For a hacker who’s looking to make money out of stolen personal information, healthcare systems and hospitals can be a one-stop shop.

Along with the usual names, addresses, dates of birth, Social Security numbers and claims information come credit card and banking account numbers used to process payments.

Cyber security experts will tell you that the two types of information should be stored on computer systems that are completely separate and disconnected from each other, so that a compromise of one does not expose the other. That separation appears to be what was missing at Banner Health.

The Arizona-based hospital chain said this week that hackers tapped into credit and debit card information belonging to 3.7 million people through the point of sale (POS) systems that process payment card data at dozens of food and beverage outlets serving Banner Health locations.

The hack occurred on June 17 and went undiscovered until July 7.

Six days later, Banner learned that patient information and health plan records on its computer networks may also have been compromised.

Banner spokesman Bill Byron said the incident is under investigation and that details won’t be known or shared for weeks.

But the incident has left cybersecurity experts wondering if the healthcare industry, which in the past few years has been hit mercilessly with data breaches and ransomware threats, now has yet another weak spot — the point of sale system.

The vast majority of these systems that process credit card payments are brought in by third-party vendors, hooked up to a cash register, plugged into the internet and “away they go,” said Chris Ensey, chief operating officer of Dunbar Security Solutions.

“(POS systems) are often treated as somebody else’s stuff,” he said, adding that the healthcare organizations view the vendors as responsible for the systems.

But each new third-party services provider creates yet another entry point for hackers, he said.

In fact, a 2012 Verizon study found that point of sale systems accounted for 48% of the assets compromised in healthcare data breaches.

It is important to conduct audits that review how the systems interoperate and what vulnerabilities they might expose during setup, Ensey said.

Cyber security expert Jeremy King said hackers are data omnivores who will feast on one system for one type of data then rummage around for different data, as long as it’s marketable.

Criminals regard healthcare records as more valuable than credit card records because their data elements, such as DOBs, addresses and Social Security numbers, can’t be readily changed. A credit card, on the other hand, can be cancelled once a breach has been discovered.

Last month, a hacker was spotted on the black market offering to sell nearly 10 million patient records for $880,000. Criminals who steal credit card account information, by contrast, often use it themselves for fraudulent purchases or sell it on.

Hackers can get anywhere from $5 for the card number to $1,000 for the information contained in account balances, according to Business Insider.

“It’s big money,” King said.

King, who is international director of the Payment Card Industry Security Standards Council, said it’s important to maintain a firewall between POS systems and other information networks.

“Segmentation is a way to try and reduce your risk,” he said. “Even then, you’ve got to make sure you do that segmentation correctly, you’ve got the systems in place and you test it.”

King also advises that access to credit card systems be granted on a “need-to-know” basis.
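King's point that segmentation has to be done correctly and then tested, and Ensey's call to audit how the POS systems interoperate, can be made concrete. The script below is an added example written for this page; it is not Banner Health's configuration and not any vendor's tool. It models a first-match firewall ruleset, states the segmentation intent as which zone pairs may talk on which ports (everything else is denied, which is the need-to-know rule), and audits a set of test flows against two rulesets: a constructed "as the vendor installed it" ruleset that lets the terminals talk to anything, and a corrected one. The zones, addresses (203.0.113.10 stands in for a payment processor), rules and flows are all constructed assumptions.

```python
"""Segmentation audit for a POS / cardholder-data zone.

Added example for this page; not Banner Health's configuration and not a
vendor's tool. All zones, addresses, rules and flows below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zone layout (assumption: one /24 per zone; 0.0.0.0/0 is "internet").
ZONES = {
    "pos":      ip_network("10.10.0.0/24"),  # payment terminals, PCI scope
    "clinical": ip_network("10.20.0.0/24"),  # EHR and health-plan systems
    "corp":     ip_network("10.30.0.0/24"),  # staff workstations
    "internet": ip_network("0.0.0.0/0"),
}

# Segmentation intent: zone pairs that may talk, and on what. Anything not
# listed must be denied, which is the "need-to-know" rule King describes.
POLICY_ALLOW = {
    ("pos", "internet"):  {("tcp", 443)},  # terminals -> payment processor only
    ("corp", "internet"): {("tcp", 443), ("tcp", 80)},
    ("corp", "clinical"): {("tcp", 443)},
}

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR
    dst: str               # CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None = any port

def zone_of(addr: str) -> str:
    """Longest-prefix match, so 10.x.x.x is not swallowed by 0.0.0.0/0."""
    ip = ip_address(addr)
    best = None
    for name, net in ZONES.items():
        if ip in net and (best is None or net.prefixlen > ZONES[best].prefixlen):
            best = name
    return best

def evaluate(rules, src, dst, proto, dport):
    """First-match firewall semantics with an implicit final deny."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action
    return "deny"

# Constructed test flows; 203.0.113.10 stands in for the card processor.
TEST_FLOWS = [
    ("10.10.0.5",  "203.0.113.10", "tcp", 443),   # terminal -> processor
    ("10.10.0.5",  "10.20.0.15",   "tcp", 445),   # terminal -> EHR file share
    ("10.20.0.15", "10.10.0.5",    "tcp", 22),    # clinical host -> terminal
    ("10.10.0.5",  "198.51.100.7", "tcp", 80),    # terminal -> arbitrary web
    ("10.30.0.40", "10.10.0.5",    "tcp", 3389),  # workstation -> terminal RDP
]

def audit(rules, flows=TEST_FLOWS):
    """Return the flows whose verdict under `rules` contradicts POLICY_ALLOW."""
    findings = []
    for src, dst, proto, dport in flows:
        pair = (zone_of(src), zone_of(dst))
        expected = "allow" if (proto, dport) in POLICY_ALLOW.get(pair, set()) else "deny"
        got = evaluate(rules, src, dst, proto, dport)
        if got != expected:
            findings.append(((src, dst, proto, dport), got, expected))
    return findings

# "As installed": the vendor opened everything so the terminals worked on day one.
VENDOR_RULES = [
    Rule("allow", "10.10.0.0/24", "0.0.0.0/0",    "any", None),
    Rule("allow", "0.0.0.0/0",    "10.10.0.0/24", "any", None),
]

# Corrected: terminals reach only the processor on 443; nothing reaches them.
SEGMENTED_RULES = [
    Rule("allow", "10.10.0.0/24", "203.0.113.10/32", "tcp", 443),
    Rule("deny",  "10.10.0.0/24", "0.0.0.0/0",       "any", None),
    Rule("deny",  "0.0.0.0/0",    "10.10.0.0/24",    "any", None),
]

if __name__ == "__main__":
    for name, rules in (("vendor", VENDOR_RULES), ("segmented", SEGMENTED_RULES)):
        for flow, got, expected in audit(rules):
            print(f"{name}: {flow} is {got}, policy says {expected}")
```

Run against the vendor ruleset, the audit reports four of the five flows as allowed where policy says deny, including the terminal reaching an EHR file share and a clinical host reaching a terminal; the corrected ruleset reports none. Two caveats: the corrected ruleset deliberately leaves no management path into the POS zone, so any admin jump host would have to be added as a single-host, single-port rule and listed in the policy; and a model like this only checks rules you have written down, so the same flows should also be sent as real packets from each zone after every vendor change, which is the "test it" half of King's advice.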

Now, just because Banner’s POS system breach was discovered first doesn’t mean that was the system that was first hacked, said King. “The forensic investigators will find that out in time.”

Byron, the Banner spokesman, said, so far, there is no evidence indicating any of its data were removed or “misused in any way.”

Banner’s breach is the eighth-largest on the online “wall of shame” kept by HHS, which lists all breaches of healthcare information involving 500 or more individuals since 2009.

By far the largest breach on the list was Anthem’s in 2015. That cyberattack compromised the records of 78.8 million individuals. More than 114.1 million individuals’ records have been exposed in the past two years.



On Tuesday, May 17, the Health IT Policy Committee and Standards Committee, Federal Advisory Committees to the Office of the National Coordinator for Health IT (ONC), convened for an in-person joint meeting. Three new members were welcomed to the Health IT Policy Committee: Carolyn Petersen with Mayo Clinic Global Business Services, Karen van Caulil with the Florida Health Care Coalition, and James Ferguson with Kaiser Permanente.

Kate Goodrich, Director, Center for Clinical Standards and Quality at CMS, presented on MACRA and Delivery System Reform. Dr. Goodrich gave a high-level overview of the proposed rule, including a look at the quality payment program, Advanced Alternative Payment Models (APMs) and the Merit-based Incentive Payment System (MIPS), and a deeper dive into the advancing care information performance category within MIPS. For additional information and instructions on how to submit comments on the proposed MACRA rule by the June 27, 2016 deadline, please visit the CMS website.

Steve Posnack, Director of the Office of Standards and Technology with ONC, presented on two funding opportunity announcements, the High Impact Pilot (HIP) and Standards Exploration Awards (SEA). Three to seven HIP awards, expected to range from $100,000 to $500,000 each, and three to five SEA awards, expected to range from $50,000 to $100,000 each, will be made. Interested applicants are encouraged to attend the information sessions on May 23 (HIP) or May 26 (SEA). For more information, visit the ONC website.

The Precision Medicine Task Force, co-chaired by Leslie Kelly Hall with Healthwise and Andrew Wiesenthal with Deloitte Consulting, LLP, presented final Task Force recommendations. The PMI Task Force recommendations identify three interoperability pathways that are critical to the Precision Medicine Initiative (PMI).  The three pathways include one that focuses on EHR data; a pathway that enables data gathering from other independent non-provider sources such as labs, PBMs, and retail pharmacies; and a third pathway to accelerate the ability to return an individual participant’s aggregated data from multiple sources and eventually research results. Final recommendations were approved by the Joint Committee and will be forwarded to ONC for review.

The API Task Force, co-chaired by Josh Mandel with Harvard Medical School and Meg Marshall with Cerner Corporation, presented its final recommendations to the Joint Committee. The recommendations were broken down into eight generic use case topics: types of apps and the organizations that provide them; app registration; endorsement/certification of apps; communication of an app’s privacy policies; the patient authorization framework; limitations and safeguards on sharing; auditing and accounting for disclosures; and identity proofing, user authentication, and app authentication. The recommendations were approved by a narrow margin because of privacy and security concerns.

The next Joint Committee meeting will be a virtual meeting on June 8, 2016.


The nation’s top healthcare information technology developers and many of their largest customers have committed to push interoperability, the Obama administration announced Monday.

The IT companies who made the pledge include Allscripts, athenahealth, Cerner Corp., Epic Systems and Meditech, according to the announcement made by HHS Secretary Sylvia Mathews Burwell during the Healthcare Information and Management Systems Society convention in Las Vegas.

The 17 vendors of EHR and other IT systems involved provide records systems to 90% of the hospitals in the country. Their goal is to make it easier for patients to use the information in their EHRs.

Participants agreed to three things, Burwell said.

First, they said they would help patients more easily access their electronic health information and transfer it to any other provider or data user.

“We need to do better to unlock data,” Burwell said. A patient should trust his or her data can be moved where they want, when they want, she said.

Second, the group pledged to help providers share individuals’ health information with one another and with their patients whenever federal privacy laws permit, and not to block electronic health information.

“High fees or restrictive legal arrangements slow down our progress,” Burwell said.

Third, the group promised to implement “federally recognized, national interoperability standards and practices and adopt best practices, including those related to privacy and security.”

Those policies include the use of standardized apps “to make it easier for consumers to access their data,” Burwell said.

Provider participants include Ascension Health, Geisinger Health System, Hospital Corporation of America, Intermountain Healthcare and Kaiser Permanente.

The professional organizations include the American Medical Association, the American Hospital Association, the American Academy of Family Physicians, and the American Health Information Management Association.

In late December, the Office of the National Coordinator for Health Information Technology at HHS released its newest iteration of an “advisory” on interoperability standards as “a single resource for those looking for federally recognized, national interoperability standards and guidance.”

Burwell said health IT systems provide “crucial support” for providers through easy access to data and analytics in an effort to see the “big picture” of healthcare.

As an example, Burwell noted that Dr. Mona Hanna-Attisha at Hurley Medical Center in Flint, Mich., used an EHR to compare lead levels in children in her community with those of young patients elsewhere.

She quickly discovered the percentage of children in Flint with elevated lead levels “doubled, and even tripled in certain cases,” Burwell said.

“Today’s commitments are a critical first step,” Burwell said. “I look forward to all we will accomplish together, this week and beyond.”

HHS will check back in the fall to see how the companies are working toward the goal.

AHIMA CEO Lynn Thomas Gordon lauded Burwell’s announcement.

“AHIMA believes these three principles will make a significant and meaningful difference in making sure health information is available where and when it’s needed,” Gordon said.

While Premier, the Charlotte, N.C.-based group purchasing company, has joined the pledge, its leadership is pushing for legislation to enforce the goal of interoperability.

“We support a public rating system of vendors’ technology based on its performance on outcomes measures of usability, functionality and interoperability,” said Blair Childs, senior vice president of public affairs. “We also support granting authority to investigate and fine vendors who engage in information blocking.”

President Barack Obama just last week asked the healthcare industry to start sharing more data as part of the effort to find successful individualized therapies based on genetic information.

In a separate statement Monday, HHS announced plans to form a Health Care Cybersecurity Task Force as called for in the Cybersecurity Information Sharing Act of 2015.

“Establishment of this task force will build on our work to keep systems secure and to provide information to improve preparedness for cybersecurity threats affecting the healthcare industry,” the HHS statement said. Nominations are being solicited through March 9 at



Las Vegas, NV (March 2, 2016) – The 2016 HIMSS Connected Health Survey scheduled to be unveiled at the HIMSS Annual Conference and Exhibition in Las Vegas paints an optimistic picture surrounding the emerging trend of connectivity within the healthcare ecosystem. With more than 50 percent of respondents indicating their hospital currently uses three or more connected health technologies, the high adoption rates (and other supportive statistics in the report) underscore the growing importance these technologies play in the hospital setting.

Respondents reported that the technologies implemented within hospital settings improved their ability to communicate with patients and to deliver a higher standard of care. In addition, 69 percent of respondents whose hospitals use mobile-optimized patient portals indicated that attention to the mobile environment expands their capability to send and receive data securely. Given these positive impacts, it is understandable that healthcare organizations are looking to increase their investment in these tools. See the full results in the infographic here:

“The healthcare ecosystem is increasingly converging on patient centric technology solutions,” said Tom Martin, Ph.D., Director of Healthcare Information Systems for HIMSS. “The role of the provider is to expand far beyond the walls of the exam room, especially as our healthcare system transitions towards value based purchasing. The Connected Health findings illustrate the importance of interactive relationships between physicians and individuals and technology as a means to advance comprehensive health and healthcare.”

The survey was conducted in partnership with the Personal Connected Health Alliance (PCHA). The findings reflect responses from 227 IT, informatics and clinical professionals in U.S. hospitals and health systems about their organization’s current and future use of connected health technologies. Currently, 52 percent of hospitals indicated the use of three or more of these technologies, including:

  • 58 percent mobile-optimized patient portals
  • 48 percent apps for patient education/engagement
  • 37 percent remote patient monitoring
  • 34 percent telehealth, audio-visual fee for service
  • 33 percent SMS texting
  • 32 percent patient-generated health data
  • 26 percent telehealth, concierge service

Nearly half (47 percent) of respondents indicated their hospitals are looking to expand the array of connected health technologies they use. Another five percent of respondents expect their hospitals to become first-time users of at least one of the connected health technologies outlined in this report. The most commonly cited technologies they plan to add are:

  • telehealth, concierge service
  • patient-generated health data solutions
  • SMS texting

To download the complete 2016 HIMSS Connected Health Survey, please visit: or follow #Connect2Health




News Release

March 3, 2016

In a February 29, 2016 letter to Andrew Slavitt, acting administrator of the Centers for Medicare and Medicaid Services (CMS), HIMSS offered a series of recommendations for the development, implementation, and reporting of electronic clinical quality measures (eCQMs) as part of the CMS Merit-based Incentive Payment System (MIPS), acute care-focused, value-based incentive reimbursement programs, and other alternative payment models for 2017 and beyond.

In the letter, HIMSS emphasizes three key points:

  • eCQM reporting should accurately reflect the quality of care delivered.
  • eCQM reporting should minimize the implementation and data collection burden on providers and health IT developers by using information already collected for care and reducing the introduction of new workflows.
  • eCQMs and their associated data must be relevant, useful and usable by providers and healthcare organizations to enhance care delivery and ultimately improve patient care outcomes.

HIMSS Quality, Cost, and Safety Committee chair Shelley DiGiacomo and Vice Chair Pauline Byom presented HIMSS recommendations at the Health IT Quality Symposium: Improving Quality in a Payment for Value World at HIMSS16.

View the complete HIMSS recommendations

