Pat Lynch’s Calendar

January 20, 2013 by Pat Lynch

Ask me anything at

2015 Calendar

June 5 – Manny’s Meeting, Denver, CO

June 6-8 – AAMI Denver, CO

July 22-24 – MD Imaging Expo, Indianapolis, IN

August 11 – KAMI, Lexington, KY

August 19-21 – CEAI, Chicago, IL

Sept 9-11 – NCBA, Charlotte, NC

Sept 23-25 – VBA, Newport News, VA

October 1-3 – FBS, Orlando, FL

October 21-23 – MD Expo – Las Vegas




The era of IT-as-a-roadblock must come to an end right now

July 7, 2015 by Pat Lynch
IT must stop being a passive observer and really deliver what the business needs.

By July 1, 2015, 6:55 AM PST

A recent article on TechRepublic asked the question “Does anyone still want to be CIO?” Among other things it highlighted the growing trend of tech savvy people (or at least people who believe they are tech savvy) occupying other C-level positions, and makes the argument that technically-oriented IT leadership is dead, which I do agree with.

However, this does not mean the CIO or for that matter IT leadership in general is destined for the same demise.

As other leaders are growing more aware of technology in the digital age, it is my belief that CIOs need to also invest, immerse in and speak the language of marketing, operations and finance. It is through this cross-pollination of competing skills and professions that an IT leader can have the most impact.

We talk business alignment and business driven priorities but in my experience IT leaders fail at truly understanding these needs and requirements. It is that old order taker-mentality: to some extent not only is there a failure to understand, it appears in many cases it is by design.

Our success is tied to, or should be tied to, delivering more value than a CMO or a COO could by both intimately understanding the problem and traversing the technology.

If we want to be passive observers of our organizational priorities and marginalize ourselves then we have no right to complain about why we are not given our due share of respect at the executive table.

This attitude both confounds me and infuriates me. Bad leaders shift accountability to others and in so doing also dilute their power base. Good leaders take charge and take on innovation and creativity as a badge to wear everywhere.

We do not have enough good leaders, we do not have enough CIO trend setters that will take a chance for the sake of their business and the sake of themselves and it is ruining it for the rest of us.

If you see a leader or are managed by one that justifies IT-as-a-roadblock by way of process or methodology and promotes the “that isn’t our job” mentality, then say something, because these leaders are from a bygone era and have no place in modern organizations.

We need to think strategically, act tactically, drive methodically and think technically. If we do this we will provide more value than any other C-level position because we understand what needs to be done, can demonstrate the courage to do it and the experience to do it technically right.

In my view CIOs, if they act properly and integrate themselves within other business disciplines, can easily become the next CEO – not the next doorman.

The Naked CIO is an anonymous technology executive.

Greenway creates Interop U

July 6, 2015 by Pat Lynch
Beth Walsh
Jun 30, 2015

EHR vendor Greenway Health has developed Greenway Interoperability University to recruit and train people to become interoperability experts.

The six-week, on-the-job program features a combination of classroom instruction, hands-on exercises, assessments, mentor shadowing and ongoing learning, according to a release. Students, many of whom are recent college graduates, are trained by interoperability experts who have many years of experience.

The first two classes recently held their graduation ceremony at the company’s Carrollton, Georgia headquarters.

“Bottom line, lives are at risk when health IT systems don’t talk to each other,” said Greenway CEO Tee Green. “That’s why Greenway Health has long been a leader in driving interoperability and enabling data liquidity. ‘Interop U’ is yet another way we’re accelerating innovation in this fundamental area while creating rewarding career paths for people interested in the wide-open field of information technology.”

Greenway Health is a founding member of CommonWell Health Alliance, the first ambulatory health IT solution provider to join the eHealth Exchange and, this spring, was one of only three HIT companies in the new Surescripts National Record Locator service.

5 Fascinating Maps to Teach You Something About the World

July 4, 2015 by Pat Lynch

Johnny Lists – 5 Fascinating Maps to Teach You Something About the World

Posted: 30 Jun 2015 08:00 AM PDT

1. How the world actually looks.

2. Worldwide passport power.

3. World religion map.

4. Earth’s seasons.

5. Poverty and the world.



10 Completely Useless Websites

July 3, 2015 by Pat Lynch

Posted: 29 Jun 2015 08:00 AM PDT

1. – A website so exclusive, only one person can be on it at a time.

2. wikipe – The misspelled encyclopedia.

3. – It’s pretty awful.

4. – Just purple.

5. – Watch as a lawn’s grass grows. Exciting!

6. – A simple Facebook like button.

7. – One dinosaur is superior to all of the others. – It’s true.

9. – Play with a toilet paper roll.

10. – A dime.

How can hospitals protect their medical equipment from malware?

July 2, 2015 by Pat Lynch

Some scenarios sound like something out of a Tom Clancy novel, but are completely plausible

June 26, 2015

The challenges in protecting hospitals from cyber attacks are very similar to those faced in ICS and SCADA environments; the equipment used in hospitals is not user-serviceable and therefore often running out-of-date software or firmware. This creates a dangerous situation where:

•    The devices have known vulnerabilities that can be easily exploited by bad actors
•    Administrators are not likely to notice malware running on the device as long as nominal operation is maintained

The end goal of bad actors infecting a medical device is to use it as an entry and pivot point in the network. Valuable patient records are not likely to be present on the medical devices, but those devices often have some level of network connection to the systems that do contain patient records.

25 things to know about health IT interoperability

July 1, 2015 by Pat Lynch
Written by Max Green | June 17, 2015

A patient visits a hospital for a routine procedure. Regardless of his provider, the hospital can retrieve electronic copies of everything from family history and known allergies to detailed notes on previous hospital visits and prescriptions.

The information in the patient’s EHR is well-organized, standardized, accessible and interfaces seamlessly with the hardware and software used by patient, clinician and provider.

This is the interoperable future the healthcare industry is working toward, but the path between here and there is riddled with stumbling blocks and complications.

Ultimately, making healthcare management systems interoperable means creating an environment where clinicians, organizations and providers can share data on patients and access medical information quickly and easily, which in turn should have a positive impact on patient outcomes.

Once the significant logistical, legislative and technological hurdles are conquered, that is. Here are 25 things to know about interoperability.


There are 3 levels of healthcare information technology interoperability. It may be useful to think of these levels in terms of language interpretation.

1. Foundational interoperability can be compared to the one-to-one translation of a word from one language into another. Little context is provided beyond the basic transfer of the hard data. A system that receives the information won’t necessarily be able to interpret or readily incorporate it, although it will be able to successfully retrieve it.

2. Structural interoperability provides that one-to-one translation with additional information — enough to allow for proper syntax or for the proper integration of the data into the new system. A thorough understanding of the information is not necessarily a component of structural IO, but technology systems can exchange hard data.

3. Semantic interoperability is the gold standard, the type of synergistic compatibility that allows for information to not only be shared seamlessly, but for systems to understand the information they send and receive and to use it effectively. This is the equivalent of having a fluent conversation in another language, without barrier. Semantic IO allows systems to parse information, categorize, organize and incorporate it as if the data had been generated within the system itself, rather than received from a completely different source.

4. Information blocking is the purposeful interference with the exchange of electronic health information. Healthcare information systems, organizations or providers may take steps to make their software or data collection systems purposefully incompatible with other systems, the same way a device manufacturer might develop a product that only interacts with other products from the same manufacturer, to encourage consumer loyalty. Information blocking does not serve to protect patient safety or maintain the security of a patient’s health information.

Key statistics

5. With proper integrations of EHR, medical devices and interoperable standards, healthcare costs could be reduced by as much as $30 billion per year, on top of improved patient care and hospital safety, according to an analysis by the West Health Institute. The primary cost benefits of efficient EHR adoption and interoperability are an anticipated reduction in unnecessary procedures, malpractice lawsuits, hospital stays and patient visits.

50 things to know about healthcare data security & privacy

June 30, 2015 by Pat Lynch
Written by Carrie Pallardy | June 09, 2015

Data privacy and security are increasingly a concern in nearly all industries. From HIPAA and data breaches to the patient perspective and EHRs, here are 50 things to know about data security and privacy issues in healthcare.


1. The Health Insurance Portability and Accountability Act, designed to protect healthcare information security and confidentiality, was enacted in 1996.

2. The law is divided into Title I, which focuses on portability, and Title II, which focuses on administrative simplification. The portability portion of the law was put in place to ensure individuals can carry health insurance from one job to another. Title II focuses on how healthcare information is received and sent, as well as the maintenance of privacy and security.

3. HIPAA regulations apply to all healthcare providers, health plans and healthcare clearinghouses. Protected health information includes the following:

•    Names
•    Birth dates, death dates, treatment dates, admission dates and discharge dates
•    Telephone numbers and other contact information
•    Addresses
•    Social Security numbers
•    Medical record numbers
•    Photographs
•    Finger and voice prints
•    Any other identifying numbers

4. Under the HIPAA privacy rule, patients have a number of rights including:

•    The right to receive notice of privacy practices of any healthcare provider, plan or clearinghouse
•    The right to see their protected health information and receive a copy
•    The right to request changes to their records to correct errors or add information
•    The right to have a list of those their protected healthcare information has been disclosed to
•    The right to request confidential communication
•    The right to complain.

5. HIPAA violations can come with both civil and criminal penalties. Here are four HIPAA violations and the resultant civil penalties, according to the American Medical Association.

Individual did not know HIPAA was being violated
•    Minimum penalty: $100 per violation and an annual maximum of $25,000 for repeat violations
•    Maximum penalty: $50,000 per violation and an annual maximum of $1.5 million

HIPAA violation due to reasonable cause and not willful neglect

•    Minimum penalty: $1,000 per violation and an annual maximum of $100,000 for repeat violations
•    Maximum penalty: $50,000 per violation with an annual maximum of $1.5 million

HIPAA violation due to willful neglect, but violation is corrected within required timeframe

•    Minimum penalty: $10,000 per violation with an annual maximum of $250,000 for repeat violations
•    Maximum penalty: $50,000 per violation with an annual maximum of $1.5 million

HIPAA violation due to willful neglect and is not corrected
•    Minimum penalty: $50,000 per violation with an annual maximum of $1.5 million
•    Maximum penalty: $50,000 per violation with an annual maximum of $1.5 million

6. Covered entities, such as health plans, clearinghouses and providers, and their employees are held liable under HIPAA. Criminal penalties apply to covered entities or individuals who “knowingly” obtain or disclose protected health information. Penalties include $50,000 in fines and imprisonment for up to one year. Violations committed under false pretense come with a $100,000 fine and up to five years in prison. Violations involving intent to sell or transfer information come with a $250,000 fine and up to ten years in prison.

7. The HHS Office of Civil Rights enforces privacy standards. CMS enforces transaction and code set standards, as well as the security standards, according to the AMA.

Data breaches

8. The average consolidated cost of a data breach is now $3.8 million, up 23 percent from 2013, according to a Ponemon Institute report.

9. The healthcare industry has the highest cost per stolen record at an average of $363. The costs associated with lost business following a breach have risen from $1.23 million in 2013 to $1.57 million in 2013. On the other hand, notification costs have fallen from $190,000 to $170,000.

10. The most expensive data breaches occur in the United States and Germany.

11. Data breaches could cost the healthcare industry as a whole $6 billion each year, according to a Ponemon Institute report.

12. The cost components of data breach, according to a CFO magazine report, include:

•    Investigation
•    Remediation
•    Notification
•    Identity-theft repair and credit monitoring
•    Regulatory fines
•    Interrupted business operations
•    Loss of business
•    Class-action lawsuits

13. Forty-seven states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands all have legislation in place requiring private and government entities to notify individuals of data breaches involving personal information, according to the National Conference of State Legislatures.

14. Criminal attacks are the leading cause of data breaches in healthcare. The number of criminal attacks on healthcare organizations has leapt 125 percent since 2010.

15. Within the past year, 78 percent of healthcare organization breaches were due to web-borne malware attacks.

16. Despite the apparent threat data breaches pose, many healthcare organizations remain unprepared. Just 40 percent of healthcare organizations are concerned about cyber attacks.

17. Furthermore, 56 percent of healthcare organizations feel their incident response processes lack funding and resources. “As a hospital system, we don’t have the fraction of the resources as the Targets and the Chases of the world, as far as security experts. We are almost like sitting ducks, but we do put tools in place to facilitate these threats to be prepared,” said Cletis Earle, Vice President and CIO of St. Luke’s Cornwall Hospital Newburgh, N.Y., in a Becker’s Hospital Review report.

18. Though external forces are the leading cause of data breaches, internal causes are also a concern. In 2014, U.S. businesses reported $40 billion in losses due to unauthorized employee computer use, according to Experian’s 2015 Second Annual Data Breach Industry Forecast report.

19. More than half of respondents to the 2014 SANS Health Care Cybersecurity survey, 51 percent, believe a negligent insider is the biggest threat to cybersecurity.

20. In April 2014, Reuters reported the FBI warned the healthcare industry that their cybersecurity systems are more vulnerable than other sectors.

21. There are a multitude of technical issues to consider when safeguarding against data breaches. Here are six technical controls to minimize security and compliance risks, according to the Healthcare security + compliance guide from HIMSS:

•    Anti-malware software
•    Data loss prevention software
•    Two-factor authentication software
•    Patch management software
•    Disk encryption software
•    Logging and monitoring software

22. In addition to addressing the technical side of data security, healthcare organizations must have operational controls in place. Here are six things to consider, according to the HIMSS report:

•    Security and compliance oversight committee
•    Formal security assessment process
•    Security incident response plan
•    Ongoing user awareness and training
•    Information classification system
•    Security policies

Data breaches in the news

23. In February, Anthem, the second largest insurer in the United States, fell prey to the largest healthcare data breach reported to date. Hackers accessed the personal information of approximately 80 million former and current customers and employees.

24. Investigators tracked the data breach back to weak login security. The hackers acquired credentials from five Anthem technology workers and used phishing campaigns to “dupe” network administrators into revealing login information or into clicking a link that granted them access to the administrators’ computers.

25. Shortly after the announcement of the Anthem breach, it was revealed data in the insurer’s database was not encrypted. “There are a lot of folks who don’t encrypt data internally. If not encrypting your data internally is a failure or makes you irresponsible, then we have a whole lot of people in healthcare who are irresponsible, not just these guys,” Mac McMillan, CEO of healthcare IT consulting firm CynergisTek and chair of the HIMSS Privacy & Security Policy Task Force, said in an interview with Becker’s Hospital Review.

26. Following the announcement of the Anthem breach, consumer perceptions of the payer dipped slightly. A Wedbush Securities survey of more than 1,000 people prior to the breach found 51 percent of consumers said Anthem Blue Cross Blue Shield was a better brand than other payers. After the breach, only 45 percent of consumers said the same.

27. The large 2015 breach was not Anthem’s first. In 2010, the payer was fined $1.7 million for a smaller breach, which compromised information from approximately 612,000 people.

28. Less than 24 hours after the announcement of the Anthem breach, the payer was faced with two class-action lawsuits.

29. The high-profile nature of breaches like the Anthem case can drive other healthcare providers to take a second look at their own cybersecurity policies. An Experian Data Breach Resolution and Ponemon Institute study found media coverage of data breaches has driven 69 percent of companies to reevaluate and prioritize security.

30. “It’s made a beneficial impact for our case to focus more on cybersecurity because it’s unsexy, it’s behind the scenes. Cybersecurity is only interesting when you have things like Sony and Anthem happen. All these collective things have opened up communication channels for us to continue to grow in cybersecurity,” said Joel Vengco, Vice President and CIO of Baystate Health in Springfield, Mass., in a Becker’s Hospital Review article.

31. Just a little more than a month after the Anthem breach went public, Premera Blue Cross, a health plan in Mountlake Terrace, Wash., announced a cyberattack that compromised the data of 11 million customers, employees and business affiliates.

32. Premera discovered the breach on Jan. 29. The initial attack took place on May 5, 2014.

33. The investigation into the breach indicates no evidence of inappropriate use of the compromised data, as of March 2015. “The security of Premera’s members’ personal information remains a top priority. We at Premera take this issue seriously and sincerely regret the concern it may cause,” said Premera CEO Jeff Roe in a statement. “As much as possible, we want to make this event our burden, not that of the affected individuals, by making services available today to help protect people’s information.”

34. Shortly following the public announcement of the Premera breach, the insurer was hit with several class-action lawsuits.

35. “If you are an organization like this, it is not a matter of being breached — you are likely already compromised and just don’t know it yet. Attackers are able to operate for months before being detected, and this will continue until organizations architect in a way leaving attackers nowhere to hide,” said TK Keanini, CTO of Lancope, in a Becker’s Hospital Review Premera breach reaction report.

36. In May, CareFirst BlueCross BlueShield, the largest payer in the Mid-Atlantic region of the United States, reported a cyberattack that affected 1.1 million past and current customers. The attack was traced back to June 2014.

37. Mandiant, a subsidiary of Milpitas, Calif.-based FireEye, detected the attack after conducting an end-to-end examination of CareFirst’s IT environment. In a statement to the Wall Street Journal, FireEye said, “The intrusion was orchestrated by a sophisticated threat actor that we have seen specifically target the healthcare industry over the past year.” FireEye has also investigated other breaches and cyberattacks, including those affecting Anthem and Premera.

38. In June, the U.S. Office of Personnel Management announced hackers accessed its computer system. The data of approximately 4 million government workers was compromised.

39. The breach investigators have now linked the OPM cyberattack to both the Anthem and Premera Blue Cross breaches that occurred earlier this year.

40. The suspected culprits are government-linked Chinese hackers, according to a Bloomberg report.

41. Data breach settlement costs can be substantial. New York-Presbyterian Hospital and Columbia University submitted a joint breach report in September 2010. HHS’ Office for Civil Rights initiated an investigation. In 2014, the two organizations agreed to a settlement of $4.8 million, the largest HIPAA settlement to date.

The patient side

42. Healthcare providers are not the only ones concerned with data breaches. Depending on the type of information accessed, patients too can be exposed to risk. A Software Advice survey found that 45 percent of respondents were moderately or very concerned about security breaches involving personal health information.

43. More than half of the survey respondents, 54 percent, said they would switch healthcare providers as a result of a data breach. Nearly a quarter of respondents, 21 percent, surveyed were so concerned with data breaches they withhold personal information from their physicians.

44. Patients whose providers use paper medical records reported more concern over record privacy (75 percent) than patients whose providers use EHRs (69 percent), according to an ONC data brief.

45. Providers have traditionally safeguarded healthcare data, but it is now spreading beyond the four walls of a hospital or physician’s office. Wearables are growing in popularity, but not without concern. A PricewaterhouseCoopers report on wearables found that 86 percent of respondents were concerned this technology would make them more vulnerable to security breaches.


46. The HITECH Act, enacted in 2009, is designed to promote the adoption and meaningful use of healthcare information technology. The legislation also addresses privacy and security concerns, as well as strengthens enforcement of HIPAA rules. The American Recovery and Reinvestment Act also expands HIPAA privacy requirements. The legislation includes regulations governing EHR confidentiality, according to a HIMSS white paper.

47. Meaningful use includes requirements for patient privacy rights, including assurance that their health information is protected from unauthorized access and the ability to access their health information.

48. More than half of providers, 61 percent, identified EHR/EMR as the category of information assets most at risk, according to the 2014 SANS Health Care Cybersecurity survey.

49. Though EHRs are intended to improve how healthcare information is stored and shared, physicians have varying views on how patients fit in. Nearly half of physicians, 49 percent, are of the opinion that patients should only have access to their entire medical record on a case-by-case basis, according to a Forbes report.

50. On the other hand, 34 percent of physicians believe patients should always have full access. Only 17 percent are of the opinion patients should never have full access.

New online benchmarking engine allows hospitals to compare themselves to peers

June 29, 2015 by Pat Lynch

Written by Heather Punke | June 17, 2015


A newly launched online benchmarking engine pulls public data for 4,813 hospitals from CMS’ Hospital Compare website and allows for comparison of hospitals against their peers.

The tool, called OnlyBoth, uses artificial intelligence software that reviews the data and reports the findings in English sentences. It describes hospitals by 84 attributes.

People can enter any U.S. hospital into the engine and get answers to the following three questions:

1. How are we doing?

2. Where could we improve?

3. Which similar peers do best?

“[OnlyBoth] starts with business data, discovers insights, and writes them up for people to act on,” said Oren Etzioni, CEO of the Allen Institute for Artificial Intelligence in Seattle.

8 Websites to Teach You Random Knowledge

June 26, 2015 by Pat Lynch

Johnny Lists

Posted: 15 Jun 2015 08:00 AM PDT

1. – Take quizzes on every topic.

2. – The oddest trivia you can imagine.

3. – A free, daily newspaper with interesting things.

4. – The Internet’s free encyclopedia.

5. – Daily links and facts (NSFW language).

6. – Bio’s for history’s most badass people (also NSFW language).

7. – A new fact every minute of the day.

8. – Fascinating facts brought to you in slide form.



50% of medication errors unpreventable by IT systems, study finds

June 24, 2015 by Pat Lynch
Written by Akanksha Jayanthi | June 11, 2015


Health IT systems are often heralded as tools to help reduce medication errors by lowering the risk of human error. However, a recent study suggests half of medication errors are not preventable by using IT.

Researchers conducting the study, which was published in Drug Safety, retrospectively analyzed reported or trigger tool-identified errors and adverse events at a pediatric tertiary care facility occurring between July 1, 2011 and June 30, 2012.

Researchers noted a total of 936 medication errors, 470 of which (50.2 percent) were deemed preventable by IT at their origin.

Of the medication errors preventable by IT, 32.9 percent were due to IT system bypasses, 21.9 percent were due to insensitivity of IT alerting systems and 10 percent were due to IT alert overrides.

That means that 50 percent of medication errors are also unpreventable by IT systems. Researchers indicated that dispensing, administration and documentation errors were more likely than prescribing errors to be not preventable by IT.

“Inappropriate use of IT systems was a common cause of errors,” researchers concluded. “The identified risk factors represent areas where IT safety features were lacking.”