Recent Articles:

Morning Headlines 9/12/14

September 11, 2014 Headlines No Comments

Allscripts Ex-CEO Glen Tullman Launches Livongo Health At Disrupt, Backed By General Catalyst

Glen Tullman launches a digital health startup called Livongo Health, backed by a $10 million investment from General Catalyst. The company is building chronic disease management platforms that use technology to connect patients, care providers, and family members.

States Graded on Telemedicine Policy

The American Telemedicine Association publishes two reports analyzing the telemedicine policies of all 50 states, focusing on coverage, reimbursement, practice standards, and licensure requirements.

Medicine’s Manhattan Project: Can The World’s Richest Doctor Fix Health Care?

Forbes profiles healthcare billionaire Patrick Soon-Shiong and his startup NantHealth, which he promises will revolutionize healthcare. Forbes calls him a blowhard and quotes John Halamka, MD saying “The marketing is three years ahead of the engineering.”

Epic Systems again ranked as No. 1 Dane County employer

Just ahead of its annual user conference, Epic is named the largest employer in Dane County.


News 9/12/14

September 11, 2014 News 2 Comments

Top News


Former Allscripts CEO Glen Tullman launches Livongo Health, which will offer diabetes monitoring that includes an FDA-approved interactive glucometer and analytics. The company received a $10 million investment from General Catalyst. Its leadership team is sprinkled with former Allscripts people.

Reader Comments

From Vendor_Neutral: “Re: Apple. After months of being annoyed by misleading blog posts about Apple and Epic’s alleged partnership, I went back and watched that portion of WWDC this morning. Here is the direct quote: ‘We’re also working with leaders in health care applications like Epic Systems, now they provide the tech that enables hospitals serving over 100 million Americans, and so now with their integration with HealthKit, patients at these leading institutions will be able to get closer in sharing their information with their doctors.’ That’s all they said! NOTHING about a ‘partnership.’ They merely got early access to HealthKit. Let it be known that that is it.”

From Kaiser Roll: “Re: Phil Fasano. Resigned as CIO of Kaiser Permanente as announced in an email from CEO Bernard Tyson.” Unverified.

HIStalk Announcements and Requests

This week on HIStalk Practice: ABQ Healthcare Partners goes live on Allscripts. American College of Physicians outlines why MDs hate EHRs. Amazing Charts, athenaClinicals, and Meditouch vie for best EHR title. Research shows that primary care practices that create their own patient portal adoption strategy earn strong participation. The American Telemedicine Association grades states on telemedicine reimbursement and physician practice standards. Thanks for reading.

This week on HIStalk Connect: Apple unveils its long-awaited smartwatch, which will track activity and heart rate, but still falls short of what many were expecting for health features. The Mayo Clinic announces that it will work with IBM on a project that will use the Watson supercomputer to help analyze patient charts and match them with relevant clinical trials. Wellframe, a Boston-based startup, raises an $8.5 million Series A for its smartphone-based patient education and reminder tools.


September 18 (Thursday) 1:00 p.m. ET. DHMSM 101: The Hopes, Politics, and Players of the DoD’s $11 Billion EHR Project. Presented by HIStalk. Presenters: Dim-Sum, an anonymous expert in government healthcare IT, military veteran, and unwavering patriot; Mr. HIStalk. The Department of Defense’s selection of a commercially available EHR will drastically change the winning bidders, the health and welfare of service members all over the world, and possibly the entire healthcare IT industry. The presentation will include an overview of the military health environment; the military’s history of using contractors to develop its systems vs. its new direction in buying an off-the-shelf system; its population health management challenges in caring for nearly 10 million patients all over the world, some of them on the battlefield; and a review of the big players that are bidding. This presentation will be geared toward a general audience and will be freely sprinkled with humor and wry cynicism developed in years of working in two often illogical industries that hate change.

September 25 (Thursday) 1:00 ET. Using BI Maturity Models to Tap the Power of Analytics. Presented by Siemens Healthcare. Presenters: James Gaston, senior director of maturity models, HIMSS Analytics; Christopher Bocchino, principal consultant, Siemens Healthcare. Business intelligence capabilities are becoming critical for healthcare organizations as ACOs and population health management initiatives evolve in the new healthcare marketplace. The presenters will explain how BI maturity models can help optimize clinical, financial, and operational decisions and how organizations can measure and mature their analytics capabilities.

September 26 (Friday) 1:00 ET. Data Governance – Why You Can’t Put It Off. Presented by Encore, A Quintiles Company. Presenters: Steve Morgan, MD, SVP for IT and data analytics and CMIO, Carilion Clinic; Randy Thomas, associate partner, Encore, A Quintiles Company. In this second webinar in a series, “It’s All About the Data,” the presenters will review the pressing need for data governance and smart strategies for implementing it using strained resources.

Acquisitions, Funding, Business, and Stock

Google acquires Lift Labs, which makes a sensor-powered stabilizing spoon that helps people with tremors eat normally.


Streamline Health Solutions announces Q2 results: revenue down 17 percent, EPS -$0.14 vs. -$0.07. Above is the one-year share price chart of STRM (blue) vs. the Nasdaq (red).

Privacy monitoring vendor FairWarning announces first-half results that include 104 percent growth in existing-customer revenue, 6,500 healthcare facilities as clients, and 64 hospitals running its SaaS-based product.


Capella Healthcare (TN) chooses Medhost’s YourCareLink to submit information to state public health reporting agencies.


Phoebe Putney Health System (GA) selects Harris Corporation’s FusionFX Provider Portal.


Evans Army Community Hospital (CO) will deploy AtHoc’s emergency communication solution.

Community Health Network (IN) will link its community Epic, Cerner, and Meditech EHRs through Health Catalyst’s Late-Binding Data Warehouse and Analytics Platform.



Jack Janoso is named CEO of Fairfield Medical Center (OH). He was promoted from VP/CIO to CEO at Sharon Regional Health System (PA) before taking the new job.


Beaumont Health (MI) — formed via the merger of Beaumont Health System, Botsford Health Care, and Oakwood Healthcare – names Subra Sripada as chief transformation officer of the 10-member executive team. He was previously chief administrative and information officer at Beaumont Health System.


David Sides (iMDsoft) joins Streamline Health Solutions as EVP/COO.


Boston Software Systems promotes Matthew Hawkins to EVP of healthcare strategy and sales.


Jay Anders, MD (McKesson) is named chief medical officer of Medicomp Systems.

Announcements and Implementations


Gillette Children’s Specialty Healthcare (MN) goes live on the Versus Advantages Clinic patient flow system.

AirWatch introduces AirWatch AppShield to provide security and management capabilities.

MModal launches an outpatient medical coding service.

Elsevier chooses Clinical Architecture’s Symedical terminology management system for its InOrder order set tool.


MetroChicago HIE goes live with 31 hospitals using technology from Sandlot Solutions.

A Health Catalyst-sponsored survey of CHIME members (70 respondents) finds that analytics is the highest-priority IT investment, followed by population health and ICD-10.

Government and Politics

ONC announces that it will make minor tweaks to its 2014 certification criteria instead of rolling out voluntary 2015 criteria as previously planned. It will also name certification criteria by their year of approval going forward and will discontinue the “Complete EHR” certification.


Samsung pokes fun at this week’s somewhat anemic (and health-free) announcements from Apple, which seems to be morphing into Microsoft as it (a) pre-announces a product that won’t be available for a long time; (b) enters an existing market (smart watches) instead of creating a new one; and (c) fails to meet expectations in not talking about its rumored Health offering, possibly because of (a) limited stage time given the urgency of discussing fashionable watches and enlarged iPhone screens; (b) the moving target nature of whatever it’s going to eventually do, or (c) poor timing given that iCloud was just hacked.

Researchers from MIT and Georgia Tech find that Google Glass can measure pulse and respiration using its built-in gyroscope, accelerometer, and camera. You could say it’s for people who wouldn’t be caught dead wearing Glass.



The American Telemedicine Association reviews the telemedicine-related physician practice and licensure standards of all 50 states. The components included physician-patient encounter (are in-person initial visits required or are more restrictive standards in place); telepresenter (does the law require someone to be physically present with the patient during the session); informed consent (is the patient required to sign off differently than for in-person visits); and licensure (does the state offer out-of-state licensure reciprocity, exemptions for physician-to-physician consultations, and conditional licensure). Twenty-three states and DC earned an A grade, 27 got a B, and one (Alabama) had the lowest composite score and a C grade.


Billionaire doctor Patrick Soon-Shiong makes the cover of the September 29 issue of Forbes, whose reporter seems as confused as the rest of us over whether he’s a genius, a blowhard huckster, or both. It points out that despite his spending $1.3 billion of his own money to acquire a bunch of unrelated technology companies (most notable in healthcare IT: iSirona), his grand ideas for “solving” healthcare are vaporware so far even as a rollout to Providence Health & Services is planned. The article mentioned Soon-Shiong’s tendency toward wild hype and his historic, greedy shafting of business partners, investors, and family members (“more of a wheeler-dealer than a scientist.”) Forbes concludes that his Nant-related holdings (including NantHealth) are worth $7.7 billion and he will start running IPOs next year, with NantHealth being the first.

Several publications are running breathy news items that Epic has hired a lobbying firm, none of them crediting HIStalk as their source since I reported it here on August 14 as tipped off by a reader who follows federal lobbying registrations.


Epic’s user group meeting starts Monday, with 10,000 attendees riding buses from hotels as far away as Wisconsin Dells to get to Verona. Meanwhile, the company is again named the largest employer in Dane County, WI with 7,400 FTEs.

In the UK, breast cancer screening vans are upgraded with satellite links to allow employees to enter and access patient information and to send images directly to hospitals.

The family of Joan Rivers will reportedly file a $100 million lawsuit against the for-profit endoscopy clinic where she died during a throat operation, claiming the clinic allowed one of the doctors to perform an unplanned biopsy that should have been done in a hospital instead.

Weird News Andy titles this story “Moob.” In England, a man complains of gender discrimination when NHS turns down his request for cosmetic breast surgery to correct a lopsided condition caused by gynecomastia. “Women get boob jobs on the NHS but I can’t get help,” he says, while NHS maintains that they don’t pay for surgery that has no demonstrable health benefit.

Sponsor Updates

  • MedAssets issues a call for speakers for the 2015 Healthcare Business Summit April 7-9, 2015 in Las Vegas.
  • Connance presents a video case study of the challenges and successes of Carolinas HealthCare System (NC) after implementing its revenue cycle solution.
  • Billian’s HealthDATA offers its Vitals hospital news and RFP feed free to the public.
  • Aventura will participate in the SE conference of the HIMSS Summit in Nashville September 16-17.
  • The CDC and Premier release research indicating that unnecessary hospital antibiotic use costs $163 million.
  • Chilmark Research names Wellcentive a “Standout” Vendor in Product and Market ratings in Population Health Management Analysis.
  • Health Catalyst shares the results of its recent survey of CHIME members which indicates analytics is their top priority.
  • Aspen Advisors highlights its framework and recent engagements with organizations that are realizing the full value of their EHR.
  • Frost & Sullivan recognizes GE Healthcare IT with an innovation award for Centricity Financial Risk Manager.

EPtalk by Dr. Jayne


It’s amazing how varied my work as a CMIO can be at times. Hot on the heels of some ridiculous implementation escapades, I’ve had a week of actually enjoyable work. I started the week attending a web-based focus group for one of our vendors. They did a great job putting it on and I give them an A-plus for facilitation skills.

The task at hand was to review some mock-ups for updated Patient-Centered Medical Home workflows. Instead of just throwing us into the content, they took the time to talk with the group about our existing workflows, including the good aspects as well as the challenges. The moderator made sure everyone was participating with a good mix of calling on people and letting them volunteer.

Web meetings are always hard, especially with a group of attendees that don’t really know one another. Someone is always trying to talk over the group or failing to mute themselves while they’re banging around their office, but we didn’t have any of that.

Only after they heard our needs did we see the mock-ups. It was an effective strategy because you didn’t have people throwing out all kinds of additional needs because they hadn’t thought it through. We were validating our needs against their ideas rather than being reactive.

Additionally, their mock-ups were well done with real-world scenarios. I’ve seen samples from other vendors where it looks like they just chose random drugs from a reference book, but these were spot on. I appreciated the fact that they prepared for us rather than asking us to imagine how it would be for the scenarios we see every day.

Usually after a four-hour web meeting I’m ready to bang my head against the wall (assuming no martinis are available), but I was actually a bit sad to see this one end. We’re regrouping in a few weeks, however, so that gives me something to look forward to.

Following the focus group, I was able to use the fact that my boss is out of town and our standing one-on-one is cancelled to do some belated spring cleaning in my office. It’s amazing how much junk accumulates. I’m ashamed to say I found a bunch of marketing collateral from HIMSS that I shoved in a drawer six months ago and promptly forgot. Sorry, marketing folks, I won’t be following up. But the cool Mylar folding wine bottle drip-proofer attached to one packet was a nice find.

Today I was able to spend some time mentoring a relatively new physician champion at one of our hospitals across town. Although he has a great deal of knowledge on the inpatient side, he’s just starting to get involved in ambulatory projects. He’s also studying for the clinical informatics board exam next month, so we talked about tips and tricks.

His facility is relatively new and has always been paperless, so it will be interesting to see how he does working with physicians who are transitioning from paper to EHR at the same time they’re transitioning to being employed. I’ve shared some of my horror stories, but from the expression on his face, I’m pretty sure he thought I was making them up. I can’t wait until he has a war story of his own.

The most fun thing about working with him is showing him some of the cooler features of our EHR. I spend so much time listening to physician complaints about how bad it is and how computers are ruining the practice of medicine that it was good to get an outsider view of its capabilities. He’s had formal training from the vendor, but taking that knowledge and applying it to a real-world practice workflow when you’re being interrupted by phone calls, nurses popping their heads through the doorway, and the mounds of paper that inhabit our “paperless” offices is another thing.

The best part of the meeting was when he asked what websites I would recommend to help him learn more about the IT landscape. I get an “F” on my mentor report card because I unfortunately couldn’t tell him about HIStalk. Hopefully he’ll stumble upon it or maybe one of the other informatics staff will recommend it, but it’s always a surreal experience when my worlds almost collide.

Got an alter ego? Email me.


Mr. H, Lorre, Jennifer, Dr. Jayne, Dr. Gregg, Lt. Dan, Dr. Travis.


Morning Headlines 9/11/14

September 10, 2014 Headlines No Comments

2014 Edition Release 2 Electronic Health Record (EHR) Certification Criteria and the ONC HIT Certification Program

ONC scraps its voluntary 2015 Edition EHR certification criteria, providing some flexibility for EHR vendors, but doing little for providers that are not yet ready for the start of the MU 2 attestation period.

Epic retains lobbyist to improve image on Capitol Hill

Epic hires lobbying firm Card & Associates to help address its reputation on Capitol Hill as an opportunistic EHR vendor selling closed systems that are unable to exchange data with other vendors.

Watchdog Says V.A. Officials Lied

Richard J. Griffin, the VA’s acting inspector general, said in testimony to the Senate Veterans’ Affairs committee on Tuesday that during its investigation on scheduling improprieties, 42 VA health care facilities were found to be altering appointment wait times. Additionally, 13 VA administrators are accused of lying to IG staff during the investigation.

Homeland Security picks Mass company for electronic health record system

eClinicalWorks wins a $5 million contract to provide EHRs for the U.S. Immigration and Customs Enforcement’s detention facilities.


An HIT Moment with … Travis Bond

September 10, 2014 Interviews 1 Comment

An HIT Moment with ... is a quick interview with someone we find interesting. Travis Bond is founder and CEO of CareSync of Wesley Chapel, FL.


Consumers have voted with their feet in failing to adopt personal health records platforms that require them to maintain their information manually. How is CareSync different?

Traditional PHRs have failed for a lot of reasons, but it ultimately boils down to the fact that gathering and organizing health information is a lot of work. A complete hassle, actually. Let’s face it, unless it’s out of necessity, it never becomes a priority for most people.

We recently did some interviews with a handful of our users and almost everybody said the same thing: “I knew that I needed to get my hands on this information, but just the thought of getting it overwhelmed me.”

We obviously love technology and I believe that the ball is moving in the right direction in HIT, but we’ve got a long way to go before technology solves the data, communication, and care coordination problems that plague healthcare. Collecting medical records from various providers is a hassle, the data is fragmented across various health systems and providers, and even if you manage to get them all together, the information isn’t particularly meaningful.

We often have internal debates whether or not we are a PHR. We are in many ways, but our approach is completely different. It’s not just the high tech, but rather the combination of great technology and high-touch concierge services to connect people and data and truly redefine the role of the patient in healthcare.

We have a team of people who gather all of a user’s available medical records from all of their providers. They enter data such as health conditions, medications, and allergies into structured, codified fields. They build a digital record of each past medical visit, including the provider’s assessment and plan. This comprehensive Health Timeline is easily filtered and electronically transmitted to providers directly from the app.

Users add family, friends, and other members to their care team. We believe in the “it takes a village” concept when it comes to managing healthcare, so family and other caregivers can help with tasks, appointment prep, and medication compliance. They receive notifications and alerts to help their loved one stay on track.

Our latest release includes tracking and measurements. We’re layering clinical data with patient and family-generated data in the form of journals and pain scales, vitals, and behavioral data with integrations with tracking and wearable devices.

We make the data accessible, useful, easy-to-understand, and even easier to share with the people who need access to it.


How do you sell subscriptions to consumers without spending a fortune on marketing?

We focus our marketing energy and dollars on targeting the population where our solution meets a true need today. That’s primarily people who have a chronic illness and the people who help take care of them. We’ve been successful with social media engagement, speaking at events, and doing some targeted advertising. We have partnered with some chronic and rare disease organizations as well.

We also sell CareSync to businesses, including hospitals, payers, employers, pharma, and even universities. Each use it a little differently, but everybody benefits when people are healthier and engaged in their care. Employers are offering it as an employee perk and to reduce their healthcare costs. A specialty hospital is relying on our newly released Pro version that functions as a communication layer between their organization and the patient and caregivers.

Very satisfied customers, word-of-mouth, and people adding family members and other caregivers who quickly become paying customers helps, too.


What’s different about creating technology for patients and families instead of for doctors?

This is somewhat hard to say without sounding harsh, but we believe the biggest difference has been how appreciative patients and caregivers are. We get calls and letters every day from our users who are thankful for how we helped them better understand their condition, prepared them for an important visit with a super specialist, and helped carry the burdens that come with being a patient or caregiver. It’s very satisfying knowing that what you’re offering really does make life better for the people who use it.

All that said, doctors are really benefitting from CareSync, too. One doctor I recently talked to told me that it was a breath of fresh air to, for the first time in his career, have access to information from his patients’ other doctors. Like patients, doctors are also really frustrated by the system and truly do want to help their patients.

We have seen CareSync reignite the fire for a lot of doctors by giving them data and engaged patients. One user shared that her doctor hopped up to sit next to her on the exam table to go through her CareSync data. She left the visit with a long-awaited diagnosis and a high five from the doctor.

It’s a refreshing reminder that healthcare can be better.


Healthcare is the only industry in which its ultimate customer has had little voice and is almost lost in the business model. Can that be changed and can technology help?

The only way that healthcare will really improve is to get patients and their families involved, equipped with information and tools to manage and share it, and enough convenience to make them want to participate in what has traditionally been a frustrating and often overwhelming experience.

We have to redefine the role of the patient and give them a voice and unprecedented confidence in choosing what’s right for them.

It’s not just about cost. It’s about decisions around quality of life and personal preferences. It’s about helping the healthy stay that way and not making people feel so vulnerable when they are sick.


You’ve been in healthcare IT for a long time. What are the most positive aspects of it that you are seeing compared to a few years ago?

In 2003, I actually said, “How hard can it be to build an EMR?” It didn’t take long to realize that doing anything in healthcare is more of a challenge than it should be. I believe we’ve made a ton of progress in creating standards. We are starting to move toward accessible, cloud-based solutions.

There are a lot of really intelligent innovators and entrepreneurs tackling the inefficiencies of healthcare, building really great solutions. Change is happening. Technology and the power of the Internet are finally starting to help healthcare like they have in just about every other industry.

Patients are starting to wake up and say, “Enough is enough.” They are equipped with always-on smartphones. People are starting to apply the age of consumerism mentality to their healthcare. Once we get there, that’s where we’ll see the tide shift.


Health IT from the CIO’s Chair 9/10/14

September 10, 2014 Darren Dworkin 6 Comments

Fine print: the views and opinions expressed in this article are mine personally and are not necessarily representative of current or former employers.

EMRs – Application or Platform?

It is hard to go very far these days without someone looking to dismiss EMRs as “just the transactional system.” It seems every new IT innovation or idea is the next big thing that will do us the favor of connecting with our installed systems, but do so much more. Population health, analytics, mobility, and patient engagement are all the new platforms to focus on.

Wait. EMRs are depended on every minute of every day to enable care delivery through zillions of transactions and are the result of years of hard work and untold dollars. They aren’t a platform? Really?

I want to believe that our enterprise EMRs are really agile platforms on which care delivery can be transformed. They are just works in progress. Oracle, SAP, Facebook, and all started as applications and grew into platforms. Some better than others, but it was a journey.

In my mind, our industry’s EMRs are on this same path. I think that the EMRs brought to us by Epic, Cerner, and Meditech (which I will refer to as the Gang of Three) all have a shot to truly be called a platform.

If the Gang of Three want to be seen as a platform and not just an application, they will need to evolve as did their big brothers in the ERP world.

Demonstrate market share dominance through rapid growth, consolidation, and the other vendors pivoting their business models in other directions as not to compete head to head. A goal here is to establish enough customer mass that effective and brilliant “group think” could take place. The market moves buyers to want enterprise all-in-one solutions instead of best-of-breed department ones.

I’m going to give the Gang of Three a grade of A on this one.

Demonstrate innovation of function, design, and features. Basically, they should be darned good — maybe even outright awesome — at transactions. Expect to see massive investments in R&D and lots of co-innovation with customers.

I’m going to give the Gang of Three an A on this one, too.

Be regarded as having deep industry capabilities, clear and comprehensive road maps, and embedded best practices. Other software vendors from other industries would view the vertical as too complex to enter based on the learning curve.

The Gang of Three earns a split grade on this one. Deep healthcare knowledge, A. Comprehensive roadmaps, B. Embedded best practices, C.

Provide analytics. This would be translated as performance suites with end user-centric dashboards, complex and robust data integration suites, comprehensive data quality tools, and the real belief that they are enabling massive amounts of information to be transformed to competitive knowledge.

The Gang of Three gets a B+ for focus and initial efforts, but a C for execution.

Support mobility. This would be demonstrated by enabling wireless workflows across the organization. Optimized work can be done from anywhere, at any time, and on any device. Costs and tools matter in this space, so device management and security are key parts of all offered solutions.

The Gang of Three earns a C. Good progress on vision and good early applications, but with lots of work ahead.

Demonstrate reliability, flawless uptime and performance, and sub-second response times. Terabytes of data managed and delivered at the speed of thought. The paradigm of all information available in real time would be realized and would drive the enablement of new workflows never imagined before the system was installed. With the reliable availability of information, new business models to share and move data around the ecosystem would emerge.

I’m going to give the Gang of Three a B+.

Platforms are not just about function, but equally about cost. They would need to enable the shift within the IT organization of today that typically has 80 percent of costs on tactical IT delivery and 20 percent on strategic initiatives to at least a 50/50 split. IT operational costs consuming the majority of resources are lowered through hosting, cloud, and other leveraged services to allow for greater spending on innovation. Support costs are predictable and fall over time. Costs act as a consolidation driver as much or more than workflow.

This earns a B for the Gang of Three.

The toughest and probably the most important area for our gang to distinguish themselves as a platform is to create choice by building a leveraged open ecosystem. Choice would be fully realized by creating open APIs to access data models and workflows. Customers and third-party vendors would look to solve problems by building solutions within the system and innovation would be an open challenge to solve for everyone.

The Gang of Three gets a D-. This alone isn’t the definition of a platform, but it is crucial to the mix. This is the biggest area in which our gang needs to improve.

So, Gang of Three, it is time to get everyone involved to help us solve problems. Talk to your customers and third-party developers, court them, and encourage them to build their applications in such a way that they have a technology dependency on you. Risk some value you may create on your own, but balance it by figuring out how to extract value from your new workforce – your third-party developers.

It is time to enable choice!


Darren Dworkin is chief information officer at Cedars-Sinai Health System in Los Angeles, CA. You can reach Darren on LinkedIn or follow him on Twitter.


Morning Headlines 9/10/14

September 9, 2014 Headlines No Comments

Apple Watch

Apple unveils its newest device, a smartwatch that will monitor caloric burn, daily activity levels, heart rate, and exercise intensity.

New dean reviews Dell Medical School

Clay Johnson, dean of the University of Texas’s new Dell Medical School, says in an interview that one of his goals for the school is to embrace healthcare IT as a means of solving some of the fundamental problems he sees in care delivery.

A Comparison Of Hospital Administrative Costs In Eight Nations: US Costs Exceed All Others By Far

A recent study finds that hospital administrative costs in the US account for 25 percent of all hospital expenditures, far more than any other nation included in the study.


News 9/10/14

September 9, 2014 News 11 Comments

Top News


Apple announces the iPhone 6 and the larger-screen iPhone 6 Plus; the Apple Pay mobile payments system that uses fingerprint ID; and the Apple Watch (not named the iWatch after all) that connects to its Health app as well as to Apple Pay. The Apple Watch, which requires an iPhone connection, won’t be available until next year and will start at $349 with a choice of 18 styles. Health-related watch functions include step counter, pulse tracker, calories burned, activity monitor, time in a seated position, and fitness goals. In other words, it fell way short of the pre-announcement hype, with no mention of HealthKit or the expected Mayo Clinic involvement, maybe because Apple’s high-profile iCloud celebrity nude photo breach made the timing inauspicious. It’s just as well — doctors aren’t sitting idly by anxious to watch streams of mostly meaningless sensor-collected patient information that doesn’t tell them anything they don’t already know. The people who think patient sensors are going to change medicine are naive; we don’t even monitor 95 percent of hospitalized patients because it doesn’t provide actionable information.

Reader Comments


From Medwreck: “Re: BoxWorks. Attended the Box user conference last week. This HIPAA-compliant cloud-based storage company is making a big push into IDN/healthcare provider world to fill in the gaps for sharing ‘unstructured’ health/patient content which the company estimates entails 15-30 percent of all shared healthcare content. They list Stanford, MD Anderson, and St Joseph Health (CA/TX) as clients. The idea of sharing unstructured content — areas that the EMR vendors may have missed — is a very interesting area ripe for growth.” It’s funny to me how Box and other companies try to fancy up their offerings to sound more strategic, letting the marketing and product management people go wild in renaming its file-sharing service as “global content collaboration.” I have that already – it’s called email (actually in my case it’s called Dropbox and is also called “free”). Box and similar services seem like an odd way to share content within an organization, and sharing outside the organization would require designing something that looks more like an integrated, context-aware function within an EHR or other system vs. a “log on and download your document” approach that’s more like a physician portal.


From Erasure: “Re: Mission Health, Asheville, NC. Just quietly announced layoffs with $50 million in cuts needed. Ouch.” The 11,000-employee (before the layoffs, anyway) health system announced ambitious plans a month ago to boost revenue by $10 million in the next fiscal year and cut expenses by $42 million, based on its expectation of $500 million in reduced hospital volume over the next 10 years. Meanwhile, Modern Healthcare apologizes for claiming in an August 11 cover story that Mission Health CEO Ron Paulus received the biggest raise of any not-for-profit hospital executive in 2012, with the magazine saying it didn’t know that the numbers it cited were a year old and the previous salary figures it compared against covered only a four-month period.

From Otto von Bismarck: “Re: Siemens Medical. Rumors abounding again that it will be picked up by Samsung.” Samsung was rumored to be interested in the medical device business of Siemens when the company first suggested that it would shed some of its business units.


From FranktheTank: “Re: SRS. Cut 20-25 people on Monday.” Unverified, but reported by more than one reader. The company has not responded to my inquiries. 

HIStalk Announcements and Requests


We as HIStalk readers bought a listening station a couple of weeks ago for Ms. Anderson’s highest-poverty Kentucky classroom via She sent the photo above with this report: “Student engagement has tremendously increased. Now, they are no longer intimidated by a longer novel. I am so appreciative of your generous donation … They will become stronger readers as a result of your willingness to invest in education.” Thanks to the Bill & Melinda Gates Foundation, which matched our contribution in fully funding the project.


I suggested to Amy Gleason of CareSync that she give one HIStalk reader a free plan in return for a write-up of their experience with it. Email Amy if you’d like a free One-Time Health History (normally $99), where the company will obtain your medical records from all of your providers, summarize your visits, create a Comprehensive Health Timeline, and offer smartphone-powered health services.


September 11 (Thursday) 1:00 p.m. ET. Electronic Health Record Divorce Rates on the Rise — The Four Factors that Predict Long-term Success. Presented by The Breakaway Group, A Xerox Company. Presenters: Heather Haugen, PhD, CEO and managing director, The Breakaway Group, A Xerox Company; Bill Rieger, CIO, Flagler Hospital, St. Augustine, FL. Many users are considering divorcing their EHR as dissatisfaction increases. Many are spending 90 percent of their time and resources on the wedding (the go-live) instead of the long-term commitment to new workflows, communication, education, and care outcomes (the marriage). Hear more about the findings of research published in “Beyond Implementation: A Prescription for Lasting EMR Adoption” about EHR adoption and success factors. Registrants get a free electronic or paper copy of the book.

September 18 (Thursday) 1:00 p.m. ET. DHMSM 101: The Hopes, Politics, and Players of the DoD’s $11 Billion EHR Project. Presented by HIStalk. Presenters: Dim-Sum, an anonymous expert in government healthcare IT, military veteran, and unwavering patriot; Mr. HIStalk. The Department of Defense’s selection of a commercially available EHR will drastically change the winning bidders, the health and welfare of service members all over the world, and possibly the entire healthcare IT industry. The presentation will include an overview of the military health environment; the military’s history of using contractors to develop its systems vs. its new direction in buying an off-the-shelf system; its population health management challenges in caring for nearly 10 million patients all over the world, some of them on the battlefield; and a review of the big players that are bidding. This presentation will be geared toward a general audience and will be freely sprinkled with humor and wry cynicism developed in years of working in two often illogical industries that hate change.

Acquisitions, Funding, Business, and Stock


Sandlot Solutions raises $23.3 million in funding, $17 million of it from Lemhi Ventures and the remainder from existing investors North Texas Specialty Physicians and Santa Rosa Holdings.


Wellframe, which offers care protocol and alerting software, closes $8.5 million in Series A financing.


Mednax completes its previously announced acquisition of revenue cycle management services vendor MedData.



Henry Mayo Newhall Hospital (CA) chooses Mobile Heartbeat’s CURE smartphone communications app for clinicians after completing a pilot in which nurses reduced their footsteps by 38 percent.

MedStar Health (DC) selects AirStrip for labor and delivery patient monitoring.


University of Utah Hospital (UT) will purchase PeriGen’s PeriCALM L&D solutions.



Mark Janczewski, MD, MPH (Medical Networks, LLC) joins Systems Made Simple as senior clinical informaticist.


Real-time surveillance systems vendor VigiLanz names Patrick Spangler (Healthland) as CFO.


Bivarus, a Chapel Hill, NC-based analytics software vendor, names David Levin (Clinipace Worldwide) as CEO.

Announcements and Implementations


TrueVault releases a software developer’s kit for connecting apps to iOS 8 in a HIPAA-compliant manner.

Toshiba establishes a big data project with the radiation oncology department of Johns Hopkins Medicine (MD), hoping to create technologies to individualize cancer treatments based on similarities to other patients.


PerfectServe releases Version 4.0 of its communications platform to the App Store, which includes the ability to add multiple attachments (such as photos) and a redesigned user interface.

Government and Politics

The white hat hackers who warned Congress that was insecure before its launch are, not surprisingly, a bit sarcastic now that one of the site’s test servers has been breached. High profile hacker Kevin Mitnick tweeted, “Didn’t we just warn these guys at Congress a few months ago?” A security expert told a House committee before went live that, "I don’t understand how we’re still discussing whether the website is insecure or not. It is; there’s no question about that. It is insecure — 100 percent." New information suggests that someone accidentally connected the test server, secured only by the manufacturer’s default password, to the Internet.

The co-chair of the Institute of Medicine committee that was critical of taxpayers footing the $10 billion per year cost of graduate medical education says the political reality is that such funding will continue, but should be refocused to support needed physician specialties and opened up to providers other than teaching hospitals. She added that two-thirds of the taxpayers’ money is spent on indirect medical education, which was arbitrarily created by Congress in response to the complaints of hospitals that DRGs would underpay them, adding that she doesn’t believe in paying more without necessarily getting more value or services when healthcare is moving toward a value-based system.



A fun article debunks the claims of calorie-counting wristband maker Healbe, which as the article says “put the scam in scampaigning.” The Russia-based company’s hilarious activities include (a) touting its self-conducted research studies that monitored five patients for five days; (b) claiming American investors who never materialized; and (c) announcing that Memorial Sloan Kettering Cancer Center was a test site when the hospital said they’d never heard of the company. Early App Store ratings are scathing: one user reports that the only unit of measure supported for entry of weight is “feet,” with the helpful reviewer adding an opinion that the app is “a piece of garbage.” Note the spelling “mesurement” in the above screen shot.



The Federation of State Medical Boards completes its voluntary model policy for individual states that would make it easier and faster for doctors to obtain licensure in multiple states. As with FSMB’s model telemedicine policy, the location of the patient determines the state of jurisdiction.

A small-scale December 2012 survey of attending internists (many of them residents) finds that using EHRs cost them an average of 48 minutes per clinic day, with a surprising one-third of respondents saying that looking up patient information in the EMR takes longer than with paper charts. The VA’s VistA system resulted in the lowest time loss. The authors suggested questionable alternatives: “use of scribes, standing orders, talking instead of email.” Also questionable is the subjective nature of the 48-minute average, along with the fact that no distinction was made as to when the system went live — how would they remember their time loss if go-live was years before or before they started their residency?


Harvard School of Public Health gets a $350 million donation from one of its alumni, Hong Kong billionaire Gerald Chan, who made his fortune by founding a private equity firm and working in his father’s real estate business. HSPH is the #3 ranked public health program in the country, following Johns Hopkins and University of North Carolina – Chapel Hill and finishing ahead of University of Michigan – Ann Arbor and Columbia University.

Two John Muir Health campuses go to paper and briefly divert ambulances when their Epic system goes down intermittently Monday.

Yet another study proves that the US is #1 in one important healthcare category: administrative overhead, which eats up a fourth of all of our massive healthcare expenditures, far ahead of #2 Netherlands at less than 20 percent. On the other hand, the odds are high that those whose salaries fall into that “overhead” category see themselves as critical.


The new dean of the Dell Medical School, scheduled to open in 2016, says the school will focus on healthcare technology. “In general, we are sort of driven by the notion that health care isn’t what it should be … One example of that is how slow and difficult it’s been to have technologies be integrated within the healthcare industry. One example I like is that I can find a restaurant and, right now, know the quality of it and how it’s rated and be able to book a table anytime today. Now try to do something even close to that with a physician. That’s true throughout the healthcare system and it impacts the way that we provide care — the physician-focused care. A lot of the problems we have could be dealt with by technology — on email, on the phone, and with pharmacists and practitioners. So it’s trying to take a step back and to say, ‘What’s the health care plan that we would really want if we could blow up our system, and what pieces need to be in place for us to achieve that?’”

Sponsor Updates

  • Verisk Health’s “Moving Healthcare Forward” conference is underway this week in Scottsdale, AZ with presenters that include former HHS Secretary Mike Leavitt. Attendees will also create food packages for local community members through Desert Mission.
  • Sagacious Consultants launches an Epic report writing service featuring hourly billing and no contract required.
  • PerfectServe President and CEO Terry Edwards writes a blog post titled “Learning from the Airlines and Banks.”


Mr. H, Lorre, Jennifer, Dr. Jayne, Dr. Gregg, Lt. Dan, Dr. Travis.





Morning Headlines 9/9/14

September 8, 2014 Headlines No Comments

Interstate Medical Licensure Compact Ready for Consideration by States

The Federation of State Medical Boards announces that its Interstate Medical Licensure Compact is complete and ready for adoption by individual state medical boards. The compact simplifies the process of transferring licenses from state to state, and was written to help make it easier for physicians to provide telehealth services to patients that live out of state.

Chinese engineer accused of stealing trade secrets from GE unit

A Chinese engineer is being charged with stealing trade secrets from GE Healthcare after downloading 2.4 million confidential records from his office in Wisconsin, and shipping them back to China.

Mayo Clinic and IBM Task Watson to Improve Clinical Trial Research

Mayo Clinic will begin using IBM’s Watson supercomputer to improve clinical trial recruitment. The program will automate the now manual process of analyzing patient charts and matching them with clinical trials that are searching for participants. To start, the project will focus on cancer patients.


Curbside Consult with Dr. Jayne 9/8/14

September 8, 2014 Dr. Jayne 2 Comments

Our EHR implementation team is in full swing again, thanks to a mad rush of acquisitions. Like many health systems, we’ve been frantically snapping up practices as we try to tighten our grip on market share.

Although it makes sense that we’d want to build the membership in our accountable care organization, it doesn’t mesh with the quality of some physicians we’ve decided to employ. At this stage in the game, if you’re not employed, you generally fall into a handful of groups: successful independent practice; member of an IPA or other group bargaining arrangement; renegade individualists (such as direct primary care providers); or disasters.

Although we’ve purchased a couple of the former, we’ve apparently acquired some of the latter. It’s easy to see why these disasters would want to be employed in the current economy. The medical group takes over credentialing, HR functions, operational management, billing, marketing, managed care negotiations, and the all-important provision of medical liability insurance. In return, the medical group stamps out competition and gets a captive patient population to add to its ancillary services pipeline.

Usually when practices are acquired, it’s a race to get the physicians migrated to employed status as well as to bring them up on our EHR. For the more savvy practices that have already been on an EHR, we’ve gotten pretty good at conversions. As long as there is data integrity in the source system, we’re able to do a fairly seamless transition. In this round of acquisitions, though, we’ve had a disproportionate share of practices coming off of paper or transcription.

As we race to get them started in our system, there is often little involvement by the operational teams to really look at the practice’s workflow and habits. The EHR implementation team is often sent in as the shock troops with the assumption that they’ll get the practice in line. I’ve fought for years to try to get operational management to understand that you can’t use the EHR as a weapon to beat physicians into submission. If there are serious issues with their office processes or habits, those need to be addressed first. At the current breakneck pace, those concerns are consistently being cast aside.

What do you do, then, when an EHR implementation uncovers serious problems in a practice? I joked to my CEO that if I could file as a Medicare whistleblower, I could retire on my share of the recovery for what I’ve seen this year. Although some of them are “typical,” such as phone messages on sticky notes and passwords taped to the monitor, others are much more serious:

  • A provider with over 1,000 un-dictated visit notes over a 90-day period (all of which were billed out already).
  • Lab tests and medication refills being ordered by unlicensed phone receptionists and front desk personnel without standing orders or a verbal order (otherwise known in many states as “practicing medicine without a license”).
  • Paper controlled substance prescriptions being signed by staff (otherwise known as forgery).
  • Loose pills in a desk drawer (gross as well as inappropriate).
  • Inappropriate web surfing (and it wasn’t online shopping).
  • Inappropriate office relationships (leading to one of my trainers, for the first time ever, abandoning a training session due to the behavior taking place).

I continue to be amazed that district practice managers and other leaders expect us to not only look the other way when we find these issues, but also to figure out how to successfully implement a practice where these happenings are commonplace and accepted.

Just dealing with the first example of un-dictated charts – if the provider was 1,000 charts behind using dictation, there is no way he is going to be able to document visits in the EHR in a timely fashion. I know if I don’t finish my charts as I go, I can barely remember some visits by the end of the shift. There would be no way I could try to dictate a day or two later, let alone three months down the road.

I am also amazed (although I guess I shouldn’t be) that our hospital organization is willing to stoop this low, acquiring practices that are known to have issues just because they want the market share. It’s not like these offices are hiding these behaviors. Even a casual observer could have uncovered them. I can’t imagine someone doing due diligence before purchasing a practice would have missed them.

We’ve also had to work recently in a practice that has what I would consider basic hygiene issues – trash not being emptied regularly in patient care rooms, exam tables not being sanitized, filthy physician white coats, food in the lab, things like that. If a practice is that cavalier about the basics of patient care, it would be difficult to assume that they’re going to be star performers when we start applying standardized workflows and patient care algorithms through the EHR.

I met with our senior leadership to discuss strategy for these situations. Although everyone was wringing their hands and making the right statements, no one agreed to take action. Essentially, the EHR team was told to figure out how to deal with it and to get them live and ready to attest prior to October 1.

In the past, we’d have jettisoned these practices after a year or so, but now that they’re part of our MU payment base, I wonder how it will play out. I can’t imagine them being successful attesters on such a short timeline, so maybe their lack of performance will help them out the door.

It’s no secret at my organization that I’m job hunting. It’s challenging enough to be a CMIO, living in the middle ground between the CIO, CMO, and CEO, all of whom have opinions about how you do your job. It’s another thing entirely to be asked to overlook (if not enable) fraud, illegal activities, and poor patient care.

I know from chatting with colleagues that I’m not the only one seeing these issues, although I may be in the minority in that my organization refuses to take a stand.

Are you a CMIO on the brink? Email me.



HIStalk Interviews Jeff Surges, President, Healthgrades

September 8, 2014 Interviews No Comments

Jeff Surges is president of Healthgrades of Denver, CO.


Tell me about yourself and Healthgrades.

I’ve been around the healthcare ecosystem for close to 25 years. I’ve spent a lot of my time on what you would traditionally call the vendor community in multiple settings — private companies, small and large companies, publicly held companies, and hybrid companies.

I’ve served in many different roles, mostly client- or customer relationship-facing roles as CEO and founder. Then in an operating role helping our customers — whether that’s hospitals, physicians, or extended care providers — efficiently maximize their resources to achieve the results set out by that particular project.

I’ve worked in all settings for multiple years. I think that’s code for, “I’m getting older.” It’s certainly an exciting time again in healthcare for all of us as we see more transformation happening.

Healthgrades is a multi-faceted company that I find amazing. It is a place where nearly one million people a day visit to find the right doctor, the right hospital, and the right care based on a number of ways to search our database of physicians and hospitals by diseases, conditions, or procedures. That starts the information gateway into Healthgrades.

Traditionally, Healthgrades was only in the quality business. It would use publicly available data to run a process of looking at quality metrics and quality data and help hospitals that achieved those results make their community aware of their prestigious status.

Eventually over time, Healthgrades — by partnering with a private equity firm out of New York, Vestar — added two additional components to the value proposition. One is a business that centers itself on CRM, or customer relationship management. The teams work with hospitals on patient engagement, patient access, and what we would now call today population health initiatives. But I think truly I’ve found a place where pop health is real.

Then also, because of the amount of information that the company has on doctors, hospitals, physicians, and care settings, we have a media portion of the business that works primarily with pharmaceutical companies bringing information real time to the point of search based on a consumer’s interest or activity from the site.

Quality, CRM solutions, and a consumer portal that’s leading the industry every day with nearly one million visitors per day.


A lot of sites offer doctor search. How is the demand for that changing and what are people doing with the information?

As we’ve seen over the last three or four years, transparency is becoming more and more important. As the healthcare landscape is changing, the informed consumer is finally awakening to the same destination we go to for other activities, whether we’re looking for a vacation, a home, a car, or a restaurant. If I’m new to a market, have a new health plan, or I am signing up for a personal plan, I want to search for my healthcare now and take more control of that.

The brand of Healthgrades is tried and true over a long period of time as being a trusted resource providing great transparency. The database we have on physicians, hospitals, procedures, and conditions and the ability to be flexible and to showcase those results at the point in time where those results are needed.

Of the visitors we get to the site every day, we know that within a week, an overwhelming majority of those – more than half of them — are going to schedule an appointment with a physician. You’re on the site to conduct some real-time, emotion-filled information search. Healthgrades has become a trusted resource over time as that destination on the consumer side.


Organizations pay to use their Healthgrades rating for marketing. How does the company make money otherwise, including from the search function?

The real misnomer traditionally on Healthgrades has been that there’s an award and then there’s a monetization of the award. What I’ve learned quickly from some of our top clients and customers is that the hospital achieves the awards. They’re achieving that through a methodology that the company has developed using publicly held data and information and then comparing that regionally and nationally. They achieve these awards based on their results and their performance.

The marketing department of a hospital — who is waking up every day more than ever trying to gain awareness and to inform their communities because competition is really high right now — has been engaging with our CRM platforms on a variety of communications. One might be that if you’ve achieved that award, to let your community know that your hospital excels in a particular category. Healthgrades has a platform in the marketing solutions area that helps hospitals inform their communities when making that tough decision on finding a doctor, hospital, or specialist.


Is there a solution to the problem that multiple services offer their own version of ratings or rankings and consumers can’t figure out which one to trust?

Unlike normal Internet search where you would go to a particular search engine, type in a key word, and then get multiple pages of information, those are more for convenience people that are looking to shop or looking to plan. What we know about healthcare is that when you need it, it needs to be there. It needs to be an actionable transaction. It’s got to be trusted.

With Healthgrades specifically focused on finding the right doctor and helping you search, finding the right hospital, and making you aware of the right care setting at that point in time, what I’ve come to appreciate quickly is how we’ve differentiated ourselves because of the longevity and the depth at which the company is using information to help you with that.

There is a lot of activity of people trying to be the next site and the next site. It reminds me years ago when the 1-800 services were around. Ultimately you had to get to a trusted resource. Healthgrades continues to lead in that. That’s one of the things that excited me about the company.


The company is using large data sets, some of which are publicly available. What are the possibilities with so-called big data?

I’m going to have a better answer in a year, but in my first 100 days with the company, what I have really respected about the interaction we have with the consumer, physicians, and hospital clients is the notion that there really is big data in IT.

What will continue to separate Healthgrades will be the ability to expose the data, expose the information, and present it in a way that gives you an informed look.

The term population health is trendy right now, but when you’re working with a hospital that’s trying to identify an aging population or segmenting them by a different category other than just gender, race, or payer type … you’re going to get into the disease, condition, or procedure because you want to let them know about screening and immunizations. You want to let them know that you’ve done some risk stratification and want to contact them because they haven’t had a scan or a screening done. Or you want to identify an opportunity because of the seasonality of allergy or flu.

There’s some real predictive models of data that Healthgrades has at its fingertips. It’s the first company I’ve worked at where the title “data scientist” is not just one or two people, but groups of people working side by side with the hospital’s team to identify those populations in the CRM platform and communicate with them across multiple channels. Not just print, social, digital, and electronic, but taking all those together to get the message out to the community.

It’s more than just, “come to our website.” It’s about keeping healthy in a time where people are looking to trust a resource to guide them on how to do that.


Healthgrades was acquired by a private equity firm a few years back. Having been through that in different places, how does that process work and what’s good and bad about it?

It comes in all shapes and sizes. There are varying degrees of the overall objective.

In the case of Healthgrades and their partnership with their investors, it’s about leveraging the Internet. It’s about leveraging the consumer’s activism. Being patient enough to understand that healthcare is an evolving industry that has survived the test of time.

In many ways, a large private equity organization thinks about a long-term strategy and wants to see that strategy initiate over time. I’ve been part of companies where you have a start-up, an early stage, a venture backed, or you have a smaller private equity that wants to go public. All of those can be good to support what the company’s trying to do at that point in time.

What I’ve come to appreciate and respect about the Healthgrades model is that, in many ways, we’re still at the beginning. Healthgrades is on the patient acquisition, patient engagement, and ROI side of the model at a time when healthcare is looking to see who the survivors are. There’s been so much consolidation through acquiring specialists, physicians, or other hospitals.

There’s a need at the board level of hospitals and at the CEO level of hospitals to start to think about delivering on the promise that a large, integrated network would mean more revenue, more growth, or more sustainable balance sheets.

Being on that side of the equation is new to me, but it’s also very exciting when you see the conversations that are going on around strategies on patient access, patient engagement, and population health initiatives.


What are the most important things that will tell us where healthcare IT will be in five years?

It’s a big question. Those of us who have been around for a few generations now have always thought that the next big thing was going to be the one that pushes healthcare over. Yet whether it was a supply chain era, the EMR era, and now as we move into the big data cloud computing analytics era, it’s just an evolution. It continues to evolve. Demand, the population, payer mix … there are too many forces to even predict it.

The biggest thing we need to do is help our customers who are in the center of it. They’re in the center of transformation, whether it’s governmental, planned change, accountable care, compliance, or quality. Helping them achieve those results in real time. Because to be here for the next wave means you have to survive and thrive in this wave.

Long term means one to two years in many ways. The results of our clients are the most important metrics we can be thinking about.

On the Healthgrades side, we help our clients gain better access to information, use that to target their audiences and their communities, and make sure that those who are approaching them are the most informed and can be the most efficient. Not only for that individual or family, but for the services that the customer wants to provide or the health system wants to provide.


Do you have any final thoughts?

It’s an exciting time. You’re going to see three things coming from Healthgrades.

One is a re-introduction of what I call the new Healthgrades. We’re going to be releasing a lot of data and analytics about our ratings in the fall and using very expressive ways to show how our methodologies can partner with quality and outcomes within a hospital.

If you lined up the T-bar and said on the right side is cost and then the left side is revenue, there is great hope and interesting opportunities helping our healthcare clients — physicians, hospitals, and post-acute settings — survive in this area. Using a CRM platform intelligently with data and analytics is very big.

But healthcare is very local and will always be, and so real-time information and access is going to continue to be of utmost importance. Mobility, social, and interacting with the various platforms is going to continue to challenge us.

That’s an exciting area to be in right now. It’s why I found Healthgrades and Healthgrades found me. It’s been a great fit right out of the gate.

September 8, 2014 Interviews No Comments

Morning Headlines 9/8/14

September 8, 2014 Headlines No Comments

PwC to Propose Open Source EHR System to the Department of Defense Healthcare Management Systems Modernization Program

PwC enters the DoD EHR vendor search, proposing VistA and partnering with General Dynamics as a system integrator, and MedSphere and DSS as commercial resellers of VistA.

Nine Ways Hospitals Can Use Electronic Health Records to Reduce Readmissions

The Society of Hospital Medicine’s Health Information Technology committee publishes a list of nine strategies that hospitals can deploy within their EHRs to reduce all-cause readmissions.

Propeller Health Raises $14.5 Million Series B Financing Led by Safeguard Scientifics

Madison, WI-based Propeller Health raises a $14.5 million Series B and hires Practice Fusion VP Chris Hogg as its COO. The company helps health systems manage their asthma and COPD populations through a rescue inhaler sensor that tracks medication usage, pushing the captured data to both a smartphone app for patients, and a population health dashboard for health systems.


Monday Morning Update 9/8/14

September 5, 2014 News 6 Comments

Top News


Another team officially joins the DoD EHR hunt: PwC, DSS, Medsphere, and General Dynamics, which will offer up VistA.

Reader Comments

From Bon Scott: “Meditech announcing organizational changes. It seems odd that the previous sales and marketing VP is now over services and the VP over an older product line is now in charge of sales and marketing. Think this is a sign of the times with Meditech and it coming across as desperate for change?” EVP Hoda Sayed-Friel (above) takes over implementation and support, VP Helen Waters moves over sales and marketing, and EVP Michelle O’Connor takes over all development.

From OB: “Re: Denver fire department. Great idea — a mobile care unit that handles 911 calls that don’t require a patient to be taken to an ED. I was interested to read that ‘South Metro Fire also relies heavily on Colorado’s new electronic medical records network. The nurse or EMT can call up patient records on the scene to provide care that’s more like an office visit, and dispatchers can check recent medical histories to make sure they send ambulances to people who might really need one.’ Too bad that insurance is not paying for the service right now, hopefully that will soon change.”

HIStalk Announcements and Requests

Thanks to the following sponsors, new and renewing, that recently supported HIStalk, HIStalk Practice, and HIStalk Connect. Click a logo for more information.



Poll respondents see drugstore chains as having significant influence on healthcare going forward. New poll to your right or here: of which industry groups are you a member?

Maybe it’s just me, but I’m creeped out when after casually looking at someone’s LinkedIn profile, they send a message saying, “I saw you looked at my profile. May I help you?” Answer: no, because if I wanted help I could message you just as easily as you messaged me. I don’t really like having my profile views tracked, so I finally overcame my inherent laziness and went to Privacy Settings and changed “Select what others see when you’ve viewed their profile” to the “You will be totally anonymous” option (which surprisingly doesn’t require the hard-sold LinkedIn upgrade). Facebook could have an instant goldmine if they charged for the ability to see who has viewed your profile, just like Netflix will mint coin the moment they break the porn barrier.

Last Week’s Most Interesting News

  • CMS publishes updated Meaningful Use requirements with few changes from the original draft that drew widespread provider ire in requiring a full 365-day reporting period for 2015, meaning hospitals have to be ready to start in the next four weeks.
  • CVS continues its transition to a healthcare powerhouse by renaming itself CVS Health, emphasizing its offerings that include Minute Clinics for primary care and chronic disease management in partnership with health systems.
  • An apparent security weakness in Apple’s iPhone that allowed nude celebrity photos to find their way onto the Internet makes headlines just as the company prepares to announce several health-related offerings.
  • The White House announces a new CTO and deputy CTO from Google and Twitter, respectively, ending the streak of two US CTOs (Aneesh Chopra and Todd Park) who had strong healthcare backgrounds.


September 11 (Thursday) 1:00 p.m. ET. Electronic Health Record Divorce Rates on the Rise — The Four Factors that Predict Long-term Success. Presented by The Breakaway Group, A Xerox Company. Presenters: Heather Haugen, PhD, CEO and managing director, The Breakaway Group, A Xerox Company; Bill Rieger, CIO, Flagler Hospital, St. Augustine, FL. Many users are considering divorcing their EHR as dissatisfaction increases. Many are spending 90 percent of their time and resources on the wedding  (the go-live) instead of the long-term commitment to new workflows, communication, education, and care outcomes (the marriage). Hear more about the findings of research published in “Beyond Implementation: A Prescription for Lasting EMR Adoption” about EHR adoption and success factors.  Registrants get a free electronic or paper copy of the book.

September 18 (Thursday) 1:00 p.m. ET.  DHMSM 101: The Hopes, Politics, and Players of the DoD’s $11 Billion EHR Project. Presented by HIStalk. Presenters: Dim-Sum, an anonymous expert in government healthcare IT, military veteran, and unwavering patriot; Mr. HIStalk. The Department of Defense’s selection of a commercially available EHR will drastically change the winning bidders, the health and welfare of service members all over the world, and possibly the entire healthcare IT industry. The presentation will include overview of the military health environment; the military’s history of using contractors to develop its systems vs. its new direction in buying an off-the-shelf system; its population health management challenges in caring for nearly 10 million patients all over the world, some of them on the battlefield; and a review of the big players that are bidding. This presentation will be geared toward a general audience and will be freely sprinkled with humor and wry cynicism developed in years of working in two often illogical industries that hate change.

Acquisitions, Funding, Business, and Stock


Asthma inhaler monitoring device vendor Propeller Health raises $14.5 million in Series B financing.



Chris Hogg (Practice Fusion) joins Propeller Health as COO.


Fascinating but scary: if you have a Google account, check out its display of where you’ve been lately, as tracked by (a) your Android phone’s GPS, or (b) your use of Google Maps.


Apple adds a countdown clock for its September 9 announcements, also adding that it will stream live video from the same page. Nobody can top Apple when it comes to creating drama and excitement around product announcements. I can’t imagine a healthcare IT company doing anything like that, although Epic probably could if it wanted given its similar fanboy base and creative flair.


Mr. H, Lorre, Jennifer, Dr. Jayne, Dr. Gregg, Lt. Dan, Dr. Travis.

More news: HIStalk Practice, HIStalk Connect.

Get HIStalk updates.
Contact us online.




Morning Headlines 9/5/14

September 4, 2014 Headlines 1 Comment

After quitting tobacco, CVS makes its next health-care moves

CVS pulls tobacco from its shelves a month ahead of its published goal, cutting $2 billion in annual revenue in the process. The company will expand its Minute Clinics and pursue new payer and health system partnerships to compensate for the loss.

President Obama Names Megan Smith U.S. CTO, Alexander Macgillivray Deputy U.S. CTO

Megan Smith, former Google VP of new business development, replaces Todd Park as the new US CTO, while Alexander Macgillivray, Twitter’s former lead counsel, will assume the role of Deputy US CTO.

Cover Oregon needs Oracle’s help to avoid delays in federal health exchange transition

After Oracle and the state of Oregon sue each other over the failed Cover Oregon health insurance exchange, Oracle puts the brakes on efforts to move on by refusing to provide access to the servers and source code for the site. The impasse will likely compromise Oregon’s ability to launch a functional exchange before the start of the next open enrollment period on November 1.


News 9/5/14

September 4, 2014 News 4 Comments

Top News


CVS Caremark changes its name to CVS Health as it also stops selling tobacco products in its 7,700 pharmacies. The company will take a $2 billion revenue hit in removing tobacco from its shelves, but the move obviously positions it more convincingly as a player in the general health market as it expands the number of its Minute Clinics from 900 to 1,500 in the next three years. CVS says it doesn’t plan to move Minute Clinic into full primary care as Walmart is doing, but will expand its chronic disease management services, which is not surprising given its recently announced care management relationships with several health systems and its transition to Epic.

Reader Comments


From Heathkit Assembler: “Re: Apple HealthKit. Here are the company’s specific developer requirements.” The “improving health” part might be just as easily skirted as HIPAA’s “treatment, payment, and operations” unless Apple defines it further.

From Just Nutz: “Re: Meaningful Use. Mr. H’s ‘Comatose’ was the perfect descriptor. CMS could have made 2015 more flexible. The 2014 period ends in 26 days, so people had already figured Stage 2 out if they were ever going to, and Stage 3 was pushed back but virtually no one cares about this today. The primary stressor for hospitals, the year-long reporting period that also starts October 1, was ignored despite thousands of comments urging CMS to address it as hospitals desperately try to get ready for 2015.” I’m glad Meaningful Use interest is finally fading. It was a necessary and ultra-expensive evil for getting poorly selling EMRs adopted, but it’s time to let the free market take back over and forget piecemeal provider bribes that often don’t provide the biggest bang for the patient outcomes buck.

From Nasty Parts: “Re: Explorys. I can confirm that they’re on the market. I hear GE, IBM, McKesson, and Medecision are the suitors.” Unverified.

From Beltway Bandido: “Re: DoD EHR. VistA is in the mix, being bid by DSS, PwC, and General Dynamics.” Dim-Sum told me they are pushing VistA, which has zero chance of getting anywhere for reasons that are surprisingly good.

HIStalk Announcements and Requests

This week on HIStalk Connect: Dr. Travis discusses Apple’s move into healthcare ahead of next week’s anticipated iWatch unveil. Qualcomm announces the 10 finalists in its $10 million Tricorder X-Prize competition. Ybrain closes a $3.5 million Series A to further development of a wearable device designed to help treat Alzheimer’s Disease. Three students from the University of Queensland in Australia win iAward’s Young Innovator of the Year award for a gamified mHealth app that helps children with cystic fibrosis. 

This week on HIStalk Practice: Healthpointe announces a new urgent care telemedicine service. Veterans in Rhode Island share their health data with the VA via the state HIE. President Obama holds Estonia in high esteem when it comes to sharing digital health data. University of Toledo Physicians selects athenahealth solutions. The VA announces mobile versions of its most popular HealtheVet portal applications. Fall conference season – from open source to the cloud – gets into full swing. Thanks for reading.

Note to desperately idea-starved writers trying to sound hip and topical by riding pop culture coattails: articles like “What healthcare can learn from the passing of [fill in ‘Robin Williams’ or ‘Joan Rivers’ or any other recently deceased celebrity’s name]” are about as lazy, pointless, and lame as their titles suggest.

Listening: Dutch progressive rockers Knight Area, which sounds a lot like early 1970s Genesis. They will release a new album in October.



Acquisitions, Funding, Business, and Stock


Best Doctors acquires Rise Health, which offers a population health management platform.  Rise Health’s CEO is Mark Crockett, MD (formerly of OptumInsight/Picis) and its president/COO is Connie Moser (with McKesson until a few months ago).


Clarity Health, which sells a referral management system, raises $1.89 million, increasing its total to $13 million.  

Pain treatment analytics platform vendor Axial Healthcare raises $1.75 million in a Series A round. Paul McCurry, MD, formerly of MedSolutions, founded the Nashville-based company in 2012.  

Google enters the pharma business with a drug company biotech partnership that will research age-related diseases at a cost of up to $1.5 billion.


Piedmont Healthcare (GA) selects Perceptive Software’s Acuo Vendor Neutral Archive.

Health Plan of San Mateo (CA) chooses Verisk Health’s payment accuracy suite.


Saline Memorial Hospital (AR) chooses Allscripts Sunrise. What a great hospital name – if it were located in Normal, IL it could be called Normal Saline.


Singing River Health System (MS) chooses Strata Decision’s StrataJazz decision support and cost accounting.



Nancy Brown (McKesson) joins Oak HC/FT as a venture partner.


As expected, the White House names Megan Smith (Google) as CTO, replacing Todd Park. Former Twitter lawyer Alexander Macgillivray is named as deputy CTO.

Announcements and Implementations

Elsevier will market Tonic Health’s patient data collection platform.

Flint Rehabilitation Devices launches MusicGlove, a Guitar Hero-type game that helps stroke and muscular injury patients regain hand function through music-paced repetitive exercise games.

MedAptus launches Provider Enrollment in partnership with Newport Credentialing Services.

Government and Politics

Former Senators Trent Lott and John Breaux sign on as lobbyists trying to convince the federal government to cancel plans to impose sanctions on a state-owned Russian bank in protest of that country’s activities in the Ukraine. As Lenin said, “We will hang the capitalists with the rope they sell to us.” The healthcare connection: the political guns-for-hire formed the Alliance for Connected Care to twist political arms on behalf of telehealth-invested companies such as CVS, Teladoc, and WellPoint.


Oregon and Oracle are suing each other over the Cover Oregon health insurance exchange, but even though the state is moving to for Medicare it will still need Oracle’s help to get its Medicaid part running. The snag: Oracle won’t give the state access to its servers or set up a new production environment. A consultant’s report says if Oracle doesn’t come to the table by Friday (September 5), the site won’t be ready for the next open enrollment period that starts in November.


HHS announces that a hacker breached a test server of in July and installed malware. Apparently it wasn’t a targeted attack, just the usual hack bot cruising, which HIStalk’s server defenses have blocked exactly 1,000 times today (as broken out by the graphic above) which means nearly every site on the Internet, including, is getting pounded even though they contain nothing of value. It’s unbelievable that any site can keep running given the endless creativity and resources hackers are willing to waste to penetrate pointlessly.


Coming soon to an already economy-devastating US healthcare system: cancer drugs that cost $150,000 or more per patient per year and are required for the rest of a patient’s life.

The city council of Berkeley, CA approves a “charity cannabis mandate” that requires medical marijuana dispensaries donate at least 2 percent of their product to low-income residents, with the mayor arguing that marijuana is a medicine and everybody should have access to it. The response from the California Narcotic Officers’ Association: “Instead of taking steps to help the most economically vulnerable residents get out of that state, the city has said, ‘Let’s just get everybody high.’”

Someone tweeted that “assumptions are imperfect substitutes for data.” I might agree, but with several caveats:

  • Data are never perfect, complete, and free from bias, so there’s always a leap of faith even when data (including the “big” kind) are available.
  • You can lose your advantage (competitive or clinical) while waiting on the perfect set of data.
  • It’s hard to distinguish causation from correlation, subjecting any given data set to imperfection. As our hospital pathologist helpfully told me early in my career when I reviewed a patient’s chart for a committee, “He died with it, not of it.”
  • Sometimes intuition, experience, and people knowledge works better than data. The challenge is to determine which side of the fence a given situation falls on. Ideally, someone with that intuition, experience, and people knowledge is the one evaluating the data so you get the best of both worlds.
  • Healthcare straddles the fence above. Data analysis can provide new insight and help make treatment decisions, but only if wielded by expert clinician hands. You as a patient are just like other patients in not wanting to be managed by faceless payer or government algorithms cranked out from population health number-crunching that don’t take your own feelings, impressions, and beliefs into account. When it comes to the practice of medicine, art and science aren’t conveniently demarcated by a sharp line.
  • Bad decisions can (and often do) come from good data.


Weird News Andy calls this story from England “Meals on Wheels.” A new hospital uses a fleet of 12 robots to deliver patient meals, linens, instruments, and pharmacy items to the floors. Unrelated but interesting is the hospital’s response to patient complaints about small portion sizes, some of which found their way (with pictures) online: “We don’t know if it is a frail old man we are serving or a large rugby player so it’s up to each ward to know their patients and serve food accordingly.” WNA finds this a good story pairing: a company’s restaurant robot grinds beef and cooks it to order to create 360 burgers per hour, even slicing tomatoes and pickles simultaneously and placing the finished product in paper bags. The company’s co-founder says the machine isn’t intended to make fast food employees more efficient, but instead to eliminate them.

Sponsor Updates

  • NVoq announces the 2014 SayIt Healthcare Productivity ShowcaseFest, where 12 chosen healthcare professionals will work with the company’s SayIt speech recognition product to build and record a voice-optimized EMR Showcase. Nominations are due September 26.
  • GetWellNetwork Inpatient earns 2014 Edition Modular Inpatient EHR certification.
  • EDCO Health Information Solutions will host a session titled “An Unexpected Necessity – Indexing Software” at the AHIMA conference in San Diego on September 28.
  • Impact Advisors publishes a blog post, “Meaningful Use Final Rule.”

EPtalk by Dr. Jayne


The Greenway Engage14 user group meeting kicked off today in Dallas. I’ve got a reporter embedded. Here are some of his preliminary thoughts.

“We are making our final descent into Dallas, where the temperature is 99 degrees and the local time is 8:04 p.m.” Maybe it is just me, but it felt like 324 degrees Kelvin when departing the airport. Greenway has chosen yet another Gaylord hotel, this time a short ($25 cab) jaunt from DFW. It is the official hotel of the Dallas Cowboys and there are some players milling around and mixing with the OB/GYNs. It is a huge complex. So far, no riots over MU2 have broken out. That being said, the gent next to me at the bar was here to cancel his contract — he was hoping to get to do so directly to Tee Green. He was upset about product performance and issues upgrading, describing 2014 as, “The year I will never recover from financially.”

I’ll be curious to see and hear some other opinions as the conference begins in earnest tomorrow. I remain skeptical of the premise that the annual way to educate and inform your best customers is to price gouge them at a hotel that is inconvenient at a time when most kids are just going back to school and many practices are becoming quite busy. For now, everyone is getting settled in for what should be a long weekend of wondering what happened to MU and where they go from here. Also, what happened to Vitera in all of this, their product wasn’t so bad …”

He plans to attend the opening night gala and snap some photos and get feedback from the trenches as the liquor flows. I perused the agenda to suggest some sessions for him. It seems they have ambitiously scheduled fitness classes on Friday and Saturday at 5:30 a.m. I noticed they left them off the schedule for Sunday morning, which is probably a good thing since their client event runs from 7 p.m. to 1 a.m. the night before. The agenda says the “Greenway team is famous for its dance moves,” so I’ll definitely be on the lookout for photographic evidence.

I don’t envy them with the updated Meaningful Use timeline being released the weekend prior. Attendees will expect Greenway staffers to be knowledgeable and ready to provide advice on their particular situations. I have to admit this is the first rule I’m not going to read in its entirety. Like Mr. H, I am kind of “over” MU and will wait for the CliffsNotes versions that I anticipate my vendors will send within a week or so.

I laughed as I went through my inbox. Right after the notification from CMS was this article from JAMA touting the benefits of “cognitively stimulating activities such as reading” as preventive against cognitive impairment. I think I’ll go for some 2048 instead.

As for my roving reporter’s comments about user group meetings in general, I’m sympathetic. Our primary vendor’s meeting continues to increase in cost, not only for the meeting itself, but for hotel and travel. We’ve had to cut back on the number of people we send and rotate attendees to make sure that everyone has the chance to go every few years. A couple of our staffers who really enjoy attending have gotten smart and submit a presentation every year in the hopes that they’ll be selected to speak and will get one of the coveted spots.


Thanks to Dr. Travis for turning me on to NomadList, which appeared in a tweet about 25 promising startups. NomadList quantifies the best cities to live in when you can work remotely, providing info on cost of living, Internet speed, and weather. I know a couple of consultants who have a minimal home base and travel all the time whether they’re client-facing or not. I once had an EHR conversion done by a guy who admitted he was processing my data from the beach in Thailand. Top US cities include San Juan, Las Vegas, Austin, Dallas, and Park City.

If you’re a digital nomad, what do you think? Email me.



Morning Headlines 9/4/14

September 3, 2014 Headlines 3 Comments

Task force taps the brakes on interoperability

During Wednesday’s Health IT Policy Committee meeting, members decide that a JASON report on health data interoperability that had been created to guide future policymaking is inadequate and overlooks the pressures on EHR vendors.

Google’s Calico, AbbVie forge deal against diseases of aging

Google’s Calico initiative to extend human life enters into a $500 million research agreement with US drugmaker AbbVie to help create life sciences research facilities in Silicon Valley, and then collaborate on drug development projects. Each business will contribute $250 million initially, with the option of adding an additional $500 million over the lifetime of the partnership. The team will share both costs and profits equally as new drugs are developed and marketed.

Groups press FDA to encourage medical-device registries

Pew Charitable Trusts, the Blue Cross and Blue Shield Association, and the Science Infrastructure Center run by Weill Cornell Medical College are collectively calling on the FDA to create a medical device registry that would be tasked with post-market surveillance and capturing data for long-term research initiatives.

CMS finalizes auto-enrollment process for current Marketplace consumers

CMS publishes a final rule that will provide consumers who purchased their health insurance over an insurance exchange with a simple way to renew the plan.


Readers Write: Lessons Learned from the CHS Breach

September 3, 2014 Readers Write 2 Comments

Lessons Learned from the CHS Breach
By John Gomez

In early 2014, a group of security researchers began to suspect that some implementations of SSL — a commonly used method to encrypt data — were not as secure as the name would imply. Their thesis was rather elegant, actually more art than science, but fascinating just the same.

They hypothesized that although the cryptographic algorithms may well be secure and protect over-the-wire data (data sent across a network) from prying eyes, the actual programming used to implement the algorithms may have flaws. If there was a flaw in the underlying implementation — such as how memory is managed, for instance — then SSL could become a tool for nefarious agents to exploit and compromise network security.

On April 1, 2014, two groups of security researchers (Neel Mehta of Google and Codenomicon) announced that such a flaw did exist in SSL, specifically in OpenSSL. This vulnerability came to be known as Heartbleed.
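The class of flaw described above, sound cryptography sitting on top of a memory-handling mistake, can be shown with a simplified model of a length-prefixed echo message; Heartbleed was a missing bounds check of this kind in OpenSSL's heartbeat handling. This is an added example, not OpenSSL's code and not the author's: the message layout, buffer sizes, function names, and the planted secret are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not OpenSSL code. One flat array stands in for process
 * memory: the peer's message sits at offset 0 and unrelated sensitive data
 * happens to live a few bytes further on. */
#define ARENA_SIZE    64
#define SECRET_OFFSET 16
#define REPLY_CAP     (ARENA_SIZE - 2)
static const char SECRET[] = "CONSTRUCTED-KEY";   /* sample value */

/* Hypothetical message layout: 2-byte big-endian claimed payload length,
 * then the payload. The receiver is expected to echo the payload back. */
size_t build_arena(uint8_t *arena, uint16_t claimed, const char *payload)
{
    size_t plen = strlen(payload);
    memset(arena, 0, ARENA_SIZE);
    arena[0] = (uint8_t)(claimed >> 8);
    arena[1] = (uint8_t)(claimed & 0xff);
    memcpy(arena + 2, payload, plen);
    memcpy(arena + SECRET_OFFSET, SECRET, sizeof SECRET - 1);
    return 2 + plen;                     /* bytes actually received */
}

/* Flawed handler: trusts the length the peer claims. The clamp to REPLY_CAP
 * exists only to keep this demo inside the constructed arena. */
int echo_unchecked(const uint8_t *msg, size_t received, uint8_t *out)
{
    size_t claimed;
    if (received < 2) return -1;
    claimed = ((size_t)msg[0] << 8) | msg[1];
    if (claimed > REPLY_CAP) claimed = REPLY_CAP;
    memcpy(out, msg + 2, claimed);       /* never compared with 'received' */
    return (int)claimed;
}

/* Hardened handler: the claimed length must fit inside what arrived. */
int echo_checked(const uint8_t *msg, size_t received, uint8_t *out)
{
    size_t claimed;
    if (received < 2) return -1;
    claimed = ((size_t)msg[0] << 8) | msg[1];
    if (claimed > received - 2 || claimed > REPLY_CAP)
        return -1;                       /* drop the malformed request */
    memcpy(out, msg + 2, claimed);
    return (int)claimed;
}

/* Returns 1 if the planted secret appears anywhere in buf[0..n). */
int contains_secret(const uint8_t *buf, size_t n)
{
    size_t slen = sizeof SECRET - 1, i;
    for (i = 0; i + slen <= n; i++)
        if (memcmp(buf + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Sends a 4-byte payload with the given claimed length through one handler.
 * Returns -1 if the request was rejected, 1 if the reply carries the
 * neighbouring secret, 0 if the reply is clean. */
int demo(uint16_t claimed, int use_checked)
{
    uint8_t arena[ARENA_SIZE], out[REPLY_CAP];
    size_t received = build_arena(arena, claimed, "ping");
    int n = use_checked ? echo_checked(arena, received, out)
                        : echo_unchecked(arena, received, out);
    if (n < 0) return -1;
    return contains_secret(out, (size_t)n);
}

int main(void)
{
    printf("honest length, unchecked: %d\n", demo(4, 0));
    printf("honest length, checked:   %d\n", demo(4, 1));
    printf("inflated length, unchecked: %d\n", demo(40, 0));
    printf("inflated length, checked:   %d\n", demo(40, 1));
    return 0;
}
```

The encryption protecting the connection plays no part in either outcome: the difference between the two handlers is a single comparison of the claimed length against the bytes that actually arrived.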

Within hours of the vulnerability being announced, sites around the world were compromised, including the Canadian Revenue Agency, Mumsnet in the UK, and others. Early estimates showed that well over a million sites and X.509 certificates were at risk of attack. On April 12, 2014, University of Michigan reported that a server in China had attacked a decoy server at U of M with advanced tools to exploit the Heartbleed vulnerability.

The revelation of the Heartbleed impact created shock waves. Some, like the Electronic Frontier Foundation, called it “catastrophic,” and Forbes columnist Joseph Steinberg declared, “Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet.”

Within days of the disclosure, the Federal Bureau of Investigation released a private industry notice (or PIN) to the healthcare industry that stated, “The healthcare industry is not as resilient to cyberintrusions compared to the financial and retail sectors, therefore the possibility of increased cyberintrusions is likely.”

Flash back to February 2014, when a group of hackers known as Unit 61398 was suspected of launching cyberattacks against a variety of US industries, specifically the financial, transportation, energy, and healthcare sectors. Unit 61398 is believed to be, according to cybersecurity firm Mandiant, a top-secret unit of the People’s Liberation Army based in Shanghai.

Since February 2014, it has been learned that Unit 61398 is not specifically tasked with cyberattack missions, but it is believed to have developed highly sophisticated software and hardware tools that could be used for cyberwar, typically known as cybermunitions. Speculation is that these tools are made available to independent hacker groups for “testing purposes only,” although this has never been confirmed.

One such group believed to have gained access to these tools is APT 18, a well known and highly sophisticated group of Chinese hackers with branches in Shanghai, Hong Kong, Singapore, and the United States. APT is shorthand for a type of cyberattack known as Advanced Persistent Threat. APT 18 specializes in conducting those attacks.

It is believed that within hours of the Heartbleed disclosure on April 1, APT 18 started customizing the tools from Unit 61398. One they possibly created is a Remote Access Tool (or RAT). A RAT works by using a carrier to gain access to network systems, usually by rather simple means. For example, a RAT can be deployed inside a network as a result of a user watching a video, reading an e-mail, or opening a file.

A highly common way of distributing a RAT is through a trusted third-party communication, which is typical in exchanges between business associates and covered entities in healthcare. A RAT could also be deployed to a medical device with a vulnerable call-home feature and network access.

The RAT allows remote control of a network, servers, devices, and much more. Just like a real rat, a cyber-RAT is infectious and can cause severe damage. The current thinking is that APT 18 targeted Community Health Systems (CHS) and successfully introduced a RAT before CHS could apply the Heartbleed patches to all of its systems. This is speculation, but highly probable.

It is also probable that APT 18 was successful because it had started targeting the healthcare industry in February 2014. Heartbleed was a fortunate development. It is also believed that CHS is not the only targeted healthcare entity and APT 18 may have compromised other healthcare organizations that may not have discovered the compromise yet. APT 18 may have used other vulnerabilities to infiltrate the CHS system, but for purposes of this article, we will continue to embrace the common thinking that Heartbleed was the key mechanism.

Criticizing CHS would be wrong. It acted quickly and there’s no evidence that it was negligent or dismissive. A better use of our time as an industry would be to learn from the CHS experience. The healthcare information technology sector is under attack by sophisticated enemies who will persist in their attacks on healthcare infrastructure as a means to undermine patient confidence in our ability to provide quality care and security.

We should be thankful that the CHS breach was limited to data because a RAT can take over an MRI, CT scanner, or EMR system to impact patient safety. Other cybersecurity researchers have demonstrated how to attack X-ray machines and other medical devices. The risk of attack on medical devices prompted the FDA to issue a memorandum on security to medical device manufacturers in June 2013. Although some manufacturers have responded to the memo in a positive manner, some have ignored its warning.

The most important lesson we can take away from the CHS breach is that we as an industry, to echo the FBI PIN, are “…not as resilient as other industries.” Which leaves us with the question: how do we improve our security stance and become more resilient?

Security takes money and a lot of it. There is no way to sugarcoat that fact or to make it more politically correct. NBC News recently reported that the annual cost of healthcare breaches is approximately $5.9 billion. Being secure means educating the board of directors and making it a core investment of the healthcare organization. There is no cheap answer or strategy.

Then, consider how to become aggressive about cybersecurity. Not assertive, but aggressive. Here’s an analogy.

Think of a healthcare system as a castle. Castles had multiple layers of security — intelligence, physical deterrence, internal and external defensive tools and strategies, propaganda, community allegiance, and, “Oh, crap, everything has failed” plans.

The safest castles — the ones that truly focused on protecting their inhabitants, allowing them to pursue a happy and high quality life — had the best layers of coordinated defense and offense. The castles that simply deployed the basics — a moat, drawbridge, some pots of tar, and maybe a few archers — soon learned that a persistent and determined attacker, like APT 18 or others like them, would eventually defeat these strategies.

In today’s terms, that means if you have firewalls, intrusion detection, penetration testing, DLP and similar tools, and policies and procedures, you either have been breached or you will be breached, just like the simpleton castle that did only the basics. A Level III castle.

If you take things up a notch, maybe employ a CISO, get advanced tools, and offer community education and compliance monitoring, you’re on the right track. Still, the odds are that you will get taken out. Your castle is a bit more sophisticated as a Level II castle. You added some alligators to the moat, armed the citizens, and took survival a bit more seriously. A good job, but you could do better. You are assertive, not aggressive.

The best castles invest in leading edge tools, form regional security councils to share ideas and help each other, create crisis response plans, educate their business associates, and use tools for real-time compliance monitoring, data discovery, classification and categorization, and locking down medical and mobile devices. This is a Level I castle. Just like in medieval times, it has not only strong external defenses, but also internal mazes, secret passages, trap doors, nightingale alarms, and remote forces that can respond at a moment’s notice to surround the enemy.

It’s true that someone can get into even a Level I castle, but a Level I castle will survive longer than a Level II or III castle. In fact the odds are that a Level I castle will repel attacks and be standing after an APT or coordinated persistent attack.

If you had to put your family and loved ones in a castle that was going to be attacked, you would choose the Level I castle. You would do anything to safeguard the lives of those you love. In this day and age and within our industry, cybersecurity is not about privacy any longer. It is about safeguarding patient lives.

It doesn’t matter how the CHS attack happened. It is a wake-up call. Vendors, providers, and allied health entities need to build a Level I castle because they are at risk of coordinated and focused attacks. APT 18 is just one of hundreds of organized entities and thousands of independent attackers who are targeting healthcare and your castle.

To give you an example of how the stakes have been raised, ISIS (yes, the Middle East terror group) has several hundred computer programmers and hackers on their payroll. Take a few moments to let your mind wander about the damage a group like ISIS could cause to your castle. Some of those attackers will be happy with just taking data, while others won’t be happy until they take a patient’s life. 

CHS has shown that life for all of us in healthcare information technology has changed. The only remaining question is, whose castle will be next?

John Gomez is CEO of Sensato of Asbury Park, NJ.

September 3, 2014 Readers Write 2 Comments

Advisory Panel: Reactions to the Community Health Systems Data Breach

September 3, 2014 Advisory Panel No Comments

The HIStalk Advisory Panel is a group of hospital CIOs, hospital CMIOs, practicing physicians, and a few vendor executives who have volunteered to provide their thoughts on topical industry issues. I’ll seek their input every month or so on important news developments and also ask the non-vendor members about their recent experience with vendors. E-mail me to suggest an issue for their consideration.

If you work for a hospital or practice, you are welcome to join the panel. I am grateful to the HIStalk Advisory Panel members for their help in making HIStalk better.

This month’s questions involve actions taken in response to news of the recent hacking of Community Health Systems via the Heartbleed exploit.

What new actions or security reviews has news of the CHS breach caused in your organization?

I have been asked to have a penetration test performed on our network by our COO. This level of attention is unprecedented. I owe the folks at CHS a thank you gift for raising awareness amongst the rest of our executive team.

Asked my management team to review our systems again. I’m not positive the networking group reviewed their systems in April. I am now. 

It’s a reminder that we must constantly scan our environment for vulnerabilities and remediate every exposure. We have decommissioned some hardware as a result of our Heartbleed assessment.

We reviewed our current IE-based connectivity, i.e., Cisco (far better than Juniper).

[from a vendor member] As a result of recent breaches such as Community and Sony, we are setting up IDS — intrusion detection — for our production environment. We are now getting daily reports on access activity from our prod environment, paying very close attention to foreign access attempts. We are also turning up our white hat vulnerability scanning of our code base before deploying to production. White hat is also doing proactive vulnerability testing in our prod environment. SQL injection and cross-site scripting vulnerabilities are specifically targeted. We are doing everything possible to be proactive to protect all client data under our care.

Gather details on the CHS breach. Ensure that we don’t have the same exposure. My understanding was the Heartbleed vulnerability was unpatched on a VPN device (vendor omitted) and the device was configured for single-factor authentication only. From there, the attacker leveraged a known trojan backdoor to gain remote access to unpatched / unprotected Windows machines.

The news of the latest breach pretty much is part of the background noise since there is a breach every couple of days.

We are implementing a data loss prevention product to help mitigate the risks.

No new technology, but increased education for our staff  to remind them that security involves all users. We also presented our information security plan to our board, which met this week.

New actions, none. We had done sweeps using scripts to detect the Heartbleed SSL on our publicly-facing systems. We already have active security sweeps that detect Heartbleed vulnerabilities as well as any exploitation attempts.

We are re-evaluating our ability to detect large outbound data flows.

It actually happened at a good time. We were in the midst of our annual security audit when the news broke. We had just received initial results which showed our security posture. Tying the breach to our posture and presenting to executive leadership and the board gave our security program immediate credibility.

We have been reviewing our policies for vendor-managed systems and will be setting a revised set of standards for all vendors to follow irrespective of whether they like it or not.  We culturally and procedurally need to move away from the mentality of, “This is vendor managed, so we don’t touch it.” 

No new actions or reviews. Has led to heightened organizational awareness.

No changes. We are already monitored by a third-party vendor and have security set around our perimeter.

Review of all access privileges and more limited access to some previously given more global access. Creating more steps for some who have global access because we are asked to do things others used to do when they had access to the data.

We have not changed anything since the CHS attack. We have not performed anything in addition to our current IT security assessment, which coincidentally is running right now.

[from a vendor member] No new actions. We are already pretty paranoid. As a vendor organization with large payer and provider data sets, we’d be in big trouble if we breached. 

We have re-examined our approach to Heartbleed, but recognize that all of our best efforts are sometimes not enough. We focused on remediation, but also on response should we have a problem.

Initial reports suggest that the Heartbleed exploit was involved. Are you confident that your network equipment software has been updated?

I am as confident as reasonably possible. We have outsourced most of our security monitoring to a third-party service and they have scanned and validated we are secure. 

Yes. (two responses)

We are confident that our actions have corrected identified issues. This seems to be a “known unknowns” kind of situation where we know about some system components not managed by us that could be vulnerable. Vulnerability scanning continues.

Yes. We scan with Qualys monthly and before any new infrastructure is put onto the PRD network.

Yes. We have the same Juniper SSL VPN and applied the update soon after the exploit was identified.

When the Heartbleed exploit was publicized, we reviewed all our existing infrastructure and patched what we could. We continue to work with vendors to ensure that all needed patches have been installed.

Public Internet facing, yes, we are protected. There are a number of free or custom scripted scanning engines to verify. We’ve done that with QualysGuard on the big-name side, custom scripts on our security team, and finally by pushing as many things through our F5 load balancer that was not as affected on the SSL off-loading side. Internally there are a ton of HTTPS/SSL security administration pages that need updates still, this many months on.

We initiated a remediation effort as soon as news of the Heartbleed vulnerability went public. While we feel pretty confident we have addressed the known vulnerability, we remain vigilant for suspicious activity.

We ran a test that showed that we only had one Heartbleed exposure, on a semi-retired system, which we fixed.

Not fully as we are completing our assessment, but believe our plans will largely address this.

Confident yes. Certain, no.

I hope so:) not confident.

I am never confident that we have covered every possible point keeping software up to date. There is always a chance we have missed something that will expose us to an exploit. Not that we accept vulnerabilities, but we are realistic about what we can and cannot protect.

[from a vendor member] We are pretty confident our network is up to date. It is amazing as a recently founded company (less than five years) with a hosted "cloud" model the amount of equipment in our office is down to laptops and a switch, one server for hardware experiments that is not hosting live data. Everything else is hosted and easy to control and evaluate. That is underappreciated in its effects in your efficiency and margins as an organization.

One of our staff reads Finnish blogs and we found out early. The patch was installed quickly.

We think so, but have chosen to take a more comprehensive look.

Would your network monitoring procedures detect unusual user behavior or large data transfers?

We are missing some components of a perimeter security solution (IDS/IPS for one). This event has escalated the discussion and we are now pursuing the purchase of products and services to fill in a few gaps.

Probably not. Our logs are so voluminous we can’t find the needles that are in the haystacks, let alone tie needles from multiple haystacks together. 

Yes. We use intrusion detection and other monitoring techniques and have a 24×7 monitoring team to support detection.

Not really, but large data transfer is generally inhibited or not allowed.

Yes. DLP would detect/block any abnormalities at egress through the internet proxy.

No. We have to implement our data loss prevention solution before we can detect those.

We recently installed a new product from our core security vendor that looks for unusual traffic on our network and has the ability to block traffic or a workstation when it sees something unusual. We feel this new system will be critical in responding to events where no known malware or virus has been published.

[from a vendor member] We hope so. Our tests have picked up this kind of behavior, but frankly I’m always impressed at the ingenuity of software developers. It is what we pay them for, but since they could write the rules for those tests, they usually have insight into how someone might take a shortcut. 

Yes. We have a security analytics platform based on real-time logs and network capture. There are a number of custom “content” detection methods we have on that solution. We detect abnormally large SSL handshakes, for example, an indicator of someone attempting to grab a full 256-bit data response from a vulnerable OpenSSL installation. When it comes to data exfiltration, we have the same security analytics platform plus a DLP platform, security operations center (SOC) rule sets, web filtering rules that would detect large transfers, and your general network operations center (NOC) monitoring.

We believe they do.  However, continuing to re-evaluate and test our ability to detect large outbound data flows.

Yes. Firewall alerts show large transfers. Geoblocking rules stop any transmissions to non-US IP addresses.

Not completely as it currently stands. We are presently executing upon a set of strategies that will address this and other matters in the coming months.

Likely only very significant or large-scale activity.

Yes, we have checks and balances in place.

We have tools in place to detect abnormalities. However, we have not tested for this scenario … yet.

We have mechanisms for detecting unusual user behavior and our software blocks large data transfers (Outlook). Anything more sophisticated than that would not be seen. The traffic (network) software requires human monitoring to be useful and we are short-staffed in that area.

Yes, I believe so. We have invested in tools and technologies, but in many ways, it just means we might detect something a bit more quickly than we might have otherwise detected. Not truly about prevention — just detection.

What ONE recommendation would you offer to a hospital trying to assess or improve its security against cyberattacks?

If you’re a small to mid-size healthcare organization, hire qualified professionals to evaluate, plan, and implement a full security program.

You can’t have one. Cyber security is multiple layers of different locks with keys held by multiple people. 

Address identified vulnerabilities without delay.

Have a robust Intrusion Detection System – we use McKesson as our ISP.

Diligence. More specifically, scan, patch, repeat. Strong password policies and two-factor authentication.

Tools are available. Look at the products in that space and select and implement. It will take a senior-level network resource to do it right.

Multi-layered security infrastructure and lots of training for staff.

[from a vendor member] Cloud vendors are probably more secure and less likely to breach their data, which doesn’t seem to make sense until you really examine the required data flows and architectural components. And watch those appliances and browser plugins, but I’m sure they are ahead of those issues already. 

Hire a SOC or some other Managed Security Service (MSS) based off a security solution that uses both log sources as well as network capture. If that is too much $$ for the analytics solution, at least hire a managed/outsourced SOC to watch your firewall/public Internet device logs. If a hospital can’t spend ~$10-30k per year to fund watching the front door, there are many other ways to breach that organization. 

Ensure firewalls are secure and these firewalls are sensitive enough for certain levels of attack and then immediately be informed of the attack to  those who need to know.

Take these threats seriously and prepare. Many in our healthcare industry seem to feel that these things only happen to financial institutions or commercial organizations. We’re the new target and, unfortunately, I think we’ll see more of these large breaches before healthcare finally takes security seriously.

Take it seriously. Now even small hospitals are a target. You can't follow "security by obscurity" any more.

Use common sense. When it’s been announced in every major public media source that there is a bug in the software that health systems use that leaves them vulnerable to data breaches, they should fix the bug immediately. We still regularly hear about unencrypted laptops being stolen. I wonder how many health systems there are out there that still haven’t fixed the Heartbleed bug and won’t until they have a breach?

Invest in security in your org and engage the people to have heightened awareness of security risks. Bad things will happen; the bad guys have more money, more resources, and more time than many of us. It is important to know how to reduce exposure and be prepared for the bad events. In many ways, it is like the principles of a High Reliability Organization, ideas promoted by Drs. Weick and Sutcliffe.

  1. Be preoccupied by failure. Focus on what could go wrong.
  2. Be reluctant to simplify interpretations. Don’t jump to simple conclusions – try to understand the situation.
  3. Sensitivity to operations. Respect the folks close to the problem; they may be able to help you detect that something is going wrong.
  4. Commitment to resilience. Be prepared to bounce back; don’t give up.
  5. Deference to expertise. Engage the experts.

We have dedicated software, not hardware, for DDOS attacks, but those are pretty obvious when they are happening. Far and away it is the human factor, phishing, that is the danger, perhaps even more so from the IT department who considers themselves immune to this type of attack. I bet they are just as gullible as every other user.

Install an IPS. It is amazing to see how many times a day you are scanned and/or attacked. The right technology will allow you to “see” the activity and defend against attack.

Use an outside firm that has expertise in this area to do an annual assessment and also perform white hat hacking. You will be amazed at what is discovered and how this information can help position the organization to be as prepared as reasonably possible against attacks.

I would love to believe that ONE recommendation would address our reality. This space is one of the most underrated in terms of complexity, cost, and risk. We have spent the past 18 months going through an exhaustive planning and education process to thoroughly assess where we are and where we need to be. There are technical parts for sure which need to be understood and addressed. These are the easiest to deal with because they are, by definition, known. The issue is, how do you reconcile an organization’s risk tolerance against a growing uncertain threat? This is not an easy topic to get organization leaders’ heads around. Take the recent situation at Children’s of Boston. Did any of us actually believe we providers would be the victim of an attack from a sympathetic group involving the care of a very tragic patient care situation? 

We live in a different world at a very different time. We providers are all under a significant amount of pressure as we deal with all of what is happening in our space. I believe most of us have been making “best reasonable efforts” to do the right thing and safeguard the information which we need to be responsible for. We also need to invest in a wide variety of enablers to transform ourselves into what we believe is important. Everyone is becoming more sensitive as most people know that no one is immune to this threat and it’s just a matter of time. Unfortunately, it’s difficult to make the necessary investments to mitigate against most if not all of the threats given the economic pressures that we are all under. Interesting topic in very interesting times.
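Several panel answers above mention custom checks for abnormally large SSL responses tied to Heartbleed. The sketch below is an added illustration of one such check, not any panelist's or vendor's code: it reads only TLS record headers (content type 24 is the heartbeat type defined in RFC 6520) and flags a server heartbeat record far larger than the client heartbeat it answers. The function names, the 256-byte slack and the sample traffic are assumptions made for the example.

```python
import struct
from dataclasses import dataclass

TLS_HEARTBEAT = 24                     # heartbeat content type (RFC 6520)
RECORD_HEADER = struct.Struct("!BHH")  # content type, protocol version, body length
MAX_RECORD_BODY = 2**14 + 2048         # largest record body TLS 1.2 permits


@dataclass
class Record:
    direction: str      # "c2s" (client to server) or "s2c"
    content_type: int
    version: int
    length: int         # body length taken from the record header


def parse_records(direction, stream):
    """Walk one direction of a TCP stream and return the TLS record headers.

    Only the 5-byte headers are read, so this works whether or not the
    record bodies are encrypted.
    """
    records, offset = [], 0
    while offset + RECORD_HEADER.size <= len(stream):
        ctype, version, length = RECORD_HEADER.unpack_from(stream, offset)
        if version >> 8 != 3 or length > MAX_RECORD_BODY:
            break  # framing is no longer TLS; stop rather than guess
        records.append(Record(direction, ctype, version, length))
        offset += RECORD_HEADER.size + length
    return records


def find_oversized_heartbeats(conversation, slack=256):
    """Return (request_len, response_len) for suspicious heartbeat replies.

    conversation: ordered (direction, bytes) chunks, each holding whole records.
    A normal reply echoes the request, so the two records are about the same
    size. `slack` (an assumed, tunable value) absorbs padding differences.
    Simplification: every server heartbeat is treated as a reply, and a reply
    split across several records raises one alert per record.
    """
    alerts, last_request = [], None
    for direction, chunk in conversation:
        for rec in parse_records(direction, chunk):
            if rec.content_type != TLS_HEARTBEAT:
                continue
            if rec.direction == "c2s":
                last_request = rec.length
            elif last_request is not None and rec.length > last_request + slack:
                alerts.append((last_request, rec.length))
    return alerts


def _record(ctype, body_len):
    """Constructed sample record: real header, zero-filled body."""
    return RECORD_HEADER.pack(ctype, 0x0302, body_len) + bytes(body_len)


# Constructed sample conversations (not captured traffic).
NORMAL = [("c2s", _record(22, 120)), ("s2c", _record(22, 900)),
          ("c2s", _record(24, 35)), ("s2c", _record(24, 35))]
SUSPECT = [("c2s", _record(22, 120)), ("s2c", _record(22, 900)),
           ("c2s", _record(24, 19)), ("s2c", _record(24, 16384))]

if __name__ == "__main__":
    for name, conv in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, find_oversized_heartbeats(conv))
```
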
