Free Healthcare IT Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Get all the latest Health IT updates from Neil Versel for FREE!

Here’s why everyone is mum after ransomware attacks

Did you see the news yesterday about the ransomware attack against Emory Healthcare in Atlanta?

According to Health Data Management, a hacker breached the appointment scheduling system at the Emory Clinic’s Orthopedics and Spine Center and the Brain Health Center, and demanded an unspecified ransom. The breach affected 79,930 patients.

Emory Healthcare said it learned of the hack on Jan. 3, and the organization submitted a breach report to the HHS Office for Civil Rights on Feb. 21.

But that’s all the organization said, and for good reason. It’s the same reason why MedStar Health in the Washington-Baltimore area has not spoken to the press about its ransomware attack last March and April.

At a preconference symposium before last week’s HIMSS conference in Orlando, Florida, a security expert told attendees that the FBI instructs health systems not to talk publicly about such attacks, or disclose whether they have paid ransom. Hollywood Presbyterian Medical Center in Los Angeles did confirm that it paid about $17,000 ransom a year ago, but as I wrote at the time, the hospital doesn’t seem to have much of a clue about a lot of things, including patient safety and public ratings.

But if you’re wondering why you haven’t heard much follow-up from hacked hospitals, it’s likely because of the FBI, which doesn’t want public statements compromising an open criminal investigation.

March 2, 2017 | Written by Neil Versel

I'm a freelance healthcare journalist, specializing in health IT, mobile health, healthcare quality, hospital/physician practice management and healthcare finance.

Kill your fax machine (redux) and watch out for HIPAA violations

Today, noted medical informatics professor Dr. Bill Hersh had this exchange on Twitter with his daughter, a new medical student.


Later today, I stopped to pick up my mail in this multi-unit building and saw this sticking out of someone else’s mailbox.

A HIPAA violation waiting to happen

That’s right, it’s a “personal and confidential” letter from Quest Diagnostics, presumably either medical test results or a bill. Either way, it’s a HIPAA violation waiting to happen. In fact, it’s arguably already a disclosure, because whoever handled the envelope now knows which lab this person uses. The envelope is hanging out of this mailbox because it was misdelivered and whoever got it by accident placed it there for the intended recipient. But who’s to say it winds up in the right hands before someone else opens it?

Anyone who thinks paper is still a safeguard against privacy and security breaches, raise your hand. (Crickets.) Sure, electronic transmissions can be intercepted and databases hacked, but if you take the time to encrypt data in transit and at rest, you lessen the risk considerably; a misdelivered envelope has no such protection. And should there be a breach, the audit trail that the HIPAA Security Rule requires can help investigators pinpoint who accessed what, and when, and it creates a disincentive for employees to leak data. Paper leaves no such record.
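
What an audit trail buys you, as an added example that is not part of the original post: a small access log for patient records that answers the investigator's question ("who touched this chart?") and, going one step beyond the text, is tamper-evident, because an audit trail only pinpoints a culprit if the culprit cannot quietly edit it afterwards. Each entry carries an HMAC over its own fields plus the previous entry's HMAC, so altering or deleting any line breaks every line after it. The integrity key, the user names, the record identifiers and the sample activity are all constructed for the illustration.

```python
"""Added example (not from the original post): a tamper-evident PHI access
log, i.e. an audit trail that attributes a disclosure to a user and reveals
after-the-fact edits or deletions."""
import hashlib
import hmac
import json

# Hypothetical integrity key (assumption). In production it belongs in an HSM
# or a separate write-only logging service, not on the application server
# whose users it is meant to hold accountable.
LOG_KEY = b"example-audit-key-not-for-production"
GENESIS = "0" * 64  # "previous MAC" value for the first entry


def _mac(entry):
    """HMAC-SHA256 over every field except the MAC itself, in canonical order."""
    fields = {k: v for k, v in entry.items() if k != "mac"}
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(LOG_KEY, msg, hashlib.sha256).hexdigest()


def append_entry(chain, ts, user, patient_id, action):
    """Append one access record. Its MAC covers the previous record's MAC, so
    altering or removing any earlier line invalidates every line after it."""
    prev = chain[-1]["mac"] if chain else GENESIS
    entry = {"ts": ts, "user": user, "patient": patient_id,
             "action": action, "prev": prev}
    entry["mac"] = _mac(entry)
    chain.append(entry)
    return entry


def verify_chain(chain):
    """Return the index of the first bad entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("prev") != prev or not hmac.compare_digest(_mac(entry), entry["mac"]):
            return i
        prev = entry["mac"]
    return -1


def who_touched(chain, patient_id):
    """The investigator's question after a breach: who accessed this record?"""
    return [(e["ts"], e["user"], e["action"])
            for e in chain if e["patient"] == patient_id]


def sample_chain():
    """Constructed sample activity (assumption): three accesses, one of them an
    export of a chart by a user who is not on that patient's care team."""
    chain = []
    append_entry(chain, "2014-01-13T09:02:11Z", "nurse.kim", "MRN-0001", "view-labs")
    append_entry(chain, "2014-01-13T09:15:40Z", "billing.ray", "MRN-0002", "view-demographics")
    append_entry(chain, "2014-01-13T10:01:03Z", "billing.ray", "MRN-0001", "export-labs")
    return chain


if __name__ == "__main__":
    log = sample_chain()
    print(who_touched(log, "MRN-0001"))   # both accesses, including the export
    print(verify_chain(log))              # -1: intact
    log[2]["user"] = "nurse.kim"          # insider tries to rewrite history
    print(verify_chain(log))              # 2: first tampered entry
```

The chain detects modification and deletion but not truncation of the tail, which is why the last MAC should also be copied periodically to somewhere the application cannot write (a separate log host, or a signed checkpoint).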

As for the fax, it’s sadly ironic that a twentysomething is encountering a fax machine for the first time when she enters a healthcare environment. Kill your fax machine! It’s 2014. Why are we still using 1980s technology to transfer health information?

January 13, 2014 | Written by Neil Versel

Podcast: MMRGlobal’s Bob Lorsch addresses the ‘patent troll’ issue

Two weeks ago, I picked apart a terribly misleading, ideologically steeped Fox News story that wrongly linked the initial failure of the healthcare.gov Affordable Care Act insurance exchange to the Meaningful Use EHR incentive program. Among my many criticisms was the reporter’s apparent confusion between an actual EHR and My Medical Records, the untethered PHR offered by MMRGlobal.

In that post, I said, “I haven’t seen a whole lot of evidence that MMRGlobal isn’t much more than a patent troll.”

Bob Lorsch, CEO of that company, posted in the comments that I should put my money where my mouth is and interview him. (I had interviewed Lorsch before, but never wrote a story because of my longstanding policy of not paying attention to untethered PHRs since none that I know of has gained any market traction, despite years of hype.)

As this podcast demonstrates, I took Lorsch up on his offer. It was at times contentious, in part because I challenged many of his statements in the Fox story and to me, and in part because he challenged some of mine.

He asked me a pointed question: whether I still thought he was a patent troll. Based on the fact that MMR actually earned patents on a product it actively markets and didn’t just purchase someone else’s patents for the purpose of suing others, it’s hard to conclude that he is a patent troll.

Investopedia defines patent troll as:

A derogatory term used to describe people or companies that misuse patents as a business strategy. A patent troll obtains the patents being sold at auctions by bankrupt companies attempting to liquidate their assets, or by doing just enough research to prove they had the idea first. They can then launch lawsuits against infringing companies, or simply hold the patent without planning to practise the idea in an attempt to keep other companies’ productivity at a standstill.

By that definition, MMR is not. I still don’t think an untethered PHR is a good business model, a belief supported by the fact that publicly traded MMR is a penny stock, currently trading at less than 3 cents per share. I have said that patient engagement, called for on a small scale by Meaningful Use Stage 2 rules, could change the landscape for PHRs—with a better chance in pediatrics than for adult populations—but it certainly will take a few years.

I stand by my original statement that the Fox News story did health IT a huge disservice by latching onto one problem and trying to tie it to an unrelated issue simply because it fits an ideological narrative. As for MMR, well, take a listen and then judge for yourself. It’s a long podcast, but I went through the trouble of breaking it down by discussion point so you can skip around as necessary.

Podcast details: Interview with Bob Lorsch, CEO of MMRGlobal, recorded Oct. 18, 2013. MP3, mono, 128 kbps, 49.5 MB, running time 54:07

2:03        About My Medical Records
3:26        Why he believes his product is better than traditional EHRs
5:00        My skepticism of untethered PHRs
6:28        Lorsch’s interview with HIStalk from February
6:40        MMR’s user base
8:00        Why he thinks MMR could facilitate health information exchange
9:40        Health information exchanges vs. health insurance exchanges
10:15     Patient-centered HIE as an alternative to multiple patient portals
12:20     Physician trust of patient-supplied data, and other workflow issues
15:05     Emergency use case
15:50     How MMR is different from other PHRs
16:32     “Last mile” of connectivity
18:17     His assertion in Fox story that patients lose control of health information and privacy under ACA, despite HIPAA
24:15     MMR carries cyber liability insurance
25:00     Scope of MMR’s patents
26:45     “Likely” infringement of patents
27:45     Lawsuits and licensing
29:30     Patent troll?
31:10     Negotiations with WebMD and others
33:00     MMR’s reputation
35:00     “We build and sell what we have intellectual property rights to.”
36:25     Other vendors ignoring patients?
36:50     Standardization in health IT
38:38     MMR’s low stock price
39:20     Patient engagement boosting PHR use?
42:00     Interest from WellPoint
42:48     Payers building trust with PHRs
44:18     Other features of MMR’s PHR
46:45     Segmentation of sensitive parts of medical records
49:08     Putting me on the spot
50:35     His objective in asserting patent rights
51:15     MMR’s issue with Walgreens
52:25     Revenue sharing vs. licensing

October 31, 2013 | Written by Neil Versel

More on Blue Button Plus and MU2

My last post, based on comments from Frost & Sullivan health IT analyst Nancy Fabozzi at last week’s Healthcare Unbound conference, has generated a bit of controversy. Fabozzi said that “Blue Button Plus is totally disruptive,” possibly eliminating the need for some providers to get full-fledged patient portals in order to meet Meaningful Use Stage 2 standards.

In the comments under that post, David Smith of HealthInsight.org, a health improvement consortium in three Western states, correctly pointed out that MU2 requires not just that providers give 50 percent of patients electronic access to their records, but also that 5 percent of patients actually view, download or transmit their information. I also got an e-mail from a GE Healthcare executive reminding me of the view/download/transmit requirement, as well as the fact that EHR technology has to be certified by an ONC-approved certification and testing body.

The viewing and downloading certainly can be accomplished with Blue Button Plus apps or widgets. In fact, ONC’s Lygeia Ricciardi has said Blue Button Plus could be part of the Stage 3 rules.

Transmitting would seem to necessitate a portal since HIPAA demands — and patients should expect — security when sending protected health information over the Internet. Standard e-mail doesn’t cut it: it gives you no assurance of end-to-end encryption or of who actually sent the message. E-mail following Direct Project protocols does, because each message is signed and encrypted with S/MIME and exchanged only between endpoints whose X.509 certificates the other side trusts. MU2 already sanctions Direct for health information exchange between healthcare entities. There is no reason why it can’t work for individuals as well, as Dr. Deborah Peel’s Patient Privacy Rights Foundation is trying to facilitate.

This might be a bit unwieldy, asking each patient to set up a Direct e-mail address, but remember, providers only need 5 percent to do so in Stage 2. I see it as perfectly feasible that some small physician practices could bypass the portal and just make do with freely available resources like Blue Button Plus — though Blue Button Plus app developers likely will charge fees — and the openly published Direct standards.

UPDATE, July 18, 12:40 a.m. CDT:

HHS itself says Blue Button Plus meets MU2 standards.

From http://www.hhs.gov/digitalstrategy/open-data/introducing-blue-button-plus.html:

Blue Button Plus is a blueprint for the structured and secure transmission of personal health data. It meets and builds on the view, download, and transmit requirements in Meaningful Use Stage 2 for certified EHR technology in the following ways —

Structure: The recommended standard for clinical health data is the HL7 Consolidated Clinical Document Architecture or Consolidated CDA. The C-CDA is an XML-based standard that specifies the encoding, structure, and semantics of a clinical document. Blue Button Plus adopts the requirements for sections and fields from Meaningful Use Stage 2.

Transmit: In alignment with Meaningful Use Stage 2 standards, Blue Button Plus uses Direct protocols to securely transport health information from providers to third party applications. Direct uses SMTP, S/MIME, and X.509 certificates to achieve security, privacy, data integrity, and authentication of sender and receiver.

It sounds to me like compliance is just a matter of making sure that a Blue Button Plus app is certified as an EHR module.
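
As an added illustration, and not code from HHS, ONC or the Direct Project, here is what the "SMTP, S/MIME, and X.509" description above looks like in practice, in Python with the third-party cryptography package. The sender signs a C-CDA payload as a detached S/MIME signature using a certificate bound to its Direct address, and the receiving side extracts the signer's certificate from the signature and applies the Direct-specific trust decisions before accepting the message: the certificate must be bound to the claimed From address, be inside its validity window, and chain to a trust anchor. The Direct address, the certificate and the C-CDA stub are constructed for the example; the certificate is self-signed so the code runs offline, and the receiver treats it as its own anchor. The second S/MIME step (encrypting to the recipient's certificate) and the cryptographic signature verification itself are left to the S/MIME library and are not shown.

```python
"""Added example: Direct-style S/MIME signing and a receiving HISP's trust
checks. Requires the third-party `cryptography` package; not the page's code."""
import email
from datetime import datetime, timedelta, timezone
from email import policy

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs7
from cryptography.x509.oid import NameOID

# Constructed sample data (assumptions): a Direct address for a fictional
# practice and a stand-in for the C-CDA document that would really be sent.
SENDER = "drjones@direct.example-clinic.test"
CCDA_PAYLOAD = (b'<?xml version="1.0"?><ClinicalDocument>'
                b"<title>Continuity of Care Document</title></ClinicalDocument>")


def make_address_bound_cert(address, days=365):
    """Self-signed certificate whose subjectAltName rfc822Name is the Direct
    address (an "address-bound" Direct certificate). Self-signed only so the
    example runs offline; real ones are issued by a CA in the trust bundle."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, address)])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=days))
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(address)]),
                       critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def sign_smime(payload, key, cert):
    """Detached S/MIME signature (multipart/signed) over the payload: the first
    of Direct's two S/MIME steps (encryption to the recipient follows it)."""
    return (
        pkcs7.PKCS7SignatureBuilder()
        .set_data(payload)
        .add_signer(cert, key, hashes.SHA256())
        .sign(serialization.Encoding.SMIME, [pkcs7.PKCS7Options.DetachedSignature])
    )


def _validity(cert):
    # cryptography >= 42 exposes aware datetimes; older versions only naive UTC.
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=timezone.utc),
            cert.not_valid_after.replace(tzinfo=timezone.utc))


def receiver_checks(smime_bytes, claimed_sender, trust_anchors):
    """Policy checks a receiving HISP applies around signature verification:
    the signing cert must be bound to the From address, be within its validity
    window, and chain to a trusted anchor (here: be the anchor itself)."""
    msg = email.message_from_bytes(smime_bytes, policy=policy.default)
    result = {"multipart_signed": msg.get_content_type() == "multipart/signed"}
    sig_part = next(p for p in msg.iter_parts()
                    if "pkcs7-signature" in p.get_content_type())
    # The SignedData structure carries the signer's certificate; pull it out.
    signer = pkcs7.load_der_pkcs7_certificates(sig_part.get_payload(decode=True))[0]
    san = signer.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    bound = [a.lower() for a in san.get_values_for_type(x509.RFC822Name)]
    result["address_bound"] = claimed_sender.lower() in bound
    not_before, not_after = _validity(signer)
    result["in_validity_window"] = not_before <= datetime.now(timezone.utc) <= not_after
    anchors = {a.fingerprint(hashes.SHA256()) for a in trust_anchors}
    result["trusted_anchor"] = signer.fingerprint(hashes.SHA256()) in anchors
    result["accept"] = all(result.values())
    return result


if __name__ == "__main__":
    key, cert = make_address_bound_cert(SENDER)
    signed = sign_smime(CCDA_PAYLOAD, key, cert)
    print(receiver_checks(signed, SENDER, [cert]))                    # accept: True
    print(receiver_checks(signed, "mallory@other-hisp.test", [cert]))  # address_bound: False
```

The address-binding check is the one that distinguishes Direct from generic S/MIME: a valid signature from a certificate that belongs to someone else is still a rejection. In a real deployment the anchor set is the HISP's trust bundle rather than a single self-signed certificate, and the recipient's certificate is discovered through DNS CERT records or LDAP before the encryption step.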

July 17, 2013 | Written by Neil Versel

‘Five rights’ for data administration

You know about the “five rights” for medication administrations: the right drug, for the right patient, in the right dosage, on the right route, at the right time.

More recently we’ve seen “five rights” for effective clinical decision support: the right information, to the right stakeholder, at the right point in workflow, through the right channel, in the right format.

Now, security vendor Symantec brings us the “five rights” for data administration: Read more..

September 21, 2011 | Written by Neil Versel

Facebook + health data = all sorts of HIPAA questions

“Time’s Person of the Year is Mark Zuckerberg. Sorry, Julian Assange, I guess you didn’t violate enough people’s privacy.” — Stephen Colbert, Dec. 15, 2010.

Yes, Facebook has issues with privacy. Just Monday, the Electronic Privacy Information Center, the Center for Digital Democracy, Consumer Watchdog and the Privacy Rights Clearinghouse formally asked the Federal Trade Commission to stop Facebook from launching a facial-recognition feature. Last week, European regulators said they would investigate Facebook after it came out that Facebook’s 500 million to 700 million users were automatically opted in to facial recognition.

And now we hear that Microsoft is adding Facebook authentication to its HealthVault health information platform.

Let me repeat: You can now sign in via Facebook to a HealthVault personal health record.

Though I’m not a lawyer, I’m wondering if Microsoft might not be treading in some dangerous territory. What if it’s possible to link HealthVault updates to Facebook so your entire social network knows that you just got a lab test result back? What if the Facebook location tagger indicates that you’ve just visited an STD clinic? Yeah, sometimes discretion is in order, and Facebook generally isn’t the place to be discreet.

According to Healthcare IT News’ MobileHealthWatch blog, Microsoft’s Sean Nolan was practically giddy about this arrangement helping HealthVault go mobile. I think mobility will help make PHRs a bit more attractive to patients, but I still think PHRs are DOA if they don’t link to EHRs.

I just don’t see a lot of medical practices being willing to send electronic data back and forth to HealthVault accounts if authentication is delegated to Facebook. That makes MobileHealthWatch’s claim that, in the wake of the supposed demise or at least de-emphasis of Google Health, HealthVault is now “more or less unchallenged as the PHR of record” a joke. There’s no such thing as a PHR of record, and there won’t be as long as authentication passes through Facebook.


June 13, 2011 | Written by Neil Versel

Do you trust the cloud for EHRs?

Do you trust the cloud for EHRs? That’s the question I ask in my weekly post for EMR and HIPAA. Check it out, and share your opinion.

May 26, 2011 | Written by Neil Versel

Blogging by Twitter?

Oh man, I’ve been busy. I filled in as writer of the Midwest edition of Payers and Providers the last two weeks because regular editor Duncan Moore, a former colleague, had been hospitalized. (Get well soon, Duncan.) I’ve been at the Institute for Health Technology Transformation health IT summit in Fort Lauderdale, Fla., since yesterday, and I’ve also had my regular deadlines for InformationWeek and MobiHealthNews.

I moderated two IHT2 conference sessions yesterday, on how health IT underpins Accountable Care Organizations and how business intelligence can create a framework for health information exchange. I haven’t had time to blog about those, but several people seem to have tweeted during those sessions. I therefore present a rundown via Twitter.

@narmi91 #iHT2 FMA #HIE strategy: Simple HIE gives physicians instant value, allows them to dip their toe in the water.

@narmi91 #iHT2 #HIE strategy: Adopt exchange before adopting #EHR. Which would you choose Internet (HIE) or PC (EHR)?

@narmi91 #iHT2 #HIT for #ACO: Primary care medical home is a must for ACO. Paying patients to perform. Also focus on medical assistants & nurses.

@narmi91 #iHT2 #HIT for #ACO: Changing patient behavior: need to engage patients. BCBS has new benefit plan $300-700 cash for manage health and qual.

@narmi91 #iHT2 #HIT for #ACO: Fed/state gov are more on the side of privacy but security always comes down to human behavior.

@narmi91 #iHT2 #HIT for #ACO: Pace of tech adoption in healthcare is much slower than other industries: Privacy & security, care coord, social sci.

@ICALeader Dr Freeman says healthcare is more focused on quality assurance than quality improvement, need multi-disciplinary groups to achieve QI #iHT2

@narmi91 #iHT2 #HIT for #ACO: Quality improvement process can help identify clinical decision support.

@narmi91 #iHT2 #HIT for #ACO: Victor from HRSA – HIE challenges include security issues and not enough discrete data. Most #EHR not designed for qual

@ICALeader Kevin Mather says upside & downside risk must be high & metrics must be measured for quality & cost monthly for ACO success #iHT2 #HIE #ACO

@ICALeader Dr. Freeman reminds #ACO & #HIE not to forget federal healthcare DOD, VA & IHS agencies in effort to coordinate care @ #iHT2 FTL

@bhparrish: Patient-centered #HIE with secure communication will be essential infrastructure for #ACO development. <RT @ICALeader> #iHT2


May 11, 2011 | Written by Neil Versel

Spring training for Health Wonk Review


The sun is shining here in Chicago and the mercury is supposed to hit 60 degrees today for the first time in months. That could mean only one thing: Spring is in the air, and hope springs eternal, even for the star-crossed Cubs. Though it’s still spring training, noted Yankees fan Glenn Laffel of the Pizaazz blog is in midseason form as he hosts this week’s Health Wonk Review, with an all-star lineup of contributors.

My impassioned defense of Don Berwick makes the big-league roster among the sluggers (health policy), while health IT gets its due respect as a disruptive force by being categorized as the base-stealers.

Of note, longtime HIT blogger Shahid Shah, known as the Healthcare IT Guy, talks security. “I hear a lot of naive talk about how systems are secure because ‘we use SSL encryption’ or ‘we’re secure because we have a firewall.’ Anybody who’s been doing security and privacy work for more than a few months would know how false those statements are,” he writes. To continue the baseball analogy, it’s like a pitcher making a couple of light tosses over to first to keep the base runner honest, then leaving the next pitch out over the middle of the plate.

And now back to an afternoon of watching basketball, er, I mean, answering e-mail or something. o:-)


March 17, 2011 | Written by Neil Versel