Posts

posted by adgrooms on June 3, 2019

With the digital transformation of healthcare, everyone is using more software systems and apps, each one requiring a secure password. A password is supposed to be long, complex, and never reused. Creating and remembering many passwords that meet those guidelines can be a challenge. Password management software can help generate and store complex passwords and is more secure than other methods, like writing down passwords or reusing a handful of secure passwords. A Pew Research Center report found that most people memorize passwords and relatively few are using password managers. The reasons for this are unclear. Let's look at whether mistrust in password managers is a well-founded reason.

To get into a password management system you are usually required to have a master password. Password managers have very good encryption and cryptography to keep out hackers trying to crack the system, but if a hacker gets a hold of the master password, then they have access to ALL of the user's passwords. With a password manager, it is important to choose a very secure master password.

One vulnerability is the ability to retrieve your master password if it is forgotten. Retrieval features allow hints to help remember the master password, or even a password reset email to be sent to the user. This makes it easier for a hacker to obtain the master password, especially if they already have access to the user's email. A secure password management system should have no retrieval available, and the master password should be complex but memorable.

Another potential vulnerability arises if a malicious person has access to a target device: they could install a keylogger to capture the master password as it is entered. A good prevention method is to make sure the password manager has two-factor authentication. This requires a code generated and sent to a second device to be entered for access.

The HIPAA Password policy does not specifically mention password management software, but the majority of experts believe that use of a password manager is the best way of achieving compliance. Nothing is 100% safe, but if properly used, a password manager can be an effective way to combat medical data thieves.

posted by adgrooms on May 30, 2019

We have recently looked at the risk of phishing scams in healthcare and how to avoid them. We have seen that the number of patient data breaches has reached one per day in 2018. But why do hackers continue the relentless attacks on healthcare institutions? What are the hackers after? What reward do they receive?

Patient records are incredibly valuable as far as stolen data goes. A patient data record carries a potential wealth of information. A single patient record could contain a driver's license number, credit card numbers, insurance information, and all of the individual's collected medical data.

Once a hacker obtains the data they can sell it in blocks to other criminals. The information can be purchased and used many times over. For example, a criminal can augment the information into false credentials to sell, or the information can be divided up and sold as individual driver's licenses, social security numbers, and insurance cards. And at any point in the sales, the information can be used for other criminal activities.

From the personal identification information (social security number, driver's license, date of birth), the medical record can be used for identity theft. From insurance card numbers and personal health information, it can be used for health insurance fraud: filing and receiving payment for false claims. The personal health information can also be used to purchase medical equipment, drugs, and even medical procedures.

While a stolen credit card carries an immediate payoff, mechanisms are in place to quickly discover abuse and shut it down. There is no protection mechanism for health data comparable to the protections on credit cards, and there is no limit on the number of times it can be sold and used. The damage to victims of healthcare identity theft can be far-reaching and last for years.

The high value of medical data and the large number of records amassed in health systems will perpetuate the threat of hacking for medical institutions into the foreseeable future. The threats will continue, but the precautions are relatively simple. The key to security is to make access so difficult as to be not worthwhile. We can go a long way toward accomplishing this by remaining informed and vigilant against phishing and keeping passwords secure.

posted by adgrooms on May 29, 2019

Physician-led team-based care is widely used as a coordinated effort to provide higher quality care to patients. Team members of different specialties are included to provide different strengths in a coordinated effort to create better outcomes. A team effort in a clinical setting has its challenges, and technology can help.

To accomplish effective team care, exceptional communication and information sharing between team members is needed. A tool that pulls data from an EHR and distributes to individual team members while seamlessly incorporating communication would be beneficial. Providing individual team members the ability to select and view relevant information would help them both focus attention and reduce preparation time before a conversation with the patient or other care team members. Dictation and voice recognition could be used to record and share notes and observations from patient visits. In addition, an integrated secure messaging system could ensure the team can coordinate care more efficiently.

Effective communication to and from the patient is essential to provide a sense of trust in the team. If different team members relay contradictory messages, trust is eroded. Trust could be supported by consolidating and making treatment and planning information accessible to the patient and family. The patient-facing interface could provide an easy to understand summary of procedures, prescriptions, and visits from care providers. Bi-directional notes from both patient to provider and provider to patient could further aid communication and improve trust. These notes could be written at any time, providing a way, for example, for a patient to log how they are feeling at a particular time, drug interactions, or a question for a particular care team member.

The physician, as a leader, should have an interface that provides an overview of patients and team members that is easy to read and manage. They should be able to dictate a plan of action for the patient that automatically coordinates and notifies team members what is required of them. Visualizations could be implemented, such as a patient timeline, to quickly understand and assess a patient’s progress.

Team-based care could benefit from a comprehensive, easy-to-use coordination system that integrates seamlessly with the EHR and encourages patient participation.

posted by adgrooms on May 28, 2019

Stealing and exposing patient data is, unfortunately, a lucrative activity. Hackers are relentlessly looking for vulnerabilities in institutions that amass personal health data. In 2018 there were 365 data breaches involving patient data; that is one per day! In addition to the personal costs to the individuals who are compromised, data breaches are expensive to the institutions. In 2018, healthcare systems paid out over 28 million in HIPAA fines and penalties.

Although hospital IT departments do a great job of thwarting attacks, having a secure, single-user login is the last line of defense before a breach happens. Hospital systems are increasingly interconnected, and one piece of software treated with lax security could jeopardize the whole organization.

It might not seem like a big deal to share a password among colleagues, especially if there is a rotating staff. It can seem like an administrative efficiency; instead of having to add and remove user accounts periodically, just give the login to new staff. In a trusting environment of medical professionals, it may seem highly unlikely that this practice would lead to a problem, but it does increase exposure to hackers in several ways.

First of all, the distribution of a shared login creates opportunities for hackers. If a password is emailed or sent as part of onboarding materials to temporary team members, it can be more easily stolen. Lack of accountability gives a user less incentive to keep the shared login as secure as possible. Use of a login that has been passed around may cause users to save the password insecurely on their computer desktop or a similarly convenient location for easy access. If the password storage device does not have a secure password itself, it can be an easy win for a hacker.

Another problem is the lack of changing the password periodically. Those who use shared logins typically hand out the same password over a long period of time. The more logins that are handed out to team members, the more important it is to change the password from time to time in case the password is mishandled or ends up in a compromised situation. However, changing a password and notifying all users is inefficient and could cause a lapse in access if they don’t receive the notification.

Shared logins also prevent an IT team from tracing the source of a security breach quickly. In the event that a breach occurs, time plays a role in the effectiveness of containment. Single-user logins give an easier path to find the attack and shut it down to limit the damage. Many IT departments have policies against shared logins for this reason.

Passwords are highly prized targets for hackers. Not exercising the highest level of security practices in healthcare can lead to compromising patient data. How can we encourage or make it easier for users to never share a login and to change their password regularly?

posted by adgrooms on May 24, 2019

A trip to the hospital can be a stressful and overwhelming experience. While the patient is already unwell and concerned, they are also receiving information and guidance about their current and future care from physicians and therapists. Upon discharge, the patient or caretakers must take this information and continue self-treatment at home. But how is the patient to keep track and apply all of the advice and instructions - some spoken, some printed?

Patient portals may contain notes about the visit, but often don’t have detailed information that a patient was given in person. Many patients lose printed discharge information and reasonably resort to looking for the information online. However, this is lacking the specific input from the various specialists and therapists that all provided direction.

An ideal solution would be an after-visit summary that consolidates information from all points of care and that a patient could access at any time in their portal. Of course, producing these notes for every patient in language that they could understand would be extremely time-consuming for a physician. This is another area that could be helped by dictation systems. Capturing the instructions as each care provider speaks them to the patient and providing both the audio and transcribed text would help a patient remember what was conveyed.

Additional information could be automatically supplied with libraries of information tied to medical coding. Instead of asking patients to remember to ask for key information and keep track of the answers, these formats could become electronic templates and be filled with specific details. This could be further enhanced with the ability for physicians to include additional instructions as needed. The information library could be made to take into account the specifics of a patient such as prescription information, health numbers to monitor and aim for, and dietary instructions/goals.

Outcomes can be improved with better patient discharge information. Providing the information in an understandable and accessible way can benefit communication and help a patient take an active role in their recovery.