How to keep EHRs secure and safe from cybercriminals – TechRepublic


Stream 04/07

Healthcare EMRs [personal]

I had the misfortune to sprain my wrist recently, which required a visit to a medical facility. After lengthy waits and treatment, the discharge papers (a handout with no digital option) disclosed the usual suspects: purpose of visit and treatment, meds given and prescribed, and follow-up procedures. Here is where the follow-up gets hairy, approaching fubar. At the left is the first page of an actual discharge paper given out by the Emergency Department. It touts their secure access to your health records and provides a way to contact your doctors and allied professionals. Near the bottom are follow-up instructions: who to see, address info, phone number, and timeframe. The mistake I made was depending on the forms in the service to set up an appointment for today. Their system did not work, and when a call was made late Thursday about it, the staff was unapologetic and less than helpful about it.

This is but one example of how Electronic Medical Records (EMR) fail in real-world applications, the kind of failure that drives costs up and reduces outcomes. A copy of the record that I was given was sent to the specialists’ office, which they acknowledged; it then made its way to the digital equivalent of the circular filing cabinet, the “ignore” bin.

An education about how EMRs are not really what is needed for healthcare reform and cost containment sheds light on the subject. There is the concept of Electronic Health Records (EHR). An EMR is a digital version of the paper charts in the doctor’s office, scanned for archival and supposedly for sharing among vetted parties. Right answer, wrong question. A move to EHR takes these digitized documents and facilitates sharing throughout the whole system by design. “The EHR represents the ability to easily share medical information among stakeholders and to have a patient’s information follow him or her through the various modalities of care engaged by that individual” (Peter Garrett & Joshua Seidman PhD, 2011, para. 6).

That was five years ago, and little action has been taken on this since. The facility certainly dropped the ball with the information passing, with the patient suffering negative outcomes, because someone did not think through a system promoted by “suits” who generally do not have a clue about what happens on the front lines of care. This leads us to the present. National Coordinator for Health IT Karen DeSalvo wants to move forward with public access to their own data, with a measure of control that is anathema to the profitable business of “blocking” data. The Office of the National Coordinator (ONC) said its 2016 goals include continuing to “build the economic case for interoperability,” coordinating with industry stakeholders to enhance consumer access to data, and discouraging health information blocking (Hall, 2016, para. 8). There are many avenues to making dollars in the corporate world; I do not understand how blocking data makes any, beyond a potential lock-in similar to the Windows lock-in for personal computing back in the day.

BCBSNC Shakeup

A recent media report has the #2 person at Blue Cross Blue Shield of North Carolina (BCBSNC) resigning, leaving behind a mess of a computer system tied to mistaken billing of customers and other software issues.

Name: Alan Hughes
Title: Chief Operating Officer (COO)
Compensation: $1.77M (2014)

(John Murawski, 2016)

I was a customer of BCBSNC during my “interim” period prior to Medicare [long story], and based on most of my interactions with them on the phone and in person, their flawed systems come as no surprise. Someone has to fall on their sword, and there is usually a severance associated with this, which was not disclosed in the piece, but I do not think he will visit the poor side of Durham County anytime soon. When your background is Chief Information Officer (CIO) and the information system does not work properly, it happens. The Department of Insurance has reported 11,162 customer calls as of April 1, including 2,346 complaints against the insurer. The agency’s investigation could result in fines against Blue Cross of up to $1,000 per violation per day (John Murawski, 2016). That has to leave a mark, but it is an election year in North Carolina, so “stay tuned”.

Ransomware

UPDATED: Symantec said, “The 2007 and 2010 fixes referenced in the article were not contributing factors in this event” (Ann C Nickels, 2016). No further comment will emanate from MedStar, in keeping with the advice of IT, cybersecurity and law enforcement experts.

This topic will not go away. The hackers that penetrated MedStar Health in the Maryland/DC region came in through a nine-year-old flaw in JBoss, an application server courtesy of Red Hat Inc. (Tami Abdollah, 2016). As night turns into day, the hospital chain denies this. It must be stated that part of the mission of hackers is to expose weak spots where found. This time, it is the Samas or “samsam” vector, aimed specifically at JBoss middleware and other Java-based servers. More details can be found here and here. When an IT person in charge of security ignores application threats flagged by the writers of such software and by the government on at least two other occasions, that would fit the definition of maleficence. MedStar is in deep doo doo, but admitting it would bring more of the wrong kind of attention in a competitive marketplace. Never mind that these breaches are not specific to this chain.

Bibliography

Ann C Nickels. (2016, April 6). MedStar Response to Incorrect Media Reports. MedStar Health. Retrieved from http://www.medstarhealth.org/mhs/2016/04/06/medstar-response-incorrect-media-reports/

Susan D Hall. (2016, April 7). Karen DeSalvo: Tech can improve patients’ access to health data. Retrieved April 7, 2016, from http://www.fiercehealthit.com/story/karen-desalvo-tech-can-improve-patients-acesss-health-data/2016-04-07

John Murawski. (2016, April 5). Blue Cross executive resigns amid technology fiasco. The News and Observer. Raleigh, NC. Retrieved from http://www.newsobserver.com/news/business/article70020192.html

Peter Garrett, & Joshua Seidman PhD. (2011, January 4). EMR vs EHR – What is the Difference? Retrieved from https://www.healthit.gov/buzz-blog/electronic-health-and-medical-records/emr-vs-ehr-difference/

Tami Abdollah. (2016, April 5). Hackers broke into hospitals despite software flaw warnings. AP The Big Story. Washington DC. Retrieved from http://bigstory.ap.org/article/86401c5c2f7e43b79d7decb04a0022b4/hackers-broke-hospitals-despite-software-flaw-warnings


Bonus Stream 04/06

Efforting to get back into Pro status so I can directly upload from existing tools.

Update: What I used to do this in the past is no longer available due to hacker exploits.

Stream 04/06 (PDF): https://herbied.edublogs.org/files/2016/04/stream-04062016-1oe3o2s.pdf

Stream 04/04

Ransomware is not going away 

The Department of Homeland Security has issued an alert on this topic, dated 3/31/2016 and reported today, about new variants of ransomware such as Locky and Samas affecting hospital network computers throughout North America. In conjunction with the Canadian Cyber Incident Response Centre (CCIRC), US DHS brings the subject into focus in an official capacity. This event increased the fear of doing anything electronically, and I gather most of this is preventable, with all of the usual suspects: clicking on a link as a reflex action, guilt based on network, fear of being caught with a hand in the cookie jar. That sort of thing.

  • Employ a data backup and recovery plan for all critical information.
  • Use application whitelisting to help prevent malicious software and unapproved programs from running.
  • Keep your operating system and software up-to-date with the latest patches.
  • Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
  • Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services.
  • Avoid enabling macros from email attachments. This means that PDFs so important to our business day may have to come from a third party source.
  • Do not follow unsolicited Web links in emails.

Sounds pretty boilerplate, does it not? Almost a “duh” moment. However, our job as IT pros is to protect users from themselves.
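The first item on the DHS list, a backup and recovery plan, is the one that actually gets a hospital back on its feet after Locky or Samas, and the part most shops skip is proving the backup can be restored intact. The script below is an added example written for this post, not code from DHS, US-CERT or anyone quoted here. It records a SHA-256 manifest when a backup is taken, then checks a tree (the backup itself, a restored copy, or the live data) against that manifest and reports files whose hash changed, went missing, or appeared unexpectedly. All file names, directory names and the ".locked" extension in the demo are constructed for illustration and do not correspond to any real system or ransomware family.

```python
"""Backup manifest and restore verification (added example, not from the original post).

A backup that has never been verified is not a recovery plan. This records a
SHA-256 manifest alongside a backup and later compares any directory tree to
it. A ransomware run against the live data shows up as a burst of changed
hashes plus new files with unfamiliar extensions; a clean restore shows up as
an empty report.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 16) -> str:
    """Hash a file in fixed-size chunks so large records do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def save_manifest(manifest: dict, path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def verify_tree(manifest: dict, root: Path) -> dict:
    """Compare a directory tree against a saved manifest.

    Returns {"changed": [...], "missing": [...], "unexpected": [...]};
    all three lists empty means the tree matches the manifest exactly.
    """
    current = build_manifest(root)
    changed = sorted(k for k in manifest if k in current and current[k] != manifest[k])
    missing = sorted(k for k in manifest if k not in current)
    unexpected = sorted(k for k in current if k not in manifest)
    return {"changed": changed, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: back up a folder, then simulate an encryptor hitting the live copy."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        backup = Path(tmp) / "backup"
        (live / "charts").mkdir(parents=True)
        # Constructed sample files; contents are placeholders, not real records.
        (live / "charts" / "patient-0001.txt").write_text("constructed chart text\n")
        (live / "charts" / "patient-0002.txt").write_text("another constructed chart\n")
        (live / "billing.csv").write_text("id,amount\n1,100\n")

        # Take the backup and record its manifest. In production keep the manifest
        # (and the backup) somewhere the production hosts cannot write to.
        shutil.copytree(live, backup)
        manifest_path = Path(tmp) / "manifest.json"
        save_manifest(build_manifest(backup), manifest_path)

        # Simulate ransomware on the live copy: one file overwritten with random
        # bytes, one renamed with a constructed ".locked" extension.
        (live / "billing.csv").write_bytes(os.urandom(64))
        (live / "charts" / "patient-0002.txt").rename(live / "charts" / "patient-0002.txt.locked")

        manifest = load_manifest(manifest_path)
        return {
            "backup_ok": verify_tree(manifest, backup),
            "live_after_attack": verify_tree(manifest, live),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it as-is to see the two reports: the backup verifies clean, while the live tree shows `billing.csv` changed, `charts/patient-0002.txt` missing and `charts/patient-0002.txt.locked` unexpected. The same `verify_tree` call run against a restored copy is the "recovery" half of the plan; the manifest is only trustworthy if it is stored where the hosts being backed up cannot modify it, which is also why offline or write-once backup targets matter against encryptors that look for mounted shares.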

ER Overcrowding continued difficulties

Having personal experience with a big-city ER on a weekend day got my attention for this story. When you have a system that requires that patients be seen regardless of condition and ability to pay, in one of the richest countries in the world, issues arise. There are ways to mitigate this that some hospitals nationwide are pursuing, such as freestanding ER clinics, house calls for conditions not requiring emergency care, and other “adventurous” options.

Community paramedicine, or mobile integrated healthcare-community paramedicine (MIH-CP), is a new concept to me. It can include transport “ambulances” that are closer to the local community, such as fire stations and community precincts. Pair a Nurse Practitioner with a Paramedic and cover the most common illnesses in a vehicle at a cheaper rate than Medic, preferably on-site with telemedicine from the patient’s personal physician, or from someone at “headquarters” staffing a “call center” to guide the patient through sticky wickets beyond the on-site staffers’ reach. Then an ER admission would be reserved for life-threatening or life-altering injuries or conditions. My situation would have called for urgent care, since an X-ray was taken and looked at, and the decision was to place this on me so I can see a follow-up with an Orthopedic Specialist. Medicare and Medicaid in NC and some other states do not lend themselves to other options that are not out-of-pocket upfront expenses. Not everyone can have BCBSNC, Aetna, or other private insurance, regardless of subsidies and other aspects of Obamacare not brought up here. An ideal system would allow Urgent Care, CVS Minute Clinic, Walgreens’ Take Care Clinic, et cetera, to perform these functions as a health issue without being financially driven. Regardless of where healthcare interactions occur, they must be protected, and compliance is not optional.