Here’s what we know. In the Anthem hack, an estimated 80 million records were stolen. The attackers took information on both employees and customers, including names, addresses, email addresses, birth dates, medication history, employment details, family members and more. But while most hackers steal financial data for spending sprees, these attackers had next-step intentions: the stolen data served as the basis for phishing emails, sent using official-looking email accounts, whose attachments installed malware, gathered even more personal information and then propagated across entire networks. So now what?
Know the facts. According to Privacy Rights Clearinghouse, from 2006 up until Anthem about 6.6 million records had been exposed in 79 medical-related breaches of the hacking or malware type. Last year, Community Health Systems Inc. announced a large breach of its health system that compromised data for 4.5 million patients, and now Anthem is at the 80 million mark. Attackers like targeting EHRs because the records are far more profitable than other kinds of data. For example, a single credit card record is valued at about $1 on the black market, whereas, according to various sources, a partial or complete EHR can fetch $50 to $100. The high price reflects the fact that healthcare data bundles personal identity information with insurance and personal health information, and sometimes credit card details as well. A stolen card can be cancelled and reissued, so financial information can be tracked and secured following a breach; a birth date, Social Security number or diagnosis cannot be changed, so healthcare information is not as easily tracked or resolved.
Current mandates. Every EHR provider should safeguard data and information with HIPAA-compliant communication protocols, 128-bit (or stronger) encryption and public key authentication. HIPAA itself names no particular algorithm or key length; it requires strong encryption and authentication as part of meeting the regulatory requirements for security and confidentiality, and providers should document which controls satisfy each requirement. Scheduled backups of the data, with periodic test restores, are essential to keeping records and information from being lost or destroyed.
Chris Strammiello, vice president of marketing and product strategy, Nuance.
Patient admissions and discharge processes implemented at many hospitals today are rife with vulnerabilities and potential HIPAA violations. One of the greatest challenges hospitals face is how they can successfully deliver on dual requirements to make the information in a patient’s electronic health record (EHR) more accessible while at the same time making it more secure, especially because of their reliance on paper, analog fax machines and unmonitored multi-function devices (MFDs).
Every time a document or form is copied, scanned, printed, faxed or emailed — on either an analog fax machine, digital MFD or mobile phone or tablet — a patient’s protected health information (PHI) can be accidentally exposed or intentionally compromised. In light of this, federal standards have now defined digital MFDs as workstations, where PHI must be protected with administrative, physical and technical safeguards that authenticate users, control access to workflows, maintain an audit trail of all activity and encrypt data at rest and in motion.
Healthcare organizations need to add a layer of security and control to electronic and paper-based patient admissions and discharge processes to help minimize the manual work and decisions that invite human error, automatically mitigate the risk of non-compliance and avoid the fines, reputation damage and other costs of HIPAA violations and privacy breaches.
As hospitals are rapidly approaching an FY 2015 deadline for meaningful use, they must demonstrate their “meaningful use” of certified EHR technology, including the ability to protect patients’ health information, or face reduced Medicare payments. The recent HIMSS Analytics survey found that despite the vast majority of hospitals reporting progress toward Stage 2 EHR, barely half of them — just 54 percent — were yet capable of protecting electronic health information, a required Core Objective in Stage 1.
Acting under provisions of HITECH, the Department of Health and Human Services Office of Civil Rights issued new rules in 2013 that enhance patients’ privacy protections, expand individuals’ rights to their health information and strengthen the government’s ability to enforce the law. One new development from these rules is that a security risk assessment tool prepared by the Office of the National Coordinator for Health Information Technology (ONC) mentions copiers 15 times as being workstations where PHI must be protected with administrative, physical and technical safeguards that authenticate users, control access to workflows, encrypt data handled on the device and maintain an audit trail of all activity.
Hospitals also need to conduct a risk assessment to identify threats and vulnerabilities (including copiers), implement and train workers in data loss prevention (DLP) technology and procedures, and establish security incident reporting.
RightPatient is a division of M2SYS Technology, an ISO 9001:2008 certified company and biometric technology solution provider. M2SYS has more than a decade of biometric technology experience, with more than 300 million enrolled users in more than 100 countries.
Elevator pitch
RightPatient is the industry’s most advanced biometric patient identification, patient engagement, personalized healthcare and healthcare intelligence platform to reduce costs and liability, improve quality of care, monitor population health and enhance the patient experience. With features for wearable and biosensor integration, health games, medication alerts, proactive health management and predictive analytics, the platform also integrates with major electronic health record (EHR) systems such as Epic, Siemens, Cerner, McKesson, Meditech, IBM and many others. RightPatient is already deployed across hospitals and health systems that collectively maintain the health data of over 10 million patients.
Product/service description
RightPatient is the industry’s most advanced patient identification, patient engagement, personalized healthcare, and healthcare intelligence platform to reduce costs and liability, improve the quality of care, monitor population health, and enhance the patient experience. Our healthcare ecosystem unifies clinical knowledge through data aggregation, deep learning, and predictive analytics to personalize medicine, improve outcomes, and reduce re-admissions.
Founders’ story
Our founder and CEO Mizan Rahman immigrated to the U.S. in the late 1990s seeking to turn some of his ideas, education and experience into tangible products that solved problems for different verticals. He has successfully shepherded two companies from startup to multi-million dollar businesses that were eventually bought out.
Mizan now oversees the strategic and operational interests of the company worldwide combining his software engineering experience and entrepreneurial leadership with comprehensive international market intelligence to solve customer problems through identity solution ingenuity. He has successfully shepherded the growth of M2SYS as a global force in identity management, pioneering the development and launch of M2SYS’ Bio-Plugin biometric middleware and Hybrid Biometric Platform – both of which were recognized by Frost and Sullivan with prestigious awards for their design innovation.
Mizan continues to be recognized for his innovation and leadership in the field of biometric identification technology, most recently as recipient of “Technology Innovator of the Year” by InfoWorld. He is a frequent speaker in many US and international conferences, symposiums and universities such as the International Biometric Conference and MIT.
Guest post by Ken Perez, vice president of healthcare policy, Omnicell.
We’ve often seen the U.S. federal government announce its intent to drive major changes in the way the healthcare system is run, only to have the private sector respond in a tepid or negative manner.
That was not the case at a January 26 Department of Health and Human Services meeting, at which HHS Secretary Sylvia M. Burwell announced concrete goals and an aggressive timeline for moving Medicare payments from fee for service to fee for value. Nearly two dozen leaders representing consumers, insurers, providers and business leaders were in attendance and clearly supportive of the vision cast by Burwell. Notably, high-ranking representatives from the American Academy of Family Physicians, the American Medical Association, the American Hospital Association, and America’s Health Insurance Plans (AHIP) were among the participants.
The announcement was a landmark one. For the first time in the history of the Medicare program, HHS has communicated quantified goals for pushing a significantly greater share of Medicare payments through alternative payment models, such as accountable care organizations (ACOs) and bundled payments. Such payments will rise from 20 percent ($72.4 billion) of Medicare payments in 2014 to 30 percent ($113 billion) in 2016 and 50 percent ($213 billion) in 2018, a compound annual growth rate of about 31 percent over the four years from 2014 to 2018.
Ever wonder what it takes to slay the dragon; to bring down the giants? What do the health IT disruptors take into consideration as they develop their strategies for conquering the worlds in which they live?
How are your peers – the ones you glance at from the corner of your eye and watch as they nip at your heels but fail to recognize in public – working to change health IT and make a play to dominate competitors that haven’t re-invented their firms?
Since I wanted to know the answers to these kinds of questions, I put out a call. I asked health IT leaders to tell me their points of attack, why those attacks work, how they determined they’re playing the best plan for success and how the dragons they are slaying are reacting.
Here are the responses I received, in no particular order, area or specialty. Once you’ve read their stories, share yours. Which dragon are you slaying; which giant are you downing?
David Caldeira
Dave Caldeira, senior vice president of product and solution marketing, Kofax
For any disrupting technology to be successful, it’s important to demonstrate actionable benefits for IT, healthcare workers and most importantly, the patient. Kofax is improving healthcare IT in four key areas:
Increasing efficiencies — from health, patient and finance documents to accounts payable, accounting and legal
Improve and speed the move to electronic health records to meet “meaningful use” requirements
Enable better outcomes by sharing real-time electronic information between health practitioners and patients
Reduce operation and healthcare costs
The six dominant players Kofax sees in this marketplace are Cerner, McKesson, Epic, Allscripts, IOD and Ricoh. We’ve found that the best way to influence the healthcare IT decision maker is to align ourselves with the dominant players they are comfortable using. For example, Kofax is tightly aligned with Cerner for medical records. Ricoh is a reselling partner that has a dedicated team that we work with. And IOD is a business process outsourcer that also uses Kofax solutions.
For Cerner and IOD to use Kofax solutions is a huge endorsement to how Kofax is making healthcare smarter with information capture mobile capabilities and advanced analytics. Would we consider ourselves a disruptor? Yes, but we do it in partnership with the dominant players.
When purchasing an EHR from a large vendor, customers receive all the modules from this vendor, both the good modules as well as the bad ones. Choosing such a system is always a compromise as no single system can satisfy all user requirements.
Is this something that can be improved? Health Samurai believes that monolithic architectures will eventually give way to platforms and app stores, just as in other industries. Apps in an app store have to be unified, communicate and understand each other. Only a common standard can enable these storage and data-exchange capabilities.
Health IT has a long way ahead, but the transition has already begun.
The international standards organization Health Level Seven (HL7) has drafted a new interoperability standard called FHIR (Fast Healthcare Interoperability Resources). The specification is freely licensed and was designed using modern, proven IT practices: it exposes clinical data as resources over HTTP, in JSON or XML, and is focused on implementers. It has a growing community and the potential to take interoperability to a whole new level.
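To make the "web technologies" point concrete, here is what an app in such a store actually does with a FHIR response. This is an added example, not Health Samurai's or HL7's code: a search against a FHIR server (GET [base]/Patient?identifier=...) returns a Bundle of type "searchset" carrying resources, and an error returns an OperationOutcome instead. The parser below handles both shapes with the standard library only. The MRN identifier system URL is a hypothetical placeholder, and the sample Bundle and error are constructed, fictional data.

```python
"""Parse a FHIR search response the way an app-store app would.

FHIR resources are JSON (or XML) documents exchanged over plain HTTP.
A search such as GET [base]/Patient?identifier=... answers with a
Bundle of type "searchset" whose entries carry resources; a failure
answers with an OperationOutcome. Standard library only, so it runs
offline on the constructed Bundle below.
"""
import json

# Hypothetical identifier system for this hospital's medical record numbers.
MRN_SYSTEM = "http://hospital.example.org/mrn"


def display_name(human_name):
    """Render a FHIR HumanName as 'given... family'."""
    given = " ".join(human_name.get("given", []))
    family = human_name.get("family", "")
    return f"{given} {family}".strip()


def parse_patient_search(body):
    """Return [{'id', 'mrn', 'name'}, ...] from a searchset Bundle.

    Raises RuntimeError for an OperationOutcome and ValueError for any
    other shape, so callers never mistake an error page for zero hits.
    """
    doc = json.loads(body)
    kind = doc.get("resourceType")
    if kind == "OperationOutcome":
        issues = "; ".join(i.get("diagnostics") or i.get("code", "unknown")
                           for i in doc.get("issue", []))
        raise RuntimeError(f"server reported an error: {issues}")
    if kind != "Bundle" or doc.get("type") != "searchset":
        raise ValueError(f"expected a searchset Bundle, got {kind!r}")

    patients = []
    for entry in doc.get("entry", []):
        res = entry.get("resource", {})
        if res.get("resourceType") != "Patient":
            continue  # _include may add other resource types to the Bundle
        mrn = next((ident.get("value") for ident in res.get("identifier", [])
                    if ident.get("system") == MRN_SYSTEM), None)
        names = res.get("name", [])
        official = next((n for n in names if n.get("use") == "official"),
                        names[0] if names else {})
        patients.append({"id": res.get("id"), "mrn": mrn,
                         "name": display_name(official)})
    return patients


# Constructed sample response (fictional data), not a live server's output.
SAMPLE_BUNDLE = json.dumps({
    "resourceType": "Bundle",
    "type": "searchset",
    "total": 1,
    "entry": [
        {"resource": {
            "resourceType": "Patient",
            "id": "p-1001",
            "identifier": [{"system": MRN_SYSTEM, "value": "MRN-44817"}],
            "name": [{"use": "official", "family": "Okoro", "given": ["Amara", "J."]},
                     {"use": "nickname", "given": ["Amy"]}],
            "managingOrganization": {"reference": "Organization/org-1"}}},
        {"resource": {"resourceType": "Organization", "id": "org-1",
                      "name": "Example Clinic"}}
    ]
})

# Constructed error response: what a server returns when the access token
# does not carry the scope needed to read Patient resources.
SAMPLE_ERROR = json.dumps({
    "resourceType": "OperationOutcome",
    "issue": [{"severity": "error", "code": "forbidden",
               "diagnostics": "token lacks patient/Patient.read scope"}]
})

if __name__ == "__main__":
    print(parse_patient_search(SAMPLE_BUNDLE))
```

Because every app agrees on the same resource shapes and the same error resource, the two independent apps in the store can consume the same server without a vendor-specific adapter; the explicit check for an OperationOutcome matters because a silently swallowed authorization error looks identical to "no patients found".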
While the frequency and severity of cyberattacks against organizations are on the rise, a majority of information technology (IT) leaders do not feel confident in their leaderships’ ability to leverage intelligence that can predict a cyber vulnerability and effectively combat threats, according to a new survey commissioned by Lockheed Martin.
A majority of survey respondents noted an increase in the severity (75 percent) and frequency (68 percent) of cyberattacks, but feared that they don’t have the budget (64 percent) or the expert personnel (65 percent) to address the threats.
“This survey illuminates areas of concern about cyber readiness across government and critical infrastructure industries,” said Guy Delp, director of cybersecurity and advanced analytics for Lockheed Martin. “The results highlight that the challenges in this domain are universal across both industry and government, and therefore our response needs to be equally holistic. The adoption of Intelligence-Driven Defense techniques is critical to ensuring that not only IT officers, but also chief executives, boards of directors and customers have confidence in the security of their information.”
Other key findings include:
Many organizations are relying on intuition, rather than intelligence, to assess their security levels: Business and government respondents who felt that they were not presently being targeted for attack relied on their intuition (35 percent) or logical deduction (33 percent) rather than data or intelligence (32 percent) to justify their beliefs.
Whether malicious or negligent, insiders continue to be among the greatest perceived cyber threats: Thirty-six percent of respondents said that negligent insiders were the most significant network vulnerability facing their organization, and more than half (53 percent) ranked malicious insiders in their top four threats.
The most serious risks do not receive the most budget: The top two factors impacting an organization’s cybersecurity posture – employee cyber awareness and supply chain security – receive only four and 15 percent of cybersecurity budgets, respectively. Top budget items, such as mobile and cloud security, are both perceived to be lower threat levels.
Spotlight Health allows consumers the ability to compare prices on medical procedures from doctors, hospitals and clinics in their area.
Elevator pitch
With the dramatic increase in high-deductible health insurance plans, more and more people now have to pay for medically necessary procedures out-of-pocket. There is a consumer need in the healthcare market that wasn’t being served. Spotlight Health now makes it easy to research how much potential medical procedures will cost and allows consumers to have an active role in their healthcare spending choices.
Product/service description
Spotlight Health allows consumers to compare healthcare costs for providers, procedures, treatments and office visits in their area. The Spotlight Health technology lets users find providers, clinics and hospitals in their geographical area based on city, state and zip code. The site also allows users to get estimated pricing for procedures, treatments, therapies and conditions based on the individual criteria. Our goal is to put price transparency in the hands of the consumer, while providing valuable data to patients, physicians, clinics and hospitals.
Marketing/promotion strategy
Our vision for promoting Spotlight Health and generating income is to partner with healthcare providers (physicians, hospitals, clinics) so that they can update their pricing profile to reflect their exact charges. Providers will be able to advertise and promote their business to compete as the market shifts to a more consumer driven model. We are going to be adding a division that will help consult patients on their healthcare costs and help providers set the appropriate market price for their billing. In addition, our SEO and marketing teams are looking for ways we can improve visibility to reach more healthcare consumers.
In light of the recent hack of health insurer Anthem, hospitals and health systems should be reminded of the need to assess their own vulnerabilities. Historically, healthcare organizations have lagged behind other regulated industries in keeping pace with information security despite compiling patient data at expanding rates. Unfortunately, the Anthem attack is unlikely to be an isolated incident: industry executives have already predicted that phishing and malware will be on the rise in 2015.
With an ever-increasing number of Internet-connected devices accessing hospital networks, hackers have an increasing number of ways to exploit vulnerable systems and steal information.
Understanding hacker motivation is important. Some want to sell private information, such as Social Security or credit card numbers. Patient and consumer data have a lucrative black market. Other hackers commit corporate, industrial or political espionage by compromising systems and stealing sensitive information, trademarked designs or strategic plans.
To combat these growing threats, hospitals and health systems have prioritized measures such as two-factor authentication; encryption and mobile device security; security risk analysis; advanced email gateway software; and expansion of IT security staff.
What other actions should prudent institutions take?
First, hospitals should develop comprehensive risk assessment plans. These plans can identify potential weak points, determine best practices and provide a roadmap for increased security. They should be reviewed and updated continually. Hospitals also need regular security assessments and training sessions for anyone who uses a computer.
The biggest oversight most organizations make is neglecting the training of end users. Basic training of users upon hire and at least annually will help protect an organization. Users need to make sure they’re not making common mistakes, such as clicking links in phishing emails. Following bogus links can easily allow hackers to steal information or infect computers. Users need to be educated about how to identify and avoid these types of risks.
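The two tells users are taught to spot in a phishing link, visible text that names one domain while the link goes to another, and a link whose host is a raw IP address, are also the checks an email gateway can apply mechanically before a message reaches an inbox. The following is an added example, not code from the original post or from any gateway product: it scans an HTML message body with the Python standard library and reports the deceptive links. The message is constructed for the example and uses reserved example and .invalid domains and a documentation IP range.

```python
"""Flag deceptive links in an HTML e-mail body.

Two common phishing tells: the visible link text names one domain
while the href points at another, and the href host is a raw IP
address. Standard library only, so it runs offline on the constructed
sample message below.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# A bare domain or URL as it would be shown to the user in link text.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


def host_of(text):
    """Return the hostname named by a URL or bare domain in link text, else None."""
    m = DOMAIN_RE.match(text.strip())
    return m.group(1).lower() if m else None


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html):
    """Return a list of (href, reason) for links worth blocking or rewriting."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        if is_ip(host):
            findings.append((href, "link host is a raw IP address"))
            continue
        shown = host_of(text)
        # A subdomain of the displayed domain (www.example.org for
        # example.org) is honest; anything else is a mismatch.
        if shown and shown != host and not host.endswith("." + shown):
            findings.append((href, f"visible text says {shown} but link goes to {host}"))
    return findings


# Constructed sample message, not a real phishing e-mail.
SAMPLE = """
<p>Your benefits statement is ready.</p>
<p><a href="https://login.example-insurer.com.attacker.invalid/reset">
https://login.example-insurer.com/reset</a></p>
<p><a href="http://203.0.113.7/doc.exe">Download statement</a></p>
<p><a href="https://intranet.example-hospital.org/help">intranet.example-hospital.org</a></p>
"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE):
        print(f"{reason}: {href}")
```

The first sample link is the classic trick: the displayed URL is the insurer's real login page, but the href host has the insurer's name as a subdomain of the attacker's domain, which the suffix check catches because the real host is not a subdomain of what is shown. Plain "Download statement" text carries no domain claim, so only the IP-literal rule fires on the second link, and the honest intranet link produces nothing.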