
Here’s why everyone is mum after ransomware attacks

Did you see the news yesterday about the ransomware attack against Emory Healthcare in Atlanta?

According to Health Data Management, a hacker breached the appointment scheduling system at the Emory Clinic’s Orthopedics and Spine Center and the Brain Health Center, and demanded an unspecified ransom. The breach affected 79,930 patients.

Emory Healthcare said it learned of the hack on Jan. 3, and the organization submitted a breach report to the HHS Office for Civil Rights on Feb. 21.

But that’s all the organization said, and for good reason. It’s the same reason why MedStar Health in the Washington-Baltimore area has not spoken to the press about its ransomware attack last March and April.

At a preconference symposium before last week’s HIMSS conference in Orlando, Florida, a security expert told attendees that the FBI instructs health systems not to talk publicly about such attacks, or disclose whether they have paid ransom. Hollywood Presbyterian Medical Center in Los Angeles did confirm that it paid about $17,000 ransom a year ago, but as I wrote at the time, the hospital doesn’t seem to have much of a clue about a lot of things, including patient safety and public ratings.

But if you’re wondering why you haven’t heard much follow-up from hacked hospitals, it’s likely because of the FBI, which doesn’t much like to compromise criminal investigations.

March 2, 2017 | Written by Neil Versel

I'm a freelance healthcare journalist, specializing in health IT, mobile health, healthcare quality, hospital/physician practice management and healthcare finance.

Kill your fax machine (redux) and watch out for HIPAA violations

Today, noted medical informatics professor and professional Dr. Bill Hersh had this exchange on Twitter with his daughter, a new medical student.


Later today, I stopped to pick up my mail in this multi-unit building and saw this sticking out of someone else’s mailbox.

[Photo: A HIPAA violation waiting to happen]

That’s right, it’s a “personal and confidential” letter from Quest Diagnostics, presumably either medical test results or a bill. Either way, it’s a HIPAA violation waiting to happen. In fact, it’s probably already a HIPAA violation because people now know what lab this person used. The envelope is hanging out of this mailbox because it was misdelivered and whoever got it by accident placed it there for the intended recipient. But who’s to say it will wind up in the right hands before someone else opens it?

Anyone who thinks paper is still a safeguard against privacy and security breaches, raise your hand. (Crickets.) Sure, electronic transmissions can be intercepted and databases hacked, but if you take the time to encrypt them, you lessen the risk. And should there be a breach, the audit trail that HIPAA requires can help investigators pinpoint the culprit and create a disincentive for employees to leak data.

As for the fax, it’s sadly ironic that a twentysomething is encountering a fax machine for the first time when she enters a healthcare environment. Kill your fax machine! It’s 2014. Why are we still using 1980s technology to transfer health information?

January 13, 2014 | Written by Neil Versel

Podcast: MMRGlobal’s Bob Lorsch addresses the ‘patent troll’ issue

Two weeks ago, I picked apart a terribly misleading, ideologically steeped Fox News story that wrongly linked the initial failure of the healthcare.gov Affordable Care Act insurance exchange to the Meaningful Use EHR incentive program. Among my many criticisms was the reporter’s apparent confusion between an actual EHR and My Medical Records, the untethered PHR offered by MMRGlobal.

In that post, I said, “I haven’t seen a whole lot of evidence that MMRGlobal isn’t much more than a patent troll.”

Bob Lorsch, CEO of that company, posted in the comments that I should put my money where my mouth is and interview him. (I had interviewed Lorsch before, but never wrote a story because of my longstanding policy of not paying attention to untethered PHRs since none that I know of has gained any market traction, despite years of hype.)

As this podcast demonstrates, I took Lorsch up on his offer. It was at times contentious, in part because I challenged many of his statements in the Fox story and to me, and in part because he challenged some of mine.

He asked me a pointed question, whether I still thought he was a patent troll. Based on the fact that MMR actually earned patents on a product it actively markets and didn’t just purchase someone else’s patents for the point of suing others, it’s hard to conclude that he is a patent troll.

Investopedia defines patent troll as:

A derogatory term used to describe people or companies that misuse patents as a business strategy. A patent troll obtains the patents being sold at auctions by bankrupt companies attempting to liquidate their assets, or by doing just enough research to prove they had the idea first. They can then launch lawsuits against infringing companies, or simply hold the patent without planning to practise the idea in an attempt to keep other companies’ productivity at a standstill.

By that definition, MMR is not. I still don’t think an untethered PHR is a good business model, a belief supported by the fact that publicly traded MMR is a penny stock, currently trading at less than 3 cents per share. I have said that patient engagement, called for on a small scale by Meaningful Use Stage 2 rules, could change the landscape for PHRs—with a better chance in pediatrics than for adult populations—but it certainly will take a few years.

I stand by my original statement that the Fox News story did health IT a huge disservice by latching onto one problem and trying to tie it to an unrelated issue simply because it fits an ideological narrative. As for MMR, well, take a listen and then judge for yourself. It’s a long podcast, but I went through the trouble of breaking it down by discussion point so you can skip around as necessary.

Podcast details: Interview with Bob Lorsch, CEO of MMRGlobal, recorded Oct. 18, 2013. MP3, mono, 128 kbps, 49.5 MB, running time 54:07

2:03  About My Medical Records
3:26  Why he believes his product is better than traditional EHRs
5:00  My skepticism of untethered PHRs
6:28  Lorsch’s interview with HIStalk from February
6:40  MMR’s user base
8:00  Why he thinks MMR could facilitate health information exchange
9:40  Health information exchanges vs. health insurance exchanges
10:15  Patient-centered HIE as an alternative to multiple patient portals
12:20  Physician trust of patient-supplied data, and other workflow issues
15:05  Emergency use case
15:50  How MMR is different from other PHRs
16:32  “Last mile” of connectivity
18:17  His assertion in Fox story that patients lose control of health information and privacy under ACA, despite HIPAA
24:15  MMR carries cyber liability insurance
25:00  Scope of MMR’s patents
26:45  “Likely” infringement of patents
27:45  Lawsuits and licensing
29:30  Patent troll?
31:10  Negotiations with WebMD and others
33:00  MMR’s reputation
35:00  “We build and sell what we have intellectual property rights to.”
36:25  Other vendors ignoring patients?
36:50  Standardization in health IT
38:38  MMR’s low stock price
39:20  Patient engagement boosting PHR use?
42:00  Interest from WellPoint
42:48  Payers building trust with PHRs
44:18  Other features of MMR’s PHR
46:45  Segmentation of sensitive parts of medical records
49:08  Putting me on the spot
50:35  His objective in asserting patent rights
51:15  MMR’s issue with Walgreens
52:25  Revenue sharing vs. licensing

October 31, 2013 | Written by Neil Versel

Do you trust the cloud for EHRs?

Do you trust the cloud for EHRs? That’s the question I ask in my weekly post for EMR and HIPAA. Check it out, and share your opinion.

May 26, 2011 | Written by Neil Versel

ONC opens comments on federal HIT strategic plan

The Office of the National Coordinator for Health Information Technology today opened a four-week comment period on proposed revisions to the Federal Health IT Strategic Plan (pdf). Last updated in 2008, the plan spells out ONC’s strategy for meeting national health IT goals for the five-year period beginning in 2011. The HITECH Act requires this revision.

According to a blog post by national coordinator Dr. David Blumenthal:

Some components of the Plan may already be familiar, including the Medicare and Medicaid Electronic Health Record Incentive Programs and the grant programs created by the HITECH Act, which are creating an infrastructure to support meaningful use. However, the Plan also charts new ground for the federal health IT agenda:

  • In Goal I, the health information exchange strategy focuses on first fostering business models that create health information exchange, supporting exchange where it is not taking place, and ensuring that information exchange takes place across different business models.
  • In Goal II, we discuss how integral health IT is to the National Health Care Quality Strategy and Plan that is required by the Affordable Care Act.
  • In Goal III, we highlight efforts to step up protections to improve privacy and security of health information, and discuss a major investment in an education and outreach strategy to increase the provider community and the public’s understanding of electronic health information, how their information can be used, and their privacy and security rights under the HIPAA Privacy and Security rules.
  • In Goal IV, we recognize the importance of empowering individuals with access to their electronic health information through useful tools that can be a powerful driver in moving toward more patient-centered care.
  • In Goal V, we have developed a path forward for building a “learning health system,” that can aggregate, analyze, and leverage health information to improve knowledge about health care across populations.

ONC is accepting comments through April 22 via the blog site.


March 25, 2011 | Written by Neil Versel

Virginia gets $10 million ransom demand for data breach

From InformationWeek via the Health Care Law Blog comes news that the Virginia Department of Health Professions has received a $10 million ransom demand for 8.3 million patient records and 35.6 million prescription records.

Let me repeat: someone allegedly is extorting the State of Virginia for $10 million over a security breach involving millions of electronic health records.

I’d write more, but it seems like Bob Coffield has covered the issue pretty comprehensively on the Health Care Law Blog. He cites the alleged ransom note, Virginia’s response and a very interesting blog post about HIPAA notification responsibilities from John Moore of Chilmark Research.

May 5, 2009 | Written by Neil Versel

Too candid?

CHICAGO—I’m sitting in a HIMSS session where reformed hacker extraordinaire Kevin Mitnick is demonstrating how bad guys exploit security vulnerabilities. He asked for a volunteer from the audience, and the volunteer was Will Weider, aka the Candid CIO. Mitnick entered Weider’s name and home state (Wisconsin) into a personal-search database and came up with Weider’s Social Security number, which was displayed on the two giant projector screens in the meeting room.

I can’t wait to read what Will has to say about the experience.

April 7, 2009 | Written by Neil Versel

Does HITECH have teeth? Google may not think so

I was astounded today to read in Modern Healthcare (the fact that I apparently was blacklisted from writing there for reasons never explained to me makes me reluctant to link to the story) that Google says the new privacy and security rules won’t change its PHR plans.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted last month as Title XIII of the American Recovery and Reinvestment Act of 2009, strengthens much of the privacy and security language of HIPAA. Some of the language effectively gives business associates the same responsibilities as covered entities when it comes to protecting patient data. Section 13408 specifically includes personal health records.

Reporter Joe Conn, my former boss and an all-round good guy (rare at MHC these days), quotes Google Health Product Manager Roni Zeiger, M.D., as saying the new legislation has no effect on the company’s offering. Zeiger actually said that Google Health, as a service offered directly to consumers, is neither a covered entity nor a business associate under the new law.

Excuse me? I’ve been struck since Day 1 with the arrogance Google seems to be exhibiting with its entry into healthcare (actually, since before Day 1, since Google says CEO Eric Schmidt’s speech to the 2008 HIMSS conference was not technically a product introduction), but it seems to me Zeiger is intimating that the law doesn’t apply to Google.

This is almost as ludicrous as former Vice President Dick Cheney suggesting in 2007 that he was a fourth branch of government.

March 4, 2009 | Written by Neil Versel

Audio and transcript of meeting on identity theft

In case, as I did, you missed the Office of the National Coordinator for Health Information Technology’s Oct. 15 town hall on medical identity theft, you can download an MP3 audio recording and a transcript (Microsoft Word document) of the proceedings.

Warning: the MP3 file is a whopping 286 MB. It took me about 7 minutes to download on a typical residential cable Internet connection. It will take you 5 hours and 12 minutes to listen to the whole thing if you’re so inclined.

More details of the ONC-sponsored assessment on medical identity theft are at http://www.hhs.gov/healthit/privacy/identytheft.html

ONC promises a full report sometime this winter on issues related to health IT and identity theft, as well as a recommended roadmap for addressing these issues.

January 5, 2009 | Written by Neil Versel

Privacy, please

A weekend trip to Maine for a family wedding turned into a business trip (and a tax deduction) when I was reminded that the 16th National HIPAA Summit and related Privacy Symposium were taking place at Harvard University this week. Since I was flying in and out of Boston, I hesitantly forked over the $150 extortion—er, change—fee to American Airlines and sprung for a hotel room, mostly so I could attend a heated debate—er, “roundtable discussion” (even though the table was not round)—about whether patient privacy rules were effective.

I’m pretty sure it was worth the money. Boston usually is. While in the area, I also got a tour of athenahealth’s Watertown headquarters. I learned that “chief athenista” and new daddy Todd Park is on paternity leave for the next several months, is relocating to the west coast and will come back as a board member only while he dedicates much of his time to some new ventures.

But I digress once again.

The roundtable featured a couple of heavy hitters in the privacy world, namely Dr. Deborah Peel and Dr. Bill Braithwaite, as well as Partners HealthCare System Chief Privacy Officer Karen Grant, Linda Sanches, representing the HHS Office of Civil Rights, and, via telephone, Jodi Daniel, from the Office of the National Coordinator. Given the expense I just incurred, I wrote a story Tuesday about the Peel-Braithwaite debate for someone who actually will pay me, Digital HealthCare & Productivity.

In the interest of getting the news out and getting picked up by this week’s Health Wonk Review, I’m going to give you for free some notes from other Tuesday sessions.

On Friday, HHS released some proposed dates for transitioning to the next generation of HIPAA transactional code sets—otherwise known as ANSI X12 version 5010—as well as to ICD-10 standards for E&M coding. The proposal also includes the National Council for Prescription Drug Programs standard version D.0 for electronic pharmacy transactions.

The full language is at http://www.cms.hhs.gov/TransactionCodeSetsStands/02_TransactionsandCodeSetsRegulations.asp#TopOfPage and will appear in this Friday’s Federal Register to trigger a 60-day comment period, closing Oct. 21.

“This is not a do-over of HIPAA,” said Workgroup for Electronic Data Interchange Chairman James Whicker, who also phoned in to the HIPAA Summit. Whicker, director of EDI and e-commerce at Intermountain Healthcare in Salt Lake City, said that changes are necessary because the current version 4010A1 is more than six years old already and has significant shortcomings.

Among the changes he highlighted:

  • The 835 transaction for remittance advice adds an embedded link to payer URLs for some payment adjustment and denial codes.
  • 834 will allow ICD-10 to report pre-existing conditions and address some privacy concerns.
  • 270 and 271 eligibility transactions bring what Whicker called “a significant number of changes and improvements” from the provider perspective. For example, he said, the new code sets clarify instructions for sending inquiries based on whether the patient is the health plan’s primary enrollee or a dependent. If the eligibility date, plan name or benefit effective date for a particular encounter is different from that of the overall coverage, the health plan must report it as part of the transaction. Version 5010 also requires alternate search options for 270 and 271 transactions so a provider can search by member ID, last name only or date of birth to help eliminate false negatives and phone calls, Whicker said.
  • 276 and 277 transactions for healthcare claims status have minor changes addressing privacy concerns over sensitive patient information that is unnecessary for business purposes.
  • Implementation guides will no longer be free when 5010 takes effect.

I personally don’t know what to make of the 5010 news, but I know that there is significant opposition to the proposed Oct. 1, 2011, compliance date for ICD-10. As Whicker spoke, I was reading a press release from the Medical Group Management Association denouncing the idea, and would wager a large sum that the American Medical Association thinks three years and two months is not long enough.

And now back to the privacy debate.

In a separate session, Sanches vigorously defended OCR’s record on HIPAA privacy enforcement, despite the fact that the office has not assessed a single civil monetary penalty in the five years the rules have been in effect. “Our enforcement has resulted in changes,” Sanches said, a sentiment also expressed by Michael Phillips, a health insurance specialist in the CMS Office of E-Health Standards and Services, regarding enforcement of HIPAA security regulations.

Sanches said most privacy complaints have either been dismissed or resolved with corrective action, while some, as with Providence Health and Services last month, have been settled with “resolution agreements,” usually resulting in a fine. Sanches described the resolution agreements as “forward-looking,” since they require corrective action even though there is no admission of liability. “We will be monitoring their compliance,” Sanches said of Providence, which agreed to pay $100,000 as part of the deal.

Suffice it to say, OCR still has plenty of critics. Deven McGraw, director of the Health Privacy Project at the Washington-based Center for Democracy & Technology, said that enforcement clearly is lacking. “When you haven’t imposed a single civil monetary penalty, you are not sending a message that you are going to hit people in the pocketbook,” McGraw said during a joint session with Peel.

Those who don’t know Peel well might think she would wholeheartedly agree with this sentiment, but she says the August 2002 HIPAA privacy amendments that created the “treatment, payment and healthcare operations” exemption effectively neutered the rule. “We believe there is nothing for OCR to enforce because there isn’t a privacy law anymore,” she said, arguing that lack of privacy is keeping people from seeking treatment for some conditions, including Iraq war veterans who might suffer from depression or post-traumatic stress disorder.

As for HIPAA security enforcement, Phillips said OCR gets many more privacy complaints per year than CMS does for the security rule, largely because so many violations involve paper PHI and the security rule only applies to electronic information. He said that CMS has received 350 security rule complaints, to date, but, surprisingly, given all the attention paid to laptop theft, only 10 percent have involved lost or stolen devices.

Of those 350 complaints, 248 have been resolved and 102 investigations remain open.

Phillips also discussed the CMS contract with PricewaterhouseCoopers to conduct 10 compliance reviews this year, saying that the audit firm has done six reviews, including the well-publicized critique of Piedmont Healthcare in Atlanta. Phillips said CMS will share information about one of the 10 cases when all the reports are done.

Another conference session focused on the Piedmont case, and I think I will do a story for one of my publication clients in the next week or two. Stay tuned.

And finally, since anything involving David Brailer tends to generate a lot of traffic to this site, I shall call your attention to the following from former U.S. Sen. Dave Durenberger (R-Minn.), who founded and chairs the National Institute of Health Policy and sits on the Medicare Payment Advisory Commission:

DAVID BRAILER a few short years ago was the No. 1 name in American healthcare according to the annual Modern Healthcare survey of important people in the field. His job then was to be President Bush’s “Health Information Czar” to get the medical system moving toward automation and electronic information interchange.

Today he runs Health Evolution Partners out of San Francisco. He says HEP was founded to accelerate the best in the inevitable change taking place in the healthcare market. It will focus on redefining quality, efficiency and accountability of healthcare services to consumers and payers. He has developed a “Purchaser Value Initiative” as well, and raised nearly a billion dollars from CALPERS and from an additional four or five state public employees retirement funds (including Minnesota).

Susan and I enjoyed lunch with David recently at the Buckeye Roadhouse just off CA Highway 101 near Sausalito. David’s no. 1 interest these days is in his family, especially his seven-year-old son and year-old daughter. I listened to much of a fascinating discussion over elementary education in San Francisco and the merits of various institutions before we got to passion no. 2: how health system entrepreneurs will use the cost-quality-access quandary we face in this country to innovate our way to better health, medical care and health management services.

Listening to Brailer, you get the impression that there may have been a lot not to like in the Bush administration’s approach to “consumer driven healthcare.” On the other hand, it focused us on a critical reality. Everyone in America is a potential consumer of better health, more appropriate medical services and, someday, good judges of value in the healthcare system. Entrepreneur innovators are doing it right now, and Brailer’s EHP team will help make sure they succeed.

August 19, 2008 | Written by Neil Versel