
Community Blog

December 18, 2013  1:32 PM

Administrative security policies hold enterprise security together

Posted by: adelvecchio
administrative security, information security

Guest post by Michael Mathews, PhD, president and COO, CynergisTek, Inc.

This is part four of a four-part series of posts where I look at perimeter security, network security, host security, and finally administrative security as distinct elements in an overall information security architecture and the best way to evaluate the current state of each.

A standard question we ask when working with clients is how they go about assessing their organization’s information security architecture. Previously I examined perimeter, network, and host security. As part of that evaluation, I also examined how to address perimeter security in an ever-changing technical environment. I also covered how to use tools and technology to provide mitigative controls to guard access to networked assets as well as hosts that live in the networked environment.

The final step in evaluating an enterprise security architecture is the envelope that seals everything together — the administrative elements of an information security program. Technical administrative security has roots in compliance with regulatory requirements, but regulations typically set a minimal compliance standard. Technical information security policies and procedures go into far greater detail and set a much higher bar.

The intent of establishing technical information security policies and procedures is to clearly communicate the organization’s risk management expectations. When we assess an organization we typically look for defined policies and procedures that address:

  • Provisioning of users (both normal and privileged)
  • When strong authentication is needed/required
  • Whether there are requirements within the organization for separation of duties
  • The enterprise data backup strategy and life cycle
  • Media/workstation build/reuse/disposal procedures
  • Business continuity and disaster recovery procedures
  • Mobile device management and control procedures
  • Administrative requirements around authentication/authorization/and auditing (AAA)
  • Patch management process (for workstations, servers, and other gear)
  • Configuration management procedures
  • Change control process
  • Approval and communication process for policies and procedures

Presuming security information is properly disseminated to the workforce and that there’s a means through which employees can refer to the existing security rules (e.g. an intranet or printed notebooks), it is interesting to note that nearly all systemic technical security gaps can be traced back to a lack of proper policy, or of a supporting procedure, that clearly defines the organization’s expectations. Properly documenting the organization’s risk management expectations as a cogent set of rules, combined with a strong perimeter definition and defense mechanisms, is part of a base information security plan. Those steps, along with a segmented and access-controlled network architecture and hosts built with an eye on security, provide a strong foundation on which an overall information security program (including the security architecture) can be built.

Once the foundation is built, security awareness programs can help garner employee mindshare in the information security process. Regular third party audits/assessments can help determine how effective the program is as well as provide valuable trending data that shows the maturity of the program over time. In our experience this is the best way to help secure a continued budget for the overall program since it’s otherwise very challenging to demonstrate return on investment for information security architecture expenditures.

December 11, 2013  11:28 AM

Evaluate and enhance your core measures reporting process

Posted by: adelvecchio
abstraction, core measures, Meaningful use

Guest post by Brenda Bartkowski, clinical data abstraction manager, Amphion Medical Solutions

From meaningful use to value-based purchasing, too much is riding on core measures reporting to leave it to chance. Hospitals must have processes and resources that are capable of delivering timely and concise reporting.  They must educate clinicians and other staff on core measures and keep definitions and protocols up to date. All of these resources should be leveraged to improve performance rates and avoid financial penalties.

As the stakes get higher, so too does the level of difficulty involved in maintaining compliant reporting processes. The number of measures has continued to climb, increasing the level of difficulty of abstracting and validating the data. There is also a limited supply of internal resources and expertise that can be dedicated to reporting.

As such, to ensure effective core measures reporting, hospitals should evaluate the processes in place to identify and eliminate any aberrant patterns or areas of weakness contributing to backlogs or missed deadlines. Addressing these issues will do more than streamline reporting and improve compliance. It will also create a means by which documentation and processes can be enhanced and best practices put into place in order to drive improvements to publicly-reported core measures.

Three-pronged analysis

The evaluation of core measures reporting process should focus on three areas: deadline compliance, validation rates and regulatory comprehension.

Missed deadlines can almost always be traced back to a lack of resources. Integrating reporting requirements with the additional core duties for which quality departments are now responsible is a resource balancing act, particularly given the rapid rise in the number of metrics that must be reported under the Hospital Inpatient Quality Reporting Program.

When abstractors must divide their time and attention between core measures reporting and their regular responsibilities, backlogs can develop quickly and deadlines are often missed. Once one deadline is missed, the resulting domino effect makes it difficult to catch up unless additional resources are dedicated to the process.

Overextended abstractors may also struggle to maintain appropriate validation scores, which should be in the 90-95% range. Consistently low scores may signal the need for additional training, creating yet another Catch-22. How do you set aside time for training to bring scores up when heavy workloads are contributing factors to the performance issue?

Finally, regulatory policies and recommendations from the Centers for Medicare and Medicaid Services and The Joint Commission tend to change from one reporting period to the next, while protocols and guidelines are revised and expanded annually. It can be difficult to maintain compliant reporting processes without dedicating a resource to monitor regulatory change and educate clinicians and staff on current core measures and proper abstraction. Thus, an individual should be tasked with continuously monitoring and communicating any changes to guidelines, metrics or requirements so they can immediately be integrated into the reporting process.

Seek outside help

In many cases, weaknesses in any (or all) of these areas can be traced back to insufficient resources.  That is why a growing number of hospitals are outsourcing their core measures abstraction to qualified firms, thus freeing internal resources to focus on core responsibilities.

The success or failure of outsourcing core measure reporting rests on the quality of the selected partner. Look for a vendor that employs only credentialed abstractors with a minimum of three to five years of experience, all of whom should have passed a stringent proficiency test. The firm should be able to deliver an accuracy rate of no less than 95%.

Finally, the partner should provide additional services designed to strengthen the hospital’s core measures performance. These could include weekly and quarterly education sessions, regular evaluations and recommendations for process and documentation improvements.

Maximize value

Regardless of whether it is managed in-house or outsourced to a qualified vendor, reporting processes should be used to drive improved core measures performance by identifying gaps and recommending process enhancements to close them.

One example could be a hospital consistently failing the substance or tobacco use measure sets. An abstractor empowered to go beyond standard “pass-fail” core measure reporting could trace that failure to clinicians neglecting to ask patients about their smoking or alcohol use when completing admission documentation, a situation that can be fixed by simply adding or highlighting the query in the admission order set.

At a higher level, reports can be generated that identify every outlier in order to diagnose the documentation issue which caused the core measure failure. This report can also be used to identify problematic trends that can be corrected with adjustments to order sets or documentation processes. It can even help identify individual clinicians who may require additional education.

Improving core measure performance is a team effort. Providing information to those on the clinical front lines to improve documentation will ultimately drive quality outcomes. Doing so requires strong, compliant and comprehensive reporting processes that reveal the causes of core measure failures so they can be corrected before they affect quality of care or the bottom line.

Brenda Bartkowski is the clinical data abstraction manager for Amphion Medical Solutions. She can be reached at

December 4, 2013  2:08 PM

Healthcare risk assessment guide: Steps for disaster preparation

Posted by: adelvecchio
Disaster planning, Protected health information, Risk assessment

Guest post by Cliff McClintick, COO, Doc Halo

Every facet of most health organizations’ operations, processes, and policies is intertwined in a myriad of systems, applications, and data. One hour of lost operations can cost an organization tens of thousands of dollars and, more importantly, have a negative impact on patient care. One of the most important things a CIO can do is assess and mitigate an organization’s risks. A healthcare risk assessment may not be sexy, but a bad day can become catastrophic if you don’t take the proper steps to prepare your organization.

Step one: Plan and brainstorm. Sometimes it is difficult to imagine your beloved data center in an inch of water because of a premature fire sprinkler. Preparation for events such as terrorist bombings, chemical warfare, or a power outage combined with a powerful snowstorm must be considered and documented. Each disaster’s record should note its likelihood of occurring, based on historical events and the current environment. Thankfully many of the items on the list don’t have a very good chance of actually happening (a zombie apocalypse, for example). The probability of each risk in this section should be rated numerically from one to three. This section should be weighted as 25% of the total risk score.

Step two: Evaluate the level of impact for each risk. The impact of any outage or catastrophe can range from loss of life and limb, partial to complete system outage, or a breach of protected health information (PHI) that affects millions of people. Each risk should be rated numerically (again, from one to three) to assess the overall impact for each of these areas. This section should also be weighted as 25% of the total score.

Step three: Review the plan, or lack thereof, for each risk item. Each risk item should be given a numerical value (one to five) that corresponds with the level of planning in place for that item. This section should count as 50% of the total score.

Step four: Quantify your level of risk. The more quantitative you can be in scoring the assessment, the better. Every assessment has a degree of subjectivity. Rating each risk item with a numerical value gives team members a starting point around which to frame the overall risk discussion. You should document your risk numbers in a spreadsheet to determine the value for each risk item, accounting for each section’s numerical score and weight.

Step five: Assess the results. It doesn’t matter if you determine a low score is good or bad as long as you are consistent for each section and risk item. For now, I’ll say a lower total score means an item possesses greater risk. You must have a risk mitigation action plan for each item given a score of three or fewer. Having a solid disaster recovery plan and a tested downtime process will mitigate most of the risks for any organization.
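The five steps above as a small scoring model, added here as an illustration and not part of the original post. It assumes a plain weighted sum of the three ratings and that on every scale 1 is the worst case (most likely, most severe, least prepared), so that, as the post says, a lower total means greater risk; the sample register is constructed.

```python
from dataclasses import dataclass

# Section weights from the guide: likelihood 25%, impact 25%, planning 50%.
WEIGHTS = {"likelihood": 0.25, "impact": 0.25, "planning": 0.50}
# Rating scales from the guide: likelihood and impact 1-3, planning 1-5.
SCALES = {"likelihood": (1, 3), "impact": (1, 3), "planning": (1, 5)}
# Items scoring three or fewer need a risk mitigation action plan.
ACTION_PLAN_THRESHOLD = 3.0


@dataclass(frozen=True)
class RiskItem:
    name: str
    likelihood: int  # assumption: 1 = most likely, 3 = least likely
    impact: int      # assumption: 1 = most severe, 3 = least severe
    planning: int    # assumption: 1 = no plan, 5 = tested plan in place


def validate(item: RiskItem) -> None:
    """Reject ratings outside the scales so a typo in the spreadsheet cannot hide a risk."""
    for section, (lo, hi) in SCALES.items():
        value = getattr(item, section)
        if not isinstance(value, int) or not lo <= value <= hi:
            raise ValueError(f"{item.name}: {section}={value!r} is outside {lo}-{hi}")


def weighted_score(item: RiskItem) -> float:
    """Weighted sum of the three ratings; ranges from 1.0 (worst) to 4.0 (best)."""
    validate(item)
    return round(sum(WEIGHTS[s] * getattr(item, s) for s in WEIGHTS), 2)


def needs_action_plan(item: RiskItem) -> bool:
    return weighted_score(item) <= ACTION_PLAN_THRESHOLD


def rank_register(items):
    """Return (name, score, needs_plan) tuples, riskiest (lowest score) first."""
    rows = [(i.name, weighted_score(i), needs_action_plan(i)) for i in items]
    return sorted(rows, key=lambda r: r[1])


# Constructed sample register (not from the original post).
SAMPLE_REGISTER = [
    RiskItem("Sprinkler flooding in data center", likelihood=2, impact=2, planning=2),
    RiskItem("Regional power outage during snowstorm", likelihood=2, impact=1, planning=4),
    RiskItem("Lost unencrypted laptop with PHI", likelihood=1, impact=1, planning=1),
    RiskItem("Single-server hardware failure", likelihood=1, impact=3, planning=5),
]

if __name__ == "__main__":
    for name, score, plan in rank_register(SAMPLE_REGISTER):
        flag = "ACTION PLAN REQUIRED" if plan else "ok"
        print(f"{score:4.2f}  {flag:21}  {name}")
```

Because planning carries half the weight, an unlikely event with no plan still lands below the threshold, which is the post's point about the value of a tested downtime process.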

Ongoing assessments: HIPAA laws at the federal and state levels are constantly changing. The regulations in this area are strict and carry heavy penalties if breached. The following areas have recently changed and must be covered in your healthcare risk assessments.

  1. Laptop and device encryption: The assumption should be that every mobile device could contain PHI. Once a device leaves the organizational boundaries it is at risk of exposing PHI. The only way to protect the contents of a laptop is to encrypt its hard drive, which makes the data extremely difficult to recover without the key, even with the most advanced equipment. There are many software options, such as TrueCrypt, that do a very good job of laptop encryption.
  2. Email PHI filter: Email filters detect PHI keywords and reject or block emails containing these keywords from being sent outside the organizational firewall. Cisco IronPort has good filtering devices for protecting your email systems.
  3. EMR security: There are several articles that deal with this topic. Meaningful use stage 2 is the current standard for EMR security. At a minimum the system must be certified and be equipped with the following functions: authentication and user ID/password restrictions, and the ability to audit information and archive data and logs. Controlled role-based access must also be part of the application.
  4. Secure text messaging: The adoption of smartphones in the M.D. demographic is reaching close to 95% penetration. Recent studies show that nearly 70% of physicians use their phones for work. Doctors text PHI to other physicians because it can lead to better patient care. Doc Halo is an industry leader in enterprise text messaging.

Cliff McClintick is Chief Operating Officer of Doc Halo. He is a former Chief Information Officer of an inpatient hospital and has expertise in HIPAA compliance and security, clinical informatics, and meaningful use. He has more than 20 years of information technology design, management, and implementation experience. He has successfully implemented large systems and applications for companies like Proctor and Gamble, Fidelity, General Motors, Duke Energy, Heinz and IAMS.

November 20, 2013  12:42 PM

Analytics: One of many ways information can improve patient outcomes

Posted by: adelvecchio
ACO, Big data, healthcare analytics, Patient engagement

Guest post by Felipe Brito, business director, CI&T

So much has been written and said lately about how big the challenge of sustaining the Medicare and Medicaid programs will be. In this article, I will focus on how the latest technologies — including cloud and mobile — are being used to overcome some longstanding healthcare hurdles, explore the great new programs being established, and take a look at the innovative initiatives that are becoming mainstream in the healthcare space.

The patient comes first

I recently attended a few events and was glad to hear speakers mention one topic over and over: patient centricity. The healthcare community now understands that the patient is core to any strategy. Healthcare programs should strive to comprehend the patient reality in order to achieve better patient outcomes. The one-size-fits-all approach is simply not adequate. Patients are eager for information and to be treated as people, not diseases.

We are seeing myriad cases in the life science industry where personalized experiences are enhancing the relationship between patients and providers. There are companies focused on analyzing thousands of interactions between healthcare professionals and patients to understand patient behavior and reduce prescription abandonment. Patient portals and prevention programs are investing in preventative care, not treatment of illnesses. Communities of patients and physicians are collaborating to increase health literacy, curate adequate content and improve overall wellbeing. Niche communities and bloggers are engaging online through message boards, where they have discussions around specific conditions. These communities can reduce misconceptions around certain conditions and they create a sense of belonging for those afflicted with the condition.

These enhanced dialogues drive improved patient adherence to recommended treatments. Heart and diabetes patients can have their adherence increased by more than 20% when reminded by systems and applications, a study shows. There are online programs that support smokers with customized protocols in their effort to quit. Health and wellness programs with nutrition advice, meal planning, and exercise routines are redirecting behavior towards healthier lives. This improvement in health will translate to reduced spending on medical treatment. According to the Council for Affordable Health Coverage, lack of medical adherence leads to 125,000 deaths per year, an estimated $100 billion annually in unnecessary hospital readmissions, and accounts for more than 33% of all medical-related hospital admittance.

The impact of big data and analytics

It is fascinating to witness the benefits technology is bringing to healthcare. A plethora of sensors can provide insights and data about our critical bodily functions.  Genomics is becoming a reality in clinical trials, which indicates that personalized medicine will soon be within reach. Big data helps doctors fight cancer, and identify the doctors other doctors trust the most. Analytics enables continuous learning across complex networks. Contextual platforms simplify the user experience by providing content to providers’ and patients’ various devices.

By using information gathered in the cloud, companies can now build predictive models that help target messages to patients in need. Gamification is another creative concept that has been used to help people with severe burns, fight dyslexia, and to aid teens keep up with treatments such as chemotherapy. The latest hype seems to be wearable technology. Companies such as Emotiv, and Google with Google Glass, are making great strides and are poised to bring imaginative new products to reality in the coming years.

Along with this patient data revolution, there are also changes being made to benefit the quality and efficiency of care. The accountable care organization (ACO) model was established with the goal of fostering clinical excellence by tying provider reimbursements to quality metrics and reducing the overall cost of care. ACOs are networks of providers, composed mostly of hospitals, physicians and healthcare professionals, payers (Medicare, private or employee-purchased insurance) and the patients themselves.

ACOs rely on effective use of data and metrics to report current performance and ensure that continued improvements will be achieved. Electronic health records (EHRs) are a key component of this strategy. EHRs contain the complete health information of patients, including medical history and personal statistics. EHRs improve diagnostics and patient outcomes. Part of the value of EHRs is they’re available inside secure networks so healthcare professionals can access up-to-date information about patients. There is no time lost dealing with clerical items, silos, or outdated information.

Privacy and confidentiality in the cloud

The increased use of big data and analytics generates valuable insights, but it also raises privacy and confidentiality concerns. The Health Insurance Portability and Accountability Act (HIPAA) established rules for access, authentication, storage and auditing, and transmission of EHRs. Companies recognize that interoperable healthcare data and cloud services will improve the efficiency and efficacy of care. However, it can be challenging to deploy these strategies while maintaining HIPAA compliance. Some care facilities are implementing internal clouds; some are storing personally identifiable information in internal servers and using the cloud to process non-identifiable information. The takeaway is the healthcare industry will continue to find creative ways to be compliant and provide value to patients, physicians and health care professionals.

The future of technology and healthcare

It’s great to work where technology and healthcare meet. Much has been accomplished in the field of healthcare technology and we can only imagine what the future will bring.

I believe information will be a key component of the innovations to come. Companies that make better sense of data and add a layer of intelligence to their businesses will thrive. Many useful data tools are already available. Marketers and technologists that don’t have improving their data analysis as a key initiative in their agenda will deeply regret it — and will pay a price they may not be able to afford. Personalized and predictive solutions will be the future of patient-centric care, and will lead to making patients’ lives better.

Felipe Brito has been with Ci&T since 2000, when he joined the company’s internship program. Since joining the company, Brito has taken on increasing leadership positions and currently serves as a business director and is responsible for all of Ci&T’s business in the Northeastern United States. Supporting Ci&T’s internationalization goals, Felipe leads fast growing global engagements and oversees 350+ people in long-term partnerships with Fortune 500 clients. Brito has extensive experience working in the consumer packaged goods, financial and life science sectors. He holds a bachelor’s degree in Computer Science from Universidade Estadual de Campinas and two MBAs from Fundação Getúlio Vargas and Babson College.

November 13, 2013  12:23 PM

Rapid growth and regulation among top mHealth trends

Posted by: adelvecchio
mHealth, mHealth applications, mhealth apps, mHealth regulation

Guest post by Amit Gupta, M.D., president, Doc Halo

As doctors and healthcare executives iron out how to use EMRs and other enterprise software that has consumed their attention in recent years, their next IT challenge is close at hand. It’s the mobile device that, in all likelihood, will go everywhere they do.

Mobile health is exploding. Current innovations range from exercise apps to mobile health records to connected sleep apnea devices, with many more in development.

MHealth’s rise will bring tremendous benefits to both healthcare providers and patients as mobile devices become a routine feature of communication, diagnosis and treatment. It will ultimately make healthcare more convenient and efficient. But the move toward mobile brings concerns, too. Among them are government regulation, data security and the question of who will evaluate the data generated by mHealth apps.

Here are some mHealth trends to watch while those issues are settled.

  • Rapid growth: Global mHealth revenue is likely to approach $21 billion in 2018, up from an estimated $6.6 billion this year, according to a report by the research firm MarketsandMarkets. Drivers will include increased attention to chronic diseases, the proliferation of smartphones and high-speed networks and the quest for lower healthcare costs.
  • Increasing regulation: The U.S. Food and Drug Administration stated on Sept. 25 that it would focus regulation on medical apps that “are intended to be used as an accessory to a regulated medical device” or “transform a mobile platform into a regulated medical device.” But those rules could change. Rep. Marsha Blackburn (R-Tenn.) recently said she wants to give the FDA more resources and authority to regulate mHealth apps.
  • Secure messaging: Physicians have confided in us many times that they send patient information to their colleagues via text message. They frequently receive messages from office staff and call centers by text, as well. The practice is growing more common, as smartphone adoption among new physicians is nearly 100%. The problem is, this type of data transmission is not HIPAA-compliant, and it could result in significant fines for healthcare providers and their organizations. Doc Halo provides encrypted, HIPAA-compliant secure text messaging that works on iPhone, Android and your desktop computer.
  • Higher prices: MHealth apps stand apart from the crowd, in many cases, because of their cost. Consumers seem willing to pay more than 99 cents for apps that improve their lives, as Inside Mobile Apps noted. A few in the health space sell for more than $100.
  • Insurance reimbursement for apps: MHealth apps would take off at a quicker pace if they were covered by payers. Reimbursement models that include them are few and far between, but there’s evidence that might be changing. Newer reimbursement models that pay providers for keeping patients well, rather than for providing more services, could also encourage mHealth adoption.

The age of mobile health is an exciting time for providers and their patients. Smart companies will find ways to overcome the hurdles, and design technologies that make it easier for physicians and other clinicians to do their jobs and help patients be well.

Dr. Gupta is the president and co-founder of Doc Halo. He completed his Master’s in Clinical Research from Mayo Clinic and fellowships in Outcomes Research and Hematology – Oncology at the University of Cincinnati. He currently practices Oncology at Springfield Clinic. Dr. Gupta’s interest is to understand and improve healthcare communication, especially amongst different doctors involved in an individual patient’s care. “Timely and effective communication is the key to improving patient outcomes.”


October 31, 2013  12:13 PM

How healthcare apps are organized by medical device classes

Posted by: adelvecchio
applications, FDA, Medical device regulation, Medical devices

Guest post by Zachary Landman, M.D., chief medical officer, DoctorBase

Of the more than 80,000 health related applications available on the App Store and Google Play, fewer than 100 are Food and Drug Administration (FDA)-approved mobile apps. Though some health apps will meet the criteria to be considered a medical device (or an accessory to one) outlined in the FDA guiding document released in September, the vast majority will not. That is a significant problem for many app developers who often work independently, in small teams and are often based overseas. Before costs are even considered, most app developers looking to enter the healthcare market have very little idea about how medical device classes are defined and how devices are classified, marketed, tested, and approved.

There are three medical device classes, I, II, and III, ranging from devices with the least harmful potential to the greatest. Class I medical devices typically are hospital items such as dialysis chairs, beds, assisted mobility devices and the like. Very few medical apps will land in this category since most apps don’t work in this manner and the lowest risk medical apps such as pill reminders or communication tools are currently exempt from FDA classification as medical devices. Class I medical devices are relatively quickly and easily approved (more than 97% of Class I applications are approved).

Furthermore, Class I devices are exempt from filing a 510(k), which refers to a section of the Food, Drug, and Cosmetic Act that requires device manufacturers to notify the FDA of their intent to market a medical device at least 90 days in advance of doing so. Examples of some Class I apps that have been approved include a patient bed monitoring app, a battery powered examination light, a magnifying app, and a medical image storing app. None of these apps collect or interpret vital information such as blood pressure, visual acuity, hearing, heart rate, or breathing function.

The vast majority of regulated medical apps including all those in the “smartphone physical” category will likely fall into Class II. Class II devices are those in which “general controls” are insufficient to ensure the safety and effectiveness of its use. This means that malfunctioning or improper reporting of the device could lead to injury or harm to the user or patient. Some examples of mobile medical apps that fall into this category that have received approval include apps that can measure pulmonary function (spirometry), blood pressure (an app that regulates inflation and recording of measurements from the cuff), and stethoscopes.

The vast majority of these apps will require a submission of a 510(k) as well as sufficient clinical and/or laboratory information that documents the efficacy, precision, and accuracy of the data that the app collects, transmits, and records. While there is a publicly available list of Class II devices which have earned exemption, the standards and classification systems used previously for exemption (nasal cannula, knob to control oxygen flow) may not translate as well to clinically relevant medical apps. Preparation and approval for Class II devices takes between three and six months at a minimum and often costs tens of thousands of dollars for preparation and submission alone.

Class III devices are those in which error can lead to serious harm to human life. Examples include pacemakers, automatic external defibrillators, and HIV diagnostic tests. To my knowledge, no medical app to date has been approved as a Class III device likely due to the time and investment required to meet FDA standards. In the United States, approval can take between 18 and 36 months depending on the availability of clinical data and the initial completeness of the pre-market approval, which is a more stringent version of the 510(k).

Since no medical apps now (or in the very near future) are likely to be approved as Class III, I won’t go into greater detail. However, one can imagine in the coming years an influx of apps that can control ventilation machines, interrogate and correct pacemaker issues, and interact with other types of implantable devices, such as knee replacements or neurologic stimulators. These devices will require significant investments in both time and capital.

So, while the FDA guiding document is largely hands-off and provides incredible leeway for consumer-directed and inter-provider health apps, those that will gather, analyze, or automate data may find themselves with significant hurdles to clinical implementation in the coming years. It should be noted, FDA approval is not a one-time expense, but requires dedicated personnel and processes for adverse event recording, reporting, and correcting following approval. Therefore, at least in healthcare, the most influential apps are unlikely to be coming from a few developers subsisting on Ramen and pizza, but from a coordinated effort between existing industry players and app development companies.

Zachary Landman, M.D., is the chief medical officer for DoctorBase, a developer of scalable mobile health solutions, patient portals and patient engagement software. He earned his medical degree from UCSF School of Medicine. As a resident surgeon at Harvard Orthopaedics, he covered Massachusetts General Hospital, Brigham and Women’s Hospital and Beth Israel Deaconess Medical Center.

October 24, 2013  1:14 PM

Secure text messaging part of HIPAA compliance for call centers

Posted by: adelvecchio
call centers, HIPAA compliance, secure messaging, secure text messaging

Guest post by Jon Jansen, CTO, Doc Halo

It’s five o’clock and the office has turned the phones over to the call center for the night. What happens next could cost you. Your call center will be sending messages to physicians for the rest of the night. Office administrators often don’t give it a second thought but most messages sent today are inefficient or not HIPAA compliant.

Call centers have been sending messages to physicians’ pagers for years. Smartphones have now become the primary communication tool for most people, a trend that physicians have followed. As physicians get rid of their pagers, they will inevitably ask the call center to text them their messages. This scenario is a compliance officer’s nightmare.

Many compliance headaches can be avoided if the call center uses secure text messaging, something most call centers don’t know how to do. HIPAA-secure text messaging is not only about encryption, it also involves controlling the life cycle of the message.

I’ll go over encryption first. There are protocols that can handle encryption and sending secure texts. Wireless Communication Transfer Protocol (WCTP) can be transmitted securely over HTTPS (Hypertext Transfer Protocol over Secure Socket Layer). This protocol is still not widely supported in the software that call centers use. Many call centers are stuck using the Telelocator Alphanumeric Protocol (TAP), which is dial-up and mostly used by the pager industry.

Controlling secure texts is critical to being HIPAA compliant, which requires that messages are tracked and able to be wiped at any time. Transmitting a secure text over public servers is not acceptable as it cannot be recalled from all servers. Controlling access to that message is vital as well. Some companies have turned to sending special links to view encrypted messages. The problem with this is that the link is usually sent in plain text, unencrypted and over public means. This is not HIPAA compliant either. The initial message can be intercepted as easily as any other message and the perpetrator then has access to the encrypted message.
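The life-cycle controls described above, as an added example that is not Doc Halo's or the author's code: the SMS notification carries neither PHI nor a link, the message body is released only to its authenticated recipient, a wipe recalls it at any time, and every event is tracked. Encryption at rest and the app login that establishes `user` are assumed to exist elsewhere.

```python
"""Call-center secure-texting life cycle (added example, not Doc Halo's or the
author's code): every message is tracked, can be wiped at any time, and the SMS
notification carries no PHI and no link. Encryption at rest and the app login that
establishes `user` are assumed to exist elsewhere."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import secrets

@dataclass
class Message:
    recipient: str
    body: str
    wiped: bool = False
    audit: list = field(default_factory=list)   # (timestamp, event, actor)

class SecureMessageStore:
    def __init__(self):
        self._messages = {}   # message id -> Message, kept on the controlled server

    def _log(self, msg, event, actor):
        msg.audit.append((datetime.now(timezone.utc).isoformat(), event, actor))

    def send(self, sender, recipient, body):
        """Store the message; return its id and the PHI-free SMS notification."""
        mid = secrets.token_urlsafe(16)
        self._messages[mid] = Message(recipient, body)
        self._log(self._messages[mid], "sent", sender)
        return mid, "You have a new secure message. Open the app to read it."

    def read(self, user, mid):
        """Release the body only to the authenticated recipient of an unwiped message."""
        msg = self._messages.get(mid)
        if msg is None or msg.recipient != user:
            raise PermissionError("not the authenticated recipient")
        if msg.wiped:
            self._log(msg, "read denied (wiped)", user)
            raise LookupError("message was recalled")
        self._log(msg, "read", user)
        return msg.body

    def wipe(self, actor, mid):
        msg = self._messages[mid]
        msg.body, msg.wiped = "", True   # recall: drop the PHI, keep the audit trail
        self._log(msg, "wiped", actor)

    def events(self, mid):
        return [(e, a) for _, e, a in self._messages[mid].audit]
```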

What you want to ask your call center is, “Are you working with a reputable company that can send secure text messages and is HIPAA compliant?” Only secure texting companies that are built around healthcare have the expertise to navigate the intricacies of this complex problem. It’s time to ask your call center this important question before it’s too late and you’re staring down a fine from the Department of Health and Human Services.

Jon Jansen is CTO and partner in Doc Halo, a company that specializes in secure text messaging. He has an extensive knowledge of programming secure interfaces between hospitals, EMRs and physicians’ data. He has experience navigating through the entire life cycle of HIPAA and secure texting. Jon’s role at Doc Halo is to coordinate all of the behind-the-scenes programming and database creation and optimization, using his more than two decades of experience in this area.


October 17, 2013  10:51 AM

HIPAA and text messaging: How to safely communicate with patients

Posted by: adelvecchio
HIPAA, HIPAA compliance, secure messaging, texting

Guest post by Ben Bakhshi, founder, Coordinato

In this post I will be discussing how to create a secure balance between HIPAA and text messaging. Why text messaging? Texting allows your message to be delivered to patients regardless of the weather, the reliability of the postal service, and patients who screen your phone calls. In a twist on traditional text messaging, information doesn’t need to be sent through a mobile phone, thanks to the various online short message services (SMS) available today. This gives healthcare providers the opportunity to send a short text message to their customers as appointment reminders, or with any other info related to their insurance plan.

Sending messages from mobile devices

In most cases, it is not appropriate to send text messages from mobile devices, unless:

  • Messages are immediately deleted.
  • There is a security code to access the cell phone that is sending the messages.
  • Your cellular device is properly encrypted.
  • Registered and traceable mobile devices are being used to send the messages.

Sending messages from the Web or desktop

Alternatively, you may choose a text messaging service that is accessible from the Web. The considerations are similar: There should be a password required to access your account, and the Internet connection in use should be encrypted. It is generally not recommended to use a “free SMS” service because often these types of services make money by selling information, which would be a severe breach of the HIPAA rules.

A significant percentage of issues regarding HIPAA and customers’ privacy have to do with lack of proper employee training. For example, I have interacted with healthcare providers that are using secure text messaging systems online, and have had their employees send text messages to patients via their personal cell phones. This mistake is likely triggered by their familiarity with texting from their mobile devices.

For reference, The Joint Commission says that it is unacceptable for physicians to text message orders for patients to a healthcare setting. However, this assumes that text messages are being sent from a mobile device. If you can verify the identity of the person sending the message, and keep the original message as validation of what was entered into the medical record, then communicating to patients’ cell phones is acceptable.

When in doubt, consult a trusted consultant who can properly guide you through HIPAA compliance.

Ben Bakhshi is the founder of Coordinato, an appointment reminder service. Ben comes from a technology background, and with Coordinato provides business solutions to healthcare providers.

October 3, 2013  1:19 PM

Host security complements perimeter and network safeguards

Posted by: adelvecchio
host security, network security, patch management

Guest post by Michael Mathews, PhD, president and COO, CynergisTek, Inc.

This is part three of a four-part series of posts where we look at perimeter security, network security, host security, and finally administrative security as distinct elements in an overall information security architecture and the best way to evaluate the current state of each.

A standard question we ask when working with clients is how they go about assessing their organization’s information security architecture. Previously, I examined perimeter and network security. As part of that evaluation, I covered how to address perimeter security in an ever-changing technical environment and how to use tools and technology to provide mitigating controls to secure access to networked assets. The third element — working our way from the outside of the network to the inside — is host security. Host security is a term we will apply equally to any/all endpoints on the network regardless of their purpose or nature (i.e. servers, workstations, network devices, printers, mobile devices, etc.). We do this because all endpoints on the network represent a potential attack vector. Host security started gaining a larger spotlight with the introduction of laptops and portable computers. It is now entrenched as a central part of the overall architecture assessment methodology due to the flood of mobile devices in today’s environment.

Likely the most prominent element of host security is a process information security professionals call “hardening.” It is a process that is performed on network endpoints to make them more resistant and less vulnerable to attack. This is accomplished by turning off unnecessary services and ensuring security controls are enabled on services that are necessary for the business to function. This simple process, if applied in a disciplined manner, can provide a firm base of host security on which enterprises can build.

The biggest piece of advice I can offer is that configuration and deployment checklists be developed for every platform/operating system/appliance/application deployed within the business environment. Establishing a standard checklist ensures all newly deployed endpoints are uniformly deployed with overall security of the device in mind. The logical follow-up step is to keep endpoints properly patched and updated. While the process might vary slightly from platform to platform — depending on the importance of the endpoint or other factors — there is no denying that routine patch management is a critical element to host security and there should be a formal documented process to support this activity. Coupling these two items with periodic vulnerability testing will yield a technical verification and validation point of the efficacy of the overall security process.
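One way to turn a deployment checklist into a verifiable control, as an added example that is not CynergisTek's or the author's code: the script compares what a host actually exposes against a hypothetical per-role checklist and reports every deviation, covering the two checks the paragraphs above call for (unnecessary services and missing patches). The `ss` and `apt` output it parses is a constructed sample; a real run would feed it the live command output.

```python
"""Hardening baseline check (added example, not CynergisTek's or the author's
code). Compares constructed samples of `ss -tlnpH` and `apt list --upgradable`
output against a hypothetical per-role checklist and lists every deviation;
a real run would pass in the live command output instead."""
import re

# Hypothetical checklist: the only TCP ports each role may expose externally.
CHECKLIST = {"web": {22, 443}, "db": {22, 5432}}

# Constructed `ss -tlnpH` sample from a host deployed with the "web" role.
SS_SAMPLE = """\
LISTEN 0 128   0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511   0.0.0.0:443  0.0.0.0:* users:(("nginx",pid=1201,fd=6))
LISTEN 0 128   0.0.0.0:8080 0.0.0.0:* users:(("python3",pid=2210,fd=4))
LISTEN 0 128 127.0.0.1:25   0.0.0.0:* users:(("master",pid=940,fd=13))
LISTEN 0 128      [::]:22      [::]:* users:(("sshd",pid=812,fd=4))
"""

# Constructed `apt list --upgradable` sample (first line is apt's banner).
APT_SAMPLE = """\
Listing...
openssl/stable 3.0.11-1~deb12u2 amd64 [upgradable from: 3.0.11-1~deb12u1]
nginx/stable 1.22.1-9 amd64 [upgradable from: 1.22.1-8]
"""

LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def external_listeners(ss_output):
    """Return {(port, process)} for sockets bound to a non-loopback address."""
    found = set()
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m and not m.group(1).startswith(("127.", "[::1]")):
            found.add((int(m.group(2)), m.group(3)))
    return found

def pending_updates(apt_output):
    """Return package names with an upgrade pending (skips the banner line)."""
    return [ln.split("/")[0] for ln in apt_output.splitlines()[1:] if "/" in ln]

def audit(role, ss_output, apt_output):
    """List checklist deviations for a host; an empty list means compliant."""
    allowed = CHECKLIST[role]
    issues = [f"unexpected listener {proc} on tcp/{port}"
              for port, proc in sorted(external_listeners(ss_output))
              if port not in allowed]
    issues += [f"unpatched package {pkg}" for pkg in pending_updates(apt_output)]
    return issues
```

Loopback-only listeners are deliberately ignored, since the checklist concerns what the network can reach; a stricter baseline would list those too.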

Once the foundation of host security is established with a robust endpoint building process, patch management, and periodic vulnerability testing, there is no shortage of technical controls that can also be deployed to help secure endpoints on the network. These technical policy enforcement tools include host-based firewalls, encryption of data on the endpoints, host intrusion detection, file system integrity monitoring, endpoint data loss prevention and, of course, the venerable AAA (authentication, authorization, and auditing) feeding into a log management application and potentially an event correlation engine (security information and event management).

As with other mitigating controls, host security controls should be evaluated as augmenting the existing complement of perimeter and network security, with particular attention given to mobile platforms, which can often exist without those additional protections.

September 18, 2013  1:11 PM

IT as a Service can transform healthcare

Posted by: adelvecchio
CHIME, IT as a Service, IT skills, patient care


Guest post by Roberta Katz, director, healthcare solutions, EMC Corporation, @Roberta_Katz, @EMCHealthcare

Healthcare organizations are under pressure to respond to Affordable Care Act mandates and meet meaningful use requirements. These demands are driving many organizations to find the right mix of new technologies and business models that will enhance patient care delivery and outcomes, all at lower IT cost.

Wanted: Innovation on a budget

According to a recent survey of CHIME CIOs, 90% of health IT executives report IT innovation is a key component to their future success. The challenge is that only 6% of CIOs surveyed gave their organization an “A” when asked to grade their current ability to innovate. To help enable this transition, many organizations are implementing IT as a Service (ITaaS) models to help lower operational costs, restructure costs from capital to operating expenses, improve service levels, and accelerate deployment of key healthcare applications.

The surveyed CIOs estimate that 47% of their portfolio has the potential to be delivered via ITaaS. They project this service-oriented approach can save 9% of their IT costs, which translates to $11 billion in savings across the industry over the next three years. These are significant savings, likely to increase as healthcare providers merge and form mega networks.

Centralized IT means improved care — with all patient information available at any time as healthcare IT organizations extend their reach to external enterprises involved with care collaboration. This includes ambulatory care settings, physician offices, skilled nursing facilities, home healthcare, and other smaller healthcare providers.

Others hope to close the IT skills gap — 52% are unable to find and hire all the needed IT staff equipped with the necessary skills. The ability to operate as the internal “service provider of choice” and a “broker” of services from third-party service providers means in-demand IT talent can focus on real change — supporting improved care and transforming the business.

The adoption curve: Providers are taking steps

According to the survey, the benefits of ITaaS are several and significant, including: Managing rapid data growth, reducing risk while new business models are rolled out, and improving information security.

Recognizing the significance of these benefits, respondents report that 15% of their total IT portfolio is delivered via an ITaaS model today. Furthermore, 94% of respondents say they have purchased at least part of their IT portfolio “as a service.”

  • 87% have purchased software or Applications as a Service, such as virtualization
  • 22% have purchased platforms or complete environments, which can help increase the use of private and hybrid clouds
  • 18% have purchased Infrastructure as a Service

Prescription for change

While providers have taken solid initial steps — there is more work to be done. Recommendations from those on the front lines include:

  • Measure progress and improve transparency: Have a structure in place for measuring IT return on investment and transparency across ITaaS pricing.
  • Educate and provide access to IT service information: Spread the word, develop a catalog of services, and promote to stakeholders.
  • Follow the leaders: Learn from those that have already made the move.

As IT departments transform their operations to run ITaaS, their role will also transform — from exclusive providers of IT services to brokers of IT services. The agility of a cloud infrastructure enables numerous possibilities and innovation, such as EMR as a Service, PACS as a Service, Analytics as a Service, or Backup as a Service, and these can be delivered to organizations that lack the resources to support such services on their own.
