Archive for July, 2010

Banking and pizza security mistakes

Two unrelated, non-health-IT security issues were identified this week. Citibank admitted that its iPhone banking app stored personal information, including account numbers, bill payment information and security access codes, in a hidden file on users’ iPhones. In addition, Risky.Biz is reporting that the pizza chain Hell Pizza, in New Zealand, the UK and Ireland, had its customer database compromised and that 230,000 rows of customer data were accessed.

Citibank has updated their banking app so that personal information is no longer stored on the iPhone.  Hell Pizza issued a statement that the customer database that was compromised had full names, addresses, phone numbers, e-mail addresses, passwords and order history but did not contain any credit card information.

The reason I mention both of these security incidents is because they reveal an alarming trend.  More and more personal information is being collected and put at risk by companies that do not properly secure and protect their customer information.

The application developers at Citibank ignored the fact that a high percentage of smartphones are either lost or stolen. One can only question why they would decide to store personal information on the iPhone when the risk of the phone being lost or stolen was so high. My guess is that they were rushing to get the banking application out to customers and that storing personal data on the phone was the easiest method of developing the application. The concern here is that there are over 200,000 apps for the iPhone and 30,000 for Google’s Android phones. With all of these apps being developed, how many others are making security mistakes and putting customers’ personal information at risk?

According to Risky.Biz, the Hell Pizza database was very easy to access; it was as though Hell Pizza did very little to protect it. The issue here is that personal data was collected and not secured. Granted, the data did not contain credit card information, but it did contain email addresses and passwords. If hackers obtained customer email addresses and passwords, there is a good chance that they attempted the same combinations at other sites such as Amazon, eBay and online banking sites. As a personal note: this is a very good example of why you do not want to use the same email address and password at different websites.
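The damage from a leaked password table depends almost entirely on how the passwords were stored. The following is an added illustration, not code from the post or from any company it names: the weak pattern (the stored value is the password itself, so a copy of the table is a copy of every credential and can be replayed at other sites) beside the hardened one (a per-user random salt, a deliberately slow key derivation, and a constant-time comparison). The table contents, addresses and the 600,000 iteration count are constructed or assumed for the example.

```python
"""Password storage: the recoverable pattern beside the hardened one."""
import hashlib
import hmac
import secrets

# Constructed sample of a breached table whose passwords were kept in a
# recoverable form. Whoever holds the table holds every credential in it and
# can replay each email/password pair against unrelated sites.
WEAK_TABLE = {
    "alice@example.invalid": "pepperoni1",
    "bob@example.invalid": "margherita!",
}


def weak_verify(email: str, password: str) -> bool:
    """Direct comparison against the stored secret: the database IS the credential."""
    return WEAK_TABLE.get(email) == password


# Hardened pattern: per-user random salt, deliberately slow key derivation,
# constant-time comparison. A stolen record cannot be replayed anywhere, and an
# attacker pays the full iteration cost for every guess against every user.
PBKDF2_ITERATIONS = 600_000   # assumption: tune so one check takes ~100 ms on your servers
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record, so the iteration count can be raised later
    # without invalidating existing users.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def _parse(stored: str):
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown algorithm")
    return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def verify_password(stored: str, password: str) -> bool:
    try:
        iterations, salt, expected = _parse(stored)
    except ValueError:          # malformed record: fail closed
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, target_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a record predates the current cost policy; upgrade it on next login."""
    try:
        iterations, _, _ = _parse(stored)
    except ValueError:
        return True
    return iterations < target_iterations
```

Two things to notice: hashing alone does not stop password reuse across sites, since the attacker can still crack weak passwords offline and try them elsewhere, but it turns an instant, total compromise into a per-guess cost the defender controls; and the self-describing record format lets the iteration count be raised as hardware gets faster, with `needs_rehash` flagging old records at login.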

Turning to health IT, both the Citibank and Hell Pizza incidents raise similar concerns. Will EMR vendors, in their rush to develop an EMR for the iPhone, iPad or Android OS, make similar security mistakes and store patient data on these devices? As medical practices implement new EMRs and start to give patients access to patient portals, will they properly secure the patient database? Will hackers find it as easy to access patient information as it was to access the Hell Pizza customer information? Will medical practices lack the security knowledge and resources to ensure that the patient databases are properly secured? Unfortunately I think the answer to a lot of these questions is YES. Some EMR vendors will make bad decisions and take security shortcuts in their race to bring a version of their EMR to the smartphone market. Some medical practices will not protect patient databases, and security breaches of patient information will occur.

Let’s hope that EMR vendors and medical practices learn from the mistakes that both Citibank and Hell Pizza have made.


More black clouds over cloud computing

In this post I talked about the dangers of cloud computing. I mentioned that the service Entegration utilizes for its Help Desk support system is from Intuit and is called QuickBase. At the time of the original post Intuit had just experienced an outage of the QuickBase service that lasted around 24 hours.

Intuit is now experiencing a second major outage that has had the QuickBase service unavailable for almost two days. That’s right, QuickBase has been unavailable for almost 48 hours. Our customers are not able to log support tickets or get the status of previously submitted support tickets. As I mentioned in my original post, we have alternative methods for clients to interact with us regarding support.

The issue here is not Entegration’s Help Desk support system, the issue is the reliability of cloud computing.  Frankly I put a lot of trust into Intuit because of their company size, the resources they have, and their reputation.  This last outage has made me think twice about utilizing the QuickBase service moving forward.  But more importantly it has made me wonder about the reliability of any cloud based service.  Entegration can survive without our Help Desk support system but what if it was an EMR?  Could a practice afford to be down for 48 hours without access to electronic medical records?  Could an accounting firm be without their accounting system for 48 hours?

Cloud computing is very attractive, but cloud computing can have a dark side. When the application that runs in the cloud goes down, it can bring a business to its knees. Most of the time there is no way to run a cloud-based application locally, so when the application is down there is nothing a business can do.

Many practices are evaluating cloud-based EMRs. I have been fairly neutral on the prospect of cloud-based EMRs. I have thought to myself that if a practice doesn’t have to invest in a lot of infrastructure and can be up and running in a short period of time, then a cloud-based EMR makes a lot of sense. But now that I have experienced first hand the dangers of cloud-based computing, I would be highly skeptical of utilizing a cloud-based EMR. The dangers are much more real than I imagined in the past.


Data breach of 800,000 records

South Shore Hospital in Massachusetts announced yesterday that personal records of 800,000 individuals may be missing. The hospital sent backup tapes to a contractor for destruction. The contractor has informed the hospital that only a portion of the tapes were received and destroyed; the rest of the tapes are missing.

According to the Boston Globe:

The hospital said the files contained information on patients, employees, physicians, volunteers, donors, and other business partners associated with South Shore between Jan. 1, 1996, and Jan. 6 of this year.

The files may have included names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, diagnoses, treatments relating to hospital and home health care visits, and other personal information.

My first reaction to this story is to ask “why weren’t the backup tapes encrypted”?  On the South Shore Hospital FAQ website they answer the question:

These particular back-up computer files were scheduled for destruction because they were in a format the hospital no longer uses and because the back-up process did not allow for these files to be encrypted. However, specialized software, hardware, and technical knowledge and skill would be required for someone to access and decipher the information.

So we have another massive data breach that puts 800,000 individuals in a position of having their personal information compromised. The FAQ’s point that specialized hardware and software would be needed to read the tapes is not a control: the drives and restore software for a retired tape format remain obtainable, and encryption is the only thing that makes a lost tape unreadable. If there is one lesson that should come from this it is this: make sure your data backups are encrypted. Most backup software has an option to encrypt the data that is copied to tape. If you are not using that option, start ASAP. If your software does not support encryption, upgrade to software that does! Any data that leaves a practice should be encrypted. If it is not, it is only a matter of time before your practice is in the headlines over a data breach.
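Two procedural controls would have changed this story even with a backup product that could not encrypt: a gate that refuses to hand over media still holding readable identifiers, and a manifest of exactly which tapes were shipped so the destruction certificate can be reconciled against it. The following is an added illustration, not code from the hospital or the post. It does not encrypt anything (use the backup product’s own encryption option for that); it is a detective backstop. The tape images, labels and the medical-record-number pattern are constructed or assumed for the example.

```python
"""Gate and manifest for backup media that leave the premises."""
import hashlib
import math
import random
import re
from collections import Counter

# Patterns that must never be readable on outbound media. The MRN format is an
# assumption standing in for whatever the local record numbering looks like.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
MRN_RE = re.compile(rb"\bMRN[:#]?\s*\d{6,10}\b")

# Constructed sample images. The first is what an unencrypted backup of patient
# records looks like; the second stands in for a properly encrypted image
# (seeded pseudo-random bytes, so the demonstration is repeatable).
PLAINTEXT_TAPE = (
    b"PATIENT: J. Doe  DOB: 1961-04-02  SSN: 123-45-6789  MRN: 00123456\n"
    b"SERVICE: 2009-11-03  DX: hypertension  PLAN: BCBS\n"
)
ENCRYPTED_LIKE = random.Random(2010).randbytes(4096)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Encrypted or compressed data sits near 8.0; text near 4 to 5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def release_check(blob: bytes, min_entropy: float = 7.5) -> list[str]:
    """Reasons an image must NOT leave the building. Empty list means release."""
    reasons = []
    if SSN_RE.search(blob):
        reasons.append("readable SSN pattern present")
    if MRN_RE.search(blob):
        reasons.append("readable medical record number present")
    entropy = shannon_entropy(blob)
    if entropy < min_entropy:
        reasons.append(f"entropy {entropy:.2f} bits/byte is not consistent with encryption")
    return reasons


def build_manifest(tapes: dict[str, bytes]) -> dict[str, str]:
    """Tape label -> SHA-256 of its image, recorded before handover to the contractor."""
    return {label: hashlib.sha256(image).hexdigest() for label, image in tapes.items()}


def reconcile_destruction(manifest: dict[str, str], certified: list[str]) -> list[str]:
    """Labels we shipped that the destruction certificate does not account for."""
    return sorted(set(manifest) - set(certified))
```

The entropy test alone is not proof of encryption, since compressed but unencrypted archives also score near 8 bits per byte; that is why the identifier scan runs as well, and why the real control is the backup product’s encryption setting with this gate as a second line. The manifest is the piece that turns “only a portion of the tapes were received” from a surprise into a specific list of labels to chase the same day they fail to appear.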

Strange days indeed

You have to admit that now is a very interesting time to be in the healthcare field. This year we saw a $1 Trillion healthcare reform bill get passed. I don’t believe that anyone has a real understanding of the impact of the bill or its effects on medical practices. It seems every day more details of the bill are revealed. It will take years before we see the total impact.

Then you have the ARRA stimulus package, which provides $19 Billion in Medicare incentives to doctors that embrace the use of certified EHRs. This is a huge opportunity for medical practices to implement technology and move from paper charts to EHRs. But along with the incentives come some significant obstacles. Medical practices have to use a certified EHR, but there is no definition of what that means or who the exact certifying bodies are. As of today you cannot purchase an EHR that is certified and will qualify for the stimulus funds. Practices not only have to implement certified EHRs, they have to use them in a way that shows “meaningful use”. Of course the exact rules for meaningful use are not known, and many argue that the rules being proposed are too rigid and the bar is too high for practices to actually show meaningful use. Taken altogether, you have a lot of medical practices that want to cash in on the ARRA stimulus incentives and implement an EHR, but uncertainty and obstacles are keeping them on the sidelines. They are taking the wait-and-see approach. Some are even thinking that it may not be worth the effort to attempt to participate in the ARRA stimulus incentives.

One thing is certain: the medical practices that are moving forward with an EHR implementation are spending a lot of money. There is no way around it, EHRs are expensive. The cost of the software, hardware, network, training, staff disruption and all of the other components that go into an EHR implementation adds up. Of course the hope is that the costs will be offset by the ARRA stimulus incentives, but that is not a guarantee, as I mentioned before.

At the same time as all this uncertainty around healthcare reform and ARRA stimulus, medical practices have to contend with two major economic issues. The first is the severe recession that we have been in since 2008. There is no way around it: when the economy is suffering, all businesses, including medical practices, suffer as well. I hear from my clients that patient visits are down and that waiting rooms are less full. This has a significant and real impact on a medical practice’s cash flow and financial health. The second economic issue is the proposed cut of 21% in Medicare payments to physicians. For at least six months the looming threat of a 21% cut in Medicare payments has darkened the economic sky for medical practices. Congress has postponed the cuts several times but has not permanently addressed the situation. As of today, the 21% cut has been pushed back until November 30, 2010. Along with postponing the Medicare cut, Congress has given doctors a 2.2% increase until November. Very few medical practices are rejoicing, because in December 2010 they are looking at a 23% cut in Medicare payments, followed by a 30% cut in January 2011. No one really knows what the final outcome will be, or when.

On top of major financial outlays to implement EHRs and the uncertainty surrounding the economy and Medicare reimbursements, medical practices have to deal with many government regulations. As I have written about often, the looming threat of HIPAA Security audits is a real concern for medical practices. Implementing HIPAA Security usually requires skill sets that medical practices don’t have. IT security companies are needed to help with policies and procedures, vulnerability and risk assessments, and implementing new technologies such as email and laptop encryption. On top of HIPAA Security, medical practices face the “Red Flags Rule”, requiring that certain entities develop and implement written identity theft prevention and detection programs to protect consumers from identity theft. The Red Flags Rule has been postponed several times and was to go into effect June 1, 2010. As of now the FTC has agreed to keep physicians exempt from the rule until the outcome of a lawsuit by the American Bar Association. Once again, the outcome of this regulation is unknown.

When you look at each of the issues a medical practice has to address, from healthcare reform to Medicare reimbursement cuts, they don’t seem too bad. Each one taken separately allows a medical practice to address the issue and to make modifications to the way it runs its business. But unfortunately all of the issues are happening at the same time. A medical practice has to address all of them together: major financial outlays, cuts in revenue caused by several factors, and staying abreast of and implementing the latest government regulations. All the time spent addressing these issues is time not spent seeing and treating patients.

Have other industries gone through such dramatic change in such a short period of time? The changes provide opportunities along with real negative effects. Medical practices need to be flexible and to adjust to all of these changes. Some of the changes, such as the Red Flags Rule, may never occur. But either way a medical practice needs to be prepared, needs to be informed and needs to be ready to change its business model to adjust to such dramatic changes. Strange days indeed.
