Hollywood Presbyterian Medical Center: Negligent hospital IT leaders allow hacker invasion that cripples EHRs, disrupts clinicians ... but patient safety and confidentiality not compromised

Allen Stefanek computer security Hollywood Presbyterian Medical Center medical record confidentiality medical record privacy Patient care has not been compromised

Hollywood Presbyterian Medical Center: Negligent hospital IT leaders allow hacker invasion that cripples EHRs, disrupts clinicians ... but patient safety and confidentiality not compromised

Unknown 2/19/2016 Komentar

To the cybernetic idealists out there who think computers are the greatest thing next to sliced bread in the healthcare environment, I say, pray you are not on the operating table when something like this happens:

Hackers’ Ransom Attack On California Hospital More Proof Healthcare Cybersecurity Is Floundering
International Business Times
Jeff Stone
02/17/16
http://www.ibtimes.com/hackers-ransom-attack-california-hospital-more-proof-healthcare-cybersecurity-2309720

Who would have thought that, for healthcare professionals, performing surgery, working long hours and navigating the dense world of U.S. health law would be easier than protecting hospital computer networks? That, however, appears to be the case after yet another hospital was victimized in a cyberattack. It’s just the latest example of a U.S. medical provider on the wrong end of a digital assault made possible by a lack of security measures.

I, for one, would have thought that.  In fact, I've been writing about these issues for years (see my many posts at query links http://hcrenewal.blogspot.com/search/label/medical%20record%20confidentiality and http://hcrenewal.blogspot.com/search/label/medical%20record%20privacy).

Doctors at Hollywood Presbyterian Medical Center, in southern California, have been suffering serious computer issues for at least a week, the CEO announced Sunday. Doctors have been unable to digitally access patients’ medical records, staff has been communicating via fax machines and patients have reported long delays in receiving care. It’s all the result of a cyberattack carried out by unknown hackers who are demanding 9,000 bitcoins (roughly $3.4 million) to restore the system to normal.

Ransom for access to EHRs.  The hospital's IT leadership should be held accountable for this invasion of the clinic by cybercriminals.  It's not like the issue is unknown:

... “Hospitals are a veritable bullseye for hackers,” said Grayson Milbourne, security intelligence director at the cybersecurity company Webroot, which works with a number of hospitals and healthcare companies. Milbourne added that the value of patient records is an irresistible target for cybercriminals. “For starters, [hospitals] run on a tight budget and their IT infrastructure is often a very low priority when compared to affording new medical devices and staff. 

More from techtimes.com at http://www.techtimes.com/articles/133874/20160216/hackers-hold-hollywood-hospital-s-computer-system-hostage-demand-3-6-million-as-patients-transferred.htm:

... According to NBC, the damage has caused the hospital to be unable to continue day-to-day operations. To keep up activity at the medical center, the staff has turned to manual documentation using pen and paper to take down patient information and jammed fax lines and telephones to communicate from one department to another. The administration has forbidden the use of other computers for fear that the harmful software could spread to more workstations.  Allen Stefanek, President and CEO of the hospital, says that "significant IT issues" began to emerge last week, leading to a declaration of "internal emergency." He also mentions that the attack was random, not malicious, noting that the emergency rooms have been "sporadically impacted since Friday."

The realities of IT in 2016, when hospitals are increasingly dependent on IT command-and-control systems through which every transaction of care must pass, lead to the conclusion that "IT infrastructure is often a very low priority" reflects negligence.

Back to the IBT article.  The CEO at this hospital proffers the usual BS:

Hollywood Presbyterian’s CEO [Allen Stefanek] told NBC, “Patient privacy has not been compromised."  ...The intrusion  has been described as a ransomware attack, which is typically defined as an attack that involves a hacker infiltrating a victim’s computer, and encrypting their data until the victim agrees to pay a bitcoin ransom. The hospital denies any patient data has been compromised.

Right.  Hackers take control of information systems, but patient data has neither been altered, nor its privacy impaired.

From the second article:

... the patients are not safe from harm. Stefanek insists that the incident has no impact on the overall care for the patients, but some have spoken out to say otherwise. Jackie Mendez and her 87-year-old mother say that they have to drive to Palmdale to pick up medical tests, which takes them over one hour to do so. "It's bad. She's an older person. It's not right she has to do this," she says. Another patient named Belmont West is also affected by the incident. Belmont says he went to the hospital to get his grandmother's medical test results to no avail.

and there's this:

... some patients had to be transferred to other hospitals, as some of the medical equipment that need computers at the Hollywood Presbyterian Medical Center were rendered inoperable, including apparatuses for X-ray and CT scans, documentation and pharmacy and lab work.

These ridiculous executive canned lines, including "the incident has no impact on the overall care for the patients" a.k.a. "patient safety had not been compromised" (see query link http://hcrenewal.blogspot.com/search/label/Patient%20care%20has%20not%20been%20compromised), are increasingly absurd, non-credible, and tiring.

The urgency [for hospitals to meet standards of care for IT security -ed.] is growing. One in three Americans had their health records breached in 2015, according to multiple reports released last month. Many of those records were breached as part of the nation-state hacks on health insurers Anthem and Primera, though experts predict hospitals will become more attractive targets as they begin to rely on insulin pumps, intravenous flows and other machines that are connected to the Internet.

I note that if hospitals cannot afford the required diligence, they need to get out of the IT business.  Paper cannot be hacked or held for ransom en masse.

In the end, the hospital appeased the hackers:

Hospital paid 17K ransom to hackers of its computer network
By ANDREW DALTON
Associated Press
http://bigstory.ap.org/article/d89e63ffea8b46d98583bfe06cf2c5af/hospital-paid-17k-ransom-hackers-its-computer-network
Feb. 17, 2016 11:44 PM EST

LOS ANGELES (AP) — A Los Angeles hospital paid a ransom of about $17,000 to hackers who infiltrated and disabled its computer network because paying was in the best interest of the hospital and the most efficient way to solve the problem, the medical center's chief executive said Wednesday.  Hollywood Presbyterian Medical Center paid the demanded ransom of 40 bitcoins — currently worth $16,664 dollars — after the network infiltration that began Feb. 5, CEO Allen Stefanek said in a statement. ... "The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," Stefanek said. "In the best interest of restoring normal operations, we did this."

They got off cheap for their negligence, relative to the initial demands.

Questions remain, however:

• Was any patient data altered or corrupted, either deliberately or as a result of the hack?
• Was any patient data copied or stolen?
• Was any malicious code left behind by the hackers on any computer on the network, e.g., "back doors" or other malware that could cause future problems?  Put another way, after paying the ransom, does the hospital believe it is dealing with 'honorable criminals'?
• One might presume the hospital, in an abundance of caution, is now paying after-the-fact for the expertise required to fully assure the integrity of its networks, computers and EHR and other business systems, but is this truly the case?
• Were any patients harmed as a result of the disruptions to information flows, and of so, are the IT leaders in part liable? 
• Will any patients suffer harm moving forward as a result of lost computer information during the episode, incomplete backloads of data on the paper that was resorted to during the crisis, or other factors?  Medical errors due to lost data can propagate forward in time, as I can attest to both personally and professionally.

It is my belief that, until and unless hospital leadership is held fully accountable for incidents such as this, such incidents will be one of many more moving forward.

Incidents like this are made more tragic by the increasing evidence that the benefits from healthcare cybernetics are not exactly what the zealots, pundits and industry opportunists advertised.

-- SS

Baca selengkapnya

Bio-Tech U, Version 2 - Current Board Member of Four Biotechnology Companies, Fomer Pfizer Director, Former Genentech Executive to be President of Stanford

boards of directors conflicts of interest Genentech Stanford

Bio-Tech U, Version 2 - Current Board Member of Four Biotechnology Companies, Fomer Pfizer Director, Former Genentech Executive to be President of Stanford

Unknown 2/12/2016 Komentar

Stanford University will soon have a new president.  According to the New York Times,

Stanford University’s incoming president, Marc Tessier-Lavigne, has developed a career that successfully melds science, business and academia.

Although he is now coming off a stint as president of Rockefeller University in New York starting in 2011,  his business connections are extensive.

A Genentech Executive

The NYT noted,

He may be best known, though, for his work at Genentech. As the No. 2 executive in research, he oversaw 1,400 scientists in one of the most innovative and successful companies in the biotech industry, known for the groundbreaking cancer drugs Avastin, Rituxan and Herceptin.

To expand that, his brief CV on the Rockefeller University website included,

1991 - 2001  increasingly senior faculty positions at UCSF
2001 - 2003  professor at Stanford

2003 - 2008  senior vice president, research drug discovery, Genentech Inc

2008 - 2009  exectuive vice president, research drug discovery, Genentech

2009 - 2011  chief scientific officer, Genentech

Member of Multiple Biotechnology Corporate Boards of Directors, Chairman of One

However, his involvement with the pharmaceutical and biotechnology industries hardly ends there.  He currently is on four biotechnology corporate boards of directors.  These include:

Agios 

For which he received compensation of $374,926 in 2014, according to the 2015 proxy statement.  His holdings in the company were then 130,122 shares.

Juno Therapeutics Inc

For which he received compensation of $30,000 in 2014, according to the 2015 proxy statement.  His holdings in this company were then 175,000 shares Series A2 convertible preferred.

Regeneron Pharmaceutical

For which he received compensation of $1,764,032  in 2014, according to the 2015 proxy statement.  His holdings in this compary were then 34,716 shares.

Pfizer, then Denali Therapeutics

Also, in 2011, he became a member of the board of directors of Pfizer, Inc.  He left in 2015 when he co-founded, and became chairman of the board of a new biotechnology company, Denali Therapeutics.  In 2014, according to the Pfizer 2015 proxy statement, he received compensation of $300,000.  His holdings in the company then were 104 shares of stock, and 24,307 stock units. 

He remains as chairman of the board of Denali, according to the company website.  Since this company is privately held, I could not find any information about the compensation or holdings of board members.

Discussion

To summarize, the incoming president of Stanford, on of the most prestigious American universities, one of the foremost US sites for biomedical research, and home to an equally prestigious medical school and academic health center, spent most of the last 15 years heavily involved with the pharmaceutical and biotechnology industries.  He was a top Genentech executive for eight of those years, served as a director of the then biggest US pharmaceutical company, and currently is a member of the boards of directors of four biotechnology companies, and is chairman of one of them.  He earned nearly $2.5 million dollars from these directorships in 2014, the last year for which such data is public, and owned hundreds of thousands of shares of stock in these companies.

How he had the time to executive all his fiduciary responsibilities as a director of four health care corporations while being the president of Rockefeller University, and apparently continuing to do his own research boggles the mind.  

However, Stanford's incoming president is a perfect example of how health care is now run by an interlocking group of insiders who have personally profited massively from their situated influence.   

So in whose interests will he act as president of Stanford?  The New York Times cited those who hailed his scientific prowess.

According to Susan K. McConnell, a professor of biology at Stanford, Dr. Tessier-Lavigne was responsible for a 'long list of amazing discoveries' involving identifying molecules that guide the growth of nerve connections in the developing brain.

On the other hand, he had important affiliations with two biotechnology companies that were known for leading the charge for stratospheric drug prices as much as they were known for developing innovative drugs.  By coincidence, or not, he was a top executive for the same company, Genentech, as was Dr Susan Desmond-Hellman, who later became the leader of the University of California - San Francisco.  As we noted here, Dr Desmond-Hellman was a public defender of such pricing, in particular, of the then (2007) stratospheric $55,000 a year price of bevacizumab (Avastin).

Prof Tessier-Lavigne also is currently on the board of Regeneron, which became known for charging $1850 per montly dose of Eylea, a drug for macular degeneration, while paying its board members and executives proportionately large amounts.  As we noted above, Professor Tessier-Lavigne got over $1.75 million in 2014 for his board service, and in 2014, the company's CEO received over $36 million.

In an interview with the NY Times, professor Tessier-Lavigne said,

We do have to ensure access [to Stanford], broadly, both in terms of access for people who are disadvantaged socioeconomically and, of course, diversity

But how easy would it be for a man with his biotechnology corporate connections and the riches they produced for him to step into the shoes of disadvantaged, diverse students (or patients)? 


When asked about his corporate background, he told the NY Times,

that before taking the reins at Stanford in September, he will review all his corporate relationships with the board to determine whether any conflicts of interest exist.

That suggests doubt about the existence of such conflicts. But as we first wrote in 2006,

Medical schools and their academic medical centers and teaching hospitals must deal with all sorts of health care companies, drug and device manufacturers, information technology venders, managed care organizations and health insurers, etc, in the course of fulfilling their patient care, teaching, and research missions. Thus, it seems that service on the board of directors of a such public for-profit health care company would generate a severe conflict for an academic health care leader, because such service entails a fiduciary duty to uphold the interests of the company and its stockholders. Such a duty ought on its face to have a much more important effect on thinking and decision making than receiving a gift, or even being paid for research or consulting services. Furthermore, the financial rewards for service on a company board, which usually include directors' fees and stock options, are comparable to the most highly paid consulting positions. What supports the interests of the company, however, may not always be good for the medical school, academic medical center or teaching hospital.

Last year, Anderson et al documented the prevalence of such board level conflicts of interests, and wrote,(1)

previous guidelines have emphasized the relationships of clinicians and researchers with industry, but institutional conflicts of interest, which arise when administrators, including executive officers, trustees, and clinical leaders have a financial relationship with industry, are increasingly recognized and pose a unique set of risks to academic missions.

If Professor Tessier-Lavigne has doubts whether his current service on four biotechnology boards of directors, as chairman of one of these companies, as former board member of Pfizer, and as former executive of Genentech could create any conflicts of interest, the students, faculty, patients and alumni of Stanford should be very wary of what direction he will take their university.

As we have said again and again, the web of conflicts of interest that is pervasive in medicine and health care is now threatening to strangle medicine and health care.  Furthermore, this web is now strong enough to have effectively transformed US health care into an oligarchy or plutocracy.  Health care is effectively run by a relatively small group of people, mainly professional managers plus a few (lapsed?) health care professionals, who simultaneously run or influence multiple corporations and organizations.

For patients and the public to trust health care professionals and health care organizations, they need to know that these individuals and organizations are putting patients' and the public's health ahead of private gain. Health care professionals who care for patients, those who teach about medicine and health care, clinical researchers, and those who make medical and health care policy should do so free from conflicts of interest that might inhibit their abilities to put patients and the public's health first.

Health care professionals ought to make it their highest priority to ensure that the organizations for which they work, or with which they interact also put patients' and the public's health ahead of private gain, especially the private gain of the organizations' leaders and their cronies.

Reference
1.  Anderson TS, Good CB, Gellad WF.  Prevalence and compensation of academic leaders, professors and trustees on publicly trade US healthcare company boards of directors: cross sectional study.  Brit Med J 2015; 351:h4826.  Link here. 

Baca selengkapnya

The Rich (Hospital Managers) Get Richer - Carolinas Healthcare Raises Executive Compensation Once Again

Carolinas HealthCare Charlotte-Mecklenburg Hospital Authority executive compensation government public hospitals

The Rich (Hospital Managers) Get Richer - Carolinas Healthcare Raises Executive Compensation Once Again

Unknown 2/08/2016 Komentar

It's that time of year again.  Carolinas Healthcare has made public its executive compensation, and once again, its CEO got a big raise, and many other executives made more than a million dollars. And once again, the CEO's raise exceeds the rate of inflation, and seems totally unrelated to how well the health system fulfilled its mission.

The History of Executive Compensation at Carolinas Healthcare

About a year ago, we noted that CEO Michael Tarwater got $5.3 million in total compensation.  In fact, we have been following his compensation since 2009 (see also posts in 2011, 2012, and 2013).  It started big, and got bigger.

- $3.4 million in 2009
- $3.7 million in 2010
- $4.2 million in 2011
- $4.76 million in 2012
- $4.9 million in 2013
- $5.3 million in 2014

The Latest Increases

Now the yearly update by Karen Garloch writing in the Charlotte Observer:

-$6.6 million in 2015

That is a 26% increase in one year, and an almost 100% increase since 2009, increases far greater than inflation.  The 2015 compensation broke down as follows:

In 2015, Tarwater received a salary of $1.28 million, two bonuses totaling $5 million, and other compensation, including retirement and health benefits of $305,318....

In contrast, the bonuses given to non-management personnel by the system were orders of magnitude smaller:

Among nonmanagement employees, more than 22,000 in Carolinas HealthCare’s Charlotte-area hospitals received 2015 incentive bonuses of $1,000 each, and 7,674 others received bonuses of $300 or $600 each, Moore said. Another “special bonus” program benefited about 24,000 employees, who received $1,000 each, and 7,568 others, who got $300 or $600 each. Total bonuses for nonmanagement employees came to $53.4 million, in addition to annual pay raises that averaged 2 percent.

Although that total sounds large in isolation, consider that one person, the CEO, got a bonus equal to one-tenth of all the bonuses given to over 24,000 other employees.

Other top executives also did very well for themselves.  

▪ Joseph Piemont, former chief operating officer: $3,200,326
▪ Greg Gombar, chief financial officer: $2, 334,150
▪ Terrence Akin, CEO of Cone Health: $1,964,482
▪ Dr. Roger Ray, chief physician executive: $1,957,065
▪ John Knox, chief administrative officer: $1,507,984
▪ Paul Franz, executive vice president: $1,500,245
▪ Dennis Phillips, executive vice president: $1,400,487
▪ Keith Smith, general counsel: $1,317,919
▪ Debra Plousha Moore, chief human resources officer: $1,306,477

CHS hospital presidents - 2015
▪ Phyllis Wingate, president, CHS NorthEast: $1,045,784
 ▪ Spencer Lilly, president, Carolinas Medical Center: $868,610
▪ Christopher Hummer, president, CHS Pineville: $711,685
▪ Michael Lutes, president, CHS Union: $690,719
▪ Brian Gwyn, president, CHS Cleveland: $664,034
▪ William Leonard, president, CHS University: $530,493
▪ Peter Acker, president, CHS Lincoln: $475,758
▪ Alfred Taylor, president, Stanly Regional Medical Center: $455,665
▪ Robert Larrison, president, Carolinas Rehabilitation: $407,503

The Usual Talking Points for Justification

Hospital management used the usual talking points to justify the pay they received,  As I wrote last year 

It seems nearly every attempt made to defend the outsize compensation given hospital and health system executives involves the same arguments, thus suggesting they are talking points, possibly crafted as a public relations ploy. We first listed the talking points here, and then provided additional examples of their use. here, here here, here, here, and here, here and here. 

They are:
- We have to pay competitive rates
- We have to pay enough to retain at least competent executives, given how hard it is to be an executive
- Our executives are not merely competitive, but brilliant (and have to be to do such a difficult job).

So, as if on cue, according to an article in the Charlotte Business Journal,

Carolinas HealthCare said in a statement that its executive compensation program is 'designed to attract, recruit and retain high-performing executives by providing market-competitive, reasonable and fair compensation.'

It notes that recruiting and retaining talent enables the health-care system to pursue 'its mission, lead in the transformation of healthcare and provide best-in-class care to our communities.'

Despite Evidence of Less than High Performance


But some recent news articles suggested that Carolinas Healthcare management is not so high-performing.  For example, we found the following articles, discussed in chronological order,

"Lawsuit: Hospitals Cheated Medicare out of Millions" (Charlotte Observer, September 2, 2015)

A newly unsealed lawsuit alleges that Carolinas Medical Center and N.C. Baptist Hospital have fraudulently obtained tens of millions of dollars from Medicare and Medicaid through an arrangement that artificially inflated their expenses.

The federal suit, filed by Forsyth County whistleblower Joe Vincoli, contends that the two hospitals overstated their costs – and thereby extracted more money from Medicare – by using a company that they own to provide health benefits to their employees.

"Employee Satisfaction at Carolinas HealthCare System Dropped in 2015" (Charlotte Observer, November 6, 2015)

The system had been rated at the 99th percentile in 2012, the 95th percentile in 2013-4, and dropped to the 76th percentile in 2015. The article stated that employees blamed staffing issues and poor leadership.

"Rehab Center Drops Program" (WSOC-TV, January 5, 2016)

The inpatient drug treatment program at First Step at Carolinas Medical Center - Union was dropped for reasons said to be "part financial- and part research-based." The overseer of the local drug treatment court decried the loss of a "very valuable" program.

"Hospitals Failed to Report Outbreaks Linked to Tainted Scopes, Senate Report Says" (Los Angeles Times, January 22, 2016)

This article lead with the failure of Carolinas Medical Center to report an infection apparently caused by the use of an endoscope that later was implicated in multiple infections at multiple hospitals.  The article noted that

Federal law requires hospitals to report deaths from a medical device to the FDA within 10 days. If the device seriously injures a patient, the hospital must notify the manufacturer within 10 days. Both notices require hospitals to fill out what the FDA calls Form 3500A.

"Notice: 360 to Lose Jobs at Health Care Facility" (WSOC-TV, January 26, 2016)

The article noted layoffs at Carolinas Medical Center- Main Rehabilitation program but noted "it's not clear why the positions are being eliminated."

So instead of high performance, the recent track-record of hospital system management included allegations of defrauding the federal government, a marked decrease in employee satisfaction, the closing of an apparently valuable rehabilitation program, the failure to report apparent adverse effects of a medical device despite requirements in federal law, and layoffs at a rehabilitation facility.  

No wonder that Karen Garloch reported in her February, 2016 article,

On hearing about the latest CHS compensation report, Mecklenburg County commissioner Pat Cotham said, 'It’s kind of depressing. … Nothing against Mr. Tarwater personally. He’s led a successful organization. … Generally I struggle with these multimillion-dollar deals. Is anybody really that valuable?'

The question becomes more acute given that it is not even clear whether Carolinas Healthcare is a private non-profit organization or a government agency.  As we noted last year, per Ms Garloch,

The system is technically a hospital authority, created by state law in 1943, and is run by a self-perpetuating board that includes top community and business leaders whose nominations get approval from the commissioners’ chairman. Over the years, chairmen have acknowledged that action is basically a rubber stamp.

A recently closed investigation by the U.S. Department of Labor focused on whether the hospital system is a governmental agency, as it claims. On Thursday, commissioner Bill James said that question remains open and might have bearing on compensation.

James said documents in the investigation included a statement by a lawyer for CHS who said hospital debts 'have been and will be backstopped by the County’s taxing power.' But James said state law has given commissioners no oversight role in connection with CHS.

'I don’t know how CHS can expect taxpayers to ‘backstop’ their billions of debt with County tax dollars without any oversight over it,' James wrote in an email.

'I do not know what is just compensation for a hospital CEO,' James wrote. But he added that most government agencies have 'typical limitations on pay.'

You would think that all those people who loudly critique spending by the "gummint" would be loudly decrying pay at Carolinas Healthcare.  However, I can find no evidence of such protests.

Summary

Whether the top managers of Carolinas Healthcare are government bureaucrats or non-profit executives, they seem to manage to pay themselves more each year, regardless of what other employees are paid, regardless of inflation, and regardless of how well the organization is upholding its health care mission.  This is another example of ho hospital managers have become "value extractors."  The opportunity to extract value has become a major driver of managerial decision making.  And this decision making is probably the major reason our health care system is so expensive and inaccessible, and why it provides such mediocre care for so much money.

So to repeat, true health care reform would put in place leadership that understands the health care context, upholds health care professionals' values, and puts patients' and the public's health ahead of extraneous, particularly short-term financial concerns. We need health care governance that holds health care leaders accountable, and ensures their transparency, integrity and honesty.

Baca selengkapnya

HIMSS 2016 Presentation: Plaintiff's Lawyers Are The Cause of EHR Problems. They're Using Pristine, White-as-the-Blowing-Snow EHRs as "An Opportunity for Litigation"

evidence spoliation Greg Goth healthcare IT evidentiary issues Healthcare IT News healthcare IT risk Mary Re Knack Ogden Murphy Wallace Reed Gelzer

HIMSS 2016 Presentation: Plaintiff's Lawyers Are The Cause of EHR Problems. They're Using Pristine, White-as-the-Blowing-Snow EHRs as "An Opportunity for Litigation"

Unknown 2/05/2016 Komentar

In perhaps the most ill-informed, perverse rationalization/defense of bad health IT I've seen to date, the following appeared in an article about an upcoming HIMSS presentation (Healthcare Information and Management Systems Society's health IT mega-industry trade show, http://www.himssconference.org).

I remind readers of the definition of bad health IT coined by myself and Australian polymath/informatics scientist Dr. Jon Patrick in 2012, as at my Drexel University College of Computing and Informatics website "Contemporary Issues in Medical Informatics: Good Health IT, Bad Health IT, and Common Examples of Healthcare IT Difficulties" at http://cci.drexel.edu/faculty/ssilverstein/cases/:

Bad Health IT ("BHIT") is defined as IT that is ill-suited to purpose, hard to use, unreliable, loses data or provides incorrect data, is difficult and/or prohibitively expensive to customize to the needs of different medical specialists and subspecialists, causes cognitive overload, slows rather than facilitates users, lacks appropriate alerts, creates the need for hypervigilance (i.e., towards avoiding IT-related mishaps) that increases stress, is lacking in security, compromises patient privacy or otherwise demonstrates suboptimal design and/or implementation.

To this definition I should add "that does not support evidentiary trustworthiness."

The article tries to make the case that Plaintiff's lawyers are "targeting" the innocent EHR:

Amid surge in malpractice lawsuits, EHRs often targeted in litigation, attorney says
Healthcare IT News, Feb. 4, 2016
Greg Goth
http://www.healthcareitnews.com/news/amid-surge-malpractice-lawsuits-ehrs-often-targeted-litigation-attorney-says

Byline:  Providers often wind up defending their electronic health records, rather than what got them sued in the first place, Mary Re Knack will explain at HIMSS16

The article continues:

As if healthcare executives don't have enough worries about implementing electronic health records, yet another issue is starting to ramp up.

"What's been happening more frequently in the last few years is that certain plaintiffs' lawyers – a kind of group of them who communicate with each other – have started to see the medical record as an opportunity for litigation," said Mary Re Knack, a Seattle-based attorney for the firm Ogden Murphy Wallace.

Knack will be presenting an exploration of these emerging litigation troubles in the session "Just Press Print: Challenges in Producing EHRs in Litigation" with colleague Elana R. Zana at HIMSS16, beginning in late February.

A group of colluding plaintiff's lawyers "see the medical record as an opportunity for litigation?"   This statement appears to say, in the words of a colleague, "it's those $%$%# plaintiff's attorneys again, preying on our worthy docs and hospitals and their good intentions with HIT for the nation's good."

Ms. Knack seems to veer in the direction of the Defense side as at http://www.omwlaw.com/seattle-attorneys/m-re-knack/:

Ms. Knack is a member of the Healthcare and Litigation Departments.  Her practice focuses on healthcare, insurance, product liability, mass tort, and civil matters.  Ms. Knack provides a wide range of legal services to members of the healthcare industry including negotiating and structuring arrangements, business, regulatory, confidentiality and privacy-related compliance services including HIPAA and state laws, licensing and risk management related services, and related investigations.

The reality in my direct experience is different.  Starting after the EHR-related injury and demise of my mother in 2010, I began lending my medical informatics expertise to lawyers as an Independent Expert Witness towards deciphering and authenticating the legible gibberish that often passes for "medical records."  In working with and speaking at national meetings to Plaintiff's lawyers at their invitation, I find that the only thing plaintiff's lawyers see EHRs as is a badly-designed tool that causes or contributes to medical malpractice itself by disrupting doctors and nurses, and befuddles any reader, attorney or clinician, regarding the true course of clinical events.

They see, in my experience, bad health IT not as an "opportunity for litigation", but as an impediment to knowing the facts of the case, and a cause of unnecessary patient harm.

(In fact, in late 2014 I spoke to U.S. House members at the Capitol on just those issues, accompanied by several Plaintiff's attorneys who'd seen horrible patient harms as a result of bad health IT, begging the congresspeople to investigate and take action.)

An early quote in the article is, I'm sure, an inadvertent but an outright condemnation of the health IT industry:

Electronic health record design is paramount among those issues, Knack said, because EHR vendors quite naturally did not build the software with litigation in mind.

It's bad enough that EHR vendors did not build the software with clinicians and clinical care in mind, resulting in a Complaint Letter from almost 40 medical societies to HHS one year ago (see my Jan. 28, 2015 post "'Meaningful Use' not so meaningful: Multiple medical specialty societies now go on record about hazards of EHR misdirection, mismanagement and sloppy hospital computing" at http://hcrenewal.blogspot.com/2015/01/meaningful-use-not-so-meaningul.html, which contains a link to the aforementioned medical societies letter).

Ms. Knack now avers that EHR vendors did not build the software with adequate due diligence towards evidentiary/litigation matters.

In other words, the software is not designed to produce court-ready records that can be easily shown to be complete, free from alteration, and trustworthy in order to meet the business record exception to hearsay (Also known as the Business Entry Rule, this exception to the evidentiary rule, which excludes hearsay from a trial, allows business records to be admitted if the proper foundation is laid to show the document is reliable, https://www.law.cornell.edu/wex/business_records_exception).

I take great issue with the declaration that such evidentiary faults were incorporated "quite naturally" by the vendors.  It's not like medical malpractice is a State Secret, and the need for records trustworthiness kept under cover by the National Security Agency.

I thus feel compelled to correct Ms. Knack's statement to read as follows:

Electronic health record design is paramount among those issues, Knack said, because EHR vendors quite negligently did not build the software with litigation in mind.

Next:

"The data is all stored behind these templates, and depending on what you are trying to look at, whether it's a summary or lab reports or such, the data then populates the template on a screen. But when you print it, it doesn't print out as cleanly or as nicely,” Knack said.

In fact, the arrangement of data on the screens is often very, very bad in terms of understanding the patient (e.g., see my Dec. 6, 2013 post "EHR Pastel Madness: Cognitive Overload in Critical Care" at http://hcrenewal.blogspot.com/2013/12/ehr-pastel-madness-cognitive-overload.html).  Usability of most commercial EHRs leaves much to be desired, and that does not involve paper printouts.

That said, I do agree with Ms. Knack that paper printouts - the reams and reams that come out of these systems even after short hospitalizations - are often informationally cryptic, sloppy, filled with distracting irrelevancy, and tiring to use.  See my Feb. 27, 2011 post "Electronic Medical Records: Two Weeks, Two Reams" at http://hcrenewal.blogspot.com/2011/02/electronic-medical-records-two-weeks.html for instance.  (Indeed, my own mother's thousands of pages are a nightmare, even for me who trained in the paper days at the very hospital in which those records were generated, was there almost every day observing events of my mother's care in 2010-11, and who is a Medical Informatics specialist).

This raises the following questions:

• Why doesn't that paper "print out as cleanly or nicely" as the (already problematic) screens?
• Who designed the systems this way?  Again in my own experience as a developer and CMIO, it is not hard to produce quality output, see for instance my report at http://cci.drexel.edu/faculty/ssilverstein/cases/?loc=cases&sloc=Cardiology%20story
• Who approved the purchase of these systems whose paper output is not "clear and nice"?  It's not as if hospitals don't have HIM medical record experts, legal counsel, and others to have demanded better;
• Who implemented the systems as such?
• Who complacently leaves them in the condition of producing bad paper printouts?

(Note, an anecdote regarding the health IT Industry in the U.S.: the cardiology information system I developed, linked to above in the 2nd bullet point, was seen in 2000 by German engineers at Siemens Healthcare Erlangen as exemplary, and they offered me a position to further develop it, that I declined due to a simultaneous superior offer from Merck Research Labs.  However, in 2007 when I again spoke to Siemens, this time to Americans at the former Shared Medical Systems in Malvern, PA that had been acquired by Siemens, they found a system that actually produced clear, detailed outputs in a critical care area and was in use at the time in a major healthcare system in the region "impractical" - and never followed up with me.  Pearls before....)

Making matters far worse for the EHR sellers and those who actually bought and implemented these cybernetic behemoths, the issues of record evidentiary fitness do not just concern litigation.   That's just the tip of the iceberg:

A colleague, EHR/HIT Systems and Policy Analyst Dr. Reed Gelzer (https://www.linkedin.com/in/reed-gelzer-4410899) also points out that:

Records management fitness is required also for:

1. Accurate clinical quality measures  
2. Regulatory reporting
3. Alternate payment model services reporting
4. Release of Information for business associates of all kinds, including transitions of care
5. Valuation of clinical organizations in mergers and acquisitions
6. Data quality assurance for each and every potential end-use of clinical information that is dependent on narrative notes (all forms of workload coding/RVUs, episode-of-care costing, etc.)
7. Risk Management of all types, not just medmal.  (Including D&O - Directors & Officers - as well as the secondary and re-insurers)

A cavalier approach to evidentiary fitness thus is a gargantuan, bull-in-a-china-shop intrusion of information technology medical amateurs into the clinical setting.  The harm that is/will be caused goes far beyond the trial court.

Then this:

... One of these obvious challenges in trying to review somebody's care is how do you see it? How do you even read what the care was? Who did what? And when?

"You may have a case that's very straightforward medical malpractice, but because of the way the medical records get printed out, the same piece of data may appear in five places. Somebody who looks at it, whose goal is to show how it's confusing, can then start to challenge the care that was given based on the fact the medical record is confusing,” Knack explained. “They can take another step, and that is questioning whether the data in the medical record is accurate or if it has been changed."

In other words, Plaintiffs lawyers get a pile of evidentiary crap that is, in fact, often confusing (even to a Medical Informatics specialist/physician such as myself), and, evil upon evil, they question whether there's been any alteration or withholding of an alterable electronic record under sole control of the defendant, to prejudice plaintiffs and advantage defendant.

Medical record alteration is, unfortunately, not that uncommon.   See the search https://www.google.com/search?q=medical+record+alteration&ie=utf-8&oe=utf-8, for instance.

EHRs have a huge vulnerability in that regard.  Plaintiff attorneys are rightly being diligent in questioning the trustworthiness of records.  As it is legally incumbent upon the producer of records to prove they are what they purport to be, and since hospitals and medical professionals have an inherent conflict of interest in producing records that could damage their defense regarding malpractice, in my view the Courts should be as diligent as well before allowing records to be admitted as trustworthy business records.

Last quote from the article:

... As a result, Knack said, a healthcare provider can find itself in litigation that is ostensibly about the care provided, when in actuality that organization has to "defend how the medical record works."

No, in reality they (rightly) have to defend their decisions to acquire, implement, and fail to remediate bad health IT that produces crap outputs.

More on evidentiary issues below. First, an aside.  It seems to me - if one wants to speak about liability, aside from medical malpractice - that there's significant grounds for product liability lawsuits regarding these IT systems being unfit for purpose, as well as corporate liability for failure of officers with a fiduciary responsibility to perform due diligence on these critical medical records apparatuses.
  
Further, if the printouts are bad compared to the screens, then it seems incumbent on hospitals to produce for legal and clinical purposes the actual screens.  Ultra-clear screenshots can be accomplished with ordinary off-the-shelf cellphones and no special conditions, as in the example I just took, unaltered, of the screen I am composing this essay on:

Cellphone screenshot: Click to enlarge

Let's get down to the real problems with EHRs and evidentiary issues. 

It's not "certain plaintiffs' lawyers – a kind of group of them who communicate with each other –  seeing the medical record as an opportunity for litigation."

It's negligent and opportunistic EHR vendors, complacent hospital officers, and a legislative and justice system that needs education as to clinical and evidentiary problems caused by the prior two groups.

Here's more on the true problems:

Electronic medical records (EMRs or EHR, for electronic health record) came about as a result of a belief by pioneers in the field of Medical Informatics at organizations such as Harvard, the University of Utah, and others, as early as the 1950’s, that computers could streamline storage and retrieval of needed medical information, help standardize the language used in medical record-keeping (thus helping the accuracy and portability of records), provide automated computer-generated alerts and reminders, and solve the issue of illegible handwriting.
  
The term “EMR” itself is an anachronism.  EMR systems today are no longer just electronic filing systems replacing the paper chart, as they were early in their development. They are now integrated systems for order entry, results reporting, alerts and reminders, etc. They are now, in effect, enterprise clinical resource “nervous systems” for control of the clinical activities of a hospital or clinic.  All transactions related to care must increasingly pass through EMR systems as an intermediary between clinicians and patients.  The records of such transactions are increasingly only in electronic form.

Importantly, EMR technology is not regulated in any meaningful way, as is IT in other sectors, such as the pharmaceutical industry (where the FDA provides regulation of quality and security of systems used to store and manipulate clinical trial data and drug manufacturing), the aviation industry (where the FAA regulates safety and testing to assure freedom from potentially catastrophic malfunctions), and other mission critical sectors of industry.   

There is no regulatory pre-market or postmarket surveillance of EMR systems in place regarding reliability, safety, information security and other areas as there is in other healthcare sectors, and efforts to have such regulation initiated by the FDA and others have been resisted by the health IT industry. 

Some examples of EMR hazards can be found in the article “E-Health Hazards: Provider Liability and Electronic Health Record Systems” by attorney Sharona Hoffman & engineer Andrew Podgurski, Case Western University (freely available at http://scholarship.law.berkeley.edu/cgi/viewcontent.cgi?article=1813&context=btlj).
  
Without regulation of EMRs, critical issues have been neglected, such as the optimal presentation and understandability by doctors and nurses of EMR outputs (often created using templates, checklists, menus etc. of various kinds) and of the need for assurance that information in EMR systems is complete unaltered, and trustworthy.  

Critically, the electronic record is a malleable and ephemeral record of events, backed up by an equally malleable and ephemeral electronic audit trail, both under the sole control of a defendant hospital or clinic. 

--------------------------------------------------------

The largest problem I've seen in Discovery is hospital and defense resistance towards production of the one item in electronic records that can allay legitimate concerns about withholding or alteration (and I say "can" because the industry has also been negligent in audit trail implementation and security): the audit trail.

An audit trail (sometimes called an audit log) is an automatically generated accounting of who accessed an electronic record, when, and the actions they took, such as document creation, alteration or deletion. 

An audit trail is the only way to authenticate electronic medical records as complete, free from alteration, and trustworthy.  An audit trail is akin to a banking statement, but instead of tracking monetary deposits, withdrawals and other financial changes, it tracks deposits, withdrawals and changes to clinical medical information. Without an audit log, the record is not authenticatable as complete and free from alteration.  Absence of an audit log would leave the electronic medical record subject to undetectable tampering or selective information withholding.  Its production is essential for evidentiary purposes, without exception.

Audit logs track changes within a record chronologically by capturing data elements, such as date, time, and user stamps, for each update to an EHR. An audit log can be used to analyze historical patterns that can identify data inconsistencies.

EMRs are vulnerable to manipulation. Electronic data are not tangible. Electronic data are invisible bits of data on some electronic storage media such as magnetic disk. As such, data can be manipulated on that media.  Detection of omissions, erasures, and alterations that would characterize tampering with paper records is not available with printouts of electronic medical records. The audit trail replaces those visual cues. 

The only way to tell if electronic records have been altered or partially withheld is via an electronic audit trail that can track creation of, and changes to, the record content.

Literature supports the necessity of reviewing an audit trail to ensure a complete medical record. 

From "ELECTRONIC HEALTH RECORDS SYSTEMS: TESTING THE LIMITS OF DIGITAL RECORDS’ RELIABILITY AND TRUST", Drury, Gelzer, and Patricia Trites, Ave Maria Law Review, Summer 2014, pg. 263, free at http://lr.avemarialaw.edu/Content/articles/v12i2.Gelzer.pdf:

... EHRs can be designed, configured, implemented, and used to render false representations in the course of “regular business.” This, then, is a principal distinguishing aspect of EHRs that tests the boundaries of current evidentiary procedures that presume their reliability and trustworthiness is no worse than other records management systems. In their current unregulated, non-standardized states where the current primary market drivers of their use exclude prior inspection against long-standing records management requirements, they illustrate the necessity of scrutiny of all outputs produced for rendering into legal proceedings. This necessity arises not simply from substantial possibility of legally dubious record management processes, but also the possibility that reliability supports, such as audit trails and near and long-term records management functions, may themselves be missing, difficult to use, or of uncertain veracity as verified by the OIG [Dept. of Health and Human Services, Office of Inspector General] survey. 

(See my Dec. 10, 2013 post "44% of hospitals reported to HHS that they can delete the contents of their EHR audit logs whenever they'd like" at http://hcrenewal.blogspot.com/2013/12/44-of-hospitals-reported-to-oig-that.html for more on the latter point and the referenced OIG report.)

In summary, it sounds like HIMSS attendees are going to hear a misdirecting presentation from, what appears to me, apologists for gross EHR defects due to industry and hospital negligence, with the blame being shifted to a patient's only hope for fair addressing of malpractice - the Plaintiff's Bar.

I consider this disappointing.

Finally, not all counsel on the defense side take anti patient-rights stances on these matters.  While I don't agree with everything in it, and have some points of significant disagreement, I've found the 2014 book "Electronic Medical Records and Litigation" by attorney Matthew Keris of defense firm Marshall Dennehey Warner Coleman Goggin useful.  I think there's realistic acknowledgement in the book of the ill effects of bad health IT, without internecine barrister-barrister attacks.

Finally, I am an independent expert witness in healthcare informatics, meaning I will work with defense when the facts and evidence merit.  In my presentations to lawyers, I include slides geared to defense.  In part these slides advise defense counsel that through their efforts in advising their clients, they hold the key, through advice rendered, to the prevention of bad health IT from ever seeing the light of day in hospitals, and thus from causing or contributing to medical malpractice, patient harm and death, and evidentiary mayhem.

I wish more of that advice-giving would occur.

-- SS

Baca selengkapnya

Whom Can You Trust? - FTC Charges DeVry University, Sister School of American University of the Caribbean and Ross University Medical Schools, with Deceptive Marketing

deception DeVry Inc offshore medical schools Ross University

Whom Can You Trust? - FTC Charges DeVry University, Sister School of American University of the Caribbean and Ross University Medical Schools, with Deceptive Marketing

Unknown 1/30/2016 Komentar

Now there is another reason for Americans who aspire to medical careers to be concerned about applying to offshore medical schools.

Introduction

Admission to US medical schools is increasingly difficult.  So many who seek medical careers may be tempted to apply to schools outside the US.  In the last 30 years, American entrepreneurs have opened offshore medical schools, mostly in the Caribbean, that cater to US students.  They teach in English, and do not require immersion in an unfamiliar culture, so may be more attractive than medical schools in other countries whose mission is to educate physicians to practice in those countries. In 2010, Eckhert documented that the number of offshore medical schools, "for-profit institutions whose purpose is to train U.S. and Canadian students who intend to return home to practice," but not to train physicians to practice in the countries in which these schools are located, was rapidly growing.(1)  By 2010, there were 33 such schools, 20 of which were new since 2000.

Such offshore medical schools exist in a grey area.  The small countries or colonies in which they are located usually do not seek to regulate them, since the physicians they produce are going to practice elsewhere. There is no requirement that these offshore medical schools be accredited in the US.  Such  accreditation is currently not required for individual graduates of such schools to be admitted to US house-staff programs or for US licensure.  So perhaps it is not surprising that little is known about these schools.

How they choose students, the qualifications or even names of their faculty, their curriculum, how they supervise clinical training (which is mostly done by affiliated North American hospitals), and what happens to their graduates are obscure.  Eckhert attempted to describe what is known, but noted "variability exists in the availability of information on faculty; where data exists, it is noted that most of the permanent on-site basic science faculty are internationally trained, many have no documented medical education experience in the United States, and it is not uncommon for them to be OMS [offshore medical school] alumni."

Such information as is available about these schools comes from the schools themselves.


DeVry Accused of Deception


Yet now there is reason to be more suspicious about the information the schools choose to reveal.  This week, media reports documented that the US Federal Trade Commission (FTC) is suing DeVry University for allegedly "deceptive" recruiting practices.  DeVry University is a subsidiary of DeVry Education Group.  DeVry has two offshore medical schools as subsidiaries, the American University of the Caribbean School of Medicine, and Ross University School of Medicine.

Here is a summary from the Miami Herald,

On Wednesday, the Federal Trade Commission sued DeVry, which operates three Florida campuses, including one in Miramar, for 'deceptive' recruiting practices. The company is one of the nation’s largest for-profit colleges, with 50-plus U.S. campuses, and more than 41,000 students. In addition to the disputed 90 percent number [of graduates who found work in their chosen field], the FTC alleges DeVry also falsely advertised that its graduates 'earn 15% more than graduates from other colleges and universities.'

The allegations were that DeVry rigged the statistics:

The FTC suit alleges that DeVry fudged the numbers on its 90 percent job placement rate by leaving out some out students who weren’t finding jobs. This was done by classifying the students as not actively seeking employment, even though that wasn’t the case, the FTC says.

According to the FTC, DeVry also boosted its job placement numbers by counting students as placed in their field even when that clearly wasn’t accurate. Examples of DeVry’s 'in field' placements cited in the lawsuit include:

▪ A graduate from the technical management degree program working as a mail carrier.
▪ A business administration graduate working as a waiter at the Cheesecake factory.
▪ A business administration graduate working as a secretary at a prison.
▪ A technical management graduate working as a sales associate at Macy’s.

The Miami Herald reporter found at least one more example,

One former student at DeVry’s Miramar campus told the Herald that the school’s recruiter made it seem like his project management degree would lead to guaranteed employment. But after graduating in 2011, the student, who asked to be identified only by his first name, Luis, said he never got a callback from the more than 50 job postings he applied for.

Luis said he has $30,000 in student loans, and is working the same type of job he had before enrolling at DeVry, as a medical device technician.

A blog post on the Republic Report included two more examples,

graduates who majored in technical management working as unpaid volunteer positions at medical centers;

a business administration graduate with a health care management specialization working as a car salesman.

Not surprising, the corporate leadership of DeVry University denied the claims, and dismissed the evidence as "anecdotal examples that exaggerate the allegations but do not prove them."  They focused on the overall numbers, claiming that "there is no national standard for calculating employment statistics...."

 Yet they did not challenge the particular anecdoes, all of which seemed to be examples of unsuccessful placements claimed by the University to be the opposite.

Adding to Previous Concerns about DeVry Owned Offshore Medical Schools

In 2013, we posted about a Bloomberg investigative article about the two DeVry owned medical schools, at the American University of the Caribbean and Ross University.  The article focused on multiple issues:
-  high attrition rates of students compared to those in US based schools
-  inability of many students to complete clinical training in the customary two years
-  low rates of students matching to US residencies compared to US graduates
-  high costs for students, presumably a cause of their high levels of debt

Keep in mind that some of these concerns were based on statistics supplied by DeVry.  Yet now there is a new reason to be doubtful about their statistics.  Furthermore, while Eckhert wrote in 2010 that the increasing presence of offshore medical graduates in the US "obligates U.S. medicine to take a closer look at these educational programs," no such scrutiny has occurred since then. 


Summary

Outsourcing US medical education to offshore schools that largely escape regulation in the US, and in the countries in which they are located is another outstanding example of how the US has applied hyper market based solutions to health care. While more US students are attending such schools, and often paying a high price and incurring high indebtedness for the privileges of doing so, there are many reasons to be doubtful about the quality of the education they may receive, and the likelihood of their long-term success as physicians.

Yet health care, and particularly the quality of education received by those who practice medicine in the US, could be viewed as a public good.  Dubious training of US doctors affect not only the doctors themselves, but their patients' and the public's health.  Outsourcing this education could put a lot of people at risk.

However, it does provide an attractice opportunity for the managers of the outsourced system to make money.  Per the DeVry Education Group 2015 proxy statement, CEO received $5,343,407 in total compensation that year, and owned over one million shares of stock (currently valued at just under $20 million).  Four other named officers each received at least $1 million.

So, we see another aspect of the US health care system in which money seems to trump mission, facilitated by an unseemly alliance between wealthy corporate executives and bad US government policy.  We need to reexamine our fascination for "market based" approaches to health care, when almost nothing about any part of health care resembles, or could resemble a free market.  We need to make health care more transparent, and shine more sunshine on the nooks and crannies, like off-shore but US corporate owned medical schools.  We need to facilitate health care leadership and governance that puts patients' and the public's health first, way ahead of the personal enrichment of the participants.  

As long as the US continues its light touch regulation of the outsourced offshore system which now educates increasing numbers of US doctors(2), Americans who want to become doctors ought to be very skeptical about the futures they may face if they choose to go to such offshore schools. 

References

 1.  Eckhert NL.  Private schools of the Caribbean: outsourcing medical education.  Acad Med 1010; 85: 622-630.  Link here.
2.  Eckhert NL, van Zanten M.  U.S.-citizen international medical graduates - a boon for the workforce? N Engl J Med 2015; 372: 1686-7.  Link here.

Baca selengkapnya