Some Advice for Buying an EMR/EHR

Here at Liticode, we don’t practice medicine, but we do practice technology and electronic records, and have been doing so for a very long time, since well before the current trend of faster/cheaper became fashionable. Because of that, we’ve learned a few tricks about the system acquisition (purchasing) cycle that you might not think about, but can probably benefit from.

Do your purchasing according to tried and true practices of defining criteria and doing vendor selection. An EMR is not a trivial item; it is foundational and will make or break your healthcare practice. Involve the right people. If none of that makes sense, HIRE SOMEONE who understands purchasing principal systems, and don’t rely on the advice of someone internal just because you think they know what they’re talking about. You want to make sure EVERYONE is backstopped by a proper value-based decision with defined and trusted characteristics.

Defining those characteristics can be part of the problem, along with relying on vendors to be truthful in their descriptions of what their systems do. There’s a quick and dirty way to figure out if a particular system suits your organization, and that is to go and do site visits. Select a cross-discipline team of physicians and nurses and IT and send them to other installations for several days to shadow people and dig into the real operations of the system being reviewed. Dig deep. Look at the user interface in action. Look at the interfacing and reporting. Look at the errors and support needs. Look at the BC/DR capabilities.

Yes, this will cost you a lot of money, probably upwards of $100,000 for looking at 3 different systems. If it saves you making a $3M purchasing mistake, it’s money well spent. If you’re REALLY good at purchasing, you can get the vendors to pay for the excursions so you don’t have to. That’s the best way, because if the vendors don’t have that level of faith in their system or that level of funding for sales, then they probably aren’t a good choice. Remember, a mistake in purchasing an EMR goes way beyond the price on the invoice, so you have got to get it right. The more right it is, the better you all look on the cover of the monthly healthcare magazine. The more wrong it is, well, we call those “resume generating events”.

Please make sure to include security and forensics in the criteria. That’s our part. We’re available to assist with purchasing evaluations if you need us; we only need one day and it doesn’t even need to be on site. We can also help with the business side of things, if you’re light on the IT side as some organizations are. Proper purchasing processes and vendor evaluations were figured out back in the 1960s, so there’s no reason for anyone to get it wrong.

Purchasing and Metrics as Key Business Indicators

It cannot be overstated that the two most powerful weapons in a company’s policy arsenal are proper purchasing protections and performance metrics.

Without smart purchasing, businesses tend to waste money on solutions that are inadequate and penalize the company repeatedly until cured. The money needs to be reallocated to purchase the correct solution, and while the wrong solution is in place, the company fails to gain any advantage from it, and possibly loses ground.

Proper metrics are what give a company insight into layers of operational intelligence. Without good metrics that permit comparison with the competition and external industry measurements, perceptions can be flawed and gains lost. Worse, improper use of metrics can lead to stagnant areas of insight which undermine the entire purpose.

These two areas are clear marks of maturity in a business and keys to remaining competitive and obtaining market dominance. But they are HARD to do. So we see them almost nowhere. This despite the fact that both areas have been understood and well defined for 50 years!

Now, the interesting thing to us here at Liticode is the ramifications these two key indicators have on information security and litigation costs. The cost of a failed security tool purchase is potentially far greater than the cost of the mistake and the fix. If there is an event stemming from the failure in purchasing, it can have catastrophic consequences well in excess of the purchase costs. All stemming from a failed purchasing policy.

The Vicious Feedback Cycle of Ransomware and Insurance

Cyber insurance is motivating the black hats to pursue more ransomware attacks. Much like piracy in the Gulf, knowing there is insurance and requesting a fraction of the insured worth means it is in the best BUSINESS interest of insurance companies to pay the ransoms, which creates a terrible cycle of destruction and costs. The pirates/criminals know the money is there; all they have to do is write the ransomware.

As is the norm in such cases (like piracy) it will require a government to step in and enforce a contractual policy through force. The government must mandate non-payment, which insurers will lobby against. If payment cannot be made, the government will be required to intervene to protect the business assets of the insured and insurance company or a black market will develop to pay the criminals.

If the government doesn’t want the insurers to pay the criminals then the government will need to have an actor (military etc) take action to discourage releasing ransomware. This will not stop the use of ransomware, only decrease the frequency and increase the intensity, just like piracy.

Unfortunately, this will not increase demand for highly qualified cyber security and risk personnel, who can help prevent successful attacks; it will merely increase the size of the insurance market. Consumers, as always, are a secondary consideration, and assets with a critical-mass effect, such as health records, will be the biggest target, as in any terrorist-style criminal activity. Criminals know they need to pick big targets if they want a big payday.

HIPAA security officers need to prepare for this impending increase in risk more than any other industry, because you’ve got the most to lose.

Why 3rd Party Evidence Handling is Important

Let’s talk about why you should be using the services of Liticode, or someone like us, but preferably us. No equivocation, we’ll get right to the foundations of it.

  1. Transfer of liability. There, we said it. The basest of all motives, money. If, luck forbid, there is an issue with the evidence preservation, and internal people did the preservation, the court is likely to take a dim view of the situation and hold the company accountable. Whereas, if it’s OUR fault, the court is going to yell at us and we may be sued by various parties for it (which has never happened, because we’re good at what we do), but YOU are not going to get hit with an intentional destruction of evidence direction from the court. Isn’t that convenient? Like a little slice of insurance you didn’t have to pay a premium on.
  2. We provide an unbiased, objective methodology for the analysis and collection of the electronic evidence. Our personnel are trained in this, experienced in the specific tasks, and not subject to any internal bias regarding what is evidence and what isn’t. We follow the risk averse mantra of “preserve broadly, present narrowly”, and we’ve never missed an objective. Whereas your personnel are subject to a variety of internal factors and pressures which may or may not increase the risk of an improper preservation effort. Which brings us back to the first argument for using Liticode, move that risk off your plate and onto ours.
  3. Using Liticode reduces the chance of an internal leak. There are several points in the process that can be a bit leaky, and you may not want the information contained in the evidence collection available internally. Analysis personnel talk. Collection personnel talk. Preservation personnel talk, misplace data, and accidentally destroy materials. There are chain of command leaks; line employees talk to their managers about the task and results. (Which, by the way, can increase the risk of insider trading!) Preserved data wanders as employees change positions in the company, as well. Some litigation runs for years, so a single point of risk like Liticode is preferable to a complex risk component such as an internal effort. Using internal resources complicates oversight procedures and accounting, as well. Use of a dedicated internal resource helps, but now you’re tasking an FTE and still not eliminating the majority of the risks outlined above. Our process is designed so that your information can’t be exposed or lost, and we compartmentalize and archive everything in dedicated facilities.

In short, Liticode is the best choice for your evidence processing needs. We do a better job and lower your risks because we have the experience to handle your internal evidence assets even better than you can yourselves.

But run this past your lawyer, because we’re not lawyers, we’ve just been doing this for more than 25 years. And then call us, because we’re the best. You can reach us at 610-810-1727 or fill out the form here.

Unauthorized Data Transmission by Hospital Applications

As reported in Network World and from our own observations, there is a bit of trouble with unauthorized outbound information transmission from a variety of systems and software on business networks, including healthcare. Healthcare providers are particularly susceptible to this, because they have more systems per installation than any other form of business. Most of the problems are covered in the article link above, so we’ll focus on the two that aren’t, and then talk about what we can do to help.

As discussed in the article:

  • Security devices and systems transmitting configuration data and other information without consent or notice.
  • OT devices like MRI machines and other systems, misconfigured or with their own security problems.
  • Desktop operating systems like Windows 10, which are obnoxiously chatty, with high-risk components being transmitted.
  • Rogue devices brought in by employees with good intentions, which unfortunately are not secure and transmit all sorts of good data.

Then there’s these:

  • Applications, misconfigured or configured with malignant intentions in an unauthorized fashion by companies with poor practices or ethics.
  • Good intentioned or bad intentioned users, transmitting all sorts of company data.

Email leaks are bad enough, but when systems and authorized users are transmitting data without our knowledge, it’s a serious blind spot. You can implement some form of data loss prevention, which should catch the leaks over common channels, but what about the systems and applications that are authorized and more difficult to find?

For these unauthorized data transmissions by personnel, you need manual review and monitoring. To catch data theft by systems personnel, you need to capture their activities and then validate them, during or after the fact, for bad activities. We’ve observed major players in the electronic medical records business transmitting large amounts of patient data back to their company systems without authorization. That needs to be squashed when it happens, so implement a process to make sure it doesn’t happen to your company.

For unauthorized transmissions by systems, you also need monitoring, but because it’s part of the overall activities, you can’t just watch when it’s happening, because you don’t know when it’s happening. For this, you need to capture and analyze traffic and build up a knowledge of what is normal so you can spot anomalies. It’s usually easy to profile an application and then locate any strange activity.
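The profile-then-spot-anomalies approach above, as an added example (our own illustration here, not any vendor’s tool). It assumes outbound flow records have already been exported from a firewall or flow collector as comma-separated lines of timestamp, source host, application name, destination, port and bytes out; the records below are constructed. Known destinations per application and the typical per-flow volume form the baseline, and new flows are flagged when they go somewhere the application never went, or when egress is far above normal.

```python
"""Baseline outbound traffic per application, then flag what does not fit.

Added example, not Liticode's tooling. Flow record format (assumed):
timestamp,src_host,app,dst_host,dst_port,bytes_out
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: a learning window for two clinical systems whose only
# normal outbound traffic is a nightly vendor update / support check-in.
BASELINE_LOG = """\
2024-01-08T02:00:00,emr-app01,emr,updates.vendor.example,443,120000
2024-01-09T02:00:00,emr-app01,emr,updates.vendor.example,443,118000
2024-01-10T02:00:00,emr-app01,emr,updates.vendor.example,443,125000
2024-01-11T02:00:00,emr-app01,emr,updates.vendor.example,443,119000
2024-01-08T03:00:00,pacs01,pacs,vendor-support.example,443,50000
2024-01-09T03:00:00,pacs01,pacs,vendor-support.example,443,52000
2024-01-10T03:00:00,pacs01,pacs,vendor-support.example,443,48000
"""

# Constructed sample: traffic seen after the baseline was built. The second
# and fourth lines are the kind of thing the post says needs squashing.
NEW_LOG = """\
2024-01-15T02:00:00,emr-app01,emr,updates.vendor.example,443,121000
2024-01-15T02:10:00,emr-app01,emr,updates.vendor.example,443,9800000000
2024-01-15T04:00:00,pacs01,pacs,vendor-support.example,443,51000
2024-01-15T04:05:00,pacs01,pacs,203.0.113.7,8443,700000
"""


def parse(log):
    """Yield one dict per flow record; malformed lines raise rather than hide."""
    for line in log.splitlines():
        ts, src, app, dst, port, nbytes = line.split(",")
        yield {"ts": ts, "src": src, "app": app, "dst": dst,
               "port": int(port), "bytes": int(nbytes)}


def build_baseline(log):
    """Per application: the set of destinations used and typical bytes per flow."""
    dests, sizes = defaultdict(set), defaultdict(list)
    for r in parse(log):
        dests[r["app"]].add((r["dst"], r["port"]))
        sizes[r["app"]].append(r["bytes"])
    return {app: {"dests": dests[app],
                  "mean": mean(sizes[app]),
                  "stdev": pstdev(sizes[app])}
            for app in dests}


def find_anomalies(baseline, log, sigma=3.0, min_ratio=10.0):
    """Flag unknown apps, destinations an app never used, and oversized egress.

    The volume threshold is the larger of mean + sigma*stdev and
    mean * min_ratio, so a very tight baseline does not page on jitter.
    """
    findings = []
    for r in parse(log):
        prof = baseline.get(r["app"])
        if prof is None:
            findings.append((r["ts"], r["app"], "unknown application"))
            continue
        if (r["dst"], r["port"]) not in prof["dests"]:
            findings.append((r["ts"], r["app"],
                             f"new destination {r['dst']}:{r['port']}"))
        limit = max(prof["mean"] + sigma * prof["stdev"],
                    prof["mean"] * min_ratio)
        if r["bytes"] > limit:
            findings.append((r["ts"], r["app"],
                             f"egress {r['bytes']} bytes exceeds baseline"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(build_baseline(BASELINE_LOG), NEW_LOG):
        print(*finding)
```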

If you want some reassurance that your processes are catching everything, or you don’t have the resources to manage the verification process improvement on your own, please call us. Finding needles in haystacks is kind of our thing. We’ll be glad to help you figure out your needs and then map out business process improvements to cover them.

We’re the best at finding evidence of bad actors on your network. Call now 610-810-1727 or email us at sales@ .

Who Needs Information

So I’m listening to Pink Floyd the other day, and what kind of story isn’t going to be fun that begins with that line? Roger Waters’ Radio KAOS, specifically, and the song Who Needs Information is just WEDGED into my head for days now. You can look up the lyrics and listen to it if you’re that interested, but the concept of information it repeatedly brings up is relevant to INFOSEC (as is the opening stanza about theft).

We see a lot of information theft these days. The people going after it are our threat actors. Thinking about who needs it helps us fill out our risk register. Thinking about risk while listening to music (or doing anything) is our JOB. The first stanza looks at the opportunistic aspects “we could win a million pounds” and that’s just how some of our actors look at our blue targets. You’re a prize. Your company is a scratcher to them and all they have to do is buy enough, and it’s a cheap buy-in, and they’ll find a winner.

The second run-through is about fear, and the obvious correlation here is the FUD our industry pushes on the rest of the business world. Like management, the song posits that we just want reassurance there’s an escape and we can get on with business. That desire applies to both the attackers trying to claw their way out of their socio-economic position and management in the blue company that wants a three-color graphical chart of security showing GREEN so they can go back to business issues. They’re both desperate for a solution to their respective concerns.

Information security IS a business issue, and management IS getting better at grasping the importance, but they’re still not entirely on board in many cases. Which brings us back to selling with FUD instead of selling with BUSINESS. And, coincidentally, why we strongly feel that the CISO position needs to be either under the CFO or an independent with CFO ties. Stop putting operational responsibilities in the security department, because it creates a pressure to put them under the CIO, and that is the WORST business choice a company can make. Let the IT department handle the operational aspects of security, because isolating the security functions from the IT positions directly associated with them creates a barrier to workflow and adds costs. The system administrator is perfectly capable of handling the security duties assigned, which the security TEAM under the CFO can correctly monitor and manage. Best of all, the CFO isn’t going to put up with FUD responses; they’re going to demand financials. The harder the better, as it should be. Let’s put a stop to throwing blinky box solutions at problems that are systemic and get down to the brass tacks of business improvement in security areas.

But back to the song. The desperation of the characters looking for a way out of their situation is a key element of the emotional direction of the song. The motivations of the attackers in our security situation are key to figuring out how assets are at risk and what level of intensity will be brought to bear against your defenses.

Who needs information? The blue team. More than anything else in the INFOSEC world, information about what’s going on is vital to protecting the business. So one of the key things you need to ask yourself as you’re spending money on security is “What new information is this product/service/person providing?” And if it’s not obvious, you probably don’t need that particular solution. Some tools are not information providers directly, but all produce information in some fashion, and that is the most important aspect, because even a purely functional tool like an email system that does not provide information in the form of statistics and metadata is a blind spot in your field of vision.

To quote yet another 80’s icon, Billy Idol, “Information is power and currency.” And the blue team needs all they can get, because the maxim is that blue must hold against a thousand threats while red only needs one gap in the defenses and they win.

Layered security isn’t about what gadgets you have protecting your assets, it’s about what information you have and filling the blind spots.

Liticode can assist with your security needs in ways other vendors can’t; as a trusted advisor interested in helping you improve your information flow for defenses.

80’s musical references are free for all customers.


It’s not often we endorse a product, so this is worth your time. Anti-malware software, anti-virus, whatever the new spin name is for “you clicked something and now you’re in trouble” is a tedious product. None of it, not a single vendor, not even this product, is perfect.

In the course of business here, we install, test, use, and fuss with everything on the market. One product we keep coming back to is Malwarebytes. It’s consistently good. Not perfect, but good.

Recently, it kept one of our computers from picking up something nasty, and I don’t let happenstance good work go unnoticed. A rebuild of a workstation here costs us a lot of time and money. So this is us thanking Malwarebytes for a job well done. We even purchased additional copies to install on the other Windows systems in the office.

Some security curmudgeons will claim that anti-malware applications are useless, but they’re lying to themselves. We all get surprised by something from time to time, so even if you practice good operational security and don’t click random links, surprises still happen. Like we had last month.

Layered security is not optional, and Malwarebytes is one layer. Something even modestly useful that a professional tells you worked one time is worth it, because JUST ONE TIME is all it takes to ruin your year.

Thanks, Malwarebytes. If you’re listening, about that CPU hit on initial load…

Certified Media Erasing Utility

We were asked if we knew of a media erasing tool that provided a certificate of destruction. We didn’t. So we wrote one.

It’s a very simple Linux utility (Windows coming soon!) that performs a low-level overwrite per your needs, which is verifiable for third-party inspection, and produces a certificate you can use as proof of destruction.

It’s going live on the GSA website soon, but if you’re not government and would like a copy, please contact us at 610-810-1727 or via sales@this site until we get our civilian sales side set up.
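To show what “verifiable for third-party inspection” means in practice, here is an added illustration of the overwrite, read-back verify and certificate steps; it is not the utility described above. It operates on a file path (a disk image or, as in the built-in run, a throwaway temporary file standing in for the media) rather than a raw block device, and the HMAC signing key is a placeholder; a real tool would keep the key in a protected location and record the device serial number as well.

```python
"""Overwrite media, independently read it back, and issue a signed certificate.

Added example, not Liticode's utility. Assumptions: `path` is a regular file
(an image or test file); the signing key is a placeholder.
"""
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16  # write/read block size in bytes


def _block(pattern):
    # A whole number of pattern repetitions, so consecutive blocks stay aligned.
    return pattern * (CHUNK // len(pattern))


def overwrite(path, pattern=b"\x00", passes=1):
    """Write `pattern` over every byte of the file `passes` times; return size."""
    size, block = os.path.getsize(path), _block(pattern)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(len(block), remaining)
                f.write(block[:n])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # make sure the last pass reached the media
    return size


def verify(path, pattern=b"\x00"):
    """Re-read the media and confirm every byte matches; return (ok, sha256)."""
    block, digest = _block(pattern), hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(len(block)):
            if chunk != block[:len(chunk)]:
                return False, None
            digest.update(chunk)
    return True, digest.hexdigest()


def certify(path, signing_key, pattern=b"\x00", passes=1):
    """Wipe, verify, and return a certificate whose fields are HMAC-signed."""
    size = overwrite(path, pattern, passes)
    ok, digest = verify(path, pattern)
    cert = {"media": os.path.abspath(path), "bytes": size, "passes": passes,
            "pattern": pattern.hex(), "verified": ok, "readback_sha256": digest,
            "issued": datetime.now(timezone.utc).isoformat()}
    body = json.dumps(cert, sort_keys=True).encode()
    cert["signature"] = hmac.new(signing_key, body, hashlib.sha256).hexdigest()
    return cert


def check_certificate(cert, signing_key):
    """What an inspector runs: recompute the HMAC over every field but the signature."""
    fields = {k: v for k, v in cert.items() if k != "signature"}
    body = json.dumps(fields, sort_keys=True).encode()
    expected = hmac.new(signing_key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, cert["signature"])


def demo(size=4096, key=b"placeholder-signing-key"):
    """Run the whole cycle on a temp file of random bytes; returns (cert, genuine, forged)."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(size))
    try:
        cert = certify(tmp.name, key, passes=2)
        forged = dict(cert, bytes=size * 2)  # an altered certificate must fail
        return cert, check_certificate(cert, key), check_certificate(forged, key)
    finally:
        os.unlink(tmp.name)
```

An inspector with the media and the certificate can re-run `verify` and compare the `readback_sha256` field, independently of whoever did the wipe.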


Verification and validation have been coming up quite often recently in conversations with client lawyers. It seems there are a number of litigants relying on system data or log file information who have not validated their data properly and are suffering the consequences of poor data management practices as a result.

V&V, and data management practices, are well developed standards dating back decades that all IT shops should be incorporating into their standards and practices for systems and data administration.

If the foundation data isn’t right, the business operations won’t be right. In some cases, notably 21 CFR 11, V&V is a requirement. But even if it’s not a legal compliance issue, it should be part of normal IT business practices at every company because of the inherent risk in ignoring V&V.

If your risk management program doesn’t have a V&V component, you might be missing a big vulnerability.

As always, we’re here to help, if you need us.

Outsourcing as a Competitive Business Advantage

Legal firms, whose core business is not IT, can benefit tremendously from outsourced IT and security services. Advanced outsourcing provides access to service features normally reserved for only the largest companies, such as structured IT program management, ultra-high availability, encryption, and global presence, at a fraction of the cost of maintaining such technologies in house. For the majority of law firms, in-house IT is financially disadvantageous, and the lack of high-end features is a business disadvantage and increases risk. Outsourcing increases performance, reduces risk, and decreases associated costs, enabling any firm to benefit from advanced services and features.

Partnering with a provider who works intimately with the legal industry and understands the needs of a firm equates to better service levels and more productive time with less frustration. A partner that provides a standard platform and services for all its clients provides the most cost-effective solutions in a tried and tested format. An outsourcing partner with advanced management services, such as a systems architect, a security architect, and IT program management, can ease the burden on the client firm, improve operations, and spread the cost over the entire client base, so clients only pay for what they get, minimizing overhead.

And with security lapses showing up in the headlines on a near daily basis, everyone can benefit from high quality security management, but even large firms can’t afford to keep an information security expert on staff. It works in everyone’s benefit to spread the load for exceptional personnel.

Finally, use of large-scale dynamic infrastructure permits fast adaptation of new features without the cost and problems of “forklift” upgrades. Your outsourcing partner can and should handle all the details of the entire infrastructure, from integration with mobile devices to fault-tolerant business continuity services, securely. In the best of all worlds, you don’t even think about the technology any more, so you can focus on litigation.


Security is the biggest concern after basic operations. But all too often, smaller firms are unable to maintain an adequate level of security, which can result in information leaks, loss of data, or lack of availability. A single computer virus can wreak havoc on a law firm’s data repository, taking a terrible toll. Only after the breach does the organization realize they have a problem, and any repairs made in haste typically only last until the next crisis, and the cycle repeats. To make matters worse, any sudden attempt to improve matters without adequate understanding of the overall IT concerns is wasting money. Outsourcing is an appealing alternative because organizations gain the benefit of very experienced staff and insights at a reasonable cost, avoiding missteps or emergency measures.


Encryption is still new on most firms’ radar, and the technologies are varied and not without risk. There’s a reason why encryption was considered a munition by the government, with real export restrictions. Encrypting something completely prevents anyone without the key from reading the information. This makes it a great privacy tool, until someone forgets the password. Then the data is effectively destroyed, and that is a serious problem. Having access to personnel and a proven encryption architecture, along with contingency plans for failures, is the only way to effectively and safely manage your firm’s information assets and reduce risk. More than any other technology component, encryption must be properly managed or the entire data set of the firm is at risk.


Outsourcing services, particularly computer-intensive services and personnel, can greatly enhance a firm’s bottom line and ability to adapt and grow. While IT shops frequently plan for future growth, they cannot anticipate industry shifts. An outsourced function can capitalize on its dynamic posture and rapidly adapt. Many internal projects suffer from misaligned scale planning, but with outsourced services, that challenge is overcome with simple changes to allocations. Finally, outsourced services and assets can be rapidly scaled and migrated to new technology, something that cannot be done with internal assets, and this is particularly useful when offices, temporary or otherwise, need to be stood up rapidly and then torn down when a job is complete.


Outsourcing improves reliability and availability. The use of high-quality assets and professional-grade architectures provides uptime levels that simply aren’t feasible for an organization operating a service internally. Law firms are not 9-to-5 operations, and we all work nights, weekends, and holidays, from home and on vacation. Partners expect IT services to be available all the time, every day.

Simple Efficiencies

Outsourced IT services provide firms the opportunity to focus exclusively on core business needs and not get distracted by IT problems and personnel issues. By outsourcing commodity services to providers, partners can focus their own teams on delivering value directly related to the practice.


Using the best assets and resources available, a firm reduces the risk that an accident or intentional incident will occur. Further, and specific to law firms, there are distinct liability advantages to using a 3rd party to manage information assets. Outsourcing reduces risk and creates advantages that are unobtainable through internal IT programs.

Liticode has worked with legal partners for more than 30 years, helping them provide the best technology experience possible. From basic computer operations to large-scale network infrastructure, including forensic technology and experts, we help make your firm more successful. We work in the industry, and we understand your needs better than anyone else.