Can blockchain technology solve healthcare IT security and interoperability challenges?

March 21, 2017March 22, 2017 Kathie McDonald-McClure Cyber Security and Cyber Crime, Data Privacy & Security, Electronic Health Records, Health Information Technology, HIPAA, Privacy & Security BLOCKCHAIN, Health Information Technology

On March 20-21, 2017, multiple healthcare technology companies came together in Washington, D.C. to host The Healthcare Blockchain Summit. Blockchain, the technology that underpins bitcoin technology, keeps data secure in a “distributed, encrypted ledger” while allowing control over who can access that ledger. This is the hottest technology being discussed today as a way to secure confidential or sensitive data.

The on-line technology publication, Wired, describes blockchain’s security method in a February 1, 2017 article as follows: “Rather than having one central administrator that acts as a gatekeeper to data—a list of digital transactions—there’s one shared ledger, but it’s spread across a Continue reading →

Kathie McDonald-McClure to present at Health Enterprises Network/HIMSS event on HIPAA in integrated healthcare

January 11, 2016January 11, 2016 WyattLLP Data Privacy & Security Bluegrass HIMSS, Health Information Technology, Healthcare integration and HIPAA, Louisville Health Enterprises Network, privacy and security of protected health information

Kathie McDonald-McClure, member of Wyatt’s Data Privacy & Security and Health Care Service Teams, will be speaking at an event presented by the Health Enterprises Network and Bluegrass Healthcare Information and Management Systems Society (Bluegrass HIMSS) entitled, “Whose Data Is It Anyway?” Ms. McDonald-McClure will share strategies for achieving a “Yes-Yes” as well as avoiding the “No-No’s” under the Health Information Portability and Accountability Act of 1996 (HIPAA) with the exchange of health information in an integrated healthcare setting.

Please click here for more information and to register.

Date: January 21, 2016
Time: 5:00 p.m. – 6:00 pm (Cocktail Hour and Registration); 6:00 – 8:00 p.m. (Presentation).

Location:
Kosair Charities Clinical & Translational Research Building
505 S. Hancock Street
Louisville, KY 40202

Stages 1, 2, And Now 3, Meaningful Use Criteria

April 17, 2015 Margaret Young Levi Electronic Health Records, Health Information Technology, HITECH Law, Meaningful Use CEHRT, Centers for Medicare & Medicaid Services, CMS, EHR, Health Information Technology, Meaningful Use, Medicaid Electronic Health Record, Medicare Electronic Health Record, ONC

The Centers for Medicare & Medicaid Services (“CMS”) proposed Meaningful Use criteria to implement Stage 3 and allow eligible professionals, eligible hospitals and critical access hospitals (“CAHs”) to qualify for incentive payments (or avoid downward payment adjustments) under the Medicare and Medicaid Electronic Health Record (EHR) Incentive Program implemented by the Health Information Technology for Economic and Clinical Health (“HITECH”) Act of 2009. Then CMS made changes to Stage 1 and Stage 2 Meaningful Use criteria to better align with the proposed Stage 3 criteria just two weeks later.

On March 30, 2015, CMS published a long-awaited proposed rule which, if finalized, would implement Stage 3, making changes to the objectives and measures of meaningful use for providers effective in Continue reading →

NIST Assigns Highest Risk Level to New Cyber Risk: BASH aka Shellshock

September 26, 2014October 9, 2014 Kathie McDonald-McClure Privacy & Security BASH aka Shellshock flaw, cyber risks and cyber crime, Health Information Technology, privacy and security of protected health information

On Wednesday, September 24, 2014, news broke about a newly discovered cyber security threat referred to as the BASH flaw or Shellshock. By Thursday, September 25, 2014, cyber security experts were confirming the cyber vulnerability threat for users of UNIX and Linux based systems, including MAC IO X. The National Institute of Standards & Technology (NIST) has rated the BASH flaw a 10 out of 10 on its vulnerability severity scale. Click here for the NIST alert.

Devices containing the BASH flaw may include millions of stand-alone Web servers and Internet-connected devices. HITRUST issued an alert to healthcare providers urging them to take appropriate steps to safeguard their systems. The HITRUST alert states, in part:

“The HITRUST Cyber Threat Intelligence and Incident Coordination Center (C3) has been tracking and reporting on the Remote Code Execution Vulnerability Discovered in Bash on UNIX-based Operating Systems (OS). HITRUST C3 is issuing this alert to ensure healthcare organizations are appropriately informed and taking steps to safeguard their systems and have sufficient information to communicate the background and implications to others in their organizations. HITRUST C3 – Healthcare Sector Cyber Threat Report HI255-14.”

According to Fierce HealthHIT: “The vulnerability happens when Bash is starting up; and it could allow a hacker to create a malicious code that would allow them to gain control of a compromised server.” HITRUST and many other cyber experts are stating that the BASH Shellshock bug is worse than Heartbleed, which was the flaw discovered in the widely used website encryption code, OpenSSL, an issue on which we reported in April 2014. The BASH flaw reportedly allows a hacker to completely take over a computer or server.

This is one of the more complicated cyber risk flaws to try to explain to the public, but this chap from UK has produced a 4-minute You Tube video trying to do just that. We are not vouching for the accuracy of this video (especially given that we are not computer scientists), but we can recommend following his advice at the very end of the video: “Make sure you keep your computers and any servers you run up to date with security patches and security fixes.” If you want a more technical description of BASH, see the article published by Troy Hunt, Software architect and Microsoft MVP, on his blog at troyhunt.com or click here.

AHIMA Issues Guidance on Appropriate Use of Copy and Paste in EHRs

April 4, 2014April 4, 2014 Kathie McDonald-McClure EHR Certification Standards, Electronic Health Records, Fraud and Abuse, Health Information Technology, HITECH Law, Meaningful Use AHIMA EHR documentation guidance, EHR Certification Standards, EHR copy and paste function, EHR fraud, Electronic Health Records, Health Information Technology, HITECH Act

As we have written about in previous posts, the Office of Inspector General (OIG) for the United States Department of Health and Human Services (HHS) has been critical of the copy/paste function that is available in electronic health record (EHR) technology developed by software vendors. (See “Electronic Health Records in OIG’s Sights for 2013“, October 20, 2012; “OIG recommends fraud safeguards in hospital EHR technology“, December 11, 2013; “OIG Report on CMS’ EHR Audit Practices Concludes The Practices Are Not Very Sophisticated“, February 11, 2014) As our February 11, 2014 post concludes, while turning off the copy/paste functionalities are not the immediate solution to preventing a misuse of the function, health care providers should implement standards for its use. The American Health Information Management Association (AHIMA) recently issued guidance, “Appropriate Use of the Copy and Paste Functionality in Electronic Health Records,” dated March 17, 2014, discussing the availability and appropriate use of the copy and paste function.

AHIMA supports maintaining the copy/paste functionality in ONC’s EHR certification standards and allowing for its use in CMS Conditions of Participation. AHIMA encourages CMS to augment provider education and training materials on the appropriate use of copy/paste in order to reduce the risk that it may pose to quality of care, patient safety and fraudulent documentation. Importantly, AHIMA recommends that health care providers implement policies and procedures to guide users of EHRs on the proper use of copy/paste functionalities. To read the AHIMA guidance, click here.