
Tips On Storing Patient Information In The Cloud

Posted on June 27, 2018 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

These days, it’s pretty much a given that providers will store some or all of their data in the cloud, i.e. off-site on a vendor’s servers. For many providers, doing this is a good idea, as it allows them to avoid buying dedicated hardware or upgrading their own storage capacity.

That being said, not all cloud vendors are equal, and it’s important to pick the right one. After all, providers can face dire consequences if their patient data is breached. Even if the vendor is at fault, providers will take most or all of the blame.

Before storing data on an outside service, it’s important to check that service out carefully. Here are some tips on evaluating vendors from David McHale of The Doctors Company:

  • Research the vendor’s security practices: Find out whether they have a good reputation and strong security policies in place. Whatever time you put into the research is time well spent.
  • Make sure the vendor can handle all of your data: Bear in mind that many cloud services companies charge by the amount of storage providers use, so being sure those costs are affordable is important. Also, providers should make sure the vendor can handle the amount of data they’d like to store.
  • Be sure that your data is encrypted at all times: Providers should see to it that their data is encrypted when being uploaded to or downloaded from the cloud. This includes ensuring that browsers or apps require an encrypted connection to the vendor’s server.
  • Patient data should be encrypted when stored in the cloud: Never store data protected by law in the cloud, such as medical information or personal identifiers, unless the stored data is encrypted. Also, don’t let anyone decrypt the data unless they are authorized to do so.
  • Learn how access to your cloud folder is shared: Cloud storage vendors often let providers share access to online folders stored on their servers, and it’s important to know how that sharing works. For example, find out whether data in the folder is read-only or whether users can edit the file, and whether managers can find out who last edited a file.
  • Prepare for the worst: Providers should know what they’ll do if their cloud vendor gets hacked or their data is lost. To find this out, they should read the “terms of service” provisions of their contract, which often state that users have little recourse if their data is breached or lost.

To be sure, cloud storage can be a great way for providers to save money on storage and see that their data is backed up offsite. However, it’s important they do their due diligence and see that the vendor will protect that data carefully.

Some Important Tips On Telemedicine Security

Posted on March 22, 2018 | Written By Anne Zieger

Recently, WEDI released a paper offering a pretty basic overview of the main categories of telemedicine services. From my standpoint, most of the paper wasn’t that new or exciting, but one section had some interesting suggestions worth sharing. While you’ve probably heard some of them before, you probably haven’t seen the full package they shared.

First, WEDI provided some general principles providers should consider when delivering telehealth services, including that all interactions should be conducted through a secure transmission channel and that privacy notices must be displayed or easy to find on the telehealth site. Makes sense, but not earth-shattering.

Where things got interesting was when WEDI went through its own telemedicine security Q&A. Its feedback on key topics included the following:

  • Make sure you have a policy addressing provider-to-provider disclosures of HIPAA-protected information gathered via a telemedicine consult.
  • Secure all telemedicine data. Verify and authenticate user identities and their authority levels before patient treatment, possibly through the log-in process. This could include making sure that there’s a one-to-one match with the person logging in to view the data being retained.
  • Set up standards for data storage and retention, as well as establishing policies, procedures and auditability for access, use and transfer of telemedicine-related PHI. Afterward, monitor compliance with those standards.
  • Decide how telehealth data breaches will be handled, and who will be responsible for doing so. Determine who will be notified when a breach occurs, what the timeline is for doing so and who else might need to be notified. Also, identify what experts should be part of a breach response process, such as legal, information security and public affairs representatives, and make sure they know what their roles are if a breach takes place.
  • Bear in mind that any technology used for providing telemedicine services needs to be included in your HIPAA risk assessment.

Unless you work for a large organization, you probably won’t dig into security issues this deeply. Particularly if you work for a smaller practice with ten or fewer clinicians, you may end up outsourcing your entire IT function, including security and privacy protection.

However, it’s important to remember that members of your organization are ultimately responsible for any security violations, whether or not a contractor was involved in permitting the breach to happen.

It’s important that at a minimum, you have a security protection and incident response process in place — going well beyond “call the IT consultant” — that protects both patients and your practice from needless health data breaches. As you add telemedicine to the mix, make sure your process embraces that data too.

When It Comes To Security Threats, Doctors Are Less Aware

Posted on February 22, 2018 | Written By Anne Zieger

A new study suggests that while most healthcare employees aren’t very aware of privacy and security threats, doctors may be further behind.

According to the Verizon Enterprises Data Breach Investigations Report, 78% of healthcare employees were less than prepared for such risks. Given the threat environment out there, that’s bad enough. Other aspects of the survey found that 24% of healthcare employees had trouble identifying some common signs of malware, as compared with 12% of respondents in the general population.

However, physicians appear to be even less prepared than their healthcare peers. For example, 24% of physicians and other types of direct healthcare providers showed a lack of awareness of phishing emails, a deficit which could cause big problems. (Their rate of identifying phishing emails was three times worse than their non-physician counterparts.) Half of the physicians studied scored in the overall “risk” category, which meant that their actions could impose a privacy or security threat.

Looking again at the healthcare industry as a whole, 23% of respondents failed to report a variety of potential security or privacy incidents such as unsecured personnel files and potentially malware-infected computers. Twenty-one percent of survey respondents didn’t recognize some forms of personally identifiable information, but perhaps more alarmingly, more clinicians exhibited risky behaviors in this category than their non-clinician peers.

In wrapping up the report, the authors make the important point that educating healthcare workers and clinicians on HIPAA rules is far from enough to help organizations protect themselves from cyberattackers. “Keeping within HIPAA regulations, while vital, does not educate users on how to spot a phishing attack,” they wrote. “[And] mere compliance does not equate to a fully security-aware culture.”

Ultimately, the study makes a point that can’t be made too often. When security education occurs in silos, whether HIPAA compliance, abating the risks of internal malfeasance and errors, or training employees to catch sneak attacks such as phishing emails, no one of these strategies is enough on its own to protect organizations from cyber-intrusions.

The key, as the authors rightly point out, is to cultivate a risk-aware culture across the healthcare organization’s entire population, including (perhaps most particularly) clinicians who make the closest use of the data.

Dogged By Privacy Concerns, Consumers Wonder If Using HIT Is Worthwhile

Posted on May 17, 2017 | Written By Anne Zieger

I just came across a survey suggesting that while we in the health IT world see a world of possibilities in emerging technologies, consumers aren’t so sure. The researchers found that consumers question the value of many tech platforms popular with health execs, apparently because they don’t trust providers to keep their personal health data secure.

The study, which was conducted between September and December 2016, was done by technology research firm Black Book. To conduct the survey, Black Book reached out to 12,090 adult consumers across the United States.

The topline conclusion from the study was that 57 percent of consumers who had been exposed to HIT through physicians, hospitals or ancillary providers doubted its benefits. Their concerns extended not only to EHRs, but also to many commonly-deployed solutions such as patient portals and mobile apps. The survey also concluded that 70 percent of Americans distrusted HIT, up sharply from just 10 percent in 2014.

Black Book researchers tied consumers’ skepticism to their very substantial privacy concerns. Survey data indicated that 87 percent of respondents weren’t willing to divulge all of their personal health data, even if it improved their care.

Some categories of health information were especially sensitive for consumers. Ninety-nine percent were worried about providers sharing their mental health data with anyone but payers, 90 percent didn’t want their prescription data shared and 81 percent didn’t want information on their chronic conditions shared.

And their data security worries go beyond clinical data. A full 93 percent of respondents said they were concerned about the security of their personal financial information, particularly as banking and credit card data are increasingly shared among providers.

As a result, at least some consumers said they weren’t disclosing all of their health information. Also, 69 percent of patients admitted that they were holding back information from their current primary care physicians because they doubted the PCPs knew enough about technology to protect patient data effectively.

One of the reasons patients are so protective of their data is that many don’t understand health IT, the survey suggested. For example, Black Book found that 92 percent of nurse leaders in hospitals under 200 beds said they had no time during the discharge process to improve patient tech literacy. (In contrast, only 55 percent of nurse leaders working in large hospitals had this complaint, one of the few bright spots in Black Book’s data.)

When it comes to tech training, medical practices aren’t much help either. A whopping 96 percent of patients said that physicians and staff didn’t do a good job of explaining how to use the patient portal. About 40 percent of patients tried to use their medical practice’s portal, but 83 percent said they had trouble using it when they were at home.

All that being said, consumers seemed to feel very differently about data they generate on their own. In fact, 91 percent of consumers with wearables reported that they’d like to see their physician practice’s medical record system store any health data they request. In fact, 91 percent of patients who feel that their apps and devices were important to improving their health were disappointed when providers wouldn’t store their personal data.

Could Blockchain Tech Tackle Health Data Security Problems?

Posted on March 25, 2016 | Written By Anne Zieger

While you might not own any of them, you’ve probably heard of bitcoins, a floating currency backed by no government entity. You may also be aware that these coins are backed by blockchain technology, a decentralized system in which all participants track everyone’s holdings on their own individual systems. In this world, buyers and sellers can exchange bitcoins untraceably, making bitcoins perfect for criminal use.

In fact, some readers may have first heard about bitcoins when a Hollywood, CA hospital recently had all its data assets frozen by malware hackers, who demanded a ransom of $3.4 million in bitcoins before the hospital could have its data back. (The hospital ended up talking the ransomware attackers down to paying $17K, and when it paid that sum, IT leaders got back control.)

What’s intriguing, however, is that blockchain technology may also be a solution for some of healthcare’s most vexing health data security problems. That, at least, is the view of Peter Nichol, a veteran healthcare business and technology executive consultant. As he sees it, “blockchain addresses the legitimate previous concerns of security, scalability and privacy of electronic medical records.”

In his essay posted on LinkedIn Nichol describes a way in which the blockchain can be used in healthcare data management:

  1. Patient: The patient is provided a code (private key or hash) and an address that provides the codes to unlock their patient data. While the patient data is not stored in the blockchain, the blockchain provides the authentication or required hashes (multi-signatures, also referred to as multi-sigs) to be used to enable access to the data (identification and authentication).
  2. Provider: Contributors to a patient’s medical records (e.g. providers) are provided a separate universal signature (codes or hashes or multi-sigs). These hashes, when combined with the patient’s hash, establish the required authentication to unlock the patient’s data.
  3. Profile: Then the patient defines in their profile the access rules required to unlock their medical record.
  4. Access: If the patient defines a 2-of-2 rule, then two separate machines (the ones holding the hashes) would have to be compromised to gain unauthorized access to the data. (In this case, establishing unauthorized privileged access becomes very difficult when the machine types differ, the operating systems differ and they are hosted with different providers.)
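As an added illustration of the 2-of-2 rule in step 4 (example code written for this page, not code from the post, from Nichol’s essay, or from any blockchain product): a record-encryption key is split with Shamir secret sharing so that the patient and the provider each hold one share, and the key, which is what actually unlocks the stored record, can only be rebuilt when both shares are presented. The key, the share values and the fingerprint check are this example’s own assumptions, and it generalizes the 2-of-2 case in the text to any k of n shares.

```python
import hashlib
import secrets

# 2**127 - 1 is a Mersenne prime; keys and shares are integers in this field.
PRIME = 2**127 - 1

def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (lowest degree first) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def key_fingerprint(key):
    """Public commitment to the key; lets a bad reconstruction be detected."""
    return hashlib.sha256(key.to_bytes(16, "big")).hexdigest()

def split_key(key, k, n):
    """Split an integer key into n shares so that any k of them recover it.

    The key is the constant term of a random degree-(k-1) polynomial and
    share i is the point (i, f(i)). Returns (shares, fingerprint).
    """
    if not (1 <= k <= n) or not (0 <= key < PRIME):
        raise ValueError("need 1 <= k <= n and 0 <= key < PRIME")
    coeffs = [key] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]
    return shares, key_fingerprint(key)

def recover_key(shares, fingerprint):
    """Lagrange-interpolate f(0) from the presented shares.

    Fewer than k shares interpolate to a wrong value (and reveal nothing about
    the key); the fingerprint check turns that into a hard failure.
    """
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    if key_fingerprint(total) != fingerprint:
        raise PermissionError("presented shares do not satisfy the access rule")
    return total

def demo():
    """The post's 2-of-2 case: patient and provider must both take part."""
    record_key = secrets.randbelow(PRIME)   # constructed: wraps the record
    shares, fp = split_key(record_key, k=2, n=2)
    patient, provider = shares
    assert recover_key([patient, provider], fp) == record_key
    try:
        recover_key([provider], fp)         # provider alone: no access
    except PermissionError:
        return True
    return False

if __name__ == "__main__":
    print("2-of-2 rule enforced:", demo())
```

Storing the record itself off-chain and encrypting it under `record_key` is assumed; the block only shows the release of that key under the patient’s access rule.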

As Nichol rightly notes, blockchain strategies offer some big advantages over existing security, particularly given that keys are distributed and that multiple computers need to be compromised for attackers to gain illicit access to the data.

Nichol’s essay also notes that blockchain technology can be used to provide patients with more sophisticated levels of privacy control over their personal health information. As he points out, the patient can use their own blockchain signature, combined with, say, that of a hospital, to provide more secure access when seeking treatment. Meanwhile, when they want to limit access to the data, it’s easy to do so.

And voila, health data maintenance problems are solved, he suggests. “This model lifts the costly burden of maintaining a patient’s medical histories away from the hospitals,” he argues. “Eventually cost savings will make it full cycle back to the patient receiving care.”

What’s even more interesting is that Nichol is clearly not just a voice in the wilderness. For example, Philips Healthcare recently made an early foray into blockchain technology, partnering with blockchain-based record-keeping startup Tierion.

Ultimately, whether Nichol is entirely on target or not, it seems clear that health IT players have much to gain by exploring use of blockchain technology in some form. In fact, I predict that 2016 will be a breakout year for this type of application.

ONC Wants Medical Practices To Have A Privacy and Security Officer

Posted on May 21, 2012 | Written By Anne Zieger

The Office of the National Coordinator for Health Information Technology (ONC) has thrown down the gauntlet on HIPAA, challenging medical practices to select a privacy and security officer. The ONC recommendation comes as part of a report outlining a 10-step plan to protect patient data.

While the advice it offers might be helpful to a range of providers, the report is largely focused on medical practices which are adopting EHRs and don’t have trained IT staffers to manage privacy protection and security, said Daniel Berger, president and CEO of Redspin Inc. in an interview with InformationWeek. As practices shift from paper notes to digital records, there are countless opportunities to slip up and have a data breach.

The problem may get worse as practices move up to Meaningful Use Stage 2, as this level of compliance will force practices to exchange data between providers. Securing their own health data is hard enough; HIEs pose greater risks still.

To make sure their data stays secure, a privacy officer is important but not sufficient. Other suggestions include:

* Do a privacy/security risk analysis, and create an action plan to address problems found during the analysis
* Develop written policies and procedures for protecting electronic protected health information
* Educate and train employees thoroughly
* Make sure business associate agreements meet HIPAA standards and HITECH breach notification requirements

Though the ONC is trying to be helpful, I suspect that few medical practices are ready to follow these suggestions. While practices certainly understand that HIPAA is a serious proposition, I’ll submit that few are ready to do a risk analysis. (After all, many medical practices haven’t had their EMR that long and are pretty overwhelmed just making it work for them.)

On the other hand, if practices name a privacy and security officer, train them and get them going now on risk analysis, it could result in a process of learning where knowledge diffuses out into the practice. Yup, I think that step will go a long way on its own.