Advisory Panel: HIMSS conference, ransomware

What were the most interesting things you learned or saw at the HIMSS conference?

• I met a number of CIOs from hospitals and health systems that either have already completed or were in the process of implementing Cerner financial and ambulatory products to result in integrated clinical and financial systems across inpatient and ambulatory. Cerner appears to continue gaining momentum and building some critical mass in their competition with Epic. VNA products continue to develop nicely. It appears there are good product options that are positioned to upset the traditional, monolithic PACS products.
• I did not attend the HIMSS conference this year. If I attend the one in Orlando next year, it would be merely to see how off the wall they can be and how obscene and disconnected from the reality of practicing medicine today they have become. HIStalkapalooza may be the only reason for even flying there or paying for a hotel room since they are not even offering CMEs.
• I was mostly impressed with the booths downstairs and in the side rooms. I saw some interesting applications of big data analytics finally starting to bloom. Check out Ayasdi (I have no relationship with their company). Generally it felt like there was a lot less energy and excitement than in previous years. I saw very few of my provider-side colleagues — mostly just vendors talking to other vendors (or consultants).
• I focused on meeting with clinical decision support vendors and several that are building CDS data analytics tools, e.g., LogicStream, Stanson Health, MedCPU, Zynx, Appervita, Wolters Kluwer. Seems everyone is trying to figure out how to create some sort of dashboard that can help organizations manage their CDS alerting process. So many organizations have turned on way too many alerts and no one wants to, or perhaps is able to, make the decision to turn off excessive alerts that are overridden upwards of 95+ percent of the time. We really need to get this fixed soon or everyone will be ready to shoot their EHRs. LogicStream and Stanson Health’s data analytics platforms are both outstanding. Both appear to capture a significant amount of the data and display it in several different and useful ways. Stanson also offers their clients actual CDS content, whereas LogicStream is just the analytics platform. I heard several people asking Stanson to just sell them their analytics platform, but so far they only want to sell content and you get the platform to help you manage their content.
• I spent the pre-conference day at the EHR-related patient safety symposium sponsored by AQIPS and ECRI among others. It was interesting to hear everyone talking about EHR-related safety issues and what we need to do to improve EHR safety. Seems that most orgs are still struggling with basic implementation and utilization and only the very mature orgs are worried about EHR-related safety. Heard a good talk by Joe Schneider on ways to avoid and manage EHR downtime that focused heavily on the ONC’s SAFER guides. If the ransomware problem doesn’t kill the EHRs, then I think EHR-related safety issues will become much more important over the next five years.
• I didn’t go to HIMSS — it is less and less valuable each year. One long-time colleague went to his first this year and doesn’t plan to return.
• Disappointing meeting — poor topics of education, too many vendors with chotchkeys, lack of enthusiasm for educational aspects and more towards having fun in Vegas was our perception.
• I didn’t go to HIMSS and really haven’t heard anything (other than your posts, of course) about it from others, including vendors. I get the feeling that I didn’t miss a lot this year.
• Population health is starting to fall into some discrete strategies, with products to match. I expect the diffuse "population health" to become several more discrete somethings like "narrow network strategy," "quality management (analytics and registries),” etc. Still looking for someone who really does it well. Interestingly, there were a lot of people talking about serious security, which I thought was excellent.  About dang time. Also, many organizations with a real cloud model getting traction with hospitals. When asked, it seems that the hospitals figure the data may well be safer with the vendor than with their own systems. Good way to get rid of liability is to not have the data stored on site?
• The most interesting thing I saw was AccendoWave at the AT&T booth. In short, the equivalent of a thermometer for pain (based on EEG waves detected through a non-invasive headband). Even if you only differentiate drug seekers and malingerers from legitimate pain, that’s some great tech. I’m not sure what the most interesting thing I learned was. I got through about 19 hours of the education sessions this year, most of which had CME attached and were legitimate rather than vendor pitches, for which I was grateful.
• I suppose the most entertaining things I learned might be worth mentioning: Halamka really emulates Steve Jobs and is almost as invested in brinksmanship as Eric Topol. Presenters from academic centers have an incredible degree of hubris and a pride in their “big data” volumes that is astounding. I guess “big” is a matter of perspective, but come on, folks, you’re talking about having data from one or a few facilities.
• Themes this year seemed to be: usability, patient engagement, population health, and analytics/BI/big data. It was almost humorous how many different vendors were pitching solutions for “population health” and “value-based reimbursement” all doing different things and using different definitions.

Is your organization taking any steps related to ransomware?

• This past year, we’ve had seven individual episodes of ransomware infections resulting in user and departmental network shares being encrypted. Luckily, we’ve been able to recover through simple data restores with little to no loss of data. These incidents, along with all of the other security news items in the industry, has our leadership more focused than ever on security. I still wonder if it’s enough. IS has been attempting to raise awareness amongst our leadership about the importance of developing a broader security program and I believe we make some relatively small progress every year. However, we still need more resources to move fast enough to keep up with the threats.
• Reputation-based blocking of malicious links embedded in emails. Ransomware often infects the user’s computer after the user is tricked into clicking on a malicious link in a phish email. We subscribe to ProofPoint to analyze all email embedded links and attachments and then stop the malicious ones. This DOES NOT protect against malware downloaded via personal Web-based email, such as Hotmail, Gmail, Facebook, etc. We are considering blocking such services, but that is a tough row to hoe considering the culture.
• Blocking of suspicious Web advertisers as much as we can. We plan to do more of this in the future. Malvertising is another way with which unsuspecting users browsing legitimate sites get hit with ransomware.
• User education and awareness programs to make our community less susceptible to phishing emails. We plan to start using targeted awareness campaigns facilitated by products such as PhishMe in the future to increase user awareness. 
• Things that we’re doing to address the infection payload: overlapping antivirus software. We have three different AVs on the email system, server environment, and desktop/laptop environment to hunt for and stop malware to include ransomware. Unfortunately, traditional AV is not super effective in detecting zero-day malware. Behavioral-based next generation AVs such as Cylance are not mature yet and are fantastically expensive, but we’re watching this space.
• Robust backup process. We don’t pay ransom when we get hit with ransomware. We restore from backup. We use Crashplan to back up desktops and laptops.
• Can we do more? Yes, but it would make our environment stricter. It’s a balancing act.
• We are pretty much maintaining our patches, but we are as vulnerable to phishing as the next guy. You do what you can.
• We are raising awareness from our board level down to the associates. The message to our board includes information about industry events and the outcome, what we are doing to minimize our risk, and how we would respond if infected with ransomware. Our associates are much more aware of the possible consequences of clicking bad email. We had an email phishing attack that resulted in an organizational-wide password expiration. This allowed for education of supervisors and managers as to why they were having them coordinate all associates changing their passwords. That level of awareness has already resulted in a more informed workforce and an increased number of reports of suspicious email.  We use real stories from other health systems to communicate our risk and it seems to work. Also, we have begun adding to our communication around events not only what IT will do to avoid a recurrence, but what our end users can do to help.  As far as technical prevention, we continue to strengthen our monitoring and blocking tools to protect our assets.
• We’re constantly improving our security posture here, but it’s not like we’ve targeted ransomware specifically. However, we actually did see some within our organization. While running some scans from one of our newly deployed technologies, we found some ransomware on a handful of really old files (from 2002 and 2003). I’m not sure when it came in, no one was actually using those files so no one noticed the ransomware or inability to get to them. But, we just deleted them and restored them from backup and they open fine now. Not sure we needed them at all, but that’s another issue altogether.
• We have a security vendor that provides us tools and accounting and as I understand it there have been layers of security improving in strength and coverage in IT. Also the organization is messaging to the physicians and employees how to avoid phishing and other types of targeted email based attacks.
• We have a very aggressive information security and privacy protection strategy and always have. That said, when the bad guys really are out to get you (and they are out for all of healthcare), there is never enough precaution / preparation or defense-in-depth that’s deep enough. It’s a continuous race uphill. There are many key steps we are taking based on the latest round of evolving threats (ransomware being just one of many).
• We are not taking any specific steps due to the recent activity. However, I have pressed our security team pretty hard on ensuring we are doing what we should be doing for our overall security program.  Our weaknesses were identified long before this latest publicized event, so we have a roadmap for all things infosec. We are covering this event in our next board meeting to remind them of our efforts and that even with a good program, we will always have risks.