Wednesday, November 21, 2007

Canadian Attitudes to EHRs and Privacy

Canada Health Infoway, Health Canada and the Privacy Commissioner of Canada commissioned and have published a comprehensive survey of Canadian attitudes towards Electronic Health Records and Privacy titled Electronic Health Information and Privacy Survey: What Canadians Think - 2007.

From the Press Release:

Almost nine in 10 Canadians (88 per cent) support the development of EHRs -- a five per cent increase since 2003. Other findings include:
  • 31 per cent of respondents reported they had experience with an electronic health record during an interaction with the health care system. When asked to how the EHR system compared to the paper system in terms of overall effectiveness for the health care system, an overwhelming majority (89 per cent) said the electronic system was better.
  • 87 per cent of Canadians believe electronic health records will make diagnosis quicker and more accurate, while 82 per cent believe they will reduce prescription errors and 84 per cent would like to be able to access their own medical records online.
  • Canadians want to ensure that privacy and security safeguards are in place to protect their health information. 77 per cent would like audit trails that document access to their health information. 74 per cent want strong penalties for unauthorized access. 66 per cent of Canadians want clear privacy policies to protect their health information. In the event of a security breach, 7 in 10 want to be informed and would like procedures in place to respond to such breaches.
  • Those who have had experience with an electronic health record showed an even stronger support for privacy and security safeguards.
  • A majority of Canadians (55 per cent) would like to be able to hide or mask sensitive information contained in their record.
  • While the poll shows strong support (84 per cent) for using anonymous information from electronic records for health research, this support drops dramatically if personal details are not removed from the record (50 per cent).

Thursday, November 15, 2007

Laptop Thefts - Again!

Alberta's Privacy Commissioner, Frank Work, is the second Canadian privacy commissioner to demand the encryption of personal health information on laptop computers following the theft of four laptop computers from a Capital Health facility. From the OIPC press release:

"The investigation outlines the following steps that must be taken to protect health information stored on a mobile device in order to meet requirements of the HIA:
  • There must be policies and procedures that users are aware of and educated on that guide proper use of the device,
  • Reasonable steps must be taken to physically secure the device,
  • There must be a business need to store health information on the device,
  • The device must be password protected, and
  • Health information stored on the device must be protected by properly implemented encryption."

Monday, October 29, 2007

Westin Speaks on Health Research

US Privacy Guru Alan Westin has recently undertaken a study on behalf of the US Institute of Medicine on public attitudes concerning privacy and health research. Modern Healthcare Online has published a two part article on his findings (for part 1 click here - for part 2 click here). From the article:
"The good news for the research community is, despite a plethora of media reports on privacy and security breaches in the healthcare industry, most people still respect the aims of researchers and are willing to support their work.

The bad news is, perhaps because of these highly publicized privacy failures, people need more assurance than in the past that their healthcare information will be protected and, particularly, not end up being misused in ways that could hurt them. This new reality will necessitate some consciousness-raising on the part of researchers, who historically have seen themselves as the guys in white hats who should be above suspicion, according to Westin."

Friday, October 26, 2007

Remote Access to PHI

Health care organizations are under significant stress to allow remote access to personal health information in the field or from the homes of health care workers. The Ontario Information and Privacy Commissioner issued her Order HO-004 which addressed the issue of PHI stored on laptop computers and directed Ontario health information custodians to employ measures such as encryption to protect PHI on laptops and other portable devices. I know that many Ontario health care organizations are struggling to implement this order while not interfering with the need to allow remote access to PHI for legitimate and important health care delivery and research purposes.

I found an excellent reference guideline on the security considerations for remote access published by the US Department of Health and Human Services titled Security Guidance for Remote Use. This is published under the auspices of the HIPAA Security Rule. What I really like about this document is that it takes a risk management approach to considering the problem of remote access. The document looks at the risks of allowing remote access and suggests possible risk mitigation strategies.

This document is HIGHLY Recommended.

Friday, October 19, 2007

10 Years Late

I was having breakfast a few mornings ago with a colleague. We were discussing the current state of privacy laws and what I perceived to be the major threats to privacy. I was bemoaning the fact that our current privacy regimes are inadequate to deal with these new threats- that of government "function creep" (with the many unfortunate but legal uses being made of our personal information by government agencies in the name of national security and law enforcement), and identity theft. With respect to the former, he commented that while the checks and balances of our modern democratic systems may appear to have broken down, they are actually still in play. We'll see the pendulum swing back in the next few years.

It dawned on me that our current privacy laws were made for our world as it existed 10 years ago when we were at the height of the dot.com boom. Way back then, in 1997, everyone was worried about the potential abuses by information entrepreneurs who wanted to capture our eyeballs and data mine our personal information. The laws we built succeeded in tempering the ambitious aspirations of the entrepreneurs, but didn't anticipate the threat to privacy in the post 9/11 world.

Maybe thats the pattern. 10 years from now we will have come to a consensus on how to protect personal information from over-zealous bureaucrats and law enforcement officials. But who knows what new threats to privacy will emerge in 2017. We can predict, for example, that our genetic code will be a prominent feature of our electronic health records. Who will be trying to exploit that information for power or profit? We can also predict that our privacy laws won't be able to fully protect us from these new perils.

Unfortunately, we don't have a crystal ball.

Thursday, October 18, 2007

EHR's for Sale

I wonder how Canada Health Infoway will feel about banner ads on its nation-wide Electronic Health Record?

After reading a couple of articles over the past few days (Advertising, data sales subsidize EMR products and Google Health Wants to Digitize your Medical Records), it crossed my mind that the EHR, EMR and EPR marketplace is moving way faster than our eHealth policy makers. We've seen it in other sectors, particularly in education where cash-strapped schools and school boards rent out advertising space to soft drink and confectionery companies. Already in the United States banner ads and sales of aggregated and anonymized data (if there really is such a thing any more) are seen as integral parts of the EMR/EHR business model.

There are a raft of ethical issues that must be addressed as market forces worm their way into our eHealth systems. Its one thing for big Pharma to market their products to physicians through sales reps, but what happens when the marketing happens in real time... When the drug in the banner ad is tied to the patient's diagnosis and conveniently displayed on the doctor's screen?

I'm beyond worrying about whether this is a good thing or a bad thing. What worries me is that this stuff is happening without debate. Maybe the benefits of improved health care through eHealth are worth a little manipulation by big corporate interests if thats what it takes to fund an eHealth infrastructure. But can we at least think about it before it happens?

Wednesday, October 17, 2007

Health Privacy Resource

Anyone looking for a good source of health privacy resources should look at the Privacy Commissioner of Canada's website. Her health page links to most of the key resources of interest to Canadians, and has links to international resources as well.

My favorite link is to the 1992 Supreme Court decision McInerney v. MacDonald. This is the decision that enshrined the principle that while a health care provider owns the health record, the patient has nearly absolute rights to the data contained in the record (for clarification on the "nearly" check out the decision).

Friday, October 12, 2007

SPAM spam spam spam.....

Alex Jadad and Peter Gernburd of the Centre for Global eHealth Innovation in Toronto, Canada, have recently published a unique study titled Will Spam Overwhelm Our Defenses? Evaluating Offerings for Drugs and Natural Health Products. They found that 32% of the spam we receive is health related, usually associated with products for erectile dysfunction, killing pain and anti-obesity.

Armed with a low-limit VISA card, a post office box and, I suspect, a healthy sense of mischief, the researchers went in search of online health products.

The paper includes the following summary points:
  • Spam, or unsolicited e-mail received from an unknown sender, now accounts for the largest proportion of all messages delivered online.
  • Little is known about health-related spam and the spammers behind it.
  • This study shows that it is possible to purchase products purported to be prescription drugs and controlled substances, across traditional national and legal boundaries, with one-third of our attempts to do so being successful.
  • Buyers should be fully aware that it may not be possible for them to hold spammers accountable for any claims made in their messages, or to get protection from illegal activities resulting from disclosure of personal or financial information to spammers.
  • Spammers are challenging our traditional regulatory, licensing, and law enforcement frameworks, and even threatening their relevance.
For a summary of the study and comments from the researchers, check out the Globe and Mail article titled No prescription, no problem.

Thursday, October 11, 2007

A Public Hanging

Its often said that there's nothing like a public hanging to get peoples' attention. Evidence that there are serious consequences to one's actions is a powerful motivator to behave appropriately.

Witness the response of Palisades Medical Centre in North Bergen, New Jersey, that played host to actor George Clooney and his girlfriend, Sarah Larson, following their motorcycle accident last month.

The hospital suspended 27 employees for looking at Clooney's medical records without authorization following an audit of the hospital's systems.

Clooney didn't seem too distressed about the situation. Associated Press quoted him as saying, "While I very much believe in a patient's right to privacy, I would hope that this could be settled without suspending medical workers."

Clooney's feelings aside, this situation can be used as a vivid and very public example of the possible consequences of browsing patient medical records.

Wednesday, October 10, 2007

Privacy Best Practices in Research

While most of the business case arguments for eHealth are associated with the treatment and care of individuals, there are tremendous societal benefits to be gained through health research. I sometimes get the feeling that we have to be apologetic about using health databases for legitimate research purposes. Only through research will we master the medical and social challenges facing humanity.

A couple of years ago (in 2005 to be exact), the Canadian Institutes of Health Research published a document titled CIHR Best Practices for Protecting Privacy in Health Research. This document defines 10 elements that should be considered in the design, conduct and evaluation of health research to address privacy and confidentiality concerns. These elements are:

  • Element #1 - Determining the research objectives and justifying the data needed to fulfill these objectives
  • Element #2 - Limiting the collection of personal data
  • Element #3 - Determining if consent from individuals is required
  • Element #4 - Managing and documenting consent
  • Element #5 - Informing prospective research participants about the research
  • Element #6 - Recruiting prospective research participants
  • Element #7 - Safeguarding personal data
  • Element #8 - Controlling access and disclosure of personal data
  • Element #9 - Setting reasonable limits on retention of personal data
  • Element #10 - Ensuring accountability and transparency in the management of personal data
This is a comprehensive guide (169 pages) for anyone involved in health research who is interested in applying best practices for protecting the privacy rights of individuals.

Tuesday, October 9, 2007

Holy Hard Drives, Batman!

Researchers at the Children's Hospital of Eastern Ontario (CHEO) Research Institute have just published a paper titled An Evaluation of Personal Health Information Remnants in Second-Hand Personal Computer Disk Drives. Bottom Line: They bought 60 hard drives from second-hand dealers. They were able to recover personal information from 65% of the drives and personal health information from 10% of the drives. "Some of the PHI included very sensitive mental health information on a large number of people".

From the abstract:
Background: The public is concerned about the privacy of their health information, especially as more of it is collected, stored, and exchanged electronically. But we do not know the extent of leakage of personal health information (PHI) from data custodians. One form of data leakage is through computer equipment that is sold, donated, lost, or stolen from health care facilities or individuals who work at these facilities. Previous studies have shown that it is possible to get sensitive personal information (PI) from second-hand disk drives. However, there have been no studies investigating the leakage of PHI in this way.
Objectives: The aim of the study was to determine the extent to which PHI can be obtained from second-hand computer disk drives.
Methods: A list of Canadian vendors selling second-hand computer equipment was constructed, and we systematically went through the shuffled list and attempted to purchase used disk drives from the vendors. Sixty functional disk drives were purchased and analyzed for data remnants containing PHI using computer forensic tools.
Results: It was possible to recover PI from 65% (95% CI: 52%-76%) of the drives. In total, 10% (95% CI: 5%-20%) had PHI on people other than the owner(s) of the drive, and 8% (95% CI: 7%-24%) had PHI on the owner(s) of the drive. Some of the PHI included very sensitive mental health information on a large number of people.
Conclusions: There is a strong need for health care data custodians to either encrypt all computers that can hold PHI on their clients or patients, including those used by employees and subcontractors in their homes, or to ensure that their computers are destroyed rather than finding a second life in the used computer market.

So much for those who say "It couldn't happen here"!

Friday, October 5, 2007

eHealthRisk Wiki

To complement this blog and the eHealthRisk Workshops I teach at the Waterloo Institute for Health Informatics Research, I have established an eHealthRisk Wiki to be a resource for everyone interested in the subject of eHealth risk.

Bookmark the URL http://ehealthrisk.wikispaces.com

Subject areas to be covered on the Wiki include:
  • Risk Management
  • Benefits Realization
  • Privacy Risk
  • Security Risk
  • Safety Risk
  • Project Risk
  • Operations Risk
  • Business Risk
  • eHealth Standards
I believe that wiki's are very powerful tools that provide an intuitive and direct path to information (it works just like Wikipedia). They also provide an opportunity for collaborative development. Anyone interested in contributing to the eHealthRisk Wiki is welcome to contact me with your ideas.

The eHealthRisk Wiki in a very early state of development. Some of the pages are still blank and there is much more to add. Still, you will find it a useful reference.

I will be posting updates on the progress of the eHealthRisk Wiki on this blog from time to time.

Tuesday, October 2, 2007

KatrinaHealth

Lessons from KatrinaHealth - This report has been around for a while (published in June 2006). For those of you who haven't read it it makes an excellent case study for the use of ICTs in a disaster.
From the Introduction:
KatrinaHealth was an online service that was established to help individuals affected by Hurricane Katrina work with their health professionals to gain access to their own electronic prescription medication records. Through a single portal, KatrinaHealth.org, authorized pharmacists and doctors were able to get records of medications evacuees were using before the storm hit, including the specific dosages. Having this information helped evacuees renew their medications, and helped healthcare professionals avoid harmful prescription errors and coordinate care.

From the body of the report:

To design, construct, test, and prepare KatrinaHealth for use in less than three weeks, the project team confronted numerous technical, policy, and organizational hurdles. The specifics of the team’s process are described in some detail at the end of this report. Many of the hurdles were overcome, some were not, but did not derail the project, and others remained sticking points. Contrary to expectations, the technical hurdles, although significant, were easier to work around, and sometimes solve, than were some of the policy, business, and
organizational issues.

This report was published by the Markle Foundation. It provides excellent evidence to support the business case for eHealth.

Monday, October 1, 2007

EC Report - eHealth for Safety

The European Commission has released a comprehensive report titled eHealth for Safety: Impact of ICT on Patient Safety and Risk Management. Not surprisingly the report is consistent with the CHI Report The relationship between Electronic Health Records and Patient Safety.

The report provides relevant definitions, a discussion of patient risk and safety in practice, ICT applications in healthcare and a summary of research from expert workshops.

This is another important reference for those interested in eHealth and patient safety.

Friday, September 28, 2007

CHI Benefits Evaluation Framework

We usually associate risk with adverse events and negative consequences. Privacy and security breaches, project failure, plague and pestilence dominate our attention. But risk management techniques are also applied to the good things in life.... wealth and prosperity, reward and recognition. Consider your investment portfolio. Nothing in your portfolio is there to be lost. You recognize that there are risks, but you manage them. In fact... more risk, more reward.

But you need indicators to help determine if you're winning or losing. Like your investment portfolio we need to know what we want to achieve with our investments in eHealth, and indicators to mark progress or loss.

Canada Health Infoway has issued a technical report titled Benefits Evaluation Indicators - Technical Report, which provides a benefits evaluation framework and indicators for its primary investment lines which include diagnostic imaging, drug information systems, laboratory information systems, public health systems, telehealth systems and the interoperable electronic health record.

Its an important resource for those of you charged with demonstrating the value of eHealth investments.

Tuesday, September 25, 2007

eHealth Vulnerability Reporting Program

The eHealth Vulnerability Reporting Program is a venture, founded in May 2006, "to establish approaches and procedures that will help ensure eHealth systems are broadly and rapidly deployed with the highest levels of privacy and security". They have published an executive briefing on some of their findings which include:
  • EHR vulnerabilities can be exploited to gain control of application or access to data for modification or retrieval
  • EHR applications have vulnerabilities consistent with other complex applications
  • Application vulnerabilities have long lives
  • EHR vulnerabilities are not disclosed to customers of these systems
  • Commercial EHR systems are vulnerable to exploitation given existing industry development and disclosure practices
  • Security software effectively reduced time of exposure
  • No organization could be identified that has responsibility, charter or mission to address security vulnerabilities in eHealth applications
The report stresses that the "sky is not falling" but EHR vendors, healthcare providers and the healthcare industry need to do much more.

This is a space worth watching for future developments.

For an overview of the report read Nancy Ferris' article titled Hacking into e-health records is too easy, group says.

Friday, September 21, 2007

So Much for Transparency ☹

As I sat yesterday contemplating the contents of the courier package, I thought about Kafka’s Joseph K. and the niggling and growing frustration he felt as he prepared for his trial. These aren’t bad people… these nameless and faceless bureaucrats. But they are a breed, and its in their nature to jealously hoard and guard information.

You may have read the post concerning my Freedom of Information request for the Privacy Impact Assessments for the Ontario Laboratory Information System (OLIS), the Ontario Drug Benefit Drug Program Viewer (ODBDPV), and the Integrated Public Health Information System (iPHIS). My original intention was innocuous enough. Very few PIAs are available on the Internet. I was looking for examples I could use in the Health Privacy Professional Workshop I teach at the Waterloo Institute for Health Informatics Research. I had read two of the three PIAs in question in my former role as Chief Privacy and Security Officer for the Ontario Smart Systems for Health Agency and thought that they would be useful and topical references for workshop participants.

In June the Ontario Ministry of Health and Long Term Care (MOHLTC) denied access to the documents under various exemptions in the Freedom of Information and Protection of Privacy Act. I appealed the decision to the Information and Privacy Commissioner for Ontario.

My appeal has just gone through the mediation process and the courier package contained a new decision to release redacted copies of the OLIS and ODBDPV PIAs. The full iPHIS PIA is still denied. To say the OLIS and ODBDPV PIAs were redacted is an understatement.

Now I would have expected some modest redacting where there was a risk of exposing, for example, security vulnerabilities or trade secrets. However, the redaction in this case went over the top.

The redacted ODBDPV PIA (download a copy here) is an 83-page document. The pages are blank until page 56 where they then released 16 pages of already available public information such as regulations and forms. The last 12 pages are also blank. Not a cover page, table of contents or executive summary… I would not even be able to identify the document as the ODBDPV PIA were it not for the covering decision letter.

The redacted OLIS PIA (download a copy here) is a 153-page document. The first 11 pages containing the cover page, document boilerplate and definitions have been released. This is followed by 110 blank pages, then 2 ½ pages containing a textbook table of very general privacy risks and some legal authorities followed by another 30 blank pages.

Of course the iPHIS PIA was denied in its entirety, which for the sake of the trees involved was probably just as well.

All in all the MOHLTC sent me more than 200 blank pages!

The reasons for the denied access referenced the following exemptions under the Freedom of Information and Protection of Privacy Act.

• Section 12 – Cabinet Records
• Section 14 – Law Enforcement
• Section 17 – Third Parties
• Section 19 – Solicitor-Client Privilege


The sad thing is that these are good projects, and I expect that the PIAs would demonstrate that all known privacy risks have been identified and are being well managed. I personally know and respect the people who wrote these documents. Unfortunately we are subject to those governmental and societal influences so well described by Franz Kafka in his books The Castle and The Trial (I reflect on these issues and my own experience as one of Kafka’s bureaucrats in my essay We’re All Kafka Bureaucrats). If I didn’t know better I could read sinister motives into the Ministry’s denial of my request. What could they be hiding? What terrible risks lurk in these systems that could do serious damage to the good citizens of Ontario?

But no. They hide everything… good and bad. Its in their nature. So much for transparency.

Needless to say I have applied to the Information and Privacy Commissioner’s office to proceed to the next stage – adjudication. We’ll see what happens next.

Oh.. and I will be using these documents in my privacy workshop, though not in the way I had originally intended.


Supplementary Comment (22/9/07):

I'm not the only one frustrated by Government's response to FOI requests. Check out this article in the Globe and Mail titled Delay, denial and stonwalling still clog FOI system.

Tuesday, September 18, 2007

EHR and Patient Safety

Canada Health Infoway has published a comprehensive report titled The relationship between Electronic Health Records and Patient Safety. Conducted in collaboration with the Integrated Centre for Care Advancement Through Research and the Canadian Patient Safety Institute, the report provides an honest assessment of what we know and don't know about EHRs and patient safety, and where we need to go.

Worth a read.

Monday, September 17, 2007

Future Directions in Technology-Enabled Crime

The Australian Institute of Criminology has published a comprehensive report titled Future directions in technology-enabled crime: 2007 - 09. This 166 page tome surveys existing and emerging threats to information systems in the e-enabled world. Among the risks areas discussed are:
  • Computer-facilitated frauds
  • Unauthorized access
  • Evolution of malware
  • Intellectual property infringement
  • Industrial espionage
  • Child exploitation and offensive content
  • Exploitation of younger people
  • Transnational organized crime and terrorism
  • Threats to national information infrastructure
Security has always been a cat and mouse game between the bad guys and those who work to thwart them. This report gives a good overview of the game as of today. Lets hope the good guys can stay out in front.

Friday, September 14, 2007

Get Ready to Rumble!

I enjoyed immensely yesterday's post by Blogger Dr. Scott Shreeve in an open letter to Google Health's new director Marissa Mayer. He succinctly sums up the challenges encountered by everyone trying to implement IT in health care.

I especially liked his openning salvo:

Get ready to rumble. The healthcare industry is littered with the carnage of decades of innovators shattering themselves against the iron anvil of the healthcare. While there have certainly been successes, there are 10x defeats.

Take a look. Its an short but interesting read.

Thursday, September 13, 2007

Catogorizing eHealth Business Risk

I have been looking for a model for categorizing and evaluating eHealth business risks. The best I've found so far is a standard and guide published by the UK Risk Management Institute titled A Risk Management Standard. This Standard describes four types of business risk:

Strategic Risks - include all of the external and environmental factors associated with an industry. In eHealth this could include political risk, user acceptance (or lack thereof), business model and governance issues.

Compliance Risks - are those risks associated with the need to comply with laws and regulations. In eHealth this would include compliance with privacy and data protection legislation, health and safety regulations, and compliance with legislation governing the operation of health institutions and health professions.

Financial Risks - are those risks associated with the financial structures, transactions and financial processes in place in your organization. In eHealth this could include risks associated with inadequate financial controls, fraud, legal liability and unstable sources of capital and operational funding.

Operational Risks - are those risks associated with operational and administrative procedures. In eHealth this could include business continuity, disaster recovery, procurement issues, and ability to meet required service levels.

All-in-all, a neat and simple way of expressing business risk.

The guide also suggests a basic (though complete) approach to business risk identification and treatment. Another site, UK Business Link, which seems geared to small to medium sized businesses (about the size of our average health care operation), provides a good overview of the process.

Tuesday, September 11, 2007

How to Eat an Elephant

Its an axiom that we all-too-often forget. The way to eat an elephant is one bite at a time. Big bang projects are rarely successful. I was reminded of this point while reading an article on the CIO website titled How to Justify an IT Project With Uncertain Returns (And Still Make Your CFO Happy). The author, J.Marc. Hopkins, is the CIO for a large US medical practice. He stresses the need to start small, build on successes, and focus on the needs of end users.

Monday, September 10, 2007

A Foolproof Privacy and Security Plan

GovernmentHealthIT published an article today titled Experts offer advice for creating a foolproof privacy and security plan for sharing patient information. Key points:

1. Think nationally, act locally
2. Use available tools
3. Bring the right people to the table
4. Be broad but restrictive
5. Study HIPAA (or whatever privacy legislation applies to you - italics mine) then go beyond it
6. Keep the focus on the patient

Useful advice.

Friday, September 7, 2007

Australian Standard AS/NZS 4360 Risk Management

Anyone looking for a comprehensive standard for risk management should look to Australian Standard AS/NZS 4360 Risk Management. I have looked at just about everything out there in the standards space and find this standard to be the most useful and usable. What I especially like about it is that it takes a broader view of risk, looking at the opportunity side of the equation in addition to the more negative risk-of-adverse-event side.

From the forward to 4360:
Risk management involves managing to achieve an appropriate
balance between realizing opportunities for gains while
minimizing losses. It is an integral part of good management
practice and an essential element of good corporate governance.
It is an iterative process consisting of steps that, when
undertaken in sequence, enable continuous improvement in
decision-making and facilitate continuous improvement in
performance.

Risk management involves establishing an appropriate
infrastructure and culture and applying a logical and systematic
method of establishing the context, identifying, analysing,
evaluating, treating, monitoring and communicating risks
associated with any activity, function or process in a way that
will enable organizations to minimize losses and maximize
gains.

To be most effective, risk management should become part of an
organization's culture. It should be embedded into the
organization's philosophy, practices and business processes
rather than be viewed or practiced as a separate activity. When
this is achieved, everyone in the organization becomes involved
in the management of risk.

Although the concept of risk is often interpreted in terms of
hazards or negative impacts, this Standard is concerned with risk
as exposure to the consequences of uncertainty, or potential
deviations from what is planned or expected. The process
described here applies to the management of both potential gains
and potential losses.

Organizations that manage risk effectively and efficiently are
more likely to achieve their objectives and do so at lower overall
cost.

The Standard is available for purchase alone or with a very useful implementation guide titled HB436 Risk Management Guidelines - Companion to AS/NZS 4360. Both publications are highly recommended.

Thursday, September 6, 2007

A Poor Judge of Risks

Continuing the thread from my post What Type of Person Takes Risks, an anonymous commentator suggested that we look at security guru Bruce Schneier's article Why the Human Brain Is a Poor Judge of Risk.

Every human being (yes.. that's each one of us) looks at life through filters. Some are rosy... some are black... and they change depending on our moods, our personal experiences, and how we interpret our present circumstances. We really can't be trusted to assess risk based on our "gut feelings".

Question: How many animals of each type did Moses take on the Ark?

Answer: None... It was Noah

The human brain is too easily tricked into thinking that it knows and understands more than it really does. That is why we need structured and disciplined processes such as Privacy Impact Assessment, Threat and Risk Assessment or Safety Hazard Risk Assessment.

For more also read Don Norman's essay Being Analog.

We need to apply more science and less instinct.

Wednesday, September 5, 2007

Dealing with Whistleblowers 2

eHealthRisk Blog reader Kim Sanders-Fisher posted a lengthy comment on my previous post Dealing with Whistleblowers concerning her own personal experience as a whistleblower at a prestigious US hospital. Her comment suggests that my assertion, that every health care organization should put a reporting system in place that allows staff to report safety, privacy and other risk issues without fear of retribution, was somewhat simplistic.

In a perfect world we would encourage and thank people who report matters that compromise the safety and wellbeing of patients and health care workers. In reality, the world is much more complex and, often times, nasty. We continue to live in a blame-oriented culture that would much prefer to kill the messengers (i.e. whistleblowers) than to accept that our organizations and the people who run them are less than perfect.

Unfortunately, even whistleblowing programs and protections that are in place in progressive organizations are easily subverted by low, middle and senior managers who have a vested interest in maintaining the status quo, even if the status quo poses risks to patients and others. Its too easy to blackball someone, making their life miserable, in the hope that they will just go away.

Quis custodiet ipsos custodes? (Who guards the guardians?) Its sad that those in positions of authority in many organizations will tend to act in their own self-interest and the interests of the organization, rather than in the interests of patients.

I am coming to the conclusion that we must implement independent mechanisms such as the Aviation Safety Reporting System to address risk issues in health care, including safety, privacy and security issues associated with eHealth such as security deficiencies, software and other technology errors and poor human factors engineering. This would include the many systemic and organizational issues that will arise as health care providers us eHealth tools to deliver health care.

I'm waiting to hear about a positive whistleblower experience. One where the whistleblower was acknowledged and thanked for taking a personal risk to protect the interests of the patients they were caring for.

I'm not holding my breath.

Tuesday, September 4, 2007

Its the Business Model Stupid!

More and more, it becomes clear that the greatest risk to major eHealth initiatives has nothing to do with privacy, security or other risk issues... Its the business model. Unless there is a clear value proposition for each of the major players in an eHealth program, it will not survive. Scanning the news this morning I came across this post from Modern Healthcare Online titled RHIO experts talk problems, future of movement. Some notable quotes from the article:

It's not yet clear if the incentives exist for healthcare organizations to share information.

One problem with RHIOs as they often are proposed is that they provide the bulk of their benefits to patients and health plans, people and entities that according to our current healthcare payment structure either don't pay at all for RHIO startup and operational costs or pay a disproportionately small share.

It does not make sense for a RHIO to have a consumer-centric model. It's a noble idea to say put the patient first, but what you have to have are business plans within the provider community.

Another common stumbling block to RHIOs is an unwillingness of likely participants to collaborate because of provider and payer rivalry and mistrust.

Too many eHealth initiatives go forward on the assumption that with the right technical architecture and interoperability standards, success is a slam-dunk. While important, what will sink the initiative is one or more stakeholders not believing that it is worth their while to participate.

I was intrigued about the comments concerning the idea of putting the patient first. While it is a noble thought, and while we would do well to structure our architectures based on that premise, eHealth must provide direct, tangible and measurable benefits to those who have to foot the bill or expend the energy effort necessary to ensure success.

Its the business model stupid!

Friday, August 31, 2007

Security of Medical Information

eHealthRisk Blog reader Lyndon Dubeau passed on this link to UK Information Security Expert Ross Anderson who is a professor at the University of Cambridge. I've just spent an hour watching his online lecture Searching for Evil, in which he discusses how to find and thwart bad guys on the net.

Anderson's website has a wealth of information and useful links. Its worth a look.

Thursday, August 30, 2007

Community Attitudes to Privacy 2007

The Office of the Privacy Commissioner of Australia has issued a report titled Community Attitudes to Privacy 2007. The study aimed "to understand Australians' changing awareness and opinions about privacy laws, how they apply to government and business and how individuals view a range of emerging issues, in particular, identity fraud and theft and the use of closed circuit television."

Also included in the report was an assessment of consumer attitudes towards health services and privacy including inclusion in a National Health Database, health professionals sharing patient information, Doctors discussing personal medical information in an identifiable way, and disclosure of the fact that a patient has a genetic illness - with and without consent. A brief analysis of the report and its implications for health care can be found on Dr. David More's blog Australian Health Information Technology.

Wednesday, August 29, 2007

What Type of Person Takes Risks?

How do you classify a person who skydives, yet won't stand up to his/her boss? Is he/she a risk-taker? Understanding why we take some risks and yet avoid others is at the heart of risk management. Researchers at the University of Michigan have recently published a paper titled Towards the development of an evolutionary valid domain-specific risk-taking scale - an unwieldy title better explained in an article titled Not all risk is created equal by the University of Michigan News Service.

Thanks to Gila Pyke for passing this link along.

Tuesday, August 28, 2007

AHRQ National Resource Center for Health IT

The Agency for Healthcare Research and Quality (an agency of the US Department of Health and Human Services) has established a National Resource Center for Health Information Technology. While US focused, it contains many articles, resources and toolkits that can be adapted to many jurisdictions. I particularly like their Privacy and Security Toolkit and "Emerging Lessons" pages for CPOE, EMR/EHR, Health Information Exchange, and Health IT in Small and Rural Communities.

Its an excellent site that appears to present a balanced view of many eHealth opportunities and issues.

Monday, August 27, 2007

eHealth Business Risk

Business risk is associated with the business and political environment in which a health care organization operates. It is perhaps the most challenging area of risk because often the organization doesn’t have control over the measures necessary to reduce the impact or likelihood of such events.

Business risks are often at the heart of the risks identified in other domains. For example, many privacy risks arise because of confused business models that don’t clearly define the roles and responsibilities of each of the stakeholders in an eHealth program. Business risk sometimes transcends the organization for regional, provincial, state and national eHealth programs where government or other supra-organizations are responsible for setting and enforcing standards and policy. The issue of eHealth governance is central to the management of business risk.

There are no defined control standards available to specifically address eHealth business risks at the regional, provincial, state and national levels. Each government jurisdiction has its own unique business and regulatory environment. However, anecdotal evidence suggests several significant control measures that should be put in place for such eHealth programs.

1. An eHealth Governance Framework and Authority – A legitimate body that has the authority to establish and enforce policy and standards in an eHealth environment that includes many healthcare organizations, health care providers and other stakeholders.

2. A Comprehensive Business Model – that defines the roles and responsibilities of each stakeholder in an eHealth program. This includes ensuring that all stakeholders benefit from the initiative in a manner and magnitude consistent with their investment.

3. A Contractual Framework – that accurately represents the business model and agreements between all stakeholders participating in the eHealth program. This would include consent forms and processes for patients.

4. Strategic Business and Technical Architectures –that enable the integration of the eHealth program into the larger health system and ensure that it is interoperable with other eHealth programs and systems.

5. A Stakeholder Engagement Model – to ensure that the interests of all stakeholders, and in particular, patients and end-users, are addressed in all aspects of eHealth program design, deployment and support.

In most jurisdictions around the world, governments have significant involvement in the funding and management of health care. This results in a complex political environment that has a direct impact on business risk. Political influence can be exerted by politicians or by the bureaucracy that supports the government. Political decisions affect priorities and in extreme cases can interfere with normal business protocols.

Business risks associated with eHealth include:

• Regulatory and legal liability
• Financial loss
• Political interference
• Procurement challenges
• Rejection by users
• Business interruption

Guidance on business risk assessment and management can be found in the publication Management of Risk: Guidance for Practitioners that is published by the British government’s Office of Government Commerce. This guide addresses risks at the strategic, program, project and operational levels.

Friday, August 24, 2007

eHealth Insider

One of my regular stops on the Internet is eHealth Insider, an online journal published in the United Kingdom. Its focus is on eHealth in Britain, but often its articles are universal in nature. There are lots of lessons to be learned from the UK experience, and this online resource is an excellent source of topical information. They publish eHealth Insider (focusing on the NHS's eHealth initiatives), eHealth Insider Primary Care (what's going on in the physician world), and eHealth Europe (what's going on all over Europe). You can subscribe to their online newsletters so you won't miss a thing!

What caught my eye today is a report on an article published in the British Medical Journal titled Potential of electronic personal health records and EHI's subsequent review and interviews with the authors.

Thursday, August 23, 2007

The Un-Health Record

While scanning the Internet my eye caught an article in GovernmentHealthIT titled The un-health record by Nancy Ferris. It discusses a growing trend by Governments to use health claims data instead of clinical data for a "claims-based EHR". This trend is documented in a report by the US Department of Health and Human Services Office of the Inspector General titled State Medicaid Agencies initiatives on HIT and HIE. Similar initiatives exist in other countries, including Canada, where the Ontario provincial government gives emergency department access to drug claims data for the Ontario Drug Benefit Program.

Its understandable that Governments, with their massive stores of health claims data, would want to put that information to use. However, there is always a risk of using information collected for one purpose (claims adjudication and payment) for another (clinical decision making). Data quality is the issue here.

How good is claims data? From the article:

A 2004 study published in the journal Medical Care found that claim forms showed the correct primary diagnosis slightly more than half the time. For secondary diagnoses, doctor’s offices submitted correct information just 27 percent of the time. Other researchers have come up with comparable findings.

What’s more, claims data lacks some important details and nuance because of the universal coding scheme and the way it is used. For example, the scheme does not distinguish between a severe case of diabetes and one that’s under control, and providers don’t always use the diagnostic codes that indicate the spread of cancers. Furthermore, symptoms such as pain or fever usually don’t show up at all.


So long as health care professionals are fully informed about the limitations of the data, the use of claims data probably brings more benefits than risks. Claims data can be used as one input into the clinical decision-making process. However, in the absence of structured processes for evaluating the quality of the data, and safety risks in eHealth, claims data alone cannot be used as the basis for clinical decision-making.

Wednesday, August 22, 2007

Lessons Learned from Santa Barbara

One of the most celebrated RHIO (Regional Health Information Organization) failures in the United States was the Santa Barbara County Care Data Exchange which ceased operations in December 2006. The California HealthCare Foundation has released an evaluation of the initiative titled The Santa Barbara County Care Data Exchange: Lessons Learned, which documents the issues leading to the failure and lessons learned for similar initiatives. From the Executive Summary:

The Santa Barbara County Care Data Exchange (SBCCDE) was once one of the most ambitious and publicized efforts to develop health information exchange in the United States, and was considered a model for emerging regional health information organizations (RHIOs) elsewhere. Nearly eight years after its inception, and several months after providing some data to clinical end-users, the SBCCDE ceased operations. Although the venture had developed a peer-to-peer technology infrastructure that enabled authorized physicians, health care organizations, and consumers in the region to access some electronic patient information security via the Internet, the once-promising exchange was unable to overcome major hurdles and thrive.

This case study looks at the history of Santa Barbara's RHIO and why it was not successful. It also presents lessons learned from that experience, briefly describes two other exchanges that have been more successful, and discusses the policy implications for nascent RHIOs elsewhere. Reasons why the project did not succeed include the lack of a compelling business case, distorted economic incentives, passive leadership among participants, vendor limitations and software delays, and due to a variety of factors, the venture's poor momentum and credibility.

This case study is required reading for eHealth risk specialists!

Tuesday, August 21, 2007

Requirements for Enhancing Data Quality in EHR Systems

The US Department of Health and Human Services has published a document titled Recommended Requirements for Enhancing Data Quality in Electronic Health Record Systems (EHR-S). The primary purpose of the project was "to identify requirements for EHR-S that can help enhance data protections, such as increased data validity, accuracy and integrity including appropriate fraud management which would prevend fraud from occuring, as well as detect fraud both prospectively and retrospectively."

The fourteen recommended functional requirements include:

Requirement 1: Audit Functions and Features
Requirement 2: Provider Identification
Requirement 3: User Access Authentication
Requirement 4: Documentation Process Issues
Requirement 5: Evaluation and Management (E&M) Coding
Requirement 6: Proxy Authorship
Requirement 7: Record Modification after Signature
Requirement 8: Auditor Access to Patient Record
Requirement 9: EHR Traceability
Requirement 10: Patient Involvement in Anti-Fraud
Requirement 11: Patient Identify-Proofing
Requirement 12: Structured and Coded Data
Requirement 13: Integrity of EHR Transmission
Requirement 14: Accurate Linkage of Claims to Clinical Records

All of these requirements are integral to managing the risks associated with EHRs. A very useful piece of work!

Monday, August 20, 2007

HIMSS PHR Definition and Position Statement

I give a lot of air time to Personal Health Record (PHR) developments on this blog because I believe they represent the wild card in the high stakes game of eHealth. Think of it as the battle between the controlled economy (EHR) and the marketplace (PHR). For all of the privacy legislation and interoperability standards we put in place, the battle will be won by whoever can capture the attention of the kids who are text messaging and sharing information over their iPhones and Boomers who are increasingly concerned about their deteriorating health and want to take control of their destinies.

The Healthcare Information Management and Systems Society (HIMSS) has published a PHR Definition and Position Statement. They define a PHR as:

a universally accessible, layperson comprehensible, lifelong tool for managing relevant health information, promoting health maintenance and assisting with chronic disease management via an interactive, common data set of electronic health information and e-health tools. The ePHR is owned, managed, and shared by the individual or his or her legal proxy(s) and must be secure to protect the privacy and confidentiality of the health information it contains. It is not a legal record unless so defined and is subject to various legal limitations.

The HIMSS Statement of Position is:

HIMSS supports the development of interoperable ePHRs which are interactive and use a common data set of electronic health information and e-health tools. HIMSS envisions ePHRs that are universally accessible and layperson comprehensible, and that may be used as a lifelong tool for managing relevant health information that is owned, managed and shared by the individual or his or her legal proxy(s). The ideal ePHR would receive data from all constituents that participate in the individual’s healthcare; allow patients or proxies to enter their own data (such as journals and diaries); and designate read-only access to the ePHR (or designated portions thereof).

HIMSS supports ePHR applications with the following characteristics:
Provide for unique patient identification
Allow secure access to the information contained in the ePHR
Permit the receipt of email alerts that do not reveal protected health information (PHI);
Allow patient proxy(s) to act on behalf of the patient
Permit the designation of information to be shared electronically;
Provides technical support to ePHR constituents at all times.

HIMSS champions the development of national standards to ease burdens placed on constituents due to variances in state law and the development of national and uniform state standards to address legal concerns raised by ePHRs such as reliability, reimbursement, ownership, access, transfer, and the limitations, rights and responsibilities of patients and providers for the use of e-health and ePHRs.


Similarly, HIMSS encourages the adoption of incentives by payors, providers, pharmaceutical companies, device manufacturers, and the federal and state governments of the United States to reduce the financial barriers to motivate widespread ePHR adoption.


This is a laudable position that seeks to reign in the wild west world of PHRs. Only time will tell whether the controlled economy or the marketplace prevails.

Friday, August 17, 2007

Project Success and Failure

Information technology projects are well known for the risk of unsuccessful completion. A 2004 report by the Standish Group indicated that only 29% of IT projects succeed. Of the remainder 18% fail outright and 53% fail to meet expectations by exceeding timelines or budgets, or by failing to deliver the required functionality.

The Standish Group has published the top ten criteria for successful projects:

1. User involvement
2. Executive management support
3. Clear statement of requirements
4. Proper planning
5. Realistic expectations
6. Smaller project milestones
7. Competent staff
8. Ownership
9. Clear vision and objectives
10. Hard-working, focused staff

The issue of project management in eHealth is directly linked to yesterday's discussion of program management. Rarely will a project stand on its own. eHealth is implemented into a complex environment that will require a range of interventions to succeed. These other interventions may include business and clinical process re-engineering, changes in job function, new skills development and cultural change. As a result, an eHealth program may involve a number of projects each of which should be considered in the project risk analysis.

Worthy of note is the top reason for project success (or failure if it is missing): user involvement which we know to be a continuing issue in the development of eHealth systems and infrastructure.

Thursday, August 16, 2007

A Program View of eHealth

I am a big fan of the book by John Thorp titled The Information Paradox: Realizing the Business Benefits of Information Technology (unfortunately it is out of print, though used copies can be ordered through Amazon.com). One of the main points in his book is the need to take a program view of IT initiatives.

Far too many eHealth initiatives start and end with the development and implementation project. Many project sponsors and managers have a "build it and they will come" attitude. They're convinced of the benefits of eHealth. Surely health care workers will see the light and happily adapt their day-to-day routines to accommodate the new system. Unfortunately, taking a narrow IT project view will more likely end up with interruptions in business and clinical processes, user rejection, and ultimate failure.

Programs are structured groupings of projects designed to produce clearly identified business results or other end benefits. Rarely does an eHealth system stand on its own as a single project. eHealth is invariably implemented into a complex environment requiring a range of interventions to ensure a successful outcome.

For example, eHealth systems often form part of larger business transformation initiatives such as those supporting primary care reform or wait-times management. Even on their own, eHealth systems require re-engineering of business and clinical processes, changes in job function, end-user training, transformation of organizational culture and ongoing management and maintenance in the operational environment in order to be successful.

One cannot realize benefits or manage risk with a narrow project view of an eHealth initiative. The implementation project represents only the first phase in a long term eHealth program designed to benefit patients, health care providers and health care organizations.

Wednesday, August 15, 2007

Google and Microsoft..... Again

I don't usually publish links to the mass media because they tend to be sketchy in terms of accurate information and rarely contain any meaningful analysis (see my post Critical Reading) . Sometimes they mislead more than they inform.

However, yesterday's New York Times published an article titled Google and Microsoft Look to Change Health Care. Again, the article is really sketchy, but its worth reading to get a sense of where these two software behemoths may be headed with personal health records. It gives some clues as to what Google is putting into its prototype application, and some of the challenges that are likely to slow Google and Microsoft down.

Some of Google's prototype screenshots are showing up in the blog world. Check out the First Google Health Screenshots post from Google Blogoscoped.

Tuesday, August 14, 2007

Business Continuity Planning

On this, the 4th anniversary of the North American blackout that left more than 50 million people in the dark, I thought it appropriate to discuss business continuity planning. Disasters happen and the health care community must be prepared for them. As health care becomes more dependent on information technology, health informaticians also have to be prepared. A disaster of any kind causes increased demand on the health system. We can't afford to have the technical infrastructure supporting healthcare compromised at the same time.

I had personal experience with two disasters while I was at the Ontario Smart Systems for Health Agency (SSHA). One was the blackout mentioned. At Smart Systems we thought ourselves clever by building two high availability data centers with alternate energy supplies and telecommunications systems that barely felt a blip during the blackout. While our data centers were happily humming along, our administrative offices were shut down, the roads, traffic and public telecommunications networks were gridlocked making it difficult for staff to carry out their duties (though they did manage to get through), and many of our clients were without the power needed to run their local systems.

The other disaster was the SARS outbreak that hit Toronto causing a massive public health crisis. Our own data center staff was quarantined for several days after a data center employee (not an employee of SSHA) in another part of the complex went into the data center while infected (that person later died - thankfully no SSHA staff were infected). Fortunately we were still in the build phase at the time and not running any critical health information systems out of the data center.

These and other disasters such as Hurricane Katrina demonstrate that catastrophic events do happen and that it behooves us to be prepared. See how jumpy public health officials are at the news of a chicken sneezing in a Chinese marketplace.

eHealth has the potential to help the health system cope with a disaster, as was evidenced during Katrina. Electronic health records can aid disaster workers and those who must care for chronically ill patients. But this only works when we have taken adequate precautions to ensure that our information systems are operational at the same time.

I came across a unique public health website the other day. The Peel Public Health Unit (servicing an area just outside of Toronto) is promoting business continuity planning as part of its public health program. They emphasize the need to anticipate disasters, to plan and protect our people, processes, facilities and technologies in the event of a disaster. The threats they suggest need to be addressed are:
  • Fire
  • Labour interruption
  • Communication breakdown
  • Pandemic influenza
  • Communicable disease outbreak
  • Supply chain interruption
  • Natural/man made disasters
  • Transportation accident - Rail
  • Essential services failure (power, water, sewer, telecom)
  • Water contamination
  • Flooding/drought/water shortage
  • Severe weather conditions (extreme heat, extreme cold, freezing rain and severe storms)
  • Technology collapse
  • Terrorism/Sabotage/Cyberterrorism
  • Bio terrorism
  • Your worst nightmare
Based on their risk assessment the threats in bold letters represent the 5 most serious threats to the Peel community. This will vary from community to community.

Disasters happen. Our eHealth systems will break down and fail. We need to be ready.

Monday, August 13, 2007

The Point of Vanishing Interest


Have you ever attended a meeting like this one?

(note that this was written in 1957 - 50 years ago)
__________________________________________

Chairman: We come now to Item Nine. Our Treasurer, Mr. McPhail, will report.

Mr. McPhail: The estimate for the Atomic Reactor is before you, sir, set forth in Appendix H of the subcommittee's report. You will see that the general design and layout has been approved by Professor McFission. The total cost will amount to $10,000,000. The contractors, Messrs. MaNab and McHash, consider that the work should be complete by April, 1959. Mr. McFee, the consulting engineer, warns us that we should not count on completion before October, at the earliest. In this view he is supported by Dr. McHeap, the well-know geophysicist, who refers to the probable need for piling at the lower end of the site. The plan of the main building is before you - see Appendix IX - and the blueprint is laid on the table. I shall be glad to give any further information that members of this committee may require.

Chairman: Thank you, Mr. McPhail, for your very lucid explanation of the plan as proposed. I will now invite the members present to give us their views.

It is necessary to pause at this point and consider the various views that the members are likely to have. Let us suppose that they number eleven, including the Chairman but excluding the Secretary. Of these eleven members, four - including the chairman - do not know what a reactor is. Of the remainder, three do not know what it is for. Of those who know its purpose, only two have the least idea of what it should cost. One of these is Mr. Issacson, the other is Mr. Brickworth. Either is in a position to say something. We may suppose that Mr. Issacson is the first to speak.

Mr. Issacson: Well, Mr. Chairman. I could wish that I felt more confidence in our contractors and consultant. Had we gone to Professor Levi in the first instance and had the contract been given to Messrs. David and Goliath, I should have been happier about the whole scheme. Mr. Lyon-Daniels would not have wasted our time with wild guesses about the possible delay in completion, and Dr. Moses Bullrush would have told us definitely whether piling would be wanted or not.

Chairmain: I am sure we all appreciate Mr. Isaacson's anxiety to complete this work in the best possible way. I feel, however, that it is rather late in the day to call in new technical advisers. I admit that the main contract has still to be signed, but we have already spent very large sums. If we reject the advice for which we have paid, we shall have to pay as much again.

(Other members murmer agreement)

Mr. Issacson: I should like my observation to be minuted.

Chairman: Certainly. Perhaps Mr. Brickworth also has something to say about this matter?

Now Mr. Brickworth is almost the only man there who knows what he is talking about. There is a great deal he could say. He distrusts that round figure of $10,000,000. Why should it come out to exactly that? Why need they demolish the old building to make room for the new approach? Why is so large a sum set aside for "contingencies"? And who is McHeap, anyway? Is he the man who was sued last year by the Trickle and Driedup Oil Corporation? But Brickworth does not know where to begin. The other members could not read the blueprint if he referred to it. He would have to begin by explaining what a reactor is and no one there would admit that he did not already know. Better to say nothing.

Mr. Brickwork: I have no comment to make.

Chairman: Does any other member wish to speak? Very well. I may take it then that the plans and estimates are approved? Thank you. May I now sign the main contract on your behalf? (Murmur of agreement) Thank you. We can now move on to Item Ten.

Allowing a few seconds for rustling papers and unrolling diagrams, the time spent on Item Nine will have been two minutes and a half. The meeting is going well. But some members feel uneasy about Item Nine. They wonder inwardly whether they have really been pulling their weight. It is too late to query that reactor scheme, but they would like to demonstrate, before the meeting ends, that they are alive to all that is going on.

Chairman: Item Ten. Bicycle shed for the use of the clerical staff. An estimate has been received from Messrs. Bodger and Woodworm, who undertake to complete the work for the sum of $2350. Plans and specification are before you, gentlemen.

Mr. Softleigh: Surely, Mr. Chairman, this sum is excessive. I note that the roof is to be of aluminum. Would not asbestos be cheaper?

Mr. Holdfast: I agree with Mr. Softleigh about the cost, but the roof should, in my opinion, be of galvanized iron. I incline to think that the shed could be built for $2000, or even less.

Mr. Daring: I would go further, Mr. Chairman. I question whether this shed is really necessary. We do too much for our staff as it is. They are never satisfied, that is the trouble. They will be wanting garages next.

Mr. Holdfast: No, I can't support Mr. Daring on this occasion. I think that the shed is needed. It is a question of material and cost...

The debate is fairly launched. A sum of $2350 is well within everyone's comprehension. Everyone can visualize a bicycle shed. Discussion goes on, therefore, for forty-five minutes, with the possible result of saving some $300. Members at length sit back with a feeling of achievement.

Chairman: Item Eleven. Refreshments supplied at meetings of the Joint Welfare Committee. Monthly, $4.75.

Mr. Softleigh: What type of refreshment is supplied on these occasions?

Chairman: Coffee, I understand.

Mr. Holdfast: And this means an annual charge of - let me see - $57?

Chairman: That is so.

Mr. Daring: Well, really, Mr. Chairman. I question whether this is justified. How long do these meetings last?

Now begins an even more acrimonious debate. There may be members of the committee who might fail to distinguish between asbestos and galvanized iron, but every man there knows about coffee - what it is, how it should be made, where it should be bought - and whether indeed it should be bought at all. This item on the agenda will occupy the members for an hour and quarter, and they will end by asking the Secretary to procure further information, leaving the matter to be decided at the next meeting.
_________________________________________________

Unfortunately I've attended far too many meetings like this.

This excerpt is taken from the essay High Finance or the Point of Vanishing Interest in the book Parkinson's Law by C. Northcote Parkinson. You can read another essay (the one that gave the book its title) Parkinson's Law or the Rising Pyramid at this link. I'm sure you've heard of the law "Work expands so as to fill the time available for its completion". Enjoy!

Friday, August 10, 2007

Truth is Better than Make-Believe

I have just finished reading Henry David Thoreau's classic book Walden... a book chalkfull of famous one-liners and aphorisms. One of the lines in his conclusion is "Any truth is better than make-believe".

The quote struck me because one of the greatest barriers to the successful implementation of eHealth initiatives is a failure to see the truth of our circumstances. Lack of complete and accurate information and understanding is at the root of most eHealth risk.

Why don't we know the truth of our present circumstances? There are many reasons.
  • We might not have all the facts.
  • The facts that we do have might not be accurate.
  • We might not understand the context well enough to be able to interpret the facts that we do have.
  • We might fill in any gaps in the facts with our own best guesses, which may be wrong.
  • Someone may deliberately withhold the facts, or distort them, or deliberately or unwittingly give us misinformation.
  • We might be too busy or not have enough time to gather the facts, and will make decisions based on our gut instincts instead.
  • Our biases and prejudices may cause us to misinterpret or disregard the facts.
  • Wishful thinking may lead us to fit the facts into a conclusion that we have already reached.
  • We might deliberately alter or withhold the facts to avoid blame, or to shield another person or our organization from blame.
Most people don't ignore, alter or withhold information with malicious intent (though that sometimes happens). There are often extenuating circumstances that cause people to interpret the world as they would like it to be. Wishful thinking and avoiding blame are probably the biggest reasons for this.

The first step in any risk management exercise is to understand the environment and context into which your eHealth initiative is to be implemented. This is where science helps. The scientific method is the best approach to analyzing a situation. What are the known facts (i.e. truth)? Where are the gaps? Can we develop reasonable hypotheses to fill in the gaps... and then test those hypotheses multiple times?

We don't know the entire truth about eHealth. We have some early indications of what works and what doesn't. Understanding what we know and don't know, and being honest and truthful about it, and being prepared to take risks, is what is needed to start the journey towards eHealth Nirvana.

Thursday, August 9, 2007

Is Privacy a Legal Issue or Management Issue?

There are at least two schools of thought about privacy; one school much larger than the other. The larger school says that privacy is essentially a legal issue... a subject best addressed by lawyers. The smaller school says that privacy is a management issue... those engaged in the management of the business should address privacy issues, consulting legal counsel only when necessary to understand the legal requirements and risks in a particular situation. This matter relates to my recent post Compliance vs. Risk Management.

I am clearly a member of the second school. My experience is that when lawyers get involved in an eHealth initiative, the result is overkill. Solutions are sometimes over-engineered. Complex functionality is created that addresses issues that are very low risk.

I pick on privacy here because privacy (and to a lesser extent - security) is the subject of comprehensive legislation. It seems that legislators and lawyers have little or no interest in the safety or business risks associated with eHealth. Even security issues outside of the privacy domain such as data and system availability and integrity, which can have massive legal and risk implications, are given little attention.

In their proper place legal counsel can be very useful. Privacy legislation is often complex. Health care managers need to understand the legal implications of their decisions. However, legal matters are only one piece of the risk equation that managers must consider.

It comes down to who is calling the shots: the manager or the organization's legal counsel. In my view it must always be the manager.

That said, I found a useful legal resource for Canadians on the web called the Canadian Privacy Law Blog published by Canadian privacy lawyer David Fraser. He has a very comprehensive privacy resource and links section. I'll keep my eyes open for similar resources in other countries.

Listen to your lawyer, then make your decision in the best interests of the patient, health care providers and your organization. Don't let your lawyer make your decision for you.

Wednesday, August 8, 2007

The Human Factor

Without question the best book I've read about human factors engineering and the issues that arise when we put human beings and technology together is The Human Factor: Revolutionizing the Way We Live With Technology by Kim Vicente. Vicente has written a very readable and fascinating book drawing on real life experiences from the aviation, nuclear, health care and other high risk industries. The book is organized around the "Human-Tech Ladder" which describes a hierarchy of relationships that explains why things sometimes go wrong when humans and technology mix. The ladder looks at the following factors:

Physical - Size, shape, location weight, colour, material
Psychological - Information content/structure, cause/effect relations
Team - Authority, communications patterns, responsibilities
Organizational - Corporate culture, reward structures, staffing levels
Political - Policy agenda, budget allocations, laws, regulations

The book demonstrates that IT failure can rarely be attributed to a simple technology failure or by the failure of a single human being. The extraordinary complexity of the surrounding technological and human systems together with this hierarchy of human-technology relationships is often at the root cause of failure.

I highly recommend this book for anyone building, installing or operating eHealth systems.

Tuesday, August 7, 2007

Categorizing eHealth Benefits

There seems to be a consensus emerging in the literature about how one would categorize the benefits of eHealth. As we move further with the evaluation of eHealth initiatives, it is important to agree on definitions and categories, and to establish measures for each of these benefits. This will help us to compare projects and help health care managers to develop solid business cases for their eHealth projects.

The categories are:

Improved Productivity: increased efficiency, reduced duplication of tests and procedures, cost reduction/avoidance/containment, support to program reform and health system change management.

Improved Access: easier access to health services in remote or under serviced areas, reduction in wait-times for medical and surgical procedures, improved access to data for research.

Improved Quality: improved patient health outcomes, improved population health outcomes, reduction in preventable adverse events, patient empowerment, improved patient satisfaction, improved privacy and security, enhanced accountability.

We continue to have a challenge coming up with quantifiable measures for eHealth benefits that are comparable across a range of eHealth initiatives. This is a particular problem with the assertion that eHealth can help to improve patient and population health outcomes and improve patient safety. The literature is very sketchy on these subjects and even conflicted on the issue of patient safety. Defining benefits and their measures is an essential task to complete if we are to justify the investments being made in eHealth infrastructure and applications.

Monday, August 6, 2007

eHealth Business Modelling

In my experience one of the most serious risks to any eHealth initiative is the absence of a sustainable business model. While we all get excited about the potential for improving patient care and increasing the efficiency of health care delivery through eHealth, far too many initiatives fail to adequately define the business relationships between the many stakeholder groups, establish a mechanism for information governance or ensure long-term financial sustainability.

I found a really interesting toolkit called the eHI HIE Value and Sustainability Model and Tool Suite prepared by the eHealth Initiative as part of their Connecting Communities Toolkit that provides a lot of guidance on the business aspects of eHealth as it relates to Health Information Exchanges (HIE) and Regional Health Information Organizations (RHIO). The toolkit addresses market readiness, value assessment, risk assessment and provides a pro-forma business plan. This is an excellent site and resource. Check it out.

Saturday, August 4, 2007

Commercial Services and Products 1

It is my intention to keep this blog commercial-free. However, some of our blog readers represent companies that are trying to make a meaningful difference in the health care space. Having been a health IT entrepreneur myself, I believe its important to give them a voice too.

So here's my plan. From Monday to Friday all eHealthRisk posts will be commercial-free. On weekends I will post news from companies that have contacted me during the week. You will recognize the posts because they will be titled "Commercial Services and Products #". Inclusion on the blog does NOT represent endorsement of the service or product, though I will review the information in every post to ensure that it is reasonable and not misleading to eHealthRisk readers. Please contact me if you find anything to the contrary.

iMedix

Our first commercial post comes from iMedix, a "community powered health search engine" according to co-founder Iri Amirav. It is a site that enables people with different health conditions to communicate and share experiences with others with the same condition. If for example you have diabetes or asthma, you can post your questions or experiences concerning the disease to a blog or discussion forum. Its essentially an Internet self-health group.

There's obviously a significant opportunity to empower patients with a site like this. There are also a number of risk issues including privacy and safety risks that service providers like iMedix need to address. iMedix is seeking comments and feedback from eHealthRisk readers on the Alpha version of its site.

In order to get into the alpha site you need a user ID and password that can be obtained by sending a blank email to ehealthrisk@imedix.com. They have set up accounts for 50 eHealthRisk readers.

Kroll Fraud Solutions

Our second commercial post this week comes from Kroll Fraud Solutions. Brian Lapidus, Senior Vice President of Kroll has published an FAQ on identity theft titled Identity Theft Protection for Healthcare Companies. This post has been picked up by several health IT blogs. It is a good primer for those who have an interest in identity theft.

Friday, August 3, 2007

Patient Safety and the USVA

One of my favorite sites for the management of patient safety issues is the US Veterans Administration. There are a lot of educational materials and tools that I believe can be adapted to addressing patient safety issues associated with eHealth. I especially like the Patient Safety Assessment Tool, an Excel spreadsheet questionnaire that addresses many of the controls that should be in place when dealing with patient safety and the Healthcare Failure Mode and Effect Analysis (HFMEA) which is a five step process to conduct a prospective patient safety risk analysis. The five steps in the HFMEA are:
  • Step 1 - Define the Health Failure Mode and Effect Analysis Topic
  • Step 2 - Assemble the Team
  • Step 3 - Graphically Describe the Process
  • Step 4 - Conduct a Hazard Analysis
  • Step 5 - Actions and Outcome Measures
An excellent resource worth spending a little time on.

Thursday, August 2, 2007

Compliance vs. Risk Management

One of the first realizations I had when I started researching risk management in eHealth is the need for a paradigm shift from what I call a "compliance mindset" to a "risk management mindset".

The compliance mindset says that if you following all of the prescribed laws and standards, everything will be OK. The risk management mindset says that you need to understand the world around you, you need to understand your eHealth program, and you need to understand all of the risks associated with implementing the eHealth program into your environment. The risk management mindset then insists that you do something about those risks.

eHealth has been caught up in the compliance mindset, particularly with respect to privacy and security. Unfortunately, our legislators and standards setters have only tackled part of the risk issue associated with eHealth. While we have privacy legislation in most jurisdictions, and while standards are emerging for eHealth security, we miss many eHealth risks.

The biggest gaps in my mind are around safety risks and the many project and business risks associated with eHealth.

I personally have never seen an eHealth project fail because of a privacy issue (though breaches have caused grief for eHealth managers and the unfortunate victims). I have however seen many eHealth initiatives fail because of project and business risks that were completely predictable, but invisible to those who operated in the compliance paradigm. Poor project management, business models that failed to address the needs of all stakeholders, poor understanding of the end-user environment, inadequate funding and poor procurement practices top my list of factors that have caused eHealth projects to fail.

The safety issue is the sleeper here. The only reason we haven't seen more safety issues is that we have only just begun to implement eHealth into the clinical environment. Early experience around CPOE suggests that implemented well CPOE can reduce medical errors. Implemented poorly, CPOE can kill. As eHealth rolls out I believe we will see more and more serious safety issues. As of yet there is no structured process for assessing safety risk in eHealth (although draft safety standards for health IT software are in development at ISO TC215/WG4). But even these standards will address only part of the safety issue.

Compliance with legislation and standards is a good thing. Legislators and standards setters are to be lauded for their efforts. But it isn't enough. If eHealth is to succeed we need to tackle the full range of risk issues associated with health IT and the human and business systems that surround it.