Wednesday, April 30, 2014

Security Priorities for 2014

In previous posts, I’ve described security as a process, not a project.  It’s like a cold war that never ends with new threats every day requiring new countermeasures.

As I survey the landscape in 2014, I see much more sophisticated attacks at the same time that there is much more severe regulatory enforcement. Where would I put my security dollars this year?

1.  Denial of Service/Distributed Denial of Service Mitigation

In many ways the internet was built on the Blanche DuBois (Streetcar Named Desire) principle:

"I have always depended on the kindness of strangers."

No one foresaw evil actors purposely trying to pillage the network for personal gain.

Several companies offer appliances and services to reduce the impact of denial of service attacks.   It’s much easier to be proactive and prepared than reactive when an attack hits.

2.  Security Information and Event Management

As new security technologies are introduced, there is an explosion of log files produced.  Turning that data into action can be a real challenge.   If I log in from Boston 5 times on Monday morning and again from Shanghai on Monday afternoon, there is a good possibility my credentials have been stolen.   Integration of multiple data streams with threat analysis based on analytic rules is essential to identifying threats and managing them.
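The Boston/Shanghai rule described above can be written as an "impossible travel" check over merged login streams. This is an added example, not part of the original post; the log format, user names, city coordinates and thresholds are constructed assumptions.

```python
import math
from datetime import datetime

# Constructed city coordinates (lat, lon); a real deployment would use GeoIP data.
GEO = {"Boston": (42.36, -71.06), "Cambridge": (42.37, -71.11),
       "Shanghai": (31.23, 121.47)}

# Constructed sample events from two log sources (timestamps in UTC).
VPN_LOG = """\
2014-04-28T12:05:00Z vpn jdoe Boston
2014-04-28T12:40:00Z vpn jdoe Boston
2014-04-28T13:00:00Z vpn asmith Boston
2014-04-28T18:30:00Z vpn jdoe Shanghai
"""
WEBMAIL_LOG = """\
2014-04-28T12:10:00Z webmail jdoe Boston
2014-04-28T13:15:00Z webmail jdoe Boston
2014-04-28T13:20:00Z webmail asmith Cambridge
2014-04-28T14:00:00Z webmail jdoe Boston
"""

def parse(log):
    """Turn 'timestamp source user city' lines into sortable event tuples."""
    events = []
    for line in log.splitlines():
        ts, source, user, city = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, source, user, city))
    return events

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def impossible_travel(events, max_kmh=1000.0, min_km=100.0):
    """Flag consecutive logins by one user that imply travel faster than max_kmh.

    min_km suppresses noise from nearby locations (e.g. Boston vs. Cambridge).
    """
    alerts, last_seen = [], {}
    for when, source, user, city in sorted(events):   # merge streams by time
        prev = last_seen.get(user)
        last_seen[user] = (when, city)
        if prev is None or prev[1] == city:
            continue
        km = haversine_km(GEO[prev[1]], GEO[city])
        if km < min_km:
            continue
        hours = (when - prev[0]).total_seconds() / 3600
        kmh = km / hours if hours > 0 else float("inf")
        if kmh > max_kmh:
            alerts.append({"user": user, "from": prev[1], "to": city,
                           "source": source, "km": round(km), "kmh": round(kmh)})
    return alerts

if __name__ == "__main__":
    for alert in impossible_travel(parse(VPN_LOG) + parse(WEBMAIL_LOG)):
        print(alert)
```
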

3.  Intrusion Protection Systems

Today’s threats are subtle and complex. Think about the high profile events of the past few years - Target, Neiman Marcus, and RSA. There were infiltrations of building control systems and carefully crafted spear phishing attacks. Advanced sensors are needed to identify malicious activity, log information about the activity, attempt to block it, and report it.

4.  Network forensics

As events occur, root cause analysis requires specialized tools to reconstruct incidents, identify bad actors, examine actions taken by those actors, and report to appropriate authorities enough information to use in prosecution or to respond to regulatory action.

5.  Anti-malware

Endpoint protection is increasingly important given the virulence of malware that includes screen scraping and keystroke logging.    In addition to anti-virus, various zero-day protections including malware signature identification and removal processes are essential.

There are a variety of other tasks that need to be accomplished by the IT organization to comply with ISO and NIST HIPAA best practice frameworks including asset management, physical/environmental security, access control, incident management, continuity management, and continuing training/education for all human resources.

Given the intensity of federal and state oversight, a mature security program is no longer a luxury but a requirement to mitigate technical and reputational risks in healthcare.


Thursday, April 24, 2014

The April HIT Standards Committee meeting

The April Standards Committee began with a tribute to Jon Perlin, who is leaving his chair role of the HIT Standards Committee so that he can focus on his chair role at the American Hospital Association.   Jacob Reider, Deputy National Coordinator will serve as the Standards committee chair.   I will continue as vice-chair.     Jon Perlin has done remarkable work as chair and I look forward to his continued service as a committee member.

Doug Fridsma presented a straw man for the evolution of the HIT Standards Committee Workgroups to better align with our domain expertise, especially as term limits require the rotation of members.   The committee agreed that it made great sense to organize ourselves into content, vocabulary, transport/security, architecture/api/services, implementation/certification/testing groups.   An overall steering committee will triage questions to the right groups and collate the responses from groups.

We then began a day long look at the 2015 Notice of Proposed Rulemaking.
Liz Johnson and Cris Ross presented comments from the Implementation Workgroup. Their key summary is to reconsider the cost/benefits of frequent rule changes, given:
*No guarantee that the items contained in 2015 Edition will be part of 2017 Edition/MU Stage 3
*Unclear benefits to provider community related to implementing an incremental update while continuing to gather data for attestation period in any fiscal year on 2014 Edition
*Preference for vendors to focus on optimizing current code releases and begin preparation for MU Stage 3
*Cost burden to both vendors and providers

Next, Marjorie Rallins and Danny Rosenthal presented the Clinical Quality Workgroup NPRM evaluation. Their key takeaways are that many of the quality standards required for the 2015 NPRM are not mature/fit for purpose and that energy should be spent improving QRDA 1 (patient level), not QRDA 2 (summary), or QRDA 3 (numerator/denominator calculations).

Next, Dixie Baker and Lisa Gallagher presented the Privacy and Security Workgroup Comments.
Their key point was the need to ensure there is some kind of non-prescriptive functional demonstration of modular EHR components working together to ensure data integrity and privacy.

Finally Dixie Baker and Walter Suarez presented the NSTIC Hearing Update. Their key takeaway is that NSTIC is not making standards, it is suggesting frameworks for use of existing standards.   In particular OAuth and OpenID are likely to be increasingly important.

A great meeting. I am hopeful ONC will incorporate the balanced comments from the workgroups into their regulation writing.

Wednesday, April 23, 2014

Unity Farm Journal - 4th week of April 2014

The state of Massachusetts recognized Unity Farm as a 61A agricultural property this week, so 14 of our 15 acres is now deemed as a working, producing farm!

On Easter Sunday, the ducks, chickens, and guinea fowl laid their eggs throughout the barnyard, giving my daughter the unusual experience of a completely natural egg hunt, pictured below.


The plum trees (ume) are in bloom throughout the farm and it feels like Japan


A few weeks ago we planted all our Spring vegetables in the hoop house and they have been growing nicely, until this weekend, when a vole devastated our sprouts. When we created the hoop house, we lined the sides with poultry wire to keep chickens and guinea fowl out of the vegetables, as pictured below.

However the 1 inch spacing did not block chipmunks, mice, and voles.    The end result of a hungry vole attacking a spinach bed is pictured below.   The tender leaves are bitten off at the base.    We did catch the culprit at work, at least the tail half!



Our solution was to run 100 feet of 1/4 inch hardware cloth 3 inches below ground, secured with river pebbles, and topped with soil, pictured below. We also added live animal traps inside the hoop house to check on the efficacy of our work. The traps have remained empty and the sprouts are growing again.




We bottled another 20 liters of hard cider, using standard 22 ounce capped bottles instead of pressure resistant swing top bottles.   This bold experiment will demonstrate to us if natural carbonation will blow the tops off capped bottles.

Part of the Unity Farm property is a one acre meadow of Forget me nots, adjacent to a stream.   The area has been inaccessible in the past, so we created a trail and a low impact board walk to Forget-me-not Glen.    I'll finish everything next weekend and post pictures.

Five packages of bees (10,000 bees and a queen per package) arrive on Friday and Kathy will install the packages into new hives in our bee yard.

Next weekend we’ll apply 80 pounds of mushroom spawn to a new Oyster mushroom area and new Agaricus (button) mushroom beds.    Two Agaricus beds are in the shade of a large pine tree outdoors and two are in the hoop house.   We’ll experiment with how well this warmth loving mushroom does in outdoor and indoor settings.

Thursday, April 17, 2014

Unity Farm Journal - Third Week of April 2014

Last weekend was in the mid 60’s so we had two full days of animal, produce, and land activities.   The animals welcomed the end of snow and ice and the beginning of sunbathing season.



We had a vet visit and our alpaca and llama received the immunizations that I am not licensed to deliver - rabies and tetanus.   They had full body exams including teeth and reproductive systems.   The good news - 10 are at ideal body weight, one is slightly underweight and one is slightly overweight.   We’ll make the necessary dietary and care changes to ensure all are optimally well (call it our patient centered medical home for camelids).   We also did a parasite exam on the underweight alpaca.   Two alpaca appear to be pregnant from last July’s breeding, so we’ll likely expect cria in late June/early July.

We bottled 20 liters of cider #2, our less tart, less acidic fermentation.    Based on our experience thus far, I think I’ll take all future batches of cider through malolactic fermentation over the winter to soften their acids.


The 65 degree temperatures enabled us to perform major bee yard maintenance.   We removed every frame from every hive, inspected all the bees, removed excess wax, and placed the frames in newly painted deep boxes.    Each hive has new young brood and eggs, except one.  Clearly the queen did not overwinter.   We’ll likely merge that hive into another.   The bee yard is off to a great start and we expect a very productive honey season.

Winter moths are about to emerge and we sprayed the orchard with organic pyrethrin, avoiding contact with the bees and spraying before the trees have flowered.

The major project of the weekend was clearing vines, invasive plants, and brambles from a section of the property near the orchard. During construction of the driveway 20 years ago, it’s clear that a section of forest was cleared and, as is typical for disturbed land, the area was filled with spindly regrowth, making the land impossible to traverse. We cleared over a ton of invasive growth and will use the area for another mushroom propagation area. The spawn arrives next weekend.








The guinea fowl, ducks and chickens are expanding their range for insect hunting, now that the weather is warm and the mud is beginning to dry up. Ticks are particularly dense this year, so we welcome the guineas’ appetite for insects. All our birds overwintered successfully, but the Summer is the time of greatest risk to them. The guineas begin to lay eggs and go broody - spending time overnight in the forest to keep the eggs warm. Unfortunately, coyotes, foxes, fisher cats, and raccoons visit those nests and our experience is that an egg laying female does not last more than a few nights outdoors. We’re increasingly vigilant to find nests and bring eggs back to the safety of the coop or incubator.

The vegetables continue to grow in the hoop house and we’re watering daily.   We’ll spread agaricus augustus (a mushroom with an almond flavor) in two of the hoop house beds, covering it with 3-4 inches of compost.   Agaricus is a warmth loving mushroom and cannot survive temperatures below 35F.   Although it is mid April, we still had sub-freezing nights and ice pellets this week.   In our area of New England, frost risk is present until Memorial Day.

Next weekend will be busy with mushroom inoculation, cider bottling, bridge building, trail maintenance, and creating a zen moss garden in addition to the usual animal, bee, and plant care.

It’s clear that my days of mountain climbing and exploring the world have been replaced with the joyful chaos of farming.   I’m completely fine with that.

Wednesday, April 16, 2014

HIPAA and Fundraising

I was recently asked about using patient identified data for fundraising.

The HIPAA Omnibus rule does permit the use of department of service, treating physician, and outcomes information in fundraising activities with an understanding that a patient can opt out and their wishes must be respected.

*The Notice of Privacy Practices must disclose fundraising and right to opt out.
*The covered entity or business associate must not send further communications to those individuals who have opted out, but opt out can be limited to a specific campaign.
*If PHI is not used (e.g., a purchased list), notice and opt out do not apply.

Here’s an excellent overview of the regulation and best practices related to fundraising

How do I think about supporting healthcare fundraising activities with IT?

*Keep all data centrally managed so that no shadow databases of patient identified information are stored in departments or on mobile storage systems.

*Ensure that experts perform all queries and create “minimal need to know” views of patient information.

*Create audit trails of all lookups

*Support the Development department with business intelligence tools that enable them to do their work but eliminate the need to access clinical systems

*Ensure that opt out requirements are respected.
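The bullets above (a central store, a "minimal need to know" view, an audit trail of lookups, and opt-out enforcement including campaign-specific opt-outs) can be combined in one query path. The following is an added sketch, not BIDMC's system; the schema, table and campaign names and the sample rows are constructed, and exposing the patient name in the view is an assumption.

```python
import sqlite3

def build_db():
    """Create an in-memory central store with constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE patient (
            id INTEGER PRIMARY KEY, name TEXT, department TEXT,
            treating_physician TEXT, outcome TEXT, diagnosis TEXT);
        -- campaign NULL means the patient opted out of all fundraising
        CREATE TABLE opt_out (patient_id INTEGER, campaign TEXT);
        CREATE TABLE audit (
            at TEXT DEFAULT CURRENT_TIMESTAMP,
            who TEXT, campaign TEXT, patient_id INTEGER);
        -- Minimal need-to-know view: diagnosis stays in the clinical table
        CREATE VIEW fundraising_view AS
            SELECT id, name, department, treating_physician, outcome
            FROM patient;
    """)
    db.executemany(
        "INSERT INTO patient VALUES (?, ?, ?, ?, ?, ?)",
        [(1, "Pat A", "Cardiology", "Dr. X", "discharged", "dx-a"),
         (2, "Pat B", "Oncology", "Dr. Y", "discharged", "dx-b"),
         (3, "Pat C", "Orthopedics", "Dr. Z", "discharged", "dx-c")])
    db.executemany(
        "INSERT INTO opt_out VALUES (?, ?)",
        [(2, "spring_gala"),   # opted out of one campaign only
         (3, None)])           # opted out of everything
    db.commit()
    return db

def campaign_list(db, analyst, campaign):
    """Return the contact list for one campaign and audit every row released."""
    rows = db.execute("""
        SELECT v.id, v.name, v.department, v.treating_physician, v.outcome
        FROM fundraising_view v
        WHERE NOT EXISTS (
            SELECT 1 FROM opt_out o
            WHERE o.patient_id = v.id
              AND (o.campaign IS NULL OR o.campaign = ?))
        ORDER BY v.id""", (campaign,)).fetchall()
    db.executemany(
        "INSERT INTO audit (who, campaign, patient_id) VALUES (?, ?, ?)",
        [(analyst, campaign, row[0]) for row in rows])
    db.commit()
    return rows

if __name__ == "__main__":
    db = build_db()
    print(campaign_list(db, "analyst1", "spring_gala"))
    print(db.execute("SELECT who, campaign, patient_id FROM audit").fetchall())
```
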

As with most things involving privacy and security, it is possible to balance business needs and regulatory compliance.   Centrally managing the process requires close collaboration between IT and the fundraising business owners.    Strong policies, communication and relationships are just as important as the technology.

Thursday, April 10, 2014

Unity Farm Journal - The Second Week of April 2014

As is typical for New England, the second week of April is filled with 50 degree days and sub-freezing nights, making agriculture challenging.   The morning soil is frozen hard, and tender sprouts in the hoop house must be kept warm overnight with row covers.

Last weekend we did herd health - the complete medical examination of every animal on the farm. We gave immunizations, trimmed toenails, examined skin/teeth, and weighed everyone. The good news - our winter feeding program of hay, alfalfa and small amounts of grain worked well. Not one animal lost weight over the winter. We skipped a few months of toenail trimming, which is hard to do in ice and snow. A few of the white alpaca have very fast growing toenails and had “Howard Hughes” nails in April. We have a close relationship with all of our animals - they recognize us as sources of food and support. They do not fear us or medical treatment. We roll in the hay with them and run through the mud. As a farmer, you’ve got to be more comfortable in muck boots than Manolo’s.

I finished the bridge and pier to Cattail Hollow.   In the shade of an enormous pine with Japanese-inspired swooping branches, you can now sit among the cattails and listen to the sounds of wood frogs and the wind blowing through the rushes.   My next task is to build a bridge and pier in the forget-me-not meadow, a football field sized carpet of flowers that grows every summer adjacent to our stream.


The winter of 2013 was very hard and the combination of snow melt/rain eroded several of our farm roads.   Using the Terex front loader, I moved a ton of wood chips into the mini-grand canyons that developed on the orchard road.    Later this summer, we’ll excavate a swale and line it with rocks, so that torrential rains have a path of least resistance to flow.

As we expand the number of mushroom logs under cultivation, we’re making the process easier by cutting access roads to shady pine groves and covering the road with wood chips. Last weekend, I created the road and the 72 log area pictured below. It’s moist and shady - perfect for Oyster mushrooms. I ordered another 60 pounds of mushroom spawn and will inoculate logs with 6 different types of oyster mushrooms over the next few weekends.



The Spring vegetables have begun to sprout in the hoop house - we have garlic, lettuce, spinach, chard, peas, and bok choi growing now.   Voles have a particular affinity for pea sprouts, so I’ve put hardware cloth cages around the tender shoots.






Last weekend we bottled the first of three hard cider batches. Batch #1 is sparkling without malolactic fermentation - it’s a crisp, tart cider crafted to pair with food. Batch #2 is sparkling with malolactic fermentation - it’s a smooth, rounded, complex cider for drinking on a hot summer day. Batch #3 is a still cider with malolactic fermentation, created for sipping. Bottling involves sterilizing all the equipment with 5% potassium metabisulfite solution/ascorbic acid, washing bottles, and measuring pH/titratable acidity. Batch #1 has a pH of 3.55, while batch #2 and #3 with malic acid converted to lactic acid have a pH of 3.9.

Finally, we completed the first draft of the farm website, Unity Farm Store.   As the growing season evolves you’ll begin to see the availability of mushrooms, honey, fiber, and foods online.    We're making progress.

Wednesday, April 9, 2014

Google Glass - the Details

I’m now able to publicly write about the work that Beth Israel Deaconess Medical Center has been doing with stealthy start up, Wearable Intelligence. We’ve been working over the past 4 months on pilots that I believe will improve the  safety, quality  and efficiency of patient care through the integration of wearable technology such as Google Glass in the hospital environment. I believe that wearable tech enables providers  to deliver better clinical care by supporting them with contextually-relevant data and decision support wisdom.

 One of our Emergency Department physicians, Dr. Steve Horng, said it best:

 "Over the past 3 months, I have been using Google Glass clinically while working in the Emergency Department. This user experience has been fundamentally different than our previous experiences with Tablets and Smartphones. As a wearable device that is always on and ready, it has remarkably streamlined clinical workflows that involve information gathering.

For example, I was paged emergently to one of our resuscitation bays to take care of a patient who was having a massive brain bleed. One of the management priorities for brain bleeds is to quickly control blood pressure to slow down progression of the bleed. All he could tell us was that he had severe allergic reactions to blood pressure medications, but couldn’t remember their names, but that it was all in the computer.

Unfortunately, this scenario is not unusual. Patients in extremis are often unable to provide information as they normally would. We must often assess and mitigate life threats before having fully reviewed a patient’s previous history. Google Glass enabled me to view this patient’s allergy information and current medication regimen without having to excuse myself to login to a computer, or even lose eye contact. It turned out that he was also on blood thinners that needed to be emergently reversed. By having this information readily available at the bedside, we were able to quickly start both antihypertensive therapy and reversal medications for his blood thinners, treatments that if delayed could lead to permanent disability and even death. I believe the ability to access and confirm clinical information at the bedside is one of the strongest features of Google Glass."

As procedure oriented specialists, emergency medicine clinicians must stay visually engaged with their patients while also using their hands to complete critical tasks.  Wearing a device that enables clinicians to view different forms of information without having to disrupt workflow to access a computing device is  empowering.

 This video demonstrates the value and impact that the technology can have.

 Here’s how we are currently using it:

When a clinician walks into an emergency department room, he or she looks at a bar code (a QR or Quick Response code) placed on the wall. Wearable Intelligence’s software running on Google Glass immediately recognizes the room and then the ED Dashboard sends information about the patient in that room to the glasses, appearing in the clinician’s field of vision. The clinician can speak with the patient, examine the patient, and perform procedures while seeing problems, vital signs, lab results and other data.

Beyond the technical challenges of bringing wearable computers to BIDMC, we had other concerns—protecting security, evaluating patient reaction, and ensuring clinician usability.

We have fully integrated with the ED Dashboard using a custom application to ensure secure communication and the same privacy safeguards as our existing web interface.  All data stays within the BIDMC firewall.

Wearable Intelligence has designed a custom user interface to take advantage of the Glass’ unique features such as gestures (single tap, double tap, 1 and 2 finger swipes, etc.), scrolling by looking up/down, camera to use QR codes, and voice commands. Information displays also needed to be simplified and re-organized.

We implemented real-time voice dictation of pages to staff members to facilitate communication among clinicians.

 After several months of testing, we have deployed the product to clinical providers in the ED and are completing the first IRB approved study (to our knowledge) of the technology’s impact on clinical medicine.

Working on novel technology with Wearable Intelligence provides respite from an agenda that has been filled with meaningful use, ICD-10, ACA, and the HIPAA Omnibus rule.   I look forward to reporting further about our experience.

Thursday, April 3, 2014

Building Unity Farm - The Farm Journal begins

This month marks the two year anniversary of our move to Unity Farm. We planned the farm with the desire to be as self sufficient as possible.  Kathy closed her art gallery and now works on the farm full time.

In the past two years, we have installed a poultry yard, created paddocks for the animals, and removed 2 acres of trees to plant the orchard.  We built a hoop house for produce and inoculated shitake/oyster mushroom logs from our woodland management work. We  developed a 1 mile trail system and planted a diverse range of multi-season annuals, perennials, shrubs and trees for the bees.  We've worked the property and orchard/blueberries organically.

At some point, “Building Unity Farm” must transition into an operational and maintenance phase.   Given our two year anniversary as a working farm, today I’m turning my Thursday blog posts into the Unity Farm Journal, describing the weekly activities that are involved in running the farm.  It’s not art, romance or glamour.    It’s mud, heavy lifting, and joyful chaos.  Here’s my first entry in the Unity Farm Journal:

First week of April 2014

Our daytime temperatures are consistently in the 50’s with nighttime temperatures hovering at freezing.   The snow has melted and the paddocks have become a sea of mud.   The ducks can swim across the female alpaca compound which reflects the amount of snow we had this winter and the amount of rain we’ve had in Spring.

As usual the weekend was filled with farm tasks.     We finished the spring planting in the hoop house and now have beds of garlic, romaine, spinach, chard, peas, carrots, and bok choi.  We’ll plant beans and cucumbers in the next few weeks.      Here’s what the hoop house looks like with greenhouse blankets to protect the early seedlings from cool nighttime temperatures.


 I created templates, pictured below, for seed planting to ensure appropriate spacing between rows and plants.

Now that the ground is thawed, work on the farm trails can continue.   When I first laid out the trails, I traversed uneven ground just to bring access to every corner of the 15 acres.   Now I’m refining the trails, adding landscape timbers driven into the ground with rebar to terrace sloping paths, like the one below.


Last week I described my effort to create a trail to our vernal ponds.    We also have a cattail area - an acre of skunk cabbage, cattails, and forget me nots.   It would be very disruptive to walk through such an environmentally sensitive area.   To bring access to this area, I built a bridge and floating pier from the Marsh trail into “cattail hollow” which I’ll finish next weekend.  Here’s the general layout



Our major project last weekend was to complete our reconstruction of the bee yard. We now have 10 hives set up, all outfitted with a landing board, a ventilated base, 2 deep boxes, an imrie shim to enable pollen patty and fondant feeding, a hive top “bee tea” feeder, an inner cover and outer cover. Here’s what the bee yard looks like and a closeup of the girls coming back to the hives covered with pollen.





The upcoming weekend will be filled with more animal/bee care and bottling of our hard cider if time permits.   My daughter turns 21 this weekend, so we’ll toast her with Unity Farm Cider.

Wednesday, April 2, 2014

ICD-10, What next?

After the senate vote on HR 4302 last night, I sent an email to the CIOs of payers and providers in Massachusetts, suggesting that we need to capture the millions spent locally in ICD-10 preparations before mothballing our projects. I suggested that we should continue with testing and go live with as much technology as we can in 2014, minimizing risk to our revenue cycles. Here are some of the responses I received, edited to protect anonymity:

It would be nice if a couple of us in Mass. could at least say we completed testing and validation and next year we will just regression test.

I am completely supportive of us maintaining momentum to protect the investments to date.  I was also thinking through the ICD-10 transition and potential to down coding to ICD-9 until 10/15.  This would require a lot of testing to validate that there is no revenue risks related to the coding conversion.  I am not sure if the teams would want to invest the time in that exercise but would support the evaluation process if there is support from coding and finance departments.

I agree if we could keep provider/payer testing going that would be good. It would also be great if we could get native coding from providers versus using a tool to get manufactured data. This doesn't give us a very good test. I don't agree with accepting ICD-10s and mapping to ICD-9. This concept introduces too much risk and it's additional work that we'd have to take on. I wouldn't be able to get internal buy-in on this approach.

We are still discussing internally but I had assumed we would continue with the current test plan.  I am not sure we will continue the same level of testing efforts after 10/1/14.

Technically, Oct. 1st, 2015 is not the new date, it is the earliest date.  We could lobby our legislators to rescind the move to ICD-10 altogether and work towards ICD-11 in 2018.

On April 7, the CIOs will have a community-wide planning call.  I’m hopeful that we’ll complete our 2014 ICD-10 projects, do end to end testing, and then stand ready to go live fully with ICD10 in the future without significant additional work.

Although I know that many small practices were not ready for ICD10, the majority of hospitals and payers were ready for 2014.   A delay in 2013 may have been helpful, but a delay in 2014 is just going to cost hospitals more as timelines and consulting engagements are extended.