Understanding HIT Security Risks – The Ugly Truth!

On the Privacy and Security of Healthcare Records

[By Richard J. Mata, MD, CIS]

There is no privacy …  get over it.

Scott McNealy, Former Sun Microsystems CEO

Storing and transmitting health information in electronic form exposes it to risks that do not exist, or exist to a lesser extent, when the information is maintained on paper. For example, although both paper-based and electronic systems need protection from fire, water, and the wear and tear of aging, electronic data is also vulnerable to hardware or software malfunctions that can make it inaccessible or corrupt, and to non-secure policies that can expose it to illegal access. In addition, cyber-crimes and unauthorized intrusions, originating both internally and externally, are increasing dramatically every year, costing companies millions of dollars. Nonetheless, electronic medical records (EMRs) are usually considered more secure than paper patient charts because paper records lack an audit trail, papers are easily lost, and their contents can be illegible.

Take Care of the Risks

Healthcare organizations must take the new risks seriously, however, because health information is a vital business asset, and protecting it preserves the value of this asset.  In addition, securing patients’ information protects their privacy and enhances the organization’s reputation for professionalism, patient well-being, and trustworthiness.  Hospitals, emerging healthcare organizations (EHOs), physicians, and healthcare entities long ago recognized the value of health information, and implemented security policies and procedures, but as they move more into the electronic arena, it is vital to revise and update policies and procedures to acknowledge the different risks inherent in the digital age.

Three Components of Security

The three classic components of information security are confidentiality, integrity, and availability.  Donn B. Parker, a pioneer in the field of computer information protection,[1] added possession, authenticity, and utility to the original three.  These six attributes of information that need to be protected by information security measures can be defined as follows:  

  • Confidentiality: The protection and ethics of guarding personal information — for example, being cognizant of verbal communication leaks beyond conversation with associated healthcare colleagues.
  • Possession: The ownership or control of information, as distinct from confidentiality — a database of protected health information (PHI) belongs to the patients.
  • Data integrity: The process of retaining the original intention of the definition of the data by an authorized user — this is achieved by preventing accidental or deliberate but unauthorized insertion, modification or destruction of data in a database.  Make frequent backups of data to compare with other versions for changes made.
  • Authenticity: The correct attribution of origin — such as the authorship of an e-mail message or the correct description of information such as a data field that is properly named.  Authenticity may require encryption.
  • Availability: The accessibility of a system resource in a timely manner — for example, the measurement of a system’s uptime.  Is the intranet available?
  • Utility: Usefulness; fitness for a particular use — for example, if data are encrypted and the decryption key is unavailable, the breach of security is in the lack of utility of the data (they are still confidential, possessed, integral, authentic and available).

Ethics

When these attributes are considered in the healthcare context, another factor comes into play: ethics. According to Dr. J. A. Magnuson, professor of public health informatics at Oregon Health Science University’s Medical Informatics Program, privacy,[2] security, and ethics are inextricably intertwined, and all are critical to public health’s role as a trustee of the public’s data. As public health becomes increasingly involved in Electronic Data Interchange (EDI),[3] the information aspects of privacy, security, and ethics become ever more critical. All doctors take an ethical oath to protect the patient, and the obligation to uphold this oath extends to health data management, even for employees who do not take an oath.

The fields of medicine and information technology (IT) each have separate and related ethical considerations.  Ethics may prohibit technology, for example, when using a specific application that would make a security breach likely.  However, ethics may also demand technology.  Suppose that a new surveillance application would improve public health — is it not ethically imperative to utilize it to save countless lives?  But suppose it also almost guarantees a security breach — what does the ethical position on use of the application become then?  That is an extreme example, though not completely unrealistic.

Varied Uses

Complicating the picture is the fact that IT in the healthcare arena has so many and varied uses.  For instance, office-, clinic-, and hospital-based medical enterprise resource planning (ERP) is based on the same back-end functions that a company requires, including manufacturing, logistics, distribution, inventory, shipping, invoicing, and accounting.  ERP software can also aid in the control of many business activities, like sales, delivery, billing, production, inventory management, quality management, and human resources management.  However, other applications particular to the medical setting include the following:

  • The EMR, which has the potential to replace medical charts in the future, is feasible.[4]
  • Healthcare application service providers (ASPs)[5] are available via Internet portals.
  • Custom software production may produce more solution-specific applications.
  • Medical speech recognition systems and implementation are replacing dictation systems.
  • Healthcare local area networks (LANs), wide area networks (WANs), voice-over Internet protocol (IP) networks, Web and ATM file servers are ubiquitous.
  • The use of barcodes to monitor pharmaceuticals is decreasing the chance of medication errors and warns providers of potential adverse reactions.
  • Telemedicine and real-time video conferencing are already a reality.
  • Biometrics will be used more often for data access.
  • Personal digital assistant (PDA) wireless connectivity, which relies on digital or broadband technology including satellites, and radio-wave communications are increasingly common.
  • The use of wireless technology in medical devices will be increasing.

No Healthcare Standardization

All of these applications offer advantages, but the security of these IT methods and devices is not yet fully standardized or familiar to health professionals, despite the efforts of bodies such as the CCHIT and the Office of the National Coordinator for Health Information Technology. They all involve inherent security and privacy risks, and the prudent healthcare organization will want to ensure that these risks are identified and contained. For instance, a single firewall or intrusion detection system (IDS) may not be enough.

The process must begin by conducting a security risk assessment — that is, doing a thorough assessment of current systems and data, and performing checks such as real-time intrusion testing, validation of data audit trails, firewall testing, and remediation when gaps or failed systems are exposed.  These activities are part of developing a healthcare security plan, including disaster recovery.
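As an added illustration (not part of the original article), here is one way to make the "validation of data audit trails" check concrete while also detecting the unauthorized insertion, modification or destruction described under data integrity. It assumes a hypothetical HMAC-chained EMR access log whose key and latest head value are kept apart from the EMR database; every function name, field and log entry below is constructed for the example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # fixed anchor that the first entry links back to
HEAD_MISMATCH = "head does not match separately stored copy"


def _mac(key: bytes, prev_mac: str, body: dict) -> str:
    """HMAC-SHA256 over the previous entry's MAC plus this entry's canonical JSON."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_mac + canonical).encode(), hashlib.sha256).hexdigest()


def append_entry(trail: list, key: bytes, **body) -> str:
    """Append an access event; return the new head MAC to store off-system."""
    prev = trail[-1]["mac"] if trail else GENESIS
    entry = {"body": body, "prev": prev, "mac": _mac(key, prev, body)}
    trail.append(entry)
    return entry["mac"]


def verify_trail(trail: list, key: bytes, expected_head: str = None) -> list:
    """Return a list of (index, problem) findings; an empty list means intact.

    expected_head is the last MAC as recorded in a backup or other separate
    store. Without it, removal of the most recent entries cannot be detected.
    """
    findings = []
    prev = GENESIS
    for i, entry in enumerate(trail):
        # Deleted, inserted or reordered entries break the link to the predecessor.
        if entry["prev"] != prev:
            findings.append((i, "broken link to previous entry"))
        # An edited field no longer matches the MAC computed with the secret key.
        recomputed = _mac(key, entry["prev"], entry["body"])
        if not hmac.compare_digest(entry["mac"], recomputed):
            findings.append((i, "entry content modified"))
        prev = entry["mac"]
    if expected_head is not None and prev != expected_head:
        findings.append((len(trail), HEAD_MISMATCH))
    return findings


def build_sample_trail(key: bytes) -> list:
    """Constructed sample events; actors and record numbers are made up."""
    trail = []
    append_entry(trail, key, ts="2020-01-06T08:02:11Z", actor="dr_a",
                 action="read", record="MRN-0001")
    append_entry(trail, key, ts="2020-01-06T08:05:40Z", actor="nurse_b",
                 action="update", record="MRN-0001")
    append_entry(trail, key, ts="2020-01-06T09:17:03Z", actor="billing_c",
                 action="read", record="MRN-0002")
    append_entry(trail, key, ts="2020-01-06T09:30:55Z", actor="dr_a",
                 action="export", record="MRN-0002")
    return trail


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # assumption: real key lives outside the EMR host
    log = build_sample_trail(demo_key)
    stored_head = log[-1]["mac"]        # assumption: copied to the backup set
    print("intact:", verify_trail(log, demo_key, stored_head))
    log[1]["body"]["action"] = "read"   # simulate an after-the-fact edit
    print("edited:", verify_trail(log, demo_key, stored_head))
    del log[3]                          # simulate removal of the newest event
    print("truncated:", verify_trail(log, demo_key, stored_head))
```

The stored head value is what ties this to the backup comparison mentioned under data integrity: a trail with its newest entries removed still verifies internally, and only the separately kept copy exposes the loss.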

Privacy Officers

To ensure that the risk assessment is thorough, hospital network administrators and Privacy Officers should have a working knowledge of federal regulations and of the following security mechanisms:

  • vulnerability assessment;
  • security policy development;
  • risk management;
  • firewall assessment;
  • security application assessment;
  • network security assessment;
  • incident response and recovery assessment;
  • authentication and authorization systems;
  • security products;
  • firewall implementation;
  • public key infrastructure (PKI) design;
  • virtual private network (VPN) design and implementation;
  • intrusion detection systems;
  • penetration testing;
  • security program implementation;
  • security policy assessment; and
  • security awareness training.

The federal government has recognized the importance of health information security by establishing regulatory guidance with its Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The International Standards Organization

IT system managers in healthcare settings are also familiar with the comprehensive security model offered by the International Standards Organization (ISO). For instance, using ISO’s 17799 Code of Practice for Information Security Management (versions 2000, 2005, or 2010), information security is achieved by implementing a suitable set of controls to govern policies, processes, procedures, organizational structures, and software and hardware functions. The Code requires the IT manager to establish, implement, monitor, review, and where necessary, improve these controls to ensure that the specific security and business objectives of a healthcare organization are met.

Assessment

The work of the National Institute of Science and Technology (NIST) in developing innovative technology for the healthcare sector is also of interest to IT system managers.  For instance, research on a computer note-writing system that captures clinical data automatically and a data repository system that captures patient data and integrates it with clinical decision support and knowledge bases are two of the initiatives that have originated with NIST.  In addition, the organization publishes numerous Special Publications that provide guidance on how to establish and maintain IT security.

References:


[1]   Donn B. Parker developed the so-called Parkerian Hexad Principles, which discuss the attributes of information security.

[2]   Privacy generally refers to a ‘people’ context, a state of being free from unauthorized intrusion or invasion.  This concept is as applicable to medical records as it is to your own house.  Confidentiality is viewed more in the context of information, usually dealing with accessing and sharing information or data.

[3]   EDI involves electronic transmission methods, often utilizing networks or the Internet.  The benefits of EDI include speed, data entry savings, and reduction of manual errors; the risks are legion.

[4]   Terms used in the field include electronic medical record (EMR), electronic patient record (EPR), electronic health record (EHR), computer-based patient record (CPR), etc.  These terms can be used interchangeably or generically, but some specific differences have been identified.  For example, an EPR has been defined as encapsulating a record of care provided by a single site, in contrast to an EHR, which provides a longitudinal record of a patient’s care carried out across different institutions and sectors.  However, such differentiations are not consistently observed.

[5]   An application service provider (ASP) is a business that provides computer-based services to customers over a network.

10 Responses

  1. Why you Shouldn’t Process and Store Electronic Medical Records in the Cloud

    Hello Darrell – The HHS has declared that their breach notification final rule under the HITECH Act needs further review. Apparently they got an earful from privacy advocates so they decided to scrap it and start over.

    http://www.hospitalimpact.org/index.php/2010/08/04/why_you_shouldn_t_process_and_store_medi_1

    Wow! What a federal system?

    Sue

  2. Thanks, Sue.

    I don’t know what to say. I don’t think anyone really has a handle on the issue of privacy and eHRs.

    It’s sure to get even more interesting.

    Darrell

  3. Dr. Pruitt

    Calling “hold harmless” clauses in health IT vendor contracts unethical, the American Medical Informatics Association [AMIA] is calling on vendors of EHRs and other clinical information systems to accept shared responsibility with their customers for patient safety and error management.

    http://www.fierceemr.com/story/amia-hold-harmless-clauses-vendor-contracts-unethical/2010-11-11?utm_medium=nl&utm_source=internal

    Or: there’s a sucker born every minute.
    PT Barnum

  4. Thanks, Jack

    Joseph Conn, writing for Modern Healthcare Online also posted an article about this today titled “AMIA: Time to revisit government regulation of health IT”

    http://www.modernhealthcare.com/article/20101111/NEWS/311119965/1153

    Do you think the new regulations will make eHRs cheaper?

    Darrell

  5. Don’t act like a fomite

    Interoperable EHRs are susceptible to communicable internet diseases. So don’t act like a fomite, Doc.

    United States Defense Secretary Leon Panetta is one of many experts who have compared the internet’s current vulnerability to terrorist attacks to the nation’s weaknesses preceding 9/11. A couple of days ago, “In His Own Words: Panetta on Cyberthreats – Defense Secretary Warns of Dangers Facing U.S. from Cyberspace” was posted on GovInfoSecurity.

    http://www.govinfosecurity.com/in-his-own-words-panetta-on-cyberthreats-a-5196/p-1

    The increasingly sophisticated cyberthreats have the potential to cause much more physical harm to US citizens than the now-common distributed denial of service attacks (DDoS). In a speech delivered Oct. 11 to the Business Executives for National Security, Panetta described a new virus called “Shamoon” that was discovered in August after it had infected computers in the Saudi Arabian state oil company Aramco. The modular virus includes a routine called a “wiper” (also known as “Flame”) that is coded to self-execute. Panetta warns: “This routine replaced crucial systems files with an image of a burning U.S. flag. But it also put in additional garbage data that overwrote all the real data on the machine. More than 30,000 computers that it infected were rendered useless and had to be replaced. It virtually destroyed 30,000 computers.”

    Compared to the tragic, bankruptcy-level liability a dentist faces should his or her patients’ records suddenly become inaccessible, the cost of replacing infected computers would be minuscule. What’s more, since terrorists who would disrupt our healthcare system are naturally more likely to target large pools of data rather than individual practices, dental and other medical records stored in cloud-based systems might be even more vulnerable to destruction than those in proprietary, office-based systems. Then again, it’s been estimated that up to 30% of physicians don’t even have functional firewalls. As far as I know, no such study has been reported for dentists.

    Panetta: “The Department of Defense is doing our part. And I’m asking you to do yours as citizens and as business leaders. Help us innovate. Help us increase the nation’s cybersecurity by securing your own networks. Help us remain ahead of the threats that we confront. By doing so, you will help ensure that cyberspace continues to bring prosperity to your companies and to people across the world.”

    It certainly doesn’t improve my popularity with EDR stakeholders inside and outside the ADA when I share logical yet taboo advice, but for dentists who are still intent on adopting EDR systems, it would be prudent to put off that investment for at least a year. Since EDRs don’t yet offer dentists a return on investment anyway, what can it hurt to save your money until the costs and dangers come down?

    D. Kellus Pruitt DDS

  6. FISA

    President Barack Obama just signed into law a five-year extension of the U.S. government’s authority to monitor the overseas activity of suspected foreign spies and terrorists.

    Alonzo

  7. Many clinics, hospitals not prepared for IT risks

    While practices may see EHRs as a solution to patient safety problems, a new report says that many are not prepared for the risks associated with them.

    http://medicaleconomics.modernmedicine.com/medical-economics/news/many-hospitals-clinics-not-prepared-it-risks

    Any thoughts?

    Ann Miller RN MHA

  8. ETHICS

    “Health-Care Industry Starts to Pay Attention to Cyber Risks” … except in Fort Worth.

    “The health-care industry is grappling with how to protect personal health information from increasing cyber threats. In addition to meeting security and privacy regulations, companies can do more to prevent breaches by assessing and prioritizing cybersecurity risks, said Jim Routh, chief information security officer at health insurer Aetna. The message has already caught on at some health-care companies, who are starting to look for technology executives with risk experience.” By Rachael King, Reporter, Wall Street Journal, November 7, 2014.

    http://blogs.wsj.com/cio/2014/11/07/health-care-industry-starts-to-pay-attention-to-cyber-risks/

    Recently, leaders of the Fort Worth District Dental Society (ADA) anonymously censored news of a data breach from a local dental office – hiding the information not from patients who saw the report on TV, but from colleagues whose practices might also be at risk of bankruptcy due to inadequate security.

    Simply childish. It’s a small community. One day, I will find out who was responsible for the command-and-control foolishness.

    D. Kellus Pruitt DDS

  9. EHR Extortion

    “[Hacker group] Rex Mundi dumps more data after another entity doesn’t pay extortion demands – Rex Mundi has hacked and dumped data from Temporis, a French employment/recruitment agency.” By Dissent for Office of Inadequate Security, January 27, 2015.

    http://www.databreaches.net/rex-mundi-dumps-more-data-after-another-entity-doesnt-pay-extortion-demands/

    What will you do when it comes time to either pay Rex Mundi or report a data breach – endangering the very fabric of your practice?

    Protect yourself, Doc. Put patients’ identities out of reach of hackers. De-ID now.

    D. Kellus Pruitt DDS
    http://www.amazon.com/Dictionary-Health-Information-Technology-Security/dp/0826149952/ref=sr_1_5?ie=UTF8&s=books&qid=1254413315&sr=1-5

  10. 73% of Healthcare Workers Report Security Policy Violations

    DataMotion recently announced results of its third annual survey on corporate email and file transfer habits, revealing significant security risks. Here are some key findings from their healthcare respondents:

    • 36% said within their entity, security and compliance policies are at most only moderately enforced.

    • When asked if they thought employees fully understood these types of policies, over a third said no.

    • Almost three quarters said employees/co-workers either occasionally or routinely violate these policies.

    • 18.2% said policies were intentionally violated by employees to get their job done.

    Source: DataMotion, March 11, 2015
