electronic medical records

RECENT POSTS

Lessons From Boston Children’s: When Hackers Attack Your Hospital

Boston Children’s Hospital (Wikimedia Commons)

Last April, during the parents-versus-hospital custody dispute over teenager Justina Pelletier, Boston Children’s Hospital found itself under cyberattack, apparently by the hacker group Anonymous. The hospital’s website was flooded by traffic that hindered its operation, and other online operations were affected as well.

The assault brought widespread condemnation — BetaBoston called the attackers not activists but “criminals” — and subsided after about a week.

Now, Dr. Daniel Nigrin of Children’s offers some details and lessons from the assault in the latest New England Journal of Medicine: When Hacktivists Target Your Hospital.

He writes that the attack began with a warning message on Twitter relaying a set of demands, and then the hackers posted “the home and work addresses, phone numbers, and e-mail addresses of some of the people involved in the case (a tactic called ‘doxing’). The hackers also posted technical information about the hospital’s public-facing website, suggesting that it might become a target.” A few weeks later, the “distributed denial of service” attack — the flood of traffic — began.

Nigrin writes:

Over the course of the next week, the hospital was subjected to several other attacks that were intended to do more than affect its Internet connectivity. These included multiple attempts to penetrate its network through direct attacks on exposed ports and services, as well as through the use of “spear phishing” e-mails, which are intended to get recipients to click embedded links or open attachments that would provide a means for the attackers to gain access to the portion of the hospital’s network behind its firewall.

No patient data were damaged or exposed, Nigrin writes, but the experience underscores the importance of planning for the possibility of losing Internet connectivity.

Author Robin Cook: When Your Smartphone Becomes Your Doctor

Author Robin Cook in 2008 (Patryk Korzeniecki via Wikimedia Commons)

Some doctors might tell you that their electronic medical record systems have already plunged them into a horror story along the lines of a “Coma”-like Robin Cook thriller. Dr. Cook himself sounds the alarm about the possible dangers of high-tech health tools in his latest bestseller, “Cell.” (As in cell phone. As in an app that functions as your dream doctor. Except when things go wrong in that sinister Robin-Cook-ish way.)

But there’s not a trace of the Luddite about him; he co-wrote a piece in the Wall Street Journal recently that began:

A sweeping transformation of medicine has begun that will rival in importance the introduction of anesthesia or the discovery of the germ basis of infectious disease. It will change how patients and physicians interact. It will change medical research and therapy. “Sick care”—the current model of waiting for you to get sick and then trying to alleviate symptoms and make you well—will become true “health care,” where prevention is the mantra and driving force. Welcome to the world of digital medicine.

We chatted at a lunch last week for the Friends of the Newton Free Library, where Dr. Cook taught a rapt audience the rudiments of thriller-writing. Our conversation, lightly edited:

In your latest book, “Cell,” a virtual-doctor app goes horribly wrong. But in your recent op-ed piece in The Wall Street Journal, you sound very bullish about digital medicine. So are you feeling some ambivalence here about digital medicine?

The point is that it’s coming and nobody’s going to stop it. And none of the stakeholders are all that excited.

I was thinking that you’ve written a kind of an electronic health record nightmare — but then, some doctors say they’re already living that in real life.

NFL Goes Medically Digital With Mass. Firm’s System

I bet you’ll have the same dark reaction I did: “Good, now they’ll be able to keep better track of their concussion treatments.”

This just in from the Westborough-based firm eClinicalWorks, a major player in electronic health records:

NFL Adopting Electronic Health Records for Care Coordination

WESTBOROUGH, Mass.—November 19, 2012—eClinicalWorks®, a market leader in ambulatory clinical systems, today announced that the National Football League (NFL) is moving from paper medical records to electronic and will utilize the company’s comprehensive electronic health records (EHR) solution for this endeavor.

“The NFL and its healthcare professionals pride themselves in maintaining a leadership role in sports medicine developments,” said Dr. Tony Yates, president of the NFL Physicians Society and member of the EMR Committee for the National Football League. “We are always looking for innovative ways to enhance healthcare within the organization. Electronic health records are the next logical step and we look forward to partnering with eClinicalWorks on this initiative.”

See the full release here.

Report: Electronic Medical Records Uptake ‘Encouraging’ But Digital Divide Remains

Even though the majority of doctor’s offices across the nation have adopted electronic medical records for patients, a clear divide remains between large urban teaching hospitals and their smaller, rural counterparts, according to a new Robert Wood Johnson report.

The report, released today, found that adoption of electronic health records reached 57% last year, a 17% jump from 2002.

Still, researchers note that while the increases in adoption are “encouraging” there are signs of trouble:

The gap in EHR adoption rates based on hospital size, teaching status, and location has become larger, indicating that hospitals with certain characteristics continue to adopt HIT at a faster rate than others. Adoption among large hospitals, for example, increased by 17.3 percentage points, as compared to 10.1 percentage points among smaller hospitals, widening the gap in adoption from 15.0 percentage points in 2010 to 22.8 percentage points in 2011. Similar differences were found based on teaching status and location.

But, as one of our guest bloggers recently noted, the digital divide doesn’t end with the urban/rural, academic/non-academic split. There is also the great human/pet divide. Professional patient advocate Ken Farbstein writes here about his dog Jackson’s handy EMR printout, something he, as a human patient, still does not have access to.

The Robert Wood Johnson report also offers a state-by-state comparison on the top EMR adopters:

Minnesota (60.9%), Wisconsin (59.9%), and North Dakota (57.9%) had the highest rates of adoption, while Louisiana (15.9%), New Jersey (16.3%), and South Carolina (19.5%) are at the low end of the scale.

Massachusetts was in the higher-end range at 43.6%.

Should You Have A Unique ID Number For All Your Medical Records?

UMass Medical School Chancellor Dr. Michael F. Collins

Should you have a unique ID number for all your medical records? The Wall Street Journal asks that question today on its debate page, and University of Massachusetts Medical School chancellor Dr. Michael Collins answers with a resounding “Yes!”

The Journal offers this background:

Proponents say universal patient identifiers, or UPIs, deserve a serious look because they are the most efficient way to connect patients to their medical data. They say UPIs not only facilitate information sharing among doctors and guard against needless medical errors, but may also offer a safety advantage in that health records would never again need to be stored alongside financial data like Social Security numbers. UPIs, they say, would both improve care and lower costs.

Privacy activists aren’t buying it. They say that information from medical records already is routinely collected and sold for commercial gain without patient consent and that a health-care ID system would only encourage more of the same. The result, they say, will be more patients losing trust in the system and hiding things from their doctors, resulting in a deterioration in care. They agree that it’s crucial to move medical records into the digital age. But they say it can be done without resorting to universal health IDs.

Doctor As Shaman Of The Digital Village, And Other Blog Pearls

Dr. Vikas Saini

“Shaman of the digital village.”

What an intriguing phrase. It refers to the special magic that human doctors will still possess even if IBM’s Watson and other electronic tools take over many of their current functions. And it comes from the keyboard of Dr. Vikas Saini, president of the Lown Cardiovascular Research Foundation and — I’m delighted to report — another Boston health care leader who has stepped up to the online podium.

For bookmarking purposes, here’s his blog. It’s titled “Off the Cuff: A Cardioblog,” but though the Lown Center is renowned for its heart work, Off The Cuff is by no means limited to cardiovascular thoughts. And thank goodness for that. Vikas has a wide-ranging past: Indian origin, youth in Canada, Princeton philosophy major, Johns Hopkins and Harvard clinical and research training. Also, involvement in the medical device industry and in the management side of a big Cape Cod physicians’ group.

“Talking about Skype and video for medicine is like asking the question in 1905, ‘Will the telephone have a role in health care?’”

Put it all together, and he can comment from a personal knowledge base on anything from health care economics to new heart drugs. When he talks about the American “health care bubble,” I feel dark dread. Not that he limits himself to his expertises, though; the blog’s logo is “humani nihil a me alienum puto,” which means “I consider nothing that is human alien to me.” (Thank you, Wikipedia; I didn’t have to resort to Google Translator.)

About the digital shaman: In a post earlier this month titled “Doctors in a brave new world,” Vikas responds to a recent op-ed piece evangelizing a technological revolution in health care that could move “much of health care out of hospitals, clinics and doctors’ offices, and into our everyday lives,” through home and mobile monitors, remote communication and the like.

Vikas welcomes the technology’s promise, but writes:

The challenge for me is in defining the role of the doctor in that scenario. That depends in part on the bigger question of whether people really want to grapple with their anxiety about mortality (which every illness however mild seems to trigger, even if it is in some primal, subconscious sense) in isolation from other caring human beings.

Breaking: 638 Brigham & Women’s Patients Warned That Doctor Lost Hard Drive

This release just in from Brigham and Women’s Hospital:

Brigham and Women’s Hospital Notifies 638 Patients of a Potential Data Breach
Device containing patient information lost

Boston, MA – An external hard drive belonging to a Brigham and Women’s/Faulkner Hospital (BW/F) physician was lost on June 21, 2011. BW/F has sent letters to notify the 638 patients whose medical information may have been on the device.

The following information related to inpatient hospital stays from July 10, 2009 to January 28, 2011, may have been present on the device: patient name, medical record number, dates of admission, medications and information about diagnosis and treatment. The information did not contain Social Security numbers, insurance numbers or other financial account information.

“BW/F takes the privacy and security of our patients’ information very seriously. We are taking steps to reduce the risk of such events occurring in the future, including addressing the incident specifically with those involved, reviewing and augmenting our policies and procedures, and enhancing our training regarding technical safeguards required on external hard drives that may contain sensitive data, as well as limiting the amount of data stored on such devices,” said Sue Schade, BW/F’s chief information officer.

“It is fortunate that no Social Security numbers or financial information were included in the information that was lost. We have no knowledge that the information on this device has been accessed. However, as a precaution, we are offering affected patients identity protection services,” said Schade. “We apologize for any inconvenience and deeply regret any concern this situation may cause our patients.”

Patients who require additional information or have questions can call toll free at 877-694-3367.

I’m immediately cast back to the last big news story about a data breach: Those Massachusetts General Hospital records that were left on a subway. They included records of HIV patients. The hospital ultimately agreed in February to pay $1 million to settle claims that it had violated patient privacy. That story is here.

What baffles me is that both Mass. General and the Brigham have some of the most advanced electronic medical record systems around. Personally, at this point I’d say I’d rather have my records in the cloud than on an external hard drive: I’m less afraid of hackers than of absent-minded staffers…

What Killed Google Health? And What Does Its Untimely Demise Mean?

I love a good mystery. And I’ve noticed one post-mortem analysis after another lately exploring the recently announced impending demise of Google Health, a service aimed at helping people manage their own health information. Why would as powerful an entity as Google abandon so major a project in such a seemingly promising field?

Google’s own explanation, in a blog post, is that the service just “didn’t catch on” as hoped. That rings true to me: Here I am, immersed in health care news, and I’d heard little about Google Health and nothing enticing enough to make me want to sign up. But the answers go deeper.

In MIT’s Technology Review, David Talbot recently wrote of Google Health that its passing reflects a broken medical system: “Experts say its untimely death is, in many ways, an extension of U.S. health-care providers’ failure to share data across institutions, or make it easy for patients to obtain it.” (Tech Review also has an interesting new article out here about a Cambridge company’s health-tracking platform for employers.)

I just spoke with Dr. Kenneth Mandl, an associate professor at Harvard Medical School, physician and researcher in the informatics program at Children’s Hospital Boston, and co-founder of the open-source project Indivo, the first electronic personal health record. Indivo, he says, began in 1998, inspired the Google Health model in 2006 and is still in wide use, including for patients at Children’s.

The concept behind personal health records is that each of us should have access to our own medical information, and the ability to share it where needed—with our doctors, our family, and with computer apps that can help care for us. Here is his detective work, lightly distilled:

Q: So, Ken, whodunit?

Basically, it was a combination of a couple of factors—the stagnant data flow in the health system and some failures in Google’s strategic execution.
The data about our health histories, medications and treatments, usually captured by our physicians on paper or, increasingly, in electronic health records, usually stay put—in physicians’ offices or hospitals–even though federal law entitles patients to copies of their electronic health records.

‘They didn’t do very well in establishing a trust model. What would Google do with your health data once they had it?’

And Google was more dependent on real ‘data liquidity’ than I think they fully realized. Job number one for them, with their enormous resources, should have been to try to ensure that there were generalizable, standardized ways to move data around in the health system. They needed to dig in and do serious engineering with clinical systems. But they didn’t do that. They were hoping to sit on a high perch and to provide storage and applications for managing that data. But the data were not there.

So there’s real work to be done. Google was a little ahead of its time in a sense, but really, they should have spent more energy and dollars helping to generate data flows through policy reform and technological innovation.

Also, Google Health fell short as an “apps” platform. Contrast it with the iPhone platform — Google never really captured a serious community of third-party developers who could add value to data by generating apps that could run against their programming interface.

Report: Security Lapses Seen In Push For Electronic Medical Records

How can we better secure electronic medical records?

The Washington Post has an important piece on this just-released report from the U.S. Department of Health and Human Services detailing potential security gaps and privacy problems as the country moves toward a system of electronic medical records for all patients.

Two reports released Tuesday by the inspector general of the Health and Human Services Department find that the drive to connect hospitals and doctors so they can share patient data electronically is being layered on a system that already has glaring privacy problems. Connecting it up could open new pathways for hackers, investigators say.

The market for illicit health care information is booming. In recent years, the case of a former UCLA Medical Center worker who sold details from the files of actress Farrah Fawcett, singer Britney Spears and others to the National Enquirer gained notoriety.

Most cases don’t involve celebrities or get much attention. Yet fraudsters covet health care records, since they contain identifiers such as names, birth dates and Social Security numbers that can be used to construct a false identity or send Medicare bogus bills.

The shortcomings in the system “need to be addressed to ensure a secure environment for health data,” said the main report, adding that the findings “raise concern” about the effectiveness of security safeguards for personal health care information.

In a second, related report, auditors “examined computer security at seven large hospitals in different states and found 151 security vulnerabilities, from ineffective wireless encryption to a taped-over door lock on a room used for data storage. The auditors classified 4 out of 5 of the weaknesses uncovered as ‘high impact,’ meaning they could result in costly losses, even injury and death.”

The hospitals were located in 7 states, including Massachusetts, but were not identified in the report.

I have a call in to Dr. David Blumenthal, the former National Coordinator for Health Information Technology at HHS, who recently left his post (just in time!) to return to Massachusetts General Hospital, on whether he agrees that the rush toward EMRs is overlooking serious security gaps. I’ll post his response when I get it.

Dr. Blumenthal Went To Washington

For the last two years, Dr. David Blumenthal was the czar of Health Information Technology for the Obama administration, overseeing its monumental efforts to push the country toward electronic medical records. This is his first week back at his Harvard home. In case you missed it yesterday, CommonHealth featured him in the above brief video, on what we should all be asking of our doctors, electronically speaking. Today, we continue our debriefing, lightly edited:

Q: You’re just back from two years in Washington, DC. What will you do now?

To be absolutely frank, I’m exploring lots of different options. It’s virtually impossible to plan your next step while you’re in government, because of all the potential conflicts of interest. I’m back as a professor at Harvard and I’m sure I’ll be doing some writing, and probably some academic work, and a lot of speaking and guest-lecturing. I also have acquired something of a taste for having an impact on the real world — I spent two years trying to do that in Washington — so I’m looking for opportunities to affect health care delivery, and I’m not sure what form that will take.

I’ve become a convert to the idea that information really is power, in health care just as in everything else. The information platforms that systems work with are vital to their success, and getting those better-integrated into the day-to-day delivery of care is important for patients, doctors, nurses, hospitals — everybody. I don’t see a pathway to accomplishing everything we want to accomplish, in the commonwealth or nationally, until we have much more powerful information systems.

You can make big changes in the delivery of health care just by giving people better information. Most health care professionals go to work every day wanting to do a good job, and when they fall short, it’s often because they don’t have the information they need.

Q: Could you share a telling example of the power of information in health care?