
Release of Information (ROI): What You Don’t Know Will Cost You

Posted on October 17, 2018 | Written by

The following is a guest blog post by Tarun Kabaria, Executive VP, Provider Operations, Ciox.

In today’s evolving healthcare environment, the release of information (ROI) process is not a simple function. It involves up to 45 specific steps, each presenting its own complexities and compliance risks. Adding to those complications, the HITECH provisions of the American Recovery and Reinvestment Act (ARRA) strengthened HIPAA’s privacy and security rules, which has elevated the importance of ROI and increased its costs.

Furthermore, the healthcare industry is influenced by a variety of factors that are pushing the limits of operating budgets, including rising volumes of requests from government auditors, the drive to meet Promoting Interoperability criteria for electronic health records (EHR) and rapid-fire advances in medical record technology. The “human” checks and balances that protected health information in the past are slowly disappearing as information moves rapidly from paper-based to fully electronic and online. The stakes continue to rise while the financial penalties for wrongful information disclosures grow.

As a result, many more healthcare facilities – large and small, urban and rural – are seeking cost-effective and efficient ways to manage this process. They are revisiting ROI options, evaluating costs and searching for new, more effective solutions.

As the growing demand for ROI continues to impact our evolving healthcare industry, hospitals are experiencing many repercussions. They are legally required to release medical records and often receive hundreds to thousands of requests a day. At the same time, hospitals must ensure that patient privacy, security and confidentiality are protected. It is a delicate balance that requires the proper management of each request along with the knowledge and expertise of a highly skilled ROI specialist.

According to the Association of Health Information Outsourcing Services (AHIOS), nearly 80% of hospitals nationwide have outsourced their ROI function to alleviate the administrative burden of fulfilling medical record requests. Of the hospitals that outsourced, an estimated 40% have done so with at least one vendor-supplied ROI consultant. Significant costs can be incurred when retaining legal counsel and a fully staffed HIM department in addition to paying for the technology necessary to manage high volumes of requests, meet time constraints and comply with privacy demands. However, failure to make those investments can result in lost revenue from fines for wrongful disclosures and from technical denials by payers and recovery contractors.

Although EHRs have made ROI processing faster, there is also a greater risk for information breach. Many of the human checks and balances inherent within the ROI process have been removed. Furthermore, records are now available to many more people, and much more easily. The advantages of ubiquitous access need to be weighed against the risk for security breaches.

For these reasons, many organizations are choosing to partner with an ROI services company that offers extensive industry experience and understanding of the new laws and rules as well as the new risks. Additionally, by outsourcing ROI to a proven, secure service provider, healthcare executives relieve themselves of rising costs and administrative burdens while also reducing their risk of penalties and fines.

For those who have chosen either a full or shared outsourcing approach, the benefits are clear, with convincing evidence of significant cost savings as well as return on investment. There are three approaches to consider when looking to outsource ROI:

On-site Service

The selected ROI vendor sends a customer service representative to the healthcare organization’s office to perform all aspects of medical record release, including capturing, processing, and conducting QA of the record before sending to its distribution center.

Partner Service

The healthcare organization’s staff uses the vendor’s technology to capture, process and QA the medical record. Then, the record is sent to the vendor’s distribution center.

Remote Service

The vendor’s customer service representatives access the healthcare organization’s EHR through secure technology to capture, process and QA the medical record from the vendor’s centralized facility. Then, records are sent to the vendor’s distribution center.

These three options provide the flexibility to select the approach that aligns best with an organization’s capacity, staffing resources and expertise. An ROI service partner can manage everything from reducing immediate backlog, handling specific tasks for the ROI process or coordinating the entire process.

Achieving efficient and effective ROI services is possible. It simply requires careful consideration and evaluation of costs and resources available to comply with new regulations to determine which path is the best one for your organization.

About Ciox
Ciox, a health technology company and proud sponsor of Healthcare Scene, is dedicated to significantly improving U.S. health outcomes by transforming clinical data into actionable insights. Combined with an unmatched network offering ubiquitous access to healthcare data, Ciox’s expertise, relationships, technology and scale allow for the extraction of insights from structured and unstructured clinical data to create value for healthcare stakeholders. Through its HealthSource technology platform, which includes solutions for data acquisition, release of information, clinical coding, data abstraction, and analytics, Ciox helps clients securely and consistently solve the last mile challenges in clinical interoperability. Ciox improves data management and sharing by modernizing workflows and increasing the accuracy and flow of information, while providing transparency across the healthcare ecosystem and helping clients manage disparate medical records. Learn more at www.ciox.com

Quality Payment Program Tops List Of Regulatory Burdens On Medical Practices

Posted on October 10, 2018 | Written by

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

A new survey by the Medical Group Management Association has found that meeting the demands of the Medicare Quality Payment Program tops the list of regulatory burdens named by respondents in medical practices.

The survey, which collected responses from 426 medical groups, found that their regulatory burdens were climbing, with 86% reporting that such burdens had increased over the past 12 months. A smaller but similar share of respondents (79%) reported that the overall regulatory burden associated with participating in Medicare specifically had increased during the same period.

When asked to name the regulatory requirements they considered to be very or extremely burdensome, 88% named the Quality Payment Program, followed by prior authorization (82%), lack of EHR interoperability (80%), government EHR requirements (77%) and audits/appeals (68%). In contrast, just 49% of respondents saw compliance with HIPAA privacy and security requirements to be a major concern.

Given the challenges it imposes on practices, it’s no wonder that the MGMA respondents struggle with MIPS, with just 9% stating that they were satisfied or very satisfied with the performance feedback the program offers. Two-thirds of respondents told the MGMA that at least in its current form, MIPS doesn’t support their practice’s clinical quality priorities.

Perhaps the most irksome aspects of the MIPS program seemed to be the full-year quality reporting period and scoring methodology. Roughly two-thirds of respondents were dissatisfied or very dissatisfied with these aspects of the program. “The lack of clarity and constant readjusting of the MACRA regulations regarding MIPS/APMs is also frustrating,” one group member said.

In addition, despite ongoing efforts to support patient data exchange, the percent of respondents who rated a lack of EHR interoperability as very or extremely burdensome has climbed over the last 12 months, from 68% last year to 80% in 2018.

Ultimately, this problem could have serious financial consequences for some organizations. “Interoperability will never be achieved at the rate we’re going without bankrupting most private medical practices,” wrote one respondent. “As each of the EHR vendors moves towards their own interpretation of interoperability, they create different versions of their own software that cost all of us more to implement and we can’t afford any more.”

If these issues aren’t addressed, it seems likely Medicare’s drive toward value-based payment will be less successful than its leaders would hope. Seventy-nine percent of practices responding to the MGMA survey said they didn’t think the move toward value-based payment had been successful to date, and it doesn’t seem likely that this will change if physicians continue to feel overburdened and misunderstood.

Three Ways You Might Be Unintentionally Violating HIPAA

Posted on August 6, 2018 | Written by

The following is a guest blog post by Tim Mullahy, Executive Vice President and Managing Director at Liberty Center One.

For the most part, HIPAA is pretty straightforward – if a little extensive. It lays out some fairly clear-cut rules for protecting patient data, and an incredibly specific framework on what constitutes said data. But as with any set of regulatory guidelines, there are some gray areas.

And there are also some lesser-known aspects that a lot of organizations – both covered entities and their business associates – tend to miss. The problem, obviously, is that ignorance in this case is no excuse. A HIPAA violation is a HIPAA violation, no matter how well-meaning the person responsible.

With that in mind, today we’re going to discuss a few of the most common ways both you and your staff might inadvertently run afoul of HIPAA (and more importantly, how to avoid doing so).

Through Employee Posts on Social Media

It’s a pretty common story these days. An employee says something they shouldn’t on social media. Their employer finds out, and next thing you know, they’re being let go.

That’s exactly what happened to Olivia O’Leary in 2017. An X-ray technician at Onslow Memorial Hospital in Jacksonville, North Carolina, O’Leary commented on a Facebook post that the victim of a car accident should have been wearing a seatbelt. Here’s the problem – the victim of the accident had been brought to her hospital.

There’s some contention over whether or not O’Leary actually violated HIPAA (the news that the victim was not wearing a seatbelt had been made public by the time she commented). Even so, this story should still serve as a warning. It’s your responsibility to make your staff aware that even a seemingly harmless comment could be construed as a HIPAA violation.

By Not Keeping Proper Track of Employee Devices

Personally-owned smartphones and home computers are a well-known HIPAA risk. Yet all too frequently, clinicians and other healthcare staff bring personal devices into the workplace, or else use them to work on patient data from the comfort of their own home. The problem isn’t that they’re using these devices, per se.

It’s that they’re doing so without any sort of oversight.

Let’s say, for example, a physician looks at some patient data in her home office. She walks away without locking the session, and her husband wanders in to do a quick Google search. He sees the patient data – and suddenly an impermissible disclosure, and with it a HIPAA violation, falls right into their laps.

Or let’s say two doctors are communicating with one another via SMS, discussing a patient’s records. Instead of being careful about what they’re saying, they openly exchange PHI over a carrier text channel that is neither encrypted end-to-end nor logged by the organization.

Again, no one here is necessarily acting maliciously. Even so, they’re still putting patient data at risk. Here’s what you need to do:

  • Incorporate some form of document management system that ensures PHI can only be accessed by authorized personnel – no matter if they’re at home or elsewhere. It should also include an automatic logoff (idle timeout) so that if a file is left open for a certain amount of time without any activity, the session ends and the file becomes inaccessible until the user authenticates again.
  • Utilize endpoint management software that allows you to manage, monitor, and control the devices within your workplace.
  • Train and educate your staff on the importance of keeping PHI to approved, secure channels – and if need be, implement a secure messaging solution so they can still keep in touch.

Via Friends and Family

It seems harmless enough. Someone goes to a hospital for an MRI to check if they have a severe spinal cord injury. A few days later, someone else – a friend or family member – asks about the results.

And the physician tells them. No harm done, right? They’re just concerned about someone they care for.

Here’s the thing – that’s still a HIPAA violation, harmless though it may seem. Sure, it was an innocent inquiry. But unless the patient specifically consented for their information to be shared, it doesn’t matter who asks.

You’re still violating their privacy if you share it.

Caution is Key

There are a lot of little stumbling points in HIPAA that tend to catch many healthcare providers unaware. Things that may seem innocent or harmless can actually land you in a world of trouble with regulatory agencies, costing valuable staff their jobs and even bringing about a lawsuit. The best way to avoid such issues is to just be cautious – to treat PHI with the utmost care.

Do that, and you should be just fine.

About Tim Mullahy
Tim Mullahy is the Executive Vice President and Managing Director at Liberty Center One, a new breed of data center located in Royal Oak, MI. Tim has a demonstrated history of working in the information technology and services industry.

Tips On Storing Patient Information In The Cloud

Posted on June 27, 2018 | Written by Anne Zieger

These days, it’s pretty much a given that providers will store some or all of their data in the cloud, i.e. off-site on a vendor’s servers. For many providers, doing this is a good idea, as it allows them to avoid buying dedicated hardware or upgrading their own storage capacity.

That being said, all cloud vendors are not made equal, and it’s important to pick the right one. After all, providers can face dire consequences if their patient data is breached. Even if the vendor is at fault, the provider remains the covered entity that HIPAA holds responsible and will take most or all of the blame; a vendor storing PHI should at minimum be bound by a business associate agreement.

Before storing data on an outside service, it’s important to check them out carefully. Here are some tips on evaluating vendors from David McHale of The Doctors Company:

  • Research the vendor’s security practices: Find out whether they have a good reputation and strong security policies in place, and ask for independent audit evidence (a SOC 2 report, for example) rather than taking a marketing page at its word. Whatever time you put into the research is time well spent.
  • Make sure the vendor can handle all of your data: Bear in mind that many cloud services companies charge by the amount of storage providers use, so being sure those costs are affordable is important. Also, providers should make sure the vendor can handle the amount of data they’d like to store.
  • Be sure that your data is encrypted in transit: Providers should see to it that their data is encrypted when being uploaded to or downloaded from the cloud. This includes ensuring that browsers or apps refuse anything other than an encrypted (TLS) connection to the vendor’s server.
  • Patient data should be encrypted when stored in the cloud: Never store data protected by law in the cloud, such as medical information or personal identifiers, unless the stored data is encrypted. Also, don’t let anyone decrypt the data unless they are authorized to do so, and know who holds the keys: if the vendor holds them, the vendor (and anyone who compromises the vendor) can read the data.
  • Learn how access to your cloud folders is shared: Cloud storage vendors often let providers share access to online folders stored on their servers, and it’s important to know how that sharing works. For example, find out whether data in the folder is read-only or whether users can edit the file, whether a shared link can be opened by anyone who has it, and whether managers can find out who last edited a file.
  • Prepare for the worst: Providers should know what they’ll do if their cloud vendor gets hacked or their data is lost. To find this out, they should read the “terms of service” provisions of their contract, which often state that users have little recourse if their data is breached or lost.

To be sure, cloud storage can be a great way for providers to save money on storage and see that their data is backed up offsite. However, it’s important they do their due diligence and see that the vendor will protect that data carefully.

Some Important Tips On Telemedicine Security

Posted on March 22, 2018 | Written by Anne Zieger

Recently, WEDI released a paper offering a pretty basic overview of the main categories of telemedicine services. From my standpoint, most of the paper wasn’t that new and exciting, but one section had some interesting suggestions worth sharing. While you’ve probably heard some of them before, you probably haven’t seen the full package they shared.

First, WEDI provided some general principles providers should consider when delivering telehealth services, including that all interactions should be conducted through a secure transmission channel and that privacy notices must be displayed or easy to find on the telehealth site. Makes sense, but not earth-shattering.

Where things got interesting was when WEDI went through its own telemedicine security Q&A. Its feedback on key topics included the following:

  • Make sure you have a policy addressing provider-to-provider disclosures of HIPAA-protected information which is gathered via telemedicine consult.
  • Secure all telemedicine data. Verify and authenticate user identities and their authority levels before patient treatment, possibly through the log-in process. This should include making sure that each login maps to exactly one identified person, so that the access records being retained can be attributed to whoever actually viewed the data.
  • Set up standards for data storage and retention, as well as establishing policies, procedures and auditability for access, use and transfer of telemedicine-related PHI. Afterward, monitor compliance with those standards.
  • Decide how telehealth data breaches will be handled, and who will be responsible for doing so. Determine who will be notified when a breach occurs, what the timeline is for doing so and who else might need to be notified. Also, identify what experts should be part of a breach response process, such as legal, information security and public affairs representatives, and make sure they know what their roles are if a breach takes place.
  • Bear in mind that any technology used for providing telemedicine services needs to be included in your HIPAA risk assessment.

Unless you work for a large organization, you probably won’t dig into security issues this deeply. Particularly if you work for a smaller practice with ten or fewer clinicians, you may end up outsourcing your entire IT function, including security and privacy protection.

However, it’s important to remember that members of your organization are ultimately responsible for any security violations, whether or not a contractor was involved in permitting the breach to happen.

It’s important that at a minimum, you have a security protection and incident response process in place — going well beyond “call the IT consultant” — that protects both patients and your practice from needless health data breaches. As you add telemedicine to the mix, make sure your process embraces that data too.

Crypto Breach at Hospital, EHR Customization, and Some EHR Humor – Twitter Roundup

Posted on February 7, 2018 | Written by

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

It had been a while since we did a Twitter roundup. So many interesting, entertaining, and insightful things are shared. We decided to keep this one light but valuable. We hope you enjoy the Twitter roundup and some of our own added commentary.


Not sure this is the first, but certain it’s not the last. There is a lot of money to be made from cryptocurrency mining, and hospitals have a lot of CPU that can be stolen to mine it. This is going to become popular malware. It stays mostly hidden from sight, so many organizations don’t even realize what’s happening.
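Because a miner’s whole business model is to stay quiet on a box nobody is watching, the practical question is what a hospital IT team should look for. The following is an added example, not code from the post or from any EDR product, that triages a constructed process-and-connection snapshot for the usual mining indicators: a stratum pool URI on the command line, a connection to a port mining pools commonly use, sustained CPU from a process that is not expected to run hot, and a system-binary name running from a user-writable directory. The snapshot format, process names, the allowlist, the port list and the thresholds are all this example’s own assumptions.

```python
"""Triage a constructed process/connection snapshot for cryptomining
activity. Added example, not from the tweet or the post; the snapshot
format, process names, allowlist, port list and thresholds are assumptions."""

# Ports commonly used by stratum mining pools. An assumed starting list,
# not an exhaustive or authoritative one.
STRATUM_PORTS = {3333, 4444, 5555, 7777, 9999, 14444, 45700}
# Processes that are allowed to run hot on this host class (e.g. image rendering).
CPU_ALLOWLIST = {"dcmrender.exe", "sqlservr.exe"}
CPU_THRESHOLD = 80.0   # percent, sustained over the sampling window
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe"}

# Constructed snapshot: one dict per process, as an endpoint agent might report it.
SNAPSHOT = [
    {"pid": 4312, "name": "svchost.exe",
     "path": r"C:\Users\nurse7\AppData\Local\Temp\svchost.exe",
     "cmdline": "svchost.exe -o stratum+tcp://pool.example:3333 -u 4Ab... --donate-level 1",
     "cpu": 97.5, "conns": [("203.0.113.10", 3333)]},
    {"pid": 1188, "name": "dcmrender.exe",
     "path": r"C:\Program Files\PACS\dcmrender.exe",
     "cmdline": "dcmrender.exe --study 1234",
     "cpu": 94.0, "conns": [("10.20.1.5", 104)]},
    {"pid": 2760, "name": "chrome.exe",
     "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe", "cpu": 12.3, "conns": [("198.51.100.7", 443)]},
    {"pid": 880, "name": "svchost.exe",
     "path": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs", "cpu": 1.1, "conns": []},
]


def indicators(proc):
    """Return the reasons a process looks like a miner; empty list if none."""
    reasons = []
    cmd = proc["cmdline"].lower()
    if "stratum+tcp://" in cmd or "stratum+ssl://" in cmd:
        reasons.append("stratum URI in command line")
    if any(port in STRATUM_PORTS for _, port in proc["conns"]):
        reasons.append("connection to a typical mining-pool port")
    if proc["cpu"] >= CPU_THRESHOLD and proc["name"].lower() not in CPU_ALLOWLIST:
        reasons.append(f"sustained CPU {proc['cpu']:.0f}% by non-allowlisted process")
    # A Windows system binary name running outside System32 is a masquerade signal.
    if proc["name"].lower() in SYSTEM_NAMES and \
            not proc["path"].lower().startswith(r"c:\windows\system32"):
        reasons.append("system binary name outside System32")
    return reasons


def triage(snapshot, min_score=2):
    """Flag processes with at least min_score independent indicators. Requiring
    two keeps a lone hot process (a legitimate batch job) from paging anyone."""
    hits = []
    for proc in snapshot:
        reasons = indicators(proc)
        if len(reasons) >= min_score:
            hits.append((proc["pid"], proc["name"], reasons))
    return hits


if __name__ == "__main__":
    for pid, name, reasons in triage(SNAPSHOT):
        print(f"pid {pid} {name}: " + "; ".join(reasons))
```

Run against the constructed snapshot, only pid 4312 is flagged: the PACS renderer is just as hot but is on the allowlist and talks to nothing unusual, and the real svchost.exe lives in System32 and idles. Feeding real telemetry (a periodic process list plus netstat or agent connection data) into the same rules is the part a practitioner has to wire up.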


If you’ve been part of an EHR implementation you know that Linda is right. However, there are some general lessons learned that are extremely valuable and help every implementation and, now, every EHR optimization. The question I’d ask is, should EHR be standard?


I should have saved this for a Fun Friday post, but why not treat Wednesday like Friday. Some other replies to this tweet were just as hilarious (until you realize what they really mean):
If my patients went unresponsive as often as my EMR, I’d be a coroner. – @FredWuMD

Just spray a little epi into the USB port – @roto_tudor

Yes, it would be like an episode of The Resident. Multiple codes a day. – @CaitlynMooneyMD

5 Tips for HIPAA Compliance

Posted on November 20, 2017 | Written by John Lynn

Planet HIPAA had this great article that shared 5 tips to ensure an effective HIPAA program. The reality is that HIPAA is a pretty flexible program that in many cases is open to some interpretation by the medical practice. There are exceptions, but HIPAA is generally about reducing risk as opposed to strict compliance. That’s reflected in this list of 5 tips from Planet HIPAA:

1. Conduct a Risk Assessment/Analysis

2. Create, Review and/or Update all HIPAA policies and procedures

3. Provide Workforce HIPAA Education

4. Conduct regular HIPAA Audits

5. Use Security Technologies

Most of the items on the list aren’t rocket science. However, my guess is that most medical practices will go through this list and realize that they have work to do. Whether it’s not doing a HIPAA risk assessment regularly (yes, sadly this still happens), or whether it’s not documenting or training, most practices will have something they could improve when it comes to HIPAA compliance. How’s your practice doing? My guess is you know where you’re lacking.

My favorite tip on this list was to use security technologies. HIPAA has some really good elements that help a practice protect PHI, but HIPAA does not equal secure. There is plenty more that a medical practice needs to do to ensure that their practice is secure and protected against the malware, ransomware, viruses, and other online threats that exist and are bombarding their IT infrastructure from every angle. HIPAA is required by law, but security beyond HIPAA is required to avoid a cybersecurity disaster in your organization.

The sad reality for many small practices is that they aren’t keeping up with the HIPAA requirements. This was illustrated by this story from Dr. Jayne:

One of my friends admitted that she had her work laptop stolen and didn’t report it to anyone despite it containing protected health information. That sort of thing is one of the perks (or hazards, depending on how you look at it) of owning your own practice and not fully understanding the huge number of laws that impact our practices. At least she realized after attending the conference that she should have taken additional action.

Dr. Jayne described most small medical practices’ feelings perfectly when she said the “perks (or hazards, depending on how you look at it)” of owning your own practice. Ignorance is bliss until you’re stuck on the front page of the paper or in some lawsuit. I’ll never forget the doctor who told me “They won’t throw us all in jail.” Maybe not, but they won’t be afraid to send you all fines.

An ounce of prevention is worth a pound of cure. This seems quite appropriate when it comes to HIPAA and security in a medical practice.

Mercy Shares De-Identified Data With Medtronic

Posted on October 20, 2017 | Written by Anne Zieger

Medtronic has always performed controlled clinical trials to check out the safety and performance of its medical devices. But this time, it’s doing something more.

Dublin-based Medtronic has signed a data-sharing agreement with Mercy, the fifth largest Catholic health system in the U.S. Under the terms of the agreement, the two are establishing a new data sharing and analysis network intended to help gather clinical evidence for medical device innovation, the company said.

Working with Mercy Technology Services, Medtronic will capture de-identified data from about 80,000 Mercy patients with heart failure. The device maker will use that data to explore real-world factors governing their response to Cardiac Resynchronization Therapy, a heart failure treatment option which helps some patients.

Medtronic believes that the de-identified patient data Mercy supplies could help improve device performance, according to Dr. Rick Kuntz, senior vice president of strategic scientific operations with Medtronic. “Having the ability to study patient care pathways and conditions before and after exposure to a medical device is crucial to understanding how those devices perform outside of controlled clinical trial setting,” said Kuntz in a prepared statement.

Mercy’s agreement with Medtronic is not unique. In fact, academic medical centers, pharmaceutical companies, health insurers and increasingly, broad-based technology giants are getting into the health data sharing game.

For example, earlier this year Google announced that it was expanding its partnerships with three high-profile academic medical centers under which they work to better analyze clinical data. According to Healthcare IT News, the partners will examine how machine learning can be used in clinical settings to sift through EMR data and find ways to improve outcomes.

“Advanced machine learning is mature enough to start accurately predicting medical events – such as whether patients will be hospitalized, how long they will stay, and whether the health is deteriorating despite treatment for conditions such as urinary tract infections, pneumonia, or heart failure,” said Google Brain Team researcher Katherine Chou in a blog post.

As with Mercy, the academic medical centers are sharing de-identified data. Chou says that offers plenty of information. “Machine learning can discover patterns in de-identified medical records to predict what is likely to happen next, and thus, anticipate the needs of the patients before they arise,” she wrote.

It’s worth pointing out that “de-identification” refers to a group of techniques for patient data protection which, according to NIST, include suppressing personal identifiers, replacing identifying values with an average for the whole group, reporting values as falling within a range rather than exactly, exchanging identifiers for other information and swapping data between records.

It may someday become an issue when someone mixes up de-identification (which makes it quite difficult, but not impossible, to identify specific patients) and anonymization, a subcategory of de-identification whereby data can never be re-identified. Such confusion would, in short, be bad, as the difference between “de-identified” and “anonymized” matters: de-identified records still carry quasi-identifiers such as age, sex and ZIP code that can be matched against outside data sets.
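To make the two preceding paragraphs concrete, here is an added example (not code from Mercy, Medtronic, NIST or this article) that applies the NIST-style transforms to a handful of constructed records: suppression of direct identifiers, range reporting for age, generalization of ZIP code to its first three digits, and swapping of one column. It then counts quasi-identifier combinations that still occur only once, which is exactly the gap between “de-identified” and “anonymized”: one patient over 89 in a sparsely populated ZIP area is still unique after every transform has run. Field names, sample values, the 10-year age width and the assumption that the 3-digit ZIP areas are populous enough for Safe Harbor are all this example’s own.

```python
"""De-identification transforms (suppression, range reporting, generalization,
swapping) on constructed records, plus a uniqueness check. Added example; not
code from Mercy, Medtronic, NIST or the article. Field names, sample values and
the Safe Harbor population assumption for 3-digit ZIPs are assumptions."""
from collections import Counter
import random

# Constructed, fictional records. 'mrn' and 'name' are direct identifiers;
# 'age', 'zip' and 'sex' are quasi-identifiers left behind once those are removed.
RECORDS = [
    {"mrn": "A1001", "name": "P. One",   "age": 67, "zip": "63141", "sex": "F", "ef": 31},
    {"mrn": "A1002", "name": "P. Two",   "age": 62, "zip": "63143", "sex": "F", "ef": 28},
    {"mrn": "A1003", "name": "P. Three", "age": 74, "zip": "63146", "sex": "M", "ef": 35},
    {"mrn": "A1004", "name": "P. Four",  "age": 71, "zip": "63141", "sex": "M", "ef": 30},
    {"mrn": "A1005", "name": "P. Five",  "age": 91, "zip": "63017", "sex": "M", "ef": 22},
]
DIRECT_IDENTIFIERS = ("mrn", "name")
QUASI_IDENTIFIERS = ("age", "zip", "sex")


def suppress(rec):
    """Suppression: drop direct identifiers outright."""
    return {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}


def age_range(age, width=10):
    """Range reporting: 67 -> '60-69'. Ages over 89 collapse into one bucket,
    as the HIPAA Safe Harbor method requires."""
    if age > 89:
        return "90+"
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def zip3(z):
    """Generalization: keep the first three ZIP digits (Safe Harbor treatment;
    assumes the 3-digit area holds more than 20,000 people)."""
    return z[:3] + "00"


def swap_field(recs, field, seed=0):
    """Swapping: permute one column across records, so no single record is
    truthful for that field while the column's overall distribution is kept."""
    values = [r[field] for r in recs]
    random.Random(seed).shuffle(values)
    return [dict(r, **{field: v}) for r, v in zip(recs, values)]


def deidentify(recs):
    """Suppress direct identifiers and generalize the quasi-identifiers."""
    out = []
    for r in recs:
        r = suppress(r)
        r["age"] = age_range(r["age"])
        r["zip"] = zip3(r["zip"])
        out.append(r)
    return out


def singletons(recs, keys=QUASI_IDENTIFIERS):
    """Quasi-identifier combinations that occur exactly once. Each is a record
    that someone holding an outside data set (voter roll, obituary) could still
    re-identify: de-identified, but not anonymous."""
    groups = Counter(tuple(r[k] for k in keys) for r in recs)
    return sorted(g for g, n in groups.items() if n == 1)


if __name__ == "__main__":
    clean = deidentify(RECORDS)
    for r in swap_field(clean, "sex"):
        print(r)
    print("still unique:", singletons(clean))   # the 90+ patient stands alone
```

Before any transform every record is unique on (age, zip, sex); afterwards four of the five fall into groups of two, but the 90+ record remains a singleton. A real pipeline would either suppress that record, widen its ZIP generalization, or accept the residual risk explicitly in the data-sharing agreement; the point is that the decision has to be made, because the transforms alone do not make it.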

In the meantime, though, de-identified data seems likely to help a wide variety of healthcare organizations do better work. As long as patient data stays private, much good can come of partnerships like the one underway at Mercy.

Current Security Approaches May Encourage EMR Password Sharing

Posted on October 19, 2017 | Written by Anne Zieger

In theory, you want everyone who accesses a patient’s health data to leave a clear footprint. As a result, it’s standard for every clinician using EMR data to be assigned a unique user ID and password. Most healthcare organizations assume that this is a robust way to document who is using the system and what they do when they’re online.

Unfortunately, this may not be the case, which in turn means that providers may know far less about health data users than they think. In fact, this approach may actually undermine efforts to track health data access, according to a new study appearing in the journal Healthcare Informatics Research.

The researchers behind the study created a Google Forms-based survey asking medical and paramedical personnel whether they’d ever obtained another medical staff member’s password, and if so, how many times and what their reasons were.

They gathered a total of 299 responses. Of that total, 220 respondents (just under 74%) had “borrowed” another staff member’s password. Only 57% answered the question of how many times this had happened, but among those who did respond the average was 4.75 episodes. All of the residents taking part had obtained another medical staff member’s password, compared with 57.5% of nurses.

The reasons medical staffers gave for sharing passwords included “I was not given a user account despite having to use the system to fulfill my duties.” This response was particularly prevalent among students. Researchers saw a similar pattern for the reason “the permissions granted to me did not allow me to fulfill my duties.”

Given their working conditions, it may be hard for medical staff members to avoid bending the rules. For example, the authors suggest that doctors will at times feel compelled to share password information, as their duties are wide-ranging and may involve performing unplanned services. Also, during on-call hours, interns and residents may need to perform activities that require them to use others’ EMR account information.
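The audit-trail gap the study describes is visible in the EMR access logs themselves. Below is an added example (not code from the post or from the cited study) that flags an account used on two workstations in alternation within a short window, the pattern you would expect when a resident is working on a colleague’s login while the colleague is still active at their own desk. It assumes a simplified, constructed log format of timestamp, user ID, workstation and action; real EMR audit logs differ, and the field names and sample data here are illustrative.

```python
"""Detect interleaved activity on one EMR account from different workstations.

Added example, not code from the original post or from the cited study.
Assumes a simplified, constructed audit-log format: one event per line as
"<ISO timestamp> <user_id> <workstation> <action>". Real EMR audit logs
differ; only the interleaving logic is meant to carry over.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. jdoe's account is used on two workstations at the
# same time (ICU, then ED, then ICU again within a few minutes); asmith's
# account moves between workstations with a clear gap, which is normal.
SAMPLE_LOG = """\
2017-10-19T07:58:12 jdoe WS-ICU-01 login
2017-10-19T08:02:40 jdoe WS-ICU-01 view_chart
2017-10-19T08:05:03 jdoe WS-ED-07 view_chart
2017-10-19T08:06:30 jdoe WS-ICU-01 order_med
2017-10-19T08:40:00 jdoe WS-ICU-01 logout
2017-10-19T08:41:10 jdoe WS-ED-07 logout
2017-10-19T09:00:00 asmith WS-ED-07 login
2017-10-19T09:15:00 asmith WS-ED-07 view_chart
2017-10-19T12:30:00 asmith WS-ED-07 logout
2017-10-19T13:00:00 asmith WS-ICU-01 login
2017-10-19T13:05:00 asmith WS-ICU-01 view_chart
"""


def parse_log(text):
    """Parse log lines into sorted (timestamp, user, workstation, action) tuples.

    Lines without exactly four fields, or whose timestamp does not parse, are
    skipped rather than allowed to abort the whole run.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2], parts[3]))
    events.sort()  # logs are not guaranteed to arrive in time order
    return events


def find_interleaved_sessions(text, window_minutes=10):
    """Return findings where one account alternates A -> B -> A between two
    workstations with the whole A..A span inside the window.

    One switch between workstations is just someone walking down the hall.
    Alternating between two workstations within a few minutes is hard to do
    alone and is a lead worth following up.
    """
    window = timedelta(minutes=window_minutes)
    findings = []
    # For each user: workstation -> timestamp of its most recent event.
    last_seen = defaultdict(dict)
    for ts, user, ws, action in parse_log(text):
        per_user = last_seen[user]
        prev_same_ws = per_user.get(ws)
        if prev_same_ws is not None and ts - prev_same_ws <= window:
            for other_ws, other_ts in per_user.items():
                # An event on another workstation strictly between two events
                # on this one, all inside the window, is the A -> B -> A pattern.
                if other_ws != ws and prev_same_ws < other_ts < ts:
                    findings.append({
                        "user": user,
                        "ws_a": ws,
                        "ws_b": other_ws,
                        "start": prev_same_ws,
                        "end": ts,
                        "action": action,
                    })
        per_user[ws] = ts
    return findings


if __name__ == "__main__":
    for f in find_interleaved_sessions(SAMPLE_LOG):
        print(f"{f['user']}: {f['ws_a']} -> {f['ws_b']} -> {f['ws_a']} "
              f"between {f['start']:%H:%M:%S} and {f['end']:%H:%M:%S}")
```

Two caveats for anyone running this against real logs. First, tap-and-go badge roaming and adjacent workstations can both produce legitimate fast switching, so the window has to be tuned to the facility, and a hit is a lead for a conversation, not proof of misconduct. Second, note what the finding does and does not tell you: it shows that more than one person was probably acting under the account, but the log cannot say who the second person was, which is exactly the accountability gap the researchers describe.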

The bottom line, researchers said, is that the existing approach to health data security is deeply flawed. The password-based approach used by most healthcare organizations is “doomed” by how often clinicians share passwords, they argue.

In other words, putting these particular safeguards in place may have a paradoxical effect. Though organizations might be tempted to strengthen the authentication process, doing so can actually worsen the situation by encouraging workarounds.

To address this problem over the long term, widely accepted standards for information security may need to be rethought, they wrote. Specifically, while the ISO standard bases infosec on the principles of confidentiality, integrity and availability, organizations must add usability to the list. Otherwise, it will be difficult to get end-users to cooperate voluntarily, the article concludes.

Is Lack of Security the Death Knell of Cloud Companies?

Posted on December 28, 2016 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

In the eternal discussion of what’s more secure, cloud or in-house, it was recently pointed out to me why many people now believe that a cloud company is more secure than anything you would implement in-house. Here’s the reason: If a cloud company gets breached, they’re dead.

I think this is true. At least it’s true in healthcare. I don’t know many healthcare organizations that would select a cloud healthcare IT company that had just been breached. Not many. If you’re a healthcare cloud company and you get breached, your future is basically over as a company. There might be a few that could survive if they have enough money, if there are mitigating circumstances, etc, but that’s going to be pretty rare.

With this in mind, it’s easy to understand why a cloud-based healthcare company is going to invest to ensure they don’t get breached. No startup founder or health IT company CEO wants to put their blood, sweat, and tears into a company that gets blown up because they didn’t address proper security and got breached.

What happens if a healthcare organization gets breached? If you’ve ever been there, it’s not a fun experience. It’s embarrassing. This is particularly true if your breach is large enough (500 or more individuals) to end up on the HHS Wall of Shame. I mean the HHS Breach Portal. Yes, there are often even fines associated with a breach as well. It’s not pretty and it’s not fun. However, most healthcare organizations that get breached continue practicing like usual. Sure, they likely make an investment in some more security, a proper risk assessment, etc, but the company still continues providing healthcare services like usual.

Fear isn’t always the best driver in life, but it can be a good one. Cloud healthcare companies have a healthy fear of being breached because their company’s future depends on it. That’s a powerful motivator to make sure you avoid breaches. I’m sorry to say that most healthcare organizations don’t have this same fear and motivation. Most of them still employ what I call the “Just Enough” approach to security and privacy. Note that it’s “Just Enough” to sleep at night as opposed to “Just Enough” to be secure. There’s a difference.

No doubt there are exceptions to the above on both sides of the aisle. Some cloud healthcare companies don’t do a good job securing their technology. Some healthcare organizations do a really excellent job securing their organizations. However, as a rule, I think it’s fair to say that most cloud healthcare companies are more secure than hosting something in-house.