Huge Data Breach

Backup tapes containing 1.7 million patient records were stolen from a van.  The tapes held patient history and electronic protected health information (ePHI) dating back 20 years.  The information on the tapes includes names, addresses, Social Security numbers and medical information.

This is a huge data breach affecting an enormous number of people.  Each of the 1.7 million people could be in danger of identity theft and other identity-related crimes.  Stop for a second and think through what this data, including Social Security numbers, patient health records, names and addresses, would be worth on the black market.

The first question that MUST be asked is: why were these backup tapes not encrypted?  Let’s not gloss over this.  Jeopardizing this many people is criminal.  Encrypting backup tapes is not only cheap but very easy to do.  It is just a setting in the backup software and an encryption password.

The second question is: why is the HIPAA Security Rule not being enforced?  How can we watch as millions and millions of patients have their Social Security numbers and health records breached?  How can we ignore the government regulations that were put in place to protect patients?  How many patients must be victims of identity theft before we say enough is enough?


Can iPad Usability help EMRs?


Have you ever looked over a doctor’s shoulder while they are using an EMR?  What you see is hard to describe.  Picture a crowded screen with fields, data, buttons and menus that fill the entire screen.  Picture a screen so crowded that if you wanted to add another data field you would be hard pressed to find any real estate on it.  But if you keep watching you would be even more amazed.  If a doctor wants to send an electronic prescription to a pharmacy for the patient, she might have to click through 4 or 5 pages to accomplish the task.  The number of options and choices that the doctor has to navigate is truly daunting.  What I just described is not true for every EMR.  With over 300 EMRs on the market, and growing, some of the EMR vendors have figured out usability and design.  But unfortunately many of the vendors have not.

iPad Usability

Up until about 5 months ago I had been a dedicated and devoted user of Windows-based applications.  My time on Apple computers was very rare.  And I admit that I have engaged in the typical technology-driven arguments that the Windows operating system was superior to the Apple operating system.  In fact, I always failed to understand the cult-like Apple-loving mindset.

Fast forward to the present, and after purchasing an Apple iPad my perspective has changed.  I won’t go into details about the iPad because by now you would have to be living under a rock not to know about the smashing success that Apple has had with the iPad.  The one thing that I will point out is how good the interface and usability are on the iPad.  I am amazed at how easy it is to use and navigate iPad (iOS) applications without a keyboard and with only one button on the front of the device.  And I totally understand your doubt if you have not used an iPad, but I ask that you trust me on this one.

iPad EMRs

So can the usability of the iPad be leveraged for EMRs?  Clearly an iPad strategy is a must for most of the EMR vendors. Will they take their existing user interface and shoehorn it into the iPad or will they totally redesign the interface and focus on usability?

For more insight into how some of the EMR vendors have approached the iPad check out this post over at Software Advice.  They go into the booming demand for iPads and tablets as well as review some of the existing iPad EMRs and applications.


Cisco: Hackers shifting towards mobile devices

Source: Cisco 2010 Annual Security Report

Cisco released its 2010 Annual Security Report (pdf).  Some of the findings and trends are very interesting.  Cisco found that Microsoft’s improvements in Windows 7 and more aggressive patching of vulnerabilities are making it more difficult for hackers.  In response, hackers are shifting their targets to mobile devices.

Hackers are also taking advantage of new opportunities to make money. In response to vulnerability exploits in various Windows PC operating systems, Microsoft has improved security in Windows 7 and taken a more aggressive approach to patching vulnerabilities. This makes it tougher for scammers to infiltrate Windows 7 effectively; having reached the Windows vulnerability “tipping point” (see page 30), they have moved on to other operating systems, applications, software services, and devices such as smartphones, iPads, and iPods. Apple and its products, including iPhones, iPads, and the iTunes media service, have all experienced upticks in exploits. Just as important in driving this trend is the embrace of mobile devices and applications by consumers and enterprises.
Cisco goes on to forecast widespread security incidents on mobile devices:

The worldwide adoption of mobile devices presents even more opportunities for intrusions and theft. While security researchers have identified many focused scams that target mobile devices, a widespread incident is almost certainly on its way. To date, scams have targeted select groups of mobile users, such as customers of a specific bank. The massive and relatively new market for mobile applications also offers new markets for criminals. Researchers have detected exploits in which wallpaper apps for Android Market, the app store for the Android mobile operating system, have been collecting mobile subscriber information and sending it to a website owned by a scammer.

Cisco points out the emerging problem associated with Social Networks as well:

Criminals continue to take advantage of the high levels of trust that users place in social networking services. They often exploit this trust by masquerading as someone the user knows.

One noticeable shift in social engineering is that criminals are spending more time figuring out how to assume someone’s identity, perhaps by generating emails from an individual’s computer or social networking account. A malware-laden email or scam sent by a “trusted person” is more likely to elicit a clickthrough response than the same message sent by a stranger.

Spammers are not only spoofing social networking messages to persuade targets to click on links in emails—they are taking advantage of users’ trust of their social networking connections to attract new victims. As communications shift from traditional email and toward the messaging features used in social networks, such as those provided by Facebook and LinkedIn, criminals follow closely behind.

Weak passwords continue to be a problem:

In spite of pleading from IT professionals to choose tough-to-guess security passwords, workers are still disconcertingly likely to come up with something like “password1!”—or simply attach a few numbers, like “123,” to the end of a word. The problem of weak, guessable passwords is not a new one, but it isn’t going away—in fact, it’s getting worse, as users are forced to create several passwords for different systems and change them every 60 or 90 days.
The report is filled with really good insight and valuable information.  It is written in layman’s terms and very easy to understand.  Cisco did a great job with this.

Lost laptop’s data could cure prostate cancer

There is a very sad article out today about a cancer researcher who had a laptop stolen from her car that possibly contained a cure for prostate cancer.  The researcher at Oklahoma University, Sook Shin, had her laptop stolen from her car while she was at a local restaurant.  When she came out of the restaurant she found her window smashed and the laptop gone.  What is worse is that the data was not backed up.  She and her husband are offering a $1,000 reward for the return of the laptop.

Sook said that some of the data could take 2 years to recreate, but some of the data could never be replicated.  The loss of this data could push back a cure for prostate cancer.

As unfortunate as this story is, it is a very good example of the importance of protecting data on portable media, including laptops and USB drives.  Many people don’t think about it until the laptop or drive is lost or stolen.  So whether it is your personal laptop with priceless pictures of your family or vacations, or a work-related computer, make sure you protect the data.

For personal computers I found that services like Dropbox, Mozy or Carbonite work very well.  These low priced backup solutions are perfect for protecting your valuable data.

For business, I recommend the following:

  • Laptops and portable media are very likely to be lost or stolen, as this story shows.  Make sure you encrypt any and all portable media devices to protect the data they contain.
  • Ensure that you are backing up your data to a network share that is included in the network backup routine.  (Make sure your network administrator is encrypting the backup tapes or drives as well.)
  • Laptops that are transported from the office to home might contain data that has not been backed up since the last time the laptop was in the office.  If you are going to save the data periodically at home, make sure you use an encrypted drive as well.

Finally, let’s hope that the researcher’s lost laptop is returned with its valuable data intact.


The perfect storm for data breaches

In the movie The Perfect Storm, all the forces had to come together to cause the perfect storm.  A storm so big and so powerful that, well, you know, the Andrea Gail had no chance against it.

If I were to think of a scenario where everything came together to cause a huge number of data breaches affecting patient data, this is what I would come up with:

  1. The government would encourage health organizations to switch from paper records to electronic records by giving away billions of dollars to provide incentives.
  2. The government would not give these organizations the money upfront but would slowly pay them over a few years.
  3. The health organizations would spend an enormous amount of money implementing electronic medical record systems.
  4. The large outlay of money would leave these organizations financially strapped with minimal resources for training and security of the new EMR systems.
  5. A severe economic recession would cut down on the number of patients that these health organizations provide services to.  This would add to the financial burden already being felt by the organizations.
  6. A shortage of skilled IT workers would make it difficult for health organizations to find workers to help secure these new EMRs.
  7. Computer viruses and malware would become more sophisticated and harder to prevent.  The malware would steal data and leak patient information to external parties.
  8. Portable devices, laptops, tablets and smartphones would become cheap and ubiquitous.  These portable devices could easily hold a lot of patient data.
  9. A large number of portable devices would be lost and/or stolen.
  10. Patient medical data would become valuable and would be in high demand by criminals looking to utilize the data for identity theft and other crimes.
  11. The government’s regulations protecting patient medical data would largely be ignored due to a lack of resources and a lack of government enforcement.

Altogether these forces would cause the perfect storm of patient data breaches.  Hundreds of health organizations would have data breaches.  Millions of patients would have their information compromised.  And while this was occurring the government would sit back and watch.

The scenario is very frightening.  Good thing stories like this only happen in the movies.


EMRs are like guns in the wrong hands

Putting a gun in an inexperienced person’s hands is a very bad idea.  Handguns can be very safe if safety precautions are taken.  Experienced gun owners take the right steps to ensure that the gun does not cause harm.  Not storing a loaded gun, using safety locks and keeping guns in a locked gun cabinet are all steps that knowledgeable and experienced gun owners take.

This year many health organizations are implementing EMRs for the first time.  They are going from paper charts and relatively few computers to complex networks, servers, tablets and other computing devices.  These organizations are used to protecting patients’ information by ensuring that charts are not left where unauthorized persons can read them, storing charts in locked cabinets and taking other general precautions to protect paper-based records.

The switch to electronic medical records is a new adventure for some of these organizations.  They probably spent months evaluating, planning and implementing their new EMR.  The first weeks and months of an EMR implementation are usually a very harrowing experience.  New systems, new workflows, hardware and software issues all put a lot of stress and strain on an organization’s employees.  Doctors, nurses and the entire staff usually struggle in the beginning of an implementation.  In addition, the total amount of training that the EMR vendor provides is on average 1-2 hours per employee (and that number may be high in some cases).  The training is usually focused on how to use the new EMR: how to log in, how to enter progress notes, how to e-prescribe, etc.  Little or no training is provided on how to protect patients’ information.

The topics of securing the daily tape backup, encrypting USB drives and laptops, ensuring that emails are sent securely, performing a risk assessment and other topics are usually not discussed in the EMR training.  Some may argue that the EMR vendor should address these topics, but that is for another discussion.  The reality is that you have an organization that is struggling with learning and using a new EMR and has little or no knowledge of computer and patient data protection.  Is it any wonder why we have so many patient data breaches?

EMRs and electronic data accessed and used by inexperienced employees are very dangerous to the organization’s patients.  Just as dangerous as putting guns in an inexperienced person’s hands.


Texting for business Yes or No?

Last night I received an emergency text on my phone from a client that had an HR issue and needed the Administrator account password changed.  I understand the use of texting in that case because several people at the client had access to his mailbox.  The use of texting appears safe and is away from prying eyes.  We sent each other a few texts back and forth and the issue was taken care of.

Another client uses texting to request information and support.  This client uses abbreviations and texting shorthand to communicate.  Maybe I am old-fashioned but I just don’t want to communicate via text when it comes to business communications.  Don’t get me wrong, being the father of 2 teenage kids I totally get the text craze.  I have even been known to text my kids when we are all in the same house.  But when it comes to business I just don’t want to use texting for communications.  One of the main reasons I don’t like texting is that I can’t really do anything with the text.  Many times I need to forward information to my staff.  When I receive a text it is not easy to forward (yes, I know I can copy and paste into an email but that is just unnecessary steps).  And forwarding a message that is written in texting abbreviations is just unprofessional in my opinion.  In addition, texting, unlike email, does not provide a good audit trail.  With email I have a record of every email sent to me and that I have sent.  I don’t trust texting to keep a long-term record of my communications.

Texting has its place but I don’t think it should be used for business communications.  What do you think?


A newbie’s guide to healthcare social media

As 2010 draws to a close, a lot of people are starting to focus on the New Year.  New Year’s always brings new resolutions, and one of them for many healthcare professionals is to get involved in social media.  By social media I am referring to blogging, Facebook, LinkedIn, Twitter, etc.  You may be thinking about social media for your medical practice or using it for your own personal professional reasons.

It feels a little awkward writing a guide to social media when I am still a newbie to this whole thing.  I started posting to the Entegration Blog barely 10 months ago.  And I just started using Twitter (@EntegrationBlog) 2 months ago.  So you can see I am clearly not an expert on the subject.  With that said, I will offer up some advice from the perspective of a newbie.

OK, so you want to start using social media but are not quite sure where to begin.  Start with reading the AMA’s recently published guide to social media.

Sit and watch

The first thing I recommend you do is sit back and watch.  Find a few people to follow that you are interested in.  I offer some recommendations below.  Read their blogs, analyze their writing style and read the comments that they get on their posts.  You will see that some topics trigger a lot of responses and other topics are ignored.  Make mental notes about this activity.  Also notice that some comments are negative and others are positive.  Ask yourself what you would do if you posted a topic and received some negative feedback.

The next step is to sign-up on Twitter.  Create a Twitter account and start following people that interest you. Again, sit back and observe.  Twitter is a lot different than blogs.  It is not as easy to get your point across in 140 characters.  But yet some people use Twitter with skill and precision.  I believe it takes a while to figure Twitter out but once you do you will see it is a great resource for information.

Facebook is another resource that you want to observe.  I recommend that you read this post on the doctor-patient relationship and Facebook.

Questions that you should ask yourself regarding Facebook are:

  • Are you interested in setting up a Facebook page for your practice?
  • Are you interested in setting up a personal Facebook page?  If so, are you going to friend your patients or colleagues?

I decided early on that I would set up a Facebook page that was purely for personal interaction.  I don’t friend clients, vendors or business associates.  I use my LinkedIn account for all business-related interaction.  I find this works best for me.  In no way is this a recommendation.  You have to decide for yourself what works best for you.

Baby steps

Once you get comfortable observing how people are using blogs, Twitter, Facebook and LinkedIn you are ready to take the next step.  The next step is to find your “online voice”.  If you read a post on a blog that interests you, leave a comment.  Start to interact with the blogs that you are reading.  The first comment may be a little frightening.  I remember the first comment I left on a blog: I checked the spelling and grammar at least 10 times before hitting submit.  I also checked, over and over, to see if someone had responded to my comment.  After the first comment the rest are easy.  As a blogger, I can tell you that getting comments and feedback is greatly welcomed.  Start interacting with the blogs that you read and start to get a feel for putting your thoughts and words out there for everyone to read.

Once you are comfortable with Twitter, start to tweet yourself.  If you read a blog or article that is interesting, tweet about it.  Twitter is all about sharing information, so go ahead and share.  You can also retweet other people’s posts and pass them along to the people that are following you.  At first you may not have anyone following you, but eventually, as you tweet and retweet, people interested in your content will start to follow you.  You may have to follow a lot of people and tweet for a while before others are interested in you, but trust me, it will happen.

The same goes for Facebook.  “Like” other medical practices or friend other colleagues (if you decide that you are comfortable with that).  Observe how they utilize Facebook.  Interact with these resources or simply observe the interaction until you are comfortable.  You will decide what you want and do not want to do on Facebook, which is extremely important if you decide to start your own Facebook page or personal account.

Get involved in LinkedIn discussion groups.  Add your comments to on-going discussions or start a new discussion.  You will see that LinkedIn is a great resource for online conversation and sharing of ideas.

Dive in

Once you get a good understanding of how social media works you may want to dive in.  Some people choose to start their own blog to share their ideas.  Others use Facebook, LinkedIn and Twitter to share ideas without blogging.  Some use all types of social media to get their message out.  There is no right or wrong answer.  Do what you are most comfortable with.

If you do decide to start a blog here are a few pointers:

  • Identify who your audience is.  Who do you want to read your blog?  Write to that audience every time you post a blog.
  • Don’t feel pressured to write a book each time you blog.  Keep it short and to the point.
  • Coming up with ideas is not easy.  If you don’t have a good idea don’t force it.
  • If you read someone else’s blog that you feel is interesting to both you and your audience, share it.  Summarize it or analyze it by adding your input on your blog.  Make sure you give credit to the author and provide a link or reference to the original post.

Once you start blogging, make sure you share your blog posts via Twitter, LinkedIn and Facebook.

I would like to point out that I have only mentioned blogging, Twitter, LinkedIn and Facebook as sources of social media.  There are many other sources that you can utilize.  These are the only ones that I use and feel comfortable discussing, but do not limit yourself.

Final thoughts

Here are some final thoughts I have:

  • Utilizing social media is not easy.  It takes a lot of time and work.
  • At first you may feel like you are talking to yourself.  You will probably be correct.  It takes time to gain an audience.
  • Post interesting material and utilize the various methods of sharing information and you will see the results.
  • Enjoy yourself.  At first it may seem like additional work that you don’t have time for but hopefully you will start to enjoy it and look forward to blogging, twittering or facebooking.

Some people to follow:

  • Kevin Pho M.D. – self-proclaimed “Social media’s leading physician voice”.  His site provides excellent information and insight.
  • Bryan Vartabedian – aka Doctor_V.  His Twitter profile states “Dispatches from the frontline of social media and medicine”.  An excellent resource and someone who clearly gets the social media thing.
  • John Lynn – I find John’s stuff to be very interesting and informative.  He is on the front line in terms of EHR implementations, HIPAA and general healthcare IT related topics.  He writes several blogs and utilizes Twitter with a couple of different accounts.
  • Mary Pat Whaley – her goal is to “provide medical practice managers a place to find resources and information”.  She does a great job at achieving her goal.

More about the dangers of digital copiers

Most digital copiers have hard drives that contain an image of every copy the copier makes.  As I have previously mentioned in this article, digital copiers may contain sensitive information.

In an effort to make the public aware of this danger, the FTC has released a paper that details the risks.

Some of the highlights of the paper include:

Commercial copiers have come a long way. Today’s generation of networked multifunction devices — known as “digital copiers” — are “smart” machines that are used to copy, print, scan, fax and email documents. Digital copiers require hard disk drives to manage incoming jobs and workloads, and to increase the speed of production.

Copiers often are leased, returned, and then leased again or sold. It’s important to know how to secure data that may be retained on a copier hard drive, and what to do with a hard drive when you return a leased copier or dispose of one you own.

It’s wise to build in data security for each stage of your digital copier’s life-cycle: when you plan to acquire a device, when you buy or lease, while you use it, and when you turn it in or dispose of it.

Their advice if you buy or lease a digital copier:

When you buy or lease a copier:

Evaluate your options for securing the data on the device. Most manufacturers offer data security features with their copiers, either as standard equipment or as optional add-on kits. Typically, these features involve encryption and overwriting.

Encryption is the scrambling of data using a secret code that can be read only by particular software. Digital copiers that offer encryption encode the data stored on the hard drive so that it cannot be retrieved even if the hard drive is removed from the machine.

Overwriting — also known as file wiping or shredding — changes the values of the bits on the disk that make up a file by overwriting existing data with random characters. By overwriting the disk space that the file occupied, its traces are removed, and the file can’t be reconstructed as easily.

When you use the copier:

Take advantage of all its security features. Securely overwrite the entire hard drive at least once a month.

When you finish using the copier:

Check with the manufacturer, dealer, or servicing company for options on securing the hard drive. The company may offer services that will remove the hard drive and return it to you, so you can keep it, dispose of it, or destroy it yourself. Others may overwrite the hard drive for you. Typically, these services involve an additional fee, though you may be able to negotiate for a lower cost if you are leasing or buying a new machine.

One cautionary note about removing a hard drive from a digital copier on your own: hard drives in digital copiers often include required firmware that enables the device to operate. Removing and destroying the hard drive without being able to replace the firmware can render the machine inoperable, which may present problems if you lease the device. Also, hard drives aren’t always easy to find, and some devices may have more than one. Generally, it is advisable to work with skilled technicians rather than to remove the hard drive on your own.

I applaud the FTC for publishing this paper.  It is obvious that digital copiers are a real risk to security and could cause security breaches.  The more the public is aware of the risk the more they can do to prevent it.


Stop using easy passwords

Recently Gawker Media had a security breach that exposed the email addresses and passwords of registered users that left comments on their sites.  Gawker Media runs several sites including Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin, and Fleshbot.  If you are a registered user of any of these sites it is strongly suggested that you change your password on all websites that you are registered at (i.e. amazon.com, walmart.com, etc.).  Many people use the same password across several or all of the sites that they register with.  You can check to see if your password has been exposed by going to http://www.didigetgawkered.com/ and putting in your email address.

The Wall Street Journal has an interesting article on the top 50 passwords that people used at the Gawker Media sites.  The passwords are below.

The message here is if you are using any of the passwords in the above list, there is a good chance that someone can easily guess them.

There are two main takeaways from the Gawker Media security breach:

  1. Do not use the same email and password across websites.  Each website that you register at should have a unique password.  Said another way, the password you use at Amazon.com should be different than the password you use at Walmart.com.
  2. Make sure you use complex passwords.  Passwords should have a mix of letters, numbers and special characters.  A good complex password is one that you will remember but someone cannot easily guess.  I like to tell my clients that they should pick a sentence and then use the first character of the words that make up the sentence.  For example:  My son Chris is 10 years old – could make a password of: MsCi10y@.  That is a good complex password that mixes upper and lower case letters, numbers and special characters.  It is also pretty easy to remember (assuming you have a son Chris that is 10 years old).

Make sure you are careful in the passwords that you use and make sure that you pass this information along to your employees.  They should be using unique and complex passwords for all the websites AND applications that they use.
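The sentence-initials technique from the second takeaway, together with a check for the weak shapes the Cisco report quoted earlier calls out (“password1!”, a word with “123” tacked on), as an added example written for this page, not code from the post.  The common-word list and the 8-character minimum are constructed assumptions; applied to the post’s sentence the derivation keeps the last word and yields “MsCi10yo@”, whereas the post drops the last word to get “MsCi10y@”.

```python
import re
import string

# Constructed sample of dictionary words that appear in guessable passwords.
# This is NOT the WSJ/Gawker top-50 list, which this page does not reproduce.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "monkey"}

# Assumed minimum length; the post names no number.
MIN_LENGTH = 8


def passphrase_to_password(sentence: str, suffix: str = "@") -> str:
    """Derive a password the way the post describes: the first character of
    each word, numeric words kept whole, plus one trailing special character."""
    parts = []
    for word in sentence.split():
        token = word.strip(string.punctuation)
        if not token:
            continue
        parts.append(token if token.isdigit() else token[0])
    return "".join(parts) + suffix


def is_complex(password: str, min_len: int = MIN_LENGTH) -> bool:
    """The post's definition: a mix of upper case, lower case, digits and
    special characters (plus the assumed minimum length)."""
    return (len(password) >= min_len
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def looks_guessable(password: str) -> bool:
    """Flag the shape the Cisco report describes: a dictionary word with a few
    digits and/or punctuation appended, e.g. 'password1!' or 'monkey123'."""
    m = re.fullmatch(r"([A-Za-z]+)([0-9]{0,4}[!@#$%^&*]{0,2})", password)
    if not m:
        return False
    return m.group(1).lower() in COMMON_WORDS


def assess(password: str) -> list:
    """Return the problems found; an empty list means the password passes
    both the complexity check and the guessable-pattern check."""
    problems = []
    if not is_complex(password):
        problems.append("not complex")
    if looks_guessable(password):
        problems.append("guessable pattern")
    return problems


if __name__ == "__main__":
    derived = passphrase_to_password("My son Chris is 10 years old")
    for candidate in ("password1!", "Password123", derived):
        print(f"{candidate!r}: {assess(candidate) or 'ok'}")
```

Note that “Password123” satisfies the letter/number/case mix yet is still flagged, which is why the complexity rule alone is not enough.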
