Security and Privacy Considerations for Health IT Systems

I find the links at this piece from George Mason University, "Security and Privacy Considerations for Health IT Systems", and the opinions expressed within it of interest.

Emphases and [bracketed comments in red italics] mine:

First posted: 3 March 2010
Last updated: 26 March 2010

Preface

We seek to understand the nature and distribution of risks to security and privacy inherent in designing and deploying health information technology (HealthIT, eHealth; we use both terms interchangeably). We posit that achieving the appropriate balance of these risks and potential costs (to doctors, patients, hospitals, and the American taxpayer) requires careful, deliberate study to understand the nature of this new problem. [This is not occurring anywhere near the extent it needs to, and the absence of health IT industry regulation in the U.S. does not help; cf. 2009 National Research Council report on health IT summarized here - ed.]

Although health care reform in the United States is a highly-charged political issue, this Web page is not meant to be a political document or support a particular political point of view or legislative agenda. Instead, this page supplies a collection of information detailing the pitfalls and challenges involved in deploying a large-scale information infrastructure around the recording, tracking, and maintenance of patient and other medical information.

We are interested in the technical security and privacy issues that emerge from what we believe is a fundamentally different data acquisition and storage problem than previous industry efforts at record keeping for other forms of data. [Clinical computing and business computing are indeed different - ed.]

Our central hypothesis is that the government and private sector are rushing [you think? - ed.] into the deployment of eHealth technology without careful consideration of the design criteria necessary to ensure accurate and private data collection and without a realistic understanding of the costs of such a large software deployment. We certainly agree that improving the efficiency and efficacy of health care delivery while reducing the cost to the taxpayer and patients is an important and critical activity. Achieving this goal, however, demands a more careful approach than has heretofore been adopted.

Introduction

The application of information technology (especially back-office data storage applications) to various facets of medical care in the U.S.A. and other countries has often promised decreased cost, increased quality of health care, and no risk to privacy, among other benefits. Such belief in the reliability and integrity of information systems is an unwarranted leap of faith on behalf of legislators and the general public. [I have written similar words - ed.]

Designing health IT systems for medical environments requires careful, thoughtful analysis. Yet, Health IT (particularly EMR systems) are de facto seen as a solution to the problem of costs, waste, fraud, and needlessly duplicated medical tests. The White House web site comments on ARRA funding for EMR work: "The Recovery Act also invests $19 billion in computerized medical records that will help to reduce costs and improve quality while ensuring patients’ privacy."

The scientific community has largely been silent on this issue, although the political rhetoric can be quite intense. Yet, most every side of the health care debate currently raging in the US accepts without question the benefits of health IT while ignoring the potential pitfalls and downsides of such technology. [Again, this is a common theme here at Healthcare Renewal - ed.]

We use the terms "eHealth" and "Health IT" interchangeably. In large part, we consider the application of computer technology in medical devices and procedures (such as remote operating rooms, advances in digital imaging, etc.) as a related but separate area from our criticism of the management of healthcare and patient information. Those systems pose different risks to patients; we comment on them only insofar as their use is driven by analysis of data held in IT systems.

General Resources

1. Patient Privacy Rights website (added 26 March 2010, G. Weaver)
2. Scot Silverstein's Healthcare IT Failure and Difficulties Case Examples: Medical Informatics Perspectives on Clinical Information Technology (added 24 March 2010)
3. Health Information Technology Reference Guide -BusinessWeek
4. The Privacy Rights Website on Medical Privacy
5. OpenMRS an open-source medical records system
6. Another MRS
7. Learning From Software Failures (frontmatter prefacing the IEEE Spectrum analysis of the FBI's Virtual Case File system) [PDF]
8. Capability Maturity Model
9. A workshop on Health Security and Privacy, sponsored by the USENIX Association

Risks to the Public Trust in Computer Professionals

Hastily undertaking the transformation of the information infrastructure behind health care systems with little forethought or oversight entails the risk of the public rejecting the expertise and credibility of the computing profession. Just because we could do something does not mean that we should. There is an imperative to study the new problems posed by large-scale EMR, particularly one of national scope or connectivity. [One reason is that the risks and benefits are unknown - ed.]

No imperative exists, however, to aggressively adopt the current generation of solutions that are little more than back-office data management applications dressed up with new terminology. [This description of health IT and the lack of imperative is excellent. Adopting national HIT prior to reasonable understanding of the possible problems and risks to patients is what I have referred to as "putting the cart before the horse"- ed.]

Furthermore, academics and scientific professionals have a conflict of interest in this area. Indeed, academics stand to benefit tremendously from money being spent on this area: schools (GMU included) are quick to set up research centers dealing with various aspects of medical IT and eHealth. While there is a need for careful research into the many security, privacy, and functionality aspects of large medical IT systems, academics can be in the uncomfortable position of being funded by government or corporate money and trying to formulate an unbiased opinion as to the quality and efficacy of the state of the art in eHealth systems and practices. [COI in biomedicine is another common topic addressed at HC Renewal - ed.]

1. Dartmouth received $3 million under ARRA for an NSF-funded TISH program
2. GMU's internally funded Mason Center for Health Information Technology
3. Reflections on Trusting Trust (reputation is important in designing infrastructure)

Risks to Good Medicine

Health IT systems are not a panacea. Data models, systems, and user interfaces designed by computer scientists and professional software developers without much substantive input from health care professionals can lead to inefficiency and bad medicine [the common scenario for HIT development today - ed.], and risks loss of life or permanent injury to patients. [I, unfortunately, have family experience in that regard now - ed.]

1. The Data Model That Nearly Killed me [PDF] [An excellent essay by a patient who is also a data modeling expert - ed.]
   
2. The Dubious Promise of Digital Medicine [PDF]
3. Slashdot: Why Digital Medical Records Are No Panacea 28 April 2009 [PDF]
4. http://community.livejournal.com/therightfangirl/1142946.html

Data Leakage Models and Data Corruption Issues

One risk of large-scale EMR is a misunderstanding of the data loss dynamics of large public data systems. In addition, large databases tend to have errors: errors that are insidious and easily replicated due to the amount of automation present in such systems. It is an open question whether these errors pose a lesser or greater risk than errors due to bad handwriting on transcribed paper records. [The last point is controversial, but likely accurate - ed.]

1. Your Medical Records Aren't Secure [PDF] (March 23, 2010)
2. Why Cloud Storage Use Could Be Limited in Enterprises [PDF]
3. Dan Geer on Back-of-the-envelope style estimates [link is to PDF]
4. Woman Loses Job Due to Error in FBI Criminal Database [PDF]
5. P2P Networks Rife With Sensitive Health Care Data, Researcher Warns
6. Medical data leakage rampant on P2P networks [PDF]
7. The previous two links refer to this study by researchers from the Tuck School of Business at Dartmouth College
8. A Framework for Health Care Information Assurance Policy and Compliance Communications of the ACM, 1 March 2010

Assessing the Cost of Large Software Projects and eHealth

Managing the design, construction, and delivery of a large software project is a complicated, fluid process. Government and industry can often fail in expensive and spectacular ways. [Indeed - ed.] Government agencies (particularly state and local government without in-house expertise), may play the role of uninformed client being sold digital snake oil at the expense of the taxpayer. Examples include the FBI's Virtual Case File system, AT&T's wireless database failure, and the Ontario eHealth scandal, among others listed below.

1. Report: FBI wasted millions on 'Virtual Case File' CNN.com [PDF]
2. The FBI's Upgrade That Wasn't: $170 Million Bought an Unusable Computer System by Dan Eggen and Griff Witte, Washington Post, 18 August 2006 [PDF]
3. Who Killed the Virtual Case File? IEEE Spectrum [PDF]
4. Project Management: AT&T Wireless Self-Destructs [PDF]
5. Slashdot: Harvard Says Computers Don't Save Hospitals Money [PDF]
6. Harvard study: Computers don't save hospitals money Computerworld, 30 November 2009 [PDF]
7. The aforementioned Harvard Study
8. EHealth scandal a $1B waste: auditor -CBC News, 7 October 2009 [PDF]
9. Head of eHealth Ontario is fired amid contracts scandal, gets big package -CBC News, 7 June 2009 [PDF]

The Role of Health IT in Health Care Public Policy

1. Health Care: The President's Proposal for Health Reform - whitehouse.gov [PDF]
2. Obama's big idea: Digital health records -CNN.com, 12 January 2009 [PDF]
3. Where's the HIT in HCR (Health Care Reform)? -ihealthbeat, 8 July 2009 [PDF]
4. What Obama Means for Health Information Technology -HealthLeadersMedia, 11 November 2008 [PDF]
5. The Healthcare Bill's Take on Technology -The Hill, 12 September 2009 [PDF]

I discovered this piece after someone clicked on the contained link to my Drexel University website. I find the thoughts here and the hyperlinks of great interest, forming yet another "primer" on the real world issues affecting health IT adoption.

-- SS

...THEM OR YOUR LYING EYES?

…THEM OR YOUR LYING EYES?

A few days ago I discussed stonewalling by the American Psychiatric Association over charges that they were partners in a ghostwritten textbook. The issue resonated with many people, including Daniel Carlat, John Nardo, the POGO blog, Alison Bass, Ed Silverman, and others. The APA has not seen its way clear to releasing key documents that might clear up the charges. By stonewalling, the APA just does more damage to its image and credibility. They come across as uninterested in transparency, and they appear to be fighting a rearguard action to defend the indefensible.

What kind of key documents could the APA have released? In our letter last January we suggested several, including the contract involving the American Psychiatric Press, the medical communications company (Scientific Therapeutics Information, Inc. or STI), the grant-giving drug company, the professional writers, and the nominal authors of the allegedly ghostwritten book. What might the contract have told us? Well, it probably looks a lot like this contract, which involves the same medical communications company, the same drug company, and one of the same professional writers, Sally Laden. It was developed right around the same time as the textbook was planned, and it is for a ghostwritten journal article promoting the infamous Paxil Study 329. Look carefully at this contract and you will be in no doubt about who did the essential work of writing and framing the article or about whether the corporation had control over the content. Now ask yourselves, if the contract for the textbook doesn’t look like this then why ever would the APA want to suppress it? That behavior just makes people conclude that the contract for the textbook does look like this contract and that the APA knows it has plenty to hide.

A first principle of cover-ups and stonewalling is that everyone needs to be on the same page with the cover story. When they are not, the façade collapses and the actors come across like the Three Stooges, all heading for the door at the same time. Today, thanks to the sleuthing of Phyllis Vine at Mental Illness Watch, we saw the stooges exposed in their clumsiness. Phyllis Vine discovered material on the corporate website of STI that has them featuring the textbook in the ‘portfolio’ that aims to attract new business to the company. Juxtapose that with the adjacent claim that STI’s skills are to "develop, write, edit, and submit a high-quality article to your target audience." Now is there any doubt about how this game is played? Now is there any doubt about whether the APA has come clean?

Well, if there were any remaining doubt it has been removed by another development: All the materials describing the STI ‘portfolio’ have been removed from the company’s website. Fortunately, Phyllis Vine had captured it here, and so did Daniel Carlat through the Wayback machine. It was picked up some more by Mickey Nardo today. It looks like the APA is going to have more explaining to do.

As the old Groucho Marx line goes, Who you gonna believe, them or your lying eyes?

Bernard Carroll

What's Killing Pharma, With Some Lessons For Hospital IT

An excellent essay on the pathologies killing the pharmaceutical industry is at this link: http://www.eyesopen.com/en/blog/what-is-really-killing-pharma .

The essay talks about mismanagement, marketing over R&D, management fads, ill-informed managers and many other issues we've discussed in one context or another here at Healthcare Renewal.

This paragraph in particular struck my eye for several reasons:

... Another good one [reason pharma is dying - ed.]: empowering IT departments to make scientists use the same infrastructure as the guy at the front desk. Rather than see that scientists often have different computing needs than other parts of the business, IT demands obeisance to the corporate norm. In doing so, they hinder the kind of innovation (e.g., Linux, GPU solutions) that used to regularly occur because scientists are quite computer literate, thank you. Instead, IT departments make it impossible for competent people to manage their own resources. They create obstacles instead of removing them. Machine was made for Man, not Man for the Machine.

The paragraph struck me because:

• It fits with my experience and that of my colleagues in other pharmas. See my essay "Sure path to R&D and industrial failure: Conflation of IT with information science in the pharmaceutical industry."

• Replace "scientists" with "doctors" and you have defined a major problem with health IT In the healthcare delivery sector.

• Finally, this bon mot is extremely apropos to both environments: "Machine was made for Man, not Man for the Machine."

Sixty years into the "computer revolution", pharma, healthcare, and the IT industry itself have not learned this simple lesson.

I have to believe in 2011 this phenomenon is at least in part due to an abundance of powerful computers relative to the supply of humans in these industries with densely-interconnected gray matter.

I think the author of the aforementioned piece agrees. He concludes:

... The film industry long ago recognized that what is important is talent. No one can predict what will be a blockbuster (drug or movie), but Hollywood has at least recognized that movie-making is a talent-based industry. Perhaps today’s pharma chiefs need to see themselves as latter-day studio heads—I’m sure they’d love that!—and come to the same conclusions. Define the vision, get and keep the right people, stop making it harder for talented people to do their jobs, give them the time and resources to be creative. Then maybe, just maybe, they would start curing pharma.

-- SS

BLOGSCAN: Circling the Wagons Around the RUC

On the Care and Cost Blog, Brian Klepper suggested that the defenders of the RUC (RBRVS Update Committee) are getting worried.  He showed that a letter signed by medical specialty societies, but not the major societies that represent generalists, deployed logical fallacies in support of the secretive committee dominated by proceduralists that de facto sets payments to physicians by the US Medicare system, and which seems largely responsible for the gulf between payments for procedures and for primary and "cognitive" care.  His summation:

The arguments mounted by the AMA and the specialty societies are really nothing more than a vested industry’s efforts to preserve the status quo at all costs. (Think Wall Street’s apologists in this year’s Oscar-winning documentary, Inside Job.) But this approach has brought health care and the US economy to the brink of economic catastrophe.


Averting disaster will require an approach that dampens or bypasses the voices of the advisors who got us here, and strengthens the voice of primary care, which overwhelming data show produce better care at lower costs.

Dr. Silverstein and Dr. Poses in WSJ: "The Literature Is Hardly Pristine"

I have considered Dr. Roy Poses' Dec. 14, 2010 post "The Lancet Emphasizes the Threats to the Academic Medical Mission" (with its hyperlinks to source posts and articles) an excellent summary of many of the pathologies we address at Healthcare Renewal, especially with regard to the academic mission and the disruption of the integrity of the medical literature by commercial interests. His post is consistent with what might be considered our mission statement:

Addressing threats to health care's core values, especially those stemming from concentration and abuse of power. Advocating for accountability, integrity, transparency, honesty and ethics in leadership and governance of health care.

The Wall Street Journal published the following letter to the editor authored by me today in which I cited and summarized Dr. Poses' accounting of the medical literature's ills.

Unfortunately, the print version cannot contain the hyperlinks as in the aforementioned source post, but I have included them in the reproduced letter below in [brackets]. They are worth reviewing, along with additional links at the aforementioned source post "The Lancet Emphasizes the Threats to the Academic Medical Mission":

April 8, 2011
Wall Street Journal
Letters to the Editor

The Literature Is Hardly Pristine

I find it unfortunate having to inform reader James Reichmann, (Letters, April 1) who prefers his physician to recommend only treatments proven in the "synthesized medical literature," that the very literature on which he wishes his life to depend may be tainted.

As Dr. Roy Poses points out on the Healthcare Renewal Blog, numerous factors common in today's culture can and do corrupt the literature.

The factors include but are not limited to: rampant commercialization of medicine [here, here, here and here], research universities with lax conflict of interest policies [here], faculty as de facto employees of industry through grants [here], academics paid to be "key opinion leaders" to stealth-market drugs and devices [here], control of clinical research given to commercial sponsors [here], conflicts of interest allowing manipulation and suppression of clinical research [here and here], academics taking credit for articles written by commercially paid industry "ghost writers," [here and here], whistleblowing discouraged [here and here], leadership of academic medical centers by business people [here] and medical school leaders becoming stewards (as members of boards of directors) of for-profit health-care corporations [here, here, here and here].

As for me, until the medical literature can be freed of these contaminants, I'd rather trust a well-trained personal physician's good judgment in my own medical care.

Scot Silverstein, M.D.

Drexel University

Philadelphia

I believe it's also worth reviewing my own views on the subject, that the degree of contamination of medical literature is unknown and may be unrecoverable, due to spread of the contaminant vectors to the "experts" who then propagate the disease.

See my Aug. 2009 post "Has Ghostwriting Infected The Experts With Tainted Knowledge, Creating Vectors for Further Spread and Mutation of the Scientific Knowledge Base?" where I raise these questions.

At that post I suggest that while the damage might not be easily recoverable, the practices that lead to contaminated literature must be stopped going forward if true evidence-based medicine is ever to be a reality.

-- SS

4/12/2011 addendum:

Almost predictably, some anonymous person, this time over at the Respectful Insolence blog in commenting on a post there that attacks "naturopathic" medicine, proffered strawman arguments about my piece above in comment #26.

... So Dr. Silverstein thinks that the defects he cites (many of which have been revealed by and hotly debated within the scientific community) are ample justification for tossing out the entirety of research in favor of the sort of "clinical intuition" that's repeatedly been found false over the years

This binary, two-dimensional thinking is quite sad to read, if real. I'll be charitable in saying that the comment does have the "feel" of something contrived, such as received before from corporate sockpuppets.

-- SS

4/13 addendum:

The proprietor of Respectful Insolence assures me that "anonymous" quoted above is not a sockpuppet. My response was basically that before attacking non-anonymous authors by name on the web who in fact (as is clear from my writing here) share similar views on medical quackery, one should contact them first to ensure you truly understand their views.

(In my case, my view is that the "well-trained physicians" of good judgment I wrote of consider the literature critically but are not bound to it, in consideration of the unknown level of its commercialization-based contamination and the variability of individual patient situations. They treat the patient, not the guideline.)

-- SS

Mission Hostile Health IT Obstructs Physicians From Ordering Life Saving Drugs In Critical Emergency

"You should not have to work around something that is not in the way" - SS

This post can be considered Part 9 of my multi-part series on the mission hostile user experience presented by commercial healthcare IT.

(Note: Part 1 of this series is here, part 2 is here, part 3 is here, part 4 is here, part 5 is here, part 6 is here, part 7 is here, and part 8 is here. 2011 addendums: a post that can be considered part 9 is here, part 10 is here.)

Special K® Red Berries is one of my favorite cereals.




In this context, however, "Special K Red Berries" is a metaphor for cerebral and other hemorrhages caused by health IT getting in the way -- actually obstructing -- physicians ordering emergency medications such as vitamin K given via the fastest route, intravenously.

A cerebral hemorrhage at post-mortem (obviously). Note the "red berry." Similarities in appearance to above cereal bowl ironic.

This EHR system has been deployed for approximately a half decade in a hospital I'll leave unnamed.

It is stunning to me that no clinician has apparently ever complained about the following informatics/relational database integrity "glitch" regarding a not-uncommon clinical scenario, over-anticoagulation (too much blood thinner). If they did complain, however, it would be criminally negligent if the following issue was not corrected.

Atrial fibrillation (Afib) is a heart rhythm disturbance that makes a person prone to throw blood clots from the heart and suffer strokes, and is treated in part by anticoagulant drugs such as heparin and coumadin.

Atrial fibrillation is a disorder found in about 2.2 million Americans. During atrial fibrillation, the heart's two small upper chambers (the atria) quiver instead of beating effectively. Blood isn't pumped completely out of them, so it may pool and clot. If a piece of a blood clot in the atria leaves the heart and becomes lodged in an artery in the brain, a stroke results. About 15 percent of strokes occur in people with atrial fibrillation. The likelihood of developing atrial fibrillation increases with age. Three to five percent of people over 65 have atrial fibrillation

A patient with Afib on coumadin was found to be over-anticoagulated, with a dangerously high INR value, greater than 5. This patient already had a history of a life threatening subdural hematoma (bleeding hemorrhage under the lining of the brain, potentially fatal) a few years prior.

This, the patient was at great risk of catastrophe.

The international normalized ratio (INR) test is a measure of the extrinsic pathway of blood coagulation. It is used to determine the clotting tendency of blood...A high INR level such as INR=5 indicates that there is a high chance of bleeding.

Vitamin K (Aquamephyton) reverses the blood-thinning effects of coumadin. It acts most quickly and is most effective when administered intravenously.

That is, if the computer, now mediating and regulating an increasing amount of healthcare operations, allows the physician to order it that way.

It takes perhaps 3 seconds to write an order such as "aquamephyton 10 mg IV STAT", and a minute or less for the order to be called down to pharmacy by a clerk.

The computer version of the same task worked a bit differently for a very ill patient:

A hospital resident physician, when told to order IV Aquamephyton for urgent administration to this over-anticoagulated patient with atrial fibrillation who had already suffered a subdural hematoma, could only order it subcutaneously due to computer restrictions.

A half-hour of investigation, IT experimentation and phone calls needed to be made to the attending physician and the pharmacy to override that limitation, while the patient lay at critically high risk for another life threatening bleed.

Here are actual de-identified screen shots displaying the mayhem:

Screen 1. Click to enlarge. The physician typed the partial search term "aquam" to locate "aquamephyton", but the order menu stated that "no matching entries found."

Screen 2. Click to enlarge. The physician as a guess then typed "aqua" (instead of "aquam") and the drug and dosing options are listed (but spelled wrong in 2 ways - "aquaAMEPHYTOIN" - which is why "aquam" failed to match anything).

Screenshot 3. Click to enlarge. The physician clicked on the drug to override the fixed options presented in the listing, but the IV route of administration was not available in the drop down box, nor could it be entered in any way.

Screenshot 4. Click to enlarge. Same as #3 but with dose "10 milligrams" filled in. Still no option for IV route on the drop down.

Screenshot 5. Click to enlarge. Continuing the doctor's waste of time and IT misadventure, the doctor typed in "aqu", which leads to the same options. Still no IV route available! Note that there is no automatic reference for the drug offered by the computer.

Screenshot 6. Click to enlarge. After consultation on phone with pharmacist, more time wasted, physician now typed in "phy" (part of the generic name for the drug, i.e., "phytonadione"). BINGO! More options are now available, that are continued on screenshot 7 after scrolling down.

Screenshot 7. Click to enlarge. Med list has been scrolled down. Finally, an IV option is located after a bit of wild goose chasing. ("IVPB" stands for intravenous piggyback). Why were these choices not available under the drug's brand name? It's the same drug!

I won't even go into the computational-linguistics and HCI backwardness of forcing clinicians to go on a distracting 'treasure hunt' through a list of permutations of drug doses and routes, or a menagerie of widgets for parameter specification, for each drug they order, as compared to more advanced methods of command entry. Such methods would have the computer (via the programmers) algorithmically do the bulk of the work. The concept of "parsing" seems alien to health IT vendors, who seem stuck in the paradigms of an earlier data processing era.

Screen shot 8. Physician typed in "vitamin K" and the same options appeared as with "phy." The computer response and administration options to the physician for any of these synonymous drug names should have been exactly the same (even with the "aquaamephytoin" misspelling, once the physician located the drug by luck).

The simple has been turned into the complex, with misspellings, delays and frustration, while a patient at great risk for literal red berries accumulating in his or her head lay in bad, waiting for treatment.

There are parallels between this "glitch" and glitches reported in a competitor's EHR reported by Dr. Jon Patrick in Australia at these links, e.g., regarding faulty data and linkages, user interface problems obstructing clinical work, etc.:

• Analysis of Cerner Problems Defined by ED Directors, http://sydney.edu.au/engineering/it/~hitru/index.php?option=com_content&task=view&id=120&Itemid=116

• A study of an Enterprise Health information System, http://sydney.edu.au/engineering/it/~hitru/index.php?option=com_content&task=view&id=91&Itemid=146

Several questions:

• Is this a configuration/formulary problem local to this organization, or is it a generalized problem with this system originating at the manufacturer? (I've personally reported health IT defects in this software I'd observed in hospitals to FDA's MAUDE database, discovering that the institution itself, whose officials I alerted to the problems, did not. An example of a possible systemic problem is in MAUDE here.)

• What other drugs are misspelled, and/or listed under different names with different (and incomplete) ordering options, with no easy and quick override?

• How did these errors get into the system, and why were they not corrected earlier?

• Were patients ever injured by this or other similar IT defects within this system?

• Is this the technology that will reduce errors and "revolutionize medicine"?

• Would you, the reader, want to be that patient waiting for the vitamin K or other critical drug while the doctors fritter away their time and energy on mission hostile computer systems?

Some day you or your family member might be.

-- SS

WHO YOU GONNA BELIEVE?

WHO YOU GONNA BELIEVE?

Ghostwriting Charges and Stonewalling at the American Psychiatric Association

The American Psychiatric Association came under a searchlight this past December over allegations of ghostwriting. The story originated with a public letter from Project on Government Oversight (POGO) to the Director of NIH, and it was picked up by Duff Wilson writing in the New York Times. The book was Recognition and Treatment of Psychiatric Disorders: A Psychopharmacology Handbook for Primary Care. The named authors were Charles Nemeroff, now chairman of psychiatry at the University of Miami, and Alan Schatzberg, formerly chairman of psychiatry at Stanford University. Both are well known for ethical controversy – see here and here. Soon, these allegations were being dissected in the blogosphere, with stellar contributions from Daniel Carlat, 1boringoldman, Ed Silverman, and Alison Bass.

The APA and its publishing arm, known as American Psychiatric Press, Inc. or APPI, came to the defense of the two prominent academic authors over the ghostwriting charge. In particular, an APA employee named Mark Moran authored a denial of the charge in the January 2011 issue of the APA news magazine, Psychiatric News. As the controversy played out, letters from attorneys demanded retractions, and partial qualifications of the original story appeared in the New York Times and on the POGO weblog. There was never any doubt that the heavy lifting was done by a pair of professional writers employed by a medical communications company under a financial grant from a drug company. Nemeroff defended his role by averring that he ‘scrutinized’ the work product of the professional writers. Threatening letters from lawyers for Nemeroff and Schatzberg were publicized, and the APA weighed in.

The coup de grâce was administered by blogger Daniel Carlat’s withering review of the book’s artful construction to highlight the use of the sponsoring company’s antidepressant and anti-anxiety drug in primary care, while muting important information about the drug’s liabilities. Nevertheless, the APA held to its legalistic stance in defense of the ‘authors.’ This behavior is counterproductive for professional medical organizations, as I have discussed before, because it misses the ethical forest for the legal trees.

Now comes the good part. In response to the piece by Mark Moran in Psychiatric News, Leemon McHenry prevailed on Robert Rubin and myself to write with him to the magazine’s editors. Leemon is a faculty member in the Department of Philosophy at California State University, Northridge. He also has experience evaluating legal documents arising in litigation over antidepressant drugs. Robert Rubin has partnered with me in outing several notable ethics compromises involving Nemeroff and Schatzberg, going back as far as 2002, though we always call ourselves equal opportunity critics.

Our letter sent in late January to Dr. Carolyn Robinowitz, the Interim Editor of Psychiatric News, has been posted today on the POGO site. In our letter, we challenged much of Mr. Moran’s defense, and we called attention to what WASN’T in the public domain, despite all the claims and counterclaims. Essentially, the partial qualifications of the original reports that appeared in The New York Times and in the letter to NIH from POGO resulted from the inconclusiveness of some of the documents. We called on the APA to come clean with the release of all relevant materials, in the interest of transparency.

For instance, what WASN’T known were the specifics of the contract involving the corporation, the (ahem) authors, the publisher (APPI), and the medical communications company. Or the money flow to the ‘authors’ from the contract in addition to their royalties. Or the legal release form transferring ownership of the work product to the ‘authors’ and APPI. Or the corporation’s planned marketing activities, given that the corporation ordered 10,000 copies of the book. Or the correspondence among all parties that might reveal who actually did what.

Leemon McHenry’s perspective is that this hidden layer of documents may well be available if they could be unsealed in pending litigation. Naturally, corporations and their attorneys strive to keep the information hidden. But our general point is that the APA has a different duty – which is to transparency rather than to stonewalling. Did the APA do that? Sadly, no, they did not. Here is the curt reply from the Executive Editor Catherine Brown denying publication of our letter after a delay of almost 8 weeks. Now that’s what I call stonewalling.

Medicare/Medicaid Cuts? Spend Money on Patients - Not Computer Experiments

There has recently been much debate about how to save this country from European-style financial ruin. From "GOP 2012 budget proposal cuts taxes on rich, cuts Medicare in the future", Examiner.com, April 3, 2011:

On Tuesday House Budget Committee Chairman Paul Ryan (R-WI) is expected to release the Republicans’ 2012 budget proposal. Currently Democratic and Republican leaders are trying to negotiate a compromise on the 2011 budget would make some cuts to discretionary spending. Republicans have said they would not be able to propose really significant cuts to lower the deficit until 2012. According to reports, the GOP proposal would dramatically cut taxes on corporations and the rich, while also making significant cuts to Medicare and Medicaid.

I propose the cuts to Medicare and Medicaid, which will directly affect medical care delivery to the elderly and poor, be traded for cutting extravagant expenditures for experimental medical computer technology. This could be accomplished through repeal of HITECH and diversion of those funds to patient care, where it's more urgently needed.

Let scarce taxpayer dollars be spent on the health of human beings, not on machines of uncertain value and risk at their current state of evolution in 2011.

At my Jan. 2011 post "US House of Representatives Proposes to Defund Largest Non-Consented Medical Experiment in U.S. History: HITECH" I had written about H.R.408, the Spending Reduction Act of 2011 Introduced in the House of Representatives:

In a new bill in the House of Representatives, the ‘‘Spending Reduction Act of 2011’’ (link - PDF), it is proposed to cut unobligated funds of, among others, division A of the "American Recovery and Reinvestment Act of 2009":

... Spending Reduction Act of 2011

DIVISION A—APPROPRIATIONS PROVISIONS

... TITLE XIII—HEALTH INFORMATION TECHNOLOGY

Title XIII of the ARRA along with title IV of division B is better known as HITECH:

SEC. 13001. SHORT TITLE; TABLE OF CONTENTS OF TITLE.

(a) SHORT TITLE.—This title (and title IV of division B) may be cited as the ‘‘Health Information Technology for Economic and Clinical Health Act’’ or the ‘‘HITECH Act’’.

I commented that it looked like HITECH was one of a number of spending extravaganzas on the proposed chopping block.

Health IT under the country's current financial condition is indeed an extravagance, especially considering the experimental nature of the technology and the doubts expressed by experts as to its true value in its current state of development (see "An Updated Reading List on Health IT" at my Drexel Univ. Healthcare IT failures site).

This recent revelation should also be considered:

The quality of the technology is likely far, far worse than anyone, including the pessimists, imagined. The HIT problem reports in FDA's MAUDE database (link) are child's play compared to the following.

The unprecedented, recent, detailed analysis of a major American electronic health record system for use in Emergency Departments (of all places) by an Australian health IT expert at the following links is simply astonishing, if not downright frightening. See:

• Analysis of Cerner Problems Defined by ED Directors, http://sydney.edu.au/engineering/it/~hitru/index.php?option=com_content&task=view&id=120&Itemid=116

• A study of an Enterprise Health information System, http://sydney.edu.au/engineering/it/~hitru/index.php?option=com_content&task=view&id=91&Itemid=146

If even a fraction of this analysis is correct, we should simply take those billions of dollars and turn them into cigar wrappers.

Or perhaps coffins.

I will also repeat some of my rationale in my Jan. 2011 post for repeal of HITECH:

• This country cannot afford HITECH at this time. Put simply, we are broke, and the national deficit is ballooning far out of control. The money would be far better spent at this time on care of those who cannot afford that care.
  

• HITECH appeared as if out of nowhere, with little to no input time from stakeholders. This suggests lobbying by those with conflicts of interest to push this bill onto the public, affecting their medical care without informed consent (see my March 2009 post "Draft Patient Rights Statement and Informed Consent on Use of HIT"). The bill includes persuasion along with economic coercion for non-adopting organizations and physicians. ("Adoption" = adherence to government-set standards of "meaningful use" of poorly usable technology.) I disapprove of the stealth process by which HITECH appeared. This is the U.S., not the old USSR.

• Mass social experiments involving major systemic changes to our healthcare delivery system, with exceptional claims being made about IT, need to be backed by exceptional evidence. That evidence is lacking. In fact, the evidence might actually point in the negative direction. See my aforementioned post "An Updated Reading List on Health IT."
  

• The technology is not ready. It is dangerous in unqualified hands, which most every medical center and physician office is in 2011 (i.e., an IT backwater). The field of health IT was somehow transformed from an experimental field into the 'savior of medicine' without the proof of value and safety that would ordinarily be required to move an experimental technology from lab to national rollout. Per the Washington Post, this process appears to have been a highly politicized one, favoring the corporate elites. The Washington Post’s 2009 article on the influential HIT vendor lobby “The Machinery Behind Healthcare Reform” is at this link.

To these I will add a few more reasons to convert HITECH extravagance in time of financial distress and high unemployment to direct care provision:

• A similar experiment in the much smaller and strongly government-managed healthcare system of the UK didn't exactly have stellar results (link, link). We also have been warned not to make the same multi-billion dollar errors (link).
  

• The cavalier attitudes by the administration-appointed ONC director Blumenthal towards evidence of health IT-caused adverse effects, including deaths, reported to him by the FDA (see this Feb. 23, 2010 Internal FDA Memorandum on Health IT Safety Issues, PDF).
  

Despite the fact that the Director of FDA's Center for Device and Radiological Health Jeffrey Shuren (a physician and lawyer) testified these reports were likely just the "tip of the iceberg", ONC director Blumenthal glibly stated, per the Aug. 2010 Huffington Post Investigative Fund article FDA, Obama Digital Medical Records Team at Odds over Safety Oversight, that FDA's reports of health IT related injuries and deaths were “anecdotal":

ONC director Blumenthal, the point man for the administration, has called the FDA’s injury findings “anecdotal and fragmentary.” He told the Investigative Fund that he believed nothing in the report indicated a need for regulation.

These exact cavalier attitudes about "anecdotes" just failed in the Supreme Court. (See my Mar. 27, 2011 post about the Zicam decision in "Those Who Dismiss Healthcare (and Healthcare IT) Adverse Events Reports as Mere "Anecdotes" Have Lost - Supreme Court-Style").

More reasons for diverting HITECH funds to patient care include government waste driven by irrational exuberance and idealism:

• The irrational exuberance and idealism about this technology purportedly saving money, a dreamer's dream explicitly refuted, for example, by notable figures at Wharton (link) and Stanford (link). (Also see "Pessimism, Computer Failure, and Information Systems Development in the Public Sector", Shaun Goldfinch, Public Administration Review 67;5:917-929, Sept/Oct. 2007).

• More on purported cost savings - Peter Orszag, former head of the Congressional Budget Office, said the use of electronic health records, without a major change in health care delivery, "would not significantly reduce overall health care costs" in the agency's 2007 report on long-term health care spending. He also said that according to data from the report, the return on investment for EHR's "is not going to be as substantial as people think." The CBO concluded that predictions of cost savings from EHR's relied on "overly optimistic" assumptions and said much is unknown about the potential impact of health information technology. [That is, it is an experimental technology - ed.] Mass savings from health IT is an assertion that is both unproven and highly unlikely in my view.

• Yet another irrationally exuberant dream about the use of the massive amounts of uncontrolled clinical data, entered by myriad observers in an infinite variety of situations into these systems, to be used for research. This is the antithesis of sound methods for data collection and management in medical research. It is a dreamer's concept of the "Randomized Controlled Clinical Trial Made Easy." (See my essay "The Syndrome of Inappropriate Overconfidence in Computing: An Invasion of Medicine by the Information Technology Industry." Also see "Have we suffered a complete breakdown in the scientific method with regard to EHR and clinical IT?".)

Finally, here's another reason to withdraw HITECH for now:

• As I'd written in a series of essays at this blog query link, we simply don't know how to make computerized medical information reasonably private and secure. (One might wonder whether the current administration, sponsors of the out-of-the-blue HITECH act, actually wants healthcare information to be private and secure.)
  

I reiterate from my January 2011 post:

I would not weep for the HITECH act's passing. It would allow the restoration of health IT back to an unrushed and careful experiment.

It would also give time to work out the significant issues causing health IT difficulty (such as raised in 2009 by our National Research Council) before we embark on national health IT diffusion.

In other words, its passing would reduce risk and help restore an essential level of sanity and due diligence to the healthcare IT sector, now afflicted by irrational exuberance bordering on delirium.

We would avoid the largest unconsented medical experiment in US history, which as I have repeatedly written I feel would be disastrous with current levels of understanding of this technology and how to design, deploy and manage it. (My relative's 2010 HIT-related injuries only strengthened my convictions in this regard.)

Disclosure: I have no financial conflicts of interest regarding HITECH or health IT to weep about. Others do, and it's not hard to predict their financial interests will push them to oppose HITECH repeal "by any means necessary."

A replacement HITECH act that's "HIGH" on research and caution, but not so high on stealth, coercion and idealistic euphoria would be welcomed.

-- SS

With this device in your chest, an Elvis suit for the doc?

The April 3, 2011 NY Times has a nice piece about pacemakers and AICDs from a little-known and low market share German device manufacturer, Biotronik. Apparently this company's pacemakers have pretty much cornered the market among cardiologists at University Medical Center in Las Vegas.

(By the way, the Times has gone to a pay-wall, so the above link to it can't be counted on to work for too long after this posting comes out. Try a search engine. There's no permalink as one used to use to make sure the link stayed put.)

In any case, how fitting it all seems in anything-goes Nevada. According to the article the Feds may or may not be going after this egregious example of conflict of interest. Let's hope they are. But at least we can make sure that what plays in Vegas doesn't stay in Vegas.

Apparently some of the cardiologists at UMC are (or were) pulling down up to 5k a month in consulting fees. That may or may not have anything to do with the fact that the small German device-maker went from having, oh, zero 2-3 years ago to 95% of all devices implanted there last year, by total number of patients.

Good work, gentlemen. Let the word go out. Come to America and roll the dice in Las Vegas. It's almost enough to make me want to become a brimstone-spouting right wing pastor. "To gamble, it's of the devil."

But this is a place where the state's new governor is a former chair of the gaming commission.

Of course, the real culprit here is, collectively, those cardiologists and the middle-man distributors who court them. According to the article, the cardiologists who didn't enroll their patients (and presumably take dough) were on what the sales guys called the "loser" list.

Yes, "winning" in health care is about market share and effective sales. No surprise here. We knew that already, of course, from Wendell Potter's Deadly Spin, with which most readers of this blog are no doubt already familiar.

It sure as hell isn't about the patient winning. But last time I checked, professionalism and the Hippocratic Oath have something to say about the patient being the one who's supposed to win.

One understands that these gotta-make-a-buck middle-men, and the device vendor-manufacturers, are interested in the almighty share. Birds gotta fly, fish gotta swim. But the doctors--a sad commentary indeed if, as this articles says, "[they] then did the rest."

In this same vein, loss of meaning, clearly the word "university" in hospitals' names has ceased to have much real meaning. The article says the hospital CEO never bothered to ask the docs whether they had a conflict of interest.

Alas, too often that's equally true across the rest of the country. "University" centers behave just like proprietary players, as anyone reading this blog can't have failed to notice.

Maybe just a wee bit more glaring in Vegas, though, where guys in Elvis suits fall out of the sky and pay-to-play pacemakers fall into patients' chests.

Making a Stat Less Significant: Common Sense on "Side Effects" Lacking in Healthcare IT Sector

At my Mar. 27, 2011 post "Those Who Dismiss Healthcare (and Healthcare IT) Adverse Events Reports as Mere "Anecdotes" Have Lost - Supreme Court-Style" I wrote that the SCOTUS decided in MATRIXX INITIATIVES, INC., ET AL. v. SIRACUSANO ET AL. (link to PDF) that:

... We conclude that the materiality of adverse event reports cannot be reduced to a bright-line rule ... Because adverse reports can take many forms, assessing their materiality is a fact-specific inquiry, requiring consideration of their source, content, and context.

Wall Street Journal author and "Numbers Guy" Carl Bialik adds to that point in an article today "Making a Stat Less Significant" where he writes:

To determine whether a medical side effect is significant in an experiment requires knowing that every incidence of that side effect is being reported. Researchers can feel confident that is happening in a controlled clinical trial of a drug, but they can't be sure when a drug is being sold to the general public, as was the case with Zicam.

In other words, when one is not sure that every incident of a side effect is being reported, one should not cavalierly dismiss "anecdotal" reports of side effects, especially from reliable reporters.

The practictioners of Medical Informatics, along with the HIT Industry and its customers, appear to have failed in that regard with respect to clinical IT (electronic medical records, CPOE etc.) For years they have argued that these medical devices should not be regulated because that would "stifle innovation" and that reports of device adverse events were "anecdotal." Many in the field still make these arguments.

This view extends all the way up to the Director of the Office of the National Coordinator for Health IT, who glibly stated per the Aug. 2010 Huffington Post Investigative Fund article FDA, Obama Digital Medical Records Team at Odds over Safety Oversight that FDA's own reports of health IT related injuries and deaths were “anecdotal":

ONC director Blumenthal, the point man for the administration, has called the FDA’s injury findings “anecdotal and fragmentary.” He told the Investigative Fund that he believed nothing in the report indicated a need for regulation.

Those "injury findings" appear in an FDA Internal Memo made available by the aforementioned Huffington Post Investigative Fund and archived at the following link:

Internal FDA memorandum on HIT risks (PDF) to Jeffrey Shuren MD JD (Director, Center for Devices and Radiological Health). Health Information Technology (H-IT) Safety Issues. "This is an Internal Document Not Intended for Public Use." Feb. 23, 2010.

(My description/summary of the memorandum is at my Aug. 2010 post "Internal FDA memorandum of Feb. 23, 2010 to Jeffrey Shuren on HIT risks. Smoking gun?")

That memorandum itself emphasizes how FDA's own knowledge of these events is partial due to reporting impediments and lack of knowledge of resources such as FDA's MAUDE database.

The known reports were likely "the tip of the iceberg" according to the Director of FDA’s Center for Devices and Radiological Health (CDRH) Jeffrey Shuren, MD, who also happens to be a lawyer.

As at the aforementioned "tip of the iceberg" link, at an HHS meeting of the HIT Policy Committee's Adoption/Certification Workgroup on February 25, 2010, Shuren testified:

... In the past two years, we have received 260 reports of HIT-related malfunctions with the potential for patient harm – including 44 reported injuries and 6 reported deaths. Because these reports are purely voluntary, they may represent only the tip of the iceberg in terms of the HIT-related problems that exist.

Even within this limited sample, several serious safety concerns have come to light. The reported adverse events have largely fallen into four major categories: (1) errors of commission, such as accessing the wrong patient’s record or overwriting one patient’s information with another’s; (2) errors of omission or transmission, such as the loss or corruption of vital patient data; (3) errors in data analysis, including medication dosing errors of several orders of magnitude; and (4) incompatibility between multi-vendor software applications and systems, which can lead to any of the above.

The problem with ignoring testimony and reports of health IT-related difficulties and dismissing them as "anecdotal" goes back to the issue of "knowing that every incidence of that side effect is being reported."

While FDA itself admits significant doubt about completeness of reporting in its memo, what's worse is that Koppel and Kreda at University of Pennsylvania wrote a paper from which one might conclude that the healthcare and health IT industries are themselves aligned to conceal health IT adverse events reports.

In their remarkable article Health Care Information Technology Vendors' "Hold Harmless" Clause - Implications for Patients and Clinicians, Journal of the American Medical Association, 2009;301(12):1276-1278, we learn that there is little motivation for device safety in the health IT industry:

Healthcare information technology (HIT) vendors enjoy a contractual and legal structure that renders them virtually liability-free—“held harmless” is the term-of-art—even when their proprietary products may be implicated in adverse events involving patients. This contractual and legal device shifts liability and remedial burdens to physicians, nurses, hospitals, and clinics, even when these HIT users are strictly following vendor instructions...HIT vendors are not responsible for errors their systems introduce in patient treatment because physicians, nurses, pharmacists, and healthcare technicians should be able to identify—and correct—any errors generated by software faults. [In other words, they are expected to be clairvoyant when presented with erroneous or missing data - ed.]

We additionally learn that:

The significant disparity between buyers and sellers in knowledge and resources [about healthcare IT problems] is profound and consequential. Vendors retain company confidential knowledge about designs, faults, software-operations, and glitches. Their counsel have crafted contractual terms that absolve them of liability and other punitive strictures while compelling users’ non-disclosure of their systems’ problematic, or even disastrous, software faults.

In other words, health IT customers and users have a gag order imposed on them regarding software faults and defects.

I think any reasonable person would conclude there is great doubt as to whether "every incidence of [HIT side effects] is being reported."

I also pointed out in JAMA (link) and on my Drexel website (link) how agreeing to these terms caused hospital executives to violate both their fiduciary duties to their organization's workers as well as Joint Commission safety standards obligations.

(I've personally reported health IT defects I'd observed in hospitals where my relatives were patients to FDA's MAUDE database, discovering that the institution itself, whose officials I alerted to the problems, did not. An example is here.)

The above is all common sense.

Thus, the dismissal of reports of health IT-related patient injury, deaths, and "near misses" represents a failure of common sense, as well as a massive abrogation of fiduciary responsibilities and legal and ethical obligations among the Medical Informatics, health IT vendor, healthcare delivery, and healthcare regulatory sectors.

One end result is that it permits software like this to be mandated by state governments on hundreds of hospitals. One can only imagine the public, press and legal reactions if mission-critical software issues of this magnitude were brought forth after an aviation or nuclear power plant disaster.

The cavalier dismissals of HIT mishap reports clearly fall into the "knew, or should have known" category of negligence.

Plaintiff attorneys for patients injured or killed via HIT-related mishaps should take note.

-- SS

Note: my WSJ comment on this issue appears here.