EHR vendor loses ONC certification for two of its records systems

This week health care organizations were startled and not a little concerned to learn of the ONC's unprecedented action with regard to a California health software company. The agency is decertifying electronic health records systems that initially met ONC requirements for certification.

Via Modern Healthcare:

For the first time, the Office of the National Coordinator for Health Information Technology at HHS has revoked certifications for two electronic health-record systems, raising troubling questions about how physicians and hospitals should react if the government nixes a system they're already using.

Federal officials require that doctors and hospitals use certified EHR systems in order to receive federal money to defray the cost of converting to EHRs. But on Thursday, the ONC said it decided to revoke certifications for two products on the market after anonymous complaints were lodged about the systems.


EHRMagic, of Santa Fe Springs, Calif., had two of its records systems shot down by the government: EHRMagic-Ambulatory and EHRMagic-Inpatient. Two people familiar with the company interviewed for this story said they were not surprised by the development, since the firm didn't seem able to live up to its promises on the sales side of the operation several years ago.

Calls and e-mails to EHRMagic on Thursday were not returned. Records with the California secretary of state list the 4-year-old company's corporate status as “suspended.”

ONC spokesman Peter Ashkenaz said no healthcare provider has “attested” to using the system, which means that no one had tried to receive federal funding to pay for installation of an EHRMagic system. Since 2011, more than 234,000 organizations and individuals have received a total of $12.7 billion in EHR incentives to install one of the 1,700 systems eligible for payments.

But a blog post Thursday from Carol Bean, director of the certification office at the ONC, makes clear that the office will continue aggressive monitoring for other EHR systems that don't meet the federal requirements. That includes proactive investigations and surveillance by the office, as well as inquiries that stem from tips from the public about shoddy systems.

“We want to be clear,” the blog post says, “the office of certification's role doesn't stop after EHR certification. We are also going to monitor certified EHRs to determine whether they continue to meet our requirements. The doctors, hospitals and other providers that are adopting—and have already adopted—EHRs deserve this and should feel confident that the tools they are using are up to the job of helping their patients get the best care possible.”

Ashkenaz declined to say what a healthcare provider should do if the system it is using ends up retroactively decertified for payments, as EHRMagic's systems were.

Richard Gant, CEO of physician-supply seller Innovative Healthcare Systems in Royal Palm Beach, Fla., said the EHRMagic situation pointed to another major concern about decertification. EHRMagic sells what is known as a “cloud-based” system, meaning that patient information is stored off-site and not physically in a provider's office.

“The biggest issue is, all of your information is on their servers,” he said. “And if they disappear, that information could go away.”

Several years ago, Gant's firm attempted to sell EHRMagic's systems through a sales model that would have allowed it to be installed for free in exchange for eventual federal subsidies. But he said Innovative Healthcare Systems severed its relationship with EHRMagic after several initial attempts to install it failed, and sales payments were not forthcoming.

“When they weren't paying for anything and they weren't supporting clients of ours, we said goodbye,” Gant said. “I'm surprised they were even around to even be decertified.”

By Joe Carlson

“ONC revokes firm's EHR certifications,” Modern Healthcare (April 25, 2013).

Nemours reports breach affecting 1.6 million individuals

Nemours, a children's health system with hospitals in Pennsylvania, Delaware, Florida and New Jersey, reported a massive breach affecting 1.6 million people, including patients, employees, and vendors. Via Health Data Management:

'On September 8, 2011, we learned that a locked tape storage cabinet containing computer backup tapes was missing,' the delivery system said in a notice to patients. 'We immediately began an investigation and now believe the cabinet was removed from our Wilmington facility on or about August 10, 2011, during a remodeling project. To date, we have been unable to locate the storage cabinet. We believe the cabinet contained three unencrypted backup tapes from a computer system we stopped using in 2004. No medical records were on the backup tapes, but they did contain patient billing information, including name, date of birth, insurance information, medical treatment information, and Social Security number.' Some employee payroll data and vendor information, such as direct deposit bank account information, also was on the tapes.

Nemours has since begun encrypting its backup data tapes and moved its rarely used tapes to a more secure off-site facility. The health system is offering a year's worth of credit monitoring to affected individuals, which, considering the number of people involved in this breach, could be a massive, seven-figure expense.

"Nemours Notifying 1.6 Million Individuals About Breach," Health Data Management (October 18, 2011).

Rising numbers and costs of data breaches

There is little doubt that the healthcare industry must prepare for a growing number of data breaches, and for the expanding costs associated with them, particularly for breaches of protected health information. Here are just a few notable reports on this subject:

  • Infosecurity.com reported on a striking increase in attempts to hack into healthcare organizations, while the rate of hacking in other economic sectors remained flat: "the last quarter of [2009] saw an average of 13,400 attempts to hack healthcare organizations, compared to an average of 6,500 in the first nine months." According to researchers at SecureWorks, which produced the graph above, healthcare organizations are particularly vulnerable to such attacks because they "have to provide access to many external networks and web applications so as to stay connected with their patients, employees, insurers and business partners. This increases their risk to cyber attacks."
  • CNET News reported on similar findings by the Ponemon Institute, whose survey concluded that "Data breaches at U.S. companies attributed to malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than breaches caused by human negligence or system glitches." The cost per compromised record involving a criminal act averaged $215, about 40% higher than breaches from negligence and 30% higher than those from glitches, the Ponemon survey found.


There are also a couple of examples of individual healthcare organizations suffering from the increasing costs associated with data breaches:

  • According to the Chattanooga Times Free Press (via iHealthBeat), BlueCross BlueShield of Tennessee announced that it has spent more than $7 million to respond to a security breach in which 57 hard drives were stolen from its training facility, which may have compromised the personal and health data of up to 500,000 members. The $7 million tab does not appear to be the end of it:

The insurer has notified 220,000 BlueCross members about the data theft. The company also is offering no-cost credit-monitoring services for affected members. In addition, BlueCross is working to notify attorneys general in 32 states about the breach [pursuant to the HITECH Act].   <...>

BlueCross officials said 20,500 members already have signed up for the no-cost credit-monitoring services. In addition, the company has hired more than 700 contract and BlueCross employees to help determine what data the hard drives contained. The insurer said it might need to spend significantly more money to evaluate the missing data and provide additional identity protection services.

  • Considering the experience of BCBS of Tennessee, the costs associated with HealthNet's infamous data breach must be even higher. On top of providing two years of free credit monitoring for hundreds of thousands of affected members, HealthNet is being sued by the state of Connecticut for HIPAA violations and for noncompliance with HealthNet's own security policies by failing to encrypt the sensitive data. The missing hard drive contained "27.7 million scanned pages of more than 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records." Further complicating HealthNet's situation is the fact that the company waited six months to inform the affected customers of the possible breach.

"Healthcare hacks on the rise," Infosecurity.com (January 26, 2010).

"Survey: Data breaches from malicious attacks doubled last year," CNET News (January 25, 2010).

"Tab for Response to Data Breach Hits $7 Million for BCBS of Tennessee," iHealthBeat (January 26, 2010).

"AG files suit in health data privacy breach," theday.com (January 13, 2010).