Archive for the ‘Medicine’ Category

I like statistics. When properly used, they can tell you what has actually happened in the past. Statistics can provide valuable information to help you run your company or for the government to run the country. Statistics can tell you how closely two sets of data are related, their correlation. You might notice, for example, that since you introduced pastel colored widgets, your sales to teenage girls have significantly increased. You might jump to the conclusion that teenage girls prefer pastel colored widgets, and you might be right. On the other hand, the increase in sales to teenage girls could be due to your increased marketing of widgets in women-only high schools and colleges.

When statistics tell you that two quantities vary together, most people will believe that they are related in some way. You should always beware of jumping to conclusions. Correlation does not equal causation. Here are three very high correlation examples from Tyler Vigen’s book Spurious Correlations. I suspect there really is no relationship between the two quantities in each case.

Even if there is an actual cause-and-effect relationship, it may not be in the direction you think.

Your company collects more and more data about its operation, products and customers. Additionally, thousands of data sets are available from public and private sources about behavior, health, poverty rates, driving accidents and just about anything you can think of. Given enough processor power, you can search for correlations among these data sets. Sometimes these “strange” correlations can prove valuable. A dozen years ago, an almost random check found that the rate of auto accidents involving personal injury or death across the counties of one state correlated very highly with the number of people over 55 who were taking a specific medicine. The resulting investigation by the pharmaceutical company that manufactured the drug led to increased warnings to doctors and patients about a previously unsuspected age-dependent side effect.

When someone brings you one of these correlations, pay attention, but apply reason. Correlation is not causality.

The last word:

President Obama and many other politicians on the left want to make it illegal for law-abiding citizens to own a gun. In their view, only the government should have any weapons. They want to eliminate the Second Amendment to the US Constitution. The primary reason the first session of the US Congress included that amendment in the Bill of Rights was the recent experience with their prior government. The British Government severely limited gun possession in towns and cities; they could not police the rest of the colonies. They feared, rightly it turned out, that the colonists could use those weapons against the British government. The US Founding Fathers wanted to make sure that a future government could not take away citizens’ rights without the citizens having a last resort to deal with a run-amok government.

President Obama will tell you that eliminating all legal guns is the solution to these tragic mass-shooting events. But we know that is a false argument. Almost every one of the mass shooting events in the past two decades has been in a “gun-free zone.” We have been steadily increasing the number of these zones, so they include virtually every school, sporting event, shopping area, government facility, and even most portions of our military bases. We actually put up signs to indicate to potential terrorists where they will have five to thirty minutes of unbothered time to kill as many unarmed victims as they can.

Consider the recent Oregon tragedy. Chris Mintz is a student at Umpqua Community College. A decorated Army veteran, he tried to stop the gunman before he entered the classroom where the gunman killed nine students. Mr. Mintz was shot seven times for his bravery. If Mr. Mintz had had a weapon with him, the results could have been vastly different.

Oregon state law actually requires that colleges allow guns on campus in some circumstances. At a minimum, a college must allow a visitor with a carry permit to bring a gun on campus, but not necessarily a student. Until police arrived, the gunman was the only person with a weapon on the campus.

Gun control laws do not keep guns out of the hands of criminals and terrorists; they only keep them out of the hands of law-abiding citizens. Chicago, with restrictive gun control laws, had over 400 murders in 2014. That is the equivalent of an Umpqua Community College event every 8 days.

We are painting a target on the back of our children.

Comments solicited.

Keep your sense of humor.



A writer friend posted a blog about Ancient Remedies Resurrected. He blogs mostly to help other writers use medicine correctly in their fictional murders. This particular post discusses the surprising success of a medieval recipe in killing specific troubling antibiotic-resistant bacteria.

  • Who would suspect that a thousand-year-old Anglo-Saxon recipe to vanquish an infected eyelash follicle could do that?
  • Who even tried the recipe on something different than its original documented purpose?
  • Why was the recipe still around?
  • Who could read it?

The first two questions are relatively easy. Some ancient remedies actually work. They were created over hundreds or even thousands of years of experimentation in the real world. Many experiments failed, with the expected unpleasant results. Some worked and were passed down orally from “doctor” to “doctor,” often from parent to child. Often the “doctor” was closely associated with the local religion. One recipe for curing fever occurring in the brain is on an eighth-century BC tablet. The particular poultice is attributed to oral medical lore dating back to around 1860 BC. The tablet itself cites “mythological sages from before the Flood.” It is hard to argue with such authority. Enough of these old recipes work that it is well worth the effort to test them. Government agencies, pharmaceutical companies and universities all spend some effort searching ancient texts and experimenting. Looking at what the recipe does from a scientific viewpoint may point out some other possible uses of the drug.

The last two questions are the really important ones.

The survival of any particular ancient text is more due to luck than good data management. There is so much that can go wrong. The document first of all has to avoid being broken into a thousand pieces, sunk in the middle of the ocean, cleaned and reused, or being damaged by the ravages of nature with floods, fire, mold, or rot. But perhaps the greatest danger to old documents is man. Opened in the third century BC, the Library of Alexandria was one of the largest and most significant libraries in the world of its time. The library was destroyed, first by Julius Caesar during his siege of Alexandria in 48 BC, and finally by Coptic Pope Theophilus in 391. Pope Theophilus was very thorough. Not only did he complete the destruction of the main library, he also destroyed a smaller branch, the Serapeum, located elsewhere in Alexandria. Perhaps the first recorded case of a backup failure.

Maybe as significant for the preservation of possible ancient medicinal cures was the destruction of all but four of the thousands of Maya codices by Spanish conquistadors and Catholic priests. Why were they destroyed? According to Bishop Diego de Landa in July 1562, because “they contained nothing but … superstition and lies of the devil.”

Unfortunately, this organized destruction of the past continues to this day as the result of conquest and religious fanaticism.

We recently visited one such ancient document, and it was only 800 years old. It was both surprisingly readable and very hard to read, and it was in a language we had some rusty familiarity with. Imagine the difficulty of even deciphering an ancient text and then determining its meaning. We do not have a Rosetta Stone for most ancient languages. I am referring to the multi-language stone found in Egypt during Napoleon’s conquest, not the language instruction company – although the statement applies to both. Often even the structure of the language as well as the meaning of individual characters or symbols had to be coaxed out of many documents by many people over many years. Only after that can other researchers begin to search for specific snippets of interest, like medical recipes.

In trying to recreate the recipe that began this post, researchers had to figure out what the ingredients really were, and hope that modern garlic is similar enough to 1,000-year-old garlic to actually work. In most cases an ancient text will not describe exactly how hot or how long to cook something, or even how much of each component was to be used.

As I discussed earlier, it is perhaps as difficult to keep data for the long term in today’s electronic age as it was in ancient times.

The last word:

Save the data, especially if you have no idea what value it might have in the future. Pictures, movies, personal history stories whether written or currently only oral could be important. Talk to older relatives and friends and get their stories saved. Do it now while you still can.

If you save oral recordings, go back and make transcripts that can also be saved. A hundred years from now there may be no one who can understand what was said.

If your family knows a language that is little used, work to preserve it so its oral and written legacy can be saved.

Even mundane business records can have historical value in a distant future. Kyle Harper used ancient purchase records to reinterpret the end of Roman slavery by determining what slaves were eating in Rome around 300 AD. This kind of information can help fill in the gaps about a civilization and the well-being of its people, whether wealthy citizens or slaves.

As I have said before, keeping data on paper only is not the best idea.

Comments solicited.

Keep your sense of humor.



Once again a company that we trust with our health and personal information has betrayed that trust. Cybercriminals were able to hack into an Anthem database that contained up to 80 million records of current and former customers and company employees. The information now in the hands of criminals includes names, Social Security numbers, birthdays, postal and email addresses, and employment information including income data.

Anthem stated that no credit card or medical information was compromised, but the information that was stolen is sufficient to launch successful identity theft attacks against every one of the tens of millions of compromised individuals.

Anthem noticed the intrusion on January 29, but analysis of the infrastructure the attackers likely used suggests that they first gained a foothold on Anthem’s servers in April 2014, nine months before Anthem noticed the attack. One link in the chain used to establish the malware at Anthem went through China. Whether that is a significant fact is unknown at this time. Anthem immediately notified the FBI.

Since admitting the attack, Anthem has been sharing information about the attack including IOCs (indicators of compromise) with HITRUST, the Health Information Trust Alliance, and NH-ISAC, the National Health Information Sharing and Analysis Center. These groups disseminate information about cyber threats to the healthcare industry. So far, these IOCs have not been discovered by other health care organizations. It appears that this attack was focused against Anthem.

Clearly, Anthem is not paying attention to the security of their customers’ data. None of this data was encrypted. Anthem has contracted with Mandiant, a cybersecurity firm, to evaluate their security systems and identify solutions. Seems to me they are a year late with this kind of analysis.

The brands impacted by this breach: Anthem Blue Cross, Anthem Blue Cross and Blue Shield, Blue Cross and Blue Shield of Georgia, Empire Blue Cross and Blue Shield, Amerigroup, Caremore, Unicare, and Healthlink. It can also impact anyone holding a BlueCard. A BlueCard enables members of one Blue Cross / Blue Shield plan to obtain healthcare services while traveling or living in another service area. Blue Cross / Blue Shield Federal Employee Programs are also impacted. This information is linked through a single electronic network throughout the US and 200 other countries and territories.

What should you as an individual do if you think you were impacted?

  • You may receive an email apparently from Anthem. These emails are not from Anthem and are scams attempting to get your personal information. Do not click on any link in such an email.
  • You may also receive a phone call apparently from Anthem about the attack. These calls are also not from Anthem. As always, do not give out credit card or Social Security numbers over the phone on any call you did not initiate. Hang up.
  • According to Anthem you should receive a letter in the mail “in the coming weeks.” That letter will advise you of the protection(s) being offered.
  • Take whatever identity theft services they offer.
  • Continue to monitor all of your financial accounts, including mortgage, investment, and loan accounts.
  • Consider putting a security freeze on your credit reports at each of the three reporting companies, Equifax, Experian, and TransUnion. Most businesses will not open a new account without first checking your credit history, so if they cannot access it they are quite likely to deny credit to someone applying in your name. It may cost you a few dollars, but it really does stop most identity theft. Availability and cost vary by state. If you want to request credit, you can lift the freeze just enough to let a specific request be accepted.

If you are responsible for the personal information of your customers, employees or contractors, how vulnerable are you? You should not guess the answer. Find out, before you become the next Anthem.

Anthem will have some very stiff fines as a result of this breach. Between 2009 and 2013, HHS levied HIPAA fines of more than $25 million for data breaches. But this attack impacts more than twice as many people as all of the 2009-2013 breaches involving fines combined.

In 2014, Columbia Medical Center was fined $4.8 million for a data breach involving fewer than 10,000 people.

The last word:

Sometimes personal data is “released” on paper. Hundreds of documents from the Philadelphia Adult Probation and Parole Department were found in early February strewn across several streets in part of Philadelphia. These documents contained names, addresses, birthdates, Social Security numbers and signatures. The best guess as of this writing is that one or more boxes of information fell off a truck on the way to a nearby recycling center. The documents were not shredded.

Comments solicited.

Keep your sense of humor.



I recently wrote about some of the impacts that government regulations around the Affordable Care Act are having on small medical practices. One of those impacts has to do with coding. These codes are established by the World Health Organization, part of the United Nations, in a medical classification list called the International Statistical Classification of Diseases and Related Health Problems, usually just called “ICD.” In the US this is really two lists: a list of diagnosis codes (the ICD-10-CM clinical modification, maintained by the National Center for Health Statistics) and a separate list of procedure codes (ICD-10-PCS, maintained by CMS).

The current set, ICD-9, has about 13,000 diagnosis codes and 3,000 procedure codes. The 30-year-old ICD-9 suffers from several problems: it lacks detail, uses generic terms, is based on outdated technology, and has limited capability to add new codes.

The new set, ICD-10, addresses those problems. It provides for up to 68,000 diagnosis codes and 87,000 procedure codes.

In a recent one-week nation-wide test involving over 127,000 claims from 2,600 health care providers, suppliers, billing companies and clearinghouses, only 89% of the claims were accepted without issues. This test involved claims from only about 5% of potential claim submitters, and only included those who agreed to be part of the test and had been working on this conversion for years. After October 1, 2015, claims that do not use ICD-10 or have issues with the ICD-10 codes will not be processed, and claims not processed will not be paid. The official position: physicians are urged to set up a line of credit to mitigate any cash flow interruptions that may occur.

As you can imagine, there are some fairly unusual codes. One that has made the NPR circuit is V91.07: burn due to water-skis on fire. But NPR did not get the story correct. V91.07 is not a valid code by itself; this category requires a seventh character that identifies the encounter, and because V91.07 only has five characters, the placeholder X fills the sixth position so that the extension lands in the seventh. You must use one of these three codes to describe the diagnosis in greater detail:

  • V91.07XA – initial encounter
  • V91.07XD – subsequent encounter
  • V91.07XS – sequela

A “sequela” is a condition that results from an earlier injury or disease and persists after the acute phase is over, such as scarring from a burn.
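The seventh-character rule is easy to get wrong in billing software, and a malformed code is rejected rather than paid. As an added example (not from the post, from NPR, or from any coding vendor), here is a small Python validator for the structure of ICD-10-CM codes: it normalizes the input, checks the code shape, enforces the X-placeholder rule, and reports a code from a category that needs a seventh character as incomplete. The one-entry table of such categories, the status names and the assumption that characters 4-6 never legitimately contain an X other than the placeholder are mine, for illustration.

```python
import re
from typing import Dict, NamedTuple

# Constructed subset of the ICD-10-CM seventh-character table; only the
# category from the post is included, with its allowed extensions.
SEVENTH_CHAR: Dict[str, Dict[str, str]] = {
    "V91": {"A": "initial encounter", "D": "subsequent encounter", "S": "sequela"},
}

# Shape of any ICD-10-CM code once the decimal point is removed:
# a letter, a digit, then 1 to 5 alphanumerics (3 to 7 characters in all).
_SHAPE = re.compile(r"^[A-Z][0-9][A-Z0-9]{1,5}$")


class Result(NamedTuple):
    code: str    # normalized form without the decimal point
    status: str  # valid | well_formed | incomplete | invalid_seventh | bad_placeholder | invalid_format
    detail: str


def normalize(raw: str) -> str:
    """Upper-case, strip, and drop the decimal point, which must follow character 3."""
    s = raw.strip().upper()
    if "." not in s:
        return s
    head, _, tail = s.partition(".")
    if len(head) != 3 or "." in tail:
        return ""  # decimal point in the wrong place; caller reports invalid_format
    return head + tail


def validate(raw: str) -> Result:
    code = normalize(raw)
    if not _SHAPE.match(code):
        return Result(raw.strip().upper(), "invalid_format",
                      "expected a letter, a digit, then 1-5 alphanumerics, decimal after character 3")
    # Placeholder rule (assumed: X in positions 4-6 is only ever the placeholder):
    # once an X fills a position, every later position before the 7th must be X too.
    middle = code[3:6]
    if "X" in middle:
        run = len(middle) - middle.index("X")
        if not middle.endswith("X" * run):
            return Result(code, "bad_placeholder", "real characters may not follow an X placeholder")
    allowed = SEVENTH_CHAR.get(code[:3])
    if allowed is None:
        return Result(code, "well_formed", "shape is valid; completeness not checked (category not in table)")
    if len(code) < 7:
        return Result(code, "incomplete",
                      f"category {code[:3]} needs a 7th character from {sorted(allowed)}; pad with X to position 6")
    if code[6] not in allowed:
        return Result(code, "invalid_seventh", f"7th character {code[6]!r} is not one of {sorted(allowed)}")
    return Result(code, "valid", allowed[code[6]])


if __name__ == "__main__":
    for sample in ("V91.07", "V91.07XA", "v91.07xs", "V91.07A", "V91.07XB", "V91.0X7A", "V9.107XA"):
        print(f"{sample:10} -> {validate(sample)}")
```

The interesting rejections are `V91.07A` (the extension is in the sixth position instead of the seventh, so the code is reported incomplete rather than accepted with the wrong meaning) and `V91.0X7A` (a real digit after the placeholder). A production validator would load the full category table from the annual CMS release instead of the constructed entry used here.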

Before you scoff at this diagnosis, check out these guys.

Countries adopt their own national modifications of ICD-10 (ICD-10-CM in the US, ICD-10-CA in Canada, ICD-10-AM in Australia, ICD-10-GM in Germany), so for those of us who travel to foreign countries, there is likely to be some confusion between your insurance provider and the local healthcare facility if you are injured or sick outside your home country.

Many organizations have already been working on this conversion for a few years. There are also lots of companies out there to help medical staffs make the transition. For example, Find-A-Code has search solutions for small practices ($300/year) and larger facilities ($950/year).

Like a lot of things in the Affordable Care Act, the end result of the conversion will be beneficial to patients. Getting there will be a really interesting ride, and will contribute to the loss of small medical practices with a potentially significant negative impact in rural areas.

The real concern will be the significant number of coding errors during the transition. Each diagnosis coding error can lead to health workers administering the wrong procedures, especially as patients are shifted between doctors and other care providers in larger medical organizations.

The last word:

Considering the large number of people who have access to your health care information, and the number of breaches in personal health care data, you should be concerned over misuse of your data. Certainly the government will have access. Expect companies, perhaps legally, to offer your health care information to your current or potential employer, and certainly to your insurance providers.

Read carefully the fine print around any job or insurance application you submit. You may be granting them access to all of your medical data as well as your financial data as part of a “background check.” HIPAA actually treats much of your medical information as a valid part of your employment record. This includes anything related to drug testing, Family and Medical Leave Act, Americans with Disabilities Act, Occupational Safety and Health Administration, workers’ compensation records, sick leave or return to work documents, and anything related to a drug or alcohol free workplace.

There are legal restrictions on what a company can access or ask for, but if you say “yes” in a job application all bets are off.

Comments solicited.

Keep your sense of humor.



Last time I wrote about The Need to Protect Healthcare Data, or perhaps more importantly the potential cost of not protecting it. This time I want to talk about how to do that in a non-disruptive way that will probably save your organization money while significantly reducing the chances of a major data breach involving hundreds or thousands of patient records. Of course the same approach can be used to protect any kind of protected information from exiting en masse in any line of business.

The key is to protect the “crown jewels” – the database that contains the data that must be protected. Normally, these systems are implemented as three-tier environments. To keep the picture and words simple, in this discussion each tier has only one server but in a real implementation each tier is usually composed of multiple servers for redundancy or to provide the necessary performance.

  • The data tier contains the database server that actually contains the database. This server contains the software that manages all access to the data: no one can access the data without eventually getting to the database server.
  • The application tier controls the business logic that uses the database. These are the programs that implement information retrieval and update for the medical staff, capture information from medical device controllers, and handle data retrieval for meaningful use and billing.
  • The presentation tier is what interfaces with the user or another application system. It is often implemented as web services so that any device with a web browser can access the same information.

For example, when a doctor needs to see a patient’s chart from her tablet, she can use a browser or a special tablet application to ask for the current chart for “John Smith DOB 04/23/1945.” The tablet browser or application sends that request to the presentation tier, which authenticates the doctor if necessary and forwards the request to the application tier. There a program formats a query against the database and sends it to the data tier. The data tier retrieves the information and sends it back to the application tier, which formats the specific information for the chart and sends that to the presentation tier. The presentation tier then sends it to the tablet browser or application for display to the doctor.

While this may seem like a complicated process, it nicely separates the operation so that, for example, a different kind of user device with completely different display characteristics can be easily added by changing only the presentation tier, and usually just making a single change that will work independent of the specific kind of transaction. Similarly, it allows the application layer to perform additional validation on a specific transaction, such as verifying that the doctor is permitted by HIPAA to see John Smith’s information.

The goal is to limit access to the application and data tiers to only those specific devices that have a valid need to access those tiers. In particular, only the servers in the application tier should be allowed to access the servers in the data tier, and only the servers in the presentation and data tiers should be allowed to access the servers in the application tier. There are, of course, users called administrators who require direct access to the application and data tier servers. These are the people who are responsible for the management and operation of the applications and database. In most organizations, there are just a few database administrators and application administrators who must have direct access to those servers.

The solution described here uses the Unisys Stealth Solution. Stealth encrypts the traffic it carries, but the key principle behind Stealth is that it only allows a device to communicate with another device if they share a Community of Interest, a COI. A COI is nothing more than a group of people and servers. Data can be shared freely within a COI, but must not be shared with any person or server not in the COI. In the usual Stealth installation, a user’s COI or set of COIs is specified in the site’s identity management system, the system that is used to authenticate a user when the user signs on. If some device tries to access a Stealth-protected server or workstation without belonging to the same COI, then the Stealth-protected device is completely invisible; the Stealth-protected device simply will not respond to anything from that device.


The picture represents each tier by a single server and shows one database and one application administrator. As stated before, there are usually multiple of each. The red lines show the communications paths protected by Stealth. The black line represents clear-text traffic coming from the organization’s internal network or over the Internet. The Internet traffic should already be protected by some form of encryption such as IPsec or TLS (SSL). There are three Communities of Interest (COIs) in the diagram. The green dots represent devices in the DB COI, the blue dots represent devices in the Application COI, and the yellow dots represent devices in the DB Administrator COI. Only the database administrator and the application tier server can access the data tier server. Only the data tier server, application administrator, and presentation tier server can access the application tier server. Any other device attempting to access the data or application tier servers would be completely ignored.

Since the individual administrator’s COI is determined at log on time, it does not matter which workstation an administrator uses. When an individual signs on with a database administrator’s credentials, he now has the DB ADMIN COI and can access the data tier server.

One Stealth implementation can protect multiple databases that are in the same network segment, i.e., are visible from each other in the network. Otherwise you can replicate the Stealth implementation as needed.

This solution has no impact on existing applications and is invisible to end users and even to the database and application administrators. Capital savings come from not requiring as much network infrastructure such as firewalls. Operational savings come from not needing to reconfigure firewalls or other network security devices and applications. If an administrator is added or moves on, simply change your identity management system. Stealth then automatically permits or prevents the individual from accessing the database or application servers. One caveat: the application tier server remains a full member of the DB COI, so an attacker who compromises it (for example through an injection flaw in the application code) inherits its path to the database. The COI boundary narrows who can reach the data tier; it does not validate what they send once there.
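To make the rule concrete, here is an added example (my own model, not Unisys code) of the Community-of-Interest decision applied to the diagram above. It encodes only what the post states: two endpoints may talk if and only if they share at least one COI, a non-member gets no response at all, and a workstation holds COIs only through the identity of the user logged on to it. The server and COI names follow the diagram; the identity store, user names and workstation names are constructed for illustration.

```python
"""Model of the Stealth COI rule over the three-tier diagram (added example, not Unisys code)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# COI membership of the tier servers, as described for the diagram.
SERVER_COIS: Dict[str, Set[str]] = {
    "presentation": {"APP"},
    "application": {"APP", "DB"},
    "data": {"DB", "DB_ADMIN"},
}

# Constructed identity-management records. COIs hang off the user identity,
# so a workstation only has COIs while that user is logged on to it.
IDENTITY_STORE: Dict[str, Set[str]] = {
    "dba_alice": {"DB_ADMIN"},
    "appadmin_bob": {"APP"},
    "clerk_carol": set(),
}


@dataclass
class Endpoint:
    name: str
    cois: Set[str] = field(default_factory=set)


SERVERS: Dict[str, Endpoint] = {n: Endpoint(n, set(c)) for n, c in SERVER_COIS.items()}


def logon(workstation: str, user: str) -> Endpoint:
    """The workstation takes on exactly the COIs granted to the authenticated user."""
    return Endpoint(workstation, set(IDENTITY_STORE.get(user, set())))


def can_talk(src: Endpoint, dst: Endpoint) -> bool:
    """A shared COI permits traffic; no shared COI means the destination stays silent."""
    return bool(src.cois & dst.cois)


def handle_packet(src: Endpoint, dst: Endpoint) -> Optional[str]:
    """Returns a reply for a COI member and None (no RST, no ICMP, nothing) for anyone else."""
    if not can_talk(src, dst):
        return None
    return f"{dst.name} accepted packet from {src.name}"


def reachable_from(src: Endpoint) -> Set[str]:
    """Which tier servers would even acknowledge this endpoint."""
    return {n for n, s in SERVERS.items() if n != src.name and can_talk(src, s)}


if __name__ == "__main__":
    for tier in SERVERS.values():
        print(f"{tier.name:12} -> {sorted(reachable_from(tier))}")
    for user in IDENTITY_STORE:
        ws = logon("ws-17", user)
        print(f"{user:12} on ws-17 -> {sorted(reachable_from(ws))}")
    # The limit of the model: the application server is already a DB COI
    # member, so whatever it sends to the database is accepted as legitimate.
    print(handle_packet(SERVERS["application"], SERVERS["data"]))
```

Running it shows the presentation tier reaching only the application tier, the DBA reaching only the data tier from whatever workstation she logs on to, and a clerk (or a stray laptop on the same segment) reaching nothing at all. It also shows why the application tier still needs its own input validation: from the data tier’s point of view, a compromised application server is indistinguishable from a healthy one.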

If you do not have a tiered implementation or have collapsed the tiers onto a single server, and therefore allow end users to directly access the server containing the database then this mechanism does not help. Then again, not much would be able to help in this situation. You first need to separate your environment into multiple tiers so that any security solution can control access to the database and application servers.

The last word:

This mechanism does not protect against the accidental or deliberate loss caused by inappropriate actions of individuals who are authorized to access the data. This includes the file clerk who walks away from a logged-on workstation in a semi-public area, or the doctor who foolishly loads a couple of patient files on her son’s laptop at home. There are ways to reduce the chances of these kinds of incidents, and in super-sensitive environments it makes sense to make those investments. But they are very expensive and usually not worth the cost. While these errors are regrettable, they rarely lead to fines, the risk of losing accreditation, or the CIO needing to find a new job.

As always, the key is to have a good security policy document and provide annual security training emphasizing to employees and contractors that you are serious about data security.

Comments solicited.

Keep your sense of humor.



Healthcare CIOs have some real problems today. The Affordable Care Act (ACA) is having a big impact on the industry. The rules themselves are changing as the US President makes changes to the law, and depending on the outcome of the November congressional elections in the US we may have a congress that makes additional changes. The behavior of insurance companies is transforming as a result of the ACA, and health care customers, like you and me, are changing the way we access health care as we learn, usually the hard way, what is and is not covered and how much it will cost us. Just adding millions of new customers can have a destabilizing impact to the industry.

On top of that, factor in the government mandated migration from paper records to electronic medical record (EMR) systems. While the end results are probably beneficial, the migration is nothing but pain over many months or years for most organizations.

If that wasn’t enough, a combination of factors, including the ACA, is leading to massive mergers of hospitals and medical practices into larger and larger enterprises. The dozens of hospitals that existed in my area a decade ago are now just a couple of mega-medical companies. These mergers and acquisitions offer the CIO the opportunity to reconcile and merge a number of totally different hardware and software medical systems into one, or to figure out how to run a business with multiple billing systems while keeping patient records accurate across multiple EMR systems.

No wonder that most of these CIOs do not have the time to be very interested in data security. There are millions of dollars of government rewards for moving to EMR and enabling Meaningful Use. Meaningful Use has the potential to provide significant benefits in health care and could lead to quicker approval of new uses for existing treatments, along with a significant increase in the potential for the government and insurance companies to misuse data about individuals. There are millions to be saved by quickly moving to a single software environment in these growing amalgamations of separate health care organizations. Besides, what’s the worst that can happen if a few records are stolen? It happens every day with doctors and file clerks accidentally leaving patient records out on an unattended desktop or similar sloppy behavior at labs, pharmacies and hospitals.

To a large extent, that is a reasonable response. Even the desired end state of completely integrated EMR and billing systems plus a fully functional nationwide Meaningful Use infrastructure will not prevent these kinds of small errors. The loss of one person’s information is not a big problem for the medical institution.

However, the loss of thousands or millions of people’s medical records is a big problem for a medical organization. In my February 2014 posting The Cost of a HIPAA Breach I show that for significant breaches the cost in fines alone can start at $150,000 and easily rise to over a million dollars per incident. This does not include the approximately $200 for each lost record that it costs an organization on average to deal with a data breach.

A major data breach at your hospital or medical practice can cost millions of dollars in fines, plus risks the loss of accreditation of your organization. It also often causes the CIO, or even the CEO, to seek employment elsewhere. If you think you have never had a breach, you would be better to think instead that you don’t know that you have had a data breach. Health care data accounted for 43% of major data breaches in 2013, and the Washington Post reported that over 30 million patients have been impacted by health care data breaches. Over 80% of data breaches are discovered by a third party.

For a longer look at these issues, check out Daniel Berger’s June 2014 What Healthcare CEO’s Need to Know about IT Security Risk paper. Mr. Berger is President and CEO of Redspin, Inc. Based in Santa Barbara, California, Redspin has become a leader in healthcare IT security and provides HIPAA security risk analysis and compliance, including meaningful use.

As your organization advertises its new treatment options, new care centers and new growth, a front page article that you have just lost thousands of patients’ data can negatively impact its reputation.

Next time I plan to talk about a way to protect the crown jewels of your IT infrastructure: the databases that contain your critical health care and financial data.

The last word:

In addition to the financial risks, hacking into health care records can kill people. Changing prescriptions, diagnosis, or test results, or modifying instructions to network-connected imaging, drug dispensing, and operating room equipment can kill or seriously harm a patient. Or a thousand patients.

Comments solicited.

Keep your sense of humor.

Science and technology have provided many new wonders in the past few years.

DNA analysis is an important tool in convicting the guilty and exonerating the innocent, and is just opening up new possibilities in medicine, with some cancer centers analyzing your DNA to help determine the most effective treatment program.  Check out Jim Murray’s blog for lots of postings on the intersection of murder and medicine.

But an even more enabling technology has been the Internet and Cloud Computing.  You are all aware of their impact on business.  The Cloud has disrupted the music and movie industry, news media, and many consumer-oriented businesses.  Legacy companies that have learned to embrace a new paradigm for customer relationships and doing business by seamlessly integrating their brick-and-mortar and on-line presence are thriving.  Those that have not are in deep trouble, even if they don’t know it yet.  New companies have almost unlimited opportunities for growth at a fraction of the cost of starting a new business just ten years ago.

As I recently posted, the Cloud is also driving a much-needed revolution in education, with the opportunity for vastly superior education opportunities at significantly reduced cost.

Sometime in the next five years, after we get over the conversion hump, electronic medical records (EMR) will revolutionize the actual practice of medicine, significantly reducing errors while reducing clerical requirements.  EMR is impossible without the Cloud providing a consistent set of information to everyone connected with your health care, including doctors, hospitals, pharmacies and other caregivers.

Last year I wrote about “Your Smart House in the Cloud.”  Home security is also changing, with traditional home security services and traditional ISPs (like Comcast or Verizon) now offering the ability to monitor and control your house from a smart phone.  Want to see what your children are doing while you’re away on a trip?  No problem.  Forget to set the thermostat?  No problem.

Google and others already have cars that can successfully navigate autonomously.  No more getting turn-by-turn directions from Google maps; let the car do that and get you there while you read, watch a movie, or get some shuteye.  Although, based on a recent personal experience with a closed bridge, it could be amusing.  Our smart phone was baffled by the situation and kept trying to get us back to where we could try to cross the same closed bridge.  In October 2012, California joined Nevada and Florida in approving those cars for the public highway.  (Interestingly, no state actually has a law that prohibits a driverless car, and as of this writing, none of the autonomous cars can back up, yet.)

But every one of these benefits is potentially a two-edged sword.  One of the most serious dangers is what I call “predictive punishment.”

Some auto insurance companies want to constantly monitor your car to determine how you are driving in real time, and set your rate accordingly.  I’m not sure what kind of algorithm they are using, but at least it includes speed and braking information.  Someone driving at 75 mph on I-80 in Nevada is likely to be a safe driver, yet someone driving 75 mph on the Schuylkill Expressway in Philadelphia is definitely not a safe driver.  This is a perhaps benign form of predictive punishment: based on a couple of data points about your driving, I will punish you with a higher rate.

Jim Murray often writes about the relationship between genes and crimes or diseases.  While there may be statistically significant relationships between a particular gene or set of genes and socially unacceptable behavior (the “killer gene,” for example), these relationships are not guaranteed.  The vast majority of people with these genes do not actually commit the crime or exhibit aggressive behavior, and many people who do murder do not have the gene.

We are steadily accumulating DNA records.  In some jurisdictions, police officers collect DNA from anyone they bring into the police station, even if that person is not a suspect and is never tried or convicted.  That DNA is never destroyed.

Expect your health insurance company to ask for and eventually demand your DNA.  Or, more likely, the U.S. government will demand your DNA for identification as well as health care.  Already the government controls what medical treatment you can get based on symptoms, as I found out when my doctor prescribed a specific test and Medicare told me I could not get the test because I did not have the appropriate symptoms.  This happened on two separate occasions with two separate tests.  Under U.S. Health and Human Services Rules, the government can override HIPAA security requirements to use your health data for “meaningful use.”  It is not a big leap from there to serious predictive punishment: forcing or denying treatment based on your DNA.

DNA information could also be used to set your life insurance rate, or to prevent you from getting a job.  If a company had your DNA, it could deny you a job because you had a slightly higher probability of being aggressive or of getting an expensive disease.  If it had two qualified candidates, it would be very hard to prove that it used DNA in the final selection.  On the other hand, if a company had a candidate’s DNA, hired him, and he later “went postal,” the company could be liable for lawsuits because it knowingly created a higher-risk working environment.

The issue is that there are far too many false positives: indications that something might happen but usually does not.  This type of statistical analysis, whether based on how fast you drive or on your DNA, may be quite accurate over a large population but is almost useless as a prediction for any one individual.
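To put numbers on the false-positive argument above, and on the earlier point that most carriers of a “killer gene” never commit a crime while many who do lack the gene, here is an added example that is not part of the original post.  The marker rate, outcome rate and relative risk are constructed assumptions for illustration, not figures from any study.

```python
"""Base-rate arithmetic behind "predictive punishment" (added example).

A marker can be strongly associated with an outcome across a population and
still say almost nothing about any one carrier.  All numbers are constructed.
"""


def marker_statistics(marker_rate: float, outcome_rate: float,
                      relative_risk: float) -> dict:
    """Return what a marker tells you about an individual.

    marker_rate    - fraction of the population carrying the marker
    outcome_rate   - overall fraction of the population showing the outcome
    relative_risk  - how many times more likely carriers are to show the
                     outcome than non-carriers (the "statistical significance")
    """
    if not (0.0 < marker_rate < 1.0 and 0.0 < outcome_rate < 1.0
            and relative_risk > 0.0):
        raise ValueError("rates must be in (0, 1) and relative risk positive")

    # Overall rate is a mixture of carriers and non-carriers:
    #   outcome_rate = marker_rate * p_carrier + (1 - marker_rate) * p_non
    # with p_carrier = relative_risk * p_non.  Solve for p_non.
    p_non = outcome_rate / (marker_rate * relative_risk + (1.0 - marker_rate))
    p_carrier = relative_risk * p_non
    if p_carrier > 1.0:
        raise ValueError("inputs are inconsistent: P(outcome|marker) > 1")

    # Of everyone flagged by the marker, how many would never show the outcome?
    false_positive_fraction = 1.0 - p_carrier
    # Of everyone who does show the outcome, how many carry the marker at all?
    share_in_carriers = marker_rate * p_carrier / outcome_rate

    return {
        "p_outcome_given_marker": p_carrier,
        "p_outcome_given_no_marker": p_non,
        "false_positive_fraction": false_positive_fraction,
        "share_of_outcomes_in_carriers": share_in_carriers,
    }


def expected_flags(population: int, marker_rate: float, outcome_rate: float,
                   relative_risk: float) -> dict:
    """Expected head-count when the marker is used to 'predict' a population."""
    s = marker_statistics(marker_rate, outcome_rate, relative_risk)
    carriers = population * marker_rate
    return {
        "flagged": round(carriers),
        "flagged_who_show_outcome": round(carriers * s["p_outcome_given_marker"]),
        "flagged_who_never_do": round(carriers * s["false_positive_fraction"]),
        "outcomes_missed_by_marker": round(
            population * outcome_rate * (1.0 - s["share_of_outcomes_in_carriers"])),
    }


if __name__ == "__main__":
    # Constructed scenario: 5% carry the marker, the behaviour occurs in
    # 1 in 1,000 people overall, and carriers are 10x as likely to show it.
    stats = marker_statistics(marker_rate=0.05, outcome_rate=0.001,
                              relative_risk=10.0)
    for key, value in stats.items():
        print(f"{key:32s} {value:.4f}")
    # Applied to a city of one million people:
    print(expected_flags(1_000_000, 0.05, 0.001, 10.0))
```

Even with a tenfold relative risk, more than 99% of flagged carriers never show the outcome, and about two thirds of the people who do show it carry no marker at all.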

We may want to consider an addition to the protections against government provided by the U.S. Constitution: the protection against predictive punishment based on statistical analysis and not behavior, especially as related to our personal DNA.

The last word:

Once something gets into the Cloud or on the Internet, it is there forever.  That data is vulnerable to attack by cybercriminals and governments.  Incidentally, that includes the camera feeds from your new home security system.

As companies and governments collect more and more personal data, the risk that the data will be used against us increases.  The recent revelations of what the U.S. National Security Agency collects from the Internet are likely just the tip of the iceberg of what it really collects.  The U.S. intelligence agencies have demonstrated that they are very bad at “connecting the dots” before an event.  That does not stop them from violating U.S. citizens’ rights as they come into the U.S. because of a random “connection.”  Check out a recent NPR On the Media article.

Comments solicited.

Keep your sense of humor.

I first blogged about electronic medical records (EMR) almost three years ago, comparing the effort necessary to convert just the US medical industry to their use with the effort around Y2K, the effort to make computer systems survive the transition from 1999 to 2000.

The Y2K effort was huge.  Most people today think it was a non-event, but the worldwide cost was estimated at more than US$300B.  Oh, there were some amusing incidents, like the inability of California to issue five-year driver’s licenses in 1995 and 1996 (the license showed up as expired when a police officer ran your license after a traffic stop).  There was the hilarious story of the lady who bought a 10-year CD in January 1990, and the bank added a few million dollars of interest overnight (thinking that the CD had matured in 1900).  Cars and planes and trains and ships, elevators and bank accounts and defense systems all continued to operate just fine.  The boss of the company I worked for at the time brought a big-screen TV into the lounge, added a few cots, and scheduled 24-hour-a-day coverage by support and engineering teams starting December 30.  We were all staring at the phones and emails when Guam hit midnight on 12/31.  By the time midnight reached Hawaii, the boss sent back the TV and we all went home.  Other than a couple of “hey, it worked!” emails, nothing happened.  The many hours we had spent making it a non-event were effective.

The EMR issue dwarfs the Y2K issue.  It will cost a lot more, and almost everybody will notice.

I went to an eye doctor two years ago.  Behind the reception area was a large room with rows of tall file cabinets full of paper files, probably going back decades.  The clerks had dozens of computer systems for appointments, billing and payments, interfacing with multiple insurance companies and governments, and lots of paper-based systems to keep records, doctor’s notes, prescriptions, and inventory.  They were just starting to transition to an EMR system.  They were ecstatic; soon everything would be in one system and they could get rid of the tons of paper.  The doctors expected to be able to reduce the size of their clerical staff, get insurance payments quicker, and in general eliminate a bunch of the stress of just running a small medical practice.  In preparation for my appointment, they had copied my paper records into the computer, and I spent 15 minutes with them reviewing it for accuracy.

I went back a couple of months ago for my annual (OK, bi-annual) checkup.  There were some obvious changes.  Oh, all the paper was still there, and all of the computer and paper systems still seemed to be in operation.  What had changed was the addition of a couple more clerks, and an increased stress level on everyone.  They were still in transition, and weren’t very happy about it.  They had yet to get to any of the benefits, but the journey was “interesting.”  I spent another 15 minutes with them reviewing my EMR for accuracy.

This is not a unique occurrence.  I have yet to talk to any medical facility that has had a smooth transition.  The best one was a transition that occurred in six months; most take one to two years, some are still going on after five years.

Scot Silverstein from Drexel University was quoted in a February 18, 2013, article in the Philadelphia Inquirer newspaper.  Silverstein believes that we are rushing too fast to EMR and that the notion that they prevent more mistakes than they cause is not proven.  He cites serious issues with some software components that printed orders for the wrong medicines, or the wrong dosage.  “We are in the midst of a mania” to convert to EMR, largely spurred by government carrot and stick tactics: money if you convert, delays in payments if you don’t.  “We know it causes harm, and we don’t even know the level of magnitude.  That statement alone should be the basis for the greatest of caution and slowing down.”  Silverstein does hold a minority view and he believes in the potential benefits of EMR over time, but “patients are being harmed and killed as a result of disruptions to care caused by bad medical IT.”

What happened?  Why isn’t the transition to EMR as smooth as the Y2K effort?  What happened is that IT folk treated EMR like they did Y2K – a huge project management problem, millions of separate things to be done in a specified time; 12/31/1999 was not going to slip.  Yet it all involved computer systems.  Fix the software, test it, and move to the next step.  IT people know how to do these kinds of projects, no matter how large.  The average person saw nothing, did nothing different other than, in a few cases, have to enter a four-digit year instead of a two-digit year.

But while Y2K was just an IT issue, EMR is an IT issue, a data conversion issue, and a people issue.  The IT issue is complicated, but really has no unknowns.  IT has done these kinds of software development projects before.

The data conversion issue is huge.  The electronic data is relatively easy, although there is usually a significant code conversion issue: the old system used “measles” and the new system uses “783.2” and each insurance company has a different code.  The hard part is paper.  Even a small medical practice has tons of paper.  For those skeptics, a box of paper (5,000 sheets) is 50 pounds.  A typical four-drawer file cabinet even if not stuffed will have about 200 pounds of paper in it.  It’s easier to count boxes or drawers – look in your doctor’s office file room and do a quick count.  A ton is about 200,000 pieces of paper.

Much of the data on those sheets is hand written, often by people in a hurry and not known for good handwriting.  A lot of it is second or third carbon copies, or faxed sheets.  OCR (optical character recognition) technology does not work very well under these conditions.  Each of those sheets has to be scanned, processed electronically, and then manually verified.  A trained clerk can do much of that verification, but some will require a medical professional to figure out.  This data conversion effort will probably be 99% correct, but that is hardly good enough since it probably means several errors per patient.  Most are likely trivial, but some may be critical.

But the real problem is people.  Every process changes: how you schedule appointments, admit patients, move patients between rooms, deliver medicines, conduct and review tests, bill, record doctor’s comments and directions, generate and fill prescriptions, …

The transition is a nightmare.

Some places try a slow phased transition – one system at a time or one ward at a time.  In general, I recommend this approach because you learn something at each phase, but it has the problem that you have to keep both the old systems and the new system running for a long time, probably several years.  When you have patients that move from an “old” environment to a “new” environment you have to scramble to get their information into the EMR system.  Worse, if you have a patient who moves from the “new” environment to the “old” environment, you end up in a real mess that confuses everybody.

Some places try a cold-turkey approach.  I have a good friend who is a senior doctor at a major hospital.  They decided to switch everything at once.  They picked 5 PM Friday, since over the weekend it is primarily the ER that is really busy – everything else slows down significantly.  They put on extra doctors, nurses, clerical people and representatives from the EMR vendor and concentrated them in the ER for the weekend.  I haven’t talked with her for five weeks.  A mutual friend says, “She is very busy.”  I suspect they all are.

This is what I think Scot Silverstein was really worried about: disruption.  The addition of process stress on top of the normal stress caused by caring for people’s lives must lead to errors.  A mistake can kill a patient, no matter where the mistake originates in the transition process.

The last word:

The value of EMR has not changed.  When we get there, we will have a less expensive, more efficient and safer care delivery environment.  The journey is just longer and more difficult than anybody imagined.  There is a huge training effort required, which I believe is largely ignored or significantly short-changed.  But it is a journey we all need to take.  It needs to be carefully planned.  Do not simply take the “migration plan” provided by the EMR vendor.  If you do not have project planning and management people on staff, get some who work for you and have them create a workable plan.  This process will take months, but it is critical.

I repeat my recommendation from 2010:  If you are a young software developer looking for a career, I have one phrase for you: “Electronic Medical Records.”  But I now add that same recommendation to you as a business graduate.  Medical organizations need even more help in the management of the transition to EMR.

Comments solicited.

Keep your sense of humor.

Mother.  I’ve known her a long time.

She was born in 1917 on a poor farm in western Pennsylvania.  Horses and people provided the only power.  She remembered when gaslights finally arrived, and they never had electricity on the farm.  On the rare occasions she had a spare dime, she would walk down the long hill to the crossroads village of Harlansburg, and then back up the hill with her treasure.  Yet during the Depression, they always had lots of food, mostly what they raised, grew and canned themselves or traded with their neighbors and family.  A nearby farm had a surface vein of coal, so they were always warm.  While it was just five of them on the farm, Mother, her Grandfather who owned the farm, her parents and her older brother, they were surrounded by their large family, enough cousins to field two football teams, a gaggle of cheerleaders, and a reasonable set of fans.  Her parents had been married at that farm on Christmas Day “because the house was clean and the whole family was there.”  Almost all the clothes Mother wore, even into her nineties, were clothes first her Mother and then she made.

She went to a one-room school for the first eight grades.  Shaw School was a very small clapboard building with a little porch and a warm cast-iron stove, one teacher, and not much else. High School was the new building a couple of miles away – two story stone, probably eight classrooms, with a bookcase in the hall acting as the library.  She really did walk to school, through the snow in the winters and uphill both ways to the High School, as there was a small rise between home and school.  Some winter days when the snow was just right, Grandpa would hitch the gray mare to the sleigh and take her to school.  We still have the sleigh bells that the horse wore.  It must have been a “Jingle Bells” moment.

After high school she went to Slippery Rock State Teacher’s College, got her teaching certificate and found her first job.  But she couldn’t teach.  She was only 17.  She sat out a year, a very frustrating year, and then started teaching in another one-room school.  Schools were much different then.  They lacked a lot of what we consider critical in education.  One such thing was the importance of grade level.  Back then you advanced in each subject at the pace you were willing to advance.  This is easy to do in a one-room school.  When you passed the eighth grade test, you moved on to high school.  As an eighteen-year-old rookie teacher and the only adult in the building, she had a student who was nineteen because he had not “finished” grade school.  She decided to get him through that year, and she did.  It was the first indication of her skill and dedication to teaching.

Yes, she was poor in terms of money, but rich in terms of love of family, love of education, and a love of music.  She played violin in High School, the piano “forever” and had her own organ for decades.  She loved the music of people like Lawrence Welk and the big bands, going to as many live events in the Pittsburgh area as she and Dad could afford.

She met Dad because he was a friend of her brother, and they saw each other a lot because he lived across the road from the High School.  Immediately after Pearl Harbor, Dad re-enlisted in the Army.  In January of 1942, he was a private in Mississippi.  By August he was a 2nd Lieutenant in Iceland starting up V-Mail, the microfilm service set up to deliver mail to and from American military personnel in the European Theater.  In between, and with about two weeks’ notice, they got married.  After Mother said goodbye to him at the New York pier, it was 41 months before she saw him or heard his voice again.

Some of her family were upset with this marriage.  After all, Mother’s family had been in North America since the 1600s and came from a Scots-Irish-English heritage.  Her ancestors fought in the Revolution and the War of 1812.  Her Grandfather and his brothers fought in the Civil War, carrying their own hunting rifles and walking or riding the army trains to places like Vicksburg and Fredericksburg.  The trains didn’t go very fast.  Often a soldier could get off the first car while the train was moving, pick some fresh fruits or vegetables from the adjoining field, and then jump back on the last car.  Her Grandfather went to Gettysburg to hear Lincoln.

Dad’s family, on the other hand, first showed up at Ellis Island in 1908 from some obscure unpronounceable town in Przemysl District in Eastern Europe.  His Dad had been in the Austro-Hungarian army because at that point it controlled the area.  At other times, so did Russia, Poland, and the Ukraine. They were a poor immigrant family that did not speak any English when they arrived, often staying with family and friends who had previously settled all over the country.

After the war, Mother and Dad started traveling.  I vividly remember our eight week summer road trip from Western Pennsylvania to the Pacific Ocean and back, the long way – about 11,000 miles worth.  I was seven.  Over the years, they visited, not just passed through, every State in the US, and most of Canada.  After Dad died, she visited much of Europe, New Zealand, Australia, the Caribbean, Central America, Iceland, and she rounded Cape Horn when she was 91.

People will remember Mother for a variety of reasons.  Some because of her love of a game of Bridge.  She always said she only played for the fun and conversation, but she could recall every hand played over a long afternoon, and was especially satisfied when she could beat a “better” player.

In the 1960s, Dad got very interested in, and very good at, lapidary: the art of cutting gemstones and making jewelry out of “rocks.”  While Mother never cut a rock, she was good at designing jewelry and helping the clubs organize events.  Until recently, she communicated with people on both coasts that knew her primarily because of her rock work.

But she is most known for her teaching.  She positively influenced thousands of students with her love of knowledge, curiosity, reading, exploring and most importantly thinking.

Mother.  I sure am glad I knew her.

The last word:

My Mother passed away peacefully in her sleep on Sunday, February 10, at the age of 95.  When we moved from Michigan back to Pennsylvania in 2000, we convinced my Mother to move from San Diego and live with us.  She was only 83 and in good health, but we did not want her 3,000 miles from any family as she got older.  She and Suzy shared the driving on a wonderful road trip across the country.  She continued to drive, play bridge, visit friends, and take cruises until about two and a half years ago.  She had a very sharp decline starting about Thanksgiving.

Hospice has been a great organization for us, providing the support we needed to be able to care for Mother in our home.  When we could no longer keep her safe at home, they took her to their respite center and kept her comfortable for the last four days.  We used Neighborhood Hospice, but I have not heard anything but good things about hospice providers anywhere.

Comments solicited.

Keep your sense of humor.

It is the time of the year for “State of the …” messages.  How is the Cloud doing, and where is it going?  What do your peers think about it?

Amazingly enough, I still get questions about the value of the Cloud.  I had a senior executive at a global company tell me that the Cloud was just a fad, and that he was busy figuring out what was coming next.  The company’s current Cloud offering was part of his empire, and, maybe not surprisingly, not going anywhere.

In one sense, he is right.  There will be something beyond the Cloud.  Facebook, Twitter, Amazon, Google and the iTunes Store are way beyond the Internet as we knew it in 2000, but they all absolutely depend on the Internet.  In my view, the next big thing, or more likely, panoply of big things, will all depend and build on today’s Cloud.  Smart power grids, smart cars, smart homes, and smart cities will all be enabled by an all-encompassing and all-connecting Cloud.  And like the Internet, no company or government will own or control very much of it.

But, you say, the Cloud has not taken hold as much as we were told it would.  Probably true, but there is a lot more Cloud usage than you might believe.  Even in your own company, there may be several Shadow IT projects going on that you are not aware of.  What is your competition doing about the Cloud?  Keep in mind that it may be hard to determine whether they have begun that journey, until they demonstrate their ability to react faster than you can.

I’ve been in the IT industry for a very long time, and almost always the marketing and analyst predictions on a new product are inflated.  I’m not surprised that the Cloud has not achieved, in hindsight, the unreachable growth predicted a few years ago.  There are some obvious reasons for this:

  • The soft worldwide economy, along with the seeming rush of many countries to devalue their currency.  Only the ones who devalue their currency first really win even in the short term, but it plays havoc with international trade.
  • Uncertainty about the impact of US government executive orders, laws and regulations on the cost of running a business, especially in the areas of taxes and health care.
  • Uncertainty about the economic situation in the Euro Zone.  While the noise has lessened, it is fairly clear that the underlying problems have not been fixed, or probably even eased.
  • The economic threat against Mideast oil by the unintended consequences of the Arab Spring and potential actions by countries like Iran or Israel.
  • The switch to Windows 7.  It is amazing how distracting this kind of exercise is to an IT shop.
  • The huge adoption of tablets and smart phones by employees, often against the wishes or even commands of IT.  Again, a huge distraction.

Most of these economic issues have not disappeared with the New Year.  If there is one word to describe the 2013 economic outlook, that word is “uncertainty.”

But the Cloud is taking hold.  As one example, an IDC survey of UK-based Cloud managers reported that three quarters of the surveyed companies “viewed the Cloud as the way to solve their key business issues.”  One thing that is changing is that Cloud managers are realizing that the real benefit of the Cloud to their business is the increased agility that gives them a competitive edge.  Saving money, while still important, is no longer the main driver for most companies.

Another significant change is that companies are starting to move their “bet the business” applications to the Cloud.  This is largely enabled by the maturity of the major Cloud Service Providers (CSPs) and their ability to scale almost without bound.  Some CSPs have signed deals with blue chip companies to support applications with significantly more than 100,000 users.  Most companies are planning to move additional applications to the Cloud in 2013.

The entire Health Care industry is impacted by existing legislation requiring the adoption of electronic medical records (EMR).  This adoption is absolutely necessary, with improved patient care, reduced medical accidents, and in the end reduced total cost to provide care.  The Cloud is a key enabler, allowing insurance companies, pharmacies, doctors and hospitals to share information about a patient enabling quicker and more accurate treatment.  Getting there can be a real pain, especially for those organizations with only paper-based patient records.  These companies are not just moving their existing IT to the Cloud, they are moving to an automated computer-managed environment, actions that most older companies took decades ago, and a phase newer companies never went through at all.

An October ComputerWeekly.com report indicates that only 5% of companies have a Cloud strategy, and only 20% of companies have the resources to actually create a plan.  This means that a lot of companies are moving into the Cloud without a plan.  Is yours one of them?  If so, I suggest that is a bad idea.  While the Cloud can have significant benefits in terms of reduced costs and increased agility, if used inappropriately it can have severe security, performance and availability issues.  If you are not part of the lucky 20% with the internal knowledge, skills and time to create your own Cloud adoption plan, then get help.

If you believe the key word for 2013 is “uncertainty” then the journey to the Cloud is likely to be critical to your company’s future.  Only the Cloud allows you to quickly react to the upward and downward changes that are coming.

The last word:

The recent tragedies in the U.S. are yet again bringing gun control into the forefront of government, pundits and the average citizen.  Various governments at many levels are enacting new laws and regulations.  Very few of these new rules get at the real problem, and I fear very few will have any real beneficial outcome.  In the U.S., over 60% of gun-related deaths are suicide.  No matter which side of this issue you are on, I would like you to consider one thing.  The Second Amendment, part of the Bill of Rights, was enacted during the First Congress of the United States in August of 1789, shortly after the end of the Revolutionary War.  The purpose of the Second Amendment was not to protect hunters, or to enable someone to protect their family or valuables from a criminal although it did support those activities.  The purpose of the Second Amendment was to enable the people to protect themselves from their government.

St. George Tucker, a lawyer, Revolutionary War militia officer, legal scholar, and later a U.S. District Court judge (appointed by James Madison in 1813), wrote in 1803:  “Whenever standing armies are kept up, and the right of the people to keep and bear arms is, under any color or pretext whatsoever, prohibited, liberty, if not already annihilated, is on the brink of destruction.”

The Swiss government requires that at least one person in each household be armed.  This is what has enabled them to remain a Neutral Country for so long.  And a Free People.

Comments solicited.

Keep your sense of humor.
