Tuesday, April 23, 2013

Reflections on the Tragedy in Boston

Now that schedules are returning to normal, it's appropriate to review the events of last week and reflect on the lessons learned with the benefit of hindsight.

1.  Risk planning is forever altered

To me, risk is the likelihood of an event multiplied by the impact of that event.

Risk management for BIDMC IT now uses the NIST 800 framework, so areas of risk are formally enumerated, however, it still requires judgement about mitigation strategies.

At 2:50pm on April 15, seven BIDMC IT staff were volunteering in the medical tent/working at the Marathon finish line, a few feet from the explosions.   They were among the first responders assisting the injured.   Their work in a medical community gave them the strength to stay calm but could not have prepared them for the scenes of destruction they witnessed.   All my staff were safe and unharmed, but given their proximity to the bombs, the outcome could have been devastating.

As we think about risk planning in the future, we'll need to consider the events of last week when told something as innocent as "the  majority of the database administration team is going to volunteer at the Marathon"

2.  Secure remote access to all systems is critical to operations.

As we continue to enhance the security of our applications and networks, we're limiting remote access to those with a true need to use systems from off campus.    As the events of last week illustrated, we need to plan for future events which shut down the city for 5 days and require many people to work from home if travel is restricted or a "shelter in place" order is given.

3.  We need to consider restrictions on physical access to the data centers.

The restrictions on travel to and from communities plus restrictions on entering/leaving BIDMC were imposed with an unknown duration.   Our disaster recovery planning needs to include scenarios such as no staff able to enter the data center and no staff able to leave the data center.

4.  We may need to consider novel audit workflows.

We capture every lookup in real time and perform many analytics to ensure patient privacy preferences are respected.

We placed the following message at the top of our intranet for every staff member to see on every page:

"Urgent Reminder for All BIDMC Staff About Patient Privacy
Staff must completely protect patient privacy according to federal HIPAA regulations and BIDMC's own privacy policies. That means:
1. No sharing of ANY patient information through email, Twitter, Facebook, Flickr or other photo sites, any other social media, phone calls or conversations – or any other way.
2. Do not look at, or access by computer, medical records or other protected health information (PHI) or personal information (PI) unless you are authorized to access that information AND you need that information to care for the patient.
3. Send all media calls to the Communications Department or page the Media Relations staff on call.

Violation of these regulations and policies will lead to disciplinary action up to and including termination of employment.

Most importantly, thank you to the overwhelming majority of BIDMC staff who are doing an excellent job of keeping all patient information secure."

Might there be new workflows required in the future such that appropriate individuals are paged/notified within seconds after a lookup occurs?  In an emergency/mass casualty disaster, how can we balance the need for increased security/privacy and appropriate access with real time auditing alerts?

5.  The need for healthcare information exchange in a mass casualty disaster is very clear.

When patients have a choice of caregiver - a patient centered medical home or accountable care organization - a lifetime medical record is likely to be available, supporting safe, quality, efficient care.

The events of last week required patient routing based on acuity, urgency, and availability of resources.   BIDMC, Massachusetts General, Brigham and Womens, and Childrens did a remarkable job treating every patient even with incomplete medical information.   The Massachusetts Healthcare Information Exchange ("the MassHIWay") is currently in production for "pushing" summaries from organization to organization.   Last week's events illustrate the importance of our second phase, now under construction, for secure retrieval of information based on a record locator service and a patient consent registry.    By the second quarter of 2014, we should have the infrastructure in place to support the kind of data exchanges that would have been helpful last week - a first in the country kind of capability.

IT in general experiences more demands than supply.   Last week, we learned firsthand how technology can support a disaster. As we think about all the work on our plates,  our plans going forward must incorporate our recent experiences.


Rich Forsyth said...

Glad to hear that your team is safe and well.

This is a great summary and does point out some until now unthinkable provisions that should be included in risk planning. Sorry you had to think these through at all but your points can be useful to others in now for future planning. Thank you for your efforts.

Jan Adler said...

Dr. Halamka, I commend your staff on their response to that horrible event. I also commend you for striving to meet the needs of the public while securing their privacy. As a RN, I understand how important the patient's history is when treatment is necessary.
Thank you for your hard work and being a patient advocate.

Tom Mariner said...

Just reviewing your post, a month post-event.

Sage advice from a boots-on-the-ground guy who can instantly extrapolate to a 10,000-foot, future-looking view.

Yes on the medical records exhange -- the quiet background of possible patient care improvement gets a light shone on it with a few hundred injuries within seconds and the law enforcement clamp down.

The unauthorized access of patient record access during such an emergency, or on high investigative value patients is innovative use of IT as a Homeland Security tool.

Although the "risk planning" has the same end goal of avoiding harm to a patient, operator, or environment, to a medical device developer, the methods and focus are different. In the case of a healthcare facility and those who provide means of helping medical professionals, EVERYTHING begins with assessing risks -- yes, we all are going to have to go back over our design files to see how we would hold up to something like the bombings and subsequent law-enforcement actions.