FDA Sloth

Kel Mohror

"Hospital Medical Devices Could Be Vulnerable to Malware, Experts Say," reported iHealthBeat on Thursday, October 18, 2012.

 "Kevin Fu,a member of the medical device panel and a computer scientist at the University of Michigan and the University ofMassachusetts-Amherst, said, "Conventional malware is rampant in hospitals because of medical devices using unpatched operating systems. There's little recourse for hospitals when a manufacturer refuses to allow OS updates or security patches.'"

Defying logic, "Brian Fitzgerald, a deputy director at FDA, said that visits to hospitals around the country indicate that many of them are struggling with malware issues."

"He said that FDA is reviewing its regulatory stance on medical device software, adding, 'This will have to be a gradual process, because it involves changing the culture, changing the technology, bringing in new staff and making a systematic approach to this [address the issues].'"

In other words, providers can waste time and money fighting malware-induced computer failures in devices that could lead to higher patient death rates because medical device malware is not high on the FDA's "to-do" list.

Is the deputy director oblivious to the HITECH Act and CMS' "meaningful use"? Is the deputy unconcerned that billions of taxpayer dollars (oh, that's it- somebody else is "paying the freight") are being lost while FDA is "changing the culture, changing the technology, bringing in new staff and making a systematic approach" to address the issues"?

FDA's "slothful approach" tells the tale. No lions, no tigers, no bears. Oh my, a sloth.

The Patient Portal: The Orphan of Meaningful Use

David Scher, MD,
DLS Healthcare Consulting

I recently attempted to implement a pilot program of wireless health technologies for multiple medical primary practice groups on a statewide level.  The organization I was working with requested the cooperation and possibly sponsorship by a large insurance carrier.  I contacted multiple carriers. The receptions I received were interesting. The most interesting one involved the issue of where the data would flow to. I suggested that the data would ideally flow to the patient’s EHR and to the healthcare provider’s EHR patient health record (PHR) as well. The response was “We don’t care if it goes there, as long as it goes to our PHR.”  I found this troubling on a number of levels. First, the whole goal of Meaningful Use is connectivity among entities. Patient information is shared, thereby, theoretically decreasing redundant tests, increasing patient safety, and decreasing overall healthcare costs.

Most people, when asked in multiple surveys, welcome having a PHR. However, according to a Manhattan Research survey, only 12.6% of adult consumers use a PHR. The vast majority of PHRs are now in use via insurance companies and not providers.  The race for MU implementation financial incentives has relegated PHRs to a low priority.

The PHR is the most high profile digital patient advocacy tool. It is the most concise, direct profile of the patient. For the PHR to be effective, it needs to be frequently accessed and updated by the patient and compared to other medical records, electronic or otherwise, which may exist. Patients and caregivers should see this in the same way in which they see a credit score: something which profoundly influences their lives and over which they may affect significant change to mistakes (not meant to equate the relative importance of these two). The biggest concern patients have (and rightfully so) is security of their PHR). However, I believe the biggest barrier to adoption of PHRs is ignorance about their existence and potential benefit for patients.  Patients need to ask about EHRs and PHRs when seeking out a new provider, and if they are not provided, I tell patients to run for the hills, for lack of these tools represents an unwillingness of the provider to invest in their patients.

Because PHRs might exist for the same patient in different places (insurance company, physician’s office, hospital), it is important to determine if there is connectivity among the PHRs, and if not, to make sure they are all updated and contain the same information. Particularly important is updating medications, providers and patient/caregiver contact information.

The PHR will conceivably be the way in which digital healthcare technology tools will interact with the EHR, having filtered data from the patient downloaded there. This achieves two objectives.  It centralizes the data from potentially multiple sources, and gives ready access to the data both to the patient and provider.  I look forward to the PHR becoming a more utilized source of healthcare information and patient advocacy, decreasing medical errors and empowering patients.  There is a Medicare website about managing your personal health record discussing patient portals which is is a good resource.

David Lee Scher, MD is a former cardiologist and cardiac electrophysiologist, and owner/ director at DLS HEALTHCARE CONSULTING, LLC, uniquely concentrating in advising digital health companies and their partnering institutions, providers, and businesses. A pioneer adopter of remote cardiac monitoring, he lectures worldwide promoting the benefits of digital health technologies. He can be reached at dlschermd@gmail.com, twitter at dlschermd, and linkedin: http://www.linkedin.com/pub/david-lee-scher-md/27/16a/90. Dr Scher blogs at http://davidleescher.com

Healthcare Data Security Rests on Our Ability to Learn

Kel Mohror

 “In a world in which the total of human knowledge is doubling about every 10 years, our security can rest only on our ability to learn.”- Nathaniel Branden- a Canadian psychotherapist and writer known for his work in the psychology of self-esteem.

The path to health data security -- to paraphrase -- also “rests solely on our ability to learn.” An Eligible Professional (EP) or an Eligible Hospital (EH) has nearly unfettered access to millions of websites, white papers, podcasts, presentations, videos, and text files on the subject of “healthcare data security” ~48,300,000 Yahoo!/ Bing results; ~119,000,000 Google results.

An EP or EH can subsequently refine search results to “drill down” for specific knowledge on:

• data security spending and costs
• mobile device data breaches
• most common gaps in healthcare data security (risk assessment)
• tools to tighten healthcare data security and
• healthcare data security fines

(Six- and seven-figure fines have been handed to EPs and EHs nationwide; oft-times learning is hard and painful. Aggregating, sorting, analyzing, and “knowledge mapping” your search results will bolster PHI security.)

“According to "Breach Report 2011: Protected Health Information" from IT security firm Redspin, “19 million patient health records were breached last year, a 97-percent increase from 2010,” reported Taylor Armerding for CSO Online in PHI security is MIA, (April 04, 2012).

Redspin President and CEO Daniel W. Berger observed, “Instead of a person sneaking out of a medical office with 30 patient files, it is now possible to steal millions of records at a time.”

Reasons for the increasing number of breaches include-

• “data on backup tapes stolen from the car of an employee
• rapidly increasing use of portable devices and media in health care
• a lack of security protocols and of sophisticated fraud detection systems
• federal regulations that don't require PHI to be encrypted when it is on transportable devices.”

“But perhaps most significant is that health records can be a financial mother load[sic] for thieves,” Berger emphasized.

"Most importantly, once such a record is breached, it is potentially 'in the wild' forever, unlike credit card numbers, which can simply be changed."

Mr. Amerding concludes by noting-  “But, of course, risks to healthcare organizations for PHI breaches go far beyond penalties imposed by federal regulators. They could include costs of restitution, legal fees, media relations, brand damage, and exposure to class-action lawsuits.”

Jennifer Bayuk, also writing for CSO Online, describes in the six pages of “How to Write an Information Security Policy,“  the steps to take toward establishing an effective ISP (Information Security Policy).

“An Information Security Policy is the cornerstone of an Information Security Program. It should reflect the:

• organization's objectives for security and
• agreed upon management strategy for securing information.”

“In order to be useful in providing authority, it must also be formally agreed upon by executive management.”

“To develop an information security policy document, an organization has to have:

• well-defined objectives for security and
• an agreed-upon management strategy for securing information (without consensus, reliable, robust, and consistent data security cannot be achieved)”

“Since a security policy is a set of management mandates with respect to information security, the first step in shaping a security policy is to determine management’s views on security. “

“Define common themes from management interviews and prepare a mission statement about how the organization as a whole wants its information protected. The time and effort spent to gain executive consensus on policy will pay off in the authority it lends to the policy enforcement process.”

“This framework will be the foundation of the organization's Information Security Program, and service as a guide for creating an information security policy.”

Seven Practical Ideas for Security Awareness makes visible the steps for establishing and sustaining  awareness,  identified by Audry Agle in CSO Online, June 02, 2009.

“It is widely agreed that the single most effective security measure is staff awareness of protecting the confidential information of an organization. Often, technical controls are of little or no use in protecting the organization from information thieves who exploit the trusting nature of those who have legitimate access.”

“In order to create and maintain a security-conscious mindset within the practice or hospital, talk often with a consistent theme about protecting information. People need to hear a message, “rule-of-thumb,” or concept multiple times before it “sinks in” or are convinced of efficacy.”

“A security-aware culture is possible in any organization as long as it is the standard by which everyone operates, and concepts are consistently reinforced:

1.  Get people interested in security by arming them with techniques to secure their personal information.

2.  Make the message visible with posters at fax machines, shred bins, and break rooms.

3.  Provide snacks (pastries, fruits) in conjunction with the security-awareness message.

4.  Establish a clean desk policy. (‘A messy desk is a vulnerable desk’) and perform random desk-checks after hours to reinforce ‘security awareness.’”

5. Bring it to their computer screen via the newsletter, a monthly email. and a Security page on your employee intranet that lists the security policies, important contact information, links, etc.

6. Require training: Training programs will be more effective if they have interactive exercises, contests, games, or give-aways. Try to keep it short, and test comprehension.

7. Walk the walk: Perhaps the most impactful technique is for senior leadership members to display their own penchant for security- if it looks to be important at the top, you can bet it'll be important at the bottom.

• Advertise internally when someone:
  • does something that thwarts a potential attack
  • comes up with a control that bolsters the security of your organization in a cost-effective manner
  • Use incident exercises at all levels, including executive leadership”

“Keep all employees engaged in security processes by soliciting feedback and suggestions. Provide a phone message line and email—anonymous if necessary. Make it easy to use, non-threatening, and welcome ‘stupid’ “questions.”

Healthcare Data Security Rests on Our Ability to Learn

Kel Mohror

 “In a world in which the total of human knowledge is doubling about every 10 years, our security can rest only on our ability to learn.”- Nathaniel Branden- a Canadian psychotherapist and writer known for his work in the psychology of self-esteem.

The path to health data security -- to paraphrase -- also “rests solely on our ability to learn.” An Eligible Professional (EP) or an Eligible Hospital (EH) has nearly unfettered access to millions of websites, white papers, podcasts, presentations, videos, and text files on the subject of “healthcare data security” ~48,300,000 Yahoo!/ Bing results; ~119,000,000 Google results.

An EP or EH can subsequently refine search results to “drill down” for specific knowledge on:

• data security spending and costs
• mobile device data breaches
• most common gaps in healthcare data security (risk assessment)
• tools to tighten healthcare data security and
• healthcare data security fines

(Six- and seven-figure fines have been handed to EPs and EHs nationwide; oft-times learning is hard and painful. Aggregating, sorting, analyzing, and “knowledge mapping” your search results will bolster PHI security.)

“According to "Breach Report 2011: Protected Health Information" from IT security firm Redspin, “19 million patient health records were breached last year, a 97-percent increase from 2010,” reported Taylor Armerding for CSO Online in PHI security is MIA, (April 04, 2012).

Redspin President and CEO Daniel W. Berger observed, “Instead of a person sneaking out of a medical office with 30 patient files, it is now possible to steal millions of records at a time.”

Reasons for the increasing number of breaches include-

• “data on backup tapes stolen from the car of an employee
• rapidly increasing use of portable devices and media in health care
• a lack of security protocols and of sophisticated fraud detection systems
• federal regulations that don't require PHI to be encrypted when it is on transportable devices.”

“But perhaps most significant is that health records can be a financial mother load[sic] for thieves,” Berger emphasized.

"Most importantly, once such a record is breached, it is potentially 'in the wild' forever, unlike credit card numbers, which can simply be changed."

Mr. Amerding concludes by noting-  “But, of course, risks to healthcare organizations for PHI breaches go far beyond penalties imposed by federal regulators. They could include costs of restitution, legal fees, media relations, brand damage, and exposure to class-action lawsuits.”

Jennifer Bayuk, also writing for CSO Online, describes in the six pages of “How to Write an Information Security Policy,“  the steps to take toward establishing an effective ISP (Information Security Policy).

“An Information Security Policy is the cornerstone of an Information Security Program. It should reflect the:

• organization's objectives for security and
• agreed upon management strategy for securing information.”

“In order to be useful in providing authority, it must also be formally agreed upon by executive management.”

“To develop an information security policy document, an organization has to have:

• well-defined objectives for security and
• an agreed-upon management strategy for securing information (without consensus, reliable, robust, and consistent data security cannot be achieved)”

“Since a security policy is a set of management mandates with respect to information security, the first step in shaping a security policy is to determine management’s views on security. “

“Define common themes from management interviews and prepare a mission statement about how the organization as a whole wants its information protected. The time and effort spent to gain executive consensus on policy will pay off in the authority it lends to the policy enforcement process.”

“This framework will be the foundation of the organization's Information Security Program, and service as a guide for creating an information security policy.”

Seven Practical Ideas for Security Awareness makes visible the steps for establishing and sustaining  awareness,  identified by Audry Agle in CSO Online, June 02, 2009.

“It is widely agreed that the single most effective security measure is staff awareness of protecting the confidential information of an organization. Often, technical controls are of little or no use in protecting the organization from information thieves who exploit the trusting nature of those who have legitimate access.”

“In order to create and maintain a security-conscious mindset within the practice or hospital, talk often with a consistent theme about protecting information. People need to hear a message, “rule-of-thumb,” or concept multiple times before it “sinks in” or are convinced of efficacy.”

“A security-aware culture is possible in any organization as long as it is the standard by which everyone operates, and concepts are consistently reinforced:

1.  Get people interested in security by arming them with techniques to secure their personal information.

2.  Make the message visible with posters at fax machines, shred bins, and break rooms.

3.  Provide snacks (pastries, fruits) in conjunction with the security-awareness message.

4.  Establish a clean desk policy. (‘A messy desk is a vulnerable desk’) and perform random desk-checks after hours to reinforce ‘security awareness.’”

5. Bring it to their computer screen via the newsletter, a monthly email. and a Security page on your employee intranet that lists the security policies, important contact information, links, etc.

6. Require training: Training programs will be more effective if they have interactive exercises, contests, games, or give-aways. Try to keep it short, and test comprehension.

7. Walk the walk: Perhaps the most impactful technique is for senior leadership members to display their own penchant for security- if it looks to be important at the top, you can bet it'll be important at the bottom.

• Advertise internally when someone:
  • does something that thwarts a potential attack
  • comes up with a control that bolsters the security of your organization in a cost-effective manner
  • Use incident exercises at all levels, including executive leadership”

“Keep all employees engaged in security processes by soliciting feedback and suggestions. Provide a phone message line and email—anonymous if necessary. Make it easy to use, non-threatening, and welcome ‘stupid’ “questions.”

mHealth and HIPAA

David Scher, MD, DLS Healthcare Consulting

Wireless health technologies are proliferating into various transmission modalities and spectrum of wellness and healthcare. Safety and privacy of data is of paramount importance to providers and patients. HIPAA laws apply to some types of mHealth products and the implications of this are important to recognize.  For example, a patient’s mHealth program that interacts with an EHR system needs to be compliant. In turn, the EHR system should have a way of communicating a breach of its own HIPAA compliance to the mHealth company. The HIPAA compliance extends to parties outside of the mHealth company with which data may be shared (marketers, pharmaceutical or device companies, etc).  Review extensive explanation of HIPAA regulations.

HIPAA compliance should be taken into account with any new type of technology utilized in mHealth.  Apple recently addressed HIPAA compliance as it considers having its Facetime video calling feature utilized in telehealth endeavors.  The company stated that with appropriate adaptation, the iPad can be made HIPAA compliant with encryption.

HIPAA rules would need to be addressed with the use of personal technologies by providers for mHealth, whether it is in the hospital or outpatient setting.  The emergence of EHR connectivity with mobile devices should refocus on this issue, and the security and verification of security needs to be demonstrated.

Of course not all mHealth products need to be HIPAA compliant.  HIPAA rules only apply to “protected health information,” which identifies an individual and that relates to an individual’s physical or mental health, health care services to that individual, or payment for the health care services.  If the technology will be used by or in association with a ‘covered entity (provider, health plan, or medical institution), then HIPAA applies.  Of course, if there is no identifiable personal data, the regulations do not apply.

There are currently no less than 16 bills proposed regarding Internet security and protection of personal information. Chief among the issues addressed are the requirement for prompt notification of compromise of data security, increased penalties for failure to do so, transparency of business relationships of entities involved in the sharing of personal data, and increased powers to investigate and prosecute those without strict security measures in place as well as unlawful access to data.  (Listing of the proposed bills.)

HIPAA regulatory issues arise when dealing with hospital and office wireless equipment.  Newer technologies are being added to the HIT space every day.  Connectivity from a technical as well as HIPAA standpoint needs to be addressed.  Biomedical devices need to be as secure as possible too.  And some of that technology is lagging behind with respect to encryption.  Wireless networks in the hospital need protected from non-users (patients, guests, non-essential employees).

Wireless technologies present many challenges to HIPAA regulatory compliance, by virtue of the fact that they may connect with multiple covered entities and various IT portals.   Hopefully the security will develop in step with the technology and mHealth does not become oppressively over-regulated.

David Lee Scher, MD is a former cardiologist and cardiac electrophysiologist, and owner/ director at DLS HEALTHCARE CONSULTING, LLC, uniquely concentrating in advising digital health companies and their partnering institutions, providers, and businesses. A pioneer adopter of remote cardiac monitoring, he lectures worldwide promoting the benefits of digital health technologies. He can be reached at dlschermd@gmail.com, twitter at dlschermd, and linkedin: http://www.linkedin.com/pub/david-lee-scher-md/27/16a/90. Dr Scher blogs at http://davidleescher.com

 

Healthcare Data Security

Kel Mohror

“Data,” according to PriceWaterhouseCoopers, “is quickly becoming one of the health industry’s most treasured commodities. In just the last year and a half, a breach of personal health information occurred, on average, every other day. Breaches erode productivity and patient trust, are costly, unpredictable, and unfortunately quite common.” The consultancy’s Old data learns new tricks: Managing patient security and privacy on a new data-sharing playground describes those “new tricks” for healthcare’s “new playground.”

Debra Beaulieu in FiercePracticeManagement in a brief from an American Medical News report, writes- “The biggest security threat to your patients' health information isn't malicious hackers, as some practices might think, but rather simple carelessness among your staff.”

“A recent $1 million fine against Massachusetts General Hospital after an employee inadvertently left a stack of papers on a subway car teach us that they can have serious consequences.”

"Humans truly are the biggest vulnerability within an organization with regard to security and privacy," said Rebecca Herold, a privacy and data security consultant based in Iowa.

“A February report from accounting firm Kaufman, Rossin & Co. found, for example, that practices and hospitals are most likely to experience a breach because of an employee losing a thumb drive, mobile device or paperwork, American Medical News reports.”

“To avoid these risks, practices need to be aware of the multiple places where their information is stored and how it flows throughout the organization, regardless of whether it is on paper or electronic, Jorge Rey, an information and IT audit manager for Kaufman, Rossin & Co. told Amednews.

Separately, in an American Medical News Technically Speaking article “How to ensure a lost mobile device won’t cause a data breach,” Pamela Lewis Dolan observed “With an estimated 80% of physicians using a mobile device on the job, a lot of patient data is vulnerable to breaches unless steps are taken to protect it. Data encryption is the one thing that protects physicians from having to report a breach if data go missing.”

Ms. Dolan identifies several steps providers can take to secure data on mobile devices, including-

• picking the right device by explaining to the mobile device vendor exactly what you will use the phone for and what you need to have encrypted using an encryption app and
• providers should not assume that data on a cloud-based app are safe.”

“In most cases, breaches happen not because people have malicious intents. ‘The real lesson,’ Kevin Haley, director of product management at Symantec Security Response, said, ‘is that people are not evil, but curious. So we really need to protect this data.’”

CSO Security and Risk reported in Healthcare security needs a booster shot, “theft of records accounted for 66 percent of reported health data breaches during the previous two years. Also, just over one-third of hospitals and physician groups reported cases of medical identity theft. And 54 percent of health organizations reported at least one issue with information privacy and security over the past two years.”

“Pete Lindstrom, research director at Spire Security warned- ‘The industry is exposing the data to the world and making more complex apps, and they're getting hacked as a result.’"

“As one would suspect, commonly it's insider improper use of protected health information, with 40 percent of providers saying that has happened in their organization during the 24 months prior to the survey.”

Apparently establishing and maintaining healthcare data security are not mere “the sky is falling!” or “cry wolf!” problems. On Mar 28 2012, SiloBreaker linked to a WSJ.com Video – News report FBI Cyber Chief: U.S. Losing War Against Hackers. “We're not winning," FBI executive assistant director Shawn Henry said. “An organization must monitor its data system with the assumption that you have already been breached.”

“The capabilities of hackers with the software tools at their disposal too-often make them more successful at getting data than the people who are paid to prevent unauthorized access to data.”

---

Decision Time, Part 2

Posted by: Kel Mohror

Decision Time, Part 1 mentioned developing a HIT strategic plan for your practice facility, in which you establish 1)what you want to do with HIT (achieve a stage of “meaningful use,” reduce ADEs, or other) and 2) how, in “broad brush-strokes,” you will reach that goal.

Decision Time, Part 2 will put on a spotlight on the “lifeblood” of your medical practice -- patient records. Converting (a.k.a. document imaging or document scanning) those shelves of manila folders of paper and multi-colored “stickies” in them to digital files obviously is essential to having a comprehensive EHR for all patents.

Nearly 2,000 50-page patient files can be stored as PDFs in a stamp-size 10 GB USB drive or memory chip. In the healthcare environment where interruptions and distractions are seemingly never-ending, these tiny storage devices are too-easily left somewhere, creating the potential for PHI breaches and fines.

Your strategic plan must address electronically storing your patient records, which begs the questions -- “How many?” and “How much is this going to cost?” Those numbers will enable you to weigh the ROI  when estimating the cost of converting those shelves of paper when you start your EHR implementation. These numbers will also help when looking for scanning / imaging services that will index the records and create the electronic file structure per your specifications.

An index and structure enable quickly finding the correct record for your immediate use, unlike a web search that throws thousands or millions of “results” at you in a fraction of a second or an undifferentiated Windows® “Search.” (Finding a “needle in a haystack” might be a more rewarding task.)

You can roughly calculate the number of pages to be converted using a standard ream of paper and a measuring tape. Typically a ream of paper is 2 to 2 1/4” thick (use 2 1/8” for simplicity) and has 500 sheets of paper; these two metrics complete the calculation with a patient-record shelf length.

To save time, here are a few common shelf-lengths and the number of pages they support:

• A full 4-foot long shelf supports about 11,295 sheets of records and will use ~ 230 MB of memory.
• A full 5-foot long shelf supports about 14,118 sheets of records and will use ~ 287 MB of memory.
• A full 6-foot long shelf supports about 17,000 sheets of records and will use ~ 1 GB of memory.

For example, if you have 20 full 4-foot shelves, 225,900 pages of records have to be converted. (No, we can’t just sprinkle Holy Water on them and call it a day.)

At $0.08 per page -- depending on your negotiating skills -- to scan /image, index and correctly file the PDF, your cost is:

• For a 4-foot shelf ~ $903
• For a 5-foot shelf ~ $1129
• For a 6-foot shelf ~ $1360

Estimated migration cost for 20 4-foot shelves @ $903 is - $18,060.

Scanning your organization’s records (converting patient charts, administrative records, and x-ray films to electronic form) is a key part of implementing EHR. This task has to be high on your strategic “roadmap.”

“Document scanning is one method of many in a document conversion effort,” according to Vicki Wiler, Director of Publications at ARMA International, an 11,000-member association of professionals who manage records and information on a daily basis.

“Scanning and imaging replicate the appearance of paper documents; the resulting electronic files- usually a PDF- can contain textual and/or graphic information, including signatures, handwritten annotations, and illustrations.”

Thoughtful design of your file folder (directory) structure and creating a data index for each record, will make it easier to quickly retrieve the records of patients who had one on paper. Using the data index key words and phrases, you will optimize search results and save time because records can’t be misfiled nor left in an exam room. Document conversion also fills gaps in the medical record by merging multiple disparate records into an EHR.

It just so happens that the AHIMA has a document titled Practice Brief: Document Imaging as a Bridge to the EHR, which will provide additional “food for thought” and action.

Kel is a Healthcare IT concierge providing answers to HIT questions and solutions to problems. He is completing the final session of three of the Office of the National Coordinator for Health Information Technology (ONC) HIT Workforce Training program (Implementation & Support Specialist track). He makes knowledge “ensnared” in the web visible, understandable, and immediately useful.

Patients Worried About Security of Medical Data on EHRs, Survey Finds

Posted by: Jonena Relth, TBD Consulting, Inc.

iHealthBeat, a blog dedicated to reporting the impact of technology on healthcare, reported the following statistics regarding patients' concerns over medical data, EHRs and security. The following blog is REPOSTED from iHealthBeat blog.

More than 80% of U.S. adults have concerns about the security of their electronic health records, according to a new survey from Xerox and Harris Interactive, Becker's Hospital Review reports.

For the survey, researchers interviewed 2,720 U.S. adults about their opinions on various issues related to EHRs (Herman, Becker's Hospital Review, 7/25).

Findings

Of the 82% of survey respondents who had concerns about EHRs, the survey found that:

• 78% were worried that hackers would steal information from their EHRs;
• 64% were worried that their EHRs would be lost or damaged; and
• 62% were worried that their EHRs would be misused (CMIO, 7/21).

The survey also found that 14% of respondents said they were frightened by the conversion to EHRs, down about two percentage points since 2010. Eleven percent of respondents said they are excited by the conversion to EHRs, up one percentage point from last year.

Of respondents who were familiar with the transition to EHRs, the survey found that:

• 51% said they believe EHRs will lead to better, more efficient care;
• 45% said they believe EHRs are necessary; and
• 34% said they anticipate problems early in the EHR implementation process (Pulley, NextGov, 7/25).

The survey also found that 18% of respondents who have a health care provider said they have been approached by their clinician to discuss EHRs (Miliard, Healthcare IT News, 7/22).

READ THE ENTIRE ARTICLE

Five Things Healthcare Providers Should Know About EHR Security

Posted by: Dr. David Scher, DLS Healthcare Consulting

1. Privilege management

This refers to the management of users with regards to their access to features and data of the EHR system.  Some EHRs predefine the roles and access, and some may be left for the practice to determine.  This is a fluid process and will be dictated by changes in personnel roles over time.  The assignment of IT user roles should be left to the practice or IT managers.  This management is protective from technical as well as HIPPA standpoints.  It should also apply to the Internet in general, as many EHRs are ‘cloud-based’ and this will decrease the introduction viruses and other common problems.

2. EHR security and malpractice issues

All EHR entries are date and time logged.  This applies to the record itself as well as modifications of the record.  The entire staff should be made aware of many medico-legal implications of this.  Schedulers to technicians to all clinical personnel (including physicians, sometimes the worst violation culprits of all) should be taught the usual important points about the medical record: stating just facts, keeping it short, pertinent, and complete, with closed loop follow-up of conversations and treatment changes.  The entry log may be audited by the practice or IT manager, as well as attorneys during discovery.  So it is important to know that once an entry is entered, it is non-erasable.

3. Breaches of hospital EHR security is not by hackers, but by lost or stolen information, or noncompliance with regulations

Seven hospitals were audited by the Inspector General to oversee the Office of Civil Rights which oversees HIPPA compliance. "Although each of the seven hospitals had implemented some controls, policies and procedures to protect ePHI [electronic protected health information] from improper alteration or destruction, none had sufficiently implemented the administrative, technical and physical safeguard provisions of the Security Rule," the report states.  The audits identified 151 vulnerabilities in the systems and controls intended to protect ePHI, of which 124 were categorized as high impact. This emphasizes that strict security measures need to be in place and enforced.  

With regards to technical security, regular changing of security login passwords, eliminating access to personnel suspended or who leave the practice or hospital, mandating logging off after use, all allow for easy identification of users and use.  Interoperability only with systems or products with adequate security provisions is also paramount, and ONC certification of an EHR will not necessarily address this issue.

4. An EHR will NOT provide all necessary security

In a national survey of 200 representative physician practices conducted by CDW Healthcare in 2010, 30% reported that they did not use basic antivirus software, and 34% did not use network firewalls.  This is a recipe for disaster. Some EHR companies offer little in the way of implementation.  It is imperative for practice managers to work with hospital CIOs to make sure the office systems are secure, in addition to the EHR meeting all security standards including the security portion of Meaningful Use.

5. Data must be securely stored        

How data is displayed and transferred from one employee to another is one important aspect of secure storage.  Leaving a computer screen open or leaving a computer tablet where any other employee or patient can see it violates privacy.  Proper training of workers is necessary in this regard.  All computers and tablets should be tagged and regularly controlled to prevent unrecognized theft. Servers need to be secure.  Regular security testing of the system needs to be performed.

Thus, EHR security involves many layers, from personnel to technical assurances both automatic and supervised. It is up to all who deal with the record to do their part to maximize security.  The physician, as usual, holds much of the liability of the record. These tips should help.  

Dr. David Scher was a practicing cardiac electrophysiologist for 20 years with extensive experience as a clinical investigator, reimbursement committee member, and institutional review board chair. He is currently director at DLS HEALTHCARE CONSULTING, LLC with a focus on medical device and mobile health companies. You can reach Dr. Scher at dlschermd@gmail.com or on Twitter at dlschermd.
   

Another Healthcare Breach in Security

Posted by: Jonena Relth, TBD Consulting

It seems like every week we hear about another breach in healthcare security. Although EMRs/EHRs have their own security concerns, I am hoping that once all healthcare facilities are up and running with the new electronic requirements, we will no longer hear of the ridiculous stories of paper medical records haphazardly misplaced or stolen.

Hospital reports security breach

August 02, 2011, 03:12 AM By Michelle Durand Daily Journal Staff

Documents containing personal information of approximately 1,500 Mills-Peninsula Health Services patients were removed from the facility over the course of a year and taken home by a mailroom employee, according to a hospital spokeswoman.

The worker, who has since been terminated, took the documents between November 2009 and September 2010. The Burlingame hospital learned of the breach June 17 when a relative of the employee discovered the documents at the worker’s home and returned them to the hospital.

The reason for the removal is murky.

“We don’t believe they’ve been used for anything. We believe they just sat in a box,” said Margie O’Clair, vice president of communications for Mills-Peninsula Health Services.

The hospital reported the incident to the Burlingame police who are pursuing a criminal investigation, O’Clair said.

READ THE COMPLETE STORY