Submit your article of up to 500 words in length, subject to editing for clarity and brevity (please note: I run only original articles that have not appeared on any Web site or in any publication and I can’t use anything that looks like a commercial pitch). I’ll use a phony name for you unless you tell me otherwise. Thanks for sharing!
Note: the views and opinions expressed are those of the authors personally and are not necessarily representative of their current or former employers.
Hey Healthcare, ‘I Dare You to Do Better’
By Nick van Terheyden, MD
I was reading “Dream Big, Start Small: NYU Startups Disrupt Big Industries” when a quote from Mana Health caught my attention: “We want to make the job as easy as possible for doctors … We want to be Apple in [the] health industry.”
This quote got me thinking about the role of simplicity in healthcare. Part of what makes Apple unique is its simple approach to consumer technology. While bells and whistles are buried beneath the surface, what the user experiences is the ability to pick up a piece of Apple technology and interact with it without reading a verbose manual or watching a “How-To” YouTube video.
Clearly, a team has already taken the time to anticipate how people will use this technology, what questions they might have, where they might get hung up, and what’s really going to “wow” consumers and keep them engaged. There’s something mystical and awe-inspiring about this type of simplicity, particularly if you compare it to what clinicians have to do in order to get up to speed on the most basic healthcare technologies.
Maybe it’s because The Official Star Trek Convention was recently held in San Francisco, or the fact that I just recently heard that a nine-minute teaser for the latest Star Trek movie, “Star Trek Into Darkness” will be available in 3D IMAX theaters on December 14, but in addition to “simplicity,” I’ve also been thinking a great deal about how advancements in technology can help the healthcare industry “boldly go where no one has gone before.” And more importantly, to get “there” without asking clinicians to fight Klingons.
Over the past year, there has been an array of studies and stories pointing to frustrations associated with electronic health records and Meaningful Use. This is compounded by additional pressures putting the heat on the healthcare industry — a looming physician shortage, an aging population with increased care demands, and changes in the reimbursement model.
Still, for every problem, there’s a solution. What keeps me up at night, though, is the fact that all too often we try to slap a new coat of paint on a problem in an effort to mask the issue as quickly and efficiently as we can. More often than not, we approach problems — especially in healthcare — with a fast and furious desire to make things right in the moment instead of aiming to make things right for the long term.
The fast fix in healthcare is often not the real solution to the problem. Take the transition to ICD-10, for example. At first, some healthcare providers wanted to keep doctors as far from the transition as possible. And at first glance, I can understand why. No one wants to take the focus off of the patient. Still, the transition to ICD-10 can’t be simplified without having doctors on board as part of this massive personnel and technological overhaul.
See, the problem with simplicity is that to get to that type of Apple approach in healthcare, you have to take into consideration the myriad of players that will be affected. You have to take the time to test and tweak, test and tweak in an iterative process that while challenging and time intensive, will ultimately be rewarding. In other words, to get to “simple,” you have to trudge through the difficult for quite some time.
As we head into the holiday season and take a look back at the accomplishments and failures from the past year, let’s agree to remain focused on integrating a new sense of simplicity into the complexity of all things healthcare in 2013 – whether it’s technology, health insurance, or patient communication. One particular “Star Trek” quote mapping back to the simplicity theme that seems like a fitting request for all healthcare players in the coming year is this: I dare you to do better.
Nick van Terheyden, MD is chief medical information officer at Nuance of Burlington, MA
Humble Suggestions from an Allscripts Pro Client to Ease Transition Pain for MyWay Clients
By Cathy Boyle, RN, BSN
By now, I’m sure everyone who uses Allscripts MyWay is aware that the company is transitioning customers to the Professional Suite. You’re probably overwhelmed sorting through options as you decide whether to upgrade to the new product or to jump ship and start over with another EHR company.
Starting over with another company may be painful, but it’s also somewhat vindicating. On the other hand, agreeing to upgrade to the Professional product may be the easier road because you’re exhausted and don’t want to start over with someone new.
Let me offer a little perspective …
Three years ago, our practice learned Misys was merging with Allscripts and we would need to move to the Allscripts product. No choice.
We were miffed, to say the least, and jumped ship to a competing product. Within three months, we realized it was a serious mistake. We ate a little crow and made the decision to return to Allscripts.
We implemented the Allscripts Pro EHR/PM system and came to the conclusion that even though not all of our experiences with Allscripts have been perfect, it was the right choice. Like it or not, Allscripts is the leader in the EHR world for a reason. They haven’t always gotten it right. Unfortunately, no one does.
I will not pretend to understand how any of you feel as a MyWay client. The only thing I can offer is my perspective from moving to another product and realizing the grass is not always greener on the other side.
My suggestions are threefold:
- If you haven’t already, sign up for Allscripts Client Connect and check out the resources available for people upgrading to the Pro EHR and for those considering other options. You’ll find links to webinars, product demos, and lots of other info. Can’t hurt, right?
- Go to the Pro ARUG (Allscripts Regional User Group) page for your state and start asking questions of Pro users in your area. They’ll answer you honestly. They are not paid by Allscripts and have real-life, in-the-trenches perspectives on the Pro product.
- Find out who in your local community has the Pro product and go take a look at it. See it for yourself firsthand as you make the best decision for your practice.
Then, if you don’t like what you see and hear, feel free to explore other options.
I wish you the best in this world of healthcare changes – I really do! But if you come to realize, as we did, that the Pro solution is right, I would personally like to welcome you to the Pro family! We will help you, support you, cry with you, teach you, bang our heads (at times) with you, and celebrate the victories that come with finding a system and a family of users from which you can benefit. It’s not always easy going, but you will be heard and you will not be alone.
I am not paid by Allscripts and do not reap any personal benefit from writing this post. Just concerned with what is happening to fellow clinicians in the Allscripts community. Feel free to contact me directly if you have questions. I will not mince words and am happy to help in any way I can.
Cathy Boyle, RN, BSN is clinical director at Heiskell King Burns & Tallman Surgical Associates, Inc. of Morgantown, WV.
OCR’s Guidance for De-Identifying Health Data
By Deborah Peel, MD
The federal Office of Civil Rights (OCR), charged with protecting the privacy of the nation’s health data, has released guidance for “de-identifying” health data. Government agencies and corporations want to de-identify, release, and sell health data for many uses. There are no penalties for not following the guidance.
Releasing large databases with the de-identified health data of thousands or millions of people could enable breakthrough research to improve health, lower costs, and improve quality of care — if de-identification actually protected our privacy so no one knows it’s our personal data. But it doesn’t.
The guidance allows easy re-identification of health data. Publicly available databases of other personal information can be quickly compared electronically with de-identified health databases to reattach names, creating valuable, identifiable health data sets.
The de-identification methods OCR has proposed are:
- The HIPAA Safe Harbor method. If 18 specific identifiers are removed (such as name, address, and age), data can be released without patient consent. Still, 0.04 percent of the data can still be re-identified.
- Certification by a statistical expert that the re-identification risk is small allows release of databases without patient consent. There are no requirements for being called an expert. There is no definition of small risk.
Inadequate de-identification of health data makes it a big target for re-identification. Health data is so valuable because it can be used for job and credit discrimination and for targeted product marketing of drugs and expensive treatment. The collection and sale of intimately detailed profiles of every person in the US is a major model for online businesses.
The OCR guidance ignores computer science, which has demonstrated that de-identification methods can’t prevent re-identification. No single method or approach can work because more and more personally identifiable information is becoming publicly available, making it easier and easier to re-identify health data. See Myths and Fallacies of Personally Identifiable Information by Narayanan and Shmatikov, June 2010. Key quotes from the article:
- “Powerful re-identification algorithms demonstrate not just a flaw in a specific anonymization technique(s), but the fundamental inadequacy of the entire privacy protection paradigm based on ‘de-identifying’ the data.”
- “Any information that distinguishes one person from another can be used for re-identifying data.”
- “Privacy protection has to be built and reasoned about on a case-by-case basis.”
OCR should have recommended what Shmatikov and Narayanan proposed: case-by-case “adversarial testing” in which a de-identified health database is compared to multiple publicly available databases to determine which data fields must be removed to prevent re-identification. See PPR’s paper on adversarial testing.
Simplest, cheapest, and best of all would be to use the stimulus billions to build electronic systems so patients can electronically consent to data use for research and other uses they approve of. Complex, expensive contracts and difficult workarounds (like adversarial testing) are needed to protect patient privacy because institutions — not patients — control who can use health data. This is not what the public expects and prevents us from exercising our individual rights to decide who can see and use personal health information.
Deborah C. Peel, MD is founder and chair of Patient Privacy Rights Foundation of Austin, TX.
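The case-by-case adversarial testing described in the article above, as an added example (not taken from the article, from OCR's guidance, or from PPR's paper): it compares a release against a public list and reports which field combinations single out a person and which field would have to be withheld. All records and field names are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample data, not real records. Field names are hypothetical.
RELEASED = [  # "de-identified" release: no names, but quasi-identifiers remain
    {"zip3": "787", "birth_year": 1961, "sex": "F", "dx": "E11"},
    {"zip3": "787", "birth_year": 1961, "sex": "M", "dx": "I10"},
    {"zip3": "787", "birth_year": 1975, "sex": "F", "dx": "F32"},
    {"zip3": "786", "birth_year": 1975, "sex": "F", "dx": "J45"},
    {"zip3": "786", "birth_year": 1975, "sex": "F", "dx": "C50"},
]
PUBLIC = [  # stand-in for a publicly available list that carries names
    {"name": "Resident A", "zip3": "787", "birth_year": 1961, "sex": "F"},
    {"name": "Resident B", "zip3": "787", "birth_year": 1961, "sex": "M"},
    {"name": "Resident C", "zip3": "787", "birth_year": 1975, "sex": "F"},
    {"name": "Resident D", "zip3": "786", "birth_year": 1975, "sex": "F"},
    {"name": "Resident E", "zip3": "786", "birth_year": 1975, "sex": "F"},
    {"name": "Resident F", "zip3": "787", "birth_year": 1980, "sex": "M"},
]
QUASI = ("zip3", "birth_year", "sex")


def linkable(released, public, fields):
    """Released rows whose values on `fields` are unique in the release
    and match exactly one row of the public list."""
    def key(row):
        return tuple(row[f] for f in fields)
    rel = Counter(key(r) for r in released)
    pub = Counter(key(p) for p in public)
    return [r for r in released if rel[key(r)] == 1 and pub[key(r)] == 1]


def adversarial_test(released, public, quasi):
    """Count linkable rows for every combination of quasi-identifiers."""
    return {fields: len(linkable(released, public, fields))
            for n in range(1, len(quasi) + 1)
            for fields in combinations(quasi, n)}


def fields_to_drop(released, public, quasi):
    """Smallest set of fields to withhold so that no row is linkable."""
    for n in range(len(quasi) + 1):
        for drop in combinations(quasi, n):
            keep = tuple(f for f in quasi if f not in drop)
            if not keep or not linkable(released, public, keep):
                return drop
```

On this sample, three of the five released rows link to a single named person on the full field set, and withholding the birth year alone brings that to zero; a different public list can change the answer, which is why the test is run per release.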
Evolution in your Data Center
By Axel Wirth
The change of a biological organism through a combination of mutation and natural selection over a number of generations was first articulated as the Theory of Evolution by Charles Darwin. In short (and with my apologies to the great scientist), if a change occurs and the next generation is more successful, it will have a higher probability of passing on its characteristics to future generations.
Survival of the fittest, survival of the smartest, or plainly a strategy to adapt to a changing environment. Whichever way you look at it, it has enabled the human race to populate the earth from our origins in Africa to the icy north.
But evolution works in both directions. Think, for example, of the problems caused by antibiotic-resistant infections like MRSA. We can also apply a similar thought model outside of biology. Let’s have a look at the scary and complex world of computer viruses and malware.
A recent example. In mid-2009, W32.Changeup, a polymorphic worm written in Visual Basic, was first discovered, but was not really anything special. It wasn’t harmless, but in general, it was classified as a medium damage, medium distribution, and easy to contain worm.
But then evolution came to play (granted, this was not evolution by mutation, but evolution by design). As of recently, we have seen over 1,000 variants of W32.Changeup, some of which are much more aggressive and successful than the original. Some variants recently showed an increase in activity of over 3,000 percent in a single week.
What is even more concerning is that based on some of the characteristics of this worm, it is especially dangerous for the typical healthcare infrastructure. We have already seen several hospitals hit hard over the past weeks.
Why now and not back in 2009? Just like MRSA, W32.Changeup evolved and became more resistant and dangerous.
There are a number of malware threats which, due to the way they are designed, are affecting healthcare IT more than others. Downadup, also known as Conficker, was one of them. It looks like Changeup is joining the club. Here is why:
- It spreads through removable drives. Devices and subnets which are perceived to be protected through isolation and may not have sufficient malware protection and resilience are at risk.
- It infects old and new versions of Windows on workstation and server platforms. Certain devices on hospital networks with older or unpatched operating systems (e.g. medical devices, dedicated workstations, and servers) may be especially vulnerable.
- It uses multiple propagation methods through removable drives and shared network drives. Once a system is compromised, Changeup’s main purpose is to download various additional malware. Among it is a Downloader Trojan, which in turn will download even more malware.
- Changeup is polymorphic in nature. As it copies itself to other devices, it maintains its function, but changes its look. This makes it difficult to detect with traditional signature-based antivirus software. Modern anti-malware software provides more functionality than signature-based protection, but proper configuration of your endpoint protection combined with a layered security approach is required to detect and protect against a sophisticated worm like Changeup.
- Changeup copies itself to removable and mapped drives by taking advantage of the AutoRun feature in Windows, which should therefore be prevented for all users and devices, including network shares.
This brings us back to the initial point made about evolution. We now have diseases which are resistant to a single antibiotic and require a complex, multi-pronged approach. Similarly, with computer malware like Changeup, a single approach (e.g. relying on signature-based antivirus alone) is not sufficient any more. At a time where we are seeing well over 10 new viruses and variants being created per second, we need to take a strategic “defense in depth” approach.
Of course, traditional and signature-based antivirus is still part of that picture, but it needs to be complemented by system and network intrusion detection, peripheral security (firewalls), system configuration and controls, security event monitoring, and URL filtering to prevent connection to known C&C (command and control) URLs.
Axel Wirth is national healthcare architect for Symantec Corp. of Mountain View, CA.
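One way to check the AutoRun recommendation in the article above across a fleet, as an added example (not from the article or from Symantec): it decodes the Windows `NoDriveTypeAutoRun` policy value from collected `reg query` output and lists hosts where removable or network drives can still AutoRun. Host names and captured output are constructed, and treating a missing value as "nothing disabled" is a deliberately conservative assumption.

```python
import re

# NoDriveTypeAutoRun is a bitmask: a set bit disables AutoRun for that drive type.
DRIVE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed",
              0x10: "network", 0x20: "cdrom", 0x40: "ramdisk"}
VALUE_RE = re.compile(r"NoDriveTypeAutoRun\s+REG_DWORD\s+(0x[0-9a-fA-F]+)")

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# Constructed sample: `reg query` output for the Explorer policy key, per host.
SAMPLE = {
    "ws-01":   KEY + "\n    NoDriveTypeAutoRun    REG_DWORD    0xff\n",
    "pacs-02": KEY + "\n    NoDriveTypeAutoRun    REG_DWORD    0x91\n",
    "lab-03":  KEY + "\n    NoDriveAutoRun    REG_DWORD    0x0\n",  # policy value absent
}


def autorun_enabled_types(reg_output):
    """Drive types that can still AutoRun according to the captured policy value."""
    match = VALUE_RE.search(reg_output)
    # Assumption: if the value is absent, report every type as enabled so the
    # host is reviewed rather than silently passed.
    mask = int(match.group(1), 16) if match else 0
    return [name for bit, name in DRIVE_BITS.items() if not mask & bit]


def audit(hosts, must_block=("removable", "network")):
    """Map host -> drive types in `must_block` on which AutoRun is still allowed."""
    findings = {}
    for host, text in hosts.items():
        exposed = [t for t in autorun_enabled_types(text) if t in must_block]
        if exposed:
            findings[host] = exposed
    return findings


if __name__ == "__main__":
    for host, exposed in audit(SAMPLE).items():
        print(f"{host}: AutoRun still allowed on {', '.join(exposed)} drives")
```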