Criminal Cyberattacks: The #1 Threat to Healthcare

In the last five years, cyberattacks on healthcare organizations have skyrocketed by 125 percent, and 45 percent of healthcare organizations report they have been victims of deliberate cyberattacks, according to a new survey from the Ponemon Institute and ID Experts. The survey also showed that 90 percent of healthcare organizations and 60 percent of claims processors and third-party billers experienced a breach in the past two years.

The Value of Black Market Healthcare Data

Hackers can make up to $70 each for every medical file stolen and resold on the black market, which explains the high motivation behind these attacks. A vast network of online criminal sites makes trading these commodities quick and easy for those who will pay the asking price for stolen digital goods.

Medical records can net a higher profit for cybercriminals than either credit card or bank account numbers, since they include a large amount of sensitive information (like mother’s maiden name or Social Security numbers) that can then be leveraged into bigger payouts.

The cost to healthcare organizations resulting from medical record theft totals $2.1 million on average, which adds up to $6 billion annually throughout the industry. Damages to those consumers directly affected are also significant, and healthcare data breaches can lead to secondary issues that are just as costly, such as insurance fraud.

Protecting Digital Data

These risks have increased in direct correlation with medical providers moving to electronic medical records. The healthcare industry falls far behind other organizations in the private sector in terms of digital record-keeping, citing security concerns as a reason to continue using paper records instead.

This is the modern-day equivalent of insisting on using only a landline or a typewriter despite the many advantages and technological advances of smartphones and laptops. The inherent concern lies not with the technology itself, but rather with the lack of prioritization given to sufficient security measures within the healthcare industry.

Previously, the leading cause of data breaches was lost hardware, but employee negligence is still named as a top concern for 70 percent of organizations polled. This alone points to the reality that the healthcare industry must look inward foremost, and stop dismissing cyberattacks as a statistical improbability.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.

The Paradigm Shift of Patient Portal Use

Patient engagement is a growing trend in the healthcare field, but the increasing use of patient portals and online medical records is forcing physicians and clinics to re-evaluate their mindsets about how they utilize online medical records.

Patient Engagement Concerns

According to the STEPS Taxonomy of the HIMSS Health IT Value Suite, the impact of engagement strategies is affecting patient and physician satisfaction rates differently. While most agreed that the patient engagement measures provided by attesting to meaningful use would increase patient satisfaction rates, the same was not true for physician satisfaction rates. Clinicians were dubious about the effects of meaningful use requirements on their clinic workflow, while acknowledging the success of the strategies in improving patients’ quality of care.

This disconnect is symptomatic of a growing concern for health care practitioners. The effectiveness of electronic patient safety and involvement measures is not being disputed, but physicians have expressed unease about the practicality of meeting the minimum requirements for meaningful use.

Electronic Portal Drawbacks

Physicians with primarily older patients who infrequently use computers have claimed that the necessity of email and online access creates a requirement virtually impossible to fill. Physicians also mentioned cultural issues as arguments against meaningful use measures, citing the shift from traditional phone calls to email use as a complication for patients unprepared to adapt.

Part of the problem with electronic records may come from the drawbacks associated with patient portal use, such as the tethering of patient portals to electronic health records, which results in patients having multiple portal pages to keep track of for each clinic they visit. New systems are being developed that combine all patient portals into one page for patient ease of use, but for now, the user experience with patient portals is taking a back seat to helping clinics adjust to the switch.

The Future of the Patient Portal

Patient portal use has been a challenge for clinics to successfully implement. Electronic medical records have given clinics the ability to manage patient care in ways never before possible, but the concerns expressed by physicians regarding its use will likely be addressed slowly. The new infrastructure of reliance on patient portal use reflects the changing trends of the healthcare field, and requires flexibility from both physician and patient to implement effectively.

Written by Dean Van Dyke, Vice President, Business Process Optimization

How IT Services Can Boost Patient Engagement

Patient engagement is a practice that clinics have struggled with for years. Involving patients in the care process keeps them informed and leads to a higher quality experience, but relies on methods and infrastructure that many clinics are unfamiliar with. However, new meaningful use regulations may make patient engagement a necessity instead of a luxury.

Stage 2 of meaningful use requires over five percent of patients to be involved in their own care via electronic medical record or online portal for any provider. This means patients will become more aware of prevention screenings, more informed during inpatient procedures and will maintain better contact with their providers after they’ve gone home. Given the financial costs associated with disengaged patients who fall victim to preventable hospital readmissions, these regulations are understandable.

Despite the benefits of increased patient involvement, hospitals have shown poor adherence to engagement practices in the past. A recent survey conducted by consulting firm Technology Advice indicated that 48 percent of patients reported no follow-up from their provider after they were discharged, with a mere nine percent reporting contact via online portal. Hospitals have a long road ahead of them to increase their patient engagement to acceptable levels.

Increasing Engagement

Despite the challenges associated with making patient involvement a priority, new methods in development offer multiple ways for hospitals to engage their patients, particularly in the IT field. Applications being developed allow providers to monitor patient health status after discharge by providing wellness surveys for patient responses. If the responses indicate a decrease in health or wellness, the application notifies a nurse practitioner who can help the patient address the issue.

These applications are also being utilized during hospital stays and surgical procedures, providing ways for family to stay informed with live updates on the status of the patient. These methods combine new technology with electronic health records to create a positive experience that keeps patients informed.

Response to virtual information management has been positive from patients, but patient health outcomes have yet to be improved. Using applications to track the status of patients during procedures and during post-operative care doesn’t satisfy the government-mandated Stage 2 meaningful use requirements, but is a step in the right direction toward integrating IT services and patient engagement.

You can view the full research study at Technologyadvice.com.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Is Mobile Technology a Benefit to the Medical Field?

In theory, mobile devices can offer numerous advantages for care coordination by increasing the efficiency of communication between staff and better organization of patient data. However, reliance on mobile technology for communication can have drawbacks, meaning that clinics that consider utilizing mobile devices in their practice should carefully weigh the risks against the rewards.

Streamlining Communication

Interconnectedness is an essential factor in patient care coordination, and mobile devices excel in this department. With a centralized online medical record, all staff members can access and update patient information from any location in the hospital.

This can do wonders for efficiency when you consider the typical transit time of information by traditional methods. A typical prescription may need to travel from the physician to the nursing staff, then to the pharmacy, ending up at the billing department. While this flow of information has been limited in the past by how quickly staff could deliver it, with mobile technology, all departments can access the information instantly via handheld devices.

Documentation

Monitoring and tracking of patient information is greatly enhanced with mobile devices. It’s difficult to monitor the flow of patient care when traditional documents and resources are handed from person to person, but mobile devices provide a platform for all communications to be logged electronically.

This offers many advantages to the practice, not all of which involve mere boosts to the organization. In a business where reliability is a top concern, digital documentation can ensure that there are records of all communications that occur for each patient. This is a big benefit to hospitals that have had information get lost in the shuffle. With easily-tracked, auditable records, clinics can ensure that all communication will be available for review if the need arises.

Using mobile devices can also provide safeguards for HIPAA and patient confidentiality, as communications will be more restricted to devices that only certified staff can access. Traditional methods of documentation can fall into the wrong hands or be viewed by unauthorized personnel, but handheld devices with built-in security features guarantee that information is kept confidential.

Mobile Concerns

While there are arguments for including mobile devices in the medical field, the practice of having all staff members utilize handhelds can offer drawbacks.

Due to the private nature of mobile communication, it becomes harder to manage employee efficiency. There have been documented cases in the past of clinics that have had to sanction staff members for inappropriate communications via mobile devices, and while this problem also exists in workplaces without mobile technology, requiring all staff members to use mobile devices constantly will likely increase the frequency.

Reliance on mobile devices also creates the need for a reliable IT network, with software that is compatible across multiple platforms and employees with the knowledge to use it. While some clinics may provide devices for employees, cross-platform functionality can become an issue when staff members bring their own devices from home. Employees unfamiliar with technology may be slow to adapt to the practice, creating a steeper learning curve and more administrative errors.

Mobile technology in the medical field can provide new methods of communication and patient care coordination, though the practice may not be right for every clinic. Hospitals should assess their practices and decide whether the benefits offered by handheld device use outweigh the complication costs.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Hacking Medical Records: A Growing Threat

A disturbing upswing in medical-record hacking requires all custodians of such data to take a hard look at their security apparatus. For the people whose medical records are compromised, the consequences can be even more devastating than having financial records stolen.

When a major retailer suffers a data breach that compromises customer credit- and debit-card information, there is a narrow set of potential consequences for the affected customers. A criminal can use the information to assume the victim’s identity, make fraudulent transactions, and ruin his or her credit. Although these are serious concerns, there are countermeasures available to limit or eliminate the risk; law enforcement, credit providers, and reporting agencies are proactive in resolving these issues when they happen.

However, when medical information is compromised, the impact is wide-ranging and long lasting. If one’s medical history is published on the Internet for all to see, personal information like substance abuse or mental health issues could affect an individual’s ability to get a new job or obtain quality health insurance at reasonable rates. Personal relationships can also be damaged or destroyed by a breach. Even sensitive data, once published online, is hard to erase.

This was thrust into national awareness recently with the cyberattack on Sony Pictures, which exposed employees’ personal medical records along with other sensitive information such as Social Security numbers and passport numbers. The breach, together with other recent medical-record breaches, points out issues that have not previously received the attention they deserve:

  • The custodians of medical records are not limited to hospitals, clinics, insurance companies, and doctors’ offices.
  • Not everyone who possesses medical records and other personal data protects them well.
  • An individual has little or no control over who has access to their health records, how those records are stored, or what happens to them. Custodians are trusted to protect this information and not misuse it.

Some ask why Sony Pictures possessed that level of detail on their employees’ health histories. Everyone who is responsible for other people’s medical records should ask that same thing of themselves when the stored data serves no compelling business purpose and is not required by law or regulation.

The lax attitude toward medical record security results from the belief that there is little for hackers to gain from accessing these records, and that they therefore do not require the level of protection that financial data does. However, given the level of risk to patients, and the potential loss of trust and damage to a company’s reputation, organizations should look closely at medical record security.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Turns Out HIPAA Is Full of Healthcare Privacy Holes

Most consumers believe they can put their faith in HIPAA, the federal law designed to make health insurance more portable and to eliminate fraud. Notice we didn’t describe it as a privacy law; while some provisions put patient privacy at the forefront, HIPAA doesn’t always keep consumer personal health information (PHI) under lock and key.

The HIPAA Privacy Rule established national standards designed to protect consumer health information and medical records from cybercriminals by putting limits and conditions on what is usable and shareable without individual patient authorization. However, according to a new report from the California Healthcare Foundation entitled “Here’s Looking at You: How Personal Health Information Is Being Tracked and Used,” there’s a lot more consumer health information floating around in cyberspace than one might imagine.

Where Does Protection Come In?

There are many ways legitimate organizations and ill-intended miscreants can capture PHI and other private data and then sell it on the Internet black market without consumer consent or knowledge.

What are the different categories not protected under HIPAA’s privacy provisions? The extent of it might surprise the average patient:

  • Internet searches for health and healthcare information
  • Healthcare products and medications purchased online
  • Purchases of dubiously health-related items such as trans-fat laden fast foods or tobacco products
  • User profiles and activity on health-related social networks such as Sermo and PatientsLikeMe

While the revelation that the information above is not protected is sobering, is it cause for panic? Not necessarily. Much of the data collected via these avenues is used not for criminal reasons but for marketing. The report found that the data mined from these routes may be useful in improving results in clinical trials and targeting affected individuals who may benefit from upcoming vaccine or treatment trials.

Online Activity vs. Privacy Implications

Either way, consumers should know that their online activity – even that related to health and healthcare – is not private. Jane Sarasohn-Kahn, a health economist and principal author of the aforementioned report, states: “Even consumer footprints that are not expressly about health can be used to help determine a person’s physical or mental health. How we shop, the magazines we subscribe to, where we hang out on the weekend – this information is relatively easy to purchase by third parties.”

Understandably, many consumers and consumer advocates are disturbed by the revelations in the California Healthcare Foundation report. Fortunately, Sarasohn-Kahn offers several propositions designed to increase consumer protection without cutting off healthcare data sharing completely:

  • Increase security on PHI through “health data lockers” and more private cloud storage for healthcare data.
  • Boost transparency and simplicity in the healthcare data regulatory market so there is greater oversight and less rampant capturing, selling and use of consumer information without knowledge or consent.
  • Empower consumers by getting their consent before capturing data or enacting “meaningful protections” to prevent malevolent data mining and usage.

Even the FTC has weighed in on this issue. In a June 2014 statement, FTC commissioner Julie Brill demanded congressional action: “Since most consumers have never heard of data brokers, we call on Congress to enact legislation that would lay out their existence and activities at a centralized portal, a solution I have long advocated. At this portal, data brokers could identify themselves, describe their information collection and use practices, and provide links to access tools and opt outs.”

What will be done to protect PHI remains to be seen. While HIPAA helps safeguard types of consumer information, the healthcare data that lies outside its jurisdiction is caught in a data-mining free-for-all that could put consumer privacy at significant risk.

Written by Dean Van Dyke

How Can Less Tech-Savvy Hospitals Move Forward with EHR?

In urban areas, it’s typical and even expected that larger healthcare organizations and hospitals are already using the latest medical breakthroughs and technological advances, including making (or having already made) the transition to electronic health records (EHR). Yet, rural practices are often stuck years behind their big city counterparts in a number of ways, and EHR adoption is no exception. How can smaller medical practices and hospitals catch up, let alone move forward?

Pipeline Problems

There are a lot of things people living in larger metropolitan areas take for granted, like 24-hour grocery stores or extensive public transportation. Smaller communities are faced with a number of unique challenges related to their relatively remote, isolated locations.

This dynamic is reflected in the healthcare industry as well. When it comes to making tech upgrades, the problems an urban hospital faces are most often related to issues like figuring out the best way to transform a large volume of paper records into digital format, or how to rearrange the budget to pay for the transition. In rural areas, though, complications occur at a much more fundamental level.

The question that smaller practices face isn’t necessarily how to schedule the time or the best way to reprioritize the budget, but may instead be as basic as how they can find a technician or vendor to perform the service at all. Facilities that only have a couple dozen beds to begin with may have trouble even getting the latest medical equipment, and definitely don’t have access to the expert guidance they need to install and implement the hardware and software that’s necessary to build and maintain effective electronic records management.

Lack of funding in general is another serious issue facing rural practices. On average, the nation’s 2000 or so rural hospitals already run at an eight percent loss, so the question of finding the necessary investment to adopt EHR—often in the range of about a million dollars—can feel impossible. Yet, these changes need to be on track in order to comply with the mandatory 2015 deadline, so an answer has to be found.

Joining Forces

The solution adopted by an increasing number of smaller practices involves a trade-off: giving up their independence in exchange for being absorbed into a larger nearby healthcare organization. Rural hospitals can align or merge with the nearest large metropolitan area hospital system and receive the benefits of more generous financial backing, along with superior access to the necessary technical support. Often, the urban facilities are already using EHR, so making the upgrade is a fairly streamlined—and less financially strapped—process. While some small hospitals remain stubbornly independent and are determined to find funding somehow on their own, others are benefiting in a big way from creatively joining forces with other healthcare providers.

Are Security Concerns Holding Back eHealth?

Despite the ever-growing integration of technology into the average person’s daily life, there’s still one frontier that many remain resistant to when it comes to going virtual: health care. According to a recent Ponemon Institute study called “Risk & Rewards of Online & Mobile Health Services: Consumer Attitudes Explored,” many consumers still feel uncomfortable about sharing information about their health online. Are these concerns holding back the potential for a more fully developed approach toward electronic health records and other eHealthcare possibilities?

What Holds Consumers Back

The study, sponsored by Experian Data Breach Resolution, looked at the way consumers use online health services and portals as compared to other online services that involve potentially sensitive data as well, such as online banking or making purchases from smartphones.

The study included nearly a thousand participants, many of whom described themselves as regular Internet and mobile app users. Yet, 52% of respondents said that they do not currently use eHealth services, for three main reasons:

  • Concern that their online health information would not be fully removed upon request
  • Questions over the respect for privacy—for example, whether users would be tracked online
  • Whether complete online anonymity could be assured

Add to this the common public perception that online healthcare services or portals are not as secure as they should be, and it’s easy to see the challenges facing eHealth industries today.

What Does the Future of eHealth Hold?

With such clear reluctance from the general population, even those who are otherwise fairly tech-savvy, what future developments can be expected in the field of eHealth services? First, it’s important to recognize that there are many benefits to electronically-stored healthcare information as well as many other health-related applications.

  • Microsoft’s HealthVault lets families organize their healthcare records, and share that data with physicians or other agencies (such as children’s schools for their records). HealthVault also integrates with many popular health-related fitness apps.
  • An app called MedTracker gives patients reminders about when to take medications, but this capability is available in electronic pillboxes as well.
  • Other online-based tools, platforms and apps are already in use for nearly every aspect of healthcare, from medical billing to electronic health records and other resources.

Despite hesitance from consumers, healthcare systems are definitely making the shift toward digitally-managed healthcare, both as a solution for improving patient care and safety, and as a cost-saving measure. In fact, the Affordable Care Act was in part written to encourage and promote these technologies in order to lower health care costs overall.

The prime takeaway here is the persistent impression consumers have that their health-related data is less secure to access online than their bank accounts or credit card transactions. In order for this perception to be changed, consumers must feel reassured that the systems and products they’re using are securely encrypted; securing healthcare information is vital for encouraging the widespread adoption of eHealth services in the future.

Vendor Sacked for HIPAA Breach Blunder

Data Misuse Concerns

The site in question, used by physicians for patient notes, didn’t show signs of access by any unauthorized personnel, and the patient records did not include financial information or social security numbers. However, the potential for accessing personal information such as prescriptions and medical history was still very much a possibility.

All of the impacted individuals were notified, and Boston Medical Center immediately discontinued their decade-long business association with the medical transcription company. The website was taken down the same day the incident was reported, although it’s not clear how long the patients’ unprotected data was live on the site prior to that date.

It’s clear that MDF Transcription was not following the HIPAA protocol as they should have. Although it doesn’t appear that any of the information was used or accessed inappropriately, HIPAA is not just about fully realized cyber-attacks. Instead, the guidelines set in place by HIPAA are intended to be proactive and preventative, protecting not only against the misuse of data but also unauthorized access of any kind.

The Future of PHI

Ongoing discussions over protected health information (PHI) have led to a recent Blue Ribbon Panel for further discussion on how to best respond to the increasing complexities involved with privacy and security enforcement within the healthcare industry. From the Office for Civil Rights (OCR) to the Federal Trade Commission and even the Securities and Exchange Commission, a number of organizations are getting more involved with the education and enforcement of the HIPAA compliance process.

Perhaps more relevant for companies like MDF, the OCR is taking a more aggressive stance when it comes to imposing financial penalties on those organizations that have neglected to meet even baseline expectations for PHI standards and HIPAA compliance. Overall, the mood is one of very little patience toward companies that continue ignoring mandatory standards, and a heavy emphasis on the right of the individual to expect (and receive) a certain level of privacy assurance when it comes to his or her own health and medical records.