
Hospitals Stumble When Asked To Share Medical Records With Patients

Posted on October 19, 2018 | Written By

Anne Zieger is a veteran healthcare branding and communications expert with more than 25 years of industry experience, and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also worked extensively with healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

By this point, few would dispute that patients are unlikely to engage with their medical care unless they have free, unfettered access to their medical records. Unfortunately, research continues to suggest that providers are struggling to meet this goal — and from my point of view, shows signs that they don’t take the entire process that seriously.

Most recently, a new study found that not only may hospitals be failing to meet state and federal rules on patient medical record sharing, they may not even be communicating their own policies consistently. As a patient with complex medical needs, I found this troubling, though sadly, not so surprising given my past experiences.

The study, which appeared in JAMA Network Open, looked at the way in which 83 US hospitals handled medical record requests by patients. The research team conducted the requests between August 1 and December 7, 2017, tracking what medical information was made requestable, what formats of release were available, costs to receive the information and request processing times. Researchers reviewed hospital processes using medical record release authorization forms and telephone calls with medical records departments.

After analyzing their data, the researchers concluded at least some hospitals weren’t complying with regulations regarding medical information request processing times. Of the 81 hospitals that responded to the researchers with mean times of release for records, seven had ranges extending beyond state requirements before applying the single 30-day extension granted by HIPAA.

In addition, they found that patients obtained different information regarding the medical records request process when they filled out a form versus when they communicated directly with medical records departments. For example, just 53% of hospitals gave patients the option to request the entire medical record on their record request forms, while when the medical records department was contacted by phone, all the hospitals said they were able to release an entire medical record to patients.

Perhaps offering some insight into why patient portals aren’t as muscular as they could be, just 25% of hospital medical records departments said via phone that they were able to release records to online patient portals, and less than half (40%) shared this detail on their forms.

Another issue highlighted by the study was that the hospitals studied seemed to be vague about the costs patients faced in receiving records. Apparently, 22% of hospitals disclosed that they would charge patients for such records but did not specify the cost, and 43% didn’t specify whether there would be a fee at all.

Having inadvertently walked into a cost buzzsaw once or twice in my pre-HIT days, I can’t stress enough how disheartening unexpected records fees can be for patients. After all, in some cases patients don’t get the care they need if they don’t have up-to-date records, and until we have a completely universal interoperability scheme in place, patients are on the hook to make this happen.

Getting the records seems to have been pricey. All but one of the hospitals were able to quote the cost for receiving records on paper, at prices which began at zero but went as high as $541.50 for a 200-page record. On the digital side, 59% of the hospitals stated a cost of release above the federally-recommended $6.50 flat fee per page for electronically-maintained records.

As the study authors note, it would be helpful if federal regulators kept an eye on issues related to patient medical record access, which is more costly, confusing and time-consuming than it might appear at first glance. In the meantime, hospitals might consider doing a self-audit to see whether they are offering patients consistent information on the process when we ask for badly-needed medical data.


Medical Device Vulnerability List Topped By User Authentication Problems

Posted on August 27, 2018 | Written By Anne Zieger

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a government organization which addresses threats to US infrastructure, helps numerous industries share data on cybersecurity threats. This includes building a repository of cybersecurity advisories which medical device manufacturers can use to communicate with customers.

According to a new analysis by security vendor MedCrypt, the number of cybersecurity threats reported to ICS-CERT has been growing over time. ICS-CERT released 47 advisories related to medical devices between 2013 and August 1, 2018, which included a total of 122 cybersecurity vulnerabilities. While 12 advisories were released between October 2013 and late December 2016, it issued 35 advisories between late December 2016 and August 1 of this year. Also, while six companies were identified as having faced cybersecurity issues during the first interval, 18 were noted during the second.

The number of vulnerabilities noted has climbed as well, from 37 during the first time period to 85 during the second. According to the MedCrypt analysis, 66% of the reported advisories were related to code defects and user authentication issues. The most common cause was user authentication, which climbed from 16 to 36 instances between the two time periods, followed by code defects, which increased from 5 to 24 instances. Other areas of vulnerability included encryption issues, third-party libraries, system configuration and operating system problems.

It’s hard to determine what all of this means by scanning these statistics, interesting though they may be, but MedCrypt had some additional observations to share about the ICS-CERT data as a whole:

  • The complexity of the vulnerabilities discovered is likely to increase. Some of the more deeply technical kinds of vulnerabilities found in other ICS-CERT participating industries haven’t turned up in medical device disclosure data, including less than 10% of those found in subcategories, but they will. “Most [advisories] have focused on ‘low hanging fruit,’ like user authentication,” the report observes.
  • So far, ICS-CERT participants have reported finding few vulnerabilities related to cryptography issues, such as vulnerability reports citing the commonly-used OpenSSL open-source encryption library.
  • User authentication problems are becoming more common, accounting for 42.3% of vulnerabilities included in advisories after January 1, 2017. The report suggests that future advisories will address concerns emerging from deeper in the technology stack as medical device cybersecurity matures.

As connected medical devices become standard in healthcare organizations, medical device makers will spend more resources on securing them, and eventually, they will bake cybersecurity protections into their engineering, R&D and quality processes, MedCrypt predicts.

Pager Breach Exposes Patient Data From Six Hospitals

Posted on July 6, 2018 | Written By Anne Zieger

The IT worker was shocked. All he had done was buy an antenna and try to get TV channels on his laptop computer, but to his amazement, he inadvertently intercepted a flood of unencrypted pager messages chock full of private patient data.

The pager messages flooded in from six Kansas City area hospitals, including the University of Kansas Hospital, Cass County Regional, Liberty Hospital, Children’s Mercy Hospital, St. Mary’s Medical Center and Wesley Medical Center. All told, the man had gained access to information on hundreds of patients, in a fusillade of potential HIPAA violations.

According to an article in the Kansas City Star, patients who learned about the breach were horrified. “Who knows what else is going on, if it’s that easy for that information to get out there?” one woman told the newspaper. “There’s a big security breach there that needs to be stopped.”

When the paper spoke to the hospitals involved, some punted and didn’t respond to questions. Others shrugged off the problem or suggested that the breach was not a big deal.

For example, the University of Kansas told the reporter that the pager vulnerability was due to “a specific vulnerability in our paging system that may allow access to certain personal health information in limited circumstances.” It seems that an apology was not forthcoming.

Another hospital, Children’s Mercy, told the Star that the IT worker was to blame for the problem, contending that the pager data was only accessible to “local hackers with specific scanning and decoding equipment — and technical knowledge of how to use it for this specific purpose.” In other words, the breach wasn’t really its fault.

As the article points out, the IT worker could be accused of violating the Electronic Communications Protection Act, which restricts the interception of electronic communications. For that reason, the paper never identifies him. But the article strongly suggests that he was surprised to see the messages and operated in good faith.

The worker, for his part, sensibly argues that the hospitals should have realized that the messages were in the clear. “It’s security by obscurity at this point — and that’s scary,” he told the paper. “In my line of work you see a lot of ‘Let’s hope nobody finds it,’ [or] ‘It’s hard to find, so it’s pretty secure.’ That’s not enough. We can’t just trust people won’t stumble upon it. We have to assume that they do.”

Some Physicians Get Personally Identifiable Information Via Texts Every Day

Posted on June 22, 2018 | Written By Anne Zieger

A new survey has concluded that despite efforts to better protect patient data privacy, a substantial number of providers are still getting unsecured messages that contain patient information.

The survey, which was performed by Black Book Market Research, analyzed replies from 770 hospital-based users and 1,279 physician practices. Researchers looked at how care teams were maintaining secure communications.

The market research firm found that 30% of respondents received texts that included individually identifiable data every day. This result should curdle the blood of healthcare cybersecurity experts since I’m pretty sure most of these patients haven’t agreed to these unsecured texts.

However, both hospitals and physicians are pressing forward with platforms that protect patient data while linking teams together. The vast majority of respondents (94% of physicians and 90% of hospitals) told Black Book that mobile technology, in particular, could improve patient safety and outcomes.

The majority of respondents (85% of hospitals and 80% of physician practices) reported that they were committed to investing in secure communications platforms capable of tying together care teams, patients and families. And they’re in a hurry. In fact, 96% of hospitals expected to budget for or invest in comprehensive clinical communication platforms before the close of 2018.

That being said, 63% of study respondents said they were finding it difficult to get mobile technology buy-in from colleagues. Actually, that’s not too surprising. If you ask physicians to switch from an easy-to-use, effective tool like texting to an unknown communications platform, they’re likely to resist. They probably understand intellectually why using secure, collaboration-friendly software is a good idea, but the truth is that these platforms might disrupt physicians’ routines substantially.

Meanwhile, 90% of hospitals and 77% of physician practices that participated in the survey said they were using intrusion detection systems and secure email. However, this news isn’t that encouraging, as the majority of existing physician portals already offer secure email, and intrusion detection systems are pretty much a given by current standards.

The truth is, with healthcare data growing more valuable than ever and the threat landscape expanding rapidly, both hospitals and medical practices will need to step up their game substantially if they want to avoid security breaches. Investing in secure communications platforms is good, but it only addresses part of their security problems.

Over the long haul, both hospitals and doctors will have to get better at protecting both their mobile and enterprise data assets. There are good reasons to focus on secure mobile communications now, but providers can’t let it distract them from enterprise-wide security problems.


What? In Some Cases, Additional IT Spending May Not Prevent Breaches

Posted on June 11, 2018 | Written By Anne Zieger

A new research study has come to a sobering conclusion – that investing more in IT security doesn’t necessarily reduce the number of breaches.

The research, which appeared in the MIS Quarterly, looked at how many breaches hospitals experienced relative to their IT security spending. The study authors started with the assumption that hospitals spending more on security would enjoy better protection from breaches.

The researchers assumed that, looked at broadly, some security investments were “symbolic,” making superficial improvements that don’t get to the root of the problem, while others were substantive investments which met well-defined security needs.

After reviewing their data, researchers noted that many classes of hospitals turned out to be symbolic security investors, including members of smaller health systems, older hospitals, smaller hospitals and for-profit hospitals. They also noted that faith-based and less-entrepreneurial hospitals were prone to such investments. The only category of hospitals routinely making substantive security investments was teaching hospitals.

But that’s far from all. Their more controversial conclusions focused on the role of IT security investments in preventing security breaches. In short, their conclusion was pretty counterintuitive.

First, they found that larger IT security investments did not in and of themselves lower the likelihood of security breaches. Not only that, researchers concluded that the benefits of substantive adoption wouldn’t generate greater breach protection over time.

Researchers also concluded that the benefits of substantive IT security adoption by hospitals would take time to be realized. If I’m reading this correctly, mature IT security systems should offer more advantages over time, but not necessarily better breach protection.

Meanwhile, researchers concluded that the negative consequences of symbolic adoption would grow worse over time.

I don’t know about you, but I was pretty surprised by these results. Why wouldn’t substantively increasing security spending reduce the occurrence of breaches within hospitals? It’s something of a head-scratcher.

Of course, the answer to this question may lie in what type of substantive security investment hospitals make. The current set of results suggests, to me at least, that current technologies may not be as good at preventing breaches as they should be. Or maybe hospitals are investing in good technology but not hiring enough IT security experts to get the installation done right. Plus, purchasing security infrastructure can only do so much to stop bad user behavior. The issue deserves further research.

Regardless, this study offers food for thought. The industry can’t afford to do a bad job with preventing breaches.

AHA Asks Congress To Reduce Health IT Regulations for Medicare Providers

Posted on September 22, 2017 | Written By Anne Zieger

The American Hospital Association has sent a letter to Congress asking members to reduce regulatory burdens for Medicare providers, including mandates affecting a wide range of health IT services.

The letter, which is addressed to the House Ways and Means Health Subcommittee, notes that in 2016, CMS and other HHS agencies released 49 rules impacting hospitals and health systems, making up nearly 24,000 pages of text.

“In addition to the sheer volume, the scope of changes required by the new regulations is beginning to outstrip the field’s ability to absorb them,” says the letter, which was signed by Thomas Nickels, executive vice president of government relations and public policy for the AHA. The letter came with a list of specific changes AHA is proposing.

Proposals of potential interest to health IT leaders include the following. The AHA is asking Congress to:

  • Expand Medicare coverage of telehealth to patients outside of rural areas and expand the types of technology that can be used. It also suggests that CMS should automatically reimburse for Medicare-covered services when delivered via telehealth unless there’s an individual exception.
  • Remove HIPAA barriers to sharing patient medical information with providers that don’t have a direct relationship with that patient, in the interests of improving care coordination and outcomes in a clinically-integrated setting.
  • Cancel Stage 3 of the Meaningful Use program, institute a 90-day reporting period for future program years and eliminate the all-or-nothing approach to compliance.
  • Suspend eCQM reporting requirements, given how difficult it is at present to pull outside data into certified EHRs for quality reporting.
  • Remove requirements that hospitals attest that they have bought technology which supports health data interoperability, as well as that they responded quickly and in good faith to requests for exchange with others. At present, hospitals could face penalties for technical issues outside their control.
  • Refocus the ONC to address a narrower scope of issues, largely EMR standards and certification, including testing products to assure health data interoperability.

I am actually somewhat surprised to say that these proposals seem to be largely reasonable. Typically, when they’re developed by trade groups, they tend to be a bit too stacked in favor of that group’s subgroup of concerns. (By the way, I’m not taking a position on the rest of the regulatory ideas the AHA put forth.)

For example, expanding Medicare telehealth coverage seems prudent. Given Medicare beneficiaries’ age, level of chronic illness and attendant mobility issues, telehealth could potentially do great things for them.

Though it should be done carefully, tweaking HIPAA rules to address the realities of clinical integration could be a good thing. Certainly, no one is suggesting that we ought to throw the rulebook out the window, but it probably makes sense to square it with today’s clinical realities.

Also, the idea of torquing down MU 3 makes some sense to me as well, given the uncertainties around the entirety of MU. I don’t know if limiting future reporting to 90-day intervals is wise, but I wouldn’t take it off of the table.

In other words, despite spending much of my career ripping apart trade groups’ legislative proposals, I find myself in the unusual position of supporting the majority of the ones I list above. I hope Congress gives these suggestions some serious consideration.

WannaCry Will Make a CIO Cry

Posted on July 3, 2017 | Written By

David Chou is the Vice President / Chief Information & Digital Officer for Children’s Mercy Kansas City. Children’s Mercy is the only free-standing children's hospital between St. Louis and Denver and provides comprehensive care for patients from birth to 21. They are consistently ranked among the leading children's hospitals in the nation and were the first hospital in Missouri or Kansas to earn the prestigious Magnet designation for excellence in patient care from the American Nurses Credentialing Center. Prior to Children’s Mercy, David held the CIO position at University of Mississippi Medical Center, the state’s only academic health science center. David also served as senior director of IT operations at Cleveland Clinic Abu Dhabi and CIO at AHMC Healthcare in California. His work has been recognized by several publications, and he has been interviewed by a number of media outlets. David is also one of the most mentioned CIOs on social media, and is an active member of both CHIME and HIMSS.

Join us for the live recording of our first ever CXO Scene podcast on Thursday, 7/6/17 at 1 PM ET (10 AM PT), where we’ll be talking Petya, MACRA, and Organizational Blindness.

As continuous research is done to create better defenses against malicious computer attacks, cybercriminals have also come up with more ways to get cash into their pockets as quickly as possible. In recent years, a new breed of computer virus has started infecting computers and mobile devices. These viruses are unlike previous malware: they lock down the computer, including the precious files on it, and only unlock it when the user has paid the demanded amount. WannaCry, Cryptolocker, Cryptowall, and TeslaCrypt are the new computer viruses that belong to a family of infections known as ransomware.

Cryptolocker is the earliest version of ransomware that started infecting computers in 2013. It easily infects computers through phishing links, usually found in email attachments, and through computer downloads. Once a computer has been infected with ransomware, all the computer files are held ‘hostage’ by the cybercriminals. In some cases, ads for pornographic websites appear on the screen each time a user clicks. These cybercriminals demand payment in order to unlock the files and restore the computer to its previous state. As added pressure, these criminals threaten to delete all files if their demands are not met within a specified period (usually within 24 hours). The desperate user usually doesn’t have any choice but to give in.

Ransomware Threat in Hospitals

Ransomware threats have been widespread and have affected hospital computers. A Reuters report stated that a study from the Health Information Trust Alliance of 30 mid-sized U.S. hospitals revealed that over half of these establishments (52%) were infected with the malicious software. Recently we are starting to see countries shut down due to these attacks, while a global voice dictation vendor was shut down, interfering with doctors’ ability to dictate their notes.

How Companies Can Prevent Ransomware Attacks

Ransomware attacks are serious threats in healthcare. When computers in hospitals stop functioning, there will be delays in information access and flow, which may compromise the safety of patients. When there is a ransomware attack, caregivers will have no access to patients’ data, which can be crucial for those who are unconscious. It can also result in delayed or undelivered lab requests and prescriptions. And since there are medical devices that rely on computers to be operated, they can be inoperable throughout the period the computer is held ‘hostage.’

With more medical facilities relying heavily on technology for their operations, it’s crucial to keep the computers malware-free. The following are some tips on how you can prevent these ransomware attacks:

  • Back up your data
    One of the best things companies can do to protect themselves from ransomware is to regularly do backups. Regularly backing up your files can give you peace of mind even if a malicious attack happens. Since ransomware can also encrypt files on mapped drives, it’s important to have a backup regimen on external drives or backup services that are not assigned a drive letter. The one key element that is often missing from the backup process is testing the backup to make sure that it is working. Do not skip the testing step.
  • Make file extensions visible
    In many cases, ransomware arrives as a file with a .PDF.EXE extension. By adjusting the settings to make file extensions visible, you can easily spot these suspicious files. It also helps to filter email attachments with an .EXE extension. Instead of exchanging executable files, you may opt for zip files instead.
  • Take advantage of a ransomware prevention kit
    The rise of ransomware and its threats has paved the way for cybersecurity companies to come up with ransomware prevention kits. These kits protect the computer by blocking files that are run from the AppData and Local AppData folders, and executable files run from the Temp directory.
  • Disable RDP
    RDP, the Remote Desktop Protocol, is a Windows utility that enables others to access your desktop remotely. If there is no practical use for RDP in your daily operations, then it’s best to disable it, as it’s often used by ransomware to access targeted machines.
  • Update your software regularly
    Running outdated software makes your computer more vulnerable to ransomware attacks. So, make sure to regularly update your software.
  • Install reliable anti-malware software and a firewall
    This is applicable to malware in general. Having both anti-malware software and a firewall creates a double wall of protection against these malicious attacks. If something gets past the software, the firewall serves as the second level of protection from the malware.
  • When a ransomware attack is suspected, disconnect immediately from the network
    While this isn’t a foolproof solution, disconnecting immediately from the network or unplugging from the WiFi as soon as a ransomware infection is suspected can reduce the damage caused by the malware. It may take some time to recover some files, but doing this can sometimes cut back the damage.
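Two of the tips above (visible file extensions, RDP disabled) and the .PDF.EXE double-extension check can be audited from PowerShell. This is an added example, not code from the original post: it only reads the standard Explorer and Terminal Server registry values and changes nothing, and the attachment names at the end are constructed samples.

```powershell
# Added example (not from the original post): a read-only audit of two of the
# controls listed above, plus a check for the deceptive double-extension
# attachment names the post describes. Nothing on the machine is changed.

function Test-FileExtensionsVisible {
    # Explorer hides known extensions when HideFileExt is 1 (the Windows default),
    # so "invoice.pdf.exe" would be displayed to the user as "invoice.pdf".
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $item = Get-ItemProperty -Path $key -Name HideFileExt -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }      # value missing: assume the default (hidden)
    return $item.HideFileExt -eq 0
}

function Test-RdpDisabled {
    # Remote Desktop connections are refused when fDenyTSConnections is 1.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $item = Get-ItemProperty -Path $key -Name fDenyTSConnections -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }      # value missing: cannot confirm RDP is off
    return $item.fDenyTSConnections -eq 1
}

function Get-AttachmentRisk {
    param([Parameter(Mandatory)][string]$Name)
    # Returns 'double-extension', 'executable' or 'ok'. The list of runnable
    # extensions goes a little beyond the post's ".EXE" to cover similar types.
    $executable = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.vbs')
    $parts = $Name.ToLower().Split('.')
    if ($parts.Count -lt 2) { return 'ok' }           # no extension at all
    $last = '.' + $parts[-1]
    if ($executable -notcontains $last) { return 'ok' }
    # "name.pdf.exe" has three dot-separated parts; a plain "name.exe" has two.
    if ($parts.Count -ge 3) { return 'double-extension' }
    return 'executable'
}

# Constructed sample attachment names for demonstration.
$samples = @('invoice.pdf.exe', 'report.pdf', 'setup.exe', 'Scan_001.PDF.scr', 'notes')
foreach ($s in $samples) {
    '{0,-20} {1}' -f $s, (Get-AttachmentRisk -Name $s)
}

"File extensions visible: $(Test-FileExtensionsVisible)"
"RDP disabled:            $(Test-RdpDisabled)"
```

Running the script on a workstation prints one line per sample name followed by the two setting checks; a `False` on either check points at a tip from the list above that has not yet been applied.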

Ransomware poses a serious threat not just to the security of hospital files but also to patient safety. Hence, companies, especially healthcare facilities, must not take this malware issue lightly. Your biggest security risk exposure is internal, so make the effort to educate your internal workforce a priority as well.


The Disconnect Between Patient Experience and Records Requests – HIM Scene

Posted on April 19, 2017 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This post is part of the HIM Series of blog posts.

This week I met with a member of the digital marketing team at a children’s hospital. We had a great conversation about the hospital website and the way the hospital’s website represented the organization to the patient. Plus, we talked about how patients choose to interact with the hospital through their website. There are a wide variety of patient requests that come through the website, and one of those is a request for the patient’s medical record.

It wasn’t really a surprise that this digital marketer didn’t really know the details of what’s required for a patient to make an appropriate medical record request from his hospital. In his defense, he didn’t usually answer the questions, but just created the website that collected the questions. However, it was quite clear that the workflow for any medical records request was to send it to their HIM department and let them figure it out.

Most organizations then have their HIM staff play phone tag with the patient to explain how to make a proper records request which will allow them to release the information to the patient. The progressive organizations might send the patient an email. However, many of them will then ask the patient to mail, drop off or fax in the official records request. If this sounds painful, I can assure you that it’s as painful as it sounds.

This illustrates the massive disconnect between creating a great patient experience and most organizations’ current records request process. Please note that I’m not blaming the digital team at hospitals for the issue and I’m not blaming the HIM people for this problem. I’m blaming the disconnect between the two groups, because the only way to solve this problem is to have both of them involved.

The best patient experience would actually be for the patient to go to their patient portal and download their whole record. Maybe we’ll get there one day, but there are hundreds of systems in a hospital where a patient’s data is stored. So, it’s going to take a while for us to reach the point where a patient can self-service their data requests.

Since I’m not holding my breath on this amount of data sharing happening between disparate systems, I’m more interested in making the current processes a seamless experience for the patient. If you can model a medical records request on paper, then you can do it digitally. To their credit, I’ve seen a few organizations working on this. In fact, their system is part education about records requests and part collecting the information that’s needed to fulfill a records request.

It’s time that HIM and a hospital’s digital and tech teams come together to make the process for requesting records a seamless patient experience. And if you think using a fax machine is a seamless experience for patients, then you’re part of the problem.


An Approach For Privacy-Protecting Big Data

Posted on February 6, 2017 | Written By

Anne Zieger is a veteran healthcare branding and communications expert with more than 25 years of industry experience, and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also worked extensively with healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

There’s little doubt that the healthcare industry is zeroing in on some important discoveries as providers and researchers mine collections of clinical and research data. Big data does come with some risks, however, with some observers fearing that aggregated and shared information may breach patient privacy. However, at least one study suggests that patients can be protected without interrupting data collection.

In what it calls a first, a new study appearing in the Journal of the American Medical Informatics Association has demonstrated that protecting the privacy of patients can be done without too much fuss, even when the patient data is pulled into big data stores used for research.

According to the study, a single patient anonymization algorithm can offer a standard level of privacy protection across multiple institutions, even when they are sharing clinical data back and forth. Researchers say that larger clinical datasets can protect patient anonymity without generalizing or suppressing data in a manner which would undermine its use.

To conduct the study, researchers set a privacy adversary out to beat the system. This adversary, who had collected patient diagnoses from a single unspecified clinic visit, was asked to match them to a record in a de-identified research dataset known to include the patient. To conduct the study, researchers used data from Vanderbilt University Medical Center, Northwestern Memorial Hospital in Chicago and Marshfield Clinic.

The researchers knew that according to prior studies, the more data associated with each de-identified record, and the more complex and diverse the patient’s problems, the more likely it was that their information would stick out from the crowd. And that would typically force managers to generalize or suppress data to protect patient anonymity.

In this case, the team hoped to find out how much generalization and suppression would be necessary to protect identities found within the three institutions’ data, and after, whether the protected data would ultimately be of any use to future researchers.

The team processed relatively small datasets from each institution representing patients in a multi-site genotype-disease association study; larger datasets to represent patients in the three institutions’ banks of de-identified DNA samples; and large sets which stood in for each institution’s EMR population.

Using the algorithm they developed, the team found that most of the data’s value was preserved despite the occasional need for generalization and suppression. On average, 12.8% of diagnosis codes needed generalization; the medium-sized biobank models saw only 4% of codes needing generalization; and among the large databases representing EMR populations, only 0.4% needed generalization and no codes required suppression.

More work like this is clearly needed as the demand for large-scale clinical, genomic and transactional datasets grows. But in the meantime, this seems to be good news for budding big data research efforts.

Are Security Certifications Needed to Simplify the Acquisition Process?

Posted on January 20, 2017 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I’m generally someone who hates certifications. However, I hate them because they’re often implemented poorly and easily gamed. When they’re implemented effectively, they can be extremely helpful. Think about all the safety certifications that electronics go through. I’m sure they’ve saved our lives and saved our houses from burning down many times over.

I’ve wondered if a security certification would be useful for healthcare IT applications. Certainly it wouldn’t be perfect (security never is), but it could serve as a baseline security check that would help healthcare organizations with their acquisition process.

The reality is that many organizations don’t properly vet the healthcare IT applications they purchase for security. They aren’t consistent and they have limited resources. A security certification in theory would spread the costs of certifying a healthcare application’s security across a large number of organizations and thus save everyone money.

The key to this certification is not to have it as a kind of pass/fail certification. Sure, you want to say that it meets a certain standard of security, but more importantly it would also create a report on what type of security was implemented for that software.

Take encryption for example. Every healthcare organization looks for encryption. A security certification could ensure that the software system has implemented encryption appropriately and also describe how the encryption was implemented. Is it end-to-end encryption? Do they encrypt the data at rest? What about encryption of the data being stored on the customer’s device? And so on.

One challenge with this idea is that CIOs, health IT companies, and other technology professionals can become over-reliant on certifications. It would have to be clear that the security certification was just a baseline and not a 100% foolproof way to secure your IT software. This is a challenge, since health IT sales reps are going to position a security certification as exactly that. It would take some effective marketing for people to know that the security certification could save them time in their security analysis of a new health IT software purchase, but wasn’t the be-all and end-all.

I imagine some people would argue that this type of certification and details about how an organization or software company implements their security would be a treasure trove for hackers. Certainly you’d have to be careful with what you share and how you share it. However, most of the details are things that a good hacker could figure out anyway.

As it is today, health IT companies just say they’re HIPAA compliant (whatever that means) and many healthcare CIOs are floundering with limited resources for evaluating the security of the applications they buy. A security certification could help them make some headway on this I think.

Done the right way, a security certification could help set a new bar for how vendors approach security. That could be a very good thing. Of course, if not updated regularly and effectively, it could also require a bunch of hoop jumping that doesn’t provide real value. It’s a tricky challenge.