases, Additional IT Spending May Not Prevent Breaches

Posted on June 11, 2018 | Written By Anne Zieger

A new research study has come to a sobering conclusion – that investing more in IT security doesn’t necessarily reduce the number of breaches.

The research, which appeared in the MIS Quarterly, looked at how many breaches hospitals experienced relative to their IT security spending. The study authors started with the assumption that hospitals spending more on security would enjoy better protection from breaches.

The researchers assumed that, looked at broadly, some security investments were “symbolic,” making superficial improvements that don’t get to the root of their problem, while others were substantive investments which met well-defined security needs.

After reviewing their data, researchers noted that many classes of hospitals turned out to be symbolic security investors, including members of smaller health systems, older hospitals, smaller hospitals and for-profit hospitals. They also noted that faith-based and less-entrepreneurial hospitals were prone to such investments. The only category of hospitals routinely making substantive security investments was teaching hospitals.

But that’s far from all. Their more controversial conclusions focused on the role of IT security investments in preventing security breaches. In short, their conclusion was pretty counterintuitive.

First, they found that larger IT security investments did not in and of themselves lower the likelihood of security breaches. Not only that, researchers concluded that the benefits of substantive adoption wouldn’t generate greater breach protection over time.

Researchers also concluded that the benefits of substantive IT security adoption by hospitals would take time to be realized. If I’m reading this correctly, mature IT security systems should offer more advantages over time, but not necessarily better breach protection.

Meanwhile, researchers concluded that the negative consequences of symbolic adoption would grow worse over time.

I don’t know about you, but I was pretty surprised by these results. Why wouldn’t substantively increasing security spending reduce the occurrence of breaches within hospitals? It’s something of a head-scratcher.

Of course, the answer to this question may lie in what type of substantive security investment hospitals make. The current set of results suggests, to me at least, that current technologies may not be as good at preventing breaches as they should be. Or maybe hospitals are investing in good technology but not hiring enough IT security experts to get the installation done right. Plus, purchasing security infrastructure can only do so much to stop bad user behavior. The issue deserves further research.

Regardless, this study offers food for thought. The industry can’t afford to do a bad job with preventing breaches.

AHA Asks Congress To Reduce Health IT Regulations for Medicare Providers

Posted on September 22, 2017 | Written By Anne Zieger

The American Hospital Association has sent a letter to Congress asking members to reduce regulatory burdens for Medicare providers, including mandates affecting a wide range of health IT services.

The letter, which is addressed to the House Ways and Means Health subcommittee, notes that in 2016, CMS and other HHS agencies released 49 rules impacting hospitals and health systems, which make up nearly 24,000 pages of text.

“In addition to the sheer volume, the scope of changes required by the new regulations is beginning to outstrip the field’s ability to absorb them,” says the letter, which was signed by Thomas Nickels, executive vice president of government relations and public policy for the AHA. The letter came with a list of specific changes AHA is proposing.

Proposals of potential interest to health IT leaders include the following. The AHA is asking Congress to:

  • Expand Medicare coverage of telehealth to patients outside of rural areas and expand the types of technology that can be used. It also suggests that CMS should automatically reimburse for Medicare-covered services when delivered via telehealth unless there’s an individual exception.
  • Remove HIPAA barriers to sharing patient medical information with providers that don’t have a direct relationship with that patient, in the interests of improving care coordination and outcomes in a clinically-integrated setting.
  • Cancel Stage 3 of the Meaningful Use program, institute a 90-day reporting period for future program years and eliminate the all-or-nothing approach to compliance.
  • Suspend eCQM reporting requirements, given how difficult it is at present to pull outside data into certified EHRs for quality reporting.
  • Remove requirements that hospitals attest that they have bought technology which supports health data interoperability, as well as that they responded quickly and in good faith to requests for exchange with others. At present, hospitals could face penalties for technical issues outside their control.
  • Refocus the ONC to address a narrower scope of issues, largely EMR standards and certification, including testing products to assure health data interoperability.

I am actually somewhat surprised to say that these proposals seem to be largely reasonable. Typically, when they’re developed by trade groups, they tend to be a bit too stacked in favor of that group’s subgroup of concerns. (By the way, I’m not taking a position on the rest of the regulatory ideas the AHA put forth.)

For example, expanding Medicare telehealth coverage seems prudent. Given their age, level of chronic illness and attendant mobility issues, telehealth could potentially do great things for Medicare beneficiaries.

Though it should be done carefully, tweaking HIPAA rules to address the realities of clinical integration could be a good thing. Certainly, no one is suggesting that we ought to throw the rulebook out the window, but it probably makes sense to square it with today’s clinical realities.

Also, the idea of torquing down MU 3 makes some sense to me as well, given the uncertainties around the entirety of MU. I don’t know if limiting future reporting to 90-day intervals is wise, but I wouldn’t take it off of the table.

In other words, despite spending much of my career ripping apart trade groups’ legislative proposals, I find myself in the unusual position of supporting the majority of the ones I list above. I hope Congress gives these suggestions some serious consideration.

The Important Role of HIM in Healthcare Cybersecurity – HIM Scene

Posted on June 21, 2017 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This post is part of the HIM Series of blog posts.

Healthcare organizations that rely on their CSO (Chief Security Officer) to handle cybersecurity in their organizations always annoy me. Cybersecurity requires everyone at the organization to be involved in the effort. One person can have a large influence, but your healthcare organization will never be secure if you don’t have everyone working their best to ensure your organization is secure.

A great example of people who are often forgotten in healthcare cybersecurity efforts is HIM professionals. Organizations that do this do so at their own peril. If you’re not involving your HIM professionals in your cybersecurity efforts, I exhort you to do so today.

One of the best reasons to involve HIM professionals in your security efforts is that they’re often experts on the patchwork of healthcare privacy and security laws. It’s not enough to just ensure you’re being HIPAA compliant. That’s essential, but not sufficient.

Healthcare privacy and security are so important, there are multiple layers of laws trying to protect your health information. Or maybe the laws just aren’t well planned and that’s why we have so many. I’ll let you decide. Either way, in your privacy and security efforts you’re going to need to know HIPAA, HITECH, MACRA, and of course don’t forget the state-specific privacy and security laws. No doubt there are more, and your HIM professionals are likely some of the people in your organization who know these laws the best.

Beyond the fact that HIM professionals know the privacy and security laws, HIM professionals are usually well versed in ensuring the right access to the right information in your system. One of the biggest forms of breach is internal breaches from people who were given the wrong permissions on your IT systems.

Making sure someone is auditing and monitoring these permissions is a very important part of your cybersecurity efforts. Plus, don’t forget to have a solid process for removing users when they leave your organization as well. Those zombie user accounts are a ticking time bomb in your security efforts. When your employees verify with HIM that their records are in order before they leave, that might be a good time to remove their access.

Another place HIM professionals can help with healthcare cybersecurity efforts is around information governance. More specifically, HIM can help you properly manage your health data and legacy systems. HIM can ensure that your legacy systems are properly managed until their end of life. No doubt this will be done in tandem with your IT professionals who have to keep these legacy systems secure (not always an easy task). However, an HIM professional can assist with your information governance efforts that impact cybersecurity.

In what other ways can HIM be involved in healthcare cybersecurity?

Cybersecurity is always going to be a team effort. That’s why it’s shocking to me when healthcare organizations don’t involve every part of their team. HIM professionals should step up and make the case for why they should be involved in healthcare’s cybersecurity efforts. However, when they don’t, a great leader will make sure HIM is involved just the same.

Healthcare Security is Scaring Hospital CIOs

Posted on November 16, 2016 | Written By John Lynn

This post is sponsored by Samsung Business. All thoughts and opinions are my own.

Coming out of the CHIME CIO Forum, I had a chance to mix and mingle with hundreds of hospital CIOs. There was one major theme at the conference: security. If you asked these hospital CIOs what was keeping them up at night, I’m sure that almost every one of them would say security. They see it as a major challenge and the job is never done.

I had more than one CIO tell me that breaches of their healthcare system are going to happen. That’s why it’s extremely important to have a two-prong security strategy in healthcare that includes both creating security barriers and also a mitigation and response strategy.

One of the most challenging pieces of security identified by these healthcare CIOs was the proliferation of endpoints. That includes the proliferation of devices, including mobile devices, and the increase in the number of users using these technologies. There was far less concern about the mobile devices, since there is some really deeply embedded software and hardware security built into mobile devices, like Samsung’s Knox, which has made mobile device security a lot easier to implement. The same can’t be said for the number of people using these devices. One hospital CIO described it as 21,000 points of vulnerability when he talked about the 21,000 people who worked at his organization. Sadly, there’s no one software solution to prevent human error.

This is why we see so much investment in security awareness programs and breach detection. Your own staff are often your biggest vulnerability. Training them is a good start and can prevent some disasters, but the malware has gotten so sophisticated that it’s really impossible to completely stop. That’s why you need great software that can detect when a breach has occurred so you can deal with it quickly.

On the one hand, it’s one of the most exciting times to be in healthcare IT. We have so much more data available to us that we can use to improve care. However, with all that data and technology comes an increased need to make sure that data and technology is kept secure. The good news is that many hospital boards have woken up to this fact and are finally funding security efforts as a priority for their organization. Is your organization prepared?

E-Patient Update: Hospitals Should Share Ransomware Updates

Posted on October 14, 2016 | Written By Anne Zieger

A few weeks ago, a California hospital quietly fended off a ransomware attack without paying a ransom to the attackers. According to Health Leaders Media, Keck Medical Center of USC was hit with a ransomware assault on servers at two hospitals, but managed to fix the problem and retrieve its data.

Employees at Keck Hospital of USC and Norris Comprehensive Cancer Care found ransomware on two servers on August 1, said Keck Hospitals CEO Rod Hanners in a statement on the matter. The attack encrypted files on the servers, which made their data unavailable to hospital employees. However, Hanners reported, the hospitals had no evidence of a breach of patient information.

Still, given that some sensitive information was contained in folders encrypted by the malware, USC notified patients about the breach, Health Leaders reports. Data that could (at least theoretically) have been accessed by the attackers included names and dates of birth, health information such as treatment and diagnosis information and some Social Security numbers.

If what I’ve read is accurate, the crew at Keck did a great job. They got things under control very quickly, and chose to do the right thing in notifying patients about the breach. (And in all truth, the attack might not have been much of a big deal — perhaps one launched by a script kiddie using Ransomware as a Service tools — which could explain why the hospitals seem to be relatively unruffled.) Still, my feeling is that they could have communicated more.

A patient’s perspective

As I ponder the events above, I do wonder whether the professionals managing this particular ransomware attack understand what it’s like to be on the receiving end of a ransomware episode. So here are a few things to consider from a patient’s perspective:

  • Ransomware is scary: While I’m a healthcare technology writer and somewhat familiar with ransomware attacks, they are still new to most of the public. They may turn out to be just another infection vector for your network, but they come across as a dark force to consumers. Be prepared to educate and calm us.
  • People don’t know what to expect: I was due to have a cardiac procedure done by a doctor affiliated with Washington, D.C.-based MedStar Health a couple of weeks after it suffered a ransomware attack. While the news media made it clear that the hospital chain was paralyzed for a time, nobody bothered to tell me what the impact of this paralysis would be. It would have been better if MedStar facilities and doctors reached out to patients in immediate and near-term need of care to clarify.
  • We need progress reports: Clearly, the Keck attack didn’t amount to much, but other ransomware attacks, such as the MedStar incident, can’t be resolved overnight. As patients, we need to know roughly how long our providers may be at less than full capacity. Keep us updated or you’ll lose our trust.

With any luck, healthcare organizations will continue to improve their ability to fight back ransomware attacks, and in time, be prepared to treat them as little more than road bumps in their security efforts. But until then, it makes sense to pull out all the stops and keep patients extra well-informed.

HHS OIG Says Unplanned Hospital EMR Outages Are Fairly Common

Posted on August 24, 2016 | Written By Anne Zieger

More than half of U.S. hospitals responding to a new survey reported having unplanned EMR outages, according to a new report issued by the HHS Office of the Inspector General, due to a variety of common but difficult-to-predict technical problems. Some of these outages have merely been inconveniences, but some resulted in patient care problems, the OIG report said.

The agency said that it conducted this study as a follow-up to its prior research, which found that both natural disasters and cyberattacks were having a major impact on EMR availability. For example, it noted, hospitals faced substantial health IT availability challenges in the wake of Superstorm Sandy, including damage to HIT systems and problems with access to patient records.

According to the survey, 59% of the hospitals reported having unplanned EMR outages. One-quarter said that the outages created delays in patient care and 15% said that the outage led to rerouted patient care. Only 1 percent of outages were caused by hacking or breaches.

The most common causes, in order, were topped by hardware malfunctions, followed by Internet connectivity problems, power failures and natural disasters. (For more detail on the root causes of outages, see this great post by my colleague John Lynn.)

It’s worth noting that these hospitals were selected for having their act together to some degree. To conduct the study, researchers spoke with 400 hospitals which were getting Meaningful Use incentive payments for using a certified EMR system in place as of September 2014.

Nearly all of these hospitals reported having a HIPAA-required EMR contingency plan in place. Also, two-thirds of the hospitals addressed the four HIPAA requirements reviewed by OIG researchers. Eighty-three percent of surveyed hospitals reported having a data backup plan, 95% had an emergency mode operations plan, 95% said they had a disaster recovery plan and 73% said they had testing and revision procedures in place.

Not only that, most of the hospitals contacted by the study were implementing many ONC and NIST-recommended practices for creating EMR contingency plans. Nearly all had implemented practices such as using paper records for backup and putting alternative power sources like generators in place.

Also, most hospitals said that they reviewed their EMR contingency plans regularly to stay current with system or organizational changes, and 88% said they’d reviewed such plans within the previous two years. Most responding hospitals said they regularly trained their staff on EMR outage contingency plans, though just 45% reported training staff through recommended drills on how to address EMR system downtime. And 40% of hospitals that activated contingency plans in the wake of an outage reported that they saw no disruption to patient care or adverse events.

Still, the OIG’s take on this data is that it’s time to better monitor hospitals’ ability to address EMR outages. Now more than ever, the agency would like to see the HHS Office for Civil Rights fully implement a permanent HIPAA compliance program, particularly given the mounting level of cyberattacks endured by the industry. The OIG admitted that HIPAA standards aren’t crafted specifically to address these types of outages, so it’s not clear such monitoring can solve the problem, but the agency would prefer to forge ahead with existing standards given the risks that are emerging.

Managing Health Information to Ensure Patient Safety

Posted on August 17, 2016 | Written By

Erin Head is the Director of Health Information Management (HIM) and Quality for an acute care hospital in Titusville, FL. She is a renowned speaker on a variety of healthcare and social media topics and currently serves as CCHIIM Commissioner for AHIMA. She is heavily involved in many HIM and HIT initiatives such as information governance, health data analytics, and ICD-10 advocacy. She is active on social media on Twitter @ErinHead_HIM and LinkedIn.

This post is part of the HIM Series of blog posts.

Electronic Medical Records (EMRs) have been a great addition to healthcare organizations and I know many would agree that some tasks have been significantly improved from paper to electronic. Others may still be cautious with EMRs due to the potential patient safety concerns that EMRs bring to light.

The Joint Commission expects healthcare organizations to engage in the latest health information technologies but we must do so safely and appropriately. In 2008, The Joint Commission released Sentinel Event Alert Issue 42 which advised organizations to be mindful of the patient safety risks that can result from “converging technologies”.

The electronic technologies we use to gather patient data could pose potential threats and adverse events. Some of these threats include the use of computerized physician order entry (CPOE), information security, incorrect documentation, and clinical decision support (CDS). Sentinel Event Alert Issue 54 in 2015 again addressed the safety risks of EMRs and the expectation that healthcare organizations will safely implement health information technology.

Having incorrect data in the EMR poses serious patient safety risks that are preventable, which is why The Joint Commission has put this emphasis on safely using the technology. We will not be able to blame patient safety errors on the EMR when questioned by surveyors, especially when they could have been prevented.

Ensuring medical record integrity has always been the objective of HIM departments. HIM professionals’ role in preventing errors and adverse events has been apparent from the start of EMR implementations. HIM professionals should monitor and develop methods to prevent issues in the following areas, to name a few:

Copy and paste

Ensure policies are in place to address copy and paste. Records can contain repeated documentation from day to day which could have been documented in error or is no longer current. Preventing and governing the use of copy and paste will prevent many adverse issues with conflicting or erroneous documentation.

Dictation/Transcription errors

Dictation software tools are becoming more intelligent, and many organizations are utilizing front-end speech recognition to complete EMR documentation. With traditional transcription, we have seen anomalies remaining in the record due to poor dictation quality and uncorrected errors. With front-end speech recognition, providers are expected to review and correct their own dictations, which presents similar issues if incorrect documentation is left in the record.

Information Security

The data that is captured in the EMR must be kept secure and available when needed. We must ensure the data remains functional and accessible to the correct users and not accessible by those without the need to know. Cybersecurity breaches are a serious threat to electronic data, including data within the EMR and surrounding applications.

Downtime

Organizations must be ready to function if there is a planned or unexpected downtime of systems. Proper planning includes maintaining a master list of forms and order-sets that will be called upon in the case of a downtime to ensure documentation is captured appropriately. Historical information should be maintained in a format that will allow access during a downtime making sure users are able to provide uninterrupted care for patients.

Ongoing EMR maintenance

As we continue to enhance and optimize EMRs, we must take into consideration all of the potential downstream effects of each change and how these changes will affect the integrity of the record. HIM professionals need prior notification of upcoming changes and adequate time to test the new functionality. No changes should be made to an EMR without all of the key stakeholders reviewing and approving the changes' downstream implications. The Joint Commission claims, “as health IT adoption becomes more widespread, the potential for health IT-related patient harm may increase.”
