Web Log


A Tale of Two EHRs: The Cerner and Epic Train Wrecks

8/15/2016 9:55 AM

Today we have a loosely coupled doubleheader for you. In the news this morning, Bon Secours, a Richmond, Virginia healthcare system, exposed 655,000 patient records from Virginia, South Carolina and Kentucky to the internet from its Epic EHR system. Read all about it. According to a press release from Bon Secours:

  "...R-C Healthcare Management, a company doing work for Bon Secours, inadvertently left files containing patient information accessible on the internet while attempting to adjust their network settings from April 18th to April 21st."  

We here at Sentia (OK, I represent Sentia) are a little confused. Why are there files lying around on some disk or disk array to expose to the internet? A database has two files, and you can't get to them because they are locked by the database engine; you can't even copy them while they are in use. If your EHR is designed correctly, or at all, you can't expose this to the internet. Epic is one of two huge companies that vend EMR/EHR systems. Clearly they are doing something wrong.

In related news, the other huge EMR/EHR vendor, Cerner, just allowed its CEO, Neal Patterson, to cash in his stock options for a net $26,900,000 ($26.9 million). Patterson has led Cerner since 1995, when they began with 1,095 employees. Today they employ more than 22,200 worldwide. Patterson still holds options to buy 1,138,000 more Cerner shares at $3.70 apiece. The stock closed Friday at $66.45. If we do the math, that means this guy stands to make another $71,000,000 in addition to his salary.

Here are a couple of problems. First, as a software vendor, you don't need people. Sure, you have to have developers, and you have to have a support team to reset passwords, but 22,200 people??? We have one guy who does bug fixes, support, administration and billing. We call him the "Maytag Repairman" because, outside of clicking the "Go" button to send out bills, he literally doesn't do anything. Everything is automated. With 22,200 people I could describe the universe and give three examples and NOT lose anyone's data. Second, I don't care if this guy is the second coming AND the world's greatest developer (he isn't); he isn't worth $100,000,000 plus his salary.

How are these stories related? If there are two big vendors, we have to conclude that they have similar offerings. If they didn't, one would shrivel up and die and the other would flourish. Since this isn't happening, the obvious conclusion is that they are, for all intents and purposes, the same. If they are the same and Epic just exposed 655,000 patient records to the internet, then Cerner either has or will expose their patient records to the internet. Just do a search for "Cerner Data Breach" (I suggest Bing). Go ahead, I'll wait.

So Cerner has data breaches too. The top stories I found were about someone hacking into their data center, not just some hospital out in the world with lax or nonexistent security. Clearly, obviously, demonstrably, we can't trust these huge vendors to secure our data. I don't really want anyone to know I'm getting treated for carbuncles on me bum, but even worse, there is enough information on those servers (think date of birth and social security numbers) to open a credit account in my name and start buying things.

At Sentia, we don't have files lying around and honestly can't figure out why anyone would. All our data (images included) reside in our database, as they should, and that database is encrypted at rest, so that even if the database itself were stolen (it can't be) the hackers couldn't get into it. That isn't even the double security layer. First, all data transfer is done over secure sockets. That means the data is encrypted before being transmitted across the internet. That wasn't enough for us. The NSA can break that encryption in real time and look for my carbuncles. The second layer is an ever-changing Globally Unique Identifier (GUID) that identifies both the user and the session. This GUID is never transmitted across the internet and is required to authenticate both the user and the session for each database call. We literally CANNOT have an Epic-style data breach.
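The paragraph above describes a second authorization layer: a per-session identifier bound to a specific user, replaced continually, and checked on every database call. The block below is an added illustration of that pattern and is not Sentia's code; the post does not say how its identifier is generated, stored or rotated, so the design here is an assumption. It models a server-side registry in the application tier that gates a data-access function: each successful read returns a fresh identifier, a call presenting a stale identifier is refused and closes the session, and a call from the wrong user for an otherwise valid identifier is refused. The patient record, user names and session lifetime are constructed sample values.

```python
from __future__ import annotations

import hmac
import secrets
import time

# Constructed stand-in for the database table. The post keeps such data
# encrypted at rest; this example only demonstrates the per-call gate.
PATIENT_RECORDS = {
    "P-1001": {"name": "Constructed Patient", "dob": "1970-01-01"},
}


class SessionRegistry:
    """Server-side table of live sessions (hypothetical design).

    Each session is bound to one user and carries a random call identifier
    that is replaced on every successful data access, so a captured value
    is only good for the one call it was issued for, and only by that user.
    """

    def __init__(self, ttl_seconds: int = 900) -> None:
        self._sessions: dict[str, dict] = {}
        self._ttl = ttl_seconds

    def open_session(self, user_id: str) -> tuple[str, str]:
        session_id = secrets.token_hex(16)   # stable handle for the session
        call_id = secrets.token_hex(32)      # rotating per-call identifier
        self._sessions[session_id] = {
            "user": user_id,
            "call_id": call_id,
            "expires": time.monotonic() + self._ttl,
        }
        return session_id, call_id

    def authorize_call(self, session_id: str, user_id: str, call_id: str):
        """Return a fresh call identifier when session, user and call_id all
        match; otherwise None. A wrong call_id closes the session, since it
        means either a replayed value or a client that has fallen out of sync.
        """
        rec = self._sessions.get(session_id)
        if rec is None:
            return None
        if time.monotonic() > rec["expires"]:
            del self._sessions[session_id]
            return None
        if rec["user"] != user_id:
            return None
        if not hmac.compare_digest(rec["call_id"], call_id):
            del self._sessions[session_id]
            return None
        rec["call_id"] = secrets.token_hex(32)      # rotate on every use
        rec["expires"] = time.monotonic() + self._ttl
        return rec["call_id"]

    def is_open(self, session_id: str) -> bool:
        return session_id in self._sessions


def fetch_patient(registry: SessionRegistry, session_id: str, user_id: str,
                  call_id: str, patient_id: str):
    """Data-access function: every read passes through the registry first.

    Returns (record, next_call_id), or (None, None) if the call is refused.
    """
    next_call_id = registry.authorize_call(session_id, user_id, call_id)
    if next_call_id is None:
        return None, None
    return PATIENT_RECORDS.get(patient_id), next_call_id


def demo():
    """Walk through one good read followed by a replay of the used identifier."""
    reg = SessionRegistry()
    sid, cid = reg.open_session("dr_alice")
    record, _next_cid = fetch_patient(reg, sid, "dr_alice", cid, "P-1001")
    replayed, _ = fetch_patient(reg, sid, "dr_alice", cid, "P-1001")
    return record, replayed, reg.is_open(sid)


if __name__ == "__main__":
    print(demo())
```

Note what this layer does and does not buy you: an identifier captured from one call is worthless for the next, and the session it belonged to is closed the moment a reuse is seen, so the window for misuse is a single call. It does not, by itself, protect the data tier from someone who already has read access to the storage; that is what the encryption at rest in the paragraph above is for.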

Meanwhile, these idiots are charging hundreds of millions of dollars per installation and paying idiot CEOs hundreds of millions of dollars when they clearly, obviously and demonstrably do not know what they are doing. And who do you suppose, dear reader, is paying for all of this? You are.

Here is a simple question: would you rather pay hundreds of millions per installation and tens or hundreds of thousands per month for support and infrastructure, plus hundreds of millions to idiot CEOs (I'm aiming squarely at you, Neal Patterson and Judy Faulkner), or would you rather have a secure, well-written EMR provided for free by your insurance company, who also charges 1/3 less than your current health insurance provider?

If I were you, dear reader, I would start calling and writing my senators and representatives and the administrators of my local hospital right now and demanding better. Heck, the VA is looking at Cerner and Epic, and that installation will cost billions, and both vendors have completely failed installations that had to be rolled back to paper records. Sentia will do it better and faster than they can, and do it for 1/100th of whatever price they quote.

A 99% discount sounds pretty good, doesn't it? We provide:

Real Solutions

Visit https://sentiahealth.com or email us at info@sentiahealth.com
