John Halamka presents his ideas about the major issues for 2012..
ICD10 - John predicts 25% of IT capacity will be consumed by ICD10 this year. Not good...
Meaningful Use Stage 2 including inpatient clinical documentation - now this is exciting. Potential criteria will likely include improvements to clinical records that improve care coordination and communication between providers. John suggested use of templates and social-networking like group documentation.
ACO Planning - The reform changes for ACOs will include focus on prevention and wellness. New business intelligence (BI) and clinical decision support (CDS) capabilities will be helpful in meeting these goals.
Compliance - Compliance issues will include "conflict of interest tracking, learning management systems for compliance education, and enhanced revenue cycle systems that provide decision support."
Security - yes, the past year had a long list of data breaches, malware, and mobile devices so security of PHI must be improved, particularly if we intend to move clinical decision support to the bedside or engage in Health Information Exchanges.
NPR topics presents a summary of the impact to the Affordable Care Act in a discussion between Audie Cornish and Noam Levey of the Los Angeles Times.
Looking for best of breed HIPAA Training?
To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.
Recently the ONC posted on the Health IT Buzz Blog about the "challenges providers face in achieving Meaningful Use of electronic health records (EHRs)."
The concept of "useability" has long been known in other industries where new technology or applications enter the workplace. Some time ago I wrote about usability of health IT, however I expanded the definition to include a few more "E-bilities" as shown in the following graphic contained in the post: Part 4 of The Value of the Internet for Improving Healthcare.
This is the last post in the series and it focuses on capabilities, or "e-bilities" of technology to improve healthcare. Regardless of the mode of use (e.g. email or internet), technology must be easy to use, secure, reliable, and accessible.
For the past year, the SHARPC-Project 1 has focused on making use of technology easier for clinicians. One ONC staff member, Jacob Reider, MD had some interesting comments that focused on "The User Experience." His comments spanned the continuum of User Experience with a framework for how tools and/or applications can/should evolve.
Functional (it does what it is claimed to do)
Reliable (it works consistently)
Usable (it works in a way that is consistent with the user’s expectations)
Meaningful (it does something important or valuable)
Pleasurable (it is enjoyable to use)
So, I will end with one thought. Even if the system meets "Useability" standards for clinicians, achieving quality health data analytics still requires that accurate, timely and quality data is entered into the EHR avoiding the Garbage In-Garbage Out phenomenon.
This article in Healthcare IT News caught my eye. A white paper written by the Care Continuum Alliance described significant market movement toward accountability and value driven healthcare outcomes as a result of collaborative models, such as ACOs. However, there are 8 key issues that could affect population health management in 2012:
Each of these items contains a plethora of complex issues that will require agreement, alignment, and cooperation between distinct parties. In order to simplify my thoughts on this topic, I offer the following.
Accountable care and collaborative models certainly provide the opportunity with electronic records to capture and disseminate research and/or de-identified clinical data for surveillance. The link to "accountability" also provides the impetus to develop predictive analytics, a personal favorite.
It is well known that mobile technology, including smart phones, are changing the nature of "computer use" and internet access. According to the article the author stated that "a patient-centered, consumer-empowered, pull-rather-than-push model will dominate, with social media in a position of importance."
Reducing re-admissions? Well, we should already be doing this, unfortunately the quality of healthcare in certain situations, or the variable factors in a patient's condition and care makes this a tough goal to reach all the time. However, Medicare tracking is looking a 3 conditions - heart failure, acute myocardial infarction and pneumonia.
Finally, the other items tout the value of competitive forces in healthcare resulting from support of "insourced programs," development of health insurance exchanges in 2014, and the single idea that is near and dear to a nurse - support for prevention and wellness!
Prevention and wellness has not been a priority for most clinicians due to its non-reimbursable status. Let's hope that changes. Since the Prevention and Public Health Fund is under discussion, Medicare added annual wellness visits and expanded coverage of obesity and cardiovascular disease prevention services.
2012 brings a year of great change and challenge. Best wishes to all for a safe, happy, and prosperous new year!
As clinicians, do we ever wonder how excellent patient care can be achieved? Do we become too involved in our deadlines, our tasks, or our own needs and lack the time to reflect and to improve? It is certainly an issue in today's healthcare environment as the delivery of care changes in the path to Meaningful Use...
Well, I watched this video today, posted by Brian Ahier. It is an epic portrait of how one individual came up with an idea that would provide quality care/experience to customers.
Click this link to watch the video - a moving and heart-felt story.
May you have a Happy and Safe Holiday Season!
The HIPAA Survival Guide's Privacy Rule Under HITECH Webinar will help get you up to speed on how the HITECH Act has impacted the HIPAA Privacy Rule and how marketplace trends are impacting it as well. The webinar will walk you through the Privacy Rule and discuss the effect that the HITECH Act has had under three major sections: 1) uses and disclosures of PHI contained in sections §164.502 through §164.514; 2) the Patient's Bill of Rights contained in sections §164.520 through §164.528; and 3) the Administrative Requirements contained in Section §164.530.
Date: December 13, 2011.
Time: 2:00 to 3:30 EST.
To register CLICK HERE.
Looking for best of breed HIPAA Training?
To stay current on the HITECH Act and its quickly changing regulatory scheme visit the HITECH Survival Guide website and/or sign up for our free monthly compliance newsletter. Also, check out our FREE EHR Checklist.
I just have three things to say. First of all, the word is pronounced PRE-scription not PER-scription.
Secondly, if we’re talking medicinal, you want to know something that is broken in the health care system? I’ll tell you: pharmacies. What value does a pharmacist add? None. They can be immediately replaced by vending machines and websites (thx, Zach.) I can read my own labels, thank you very much.
Finally, why are many non-addictive medications by prescription anyway? Here’s an example: ibuprofen. You can buy OTC ibuprofen, and they usually come in 200mg tablets. 200mg doesn’t do anything useful, so what do people do? They take 4-8 of them. If you go to a doctor with a bad headache, they’ll prescribe you ibuprofen in 800mg tablets. I’m sorry Mom, but that’s retarded. Ibuprofen doesn’t need to be by prescription. Here’s another: Liptor. Lipitor is used for reducing cholesterol. “But wait,” Mr. Wily protests, “what if a user bought Lipitor and decided to take more than the label suggested? That would be bad.” Indeed, but the side effects of Lipitor are headache and muscle soreness, hardly cause for alarm. On the other hand, too much of lots of OTC drugs can be harmful as well. For example, excessive Tylenol can hurt your liver, but Tylenol isn’t by prescription. Why?
While I’m at it, doctors themselves are close to obsolete. The Internet is making elite bearers of information unnecessary. When I last went to the doctor for a checkup, he GOOGLED a symptom during our visit. GOOGLED. I can google. Thanks for charging me for your web surfing.
What’s wrong with Medicine today?
Let’s design the most inefficient, error-prone, hackable system for transmitting medical information.
We’ll start by having persons with notorious handwriting, doctors, scribble in code onto a piece of paper.
Then, the afflicted person (the patient) jams that paper into their pants’ pocket and carries it down to a non-doctor (a pharmacy tech), who attempts to decipher the information and enter it into the computer.
If it’s a new pharmacy or a new doctor, they have NO IDEA what you’ve been prescribed before, or what you’re currently taking.
Why, why, why?
Actor George Clooney was admitted last month to the the Palisades Medical Center after a motorcycle accident. The temptation to look at Mr. Clooney’s medical file was just too much a couple dozen unauthorized employees to withstand. 27 people looked. 27 people are now suspended for a month without pay according to CNN.com. Sadly, the impetus for the investigation was not that they viewed Clooney’s records without cause, but that they leaked information to the press… HIPAA, it’s got (some) teeth now.
Microsoft, the megalithic, oft-hated vendor of only marginally-useful software, announced today in the Wall Street Journal that it would be offering free personal health records on the Web via its HealthVault system. Why *anyone* would trust the likes of Microsoft with their health information is beyond my comprehension. Still, proving once again that CEOs continue to make technology decisions instead of CIOs, Microsoft managed to signup an impressive roster of partners, including: American Heart Association, Johnson & Johnson LifeScan, NewYork-Presbyterian Hospital, the Mayo Clinic and MedStar Health, a network of seven hospitals in the Baltimore-Washington region.
On the upside, they did get the permissions model right, “Its privacy controls, the company said, are set entirely by the individual, including what information goes in and who gets to see it.” That said, the WSJ article goes on to mention that the data, stripped of some identifiers, will be data mined by third parties.
The news of this launch prompted a Slashdot reader to quip, “[this brings a] whole new meaning [to the blue screen of death.]
Would you trust Microsoft with your personal medical information?!?
It’s no secret that many doctors are, if not technophobic, at least VERY SLOW to implement new technologies. To wit, according to the report called “Health Information Technology in the United States: The Information Base for Progress,” only one in four doctors (24.9 percent) use EHRs to improve how they deliver care to patients.1 Fortunately, our Luddite physician friends are being joined by Gen X’ers, who, having grown up with computers, are not afraid to break out of the restraints of paper forms and charts.
One of these early adopters is Jay Parkinson, MD, MPH (from Penn State and Johns Hopkins.) Jay is an EMR-enabled, private physician practicing in Brooklyn. Jay prefers to “e-visit [his patients] by video chat, IM and Email for problems that don’t require an actual face-to-face visit. It’s the future of cost-effective medicine.” All of that, plus two home/work visits a year for $500.00. Jay also gives out his cellphone to his patients.
Can you video conference with your doctor?
Recently a number of websites have been offering “real age” calculators which, upon asking a number of health/lifestyle questions, attempt to predict how long you will live. The difference between how long you are going to live and how long people live on average determines your “real age.” If, for example, you are a heavy smoker with a family history of heart disease, you might have been born 28 years ago, but your real age could be closer to 35. As a measure of its popularity, even Oprah and her ilk have been jumping on the real age bandwagon.
These real age calculators are not without their faults however.
After seeing the calculator at http://www.poodwaddle.com/realage.htm, I spent a few hours reverse engineering it. healthtech’s real age calculator is an attempt to rectify the aforementioned deficits.
RemedyMD’s tagline is “Better Data, Better Decisions, Better Outcomes,” and you might be tempted to think that better data leads automatically to better decisions, but that is not always the case. More often, it is the application of intelligent analytic algorithms (predictive informatics, if you will) which transforms the raw data into actionable information. A lot of EHR systems collect medical history, for example, but how many of them process that information to produce actionable knowledge?
We were included in a nice article on EMR consulting and it's impact on adoption.
Waldren says it often becomes a quandary for physicians because they don’t have the financial resources or desire to pay for expert advice, but they are reluctant to start the process of EMR adoption due to fears that the wrong decisions will be made. “You need to show value, and you need to build trust. Those are the two things consultants have to answer for,” Waldren emphasizes. “I do see some uptake [with EMR consultants], but I also see that they have a difficult marketing challenge ahead of them [with physicians].”
That pretty much encapsulates both the article and our feelings on the subject. But do click through so you can read my quotes!
Buzz is growing for Sermo, an online information sharing community "developed by physicians, for physicians." Check it out.
Welcome to the only online community where physicians around the nation exchange the latest medical insights with each other and improve patient outcomes - 24/7.
We've posted on Practice Fusion before here and the feedback we've heard was that using "de-identified" patient data to subsidize a free EHR was going to be a serious problem. Practice Fusion just announced a partnership with Google wherein the web-based application will still be delivered for free but now it will be subsidized by advertisements that come up based on keywords in the patients' records. No word as to whether the initial model has been scrapped or if this new concept is complementary. One thing's for certain, it still raises the hackles of privacy advocates.
"It still comes down to the fact the company is using people's sensitive, personal information for profit," said Allison Knight, staff attorney for the Electronic Privacy Information Center in Washington.
We've seen much debate in the past on security and patient privacy. Here's a brief reminder that (as we've argued) security is an ongoing process and not a one time fix.
“There’s nothing in security that you can do once,” says Kate Borten, president of the Marblehead Group, a consulting firm in Marblehead, Mass. “Risk assessment never stops. This is supposed to be ongoing.”
Everyone benefits when organizations focus on putting policies in place that make it more difficult to steal (or lose) sensitive data.
FierceHealthcare.com posts on a recent survey of "550 randomly chosen general internists" that suggests that primary care physicians agree in principle that physicians should be rewarded for a high level of care but are not happy with the current P4P schemes.
While most PCPs felt that physicians should be rewarded for providing high quality care--provided that the measurements were accurate--less than one-third felt that current measures would do the trick. A majority (66 percent) felt that health plans and the government were unlikely to exert the effort to make such measures accurate. Roughly eight out of ten worried that pay for performance schemes would force doctors to avoid high-risk patients--or even kick such patients out of their practices.
Tim Gee at Medical Connectivity Consulting reviews the latest entry on the medical tablet scene.
Did I mention it has a 12 hour battery life? Wow, I'm impressed. We have yet to reach perfection, but this device comes close for a clinician carried use model. This is a very, dare I say, sexy device.
Unfortunately the target market is physicians. There are several large institutions that could spring for a device like this, but nothing like a majority of the hospital market. Another bit of a miss is targeting EMR applications - actual EMR adoption is quite a bit behind all the hype - although the early adopters will probably be the large institutions who might actually buy something like this for their physicians (places like Kaiser, Cleveland Clinic, Mayo and large university teaching hospitals come to mind).
For too many physicians, that conversation is hard to have, and families, too, are reluctant to initiate a discussion about what Mom or Dad might want until they're in a crisis, which isn't the best time to make these kinds of decisions. Ideally, that conversation should begin at the kitchen table with family members, rather than in a doctor's office.It's a conversation you need to have wherever and whenever you can, and the more people you can rope into it, the better! Make this conversation a part of your Thanksgiving weekend, there will be a right moment, you just might not realize how right it was until you begin the conversation.
The audit program serves as a new part of OCR’s health information privacy and security compliance program. OCR will use the audit program to assess HIPAA compliance efforts by a range of covered entities, Audits present a new opportunity to examine mechanisms for compliance, identify best practices and discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews. OCR will broadly share best practices gleaned through the audit process and guidance targeted to observed compliance challenges via this web site and other outreach portals.The OCR HIPAA Audit Program page also provides detail on when the audits will begin, who will be audited, how the audit process will work, and what will happen after the audit. The information indicates that they will select a broad range of covered entities for the first round of audits and that business associates will be included in future audits.
On June 5, 2009 and June 30, 2009, HHS began investigations of two separate complaints alleging that the Covered Entity was in violation of the Privacy and/or Security Rules. The investigations indicated that the following conduct occurred (“Covered Conduct”):
(i) During the period from August 31, 2005 to November 16, 2005, numerous Covered Entity workforce members repeatedly and without a permissible reason examined the electronic protected health information of Covered Entity patients, and during the period from January 31, 2008 to February 2, 2008, numerous Covered Entity workforce members repeatedly and without a permissible reason examined the electronic protected health information of a Covered Entity patient.More information and background can be found in the iHealthBeat article, UCLA Health System Agrees to Pay $865K over Privacy Breaches, including a link to a statement on the settlement issued by UCLH Health System.
(ii) During the period 2005-2008, a workforce member of Covered Entity employed in the office of the Director of Nursing repeatedly and without a permissible reason examined the electronic protected health information of many patients.
(iii) During the period 2005-2008, Covered Entity did not provide and/or did not document the provision of necessary and appropriate Privacy and/or Security Rule training for all members of its workforce to carry out their function within the Covered Entity.
(iv) During the period 2005-2008, Covered Entity failed to apply appropriate sanctions and/or document sanctions on workforce members who impermissibly examined electronic protected health information.
(v) During the period from 2005-2009, Covered Entity failed to implement security measures sufficient to reduce the risks of impermissible access to electronic protected health information by unauthorized users to a reasonable and appropriate level.
I received several items in my email regarding different organizations’ proclamations for 2012. Most of them predict that 2012 will be the year for mHealth to ‘break-out.’ Here are 5 examples:
One might ask, what is mHealth? It has many different definitions and from a product offering perspective could range from texting information on a mobile phone to a provider and/or specifying a provider geographical location to a patient to bi-directional interaction with a medical device to/from an electronic medical record application via mobile phone or telecommunications frequencies (or the medical device could be embedded with the mobile telecommunication appliance). As with the traditional Healthcare industry, as one progresses up the interaction functionality chain, the design and interoperability gets more complex. Most of the latest news items I read about successful mHealth applications describe the ‘easier’ applications: texting, scheduling, location, etc. There is still growth and development in the marketplace for interactive medical-device integrated/connected products. Additionally, from a market perspective, most of the current product offerings are proprietary in nature and vertically integrated.
Mobile telecommunication vendors are keenly interested in providing for the healthcare market. They are closely watching as well as working to influence the regulatory environment. From a provider perspective, this means adding another large player to the mix. You may already provide some internal mobile telecommunications support, but providing healthcare monitoring over that infrastructure changes the rules of the game. In addition, the mobile telecommunications market plays to the consumer market, which has faster turnaround times, and higher customer expectations. The consumer market expects the ability to smoothly transition service when changing a ‘product provider.’ In addition, with social media, the pressures are higher; witness the recent policy and product turnaround of Verizon to a charge for customers using a specific billing mechanism. The healthcare provider is not used to this type of oversight or pressure yet.
Down in the healthcare provider trenches, testing remote monitoring and the use of mobile telecommunications offerings continues. Here in Europe there are two larger projects that are interested in demonstrating the efficacy of remote monitoring. One, the Whole System Demonstrator based in England and their National Health System (NHS), has just published its preliminary results. Another, Renewing Health, is based on a nine European country pilot for remote monitoring of chronic diseases. In the case of the Whole System Demonstrator, initial results have been very positive for the clinical outcomes regarding the use of remote monitoring models for chronic disease management with a “15% reduction in A&E visits, a 20% reduction in emergency admissions, a 14% reduction in elective admissions, a 14% reduction in bed days and an 8% reduction in tariff costs” along with a “45% reduction in mortality rates.”
Renewing Health is still in its trial period, however, the initial technical results have been published. A basic summary of the technical aspects of the nine solutions follows:
This project will be ongoing until 2013 and at the end the results are hoped to strengthen the hypothesis that well designed remote monitoring programs for chronic disease management is as or more effective than care delivered in the traditional manner. There should also be some interesting results from a technical perspective. The market is slowly moving towards providing more standards-based products, however, for the purposes of this project, timing did not allow more adoption of those types of products.
So, with all of the activity described above what should healthcare providers do? I suggest the following:
So is 2012 the year of mHealth? Perhaps. If anything, it will be another exciting year for mobile technology and the convergence of the consumer and healthcare industries. It will be bumpy, but in the end, it should be better for the consumer who usually also happens to be the patient.
A recent Class I recall (not pictured) of a medical monitor with a hospital network connected central station stimulates some generalities about software, “fixes”, and connectivity. (Class I recalls are defined by the FDA as a situation in which there is a reasonable probability that the use of, or exposure to, a violative product will cause serious adverse health consequences or death.)
The use of the product in question was given as:
Curiously only one customer was identified as having received the product, or at least this particular version of the product. While the manufacturer and product in question is a matter of public record, and available at the link, I chose not to include it here because my objective is not to repeat the recall information, but to suggest the reasons for the recall, an associated labeling issue, and offer some general lessons.
The reason given for the recall had two seemingly separate parts. The first is that “The weight-based drug dosage calculation may indicate incorrect recommended values, including a drug dosage up to ten times the indicated dosage”. This sounds like a software problem yet the fix was not to “upgrade” the software but to suggest a workaround. (I love the term upgrade to when applied to fixing something that doesn’t actually work!) According to the FDA the firm’s letter stated that “users should enter the patient’s weight by way of the admin/demographics screen to ensure the drug dosage is calculated as intended.” (I did not find the firm’s letter on its website, but it might be one of those hidden page situations since I did find, with a struggle, two other recalls, though using the search term “recall” produced no results). Again speculating, the workaround sounds like a user dependent way to do something that was supposed to happen automatically. At least part of the value of automation is largely diminished, and opportunities for use error increased, when such additional demands are placed on the user.
The second reason given for the recall was that there may be a 5-10 second delay between the electrocardiogram and blood pressure curves (waveforms) at the central station. This is an interesting technical issue that may be related to software and/or communication protocols. In either case it illustrates that multiple data streams may only be useful if they are properly timed stamped, and then properly aligned at the receiver. Out-of-sync data when subsequently processed either by eye, or automatically, can give erroneous and misleading results that might appear to be correct, i.e. the results could be in the category of erroneous but believable.
For one or both reasons the FDA found that, “This product may cause serious adverse health consequences, including death.” Yet it should be noted that this was a voluntary recall, as most recalls are, despite the fact that people who surely know better reported this as “FDA recalls…”
The FDA announcement goes on to say that the company pointed out that the instructions for use state that: ”For primary monitoring and diagnosis of bedside patients, use the bedside monitor. Use the…Central Station only for remote assessment of a patient’s status.” This sentence seems to be illustrative of the fundamental problem of remote information receivers and integrators that carry a disclaimer that in sum says that you shouldn’t rely on them. But isn’t the ability to rely on it exactly why you bought it? Moreover, promotional materials available on the web do not appear to echo this disclaimer. For example it is stated that ”Applications…enhance patient care management by providing rapid assessment, decision support and clinical reporting.” Does that sound like it isn’t for primary diagnosis? Or does “Data accessible from the…Central Station includes real-time waveforms” sound like those waveforms shouldn’t be used for primary monitoring? For one more example it is said that “arrhythmia events are detected with an unprecedented degree of accuracy.” Accuracy is certainly a good thing, but detecting arrhythmias at the central station when only the beside monitor is to be used for “primary monitoring and diagnosis” appears to be less than highly useful.
Furthermore the statement that the central station is only for remote assessment seems both definitional and contradictory. It is obviously for remote assessment–because it is a central station and thus remote! But then what does “assessment of the patient’s status” mean if not monitoring and diagnosis?
The disclaimer game has been addressed in these pages before. Here it seems to involve a product that is being marketed, sold and bought for exactly the reasons that the manufacturer is saying it shouldn’t be used. I didn’t spot the disclaimer language in any of the promotional materials, but maybe it is there somewhere.
So, we have here an apparent example of software driven miscalculations, network transported data that is not time synchornized, and a reminder not to use the central station for primary assessment. Important examples to remember as we charge ahead with software driven networked solutions.
[The products in the photo with this post above are not associated with the recall discussed, and are for illustrative purposes only.]
The issue of the EHR relative to safety and effectiveness has again made the news with the November 7, 2011 pre-publication (and downloadable) release of an Institute of Medicine report on EHR safety, commissioned by the U.S. Department of Health and Human Services (HHS). This report expands the discussion beyond the EHR (used henceforth for both EHR and EMR) to include other related electronic information tools collectively called health IT.
The potential for health IT to improve both the quality and efficiency of medical care has been much noted to include more complete and timely records, ready exchange of information between providers, clinical decision support, and in turn a reduction in errors associated with the quality and availability of patient information. Efficiencies may arise from electronic capture of data which would eliminate manual entry, and time savings in accessing and reviewing patient information, and perhaps in passing information to third party payers. Additional public health value might accrue from the enhanced searchability of electronic records with respects to trends, treatments and outcomes. These benefits assume well designed, user friendly, compatible systems not withstanding that the U.S. model is to allow for numerous independent products that may or may not be able to exchange information nor display it in a consistent manner. Not surprisingly the report notes that the IT imperative will likely not be fruitful without associated attention to the people and the clinical system they work in.
However there is also the potential for health IT to add to, rather then reduce complexity; misplace, lose or garble patient information, and to provide clinical decision support that is incorrect or unreliable. Thus health IT itself has risks that the IOM found have not yet been adequately addressed or monitored. The IOM also cites the lack of an effective health IT problem reporting system compounded by contractual language that may actually impede such reporting. In addition some vendors include disclaimers as to their responsibilities even for software defects and errors. The latter suggests the all purpose liability disclaimer language: “Notice-this product may be badly designed and therefore not suitable for its intended purpose.” Alternatively one could try: “Due to software defects the information in this EHR may or may not be complete and/or may not pertain to the patient of interest. Do not use this information for medical treatment”. The value of such disclaimers will no doubt be tested.
Of course it is not only coding defects that can make heath IT less than effective. The well established issue of usability, or user friendliness, lives on, as does interoperability, training and workflow design. In this regard it might be noted that user friendly features such as pull down menus also facilitate quick but erroneous entries. Thus while an IT product might be theoretically capable of being used properly and effectively, whether it will achieve that goal in the real environment of use, when used by real people, is a separate matter. In this regard when faced with use issues and adverse events vendors will want to say that their product could have provided the correct functionality if only it had been used correctly–and don’t forget our disclaimer. The counter argument is that it was badly designed to the degree that “correct” use was predictably not likely to consistently occur. There are many anecdotes in this regard. A favorite of mine was an order entry system to which was added a physical sticky note on the monitor that read “Do not press Enter to Enter”.
Actual health IT hazards are at least in part separate from the questions of privacy, hacking and other mischief.
It must also be remembered that quantitative data (e.g. lab results and other medical device data), or reasonably well standardized data (e.g. images) are potentially much easier to capture, transmit and display than narrative information. The selection and arrangement of information on a display can also be a significant challenge with respect to density, utility and how many pages the clinician has to look at to get all the information needed–and you can’t spread those pages out. There is also a significant issue with the lack of standardization of “look and feel” factors. In this regard it must be remembered that clinicians of various types, working in multiple environments, might see multiple systems during even a single day. This is analogous to the reality of nurse use of infusion pumps. Ask the nurse if they know how to use an infusion pump and they will most likely say yes (and be insulted). But then ask them if they know how to use a particular infusion pump and they might say, no, I’ve never seen one of those before. In this regard a health IT application may be plug-and play, but that isn’t the same as plug-and-effectively-use.
The report has several specific recommendations:
Readers familiar with the FDA regulation of medical devices will recognize many of these items as standard fare. These include registration and listing, quality systems, and problem reporting. However since the FDA has not asserted that EHRs are medical devices, and the IOM elected not to make that specific recommendation.
Record-type health IT products remain in a regulatory vacuum–except with respect to acquisition funding subject to the meaningful use requirements. In this regard the report includes a dissenting statement from Richard Cook, MD (director of the Cognitive Technologies Laboratory at the University of Chicago) who asserts that health IT products should not only be declared to be medical devices, but that they should be Class III, the most stringently regulated device classification. In this regard he includes the following quote: “Medical and diagnostic devices have produced a therapeutic revolution, but in doing so they have also become more complex and less easily understood by those who use them. When well designed, well made, and properly used they support and lengthen life. If poorly designed, poorly made, and improperly used they can threaten and impair it.” While this quote could appear in nearly any one of the posts here, it actually dates to 1976 as part of President Gerald Ford’s signing statement for the Medical Device Amendments that ushered in the modern era of medical device regulation. While these amendments are often thought of as the beginning of FDA medical device regulation, such regulation actually stems from the 1930′s. What did start in 1976 was before-marketing restraints as opposed to the FDA’s prior post market authority. (And no, 1976 is not ancient history. Some of us actually remember it.)
Health IT is caught in the corn maze of promise vs usability and hazards. With quality design and thoughtful implementation the exit may be found before nightfall. Without it someone is going to have to call 911.
A recent NY Times article reported that hotel Wi-Fi capacity was again being challenged, this time by iPads and other tablets, or more specifically, tablet users. The Times notes that these users may have a smart phone and laptop going at the same time they are sucking up streaming video. The high bandwidth demand of these devices, or more specifically, their uses, is said to be reducing download speeds back to the good old days of dial-up connections. A likely solution will be a tiered charge structure, similar to the newest cellular data plans, with the result that you can waste bandwidth if you don’t care what it costs. A more general report on current and future wireless demand versus capacity has been produced by the Global Information Industry Center at the University of California San Diego. A less foreboding report on medical uses of Wi-Fi has been produced by the Wi-Fi alliance.
Smart phones have a prior history of overwhelming cell phone networks, such that in dense environments someone can’t make a phone call because too many other people are watching reality show reruns and bad movies. Now some cellular devices have been looking at switching to Wi-Fi when it is available, as explained here. This leads to the conflict ridden situation of cellular wanting to use Wi-Fi to solve its capacity problems at the same time that Wi-Fi is being over loaded by other devices. Cellular resistant building structures, which are increasing, also can create a desire to shift to Wi-Fi.
Now think about hospitals. Tablets are surely making inroads here as well, along with smart phones and in house wireless VoIP. Medical devices are also increasingly wireless as has been noted in these pages before here and here. There is also the smart phone wireless app arena (which may or may not be regulated medical devices) as discussed here and here.
Certainly the public access side of a hospital’s wireless network can be limited and segregated. However prioritizing between multiple medical applications is far more challenging both clinically and technically. It must also be remembered of course that lost medical data or lack of clinical telephony can be life threatening, as opposed to merely annoying.
In this demanding arena few wireless medical systems are at least initially tested in a fully functioning environment. Yet there is a vast difference between whether the wireless capability (as well as the wired) is able to function when tested alone, and whether it is capable of functioning around the clock and throughout the year in an actual hospital when static and when roaming. In the latter case when roaming across access points, drop-outs may result in data loss and may not respond well when access is restored. While the link may recover critical information such as which patient is involved may not be available.
In addition it may be possible to add one wireless application today that works in the current environment, but which may not work when the next one or ten or 100 other wireless applications are added later, and perhaps not much later. In this regard vendor assurance, if ever fully believable, cannot be accepted outside the context of the wireless system and devices currently deployed. (By way of bad analogy, such an assurance are like a car salesperson telling you that with this car you won’t have to worry about highway traffic.)
In this regard the effective hospital application has been summarized as requiring ”assurance” which includes coverage, signal strength, capacity, and certainty. The “utility” analogy is often used here, i.e. the wireless service should operate in the background and be something I don’t ever have to think about, just give me more and more wireless devices and they will all play nicely together. (Those who have been through electrical blackouts and brownouts may have a different perspective than others on the reassurance provided by the utility analogy.)
It is clear that wireless and wired capacity have to both be actively controlled and monitored. Besides being totally logical, this is consistent with IEC 80001 (discussed here) which addresses hospital network risk management. This active control requires a centralized coordinator who has the authority, knowledge and system resources to not allow any new wireless application to be deployed without specific consent based on appropriately rigorous tests. There must also be complete inventory of all approved wireless users so there is a record of who is using the system. New systems or upgrade designs must also take capacity seriously (see here for example).
Certainly wireless, using Wi-Fi or otherwise, offers advantages in health care, although perhaps not, wireless will need to be limited to those applications that really need it. In any case, capacity is a challenge that is likely to get worse before it gets better.
Pictured above are Philips’ Intelliview Cableless Measurements wireless SpO2 sensors that use the same ISM band frequencies as Wi-Fi. This photo was taken at the Philips booth at HIMSS 2010 with their permission.
Today I was contacted by a social media marketing firm working for a major MDDS vendor with an offer to contribute content that’s on topic for this site (that last part is important). I’m interested, and I imagine a lot of this blog’s readers will be too. As I will likely take them up on their offer, I want everyone to understand that there’s not any favoritism that plays into who gets to post on this site. So, the following describes the ground rules, the benefits of contributing, and issues an open invitation to contribute posts.
We’ve been fortunate to have a number of terrific contributing authors over the years, and some of them have written posts that continue to be popular to this day. On the About This Site page is a long standing open invitation to anyone who wants to climb up on the soap box and
spout off contribute to the conversation about medical device connectivity. I’ve also made contributing author offers personally to many folks on both the provider and vendor sides of the table. There are so many people who have incredible knowledge and experience to share. And most of these people don’t have the time or inclination to create their own blog. Now you have an outlet.
Increasingly companies are adopting social media policies that establish ground rules for employees posting to blogs, Twitter, Facebook, etc. Besides benefiting your employer, contributing posts also benefits the writer personally with increased awareness and respect among your peers. Contributors also get an author’s bio like this one for current contributor, William Hyman:
Writers that want to remain anonymous can do so, to a degree. You can be anonymous like the blogger Tim at HIStalk. He doesn’t disclose his identity on his site, but he is not legally anonymous. This means that you can chose to not disclose who you are (or your employer), but if I’m legally compelled to disclose your identity I will. Some employers will appreciate this kind of anonymity because there’s little chance the writer’s opinions will be associated with the employer. Of course many employers, especially the smart ones, will want that employee-employer association to be known so that all the insight and intelligence the contributor demonstrates in their posts will rub off on them!
In the connectivity segment of the market, there are a lot of new entrants and many established companies flying under the radar of broad market awareness. Contributing blog posts about your experience or perspective (nothing too commercial please) is a great way to establish credibility and get the word out. The most effective use of blogging is engaging in a long term conversation with your readers. Most of my consulting business comes from this blog, in addition to the usual word of mouth and repeat projects. You put your content out in the blog, and readers come back with questions and requests for help with problems, advice, referrals to fill new positions, you name it. And I can’t tell you how rewarding it is to meet people at customer sites or events who are readers of this blog.
Unlike a magazine article, press release or white paper, contributing to a blog is typically not a one shot deal. A series of blog posts that address a body of topics or frames an issue gets read when it’s published – and after that – via search engine queries (that’s why it’s important to identify and use the right key words in your blog posts). Ideally, potential contributors will look at this as an extended conversation, or at least a series of posts that will span several months, if not indefinitely. Individual contributions are welcome, but they will have to be particularly thought provoking, entertaining and/or informative.
Why contribute posts to this site? Well, the site gets about 300 unique visits per day (less on weekends) and has hundreds of subscribers to the RSS feed (the funny orange square icon on the right). Readership is evenly split between providers and manufacturers. As a contributor you will get access to the sites statistics where you can see how many times your post is accessed and by who (or at least their IP address or domain name).
So, if you’re interested in contributing, let me know. And if you’re a reader, here’s your chance to leave some feedback – what would you like to read more or less of on this site?
As an aside, if you’re interested in the blogs and news sites that I read, keep an eye on the Connectologist’s Shared Items box in the right hand bar. This is a list of shared items from my Google Reader. If you’ve got a blog or news site to suggest to me or your fellow readers, leave it in a comment to this post.
[Flickr photo of Selma by Netzanette]
The fact that connectivity, and perhaps wireless connectivity in particular, allows for hacking for mischief, theft, politics, social protest and other forms and varying degrees of evil should surely come as no surprise. In turn, that a wireless medical device might be hackable should be somewhere on the mind of developers, users, and regulators. Thus the report from the recent Black Hat conference that someone hacked an insulin infusion pump, and in so doing was then able to alter its settings, should also not be particularly shocking, but should serve as yet another reminder, that security associated with connectivity has been and continues to be an issue, as was addressed by Tim back in 2006.
The report in this instance came from Jay Radcliffe who hacked his own insulin delivery equipment. In this instance the hacking avenue was the wireless remote that was part of the device. Perhaps the idea that a wireless remote could be emulated is even at the ultra low end of surprise. More generally, the multiple discussions of this report (e.g. here and here) have suggested that the technology being used by at least some medical device manufacturers does not offer an adequate array of security safeguards. Or the manufacturers haven’t fully utilized what is available in terms of alternate hardware, or they havn’t fully utilized the security features that were available even in the hardware that they were using.
Not surprisingly medical device manufacturers have downplayed the risks of hacking. The manufacturer of the pump in question, Medtronic, responded through a diabetes oriented web site, but apparently not through an actual press release of its own. The responses included that Medtronic does take device security seriously (would you expect them to say otherwise?), and that no real-life events have ever reported. Of course a problem with the later is that stealth hacking, as opposed to announced hacking, could cause harm while going unreported. This is to not say they have, but only to note that “reported” is a limiting case.
Medtronic is quoted further as saying “Our job is to incorporate information security measures into our designs, vigilantly monitor potential threats and to always be proactively finding ways to make our devices more secure for you. That is what we have done and what we will continue to do.”
A curious post in response to this expected response from Medtronic was “Security violations are caused by sloppy implementation. The systems themselves are very secure.” I’m not sure how much better that is supposed to make us feel. Equally curious was that this response referenced RSA as a security authority, with other posters then pointing out that RSA was itself hacked.
Hypothetically (that means I made up the following) assorted glitches and could-not-duplicate service events could be the result of hacking, i.e. if the hacker hacked, and then stopped hacking, whatever the effect of the hacking was could well stop also, and therefore be un-findable. Which reminds me of a hospital wireless interference anecdote I heard about bursts of interference, almost always during the night, and almost always for one or two minutes. The culprit was an old leaky microwave being used in quick mode. And why only at night? Because the cafeteria was closed then and therefore the microwave was a primary food resource.
The bottom line is that security is an ongoing issue that must be rigorously addressed by manufacturers, and in turn by the FDA who has to at least ask the what-have-you-done-about-connectivity-security, and insist on a firm answer. Further, I will ask the question that I asked about the challenges of hospital networking at an AAMI session last June in San Antonio. My question was, “Is the problem getting easier or harder?” The answer was a laugh.
[Thumbnail photo above (used with permission) shows the various sites used to inject insulin over a period of time - one month if I recall correctly. In the lower right corner is the Medtronic insulin pump dangling from a tube. - Ed.]