During a recent trip to the doctor’s office, other than the nurse using two fingers on my wrist and a watch to take my pulse, everything else was completely different. From booking my appointment online, to completing much of the usual paperwork from home, things have changed. For the first time, I was able to provide an actual medical history, since I was home where that information is. When I arrived at the office, I checked in on a tablet and was told the wait would be less than 5 minutes. Once the doctor entered the exam room, she had already reviewed a thorough and accurate medical history and began firing off questions about the sorts of things that happen during an active lifestyle. Although this was my first encounter with this provider, she seemed to know me as if she’d been treating me for years. During the encounter, I was able to share with her the heart rate alerts I had received on my Apple Watch while essentially doing nothing. This type of information has been made available by the Internet of Things, or internet connected devices, both wearable and otherwise. That’s the positive side of technology’s impact on healthcare.
It’s not just our physician encounters that have changed. Medical devices have also seen great change. Not only do our elderly have access to home health monitoring equipment, but virtually every medical device being manufactured is now connected either to an internal network or directly to the internet. These technological advancements allow data to flow into software systems that analyze, alert, and share that information with providers throughout the care chain. The result is better health outcomes and improved quality of life for many of us.
Sadly, it’s not all good news. The connectivity of all these devices has created a treasure trove of opportunities for cyber criminals. Being extorted for bitcoin under the threat of having your pacemaker shut off is not an unrealistic concern. In fact, a 2017 Ponemon Institute study found that 39% of medical device manufacturers reported attackers have taken control of their devices. Additionally, 38% of care delivery organizations said inappropriate therapy/treatment had been delivered to patients because of an insecure medical device. Imagine a hacker in Romania manipulating the medicine pump connected to your arm while you’re in the hospital – this is today’s reality.
What’s being done about it?
Truthfully, not enough. Rather than pile on the device manufacturers alone, let’s consider 3 stakeholders and the share of the burden each carries. First, it’s the device manufacturers whose brands are on the line, so one would think they’re doing all they can to harden their final products. That may not be the case. The Ponemon study goes on to state that most device manufacturers have yet to adopt more stringent software and device security practices, resulting in production devices shipping with vulnerable code. The urge to get to market as quickly as possible often supersedes the proper process of security and vulnerability testing.
Second, one must consider the security of the facilities that house these devices, namely hospitals, other care facilities, and even our own homes. From a hacker’s perspective, a medical device is simply another node on the network, much like a computer or a printer, which means it is as vulnerable as any other networked device. If medical devices are not routinely patched and updated, whether manually or automatically, they remain exposed to new threats and exploits.
Finally, the third culprit in our trio is the facilities that refuse to update their devices. Believe it or not, there are still medical devices in use today running Microsoft Windows XP as their operating system. That OS became unsupported in April of 2014, which means that for the past 4-plus years any new Windows-based attack has found an open door to those devices. Again, to be fair, a significant reason these devices haven’t been upgraded is that the cost is prohibitive for small and rural facilities. Many of these smaller organizations, like solo providers, are struggling to stay above water in our new healthcare environment. The thought of spending $200,000 or more on a new X-ray machine, for example, is beyond their reach and reason. This particular issue has no simple fix.
What was left off the list?
Many industry insiders grew accustomed to blaming the bureaucratic morass for not developing and pushing out updates to their devices. However, as far back as 2005 the FDA began making allowances for security-related patches and updates, and this year it again issued an update to that policy with the intent of streamlining the process. Frankly, we can’t accuse the FDA of standing in the way on this issue.
We also omitted the fact that few IoT devices, medical devices included, communicate their data over encrypted channels. According to the Ponemon study, only a third of device makers built encryption into their devices, and few healthcare facilities were deploying it on their own IoT devices. While the percentages have likely improved since the study was published, those devices, and the thousands produced before them, are still in use and will be for years to come. Leaving data in transit and data at rest unencrypted violates a HIPAA recommendation and can be a source of fines from the Office for Civil Rights (OCR), so encryption should be implemented wherever possible.
What needs to change?
Due to these increased vulnerabilities, a paradigm shift is required, and it’s as significant as the technological advancements that led to them. The traditional way of contracting with a software development team to add the software layer on top of a device is no longer valid. Gone are the days when an offshore software team can be hired, given a functional specification, and then released once the project is completed. Now, medical device manufacturers need to bring software development in house and incorporate it into the design cycle as early as possible. Likewise, the firmware team needs to stay intact post development and work closely with the software team to coordinate patches and updates on an ongoing basis. Needless to say, these teams aren’t cheap, nor is this talent easy to come by. As a result, it’s going to take some time for medical device manufacturers to get the right teams in place and to adjust their business models to account for the increased overhead these teams present.
Like all things cybersecurity related, the manufacturers can do everything right, but a secure environment depends as much on the training of the workforce as on the hardware itself. Even today, despite the security holes that exist in the bulk of currently deployed medical devices, the greatest source of breaches is still the user level.
Ultimately, the costs of this shift will be borne by consumers through increased costs of care. We can hope that more vigilant cybersecurity efforts will drive down the risks involved, but this new business model is here to stay.
About the Author:
Jeff Mongelli built and sold his finance company 17 years ago to GE Capital to enter the healthcare industry. As the Founder and CEO, Jeff built Acentec, Inc. into a national leader in improving the clinical and financial performance of healthcare organizations. He understands that achieving the promise of improved healthcare through aggregated data requires dedicated commitment to the protection and privacy of that information. Jeff is considered an industry expert in IT Technology & Security, HIPAA compliance, and is actively involved in the field of artificial intelligence. He is frequently quoted in the industry’s publications and is a featured speaker at national trade shows and Medical Association meetings. He’s a member of the FBI’s Infragard program and a collaborator in their Healthcare CyberSecurity Workgroup and also a member of Homeland Security’s Information Network.
Join Jeff Mongelli, Acentec CEO, for a speaking engagement about “Ransomware – what it is, how it can infect you, how to prevent it, how to handle an attack.”
Ransomware is becoming more prevalent every day. While it’s an expense and an annoyance for all industries, it’s particularly problematic in healthcare because it can directly impact the ability to render care. Just this year a number of facilities, ranging from hospitals to ambulatory clinics, have been unable to access patient records. Dealing with ransomware requires knowledge and vigilance from your IT personnel. We’ll discuss how to minimize your risk, how to respond if attacked, and steps you can take to isolate potential damage.
SCAHRM In-Person Program: Breakfast
Date: Tuesday July 19, 2016
Time: Breakfast & Networking: 8:30am
Educational Program: 9-10am
Location: Langham Huntington Hotel, 1401 South Oak Knoll Avenue, Pasadena, California 91106
Cost: Current SCAHRM Members: $30. Guest: $40.
October 19, 2015 | Vol. 29, Issue 40
The recent discovery of new hacking threats to medical devices and systems is a reminder that you should go beyond the four walls of your offices when you perform your security risk analysis under HIPAA. A new order of threats to your data is brewing in cyberspace. The health care IT “threatscape” gets more active each year. Health care organizations have been spooked by major hacks such as the Heartbleed bug, and this year a home health
October 13, 2014 | Vol. 28, Issue 39
If you’re planning to use an online scheduling tool such as ZocDoc, avoid potential HIPAA disasters by ensuring the vendors understand their patient privacy responsibilities. Online appointment services for patients have gained in popularity with 27% of family doctors using patient portals or “online services” for scheduling appointments in 2013, up from 6% in 2005, according to the American Academy of Family Physicians (AAFP). But you need to protect your practice by having the vendor sign a business associate agreement (BAA) to confirm their HIPAA responsibilities, per the 2013 HIPAA “mega-rule,” experts tell Part B News (PBN 9/2/13).
August 25, 2014 | Vol. 28, Issue 33
If you’re not ready to share electronic health records (EHR) documentation with other practices, hospitals and ambulatory surgical centers (ASCs), you’re not alone — but you risk a 1% pay cut for failing to meet stage 2 meaningful use measures if you don’t call for help soon.
There’s a groundswell of change coming to healthcare, and it will have a direct impact on every provider and every patient. The wave that’s coming is being talked about throughout the industry, and was the focal point of this year’s HIMSS conference. It’s called big data, and it represents the convergence of data from providers, health systems, researchers and patients.
May 5, 2014
Give more responsibility to your IT vendor. This crisis provides “encouragement for practices to move away from the break-fix relationship with their IT vendor into a managed service relationship,” says Jeff Mongelli, CEO of Acentec in Irvine, Calif.
Join Acentec CEO Jeff Mongelli for panel discussions at PracticeRx in Newport Beach, CA
Announcing Practice Rx — a conference for physicians and office administrators from the trusted source of practice management information.
SPRING DATES: May 2-3, 2014 LOCATION: Newport Beach, California
April 17, 2014 By Jeff Mongelli
Did you lock your house when you left this morning? How about your car when you came into the building? What if I told you two-thirds or more of the locks in the world can now be opened by a single key, and that key is available to anyone that wants it? As of last week, that is the situation the World Wide Web finds itself in thanks to the Heartbleed Bug.
By Evan Schuman
April 16, 2014
There’s good news and bad news
Security is a nightmare for all companies, but the very nature of healthcare makes it far worse. It’s not merely onerous government requirements for medical data, or the popularity of security-averse mobile devices. It’s the need to give tiny medical offices – small, independent businesses, with typically no meaningful IT staff – full network access to all files, physical building access to its employees and privileges to change/add to that ultra-sensitive data.
March 07, 2014 By Jeff Mongelli
HIPAA and meaningful use seem to have opposing goals: HIPAA mandates keeping protected health information (PHI) secure, while meaningful use requires sharing PHI. The mantra could be “to protect and share,” to borrow a phrase from our boys in blue. Therein lies the challenge of current healthcare IT — accessing PHI needs to be as easy as possible for those authorized, and impenetrable for those who aren’t.
February 7, 2014 By Jeff Mongelli
The Mayans predicted the world would end Dec. 21, 2012, but many computer users are going to feel the Mayans missed the mark by 474 days because on Apr. 8, 2014, Microsoft will cease supporting and patching Windows XP and Office 2003. OK, the world isn’t going to end, at least I don’t think it is, but roughly one third of the computing world, or 500,000,000 PCs that are currently running Windows XP, will no longer meet most global security requirements. Most importantly, Windows XP will no longer be HIPAA compliant for medical practices.
January 16, 2014 By Jeff Mongelli
Most of us know by now that the HIPAA Omnibus Rule is law and it impacts everyone in the healthcare industry. With increased penalties, enforcement, requirements, and reach, if you haven’t started paying attention to it yet, you do so at your own peril. If you’ve begun to travel down the path to compliance, whether you’ve hired a professional company or you’re braving it on your own, one of the considerations you’ll encounter is how to classify your various vendors. Properly identifying, documenting, and managing your vendor relationships could shift the burden of liability in event of a breach from your organization to your vendor.
The Orange County Rescue Mission contracts with Acentec and their proprietary HIPAA Security Suite to manage their HIPAA compliance program
Acentec, Inc., a medical practice solution and service provider, announces its recent partnership with the Orange County Rescue Mission. Through this partnership, Acentec will spearhead HIPAA Risk Assessment services for the faith-based local organization in California. The Irvine-based organization assures top-notch risk assessment service through its HIPAA Security Suite (HSS), a program concentrating on helping organizations and companies become HIPAA compliant as mandated by law.
HIPAA Changes You Can’t Afford to Ignore: What you need to know about the HIPAA Omnibus Rule and what you need to do about it
FROM ISSUE 3 OF VOLUME 6 / 2013
For many of you, thinking or reading about HIPAA is about as pleasurable as a trip to the dentist. Well, the HIPAA laws have changed; consider the Omnibus Rule at your next appointment. But rather than dig into the gritty details, we’ll go over what you need to do and why you need to do it. And why sooner is better than later. It’s true when they say falling asleep at the HIPAA switch now could turn out the lights of your practice.
FROM ISSUE 1 OF VOLUME 6 / 2013
It’s not often an industry juggernaut bets the farm on its future, but with Windows 8, Microsoft has done just that. OK, maybe that’s a bit of an exaggeration, but without question Windows 8 is a dramatic departure from the desktop we’ve all grown accustomed to, and if it fails to receive market acceptance, Microsoft could see a faster erosion of its historical desktop dominance.
Ways to Capitalize on Your Time if You Aren’t Pursuing Meaningful Use
The boxer Muhammad Ali made famous his antic of waving a glove off to the side of his opponent. The instant his opponent reacted, he would jab at the opening he had created. The tactic of creating a distraction in order to capitalize on it, or to seek personal gain, has been with us for centuries. Currently, we’re experiencing a similar opportunity within the healthcare industry. I’m specifically referring to Meaningful Use – aka, “The Great Distraction.” Hundreds, if not thousands, of practices nationwide are preoccupied with the tasks required to meet Meaningful Use. For many of those practices, the efforts to bring their businesses along have required full-time attention. But what if you’re not pursuing Meaningful Use? Now is your chance to capitalize on your time while your associates are distracted.
Decisions, decisions. When it comes to electronic medical records (EMRs), the options seem to grow every day. Questions such as, “Do we get a dedicated wound product?” or, “Do we get a popular EMR that has wound care workflows developed?” and, “Do we need to have billing integrated?” are just a few of the important questions to answer before you even begin your search. Identifying your needs in detail will make your selection process much easier and will, ultimately, determine the success of your transition to EMR.
Looking Behind the Curtain at the New EMR Requirements
Recently, we wrote about elements of the American Recovery and Reinvestment Act of 2009 (ARRA) that impact HIPAA privacy. Along with ARRA, the Health Information Technology for Economic and Clinical Health (HITECH) Act mandates that healthcare providers take a series of steps to strengthen safeguards for Protected Health Information (PHI). In addition to the new rules are increased penalties that now include criminal prosecution and fines up to $1.5MM annually. With the risk of imprisonment and crippling penalties, it’s time to pay attention to the handling of PHI. Here are some specific steps you need to take if you intend to be HIPAA compliant.
FROM ISSUE 1 OF VOLUME 5 / 2012
While the entire medical community focuses on EMR software implementation to meet Meaningful Use requirements, a darker side of Meaningful Use threatens to play a larger role than your software.
Tucked away in Subtitle D of the HITECH Act (passed in 2008 as part of the federal stimulus) are significant changes to the potential liability of anyone involved with protected health information (PHI). Specifically, medical practices, their owners and their employees can be fined and imprisoned for HIPAA violations. Fines to practices and others can now reach $1.5 million. And to show how seriously the government is taking this, it has increased the budget for the enforcement arm of the Department of Health and Human Services (HHS) by several million dollars in 2011, specifically for enforcement personnel.
FROM ISSUE 4 OF VOLUME 4 / 2011
Recently, a group of online gamers resolved a roadblock that AIDS scientists couldn’t get past for more than a decade. The gaming community solved the issue in three weeks through a concept called crowdsourcing. This structured effort utilized a game designed specifically for solving scientific riddles, and the challenge was offered through an open call on the internet. The achievement opens the door to a new generation of antiretroviral drugs and marks a significant accomplishment for the emerging field of crowdsourcing.
FROM ISSUE 4 OF VOLUME 3 / 2010
by Jeff Mongelli
Whether or not you choose to pursue the ARRA Stimulus dollars for your practice, the new technology it introduces will have a significant impact on the practice of medicine. Broadly speaking, one of the thrusts of ARRA is increased communications. More specifically, systems are being developed and implemented that allow for the seamless flow of data across multiple platforms and between physicians and their patients. You may choose not to pursue stimulus dollars, but you can benefit from some of these technologies. Let’s consider the patient/physician communication.