What’s Inside Health IT?


Health information technology is more talked about than really understood. Part of the reason for this is that providers and their staffs usually interact with a restricted subset of health IT – the Electronic Health Record (EHR), the radiology imaging system, the billing system, and so forth. Only the organization’s IT staff and Chief Technology Officer (CTO) are in a position to see the big picture. Even they may not see all of it. This blog post tries to cover at least the larger components of Health IT.

What’s The Most Important Piece?
The EHR is arguably the central component. In an ideal system, all the information a provider or patient wants, from demographic information to lab results to radiological images to records of office visits, should be there. Making the EHR the centerpiece is one way to avoid “siloing” of information that makes research and analysis difficult or impossible. If the EHR is complete, every other component (statistical reporting, radiology, billing, appointment scheduling, and lab results) is present and can be used to drive other systems.
This, of course, is an ideal situation. One barrier to accomplishing this is money. Putting in a new EHR system can cost a lot. Recent figures for installation are around $33,000 per full-time physician. Maintenance runs $1,500 per month per full-time physician. A hospital system with 500 physicians is looking at a minimum of around $17 million for initial installation and around $9 million for annual maintenance.
If the system is hosted in the cloud, storage, input, and “egress” fees (sending data to the providers for use from data stored in the cloud) have to be considered. Cloud hosting can run around $165 per “seat” per month, where “seat” is a computer linked to the cloud. Assuming an employment of 3,000, this will run around six million dollars per year. But cloud hosting may well be cheaper than buying and maintaining hardware and paying a large IT staff. Cloud hosting also offers better security and offloads a lot of IT headaches.
What Are Some Other Components?
There will be radiology and lab subsystems, at least, plus billing and accounting. How tightly these are integrated into the EHR system and the cloud will vary. Analytical systems may include big data handling and artificial intelligence. Of course, if a physician is a hospital employee or a member of an affiliated group, it makes sense for their in-office IT systems to be integrated with, or be part of, the hospital IT operation.
What’s So Great About AI?
Artificial intelligence (AI) is still in its infancy. Studies have shown that AI systems are better at reading radiology imagery than human radiologists, and of course better at catching prescription errors and medication conflicts. But many legal questions, particularly about liability, remain unanswered. In addition, AI is intelligent only within a limited sphere. It will be far into the future before AI is able to display the kind of general intelligence that a human physician can bring to a patient.
What AI is good for now is dealing with well-defined tasks and helping to narrow down the “unknown unknowns” – interactions, sources of error, and opportunities for improvement that humans would never have suspected. Its principal role in the near term most likely will be relieving the “cognitive overload” that all physicians, no matter how narrow their specialty, have to deal with.
What Are Patient Portals?
Patient portals are interfaces, usually web-based, that allow patients to see their lab results, talk to their providers, make appointments online, find providers, and do other things that patients would normally do over the phone. If properly designed and implemented, they can have a major impact on operational efficiency and patient satisfaction. On the other hand, a patient portal that is too complex and too clunky to be easily used can drive patients away.
What Are The Incentives For Using All This Stuff?
The Affordable Care Act (ACA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) provide billions of dollars for providers who implement EHR and other health IT systems and “meaningfully” use them. They are a de facto requirement for any provider that receives Federal funds, which is virtually all of them.
What Are The Downsides?
The biggest one, of course, is the expense. Even though it is large, it may well be cheaper than maintaining one’s own equipment and IT staff. It also permits renting out a lot of headaches. The downside is that, for HIPAA purposes, one has to devote as much attention to the vendor’s security practices as to one’s own. Also, system modifications and customizations necessarily involve the vendor’s staff and consulting services, which may be very extensive.
And, of course, there is training. This is not so much expensive as extensive. The example of one Pennsylvania health system that changed EHR systems three times in one year probably represents an extreme outlier, and training the entire staff three times in one year was no doubt a task worthy of being avoided if at all possible.
Finally, if the organization is moving from primarily paper-based systems to health IT, the organization’s culture needs to be adjusted, and the transition may be wrenching. Still, the advantages of health IT outweigh the disadvantages, and all providers should be making the switch as soon as possible.

Facebook Data Breach


Are you aware of a potentially serious data breach involving Facebook? 
According to many top news outlets, 50 million user accounts may have been impacted, and Facebook now faces potentially huge fines in the EU.
Read more at https://www.theguardian.com/technology/2018/oct/03/facebook-data-breach-latest-fine-investigation.

Need steps to protect your Facebook account? Here’s an interesting article containing steps to protect your personal information and security. https://www.experian.com/blogs/ask-experian/facebook-data-breach-how-to-protect-yourself/
We are continuing to follow this news and will update more on our blog as we learn more.

Playing in the Digital Highway: Improperly Secured Data Puts Students At Risk


When you think of cybersecurity, protecting credit card numbers or government files might come to mind, but your students’ PII (Personally Identifying Information) is a target for hackers, too.

Young people make great targets because they’re a clean slate. They’re not using their identities to get a mortgage or credit card or anything, so no one is checking up on them. They also have a tremendous amount of personal information being shared – including medical, mental health, contact information, and performance evaluations in academia and sports or the arts – and it’s being saved in various, often poorly secured, locations. And finally, but perhaps of the highest utility to hackers, children are great targets because people will do ANYTHING to protect them.
It CAN Happen Here
If you’re thinking to yourself that you live in a quiet small town with no crime, no draw for a terrorist plot, think again. Yours might be the ideal spot to stage a crime like this. Look to a small Montana school district, Columbia Falls, in Flathead County. Home to nearly 16,000 students, the district’s parents and administrators received text messages and a seven-page letter containing threats, repeated references to Sandy Hook, creepy quotes, and a claim that the FBI could not help anyone.
Hackers generally don’t target specific cities, but instead are constantly searching for vulnerabilities wherever they may occur, security experts said. “The trick about ransomware right now is that it’s typically not a targeted, focused attack,” said Christopher Krebs, a senior official at the Department of Homeland Security, at a recent mayors’ conference in Boston. “You’re not special.” Source: WSJ
This came seemingly from nowhere, but as the extortionists explained, the choice was deliberate: the district had vulnerabilities that made it easy to gain access to confidential files. With all of the other concerns that educators have, it can be easy to overlook securing digital information properly. You may not even understand the threats that exist, and it’s hard to find qualified Information Technology professionals willing to stick it out for the comparatively low salaries school districts offer.
2017 Cyber Terrorism Attacks
A recent FBI briefing regarding attacks across the country at multiple school districts describes a terrifying ordeal: people all over the district awoke to find text messages informing them that their students’ information was up for ransom. Hackers had taken advantage of vulnerabilities in web-facing district servers to extract student PII (Personally Identifying Information). Victims received physical threats and were told that this information would be used for bad ends unless the district paid a ransom.
The extracted information included:

Parent, guardian, and student phone numbers
Education plans
Homework assignments
Medical records
Counselor reports
Grades or other testing records

The hackers also demanded their ransoms in cryptocurrency, making it hard for local authorities to follow the trail (for now).
How Is PII Being Used?
PII can be used to forge false online identities, to launder money or get bad actors into the country. And once the information is out there, how do you safely get the genie back into the bottle? A child’s entire future (financial, academic) or even their physical safety is under threat if their identifying information ends up sold to bad actors. When you hold transcripts, grades, and achievements for ransom, you’re waving the flag at a future that’s quickly disappearing into the distance. Prevention is best. So where are your areas of vulnerability, and how can you shore them up?
Common Vulnerabilities
Phishing Scams
These are communications from supposedly friendly senders meant to entice you to open an email, text message, or other message, or to click on a link. A “social engineering” hack, phishing attacks are meant to gather confidential or personal information. Make sure graphics look normal, hover over links to read their description, and check for any suspicious formatting or wording.
Phishing attacks can also come by phone. Do not give confidential information over the phone to someone who has called you first. Instead, agree to call the company back from the number that you have in your records. Don’t just click “ok” on an unexpected pop-up.
Non-school devices – your network should be configured to recognize new devices.

Educational apps that store student identifying information
Carefully read through privacy and security information from new software or EdTech websites.
Improperly shared or stored PII
Make sure everything is encrypted and password-protected.
Ignorant or non-compliant personnel – not updating software, not checking edtech vendors out, not understanding what looks or is suspicious, not reporting suspicious activities.

Below is a list of cybersecurity measures you can take:

Research privacy acts like FERPA, COPPA, and the PPRA as well as any state laws regarding privacy and educate staff and faculty so that everyone understands what is expected of educators and vendors of EdTech services.
Do a survey of teachers, librarians and IT staff to see what software is being used in the school, and what information is being collected. It might be helpful to see all-in-one reports on how much information is being collected, and how many different services are collecting it.

Bonus: if anything happens, you know where leaks may have come from.

If parents want more specific information about these services, you’ll be able to tell them what services or websites their child’s teachers use.

Review the privacy policies of EdTech companies that are being used in your district.
Check for vulnerabilities in your data storage procedures.

Are you updating software when you’re supposed to?

Does everyone have their own passwords to get into high-value/confidential data storage locations?
Do you have a plan for how to react to a breach?

Research school-related cyber breaches.
Back up important data.
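The software survey described above can be turned into the kind of all-in-one report the list mentions. The following is an added example, not part of the original post; the service names, staff names, and field labels are constructed for illustration, and the record layout is an assumption about how a district might capture survey answers.

```python
from collections import defaultdict

# Constructed survey results: one record per service reported by staff.
# Every name and field label below is made up for illustration.
SURVEY = [
    {"service": "ReadingApp", "used_by": ["Ms. Alvarez", "Mr. Chen"],
     "fields": {"name", "grades"}, "policy_reviewed": True},
    {"service": "NurseLog", "used_by": ["School Nurse"],
     "fields": {"name", "medical records", "parent phone"},
     "policy_reviewed": False},
    {"service": "HomeworkHub", "used_by": ["Mr. Chen"],
     "fields": {"name", "homework", "grades", "parent phone"},
     "policy_reviewed": True},
    {"service": "CounselNotes", "used_by": ["Counselor"],
     "fields": {"name", "counselor reports", "medical records"},
     "policy_reviewed": False},
]


def normalise(field):
    """Make field labels comparable regardless of case or stray spaces."""
    return field.strip().lower()


def collection_report(survey):
    """Map each data field to the sorted list of services that collect it."""
    report = defaultdict(set)
    for record in survey:
        for field in record["fields"]:
            report[normalise(field)].add(record["service"])
    return {field: sorted(names) for field, names in sorted(report.items())}


def services_for_teacher(survey, teacher):
    """Answer a parent's question: which services does this teacher use?"""
    return sorted(r["service"] for r in survey if teacher in r["used_by"])


def possible_leak_sources(survey, leaked_fields):
    """Services that hold every leaked field: the first places to check."""
    wanted = {normalise(f) for f in leaked_fields}
    if not wanted:
        return []  # nothing known about the leak, so nothing to narrow down
    return sorted(
        r["service"] for r in survey
        if wanted <= {normalise(f) for f in r["fields"]}
    )


def unreviewed(survey):
    """Services whose privacy policy nobody has reviewed yet."""
    return sorted(r["service"] for r in survey if not r["policy_reviewed"])


if __name__ == "__main__":
    for field, names in collection_report(SURVEY).items():
        print(f"{field}: collected by {len(names)} service(s): {', '.join(names)}")
    print("Policy not yet reviewed:", ", ".join(unreviewed(SURVEY)))
    print("Mr. Chen uses:", ", ".join(services_for_teacher(SURVEY, "Mr. Chen")))
    print("Holds grades + parent phone:",
          ", ".join(possible_leak_sources(SURVEY, ["grades", "parent phone"])))
```
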

If you have evidence your child’s data may have been compromised, or if you have experienced any of the Internet crimes described in this PSA, please file a complaint with the Internet Crime Complaint Center at www.ic3.gov.

Steps To Avoid HIPAA Compliance Violations And Data Breaches


Federal regulations are usually complex and can have unintended consequences. If you are a lawyer, they are a goldmine both for prosecutors and consultants for clients. When it comes to the Health Insurance Portability and Accountability Act (HIPAA), there are, however, just a few (relatively) simple steps you can take to avoid violations, fines, and bad publicity for your healthcare organization. HIPAA is not a paper tiger. Healthcare organizations have been fined millions of dollars for breaches and violations so far.

What Is A Violation? What Is A Breach?
For once, there’s a nice, simple distinction which does not require a legal mind to understand. The definition of a violation is:
“A failure to do what HIPAA requires to keep protected health information (PHI) secure.”
Basically, PHI is data that HIPAA requires be protected by following the steps suggested below. There are a few simple steps one can take to avoid violations. These are things that you should be doing already to protect data in general. All HIPAA does is specify them. They are:

Records must be secured. This means limiting access to the data that employees and providers need to do their jobs. Records can be secured by passwords, biometric identifiers, swipe cards, fingerprint readers, etc. PHI must be encrypted. Enough said. While you’re at it, what rationale do you have for not encrypting all data?
PHI must be encrypted against hacking and breaches. This means that if there is a breach and encrypted records are stolen, you are still liable. Encryption can be broken, and every method of securing data, except for quantum encryption, which is not generally available, has vulnerabilities.
Devices must be secured. This generally means that portable devices, such as smartphones and laptops that could be lost or stolen must be secured via encryption and passwords or have other limitations on access. The theft of a device should not enable the one who stole it (or finds it) to access PHI. If the chief of surgery leaves his or her smartphone in a cab, there must be a way to remotely erase all data on it.
Finally, employees must be trained, not only on the importance of security, but also on the organization’s specific methods of maintaining PHI.

A breach is disclosure of PHI to parties that are not authorized by HIPAA to access it. A breach has occurred if PHI is accessed by an unauthorized party, even if that data is not actually stolen.
How Do I Prevent A Breach?

Train employees on why security is important and how to minimize risks.
Maintain possession and control security on mobile devices.
Enable firewalls and encryption.
Ensure that files are encrypted and stored correctly.
Move towards a paperless operation and properly dispose of paper files.

How Do I Plan Ahead?
HIPAA regulations require that a healthcare organization regularly audit its security and have a risk mitigation action plan. If you take the following steps, you will have gone a long way towards ensuring that your organization can pass audits and show that you have already taken steps toward risk mitigation:

Encrypt PHI both in storage and transmission.
Use secure access controls including strong passwords, access limited to job functions, auto timeouts, and screen locking.
Use firewalls and antivirus software on all desktops and mobile devices.
Keep track of incoming, as well as outgoing, data. Know where data comes from.
Keep your risk mitigation plan updated to deal with new threats. The “threat surface” is constantly changing.
Keep software and firmware updated. Many new attacks are aimed at hardware as well as software vulnerabilities.
Keep employee training up-to-date.

How Can My Organization Respond to Breaches?
Your organization should have a written post-breach action plan that is regularly updated. It is foolish to assume that a breach will never occur. The plan should be updated and reviewed at least annually. What is most important is transparency. HHS needs to be notified. Those whose data has been exposed have to be notified. Your legal staff should be notified. And anything resembling a cover-up should be avoided.
Concealment of a breach is a violation of the law and regulations, and can be guaranteed not to work. Breaches will eventually be exposed, and the delay in reporting them or attempts at concealment will only make the organization look worse than would otherwise be the case.
Any breach – or even detection of an attack – should be used as a lesson for future security efforts. The first task is to figure out what went wrong. Where did your security measures fail? Once that is known, you need to determine the root cause. The root cause is usually a bit of a surprise.
In one case, the organization’s own security efforts were perfect. But it used a cloud vendor whose security practices were much laxer. Data was encrypted and communications between the organization and the cloud vendor were secure and encrypted. But the cloud vendor stored decrypted data on one of its own servers that was not even protected by a password and was exposed to the public internet. The lesson here is that security audits should cover both your own organization and all of your vendors.

Are Microsoft’s New Artificial Intelligence and Mixed Reality Applications Redefining Business?


From its inception, Microsoft has been defining and redefining business. According to History, Microsoft was founded by Bill Gates and Paul Allen in April of 1975. The company introduced the Windows operating system in 1985. In 1995, it released its web-browser, Internet Explorer. Prior to the Microsoft Ignite 2018 conference for IT developers and professionals, the company announced the expansion of its Dynamics 365 portfolio.

According to Microsoft, the original Dynamics 365 is a “collection of intelligent business applications.” It included a line of customer relationship management (CRM) applications, which were later referred to as a customer engagement plan. It also has an enterprise resource planning (ERP) capability, which is basically a finance and business line.
Dynamics 365 is available in two editions. One is designed for small to medium-sized offices and businesses. The other is more appropriate for medium to large-sized law practices.
What Are the New Additions to Dynamics 365?
Dynamics 365 already offered assistance with accounting and financial management, customer service, field service, operations, and sales, etc. These applications work together seamlessly. Now, however, they can be combined with the following artificial intelligence and mixed reality additions.

Dynamics 365 AI for Customer Service
Dynamics 365 AI for Market Insights
Dynamics 365 AI for Sales
Dynamics 365 Layout
Dynamics 365 Remote Assist

The Dynamics 365 Layout and Dynamics 365 Remote Assist are both mixed reality applications. They are not only new, but they are also the first of their kind. The company refers to them as “a whole new kind of business application.”
What Is Artificial Intelligence?
Artificial intelligence (AI) is essentially machines that have to use intelligence, such as when computing or analyzing, to perform tasks a human would normally carry out. They also collect data in order to adapt and learn how to do things better. Based on algorithms, statistics, and trends, AI is used to solve problems faster and more accurately than the average person would.
Common, contemporary examples of AI include the following abilities:

Alexa by Amazon
Facial recognition on smartphones
John Paul—the luxury concierge company
Netflix’s predictive user-preferences feature
Pandora’s ability to pick user preferences based on 400 musical characteristics
Siri by Apple
Tesla’s self-driving feature

This is merely a handful of the many ways that people use AI on a daily basis. Oftentimes, they are completely unaware.
How Are the New Additions to Dynamics 365 Using AI?
Dynamics 365 AI for Customer Service provides firms with Virtual Agents to do some of the typical day-to-day interactions with clients. It also helps collect automated insights from clients to improve future services.
Dynamics 365 AI for Market Insights uses the actionable web and social insights to improve relationships with clients. It detects trends in marketing and social media to assist legal SEO teams to engage in meaningful actions and respond to current dynamics.
Dynamics 365 AI for Sales is used to improve an office’s bottom line by helping associates focus on high-priority endeavors. It provides detailed analysis and answers to frequently asked questions regarding outreach and income.
What Is Meant by Mixed Reality?
Considered the evolution in computer, environment, and human interaction, mixed reality blends the digital world with the physical one. With advances in computer vision, display technology, graphical processing power, and input systems, both holographic and immersive devices are possible.
Holographic devices are those with the ability to virtually place digital content into the real world as if it were actually there. Immersive devices, however, are characterized by the ability to create a sense of “reality.” They replace the physical world with a completely digital experience.
How Are the New Additions to Dynamics 365 Using MR?
The two additions to Dynamics 365 that use mixed reality are the Layout and Remote Assist applications. Both are made possible with the use of Microsoft’s HoloLens. This wearable device allows people to interact with content by using gestures, vocal commands, and even their gaze. It provides the immersive experience required for Layout and Remote Assist.
The Dynamics 365 Layout allows users to visualize or even walk through physical space layouts in real-world scale. Potentially, this would be beneficial during a courtroom situation to provide jurors with an accurate depiction of a crime scene for example. It could also be used to assist clients with investment opportunities, etc.
Dynamics 365 Remote Assist is an immersive tool that helps first-line workers trouble-shoot problems in a “hands-free” environment. First-line employees are the ones to engage with clients, such as receptionists and legal support staff, etc. The Remote Assist application allows them to address situations and improve efficiency.
In Conclusion
In a virtual news briefing, Microsoft corporate Vice President Alysa Taylor stated, “We continue to expand our category with AI and mixed reality. We’re taking another step forward on our journey to help empower every organization on the planet to achieve more through the acceleration of business applications.” That they have.

How and When to Set Up A Small Wireless Network In Your School


Limited wireless networks are just what they sound like: small networks with limited range that cannot handle the demands of, say, the entire population of a large high school full of students, faculty, and staff all carrying one to three personal devices. Small networks cannot handle the bandwidth demand from multiple classrooms of students streaming videos at approximately the same time while all classrooms report their attendance at the top of the hour and district emails regarding cybersecurity threats go out.

Potential Small Wireless Network Areas:

Administrative Offices
Small Administrative Office, Small Multimedia Lab/Library, Mobile Computer Lab
Any staff that needs to be (literally) mobile/wears multiple hats
Very small elementary school. Teachers who are using iPads or something to take attendance. Small schools might make it with a few high-powered wired PCs and Printers, plus a wireless network for the other stuff.
Annexed community (e.g. a construction module office or library)

Small networks range from a small administration office with a skeleton staff to several offices, connected printers and copiers, and a couple of dozen devices spread across a tiny school (and that’s stretching it to its limits). Anything more than that and a larger network is necessary.
What is a wireless network?
Wireless networks, or Wi-Fi networks, are networked radio signals that relay information (data) from the internet to devices (laptops, desktops, mobile phones, tablets, etc.). Over the years they have improved to the point that they are as secure, reliable, and fast as most wired networks.
Advantages Of A Small Network
Small schools or contained school communities can benefit by having a faster connection on the limited space. It costs less to install and maintain a small network as well, and its general exclusivity makes it a more secure method to share and receive data.
Certain types of information or use are better on a wired connection. So one of the advantages of using a limited, small wireless network is that in an office with equipment better left on a wired connection, such as a dedicated printer or copier, wireless can be for everyone else, or for other appropriate devices as you see fit.
Where To Start
Like with any project, you must determine the scope, budget, and overall goals. What is this network supposed to be able to do? How many devices should it be able to support, and at what bandwidth? You need to know what your goals are, what the scope of the project is, and the budgeting limitations.
You’ll want your main office, the library, and maybe a small computer lab or mobile lab (cart with laptops) to have Wi-Fi. Any other computers would need to be wired or else you’d have to get a much larger system.
This small Wi-Fi network can be a separate network from the rest of the school, to separate one network from the other for security or speed purposes, or it can be used in a smaller school, or only by a select group of people.
What Should The Small Network Be Able To Handle?
Think about the demands that each individual might put onto the network. Employees, teachers, students, and guests may be on the network if that’s what your school decides, and they will each have their own needs. In an elementary school, very few students will have their own personal devices on them at all times, and even fewer will be using internet access on those devices. This is why the small network might be all right for a small elementary school but not appropriate for a secondary school, where students often have two to three devices.
Account for at least two devices per employee on the network. They will likely have personal devices such as laptops, smartphones, or tablets that they may want to use in addition to work-provided devices.
Once you have the scope down, you can move on to the next phase: choosing your equipment.
You’ll need:

Router(s)
Antenna
Extender
Ethernet Cables
Access Points

In Conclusion
If you have a small school or limited wireless needs to think about, go for the smaller wireless network. It offers convenient connectivity and could also be a way to test the waters on a wireless set-up. Further, elementary schools with fewer unknown devices being brought in could benefit from not wasting money on a monster system too large for the needs of the school. No matter what you decide, make sure that you properly measure the resources that you will need.