eHealthRisk

The eHealthRisk blog is a forum for examining privacy, security, safety, project and business risks associated with the application of information and telecommunications technologies to health care.

How Solid are your Privacy Rights? (2008-01-04)

The US-based <a href="http://epic.org/">Electronic Privacy Information Centre</a> and the UK-based <a href="http://www.privacyinternational.org/">Privacy International</a> have released a <a href="http://www.privacyinternational.org/article.shtml?cmd%5B347%5D=x-347-559597">comprehensive report on the state of privacy around the world</a>. How solid are your privacy rights?

If you live in the US or UK you are in the same class as those living in Malaysia, Russia and China. People living in Greece, Romania (go figure, given where Romania was a couple of decades ago) and Canada fare the best, though Canada's ranking slipped two levels from "Significant protections and safeguards" to "Some safeguards but weakened protections". Among the other findings:

<ul style="font-style: italic;">
<li>The 2007 rankings indicate an overall worsening of privacy protection across the world, reflecting an increase in surveillance and a declining performance of privacy safeguards.</li>
<li>Concern over immigration and border control dominated the world agenda in 2007. Countries have moved swiftly to implement database, identity and fingerprinting systems, often without regard to the privacy implications for their own citizens.</li>
<li>The 2007 rankings show an increasing trend amongst governments to archive data on the geographic, communications and financial records of all their citizens and residents. This trend leads to the conclusion that all citizens, regardless of legal status, are under suspicion.</li>
<li>The privacy trends have been fueled by the emergence of a profitable surveillance industry dominated by global IT companies and the creation of numerous international treaties that frequently operate outside judicial or democratic processes.</li>
<li>Despite political shifts in the US Congress, surveillance initiatives in the US continue to expand, affecting visitors and citizens alike.</li>
<li>Surveillance initiatives initiated by Brussels have caused a substantial decline in privacy across Europe, eroding protections even in those countries that have shown a traditionally high regard for privacy.</li>
<li>The privacy performance of older democracies in Europe is generally failing, while the performance of newer democracies is becoming generally stronger.</li>
<li>The lowest ranking countries in the survey continue to be Malaysia, Russia and China. The highest-ranking countries in 2007 are Greece, Romania and Canada.</li>
<li>The 2006 leader, Germany, slipped significantly in the 2007 rankings, dropping from 1st to 7th place behind Portugal and Slovenia.</li>
<li>In terms of statutory protections and privacy enforcement, the US is the worst ranking country in the democratic world. In terms of overall privacy protection the United States has performed very poorly, being out-ranked by both India and the Philippines and falling into the "black" category, denoting endemic surveillance.</li>
<li>The worst ranking EU country is the United Kingdom, which again fell into the "black" category along with Russia and Singapore. However, for the first time Scotland has been given its own ranking score and performed significantly better than England &amp; Wales.</li>
<li>Argentina scored higher than 18 of the 27 EU countries.</li>
<li>Australia ranks higher than Slovakia but lower than South Africa and New Zealand.</li>
</ul>

The study is well worth a look.

Do We Know What We're Doing? (2008-01-03)

One of the business risks that comes up time and time again in discussions about eHealth is the supply of people knowledgeable about both IT and health care. It seems that there are lots of one or the other, but few who understand both dimensions of a very complex business. Yet there is little effort being applied to increasing the pool of talent needed to address the demand for skilled human resources.

There are a number of university and college programs across the country (<a href="http://hi.uwaterloo.ca/hi/HI_Programs_Survey_2006.pdf">link here for a survey of HI programs across Canada published by the Waterloo Institute for Health Informatics Research</a> (WIHIR)), but they graduate relatively few health IT practitioners...
certainly not enough to fill the demand.

<a href="http://www.coachorg.com/">COACH, Canada's Health Informatics Association</a>, has recently published a list of core competencies needed by Health Informatics Professionals (unfortunately it's only available to COACH members), but again, there is no strategy to provide educational opportunities for those who need it.

The Healthcare Information Management and Systems Society (HIMSS) has recently implemented a certification program (<em><a href="http://www.himss.org/ASP/CertificationHome.asp">Certified Professional in Healthcare Information and Management Systems (CPHIMS)</a></em>) that is taking us in the right direction.

The University of Waterloo's <a href="http://hi.uwaterloo.ca/hi/bootcamp.htm">Health Informatics Bootcamp</a> program, developed and delivered by WIHIR, is highly recommended because it addresses a critical need to quickly educate health care and IT professionals on the intricacies of health informatics.

If we are to succeed in rolling out eHealth at the pace promoted by politicians and their instruments such as Canada Health Infoway (and other national equivalents), more investment is needed in the educational programs necessary to develop a competent health informatics workforce.

Welcome Back! (2008-01-02)

After a hiatus of a couple of months, I'm finally back to eHealthRisk. I have two announcements for those who are interested:

<ol>
<li>Starting today I have taken on the position of President of the <a href="http://www.chitta.ca/">Canadian Health Information Technology Trade Association (CHITTA)</a>, the health care division of the <a href="http://www.itac.ca/">Information Technology Association of Canada (ITAC)</a>. This will get me back into the game following my year-long sabbatical studying all dimensions of eHealth risk.</li>
<li>The Waterloo Institute for Health Informatics Research has posted the next series of <a href="http://hi.uwaterloo.ca/hi/workshops.htm">eHealthRisk Workshops</a>. New this year is the <a href="http://hi.uwaterloo.ca/hi/securityworkshop.htm">eHealth Information Security Workshop</a>, whose inaugural run will be from March 26 to 28, 2008 at the University of Waterloo.</li>
</ol>

And my New Year's resolution... to religiously apply myself to this eHealthRisk blog.

Brendan

Canadian Attitudes to EHRs and Privacy (2007-11-21)

<a href="http://www.infoway-inforoute.ca/en/home/home.aspx">Canada Health Infoway</a>, <a href="http://www.hc-sc.gc.ca/index_e.html">Health Canada</a> and the <a href="http://www.privcom.gc.ca/index_e.asp">Privacy Commissioner of Canada</a> commissioned and have published a comprehensive survey of Canadian attitudes towards Electronic Health Records and Privacy titled <a href="http://www.infoway-inforoute.ca/Admin/Upload/Dev/Document/EKOS_Final%20report_EN.pdf">Electronic Health Information and Privacy Survey: What Canadians Think - 2007</a>.

From the Press Release:

Almost nine in 10 Canadians (88 per cent) support the development of EHRs -- a five per cent increase since 2003. Other findings include:

<ul>
<li>31 per cent of respondents reported they had experience with an electronic health record during an interaction with the health care system. When asked how the EHR system compared to the paper system in terms of overall effectiveness for the health care system, an overwhelming majority (89 per cent) said the electronic system was better.</li>
<li>87 per cent of Canadians believe electronic health records will make diagnosis quicker and more accurate, while 82 per cent believe they will reduce prescription errors and 84 per cent would like to be able to access their own medical records online.</li>
<li>Canadians want to ensure that privacy and security safeguards are in place to protect their health information. 77 per cent would like audit trails that document access to their health information. 74 per cent want strong penalties for unauthorized access. 66 per cent of Canadians want clear privacy policies to protect their health information. In the event of a security breach, 7 in 10 want to be informed and would like procedures in place to respond to such breaches.</li>
<li>Those who have had experience with an electronic health record showed even stronger support for privacy and security safeguards.</li>
<li>A majority of Canadians (55 per cent) would like to be able to hide or mask sensitive information contained in their record.</li>
<li>While the poll shows strong support (84 per cent) for using anonymous information from electronic records for health research, this support drops dramatically if personal details are not removed from the record (50 per cent).</li>
</ul>

Laptop Thefts - Again! (2007-11-15)

Alberta's Privacy Commissioner, Frank Work, is the second Canadian privacy commissioner to demand the encryption of personal health information on laptop computers following the theft of four laptop computers from a Capital Health facility.
From the <a href="http://www.oipc.ab.ca/news/detailspage.cfm?id=3354">OIPC press release</a>:

<i>"The investigation outlines the following steps that must be taken to protect health information stored on a mobile device in order to meet requirements of the HIA:</i>
<ul>
<li><i>There must be policies and procedures that users are aware of and educated on that guide proper use of the device,</i></li>
<li><i>Reasonable steps must be taken to physically secure the device,</i></li>
<li><i>There must be a business need to store health information on the device,</i></li>
<li><i>The device must be password protected, and</i></li>
<li><i>Health information stored on the device must be protected by properly implemented encryption."</i></li>
</ul>

Westin Speaks on Health Research (2007-10-29)

US privacy guru Alan Westin has recently undertaken a study on behalf of the US <a href="http://www.iom.edu/CMS/3740/43729.aspx">Institute of Medicine</a> on public attitudes concerning privacy and health research. Modern Healthcare Online has published a two-part article on his findings (<a href="http://www.modernhealthcare.com/apps/pbcs.dll/article?AID=/20071019/FREE/310190004/1029/FREE">part 1</a>, <a href="http://www.modernhealthcare.com/apps/pbcs.dll/article?AID=/20071022/FREE/310220003/1029/FREE">part 2</a>). From the article:

<i>"The good news for the research community is, despite a plethora of media reports on privacy and security breaches in the healthcare industry, most people still respect the aims of researchers and are willing to support their work.</i>

<i>The bad news is, perhaps because of these highly publicized privacy failures, people need more assurance than in the past that their healthcare information will be protected and, particularly, not end up being misused in ways that could hurt them. This new reality will necessitate some consciousness-raising on the part of researchers, who historically have seen themselves as the guys in white hats who should be above suspicion, according to Westin."</i>

Remote Access to PHI (2007-10-26)

Health care organizations are under significant stress to allow remote access to personal health information in the field or from the homes of health care workers. The Ontario Information and Privacy Commissioner issued her <a href="http://www.ipc.on.ca/images/Findings/up-3ho_004.pdf">Order HO-004</a>, which addressed the issue of PHI stored on laptop computers and directed Ontario health information custodians to employ measures such as encryption to protect PHI on laptops and other portable devices. I know that many Ontario health care organizations are struggling to implement this order while not interfering with the need to allow remote access to PHI for legitimate and important health care delivery and research purposes.

I found an excellent reference guideline on the security considerations for remote access published by the US Department of Health and Human Services titled <a href="http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal.pdf">Security Guidance for Remote Use</a>. This is published under the auspices of the HIPAA Security Rule. What I really like about this document is that it takes a risk management approach to the problem of remote access: it looks at the risks of allowing remote access and suggests possible risk mitigation strategies.

This document is HIGHLY recommended.

10 Years Late (2007-10-19)

I was having breakfast a few mornings ago with a colleague. We were discussing the current state of privacy laws and what I perceived to be the major threats to privacy. I was bemoaning the fact that our current privacy regimes are inadequate to deal with two new threats: government "function creep" (the many unfortunate but legal uses being made of our personal information by government agencies in the name of national security and law enforcement), and identity theft. With respect to the former, he commented that while the checks and balances of our modern democratic systems may appear to have broken down, they are actually still in play. We'll see the pendulum swing back in the next few years.

It dawned on me that our current privacy laws were made for our world as it existed 10 years ago, when we were at the height of the dot-com boom. Way back then, in 1997, everyone was worried about the potential abuses by information entrepreneurs who wanted to capture our eyeballs and data mine our personal information. The laws we built succeeded in tempering the ambitious aspirations of the entrepreneurs, but didn't anticipate the threat to privacy in the post-9/11 world.

Maybe that's the pattern. 10 years from now we will have come to a consensus on how to protect personal information from over-zealous bureaucrats and law enforcement officials. But who knows what new threats to privacy will emerge in 2017. We can predict, for example, that our genetic code will be a prominent feature of our electronic health records. Who will be trying to exploit that information for power or profit? We can also predict that our privacy laws won't be able to fully protect us from these new perils.

Unfortunately, we don't have a crystal ball.

EHRs for Sale (2007-10-18)

I wonder how Canada Health Infoway will feel about banner ads on its nation-wide Electronic Health Record?

After reading a couple of articles over the past few days (<a href="http://www.modernhealthcare.com/apps/pbcs.dll/article?AID=/20071008/FREE/310080003/1029/FREE">Advertising, data sales subsidize EMR products</a> and <a href="http://blog.wired.com/monkeybites/2007/10/google-health-w.html">Google Health Wants to Digitize your Medical Records</a>), it crossed my mind that the EHR, EMR and EPR marketplace is moving way faster than our eHealth policy makers.
We've seen it in other sectors, particularly in education, where cash-strapped schools and school boards rent out advertising space to soft drink and confectionery companies. Already in the United States, banner ads and sales of aggregated and anonymized data (if there really is such a thing any more) are seen as integral parts of the EMR/EHR business model.

There are a raft of ethical issues that must be addressed as market forces worm their way into our eHealth systems. It's one thing for big Pharma to market their products to physicians through sales reps, but what happens when the marketing happens in real time... when the drug in the banner ad is tied to the patient's diagnosis and conveniently displayed on the doctor's screen?

I'm beyond worrying about whether this is a good thing or a bad thing. What worries me is that this stuff is happening without debate. Maybe the benefits of improved health care through eHealth are worth a little manipulation by big corporate interests if that's what it takes to fund an eHealth infrastructure. But can we at least think about it before it happens?

Health Privacy Resource (2007-10-17)

Anyone looking for a good source of health privacy resources should look at the <a href="http://www.privcom.gc.ca/information/02_03_02_e.asp#006">Privacy Commissioner of Canada's website</a>. Her health page links to most of the key resources of interest to Canadians, and has links to international resources as well.

My favorite link is to the <a href="http://scc.lexum.umontreal.ca/en/1992/1992rcs2-138/1992rcs2-138.html">1992 Supreme Court decision McInerney v. MacDonald</a>. This is the decision that enshrined the principle that while a health care provider owns the health record, the patient has nearly absolute rights to the data contained in the record (for clarification on the "nearly", check out the decision).

SPAM spam spam spam..... (2007-10-12)

Alex Jadad and Peter Gernburd of the <a href="http://www.ehealthinnovation.org/splash/ehealth">Centre for Global eHealth Innovation</a> in Toronto, Canada, have recently published a unique study titled <a href="http://medicine.plosjournals.org/perlserv/?request=get-document&amp;doi=10.1371/journal.pmed.0040274">Will Spam Overwhelm Our Defenses? Evaluating Offerings for Drugs and Natural Health Products</a>. They found that 32% of the spam we receive is health related, usually associated with products for erectile dysfunction, pain relief and obesity.

Armed with a low-limit VISA card, a post office box and, I suspect, a healthy sense of mischief, the researchers went in search of online health products.

The paper includes the following summary points:

<ul>
<li>Spam, or unsolicited e-mail received from an unknown sender, now accounts for the largest proportion of all messages delivered online.</li>
<li>Little is known about health-related spam and the spammers behind it.</li>
<li>This study shows that it is possible to purchase products purported to be prescription drugs and controlled substances, across traditional national and legal boundaries, with one-third of our attempts to do so being successful.</li>
<li>Buyers should be fully aware that it may not be possible for them to hold spammers accountable for any claims made in their messages, or to get protection from illegal activities resulting from disclosure of personal or financial information to spammers.</li>
<li>Spammers are challenging our traditional regulatory, licensing, and law enforcement frameworks, and even threatening their relevance.</li>
</ul>

For a summary of the study and comments from the researchers, check out the Globe and Mail article titled <a href="http://www.theglobeandmail.com/servlet/story/RTGAM.20070918.wldrugs18/BNStory/PersonalTech">No prescription, no problem</a>.

A Public Hanging (2007-10-11)

It's often said that there's nothing like a public hanging to get people's attention. Evidence that there are serious consequences to one's actions is a powerful motivator to behave appropriately.

Witness the response of Palisades Medical Centre in North Bergen, New Jersey, which played host to actor George Clooney and his girlfriend, Sarah Larson, following their motorcycle accident last month.

The hospital suspended 27 employees for looking at Clooney's medical records without authorization, following an audit of the hospital's systems.

Clooney didn't seem too distressed about the situation. <a href="http://www.thestar.com/entertainment/article/265319">Associated Press quoted him as saying,</a> "While I very much believe in a patient's right to privacy, I would hope that this could be settled without suspending medical workers."

Clooney's feelings aside, this situation can be used as a vivid and very public example of the possible consequences of browsing patient medical records.

Privacy Best Practices in Research (2007-10-10)

While most of the business case arguments for eHealth are associated with the treatment and care of individuals, there are tremendous societal benefits to be gained through health research.
I sometimes get the feeling that we have to be apologetic about using health databases for legitimate research purposes. Only through research will we master the medical and social challenges facing humanity.

A couple of years ago (in 2005, to be exact), the <a href="http://www.cihr-irsc.gc.ca/e/193.html">Canadian Institutes of Health Research</a> published a document titled <a href="http://www.cihr-irsc.gc.ca/e/documents/et_pbp_nov05_sept2005_e.pdf">CIHR Best Practices for Protecting Privacy in Health Research</a>. This document defines 10 elements that should be considered in the design, conduct and evaluation of health research to address privacy and confidentiality concerns. These elements are:

<ul>
<li><a href="http://www.cihr-irsc.gc.ca/e/29072.html#Element1">Element #1</a> - Determining the research objectives and justifying the data needed to fulfill these objectives</li>
<li><a href="http://www.cihr-irsc.gc.ca/e/29072.html#Element2">Element #2</a> - Limiting the collection of personal data</li>
<li><a href="http://www.cihr-irsc.gc.ca/e/29072.html#Element3">Element #3</a> - Determining if consent from individuals is required</li>
<li><a href="http://www.cihr-irsc.gc.ca/e/29072.html#Element4">Element #4</a> - Managing and documenting consent</li>
<li><a href="http://www.cihr-irsc.gc.ca/e/29072.html#Element5">Element #5</a> - Informing prospective research participants about the research</li>
<li><a href="http://www.cihr-irsc.gc.ca/e/29072.html#Element6">Element #6</a> - Recruiting prospective research participants</li>
<li><a href="http://www.cihr-irsc.gc.ca/e/29072.html#Element7">Element #7</a> - Safeguarding personal data</li>
<li><a href="http://www.cihr-irsc.gc.ca/e/29072.html#Element8">Element #8</a> - Controlling access and disclosure of personal data</li>
<li><a href="http://www.cihr-irsc.gc.ca/e/29072.html#Element9">Element #9</a> - Setting reasonable limits on retention of personal data</li>
<li><a href="http://www.cihr-irsc.gc.ca/e/29072.html#Element10">Element #10</a> - Ensuring accountability and transparency in the management of personal data</li>
</ul>

This is a comprehensive guide (169 pages) for anyone involved in health research who is interested in applying best practices for protecting the privacy rights of individuals.

Holy Hard Drives, Batman! (2007-10-09)

Researchers at the <a href="http://www.cheori.org/">Children's Hospital of Eastern Ontario (CHEO) Research Institute</a> have just published a paper titled <a href="http://www.jmir.org/2007/3/e24">An Evaluation of Personal Health Information Remnants in Second-Hand Personal Computer Disk Drives</a>. Bottom line: they bought 60 hard drives from second-hand dealers. They were able to recover personal information from 65% of the drives and personal health information from 10% of the drives. "Some of the PHI included very sensitive mental health information on a large number of people".

From the abstract:

<i><b>Background:</b> The public is concerned about the privacy of their health information, especially as more of it is collected, stored, and exchanged electronically. But we do not know the extent of leakage of personal health information (PHI) from data custodians. One form of data leakage is through computer equipment that is sold, donated, lost, or stolen from health care facilities or individuals who work at these facilities. Previous studies have shown that it is possible to get sensitive personal information (PI) from second-hand disk drives. However, there have been no studies investigating the leakage of PHI in this way.</i>

<i><b>Objectives:</b> The aim of the study was to determine the extent to which PHI can be obtained from second-hand computer disk drives.</i>

<i><b>Methods:</b> A list of Canadian vendors selling second-hand computer equipment was constructed, and we systematically went through the shuffled list and attempted to purchase used disk drives from the vendors. Sixty functional disk drives were purchased and analyzed for data remnants containing PHI using computer forensic tools.</i>

<i><b>Results:</b> It was possible to recover PI from 65% (95% CI: 52%-76%) of the drives. In total, 10% (95% CI: 5%-20%) had PHI on people other than the owner(s) of the drive, and 8% (95% CI: 7%-24%) had PHI on the owner(s) of the drive. Some of the PHI included very sensitive mental health information on a large number of people.</i>

<i><b>Conclusions:</b> There is a strong need for health care data custodians to either encrypt all computers that can hold PHI on their clients or patients, including those used by employees and subcontractors in their homes, or to ensure that their computers are destroyed rather than finding a second life in the used computer market.</i>

So much for those who say "It couldn't happen here"!

eHealthRisk Wiki (2007-10-05)

To complement this blog and the <a href="http://hi.uwaterloo.ca/hi/workshops.htm">eHealthRisk Workshops</a> I teach at the <a href="http://hi.uwaterloo.ca/hi/index.html">Waterloo Institute for Health Informatics Research</a>, I have established an <a href="http://ehealthrisk.wikispaces.com/">eHealthRisk Wiki</a> to be a resource for everyone interested in the subject of eHealth risk.

Bookmark the URL <a href="http://ehealthrisk.wikispaces.com/">http://ehealthrisk.wikispaces.com</a>

Subject areas to be covered on the Wiki include:

<ul>
<li>Risk Management</li>
<li>Benefits Realization</li>
<li>Privacy Risk</li>
<li>Security Risk</li>
<li>Safety Risk</li>
<li>Project Risk</li>
<li>Operations Risk</li>
<li>Business Risk</li>
<li>eHealth Standards</li>
</ul>

I believe that wikis are very powerful tools that provide an intuitive and direct path to information (it works just like Wikipedia). They also provide an opportunity for collaborative development.
Anyone interested in contributing to the <a href="http://ehealthrisk.wikispaces.com/">eHealthRisk Wiki</a> is welcome to contact me with your ideas.<br /><br />The <a href="http://ehealthrisk.wikispaces.com/http://">eHealthRisk Wiki</a> in a very early state of development. Some of the pages are still blank and there is much more to add. Still, you will find it a useful reference.<br /><br />I will be posting updates on the progress of the <a href="http://ehealthrisk.wikispaces.com/">eHealthRisk Wiki</a> on this blog from time to time.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8123243945617095524.post-68702639131893079692007-10-02T07:06:00.000-04:002007-10-02T07:24:25.401-04:00KatrinaHealth<a href="http://www.markle.org/downloadable_assets/katrinahealth.final.pdf">Lessons from KatrinaHealth</a> - This report has been around for a while (published in June 2006). For those of you who haven't read it it makes an excellent case study for the use of ICTs in a disaster.<br />From the Introduction:<br /><div style="text-align: center;"><span style="font-style: italic;">KatrinaHealth was an online service that was established to help individuals</span><span style="font-style: italic;"> affected by Hurricane Katrina work with their health professionals to gain access</span><span style="font-style: italic;"> to their own electronic prescription medication records. Through a single portal,</span><span style="font-style: italic;"> KatrinaHealth.org, authorized pharmacists and doctors were able to get</span><span style="font-style: italic;"> records of medications evacuees were using before the storm hit, including the</span><span style="font-style: italic;"> specific dosages. 
Having this information helped evacuees renew their</span><span style="font-style: italic;"> medications, and helped healthcare professionals avoid harmful prescription</span><span style="font-style: italic;"> errors and coordinate care.</span><br /><div style="text-align: left;"><br />From the body of the report:<br /><br /><div style="text-align: center;"><span style="font-style: italic;">To design, construct, test, and prepare KatrinaHealth for use in less than three weeks, the project team confronted numerous technical, policy, and organizational hurdles. The specifics of the team’s process are described in some detail at the end of this report. Many of the hurdles were overcome, some were not, but did not derail the project, and others remained sticking points. Contrary to expectations, the technical hurdles, although significant, were easier to work around, and sometimes solve, than were some of the policy, business, and</span><br /><span style="font-style: italic;">organizational issues.</span><br /></div><br />This report was published by the <a href="http://www.markle.org/">Markle Foundation</a>. It provides excellent evidence to support the business case for eHealth.<br /><span style="font-style: italic;"></span></div></div>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8123243945617095524.post-32114271892247172672007-10-01T08:30:00.000-04:002007-10-01T08:38:31.600-04:00EC Report - eHealth for SafetyThe European Commission has released a comprehensive report titled <a href="http://ec.europa.eu/information_society/activities/health/docs/publications/eHealth-safety-report-final.pdf">eHealth for Safety: Impact of ICT on Patient Safety and Risk Management</a>. 
Not surprisingly, the report is consistent with the CHI Report <a href="http://ehealthrisk.blogspot.com/2007/09/ehr-and-patient-safety.html">The relationship between Electronic Health Records and Patient Safety</a>.<br /><br />The report provides relevant definitions, a discussion of patient risk and safety in practice, ICT applications in healthcare and a summary of research from expert workshops.<br /><br />This is another important reference for those interested in eHealth and patient safety.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8123243945617095524.post-71027104375606998272007-09-28T07:42:00.001-04:002007-09-28T07:55:02.170-04:00CHI Benefits Evaluation FrameworkWe usually associate risk with adverse events and negative consequences. Privacy and security breaches, project failure, plague and pestilence dominate our attention. But risk management techniques are also applied to the good things in life... wealth and prosperity, reward and recognition. Consider your investment portfolio. Nothing in your portfolio is there to be lost. You recognize that there are risks, but you manage them. In fact... more risk, more reward.<br /><br />But you need indicators to help determine if you're winning or losing. 
As with your investment portfolio, we need to know what we want to achieve with our investments in eHealth, and we need indicators to mark progress or loss.<br /><br /><a href="http://www.infoway-inforoute.ca/en/Home/home.aspx">Canada Health Infoway</a> has issued a technical report titled <a href="http://www.infoway-inforoute.ca/Admin/Upload/Dev/Document/BE%20Techical%20Report%20%28EN%29.pdf">Benefits Evaluation Indicators - Technical Report</a>, which provides a benefits evaluation framework and indicators for its primary investment lines, which include diagnostic imaging, drug information systems, laboratory information systems, public health systems, telehealth systems and the interoperable electronic health record.<br /><br />It's an important resource for those of you charged with demonstrating the value of eHealth investments.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8123243945617095524.post-62630362456445688882007-09-25T06:41:00.000-04:002007-09-25T07:10:19.906-04:00eHealth Vulnerability Reporting ProgramThe <a href="http://www.ehvrp.org/homepage.html">eHealth Vulnerability Reporting Program</a> is a venture, founded in May 2006, "<span style="font-style: italic;">to establish approaches and procedures that will help ensure eHealth systems are broadly and rapidly deployed with the highest levels of privacy and security</span>". 
They have published an <a href="http://www.ehvrp.org/images/eHealth_Vulnerability_Reporting_Program_Executive_Briefing_September_2007.pdf">executive briefing</a> on some of their findings which include:<br /><ul><li>EHR vulnerabilities can be exploited to gain control of application or access to data for modification or retrieval</li><li>EHR applications have vulnerabilities consistent with other complex applications</li><li>Application vulnerabilities have long lives</li><li>EHR vulnerabilities are not disclosed to customers of these systems</li><li>Commercial EHR systems are vulnerable to exploitation given existing industry development and disclosure practices</li><li>Security software effectively reduced time of exposure</li><li>No organization could be identified that has responsibility, charter or mission to address security vulnerabilities in eHealth applications</li></ul>The report stresses that the "sky is not falling" but EHR vendors, healthcare providers and the healthcare industry need to do much more.<br /><br />This is a space worth watching for future developments.<br /><br />For an overview of the report read Nancy Ferris' article titled <a href="http://www.fcw.com/article103788-09-17-07-Web">Hacking into e-health records is too easy, group says.</a>Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8123243945617095524.post-5526263334118791082007-09-21T07:45:00.000-04:002007-09-22T07:35:24.408-04:00So Much for Transparency ☹As I sat yesterday contemplating the contents of the courier package, I thought about Kafka’s Joseph K. and the niggling and growing frustration he felt as he prepared for his trial. These aren’t bad people… these nameless and faceless bureaucrats. 
But they are a breed, and it's in their nature to jealously hoard and guard information.<br /><br />You may have read the <a href="http://ehealthrisk.blogspot.com/2007/06/foi-request-and-appeal-for-pias.html">post concerning my Freedom of Information request</a> for the Privacy Impact Assessments for the <a href="http://www.health.gov.on.ca/ehealth/initiatives/initiatives_mn.html#3">Ontario Laboratory Information System (OLIS)</a>, the <a href="http://www.health.gov.on.ca/english/public/program/drugs/eda_mn.html">Ontario Drug Benefit Drug Program Viewer (ODBDPV)</a>, and the <a href="http://www.phac-aspc.gc.ca/php-psp/ciphs_e.html#wiphis">Integrated Public Health Information System (iPHIS)</a>. My original intention was innocuous enough. Very few PIAs are available on the Internet. I was looking for examples I could use in the <a href="http://hi.uwaterloo.ca/hi/privacyworkshop.htm">Health Privacy Professional Workshop</a> I teach at the Waterloo Institute for Health Informatics Research. I had read two of the three PIAs in question in my former role as Chief Privacy and Security Officer for the <a href="http://www.ssha.on.ca/main.asp">Ontario Smart Systems for Health Agency</a> and thought that they would be useful and topical references for workshop participants.<br /><br />In June the Ontario Ministry of Health and Long Term Care (MOHLTC) denied access to the documents under various exemptions in the <a href="http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90f31_e.htm#BK15">Freedom of Information and Protection of Privacy Act</a>. I appealed the decision to the <a href="http://www.ipc.on.ca/">Information and Privacy Commissioner for Ontario</a>.<br /><br />My <a href="http://www.ipc.on.ca/images/Resources/up-appeal_e.pdf">appeal has just gone through the mediation process</a> and the courier package contained a new decision to release redacted copies of the OLIS and ODBDPV PIAs. The full iPHIS PIA is still denied. 
To say the OLIS and ODBDPV PIAs were redacted is an understatement.<br /><br />Now I would have expected some modest redacting where there was a risk of exposing, for example, security vulnerabilities or trade secrets. However, the redaction in this case went over the top.<br /><br />The redacted <a href="http://www.ehealthrisk.com/db1/00025/ehealthrisk.com/_download/dpvpia.pdf">ODBDPV PIA (download a copy here)</a> is an 83-page document. The pages are blank until page 56 where they then released 16 pages of already available public information such as regulations and forms. The last 12 pages are also blank. Not a cover page, table of contents or executive summary… I would not even be able to identify the document as the ODBDPV PIA were it not for the covering decision letter.<br /><br />The redacted <a href="http://www.ehealthrisk.com/db1/00025/ehealthrisk.com/_download/OLISPIA.pdf">OLIS PIA (download a copy here)</a> is a 153-page document. The first 11 pages containing the cover page, document boilerplate and definitions have been released. 
This is followed by 110 blank pages, then 2 ½ pages containing a textbook table of very general privacy risks and some legal authorities, followed by another 30 blank pages.<br /><br />Of course, the iPHIS PIA was denied in its entirety, which for the sake of the trees involved was probably just as well.<br /><br />All in all the MOHLTC sent me more than 200 blank pages!<br /><br />The reasons for the denied access referenced the following exemptions under the <a href="http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90f31_e.htm#BK15">Freedom of Information and Protection of Privacy Act</a>.<br /><br />• Section 12 – Cabinet Records<br />• Section 14 – Law Enforcement<br />• Section 17 – Third Parties<br />• Section 19 – Solicitor-Client Privilege<br /><br /><br />The sad thing is that these are good projects, and I expect that the PIAs would demonstrate that all known privacy risks have been identified and are being well managed. I personally know and respect the people who wrote these documents. Unfortunately we are subject to those governmental and societal influences so well described by <a href="http://en.wikipedia.org/wiki/Franz_Kafka">Franz Kafka</a> in his books <a href="http://en.wikipedia.org/wiki/The_Castle_%28novel%29">The Castle</a> and <a href="http://en.wikipedia.org/wiki/The_Trial">The Trial</a> (I reflect on these issues and my own experience as one of Kafka’s bureaucrats in <a href="http://www.brendanseaton.com/_upload/musings/Kafka.pdf">my essay We’re All Kafka Bureaucrats</a>). If I didn’t know better I could read sinister motives into the Ministry’s denial of my request. What could they be hiding? What terrible risks lurk in these systems that could do serious damage to the good citizens of Ontario?<br /><br />But no. They hide everything… good and bad. It's in their nature. 
So much for transparency.<br /><br />Needless to say, I have applied to the Information and Privacy Commissioner’s office to proceed to the next stage – adjudication. We’ll see what happens next.<br /><br />Oh... and I will be using these documents in my privacy workshop, though not in the way I had originally intended.<br /><br /><br />Supplementary Comment (22/9/07):<br /><br />I'm not the only one frustrated by Government's response to FOI requests. Check out this article in the Globe and Mail titled <a href="http://www.theglobeandmail.com/servlet/story/RTGAM.20070922.wfoimain0922/BNStory/National/home">Delay, denial and stonewalling still clog FOI system</a>.Unknownnoreply@blogger.com2tag:blogger.com,1999:blog-8123243945617095524.post-53367007465048033372007-09-18T07:15:00.001-04:002007-09-18T07:21:56.324-04:00EHR and Patient Safety<a href="http://www.infoway-inforoute.ca/en/home/home.aspx">Canada Health Infoway</a> has published a comprehensive report titled <a href="http://www.infoway-inforoute.ca/Admin/Upload/Dev/Document/EHR-Patient%20Safety%20Report.pdf">The relationship between Electronic Health Records and Patient Safety</a>. Conducted in collaboration with the <a href="http://www.icareabouthealth.ca/home2/index.htm">Integrated Centre for Care Advancement Through Research</a> and the <a href="http://www.patientsafetyinstitute.ca/index.html">Canadian Patient Safety Institute</a>, the report provides an honest assessment of what we know and don't know about EHRs and patient safety, and where we need to go.<br /><br />Worth a read.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8123243945617095524.post-13102390908984663772007-09-17T07:02:00.000-04:002007-09-17T07:10:15.698-04:00Future Directions in Technology-Enabled CrimeThe Australian Institute of Criminology has published a comprehensive report titled <a href="http://www.aic.gov.au/publications/rpp/78/rpp78.pdf">Future directions in technology-enabled crime: 2007 - 09</a>. 
This 166-page tome surveys existing and emerging threats to information systems in the e-enabled world. Among the risk areas discussed are:<br /><ul><li>Computer-facilitated frauds</li><li>Unauthorized access</li><li>Evolution of malware</li><li>Intellectual property infringement</li><li>Industrial espionage</li><li>Child exploitation and offensive content</li><li>Exploitation of younger people</li><li>Transnational organized crime and terrorism</li><li>Threats to national information infrastructure</li></ul>Security has always been a cat-and-mouse game between the bad guys and those who work to thwart them. This report gives a good overview of the game as of today. Let's hope the good guys can stay out in front.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8123243945617095524.post-19033784475084764132007-09-14T08:59:00.000-04:002007-09-14T09:04:27.174-04:00Get Ready to Rumble!I enjoyed immensely yesterday's post by Blogger Dr. Scott Shreeve in an <a href="http://scottshreeve.blogspot.com/2007/09/no-laughing-matter-open-letter-to.html">open letter to Google Health's new director Marissa Mayer</a>. He succinctly sums up the challenges encountered by everyone trying to implement IT in health care.<br /><br />I especially liked his opening salvo:<br /><br /><span style="font-size: 85%; font-style: italic;"><span style="font-weight: bold;">Get ready to rumble. </span>The healthcare industry is littered with the carnage of decades of innovators shattering themselves against the iron anvil of the healthcare. While there have certainly been successes, there are 10x defeats.</span><br /><br />Take a look. 
It's a short but interesting read.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8123243945617095524.post-69875346010305145762007-09-13T07:20:00.000-04:002007-09-13T07:47:38.148-04:00Categorizing eHealth Business RiskI have been looking for a model for categorizing and evaluating eHealth business risks. The best I've found so far is a standard and guide published by the UK Risk Management Institute titled <a href="http://www.theirm.org/publications/documents/Risk_Management_Standard_030820.pdf">A Risk Management Standard</a>. This Standard describes four types of business risk:<br /><br /><span style="font-weight: bold;">Strategic Risks</span> - include all of the external and environmental factors associated with an industry. In eHealth this could include political risk, user acceptance (or lack thereof), business model and governance issues.<br /><br /><span style="font-weight: bold;">Compliance Risks</span> - are those risks associated with the need to comply with laws and regulations. In eHealth this would include compliance with privacy and data protection legislation, health and safety regulations, and compliance with legislation governing the operation of health institutions and health professions.<br /><br /><span style="font-weight: bold;">Financial Risks</span> - are those risks associated with the financial structures, transactions and financial processes in place in your organization. In eHealth this could include risks associated with inadequate financial controls, fraud, legal liability and unstable sources of capital and operational funding.<br /><br /><span style="font-weight: bold;">Operational Risks</span> - are those risks associated with operational and administrative procedures. 
In eHealth this could include business continuity, disaster recovery, procurement issues, and the ability to meet required service levels.<br /><br />All in all, a neat and simple way of expressing business risk.<br /><br />The guide also suggests a basic (though complete) approach to business risk identification and treatment. Another site, UK <a href="http://www.businesslink.gov.uk/bdotg/action/layer?topicId=1074404839">Business Link</a>, which seems geared to small to medium-sized businesses (about the size of our average health care operation), provides a good overview of the process.Unknownnoreply@blogger.com0tag:blogger.com,1999:blog-8123243945617095524.post-30329475735708027762007-09-11T08:07:00.000-04:002007-09-11T08:15:29.961-04:00How to Eat an ElephantIt's an axiom that we all too often forget. The way to eat an elephant is one bite at a time. Big bang projects are rarely successful. I was reminded of this point while reading an article on the CIO website titled <a href="http://www.cio.com/article/print/132452">How to Justify an IT Project With Uncertain Returns (And Still Make Your CFO Happy)</a>. The author, J. Marc Hopkins, is the CIO for a large US medical practice. He stresses the need to start small, build on successes, and focus on the needs of end users.Unknownnoreply@blogger.com0