2009 will be a challenging year as budgets are constrained, a new administration is launched, and more demands are placed on IT to help stakeholders work more efficiently.
Here are my goals for 2009.
BIDMC
1. I will continue to evolve cloud computing offerings in 2009, including the rollout of a new storage design, offering generous amounts of low cost space for clinical care, email, and research.
2. I will continue the rollouts of software as a service EHRs for our community providers including connectivity to the MAeHC quality warehouse, the MA-Share healthcare information exchange, and Google Health/Microsoft Healthvault.
3. I will work collaboratively with all our corporate communications, clinical, and administrative stakeholders to launch a new intranet that includes many social networking features.
4. I will support the Federal and State economic stimulus activities for Healthcare IT.
HMS
1. I will work with Public Affairs, research, and administrative leaders to redesign and unify the external web presence at Harvard Medical School, which today has many disparate websites with heterogeneous navigation and search.
2. I will work with administrative stakeholders to implement a next generation of web-based workflow tools which improve efficiency by automating document management, routing, and communication.
3. As with BIDMC, I will evolve my cloud computing offerings for storage (high performance, mid-tier, archive) and implement the first pilots of our New England Biocomputing Center.
4. I will support the Federal and State economic stimulus activities for Healthcare IT.
MA-Share/NEHEN
I've listed these two organizations together because my goal is to ensure a successful merger of these two complementary organizations in 2009, creating a single statewide health information exchange for all types of data among all stakeholders. The combined organization will work with all the other great ehealth organizations in Massachusetts to support the Federal and State economic stimulus activities for Healthcare IT.
HITSP
By charter, which limits me to two terms, I must hand off the HITSP chairmanship on October 1, 2009. What will I focus on for these next 10 months?
1. I will work with all stakeholders to ensure we have all the standards we need for exchange of clinical summaries, both simple and complex, that meet all the data exchange requirements of EHRs and PHRs.
2. I will work with all stakeholders to move HITSP interoperability specifications to a service oriented architecture, making implementation much easier, such as conforming to a published WSDL.
3. I will work with HITSP teams to develop a data dictionary for interoperability, making it easy for an implementer to locate all the standards they need for specific data elements. I will work with all the CEOs of EHR vendors and CCHIT to ensure we reduce their barriers to standards implementation.
4. I will support the Federal and State economic stimulus activities for Healthcare IT.
Personal
My personal goals will stay very focused in 2009
1. Continue my vegan lifestyle, eating locally grown foods
2. Continue my outdoor activities - hiking/running, climbing, kayaking, cycling, skiing
3. Continue my Japanese flute (Shakuhachi) and Turkish Flute (Ney) training
4. Continue my "Dreams of Green", learning more about systems to heat/cool and generate power using sustainable, non-polluting technologies.
I'm sure 2009 will have its economic bumps, but the future looks very bright.
As president of the Mayo Clinic Platform, I lead a portfolio of new digital platform businesses focused on transforming health by leveraging artificial intelligence, the internet of things, and an ecosystem of partners for Mayo Clinic. This is made possible by an extraordinary team of people at Mayo and collaborators worldwide. This blog will document their story.
Wednesday, December 31, 2008
Tuesday, December 30, 2008
Looking back on 2008
It's the eve of New Year's Eve. Since I'll be posting my 2009 New Year's resolutions tomorrow, today's blog is a look back at my 2008 resolutions. How did I do and most importantly what did I learn along the way? This is a very long blog entry, so my apologies to readers on iPhones and Blackberrys.
BIDMC
1. One of my major 2008 goals for BIDMC was to build a cloud computing center hosting EHRs for community clinicians in Massachusetts via a software as a service approach.
Status - the center is live and 4 practices are fully implemented. We're implementing 6 practices per month throughout 2009 and 2010. We're in the process of creating a connection to the Mass eHealth Collaborative quality data warehouse, integrating with the MA-Share health information exchange, and piloting Google Health PHR integration.
Lessons learned - Free is not cheap enough for primary care physicians in the US. Stark safe harbors enable hospitals to subsidize 85% of the costs of EHR implementation. Many PCPs do not have enough spare cash to fund the 15% plus office hardware. In 2009, I'll work with our physicians' organization (not bound by Stark funding restrictions) to develop a strategy to reduce the cost even further.
2. BIDMC has centralized just about all IT application and infrastructure services. My 2008 goal involved creating a plan for centralizing image lifecycle management of radiology, cardiology, pulmonary, GI, and Ob/Gyn.
Status - We've made progress but still have work to do. We've created the governance to do this - an Enterprise Image Management Steering Committee including all departmental stakeholders. We've assigned project management responsibility. Enterprise Image management software selection is led by a consultant, Joe Marion, one of the most knowledgeable PACS experts in the country. Infrastructure design and PACS disaster recovery efforts are led by my internal management and staff.
Lessons learned - In the image management industry, products are still rapidly evolving. We're approaching this project using hardware (EMC Atmos) and software that did not exist when I wrote my 2008 goal. We plan to pilot our design in 2009 by unifying all cardiology image sources (cath, echo, vascular).
3. 2008 was a tumultuous time for my infrastructure teams since we moved over 2000 people for the opening of our new Center for Life Sciences research building. Completing this project plus those of our physician practices, community sites, and our internal moves led to many deferred vacations, long nights and weekend work. One of my goals for 2008 was to ensure the moves/adds/changes plans were better communicated from business owners to IS.
Status - We've increased the size of our project management and community support teams, built a standardized process for project intake, and assigned an IT liaison to our facilities and community practice departments.
Lessons learned - There is no substitute for formal project management. Every project requires communication, coordination, and resource allocation. Whenever I'm asked to bypass my usual processes to accelerate projects, the answer is that workarounds will actually slow down the project.
Harvard Medical School
1. The Clinical Translational Science Awards (CTSA) brought over $200 million in NIH funding and in kind contributions to Harvard Medical School. One of my goals for 2008 was to build the social networking infrastructure to support collaboration throughout the Harvard Empire.
Status - Catalyst is live and includes a very powerful function called Profiles to identify collaborators based on their publications and funding. In 2009, Profiles will include even more advanced tools for active and passive networking.
Lessons Learned - Every aspect of Catalyst is tracked via Google Analytics so we know what is used and how. Our plans for features and new applications were markedly changed to match the demands of our users.
2. In an era of budget reductions (Harvard's endowment losses have led the medical school to implement a 10% cut in all departments), strong financial management is a necessity. One of my goals was to implement financial analytics/business intelligence and not just a budgeting function in IS.
Status - we hired a business manager who brings thoughtful analysis to IS financial operations.
Lessons Learned - As organizations mature, their needs change. The budgeting function of the past needed to evolve into strong financial analysis for us to manage the budget as tightly as the economy demands.
3. When budgets are tight, economies of scale must be exercised whenever possible. In 2008, one of my goals was to enhance our centralized high performance computing capabilities.
Status - During our 2008 Harvard High Performance Computing Symposium, we announced the New England Biocomputing Center, a collaborative of many academics, researchers, and industrial affiliates that will serve as a resource for all of New England. Thus far, we've had substantial commitments to donate and participate in building our economies of scale beyond just one school.
Lessons Learned - Cloud computing for research offers such great capabilities and low cost that political barriers are not an issue.
MA-SHARE
1. In 2008, we continued the expansion of our statewide e-prescribing gateway and our health information exchange of clinical summaries. My goal was to increase the number of organizations exchanging data.
Status - e-prescribing is live for all the physicians of BIDMC and Partners healthcare. Clinical data exchange is live for BIDMC and its network of private clinicians. Children's and Northeast Health System are live. Others will soon follow.
Lessons learned - Health information exchange for technology's sake is not sustainable. There must be a business value case. In Massachusetts, the exchange of medication transactions and sharing of clinical summaries brings cost avoidance that payers and providers are willing to fund.
NEHEN
1. NEHEN has been the administrative healthcare information exchange for Massachusetts since 1997. Our implementations started with institutions and large provider organizations, then expanded to community hospitals. My 2008 goal was to expand NEHEN capabilities to small providers.
Status - We have made significant progress in 2008, approaching our goal of adding an additional 80 organizations to the data exchange.
Lessons Learned - As with our EHR implementation, we learned that physicians in small practices are struggling. We reduced the price for solo practitioners to accelerate adoption.
HITSP
1. AHIC gave HITSP 3 use cases in 2006, 4 in 2007 and 6 in 2008. The 2008 Use Cases were particularly difficult because of rapid change in some of the domains, such as the genome and consumer healthcare devices. My goal was to facilitate standards harmonization for the genome/family history, secure provider/patient messaging, connectivity to healthcare devices, public health reporting, immunization history, and consultation/transfers of care.
Status - all HITSP deliverables were completed and presented to AHIC.
Lessons Learned - Implementation is a very important measure of standards harmonization success. HITSP work products are implemented by several organizations now with more to follow in 2009. The Value Case approach suggested by the AHIC Successor, which prioritizes work for HITSP and CCHIT based on factors such as customer demand and likelihood of implementation, will accelerate interoperability in the US in 2009.
Personal Goals
1. My 2008 personal goals included a major effort to further refine my vegan lifestyle to eating locally and regionally. From May until November we grew our own vegetables and picked up weekly vegetable shares from our CSA, Redfire Farm. We canned throughout October and now continue to enjoy vegetables from canning stores and root cellar.
2. I tried very hard to fly less in 2008, using Webex, teleconferences, and trains as much as possible. I still traveled too much. Cisco has agreed to partner with me on a home telepresence pilot. I'll blog about that effort next month. If it works well, I may be able to reduce many flights in 2009.
3. In 2008, I've kept up my physical activity with kayaking from April through October, cycling May through November, climbing June through October, skiing December through March and hiking year round. I did climb the Eichorn pinnacle (photo above) and played my Japanese flutes on many summits. My daughter joined cross country and track so our walks have turned into runs together.
Status - the balance of family, personal and work time seems to be working
Lessons learned - a vegan lifestyle, consistent exercise, and reserved time for family have resulted in a happy and healthy 2008.
Tomorrow - a glimpse of what I hope 2009 will bring.
Monday, December 29, 2008
The Broken Window Effect
As an adult I've returned to various locations from my childhood and found the white picket fences, station wagons, and neighborhood shops transformed into rough, run down, and unsafe neighborhoods. This did not happen overnight. What happened in these places is the same thing that can happen in a business or your personal life. I call it the "Broken Window Effect".
Imagine the perfect "Lake Wobegon" neighborhood where everything is above average. A baseball goes through a window, but the owner decides not to fix it. Then, because the house looks a bit shabby, another neighbor leaves a junked car on the street. Then a bit of graffiti is not cleaned up. Then folks stop picking up garbage from their yards.
This can happen inside a house. One pile on the floor doesn't take too much room, so a few more piles are put around it. Before long, all floor spaces have piles on them. Maintenance items are deferred and junk is not tossed. Years pass and eventually the house is unhealthy to live in, but no one really notices because it happened so gradually.
In IT organizations the Broken Window Effect can occur when management begins to tolerate downtime, constant workarounds, and broken processes.
How do we prevent the Broken Window Effect?
Every downtime incident is investigated within hours of the problem, and a full report is issued to our weekly change control board meeting. The meeting is not punitive; it is a learning environment attended by all my technical managers so that the entire organization can learn together. Questions include:
Was there a process failure?
Was there a training failure?
Was there a policy failure?
Was there a planning failure?
Was there a lifecycle maintenance failure?
By examining every incident when it happens and by building a culture that encourages constant improvement based on collective sharing of our experiences, we ensure that "broken windows" are fixed and that problem recurrence is minimized.
The change control board was created after my Network collapse in 2002 because at that time we discovered several aspects of the IS organization that needed improvement, such as:
Lack of transparency to downtime with details not openly shared among all groups
Silos of technical knowledge
A tendency to work around and patch rather than identify and correct root causes of problems
A lack of planning projects as a coordinated whole with all services - applications, networks, servers, storage, desktop - considered components of a single comprehensive implementation.
The change control board is so rigorous that even I can get into trouble. I recently implemented a health information exchange application update and did not discuss it at the change control board. Thinking that it was just a minor update, I assumed that there were no infrastructure implications. However, given the fact that the application exchanges data securely outside our firewall, involves databases, integration engines, and application teams, it was important to brief everyone first. My next directors meeting will include an overview of all our health information exchange projects - past, present and future - for all IS stakeholders.
On a personal level, I also try to avoid the broken window effect by renewing/maintaining all aspects of my life, i.e.:
I erase all emails older than 90 days and all files older than 1 year. It's really rare that an issue has not been resolved after 90 days or someone requests a file older than a year.
I replace my laptop every 2 years
I replace my blackberry every 2 years
I replace my clothes every 3 years
I keep no paper of any kind in my office and very little in my home. All my reading materials are digital.
Every season has its activities that lead to renewal - Spring house cleaning, Summer planting, Fall yard cleanup, Winterization to prep the house for cold weather.
Whether it's your neighborhood, your home or your office, I recommend you stay vigilant for the Broken Window Effect. Fixing all those broken windows keeps everyone engaged in renewal.
Friday, December 26, 2008
Cool Technology of the Week
Admittedly, this cool technology of the week entry is about an idea, since I have not used the product/service directly.
As I've written about many times, I'm passionate about protecting patient privacy.
The new Massachusetts Data Protection regulations require reporting of breaches and mandate compliance with several new security practices. Many hospitals outsource various aspects of their medical records workflow such as transcription, optical scanning, and data entry of scanned forms. When these services are purchased offshore, how can we reduce the risk that personally identified data will be compromised or identity stolen?
The folks at Tech Speed have a creative answer called Imagefracture.
They provide an editor to mark up electronic images and identify fields containing sensitive data. Information that might be used in combination to compromise privacy can then be separated into separate scanned images.
Each of these images is sent to a different work team but enough metadata is retained centrally to reassemble the parts. Here's an example of how it works - suppose that a form is comprised of name, address, social security number, medications, and problem lists. If the name is sent to one work group, the address to another, the social security number to another, and the medications/problems lists to another, no single work group has enough information to breach privacy or steal identity.
Thus, offshore data entry or business process outsourcing can continue without fear of data compromise. It has the added benefit that individual outsourced work groups do not need security policy audits for HIPAA, PCI, or SOX requirements.
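The fragmentation scheme described above, sketched as an added example (not Tech Speed's code or Imagefracture's actual design): each marked-up field gets a random token, fields that identify a patient in combination are routed to different work groups, and only the centrally held manifest can rejoin them. The function names, the conflict policy, the team names and the sample forms are assumptions constructed for illustration.

```python
import secrets
from collections import defaultdict
from itertools import combinations

# Constructed sample data: field name -> cropped image bytes (stand-ins for scans).
SAMPLE_FORMS = {
    "form-001": {"name": b"img:name-1", "address": b"img:addr-1",
                 "ssn": b"img:ssn-1", "clinical": b"img:meds-problems-1"},
    "form-002": {"name": b"img:name-2", "address": b"img:addr-2",
                 "ssn": b"img:ssn-2", "clinical": b"img:meds-problems-2"},
}

# Assumed policy, matching the post's example: every pair of these fields is
# identifying in combination, so no two may reach the same work group.
CONFLICTS = {frozenset(pair) for pair in
             combinations(["name", "address", "ssn", "clinical"], 2)}


def assign_teams(fields, conflicts, teams):
    """Greedy placement: give each field the first team holding no conflicting field.

    Sound (never co-locates a conflicting pair) but not optimal: for sparse
    policies it may report failure where a cleverer assignment exists.
    """
    held = {team: set() for team in teams}
    placement = {}
    for field in sorted(fields):
        for team in teams:
            if not any(frozenset((field, other)) in conflicts for other in held[team]):
                held[team].add(field)
                placement[field] = team
                break
        else:
            raise ValueError(f"not enough work groups to isolate field {field!r}")
    return placement


def fracture(forms, conflicts, teams):
    """Split forms into per-team work queues plus a manifest that stays central."""
    manifest = {}               # token -> (form_id, field); never sent to a work group
    queues = defaultdict(list)  # team -> [(token, image_bytes)]
    for form_id, fields in forms.items():
        placement = assign_teams(fields, conflicts, teams)
        for field, team in placement.items():
            token = secrets.token_hex(16)  # random, so tokens cannot be joined across teams
            manifest[token] = (form_id, field)
            queues[team].append((token, fields[field]))
    rng = secrets.SystemRandom()
    for queue in queues.values():
        rng.shuffle(queue)  # queue position must not hint at which form an item came from
    return manifest, dict(queues)


def violations(manifest, queues, conflicts):
    """Audit: list (team, form_id, field_a, field_b) where a team saw a conflicting pair."""
    found = []
    for team, queue in queues.items():
        seen = defaultdict(set)
        for token, _image in queue:
            form_id, field = manifest[token]
            seen[form_id].add(field)
        for form_id, fields in seen.items():
            for a, b in combinations(sorted(fields), 2):
                if frozenset((a, b)) in conflicts:
                    found.append((team, form_id, a, b))
    return found


def reassemble(manifest, results):
    """Join transcriptions (token -> text) back into records using the manifest."""
    unknown = set(results) - set(manifest)
    missing = set(manifest) - set(results)
    if unknown or missing:
        raise ValueError(f"{len(unknown)} unknown and {len(missing)} missing tokens")
    records = defaultdict(dict)
    for token, text in results.items():
        form_id, field = manifest[token]
        records[form_id][field] = text
    return dict(records)


if __name__ == "__main__":
    teams = ["team-a", "team-b", "team-c", "team-d"]
    manifest, queues = fracture(SAMPLE_FORMS, CONFLICTS, teams)
    print("violations:", violations(manifest, queues, CONFLICTS))
    # Simulated transcription: each team returns text keyed only by token.
    results = {tok: img.decode() for q in queues.values() for tok, img in q}
    print(reassemble(manifest, results)["form-001"])
```

The separation only holds while the manifest stays with the data owner and each cropped image contains nothing beyond its own field.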
There have been case reports of rogue employees at outsourcing operations threatening clients with data disclosures and blackmailing them to prevent these releases. Since some countries do not have strict privacy laws, there may not be criminal penalties for inappropriate data releases.
Breaking up work into non-identifiable pieces to protect privacy via a customized image editing and metadata management system. That's cool!
Wednesday, December 24, 2008
My Favorite Vegan Resources
Since I'll be taking tomorrow off to spend Christmas with my family, I'm writing my typical Thursday more personal blog entry today. I'm often asked about resources for adopting a vegan diet and lifestyle. Here are my favorites:
Favorite Vegan Web Resources
The Vegetarian Resource Group
Bryanna's Vegan Feast
Fat Free Vegan Kitchen
Vegan Food
Cool Vegan
Happy Cow
Favorite Books
Becoming Vegan: The Complete Guide to Adopting a Healthy Plant-Based Diet
Cooking the Whole Foods Way
This Crazy Vegan Life
Vegan with a Vengeance
Veganomicon
Vegan Express
The Joy of Vegan Baking
The China Study
The Food Revolution
The Gluten Free Vegan
I'm always happy to answer questions and offer advice. After more than 5 years as a Vegan, I can say that it is not a diet, it's my lifestyle. I have no regrets, no cravings, and no desire to return to my old carnivore ways.
Tuesday, December 23, 2008
Troubleshooting Complex IT problems
Whenever I'm asked to solve an intermittent IT problem such as occasional slowness, occasional lost data or intermittently failing hardware, the research is often complex.
Here's a brief example of the efforts we employ to solve IT mysteries.
A few weeks ago we were told that the Interpreters at BIDMC often received pages with ambiguous call back numbers. At BIDMC, valid numbers are 5 digit extensions, 7 digit local numbers and 10 digit long distance numbers. Interpreters often received 4 digit or 6 digit numbers that were impossible to call back.
The most obvious explanation for such an intermittent problem that only seemed to occur in one department was human error. Doctors misdialed numbers, assuming the last 4 digits would be enough to identify their call back number.
We sent out a broadcast email instructing the clinicians to always dial at least 5 digits.
That did not cure the problem.
We then began a data analysis. Could we relate the bad pages to a particular individual, department or location? We found no correlation.
We then asked if the problem was truly isolated to Interpreters. Our data analysis suggested that it occurred regularly in several departments. No others had mentioned it, but the problem was real.
We then asked if the problem was unique to BIDMC, since we share a paging system with other hospitals. The analysis suggested that it was unique to us, since other hospitals did not have the problem.
It seemed unlikely that just our doctors were using the paging system improperly, so we began analyzing all the hardware involved in paging - phones, interface boards, servers and software. Since some of these components were redundant we experimented with taking one member of clustered services offline to see if we could isolate a problem in one switch, one signal processor or one server. Still no resolution.
We then spoke with the manufacturer of the paging software. They had no reports of similar problems. We then spoke to the engineer who wrote the software. He had an idea.
When you use a paging system, the dialog goes something like this:
"Please dial the person you wish to page"
User enters pager number
"Please enter your call back number"
User enters call back number
"Thank you"
Page is sent
Many interactive telephone systems have a "buffer clearing function" that clears any input before users enter numbers, to eliminate digits being carried over between voice prompts and to cancel out any background sounds that might have occurred between prompts. This sounds great, but what happens if an experienced user begins to dial immediately without listening for the prompts? For example, a person dialing very fast immediately enters the pager number, pauses for 1 second before the "Please enter your call back number" prompt is completed, and then enters the call back number. It's likely call back number digits would be truncated.
We turned off buffer clearing and here's what happened.
Percent Bad Call Back Numbers

| Pager | Pre-change | Post-change |
|---|---|---|
| Russian interpreter | 163/493 = 33% | 3/244 = 1% |
| Spanish interpreter | 262/959 = 27% | 4/404 = 1% |
| Chinese interpreter | 207/1086 = 19% | 8/417 = 2% |
Of the 15 pages in the post-change group listed as bad, most, if not all, were likely misdialed. For example, a couple were "123". Others were bad, but were immediately followed by what appeared to be a correct return page, suggesting the caller knew they had entered bad data.
The troubleshooting process was complicated by the fact that truncation only occurred with pagers signed out to other numbers, as is the case with Interpreter Services. The "clear buffer" had no impact on pagers not signed out. We tried many times to "type ahead" call back numbers for these and were unable to mimic the problem. It appears to have only been a problem if someone signed their pager out to another. It turns out that the buffer clearing software works differently for pagers with a status of "signed out/covered by".
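A small model of the truncation and of the log triage described above. This is an added example, not the paging vendor's software: the flush-at-end-of-prompt behaviour, the key timings, the pager names, the log rows and the 120-second retry window are constructed assumptions. Only the valid lengths (5, 7 and 10 digits) come from the post.

```python
from collections import defaultdict

VALID_LENGTHS = {5, 7, 10}  # extension, local, long distance (from the post)


def collect_callback(keypresses, prompt_end, clear_buffer):
    """Return the digits the IVR keeps for the call back number.

    keypresses: list of (seconds, digit) typed by the caller.
    prompt_end: time the "enter your call back number" prompt finishes.
    Assumed model: with clear_buffer on, anything buffered before the prompt
    finishes is flushed; with it off, typed-ahead digits are kept.
    """
    kept = [d for t, d in sorted(keypresses)
            if not clear_buffer or t >= prompt_end]
    return "".join(kept)


def type_number(number, start, gap=0.25):
    """Constructed caller: one key every `gap` seconds starting at `start`."""
    return [(start + i * gap, d) for i, d in enumerate(number)]


def is_valid(callback):
    return callback.isdigit() and len(callback) in VALID_LENGTHS


def triage(pages, retry_window=120):
    """Per-pager totals, bad call backs, and bad pages followed within
    retry_window seconds by a valid page to the same pager (the caller
    noticed the mistake and paged again).

    pages: list of (epoch_seconds, pager, callback) in any order.
    """
    by_pager = defaultdict(list)
    for ts, pager, callback in sorted(pages):
        by_pager[pager].append((ts, callback))
    report = {}
    for pager, rows in by_pager.items():
        stats = {"total": len(rows), "bad": 0, "self_corrected": 0}
        for i, (ts, callback) in enumerate(rows):
            if is_valid(callback):
                continue
            stats["bad"] += 1
            nxt = rows[i + 1] if i + 1 < len(rows) else None
            if nxt and nxt[0] - ts <= retry_window and is_valid(nxt[1]):
                stats["self_corrected"] += 1
        report[pager] = stats
    return report


def demo():
    prompt_end = 2.0  # constructed: the prompt finishes 2 s into the step
    # A fast caller starts the call back number 0.25 s before the prompt ends.
    extension = type_number("54321", start=1.75)
    local = type_number("5550123", start=1.75)
    truncated = [collect_callback(k, prompt_end, clear_buffer=True)
                 for k in (extension, local)]
    intact = [collect_callback(k, prompt_end, clear_buffer=False)
              for k in (extension, local)]
    # Constructed page log: (epoch seconds, pager, call back number).
    log = [
        (1000, "interp_ru", "4321"),
        (1030, "interp_ru", "54321"),       # retry 30 s later: self-corrected
        (2000, "interp_ru", "6175550123"),
        (3000, "interp_es", "550123"),
        (9000, "interp_es", "5550123"),     # too late to count as a retry
        (9500, "interp_es", "123"),
    ]
    return truncated, intact, triage(log)


if __name__ == "__main__":
    truncated, intact, report = demo()
    print("clearing on: ", truncated)
    print("clearing off:", intact)
    for pager, stats in sorted(report.items()):
        print(pager, stats)
```

Losing a single leading digit turns a 5 digit extension into a 4 digit number and a 7 digit number into a 6 digit one, the two invalid lengths the interpreters reported.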
My advice for diagnosing complex operational IT problems is to work stepwise with every layer of architecture, and isolate the problem. Then, follow the advice of Sherlock Holmes in The Sign of Four: "How often have I said to you that when you have eliminated the impossible, whatever remains, however improbable, must be the truth?"
Along the way, you may need tools such as OpNet to help isolate every component of hardware and software and gather data. In this case, our usual network-based software tools did not help because the critical connection we needed to check was the traffic between the phones and the interface boards on the paging server. We needed to analyze if the DTMF input coming from our telephone system was providing the correct digits. If the digits captured before hitting the interface boards were bad, we would know it was how the DTMF signals were handled on our side. If the digits differed from what was being logged in the paging server, we would know the problem was inside the server.
I wish troubleshooting intermittent IT problems was easier, but alas, many modern technologies have so much complexity that it takes all the skills of a forensic pathologist to solve the problem.
The folks at CSI would be proud of my team.
Monday, December 22, 2008
Next Steps for Interoperability
There are some folks in Washington who have made statements that we should delay investments in EHRs because current vendor products lack the functionality needed to support a coordinated healthcare system. Others have said that we lack the standards or security framework to implement interoperability. Here are my thoughts.
Take a look at the successes in Massachusetts and New York with commercial EHR products. We've implemented eClinicalWorks, which includes decision support, e-prescribing, administrative transactions with payers, clinical summary sharing across the community, and quality measurement (all the National Quality Forum high priority measures). It's web-based, using a service oriented architecture in a cloud computing environment. By implementing this product at BIDMC, we're meeting all the payer guidelines for delivering appropriate, coordinated, high value care. Vendor products from Epic, Allscripts, NextGen, GE, Meditech, eMDs, MedSphere, and other CCHIT certified vendors have similar features.
Should we wait for something better that has more interoperability?
Do you drive a car? Why? It pollutes, costs a lot, and generally is not very efficient in traffic. You'd be much better off asking Scotty to beam you up via the transporter. Should we eliminate all cars, planes and trains until the transporter is invented? The same can be said of EHRs and health information exchange. My definition of good enough includes:
*Support for medication interoperability such as e-prescribing linking providers, payers, and pharmacies
*Support for laboratory and radiology interoperability such as orders and results integration among providers, hospitals and commercial labs
*Support for seamless electronic interchange between providers and payers for administrative data flows.
In 2009, several EHR vendors will support clinical summary exchange.
We can achieve a substantial improvement in care quality and coordination by implementing the systems available now and not waiting. If anyone thinks writing a next generation interoperable EHR from scratch is a good idea, have them look at the UK implementation of the NPfIT/Connecting for Health project. They hired numerous companies to implement a new scheduling/booking system, a nationwide PACS system and a coordinated health record. After spending billions, they have limited success and low provider satisfaction.
On December 18, HITSP completed all the national standards harmonization work for 2008. This included:
*Biosurveillance Interoperability Specification (IS02)
*Consumer Empowerment and Access to Clinical Information via Networks Interoperability Specification (IS03)
*Emergency Responder Electronic Health Record Interoperability Specification (IS04)
*Consumer Empowerment and Access to Clinical Information via Media Interoperability Specification (IS05)
*Personalized Healthcare Interoperability Specification (IS08)
*Consultations and Transfers of Care Interoperability Specification (IS09)
*Immunizations and Response Management Interoperability Specification (IS10)
*Public Health Case Reporting Interoperability Specification (IS11)
*Patient-Provider Secure Messaging Interoperability Specification (IS12)
*Remote Monitoring Interoperability Specification (IS77)
The documents are accessible through www.hitsp.org
This latest round of work means that we've completed the three year AHIC roadmap for standards. There are no unapproved standards at this point!
Of course standards will evolve and we'll keep enhancing this work, including lessons learned from implementation in vendor products. In 2009, we'll be given a new body of work including Newborn screening, and filling several small gaps required to support clinical workflows.
Thus, if we have products that are good enough and interoperability standards, what are we lacking? Some say security.
HITSP completed security standards harmonization in 2007.
The 2008 CCHIT criteria for security are rigorous. Vendors have described them to me as one of the most challenging aspects of certification.
Although there is still local/state variation in policies, we do have a national framework for EHR and PHR data exchange.
Some say that they have personal experiences with lack of coordinated care among multiple providers. Is that an issue with EHRs and standards? My view is that this is a process and policy issue. In the US we do not have a healthcare system; we have numerous providers, labs, pharmacies, and hospitals which do not constitute a single medical home for the patient.
Let's implement EHRs now and realize their benefits. Let's implement the interoperability for administrative transactions, labs/rads, and e-Prescribing that is robust today. Then let's implement the clinical summary exchange that's coming soon. It's a journey and we should start immediately. There is no reason to wait.
Friday, December 19, 2008
Cool Technology of the Week
In my experience, social networking applications gain marketshare by being first to innovate and then spreading virally.
I was an early adopter of Facebook but delayed joining Twitter, a microblog that enables me to post instant blog entries via SMS from my Blackberry.
Over the past 60 days, I have seen an incredible rise in Twitter use among my colleagues and have now joined the ranks of folks who "Tweet" their blogs. You'll find me at http://twitter.com/jhalamka
Here's what I do to use Twitter:
1. I've added Twitter's SMS address (40404) to my Blackberry and can send a message directly to my Twitter blog from my Blackberry wherever I'm traveling.
2. I've linked my Life as a Healthcare CIO blog to Twitter via TwitterFeed. TwitterFeed supports OpenID for authentication, so you do not need yet another password. It automatically checks my blog's Feedburner RSS feed 5 times a day and creates a microblog entry using tinyurl.com to keep the links short.
3. I follow just a few people, but have increasing numbers of folks following me. I try to limit my Twitter posts to just my blog entries and one interesting factoid per day about a meeting or travel. Sometimes Twitter can get overwhelming if you're following several people who post multiple times per day.
As with blogs, Facebook, forums and other aspects of the interactive web, it's a way to stay connected with your friends and colleagues. Is there a business purpose for Twitter? For me, it does connect me to an entirely different audience for my blog. If I can reach my staff and colleagues via the means of communication they find best - IM, email, blogs, microblogs, phone/voicemail, fax, and Plaxo/LinkedIn, then I've met my goal of overcommunicating with all my stakeholders to ensure they understand my strategy, priorities, and important healthcare IT news of the day.
Twitter is another communication tool for me that is easy to use, integrated with my existing devices, and a low burden to maintain. Staying in touch with microblogs - that's cool!
Thursday, December 18, 2008
Trains, Planes and Automobiles
Yesterday I was in New York, today I'm in Washington, and tomorrow I'm in Boston.
I travel 400,000 miles a year. Flying in 2008 is not fun and certainly not easy.
I'm learning to travel less and to travel differently. Ideally WebEx, iChat, and Telepresence will eliminate 50% of my travel in 2009, but when I must be at meetings in person, I strive for more green approaches than flying - driving my Prius to the train station and taking regional rail.
Today, I'm on the Acela Express, the Amtrak service from Washington DC to Boston.
Acela Express is the name used by Amtrak for the high-speed tilting train service operating between Washington, D.C. and Boston via Baltimore, Philadelphia, and New York. The tilting design allows the train to travel at higher speeds on the sharply curved New England tracks. High speed has made the trains very popular and Amtrak has captured over half of the market share of travelers between Washington and New York.
Let's take a look at my alternatives:
Travel Plan 1: 6:00am Shuttle to LaGuardia
4:00am Get up
4:45am Drive to Logan Airport
5:05am Discover that the Mass Pike is partially closed due to some random roadwork that never seems to be done. Take detour through South Boston
5:15am After getting hopelessly lost in South Boston, arrive at Logan to discover that no parking is available in the Terminal B lot
5:20am Park in Terminal C lot and run to Terminal B
5:30am Discover 200 people in the security line (note that previously I would have included waiting behind 50 people for boarding passes due to out of order check-in kiosks, but now I check-in via the web and bypass check-in lines). I beg to go to the front of the security line to avoid missing my flight
5:40am Get selected to have my laptop scanned for nitrates
5:45am Get into the gate area and run to the plane. Do battle with the other passengers who have chosen to bring Steamer trunks as carry on baggage onto a commuter shuttle.
5:50am Asked to turn off my laptop and blackberry by a flight attendant who is convinced I will unilaterally bring the plane down
6:10am Captain announces that (choose one) a. baggage compartment door will not close, b. some flashing light in the cockpit indicates a major equipment problem, c. crew needed for the flight is stuck on the tarmac in Pittsburgh, which will result in a 30 minute departure delay.
6:45am Flight leaves
7:30am Captain announces that airspace over New York is hopelessly congested and we'll circle for a while
8:00am Flight lands and I run to the taxi line. My driver does not speak English and is not familiar with my destination, but is sure he'll find it. We nearly plow into a few other cars as he pretends to be an Indy 500 driver on the way to the Expressway.
8:15am The commute from LaGuardia to Manhattan is a complete traffic snarl. My driver has one foot on the accelerator and one hand on the horn, as is required for New York driving
9:00am Arrive at my meeting a complete emotional wreck due to the traumatic taxi ride. I have not accomplished anything productive during my 5 hour commute.
Travel Plan 2: 5:24am Acela Express to Penn Station
4:30am Get up
5:00am Drive a few leisurely miles down 128 to the University Avenue train station in Westwood. Park in the ample free parking.
5:24am Walk onto the on-time train and choose a spacious seat with laptop power and a work table.
5:30am Grab a cup of hot tea, spread out and complete my prep for the day's meetings on my Macbook Air. Enjoy the sights of passing cities as we cruise through Providence, New Haven, Stamford, and NYC.
8:45am Arrive at Penn Station in the heart of Manhattan. Take a stroll down 7th Avenue to my meeting
9:00am Arrive at my meeting refreshed, prepared, hydrated, and with the physical benefits of walking.
As you can see, although the flight time is 1 hour and the train time is 3 hours, there is no real difference in end to end travel time due to security and taxi time when flying to NYC. If it's raining or snowing, LaGuardia will generally close, making the flight even more problematic.
After my meeting in NYC, I'll walk back to Penn Station, take the train to Washington DC and arrive at Union Station in just 2 hours, right on the Metro Red line, making for an easy commute anywhere in town.
For this traveler, it's goodbye Logan and hello Acela.
I travel 400,000 miles a year. Flying in 2008 is not fun and certainly not easy.
I'm learning to travel less and to travel differently. Ideally WebEx, iChat, and Teleprescence will eliminate 50% of my travel in 2009, but when I must be at meetings in person, I strive for more green approaches than flying - driving my Prius to the train station and taking regional rail.
Today, I'm on the Acela Express, the Amtrak service from Washington DC to Boston.
Acela Express is the name used by Amtrak for the high-speed tilting train service operating between Washington, D.C. and Boston via Baltimore, Philadelphia, and New York. The tilting design allows the train to travel at higher speeds on the sharply curved New England tracks. High speed has made the trains very popular and Amtrak has captured over half of the market share of travelers between Washington and New York.
Let's take a look at my alternatives:
Travel Plan 1 6:00am Shuttle to LaGuardia
4:00am Get up
4:45am Drive to Logan Airport
5:05am Discover that the Mass Pike is partially closed due to some random roadwork that never seems to be done. Take detour through South Boston
5:15am After getting hopelessly lost in South Boston, arrive at Logan to discover that no parking is available in the Terminal B lot
5:20am Park in Terminal C lot and run to Terminal B
5:30am Discover 200 people in the security line (note that previously I would have included waiting behind 50 people for boarding passes due to out of order check-in kiosks, but now I check-in via the web and bypass check-in lines). I beg to go to the front of the security line to avoid missing my flight
5:40am Get selected to have my laptop scanned for nitrates
5:45am Get into the gate area and run to the plane. Do battle with the other passengers who have chosen to bring steamer trunks as carry-on baggage onto a commuter shuttle.
5:50am Asked to turn off my laptop and BlackBerry by a flight attendant who is convinced I will unilaterally bring the plane down
6:10am Captain announces that (choose one) a. baggage compartment door will not close b. some flashing light in the cockpit indicates a major equipment problem c. crew needed for the flight is stuck on the tarmac in Pittsburgh, which will result in a 30 minute departure delay.
6:45am Flight leaves
7:30am Captain announces that airspace over New York is hopelessly congested and we'll circle for a while
8:00am Flight lands and I run to the taxi line. My driver does not speak English and is not familiar with my destination, but is sure he'll find it. We nearly plow into a few other cars as he pretends to be an Indy 500 driver on the way to the Expressway.
8:15am The commute from LaGuardia to Manhattan is a complete traffic snarl. My driver has one foot on the accelerator and one hand on the horn, as is required for New York driving
9:00am Arrive at my meeting a complete emotional wreck due to the traumatic taxi ride. I have not accomplished anything productive during my 5 hour commute.
Travel Plan 2: 5:24am Acela Express to Penn Station
4:30am Get up
5:00am Drive a few leisurely miles down 128 to the University Avenue train station in Westwood. Park in the ample free parking.
5:24am Walk onto the on-time train and choose a spacious seat with laptop power and a work table.
5:30am Grab a cup of hot tea, spread out and complete my prep for the day's meetings on my MacBook Air. Enjoy the sights of passing cities as we cruise through Providence, New Haven, Stamford, and NYC.
8:45am Arrive at Penn Station in the heart of Manhattan. Take a stroll down 7th Avenue to my meeting
9:00am Arrive at my meeting refreshed, prepared, hydrated, and with the physical benefits of walking.
As you can see, although the flight time is 1 hour and the train time is 3 hours, there is no real difference in end to end travel time due to security and taxi time when flying to NYC. If it's raining or snowing, LaGuardia will generally close, making the flight even more problematic.
After my meeting in NYC, I'll walk back to Penn Station, take the train to Washington DC and arrive at Union Station in just 2 hours, right on the Metro Red line, making for an easy commute anywhere in town.
For this traveler, it's goodbye Logan and hello Acela.
Wednesday, December 17, 2008
A Privacy Framework for Personal Health Records
When I lecture about the new generation of personal health records such as Google Health and Microsoft Healthvault, I emphasize that these applications are not covered by HIPAA. Google and Microsoft are not healthcare provider organizations and thus their privacy is only as strong as the policies they post on the website. Since Google and Microsoft monetize these sites by attracting search traffic, they are highly motivated to build secure and trustworthy systems. As a member of the Google Advisory Council, I know that the Google privacy policies are stronger than HIPAA. Microsoft has very similar policies.
These policies are good, but they are self developed by the companies. Ideally we would have a single national privacy policy framework for all personal health record products.
On Monday at the Nationwide Health Information Network meeting, Secretary Leavitt released the nation's first national privacy framework for personal health records.
This framework builds upon national and international efforts such as the Markle Connecting for Health Framework, HIPAA, and privacy legislation from the EU/Japan/Australia/Canada.
The framework is based on 8 principles:
Individual Access - HIPAA mandates that every patient have access to their records, but it does not specify the means of access. The default in most institutions requires patients to visit medical records and request a paper copy. This privacy principle highlights the need for secure electronic delivery of medical records to patients.
Correction - Existing regulations and best practices mandate the non-repudiability of the medical record. Doctors cannot simply delete data or change previously signed notes. However, medical records often contain incomplete or inaccurate information. This privacy principle requires that a process exists for amendment/correction of inaccurate information. In the case of Beth Israel Deaconess, we do not delete or edit previously entered information; we amend it with a time/date stamp to reflect an audit trail of correction to previously documented records.
Openness and Transparency - HIPAA mandates that health care providers provide a notice of privacy practices to patients. The Openness and Transparency privacy principle extends that to include a notice of how information is collected, used, and disclosed including policies, procedures, and technology. Also it importantly highlights the need to explain to patients their control over the use and disclosure of their information. In Massachusetts, all our community data sharing efforts require opt in consent.
Individual Choice - Consumers should be empowered to make decisions about with whom, when, and how their personal health information is shared (or not shared).
Collection, Use, and Disclosure Limitation – It is important to limit the collection, use and disclosure of personal health information to the extent necessary to accomplish a specified purpose. The ability to collect and analyze health care data as part of a public good serves the American people and it should be encouraged. But every precaution must be taken to ensure that this personal health information is secured, deidentified when appropriate, limited in scope and protected wherever possible.
Data Integrity – Those who hold records must take reasonable steps to ensure that information is accurate and up-to-date and has not been altered or destroyed in an unauthorized manner. This principle is tightly linked to the correction principle. A process must exist in which, if consumers perceive a part of their record is inaccurate, they can notify their provider. Of course the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides consumers that right, but this principle should be applied even where the information is not covered by the Rule.
Safeguards – Personally identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.
Accountability – Compliance with these principles is strongly encouraged so that Americans can realize the benefit of electronic health information exchange. Those who break rules and put consumers’ personal health information at risk must not be tolerated. Consumers need to be confident that violators will be held accountable.
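The Correction and Data Integrity principles above describe amending a record with a time/date stamp rather than editing or deleting it. The sketch below is an added example, not BIDMC's implementation or code from the framework: an append-only log in which every correction is a new timestamped entry, and a SHA-256 hash chain makes later alteration detectable. All names (`RecordLog`, `verify_chain`, `history`) and the sample notes are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Sequence

GENESIS = "0" * 64  # prev_hash used by the first entry


@dataclass(frozen=True)
class Entry:
    seq: int
    timestamp: str          # ISO 8601 time the entry was written
    author: str
    text: str
    amends: Optional[int]   # seq of the entry being corrected, None for an original note
    prev_hash: str
    entry_hash: str


def digest(seq, timestamp, author, text, amends, prev_hash) -> str:
    """SHA-256 over a canonical JSON encoding of every field plus the previous hash."""
    payload = json.dumps([seq, timestamp, author, text, amends, prev_hash],
                         separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class RecordLog:
    """Append-only note log: a correction is a new entry, never an edit or delete."""

    def __init__(self) -> None:
        self._entries: List[Entry] = []

    def append(self, author: str, text: str, amends: Optional[int] = None,
               now: Optional[datetime] = None) -> Entry:
        if amends is not None and not 0 <= amends < len(self._entries):
            raise ValueError("an amendment must reference an existing entry")
        ts = (now or datetime.now(timezone.utc)).isoformat()
        seq = len(self._entries)
        prev = self._entries[-1].entry_hash if self._entries else GENESIS
        entry = Entry(seq, ts, author, text, amends, prev,
                      digest(seq, ts, author, text, amends, prev))
        self._entries.append(entry)
        return entry

    def entries(self) -> List[Entry]:
        return list(self._entries)  # a copy, so callers cannot mutate the log


def verify_chain(entries: Sequence[Entry],
                 trusted_head: Optional[str] = None) -> Optional[int]:
    """Return None if intact, else the index of the first entry that fails.

    trusted_head is the last entry_hash as stored outside the log. Without it,
    someone who can rewrite the whole log can also recompute every hash. If all
    links hold but the final hash differs from trusted_head (truncation or a
    full rewrite), len(entries) is returned.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        expected = digest(e.seq, e.timestamp, e.author, e.text, e.amends, prev)
        if e.seq != i or e.prev_hash != prev or e.entry_hash != expected:
            return i
        prev = e.entry_hash
    if trusted_head is not None and prev != trusted_head:
        return len(entries)
    return None


def history(entries: Sequence[Entry]) -> Dict[int, List[Entry]]:
    """Group each original note with its amendments, oldest first.

    The last element of each list is the text now in effect; the earlier
    elements remain visible as the audit trail of the correction.
    """
    root_of: Dict[int, int] = {}
    trails: Dict[int, List[Entry]] = {}
    for e in entries:
        root = e.seq if e.amends is None else root_of[e.amends]
        root_of[e.seq] = root
        trails.setdefault(root, []).append(e)
    return trails


def build_sample_log() -> RecordLog:
    """Constructed sample data: two notes and one correction to the first."""
    log = RecordLog()
    at = lambda hour: datetime(2008, 12, 17, hour, 0, tzinfo=timezone.utc)
    log.append("clinician_a", "Medication list: drug A 10 mg daily", now=at(9))
    log.append("clinician_b", "Follow-up visit scheduled", now=at(10))
    log.append("clinician_a", "Correction: drug A dose is 5 mg daily",
               amends=0, now=at(11))
    return log


if __name__ == "__main__":
    sample = build_sample_log().entries()
    print("chain intact:", verify_chain(sample, sample[-1].entry_hash) is None)
    for root, trail in history(sample).items():
        print(root, [(e.timestamp, e.text) for e in trail])
```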
Having a framework for privacy that can be applied to all PHR products - those tethered to an EHR, those offered by a payer, those sponsored by an employer or those created by a third party vendor - ensures that consumers have a rubric to evaluate these products. Hopefully a certification group like CCHIT will also certify PHR products to this framework, making it easy for consumers to look for the "Good Housekeeping Seal" and be confident that their privacy is being protected.
As I have said many times, with good policy, appropriate technology, and funding, we can do anything. With the release of this framework, the policy is now available.
Tuesday, December 16, 2008
The Lexicon of the Interactive Web
As a champion for social networking and next generation web functionality, I'm often in meetings with folks who are not sure what I mean by Twittering, Facebooking, or Texting. Here's a lexicon of the interactive web, assembled by my colleague, Dr. Michael Parker. Feel free to share it with anyone who has not yet joined the overly connected set!
Web 2.0 – A somewhat loosely defined idea, rather than a reference to any specific technology. It generally refers to use of the web in participatory, collaborative ways where users shape the content. The ability for users to contribute and/or interact is one of the features distinguishing Web 2.0 from the model of viewing static web pages. Web services that fall under this umbrella include social networking sites, video sharing sites, wikis, blogs, and folksonomies (each of which is described briefly below).
Social networking sites – These web sites allow users to form online communities, which can be further organized around specific topics (work or recreational). In general, these sites allow users to maintain profiles with information about themselves and to make connections to other users. Examples include MySpace and Facebook, among many others. More focused examples include LinkedIn and Epernicus.
Video sharing sites – These are sites that allow uploading of video clips for others to view. Probably the most popular example is YouTube.
Wikis – Web pages or web sites that allow people to contribute to and/or edit existing material. Whereas blogs are cumulative, with little if anything being subtracted or modified over time, wikis are iterative in that users continually modify and build upon existing content. Wikipedia is probably the most well-known example of a wiki.
Collaborative document creation – Software that allows multiple users to co-author a document. Web-based versions can maintain multiple backup versions of documents, allow simultaneous editing by multiple users, enable email notification of document changes, among other features. Examples of such software include Buzzword by Adobe and Google documents.
You can also subscribe via RSS (see link at bottom of page when you visit the document) to receive notifications of document changes via programs like Google Reader (see RSS below).
Blogs – A blog is a web site, usually of an individual (although sometimes representing an organization), that has chronological entries of text and sometimes multimedia. Entries are usually shown in reverse chronological order, with most recent entries shown first. Blogs form cumulative records with “posts” (blog owner’s entries) and viewer comments accumulated over time.
RSS – Sites that offer RSS (Really Simple Syndication) feeds allow users to be notified of new or changed content by receiving e-mails or by subscribing via “Reader” technology (like Google Reader). Blog readers are one example, although RSS technology is not limited to blogs.
Folksonomies – A folksonomy may be thought of as a collective of user-defined tags (simple, often single word, descriptions) on web objects (pictures, web pages, documents, etc.). This is different than an expert-defined taxonomy (e.g. MESH terms) in that users are free to come up with their own terms. A folksonomy may facilitate interesting methods of search and exploration, particularly if association is maintained between a user, his or her tags, and the objects being tagged. For example, user #1 could observe that user #2 has tagged a web page with terms that make sense to user #1; user #1 could then look at the rest of the items user #2 has tagged with those terms. The site Delicious is a good example of such tagging and association.
Tags – Simple, often single word, descriptions that users assign to web objects (e.g. photographs or web pages). These are often free-form; in other words, users can come up with their own terms rather than being constrained to choose from pre-existing terms. Although tagging is often performed for one’s own personal retrieval of information, there may be power in making use of the collective set of tags assigned by many users (see Folksonomy).
Instant messaging – Refers to synchronous or near-synchronous interaction via short text-based messages over the internet. It is basically a text-based conversation in real time. AOL (with AOL Instant Messenger or ‘AIM’), Yahoo!, and Microsoft (MSN Messenger) are some of the more popular technologies in this category.
Chat – This tends to refer to multi-user instant messaging applications, and is also called synchronous conferencing.
Text messaging (aka “texting” or SMSing) – Refers to sending short text messages, usually from cell phones. SMS stands for ‘Short Message Service.’ This is a phone-based version of instant messaging, although it has a broad range of applications other than conversational (for example, polling or surveys can be conducted this way).
Voice over IP (VoIP) – Software that allows users to make telephone calls (real time audio communication) over the internet. In many such calls, there are no phones involved, and users are talking/listening via microphones/speakers connected to their computers. Skype is a good example of such a service. These services often also include text-based features like chat.
Web conferencing – Software that allows users to conduct meetings over the web. Common features include screen sharing, text chat, voice over IP, and virtual whiteboard. Examples of software in this category include Adobe Acrobat ConnectNow, GoToMeeting, WebEx, and Elluminate.
Project management software – Applications for managing multi-person projects; may have a variety of features, such as to-do lists, timelines, document version control, multi-person document editing, email notifications of document updates, etc. BaseCamp is one web-based example of such software.
Recommendation engines – Algorithms, like on Amazon or NetFlix, that analyze your shopping/browsing/renting habits and those of others like you and make recommendations as to what you might like.
As a member of the overly connected, you'll find me at:
Facebook
Twitter
Plaxo
LinkedIn
Monday, December 15, 2008
Policy Enablers for Healthcare Information Technology
I've often written that technology needs to be complemented by policy in order to be successful. Local policies help protect privacy by documenting "community standards" and ensure local IT assets are used wisely. Federal and State policies define best practices, align incentives, and establish priorities.
I try to divide my time on various local, state and federal initiatives between technology and policy work to ensure I meet all stakeholder expectations for data use.
Last week I read a great summary of the policy work being done throughout the country. The National Conference of State Legislatures published "Health Information Technology: 2007 and 2008 State Legislation".
Over the past 18 months, 132 bills related to health information technology were enacted in 44 states (everywhere except Arkansas, Kentucky, Mississippi, Nebraska, South Dakota, and Wyoming). Legislation included EHR adoption, e-prescribing incentives, financing, healthcare information exchange, and privacy. This burst of legislative activity demonstrates that eHealth is on the radar screen of just about every state and the pace of change is truly enabling interoperability.
In Massachusetts, there were 3 major legislative efforts in 2007 and 2008:
Massachusetts HB 4141, 2007 (Enacted 7/12/2007)
* Creates an eHealth Task Force that will 1) develop a healthcare information exchange plan to link multiple settings of care, both public and private, 2) evaluate the economic model and the anticipated benefits of electronic health record implementation, and 3) provide quarterly updates to the governor and the chairs of the House and Senate committees on Ways and Means and the chairs of the Joint Committee on Health Care Financing regarding the status of national standards efforts.
Massachusetts HB 4900, 2008 (Enacted 7/13/2008)
* Establishes and appropriates $25 million to the e-Health Institute Fund. Provides the Department of Public Health with $425,710 for a federally funded grant entitled Enabling Electronic Prescribing and Enhancement.
Massachusetts SB 2863, 2008 (Enacted 08/10/2008)
* Establishes the Healthcare Quality and Cost Council, which just launched its transparency site documenting procedure costs, quality and patient satisfaction measures for all hospitals in the state.
* Establishes the Massachusetts e-Health Institute and the e-Health Institute Fund to accelerate EHR implementation.
* Defines consent as Opt-In (no data is shared until patients give permission).
* Establishes rules for reporting unauthorized access or disclosure of healthcare data.
* Requires Computerized Physician Order Entry as a requirement for hospital licensure by October 1, 2012. Requires interoperable CCHIT certified EHRs by October 1, 2015 as a condition of hospital licensure.
* Requires IT competency as a condition for licensing healthcare providers.
* Calls for a medical home demonstration project based on IT interoperability.
The combination of technology, policies, and funding is all we need to accelerate health information technology. The legislative accomplishments of 2007-2008 are a great enabler.
Sunday, December 14, 2008
Luminary Night
Tonight in Wellesley, we had a very spiritual experience.
1000 families donated to help the local food bank and as a sign of solidarity for the season we placed candles (safely in pools of water in paper bag luminaries) in our yards.
The photo above shows the view down my street.
It was a wonderful opportunity for families of all ages, religions, and backgrounds to come together, enjoy the light, and donate to a worthy cause.
My wife, daughter, and I wandered the neighborhood, reconnecting with folks who had retreated into their homes when the weather turned cold a month ago.
One house built a fire ring and offered s'mores, folks brewed hot chocolate and cider, and a horse drawn carriage filled with children circulated the neighborhoods.
Definitely a magical time. My daughter told me that these are the memories she'll remember as an adult. Not a Wii, not an iPod, but families coming together to share the spirit of the season.
Friday, December 12, 2008
Cool Technology of the Week
Given our new 2009 Massachusetts Data Protection regulations, I've been focusing on cool technologies related to information security such as Lo-Jack for Laptops/Blackberries and Third Brigade's Host-based intrusion protection.
Completing the triad of security postings, my cool technology of the week is the Bio-key fingerprint biometrics authentication system, an authentication solution that is my favorite candidate for two factor authentication, such as will likely be required by the Drug Enforcement Agency for e-prescribing of controlled substances.
We're testing their Web-Key product, which provides a browser plug-in for the most popular browsers and interfaces with any fingerprint reader. Our implementation of the software development kit eliminates the need to use passwords and connects our Emergency Department Dashboard web application, our authentication/authorization web service and a fingerprint reader.
Here's the challenge we've had with authentication in the Emergency Department.
Per my recent post about application timeouts, clinicians in the Emergency Room are moving fast from workstation to workstation. The time to sign in can impact their productivity. However, we need to protect patient confidentiality, so we cannot leave workstations logged on.
Ideally, a clinician should be able to walk up to a computer, open a browser, wave their finger over a reader, and get instant access to applications. The Web-Key client is easy to deploy. Once you download their applet it autodetects the fingerprint reader and the client pops up in the browser, offering seamless integration with the web application. It works just as well in Firefox as it does in Internet Explorer.
Simple to implement, standards-based, and easy to use biometric authentication - that's cool!
Thursday, December 11, 2008
Chestnuts roasting on an open fire
I recently visited the Old CiderPress Farm in New Hampshire and had a great conversation with owners Angie & Marius Hauri.
In addition to 60 varieties of apples, they have a magnificent row of Chestnut trees which produce up to 250 pounds per mature tree per season. We bought several pounds of fresh chestnuts, which led us to ask just how do you create "chestnuts roasting on an open fire?" (We already figured out the jack frost nipping at your nose)
First - what is a chestnut? It's not a Water Chestnut. Those are the edible corm of the Chinese Water Sedge (Eleocharis dulcis). It's not a Horse-chestnut (Aesculus hippocastanum), which has bitter/poisonous nuts. (The Horse-chestnut is the spreading chestnut tree mentioned in Longfellow's The Village Blacksmith.)
The chestnut we roast over open fires is the edible, starchy seed of Castanea species, native to Europe, Asia and North America. It has a long history of being a staple food in all these cultures. When I researched the chestnut, I found its nutritional characteristics to be fascinating. One cup of peeled fresh chestnuts contains:
Calories 285
Protein 6.3g
Fat 1.7g
Carbohydrates 74g
Water 66
Fiber 2.6g
Unlike many other nuts, the chestnut is a low fat nut. It's closer to a grain than a nut. For thousands of years it's been ground into flour and used as a vegetable, thickener, and flavor enhancer for pastas.
Roasting chestnuts is a great tradition and I've had bags of hot chestnuts in Tokyo/Kyoto, Taipei, Beijing, London, Paris, and New York. Here's how to do it from The Chestnut Cookbook by Annie Bhagwandin:
To roast a chestnut, you must first pierce the shell to allow hot air to escape while cooking. Use a sharp paring knife to cut a slash through the shell but not into the nut. The larger the cut, the easier the nut will be to peel. Heat the nuts by shaking them in a dry skillet over medium heat for 20 minutes. Alternatively, microwave them on a paper plate for 4 minutes. In an oven, place them on a cookie sheet, sprinkle with water and bake at 400F for 15-20 minutes.
In my experience, baking is best.
Once the nuts are roasted, slice the shells and peel them while they are hot. Hot roasted chestnuts are remarkable. If making a meal of chestnuts, plan on 1/3 pound per person.
For Thanksgiving, we made fresh bread stuffing with pecans and roasted chestnuts. An all vegan dish that was remarkable! You can buy your own online.
Wednesday, December 10, 2008
A Dispatch from IHI
Today, I'm at the Institute for Healthcare Improvement Conference in Nashville, Tennessee. For the past 5 years, I've had the privilege of presenting the Information Technology workshops at IHI, focusing on the quality impact of EHRs and PHRs.
The highlight of IHI is always the keynote address by Don Berwick, CEO of IHI. Past presentations have included Escape Fire and Eating Soup with a Fork.
I'm blogging this year's keynote in real time to capture the high points. The title of the presentation was "Tense". Don began with a poem by David Whyte called Loaves and Fishes.
He noted that hospitals have to report 1500 different quality and performance measures to hundreds of organizations demanding compliance. This takes incredible energy and feels chaotic.
In the past, IHI has tried to organize this chaos into 5 "portfolio areas":
Hospitals
Continuum of Care
Population Health, Experience of Care, Per Capita Cost
Developing Nations
Professional Development
Don hypothesized that 80% of healthcare can be reduced to approximately 100 processes. If we focus on perfecting these 100 processes, we're likely to make a major impact. IHI will soon implement an Improvement Map as a next step to the 5 million lives campaign. He highlighted three new focuses for IHI:
Quality and Financial Management - increased value
Prevent Catheter associated urinary tract infections
WHO Surgical Safety checklist
Atul Gawande took the stage and spoke about the WHO Surgical Safety checklist - SignIn, TimeOut, SignOut. Early pilots suggest it may be the most powerful way for hospitals to reduce harm.
Don announced a challenge to all the hospitals in America - a sprint to implement the WHO Surgical Safety Checklist in 90 days.
Don then described the future by reading two letters that he's written for his daughter Jessica to open in 20 years, describing two healthcare futures.
The first was an apology that we failed to reform and improve healthcare, we tried and failed because change was too hard. The second described the success of change embraced and resistance overcome.
The summary of Don's remarks is that we must cut through the chaos and the overwhelming amounts of data, instead focusing our efforts on just a few high value projects that will create definitive results.
As I wrote in my blog entry Data, Information, Knowledge, Wisdom, simplifying our care processes and ensuring every patient gets the right care at the right time is not only a good idea, it's a necessity.
Tuesday, December 9, 2008
Timeouts for Clinical Applications
I've recently been asked to describe our approach to security timeouts for clinical applications. Maintaining confidentiality of healthcare data is a balance between ease of use and bulletproof security. In an ultimately secure configuration, all logins would require hardware tokens, timeouts would be under a minute, and no remote access would be available. Clearly, such restrictions would be very secure, but so hard to use that patient care may suffer. As an analogy, I tell my staff that the most secure library would never allow its books to be checked out.
What have we done? Virtually all our applications are web-based and we've set a 20 minute timeout for all the web applications we create. Additionally, we have a 20 minute timeout on our SSLVPN for remote access, and a 20 minute timeout for Citrix access. In our experience, 20 minute timeouts enable clinicians to log in, check results, talk to patients, complete a note, write prescriptions, and keep the office running without requiring a frustrating number of logins each day.
The one area where we've used a different approach is the fast paced Emergency Department.
The ED is a challenging computing environment - dozens of users are sharing relatively few machines for just a few minutes at a time. Interruptions are common and although we reinforce the importance of logging off, a security model cannot rely on people remembering to do that. The computer must determine whether the authenticated user is still present and if not, it must restrict access to private data.
Ideally, the computer would use physical detection such as face recognition or signals from an RFID chip on (or in) the user. However, widespread implementation of these systems is complex and expensive, so in most cases the computer must try to infer user presence from available data.
The ED Dashboard is a web-based application that uses JavaScript to detect mouse movement and typing. If three minutes go by without the user moving the mouse or typing a key, it will assume they have left and close the browser's window, hiding all PHI. To avoid closing the window on a user who is still working, there is an indicator that shows the countdown and slowly blinks when 30 seconds remain. As the time approaches zero, the blinking becomes faster and more frenetic in an attempt to catch the eye of the user, if they are still present. A simple twitch of the mouse is all that's needed -- that resets the timer back to three minutes. If the user does not respond in the allotted time, the system initiates a log off sequence that first saves their work before closing the window.
For the current application and use, three minutes strikes the right balance -- if the user is actively working on the computer, the timer will invisibly reset as a side-effect of their work. If they are sitting and reading a note or talking, then wiggling the mouse once every few minutes is a minor imposition.
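As an added illustration (not the ED Dashboard's actual code), the countdown logic described above can be written as follows. The class name, the callbacks, the blink periods and the CSS animation name are assumptions; the clock is injectable so the logic can be checked without a browser.

```javascript
// Added example, not the ED Dashboard's source. Class, callback and element
// names are hypothetical; the timings come from the post.
const IDLE_LIMIT_MS = 3 * 60 * 1000; // three minutes without mouse or keyboard input
const WARN_AT_MS = 30 * 1000;        // the indicator starts blinking at 30 seconds

class IdleLogoutTimer {
  constructor({ now = Date.now, saveWork, closeWindow,
                limitMs = IDLE_LIMIT_MS, warnMs = WARN_AT_MS }) {
    Object.assign(this, { now, saveWork, closeWindow, limitMs, warnMs });
    this.lastActivity = now();
    this.loggedOff = false;
    this.saveError = null;
  }

  // Any mouse movement or key press resets the countdown to the full limit.
  activity() {
    if (!this.loggedOff) this.lastActivity = this.now();
  }

  remainingMs() {
    return Math.max(0, this.limitMs - (this.now() - this.lastActivity));
  }

  // Blink period of the indicator (assumed values): null before the warning,
  // 1000 ms when it starts, shrinking linearly to 200 ms near zero.
  blinkPeriodMs() {
    const left = this.remainingMs();
    if (left > this.warnMs) return null;
    return Math.round(200 + 800 * (left / this.warnMs));
  }

  // Call about once a second; returns what the indicator should display.
  tick() {
    const left = this.loggedOff ? 0 : this.remainingMs();
    if (left > 0) {
      const state = left <= this.warnMs ? 'warning' : 'active';
      return { state, remainingMs: left, blinkMs: this.blinkPeriodMs() };
    }
    if (!this.loggedOff) {
      this.loggedOff = true;  // set first so a late input event cannot revive the session
      try {
        this.saveWork();      // save the user's work before the window closes
      } catch (err) {
        this.saveError = err; // a failed save must not leave PHI on screen
      }
      this.closeWindow();
    }
    return { state: 'logged-off', remainingMs: 0, blinkMs: null };
  }
}

// Browser wiring. Assumes a CSS @keyframes rule named "blink" and an element
// that shows the countdown; neither is described in the post.
function attachToBrowser(timer, indicatorEl) {
  for (const evt of ['mousemove', 'keydown']) {
    document.addEventListener(evt, () => timer.activity(), true);
  }
  const handle = setInterval(() => {
    const s = timer.tick();
    indicatorEl.textContent = Math.ceil(s.remainingMs / 1000) + ' s';
    indicatorEl.style.animation =
      s.blinkMs ? `blink ${s.blinkMs}ms step-end infinite` : 'none';
    if (s.state === 'logged-off') clearInterval(handle);
  }, 1000);
  return handle;
}
```

A timer like this only hides what is on screen; the server-side session still needs its own expiry, because script running in the browser can be stopped or bypassed.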
New functionality, such as clinical documentation and mobile computing, is changing the way people use these systems and requires re-evaluation of this setup. We are also looking at biometric login capabilities to make secure login much easier and therefore lessen the inconvenience of timing out.
In addition to all these timeout features, we have a comprehensive access auditing system. Auditing is an often overlooked but important adjunct to timeouts. A decade ago, we began with a manual review of access made by users each month. We then implemented an automated report. We added IP location information to the report and started tracking accesses from unusual locations. Our next steps are to continue to add more systems into the audit and to enhance the sophistication of the automation. Our ultimate goal is to run nightly heuristics on log information, cross-walk that data with the Active Directory logs, network logs and historical patterns to identify any accesses that look questionable for manual review.
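A nightly heuristic of the kind described above might look like the following added example, which is not our audit system's code. The record fields, the subnet-to-location table, the 12-hour logon window and all sample log entries are constructed assumptions.

```javascript
// Added example with constructed data; record fields, the subnet table and
// the 12-hour logon window are assumptions, not the hospital's audit schema.
const SUBNET_LOCATION = new Map([
  ['192.0.2', 'Emergency Department'],
  ['198.51.100', 'Inpatient Ward'],
]);

// Map an IPv4 address to a location by its first three octets.
function locate(ip) {
  const prefix = ip.split('.').slice(0, 3).join('.');
  return SUBNET_LOCATION.get(prefix) || 'external/unknown';
}

// Historical pattern: the set of locations each user has accessed records from.
function buildBaseline(history) {
  const baseline = new Map();
  for (const { user, ip } of history) {
    if (!baseline.has(user)) baseline.set(user, new Set());
    baseline.get(user).add(locate(ip));
  }
  return baseline;
}

// True if the directory log shows this user logging on at this address
// within windowMs before the application access.
function hasMatchingLogon(access, adLogons, windowMs) {
  const at = Date.parse(access.time);
  return adLogons.some((l) => {
    const age = at - Date.parse(l.time);
    return l.user === access.user && l.ip === access.ip && age >= 0 && age <= windowMs;
  });
}

// Nightly pass: return only the accesses a reviewer should look at, with reasons.
function reviewNightly(accesses, history, adLogons, windowMs = 12 * 60 * 60 * 1000) {
  const baseline = buildBaseline(history);
  const findings = [];
  for (const access of accesses) {
    const location = locate(access.ip);
    const known = baseline.get(access.user);
    const reasons = [];
    if (!known) reasons.push('no-history');
    else if (!known.has(location)) reasons.push('unusual-location');
    if (!hasMatchingLogon(access, adLogons, windowMs)) reasons.push('no-matching-ad-logon');
    if (reasons.length > 0) findings.push({ ...access, location, reasons });
  }
  return findings;
}

// Constructed sample logs (documentation IP ranges, made-up users and record ids).
const HISTORY = [
  { user: 'jdoe', ip: '192.0.2.10' },
  { user: 'jdoe', ip: '192.0.2.11' },
  { user: 'asmith', ip: '198.51.100.5' },
];
const AD_LOGONS = [
  { time: '2008-12-08T07:55:00Z', user: 'jdoe', ip: '192.0.2.10' },
  { time: '2008-12-08T08:00:00Z', user: 'asmith', ip: '198.51.100.5' },
  { time: '2008-12-08T22:50:00Z', user: 'jdoe', ip: '203.0.113.7' },
];
const TONIGHT = [
  { time: '2008-12-08T08:05:00Z', user: 'jdoe', ip: '192.0.2.10', record: 'R-1001' },
  { time: '2008-12-08T08:30:00Z', user: 'asmith', ip: '198.51.100.5', record: 'R-1002' },
  { time: '2008-12-08T09:00:00Z', user: 'asmith', ip: '192.0.2.11', record: 'R-1003' },
  { time: '2008-12-08T10:00:00Z', user: 'tnew', ip: '198.51.100.9', record: 'R-1004' },
  { time: '2008-12-08T23:00:00Z', user: 'jdoe', ip: '203.0.113.7', record: 'R-1005' },
];

// Run the nightly review over the constructed logs.
function runSample() {
  return reviewNightly(TONIGHT, HISTORY, AD_LOGONS);
}
```

On the sample data, the two routine accesses pass and three are queued for manual review, each with the reasons that put it there.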
Monday, December 8, 2008
Obama's Economic Plan
At 11am on Saturday December 6, President-elect Obama announced the three major pillars of his economic recovery plan: rebuild our roads/bridges, enhance our schools including broadband, and deploy electronic health records for every clinician and hospital in the US.
I've written several recent blogs about the cost of electronic health records, the state of interoperability, and my predictions for the early healthcare IT activities of the Obama administration.
I can summarize all my advice to the new administration in one sentence:
Allocate Federal funds of $50,000 per clinician to states, which will be held accountable (use it or lose it) for rapid, successful implementation of interoperable CCHIT certified electronic records with built in decision support, clinical data exchange, and quality reporting.
Not only will this improve care coordination which will lead to better healthcare value (reduced cost, enhanced quality), it will create jobs.
Just how many? For just the Beth Israel Deaconess Community Clinician project, here's the list of jobs we created:
In 2009, we will implement 150 physicians in 75 practices, or 13 physicians in 6 practices per month. The direct staff we'll need are:
Massachusetts eHealth Collaborative: 6 FTEs (5 practice consultants plus a project manager)
Concordant: 9 FTEs (5 on-site assessment/design/deployment/support, 2 technical lead/system architect, 2 project management)
eClinicalWorks: 4 FTEs (3 on-site trainers, plus part of a product specialist and a project manager)
At BIDMC, the project is run by 3 FTEs (Project Director, Technical Lead, Senior Practice Consultant)
Thus we've created 22 jobs for the rollout and support of our EHR project. Multiply this by the number of clinicians needing EHRs in the country and you'll see that the Obama plan will create tens of thousands of new high tech jobs.
When I've discussed the Obama Economic plan with my colleagues, some have said that it's too early to invest in EHRs because they are not yet standards-based or fully interoperable. I believe that commercial EHRs are good enough and as of 2008, we have many real examples of data sharing. Here are the statistics from our work in Massachusetts that includes homegrown EHRs, eClinicalWorks, GE Centricity, Next Gen, Allscripts/Misys, and Epic.
NEHEN - In 2008, we've done 60 million data exchange transactions a year from EHRs, practice management systems, and hospital information systems.
MA-Share - We've done half a million e-prescribing transactions among providers, payers and pharmacies. Every discharge from the hospital and emergency department at BIDMC generates a standards-based clinical summary which is sent electronically to PCPs and referring clinicians. In 2009, we'll expand this to include referral workflow, community to community exchange, and several additional hospitals including Children's.
Massachusetts eHealth Collaborative - We've wired three communities (Brockton, Newburyport, North Adams) with roughly 500,000 patients, 597 physicians in 142 practices in 192 sites, and 4 hospitals including hospital-based laboratories and imaging centers. North Adams went live in May 2007, Newburyport went live in September 2008, and Brockton is 40% complete. Data exchange includes problem lists, procedures, allergies, medications, demographics, smoking status, diagnoses, lab results and radiology results. Standards used include HL7 2.6, Continuity of Care Record/Document, NCPDP Script 8.1, LOINC, CPT4, ICD9, and RxNorm. Over 90% of patients have opted in for community data sharing. Over 300,000 records have been exchanged, all from existing commercial EHRs.
Thus, the EHRs are ready, the standards are harmonized, the architecture is designed, and the only barrier is political. The Obama commitment to a nationwide EHR implementation effort means that 2009 is the tipping point. Let us band together, payer, provider, employer and patient, to make it happen!
Friday, December 5, 2008
Cool Technology of the Week
As we prepare for compliance with Massachusetts Data Protection regulations, I've been checking out ways to encrypt, remotely manage, and track the location of mobile devices.
I recently had lunch with John Livingston, CEO of Absolute Software, to discuss their laptop encryption and asset tracking solutions. I agreed to serve as a personal beta tester of their new Blackberry Computrace Mobile location tracking and data protection solution.
Here was my evaluation. On Monday, I installed the agent on my Blackberry Bold 9000 and boarded a plane for Rapid City, South Dakota. I spent the day with the board of Regional Hospital to discuss their options for EHR rollout and community connectivity throughout Western South Dakota. While sitting in a diner near Mt. Rushmore and staring into my vegan mashed potatoes, I had the sudden compulsion to drive to Devil's Tower, Wyoming (pictured above) about 100 miles away.
I left I90 at exit 199 and drove the scenic route through Hulett, Wyoming to arrive at the base of the tower at sunrise. Other than a flock of turkeys and a herd of deer, I was the only human for miles. I ran around the base passing hundreds of Native American prayer cloths and offerings. I drove back along Highway 14 through Spearfish, South Dakota to the Rapid City Airport and flew to Denver. From Denver I returned to Boston, then Wellesley, then Harvard.
The Absolute Computrace agent tracked my every move in High Plains, and my entire route to Boston and back.
The Computrace Customer Center keeps a record of all my Blackberry locations and makes it easy to track me, track my devices, report a theft, and if needed do a remote wipe of all the data on my devices.
I've given my wife and daughter a login to the site so they can track me at all times. Although the Absolute products are primarily encryption, tracking, and data protection systems, they are also a very cool geotracking system for Blackberry owners (with their consent).
Tracking my devices and tracking me on the web, that's cool!
Thursday, December 4, 2008
A Toolbox for Sustainable City Living
It's a small world and we're all connected.
A few weeks ago, I was playing my Japanese flute in a forest near my home in Wellesley. A gentleman stopped to listen and introduced himself as Gregory Peterson, a Harvard alum who owns a communications firm. He wondered if I was a musician. I explained that I was a CIO. He then asked if I knew anything about Green IT. I told him that I've blogged extensively about it.
Greg introduced me to Susan Labandibar, President of Tech Networks of Boston. She, Greg and I had a vegan lunch last week at My Thai Vegan Cafe in Brookline. Susan is also a vegan and is deeply committed to sustainability in IT and in life.
We talked about Power Usage Effectiveness and measuring the energy savings of Cloud Computing/Software as a Service. We talked about thin client computing. We talked about virtualization.
I truly believe that in an era of constrained resources, rising expenses and a faltering economy, all of these issues will be increasingly important to CIOs and I expect Susan's company to be very successful.
On a personal note, Susan gave me a copy of "Toolbox for Sustainable City Living" by Scott Kellogg and Stacy Pettigrew. It's available from South End Press.
I've written about lowering my impact on the planet and my dreams of a greener existence.
This book is a great primer for those seeking to move off the grid. Admittedly, some may find the recommendations a bit extreme, but I really appreciated the authors' point of view.
Although I've considered building a solar cell array on the south facing rooflines of my house, solar cells have a reasonably short lifespan and require a high level of technological sophistication to fabricate.
Creating passive solar systems which capture the sun's light via south facing greenhouse windows, using biofuels, and building small scale wind power are ultimately more sustainable because a non-technological society can easily create and install such systems.
The book includes chapters on sustainable food strategies, water collection/purification, waste recycling, energy, and bioremediation of pollutants.
When I read this book, I really thought of Myst. Imagine a world in which the inhabitants create self sufficient communities using basic technologies in advanced ways to achieve sustainable, environmentally friendly homes.
I realize that the idea of growing your own foods, providing for your own water, harnessing your own energy, and recycling your wastes seems out of the mainstream for the 21st century. However, as resources become more constrained and the world economy seems increasingly unstable, such self sufficiency seems very forward looking. I want my daughter to inherit a planet she can thrive in, so I will pursue sustainability in my own incremental way, for the rest of my life.
Wednesday, December 3, 2008
The Costs of Accelerating EHR Adoption
Many studies have demonstrated that Electronic Health Records (EHRs) can improve quality and reduce costs through coordinated delivery of the right care at the right time. The escalating cost of healthcare and the downturn in the economy are the perfect storm to create real urgency for implementing Healthcare Information Technology.
Many clinicians cannot afford EHR implementation. Stark safe harbors help physicians affiliated with hospital systems but do not help unaffiliated clinicians.
An early priority for the Obama administration should be decisive, rapid action to accelerate the adoption of EHRs via broadened Medicare/Medicaid incentives to implement and use Certification Commission on Healthcare Information Technology (CCHIT) certified products. Federal funds are needed to subsidize implementation teams and locally credible EHR champions who inspire and motivate providers at the grass roots level in each State. In order to receive funding, States should have to create EHR adoption services that effectively and efficiently deploy EHRs to achieve low failure rates and meet quality/safety goals. Funds should include direct payment, low interest loans, tax credits, pay for performance incentives, and penalties for delayed adoption. Grant funding, however, is probably not an effective vehicle, since it doesn't give Federal/State governments enough control, nor is it usually focused on sustainability.
How much is needed? Our Massachusetts experience suggests that approximately $350 million is needed to complete the rollout of EHRs in our state - about $50,000 per practicing unaffiliated clinician.
Here are the breakdowns of community EHR implementation costs at BIDMC/BIDPO, the Massachusetts eHealth Collaborative, and the New York Department of Health and Hygiene EHR project.
| Costs per licensed user | BIDMC | MAeHC | NYC |
|---|---|---|---|
| Software | 5,998 | 10,800 | 4,500 |
| Hardware | 10,561 | 17,783 | 15,000 |
| People | 29,641 | 17,660 | 16,000 |
| Total | 46,200 | 46,243 | 35,500 |
Assumptions:
1) Software costs include only the direct licensing costs for EHR and non-EHR software. MAeHC software costs are higher because several different EHRs were implemented, creating more complexity.
2) The NYC costs do not include non-EHR software.
3) Hardware includes practice-level and central-site hardware.
4) People includes direct services from staff, whether vendor-provided or sponsor-provided.
5) These costs are for implementation only. The average annual per physician support costs are roughly $5,500 per user for BIDMC and $6,500 per user for MAeHC.
Further detail:
1) BIDMC includes 300 docs. MAeHC includes 575 docs. NYC includes 1,200 docs.
2) The people costs are not directly comparable, because neither MAeHC nor NYC has accounted for the entire provider-side of the costs of hardware integration. For example, with MAeHC, vendors designed and the hospitals implemented the local ASP environments, but we do not know the labor cost at the hospitals. With the BIDMC project all costs are explicit because the ASP environment was outsourced. The NYC practices are purchasing hardware on their own, so we do not know the exact costs.
3) BIDMC will get some scale benefit once the number of implementations grows. The per user people costs include the design and build of the central site and the cost of the Project Management Office.
4) BIDMC actual hardware costs will probably be higher based on the implementations to date because the practices are purchasing more equipment than originally budgeted (i.e. more printers, laptops, and tablets for support staff).
As a country, we have enough experience with live implementations to know what needs to be done to implement EHRs and the cost of doing it. The time for grants and experimentation has passed. To borrow a marketing slogan, the time is right to "Just Do It" by providing financial incentives.
Tuesday, December 2, 2008
An Epidemic of Overtreatment
This blog entry was co-authored with Rich Parker MD, Assistant Professor, Internal Medicine, Healthcare Associates.
Healthcare costs in the US are approaching 17% of the GDP and may be as high as 20% in the next few years.
What is causing the US to have the highest cost and lowest value for the healthcare dollar? Simple - it's overtreatment.
Overtreatment takes many forms - from over-ordering expensive diagnostic tests to the prescribing of expensive and sometimes unneeded therapeutics.
There are many reasons for this. Here are just a few:
1. Incentives are misaligned. Healthcare reimbursement in the US pays for quantity, not quality. This means that clinicians benefit from performing more procedures, hospitals benefit from more diagnostic testing, and the pharmaceutical industry benefits from adoption of new name brand drugs. If you do not believe this to be the case, spend a day in an ambulatory care clinic or a hospital and see what goes on. Ask any resident, fellow or attending how many tests and treatments are unneeded. We believe that paying for wellness or paying for outcomes will solve this piece of the overtreatment puzzle. If doctors and hospitals had to live within a budget, diagnostic and treatment strategies would change quickly and become less expensive for all of us with equally good clinical outcomes.
2. We've attended many gatherings where parents discuss brand name powerful antibiotics and recommend that they become the first line drug for treatment of anything their children complain about. "Don't accept Amoxicillin, go for the Augmentin or Cipro". John's daughter is 16 and has not ever taken an antibiotic in her life. She's had a few viruses, but no virus is cured by antibiotics. Overtreatment of the pediatric population with powerful antibiotics creates resistant organisms that make children sicker and create a dependency on ever more powerful antibiotics. The problem with adults is equally severe. Watch the evening news and within an hour you'll hear about a dozen brand name pharmaceuticals treating diseases you've never heard of, but may now suspect you have. The United States is the only country in the world that allows “direct to consumer” advertising. We believe this advertising should be regulated to solve this piece of the overtreatment puzzle. Those advertising dollars end up coming out of your pocket too!
3. Some patients are not willing to accept risk or shared decision-making with their doctors. They want to begin the evaluation of back pain with an MRI instead of trying a course of gentle exercise and pain meds. Many issues do not have a clean or simple diagnosis. Eat right, exercise, avoid caffeine/nicotine, and let the body heal itself. For many conditions, rest and time cure the problem. Although the healthcare systems of Canada and the UK have their problems, the fact that access to expensive diagnostics is limited enables patients and their doctors to work together on simpler evaluations and therapies as a first step. We need to change the cultural expectation that expensive tests are "first line".
4. As a country the US eats poorly, avoids exercise, drinks an infusion of lattes, and then wants to take a pill to make all the lifestyle diseases go away. Lifestyle issues should be treated with lifestyle changes, not pharmaceuticals or nutraceuticals. Our own experience convinced us of this. John gave up the lattes, the super-sized meals, and began daily exercise 7 years ago. Since that time, all his lifestyle diseases have disappeared.
5. Overtreatment begets overtreatment. If a lifestyle disease is treated with pharmaceuticals, it's likely that those medications will cause side effects. The symptoms of side effects lead to further diagnostic testing and more pharmaceuticals are often the result. We know several patients who are on medications for hypertension due to overeating, H2 blockers due to excess caffeine/nicotine consumption, and several medications to treat the side effects of their initial medications. Two or three medications can fast become ten. We've suggested taking a medication holiday with appropriate clinical supervision, redesigning their diets, and beginning daily exercise. The answer we often hear is that taking all those pills, having all those tests, and visiting their clinician often is easier than changing their lifestyle.
6. Today on the local radio station, an attorney asked the question "have you ever had a bad outcome or misdiagnosis? I've been holding doctors accountable for 30 years. Call me and we'll get you the cash settlement you deserve." There are bad doctors. There are doctors who are unskilled at surgery or provide very non-standard care. However, most clinicians are trying to do the right thing. Medicine is not an exact science. It's based on experience and probabilities. This means that even the best clinician will miss a rare disease or an atypical presentation of a common disease. As a country, we need to realize that delayed or misdiagnosis will occur despite best efforts and accept a low level of imperfect outcomes instead of forcing every doctor to overtreat every patient in the pursuit of 100% certainty. Both patients and doctors together must accept some degree of uncertainty or we will continue to bankrupt our system.
Our economy has lost its competitive edge because our healthcare costs have ballooned to extreme levels due to misaligned incentives, overzealous pharmaceutical marketing, expectations of high cost testing/therapeutics, excessive administrative costs and complications due to overprescribing and fear of litigation.
The diagnosis of overtreatment is simple. The therapies are complex. We've proposed a few fixes above and will continue to write about this topic in blogs to come.
Monday, December 1, 2008
Interoperability Advice for the New Administration
As policymakers consider ways to reduce healthcare cost and improve quality, I'm often asked about the current readiness of standards and interoperability.
I believe that standards are no longer the rate limiting step.
On November 12, I presented an overview of standards readiness to Secretary Leavitt and AHIC. The video is available online.
My presentation begins at 1 hour and 8 minutes. Anyone wanting to view it can just use RealPlayer to advance to that point.
You'll see that as a country, we have finished:
2006 - Personal Health Records, Laboratories, Biosurveillance
2007 - Medications, Quality, Clinical Summaries
2008 - Medical devices, Referrals, Family History/Genome, Secure messaging, Public Health Reporting, Immunizations
In 2009, we'll complete Newborn screening, Clinical Trials/Research and close a few minor gaps.
All the stakeholders (vendors, government, academic, pharma, labs, payers, providers, patients) have agreed on the needed standards by consensus. Secretary Leavitt has Recognized all the 2006 and 2007 standards and will be Accepting the 2008 standards on January 8, 2009. Recognition means that the standards are required for use by all Federal agencies. Acceptance means that a year of testing begins and Recognition will follow.
Thus, there is no need to wait for the standards. Vendors are beginning to implement these standards and the Certification Commission on Health Information Technology is beginning to require them.
If standards are not the issue, what about security and privacy? As readers of my blog know, I am passionate about the need to protect confidentiality.
I believe that security is no longer the rate limiting step.
The standards for security were finished in 2007. They are available online and have been fully incorporated into all the HITSP interoperability specifications including all the needed security standards to support encryption, authentication, authorization, audit trails, non-repudiability, and patient consent.
These security standards can enforce any local privacy policies - from something basic like HIPAA to something complex like the Massachusetts approach to opt-in consent at the institutional level.
It is true that the US has very heterogeneous privacy policies in states and localities that pre-empt HIPAA, but that is not a security or technology issue.
What about architecture?
I think that we've done enough pilots and experiments to know what architecture we need.
The US already has a functional architecture for e-Prescribing including retrieval of comprehensive medication history. The US already has a functional architecture for exchange of lab results among providers, patients and commercial labs.
What's missing is a clinical summary exchange that ensures care coordination among providers of care and patients. I've written about a simple, internet-based, service oriented architecture that can securely exchange structured healthcare data between stakeholders. This approach can be used to:
a. Send / push / route hospital data to appropriate parties
b. Send / push / route visit and other data in support of referral consultation
c. Send / push / route visit and other data for standardized quality reporting
d. Send / push / route data for patient health records (PHRs)
Note that none of these transactions creates new privacy issues. Every one of them is currently required by good medical practice or by law, and is performed on paper today.
Thus, interoperability is implementable today with harmonized standards, appropriate security, and a service oriented architecture using the internet.
Now we need incentives to implement it.
Data exchange is a public good in many ways, so it will be challenging to fund purely based on local stakeholder contributions. There is a need for Federal leadership and funding to mandate very specific transactions on a defined implementation timetable. We should accelerate adoption through the same approach the US is using for e-Prescribing: regulation to create mandates and incentives to create urgency, followed by penalties for late implementation.
Experience has taught me that it's best to automate existing processes rather than trying to simultaneously change process and add technology. The approach I've presented above is a good short term solution. In the long term, let's hope that patients become stewards of their own data via PHRs or establish a "medical home" - a primary care giver who coordinates all their care. The architecture could easily evolve such that every entity which provides care has to push the data into a "medical home" EHR in a standardized fashion.