Healthcare Security: How Safe Is Your Medical Information Online—Really?

Jay Schulman

Guest post by Jay Schulman, managing principal, Cigital.

Throughout the past two years, if you’re like me, you’ve had your credit card number stolen a number of times. I’m up to six. In one case, someone purchased a $500 TV with my stolen card information. Yet, I sit here today having lost nothing. Every bank and institution has made me whole. The money that was taken was quickly replaced. While I can complain about the inconvenience, I haven’t lost anything.

The financial industry has the luxury of replacing what was taken. The healthcare industry does not.

Once your medical record is stolen, there is no way for the institution to take that information back. If an electronic medical record (EMR) or MRI system is breached, the information and images are out in the open. While the credit card companies can trace fraud back to a common source, it’s very hard for healthcare companies to figure out who has been breached. That’s why the security of healthcare information is so important.

While many healthcare organizations are HIPAA compliant, that only reflects on their ability to properly control personal health information. It doesn’t necessarily assert that you are secure.

As a healthcare organization, you need to take a holistic approach to secure your environment. This includes:

  1. Understanding your portfolio – what applications and systems are in your environment? Understanding the applications, their development languages, what data they store and access, and other pertinent data points are key to understanding your portfolio. Understanding what needs to be secured is a critical and often missed first step.
  2. Assessing the risk of the portfolio and making priorities. It’s easy to say “anything with personal health information (PHI) needs to be secured.” But, do you understand where PHI is stored or what areas of the network or systems can access systems with PHI? The retail breaches of the past two years have taught us that attackers aren’t always going directly to the critical systems but instead to weak links in the environment. Those weak links can give an attacker access to your data.
  3. Performing a threat model to properly understand those weaknesses. A threat model looks at an environment, who the actors are that can breach your system, and what actions they could perform (steal data or cause a denial of service for example). Given the results of the threat model, you can develop a new ranking of the portfolio.
  4. Determining the best ways to improve the security of the environment. If the organization writing the software is highly outsourced or primarily buys commercial software, assessing their risk is important. Otherwise, how can you be sure that they know how to write secure software? With medical devices, being able to assess the risk and impact of the device to your environment before you put it on your network is essential. Two years ago, many hospitals would assume the device was secure. Today many are starting to assume they are not.


Health IT Startup: ELXR Health

Interoperability in healthcare is critical for doctors to coordinate care for their patients and improve their health. However, if physicians are using proprietary software in their offices, interoperability becomes a very difficult and very expensive challenge. Without interoperability in healthcare, doctors cannot guarantee the data they send to a specialist will be received or interpreted properly. Today, doctors have to rely on fax machines to exchange patient information. This is an outdated and insecure form of communication to exchange patient information.

At the center of all this is the patient, whose medical records, containing their most sensitive information, are traversing fax lines. ELXR Health will change healthcare by giving physicians a new way to coordinate care and exchange information. With the platform, patients can create and manage their medical consents anywhere on a smartphone or tablet. ELXR Health can transform and translate health data into multiple formats; doctors can seamlessly exchange patient information regardless of the EHR software they are sending to or receiving from.

Elevator pitch
The ELXR Health platform is a cloud-based engine that translates and restructures electronic health records into a format easily readable by any doctor’s office. We center our solution around the patient by providing them a responsive web application to create and manage their consents. This doctor-patient collaborative system will improve coordination of care systems and dramatically increase patient outcomes.

Founder’s story
Paul Emanuel, HCISPP, is the co-founder and CEO of ELXR Health. Emanuel has worked in healthcare technology for many years as a technician, a systems and security administrator, an EMR consultant and an HIE engineer. His years of service in health IT enabled him to receive 14 IT certifications, and he is a certified healthcare information security and privacy practitioner. He started his first company in 2008 helping rural health clinics adopt electronic health records and connect with state health information exchanges. He came up with his idea for ELXR Health from his years of experience in health IT. ELXR Health was created to be the solution for doctors and patients to better coordinate care.

Marketing/promotion strategy
Behavioral health organizations, managed care organizations, hospitals and private practices are looking for a cost-effective way to exchange patient data electronically while improving patient outcomes and adhering to their state laws. Our engine allows doctors to translate, restructure and validate health data so the data being sent is the data being received.

ELXR Health gives the patient the ability to manage their consents at their convenience from their smartphone or tablet. We also give developers the ability to integrate with our API to improve their software and provide better care systems for doctors and patients.


Despite Headlines, ICD-10 Does Have Its Supporters

We are nearly three months removed from the oft-discussed ICD-10 deadline, currently scheduled to take effect Oct. 1, 2015. Barring any last-minute shenanigans by those in Washington, there is little to do but wait, and prepare as best as possible for the transition to the new code set in the time remaining.

While there remains plenty of activity on Capitol Hill to, at the very least, delay parts of the rollout of ICD-10, there are countless organizations and individuals who are actively lobbying against a change to the 10th version of the International Classification of Diseases. For example, the American Medical Association has been a staunch antagonist rallying its members against the change. And, as recently as May 2015, the Heritage Foundation, with its report titled, “The New Disease Classification (ICD-10): Doctors and Patients will Pay,” made some strong recommendations against it: “While an updated diagnostic system for disease classification might be in order, there are significant costs and trade-offs,” write Heritage authors John O’Shea, MD, and John Grimsley, reported by Healthcare IT News. “To protect practicing physicians and other healthcare workers from such an unfunded mandate, Congress should delink the disparate goals of research and reimbursement, and develop a more appropriate coding system that makes the billing process less, not more, burdensome.

“In the interim, Congress should allow providers to have the choice of continuing to use the current ICD-9 system or adopt the new ICD-10 system until the alternative reimbursement arrangement is complete.”

However, given this level of dissent toward ICD-10, or the level of dissent that’s reported by the major healthcare news organizations, there’s actually a good deal of support for the change in code sets. When asked about moving ICD-10 forward or further delaying it, the responses received by Electronic Health Reporter were overwhelmingly in favor of proceeding with the current timeline, and by no small margin. The following comments from some of healthcare’s insiders provide proof of that, and show that there are those among us that want to move on as soon as possible, and put the past to rest.

Dr. Jon Elion

Dr. Jon Elion, MD, FACC, founder and CEO of ChartWise Medical Systems
“I’m in favor of the transition to ICD-10 this October. The ICD-9 code set no longer provides the level of specificity necessary to adequately account for many of the patient ailments physicians are seeing today. After 30 years, the code set is outdated and cannot describe all of the diagnoses and procedures that have been discovered or created during that time. Many codes have been “lumped” together so that meaningful statistics and data analysis are not possible. For example, suturing the aorta (largest artery in the body) has the same ICD-9 code (39.31) as suturing an artery in the hand, despite the fact that they are vastly different in the resources the hospital expends in supporting the different procedures. Furthermore, delaying the transition again will only serve to prolong the limbo hospitals, medical centers and physicians have been in for the past few years. Waiting until ICD-11 also isn’t an option as the first versions won’t be ready until 2017 at the earliest and it will be years after that before a version is prepared that will work for the complexities of coding inpatient morbidity and mortality. ICD-10 is the best option we have right now to provide the level of detail physicians and coders need to properly convey patient symptoms and diagnoses.”

Keith Eggert, FHFMA, executive vice president and general manager, healthcare, VisiQuate

“In the short term, converting to ICD-10 has been a significant undertaking for the industry. But in the long run, it’s a valuable investment because more specific Dx and inpatient procedure codes can lead to more precise diagnostic, utilization and billing data, which positively affects revenue capture. They can also have a positive impact on clinical outcomes. Fortunately, there are third-party vendors who have solutions that eliminate much of the staff time and expense needed to convert to ICD-10 manually.”

Kimberly Vegter CPC, CPC-I, AAPC certified ICD-10 Trainer; coding services for MediRevv

I can honestly say with a resounding yes, I am in support of the ICD-10 transition. At this point, I feel any provider that is not ready for the transition, will never be ready and any further delay will add more burden than relief. I have been teaching ICD-10 since 2011 and I know the providers that I spoke to before the last delay were frustrated with the amount of time and most of all money that was spent only to have it delayed one more year.


Health IT Startup: Healthspek

Healthspek is a free tool that manages personal and family health records by using an easy-to-use iPad app and mobile website to track, collect and safely disseminate healthcare information. Patient data is duplicated and stored on Healthspek’s secure cloud server — making it accessible 24/7 from multiple devices, anywhere in the world.

It helps users “take ownership over doctors’ electronic medical records, legal documents and automated refill reminders, insurance cards and more. Plus, account holders can manage medications, medical charts and images, track vitals, access care, and record physician, insurance and emergency contacts, among other features.”

Healthspek also receives medical records and facilitates electronic communications with providers. With the patient’s permission, doctors can access records through Healthspek, providing convenience for both you and your physician.

Elevator pitch
Healthspek is a complete tool available on any mobile device that can be used to track, collect and safely disseminate personal healthcare information from anywhere in the world, 24/7. It’s your personal health record—*you* should have access to it when you need it.

Randy Farr

Product/service description
Healthspek is a free platform available on the mobile Web—accessible from any mobile device including PCs, tablets and smartphones—and iPad app that’s helped thousands of families and individuals across the country manage their healthcare records and provide access to all of their information 24/7. By creating an account at or on the iPad app and filling in the information relevant to you and your family, you instantly have unlimited access to everything from allergies, vitals and medication information to a repository for legal documents like your living will and power of attorney.

Founders’ story
Randy Farr is a healthcare industry veteran with a passion for allying healthcare and technology to improve physician practices and patient experience.

In 2001, Randy saw an opportunity in applying software technology to doctors’ offices to help physicians realize greater workflow efficiencies and a better bottom line and launched EaseMD, which grew to be one of the largest re-sellers of eClinicalWorks software in the country.

Out of his experience with EaseMD, Randy partnered with Bruce LeFew to develop Healthspek—a free tool that gives patients the ability to track, collect, manage and safely disseminate personal and family health records from any device—12 years later. Similar to EaseMD, Healthspek utilizes technology to better an important part of the healthcare system; but with Healthspek, the focus is on patient experience.

Randy is the energy behind Healthspek, and his excitement and enthusiasm for his work is immediately apparent when you meet him. Randy’s enduring drive to promote Healthspek’s mission has positioned himself and the company as driving forces behind a national demand for more access to and control of personal health records.

Bruce LeFew

With 30 years of experience in the healthcare industry, Bruce LeFew knows physicians, patients, hospitals and their data. He knows their needs and has dedicated his career to providing enhanced operations for better population health management services.

In early 2013, Bruce and his partner, Randy Farr launched Healthspek, a free tool that gives patients the ability to track, collect, manage and safely disseminate personal and family health records from any device. They saw that the simple concept of shifting power from doctors to patients has the potential to reduce healthcare costs, eliminate unnecessary tests and procedures and motivate patients to pay more attention to their personal health.

At Healthspek, Bruce is the momentum. His unwavering dedication to the company’s mission has helped earn them national attention, with recognitions and awards such as one of 10 finalists in AARP’s Health Innovation @50+ LivePitch, Apple’s Best New Medical Apps of 2013 and winner of *MediaPost*’s 2013 Apply Award in the medical category to show for it.

Bruce knows good customer service and support is the best business practice, and in turn communicates with Healthspek users daily. Whether it’s an email or personal phone call, he ensures every customer concern or comment is addressed.


Differences Between a Rejection and Denial in Medical Billing

Alex Tate

Guest post by Alex Tate, consultant and digital marketing specialist, CureMD.

Regardless of how brilliant a medical biller is, they are guaranteed to come across rejections and denials from time to time. These terms are frequently used to discuss medical billing claims and are often used interchangeably by even the most experienced team members in the health field. However, a rejection differs vastly from a denial. Additionally, the processes necessary to effectively overturn the ruling of a rejection are different from those of a denial. Understanding these fundamental differences is not only essential for ensuring that medical billing claims can be processed without unnecessary frustration, but will also help increase the efficiency of the revenue cycle and may potentially grow the profitability of the organization you work with.

Claims that do not meet the specific data requirements or the basic format necessary will be rejected, according to the Centers for Medicare & Medicaid Services (CMS). Rejected claims will not be processed because they are not considered to have been “received” by the payor, thus do not make it into the adjudication system. This may sound complicated, but it really isn’t. It simply means that a rejected claim must be resubmitted when the error (or errors) is corrected appropriately. It’s important to note that beneficiaries of a rejected claim cannot be held liable because the services were never actually billed.

Denied claims, on the other hand, have been received by the adjudication system of the payor, and cannot be resubmitted because the payment determination has already been decided upon. A denied claim can, however, be appealed by the request of the payor to necessitate the proper modifications, additional required documents, etc.

Improving Revenue Cycles through Term Clarity

Educating staff members on the differences between a denied and a rejected claim can not only accelerate the appeals process drastically, but also help pinpoint where improvements can be made in the future. For instance, if your team comes across an inordinate number of rejected claims, you may want to focus additional effort toward improving the process of your claim edits or scrubber to provide your clean claims rate with an added boost. This would likely require the involvement of IT, the business office, and possibly the vendor.


Health IT Startup: InfoTech Healthcare

John Penland

Technology and healthcare have never been more dependent on each other, and ensuring your data is stored on HIPAA-compliant storage systems can be a challenge. InfoTech Healthcare attempts to take this burden off healthcare facilities and provides customers with a mobile storage platform to store data from X-rays to office documents. How many times do users email documents back and forth to share information without encrypting them? InfoTech Healthcare’s goal is to provide healthcare customers with a worry-free solution that requires zero administrative action from the customer while providing information quickly to users no matter the location.

Elevator Pitch
InfoTech Healthcare makes it easy for healthcare organizations to share and store information on a highly secure HIPAA-compliant system that requires no administrative effort by the customer. InfoTech Healthcare provides the tools for users to operate with unlimited storage and share information with other authorized staff quickly. The InfoTech Healthcare storage app is available for Windows, Mac, iPhone, iPad and Android to keep users connected from any location.

Product/Service Description
Healthcare providers count on storing their office and patient information in a safe and easy-to-use location. InfoTech Healthcare ensures that healthcare providers have an easy-to-use system that meets all the security requirements of the industry. Our team manages all the backend requirements so healthcare providers can focus on using the system and not managing it. Highly detailed auditing is automatically turned on so that data can be reviewed by management if ever needed. Our systems can be configured so that our support staff can retrieve information deleted from the system by any user. This prevents unauthorized data destruction and ensures your organization is compliant with record management. Providing multiple layers of granular security, information can be restricted to seven levels of access ranging from ownership to denied access.

Founder’s story
John Penland is the CEO and founder of InfoTech Healthcare. John’s passion for cloud solutions started out of college when working with other healthcare software companies. To be successful, John realized that customers needed a safe and reliable service backed by outstanding customer support and education. John developed key partnerships with other vendors in the market to deliver customers a great set of services for healthcare providers that met all compliance regulations for HIPAA storage. InfoTech Healthcare storage systems are designed to lead the way in cloud storage for healthcare and other business organizations.


Should Hospitals Think and Act Like Tech Companies?

Amy Cueva

Guest post by Amy Cueva, co-founder, Mad*Pow.

Is your hospital or healthcare organization actually a technology company in disguise? Lots of companies are. After all, to win and hold onto customers, organizations have to make huge investments in IT and technology. At some point if, say, a financial services organization spends most of its money on technology, hasn’t it actually become a technology company that happens to deliver financial services? Are hospitals and health care organizations any different?

The thing is, while businesses are becoming tech companies, successful tech companies have realized it’s not about technology at all. It’s about experiences. Think about Uber or AirBnB: What they’re really selling is an experience enabled by technology.

Welcome to the experience economy. At Mad*Pow, the design firm where I lead experience design, we’re always trying to help hospitals and healthcare companies think about the patient experience as they travel through their healthcare journey.

It’s not easy work. The healthcare industry has gotten more than its fair share of disruption to deal with. Things like electronic medical records and the Affordable Care Act have unleashed waves upon waves of new technology into the clinical setting—none of which plays very well together. Meanwhile, doctors and clinicians have become data entry specialists, sacrificing important patient time for screen time. As a result, healthcare is behaving a bit too much like “sick care,” treating problems rather than treating people. It’s more about the transaction, less about the patient experience.

On the bright side, the industry is responding in exciting ways. Today, more and more hospitals are acting like tech start-ups. They’re sponsoring hack-a-thons to crowdsource innovation within their own walls. They’re incubating ideas from doctors and clinicians to build and test new devices and technologies. They’re partnering with universities and entrepreneurs and private business to fuel and fund and focus their innovation.


Telehealth: A Promising Future for Healthcare

Richard A. Kimball Jr.

Guest post by Richard Kimball, Jr., CEO, HEXL.

In an ideal world, a patient should be able to visit the doctor whenever he has health concerns. However, for many patients, particularly the millions living with lifelong chronic diseases, such as diabetes, heart failure and chronic obstructive pulmonary disease (COPD), meeting this need is a challenge because of several reasons. Key among these are: lack of time and limited access to a nearby health facility. These obstacles, in turn, sometimes create even bigger problems, such as patients’ failure to practice daily routines of disease prevention and management, resulting in worsening of their conditions and triggering the need for emergent care.

Fortunately, a solution is underway. Experts are taking advantage of today’s modern technology—telehealth — and are using it to bring healthcare education and services closer to consumers. Most simply put, telehealthcare provides contact between clinicians and patients who are at some distance from each other, and uses telecommunication-ready tools to “see” each other and undergo clinical examinations even at a distance.

Through telehealth, patients can easily get in touch with their doctors without having to worry about geographical distances. From a residential setting, not only can a simple and known tool like a telephone be used as an audio communications device to connect patients with their clinicians, but an array of monitoring devices, such as blood pressure cuffs, pulse oximetry measurement tools, weight scales, and others, can also be used to transmit current vital sign readings for clinicians’ review. In the same manner, physicians can use today’s information technology to easily access their patients’ electronic health records and monitor their patients’ development outside the walls of their clinics or hospitals.

Truly, telehealthcare and remote monitoring have enabled many healthcare practitioners to help manage the chronic health conditions of their patients, and subsequently, help improve their patients’ quality of life.


Trends in Consumer Healthcare Payments

The healthcare payments market is growing rapidly and is estimated to reach $5 trillion by 2022 as a total of both payer and consumer payments. The fastest growing portion of the market is payments from consumers for healthcare services and health plan premiums as a result of shifting payment responsibility and changes because of health reform.

However, the healthcare industry is struggling to address the new role of consumers in the payments process with more than 30 percent of healthcare dollars considered to be wasted because of inefficient, disjointed payment processing and costs associated with paper-based billing and administrative processes. These costs are expected to continue to increase unless the healthcare industry recognizes and addresses the critical role of consumer choice and the impact of the digital economy on payment options.

These latest trends and best practices presented in InstaMed’s Trends in Healthcare Payments Annual Report 2014 outline a critical need for healthcare industry professionals to focus on consumer preferences and their emerging role in the payments process. Healthcare providers and payers who offer consumers preferred payment methods, including card payments and online payments, reduce confusion and ultimately increase collections. Additionally, new electronic payment channels, such as mobile payments and Apple Pay, will further accommodate consumers’ expectations for simple billing and convenient ways to pay. A focus on streamlining the consumer payment experience will improve collection rates, increase consumer satisfaction, and enhance profitability and cash flow.

The following infographic illustrates the top trends, industry challenges and best practices to enable healthcare organizations to adapt to the future of healthcare payments. For more information, download the full report:


CHIME Co-Founder Richard Correll to Retire

Richard Correll

Co-founder and former president and CEO of the College of Healthcare Information Management Executives (CHIME) Richard A. Correll announced his plans to retire at the end of the month, after 23 years. Correll has been serving as the organization’s chief operating officer and senior strategic advisor since April 2013 following the appointment of CEO Russell P. Branzell.

Correll has led the CHIME organization since it was created more than two decades ago as a nonprofit, professional association for senior IT leaders in healthcare.

“My years serving CHIME have been a privilege and the most rewarding of my career,” said Correll in a statement. “With the indispensable support of our members, board and staff, the organization has become a recognized leader and advocate for the CIO role and the effective use of information management to improve patient care quality and safety.”

Correll helped form CHIME in 1992, enlisting 192 charter members in the first year, led by founding board chair Dr. John Glaser. While serving on the HIMSS board in the 1980s, Correll identified the need for a professional organization dedicated to the development of the emerging top healthcare IT executives taking on the new title of CIO. Today, CHIME has grown to more than 1,500 members and 150 Foundation firm supporters.

“Our ability to utilize information technology to improve the quality, safety and efficiency of care has been significantly furthered because of the efforts of Rich Correll,” said Glaser, senior vice president of Cerner, in a statement. “Rich’s creation and leadership of CHIME have led to major advances in the knowledge, skills and capabilities of the healthcare IT leadership community. His legacy is substantial; we all have been shaped by his work.”

After CHIME was formed, Correll and Glaser spearheaded the creation of the CHIME Foundation in 1994, comprised of healthcare IT vendors and consultants to partner with the members of CHIME, and in 2007, a second office location in Washington, D.C. to create sustained contact with lawmakers while informing and influencing federal policies meant to transform the delivery of healthcare through IT.
