Saturday, February 11, 2006

The Elephant in the Clinical Computing Living Room

The presence of clinical computing (EMR, CPOE, etc.) in hospitals has the potential to significantly increase the quality of care. This assumes that the IT is designed and implemented properly, not just technically but from the perspective of the complex world that medicine has become.

When healthcare IT is implemented improperly, however, the technology itself gets an undeserved bad reputation, while the information technology management responsible for the defects gets a pass. "IT malpractice" is a term not yet in the lexicon of healthcare, but perhaps it should be. For when patients (and politicians) read stories like the Seattle Times story below, support for clinical IT is injured. This is a shame.

The good news in this healthcare computing near-disaster story: manual systems were in place so that when the computers died, patients lived.

The bad news in this story is the obvious but unmentioned "elephant in the living room," that is, the IT errors that allowed a 20-year-old Walmart employee to take control of hospital computers, including those in the ICU, and the question of how and why such fundamental errors occurred.

Just how were hospital computers, including those in an ICU, exposed to compromise by a 20-year-old outsider who worked at Walmart? What type of network architecture was in place? Who designed the hospital computing infrastructure? Who approved it? Why were ICU computers as well as administrative (e.g., pager) computers affected? What were the safeguards? Who was monitoring the IT at this hospital? Were 'cost-saving' measures in effect that facilitated this intrusion?

The young hacker and his juvenile accomplices should not be the only people held accountable. Perhaps the hospital Chief Information Officer and his or her senior management should also be held accountable. If a patient had suffered harm or died as a result of this situation, I would not have hesitated to be a plaintiff's witness regarding negligence. IT leaders in hospitals, who most often have no clinical background whatsoever, seem relatively immune from accountability, and this portends badly for events to come as the Electronic Medical Record becomes more widespread.

3 accused of inducing ill effects on computers at local hospital

By Maureen O'Hagan

Seattle Times staff reporter

One day last year, things started going haywire at Northwest Hospital and Medical Center.

Key cards would no longer open the operating-room doors; computers in the intensive-care unit shut down; doctors' pagers wouldn't work.

This might have been just another computer-virus attack, a common and malicious scheme that sometimes is done for little more than bragging rights. But federal officials say it was something far more insidious.

It turns out the Seattle hospital's computers — along with up to 50,000 others across the country — had been turned into an army of robots controlled by 20-year-old Christopher Maxwell of Vacaville, Calif., according to a federal indictment issued Thursday. And Maxwell, along with two juveniles, earned about $100,000 in the process, court documents state.

The trio had created a "botnet," a phenomenon that is on the cutting edge of computer crime, federal officials say.

"Their goal was as old as fraud itself," Assistant U.S. Attorney Kathryn Warma said Friday during a news conference. "To line their own pockets."

... Maxwell simply created a program instructing his infected computers, or "bots," to download the adware. The bots then "phoned home" to the adware company, which credits the hacker's account, unaware that he hasn't gotten the computer owner's permission.

Since 2004, Maxwell earned more on botnets than he did at his Wal-Mart job, according to court papers.

[Not mentioned is how hospital and ICU computers were able to be infected in the first place -- SS.]

Difficult to solve

"We're seeing the migration of traditional fraud to the cyber area," said Frank M. Harrill, an FBI expert in computer crime.

It's just as difficult to solve. By the time the computer owner figures out what's going on, the bot-herder has covered his tracks. In fact, some companies are reluctant to even report the attack to authorities because it can prove embarrassing to their business, government officials said.

[In clinical IT, prevention is the best medicine - and perhaps the ONLY medicine -- SS.]

But the Northwest Hospital case played out differently in January 2005. Hospital officials called the FBI immediately, and an agent went to the scene while the attack was in progress. Meanwhile, the hospital used some old-fashioned backup systems. When electronic file transfers didn't work, nurses ran the files up and down hallways. When key cards wouldn't work, they stood guard and inspected ID badges themselves.

No patients were harmed, but First Assistant U.S. Attorney Mark Bartlett said this kind of attack could easily endanger lives.

In all, about 150 of the hospital's 1,100 computers were infected over the course of three days.

150 hospital computers violated by a 20-year-old and several juveniles? That is inexcusable. Blame Microsoft all you want, but the primary responsibility rests with the hospital MIS (management information systems) leadership.
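The article explains the monetization mechanism (bots fetch an adware installer and "phone home" so the adware company credits the herder's account) but says nothing about how anyone could have noticed 150 machines doing it over three days. The following is an added example, not code from the original post and not anything from Northwest Hospital: the kind of review a web-proxy log should get, flagging any download host from which many distinct internal clients fetched an installer within a few minutes, and separately listing every web request made by an ICU workstation, since in a sound design those hosts have no business reaching the internet at all. The squid-style log lines, address ranges, hostnames and thresholds are all constructed for illustration.

```python
"""Spotting a bot-driven installer wave in web-proxy logs.

Added example; the log lines, subnets, hostnames and thresholds are constructed.
Log format assumed here: epoch_seconds client_ip method url status bytes
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import urlparse

ICU_SUBNET = ip_network("10.10.0.0/24")    # assumed ICU workstation range
INSTALLER_EXT = (".exe", ".msi", ".cab")   # assumed installer file types

# Constructed sample: one legitimate vendor patch on an office PC, then the same
# installer pulled by office, clinical-server and ICU hosts within 35 seconds,
# followed by two ICU hosts "phoning home" to an affiliate tracking URL.
SAMPLE_LOG = """\
1105574401 10.30.0.5  GET http://updates.example-vendor.test/patch.msi 200 819200
1105574430 10.30.0.5  GET http://dl.adware-host.test/install.exe 200 215040
1105574435 10.30.0.12 GET http://dl.adware-host.test/install.exe 200 215040
1105574441 10.30.0.19 GET http://dl.adware-host.test/install.exe 200 215040
1105574448 10.10.0.3  GET http://dl.adware-host.test/install.exe 200 215040
1105574452 10.10.0.4  GET http://dl.adware-host.test/install.exe 200 215040
1105574460 10.30.0.7  GET http://www.news.test/index.html 200 10240
1105574465 10.20.0.2  GET http://dl.adware-host.test/install.exe 200 215040
1105574470 10.10.0.3  GET http://affiliate.adware-host.test/track?id=4471 200 512
1105574471 10.10.0.4  GET http://affiliate.adware-host.test/track?id=4471 200 512
"""


def parse(log_text):
    """Turn proxy log lines into dicts; blank lines are skipped."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, size = line.split()
        records.append({"ts": int(ts), "client": client, "method": method,
                        "url": url, "status": int(status), "bytes": int(size)})
    return records


def is_installer(url):
    """True when the URL path ends in one of the assumed installer extensions."""
    return urlparse(url).path.lower().endswith(INSTALLER_EXT)


def flag_mass_installs(records, min_clients=4, window_s=600):
    """Flag download hosts from which at least `min_clients` distinct internal
    clients fetched an installer within `window_s` seconds.

    A genuine patch cycle produces the same shape, so each row is a lead to
    investigate (who is the host, is it an approved update source), not proof.
    Returns [(host, distinct_clients, seconds_first_to_last)], busiest first.
    """
    hits = defaultdict(list)  # download host -> [(ts, client), ...]
    for r in records:
        if r["status"] == 200 and is_installer(r["url"]):
            hits[urlparse(r["url"]).hostname].append((r["ts"], r["client"]))
    flagged = []
    for host, events in hits.items():
        events.sort()
        clients = {client for _, client in events}
        span = events[-1][0] - events[0][0]
        if len(clients) >= min_clients and span <= window_s:
            flagged.append((host, len(clients), span))
    return sorted(flagged, key=lambda f: -f[1])


def icu_outbound(records):
    """Every web request originating from the ICU range. If ICU workstations
    are supposed to talk only to clinical servers, each row here is a finding
    regardless of what was fetched."""
    return [(r["client"], r["url"]) for r in records
            if ip_address(r["client"]) in ICU_SUBNET]


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for host, n, span in flag_mass_installs(recs):
        print(f"installer wave: {host} fetched by {n} hosts in {span}s")
    for client, url in icu_outbound(recs):
        print(f"ICU host on the internet: {client} -> {url}")
```

The two checks are deliberately independent: the first would catch the wave on a flat network where the ICU is just more desktops, while the second only means something once someone has decided that ICU machines are not general-purpose PCs, which is the design point the post keeps returning to.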

I have observed less than ideal attitudes towards clinical IT firsthand. The hospital where I was Director of Clinical Informatics in the late 1990s, Christiana Care Health System in Delaware, hung Compaq desktop PCs from the ceilings of small ICU rooms, against my advice, along with uncovered keyboards and mice, potentially exposing sick patients to dust contaminated with airborne pathogens from inside the machines, which was then circulated by the power-supply fans or by clinicians' hands or gloves after data entry.

The IT leader and project team then made a "political issue" out of it, in effect bullying me into silence, when I questioned these decisions and warned of this potential problem. Alternative form-factor computers and input devices designed for harsh environments were ignored because "they cost too much" and "were not supported by I.S." I left the organization due to this information technology solipsism and fanaticism, which also included cavalier attitudes towards the Chair of Medicine and towards Invasive Cardiology.

-- SS

5 comments:

Anonymous said...

Someone screwed up and didn't apply patch management or basic security measures on critical workstations. The staff analysts didn't do their job and I'd be embarrassed if this happened to my organization. But working in healthcare IT, I know there's a real reluctance to engage authorities because of a fear of a black eye, which is complete crap.

pansophia said...

I agree that employees are reluctant to engage with their superiors. Part of the problem is the utter failure to protect employees from petty retaliation. It's in everyone's interest to keep the doors of criticism and dissent open, without forcing people to put their livelihood at stake.

InformaticsMD said...

Someone screwed up and didn't apply patch management or basic security measures on critical workstations. The staff analysts didn't do their job and I'd be embarrassed if this happened to my organization. But working in healthcare IT, I know there's a real reluctance to engage authorities because of a fear of a black eye, which is complete crap.

It's hard to say what happened without more information, but if important ICU computers are not isolated in a secure fashion from other administrative machines with regard to network traffic, that suggests a fundamental architectural flaw, not just a configuration problem.

Fear of a "black eye" is one thing, but it seems axiomatic that endangering patients should be the biggest fear of all.

-- SS
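The comment above draws a line between a configuration problem (missed patches) and an architectural one (ICU workstations sharing network traffic with administrative machines). As an added example, not code from the original post or from any hospital's actual network, the block below puts a flat rule set beside a segmented one and runs the same worm-style propagation model against each, so the consequence of the design choice shows up as a count of infected ICU hosts. The address plan, the first-match rule syntax and the lateral-movement port are assumptions; the article does not say how the bot spread inside the hospital.

```python
"""A flat hospital network beside a segmented one, under the same infection.

Added example; subnets, hosts, rules and the propagation port are constructed.
Rules are evaluated first-match, the way most firewall ACLs behave.
"""
from collections import deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str             # CIDR the connection originates from
    dst: str             # CIDR the connection is going to
    dport: Optional[int]  # destination port, None means any port
    action: str          # "allow" or "deny"

    def matches(self, src, dst, dport):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def evaluate(rules, src, dst, dport):
    """Return the action of the first matching rule; implicit deny otherwise."""
    for rule in rules:
        if rule.matches(src, dst, dport):
            return rule.action
    return "deny"


# Constructed address plan (assumption, not the hospital's real one).
ICU = "10.10.0.0/24"       # bedside and ICU workstations
CLINICAL = "10.20.0.0/24"  # EMR / CPOE application servers
ADMIN = "10.30.0.0/24"     # billing, paging, general office PCs

# Weak design: one flat network, any host talks to any host on any port.
FLAT = [Rule("0.0.0.0/0", "0.0.0.0/0", None, "allow")]

# Hardened design: the ICU segment only exchanges application traffic with the
# clinical servers; everything else into or out of the ICU is denied, and the
# rest of the network keeps its previous behaviour.
SEGMENTED = [
    Rule(CLINICAL, ICU, 443, "allow"),
    Rule(ICU, CLINICAL, 443, "allow"),
    Rule("0.0.0.0/0", ICU, None, "deny"),   # default deny into the ICU
    Rule(ICU, "0.0.0.0/0", None, "deny"),   # ICU hosts reach nothing else
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "allow"),
]

# Constructed inventory: 5 ICU hosts, 3 clinical servers, 8 office PCs.
HOSTS = ([f"10.10.0.{i}" for i in range(1, 6)]
         + [f"10.20.0.{i}" for i in range(1, 4)]
         + [f"10.30.0.{i}" for i in range(1, 9)])

WORM_PORT = 445  # assumed lateral-movement port (SMB); the article names none


def simulate_spread(rules, hosts, patient_zero, port=WORM_PORT):
    """Breadth-first propagation: an infected host compromises every host it
    is permitted to reach on `port`. Returns the set of infected hosts."""
    infected = {patient_zero}
    queue = deque([patient_zero])
    while queue:
        src = queue.popleft()
        for dst in hosts:
            if dst not in infected and evaluate(rules, src, dst, port) == "allow":
                infected.add(dst)
                queue.append(dst)
    return infected


def icu_infected(rules, hosts, patient_zero):
    """Sorted list of ICU hosts reached from `patient_zero` under `rules`."""
    return sorted(h for h in simulate_spread(rules, hosts, patient_zero)
                  if ip_address(h) in ip_network(ICU))


if __name__ == "__main__":
    p0 = "10.30.0.5"  # an office PC that picked up the bot
    for name, rules in (("flat", FLAT), ("segmented", SEGMENTED)):
        hit = simulate_spread(rules, HOSTS, p0)
        print(f"{name:9s}: {len(hit)}/{len(HOSTS)} hosts infected, "
              f"ICU hosts hit: {len(icu_infected(rules, HOSTS, p0))}")
```

With the segmented rules the office and clinical-server segments still fall, because the example deliberately changes nothing there; the point is that the ICU count goes to zero on the strength of the architecture alone, before any patch is applied.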

pansophia said...

//IT leaders in hospitals, who most often have no clinical background whatsoever, seem relatively immune from accountability, and this portends badly for events to come as the Electronic Medical Record becomes more widespread.//

I just wanted to add that problems also arise when the IT manager has nothing but clinical background - then they get insecure about their lack of knowledge, and project this as arbitrary power-politics that hurts everyone around them. The ideal would be a mixed team where people can trust each other to provide good information. I just blogged about a good workplace model that could apply here.

Thank you for raising this issue in context of the EMR. As much as the medical profession needs to make gains on technology, at this point it's all too easy to throw that money away on bad management.

InformaticsMD said...

I just wanted to add that problems also arise when the IT manager has nothing but clinical background - then they get insecure about their lack of knowledge, and project this as arbitrary power-politics that hurts everyone around them.

This is true. That's one of the rationales for the field of Medical Informatics, including the training programs that have been sponsored for the past two decades by the National Institutes of Health. It was recognized decades ago that cross-disciplinary expertise was of critical importance and value.

The ideal would be a mixed team where people can trust each other to provide good information

Failing such an ideal, since the quality of patient care is at stake, there should be mechanisms in place to ensure that patient care comes out on top. Petty power-politics over clinical IT is a form of severe mismanagement, I'm afraid to say.