Digitalising internal and external hospital processes for better healthcare delivery

“Most hospitals tend to make the mistake of selecting infeasible EHR options despite knowing their constraints. Sometimes, seeking a third party’s advice who is in a neutral position would be useful,” said Heungro Lee, Partner, VAIIM Consulting Group.

The Electronic Health Record (EHR) is defined as a longitudinal electronic record of patient health information generated by one or more encounters in any care delivery setting, according to the HIMSS Health Information and Technology Resource Library. Included in this information are patient demographics, progress notes, problems, medications, vital signs, past medical history, immunisations, laboratory data and radiology reports.

The EHR automates and streamlines the clinician’s workflow, and adopting it is one way hospitals and healthcare organisations can improve healthcare delivery by capturing structured healthcare information. However, hospitals and healthcare organisations can have very different budgets and approaches to EHR adoption or improvement. Mr Heungro Lee, who is in charge of healthcare strategy as a partner at VAIIM Consulting Group, highlighted some key considerations for healthcare organisations and hospitals in their approaches to EHR adoption:

“Decision making is always difficult. But with a well-designed decision making process, the journey might be easier. The first step for EHR adoption for these organisations is to define what their constraints are, be it availability of budget, timelines to meet or the internal manpower resources required.

The next step is to prioritise the goals to achieve and these could be process standardisation, improving patient care and monitoring and managing hospital’s performance, etc. The final step is to source out feasible options based on the previous two steps. From my experience, most hospitals tend to make the mistake of selecting infeasible options despite knowing their constraints. Sometimes, seeking a third party’s advice who is in a neutral position would be useful.”

Medical Device Cybersecurity: 3 Alerts Issued

Federal regulators have recently issued three advisories on cybersecurity vulnerabilities identified in medical devices. Some experts say the spotlighted flaws are issues commonly found in legacy medical devices as well as other IT products.

The advisories from the U.S. Computer Emergency Response Team, or U.S. CERT, a unit of the recently launched Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, address the following issues:

A “session fixation” vulnerability. This is in certain versions of the BD Pyxis medication management platform from Becton Dickinson.

When the device is joined to an Active Directory (AD) domain, existing access privileges are not restricted in step with the expiration of access that results from AD user account changes. Successful exploitation of this vulnerability could allow the AD credentials of a previously authenticated user to be used to gain access to the device, patient data and medications.

For exploitation to occur, products must be actively using AD for login and be connected to the hospital domain. Users who do not use AD are not impacted by this vulnerability.

A “use of obsolete function” vulnerability. This vulnerability occurs in the Philips HDI 4000 Ultrasound system if it runs an outdated and unsupported operating system, such as Windows 2000. The vulnerability could allow an unauthorized user to access ultrasound images or compromise image integrity.

An “incorrect default permissions” vulnerability. This is found in some cardiology products from Change Healthcare, which was created in 2016 when McKesson Corp.’s information technology unit merged with Change Healthcare Holdings.

The vulnerability affects Horizon Cardiology 11.x and earlier, Horizon Cardiology 12.x, McKesson Cardiology 13.x, McKesson Cardiology 14.x and Change Healthcare Cardiology 14.1.x. Insecure file permissions in the default installation could enable an attacker with local system access to execute unauthorized arbitrary code.
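
The first advisory above describes a device that keeps honouring a previously authenticated user after the Active Directory account has changed. The following is an added illustration, not code from the vendor or the advisory: a simplified Python model that places the weak check beside one that reconciles every access with the directory. The `Device`, `Account` and `MAX_OFFLINE_AGE` names, and the 15-minute offline window, are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

MAX_OFFLINE_AGE = timedelta(minutes=15)  # assumed policy value, not from the advisory

@dataclass
class Account:                      # constructed stand-in for an AD user object
    enabled: bool = True
    expires: Optional[datetime] = None

def account_valid(acct: Optional[Account], now: datetime) -> bool:
    """True only if the account exists, is enabled and has not expired."""
    if acct is None or not acct.enabled:
        return False
    return acct.expires is None or now < acct.expires

class Device:
    def __init__(self, directory: Optional[Dict[str, Account]]):
        self.directory = directory              # None models "domain unreachable"
        self.cache: Dict[str, datetime] = {}    # user -> last directory validation

    def login(self, user: str, now: datetime) -> bool:
        if self.directory is None:
            return False
        ok = account_valid(self.directory.get(user), now)
        if ok:
            self.cache[user] = now
        return ok

    def access_weak(self, user: str, now: datetime) -> bool:
        # Weak pattern: a past login is trusted forever, whatever AD says now.
        return user in self.cache

    def access_hardened(self, user: str, now: datetime) -> bool:
        if user not in self.cache:
            return False
        if self.directory is None:
            # Offline: honour the cached grant only inside a bounded window.
            return now - self.cache[user] <= MAX_OFFLINE_AGE
        if not account_valid(self.directory.get(user), now):
            del self.cache[user]                # revoke the local grant
            return False
        self.cache[user] = now
        return True
```

The hardened path fails closed: a disabled or expired account loses its local grant on the next access, and a directory outage extends trust only for the bounded window.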