Report – Fifth Annual Study on Medical Identity Theft

Here is a report on the theft of medical identity data. Worth a read.


“Since last year’s study, medical identity theft incidents increased 21.7 percent. “

“Sixty-five percent of medical identity theft victims in our study had to pay an average of $13,500 to resolve the crime.”

“…victims learn about the theft of their credentials more than three months following the crime and 30 percent do not know when they became a victim. Of those respondents (54 percent) who found an error in their Explanation of Benefits (EOB), about half did not know whom to report the claim to”

“Forty-five percent of respondents say medical identity theft affected their reputation mainly because of embarrassment due to disclosure of sensitive personal health conditions (89 percent of respondents). Nineteen percent of respondents believe the theft caused them to miss out on career opportunities. Three percent say it resulted in the loss of employment.”

“…79 percent of respondents say it is important for healthcare providers to ensure the privacy of their health records. Forty-eight percent say they would consider changing healthcare providers if their medical records were lost or stolen.”

“Twenty-five percent of medical identity theft victims in this study knowingly permitted a family member or friend to use their personal identification to obtain medical services and products and 24 percent say a member of the family took their credentials without their consent.”

Article – CDC on EHR errors: Enough’s enough

In this article, the CDC has issued a warning on the issues of user interface design when presenting patient information in EHRs.

As the examples in the article illustrate, having information in digital form is not enough. It needs to be presented in an effective way to ensure comprehension. After the current wave of information digitization and consolidation (moving information from disparate, departmental clinical information systems into a single large enterprise system), the next wave of effort needs to be on privacy/security, accessibility/reliability, and usability, or the incredibly high potential gains will not be realized.

Users need to trust the system, it needs to be there when they need it (wherever that is), and they have to want to use it.

P.S. Here is an infographic on EHR adoption.

Article – New HIPAA rule could change BAA talks

As this article explains, the rules of accountability need to apply to all parts of the delivery chain, from the healthcare provider to the infrastructure vendor.

It is my experience that the readiness of the vendor to provide the necessary security controls (technical, policy, etc.) is usually not the issue. It is often the healthcare provider staff that lacks the knowledge of appropriate and effective controls that prevents proper security from being in place.

For example, even when proper single sign-on (SSO) methods are available in systems, rather than taking the time to implement this between systems (which often requires some learning), staff will often default back to wanting to simply pass a user ID and password (often a generic one) from one system to the next, because that was all they could do 10 years ago to avoid having the user log into multiple systems.

PACS-centric vs. VNA-centric models for including imaging in the EMR

Like many problems, there are more than one valid solution. For the challenge of getting images to both diagnostic consumers (e.g. Radiologists) and clinical consumers (e.g. ordering physicians, EMR users), there are many ways to define a solution architecture, but two are most obvious: PACS-centric and VNA-centric.


In this model, the PACS is the primary system, interfacing with modalities, providing a client to diagnostic users, as well as access to clinical users though an enterprise client embedded in the EMR. Mobile access may be direct or via a mobile EMR user interface, but it is getting images from the PACS. Enterprise images are captured and stored in the PACS (though storing to VNA and routing to PACS is also possible). The VNA’s role is primarily as an archive to (one or more) PACS.



In this approach, the VNA is the primary image management system. The PACS likely still interfaces with modalities (though not always), but captured enterprise images are stored to the VNA, and sent to the PACS when needed/supported. Clinical viewing in the EMR is done by an Enterprise Viewer, which may or may not be provided by the VNA vendor. Mobile access is also through the Enterprise viewer, getting images from the VNA.


Pros and Cons

As stated, both are valid approaches, but each has some inherent strengths and challenges.

The PACS-centric solution has a high likelihood of having all parts of the medical imaging record being available in both diagnostic and enterprise viewers. Proprietary data (e.g. markups and key images) not provided through standard data objects (e.g. DICOM GSPS and KOS) are more likely to be visible in all clients. There may also be some common application configuration settings across clients, which would reduce administration complexity and cost. Getting the image management and image viewing (diagnostic and enterprise client) all working together is the burden of the vendor (i.e. it is an engineered solution designed to function as a single system).

The VNA-centric solution is better suited to support a multi-PACS environment, providing a common management and viewing platform for enterprise users—only the single Enterprise Viewer is embedded in the EMR (vs. the multiple ones provided by each PACS). Environments with multiple PACS and Mini-PACS benefit as the VNA is the common sharing (and data quality validation) point among them—this allows for a more “pluggable” solution where systems that address niche needs can be used until the primary PACS is able to replace them. In this model, the integration among the components is more complex and places a higher burden on the institution to get it all working (i.e. the informatics and IT staff need to be willing and able to put this together), even with purchased professional services from all the vendors involved.

Assuming both the PACS and the Enterprise Viewer support LDAP (Lightweight Directory Access Protocol) and/or SSO (Single Sign-On), user authentication may be equal in both approaches.

Both a well-designed PACS and VNA (and Enterprise Viewer) can provide effective multiple patient ID management methods (e.g. MPI or IHE Patient Identifier Cross-Referencing), to allow integration/exchange of patient imaging records across patient ID domains, though the VNA and Enterprise Viewer are traditionally more likely than PACS to support flexible models.

In both models, storage for the long term archive is expanded at the VNA.

FDA and New Cybersecurity Regulations

A friend forwarded this post to me.

Links worth checking out…

Here are my thoughts…

  • Frankly, security in healthcare devices ranges from embarrassing to terrifying—especially at the interface point between devices/systems. As more devices become network enabled, the level of risk is exponentially increased. Too often, software in medical devices are built by clinically focused developers, or hardware engineers tasked also with the software layer. Developing for security (and performance) is a specific skill set within software development, and it is not commonly found in the average developer. I have found that developers with experience in Web-based consumer applications (that manage personal data) and those with banking application experience generally “get it” more than others, but that’s just my experience. Also, product managers need to get a lot smarter about security and make it a priority in the product scope.
  • Regulations are brought in when industry fails to protect the public interest, and that is what is happening here. If the medical device industry was better at doing proper risk-based design and validation—which security and protection of data would certainly be an area of focus—and including risk mitigation controls in their designs, the FDA would not need to issue regulations. But, here we are. Now we get to see if government regulators can produce effective regulations, and keep pace with the ever-evolving security model best practices and methods.
  • Where the HIPAA Security and Privacy rule applies to the healthcare provider organization (that is, it is their responsibility), FDA regulations apply to the registered device manufacturer. Regulatory Affairs staff working for the vendor community are going to have to learn a lot more about cybersecurity. Most of the professionals in this field that I know, know very little about this topic. If you are a cybersecurity consultant that knows even a little about healthcare IT application design patterns and existing medical device regulations, this is a goldmine. Hmmm, maybe I will study this FDA stuff in more detail. 🙂