
The move from the medical dark ages will not be easy

This is truly a very challenging time if you are a health care organization. There is a fundamental change occurring that will transform the way medicine is practiced in the next 20 years. Almost like the invention of electricity, the light bulb or the first gas-powered engine, the change will have an enormous impact on everyone it touches.


At the same time the risks associated with this change cannot be ignored. As our society moves to the use of electronic medical records, the security issues and associated risk levels have never been greater.


The burden on health care organizations is incredible when looking at securing electronic medical records, smart phones and tablets, USB drives, wireless access points, and remote access solutions. Combine that with the impact of natural disasters such as earthquakes and tornadoes that have been all over the news lately. Implementing disaster recovery solutions only adds to the overwhelming security burden.


Health care organizations are already strapped for the necessary resources to implement electronic medical records. Where will they find the resources to ensure that the appropriate security and disaster recovery procedures are properly implemented?


Like all new technologies, electronic medical records offer incredible opportunities, but along with those opportunities come real risks that need to be addressed. We will look back in a few years and see that health care organizations made the move from the dark ages to a much more modern era. Unfortunately we will also see lots of mistakes and security issues that could and should have been addressed.


Encryption is still an afterthought at best

A real-life experience occurred on Friday that shows that the use of encryption to protect patient data is still an afterthought at best. A conversation between one of our clients and their EMR vendor shows that encryption and data protection are still not at the forefront of concern. Below is a modified version of the conversation between the client and the EMR vendor, which I was copied on. Everything was changed (to protect the innocent) except for the overall meaning of the conversation.

EMR Vendor: Dear customer – we need a copy of your EMR database so we can test it on the new version of the software we will be rolling out in a couple of months.  We will be sending you a USB disk so your IT vendor can copy the database(s) and send it back to us.

Client: Why do you need the data?

EMR vendor: We want to test functionality of the new system and your database is one of the largest amongst all of our customers.

Client: OK, we will send you the data.

Seems like a very straightforward conversation.  The EMR vendor wants to test a large instance of the database which is good so they can iron out any bugs with the new version of the software.  The client is happy to be part of the testing so they know their database will have no issues when they upgrade.

Everyone but me was happy with the conversation. Now it is probably because I write about HIPAA security or have launched a HIPAA Security Service, but I immediately thought to myself “there is no way we are going to send a disk with over 10 years of patient data to anyone without ensuring that this data is encrypted”. On the other hand, I am an optimist, so I just waited for the vendor to tell the client that the USB drive would be encrypted or for the client to ask about encryption. I waited, but that dialog never occurred. I eventually replied to the email with my concerns.

Me: Will the USB drive be encrypted?  There is no way we can send that data without proper protection of the data.

EMR vendor: Yes the drive will contain an encryption utility that you can use to encrypt the data.

Me: Good!

So the good news is that the EMR vendor knew that the data had to be encrypted. The bad news is that the fact that the data had to be protected never came up in conversation until I raised the issue. Encryption was an afterthought during this conversation. We need to move to the point where patient data protection is a primary concern. In this case protecting the data in transit is more important than the testing of the software (in my opinion). A loss of this data could be devastating to the client.

In the end the client thanked me for looking out for the data security. To me patient data protection is one of my primary concerns. Unfortunately it seems that my concerns are not shared by others. We need to get to the point where patient data protection is a primary thought and not an afterthought.


Can iPad Usability help EMRs?


Have you ever looked over a doctor’s shoulder when they are using an EMR? What you see is hard to describe. Picture a crowded screen with fields, data, buttons and menus that fill up the entire screen. Picture a screen so crowded that if you wanted to add another data field you would be hard pressed to find any real estate on it. But if you keep watching you will be even more amazed. If a doctor wants to send an electronic prescription to a pharmacy for the patient, she might have to click through 4 or 5 pages to accomplish the task. The number of options and choices that the doctor has to navigate through is truly daunting. What I just described is not true for every EMR. With over 300 EMRs on the market, and growing, some of the EMR vendors have figured out usability and design. But unfortunately many of the vendors have not.

iPad Usability

Up until about 5 months ago I had been a dedicated and devoted user of Windows-based applications. My time on Apple computers was very rare. And I admit that I have engaged in the typical technology-driven arguments that the Windows operating system was superior to the Apple operating system. In fact, I always failed to understand the cult-based Apple-loving mindset.

Fast forward to the present, and after purchasing an Apple iPad my perspective has changed. I won’t go into details about the iPad because by now you would have to be living under a rock not to know about the smashing success that Apple has had with it. The one thing that I will point out is how good the interface and usability are on the iPad. I am amazed that, without a keyboard and with only one button on the front of the device, it is so easy to use and navigate iPad (iOS) applications. And I totally understand your doubt if you have not used an iPad, but I ask that you trust me on this one.

iPad EMRs

So can the usability of the iPad be leveraged for EMRs?  Clearly an iPad strategy is a must for most of the EMR vendors. Will they take their existing user interface and shoehorn it into the iPad or will they totally redesign the interface and focus on usability?

For more insight into how some of the EMR vendors have approached the iPad check out this post over at Software Advice.  They go into the booming demand for iPads and tablets as well as review some of the existing iPad EMRs and applications.


More about the dangers of digital copiers

Most digital copiers have hard drives that contain an image of every copy the copier makes. As I have previously mentioned in this article, digital copiers may contain sensitive information.

In an effort to make the public aware of this danger, the FTC has released a paper that details the risks.

Some of the highlights of the paper include:

Commercial copiers have come a long way. Today’s generation of networked multifunction devices — known as “digital copiers” — are “smart” machines that are used to copy, print, scan, fax and email documents. Digital copiers require hard disk drives to manage incoming jobs and workloads, and to increase the speed of production.

Copiers often are leased, returned, and then leased again or sold. It’s important to know how to secure data that may be retained on a copier hard drive, and what to do with a hard drive when you return a leased copier or dispose of one you own.

It’s wise to build in data security for each stage of your digital copier’s life-cycle: when you plan to acquire a device, when you buy or lease, while you use it, and when you turn it in or dispose of it.

Their advice if you buy or lease a digital copier:

When you buy or lease a copier:

Evaluate your options for securing the data on the device. Most manufacturers offer data security features with their copiers, either as standard equipment or as optional add-on kits. Typically, these features involve encryption and overwriting.

Encryption is the scrambling of data using a secret code that can be read only by particular software. Digital copiers that offer encryption encode the data stored on the hard drive so that it cannot be retrieved even if the hard drive is removed from the machine.

Overwriting — also known as file wiping or shredding — changes the values of the bits on the disk that make up a file by overwriting existing data with random characters. By overwriting the disk space that the file occupied, its traces are removed, and the file can’t be reconstructed as easily.

When you use the copier:

Take advantage of all its security features. Securely overwrite the entire hard drive at least once a month.

When you finish using the copier:

Check with the manufacturer, dealer, or servicing company for options on securing the hard drive. The company may offer services that will remove the hard drive and return it to you, so you can keep it, dispose of it, or destroy it yourself. Others may overwrite the hard drive for you. Typically, these services involve an additional fee, though you may be able to negotiate for a lower cost if you are leasing or buying a new machine.

One cautionary note about removing a hard drive from a digital copier on your own: hard drives in digital copiers often include required firmware that enables the device to operate. Removing and destroying the hard drive without being able to replace the firmware can render the machine inoperable, which may present problems if you lease the device. Also, hard drives aren’t always easy to find, and some devices may have more than one. Generally, it is advisable to work with skilled technicians rather than to remove the hard drive on your own.

I applaud the FTC for publishing this paper.  It is obvious that digital copiers are a real risk to security and could cause security breaches.  The more the public is aware of the risk the more they can do to prevent it.
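The FTC highlights above describe overwriting as replacing the bits of a file with random characters so the file cannot be reconstructed as easily. The Python below is an added illustration written for this page, not code from the FTC paper or any copier vendor: it writes a constructed sample record to a temporary file, overwrites the file in place with random bytes for several passes (syncing each pass to disk), verifies that the original record no longer appears in the file, and only then deletes it. It assumes a filesystem that rewrites a file's blocks in place; the comment in the code notes where that assumption does not hold.

```python
"""Illustrative file overwrite ("shredding") in the sense of the FTC passage.

Added example for this page; not from the FTC paper or any copier vendor.
"""
import os
import tempfile

CHUNK = 1 << 20  # overwrite in 1 MiB chunks so large files never sit fully in memory

# Constructed sample record standing in for one scanned job; not real data.
RECORD = b"PATIENT: Jane Doe  MRN 000123  DOB 1970-01-01\n"


def overwrite_file(path: str, passes: int = 3) -> int:
    """Overwrite every byte of `path` with random data `passes` times.

    Returns the number of bytes overwritten per pass.

    Assumption (not from the page): "r+b" rewrites the blocks the file
    already occupies, which is what a plain in-place overwrite needs.
    Flash media with wear levelling, copy-on-write filesystems and some
    journaling modes may keep old copies elsewhere; for those, the FTC's
    advice to rely on the device's own overwrite or encryption feature,
    or on whole-drive handling, is the safer route.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, CHUNK)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # force each pass to the disk, not just the page cache
    return size


def shred_file(path: str, passes: int = 3) -> int:
    """Overwrite `path` in place and then unlink it; returns bytes per pass."""
    size = overwrite_file(path, passes)
    os.unlink(path)
    return size


def demo(passes: int = 3) -> dict:
    """Write sample data, overwrite it, and report whether the original survived.

    The check is done before unlinking so the file can still be read back;
    shred_file() is the one-call version used in practice.
    """
    fd, path = tempfile.mkstemp(prefix="copier-job-")
    with os.fdopen(fd, "wb") as f:
        f.write(RECORD * 200)
    original_size = os.path.getsize(path)

    bytes_per_pass = overwrite_file(path, passes)
    with open(path, "rb") as f:
        after = f.read()
    os.unlink(path)

    return {
        "size_unchanged": len(after) == original_size,  # same blocks, new contents
        "bytes_per_pass": bytes_per_pass,
        "record_recoverable": RECORD in after,           # should be False
        "deleted": not os.path.exists(path),
    }


if __name__ == "__main__":
    print(demo())
```

The verification step (reading the file back and searching for the original record) is what distinguishes a sanitisation procedure from a hope; in a real copier or server decommissioning, the equivalent check is reading the raw device after the overwrite, and for drives that cannot be verified this way the FTC's recommendation to have the drive removed or destroyed applies.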


Data breaches double since July

The number of data breaches reported to OCR and posted on the HHS breach notification website has almost doubled since July. In July there were 107 notifications, and as of today there are 197 notifications. Each of these notifications is for a breach that affects more than 500 individuals.

In an article over at Health Leaders Media, they give some interesting facts regarding the data breaches.

In the past five months, 90 new reports have surfaced, or an average of 18 per month, a higher pace than the 15-per-month the first five months after OCR launched the website.

Not surprisingly, laptops and portable media are the leading cause of the majority of the breaches. Laptops and portable electronic devices are the cause of 42% of the breaches.

Laptops are still the number one location of breach information on the list, accounting for 55 of the 197 reports (27.9%). Paper records (41 reports), desktop computers (32) and portable electronic devices (29) follow.

If you are not encrypting your laptops and portable media (USB drives and Smartphones) you are likely to be added to the ever growing list.

How many breaches do we have to hit before OCR really does something? It is a well-known secret that OCR is not enforcing HIPAA or HITECH. Without this enforcement, health organizations are not putting the necessary security around patient health information. Without incentives (positive or negative), health organizations are ignoring the requirements to protect patient data.


Quest Diagnostics launches the Care360 HD EHR for iPad

Quest Diagnostics released a native EHR for the iPad.  The demo video that they have makes it look very user friendly. Here are some facts that they have on their website:

  • Care360, the leading web-based electronic health record (EHR), accessible on desktops, laptops and the iPhone™, now comes with a native app for the iPad.
  • The app, developed by MedPlus, the healthcare IT subsidiary of Quest Diagnostics, is garnering praise for its intuitive interface, remarkable navigation ease, and support of patient engagement.
  • Designed with physician needs and workflow in mind, the Care360 HD interface helps physicians navigate easily while focusing on the patient.
  • Physicians are using the app throughout the day — on the go — to review a patient’s medication history, respond to medication renewal requests, write prescriptions and handle other clinical tasks. The longer battery life also minimizes time spent recharging or changing batteries.
  • Managing medications, reviewing and annotating lab results, and viewing trends through historical lab results is all easy through Care360’s native iPad app. Physicians are also viewing encounter notes, patient problems, comments and allergies, and accessing, adding or editing patient demographics.
  • Physicians had already embraced Care360 Mobile for the iPhone. Now, they have the flexibility to use Care360 with that same functionality on the iPad, with a thoughtfully designed iPad-native app.

I know the more I use my iPad the more impressed I am with it.  I can see this being a very interesting application.  And the nice thing would be to put a keyboard/dock in an exam room and easily enter information and use the touch screen at the same time.

What is even more interesting is that the Care360 EHR is a SaaS / Hosted model that is accessed via the Internet.  So with a 3G iPad you can access the EHR from anywhere.  Or load the app on your iPhone and you will always have access to your EHR no matter where you are.

This sounds like it has the potential to be a game changer.  If anyone has feedback or experience with the Care360 EHR or the iPhone or iPad app leave a comment and give your thoughts.


USB thumb drives should be viewed as a liability

USB thumb drives or flash drives should be viewed as a real liability.  Yes they are convenient, yes they make transferring data extremely easy and yes they are cheap. But hidden under all those benefits is the reality that because they are so convenient and cheap it is too easy to put sensitive information on them.  It is too easy to lose them and it is too easy to face a major liability of a patient information data breach if they are lost and not encrypted.

In two recent cases the real liability of these flash drives surfaced.  The Department of Veterans Affairs announced that an employee brought in a personal USB thumb drive and copied information on 240 veterans and beneficiaries.  The drive was not encrypted and it was misplaced.

A VA employee had been using the personal thumb drive to store information on 240 veterans and beneficiaries in violation of VA policy, Baker says. The information included names, Social Security numbers, addresses and health data. Affected veterans are being offered free credit protection because the drive was inappropriately removed from the VA facility, Baker explains.

In another incident involving an unencrypted flash drive:

A psychiatric hospital in Louisville is notifying 24,600 patients about a breach involving the loss of an unencrypted flash drive.

So it is pretty easy to see how these drives can be a liability. Here are a few thoughts on how to limit your exposure to this liability.

  1. Develop a policy that employees are not to use personal USB flash drives.  In the policy state that only USB drives that are purchased by the organization are allowed to be used.  Also state that USB drives are only to be used with prior authorization (state who needs to authorize the use as well).  Write the policy in an email or a Word document and send it to everyone.  Make them sign it and send it back to you.
  2. Purchase encrypted USB drives for employee use.  Encrypted USB drives cost more than unencrypted drives but are worth the increased cost. They are also very easy to use and just require a password when accessing the drive to either read or write data.  Encrypted drives can be bought at Amazon, Buy.com or other retailers.  I personally use an encrypted drive from Kanguru Solutions which works great.
  3. Use staff meetings to discuss the liability associated with the flash drives.  Remind employees about the policy they signed.  Keep educating and reminding them until it is ingrained in them to be fearful of these drives.

If you take the above steps your liability will not go away but it is likely to be reduced significantly.  And once the liability is reduced you can go back to thinking how incredible these little drives are compared to floppy drives that were used in the past.


Data breach of over 5,000 patient records

It seems like almost every week there is another report of a breach of personal health information.  A story over at HealthLeaders Media reports that The Medical Center at Bowling Green is notifying 5,418 patients of a theft of a computer drive.  The drive contained personal health information including:

patient’s full name, date of birth, address, medical record number, and physician name. Some patients’ records also include Social Security numbers, weight, height, and menopause age.

In a statement posted on its website, The Medical Center at Bowling Green said this about the data:

The information on the hard drive was not encrypted; however, the hard drive was maintained in a locked, non-public, private area.

Of course, if the data had been encrypted there would have been no need to notify anyone of the hard drive theft.

The take-away is that every medical practice and medical facility has to start looking into and implementing data encryption.


Survey: Patients May Lie if Electronic Medical Records Are Shared

There is an interesting article in the Wall Street Journal Health Blog. The article is based on a study from the California HealthCare Foundation. The study showed that patients were concerned about the privacy of their medical records:

Privacy concerns still hover around EMRs, with 68% of survey respondents reporting some degree of worry about what happens to their personal information once it’s stored in a doctor’s computer.

Note:  35% responded that they were very concerned and 33% responded that they were somewhat concerned.

15% of the 1,849 adults surveyed said they’d conceal information from a physician if “the doctor had an electronic medical record system” that could share that info with other groups. Another 33% would “consider hiding information.”

Note: The question made it clear that personal information including name, address, and other personal information would NOT be shared.

It is clear from the survey that there is still a long way to go before patients are comfortable with electronic records.


NJ and CT among states to benefit from $162 million

According to a press release from the U.S. Department of Health and Human Services (HHS), several states will benefit from additional stimulus funds. The funds are to help set up health information exchanges (HIE).

The health information exchange (HIE) awards announced today provide approximately $162 million to 16 states and qualified state designated entities (SDEs) to facilitate non-proprietary health information exchange that adheres to national standards. Health information exchange is critical to enabling care coordination and improving the quality and efficiency of health care.

“Today’s announcement of awards to 16 states and SDEs marks a significant milestone with all states now empowered to start their journey towards identifying innovative ways to break down these barriers that prevent the seamless exchange of information, so that we can give patients the access to care they deserve and expect,” stated Dr. David Blumenthal, national coordinator for health information technology. “States play a critical leadership role in advancing the development of the exchange capacity of healthcare providers and hospitals within their states and across the nation. Health information exchange will enable eligible healthcare providers to be deemed meaningful users of health IT and receive incentive payments under the Medicare and Medicaid electronic health record (EHR) incentive program.”

New Jersey is set to receive $11.4 million and Connecticut will receive $7.2 million.

The states receiving funds from the $162 million awards include:

State/SDE Award Amount
Agency of Health Care Administration (FL) $20,738,582
The Maryland Department of Health and Mental Hygiene $9,313,924
New Jersey Health Care Facilities Financing Authority $11,408,594
South Carolina Department of Health & Human Services $9,576,408
Iowa Department of Public Health $8,375,000
Idaho Health Data Exchange $5,940,500
State of North Dakota, Information Technology Department $5,343,733
State of Alaska $4,963,063
Nebraska Department of Administrative Services $6,837,180
South Dakota Department of Health $6,081,750
Department of Public Health, State of CT $7,297,930
State of Mississippi $10,387,000
Indiana Health Information Technology, Inc. $10,300,000
HealthShare Montana $5,767,926
Texas Health and Human Services Commission $28,810,208
Louisiana Health Care Quality Forum $10,583,000

Total $161,724,798
