Tom Munnecke’s Eclectica

Here is  Wall St. Journal Op-Ed piece by Deborah Peel arguing that our medical records aren’t secure.

I did a video interview of her a while back:

She was watching a video I had posted earlier by Esther Dyson, who explained her reasoning about having her personal genome and medical records published openly:

These are two very intelligent, accomplished women, both of whom I have great respect. It’s amazing to see how diametrically opposed they are on the issue of patient privacy.

I stand somewhere in the middle between these two positions. The #1 thing to do, I think, is to reduce or eliminate the downside potential of getting medical information… reducing the risk involved lowers the cost of the security. This is not possible for all information, but we can do a lot to make this better.

I also take exception to Deborah’s use of “security” as if it is an absolute go/no go term. All security is a tradeoff between risk and reward. It is more a matter of how much someone is willing to pay to get the information. Security raises the cost of getting the information, but to have absolute security, we would have to shut down all access.

The other issue I think is relevant is that computer-based security systems can track who accesses the information, so there can be an audit trail that John Smith accessed Mary Jones’ record. With paper-based systems, John Smith can copy the record on a copy machine, slip it into his pocket, and walk out completely undetected.

I designed the information security systems for both the VA’s VistA and DoD’s CHCS systems, and defended the architecture to visitors in black suits, sunglasses and no names from unnamed agencies in the DC area – something out of a b-grade movie. These systems have been operational for over 20 years now, supporting about 10% of the US hospital information. To my knowledge, all privacy leaks have been from legitimate users leaking the data manually. I have not heard of any electronic attacks to get the data.

This might change, but at the moment, I think that the security risks are a people problem, not just a computer problem. The way forward, I think, is to mediate access to the medical record by a person-specific system. We need to have a personally controlled health record, something that I’ve been advocating for 15 years now.

Here are some comments Esther Dyson sent me after I posted this entry:

I wouldn’t say we are diametrically opposed. I published my *own* records, not other people’s…. I understand there are reasons many people want to keep them private, and they should have that right (and ability). At the same time, I think it’s more important to fix the system so that having your records leak out isn’t financially dangerous, even though it may still cause people genuine harm as a breach of privacy. (That will also reduce the incentive to use the records except as they apply to celebrities.)

so.. I think we should have good security. I think people should be able to decide for themselves what happens to their records. I do not think loss of privacy is the worst harm that could happen to someone… but people who disagree should be able to act on that belief. However, people who are willing to take that risk will benefit not only themselves – better support and treatment – but also others, when their data is used (under conditions they consent to, understanding that security is not perfect) as the basis for medical research.

I watched an hour or two of the Health Care Reform Summit at the White House today.   My overwhelming reaction to it was how much effort was being expended on just a tiny part of the whole equation.  First of all, it should be called Health Insurance Reform, for it has little to do with the health process at all.  Second, it treats health care as an industry, as if it were a factory taking in sick people and producing well people.  All that we need to do is figure out faster/better/cheaper ways to run the assembly line, and make room for more people to get on it.  It is firmly locked in to the notion that health care is something the system does to the person, patients are “consumers” and doctors are “providers.”  We have transactionalized health care – defining disease/billing codes that shape doctor behavior.  If someone cures their depression by taking up running on the beach, they generate no transactions, incur no medical costs, and improve their health in many other ways.  If they get an antidepressant and go back to sit on a couch to wait for their depression to clear, this generates many transactions, incurs potential side effects, and may diminish their health in other ways.  Unfortunately, our health care system only recognizes the latter… things that don’t get transactions don’t get recognized.  Things that cause health transformations (such as running on the beach) are lost below the radar of the disease industrial complex.

Addiction is one of the great health problems of our time, and Alcoholics Anonymous is the premier organization for treating it.  I recently had dinner with a man celebrating his first year of sobriety, and he was glowing about AA, and has turned his life around.  He is an enthusiastic mentor for 5 others.  AA generates no medical records, no master patient index, and incurs no costs.  The more members it gathers, the more members it can support – members help themselves stay sober by helping others stay sober.  AA in San Francisco has over 700 active groups meeting weekly, yet is has only a tiny staff of 10 to organize it.

So, here is one of our most pernicious health care problems that is being solved virtually cost-free in a self-organizing, self-propagating manner.  It is a transformational approach to health – utterly outside of the transactional provider/consumer model that dominates all health care reform discussion.

The 600 pound gorilla in our health care system is ourselves.  Obesity, smoking, drugs, alcohol, and sedentary lifestyle drive a huge portion of our health care costs… and these are personal life-style issues, not things that “providers” do to “consumers.”

People don’t necessarily “consume” health care when they get healthier.  AA members help others when they become sober – its “baked in” to their 12 step process.  People can get healthier, and in so doing, make other people become healthier.  The fact that your immune system fought off TB today makes everyone else around you a little healthier.

AA attributes their success in part to the fact that that they were underfunded when they got started:

Mr. Rockefeller decided to turn down the request for the money requested by Frank Amos. He reiterated, “I am afraid that money will spoil this thing”… Both Bill and Dr. Bob could access this account and funds could be withdrawn as needed. Rockefeller warned them that despite his help, the movement must become “self-supporting” in order to eventually become a success.

Jonas Salk (in Anatomy of Reality, Columbia University Press, NY, 1983, p. 122) spoke of the need for health care reform to be framed as “Creating an Epidemic of Health.  Only a few are needed to visualize and to initiate a process that would become self-organizing, self-propelling, and self-propagating, as is characteristic of evolutionary processes.”  AA could be viewed as an example of the kind of transformational, “viral” models of health that Salk was talking about.

Are there other self-organizing, self-propelling, and self-propagating models of health out there?  I don’t know.  But I do know that the transaction health industry would not be the place to look for them.  Pharmas are not going to fund products that decrease their dependency on them.  Nephrologists who are sitting on dialysis “gold mines,” despite stated good intentions, would worry about the financial ramifications of a treatment that diminished the need for dialysis.  A approach based exclusively on the notion of health as something the system does to the consumer would not see much virtue in their “consumers” running off and doing things independently of them.

This dependency relationship is exactly what Rockefeller saw when he refused to fund the local chapters of AA… and yet it is the glue that our system is based on.

I participated in a health care reform effort called Valeo about 10 years ago.  It was an effort to apply Dee Hock’s theory of “Chaordic” organization to health care reform, coupled with David Cooperrider’s “Appreciative Inquiry”   We ended up in a summit meeting of about 180 stakeholders from the entire health care field.  My Duh! moment from this event was that gathering all the stakeholders in a perversely incentivized system and asking them to self-organize into a more efficient system is not a recipe for success.  Asking some to jump off the gravy train so that others can ride more comfortably is not going to attract many volunteers.

I don’t recall any political stakeholders in the group – certainly nothing like I saw today at the White House.

Health insurance reform is but the tip of a very large iceberg of reform.  Given the enduring complexity of the problem, I have to wonder whether its humanly possible to come up with an effective solution.  Perhaps we need to declare a “complexity crisis” and rethink ways of minimizing complexity, rather than fixing problems.  Maybe adding 2700 pages of legislation to 125,000 pages is not going to create a workable system.  If so, how much is too much?  If we got to 1 million pages of legislation, would we have solved the crisis?  Or would it be an indicator of intractable complexity?

Here are some thoughts towards simplifying health care:

1.  Decouple the employer relationship from the health care system.  Employers don’t buy our car insurance, why should they buy our health insurance?  This would remove a huge load of issues relating to insurance portability, privacy, unemployment, big- vs small business, and taxes.

2.  Give up on the notion that we have a “system.”  It is just too big and too diverse to think of it in the factory model – that there is One Correct Way to push things down the assembly line.  Rather, we should frame things as a Health “Space” – much in the way that the web was designed as a “space for information to exist” rather than a “system for retrieving information.”

3.  Start with a communications-oriented approach rather than a records-oriented approach.  The problem is that we have a failure to communicate, not that we haven’t standardized, organized, and shared our file cabinets in the proper way.  One form of communication is the medical record,  but not the only one.

4.  Start with the transformational notion of health.  Health is something we all do, and are primarily responsible for it ourselves.  Providers are the edge, people are the center.  Let’s discover all kinds of new approaches to this, to communities of health, to buddy-systems, and the like.  Patients Like Me is a great example of this kind of thinking.

5.  Free up telemedicine.  While its nice to have the super hi res, high bandwidth hi-tech telemedicine systems I’ve seen pitched for decades now, the fact is that a lot of good can come from a simple cell phone photo or video.  There are lots of legal (and some would say ethical) issues to be dealt with, but I think that this should be a basic notion for any future system of health.  We need to design from a state of connectivity.

So, my advice to President Obama: make whatever simple changes that can be agreed upon today, but declare a complexity crisis and move to a new model specifically designed to be a simpler, more adaptive, and more resilient health care system focusing on the transformational rather than the transactional nature of health.

I just ran across this disgusting article Favoritism fears halt major military health upgrade:

Work on a high-priority project to integrate the Pentagon and Department of Veterans Affairs health care systems has been delayed by up to two years because of a “potentially unethical” relationship between a government staffer and a contractor, according to an internal Pentagon report….

This month marks the 31st anniversary of the 1978 Oklahoma City conference that was the kickoff for the software architecture that lead to the current VA’s VistA system, the DoD Composite Health Care System (CHCS), and the Indian Health Service’s Resource and Patient Management System (RPMS).  (I have several boxes of papers from the conference that I am going to scan and post online Real Soon Now).  I took it as a given that we would design a single architecture that would seamlessly integrate all of the federal health IT systems.  I reviewed the state of the art in database management systems at the time, and rejected SQL as being too “pigeonhole” oriented… it expected everything to be nicely laid out in a predefined structure: a place for every datum and every datum in its place.  I used IBM’s IMS (Information Management System) as a counter example for the design of FileMan: whenever I was in a quandry about how FileMan should work, I asked myself, “How would IMS do it?” and then did it the opposite way.  We designed the Kernel architecture as a device- and vendor-independent layer built upon an amazingly simple core MUMPS technology: one data type, 19 commands, and 22 functions.

This approach was amazingly successful, it was eventually used in all federal health care facilities – about 10-15% of all hospital information systems nation wide.  By 1982, we were deploying the system throughout the VA, and in 1984, I implemented my first of many VA-DoD interfaces between the VA hospital at Loma Linda California and March Air Force Base in Riverside.   The system worked very well, and it only took a team of 2-3 programmers less than a year to make it happen. We had staffers from Congressman Sonny Montgomery’s office visit, and it became a major impetus to require one of the bidders for the DoD’s Composite Health Care System “fly off competition” to propose an adapted VA solution.  We had a similar integrated system operating at Fitzsimmons Army Medical Center in Colorado.

My first inkling of the power of the Beltway Bandits came when DoD hired a consultant from Arthur D. Little to study the system.  I discovered that they had a budget several times greater to STUDY the interface than I had to DO the interface.  And I wasn’t convinced that the study was necessarily looking for the benefits of the interface, but rather seemed politically motivated with “push polling” style of interview looking for the negative.

March AFB was closed down, and the interface forgotten.  After I moved to SAIC, I did another interface between the DoD (which went nowhere), and then set up a lab running an integrated version of VA, DoD, and Indian Health Services systems.  Again, this got nowhere.

Now that the interface had surfaced in the world of beltway economics, it rapidly escalated to a multi-million extravaganza.  I’m not sure of the cost of the GCPR (Government Computer Patient Record) in the mid 1990s to integrate the systems – it was in the hundreds of millions.

After 31 years now, I see a recurring pattern.  Someone in congress gets upset about the disintegration of VA and DoD information systems, and huffs and puffs about doing something.  The call hearings, and various secretaries and program managers pledge to make things happen.  Big bucks are allocated, committees are formed.  However, by the time it gets down to the worker-bee level, folks suddenly realize that if they integrate their information systems, their health care facilities might follow as well.

This violates Munnecke’s First Law of Bureaucracy: Never stand between bureaucrats and their retirement program.  Successfully integrating an interface between the VA and DoD – increasing efficiency – would result in someone losing their job security.  Bolixing up the interface, creating a backlog of work to do – decreasing efficiency – results in greater job security.  Meanwhile, the huffing and puffing at the top has been directed at other causes, and folks have probably moved on to other jobs.  And so the cycle continues.

Meanwhile, we pour more money down the drain, feeding the beltway, ethically or not:

the mishandling of the project has delayed the military’s effort by “a minimum of one year up to two year [sic]” and could leave the military with nothing to show for the $13 million it has already spent, the internal report says.

To further compound the problem, we are trying to interface other systems to the VA, such as the Kaiser-VA interface which strikes me as a very brittle architectural approach.  Now, all of VA is trusting all of DoD and all of Kaiser to do the right thing with their medical records.  The trustworthiness of the extended web of interactions is only as trustworthy as the weakest link.  And as we see here, weak links do appear.

The way out of this mess is to reframe our information architecture around the individual, not the enterprise, something that I concluded 10 years ago.  We should reframe health information technology around then notion of a Space, rather than an absurd presumption that we have a health care “system” akin to a car factory, taking in sick people and spitting out healthy ones at the other end.

I think that there are many foundation issues that need to be addressed regarding our health care system that are being ignored in the rush to “pave the cowpaths” of the very practices that most desperately need changing.

Here is a great article by Kenneth Mandl and Isaac Kohane No Small Change for the Health Information Economy on the need for health IT to be flexible and adaptive:

Flexibility is critical, since the system will have to function under new policies and in the service of new health care delivery mechanisms, and it will need to incorporate emerging information technologies on an ongoing basis. As we seek to design a system that will constantly evolve and encourage innovation, we can glean lessons from large-scale information-technology successes in other fields. An essential first lesson is that ideally, system components should be not only interoperable but also substitutable.

I’ve worked with (Zak) Kohane for 15 years or so, and have always appreciated his perspective on health IT.  I’ll quibble with his use of ATM machine metaphor for health IT, though.  ATMs deal with transactions – things that happen at a specific commit point (“press the OK button”), according to an exactly predefined categories (there is not confusion about credit or debit, or amount), and can be added up at the end of the month: your beginning balance plus transactions equals your ending balance.  This is wonderful for checking accounts.

However, I don’t think we can run the health care system using the metaphor of the transactions.  We can’t simply add up everything the doctor does to you for the month, add it to your health at the beginning of the month, and come up with your current health.  In fact, transactionalizing health care is one of the fundamental evils of our current system.  Things that DON’T happen as transactions (e.g. taking a brisk walk with one’s spouse every night) may actually have the greatest health care benefits.  If we wait for problems to require intervention (being prescribed antidepressants for feeling like a worthless couch potato), we see transactions appearing, and it would seem that we are doing the right thing.

We need a model of health care that deals with transformations, not transactions.  Transformations happen to the individual – and may not even involve interventions by professionals, hospitals, or even generate billable transactions.  To design health IT to be exclusively focused on “enterprises” delivering “health care” to “consumers,” even “empowered consumers” is backwards.

We need to be focused on the individual first and foremost.  Enterprises should be “tethered” to their patients, not the other way ’round.

I wrote a little about this in Transformational Ensembles.

(Tip of the Hat: This post came out of a conversation with Heather Wood Ion about health care reform)

One of the most critical issues facing our health care reform efforts today is how information technology will relate to it.  Since I’ve been running around the Health IT briar patch for three decades now, I’ve seen wonderful examples of successful (VA’s VistA), featured in Philip Longman’s Best Care Anywhere as well as an endless stream of failures (Kaiser Permanente threw out a $1.5 billion effort to automate its hospitals; DoD has spent $4 billion on its AHLTA system that is so bad that it is cited as the third most frequent reason causing docs to leave military service.)

Lesson Learned:  Throwing money at a hospital information system does not guarantee it will work.  It is the conceptual foundations of the approach and the organizational readiness to change that are the most critical factors.

I am concerned about much of what I read about the Health IT spending – and the assumption that $20 billion or $100 billion stimulus will result in a viable national health information network.  There is very little empirical evidence that these assumptions are reasonable.  Even more so, the system that we might end up with risks severe negative consequences to the our health care system (see AHLTA is Intolerable)  We run the very real risk of a system that falls behind in practice, yet is propped up by bureaucratic inertia and the assumption that “$100 billion can’t be wrong.”  France faced a problem like this as they supported a “MiniTel” system as a kind of dedicated telephone-keyboard-yellowpages service to all customers just as the World Wide Web was taking off.  The French ended up with a closed, expensive, slow system even while the web offered an open, inexpensive, high speed solution which set them back billions of Francs and years of technology advance.

I believe that we should drive our health care reform from an information technology perspective.  This was my goal in working with the original VistA system for the VA – overcoming all the bureaucratic “stovepipe” divisions by introducing decentralized information systems.  We are seeing today only the tip of a huge iceberg in terms of the amazing advances in computing, communications, telemedicine, lab-on-a-chip, genomics, etc.

The status quo is not going to be happy about all these changes.  Clinical laboratories are not going to be happy about inexpensive home use of lab-on-a-chip diagnositic tools.  Audiologists who sell $3600 hearing aids (using today’s $20 chips) with complicated fitting procedures are not going to be happy with the $100 self-fitting aids.  Optometrists are not going to be happy with over the counter eyeglasses that would allow Wal Mart customers to insert blank lens into a machine, tweak the dials until they see best, press a button, and walk off with a new set of glasses that work exactly how they want for $20.

Disruptive innovation is by definition not welcome to the status quo, but it is a necessary task of innovation and growth.  The automotive industry was not invented by the buggy-whip manufacturers.  And if they held sway in controlling the transportation industry, we would never have evolved past the horse-and-buggy.

A key issue in the coming heath IT/health care reform is the role of the Personal Health Record (PHR).  I’ve been advocating a PHR-based approach for 10 years now   The question to be resolved is how this is to be structured: is the personal health information tethered to a specific enterprise, or is it the other way around.  Why not make the patient the center of the health care universe, and tether the providers to them?

This is disruptive innovation at its best.  Imagine having a Universal Health Dashboard for every American.  They would be able to see all of their health information, and see who has been accessing it.  Patients could see if their doc looked at the lab tests from last visit; docs would know that their patients would see if they’ve ignored their tests).  Enterprise health records would appear as folders on the individual’s dashboards, just part of a much larger Health Communication System.

Here are some papers I’ve written in the past:

See Concepts of the Data Vault

HealthSpace

Health and the Devil’s Staircase

Ensembles and Transformations

and Many More

If you go to a restaurant, its very common to find the wait staff swiping a security card before they order your food.  The kitchen computer prints out a perfect copy of your order, and at the end of the meal, you have an itemized list of everything you’ve ordered.  This is an amazingly efficient and secure system – the management doesn’t want the staff slipping their friends free hamburgers or whatever.

If you go to a hospital, however, it’s likely that your doctors orders are hand written, and perhaps faxed to the pharmacy over a public phone line.  This information, which may have life-critical implications, may have no security, no computer verification, be delayed in transmission, misinterpreted by the staff, or misdirected to the wrong patient.  Computer order entry systems have been a hot topic for decades, and the cost of manual system in patient safety has long been recognized. (See 200,000 preventable deaths per year? and The National Health Emporer has no clothes)

If we accept the conclusions of the Institute of Medicine’s study To Err is Human then preventable medical errors (44,000 per year) are one of the leading causes of death in the US)

Why should even mom-and-pop restaurants have secure, online order entry systems to protect their food orders when hospitals dealing with life-critical information, prone to fatal errors still use clumsy, manual, insecure systems?

Having designed hospital computer systems for 30 years, I understand that a hospital order entry system is a complex task, much more complicated than a restaurant.  But with the right initiatives, it can be done.  The VA has been doing online order entry for decades.

The industry IS capable of maintaining integrated data bases… For example, see Health Insurers quietly keep blacklist.  The insurance industry has an extremely efficient blacklisting system that maintains files on you:

Trying to buy health insurance on your own and have gallstones? You’ll automatically be denied coverage. Rheumatoid arthritis? Automatic denial. Severe acne? Probably denied. Do you take metformin, a popular drug for diabetes? Denied. Use the anti-clotting drug Plavix or Seroquel, prescribed for anti-psychotic or sleep problems? Forget about it.

What’s more, you can discover that if you lie to an insurer about your medical history and drug use, you will be rejected because data-mining companies sell information to insurers about your health, including detailed usage of prescription drugs.

So, when it comes to figuring how to deny coverage to you, the industry has managed to create seamlessly integrated, state-of-the-art information systems.  When it comes to protecting patient safety, well, they are still trying to figure out how to deal with this… for over 20 years.

Restaurants and insurance companies didn’t require any federal agency or stimulus money to be stimulated install state of the art secure systems they did it out of their own (possibly nefarious) self-interest.

The problem is a lack of incentives, not lack of stimuluses.

The problem is that we are dealing with a Disease Industrial Complex, not a Health care system.

At a Armed Services Comittee hearing yesterday, AHLTA managers presented a rosy future for the $4-going-on-$6 billion system. (see AHTLA is Intolerable) Whereas just last year it was called “Intolerable,” now we hear promises of future success:  Ward Cascells, Deputy Assistant Secretary of Defense for Health Affairs: “I’m wary of over promising, but I’m excited about this chance for us to be leaders in nation in EHR.”

However, I have been getting a stream of messages from AHTLA who don’t have much confidence in what was said on the hill:

• “It was ironic, that within 5 minutes of the live feed, that AHLTA went into Fail-Over.  Sure wish there was a Live feed from our clinics to show the impact.  Still Fail-Over is better than no connectivity, which had previously been the case.  Providers still hate Fail-Over and find it so slow and unreliable.”
• “No one will ever admit the failure of AHTLA, it’s just too expensive, when they can tout the terabytes of garbage data the system contains.  We have yet to get a single operational report out of the system.”
• “Duplicates!  I can’t even begin to tell you the mess and the costs to clean up the duplicates.  Some are introduced by CHCS users by forcing duplicates by creating “”dummy” SSNs, but AHTLA failed to integrate the necessary matching algorithms software for the CDR.  They are just now acquiring the critical tools needed for this.  CHCS was nearly shut down by the GAO for Duplicate Patients.”
• Another AHTLA user wrote his congressman yesterday: “I urge you to hold DoD personnel accountable for this abysmal and costly failure which may have adversely the health management of literally millions of DoD personnel.“
• “AHLTA is more than Intolerable…It’s the 3rd highest reason listed by the Army at the June 08 AUSA Conference Providers are leaving the military…”
• ” Health IT is so deeply political that common sense and patient welfare (not to mention the clinician user experience) often seems to be mere afterthought.”

If the hearing attendees were AIG executives, explaining that they had spent $4 billion of taxpayer money and wanted $2 billion more to improve it, and that their actions had adversely affected the health care management of millions in an abysmal and costly failure, Congress and the press would have been calling for scalps.  But apparently federal bureaucrats can just blow smoke on the hill with impunity, promising results that will happen on someone else’s watch.

I say fire the bunch of them tomorrow, holding them accountable for the mess they’ve created.  And demote every one who approved this slow-moving train wreck in the past.  And create an AHLTA “Hall of Shame” for all the world to see who are the contractors and vendors who helped make this such a fiasco.

Here are some comments to Peter Groen asking for comments on the future of health care information technology (see end of message for details)

Peter, this is all interesting research… 2040 is as far from now as the initial 1978 Oklahoma City VA/DoD/IHS meeting was in our past.

In looking back at the trajectory from 1978 to now, I think that some of my key lessons learned are:

Future Binding. When I designed MailMan in the early 1980′s, I knew that the Internet was coming, and spent a lot of time talking to folks at ISI in Marina Del Rey, who were just developing the SMTP mail protocol, (Jon Postel, in particular).  However, I had only a very primitive IDCU communications infrastructure to work with.  So, I designed MailMan as if it had access to the internet using TCP/IP, and then built a protocol (SCP) that emulated it in whatever form was available over time.  The MailMan handshake would figure out the best performing mutually understood protocol, and so the network could “ratchet up” to higher and higher performing protocols in a self-organizing manner.   I think the process worked pretty well, and it got me started thinking about how one builds systems that are bound to the future (rather than the past).  We could think of Cobol as an early binding language, MUMPS as a late binding language, and the MailMan technique as a future binding approach. Continue Reading »

This is a very big rock that I’m pushing up a very big hill, but I guess I try it one more time.

I just ran across this hearing announcement from the House Armed Services Committee:

“The Joint Military Personnel and Terrorism, Unconventional Threats and Capabilities Subcommittees will meet to receive testimony on Department of Defense Health Information Technology: AHTLA is “Intolerable,” Where Do We Go From Here?”

Continue Reading »