
Pager Breach Exposes Patient Data From Six Hospitals

Posted on July 6, 2018 | Written By

Anne Zieger is a veteran healthcare branding and communications expert with more than 25 years of industry experience, and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also worked extensively with healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

The IT worker was shocked. All he had done was buy an antenna and try to get TV channels on his laptop computer, but to his amazement, he inadvertently intercepted a flood of unencrypted pager messages chock full of private patient data.

The pager messages flooded in from six Kansas City area hospitals, including the University of Kansas Hospital, Cass County Regional, Liberty Hospital, Children’s Mercy Hospital, St. Mary’s Medical Center and Wesley Medical Center. All told, the man had gotten access to information on hundreds of patients, in a fusillade of potential HIPAA violations.

According to an article in the Kansas City Star, patients who learned about the breach were horrified. “Who knows what else is going on, if it’s that easy for that information to get out there?” one woman told the newspaper. “There’s a big security breach there that needs to be stopped.”

When the paper spoke to the hospitals involved, some punted and didn’t respond to questions. Others shrugged off the problem or suggested that the breach was not a big deal.

For example, the University of Kansas told the reporter that the pager vulnerability was due to “a specific vulnerability in our paging system that may allow access to certain personal health information in limited circumstances.” It seems that an apology was not forthcoming.

Another hospital, Children’s Mercy, told the Star that the IT worker was to blame for the problem, contending that the pager data was only accessible to “local hackers with specific scanning and decoding equipment — and technical knowledge of how to use it for this specific purpose.” In other words, the breach wasn’t really its fault.

As the article points out, the IT worker could be accused of violating the Electronic Communications Protection Act, which restricts the interception of electronic communications. For that reason, the paper never identifies him. But the article strongly suggests that he was surprised to see the messages and operated in good faith.

The worker, for his part, sensibly argues that the hospitals should have realized that the messages were in the clear. “It’s security by obscurity at this point — and that’s scary,” he told the paper. “In my line of work you see a lot of ‘Let’s hope nobody finds it,’ [or] ‘It’s hard to find, so it’s pretty secure.’ That’s not enough. We can’t just trust people won’t stumble upon it. We have to assume that they do.”

Some Physicians Get Personally Identifiable Information Via Texts Every Day

Posted on June 22, 2018 | Written By


A new survey has concluded that despite efforts to better protect patient data privacy, a substantial number of providers are still getting unsecured messages that contain patient information.

The survey, which was performed by Black Book Market Research, analyzed replies from 770 hospital-based users and 1,279 physician practices. Researchers looked at how care teams were maintaining secure communications.

The market research firm found that 30% of respondents received texts that included individually identifiable data every day. This result should curdle the blood of healthcare cybersecurity experts since I’m pretty sure most of these patients haven’t agreed to these unsecured texts.

However, both hospitals and physicians are pressing forward with platforms that protect patient data while linking teams together. The vast majority of respondents (94% of physicians and 90% of hospitals) told Black Book that mobile technology, in particular, could improve patient safety and outcomes.

The majority of respondents (85% of hospitals and 80% of physician practices) reported that they were committed to investing in secure communications platforms capable of tying together care teams, patients and families. And they’re in a hurry. In fact, 96% of hospitals expected to budget for or invest in comprehensive clinical communication platforms before the close of 2018.

That being said, 63% of study respondents said they were finding it difficult to get mobile technology buy-in from colleagues. Actually, that’s not too surprising. If you ask physicians to switch from an easy-to-use, effective tool like texting to an unknown communications platform, they’re likely to resist. They probably understand intellectually why using secure, collaboration-friendly software is a good idea, but the truth is that these platforms might disrupt physicians’ routines substantially.

Meanwhile, 90% of hospitals and 77% of physician practices that participated in the survey said they were using intrusion detection systems and secure email. However, this news isn’t that encouraging, as the majority of existing physician portals already offer secure email, and intrusion detection systems are pretty much a given by current standards.

The truth is, with healthcare data growing more valuable than ever and the threat landscape expanding rapidly, both hospitals and medical practices will need to step up their game substantially if they want to avoid security breaches. Investing in secure communications platforms is good, but it only addresses part of their security problems.

Over the long haul, both hospitals and doctors will have to get better at protecting both their mobile and enterprise data assets. There are good reasons to focus on secure mobile communications now, but providers can’t let it distract them from enterprise-wide security problems.


What? In Some Cases, Additional IT Spending May Not Prevent Breaches

Posted on June 11, 2018 | Written By


A new research study has come to a sobering conclusion – that investing more in IT security doesn’t necessarily reduce the number of breaches.

The research, which appeared in the MIS Quarterly, looked at how many breaches hospitals experienced relative to their IT security spending. The study authors started with the assumption that hospitals spending more on security would enjoy better protection from breaches.

The researchers assumed that, looked at broadly, some security investments were “symbolic,” making superficial improvements that don’t get to the root of the problem, while others were substantive investments that met well-defined security needs.

After reviewing their data, researchers noted that many classes of hospitals turned out to be symbolic security investors, including members of smaller health systems, older hospitals, smaller hospitals and for-profit hospitals. They also noted that faith-based and less-entrepreneurial hospitals were prone to such investments. The only category of hospitals routinely making substantive security investments was teaching hospitals.

But that’s far from all. Their more controversial conclusions focused on the role of IT security investments in preventing security breaches. In short, their conclusion was pretty counterintuitive.

First, they found that larger IT security investments did not in and of themselves lower the likelihood of security breaches. Not only that, researchers concluded that the benefits of substantive adoption wouldn’t generate greater breach protection over time.

Researchers also concluded that the benefits of substantive IT security adoption by hospitals would take time to be realized. If I’m reading this correctly, mature IT security systems should offer more advantages over time, but not necessarily better breach protection.

Meanwhile, researchers concluded that the negative consequences of symbolic adoption would grow worse over time.

I don’t know about you, but I was pretty surprised by these results. Why wouldn’t substantively increasing security spending reduce the occurrence of breaches within hospitals? It’s something of a head-scratcher.

Of course, the answer to this question may lie in what type of substantive security investment hospitals make. The current set of results suggests, to me at least, that current technologies may not be as good at preventing breaches as they should be. Or maybe hospitals are investing in good technology but not hiring enough IT security experts to get the installation done right. Plus, purchasing security infrastructure can only do so much to stop bad user behavior. The issue deserves further research.

Regardless, this study offers food for thought. The industry can’t afford to do a bad job with preventing breaches.

AHA Asks Congress To Reduce Health IT Regulations for Medicare Providers

Posted on September 22, 2017 | Written By


The American Hospital Association has sent a letter to Congress asking members to reduce regulatory burdens for Medicare providers, including mandates affecting a wide range of health IT services.

The letter, which is addressed to the House Ways and Means Health subcommittee, notes that in 2016, CMS and other HHS agencies released 49 rules impacting hospitals and health systems, which make up nearly 24,000 pages of text.

“In addition to the sheer volume, the scope of changes required by the new regulations is beginning to outstrip the field’s ability to absorb them,” says the letter, which was signed by Thomas Nickels, executive vice president of government relations and public policy for the AHA. The letter came with a list of specific changes AHA is proposing.

Proposals of potential interest to health IT leaders include the following. The AHA is asking Congress to:

  • Expand Medicare coverage of telehealth to patients outside of rural areas and expand the types of technology that can be used. It also suggests that CMS should automatically reimburse for Medicare-covered services when delivered via telehealth unless there’s an individual exception.
  • Remove HIPAA barriers to sharing patient medical information with providers that don’t have a direct relationship with that patient, in the interests of improving care coordination and outcomes in a clinically-integrated setting.
  • Cancel Stage 3 of the Meaningful Use program, institute a 90-day reporting period for future program years and eliminate the all-or-nothing approach to compliance.
  • Suspend eCQM reporting requirements, given how difficult it is at present to pull outside data into certified EHRs for quality reporting.
  • Remove requirements that hospitals attest that they have bought technology which supports health data interoperability, as well as that they responded quickly and in good faith to requests for exchange with others. At present, hospitals could face penalties for technical issues outside their control.
  • Refocus the ONC to address a narrower scope of issues, largely EMR standards and certification, including testing products to assure health data interoperability.

I am actually somewhat surprised to say that these proposals seem to be largely reasonable. Typically, when they’re developed by trade groups, they tend to be a bit too stacked in favor of that group’s subgroup of concerns. (By the way, I’m not taking a position on the rest of the regulatory ideas the AHA put forth.)

For example, expanding Medicare telehealth coverage seems prudent. Given their age, level of chronic illness and attendant mobility issues, telehealth could potentially do great things for Medicare beneficiaries.

Though it should be done carefully, tweaking HIPAA rules to address the realities of clinical integration could be a good thing. Certainly, no one is suggesting that we ought to throw the rulebook out the window, but it probably makes sense to square it with today’s clinical realities.

Also, the idea of torquing down MU 3 makes some sense to me as well, given the uncertainties around the entirety of MU. I don’t know if limiting future reporting to 90-day intervals is wise, but I wouldn’t take it off of the table.

In other words, despite spending much of my career ripping apart trade groups’ legislative proposals, I find myself in the unusual position of supporting the majority of the ones I list above. I hope Congress gives these suggestions some serious consideration.

WannaCry Will Make a CIO Cry

Posted on July 3, 2017 | Written By

David Chou is the Vice President / Chief Information & Digital Officer for Children’s Mercy Kansas City. Children’s Mercy is the only free-standing children's hospital between St. Louis and Denver and provides comprehensive care for patients from birth to 21. They are consistently ranked among the leading children's hospitals in the nation and were the first hospital in Missouri or Kansas to earn the prestigious Magnet designation for excellence in patient care from the American Nurses Credentialing Center. Prior to Children’s Mercy, David held the CIO position at University of Mississippi Medical Center, the state’s only academic health science center. David also served as senior director of IT operations at Cleveland Clinic Abu Dhabi and CIO at AHMC Healthcare in California. His work has been recognized by several publications, and he has been interviewed by a number of media outlets. David is also one of the most mentioned CIOs on social media, and is an active member of both CHIME and HIMSS.


As continuous research is done to create better defenses against malicious computer attacks, cybercriminals have also come up with more ways to get cash into their pockets as quickly as possible. In the past few years, a new breed of computer virus has started infecting computers and mobile devices. These viruses are unlike previous malware: they lock down the computer, including the precious files on it, and only unlock it when the user has paid the demanded amount. WannaCry, Cryptolocker, Cryptowall and TeslaCrypt are the new computer viruses that belong to a family of infections known as ransomware.

Cryptolocker is the earliest version of ransomware that started infecting computers in 2013. It easily infects computers through phishing links, usually found in email attachments, and through computer downloads. Once a computer has been infected with ransomware, all of the computer’s files are held ‘hostage’ by the cybercriminals. In some cases, ads for pornographic websites appear on the screen each time a user clicks. These cybercriminals demand payment in order to unlock the files and restore the computer to its previous state. As added pressure, the criminals threaten to delete all of the user’s files if certain demands are not met within a specified period (usually within 24 hours). The desperate user usually doesn’t have any choice but to give in.

Ransomware Threat in Hospitals

Threats from ransomware have been widespread, and they have affected hospital computers. A Reuters report stated that a study by the Health Information Trust Alliance of 30 mid-sized U.S. hospitals revealed that over half of these establishments (52%) were infected with the malicious software. Recently we are starting to see entire countries’ systems shut down due to these attacks, while a global voice dictation vendor was shut down, which interfered with doctors’ ability to dictate their notes.

How Companies Can Prevent Ransomware Attacks

Ransomware attacks are serious threats in healthcare. When computers in hospitals stop functioning, there will be delays in information access and flow, which may compromise the safety of patients. When there is a ransomware attack, caregivers will have no access to patients’ data, which can be crucial for those who are unconscious. It can also result in delayed or undelivered lab requests and prescriptions. And since there are medical devices that rely on computers to be operated, they can be inoperable throughout the period the computer is held ‘hostage.’

With more medical facilities relying heavily on technology for their operations, it’s crucial to keep the computers malware-free. The following are some tips on how you can prevent these ransomware attacks:

  • Back up your data
    One of the best things companies can do to protect themselves from ransomware is to regularly do backups. Regularly backing up your files can give you peace of mind even if a malicious attack happens. Since ransomware can also encrypt files on mapped drives, it’s important to have a backup regimen on external drives or backup services that are not assigned a drive letter. The one key element that is often missing from the backup process is testing the backup to make sure that it actually restores. Do not skip the testing step.
  • Make file extensions visible
    In many cases, ransomware arrives as a file with a .PDF.EXE extension. By adjusting the settings to make these file extensions visible, you can easily spot these suspicious files. It also helps to filter email files with .EXE extension. Instead of exchanging executable files, you may opt for zip files instead.
  • Take advantage of a ransomware prevention kit
    The rise of ransomware and its threats has paved the way for cybersecurity companies to come up with ransomware prevention kits. These kits protect the computer by blocking files that are run from the App Data and Local App Data folders, and executable files run from the Temp directory.
  • Disable the RDP
    The RDP or Remote Desktop Protocol is a Windows utility that enables others to access your desktop remotely. If there is no practical use of RDP in your daily operations, then it’s best to disable it as it’s often used by ransomware to access targeted machines.
  • Update your software regularly
    Running outdated software makes your computer more vulnerable to ransomware attacks. So, make sure to regularly update your software.
  • Install reliable anti-malware software and a firewall
    This is applicable to malware in general. Having both anti-malware software and a firewall creates double-wall protection against these malicious attacks. If something gets past the software, the firewall serves as the second level of protection from the malware.
  • When a ransomware attack is suspected, disconnect immediately from the network
    While this isn’t a foolproof solution, disconnecting immediately from the network or unplugging from the WiFi as soon as a ransomware file is suspected can reduce the damage caused by the malware. It may take some time to recover some files, but doing this can sometimes cut back the damage.
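The “make file extensions visible” and “filter email files with .EXE extension” tips above come down to one check: does an attachment name end in an extension Windows will execute, or hide one behind a document-looking name such as invoice.pdf.exe? The following screening function is an added example written for this post, not code from the author or from any product he mentions; the extension lists and the sample filenames are constructed for the example, and it also handles two disguises the tip implies but does not spell out: upper-case extensions and the Unicode right-to-left override character that makes a name display with its extensions reversed.

```python
import os
from dataclasses import dataclass, field

# Extensions Windows runs directly when double-clicked.
# Constructed list for this example; extend it to match local policy.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".jse",
    ".wsf", ".hta", ".msi", ".ps1", ".lnk",
}

# Harmless-looking extensions commonly used as the "inner" part of a
# double-extension disguise (invoice.pdf.exe).
DOCUMENT_EXTENSIONS = {
    ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt",
}

RIGHT_TO_LEFT_OVERRIDE = "\u202e"


@dataclass
class Verdict:
    filename: str
    block: bool
    reasons: list = field(default_factory=list)


def screen_attachment(filename: str) -> Verdict:
    """Flag an attachment name that is, or disguises, an executable."""
    reasons = []
    name = filename.strip()

    # "report\u202Efdp.exe" renders as "reportexe.pdf"; strip the override
    # so the real trailing extension is examined.
    if RIGHT_TO_LEFT_OVERRIDE in name:
        reasons.append("contains right-to-left override character")
        name = name.replace(RIGHT_TO_LEFT_OVERRIDE, "")

    lowered = name.lower()          # .EXE and .exe are the same to Windows
    root, ext = os.path.splitext(lowered)
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension {ext}")

    # Double extension: a document-looking name followed by something else.
    _, inner_ext = os.path.splitext(root)
    if inner_ext in DOCUMENT_EXTENSIONS and ext and ext not in DOCUMENT_EXTENSIONS:
        reasons.append(f"double extension {inner_ext}{ext}")

    return Verdict(filename=filename, block=bool(reasons), reasons=reasons)


def blocked_attachments(filenames):
    """Return the subset of names that should be quarantined, in input order."""
    return [f for f in filenames if screen_attachment(f).block]


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real mailbox.
    sample = [
        "invoice.pdf.exe",
        "INVOICE.PDF.EXE",
        "report.pdf",
        "scan.jpg",
        "archive.zip",
        "report\u202efdp.exe",
    ]
    for v in map(screen_attachment, sample):
        print(f"{'BLOCK' if v.block else 'allow':5} {v.filename!r} {v.reasons}")
```

The check deliberately allows .zip, matching the post’s suggestion to exchange archives instead of executables; in practice the archive’s contents would be screened with the same function once extracted.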

Ransomware poses a serious threat not just to the security of hospital files but also to patients’ safety. Hence, companies, especially healthcare facilities, must not take this malware issue lightly. Your biggest security risk exposure is internal, so make the effort to educate your internal workforce a priority as well.


The Disconnect Between Patient Experience and Records Requests – HIM Scene

Posted on April 19, 2017 | Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.


This week I met with one of the digital marketing team at a children’s hospital. We had a great conversation about the hospital website and the way the hospital’s website represented the organization to the patient. Plus, we talked about how patients choose to interact with the hospital through their website. There are a wide variety of patient requests through the website, but one of those requests was a request for their patient record.

It wasn’t really a surprise that this digital marketer didn’t really know the details of what’s required for a patient to make an appropriate medical record request from his hospital. In his defense, he didn’t usually answer the questions, but just created the website that collected the questions. However, it was quite clear that the workflow for any medical records request was to send it to their HIM department and let them figure it out.

Most organizations then have their HIM staff play phone tag with the patient to explain how to make a proper records request that will allow them to release the information to the patient. The progressive organizations might send the patient an email. However, many of them will then ask the patient to mail, drop off or fax in the official records request. If this sounds painful, I can assure you that it’s as painful as it sounds.

This illustrates the massive disconnect between creating a great patient experience and most organizations’ current records request process. Please note that I’m not blaming the digital team at hospitals for the issue, and I’m not blaming the HIM people for this problem. I’m blaming the disconnect between the two groups, because the only way to solve this problem is to have both of them involved.

The best patient experience would actually be for the patient to go to their patient portal and download their whole record. Maybe we’ll get there one day, but there are hundreds of systems in a hospital where a patient’s data is stored. So, it’s going to take a while for us to reach the point where a patient can self-service their data requests.

Since I’m not holding my breath for this amount of data sharing to happen between disparate systems, I’m more interested in making the current processes a seamless experience for the patient. If you can model a medical records request on paper, then you can do it digitally. To their credit, I’ve seen a few organizations working on this. In fact, their system is part education about records requests and part gathering the information that’s needed to fulfill a records request.

It’s time that HIM and a hospital’s digital and tech teams come together to make the process for requesting records a seamless patient experience. And if you think using a fax machine is a seamless experience for patients, then you’re part of the problem.


An Approach For Privacy – Protecting Big Data

Posted on February 6, 2017 | Written By


There’s little doubt that the healthcare industry is zeroing in on some important discoveries as providers and researchers mine collections of clinical and research data. Big data does come with some risks, however, with some observers fearing that aggregated and shared information may breach patient privacy. However, at least one study suggests that patients can be protected without interrupting data collection.

In what it calls a first, a new study appearing in the Journal of the American Medical Informatics Association has demonstrated that protecting the privacy of patients can be done without too much fuss, even when the patient data is pulled into big data stores used for research.

According to the study, a single patient anonymization algorithm can offer a standard level of privacy protection across multiple institutions, even when they are sharing clinical data back and forth. Researchers say that larger clinical datasets can protect patient anonymity without generalizing or suppressing data in a manner which would undermine its use.

To conduct the study, researchers set a privacy adversary out to beat the system. This adversary, who had collected a patient’s diagnoses from a single unspecified clinic visit, was asked to match them to a record in a de-identified research dataset known to include the patient. The researchers used data from Vanderbilt University Medical Center, Northwestern Memorial Hospital in Chicago and Marshfield Clinic.

The researchers knew that according to prior studies, the more data associated with each de-identified record, and the more complex and diverse the patient’s problems, the more likely it was that their information would stick out from the crowd. And that would typically force managers to generalize or suppress data to protect patient anonymity.

In this case, the team hoped to find out how much generalization and suppression would be necessary to protect identities found within the three institutions’ data, and after, whether the protected data would ultimately be of any use to future researchers.

The team processed relatively small datasets from each institution representing patients in a multi-site genotype-disease association study; larger datasets representing patients in the three institutions’ banks of de-identified DNA samples; and large sets which stood in for each institution’s EMR population.

Using the algorithm they developed, the team found that most of the data’s value was preserved despite the occasional need for generalization and suppression. On average, 12.8% of diagnosis codes needed generalization; the medium-sized biobank models saw only 4% of codes needing generalization; and among the large databases representing EMR populations, only 0.4% needed generalization and no codes required suppression.
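To make the generalization and suppression trade-off concrete, here is an added example, written for this post and not the JAMIA study’s own algorithm, which is more involved than this. It uses a constructed set of nine records with ICD-9-CM-style diagnosis codes and a threshold k (an assumption of the example): a code that appears in fewer than k records is generalized to its three-character category (250.02 becomes 250), and a generalized value that still appears in fewer than k records is suppressed. The adversary from the article, who knows the codes from one visit, is modelled by counting how many records are consistent with that knowledge before and after anonymization.

```python
from collections import Counter

# Constructed sample records (sets of diagnosis codes), not real patient data.
# 250.xx = diabetes, 401.9 = hypertension, 272.4 = hyperlipidemia,
# 714.0 = rheumatoid arthritis (deliberately rare in this sample).
SAMPLE_RECORDS = [
    {"250.00", "401.9"},
    {"250.00", "401.9", "272.4"},
    {"250.02", "401.9"},
    {"401.9", "272.4"},
    {"250.01", "401.9"},
    {"250.02", "272.4"},
    {"714.0", "401.9"},
    {"250.00", "401.9", "714.0"},
    {"401.9", "272.4"},
]


def generalize(code: str) -> str:
    """Drop the decimal part: 250.02 -> 250 (the ICD-9 category)."""
    return code.split(".")[0]


def anonymize(records, k):
    """Generalize codes seen in fewer than k records, then suppress any
    value that is still rarer than k. Returns the anonymized records,
    the code mapping, the suppressed values, and a summary of what changed."""
    code_counts = Counter(c for rec in records for c in rec)
    mapping = {c: (c if n >= k else generalize(c)) for c, n in code_counts.items()}

    mapped = [{mapping[c] for c in rec} for rec in records]
    value_counts = Counter(v for rec in mapped for v in rec)
    suppressed_values = {v for v, n in value_counts.items() if n < k}

    out = [{v for v in rec if v not in suppressed_values} for rec in mapped]
    stats = {
        "generalized": sorted(c for c, v in mapping.items()
                              if v != c and v not in suppressed_values),
        "suppressed": sorted(c for c, v in mapping.items() if v in suppressed_values),
    }
    return out, mapping, suppressed_values, stats


def transform_knowledge(known_codes, mapping, suppressed_values):
    """Apply the same generalization/suppression to what the adversary knows,
    since only anonymized values can be matched against the released data."""
    return {mapping.get(c, generalize(c)) for c in known_codes} - suppressed_values


def candidates(records, known_codes):
    """Indexes of records consistent with the adversary's knowledge."""
    return [i for i, rec in enumerate(records) if known_codes <= rec]


if __name__ == "__main__":
    k = 3
    out, mapping, suppressed, stats = anonymize(SAMPLE_RECORDS, k)
    print("generalized:", stats["generalized"], "suppressed:", stats["suppressed"])
    for known in ({"250.02", "401.9"}, {"714.0", "401.9"}):
        before = candidates(SAMPLE_RECORDS, known)
        after = candidates(out, transform_knowledge(known, mapping, suppressed))
        print(f"adversary knows {sorted(known)}: {len(before)} match(es) before, "
              f"{len(after)} after")
```

With k = 3 the adversary who knows {250.02, 401.9} goes from a unique match to two candidates, and the one who knows {714.0, 401.9} from two candidates to eight. Note that thresholding each code on its own does not guarantee k matches for every combination of codes (the first adversary still has only two), which is exactly why the study’s algorithm has to consider how codes co-occur rather than just how often each appears.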

More work like this is clearly needed as the demand for large-scale clinical, genomic and transactional datasets grows. But in the meantime, this seems to be good news for budding big data research efforts.

Are Security Certifications Needed to Simplify the Acquisition Process?

Posted on January 20, 2017 | Written By


I’m generally someone who hates certifications. However, I hate them because they’re often implemented poorly and easily gamed. When they’re implemented effectively, they can be extremely helpful. Think about all the safety certifications that electronics have to go through. I’m sure they’ve saved our lives and saved our houses from burning down many times over.

I’ve wondered if a security certification would be useful for healthcare IT applications. Certainly it wouldn’t be perfect (security never is), but it could serve as a baseline security check that would help healthcare organizations with their acquisition process.

The reality is that many organizations don’t properly vet the healthcare IT applications they purchase for security. They aren’t consistent and they have limited resources. A security certification in theory would spread the costs of certifying a healthcare application’s security across a large number of organizations and thus save everyone money.

The key to this certification is not to have it as a kind of pass/fail certification. Sure, you want to say that it meets a certain standard of security, but more importantly it would also create a report on what type of security was implemented for that software.

Take encryption for example. Every healthcare organization looks for encryption. A security certification could ensure that the software system has implemented encryption appropriately and also describe how the encryption was implemented. Is it end-to-end encryption? Do they encrypt the data at rest? What about encryption of the data being stored on the customer’s device? And so on.

One challenge with this idea is that CIOs, health IT companies, and other technology professionals can become over-reliant on certifications. It would have to be clear that the security certification was just a baseline and not a 100% foolproof way to secure your IT software. This is a challenge, since health IT sales reps are going to position a security certification as exactly that. It would take some effective marketing for people to understand that the security certification could save them time in their security analysis of a new health IT software purchase, but wasn’t the be-all and end-all.

I imagine some people would argue that this type of certification and details about how an organization or software company implements their security would be a treasure trove for hackers. Certainly you’d have to be careful with what you share and how you share it. However, most of the details are things that a good hacker could figure out anyway.

As it is today, health IT companies just say they’re HIPAA compliant (whatever that means) and many healthcare CIOs are floundering with limited resources for evaluating the security of the applications they buy. A security certification could help them make some headway on this I think.

Done the right way, a security certification could help set a new bar for how vendors approach security. That could be a very good thing. Of course, if not updated regularly and effectively, it could also require a bunch of hoop jumping that doesn’t provide real value. It’s a tricky challenge.

HIM’s Role in Healthcare Security and Privacy – HIM Scene

Posted on November 30, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

This post is part of the HIM Series of blog posts. If you’d like to receive future HIM posts in your inbox, you can subscribe to future HIM Scene posts here.

One of my go-to experts on healthcare privacy and security is Mac McMillan, CEO and Co-Founder of CynergisTek. He’s built a really great company that focuses on privacy and security in healthcare and he’s a true expert.

While at AHIMA 2016, I talked with Mac about the role that HIM plays in healthcare privacy and security. We also talked about where healthcare privacy is heading and which part of healthcare privacy and security doesn’t get enough attention. I also asked Mac to make a big 20-year prediction on what will happen with privacy and security in healthcare.

Check out our interview with Mac McMillan, CEO and Co-Founder of CynergisTek:

We shot a number of other videos at AHIMA 2016 which we’ll be posting shortly. If you enjoyed this video, be sure to Subscribe to Healthcare Scene on YouTube and watch our full archive of Healthcare Scene interviews.


E-Patient Update: Hospitals Should Share Ransomware Updates

Posted on October 14, 2016 I Written By

Anne Zieger is a veteran healthcare branding and communications expert with more than 25 years of industry experience, and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also worked extensively with healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

A few weeks ago, a California hospital quietly fended off a ransomware attack without paying a ransom to the attackers. According to Health Leaders Media, Keck Medical Center of USC was hit with a ransomware assault on servers at two hospitals, but managed to fix the problem and retrieve its data.

Employees at Keck Hospital of USC and Norris Comprehensive Cancer Care found ransomware on two servers on August 1, said Keck Hospitals CEO Rod Hanners in a statement on the matter. The attack encrypted files on the servers, which made their data unavailable to hospital employees. However, Hanners reported, the hospitals had no evidence of a breach of patient information.

Still, given that some sensitive information was contained in folders encrypted by the malware, USC notified patients about the breach, Health Leaders reports. Data that could (at least theoretically) have been accessed by the attackers included names and dates of birth, health information such as treatment and diagnosis information and some Social Security numbers.

If what I’ve read is accurate, the crew at Keck did a great job. They got things under control very quickly, and chose to do the right thing in notifying patients about the breach. (And in all truth, the attack might not have been much of a big deal — perhaps one launched by a script kiddie using Ransomware as a Service tools — which could explain why the hospitals seem to be relatively unruffled.) Still, my feeling is that they could have communicated more.

A patient’s perspective

As I ponder the events above, I do wonder whether the professionals managing this particular ransomware attack understand what it’s like to be on the receiving end of a ransomware episode. So here are a few things to consider from a patient’s perspective:

  • Ransomware is scary: While I’m a healthcare technology writer and somewhat familiar with ransomware attacks, they are still new to most of the public. To you they may be just another kind of malware on your network, but to consumers they come across as a dark force. Be prepared to educate and calm us.
  • People don’t know what to expect: I was due to have a cardiac procedure done by a doctor affiliated with Washington, D.C.-based MedStar Health a couple of weeks after it suffered a ransomware attack. While the news media made it clear that the hospital chain was paralyzed for a time, nobody bothered to tell me what the impact of this paralysis would be on my care. It would have been better if MedStar facilities and doctors had reached out to patients in immediate and near-term need of care to clarify.
  • We need progress reports: Clearly, the Keck attack didn’t amount to much, but other ransomware attacks, such as the MedStar incident, can’t be resolved overnight. As patients, we need to know roughly how long our providers may be at less than full capacity. Keep us updated or you’ll lose our trust.

With any luck, healthcare organizations will continue to improve their ability to fend off ransomware attacks and, in time, will be able to treat them as little more than speed bumps in their security efforts. But until then, it makes sense to pull out all the stops and keep patients extra well-informed.