Thursday, February 19, 2009

MAeHC launches subsidiary

Today we're announcing the launching of MAeHC Professional Services Corporation (PSC), a for-profit, wholly owned subsidiary of the Massachusetts eHealth Collaborative. Our press release is here. PSC will provide a broad range of fee-based consulting services related to EHR deployment, health information exchange, and quality data warehousing. PSC will provide these services—including strategic planning, project management, and project execution services—to both nonprofit and for-profit clients throughout the United States who are involved in a variety of health IT activities.

Today's Boston Globe gave our launch some nice coverage (New eHealth subsidiary will fund expansion), and we greatly appreciate their interest in the story. One thing from the story that I'd like to clear up is that it suggests that we don't work with so-called "web-based" applications such as athenahealth. In fact, both MAeHC and MAeHC-PSC are vendor- and platform-agnostic, and we ourselves have deployed both web-based and client/server-based applications. And, of course, we're happy to work with athenahealth.....

Saturday, February 14, 2009

Darn, I'm a breach victim......

I just got the following email.
Important Message from Pentagon Federal Credit Union
Ref. Card Number
Ending In: XXXX

Dear Member,
Visa Fraud Control has recently notified us that your Pentagon Federal Credit Union Visa credit card account number, name, expiration date, and CVV (a three-digit verification value on the magnetic stripe of the plastic) may have been compromised in a processor level breach at Heartland Payment Systems, Inc. Heartland Payment Systems, Inc. is one of the nation's largest payment processors delivering credit/debit/prepaid card processing, payroll, check management and payments solutions. Heartland has dedicated a website, to provide additional information on the breach.

Information pertaining to your other Pentagon Federal Credit Union account(s) has not been associated with this event or compromised in any way. The compromise did not occur at Pentagon Federal Credit Union nor did it involve any of our systems. All of your Pentagon Federal Credit Union account information remains absolutely secure.

We continue to take all necessary precautions to safeguard and monitor your Pentagon Federal Credit Union accounts to protect against unauthorized activity. We have provided a series of frequently asked questions below that provide additional details and tips.

Please review them and if you would like to receive a new card with a new account number, please use the instructions provided below. You may reach us toll free at 800-247-5626 or online at

If you have recently closed the referenced card, please disregard this correspondence. We apologize for any inconvenience this may cause. We appreciate the continued trust you have placed in Pentagon Federal Credit Union. Thank you for remaining a valued member.

Vincent Gay
Director, Security
Pentagon Federal Credit Union

In this simple email we see the complexity of breach notification. Let me say for the record that I love PFCU -- I've been a member of PFCU for many years and will continue to be for many more.

On the negative side of this notification is the ambiguity. My information "may have been compromised" -- not sure if it actually was, so I'm not sure what the actual risk is. They're fulfilling a legal and/or ethical obligation to tell me the nature of the breach, but are they really helping me by telling me that it's a "processor level breach", without further explanation? And how am I as a consumer supposed to assess my level of exposure? Does this mean that there was an actual intrusion of Heartland's environment, or that they discovered a security hole that could have been entered without their knowledge but they really have no idea whether it was?

On the positive side, I'm alerted, so I myself can keep my eyes open for suspicious activity.

This notification was for a relatively simple incident in a disciplined corporate setting, and it still raises more questions than it answers. Makes me wonder about how we're going to strike the right balance as we move to stricter breach notification regimes in health care.....

Wednesday, February 11, 2009


Farzad Mostashari and I wrote a short white paper urging a more direct link between Federal HIT incentive funds and regional HIT extension centers (Farzad deserves the lion's share of credit for taking this idea and running with it). Pretty straightforward idea, really -- rather than just handing out $18 billion in cash to providers, funnel those funds through an infrastructure that will protect the government's investment by ensuring that adoption happens efficiently, effectively, and with public benefit in mind. You'd think this would be a no-brainer after our recent experience with the $350 billion bank give-away, but so far, the concept hasn't made its way into the stimulus package.

The letter has gotten almost 60 signatures from individuals and groups across 26 states, including some prominent national organizations such as the eHealth Initiative, NCQA, National Partnership for Women & Families, and Pacific Business Group on Health. It's also gotten a fair amount of attention. It was featured on iHealthBeat, John Halamka wrote about it in his blog, and it was also picked up by the New York Times. Thanks to everyone who co-signed it......hopefully somebody up there is listening!