FDA Announces New Steps to Empower Consumers and Advance Digital Healthcare

I wondered out-loud in a draft version of this blog post the following:

I cannot tell if this is the career politician FDA speaking or what, and frankly, this shouldn’t be an issue with any administration, but it sure is with this one.

Upon further review, this is the type of announcement was expected and favored; and consistent with the history of the FDA Commissioner, a political appointee of POTUS45. I fully understand the temptation to speed the process up of software when it comes to medical capabilities. This process has been thought carefully, but two things stand out for me.

  1. HIPAA is the law of the land when it comes to digital medical records. This is a complicated system; that is where we are. How does this idea of a pre certification tie into these requirements? Blog posts on this subject here, here, here, and here.
  2. All of this is moot if the majority of citizens can’t access it due to not being covered under Medicare and Medicaid; the very constituency that can be best served by digital medical options in software including telehealth initiatives.

As for point #2, the rules for current Medicare reimbursement are found here (PDF) and are in my opinion, lacking. A change of mindset when it comes to payment overshadows any other aspect of our current system. In my ideal health care system, there would be Medicare for all with the private insurance market to fill gaps similar to Medicare Supplement policies of today and to “jump the line” in services for a fee. Digital medical options, such as Telehealth and Software based Medical Case Management would be included in the base Medicare and Medicaid plans.

FDA Announces New Steps to Empower Consumers and Advance Digital Healthcare [Official]

Continue reading

Crazy Eddie’s HIPAA & Swap Shop

HIPAA compliance is not optional or dependent on the size of the business. In spite of some best efforts, the data host chosen, do so carefully. Or you could end up like Metro Chicago Hospital Council (MCHC) as a non-profit, has a Health Information Exchange (HIE) that is subcontracted. What happens if your provider leaves the market and takes its data store with it? Fortunately for them, they got a judge to be on their side long enough to ensure a proper transition. A federal judge ordered Sandlot Solutions Inc. [what a name for a medical company] not to destroy the data without court approval. It was ordered to provide the raw data to MCHC as well as a “virtual” copy as soon as possible. The HIE was ordered to bear the cost of hardware, personnel and other expenses necessary to do so, and also to post a bond of $25,000 (Susan D Hall, 2016, para. 5). Sandlot Solutions was out of Irving TX, the website is down, obtained through LinkedIn. A simple Dun & Bradstreet report may have flagged this company, but it does not hurt to check. An analogy would be to put the hands of deciding a game in an official making a call, Golden State Warriors found out the “hard way” about that.

Susan D Hall. (2016, April 25). Court prevents HIE contractor from destroying data. Retrieved April 26, 2016, from http://www.fiercehealthit.com/story/court-prevents-hie-contractor-destroying-data/2016-04-25

Health records 101

Most every topic imaginable has a report, think tank, or field study attached to it. That is just the way it is. “Sophisticated” technology will be necessary to make sure that patient records are unique. Many moons ago when I was active in IT, I was always taught to normalize data by creating rules to stop most bad data from entering the system. Errors such as leading a required field blank or a Social Security Number not entered should NEVER happen. The fix is simple, make the fields required, and stop processing until they are filled and properly formatted. In the 2016 version of the web, this can happen with web-based, app-based, or other forms, and it is a no-brainer. Patient name misspellings cannot be eliminated totally, but greatly reduced if a simple crosscheck query of name fields that correspond with SSN numbers or other information that can verify results. The report wants to make it sound or in practice be harder than it really is, but that is why they get “the big bucks”. “Creating policies and procedures for front-end and back-end staff to follow is foundational for the overall data integrity process” (Katie Dvorak, 2016, para. 8).When you hang around any industry long enough, what is old is new again to different generations.

Katie Dvorak. (2016, April 20). Report: Providers must adopt sophisticated tech, stronger policies to prevent duplicate patient records. Retrieved April 21, 2016, from http://www.fiercehealthit.com/story/report-providers-must-adopt-sophisticated-tech-stronger-policies-prevent-du/2016-04-20

Encryption, Encryption, Encryption

After all of the recent issues with Ransomware and other cyber-attacks in the healthcare field, paying attention to the details can be overlooked at your peril. In my home state of Alabama, a laptop was stolen from a vendor to CVS Health. This laptop, for some unexplained reason, had Protected Health Information (PHI) on it. Of course, it was not encrypted, as per CVS network policy, so somebody had a field day with people who used a certain Pharmacy in Shelby County (Birmingham South Suburban). Their so-called private information was not, and now the company has to inform those on it, and presumably make amends for this.The laptop contained information about customers who have had prescriptions filled at the CVS store at 8370 Highway 31 in Calera, the company announced Monday. The laptop was stolen from the vendor and reported to the Indianapolis police department (Kelly Poe, 2016, para. 2).Interesting tidbit here is that it was reported to a police department over 500 miles away from the “scene” of the crime. A later version of the story said it happened at the unnamed vendor’s locale, which is not the CVS in question.

  • This has HIPAA written all over it.
  • Ignorance is not bliss.
  • Compliance is not limited by company size.

Kelly Poe. (2016, April 18). Alabama CVS’ patient information at risk after laptop stolen. AL.com. Shelby County AL. Retrieved from http://www.al.com/business/index.ssf/2016/04/patient_information_at_risk_af.html

EHR vendors, you’re not only next, but now.

This blog and other places have discussed the recent publicity about Ransomware and how hospitals cope with it, some better than others. What they really want is the Electronic Health Records that are employed in such environments. EHR are very personal and specific. Add the web-based nature of exchange and that is manna to a hacker because they can “hit once, effect many”. Mark Menke, security expert and CTO of Network DLP at Digital Guardian remarked: The financial incentives associated with EHR adoption encourage healthcare providers to roll out bare-bones systems without the infrastructure to back them u(Lisa Hoover McGreevey, 2016).
  1. HIPAA has very specific rules regards data security and the chain of command. Ignore this at your peril.
  2. Virtually all data in an EHR is valuable, some parts more than others. It is the cyber security specialist along with the practice IT staff or consultants to know the difference. Ignorance is not bliss here.
  3. Encryption, Digital Rights Management (DRM), Single Sign On (SSO), and other technologies are your gateway to mitigating the attacks that will come.
  4. Backups, Backups, Backups. The size of the organization will determine how often this is done; Real-time on-site/off-network and hourly off-site is a good place to start.
(Mark Menke, 2016).

Continue reading

Stream 04/07

Healthcare EMRs [personal]

I had the misfortune to sprain my wrist recently that required a medical facility visit. After lengthy waits and treatment, discharge papers (handout with no digital option) disclosed the usual suspects such as purpose of visit and treatment, meds given and prescribed, and follow up procedures. Here is where the follow-up gets hairy approaching fubar. At the left is the first page of an actual discharge paper given out by the Emergency Department. It touts their secure access to your health records and provides a way to contact your doctors and allied professionals. Near the bottom are follow-up instructions, who to see, address info, phone number, and timeframe. The mistake I made was depending on the forms in the service to set up an appointment for today. Their system did not work and when a call was made late Thursday about it, the staff was unapologetic and less than helpful about. This is but one example of how Electronic Medical Records (EMR) failed in real world applications, the kind that drives costs up and reduces outcomes. A copy of the record that I was given was sent to the specialists’ office, which they acknowledged; made its way to the digital equivalent of the circular filing cabinet, the “ignore” bin. An education about how EMR’s are not really what is needed for healthcare reform and cost containment sheds light on the subject. There is the concept of Electronic Health Records (EHR). EMR is a digital version of paper charts in the Doctor’s office, scanned for archival and supposedly sharing purposes among vetted parties. Right answer, wrong question. A move to EHR takes these digitized documents and facilitates sharing throughout the whole system by design. “The EHR represents the ability to easily share medical information among stakeholders and to have a patient’s information follow him or her through the various modalities of care engaged by that individual” (Peter Garrett & Joshua Seidman PhD, 2011, para. 6). This was five years ago little action taken on this. The facility certainly dropped the ball with the information passing with the patient suffering negative outcomes because someone did not think through a system promoted by “suits” who generally do not have a clue on what happens on the front lines of care. This leads us to the present. National Coordinator for Health IT Karen DeSalvo wants to move forward with public access of their own data with a measure of control that is anathema to the profitable business of “blocking” data. the Office of the National Coordinator (ONC) said its 2016 goals include continuing to “build the economic case for interoperability,” coordinate with industry stakeholders to increase enhance consumer access to data, and to discourage health information blocking (Hall, 2016, para. 8). There are many avenues to making dollars in the corporate world; I do not understand how blocking data allows happening beyond a potential lock-in similar to Windows lock in for personal computing back in the day.

BCBSNC Shakeup

A recent media report has the #2 person at Blue Cross Blue Shield of North Carolina (BCBSNC) has resigned leaving behind a mess of a computer system tied to mistaken billing of customers and other software issues.

name Alan Hughes
title Chief Operating Officer (COO)
compensation $1.77M (2014)

(John Murawski, 2016)

I was a customer of BCBSNC during my “interim” period prior to Medicare [long story] and based on most of my interactions with them on the phone and in person, no surprise of their flawed systems. Someone has to fall on their sword and there is usually a severance associated with this, which was not disclosed in the piece, but I do not think he will visit the poor side of Durham County anytime soon. When your background is the Chief Information Officer (CIO) and the information system does not work properly, it happens. The Department of Insurance has reported 11,162 customer calls as of April 1, including 2,346 complaints against the insurer. The agency’s investigation could result in fines against Blue Cross up to $1,000 per violation per day (John Murawski, 2016). That has to leave a mark, but it is election year in North Carolina, so “stay tuned”.


UPDATED: Symantec said, “The 2007 and 2010 fixes referenced in the article were not contributing factors in this event” (Ann C Nickels, 2016). Further comment will not emanate from MedStar concurrent to the advice of IT, cybersecurity and law enforcement experts.

This topic will not go away. The hackers that penetrated MedStar Health in the Maryland/DC region came in through a 9 year exploit named JBoss, an application server courtesy of Red Hat Inc. (Tami Abdollah, 2016). As night turns into day, the hospital chain denies this. It must be stated that part of the mission of hackers is to expose weak spots where found. This time, it is the Samas or “samsam” vector specifically for JBoss middleware and other Java based servers. More details can be found here and here. When an IT person in charge of security ignore application threats from the writers of such software and the government on at least 2 other occasions, that would fit the definition of maleficence. MedStar is in deep doo doo, but admitting it would bring more of the wrong kind of attention in a competitive marketplace. Never mind these breaches are not specific to this chain.


Ann C Nickels. (2016, April 6). MedStar Response to Incorrect Media Reports. MedStar Health. Retrieved from http://www.medstarhealth.org/mhs/2016/04/06/medstar-response-incorrect-media-reports/

Susan D Hall. (2016, April 7). Karen DeSalvo: Tech can improve patients’ access to health data. Retrieved April 7, 2016, from http://www.fiercehealthit.com/story/karen-desalvo-tech-can-improve-patients-acesss-health-data/2016-04-07

John Murawski. (2016, April 5). Blue Cross executive resigns amid technology fiasco | News & Observer. The News and Observer. Raleigh, NC. Retrieved from http://www.newsobserver.com/news/business/article70020192.html

Peter Garrett, & Joshua Seidman PhD. (2011, January 4). EMR vs EHR – What is the Difference? Retrieved from https://www.healthit.gov/buzz-blog/electronic-health-and-medical-records/emr-vs-ehr-difference/

Tami Abdollah. (2016, April 5). Hackers broke into hospitals despite software flaw warnings. AP The Big Story. Washington DC. Retrieved from http://bigstory.ap.org/article/86401c5c2f7e43b79d7decb04a0022b4/hackers-broke-hospitals-despite-software-flaw-warnings