
Monday Morning Update 9/21/15

September 20, 2015

Top News


A hobbyist geek prowling around the publicly accessible subdomains on Amazon Web Services finds unencrypted SQL database backups, apparently from claims management vendor Systema Software, that contain the personal and medical information of at least 1.5 million people. He also found a complete backup of the Kansas State Self-Insurance Fund, thousands of PDF scans from Golden State Risk Management Authority, insurance files, fraud investigation notes, and a 570,000-entry address book. The SQL backups also contained user login information and proprietary information. Vendors and health systems that use AWS might want to double check their security settings.  

Reader Comments


From With a Spoon: “Re: vendor gag clauses. You are right and the online magazine is wrong. A gag clause is a specific set of contract language that prohibits a customer from saying or writing something negative about their vendor. Nothing else is a gag clause, especially intellectual property limitations, and nothing else has a negative impact on patient safety. Plus, just because a customer isn’t prohibited from alerting other users about a vendor software problem doesn’t mean they will – like information blocking, it’s not just what the vendor prohibits, but what customers are willing to actually do when it doesn’t benefit them.” Congress is hearing from people who don’t know what they’re talking about that gag clauses exist and they’ve provided no evidence. I also agree that everybody assumes it’s the bad old vendors who are responsible for the lack of information sharing among customers, which doesn’t hold water in most cases because it’s the customer who benefits from walling off their data.


Contrast Politico’s much-hyped headline with its non-story that obviously confuses IP clauses with non-disparagement clauses and provides no evidence of what the headline claims. Meanwhile, the folks at HIMSS Analytics have graciously offered to give me access to the CapSite contract database, so I’ll do my own looking for such clauses and will let you know what I find.

From Screener: “Re: sharing software screen shots. The reason vendors require customers to ask permission first is that much of a vendor’s product design and internal algorithms can be deduced from a screen shot. Collecting all screens of a vendor exposes the heart and soul of their design. Without a ‘you can’t post our screens without asking’ default, certain people would apply their personal critique indiscriminately, possibly funded by special interests or even competitors (some sites have on-site doctors who work for the competitors of their EHR vendor).” I admit that a couple of times early in my career, I used a vendor’s screen I remembered having seen as a basis for writing a program for my own hospital, although it didn’t affect that vendor since my stuff was for internal use only. Courts have ruled that vendors can’t claim copyright infringement for look and feel, screen layouts, and algorithms, meaning the only physical parts of software that are protected are the actual programming code and database schema. Therefore, the only way a vendor can protect itself from outright theft is to add terms of service that make customers responsible for not sharing sensitive information that can’t be copyrighted. Those terms also often protect the customer as well, giving them ownership and control of their own customizations instead of automatically conveying those rights to the vendor.

From Prior Restraint: “Re: sharing software screen shots. Say for example that someone who is seeking publicity asks permission to use an EHR’s screen shots to prove that the software is unsafe, but then alters the images to hide the big warnings that users ignored. The vendor could probably sue that person if their intent was to make the vendor look bad, but it’s easier for everyone for the vendor to make sure their product is represented accurately before giving permission.” Every person I’ve seen who publicly and bitterly complained that they personally ran afoul of a vendor’s terms on screen shot use works for an academic medical center that signed their vendor’s confidentiality terms. When enforcement of those terms impedes the complainer’s moonlighting projects (writing books, delivering keynote addresses, pontificating, etc.), they go public in charging that their free speech has been violated and the vendor is trying to hide something that the public needs to know (via their project, of course). Why aren’t they using their academic freedom to criticize their bosses who signed the contract in the first place? However, a researcher whose employer hasn’t signed a contract with the vendor they’re writing about should be legally OK, although just the threat of defending an unjustified lawsuit would deter most of us. Here’s a challenge: if an EHR vendor has threatened you (as a non-vendor employee) for going public with safety concerns, give me the details. I will keep you anonymous.

From Bowdlerizer: “Re: gag clauses. If someone wants health systems to call potentially safety-endangering vendor software issues to the public’s attention, wouldn’t it be equally beneficial for EHR vendors to find examples of provider medical errors and publish that information on the web? Transparency that benefits the public should work both ways, but health systems are fanatical about not allowing employees or vendors to say anything about mistakes they’ve made that might make them look bad. In fact, I bet some of them insert their own software contract gag clauses that prevent their vendors from saying anything about their operation or using their name without their approval.”


From Vendor Diesel CEO: “Re: ICD-10 preparations. We’ve been in high-volume test mode for nearly a year. We worked with users at our conference to find any one-off situations they could think of. Our entire RCM staff has been trained, not only on the practice side, but on the consultative side to address practice needs. Our EDI, product, training and implementation, and support groups have been trained as well. We have prepared videos and conducted free, continuous webinars to ensure an orderly transition and customers are getting regular countdown bulletins. We have brainstormed as to what we can’t control (payers) and worked with our clearinghouse partner to have rejections handled expediently. ICD-10 is a challenge, but also an opportunity to shine and perform. As Ed Harris said in ‘Apollo 13,’ failure is not an option.”


From Mike: “Re: grammar pet peeves. An item that continues to annoy me greatly is using modifiers to the term ‘unique.’ Something is either unique or it’s not; there is no such thing as ‘very unique’ or ‘highly unique.’” That one bugs me, too, along with recent others such as using the non-word “irregardless,” using “disinterested” when “uninterested” is intended, and people who say “less” instead of “fewer” when referring to a discrete unit (“fewer people” is correct, “less people” is not). Not surprisingly, people who don’t have the knowledge or respect for others to use words correctly strenuously object to the very idea that language can be right or wrong, figuring it’s easier for them to be sloppy and let the other guy figure it out (a smug indifference to personal responsibility grates on me like nothing else).


From Devious Septum: “Re: jury duty. I was called for a minimum of three months, but I knew my health IT vendor employer would either fire or reassign me to a ‘dangle position’ if I was away from my director-level job for that long. Was I wrong to wangle out of it with an excuse?” Most people can’t afford to miss work for weeks or months to serve on a jury, so society ends up with major legal decisions being made by students, the unemployed, and retirees as everybody else figures out how to pass the buck and then complain bitterly later that juries are irrational. I would never lie to avoid jury duty, but everybody has to figure out their own acceptable level of expedient dishonesty. A programmer who worked for me got stuck on a months-long, high-profile case and did his work after the court let out each day (often early since the legal system doesn’t feel much urgency despite claimed case backlogs), which worked out well all around. Corporations seem to have a habit of feel-good bragging about how wonderfully they treat and value their employees, which may be true collectively, but it takes only one nasty VP to make your life miserable by acknowledging your commendable desire to practice civic responsibility with, “Can’t you get out of it?” I was at jury duty once in March and a self-employed CPA tried to convince the judge (somewhat snottily, I thought) that she should be excused since her most important and most profitable work would occur in the upcoming weeks – the judge admonished her for suggesting that her work was more important than her duties as a citizen or that she should receive preferential treatment because she was more important than others in the jury pool who would have to cover her desired absence.


From Donald Keyhotay: “Re: DonorsChoose. I didn’t see instructions on how I can donate.” DonorsChoose came up with this process:

  1. Purchase a gift card in the amount you’d like to donate.
  2. Send the gift card by the email option to mr_histalk@histalk.com (that’s my DonorsChoose account).
  3. I’ll be notified of your donation and you can print your own receipt for tax purposes.
  4. I’ll apply the matching funds, and publicly report here (as I always do) which projects I funded, with an emphasis on STEM-related projects as the matching funds donor prefers. I fund only projects that have received no donations so far, so all the projects I mention were fully funded by readers with matching funds made available by an anonymous vendor executive.

HIStalk Announcements and Requests


Poll respondents aren’t too optimistic about Salesforce’s potential health IT success. Dr. Ed says the history of tech firms that have forayed into healthcare is “a trail of tears,” while Olivia says it’s all hype since Salesforce can’t handle HL7 natively and nobody’s going to want to work with them. Brian hopes Salesforce can bring their CRM approach to patient engagement, helping them follow clinical guidelines. New poll to your right or here: what is your reaction when a company changes its name?


My WiFi signal didn’t reach the back yard, preventing me from using the laptop there or causing me to worry that streaming Pandora to a Bluetooth speaker was burning up my cell plan’s data allocation. I was finally inspired to see if I could install some kind of WiFi extender to carry the signal back there and Amazon had my solution: the TP-Link wireless range extender. It took literally two minutes to set it up since my router has WPS – you just plug the unit into a power outlet, push the WPS button on the router and the unit to establish wireless connectivity, and then unplug the unit and move it to a good spot inside the house (about halfway between the router and the desired location is ideal). Nothing has to be reset or reconfigured – your existing network just goes further. Now I have strong WiFi coverage all over the back yard, which I tested by shutting off cellular data and running Speedtest, which tells me I’m getting nearly the same speed as indoors. Best of all, the nicely packaged and documented extender costs only $19.99. Now I can freely stream music from my phone and use my laptop and tablet outside. I’ve used powerline network adapters and those work great as well, but those require you to plug in your connected device via Ethernet cable. Check out the variety of similar extender devices if you have rooms, a workshop, or outdoor location with poor WiFi reception.


Reader Karen contributed $100 to my DonorsChoose project, which I put on the educational street immediately. I chose a large library of math manipulatives for Mrs. Brunetti’s elementary school class in Hector, AR (this was a $400 grant that required only $95 to fund since Economic Arkansas paid most of the money with the stipulation that the teacher find a donor for the rest). I also bought interactive math, letters, and comprehension software for Mrs. Wallace’s class of second- and third-graders with autism in Indianapolis, IN (with matching funds from the IPS Education Foundation). Karen got a lot of educational bang for her 100 bucks thanks to my anonymous vendor executive and other matching funds. It may well happen 30 years from now that one of these kids will do something amazing (even if that’s only leading a happy, productive life) and credit the time when a big box was delivered to their classroom, evidence that anonymous, distant strangers were willing to stand shoulder to shoulder with them in their education.


Mrs. Rose from New York City emailed to say that her students “were graciously overwhelmed” by our donation of a robotics kit and books. They’re building a robot for a city competition, for which they now have current robotics technology rather than the outdated version. She says the students are writing programs to learn the new Lego Mindstorms EV3 and have already built two robots as practice.

The stages of third-party data usefulness that I just made up:

  1. I don’t have any information that you want or need.
  2. I have information that you want or need, but I won’t give it to you.
  3. I have information that you want or need, but I will make it available only in a static, text-based form on a non-real time schedule.
  4. I have information that you want or need. I will put it on my own site in a schedule extract and you can log in and look at it.
  5. I have information that you want or need and I’ll push it to your system in real time, where you can just look at it more conveniently.
  6. I have information that you want or need and I’ll push it to your system in real time as discrete data that can automatically interact with your system in a helpful and non-intrusive way.

Last Week’s Most Interesting News

  • The Senate’s HELP committee and a bunch of provider organizations demand that HHS delay Meaningful Use Stage 3.
  • HP announces plans to lay off another 30,000 people when it splits into two companies later this year.
  • ONC announces availability of a Health IT Complaint Form, which is actually brought live a few days later.
  • A report finds that of 165,000 mHealth apps, most are primitive and seldom downloaded, with just 36 of them (mostly consumer and fitness tracker focused) making up half of all downloads. Providers hesitate to recommend apps because they operate in silos and haven’t been proven to be effective.
  • An HHS OIG report finds that CMS failed to manage its Healthcare.gov contractors, causing delays and cost overruns.
  • Two India-based technology executives launch a $500 million fund to acquire US digital health companies.
  • Qualcomm acquires medical device data integration vendor Capsule.


September 22 (Tuesday) noon ET. “Just Step on the Scale: Measure Ongoing EHR Success and Focus Improvements Using Simple but Predictive Adoption Metrics.” Sponsored by The Breakaway Group. Presenters: Heather Haugen, PhD, CEO and managing director, The Breakaway Group; Gene Thomas, VP/CIO, Memorial Hospital at Gulfport. Simple performance metrics such as those measuring end-user proficiency and clinical leadership engagement can accurately assess EHR adoption. This presentation will describe how Memorial Hospital at Gulfport used an EHR adoption assessment to quickly target priorities in gaining value from its large Cerner implementation, with real-life results proving the need for a disciplined approach to set and measure key success factors. Commit to taking that scary first step and step onto the scale, knowing that it will get measurably better every day.

September 22 (Tuesday) 5 p.m. ET. “Laying the Groundwork for an Effective CDS Strategy: Prepare for CMS’s Mandate for Advanced Imaging, Reduce Costs, and Improve Care.” Sponsored by Stanson Health. Presenters: Scott Weingarten, MD, MPH, SVP and chief clinical transformation officer, Cedars-Sinai; Anne Wellington, VP of informatics, Stanson Health. Medicare will soon penalize physicians in specific settings who do not certify that they consulted "appropriate use" criteria before ordering advanced imaging services such as CT, MRI, nuclear medicine, and PET. This webinar will provide an overview of how this critical payment change is evolving, how it will likely be expanded, and how to begin preparations now. A key part of the CMS proposal is clinical decision support, which will help meet the new requirements while immediately unlocking EHR return on investment. Cedars-Sinai will discuss how they decreased inappropriate utilization of diagnostic tests and treatments, including imaging.

Acquisitions, Funding, Business, and Stock


Raleigh, NC-based referral management technology vendor Cguros receives $5.5 million in funding. Perhaps they can use some of the funding to hire an English professor to explain why their tagline is appallingly incorrect, which is also true of quite a bit of their website prose.


Insurance company Clover Health, which analyzes insurance claims to target high-risk patients with specific care manager interventions, raises $100 million in funding.



ONC policy director Jodi Daniel, JD, MPH has resigned, she says in her Twitter feed. She joined ONC in October 2005, moving over from HHS’s Office of the General Counsel.


Beth Israel Deaconess Medical Center (MA) promotes Manu Tandon to CIO. John Halamka, MD will move full time to CIO of the BIDMC system.


Jake Brewer, a senior policy advisor in the White House’s CTO office, died Saturday when he lost control of his bicycle in a cancer research fundraising ride. He was 34.

Privacy and Security

ABC News posts a breezy, click-me-please article called “The Medical Identify Theft Apocalypse? Fear the Walking Files.” Its list of ridiculous tips (or as it says, “How to Tell If You’ve Been Bit by the Medical ID Theft Zombie”) includes such gems as:

  • Don’t answer one-ring telephone calls.
  • Ask medical debt collectors to describe what you were billed.
  • Read all mail from healthcare providers and call them if something doesn’t look right (duh).
  • If you can’t access your medical records online, “ask your doctor to read it to you” (let me know how that works out).



A Robert Wood Johnson Foundation report reviews the state of health IT in updating previous versions of the report with these findings:

  • Three-quarters of US hospitals have at least a basic EHR, but many of them won’t be able to meet Meaningful Use Stage 2.
  • Community HIEs are trying to evolve to find financial viability after struggling. They face many survival challenges that they will need to prioritize.
  • HITECH spurred EHR adoption but failed to achieve its goal of increasing healthcare efficiency and effectiveness through the use of IT. ONC was naive in overlooking barriers beyond its control and ran each of its grant programs in their own silos.
  • Big data isn’t a new concept in healthcare but it holds promise for transforming healthcare if issues related to security, analytics capability, stakeholder collaboration, and consumer engagement are addressed. Big data won’t be a silver bullet despite its position in the Gartner Hype Cycle’s “Peak of Inflated Expectations.” Bigger data isn’t necessarily better data. Not all providers are interested in providing information from their systems for public aggregation (which has minimal funding available to accomplish anyway) and dumping together information of unknown validation from a variety of sources adds additional potential for error.  
  • Regional Extension Centers helped providers implement EHRs but they have not been successful in helping them meet Meaningful Use criteria.
  • The hundreds of millions in grants ONC handed out for HIE development failed to meet ONC’s goals, with no state being able to offer all its providers bi-directional exchange. The federal government let states figure out their own approaches, leaving them on their own to figure out incomplete or inconsistently implemented national standards and lack of a national patient identifier or single patient-matching technology. Health system competition also stood in the way.
  • The report characterizes the uptake in EHR adoption as converting analog to digital within individual organizations that it calls “corporate islands.” It concludes that information exchange among health professionals hasn’t improved in 10 years, but new payment models will eliminate some of the boundaries. 
  • The report says HL7 failed as a standard because it allows too much implementation variation and requires hand-coded programming changes with every implementation, saying HL7v2 is “an artifact of the economic incentives of the organizations that wanted and created it.” It adds that HL7v3 has also failed because its adoption rate is “dismal” and it still doesn’t address semantic interoperability, but expresses hope that HL7 FHIR will allow developers to work more constructively with informaticists while SMART will allow them to build applications on top of EHRs without having to learn the underlying EHR.
  • ONC has embraced the PCAST, JASON, and JTF reports and favors API access and exchange languages with stakeholder involvement, which is bringing into focus a national interoperable HIT infrastructure.

Some interesting quotes from the report:

Some of these corporate islands have grown to incorporate smaller neighbors and create larger fiefdoms, increasing the number of patients on whom they zealously guard information; but they’ve also widened the barriers between every other corporate island … the larger vertically “integrated” health systems are rushing to warehouse clinical and financial data, but ultimately for the wrong reason. They simply want to enhance their private holdings.

[HITECH] corrupted the markets like all subsidies do … Once the government pays for certain behaviors, two things happen. First, the recipients figure out how to game the requirements to get the most from the least work. Second, they wait to do new things, trying to goad the government into paying for that also. Together, these undermine the very entrepreneurship and innovation that we need to move health care to a better future … The market will be wary of new investments if there is ever the potential for new government money to pay for it. (former National Coordinator David Brailer)

We want, in effect, for BMW to share its client list and their proclivities, their purchasing power, their use of services with Toyota. That’s what we’re asking the healthcare market. And we want it to be done free. Not just free, but we want Toyota and BMW to pay for the opportunity to give away some of their most precious proprietary assets. (former National Coordinator David Blumenthal)


Multi-billionaire Elizabeth Holmes, CEO of disruptive medical laboratory Theranos and featured on Inc.’s cover as “The Next Steve Jobs,” responds to concerns that average patients aren’t capable of understanding their test results:

The idea that I as a human should not be free to access my own health information, especially using my own money — even though I can buy weapons and anything else I want — and rather should be legally prohibited from doing so, summarizes the root of the fundamental flaw we’re working to change in our healthcare system.

In New Zealand, a pharmacy that provided 100 percent acetic acid instead of the 5 percent concentration needed for a woman’s colposcopy offers compensation for her severe intestinal burns and resulting medical bills – a letter of apology for its error and a $50 gas voucher “to cover your travel costs related to your readmission to the clinic.”

Sponsor Updates

  • The SSI Group will exhibit at the Texas Ambulatory Surgery Center 2015 Annual Meeting September 24-25 in San Antonio.
  • TriZetto Provider Solutions receives the Visionary for Children Award from the Children’s Home Society of Missouri.
  • Valence Health will exhibit at the Center for Healthcare Governance Fall Symposia September 20-22 in Chicago.
  • Visage Imaging will exhibit at the New York Medical Imaging Informatics Symposium September 21 in New York City.
  • Vital Images will exhibit at the North American Society for Cardiovascular Imaging Annual Meeting September 26-29 in San Francisco.
  • Huron Consulting Group is recognized by Consulting Magazine as a Best Firm to Work For for the fifth consecutive year.
  • XG Health Solutions’ Glenn Steele Jr., MD will speak at Geisinger Health System’s A Century of Transformation and Innovation Centennial Symposia September 24-25 in Danville, PA.
  • Recondo Technology CEO Jay Deady will speak at AGC’s Annual East Coast Technology Growth Conference September 21 in Boston.

Blog Posts

HIStalk sponsors exhibiting at the AHIMA conference September 26-30 in New Orleans include:

Anthelio Healthcare Solutions
Clinical Architecture
Experian Health
HCTec Partners
Streamline Health
Wolters Kluwer Health


Mr. H, Lorre, Jennifer, Dr. Jayne, Dr. Gregg, Lt. Dan.

Comments

  1. I saw the deal on Clover Health, Medicare Advantage plans again... so what are they going to do differently than what insurers have already done with increasing risk by fiddling with assessing chronic conditions? I don’t know if you have seen it or not but there’s a big stink with CMS saying insurers bilked them for $70 billion doing the same thing. Logic tells me that to raise money, the investors want a story on how they will make bigger money than the big insurers have already done, correct? So what do we have here, some new proprietary algorithms that can sharp shoot Medicare risk assessments and bury it in a compiler? Someone also said no premiums on this company? I can’t verify that but if they do, you know they will be selling either data or “scores”, the way that companies get around HIPAA these days. They don’t sell your actual data but send off a score from some algorithm created with proprietary software that nobody can replicate. Here’s the CMS deal that is brewing complete with several whistleblower lawsuits related to risk fiddling.


    On another note and a bit off topic, please check out how VW code hosed consumers where they blatantly created software to fool the government emissions requirements... all in all, case closed as far as folks who can cheat with code. Sadly, we have left the good days of Bill Gates and others, creating productivity software for the new normal, write code that makes money.


    By the way, via Twitter, Andy Slavitt’s next-door neighbor was kind enough to provide this little tidbit with United Healthcare stating that Loretta Lynch was a great choice for AG since they have done such a good job representing them on antitrust issues. People also forget too that United also has a subsidiary that is a bank, Optum Bank. Interesting over there as it’s basically health savings accounts, but the bank gives them Master Card credit cards to empty it out when they want :) The monopoly looks like it will still live on as Lynch says she will go after bankers in a recent article, but what about this? This letter is right from United legal folks recommending Lynch.


  2. Re: Systema Software breach: I’m not a security expert, but it doesn’t appear that the “hobbyist” took advantage of any shortcoming in AWS specifically. It sounds like Systema Software was using and storing an unencrypted database when they should have definitely encrypted anything that sensitive. They were also apparently storing backups (in S3 I assume) with public sharing turned on. Both of those are no-nos regardless of your cloud provider, and both could happen on any provider if you don’t implement a secure setup.
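The two defects the top news item and the comment above describe (backups stored with public sharing turned on, and no encryption on data that sensitive) are both visible in a bucket's own configuration, so they can be audited without waiting for a hobbyist to find them. The script below is an added example written for this page, not code from HIStalk, Systema Software or Amazon. It evaluates three documents shaped like what boto3's `get_bucket_acl`, `get_bucket_policy` (the JSON string in its `Policy` field) and `get_bucket_encryption` return; the bucket names, account ID, key ID and the documents themselves are constructed for illustration, and no AWS call is made, so it runs offline. The function names (`audit_bucket` and its helpers) are this example's own.

```python
"""Offline audit of an S3 bucket's ACL, policy and default-encryption settings
for the two failure modes behind the exposure discussed above: world-readable
grants and unencrypted storage. Input shapes follow boto3's get_bucket_acl,
get_bucket_policy and get_bucket_encryption; all values are constructed."""
import json

# The two predefined groups whose grants make a bucket readable by the world
# (AuthenticatedUsers means any AWS account, which is effectively everyone).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Return the permissions the ACL grants to the public groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append(grant["Permission"])
    return found


def _principals(principal):
    """Normalise the Principal element ("*", {"AWS": "*"}, {"AWS": [...]})."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return aws if isinstance(aws, list) else [aws]
    return []


def policy_public_statements(policy_json):
    """Return Sids of Allow statements open to any principal with no Condition.
    Deny statements are skipped, and conditioned statements are left for manual
    review rather than flagged, so this errs toward reporting only clear-cut cases."""
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written bare
        statements = [statements]
    open_sids = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" in _principals(stmt.get("Principal")) and not stmt.get("Condition"):
            open_sids.append(stmt.get("Sid", f"statement[{i}]"))
    return open_sids


def default_encryption_enabled(encryption_config):
    """get_bucket_encryption raises when no rule exists; callers pass None then."""
    if encryption_config is None:
        return False
    rules = encryption_config.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    return any("ApplyServerSideEncryptionByDefault" in rule for rule in rules)


def audit_bucket(name, acl, policy_json, encryption_config):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    perms = acl_public_grants(acl)
    if perms:
        findings.append(f"{name}: ACL grants {sorted(set(perms))} to everyone")
    sids = policy_public_statements(policy_json)
    if sids:
        findings.append(f"{name}: policy statements {sids} allow any principal")
    if not default_encryption_enabled(encryption_config):
        findings.append(f"{name}: no default server-side encryption configured")
    return findings


# Constructed sample: a bucket configured the way the comment describes.
WEAK_ACL = {
    "Owner": {"ID": "constructed-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ_ACP"},
    ],
}
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-claims-backups/*"}],
})
WEAK_ENCRYPTION = None  # models the "no configuration" error from get_bucket_encryption

# Constructed sample: the same bucket hardened (owner-only ACL, named role, KMS default).
HARDENED_ACL = {"Owner": {"ID": "constructed-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "constructed-owner-id"}, "Permission": "FULL_CONTROL"}]}
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BackupWriter", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup-writer"},  # constructed account/role
         "Action": ["s3:PutObject", "s3:GetObject"], "Resource": "arn:aws:s3:::example-claims-backups/*"},
        {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-claims-backups/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})
HARDENED_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": "constructed-key-id"}}]}}


if __name__ == "__main__":
    for line in audit_bucket("weak", WEAK_ACL, WEAK_POLICY, WEAK_ENCRYPTION):
        print(line)
    print("hardened:", audit_bucket("hardened", HARDENED_ACL, HARDENED_POLICY, HARDENED_ENCRYPTION) or "clean")
```

In a real account the three documents would come from the corresponding boto3 calls for each bucket listed by `list_buckets`, with the `ServerSideEncryptionConfigurationNotFoundError` exception mapped to `None`. Default encryption only protects data at rest, so the hardened sample also keeps a `Deny` for plaintext transport; the audit deliberately ignores `Deny` statements because they never widen access.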

  3. “Sadly, we have left the good days of Bill Gates and others, creating productivity software for the new normal, write code that makes money.”

    Bill Gates and Microsoft are infamous for writing (or architecting) Windows, DOS, Internet Explorer, Office, etc. in such a way as to mess with competitors and increase lock-in to maintain or extend their dominance. Gates was the poster child of such unethical behavior. Pretty interesting example you picked.
