Over the past years, I have had the chance to get in contact with many of the Laboratory Information Systems (LIS) available on the market.
And when I look back and try to analyse them from a safe distance, I get the feeling that they all have more similarities than differences.
They all share some common goals:
damn, look like a virus to me!!!
They all try to reach different types of labs, try to do different tasks, try to manage different business environments, try to adapt by all means to the circumstances, etc. And in doing so they all seem to lose their backbone.
Sometimes it is wise to stop and accept that your software is not tailored to manage all the information concerning your lab.
Let me give you an example: a good clinical management software does not have to be a good stock management software.
Maybe your software is great at communicating with lab analysers, but maybe it is terrible at data mining.
And sooner or later the Lab Manager will ask himself why he is carrying this huge, complicated, heavy, inflexible tool, when most of the time he only needs a small tool and only occasionally will he need ‘the big stuff’.
Surely he will wonder, “wouldn’t it be nice to modularize my software, use it as I need, and hope my ‘modules’ communicate with each other nicely?”
I’ve been in that (in)decisive situation over the past year. Between two house moves, managing family priorities among everything else, this blog has been stalled.
I’ve decided to try to give the blog a new chance.
Hope this is a good decision.
There was a generous reference to my blog, from DarkDaily that I’d like to share with everybody:
“Geek in the Lab
Pedro Fonseca has been an IT healthcare specialist for more than 15 years. It is clear while poking through Geek in the Lab that Fonseca is passionate about information technology as it relates to healthcare. “Geek in the Lab” is laid out so that IT professionals can keep up with the latest in healthcare technology, but it is written in a way that is accessible to the layman. While many similar blogs are full of difficult-to-understand technical jargon, Fonseca makes sure his blog is easy for all readers to understand. Far from a “How To” advice column, “Geek in the Lab” keeps track of healthcare IT trends and offers observations on how they may impact the big picture. Fonseca’s “Gadget of the Week” gives readers a glimpse of the latest in IT tech.”
Thanks to Robert L. Michel and his team for such kind words, and keep up the good work.
In my last post I stated that login/password is not secure.
Maybe the problem resides not in the ‘technology’ but, as so often, in the human factor.
In fact, the main problem is not the login/password procedure itself, but the way you use it.
So, in order to study my customers’ passwords, I tried to create several simple rules to determine whether the passwords they use are easily crackable or not.
I did this study using data from a hospital with 400 user accounts.
Let me remind you that, although our software has several rules implemented for password management, we were asked to turn them off. These rules include:
- time validity
- minimum chars used
- time period for using the same password
- among others.
So, the rules I came up with are 10 very simple, common-sense rules:
Rule 1: Verify whether the users ever changed their password (12% didn’t, meaning that they still use the original random password assigned to them)
Rule 2: Verify whether the password is the same as the login (4% use password=login)
Rule 3: Verify whether the password is the institution name (1%)
Rule 4: Verify whether the password is the application name (4%)
Rule 5: Verify whether the password is the official employee number (14% use their official number, which is published in every institution document)
Rule 6: Verify whether the password is a number between 1900 and 2009 (25% use a year as password)
Rule 7: Verify whether the password is a 4-digit number, other than the Rule 5 case (5%)
Rule 8: Verify whether the password is the user’s first name (2%)
Rule 9: Verify whether the password is the user’s last name (1% use their last name, although I haven’t tried maiden names)
Rule 10: Verify whether the password is a Portuguese name (3% use Portuguese names, which I suppose to be children’s names or wife/husband names)
These 10 simple rules allowed me to crack 71% of the 400 user account passwords, meaning 284 user accounts.
I suppose that if I applied these rules to the same users on different applications, I would get similar results, because the crackable passwords were personal data.
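The ten rules above, written as a password-policy checker that an administrator could run over an account export to find the same weak patterns before anyone else does. This is an added example, not the blog's own tool; the institution name, application name, the tiny Portuguese name list and the sample accounts are all constructed placeholders.

```python
from dataclasses import dataclass

INSTITUTION = "hospitalx"   # assumed institution name (placeholder)
APPLICATION = "labapp"      # assumed application name (placeholder)
PORTUGUESE_NAMES = {"joao", "maria", "ana", "rita"}  # constructed short list

@dataclass
class Account:
    login: str
    password: str
    first_name: str
    last_name: str
    employee_no: str
    changed_initial: bool  # False: still on the random password assigned at creation

def weak_rule(a):
    # Return the first rule number (1-10) the password fails, or None if it passes all.
    p = a.password.strip().lower()
    four_digits = p.isdigit() and len(p) == 4
    checks = [
        (1, not a.changed_initial),
        (2, p == a.login.lower()),
        (3, p == INSTITUTION),
        (4, p == APPLICATION),
        (5, p == a.employee_no.lower()),
        (6, four_digits and 1900 <= int(p) <= 2009),   # a year as password
        (7, four_digits),                                # any other 4-digit PIN (after 5 and 6)
        (8, p == a.first_name.lower()),
        (9, p == a.last_name.lower()),
        (10, p in PORTUGUESE_NAMES),
    ]
    return next((r for r, hit in checks if hit), None)

def audit(accounts):
    # Hits per rule, plus the fraction of accounts caught by any rule.
    hits = {}
    for a in accounts:
        r = weak_rule(a)
        if r is not None:
            hits[r] = hits.get(r, 0) + 1
    cracked = sum(hits.values())
    return hits, (cracked / len(accounts) if accounts else 0.0)

# Constructed sample accounts, not real hospital data.
SAMPLE = [
    Account("jsilva", "x7Qk!p2", "Joao", "Silva", "10234", False),
    Account("mcosta", "mcosta", "Maria", "Costa", "10456", True),
    Account("rpires", "1978", "Rita", "Pires", "10789", True),
    Account("alopes", "10901", "Ana", "Lopes", "10901", True),
    Account("tneves", "Tr0ub4dor&3", "Tiago", "Neves", "11002", True),
]
```

Rule order matters: an employee number or a year that happens to be four digits is attributed to Rule 5 or 6, so Rule 7 only counts the remaining PINs, as in the post's percentages.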
“Do you really think your health data is safe?”
Let’s ban login/password NOW!
I’ve been working in hospital labs for several years, and have followed the IT evolution in this sector. In the beginning, the lab was an island, and the information was secured by physical barriers. The network was restricted to the laboratory, and access to the software wasn’t password protected.
Then the hospitals began to connect the several ‘islands’ and to implement a centralized infrastructure.
It was the beginning of domains, and the user’s first contact with logins and passwords.
Then, rapidly, there was a proliferation of software, and each one had different logins and passwords. There was administrative software, clinical, image, lab, infection control, then the intranets and portals appeared, and before long the user noticed he had more logins and passwords than he could possibly manage and memorize.
One of the first reactions from users was to unify passwords. But then some of them had a time limit and others did not, and it was a Herculean task to manage all this information.
Some hospitals tried to implement Single Sign-On, others tried to ease access through digital ID cards. But the most common access control is still login/password.
And why should login/password be banned?
Because it is not secure!
To prove this I made some tests attempting to figure out what the users’ passwords were in several databases installed in different hospitals.
The results leave no doubt that this method is not secure: more than 70% of the passwords were broken by the first 10 rules.
On the next post, I’ll describe the tests I made and the results I got.
Remember the Star Wars scene in which R2D2 projects a three-dimensional image of a troubled Princess Leia delivering a call for help to Luke Skywalker and his allies? What used to be science fiction is now close to becoming reality thanks to a breakthrough in 3D holographic imaging technology developed at the University of Arizona College of Optical Sciences.
A team led by optical sciences professor Nasser Peyghambarian developed a new type of holographic telepresence that allows the projection of a three-dimensional, moving image without the need for special eyewear such as 3D glasses or other auxiliary devices. The technology is likely to take applications ranging from telemedicine, advertising, updatable 3D maps and entertainment to a new level.
The journal Nature chose the technology to feature on the cover of its Nov. 4 issue.
This item caught my eye in the latest ACM TechNews e-newsletter. Loads of possibilities! Wish I had time to speculate more on it, but today is a busy day.
A leading Australian expert in infectious diseases says people who use the display iPads and iPhones at Apple stores are risking serious infections, and that the company should do more to maintain hygiene.
Another good reason to carry that little bottle of Purell® with you when you go to the mall...
While continuing to poke around on the HealthSystemCIO site today (thanks to the Clinical Groupware Collaborative for the pointer, BTW), I came across a very insightful piece from Dan Morreale on the possibility that stand-alone EHRs may be obsolete.
Without a doubt, EHRs play a vital role within our traditional healthcare delivery model, characterized by independent physician practices and well-defined care delivery systems. As the pace of change has accelerated, however, we have to question how well the EHR — as a stand-alone information silo lacking longitudinal context — is able to handle the demands of coordinated delivery models. It’s time to forget and rethink the model.
Essentially, the problem with existing EHRs is that they are a) hospital-centric, and b) payment-oriented.
Hospital centricity means they are targeted at the large enterprise rather than at small businesses (like most primary care practices and IPAs). An enterprise can impose software on its employees. A small business must have systems that its staff (especially clinicians) find useful, and most EHRs aren't especially useful to primary care providers (PCPs) in the patient encounter.
Nor were they designed to be -- I'm not roasting the EMR community for designing to the requirements of their target market. A PCP's information requirements are very different from those of the specialist or hospitalist dealing with a patient in the hospital for (in most cases) a previously diagnosed condition with a pre-existing plan of care. PCPs deal with often-nebulous complaints that may take more than one visit to pin down into a definitive diagnosis.
Moreover, care planning for the ambulatory patient, especially those with multiple serious chronic conditions, must take many more factors into account than the in-patient setting. The patient's home- and community-based informal and paraprofessional support network must be taken into account. Those traditional EHRs that capture such information, and not all do, may nonetheless fail to provide timely access to it.
Because the PCP in an ambulatory practice is ordinarily the decision-maker as well as primary beneficiary of the benefits of an EMR system, and because the PCP's business model requires very careful analysis of costs and benefits, health IT in the ambulatory setting is better viewed as "groupware" rather than enterprise IT. Groupware developers must address key challenges in order to develop systems that are worth more than they cost. Disparities in work and benefit, unobtrusive accessibility, and failures of intuition are all too common in groupware applications, leading to failure to achieve the critical mass needed to tip the organization into an IT-driven mode of operation.
The traditional EMR's payment orientation is apparent in an information model that uses ICD-9 for diagnoses and CPT for procedures. These are fine for the in-patient world, but don't capture enough clinical detail for the PCP's purposes, especially with respect to nebulous issues and less-than-certain diagnoses that will take time and more visits to clarify.
Emerging multidisciplinary models of care offer the promise of higher quality for patients and reduced costs for the healthcare industry. These new approaches – including patient-centered medical home (PCMH) and accountable care organizations (ACOs) – harness the power of collaboration among primary care providers, specialists, hospitals, health systems, payers and patients to deliver focused, effective and coordinated care.
To fulfill their promise, however, these models require a different toolset than traditionally has been available to the healthcare market. EHRs, while evidence of technological progress in the industry, were designed to support a provider- and hospital-centric approach to care. As such, they are not fully equipped to catapult the industry towards the collaborative strategy preferred today. ACOs, PCMHs and other approaches will rely upon a platform that facilitates collaboration beyond the enterprise and across the community to achieve multidisciplinary care coordination.
In many ways, the initiatives mentioned in the last paragraph are more important to the PCP than Meaningful Use as defined in the HITECH incentives. ACOs and PCMHs have the potential to provide the right kind of incentive for PCPs to adopt health IT. The only thing missing from that long-term picture is a comprehensive, groupware-oriented IT system tailored to the PCP's requirements.
Rather than requiring all eligible providers and hospitals fill out what is generally the same checklist for Meaningful Use, organizations which prove they are achieving outcomes far beyond the norm could qualify right off the bat, suggested National Coordinator for Healthcare IT David Blumenthal, M.D., at the October HIT Policy Committee meeting.
HealthSystemCIO's Anthony Guerra posted a brief report suggesting that maybe there will be different ways to meet the Meaningful Use (MU) criteria. Or maybe different criteria, I can't quite tell from his remarks.
Just what every family practitioner needs right now -- more uncertainty about HITECH! It's not surprising that a wait-and-see approach may be the path of the vast majority in the 2011 first round of MU.
We at Cielo are hard at work on activities leading to MU certification, but we are working hardest on meeting a higher standard, Meaningful Usability.
A primary care provider may find that their newfangled IT system gets in the way of delivering quality care at the same time they are purportedly documenting it. That may be Meaningful Use by HITECH standards, but it's not Meaningful Usability. We are on track to deliver a system that improves the quality of the patient encounter in addition to documenting the improvement for HITECH and other P4P/P4R purposes.