I write a lot about network security, HIPAA and protecting patient data. I truly believe that these concerns should be on the top of every healthcare organization’s security list. But recently something has hit my radar that concerns me even more. Phishing has always been a problem but now it seems like an epidemic. Let’s take a closer look at Phishing. What is Phishing? Below is the Wikipedia definition:

Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.

A good example of a typical Phishing attack is for a person to get an email from their bank that states their account has been locked due to suspicious activity.  The email states that the person needs to log into their account to reactivate it.  In the email there is a link to a website that looks like the normal bank login.  The person enters their log in credentials. From here the login credentials are used to access the real bank account and money is then transferred out of the account to another bank.

Unfortunately over the past month I have heard of actual successful Phishing attempts that have resulted in hundreds of thousands of dollars being stolen. Now you see why Phishing is on top of my list of concerns not only for my company but for my client’s as well.

In the past Phishing attempts were easy to spot.  The emails had spelling mistakes, the website didn’t look legitimate, etc. But that is not the case anymore.  The emails now are almost impossible to spot as fake, the websites look exactly like the real websites. It is getting harder and harder to spot Phishing attempts.

With the recent high profile hacking of large companies such as Epsilon and Sony, millions and millions of email addresses are now in the hands of people that are using them for Phishing attacks.

So what can an organization do to protect themselves against Phishing attacks?

1. Educate your employees – make them aware of Phishing attacks. Make sure anyone that has access to your organization’s financials, credit cards and online banking is very aware of what Phishing is and are on the lookout for Phishing attacks. Make sure they know that anytime they think something may be suspicious, they should call the bank or company and verify the legitimacy of the request prior to providing any information online.
2. Lower your bank’s wire transfer amount limit – many times a successful Phishing attack utilizes a wire transfer out of the victim’s bank into another bank. One way to protect against this is to lower the wire transfer amount limit on your account. If you don’t use wire transfers often then lower it to $5,000 or less or insist that you have to verbally approve each wire transfer. Each bank is different but it is worth the time to discuss your options with your bank.

In addition to loss of money due to wire transfers, other Phishing attempts try to collect credit card information, social networking information such as ids and passwords of sites such as Facebook and LinkedIn. Now more than ever, it is very important to scrutinize each email that you receive and make sure that it is legitimate prior to providing any information that can be used to access your accounts.

Image: scottchan / FreeDigitalPhotos.net

There has been a lot written about Google+.  Google’s new social platform seems to be a hit. Google+ mixes the best elements of both Facebook and Twitter and provides a platform that allows for both sharing of information as well as providing Facebook type comments and feedback.

So far the pace of information, sharing and user growth has been both fast and furious. I am enjoying the Google+ experience and seeing how a new social platform develops.

Are you on Google+?  If you are and want to connect use the Follow Me on Google+ box to the right of this post to add me to one of your circles.

See you on G+!

Joplin, MO was hit by a massive tornado on Sunday evening that did extensive damage to the St. John’s Regional Medical Center hospital. There are reports that x-rays from the hospital have been found in driveways 70 miles east of the hospital.

On Twitter Steven Waldren sheds some very interesting and insightful perspectives:

Steven’s quotes gets to the bottom of Disaster Recovery.  When an actual disaster hits and your servers are destroyed how do you get to your data? Having tape backups or offsite backups are fine but if your servers are gone where do you restore the data?

Disaster Recovery (DR) planning is more than ensuring you have a backup of your data. It is about ensuring that your organization can still function and get to critical systems even when your primary systems have been destroyed. With cloud-based Disaster Recovery solutions the cost of implementing DR has been significantly lowered. All healthcare organizations should be looking into some sort of DR that will not only ensure that data is properly backed up but will allow for access to critical data in the event of a real disaster.

Contingency planning and DR planning are required under the HIPAA Security Rule:

STANDARD § 164.308(a)(7)Contingency Plan

The purpose of contingency planning is to establish strategies for recovering access to EPHI should the organization experience an emergency or other occurrence, such as a power outage and/or disruption of critical business operations. The goal is to ensure that organizations have their EPHI available when it is needed. The Contingency Plan standard requires that covered entities:

“Establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic protected health information.”

DISASTER RECOVERY PLAN (R) – § 164.308(a)(7)(ii)(B)

The Disaster Recovery Plan implementation specification requires covered entities to:

“Establish (and implement as needed) procedures to restore any loss of data.” Some covered entities may already have a general disaster plan that meets this requirement; however, each entity must review the current plan to ensure that it allows them to recover EPHI

A final takeaway is that the time to think about Disaster Recovery is before a disaster hits. Implementing DR is not only required under HIPAA but is critical to any business to ensure that the organization can continue to operate even when primary systems are destroyed.

An interesting report was released by the Consumer Health Information Corporation (CHIC) which looked into the use of smartphone apps. The report was based on a survey of 395 respondents and was conducted to gauge consumer interest in health apps and evaluate the likelihood of patient adherence to them.

According to the report

The CHIC survey shows that the availability of a better app (34.4%) and lack of user friendliness (32.6%) are the top reasons for discontinuation of smartphone apps.

Another data point that seems fairly obvious is:

In general, ease of navigation (90.9%) was the top feature that made apps favorable. In terms of interest in health apps, the majority of surveyed consumers stated that they would be most interested in using a health app to gain information (91.1%).

The one piece of information that I think is very useful is how patients would like to be reminded to perform a health related task. The overwhelming response (41%) was that they would like to receive a text reminder. Only 1.3% said they wanted to receive a phone call as a reminder.  Clearly people do not want phone calls as reminders.

So if you are calling patients to remind them of upcoming appointments, you may want to explore implementing a text reminder instead.

Other information from the study included:

Consumers were most likely to use a health app to find information about drugs (42.2%) or disease states (26.5%).

39.8% were willing to use such a health app several times a day.

National health organizations were the most trusted source of health information (51.8%).

The majority of consumers were either somewhat influenced by (55.8%) or very much influenced (32.2%) by consumer ratings of apps.

33.4% of consumers preferred health apps to be free but the majority were willing to pay, with 30.9% willing to pay $1.00-$5.99.

In terms of preference for health-related task reminders, consumers did not want phone calls, drug vials, or email reminders.  The majority of consumers preferred reminders through their mobile phones such as text messages (41.1%), smartphone apps (20.3%), or phone alarm (19.5%).

This is truly a very challenging time if you are a health care organization. There is a fundamental change occurring that will transform the way medicine is practiced in the next 20 years. Almost like the invention of electricity, the light bulb or the first gas powered engine, the change will have enormous impact to everyone that it touches.

At the same time the risks associated with this change cannot be ignored. As our society moves to the use of electronic medical records, the security issues and associated risk levels have never been greater.

The burden on health care organizations is incredible when looking at securing electronic medical records, smart phones and tablets, USB drives, wireless access points, and remote access solutions. Combine that with the impact of natural disasters such as earthquakes and tornadoes that have been all over the news lately. Implementing disaster recovery solutions only adds to the overwhelming security burden.

Health care organizations are already strapped for the necessary resources to implement electronic medical records. Where will they find the resources to ensure that the appropriate security and disaster recovery procedures are properly implemented?

Like all new technologies, electronic medical records offer incredible opportunities but along with opportunities are real risks that need to be addressed. We will look back in a few years and see that health care organizations made the move from the dark ages to a much more modern area. Unfortunately we will see lots of mistakes and security issues that could and should have been addressed.

It seems that at least twice a month we are hearing about a health care organization that has had a data breach because of a lost of stolen laptop. Every time I read about a new breach I shake my head and ask myself why aren’t these organizations using encryption to protect the contents on the laptops? I have come up with 2 conclusions:

1. The organizations are not familiar with encryption technology and think it is too complex to implement
2. The organizations think that implementing encryption technology is too expensive and cost prohibitive

So I thought I would take a few minutes to hopefully help enlighten some people on just how easy it is to implement encryption and how affordable encryption is.

There are many encryption products on the market.  Some are free such at TrueCrypt, while others vary in cost and complexity.  PGP is one of the leaders in encryption and has recently been purchased by Symantec Corporation.  PGP ranges from encryption of a few laptops to 1,000s of laptops in an enterprise.  PGP usually requires some infrastructure setup that allows administrators to control policies, safeguard encryption keys and monitor which laptops have been encrypted. There is some complexity that is associated with setup and deploying PGP encryption.

A product that we have been using for ourselves and our clients is called AlertBoot.  AlertBoot is an easy to install encryption product that encrypts the entire laptop’s hard drive.  The install is web based from the AlertBoot’s site and is very easy and painless.  Depending on the size of the hard drive and the speed of the drive it can take anywhere from 30 minutes to 4 hours to encrypt the drive.  You can even use the laptop while it is doing the one-time encryption.  There is no risk of losing the encryption password and then being locked out of the laptop.  AlertBoot has 7×24 hour support that can help a user recover a lost encryption password.

AlertBoot Support, Password Recovery, and Helpdesk

Forget your password? Have a question about AlertBoot? Don’t worry: help is always just a phone call away. AlertDesk is your personal helpdesk for password recovery and assistance— open 24 hours a day, 7 days a week, 365 days a year.

AlertDesk is completely secure and confidential. You’ll be challenged with security questions as a safety precaution to verify your identity. AlertDesk Support will never have access to your devices or your personal data.

AlertBoot encryption costs $12.95 per month per laptop.  There is a 10% savings if you prepay for the year.  So for around $150/year per laptop you can fully encrypt the contents of the hard drive.

Now to be clear, AlertBoot is just one of the many products on the market and I am only using them as an example because I am familiar with the technology and their monthly cost per laptop makes it easy to calculate the true cost of encrypting each laptop.

So say you have 10 laptops in your organization, you are looking at $130 month to encrypt all 10 laptops.  That to me is a very reasonable price to pay to ensure that you are protecting the data on each laptop, complying with HIPAA regulations and ensuring that any patient data on the laptop is secure and protected.

To put the costs into perspective let’s take a look at some estimates of cost if a laptop is lost or stolen.  According to the Ponemon study (PDF) titled “The Cost of a Lost Laptop” published in April 22, 2009, a lost laptop will cost:

According to the report, the use of encryption can reduce the cost of a lost laptop by $20,000. That makes the $12.95/mo seem incredibly cheap.  And now that you know encryption is easy to install and the risk of being locked out of the laptop is not an issue, you should seriously consider encrypting each of your laptops. There really is no good excuse not to implement Laptop encryption.

You have just implementing a new electronic health records (EHR) system, congratulations!  You probably spent anywhere from $75,000 – $500,000+ on hardware, software, licenses,and implementation labor.
Hopefully you qualify for EHR meaningful use incentive funds to offset some of those expenses. While you are looking to stop spending money and to start recouping some of the expense, I am going to tell you 3 additional products and services that you must consider.

The 3 products and services are:

1. Offsite data backup
2. HIPAA Security
3. Disaster Recovery

I realize those 3 items are not sexy and will not help increase your revenue. I think that is one of the reasons that many medical practices don’t sign up for these services. The 3 services are about protecting your EHR, your data, your patient’s information and protecting your practice.

Offsite Data Backup

“Why do I need offsite data backup when we are backing up to a tape drive?”

I can’t tell you how many times I have had this conversation. Backing up your data nightly to a tape drive is a good practice but unfortunately backup tapes are not completely reliable. Every time we have to restore a file, database or other data from a backup tape, I hold my breath and pray that the data is on the tape and we can retrieve it successfully.

If you are backing up to tape the responsibility to switch tapes on a daily basis is usually assigned to an individual in the practice. From experience we have seen that people forget to switch tapes (trust me this happens more then you can imagine). In addition, tapes are used over and over and eventually they lose their ability to successfully read and write data. Hence the praying comment that when we need the data, the tape will not be at the point where we can not successfully retrieve the data.

Offsite data backup is a very straightforward process and very similar to backing data up to tape. On a nightly basis the data is backed up but instead of being backed up to tape it is backed up to a server in a vendor’s data center. Here is how it works.

1. On the system that you are backing up, there is a backup agent (software program) that starts to backup the data.
2. The backup agent makes a secure encrypted connection via the Internet to a server(s) at a vendor’s data center.
3. The data is copied to the servers and is stored on the vendor’s server is a secure encrypted format.

As you can see it is critical to have an Internet connection in order to perform the offsite backup.  The offsite data backup is scheduled and runs automatically so there is no human intervention required. This eliminates the issue with someone forgetting to change the backup tape.

My recommendation to most practices is to use offsite data backup as a supplemental service in addition to doing nightly tape backups.  If you do both then you have your data in 2 different places and you increase your chances that the data will be available if and when you need it.

On an average, offsite data backup costs around $2/GB.  So if you are backing up your EHR and you have 20GB of data it will cost you around $40/mo. I think that is a very reasonable amount to help ensure that your data is protected. To help convince you that offsite backup is worth the additional expense let’s look at a scenario that I have seen happen multiple times.

There is a really bad storm with heavy rain and lightning. The storm knocks out power to your office and although your EHR server is on a uninterrupted power supply (UPS) the server does not shut down cleanly (immediately loses power) and in the process it corrupts the EHR database. When power is eventually restored and the server comes back online the EHR program generates errors stating that it can not read the EHR database (it is corrupt). Imagine that you have been using the EHR for 1 month and every patient that you have seen is in your EHR (go ahead and imagine you have been using it for over a year and the amount of records would be even scarier). Your IT company comes in to help restore the EHR database from tape and get you back up and running.  When the IT company inserts the backup tape they can not locate the EHR database.   It turns out that the person who was responsible for changing the tape forgot to do it the last 2 evenings. They are able to restore the database from 2 days ago but all the data that was entered for the past 2 days is lost.  Think about having to recreate that data. You are using an EHR so do you have notes on each patient? Probably not. The amount of time and effort you and your staff will have to use to recover from the lost data makes the $40 look cheap.

HIPAA Security

The second service I urge you to consider is HIPAA Security. You are using an EHR and all of your patient information moving forward will be electronically stored. You may also have interfaces with vendors for electronic lab results, digital x-rays, ultrasounds, etc. For each patient there is a lot of electronic information that has to be protected.

Most EHR vendors do not address HIPAA security when they are training employees on the new EHR. If they do it is not in depth and there is a good chance that your employees will not understand what is required by HIPAA to protect patient information.

HIPAA security is about protecting patient data in electronic format. I am recommending you sign up for a HIPAA security service not only to comply with the HIPAA regulations but to ensure that your entire staff is educated on what exactly is required to protect patient data and to understand the best practices for protecting data. More importantly HIPAA security is a defensive measure to help protect your patients and your practice against a data breach. A lost laptop or USB drive with patient information could have serious financial impact on an organization.  Imagine a data breach that costs your practice $1,500,000. If you think that number too high consider the regulatory fines, patient breach notification expenses, lost revenue from patients leaving the practice, IT related expenses to re-mediate the breach, etc.  Even if the expense is half of that at $750,000 it can have a significant impact to an organization. And if you are thinking that your general liability insurance policy will cover most of those expenses you should check your coverage. Most policies do not cover HIPAA related expenses (although there are supplemental insurance policies that do cover HIPAA and cyber expenses).

There are many HIPAA security services on the market but on a whole you should look to accomplish the following:

1. Implement policies and procedures to ensure that patient information is properly protected
2. Perform a risk assessment to understand where you are at risk in protecting patient information and what additional security measures you should implement to better protect the information.
3. Train your entire staff on exactly what is HIPAA security, what they should be doing to protect patient data and what they should not be doing that could put patient data at risk.

HIPAA security will range in costs but for some real numbers this service will cost $1,750 to provide the 3 items above. (Full disclosure, HIPAA Secure Now! is a service of Entegration, Inc.).

As with the justification for offsite data backup, spending $1,750 to help protected you from fines and expenses that could be up to 100 times more expensive seems like a good investment.

Disaster Recovery

The third and final service I will urge you to consider is disaster recovery for your EHR and network.

I will start off by acknowledging that the odds of a disaster are slim but yet we have seen the affects of earthquakes and tornadoes in the past few months. And disasters are not only confined to natural disasters.  Fires and floods occur all the time.  Broken water pipes and sprinkler systems can destroy servers and computing equipment.

What exactly is disaster recovery?  Simply stated it is the ability to continue to utilize your applications in the event that your primary servers, network and applications are either destroyed or made unavailable by some event. Disaster recovery is ensuring that you can run your EHR on another server and access that server in the event of a disaster.

I wrote a detailed blog article on cheap disaster recovery which you should read.  But from a high level view, disaster recovery is:

1. Ensuring that you have another server(s) in another physical location that you can use in the event your primary server is unavailable
2. Data needs to be copied and kept up to date on the server(s) that you will use for disaster recovery
3. A method of accessing the disaster recovery server must be established
4. A detailed procedure must be in place that defines exactly what is needed to utilize the disaster recovery server(s) and what your employees need to do to operate in disaster recovery mode.

If you go back to the blog article that I wrote on cloud based disaster recovery the prices range from around $100/month/server.  So if you need to ensure that have your EHR server and your Domain Controller available in the event of a disaster then it will cost you around $200/mo.

Again let me define a scenario that helps justify the expense.

Let’s assume a water pipe bursts in the office above you and overnight hundreds of gallons of water leak onto your servers, destroying them.  Everything else in your office is wet but usable. After a couple of days of clean up you are ready to see patients but you no longer have functional servers and no functional EHR. You can order new servers from Dell or HP but even with overnight shipping there is a chance you will not receive them for 10-14 days.  Can you go without your EHR for that long? With the cloud based disaster recovery you can be up and running in as little as 4 hours. You can even access the EHR if you need to see patients in another practices’ office while you repair your office. Again I argue that $200/month is worth the expense to provide the safety net and flexibility to recover in the event of a disaster.

Summary

The 3 services that I described will protect your medical practice. Each of the services can be considered a safety net and operational insurance to protect you and to avoid events that can have significant financial impact to your organization. Take a step back and think of how much money you just spent on your EHR. The services that I recommend will cost you under $5,000 the first year (and half of that moving forward) and will help protect your investment in your EHR.

I would love to hear your thoughts and help with any questions you may have. Use the comments section below to give feedback.

Almost like the Earth spinning and no one notices it, there is a major shift in health care IT going on. On the surface you can’t miss the chatter.  Talk of stimulus funds, meaningful use requirements, cloud based EMRs, free EMRs, iPads, smart phones and the list goes on. Hundreds and thousands of medical practices ranging from 1-3 employees up to hundreds of employees are in the process of either evaluating or transitioning to electronic medical records.  And as these organizations continue their transition from paper based records to electronic medical records the impact will be felt for years to come.

It is exciting to be a part of something that will have a lasting impact. But at the same time I think that there will be a lot of fatalities in this process. On the surface the migration to electronic medical records seems pretty straightforward.

1. Select an EMR vendor
2. Purchase equipment
3. Install equipment
4. Train staff
5. Start using new EMR

But the reality is it is far from easy. There are hundreds of EMR vendors; some good, some not so good. EMR implementations fail at a very high rate. The complexity of setting up a network to support an EMR is daunting. Integrating servers, network, tablets, smartphones, lab equipment, etc. can be a challenge at best and a disaster at worst.

And if a practice makes it this far there are the concerns with patient records and HIPAA security. These practices that are new to electronic medical records have not been tasked with protecting electronic assets in the past. This skill set in not easily acquired nor is it cheap. Network and data security is not a part-time job and it should not be added onto to someone’s job responsibility especially if they are not IT savvy.

And will these practices understand the risks of implementing technology to support electronic medical records? Will they implement the appropriate data backup solutions and disaster recovery solutions to ensure that a disaster does not cripple their ability to use and access the electronic medical records? Will they understand that most small businesses never recover from a disaster that impacts IT?  Will they make the appropriate investments to ensure that a disaster does not put them out of business?

It is almost like a herd being led into an ambush, some of these organizations will be among the fatalities.  A failed EMR implementation can cost hundreds of thousands of dollars. Not many smaller medical practices can take that financial impact and still survive.  A data breach or serious HIPAA violation can  have a huge financial impact on an organization. An unplanned for disaster can put an organization out of business.

So as the headlines talk of meaningful use stage 2 and 3, Medicare EHR Incentive Programs, Attestation, the next greatest tablet, mobile health apps, and cloud based EMRs remember that the impact to some health care organizations will be fatal. Can the quest for electronic medical records be similar to a herd being led into an ambush? Will we look back and see that 2011-2013 led to a thinning of the herd? Will these fatalities lead to more hospitals and larger organizations consolidating smaller medical practices? Electronic medical records are needed and provide an enormous opportunity for the entire health care system but without proper guidance and support many medical practices will be causalities in the process.

On April 21, 2011 Amazon’s East Coast data center went down and brought many high profile businesses down with them. Some of the businesses that rely on Amazon to provide their infrastructure include Foursquare, Quora, Hootsuite, SCVNGR, Heroku,  and Reddit.  In addition small or mid-size businesses that relied on Amazon felt the impact as well.

So a day later we take a step back and look at the impact.  Let’s ask some questions:

First question: Will this signal the end of cloud computing?  NO!

Second question:  Will this be the last cloud based provider to experience an outage? NO!

Third question: Will this harm the migration to cloud based providers? YES!

The first two questions are easy.  The outage is not the first and will not be the last. The benefits of cloud computing to startups, small and mid-size businesses are real and this outage will not signal the end of cloud computing. But the high profile outage may harm the migration to cloud computing.

If you are a medical practice and are in the process of purchasing an EMR for your practice, yesterday’s Amazon outage gives you something to think about. Many EMR vendors give multiple options for deploying the EMR including on-site servers that are in the practice’s office and hosted servers or applications that are at the vendor’s data center or some other hosting facility. A day after Amazon’s outage you have to ask yourself; if Amazon can suffer a complete melt down of their data center what is to stop an EMR vendor from having the same experience? You may even conclude that Amazon, one of the leaders in cloud computing, have far more resources to support their data center than an EMR vendor does.  Does this make you think that the likeliness of an EMR vendor having a prolonged outage is even greater than Amazon having one? I would answer yes. And if you do answer yes, the next question you have to ask is; can you afford to be without your EMR for 24 or more hours?

I think Amazon’s outage will impact migration to cloud based computing. It will not stop cloud based computing but it is a wakeup call for businesses that are looking to use or are currently using cloud based computing. My advice remains the same as it has been in the past. Migrate non-core functions and servers to the cloud and keep core functions and servers within your network / office. There are real benefits to utilizing cloud based services but the risk is just as real. Yesterday’s outage makes that perfectly clear.

Image: Jennifer Ellison / FreeDigitalPhotos.net

Source: Apple

Have you ever looked over a doctor’s shoulder when they are using an EMR?  What you see is hard to describe. Picture a crowded screen with fields, data,  buttons and menus that fill up the entire screen.  Picture a screen so crowded that if you wanted to add another data field you would be hard pressed to find some real estate on the already crowded screen. But if you keep watching you would be even more amazed.  If a doctors wants to send an electronic prescription to a pharmacy for the patient she might have to click on 4 or 5 pages to accomplish the task. The amount of options and choices that the doctor has to navigate through is truly daunting. What I just described is not true for every EMR.  With over 300 EMRs on the market, and growing, some of the EMR vendors have figured out usability and design.  But unfortunately many of the vendors have not.

Up until about 5 months ago I have been a dedicated and devoted user of Windows based applications.  My time on Apple computers was very rare.  And I admit that I have engaged in the typical technology driven arguments that the Windows operating system was superior to the Apple operating system.  In fact, I always failed to understand the cult based Apple loving mindset.

Fast forward to the present and after purchasing an Apple iPad my perspective has changed.  I won’t go into details about the iPad because by now you would have to be living under a rock to not know about the smashing success that Apple has had with the iPad.  The one thing that I will point out is how good the interface and usability is on the iPad.  I am amazed that without a keyboard and with only one button on the front of the device, how easy it is to use and navigate iPad (iOS) applications.  And I totally understand your doubt if you have not used an iPad but I ask that you trust me on this one.

iPad EMRs

So can the usability of the iPad be leveraged for EMRs?  Clearly an iPad strategy is a must for most of the EMR vendors. Will they take their existing user interface and shoehorn it into the iPad or will they totally redesign the interface and focus on usability?

For more insight into how some of the EMR vendors have approached the iPad check out this post over at Software Advice.  They go into the booming demand for iPads and tablets as well as review some of the existing iPad EMRs and applications.