The Coalfire Blog

What We Learned at HIMSS12

March 16, 2012, Andrew Hicks, Managing Principal, Coalfire

A few weeks ago, more than 35,000 healthcare IT professionals and 1,100 exhibitors converged on Las Vegas. Some were there to shop for "HIT," or health information technology; others were there to sell it. IT professionals from across the healthcare spectrum came to meet with each other and with regulators, and to stay abreast of the rapid technological changes in the healthcare industry. It was an overwhelming event, a flood of information. Now that a couple of weeks have passed, here are a few of the HIMSS12 highlights:

Our U.S. Healthcare System is Ailing

Spending on healthcare is 8 percent of the U.S. economy – $2.6 TRILLION – but all this spending is not producing the best outcomes when we compare the USA to other countries. According to one speaker, we rank 4th from the bottom for "premature mortality." The countries worse than us include Hungary, Mexico, and Russia; everyone else is better. We top the charts in costly medical procedures such as knee replacements and pay 60 percent more for pharmaceuticals than many citizens in the EU. Another speaker noted that over 100,000 deaths occur annually in the U.S. from medical errors and inefficiencies – "equivalent to 781 Boeing 737s crashing each year."

Information Technology is a Laggard in Healthcare

With so few medical records in electronic form, and even fewer shared electronically among healthcare providers, it is not surprising that patients are often treated inefficiently by caregivers who have incomplete knowledge of their medical history and condition, or who lack access to that information when the patient needs it most. One speaker noted that 18 percent of medical errors are due to inadequate availability of patient information, and that 1 out of every 131 deaths of ambulatory patients was caused by medication errors. Unlike in many other industries, having the right information at the right time may save your life, or at least save you money.

Cloud Computing 

The most popular topic at HIMSS12 was cloud computing. The exhibitor floors were loaded with cloud providers touting infrastructure, platform, and software as a service offerings. For many healthcare administrators, this is a challenging leap into the unknown. The challenges include rapidly evolving virtualization technology, regulatory compliance requirements for security and privacy, and practical issues around contracting with cloud providers, supporting the exchange of information, implementation, and potentially de-implementation (some marriages end in divorce). Moving from a paper-based model or a closed network to one with the transparency of the cloud requires a well-designed service to protect and safeguard patient and health data. Cloud providers must be able to demonstrate that the environment they create for you can protect individually identifiable health information (HIPAA), cardholder data (PCI), and anything else in their customers' regulatory landscape.

Mobile Computing and mHealth

The growing use of mobile devices such as smartphones and tablet PCs was clearly on the minds of attendees. The impact of consumerization is that healthcare organizations would like to practice BYOD – bring your own device – and continue to serve their patients through those channels. Security concerns were front and center as vendors presented their solutions and a number of speakers discussed how their organizations ensured the security of their mobile device deployments. mHealth is broader than just a communication channel. One speaker defined it as "… the delivery, facilitation, and management of health-related information via mobile tools including cell phones, tablets, sensors, monitors, and wireless infrastructure in general." From a security perspective it is perhaps a distinction without a difference: it all needs to be hacker-proof.

The Carrot - Government Electronic Health Record Incentive Programs

Eligible hospitals and healthcare providers are pursuing "meaningful use" of health information technology under the CMS EHR incentive programs. Awards under Stage 1 as of 1/31/2012 totaled about $3.1 billion. The migration to electronic medical records is slower than the U.S. Department of Health and Human Services would like, but it is nevertheless underway and deemed unstoppable. There was buzz, buzz, buzz about Stage 2 of meaningful use. This 455-page document was released for comment on the last day of the event. In short, it raises the HIT bar and moves participants toward increased usage of EHRs, interoperability, and timely electronic sharing of the patient's data. The same is true from a security perspective – Stages 2 and 3 are expected to raise the bar on security requirements above the HIPAA floor of protection.

The Stick - Enforcement

Healthcare providers that choose to stay on paper medical records instead of implementing an electronic health record software package will see their Medicare and Medicaid reimbursements cut back starting after 2015. Additionally, judging from Leon Rodriguez's presentation (he's the HIPAA enforcer in the HHS' Office of Civil Rights), enforcement of HIPAA's privacy and security rules is on the increase. His office is setting up the HIPAA compliance audit program and has already completed the first 20 of 150 audits planned for completion by the end of 2012. He emphasized that these audits are not meant to 'nail' organizations; rather, they are meant to make sure the compliance program is well designed and to clarify HIPAA where it appears to be misunderstood.

Leon commented that when they investigate breaches, one of the first things they look at is the 'risk analysis' and the training program. He finds that often neither has happened, and he plans for the enforcement program to focus on root causes such as these. Per Mr. Rodriguez, avoiding monetary penalties starts with seeking compliance and making it part of the organization's culture. It's a reminder that the HIPAA Security Rule's first implementation specification is 'Risk Analysis' and … covered entities are either not doing it (Leon Rodriguez) or, more often than not, doing it wrong (Coalfire's opinion).

Government-Mandated Healthcare

With healthcare reform requiring all individuals to purchase health insurance, some spoke of their concern that the additional patients could put extra strain on an already stressed healthcare system. Many healthcare providers are cutting budgets and were already concerned about the costs of Health IT implementations and IT security. We heard worry about adding many more patients to this overburdened system without adding the revenue to support it. There is also significant uncertainty around the impact of the Supreme Court's pending decision on whether the "individual mandate" to purchase health insurance is unconstitutional. The decision is expected sometime this summer.

Interoperability of Health IT

The next biggest trend to come out of HIMSS12 concerns how CIOs and IT administrators can fully optimize performance while getting value from their existing systems. The ability of the old healthcare system to work in conjunction with the new model, without any special effort on the part of the consumer, is still an open question hovering over the rising demands on healthcare.

The demand for timely patient data across multiple sites raises the risk of degrading the performance and functionality of existing information systems. The Ambulatory HIE Toolkit was one of many tools released to improve the interoperability of health IT. This new resource provides comprehensive Health Information Exchange education for ambulatory and physician office practice professionals, and it is an important aid to these practices as the role of IT in HIE expands and they work to deliver more effective and efficient care to their patients. MedAllies, along with other health IT vendors, demonstrated what they believed was the best approach to this issue during the Interoperability Showcase.

There is plenty to digest from HIMSS12 and much to unfold. The wave of change is starting and we can only hope that when it breaks, things run smoothly.

The Last Speaker on the Last Day

If you missed Dan Buettner's talk about "Blue Zones" – the last session on the last day – you missed out. Dan cut to the chase and presented what he and his team learned about living longer and healthier lives by studying the world's longest-living people, who live in the five Blue Zones around the world. He's the author of a New York Times best-selling book entitled "The Blue Zones: Lessons for Living Longer from the People Who've Lived the Longest." He went through the 9 secrets of living longer (and they're not so secret). It's a shame that by this point, 33,000 of those 35,000 attendees had gone home and missed out on the secrets of living longer.

The Last Laugh

Consider that pumpkin to be the vast data stores that are now being digitized … and the pumpkin pie to be the desired result – organizing that data into something beneficial and useful, which was shared immediately after the picture was taken. I thought it was a great way to explain 'meaningful use'!

What did you think?

If you were at HIMSS12 and would like to add to what you saw or heard at the show, please feel free to let us know your thoughts in the comments section below.

Ron Frechette

Very well written!!!! Thanks for all you do for Coalfire!!

4/16/2012 8:17:01 PM