Previous month:
November 2015
Next month:
June 2016

May 2016

Increasingly hazardous healthcare environment should urge Congress to create a National Health IT Safety Center

Discharge instructions for a child’s insulin dose were correctly entered into the electronic health record (EHR), but when the mother received the printed instructions there was a decimal point error resulting in a 10-times dosing error.  This error was fortunately noticed by the bedside nurse and corrected manually.  I reported this near-miss to the EHR vendor and they corrected the technical problem.  However, when I asked vendor representatives whether or not this problem was being corrected with other physician clients across the country, they informed  me that no other client had reported such a problem. 

This is analogous to a situation where an airbag explodes and sends shrapnel into your face.  You might ask the automaker whether this is a problem with their other vehicles.  They might tell you that they are not aware of others having the same problem.  However, in the transportation industry they are required to report safety incidents and near-misses.  These reports are collected, aggregated and analyzed by the National Transportation Safety Board (NTSB).  If NTSB notices a trend in airbag-induced shrapnel injuries, they will initiate an investigation.  When NTSB discovers a problem with a specific airbag that is used across multiple types of automobiles, not just the type you purchased in your own state, then they are authorized by Congress to make safety recommendations to help ensure the risk is appropriately managed across the industry.

This insulin dosing incident is one of many health IT-related patient safety risks I have encountered and resolved in collaboration with an EHR vendor.  When my experience is extrapolated to the experiences of all physicians and EHR vendors, the scope of health IT-related patient safety risks can be seen as immense.  But unlike the safety of interstate commerce produced by the auto industry that is overseen by the NTSB, the safety of interstate commerce produced by EHR vendors has no cohesive oversight mechanism.  

The lack of oversight for health IT-related patient safety incidents and near-misses creates a hazardous patient care environment that I believe is urgent for Congress to address. The threat is increasing because the Meaningful Use Program (MU) has led to an exponential increase in the use of EHRs and other technology.   As a result, physicians are assuming a higher level of risk and accountability for computer programs, networks and infrastructures that are increasingly used as tools to generate patient care actions and facilitate medical decisions.  Although health IT-related patient safety risks would best managed through a shared accountability between physicians and EHR vendors, the vendors are not currently held accountable for patient safety.  Furthermore, the aggressive MU timelines have required EHR vendors to make rapid changes to EHRs without sufficient time to align changes with efficient physician workflows or to improve the flow of data between systems.  As a result, EHRs are increasingly plagued by poor usability problems and  lack of interoperability between EHR systems--both of which are patient safety risks that physicians commonly encounter.

So it is time to urge Congress to create a National Health IT Safety Center that can implement an effective EHR safety program designed to reduce EHR-related patient safety risks.  Within this concept EHR vendors could be required to report patient safety incidents and near-misses to the Health IT Safety Center similar to how transportation safety incidents must be reported to the National Transportation Safety Board.   The Health IT Safety Center could collect, aggregate and analyze reported data.   It could have power to investigate incidents involving patient harm and require EHR vendors to make appropriate changes.  It could monitor near-misses to identify trends and risks.  It could coordinate with other agencies to develop and broadly disseminate educational information and tools that mitigate identified patient safety risks related to technology use.  

I also envision that this resolution would lead to an entity that has the authority and influence to drive improvements in EHR usability and

 
 

interoperability, which are the two most significant impediments to effective and meaningful use of electronic medical records.   

 .

 

  

Improved Physician Practice Preparedness To Recover from EMR Downtime and Other Technology Risks is Needed

It should not take 3 weeks to restore an EMR system.  

I was not surprised when one of my colleagues told me his EMR unexpectedly "went down", as there are many threats to hardware and software--wind, fire, water, construction equipment, human error and cyber crimes to name a few.  It was the rest of his story that was so disheartening.  As he recalled the struggles that his group endured for three weeks, his facial expression contorted into what I can best describe as that of "helpless resignation".   The complexities of technology had held him and his group hostage for three weeks.   At the time of our initial discussion he was still in the "grieving" stage, so I felt it to be too early to engage in a healthy discussion about IT risk management.   He needed to vent.   I needed to listen.  

And this story exemplifies what drives me to spend time collaborating with the Texas Medical Association (TMA) and others to raise physician awareness about the safe use of EMRs.   I do not have data, but my gut tells me that the majority of physician practices underestimate how vulnerable they are to EMR threats, especially small physician practices who lack internal IT expertise.  Perhaps the recent rise in ransomware attacks will actually be beneficial.  A ransomware attack on a physician office in South Texas earlier this year has led the TMA to increase communications to physicians about the threat of ransomware and other cyber attacks.    

Until recently the focus of preventive strategies against cyber attacks has been to ensure that the privacy and confidentiality of electronic medical records (EMRs) are maintained.   HIPAA stuff.   And this is understandable since privacy breaches are expensive for a practice to manage, and such breaches have the potential to financially hurt patients if their data is used maliciously.  But ransomware attacks are different because they make a physician's EMR unusable until a ransom is paid (or the EMR is otherwise restored).  Unlike privacy breaches, ransomware attacks are disruptive to the daily operations of the practice.  It is a disruption that impairs the ability to take care of patients who are in the office as well as those who call the office.  At the end of the day the physician is left struggling to take care of patients who are sick without access to information that is really needed.  This is a "new normal" that should brightly illuminate the need for improved disaster recovery preparedness and IT risk management for physician practices.    

There are ways to reduce the threat of ransomware attacks and other health IT risks.  A thorough security risk analysis can identify weaknesses that could be targeted by cyber criminals.  Steps can then be taken to reduce the chances of being victimized.  Establishing a habit of continually identifying and managing these technical risks will further reduce the chances of an EMR shutdown.  

But one of the major obstacles is that physicians generally do not have the knowledge, expertise and time to do this themselves.  Another obstacle is that security risk analyses tools are designed primarily for large healthcare systems and do not translate well onto a small physician practice.  That is why the TMA's ad hoc Health IT Committee is currently collaborating with a vendor, a state agency and one small physician practice to hone down a security risk planning tool into something that would be feasible and effective for small physician practices to adopt.  For now physicians have to rely on consultants or train/hire IT staff to identify and manage technology security risks.

Nevertheless, no system can be 100% "downtime-proofed".  So even if a physician practice adopts best practices for security risk management, they must be prepared for a disaster to strike at any time.  After a disaster strikes, maintaining the ability to effectively care for patients must be the first priority.  I have coined the term, "clinical continuity planning", to characterize this planning.  I base the term on a similar commonly used term, "business continuity planning", which is the plan businesses develop to maintain daily operations during technology downtimes and disasters.  A physician office certainly is a business and should have a business continuity plan to maintain economic viability during disasters.  But the life-and-death nature of patient care is so unique that I believe a clinical continuity plan should be developed by each practice and be considered as the first priority in disaster planning.  Business continuity is integrated with clinical continuity and is also vital to the physician practice, but it should be considered as a lower priority.  In the real world this means that when weaknesses in security and downtime planning are identified, clinical continuity weaknesses should be addressed before business continuity weaknesses are addressed.  
 
The most effective protection against a ransomware attack and other types of "downtime" is to have a complete back up of EMR data and an ability to quickly restore the EMR system.  If the practice can do that, they may not have to pay a ransom, and the impact on patient care can be minimized if the back up and restore tools/processes are effective.  
 
With the rise of ransomware attacks I believe the primary focus of health IT risk management for physician practices should be to ensure an acceptable degree of clinical continuity can be maintained during EMR downtimes.  Secondarily, the practice should understand the tools and processes that are in place to back up and restore the EMR in the event of a disaster.  And to make sure they get tested.    The first time a physician discovers that it will take 3 weeks to restore their EMR should not be after a real disaster strikes.   
 
 
mattmurraycook children's
 mgg