Encryption at rest and encryption in transit for HIPAA compliance are not easy questions to answer

Given the number of breaches we’ve seen this summer at healthcare institutions, I’ve just spent a ton of time recently on several engineering engagements looking at “HIPAA compliant” encryption (HIPAA compliance is in quotes since it’s generally meaningless). Since I’ve heard a number of developers say “we’re HIPAA compliant because we encrypt our data,” I wanted to take a moment to unbundle that statement and make sure we all understand what it means. ...

The causes of digital patient privacy loss in EHRs and other health IT systems

This past Friday I was invited by the Patient Privacy Rights (PPR) Foundation to lead a discussion about privacy and EHRs. The discussion, entitled “Fact vs. Fiction: Best Privacy Practices for EHRs in the Cloud,” addressed patient privacy concerns and potential solutions for doctors working with EHRs. While we are all somewhat disturbed by the slow erosion of privacy in all aspects of our digital lives, the rather rapid loss of patient privacy around health data is especially unnerving because healthcare is so near and dear to us all. ...

Protect yourself from Shadow IT, embrace “good enough for HIPAA” secure cloud services like Box and Skydrive

It’s a common misconception that if executives at hospitals or practices don’t have time to deliver sophisticated IT solutions to their users, users will just wait patiently and hope that solutions will arrive someday. However, there is a larger Shadow IT movement in many clinical settings than senior executives are willing to admit. Given the wealth of cloud offerings available, many of which have better security in the cloud than some on-premises “clinical” solutions, Shadow IT is growing and will cause more problems in the future as we try to rein it in. ...

Join me in San Francisco on Monday where I’m talking about Using Android in Safety-Critical Medical Device Platforms

The Linux Foundation has invited me to speak about how to use Android in medical devices on Monday, February 14 at the Android Builders Summit. If you’ll be at the Summit or are in the San Francisco area and would like to meet up at or near the event, please reach out to me via speaking@shahidshah.com. Here’s the abstract of my talk on Monday: FDA-regulated medical devices are considered safety-critical systems due to their ability to affect patient lives. ...

I’m speaking at NIH Clinical Center on Why Meaningful Use (MU) and EHRs are Insufficient for Evidence Based Medicine (EBM) and Comparative Effectiveness Research (CER)

If you’re in the DC area near NIH please join me tomorrow as I lead a discussion on why MU is insufficient for EBM and CER. Here are the details:

When: 3:30 – 5:00 PM, Thursday, February 9, 2012

Where: NIH Clinical Center (Building 10 North), Hatfield Room 2-3330

Abstract: Comparative Effectiveness Research (CER), which is being rechristened “Patient-Centered Outcomes Research” (PCOR), is all about using clinical outcomes research comparing different interventions and strategies to prevent, diagnose, treat and monitor health conditions. ...

Healthcare Cloud definitions should be based on NIST’s definitions

As most of my regular readers know, I work as a technology strategy advisor for several different government agencies; in that role I get to spend quality time with folks from NIST (the National Institute of Standards and Technology), what I consider one of the government’s most prominent think tanks. They’re doing yeoman’s work trying to get the massive federal government’s different agencies working in common directions and the technology folks I’ve met seem cognizant of the influence (good and bad) they have; they seem to try to wield that power as carefully as they know how. ...