

RSA (a Security Firm) Hit by Hackers!

This is one of those things that crosses your desk and immediately sends shivers up your spine:

RSA security firm hit by ‘sophisticated’ hackers

So if RSA, which is a company focused on technology security, is vulnerable to hackers, what hope do the rest of us have of repelling a determined intruder?

And having said that, what of RSA’s main product line–the “SecurID” VPN tokens?

For those who are unfamiliar, RSA’s VPN tokens are used by an estimated 40 million employees of large corporations and organizations. They generate a seemingly random six-digit number every 30 or 60 seconds, which the employees type in to log into virtual private networks or other sensitive systems.

This allows employees (or customers) to access sensitive systems in (what previously was considered) relative safety.

Secure no longer….

The issue here is that the hackers broke into RSA’s servers and stole data related to SecurID authentication tokens, and the RSA cryptography algorithm. This algorithm uses a 128-bit “seed” unique to each token to generate the numbers, which in and of itself is virtually impossible to crack. However, by accessing the RSA servers, the hackers may have bypassed this security, and may now have access to any RSA-protected system.
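To make concrete why a stolen seed record matters, here is an added example that is not RSA’s code: SecurID’s algorithm is proprietary, so the open HMAC-based one-time-password construction (RFC 4226/6238) stands in for it. The token and the authentication server each hold a copy of the same 16-byte (128-bit) seed, and every six-digit code is a pure function of that seed and the current time slot, so anyone holding the seed record computes exactly what the token displays. The seed value and the 60-second step are constructed for the example.

```python
import hashlib
import hmac
import struct
import time

# Constructed 128-bit seed standing in for one token's seed record.
# It is the only secret: the algorithm itself is public.
TOKEN_SEED = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def token_code(seed: bytes, now: int, step: int = 60) -> str:
    """What the token display shows: the code for the current time slot."""
    return hotp(seed, now // step)


class TokenVerifier:
    """Server side: same seed, same arithmetic, plus tolerance for clock
    skew and a high-water mark so that an observed code cannot be replayed."""

    def __init__(self, seed: bytes, step: int = 60, skew_slots: int = 1):
        self.seed = seed
        self.step = step
        self.skew_slots = skew_slots
        self.last_slot = -1  # highest time slot already accepted

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for slot in range(current - self.skew_slots, current + self.skew_slots + 1):
            # Only slots newer than the last accepted one are eligible (anti-replay);
            # compare_digest avoids leaking the match position through timing.
            if slot > self.last_slot and hmac.compare_digest(hotp(self.seed, slot), code):
                self.last_slot = slot
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    code = token_code(TOKEN_SEED, now)
    server = TokenVerifier(TOKEN_SEED)
    print("token shows:        ", code)
    print("server accepts:     ", server.verify(code, now))   # True
    print("same code replayed: ", server.verify(code, now))   # False
```

Because the server needs nothing but the seed to reproduce the code, the seed store (and any vendor copy of it) deserves the same protection as a password database, and the user’s PIN remains the only factor a seed thief does not have.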

What’s it all mean?

Unfortunately it means that (once again) the “bad guys” seem to have the upper hand, and that despite our best efforts our “impenetrable” security has proved vulnerable. We’ll need to continue to watch this one closely, to keep an eye on the severity of the impact of this breach.

But what of Health Information? How will this impact hospital systems (many of which use RSA SecurID tokens)?

And can any of us be confident that our systems are indeed secure? After all, if a security firm has had its systems compromised, with all the staff and resources they have available to protect against just such an attack, what happens to the rest of us, with budgets limited by real-world considerations?

It’s not a pleasant thought….

Posted in EMR, Security, Strategic Planning.



More on the iPad

With the advent of the iPad 2, we may see even wider adoption of iOS devices by physicians:

iPad 2 looks even better for docs

And once again one is left to wonder: how will this impact EHR vendors?

  • Will they realize that the “market has spoken” and that they must have an iPad solution to remain competitive?
  • And because iPads do not currently support Java, for those vendors who’ve chosen to be Java-centric in their development efforts, what are their plans to include iOS devices?
    • Will they commit to the necessary rewrite/rework of their code base?
    • Or will they choose to concentrate their efforts exclusively on alternative (non-iOS) systems?
    • And if so, what does this say about their commitment to current customers and their satisfaction with the product (and the company)?
    • And most importantly, what will be the long-term impact on an EHR vendor that chooses not to include iOS?
      • How will lack of iOS integration affect their market viability?
      • How will lack of iOS integration affect their financial stability?

All good questions, and the answers will be a good indicator of whether a vendor is committed to being a leader and partner in the EHR space, or whether it will simply be milking the cash cow of its current customer base for as long as possible.

Something to watch as our EHR market continues to evolve and mature….

Posted in EMR, Implementation, Redlog Blog, Strategic Planning.



iPads are Tablet of Choice among Physicians

An interesting article from Healthcare Informatics detailing the results of a recent physician survey:

Survey: iPads Are Tablet of Choice Among U.S. Physicians

So, not surprisingly, iPads are the current tablet of choice, with 79% of physicians choosing the Apple platform for professional use.

Following a bit further behind were:

Windows Tablets: 12%
Android Tablets: 9%

And while these percentages may change a bit as Android and Windows tablets become more available in the consumer market and these platforms increase their market share, it seems clear that iPads will continue to be the preferred platform for some time. Indeed, the article states that 38% of medical professionals will own an iPad within the next year, and of those who currently own an iPad, 59% use it for medically related tasks.

So the market has spoken–and the question now is how the EHR vendors will respond. Many already have native iPad applications on the market, and of those that do not, most report having apps in development. The challenge, it seems, for many EHR vendors is adapting their software to work on an iPad without the need for intra-screen scrolling (which is troublesome on an iPad) and to incorporate Apple’s “pinch/zoom” functionality.

Given physicians’ preferences, it does seem clear that iPad integration will likely be a market differentiator for those considering EHR purchase. With the ARRA on the immediate horizon, those vendors who can respond quickly may be in the best position to increase their market share.

Stay tuned–there are interesting times ahead!

Posted in ARRA, EMR, Interfaces.



Patient Data Compromised by Flash Drive

I received an email from an associate today regarding the data breach at Henry Ford Health System in Detroit, MI.

If you’ve not yet heard about it, a flash drive was “lost” that contained PHI on 2,777 patients.

Here’s a link to the story:

Henry Ford Health System employee loses flash drive containing patient information

An incredible story, and certainly one with expensive consequences. Yet I can see this happening at most of our organizations, especially with the ubiquity of flash drives, smart phones, Dropbox and other “personal storage” options.

And yet hospital and healthcare provider IT departments are now required to guard against (and essentially prevent) all possible data breaches.

A tall order to be sure….

Posted in ARRA, Security, Strategic Planning.


Stage 2 Meaningful Use – Time to Comment!

ONC Seeks Comments on Potential Stage 2 Meaningful Use Objectives

The Office of the National Coordinator (ONC) has announced that it is now seeking comments on its initial recommended objectives for Stage 2 of Meaningful Use.

As per normal procedure, the objectives will be published in the Federal Register, and there will be a 45-day comment period.

The proposed recommendations include an increase to the threshold for many of the Stage 1 objectives, including CPOE, which increases from 30% to 60%.

We’ll have more discussion on the Redlog Blog in the future, but for now check the Health IT Website at HHS for more information.

The proposed rules and request for comment instructions are available here:

http://healthit.hhs.gov/media/faca/MU_RFC%20_2011-01-12_final.pdf

Posted in ARRA, EMR, Meaningful Use.



Clinicians and Software – Why is it so hard?

As we implement EHRs, it seems we run into the same questions, and the same issues.

“Why is my EHR so hard to use?”

And we focus on physician training, and workflow analysis and redesign–and that’s all critically important, but in many ways we ignore the fundamental issue–that EHRs are software–they’re an electronic approximation of something else (and something we’re quite comfortable with)–a paper medical record.

And that’s the core of the issue–EHRs are a good approximation of a paper record.

But they’re not paper records.

There’s a reason why we like paper and pen, and why most of us still take notes using those antiquated tools–they work!

The problem is that computers are unforgiving–they’re on or they’re off, yes or no, ones or zeros–there is no gray. Everything is (and must be) black and white.

And the world (and medicine) simply do not work that way.

An example:

Think about ordering a diet for a patient.

Using a paper chart, a physician could easily order “Regular Diet” and all was well. A nurse would be able to interpret that order, and adjust the patient’s diet accordingly.

But with an electronic record, you might need three different “fields” to be completed–for example diet, texture and liquid modification. And those three fields would always need to be completed for a valid order to be placed (remember, the computer only understands ones and zeros).

So now with an electronic record, every physician needs to learn and understand what “texture” and “liquid modification” mean, and the options available to them if they want to submit a diet order.

Now you can see why physicians initially balk at EHRs, and why they articulate their displeasure with phrases such as “An EHR slows me down” or “It changes the way I practice”.

Suddenly there are multiple new things that doctors need to know–things they didn’t even previously think about. And that’s especially disconcerting for physicians who’ve practiced successfully for many years.

So what can be done?

First and foremost, better software with better user interfaces. I’ve blogged about this quite a bit–EHRs are programmed by programmers. They write code (and design software) in a way that makes sense to them.

But they’re not clinicians.

And then we wonder why clinicians aren’t happy.

But that’s a long-term solution–the real question is what can we do now?

  1. Education & Training – physicians need to know the challenges that are ahead. They need to know their world will change, and there will be new things they’ll need to learn. And yes, we have to admit they’re right–that EHRs will slow them down and change the way they practice. And they need to know there are solutions, and that success can be achieved with dedication, training and hard work. The difficult part (of course) is for organizations to adequately plan (and budget) for the time, staff and resources required to provide that training (but that’s best left for another blog post for an in-depth discussion).
  2. Workflow Design – create new clinical protocols and policies that support order sets that “make sense” to clinicians (i.e. implement “smart” systems that “know” what “Regular Diet” means–without having to complete unnecessary or redundant fields). Many systems can be configured to facilitate clinical operations, and vendors have often already solved these issues for other customers.
  3. Encourage Innovation – not only for our organizations, but for our vendors. It’s a partnership, and that means that clinicians need to help vendors create better products and better interfaces (and not simply have vendors responding to our clinicians’ and organizations’ needs).

Will we get there?

Yes–eventually (I hope).

Posted in EMR, Implementation, Interfaces, Redlog Blog.



When are passwords not “enough”?

Ran across this article this morning and thought I’d comment:

It’s time to move beyond passwords

We’ve known this for some time–passwords get reused (and we won’t even talk about the post-it note on the side of the monitor).

The interesting part is the implications for protected health information.

What if patients use the same password for their Twitter account as they do for their personal health record?

What if physicians use the same password for their EHR login as they do for their email?

What if those individuals also had a Gawker account and had their information compromised?

But we use “hardened” passwords!

Sure we do–8 characters long, with a Capital letter and a numb3r and at least one $peci@l character…

Really–isn’t that essentially the same as taking your shoes off at the airport? Do you really feel any safer?

But we use RFID cards!

Great–unless someone has a hand-held scanner (not to mention the “threat” of someone simply losing their wallet).

No wait–we have biometric identification deployed!

Except there are those folks whose fingers don’t scan well, and who need some kind of alternative access (like a password).

Bottom line is that while alternative authentication methods are constantly being developed, passwords will be here for the foreseeable future.

So what can be done?

The obvious answer is to not reuse passwords. And we’ve all heard it, and we all ignore it. Same with “hardened” passwords (too hard to remember for most folks).

One suggestion I heard a while back is to use your favorite song as a mnemonic for your password–say it’s “Old McDonald” (had a farm…e-i-e-i-o).

Take the first letter of each word, and voila!

OMHAFEIEIO

A cryptic password that’s easy to remember. Change the “Oh’s” to “Zeros” and the “I’s” to “Ones” and you have:

0MHAFE1E10

Add a “special” character (“@” as a substitute for “A”) and you have:

0MH@FE1E10

But that still doesn’t help with using the same password in different systems. And the best recommendation I’ve seen for that is to simply append (or prefix, or both) your “hardened” password (above) with one or two characters from the website you’re visiting–so for redlog.com you’d add an “R” at the end, and you’d have:

0MH@FE1E10R

If you were at Yahoo reading your email your password would be:

0MH@FE1E10Y

Not a perfect solution, but the best I’ve seen that allows most folks a way to easily remember a password, and make it unique for each website they visit or system they use.
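As an added illustration that is not part of the original post, the following implements the scheme exactly as described above (the song and the redlog/Yahoo site tags are the post’s), and then goes one step further with a keyed-derivation variant: because the post’s site tag is a single visible letter, any one leaked site password gives away the master and with it every other site’s password, whereas an HMAC of the site name under the master yields per-site values that cannot be worked back to the master. The derived-password alphabet and 12-character length are assumptions of this example.

```python
import hashlib
import hmac
import string

# The substitutions the post applies: O -> 0, I -> 1, A -> @.
SUBSTITUTIONS = str.maketrans({"O": "0", "I": "1", "A": "@"})


def mnemonic_password(lyric: str) -> str:
    """First letter of each word, upper-cased, then the post's substitutions."""
    initials = "".join(word[0] for word in lyric.split()).upper()
    return initials.translate(SUBSTITUTIONS)


def site_password_suffix(master: str, site: str) -> str:
    """The post's per-site rule: append the site's first letter, upper-cased."""
    return master + site[0].upper()


def recover_master_from_suffix_scheme(leaked_site_password: str) -> str:
    """The weakness of that rule: drop the last character and the master is back,
    so one leaked site password unlocks every other site."""
    return leaked_site_password[:-1]


# Assumed output alphabet for the derived variant: 64 symbols, so that mapping
# a byte with modulo 64 introduces no bias.
ALPHABET = string.ascii_letters + string.digits + "@#"


def site_password_derived(master: str, site: str, length: int = 12) -> str:
    """Keyed derivation (added here, not in the post): HMAC-SHA256 keyed with the
    master over the site name, mapped onto ALPHABET. Every site gets a different
    password, and none of them reveals the master or the others."""
    digest = hmac.new(master.encode(), site.lower().encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])


if __name__ == "__main__":
    master = mnemonic_password("Old McDonald had a farm e i e i o")
    print("master:          ", master)                                   # 0MH@FE1E10
    print("post's redlog:   ", site_password_suffix(master, "redlog.com"))  # 0MH@FE1E10R
    print("post's yahoo:    ", site_password_suffix(master, "yahoo.com"))   # 0MH@FE1E10Y
    print("derived redlog:  ", site_password_derived(master, "redlog.com"))
    print("derived yahoo:   ", site_password_derived(master, "yahoo.com"))
```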

Food for thought…and until we develop a better, more secure and easier to use system, we’re likely to have traditional passwords for some time to come.

Posted in Security.



10 Steps to a Successful CPOE Implementation

We all have heard that CPOE systems are difficult to implement successfully for physician practices and hospitals. Certainly there are challenges, and yet we have seen enough successful CPOE implementations that we can learn from those who’ve experienced success, and adopt their solutions and recommendations to help mitigate some of the risks of a CPOE roll-out.

Here then are 10 “lessons learned” for CPOE implementations:

  1. Executive Leadership and Support – the organization must be committed not only to CPOE, but to EHRs and HIEs in general.
  2. Physician Leadership and Support – “Physician Champion” is an overused phrase, but physician and clinician support is probably the biggest factor ensuring success of a CPOE roll-out.
  3. Choose a Good Vendor and Product (that works) – Bottom line is that some EHRs are better than others. Functionality (and a history of successful implementations and satisfied customers) must always trump a lower purchase price.
  4. Train, Train and Train Some More – And when you think you’ve finished training, train some more. This is the most important factor for successful EHR (and CPOE) implementations. You must allocate the time and resources to train staff. I’ve yet to hear any organization say they overspent on training.
  5. Lighten Provider Schedules at Go-Live – While organizations may be tempted to avoid cutting the number of patient visits (and associated revenue) during go-live, it is important to recognize that learning a new CPOE system is a time-intensive process. Make sure everyone has sufficient time to devote to learning the new system, and the new workflows.
  6. Test System Access Prior to Go-Live – This includes all end-users (including physicians). Passwords need to work, and all screens and order sets need to be available. There should be no “surprises” at go-live.
  7. “At the Elbow” Support – If at all possible, have trained staff in the office, in person during go-live. Even with training, users will need immediate help, and a phone call or email just won’t cut it. Having someone there to guide clinicians through the process is critical.
  8. Physicians Must Develop Content – Along with physician support, clinicians must be actively engaged in developing EHR content (including order sets and workflows). While standard vendor recommendations are a good starting point, physicians must take ownership of the final product (whether or not customizations from “vanilla” order sets have been implemented).
  9. Be Adaptive – Recognize that despite everyone’s best efforts and plans the system will need to be changed and modified as it begins being used. This is not a flaw in implementation or planning, but simply a part of the process–it is impossible to anticipate every situation until physicians and clinicians start using the product. Only after clinicians experience the product and workflows in a live environment will they be able to make meaningful suggestions and recommendations for improvement.
  10. Set up an Appropriate Governance Structure – All EHR and CPOE systems will require modification and adjustment periodically. However, changes must be examined from a systems perspective–what seems like a small change to one end-user may have a significant (and sometimes unanticipated) downstream impact. Modifications and customizations must be carefully considered and tested to ensure they will not compromise core processes, and to understand how they may affect all end users.

Posted in Redlog Blog.


ARRA Medicare Payments: PPS Hospitals

A short summary of the Medicare ARRA incentives (and the associated formulas) for PPS hospitals.

  • PPS: receive lump sum payments (not based on EHR cost)
  • CAH: receive reimbursement payments for “reasonable costs” incurred for the purchase of certified EHRs

PPS Medicare Incentive Payment

= [Initial Amount] x [Medicare Share] x [Transition Factor]

[Initial Amount]=

$2M + [$200 per discharge for 1,150th to 23,000th discharges]

[Medicare Share]=

     (# In-Patient Part A Bed Days) + (# In-Patient Part C Bed Days)
  -----------------------------------------------------------------------------------
  [Total In-Patient Bed Days] x [{(Total Charges) - (Charity Charges)} / (Total Charges)]

[Transition Factor]

                    Year Meaningful Use is Reached
Year of Payout      2011    2012    2013    2014    2015
2011                1.00     -       -       -       -
2012                0.75    1.00     -       -       -
2013                0.50    0.75    1.00     -       -
2014                0.25    0.50    0.75    0.75     -
2015                 -      0.25    0.50    0.50    0.50
2016                 -       -      0.25    0.25    0.25

Example:

A PPS hospital meets Meaningful Use and is eligible for incentive payments in 2012.

They had 10,000 inpatient discharges in FY 2011.

They had 15,000 Part A inpatient bed days.

They had 18,000 Part C inpatient bed days.

Total inpatient bed days were 50,000 in FY 2011.

Total charges (excluding charity care) were $9,000,000.

Total charges were $10,000,000.

[Initial Amount] = $2,000,000 + [$200 x (10,000 - 1,150)] = $3,770,000

[Medicare Share] = {15,000+18,000} / {50,000 x [9,000/10,000]} = 0.733

[Transition Factor] = 1.00 in 2012

[TOTAL INCENTIVE] = $3,770,000 x 0.733 x 1.00 = $2,764,667 in 2012
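The formula and the worked example above, carried through in code as an added example (not from the original post) that also produces the full multi-year schedule. The transition-factor table is encoded as it reads in the post, with payout years outside the listed ones treated as zero, and the discharge arithmetic follows the post’s (discharges minus 1,150, capped at the 23,000th).

```python
# ARRA Medicare incentive for a PPS hospital, following the post's formula.

BASE_AMOUNT = 2_000_000
PER_DISCHARGE = 200
DISCHARGE_FLOOR = 1_150   # discharges up to the 1,150th earn nothing (post's arithmetic)
DISCHARGE_CAP = 23_000    # discharges past the 23,000th earn nothing

# {year Meaningful Use is reached: {payout year: factor}}, as read from the post's table.
TRANSITION_FACTOR = {
    2011: {2011: 1.00, 2012: 0.75, 2013: 0.50, 2014: 0.25},
    2012: {2012: 1.00, 2013: 0.75, 2014: 0.50, 2015: 0.25},
    2013: {2013: 1.00, 2014: 0.75, 2015: 0.50, 2016: 0.25},
    2014: {2014: 0.75, 2015: 0.50, 2016: 0.25},
    2015: {2015: 0.50, 2016: 0.25},
}


def initial_amount(discharges: int) -> int:
    """$2M plus $200 per discharge between the 1,150th and the 23,000th."""
    counted = max(0, min(discharges, DISCHARGE_CAP) - DISCHARGE_FLOOR)
    return BASE_AMOUNT + PER_DISCHARGE * counted


def medicare_share(part_a_days: int, part_c_days: int, total_days: int,
                   total_charges: float, charity_charges: float) -> float:
    """(Part A + Part C bed days) / (total bed days x non-charity fraction of charges)."""
    non_charity_fraction = (total_charges - charity_charges) / total_charges
    return (part_a_days + part_c_days) / (total_days * non_charity_fraction)


def transition_factor(mu_year: int, payout_year: int) -> float:
    """Zero for payout years the table does not list (before MU, or after year four)."""
    return TRANSITION_FACTOR.get(mu_year, {}).get(payout_year, 0.0)


def incentive_payment(mu_year: int, payout_year: int, discharges: int, part_a_days: int,
                      part_c_days: int, total_days: int, total_charges: float,
                      charity_charges: float) -> float:
    return (initial_amount(discharges)
            * medicare_share(part_a_days, part_c_days, total_days, total_charges, charity_charges)
            * transition_factor(mu_year, payout_year))


def payment_schedule(mu_year: int, **hospital) -> dict:
    """Rounded payment for every payout year a hospital reaching MU in mu_year is owed."""
    return {year: round(incentive_payment(mu_year, year, **hospital))
            for year in sorted(TRANSITION_FACTOR.get(mu_year, {}))}


if __name__ == "__main__":
    # The post's example: MU in 2012, 10,000 discharges, 15,000 Part A and 18,000 Part C
    # bed days out of 50,000, $10M total charges of which $1M is charity care.
    example = dict(discharges=10_000, part_a_days=15_000, part_c_days=18_000,
                   total_days=50_000, total_charges=10_000_000, charity_charges=1_000_000)
    for year, amount in payment_schedule(2012, **example).items():
        print(year, f"${amount:,}")   # 2012 $2,764,667 then 75%, 50%, 25% of it
```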

Next time we’ll tackle the CAH payments.

Posted in ARRA, EMR.



Just the Facts Ma’am

The ONC has released a series of short, one-page “Fact Sheets” for each of the ARRA HITECH initiatives, available as PDFs:

Electronic Health Records

HITECH Programs

Health IT Topics

Posted in ARRA, EMR, Redlog Blog.
