What? In Some Cases, Additional IT Spending May Not Prevent Breaches

Posted on June 11, 2018 | Written By

Anne Zieger is a veteran healthcare branding and communications expert with more than 25 years of industry experience, and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also worked extensively with healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

A new research study has come to a sobering conclusion – that investing more in IT security doesn’t necessarily reduce the number of breaches.

The research, which appeared in the MIS Quarterly, looked at how many breaches hospitals experienced relative to their IT security spending. The study authors started with the assumption that hospitals spending more on security would enjoy better protection from breaches.

The researchers assumed that, looked at broadly, some security investments were “symbolic,” making superficial improvements that don’t get to the root of their problem, while others were substantive investments which met well-defined security needs.

After reviewing their data, researchers noted that many classes of hospitals turned out to be symbolic security investors, including members of smaller health systems, older hospitals, smaller hospitals and for-profit hospitals. They also noted that faith-based and less-entrepreneurial hospitals were prone to such investments. The only category of hospitals routinely making substantive security investments was teaching hospitals.

But that’s far from all. Their more controversial conclusions focused on the role of IT security investments in preventing security breaches. In short, their conclusion was pretty counterintuitive.

First, they found that larger IT security investments did not in and of themselves lower the likelihood of security breaches. Not only that, researchers concluded that the benefits of substantive adoption wouldn’t generate greater breach protection over time.

Researchers also concluded that the benefits of substantive IT security adoption by hospitals would take time to be realized. If I’m reading this correctly, mature IT security systems should offer more advantages over time, but not necessarily better breach protection.

Meanwhile, researchers concluded that the negative consequences of symbolic adoption would grow worse over time.

I don’t know about you, but I was pretty surprised by these results. Why wouldn’t substantively increasing security spending reduce the occurrence of breaches within hospitals? It’s something of a head-scratcher.

Of course, the answer to this question may lie in what type of substantive security investment hospitals make. The current set of results suggests, to me at least, that current technologies may not be as good at preventing breaches as they should be. Or maybe hospitals are investing in good technology but not hiring enough IT security experts to get the installation done right. Plus, purchasing security infrastructure can only do so much to stop bad user behavior. The issue deserves further research.

Regardless, this study offers food for thought. The industry can’t afford to do a bad job with preventing breaches.

Hospital CIOs Say Better Data Security Is Key Goal

Posted on November 9, 2016 | Written By Anne Zieger

A new study has concluded that while they obviously have other goals, an overwhelming majority of healthcare CIOs see data protection as their key objective for the near future. In the study, which was sponsored by Spok and administered by CHIME, more than 100 IT leaders were polled on their perspective on communications and healthcare.

In addition to underscoring the importance of data security efforts, the study also highlighted the extent to which CIOs are being asked to add new functions and wear new hats (notably patient satisfaction management).

Goals and investments
When asked what business goals they expected to be focused on for the next 18 months, the top goal of 12 possible options was “strengthening data security,” which was chosen by 81%. “Increasing patient satisfaction” followed relatively closely at 70%, and “improving physician satisfaction” was selected by 65% of respondents.

When asked which factors were most important in making investments in communications-related technologies for their hospital, the top factor of 11 possible options was “best meets clinician/organizational needs” with 82% selecting that choice, followed by “ease of use for end users (e.g. physician/nurse)” at 80% and “ability to integrate with current systems (e.g. EHR)” at 75%.

When it came to workflows they hoped to support with better tools, “care coordination for treatment planning” was the clear leader, chosen by 67% of respondents, followed by patient discharge (48%), “patient handoffs within hospital” (46%) and “patient handoffs between health services and facilities,” chosen by 40% of respondents.

Mobile developments
Turning to mobile, Spok asked healthcare CIOs which of nine technology use cases were driving the selection and deployment of mobile apps. The top choices, by far, were “secure messaging in communications among care team” at 84% and “EHR access/integrations” with 83%.

A significant number of respondents (68%) said they were currently in the process of rolling out a secure texting solution. Respondents said their biggest challenges in doing so were “physician adoption/stakeholder buy-in” at 60% and “technical setup and provisioning” at 40%. A substantial majority (78%) said they’d judge the success of their rollout by the rate at which the solution was adopted by physicians.

Finally, when Spok asked the CIOs to take a look at the future and predict which issues will be most important to them three years from now, the top-rated choice was “patient centered care,” which was chosen by 29% of respondents, followed by “EHR integrations” and “business intelligence.”

A couple of surprises
While much of this is predictable, I was surprised by a couple things.

First, while the study doesn’t seem to have been designed for statistical significance, it’s still worth noting that so many CIOs said improving patient satisfaction was one of their top three goals for the next 18 months. I’m not sure what they can do to achieve this end, but clearly they’re trying. (Exactly what steps they should take is a subject for another article.)

Also, I didn’t expect to see so many CIOs engaged in rolling out secure texting, partly because I would’ve expected such rollouts to already have been in place at this point, and partly because I assume that more CIOs would be more focused on higher-level mobile apps (such as EHR interfaces). I guess that while mobile clinical integration efforts are maturing, many healthcare facilities aren’t ready to take them on yet.

Verizon Takes On Healthcare Security, Gives Free Credentials To Millions of Providers

Posted on December 7, 2011 | Written By Anne Zieger

Want to know how badly Verizon wants to take a quick leading role in the emerging mHealth business? Executives are willing to admit right out that the marginal value of using their networks for good ol’ landline phone calls is effectively gone. Their future lies in solving thorny problems for rapidly evolving verticals like the healthcare industry, it seems.

“Today, the real cost of making a phone call is zero,” said Dr. Peter Tippett, vice president and chief medical information officer for Verizon Connected Healthcare Solutions, who spoke to us on the floor of this week’s mHealth Summit exhibit. “That’s why we’re becoming a technology (read, network applications and services) company.”

Among the more interesting services pitched by Dr. Tippett and colleagues was Verizon’s Medical Data Exchange, which, if I understood our chat correctly, is an HIE add-on which they’ve built to be more flexible and secure than the existing HIE models out there.

Unlike HIE systems, MDE doesn’t store patient data, Dr. Tippett explained. It’s a Web services platform allowing providers to push both structured and unstructured information to each other through transcription platforms and the Verizon Healthcare Provider Portal, along with traditional medical records data.

To keep data secure, Verizon supports the exchange through its related Universal Identity Services for Healthcare, which lets providers get digital health data through the MDE using a secure, private inbox accessible through the provider portal. The identity credentials meet HIPAA requirements for NIST level 3 authentication, allowing for e-prescribing of controlled substances or accessing electronic patient data.

To support the MDE play, Verizon has begun issuing free medical identity credentials to 2.3 million U.S. doctors, physician assistants and nurse practitioners. These credentials should meet HITECH standards for strong identity credentials, VZ says.

But wait, dear readers — I started out this item telling you I’d offer info on Verizon’s mHealth position. Well, at the risk of being cruel, if it has any front-end apps or middleware to directly support mHealth deployment in play, Dr. Tippett wasn’t discussing them.

Still, to be fair, there’s approximately a gajillion front-end developers, and many many companies capable of creating middleware which can normalize mobile data and fit into the EMR space. (SAP, for example, told us it was all over the problem.)

It will certainly be interesting to see how Verizon fares in a world where brute force network ownership doesn’t impress, but technical know-how and new mobile deployment models do. Hospital leaders, have you seen any signs that Verizon will be a player in your mobile strategies as of yet?

Hospitals Giving Data Security Way Too Little Attention

Posted on September 14, 2011 | Written By Anne Zieger

I’m not exactly an innocent flower, I wasn’t born yesterday and I didn’t just fall off the turnip truck.

Still, I have to say that I was a bit surprised and disheartened by the news that popped into my inbox yesterday. It seems that despite having countless reasons to do so — including, of course, the rollout of new EMRs — hospitals haven’t cleaned up their security act much.

HIMSS research shows that less than half of hospitals are doing an annual security risk assessment, according to a new article in Information Week.

The story, which cites a new report from consulting firm CSC, notes that under both Stage 1 Meaningful Use rules and proposed Stage 2 rules, hospitals need to conduct annual risk checks and fix any problems they find.

And then, it reminds us, there are also tougher HIPAA security requirements on the way, which are likely to require such assessments, as well as demanding new security breach notifications and extension of security requirements to business associates.

But according to HIMSS data cited in the story, only 47 percent of hospitals currently conduct such annual risk assessments, and 58 percent of HIMSS survey respondents didn’t have a single staff member dedicated to security.

Now, as writer Ken Terry appropriately notes, it’s not that data security isn’t on hospitals’ radar. When HIMSS surveyed CIOs for its 2011 Leadership Survey, it found that 30 percent said that complying with HIPAA and CMS regs was their biggest security issue.

Still, it seems to me that hospitals are skating on thin ice. What I see in these numbers is IT leaders who are in “hope and pray” mode where data security is concerned, an irresponsible position at best.

Yes, I know, security professionals are hard to find and expensive to retain. I realize that simply maintaining and implementing health IT systems is more challenging than ever in the post-EMR environment. And of course, I realize that virtually all hospitals do have meaningful security measures in place, even if you aren’t checking in on them as often as you’d like.

That being said, I doubt your hospital is ready to pay the price of a security breach, particularly in an era where the costs include possible CMS sanctions, fines, a public relations nightmare — plus, quite possibly, a heck of a lot of backtracking and hasty patching of systems. Compared with what an EMR breach could cost, spending even $100K a year for a security specialist is peanuts for all but the smallest players.

I sincerely hope hospital CIOs get in gear quickly on this issue. If I can hardly believe what I’m reading, the feds aren’t going to be too forgiving either.