Healthcare Clinical Information Systems can be hosted in the cloud as described in this HealthcareIT News article. Hospitals are not rushing to embrace public clouds; rather, for privacy and security reasons, hospitals are hosting applications in a private cloud. A radiology application is highlighted, for example Carestream Vue - the benefit being a collaborative view of radiology images amongst physicians who don’t have to use a computer at the hospital to use the RIS/PACS software.
To translate the HealthIT News article terminology into cloud computing terms, I will quote some of the sentences and provide links and details:
“Cloud-based healthcare IT services reduce or indeed eliminate investment costs and replace them with running costs.”
Enables the user to deploy whatever tool and whatever client wherever they want. And in addition, they don’t have to become IT gurus themselves to maintain the system
In cloud computing “investment costs” = CAPEX (Capital Expenditure) and “running costs” = OPEX (Operational Expenditure). For healthIT professionals who need an overview of cloud computing, please see this post.
Software as a service (SaaS) and infrastructure as a service (IaaS) have been marketed as potentially attractive alternatives to buying large-scale information systems
Nate Bagley from Software Advice asked me to review his article and it jogged my memory… I wrote this a few years ago. Only Nate offers some Google data to back up the idea that essentially an Electronic Medical Record (EMR) is a patient’s medical record sourced from one provider; an Electronic Health Record (EHR) is sourced from several providers. This is in line with Nate’s quote from Don Fluckinger, “EHR seems to refer to a record that can be shared back and forth and amended among multiple providers.”
If I get my healthcare from one provider, say Sutter Health, where one electronic record is shared between primary care, nurses and specialists, is that an EHR or EMR?
Until the NHIN or HIEs gain traction, Sutter’s health record cannot be shared with Stanford Hospital literally across the street!
On behalf of a peer, Chris Thorman, I offer his breakdown of the EMR market:
- The size of the outpatient EMR market;
- What EMR vendors have the most physicians using their system; and,
- What EMR vendors have the most practices using their system.
After a hiatus of a few weeks, adjusting to my new position selling this, I am back in the blogosphere.
With my new focus on security for cloud, virtualization and general data center, I bring a new perspective and focus on healthcare IT – that is security of patient data. Ever so important if patient records are going to go electronic, especially if stored in the cloud. Aside from my new paid position, I have also had the privilege of volunteering under the stewardship of Arien, as the leader of the Security and Trust Workgroup of NHIN-Direct. I also have the privilege of working with the likes of Sean Nolan, who wrote a terrific compliment on my comparison of Google and Microsoft PHRs.
So, securing electronic health data: Last week I attended a CSO (Chief Security Officer) conference in San Francisco and learnt some interesting lessons:
- Trust is fundamental in healthcare – patients may not disclose an embarrassing disease if they fear the data is not private.
- Security is required for regulatory purposes and patient safety.
- Computers are not personal. When IBM coined the term, PC or Personal Computer, computer users at work believed that the computer they used was theirs. Thus security software that is designed to restrict the flow of data, prevent users from accessing certain websites, download specific files or copy files to disks/thumb drives is viewed by the user as an invasion of their personal space, a restriction on their personal computer. Don’t make users paranoid to do their job or feel that big brother is watching their every mouseclick, but rather explain the highly personal nature of healthcare records and the need to secure access.
- Refine business processes. Often one reads of data lost when a laptop or external hard-drive is stolen, for example: 600 patient records lost on a stolen laptop. A natural reaction is one of horror and surprise. While certainly justified, a more analytical reaction would be “Employees are rarely malicious or dishonest, so what business process necessitated copying patient data to a laptop?” Refine the business process that necessitated this action. Remove the individual choice of where to store patient data; rather, make a business decision and apply a policy based on the data.
More on cloud and SaaS security to follow. I was pleased to read that the VA is taking steps to tighten security.
It’s good to be back!
An article in the New York Times describes the movement of physicians from private practice to becoming employees of medical clinics. Of particular interest to me was this:
But an even bigger push may be coming from electronic health records. The computerized systems are expensive and time-consuming for doctors, and their substantial benefits to patient safety, quality of care and system efficiency accrue almost entirely to large organizations, not small ones. The economic stimulus plan Congress passed early last year included $20 billion to spur the introduction of electronic health records.
I question the above statement for the following reasons:
- Cost: Web based (SaaS) EMRs such as those offered by PracticeFusion (actually free), SOAPware, and others are less expensive since the Physicians do not have to maintain expensive in-house hardware and software.
- Time-consuming for doctors: I don’t see why an EMR used by private practice is any more time consuming than an EMR used in a clinic. All a Physician has to do is learn to type with 10 fingers and he/she will discover e-prescribing, electronic lab orders, faster patient search etc are features that far outweigh their paper alternatives.
- Patient safety and quality of care: These benefits accrue equally to users of EMRs be they in private practice or clinics.
electronic health record programs, posted a good article proposing that data from (EMRs) be used for , with the following benefits for Physicians considering the purchase of an EMR:, from a web site that reviews of
- Participating in these trials is easier through an EHR than through traditional paper means;
- Using EHR data solves many of the major problems that clinical trials face; and,
- Purchasing an EHR creates a big ROI for physicians who decide to participate in clinical trials.
In theory, this sounds great and I found one example: the renowned Mayo clinic’s effort with Centerphase.
I ask the following questions, offer my answers, and welcome comments.
- What part of the pre-consent record can a clinical trial investigator access? Only data that is marked ‘non-confidential’ and does not identify the patient.
- As a follow on, if the trial investigator is allowed to see pre-consent eligibility or screening attributes only, how can access to the rest of the patient record be suppressed? Implement strict fine grained access controls at the attribute level of a patient record.
- Can the investigator access pre-consent data that is marked as confidential? He/she cannot!
- Can the patient waive confidentiality or regulatory access restrictions on sensitive pre-consent data? Only with full understanding of the implications
- If clinical trial specific data is co-mingled with standard care data, is that data available for insurance/reimbursement purposes? No
- As a follow on, what constitutes the “legal medical record” when clinical trial and standard care data are commingled? Only standard care data, acquired by a diagnosis
- When a study subject either completes a study or withdraws study consent, does their research-only data remain part of the permanent EMR database? No, it should be erased
- Assuming access to trial-specific data is allowed, can a physician who is not a clinical trial investigator, change trial data that they feel are incorrect? No
- Should research data be separated from standard clinical care data? Yes
- Is there a difference in access rights between standard care data that will be included in the research versus standard care data that will not be included in the research? No, clinical trial investigators should only have access to data that is included in the research.
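The answers above amount to an attribute-level access policy. The sketch below is an added example, not code from the original post or from any EMR product; the role names, the `Attr` labels and the sample record are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Attr:
    name: str
    value: object
    source: str = "care"        # "care" = standard care, "research" = trial-only
    confidential: bool = False
    identifying: bool = False
    in_study: bool = False      # standard-care item the study protocol includes

@dataclass
class PatientRecord:
    attrs: list
    consented: bool = False

def can_read(rec, role, a):
    if role == "investigator":
        if not rec.consented:
            # Pre-consent: non-confidential, non-identifying care data only.
            return a.source == "care" and not (a.confidential or a.identifying)
        # After consent: only data that is included in the research.
        return a.source == "research" or a.in_study
    if role == "physician":
        return True                  # page's assumption: care staff may see trial data
    if role == "billing":
        return a.source == "care"    # trial data is not used for reimbursement
    return False                     # unknown roles are denied by default

def can_write(role, a):
    # A physician who is not an investigator cannot change trial data.
    if a.source == "research":
        return role == "investigator"
    return role == "physician"

def view(rec, role):
    return {a.name: a.value for a in rec.attrs if can_read(rec, role, a)}

def legal_medical_record(rec):
    # Only standard care data forms the legal medical record.
    return {a.name: a.value for a in rec.attrs if a.source == "care"}

def withdraw(rec):
    # Completion or withdrawal: research-only data is erased from the record.
    rec.attrs = [a for a in rec.attrs if a.source == "care"]
    rec.consented = False

def sample_record():
    # Constructed sample data, not taken from any real patient or product.
    return PatientRecord([
        Attr("name", "Jane Example", identifying=True),
        Attr("age_band", "40-49", in_study=True),
        Attr("hba1c", 7.9, in_study=True),
        Attr("hiv_status", "negative", confidential=True),
        Attr("smoker", False),
        Attr("trial_arm", "B", source="research"),
    ])

if __name__ == "__main__":
    rec = sample_record()
    print("pre-consent :", view(rec, "investigator"))
    rec.consented = True
    print("post-consent:", view(rec, "investigator"))
    print("billing     :", view(rec, "billing"))
    withdraw(rec)
    print("after exit  :", view(rec, "physician"))
```

Tagging each attribute with its source and sensitivity at write time is what makes the later decisions (reimbursement, legal record, erasure on withdrawal) a filter rather than a manual review.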
Go here and listen to the webinar happening now (11:00am PST 3/16/2010) or the recording available soon
This posting is an assignment from my ongoing Informatics, the Internet and Future of Patient Care class.
Google Health and Microsoft HealthVault are Personal Health Record (PHR) services that allow people to store and organize their health records online. The following is a description and comparison of each service.
Creating an online medical record
Google and Microsoft allow a user to create their own online medical record and enter personal information. Basic personal information such as age, gender, medications, illnesses etc must be entered. Microsoft account creation differs in that it stipulates that the user’s data will reside in (software and services) located in the USA. While this may be true for Google, it is not explicitly stated. Secondly, when creating an account in the Microsoft PHR, the user does not have to disclose their gender and online videos are available to demonstrate ease of use.
Both services also allow medical records to be imported and partner with 3rd party companies that provide medical record import services. For example, retrieving a medical record from a hospital, converting it into the format required by Google or Microsoft and importing the data into the user’s medical record. A user can also upload files, for example scanned medical records, into their online medical record.
Both services require a username and password to sign in; the same username/password combination can be used to access other Microsoft or Google services. Microsoft also provides support for a few OpenID providers: pip.verisignlabs.com, openid.trustbearer.com, myopenid.com and myvidoop.com.
Share an online medical record
Google and Microsoft allow the user to share their online medical record with a doctor, caregiver or family member. A patient can share their online medical record with a physician in order to provide up-to-date medical information to their physician or in case the patient is travelling and needs to share medical information with a new physician. An online medical record can be shared with another family member in case of emergency when the patient is unable to share their medical history themselves. Microsoft differs from Google in this feature, since Microsoft provides richer access controls over who can access a person’s online medical record.
Software engineering Application Program Interfaces (APIs)
Google and Microsoft offer interfaces for 3rd party companies to create software products that interface with the Google or Microsoft online health record service. For example, companies that convert paper medical records to online format, write a software interface that allows their software product to interface with the Google or Microsoft product.
Google Health API
The Google Health API allows another software product to create new medical records that may contain CCR data or read data from an online medical record. Google Health API is available in Java, .NET, PHP and Python programming languages. Samples are here, developer guide and sample CCR.
Microsoft HealthVault API
The Microsoft API is more comprehensive than Google’s. There is an SDK (Software Development Kit) for creating software applications and DDK (Device Development Kit) for creating devices. An entire section of the MSDN (Microsoft Developer Network) is dedicated to HealthVault. Unlike Google Health which is multi-platform, the Microsoft SDK is available on Windows platforms only and only supports the .NET programming language. Microsoft and Google allow third party applications to create a Continuity of Care Record (CCR); Microsoft’s guide and Google’s.
Privacy concerns would hinder many users from using online Personal Health Record services. What are the concerns? That the online health record service could be hacked, data stolen and the health records used for nefarious purposes such as:
- Embarrassing users who have personal health details disclosed, such as STDs or weight problems.
- Selling medical records to prospective employers who could screen candidates based on private medical data.
- Defrauding health insurance companies or Medicaid by submitting false claims under a different name.
- That large companies like Google and Microsoft would collect user information for their own data-mining or statistical purposes.
HIPAA is a federal law that regulates doctors and health insurance companies, to ensure that patient information is kept private and secure. Microsoft and Google do not hold designated record sets as defined under the U.S. Health Insurance Portability and Accountability Act of 1996 and the regulations promulgated thereunder (HIPAA), nor medical records as defined under state law.
If personal medical records are now controlled by the patient and stored in computer servers operated by Google or Microsoft, how can the user be comforted to know that their medical records are safe and secure from prying eyes? Standard HIPAA law does not apply to a PHR service from Google or Microsoft, as neither entity provides patient care. (The HIPAA law was written years before online PHRs became pervasive and should be revised to avoid confusion).
HIPAA aside, what about privacy of patient records?
Employees in particular job functions may have access to patient information without patient authorization as reasonably necessary to carry out duties relating to treatment, reimbursement, or health care operations, such as to communicate about health benefit plans or to recommend alternative treatments or therapies.
A limited number of employees in particular job functions may have access to user information in order to operate and improve Google Health. Users consent to this limited internal use when they sign up for Google Health.
Both Microsoft and Google stipulate that user deleted data will still be available in backups for up to 90 days.
Microsoft privacy controls are similar to Google’s; however, Microsoft’s access controls are more granular. With the Microsoft PHR, roles can be created that provide View-only access (time-limited access), View-and-modify access (time-limited access) and Custodian access (no time limit). (Access becomes active only when the recipient accepts the invitation.) Custodian access is the highest level of access. A custodian of a health record can: read the record, change the record, delete the record, grant to others any level of access to the record, including custodian access, and revoke the access of anyone to a record, including other custodians, and including the custodian who granted them custodian access in the first place.
Microsoft has a developer security policy, as does Google. Microsoft further stipulates that HealthVault servers undergo extensive security, penetration and testing by “white hat hackers”. Furthermore, HealthVault servers are located in controlled facilities in physically separate locked cabinets, HealthVault traffic in our data centers runs on a virtually separate network, all health information transmitted between HealthVault servers and program providers’ systems is encrypted and HealthVault data is encrypted upon backup. Google does not explicitly state that the same measures are in place.
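The three access levels described above can be modelled in a few lines to see how time limits, invitation acceptance and custodian revocation interact. This is an added example, not part of the original post and not the HealthVault SDK; the class names, method names and the constructed scenario are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

VIEW, MODIFY, CUSTODIAN = "view-only", "view-and-modify", "custodian"
PERMS = {
    VIEW: {"read"},
    MODIFY: {"read", "change"},
    CUSTODIAN: {"read", "change", "delete", "grant", "revoke"},
}

@dataclass
class Grant:
    level: str
    expires: Optional[datetime]   # None = no time limit (custodian only)
    granted_by: str
    accepted: bool = False        # inactive until the invitation is accepted

class SharedRecord:
    def __init__(self, owner):
        self.grants = {owner: Grant(CUSTODIAN, None, owner, accepted=True)}
        self.audit = []           # (time, actor, action, subject) tuples

    def allowed(self, who, action, now):
        g = self.grants.get(who)
        if g is None or not g.accepted:
            return False
        if g.expires is not None and now >= g.expires:
            return False          # time-limited grant has lapsed
        return action in PERMS[g.level]

    def invite(self, actor, who, level, now, days=None):
        if not self.allowed(actor, "grant", now):
            raise PermissionError(f"{actor} may not grant access")
        if level == CUSTODIAN:
            expires = None
        elif days is None:
            raise ValueError("view and modify grants must be time-limited")
        else:
            expires = now + timedelta(days=days)
        self.grants[who] = Grant(level, expires, actor)
        self.audit.append((now, actor, f"invite:{level}", who))

    def accept(self, who):
        self.grants[who].accepted = True

    def revoke(self, actor, who, now):
        if not self.allowed(actor, "revoke", now):
            raise PermissionError(f"{actor} may not revoke access")
        del self.grants[who]      # custodians may revoke anyone, even their grantor
        self.audit.append((now, actor, "revoke", who))

def scenario():
    # Constructed walk-through; names and dates are made up.
    t0 = datetime(2010, 3, 1)
    rec = SharedRecord("patient")
    rec.invite("patient", "dr_travel", VIEW, t0, days=7)
    before_accept = rec.allowed("dr_travel", "read", t0)
    rec.accept("dr_travel")
    during = rec.allowed("dr_travel", "read", t0 + timedelta(days=3))
    after = rec.allowed("dr_travel", "read", t0 + timedelta(days=8))
    rec.invite("patient", "spouse", CUSTODIAN, t0)
    rec.accept("spouse")
    rec.revoke("spouse", "patient", t0)
    locked_out = not rec.allowed("patient", "read", t0)
    return before_accept, during, after, locked_out, rec.audit
```

The last step of the scenario shows why a custodian grant deserves more care than the time-limited levels: the new custodian can remove the person who invited them, and only the audit trail records that it happened.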
My assessment – Online PHRs and the future patient care
Privacy and security: Realistically, I am not concerned about a data breach and possible sale of a medical record to defraud Medicaid or an insurance company. The possibility and technology have existed for decades for these crimes to occur. Personal health data today is stored in online databases at hospitals, clinics and insurance companies. While this may be disconcerting to new users of a Google or Microsoft PHR, it is in essence no different from data stored by other services. For example, information in your bank, investment and credit card accounts is viewable by employees at the respective financial institution. Secondly, medical data stored in databases at insurance companies, Medicaid and hospital/clinic EHRs can be viewed by employees with appropriate access. Most accounts of data theft come from employees breaking with company protocol and copying data to laptops or detachable disk-drives which are subsequently stolen from parked cars or homes. This site tracks such incidents, note how many incidents there are of stolen laptops (lots!)…. Try to find one incident of a database breach???
User entered data: A physician or healthcare provider who is presented with medical records entered by a user might ask him or herself, “how can I trust this data to be accurate?” A legitimate question- would an obese patient enter lower weight, might a diabetic patient enter lower blood sugar? In order to make data in a user PHR reliable and trustworthy, that data should be flagged as “user entered”, “entered by physician”, “imported from existing medical record”. A physician would then be able to make a clinical decision based on the data provided.
Benefits of an online PHR:
- Medical records are coalesced from a variety of sources into one comprehensive record. This is useful since electronic exchange of medical records between providers is a long-way-off.
- Patients have direct access, control and view to their medical record.
- Users can control medical records on behalf of others such as an ill-parent or minor child.
- Patients can grant access to care providers of their medical record, for example when traveling beyond the realm of their current medical provider, and the patient visits a new physician, that physician can see the entire patient medical history.
The future: I think online medical records are here to stay and a force to be reckoned with. Medical care providers must become comfortable with the data entered into PHRs; users must become comfortable with PHR providers such as Microsoft and Google that their personal medical history will be safe and secure. Americans’ fear of the power of large companies and government to spy on common citizens probably harkens to the fear of big brother.
This posting is an assignment from my ongoing Informatics class.
SecondLife is a virtual world where users create an avatar and navigate through virtual worlds. What are the uses of SecondLife in the practice of Medicine?
Primarily, SecondLife is used for “role playing” or “game playing” where medical students can simulate their roles as Doctors who are taking care of patients. Imperial College of London has established a learning environment which “aims to design game-based learning activities for the delivery of virtual patients that can drive experiential, diagnostic, and role-play learning activities supporting patients’ diagnosis, investigation and treatment.” SecondLife does not replace human interaction or walking real wards and treating real patients, but it does provide an environment for students to learn off-hours. Since SecondLife is available 24×7, students can simulate a hospital or patient treatment experience any time of day or night. Another use of SecondLife is collaboration across international boundaries. Students in Australia can perform role playing/game playing with students in the USA to learn and share medical knowledge and experiences.
Could patient-doctor relationships be enhanced by using SecondLife? I don’t think so because traditional doctor-patient relationships involve deep levels of trust. Not only because of the physical interaction between doctor and patient, but because patients reveal deep personal details of their lives to physicians. Patients might be reticent to do this if the doctor is a virtual avatar. Even if the physician avatar is known to the patient in real life, the role of the avatar might behave differently in SecondLife. Patients’ values about which uses of technology are good or not good for their health are at stake in SecondLife, and diverse cultural behaviour and values create different SecondLife experiences. To create a real “virtual” connection with patients in SecondLife, doctors must be creative and self-critical about their practices and be cautious not to replicate the same behaviours that generate power imbalances between medical professionals and patients in real life.