When it comes to Google Apps, I’m certifiable

Back in mid-2007 I deployed my first instance of Google Apps, replacing a Microsoft Exchange 2003 server. It was a controversial choice back then — Google Apps was still pretty new and it wasn’t yet clear whether Google was going to stick with the platform and build it out. But there were several deciding factors that pushed me to an Apps deployment:

  • I was working at a nonprofit, so Google Apps was free for us; worst case I could always fall back to the in-house system
  • Our Microsoft Exchange 2003 server was constantly running out of space and was a pain to back up
  • We lived under a monstrous waterfall of spam that required a special appliance outside the Exchange box that worked well but was costly
  • Our Internet connection was relatively slow and outrageously expensive, so handling all the mail traffic in-house was painful, especially when the in-house web site was what we really wanted to share with the world, not our email system
  • Our users wanted to send and receive larger and larger files via email, which only strained all of the above factors further

We made the switch, I uploaded a bunch of mail using Google’s then-primitive migration tools, and I put everyone onto the web-based interface — no Outlook allowed. We did trainings and I spent a lot of time helping users get acclimated to the new way of doing things. This was before drag-and-drop email attachments in Gmail. It was before full compatibility with external calendar invitations. It was before Chrome.

And I was immediately hooked.

Why Go Google?

From an IT perspective, this Google Apps thing was awesome. There were no servers to own, nothing to back up, nothing to manage — aside from creating and deleting accounts. The users had far more space than they’d ever had (7GB at the time) and far more space than I could have ever offered locally at a reasonable price. The system was accessible everywhere, and no matter where you got your mail or looked at your calendar, it functioned the same way. And, as a nonprofit, it was all free! We even started using Google Docs right away, sharing selected spreadsheet data with remote workers and volunteers, allowing for real-time collaboration that at the time was mind-blowingly simple yet powerful.

Since then the Google Apps platform has matured with better features, a more homogenized interface in the apps, better administration tools, more reporting, more granular controls, and great (paid) add-ons for email archiving and spam control. And since then I’ve deployed Google Apps 4 more times, not to mention personal use. My most recent migration was last year, again dropping Microsoft Exchange 2003 and Outlook to go all-cloud all the time.

And then there was this past weekend.

Getting Certified

After managing and evangelizing Google Apps all these years, I stumbled across a certification program for Google Apps nerds like me: the Google Apps Certified Deployment Specialist. So I dug through the Study Guide, re-read a lot of stuff I knew, learned a few new tricks Google has developed in the last couple of years, and paid my testing fee.

The weird part was the testing method. Rather than send you to a local testing center — where you might sit for Microsoft or Citrix or VMware or other vendor exams — this one is done at home or in your office. You can take the test anywhere you have a live Internet connection, a Windows or Mac machine, and a special USB webcam they make you buy. Total cost is about the same as those other exams, but you can schedule it on weekends or in the evenings and take it at home. They proctor the exam through the webcam and special software.

It worked great. The only thing I was “corrected” on during the exam was the fact that I started to read some of the questions out loud, to puzzle them out audibly. That’s verboten, probably because they fear you’d read the questions out loud so you could either record the questions (and give them away to others wanting to take the exam) or ask someone else nearby to provide an answer. It’s too bad, because I like to “talk out” technical solutions. Oh, well.

61 questions after starting, I had passed the exam, so now I’m certified! It’s the first major cert I’ve picked up since the “good old days” of Windows NT 4 and Lotus Notes and Domino. And it’s fun to have a Google certification, perhaps because it’s so rare. My certificate was numbered “1298”, which suggests there were fewer than 1,300 people certified when I took the exam. That’s cool — I’m in a group smaller than my high school census (except we’re all certified Google Apps pros!).

Can you use Google Apps in a healthcare environment?

I may need to address this further in a future post, but the short answer is yes. People freak out about HIPAA (as they well should) but the key thing to consider is how you use your email system. Bottom line: If you don’t store or share PHI (protected health information) in your email system, then HIPAA rules don’t apply. And for those that are using email systems (of any kind) to share or transmit patient data, I have a question: Are you out of your mind? Email is a promiscuous platform by design — it’ll “sleep” with anyone and it’s 1 degree away from every email account worldwide — so why would you ever push patient information through it? If it helps, I’ve actually addressed the Apps/HIPAA discussion elsewhere before.

Sidebar: I may also have to write a post someday (really a rant) about email footers with lots of legal language in them — a silly practice that has no force of law behind it. If you want to put in a “please don’t share this” message down there, that’s cool, but stop trying to create unilateral contracts with your footers — that’s not a thing.

All that said, I do think Google needs to rethink their stance on signing HIPAA Business Associate Agreements (they won’t sign them). They either need to start signing or they need to post a definitive position paper on HIPAA issues related to Google Apps. Microsoft has shown a willingness to sign BAAs for Office 365 services, which makes their service more attractive, despite their downtime problems. Google has done a good job addressing the overall security of Google Apps, but they need to go a step further, to assuage the fears of healthcare executives and Boards that don’t understand technology very well.

What’s next?

For now I’m a happy Google Apps administrator, still learning, still sharing tips with users new to the platform. Oh, and I’m a Certified Deployment Specialist, of course! So if you’ve got questions about going Google in your healthcare environment (or any business, really) just let me know. I can answer some questions in the comments or we can take the conversation offline.

Defining informatics for health center teams

I just ran across this great short post on informatics and had to share it. I wish Dr. Gibson had written this post a couple years ago when I first used the word “informatics” with my new health center colleagues. When I said the word, I might as well have been speaking Klingon — no one knew what it was — not the clinicians, the business folks, operations… no one had heard the term. Of course it didn’t help that I recommended we consider hiring an informaticist — a new position that no one knew they needed and couldn’t define. 😉

At the time, and to some degree even today, there was an expectation that mainline IT staff would fill the role of informaticist for the company. And in some small ways, we do. But not in the big ways, not in transformative ways. Our IT staff are saddled with basic systems maintenance, user support, new system installation and integration efforts, and so on. We’re not clinicians by training. While we listen and learn a little every day about our clinical operations, we’re still not doctors or nurses. (Funny how that works.)

So what is informatics? What does an informaticist do? Dr. Gibson explains it like this (boldface mine):

Important informatics skills include change management (not just IT change management, but culture and process change management as well), business analysis, stakeholder engagement, project management, requirements development, strategic thinking to place projects into a larger vision, building for inter-operability, translating between IT & business, system life cycle, communications, [etc.]. A good informatician can speak the language of both IT staff and program staff, and should be a good communicator and group facilitator.

Informatics skills are not necessarily present in IT departments. A programmer may be very skilled in writing a program to do what he wants, but is rarely skilled in getting the thorough understanding of what users need. The database administrator may be very skilled in structuring a database to run very quickly, but usually does not understand the content well enough to create operational definitions that address what program managers want to know.

My recommendation from a couple years ago was that we needed to hire an informaticist, or at least someone who had clinical background and technical chops. With all the reporting and analysis requirements in UDS, Meaningful Use (MU), and Patient Centered Medical Home (PCMH), not to mention workflow changes needed to meet increasing security and privacy requirements (HIPAA, HITECH) and general efficiency needs, having someone who could drive workflow / care / data change projects and communications would help a lot.

In the end we didn’t hire a classic informaticist, but we do have a high-level manager driving Quality Improvement (QI) efforts, PCMH, and MU, and she’s quite technically capable as well as a licensed provider. So we’re covering the need for now.

It’s possible that at our scale (currently around 130 employees), perhaps a full-blown highly-paid informaticist won’t be necessary in the future. It’s possible the EHR vendors and various governmental agencies will settle on a collection of core measurements and workflows that work for everyone and those features will just be built-in to our systems. (Ha! Sometimes I crack myself up…)

But for now, I would argue everyone in the health center space (50-500 employees) needs to be thinking about hiring an informaticist. Someone that has clinical training. Someone that isn’t afraid of computers and likes data and analysis. Someone that can communicate well and can drive change projects. So yeah… a miracle worker!

Meanwhile, everyone on your management team needs to know what informatics is. Your health center needs to get comfortable with data and change. Because “accountable care” demands proof, and the proof is in the data.

BONUS: Informatics Links

Buzz is building around the Fitbit Flex

Fitbit was one of the first to bring a consumer activity tracker + web site + mobile app ecosystem to the edge of the mass market, and they’ve won a lot of converts over the last couple years. But at the same time, there’s been an explosion of other trackers and platforms for capturing physical movement, encouraging more activity, and viewing and sharing the data collected. Can Fitbit stay on top?

Well, they’re certainly going to try.

This week Fitbit introduced yet another revision to their activity tracking lineup, a new design intended to recapture users that defected to the wristband-style Nike+ FuelBand or the Jawbone Up. And the tech press, in their annual CES frenzy, are trumpeting the announcement as the next big thing:

The details are simple, really. The Fitbit Flex will be $100 and launch sometime in the spring. You can pre-order right now.

For me, Fitbit is challenging my devotion to the Nike+ FuelBand by combining what I liked about the Fitbit with what I like about the FuelBand. Mostly. So here’s my take on the pros and cons of old Fitbit, current FuelBand, and the announced Fitbit Flex…

Where the Fitbit One Beats the FuelBand

  • Because the design calls for you to wear the Fitbit near the center of your body mass (at or near the waist), it’s much more accurate when counting steps or overall body movement than wrist- or arm-mounted activity trackers.
  • Fitbit has several data integrations included with its cloud-based platform, so you can send your captured data lots of different places, including Microsoft HealthVault. This bodes well for the Fitbit’s future prospects as a provider-integrated EHR-syncing activity tracking platform. You know… someday.
  • The Fitbit web and smartphone app platform is more feature-complete than Nike’s, especially if you’re anal enough to enter all your foods, moods, water, and any exercises not picked up by the activity tracker. Nike has a great iOS app with Facebook integration for social health purposes, but then so does Fitbit.
  • All the Fitbit activity trackers are cheaper than the FuelBand. It’s $70 and $100 vs. $150. That’s a big difference.
  • The Fitbit One (but not the “Zip” edition) can track steps climbed using an altimeter function. The FuelBand can’t do that.
  • Like the new Flex (discussed below), the Fitbit One syncs wirelessly with low-power Bluetooth 4.0 anytime you’ve got the app running on your smartphone.

Where FuelBand Beats the Fitbit One

  • The Fitbit One is easily lost in pockets, off your belt, and can end up in the washing machine (and then the trash). The FuelBand, by comparison, just goes on your wrist — end of story. It’s snug and doesn’t have to come off much, so you’re not going to lose it easily. This advantage cannot be overstated. Lots of users have switched to the FuelBand because the data captured, while less accurate, is more complete and consistent because the FuelBand is just more likely to be worn.
  • The FuelBand’s integrated display is attractive, engaging, and informative. The Fitbit One’s display is okay and functional, but not all that engaging. For the good stuff you have to hop into the smartphone app.

And Now the Fitbit Flex: Where Does it Win?

  • The Fitbit Flex can be used for sleep monitoring, just like its non-wrist predecessors. The FuelBand skips this feature, though the Jawbone Up matches it.
  • If you can be woken up by a vibrating wrist, then the Flex can be your alarm clock. Like the Jawbone Up, it will theoretically buzz at the right moment in your sleep cycle so you wake up refreshed. Reviewers seem to think it works. The FuelBand has no such feature.
  • The motion-sensing part of the Flex can be popped out and dropped in a pocket if you don’t want to wear the wristband.
  • The Nike FuelBand is sold in 3 wrist sizes and you have to figure out which one is right for you (I screwed up on my first choice). The Flex comes with 2 bands and has a highly-adjustable watch-style wristband.
  • You can swap out different Flex wristband colors (if you must) by buying additional bands.
  • Using Bluetooth 4.0 means the Fitbit Flex can maintain smartphone connectivity all day without killing either the wristband’s or phone’s batteries. The FuelBand runs on older Bluetooth modes, requiring manual syncing and more power. The Jawbone Up isn’t even wireless, instead plugging in to your headphone jack for syncing.

Potential Fitbit Flex Problems

  • The FuelBand has a smooth, rounded shape across its entire body, but the Fitbit Flex has a blocky, squared-off top that’s much more likely to catch on clothing. I’m also wondering whether the watchband styling will be annoying. I haven’t worn a classic watch in years.
  • Aside from the 5 LED dots, there’s no multi-function display, so it’s a step ahead of the Jawbone Up, which has no display at all, but several steps behind the FuelBand, which can also act as a watch. (Of course, with Bluetooth 4.0 live syncing, you can view your Fitbit stats on your smartphone anytime.)
  • The Flex lacks the altimeter of the Fitbit One, so no tracking steps climbed.
  • While wrist placement is convenient, it’s also far less accurate in measuring activity when compared against the Fitbit One or any torso-bound tracker.

Conclusions: Fitbit Flex Wins, But It’s a Fast-Moving Market

  • The Fitbit Flex is a winner overall, if it works as advertised. Remember that the Jawbone Up was a disaster at launch and took a year to be revised. Time will tell, but Fitbit has successfully built and launched all prior models.
  • The Flex effectively neutralizes the threat of the FuelBand and the Jawbone Up by offering equivalent physical functionality at a lower price.
  • The Fitbit platform is a major advantage you can’t see on the box, but it will matter most in the long run. Their platform is purpose-built and widely-integrated with other apps and web systems. The FuelBand is, let’s be honest, a side project for Nike. The Up is similarly a side project for Jawbone, the Bluetooth headset and portable speaker manufacturer. Fitbit is focused where the others aren’t.
  • For all the good stuff about Fitbit and the Flex, the truth is the quantified self sector is just starting to reach the mass market. Who knows who wins in the long run?

For now, I’ve pre-ordered the Fitbit Flex for myself. And I can report back here in the spring.

Desperately seeking a HIPAA-compliant Ford Mustang

After the harrowing account of a hospice in northern Idaho being slapped with a $50,000 fine for 411 breached patient records, it’s good to see that even the big players — the biggest in the industry — screw up from time to time.

This widely-cited case, first reported by the L.A. Times, tells the story of how healthcare giant Kaiser Permanente got a little sloppy and ended up working with a contractor who stored electronic patient records all over the place, including sometimes storing records — and I love this — in the trunk of his Ford Mustang.

Which raises the obvious question: Are Ford Mustangs HIPAA compliant? What about a Honda Accord? Maybe a PT Cruiser?

And while that’s the wildest part of the story for me, what’s even more fun is the fact that Kaiser and their mom-and-pop patient records handler (yes, literally — mom-and-pop) have been trading accusations in and out of court for the past 2 years, each accusing the other of not caring about patient privacy and data security.

L.A. Times writer Chad Terhune did a masterful job painting a picture of the comical data security with these gems:

  • “On a recent day [the patient records] sat next to a red recliner where Ziggy, the family’s black-and-white cat, curled up for a nap.”
  • “…kept those patient records at a warehouse in Indio that they shared with another man’s party rental business and his Ford Mustang until 2010.”
  • “…Kaiser said the Deans put patient data at risk by leaving two computer hard drives in their garage with the door open. In response, Stephan Dean moved them to a spare room.”
  • “‘We could have sold these emails [with patient records] to somebody in Nigeria, but Kaiser doesn’t care about its patients’ information.’”
  • “‘[Kaiser] should have signed a contract prior to the commencement of this project,’ the manager wrote.”

Be sure to read the article all the way to the end. That last sentence is a killer.

Kaiser got into this mess because they gobbled up yet another smaller hospital and needed to absorb all the patient records quickly. So they outsourced the job. No problem there, really. It’s who they outsourced to that ended up being a disaster.

So far, there’s no known patient data breach, which is great for patients. But authorities are investigating and Kaiser’s got a lot of egg on its face with such a high-profile piece hitting the Times.

The lessons for your patient data security efforts? Wait… you really need me to spell this out?

It’s simple. You need your own Ziggy — a certified Patient Privacy Attack Cat — and a Mustang. IT’S RIGHT THERE IN THE FEDERAL CODE, PEOPLE.

Updated ‘quantified self’ gear coming this year

The quantified self movement keeps chugging along, with updated tech announcements coming from both Withings and BodyMedia this week.

BodyMedia will introduce an updated version of their arm-mounted health data collector, theoretically shipping in August. The new version is quite a bit more attractive than the current one. It measures activity / movement, sleep patterns, and calories burned. It competes with the Nike+ FuelBand, the Fitbit One, and others.

Withings, who first arrived on the scene with a Wi-Fi weight scale, is introducing an updated scale — the Smart Body Analyzer — but also an activity monitor — the Smart Activity Tracker — to compete with Fitbit and all the rest. It’s not clear when these products will ship, though Withings is claiming a Q1 release.

The Smart Body Analyzer is the most interesting addition to the field, as it’s bringing more sensors to the party. This thing will get your weight and body fat percentages, like the current model, but it will also capture heart rate and — this is the amazing bit — air quality, in terms of CO2 levels in the ambient air. Captured data syncs via Wi-Fi or Bluetooth, and naturally goes into their cloud-hosted data monitoring system and smartphone apps. You can sync over to Microsoft HealthVault if you like.

Personally, I’m wearing a Nike+ FuelBand right now and I love it. I actually think the Fitbit is more accurate, but the FuelBand goes on your wrist and stays there — you don’t lose it off your belt or send it through the wash in your pants. The only one I really want to try out is the Jawbone Up, which has more features than the FuelBand, but lacks the FuelBand’s integrated data display.

Meanwhile, check out this article from AllThingsD on the trends in the space:

Fitbug pitches employers and launches new activity, weight, and blood pressure gear [UPDATE]

[Update at bottom of post]

This is a new one on me. I follow the “quantified self” market fairly regularly, but it’s the first time I’ve seen activity tracking devices and services being pitched directly to employers.

The idea: As an employer, you want to encourage healthier behaviors, in order to drop your insurance costs. With Fitbug, now your company can hook up with them to provide units to staff and track progress individually and as a group.

The site offers relatively little information and no real studies of effectiveness. But it’s an intriguing idea — one that’s likely to gain traction in the next few years as devices get cheaper and employers (and health insurance carriers) get employees and customers more engaged in health management and promoting healthy behaviors.

New Fitbug Gear

Meanwhile, Fitbug is introducing a bunch of new gear, including the Fitbug Orb, a low-cost ($50) Bluetooth-connected activity tracker (that’s not currently shown on their own web site). They also have a new wireless weight scale (the Fitbug Wow) for $80 and a blood pressure tracker (the Fitbug Luv). None of the new gear is shipping yet, but should all be on the market before summer.

UPDATE: 2012-01-08

While Fitbug has one of the most in-your-face pitches to corporate health device buyers, they’re not the only ones talking to this market. Waaaaaayyy at the bottom of the Fitbit site is a link called Corporate Wellness that takes you to a page pitching the same concept: buy tons of our devices for employees and use them to promote wellness / drive down insurance costs. Sorry I failed to notice that one! If you have other examples from device makers, please let me know.

Health IT for Health Centers: 2013-01-07

Here are my latest recommended links and comments on news items from the Health IT, community health center (CHC), nonprofit, and general IT sectors. I’d be delighted to hear your comments here, or chat me up on Twitter (@jmproffitt) and Google+.

Security

Today in free-reports-you-might-like we have a new one from a group of major security and IT players at major multinational corporations. And though that may sound dull, the report itself, Information Security Shakeup: Disruptive Innovations to Test Security’s Mettle in 2013 (PDF), is well put together and clear enough even for your CEO (sorry CEOs!). The big trends that will affect security planning this year: cloud computing, social media, so-called “big data,” and — of course — mobile devices. Mitigation techniques are proposed for the growing risks, of course. A nice report, really.

When you’re done with the pretty report, here’s some conceptual thinking for you: Compliance strategies can be the enemy of security strategies. Why? “The downside of compliance initiatives is that achieving a minimum may not result in any real change in the security posture…” Of course, compliance with HIPAA security and privacy provisions does help with security, but there are problems with a HIPAA-compliance-only approach. Namely, advancements in the regulations can’t possibly keep up with security (or risk) developments, and if all you do is comply, you won’t be positioning yourself for real-world security. Sounds like a head-scratcher at first, but it’s definitely not. Aim for security, not compliance.

Management

Healthcare Informatics has a nice profile of La Clinica de la Raza’s new CIO, Tina Buop. She started last May and since arriving she’s been dealing with classic Community Health Center (CHC) issues: data collection and reporting, an EHR deployment, and handling IT services across a sprawling 30-site, 1,200-employee organization.

Meanwhile, I gotta give a virtual high five to Dr. Lyle Berkowitz. He’s effectively addressed the “crisis” of too-few primary care providers with an intelligent crystal-ball look at what healthcare may look like in 2025:

Dashboards provide real-time analysis of the status of his panel of 5,000 patients. Patients in the Green Zone will be managed mainly by computerized systems which check on patients virtually to provide positive feedback and ensure they stay on track. Meanwhile, patients in the Yellow Zone will be visited by the physician’s care team at home or work, or perhaps have a virtual conference with the physician to answer their questions. Finally, those patients in the Red Zone will be seen in the office or home for longer sessions with the physician and his or her care team to help determine what is going on and how to get it under control.

And the title of his piece? “We Don’t Have a Shortage of PCPs, We Have a Shortage of Using Them Efficiently”. Yep. Nailed it.

Collaboration

Email is like Democracy: it’s the worst… except for every other system out there. But that may be changing, as companies discover and deploy new collaboration platforms. SharePoint got things started, but other platforms — especially simpler and more social platforms — are gaining traction, like Socialcast, Confluence, Yammer, Podio, SocialText, Chatter, and more. But here’s an idea: delete your email lists and force employees to use the new platform. Find out what one company learned when they went nuclear on email lists in a company of 17,000.

Mobile

Clinicians and pharmacists in your health center might appreciate this list of 6 mobile apps and resources for information on drugs, diseases and more. Keep in mind you can always deploy iPod touch devices if you don’t want to deploy smartphones.

EHR Technology

Tell us how you really feel, competing software vendor! “I don’t believe healthcare can afford Epic and Cerner, and I doubt you do either.” Those of us in the Community Health Center (CHC) world will never buy Epic or Cerner, for the price tag alone, not to mention they’re really built for hospitals. Still, this guy, hawking an open source solution, has a point. Though he only cites one example in detail, it’s a good one: $9 million to deploy OpenVista versus $92 million to deploy Epic in facilities of similar size. Go with the open source solution and then take everyone to Hawaii to celebrate!

Now think back to 2009 and the federal cash that burst onto the scene to help pay for increased digitization of health. Mmmmm… cash! Now imagine where we’d be today without that money and the pushes of the HITECH program and ARRA. This piece over at Healthcare IT News argues we’re a lot further along today than we’d otherwise be with EHRs and other tech. I tend to agree. Healthcare organizations are nothing if not slow to change.

Finally, get ready to move mental health records right into your EHR, or at least link them and make them available to your EHR users. The stigma of mental health care is fading, and the advantages of primary care and hospital care physicians having access to both the “medical” record and the “mental” record at once are substantial. With more and more CHCs covering mental health services alongside medical, we may very well be on the cutting edge here. Who knew?

Telemedicine / Telehealth

Everyone’s getting the telehealth bug, so be prepared to support it in your health center. Even the feds are willing to start spending on remote doctor visits, or at least new legislation was introduced in Congress just after the fiscal cliff mess was (sort of) cleaned up. And of course private payers are covering more of this kind of care, too. Aren’t sure how telemedicine licensing works in your state? Check out where the states stand as of December 2012.

How about a Chromebox for patient web access?

In the run-up to building our new health center in Anchorage, we had plans to buy and deploy kiosk-style computers in the facility. These would be made available for patients to access a patient portal or our web site. But three things got in the way:

  • True kiosk hardware that’s hardened against public tampering is very expensive, and we needed other stuff more
  • We hadn’t yet launched a patient portal, so the value was diminished
  • Configuring, deploying, managing, and supporting kiosk PCs is a hassle we didn’t want eating up valuable IT staff time

So no kiosk PCs for us. At least not yet. Someday… someday…

But you? Maybe you’re ready to make a few Internet PCs available for the public to use in your facility, but it needs to be safe and low-impact. How about trying out a Chromebox as a great alternative to a locked-down Windows or Linux PC?

Running Chrome OS, the Chromebox (like the Chromebook) is basically a stripped-down custom Linux that runs a Google Chrome browser and a few plugins (like Flash) that make the web work fine without all the Windows cruft. It also retails for just $330. It auto-updates to the latest Chrome build every so often, staying current both in features and security. If you haven’t used Chrome OS lately, you may not know that it now includes a Guest mode that doesn’t save any information between user sessions. I’ve been a Chromebook user on and off since last summer and I like the OS for a lot of web work.

Why mention all this now? Well, Samsung is releasing a revised Chromebox soon, as reported yesterday: Meet Samsung’s new Chromebox, same as the old Chromebox (Updated).

However, this news comes at a time when Chrome OS devices are largely unavailable. The new ARM-based 11″ Chromebook is sold out as of this writing — and it sold out pretty much at launch back in November. The Chromebox is now only available used through Amazon, and is sold out at Staples, sold out at TigerDirect, sold out everywhere. Google and Samsung have not announced when Chromeboxes will be available again — but you know they’re coming, given the redesign.

Whenever you get your Chromebox going, you’ll need to bring your own monitor, keyboard, and mouse. And you might need a kiosk or desk. Finally you might also want to get a Kensington lock to tie down the Chromebox.

While you’re waiting for Chrome OS device stock to appear, consider a few resources. First up, a review video from mid-2012 when the major revamp of Chromebooks and Chromeboxes came out. Some things have changed in the OS since this video was shot, but on the whole this is a good intro:

The written review at The Verge is also good.

Meanwhile, there’s yet another alternative if you want an Internet PC for the public without the hassle of rolling your own Windows or Ubuntu box. HP now makes the sexily-named HP Passport 1912nm 18.5-inch Internet Monitor. It’s a custom Linux build that puts users into a browser space with no configuration options. One wonders how serious HP is about this product (although the same could be said about Google, really). But the good news? Just $200 gets you the screen, the OS, keyboard, and mouse all in one box.

If you’re using Chrome OS devices in your healthcare organization, I’d love to hear about it.

Health IT Links: 2012-01-03

Here are my selected links, with commentary, from the Health IT, community health center (CHC), nonprofit, and general IT sectors today. Please pass me any recommendations you’ve got in the comments or hit me up on Twitter: @jmproffitt.

Products

  • PhoneFactor (Mini-Review at SC Magazine)
    Add 2-factor authentication based on phone calls, SMS messages, and OATH to your web apps, Terminal Services, Citrix sessions, and RADIUS-backed VPN sessions on the cheap. Pretty cool. SC Magazine certainly liked it. (Another option would be to deploy an SSL VPN with 2-factor features built-in, but that’s a story for another day.)
  • Technologies to watch 2013: Windows Server 2012 cannot be ignored
    The Windows Server platform continues to march on, with some great additions in the 2012 edition. This article points to more than 9 advances that just might solve some problems for you, including the vastly-improved Hyper-V, and some fascinating storage pooling techniques blended with a faster SMB file transmission implementation. Of course, watch out for application hosting issues — your app vendors may not yet support Server 2012. I don’t know about you, but we’re still eliminating Windows Server 2003 servers.

Security

Business of Healthcare

  • WellPoint to cover virtual doctor visits
    More payers are starting to cover telemedicine / telehealth costs. Do you do any telehealth in your clinic today? We don’t do it yet, but there’s a real future here, so I know I’m paying close attention.

Lose a laptop with 441 patients’ records, pay $50,000 and pray for donations

The latest HIPAA breach story out of northern Idaho breaks my heart. It also chills me to the bone. First off, here’s the news:

I actually worked with a hospice on tech issues in the last couple years, and I can tell you the attitude about security and IT in general was… less than progressive. They had better things to do. Literally. Hospice folks have a really rough job, emotionally and financially, providing a service that’s simply not properly supported by payers, whether private or public. They live on donations and posthumous gifts. They’re the soup kitchen of modern healthcare, providing a vital service that no one really wants to think about.

But pleading a charity case obviously didn’t work on HHS. The hammer continues to fall with increasing speed and strength in matters of ePHI security.

Yet again, this breach is the story of a lost, unencrypted laptop with patient information on board. It’s not clear whether the records were actually accessed or distributed, but that’s obviously irrelevant.

Community Health Centers and other smaller health providers: Pay attention. HHS is now bringing the penalty thunder down to breaches of less than 500 records. And the price is high, at $50K for just 441 records (theoretically) stolen in this case. Of course the HHS write-up points to lack of policies, no risk assessment, no controls over mobile devices, no encryption, and so on. It’s kind of a broken record now.

So consider this your last chance to get your HIPAA policies and procedures drafted and start making regular progress on improving security. The key is to show active interest and ongoing improvements. Do your risk assessment. Build your list of critical improvements. Do them. Keep records of what you’re doing.

This stuff takes staff time and cash money to buy some technology, which is always tough in nonprofit healthcare. So get these stories in front of your CEO right away if you’re not getting the resources you need. Alternatively, put them in front of your CFO — because a big enough breach could threaten the financial viability of the company.