Tuesday, March 24, 2015

Healthcare GRC and Social Engineering

There is some debate over whether or not the CHS, Anthem and Premera data breaches were the result of "sophisticated" attacks. The jury is still out, but cautious journalists are using quotation marks to indicate that this explanation is not universally accepted. Regardless of the sophistication of these attacks, attacks they certainly are, and healthcare organizations should be prepared for the onslaught to continue, because healthcare data breaches are so lucrative. They have to assume they are being targeted by criminal hackers for fun and profit.

Maybe former Intel CEO Andrew S. Grove's book title got it right: only the paranoid survive. Perhaps healthcare organizations could learn from their corporate antitheses, the tobacco companies, who have many enemies, but are protected by a culture of hardened security.

There is certainly room for technological solutions to help manage risk, but we must recognize that the most frequent cause of data breaches is human behavior. (According to a Verizon data breach report, about 76% of network intrusions involve weak credentials -- bad passwords.) The biggest risk to the security of your data is your people. No amount of monitoring using sophisticating technology can protect your data from bad decisions by people on your network.

Let's not forget the subtitle of Grove's book: How to Exploit the Crisis Points that Challenge Every Company and Career. The threat to data is also an opportunity to establish a culture of data governance. In such a culture, the value of data is recognized, and human behavior is shaped by this recognition.

Human behavior is a critical factor, because social engineering is how malware and other created vulnerabilities find their way into your network. It is essential that your systems have malware protection, but it is equally important that your people know what not to click.

A strong governance, risk management and compliance (GRC) culture fights social engineering with social engineering.

If healthcare organizations can learn to fend off the cyber attackers, they will be in a better position to fend off the lawyers bearing class action law suits.

Monday, March 16, 2015

Pentagon EHR System Upgrade Contract Said to Be Worth $11 Billion

The U.S. Department of Defense has narrowed the field to three contenders for the estimated $11 billion upgrade to the DoD EHR:
  • Computer Sciences Corp., HP, and Allscripts
  • Cerner, Leidos, and Accenture Federal
  • IBM, Epic, and Impact Advisors

The winning EHR company will certainly benefit greatly, both from the DoD, and in the healthcare sphere in general, but I'm sure the other two will also benefit from the vote of confidence on their ability to deliver EHR capable of achieving Meaningful Use.

Numerous challenges have been noted by the bidders:
  • Interoperability - Allscripts senior vice presi dent, sales, Dean Mericka says interoperability will lead to personalized precision medicine and improved telemedicine.
  • DoD mission and culture - Cerner Federal VP and general manager Travis Dalton notes that the task goes far beyond bringing a set of tools. The winning vendor will have to adapt to the DoD's culture, philosophy and mission.
  • Scalability - Epic U.S. federal and global services executive Leslie Karls indicates the scalability of the solution is key.

Those are just the EHR perspectives. The IT and infrastructure challenges present a whole other level of difficulties.

Read more at FierceEMR.

Thursday, March 12, 2015

New Case Study - Redevco B.V.

Established in 1999 to manage the real estate investment activities of the venerable Dutch C&A fashion retail chain, Redevco B.V.'s portfolio includes 450 properties at top locations in major cities across Europe, with tenants including many major national and multinational retail companies.
Redevco implemented the APOS Publisher solution to handle invoice publishing after they started creating the invoices in Web Intelligence instead of Desktop Intelligence.

Check out the new APOS case study on Redevco to find out how they re-engineered their invoicing workflow with APOS Publisher.

Monday, March 2, 2015

Net Neutrality & Meaningful Use

Is the Internet a public utility? Do providers have a responsibility to treat their customers' content equally? Should healthcare Internet traffic have priority over other Internet traffic?

According to the US Federal Communications Commission (FCC), in a February 26, 2015, press release (PDF):

Today, the Commission—once and for all—enacts strong, sustainable rules, grounded in multiple sources of legal authority, to ensure that Americans reap the economic, social, and civic benefits of an Open Internet today and into the future. These new rules are guided by three principles: America’s broadband networks must be fast, fair and open—principles shared by the overwhelming majority of the nearly 4 million commenters who participated in the FCC’s Open Internet proceeding.

In this announcement, access to the Internet takes precedence over economic incentives to sell better service to higher bidders. It reclassifies broadband as a telecommunications service -- in other words, as a regulated public utility.

Healthcare was a consideration in the decision:

FCC Commissioner Mignon Clyburn, in her statement of support for the net neutrality, mentioned healthcare among a litany of reasons for her vote. "Keeping in touch with your loved ones overseas; interacting with your healthcare provider, even if you are miles away from the closest medical facility ... We are here to ensure that there is only one Internet where all applications, new products, ideas and points of view have an equal chance of being seen and heard," she said.

The net neutrality argument has been raging for years, in fact, ever since term was coined in 2003. As decisive as the press release makes the decision sound, the argument is unlikely to stop now.

Is net neutrality an absolute? Maybe for the moment, but there's a good chance that won't last, and that is not necessarily a bad thing. Les Lenert, chief research officer for the Medical University of South Carolina, told FierceHealthIT:

Net neutrality is not something I favor totally... The Internet is a public utility--one with increasing medical applications. Bandwidth for the public good should have priority over bandwidth for amusement... Network neutrality may still include concepts of prioritizing certain types of information though regulation. If so, health information deserves access to the fast lane. However, the FCC should ensure a neutral approach based on categories of service rather than vendors prioritizing their own applications.

When Meaningful Use Stage 3 is accomplished, the Internet will become a critical piece of healthcare infrastructure in the US, if it isn't already, and net neutrality arguments will need to be somewhat more nuanced. Some might argue that healthcare information should not take priority over their inalienable right to view cute cat videos, but that is unlikely to be the FCC's position in the long term.

All information is equal, but some information is more equal than other, to paraphrase Orwell's Animal Farm.