Medhost’s public website medhost.com was hacked Tuesday morning, according to a cyber intruder’s message that replaced the company’s usual home page content.
The hacker demanded 2 bitcoin ($37,000), threatening to otherwise “sell the patient data and do a media release regarding the lack of security in a HIPPA [sic] environment.” Medhost offers hosted financial and clinical systems, an emergency department system, a patient portal, and a health and wellness site.
The site had returned to normal by Tuesday afternoon with no acknowledgement of the previous problem on the site or on social media. A Medhost spokesperson did not return my call in which I asked for verification of the hacker’s claim that patient data was exposed.
UPDATE: shortly after the normal home page was restored late Tuesday afternoon, the site was apparently hit again with the “this website has been hacked” message restored.
UPDATE 2: Medhost CISO William Crank reports that the problem has been resolved and no information was compromised:
MEDHOST has full control of the domain, and the restoration of the domain and associated applications has been completed. Depending upon geographic location, sites may already have full access, but it is possible that the DNS restore process could take up to 24 hours to propagate the changes due to TTL. Intermittent application impact may be experienced by end users during that time. MEDHOST wants to reiterate that there is no indication that sensitive information was compromised and the incident didn’t extend beyond the redirection of the MEDHOST DNS to a static site with the message your article referenced. We strive to provide a robust and secure platform for our clients and continue to investigate this incident and its root cause.
From Athenahealth: “Re: APIs. We have integrations with over 200 innovators and a developer community of 7,000, processing 700 million calls per month. Our single-instance, multi-tenant cloud platform allows a global integration model that allows immediate access to all partners for our clients – where innovators connect once and then are activated at clients with the flip of a switch. We agree that talking numbers is interesting, but more so, let’s start to talk about API usability and the downstream impact of API calls.” It’s encouraging that Allscripts, Epic, and now Athenahealth have checked in with big API usage numbers. None of these are surprising – Allscripts (in the form of the acquired Eclipsys) pretty much defined the idea of inpatient systems with “hooks” as we called them in the old days, while Epic and Athenahealth stay current in deploying modern technologies and Athenahealth’s system is based on connectivity. I’m guessing Cerner has impressive numbers although I haven’t seen them.
From Event Attendee: “Re: John Halamka’s installation as Harvard Medical School’s inaugural International Healthcare Innovation Professor of Emergency Medicine. I had the distinct honor of attending and snapped a picture of a few notable CEOs in the room – Jonathan Bush (Athenahealth), Girish Navani (EClinicalWorks), and Hoda Sayed-Friel (Meditech). It’s remarkable that they spent the morning together honoring his lifetime of achievement.”
From Earth Shatterer: “Re: Epic. What exactly is Sonnet?” Sonnet is a streamlined, cheaper, faster-install subset of Epic’s full software suite being developed that will target small hospitals and physician groups, post-acute care facilities, and some international organizations. It will be released in March 2018. Sonnet was announced at HIMSS17 along with Utility, a fast installation program that gets customers live faster with fewer modifications. Epic says Utility implementations started in Q4 2017 (it’s now Epic’s most popular implementation method) and the first Utility-implemented customers will go live in 2018. Judy Faulkner chooses all Epic product names herself and they always contain a subtle reference, in this case with the word “sonnet” as translated from Italian as “little song.” Epic has tried similar rollouts in the past, twice in a partnership with Philips in the early 2000s and another attempt a few years later using the Sonnet name that may have failed because of newly mandated Meaningful Use requirements, but this one seems like a done deal.
From Who Else Remembers?: “Re: selection consultants having a conflict of interest. This is reminiscent of the late 1980s and early 1990s when Arthur Andersen was accused of a similar bias. Back then, the cozy relationship resulted in a string of predictable yet questionable wins for Gerber Alley and Statlan. Andersen would do the selection and inevitably be granted a large advisory and implementation role post award. Notably, Jay Toole and Andersen were crisscrossing the country espousing the virtues of a best-of-breed approach that needed lots of consulting help, for which Andersen was all too eager to offer the brave buyers of these footnotes in HIT history.” It’s a longstanding question of whether consulting firms that sell system services should be asked to help customers choose those same systems, at least without first recusing themselves from earning future business related to the selection. On the other hand, health systems can hire whoever they want and are presumably acting in their best interest. You mentioned Jay Toole, and in tracking him down, I learned that Dearborn Advisors filed Chapter 7 bankruptcy and apparently closed earlier this year. For more about Gerber Alley, see Vince’s HIS-tory.
From Fanny Pacque: “Re: vendor underbidding. Epic underbids (probably to their advantage) relative to their competitors. Implementation services, additional software, etc. always come later and require direct third-party engagement. This is the tick-tock on how you get to projects that go 2-3x over budget. Example: San Francisco Department of Public Health, which is a few months out from choosing Epic and they’re already bidding out voice recognition software, revenue cycle implementation, HIM, and patient outreach. You can see why Allscripts, Cerner, and others might suggest increased transparency on this topic since they provide fully loaded proposals.” San Francisco DPH’s several Epic-related RFPs are here (on the right side of the page as part of RFP 47-2017). I would think a prospect would know to compare apples to apples in choosing a vendor, but sometimes they get so mentally locked in to their favored vendor that they don’t dig deep enough and/or their lack of EHR selection experience makes them unsuited to detect contract land mines.
HIStalk Announcements and Requests
The efficiency of DonorsChoose is always impressive to see – we funded the teacher grant request of Mrs. A in Michigan on December 10 and her students are already using the STEM kits and experiment books we provided just nine days later, as evidenced by the photos above. She reports, “My students and I are so elated that this project was funded. The excitement they showed when we unwrapped the science kits was unprecedented! I wanted to thank you again for your very generous donation. The students are now able to take science out of the science classroom and bring it in to their homes. Not only have you allowed the students to experience science phenomena, you have also allowed their families to as well! Many of my students and their families do not have access to the items that will enable them to perform these experiments and now they do! You have truly helped to create lifelong memories.”
Welcome to new HIStalk Platinum Sponsor Ellkay, which brilliantly taglines itself as “Healthcare Data Plumbers.” The Elmwood Park, NJ-based company enables interoperability, providing a data pipeline for 45,000 practices and 500 PM/EHRs and connecting hospitals, practices, labs, payers, HIEs, and ACOs using almost any system. Products include connectivity for diagnostic labs; PM/EHR integration and data migration, lab orders and results interfaces; and ACO/HIE connectivity solutions. Its CareEvolve portal and interfaces provide clinical workflow support between laboratories and the point of care, while hundreds of hospitals have used Ellkay’s data extraction, conversion, and archiving services to decommission legacy systems. Black Book included Ellkay on its list of 2017’s most disruptive health IT companies that have top customer satisfaction scores. The company’s “Our Story” page is the most entertaining and fascinating backgrounder I’ve seen and the story about why they installed beehives on the company roof roped me in completely. Thanks to Ellkay for supporting HIStalk and for entertaining and informing me with an unusually cool website.
Acquisitions, Funding, Business, and Stock
High-profile Silicon Valley investor Bill Gurley – an early Uber backer whose startup Brighter was just acquired by Cigna – launches Stitch Health, a Slack-like care team coordination and patient engagement platform. The Connect team communication system costs from $6 to $18 per user per month depending on features. Stitch CEO and co-founder Bharat Kilaru is a 2015 Harvard MBA graduate and ran a Nashville clinic for the underserved until 2013.
Pittsburgh-based specialized outpatient clinical documentation vendor Net Health will be acquired by two private equity firms and the company’s management team.
Humana and two private equity firms will acquire home health and long-term care operator Kindred Healthcare for $4 billion, continuing the trend of insurers moving into direct patient care.
A New York Times review of proposed health system mega-mergers contains some interesting quotes:
- “Hospital executives are realizing that someone else, including an insurance company employing the nurse at a walk-in clinic or the doctor at a surgery center, wants to take over their relationship with patients — and the potential revenue that those patients represent.”
- “But many point to the promises of past mergers as reason to doubt whether the hospital mergers allow much more than an ability to demand higher prices from insurers. After the last wave of mergers that took place a few years ago, the hospitals didn’t use that opportunity to bring their costs down.”
- “The challenge cannot be underestimated in asking these massive institutions to come together and change into something radically different. You’re taking a zebra and a zebra … what they want to become is a unicorn.”
Silicon Valley, meet Bubble 2.0: SoftBank will invest up to $300 million in a dog-walking app vendor that has already raised $40 million.
Mercy Health chooses PatientPing for real-time patient care coordination.
Recondo Technology hires Craig Niemiec (AxisPoint Health) as CFO.
Patrick Neil Mescall, PhD (Businessolver) joins VirtualHealth as SVP of channel development.
Former National Coordinator Karen De Salvo, MD, MPH, MSC joins Dell Medical School at the University of Texas at Austin as a professor, with appointments in internal medicine and population health.
Announcements and Implementations
A survey of a few dozen hospital CIOs finds that the biggest jump in deployed mobile strategy components over the next three years will be in critical test result alerts, clinical decision support alerts, and care team assignments. Respondents also indicated that their investment in communications technologies will be slightly more driven by system integration capabilities than by end user needs.
I’ve never heard of CHIME’s 2014 spinoffs AEHIS, AEHIT, and AEHIA – which seem to have been created primarily to help CHIME to lasso new dues-paying members who don’t meet the job qualifications to join CHIME since they aren’t CIOs (security executives, CTOs, and application leaders, respectively) – but for those CHIME members who are interested, they’re waiving dues for 2018. I don’t quite understand why a prominently posted press release on the site of AEHIS (that’s the security group) is “Fujifilm Captures New Customers for its Synapse Enterprise Imaging Solutions,” but then again I don’t usually like providers and vendors sharing an association-provided membership bed even when a logical connection exists. As readers have observed, CHIME is mimicking HIMSS in seemingly trying to get bigger, more vendor-friendly, and more executive-compensating, but its members are apparently OK with that and that’s all that counts.
Government and Politics
Americans say healthcare is the country’s second-biggest problem behind the government, Gallup finds. Healthcare hasn’t been one of the top two problems since 2007, when it finished a distant second to Iraq.
Privacy and Security
White House Homeland Security Advisor Tom Bossert says in a Wall Street Journal op-ed piece that North Korea launched the WannaCry malware attack earlier this year that hit hospitals hard, adding, “Pyongyang will be held accountable.”
A Black Book survey finds that 84 percent of healthcare provider organizations don’t have a chief information security officer, 54 percent don’t conduct cybersecurity risk assessments, and 39 percent don’t perform regular firewall penetration testing. The survey also finds that few boards of directors actively discuss cybersecurity.
Yet another exercise proves that de-identifying patient data doesn’t really work, as a university in Australia (as several have done) matches up a publicly released Australia Medicare database and re-identifies patients by linking their information to other publicly available databases. The Australian government is considering laws that would make re-identifying government data illegal, which is an interesting (and not in a good way) approach.
A reader whose company has nothing to do with healthcare consulting was surprised to have it shortlisted among the “Top 10 Healthcare Consulting Firms 2018,” which comes with a (free) certificate and (not free) interview reprint rights from a magazine called Enterprise Services Outlook. The magazine shares a telephone number and street address with shady magazines (CIO Review and Healthcare Tech Outlook) published by Bangalore-based marketing firm SiliconIndia. I’ve previously noted the hilarious misspelling of HIPAA on the cover of Healthcare Tech Outlook and the fact that its covers always feature males. It has published an article by UC Health CIO Steve Hess (which also appeared word for word in Becker’s Hospital Review under a different UC Health author’s name) and by other health system CIOs like Marc Probst and Dan Waltz who probably don’t even realize who they’re writing for. The magazine invites readers who “skimp” [sic] its questionable vanity content to join its august roster of contributors.
Jenn ran this fun item on HIStalk Practice: an Australian nurse becomes his own patient when he begins experiencing chest pains while manning a telemedicine clinic in the remote area of Coral Bay. After calling an ambulance and prepping his own epinephrine and shock pads, he called in to a physician in Perth using the Emergency Telehealth Service. Bea Scichitano, MD was on her first ER shift when she took the video call. “I think it probably took me a few seconds to cotton on to the fact that he was the nurse and the patient at the same time,” she said, “so that was a bit of a shock.”
Moxe Health founder and CEO Dan Wilson reads “’Twas the Night Before Go-Live,” an HIT-focused song parody written by Jay Rath. Jay fascinates me because in addition to having spent time with Epic, he’s a former staffer at “The Onion,” a contributor to “Mad” magazine, and has a broad background in theater and radio comedy.
Wendy from Bellin Health (WI) sent a photo of the Epic Willow team’s holiday-decorated cubicle area in the IT department that creatively adds a fireplace inside and a welcome mat out front. The coats inside prompted me to check Green Bay’s weather forecast – Tuesday was to be sunny with a relatively balmy high of 40 degrees and a low of 11, but Christmas will be biting as temps struggle to rise to zero (Fahrenheit, just to be clear).
- The InstaMed team delivers over 900 presents to the Children’s Hospital of Philadelphia.
- Definitive Healthcare adds visual dashboards to its hospital and provider databases.
- Elsevier Clinical Solutions publishes a new white paper, “Build or Buy: Considerations when adding a new Clinical Decision Support System.”
- FormFast publishes a new case study, “East Alabama Medical Center Saves Time and Cuts Costs with FormFast’s Leading Form Design Technology & Services.”
- Healthfinch publishes a new case study featuring Valley Medical Group.
- Data analytics from Arcadia Healthcare Solutions supports a New York Times skin cancer investigation.
- T-System President and CEO is recognized at D CEO’s “Excellence in Healthcare” awards program.
- Besler Consulting releases a new podcast, “Perspectives on the Alex Azar nomination for HHS Secretary.”
- Mphasis Eldorado and Change Healthcare expand their partnership to include integration between Javelina and Change Healthcare’s payment integrity services.
- 5 Tips for a Consumer Friendly Front Desk (Hayes Management Consulting)
- 6 Resolutions for a Healthier and Happier New Year (Healthgrades)
- The Evolution of Healthcare and Railways (Optimum Healthcare IT)
- Gartner to healthcare provider CIOs: Evaluate biometrics for their most important patient identification use cases (Imprivata)
- The New Healthcare CRM: Moving Beyond Marketing (Influence Health)
- A Look Back: The Top Tips of 2017 (Leidos Health)
- Red Flags You Have a Patient Access Problem (Kyruus)
- MIPS Cost Component – Three Things You Need to Know! (Impact Advisors)
- The Healthcare Platform Advantage: How to Do More With Less (Spok)
- Address All Four Parts of HIPAA Compliance (AdvancedMD)
- Agfa HealthCare proudly supports the UNICEF Emergency Fund (Agfa HealthCare)
- Q4 Industry Report: Shadow IT’s positives and negatives within healthcare (Datica)
- Amazon, CVS and Aetna: Online Medicine and the Future of Healthcare (CareSync)
- Navigate the Penalties & Bonuses of the 2018 MIPS Reporting Year (Chart Logic)
- Celebrating the Holidays with Karson and Make-A-Wish Foundation (CoverMyMeds)
- Embracing the Spirit of Giving (Dynamic Computing Services)
- How Will Artificial Intelligence and Machine Learning Impact Healthcare? (Dimensional Insight)