Medical Devices

  • renderman
    Notorious Canadian Hacker
    • Mar 2003
    • 1428

    #16
    Re: Medical Devices

    So our privacy Guru is curious about speaking gigs to talk about this stuff (non-politically of course). Haven't yet told her these things don't pay for anything, but I'm curious about the potential.

    Is there interest from the assembled crowd here in the privacy angle of the Alberta EMR push? I know there's a few others in the community in the medical aspect of things, perhaps a cross border panel?
    Never drink anything larger than your head!






    • Thorn
      Easy Bake Oven Iron Chef
      • Sep 2002
      • 1819

      #17
      Re: Medical Devices

      Originally posted by Cleo
      Thorn: I see dying people who don't need to die. I believe in privacy. You seem to think I'm somehow on the wrong side of things. Rather than bicker debate over petty semantic points, I'd rather know, what exactly is your point? Are you against EMR and changing how HIPAA is implemented?
      I wouldn't say that I see you on the wrong side of things, but rather that your expectations seem unrealistic. You seem to want a system that makes records openly available when they would best serve to expedite treatment, yet at the same time you say you want to protect the privacy of the individual. To me those two things are diametrically opposed.

      My opinion of HIPAA is that it is far from perfect, but is a step in the right direction as far as protecting the rights of the individual. I also see EMR as a huge erosion of those rights. At this time, I am totally against EMR. The implementation is poor, and the current systems are already rife with abuses. For proof you only have to look as far as the supermarket tabloids. As far as I can tell, it will only get worse at this point.
      Thorn
      "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird


      • renderman
        Notorious Canadian Hacker
        • Mar 2003
        • 1428

        #18
        Re: Medical Devices

        Originally posted by Thorn
        I wouldn't say that I see you on the wrong side of things, but rather that your expectations seem unrealistic. You seem to want a system that makes records openly available when they would best serve to expedite treatment, yet at the same time you say you want to protect the privacy of the individual. To me those two things are diametrically opposed.

        My opinion of HIPAA is that it is far from perfect, but is a step in the right direction as far as protecting the rights of the individual. I also see EMR as a huge erosion of those rights. At this time, I am totally against EMR. The implementation is poor, and the current systems are already rife with abuses. For proof you only have to look as far as the supermarket tabloids. As far as I can tell, it will only get worse at this point.
        Thorn,

        We've debated this in the past and I know I can't convince you one way or another but I do have some questions to help me understand your side.

        Obviously we are on different sides of the border and all sorts of things are different so it's not just one thing that's different that we can pin down.

        1. In what way does an EMR erode rights? If no information other than that in a paper chart is collected, where's the erosion?

        2. I'd be curious what tabloid articles you are referencing. Obviously I'm not seeing the same as you are.

        3. In my experience, a lot of the issues (security, functionality) with EMRs are due to a facility or HMO rolling their own system and letting docs, administration or monkeys design it. This inevitably leads to some of what I'm assuming are your complaints, though you never really spell out what they are. If a system were designed competently and some sane policies went along with it, would you be as opposed?

        Just trying to understand your opposition. Looking around me by your logic at times, we should all be dead up here.
        Never drink anything larger than your head!






        • Thorn
          Easy Bake Oven Iron Chef
          • Sep 2002
          • 1819

          #19
          Re: Medical Devices

          Originally posted by renderman
          Thorn,

          We've debated this in the past and I know I can't convince you one way or another but I do have some questions to help me understand your side.

          Obviously we are on different sides of the border and all sorts of things are different so it's not just one thing that's different that we can pin down.
          Just to be clear, I see the government socialization of health care to be a political issue that isn't directly associated with EMRs. In your case they are obviously tied together because of the system you live under, but my opposition to EMRs is the same whether they are privately run or on a government system.

          I see the issue of EMRs more akin to the mess with electronic voting. Yes, the current system sucks, but the electronic implementation is much, much worse in the consequences of failure.

          Originally posted by renderman
          1. In what way does an EMR erode rights? If no information other than that in a paper chart is collected, where's the erosion?
          It's not the collection where the erosion occurs, but rather it's in the availability and the dissemination. A paper chart can only be read by one or two people at the same time; three if they stand real close together. An EMR can be read by literally thousands of people at once by merely accessing the record online. To be sure, a paper chart can be photocopied, but that does take some time and effort, and is less likely to happen to the majority of records due to the effort involved.

          Furthermore, a person in the hospital account department would probably never see anything beyond basic account information with a paper record, and they should have no reason to look beyond basic account information. But with EMRs that person can look up the record of their favorite celebrity or their neighbor with minimal effort.

          Sure, account permissions and rights can prevent some abuses, but those of us in infosec know that those very things are violated and circumvented by users all the time. Audit trails may find a problem after the fact, but won't actually stop the information from being sent out.

          Originally posted by renderman
          2. I'd be curious what tabloid articles you are referencing. Obviously I'm not seeing the same as you are.
          The most recent case I can think of is that of octuplets mother Nadya Suleman. On March 31st, the hospital where Suleman gave birth announced that network security monitoring had found that her medical records had been accessed unnecessarily in direct violation of HIPAA and California health care data privacy law.

          Due to this violation, two of the hospital's employees were fired, thirteen opted to resign in lieu of termination, and eight others were disciplined. This occurred despite the fact that the hospital had done special training about patient confidentiality. That training had been given before Suleman was admitted, and was done specifically because the hospital anticipated national attention in response to Nadya Suleman’s multiple births.

          Here's just one story about it:

          http://www.computerworld.com/s/artic...edical_records

          Another case that springs to mind is that of George Clooney:
          http://abcnews.go.com/US/Story?id=3714207&page=1

          Other coverage of that and similar cases:
          http://www.thesmokinggun.com/archive...9082ucla1.html
          http://www.huffingtonpost.com/2008/1..._n_147591.html
          http://blogs.wsj.com/health/2008/04/...l/?mod=WSJBlog
          http://blogs.wsj.com/health/2008/04/...leb-curiosity/
          http://www.healthcareitnews.com/news...ed-new-zealand
          http://www.stlbeacon.org/cindy_haine...cords_violated

          Plug a couple of combinations of these various words and phrases into your favorite search engine and you can find quite a few instances of this problem:

          celebrity
          celebrities
          EMR
          EHR
          electronic medical record
          electronic health record

          Oh, and this should heighten your paranoia:

          http://www.injuryboard.com/newspost....googleid=29746


          Originally posted by renderman
          3. In my experience, a lot of the issues (security, functionality) with EMRs are due to a facility or HMO rolling their own system and letting docs, administration or monkeys design it. This inevitably leads to some of what I'm assuming are your complaints, though you never really spell out what they are. If a system were designed competently and some sane policies went along with it, would you be as opposed?
          No, not at all, but the rub is that I'm not sure such a system can be created. As I said, from what I've seen in infosec, things like permissions and audit trails won't actually stop the information from being sent out.

          To clarify my main complaint, it's simply this: The privacy of patients is being sacrificed for gains that are not proven, and may be questionable at best. It is very similar to my views on RFID in passports, and electronic voting, two subjects I know we do agree upon.

          A related issue is that there is no way for an individual to opt out of any medical record system (electronic or otherwise) that I've seen. Having that option might at least alleviate some of my queasiness at the whole idea of EMRs.

          Despite the advocates' claims about EMRs, those that have thus far been instituted rarely make for more efficient patient care. That may happen in case of an accident where something emergent such as finding the blood type quicker, results in making a transfusion happen faster, but that kind of event is pretty rare. Truthfully, EMRs are about making doctors and nurses see patients quicker -essentially making health care more streamlined as a system- but that seems to come at the cost of the individual patient's privacy. Back when I was an EMT, it was pounded into our heads that the patient was our highest priority. It would seem to me that as a whole health care has forgotten that as it tries to transform itself into a sleeker system.

          Originally posted by renderman
          Just trying to understand your opposition. Looking around me by your logic at times, we should all be dead up here.
          Well, I do have deep qualms about socialized medicine, especially having seen your system first-hand. But as I said, I also consider that as a separate (and much more politically charged) debate.

          Cleo: One other thing about the doctor who's dying of cancer and sees privacy issues as being obstructive. Sometimes people feel the opposite way. My wife's best friend died eleven years ago due to breast cancer. She was a fierce advocate of her own privacy. After being diagnosed she felt that she only wanted to share this information with certain people, including certain doctors. True, that may have been counterproductive to her treatment, but that was the way she felt about it. She was very surprised and angered when she went to see different doctors in the who already knew about the disease due to an early EMR system in this area. She felt extremely violated, and thought that her privacy was sacrificed to people who had no right to the information unless she specifically told them or allowed them to access it. As a result she went to her grave hating doctors who would thoughtlessly violate her privacy in the name of being more efficient in seeing more patients.
          Thorn
          "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird


          • boredsilly
            w/ +8 mug of caffeination
            • Jun 2008
            • 55

            #20
            Re: Medical Devices

            Thorn - I'm sorry to hear about your wife's friend. That's horrible. I like your idea for an opt out. They could easily create a field in the EMR that indicates the patient has opted out of the EMR system and they will need to pull the paper records to proceed with treatment.

            I don't necessarily want to jump in on the debate but I do want to add some info to it since the past 13 years of my work history have been in IT at large Medical Centers. Though EMR has been a big help with efficiency and cost savings to a financially hurting industry, it came with an increased risk to patient safety and privacy. The industry acknowledges this and is taking steps to rectify it but it has a long way to go.

            Here are the problems I've seen with the EMR system as it stands today:
            • PMI Accuracy – In many institutions, the patient data is entered into the system by data entry techs and not clinicians. This frees up clinicians' time and lowers cost. Unfortunately, they are some of the lowest paid workers at the hospital with a huge workload, no variety, and low job satisfaction. The result is a burnt out employee prone to making mistakes.

            • Malware - If a keylogger configured to watch for Social Security #'s and "phone them home" gets on a system used to enter the PMI, the damage would be catastrophic. I've had to fight several cases of the Boot.Mebroot virus and that sucker is completely invisible on the system except to our AV that detects it.

            • Poor Applications – Many of the medical applications I’ve experienced are best described as crapplications. They are bloated, poorly designed, expensive crap with bare minimum security. Some routinely crash causing the clinicians to fail over to the paper method until the app comes back online. Any information in the computer that has yet to be updated in the patient's paperwork increases the risk to the patient. Data corruption (like where two people’s records get merged) can also happen.

            • Medical Identity Theft – If you are unfamiliar with the issue, it's where someone either impersonates you to get medical services billed to your insurance or they impersonate a medical institution to bill your insurance company for services that you didn't receive. The result can be denied coverage or incorrect diagnosis. Though this can happen from paper medical records, EMR makes it easier to accomplish. Basically, a corrupt employee with legitimate access can download large quantities of information and do the crime from the comfort of their home (this happened last year in CA). Yes, auditing would help fix this scenario but most medical institutions don’t have the time or resources to do it effectively.
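Added example (not part of the original posts): a minimal audit-trail review in Python covering the two abuse patterns raised in posts #19 and #20, many staff reading one high-profile record and one employee pulling many records. The log format, role names, care-team mapping and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed audit trail: (user, role, patient_id, record_section).
AUDIT_LOG = [
    ("dr_a", "physician", "P1", "chart"),
    ("nurse_b", "nurse", "P1", "chart"),
    ("bill_c", "billing", "P1", "account"),
    ("dr_f", "physician", "P9", "chart"),
    ("bill_c", "billing", "P9", "chart"),     # billing reading clinical data
    ("nurse_d", "nurse", "P9", "chart"),      # not on P9's care team
    ("clerk_e", "clerk", "P9", "chart"),
    ("clerk_e", "clerk", "P2", "chart"),
    ("clerk_e", "clerk", "P3", "chart"),
    ("clerk_e", "clerk", "P4", "chart"),
]
# Constructed treatment relationships: patient_id -> users assigned to that patient.
CARE_TEAM = {"P1": {"dr_a", "nurse_b"}, "P9": {"dr_f"}}


def is_explained(user, role, patient, section, care_team):
    """An access is explained by a treatment relationship, or by billing
    staff reading only the account section (hypothetical policy)."""
    if user in care_team.get(patient, set()):
        return True
    return role == "billing" and section == "account"


def review_access(log, care_team, bulk_threshold=4, crowd_threshold=3):
    """Return users with many unexplained patients and patients with many
    unexplained readers. Detective only: the reads already happened."""
    by_user = defaultdict(set)
    by_patient = defaultdict(set)
    for user, role, patient, section in log:
        if not is_explained(user, role, patient, section, care_team):
            by_user[user].add(patient)
            by_patient[patient].add(user)
    bulk = {u: sorted(p) for u, p in by_user.items() if len(p) >= bulk_threshold}
    crowd = {p: sorted(u) for p, u in by_patient.items() if len(u) >= crowd_threshold}
    return {"bulk_access": bulk, "crowd_on_record": crowd}


if __name__ == "__main__":
    for kind, hits in review_access(AUDIT_LOG, CARE_TEAM).items():
        print(kind, hits)
```
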


            • Thorn
              Easy Bake Oven Iron Chef
              • Sep 2002
              • 1819

              #21
              Re: Medical Devices

              Originally posted by boredsilly
              Thorn - I'm sorry to hear about your wife's friend. That's horrible.
              Thanks. We still miss her. There's no telling how she'd feel about the present EMR proposals, but knowing her she'd very likely be truly horrified that anyone would see this as a positive. She was a very private person.

              I can see some potential benefits, but my feeling is that a person's privacy trumps making a doctor's job easier.

              By the way, if any of you who are involved in the EMRs is interested in seeing that system from the mid-late nineties, it was called VTMedNet, and a slide deck from 1998 about it can be found here, at the National Institutes of Health. Some limited technical details about it are even included.

              Originally posted by boredsilly
              I like your idea for an opt out. They could easily create a field in the EMR that indicates the patient has opted out of the EMR system and they will need to pull the paper records to proceed with treatment.
              <shrug> I don't know where it came from, although the more I think about it, the more it seems an obvious solution.
              Thorn
              "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird


              • Thorn
                Easy Bake Oven Iron Chef
                • Sep 2002
                • 1819

                #22
                Re: Medical Devices

                If anyone is still interested in this topic, Syngress this morning just published the first issue of an online newsletter. In it is an article that I wrote about EMRs for them. It's more neutral in tone, although it is aimed at potential infosec issues with EMRs.

                Newsletter: (The article is the second one down.)
                http://mail.elsevier-alerts.com/go.asp?/mEAPFU8/bESB001

                Direct link:
                http://www.elsevierdirect.com/downlo...k_thornton.htm
                Thorn
                "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird
