Health data breaches triggered by hacking attacks spiked by 320% in 2016 and ransomware became widespread, according to a report by a health IT cybersecurity firm.
Released the week before HIMSS 2017, the report from CynergisTek, Inc. division Redspin said that 81% of the health data breaches were caused specifically by hacker attacks, rather than by lost or physically stolen records.
Cybersecurity of health data is expected to be a major topic at the 2017 conference and exhibition of the Healthcare Information and Management Systems Society in Orlando.
(CynergisTek was acquired in 2016 by document management company Auxilio, and Redspin, a HIPAA risk assessment and penetration risk company previously acquired by Auxilio, became part of CynergisTek’s portfolio.)
The report also noted that 2016 was the first year in which a hospital victimized by ransomware paid a ransom to unlock its data network, and that many smaller hospitals and clinics, in addition to several major healthcare systems, were hit by hackers causing health data breaches.
“Healthcare providers have become the primary targets of malicious hackers, and their attacks are becoming increasingly sophisticated and disruptive to operations,” Dan Berger, Vice President at CynergisTek, said in a release.
Key findings of the report:
- There were 325 large health data breaches, compromising the protected health information (PHI) of 16,612,985 individual patients.
- The year’s single largest incident involved the health data breach of 3,620,000 patient records.
- Some 40% of large health data breaches involved unauthorized access or disclosure of the records.
Incidentally, SearchHealthIT will be interviewing CynergisTek CEO and co-founder Mac McMillan at HIMSS 2017 and will be sure to ask him about what health system CIOs can do to combat the hacker scourge.
Machine learning is a hot topic in healthcare right now. One health IT expert told SearchHealthIT that he predicts machine learning and artificial intelligence will move quickly in the industry and be applied to many different use cases.
And it seems cybersecurity is one strong use case. Even at the upcoming HIMSS 2017 conference in Orlando, Fla., there are multiple sessions discussing the role artificial intelligence and machine learning will play in healthcare cybersecurity.
A report by ABI Research, a market research company based in Oyster Bay, N.Y., predicts that this trend of AI and machine learning in healthcare cybersecurity, and in cybersecurity in general, will also boost big data, intelligence and analytics spending to $96 billion by 2021 across every industry sector, including healthcare.
The report also said that the cybersecurity industry is heavily investing in machine learning with the hope of providing a more dynamic deterrent to cyberattacks.
“We are in the midst of an artificial intelligence security revolution,” Dimitrios Pavlakis, Industry Analyst at ABI Research, said in a press release. “This will drive machine learning solutions to soon emerge as the new norm beyond Security Information and Event Management, or SIEM, and ultimately displace a large portion of traditional AV, heuristics, and signature-based systems within the next five years.”
The report predicts that IBM will be a major player in this space — especially when it comes to machine learning in healthcare cybersecurity — and will transform the way enterprises employ machine learning.
“This radical transformation is already underway and is occurring as a response to the increasingly menacing nature of unknown threats and multiplicity of threat agents,” Pavlakis said in the release.
While more than half of the country has enacted telemedicine parity laws, restrictions on the types of telemedicine technology that are covered by health insurance often prevent patients from being able to use remote services, according to the American Telemedicine Association (ATA).
Telemedicine parity means that telemedicine encounters are covered by health plans at similar rates as in-person visits. But lack of reimbursement by insurance payers — Medicare, Medicaid and commercial payers — has long been a barrier to telemedicine use. However, improvements are on the way — it is expected that Medicaid programs in all 50 states will cover some form of telemedicine in 2017.
Today, 31 states and the District of Columbia have telemedicine parity laws — up from 21 states in 2014, the first year of the ATA’s 50 State Telemedicine Gaps Analysis. Twenty-four of those states and D.C. have no restrictions on what type of technology can be used. However, 20 states either have no telemedicine parity laws or have several “artificial barriers” to parity.
Despite the ubiquity of smartphones, five states prohibit the use of “video phone” or “cell phone video” for telemedicine: Idaho, Missouri, New York, North Carolina and South Carolina. Idaho, North Carolina and South Carolina cover interactive audio-video, or videoconferencing, only. North Carolina requires a provider to be on premises with the patient, and South Carolina requires a telepresenter – typically a nurse who is trained to use the technology – for all audio-video encounters. South Carolina also does not cover remote patient monitoring (RPM) for chronic disease management in the patient’s home.
“Artificial barriers” such as technology type — including RPM — are “harmful and counterproductive,” and prevent patients from being able to realize the benefits of telemedicine, the ATA said in its analysis.
You may be using your personal wearable fitness device, whether an Apple Watch or Fitbit, to simply track your fitness or how many steps you take in a day. However, it turns out that these personal wearable fitness devices are much more powerful and able to do more than most may think.
Recent research published in PLOS Biology discovered that wearables that continuously log information such as heart rate, skin temperature, and even oxygen saturation can help detect when someone is about to get sick.
Michael Snyder, a professor and chair of genetics at Stanford University and the senior author of the study published in PLOS Biology said in an article that his team was surprised that these wearable devices were effective in detecting the start of the flu or even Lyme disease.
The article explained that because these personal wearable fitness devices continuously track and monitor vital signs like heart rate, they produce a dense set of data, which means that when abnormalities arise they stand out.
Over the course of two years, participants monitored their vital signs using personal wearable fitness devices, the article said; one of those participants was the senior author of the study, Snyder himself.
Snyder said in the article that at one point during that two-year period, the wearable device he wore detected marked changes in his heart rate and skin temperature that differed from his baseline. It turned out, after a test two weeks later, that he had contracted Lyme disease.
Snyder added in the article that he and his team are interested in exploring the role wearable technology can play in achieving personalized or precision medicine and genomics given its ability to detect illnesses. He pointed out that genomics and personalized medicine are really all about detecting and catching diseases early and he believes that wearable devices are set up to do just that.
Explore the aforementioned PLOS Biology research here.
A recent eye health study found that patient-reported data doesn’t always get recorded in a patient’s electronic health record (EHR), raising questions about the accuracy of clinical documentation.
Investigators from the Department of Ophthalmology and Visual Sciences at the University of Michigan Medical School compared patient-reported symptoms with the symptoms recorded in the EHR. The researchers found that of 162 patients surveyed, there were only 38 exact matches between the patient-reported symptoms and the EHR documentation. When the patient reported three or more symptoms, the EHR never had exact agreement.
While the major mismatch between patient-reported data and EMR documentation was the failure to capture patient-reported symptoms, there were also instances of symptoms incorrectly being recorded for patients who did not report that problem. For example, blurry vision was inaccurately identified as a symptom for 29 patients, but was only accurately recorded for 26 patients.
The inconsistency between patient-reported data and clinical documentation led the researchers to conclude, “documentation of symptoms based on [EHR] data may not provide a comprehensive resource for clinical practice or ‘big data’ research.” In other words, since EHR data may not provide a complete view of a patient’s health, it can impact the quality of care the patient receives. Inaccuracies in EHR data could also preclude its use in research studies until it is consistent with patient-reported data.
Maria Woodward, M.D., assistant professor of ophthalmology and visual sciences at the University of Michigan, said in a release, “Many parties in health care use the electronic health records now, and they expect the data to accurately reflect the interaction with the doctor.”
Woodward said neither the patient nor doctor is at fault for the inconsistency, but that it highlights an opportunity to improve doctor-patient communication. Woodward said by using a self-reporting system prior to a visit, the doctor and patient can spend more time talking about symptom management rather than identifying symptoms.
Cries of protest arose when the Joint Commission prohibited secure texting of computerized physician order entries, but now the level of disenchantment among some in the secure text messaging business has ratcheted up, with one prominent vendor calling for a straight-up reversal of the CPOE ban.
In December, the commission, in conjunction with CMS, clarified its recent statements on secure texting by allowing a range of healthcare uses for texting, but explicitly barring it for CPOE. That move spurred much grumbling among the growing ranks of secure messaging vendors.
Now, Galina Datskovsky, CEO of Vaporstream, a Chicago-based secure messaging vendor, is calling on the commission to reconsider and reverse the CPOE prohibition.
“You need to drop the ban, but you can’t allow just any kind of messaging either,” Datskovsky said, adding that it’s reasonable for the commission to mandate such safeguards as read-and-receipt or automatic feed to EHR features. “To outright ban it seems out of touch with the times and reality.”
Datskovsky noted that HIPAA-compliant secure messaging companies such as Vaporstream and others provide permanent records of text messaging strings that can be used to later verify if physicians or nurses submitted or transcribed orders accurately.
She maintained that while the commission allowed phone CPOE, phone communications are usually not recorded or preserved and can often lead to inaccuracies due to bad connections, dropped or static-marred lines and other problems.
“Voice can be ambiguous,” she said.
Also, Datskovsky said text and chat have become so prevalent in the increasingly mobile-first worlds of healthcare and other industries that it has almost reached the status of the preferred communication mode for professionals across many industries. Vaporstream sells into various vertical industries, but healthcare is its biggest sector, she said.
Texting is also usually faster than calling, she said, an advantage in many medical situations when speed is of the essence.
“Everybody texts. It’s just the way of the world,” Datskovsky said. “It’s really difficult in today’s world to get someone on the phone expeditiously. I think it’s actually more dangerous for the patient if you have to wait for a voice confirmation.”
The commission in its December 2016 statement cited, among other reasons, these rationales for the CPOE texting ban:
- A burden on nurses to manually transcribe text orders into the EHR
- Verbal orders can be clarified but texting is asynchronous and requires an extra step
- Texting may add other extra steps by requiring the doctor or nurse to text multiple times for clarification
In any event, the expectation in the wider health IT community is the commission’s ruling will stand.
But don’t be too sure. The commission has reversed itself before.
In 2011 it banned all texting in healthcare, and then in May 2016 lifted that blanket ban, citing technology advances in secure messaging.
President Donald Trump has already begun the process of repealing the Affordable Care Act, known as Obamacare, by signing an executive order that allows certain government officials and entities to begin the process of dismantling the law.
Some health IT experts have said that they believe, despite Trump’s mission to repeal Obamacare, the effort towards value-based care will remain largely untouched. These experts explained that this is because regulations like the Medicare Access and CHIP Reauthorization Act (MACRA), which pushes healthcare towards value-based care, received strong bipartisan support when Congress approved the law in 2015.
However, it seems some major healthcare organizations are concerned about the future of value-based care. On January 25, the groups—including the American Hospital Association, the American Medical Association, Blue Cross Blue Shield and others—sent a letter to President Trump and other political leaders urging them to accelerate the transition from fee-for-service to value-based care, not impede it.
In the letter, the healthcare organizations outlined 10 principles for value-based care:
- Empower and engage patients to make healthcare decisions with information and support from their healthcare team.
- Invest in engaging patients in the development of measures of provider performance that are relevant to them and consistently and transparently reported by all public and private payers.
- Improve clinician and provider access to timely, accurate and complete claims data to better perform care management.
- Recognize that the socioeconomic status of many patients creates challenges in providing care and adjust payments to providers as appropriate.
- Design voluntary payment models that incentivize more participation and achieve the highest quality and cost value based on patient choice and competitive markets.
- Expand the use of waivers from fee-for-service legal and regulatory requirements that impede collaboration and shared accountability, while preserving consumer protections and safeguards against fraud.
- Build on and expand payment models that promote collaborative financial and care coordination arrangements using incentives that align payers, healthcare providers, providers of long-term care services and clinicians.
- Appropriately incentivize access to medical innovations and treatments that could improve quality of care and reduce overall system cost.
- Promote public and private investment in the evidence-based testing and scaling of new alternative payment models as directed in MACRA so that clinicians, other healthcare providers and payers can learn how payment models work.
- Ensure alignment between private and public sector programs, which is important to a value-based payment marketplace.
With its leadership and programs in flux because of uncertainty accompanying the new administration, ONC has produced a flurry of activity lately punctuated by a slate of sessions scheduled for HIMSS 2017 in Orlando coming up Feb. 19.
But even as remaining ONC officials (the top ones have departed) prepare for an active HIMSS presence, the administration of President Donald Trump has already made preliminary moves that appear to strike at some of ONC’s key initiatives and programs.
In any case, ONC is planning no less than eight sessions at the Orange County Convention Center:
- A Town Hall event with the ONC leadership team (more about this later) about ONC’s role in the national health IT agenda
- A demonstration of the SMART App gallery, a marketplace developed under a cooperative agreement between ONC and SMART Health IT, an open-standards-based technology platform developer, about the gallery’s collection of apps that use FHIR (Fast Healthcare Interoperability Resources), the HL7 International standard, and APIs
- An update from ONC leaders about policy activities now underway at ONC, including 2015 Edition Health IT Certification program and alternative payment models, and upcoming health IT initiatives
- An education session with the agency’s Office of Standards and Technology about health IT testing operations, pilot programs and standards coordination
- A live demonstration by FHIR app developers of systems to allow patients and healthcare providers to share medication lists
- A “fireside chat” on value-based care with Jon White, M.S., the acting national coordinator for health IT, and Kate Goodrich, M.D., director of the CMS Center for Clinical Standards and Quality and CMS chief medical officer
- “Rock Stars of Blockchain in Healthcare,” a discussion with White and Steve Posnack, director of the Office of Standards and Technology, about the fast-growing blockchain encryption technology’s potential for creating a secure and interoperable nationwide health IT system
- An information session about ONC’s efforts to help providers and patients in using health IT for high-quality care
That’s a lot of health IT content from an agency that is little known to the general public, but wields plenty of clout in the industry and seems already to have drawn some perhaps unwelcome attention from the Trump administration in its first full week.
ONC’s parent agency, the giant Department of Health and Human Services, has asked that several ONC notices issued in recent weeks be withdrawn for more review, Politico’s Morning eHealth reported Jan. 25.
I should also note that Trump’s executive order freezing all new regulations extended to plenty of other agencies within HHS, and, indeed, to all federal departments and agencies.
As for the ONC provisions, they include one that ONC was preparing to publish imminently, which would have triggered measures of the 21st Century Cures Act related to the updated usability and interoperability measures of ONC’s EHR certification program, and a rule that would set off a new process for refining the quality metrics used in healthcare reimbursement.
HHS also withdrew a provision relating to how ONC selects the third-party certification bodies it uses to review EHRs and other health IT systems for eligibility in federal reimbursement programs, Politico reported.
The current certification bodies’ contracts expire in June and need to be renewed for three years.
The whole thrust of ONC’s health IT certification program is regulatory, and Trump, who as a candidate often criticized excessive government regulation, may be targeting just that if he views ONC’s regulatory efforts as unneeded or heavy-handed.
On the other hand, this could also just be a blip for ONC.
As for the ONC leadership, the agency’s masthead is filled with plenty of officials with “acting” before their titles, reflecting a management corps that has been trimmed by departures.
The top leadership positions at ONC are filled with political appointees.
So former national coordinator Vindell Washington, M.D., Lucia Savage, former chief privacy officer, and Megan Roh, former communications and public relations director, all were political appointees and all left in concert with the end of the Obama administration.
Those positions have not yet been filled by the new administration.
Savage’s job is being done temporarily by Deven McGraw, who is on loan from the HHS Office for Civil Rights.
Andrew Gettinger, M.D., is still acting principal deputy national coordinator for health information technology, a title he has held for a couple of years.
Teresa Zayas Caban is chief scientist and acting chief of staff.
Thomas Mason, M.D., is acting director of the Office of Clinical Quality and Safety and chief medical officer.
Zhan Caplan is acting director of the Office of Public Affairs and Communication.
For a rundown of other top ONC officials, check here.
Healthcare data breaches cost the industry $6.2 billion a year, while the average cost of a single data breach across all industries is $4 million, according to Protenus. Additionally, nearly 90% of healthcare organizations have reported a data breach in the past two years.
Healthcare data breaches include, but are not limited to, phishing attacks, “snooping” by employees and compromised credentials.
Protenus also detailed seven potential costs of a healthcare data beach:
- Forensics – $610,000
- Notification – $560,000
- Lawsuits – $880,000
- Lost business/revenue – $3,700,000
- Brand value – $500,00
- HIPAA fines – $1,100,000
- Post-breach costs – $440,000
The $3.7 million price tag for lost business can be attributed to the fact that nearly a quarter of patients have said they would switch providers due to a data breach, according to a 2015 survey by software advertising firm Software Advice. Patients have also said they withhold information from physicians due to fear of a breach. Beyond the loss of revenue, data breaches can also cause patients to lose trust in a hospital or healthcare organization.
The high cost of healthcare data breaches emphasizes the importance of being proactive in securing patient data and identifying potential external and internal threats. If an organization is breached, it is imperative to notify affected patients as soon as possible. Transparency after a breach can help reduce lawsuits and damage to the organization’s brand.
Telemedicine has the potential to help diverse patient groups – from nursing homes to rural communities – get better healthcare. One place where telemedicine can minimize the disruption to a patient’s life is in schools, according to a Huffington Post story.
The article gives an example of a girl who had trouble breathing at recess at a school in Maryland. The school was outfitted with telemedicine equipment about a year ago. The girl went to the nurse, who determined that the girl was having an asthma attack. The girl’s father was an hour away and there was no time to wait for him to come get his daughter. The nurse could have also called an ambulance but that would have meant the girl would miss the rest of the school day.
Luckily, the girl’s parents had agreed to enroll their daughter in the school’s telemedicine program, allowing the nurse to set up an online video and audio link with an emergency room pediatrician at a nearby county general hospital.
The doctor confirmed the school nurse’s diagnosis, the nurse administered the necessary medicine, and the girl was breathing normally again within 10 minutes and was able to go on with her day.
According to a study in the Annals of Allergy, Asthma and Immunology, children with asthma who were given treatment via telemedicine were able to gain control over their asthma just as well as when children saw a doctor in person to address their asthma.