Three Antidotes to Physicians' IT Headaches

While preparing this week’s ABL Healthcare Online, several horror stories impacting physicians jumped out at me. All of them piling on as to why a 2014 survey concluded that America’s “burned-out doctors made up 54 percent of the profession.” Yet, it struck me that over the past few years, in our Healthcare Round Tables, we’ve discussed most of these problems – and their solutions. So here are just three of them – as it happens, they all involved IT:

 First – Dealing with EHRs. 

It’s gotten so bad that there’s a new Twitter account, @EPICEMRparody, channeled by a doc for docs, which has more than 13,000 followers in just over a month.  Truly, if you’re looking for a good laugh, you’ve really got to read it. Yet, even though the august Dr. Atul Gawande offered plenty of reasons “Why Doctors Hate Their Computers” in The New Yorker last November, he also suggested there are several silver linings in that electronic cloud. 

 As Gregg Meyer, the chief clinical officer at Partners HealthCare said, “We think of this as a system for us and it’s not. It is for the patients.” Turns out that the patients – about ten times as many as the nearly 60,000 clinical users at Partners [that’s over half million of them] – love the ability to look up their lab results, remind themselves of medications they’re supposed to take, and read their doctor’s office notes to better understand what they’ve been told. In fact, one of the comments on the @EPICEMRparody feed was from a patient basically saying just that. 

 Dr. Gawande also described a solution that’s now being tried out at Mass General: a “virtual scribe” service, in which India-based physicians document the encounter asynchronously, based on digitally recorded patient visits. Compared with “live scribing,” this system, called IKS Scribble, is reportedly more accurate—since the scribes tend to be fully credentialed doctors, not aspiring med students—for the same price or less. IKS Health, which provides the service, according to Gawande, currently has 400 physicians on staff in Mumbai giving support to thousands of patient visits a day in clinics and hospitals across the U.S. As their website states, “Creating clinically, financially, and legally accurate documentation makes the job of the physician easier.” With Scribble, physicians “are able to return to the bedside interaction and clinical decision-making that inspired them to enter healthcare at the start.”

Second – Dealing with Hackers. 

Apparently, when the physician owners of Brookside ENT and Hearing Center received a demand from cyber criminals to pay $6,500 to buy back access to their medical files, the doctors didn’t first check to ensure they had a working backup ready to replace the patient records in their EHR system. Unfortunately, they didn’t. So when the doctors chose not to pay the ransom, their cyberhackers deleted all the system's files, including patient records and appointment schedules. Now – after a locally televised report on the cybercrime aired on the Battle Creek, Michigan, CBS affiliate – concerned patients are calling the practice in droves. And, while the staff is reassuring the patients that the criminals didn’t get their patient information – because the practice's encrypted files were totally erased, the physicians are shutting down their med practice altogether on April 30th. This really is not a solution.

Three years ago, shortly after a major hospital in LA was shut down for over a week by ransom-seeking hackers – to whom they paid $17,000 in bitcoin to get back up, ABL Member Oli Thordarson, CEO of Alvaka Networks, presented at several of our Healthcare Round Tables steps Members should take to ensure they weren’t next. The solution highest on his list was an admonition to back-up and test a full file system, and restore it, frequently. In more recent months, Oli has shared that cybercriminals who used to attack ISPs randomly, now are getting smarter and going after accounts where the owners are likely to pay high ransoms – specifically healthcare providers, in lieu of closing down like the doctors in Michigan, or having to pay the government high fines for HIPAA violations, as we’ll address later.

Third – Dealing with Insiders’ Human Errors. 

On March 17th TechCrunch broke a story headlined “A Huge Trove of Medical Records and Prescriptions Found Exposed.” The story, later picked up by a raft of HIPAA, cybersecurity, tech, and healthcare journals, went on to report that Meditab, a smaller EMR vendor that has a subsidiary in Puerto Rico – MedPharm Services, which processes electronic faxes for healthcare providers, had an exposed fax server. The “leaky server” was discovered by SpiderSilk, a Dubai-based cybersecurity firm, that apparently went straight to the media to share that the server was unencrypted, and since it had no password, “anyone could read the transmitted faxes in real-time – including their contents.” 

This could be a serious HIPAA violation – and expensive. According to HHS, in 2018 their Office of Civil Rights settled ten cases and secured one judgment, totaling $28.7 million – including the single largest individual HIPAA settlement in history: $16 million with Anthem.

Among the journals covering the story, in TechRadar.Pro, Katie Burnell, wrote How to detect and defend against insider threats, since “insiders” are persistent threats to any organization’s cybersecurity. Of the three groups of threatening insiders, the first are malicious users who use their access privileges to intentionally harm their organizations – they’re roughly 23% of the miscreants. The next are compromised users, who’ve had their credential stolen or abused by nefarious sources – they’re about 13%. That leaves 64% who are negligent users, not intending to cause harm, but who accidentally click on the Trojan attachment, download, or video. And, the best way to eradicate this last group is to educate, educate, educate.

It’s said that when Andy Slavitt was Acting CMS Administrator, he drilled and trained all the employees constantly with phony phishing attempts, to ensure they wouldn’t jeopardize healthcare.gov, and other critical government sites. Ironically, some really great cyberattack precautions were offered by Angel Marrero, the General Counsel at Meditab and MedPharm Services, who said – after their errant fax server “was taken down immediately following their notification of the flaw,” that they’d be:

• Conducting a security check of all servers
• Having additional penetration testing as a part of their server deployment, and
• Implementing a bug bounty program to report flaws directly

Wonder if SpiderSilk will be participating in that?

What would be your solutions to some of these dilemmas facing physicians today?

by Mimi Grant, President, Adaptive Business Leaders (ABL) Organization – Round Tables and Events for CEOs of Healthcare and Technology Companies