St. Joseph Health (CA) will pay $2.14 million to settle OCR charges that it exposed the information of 32,000 patients for a full year in 2012-2013 when it brought a server online using default security settings that allowed its contents to be viewed via Internet searches. The exposed files had ironically been created to document the health system’s Meaningful Use participation, so some of the MU money it presumably earned from HHS because of those files will go right back to HHS as punishment for exposing them.
OCR found that the contractors that SJH hired to assess its PHI security did their work “in a patchwork fashion” that failed to meet the requirement of performing an enterprise-wide risk analysis.
The health system paid $7.5 million earlier this year to settle a class action lawsuit filed by patients whose information was exposed.
SJH had previously reported the theft of unencrypted PHI-containing devices in 2010, 2012, 2013, and 2014 as well as a 2014 incident in which an employee failed to delete a PHI-containing Excel worksheet tab before sending it to an investment firm.
From Greek Goddess: “Re: Epic. The same publication that ran the R&D nonsense with Judy’s ‘trust me’ as verification seems to publish whatever Judy says. The latest contains the usual sound bites about industry misinformation about Epic and the tired narrative that it doesn’t have a marketing department.” They were obviously typing with velvet gloves. This 1998 article quotes Judy as saying that she was increasing Epic’s sales and marketing budget by 70 percent because “we want to be very big,” also mentioning the hiring of an advertising department and marketing director. In 2015 I reported a reader’s observation that at least eight former Epic employees identify themselves on LinkedIn as having done Epic marketing and one of them says she reported directly to Judy (“leading in-house marketing team,” she says). Epic hired a high-powered lobbying firm awhile back as well. I think the people who write for the HIMSS-produced publication (which lives in a picture-perfect fairytale HIT land in which seldom is heard a discouraging word about HIMSS-paying vendors) are so pleased with themselves at earning Judy’s rare attention that they simply uncritically regurgitate whatever she tells them, which makes that publication an Epic favorite for planting “news” that is really just Epic disputing any negative industry impressions about the company. Make no mistake: Epic is not naive about marketing and sales even though they might do it differently – all those gazillion-dollar contracts didn’t just happen because a health system CEO cold-called 608.271.9000 and asked to speak to any available 23-year-old programmer.
From The Truth Hearst: “Re: Zynx Health. Laid off 50 percent of the company last week, including all of finance and marketing, perhaps to either fold the company or roll it into one of the other Hearst entities.” The company provided this response to my inquiry:
Zynx has taken the necessary steps to better position itself in a changing healthcare market. We are aligning our solutions, clinical expertise, and content capabilities to meet the needs of the shifting marketplace and new requirements with emerging value-based payment models. With the changes in the marketplace, the difficult decision to eliminate positions was necessary. However, new opportunities have opened as we deploy an interdisciplinary team of professionals to provide more comprehensive support for our products and services to each client. We believe Zynx will be better equipped to innovate as the healthcare market requires and that these changes will not only make Zynx stronger in this new marketplace, but also, and more importantly, provide better service and support to our valued clients. We are definitely not folding and look forward to another 20 years of market leading innovation and solutions.
From Nasty Parts: “Re: Extension Healthcare. An executive tells me the company has been sold with an announcement forthcoming.” Unverified. Nasty Parts has a pretty good rumor-sniffing track record.
From Big ‘Un: “Re: HIStalk links. I notice some refer to a click counter rather than a direct link. What does that do?” It’s interesting to me how many times readers click on links to new sponsor web pages or webinar sign-up pages, which tells me what kind of information readers want (and how well or how poorly I present it). That’s all I use it for. A recent webinar announcement got more than 1,300 clicks to the sign-up page, for instance, and the ratio of how many of those actually registered to attend tells me whether the abstract and learning objectives were on point. Mentioning a new sponsor usually gets 200-400 readers to click over to the company’s webpage to learn more, which tells me the kinds of technologies that pique the curiosity of readers. Beyond my self-improvement efforts, the invisible click counter, which is run from a free PHP script I found on the Internet, does absolutely nothing.
From Jock O’ Lantern: “Re: fitness trackers. Do you think their lack of success in improving health will hurt sales?” No, since companies will continue to market them smartly (which is to say slightly deceptively). Fitness trackers and apps make few people healthier, but they play to the vanity of buyers who fancy themselves as possessing the willpower to change their lives and their mental outlook once they just buy more jock gear so they can look like the sweaty-yet-sexy models in the fitness tracker ads. Accurate ads would show several of the devices stashed in the underwear drawer along with unworn yet stylish exercise clothes while the owner — who moans about having too little time for exercise — spends the entire evening eating Cheetos, watching TV, and interacting with pretend Facebook friends. We’re going to muster one mushy militia if it ever comes to that.
HIStalk Announcements and Requests
I’ve corrected my Monday mistake in listing Southwest General Hospital (OH) as moving from McKesson to Cerner next year. They’re already a Cerner shop – it’s Southwest General Hospital (TX) that’s changing systems. Sometimes Google magnifies rather than resolves my confusion over multiple hospitals that share a name.
Welcome to new HIStalk Platinum Sponsor Protenus. The Baltimore company’s privacy monitoring system detects inappropriate EHR user behavior (with 97 percent accuracy and thus few false alarms) to proactively identify potential HIPAA violations in helping hospitals avoid huge OCR settlements and jury awards. Examples: EHR users who inappropriately access a VIP’s records; employees who snoop through the files of friends or estranged family members; employees who use patient information to file fraudulent tax returns; hackers who obtain user credentials by phishing and then move freely through patient records; contractors who use their access for unauthorized purposes; and laptop thieves who gain EHR access. Protenus learns how each user normally works instead of trying to apply simple rules to detect their unusual behavior, then provides alerting and collaboration tools that enable quick resolution instead of waiting the average 200 days it otherwise takes providers to detect and fix inappropriate access. IT folks benefit from the elimination of expensive managed services, lightweight data integration of any number of systems, and the option to run it in-house or hosted. The company was founded by Robert Lord, a former Hopkins medical student, medical researcher, and hedge fund analyst; and Nick Culbertson, MD, who earned two bronze stars during his eight-year service as a Green Beret sergeant with the 20th Special Forces Group (Airborne) and helps run an East Baltimore veteran support group. Read the Johns Hopkins case study or Robert’s Readers Write article. Thanks to Protenus for supporting HIStalk.
Here’s a look at the privacy monitoring and incident tracking system of Protenus.
Listening: new from Avenged Sevenfold, polished, literate heavy metal in their first album since 2013. They sound great for a band that’s gone through more drummers than Spinal Tap. Pretty cool lyrics.
October 25 (Tuesday) 1:30 ET. “Data Privacy/Insider Threat Mitigation: What Hospitals Can Learn From Other Industries.” Sponsored by HIStalk. Presenters: Robert Kuller, chief commercial officer, Haystack Informatics; Mitchell Parker, CISSP, executive director of information security and compliance, Indiana University Health. Cybersecurity insurers believe that hospitals are too focused on perimeter threats, ransomware, and the threat of OCR audits instead of insider threats, which are far more common but less likely to earn media attention. Attendees will learn how behavior analytics is being used to profile insiders and detect unusual behaviors proactively and to place privacy/insider risk within the risk management matrix.
November 8 (Tuesday) 1:00 ET. “A CMIO’s Perspective on the Successful 25 Hospital Rollout of Electronic Physician Documentation.” Sponsored by Crossings Healthcare. Presenter: Ori Lotan, MD, CMIO, Universal Health Services. UHS rolled out Cerner Millennium’s electronic physician documentation to its 6,000 active medical staff members — 95 percent of them independent practitioners who also work in competitor facilities — across 25 acute care hospitals. UHS’s clinical informatics team used Cerner’s MPage development toolkit to improve the usability, efficiency, communications capability, and quality metric performance of Dynamic Documentation, embedding clinical decision support and also using Nuance’s cloud-based speech recognition product for the narrative bookends of physician notes. This CMIO-led webinar will describe how UHS achieved 70 percent voluntary physician adoption within one month of go-live, saved $3 million in annual transcription expense, and raised EHR satisfaction to 75 percent. It will include a short demonstration of the software that UHS developed to optimize the physician experience.
November 9 (Wednesday) 1:00 ET. “How to Create Healthcare Apps That Get Used and Maybe Even Loved.” Sponsored by MedData. Presenter: Jeff Harper, founder and CEO, Duet Health. Patients, clinicians, and hospital employees are also consumers who manage many aspects of their non-medical lives on their mobile devices. Don’t crush their high technology expectations with poorly designed, seldom used apps that tarnish your carefully protected image. Your app represents your brand and carries high expectations on both sides. This webinar will describe how to build a mobile healthcare app that puts the user first, meets their needs (which are often different from their wants), creates “stickiness,” and delivers the expected benefits to everyone involved.
Acquisitions, Funding, Business, and Stock
Adobe sues MedAssets (via its new owner nThrive) for copyright infringement, claiming that MedAssets distributed Adobe’s ColdFusion web development tool in its CodeCorrect product despite having a license for internal use only.
Home-centered clinical trials management vendor Science 37 raises $31 million in a Series B funding round, increasing its total to $38 million. The founders are dermatologist Belinda Tan, MD, PhD and Noah Craft, MD, PhD, who was chief medical officer of VisualDX.
UnitedHealth Group, which is pulling out of many insurance exchanges because too many expensively sick people signed up, books Q3 revenue of $46.3 billion and a profit of $3.6 billion, with the CEO (whose shares are worth $356 million) saying the company will in 2017 “deliver more value to the health system overall.”
Three post-acute care software vendors – Casamba, HealthWyse, and TherapySource – announce their merger under the Casamba nameplate.
The SEC declines to prosecute Harris Corp. after its auditors reported to the SEC that they found evidence that the fired CEO of its Carefx China subsidiary had in 2011-2012 bribed Chinese government officials with as much as $1 million to earn nearly $10 million in business. Harris acquired Carefx for $155 million in cash in 2011. The SEC fined the executive $46,000 and Harris sold its healthcare business to NantHealth in mid-2015. The executive, Ping Zhang, PhD, is now SVP of product innovation and CTO of MedeAnalytics.
The Dubai Health Authority signs a collaboration agreement with GE Healthcare for hospital predictive analysis, efficiency, and training.
Nancy Ham (Healthagen Population Health Solutions, an Aetna Company and Medicity) joins physical therapy EHR vendor WebPT as CEO.
Congratulations to interoperability expert Keith “Motorcycle Guy” Boone of GE Healthcare for completing his master’s in biomedical informatics from OHSU.
Announcements and Implementations
Nuance announces GA of a new version of its Dragon Medical Advisor real-time computer-assisted physician documentation system.
HCS integrates document exchange interoperability technology from Kno2 into its Interactant system to support care transition and care coordination with referring hospital partners.
Long-term care EHR vendor PointClickCare releases an integrated smartphone app for skin and wound assessment and documentation.
AHIMA will offer a health informatics certification credential in early 2017 to candidates with (a) a bachelor’s degree and two years of informatics experience; (b) a master’s degree with one year of experience; or (c) a master’s in health informatics. Like certification programs offered by HIMSS and other industry groups, the credential’s value is clear to the organization being paid to issue it (and the alphabet soup of other certificates AHIMA sells) but much less obvious to those who might receive it. Someone who has earned a master’s in health informatics doesn’t need to pass an AHIMA test to prove their knowledge for an employer who is probably more interested in experience and capabilities anyway. If I were interviewing a candidate for a non-technical position, I would place zero value on trade group certification. Actually, I would probably place negative value on them since I would question the motivation of a possibly insecure and under-qualified candidate who is proud of a credential that was earned by completing a single multiple choice test that has a high pass rate. CHIME’s certified healthcare CIO is the silliest one I can imagine – what health system CEO would value that credential when hiring a CIO? (perhaps only a certified healthcare CEO if there is such a thing, which I sincerely hope there isn’t). Organizations make a lot of money preying on the personal insecurities and educational shortcomings of ambitious people with generous disposable income or employer educational expense reimbursement programs.
Healthgrades releases its annual hospital evaluation report. The company also announces Risk IQ, a questionnaire-based tool that allows consumers to evaluate their personal risk for six common surgical procedures.
MModal launches a risk adjustment solution suite that helps optimize chart documentation to improve HCC charge capture.
LifeImage releases version 5.0 of its image-sharing platform, which adds real-time collaboration, FHIR support, and more extensive integration of information from PACS, VNA, and clinical systems.
Agfa HealthCare announces a new version of its Enterprise Imaging platform that includes new migration tools, image management and workflow rules, live streaming and virtual conferences, and multi-specialty imaging.
Government and Politics
An investigation by the Minneapolis paper finds that FDA has allowed drug device manufacturers to hide reports of patient harm, either by rolling individual reports up into a generic summary or accepting years-overdue reports. A former FDA official who created a search engine called Device Events to track medical device performance says doctors might behave differently if they knew how many incidents were reported.
Wisconsin state inspectors cite a veterans home for dozens of medical errors, some of them related to incorrect transcription and employees confused by new software. An LPN who administered 100 units of insulin instead of the ordered 12 units said she attended training but then went on vacation, with her supervisor advising upon her return that she should just “wing it.” Nurses interviewed by the inspectors said the rollout was poorly handled.
Privacy and Security
St. Jude Medical forms a cybersecurity advisory board following published claims that its medical devices are vulnerable to hacking.
- Rainbow Children’s Clinic (TX) reports to HHS that it was attacked by ransomware on August 3, exposing the information of 33,000 patients to an unknown hacker and resulting in the permanent loss of some patient records.
- Medi-Cal plan provider CalOptima reports its second breach in two months after discovering that a “departing” employee downloaded patient information to an unencrypted USB drive that was later returned.
Philips earns FDA approval for an ultrasound sensor for Android-powered mobile devices, enhancing its Lumify ultrasound diagnostic solution to allow clinicians to perform heart, lung, and OB/GYN ultrasound without an ultrasound cart. It costs $200 per month.
Weird News Andy wonders whether this story really happened. An Oregon hospital quarantines its ED after treating a woman with hallucinations, after which the two deputies who brought her in as well as her caregiver and a hospital employee also began hallucinating for reasons unknown. They’re thinking her medication patch might have been spewing active ingredients all over the place.
- Attendees of Experian Health’s annual Financial Performance Summit put together 1,000 hygiene kits and collected 200 pairs of socks for a Nashville charity.
- GE Healthcare will work with India-based Tata Trusts to train 10,000 students for healthcare technology careers.
- Aprima earns high ratings for its RCM services in a KLAS specialty report highlighting ambulatory billing services.
- Bernoulli CEO Janet Dillione is included in the 17 female health IT company CEOs to know.
- Besler Consulting releases a new podcast, “Strategies for navigating bundled payments.”
- Carevive Systems will host a half-day symposium on non-small cell lung cancer October 26 in Philadelphia.
- CoverMyMeds will sponsor the CBI Electronic Benefit Verification & Prior Authorization Summit October 25-26 in San Francisco.
- Consulting Magazine includes Cumberland Consulting Group and Divurgent on its list of fastest-growing firms.
- EClinicalWorks will exhibit at AAP 2016 October 22-25 in San Francisco.
- Iasis Healthcare streamlines documentation processes with FormFast technology during its EHR transition.
- FormFast will exhibit at CHIMA October 24-25 in Edmonton, Alberta.
- Healthwise will exhibit at the EClinicalWorks National Conference October 21-24 in Orlando, FL.
- 5 Strategies to Reduce Financial Risk (AdvancedMD)
- 5 Ways to Break the Glass for Women in Tech (AirWatch)
- If Ada Were an Arcadia … (Arcadia Healthcare Solutions)
- Announcing Customer Spotlights (Catalyze)
- 10 Things End Users Need to Know About Secure Text Messaging Right Out of the Gate (Spok)
- MACRA Final Rule: Empowering Physicians and Health IT (Caradigm)
- Breathe Easy … CCM has Your Patients Covered (CareSync)
- Translating EHR Training into Improved Revenue Cycle Metrics (Culbert Healthcare Solutions)
- Collaboration is Key in Oncology Care (ECG Management Consultants)
- EHRA Reiterates Key Recommendations for Program Alignment and Practicality in Comments on HOPPS (E-MDs)
- A Guide to Managing Physician Relationships (Evariant)
- The Direct Link Between a Security Breach and Patient Safety (Extension Healthcare)
- What a top 10 college football matchup has to do with healthcare IT consulting (Nordic)
- PCMH 2nd Annual Congress Recap (Galen Healthcare Solutions)
- DSRIP: A Major Step Toward Reinventing Medicaid (Hayes Management Consulting)
- McKesson Horizon Legacy Support: The Case for Third Party Assistance (HCI Group)
- What’s So Scary About Automation? (Healthfinch)