Archive for the ‘Electronic Medical Records’ Category

Ransomware is like the elementary school bully who steals your lunch and won’t give it back until you give him a quarter. Except in this case, it is all or most of the files on your computer’s hard drive, and the cost to restore your data is hundreds of dollars.

The first known ransomware attack was back in 1989. Widespread ransomware attacks started in Russia in 2005. By 2012 the attacks had spread outside of Russia, especially to Europe and North America. They work by either encrypting your files or locking access to your system via a variety of means, from constantly putting pornographic pictures over everything on your screen to running a fake version of Windows that won’t do anything until you pay.

There are ransomware attacks for Windows, Mac OS, iOS, and Android systems.

Payment is almost always through some form of electronic currency like Bitcoin. These virtual monetary systems are anonymous and it is very difficult for authorities to track the destination of the payments. However, some ransom notes have you call a “toll-free” number to get a key to release your files or system, except the phone number is routed through a country with very high long-distance rates, and the operator “needs” to put you on hold for several minutes before giving you the code. You could end up with a several hundred dollar item on your next phone bill.

Sometimes the pop-up on your screen looks like it came from a law enforcement agency like the FBI in the US, Scotland Yard in the UK, or your local police agency. The notification page claims the agency locked your computer because they detected illegal files on your computer: usually porn or terrorism-related material. Once you get over the official looking notification with all the correct logos and badges and can read it calmly, it looks like a scam. Often the wording is awkward, and, really, is the FBI going to ignore your alleged terrorism-related activities if you Bitcoin them a few hundred dollars?

By the end of 2013, the security company Symantec reported 600,000 ransomware attacks a month, and expects these attacks to increase substantially in 2016 across all platforms.

If you get a ransomware notification on your business or personal computer, tablet or smart phone, do not pay the ransom. They may give you the key, or they may not. These are cybercriminals, not necessarily known for their ethics. Once the malware is loaded, they can bully you again as often as they want until you clean it off of your system. Have a five-minute rant, calm down, reload a fresh copy of the OS and then restore your files from your latest backup.

The solution, of course, is not to be attacked by ransomware. While you can never be completely protected, here are four things that you should already be doing.

  1. Practice safe clicking. Always check the link in an email or on a website that you are not positive is friendly. Check out my last post for how to do that. Most ransomware comes in through a standard malware attack.
  2. Keep your software up-to-date. Cybercriminals and cyberterrorists are always looking for new vulnerabilities, and they are very good at it. Once they find one, they pass the information on to other cyber attackers. Fortunately, the good guys are also looking for vulnerabilities and making updates to their software to close vulnerabilities as they find them. But if you do not have the latest software, you still have those vulnerabilities.
  3. Use a good security software package that is more than just anti-virus.
  4. Back up often. No, even more often than that. Periodically, ask yourself when you or your automated backup mechanism made your last backup. Then ask how much grief it would be to redo everything you had done since then. Macintosh Time Machine and Windows 10 File History back up changed files every hour, but only if you have an external hard drive and the option turned on.

In one recent example, Hollywood Presbyterian Medical Center paid cyber-terrorists 40 bitcoins (about $17,000) to get the key to release the hospital’s data. I call this a cyber-terrorist attack because it put every patient in the hospital at risk of death or serious injury when doctors and nurses could no longer access the patients’ records or get access to diagnostic information from monitoring or diagnostic equipment. Hollywood Presbyterian Medical Center is a private hospital in Los Angeles with 434 beds. The hospital CEO, Allen Stefanek, said that paying the terrorists was the “quickest and most efficient way” to regain control of their data systems. The malware attack was first noticed on February 5, and the malware remained active until 10 days later. Clearly, this hospital IT department was not prepared for any kind of a disaster. I expect they will be attacked again, probably by the same terrorists.

The FBI is investigating, but I would not expect them to catch anybody.

The last word:

Packages like Time Machine and File History are great for automatically backing up in the background while you are working, generally meaning you never have more than one hour’s worth of work to recover. They also make recovery easy, and can give you the file as it was yesterday or last week in case you really messed it up and want to throw away the last round of changes.

However, they are not very effective in two cases:

  1. If you have a building failure, they are likely to also get destroyed. A building failure is a case where you cannot get back into the building, perhaps because of a fire, earthquake, biological contamination, police or military action, or terrorist act.
  2. Some ransomware not only makes the files on your computer’s hard drive inaccessible, but will also destroy or encrypt the files on any attached hard drives, like your Time Machine or File History drive.

If you are paranoid, like me, you should also have an offsite backup. It is now fairly easy and inexpensive to do this with packages like Microsoft OneDrive, Apple iCloud, Carbonite, and a host of others.

Comments solicited.

Keep your sense of humor.



I recently wrote about some of the impacts that government regulations around the Affordable Care Act are having on small medical practices. One of those impacts has to do with coding. These codes are established by the World Health Organization, part of the United Nations, in a medical classification list called the International Statistical Classification of Diseases and Related Health Problems, usually just called “ICD.” This is really two lists: a list of diagnosis codes and a separate list of procedure codes.

The current set, ICD-9, has about 13,000 diagnosis codes and 3,000 procedure codes. The 30-year-old ICD-9 suffers from several problems: it lacks detail, uses generic terms, is based on outdated technology, and has limited capability to add new codes.

The new set, ICD-10, addresses those problems. It provides for up to 68,000 diagnosis codes and 87,000 procedure codes.

In a recent one-week nation-wide test involving over 127,000 claims from 2,600 health care providers, suppliers, billing companies and clearinghouses, only 89% of the claims were accepted without issues. This test involved claims from only about 5% of potential claim submitters, and only included those who agreed to be part of the test and had been working on this conversion for years. After October 1, 2015, claims that do not use ICD-10 or have issues with the ICD-10 codes will not be processed, and claims not processed will not be paid. The official position: physicians are urged to set up a line of credit to mitigate any cash flow interruptions that may occur.

As you can imagine, there are some fairly unusual codes. One that has made the NPR circuit is V91.07: burn due to water-skis on fire. But NPR did not get the story correct. V91.07 is an invalid code; you must use one of the three subordinate codes to describe the diagnosis in greater detail:

  • V91.07XA – initial encounter
  • V91.07XD – subsequent encounter
  • V91.07XS – sequela

A “sequela” is a chronic condition that is a complication of an initial event.

Before you scoff at this diagnosis, check out these guys.

For some reason, there are different sets of ICD-10 for different countries, so for those of us who travel to foreign countries, there is likely to be some confusion with your insurance provider and local healthcare facility if you are injured or sick outside your home country.

Many organizations have already been working on this conversion for a few years. There are also lots of companies out there to help medical staffs make the transition. For example, Find-A-Code has search solutions for small practices ($300/year) and larger facilities ($950/year).

Like a lot of things in the Affordable Care Act, the end result of the conversion will be beneficial to patients. Getting there will be a really interesting ride, and will contribute to the loss of small medical practices with potentially a significant negative impact in rural areas.

The real concern will be the significant number of coding errors during the transition. Each diagnosis coding error can lead to health workers administering the wrong procedures, especially as patients are shifted between doctors and other care providers in larger medical organizations.

The last word:

Considering the large number of people who have access to your health care information, and the number of breaches in personal health care data, you should be concerned over misuse of your data. Certainly the government will have access. Expect companies, perhaps legally, to offer your health care information to your current or potential employer, and certainly to your insurance providers.

Read carefully the fine print around any job or insurance application you submit. You may be granting them access to all of your medical data as well as your financial data as part of a “background check.” HIPAA actually treats much of your medical information as a valid part of your employment record. This includes anything related to drug testing, Family and Medical Leave Act, Americans with Disabilities Act, Occupational Safety and Health Administration, workers’ compensation records, sick leave or return to work documents, and anything related to a drug or alcohol free workplace.

There are legal restrictions on what a company can access or ask for, but if you say “yes” in a job application all bets are off.

Comments solicited.

Keep your sense of humor.



2014 has been a very bad year for data security. Many of these attacks have made the news, starting with Target and ending with Sony. Unfortunately, the majority of data breaches never make the mainstream media. If you ever think that data security is improving, check out Hackmageddon.com. They put out a fortnightly report on worldwide cyber attacks. The November 16-30 report, for example, lists 36 attacks in just those 14 days. To me, some of the more interesting attacks:

  • ISIS social media is hacked, replacing a threatening message from the group’s leader with a song along with a logo similar to that of the Egyptian military.
  • The US State Department is forced to shut down its unclassified email system.
  • The entire City of Detroit database was encrypted, and the hackers demand a ransom of 2000 bitcoins (about US$800,000). The database is still down.
  • The hacker group Anonymous had a busy fortnight: they deface the City of Ottawa web site, take down websites of the Supreme Court of Canada, Ottawa Police, several police organizations in Italy, and the City of Cleveland.
  • The Syrian Electronic Army redirects the Internet traffic of a customer identity management platform to its servers. Among the many sites affected are CNBC, the Canadian Broadcasting Corp, and the Boston Globe.

Do not expect 2015 to be any safer. Websense Security Labs recently published their 2015 Security Predictions. They list eight areas of increased concern in 2015.

  1. Healthcare will see a substantial increase of data stealing attack campaigns. Attackers are after the medical records and patient data. These records contain personal information including links to insurance and financial accounts that can be used in additional attacks and fraud. I have recently posted about this issue in general and how the shift to electronic medical records is actually increasing the risk. Websense expects these attacks will rise in frequency and success in 2015.
  2. The “Internet of Things” refers to the increasing connection of almost anything to the Internet: you are probably aware of your car; your house including appliances and security devices; individual and government security cameras; and electric and other utility meters. The real danger is not your personal gadgets, but the devices that control our electrical grid, oil rigs, dams, water supplies, traffic lights, and manufacturing lines. Websense expects increased attacks from multiple sources on these devices. For your business, this is the next attack opportunity phase after your BYOD (bring your own device) initiatives.
  3. Credit card attacks will continue, but as the value per card decreases due to increased security by the card processors, Websense expects these cybercriminals to expand the information they steal, and aggregate that information for individuals from related sources like loyalty programs and medical information. Then they can sell complete personal identity dossiers.
  4. Your smart phone and tablet will be attacked, but not for stealing the data that is on the phone, but rather to gather information for later credential stealing and authentication attacks to all of the data you have access to in the Cloud. As more and more of us use the mobile device as part of our authentication process when we access the Cloud, Websense expects attacks involving malware that intercepts the authentication elements turning your device into a man-in-the-middle attack, perhaps even enabling the cloning of your mobile device. The result: the cybercriminals will have the same access to the personal and corporate data that you do.
  5. Newly discovered vulnerabilities in old code. We have recently seen examples such as Heartbleed that take advantage of vulnerabilities in open source code. There are probably hundreds of similar vulnerabilities, and many are probably already known to hackers. There are probably thousands of vulnerabilities in proprietary code such as Windows and the huge supply of legacy code still in use, some of it decades old and written in an entirely different security landscape in a pre-Internet era. Little of that code has been properly checked from a security perspective. Websense expects at least one major breach of confidential company data based on “undiscovered” old code vulnerabilities.
  6. Email threats will evolve to a new level of sophistication. Websense expects a general decline in the amount of spam, but the new spam will increasingly get through your corporate or ISP spam filters and reach your mailbox. These new messages may not contain a link or even some form of obviously spam message, but are actually the first reconnaissance step in a continuing attack.
  7. As your company increases its use of Cloud and social media tools, like Google Docs, these approved cooperative tools will become part of the attack structure. Cybercriminals will migrate their command and control infrastructure into these approved channels, thus escaping detection by your company’s network monitors. Websense expects these compromised approved sites to hide data-security attacks.
  8. New players will join in the current Cyber War. Unlike existing measures designed to limit access to strategic weapons (like the nuclear non-proliferation treaties), there is nothing to limit the ability of countries, rebel groups, and others with nationalistic interests to engage in cyber war. Even potential future international treaties, which may have an effect on some countries, will have no effect on organizations like ISIS or rogue countries like North Korea. Because it is relatively inexpensive to organize a cyber-terrorism or cyber-warfare organization, it does not require a large First World country to support such activity. Websense expects one or more cyber-warfare attacks from countries with high forecasted economic growth in order to protect and advance their growing influence.

All in all, it appears that 2015 will be a very interesting time in cybersecurity.

The last word:

When your company is attacked, are you ready? Can you afford not to be ready?

At an absolute minimum, keep your operating systems and anti-malware software up to date. Microsoft’s December Patch Tuesday contained seven security updates including three critical security patches, ending a year of far too many serious flaws in Microsoft software.

Are you still running Windows XP? If so, make a New Year’s resolution to get completely off XP by the end of 2015. It is far too dangerous to keep running it.

Comments solicited.

Keep your sense of humor.



The entire Health Care industry is impacted by existing legislation requiring the adoption of electronic medical records (EMR). This adoption is absolutely necessary in order to improve patient care, reduce medical accidents, and in the end reduce total cost to provide care. The Cloud is a key enabler, allowing insurance companies, pharmacies, doctors and hospitals to share information about a patient allowing for quicker and more accurate treatment. Getting there can be a very expensive pain, especially for those organizations with only paper-based patient records. These companies are not just moving their existing IT to the Cloud, they are moving to an automated computer-managed environment, actions that most older companies took decades ago, and a phase newer companies never went through at all. Most small rural medical practices fit into the “paper-based” category. In many rural areas, small medical practices with an aging physician are the norm. For them, the move to EMR to meet the current ObamaCare requirements can be a heavy and long-term burden.

These doctors are faced with four choices:

  1. Bite the bullet, and spend tens of thousands of dollars and at least a year to comply. While EMR is a federal mandate, the government provides no financial assistance in the conversion.
  2. Ignore the law and carry on as they have for, in some cases, several decades. In this case the government punishes the doctor by withholding part of their Medicare pay. Most small practices are running fairly close to the edge financially due to ever-increasing malpractice insurance rates, the need for more expensive equipment, and declining insurance payments to the practice.
  3. Merge into a larger regional organization. The larger organization probably has implemented a compliant EMR and will help the small practice migrate. The doctor loses a lot of control over the hours they work, possibly work location, and even patient selection. They become an employee of a large bureaucracy.
  4. Retire.

The Medicare reimbursement penalties are significant. Lose 1% for not having a qualified EMR. Lose another 1.5% for failing to enroll in PQRS, a federally mandated program that collects quality data.

For many doctors, especially those over 50, the last option is the one they are selecting, forcing many rural patients to find a new doctor, often many miles away from where they live and work.

To further complicate the migration to EMR, the government is changing, again, the classification codes used to identify diagnoses and diseases within an EMR and in exchanging data with insurers and government organizations. ICD-10 is required by every medical practice in the US by October 1, 2015. This changes how doctors and other medical staff code everything about patient care. Again, when the conversion is complete nationwide it should improve health care significantly, but the path is not easy and not free to the medical organizations. Several state medical associations and the National Physicians’ Council for Healthcare Policy have urged Congress to delay implementation of ICD-10 for two years. At the same time, other groups are pressing for no more delays, citing the cost in time, effort and money as they try to meet disjointed deadlines for multiple federal mandates.

The last word:

The impact on you, your family and your business will depend on where you live and your financial situation. One impact we will all face, at least over the next few years, is the increased cost of medical care and thus of medical insurance while everyone involved in the medical industry tries to keep up with constantly changing government regulations.

All of this confusion also negatively impacts the security of health care data, making us all more vulnerable.

Comments solicited.

Keep your sense of humor.



Last time I wrote about The Need to Protect Healthcare Data, or perhaps more importantly the potential cost of not protecting it. This time I want to talk about how to do that in a non-disruptive way that will probably save your organization money while significantly reducing the chances of a major data breach involving hundreds or thousands of patient records. Of course the same approach can be used to protect any kind of protected information from exiting en masse in any line of business.

The key is to protect the “crown jewels” – the database that contains the data that must be protected. Normally, these systems are implemented as three-tier environments. To keep the picture and words simple, in this discussion each tier has only one server but in a real implementation each tier is usually composed of multiple servers for redundancy or to provide the necessary performance.

  • The data tier contains the database server that actually contains the database. This server contains the software that manages all access to the data: no one can access the data without eventually getting to the database server.
  • The application tier controls the business logic that uses the database. These are the programs that implement information retrieval and update for the medical staff, capture information from medical device controllers, and handle data retrieval for meaningful use and billing.
  • The presentation tier is what interfaces with the user or another application system. It is often implemented as web services so that any device with a web browser can access the same information.

For example, when a doctor needs to see a patient’s chart from her tablet, she can use a browser or a special tablet application to ask for the current chart for “John Smith DOB 04/23/1945.” The tablet browser or application sends that request to the presentation tier, where the doctor is authenticated if necessary, which then sends that request to the application tier. There a program formats a query against the database and sends it to the data tier. The data tier retrieves the information and sends it back to the application tier, which formats the specific information for the chart and sends that to the presentation tier. The presentation tier then sends it to the tablet browser or application for display to the doctor.

While this may seem like a complicated process, it nicely separates the operation so that, for example, a different kind of user device with completely different display characteristics can be easily added by changing only the presentation tier, and usually just making a single change that will work independent of the specific kind of transaction. Similarly, it allows the application layer to perform additional validation on a specific transaction, such as verifying that the doctor is permitted by HIPAA to see John Smith’s information.

The security requirement is to limit access to the application and data tiers to only those specific devices that have a valid need to access those tiers. In particular, only the servers in the application tier should be allowed to access the servers in the data tier, and only the servers in the presentation and data tiers should be allowed to access the servers in the application tier. There are, of course, users called administrators that require access directly to the application and data tier servers. These are the people who are responsible for the management and operation of the applications and database. In most organizations, there are just a few database administrators and application administrators who must have direct access into those servers.

The solution described here uses the Unisys Stealth Solution. Stealth uses state-of-the-art encryption, but the key principle behind Stealth is that it only allows a device to communicate with another device if they share a Community of Interest, a COI. A COI is nothing more than a group of people and servers. Data can be shared freely within a COI, but must not be shared with any person or server not in the COI. In the usual Stealth installation, a user’s COI or set of COIs is specified in the site’s identity management system, the system that is used to authenticate a user when the user signs on. If some device tries to access a Stealth-protected server or workstation without belonging to the same COI, then the Stealth-protected device is completely invisible; the Stealth-protected device simply will not respond to anything from that device.


The picture represents each tier by a single server and shows one database and application administrator. As stated before, there are usually multiple of each. The red lines show the communications paths protected by Stealth. The black line represents clear-text traffic coming from the organization’s internal network or over the Internet. The Internet traffic should already be protected by some form of encryption such as IPsec or SSL. There are three Communities of Interest (COIs) in the diagram. The green dots represent devices in the DB COI, the blue dots represent devices in the Application COI, and the yellow dots represent devices in the DB Administrator COI. Only the database administrator and the application tier server can access the data tier server. Only the data tier server, application administrator, and presentation tier server can access the application tier server. Any other device attempting to access the data or application tier servers would be completely ignored.

Since the individual administrator’s COI is determined at log on time, it does not matter which workstation an administrator uses. When an individual signs on with a database administrator’s credentials, he now has the DB ADMIN COI and can access the data tier server.

One Stealth implementation can protect multiple databases that are in the same network segment, i.e., are visible from each other in the network. Otherwise you can replicate the Stealth implementation as needed.

This solution has no impact on existing applications and is invisible to end-users and even to the database and application administrators. Capital savings come from not requiring as much network infrastructure such as firewalls. Operational savings come from not needing to reconfigure firewalls or other network security devices and applications. If an administrator is added or moves on, simply change your identity management system. Stealth then automatically permits or prevents the individual from accessing the database or application servers.

If you do not have a tiered implementation, or have collapsed the tiers onto a single server and therefore allow end users to directly access the server containing the database, then this mechanism does not help. Then again, not much would be able to help in this situation. You first need to separate your environment into multiple tiers so that any security solution can control access to the database and application servers.
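The COI rule from the paragraphs above, modelled as a small reachability check. This is an added illustration, not Unisys code: the server memberships follow the diagram, while the account and workstation names are constructed for the example.

```python
"""Community-of-Interest (COI) reachability model for the three-tier layout above.

Added illustration, not Unisys code. Rule modelled: two endpoints may exchange
traffic only if they share at least one COI, and a Stealth-protected endpoint
simply does not answer anyone else. Server COIs follow the post's diagram; the
account and workstation names are constructed for the example.
"""
from typing import Dict, FrozenSet, Optional, Set

COI = str

# Static COIs of the servers, as drawn in the post (green = DB, blue = Application,
# yellow = DB Administrator).
SERVER_COIS: Dict[str, FrozenSet[COI]] = {
    "data-tier": frozenset({"DB", "DB-ADMIN"}),
    "application-tier": frozenset({"DB", "APPLICATION"}),
    "presentation-tier": frozenset({"APPLICATION"}),
}

# Only these servers are Stealth-protected; the presentation tier also accepts
# ordinary clear-text client traffic (the black line in the diagram).
PROTECTED = {"data-tier", "application-tier"}

# COIs the identity management system grants at log-on (constructed accounts).
ACCOUNT_COIS: Dict[str, FrozenSet[COI]] = {
    "dba.alice": frozenset({"DB-ADMIN"}),
    "appadmin.bob": frozenset({"APPLICATION"}),
    "clerk.carol": frozenset(),  # ordinary user: no Stealth COI at all
}


def effective_cois(endpoint: str, logged_in_as: Optional[str] = None) -> FrozenSet[COI]:
    """Servers carry fixed COIs; a workstation has exactly the COIs of whoever is logged on."""
    if endpoint in SERVER_COIS:
        return SERVER_COIS[endpoint]
    if logged_in_as is None:
        return frozenset()
    return ACCOUNT_COIS.get(logged_in_as, frozenset())


def can_communicate(src_cois: FrozenSet[COI], dst_cois: FrozenSet[COI]) -> bool:
    """Traffic is permitted only when the two endpoints share at least one COI."""
    return bool(src_cois & dst_cois)


def deliver(src: str, dst: str, src_user: Optional[str] = None) -> Optional[str]:
    """Simulate a request from src to dst.

    A protected server answers only a COI peer; returning None models the
    "completely invisible" behaviour in the post: no reset, no error, no reply.
    """
    if dst not in PROTECTED:
        return f"{dst} -> {src}: response (unprotected tier)"
    if can_communicate(effective_cois(src, src_user), effective_cois(dst)):
        return f"{dst} -> {src}: response"
    return None


def reachable_from(dst: str) -> Set[str]:
    """Every server and every logged-on account that can reach the given server."""
    peers = {s for s in SERVER_COIS if s != dst and deliver(s, dst) is not None}
    peers |= {a for a in ACCOUNT_COIS if deliver("workstation", dst, a) is not None}
    return peers


if __name__ == "__main__":
    for server in SERVER_COIS:
        print(f"{server:18} reachable from: {sorted(reachable_from(server))}")
    # Same workstation, different log-on: the COI follows the identity, not the machine.
    print(deliver("shared-workstation", "data-tier", "dba.alice"))
    print(deliver("shared-workstation", "data-tier", "clerk.carol"))
```

Running it shows the two access rules stated for the diagram holding, and the same workstation reaching the data tier only while a database administrator is logged on.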

The last word:

This mechanism does not protect against the accidental or deliberate loss caused by inappropriate actions of individuals who are authorized to access the data. This includes the file clerk who walks away from a logged-on workstation in a semi-public area, or the doctor who foolishly loads a couple of patient files on her son’s laptop at home. There are ways to reduce the chances of these kinds of incidents, and in super-sensitive environments it makes sense to make those investments. But they are very expensive and usually not worth the cost. While these errors are regrettable they rarely lead to fines or the risk of losing accreditation, or the CIO needing to find a new job.

As always, the key is to have a good security policy document and provide annual security training emphasizing to employees and contractors that you are serious about data security.

Comments solicited.

Keep your sense of humor.



Healthcare CIOs have some real problems today. The Affordable Care Act (ACA) is having a big impact on the industry. The rules themselves are changing as the US President makes changes to the law, and depending on the outcome of the November congressional elections in the US we may have a congress that makes additional changes. The behavior of insurance companies is transforming as a result of the ACA, and health care customers, like you and me, are changing the way we access health care as we learn, usually the hard way, what is and is not covered and how much it will cost us. Just adding millions of new customers can have a destabilizing impact to the industry.

On top of that, factor in the government mandated migration from paper records to electronic medical record (EMR) systems. While the end results are probably beneficial, the migration is nothing but pain over many months or years for most organizations.

If that wasn’t enough, a combination of factors, including the ACA, is leading to massive mergers of hospitals and medical practices into larger and larger enterprises. What were dozens of hospitals in my area a decade ago are now just a couple of mega-medical companies. These mergers and acquisitions offer the CIO the opportunity to reconcile and merge a number of totally different hardware and software medical systems into one, or to figure out how to run a business with multiple billing systems while keeping patients’ records accurate across multiple EMR systems.

No wonder that most of these CIOs do not have the time to be very interested in data security. There are millions of dollars of government rewards for moving to EMR and enabling Meaningful Use. Meaningful Use has the potential to provide significant benefits in health care and could lead to quicker approval of new uses for existing treatments, along with a significant increase in the potential for the government and insurance companies to misuse data about individuals. There are millions to be saved by quickly moving to a single software environment in these growing amalgamations of separate health care organizations. Besides, what’s the worst that can happen if a few records are stolen? It happens every day with doctors and file clerks accidentally leaving patient records out on an unattended desktop or similar sloppy behavior at labs, pharmacies and hospitals.

To a large extent, that is a reasonable response. Even the desired end state of completely integrated EMR and billing systems plus a fully functional nationwide Meaningful Use infrastructure will not prevent these kinds of small errors. The loss of one person’s information is not a big problem for the medical institution.

However, the loss of thousands or millions of people’s medical records is a big problem for a medical organization. In my February 2014 posting The Cost of a HIPAA Breach I show that for significant breaches the cost in fines alone can start at $150,000 and easily rise to over a million dollars per incident. This does not include the approximately $200 for each lost record that it costs an organization on average to deal with a data breach.

A major data breach at your hospital or medical practice can cost millions of dollars in fines, plus risks the loss of accreditation of your organization. It also often causes the CIO, or even the CEO, to seek employment elsewhere. If you think you have never had a breach, it would be better to assume instead that you simply don’t know that you have had a data breach. Health care data accounted for 43% of major data breaches in 2013, and the Washington Post reported that over 30 million patients have been impacted by health care data breaches. Over 80% of data breaches are discovered by a third party.

For a longer look at these issues, check out Daniel Berger’s June 2014 What Healthcare CEO’s Need to Know about IT Security Risk paper. Mr. Berger is President and CEO of Redspin, Inc. Based in Santa Barbara, California, Redspin has become a leader in healthcare IT security and provides HIPAA security risk analysis and compliance, including meaningful use.

As your organization advertises its new treatment options, new care centers and new growth, a front page article that you have just lost thousands of patients’ data can negatively impact its reputation.

Next time I plan to talk about a way to protect the crown jewels of your IT infrastructure: the databases that contain your critical health care and financial data.

The last word:

In addition to the financial risks, hacking into health care records can kill people. Changing prescriptions, diagnoses, or test results, or modifying instructions to network-connected imaging, drug dispensing, and operating room equipment can kill or seriously harm a patient. Or a thousand patients.

Comments solicited.

Keep your sense of humor.



I have mostly been concerned with data breaches that impact financial information, like the recent Target and Neiman Marcus events.  But health care breaches are also expensive, also costing about $200 per lost record, with potentially more serious impacts due to lost patients and even doctors because of the damage to the organization’s reputation.

In October 2013 AHMC Healthcare lost the medical records of 729,000 patients – they literally just walked out of the office.  These records contained patient names, Medicare data, diagnosis, plus insurance and payment information.  State and Federal governments are cracking down on these breaches, with stiffer notification rules and serious penalties:  $150,000 from Adult & Pediatric Dermatology in December 2013, $1.2 million from Affinity Health Plan in August, and $1.7 million from Wellpoint in July.

There are two Federal laws that apply to health care records, HIPAA and HITECH; plus the safety of health care information is included in the privacy laws of 46 US States plus the District of Columbia.

HIPAA is the “Health Insurance Portability and Accountability Act” of 1996.  It includes rules about privacy, security and breach notification.

HITECH is the “Health Information Technology for Economic and Clinical Health Act” of 2009.  It seeks to improve US health care through the increased use of IT, including Electronic Health Records (EHR or EMR) systems.  It also includes rules about privacy and security of medical records.

Since most healthcare companies also handle patient financial information, they may also be required to be PCI-DSS (Payment Card Industry Data Security Standard) compliant.  You might think they can just worry about one type of compliance because they are both about protecting people’s personal data.  You would be wrong.  There are significant differences in requirements.

The biggest difference is that PCI-DSS compliance is defined by a commercial group of companies including American Express and Discover, VISA, and MasterCard.  While some States have criminal penalties for willful violation of their privacy laws, almost all penalties for violations are in terms of fines, the cost of dealing with a breach, and lost reputation.   These fines can run into the millions of dollars paid to the credit card companies, and could result in the company losing the right to process credit cards which can be a fatal blow.  The company must notify their customers who may have been compromised.  The large breaches end up in the news, but the smaller ones usually don’t.

PCI requirements are very technical, identifying specific IT activities and defining at least the attributes of solutions in twelve major areas.

HIPAA is Federal law monitored by the US Department of Health and Human Services (HHS).  In addition to fines paid to HHS, HIPAA establishes criminal penalties including vacations in a federal prison.  HIPAA requires that, in addition to notifying potentially impacted patients, organizations must also issue press releases through media outlets.

HIPAA is focused on policies, training and processes.  It requires that all of your business partners and vendors, including Cloud Service Providers, be covered by a BAA (Business Associate Agreement) and that they must be HIPAA compliant.  Your company plus each of your business partners must complete a risk assessment and management plan for addressing each of the HIPAA safeguards.

HITECH, also under HHS, establishes four levels of penalties based on the culpability of the organization, with financial penalties up to $1.5 million.  However, you can avoid financial penalties under HITECH if you correct the problem within 30 days and the violation was not due to your willful neglect.

I wonder who pays the fines when the Affordable Care Act website, including its back-end processing that links to Social Security and the health care providers, violates HIPAA, HITECH or PCI-DSS rules?

The last word:

What to do?

  • Make sure your company and your partners are HIPAA and HITECH compliant. Work with your partners like billing and EMR providers to make sure they are compliant, including with PCI where appropriate.
  • Get a copy of each partner’s HIPAA risk assessment and management plan, and keep them with yours in preparation for a possible HHS audit, usually conducted by KPMG.  Also get a copy of your partner’s latest audit report and confirm that HIPAA compliance is based on the OCR Audit Protocols.
  • If you are also dealing with patient financial information (e.g., hold credit card numbers), get your partner’s latest PCI audit report and confirm that their compliance is based on the PCI-DSS.
  • Make sure your employees and contractors are well trained on your processes and the law, and monitored for violations.
  • Make sure your IT department is following the appropriate best practices.  Use the PCI technical requirements as a framework for HIPAA compliance.

A health care security breach can impact your business, even put you out of business.  While you are focused on your patients’ health, also focus on protecting their privacy and your reputation.

Comments solicited.

Keep your sense of humor.




A lot of people are interested in your data: data about where you are, what you buy, what you search for and talk about, what you are doing right now, who you communicate with and how often, and what you are likely to do or want next.  Right now there are weak laws with largely ineffective enforcement, especially where cybercriminals and governments are involved.  There is potential danger to you in this big data.  There are some encouraging sectors: financial with PCI DSS and health care with HIPAA are getting better at protecting your data.

We are in the information age.  I suspect a lot more money is made dealing with information than dealing with hard products.  Most financial transactions are actually about information, not currency.  Companies, criminals and governments collect information because information is power and, in all cases except governments, correlates to money.

Jaron Lanier has an interesting article in the November 2013 Scientific American “How Should We Think about Privacy?”  Dr. Lanier is a computer scientist at Microsoft Research and probably best known for his work with virtual reality.  One of his points: the information a company collects from you should not be free.

If the information a company collects about you brings the company money, then that information is essentially part of that company’s raw material.  And, like steel or corn or other commodities and intellectual property, it should have a cost to the company.  Right now, Google, Amazon, utility companies and the myriad other companies who collect your data do not pay anything to get your data.  Why don’t we treat personal data like any other intellectual property:  you own it, and you get to decide who gets to use it at what price.

The important word in that last sentence is “use.”  Let anybody or any organization collect anything they want.  The weird techie walking by you with a helmet cam can take your picture and store it in the Cloud for free.  But if he looks at it, publishes it in any form, or uses it even as a statistical data point in some study, he should have your permission and pay you.

So Google can collect anything it wants about what you do around Google.  But if it uses that information to place an ad on a search results screen for you, or a friend of yours, it should have to pay you.  After all, your information is enabling Google to make money from placing that ad.

If you buy a product from a brick-and-mortar store or its on-line presence, then that store shares in the ownership of the data about that transaction.  It can freely use it, for example, for inventory control, product-ordering predictions, sending you recall or safety information about the product, and other uses directly related to that company or that product.  However, if it wants to sell that information to another company, it should have to pay you in order to do that.

We clearly have the technology to make this work.  We could allow individuals to set prices for specific types of information (email address, browsing or search history, age, facial image, email and phone meta-data or content, utility usage, library book checkouts, and maybe another dozen or so categories) and penalize companies monetarily for failing to pay you appropriately and promptly.  It wouldn’t be any harder than setting your Facebook privacy options.

With the appropriate settings, you could go from a lot of privacy to a small stream of money, probably enough for that extra cup of latte each week.

These laws would provide another attack point on cybercriminals, much like the RICO laws gave the government a financial attack point for organized crime.  Plus, the government should be compelled to follow the same laws.  If the NSA wants the data from a library, Verizon, or Amazon, NSA would have to buy it, and the seller then would have to pay you.  If NSA wants to collect your email messages, let them.  If they look at them, either manually or electronically, then they drop some pennies in your PayPal account for each email.  If they wanted to be secret and not let you know they were looking at your information, they simply pay everybody.

This makes the usage of your personal data a business decision for companies and government agencies.  Is the information they get worth the price?

If you do not believe that the US government is at least collecting everything they can about you and your business, consider that for the past couple of years there has hardly been a single month where we have not learned that the government has deliberately lied to us about what information they are collecting and what they are doing with that information.  You should at least consider that the government is lying anytime they deny doing something.

While the news lately has been about the NSA, there is a whole set of alphabet soup government and government monitored private agencies that also collect your private information, from transportation systems, the IRS and state taxing authorities, E-ZPass and equivalent toll road transceivers, utility companies, and insurance companies.

The last word:

A friend recently sent me a link to a Gizmodo article on how companies are encrypting your data.  It has an interesting chart that compares 17 companies from Amazon to Yahoo!  Only four are green all the way across (Dropbox, Google, Sonic.net, and SpiderOak).  The others are not doing a very good job of adopting appropriate encryption best practices to protect your data on its way to and from their servers and between their data centers.

Comments solicited.

Keep your sense of humor.



A current “big thing” is “big data.”  Big data grew out of a real or perceived need of organizations to know more about what is happening inside the organization.  Companies like Wal-Mart or Kmart keep track of every item that moves within their company, from the time it arrives at a warehouse until it leaves the store with a customer.  They know exactly how many Graco SnugRide Baby Car Seats have been sold at each store, the inventory in each store and warehouse, and the number ordered from the manufacturer and on the way to one of their warehouses.  They use this information to predict future sales, make sure that no store ever runs out of the item, and yet keep their inventory as low as possible.

Most companies are growing their data storage requirements by about 20% a year.  At this rate and with the rate the cost of storage is coming down, a company should have relatively flat storage costs into the future, whether they maintain their own storage farms or use the Cloud.  Some government agencies recently in the news are growing their storage requirements by 20% a month or more, or almost nine times in one year.  Amazon storage offered to their Cloud customers (AWS S3) tripled in 2011, about a 10% per month growth.

But few of these large databases are really “big data.”  The term “big data” applies to collections of data that are so large they are difficult to handle: difficult to capture, validate, store, search, move, or even analyze.  New software products come out periodically that make analysis faster, and some can even look for correlations between multiple sets of big data.  Big data collections are exceedingly useful in science and research.  For example, the Large Hadron Collider generates 40 million data points per second from each of 150 million sensors.  The Sloan Digital Sky Survey started collecting data in 2000.  At the rate of 200 GB per night, in a few weeks it collected more data than all of the data collected in the history of astronomy.  The Large Synoptic Survey Telescope, scheduled to go active in 2016, is expected to collect the equivalent of 2.5 years of Sloan data each day.

Between data being collected by companies, research organizations and governments, 90% of all the data in the world has been generated in the last two years.

If your company is collecting, or even thinking of collecting, large amounts of data, here are a few questions to ask.

  1. Why are you collecting the data?  What will you do with it?
  2. What is the value of the data?  How much increased revenue will it bring in?  How much will it cost to store, replicate, analyze and report?
  3. What is the potential cost of someone stealing some or all of the information?
  4. If your customers, partners and shareholders knew exactly what data you were collecting and what you were doing with it, would they be happy, resigned, or furious?
  5. Do you have a policy to get rid of obsolete data, and verify the destruction?
  6. Is any of the information linked to a specific individual?

That last question is important, because that information can open your organization to civil and criminal penalties plus severely impact your reputation.  Some additional considerations:

  • What laws and certifications cover what parts of the data?
  • Do you provide a way for individuals to opt out so their data is not collected?
  • Do you provide a way for individuals to see and correct data about themselves?
  • Do you tell them what data you are collecting?

Big data can be very valuable, but can be a big expense and a big risk.  Beware of too much optimism.  Even Wal-Mart gets surprised by a run on Graco SnugRide Baby Car Seats.  Don’t become overly complacent that you really know what is going on.  Big data can only answer the questions you ask.

The last word:

Most uses of big data are beneficial or at worst benign.  However, data that provides information about individuals can be dangerous, both to the individual and to society.  Utilities are starting to collect more and more information about individual customer actions, with Smart Meters, DVR devices that report what a household watches, electronic medical records, and security systems that allow you or a potential cybercriminal to monitor your house.  Some email providers mine emails looking for ways to sell advertising targeted to individuals, and insurance companies are trying to monitor where and how you drive so they can set an individual rate.

All of this data is vulnerable to cybercriminals and governments, and many of the companies collecting and storing this data are not very good at protecting it, and none of them are very good at destroying it when it is no longer needed.

But the biggest risk is from government.  They have demonstrated their vulnerability to cybercriminals, plus a recent set of reported abuses of data by their own employees and contractors.  The biggest problem is the government’s ability to simply say they can’t talk about it and will admit no responsibility for any outcome.

Comments solicited.

Keep your sense of humor.



I first blogged about electronic medical records (EMR) almost three years ago, comparing the effort necessary to convert just the US medical industry to their use with the effort around Y2K, the effort to make computer systems survive the transition from 1999 to 2000.

The Y2K effort was huge.  Most people today think it was a non-event, but the worldwide cost was estimated at more than US$300B.  Oh, there were some amusing incidents like the inability of California to issue five-year driver’s licenses in 1995 and 1996 (the license showed up as expired when a police officer ran your license after a traffic stop).  There was the hilarious story of the lady who bought a 10-year CD in January 1990, and the bank added a few million dollars of interest overnight (thinking that the CD had matured in 1900).  Cars and planes and trains and ships, elevators and bank accounts and defense systems all continued to operate just fine.  The boss of the company I worked for at the time brought in a big screen TV to the lounge, added a few cots, and scheduled 24 hour a day coverage by support and engineering teams starting December 30.  We were all staring at the phones and emails when Guam hit midnight on 12/31.  By the time midnight reached Hawaii, the boss sent back the TV and we all went home.  Other than a couple of “hey, it worked!” emails, nothing happened.  The many hours we had spent making it a non-event were effective.

The EMR issue dwarfs the Y2K issue.  It will cost a lot more, and almost everybody will notice.

I went to an eye doctor two years ago.  Behind the reception area was a large room with rows of tall file cabinets full of paper files, probably going back decades.  The clerks had dozens of computer systems for appointments, billing and payments, interfacing with multiple insurance companies and governments, and lots of paper-based systems to keep records, doctor’s notes, prescriptions, and inventory.  They were just starting to transition to an EMR system.  They were ecstatic; soon everything would be in one system and they could get rid of the tons of paper.  The doctors expected to be able to reduce the size of their clerical staff, get insurance payments quicker, and in general eliminate a bunch of the stress of just running a small medical practice.  In preparation for my appointment, they had copied my paper records into the computer, and I spent 15 minutes with them reviewing it for accuracy.

I went back a couple of months ago for my annual (OK, bi-annual) checkup.  There were some obvious changes.  Oh, all the paper was still there, and all of the computer and paper systems still seemed to be in operation.  What had changed was the addition of a couple more clerks, and an increased stress level on everyone.  They were still in transition, and weren’t very happy about it.  They had yet to get to any of the benefits, but the journey was “interesting.”  I spent another 15 minutes with them reviewing my EMR for accuracy.

This is not a unique occurrence.  I have yet to talk to any medical facility that has had a smooth transition.  The best one was a transition that occurred in six months; most take one to two years, some are still going on after five years.

Scot Silverstein from Drexel University was quoted in a February 18, 2013, article in the Philadelphia Inquirer newspaper.  Silverstein believes that we are rushing too fast to EMR and that the notion that they prevent more mistakes than they cause is not proven.  He cites serious issues with some software components that printed orders for the wrong medicines, or the wrong dosage.  “We are in the midst of a mania” to convert to EMR, largely spurred by government carrot and stick tactics: money if you convert, delays in payments if you don’t.  “We know it causes harm, and we don’t even know the level of magnitude.  That statement alone should be the basis for the greatest of caution and slowing down.”  Silverstein does hold a minority view and he believes in the potential benefits of EMR over time, but “patients are being harmed and killed as a result of disruptions to care caused by bad medical IT.”

What happened?  Why isn’t the transition to EMR as smooth as the Y2K effort?  What happened is that IT folk treated EMR like they did Y2K – a huge project management problem, millions of separate things to be done in a specified time; 12/31/1999 was not going to slip.  Yet it all involved computer systems.  Fix the software, test it, and move to the next step.  IT people know how to do these kinds of projects, no matter how large.  The average person saw nothing, did nothing different other than, in a few cases, have to enter a four-digit year instead of a two-digit year.

But while Y2K was just an IT issue, EMR is an IT issue, a data conversion issue, and a people issue.  The IT issue is complicated, but really has no unknowns.  IT has done these kinds of software development projects before.

The data conversion issue is huge.  The electronic data is relatively easy, although there is usually a significant code conversion issue: the old system used “measles” and the new system uses “783.2” and each insurance company has a different code.  The hard part is paper.  Even a small medical practice has tons of paper.  For those skeptics, a box of paper (5,000 sheets) is 50 pounds.  A typical four-drawer file cabinet even if not stuffed will have about 200 pounds of paper in it.  It’s easier to count boxes or drawers – look in your doctor’s office file room and do a quick count.  A ton is about 200,000 pieces of paper.

Much of the data on those sheets is hand written, often by people in a hurry and not known for good handwriting.  A lot of it is second or third carbon copies, or faxed sheets.  OCR (optical character recognition) technology does not work very well under these conditions.  Each of those sheets has to be scanned, processed electronically, and then manually verified.  A trained clerk can do much of that verification, but some will require a medical professional to figure out.  This data conversion effort will probably be 99% correct, but that is hardly good enough since it probably means several errors per patient.  Most are likely trivial, but some may be critical.

But the real problem is people.  Every process changes: how you schedule appointments, admit patients, move patients between rooms, deliver medicines, conduct and review tests, bill, record doctor’s comments and directions, generate and fill prescriptions, …

The transition is a nightmare.

Some places try a slow phased transition – one system at a time or one ward at a time.  In general, I recommend this approach because you learn something at each phase, but it has the problem that you have to keep both the old systems and the new system running for a long time, probably several years.  When you have patients that move from an “old” environment to a “new” environment you have to scramble to get their information into the EMR system.  Worse, if you have a patient who moves from the “new” environment to the “old” environment, you end up in a real mess that confuses everybody.

Some places try a cold-turkey approach.  I have a good friend who is a senior doctor at a major hospital.  They decided to switch everything at once.  They picked 5PM Friday, since over the weekend it is primarily the ER that is really busy – everything else slows down significantly.  They put on extra doctors, nurses, clerical people and representatives from the EMR vendor and concentrated them in the ER for the weekend.  I haven’t talked with her for five weeks.  A mutual friend says, “She is very busy.”  I suspect they all are.

This is what I think Scot Silverstein was really worried about: disruption.  The addition of process stress on top of the normal stress caused by caring for people’s lives must lead to errors.  A mistake can kill a patient, no matter where the mistake originates in the transition process.

The last word:

The value of EMR has not changed.  When we get there, we will have a less expensive, more efficient and safer care delivery environment.  The journey is just longer and more difficult than anybody imagined.  There is a huge training effort required, which I believe is largely ignored or significantly short-changed.  But it is a journey we all need to take.  It needs to be carefully planned.  Do not simply take the “migration plan” provided by the EMR vendor.  If you do not have project planning and management people on staff, get some that work for you and have them create a workable plan.  This process will take months, but it is critical.

I repeat my recommendation from 2010:  If you are a young software developer looking for a career, I have one phrase for you: “Electronic Medical Records.”  But I now add that same recommendation to you as a business graduate.  Medical organizations need even more help in the management of the transition to EMR.

Comments solicited.

Keep your sense of humor.

