Quote Of The Year

Timeless Quotes - Sadly The Late Paul Shetler - "Its not Your Health Record it's a Government Record Of Your Health Information"

or

H. L. Mencken - "For every complex problem there is an answer that is clear, simple, and wrong."

Saturday, December 17, 2011

Weekly Overseas Health IT Links - 17th December, 2011.

Note: Each link is followed by a title and few paragraphs. For the full article click on the link above title of the article. Note also that full access to some links may require site registration or subscription payment.
-----

Three Technology Trends Your Company Can't Ignore

Information Management Magazine, Nov/Dec 2011

Daniel Burrus
HDM Breaking News, December 5, 2011
Technology is evolving - fast. For that reason, it's imperative that your company focuses not just on the changes that are happening today, but also on the technological trends that are emerging and shaping the future of your organization and your industry. Why? Because the more anticipatory you can be in regard to technology, the more creatively you can use it to gain competitive advantage.
As someone who has been accurately predicting the future of technology for more than 25 years, I urge all leaders to focus on the following three trends that are emerging and reshaping the business landscape as we know it.
-----

Patient Data Losses Jump 32%

Growing use of mobile devices in healthcare has intensified the security risk associated with managing patient data.
By Nicole Lewis,  InformationWeek
December 07, 2011
The frequency of patient data losses at healthcare organizations has increased by 32% compared to last year, with nearly half (49%) of respondents citing lost or stolen computing devices such as laptops, tablets, and smartphones, according to recently published figures from the Ponemon Institute's second annual benchmark study on patient data security.
The latest report--2011 Benchmark Study on Patient Privacy and Data Security--estimates that data losses and security breaches cost the U.S. healthcare industry about $6.5 billion. And healthcare organizations face challenges in their ability to stem those losses.
-----

Dealing with Doctors' Reluctance Toward PHR

Greg Freeman , December 9, 2011

This article appears in the November 2011 issue of HealthLeaders magazine.
Physician engagement with patients through personal health records may be more of a challenge than getting patients to use the system, says G. Daniel Martich, MD, FACP, chief medical information officer and vice president for physician services at UPMC.
Because of the particular software design of the e-visit portion of the PHR at UPMC, it can be used only by generalists such as primary care internists and family care practitioners. Of the 69 UPMC practices and 350 physicians in that category, 27 of the practices have opted in completely. Individual physicians also can opt in, and in the other 42 practices at least one doctor has agreed to respond to participate in HealthTrak and respond to the e-visit portion of the PHR.
-----

Open Health Tools, Georgia Tech to spur IT adoption

December 09, 2011 | Mike Miliard, Managing Editor
ATLANTA – Open Health Tools, a multi-stakeholder open source community whose chief health informatics officer is Robert M. Kolodner, MD, the former national coordinator, is joining with the Georgia Institute of Technology on a public-private initiative designed to accelerate the adoption of health information technology.
“The overarching mission of this initiative is to provide a virtual environment in which diverse stakeholders work together to unleash the innovations necessary to bring the industry to its future state,” said Steve Rushing, director of Health@EI2, which is part of Georgia Tech’s Enterprise Innovation Institute.
The new pro will include participants from government, healthcare providers and provider organizations, patient and personal health advocacy organizations, open source and commercial vendors, public health organizations, academic and non-academic researchers, start-up companies and entrepreneurs.
-----

ONC: Standards for HIE Won't be Optional

HDM Breaking News, December 8, 2011
In a new blog posting, Doug Fridsma, M.D., of the Office of the National Coordinator for HIT gives an update on efforts to develop standards for the exchange of health information. And he makes clear the standards won't be optional.
"Reducing optionality improves interoperability and lowers the cost for vendors to implement, thus lowering the cost for health care providers as well," Fridsma writes. "ONC is identifying the vocabularies, the message, and the transport 'building blocks" that will enable interoperability. While vendors should be able to flexibly combine them to support interoperable health information exchange (HIE), these 'building blocks' need to be unambiguous and have very limited (or no) optionality."
-----

How one IPA enabled clinical integration for 1,500 docs

December 08, 2011 | Patty Enrado, Contributing Editor
Brown & Toland Physicians' recent selection of Allscripts Community Record, powered by dbMotion, represents a big step toward realizing the IPA's vision of providing clinical integration and connectivity for its 1,500 primary care and specialty physicians in the San Francisco Bay Area.
What's remarkable about Brown & Toland's path to clinical-information sharing is that the IPA, which is physician owned and governed, defined its goal eight years ago - long before the HITECH Act - and was challenged by the fact that it neither employs its physicians nor maintains their systems. "We've been on this mission to figure out how we - as an independent group of physicians - can share clinical information," according to COO Mark Ficker.
-----

ONC taps Hollywood for HIT video

December 07, 2011 | Mary Mosquera
The Office of the National Coordinator for Health IT is going Hollywood, or at least contracting a California production company, to create a video to explain to the public the value of health IT and how individuals can engage with their providers.
The video is an example of ONC’s expanded efforts to get consumers more involved in their health and healthcare and encourage them to raise the importance of electronic health records with their providers, according to an ONC official.
ONC’s strategy includes supporting a change in how consumers view themselves as receivers of healthcare, to feel empowered to request access to their information, take action with their data and work as part of a team with their providers, said Lygeia Ricciardi, senior adviser for consumer e-health at ONC.
-----

Health IT Leaders Launch Info-Sharing Website

Founded by clinicians, site called Doctors Helping Doctors Transform Health Care encourages the medical community to share its EHR successes, complaints.
By Ken Terry,  InformationWeek
December 07, 2011
A group of physician health IT leaders has launched a nonprofit website for doctors that's designed to promote the transformation of healthcare through the use of information technology. Although not directly aligned with the federal government's Meaningful Use program, the website, Doctors Helping Doctors Transform Health Care also could help physicians achieve Meaningful Use by aiding them in implementing electronic health records.
-----

Study: Prescribing errors spike with EHR upgrades

December 7, 2011 — 2:08pm ET | By Marla Durben Hirsch - Contributing Editor
Transitioning to an upgraded electronic health record system appears more likely to lead to errors in e-prescribing than implementing one for the first time, according to a recent article published in MedPage Today.
According to two studies presented at the New York eHealth Collaborative's Digital Health Conference in New York last week, sites that previously had not used e-prescribing had an 85 percent decrease in errors once they made the switch from paper prescribing.
-----

Microsoft Moving Most Health Care Products to GE Joint Venture

HDM Breaking News, December 8, 2011
Microsoft Corp. is exiting much of its health care-specific business by moving those products into a joint venture with GE Healthcare.
Microsoft will retain the HealthVault suite of software for health care consumers. But Microsoft's Amalga data aggregation and analytics software, as well as its single-sign-on and context management software acquired several years ago when it bought Sentillion, move to the joint venture.
Amalga enables providers to combine data from disparate information systems across facilities to better understand the needs of specific patient populations, develop appropriate care plans, track progress and report on outcomes. The content management software enables the viewing from patient data from multiple disparate systems on a single screen.
-----

How EHRs can help Berwick’s 5 reasons for waste in healthcare spending

Last week, Don Berwick completed his 17 month tenure as administrator of Medicare and Medicaid. The nation should be grateful that such a visionary was at the helm. The nation should be frustrated that he was never confirmed.
In his parting interview with the press, he noted that 20 percent to 30 percent of health spending is “waste” that yields no benefit to patients.
Berwick listed five reasons for the enormous waste in health spending:
*Patients are overtreated
*There is not enough coordination of care
*US health care is burdened with an excessively complex administrative system
*The enormous burden of rules
*Fraud
Certainly regulatory reform is needed, but electronic health records can go far to addressing each of these issues.
-----

CSC to earn another £2 billion from NHS

8 December 2011   Jon Hoeksma
Computer Sciences Corporation has told US investors that it expects to earn up to £2 billion more from its contract with the Department of Health, for providing electronic patient record software to the NHS.
Despite its dismal record on delivering the Lorenzo electronic patient record software to NHS trusts in the North, Midlands and East - just three out of 97 contracted - CSC has told investors it still expects to make a profit on its NHS deal.
This will come mostly from recurring maintenance of legacy systems it put in as stop-gaps. And CSC doesn’t believe the NHS will terminate its contract.
According to an investigation in the Times, CSC says that it will earn revenues of £1.5 to £2 billion over the remaining term of the contract.
-----

Doctor or patient? Who will drive mHealth?

December 07, 2011 | Eric Wicklund, Contributing Editor
WASHINGTON – Who’s more important to the advancement of mHealth – the physician or the patient?
To Krishnan Ganapathy, of the Apollo Telemedicine Networking Foundation in India, the answer quite clearly is the physician – and he’s quite sure that all this new technology and all these new services won’t be accepted by people unless it’s all recommended by their physicians first. But to Joseph Kvedar of Partners Healthcare’s Center for Connected Health, the future of mHealth may lie with the patient.
 “I think there is a role for automated coaching and maybe, maybe, the doctor isn’t the center of the universe,” he said.
Ganapathy and Kvedar were two members of a five-person panel at the mHealth Summit in Washington D.C. for Tuesday morning’s Super Session, titled “Mobile Health in the Clinical Enterprise.” In an hour-long session taken up almost entirely by each panelist’s opening remarks, the conversation centered primarily on how mHealth initiatives can be advanced, and who should do the advancing.
-----

Can Social Media Become A Boon to Health Care?

Insurance Networking News

Ara Trembly
HDM Breaking News, December 6, 2011
One of the most predictable things about technology fads is that as soon as they attain "fad" status, we try to apply them to every conceivable problem, regardless of how practical or advisable the application.
This thought came to mind when I read a recent posting on ScienceDaily which noted that, "Social networking sites like Facebook and YouTube can be powerful platforms to deliver and receive healthcare information, especially for patients and caregivers who are increasingly going online to connect and share experiences with others with similar medical issues or concerns."
The posting adds, however, that these sites may lack patient-centered information and can also be sources of misleading information that could potentially do more harm than good, according to the results of two separate social media-related studies unveiled recently at the American College of Gastroenterology's 76th Annual Scientific meeting in Washington, D.C.
-----

Kaiser Permanente Wins Four eHealthcare Leadership Awards

Health care provider recognized for commitment to online excellence

Published: Wednesday, Dec. 7, 2011 - 9:44 am
OAKLAND, Calif., Dec. 7, 2011 -- /PRNewswire/ -- Kaiser Permanente recently received one of the first eHealthcare Organizational Commitment awards for its use of the Internet and technology to support its  commitment to total health. The health care organization provides easy and convenient online tools and information to help members choose a health plan that meets their individual needs and then manage their health through My Health Manager on kp.org.
The eHealthcare Leadership Awards received more than 1,200 entries in 2011 and websites were rated on Internet excellence and how they compare to similar websites in their group classification. The awards are sponsored by Strategic Health Care Communications, an organization that supplies marketing, communications and business development information to health care organizations through its two publications, Strategic Health Care Marketing and eHealthcare Strategy & Trends.
-----

Most Providers Unprepared for HIPAA Audit

Dom Nicastro for HealthLeaders Media , December 2, 2011

Most healthcare organizations charged with HIPAA compliance are not fully prepared for a privacy and security audit by federal regulators, a November survey conducted by HCPro, Inc. reveals.
For hospital leaders, already challenged on the technology front to implement ICD-10, electronic medical records systems, and pursue meaningful use certification, that's not great news. The government has already begun conducting audits.
Earlier this year, the Office for Civil Rights, the enforcers of HIPAA privacy and security, engaged a contractor to audit covered entities and business associates at random.  The objective was to assess how many would be HIPAA-compliant by December 31, 2012.
-----
December 5, 2011

Nothing cutting edge about Canadian ehealth strategy, critics say

Critics have argued of late that Canada’s ehealth strategy entirely missed the boat because of an excessive focus on developing massive centralized data systems as opposed to promoting meaningful use of electronic health data by physicians and patients.
The situation may be even more worrying than that, though, as one of architects of Canada’s ehealth strategy says the evolution of technology, itself, has all but completely made that plan obsolete.
New technologies such as tablets and mobile devices long ago outstripped Canada’s ehealth strategy, says Will Falk, who is credited with writing one of Canada Health Infoway’s first business plans. “There are only a couple of homecare mobile projects that have received Infoway funding to date. This in the country that invented the Blackberry?”
-----

Healthcare Cloud Brings Access Control Concerns

N.Y. nurses service finds single sign-on enables its mobile workforce to use its multiple, disparate cloud apps.
By Neil Versel,  InformationWeek
December 05, 2011
The shift to cloud computing has exposed a series of worrisome dichotomies in healthcare, an industry that handles sensitive data and thus has unique privacy requirements.
Consider the Visiting Nurse Service of New York (VNSNY), which supports a largely mobile workforce of more than 14,000 healthcare providers. The cloud allowed the organization to make decisions on technology for business services without having to get the IT department fully involved, according to chief information security officer Larry Whiteside Jr. But that also meant different areas of the enterprise chose different cloud hosts.
-----

Sebelius lauds smartphones at mHealth Summit

December 06, 2011 | Eric Wicklund, Contributing Editor
WASHINGTON – The practice of medicine is undergoing a sea change, thanks to the smartphone.
So said Health and Human Services Secretary Kathleen Sebelius and other speakers, such as Eric Topol, vice chairman of the West Wireless Health Institute, at the mHealth Summit, a three-day conference and exhibition on mobile health technology at the Gaylord Resorts and Conference Center in Washington. The event counts 3,600 registered attendees – up from 2,400 last year.
Both Sebelius and Topol focused on the game-changing aspects of mobile health technology to improve clinical outcomes, promote preventive medicine and reduce wasteful spending and healthcare costs. And they issued a call to arms – or minds – to support innovation in the field of mobile medical devices.
-----

Docs' Top 3 PHR Fears

Gienna Shaw, for HealthLeaders Media , December 6, 2011

Healthcare organizations are working to encourage patients to get engaged in their healthcare data, in part by making Personal Health Records more user-friendly. Part of the adoption problem isn't just a lack of consumer awareness, but the fact that many physicians are wary of records that are created and controlled by patients.
Among their concerns: time, accuracy, and control over data.
1.Time
Physicians who are reluctant to participate in the PHR system at the University of Pittsburgh Medical Center most fear that having a direct connection between themselves and their patients  would take too much time, Daniel Martich, MD, chief medical information officer and vice president for physician services at UPMC, tells HealthLeaders Media.
-----

Govt to opt patient data into trials

6 December 2011  Rebecca Todd
The government wants to change the NHS Constitution so that patient information is automatically included in clinical research.
The move, which will be subject to consultation, is part of a raft of government announcements designed to boost investment in Britain’s life sciences sector and to drive innovation in the NHS.
The headline announcement, that data linking hospital and primary care data could be released to drug and other companies, created a storm of controversy in the national media, with privacy watchdog groups warning that it would herald the “death of privacy”.
-----

NHS open data plans 'death of privacy'

5 December 2011   Rebecca Todd
Privacy groups say a government plan to share anonymised NHS data with commercial companies will herald the “death of patient confidentiality”.
Prime Minister David Cameron is due to give a speech this afternoon unveiling plans to boost the UK’s life sciences sector.
According to wide-spread coverage of his speech, these will involve a new service, developed by the Medicines and Healthcare Products Regulatory Agency, that will link anonymised hospital data with data from primary care.
The government is to spend £60m developing the Clinical Practice Research Datalink. It is not clear whether companies will pay to use it.
-----

Apple’s Secret Plan to Steal Your Doctor’s Heart

Nancy Luo didn’t expect an answer when she e-mailed Steve Jobs one Wednesday evening two summers ago. But less than a day later, an Apple emissary knocked on her door at the University of Chicago Hospitals.
It was Aug. 25, 2010, the last day of a long heatwave in Chicago. Luo — a second-year resident at the hospital’s internal medicine department — had been assigned the tricky task of figuring out whether a pilot program that put iPads in the hands of the hospital’s residents was working out. So she sent a note to the CEO of Apple.
The iPad had hit the market just four months earlier, but the young, tech-savvy residents at the hospital were already using Apple’s tablet to access medical data on the go. Luo thought that with some internal tweaking, she could measure whether the students were actually saving time with the iPad. “I just wanted to see if maybe Apple wanted to help us out,” she remembers.
Jobs didn’t get back to her, but at 5:21 a.m. the next day, she had an answer. Luo didn’t even read the e-mail at first, assuming it was some sort of automatic response. But when she did, she was amazed. The note was from an Apple employee named Afshad Mistri, who offered to swing by the hospital later that afternoon — he just happened to be in Chicago that day. “Your e-mail was forwarded to me for follow up from Steve,” wrote Mistri, Apple’s medical market manager, the company’s go-to guy for the medical industry.
-----

Military Surgeons Association names MC4 top IT team

December 02, 2011 | MC4 Public Affairs
The Army’s Medical Communications for Combat Casualty Care (MC4) program was recognized by the Association of Military Surgeons of the United States (AMSUS) as the 2011 top information technology (IT) team. The AMSUS IT Team Award honors organizations that have made significant contributions in IT, specifically those that improve the effectiveness and cohesiveness of federal health care initiatives. In 2010, MC4 helped field the rapid expansion of technology used to remotely connect Soldiers with mental health physicians in the combat zone.
The Army’s MC4 program trains, fields and supports IT systems that allow deployable medical staff to document and track patient care, digitally manage medical supplies and conduct health surveillance in the combat zone. In addition to fielding new technology, last year MC4 launched new training initiatives to improve electronic medical record-keeping on the battlefield. In return, MC4 users have realized faster set-up times and easier use of the medical records system, while combatant commanders have gained better data integrity and a clearer picture of population health.
-----

KLAS: Wave of PACS replacements will surpass $10M

Written by Evan Godt   
December 2, 2011
PACS replacements, which had slowed overall, are expected to ramp up significantly riding a wave of replacements starting in the largest hospitals and eventually sweeping over smaller facilities. Nearly one in six hospitals and health systems with over 1,000 beds reported they have plans to replace their PACS, according to a recent report from market researcher KLAS.
"These large hospitals and health systems are seeking more innovative technology and deeper strategic partnerships for imaging," said Ben Brown, KLAS medical imaging general manager and the report’s author.
-----

CDC data on EHR adoption overlooks inconvenient facts

December 4, 2011 — 7:13pm ET | By Ken Terry
The U.S. Department of Health & Human Services last week boasted that the percentage of doctors who had basic electronic health records doubled between 2008 and 2011. That's certainly a good sign. So is the increase in the percentage of physicians who say they plan to show Meaningful Use. More than half of doctors now say they aim to attest to Meaningful Use, vs. 41 percent in 2010.
But it's way too early to break out the champagne. To start with, the Centers for Disease Control and Prevention (CDC), which conducted the physician EHR survey, dropped the category of "fully functional" EHRs that it had used in previous years. It's now looking only at how many doctors have basic systems and how many say they have any "EMR/EHR" system at all. (That's so vague that it's virtually meaningless.) Why the comprehensive EHR category was eliminated is anyone's guess; but it's a good bet that the CDC did it to make the numbers look better.
-----
Monday, December 05, 2011

Putting Health Care Analytics in the Hands of Patients

Despite the health information revolution and health care consumerism that the Web has ignited, many decisions in medicine today are still made without reliable comparative information. The analytics methodology that can address patients' and physicians' needs for comparative information does exist. However, it is not consistently applied and it is not easily accessible at the point of care. Specifically, analytics on comparing hospital quality have primarily focused on experts and have made their way into professional reports that are sold for thousands of dollars to hospital administrators. For the most part, they have not yet been made usable or accessible to patients and their busy physicians.
-----

Enjoy!
David.

Friday, December 16, 2011

It Might Be That The Time For This Has Really Arrived. Could Be Interesting To See.

The following report appeared a few days ago.

ABPM, AMIA advance informatics certification

Posted: November 30, 2011 - 12:30 pm ET
The American Board of Preventive Medicine remains on schedule to administer a first-ever examination for physician board certification in clinical informatics in fall 2012 while the American Medical Informatics Association is pursuing a parallel informatics certification program for nonphysicians, according to outgoing AMIA President and CEO Dr. Edward Shortliffe.
Shortliffe's update on the certification programs appears in the current issue of JAMIA, the association's journal.
The certification process will be overseen by the ABPM, but the American Board of Pathology has asked to be a co-sponsor "and two other boards have also expressed an interest in doing so" as well, Shortliffe said.
Meanwhile, the AMIA "is already well along in designing board review courses that we will offer for those who are preparing to take the certifying examination," he said.
More here:
The full paper is found here:
The title is as follows.
J Am Med Inform Assoc 2011;18:890-891 doi:10.1136/amiajnl-2011-000582
  • Messages from AMIA

President's column: subspecialty certification in clinical informatics

  1. Edward H Shortliffe
The key paragraphs are these is my view - after reviewing how AMIA got to where we now are - are these.
“The current plan is for clinical informatics subspecialty board examinations to be offered by ABPM starting in the autumn of 2012. For the first 5 years, practicing clinical informaticians will be able to apply for board eligibility based on their work and experience in the field. Formal criteria for such practice-based eligibility will be announced by the ABPM. One requirement, of course, will be that the applicant must already be board certified in a primary specialty by one of the ABMS boards. After the first 5 years, all candidates will need to have completed a fellowship in clinical informatics that is accredited by the ACGME. There is thus a 5-year period during which new and existing fellowships will need to be created and assessed by ACGME so that their graduates will be board eligible. The AMIA Academic Forum has been working with existing training programs to provide education about the ACGME accreditation process and to assist in the adaptation of existing fellowships to comply with ACGME requirements.
Although the certification process will be overseen by the ABPM and one or more co-sponsoring boards (the American Board of Pathology has already asked to be a co-sponsor, and two other boards have also expressed an interest in doing so), AMIA will be providing support in a variety of ways. First, we solicited self-nominations from AMIA members who are interested in serving on the ABPM clinical informatics examination committee, which will be responsible for writing examination questions based on the identified competencies for those who wish to be board certified. Several names were forwarded to the ABPM and we expect several AMIA nominees to be appointed to the question development committee. Second, AMIA is already well along in designing board review courses that we will offer for those who are preparing to take the certifying examination.
We have also recognized that many superb clinical informaticians will be ineligible for the subspecialty certification being offered by the ABMS/ABPM process. In particular, the certifying examination will be unavailable to non-physicians or to physicians who lack specialty certification through one of the ABMS boards. Nurses, pharmacists and PhDs who are working full time in clinical informatics environments clearly need a similar kind of certifying opportunity, and AMIA is committed to developing such options for all our members who wish to pursue clinical informatics certification.”
This announcement seems to me to do two important things. First it provides a way of having individuals who are skilled in using technology to support clinical care a pathway to significant professional recognition - based on experience or examination. Secondly it bridges the gap between medical clinicians and others to reach a common level or recognition and hopefully career prospects.
As I have said before we need to be considering how a similar type of recognition can be developed in Australia especially for those focussed on improvement of clinical care in all its aspects.
David.

Thursday, December 15, 2011

Draft Submission to The Senate Community Affairs Committee - For Comments Please!

Submission to The Senate Community Affairs Committee

Enquiry on Personally Controlled Electronic Health Records (Consequential Amendments) Bill 2011 and the Personally Controlled Electronic Health Records Bill 2011.

Submissions due January 12, 2012.

Terms Of Reference.

The (Senate Community Affairs) Committee met in private session on Thursday, 24 November 2011 at 3.32 pm.
The committee resolved to recommend —That (among others) —the provisions of the Personally Controlled Electronic Health Records Bill 2011 and the provisions of the Personally Controlled Electronic Health Records (Consequential Amendments) Bill 2011 be referred immediately to the Community Affairs Legislation Committee for inquiry and report by 29 February 2012 (see appendix 6 for a statement of reasons for referral).

The Reasons for Referral / Principal Issues For Consideration.

·         Privacy issues / Privacy Breaches / Penalties for Breaches
·         Security of information on the PCEHR
·         Questions about the design, functionality and capability of the PCEHR
·         Questions regarding the use of consultants, contractors and tenders let or hired by NEHTA in regard to the development of the PCEHR
·         The level of functionality of the PCEHR at 1 July, 2012
·         Questions around the continuation of NEHTA after 1 July, 2012
·         The products that NEHTA designed, made, tested, certified for use in the PCEHR.
·         Any other issues the Committee considers appropriate.

Author Of Submission.

Dr David G More BSc, MB, BS, PhD, FANZCA, FCICM, FACHI.
Author Contact Details:
Phone +61-2-9438-2851 Fax +61-2-9906-7038
Skype Username : davidgmore
E-mail: davidgm@optusnet.com.au
HealthIT Blog - www.aushealthit.blogspot.com
Twitter @davidmore
Author’s Background.
I am experienced specialist clinician who has been working in the field of e-Health for over 20 years. I have undertaken major consulting and advisory work for many private and public sector organisations including both DoHA and NEHTA.
Previous Submissions on the PCEHR.
I previously provided a Submission on the PCEHR proposal to NHHRC in May, 2009 and the views expressed in that submission remain my position despite the work undertaken by DoHA and NEHTA since.
This submission is available here:
A later submission on the Draft Concept of Operations for the PCEHR from May2011 is found here:
I also provided a submission to the Department of Health and Ageing on the Draft Legislation to support the PCEHR.
This is found here:
Consent for Publication.
I am more than happy for this submission to be made available for public review on the Senate  website.

Submission

Introduction

The Senate Community Affairs Committee is faced with a very considerable problem in responding to the Government’s Bills related to the Personally Controlled Electronic Health Records (PCEHR).  This is because the Legislation is at the end of a very long process and only with an understanding of steps taken over the last fifteen years will what is being now proposed be able to understood and assessed.
To help the committee in this task I can recommend the following publication from the Parliamentary Library as very useful background reading.
The e health revolution—easier said than done [HTML] [PDF 1.02MB] The document is very recent having been published in November, 2011.
The perspective I am adopting in preparing this submission is that of a clinician who has been actively involved in ‘e-Health’ for over two decades. It seems to me that it is important to step back from the Bills and ask the following.
1. Is the proposal for the PCEHR the ideal approach for Australia to be adopting in seeking to move the Health Reform Agenda forward - and if not what might be a better approach?
2. Is the PCEHR proposal an evidence based intervention that has a significant chance of actually improving healthcare outcomes in Australia?
3. Are DoHA and NEHTA ideally led and governed to succeed with such a complex and sensitive initiative and has DoHA, NEHTA and the Government really assessed the risks associated with the PCEHR proposal?
4. Has a Business Case / Cost Value Analysis specifically of the PCEHR proposal been undertaken (rather than generic analyses of ‘e-health’ benefits) and what were the findings from this work to support the present PCEHR plans?
5. What has been put in place to ensure that clinical practitioners will actually use the proposed PCEHR and will what is presently planned be successful?
I would argue strongly that the answer to all five questions is a resounding no and the rest of my submission will develop the arguments to support this view.
I am firmly of the view that without radical re-design and re-scoping the PCEHR Program will be seen by history and a profoundly flawed initiative which was badly executed and one which continues a sorry line of similar initiatives as recounted in the Parliamentary Library report mentioned above.
The very recent appointment of Ms Tanya Plibersek as the Federal Health Minister - replacing Ms Nicola Roxon - may result in some dramatic reassessments of a range of Health sector initiatives and it is quite possible that there may be some fundamental changes to the PCEHR program as a result. It seems unlikely clarity will emerge on this score before submissions close on January 12, 2012.

Specific Issue Responses.

Issue 1. Is the PCEHR the right approach for Australia?
On the basis of research extending back over a decade there is good reason to judge that there is not a single successful approach to the delivery of Health IT initiatives. As well documented by the Parliamentary Library report a range of quite different approaches have had success.
I believe it is true to say that the most success has been seen with initiatives which are designed to deliver current, trustworthy and complete information regarding a patient to the professional clinical decision maker. Ideally delivery of this information is also supported by point of care clinical decision support.
This has usually involved some point of care computer system linked to a messaging system or some centralised databases where the relevant information is held.
It is such an approach that has worked well in Denmark (messaging based) or Kaiser Permanente (more centralised approach).
In both these and other successful initiatives the use by the clinician of the information to manage the patient has focussed clinician effort on ensuring information accuracy and ensuring information currency.
For quite inexplicable reasons such considerations have been ignored and the PCEHR is intended to be an aggregation of information extracted from live, used systems and for this information to be shared - under patient control - with other healthcare providers. The complexity and potential for confusion - to say nothing of the interference with clinician workflow - of this sort of plan is obvious and clearly ill-considered.
The conceptual design for the PCEHR appears no-where in the 2008 National E-Health Strategy and seems to have been invented in the bowels of the Department of Health and Ageing and NEHTA with virtually no consultation in response to a concept (and a concept only) found in the Health Reform Report from the HRRC in 2009. No similar initiative has been planned or undertaken anywhere else in the world that I am aware of.
At its heart the proposed PCEHR System is a aggregation of data-base information from diverse sources which is held and managed in parallel (and not replacing) information already held by providers and government on other systems.
A fundamental issue with such a parallel approach is that it lacks a ‘single source of truth’ for each piece of information and so violates, at its very core, one of the basic tenants of trusted information management. Bluntly, from an information management perspective, the approach is indefensible.
Issue 2. Is there any evidence the PCEHR will make a significant difference to patient safety and clinical outcomes?
I understand that Government, as a whole, is a strong supporter of evidence based policy. As presently planned the PCEHR is unique in the world and is being implemented without any structured evaluation of a completed pilot or prototype. In this situation it can be safely asserted the PCEHR is a very expensive policy experiment unsupported by any evidence of utility, value or safety.
Issue 3. What is needed in the way of leadership and governance to implement a successful National E-Health Program? Are we legislating to set this up?
All the evidence supports the statement that developing a nation Health IT infrastructure is a complex and difficult project which, if experience is any guide, takes many years and typically has a range of false starts and need for reworking.
To address such a difficult and complex undertaking expert leadership and governance is critical for success.
These short paragraphs from a recent article make it clear what is being talked about:
“Information governance is akin to an accountability wrapper for Enterprise Information Management (EIM).  A useful definition that speaks to the unique importance of information governance in health care organizations is:
To ensure that the organization has the leadership and organizational structures, policies, procedures, technology and controls for enterprise information management that represent the highest standards for legal, ethical, and business practice to serve patients, stakeholders and advance the public good.   
Governance of information assets has become every bit as important to advancing the organization’s mission as other dimensions of governance and effective governance should be driven by boards of directors and senior leadership. In fact, many hospital boards are now holding senior management accountable for steps being taken to avoid breaches of data.  Information exchange and greater transparency and public accountability for outcomes and cost raise the stakes. Senior leadership and boards should begin now to articulate their vision for information governance and EIM.”
The full article by Linda L Kloss (former CEO of the American Health Information Association) is found here.
Sadly we do not presently have either the leadership or the governance frameworks to address most of the issues raised. Before the PCEHR is implemented it is vital there be legislated best practice to ensure community expectations are met for information integrity, security, privacy and so on.
The present legislation fails utterly in this area.
The gap is made even more obvious by the following statements in an unreleased NEHTA document from late 2008 when proposing a predecessor to the PCEHR in a business case which was not actioned.
----- Begin Extract.

Governance arrangements

National e-health governance arrangements must provide three major functions:
·           strategic oversight and public accountability
·           management and operation
·           regulation and privacy.

Strategic oversight and public accountability

Implementing a national IEHR for Australia is a major business change. There are significant and complex issues in successfully managing this change, including policy, regulation, consultation, incentives and education. Many of these will be deeply connected and related to broader health policy and service issues.
The overall governance of the e-health work program outlined in this paper will rest with Health Ministers who are ultimately accountable for the safety, quality and outcomes of the health system. Consistent with this expectation, strategic oversight of the work program will be provided by the Australian Health Ministers’ Conference (AHMC). In order to fulfil these responsibilities, AHMC will be supported by its existing advisory committees. In particular, it is recommended that AHMC be supported by the Australian Health Ministers’ Advisory Council (AHMAC) which will be responsible for approving a detailed National IEHR Service Work Plan based on the schedule in this business case. AHMAC will also conduct gateway reviews at major milestones throughout the delivery of the work plan and publicly report on progress and achievements. AHMAC will determine the national policies, priorities and strategic directions for e-health and health information, and establish the required regulatory and institutional arrangements.

Management and operation

In line with the National E-Health Strategy, it is recommended that a governance board and e-health entity be established to successfully manage the delivery of the National IEHR Service Work Plan (as it is approved by AHMAC). Consistent with previous recommendations, the new board and e-health entity will incorporate stakeholder consultation in a systematic and structured way, thus ensuring that stakeholders are able to shape the design and implementation of e-health activities. This level of stakeholder engagement will be critical to effective national leadership, capacity building and uptake. A new board and entity is required as no existing organisation is sufficiently well equipped to manage such engagement, nor to manage the business change and focus on delivery envisaged by this business case. Features of the proposed board and entity will be:
·           An independent, skill-based national e-health governing board accountable for retaining the connection between the overall strategy (and desired health outcomes) and on-the-ground implementation. The board will support a structured approach to assessing the implications on the agreed plan of changes in policy, strategy, funding mix or execution priorities, and will work with governments to ensure that their significant investment remains on track to deliver the planned outcomes.
·           An e-health entity with clear accountability for delivery of the agreed plan. This entity will be charged with establishing clear agreements with jurisdictions and clarifying respective roles and responsibilities for delivery of the planned outcomes. The entity will require significant program management and health service delivery expertise and will work closely with the e-health governing board to:
       broker required sector collaboration
       manage key program risks and issues throughout delivery
       inform consumers and providers about the program
       report on specific measures of the program’s success.
Between COAG agreement to the National IEHR Business Case and the start of the work plan on 1 July 2009, an IEHR Project Taskforce will need to be established to consult, design, establish and launch the new national e-health governance arrangements.
Health Ministers will determine the preferred model for establishing the new national e-health governance arrangements, which will involve a transition process during the establishment phase of the work plan. Two options have been identified, both of which will require a significant program of work to implement. They are:
1           Reconstitute NEHTA to be the new e-health entity and subsume all functions required to deliver the work plan. This includes rebranding and refocussing NEHTA from a ‘transition’ authority to an e-health implementation body. Significant new capabilities including program management and health service delivery expertise would need to be developed by NEHTA to ensure its capacity to deliver this broader scope of functions, or
2           Continue NEHTA as the body charged with the significant task of developing and deploying core national e-health infrastructure (including finalising identifiers and authentication services, and standards development, conformance and compliance). A new national e-health entity would also be established focussed on delivering the broader work plan. NEHTA would report to the national e-health entity on the components of the work plan it is responsible for, with NEHTA’s role to be reviewed in three years.

Regulation and privacy

Privacy safeguards must be in place to promote consumer and healthcare provider confidence, uptake and benefits of e-health initiatives. Related to this, there must be clear consent processes for access to and use of health information and participation in e-health initiatives. There must also be sufficient regulation to ensure that practice conforms with policy, legislation and standards and to promote sustainability of the e-health market, including minimising the risk of market monopolisation.
Without a robust privacy and regulatory regime, it will not be possible to deliver the next stage of the national e-health work program. The current patchwork of health privacy legislation across the country is a major barrier to implementation of e-health initiatives. In addition, some e-health initiatives, such as the health identifiers, which is a critical dependency for the IEHR, will require specific enabling legislation.
The key regulation and privacy functions will:
·           promote the access, interoperability and sustainability of the national e-health market
·           protect the integrity, privacy and security of health information in both paper and electronic environments
·           provide compliance, complaints and enforcement arrangements for health information privacy and e-health systems.

The regulatory and privacy functions will need to be managed outside of the governance board and e-health entity, probably through existing jurisdictional health information privacy and complaints regulators. The e-health entity will, however, be responsible for identifying and managing dependencies between this work and the broader National IEHR Service Work Plan.
Work is already well underway by AHMC on the development of a National Health Information Regulatory Framework (NHIRF) through AHMAC. This includes developing legislative proposals that will provide nationally consistent health privacy legislation and authorisation for health identifiers. It will be important to publicly consult early on these proposals, which is currently planned in February-March 2009. Governments are expected to take a draft NHIRF Bill to their respective parliaments in November 2009.
----- End Extract.
Even NEHTA recognised what is needed is far from what DoHA and the Government are presently proposing and saying it will be fixed up ‘later’ with regulations is really just not good enough.
Issue 4. Is there a business case / business justification specifically for the PCEHR rather than generic ‘feel good’ benefits studies that examine approaches that are vastly different from the PCEHR.
When well deployed there is evidence that Health Information Technology can improve the quality, safety and efficiency of healthcare.
NEHTA’s own internal analysis shows the major benefits from Health IT deployment are in:
1. Clinical Decision Support (50%)
2. Clinical  Messaging Efficiencies (30)
3. Internal Community Provider and Hospital Provider Efficiencies (20).
Source: NEHTA Presentation - AFR Conference February 2007
For reasons that are not at all clear these benefits are not where the emphasis, indeed much attention at all, is focussed by the PCEHR program. There is really no evidence that sharing basic health summaries - under patient control - is likely to provide much in the way of tangible benefits or improvements in patient safety.
The best work done on this comes from the UK and professional academic evaluations of the UK’s Shared Care Record - have ranged between dismal and very disappointing with quite low access and use of available records.
Issue 5. What has been put in place to ensure that clinical practitioners will actually use the proposed PCEHR and will what is presently planned be successful?
At present it is planned that usage of the PCEHR will be on an ‘opt-in’ basis i.e. it is up to the consumer of clinician to decide if they wish to use the system.
Given that inevitably there will be both negative workflow an time consequences it seems very unlikely the system will be used without some compensating financial incentives which, at present, have been ruled out.
Both the AMA and the RACGP have warned that without appropriate incentives usage will be minimal and adoption - if it happens - will be at a snail’s pace.
Adoption and use by clinicians will also be inhibited by uncertainty as to the reliability and completeness of the information held within the PCEHR.
Consumer use is also likely to be very low as many of the services that have been found to be useful for consumers (e-mail access to practitioners, ease of arranging appointments and repeat prescriptions and similar interactive services) are not catered for in the present PCEHR design.
There is a high risk of the entire program becoming a very expensive white elephant and the only way this risk can be sensibly mitigated is to conduct some at-scale trials to optimise and fine tune what is delivered before a major roll-out is initiated.

Responses To Issues Raised In Enquiry Referral.

Most of the issues raised in the points associated with the reference to a Senate Enquiry properly fall under the headings of leadership and governance I have explored above.
On the NEHTA specific issues raised it is clear that there are a very wide range of views regarding NEHTA’s performance over the last almost six years. My personal view is that the organisation is culturally flawed and while having sensible objectives has become a victim of managerial spin and an excessive user of public relations personnel to hide fundamental under-delivery.
There are many really dedicated and smart people working for NEHTA but sadly they seem to be being led by some quite flawed management who seem to have lost touch of the fact that their role is to assist the health system implement systems which will make a positive difference and not to pursue technical objectives for their own sake.
The persistent complaints and negative comments coming from many sources - including many of those who have left or still work for NEHTA - really suggests there are real problems that need resolution - ‘No smoke without fire’ would seem to apply here.
The continuing flow of negative information from a range of ‘Netians’ (as they term themselves) to my blog from a range of sources tends to confirm my view.
I suspect submissions from the Medical Software Association and the Australian Privacy Foundation (as well as the reporting found in the mainstream press) will confirm my impression.
I also expect there will be vociferous support for NEHTA, especially from those who stand to lose financially if there are cut-backs in NEHTA’s promotional and support budgets.
Given the technical nature of much of the material that is likely to be discussed I recommend the Committee appoint an independent expert adviser in e-health to the Committee Secretariat to ensure fair but properly revealing testimony.

Issues I Believe Need To Be Explored By Committee That Are Not Mentioned In the Referral.

There are some specific questions I would commend to the committee.
Why the haste with implementation of a program as complex as the PCEHR?
Why was the National E-Health Strategy Not Funded and Implemented following its release and approval by Health Ministers in 2008?
Why has actually been the live real-world adoption and use of the Health and Use of the Health Identifier Service?
What tangible benefits have been thus far delivered to Australian Patients as a direct result of NEHTA’s work over the last six years?
Has the Australian Public received value for money for the hundreds of millions invested in Commonwealth E-Health projects and how has this been quamtified?

Summary Concluding Remarks.

I believe - having reviewed all the submissions and taken evidence - that the Committee will be left with a choice of three paths.
First it may decide to recommend the PCEHR program continue, NEHTA be given on going funding and await developments over the next few years with the passage of the legislation in its present form.
Second it may decide to instigate urgent checkpoint reviews of the PCEHR Program Components and NEHTA to assess the cost / risk benefit of what is underway and to recommend changes to the programs and legislation to ensure there is a maximal chance of overall success in the longer term.
Third it might decide to recommend that a carefully considered National E-Health Governance Framework be developed and implemented and that when that is achieved the operations of NEHTA and the PCEHR program be reviewed and aligned to a more practical and realistic set of objectives as per the 2008 Deloittes National E-Health Strategy - which should be properly funded.
My preference would be very much for the third path to be chosen.

Links To Relevant Blog Posts.

As noted by the report undertaken by the Parliamentary Library there are vociferous supporters of what is being done in the e-Health domain by the Government and there are also a considerable number of experts who have great concern about what is happening from a range of perspectives.
As also pointed out in the report there is a community of concerned experts who contribute to my blog and who form a small coalition hoping for more care and thought being applied to the overall initiative.
It also needs to be pointed out there are a number of web-sites, typically sponsored by NEHTA among others, who complain remorselessly about ideas and concepts found on my blog.
The links following provide some insight into the sort of discussions and positions put. (Note much of the contributed material is anonymous as people are concerned for the careers and prospects should they be identified.)
To be Added after review.
----- End Draft.
Note: We all only have one shot at this - so input is vital!
David.

Wednesday, December 14, 2011

It Does Seem Things Are Not Going All That Well With Canada Infoway. Are There Parallels We Need To Watch Closely?

The following article appeared in the Canadian Medical Journal last week.

NEWS

December 5, 2011

Nothing cutting edge about Canadian ehealth strategy, critics say

Critics have argued of late that Canada’s ehealth strategy entirely missed the boat because of an excessive focus on developing massive centralized data systems as opposed to promoting meaningful use of electronic health data by physicians and patients.
The situation may be even more worrying than that, though, as one of architects of Canada’s ehealth strategy says the evolution of technology, itself, has all but completely made that plan obsolete.
New technologies such as tablets and mobile devices long ago outstripped Canada’s ehealth strategy, says Will Falk, who is credited with writing one of Canada Health Infoway’s first business plans. “There are only a couple of homecare mobile projects that have received Infoway funding to date. This in the country that invented the Blackberry?”
Physicians are essentially bypassing the multibillion dollar project and finding their own ways to incorporate the new technologies into their practices, adds Falk, estimating that 90% of doctors now use smartphones, tablets and other personal communications devices without government prodding. “Doctors aren’t waiting for Infoway. They are voting with their feet.”
Far too much of the official investment in ehealth has gone towards subsidizing the development of overpriced, useless systems that unsuccessfully mimic cheaper, better,  privately-developed products, says Falk. As an example, he cites Ontario’s “ONE mail” system, a custom-built email system which has been harshly criticized by government auditors as being inferior to commercial products (www.auditor.on.ca/en/reports_en/ehealth_en.pdf).
A plethora of other investments have also soured but Infoway and its provincial counterparts seem incapable of cutting them loose, Falk adds. “It’s time they began sorting out their projects and eliminating those that can’t prove a business case for survival.”
“They just can’t keep on doing demonstration projects,” adds Falk, who in a recent report for the Mowat Centre for Policy Innovation at the University of Toronto in Ontario called on governments to either scuttle ehealth agencies or “monetize” them, perhaps as Crown corporations (www.mowatcentre.ca/research-topic-mowat.php?mowatResearchID=41).
Economist Donald Drummond similarly argues there’s a need to more effectively utilize new mobile information technologies and the Internet itself in the delivery of health services.
Better information should be available to patients regarding their own health care, says Drummond, visiting scholar at Queen’s University in Kingston, Ontario, and former vice-president of the Toronto-Dominion Bank. “With the proper information, patients, such as diabetes sufferers or their families, could provide the ongoing care rather than always relying on physicians and hospitals.”
“Greater use could be made of internet and telephone services to provide care” and to help Canadians find family physicians,” adds Drummond, who argued in a recent report, Therapy or Surgery? A Prescription for Canada’s Health System, for the C.D. Howe Institute that Canada must reconfigure its ehealth strategy so that it is driven by the needs of hospitals and family health teams (www.cdhowe.org/pdf/Benefactors_Lecture_2011.pdf).
Physicians need access to information that is relevant and “doesn’t end up being another compliance burden,” adds Drummond.
The views of Drummond and Falk align with those of many other critics who say that Infoway’s ehealth strategy was driven by industrial considerations and contracts with information technology firms, rather than health system needs (www.cmaj.ca/lookup/doi/10.1503/cmaj.109-4001).
Falk credits the billions channelled by the federal and provincial governments toward ehealth agencies with the subsidization of an industry that he estimates has grown from employing a few hundred experts to 30 000. But having accomplished that, the subsidies have created a situation where “several agencies and ministries have substantial internal software development shops which directly compete with private industry,” he says. “Many provincial and sub-provincial service providers are both purchasers of and providers of SI [systems integration] and outsourcing services. They are both clients and competitors at different points. They need to be put on a level-playing field with private industry and compete in open processes.”
.....
DOI:10.1503/cmaj.109-4065
— Paul Christopher Webster, Toronto, Ont
Lots more here:
I was alerted to this article by a frequent visitor to Canada who rather pithily describes Canada Infoway as ‘NEHTA’s Evil Twin’.
I do have to say that, while there are differences there are certainly some striking parallels.
First both organisations are set up at a slight arm’s length to Government while taking both federal and state funds.
Second both are big picture, architecturally driven with many in-house experts.
Third over-time both have becomes the ‘only game in town’ - often to the detriment of small already active solution providers.
Fourth there does seem to have been a rather top down, one size fits all approach where possibly a little more local flexibility might have helped.
Fifth both organisations like to use contractors and outsourcing for most delivery - providing them with very considerable market power.
Sixth in both environments there concerns from clinicians and other stakeholders that there is a degree of inflexibility and lack of consultation about what is being done.
Seventh both organisations have not impressed with the speed of delivery.
Eighth both organisations are very active self-promoters in the PR sense!
Four key differences has been however that Infoway has been much better funded, has been much more publicly accountable, has used a business case based model to distribute funding and has actively sought local involvement at a regional level. It is also true that Infoway has had some significant project wins - which we have yet to see from the slightly younger NEHTA.
A little honest cross learning between these two could be a very good thing for both organisations.
David.

Tuesday, December 13, 2011

The Health Information Breach Problem Seems To Be Getting A Lot Of Coverage. Australia Needs To Take a Serious Stance On the Issue and Soon!

Last week I ran a blog on some material on Health Information Security.
This is found here:
Just after this we have had ongoing reports about the situation in the US.
First here:

Health data breaches cost $6.5B annually

December 1, 2011 — 5:43pm ET | By Ken Terry
The number of reported data security breaches in healthcare organizations increased 32 percent from 2010 to 2011, and, on average, there were four breaches per healthcare provider this year, according to the Ponemon Institute's second annual survey on the topic.
The mean cost of these breaches to healthcare organizations was $2.2 million, up 10 percent from last year. In addition, respondents reported that security breaches reduced productivity, caused a loss of goodwill, and contributed to patient churn. Twenty-nine percent of providers said that data breaches had resulted in medical identity theft.
Based on the survey responses, Ponemon estimates that data security breaches cost the U.S. healthcare industry about $6.5 billion a year.
.....
To learn more:
- read the Ponemon Institute
press release
- see the Healthcare IT News
article 
More here:
This was followed up by a long interview here:

Q&A: How a health 'data spill' could be more damaging than what BP did to the Gulf

By Tom Sullivan, Editor
Created 2011-12-05 11:12
The street value of health information is 50 times greater than that of other data types. Even worse, the healthcare industry is among the weakest at protecting such information. With organized criminals trying to steal medical IDs, sloppy mistakes becoming more commonplace, mobile devices serving as single sign-on gateways to records and even bioterrorism now a factor, healthcare is ripe for some a wake-up call – one that just might come in the form a damaging "data spill."
Government Health IT Editor Tom Sullivan spoke with Larry Ponemon, chairman and founder of the Ponemon Institute, and Rick Kam, president of ID Experts (pictured below), which sponsored Ponemon's second annual Benchmark Study on Patient Privacy and Data Security. He asked about that data spill assertion, why healthcare lags other industries in privacy and security, and how the $6.5 billion spent on responding to data breaches could be better invested.
Q: The study finds that breaches are up 26 percent. Are things as bad as they seem to be?
Larry Ponemon: Data loss and data breaches happen all the time. And one of the possible reasons for increase in frequency for the data breach events can be due to the fact that organizations are more cognizant of it and are mandated by law to report it. In other words, it’s the old adage, 'If a tree falls in the middle of the forest and we don’t hear it, did it actually fall?' Well, organizations have a heightened sense of awareness, hopefully, about these laws and therefore the frequency is increasing because of that.
There is a second more nefarious possibility that data loss occurs because there’s just more criminal enterprise around data theft. And there’s evidence that, not just in healthcare, but generally that number seems to be on the increase as well.
So it’s a combination of factors, but the results of our research on a matched sample basis suggest that number certainly isn’t going down. Instead of getting better, it seems to be on the increase.
Q: What, specifically, are those factors?
Rick Kam: One of the interesting things within privacy circles is growing concern about the strategic nature of the data. For example the TRICARE information that was breached, there’s concern about the data including the vaccination and health information of our fighting forces being released or perhaps picked up by a nation-state like China or North Korea or others that would look at a bioterrorism strategy against our country in some respect. It might seem a little out there in terms of concern, but just as there’s nefarious for criminal or financial gain, there’s also nefarious for other types of issues where health information can be very useful.
Q: So, an enemy could potentially find out weaknesses in terms of vaccinations, and deduce the best way to attack our troops?
RK: Exactly. To use a bioterrorism agent that weakens the fighting forces of the U.S., knowing what they are vaccinated against and what they are not would be an important detail.
Q: Beyond the military, is the healthcare industry at large vulnerable to some sort of big data heist?
RK: Like when BP had their massive oil spill, there’s the potential for something like this to occur in the data security/privacy within healthcare – which would be a wake-up call for the industry. To put this into context, healthcare information compared to financial data or even oil is something that cannot be put back in the box. You can get a new Social Security number or a new credit card from a financial or identity theft. If you have an issue with the theft from TJX or one of those types of situations or even Sony with the email addresses and account numbers, but losing even a handful of hundreds of pieces of patient data that might surround a stigmatized illness or some variation on that theme, that information cannot be put back into the box. Once it’s out there, it’s out there forever. There are a couple of issues around that. One is that the information is worth 50 times what Social Security numbers are worth based on some of the things I’ve seen in various pieces of research, some of which Larry has done. So a Social Security number is worth, say, $1 on the street while a health insurance number and/or health information is worth $50 on the street, which points to the value of that information for other uses, whether it’s getting access to prescription drugs illegally, or health services.
So I do think there’s going to be a giant data spill of health information and that might be tens of thousands or even millions of records that create that impact. Since you’re Government Health IT, I love this example: Imagine if the health information of the U.S. Congress was compromised ... or of the GOP candidates … or some variation on that theme.
Q: The study found that sloppy mistakes are among the most prevalent causes of data breaches. What are the most common examples?
LP: Basically, it’s hard to say what the sloppiest is, or the worst example, but I think we see billing information, administrative applications like scheduling apps, definitely clinicians that are not paying attention to detail that unfortunately might lose a device like a handheld that contains patient information. Part of the whole ecosystem of healthcare is about collecting information. You have to do it. That’s why you’re in a hospital, right, to recover from an illness or for diagnostic purposes. There’s information that has to be collected about you, but there’s the handling of that between clinicians, administration, billing, and others including third-parties that creates kind of a perfect storm for data loss. There’s also the culture. I’m just going to jump in here – and this might sound pretty negative and damning to clinicians – but culturally we’re dealing with people who measure their efficiency in seconds. There’s pressure on healthcare organizations to be more efficient than they’ve previously been. There’s efficiency in terms of time, the time it takes to get something done. So if it takes a little bit of time to secure your handheld device with a password, that doesn’t get done. That goes back to the culture of healthcare where we push people to work very, very efficiently but they may not have the resources to go a little slower to be more mindful of their privacy and security responsibilities. This might also be true in other industries but based on the research we’ve done over the years healthcare seems to be one of the worst in terms of balancing the need for security with the mission of more efficiency.
Q: So why is healthcare among the worst?
LP: Well, I think there are financial challenges for many healthcare providers, so as a result of that it’s hard to get enough funding to have the right technology and the right people, the right governance processes in place to deal with these regulatory and real requirements, more than just regulatory. So that has a lot to do with it and as I said culturally the main vision in healthcare is to heal people. It’s not about protecting data. Some industries like financial services learned a long time ago that data protection is core to customer trust.
That concept does not seem to pervade the healthcare organizations that participated in our study and, interestingly enough, patients, people who are the victims of data loss, if a healthcare provider loses their data, they’re going to lose trust pretty quickly and say ‘Why do I want to go to a hospital that can’t manage my data? How can they manage my illness?’ ‘How can they manage a laboratory test if I can’t trust them to manage my billing order?’ Those kinds of issues are pervasive in healthcare. Other industries experience some of these, it’s not uniquely a healthcare problem – but it does seem that healthcare has more of these challenges than other industries.
RK: Widespread use of mobile devices is one of the culprits. It’s not unique to healthcare but they are causing problems.
Lots more here (really worth a browse):
And concern also made it to the Australian press. See here:

Data breaches common in US health system

NINETY-six per cent of US healthcare organisations have reported at least one data breach in the past two years, the Ponemon Institute reports in its second annual Patient Privacy and Data Security benchmark survey.
The independent privacy researcher found that organisations suffered an average of four data breaches during the period, at an average cost of $US2.2 million per incident.
Ponemon chairman Larry Ponemon described medical information handling practices as "sloppy", and "a disturbing reality check for patients".
"Data breach risks are high, identity theft and medical identity theft are on the rise, and patients’ privacy is affected," Dr Ponemon said.
Employee negligence was the primary culprit for the 32 per cent rise in the number of breaches during the 2010-11 financial year over the previous period, with 41 per cent of respondents blaming "sloppy mistakes" involving protected health information.
Forty-nine per cent of respondents cited lost or stolen computing devices, while 46 per cent reported "snafus" by third-parties or business associates.
Technical glitches played a part in one-third of the breaches, while criminal attacks were involved in 30 per cent of cases.
The average number of lost records was 2575, up from 1769 a year earlier.
The widespread use of mobile devices was a significant risk, with 81 per cent of respondents collecting, storing and transmitting some personal health information wirelessly – 49 per cent admitted their organisations did nothing to protect these devices.
.....
In Australia, there is no compulsion for healthcare organisations to report data breaches, so the scale of the problem here is unknown.
More here:
The most telling here is the last paragraph - pointing out we don’t have a clue what is happening in Australia.
On the local front we have NEHTA with its work on a Security and access framework and NASH.
See here:

Nehta releases security framework

The National E-health Transition Authority (Nehta) has released the security and access framework that sets out how health information should be collected, stored and accessed – a critical step in its bid to win consumer support for the personally controlled electronic health records which Australians can sign up for starting mid-2012.
Details of the National eHealth Security and Access Framework (NESAF) which was unveiled today by Nehta are currently only available to vendors registered with the Nehta website.

The heart of the framework however is understood to be descriptions of the standards and protocols organisations should use when writing e-health systems, which have been compiled as a toolkit to help organisations design and develop health related computer systems.
Lots more here:
I would tell you more about the document but it seems I can’t.
From Page ii.
Security
The content of this document is confidential. The information contained herein must only be used for the purpose for which it is supplied and must not be disclosed other than explicitly agreed in writing with NEHTA.
I can however point out that the NESAF aims to deliver a risk based management process framework that is to be used by any organisation that is receiving or sending information to the public e-Health infrastructure (PCEHR, IHI etc. one assumes) and that compliance mechanisms are still a bit of a work in progress and may be addressed in Version 4 of the NESAF which is due in March 2012.
Just who funds what, how compliance is to be audited and who needs to apply the framework will almost certainly become clear over time. The cost and complexity of some of what seems to be being proposed to a solo GP practice may be an issue I suspect.
In passing I note we have this available describing NASH - which works with the NESAF.

National Authentication Service for Health

The National Authentication Service for Health (NASH) is a key foundational component for eHealth in Australia. It is essential that the identity of people and organisations involved in each eHealth transaction can be assured, and this requires high quality digital credentials. The NASH,  Australia’s first nationwide secure and authenticated service for healthcare delivery organisations and personnel to exchange sensitive eHealth information, will provide this.
In March 2011 the contract to design and build NASH was awarded to IBM, and NEHTA began working with stakeholders to develop its Concept of Operations and solution design.
The service will issue digital credentials, including digital certificates managed through the Public Key Infrastructure and secured by tokens such as smartcards. These credentials will validate identity when used to access eHealth systems that are enabled to use NASH authentication.
Specifically, NASH will:
  • provide a governance approach that would allow health sector participation in the operational policies and services NASH develops
  • establish the standards framework for national tokens/smartcards in healthcare delivery
  • establish a national supply of digital credentials available to all healthcare delivery entities in the health sector, allowing the traceability of eHealth transactions to trusted identities
  • allow healthcare communities to issue and manage authentication credentials locally, supported by national infrastructure
  • support software vendors in transitioning their products to use nationally recognised digital credentials
Found here (December 9, 2011).
Any close reading of this makes what I said last week seem optimistic. Implementation of NASH is going to take years and years and the costs are going to be more than considerable - both in initial implementation and ongoing maintenance.
Just how this fits with the PCEHR time-table I leave for resolution by the reader!
David.