EHRs, BCBSNC, Ransomware

Healthcare EMRs [personal]

I had the misfortune to sprain my wrist recently, which required a medical facility visit. After lengthy waits and treatment, the discharge papers (a handout with no digital option) disclosed the usual suspects such as purpose of visit and treatment, meds given and prescribed, and follow-up procedures. Here is where the follow-up gets hairy, approaching fubar. At the left is the first page of an actual discharge paper given out by the Emergency Department. It touts their secure access to your health records and provides a way to contact your doctors and allied professionals. Near the bottom are follow-up instructions: who to see, address info, phone number, and timeframe. The mistake I made was depending on the forms in the service to set up an appointment for today. Their system did not work, and when a call was made late Thursday about it, the staff was unapologetic and less than helpful about it.

This is but one example of how Electronic Medical Records (EMR) failed in real world applications, the kind that drives costs up and reduces outcomes. A copy of the record that I was given was sent to the specialists’ office, which they acknowledged; it made its way to the digital equivalent of the circular filing cabinet, the “ignore” bin.

An education about how EMRs are not really what is needed for healthcare reform and cost containment sheds light on the subject. There is the concept of Electronic Health Records (EHR). An EMR is a digital version of the paper charts in the doctor’s office, scanned for archival and supposedly sharing purposes among vetted parties. Right answer, wrong question. A move to EHR takes these digitized documents and facilitates sharing throughout the whole system by design. “The EHR represents the ability to easily share medical information among stakeholders and to have a patient’s information follow him or her through the various modalities of care engaged by that individual” (Peter Garrett & Joshua Seidman PhD, 2011, para. 6).

This was five years ago, with little action taken on it. The facility certainly dropped the ball on passing the information, with the patient suffering negative outcomes because someone did not think through a system promoted by “suits” who generally do not have a clue about what happens on the front lines of care.

This leads us to the present. National Coordinator for Health IT Karen DeSalvo wants to move forward with public access to their own data with a measure of control that is anathema to the profitable business of “blocking” data. The Office of the National Coordinator (ONC) said its 2016 goals include continuing to “build the economic case for interoperability,” coordinate with industry stakeholders to enhance consumer access to data, and to discourage health information blocking (Hall, 2016, para. 8). There are many avenues to making dollars in the corporate world; I do not understand how blocking data allows this to happen beyond a potential lock-in, similar to the Windows lock-in for personal computing back in the day.

BCBSNC Shakeup

A recent media report says the #2 person at Blue Cross Blue Shield of North Carolina (BCBSNC) has resigned, leaving behind a mess of a computer system tied to mistaken billing of customers and other software issues.

Name: Alan Hughes
Title: Chief Operating Officer (COO)
Compensation: $1.77M (2014)
(John Murawski, 2016)

I was a customer of BCBSNC during my “interim” period prior to Medicare [long story], and based on most of my interactions with them on the phone and in person, their flawed systems are no surprise. Someone has to fall on their sword, and there is usually a severance associated with this, which was not disclosed in the piece, but I do not think he will visit the poor side of Durham County anytime soon. When your background is Chief Information Officer (CIO) and the information system does not work properly, it happens. The Department of Insurance has reported 11,162 customer calls as of April 1, including 2,346 complaints against the insurer. The agency’s investigation could result in fines against Blue Cross of up to $1,000 per violation per day (John Murawski, 2016). That has to leave a mark, but it is an election year in North Carolina, so “stay tuned”.

Ransomware

UPDATED: Symantec said, “The 2007 and 2010 fixes referenced in the article were not contributing factors in this event” (Ann C Nickels, 2016). Further comment will not emanate from MedStar, in accordance with the advice of IT, cybersecurity and law enforcement experts.

This topic will not go away. The hackers that penetrated MedStar Health in the Maryland/DC region came in through a 9-year-old flaw in JBoss, an application server courtesy of Red Hat Inc. (Tami Abdollah, 2016). As night turns into day, the hospital chain denies this. It must be stated that part of the mission of hackers is to expose weak spots where found. This time, it is the Samas or “samsam” vector, specifically for JBoss middleware and other Java-based servers. More details can be found here and here. When an IT person in charge of security ignores application threats from the writers of such software and the government on at least 2 other occasions, that would fit the definition of maleficence. MedStar is in deep doo doo, but admitting it would bring more of the wrong kind of attention in a competitive marketplace. Never mind that these breaches are not specific to this chain.

Bibliography

Ann C Nickels. (2016, April 6). MedStar Response to Incorrect Media Reports. MedStar Health. Retrieved from http://www.medstarhealth.org/mhs/2016/04/06/medstar-response-incorrect-media-reports/

Susan D Hall. (2016, April 7). Karen DeSalvo: Tech can improve patients’ access to health data. Retrieved April 7, 2016, from http://www.fiercehealthit.com/story/karen-desalvo-tech-can-improve-patients-acesss-health-data/2016-04-07

John Murawski. (2016, April 5). Blue Cross executive resigns amid technology fiasco | News & Observer. The News and Observer. Raleigh, NC. Retrieved from http://www.newsobserver.com/news/business/article70020192.html

Peter Garrett, & Joshua Seidman PhD. (2011, January 4). EMR vs EHR — What is the Difference? Retrieved from https://www.healthit.gov/buzz-blog/electronic-health-and-medical-records/emr-vs-ehr-difference/

Tami Abdollah. (2016, April 5). Hackers broke into hospitals despite software flaw warnings. AP The Big Story. Washington DC. Retrieved from http://bigstory.ap.org/article/86401c5c2f7e43b79d7decb04a0022b4/hackers-broke-hospitals-despite-software-flaw-warnings
