Monday, March 2, 2009

Security is EVERYONE's Business

In the "be careful what you ask for" department, IS Assistant Director Noel Rasmussen alerts us to a story on nextgov.com, a website devoted to the technology and business of government, which reveals how filesharing networks, such as those used to access "free" music on other users' hard drives, have compromised tens of thousands of medical records.

This is a dramatic (and, in Noel's words "scary") illustration of the risks posed by allowing any medical information to leave our protected network. These medical records were not accessed through breaches in network security, but were obtained from external computers where the sensitive information was (hopefully) legitimately stored. But the compromised computers contained "peer-to-peer" filesharing software, typically downloaded for free for the purpose of sharing media files. Unfortunately, these applications often expose all files on the user's computer, putting any sensitive data on the computer at risk.

Since we are all individually (as well as collectively) responsible for the protection of health information that is entrusted to us, all HSD employees should be aware of these risks and use due diligence in protecting any PHI that may be stored on home computers. Please do not keep any work-related data on computers that have peer-to-peer file-sharing software!

Wednesday, February 25, 2009

Information Therapy

The term "information therapy" was new to me, but I think this concept should be at the core of our communication strategy:

An Introduction to Information Therapy


Information Therapy (Ix®) is the timely prescription and availability of evidence-based health information to meet individuals' specific needs and support sound decision making. Ix prescriptions are specifically targeted to an individual's needs at a particular moment in care and are delivered as part of the process of care.

Mission: To advance the practice and science of prescribing and using information to improve people's health.

Vision: A future in which every health decision is informed

Center for Information Therapy

Thursday, February 19, 2009

Convenience vs. Security

You might think that IT folks would be early adopters of this communication medium, but a quick survey of posts will show that they're not flocking to this blog. So recently I posed a question to the IT community by taping it on the wall, just outside my office:
"If you can log in to your banking website and be confident that your money is safe, why can't you log in to the intranet from outside the firewall (i.e., via extranet) and be confident that the data is safe?"

The clever folks in IS responded with a "paper blog", attaching a string of printed responses below the original question. Because the topic is so important, I thought I'd share those responses with you. I hope they will illustrate that our "obsession" with security is not intended to create roadblocks to access but stems from serious concern for our ethical obligations to our patients and our liability under the law.

Based on all of the identity theft and credit card fraud, it's hard to believe that anyone actually thinks their data is safe... If someone gets your banking or credit card information, how much do you lose? Maybe several thousand dollars? In medical ID thefts, the costs are usually tens to hundreds of times greater. People whose medical information was compromised have received bills in excess of $100K for operations and hospital stays that they did not actually receive.... The information that we are talking about here is much more valuable and more sensitive than financial data.

All that being said, we really need to provide a much better Web presence and the ability for patients to access their information and set up their own appointments.

Another poster addressed the complexity of providing secure Web access:
My bank uses a mix of AIX and Solaris to run their webservers and databases. They have partitioned databases. Web application servers do not directly access back end databases. The web applications themselves are written in Java. Finally, they have dedicated security staff that runs regular audits & code reviews and monitors web traffic & application performance.

All of that and I still don't actually trust that the site is truly secure, but they warrant that I will not be financially liable for online fraud. What will we be able to refund or un-release if PHI is stolen?

A third poster addressed PHI directly:
Kaiser Permanente lets you see your Electronic Medical Record on their Website. Are they not as serious about protecting PHI as we are?

A fourth poster thought not, citing the following evidence:
Kaiser fined $200,000 for release of PHI
Kaiser worker data breached, identity fraud reported

We in Information Systems are working diligently to find the appropriate balance between convenience and security. We hope that our customers understand that these concerns are not trivial, and we want to work with you to craft a solution that protects patients, employees, and the County without creating undue hardships for those charged with providing direct patient services.

If you have any comments to add on this topic, I hope you will share them with us.

Monday, February 16, 2009

Getting Ahead of the Curve on Electronic Health Record Mandates

Interesting article in today's Washington Post on the potential impacts of the $19 billion in the stimulus package that is directed towards electronic health records. The article focuses on the need for standards (both legal and technical) as well as the vast amounts of additional money that will be required to make this vision a reality. (Others have concerns over the privacy implications of these measures.)

Some may feel it's best to take a "wait-and-see" attitude -- to see how the legislation actually shapes up before worrying about how we'll deal with it -- I would hope that we can take a more proactive approach.

I think we can all recognize that some form of electronic health record will become commonplace over the coming years. I hope most of us would agree that there are some health benefits to be gained from a universal, standardized system. And still, many have legitimate concerns about how such a system would be implemented and used. That is why we must begin talking now about what a human-centered electronic health record would look like.

"Human-centered" includes privacy concerns as well as software usability. And software usability includes not only the patient who owns the record, but the medical providers and clerical staff who must help keep it current and accurate, the analysts who rely on the aggregate data, and technicians who must maintain the system!

I think it's important that IS initiate this conversation about the electronic health record, but it's even more vital that it be a cross-disciplinary discussion. Medical providers and clerical support staff who will maintain these prospective EHRs must be at the table, as must representatives from the business side. Together, we should build our own vision of a humane EHR, and we can give our requirements to our representatives to help shape the policy and secure the funding.

Thursday, January 22, 2009

We Have a Dream

Working with Fran Trant and Dawna Vann of the Service Excellence team, a group of IS managers and staff recently met to brainstorm a vision of their "preferred future" for Information Systems. Building on the concepts of communication, innovation, and customer service (which they identified as core values in a previous work session), the group agreed on the following statement as an accurate reflection of their dream:

We engage our customers and colleagues as we channel innovation and harness technology to create a positive customer experience.

In future working groups, IS will expand on this vision statement to create a set of core principles that exemplify Service Excellence in Information Systems. Based on those principles, IS will then define concrete "behavioral competencies" -- measurable performance objectives that can be used to evaluate an individual's success in bringing service excellence to her or his job. Eventually (after a suitable trial period during which staff becomes accustomed to the new requirements) these competencies will be incorporated into employees' annual performance appraisals.


An IS team employs kinesthetic techniques to help solidify their vision.

Wednesday, January 21, 2009

Virus Update

As many of you are aware, since the first of the year, IS staff has been diligently combating an invasion by a nasty computer virus. But this is not just a local problem -- the malicious intruder continues to infect millions of computers world-wide.
"This is enormous; possibly the biggest virus we have ever seen," said software security specialist David Perry of Trend Micro.

Here's an article with more details on the Conficker virus.

Tuesday, January 6, 2009

Happy New Year!

Please join me in welcoming our new CIO, David Runt, to Contra Costa Health Services. With a new year and new leadership, we have an opportunity to re-invent ourselves, building on past achievements but unburdened by the baggage of habit and tradition. Our talented team is committed to collaborating with all our colleagues in CCHS to enhance the care and outcomes -- dare I say, the "experience" -- afforded to the people of Contra Costa County.

Stay tuned for more news on our plans for 2009!