IamA I.T. worker in the healthcare industry, and I want to answer your questions about how your patient information isn't always secure
My short bio: I've worked in the healthcare industry for approaching 4 years. I work mostly with small to medium-sized clients, and I want to let you know how your information is often not properly secured despite recommendations. I am not a lawyer, but I have what I'd consider a firm handle on HIPAA privacy.
My Proof: Sent to mods
UPDATE: Still answering questions, and I wanted to let people know that if they come to this thread in the morning, please go ahead and post, because I'll keep replying to questions that haven't been answered yet. I'll need some sleep here soon.
UPDATE 2: Been answering questions since I woke up! Glad to see all the questions. It's currently 1:11pm PST and I'll be answering questions for as long as people are posting today! I'm not one of those IAmA guys who answers 10 questions with one-liners and peaces out, keep 'em coming!
UPDATE 3: Answering questions all day! Thanks for the input/contributions guys. If you're coming into this late, I'll keep responding as long as questions keep coming in, they just won't be as active as they were today :)
I feel the same way as you in a lot of ways. I don't care if people know I saw the dentist and got a cavity filled, or that my last physical was good. For a lot of people though, medical records can be a source of embarrassment. For example, those with STDs aren't going to want that info made public.
What may be even more relevant, though, is that within all the information that's part of medical records are things like SSN, date of birth, insurance information, and driver's license info. Identities can be stolen with that information really easily. Why this is more stressed when it comes to healthcare than, say, your bank or other places that use this info, I'm not positive. Another part of it though is that if some of this information is made publicly available in some way, I could see employers abusing this information and turning down people for jobs, or firing people.
Often medical records have pictures too. I have a plastic surgeon client and I'll be damned if I wasn't surprised the first time I saw before and after pictures of a client who got breast implants sitting on a shelf. They did a good job...
There's some bitterness between IT and healthcare workers (such as nurses and doctors) about EHRs. IT believes that doctors and nurses are too damn stubborn to learn how to use the technology; doctors say that the new systems interrupt the workflow they were used to when they were on paper charts.
So specifically from the IT side, what are the most common problems that doctors seem to have, in your view? I know your AMA is about patient information and HIPAA, but I'm also interested in other areas, such as usability of EHRs.
No problem answering other questions as well!
Doctors seem to be too busy to learn anything that isn't directly related to what they do. And I mean absolutely directly related to exactly what they went to school for. For example, a doctor I know wanted to learn how to use the dictation software Dragon NaturallySpeaking, but literally said he wasn't willing to spend a weekend learning how to use the software, and this is one of the younger dudes who actually isn't that terrible with computers. So instead, he speaks into an old Sony dictaphone, and they have to pay someone to transcribe his notes (which has now been outsourced as they killed their transcription department).
Some more examples:
- Docs get a company e-mail address, still use their @hotmail account, then send transcriptions to a company e-mail address using that account, when they could just use their company e-mail and be within HIPAA rules
- Docs ask to be able to do video conferencing, never use it, never ask about it
- Docs want a new PACS system, aren't willing to take time to look through different options
- Docs don't want to provide IT with an office or sufficient server storage space because it doesn't 'make any money'
Really, a lot of them are so far up their own ass they don't think they should do anything that isn't something only a doctor does. They don't like writing down their own notes if they don't have to, they don't want to pull up their patients' charts on the computer if they don't have to, they won't pull up patient images if they don't have to, they won't pull up and access hospital websites if they don't have to.
Another thing: they'll ask us to help them out right now, then be too busy to do anything "but here's my computer, take a look". Well, it's a website issue for which I don't have an account, soooo....
Docs can technically stay on paper charts, but they lose out on a lot of financial incentives. I can see their beef with this, but it comes down to money and the future. There really needs to be an EMR that can be fully tablet effective, to just be like a digital paper chart in many ways; this would help them a lot. But one time we provided docs with Dell XT3 touch screen tablets, and we got told it was 1990's technology. It was one of the most ignorant things I'd ever heard. This i7, 16 GB, solid state drive, touchscreen LAPTOP is 90's technology? OK.
Really, they just don't want to take the time to learn things. Some things do get in the way compared to the past, but when people embrace the changes it becomes pretty normal for them.
I'm a doctor who also has a CS degree, uses Linux, writes code, et cetera.
Every single new IT initiative I see in my hospital promises to make things better, but despite the sworn promises of whatever committee came up with them, only a tiny minority actually do. Usually they just waste time. It's easy to get jaded.
I haven't met a hospital IT system that wasn't awful. Only in rare instances do you get any value from time spent learning about them beyond exactly what you need to know to do your job. (I've tried.)
Every minute not spent on patient care is a big deal. It's not hard to go twelve hours without even time to go to the bathroom. That five extra minutes here and there spent doing stupid paperwork or fighting with some computer not working adds up, and causes real delays and significant errors taking care of patients. No offense, but sitting at your desk in the IT department you don't see these things.
I don't want to start a debate of any type, but I would like to ask if you have volunteered to be on these committees? Because that's often an issue: doctors won't invest the time to research these systems on their own, so they rely on people who aren't in their shoes to do it for them, for whatever reason, then they later complain about what was selected even though they didn't want to take the time to look into it themselves. I once had a group of doctors approve the purchase of about 40 touch screen laptops 2-3 years ago, then later come back and say they hated them and had never approved them, when they were literally given a demo of the product, approved it and liked it, only to later say they hated it and put the blame on someone else. We even offered the demo laptop to use in clinical settings and they just decided to ignore it, then later said they hated it. It's frustrating, doctors want what they want but they're not willing to put some time into researching it.
I am not the type of IT person who just sits behind a desk in an IT department. I am very often out and about with the doctors and their nurses near exam rooms, and I see a lot of what they do and understand time is important and understand the workflow very well, as I'm often helping them with things they want set up for their job. I've seen the check-in process, taking patients to their rooms, viewing patient images, viewing patient charts, dictating patient notes, and then the patient checking out. I understand what time means, and in my opinion I need to understand what you guys do daily in order to do my job to the best of my ability. I've also seen the back end doctors don't see, such as billing processes, what transcriptionists do, what their surgery schedulers do, what their X-ray and MRI department does, what their receptionists do. I'm all around the clinic and have to help every person in every job role. I've also been around surgery centers with their receptionists, with their schedulers, their nurses, working on computers during surgeries. I'm not a doctor, but I know a lot of what is required for them to work. I know how bad it is when 3 patients show up 5 minutes late each and what that does to a work schedule. I know they're on call and need access to view patient images from home to avoid having to drive to the hospital just to look at a picture to decide whether or not they need to go in. I know without this technology you'd spend countless hours driving to the hospital when you didn't need to. I really do have a wide-reaching picture of what you do.
It's honestly about ROI. If you spend time now, you will save time in the future, just take a moment to learn something and contribute your thoughts on a system and you can save yourself the headache later. You can only pay people to make decisions for you to a point.
I will also add that I've worked with some downright dumb EMR/EHR vendors. I was hired to do a conversion between an older system and a newer system. They attempted to not pay a portion because the MRNs (Medical Record Numbers) were different...
The MRNs were different because they PAID someone to look at the old system and enter patient demographics into the new system. Once they finished the 50k+ (!!!) of First Name, Last Name, Address, Social, etc., they realized how long it would take to manually enter all of the rest of the info.
I told them "sure, no problem - send me the demographics export from the new system and I'll give you a lookup table so you can match them up". Nope, can't do.
This sounds pretty terrible, I wonder if they don't design them this way intentionally to force you to continue using their product, which doesn't even seem fathomable if they're storing the data in a database.
Oh God, sounds like Radiologists. You're giving me flashbacks!
"What do you mean they haven't sent the images yet! It's been 5 minutes!"
I would rather a physician pay attention to people's medical needs than fiddle with the computer all day.
I do feel this sentiment, but right now being a doctor is a lot more than that. It's also about tracking a patient's medical needs; the patient has the right to have that information readily available to them and to have that information hidden from everywhere else. While computers are a lot more error-heavy than pen and paper, for example, doctors don't need to fiddle with the computer, that's what IT is for. When things stop working, we fix it for them; they merely use the computer. They don't have to figure things out, just use it within best practices.
If you mean fiddle with the computer by opening up patient charts on a computer, it honestly doesn't take very long to do what they're giving out their passwords to do. It's literally searching a number like you would in Google and clicking on something, but many insist someone take 10 seconds to do that for them even though they're handing out passwords they shouldn't be.
That doc that wanted to use dragon should be told to hire a scribe and be done with it.
I've had other doctors hire scribes, the funny thing is many are also money hungry, but the laziness takes over. They'd rather pay a scribe 30,000 a year than spend time dictating lol
I used to work for a major EHR vendor and do consulting in this field, and your description of doctors and their attitudes towards EHRs is so dead-on accurate it's scary. The number of times they would threaten to quit, retire, transfer to another facility etc. over learning a new electronic system was staggering. They are smart people, but god damn if they don't act entitled towards everyone else.
Someone else asked in this thread, and maybe you could fill us in a bit better, was it in your experience that after your product was deployed that your company's customer support went downhill? That seems to happen to every client of mine no matter the vendor. It seems they put forth a lot of manpower to get them implemented, then after that the support team is either severely understaffed or severely mismanaged.
Most importantly, you can learn what is entailed in HIPAA. In its most basic form, any violation is when your patient data is put at preventable risk. So while you're at the clinic, to see how trustworthy your company is, basically look for ways you could violate another patient's information (without actually doing it, of course). I had a client that would leave the patient in the exam room with the exam room computer logged in and the patient images pulled up on the screen, while no one else was in the room with the patient. At this point, as the patient, you would be able to get on that computer, hit the back button, and start searching through the site looking for other patients, all without being asked for a password, because they left it logged in. If you can read patient information because it's left on the counter in an easy-to-read place, there's a sign; if you could swipe a chart off a counter, there's a sign; if you can walk to the bathroom and there's no one around to stop you from doing this, there's another sign. Places where you can easily read off their monitors are yet another sign.
TL;DR if you find that you can exploit other patients' info while you're at the doctor, other people can do the same to you.
You may also try testing them over the phone to see if they would give out any info without you having to prove it's you, then question them about it. I'm not saying harass your clinic, but that's how you can see on the front end. And generally, my guess would be if they're not doing these simple things (locking computers, having monitor screens where necessary) then they probably also aren't doing the other more articulate IT stuff either. Mostly due to costs, whether it's software, hardware or labor. These small clinics can't afford a full-time IT person, so when they contract out it's hourly, and it's not cheap.
To answer the second part of your question! I personally do not have any certs. I was lucky and was able to break into the field with a relatively small company looking to train people their way. Most of my training was self-taught, as necessary on the job. My luck being I'm very good at figuring things out and able to pick up on learning new things. The internet is a great resource while you're working on an issue; most issues someone has had before you, and hopefully everything else is covered by the vendor ;)
I personally don't have any certs. Most companies will like seeing basic ones like A+ or Network+, as it's the equiv of a high school diploma; it shows you did some work to try to get your foot in the door. My company offered to pay for certs a while back, but I'm actually finding myself in a position where I know more than enough for my current job but I'm lacking certain qualifications to move elsewhere, not that I can't learn them though. Once you build a good troubleshooting foundation, and get to test out deploying new technology, all the rest starts to come a whole lot quicker. Hope that's helpful!
The number of physicians' offices I've encountered that are still using WEP encryption for their Wi-Fi is staggering.
There was an office down the hall from a client that had one of their Wi-Fi devices on open Wi-Fi, with the default username/password still in use on the router.
I went to a sushi restaurant once that had this done too. I changed their Wi-Fi name from 'linksys' to the name of their restaurant for them, I felt good about that lol
You said that a lot of the stuff you learned was self-taught. I'm trying to get into bioinformatics, but have little knowledge of computer science. Got any recommendations for places to learn?
And thank you for doing an AMA!
Really quite plainly, think of something that you think would be fun to do. A good start for you might be learning databases and how you can use the information in them: find data you'd like to organize, then just do it. I think the best way to learn is when you're having fun. Another way is just to follow guides, then try to duplicate them in a slightly different way. Google is really your best friend here once you figure out what you'd like to do. If no one is doing the same thing, try to find similar things in order to reach a goal. I don't have any specific resources that I can mention, because there are so many different things that you will find on random forums across the net, including reddit!
Another note: there's currently a shortage of good IT workers right now, and I will mention that it's probably because it's really stressful. It's a job where you don't know what you'll be doing from day to day, and in healthcare there's a lot of money at stake, so when things aren't working, the company is losing money and there's a lot of pressure to get things done. My least favorite thing about the job is backup management. Patient data is a huge deal; without proper backups you run the risk of crippling a company. That stresses me out a bit.
There's always a shortage of good IT workers, because 90% of them suck.
This includes the ones who have certs. In fact, I'd say them in particular -- certs are like a participation ribbon, it proves nothing aside from the fact that you forked over some cash to someone with a laser printer.
It's hard to train someone to think on their feet around problems and not be afraid to try new things. I found this to be an issue with all of my coworkers except one, to be honest. I think it also helps that you actually have fun fixing issues and try new things while you're at home. That coworker and I set up a VPN between each other's apartments and stuff like that regularly, because we enjoyed it.
I work security in the healthcare industry and I must say that people leave pages of personal info around on desks and stuff. Hell I got an email (on my work email) with an excel document with a few hundred names, addresses, socials, etc.
There are ways to prevent that. There is e-mail encryption software that also comes with a way to scan for critical data and prevent patient info from being mailed outside the organization. Human error is only preventable to a degree... doctors regularly would take patient charts home with them to look at / finish dictating and just leave them in their car, or sometimes lose them for a while, eventually finding them somewhere.
What EHR do you work with, what EHR do you prefer and what EHR do you hate?
I have to be very generic with this answer, but the best EHR is a cloud-based EHR, in my opinion.
I own a healthcare-related IT company and the real leak does not exist in the technology, but in the data ownership chain.
Your insurance company, for one, often uses temps or low-paid workers either in or outside of the US. If a professional snoop wants information regarding your health, he simply spends money at this level.
In 32 years of software development, millions of users, I have not once been, to my knowledge, hacked. I have, through active auditing, discovered suspicious access at the temps/admin level.
One of my clients had temp workers pull charts (they aren't on EMR fully yet), and some charts were in the space shared with IT (ridiculous, right?), and they would read patient charts and joke about patient names and stuff. It's definitely an issue.
Do you work with big systems (Epic, Cerner, Soarian) or little systems for smaller private practices?
Do you think there is a single, much superior EMR system? Which is it? Why is it superior?
Alternatively, which system is the best for:
- Clinical workflow
- Business workflow
- Doctor interface
- Office folk interface
- Customer interface (if any, patient portal, etc)
- Integration with other systems
A lot of smaller practices will have doctors who work for big hospitals, so I've set up Epic on quite a few computers in my time. I haven't worked with Cerner or Soarian.
I haven't seen anything I'd consider superior at this point. My best recommendation would be using a cloud EMR system for smaller places, but for actual use of an EMR, since I'm only on the IT side of things I don't get to use the EMR directly, so I'd have to go based on user feedback, and it's generally more negative than positive for any of them.
That's been my feeling as well. I want to be able to recommend a good option but I don't see one.
I think it's like replacing a phone system. Never do it. Ever. It's just horrible and everyone will hate you forever.
It's easier to fire everyone, shut down the company, liquidate everything including the old phone system, start a new company, install the new phone system, and then rehire everyone.
But yeah, none seem amazing.
There's a lot of risk involved in being the person who decides on an EMR; people have been fired for lesser things.
Thanks for doing this AMA. Have you worked in a different industry w/ IT? If so, what is the work-life balance compared to health care? I almost took a health care position because it paid extremely well, but the Glassdoor reviews made me second-guess it because management was falling apart.
Our company specializes in healthcare IT but is not exclusive to it. It's a breath of fresh air when I work with someone who can easily tell me their password so I can log in as them to a website or their computer if they have to do something while I'm on the phone with them. HIPAA just adds a huge layer of complication to your everyday work.
Hello! I work in a Nuclear Medicine Department in an outpatient setting. I recently purchased a Philips gamma camera with an EBW workspace processor (Dell). I send DICOM images off-site to be read by radiologists, and occasionally I have Philips techs modem in to help with issues. My question is: the console is still running Windows XP 64. I spoke with Philips and they have no plans to upgrade the system. Since XP is no longer supported, what are the risks, if any, I should be worried about?
P.S. My IT guy seemed annoyed when I brought this up. Am I worried over nothing?
Haha, it can depend. Initially I'd like to say, yes, it can be an issue. If this system is not browsing the internet and has proper measures to make sure physical access is limited to those approved to use it, I'd say your concerns can be lowered. This is somewhat of a gray line; you're stuck using legacy software because of your vendor. One of the best things you could do to CYA is get something in writing from your tech or company asking them to outline why keeping this computer is safe/not at risk in regards to HIPAA compliance. They will either provide you good information, or possibly be forced into replacing it if they can't provide this information for you.
Just wanted to add I work in IT in a heavily regulated industry, we can't sneeze on our computers without going through a risk assessment.
On the other hand, my dad used to work in a doctor's office and needed help getting their wireless printer to work, so I went by to help. I saw right away the entire office was connected via a WEP-secured Wi-Fi network. I sent the Dr. a nicely worded email that if this was my office I would go to a traditional wired network or at least use WPA2. I explained that any kid sitting in the parking lot could get into the network in about 5 minutes... she thanked me and never did a thing about it.
I even mentioned if HIPAA ever audited her place that would be a pretty big issue to them, problem is HIPAA never audits anyone.
I have a lot of chiropractor clients who flat out ignore HIPAA because it seems they'd rather take the risk of not being audited than doing what they need to do to stay compliant. The odds of being audited are EXTREMELY low, so I can see why when they're running slim on profits that they take this risk, none of my clients have been audited in the past 3-4 years.
As a physician it's god damn annoying to learn multiple EMRs. I know how to use NextGen (horrible piece of software), Epic (awesome and intuitive to use), Cerner (it's eh) and last but not least Amazing Charts (simple to use but no inpatient). As far as IT goes, are any of you guys planning to interconnect these software packages, or just plan to have one software nationwide?
Also as a physician, the most common complaint that I hear is the amount of clicking one has to do for simple tasks. I am not for paper charts at all, but EMRs are so far behind their time and they keep on working on making it look pretty, but functionality-wise they all are slow, glitchy and difficult to use.
Ignore errors. Typing through phone.
These vendors won't interconnect unless one buys out the other....
I don't know who decides on EMR vendors at hospitals, but I've never heard of someone completely happy with their EMR anywhere, and while one person likes one thing another person hates it. It's interesting.
Hah, I've installed many a client software for McKesson PACS. Why do they make it so difficult to install compared to everyday shit! Damn VPNs!
Having worked in a hospital as a clerk, I can see the need for patient privacy. Many patients with certain illnesses don't want their diagnoses to be released to their family or friends. I.e., a patient with cancer would prefer not to have his family know of his illness and would rather live the rest of his life as normally as possible, not have his family worry, etc.
Anyway, the system that we used there (Meditech) was very archaic. It worked in a DOS-like format, and did not allow much free-form info to be added. I think that it would be a great idea to have more info on who can call to ask for basic info such as appointment times, doctor's names, etc, and who is restricted from any info.
I think that a huge part of patient privacy also lies in the hands of the admin staff. If they do not have a clear idea of what info can and cannot be released, then nothing is secure regardless of what kind of technology is used.
I'm actually vaguely familiar with Meditech. I've set it up to be used on many PCs for accessing a nearby hospital's records but never had to use it myself. It's definitely a bit archaic lol
Your last paragraph is definitely true; my IAmA doesn't necessarily require me to be an IT worker to explain how true that is. And that's sort of my point: you might see a fancy medical clinic on the outside with these 'advanced computer systems', but I can tell you no one is using it perfectly, so don't think they could be!
I worked in the healthcare industry for 11 years with a very large HMO and was actively involved in the technical side of their HIPAA compliance effort and implementation of the EMR.
As with so many other areas, the problem isn't the technology, it's the people. For every effort you make to enact data security, there's some jackwagon in the company ready to nullify it with their boneheaded, lazy or just plain stupid actions.
You can train people all you want and enact technical barriers to make it harder to do titanically bad things, but at the end of the day there's no way to make a large organization air-tight.
Exactly! Doctors giving MAs their passwords, then the MA leaves because her husband is military and the doctor never changes his password... it happened all the time. I don't think people who have never been on our side of the industry realize these things and just assume their information is safe!
In your opinion, what are some shortfalls of HIPAA? What are some of your suggestions to improve HIPAA?
I'm not as interested as to how your firm handles these things because not all firms are created equal.
My biggest issue with HIPAA is that the guidelines are incredibly vague. I'd love for them to make very clear outlines about what needs to be done to be HIPAA compliant. As far as getting past that, it really hurts small clinics; they don't have the money to increase their overhead with I.T. and other forms of HIPAA compliance. Things like monitor screens around a clinic add up in cost. You also need someone to focus on keeping track of HIPAA compliance, reporting potential breaches, making sure everything around the clinic is being maintained. The larger the company, the easier this is for just 1 person to do. That's why so many hospitals are buying up specialty clinics and making them a part of their network.
It's hard to improve upon HIPAA. It's there to protect patient info, but not without some amount of work to be done on the clinical side.
I've been in IT for years and while not in the Healthcare field I understand the gist of HIPAA.
While registering for an outpatient procedure I had a prior patient's registration form in plain sight at the desk where I was also registering. At one point I was left alone at the desk for several minutes. It would have been trivial to grab the piece of paper, take a picture and put it back.
Some things never change.
Yep! Really, as mentioned elsewhere in this thread, the human factor is the worst. I see it all the time.
An example: I needed to log in to a woman's computer to look at an issue that was only happening while she was logged in. It was 4:30pm and she had already left for the day. She was an older woman (50s or so?) so I figured she was like the rest and had her passwords written down somewhere. I opened the top drawer of her desk and in about 5 seconds I had a list of passwords for numerous sites, and, you guessed it, her computer! I was able to log in and fix the issue, which was nice for me, and terrible for every other reason ever.
I've witnessed that most breaches of personal medical info aren't by hackers but rather derp moments by doctors, nurses, etc to whom they are entrusted. Leaving a briefcase full of patient files on the subway. Not encrypting a personal laptop where you keep hospital databases on. HIPAA violations when they are caught are not too much money- an unnamed hospital was recently fined 1 mil when a doctor lost his laptop with patient info. But the subsequent "corrective plans" imposed on institutions after the derp cost many, many millions in new security, manpower, training, equipment, oversight....
Had a doctor leave a non-encrypted laptop in his car with probably hundreds of patient dictations on it; they didn't report it. I often want to report this former client for breaches, but I don't want the company I work for to be pulled into it, since we did their IT for 3 years, yet they took very few of our recommendations and we were somewhat under their thumbs.
It can become a genuine BFD when the hospital or institution receives federal money or grants. The government will pull the money if HIPAA rules are broken and you don't fix it fast. Labs can be shut down. Hell, whole hospitals can be closed. That aside, consider anonymously reporting the incident. You can do that and it may actually save your client's ass down the road.
This client had at least 40 exam rooms, and in every room a patient was left sitting in front of an unlocked computer with access to a PACS database. This was the worst one. Another bad one is that I'm pretty sure I still have access to their PACS system, because I really doubt they changed the generic username/password they shouldn't have been using in the first place. They're rich, but I don't know if they're that rich to cover those HIPAA fines.
Why do you think so many healthcare-focused software vendors are so much worse than non-healthcare-focused ones?
* Rarely interested in security updates
* Often nonresponsive to customer inquiries
* Often tied to extremely outdated software - OS/database/etc.
* Showing minimal interest in actually securing their software - shared/common SA passwords, not encrypting data where they easily could, etc.
On the outside, I think you have people designing software who will never use the software, that being said, people in healthcare are honestly so picky about what they like, particularly doctors, there's never going to be a one-size fits all.
This is the worst: once a vendor has you as a client, they seem to realize that you've already spent a shit ton of money and you're pretty much stuck with them, and their support becomes shit. It happens pretty much every time: response times go down right after implementation, even if they respond they don't follow up, they close tickets without telling you why and the issue isn't fixed. It's frustrating.
They seem to have a limited number of people working on updating things; web browsers update way faster than software companies even try to keep up with. Even with a lot of EHR/EMR companies, things won't work properly on Windows 8 or Windows 8.1.
EMR companies don't actually seem to care if you are HIPAA compliant or not, it's not their problem, their system can be HIPAA compliant, but it's not their job to make sure it is...
Hello fellow healthcare IT worker! This sounds exactly like my day to day. Almost sounds like you work right next to me... I feel your pain(s), good sir/madame
Glad to hear I'm not the only one feeling this way!
IT operations and Data Center compliance guru here. In fact, I am currently building an IT department governed by HIPAA/NIST regulations now. I have been building and managing HIPAA/PCI/NIST etc. compliant facilities and organizations since the mid 90s and I can say this.... You can have every conceivable data risk covered. And have a seemingly foolproof security environment. All it takes is one idiot user to leave their laptop in their car when they are at the grocery store and you are screwed. Even with robust endpoint management, encrypted disks, disabling USB storage devices... etc.... most people keep their passwords on a Post-it note in their backpack.... We really do our best to keep things secure, but you can never completely remove the idiot human factor.
We had a doctor leave a laptop on his backseat; he had a lot of patient info on it. It was stolen. Worst part is he was given a metal lockbox to keep it in his trunk, a bit more secure, and he didn't use it. The loss was never reported. They swept it under the rug as much as possible, to the point that their practice manager for that clinic wasn't even forward about telling me it was stolen; she just asked if we had another laptop he could use.
What can I, as a future doctor, do to make your job easier?
The best thing you could do is understand I'm just trying to do my job, there are things that I'm supposed to do that make me a good IT worker, like warn you about potential HIPAA violations. I'm not here to make your life hard, even though sometimes it can seem that way. I need to update software to make sure it's up to date and as secure as possible, sometimes updates break things, it just happens. If I fix an issue on your computer and one creeps up later, it wasn't preventable. Sometimes fixing one thing can break another thing randomly, and usually it wasn't related at all, purely coincidence. In a day I could be near many computers, there's a good chance something will go wrong with one of them later.
EMT here. We use electronic patient reporting. If there is a breach in the servers that the third party runs, are we liable in any manner?
So if the servers are run and managed by another company it can depend. If you contract that stuff out to another company, it is technically your job to ensure they're following HIPAA compliance. So you would need to have your bases covered in having them agree that they are, and preferably have them follow specific requirements that you set forth in maintaining HIPAA compliance.
What are the odds that an individual living in another state (where I have never filled a prescription or received medical care), with a specific interest in me, could get their hands on either my medical or prescription records if they are a medical student or an IT student working in the medical field?
It depends on what access they have. If they work for someone who works closely with, like, a hospital in a neighboring state it's possible, or if it's government records they have access to, or if they work for a claims company, entirely possible. Access really is given out willy-nilly to people who need it.
Oh darn, I missed this... although it seems to have happened pretty late for me. I'm a BI student interested in healthcare so I'm definitely going to read through this whole thread.
I'm still around!
Thanks for the AMA! I have some questions for you. 1. Why do you think IT administrators and CIOs are content to carry out business with insufficient security that could not only compromise their patients' info, but jeopardize their jobs? What causes the mindset of, "let's just use what we've got", despite the inherent risk? 2. What would be the best way to approach, present, and propose a security solution to the IT people that MATTER in this security situation? Even the massive Target data breach, in which the CIO lost his job, does not seem to scare decision makers into protecting their PII.
I'm sure you already guessed it, but I sell data security software for a very large ORgAnization you may be familiar with, and would like to approach these situations tactfully, without irritating prospects and at the same time providing value and a useful product and ROI. Thanks in advance.
It really comes down to the people that control the money. If the administrators and CIOs who want to keep their jobs put their best foot forward but are declined purchasing such software, there is only so much they can do, and if they have proof they're not responsible, then technically they shouldn't be, even though if something were to happen a doctor would always say it wasn't explained thoroughly enough to them. But really, if he knew the risk and wasn't scared, that's his own fault and he's bad at his job. If they don't agree with you I don't think it'll be easy to change their mind, because outside of cost, there's not a good reason to not do it, probably, so they're not being rational.
My story - I was developing some clinical database tools for a hospital in Toronto, and asked for a sanitized record from a particular dbase. Lo and behold, not only did they send me a complete record, but it was that of another client of mine. This was no mean feat, as my client list was rather short at the time. Fortunately, this particular lady was fairly open about her condition, but man, what a shock.
Did you let the other client know? That's a pretty big screw up lol
I'm currently in school to get into HIT and I'm wondering, is it worth it?
No. Studying IT in college is rarely worth it. You're better off learning some skills that are missing from most IT people, like technical writing. I switched from an IT major to English with an emphasis in business writing. I still work IT, but every manager I've had has loved me to death just because I can write up customer facing documents better than most of our marketing guys. Plus I make the company money by being a skilled consultant.
This is a good point. I'm actually an Anthropology major, so human culture; I'm more personable than most IT employees. I get along and make much better personal connections with my clients than other employees in my company. I'm the one they mention that the other guys are awkward to. Having skills outside of IT is great while still maintaining an IT base. It helps you communicate with clients about their needs and how you've fixed something, etc. Basically you can explain how you're valuable better by explaining what you've done without tech jargon.
College might not be worth it, unless you're programming, but I wouldn't be against a 2 year technical school if you're not able to learn things on your own for some reason. There are a lot of things I don't know that a technical school would teach me, but if I've been working for almost 4 years, do I really need to know it? I am short on my networking skills, but for most of my clients, I could figure it out, I'm almost positive, if the need arose.
To not unfairly sway your decision, I will say my experiences are both unique and not unique. If you're going into the IT field either way, but are looking forward to doing healthcare IT, my main warning will be that HIPAA compliance is definitely a pain in the ass. It makes everything you set up have another layer of thought behind it. Shared accounts? Preferably not. Password sharing? You shouldn't.
Specifically in regards to the people in healthcare IT, mainly doctors, I've met many really cool doctors, and met just as many, if not more, real stubborn pain in the ass doctors. The younger they are, the better they are about things; they're better reasoned with and not as stuck in their ways. Young people understand the value of IT. Older people don't see why it's necessary, even though their systems utilize it every single day. Income wise, definitely worth it, you can make good money in this business, and HIPAA actually drives it. The recent expiration of Windows XP basically forces clients to get new computers, as many of their XP systems at this point aren't worth putting Windows 7 on, and damned if they want Windows 8 at this point.
Now, if you're working in a hospital environment, at a large company, I cannot speak for that experience. I think most of the time you're more disconnected from having to deal with doctors and more focused on your job, unless you're helpdesk or direct doctor support for EMR and what-not. Your budgets will be better and your department will be trusted to keep things running and trusted on their recommendations. If you're contracted like our company is, they often see you as just wanting more money. We had a client who had doctors who wanted someone who wasn't Microsoft or their IT company to confirm that they needed to upgrade Windows XP. I sent their practice manager 6+ articles to send to the doctors to prove that we're not making this stuff up to make money. They still haven't replaced their computers. For as much money as they make, they don't want to invest in better equipment for the employees or for the sake of avoiding HIPAA fines.
Honestly, I'm currently hoping for something else to come up. I dislike going to work and not knowing what 90 percent of my day is going to be like: what disaster could happen, who will be mad about something that isn't my fault and that I'm actually there to fix. I.T. is high pay, high stress, and high skill. You really need to have good people skills, despite the stereotype, when you're contracted. Your clients are your income and you need to be on the level with them. That was a bit of a run-on, but I hope I cleared some stuff up for you.
Definitely feel free to follow up with any more questions if you had specifics, or need me to clarify anything that might not have made good sense.
Based on your experience, what EMR do you recommend? Is it meaningful use?
I honestly cannot even recommend one; every single one has issues. CompuGroup Medical (NetPractice is under this umbrella) has terrible response times and closes tickets for no reason. Vitera (formerly Sage) has terrible service and response times....I could go on, but I can't recommend any of them based on my use of them. I don't personally use the systems ever either.
My main recommendation, if you're not a hospital especially, is go cloud EMR. Reduce your on-site server costs/risks and put them on your EMR company.
I have two clients with Vitera, one cloud, and one they self-host. The one who self-hosts has so many more problems updating the client on each PC than the cloud one does connecting to a cloud terminal server.
Hey question regarding your education. Do you have a degree in IST or a masters? Do I need a degree to do IT for companies?
My degree is actually a bachelor's in anthropology, and it's definitely not necessary to have a degree for what I do. Getting a decent job in IT generally just requires the experience and a record proving you can do what you say you can do. I got lucky on getting in with a small company, and during my interview proving I can be trained by giving intelligent responses, and ultimately proving my boss correct. He was very happy with my level of progress and ability to work and figure out solutions on my own. Within 2-3 months I was working without supervision, with zero experience prior, and managing my own tickets and day to day work flow. 2 years later I was promoted to manager, and within that time I was already assigning tickets to coworkers in a manager type role for certain clients.
School will help you if you're unable to learn these things on your own, but if you're going to be really good in the field (and in the literal sense, in the field, such as going on site to a client) your ability to learn these things on your own will help immensely. Every day is a different day and no amount of schooling can fully train you for the proprietary software out there needing troubleshooting or figuring out.
I was an EMT for a number of years and one thing that always amazed me was how casual the ER nurses and doctors were about privacy. While our ambulance team was really vague and never said names, as soon as you got into the ER some nurse was yelling out the patient's name and yelling her SAMPLE to the doctor.
I feel like there has been not only a culture of bad online security but also bad norms for the actual real treatment. If I was a patient or loved one obviously I'm not going to tell the nurse to shut up but someone should because it's wrong and illegal.
How would you advise we get nurses and doctors to think about HIPAA as they are in the process of treatment and not just after the fact?
Put the numbers in front of them about how big the fines are, that seems to work the best. Also making them sign forms that they understand that they've been recommended to stop doing something and if they continue to do so understand the risks is another way to get them to stop.
I wrote a pretty full-featured program for a hospital pre-admission clinic a few years ago, so I like to think I was hospital IT. Two things that irked me:
- Doctors using email communication
- Hospital had an email-to-fax system, which would cross national borders, meaning the United States could theoretically look and see what info was on the fax.
These two things used to give me the shits but I didn't see a way of realistically getting doctors to change what they are used to - how do you reckon the whole email thing will evolve?
Patient portals are a big deal in communication, through encrypted means, and someone needs to come up with a method of email encryption that's as easy to use as normal e-mail, but it'll likely require all parties using it. Until then, docs and medical practices will continue doing things wrong if they don't wanna pay for the encryption software or be bothered taking longer to send emails. Some people see the importance in this, most don't. I have a lot of clients using Gmail and Yahoo, so when I want them using Office 365, since it's HIPAA compliant within their organization, they decline due to the fact it costs money.
Sent to mods!
Question: Why do you think it is that everyone is so sensitive about their medical records? Don't get me wrong, I don't want them released, but I would far rather have my medical records released than, say, my credit card or phone records.
Yet, people freak the fuck out over their medical records.