Monday, October 31, 2011

What Keeps Me Up at Night, FY12 Edition

Every year I write about the projects and trends which keep me up at night.   Here's my list for FY12:

1. Workforce recruitment/retention - $27 billion in stimulus funds from HITECH have increased demand for experienced IT staff to implement and support electronic health records.   In many ways, it's a mini "dot com" boom for healthcare IT experts.    This makes recruiting and retaining qualified staff even harder.  Tomorrow, I'm meeting with a consulting team to formulate an FY12 workforce strategy.

2. 5010/ICD10 - 5010 describes a set of X12 standards used for administrative transactions (benefits/authorization, referral authorization, claims).   Payers and providers must support 5010 by January 1, 2012 or risk disruption of the revenue cycle.   BIDMC completed all its 5010 work and is now in final testing with every payer.   Most payer and provider stakeholders will meet the deadline, but significant resources have been pulled from other projects.   ICD-10 implementation is required by October 1, 2013 and I've written about those challenges.  Billions will be spent, many healthcare IT projects will be deferred for the next 2 years, and the end result will be no cost savings (coding costs are likely to increase 50%), no quality improvement, no increased safety, and no efficiency gains.  If we complete the ICD-10 project on time, no one will notice, but customers will all be angry at the IT department (and the CIO) for the work on other projects that was deferred.

3. Vendor Product Quality - over the past year, I've had several bad experiences with infrastructure and application vendors which delivered products that did not have the reliability, security, or performance promised.   Why?
* the pace of innovation is so fast that time for quality assurance is diminished.
* the economy has stressed companies and they are focused on making as many sales as fast as they can while controlling development and support costs.
* the end result is less satisfied customers.

4. Storage growth - BIDMC is approaching 2 petabytes of clinical data and Harvard Medical School has exceeded 3 petabytes of research data.   Balancing transactional performance, reliability, and the cost of storage at petabyte scale is very challenging.   In FY12, I'll continue to introduce new storage technologies and management tools (including chargebacks to sustain the cost of storage growth), with the hope that I'll be able to keep up with demand.

5.  Analytics/Business Intelligence - We have petabytes of data but users want information, knowledge and wisdom.    In FY12, I have a five-part strategy to support analytics:

a.  For comprehensive ad hoc analytics with quality assurance, BIDMC has an expert data mining team which can explore any clinical or financial data while reviewing the accuracy of the underlying data.

b.  For less rigorous ad hoc analytics, we have a self service query tool which enables users to explore data themselves.   However, such self service queries are unlikely to filter out data of questionable quality (men having babies, women having prostate procedures, etc.).

c.  For reports that are run frequently, we're developing a new set of business intelligence tools that use Microsoft SQL Analysis and Reporting services.

d.  For our Blue Cross Alternative Quality Contract and our Accountable Care organization activities we have a  Quality Data Center that aggregates clinical data.  We also have an all payer claims data warehouse.

e.  For unstructured data we plan to experiment with a new generation of natural language processing tools.
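To make item (b) concrete, here is an added example of what a plausibility filter in front of a self-service query could look like. It is my own illustration, not BIDMC's query tool or any code from the post: the encounter rows and the rule table are constructed, the rule set is deliberately tiny, and a real filter would take its rules from the data mining team that item (a) describes.

```python
"""Plausibility filter in front of a self-service clinical query.

Added example, not code from BIDMC. Rows, rules and column names are all
constructed for illustration; sqlite3 stands in for the real warehouse.
"""
import sqlite3

# Constructed encounter rows: (patient_id, sex, age, procedure description).
ENCOUNTERS = [
    (1, "F", 29, "vaginal delivery"),
    (2, "M", 41, "prostate biopsy"),
    (3, "M", 34, "vaginal delivery"),   # male delivery: implausible
    (4, "F", 52, "prostate biopsy"),    # female prostate procedure: implausible
    (5, "F", 3, "hysterectomy"),        # implausible for a 3-year-old
    (6, "M", 67, "colonoscopy"),
]

# Constructed rule table: a keyword found in the procedure description,
# the sex the procedure requires (NULL = no restriction) and a minimum age.
RULES = [
    ("delivery", "F", 10),
    ("prostate", "M", 0),
    ("hysterectomy", "F", 10),
]

# Rows that violate any matching rule. Kept as a view so every
# self-service query can exclude them with one sub-select.
IMPLAUSIBLE_SQL = """
SELECT e.patient_id, e.sex, e.age, e.procedure
FROM encounter e
JOIN rule r ON e.procedure LIKE '%' || r.keyword || '%'
WHERE (r.required_sex IS NOT NULL AND e.sex <> r.required_sex)
   OR e.age < r.min_age
"""

def load(conn: sqlite3.Connection) -> None:
    """Create the constructed tables and the plausibility view."""
    conn.executescript(f"""
        CREATE TABLE encounter(patient_id INT, sex TEXT, age INT, procedure TEXT);
        CREATE TABLE rule(keyword TEXT, required_sex TEXT, min_age INT);
        CREATE VIEW implausible AS {IMPLAUSIBLE_SQL};
    """)
    conn.executemany("INSERT INTO encounter VALUES (?,?,?,?)", ENCOUNTERS)
    conn.executemany("INSERT INTO rule VALUES (?,?,?)", RULES)

def implausible_rows(conn: sqlite3.Connection) -> list:
    """Rows a self-service user would never notice were wrong."""
    return conn.execute("SELECT * FROM implausible").fetchall()

def count_procedure(conn: sqlite3.Connection, keyword: str,
                    exclude_implausible: bool = True) -> int:
    """The kind of count a self-service user asks for, with or without the filter."""
    sql = "SELECT COUNT(*) FROM encounter WHERE procedure LIKE ?"
    if exclude_implausible:
        sql += " AND patient_id NOT IN (SELECT patient_id FROM implausible)"
    return conn.execute(sql, (f"%{keyword}%",)).fetchone()[0]

def demo() -> dict:
    """Run the filter over the constructed data and return the results."""
    conn = sqlite3.connect(":memory:")
    load(conn)
    return {
        "flagged": implausible_rows(conn),
        "deliveries_raw": count_procedure(conn, "delivery", exclude_implausible=False),
        "deliveries_clean": count_procedure(conn, "delivery"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of keeping the rules in a table rather than in the query is that the expert team owns and extends them, while every self-service query picks them up through the view without its author having to know they exist.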

6. Healthcare Reform and Mergers - Accountable care organizations require substantial IT investments and new processes to coordinate/manage care across the community.  Smaller organizations may be unable to implement all that is needed so they may seek mergers with a larger organization.   Today I oversee the IT requirements for 2 hospitals and multiple clinician groups.   Over the next year, I believe the number of affiliated organizations requiring IT support will increase, requiring new investments in healthcare information exchange and analytics.

7. Mobile devices/consumer IT - We have 1000+ iPads accessing our web-based applications today.  Clinicians are mobile people and need to view results, enter orders, and communicate with team members at the bedside.     Increasingly they'll want to use their own devices, which creates support and security challenges.

8. Governance - Governance is essential to maintain satisfaction in budget constrained times.     In all IT organizations, the supply of resources is fixed, but demand is infinite.   There’s a direct relationship among project scope, project timing, and project resources.   Governance and communication are the best tools to reduce scope, limit demand, and keep satisfaction at reasonable levels.   Here’s how BIDMC does it.

9. Compliance/Regulatory Pressures -  At the same time that Meaningful Use empowers care coordination, population health, and public health with health information exchange, the penalties for privacy breaches have increased.   Thousands of new regulations have been enacted in the US during my 15 years as CIO.  With nearly 25% of my IT organization working on some aspect of compliance, the amount of time left for innovation is diminishing.

10. Security - The internet has become a swamp with nearly 50% of internet devices infected with some type of malware.  The most basic freedoms we've enjoyed on the internet - the ability to visit any site, experiment with new applications, and share media with friends - are now a threat to the privacy of business data. The next year will require us to rethink how consumer computing and business computing can co-exist.

That's an intimidating list.  However, there is always hope and we'll make progress in all these areas over the next year.   By FY15, we will not even remember the events of FY12.   Accelerating challenges come with the territory of being an IT leader.  Keep smiling.

Friday, October 28, 2011

Cool Technology of the Week

On November 18, I'm giving a lecture about technologies that educators can use to mentor their students.

My experience running Harvard's Mycourses taught me that social networking for student/faculty interaction works very well.    Blogs, wikis, chat rooms, and interactive simulations are useful, but structured community question/answer requires a more powerful tool.

I recently heard about Piazza, a Silicon Valley startup that supports over 900 school campuses and tens of thousands of students with a free online collaboration platform.

It has received investment from several venture capitalists, no doubt because it has attracted a large number of devoted users who spend hours per day using the site.

It provides a faculty platform for managing queues of questions, triaging crowd sourced answers to questions, and entering answers.

Also, there's a student platform for reading answers and sharing ideas with other students.

A social networking platform for students and faculty that empowers students to master difficult concepts together.   That's cool!

Thursday, October 27, 2011

A Personal Experience with 4G LTE

Steve Berry, BIDMC's Director of Academic and Research Computing, wrote this guest blog entry, about his experience with 4G LTE:

"I've had the Verizon MiFi 4G LTE card for 6 months.

In a 4G network area, the access and speed are incredible.  It is so good that you can exceed the 5GB monthly service cap in 4-5 hours!

Once you limit your newfound flexibility, it is like having your Ethernet access everywhere. It even worked well while driving long distances.

In a limited 4G network (like the commuter rail line between Boston and Worcester), it is very problematic.    When the 4G signal is low and a 3G is available, the device switches modes. This drops the existing connection and  3G takes 20-30 seconds to activate.  If you happen to come back into a 4G area (signal level above the 3G value), it switches modes again taking another 30 seconds to establish an active link.  In the 1 hour Worcester to Boston route, I used to lose 3G connectivity twice and lose about 2 minutes while the SSLVPN and MiFi resynchronized.  Since moving to the 4G, I lose 30 minutes of the 1 hour commute due to continuous mode changes.

There is no ability to force the unit into 3G or 4G only mode. There is no standard for setting up a new connection before dropping an existing connection.  Recent firmware updates have not improved performance.

If you have not yet upgraded to 4G LTE, it's important to first study your usage patterns and the 3G/4G coverage in your area.  Moving through a mixed area is actually the worst of both worlds.

On my recent vacation, my daughter found that the iPad easily linked to the MiFi (all LTE in Tampa). She happily watched her Netflix videos for several days and I was none the wiser until a month later when the monthly bill came and I was being charged for 25GB of data activity. I had no idea what caused the overage until I reviewed the dates!"

Thanks for your insights Steve.

My iPhone 4S arrives soon and should not have this problem because it does not yet support LTE.  By the time Apple releases an LTE phone, 4G wireless should be more ubiquitous in Massachusetts.

Wednesday, October 26, 2011

It Takes a Village

In 2008, four people stopped by my BIDMC office to chat about the future.   They were Farzad Mostashari, Todd Park, Aneesh Chopra, and Peter Basch.   They had a vision to change the world through technology, EHR adoption, and data liquidity.

Little did I know that at the meeting, I was chatting with the future National Coordinator for HIT, the future CTO of HHS, the future CTO of the US, and an influential policy thinker at the Center for American Progress.

Since that meeting, I've stayed in touch with them to exchange ideas, seek their advice, and share lessons learned.

In 2009, I became co-chair of the HIT Standards Committee.   Little did I know that the HIT Standards Committee would become the most functional, most productive, and hardest working federal advisory committee in the Obama administration.  Its experts have helped me enhance IT capabilities in all my technology roles.

In 2010, I worked with Brian Biles and Steven Morrison of the Center for Strategic and International Studies on Japanese healthcare IT policy.   Little did I know that the work would become a foundation for earthquake/tsunami recovery IT planning.    Brian and Steve inspired several trips to Japan and meetings with numerous government, academic, and industry leaders.

In 2011, I began working with Rick Shoup, Manu Tandon, and Micky Tripathi on Healthcare Information Exchange planning for Massachusetts.   Little did I know that together they would create a unified Healthcare Information Exchange strategy for the Commonwealth that integrates public sector and private sector priorities with multiple funding streams into a single, extraordinary work plan.   It has become one of my favorite projects.

On Friday, I'm co-leading a design session for public key infrastructure (PKI) in Massachusetts.  I called my friend Dixie Baker at SAIC, my friend Arien Malec at RelayHealth, and my colleagues in government to share their experiences creating a trust fabric for large groups.   Massachusetts will succeed by seeking the wisdom of others.

When I was young, I thought I had to be smart enough to solve every problem myself.  In today's world, I'm convinced the best way to make a difference is surrounding yourself with people who are smarter than you.  The best solutions take a village.

I've said that my tombstone will hopefully read "he made a difference".   After the past few years of working with smart people, I'm convinced it would be better as "he was part of a village that changed the world."

Tuesday, October 25, 2011

The Healthpad Panel at AMIA

Yesterday I was in Washington DC at the American Medical Informatics Association annual meeting to join a panel with Dr. Henry Feldman, Dr. Larry Nathanson, and Janet Meyers RN discussing the use of tablet computers in medicine - Session S36 "Tablets in Healthcare: Not Just for Pills Anymore"

Dr. Feldman began the presentation with great showmanship, pulling his iPad from a bucket of water, illustrating how the FrogSkin protects even a submerged iPad.   He discussed his iPhone sterilization experiments.   As a busy hospitalist, he explained the value of the iPad in providing "everywhere" computing - access to healthcare records, provider order entry, and clinical documentation applications at the bedside.   He illustrated patient education materials that he uses to consent patients and explain care plans.  He noted that the iPad's touch screen keyboard is good enough and that he has never used his physical keyboard dock.

Dr. Nathanson described his early adoption of the iPad to manage workflow in the Emergency Department.   Over the past year we've worked on a streamlined web-based provider order entry application for the Emergency Department which brings one-click ordering on the iPad to all our ED docs.   Clinical documentation is fully functional on the iPad.   Dr. Nathanson cleans his iPad with alcohol wipes and notes that he drops it at least once a shift, with no discernible damage to date.

Janet Meyers RN presented an overview of Airstrip technologies, noting that they make perinatal telemetry available anywhere anytime to clinicians.

I presented an enterprise view of mobile technologies, highlighting the importance of infrastructure, mobile-enabled applications, an organizational culture which fosters adoption of new technology, and a willingness to invest in enhanced security protections to address the security risks of supporting consumer technologies on the hospital network.

I'm a great champion of mobile devices and I truly believe the future of all clinician workflow is mobile, but that enthusiasm has to be tempered by the risks of commingling "Angry Birds" with clinical lookup on the same device.  I highlighted the need for applications such as Good Technologies which separate the memory space/storage of work related applications from consumer applications.   Only through the use of advanced intrusion detection/prevention, restrictive firewalls, web content filtering, web application firewalls, and security education can we keep mobile devices safe enough for use with clinical applications.

A great discussion with the important take home lesson - tablet/pad-based computing in healthcare is the future, but it must be implemented and managed prudently.

Monday, October 24, 2011

The October HIT Standards Committee Meeting

The October HIT Standards Committee meeting included recommendations for privacy/security certification criteria, a discussion of next steps for the Standards and Interoperability framework priorities, and a review of the comments received from the Metadata Advanced Notice of Proposed Rulemaking.

We began with a discussion of the challenge of writing certification criteria for privacy and security, since the security of EHRs should depend primarily upon infrastructure assurances (networks, servers, storage, client devices, operating systems) and specialized security services.  The EHR itself should provide only those security services which are specific to protecting the confidentiality, integrity, and availability of the electronic health information it manages.

The certification criteria that the Privacy and Security Workgroup developed are all  “addressable”.  To meet the criteria, each Complete EHR or EHR Module submitted for certification needs to either:
– Implement the required security functionality within the Complete EHR or EHR Module(s) submitted for certification or
– Assign the function to a third-party security component or service, and demonstrate how the certified EHR product, integrated with its third-party components and services, meets the criterion

We discussed the important topic of securing data at rest and recommended encryption for data on end-user devices controlled by the EHR.   However, we recognized that encryption of data in data centers is a risk management decision and out of scope for certification criteria.

We discussed audit trails and recognized that applications collect audit data in different formats using different architectures.    The real value of an audit trail is the events it captures, not the format it stores them in.    We selected the ASTM E2147-01 standard which specifies auditable events, leaving implementation details to each vendor.   At some future time, it may be useful to standardize audit trail formats, but for now, there is limited value in imposing a standard audit trail format and architecture on existing products.
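As an added illustration of that point (my own example, not code from the committee or from any EHR vendor), the block below takes two constructed vendor audit formats, a JSON-lines file and a pipe-delimited file, normalizes them into one event model, and answers the question an audit trail exists for: who touched this patient's record, and when. The field set is my own minimal choice and not a transcription of ASTM E2147-01, and the SHA-256 chain at the end is an added integrity check, not something the criteria require.

```python
"""Normalizing vendor-specific audit trails into one event model.

Added example, not code from the HIT Standards Committee or any vendor.
The two record formats are constructed stand-ins for two products; the
common field set is a minimal choice of my own, not ASTM E2147-01.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: "vendor A" writes JSON lines with ISO timestamps.
VENDOR_A = """\
{"ts": "2011-10-24T09:15:02Z", "user": "jdoe", "mrn": "000123", "event": "VIEW", "obj": "lab_result"}
{"ts": "2011-10-24T09:16:40Z", "user": "jdoe", "mrn": "000123", "event": "PRINT", "obj": "discharge_summary"}
{"ts": "2011-10-24T09:20:11Z", "user": "asmith", "mrn": "000777", "event": "VIEW", "obj": "med_list"}
"""

# Constructed sample: "vendor B" writes pipe-delimited rows with epoch seconds
# and single-letter action codes.
VENDOR_B = """\
1319447100|rn_lee|000123|R|note
1319447280|rn_lee|000123|W|note
1319447400|jdoe|000777|R|allergy_list
"""

# Vendor B's action codes mapped onto the common vocabulary.
B_ACTIONS = {"R": "VIEW", "W": "MODIFY", "D": "DELETE", "P": "PRINT"}

@dataclass(frozen=True)
class AuditEvent:
    """Common event model: who did what to whose record, when, and from which product."""
    when: datetime
    user: str
    patient: str
    action: str
    target: str
    source: str

def parse_vendor_a(text: str) -> list[AuditEvent]:
    """One event per JSON line; timestamps are UTC."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        when = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(AuditEvent(when, rec["user"], rec["mrn"], rec["event"], rec["obj"], "A"))
    return events

def parse_vendor_b(text: str) -> list[AuditEvent]:
    """One event per pipe-delimited row; unknown action codes are kept, not dropped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, mrn, code, obj = line.split("|")
        when = datetime.fromtimestamp(int(ts), tz=timezone.utc)
        events.append(AuditEvent(when, user, mrn, B_ACTIONS.get(code, "UNKNOWN"), obj, "B"))
    return events

def merged_trail(*sources: list[AuditEvent]) -> list[AuditEvent]:
    """Merge events from every product into one chronological trail."""
    return sorted((e for s in sources for e in s), key=lambda e: e.when)

def accesses_to_patient(trail: list[AuditEvent], patient: str) -> list[str]:
    """The question an audit trail exists to answer: who touched this record?"""
    return [f"{e.when.isoformat()} {e.user} {e.action} {e.target} ({e.source})"
            for e in trail if e.patient == patient]

def chain_digest(trail: list[AuditEvent]) -> str:
    """SHA-256 hash chain over the normalized trail; any edit or reorder changes it."""
    digest = b""
    for e in trail:
        line = f"{e.when.isoformat()}|{e.user}|{e.patient}|{e.action}|{e.target}|{e.source}"
        digest = hashlib.sha256(digest + line.encode()).digest()
    return digest.hex()

if __name__ == "__main__":
    trail = merged_trail(parse_vendor_a(VENDOR_A), parse_vendor_b(VENDOR_B))
    for entry in accesses_to_patient(trail, "000123"):
        print(entry)
    print("chain:", chain_digest(trail))
```

Each parser is a few lines specific to one product; everything after the parsers works on the common model, which is the practical reason the committee could standardize the events and leave the storage format to each vendor.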

The HITSC approved the privacy and security certification criteria recommendations by consensus, with one small clarification of the SHA-1/SHA-2 hashing requirements.

Next, we discussed the Standards and Interoperability Framework efforts on the NwHIN Exchange transport standards and transitions of care as well as a brief discussion of future work on radiology image exchange standards.

We agreed that additional testimony is needed from implementers of NwHIN exchange to understand their experiences with each component of the Exchange specification:
NHIN Messaging Platform Specification
NHIN Web Services Registry Specification
NHIN Authorization Framework Specification
NHIN Patient Discovery Specification
NHIN Query for Documents Specification
NHIN Retrieve Documents Specification
NHIN Access Consent Policies Specification
NHIN Health Information Event Messaging (HIEM) Specification
NHIN Document Submission Specification
NHIN Administrative Distribution Specification

We're developing a set of questions for implementers and will seek broad input from those in the trenches who have coded or operated NwHIN Exchange environments.

We had a rich discussion about the consolidated CDA project.    Consolidated CDA enhances and further constrains CCD/C32.   Wes Rishel made the following comments:

Many standards experts who have been actively working on the Consolidated CDA project feel that it is a major accomplishment by HL7 to consolidate the specifications into a single document, organize them so that consistent XML structures are used for common data items in multiple document types, and to include well-specified data element names.

Many feel that the consolidated CDA alone will prevent as much as 50% of the programming errors found in C32 testing and that disagreements on the interpretations of the specifications will be far more easily resolved.

Programming, testing and resolution will all be enhanced again when the data element names are used in less highly nested XML and when Green CDA becomes accepted as the "over the wire" format.

HITSC will continue work on Consolidated CDA as it represents an important step forward for Transition of Care summaries.

Finally, we discussed the comments received about the Advanced Notice of Proposed Rulemaking. This input will be incorporated into the Notice of Proposed Rulemaking.

September and October were landmark meetings for the HITSC, with completion of the standards and certification criteria needed for Meaningful Use Stage 2.   What's next?   Based on my discussion with HITSC experts, I believe our work ahead includes:

*Continued refinement of the Consolidated CDA implementation guides and tools to enhance semantic interoperability, including consistent use of business names in "Green" over-the-wire standards.
*Standardizing DICOM image objects for image sharing and investigating other possible approaches.   We'll review image transfer standards, image viewing standards, and image reporting standards.
*Simplifying the specification for quality measures to enhance consistency of implementation.
*Query Health - distributed queries that send questions to the data instead of requiring consolidation of the data.
*Extending the quality measurement vocabularies to clinical summaries.
*Finalizing a standardized lab ordering compendium.
*Specifying how the metadata ANPRM should be integrated into health exchange architectures.
*Supporting additional NwHIN standards development (hearings about Exchange specification complexity, review/oversight of the S&I Framework projects on simplification of Exchange specifications).   Further defining secure RESTful transport standards.
*Accelerating provider directory pilots (Microdata, RESTful query/response that separates the transaction layer from the schema) and rapidly disseminating lessons learned.

I look forward to our November meeting.

Friday, October 21, 2011

Cool Technology of the Week

In the aftermath of the Blackberry outage last week, many people have asked me about iPhone 4S and Droid devices.   As I wrote about yesterday, I chose the iPhone 4S to achieve a consistent user experience between my phone and my Macbook Air laptop.

Many of my staff use Android-based devices and are very happy with application availability and phone performance.

I polled my staff and asked them to identify the best Droids available today.   Here's what they said:

1. Droid Charge by Samsung

2. Droid Bionic by Motorola

3. Droid Incredible 2 by HTC

Also worth mentioning is the Galaxy S II by Samsung

I welcome your comments about these 4 devices.   My 500 staff have spoken and believe these are the best Android phones on the market - that's cool!

Thursday, October 20, 2011

Reflections on My Daughter's College Experience

My daughter made the transition from high school to college about 2 months ago.  Already, she's matured emotionally, intellectually, and physically, becoming an independent adult.

When I reflect on my own college experience, it was not the math, science and engineering coursework that was transformative, but instead the people I met and the independence I had to master.

In my case, I developed mentoring relationships with several professors and researchers.  I learned to shop for meals and cook for myself.  I learned how to become an advocate for my own projects and priorities.   I evolved from introverted geek to a convener of peers.

My daughter is going through the same transformation.   After two months, she's developed mentoring relationships with the Tufts faculty who are experts in Japanese language and culture.   She's advocating for a special educational experience during winter break in Japan.   She's been elected to the boards of the Tufts Japanese Culture Club and the Anime Club, making numerous friends and building relationships along the way.   She's cut her hair, replaced her glasses, and replaced her high school clothes with a look that gives her adult credibility.

Importantly, she's done this by herself - accepting all triumphs and setbacks as the consequence of her own actions.     She sets her own goals, a pace for meeting them, and the criteria for success.   Her internal motivation is responsible for getting up in the morning, triaging her activities, and defining the future.

To me, only a small portion of college is about grades and coursework.   After all, Steve Jobs and Bill Gates both dropped out.  Peter Thiel (founder of PayPal) will even pay the best and brightest to leave college and found companies to accelerate their life experience.

College is about building a desire for lifelong learning, becoming an advocate for yourself, and understanding the possibilities that life offers (both careers and relationships).

I'm extremely proud of her progress thus far.

Wednesday, October 19, 2011

The Technology I Own, 2011 edition

In 2009, I wrote about the technology I own.

In 2011, I own less.   My devices have converged and everything I need is available in two products:

1.  A Macbook Air 11" with 4 GB of RAM and a 128 GB SSD running Mac OSX 10.7.2.  The only software I've added is Keynote, Pages, and Numbers.  Nothing more.

2.  An iPhone 4S on the Verizon network.   For 2012, I've concluded that CDMA is the best network in the US, while GSM/GPRS/EDGE/3G is the best network in the rest of the world.   The iPhone 4S is the first Apple product that enables me to leverage both technologies.   I've retired all my still and video cameras, my dictation devices, and most importantly, my Blackberry.

Starting in 2003, I was one of the first adopters of Blackberry technology, carrying the trusty 850 which was basically a push email device that looked like a pager.

From 2003-2011, I've sent over 3 million emails from these devices.   Unfortunately, my current needs are more than text messaging.   I need to read complex documents, access numerous web resources, and run a rich array of local applications.

The simplicity of owning two devices is that I carry only two small power supplies, a VGA dongle, and less than 3 pounds in my briefcase.

The iPhone weighs 4.9 ounces

The Macbook Air weighs 2.38 pounds.

The user interfaces, software applications, and engineering on the two devices are very similar, which means a fast learning curve and great synergy.

It's amazing that in 2012 I will not own any music equipment, any video equipment, any camera equipment, a desktop, or a land line phone.   All I will own is an Air and a 4S.  

As with many things in life, less is more.

Two years from now, my parsimony of devices (2) may converge further to a single device.   My prediction is that it will not be a Blackberry, which by 2013 is more likely to be associated with fruit sellers than IT organizations.

Tuesday, October 18, 2011

An Update on Massachusetts Health Information Exchange

As I've described previously, Meaningful Use Stage 1 was focused on the electronic capture of data into EHRs.  The standards we specified included content and vocabulary but not transport.

Stage 2 will be more focused on Health Information Exchange.  Transport standards will likely be included in the Notice of Proposed Rulemaking.

In order for Health Information Exchange to work, I believe we need:
a.  A transport standard which can be implemented consistently for multiple senders and receivers (such as Direct)
b.  A certificate distribution infrastructure to secure the endpoints (such as via DNS)
c.  A directory for routing information between organizations (such as a RESTful API to a SQL database)
d.  Connections to the last mile -  sending/receiving directly into EHRs (such as via XDR/SOAP) or into a standalone web-portal as a short term solution while vendors build transport features into EHRs.
e.  Governance to guide the technology and policies that support the above

On October 17, the Massachusetts HIT/HIE Advisory Committee (think of it as the state equivalent of a Federal Advisory Committee) presented its recommendations to the HIT Council (the governance for Massachusetts HIT activities).   The Advisory Committee asked for the input of 88 stakeholders divided into 5 groups - legal and policy, technology and implementation, finance and sustainability, consumer and public engagement, provider engagement and adoption.

The state HIE implementation plan we presented:

*Aligns with national interoperability standards and emerging MU stage 2 requirements
*Maximizes State Medicaid Health Plan/Medicaid Management Information System Federal Financial Participation funding,  a 9 to 1 match
*Focuses Medicaid funding on building infrastructure for statewide services, and the ONC Cooperative Agreement HIE funding for last mile implementation

What is last mile implementation?

1. Our regional extension center (REC) will do a pareto analysis of EHR adoption in Massachusetts to identify the most commonly used EHRs.  I believe that 20 EHRs are common but 5 EHRs (eClinicalWorks, AthenaHealth, NextGen, Allscripts, GE Centricity) cover 90% of the providers.   We'll negotiate with those vendors to create the software which is necessary to connect their EHRs to the statewide Direct backbone in 2012.  Yes, we could wait until 2013 when Meaningful Use Stage 2 requires them to implement transport standards, but coordinated procurement now will accelerate HIE integration.

2.  We'll provide System Integrator services to support onboarding of small practices and subnetworks of clinicians to the state HIE backbone.

3.  We'll provide education and training to foster adoption and use of HIE services.

4.  We'll devise grants and subsidies that serve as incentives for HIE adoption.

5.  We'll facilitate the addition of value added services to the backbone such as public health reporting, clinical registries, and quality measurement services.

As I've spoken with vendors, many have noted that State HIEs tend to build central infrastructure but assume endpoints will connect to it on their own.   My experience is that a centralized project management office and a single coordinated plan is needed to connect the endpoints.  Once every provider, payer and patient is connected, the value proposition of the HIE will increase significantly per Metcalfe's law.

We agreed that by November the Advisory Committee will complete:

*Initial State Medicaid Health Plan Implementation Advanced Planning Documents (IAPD) for review by Advisory Committee workgroups and the Secretary of EOHHS before submission to CMS
*An outline of Statewide HIE Policy Guidance that complements the technology to be built via IAPDs
*A high-level plan for entire project, so that all stakeholders understand what we're creating

I'm extremely optimistic - we have a plan with alignment of support, appropriate funding, and mature technologies that are low risk for failure.   The HIT Council, MeHI,  and Federal government stakeholders are reviewing our recommendations over the next few weeks and we'll seek their approval to move forward in November.

The momentum for Health Information Exchange in Massachusetts is building among payers, providers, patients, government, and industry.   2012 will mark the tipping point that enables us to stop talking about barriers to Health Information Exchange and instead focus on the accelerators.

Monday, October 17, 2011

Exploiting Privacy Breaches

I've described information security as a Cold War, requiring constant investment and vigilance to innovate faster than the hackers and criminals who are stealing data to commit identity theft.

I'm spending an increasing percent of my resources on regulatory compliance and data protection.

Over the past year, Federal and State governments have

1.   Specified standards to protect healthcare data during transport.
2.   Required encryption of data at rest.
3.   Required breach notification to patients and prominent media.
4.   Created policy to define meaningful consent and other important patient privacy rights.
5.   Launched a new initiative on data segmentation in an effort to support more granular healthcare privacy preferences.

CIOs and Chief Information Security Officers are working as hard as they can, hackers are intensifying their attacks, and the world is accelerating its adoption of mobile technologies that make perfect control of data more challenging.  Despite all our efforts, breaches will occur.   Even the most sophisticated security companies have been breached by increasingly sophisticated malware.

There's a dark side to all of this that is the subject of today's blog post - using the new privacy breach reporting laws for personal gain.

There are many good attorneys.   My parents are attorneys (patent and business law).    Some of my favorite colleagues are attorneys working hard in the public interest (Deven McGraw at CDT, Jodi Daniel  at ONC).

As with any profession there are those attorneys who use the law for personal gain.    Here's a list of privacy breach class action suits, comparing payments to attorneys versus their clients.

There are many good  investors.    Accelerating new technology by providing funding to those who can build high value businesses is a good thing.     As with any profession, there are investors who put profits ahead of societal benefits.

I've heard discussion about an alarming new business model.   Investors paying attorneys to file class action suits related to privacy breaches in return for a portion of the profits.

Privacy breach reporting is now public.   Identifying a class is easy.

However, if the risk of harm from the privacy breach is low, attorneys may not want to bear the expense and burden of filing a suit, given that recoveries might be minimal.   If investors underwrite the risk, realizing that most healthcare organizations will want to settle rather than spend time and resources on litigation, we'll likely see a lawsuit following every reported privacy breach.

To me, there are different kinds of privacy breaches - those which are caused by true carelessness and those which occur because of sophisticated attacks that the Pentagon could not even repel.   We should hold organizations accountable for implementing best security practices to protect privacy.   We should report breaches to patients and prominent media, since breach reporting regulations provide a great incentive to invest in appropriate security.   However, we should do this in an effort to enhance the society we live in, not generate profits.

As we all work together on electronic health records and healthcare information exchange, let's try to create regulations that do the right thing:

1.  Protect the data
2.  Respect patient privacy preferences
3.  Recognize the difference between hard to prevent breaches and those that occur because basic protections were not in place

Investing in class action suits that asymmetrically benefit the finance and legal professions is not something that benefits society.

As the eternal optimist, I'm convinced we can all work together for the common good and make every day better than the last.   If you hear about someone using privacy breach reporting for their own personal gain, shout out that it's the wrong thing to do.

Friday, October 14, 2011

Cool Technology of the Week

Big data has arrived.   At BIDMC, I oversee 1.5 petabytes of clinical and administrative data.   At HMS, I oversee nearly 3 petabytes of research data.

As Blackberry's recent outage illustrates, depending on a single monolithic infrastructure has its risks, and the impact of a failure can be enormous.

How can we leverage commodity hardware infrastructure, reduce risk, and meet user demands for mining big data?   Apache Hadoop is a cool technology worth knowing about.

Hadoop is an open source framework that allows for the distributed processing of large data sets across clusters of computers, designed to scale from a single server to thousands of machines.  Rather than rely on hardware to deliver high-availability, Hadoop detects failures and automatically finds redundant copies of data.  The Hadoop library includes:

* The Hadoop Distributed File System (HDFS), which splits user data across servers in a cluster.

* MapReduce, a parallel distributed processing system that takes advantage of the distribution and replication of data in HDFS to spread execution of any job across many nodes in a cluster.
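To make the two ideas above concrete, here is an added toy simulation (not Hadoop's code) of block replication and a MapReduce job: a file is split into blocks, each block is stored on three nodes, and a job counting admissions per department keeps running after two of four nodes are lost because every block is read from a surviving replica. The cluster, the sample event records and the replication policy are all constructed for the example.

```python
"""Toy simulation of HDFS-style block replication plus a MapReduce job.
Constructed example, not Hadoop's own code: it shows why losing nodes does
not lose data when every block is stored on several nodes, and how a job
keeps running by reading each block from a surviving replica."""
from collections import defaultdict
from itertools import cycle


class MiniHdfs:
    """Splits a file into fixed-size blocks and stores every block on
    `replication` distinct nodes, chosen round-robin across the cluster."""

    def __init__(self, nodes, replication=3, block_size=2):
        if replication > len(nodes):
            raise ValueError("replication factor exceeds node count")
        self.nodes = {n: {} for n in nodes}   # node -> {block_id: records}
        self.alive = set(nodes)               # nodes believed to be up
        self.replication = replication
        self.block_size = block_size
        self.files = defaultdict(list)        # file name -> [block_id, ...]
        self.placement = {}                   # block_id -> [node, ...]
        self._rr = cycle(nodes)

    def put(self, name, records):
        for i in range(0, len(records), self.block_size):
            block_id = f"{name}:blk{i // self.block_size}"
            chunk = list(records[i:i + self.block_size])
            targets = [next(self._rr) for _ in range(self.replication)]
            for node in targets:
                self.nodes[node][block_id] = chunk
            self.placement[block_id] = targets
            self.files[name].append(block_id)

    def fail_node(self, node):
        """Simulate a detected node failure (heartbeat lost)."""
        self.alive.discard(node)

    def read_block(self, block_id):
        """Return the block from the first live replica; raise only when
        every replica is down."""
        for node in self.placement[block_id]:
            if node in self.alive:
                return self.nodes[node][block_id]
        raise IOError(f"all replicas of {block_id} are unavailable")

    def blocks(self, name):
        return list(self.files[name])


def map_reduce(fs, name, mapper, reducer):
    """Map over every block (each read from a live replica), shuffle the
    emitted (key, value) pairs by key, then reduce each key's values."""
    shuffled = defaultdict(list)
    for block_id in fs.blocks(name):
        for record in fs.read_block(block_id):
            for key, value in mapper(record):
                shuffled[key].append(value)
    return {key: reducer(key, values) for key, values in shuffled.items()}


# Constructed sample records: (department, event) per encounter.
SAMPLE_EVENTS = [
    ("cardiology", "admit"), ("cardiology", "discharge"), ("icu", "admit"),
    ("oncology", "admit"), ("icu", "admit"), ("cardiology", "admit"),
    ("oncology", "discharge"), ("icu", "discharge"), ("cardiology", "admit"),
]


def admissions_by_department(fs, name):
    """Count admissions per department: the mapper emits (dept, 1) for
    each admit record, the reducer sums the ones."""
    return map_reduce(
        fs, name,
        mapper=lambda rec: [(rec[0], 1)] if rec[1] == "admit" else [],
        reducer=lambda key, values: sum(values),
    )


def demo():
    """Run the job, knock out half the cluster, run it again."""
    fs = MiniHdfs(["node1", "node2", "node3", "node4"], replication=3)
    fs.put("events", SAMPLE_EVENTS)
    before = admissions_by_department(fs, "events")
    fs.fail_node("node1")
    fs.fail_node("node2")   # 2 of 4 nodes down; with 3 replicas every block survives
    after = admissions_by_department(fs, "events")
    return before, after


if __name__ == "__main__":
    print(demo())
```

With three replicas the simulated cluster tolerates two failed nodes; a third failure makes `read_block` raise for any block whose replicas all sat on the failed nodes.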

Microsoft has just introduced support for Hadoop into SQL Server 12  as part of their  end-to-end Big Data roadmap.

A fault tolerant distributed file system using commodity hardware for big data that is even integrated into mainstream data mining tools like SQL Server.  That's cool!

Thursday, October 13, 2011

Columbus Day in New England

Every Columbus Day, my family visits New Hampshire for hiking, apple picking, and autumn color at peak.

Here's my ideal Columbus Day Weekend:

1.   Climb Mount Monadnock via the Marlboro trail - it's the road less traveled that includes easy rock scrambling, great views, and beautiful foliage.  I've climbed Mt. Monadnock over 100 times.

2.  Pick Apples and buy fresh chestnuts at Old Cider Press Farm in Westmoreland, NH.   My favorites are Gala, Empire, and Black Gilliflower.

3.  Spend the night at the Inn at East Hill Farm in Troy, NH - we've rented the upper floor of Sugarhouse on Columbus Day weekend for the past 15 years.

4.   Have a vegetarian lunch at the Zeppelin and Kaleidoscope in Marlborough, NH.    My favorite is the Falafel platter.

5.  Meet artists throughout Southern New Hampshire as part of the Friends of Dublin Art Colony Columbus Day weekend open studios.

It's quintessential New England.   Robert Frost would be proud.

Wednesday, October 12, 2011

The Impact of Consumer IT on the CIO

I've written about the implications of staff bringing their own devices to the office instead of using corporate desktops and the challenges of keeping mobile devices secure.

I own a Blackberry Bold 9700, first released on December 18, 2009.  Since I do not read email when I drive, I hand it to my wife who instinctively tries to navigate my email by gesturing on the screen (it does not work).  I receive one email every 30 seconds (over 1000 per day), many of which contain web sites and attachments.   Reading them on a Blackberry Bold is not a satisfying experience.   It's a messaging device, not a comprehensive mobile platform.

In 2007, owning a Blackberry was cool and RIM interviewed me about my mobile lifestyle.

The iPhone 3GS was released on June 19, 2009 and since then Blackberry has become less cool and RIM has lost $30 billion in market value.

Market changing consumer products are introduced every 6 months.  In the same timeframe, I've been working on hundreds of important enterprise initiatives.  The average hospital IT project, given limited resources and large scope, takes 18 months.

The consumer IT marketplace moves at such a fast pace, applying thousands of people to create a single device, that the average employee now expects every hospital IT project to proceed in the same manner, even though only one person may be working on a niche project that serves a small number of users.

I sometimes describe the job of the CIO as a quest to minimize negative reinforcement - "I only received 100 challenging emails, it's been a great day".  The accelerated pace of consumer IT multiplies impatience, intolerance, and emotion.

It would be great if mobile devices and the Cloud solved all our problems, but unfortunately, the enterprise world has compliance requirements, security constraints, complex business processes, controls, and workflows that are not addressed by consumer technologies.

What's a CIO to do?

1.  Embrace mobile devices and the cloud when they make sense.   We do support iPhones and Android devices for email.   We do support the cloud for image exchange and a private cloud for hosting community physician electronic health records.  BIDMC Information Systems is considered "consumer device friendly", which helps my reputation.

2.  The expectation of new infrastructure and applications every 6 months tempered by the reality of 18 month hospital project plans requires intense communication.   This week, I sent my staff a plan to create  "IT concierges" for our key stakeholders, ensuring that monthly project updates keep users informed and better align expectations with reality.

3.  Meetings with disgruntled stakeholders are really important to maintain credibility.  "Presence" of the CIO can really make a difference when customers perceive the pace of enterprise IT innovation to be slower than the consumer marketplace.

4.  Maintaining agility and flexibility without being dogmatic ensures the CIO is not the rate limiting step to innovation.  I've always said that if emerging companies can provide superior service at lower cost to any product we have currently, we should openly evaluate it.   Customers will appreciate that IT has a culture of innovation even if product life cycles are longer than the consumer marketplace.

5.  CIOs need to accept that 10% of users will dislike you on a given day because enterprise technologies are unlikely to keep pace with consumer technologies.   Rather than get frustrated, realize that by focusing on continuous measured progress, you'll create a trajectory that prudently moves forward, balancing security, innovation, and functionality.   As my daughter would say, Ganbatte!

Complexity, unrealistic customer expectations, and resource limitations make the job of CIO increasingly difficult.   By focusing on the possible, communicating your plans broadly, and accepting consumer technologies for the use cases that make sense, the CIO can continue to thrive.

Tuesday, October 11, 2011

The BIDMC FY12 Operating Plan

This is my 1000th blog post.  Readers have visited the geekdoctor blog over a million times.   The discipline of writing every day has helped me become a better communicator in my work and personal lives.    Thanks for being a part of it.

Today, I'm publishing the BIDMC FY12 Information Systems Operating plan which includes all the high priority projects I identified in my earlier post about preparing for a new CEO.    

In the Clinical Information Systems area there are numerous important goals, but five that deserve a more focused discussion:

ICD-10 - A challenging and expensive compliance project that must be done because 70% of the revenue cycle is at risk.  The scope of the project includes BIDMC, its community hospital affiliate BIDH-Needham, the owned physician group APG, the academic affiliated group HMFP and the private physicians in BIDPO.    The likely budget - $5-10 million.   The likely safety, quality, efficiency improvements - none at all.   Many in the industry recognize ICD-10 as a colossal waste of time and effort.  I've tried very hard to communicate this broadly and will continue that effort in articles, lectures and personal meetings in Washington.

Clinical Documentation - although all the ambulatory areas and ICU areas of BIDMC have online documentation, progress notes in the wards are still written on paper.   In order to improve care coordination, decision support, and provide the granularity necessary for ICD-10 coding, we will work hard to create multi-disciplinary documentation in our ward areas.

Electronic Medication Administration Records - We're redesigning  medication management from the supply chain to the bedside.   We'll adopt innovative tools to automate the new idealized processes.

Healthcare Information Exchange - Accountable Care Organizations will require increased health information exchange analytics.   All the stakeholders in Massachusetts have worked together on an HIE plan that connects every provider, payer and patient.   Now we need to build it.

Analytics - Turning data into information, knowledge and wisdom will require a new generation of analytics.   We're building those now.

The Fiscal Systems area includes several important compliance goals such as 5010 and enhancements to our human resources management systems.

Knowledge services will continue curation of our electronic library resources.

Media Services will enhance our streaming and conference room infrastructure.

In the Infrastructure area, there are 15 important themes:

Data Protection - Develop and implement a strategy for protecting BIDMC authentication credentials and sensitive data accessed from personally owned computers including mobile devices.

Patch Management - Improve patch management sufficiently to reduce vulnerabilities by 50 percent or more on I.S. managed systems.

Voice Mail System - Replace the current voice mail system that supports over 6,000 accounts with a more up-to-date, IP-based system without incurring extended disruption of service or loss of old content.

Clinical Systems Service Level - Implement high availability features using Cache ECP and Red Hat Enterprise Linux clustering technologies.  Increase service levels from 99.9 percent to 99.99 percent with respect to downtime caused by Cache- or Linux-related problems.

DR Data Network - Virtualize the distribution layer of the data network in the disaster recovery center to permit more flexible repositioning of assets without regard to VLAN assignment.

Life Cycle Management - Replace one-third of the approximately 120 data network access switches in the east and west campuses with more up-to-date and efficient devices.

Security Dashboard – Develop metrics that in combination provide a way to quantify the risk, by subnet, of devices attached to our data network.   Using this information, apply security measures that are tailored to the relative risk each subnet presents.

Vulnerability Assessments – Deploy a commercial Vulnerability scanner along with updated processes and procedures to enhance our ability to identify and remediate vulnerable systems network wide.

Windows 7 – Upgrade all kiosk/public managed workstations to Windows 7 to enhance the user experience, improve security, and take advantage of better management features.   Upgrade at least 50 percent of business builds to Windows 7 with the balance targeted for FY13.

SQLServer Enterprise Edition – Migrate two-thirds or more of the 32 databases still using Standard Edition to Enterprise Edition.   EE provides higher availability, support for larger hardware, improved auditing, and other features.

Rights Management – Improve the utility of the Varonis rights management system to include surveillance of unusual access patterns that may indicate a security issue.

Exchange 2010 – Plan the upgrade and deployment from Exchange 2007 to Exchange 2010.

Internet Access – Develop and implement a strategy that reduces the exposure of BIDMC IT technical resources and sensitive data to Internet-based malware that strikes a workable balance between the security threat and business need for Internet access.

Service Level Monitoring – Extend the use of Nagios software monitoring to 75 percent or more of the data center assets to improve the reliability, granularity, and accuracy of system alerts.

Storage – Migrate all new image acquisition PACs to Atmos and begin conversion of all Centera assets to Atmos.

We'll do all of this within the FTE, operating budget (less than 2% of the BIDMC Operating budget) and capital budget assigned.

I look forward to a great year ahead and share with all of you the lessons learned along the way.

Friday, October 7, 2011

Cool Technology of the Week

As the discussion of the functionality to be included in a Nationwide Health Information Network (NwHIN) continues, there are 3 different secure transports being evaluated:

Exchange:  “NHIN Messaging Platform Specification”, which uses SOAP for transport and WS-I Basic Security Profile for security (TLS + XML signature + WSDL + AES + X.509 + SAML)

Direct:  “Applicability Statement for Secure Health Transport”, which uses SMTP for transport and S/MIME for security (AES + X.509)

Secured REST:  specification to be done, but will use HTTP for transport; candidates for security include TLS, X.509, and OAuth.

Each has different characteristics and different strengths.   The barrier to RESTful implementation is lack of a consistent implementation guide.

The folks at MITRE have implemented project hData  noting that "Current electronic health data standards are complex, hard to implement, and difficult to manage”.

hData separates transport and packaging from content – something the HIT Standards Committee has supported.   This FAQ provides more details.  Clearly hData is still in development and not yet adopted, but I do think they are pursuing an appropriately simple approach to transport.

The hData content format has been balloted by HL7 and a Draft Standard for Trial Use (DSTU) is expected this month.  The hData transport format (RESTBinding) is in the Open Management Group comment resolution phase.

A RESTful implementation guide for healthcare that separates content and transport, providing easy to implement,  secure transport.    That's cool.

Thursday, October 6, 2011

The Vortexes of Sedona

Last weekend, I gave a keynote address at the eClinical Works National User Conference in Phoenix, Arizona.   As is usual when I travel, I look for interesting places to explore in the natural world within driving distance of conferences.    I flew in at 2am on Saturday morning, giving me the entire day on Saturday to explore before my Sunday morning lecture and redeye back to Boston.

Sedona is 120 miles north of Phoenix and is well known for its red rock vistas, its spirituality, and great hiking trails.

Most intriguing to me was the concept of the Sedona "vortexes", which have been described as swirling centers of energy emanating from the surface of the earth.  

Whether or not you believe in the physical manifestation of such energy centers, there are 4 great hikes to visit the vortex locations.

As you enter the Sedona area on Highway 179, you'll pass Bell Rock and Courthouse Butte.   There's a trailhead on the right side of the highway with access to numerous loop trails from 1 mile to 4 miles in length.   I highly recommend the Courthouse Butte loop, which passes the Bell Rock Vortex.

The photo above is the Cathedral Rock Vortex which is accessed via a .7 mile walk/climb accessed from Back-O-Beyond Road off Highway 179.   It's easy slab climbing and a 700 foot elevation gain from the parking lot to a beautiful vista.   I'm not sure if it recharged my spiritual batteries, but the breeze cascading through the pillars at the peak was refreshing on a 100 degree day and the shade of the Cathedral Rock walls boosted my hiking endurance.

The Airport Vortex is located on Airport Road off Highway 89A.   The view of Sedona from Airport Mesa is spectacular.

The Boynton Canyon Vortex is located at Dry Creek Road off Highway 89A.  I'm a fan of old Juniper trees (said to be an indicator of strong vortex energy) and you'll find plenty in Boynton Canyon.

After climbing/hiking 4 vortexes, I enjoyed a vegan lunch in a shaded outdoor garden at the Chocolatree Cafe , a very hip spot on Highway 89A.  Highly recommended.

Sedona proved to be a very invigorating place, well worth the day trip from Phoenix and preparing me for the double redeye flights of the weekend.

Wednesday, October 5, 2011

A Moment for Steve Jobs

Earlier this evening, I emailed my staff about the passing of Steve Jobs.   Many responded that they were genuinely sad.

It's not about being Apple "fanboys" or disliking the competition.   It's about recognizing the possibilities for what might have been if Steve had lived longer.

In some ways, his death seems like a Faustian bargain - revolutionize the world with products beyond our imagination, then die too young.

In my life, I crossed paths twice with Steve Jobs.

As an undergraduate at Stanford from 1980-1984, I met Steve Wozniak and Steve Jobs at the Stanford Computer Club and saw early demonstrations of Apple II, III, and Lisa products.   I taught the first undergraduate personal computer course at Stanford in 1981, using Apple products in an era when the Stanford Computer Science department told me that personal computers were a fad that soon would end.

In 1983, Steve Wozniak's mom called me and asked me to design an electronic greeting card for the Woz's 33rd birthday.    To this day, I hold the patent on all e-cards, both the paper type that play music and those you send over the internet.

Steve Jobs was at the party where my card was demonstrated for the first time.

I bought a Mac SE30 in 1990.

I was an early adopter of the NeXT cube and used it to develop all my early web applications at BIDMC when I first arrived in 1996.

My Windows years were limited to 1995-2006.   Since then I've used MacBooks, iPads and iPods as my hardware devices.    This year, I'll retire my Blackberry and replace it with an iPhone 4S.

Thanks Steve, you really made a difference.

The Responsibility of Formal Authority

You probably expected me to write about the new iPhone 4S today, but the press has analyzed it well, especially Computerworld.  Next week I will write about the impact of accelerated consumer IT product releases on CIOs, including managing customer expectations for business IT innovation.

In the meantime, a few thoughts on the wise use of formal authority i.e. that job description we were handed when we first became CIOs.

In previous blog posts I've reflected on the fact that none of us really has authority.  Instead, we have responsibility and risk.

The work that I do in all my lives - Federal, State, BIDMC, Harvard Medical School, and my home life as father/husband/son - does not rely on formal authority.   It relies on my informal authority to inspire, align, and communicate.

I have never "ordered" a change.   The best I can do is to facilitate consensus and follow Harvard Business School Professor John Kotter's principles for change management:

1. Establish urgency.
2. Form a powerful guiding coalition.
3. Create a vision.
4. Communicate the vision.
5. Empower others to act on the vision.
6. Plan for and create short-term wins.
7. Consolidate improvements, creating more change.
8. Institutionalize new approaches.

Relationship building and fostering trust bring me the informal authority I need to lead people through change.

Although the formal authority I have is never used, there are behavioral responsibilities that come with the title CIO.   I have to be careful what I say, who I speak with, and what I do, because the hierarchy of the organization assigns power relationships to the role I serve.   There are five guidelines I've assigned myself:

1.   Respect hierarchical boundaries - if I bypass my direct reports and communicate directly with their direct reports, I always ensure the communication includes everyone in the chain of command.   If I did not do this, I would disempower my managers and directors.

2.   Communicate consistently with everyone - it's bad behavior to tell different versions of the truth to people based on what you believe various audiences want to hear.    By communicating consistently, I create a culture of collaboration.  The last thing I want to do is create discord in the organization by encouraging people to work against each other or foster dissension among teams.

3.   Work via standard processes - it may seem expedient to invent your own processes, bypass hierarchies, or work around established lines of communication in an effort to accelerate projects.   My experience is that such an approach causes confusion, misalignment of priorities, and wasted effort.   Just as I respect hierarchical boundaries, I follow standard processes when problems need to be resolved.  

4.   Communicate broadly and honestly - if there is a problem in the organization, I communicate it to all stakeholders.   It is far better to over communicate, even if the news is challenging/difficult, than to work in silos and try to hide failures for fear of embarrassment.

5.   Work openly and transparently - we've all worked in organizations with office politics that happen behind the scenes.   Back channel conversations, blind cc's on email, escalation around hierarchical boundaries, different conversations in the open versus behind closed doors, and undermining the authority of others can occur in any organization.    If someone suggests solving a problem by working on it clandestinely, I refuse.  Problems should be solved openly and transparently with all the stakeholders in the room.

These are the responsibilities of formal authority.   Although you may never use the power you've been given in your job description, your actions every day can impact your peers and your staff in subtle ways.   Once you understand that your every word and behavior can inspire, influence, or irritate, you'll have mastered the responsibility of formal authority.

Tuesday, October 4, 2011

Simvastatin Safety and Information Systems

The following is a broadcast email written by Dr. David Feinbloom, Medical Director, Medication Safety and Information Management at BIDMC.  It nicely illustrates the collaboration among clinicians, pharmacists, and Information Systems:

To all –

I am writing to update you on the simvastatin patient alert process that was initiated in July. As you will remember, this initiative was prompted by the recent Food and Drug Administration (FDA) warning for patients taking simvastatin because of an increased risk of muscle damage when taken at high doses or in combination with several other medications.

In response to this alert, the Medication Safety Subcommittee, in concert with Healthcare Quality, decided that an institutional response was warranted and we proceeded with the plan described in the original email below. In brief, we reached out to all stakeholders, developed a data query to help providers identify these patients, allowed sufficient time for providers to reach out to these patients, and then sent letters to all the remaining patients who were still taking simvastatin, at a high dose and/or in combination with several other medications. Last Monday we sent  2800 letters to the remaining patients.

The size of this initiative was unprecedented for BIDMC, and although it was largely successful, there were many important observations and lessons learned which will inform our process going forward; these include:

1. The volume of alerts, and the number of patients affected, continues to grow (see the recent FDA warning on Celexa and abnormal heart rhythms).
2. Sorting through the level of evidence and clinical relevance of these alerts is difficult and time consuming.
3. Running queries on our patients' medication lists with sufficient sensitivity and specificity to meet our providers' needs is not always possible.
4. Provider preference on how, or whether, to address each alert with their patients is variable.
5. Resources, at both the institutional and provider level, are insufficient to support this work.

We have assembled a group to evaluate how to meet this challenge, and anyone who would like to join is welcome. I will provide you with updates as they become available.

Thanks for your help and support.

David Feinbloom

Email to Providers

As you know, the Food and Drug Administration (FDA) recently issued a new warning for patients and healthcare professionals regarding simvastatin because of an increased risk of muscle damage when taken at high doses or in combination with several other medications (FDA Drug Safety Communication: Simvastatin). Although it is not uncommon for the FDA to issue safety warnings when surveillance data identifies unanticipated adverse drug effects, this case is somewhat unique because simvastatin is such a common medication among our patients at BIDMC. In addition, we know from previous medication safety initiatives in the past that most providers do not have the time or resources necessary to identify and contact all of their patients who may require notifications. For these reasons, we are proposing the following strategy:

Healthcare Quality will work with IT to generate a list of patients that have an active simvastatin prescription, either at a dose, or in a combination identified by the FDA to be associated with an increased risk for adverse events (see Search Query below). We will then send a list to each provider by email to give them an opportunity to reach out to their patients and update their medication list.

In several weeks' time we will run the same query on all patient medications again. Patients that still have a prescription for simvastatin in a dose or combination of concern will then be sent a standard letter asking that they contact the prescribing provider to discuss whether any medication changes should be made (see Patient Letter below).

If you have already contacted your patient and made changes to their medication list such that they no longer have a dose or combination of concern, they will not be receiving a letter. Unfortunately, if you have made the clinical decision to continue your patient on a dose, or in a combination of concern, we will not be able to suppress the letter. We expect this will happen infrequently, and if it does, the language of the patient letter is clear that if they have already discussed this with you they need not re-contact you.

Your list may include some patients for whom you are not the primary provider, or may omit some patients who you consider to be part of your panel. Similarly, problems may occur for patients whose medication list is not up to date, contains errors, or includes prescriptions for split doses.

Please let me know if this plan is acceptable to your practices.  The queries we are running include

1. All patients who have an active prescription for simvastatin 80 mg prescribed < 1 year ago.

2. All patients who have an active prescription for simvastatin > 10 mg and any of the following medications:

* Amiodarone
* Verapamil
* Diltiazem

3. All patients who have an active prescription for simvastatin > 20 mg and any of the following medications:

* Amlodipine
* Ranolazine

4. All patients who have an active prescription for simvastatin (any dose) and any of the following medications:

* Itraconazole
* Ketoconazole
* Posaconazole
* Clarithromycin
* Erythromycin
* Telithromycin
* Amprenavir
* Atazanavir
* Darunavir
* Fosamprenavir
* Indinavir
* Lopinavir/ritonavir
* Nelfinavir
* Ritonavir
* Saquinavir
* Tipranavir
* Cyclosporine
* Danazol
* Gemfibrozil
* Nefazodone

Letter to Patients

Dear Patient –

You are receiving this letter because according to our records you are currently taking the cholesterol-lowering medication simvastatin. Simvastatin is also sold under the brand name Zocor, and is found in the combination medications Vytorin and Simcor.

The Food and Drug Administration (FDA) recently issued a new warning for patients and healthcare professionals regarding simvastatin because of an increased risk of muscle damage when taken at high doses or in combination with several other medications.

The risk of muscle damage is low and we do NOT recommend that you stop any of your medications without first talking to your healthcare provider.  Simvastatin is an excellent cholesterol-lowering medication and in many instances continuation of the medication is appropriate. However, we are recommending that you contact the provider who prescribed the simvastatin to discuss whether any medication changes should be made. You may have already had a discussion with your healthcare provider about this issue; if so,  it is not necessary for you to re-contact him or her. You should immediately contact your healthcare provider if you experience muscle pain, tenderness or weakness, or dark or red colored urine.
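The four screening criteria in Dr. Feinbloom's email above, as an added worked example (not BIDMC's actual query) run with sqlite3 against a constructed medication-list table. It assumes one row per prescription with doses in mg and lower-case generic names, and, to cover the split-dose problem the email raises, sums a patient's active simvastatin prescriptions so two 40 mg entries count as 80 mg; the table layout and the sample patients are constructed for the example.

```python
"""Worked version of the four simvastatin screening criteria from the
email above, run with sqlite3 against a constructed medication-list table.
Added example, not BIDMC's query. Assumptions: one row per prescription
with doses in mg and lower-case generic names, and (to cover the split-dose
problem the email mentions) simvastatin doses summed per patient."""
import sqlite3
from datetime import date, timedelta

# Interacting drugs, as listed in the email.
TIER_10MG = ("amiodarone", "verapamil", "diltiazem")
TIER_20MG = ("amlodipine", "ranolazine")
TIER_ANY = (
    "itraconazole", "ketoconazole", "posaconazole", "clarithromycin",
    "erythromycin", "telithromycin", "amprenavir", "atazanavir", "darunavir",
    "fosamprenavir", "indinavir", "lopinavir/ritonavir", "nelfinavir",
    "ritonavir", "saquinavir", "tipranavir", "cyclosporine", "danazol",
    "gemfibrozil", "nefazodone",
)

SCHEMA = """
CREATE TABLE rx (
    patient_id INTEGER NOT NULL,
    drug       TEXT    NOT NULL,  -- lower-case generic name
    dose_mg    REAL    NOT NULL,  -- dose per administration
    prescribed TEXT    NOT NULL,  -- ISO date the prescription was written
    active     INTEGER NOT NULL   -- 1 = currently on the medication list
);
"""


def _placeholders(values):
    """Build an IN-list of bound parameters, never string-interpolated values."""
    return "(" + ",".join("?" * len(values)) + ")"


def simvastatin_screen(conn, as_of):
    """Return {patient_id: sorted list of reasons} for every patient whose
    active medication list meets at least one of the four criteria."""
    cutoff = (as_of - timedelta(days=365)).isoformat()
    sql = f"""
    WITH simva AS (
        SELECT patient_id, SUM(dose_mg) AS daily_mg, MAX(prescribed) AS last_rx
        FROM rx WHERE active = 1 AND drug = 'simvastatin'
        GROUP BY patient_id
    ),
    other AS (
        SELECT DISTINCT patient_id, drug FROM rx
        WHERE active = 1 AND drug <> 'simvastatin'
    )
    SELECT s.patient_id,
           CASE
             WHEN s.daily_mg >= 80 AND s.last_rx >= ?
                  THEN 'simvastatin 80 mg prescribed within 1 year'
             WHEN s.daily_mg > 10 AND o.drug IN {_placeholders(TIER_10MG)}
                  THEN '>10 mg with ' || o.drug
             WHEN s.daily_mg > 20 AND o.drug IN {_placeholders(TIER_20MG)}
                  THEN '>20 mg with ' || o.drug
             WHEN o.drug IN {_placeholders(TIER_ANY)}
                  THEN 'any dose with ' || o.drug
           END AS reason
    FROM simva s LEFT JOIN other o ON o.patient_id = s.patient_id
    """
    params = (cutoff, *TIER_10MG, *TIER_20MG, *TIER_ANY)
    hits = {}
    for pid, reason in conn.execute(sql, params):
        if reason is not None:      # NULL means no criterion matched this row
            hits.setdefault(pid, set()).add(reason)
    return {pid: sorted(reasons) for pid, reasons in hits.items()}


def build_sample_db(as_of):
    """Constructed medication lists for seven fictional patients."""
    recent = (as_of - timedelta(days=30)).isoformat()
    old = (as_of - timedelta(days=500)).isoformat()
    rows = [
        (1, "simvastatin", 80, recent, 1),                                    # criterion 1
        (2, "simvastatin", 80, old, 1),                                       # 80 mg but > 1 year old
        (3, "simvastatin", 40, recent, 1), (3, "amiodarone", 200, recent, 1),    # criterion 2
        (4, "simvastatin", 20, recent, 1), (4, "amlodipine", 5, recent, 1),      # 20 mg is not > 20
        (5, "simvastatin", 10, recent, 1), (5, "ketoconazole", 200, recent, 1),  # criterion 4
        (6, "simvastatin", 40, recent, 1), (6, "simvastatin", 40, recent, 1),    # split dose = 80 mg
        (7, "simvastatin", 40, recent, 0), (7, "verapamil", 120, recent, 1),     # simvastatin inactive
    ]
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO rx VALUES (?, ?, ?, ?, ?)", rows)
    return conn


def screen_sample(as_of=date(2011, 7, 15)):
    """Build the constructed table and run the screen as of the given date."""
    return simvastatin_screen(build_sample_db(as_of), as_of)


if __name__ == "__main__":
    for pid, reasons in sorted(screen_sample().items()):
        print(pid, reasons)
```

Patients 2, 4 and 7 fall outside every criterion (prescription older than a year, dose not above the threshold, simvastatin no longer active), which is the kind of sensitivity/specificity boundary the email says is hard to get right against a real medication list.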

Monday, October 3, 2011

Bring Your Own Device

At BIDMC, I oversee 10,600 desktops and 2000 laptops.  They are all locked down with System Center Configuration Manager 2007 and McAfee ePolicy Orchestrator.

Given that most of our applications are thin client and web-based, we can stretch the lifetimes of our desktops to 5-6 years and our laptops to 3-4 years.   Capital funding puts limits on how much hardware we can buy and how long we keep it.

Like many IT departments, we have to balance many priorities - security, cost, software compatibility, performance and the user experience.

This balance means that the locked down, image managed, economical device provided by the IT department will almost always be older, lower powered, and less capable than the device in your home.

The same is true of mobile devices like Blackberries which are a one time purchase and are only replaced when they stop functioning.

Consumer devices are more than just technology, they've become lifestyle accessories.  Are you an iPad2 or a Macbook Air 11 person?   Does Android tickle your fancy or are you holding out for the Samsung tablet with Windows 8?

The cost of these devices is low enough that consumers can buy them on their own and may upgrade yearly as new models are released.

All of this has led to the BYOD movement - Bring Your Own Device to work.

One of my passions as a CIO has been to create web-based applications that run anywhere on anything.  That approach has enabled our applications to run on every version of the iPad, iPhone and iPod touch as well as Android and Blackberry devices like the Playbook.

However, I'm also accountable for the privacy and security of each byte of person-identified data, and we have over 1.5 petabytes to protect.

The internet is an increasingly hostile place.  Clicking on a picture of Heidi Klum results in a 1 in 10 chance that your device will become infected.

Online apps distributed via social networks are filled with malware.

Hacked websites can bring malware onto our devices.  A CIO at the recent Information Week 500 conference described how hackers inserted malware, hidden in an element only one pixel by one pixel in size, into a public-facing website his lab supported.  All internal users who browsed to the website and did not have the latest version of Adobe Flash were infected.  Once infected, their workstations scanned the network for other vulnerabilities.
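The post-infection scanning in that story is the behaviour a defender can look for on the wire: one workstation suddenly touching many neighbours on many ports in a short window.  The following is an added example, not code from BIDMC or from the original post; the connection-log format, the 60-second window and the threshold of ten distinct targets are assumptions, and the log lines are constructed.

```python
"""Flag internal hosts that fan out to many (dst_ip, dst_port) targets
within a short sliding window, as an infected workstation scanning the
network would.  Log format, window and threshold are assumed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed sliding window
THRESHOLD = 10                   # assumed distinct-target count that flags a host

# Constructed sample log, one connection per line: "<ISO time> <src> <dst> <dst_port>".
# 10.1.2.15 sweeps twelve neighbours on SMB/NetBIOS ports within 12 seconds;
# 10.1.2.30 talks only to the mail and web servers, twice an hour, all day.
SAMPLE_LOG = "\n".join(
    [f"2011-10-03T09:00:{i:02d} 10.1.2.15 10.1.2.{100 + i} {445 if i % 2 else 139}"
     for i in range(12)]
    + [f"2011-10-03T{9 + i // 2:02d}:{(i % 2) * 30:02d}:00 10.1.2.30 "
       f"10.1.0.{5 + i % 2} {25 if i % 2 else 443}"
       for i in range(20)]
)

def parse_log(text):
    """Parse log lines into (timestamp, src_ip, dst_ip, dst_port) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events

def find_scanners(events, window=WINDOW, threshold=THRESHOLD):
    """Return {src_ip: peak distinct targets} for every source whose distinct
    (dst_ip, dst_port) count inside any window reaches the threshold."""
    by_src = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        by_src[src].append((ts, (dst, port)))
    flagged = {}
    for src, items in by_src.items():
        recent = deque()                      # events inside the current window
        for ts, target in items:
            recent.append((ts, target))
            while ts - recent[0][0] > window:  # drop events that aged out
                recent.popleft()
            distinct = len({t for _, t in recent})
            if distinct >= threshold:
                flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(find_scanners(parse_log(SAMPLE_LOG)))   # {'10.1.2.15': 12}
```

Feed it a real connection log (firewall, NetFlow or proxy export) in the same four-column shape and tune the window and threshold to the site's normal traffic before acting on the output.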

Breach reporting regulations in HITECH are strict.  If a keystroke logger embedded in malware results in username/password compromise and a hacker downloads files or views data for more than 500 people, the prominent media needs to be notified.  It is unlikely that the media will see much difference between an infected personal device and something under the CIO's control - the CIO will be held accountable!

BIDMC has over 1000 iPads and over 1600 iPhones accessing its network for email and web applications.  I absolutely see the value of the Bring Your Own Device movement.

However, the compliance and regulatory requirements that grow more complex every day make the BYOD movement very problematic.

It may be that we'll find some compromise, such as encouraging BYOD, noting that little support will be available, and requiring mobile device security solutions such as Good Technology before a personal device is allowed on the network.

BYOD can be empowering to users.  Let's hope we can mitigate the risk and afford the applications needed to comply with federal and state laws.