A recent post over at HealthcareInfoSecurity.com has an interview with Robert Wah, M.D., of Computer Sciences Corp.  Dr. Wah gives some very insightful tips on what a practice should address when looking at a hosted EHR.  Below are some key points of the interview.

Dr Wah recommends that a practice have multiple paths of connectivity to the hosted EHR datacenter.  In practical terms, you will want at least a primary Internet connection such as a T-1 and a backup Internet connection such as a Cable Modem, FIOS or DSL.

But the other thing one has to think about when looking at remotely hosting an application like this is it is important to have multiple paths to the data center so that you are not reliant on a single point of failure. Because the classic worry that people have, and certainly I had this when I was in the Department of Defense, is…we used to always talk about what happens if a backhoe digs up the cable that runs to our data center…if you have multiple pathways to the data center so you can fail over to another pathway and not lose connectivity.

Dr. Wah recommends that a practice ensure that a contract with the EHR vendor specifically address HIPAA, security and who pays to implement any new regulations.

It is important to have in the contract what is the plan when new regulations come out; whose responsibility is it to comply with those; what is the timeframe for achieving compliance; and who bears the cost of changing the system or adding new layers of security to become compliant.

Dr. Wah goes into detail about ensuring that the EHR data is backed up.

It is important to understand at the beginning…what is the normal schedule for backup, and whether that meets the requirements of your situation…. We have a client that is a major medical center at one of the Ivy League schools. Every month, we drop a tape with the latest full backup so if anything happened to the data and they were not able to get to our system, they would be able to rely on an actual backup and the gap between the time they got it and the time they needed it would be fairly short.

Dr. Wah addresses other security issues that should be considered including; how the hosted datacenter is run, ensuring that the personnel working in the datacenter are well versed with HIPPA, and knowing what the maintenance schedule is and the associated availability of the EHR.

Well I think it is important to remember that when we are talking about healthcare, in most cases we are talking about mission-critical data. So it is important to deal with it just like other industries deal with mission-critical data.

Financial industries obviously have dealt with this issue for a long time, because if they don’t have access to financial data, they are sort of out of business. Lack of access to data in healthcare can actually be detrimental to patient care, which makes it even more mission-critical than financial information.

So I think it is important to have good transparency into how a data center runs. The data center operations must be transparent to the client so that they know and have good reassurance that, as I said before, the highest level of security is being maintained both from a technology standpoint but also from a policy and procedure standpoint. The client also must be assured that the people who are working in that data center are trained, are very complaint with HIPAA guidelines, and understand the importance of electronic personal health information and are very cognizant of the mission criticality of the system that they are running.

Some people actually go visit the data center to actually see the physical plant and meet the people who are going to be involved with handling their systems. Because it is, as I said before, a mission-critical data set that they are dealing with and they want to know that they have put that in the right hands. I would say transparency is a question that you always want to bring up when you are dealing with trying to select someone to handle your mission- critical data. I think it is also important to talk about maintenance. Sometimes it is necessary to shut down the system to do maintenance….So it is important to make sure that everyone understands what the procedure would be when that maintenance occurs.

In some systems, it is possible to do it during the off hours when no patient care is going on. When I was in the Department of Defense, we had a problem where we were operating our system in 12 time zones, so there really was no “middle of the night.” Everybody was accessing the system all of the time, so we had to have backup systems put in place while maintenance was done on the main system. But other systems that are not spread as globally as we were in the Department of Defense may not have that same problem.

Knowing when the system is going to go down and when it will come back up is critical so that people know to prepare and have a contingency plan where they can go to some sort of an alternative format, whether that be paper or another system, while the maintenance is going on.

I think Dr. Wah points are very valid and give a good insight into what should be discussed with any EHR vendor that is offering a hosted product.  I have discussed some of the dangers of cloud computing in the following posts.

• The dangers of cloud computing
• More black clouds over cloud computing

Dr. Kathy Corby, an emergency room doctor, treated an 8 year old patient using her iPhone and 7 separate apps.  The 8 year old girl was having seizures and was not breathing.  Dr. Corby reached for her iPhone and used the following applications to save the girl:

The child has a rare hereditary disease, and Corby needed to become an instant expert. So she began scanning a number of medical apps loaded onto her iPhone to access “everything you can’t remember on your own in the midst of something like this.”

The power of smartphone and medical apps is truly amazing.  I think stories like this will be told again and again. Scanning through large text books or even going to a computer to do research will be replaced by reaching for a smartphone and instantly accessing information.  And in an emergency situation the use of a smartphone could be even more important.  As Dr. Corby said:

“I did all of this,” she said, “without taking my eyes off the child.”

Two unrelated and non-health IT security issues were identified this week.  Citibank admitted that their iPhone banking app stored  personal information including account numbers, bill payment information and  security access codes in a hidden file on users’ iPhones.  In addition Risky.Biz is reporting, the pizza chain Hell Pizza in New Zealand, the UK, and Ireland had their customer database compromised and that 230,000 rows of customer data was accessed.

Citibank has updated their banking app so that personal information is no longer stored on the iPhone.  Hell Pizza issued a statement that the customer database that was compromised had full names, addresses, phone numbers, e-mail addresses, passwords and order history but did not contain any credit card information.

The reason I mention both of these security incidents is because they reveal an alarming trend.  More and more personal information is being collected and put at risk by companies that do not properly secure and protect their customer information.

The application developers at Citibank ignored the fact that a high percentage of smartphones are either lost or stolen. One can only question why they would make the decision to store personal information on the iPhone when the risk of the phone being lost or stolen was so high?  My guess is that they were rushing to get the banking application out to customers and that storing personal data on the phone was the easiest method of developing the application.  The concern here is that there are over 200,000 apps for the iPhone and 30,000 for Google’s Android phones.  With all of these apps being developed how many others are making security mistakes and putting customers / user personal information at risk?

According to Risky.Biz, the Hell Pizza database was very easy to access.  It was as though Hell Pizza did very little to protect the database.  The issue here is that personal data was collected and not secured.  Granted the data did not contain credit card information but did contain email addresses and passwords.  If hackers obtained customer email addresses and passwords there is a good chance that they attempted to use the same email address and passwords at other sites such as Amazon, eBay and online banking sites.  As a personal note:  this is a very good example of why you do not want to use the same email address and password at different online websites.

Turning to health IT, both the Citibank and Hell Pizza incidents raise similar concerns.  Will EMR vendors, in their rush to develop an EMR for the iPhone, iPad or Android OS, make similar security mistakes and store patient data on these devices?  As medical practices implement new EMRs and start to give patients access to patient portals, will they properly secure the patient database.  Will hackers find it as easy to access patient information as it was the Hell Pizza customer information?  Will medical practices lack the security knowledge and resources to ensure that the patient databases are properly secured?  Unfortunately I think the answer to a lot of these questions is YES.   Some EMR vendors will make bad decisions and take security shortcuts in their race to bring a version of their EMR to the smartphone market.  Some medical practices will not protect patient databases and security breaches of patient information will occur.

Let’s hope that EMR vendors and medical practices learn from the mistakes that both Citibank and Hell Pizza have made.

You have to admit that now is a very interesting time to be in the healthcare field.  This year we saw a $1 Trillion healthcare reform bill get passed.  I don’t believe that anyone has a real understanding of the impact of the bill or its affects on medical practices.  It seems every day more details are revealed of the bill.  It will take years before we see the total impact.

Then you have the ARRA stimulus package which provides $19 Billion in Medicare incentives to doctors that embrace the use of certified EHRs.  This is a huge opportunity for medical practices to implement technology and move from paper charts to EHRs.  But along with the incentives come some significant obstacles.  Medical practices have to use a certified EHR but there is no definition of what that means or who the exact certifying bodies are.  As of today you can not purchase an EHR that is certified and will qualify for the stimulus funds.  Practices not only have to implement certified EHRs but they have to use them in a way that shows “meaningful use”.  Of course the exact rules for meaningful use are not known and many argue that the rules that are being proposed are too rigid and the bar is too high for practices to actually show meaningful use.  Taken altogether, you  have a lot of medical practices that want to cash in on the ARRA stimulus incentives and to implement an EHR but you have uncertainty and obstacles that are keeping them on the sideline.  They are taking the wait and see approach.  Some are even thinking that it may not be worth the effort to attempt to participate in the ARRA stimulus incentives.

One thing for certain is that the medical practices that are moving forward with an EHR implementation are spending a lot of money.  There is no way around it, EHRs are expensive.  The cost of the software, hardware, network, training, staff disruption and all of the other components that go into an EHR implementation all add up.  Of course the hope would be that the costs would be offset by the ARRA stimulus incentives but that is not a guarantee as I mentioned before.

At the same time you have all this uncertainty around healthcare reform and ARRA stimulus, medical practices have to contend with two major economic issues.  The first is the severe recession that we have been in since 2008.  There is no way around it, when the economy is suffering all business including medical practices suffer as well.  I hear from my clients that patient visits are down and that waiting rooms are less filled.  This has a significant and real impact on a medical practice’s cash flow and financial health.  The second economic issue is the proposed cut of 21% in Medicare payments to physicians.  For at least 6 months the looming threat of a 21% cut in Medicare payments have darkened the economic sky for medical practices.  Congress has postponed the cuts several times but have not permanently addressed the situation.  As of today, the 21% cut has been pushed back until November 30, 2010.  Along with postponing the Medicare cut, Congress has given doctors a 2.2% increase until November.  Very few medical practices are rejoicing because in December 2010 they are looking at a 23% cut in Medicare payments followed up by a 30% cut in January 2011.  No one really knows what or when the final outcome will be.

On top of major financial outlays to implement EHRs and the uncertainty surrounding the economy and Medicare reimbursements, medical practices have to deal with many government regulations.  As I have written about often, the looming threat of HIPAA Security Audits are a real concern for medical practices.  Implementing HIPAA Security usually require skill sets that medical practices don’t have.  IT security companies are needed to help with policies and procedures, vulnerability and risk assessments along with implementing new technologies such as email and laptop encryption.  On top of HIPAA Security, medical practices face the “Red Flags Rule”  requiring that certain entities develop and implement written identity theft prevention and detection programs to protect consumers from identity theft.  The Red Flags Rule has been postponed several times and was to go into affect June 1, 2010.  As of now the FTC has agreed to keep physicians exempt from the rule until the outcome of a lawsuit by the American Bar Association.  Once again, the outcome of this regulation is unknown.

When you look at each of the issues a medical practice has to address from healthcare reform to Medicare reimbursement cuts they don’t seem to bad.  Each one taken separately allows a medical practice to address the issue and to make modifications to they way they run their business.  But unfortunately all of the issues are happening at the same time.  A medical practice has to address all of the issues together including major financial outlays, cuts in revenue caused by several factors,  and staying abreast and implementing the latest government regulations.  All the time spent addressing these issues is time not spent on seeing and treating patients.

Have other  industries gone through such dramatic change in such a short period of time?  The changes provide opportunities along with real negative affects.  Medical practices need to be flexible and to adjust to all of these changes.  Some of the changes such as the Red Flags Rule may never occur.  But either way a medical practice needs to be prepared, need to be informed and need to be ready to change their business model to adjust to such dramatic changes.  Strange days indeed.

I have been thinking and posting a lot about HIPAA security lately.   In the meantime Entegration has been involved in a large scale EHR implementation for one of our clients.  The combination of the two activities has allowed me to come up with a theory that is downright scary.  I don’t claim to be Nostradamus and I can’t see the future but I will throw out my theory anyway.  I believe that the ongoing EHR gold rush will put a lot of patient information in electronic form and place it in the hands of inexperienced employees that have not been trained on proper security precautions.  In addition, health organizations will think about security after the EHR implementation and not properly plan security prior to an EHR implementation.  Together these events will lead to a huge amount of security breaches that will compromise patient information and could potentially derail the effort to modernize our health information systems.

As part of the ARRA stimulus package many health organizations from hospitals to solo practices are pushing to implement EHRs to receive the full Medicare reimbursement per doctor.  There will be a big up-tick in the amount of health organizations that go from paper charts to electronic health records.  There will also be a big push to start using existing EHRs to comply with the “meaningful use” standards which will require more functions and modules to be turned on within existing EHRs.  In addition, more employees at health organizations will be required to utilize computers, tablets, laptops and other computing devices to perform their jobs.  Taking all of these events together will mean a lot more patient information will be in electronic form and a lot more people will have access to the electronic information.

Over the years Entegration has been involved in many EHR implementations.  There seems to be a common theme that I have noticed throughout all of these implementations and it is pretty consistent no matter who the EHR vendor is.  Employee training of the EHR is usually a quickly thrown together process where the EHR vendor sends a trainer onsite to teach a series of group classes on how to use the EHR.  These classes range from 1 hour to half of a day depending on the employee job function and responsibility.  After the class is over the employee is sent on their way to start using the EHR.  The training the employee receives is usually focused specifically on how to use the EHR, how to navigate screens, perform functions, etc.  Rarely have I seen training that includes a security overview that discusses protecting patient information on laptops, sending patient information via email or addresses password complexity, etc.

Furthermore, many health organizations that go from paper charts to EHRs also go from simple computer networks to much more complex networks that are required for the EHR.  In the process of implementing the EHR a large amount of computer equipment has to be purchased and installed including servers, desktops, tablets, printers, upgraded Internet connections and various other equipment.  Unfortunately most health organizations that go from paper charts to EHRs do not go through a formal security review prior to the implementation.  These organizations most likely will not concern themselves with the HIPAA Security Rule because before the EHR they don’t have a lot of electronic protected health information (EPHI).  So most likely the organization will have very few if any security policies and procedures. They will probably not go through a formal risk assessment and will not perform vulnerability scans on the newly created complex network.  Employees will not go through training sessions that discuss protecting newly formed EPHI.

What you will have is a lot of health organizations that start putting patient information into EHRs that are used by employees without proper security training.  You will have health organizations that have newly created complex networks without proper security policies and procedures.  These complex networks will not have the proper vulnerability assessments.  Employees will not be trained on best security practices that discuss protecting patient information on laptops and portable devices, they will not have training on sending EPHI via email, or the use of complex passwords.  The networks will not have the proper auditing in place that monitor the event logs to determine if there has been access to information by unauthorized personnel which could be internal employees or threats from external entities.  Data will most likely be backed up but full Disaster Recovery technologies and procedures will probably not be in place.

We have seen a large number of security breaches so far in 2010.  It seems like every week we hear about more and more patient information that has been compromised.  This is happening already even before the big push by a majority of health organizations to implement EHRs.  When all the forces come together will we see the flood gates open and patient information be compromised and data breaches occuring at an alarming rate?  If this does occur will patients lose trust in their doctors and the use of EHRs?  I don’t know the answers to these questions but if my theory is correct we will see a major occurrence of patient information data breaches that will put patient’s information in jeopardy and could potentially damage the effort to modernize our health information systems.

Many years ago Entegration would respond to support calls and fix problems when they occurred.  The use of remote tools and the ability to do preventative maintenance was not mature.  Occasionally we would send a tech to a client’s office and have them do some system maintenance which included making sure backups were occurring, checking for hardware errors, applying any outstanding Microsoft Service Packs, etc.  Keep in mind that these were the days before software vendors released regularly scheduled security patches and program updates.

Unfortunately the old model which is referred to as “break / fix” led to a lot of frustration from a client perspective and from our perspective.  The reason it is called break / fix is because a client would report a problem (break) and we would repair the problem (fix).  Over time some of the same problems would occur over and over.  A client would get frustrated having to report the same problem over and over and we would be frustrated having to fix the same problem over and over.  Unfortunately at times we were not able to stay ahead of problems.

In the past few years significant changes have occurred that allowed us to move away from a break / fix model.  The first significant change was the use of remote administration tools.  All of our clients now have Internet connections.  We now can leverage the Internet to remotely and securely access our client’s networks without having to be at their office.  The second significant change was that software vendors started to release regularly scheduled software patches.  These patches fix security holes and/or program bugs.   For example, on the second Tuesday of each month Microsoft releases a set of patches that fix security holes or program bugs in certain operating systems (i.e. Windows XP, 2003 Server) or applications (MS Word, Excel, Access, etc.).

Now for every client that we support we provide preventative system maintenance.  We now use automated tools to let us know the health of a client’s network.  We know if a client’s servers are up or down or if their Internet connection has failed.  We receive notifications when data backups fail or when a virus outbreak occurs.  We work with system tools to push out vendor patches / updates on desktops, laptops, tablets and servers.  We now perform test restores of data to ensure that the backups are valid.  We can do all the preventative system maintenance without ever going to a client’s office.

The change from break / fix to preventative system maintenance had a real and positive effect.  The amount of support calls / tickets that we received from clients went down significantly.  I don’t have the exact numbers but I would guess that support calls decreased by 50% over time.  A client network that is regularly patched with operating system and application updates is much more stable and reliable.  This has a positive affect on our clients and the use of our techs.  Our clients are happy because they have a network that is much more dependable and reliable.  There is much less time and money being spent on annoying problems.  Clients can focus on implementing advanced services that make them more efficient.  From our perspective with less support calls we can take on more clients without having to hire more techs.  Preventative system maintenance has produced stable and reliable networks that don’t need as much support from us.

As a practice moves from paper charts and simple networks to full EHR / EMR implementations with complex networks, it is essential to move to a preventative system maintenance model.  Break / fix is not an option as you implement more and more network equipment.  Complex networks need to be patched at the operating system level (Windows XP, Windows 7, Windows 2003 and 2008 Server), the system application level (MS SQL, Exchange, etc) and at the desktop application level (MS Office, Adobe Acrobat, EMR client software, etc.).  As you are looking into implementing and EHR / EMR, conversations with your IT vendor should be occurring on how the network will be supported.  If you have already implemented an EHR / EMR your vendor should be doing preventative maintenance on your network.  In addition to ensuring that a network is stable and reliable, networks that are kept up to date are much more secure as I pointed out in this article.  My last thoughts on this is if you want your practice to run as smooth as possible and to make the most out of your EHR / EMR, moving to a preventative system maintenance model is a requirement.

A story over at FierceMoblieHealthcare reports that two laptops were stolen from the Department of Veterans Affairs.  Neither of the laptops had the hard drives encrypted.

Two recently disclosed potential breaches of health data in government health programs, potentially impacting more than 10,000 patients, were the result of stolen, unencrypted laptops belonging to contractors.     

The Department of Veterans Affairs said that a laptop stolen from an unspecified contractor’s car April 22 contained unencrypted, personally identifiable information of about 644 veterans. And New Mexico’s Health and Human Services Department reported last week that an employee of West Monroe Partners, a subcontractor that processes dental claims for Medicaid enrollees, had an unencrypted computer in the trunk of a car stolen in Chicago March 20. That computer may have contained data on 9,600 beneficiaries, Government Health IT reports.

Still, the news incensed Rep. Steve Buyer (R-Ind.), the ranking member of the House Veterans Affairs Committee, because a law passed in the wake of a major breach in 2006 that threatened the privacy of 26.5 million veterans and their spouses requires VA contractors to encrypt health data on laptops. The breach indicates that the “VA lacks focus on its primary responsibility of protecting veterans’ personal information,” Buyer writes in a May 12 letter to VA Secretary Eric Shinseki.

“We would like to express our deepest concern about the continued use of unencrypted devices within VA, despite the ongoing efforts to stop such use,” he adds.

It seems to me that if your medical practice is using laptops that are unencrypted, it is only a matter of time before you experience a security breach.  Encrypting the hard drive of a laptop is neither very complicated nor is it expensive.  My advice is to start looking into laptop encryption sooner rather than later.

It seems pretty obvious that if you keep your software updated you decrease the chances of incurring a security breach.  Software updates include Operating Systems (Windows XP, Vista, Windows 7, Windows Server 2003, Windows Server 2008, etc.), Adobe Acrobat, Microsoft Office, Internet Explorer, Microsoft SQL Server, etc. .  By security breach I am referring to a virus attack, spyware / malware or a theft of data from an external entity to your network.

Microsoft published Version 8 of its Security Intelligence Report (SIR) which is a 250 page report on security.

Wolfgang Kandek the CTO of Qualys, a maker of vulnerability scanning products does a nice job summarizing some of the key points of the Microsoft SIR:

Running updated software decreases the attack surface and increases general robustness. The report shows that attackers target Internet Explorer 6 (IE 6) up to four times more often than the newer version IE 7 (pg.33). Statistics on the OS level reveal that the newer versions of Windows are less likely to be infected by malware — Windows XP SP3 is more than five times better than the original Windows XP, and Windows 7 is another three times better than XP SP3 (pg. 85). In addition, 64-bit implementations add another layer of robustness.

 

Application attacks continue to increase. Adobe Reader attacks were used in 44 percent of the investigated cases, followed by an attack on a recent Internet Explorer vulnerability with 16 percent. The remaining 40 percent are divided by attacks on the OS and a variety of different software packages, including RealPlayer, Apple QuickTime, and AOL software (pg.26).

 

Attacks against Microsoft Office make use of older vulnerabilities and can easily be avoided by keeping the software suite up to date. By applying the respective service packs, users can avoid the majority of Office file format attacks (pg. 43).

 

While Windows 7 (and Vista SP2) are clearly much better than the older versions of Windows, there has been an uptake in the infection rate. Attackers are starting to focus their attention on Windows 7 as it become wider deployed and it will be interesting to see how its performance develops.

It is clear to say that Microsoft believes that the more you patch and update your products the less the chances of experiencing a security breach / attack.  If you are cynical and say that of course Microsoft wants you to upgrade your products because it make them more money, I won’t argue with you.

A best practice and one that you should do as you are implementing the HIPAA Security Rule is to do a Risk Assessment which includes a vulnerability scan.  The vulnerability scan will identify all the holes and vulnerabilities in your current software (Operating System, application software, network equipment, etc.).  Once you get the results of the vulnerability scan, you will want to ensure that you apply the appropriate software patches and/or upgrades to eliminate or minimize the risk of the vulnerabilities.  Moving forward you will want to adopt a software patching process that applies the latest patches that software vendors release.  Microsoft offers a few free ways of keeping your software up to date. 

Once again, the more you keep your software updated, the less likely you will experience a security breach / attack.

InformationWeek is reporting that University of California-Davis has decided to stop using Google Gmail over privacy concerns.  The University was engaged in a trial of the paid Gmail program for 30,000 of its faculty and staff members. 

Some interesting quotes from the story:

• Many faculty “expressed concerns that our campus’s commitment to protecting the privacy of their communications is not demonstrated by Google and that the appropriate safeguards are neither in place at this time nor planned for in the near future,” the letter said.

 

• “Though there are different interpretations of these sections, the mere emergence of significant disagreement on these points undermines confidence in whether adopting Google’s Gmail service would be consistent with the policy,” the letter states.

 

•  The UC Davis IT leaders’ letter additionally stated that “outsourcing e-mail may not be in compliance with the University of California Electronic Communications Policy.” The policy forbids the university from disclosing or examining the contents of e-mails without the account holder’s consent, and from distributing e-mails to third parties.

This could have major ramifications to Google if other Universities, Medical Practices, Legal Practices and other profession service companies reach the same conclusion regarding the lack of Privacy with Gmail.

In a story that makes you scratch your head, a missing CD with over 300,000 names of New Yorkers with developmental and other health issues has been missing for almost a month.

We have not been able to locate within our Early Intervention program unit one disc out of two discs that we received from New York City,” DOH spokeswoman Claudia Hutton said.”At this point, we have no reason to believe they’ve left the building.”

The contents of the disk were encrypted but unfortunately the encryption password may have been written on the outside of the disk.

Adding to concern is the fear that the disc’s password may be written on the outside, although Hutton said the disc is encrypted and could not be read without advanced technical skill.

 

Hutton conceded that putting the password on the disc was not a good idea and amounted to “sloppy housekeeping.”