Nuance’s most recent update from Wednesday afternoon says it is still recovering servers following Tuesday’s malware attack. The company has not provided an estimated time to resolution.
Affected cloud services include transcription, radiology critical test results, Assure, Dragon Medical Advisor, Cerner DQR, Computer-Assisted Coding, Computer-Assisted CDI, CLU software development kit, and all Quality Solutions products.
Nuance recommends that cloud transcription users move to Dragon Medical or use an alternative dictation service, which suggests lack of confidence that the systems will be restored soon. A few customers say they’ve been told not to expect restoration of services until next week or even longer, but I can’t verify that.
Patient care is surely being affected as hospitals and practices try to implement minimally-tested downtime procedures or switch to backup transcription providers with the inevitable delays in patient information flow.
It will be interesting to see, once the smoke clears, how Nuance handles the HIPAA implications of the malware attack given its massive healthcare presence. HHS has advised that a ransomware attack is by definition a breach since an unauthorized party has acquired PHI, but adds that if the business associate (in this case since Nuance isn’t a covered entity) can argue that it is unlikely that the information was compromised, then breach notification is not required. The Petya malware – which arguably isn’t ransomware — does not send data anywhere but instead permanently encrypts it (in essence, destroying it), so assuming Nuance can restore the PHI from backups, it may be able to successfully argue that the information was never exposed or threatened.
NUAN share price has declined just 5 percent since its systems went down Tuesday.
Nuance seems to be understandably struggling with its public communication, same as any of us who would rather be fixing the problem than explaining it individually to every user affected by it. Some customers say the company is doing a great job of keeping them in the loop, which probably means that it’s doing the best it can given potentially outdated or incorrect contact information. The company:
- Launched a communications page that was quickly taken down.
- Announced in a press release that updates would be provided on a different page and via a Twitter account, neither of which contain any updates.
- Hastily put up still another page (I’m inferring “hastily” given spelling and punctuation errors) and went silent on Twitter except for a single link to the newly created page.
- Is taking heat from its transcriptionists who are questioning in the absence of definitive updates from Nuance whether they’ll be paid for being unable to work during the several days’ of downtime. However, a Nuance email to employees says they will be paid their normal rate for their scheduled hours and will be offered incentive pay to help clear the post-resolution reports backlog.
From Gordon Gecko: “Re: my KLAS-corrected comments about Cerner. My math is right. I included ‘new’ customers, which are of more interest to the Street, and excluded add-on sales to existing customers. I also said ‘if you take away DoD and the 30 micro-hospitals,’ 85 total. I included all Cerner losses. Maybe the most relevant takeaway is that there have been more Millennium defections in the last two years than Soarian defections. Looks like for every Weirton and Pinnacle that sues Cerner to escape Soarian, there are dozens who don’t dare.”
From Yuge Surprise: “Re: DoD. The swam is not draining, but swirling.” Frank Kendall — the Pentagon’s recently retired undersecretary of acquisition, technology, and logistics — joins the board of Leidos. Kendall presided over the DoD’s selection of Leidos for its $4.3 billion EHR project.
HIStalk Announcements and Requests
HIStalk had 12,114 page views Wednesday, which I assume can be attributed to ransomware interest and the fact that – because of reader tips — I reported Nuance’s incident many hours before anyone else. It was the fourth-busiest day since I started the site in 2003.
This week on HIStalk Practice: HHS announces $195 million in HIT-related community health center funding. BCBS of Nebraska takes over Think Whole Person Healthcare. Rhode Island providers protest PDMP legislation.Independent Health forms Evolve Practice Partners. Physicians show a decided lack of interest in MACRA prep. PatientPoint raises $140 million.
July 11 (Tuesday) 1:00 ET. “Your Data Migration Questions Answered: Ask the Expert Q&A Panel.” Sponsored by Galen Healthcare Solutions. Presenters: Julia Snapp, manager of professional services, Galen Healthcare Solutions; Tyler Suacci, principal technical consultant, Galen Healthcare Solutions. This webcast will give attendees who are considering or in the process of replacing and/or transitioning EHRs the ability to ask questions of our experts. Our moderators have extensive experience in data migration efforts, having supported over 250+ projects, and migration of 40MM+ patient records and 7K+ providers. They will be available to answer questions surrounding changes in workflows, items to consider when migrating data, knowing what to migrate vs. archive, etc.
Acquisitions, Funding, Business, and Stock
Cincinnati-based physician office marketing technology vendor PatientPoint raises $140 million in financing from private investment firms.
Anti-trust concerns cause Walgreens and Rite Aid to cancel their planned $9.4 billion merger and instead strike a deal in which Walgreens will buy half of Rite Aid’s drugstores for $5.18 billion in cash. In other news, Walgreens apparently puts its much-regretted experience with Theranos behind it in that LabCorp will offer specimen collection services in some of its stores.
Diabetes management app and data analytics vendor Glooko raises $35 million in a Series C round, increasing its total to $71 million.
Henry County Health Center (IA) chooses FormFast’s FastPrint and FormFast Capture.
MedeAnalytics hires Paul Kaiser (TriZetto Provider Solutions) as CEO.
Anna Clark (Truven Health Analytics/IBM Watson Health) joins Medecision as SVP/chief revenue officer.
Greg Chittim (Arcadia Healthcare Solutions) joins Health Advances as VP/healthcare IT practice leader.
Announcements and Implementations
Ability Network adds physician scheduling to its ShiftHound workforce management product.
Novant Health (NC) and Carolinas HealthCare System (NC) begin exchanging patient information via an HIE.
Government and Politics
An HHS/ONC bulletin warns of the most recent ransomware threat and provides recommended actions for affected sites.
CMS halts its planned release of Medicare Advantage of claims data at the last minute, cancelling a conference presentation at which it was to have been unveiled. CMS blames unresolved issues with the quality of the information, which immediately raises questions: (a) if CMS is using the information to pay providers, why isn’t it good enough for research purposes?, and (b) given lack of commitment to an updated release date, will the data ever see the light of day?
The Senate considers legislation that would ban the Department of Defense from doing business with antivirus software firm Kaspersky Lab, citing intelligence agency concerns about the company’s close ties to the Kremlin.
This headline and the threat it references say a lot.
Privacy and Security
Heritage Valley Health System (PA) has brought its hospitals back online following its ransomware attack Tuesday, although its community locations remain closed. Princeton Community Hospital (WV) says it will “rebuild its computer network from scratch” following its Tuesday infection and it remains on diversion.
An interesting analysis of the Petya malware concludes that it’s not technically ransomware since it has no ability to actually recover the drives it encrypts even if the victim pays. The author says Petya is instead a nation-state authored “wiper” that is intended to destroy systems, disguised as ransomware to influence media reports. The intended target may have been institutions in the Ukraine, with the malware’s global spread possibly being unintended. That would make Russia the obvious suspect.
In a bizarre incident highlighted by DataBreaches.net, a federal judge chastises California’s attorney general for harassing movie site IMDb.com, the subject of a California law that requires the site to remove the factual age of celebrities who want that information hidden. The Screen Actors Guild backed the law – now blocked by injunction — by saying it would reduce Hollywood age discrimination.
A BCBS analysis of insurance claims finds that opioid addiction diagnoses have increased 500 percent in the past seven years. Twenty-one percent of patients whose claims were reviewed filled at least one opioid prescription in 2015, while the study also found that short-term, high-dose therapy increases the chance of addiction by 40 times compared to lower doses.
In Kenya, three men are charged with stealing the body of a four-year-old from a hospital morgue, apparently with the intention of burying it. The hospital wouldn’t release the body because his family hadn’t paid his bill.
I love dogs, but this is as ridiculous as people scamming airlines into providing free main-cabin rides for their “emotional support animals.” A woman brags on Twitter that she snuck her grandmother’s dog into the hospital to see her, swaddling it to look like a baby. A fellow smuggler voiced support in providing a photo of the dog he brought in (or rode in) as a visitor. Apparently many folks believe that rules apply to them only when convenient.
- IDC Health Insights recognizes NTT Data as a Top 25 Enterprise.
- Reaction Data publishes an industry brief on the Lexmark/Hyland acquisition.
- Optimum Healthcare IT posts a video of the recent presentation of Dan Critchley, CEO of managed services, at UK eHealth Week.
- ECG Management Consultants releases a new white paper, “ASCs at a Tipping Point: The New Reality of Surgical Services for Health Systems.”
- Glytec publishes a new case study, “With Glytec, Hospital Moves to Basal-Bolus Insulin, Saves $9.7 Million.”
- Imprivata will exhibit at the Patient Safety Congress July 4-5 in Manchester, England.
- Twenty-seven Influence Health customers upgrade to its new Web CMS.
- Value-based Healthcare: The Patient is at the Center but Data is the Key (Liaison Technologies)
- How EHR implementations are getting more creative (Nordic)
- Agile Healthcare: The Communication and Coordination Challenge (LiveProcess)
- Remembering the 5 Ps (Optimum Healthcare IT)
- Meditech Nurse and Home Care Forum Highlights Strong Patient/Provider Relationships (Meditech)
- PAMA and MACRA – A Surprising Twist (National Decision Support Co.)
- This July 4, declare independence from your healthcare revenue cycle management challenges (Navicure)
- Focus on Outcomes – Moving to Value-Based Health Care (Netsmart)
- A Chance for PCPs to Intervene in the ED (PatientPing)
- A Peek into ANI 2017: Collaborating for the Future (Patientco)
- By Any Other Name (PatientKeeper)
- Chronic Care Management: Improving Quality of Care (EClinicalWorks)
- Your Promotion is Waiting – Skills Needed to Successfully Transform Your Marketing Department (Evariant)
- Culture Shock: 9 Ways Your Organization Can Prepare for a System Change (Hayes Management Consulting)
- When is the Best Time for an EHR Go-Live? (The HCI Group)
- Six Steps to Bring Innovation to Your Marketing Strategy (Healthgrades)
- 4 ways an integrated EHR can improve cancer management (Meditech)
- 5 Reasons Health Care Organizations Crush on Content as a Service (Healthwise)
- Scottsdale Institute CIO Summit Provides Strategies for EHR Value Realization (Impact Advisors)
- Improve Your Patient’s Satisfaction by Consolidating Self-Pay Balances (Impact Advisors)
- User Experience is Consumer Experience (Influence Health)
- Claims are so yesterday – What is your clinical data strategy? (InterSystems)