A Buffalo News report describes the ransomware infection of Erie County Medical Center (NY), from which the hospital has still not fully recovered six weeks later. The hospital declined to pay the $44,000 demanded because it had backups, users could look up patient information from the HealthLink HIE, and administrators worried that the hackers might not restore its files even if the hospital paid up.
The hospital thinks hackers used a brute force password attack to gain control of a hospital Web server a week before the attack, then manually logged on looking for files to encrypt. Clinical systems weren’t restored until a month later.
A hospital-provided screenshot of the ransomware message suggests that the malware is Samas, in which hackers use a variety of tools (including login-stealing malware) to gain credentials and install programs that use Active Directory to propagate the malware to all attached devices.
MedStar Health fell victim to Samas in March 2016 days after both Microsoft and the FBI issued public warnings of its threat. The malware requires online access to just one vulnerable server, often one that’s running unpatched Red Hat JBOSS middleware.
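As an added defender-side illustration (this code is not from the Buffalo News report, ECMC, or this post), the script below shows how the pattern described above, a burst of failed logins against a web server followed by a successful one, can be pulled out of ordinary access logs. The log lines, IP addresses, login paths, and thresholds are constructed for the example and are assumptions, not data from the incident.

```python
"""Sliding-window brute-force login detector over web server access logs.

Added example for illustration; the sample log, IPs, and paths are constructed.
Flags a source IP once it accumulates `threshold` failed POSTs to a login path
inside `window_seconds`, and raises a second, higher-severity alert if that same
source later logs in successfully (the classic 'the guessing worked' signal).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format-style line: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATHS = {"/admin/login", "/login"}  # assumed login endpoints

# Constructed sample: one source guessing passwords, one ordinary user mistyping twice.
SAMPLE_LOG = """\
198.51.100.4 - - [18/May/2017:02:10:00 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [18/May/2017:02:14:00 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [18/May/2017:02:14:01 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [18/May/2017:02:14:03 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [18/May/2017:02:14:06 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [18/May/2017:02:14:09 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [18/May/2017:02:14:12 +0000] "POST /admin/login HTTP/1.1" 401 512
203.0.113.7 - - [18/May/2017:02:14:15 +0000] "POST /admin/login HTTP/1.1" 401 512
garbage line that does not parse
203.0.113.7 - - [18/May/2017:02:14:40 +0000] "POST /admin/login HTTP/1.1" 302 0
198.51.100.4 - - [18/May/2017:02:20:30 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.4 - - [18/May/2017:02:20:45 +0000] "POST /login HTTP/1.1" 302 0
"""


def parse_line(line):
    """Return a dict of the fields we need, or None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_bruteforce(lines, window_seconds=60, threshold=5):
    """Return a list of (ip, kind, timestamp) alerts, in the order they fire.

    kind is 'burst' (threshold failures within the window) or
    'success_after_burst' (a login success from an already-flagged source).
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    flagged = {}                   # ip -> time its burst alert fired
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue  # not a login attempt (or unparseable); ignore
        ip, ts = rec["ip"], rec["ts"]
        q = failures[ip]
        while q and ts - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if rec["status"] in (401, 403):
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ts
                alerts.append((ip, "burst", ts))
        elif rec["status"] in (200, 302) and ip in flagged:
            # A success from a source that already tripped the burst rule is the
            # event worth paging on: the guessed credential probably worked.
            alerts.append((ip, "success_after_burst", ts))
    return alerts


if __name__ == "__main__":
    for ip, kind, ts in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {ip} {kind}")
```

The two-stage rule matters more than the exact numbers: a burst of 401s alone is noisy (scanners, forgotten passwords, misconfigured clients), but a 302 or 200 on the login endpoint from a source that just tripped the burst rule is the moment to check what that account did next. Real deployments would also read the user name from the application log and rate-limit or lock out at the server, not only alert.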
From Identity Thief: “Re: CHIME’s patient ID challenge. Is anyone questioning its usefulness? The $1 million winner has to provide their solution to the market free of royalties, which means they can’t use any underlying technology that isn’t free. Also, the challenge is based on authentication rather than identity assurance. From NIST, ‘authentication’ implies confirmation of the patient’s presence using authentication factors, while ‘assurance’ means verifying that the person presenting those factors is in fact who they say they are. The solutions of the finalist appear to focus on using tokens (most likely biometric) to authenticate themselves. But before a token can be used, there is a need to identify the patient via inspection of their documents, verifying via a third party, or conducting KBA activities. The FY17 Omnibus legislation requires a strategy that is more than just the pervasive use of an authenticator. It requires a way to roll out a program nationally for all patients and to link a known patient to all of their records from any location in which they have received services. We should question whether a winning authentication solution truly solves the patient identity problem. In my opinion, it does not.” I agree that someone would need to physically verify a person’s identity in issuing their authentication token, but then there’s the question of how a different provider would connect to that information collected elsewhere (perhaps it would be self-contained, like a fingerprint profile stored on a smart card). As you said, positive identification doesn’t necessarily imply data sharing, but that doesn’t seem to be part of the conversation despite the NIST definition. I would be happy with a solution that would (a) prevent identity fraud; and (b) give hospitals a single ID that would eliminate patient merges and that would link all of a patient’s information even just within that one organization’s systems.
From Arm Twister: “Re: Athenahealth. They say they have 35 MU attestations using their complete inpatient solution, but CMS shows only 17 inpatient attestations. Also, is it really Athena that’s being used to attest? HIMSS Analytics shows that most of Athena’s 25 sites are still running RazorInsights for registration, scheduling, and patient billing, so wouldn’t they also be running at least parts of the Razor clinical package, too?”
From Bushie: “Re: Athenahealth. Is it undervalued as the activist investor says?” Value is whatever the buyer thinks it is, but certainly the company has struggled to meet longstanding high-flying expectations as investors begin to question its slowed growth, management changes, forays into marginally related business lines that are defended by deeply entrenched competitors (inpatient), slowing post-HITECH EHR sales, and erratic investor guidance and resulting performance. I would also question, as I have from the day the company announced its IPO, if there’s too much of a Jonathan Bush cult of personality among fanboy equities analysts and whether Athenahealth is really a tech high-flyer vs. a boring business process outsourcer that just sends scanned paper to teams in India for manual entry. The stock price jumped after last week’s announcement that Elliott Management had acquired a 9.2 percent stake (and Wall Street firms predictably applied their impressive 20-20 hindsight to immediately upgrade their share price targets), but that’s probably more of a kneejerk reaction to the assumption that change is inevitable. Carving up the business into parts that are more valuable than the whole doesn’t seem likely and I don’t see opportunities to gain unmet synergy. I suspect the biggest fear out there is that JB will be pushed out and Athenahealth will be left as just another mature, sometimes struggling, not all that interesting industry player whose arc flattened out short of expectations.
Quite a few EHR companies looked smart when the government was paying for EHRs in its $40 billion cash for clunkers program, but nearly all of them are scrambling frantically to pivot into population health, analytics, or revenue cycle to prop up their businesses that weren’t prepared for the inevitable scale-back required once the HITECH fire had been extinguished and doctors realized that the EHRs they hated pre-HITECH weren’t any more likable just because someone else (you and I) paid for them. I’ll turn to readers – is ATHN undervalued, what changes should it make, and what companies might like to buy some or all of it?
From Carry On: “Re: HIMSS. What are they paying Steve Lieber these days?” The newest IRS Form 990 I can find is for the fiscal year ending 6/30/15, when he made $1.1 million, a number that’s sure to swell dramatically this year as his retirement benefits are paid out. HIMSS paid more than $400K that year to Carla Smith, Norris Orms, John Hoyt, Jeremy Bonfini, and Alisa Ray. I would enjoy dissecting the HIMSS 2015 990 form if anyone has it – it’s apparently not online anywhere like the older ones.
From Lengua Taco: “Re: VIPs. I was surprised to read that hospitals treat VIPs differently.” You must never have worked in one. My first eye-opening experience was when, as a recent graduate turned hospital department head (unimpressively – it was a crappy, for-profit rural hospital), the awful second banana executive nearly lost his mind upon hearing that the mother of our big-money ophthalmologist was being admitted. He cleared all the rooms around hers, mobilized the dietary people to make special meals well beyond their culinary capabilities, and bossed around the nurses and techs to make sure they tiptoed about deferentially and didn’t screw up clinically (which, as any hospital person knows, actually makes mistakes more likely by replacing well-honed routines with new exceptions). In hospitals, everyone is treated the same in the ED, but once they are admitted and are found to have connections, money, or power, they are elevated from economy class to first (which, like the best table at McDonald’s, still isn’t that great). Wealthy, demanding local businesspeople and politicians don’t share semi-private rooms with the unwashed rest of us, nor do celebrities or Middle Eastern oil sheiks who might get their own entire floor. I doubt their clinical outcomes are any better, though, just their accommodations, a free pass to break hospital rules, and the endless middle management fawning over their magnificence.
HIStalk Announcements and Requests
Nearly 40 percent of poll respondents say the most important factor in reducing US healthcare costs is to move to a single-payer system that eliminates middlemen, with the next top choices being to control prices and increase emphasis on prevention. Frank provided a thoughtful response in saying that consumerism has worked well with cosmetic surgical procedures, won’t work as well with routine outpatient care and non-emergent elective procedures, and won’t work at all with care in emergencies, with the aged, and involving terminal illness, at least without societal upheaval. He adds that, unfortunately, most of the cost is involved in those areas where consumerism isn’t effective. He also warns that medical technology is advancing in providing expensive treatments for more Baby Boomer conditions. Cosmos says the best use of federal money is for public goods that have not been addressed by the free market, such as disease prevention, promoting access to care and insurance, and rewarding physicians who do the right thing. Cash payer says treatment costs should be standardized to allow consumers to shop effectively.
New poll to your right or here: does your business card or email signature list a certification or fellowship credential? That issue comes up sometimes in HIStalk, where people complain that I don’t list their FHIMSS, FACHE, CHCIO, etc. My policy is that I list only academic degrees above the US bachelor’s level, with one exception — the non-US MBBS, which technically is a bachelor’s degree but is equivalent to the US MD. I also don’t list licensure, but it gets fuzzy where someone’s practice requires only a bachelor’s degree, such as a nurse, where I wouldn’t ordinarily list either the BS or the RN but there’s otherwise no good way to indicate that the person is a nurse. Sometimes I omit even graduate “degrees” that LinkedIn shows came from unaccredited (and sometimes hilariously phony) schools or that were honorary rather than earned, thus upsetting the folks who are anxious to flaunt a pointless credential in hopes nobody will notice the source.
Readers funded the DonorsChoose grant request of Mrs. A in California, who asked for a projector, document camera, USB camera, and laser printer for her middle school’s library, where she teaches math to 150 students. She reports, “The document camera and projector have improved the quality of my instruction. We will often show different strategies with different colors so that students understand that there is more than one way to solve a math problem. Lately, students have been going up and presenting their work under the doc cam, while other students ask them questions about their work. I also use the document camera and projector heavily for instruction. One particular student who has warmed to the doc cam and projector is Ramses. He loves presenting his work, and he was the first student to do so under the document camera in my 6th grade class. After he presented, students gave him ‘glows’ and ‘grows’ feedback about his presentation. Now other students present based on his model presentation and students are able to practice presenting their work proudly in front of their peers.”
This Week in Health IT History
One year ago:
- Kansas Heart Hospital (KS) pays a hacker after a ransomware attack, but still doesn’t regain access to its systems.
- Fired Practice Fusion founder and CEO Ryan Howard launches iBeat, which will offer a heart monitor and emergency notification watch.
- Apple CEO Tim Cook says the company is focused on health and its entry point will be Apple Watch, which will have new sensors added.
- HP announces plans to spin off its enterprise services business in a merger with CSC.
- Paul Tang, MD joins IBM Watson Health as VP/chief health transformation officer.
Five years ago:
- Cerner CEO Neal Patterson predicts that the company will hit $10 billion in annual revenue by 2020 and says he will probably retire before then.
- Victoria, Australia ends its HealthSMART hospital software project that involves Cerner, CSC, and InterSystems after running over budget to $557 million.
- HealthCor launches a proxy fight against Allscripts following the resignation of three Eclipsys-connected directors the previous month.
- The VA announces plans to spend up to $5 billion to enhance VistA via the private sector and open source community.
- US CTO Todd Park announces the Presidential Innovation Fellows Program.
- The UK NHS announces plans to shut down its HealthSpace personal health record.
Weekly Anonymous Reader Question
I made last week’s question too specific, I think, given the small number of responses to the question of the most customer-unfriendly contract term or condition seen. I’ll just list those few responses here:
- Charging maintenance fees for applications that just kicked off an implementation, as well as charging implementation and hosting fees! The ultimate double-dip rip-off.
- Arrogant PeopleSoft VP refused to include any language protecting the customer should they be acquired, after all, “they are PeopleSoft”. Two years later, Oracle had them.
- Non-compete clauses that inhibit people from their employment choices.
- Having one vendor try to set the terms for who else I can engage with to optimize pieces of my organization. I have software I like to buy. And I have professionals I prefer to do business with for process improvements. When the software company tries to restrict my ability to engage with the professionals I trust, I view that as very unfriendly toward me.
This week’s reader-requested question: what factors have helped you attain job promotions?
Last Week’s Most Interesting News
- Activist investor Elliott Management takes a 9.2 percent stake in Athenahealth.
- Two highly-touted, well-funded, for-profit primary care clinic chains fail.
- GQ exposes the efforts of fired Trump campaign manager Corey Lewandowski to sell access to the President, with Flow Health hiring the company hoping to reverse the VA’s termination of its data analysis contract.
- Global impact of the WannaCry ransomware is muted when a security researcher finds and activates its kill switch.
- Johnson Memorial Hospital (IN) will switch from Meditech to Cerner in August 2017.
- Marshall Medical Center (CA) will replace McKesson with Epic in November 2017.
- St Michaels Medical Center (NJ) went live with Epic this year.
These provider-reported updates are supplied by Definitive Healthcare, which offers a free trial of its powerful intelligence on hospitals, physicians, and healthcare providers.
Melissa Bell (MedAssets) joins Inovalon as SVP of client success.
Jim Feen is promoted to SVP/CIO at Southcoast Health (MA).
Announcements and Implementations
Messaging and patient engagement technology vendor Talksoft integrates its appointment reminder app with Uber, allowing patients to click an app button to call a car to take them to their appointment.
Teladoc will expand telemedicine services in Texas following the end of its six-year legal battle with the state over the now-eliminated requirement that patient-physician relationships begin with a face-to-face visit.
Doctors at MUSC’s Medical University Hospital (SC) are reportedly “livid” that the hospital will start paying them based on the number of patients they see (RVUs) instead of based on the profits of their department. The CEO says that doctors who aren’t clinically productive “are going to have a tough time. Everyone has to be accountable to this clinical productivity.” He adds that the current system is unfair to trauma surgeons who treat uninsured patients but benefits gastrointestinal surgeons who treat mostly Medicare patients. A patient safety advocate whose son died from a MUSC medical error says, “Paying doctors by RVUs is a terrible system and absolutely antithetical to patient safety, never mind workplace satisfaction. The doctors are right to be worried. I think this is a real comment on the priorities of the current MUSC leadership.”
- Encore publishes a white paper, “Enabling Value Based Care through IT.”
- QuadraMed, a Harris Healthcare company, will exhibit at the Texas Regional HIMSS Conference May 25-26 in San Antonio.
- Sphere3 CEO Kourtney Govro co-authors an article on business relationship management in health IT.
- Sunquest Information Systems will exhibit at the API – Pathology Informatics Summit May 22-25 in Pittsburgh.
- Frost & Sullivan features Agfa Healthcare in a new whitepaper, “Vision 2027: Enterprise Imaging.”
- Visage Imaging will exhibit at ACR 2017 May 22-23 in Washington, DC.
- Huron employees volunteer time on a day of service to give back to 51 communities worldwide.
- Art of the Pitch: How to Tell and Sell Your Startup Story (Salesforce)
- How Hospital Billing and Claims Management Processes Affect Revenue (The SSI Group)
- 4 Reasons Text-Enabling Your Landline is Essential (Solutionreach)
- Healthcare is No Longer Local: Explore the Cost of Disparate Health Data (Surescripts)
- Value in Healthcare, Part 2: Linking Reimbursement to Quality and Value (ClinicalArchitecture)
- Improving healthcare quality: four proven health plan strategies that providers should adopt (Verscend Technologies)
- Mobile communication generates excitement at WONE. (Voalte)