Wednesday, March 10, 2010

Annals of Security: File-Sharing Tools Imperil Personal Health Data

Physicians who use file sharing software can inadvertently expose their patients' health and financial information, according to a study in the Journal of the American Medical Informatics Association.

The study, by Khaled El Emam and colleagues at Children's Hospital of Eastern Ontario, is the first to quantify the risks associated with physician use of file-sharing applications, which are typically used to access and share music, videos and porn.

Over the course of one year, El Emam’s group used popular file sharing software including Limewire, BitTorrent and Kazaa to access and download more than 23 million files from computers in the US and Canada.

They found personal health and financial information in 2%, or tens of thousands, of the Canadian files and in 5%, or hundreds of thousands, of the US files.

The information included medical authorizations containing patient insurance information, Social Security numbers, phone numbers, dates of birth, medical histories and current medication lists. Other files contained financial information like credit card numbers, passwords and PINs.

In addition, El Emam’s group found evidence that outsiders were actively searching for files containing personal health and financial data. "There is no obvious innocent reason why anyone would be looking for this kind of information," El Emam told Healthcare IT News.

These file sharing tools "are not completely intuitive and can thus lead to errors as to which files or folders are set up for sharing. Without additional protection on the health records, like encryption or elevated access controls, it is entirely possible that a misconfigured file sharing tool could access the records," added Robert Grapes, Cloakware’s chief technologist.

The scientists advised that file-sharing tools can make health and financial documents vulnerable to fraud or theft, and that unless all office personnel understand how to operate the security settings on such software, it’s best not to use it on computers where such information is housed.

"A significant amount of information is leaking and I think it's important for the public to be aware of the risks of running those programs," El Emam told the Montreal Gazette.

Simon Morris, VP of marketing and products at BitTorrent, said that inadvertent file sharing of the sort described by El Emam is impossible on BitTorrent because files are only shared when they are downloaded. Morris did concur that such breaches were possible with other file-sharing software.

"The problem is that consumers, in the past, have sometimes not understood what it means to 'share' a folder, and sometimes accidentally shared folders (or folders within folders) which contain all sorts of private information (tax returns, etc.)," Morris said.

The issues raised above are new to health care, but they have already affected other sectors. Federal government personnel have inadvertently exposed sensitive government and personal information by having file-sharing software on their work computers.

The information known to have been lost in this manner includes lists of people with HIV, FBI photos of a Mafia hit man, the names of people in the federal witness protection program and the safe-house location for Laura Bush, according to testimony provided last summer to the House Oversight and Government Reform Committee.
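The study's advice is to keep file-sharing clients off machines that hold health and financial records unless staff understand the sharing settings. One practical check an office can run before (or after) installing such a client is to audit the folders the client is configured to share for files that look like they contain the kinds of data the study found. The script below is an added example, not code from the study or from any vendor named above; the shared-folder layout, the sample documents and the keyword list are constructed for illustration, and the SSN/card patterns are simple heuristics rather than an authoritative PHI classifier.

```python
import os
import re
import tempfile
from typing import Dict, List

# Social Security number in the 123-45-6789 form. Area 000/666/9xx, group 00 and
# serial 0000 are never issued, so they are excluded to reduce false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d\d-(?!0000)\d{4}\b")

# 13 to 16 digits, optionally separated by spaces or dashes; validated with Luhn below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

# Constructed keyword list hinting at a medical or insurance document (a heuristic).
PHI_WORDS = ("diagnosis", "medication", "insurance", "policy number", "date of birth")


def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> Dict[str, int]:
    """Count likely SSNs, Luhn-valid card numbers and medical keywords in a text."""
    hits = {"ssn": len(SSN_RE.findall(text)), "card": 0, "phi_words": 0}
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits["card"] += 1
    lowered = text.lower()
    hits["phi_words"] = sum(lowered.count(w) for w in PHI_WORDS)
    return hits


def audit_shared_folder(root: str, max_bytes: int = 1_000_000) -> List[Dict[str, object]]:
    """Walk a folder a file-sharing client exposes and flag files that look sensitive.

    A file is flagged when it contains an SSN, a Luhn-valid card number, or at
    least two medical/insurance keywords. Only the first max_bytes of each file
    are read, since shares are typically full of large media files.
    """
    findings: List[Dict[str, object]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file: skip rather than abort the audit
            hits = scan_text(data.decode("utf-8", errors="ignore"))
            if hits["ssn"] or hits["card"] or hits["phi_words"] >= 2:
                findings.append({"path": os.path.relpath(path, root), **hits})
    return findings


def build_constructed_share() -> str:
    """Create a throwaway folder with constructed sample files (not real patient data)."""
    root = tempfile.mkdtemp(prefix="share_audit_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    # A constructed "medical authorization" of the kind the study describes.
    with open(os.path.join(docs, "insurance_auth.txt"), "w") as fh:
        fh.write("Patient: Jane Sample\nDate of birth: 01/02/1970\n"
                 "SSN: 219-09-9999\nInsurance policy number: ABC123\n"
                 "Card on file: 4111 1111 1111 1111\n")
    # A benign file with a 13-digit order number that is not Luhn-valid.
    with open(os.path.join(root, "playlist.txt"), "w") as fh:
        fh.write("track01.mp3\ntrack02.mp3\norder 1234567890123 shipped\n")
    return root


if __name__ == "__main__":
    share = build_constructed_share()
    for finding in audit_shared_folder(share):
        print(finding)
```

Run it against the folders listed in the sharing client's settings; a non-empty report means the client's configuration needs attention before the machine is left on the network.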

Glenn Laffel, MD, PhD
Sr. VP Clinical Affairs, Practice Fusion


Tuesday, March 9, 2010

SaaS as the new buzz in Health IT

At last week’s HIMSS trade show, one of the clear messages that emerged is that SaaS-based (software-as-a-service) Electronic Health Records (EHRs) are stepping onto the main stage as the most likely way that smaller and solo practices will be able to adopt EHRs in a meaningful way, in time for the 2011 ARRA/HITECH incentive moneys. Dana Blankenhorn (from ZDNet) commented on this, as did John Halamka (CIO at Harvard and member of the Health IT Standards Committee).

SaaS-based software has also been referred to as cloud-based computing, web-based software, ASP-delivered software, and other terms (not all exactly the same from a technical standpoint, but often used interchangeably). So what is this new “hot buzz” all about and why is it important in the world of Health IT?

Elimination of IT burden
SaaS-based software is internet hosted, and accessed through an ordinary web browser. That means that the vendor, not the clinician, bears the burden of all the back-end heavy lifting – servers, always-available access, security and safety of data, and backup of data are all issues that are removed from the clinician.

This is a significant difference compared to legacy client/server software, which requires a local installation onto a server, the maintenance of a secure local network (with perhaps a Citrix layer to access it from outside the confines of the office and network), and local policies for safety and security, as well as data backup. This generally requires hiring an IT consultant, and adds “hidden” cost to the whole EHR installation.

An interesting side-note here is that the computers which run the software (the clients) can have less expensive operating systems with a SaaS approach. In a local area network (a LAN), all the workstations that access the local server need to be able to become members of a Domain, which is established by the server. The Professional version of Windows (any version) needs to be installed; the Home versions of the operating system are not able to join Domains. There is generally about a $100 additional cost for the Professional version of the operating system, compared to the Home version. With a SaaS-based EHR, all one needs is a browser and an internet connection – joining a domain is not required. Therefore, any off-the-shelf computer with a pre-installed Home version of the operating system will work.

Version control
Another limitation of a locally installed legacy client/server system is that, once it is installed, then it is “set.” Upgrades and bug fixes require the application of a patch, or installation of a new version. Often, a fee (per upgrade, or per year) is charged by the vendor for this support.

From the standpoint of a vendor, this makes support harder. When a variety of versions of a product are locally installed “in the field,” support is more difficult.

A SaaS-based EHR avoids this issue of “version control” – everyone, by definition, is on the same version. When changes or upgrades are deployed, everyone receives these changes on their next session log-on. From the standpoint of support, this is much easier, and feature fixes as well as bug fixes can be managed quickly, and deployed to everyone at once.

Customizable UI, per role, per specialty
One of the criticisms made about SaaS-based EHR products is that they are “one size fits all.” This may really limit the usability of a given product. Therefore, a customized, specialty-specific EHR may work better, given that the workflows faced by different specialties are, in fact, quite different.

Using modern technology, it is possible to capture many elements of a user upon login, and create a product that delivers a view (the User Interface, or UI) that can be very individualized. Within a given medical practice, different users have different needs, depending on their role – what a front-office check-in staff member and scheduler needs differs from what a back-office nurse needs, which differs from what the clinician needs.

Similarly, what a Family Physician needs from an EHR may be quite different from what an Orthopedist needs, or what an Oncologist needs. Such workflow needs are beyond simply presenting a different set of charting templates (though that is certainly a start). Though not fully actualized presently, modern SaaS-based technology can move in this direction – the result being that, upon login to a SaaS-based product, the features presented by default (the UI) will vary depending on specialty, role, and individual preferences.

Learning curve
One of the biggest fears about moving from a paper medical record environment to an electronic one is the concern about a prolonged learning curve and a consequent dip in productivity. This dip in productivity (i.e. income stream) can be significant (e.g. 20%) and can last a long time (e.g. months). This is especially concerning for small primary care practices that run very close to the margin – small perturbations in income stream can mean running at a loss. In a fee-for-service system, life as a primary care physician is often a mad hamster-wheel life, with little time for much else other than processing high patient volumes through the office (worthy of an entire tangential blog topic thread). Anything that introduces a slowdown in this frenetic pace is worrisome.

Yet these precise practices are the ones that the Office of the National Coordinator (ONC) wants to get on board with EHRs. Even if the EHR is SaaS-based (minimal IT infrastructure costs), and free, the worry about work slow-down during the adoption phase is an obstacle to adoption and use of an EHR in a meaningful way.

Thus, regardless of the style of EHR deployment, the burden is on EHR developers and vendors to create products that minimize the learning curve. Usability is paramount. Incorporation of user suggestions into the product is very important.

A lightweight, intuitive, responsive EHR is the goal for all of us who are creating the tools needed in order to achieve the transformation of U.S. healthcare from a paper-based legacy to a modern electronically-connected one.


Robert Rowley, MD
Chief Medical Officer, Practice Fusion, Inc.


Monday, March 8, 2010

Strategic Innovation in Health Care

The United States is an unquestioned world leader in medical innovation. The fruits of our creativity can be seen in astoundingly clear MRI images and in expressions on the faces of organ transplant recipients that have regained fulfilling, productive lives.

Medical innovation also creates jobs for US citizens. The medical device and health information technology sectors are particularly hot in this regard right now. Practice Fusion, for example, expects to hire nearly 100 new people this year, tripling our current headcount.

And medical innovation creates new knowledge and highly-skilled workers that will prove critical to our nation’s success in an increasingly competitive global economy.

But the news isn’t all good about medical innovation. For one thing, it drives up the cost of health care. Thirty years’ worth of public demand for the newest medicines and latest high-tech devices has pushed medical cost inflation far beyond what has been observed in other sectors of the US economy. This spiral was thought to be unsustainable even before the current era of enormous public deficits and sluggish economic growth.

Is it wise to be developing ever more sophisticated – and expensive – imaging technology and surgical implants that have low marginal benefits compared with existing versions? Do we care that such innovations widen access disparities to the highest quality healthcare in our country?

Thought of this way, medical innovation is a double-edged sword: we can cut payment for innovative products that improve care but at a high marginal cost, but doing that will dampen the job creation and knowledge-development that our economy desperately needs.

Is There Another Way?
What we need to do is re-examine how and where we innovate. We need to abandon or at least reduce our focus on "incremental innovation," in which we strive to produce ever-more sophisticated versions of existing technologies, and focus instead on innovations that either reduce the cost of health care delivery or make it more accessible.

Telemedicine, remote monitoring devices and portable ultrasound devices hold promise in this regard. They let more people get treatment, make better use of medical manpower, and shift treatment to less expensive settings.

Beyond this lies something I’ll call Strategic Innovation. Strategic Innovation means redefining business models so as to promote deployment of new products and services at lower costs to providers—and hence the government, which uses taxpayer dollars to pay for them via Medicare, Medicaid, SCHIP and so forth.

This is what Practice Fusion has done by offering a fully-functioning EHR for free to providers. In an instant, our ad-supported product eliminates license fees, training fees, transaction fees and update fees that providers, and ultimately the government, previously had to absorb. In an instant, solo and small group practices can access quality improving, cost reducing EHR technology that had previously been unaffordable for them…and leverage it on behalf of their patients.

There’s more. Practice Fusion’s Strategic Innovation aligns our interests with those of the providers we serve. We don’t get paid unless providers use our EHR, so we listen when providers tell us how we can be better. And we are driven to help providers use the EHR more and more…which is exactly what the government wants.

In contrast, the traditional EHR vendor business model creates few incentives for vendors to be customer-focused. Is it even in their interest to promote utilization of their systems once they have made a sale?

Glenn Laffel, MD, PhD
Sr. VP Clinical Affairs, Practice Fusion


Friday, March 5, 2010

HIMSS Shows What's Right and Wrong in Today's HIT

#HIMSS10 in Atlanta is done and dusted.

The conference was an exhausting but gratifying experience for Emily, Kellie, Ryan and me, the 4 folks from Practice Fusion who were lucky enough to attend. We met so many people who wished us well and want us to succeed…it was overwhelming. We thank each and every one of you for your kind wishes.

And we 4 owe a heartfelt ‘thank you’ to every other member of the Practice Fusion team who could not attend HIMSS: your energy and creativity are driving our rapid rise.

The massive conference left attendees with a million memories: it was part carnival, part inspirational and part heartburn (unless you normally eat breakfast at Papa John’s).

A highlight for us was ONC-boss David Blumenthal’s visit to the Practice Fusion booth. Long ago, I reported to Dr. Blumenthal when he was Sr. VP for Clinical Affairs at Brigham and Women’s Hospital in Boston. We even published a paper together in JAMA back in the day. The man hasn’t changed at all: his reasoned approach to things, his listening skills, and his unwavering commitment to public service and the greater good were present 20 years ago and they’re still there.

It feels to me like Dr. Blumenthal has been prepping for his entire career to fill the role he now holds, and he is not about to swing and miss.

And the man has surrounded himself with an exceptionally talented staff—many of whom we met at HIMSS as well. These people believe they can make a difference in health care, and they are doing just that. I was stunned to learn at HIMSS that ONC has only 55 employees right now, but after meeting these folks I have some understanding for how such a small number of people can manage to have made such a profound impact in so short a period of time.

Almost as striking to me was the World's Fair atmosphere in the exhibit hall, which was created by palatial booths of many legacy EHR vendors. Some of these booths were larger than my home. They were bathed in soft backlighting. They featured perfectly coordinated color schemes, plush carpeting, and more HD TV screens than a sports bar on Super Bowl Sunday.

In short, they were waaay over-the-top, and they represented everything that is wrong in HIT today.

These exhibits reminded me of the spectacle that unfolded 16 months ago when the CEOs of the big three automakers flew to Washington on private luxury jets to plead for $25 billion in taxpayer money to avoid bankruptcy.

What can these EHR vendors be thinking? Indeed, what must Dr. Blumenthal be thinking when he sees these cathedrals?

HITECH, lest we forget, is a taxpayer-supported program that was born out of the Great Economic Crisis of 2008, a near-disaster that is only now easing, and not all that fast, either. Millions of US citizens are out of work and down on their luck, and a central premise behind HITECH and the ARRA legislation it belongs to was to help these folks get back on their feet.

Now, it’s certainly not the fault of the legacy EHR vendors that the promise of HITECH cash has fueled investor speculation and soaring HIT stock prices. But the idea that part of this investment has found its way into the designer booths and Armani suits of legacy EHR vendors is abhorrent.

Surely a toned-down display would have been more appropriate given the hard times so many millions of Americans face right now. Surely some of that shareholder money could have been used to create more jobs or fueled more innovation by these companies so they could cut prices on their systems, enable more providers to afford them, and ultimately to allow more US citizens to benefit from the promise of HIT.

The contrast I witnessed in Atlanta, between the right-minded, super-capable public servants that came by our booth, and the large shadows these other booths cast over our modest footprint at HIMSS was something I’ll not soon forget.

Glenn Laffel, MD, PhD
Sr. VP Clinical Affairs, Practice Fusion


Thursday, March 4, 2010

Rules for designating EHR Certification bodies now defined

On Tuesday, March 2nd, the Office of the National Coordinator (ONC) for Health IT released a new Notice of Proposed Rulemaking (NPRM) detailing how Certifying Bodies will go about testing and certifying EHRs. Using HHS-certified EHRs is required for physicians to have access to ARRA/HITECH incentive funds that will begin to become available in 2011.

Previously, the Centers for Medicare and Medicaid Services (CMS) had released a Meaningful Use NPRM, which is currently in the 60-day open comment period. This proposal specifies the 25 different categories of Meaningful Use that a physician needs to demonstrate in order to be eligible for incentive money – although these proposals have undergone modification and won’t be finalized until after March 15th.

Simultaneously, the ONC released an Interim Final Rule (IFR) on Certification, which details the capabilities an EHR system must have in order to become certified. Notably, the IFR introduced the concept of “Certified EHR Technology,” acknowledging that it may be unlikely for a single product to be able to address all 25 categories. Certified EHR Technology can be achieved either through a single Certified EHR (which does everything in one package), or through a collection of EHR Modules, each of which is certified to accomplish one or several of the categories and which can be mixed-and-matched to achieve the desired overall functionality.

What was missing was the process of designating ONC-Authorized Testing and Certification Bodies (a new acronym in the space: ONC-ATCB). Up until now, CCHIT and Drummond have expressed interest in becoming such Certification Bodies, though others may also follow suit now that the process is better defined. An easier-to-manage bookmarked copy of the NPRM can be found here.

This new document introduces a new concept. Given that little time remains before certification of EHRs needs to be in place for the 2011 deadline (and we have expressed our concern about this previously), the new NPRM describes (1) Temporary Certification, and (2) Permanent Certification.

The Temporary Certification for ONC-ATCBs is a short-term stopgap, and the open comment period for this part of the NPRM is 30 days (it is 60 days for comments on the Permanent Certification portion of the NPRM). It is intended to cover the period from Q2 2010, and sunset after Q1 2012; Permanent Certification will begin Q1 2012 and continue on an ongoing basis subsequently.

We certainly applaud the release of the detailed process by which EHR Certification can proceed, and understand the reasoning behind a quick Temporary process, to be followed by a Permanent process down the road.

The main concern I would pose is this one: when the doors open up and one or more ONC-ATCBs are designated, there will be a crush of vendors (estimated 180+ different vendors in the EHR space) cramming to get in the door simultaneously, seeking certification. What if a vendor fails one or more Modules? Do they have to go to the back of the line for re-examination? Will that impede the designation of Certified EHRs and hamper overall EHR adoption (which is, after all, the whole purpose behind this process)?

A method to consider is how the Joint Commission for Accreditation of Healthcare Organizations (JCAHO) goes about accrediting hospitals and other healthcare organizations. The accreditation process is intensive and detailed, as anyone who has been through a JCAHO survey will attest. A few hospitals, those that fail the survey badly, will lose their accreditation status. A few hospitals, at the other end of the spectrum, will become accredited with no contingencies. Most hospitals will have a few findings that don’t quite “make the mark” in some areas, but will be granted accreditation “with contingencies” – these contingencies will subsequently be re-addressed by a focused follow-up survey to ensure that compliance with the regulations has been met.

This may be a good model to follow. If Temporary Certification in a given module is pretty close (is “90% there”), then Certification “with contingencies” may still allow for designation of Certification status (and thus allow the vendor to help physicians meet Meaningful Use in time for 2011) – and the contingencies need to be cleaned up in a short, focused period of time (perhaps by the time of Permanent Certification).

Exactly how each ONC-ATCB will function remains to be seen. We’ll see how certification happens in a way that balances “getting very good product out the door quickly” with certifying EHRs that are safe and effective. Following the JCAHO model of accreditation (with or without contingencies) might be a good lesson to learn from experience in an adjacent field.

But the gates are open, and candidate organizations that wish to become Authorized Testing and Certification Bodies are now able to step forward.


Robert Rowley, MD
Chief Medical Officer, Practice Fusion, Inc.


Wednesday, March 3, 2010

Regulating EHR Safety (II): Post-Market Surveillance

We have argued previously that ONC has an obligation to assure that EHRs are safe and effective, and that a two-part regulatory strategy could achieve this goal without hindering ONC’s primary mission to foster rapid uptake of EHRs by US providers.

In Monday’s post, we reviewed the first part of this strategy, which is to extend EHR certification to include more patient safety criteria than they do currently. Here, we outline the second part, a post-market surveillance system governing EHR safety.

Introduction
HITECH is based on the assumption that EHRs can help achieve many of the goals we share for improving our health system, including improved quality, reduced costs and efficient responses to public health emergencies.

Few believe this assumption is flat-out wrong, but the scientific literature contains surprisingly few studies which confirm that EHRs are safe, and these are offset by others showing EHRs actually cause safety incidents and patient harm.

Concerns about EHR safety were raised recently by Jeffrey Shuren, the director of the FDA’s Center for Devices and Radiological Health. He noted in public testimony last week that his agency received reports of 6 deaths and dozens of injuries associated with EHRs in the last 2 years alone.

The incidents included patient mix-ups, misfiled test results and failure to display allergy information, among other things.

The frequency of such incidents might be expected to increase as HITECH incentives drive hospitals to adopt EHRs. This is because legacy EHR vendors have neither the manpower nor the platform/software flexibility to handle the flood of customization projects required to accommodate local workflows.

Post-Market Safety Surveillance for EHRs
To address the problem, ONC should implement a mandatory EHR/Patient Safety reporting system that requires providers and vendors to report safety-related issues to a national clearinghouse, whether they have caused harm to patients or simply have the potential to do so.

The idea of a national clearinghouse for EHR safety--which is a form of post-market surveillance--was first proposed by Walker et al. In their proposal, vendors can see all incidents in the database, in anonymized form. Scientists have access to the anonymized data as well.

The clearinghouse should categorize safety issues to facilitate analysis. Although a proper taxonomy of EHR-related safety issues has not yet been developed, it should be possible to leverage related work in the narrower field of computerized physician order entry to develop such a system.

Once an EHR-related safety concern has been logged into the clearinghouse, ONC must alert several groups including affected customers and, if the concern is generalizable to other EHRs, their users as well. Of course the EHR vendor must then also address the issue to the satisfaction of ONC.

In addition to a clearinghouse, Sittig and Classen recommend that ONC establish an EHR Adverse Event Investigation Board which can investigate and publicize serious adverse events or hazards involving EHRs. This agency would function like the National Transportation Safety Board does when it investigates airline disasters.

In particular, it would analyze the complex, sociotechnical interactions between clinicians and EHRs that lead to the mishap, and report its findings to ONC, EHR vendors, providers and the public for learning purposes. The board would have unlimited access to all aspects of the EHR, including system backups and change logs.

Conclusions
Frankly, neither EHR vendors nor the regulatory agencies overseeing them have systems in place to assure that EHRs are safe. EHRs profoundly impact clinical workflows and provider communication patterns, especially in hospital settings, so it is essential to establish mechanisms assuring they are indeed safe. A post-market surveillance system can meet this objective without impeding the government-desired roll-out of EHRs throughout the US health care system.

Glenn Laffel, MD, PhD
Sr. VP Clinical Affairs, Practice Fusion


Tuesday, March 2, 2010

ONC unveils another step toward a Health Internet

Step by step, the Office of the National Coordinator (ONC) for health IT has been opening the door and embracing modern technologies, as it tries to knit together a network of interconnected Electronic Health Records (EHR) systems.

The most recent step in this direction was the unveiling on February 26th of a free, open-source tool called “popHealth” which can be used by healthcare providers and EHR vendors to pull clinical data from their own systems and do their own population care analysis.

The goal of popHealth is to simplify the reporting of summary quality measures and streamline the exchange of such data. One of the measures of Meaningful Use requires the reporting of quality measures and public health data – this tool is designed to help providers submit such data as part of their existing workflow.

Of note, this new prototype tool uses established standards, and is web-based. For web-based EHR vendors, incorporating such a tool is relatively straightforward and can be rolled into a combined offering to physician end-users. For vendors of legacy, non-web-based EHR software, this tool may need to sit side-by-side with their existing user interfaces, but it should still piggy-back onto legacy systems (though it may require the help of IT support staff or consultants to get it all hooked up right).

Taking a step back, the release of such a web-based, open-source solution by the ONC represents a trend that is quite heartening. Traditionally, the ONC has supported the build-out of the Nationwide Health Information Network (NHIN), which is a “network of networks” comprised of multiple local and regional Health Information Exchanges (HIEs). HIEs have been traditionally supported by legacy EHR vendors, and upload of data to them has been difficult to implement – the result has been that large sums of money have been spent on creating and supporting these regional databases, yet to date no “galloping herds” of local physicians have been uploading their EHR data to them.

At the same time, the ONC has begun to embrace the concept of the “Health Internet” – a more consumer-focused platform comprised of discrete, substitutable, modular applications, rather than the traditional HIE approach of massive, consolidated (and somewhat proprietary) networks. The Health Internet is web-based. It is also more market-driven, develops rapidly, and looks to the ONC mainly for standards definition rather than for subsidy.

The release of a web-based, open source tool by the ONC to assist in quality metric reporting is another step towards embracing a “Health Internet” approach. It is a step toward the goal of an interconnected, coordinated electronic health infrastructure that can support the development of a transformed health delivery system. Plug-and-play, modular, web-based pieces of health IT will likely be more successful in achieving this goal than will build-out of increasingly massive, and increasingly expensive legacy systems and networks. We applaud the ONC in this step forward.


Robert Rowley, MD
Chief Medical Officer, Practice Fusion, Inc.



Meet the EHR Experts

Glenn Laffel, MD, PhD - Dr. Laffel is a physician with a PhD in Health Policy from MIT and serves as Practice Fusion's Senior VP, Clinical Affairs.

Robert Rowley, MD - Dr. Rowley is a family practice physician and Practice Fusion’s Chief Medical Officer.


About Practice Fusion

Insight from doctors and industry leaders on EHR and healthcare IT topics. Free, web-based Electronic Health Record solutions from Practice Fusion.

http://www.practicefusion.com
