Breached healthcare records down 72% but incident numbers steady. Then there’s MyFitnessPal’s 150 million…

Hackermania in healthcare may be running less wild…but what about consumer health devices? Year-end and top-of-year analyses indicate that the flood of breached records may be starting to drain. A Bitglass analysis of 2017 US Department of Health and Human Services (HHS) data from its infamous ‘Wall of Shame’ is encouraging. They found that the number of breached records decreased by 72 percent between 2015 and 2017 and by 95 percent from 2016. The calculation excludes the huge spike in breaches due to two 2015 incidents at Anthem and Premera Blue Cross [TTA 9 Sep 15]. Numerically, the breach incident numbers decreased but are relatively steady: 2017 at 294, 2016 at 328. Data security company Protenus in its tracking found more incidents in 2017 versus 2016 (477 in 2017 v. 450 in 2016) but the same reduction in records affected, with five times fewer records in 2017 versus 2016’s 27.3 million records.

What’s been successful has been the reduction of mega-breaches and the containment of healthcare device loss and theft through education and enforcement of employee practices. What continues is that the major cause of breaches is insider-related, via error and wrongdoing; sources reporting this include the major annual Verizon report. Healthcare Informatics

Protenus’ February report, while continuing the reduction trend, had its share of hacking and insider incidents. Of the 39 incidents in their report affecting over 348,000 records, insider actions such as the misuse of system credentials accounted for 51 percent of breached records while hacks were 46 percent, with the majority involving ransomware or malware. Hacking as a cause hasn’t disappeared but perhaps has shifted to easier targets.

UnderArmour’s MyFitnessPal delivers another breach blow. Late last month, the company revealed that 150 million user records were hacked in February. The MyFitnessPal mobile app (more…)

Babylon Health’s ‘GP at hand’ not at hand for NHS England–yet. When will technology be? Is Carillion’s collapse a spanner in the works?

NHS England won’t be rolling out the Babylon Health ‘GP at hand’ service anytime soon, despite some success in their London test with five GP practices [TTA 12 Jan]. Digital Health cites an October study by Hammersmith and Fulham CCG (Fulham being one of the test practices) that to this Editor expresses both excitement at an innovative approach but with the same easy-to-see drawback:

The GP at Hand service model represents an innovative approach to general practice that poses a number of challenges to existing NHS policy and legislation. The approach to patient registration – where a potentially large volume of patients are encouraged to register at a physical site that could be a significant distance from both their home and work address, arguably represents a distortion of the original intentions of the Choice of GP policy. (Page 12)

There are also concerns about complex needs plus other special needs patients (inequality of service), controlled drug policy, and the capacity of Babylon Health to expand the service. Since the October report, a Babylon spokesperson told Digital Health that “Commissioners have comprehensively signed off our roll-out plan and we look forward to working with them to expand GP at Hand across the country.” 

Re capitation, why ‘GP at hand’ use is tied into a mandatory change of GP practices has left this Editor puzzled. In the US, telemedicine visits, especially the ‘I’ve got the flu and can’t move’ type or to specialists (dermatology) are often (not always) separate from whomever your primary care physician is. Yes, centralizing the records winds up being mostly in the hands of US patients unless the PCP is copied or it is part of a payer/corporate health program, but this may be the only way that virtual visits can be rolled out in any volume. In the UK, is there a workaround where the patient’s electronic record can be accessed by a separate telemedicine doctor?

Another tech head-shaker: 45 percent of GPs want technology-enabled remote working. 48 percent expressed that flexible working and working from home would enable doctors to provide more personalized care. Allowing remote working to support out-of-hours care could not only free up time for thousands of patient appointments but also level out doctor capacity disparities between regions. The survey here of 100 GPs was conducted by a cloud-communications provider, Sesui. Digital Health. This is a special need that isn’t present in the US except in closed systems like the VA, which is finally addressing the problem. The wide use of clinical connectivity apps enables US doctors to split time from hospital to multiple practices–so much so on multiple devices, that app security is a concern. 

Another head-shaker. 48 percent of missed NHS hospital appointments are due to letter-related problems, such as the letter arriving too late (17 percent), not being received (17 percent) or being lost (8 percent). 68 percent prefer to manage their appointments online or via smartphone. This preference has real financial impact as the NHS estimates that 8 million appointments were missed in 2016-2017, at a cost of £1bn. Now this survey of 2,000 adults was sponsored by Healthcare Communications, a provider to 100 NHS trusts with patient communications technology, so there’s a dog in the hunt. However, they developed for Barnsley Hospital NHS Foundation Trust a digital letter technology that is claimed to reduce outpatient postal letters by 40 percent. Considering my dentist sends me three emails plus separate text messages before my twice-yearly exam…. Release (PDF).

Roy Lilley’s daily newsletter today also engages the Tech Question and the “IT desert” present in much of the daily life of the NHS. Trusts are addressing it, junior doctors are WhatsApping, and generally, clinicians are hot-wiring the system in order to get anything done. It is much like the US about five to seven years ago where US HHS had huge HIPAA concerns (more…)

Hacking, insider actions 81 percent of healthcare data breaches: Protenus

Healthcare data security company Protenus’ monthly Breach Barometer always contains interesting–and somewhat discouraging–surprises. August’s report topped July’s for the number of patients affected, with 674,000 patients involved in 33 incidents. Over 54 percent of breaches (N=18) were due to hacking (five incidents were attributed to ransomware), while over 27 percent (N=9) were from insider error (the main cause) or wrongdoing–over 81 percent in total. The remainder were due to loss, theft, or ‘unknown’. Another interesting finding was that discoveries of hacking are relatively quick at an average of 26 days from start to finish, due to the disruption they create, while insider attacks can go on for months (209.8 days)–or years. Protenus’ July report highlighted a breach at Tewksbury Hospital in Massachusetts that went unreported for a record-setting 14 years–an insider action that affected 1,100 records. Reporting is improving, with reporting to HHS, the media or state attorneys general taking an average of 53 days. Protenus crunches its data from databreaches.net. (If you look at their reporting on TheDarkOverlord (@tdo_hackers), including their recent threats on a small Montana school system, you’ll be scared indeed.) MedCityNews 25 Sept, 23 August. Hat tip to Guy Dewsbury via LinkedIn

Want to know effectiveness of telehealth, interoperability? NQF reports take their measure.

There’s been an increase in doubt about the efficacy of telemedicine (virtual visits) and telehealth (vital signs monitoring) as a result of the publication of two recent long-term studies, one conducted by the University of Wisconsin and the other by CCHSC for Telemonitoring NI [TTA 13 Sep]. These follow studies that were directionally positive, and in a few cases like the VA studies conducted by Adam Darkins, very much so, but mostly flawed or incomplete (low N, short term, differing metrics). What’s missing is a framework for assessing the results of both. In an exceptionally well-timed announcement, the National Quality Forum (NQF) announced their development of a framework for assessing the quality and impact of telehealth services. 

In a wonder of clarity, the NQF defines telehealth’s scope as telemedicine (live patient-provider video), store-and-forward (e.g. radiology), remote patient monitoring (telehealth), and mobile health (smartphone apps). Measurement covers four categories: patients’ access to care, financial impact to patients and their care team, patient and clinician experience, and effectiveness of clinical and operational systems. Within these categories, NQF identified six areas as having the highest priority for measurement: travel, timeliness of care, actionable information, added value of telehealth to provide evidence-based practices, patient empowerment, and care coordination. Finally, the developing committee identified 16 measures that can be used to measure telehealth quality.

The NQF also issued a similar framework for interoperability, a bête noire that has led many a clinician and developer to the consumption of adult beverages. Again there are four categories: the exchange of electronic health information, its usability, its application, and its impact—on patient safety, costs, productivity, care coordination, processes and outcomes, and patients’ and caregivers’ experience and engagement. And it kept the committee very busy indeed with, from the release, “53 ideas for measures that would be useful in the short term (0-3 years), in the mid-term (3-5 years) and in the long-term (5+ years). It also identified 36 existing measures that serve as representative examples of these measure ideas (sic) and how they could be affected by interoperability.”

Both reports were commissioned and funded a year ago by the US Health & Human Services Department (HHS). We will see if these frameworks are extensively used by researchers.

NQF release, Creating a Framework-Telehealth (download link), Creating a Framework-Interoperability (download link), Mobihealthnews 

Virtual care stops germs dead in their tracks! (Who would have thought it?)

Here at TTA we do receive and read a lot of press releases, and most are pretty meh. (We work very hard to avoid subjecting our readers to meh, as we don’t much like it either.) Now this one takes a different tack. It backs up telemedicine and telehealth technology that enables the patient to avoid the germ-filled doctor’s office and ED. According to Zipnosis citing the Infection Control and Hospital Epidemiology journal, after the standard well-child visit, there is a 3.17 percent increase in influenza-like illnesses among children and their family members within two weeks. Extrapolated, this results in more than 766,000 additional office visits for flu-like symptoms each year and nearly $492 million in annual costs. Now here is a simple, proactive improvement in outcomes that achieves savings (hear that, HHS and NHS?) facilitated by healthcare technology. (See previous article on ‘A tricorder one step closer‘)

The remainder of the release concentrates on what a bad idea it is to subject the rest of the world to your germs when down with a cold or flu. Even the CDC wants patients to stay home from work, school and errands. (That is, if you can.) The point is made that virtual care can unjam doctor offices and EDs for those less dangerous who need hands on care. The light touch of the product message is that Zipnosis provides a white-labeled virtual care platform to health systems that first uses an online adaptive interview with a patient to document the condition, provides a diagnosis and treatment plan within an hour, directing the patient to an appropriate level of care. Release.

HRSA sets $16 million fund for 4 rural telehealth grant programs (US)

The Health Resources and Services Administration (HRSA), which is part of the Federal Health and Human Services (HHS) department, is making four grant programs available to support rural telehealth and quality improvement in 60 rural communities within 32 states, including a joint program with the Veterans Affairs Office of Rural Health. The four programs administered by the Federal Office of Rural Health Policy (FORHP) within HRSA are primarily three-year programs and include:

  • The largest amount, $6.3 million, will go to the Telehealth Network Grant Program: $300,000 each annually in a three-year program to 21 community health organizations for telehealth programs and networks in medically underserved areas, with a concentration on child health
  • The Flex Rural Veterans Health Access Program: $300,000 each annually in a three-year program to three organizations providing veteran mental health and other health services. This is a joint program with the VA totalling $900,000.
  • Small Health Care Provider Quality Improvement: $21 million will support 21 organizations over three years in improving care quality for populations with high rates of chronic conditions, and to support rural primary care.
  • Seven Rural Health Research Centers: $700,000 per year for four years, totalling $4.9 million, to support policy research on improving access to healthcare and population health in rural communities. (Funds that more usefully would have gone to veterans health?–Ed. Donna)

HHS release, Mobihealthnews, Healthcare IT News

The difficulty in differentiating telemedicine and telehealth

Our Editors have always tried to cleanly define the differences between telemedicine, telehealth and telecare, even as they blur in industry use. (See our Definitions sidebar for the latter two.) But telemedicine, at least on this side of the Atlantic, has lost linguistic ground to telehealth, which has become the umbrella term that eHealth wanted to be only two or three years ago. Similarly, digital health, connected health and mHealth have lost ground to health tech, since most devices now connect and incorporate mobility. And there are sub-genres, such as wearables, fitness trackers and aging tech.

Poor telehealth grows ever fuzzier emanations and penumbra! Now bearing the burden of virtual visits between doctor and patient, doctor-to-doctor professional consults, video conferencing (synchronous and asynchronous), remote patient monitoring of vital signs and qualitative information (ditto), and distance health monitoring to treat patients, it also begins to embrace its data: outcome-based analytics, population health and care modeling. Eric Wicklund accumulates a pile of studies from initial-heavy organizations: WHO, HIMSS, HHS, Center for Connected Health Policy (CCHP), ATA, TRC Network. All of which shows, perhaps contrary to Mr Wicklund’s intentions, how confusing simple concepts have become. mHealth Intelligence

Ransom! (ware) strikes more hospitals and Apple (update)–Healthcare.gov’s plus trouble

Get out the Ransom! California hospitals appear to be Top of the Pops for ransomware attacks, which lock down and encrypt information, making it inaccessible, after someone opens a malicious link in email. After the well-publicized attack on Hollywood Presbyterian in February, this week two hospitals in the Inland Empire, Chino Valley Medical Center in Chino and Desert Valley Hospital in Victorville, both owned by Prime Healthcare Management, received demands. While hacked, neither hospital paid the ransom and no patient data was compromised according to hospital spokesmen. Additional hospitals earlier this month: Methodist Hospital in Henderson, Kentucky and Ottawa Hospital in Ontario, Canada. In Ottawa, four computers were hacked but isolated and wiped. It is not known if ‘Locky’, the moniker for a new ransomware, was the Canadian culprit. FBI on the case in the US. HealthcareITNews, National Post

Update: Locky is the suspected culprit in the Prime, Hollywood Presbyterian and Kentucky ransomware attacks. On Monday, Maryland-based MedStar Health reported malware had caused a shutdown of some systems at its hospitals in Baltimore. Separately, Cisco Talos Research is claiming that a number of the attacks are exploiting a vulnerability in a network server called JBoss using a ransomware dubbed SamSam. Perhaps both are creating mischief? Ars Technica, Cisco Talos blog, BBC News, ThreatPost

More and worse attacks north of the 49th Parallel. Norfolk General Hospital in Simcoe, Ontario had a ransomware attack this week that spread to computers of staff, patients and families via the external website through the outdated content management system. According to MalwareBytes, “The particular strain of ransomware dropped here is TeslaCrypt which demands $500 to recover your personal files it has encrypted. That payment doubles after a week.” So if you are running old Joomla! or even old WordPress, update now! Neil Versel in MedCityNews

If you’re thinking Mac Prevents Attacks, the first ransomware targeting Apple OS X hit earlier this month. Mac users who downloaded version 2.90 of Transmission, a data transfer program using BitTorrent, were infected. KeRanger appears after three days, demanding that one bitcoin (about $400) be sent to a specific address before users can retrieve their files. HealthcareITNews

Finally, there is the Hackermania gift that keeps on giving: Healthcare.gov. (more…)

Our wrapup of news and tart takes on HIMSS 16 (updated redux)

Lions Lie Down With Lambs, and Other Miracles!

HIMSS 16’s main ‘breaking news’ centered on HIT interoperability. The lead was US Department of Health and Human Services (HHS) Secretary Sylvia Burwell’s announcement on how Lions Will Lie Down With Lambs, Or Else. 17 EHRs that cover 90 percent of electronic health records used by U.S. hospitals–including the bitterest of rivals, Epic (the EHR everyone likes to hate) and Cerner, 16 providers including the nation’s five largest private healthcare systems, and more than a dozen leading professional associations and stakeholder groups (including HIMSS) pledged to implement three core commitments that allegedly will improve the flow of health information to consumers and healthcare providers. They are consumer access, no information blocking and standards. When? Where? How? Strictly TBD. HHS release, MedCityNews, Modern Healthcare, which dubbed it ‘another year, another promise’.

Innovate or Die. For companies and providers, it’s not about compliance anymore but about improving patient outcomes due to value-based care and incentives. Providers will increasingly be responsible for patient care throughout the community to make their numbers. Having made this sound point, Dr John Halamka then proposes they will need a ‘care traffic control’ system through data aggregation, with a laundry list of ‘enablers’, directories and connectors surrounding the EHR. How this all will work together, and who will buy in already challenged practices and ACOs, plus how those 17 notoriously territorial EHRs will work with said ‘enablers’ — or complicators — is a mystery to this Editor. Pass the Advil, please. MedCityNews

Read on for more Top 10s, roundups, DOD and VA EHR news, the Super Bowl-winning quarterback tackles the closing keynote, and 10 ways you can become a HIMSS speaker! (more…)

NJ Innovation Institute gains $49 million HHS grant

The New Jersey Innovation Institute (NJII), a New Jersey Institute of Technology (NJIT) corporation, has been selected as one of 39 health care collaborative networks participating in a Health and Human Services (HHS) program, the Transforming Clinical Practice Initiative. According to their announcement, NJII was selected as a Practice Transformation Network and over four years will receive up to $49.6 million for technical assistance support to help equip 11,500 clinicians in the New Jersey region with tools, information, and network support needed to improve quality of care. This is part of a $685 million HHS program awarding grants to 39 national and regional health care networks to help equip more than 140,000 clinicians with the tools and support needed to improve quality of care, increase patients’ access to information, and reduce costs. This is in addition to a $2.9 million grant from the Office of the National Coordinator for Health Information Technology (ONC-HIT) announced in August for sharing of quality data through its New Jersey Health Information Network (NJHIN). Through its Innovation Labs (iLabs), NJII brings NJIT expertise to key economic sectors, including healthcare delivery systems, bio-pharmaceutical production, civil infrastructure, defense and homeland security, and financial services. Release via Ridgewood Patch, HHS release. Hat tip to contributor Sarianne Gruber via LinkedIn.

ONC gets in study game in designing the Consumer Centered Telehealth Experience

ONC (the Office of National Coordinator for Health Information Technology, HHS) in the spring conducted a design session on creating a more consumer-centered telehealth experience, commissioning the engagedIN research firm to help select a panel, run it and produce the study. The white paper focuses on how telehealth can either further fracture or integrate PHR (study pages 7-11), and what’s needed to make telehealth and telemedicine more convenient and effective for consumers. The panel avoided the big telemedicine providers (a bone that Mobihealthnews picks with the study) which typically dominate these panels–to this Editor a positive action–but included other telehealth providers like Qualcomm Life, Care Innovations and Zipnosis, as well as the US’ largest user of telehealth, VA Home Telehealth. Among the key drivers of telehealth is the shift by HHS and private insurers (UHC) to value-based payments; CMS’ target of 50 percent of Medicare value-based care is cited (page 5). There are nine principles at the end (pgs 13-16) to guide the way forward. Designing the Consumer Centered Telehealth and e-Visit Experience (PDF) (Though it is confusing why e-Visit was used rather than ‘virtual visits’ or, in fact, telemedicine.)

6 helpful hints for healthcare startup founders–and funders

Investor Skip Fleshman of Palo Alto (of course)-based Asset Management Ventures has six points of sound advice for founders and developers–and funders of same–who think that their Big Idea(s) are the one thing which will revolutionize healthcare, particularly because of their personal experiences. We’ve observed that successful startups have fitted themselves into the Healthcare Establishment’s game [TTA 19 May], but if an investor is still seeing that attitude, it’s still there. AMV’s track record is there with investments in several healthcare companies, including Proteus Digital Health and HealthTap. Mr Fleshman’s points with this Editor’s comments:

1. Listen to the market–and it’s not direct-to-consumer, despite a cursory reading of Eric Topol. Find where your product or service can reduce or avoid cost, increase engagement and improve quality i.e. patient outcomes (which are all linked, see #4)
2. Hire people who know how to speak the language–experienced healthcare people who can work the system but also get the changes and want to make a difference. And no, they may not look or act like you. They’ll often have gray hair and families. Unless they are independently wealthy, they also expect to be paid decently. Quite a few will be women who don’t act or look like you either, but are invaluable in your organization in multiple ways.
3. Understand how the money flows–and the money is with providers, payers, self-insured employers and (Mr Fleshman doesn’t mention this) government (Medicare, Medicaid, the alphabet soup of HHS, CMS…). The incentives (shared savings) are now to providers to pull cost out of their system but somehow maintain population health quality and outcomes. How to pull this off is where the innovation is needed. Partner wherever you can–and this Editor would add, with other successful early-stage companies as well.
4. Read the Affordable Care Act–with a bottle of painkillers and eyedrops. (more…)

Health Datapalooza 2015: more data, better health

Guest columnist and data analytics whiz Sarianne Gruber (@subtleimpact) sat in on the Health Data Consortium’s 2015 edition of Health Datapalooza last week in Washington, DC. It was all about the data that Medicare has been diligently harvesting. Also see the US-UK connection on obesity.

Health Datapalooza 2015, now in its sixth year, welcomed more than 2,000 innovators, healthcare industry executives, policymakers, venture capitalists, startups, developers, researchers, providers, consumers and patient advocates. “Health Datapalooza brings together stakeholders to discuss how best to work the advance health and healthcare,” said Susan Dentzer, senior policy adviser to the Robert Wood Johnson Foundation and a member of the Health Data Consortium. The Consortium promotes health data best practices and information sharing; and works with businesses, entrepreneurs, and academia to help them understand how to use data to develop new products, services, apps and research insights. This year’s conference was held on May 31 through June 3 in Washington, DC. And how best to celebrate is with the gift of more data!

New Medicare Data Means More Transparency
The Centers for Medicare and Medicaid Services (CMS) released its third annual update to the Medicare hospital inpatient and outpatient charge data on June 1, 2013. (more…)

Pondering the squandering redux: $28 billion gone out the HITECH window

In 2009, the US Congress enacted the HITECH Act, as part of a much broader recovery measure (ARRA or ‘the stimulus’), authorizing the Department of Health and Human Services (HHS) to spend up to $35 billion to expand health IT and create a network of interoperable EHRs. Key to this goal of interoperability and seamless sharing of patient information among healthcare providers was achieving stages of ‘meaningful use’ (MU) with these EHRs in practice, to achieve the oft-cited ‘Triple Aim‘ of improved population health, better individual care, delivered at lower per capita cost. Financial incentives through Medicaid and Medicare EHR programs were delivered through multiple stages of MU benchmarks for hospitals and practices in implementing EHRs, information exchange, e-prescribing, converting patient records, security, patient communication and access (PHRs).

Five years on, $28 billion of that $35 billion has been spent–and real progress towards interoperability remains off in the distance. This Editor has previously noted the boomlet in workarounds for patient records like Syapse and OpenNotes. Yet even the progress made with state data exchanges (e.g. New York’s SHIN-NY) has come at a high cost–an estimated $500 million, yet only 25 percent are financially stable, according to a RAND December 2014 study. (more…)

Hospitals snooping on your shopping and eating

Another charming use for Big Bad Data. Hospitals are investigating whether available data on patients–prospective and current–on shopping patterns and other purchase behavior such as gym memberships can be used to predict patient risk of disease. Leading the way is Carolinas HealthCare System, which operates the largest group of medical centers in North and South Carolina. With more than 900 care centers including nursing homes, they have 2 million patients to analyze for risk, using data points such as purchases a patient has made using a credit card or store loyalty card, to create predictive models on patient risk and eventually to reach out to patients. Of course this data crunching has a purpose, and that is to meet quality metrics imposed by HHS and CMS. The goal would be to change the risk curve (more…)

Roundup: data breaches ’round the world

Following on our review of recent articles on why medical identity theft is so attractive, here’s our review of data breaches in the news, including a new (to this Editor) report from Europe.

  • It’s not Europe, blame the UK! That is one of the surprising findings of a meta-review of all types of data breaches released earlier this month by the Central European University’s Center for Media, Data and Society (CMDS). While not specific to healthcare, it is the first study this Editor has seen on EU data breaches and is useful for general trends. 229 verified incidents were analyzed by the CMDS across 28 EU member countries plus Switzerland and Norway, 2005-3rd Quarter 2014, and includes unusual healthcare breaches such as Danish HIV patients’ personal information included in a PowerPoint presentation later published online. Key findings:
    1. 57 percent of breaches were due to insider theft, mismanagement or error; 41 percent were hacker-instigated
    2. It’s common: “for every 100 people in the study countries, 43 personal records have been compromised”
    3. In terms of impact, the UK by far, then Greece, Norway, Germany and Netherlands were the top five countries for incidents and numbers of records breached (report page 9) (more…)