Medicine in an electronic age

The following is the fifth (and probably final) post in a series entitled, “Securing your Email.” I’ve spent the majority of the series talking about logistical things like why secure email is important and how to get started with public-key cryptography. If you look back at my first post, you’ll see that the reason I went out and learned all of this (and wrote about it ad nauseam) is because I feel like it’s an incredibly interesting and important topic where medicine meets technology.

Communication throughout the world is becoming more and more electronic, and things are changing rapidly. In the field of medicine five years ago, most institutions (including very large hospitals) were still using paper records. In fact, even today a number of institutions still do. Doctors communicated by telephones and pagers, and records from other facilities were carried in by hand or faxed. With the technological advances in the last 10 years, today a physician could easily be consulted halfway around the world with a simple email, and a copy of an X-ray or CT-scan could be sent electronically. These changes in the way health care is administered present a new set of problems to the industry.

This electronic age spawned a strong concern about health care privacy in the United States, which was addressed by HIPAA. The health care industry spends an incredible amount of time and resources dedicated to preserving people’s privacy. They spend millions and millions of dollars on “enterprise level solutions” to make sure that they can work online safely. These are not always dollars well-spent, but that’s the topic for another day. Unfortunately these solutions end up restricting health care professionals in such a way as to reduce the utility of the system. As an example, I’m going to talk about email (as you might have guessed).

As I pointed out in my first post, I’ve been thinking about this for a while. How in the world can health care institutions, who are so concerned about privacy and protection of their patients’ data, not be doing more to provide secure email solutions? I think I’m in an appropriate position to answer that question. I’m part of a committee that has been charged with selecting a new email provider for the hospital. We’re currently looking into a number of different vendors, and a question that consistently comes up is about “email security.” We’ve got a number of people on our committee including people from IS, the legal department, and human resources staff as well as physicians, nurses and students. Their “email security” questions have the best intentions. They want to make sure that the solution we choose is going to keep our patients’ data safe.

At the same time, however, I feel like there is a knowledge gap as to what they know about email security. I feel like most (if not all) of the people involved just want someone to say “your email is super-duper secure with our system.” One vendor took it a step further and started talking specifics of cool stuff that their system can do to prevent, for example, someone from emailing Protected Healthcare Information, or PHI, to someone outside of Rush. The problem I (and some members of the legal department) have is that sometimes this information needs to be sent out, for example to a lawyer’s office. From a patient’s perspective, if I request that my physician contact me via email with my lab results as opposed to over the phone, should that be discouraged? But it is, and that’s because some of the people in the IS departments across the land realize how insecure email is. So we need to make it more secure, and in order to do that, we have to understand where its security flaws lie.

The problem is that most institutions don’t look at the problem like that. They don’t get an unbiased assessment of email security. Instead they get a vendor to sell them an “email security solution” in which the vendor defines what secure email is and how their solution fits the bill. I’m not saying that all companies are giving a false sense of security, but it’s definitely a concern. It’s exactly why you have to understand the problem before you go looking for an answer. Things would be significantly different if a group of people like the “free software community” assessed a health care institution’s email security needs. In fact, the purpose of my post is to propose the following: the health care community should embrace the free software community’s model of email security.

Health care institutions have all the right resources already in place. They simply need to implement it. It would be fairly easy to create a public key server for your health care institution. When Housestaff and Physicians begin their tenure, they could easily be required to create a key pair during new employee orientation. Key pairs could be distributed on cheap flash drives for safe keeping and stored on a private server for easy access while on campus. Alternatively, keys could be distributed on smart cards. Since an institution has verified who an employee is, their internal web-of-trust will form easily. As long as someone’s public key has been signed by the company’s IS department, it can be trusted. These key servers could be made to exchange keys with those of other institutions or even external key servers, such as one set up by the NIH or the Department of Health and Human Services. Physicians also often travel to conferences, and “key signing parties” or booths could be set up to create a more full-fledged web of trust.
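The trust rule in the paragraph above (a key counts only if the IS department has signed it) can be sketched as follows. This is an added example, not code from the original post: it uses Ed25519 signatures from Node's built-in crypto module as a stand-in for OpenPGP certification signatures, and every name and address in it is constructed.

```javascript
// Added example: models "trusted only if signed by IS" with Ed25519 signatures.
// Real OpenPGP certifications carry more (expiry, revocation); names are hypothetical.
const { generateKeyPairSync, sign, verify } = require('node:crypto');

const newKey = () => generateKeyPairSync('ed25519');
const der = (publicKey) => publicKey.export({ type: 'spki', format: 'der' });

// Bytes a certification covers: the identity AND the key, so neither can be swapped.
function binding(email, keyDer) {
  return Buffer.concat([Buffer.from(email.toLowerCase() + '\n', 'utf8'), keyDer]);
}

// IS certifies an employee key after verifying identity (e.g. at orientation).
function certify(signerPrivateKey, email, employeePublicKey) {
  const keyDer = der(employeePublicKey);
  return { email, keyDer, sig: sign(null, binding(email, keyDer), signerPrivateKey) };
}

// Key server lookup: return a key only when the entry is certified by the IS key.
function trustedKeyFor(keyServer, email, isPublicKey) {
  for (const entry of keyServer) {
    if (entry.email.toLowerCase() !== email.toLowerCase()) continue;
    if (verify(null, binding(entry.email, entry.keyDer), isPublicKey, entry.sig)) {
      return entry.keyDer;
    }
  }
  return null; // no certified key: do not encrypt PHI to an unverified key
}

// Constructed sample data.
const isDept = newKey();   // institution's IS signing key
const drJones = newKey();  // enrolled physician
const drSmith = newKey();  // enrolled physician
const impostor = newKey(); // uploads a self-certified key under Dr. Jones' address

const keyServer = [
  certify(impostor.privateKey, 'jones@hospital.example', impostor.publicKey),
  certify(isDept.privateKey, 'jones@hospital.example', drJones.publicKey),
  // A valid certification for Smith, relabelled with another address after signing.
  { ...certify(isDept.privateKey, 'smith@hospital.example', drSmith.publicKey),
    email: 'chief@hospital.example' },
];
```

The lookup skips the self-certified entry and the relabelled one, because the signature must verify under the IS public key over both the address and the key bytes.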

Having public keys freely available would make it easy for physicians to communicate more securely with one another. They’d be able to trust an email from a colleague. Plus, they’d be able to encrypt emails and attachments containing PHI. Physicians would also be able to communicate with their patients via email more freely. Patients could be given instructions on how to acquire the physician’s public key and how to use it. It would be even better to set up a way to simplify the process by just emailing the patient a link so that an encrypted email could be viewed directly on the institution’s website. They wouldn’t need to worry about having the proper GPG client software installed, since they’d just have to click a link and the web page would decrypt the email for them.

Unfortunately, there are many in the health care IS industry that would rather none of this communication go on via email. They are probably smart to have a firm stance that no PHI should be communicated via email at this point since their email system is probably very insecure. The problem with their plan is that both now and in the future PHI is being sent via email and it’s probably not going to stop unless some serious consequences are put into place at individual institutions.

I have to wonder though. If the email system was actually set up securely and properly, why couldn’t PHI be sent via email? Why shouldn’t I be able to request my test results in electronic format from my doctor? These aren’t questions that are going to be addressed by any single institution, unfortunately, and this presents a very big problem in the near future. A number of other industries are currently caught in a downward spiral because they chose not to adapt to the Internet era. Does a similar fate await a health care industry that wants to deny physicians and consumers access to the PHI electronically under the guise of HIPAA and “we know what’s best” for protecting patients’ rights? Doing so is just going to drive the process more underground, giving them less control over the situation in the future. They’d be better off embracing the idea now and preparing for the future of medicine in an electronic age.

Portable Electronic Medical Records

I have been meaning to do a long post on EMRs for a while. After reading a recent post on Ars Technica on this issue, I decided this is as good of a time as any.

Although Mr. Gitlin readily admits that EMRs are unlikely to solve the problems of “inefficiency” in the medical community within the US, he claims it will decrease cost in the end. He disdainfully alludes to “high cost” in the US system without ever questioning why the costs are so high besides noting that our focus is generally on emergent and not preventive care. Now we can argue this point to death, but if you’d like an enlightened point of view on this subject, I suggest you read any number of PandaBear, M.D.’s blog posts. I’ll leave this one lie.

My next issue was the fact that Gitlin is actually making two very distinct arguments for EMRs without differentiating the two. First, he argues that EMRs are a perfect way to organize an office. They free the workplace of excess paperwork and can make an efficient way to keep track of “billable” services, something very important to physicians. This much I can definitely support. There are considerations, but I think in the long run, physicians will be better off doing more on computers and less on paper. At the same time he alludes to EMR portability, which is a whole separate can of worms.

The long and short of it is, people need to decide what they want. Currently HIPAA dictates that medical records are on lock-down, and the only people who have access to them are you and those whom you designate. These “others” could be someone like a spouse or a parent or another physician. I think preserving this privacy is (at least mildly) important from a patient’s perspective. After all, it’s not everyone’s business what your latest test results are or what diseases you’ve been diagnosed with or what medications you’re on. However, from a health care professional’s perspective, this is a frustrating impediment. It does matter to them what your test results were last Monday in the E.R. It’s helping dictate your treatment. Acting like electronic medical records are going to magically make that red tape junkie HIPAA disappear is naive. They might make it easier to transport the information once approval has been given, though.

If people are treating their medical records with that kind of security, then the security vulnerabilities exposed by making things electronic are significant. Even the most secure computer systems are vulnerable to attacks, and considering that many of these systems will be running on Microsoft platforms, there is an increased risk to any data on entire computer networks. If the secretary opens a bad email attachment, is it going to worm its way into the EMR database server and start uploading all the records to someone else’s computer? My point is not that the type of security necessary to run such a system is impossible. Just that it will be a lot of work for everyone, including patients. If a patient needs to “grant access” to their health care providers, they are going to be the gateway into administering their electronic medical record. This means strong passwords, which will probably need to be changed frequently. Are they going to want to do that? How about health care providers? Sure most hospitals have a (probably sub-standard) IT department, but what about your average medical practice? Are they going to be able to employ an IT professional (or pay for the temporary services of one) to set up and maintain these records? All of this is simply going to add cost and overhead to a community that is already overly criticized for how “inefficiently” it works.

The business model that will probably end up working is one where large companies are in charge of the records and medical practices pay fees for the use of their services. In other words, Dr. Jones pays $X every month to have his patients’ health records stored online by a company. When he needs to view the patient’s records, he simply logs in from his office computers (or even from home) and downloads the information. If he has new test results, they would be uploaded. This actually could be a fairly profitable market. It’s basically what’s being set up by Google. For this to be successful, they would still need cooperation from the patient, however, and there would still be security issues. While there would be IT professionals in charge of keeping the data secure, the centralization of data would make it more of a target for criminals. There probably aren’t very many people who would try to break into Dr. Jones’ patient EMR database since it’s only for a small number of patients. If a large company was hosting hundreds of thousands of patient records, it’s more of a target.

My biggest issue with Gitlin’s argument is that he claims portable EMRs will eliminate (or even significantly reduce) the amount of duplicate testing that is performed and thus save everyone money. See this is an issue that people have to deal with concerning health care in the US. Doctors are skilled professionals. If someone comes to them (especially a specialist) with a problem, they’re going to want their own x-rays and CT scans, not ones from another facility. That’s not to say that they shouldn’t be using them, but considering there’s no incentive for them to work any differently, I highly doubt whether implementing portable EMRs is going to change things. After all, today doctors can get x-rays and CT scans from other institutions if their patients say it’s ok. They just don’t use them.

Gitlin did address my main concern with EMR portability, which is a less concrete aspect: the standards. See right now, there are no standards set in the US for electronic medical records. There’s no “right way” for information to be stored in EMRs, so if you want to transmit information from one doctor’s office to another, they probably need to be using the same program on their end as you are on your end. This is a really bad way to deal with any sort of information. The government has laid some loose guidelines, but nothing really telling people what should be done. They want the market to sort it out. The problem is businesses are all going to try to come up with a proprietary format that will gain a significant market share. This way, everyone has to use their software and their databases. In other words, all the businesses are competing to see who’s going to “win” this race to control everyone’s medical records, and by “winning” the market, they will control the standard and thus the future of the industry. This is a “great” way to form an industry from a business perspective (lock everyone into your format) but a horrible way from an end user’s perspective (doctors and patients). It would be really great if we could nip this issue in the bud now, before any one company has a market share. This way there won’t be a fight to get one big company to relinquish its power. Plus, it would be great if EMRs used an open standard so we can continue to have cross-platform competition in the future. We can learn a lot from the mistakes of the past on issues like this.

Look for a future post on FOSS operating systems and EMR programs to tackle some of the issues I brought up here.