Is It Safe?

Tags

cancer, digital media, ehr, emr, innovation, internet security, mat honan, oncology, social media

By Richard Just, MD

When I read William Goldman’s book “The Marathon Man” years ago, I recall the evil Nazi dentist with drill in hand (played by Sir Laurence Olivier in the subsequent movie) hovering over the un-anesthetized Dustin Hoffman strapped to a chair asking the question: “Is it safe?” Of course, Hoffman didn’t know. So when Olivier turned on the drill and Hoffman started screaming, everyone in the theater identified with his pain. I still get chills when thinking about it.

In previous blog post here, I’ve described the pain I experienced when we transitioned from paper charts to electronic medical records. Certainly not as intense as having dental work without anesthesia, but agony just the same. Well guess what! Now we’re transitioning to a new EMR. In many ways, our pain level has increased from 6/10 to 9/10.

I interviewed Casey Quinlan, of Might Casey Media, a very astute commentator on healthcare in general and cancer care specifically, on This Week in Oncology last Wednesday. The “Mighty Casey” made several cogent observations on EMR’s, but, we  really didn’t address the question of security. In the December 15-16, 2012 issue of the Wall Street Journal, Ellen E. Schultz  wrote an article entitled: “How Safe Are Your Medical Records?” Two pieces of legislation are cited:

The first is the Health Insurance Portability and Accountability Act (HIPAA) which “allows health-care providers to disclose medical records without a patient’s consent when the information used is for treatment, payment and ‘health-care operations.’ Providers are supposed to exchange only relevant information, but they commonly transfer a patient’s entire file, which is easier than separating the pertinent records.” In the same manner, protection can be lost for psychotherapy records if they are co mingled with other medical records.

Second is the American Recovery and Reinvestment Act of 2009 which “prohibits the unauthorized sale of medical records, requires that data be encrypted and mandates that individuals be notified of security breaches. It is too soon to say how effective these rules will be.”

Drilling down to the core problem is Mat Honan’s original article “How Apple and Amazon Security Flaws Led to My Epic Hacking” and follow-up video entitled “Mat Honan Hacked and Digitally Destroyed” he describes an “epic hack” that destroyed his entire digital life in 1 hour. Having been the victim of a phishing expedition, a minor nuisance compared to his experience, I know how it feels to have your identity stolen.  After researching how and why hacking has become more problematical, Honan concludes: “The age of the password has come to an end; we just haven’t realized it yet. And no one has figured out what will take its place.” He continues: “The ultimate problem with the password is that it’s a single point of failure, open to many avenues of attack. Two factors should be a bare minimum.” This creates the dilemma that if the password is too simple and obvious, it’s a no-brainer to crack; if it’s too complex and obscure, the password is hard to remember. And, we are advised never to write passwords down. Why am I not surprised that the most common password used is, in fact, “password”, and second is “123456”?

Honan provides a helpful Dos and Don’ts list to survive the “password apocalypse”:

“DON’T:

1. REUSE PASSWORDS. If you do, a hacker who gets just one of your accounts will own them all.
2. USE A DICTIONARY WORD AS YOUR PASSWORD. If you must, then string several together into a pass phrase.
3. USE STANDARD NUMBER SUBSTITUTIONS. Think P455wOrd is a good password? NOp3! Cracking tools now have those built in.
4. USE A SHORT PASSWORD-no matter how weird. Today’s processing speeds mean that even passwords like “h6!r$q” are quickly crackable. Your best defense is the longest possible password.

DO:

1. ENABLE TWO-FACTOR AUTHENTICATION WHEN OFFERED. When you log in from a strange location, a system like this will send you a text message with a code to confirm. Yes, that can be cracked, but it’s better than nothing.
2. GIVE BOGUS ANSWERS TO SECURITY QUESTIONS. Think of them as a secondary password. Just keep your answers memorable. My first car? Why, it was a “Camper Van Beethoven Freaking Rules.”
3. SCRUB YOUR ONLINE PRESENCE: One of the easiest ways to hack into an account is through your e-mail and billing address information. Sites like Spokeo and WhitePages.com offer opt-out mechanisms to get your information removed from their databases.
4. USE A UNIQUE, SECURE EMAIL ADDRESS FOR PASSWORD RECOVERIES. If a hacker knows where your password reset goes, that’s a line of attack. So create a special account you never use for communications. And make sure to choose a username that isn’t tied to your name-like m****n@wired.com so it can’t be easily guessed.”

So, the answer to the question: “Is it safe?” is an emphatic NO. Honan concludes that online identity verification will not be a password-based system in the future, any more than our system of personal identification will be based on photo-ID’s. But, passwords may still be involved as just one part of a multifaceted process.

Advertisement

My Struggles With Our Electronic Health Records System

Tags

cancer, creative destruction of medicine, digital media, ehr, emr, eric topol, healthIT, oncology

By Richard Just, MD

My group purchased our Electronic Health Records system (EHR) about 5 years ago.  We had 4 clinical practice locations (soon to be 5 ½) with 1 administration office.  None of these sites are close to each other.  A major reason for purchasing an EHR was, and still is, to collect and analyze all data from our entire practice for the purpose of determining outcomes of our treatments. In other words, we wanted to know how our patients were doing in all of our offices, which treatments were working and which were not, and then use this information to refine and practice the best medicine we could. This was the promise of EHR.

And so my nightmare began.  Some of my patients define nightmare as something you didn’t wish for and it never seems to end.  Volumes could not fully describe my experiences.  I’ll just mention one “glitch”:  I noticed that some of my notes were disappearing into the ‘ethernet’ on a seemingly haphazard basis.  Sometimes I could locate them in another section of the chart; other times I wasn’t so fortunate.  Despite my staff spending weeks trying to find the defect, we had no success.  Our vendor monitored my work processes for two weeks.  Again, clueless.  To add insult to injury, I was told that I was the only one experiencing this problem which, of course, I took personally.  Turns out the problem occurred only when I started my note before my Medical Assistant entered vital signs.  So we had the explanation, but no fix.  As a result, I wait for my MA to enter her data, which frequently delays my ability to see patients on time.  Recently, we have added 2 physicians to our practice.  One of them asked me what he was doing incorrectly that caused some notes to disappear. This time I had the answer!! What’s more, I was now informed that it was a system wide problem for which there was still no fix.

When I was a kid, there was a TV show called the Naked City.  When episodes ended, the announcer said: “There are 8 million stories in the Naked City; this has been one of them.” I do know that my story is just one among many. But it’s still so annoying.  Because of the flawed design of this particular EHR system, we have been burdened with huge financial costs resulting from lost time, the need for extra IT support, and the hardening of my right carotid artery. I don’t need the added stress in this era of decreased reimbursements for providing clinical care and chemotherapeutic agents.  One of my partners has gone back to hiring a transcriptionist rather than using the EHR.  Another is chronically behind in his data entry.  To this date, we are not set up to pool and analyze our data for outcomes.  Soon, we are beginning the gut-wrenching process of converting to a new, and hopefully more user friendly, system.

A few weeks ago, I had the pleasure and honor to have a conversation with Eric Topol, M.D. on ‘this week in oncology‘ radio radio show. We were both intrigued by two articles that recently appeared in the New England Journal of Medicine on this subject.  The first, entitled “Escaping the EHR Trap—The Future of Health IT”, discredits the myth propagated by EHR vendors that health IT is different from industrial and consumer IT.  The authors suggest that vendors have alleged this to be fact “in order to protect their prices and market share and block new entrants.”

The second article is also quite enlightening:  “Unraveling the IT Productivity Paradox—Lessons for Health Care.”  In the 1970’s and 80’s, many industries adopted computers with the expectation that they would increase productivity.  To everyone’s surprise, digitization resulted in a significant reduction in efficiency. This was called the Productivity Paradox.  Subsequent research revealed that productivity attributed to computerization was underestimated due to defects in measurements, mismanagement of processes (such as summarized in the “glitch” in my system above), and poor usability.  Most systems, including mine, don’t have spell-checking capability.  Unbelievable!!

In chapter 7 of his must read, “The Creative Destruction of Medicine”, Dr. Topol discusses the benefits and challenges of Electronic Health Records and Health Information Technology in detail.  Despite the fact that digitization initially can be associated with an increase in errors, which doesn’t ease my pain, and many other challenges, he concludes:  “While some may consider the topic of electronic medical records prosaic, it should now be abundantly clear that their ultimate adoption and full interoperability will prove fundamental to the future of medicine.  Only via full electronic convergence can all the tools of digital medicine be in sync and immediately useful.  With the torrent of individualized data flow that is coming from whole genome sequencing, remote physiologic monitoring, and medical imaging, electronic information storage and processing will become more essential than even envisioned today.”

I have to agree with him. While this current transition period can be a frustrating, even painful experience, the alternative of a failed health care system is unacceptable.