May 24

The High Cost of Hoarding Data

For the last several years A&E has been helping Americans “clean out their closets” through the show “Hoarders.” Almost every episode reveals another family who cannot seem to give up all the stuff they’ve been saving year after year after year. It might be that businesses need a version of “Hoarders” to help them face up to all the data they’ve been saving that needs to be purged. Every day, storing too much data costs companies unnecessary expense and creates unnecessary risk.

Data Hoarding Creates Expenses
As data backup has become more and more routine in most businesses, the habit of saving unnecessary files “just in case” has become routine. According to data management consultant Anne Kershaw, up to 80 percent of the files and folders being stored in backup have not been accessed for three to five years.[1] This unused data continues to compound and soon organizations are paying to store data that is no longer used.

Data Hoarding Creates Risks
There is a greater cost than storing unused data: exposing secure data. “Rule No. 1 in data-breach prevention is that they can’t steal it if you don’t have it,” says Alan Brill, senior managing director of Kroll Advisory Solutions. “It would be a lot better if people remembered that one.”[2] Brill points out that certain types of data must be saved and stored due to legal requirements, but companies save far more data than they need or will use.

As storage costs began to drop, many companies began saving everything. For some companies, data management policies fail to include a data retention policy that outlines terms of duration. As a result, some data that should be deleted is saved, stored and sometimes even discarded in non-secure ways.

This form of hoarding creates unnecessary risks, and could result in pricey fines in case of a data breach. By deleting unneeded data you can automatically reduce risks. As Kershaw says, “Thieves can’t take what you don’t have.” But now here’s the problem: some companies don’t even know what data can be deleted.

Dean Gonsowski, senior eDiscovery counsel for Symantec, says that “when you talk to organizations, they say, ‘I know about 10 to 15 percent of what I have is valuable. I just don’t know how to distinguish it from the other 85 percent.’” How do you discover that 85 percent?

Cal Slemp, Protiviti Managing Director, suggests better data classification can help. Earlier this year, Protiviti conducted a survey on IT security and privacy standards, policies and practices. In their “2012 IT Security and Privacy Survey,” Protiviti found that 81 percent of companies surveyed have some form of retention and destruction policies, but some companies simply have a default policy of saving everything forever.

Slemp suggests that if companies begin classifying data appropriately, they can “gain a significant advantage in terms of cost savings, operational efficiencies, and legal and regulatory compliance.”[3] By improving the process of categorizing data and connecting these categories to specific deletion policies, companies can begin reducing hoarded data more effectively.

[1] Anne Kershaw. “Hoarding Data Wastes Money.” Baseline, April 16, 2012 <http://www.baselinemag.com/c/a/Enterprise-Content-Management/Hoarding-Data-Wastes-Money-455589/>
[2] Ericka Chickowski. “Delete Data to Delete Risk.” Dark Reading, May 16, 2012
[3] Cal Slemp. “2012 IT Security and Privacy Survey.” <http://www.protiviti.com/ITsecuritysurvey>

May 21

5 Reminders on Managing Email Infrastructure

Email has become a vital part of day-to-day business communications, topping all forms of electronic communication. In 2009, The Radicati Group released an email statistics report, projecting email usage between 2009 and 2013.[1] Here are some of the highlights:

  • Corporate users process at least 207 emails per day (2012)
  • Employees spend a quarter of each day on email and email tasks
  • A typical 1,000-user organization can spend upwards of $1.8 million a year to manage spam.
  • Annual loss due to viruses for a typical 1,000-user organization will amount to over $158,000.
  • 419 billion emails are sent each day in 2012 (507 billion will be sent in 2013)

CSOnline ran a helpful piece today on “How to avoid 5 common email management mistakes.”[2] Their five key points serve as helpful reminders for managing email in a business setting. I’ve highlighted the big ideas below:

1. You must have an active data protection and compliance strategy in place.
Management must support a business-wide acceptable use email policy. This involves understanding and enforcing any compliance issues in relation to your business (particularly important for healthcare and finance). At the same time, employees must be trained to understand the potential threats of targeted attacks via email and the risks and penalties for exposing secured data in emails. In addition to policies, the person or team responsible for email management must have some type of data loss prevention (DLP) system in place that inspects and analyzes outgoing emails to prevent confidential information from leaving the network.

2. You must have some active form of anti-spam and anti-phishing solution in place.
Even though spam has been dealt a significant blow, it continues to plague business and personal users. Management must implement technologies that reduce spam and phishing messages. Employees must be trained to respond properly when encountering suspicious emails.

3. If your company is using a cloud solution, make sure the provider can meet all security and compliance issues before signing a contract.
In February, I posted a story highlighting this very problem in the City of Los Angeles when Google failed to meet their security requirements again and again. So even though a third-party cloud provider for email may reduce costs or simplify implementation, you must make sure the provider can meet your requirements and have a contingency plan in case of disaster.

4. Your backup server must be as secure and up-to-date as the primary email server.
Due to the low use of backup servers, some companies have not always kept security and service up to date on those servers. Hackers take advantage of this vulnerability by bypassing the main server and exploiting the backup server. Make sure the backup server is not only up to date but is part of the overall monitoring process.

5. Prepare for transitioning to IPv6.
Even if IPv6 is not on the front burner, it is important to begin developing a transition plan that includes updating any outmoded IPv4 routers and switches that conflict with IPv6.

[1] Editor: Sara Radicati, Ph.D; Principal Analyst: Masha Khmartseva. “Email Statistics Report, 2009-2013.”
[2] Susan Perschke. “How to avoid 5 common email management mistakes.” CSOnline, May 21, 2012

May 18

SaaS EHR – Clinics in the Cloud

Cloud computing is fast becoming a key component in EHR implementation for smaller practices. According to a recent KLAS report, “SaaS EMR 2012: Is It For You?,” more and more physicians are turning to software as a service (SaaS) EHR solutions due to lower costs, more solutions and easier maintenance. [1]

KLAS interviewed 290 healthcare providers who are currently using SaaS EMR solutions to learn about the usage and vendors currently providing cloud-based EMR solutions. Practices chose solutions based on EMR response time, customer support, product quality and investment impact. For smaller practices looking for an entry route into EMR, SaaS solutions can offer the promise of faster implementation with a wide variety of advantages that can benefit the practice.

The challenge in any cloud-based implementation continues to be security. CIO posted a recent infographic on security in the cloud, finding that 85% of IT professionals trust the cloud enough to use it.[2] In spite of the increased cloud usage, CIO also points out that 58% are not willing to store confidential company financial data in the cloud. This reinforces the continuing question about cloud security: what data can reside in the cloud and what data cannot?

As healthcare providers consider cloud-based EMR solutions, it is essential that they have a comprehensive security strategy and disaster recovery plan to accompany their plans. Good planning, staff training, vendor accountability, and security preparation are essential and must play an ongoing role in a practice.

Whether your facility is considering a SaaS solution or you have security questions, Integracon can help you make proper preparation and planning for successful implementation. To learn more about our depth of experience in cloud service implementation, contact Integracon today. We have the deep experience that is essential and can offer a list of satisfied customers who continue to rely on our service and support.

[1] “Software as a Service EMR Model Garners Greater Appeal.” KLAS Enterprises LLC, May 14, 2012 <http://www.klasresearch.com/News/PressRoom/2012/SaaS>
[2] Thor Olavsrud, Dan Muse. “How Secure is the Cloud? IT Pros Speak Up?” CIO, March 28, 2012 <http://www.cio.com/article/703064/How_Secure_Is_the_Cloud_IT_Pros_Speak_Up>

May 17

State of Utah Exposes 780,000 Records

Sheila Walsh-McDonald, new Health Data Security Ombudsman, will assist victims of the Medicaid data breach, which put 780,000 people at risk.

Hardly a week goes by without a major data breach fiasco that could have been prevented. This week the Governor of Utah announced the resignation of Stephen Fletcher, the executive director of Utah’s Department of Technology Services, for failure of oversight and leadership (See IT World). On March 30, hackers exploited a default password on the user authentication layer of the system and managed to bypass multiple security controls. 500,000 records containing names, birth dates and addresses were exposed. On a more serious level, 280,000 social security numbers may have been exposed.

So far an investigation has resulted in the resignation of Fletcher and the firing of a contractor who provided software without encryption safeguards. At least two other IT employees are under investigation as well.

In addition to the resignation and firing, the State of Utah is addressing this breach by hiring a new health data security ombudsman (Sheila Walsh-McDonald) and conducting an independent audit through the services of Deloitte & Touche consultants.

Just last week, I mentioned that hackers often infiltrate networks via dynamic multi-staged attacks that include exploiting authentication vulnerabilities (See Preparing for Multi-Staged Attacks and Hackers Exploit Vulnerabilities). Changing default passwords is a simple process but easily and often overlooked.

Even though attacks are becoming more dynamic and breaches are happening regularly, most attacks could be easily avoided with proper (and thorough) oversight. Appointing proper security oversight and conducting regular audits are two helpful steps that can expose oversights that could haunt a company (and a CTO) at a later date.

May 10

“Managed Diversity” and the Challenge of Supporting Mobility

In a recent press release, Gartner challenges IT groups to put priority focus on developing and supporting a mobile device management (MDM) policy. “The era of fully supporting company-owned devices is giving way to an era of managed diversity in which tiered support for employee-owned, consumer-class devices is the norm,” said Terrence Cosgrove, research director at Gartner. “With the unabated growth of consumerization, IT leaders need to implement MDM to manage corporate-and employee-owned devices, and assign responsibilities inside IT departments for the service, application and security of all these devices.”

LANDesk released findings from a survey of 193 IT managers and administrators in medium-to-large size enterprise organizations. They found that the use of personal devices in the workplace is becoming all-pervasive.[1] Survey findings include:

  • 44 percent of those surveyed said at least part of their workforce works remotely.
  • 77 percent of those surveyed said end users use their personal mobile devices in the workplace.
  • 54 percent of those surveyed reported that they do not currently have a security strategy for mobile devices in place.
  • 37 percent of those surveyed reported that they deal with more than 10 malware incidents a month.

This changing environment brings inherent risks. Last year, InformationWeek Analytics released a security survey from 1,084 respondents.[2] Respondents cited two key fears:
1. Lost or stolen devices could expose sensitive company information, creating a threat beyond the company.
2. Infected personal devices could import a malicious app onto the network, or could expose the device to theft of data.

In this changing environment where more and more employees are using personal mobile devices to complete work tasks, it is essential that companies maintain and coordinate MDM between security and operations. Gartner talks about a strategy that concentrates on “managed diversity” to address the wide range of devices found in the organization.

“Because of the complexity of the mobile device landscape, there must be a person or group responsible for monitoring this landscape and for understanding users’ demands for new types of device and the impact that new platforms have on applications,” said Mr. Cosgrove. “This person or group must work with the security team regularly to address the impact that platform changes and demands for mobile services have on the organization’s security.”

The MDM market is rapidly growing and changing based on the emerging challenges facing organizations. As more employees use their own devices, companies are saving money. Some of these savings can be applied toward developing and supporting a management and security policy. For help in considering MDM as part of your overall security strategy, please contact our experts at Integracon, call 865-330-2323 or contact us via chat at Integracon.com.

[1] Staff writer. “Do mobile devices in the workplace create security problems?” Help Net Security, May 1, 2012 <http://www.net-security.org/secworld.php?id=12903>
[2] Michael Finneran. “BYOD Requires Mobile Device Management.” InformationWeek, May 7, 2011 <http://www.informationweek.com/news/mobility/business/229402912>

May 03

Hackers Exploit Vulnerabilities and Blackmail Companies

Belgian credit provider Elantis is facing a blackmail situation from hackers who threaten to publish confidential customer data online if the company does not pay $197,000 before Friday, May 4.[1] The hackers are calling this threat an “idiot tax” because Elantis left confidential customer data unprotected on a Web server.

This threat reinforces the Websense warning that I mentioned last week (see Preparing for Multi-Staged Attacks). Current server attacks use dynamic attacks that search out server vulnerabilities and then seek to exploit those vulnerabilities. Elantis has been exposed with a gaping vulnerability, and even if the situation is resolved, the company’s reputation has still been damaged.

Companies face the daily challenge of targeted attacks that seek to exploit specific vulnerabilities within the network. CSO Online offers 10 web application logic flaws that hackers love to exploit. As you consider your company’s network security and potential vulnerabilities, it might be worth rehearsing and reviewing these commonly exploited weaknesses.

Prior to a system’s release, engineers need to analyze and test the system, seeking to detect weak authentication or access policy failures. Systems should routinely be tested for authentication bypass and privilege escalation vulnerabilities. At the same time, businesses need to utilize dynamic and evolving testing models that can adapt to the ongoing evolution of application attacks.

1. Authentication flags and privilege escalation
Hackers like to exploit authorization vulnerabilities within applications.

2. Critical parameter manipulation and access to unauthorized information/content
A direct attack on authentication or authorization systems may involve manipulation of values within the Web forms or in the parameters posted to the server. Tests involve identifying easy-to-guess values and checking whether users can gain unauthorized access by changing parameter values. Another key to remember is not exposing authentication state in URLs or client-side scripts.

3. Developer’s cookie tampering and business process/logic bypass
Hackers may attempt to reverse engineer cookies and impersonate a valid user. All session and cookie data should be sent over an encrypted channel.

4. LDAP parameter identification and critical infrastructure access
An attacker may alter the LDAP statement, causing a process to run with the same permissions as the component that executes a command. If the application fails to properly validate input, this LDAP injection lets the attacker issue arbitrary commands like granting permissions. This attack succeeds when the logic fails to properly sanitize user inputs on the server side.

5. Business constraint exploitation
If the business logic of an application is poorly designed, an attacker may be able to crawl through rules and constraints. Hidden parameters and values must be tested by checking business-specific calls that can become a target and be manipulated.

6. Business flow bypass
An attacker may bypass application flow, seeking to identify critical backend data.

7. Exploiting client-side business routines embedded in JavaScript, Flash or Silverlight
Attackers may seek to reverse engineer the logic in these client-side business applications, looking for logic for cryptography algorithms, credential storage, privilege management and other security.

8. Identity or profile extraction
Attackers may seek to identify token parameters in poorly designed and developed applications, opening up the potential for abuse and systemwide exploitation.

9. File or unauthorized URL access and business information extraction
If a business application that supports file export functionality is poorly designed, it may allow for assess leakage that attackers may seek to exploit.

10. Denial of service (DoS) with business logic
Exploiting denial-of-service vulnerabilities within business applications is a common and serious attack that can stop an application and exploit application loopholes.
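
Item 4 above turns on server-side sanitization of user input before it is placed in an LDAP search filter. The Python below is an added example, not code from this post or from the CSO Online article: it puts a filter built by string concatenation beside one that escapes the value per RFC 4515, and checks whether the input changed the meaning of the query. The function names, the `uid`/`objectClass` filter and the sample usernames are assumptions constructed for illustration.

```python
import re

# RFC 4515: characters that must be written as \XX inside a filter assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

# One leaf assertion such as (uid=jsmith). The value may contain \XX escapes
# but no raw parentheses, so a raw ")" in user input ends the leaf early.
_LEAF = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=((?:[^()\\]|\\[0-9A-Fa-f]{2})*)\)")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string so it can only ever be a literal value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse the \\XX escaping, giving the literal the directory will compare."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def naive_filter(username: str) -> str:
    """Vulnerable pattern: user input concatenated straight into the filter."""
    return "(&(objectClass=person)(uid=" + username + "))"


def safe_filter(username: str) -> str:
    """Hardened pattern: bound the length, then escape every filter metacharacter."""
    if not username or len(username) > 64:
        raise ValueError("username missing or too long")
    return "(&(objectClass=person)(uid=" + escape_filter_value(username) + "))"


def leaf_assertions(ldap_filter: str):
    """Return the (attribute, raw value) pairs found in a filter string."""
    return _LEAF.findall(ldap_filter)


def input_changed_query(username: str, ldap_filter: str) -> bool:
    """True if the filter no longer means 'person whose uid equals this exact string'."""
    leaves = leaf_assertions(ldap_filter)
    if len(leaves) != 2:
        return True  # input added or destroyed an assertion
    attr, raw = leaves[1]
    # An unescaped "*" turns an equality test into a wildcard/presence match.
    return attr != "uid" or "*" in raw or unescape_filter_value(raw) != username


# Constructed sample inputs: an ordinary name, a bare wildcard, and a value
# carrying parentheses that would close the uid assertion early.
SAMPLES = ["j.smith", "*", "j.smith)(objectClass=*"]


def compare_samples():
    """Map each sample to (changed by naive build, changed by safe build)."""
    return {
        s: (input_changed_query(s, naive_filter(s)),
            input_changed_query(s, safe_filter(s)))
        for s in SAMPLES
    }


if __name__ == "__main__":
    for sample, (naive_changed, safe_changed) in compare_samples().items():
        print(f"{sample!r}: naive changed={naive_changed}, safe changed={safe_changed}")
```

In production code the directory library's own escaper, such as `ldap.filter.escape_filter_chars` in python-ldap, does the same job as `escape_filter_value` here.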

[1] Loek Essers. “Hackers blackmail Belgian bank with threats to publish customer data.” CSO Online, May 3, 2012 <http://www.csoonline.com/article/705601/hackers-blackmail-belgian-bank-with-threats-to-publish-customer-data?source=rss_data_protection>

Apr 26

Preparing for Multi-Staged Attacks

Websense released its “Threat Report 2012: The Year in Review for Threats.” Some of the key takeaways: attacks are becoming more dynamic and multi-staged, they are focused “sniper” attacks, and they are increasingly aimed more at application vulnerabilities and less at operating systems.

The year in review shows the following:

  • 82% of malicious web sites are hosted on compromised hosts
  • 55% of data-stealing malware communications are web-based
  • 43% of the activity inside of Facebook is categorized as streaming media
  • 50% of malware connections lead to the United States
  • 60% of phishing attacks are hosted in the United States
  • 36% of malware is hosted in the United States

Websense identifies six stages of attacks:

Lures
Focused on exploiting human curiosity or common actions, lures target victims on social sites and through email. Since 42% of activity inside Facebook is video, video is a common attack on social sites. Lures offering appealing videos (former boyfriends or girlfriends, current news events, outrageous antics) invite users to take surveys or win free gifts. On email, lures appear as important news that a user may be waiting for, like tax refund information, shipping/delivery information, confirmation emails, and urgent bank notices.

Redirects
Once a user clicks on the link, they are redirected onto a blind or hidden path for analysis by an exploit kit, to a survey, rogue AV offer, or fake web page.

Exploit kits
Instead of simply dumping malware on a user’s computer, the redirect may function like a sniper looking for a shot. If a vulnerability is detected, an attack may be initiated to exploit the vulnerability; otherwise the redirect may send the user to a clean site and stay hidden.

Dropper files
Now a dropper file is set in motion, but since the file uses a dynamic packer, known signatures and patterns may remain hidden, so the AV protection may not detect the attack.

Call-home communications
With only one entry point, an attack may infiltrate the system and begin stealing data. Then the attacking file may call back home for malware downloads and tools. Since most AV programs are forward facing, they fail to analyze outbound traffic from infected systems.

Data theft
Then the attack begins stealing data in low volumes per request (drips), avoiding detection over a defined period of time.

With this dynamic multi-staged attack in mind, Charles Renert, Vice President, Websense Labs, says, “More than 80% of today’s attacks require multi-stage defenses for protection.” Preparing for attacks requires a dynamic data-driven solution that utilizes big data, machine analysis, and predictive defenses that assess and respond to threats in real time.
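
The call-home and data-theft stages above depend on outbound traffic going unexamined and on each request staying small. The Python below is an added example, not taken from the Websense report: it aggregates outbound proxy records per internal host and destination and flags flows made up only of small requests that persist across many hours and add up to a meaningful volume. The log format, host names, function names and all thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_sample():
    """Build constructed proxy-log lines in the form 'timestamp src dst bytes_out'."""
    start = datetime(2012, 4, 26, 0, 0, 0)
    lines = []
    # Drip pattern: 900 bytes every 5 minutes for 24 hours to one destination.
    for i in range(288):
        ts = start + timedelta(minutes=5 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.37 sync.example.org 900")
    # Ordinary backup job: a few large uploads.
    for i in range(3):
        ts = start + timedelta(hours=2, minutes=i)
        lines.append(f"{ts.isoformat()} 10.0.0.12 backup.example.com 5000000")
    # Short browsing burst: many small requests, but all within two clock hours.
    for i in range(200):
        ts = start + timedelta(hours=9, seconds=30 * i)
        lines.append(f"{ts.isoformat()} 10.0.0.21 www.example.com 300")
    lines.append("garbled line that the parser must skip")
    return lines


def parse_line(line):
    """Return (timestamp, src, dst, bytes_out), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None


def find_drip_flows(lines, max_request_bytes=2048, min_requests=50,
                    min_total_bytes=100_000, min_active_hours=6):
    """Flag (src, dst) flows that move data out slowly in small pieces.

    All thresholds are illustrative assumptions; tune them to local traffic.
    """
    flows = defaultdict(lambda: {"requests": 0, "bytes": 0, "largest": 0, "hours": set()})
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        ts, src, dst, size = record
        flow = flows[(src, dst)]
        flow["requests"] += 1
        flow["bytes"] += size
        flow["largest"] = max(flow["largest"], size)
        # Track distinct clock hours to measure how long the flow persists.
        flow["hours"].add(ts.replace(minute=0, second=0, microsecond=0))

    alerts = []
    for (src, dst), flow in flows.items():
        if (flow["largest"] <= max_request_bytes          # every request is small
                and flow["requests"] >= min_requests      # but there are many of them
                and flow["bytes"] >= min_total_bytes      # and they add up
                and len(flow["hours"]) >= min_active_hours):  # over a long period
            alerts.append({"src": src, "dst": dst, "requests": flow["requests"],
                           "total_bytes": flow["bytes"],
                           "active_hours": len(flow["hours"])})
    return sorted(alerts, key=lambda a: a["total_bytes"], reverse=True)


if __name__ == "__main__":
    for alert in find_drip_flows(constructed_sample()):
        print(alert)
```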

Integracon offers a robust suite of security and assessment tools that can help you keep an eye on your network, your security and your business. For more information, call us at 865-330-2323 or chat via Integracon.com.

Apr 23

Compliance and Confidence Do Not Equal Security

The 2012 “HIMSS Analytics Report: Security of Patient Data” reveals that even though businesses are increasingly confident that they are better prepared to handle attempted data thefts, the actual number of breaches continues to rise.[1] The HIMSS commissioned Kroll Advisory Solutions for this survey, and Kroll Advisory Solutions senior vice president Brian Lapidus emphasizes that being in compliance is not actually equal to protecting personal health information (PHI).[2] In spite of increased compliance, breaches have not slowed over the last six years.

Compliance does not equal security. 
Theft was actually the most common form of reported breaches in healthcare in 2010. According to the report, the breaches that have impacted 500 or more people include the following:

  • 99 incidents involved theft of paper records or electronic media, together affecting approximately 2,979,121 individuals.
  • Loss of electronic media or paper records affected approximately 1,156,847 individuals.
  • Unauthorized access to, or uses or disclosures of, protected health information affected approximately 1,006,393 individuals.
  • Human or technological errors, or other failures to take adequate care of protected health information, affected approximately 78,663 individuals.
  • Improper disposal of paper affected approximately 70,279 individuals.

Healthcare is at most risk.
According to the report, “the U.S. healthcare industry is still one of the most at risk for significant data breaches.” As I highlighted last February, the US Healthcare industry is also a key target because of the high value of stolen healthcare records.[3] Healthcare faces the complexities of a changing landscape that involves the use of electronic health records, increased use of mobile devices in healthcare, more third party healthcare vendors, and ongoing regulatory changes. All these factors add to the complexity of assuring PHI security.

Healthcare faces a variety of internal vulnerabilities that must be addressed. The report highlights the following:

False sense of security linked to regulatory compliance. 
In spite of increased compliance, few organizations have any insight into the efficacy of their security programs. The report shows that organizations are more likely to update their security action plan in response to new regulations instead of updating in response to actual security breaches.

Employees threaten security through accidental and deliberate breaches.
From unauthorized access to information to lack of attention to policy, staff continually put data at risk. Facilities must assure accountability happens at all levels and that there are sufficient consequences for policy breaches.

Third party vendors threaten security. 
Though most healthcare facilities require vendors to sign Business Associate agreements, only half make sure that their providers “conduct a periodic risk analysis to identify security risks and vulnerabilities.”  They also must make sure vendors are doing background checks on new employees and providing regular security training.

Mobile devices can be a source of risk.
The potential for mobile devices to be stolen or attacked increases the risk to data stored on those devices.

Lack of security ownership hurts many organizations.
Many organizations lack a clear security champion who takes responsibility for the overall security picture including compliance issues.

This report challenges organizations to move beyond monitoring and reactive security procedures to a proactive policy that can adjust to the rapidly evolving threats.

[1] The 2012 HIMSS Analytics Report: Security of Patient Data <http://www.himssanalytics.org/research/AssetDetail.aspx?pubid=79879&tid=4>
[2] Taylor Armerding. “Compliance isn’t security, but companies still pretend it is, according to survey.” CSO Online, April 19, 2012 <http://www.csoonline.com/article/704577/compliance-isn-t-security-but-companies-still-pretend-it-is-according-to-survey>
[3] Healthcare Primed for Major Data Breach, February 5, 2012 <http://integracon.wordpress.com/2012/02/05/healthcare-primed-for-major-data-breach/>

Apr 20

Social Media in Healthcare

As healthcare facilities transition to EHR and extend engagement with patient customers online, the role of social media becomes an important question. Some facilities have had a prohibition in place that prevents employees from mentioning the facilities in any way. Other facilities have little or no specific policies in place. According to a recent HCCA report, only about one-third of their respondents actually had a social media policy in place. While they found that many health care facilities did have some type of policy in place, the overall number of facilities with social media policies has dropped from 2009 to 2011.[1]

At the same time, more and more customers are looking to social media sources for healthcare answers. Ed Bennett recently posted results from an April report from Price Waterhouse Coopers.[2] He summarizes a few of the findings as follows:

  • One third of consumers now use social media sites for health-related activities
  • 40% of consumers have sought out reviews of treatments, physicians, and other patient experiences
  • 45% of consumers say information from Social Media sources would affect their decisions
  • 73% would welcome social media based tools like make an appointment, or ask a question – but expect a quick response
  • 54% are comfortable with their doctors using online physician communities for advice related to their health situation
  • Consumers are significantly more likely to trust social media  information from their doctors or hospital, less likely to trust insurers or drug companies

Social media and healthcare are poised for significant interaction. This interaction comes with opportunities and risks. Facilities cannot afford to ignore social media. Many doctors, nurses and other staff are already actively engaged on a personal level. Healthcare consultants CSC offer a helpful list of recommendations for considering social media:

1. Develop Policies
Facilities must take time to understand the challenges and develop appropriate policies that uphold privacy requirements, maintain security and preserve standards.

2. Educate staff
The staff should be properly introduced to the policies and trained in the risks and opportunities in social media.

3. Listen and learn
Watch your customers online. Listen to what people are saying about your facility using Facebook, Twitter and other tools. Pay attention to what your competition is doing in the social media sphere.

4. Take baby steps
Initial engagements should be focused on extending brand presence, customer relations, and other non-medical participation.

5. Learn how to engage
PWC emphasizes that listening is good but over time you must engage customers and build relationships. Social media can offer a great place for educating customers and introducing customers to expanded web services on the secure site. Over time, you may discover how to develop and evolve your presence in the social media space.

6. Appoint managers
As you grow, you may find it beneficial to appoint social media managers from within the practice who will monitor, respond and make sure all content is accurate and within regulation.

[1] Social Media and Compliance. A survey by the Health Care Compliance Association & the Society of Corporate Compliance and Ethics. February/March 2011 <http://www.hcca-info.org/staticcontent/2011SocialMediaSurvey_report.pdf>
[2] Social media “likes” healthcare: From marketing to social business. Price Waterhouse Coopers. April 2012, <http://hcsm.me/pwchealth>

Apr 13

EHR and the Patient-Physician Relationship

While EHR implementation involves extensive technological investment, implementation and management, it is essential that the focus remains on the human-centered goals. IT provides tools that both support and extend the patient-physician relationship. When introducing EHR initiatives to the Executive staff and/or the facility staff, it might be helpful to clarify this link between technology and patient-physician outcomes.

In 2003, Johns Hopkins and American Healthways sponsored a summit bringing over 200 physicians and patients together in a conversation focused on “Defining the Patient-Physician Relationship for the 21st Century.” This conversation might be summarized as a focus and clarification on patient-centered care. They write,
“Amid the changes, one of the clearest themes to emerge is the centrality of patients. Increasingly, they are not simply recipients of care or subjects of research but active, informed individuals who wish to know more about their condition and exert greater control over their own care.”[1]

With this active patient participation in mind, they highlight “seven principal elements that both patients and physicians believe are essential to the relationship.” I suggest the following seven elements might be helpful to keep in mind when considering the role of technology in healthcare practice:

1. COMMUNICATION
Technology introduces a variety of tools that can facilitate two-way communication between patient and physician. Improving communication can lead to improved patient care, better patient comprehension of physician instructions, higher patient satisfaction and more referrals, higher physician satisfaction, fuller perception of patients by physicians and vice versa.

2. OFFICE EXPERIENCE
Technology can facilitate common exchanges like prescriptions and refills, completing information forms, delivering communication to patients and asking questions to physicians/nurses by patients. Extending the relationship outside the office can reduce patient dread at visiting the office, increase patients’ likelihood of seeking treatment when needed, and reduce complaints.

3. HOSPITAL EXPERIENCE
Technology can provide information that allows physicians and nurses to personalize patient care, improve communication among staff and between staff and patient, and provide continued support after discharge.

4. EDUCATION
Technological tools can help facilitate education between physician and patient, provide patients with more information that can help patients make better decisions, coach patients who are trying to change health-related behaviors, and empower patients with tools to take a more active role in personal care.

5. INTEGRATION
Technology can improve information sharing between all members of the healthcare team, so that they can improve treatment and increase consistency between caregivers.

6. DECISION-MAKING
Technology opens two-way communication, giving patients (and patient advocates) a stronger voice in their own care.

7. OUTCOMES
Overall healthcare outcomes can be improved on multiple levels. Measurable data can improve diagnosis and treatment. Patients play a more active role in personal care and treatment. Patients have the opportunity to clarify physician instructions and improve adherence in a given area.

This is just a high level overview but it gives us a way of thinking and talking about technology as support for improving the very human goals of improving patient care by improving physician-patient interactions.

[1] Defining the Patient-Physician Relationship for the 21st Century. 3rd Annual Disease Management Outcomes Summit, October 30 – November 2, 2003, Phoenix, Arizona <www.cardiophonics.com/PatientPhysician.pdf>