Microsoft Explains HealthVault Strategy

I didn't get around to writing about this at the time, but a couple weeks ago I read in eWeek about how Microsoft Explains [its] HealthVault Strategy. There are a couple of analogies I wouldn't have made myself: MS compares HealthVault to XBox and PayPal.

The goal was to provide ways for consumers to better understand their health and health information and manage that information for themselves.

Conn [Grad Conn, Healthcare and Life Sciences senior director for global consumer strategy] explained that with consumers as the aggregators and the controllers of to whom, how and when their information can be shared, the traditional health information model is turned on its head.

"Right now, the mechanism for this is through HIPAA, which dictates how to control patient privacy when patients don't control the records," Conn said. HIPAA, he said, has very clear rules that patients can request to see, copy, add to or delete any piece of health information in their record, and HealthVault uses those same procedures, but in a digital format.

So far so good. This (when properly implemented, whether by Microsoft, Google, or some other "fourth party") will accomplish in nimble form what is already one of the clumsiest and least effective of the HIPAA provisions, the portability requirements. Your health records are indeed available to you as a patient, but the care provider has the option of charging you for the cost of making a copy, and in virtually all cases will only supply the records in hard-copy format, even when an underlying EMR or EHR is in use.

Now, on to the first of the startling analogies:

NIH security breach includes data on U.S. Rep - FierceHealthIT

This just in, a story about how to get exactly the wrong person really, really angry at you, in the FierceHealthIT newsletter piece entitled NIH security breach includes data on U.S. Rep.

Now this must be a little embarrassing for officials at NIH. As it turns out, Rep. Joe Barton (R-TX) was one of 3,000 patients involved in a cardiac MRI study whose records were possibly lost when a laptop computer was stolen from the agency. Not only is the loss of records on a U.S. Representative a faux pas, Barton happens to be a founder of the Congressional Privacy Caucus, which focuses on educating other Congressional offices and staff members on individual privacy issues.

Broken Is Fixed: Health informatics standards in light of Clay Shirky's "In Praise of Evolvable Systems"

I recently re-read an old essay by Clay Shirky (shirky.com) called In Praise of Evolvable Systems. It opens with a laughable description of designing a novelty protocol to slip past the IETF as a joke - however, the feature set described is an accurate description of the World Wide Web, as it existed when Shirky wrote the essay in the late 1990's. That lead-in ends with this:

HTTP and HTML are the Whoopee Cushion and Joy Buzzer of Internet protocols, only comprehensible as elaborate practical jokes. For anyone who has tried to accomplish anything serious on the Web, it's pretty obvious that of the various implementations of a worldwide hypertext protocol, we have the worst one possible.

Except, of course, for all the others...

It seems the WWW protocol family has turned out to be another example of "less is more", or more accurately, "broken is fixed".

An unsettling trend: Texas patients choosing Mexican hospitals

The Fierce Healthcare e-newsletter had a story today about  Texas patients choosing Mexican hospitals. It paints a disturbing picture.

In Texas, [many] affluent patients ... now choose to get their care in Monterrey, Mexico, impressed by the low prices and high-quality care they're finding there.  When they get to Monterrey--or other medical tourism hotspots like Santa Eulalia, Chihuahua and Village de Santiago, near Monterrey--they're finding not only cozy amenities but also welcoming communities.

To capture such patients, two north Texas-based hospital chains, Christus Health of Irving, Tex., and International Hospital Corp. of Dallas run Mexico-based hospitals. Christus Muguerza, a partnership of Christus Health and Monterrey based Muguerza, has identified 40 communities along the Mexican border where it plans to expand.

Here's a real security risk in the making, resulting from the dysfunctional US healthcare system Michael Moore recently hyperbolized in the great yellow journalism film Sicko. Does Mexico have a HIPAA equivalent? Do they enforce it at least as well as we do ours? Who will you go to for redress if your protected health information ends up on the Internet?

Frankly it's very possible the healthcare system in Mexico is better than ours, at least if one is paying for care directly. They may also have a stronger law than HIPAA and be enforcing it more stringently than we do our law. But what does it do to our way-late attempt at a national electronic health record if we have people getting significant portions of their healthcare outside our borders?

We'll see how this goes. I'm not optimistic in the near term.

Health IT theft prevention made easy... for some of us

A few paragraphs down in my recent post entitled Surface computing and the future of health IT, I wrote about Motion Computing's C5 Mobile Clinical Assistant, the first truly usable portable computer for clinicians I have seen. If you weren't interested in Microsoft's Surface Computing initiative, you may not have got that far in reading the post; the post title didn't reflect that it was partly about the C5. I'll need to do it more justice in a future post. While looking into the C5, I ran across a page on their anti-theft technology service. It definitely deserves attention of its own.
 

Losing portable devices containing HIPAA protected health information (PHI) is one of the nightmares everyone suffers from on our Health System's IT security workgroup, and I'm sure it's on the minds of everyone responsible for securing healthcare information technology against preventable loss of PHI, a serious violation of HIPAA.

Report: HHS Has Weak Plan for Health IT Privacy

This post is just a pointer, for now, to some disturbing news in Congressional testimony by the managing director of the Markle Foundation via eWeek, in an article entitled Report: HHS Has Weak Plan for Health IT Privacy.

Carol Diamond, managing director of the Markle Foundation, said that health IT in the United States is "missing a strong policy framework that would protect people's health information."

She advocated adopting policies such as limiting use of information and making sure data storage is decentralized. However, she also noted that Congress was considering the statutory authority of several federal organizations created by President Bush, including the Office of the National Coordinator for Health Information Technology and the American Health Information Community, a brainstorming group consisting of industry and government leaders. Diamond suggested that the organizations that "initiate" actions may not be appropriate for longer-term implementation and policy making. She called for a highly visible independent mechanism to hear public complaints.

You can find Carol's testimony in full at this location: http://www.markle.org/downloadable_assets/caroldiamond_february12007final.pdf

CP Split™ Technology

I'm always looking for better ways to secure patient/research subject data, because conformance to HIPAA Privacy and Security and the Common Rule is very important to my institution (as it is to every academic health center and pharma).  This task is made especially difficult by the need to integrate multiple applications containing sensitive information, stored in many different formats and often only accessible through some application-proprietary interface.

Dr. Steve Beller, an entrepreneurial sort of health IT guru who has written very insightfully about the current state of the US healthcare system in the Wellness Wiki, has introduced a technology framework that shows great promise. I'm still studying this, but I'll be writing more about it soon. The most interesting aspect to me is called CP Split™ Technology.

Node-to node with universal translation is an application that manages the transfer of information between two computers in an asynchronous manner, requiring a node on one computer to be a publisher (sender) of information, and one or more nodes on other computer(s) to act as subscriber(s). This is an application to application information transfer process requiring each computer involved to support an operating system and a connection to the Internet via broadband or dial-up service. At one end of the connection, the publisher node must authorize the information transfer by authenticating that the subscriber node is allowed to receive the information. At the other end of the connection, each subscriber node must allow the publisher to deposit the information into a directory as a file with a common extension. Universal translation requires that the publisher be notified by each subscriber how the information, when received, will be formatted by the subscriber for presentation as a report, which enables the publisher to transform the information as necessary, so it can be used by different subscribers (e.g., performing language translations and data set modifications).

Publish/subscribe interfaces go back a long way, of course, but I know of no attempts to apply them to sensitive healthcare information in a regulatory-compliant manner.

Steve is looking for vendor partners to help propagate the technology. I'm out of the entrepreneurial game for the time being, but I must admit that from what I have seen so far I am sorely tempted to jump back in. I'll be writing more about this soon.

eWeek: What Scares Me About Security in 2007

On the subject of security, this just came in from eWeek's Security Center Editor, Larry Seltzer: What Scares Me About Security in 2007.

...the real action in vulnerabilities and exploits is on the server, where more than 70 percent of vulnerabilities are from Web apps, PHP, Perl and similar systems. Many of the sites with these vulnerabilities are front ends for important databases. With such potential you can expect to see Web app worms going nuts this year, causing massive damage. And since PHP has suffered them before and so much research is focused on it, expect the attacks to center on those servers. If you run a PHP server, better keep up with those updates. It's going to be a harder year for security in 2007 because it will be harder to explain problems, and perhaps harder to write tools to detect them. But part of this is because we've already made things hard for the bad guys.

This illustrates the problem I have with security experts: they're focused on the technical problems. As my previous post indicated, the real problems aren't technical, they're administrative. Technical problems are more addressable, hence get more attention. It's like searching under the streetlight for the key you dropped on the dark corner nearby, because the light is so much better under the streetlight.

Insider security threats come in many forms

I have sat on the Health System's Information Security Workgroup for a couple of years now, and have gained a lot of insights into the kinds of threats that actually put patient data at risk. The teenage hacker and the identity thief from some country in the former Soviet bloc get a lot of traction in the press as villains.

However, what I have come to understand gradually is expressed in the title of this article from last November on SearchSecurity.com: Insider security threats come in many forms. The most likely candidates for identity theft in your organization are the people working alongside you.

More EHR products get certified, and I become a convert

CCHIT recently announced the second round of Certified EHR Products, bringing the total number to 33. This is great news. I'm curious, though about the use of the word "evolve" in this excerpt from the press release:

The certification criteria have been developed to ensure that products provide a broad foundation of functionality, will evolve to deliver standards-based interoperability with other systems, and include security features to protect the privacy of personal health information.

Oops. I thought we were doing this to achieve interoperability in the first place. One of the goals in CCHIT's About page reads: "Ensure interoperability (compatibility) of HIT products ".  It turns out that is in the future, and it's not clear when interoperability standards will be delivered.

Forget all those things about being skeptical about interoperability with respect to CCHIT's efforts (for example, see CCHIT EMR Certs: The Prisoner's Dilemma Revisited). CCHIT is starting from a different Square One than I was assuming, so at least some of my complaints are off-target. My bad.