Security Archives

Health IT Industry Snipes at iPad

 

While health-care professionals seem to love iPads, health IT professionals are less enamored with the consumer-friendly tablet computers, according to a new industry report.

Doctors and others are more likely to use technology they like, which could help chief information officers get everyone on board in using electronic health records and other health IT systems. But iPads in particular are challenging to integrate into existing health IT, according to the report from BizTechReports, "Diagnosis Danger: Governance and Security Issues Cause IT Concerns About iPad in Healthcare Settings."

"There is a sense of concern among healthcare IT executives that pressure to meet the demands of end-users to support consumer-grade computing and communications devices like the iPad is coming at the expense of other important priorities," the researchers reported.

Areas of concern reported by the 100 hospital and clinic CIOs and other health IT executives interviewed by BizTechReports, an independent, Washington, D.C.-based research group, include:

  • Compliance with privacy governance requirements.

  • The need to manage risk while sharing health information with other users.

  • The ability to quickly react to and remediate data breaches.

  • Integration with end-to-end productivity systems.

"Products like the iPad ... have derived many of their most attractive features by adopting non-industry-standard components," the researchers said. "Because of this, it is often not possible for these technologies to comprehensively interact or comply with key systems, policies and processes."

For example, electronic patient records are not meant to be managed on consumer-grade technology like the iPad, according to the report. It's also difficult to enter information from an iPad into an enterprise system like an EHR. Nor do iPads have mechanical keyboards or USB ports that can attach devices such as barcode scanners, severely limiting the number of applications they can support.

Panasonic Solutions Co. teamed with BizTechReports to produce the study.

Health IT Market to Grow Apace

 

While the overall economy may well continue to sputter, the health IT market should be hitting on all cylinders over the next five years, a new industry report predicts.

One slice of the market, federal spending on health IT, is expected to grow from $4.5 billion in 2011 to $6.5 billion in 2016, for an annualized growth rate of 7.5 percent, according to a summary of the report, "Federal Health Information Technology Market, 2011-2016." The market report by Deltek, a Herndon, Va.-based software and information services provider, is available for purchase.

Key findings, according to the summary, include:

  • Demand for mobility, telehealth, informatics, decision support, interoperability and common electronic health records will be driven by technology advances, potential long-term cost savings and improved patient outcomes.

  • Aging EHRs operated by federal agencies "are overly ripe for major transformation."

  • The federal government must transition from a "pay for service" model to a "pay for health" model that emphasizes outcomes.

  • Health IT adoption is threatened by data security, program integrity, care coordination, political agendas and the federal deficit.

In addition to EHRs, the report says, health IT vendor opportunities include IT infrastructure modernization for governmental health agencies, new medical payment systems, and IT to improve health in the general population.


Cost of Health IT Breaches Rises

 

Health-care providers lose an average of $2.24 million every time private patient information is compromised by security breaches, costing doctors and hospitals nationwide an estimated $6.5 billion annually, a new study estimates.

The per-breach cost, which rose 10 percent this year, includes an average of $250,000 in legal fees, according to the Ponemon Institute's "Second Annual Benchmark Study on Patient Privacy and Data Security."

The frequency of data breaches among the 72 health-care organizations interviewed for the study increased by one-third this year compared with last year. Nearly all of the providers surveyed, 96 percent, reported at least one data breach in the last two years; the average number was four. The typical breach compromised 2,575 patient records, up from 1,769 last year.

"I don't see this getting better any time soon," says Larry Ponemon, founder of the Traverse City, Mich.-based Ponemon Institute, which researches information and privacy-management issues. Cash-starved providers are trimming IT security and privacy budgets, he says in a news release, particularly at not-for-profit hospitals and small clinics.

The report blames "employee mistakes and sloppiness" for a majority of the breaches, along with errors by third parties, including subcontractors. Nearly three out of 10 breaches led to identity theft, the respondents said, up 26 percent from 2010.

The explosion in the use of unsecured mobile devices is a major threat to data security, the report concludes. Half of the providers that reported using mobile computing devices said they had done nothing to protect the security of the data on them.

The Ponemon Institute survey was sponsored by ID Experts, a Portland, Ore.-based IT security services provider. The report can be downloaded at the ID Experts website (registration required).

Bill Provides Cover for EHR Errors

 

A new bill introduced in Congress would give Medicare and Medicaid providers limited liability protection for electronic health record errors.

Rep. Tom Marino, R-Pa., says the bill "would create a system for reporting potential errors that occur when using electronic records without the threat of that information being used as an admission of guilt."

The Safeguarding Access For Every Medicare Patient Act, HR 3239, also prevents plaintiffs' lawyers from using EHRs as "an easy source for 'fishing expeditions,'" Marino says in a news release. Health-care providers would be able to correct EHR problems "without having those actions be used to establish guilt," according to the release. It also would limit when lawsuits could be filed, and protect against libel and slander lawsuits.

Marino says his bill reduces fear of expensive lawsuits and thereby promotes EHR adoption by Medicare and Medicaid providers. "Every time a doctor or hospital chooses not to participate because of these fears," he says, "our seniors lose another provider."

To qualify for protections under the bill, providers would have to demonstrate that they are using certified health IT products or meet federal criteria for "meaningful use."

The bill has been referred to the House Energy and Commerce Committee.

Stanford Sued Over Data Breach

 

Stanford University's hospital system and a former billing subcontractor are co-defendants in a class-action suit that seeks damages for the online posting of information from 20,000 patients' medical records.

The lawsuit, filed last week in Los Angeles Superior Court against Stanford Hospital & Clinics and the billing vendor, Multi-Specialty Collection Services, seeks unspecified damages on behalf of anyone whose health data was posted online--namely patients who visited the Stanford Hospital emergency room, in Palo Alto, Calif., between March 1 and Aug. 31, 2009. A copy of the suit is available at ModernHealthcare.com.

A digital spreadsheet containing the patients' names, medical records, hospital account numbers and the dates of treatment was posted online Sept. 10, 2010, at studentoffortune.com, a website that helps students with their homework. The data remained online for almost a year before a patient discovered it on Aug. 22.

Stanford Hospital says responsibility for the data breach rests with Los Angeles-based Multi-Specialty Collection Services, which it fired following discovery of the privacy lapse. In an Oct. 3 statement, the hospital contends that it sent the data to the company in an encrypted format to protect its confidentiality. A hospital investigation showed that the vendor, known as MSCS, prepared a spreadsheet and sent it to a third person not authorized to have the information.

That person "improperly posted it on a website, apparently to get assistance in generating a graph from MSCS's spreadsheet," the hospital says. "This mishandling of private patient information was in complete contravention of the law and of the requirements of MSCS's contract ... and is shockingly irresponsible."

MSCS did not immediately return a call seeking comment.

Patient Consent: Lost in Translation

 

The federal health IT czar's top privacy officer has hired a firm that will help patients to understand how, why and when their doctors can share private health information electronically, including data released to health information exchanges.

The project team from the winning bidder, APP Design Inc. of Itasca, Ill., will "design, develop, and pilot innovative ways to electronically implement existing patient choice policies, while improving business processes for health-care providers," the Office of the National Coordinator for Health IT said Monday in an emailed announcement.

The "e-consent trial project" launches in October, ONC said, with one goal being to evaluate electronic consent forms.

"Efforts to collect informed consent for treatment often are inadequate," ONC said in the Statement of Work that defines the project.

"For example, in one review of informed consent documents from randomly selected hospitals, the documents examined were shown to have very limited educational value," according to the statement. "The ability to obtain meaningful consent to share health information presents similar challenges."

A final project report is due in about 20 months.

Stanford's ER Patients Exposed

 

Arguments that electronic health records are safe and secure were dealt a major blow last week with news that the names and diagnosis codes of 20,000 patients at a California emergency room were accidentally posted online -- and stayed there for nearly a year.

Stanford Hospital, in Palo Alto, Calif., was investigating how a billing subcontractor's spreadsheet ended up on a website for students who were soliciting paid help with school assignments, according to reports in newspapers, including the New York Times. The spreadsheet was published on the site beginning Sept. 9, 2010, as an attachment to a question about converting data into bar graphs, a Stanford spokesman told the Times.

The spreadsheet did not include Social Security numbers, birthdays or credit-card numbers, but did include diagnosis codes, hospital account numbers and dates of treatment, the spokesman said.

The hospital learned of the breach from a patient on Aug. 22 and succeeded in getting the offending material removed the next day. The breach was announced publicly on Thursday, several days after affected patients were notified of the problem by mail, according to the San Jose Mercury News.

Stanford Hospital "suspended business" with the vendor, the Mercury News said.

Health Data Breaches Documented

 

Protected medical information, including patient medical records, is alarmingly susceptible to security breaches, two new reports suggest.

The first report comes from the Health and Human Services Department, and finds that more than 7.8 million people had their medical information compromised by 252 major security breaches over a recent 15-month period. Smaller breaches affected another 30,500 people.

The second report comes from Veriphyr Inc., a data security services provider. It found that 71 percent of health-care providers who responded to a recent online survey had reported at least one medical records security breach in the previous year. More than a third, 35 percent, resulted from employees snooping into their coworkers' medical records, while 36 percent were by employees sniffing out the records of friends, relatives or neighbors. VIP records were compromised in 6 percent of cases involving inside breaches.

The HHS report looked at data breaches that occurred between Sept. 23, 2009, when notification requirements went into effect, and Dec. 31, 2010. HHS is required to report its findings to Congress as part of the Health Information Technology for Economic and Clinical Health Act.

About half of the major breaches reported to HHS -- those affecting more than 500 people -- were the result of theft, including stolen electronic equipment such as network components, laptops or hard drives. The largest reported theft affected 1.9 million people, HHS said.

Other reported incidents involved hacking or other intrusions with intent to commit fraud. Human error, the loss of electronic or paper records, and improper disposal of paper records accounted for the other major cases.

California Hospitals Fight EHR Bill

 

The California Hospital Association is fighting a legislative attempt to require a "track changes"-type function for electronic health records, saying the benefits aren't worth the additional cost.

State Sen. Mark Leno, a Democrat from San Francisco, is sponsoring the bill in response to a case in which someone altered the electronic medical records of a patient who had died. State health investigators discovered that someone had erased relevant portions of the dead woman's computer medical records. In addition, a nurse had been instructed to retroactively include notes describing the patient's care. The woman died following knee surgery at Stanford University Medical Center.

The bill calls for tracking changes made to EHRs and keeping a record of who made them, according to a report this week by California Watch, a project of the nonprofit Center for Investigative Reporting. Patients would be able to see changes to their records, as well.

In a letter to Leno, the California Hospital Association argued that "the frequency of the problem addressed in this bill does not make the cost justified at this time when hospitals are focused on achieving sustainable health information exchange and in demonstrating federally defined meaningful use of clinical data."

Hospitals would have to pay millions of dollars to revise EHRs already in place, the association says. It also argues that the measure would cause major delays in implementing new EHR systems.

The bill is scheduled to be heard Tuesday by the California State Assembly's Health and Judiciary Committee. The Senate passed the bill on May 31.

AHIMA Funds Data Recovery

 

The American Health Information Management Association has set up a disaster-relief fund to help industry professionals recover from this spring's rash of tornados, floods, fires and other disasters.

These professionals "face a unique challenge as they struggle to piece back together their own lives while working to recover as much of their community's patient information as possible," the association says in a news release. The plan is to "assist communities of health information professionals whose personal or professional lives have been severely disrupted by a natural or man-made disaster."

The aid comes by way of the AHIMA Foundation's Health Information Relief Operation (HIRO) Fund. Created with $10,000 in seed money, the fund is accepting additional one-time donations.

To donate, send a check (designated to the HIRO Fund) to: AHIMA Foundation, 25351 Network Place, Chicago, Ill., 60673-1253. The fund is also accepting donations online.

The foundation is still determining criteria for awarding disaster assistance. Applications for relief will be available on AHIMA's website.