Your phone-to-phone text messages are protected from prying eyes by a decades-old cipher that is full of holes and is broken routinely. So is your location, any time your phone is turned on. And it isn't just the phone companies, or law enforcement with $50,000 network-sniffing devices, who can listen in; it's hackers with $15 cell phones and a laptop. In a demonstration at the Chaos Computer Club (CCC) Congress a few days ago, a couple of seasoned pros gave the assembled hackers a step-by-step tutorial.
But wait, you say, how come hackers aren't cracking the phone companies' SIM card codes so I can do stuff like, say, run an iPhone on my Sprint account? Well, that's because the phone companies are using much tougher encryption to lock in their revenues than to secure your private information. “There is one key used for communication between the operators and the SIM card that is very well protected, because that protects their monetary interest,” says Security Research Labs researcher Karsten Nohl. “The other key is less well protected, because it only protects your private data.”
The problem stems from laziness. The carriers could make two or three changes to tighten things up at almost no effort, the first being simply to follow industry standards that have been on the books for years. The constant "Are you there?" housekeeping messages the network sends to your phone are padded with fixed, predictable filler bytes instead of the random data the standard allows; filler whose content an eavesdropper already knows amounts to known plaintext against the session key, and it makes it easy to find you and to tie a phone to a specific stream of traffic. There is no excuse whatsoever for that negligence. The second step might require a bit more programming: stop reusing the same session key over and over across calls and messages. A key recovered once then unlocks everything sent under it, and a hacker can run through a handful of keys and quickly tap into your session. The fix would probably take a programmer a couple of days and cost your phone company a whopping few hundred bucks. Multiplied across several carriers, the astronomical price of securing hundreds of millions of phones, yours, mine and everybody else's, would run to a few thousand dollars.
Okay, maybe that's a low-ball. Check out the article at ars technica.
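To make the two complaints concrete, here is a toy model of both weaknesses in working code. It is an added example, not code from the post or from the CCC talk: the cipher is a SHA-256 counter-mode stream cipher with a deliberately tiny 16-bit key (an assumption chosen so the exhaustive search finishes in a second or two; real A5/1 uses a 64-bit Kc, and the talk's attack uses precomputed tables rather than brute force). The 23-octet frame and the 0x2B fill byte do follow GSM layer-2 (LAPDm) conventions; the message payloads are constructed samples, not real protocol data units.

```python
"""
Toy model of two carrier-side weaknesses: predictable padding that hands an
eavesdropper known plaintext, and a session key reused from one session to
the next. Added example; not A5/1 and not the CCC talk's code.
"""
import hashlib
import os
from typing import Dict, Optional

FRAME_LEN = 23   # octets in one LAPDm frame
FILL = 0x2B      # the standard fill octet: fixed, and therefore known plaintext
KEY_BITS = 16    # toy key size (assumption); A5/1's Kc is 64 bits


def keystream(key: int, frame_no: int, n: int) -> bytes:
    """Keystream for one frame: a SHA-256 counter-mode stand-in for A5/1.
    Like A5/1, the output depends on both the session key and the frame number."""
    out = bytearray()
    block = 0
    while len(out) < n:
        out += hashlib.sha256(
            key.to_bytes(8, "big") + frame_no.to_bytes(4, "big") + block.to_bytes(4, "big")
        ).digest()
        block += 1
    return bytes(out[:n])


def build_frame(payload: bytes, random_padding: bool = False) -> bytes:
    """Pad a signalling payload to FRAME_LEN: fixed 0x2B fill (as deployed) or
    random fill (what the standard has permitted for years)."""
    if len(payload) > FRAME_LEN:
        raise ValueError("payload does not fit in one frame")
    pad_len = FRAME_LEN - len(payload)
    pad = os.urandom(pad_len) if random_padding else bytes([FILL]) * pad_len
    return payload + pad


def encrypt_frame(key: int, frame_no: int, frame: bytes) -> bytes:
    """XOR the frame with the keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(frame, keystream(key, frame_no, len(frame))))


decrypt_frame = encrypt_frame


def crack_key(ciphertext: bytes, frame_no: int, known_pad_len: int) -> Optional[int]:
    """Eavesdropper: the last known_pad_len octets must decrypt to 0x2B, so try
    every key and keep the one that makes them do so. With random padding there
    is nothing to test against and the search comes up empty."""
    if not 0 < known_pad_len <= len(ciphertext):
        raise ValueError("known_pad_len must cover part of the frame")
    expected = bytes([FILL]) * known_pad_len
    for candidate in range(1 << KEY_BITS):
        ks = keystream(candidate, frame_no, len(ciphertext))
        tail = bytes(c ^ k for c, k in zip(ciphertext[-known_pad_len:], ks[-known_pad_len:]))
        if tail == expected:
            return candidate
    return None


def demo(session_key: int, random_padding: bool) -> Dict[str, object]:
    """One captured session: a short housekeeping message, then a later text
    message sent under the SAME session key (the reuse the post complains about)."""
    housekeeping = b"\x06\x21\x00\x08"   # constructed sample, not a real paging PDU
    text_message = b"meet at 9"          # constructed sample
    c1 = encrypt_frame(session_key, 1000, build_frame(housekeeping, random_padding))
    c2 = encrypt_frame(session_key, 2000, build_frame(text_message, random_padding))
    recovered = crack_key(c1, 1000, FRAME_LEN - len(housekeeping))
    leaked = decrypt_frame(recovered, 2000, c2) if recovered is not None else None
    return {"recovered_key": recovered, "leaked_text": leaked}


if __name__ == "__main__":
    print("fixed padding, reused key:", demo(0x1234, random_padding=False))
    print("random padding           :", demo(0x1234, random_padding=True))
```

With fixed padding the first frame gives away the key and the second frame, a later message under the reused key, reads in the clear; with random padding the same search finds nothing. Either fix on its own blunts the attack, which is the point of the post: randomizing the filler removes the known plaintext, and rotating keys limits what a recovered key is worth.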
December 31, 2010
December 17, 2010
Marketing: Top 5 Web Trends for 2011
Even in this economy, price competition isn't the answer. It can eviscerate the bottom line, and associates our brand with bottom feeders. Instead, in 2011 marketers will be learning to give something else to our prospects and customers. Social media, content push, convergence, social objects and service -- these five emerging trends are covered in an article on OpenForum.com, and I hope you'll read it. But here's the gist:
- Social Media. No, it's not Socialism. Yet. But the communities aggregated by Facebook are the 2011 equivalent of proletariat power. No longer are our gripes and kudos heard by only a few co-workers in the lunchroom, but by hundreds or thousands of our closest friends. And their closest friends. And their closest friends. B2B and B2C marketers are both learning the power of chatter. While waiting for the curtain to rise at a recent entertainment event, audience members all seemed to sort-of know one another. In clusters around the room, it became clear that almost all 150 or so attendees had responded to a Facebook invitation.
- Content Still Rules, but... We've all learned that developing rich online content is key to getting traffic and building credibility with our market. But much of that content just sits there. We've done the Email Newsletter thing, to push content out to our community. Tweets are the next step, using brief and much more frequent touches to keep our customers and prospects close. And tweets don't get your email domain blacklisted.
- Converge and Hybridize. There's the web site. And then there's the Facebook page. It's time to pull them together in a seamless environment that makes interaction integral to the web experience of all your visitors. And it's more than just putting an F button on your home page. (What? You still don't have an F button on your home page?)
- Widgets and Web Tools and Mascots - Oh, My! They're called social objects -- little bundles of clever or cute or useful that get picked up and sent around and pinned to other people's pages. Maybe it's a relevant cartoon or really funky-looking lolcat, or a widget that lets your visitors grab a chunk of your content for their own site or Facebook page. The point is to get other people giving your stuff away for you, just like the sample lady at the grocery store. Only for free; once you've covered development costs, that is.
- Serving is the New Selling. I can remember the exact day that I decided to start giving extreme customer service. It was just after I'd had a great customer service experience myself, with a vendor that made such an impression on me that I've stuck with them ever since -- three years now. It costs me absolutely nothing to make every customer feel smart, attractive, rich, famous and wanted. The actual content of a service event does use up a little more time, and sometimes I even make a follow-up call (which really blows their minds). But the first result is that I love doing it, and service events have become a true joy, and the ultimate result is that the bottom line proves that it works for the customers, too. Now, instead of spending time calling on leads, I spend my time with customers -- including the ones who are just downloading the freebies or have questions. I still have to get the word out, of course, but I can put more resources into direct mail and web advertising designed just to start a conversation. We're entering an age of smarter selling that's all about creating relevance and utility for our prospects and customers, and we're leaving the age of selling "lifestyles." Now, when we get that first contact, we have to listen for the person's existing patterns, to learn how we can help them get more value from the way they are already doing business, or living their lives. It's not about generating warm fuzzies, but about delivering real value -- the stuff that our price-competing competitors don't have any of.
November 22, 2010
Again: Why Is It You Don't Protect My Health Data?
Why do health plans and providers refuse to secure sensitive data when encrypting it costs nothing at all?
According to a study out of HHS that tracks healthcare data breaches, laptop computer theft was the most prevalent cause of data theft, involved in 24% of breaches. Desktop computers accounted for 16% of the breaches. Physical security is cited as an issue; had computers been kept behind locked doors, fewer would have been stolen. But that's just silly. You can't be locking and unlocking office doors all day long, and keeping a laptop in a locked room is sort of not the whole point of a portable computer.
So, why wasn't the data encrypted? "Ah," you say, "Let me explain our reasons: (1) encryption isn't really secure, (2) it costs money and wastes my time, (3) difficult to administer in an organization, and (4) I could be forced to type in my password at gunpoint."
Well, (1), wrong. The encryption is not the weak point; the chances of anyone breaking a modern cipher, let alone the layered cascades these tools offer, are somewhere between zero and non-existent.* What gets broken is the password, and only when it is a bad one. Nobody is going to guess hGRw5k9oBn28 or Let's1andallGo(straight)2Shaneequah'sHouse, even with brute-force cracking software running for years, and, despite what the movies would have you believe, a long passphrase like the second one is easy to remember. ILoveMyCat isn't hard to guess: it is four dictionary words, and it falls to a wordlist in seconds.
And, (2), wrong. Once set up on a laptop, an "encrypted volume" is just like another hard drive, and to use the data on it you simply type in a password when you mount it. No wasted time (oh, well, alright, however long it takes you to type in a handful of characters -- how bad are your keyboarding skills?). The one habit it does demand: the protection only applies while the volume is dismounted, so a laptop stolen while it is powered on with the volume open is no better off than an unencrypted one. Dismount it, or shut the machine down rather than putting it to sleep, before you walk away.
And, (3), wrong. Are you just OK with losing my data, or is work too hard for you? And that old saw about open source software being impossible to administer doesn't apply here. Who cares if an admin can tweak and fiddle with the copies of copies of copies of redundantly off-site backed-up data that some lower-down has on his laptop?
And, (4), wrong again. The fear of being held at gunpoint while you type in the password for a file your attacker can see on your computer is simply a waste of good adrenaline. Modern encryption software provides plausible deniability: the sensitive files are invisible, hidden in a second encrypted volume inside the free space of the first. One password opens the outer volume and reveals some non-sensitive content; another opens the hidden one. Unless the attacker can see inside your head, he doesn't know the data is even there. (Two cautions the software's own documentation gives: writing to the outer volume without hidden-volume protection enabled can overwrite the hidden one, and traces the operating system leaves outside the volume, such as recent-file lists, can give its existence away.)
And it's free. Yup. Free, open source, downloadable, and you can have it on your laptop and running beautifully in minutes. We don't have any connection with the product, but we've been using it for years. It's called TrueCrypt. Setup took all of 15 minutes. Five years ago. (TrueCrypt's developers have since discontinued it; the same approach lives on in successors such as VeraCrypt and in the volume encryption built into current operating systems, and everything above applies to those too.) If you don't use it and you lose my healthcare data, I'm going to be really ticked.
Okay, end of rant. Until the next stupid data breach.
*Alright, let's just say that the odds against are so unfavorable that even the most seasoned hackers won't take the bet.
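Point (1) is worth seeing in working code, because it is the one people get backwards. The example below is added here and is not TrueCrypt's code or the post's; it mimics only the shape of a volume header (a random salt, a slow salted key derivation, and a check value that says whether the password was right) using nothing but the Python standard library. Assumptions: PBKDF2-HMAC-SHA512 at 20,000 iterations (kept low so the demo runs in seconds; real tools use far more), a SHA-256 based check value, and a constructed eight-phrase wordlist with a few mangling rules of the kind every cracking tool ships with.

```python
"""
Why the password, not the cipher, is what gets attacked. Added example, not
TrueCrypt code: a stand-in volume header, the legitimate unlock path, a
dictionary attack against it, and a keyspace arithmetic helper.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

ITERATIONS = 20_000   # assumption, kept low for the demo; production tools use far more
SALT_LEN = 16


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Slow, salted key derivation: every guess costs the attacker `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=32)


def create_volume_header(password: str) -> Dict[str, bytes]:
    """Stand-in for a volume header: salt plus a check value derived from the key."""
    salt = os.urandom(SALT_LEN)
    key = derive_key(password, salt)
    return {"salt": salt, "check": hashlib.sha256(b"header-check:" + key).digest()[:8]}


def unlock(header: Dict[str, bytes], password: str) -> Optional[bytes]:
    """What the user does: type the password, get the volume key back (or None)."""
    key = derive_key(password, header["salt"])
    check = hashlib.sha256(b"header-check:" + key).digest()[:8]
    return key if hmac.compare_digest(check, header["check"]) else None


def candidates(wordlist: Iterable[str]) -> Iterable[str]:
    """Cheap mangling rules: joined, CamelCase, upper-case, with common suffixes."""
    for phrase in wordlist:
        words = phrase.split()
        bases = ("".join(words), "".join(w.capitalize() for w in words), "".join(words).upper())
        for base in bases:
            for suffix in ("", "1", "123"):
                yield base + suffix


def dictionary_attack(header: Dict[str, bytes], wordlist: Iterable[str]) -> Optional[str]:
    """Attacker's side: run the wordlist through unlock() until a check value matches."""
    for guess in candidates(wordlist):
        if unlock(header, guess) is not None:
            return guess
    return None


def brute_force_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Time to exhaust a keyspace at a given (KDF-limited) guessing rate."""
    return (alphabet_size ** length) / guesses_per_second / (365 * 24 * 3600)


# Constructed wordlist: the sort of phrases that appear in every leaked-password list.
WORDLIST = ["password", "let me in", "i love you", "qwerty",
            "welcome", "i love my cat", "trust no one", "football"]

if __name__ == "__main__":
    weak = create_volume_header("ILoveMyCat")
    strong = create_volume_header("Let's1andallGo(straight)2Shaneequah'sHouse")
    print("weak   ->", dictionary_attack(weak, WORDLIST))    # recovered
    print("strong ->", dictionary_attack(strong, WORDLIST))  # None
    # 12 random characters from a 62-symbol alphabet at 100,000 guesses per second:
    print("years to exhaust hGRw5k9oBn28-style passwords:", f"{brute_force_years(62, 12, 1e5):.2e}")
```

The dictionary attack recovers ILoveMyCat after a few dozen guesses and never touches the passphrase, because the passphrase is not on any list and the keyspace arithmetic puts exhaustive search at about a billion years even at a generous guessing rate. Note that the KDF iteration count is what sets that rate: the cipher behind the volume never enters into it.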
November 3, 2010
Call for CMS to Release Tax Number Data
The NPI Final Rule called for CMS to establish a system that would assign a National Provider Identifier (NPI) number to essentially every healthcare provider in the U.S. (HIPAA "covered entities"): now more than 3 million providers and growing. Great. But it was years before CMS released that data for the industry to use. CarePrecise personnel were at the forefront even back then, calling for CMS to release the data. If necessary, we were ready to fight for it, filing our own request under the Freedom of Information Act (FOIA). Federal agencies can't keep such kinds of data from the public. It's the law. CMS eventually looked at FOIA, and at their provider data, and decided that, sure enough, they were going to have to release it. We and our clients were ecstatic; now the industry would be able to produce the complex crosswalks necessary to actually achieve the efficiencies promised by the Final Rule.
Hurray... except CMS decided not to release one of the most useful data points of all. A provider's federal tax number is hardly a private number. Businesses have to give their tax number on every imaginable type of transaction. Employees see the employer's number on their W-2s. CMS's excuse was that sole proprietors and pretty much all individual practitioners would have to give their Social Security Number, or that busy doctors might type in the SSN in the wrong spot. Fair enough, but, as everyone who works with data knows, it's a piece of cake to parse a tax number field to determine whether the number is an SSN or a business tax number. In fact, that's exactly what CMS does in the Other ID fields of the NPPES (National Plan and Provider Enumeration System) database, replacing 000-00-0000 with a string of equals signs.
Instead of just redacting the SSNs, CMS decided it was best just to wipe clean the complete Employer Identification Number (EIN) field -- just in case some uppity docs got... uppity. Many of us have been hoping that CMS would revisit the issue of this gaping hole in the provider data, but it seems that the issue is to be ignored so that it will just go away.
So, here we are, once again, years into it, asking CMS to release non-SSN tax numbers/EINs so that we -- health systems and health plans large and small, clearinghouses, HIT vendors, medical billing and coding vendors -- can make this data do what it was intended to do for healthcare and for the taxpayers.
November 2, 2010
Federal Physician Comparison Website Coming
CMS has until January 1 to create the new PhysicianCompare.hhs.gov site, intended to make it possible to look up info on your doctor and compare her quality to that of others. Like HospitalCompare.hhs.gov, launched recently, the notion is that these sites will create the incentive for providers to give better care, ultimately helping to control healthcare costs. As required by the Affordable Care Act, CMS has two years to get the site serving up quality data on docs.
Not only must quality data be available to help patients make smarter healthcare purchasing decisions, but the Act requires that the site help physicians to actively use the information to improve quality.
At a five-hour-long Town Hall last week, CMS gathered doctors, hospitals, employers and anyone else who wanted to participate with the goal of getting input on what the site should contain. The outspoken participants told them, among many other things:
- Physician's sex, race and age
- Languages spoken
- Office hours
- Medical degrees and schools
- Hospitals where they have privileges
- How long in practice
- Health networks they belong to
- Awards received
- Community service work/care for the poor
And here's a big one: Should physicians' charges be disclosed? How can you make a value decision without prices? Doctors who charge more might offer additional services; what about house calls, or no-wait appointments, or a Personal Health Record (PHR) portal -- should this information be available?
Naturally, the AMA is pushing back a bit. AMA president James Rohack, M.D. told HealthLeaders Media last week that the AMA's concern is that "individual doctor-level data right now is not ready for prime time, especially in complex situations. The attribution of who's really responsible for that care is not worked out." Dr. Rohack said that doctors aren't particularly afraid of being graded: "The reason we became doctors was because we got good grades."
These and many more questions remain to be resolved even before determining exactly what data will be collected -- a step that is mandated to begin in January of 2012. But pulling away the veil of mystery surrounding the work of the physician is long overdue and worthy of the gargantuan task facing CMS. Unless a wing nut Congress repeals or guts the law within the next two years, we will finally be able to look under the hood before making some of the most important and most costly buying decisions of our lives.
October 22, 2010
Clinical Terminology Dictionary to be Available
Kaiser Permanente announced a few weeks ago that its 75,000-term clinical terminology database, the Convergent Medical Terminology dictionary (CMT), is to become freely available through HHS. With mappings to other clinical vocabularies, including SNOMED CT, the database links to ICD-9, ICD-10 and other code sets. Many millions of dollars and 16 years in development, the CMT will be freely distributed by the Department of Health and Human Services. Watch here for more information as the dictionary becomes available.
October 19, 2010
Three More EHRs Make the Certified List
Three more electronic health record products have received certification under the federal program: RxNT EHR from Networking Technology, PrimeSUITE 2011 from Greenway Medical Technologies, and a system designed for use in behavioral health, the Avatar 2011 from Netsmart Technology.
PHR-Lite for Medicare Members
The Centers for Medicare and Medicaid Services has launched a new "Blue Button" feature on its MyMedicare.gov website. The app makes it possible for the 47 million Medicare members to access, print or download specific medical information. "Having ready access to personal health information from Medicare claims can help beneficiaries understand their medical history and partner more effectively with providers," the agency says. Having access to Medicare claims means having access to a virtually complete record of your healthcare incidents, the next-best thing to a personal health record (PHR), and it's updated for you by the government. Sweet!
October 18, 2010
Website Compares Hospital Quality
The Commonwealth Fund just launched WhyNotTheBest.org, described as "a free resource for health care professionals interested in tracking performance on various measures of health care quality." Basically, you select some hospitals, choose some measures, and view the report. My first report (see the graphic) showed me that my local major hospitals fell somewhat below the national Top 10 bar, but scored rather well overall. My graphic here shows only an abbreviation of the actual report, which is downloadable in Excel or PDF format.
The site includes measures of hospital quality from the Centers for Medicare and Medicaid Services website, Hospital Compare. The data will be updated quarterly. Nearly all U.S. hospitals are included, over 4,500.
Oops: EHR Final Rule Gaffe
If you downloaded the EHR vendor guides from the Office of the National Coordinator for Health IT (ONC), you'll want to download the fixes. The original releases did not include technical descriptions to enable electronic health records to exchange symptom surveillance data. They were “adopted in error” in the final rule for the initial standard for electronic health records, says ONC. As a result of numerous complaints since the flawed rule's release in July, an interim final rule "fix" has now been published in the October 13 Federal Register, to take effect November 12.
What's the flap all about? The rule didn't cover enabling EHR users to “electronically record, modify, retrieve and submit syndrome-based public health surveillance information,” according to language in the interim final rule, stating that the "purpose is to facilitate the electronic exchange of de-identified nationally notifiable conditions." The spec gave public health agencies methodology for reporting conditions, but no guidance on designing EHRs that could meet the standard.
If you liked the final rule, you're gonna love the sequel! Get the interim final rule here.
October 14, 2010
Physician Shortage Predicted To Grow Dramatically
Association of American Medical Colleges (AAMC) projections indicate a shortage of 62,900 physicians in five years and 91,500 by 2020. The AAMC's projections, larger than earlier estimates, were pinned on growing healthcare demand from the boomer generation and expansion of coverage as a result of federal health reform measures. (All I know is I still can't afford health insurance under the current system. Too few doctors will be better than no doctor at all.) Read the AAMC report.
Ingenix Buys Even Deeper Provider Position
Nobody much thinks of Ingenix as a provider-centric company. As one of the cleverest helpmates to the payer side, providers might wonder at the company's sincerity in the provider vendor space. But a look at recent Ingenix acquisitions over recent months reveals a striking shift. Acquiring four companies serving the provider health IT market, Ingenix further expanded a portfolio that has been growing more provider-side for over a year now. The company claims that about 50% of its revenue now comes from the provider market, making it a significant provider vendor, despite its ownership by UnitedHealth Group. The recent acquisitions include A-Life Medical, Picis, Axolotl and Executive Health Resources. Over the past year, QualityMetric and CareMedic fell under the Ingenix umbrella. SaaS-based ambulatory EMR vendor LighthouseMD, now marketed as CareTracker, was purchased in 2007.
October 13, 2010
Marketing: Coupons For Healthcare
Healthcare providers are getting into social marketing, using newer electronic content forms to reach new patients. For their part, consumers don't see much of a problem cashing in a coupon with an unknown provider, at least for some types of procedure.
Responding to a promotion for optometrist and optician services, one customer says that "The timing was right so I jumped on it," referring to an offer through Groupon, a daily coupon emailed to tens of thousands of people in the Baltimore region and millions more nationwide. "I'd be more cautious about laser surgery or hair removal. That would take more research. But this worked out..." Groupon's "Deal of the Day" targets consumers who sign up for the daily offers, which tend to promote restaurants, hotels, spas, and the like. But healthcare providers are gradually learning to use the new promotional venue, and with good results reported so far. I myself wear glasses -- glasses that I purchased through a coupon from a provider I had never visited before. Read an article in the Baltimore Sun...
October 11, 2010
$727 Million to Health Centers
The Washington Post reports that the Obama administration announced $727 million from HHS will go to community health centers nationwide to build new medical clinics and bring technology in older clinics up to speed. This is in addition to the more than $2 billion already allocated to health centers from stimulus funds.
October 8, 2010
New Web-based Tool Improves Chronic Care
Say you're a physician caring for diabetes and heart disease patients. Would you like to have a tireless chronic care expert elf poring over your patients' records every night, comparing their care with evidence-based practices, looking for things you might not notice? Kaiser Permanente's lead author of an American Journal of Managed Care study, Adrianne Feldstein, MD, thinks maybe you should. "Patients in the U.S. receive only about half of the preventive and follow-up care now recommended by national guidelines," says Dr. Feldstein. A new web-based Panel Support Tool (PST) extracts information from the electronic medical record and compares it to care recommended by national guidelines. Read the article in Healthcare IT News.
Software List Released by Feds
The Office of the National Coordinator (of health information technology transformation) has released the first list of certified EHR systems. “Only those EHR technologies appearing on [our list] may be granted the reporting number that will be accepted by CMS for purposes of attestation under the EHR incentive program,” says the federal office in charge of certifying electronic health record systems. What does the wonk-speak mean? Only the listed EHRs will qualify physicians and other healthcare providers for Medicare and Medicaid incentives under the HITECH act - worth substantial reimbursement boosts to providers who have installed the systems. Not on the list = no bonus bucks. The certified EHR products are listed here.
Primary Care Providers' Role in Mental Health Increases
Reaching the mental healthcare provider may mean casting a wider net. The Center for American Progress published a study last month finding that more than 50% of patients treated for a mental illness are being treated for part of their condition by a primary care provider. The study, reported by the Associated Press, shows that more than a third of mentally ill patients in the health system are going only to primary care providers. Read the article...