Tuesday, March 24, 2015

Healthcare GRC and Social Engineering

There is some debate over whether or not the CHS, Anthem and Premera data breaches were the result of "sophisticated" attacks. The jury is still out, but cautious journalists are using quotation marks to indicate that this explanation is not universally accepted. Regardless of the sophistication of these attacks, attacks they certainly are, and healthcare organizations should be prepared for the onslaught to continue, because healthcare data breaches are so lucrative. They have to assume they are being targeted by criminal hackers for fun and profit.

Maybe former Intel CEO Andrew S. Grove's book title got it right: only the paranoid survive. Perhaps healthcare organizations could learn from their corporate antitheses, the tobacco companies, who have many enemies, but are protected by a culture of hardened security.

There is certainly room for technological solutions to help manage risk, but we must recognize that the most frequent cause of data breaches is human behavior. (According to a Verizon data breach report, about 76% of network intrusions involve weak credentials -- bad passwords.) The biggest risk to the security of your data is your people. No amount of monitoring using sophisticated technology can protect your data from bad decisions by people on your network.

Let's not forget the subtitle of Grove's book: How to Exploit the Crisis Points that Challenge Every Company and Career. The threat to data is also an opportunity to establish a culture of data governance. In such a culture, the value of data is recognized, and human behavior is shaped by this recognition.

Human behavior is a critical factor, because social engineering is how malware and other deliberately introduced vulnerabilities find their way into your network. It is essential that your systems have malware protection, but it is equally important that your people know what not to click.

A strong governance, risk management and compliance (GRC) culture fights social engineering with social engineering.

If healthcare organizations can learn to fend off the cyber attackers, they will be in a better position to fend off the lawyers bearing class action lawsuits.

Monday, March 16, 2015

Pentagon EHR System Upgrade Contract Said to Be Worth $11 Billion

The U.S. Department of Defense has narrowed the field to three contenders for the estimated $11 billion upgrade to the DoD EHR:
  • Computer Sciences Corp., HP, and Allscripts
  • Cerner, Leidos, and Accenture Federal
  • IBM, Epic, and Impact Advisors

The winning EHR company will certainly benefit greatly, both from the DoD contract and in the healthcare sphere in general, but I'm sure the other two will also benefit from the vote of confidence in their ability to deliver an EHR capable of achieving Meaningful Use.

Numerous challenges have been noted by the bidders:
  • Interoperability - Allscripts senior vice president, sales, Dean Mericka says interoperability will lead to personalized precision medicine and improved telemedicine.
  • DoD mission and culture - Cerner Federal VP and general manager Travis Dalton notes that the task goes far beyond bringing a set of tools. The winning vendor will have to adapt to the DoD's culture, philosophy and mission.
  • Scalability - Epic U.S. federal and global services executive Leslie Karls indicates the scalability of the solution is key.

Those are just the EHR perspectives. The IT and infrastructure challenges present a whole other level of difficulties.

Read more at FierceEMR.

Thursday, March 12, 2015

New Case Study - Redevco B.V.

Established in 1999 to manage the real estate investment activities of the venerable Dutch C&A fashion retail chain, Redevco B.V.'s portfolio includes 450 properties at top locations in major cities across Europe, with tenants including many major national and multinational retail companies.

Redevco implemented the APOS Publisher solution to handle invoice publishing after they started creating the invoices in Web Intelligence instead of Desktop Intelligence.

Check out the new APOS case study on Redevco to find out how they re-engineered their invoicing workflow with APOS Publisher.