Healthcare Information Technology

Atlantic.Net Recognized in Gartner 2019 Market Guide for Cloud Service Providers to Healthcare Delivery Organizations

Gartner has published its 2019 Market Guide for Cloud Service Providers to Healthcare Delivery Organizations (HDOs). The report contains an analysis of the healthcare cloud market and explains how the cloud can be a viable option for healthcare organizations seeking greater efficiency and flexibility than is achievable with traditional on-premises infrastructure.

Many healthcare organizations are now realizing the value of cloud-based solutions and how intelligent use of the cloud can help improve efficiency, eliminate waste, and drive down the cost of healthcare delivery. The industry may lag behind other sectors in terms of cloud adoption, but the landscape is changing fast as the healthcare cloud market matures.

Healthcare CIOs are now viewing the cloud as an extension of their internal infrastructure. While there was initially a great deal of skepticism about the cloud due to the security risks and the potential for costs to spiral out of control, there is now widespread acceptance in the healthcare industry that the cloud can serve as an IT service delivery model. There are tangible benefits to be gained from adopting cloud-based infrastructure and cloud services, HIPAA regulations can be satisfied, and associated risks can be reduced to a low and acceptable level.

Gartner has responded to the growth in cloud adoption in healthcare by producing a market guide for HDOs. The guide defines and describes the market, analyzes the direction the market is taking, and details the most notable vendors that are helping HDOs transition to the cloud.

Gartner has divided the market into four tiers to help healthcare organizations differentiate cloud companies and their offerings. The top tier naturally includes the large cloud service providers (CSPs) such as Amazon (AWS), Microsoft (Azure), IBM (IBM Cloud) and Google (Google Cloud). The second tier contains smaller CSPs that offer more specialist solutions for the healthcare industry such as Healthcare Blocks and Virtustream.

The third tier consists of vertical market players that offer hosting for electronic health records. In this tier are hosting companies such as Atlantic.Net that provide secure, HIPAA-compliant hosting services for electronic health records to allow EHRs to be accessed from any location in real-time, along with HIPAA-compliant hosting for databases, websites, and cloud-based storage services.

In the final tier are platform-as-a-service providers. These are integrated delivery networks that have developed their own cloud-based products for internal use and are now selling those products to other healthcare systems to use under license. UK Cloud Health is one example.

This is the second year that the Market Guide for Cloud Service Providers to HDOs has been produced and the second time that Atlantic.Net has been named in the market guide.

“We are honored to be named in this report, which we believe further solidifies our standing within distinguished security and compliance service providers,” said Marty Puranik, CEO of Atlantic.Net. “I attribute this success to our team members and skilled engineers, who strive to deliver technological solutions with a human touch.”

Gartner’s 2019 Market Guide for Cloud Service Providers to Healthcare Delivery Organizations can be downloaded here (subscription required).

The post Atlantic.Net Recognized in Gartner 2019 Market Guide for Cloud Service Providers to Healthcare Delivery Organizations appeared first on HIPAA Journal.

400 Million Medical Images Are Freely Accessible Online Via Unsecured PACS

A recent investigation by ProPublica, the German public broadcaster Bayerischer Rundfunk, and the vulnerability and analysis firm Greenbone Networks has revealed 24.3 million medical images in medical image storage systems are freely accessible online and require no authentication to view or download.

Those images, which include X-rays, MRI, and CT scans, are stored in picture archiving and communications systems (PACS) connected to the Internet.

Greenbone Networks audited 2,300 Internet-connected PACS between July and September 2019 and set up a RadiAnt DICOM Viewer to access the images stored on open PACS servers.

Those servers were found to contain approximately 733 million medical images of which 399.5 million could be viewed and downloaded. The researchers found 590 servers required no authentication whatsoever to view medical images.

PACS use the digital imaging and communications in medicine (DICOM) standard to view, process, store, and transmit the images. In most cases, a DICOM viewer would be required to access the images, but in some cases, all that is required is a web browser or a few lines of code. Anyone with rudimentary computer expertise would be able to view and download the images.

The exposed PACS were located in 52 countries and the highest concentration of unprotected PACS were found in the United States. 187 unsecured servers were found in the United States. The exposed U.S. PACS contained 13.7 million data sets and 303.1 million medical images of around 5 million U.S. patients.

The researchers found more than 10,000 security issues on the audited systems. 20% of those were high severity, and 500 were critical with a CVSS v3 score of 10 out of 10.

The images included personal and medical information such as patients’ names, dates of birth, scan date, scope of the investigation, type of imaging procedure performed, institute name, attending physicians’ names, and the number of generated images. Some of the images also contained Social Security numbers.

The types of patient information included on the images could be used for identity theft, medical identity theft, and insurance fraud. The data could also be used to extort money from patients or create highly convincing spear phishing emails.

While the investigation uncovered no evidence to suggest any of the exposed information had been copied and published online, the possibility of data theft could not be discounted.

PACS are designed to allow images to be accessed easily by healthcare professionals, but the systems often lack security controls to restrict access. It is the responsibility of healthcare delivery organizations (HDOs) to ensure safeguards are implemented to secure their PACS, but HDOs can face major challenges addressing vulnerabilities and securing their systems without negatively impacting workflows.

To help address the problem, the National Cybersecurity Center of Excellence (NCCoE) recently released new guidance for HDOs to help them improve security controls on PACS and mitigate risks without negatively impacting user productivity and system performance.


Mobile Device Security Guidance for Corporate-Owned Personally Enabled Devices Issued by NCCoE

The National Cybersecurity Center of Excellence (NCCoE) has issued new draft NIST mobile device security guidance to help organizations mitigate the risks introduced by corporate-owned personally enabled (COPE) devices.

Mobile devices allow employees to access resources essential for their work duties, no matter where those individuals are located. As such, the devices allow organizations to improve efficiency and productivity, but the devices bring unique threats to an organization.

The devices typically have an always-on Internet connection and the devices often lack the robust security controls that are applied to devices such as desktop computers. Malicious or risky apps can be downloaded to mobile devices by users without the knowledge or authorization of the IT department. App downloads could introduce malware and app permissions could allow unauthorized access to sensitive data.

Organizations therefore need to have total visibility into all mobile devices used by employees for work activities and they must ensure that mobile device security risks are effectively mitigated. If not, vulnerabilities could be exploited by threat actors to gain access to sensitive data and network resources.

The aim of the new guidance – NIST Special Publication 1800-21 – is to help organizations identify and address risks and improve mobile device security to reduce the likelihood of unauthorized device access, data loss, and theft.

The guidance includes how-to guides and an example solution developed in a lab environment using commercially available mobile management tools which can be used by enterprises to secure their Apple iOS and Android devices and networks while minimizing the impact on operational processes.

The guidance was developed by NIST and technology partners Kryptowire, Lookout, Appthority, MobileIron, Palo Alto Networks, and Qualcomm and is available for download from NCCoE on this link (PDF – 14.5MB). Comments are being accepted until September 23, 2019.

Further guidance on mobile device security for Bring Your Own Device (BYOD) is currently under development.


Vulnerability Identified in Becton Dickinson Pyxis Drug Dispensing Cabinets

Becton Dickinson (BD) has discovered a vulnerability in its Pyxis drug dispensing cabinets which could allow an unauthorized individual to use expired credentials to access patient data and medications.

The vulnerability was discovered by BD, which self-reported the flaw to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). ICS-CERT has recently issued an advisory about the flaw.

The vulnerability affects Pyxis ES versions 1.3.4 to 1.6.1 and Pyxis Enterprise Server with Windows Server versions 4.4 through 4.12.

The vulnerability – tracked as CVE-2019-13517 – is a session fixation flaw in which existing access privileges are not properly coordinated with the expiration of access when a vulnerable device is joined to an Active Directory (AD) domain.

This means the credentials of a previously authenticated user could be used to gain access to a vulnerable device under certain configurations. This would allow an attacker to obtain the same level of privileges as the user whose credentials are being used, which could give access to patient information and medications. Healthcare providers that do not use AD with the devices are unaffected.

The vulnerability has been assigned a CVSS V3 base score of 7.6 out of 10. ICS-CERT warns that the vulnerability is remotely exploitable and requires a low level of skill to exploit; however, BD notes that connecting the drug cabinets to hospital domains is an uncommon configuration and is not recommended by BD. Consequently, only a limited number of hospitals that use the drug carts will be affected.

The flaw has been addressed in the latest software release, v 1.6.1.1, which removes access to the file-sharing part of the Pyxis network.

Affected healthcare providers are advised to implement the following mitigations to reduce the risk associated with the vulnerability:

  • Never rely on expiration dates to remove users from the hospital’s Active Directory system
  • Remove users from the AD role that grants them access to the Pyxis ES system
  • Never place Pyxis ES systems on the hospital domain
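One way to check the first two mitigations is to audit the AD role group for members whose accounts have expired or been disabled but who were never removed from the role. The following is an added example, not code from BD or the advisory; the member export and its sample values are constructed, and the role group it represents is hypothetical. `accountExpires` and `userAccountControl` are the standard AD attributes.

```python
from datetime import datetime, timedelta, timezone

# accountExpires is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Both sentinel values mean "never expires".
NEVER_EXPIRES = (0, 0x7FFFFFFFFFFFFFFF)
# userAccountControl bit that marks a disabled account.
UAC_ACCOUNTDISABLE = 0x0002


def filetime_to_datetime(value):
    """Return the expiry as an aware datetime, or None if it never expires."""
    if value in NEVER_EXPIRES:
        return None
    try:
        return FILETIME_EPOCH + timedelta(microseconds=value // 10)
    except OverflowError:
        # Out-of-range tick counts cannot be a real expiry date.
        return None


def datetime_to_filetime(dt):
    """Inverse conversion, used here only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000


def audit_role_members(members, now):
    """Flag role members who should already have been removed from the role.

    An expired or disabled account that is still in the role group means
    removal from the role is being left to expiry, which the mitigations
    above say not to rely on.
    """
    findings = []
    for m in members:
        name = m["sAMAccountName"]
        expires = filetime_to_datetime(int(m["accountExpires"]))
        if int(m["userAccountControl"]) & UAC_ACCOUNTDISABLE:
            findings.append((name, "disabled-but-in-role"))
        elif expires is not None and expires <= now:
            findings.append((name, "expired-but-in-role"))
    return findings


def _utc(y, mo, d):
    return datetime(y, mo, d, tzinfo=timezone.utc)


# Constructed export of a hypothetical role group's members.
NOW = _utc(2019, 9, 1)
SAMPLE_MEMBERS = [
    {"sAMAccountName": "nurse.active", "userAccountControl": 0x200,
     "accountExpires": 0x7FFFFFFFFFFFFFFF},
    {"sAMAccountName": "temp.contractor", "userAccountControl": 0x200,
     "accountExpires": datetime_to_filetime(_utc(2019, 6, 30))},
    {"sAMAccountName": "former.pharm", "userAccountControl": 0x202,
     "accountExpires": 0},
    {"sAMAccountName": "locum.future", "userAccountControl": 0x200,
     "accountExpires": datetime_to_filetime(_utc(2019, 12, 31))},
]

if __name__ == "__main__":
    for account, reason in audit_role_members(SAMPLE_MEMBERS, NOW):
        print(f"{account}: {reason}")
```
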

BD is unaware of any cases where the vulnerability has been exploited to view data without authorization.


82% of Healthcare Organizations Have Experienced a Cyberattack on Their IoT Devices

82% of healthcare providers that have implemented Internet-of-Things (IoT) devices have experienced a cyberattack on at least one of those devices over the course of the past 12 months, according to the Global Connected Industries Cybersecurity Survey from Swedish software company Irdeto.

For the report, Irdeto surveyed 700 security leaders from healthcare organizations and firms in the transportation, manufacturing, and IT industries in the United States, United Kingdom, Germany, China, and Japan. Attacks on IoT devices were common across all those industry sectors, but healthcare organizations experienced the most cyberattacks out of all industries under study.

The biggest threat from these IoT cyberattacks is theft of patient data. The attacks also have potential to compromise end user safety, result in the loss of intellectual property, operational downtime and damage to the organization’s reputation. The failure to effectively secure the devices could also potentially result in a regulatory fine.

When asked about the consequences of a cyberattack on IoT devices, the biggest concern was theft of patient data, which was rated as the main threat by 39% of healthcare respondents. Attacks on IoT devices can also threaten patient safety. 20% of respondents considered patient safety a major risk and 30% of healthcare providers that experienced an IoT cyberattack said patient safety was actually put at risk as a direct result of the attack.

12% of respondents said theft of intellectual property was a major risk, and healthcare security professionals were also concerned about downtime and damage to their organization’s reputation.

The main impacts of these attacks were operational downtime, which was experienced by 43% of companies, theft of data (42%), and damage to the company’s reputation (31%).

Mitigating IoT cyberattacks comes at a considerable cost. The average cost to resolve a healthcare IoT cyberattack was $346,205, which was only beaten by attacks on the transport sector, which cost an average of $352,639 to mitigate.

Even though there are known risks associated with IoT devices, it does not appear to have deterred hospitals and other healthcare organizations from using the devices. It has been estimated up to 15 million IoT devices are now used by healthcare providers. Hospitals typically use an average of 10-15 devices per hospital bed.

Securing the devices can be a challenge, but most healthcare organizations know exactly where the vulnerabilities are. They just lack the resources to correct those vulnerabilities.

Manufacturers need to do more to secure their devices. Security is often an afterthought and safeguards are simply bolted on rather than being incorporated during the design process. Fewer than half of device manufacturers (49%) said security is factored in during the design of the devices and only 53% of device manufacturers conduct code reviews and continuous security checks.

82% of device manufacturers expressed concern about the security of their devices and feared safeguards may not be enough to prevent a successful cyberattack. 93% of device manufacturers said security of their devices could be improved a little to a great deal, as did 96% of device users.

“The previous mindset of security as an afterthought is changing. 99 percent agree that a security solution should be an enabler of new business models, not just a cost,” explained the researchers in their recent report. “This clearly indicates that businesses realize the value add that security can bring to their organization.”


NIST Releases Draft Mobile Device Security Guidance for Corporately-Owned Personally-Enabled Devices

The National Institute of Standards and Technology’s (NIST) National Cybersecurity Center of Excellence (NCCoE) has issued draft mobile device security guidance to help organizations improve the security of corporately-owned personally-enabled (COPE) mobile devices and reduce the risk the devices pose to network security.

Mobile devices are now essential in modern business. They provide easy access to resources and data and allow employees to work more efficiently. Mobile devices are increasingly being used to perform everyday enterprise tasks, which means they are used to access, view, and transmit sensitive data.

The devices introduce new threats to the enterprise that do not exist for traditional IT devices such as desktop computers, and mobile devices are subject to different types of attacks. A different approach is therefore required to ensure mobile devices are secured and risks are effectively managed.

Mobile devices are typically always on and always connected to the Internet and they are often used to access corporate networks remotely via untrusted networks. Malicious apps can be installed on devices that may be granted access to data. The devices are also small and portable, which increases the risk of loss or theft.

The new guidance – SP 1800-21 – explains the unique risks introduced by mobile devices and how those risks can be reduced to a low and acceptable level through the use of privacy protections. By adopting a standards-based approach to mobile device security, and through the use of commercially available technology, organizations can address the privacy and security risks associated with mobile devices and greatly improve their security posture.

NCCoE created a reference architecture to illustrate how a variety of mobile security technologies can be integrated into an enterprise network along with recommended protections to implement to reduce the risk of the installation of malicious applications and personal and business data loss. The guidance also explains how to mitigate breaches when devices are compromised, lost, or stolen.

The guidance contains a series of How-to-Guides that contain step by step instructions for setup and configuration to allow security staff to quickly implement and test the new architecture in their own test environments.

NIST also included advice on reducing the cost of issuing COPE mobile devices through enterprise visibility models and suggests ways that system administrators can increase visibility into security incidents and set up automated alerts and notifications in the event that a device is compromised.

NIST is seeking comments on the new draft guidance until September 23, 2019.

The draft mobile device security guidance for COPE devices can be downloaded from NIST on this link.


How to Choose the Right Healthcare Cloud Provider

Healthcare organizations are more frequently turning to a HIPAA compliant cloud vendor or Managed Service Provider to ensure electronic patient records are secured within a robustly secure and compliant IT infrastructure. Extensive data privacy legislation was enacted in 1996 with the Health Insurance Portability and Accountability Act (HIPAA). This legally binding compliance initiative is designed to ultimately protect the patient, but this kind of legislation can often make choosing the right cloud vendor a seemingly impossible task.

Cloud Security

Certifications and Security Standards – Whether a cloud vendor offers secure, HIPAA compliant hosting is one of the most important factors for healthcare organizations when making the decision to join the cloud revolution. HIPAA compliance assures healthcare professionals that the cloud vendor provides enhanced technical solutions in line with the administrative, physical and technical safeguards demanded by federal legislation.

These safeguards command the cloud vendor to comply with numerous regulations including:

  • Data Security – there are strict guidelines on how data is stored, transferred and removed, ensuring that data is always encrypted and always protected
  • System Security – client servers and segregated networking systems must be protected to HIPAA best practice agreements to ensure that they are only accessible by approved users
  • Structural Security – cloud data centers must be built from the ground up with stringent security protocols in place to protect the physical building and the electronic systems containing patient data
  • Maintenance – the vendor must ensure the infrastructure is always up-to-date and properly maintained, including antivirus and operating system patching

Other critical certifications to look out for include HITECH compliance and SSAE18 (SOC1 and SOC2). These standards ensure that the internal audit controls, security policies, data processing, and client confidentiality adheres to the highest standards available for a cloud vendor.

Data Governance and Compliance – There are several other critical governance and compliance processes which your shortlisted cloud vendors should adhere to:

  • Auditable – Is the cloud vendor’s infrastructure auditable? Can the vendor provide an auditor’s risk assessment report? These audits validate the cloud vendor’s compliance and offer the client greater insight into the vendor’s capabilities
  • Business Continuity – Can the cloud vendor offer secure offsite backups and data protection technology (such as disaster recovery failover) for the hosted IT infrastructure?
  • Business Associate Agreement – Healthcare compliance demands the cloud vendor must sign a Business Associate Agreement which clearly defines the rules and responsibilities of each party entering the agreement
  • Data location – It is important to know where all your data is located. Most healthcare data must stay within the United States. You need to understand the cloud provider’s data services locations. This is essential for backups and DR

Accountability and Compliance

When entering a BAA with a cloud vendor, the vendor is essentially guaranteeing you a level of service and compliance for your organization. The roles and responsibilities of the cloud vendor should be clearly defined, as well as your responsibilities as a client. The aim is an agreement that is mutually beneficial to all involved.

Other areas of accountability to consider are:

  • Service Level Agreements – This is a service agreement the vendor must adhere to or risk an (often financial) penalty. It covers things such as service uptime, the agreed RPO (Recovery Point Objective) and the RTO (Recovery Time Objective)
  • Managed Service – The cloud vendor will need to provide a level of service management agreed in the BAA. This usually includes providing and upgrading the technology solution, keeping and maintaining procedures and processes of your technical solution. It may also include offering technical support, monitoring, and pre/post-sales support.

Technology and Services

It is important to develop an understanding of what the cloud vendor can do for your healthcare business. Does the cloud vendor offer you the services and technology that your organization can utilize? 

Healthcare is a very specific business market. It is worthwhile choosing a knowledgeable vendor with vast experience providing similar services to other healthcare professionals, using tried and tested methods and proven solutions. The vendor must also be forward-thinking and constantly evolving within the healthcare marketplace, offering digital transformation services to enhance your business.

This can be done by assessing the technology and services on offer from the provider. Most healthcare organizations opt for Infrastructure as a Service (IaaS) or Platform as a Service (PaaS), but your cloud vendor can offer more services such as:

  • Managed backup service –  Compliance safeguards require a backup solution with guaranteed data protection. It is often best to leverage an existing HIPAA compliant backup service that may be offered by your cloud vendor
  • Managed Disaster Recovery solution – The ability to invoke DR services to fail over production infrastructure to a geographically disparate location is a fundamental part of healthcare compliance. Some cloud vendors can manage this in its entirety for you, including the failover sequence, boot sequence and testing, as well as implementing regular DR tests
  • 24x7x365 Operational Support – To ensure the manageability of your new cloud infrastructure you may at times need support directly from your cloud vendor. Having around-the-clock support can be highly advantageous
  • Managed network services – Firewalls and associated technology can be difficult to manage for many organizations. If your cloud provider offers HIPAA compliant network infrastructure you can be assured that you will receive a durable and reliable computer network
  • Migration Services to the cloud – Most healthcare organizations will already have a significant IT footprint, it’s important to ask what your cloud vendor can do to fast-track the migration to the cloud and also what their exit strategy is should you happen to change vendor in the future
  • Data Monitoring – Data and trend monitoring not only protects against data misuse but also offers enhanced security and system protection to healthcare clients
  • Intrusion Detection – This can be a physical or technical safeguard to protect the underlying computer hardware which provides your cloud service. If your cloud vendor offers this capability, then you can be assured your digital assets are protected to a high standard
  • Multi-factor authentication (MFA) – cloud vendors are extremely flexible with how clients access data, however, protecting this data is also important. MFA provides multiple levels of protection to sensitive data, typically by phone authorization, pin code or even fingerprint and biometric scanning
  • Encryption – Data must be encrypted at rest and in transit to the AES 256-bit standard

Everything Else

We have highlighted what we believe are the key elements to consider when choosing a cloud vendor. There are also many other factors which play a role in who you decide to utilize for cloud hosting.

  • Reliability – Consider the uptime guarantees of the vendor, consider the hardware and software partnerships they have in place as well as maintenance contracts
  • Performance – The cloud offering must also perform well despite all the security safeguards put in place
  • Scalability – Can the cloud provider grow with your business if your organization should grow exponentially?


Vulnerabilities in Servers Behind Majority of Healthcare Data Breaches

Cybercriminals are managing to find and exploit vulnerabilities to gain access to healthcare networks and patient data with increasing regularity. The past two months have been the worst and second worst ever months for healthcare data breaches in terms of the number of breaches reported.

Phishing attacks on healthcare organizations have increased and email is now the most common location of breached protected health information. However, a recent analysis of the data breaches reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) in the past 12 months has revealed servers to be the biggest risk. Servers were found to be involved in more than half of all healthcare data breaches.

Clearwater Cyberintelligence Institute (CCI) analyzed the 90 healthcare data breaches reported to OCR in the past 12 months. Those breaches resulted in the exposure, impermissible disclosure, or theft of the records of more than 9 million individuals.

The CCI analysis revealed 54% of all reported breaches of 500 or more healthcare records were in some way related to servers.

Servers house essential programs that are used across the healthcare organization. As a central repository of programs and data, they are an attractive target for hackers. Once access has been gained, data can be viewed, copied, altered, or deleted, systems can be sabotaged, and healthcare organizations can be subjected to extortion using ransomware.

CCI performed a risk analysis to determine high and critical risks facing health systems and hospitals. CCI determined 63% of all identified risks were related to the failure to adequately address vulnerabilities in servers.

The high number of server-related data breaches clearly shows that those flaws are being exploited by hackers to gain access to healthcare networks.

According to CCI, one of the most common server vulnerabilities is the failure to keep on top of user account management. When employees leave the company their accounts must be deleted. Dormant accounts are a major risk and are often used by malicious actors to access systems and mask their activities. CCI notes the risk increases with the number of accounts that are left dormant. The longer those accounts are left open, the greater the likelihood that at least one will be used for illicit or malicious purposes.

To address this risk, security controls should be implemented that automatically disable or delete accounts when the HR department changes the status of an employee. If that is not possible, CCI recommends conducting frequent, periodic reviews to ensure all unused accounts are disabled.

In an ideal world, an account would be disabled instantly. In practice, CCI recommends having the systems, policies, and procedures in place to ensure no account remains open for more than 48 hours after it is no longer required.

Reviews of system activity logs should also be conducted to determine whether dormant accounts have been used inappropriately or if any actively used accounts have been compromised or are being misused.
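The two reviews described above can be automated against an HR separation feed: one check for accounts left open past the 48-hour ceiling, one for successful logins after the separation time. This is an added example, not CCI's tooling; the HR feed, account directory, log line format and all sample values are constructed assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

SLA = timedelta(hours=48)  # the 48-hour ceiling CCI recommends

LOG_LINE = re.compile(r"^(\S+) login user=(\S+) src=(\S+) result=(\w+)$")


def ts(text):
    """Parse a UTC timestamp in the constructed log format."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def overdue_accounts(separations, accounts, now, sla=SLA):
    """Accounts still open, or closed late, relative to the HR separation time.

    Returns (user, status, hours the account stayed open after separation).
    """
    findings = []
    for user, separated_at in sorted(separations.items()):
        account = accounts.get(user)
        if account is None:
            continue  # no account on this system for the separated user
        if account["enabled"]:
            open_for, status = now - separated_at, "still-enabled"
        else:
            open_for, status = account["disabled_at"] - separated_at, "disabled-late"
        if open_for > sla:
            findings.append((user, status, open_for.total_seconds() / 3600))
    return findings


def post_separation_logins(separations, log_text):
    """Successful logins by separated users after their separation time.

    Returns (hits, unparsed_line_count); unparsed lines are counted, not
    silently dropped, so gaps in the review are visible.
    """
    hits, unparsed = [], 0
    for line in log_text.splitlines():
        match = LOG_LINE.match(line.strip())
        if not match:
            unparsed += 1
            continue
        stamp, user, src, result = match.groups()
        try:
            when = ts(stamp)
        except ValueError:
            unparsed += 1
            continue
        separated_at = separations.get(user)
        if separated_at and result == "success" and when > separated_at:
            hits.append((user, stamp, src))
    return hits, unparsed


# Constructed sample data for illustration.
NOW = ts("2019-09-03T09:00:00Z")
HR_SEPARATIONS = {
    "jdoe": ts("2019-08-30T17:00:00Z"),
    "asmith": ts("2019-09-01T09:00:00Z"),
    "bwong": ts("2019-08-20T12:00:00Z"),
}
ACCOUNTS = {
    "jdoe": {"enabled": True, "disabled_at": None},
    "asmith": {"enabled": False, "disabled_at": ts("2019-09-01T15:30:00Z")},
    "bwong": {"enabled": False, "disabled_at": ts("2019-08-25T08:00:00Z")},
    "mlee": {"enabled": True, "disabled_at": None},
}
AUTH_LOG = """\
2019-08-29T08:01:12Z login user=jdoe src=10.0.4.17 result=success
2019-09-02T02:14:07Z login user=jdoe src=10.0.9.44 result=success
2019-09-02T02:15:30Z login user=jdoe src=10.0.9.44 result=failure
2019-08-23T23:40:00Z login user=bwong src=10.0.7.3 result=success
2019-09-02T10:00:00Z login user=mlee src=10.0.4.20 result=success
corrupted line without fields
2019-09-02T11:00:00Z login user=asmith src=10.0.4.21 result=failure
"""

if __name__ == "__main__":
    for user, status, hours in overdue_accounts(HR_SEPARATIONS, ACCOUNTS, NOW):
        print(f"{user}: {status}, open {hours:.0f}h after separation")
    hits, unparsed = post_separation_logins(HR_SEPARATIONS, AUTH_LOG)
    for user, stamp, src in hits:
        print(f"{user}: successful login at {stamp} from {src} after separation")
    print(f"{unparsed} log line(s) could not be parsed")
```
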

Excessive permissions on user accounts are another serious server vulnerability. Excessive permissions can result in accidental or deliberate access, alteration, or deletion of data. The failure to restrict access rights is also a violation of the HIPAA principle of least privilege.

CCI reports that the risk of excessive user permissions is highest in organizations that do not regularly review user permissions (43.6%), perform user activity reviews (43.6%), or when there is a lack of proper user account management (43.1%).

Regular reviews of user activity will help healthcare organizations to quickly identify anomalies in user data that could be indicative of account misuse or a cyberattack. The frequency of those reviews should be dictated by several factors, including staff turnover and the number of users. CCI suggests user permission and user activity log reviews at least every quarter for an organization with 100 or more users.


ONC Report Reveals Trends in Access and Viewing of Medical Records Online

Most hospitals and physicians have now adopted electronic medical records, yet only half of patients have been offered access to their medical records online, according to a new report from the HHS’ Office of the National Coordinator for Health Information Technology (ONC).

Two of the aims of the 21st Century Cures Act were to make it easier for patients to access their health information and to improve education of patients about their rights to access their health data. The ONC conducted its Health Information Trends Survey (HINTS) to determine whether patients are being offered access to their medical records online and whether they have exercised that right and have viewed medical records that have been made available.

In 2018, there was no change in the number of patients being offered access to their medical records online. As was the case in 2017, 51% of patients were given that opportunity. However, the number of patients using that access to view or download their medical records increased. 30% of patients who were given the option had viewed their records at least once, compared to 27% in 2017.

Individuals who visited their doctor at least once in the past 12 months were twice as likely to be offered access to their medical records online than those who did not. They were also more than 50% more likely to exercise that right and access their medical records than patients who had not visited their doctor in the past 12 months.

Out of the patients who did view their medical records online, 29% viewed records 1 or 2 times, 19% viewed their records between 3 and 5 times, and 11% accessed their records 6 or more times. The number of patients who downloaded their medical records was a third higher than in 2017.

Individuals with chronic conditions were more likely to be offered access to their medical records online, as were individuals with at least a college degree, and individuals with a family income of $75,000 or higher.

When asked about the reasons why they chose not to view their medical records online, the findings were largely similar to 2017. The main reasons were that patients preferred to speak to their healthcare provider directly (73%) and that patients did not have a need to view their medical records (65%).

There were two significant changes. There was a decrease in the number of individuals who said they did not access their records out of privacy and security concerns, falling from 25% in 2017 to 14% in 2018. There was also a fall from 20% to 10% in individuals who said they did not have a way of accessing the Internet.

Americans do appear to be taking a greater interest in their health. There has been an increase in the number of individuals using health and wellness apps. 49% of respondents said they used such an app on a smartphone or tablet and one third of individuals said they use an electronic monitoring device such as a Fitbit-type device, blood pressure monitoring device, or blood glucose monitor.

75% of individuals who use an app do so to track progress toward a health-related goal. 48% use the apps to make decisions about illnesses or health conditions, and 45% use the apps to discuss their health with their providers.  The number of individuals who shared health information with a healthcare professional electronically via their smartphone or tablet increased from 26% to 28%.

“Making it easier for individuals to use apps to access, view, and subsequently share their online medical record data may enable individuals to better manage their health and address gaps in interoperability,” explained ONC. ONC’s interoperability Rule, published in February, will make it even easier for patients to access and use their health data through the use of APIs.
