
Phishing Attack On Hospital Could Impact 1.4 Million Patients

Posted on August 3, 2018 | Written By

Anne Zieger is a veteran healthcare branding and communications expert with more than 25 years of industry experience, and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also worked extensively with healthcare and health IT organizations, including several Fortune 500 companies. She can be reached at @ziegerhealth or www.ziegerhealthcare.com.

A hospital in West Des Moines, Iowa has entered its third month of public disclosure after experiencing a data breach which could impact 1.4 million patients.

On May 31st, UnityPoint Health discovered that a phishing attack on its business email system had created a breach. Its investigation found that the company got a series of fraudulent emails pretending to have come from an executive within UnityPoint. After contacting law enforcement and beginning to research the situation, UnityPoint disclosed the existence of the breach to the public.

The patient information exposed includes names, addresses, dates of birth, medical record numbers and insurance information. Cyber attackers may also have gotten access to patient Social Security numbers and/or drivers’ license numbers. In a limited number of cases, attackers might even have been able to access patients’ payment card or bank account numbers.

Since then, UnityPoint has continued to keep its patients aware of any news on the situation, a painful yet necessary process which can help it rebuild its credibility. After all, it’s likely that the news of UnityPoint’s breach will get consumers very upset.

In fact, a new survey by SCOUT in partnership with The Harris Poll found that 49% of American adults are extremely or very concerned about the security of their personal health information. Given the fact that they’ve been hit with news of such breaches very regularly in recent years, it’s little wonder.

It’s worth noting that many consumers aren’t using online healthcare tools very often. For example, while 39% of those aged 18 to 34 used online portals to access their health information, all told only 36% of Americans overall use this technology.

As their health information knowledge increases, though, most patients become more concerned with what providers do to protect the privacy and security of their healthcare data. They learn how valuable this data is to potential buyers, and how there’s a ready market for their data in clandestine, impossible-to-track sites on the Dark Web.

Also, as the tenor of news coverage shifts from technical terms like “data breach” to tales of what happened to specific consumers, it’s likely that consumers will develop a more realistic view of what’s at stake here. If they’re freaked out at that point, they’ve probably figured out how a breach could impact their lives.

Some Physicians Get Personally Identifiable Information Via Texts Every Day

Posted on June 22, 2018 | Written By Anne Zieger

A new survey has concluded that despite efforts to better protect patient data privacy, a substantial number of providers are still getting unsecured messages that contain patient information.

The survey, which was performed by Black Book Market Research, analyzed replies from 770 hospital-based users and 1,279 physician practices. Researchers looked at how care teams were retaining secure communications.

The market research firm found that 30% of respondents received texts that included individually identifiable data every day. This result should curdle the blood of healthcare cybersecurity experts since I’m pretty sure most of these patients haven’t agreed to these unsecured texts.

However, both hospitals and physicians are pressing forward with platforms that protect patient data while linking teams together. The vast majority of respondents (94% of physicians and 90% of hospitals) told Black Book that mobile technology, in particular, could improve patient safety and outcomes.

The majority of respondents (85% of hospitals and 80% of physician practices) reported that they were committed to investing in secure communications platforms capable of tying together care teams, patients and families. And they’re in a hurry. In fact, 96% of hospitals expected to budget for or invest in comprehensive clinical communication platforms before the close of 2018.

That being said, 63% of study respondents said they were finding it difficult to get mobile technology buy-in from colleagues. Actually, that’s not too surprising. If you ask physicians to switch from an easy-to-use, effective tool like texting to an unknown communications platform, they’re likely to resist. They probably understand intellectually why using secure, collaboration-friendly software is a good idea, but the truth is that these platforms might disrupt physicians’ routines substantially.

Meanwhile, 90% of hospitals and 77% of physician practices that participated in the survey said they were using intrusion detection systems and secure email. However, this news isn’t that encouraging, as the majority of existing physician portals already offer secure email, and intrusion detection systems are pretty much a given by current standards.

The truth is, with healthcare data growing more valuable than ever and the threat landscape expanding rapidly, both hospitals and medical practices will need to step up their game substantially if they want to avoid security breaches. Investing in secure communications platforms is good, but it only addresses part of their security problems.

Over the long haul, both hospitals and doctors will have to get better at protecting both their mobile and enterprise data assets. There are good reasons to focus on secure mobile communications now, but providers can’t let it distract them from enterprise-wide security problems.

 

What? In Some Cases, Additional IT Spending May Not Prevent Breaches

Posted on June 11, 2018 | Written By Anne Zieger

A new research study has come to a sobering conclusion – that investing more in IT security doesn’t necessarily reduce the number of breaches.

The research, which appeared in the MIS Quarterly, looked at how many breaches hospitals experienced relative to their IT security spending. The study authors started with the assumption that hospitals spending more on security would enjoy better protection from breaches.

The researchers assumed that, looked at broadly, some security investments were “symbolic,” making superficial improvements that don’t get to the root of the problem, while others were substantive investments which met well-defined security needs.

After reviewing their data, researchers noted that many classes of hospitals turned out to be symbolic security investors, including members of smaller health systems, older hospitals, smaller hospitals and for-profit hospitals. They also noted that faith-based and less-entrepreneurial hospitals were prone to such investments. The only category of hospitals routinely making substantive security investments was teaching hospitals.

But that’s far from all. Their more controversial conclusions focused on the role of IT security investments in preventing security breaches. In short, their conclusion was pretty counterintuitive.

First, they found that larger IT security investments did not in and of themselves lower the likelihood of security breaches. Not only that, researchers concluded that the benefits of substantive adoption wouldn’t generate greater breach protection over time.

Researchers also concluded that the benefits of substantive IT security adoption by hospitals would take time to be realized. If I’m reading this correctly, mature IT security systems should offer more advantages over time, but not necessarily better breach protection.

Meanwhile, researchers concluded that the negative consequences of symbolic adoption would grow worse over time.

I don’t know about you, but I was pretty surprised by these results. Why wouldn’t substantively increasing security spending reduce the occurrence of breaches within hospitals? It’s something of a head-scratcher.

Of course, the answer to this question may lie in what type of substantive security investment hospitals make. The current set of results suggests, to me at least, that current technologies may not be as good at preventing breaches as they should be. Or maybe hospitals are investing in good technology but not hiring enough IT security experts to get the installation done right. Plus, purchasing security infrastructure can only do so much to stop bad user behavior. The issue deserves further research.

Regardless, this study offers food for thought. The industry can’t afford to do a bad job with preventing breaches.

Hospital CIOs Say Better Data Security Is Key Goal

Posted on November 9, 2016 | Written By Anne Zieger

A new study has concluded that while they obviously have other goals, an overwhelming majority of healthcare CIOs see data protection as their key objective for the near future. In the study, which was sponsored by Spok and administered by CHIME, more than 100 IT leaders were polled on their perspective on communications and healthcare.

In addition to underscoring the importance of data security efforts, the study also highlighted the extent to which CIOs are being asked to add new functions and wear new hats (notably patient satisfaction management).

Goals and investments
When asked what business goals they expected to be focused on for the next 18 months, the top goal of 12 possible options was “strengthening data security,” which was chosen by 81%. “Increasing patient satisfaction” followed relatively closely at 70%, and “improving physician satisfaction” was selected by 65% of respondents.

When asked which factors were most important in making investments in communications-related technologies for their hospital, the top factor of 11 possible options was “best meets clinician/organizational needs” with 82% selecting that choice, followed by “ease of use for end users (e.g. physician/nurse)” at 80% and “ability to integrate with current systems (e.g. EHR)” at 75%.

When it came to workflows they hoped to support with better tools, “care coordination for treatment planning” was the clear leader, chosen by 67% of respondents, followed by patient discharge (48%), “patient handoffs within hospital” (46%) and “patient handoffs between health services and facilities,” chosen by 40% of respondents.

Mobile developments
Turning to mobile, Spok asked healthcare CIOs which of nine technology use cases were driving the selection and deployment of mobile apps. The top choices, by far, were “secure messaging in communications among care team” at 84% and “EHR access/integrations” with 83%.

A significant number of respondents (68%) said they were currently in the process of rolling out a secure texting solution. Respondents said their biggest challenges in doing so were “physician adoption/stakeholder buy-in” at 60% and “technical setup and provisioning” at 40%. A substantial majority (78%) said they’d judge the success of their rollout by the rate at which the solution was adopted by physicians.

Finally, when Spok asked the CIOs to take a look at the future and predict which issues will be most important to them three years from now, the top-rated choice was “patient centered care,” which was chosen by 29% of respondents, followed by “EHR integrations” and “business intelligence.”

A couple of surprises
While much of this is predictable, I was surprised by a couple things.

First, while the study doesn’t seem to have been designed for statistical significance, it’s still worth noting that so many CIOs said improving patient satisfaction was one of their top three goals for the next 18 months. I’m not sure what they can do to achieve this end, but clearly they’re trying. (Exactly what steps they should take is a subject for another article.)

Also, I didn’t expect to see so many CIOs engaged in rolling out secure texting, partly because I would’ve expected such rollouts to already have been in place at this point, and partly because I assume that more CIOs would be more focused on higher-level mobile apps (such as EHR interfaces). I guess that while mobile clinical integration efforts are maturing, many healthcare facilities aren’t ready to take them on yet.

Verizon Takes On Healthcare Security, Gives Free Credentials To Millions of Providers

Posted on December 7, 2011 | Written By Anne Zieger

Want to know how badly Verizon wants to take a quick leading role in the emerging mHealth business? Executives are willing to admit right out that the marginal value of using their networks for good ol’ landline phone calls is effectively gone. Their future lies in solving thorny problems for rapidly evolving verticals like the healthcare industry, it seems.

“Today, the real cost of making a phone call is zero,” said Dr. Peter Tippett, vice president and chief medical information officer for Verizon Connected Healthcare Solutions, who spoke to us on the floor of this week’s mHealth Summit exhibit. “That’s why we’re becoming a technology (read, network applications and services) company.”

Among the more interesting services pitched by Dr. Tippett and colleagues was Verizon’s Medical Data Exchange, which, if I understood our chat correctly, is an HIE add-on which they’ve built to be more flexible and secure than the existing HIE models out there.

Unlike HIE systems, MDE doesn’t store patient data, Dr. Tippett explained. It’s a Web services platform allowing providers to push both structured and unstructured information to each other through transcription platforms and the Verizon Healthcare Provider Portal, along with traditional medical records data.

To keep data secure, Verizon supports the exchange through its related Universal Identity Services for Healthcare, which lets providers get digital health data through the MDE using a secure, private inbox accessible through the provider portal. The identity credentials meet HIPAA requirements for NIST Level 3 authentication, allowing for e-prescribing of controlled substances or accessing electronic patient data.

To support the MDE play, Verizon has begun issuing free medical identity credentials to 2.3 million U.S. doctors, physician assistants and nurse practitioners. These credentials should meet HITECH standards for strong identity credentials, VZ says.

But wait, dear readers — I started out this item telling you I’d offer info on Verizon’s mHealth position. Well, at the risk of being cruel,  if it has any front-end apps or middleware to directly support mHealth deployment in play, Dr. Tippett wasn’t discussing them.

Still, to be fair, there’s approximately a gajillion front-end developers, and many many companies capable of creating middleware which can normalize mobile data and fit into the EMR space. (SAP, for example, told us it was all over the problem.)

It will certainly be interesting to see how Verizon fares in a world where brute force network ownership doesn’t impress, but technical know-how and new mobile deployment models do. Hospital leaders, have you seen any signs that Verizon will be a player in your mobile strategies as of yet?

Hospitals Giving Data Security Way Too Little Attention

Posted on September 14, 2011 | Written By Anne Zieger

I’m not exactly an innocent flower, I wasn’t born yesterday and I didn’t just fall off the turnip truck.

Still, I have to say that I was a bit surprised and disheartened  by the news that popped into my inbox yesterday. It seems that despite having countless reasons to do so — including, of course, the rollout of new EMRs — hospitals haven’t cleaned up their security act much.

According to HIMSS research cited in a new article in Information Week, less than half of hospitals are doing an annual security risk assessment.

The story, which cites a new report from consulting firm CSC, notes that under both Stage 1 Meaningful Use rules and proposed Stage 2 rules, hospitals need to conduct annual risk checks and fix any problems they find.

And then, it reminds us, there are also tougher HIPAA security requirements on the way, which are likely to require such assessments, as well as demanding new security breach notifications and extension of security requirements to business associates.

But according to HIMSS data cited in the story, only 47 percent of hospitals currently conduct such annual risk assessments, and 58 percent of HIMSS survey respondents didn’t have a single staff member dedicated to security.

Now, as writer Ken Terry appropriately notes, it’s not that data security isn’t on hospitals’ radar. When HIMSS surveyed CIOs for its 2011 Leadership Survey, it found that 30 percent said that complying with HIPAA and CMS regs was their biggest security issue.

Still, it seems to me that hospitals are skating on thin ice. What I see in these numbers is IT leaders who are in “hope and pray” mode where data security is concerned, an irresponsible position at best.

Yes, I know, security professionals are hard to find and expensive to retain. I realize that simply maintaining and implementing health IT systems is more challenging than ever in the post-EMR environment. And of course, I realize that virtually all hospitals do have meaningful security measures in place, even if you aren’t checking in on them as often as you’d like.

That being said, I doubt your hospital is ready to pay the price of a security breach, particularly in an era where the costs include possible CMS sanctions, fines, a public relations nightmare — plus, quite possibly, a heck of a lot of backtracking and hasty patching of systems. Compared with what an EMR breach could cost, spending even $100K a year for a security specialist is peanuts for all but the smallest players.

I sincerely hope hospital CIOs get in gear quickly on this issue. If I can hardly believe what I’m reading, the feds aren’t going to be too forgiving either.