eHealthRisk

How Solid are your Privacy Rights?

2008-01-04T07:39:00.000-05:00

The US-based Electronic Privacy Information Centre and the UK-based Privacy International have released a comprehensive report on the state of privacy around the world. How solid are your privacy rights?

If you live in the US or UK you are in the same class as those living in Malaysia, Russia and China. People living in Greece, Romania (go figure, given where Romania was a couple of decades ago), and Canada fair the best, though Canada's ranking slipped two levels from "Significant protections and safeguards" to "Some safeguards but weakened protections". Among the other findings:

The 2007 rankings indicate an overall worsening of privacy protection across the world, reflecting an increase in surveillance and a declining performance o privacy safeguards.
Concern over immigration and border control dominated the world agenda in 2007. Countries have moved swiftly to implement database, identity and fingerprinting systems, often without regard to the privacy implications for their own citizens
The 2007 rankings show an increasing trend amongst governments to archive data on the geographic, communications and financial records of all their citizens and residents. This trend leads to the conclusion that all citizens, regardless of legal status, are under suspicion.
The privacy trends have been fueled by the emergence of a profitable surveillance industry dominated by global IT companies and the creation of numerous international treaties that frequently operate outside judicial or democratic processes.
Despite political shifts in the US Congress, surveillance initiatives in the US continue to expand, affecting visitors and citizens alike.
Surveillance initiatives initiated by Brussels have caused a substantial decline in privacy across Europe, eroding protections even in those countries that have shown a traditionally high regard for privacy.
The privacy performance of older democracies in Europe is generally failing, while the performance of newer democracies is becoming generally stronger.
The lowest ranking countries in the survey continue to be Malaysia, Russia and China. The highest-ranking countries in 2007 are Greece, Romania and Canada.
The 2006 leader, Germany, slipped significantly in the 2007 rankings, dropping from 1st to 7th place behind Portugal and Slovenia.
In terms of statutory protections and privacy enforcement, the US is the worst ranking country in the democratic world. In terms of overall privacy protection the United States has performed very poorly, being out-ranked by both India and the Philippines and falling into the "black" category, denoting endemic surveillance.
The worst ranking EU country is the United Kingdom, which again fell into the "black" category along with Russia and Singapore. However for the first time Scotland has been given its own ranking score and performed significantly better than England & Wales.
Argentina scored higher than 18 of the 27 EU countries.
Australia ranks higher than Slovakia but lower than South Africa and New Zealand.

The study is well worth a look.

Do We Know What We're Doing?

2008-01-03T07:53:00.000-05:00

One of the business risks that come up time and time again in discussions about eHealth is the supply of people knowledgeable about both IT and health care. It seems that there are lots of one or the other, but few who understand both dimensions of a very complex business. Yet there is little effort being applied to increasing the pool of talent needed to address the demand for skilled human resources.

There are a number of university and college programs across the country (link here for a survey of HI programs across Canada published by the Waterloo Institute for Health Informatics Research (WIHIR), but they graduate relatively few health IT practitioners... certainly not enough to fill the demand.

COACH, Canada's Health Informatics Association, has recently published a list of core competencies needed by Health Informatics Professionals (unfortunately its only available to COACH members), but again, there is no strategy to provide educational opportunities for those who need it.

The Healthcare Information Management and Systems Society (HIMSS) has recently implemented a certification program (Certified Professional in Healthcare Information and Management Systems (CPHIMS)) that is taking us in the right direction.

The University of Waterloo's Health Informatics Bootcamp program developed and delivered by WIHIR is highly recommended because it addresses a critical need to quickly educate health care and IT professionals on the intricacies of health informatics.

If we are to succeed in driving out eHealth at the pace promoted by politicians and their instruments such as Canada Health Infoway (and other national equivalents), more investment is needed in the educational programs necessary to develop a competent health informatics workforce.

Welcome Back!

2008-01-02T08:38:00.001-05:00

After a hiatus of a couple of months, I'm finally back to eHealthRisk. I have two announcements for those who are interested:

Starting today I have taken on the position of President of the Canadian Health Information Technology Trade Association (CHITTA), the health care division of the Information Technology Association of Canada (ITAC). This will get me back into the game following my year long sabbatical studying all dimensions of eHealth risk.
The Waterloo Institute for Health Informatics Research has posted the next series of eHealthRisk Workshops. New this year is the eHealth Information Security Workshop whose inaugural run will be from March 26 to 28, 2008 at the University of Waterloo.

And my New Year's resolution... To religiously apply myself to this eHealthRisk Blog.

Brendan

Canadian Attitudes to EHRs and Privacy

2007-11-21T08:30:00.000-05:00

Canada Health Infoway, Health Canada and the Privacy Commissioner of Canada commissioned and have published a comprehensive survey of Canadian attitudes towards Electronic Health Records and Privacy titled Electronic Health Information and Privacy Survey: What Canadians Think - 2007.

From the Press Release:

Almost nine in 10 Canadians (88 per cent) support the development of EHRs -- a five per cent increase since 2003. Other findings include:

31 per cent of respondents reported they had experience with an electronic health record during an interaction with the health care system. When asked to how the EHR system compared to the paper system in terms of overall effectiveness for the health care system, an overwhelming majority (89 per cent) said the electronic system was better.
87 per cent of Canadians believe electronic health records will make diagnosis quicker and more accurate, while 82 per cent believe they will reduce prescription errors and 84 per cent would like to be able to access their own medical records online.
Canadians want to ensure that privacy and security safeguards are in place to protect their health information. 77 per cent would like audit trails that document access to their health information. 74 per cent want strong penalties for unauthorized access. 66 per cent of Canadians want clear privacy policies to protect their health information. In the event of a security breach, 7 in 10 want to be informed and would like procedures in place to respond to such breaches.
Those who have had experience with an electronic health record showed an even stronger support for privacy and security safeguards.
A majority of Canadians (55 per cent) would like to be able to hide or mask sensitive information contained in their record.
While the poll shows strong support (84 per cent) for using anonymous information from electronic records for health research, this support drops dramatically if personal details are not removed from the record (50 per cent).

Laptop Thefts - Again!

2007-11-15T04:57:00.000-05:00

Alberta's Privacy Commissioner, Frank Work, is the second Canadian privacy commissioner to demand the encryption of personal health information on laptop computers following the theft of four laptop computers from a Capital Health facility. From the OIPC press release:

"The investigation outlines the following steps that must be taken to protect health information stored on a mobile device in order to meet requirements of the HIA:

There must be policies and procedures that users are aware of and educated on that guide proper use of the device,
Reasonable steps must be taken to physically secure the device,
There must be a business need to store health information on the device,
The device must be password protected, and
Health information stored on the device must be protected by properly implemented encryption."

Westin Speaks on Health Research

2007-10-29T07:32:00.000-04:00

US Privacy Guru Alan Westin has recently undertaken a study on behalf of the US Institute of Medicine on public attitudes concerning privacy and health research. Modern Healthcare Online has published a two part article on his findings (for part 1 click here - for part 2 click here). From the article:

"The good news for the research community is, despite a plethora of media reports on privacy and security breaches in the healthcare industry, most people still respect the aims of researchers and are willing to support their work.

The bad news is, perhaps because of these highly publicized privacy failures, people need more assurance than in the past that their healthcare information will be protected and, particularly, not end up being misused in ways that could hurt them. This new reality will necessitate some consciousness-raising on the part of researchers, who historically have seen themselves as the guys in white hats who should be above suspicion, according to Westin."

Remote Access to PHI

2007-10-26T07:09:00.000-04:00

Health care organizations are under significant stress to allow remote access to personal health information in the field or from the homes of health care workers. The Ontario Information and Privacy Commissioner issued her Order HO-004 which addressed the issue of PHI stored on laptop computers and directed Ontario health information custodians to employ measures such as encryption to protect PHI on laptops and other portable devices. I know that many Ontario health care organizations are struggling to implement this order while not interfering with the need to allow remote access to PHI for legitimate and important health care delivery and research purposes.

I found an excellent reference guideline on the security considerations for remote access published by the US Department of Health and Human Services titled Security Guidance for Remote Use . This is published under the auspices of the HIPAA Security Rule. What I really like about this document is that it takes a risk management approach to considering the problem of remote access. The document looks at the risks of allowing remote access and suggests possible risk mitigation strategies.

This document is HIGHLY Recommended.

10 Years Late

2007-10-19T10:20:00.000-04:00

I was having breakfast a few mornings ago with a colleague. We were discussing the current state of privacy laws and what I perceived to be the major threats to privacy. I was bemoaning the fact that our current privacy regimes are inadequate to deal with these new threats- that of government "function creep" (with the many unfortunate but legal uses being made of our personal information by government agencies in the name of national security and law enforcement), and identity theft. With respect to the former, he commented that while the checks and balances of our modern democratic systems may appear to have broken down, they are actually still in play. We'll see the pendulum swing back in the next few years.

It dawned on me that our current privacy laws were made for our world as it existed 10 years ago when we were at the height of the dot.com boom. Way back then, in 1997, everyone was worried about the potential abuses by information entrepreneurs who wanted to capture our eyeballs and data mine our personal information. The laws we built succeeded in tempering the ambitious aspirations of the entrepreneurs, but didn't anticipate the threat to privacy in the post 9/11 world.

Maybe thats the pattern. 10 years from now we will have come to a consensus on how to protect personal information from over-zealous bureaucrats and law enforcement officials. But who knows what new threats to privacy will emerge in 2017. We can predict, for example, that our genetic code will be a prominent feature of our electronic health records. Who will be trying to exploit that information for power or profit? We can also predict that our privacy laws won't be able to fully protect us from these new perils.

Unfortunately, we don't have a crystal ball.

EHR's for Sale

2007-10-18T07:17:00.000-04:00

I wonder how Canada Health Infoway will feel about banner ads on its nation-wide Electronic Health Record?

After reading a couple of articles over the past few days (Advertising, data sales subsidize EMR products and Google Health Wants to Digitize your Medical Records), it crossed my mind that the EHR, EMR and EPR marketplace is moving way faster than our eHealth policy makers. We've seen it in other sectors, particularly in education where cash-strapped schools and school boards rent out advertising space to soft drink and confectionery companies. Already in the United States banner ads and sales of aggregated and anonymized data (if there really is such a thing any more) are seen as integral parts of the EMR/EHR business model.

There are a raft of ethical issues that must be addressed as market forces worm their way into our eHealth systems. Its one thing for big Pharma to market their products to physicians through sales reps, but what happens when the marketing happens in real time... When the drug in the banner ad is tied to the patient's diagnosis and conveniently displayed on the doctor's screen?

I'm beyond worrying about whether this is a good thing or a bad thing. What worries me is that this stuff is happening without debate. Maybe the benefits of improved health care through eHealth are worth a little manipulation by big corporate interests if thats what it takes to fund an eHealth infrastructure. But can we at least think about it before it happens?

Health Privacy Resource

2007-10-17T05:43:00.000-04:00

Anyone looking for a good source of health privacy resources should look at the Privacy Commissioner of Canada's website. Her health page links to most of the key resources of interest to Canadians, and has links to international resources as well.

My favorite link is to the 1992 Supreme Court decision McInerney v. MacDonald. This is the decision that enshrined the principle that while a health care provider owns the health record, the patient has nearly absolute rights to the data contained in the record (for clarification on the "nearly" check out the decision).

SPAM spam spam spam.....

2007-10-12T07:41:00.000-04:00

Alex Jadad and Peter Gernburd of the Centre for Global eHealth Innovation in Toronto, Canada, have recently published a unique study titled Will Spam Overwhelm Our Defenses? Evaluating Offerings for Drugs and Natural Health Products. They found that 32% of the spam we receive is health related, usually associated with products for erectile dysfunction, killing pain and anti-obesity.

Armed with a low-limit VISA card, a post office box and, I suspect, a healthy sense of mischief, the researchers went in search of online health products.

The paper includes the following summary points:

Spam, or unsolicited e-mail received from an unknown sender, now accounts for the largest proportion of all messages delivered online.
Little is known about health-related spam and the spammers behind it.
This study shows that it is possible to purchase products purported to be prescription drugs and controlled substances, across traditional national and legal boundaries, with one-third of our attempts to do so being successful.
Buyers should be fully aware that it may not be possible for them to hold spammers accountable for any claims made in their messages, or to get protection from illegal activities resulting from disclosure of personal or financial information to spammers.
Spammers are challenging our traditional regulatory, licensing, and law enforcement frameworks, and even threatening their relevance.

For a summary of the study and comments from the researchers, check out the Globe and Mail article titled No prescription, no problem.

A Public Hanging

2007-10-11T07:19:00.000-04:00

Its often said that there's nothing like a public hanging to get peoples' attention. Evidence that there are serious consequences to one's actions is a powerful motivator to behave appropriately.

Witness the response of Palisades Medical Centre in North Bergen, New Jersey, that played host to actor George Clooney and his girlfriend, Sarah Larson, following their motorcycle accident last month.

The hospital suspended 27 employees for looking at Clooney's medical records without authorization following an audit of the hospital's systems.

Clooney didn't seem too distressed about the situation. Associated Press quoted him as saying, "While I very much believe in a patient's right to privacy, I would hope that this could be settled without suspending medical workers."

Clooney's feelings aside, this situation can be used as a vivid and very public example of the possible consequences of browsing patient medical records.

Privacy Best Practices in Research

2007-10-10T06:46:00.000-04:00

While most of the business case arguments for eHealth are associated with the treatment and care of individuals, there are tremendous societal benefits to be gained through health research. I sometimes get the feeling that we have to be apologetic about using health databases for legitimate research purposes. Only through research will we master the medical and social challenges facing humanity.

A couple of years ago (in 2005 to be exact), the Canadian Institutes of Health Research published a document titled CIHR Best Practices for Protecting Privacy in Health Research. This document defines 10 elements that should be considered in the design, conduct and evaluation of health research to address privacy and confidentiality concerns. These elements are:

Element #1 - Determining the research objectives and justifying the data needed to fulfill these objectives
Element #2 - Limiting the collection of personal data
Element #3 - Determining if consent from individuals is required
Element #4 - Managing and documenting consent
Element #5 - Informing prospective research participants about the research
Element #6 - Recruiting prospective research participants
Element #7 - Safeguarding personal data
Element #8 - Controlling access and disclosure of personal data
Element #9 - Setting reasonable limits on retention of personal data
Element #10 - Ensuring accountability and transparency in the management of personal data

This is a comprehensive guide (169 pages) for anyone involved in health research who is interested in applying best practices for protecting the privacy rights of individuals.

Holy Hard Drives, Batman!

2007-10-09T06:52:00.000-04:00

Researchers at the Children's Hospital of Eastern Ontario (CHEO) Research Institute have just published a paper titled An Evaluation of Personal Health Information Remnants in Second-Hand Personal Computer Disk Drives. Bottom Line: They bought 60 hard drives from second-hand dealers. They were able to recover personal information from 65% of the drives and personal health information from 10% of the drives. "Some of the PHI included very sensitive mental health information on a large number of people".

From the abstract:

Background: The public is concerned about the privacy of their health information, especially as more of it is collected, stored, and exchanged electronically. But we do not know the extent of leakage of personal health information (PHI) from data custodians. One form of data leakage is through computer equipment that is sold, donated, lost, or stolen from health care facilities or individuals who work at these facilities. Previous studies have shown that it is possible to get sensitive personal information (PI) from second-hand disk drives. However, there have been no studies investigating the leakage of PHI in this way.
Objectives: The aim of the study was to determine the extent to which PHI can be obtained from second-hand computer disk drives.
Methods: A list of Canadian vendors selling second-hand computer equipment was constructed, and we systematically went through the shuffled list and attempted to purchase used disk drives from the vendors. Sixty functional disk drives were purchased and analyzed for data remnants containing PHI using computer forensic tools.
Results: It was possible to recover PI from 65% (95% CI: 52%-76%) of the drives. In total, 10% (95% CI: 5%-20%) had PHI on people other than the owner(s) of the drive, and 8% (95% CI: 7%-24%) had PHI on the owner(s) of the drive. Some of the PHI included very sensitive mental health information on a large number of people.
Conclusions: There is a strong need for health care data custodians to either encrypt all computers that can hold PHI on their clients or patients, including those used by employees and subcontractors in their homes, or to ensure that their computers are destroyed rather than finding a second life in the used computer market.

So much for those who say "It couldn't happen here"!

eHealthRisk Wiki

2007-10-05T04:34:00.000-04:00

To complement this blog and the eHealthRisk Workshops I teach at the Waterloo Institute for Health Informatics Research, I have established an eHealthRisk Wiki to be a resource for everyone interested in the subject of eHealth risk.

Bookmark the URL http://ehealthrisk.wikispaces.com

Subject areas to be covered on the Wiki include:

Risk Management
Benefits Realization
Privacy Risk
Security Risk
Safety Risk
Project Risk
Operations Risk
Business Risk
eHealth Standards

I believe that wiki's are very powerful tools that provide an intuitive and direct path to information (it works just like Wikipedia). They also provide an opportunity for collaborative development. Anyone interested in contributing to the eHealthRisk Wiki is welcome to contact me with your ideas.

The eHealthRisk Wiki in a very early state of development. Some of the pages are still blank and there is much more to add. Still, you will find it a useful reference.

I will be posting updates on the progress of the eHealthRisk Wiki on this blog from time to time.

KatrinaHealth

2007-10-02T07:06:00.000-04:00

Lessons from KatrinaHealth - This report has been around for a while (published in June 2006). For those of you who haven't read it it makes an excellent case study for the use of ICTs in a disaster.
From the Introduction:

KatrinaHealth was an online service that was established to help individuals affected by Hurricane Katrina work with their health professionals to gain access to their own electronic prescription medication records. Through a single portal, KatrinaHealth.org, authorized pharmacists and doctors were able to get records of medications evacuees were using before the storm hit, including the specific dosages. Having this information helped evacuees renew their medications, and helped healthcare professionals avoid harmful prescription errors and coordinate care.

From the body of the report:

To design, construct, test, and prepare KatrinaHealth for use in less than three weeks, the project team confronted numerous technical, policy, and organizational hurdles. The specifics of the team’s process are described in some detail at the end of this report. Many of the hurdles were overcome, some were not, but did not derail the project, and others remained sticking points. Contrary to expectations, the technical hurdles, although significant, were easier to work around, and sometimes solve, than were some of the policy, business, and
organizational issues.

This report was published by the Markle Foundation. It provides excellent evidence to support the business case for eHealth.

EC Report - eHealth for Safety

2007-10-01T08:30:00.000-04:00

The European Commission has released a comprehensive report titled eHealth for Safety: Impact of ICT on Patient Safety and Risk Management. Not surprisingly the report is consistent with the CHI Report The relationship between Electronic Health Records and Patient Safety.

The report provides relevant definitions, a discussion of patient risk and safety in practice, ICT applications in healthcare and a summary of research from expert workshops.

This is another important reference for those interested in eHealth and patient safety.

CHI Benefits Evaluation Framework

2007-09-28T07:42:00.001-04:00

We usually associate risk with adverse events and negative consequences. Privacy and security breaches, project failure, plague and pestilence dominate our attention. But risk management techniques are also applied to the good things in life.... wealth and prosperity, reward and recognition. Consider your investment portfolio. Nothing in your portfolio is there to be lost. You recognize that there are risks, but you manage them. In fact... more risk, more reward.

But you need indicators to help determine if you're winning or losing. Like your investment portfolio we need to know what we want to achieve with our investments in eHealth, and indicators to mark progress or loss.

Canada Health Infoway has issued a technical report titled Benefits Evaluation Indicators - Technical Report, which provides a benefits evaluation framework and indicators for its primary investment lines which include diagnostic imaging, drug information systems, laboratory information systems, public health systems, telehealth systems and the interoperable electronic health record.

Its an important resource for those of you charged with demonstrating the value of eHealth investments.

eHealth Vulnerability Reporting Program

2007-09-25T06:41:00.000-04:00

The eHealth Vulnerability Reporting Program is a venture, founded in May 2006, "to establish approaches and procedures that will help ensure eHealth systems are broadly and rapidly deployed with the highest levels of privacy and security". They have published an executive briefing on some of their findings which include:

EHR vulnerabilities can be exploited to gain control of application or access to data for modification or retrieval
EHR applications have vulnerabilities consistent with other complex applications
Application vulnerabilities have long lives
EHR vulnerabilities are not disclosed to customers of these systems
Commercial EHR systems are vulnerable to exploitation given existing industry development and disclosure practices
Security software effectively reduced time of exposure
No organization could be identified that has responsibility, charter or mission to address security vulnerabilities in eHealth applications

The report stresses that the "sky is not falling" but EHR vendors, healthcare providers and the healthcare industry need to do much more.

This is a space worth watching for future developments.

For an overview of the report read Nancy Ferris' article titled Hacking into e-health records is too easy, group says.

So Much for Transparency ☹

2007-09-21T07:45:00.000-04:00

As I sat yesterday contemplating the contents of the courier package, I thought about Kafka’s Joseph K. and the niggling and growing frustration he felt as he prepared for his trial. These aren’t bad people… these nameless and faceless bureaucrats. But they are a breed, and its in their nature to jealously hoard and guard information.

You may have read the post concerning my Freedom of Information request for the Privacy Impact Assessments for the Ontario Laboratory Information System (OLIS), the Ontario Drug Benefit Drug Program Viewer (ODBDPV), and the Integrated Public Health Information System (iPHIS). My original intention was innocuous enough. Very few PIAs are available on the Internet. I was looking for examples I could use in the Health Privacy Professional Workshop I teach at the Waterloo Institute for Health Informatics Research. I had read two of the three PIAs in question in my former role as Chief Privacy and Security Officer for the Ontario Smart Systems for Health Agency and thought that they would be useful and topical references for workshop participants.

In June the Ontario Ministry of Health and Long Term Care (MOHLTC) denied access to the documents under various exemptions in the Freedom of Information and Protection of Privacy Act. I appealed the decision to the Information and Privacy Commissioner for Ontario.

My appeal has just gone through the mediation process and the courier package contained a new decision to release redacted copies of the OLIS and ODBDPV PIAs. The full iPHIS PIA is still denied. To say the OLIS and ODBDPV PIAs were redacted is an understatement.

Now I would have expected some modest redacting where there was a risk of exposing, for example, security vulnerabilities or trade secrets. However, the redaction in this case went over the top.

The redacted ODBDPV PIA (download a copy here) is an 83-page document. The pages are blank until page 56 where they then released 16 pages of already available public information such as regulations and forms. The last 12 pages are also blank. Not a cover page, table of contents or executive summary… I would not even be able to identify the document as the ODBDPV PIA were it not for the covering decision letter.

The redacted OLIS PIA (download a copy here) is a 153-page document. The first 11 pages containing the cover page, document boilerplate and definitions have been released. This is followed by 110 blank pages, then 2 ½ pages containing a textbook table of very general privacy risks and some legal authorities followed by another 30 blank pages.

Of course the iPHIS PIA was denied in its entirety, which for the sake of the trees involved was probably just as well.

All in all the MOHLTC sent me more than 200 blank pages!

The reasons for the denied access referenced the following exemptions under the Freedom of Information and Protection of Privacy Act.

• Section 12 – Cabinet Records
• Section 14 – Law Enforcement
• Section 17 – Third Parties
• Section 19 – Solicitor-Client Privilege

The sad thing is that these are good projects, and I expect that the PIAs would demonstrate that all known privacy risks have been identified and are being well managed. I personally know and respect the people who wrote these documents. Unfortunately we are subject to those governmental and societal influences so well described by Franz Kafka in his books The Castle and The Trial (I reflect on these issues and my own experience as one of Kafka’s bureaucrats in my essay We’re All Kafka Bureaucrats). If I didn’t know better I could read sinister motives into the Ministry’s denial of my request. What could they be hiding? What terrible risks lurk in these systems that could do serious damage to the good citizens of Ontario?

But no. They hide everything… good and bad. Its in their nature. So much for transparency.

Needless to say I have applied to the Information and Privacy Commissioner’s office to proceed to the next stage – adjudication. We’ll see what happens next.

Oh.. and I will be using these documents in my privacy workshop, though not in the way I had originally intended.

Supplementary Comment (22/9/07):

I'm not the only one frustrated by Government's response to FOI requests. Check out this article in the Globe and Mail titled Delay, denial and stonwalling still clog FOI system.

EHR and Patient Safety

2007-09-18T07:15:00.001-04:00

Canada Health Infoway has published a comprehensive report titled The relationship between Electronic Health Records and Patient Safety. Conducted in collaboration with the Integrated Centre for Care Advancement Through Research and the Canadian Patient Safety Institute, the report provides an honest assessment of what we know and don't know about EHRs and patient safety, and where we need to go.

Worth a read.

Future Directions in Technology-Enabled Crime

2007-09-17T07:02:00.000-04:00

The Australian Institute of Criminology has published a comprehensive report titled Future directions in technology-enabled crime: 2007 - 09. This 166 page tome surveys existing and emerging threats to information systems in the e-enabled world. Among the risks areas discussed are:

Computer-facilitated frauds
Unauthorized access
Evolution of malware
Intellectual property infringement
Industrial espionage
Child exploitation and offensive content
Exploitation of younger people
Transnational organized crime and terrorism
Threats to national information infrastructure

Security has always been a cat and mouse game between the bad guys and those who work to thwart them. This report gives a good overview of the game as of today. Lets hope the good guys can stay out in front.

Get Ready to Rumble!

2007-09-14T08:59:00.000-04:00

I enjoyed immensely yesterday's post by Blogger Dr. Scott Shreeve in an open letter to Google Health's new director Marissa Mayer. He succinctly sums up the challenges encountered by everyone trying to implement IT in health care.

I especially liked his openning salvo:

Get ready to rumble. The healthcare industry is littered with the carnage of decades of innovators shattering themselves against the iron anvil of the healthcare. While there have certainly been successes, there are 10x defeats.

Take a look. Its an short but interesting read.

Catogorizing eHealth Business Risk

2007-09-13T07:20:00.000-04:00

I have been looking for a model for categorizing and evaluating eHealth business risks. The best I've found so far is a standard and guide published by the UK Risk Management Institute titled A Risk Management Standard. This Standard describes four types of business risk:

Strategic Risks - include all of the external and environmental factors associated with an industry. In eHealth this could include political risk, user acceptance (or lack thereof), business model and governance issues.

Compliance Risks - are those risks associated with the need to comply with laws and regulations. In eHealth this would include compliance with privacy and data protection legislation, health and safety regulations, and compliance with legislation governing the operation of health institutions and health professions.

Financial Risks - are those risks associated with the financial structures, transactions and financial processes in place in your organization. In eHealth this could include risks associated with inadequate financial controls, fraud, legal liability and unstable sources of capital and operational funding.

Operational Risks - are those risks associated with operational and administrative procedures. In eHealth this could include business continuity, disaster recovery, procurement issues, and ability to meet required service levels.

All-in-all, a neat and simple way of expressing business risk.

The guide also suggests a basic (though complete) approach to business risk identification and treatment. Another site, UK Business Link, which seems geared to small to medium sized businesses (about the size of our average health care operation), provides a good overview of the process.

How to Eat an Elephant

2007-09-11T08:07:00.000-04:00

Its an axiom that we all-too-often forget. The way to eat an elephant is one bite at a time. Big bang projects are rarely successful. I was reminded of this point while reading an article on the CIO website titled How to Justify an IT Project With Uncertain Returns (And Still Make Your CFO Happy). The author, J.Marc. Hopkins, is the CIO for a large US medical practice. He stresses the need to start small, build on successes, and focus on the needs of end users.

A Foolproof Privacy and Security Plan

2007-09-10T07:43:00.000-04:00

GovernmentHealthIT published an article today titled Experts offer advice for creating a foolproof privacy and security plan for sharing patient information. Key points:

1. Think nationally, act locally
2. Use available tools
3. Bring the right people to the table
4. Be broad but restrictive
5. Study HIPAA (or whatever privacy legislation applies to you - italics mine) then go beyond it
6. Keep the focus on the patient

Useful advice.

Australian Standard AS/NZS 4360 Risk Management

2007-09-07T07:59:00.000-04:00

Anyone looking for a comprehensive standard for risk management should look to Australian Standard AS/NZS 4360 Risk Management. I have looked at just about everything out there in the standards space and find this standard to be the most useful and usable. What I especially like about it is that it takes a broader view of risk, looking at the opportunity side of the equation in addition to the more negative risk-of-adverse-event side.

From the forward to 4360:

Risk management involves managing to achieve an appropriate
balance between realizing opportunities for gains while
minimizing losses. It is an integral part of good management
practice and an essential element of good corporate governance.
It is an iterative process consisting of steps that, when
undertaken in sequence, enable continuous improvement in
decision-making and facilitate continuous improvement in
performance.

Risk management involves establishing an appropriate
infrastructure and culture and applying a logical and systematic
method of establishing the context, identifying, analysing,
evaluating, treating, monitoring and communicating risks
associated with any activity, function or process in a way that
will enable organizations to minimize losses and maximize
gains.

To be most effective, risk management should become part of an
organization's culture. It should be embedded into the
organization's philosophy, practices and business processes
rather than be viewed or practiced as a separate activity. When
this is achieved, everyone in the organization becomes involved
in the management of risk.

Although the concept of risk is often interpreted in terms of
hazards or negative impacts, this Standard is concerned with risk
as exposure to the consequences of uncertainty, or potential
deviations from what is planned or expected. The process
described here applies to the management of both potential gains
and potential losses.

Organizations that manage risk effectively and efficiently are
more likely to achieve their objectives and do so at lower overall
cost.

The Standard is available for purchase alone or with a very useful implementation guide titled HB436 Risk Management Guidelines - Companion to AS/NZS 4360. Both publications are highly recommended.

A Poor Judge of Risks

2007-09-06T08:48:00.000-04:00

Continuing the thread from my post What Type of Person Takes Risks, an anonymous commentator suggested that we look at security guru Bruce Schneier's article Why the Human Brain Is a Poor Judge of Risk.

Every human being (yes.. that's each one of us) looks at life through filters. Some are rosy... some are black... and they change depending on our moods, our personal experiences, and how we interpret our present circumstances. We really can't be trusted to assess risk based on our "gut feelings".

Question: How many animals of each type did Moses take on the Ark?

Answer: None... It was Noah

The human brain is too easily tricked into thinking that it knows and understands more than it really does. That is why we need structured and disciplined processes such as Privacy Impact Assessment, Threat and Risk Assessment or Safety Hazard Risk Assessment.

For more also read Don Norman's essay Being Analog.

We need to apply more science and less instinct.

Dealing with Whistleblowers 2

2007-09-05T07:40:00.000-04:00

eHealthRisk Blog reader Kim Sanders-Fisher posted a lengthy comment on my previous post Dealing with Whistleblowers concerning her own personal experience as a whistleblower at a prestigious US hospital. Her comment suggests that my assertion, that every health care organization should put a reporting system in place that allows staff to report safety, privacy and other risk issues without fear of retribution, was somewhat simplistic.

In a perfect world we would encourage and thank people who report matters that compromise the safety and wellbeing of patients and health care workers. In reality, the world is much more complex and, often times, nasty. We continue to live in a blame-oriented culture that would much prefer to kill the messengers (i.e. whistleblowers) than to accept that our organizations and the people who run them are less than perfect.

Unfortunately, even whistleblowing programs and protections that are in place in progressive organizations are easily subverted by low, middle and senior managers who have a vested interest in maintaining the status quo, even if the status quo poses risks to patients and others. Its too easy to blackball someone, making their life miserable, in the hope that they will just go away.

Quis custodiet ipsos custodes? (Who guards the guardians?) Its sad that those in positions of authority in many organizations will tend to act in their own self-interest and the interests of the organization, rather than in the interests of patients.

I am coming to the conclusion that we must implement independent mechanisms such as the Aviation Safety Reporting System to address risk issues in health care, including safety, privacy and security issues associated with eHealth such as security deficiencies, software and other technology errors and poor human factors engineering. This would include the many systemic and organizational issues that will arise as health care providers us eHealth tools to deliver health care.

I'm waiting to hear about a positive whistleblower experience. One where the whistleblower was acknowledged and thanked for taking a personal risk to protect the interests of the patients they were caring for.

I'm not holding my breath.

Its the Business Model Stupid!

2007-09-04T07:30:00.000-04:00

More and more, it becomes clear that the greatest risk to major eHealth initiatives has nothing to do with privacy, security or other risk issues... Its the business model. Unless there is a clear value proposition for each of the major players in an eHealth program, it will not survive. Scanning the news this morning I came across this post from Modern Healthcare Online titled RHIO experts talk problems, future of movement. Some notable quotes from the article:

It's not yet clear if the incentives exist for healthcare organizations to share information.

One problem with RHIOs as they often are proposed is that they provide the bulk of their benefits to patients and health plans, people and entities that according to our current healthcare payment structure either don't pay at all for RHIO startup and operational costs or pay a disproportionately small share.

It does not make sense for a RHIO to have a consumer-centric model. It's a noble idea to say put the patient first, but what you have to have are business plans within the provider community.

Another common stumbling block to RHIOs is an unwillingness of likely participants to collaborate because of provider and payer rivalry and mistrust.

Too many eHealth initiatives go forward on the assumption that with the right technical architecture and interoperability standards, success is a slam-dunk. While important, what will sink the initiative is one or more stakeholders not believing that it is worth their while to participate.

I was intrigued about the comments concerning the idea of putting the patient first. While it is a noble thought, and while we would do well to structure our architectures based on that premise, eHealth must provide direct, tangible and measurable benefits to those who have to foot the bill or expend the energy effort necessary to ensure success.

Its the business model stupid!

Security of Medical Information

2007-08-31T08:25:00.000-04:00

eHealthRisk Blog reader Lyndon Dubeau passed on this link to UK Information Security Expert Ross Anderson who is a professor at the University of Cambridge. I've just spent an hour watching his online lecture Searching for Evil, in which he discusses how to find and thwart bad guys on the net.

Anderson's website has a wealth of information and useful links. Its worth a look.

Community Attitudes to Privacy 2007

2007-08-30T04:36:00.000-04:00

The Office of the Privacy Commissioner of Australia has issued a report titled Community Attitudes to Privacy 2007. The study aimed "to understand Australians' changing awareness and opinions about privacy laws, how they apply to government and business and how individuals view a range of emerging issues, in particular, identity fraud and theft and the use of closed circuit television."

Also included in the report was an assessment of consumer attitudes towards health services and privacy including inclusion in a National Health Database, health professionals sharing patient information, Doctors discussing personal medical information in an identifiable way, and disclosure of the fact that a patient has a genetic illness - with and without consent. A brief analysis of the report and its implications for health care can be found on Dr. David More's blog Australian Health Information Technology.

What Type of Person Takes Risks?

2007-08-29T07:13:00.000-04:00

How do you classify a person who skydives, yet won't stand up to his/her boss? Is he/she a risk-taker? Understanding why we take some risks and yet avoid others is at the heart of risk management. Researchers at the University of Michigan have recently published a paper titled Towards the development of an evolutionary valid domain-specific risk-taking scale - an unwieldy title better explained in an article titled Not all risk is created equal by the University of Michigan News Service.

Thanks to Gila Pyke for passing this link along.

AHRQ National Resource Center for Health IT

2007-08-28T08:03:00.000-04:00

The Agency for Healthcare Research and Quality (an agency of the US Department of Health and Human Services) has established a National Resource Center for Health Information Technology. While US focused, it contains many articles, resources and toolkits that can be adapted to many jurisdictions. I particularly like their Privacy and Security Toolkit and "Emerging Lessons" pages for CPOE, EMR/EHR, Health Information Exchange, and Health IT in Small and Rural Communities.

Its an excellent site that appears to present a balanced view of many eHealth opportunities and issues.

eHealth Business Risk

2007-08-27T07:59:00.000-04:00

Business risk is associated with the business and political environment in which a health care organization operates. It is perhaps the most challenging area of risk because often the organization doesn’t have control over the measures necessary to reduce the impact or likelihood of such events.

Business risks are often at the heart of the risks identified in other domains. For example, many privacy risks arise because of confused business models that don’t clearly define the roles and responsibilities of each of the stakeholders in an eHealth program. Business risk sometimes transcends the organization for regional, provincial, state and national eHealth programs where government or other supra-organizations are responsible for setting and enforcing standards and policy. The issue of eHealth governance is central to the management of business risk.

There are no defined control standards available to specifically address eHealth business risks at the regional, provincial, state and national levels. Each government jurisdiction has its own unique business and regulatory environment. However, anecdotal evidence suggests several significant control measures that should be put in place for such eHealth programs.

1. An eHealth Governance Framework and Authority – A legitimate body that has the authority to establish and enforce policy and standards in an eHealth environment that includes many healthcare organizations, health care providers and other stakeholders.

2. A Comprehensive Business Model – that defines the roles and responsibilities of each stakeholder in an eHealth program. This includes ensuring that all stakeholders benefit from the initiative in a manner and magnitude consistent with their investment.

3. A Contractual Framework – that accurately represents the business model and agreements between all stakeholders participating in the eHealth program. This would include consent forms and processes for patients.

4. Strategic Business and Technical Architectures –that enable the integration of the eHealth program into the larger health system and ensure that it is interoperable with other eHealth programs and systems.

5. A Stakeholder Engagement Model – to ensure that the interests of all stakeholders, and in particular, patients and end-users, are addressed in all aspects of eHealth program design, deployment and support.

In most jurisdictions around the world, governments have significant involvement in the funding and management of health care. This results in a complex political environment that has a direct impact on business risk. Political influence can be exerted by politicians or by the bureaucracy that supports the government. Political decisions affect priorities and in extreme cases can interfere with normal business protocols.

Business risks associated with eHealth include:

• Regulatory and legal liability
• Financial loss
• Political interference
• Procurement challenges
• Rejection by users
• Business interruption

Guidance on business risk assessment and management can be found in the publication Management of Risk: Guidance for Practitioners that is published by the British government’s Office of Government Commerce. This guide addresses risks at the strategic, program, project and operational levels.

eHealth Insider

2007-08-24T07:58:00.000-04:00

One of my regular stops on the Internet is eHealth Insider, an online journal published in the United Kingdom. Its focus is on eHealth in Britain, but often its articles are universal in nature. There are lots of lessons to be learned from the UK experience, and this online resource is an excellent source of topical information. They publish eHealth Insider (focusing on the NHS's eHealth initiatives), eHealth Insider Primary Care (what's going on in the physician world), and eHealth Europe (what's going on all over Europe). You can subscribe to their online newsletters so you won't miss a thing!

What caught my eye today is a report on an article published in the British Medical Journal titled Potential of electronic personal health records and EHI's subsequent review and interviews with the authors.

The Un-Health Record

2007-08-23T06:22:00.000-04:00

While scanning the Internet my eye caught an article in GovernmentHealthIT titled The un-health record by Nancy Ferris. It discusses a growing trend by Governments to use health claims data instead of clinical data for a "claims-based EHR". This trend is documented in a report by the US Department of Health and Human Services Office of the Inspector General titled State Medicaid Agencies initiatives on HIT and HIE. Similar initiatives exist in other countries, including Canada, where the Ontario provincial government gives emergency department access to drug claims data for the Ontario Drug Benefit Program.

Its understandable that Governments, with their massive stores of health claims data, would want to put that information to use. However, there is always a risk of using information collected for one purpose (claims adjudication and payment) for another (clinical decision making). Data quality is the issue here.

How good is claims data? From the article:

A 2004 study published in the journal Medical Care found that claim forms showed the correct primary diagnosis slightly more than half the time. For secondary diagnoses, doctor’s offices submitted correct information just 27 percent of the time. Other researchers have come up with comparable findings.

What’s more, claims data lacks some important details and nuance because of the universal coding scheme and the way it is used. For example, the scheme does not distinguish between a severe case of diabetes and one that’s under control, and providers don’t always use the diagnostic codes that indicate the spread of cancers. Furthermore, symptoms such as pain or fever usually don’t show up at all.

So long as health care professionals are fully informed about the limitations of the data, the use of claims data probably brings more benefits than risks. Claims data can be used as one input into the clinical decision-making process. However, in the absence of structured processes for evaluating the quality of the data, and safety risks in eHealth, claims data alone cannot be used as the basis for clinical decision-making.

Lessons Learned from Santa Barbara

2007-08-22T06:14:00.000-04:00

One of the most celebrated RHIO (Regional Health Information Organization) failures in the United States was the Santa Barbara County Care Data Exchange which ceased operations in December 2006. The California HealthCare Foundation has released an evaluation of the initiative titled The Santa Barbara County Care Data Exchange: Lessons Learned, which documents the issues leading to the failure and lessons learned for similar initiatives. From the Executive Summary:

The Santa Barbara County Care Data Exchange (SBCCDE) was once one of the most ambitious and publicized efforts to develop health information exchange in the United States, and was considered a model for emerging regional health information organizations (RHIOs) elsewhere. Nearly eight years after its inception, and several months after providing some data to clinical end-users, the SBCCDE ceased operations. Although the venture had developed a peer-to-peer technology infrastructure that enabled authorized physicians, health care organizations, and consumers in the region to access some electronic patient information security via the Internet, the once-promising exchange was unable to overcome major hurdles and thrive.

This case study looks at the history of Santa Barbara's RHIO and why it was not successful. It also presents lessons learned from that experience, briefly describes two other exchanges that have been more successful, and discusses the policy implications for nascent RHIOs elsewhere. Reasons why the project did not succeed include the lack of a compelling business case, distorted economic incentives, passive leadership among participants, vendor limitations and software delays, and due to a variety of factors, the venture's poor momentum and credibility.

This case study is required reading for eHealth risk specialists!

Requirements for Enhancing Data Quality in EHR Systems

2007-08-21T06:10:00.000-04:00

The US Department of Health and Human Services has published a document titled Recommended Requirements for Enhancing Data Quality in Electronic Health Record Systems (EHR-S). The primary purpose of the project was "to identify requirements for EHR-S that can help enhance data protections, such as increased data validity, accuracy and integrity including appropriate fraud management which would prevend fraud from occuring, as well as detect fraud both prospectively and retrospectively."

The fourteen recommended functional requirements include:

Requirement 1: Audit Functions and Features
Requirement 2: Provider Identification
Requirement 3: User Access Authentication
Requirement 4: Documentation Process Issues
Requirement 5: Evaluation and Management (E&M) Coding
Requirement 6: Proxy Authorship
Requirement 7: Record Modification after Signature
Requirement 8: Auditor Access to Patient Record
Requirement 9: EHR Traceability
Requirement 10: Patient Involvement in Anti-Fraud
Requirement 11: Patient Identify-Proofing
Requirement 12: Structured and Coded Data
Requirement 13: Integrity of EHR Transmission
Requirement 14: Accurate Linkage of Claims to Clinical Records

All of these requirements are integral to managing the risks associated with EHRs. A very useful piece of work!

HIMSS PHR Definition and Position Statement

2007-08-20T06:48:00.000-04:00

I give a lot of air time to Personal Health Record (PHR) developments on this blog because I believe they represent the wild card in the high stakes game of eHealth. Think of it as the battle between the controlled economy (EHR) and the marketplace (PHR). For all of the privacy legislation and interoperability standards we put in place, the battle will be won by whoever can capture the attention of the kids who are text messaging and sharing information over their iPhones and Boomers who are increasingly concerned about their deteriorating health and want to take control of their destinies.

The Healthcare Information Management and Systems Society (HIMSS) has published a PHR Definition and Position Statement. They define a PHR as:

a universally accessible, layperson comprehensible, lifelong tool for managing relevant health information, promoting health maintenance and assisting with chronic disease management via an interactive, common data set of electronic health information and e-health tools. The ePHR is owned, managed, and shared by the individual or his or her legal proxy(s) and must be secure to protect the privacy and confidentiality of the health information it contains. It is not a legal record unless so defined and is subject to various legal limitations.

The HIMSS Statement of Position is:

HIMSS supports the development of interoperable ePHRs which are interactive and use a common data set of electronic health information and e-health tools. HIMSS envisions ePHRs that are universally accessible and layperson comprehensible, and that may be used as a lifelong tool for managing relevant health information that is owned, managed and shared by the individual or his or her legal proxy(s). The ideal ePHR would receive data from all constituents that participate in the individual’s healthcare; allow patients or proxies to enter their own data (such as journals and diaries); and designate read-only access to the ePHR (or designated portions thereof).

HIMSS supports ePHR applications with the following characteristics:
• Provide for unique patient identification
• Allow secure access to the information contained in the ePHR
• Permit the receipt of email alerts that do not reveal protected health information (PHI);
• Allow patient proxy(s) to act on behalf of the patient
• Permit the designation of information to be shared electronically;
• Provides technical support to ePHR constituents at all times.

HIMSS champions the development of national standards to ease burdens placed on constituents due to variances in state law and the development of national and uniform state standards to address legal concerns raised by ePHRs such as reliability, reimbursement, ownership, access, transfer, and the limitations, rights and responsibilities of patients and providers for the use of e-health and ePHRs.

Similarly, HIMSS encourages the adoption of incentives by payors, providers, pharmaceutical companies, device manufacturers, and the federal and state governments of the United States to reduce the financial barriers to motivate widespread ePHR adoption.

This is a laudable position that seeks to reign in the wild west world of PHRs. Only time will tell whether the controlled economy or the marketplace prevails.

Project Success and Failure

2007-08-17T06:45:00.000-04:00

Information technology projects are well known for the risk of unsuccessful completion. A 2004 report by the Standish Group indicated that only 29% of IT projects succeed. Of the remainder 18% fail outright and 53% fail to meet expectations by exceeding timelines or budgets, or by failing to deliver the required functionality.

The Standish Group has published the top ten criteria for successful projects:

1. User involvement
2. Executive management support
3. Clear statement of requirements
4. Proper planning
5. Realistic expectations
6. Smaller project milestones
7. Competent staff
8. Ownership
9. Clear vision and objectives
10. Hard-working, focused staff

The issue of project management in eHealth is directly linked to yesterday's discussion of program management. Rarely will a project stand on its own. eHealth is implemented into a complex environment that will require a range of interventions to succeed. These other interventions may include business and clinical process re-engineering, changes in job function, new skills development and cultural change. As a result, an eHealth program may involve a number of projects each of which should be considered in the project risk analysis.

Worthy of note is the top reason for project success (or failure if it is missing): user involvement which we know to be a continuing issue in the development of eHealth systems and infrastructure.

A Program View of eHealth

2007-08-16T08:18:00.000-04:00

I am a big fan of the book by John Thorp titled The Information Paradox: Realizing the Business Benefits of Information Technology (unfortunately it is out of print, though used copies can be ordered through Amazon.com). One of the main points in his book is the need to take a program view of IT initiatives.

Far too many eHealth initiatives start and end with the development and implementation project. Many project sponsors and managers have a "build it and they will come" attitude. They're convinced of the benefits of eHealth. Surely health care workers will see the light and happily adapt their day-to-day routines to accommodate the new system. Unfortunately, taking a narrow IT project view will more likely end up with interruptions in business and clinical processes, user rejection, and ultimate failure.

Programs are structured groupings of projects designed to produce clearly identified business results or other end benefits. Rarely does an eHealth system stand on its own as a single project. eHealth is invariably implemented into a complex environment requiring a range of interventions to ensure a successful outcome.

For example, eHealth systems often form part of larger business transformation initiatives such as those supporting primary care reform or wait-times management. Even on their own, eHealth systems require re-engineering of business and clinical processes, changes in job function, end-user training, transformation of organizational culture and ongoing management and maintenance in the operational environment in order to be successful.

One cannot realize benefits or manage risk with a narrow project view of an eHealth initiative. The implementation project represents only the first phase in a long term eHealth program designed to benefit patients, health care providers and health care organizations.

Google and Microsoft..... Again

2007-08-15T07:00:00.000-04:00

I don't usually publish links to the mass media because they tend to be sketchy in terms of accurate information and rarely contain any meaningful analysis (see my post Critical Reading) . Sometimes they mislead more than they inform.

However, yesterday's New York Times published an article titled Google and Microsoft Look to Change Health Care. Again, the article is really sketchy, but its worth reading to get a sense of where these two software behemoths may be headed with personal health records. It gives some clues as to what Google is putting into its prototype application, and some of the challenges that are likely to slow Google and Microsoft down.

Some of Google's prototype screenshots are showing up in the blog world. Check out the First Google Health Screenshots post from Google Blogoscoped.

Business Continuity Planning

2007-08-14T07:11:00.000-04:00

On this, the 4th anniversary of the North American blackout that left more than 50 million people in the dark, I thought it appropriate to discuss business continuity planning. Disasters happen and the health care community must be prepared for them. As health care becomes more dependent on information technology, health informaticians also have to be prepared. A disaster of any kind causes increased demand on the health system. We can't afford to have the technical infrastructure supporting healthcare compromised at the same time.

I had personal experience with two disasters while I was at the Ontario Smart Systems for Health Agency (SSHA). One was the blackout mentioned. At Smart Systems we thought ourselves clever by building two high availability data centers with alternate energy supplies and telecommunications systems that barely felt a blip during the blackout. While our data centers were happily humming along, our administrative offices were shut down, the roads, traffic and public telecommunications networks were gridlocked making it difficult for staff to carry out their duties (though they did manage to get through), and many of our clients were without the power needed to run their local systems.

The other disaster was the SARS outbreak that hit Toronto causing a massive public health crisis. Our own data center staff was quarantined for several days after a data center employee (not an employee of SSHA) in another part of the complex went into the data center while infected (that person later died - thankfully no SSHA staff were infected). Fortunately we were still in the build phase at the time and not running any critical health information systems out of the data center.

These and other disasters such as Hurricane Katrina demonstrate that catastrophic events do happen and that it behooves us to be prepared. See how jumpy public health officials are at the news of a chicken sneezing in a Chinese marketplace.

eHealth has the potential to help the health system cope with a disaster, as was evidenced during Katrina. Electronic health records can aid disaster workers and those who must care for chronically ill patients. But this only works when we have taken adequate precautions to ensure that our information systems are operational at the same time.

I came across a unique public health website the other day. The Peel Public Health Unit (servicing an area just outside of Toronto) is promoting business continuity planning as part of its public health program. They emphasize the need to anticipate disasters, to plan and protect our people, processes, facilities and technologies in the event of a disaster. The threats they suggest need to be addressed are:

Fire
Labour interruption
Communication breakdown
Pandemic influenza
Communicable disease outbreak
Supply chain interruption
Natural/man made disasters
Transportation accident - Rail
Essential services failure (power, water, sewer, telecom)
Water contamination
Flooding/drought/water shortage
Severe weather conditions (extreme heat, extreme cold, freezing rain and severe storms)
Technology collapse
Terrorism/Sabotage/Cyberterrorism
Bio terrorism
Your worst nightmare

Based on their risk assessment the threats in bold letters represent the 5 most serious threats to the Peel community. This will vary from community to community.

Disasters happen. Our eHealth systems will break down and fail. We need to be ready.

The Point of Vanishing Interest

2007-08-13T07:01:00.001-04:00

Have you ever attended a meeting like this one?
(note that this was written in 1957 - 50 years ago)

__________________________________________

Chairman: We come now to Item Nine. Our Treasurer, Mr. McPhail, will report.

Mr. McPhail: The estimate for the Atomic Reactor is before you, sir, set forth in Appendix H of the subcommittee's report. You will see that the general design and layout has been approved by Professor McFission. The total cost will amount to $10,000,000. The contractors, Messrs. MaNab and McHash, consider that the work should be complete by April, 1959. Mr. McFee, the consulting engineer, warns us that we should not count on completion before October, at the earliest. In this view he is supported by Dr. McHeap, the well-know geophysicist, who refers to the probable need for piling at the lower end of the site. The plan of the main building is before you - see Appendix IX - and the blueprint is laid on the table. I shall be glad to give any further information that members of this committee may require.

Chairman: Thank you, Mr. McPhail, for your very lucid explanation of the plan as proposed. I will now invite the members present to give us their views.

It is necessary to pause at this point and consider the various views that the members are likely to have. Let us suppose that they number eleven, including the Chairman but excluding the Secretary. Of these eleven members, four - including the chairman - do not know what a reactor is. Of the remainder, three do not know what it is for. Of those who know its purpose, only two have the least idea of what it should cost. One of these is Mr. Issacson, the other is Mr. Brickworth. Either is in a position to say something. We may suppose that Mr. Issacson is the first to speak.

Mr. Issacson: Well, Mr. Chairman. I could wish that I felt more confidence in our contractors and consultant. Had we gone to Professor Levi in the first instance and had the contract been given to Messrs. David and Goliath, I should have been happier about the whole scheme. Mr. Lyon-Daniels would not have wasted our time with wild guesses about the possible delay in completion, and Dr. Moses Bullrush would have told us definitely whether piling would be wanted or not.

Chairmain: I am sure we all appreciate Mr. Isaacson's anxiety to complete this work in the best possible way. I feel, however, that it is rather late in the day to call in new technical advisers. I admit that the main contract has still to be signed, but we have already spent very large sums. If we reject the advice for which we have paid, we shall have to pay as much again.

(Other members murmer agreement)

Mr. Issacson: I should like my observation to be minuted.

Chairman: Certainly. Perhaps Mr. Brickworth also has something to say about this matter?

Now Mr. Brickworth is almost the only man there who knows what he is talking about. There is a great deal he could say. He distrusts that round figure of $10,000,000. Why should it come out to exactly that? Why need they demolish the old building to make room for the new approach? Why is so large a sum set aside for "contingencies"? And who is McHeap, anyway? Is he the man who was sued last year by the Trickle and Driedup Oil Corporation? But Brickworth does not know where to begin. The other members could not read the blueprint if he referred to it. He would have to begin by explaining what a reactor is and no one there would admit that he did not already know. Better to say nothing.

Mr. Brickwork: I have no comment to make.

Chairman: Does any other member wish to speak? Very well. I may take it then that the plans and estimates are approved? Thank you. May I now sign the main contract on your behalf? (Murmur of agreement) Thank you. We can now move on to Item Ten.

Allowing a few seconds for rustling papers and unrolling diagrams, the time spent on Item Nine will have been two minutes and a half. The meeting is going well. But some members feel uneasy about Item Nine. They wonder inwardly whether they have really been pulling their weight. It is too late to query that reactor scheme, but they would like to demonstrate, before the meeting ends, that they are alive to all that is going on.

Chairman: Item Ten. Bicycle shed for the use of the clerical staff. An estimate has been received from Messrs. Bodger and Woodworm, who undertake to complete the work for the sum of $2350. Plans and specification are before you, gentlemen.

Mr. Softleigh: Surely, Mr. Chairman, this sum is excessive. I note that the roof is to be of aluminum. Would not asbestos be cheaper?

Mr. Holdfast: I agree with Mr. Softleigh about the cost, but the roof should, in my opinion, be of galvanized iron. I incline to think that the shed could be built for $2000, or even less.

Mr. Daring: I would go further, Mr. Chairman. I question whether this shed is really necessary. We do too much for our staff as it is. They are never satisfied, that is the trouble. They will be wanting garages next.

Mr. Holdfast: No, I can't support Mr. Daring on this occasion. I think that the shed is needed. It is a question of material and cost...

The debate is fairly launched. A sum of $2350 is well within everyone's comprehension. Everyone can visualize a bicycle shed. Discussion goes on, therefore, for forty-five minutes, with the possible result of saving some $300. Members at length sit back with a feeling of achievement.

Chairman: Item Eleven. Refreshments supplied at meetings of the Joint Welfare Committee. Monthly, $4.75.

Mr. Softleigh: What type of refreshment is supplied on these occasions?

Chairman: Coffee, I understand.

Mr. Holdfast: And this means an annual charge of - let me see - $57?

Chairman: That is so.

Mr. Daring: Well, really, Mr. Chairman. I question whether this is justified. How long do these meetings last?

Now begins an even more acrimonious debate. There may be members of the committee who might fail to distinguish between asbestos and galvanized iron, but every man there knows about coffee - what it is, how it should be made, where it should be bought - and whether indeed it should be bought at all. This item on the agenda will occupy the members for an hour and quarter, and they will end by asking the Secretary to procure further information, leaving the matter to be decided at the next meeting.

_________________________________________________

Unfortunately I've attended far too many meetings like this.

This excerpt is taken from the essay High Finance or the Point of Vanishing Interest in the book Parkinson's Law by C. Northcote Parkinson. You can read another essay (the one that gave the book its title) Parkinson's Law or the Rising Pyramid at this link. I'm sure you've heard of the law "Work expands so as to fill the time available for its completion". Enjoy!

Truth is Better than Make-Believe

2007-08-10T07:12:00.000-04:00

I have just finished reading Henry David Thoreau's classic book Walden... a book chalkfull of famous one-liners and aphorisms. One of the lines in his conclusion is "Any truth is better than make-believe".

The quote struck me because one of the greatest barriers to the successful implementation of eHealth initiatives is a failure to see the truth of our circumstances. Lack of complete and accurate information and understanding is at the root of most eHealth risk.

Why don't we know the truth of our present circumstances? There are many reasons.

We might not have all the facts.
The facts that we do have might not be accurate.
We might not understand the context well enough to be able to interpret the facts that we do have.
We might fill in any gaps in the facts with our own best guesses, which may be wrong.
Someone may deliberately withhold the facts, or distort them, or deliberately or unwittingly give us misinformation.
We might be too busy or not have enough time to gather the facts, and will make decisions based on our gut instincts instead.
Our biases and prejudices may cause us to misinterpret or disregard the facts.
Wishful thinking may lead us to fit the facts into a conclusion that we have already reached.
We might deliberately alter or withhold the facts to avoid blame, or to shield another person or our organization from blame.

Most people don't ignore, alter or withhold information with malicious intent (though that sometimes happens). There are often extenuating circumstances that cause people to interpret the world as they would like it to be. Wishful thinking and avoiding blame are probably the biggest reasons for this.

The first step in any risk management exercise is to understand the environment and context into which your eHealth initiative is to be implemented. This is where science helps. The scientific method is the best approach to analyzing a situation. What are the known facts (i.e. truth)? Where are the gaps? Can we develop reasonable hypotheses to fill in the gaps... and then test those hypotheses multiple times?

We don't know the entire truth about eHealth. We have some early indications of what works and what doesn't. Understanding what we know and don't know, and being honest and truthful about it, and being prepared to take risks, is what is needed to start the journey towards eHealth Nirvana.

Is Privacy a Legal Issue or Management Issue?

2007-08-09T05:34:00.000-04:00

There are at least two schools of thought about privacy; one school much larger than the other. The larger school says that privacy is essentially a legal issue... a subject best addressed by lawyers. The smaller school says that privacy is a management issue... those engaged in the management of the business should address privacy issues, consulting legal counsel only when necessary to understand the legal requirements and risks in a particular situation. This matter relates to my recent post Compliance vs. Risk Management.

I am clearly a member of the second school. My experience is that when lawyers get involved in an eHealth initiative, the result is overkill. Solutions are sometimes over-engineered. Complex functionality is created that addresses issues that are very low risk.

I pick on privacy here because privacy (and to a lesser extent - security) is the subject of comprehensive legislation. It seems that legislators and lawyers have little or no interest in the safety or business risks associated with eHealth. Even security issues outside of the privacy domain such as data and system availability and integrity, which can have massive legal and risk implications, are given little attention.

In their proper place legal counsel can be very useful. Privacy legislation is often complex. Health care managers need to understand the legal implications of their decisions. However, legal matters are only one piece of the risk equation that managers must consider.

It comes down to who is calling the shots: the manager or the organization's legal counsel. In my view it must always be the manager.

That said, I found a useful legal resource for Canadians on the web called the Canadian Privacy Law Blog published by Canadian privacy lawyer David Fraser. He has a very comprehensive privacy resource and links section. I'll keep my eyes open for similar resources in other countries.

Listen to your lawyer, then make your decision in the best interests of the patient, health care providers and your organization. Don't let your lawyer make your decision for you.

The Human Factor

2007-08-08T07:27:00.000-04:00

Without question the best book I've read about human factors engineering and the issues that arise when we put human beings and technology together is The Human Factor: Revolutionizing the Way We Live With Technology by Kim Vicente. Vicente has written a very readable and fascinating book drawing on real life experiences from the aviation, nuclear, health care and other high risk industries. The book is organized around the "Human-Tech Ladder" which describes a hierarchy of relationships that explains why things sometimes go wrong when humans and technology mix. The ladder looks at the following factors:

Physical - Size, shape, location weight, colour, material
Psychological - Information content/structure, cause/effect relations
Team - Authority, communications patterns, responsibilities
Organizational - Corporate culture, reward structures, staffing levels
Political - Policy agenda, budget allocations, laws, regulations

The book demonstrates that IT failure can rarely be attributed to a simple technology failure or by the failure of a single human being. The extraordinary complexity of the surrounding technological and human systems together with this hierarchy of human-technology relationships is often at the root cause of failure.

I highly recommend this book for anyone building, installing or operating eHealth systems.

Categorizing eHealth Benefits

2007-08-07T07:56:00.000-04:00

There seems to be a consensus emerging in the literature about how one would categorize the benefits of eHealth. As we move further with the evaluation of eHealth initiatives, it is important to agree on definitions and categories, and to establish measures for each of these benefits. This will help us to compare projects and help health care managers to develop solid business cases for their eHealth projects.

The categories are:

Improved Productivity: increased efficiency, reduced duplication of tests and procedures, cost reduction/avoidance/containment, support to program reform and health system change management.

Improved Access: easier access to health services in remote or under serviced areas, reduction in wait-times for medical and surgical procedures, improved access to data for research.

Improved Quality: improved patient health outcomes, improved population health outcomes, reduction in preventable adverse events, patient empowerment, improved patient satisfaction, improved privacy and security, enhanced accountability.

We continue to have a challenge coming up with quantifiable measures for eHealth benefits that are comparable across a range of eHealth initiatives. This is a particular problem with the assertion that eHealth can help to improve patient and population health outcomes and improve patient safety. The literature is very sketchy on these subjects and even conflicted on the issue of patient safety. Defining benefits and their measures is an essential task to complete if we are to justify the investments being made in eHealth infrastructure and applications.

eHealth Business Modelling

2007-08-06T06:59:00.000-04:00

In my experience one of the most serious risks to any eHealth initiative is the absence of a sustainable business model. While we all get excited about the potential for improving patient care and increasing the efficiency of health care delivery through eHealth, far too many initiatives fail to adequately define the business relationships between the many stakeholder groups, establish a mechanism for information governance or ensure long-term financial sustainability.

I found a really interesting toolkit called the eHI HIE Value and Sustainability Model and Tool Suite prepared by the eHealth Initiative as part of their Connecting Communities Toolkit that provides a lot of guidance on the business aspects of eHealth as it relates to Health Information Exchanges (HIE) and Regional Health Information Organizations (RHIO). The toolkit addresses market readiness, value assessment, risk assessment and provides a pro-forma business plan. This is an excellent site and resource. Check it out.

Commercial Services and Products 1

2007-08-04T06:47:00.000-04:00

It is my intention to keep this blog commercial-free. However, some of our blog readers represent companies that are trying to make a meaningful difference in the health care space. Having been a health IT entrepreneur myself, I believe its important to give them a voice too.

So here's my plan. From Monday to Friday all eHealthRisk posts will be commercial-free. On weekends I will post news from companies that have contacted me during the week. You will recognize the posts because they will be titled "Commercial Services and Products #". Inclusion on the blog does NOT represent endorsement of the service or product, though I will review the information in every post to ensure that it is reasonable and not misleading to eHealthRisk readers. Please contact me if you find anything to the contrary.

iMedix

Our first commercial post comes from iMedix, a "community powered health search engine" according to co-founder Iri Amirav. It is a site that enables people with different health conditions to communicate and share experiences with others with the same condition. If for example you have diabetes or asthma, you can post your questions or experiences concerning the disease to a blog or discussion forum. Its essentially an Internet self-health group.

There's obviously a significant opportunity to empower patients with a site like this. There are also a number of risk issues including privacy and safety risks that service providers like iMedix need to address. iMedix is seeking comments and feedback from eHealthRisk readers on the Alpha version of its site.

In order to get into the alpha site you need a user ID and password that can be obtained by sending a blank email to ehealthrisk@imedix.com. They have set up accounts for 50 eHealthRisk readers.

Kroll Fraud Solutions

Our second commercial post this week comes from Kroll Fraud Solutions. Brian Lapidus, Senior Vice President of Kroll has published an FAQ on identity theft titled Identity Theft Protection for Healthcare Companies. This post has been picked up by several health IT blogs. It is a good primer for those who have an interest in identity theft.

Patient Safety and the USVA

2007-08-03T04:48:00.000-04:00

One of my favorite sites for the management of patient safety issues is the US Veterans Administration. There are a lot of educational materials and tools that I believe can be adapted to addressing patient safety issues associated with eHealth. I especially like the Patient Safety Assessment Tool, an Excel spreadsheet questionnaire that addresses many of the controls that should be in place when dealing with patient safety and the Healthcare Failure Mode and Effect Analysis (HFMEA) which is a five step process to conduct a prospective patient safety risk analysis. The five steps in the HFMEA are:

Step 1 - Define the Health Failure Mode and Effect Analysis Topic
Step 2 - Assemble the Team
Step 3 - Graphically Describe the Process
Step 4 - Conduct a Hazard Analysis
Step 5 - Actions and Outcome Measures

An excellent resource worth spending a little time on.

Compliance vs. Risk Management

2007-08-02T04:04:00.000-04:00

One of the first realizations I had when I started researching risk management in eHealth is the need for a paradigm shift from what I call a "compliance mindset" to a "risk management mindset".

The compliance mindset says that if you following all of the prescribed laws and standards, everything will be OK. The risk management mindset says that you need to understand the world around you, you need to understand your eHealth program, and you need to understand all of the risks associated with implementing the eHealth program into your environment. The risk management mindset then insists that you do something about those risks.

eHealth has been caught up in the compliance mindset, particularly with respect to privacy and security. Unfortunately, our legislators and standards setters have only tackled part of the risk issue associated with eHealth. While we have privacy legislation in most jurisdictions, and while standards are emerging for eHealth security, we miss many eHealth risks.

The biggest gaps in my mind are around safety risks and the many project and business risks associated with eHealth.

I personally have never seen an eHealth project fail because of a privacy issue (though breaches have caused grief for eHealth managers and the unfortunate victims). I have however seen many eHealth initiatives fail because of project and business risks that were completely predictable, but invisible to those who operated in the compliance paradigm. Poor project management, business models that failed to address the needs of all stakeholders, poor understanding of the end-user environment, inadequate funding and poor procurement practices top my list of factors that have caused eHealth projects to fail.

The safety issue is the sleeper here. The only reason we haven't seen more safety issues is that we have only just begun to implement eHealth into the clinical environment. Early experience around CPOE suggests that implemented well CPOE can reduce medical errors. Implemented poorly, CPOE can kill. As eHealth rolls out I believe we will see more and more serious safety issues. As of yet there is no structured process for assessing safety risk in eHealth (although draft safety standards for health IT software are in development at ISO TC215/WG4). But even these standards will address only part of the safety issue.

Compliance with legislation and standards is a good thing. Legislators and standards setters are to be lauded for their efforts. But it isn't enough. If eHealth is to succeed we need to tackle the full range of risk issues associated with health IT and the human and business systems that surround it.

Journal of Medical Internet Research

2007-08-01T06:57:00.001-04:00

The Journal of Medical Internet Research is an excellent resource on all matters associated with eHealth. Based out of the Centre for Global eHealth Innovation in Toronto, Canada, the journal is an international scientific peer-reviewed journal on all aspects of research, information and communication in the healthcare field using Internet and Intranet-related technologies.

I personally was struck by two articles relevant to my eHealth risk and opportunity research: Design and Evaluation in eHealth: Challenges and Implications for an Interdisciplinary Field and Improving Information Technology Adoption and Implementation Through the Identification of Appropriate Benefits: Creating IMPROVE-IT.

All journal articles can be accessed in in HTML format for free. A paid membership fee is required if you want to download PDF files of articles.

This is a page worth bookmarking.

The Dark Side of eHealth

2007-07-31T06:58:00.000-04:00

In a comment on last Thursday's post on eHealth for Safety, Dr. Hamza Mousa, a physician and system developer in Egypt, provided a link to his blog post concerning a website that appears to be brokering exchanges in blood and organs, outside of any official process or mechanism for organ donation and transplantation. He raises both the privacy and public safety issues associated with such sites.

We all know that the Internet is used for all kinds of nefarious purposes - kiddy porn, hate mongering and the like. We know that the Internet health care space is filled with quackery and sites that seek to take advantage of people in desparate circumstances.

This will be a constant struggle for those of us who promote the Internet as a tool to enhance the health and well-being of patients. I'm not sure what we can do about such sites. One thing we can be certain of is that for all the good eHealth can do, some people will be motivated to exploit the technology and the people who use it.

Trust and Understanding

2007-07-30T07:04:00.000-04:00

Friday's post on Making Progress Towards EHRs generated some lively discussion about the health sector's state of readiness with respect to EHRs and other information and telecommunications technologies. I agree that we are at a tipping point with respect to the capability of ICTs to revolutionize the work of health professionals. However, the skeptic in me keeps niggling away about the human issues that still must be addressed before we see health care providers embracing the technology in the way those promoting eHealth envision; i.e. a world of happy healthcare providers willingly and enthusiastically sharing information with one another and with other stakeholders in a collegial and collaborative way.

Central to it all is trust and understanding. By and large, I don't think the major players in the health sector trust and understand each other. In particular there is a great divide between those who provide health care and those who pay for it. At the 100,000 foot level we all agree on the basic tenets of health care and eHealth, but when it comes to implementing eHealth on the ground, different agendas and points of view come into play. Many eHealth initiatives are sponsored by the payer community (Government or private sector) who want to see improved efficiencies and happier customers. These initiatives are often regarded with suspicion by health care providers who fear unwanted intrusion into their daily work and relationships with patients.

I don't think that there is any maliciousness at play here. Everyone wants to do a good job providing excellent care to patients while at the same time making a decent living. Unfortunately each of the different stakeholder groups sees the promised eHealth world differently.

Witness the gaps (well documented in many of the papers noted on this site) in meaningful end-user involvement in the development of requirements and the design of eHealth systems. Many eHealth system developers live in a Dilbert world where users are seen as just another component in a complex business process that is better understood by engineers than by knowledgeable health care practitioners. This is particularly acute when the paymasters for the eHealth initiative is a government or insurance company rather than the health care providers, or some group acting on their behalf. He who pays the piper calls the tune. This lack of involvement promotes distrust, and ensures that we will not understand one another.

The answer is information governance. While the technological capability may exist for eHealth, and while health care providers are becoming more technically savvy, without some mechanism for brokering consensus about eHealth systems requirements, the rules and standards governing eHealth and a respected approach to enforcing those rules and standards, I fear that our eHealth initiatives will continue to flounder or fail to realize their real potential.

There is some progress being made towards information governance, particularly with respect to the privacy issue. But privacy is only one of a range of issues that must be addressed before we cross the tipping point into eHealth Nirvana. This is what I believe will take the time. Implementing technology is a lot easier than changing attitudes or building trust. The technology will be in place long before the human part of the system matures to the point that we will realize the full benefit of eHealth.

Making Progress Towards EHRs?

2007-07-27T07:16:00.000-04:00

The May 28, 2007 issue of InformationWeek included a comprehensive article titled Why Progress Toward Electronic Health Records Is Worse Than You Think. It cuts through much of the hype about the US experience with EHRs and cites a number of examples.

While there is evidence of an increase in the use of electronic health information systems, the long sought-after change in health care provider behaviour, data-sharing, is lagging far behind. The most encouraging example cited was the Indiana RHIO created by the Regenstrief Institute, which was developed over 30 Years! "The secret of success is having patience," says Dr. Marc Overhage, Regenstrief's director of medical informatics.

My own experience is that any successful system in health care takes at least 10 years from first concept to full implementation and integration into business processes (not including implementation of straightforward and mature HIS's - note the near-obsession with PACS as an early win in the EHR game). 30 years is not unrealistic for the integration of many disparate systems and the associated changes in health care provider behaviour through what amounts to a complete re-engineering of the care delivery process. Most proponents of EHRs will argue that that's not good enough.

Perhaps not, but it is reality.

eHealth for Safety

2007-07-26T07:19:00.000-04:00

I came across this website, eHealth for Safety , commissioned by European Commission Information Society. The site is a little light on content, but does feature an interesting paper, eHealth for patient safety: towards a European research roadmap. The paper summarizes many of the published findings already in the literature. Its a good and balanced overview document that promotes eHealth as an enabler of improved safety while acknowledging the safety risks associated with health IT. The site has got a good links section as well for those interested in IT and patient safety.

HIPAA Privacy and Security

2007-07-25T04:59:00.000-04:00

Noted US privacy and security expert Dr. William Braithwaite gave a Keynote address at the Fourth Health Information Technology Summit in March titled Will Privacy and Security Concerns Impede HIT Initiatives? Identifying Issues and Practical Solutions. The Healthcare Update News Service has posted a video of Dr. Braithwaite's address.

The presentation gives a general overview of HIPAA compliance and activity throughout the United States. If you have a spare 33 minutes today, put on your headphones and watch.

Links and information were gleaned from Neil Versel's Healthcare IT Blog.

eHealth and Ethics

2007-07-24T04:41:00.000-04:00

In order to address the privacy and safety rights of patients we need a sound ethical basis on which to understand, interpret and balance the issues associated with eHealth. Professor Eike-Henner Kluge, Professor of Philosophy at the University of Victoria has written a paper titled Ehealth, the USA Patriot Act and other hurdles: the black lining on the silver cloud that defines the ethical basis of eHealth and EHRs and explores issues such as the impact of national legislation to combat terrorism on eHealth, the development, harmonization and enforcement of standards, and the education and certification of Health Informatics Professionals.

An excellent paper well worth the read.

Procurement Woes

2007-07-23T05:01:00.000-04:00

In many parts of the world eHealth initiatives are run or funded by government organizations. As a result, they are subject to greater public scrutiny than most ICT projects. Procurement is one area rife with risk for government project managers and project sponsors. These risks include:

Conflicts of interest - should there be any real or perceived linkages between the vendor and project principals - no matter how small or insignificant
Competition - or lack thereof - especially in cases where the procurement is system-wide such as selecting a system for GPs where the procurement decision alters the marketplace perhaps putting some unsuccessful vendors out of business and limiting choice for end users
Immature business models where the roles and functions of the vendor, purchaser and users are poorly defined leading to breakdowns that undermine project success
Criticism and censure by public oversight bodies
Inflated costs due to a poor understanding of the risks and liabilities

Once again the NHS has been singled out for criticism by the British Parliamentary Public Accounts Committee for a major procurement action in a report titled Dr Foster Intelligence: A joint venture between the Information Centre and Dr Foster LLP. The conclusion and recommendations included the following statements:

By failing to advertise the deal or hold a competition, the Department and Information Centre let it appear that the joint venture offered an advantage to one company at the expense of others.
Without an open competition, the Information Centre cannot demonstrate that it paid the best price for its 50% share of the joint venture, as there are no tenders or other benchmarks for comparison.
In developing the joint venture deal, the Department's Commercial Directorate did not follow established good practice in public sector procurement.
The cost of professional advice on the joint ve£nture (Dr. Foster Intelligence) increased from an initial estimate and contract for £284,000 to between £1.75 and £2.5 million on a £12 million investment.
The Department and Information Centre could have reduced the need to rely heavily on professional advice by making use of wider government experience on forming public private partnership.
It is unclear what benefits the Information Centre will receive from the joint venture.
In the first year the joint venture made a loss of £2.8 million compared with the expectation that it would make a small profit.

How about a Safety Commissioner?

2007-07-20T04:08:00.000-04:00

Here's my thought for the day. In Canada and in other jurisdictions we have had great success in driving a health information privacy agenda with the enactment of privacy legislation and the appointment of Privacy Commissioners to receive complaints from the public and to oversee legislative compliance.

Perhaps we should do the same with patient safety.

Discipline and oversight of such matters is currently left with professional colleges for actions by health professionals as individuals, but I don't think anything exists to monitor and respond to incidents that have systemic causes, or are perpetrated by organizations.

With somewhere between 7000 and 23,000 Canadians dying each year due to medical error, and knowing that there are real risks associated with the systems we are implementing, the time is right for patient safety legislation and the appointment of a Safety Commissioner.

Like the more progressive Privacy Commissioners in this country, the Safety Commissioner's role would be one of leadership, promoting patient safety, objectively investigating safety incidents, and ordering changes to individual and systemic clinical and business practices and behaviors to improve safety for patients.

Its something worth considering.

eHealth Risk Exposure

2007-07-19T07:47:00.000-04:00

In my research on eHealth risk I have identified two classes of risk. First, risk to patients (and to a lesser extent health care providers)– which encompasses privacy, security and safety risk, and second, risk to the organization (or health system at large) which encompasses project, operational and business risk.

Peter Croll and Jasmine Croll of the Queensland University of Technology in Australia have published a paper titled Investigating risk exposure in e-health systems that brilliantly addresses the former. It considers and integrates the analysis of a range of risk issues including quality, usability, privacy and safety.

We are all aware that eHealth systems operate in a complex environment of people, process and technology. Any assessment of risk must consider and balance the wide array of risks associated the system and the environment in which it will operate. The QUiPS model described in this paper goes a long way to addressing this need.

Government's Role in eHealth

2007-07-18T07:05:00.000-04:00

I’ve always struggled with the role of government in health care, and more recently in eHealth. I’m a supporter of publicly funded healthcare. What better insurance pool than the entire population of a nation? And who better to set the rules around regulation of an industry that affects the health and well-being of every citizen?

Governments and government-sponsored agencies are good at several things: infrastructure for one, and rules, regulation and enforcement for another. Think about our road systems. Governments usually build and maintain the roads. They set the rules for driving on the roads, and they enforce those rules with police forces. By and large they do a pretty good job.

But they don’t run trucking companies, or car dealerships, or the myriad of businesses that spring up along transportation arteries to take advantage of a traveling public. Those things are better left to market forces and private initiative, which by and large do a pretty good job.

So what should government and government-sponsored agencies do in eHealth? In my own opinion it’s just like the road system:

• Planning and Strategy – to drive consensus on how the all stakeholders in the eHealth game will approach their own applications and how they will interact with one another.
• Infrastructure – like secure high-bandwidth networks, systems to identify and authenticate citizens be they patients or health care providers, secure communications systems to support public health and other services.
• Standards – to define minimum requirements for security, safety, usability and interoperability for everything running on the infrastructure.
• Rules of behavior – defining acceptable uses for the information and services flowing through the network and acceptable behaviors with respect to privacy and safety.
• Enforcement – to ensure that standards are adopted and rules obeyed.

As a general rule, governments should stick to systemic initiatives and avoid getting involved with application systems and other activities that impacts healthcare workflows or the complex interactions between stakeholders. They are not close enough to the action to understand end-user needs or impacts.

In those instances where governments are funding the development and deployment of eHealth applications, they should behave as any prudent investor would. Government should avoid direct involvement and intervention, but is within its rights to demand action and behavior that will deliver promised results.

So what would the ideal situation look like?

The government would lead on the development of an eHealth strategy based on consensus amongst eHealth stakeholders, would establish a common eHealth infrastructure that would otherwise be outside the purview, competence or capacity of any other stakeholder, set and enforce standards and the rules of engagement for eHealth participants.

Health care organizations and providers (including regional collectives such as health regions or districts) would worry about their own priorities for eHealth applications and undertake development and deployment of eHealth systems in response to the needs of their communities.

Government could participate in local application initiatives as a prudent investor, focusing on results and value for money, but letting the community determine its own needs and approach to development and deployment.

I've Got Nothing To Hide!

2007-07-17T05:00:00.000-04:00

One of the most familiar retorts to the notion of personal privacy is the “nothing to hide” argument. The basic notion is that if you have something that you want to keep private (i.e. something to hide) there must be some suspicious motive for your position. It must be illegal, or immoral, or so inappropriate that somehow the rest of us have a right to know about it.

Many jurisdictions have privacy legislation in place to protect health information. But these statutes invariably exempt actions by governments where homeland security, public health or other law enforcement activities are involved. In our post 9/11 world (or 7/7 world in the UK), governments all around the globe use the “nothing to hide” argument to justify intrusions into our day-to-day lives. While the population might acknowledge that some intrusions are warranted to fight terrorism, we would do well to be skeptical about the motives of government bureaucrats and over-zealous law enforcement officials who may be tempted to use the information for purposes other than what was intended; a phenomenon known as function creep. Click here for a good example of function creep.

Privacy consultant Patrick Lo passed on an excellent paper written by Daniel Solove of George Washington University titled ‘I’ve Got Nothing to Hide’ and Other Misunderstandings of Privacy that explores and debunks this argument.

Highly recommended. Download and read.

Mr. Granger Bids Adieu

2007-07-16T04:25:00.000-04:00

Richard Granger is stepping down after five years at the helm of the UK NHS’s National Program for IT. This is probably the largest single eHealth initiative in the world. Subject to scathing criticism, particularly in a recent report by the UK Parliament’s Public Accounts Committee, Granger gives his parting shots in an interview with CIO Magazine.

I recall some remarks made by Canada Health Infoway President Richard Alvarez during his keynote speech at eHealth 2007 in Quebec City. Alvarez commiserated with Granger and recognized the challenge of implementing national health information infrastructures. Like it or hate it, the UK NHS is on the bleeding edge of eHealth blazing trails that other nations will inevitably follow…. or avoid. Either way the global eHealth community will benefit from the UK’s learnings.

I recommend reading the Summary and Conclusions and Recommendations sections of the Parliamentary report (pages 3 - 7) before reading Granger’s interview. The two viewpoints provide an interesting counterpoint. Which account is truer? I’d be interested in your views.

Perspectives on PHRs

2007-07-13T05:21:00.001-04:00

There's a lot of buzz and hype about Personal or Patient Health Records (PHRs). A PHR is a health record that is in the control of the individual patient, who makes it available as required to their health care providers. There are a great many risks associated with PHRs, but with giants like Microsoft and Google making noise about entering the space, anything can happen.

The California HealthCare Foundation has published a report titled Perspectives on the Future of Personal Health Records. It briefly explores the PHR from six perspectives:

The Big Picture Perspective
The Consumer Perspective
The Physician Perspective
The Clinical Technology Perspective
The Employer Perspective
The Public Health Perspective

Though very high level and supportive of the concept, the report doesn't sugarcoat the risks that must be addressed before PHRs can become a reality.

Another useful reference is the paper Personal Health Records: Definitions, Benefits, and Strategies for Overcoming Barriers to Adoption. The paper summarizes a symposium of the AMIA College of Medical Informatics in 2005.

Both publications are worth a look for anyone interested in PHRs.

Wrong About Justen

2007-07-12T09:42:00.000-04:00

OK. I was wrong. In yesterday's post about Whistleblowing I made some unkind and unsubstantiated comments about Justen Deal, the young man who blew the whistle on Kaiser Permanente's eHealth Record Management System. I just got off the phone with Justen who, in our hour long conversation, proved himself to be a quite mature and not-at-all arrogant person. He took his action after exhausting all other means of bringing problems with the system to the appropriate authorities and in full awareness of the consequences. Sorry Justen... please turn that smack into a pat on the back.

Understanding eHealth Success and Failure

2007-07-12T08:24:00.000-04:00

The success or failure of health information systems is the result of a complex mix of people, organizational processes and technologies. I continually look for theories that help to explain the interaction between these dynamic elements.

I came across a paper presented at the 2002 International Conference on Systems Sciences titled Structuration Theory and Conception-Reality Gaps: Addressing Cause and Effect of Implementation Outcomes in Health Care Information Systems written by Angelina Kouroubali at the University of Cambridge in the UK. It applies the work of Anthony Giddens and Richard Heeks to a case study on the Isle of Crete.

Further Googling took me to the source paper for Heeks' work titled Why Health Care Information Systems Succeed or Fail. As is always the case, technology accounts for only one small part of eHealth success or failure. Heeks' model is based on the acronym ITPOSMO which stands for Information, Technology, Processes, Objectives and values, Staffing and skills, Management and structures, and Other resources: money and time. Heeks also developed a method for eHealth Project Risk Assessment called the Design-Reality Gap Technique.

These are three very good references. Download and read!

Dealing with Whistleblowers

2007-07-11T04:56:00.000-04:00

I was scanning the web looking for leads on a story that has been circulating about Kaiser Permanente and a major failure of its reported $4 billion eHealth records management system. It started with a Computerworld article based on a 722 page internal report outlining the inadequacies of the system. Following up on yesterday's post on "Critical Reading" I was curious to find out how bad this system really was. BIG systems always have BIG problems, and my gut tells me that the fact that Kaiser commissioned such a comprehensive review of its system is a good thing.

More interesting though is how the story came to light. Justin Deal, a 22 year-old Kaiser employee was incensed at the waste and problems the system was causing and took it upon himself to send an email to 120,000 Kaiser employees. The Wall Street Journal quoted the email in part:

"In a blistering 2,000-word treatise, Deal wrote: “We’re spending recklessly, to the tune of over $1.5 billion in waste every year, primarily on HealthConnect, but also on other inefficient and ineffective information technology projects.” He did not stop there. Deal cited what he called the “misleadership” of Kaiser Chief Executive George Halvorson and other top managers, who he said were jeopardizing the company’s ability to provide quality care.

“For me, this isn’t just an issue of saving money,” he wrote. “It could very well become an issue of making sure our physicians and nurses have the tools they need to save lives.”"

Wow... How would you respond if you saw an email like that in your inbox?

Was Justin Deal right? Was he wrong? After reading his blog, I would have smacked him. He sounds like an immature, arrogant, self-righteous kid. [PLEASE NOTE Retraction of this comment] Although... I must admit I was once like that myself.

The issue here is how do we deal with whistleblowers.

Like Kaiser's system, many of our eHealth systems will have MAJOR problems. So much so that some people will feel compelled to expose waste, mismanagement, fraudulent acts, and errors that hurt people. We tacitly support the notion of whistleblowing, but as organizations we fail to provide a legitimate outlet or channel for people to voice concerns. They then turn to the media or other methods of exposing what they believe to be misdeeds.

I personally have experience with two whistleblowing episodes. In the first case the person, frustrated with the organization, went to the media with allegations of wrongdoing. This ended up badly for everyone. In the second case the person approached a trusted member of the organization's management. The trusted manager took the matter seriously, thoroughly investigated the matter and protected the whistleblower's confidence and identity. Issues were brought to the executive team's attention for action. This case ended up well.

In each of these two cases the whistleblowers had only part of the information and reported issues which, to the outside observer seemed troublesome, but upon investigation were found to be explainable and without malfeasance. The second case did point out some procedural issues that were easily resolved.

In both cases the whistleblowers were acting in what they believed to be the best interests for the organization and its clients. They knew the risks and put their jobs and reputations on the line. That's the challenge with whistleblowers. You're dealing with people who want to help and who care deeply for the organization and its mandate.

A risk management system must have a mechanism for people to report safety issues, privacy and security breaches, project and operational risks, conflicts of interest and wrongdoing. Most important: the person doing the whistleblowing must believe that following the right channel will result in a positive outcome, that their concerns will be taken seriously, and that they will not face retribution. Otherwise we force them to look for other avenues to expose wrongdoing.

Set up a whistleblower reporting system in your organization. A good starting point is Shaping Your Whistleblower System by Gerald Bloch. Don't waste your 15 minutes of fame on a headline or broadcast email subject line like the ones that Kaiser faced.

Check out the Wall Street Journal Health Blog for more discussion on the Kaiser incident.

Critical Reading

2007-07-10T06:37:00.000-04:00

The most important factor when assessing risk is the availability of complete, accurate and current information. You can’t reliably predict risk outcomes without the all of the facts, or at least as many facts as are available at the time. Where do we find accurate and reliable information about eHealth?

The simple answer is nowhere. Everything you read or hear about anything, be it geopolitics, global warming or eHealth comes from a biased perspective that must be taken with a grain (or a whole shaker) of salt.

I remember when I first lost faith in the mass media as a source of reliable information. It was in December 2001 when I was Chief Privacy and Security Officer at the Ontario Smart Systems for Health Agency (SSHA), a branch of the Ministry of Health at the time. Canada’s national newspaper, the Globe and Mail, broke a story about an SSHA system that had gone live the month before. From the front page the nation learned about security weaknesses and inappropriate behavior by the Agency and its personnel.

Problem was, none of it was true. The reporter had fashioned a scathing article out of a few disparate documents leaked to him by a disgruntled employee. This was my first experience where I actually knew all of the relevant facts of the case and could compare it to what I saw in the media, and the media got it all wrong. To finish this story, the Information and Privacy Commissioner for Ontario conducted a comprehensive investigation that exonerated SSHA. The Globe printed a brief article acknowledging the Commissioner’s report, but buried it deep inside the paper and never repudiated its allegations.

Today, as I scan the net each morning looking for news and resources for the blog, I maintain a skeptical eye. I read, but put little stock in the mass media. They are out for headlines and sales. The mass media dwells on the negative, jumping on an event such as a security breach when it first occurs, quickly losing interest and rarely reporting on the final outcomes of any investigation that may come months later.

Trade magazines are a little better, though while the mass media dwells on the negative, trade journals (paper and online) tend to overstate the positive. With the organizational Chiefs (CEOs, CIOs, CFOs, etc.) as their audience and IT vendors footing the bill through advertising, they are less inclined to report when things go really bad. They don’t want to bite the hand that feeds them.

Blogs are an interesting new source of information, but they are inherently biased. Usually authored by one person, or a group of like-minded people, blogs offer opinion. Facts are filtered to support the blogger’s point of view. In many cases, mine included, blogs are maintained by consultants and companies who want to show you how clever they are in the hope that you will hire them. Treat blogs (including this one) as you would a movie or theatre critic. Find one that represents your point of view, but don’t expect pure truth.

A number of reports and publications are published by organizations mandated to deliver eHealth as a function of public policy (in Canada this includes Canada Health Infoway, the Smart Systems for Health Agency and Ministries of Health). Every country has its proponent organizations. At the international level groups like the WHO and the EU promote eHealth aggressively. You never hear bad news stories from these sources. There is often a blurring of objective fact and marketing hype in these publications which can be useful, but need to be understood in their context of promoting public (i.e. political) policy.

The most reliable sources of information (in this blogger’s biased point of view) are respectable peer-reviewed journals published by professional organizations. Reports by respected public authorities such as government auditing agencies (e.g. the Auditor General in Canada), privacy commissioners and standards producing bodies (e.g. ISO, CSA, ANSI, CEN) can be generally relied upon. But even these documents are products of a point-in-time view of available facts and must be read with that in mind. Their findings can become irrelevant as circumstances change over time.

You can’t ignore any source of information as you try to assess risk in eHealth. Even the mass media teaches you how the mass media is likely to respond if you or your organization is the subject of a security breach or patient safety incident. The key is to read critically and to try to keep it real.

eHealth Risk Workshops

2007-07-09T06:24:00.000-04:00

Dates for the next eHealth Risk-Opportunity Report Card Workshop and Health Privacy Professional Workshop at the Waterloo Institute for Health Informatics Research (WIHIR) have been announced. The risk workshop will be held the evening of October 2nd and all day October 3, 2007, and the privacy workshop the evening of October 3rd and all day October 4, 2007.

The workshops are practical "hands-on" case-study oriented events complemented by online lectures. The risk workshop will feature the final version of the eHealth Risk Report Card methodology which has been under development for the past year at WIHIR.

eHealth Risk-Opportunity Report Card Workshop

On-Line Lecture - Review before you arrive - Managing eHealth Risks and Opportunities

On-Site Evening Session (October 2nd)

Introduction to workshop instructors and participants
Introduction to the eHealth Risk Report Card Methodology (interactive lecture)
Introduction to the case study

On-Site Day Session (October 3rd)

Managing eHealth Risk at the facility, regional and provincial levels - real life stories - Guest Lecture by Judy Farrell, Director, Health Information and Privacy, London Health Sciences Centre, London, Ontario
Conducting an eHealth Opportunity Analysis (workshop activity based on case-study)
Conducting an eHealth Risk Analysis (workshop activity based on case study)
Making the Grade - Completing the eHealth Risk Report Card (workshop activity based on case study)

Health Privacy Professional Workshop

On-Line Lectures - Review before you arrive - Privacy Fundamentals, Privacy and the Law, Privacy Roles and Responsibilities, Security Fundamentals for the Privacy Professional, Managing Privacy and Security Risks in Health Information Systems.

On-Site Evening session (October 3rd)

Introduction to workshop instructors and participants
Privacy as an eHealth Risk Issue (interactive lecture)
Introduction to the case study

On-Site Day session (October 4th)

Privacy Governance - Interactive Lecture
Developing and Implementing a Privacy Program - Conducting a Privacy GAP Analysis (workshop activity based on case study)
Conducting a Privacy Impact Assessment (workshop activity based on case study)
Addressing Privacy Risks - How to Co-opt senior management, staff and other stakeholders (workshop activity based on case study)

Both workshops will be held on the campus of the University of Waterloo in Waterloo, Ontario, Canada.

The early bird registration date is August 15, 2007. Register now for the early bird discount.

A Zero Sum Game

2007-07-05T16:46:00.000-04:00

Yesterday I received an email from Lyndon Dubeau, an information security specialist at the Ontario Association of Community Care Access Centres. He sent a link to a Health IT Survey conducted by Kaiser Permanente in conjuction with the Health Care IT Summit focusing on question 10 which reads as follows:

"10. I'm going to read you a statement and please tell me if you agree or disagree with it:

'The benefits of electronic medical records, such as better treatment in an emergency and a reduction in medical errors, outweigh any potential risk to patient privacy or the security of health information.'"

The survey showed that 73% of respondents agreed with the statement, 25% disagreed, and 2% were unsure or didn't know.

Lyndon writes:

"The zero-sum-game approach to question 10 is interesting and pits two risks against each other.

1) The risk of not getting the best treatment in an emergency (a risk that people can relate to and understand)

2) The abstract risk of 'something' bad happening from a privacy/security perspective.

The challenge I face as an information security professional is helping the business understand that it's possible to have reasonable security/privacy controls in place without hampering the ability to get work done."

Lyndon is right-on with respect to the corner health informaticians paint themselves into with the fuzzy logic of public opinion. This isn't an either/or question. It isn't a question of privacy and security of information OR safety. Patients need and deserve both, and quite frankly, we are dishonest when we suggest that patients need to make a choice.

The issue is similar to discussions I had recently with some Waterloo Bootcamp and eHealth Risk Workshop participants. I was asked to comment on an Order by the Ontario Information and Privacy Commissioner that required health organizations to apply strong security measures to personal health information on laptop computers. The suggestion from some participants was that this was an onerous obligation to put on health care organizations struggling to improve and deliver patient care. My reaction was that the Privacy Commissioner's order was not only reasonable, but organizations that failed to apply readily available technologies such as encryption to information on laptop computers were remiss in their basic responsibilities.

Of course the real problem these people faced was getting healthcare professionals, and in particular physicians who wanted to download their patient records from the hospital system to their own computers, to apply basic security measures. It requires well thought out polices, training and enforcement that some organizations, because of the power politics, are reluctant to implement. I'm sure that a 100 years ago doctors complained about hand washing and how it wasted time that could otherwise be spent with patients.

The survey itself is problematic. Question 10 is a bad question. Given the bald choice between death and disclosure of my personal information, of course I'm more likely to side with safety. I'm encouraged that 25% of respondents saw through this ploy. I would suggest that anyone who uses the data to support less privacy and security is doing a great disservice to patients, health care providers and healthcare organizations.

For an example of an excellent survey of consumer attitudes towards EHR's I would point you to a 2003 survey by the Information and Privacy Commissioner of Alberta titled OIPC Stakeholder Survey 2003. In particular, check out section 6 (pages 31 - 35) for some real information on consumer attitudes, interests and concerns about EHR's.

I invite everyone who reads this post to comment. Is question 10 a fair question?

Short Cuts to Failure

2007-07-05T06:05:00.000-04:00

A large number of eHealth initiatives, especially those that are infrastructure oriented, are government sponsored or led. I came across a paper titled Walking Atop the Cliffs: Avoiding Failure and Reducing risk in Large Scale E-Government Projects. The paper identifies six "Short Cuts to Failure". These shortcuts include projects that:

Will conduct a cursory stakeholder identification process
Will not seek serious partnerships or ongoing information collection with stakeholders, key or otherwise
Will curtail the breadth and depth of the feedback collected from stakeholders
Will follow a pre-determined path for the project and not develop a plan based on stakeholder feedback
Will revert to traditional analysis methods in response to environmental pressure for an answer
Will adopt the results of the pre-study of business processes rather than invest in comprehensive investigation and documentation necessary.

The paper includes a review of the literature on project management and illustrates its findings with a case study.

Long gone are the days when IT folks could restrict user involvement to requirements definition and acceptance testing - leaving most of the development process to the engineers and technical analysts. End users must be involved at every stage of the development process and beyond. They're the ones who must live with the system.

I find it interesting that most of these short cuts to failure involve the failure to effectively engage stakeholders or respond to their issues, needs and concerns. I personally am aware of a number of major eHealth projects that fall into this category. Due to time pressure or politics they don't engage stakeholders; especially the end-user health professionals who are supposed to use the systems. On occasion the principals even hold significant stakeholder groups in contempt, hiding ulterior motives for the system such as cost containment or greater control of the health system.

The one conclusion I've come to in my research on eHealth risk is that effective and meaningful stakeholder engagement is MANDATORY for eHealth projects. It will take more effort and time, but its the shortest "Shortcut to Success".

Privacy and Security Review and Audit

2007-07-04T04:46:00.000-04:00

Are you ready for an audit by a privacy and security oversight agency? Privacy legislation in many jurisdictions gives designated oversight agencies the power to review and audit the privacy, security and information handling practices of health care organizations.

According the Computerworld, health care organizations in the United States are on edge because the US Department of Health and Human Services (HHS) initiated an audit of Atlanta’s Piedmont Hospital for compliance under the HIPAA’s Security Rule. In an article dated June 19, 2007 Computerworld published a list of the 42 policies, procedures and other documents HHS asked Piedmont to provide.

Earlier this year the Information and Privacy Commissioner for Ontario (Canada) conducted a review of the Ontario Smart Systems for Health Agency (SSHA). SSHA provides the technical infrastructure for eHealth in the province of Ontario. The IPC report and SSHA’s response can be found on the SSHA Website.

Do you really have to worry about a review or audit by an oversight agency? I know that in Canada all of the Information and Privacy Commissioner offices are grossly under funded with respect to the review and audit role and would be challenged to undertake any kind of systematic approach to general audit and review. How strong is the capacity of HHS or oversight agencies in other countries to take on an aggressive role in this regard?

Audits and reviews are most likely to be initiated after a major security or privacy breach, or some other event that brings an organization to the overseer’s attention. The chances of being selected at random for a review or audit are likely the same as a plane crash. They happen, but the chances of it happening to me personally are pretty remote.

Successful eHealth Projects

2007-07-03T05:30:00.000-04:00

The European Union has issued a report titled eHealth is Worth it - The economic benefits of implemented eHealth solutions at ten European sites. This 60 page report provides evidence of the economic benefits of 10 projects widely regarded as successes.

The report focuses on lessons learned in eHealth initiatives and has distilled the reasons for success down to six key factors:

Commitment and involvement of all stakeholders: All phases of eHealth development, implementation and deployment have to besupported by citizens/patients, health providers,industry, authorities, and third party payers.
Strong health policy and clinical leadership that guides a flexible and regularly reviewed eHealth strategy: While the strategy should be directed by a long term vision of a citizen-centred health delivery system, it must address concrete needs of actors in the system. The strategy should include achievable, shorter term goals that create an eHealth investment dynamic. A big-bang approach with ambitious goals to be achieved over a short period of time is not recommended.
Regular assessment of costs, incentives and benefits for all stakeholders: Considering purely financial return on investment at an institutional level, or potential benefits for only one of the stakeholders, may lead to suboptimal decisions. Particular attention should be paid to include all users, some of whom are often neglected in such assessments.
Organisational changes in clinical and working practices: This is indispensable in order to optimise the use of ICT-enabled solutions and realise the benefits. Such changes should be facilitated by greater legal certainty in using eHealth solutions.
Strong clinical leadership, good organisational change management, multi-disciplinary teams with a well-grounded experience in ICT and clear incentives: The combination of skills of the people involved will make the difference between success and failure, not the specific eHealth solution. Skills development through continuous education and training is essential.
Long term perspective, endurance and patience: Beneficial eHealth investment is like a good wine. It takes a considerable amount of time (about 5 years) to mature and develop its potential fully.

These findings are consistent with my own analysis of the success factors for benefits realization. I have created a Benefits Realization Gap Analysis Tool that includes most, if not all of these factors as part of the eHealth Risk Report Card Methodology. It is available for free download at www.ehealthrisk.com.

Google Health

2007-07-02T05:58:00.000-04:00

As we sit around contemplating data models, nomenclatures, privacy impact assessments, and technical architectures for an interoperable electronic health record (EHR), the real world is racing ahead of us. Consider this.... One day we may wake up and find that many of our patients have their own online Google health record. Dr's are using their iPhones to access not only the Google health record, but diagnostic images. Maybe that latest ultrasound will be available on YouTube.

This is not as far-fetched as it sounds. Many of us leading the charge in health informatics are old fogies, locked into the technological concepts of the 1970's, 80's and 90's. We still think websites are pretty cool, while our kids (most of whom are now adults) are texting one another with a coded language that certainly doesn't look like Snowmed or ICD-10.

This involves not only new technology, but new ideas, new ways of relating to one another and new values. Perhaps the biggest risk to what we are all now calling the EHR is that our work will be eclipsed by a marketplace and a generation that doesn't have the patience for our bureaucratic approaches to EHR development. I would liken our state to the recording industry. We're working with 8-track tapes that give us quadraphonic sound while our kids are downloading iTunes.

Blogger Vince Kuraitis has written an analysis titled Connecting the Dots...Google Health Promises to Create and Dominate Next Generation PHRs. Also check out this post linked from the Clinical Cases and Images Blog for an example of what you can see on You-Tube.

Is the Google initiative a bad thing? No, not at all. Its certainly a little scary to those of us who really worry about things like patient safety and privacy. However, if we are to achieve our goals for eHealth (for example the Canada Health Infoway goal of providing EHRs to 50% of the Canadian population by 2010), maybe the Google approach is the way to go... and perhaps we won't have a choice. It may happen in spite of us.

Never Learned Much From What Went Right!

2007-07-01T06:23:00.000-04:00

I remember an old friend and colleague, a country lawyer working for the Department of Justice of an eastern Canadian province who once said to me, "I never learned much from what went right." We were working on the aftermath of a particularly troublesome project that not only failed, but where the principals ended up in prolonged legal action.

That troublesome project taught everyone involved a lot of very important lessons.... lessons that I apply to this day in my consulting practice.

The overwhelming number of posts on this blog will be about bad news. Unfortunately, we rarely publicize our successes, and when we do, the commentary is often accompanied by more hype than evidence.

Every eHealth project is a success if we can harvest learnings and experience. Much in the eHealth world is experimental. At this stage of eHealth evolution the things that don't work can be just as valuable that the things that do. Perhaps more so. How many improvements in aircraft design, crew training, air traffic control and emergency response have come from the investigations of air crashes? Quite a few.

Unfortunately, health care is dominated by a blame-oriented culture. This is due in large part to the political nature of health care in many parts of the world. Publicly funded health care is a wonderful thing, but it exposes us to political influences. The prevailing attitude is "Failure is not an option". This means that failures are buried, hidden or swept under the carpet rather than studied for the valuable intelligence they contain.

As you read the posts on this site, be thankful to those people who are sharing their experiences with us, both successes and failures. Its through this sharing of experience that we will improve the success to failure ratio for all eHealth initiatives.

eHealthRisk.com

2007-06-30T05:48:00.000-04:00

I have set up a companion website to this blog at www.ehealthrisk.com. The website contains:

A list of all links featured on the eHealthRisk Blog including all documents referenced on the blog and in the reference section of the eHealth Risk Report Card Methodology. I also indicate whether the materials are free or must be purchased (eHealth Risk Links).
Downloads of the eHealthRisk Report Card Methodology and any supplementary materials, PowerPoint presentations given on the subject (Home page).
Educational opportunities (Training page)

You can get to eHealthRisk.com by clicking the links in the eHealthRisk.com section in the left hand column of this blog.

Identity Theft

2007-06-29T05:40:00.000-04:00

One of the factors considered when you conduct a threat and risk assessment is the motivation of the threat agent (i.e. bad person) who wants to steal the personal health information in your custody. This often leads some privacy naysayers to ask "who would want to steal my health information? There's nothing interesting there and even if they did, who cares?" There is a touch of truth to this. I can't imagine anyone getting off on my history of negative lab test results.

There is however the matter of identity theft. No one wants my lab tests, but they might be motivated by the opportunity to take over my bank accounts, credit cards and home mortgage. Health care databases are a rich source of data for identity thieves who are more interested in the state of my finances than the state of my health.

We must also recognize that health care is a valuable service that doesn't cover everyone, especially those living in the United States who might be motivated to scam some free health services. Stealing the identity of an insured person is one way of gaining access to free health care.

Gordon Atherley has written a white paper on identity theft in health care. I'll also point you to the article Diagnosis: Identity Theft from an earlier post on this blog. The World Privacy Forum has published a report titled Medical Identity Theft: The Information Crime that Can Kill You. Download and read these papers. Someone out there will be motivated to go after your databases not because they intend to misuse the health data, but because they want to rob us blind.

Knowledge Centre

2007-06-28T11:33:00.000-04:00

Dr. Gordon Atherley maintains a website called the Knowledge Centre for Privacy, Security and Safety of Information Technology. The Centre contains a large inventory of media reports and other information on many aspects of eHealth with a focus on privacy and security. In a telephone conversation with Gordon today, he told me that his objective is to publish information resources to support the public's right to know.

Its worth a look.

The Burden of eDiscovery

2007-06-28T04:19:00.001-04:00

In an email to me yesterday, Dr. Scot Silverstein wrote: "You might want to add to your risks on eHealthRisk.com the new risk of eDiscovery. I just attended an AHIMA conference (Amer. Health Info Management Assoc.) where this was discussed. The infrastructure required to be able to respond effectively to eDiscovery requests will likely become increasingly burdensome to healthcare organizations."

The American Health Information Management Association (AHIMA) has published a summary of the Electronic Discovery Civil Rule and how it applies to healthcare organizations. While this applies to organizations in the United States, one will expect that similar issues will arise in all national jurisdictions. From the summary:

"As electronic health record (EHR) technology advances, sophisticated litigators are gaining a better understanding of the information they can obtain from e-mail messages, databases, software applications, computer logs, and metadata. Electronic discovery (e-discovery) is becoming a critical part in gathering and using evidence in legal proceedings, complementing traditional methods such as photocopies, printouts, and digital images of patient medical records.

New changes to the Federal Rules of Civil Procedure related to e-discovery will greatly affect how healthcare organizations manage their electronic records. This practice brief provides an overview of pretrial requirements in the e-discovery civil rule and reviews the relevance and application of each section of the rule to healthcare organizations. Additionally, it identifies the steps HIM professionals can take to prepare their departments and organizations for the challenges associated with e-discovery."

Health IT Horror Stories

2007-06-27T05:40:00.000-04:00

Dr. Scot Silverstein of Drexel University has published a website titled Sociotechnologic issues in clinical computing: Common examples of healthcare IT failure. He provides an excellent overview of health IT issues and case examples illustrating a number of health IT horror stories. Only by understanding what's gone wrong can we make sure that our eHealth systems go right. Its worth taking a look.

EHR Information Governance

2007-06-26T07:34:00.000-04:00

The best survey I’ve seen of information governance issues for EHR’s and eHealth in general is a white paper prepared by Canada Health Infoway titled Information Governance of the Interoperable Electronic Health Record (EHR). While the paper restricts its scope to privacy and security matters, it inevitably touches on governance issues that can be applied across the spectrum of eHealth risk. This is an important educational resource and essential reference for all students of eHealth risk management.

The paper raises many issues that need to be resolved before an interoperable EHR can become a reality. For example it acknowledges what I believe to be the biggest problem in privacy risk management - the problem of what to do with the results of privacy impact assessments.

“Although substantial expertise exists across Canada in the conduct of PIAs, few best practices or policies have been developed to monitor the implementation of privacy risk mitigation strategies and to integrate privacy monitoring and PIA revisions into the change management process. Developing programs to ensure continuous privacy management is an issue that will need to be addressed as part of effective EHR information governance.” (page 15)

The paper doesn't have all the answers, but it does ask the right questions. This is a must read.

eHealth Safety Issues - Focus on CPOE

2007-06-25T13:49:00.000-04:00

Much of the literature on eHealth safety focuses on Computerized Physician Order Entry (CPOE) systems and their potential for reducing medical errors, particularly with respect to medications. However... the literature is split on the efficacy of CPOE systems and some evidence points to the potential for CPOE systems to contribute to errors. The following papers give pause for thought for those who want to barrel ahead with eHealth implementations.

J. Ash, M. Berg, E. Coiera, Some Unintended Consequences of Information Technology in Health Care: The Nature of Patient Care Information System-related Errors, JAMIA Mar/Apr 2004

Y. Han, J. Carcillo, S. Venkataraman, R. Clark, R. Scott Watson, T Nguyen, H. Bayir, R. Orr, Unexpected Increased Mortality After Implementation of a Commercially Sold Computerized Physician Order Entry System, Pediatrics Dec 2005

R. Koppel, J. Metlay, A. Cohen, B. Abaluck, A.R. Localio, S. Kimmel, B. Strom, Role of Computerized Physician Order Entry Systems in Facilitating Medication Errors, JAMA Mar. 9 2005

R. Berger, J.P. Kichak, Computerized Physician Order Entry: Helpful or Harmful? JAMIA, Mar./Apr. 2004

G. Kuperman, R. Gibson, Computer Physican Order Entry: Benefits, Costs and Issues, Annals of Internal Medicine, July 2003

A few thoughts after reading these articles:

CPOE is undoubtedly a good thing... if implemented well.
CPOE is not a magic bullet. Simple implementation of a CPOE system will not automatically result in reduced errors. In fact it may increase errors.
All CPOE systems are not created equal. Some commercial products are better than others... which also means that some commercial products are worse than others.
Software implemented badly, no matter how good it is, will result in a bad system that can hurt people.

FOI Request and Appeal for PIAs

2007-06-22T09:01:00.001-04:00

In February I submitted an FOI request to the Ontario Ministry of Health and Long Term Care (MOHLTC) under the Freedom of Information and Protection of Privacy Act (FIPPA) for documentation associated with 3 major eHealth projects: the Ontario Lab Information System (OLIS), the Ontario Drug Benefit Drug Program Viewer (ODBDPV), and the Integrated Public Health Information System (iPHIS). The request included copies of the Steering Committee minutes and Privacy Impact Assessments for each of the 3 projects, and a copy of the Province's Strategic eHealth Plan.

The Ministry released redacted copies of the Steering Committee minutes but denied access to the PIA's and Strategic eHealth Plan.

Reasons for denying access to the PIA's included:

For OLIS - Section 12(1)(a) of FIPPA - Cabinet Records
For ODBDPV - Section 14(1)(i) of FIPPA - Law Enforcement, and 17(1)(a)(b)(c) of FIPPA - Third Party
For iPHIS - 12(1)(c)&(e) of FIPPA - Cabinet Records, and 14(1)(i) of FIPPA - Law Enforcement.

The Ministry found a 2004 eHealth Strategy document and denied access under Section 12 (Cabinet Records) of FIPPA.

I have appealed the denial of access to the PIA's to the Information and Privacy Commissioner for Ontario. I decided not to pursue the matter of the Strategic Plan as it appears that the Ministry does not have a current eHealth Strategic Plan.

The IPC has acknowledged receipt of my appeal.

I'll post updates on the Blog concerning the progress of this request.

Positive Feedback on eHealth Risk - Opportunity Workshop

2007-04-25T14:20:00.000-04:00

The attendees at the first eHealth Risk-Opportunity Report Card Workshop on April 17/18 at the University of Waterloo gave good grades to the Waterloo Institute for Health Informatics Research and workshop instructor Brendan Seaton for the event. Average participant evaluation scores for workshop content was 4.3 out of 5, and for presenter knowledge and presentation 4.5 and 4 out of 5 respectively. Overall organization of the workshop was rated at 4.4 out of 5.

A thank you to the participants who were fully engaged and who offered a great deal of constructive criticism and advice for the next version of the report card.

Comments on eHealth Risk Opportunity Report Card Paper

2007-04-23T10:25:00.000-04:00

Rupak Mazumdar, Senior Risk Analyst for the Ontario Smart Systems for Health Agency offers the following comments on the Report Card Paper.

In general, I think that you have put together a well-thought out paper.

I like Page 5 where you have indicated that each eHealth program can apply flexible weights to the report card. Risk management tools need to be flexible to address different situations.
The opportunity-risk matrix in Table 5 is also a nifty idea.
I am very interested in seeing the paper put into real practice. In fact, application of the paper is a theme for me. Applying this to a pilot area of eHealth will be the true test of what works, what does not work and what needs to be refined a bit.

The biggest potential obstacle that you may face is with the definition of risk.

There are many competing definitions of the word risk out there. You have defined risk as the possibility that a threat will be realized resulting in harm or loss.
The risk management world is slowly moving towards more of a risk definition that is uncertainty of outcome, with an outcome potentially having both positive and negative elements.
I like the uncertainty definition much better because it inherently contains both the positive and negative definition of risk. It also forces the risk assessor / manager to focus on events and scenarios that have not occurred yet as opposed to issues that have already materialized.

I may seem to be quibbling but I have come to the epiphany that when I talk about risk management, often everyone in the room has different definitions of risk (a bad thing, uncertainty, an impact, a possibility, etc.). If you agreed with the semantics change, the language would change slightly in the paper. For example, in the title:

The eHealth Risk Report Card:

A practical approach to realizing opportunities in eHealth from understanding and managing risk

Many in the audience for this paper could potentially have little understanding of risk management methodology. Hopefully that is not the case too often as a CIO should have at least a rough understanding of risk management. Still, you may want to have a brief primer on risk management in your back pocket or in an Appendix.

Much of the material that was brought over to SSHA to help define the risk management framework came from the brilliant Australian Risk Management Standard AS/NZS 4360:2004 RISK MANAGEMENT. You will want to cite the framework in your end notes.

What can go wrong with eHealth?

2007-04-20T10:49:00.000-04:00

The British Parliament's Committee of Public Accounts has published a report that is very critical of the NHS' National Program for IT. It identifies many issues which are captured in our eHealth Risk-Opportunity Report Card. This is a list of their conclusions and recommendations [words in square brackets are mine]:

The delivery of the patient clinical record, which is central to obtaining the benefits of the programme, is already two years behind schedule and no firm implementation dates exist. [project risk]
The Department has not sought to maintain a detailed record of overall expenditure on the Programme and estimates of its total cost have ranged from £6.2 billion up to £20 billion. [business risk]
The Department's investment appraisal of the Programme did not seek to demonstrate that its financial benefits outweighed its cost.[business risk]
The Department is maintaining pressure on suppliers but there is a shortage of appropriate and skilled capacity to diliver the systems required by the Programme, and the withdrawal of Accenture has increased the burden on other suppliers, especially CSC. [project and business risk]
The Department needs to improve the way it communicates with NHS staff, especially clinicians. [project and business risk]
We are concerned that the leadership of the Programme has focused too narrowly on the delivery of IT systems, at the expense of proper consideration of how best to use IT within a broader process of business change. [benefits realization risk]
The Department should clarify responsibility and accountability for the local implementation of the Programme. [business risk]
The use of only two major software suppliers may have the effect of inhibiting innovation, progress and competition. [project and business risk]
At the present rate of progress it is unlikely that significant clinical benefits will be delivered by the end of the contract period. [benefits realization and project risk]

It would be interesting to see what grade the NHS would get for their Programme.

Download White Paper

2007-04-17T06:08:00.000-04:00

I have finally put together a complete White Paper on the eHealth Risk-Opportunity Report Card. It is available for download in its FIRST DRAFT form. I am looking for comments and criticisms on the concept and the approach to managing eHealth opportunity and risk. In particular:

Are there any serious inaccuracies?
Are there sections or terms that require more explanation?
Could this be used by competent people in average health care organizations?
Are there points that should be footnoted and sourced?
Are there alternative standards that would be better than the standards referenced in the paper?

I plan to post all comments on this blog. A second draft will be available in a couple of weeks after I've digested comments and criticisms from the first round of review.

Effectiveness of eHealth Systems

2007-03-29T10:25:00.000-04:00

Do computerized clinical decision support systems (CDSSs) make a difference? An article published in the Journal of the American Medical Association (JAMA) titled Effects of Computerized Clinical Decision Support Systems on Practitioner Performance and Patient Outcomes concluded that "Many CDSSs improve practitioner performance. To date, the effects on patient outcomes remain understudied and, when studied, inconsistent."

This article is available for free download from the JAMA website. Definitely more work is needed to determine whether or not eHealth systems have a measurable impact on patient outcomes.

Risk of Obsolescence

2007-03-22T16:02:00.000-04:00

The following quote is from the president of the British Computer Society, Professor Nigel Shadbolt. In a keynote address to Healthcare Computing in Harrogate this week, he offered these definitions: “State-of-the-art is any computer you can’t afford; obsolete is any computer you own; a microsecond is the time it takes your state-of-the-art computer to become obsolete.”

Best Buy - Standards

2007-03-20T10:19:00.000-04:00

I've been heads down the last couple of weeks preparing for my risk workshops at the University of Waterloo. In my research I've found that the best site from which to buy standards is the ANSI (American National Standards Institute) eStandards Store. I was able to buy Security Standards ISO 17799 and ISO27001 for $30 USD each (the price on the Standards Council of Canada Website was $199.98 CDN and $131.75 CDN respectively). Other risk management standards I think are useful and will be integrated into the eHealth Risk/Opportunity Report card are:

ANSI/AAMI HE74:2001 - Human Factors Design Process for Medical Devices
IEC62198 - Project Risk Management - Application Guidelines
IEEE1490 - IEEE Guide - Adoption of PMI Standard - A Guide to the Project Management Body of Knowledge

There are also two relevant standards being developed by ISO TC215 WG4. They are at a very early stage of development. You might be able get them if you know someone on the committee ;-) They are:

Health Informatics - Application of risk management to the manufacture of health software; and

Health Informatics - Guidance on risk evaluation and management in the deployment and use of health software.

Privacy Commissioner's Order re: Laptop Theft

2007-03-08T09:55:00.000-05:00

The Ontario Information and Privacy Commissioner released an order today (Order HO-004) to Toronto's Hospital for Sick Children following the theft of a laptop containing personal health information. Her closing comment: "There is no excuse for unauthorized access to personal health information due to the theft or loss of a mobile computing device - any PHI contained therein must be encrypted."

The Order goes into considerable depth concerning the obligations of Health Information Custodians with respect to a number of issues. Its worth the read. If time is an issue the press release provides a good summary.

Electronic Medical Records - Who Cares?

2007-03-07T07:55:00.000-05:00

One of the greatest risks to the implementation of eHealth systems is the lack of awareness by decision-makers about what is happening in the real world - a lack of understanding of what the real users - patients and caregivers - really think.

Cybercitizen® Health is a syndicated consumer study and marketing data set of Manhattan Research, primarily focused on key research topics and trends impacting the ehealth market. they have recently released their annual Cybercitizen® Health report.

The following is from the ScribeMedia website.

"When asked about their interest in accessing health records electronically, only 1% of U.S. adults report currently using electronic medical or health records, while 64% report they are “not at all interested in using” an EMR.

Given the lack of consumer interest, can we expect EMR adoption will instead be driven by physicians? The story there is not any more encouraging: only 26% of primary care physicians use electronic medical records in their office, and almost one-third of PCPs have no interest in using electronic medical records in the future.

What does this mean for the future of the health IT movement? Adoption of electronic health records will clearly not be driven by consumers, who are not convinced that electronic health records are necessary; nor will adoption be driven by physicians, who in many cases, are unwilling to foot the bill or invest the time and resources required for such a substantial change in practice management – and especially heavy burden for smaller practices.

Instead, the electronic medical record movement will have to be driven by government legislation or by incentives from payers, who stand to benefit from the vast opportunities for data mining that could be made available through electronic medical records."

Sounds right to me.

COACH Guidelines Updated!

2007-03-06T09:26:00.000-05:00

The COACH Guidelines for the Protection of Health Information, Canada's definitive guide to security and privacy in healthcare has been updated in a new 2006 edition. This is undoubtedly the most comprehensive reference for any health CIO, Security or Privacy Officer. It is highly recommended.

Do No Harm!

2007-03-03T09:30:00.000-05:00

In thinking about eHealth risk I am first drawn to Hippocrates' admonition to "do no harm". What harm can befall a person because of eHealth? The possibilities are limited and closely interrelated. The ones that come to mind are:

Harm to a person's physical and mental well-being - this is the classic "safety" issue. We can cause personal physical or mental damage to people because we don't build or use our eHealth systems properly.
Harm to a person's financial well-being - personal health information can be used to steal a person's identity, making them vulnerable to financial attack by identity thieves.
Harm to a person's reputation - which can impact physical, mental and financial well-being. Release of personal information can impact a person's social standing, cause varying levels of embarrassment, and result in stigmatization.

I've strained my brain and I am challenged to add to this list. Of course, this is from a human being point of view. Organizations, many of which have the status of "natural humans" in law can also be subject to such harms, though the physical and mental well-being issue only applies in a very limited sense (an event so serious may occur that the organization might go out of business, or die).

At this stage I'm more interested in the human impacts, because addressing human health, be it physical, mental, financial or reputational, is the whole point of implementing eHealth systems in the first place.

Comments are welcome.

Legally eHealth

2007-02-19T10:23:00.000-05:00

A study in the European Union is looking at the legal aspects of eHealth. Titled Legally eHealth it will look at a range of legal issues, albeit from an european point of view. The study will be completed in the spring and may provide useful guidance for other countries on the right legal questions to ask about eHealth.

eHealth Project Risk Challenges

2007-02-16T14:57:00.000-05:00

Check this out from the eHealth-Insider

"A senior executive from local service provider to the Southern cluster, Fujitsu, has said that the intense pressure suppliers are under to deliver short-terms risks the wider aims of the NHS National Programme for IT systems, resulting in a danger of it delivering 'a camel, and not the racehorse that we might try to produce.'"

How Serious is Privacy Risk?

2007-02-16T12:02:00.000-05:00

It’s important to keep things in perspective. I have spent much of the past few years addressing privacy risks associated with eHealth systems. But how pervasive and how serious are the risks to privacy in Canadian health care.

When dealing with health care the numbers are very big: 30 million potential patients, 1.5 million people working in the health care system, hundreds of millions of health care transactions each year. When dealing with privacy breaches in health the numbers are very small.

A review of the most recent Information and Privacy Commissioner annual reports from those provinces with health privacy legislation is most revealing. In Ontario in 2005 (first full year of the Personal Health Information Protection Act) there were 177 privacy complaints . In Alberta in fiscal year 2004-2005 97 cases were opened under the Health Information Act (note that this number excludes 217 PIAs submitted to the OIPC for review). In Manitoba in 2005 9 new cases were opened under the Personal Health Information Act. In Saskatchewan 88 cases were opened of which 13% related to the Health Information Protection Act (although the report does note that many cases may have been referred to Professional colleges for review and disposition). Of these cases, only a handful resulted in orders issues by the Information and Privacy Commissioners. My guess is that there are fewer than 1000 significant health privacy issues across Canada each year.

Compare the number of privacy issues with the current estimate by CIHI that somewhere between 9,250 to 23,750 deaths occurred in Canadian health care in 2000-2001 due to “adverse events” . In 2003, 5.2 million Canadians reported that they or a family member had experienced a preventable adverse event related to their health care.

I don’t want to suggest for a moment that privacy issues are not important. The reputational damage to patients, health care providers and organizations as a result of infrequent privacy breaches can be considerable. I only suggest that we keep privacy in perspective. Canadian health care workers and organizations do an AMAZING job protecting the privacy interests of patients. They should be lauded for that.

In fact, I am concerned that the most serious threat to privacy, that of government intrusion into our lives permitted as a result of law enforcement and anti-terrorism legislation is not really addressed at all in our privacy control systems. I also think we are pretty weak on addressing the issue of identity theft associated with health information systems, which is more of a security issue.

With an over-emphasis on the privacy issue, there is a concern that resources are diverted from other issues such as system availability (security) and safety, which may be more serious risks for patients. I have seen projects where hundreds of thousands of dollars were spent on privacy impact assessments, but not a penny on an analysis of safety risk. Balance is the operative word here. We need to balance privacy concerns with our mandate to provide safe and effective health services.

References

1. Information and Privacy Commissioner/Ontario, Annual Report 2005, Toronto, p.59
2. Office of the Information and Privacy Commissioner for Alberta, 2004/2005 Annual Report, Edmonton, p.43
3. Manitoba Ombudsman, 2005 Annual Report: Access and Privacy, Winnipeg, p.16
4. Office of the Information and Privacy Commissioner for Saskatchewan, 2005-2006 Annual Report, Regina, p.7
5. Office of the Information and Privacy Commissioner for Saskatchewan, 2005-2006 Annual Report, Regina, p.41
6. Canadian Institute for Health Information, Health Care In Canada, CIHI Website,