Monday, 30 March 2015

It is not the EMR that sucks it is your lack of a information governance strategy

Hospitals are drowning is technological deficits; aging equipment, poor information security, unusable electronic health records and importantly no way to effective share patient records with patients or partners. A recent study shows that two out of three hospitals are not meeting HITECH standards for Health Information Exchanges. The authors note that even though there are fines (see here for HITECH fines), it is unlikely that these will spur adoption of health information exchanges (HIE).

Bernie Monegain (Editor Healthcare IT News) does a great job summarizing the article. From a software vendor perspective this seems like a perfect storm; a gap in capabilities, upcoming deadlines and a change in revenue models. In any other industry there would be lines of vendors at every hospital's CFO's door trumpeting their ability to help them meet their deadlines. Unfortunately the usual suspect vendors in HealthIT have not seized the opportunity (see here).

As I have mention before this is where ECM, WEM, etc vendors should be stepping in to fill the gap.Hospitals of all sizes will need to be able to confidently exchange patient information and make it available to patients once Meaningful use 2 standards for patient accessibility come into affect. Providibng a mechanism to share patient information in a standardized, secure manner is not a nice to have item, it is a required item to meet obligations-it should be on every hospital CIO, CFO and CEO's radar.

It also speaks to the larger problem of what electronic health records are strategically versus the narrow software characterization. Healthcare providers and thought leaders need to acknowledge the software sucks, and is not the best place to share and view information. It is just a dumb database designed to HOUSE patient information in a safe manner- as the name suggests a EHR is part of a records management strategy.

Electronic Patient information has the potential to increase the efficiency and cost effectiveness of healthcare delivery. The problem is the variety of solutions deployed by individual healthcare practices makes integration at the regional and national level difficult. As a rule they have been bought as point solutions to a immediate problem rather than as part of a healthcare information governance strategy.

It is time to look past a single solution that has a single set of technical specifications and build a system that manages data access.

As with any application rationalization process, it is important to define the costs, benefits and integration needs for any new enterprise application. Make no mistake; Health IT can no longer be a single application portfolio, they have to move to an ecosystem approach based on both clinical and administrative needs.

The failure of the single point solution of EHR/EMR has cause many IT professionals to take a negative view of information technology itself. As I have mentioned before, the problem is not the storage of the information it is how to access the information- it is a content management issue-be it ECM, WCM or -gasp-(SharePoint). EHR.EMR systems are horrible at providing access. For meaningful use 3 compliance and for your external marketing you need some kind of content serving system.

For organizations in a position to move to the newest EHR/EMR products, there may be no reason to have an additional system.For everyone who doesn't see a rip and replace in their next five years, consider how all the devices and partnerships that you have (and will have to grow to stay in compliance with Meaningful use).

You have a variety of regulatory items to think about as you develop your information governance strategy:

HIPAA 5010 covers Electronic data exchange(EDI[X12]) compliance standards as mandated for 1/1/2012: It covers exchange of all data transmitted by FTP, HTTPs, etc. Also encompasses the letter and number codes used for identifying file types during transactions. 5010 is largely an attempt to standardize the file codes in a way that increases security through in-flight encryption with de-crypt at each end. This is only possible if there is a standard metadata set.

ICD-10 is completely different it is the International Classification of Diseases (Rev. 10). This is used mainly for e-billing purposes as part of the diagnostic reference. It is not the official standard in the US until 10/1/2013, HIPAA 5010 EDI standards is a prerequisite for use of ICD-10.

Device access Smartphones and tablet computers represent the next wave of technological innovation in healthcare not to mention medical devices and consumer health apps (see here for more thoughts).

Mobile is a key aspect of your long term success. Hospitals have a variety of high earning "part-time" and ad hoc employees with their own businesses to run. You need a way to integrate their independent process and access into your secure information systems.

As with any access decision the type of information that can be accesses has to be balanced against the need for audit and security. The key is to remember the needs of end-users:
Doctors need access to all data, so restricting parts of the records is not an option.
Nurses need to update records on the fly.

IoT devices- There has been a lot of new devices for use in healthcare- patient owned health apps, mobile phones and wireless medical devices (see here for more on this). One of the key short comings of today's EMR/EHR products is their lack of abilities on the user experience front. Hospitals need to move away from single point solution planning for applications to a information management strategy that includes integration of outside data- whether it comes from patients, partner clinics or device vendors.

IT managers need to take the initiative and do these three things:

  1. Ensure that the process involves care providers and administration in the same room. These meetings cannot be for show. All decision makers must be involved. 
  2. Get to know who the key decision-making doctors are in each department and develop a relationship. Some doctors are in favor of EHR find out who these are in your hospital/clinic and involve them in building a strategy for how to attack the implementation. 
  3. Get care providers on-board during the demonstration phase. Take your key decision makers through the products ask questions about the mundane parts of the software (first impressions of the GUI, how to access the records) not just the big picture items.

Tuesday, 24 March 2015

Supporting clinical research; a conversation with LifeQ

The age of biometric data is upon us, but the science is not ready to explain what the data means. In some ways it is really exciting, the potential is huge- even if we ignore the marketing materials and focus on the potential long term use of simple data collected under real world conditions. Stephanie Lee from buzzfeed had a sobering analysis of Apple's new Researchkit that the healthcare and clinical research value of the data is pretty much zero. I completely agree with (see my thoughts on Apple's foray into healthcare here). The only group that might see some value is the same group that has access to healthcare and quality jobs (see here for primary data from Pew Institute). This means that the biometric data pulled from "iEcosystem" will not reflect the population that acutely needs to be understood biometrically. (I'll provide a detailed example of the issues later in this blog.)
In my opinion; any data that is tied to a specific mobile device or "Internet of Things" (IoT) object is useless for healthcare unless it can be compared and combined on aggregate across devices and demographics.
It reminds of the mid-nineties when genomic sequencing was going to revolutionize healthcare and disease treatment. Twenty years later and we are finally realizing that the genome is an almost irrelevant piece. That the context of how that genome is read, acted upon by the cell, and communicated between cells is more important then any point mutations or small scale genomic changes. (I have written about thishere, in the context of cancer.)
The genomic age was necessary to spark the discoveries that are starting to change healthcare but the changes in healthcare won't be realized because of genomic biology. It seems to me that we are at the same crossroad with the Internet of Things (IoT). The technology is really cool and the visualizations are solid but......what do I do with it?
For example, I have a Fitbit it has literally change my activity due purely to trying to get to 10,000 steps......I think thats a good thing- I mean I lost weight, my back is better.....but I am left wanting more, what types of activity are related to my weight loss? Have I gone far enough-am I at lower risk for all of the things that I worry about from a health perspective?
I can tell you the data collected by my Fitbit is pretty useless to answer these questions. I downloaded it all ran it through a few different statistical models and guess what? None of it appears to be relevant to my on-going good health. I still use my Fitbit to track my activity but I have no illusions about the role that the collected data plays in my healthcare decisions.
I recently had a chance to talk to a really interesting start-up company called LifeQ. LifeQ (@LifeQinc) has restored some of my enthusiasm for IoT and real impactful changes in healthcare. LifeQ has taken a different approach to the internet of things. LifeQ owns intellectual property on for an optical sensor that uses light waves to penetrate the surface of the skin to monitor multiple biological measurables; heart rate, blood pressure, oxygen saturation, with other important measurables such as glucose in the beta testing phase. The real power of LifeQ is not the measurables. Most of the metrics that their sensor measures are relativelty common place. Many devices can measure heart rate, blood pressure, glucose, these are not unique. The true value of LifeQ as a IoT vendor is really in the predicative models and software that allows identification of changes in ones own biology. As Christopher Rimmer pointed out this very similar to the model that Google, Microsoft and Apple have pioneeered. LifeQ owns the core data acquisition ("OS") and the core platform for integrating and using the information ("search engine"). If LifeQ can be half as disruptive in healthcare as Google has been in mobile, they can be a driving force for systemic cost reductions and better treatment outcomes.

The device agnostic approach gives LifeQ a wide potential market in healthcare, fitness as well as the flexibility to weather the inevitable changes to the device ecosystem that end users are willing to use. The focus on data acquisition and analysis reduces the overhead and ensures that the width and breadth of data needed for accurate modeling can be gathered.
As LifeQ told me during our conversation "You can't build a great, high quality algorithm and data access AND build multi-functional devices at the level required to collect the data we need. There are plenty of companies in the health, medical and consumer device world with the pockets and desire to build high quality readers."
It is a really smart strategy, especially in the complex global healthcare and lifestyle market(s). Focusing on their strength and being choosy about the partnerships. This strategy allows LifeQ to ensure data quality and more importantly from a medical perspective, information security. High quality data that is combinable across devices is necessary to keep the predicative models relevant, and increase in accuracy with successive iterations.
Obviously the key risks are in how to ensure the partners continue to innovate on the physical devices and the integration of different device collected data into a single model. To keep with the Google analogy how do you build the back end to protect against the fragmentation of the device type when each device manufacturer has specific needs and market segments. The kind of companies that they are dealing with understand the necessity of spending on the hardware.
Not surprisingly the initial partnerships are consumer focused, within the personal potential niche, for example those that cater to extreme athletes. Some wider consumer focused. An interesting aspect will be how LifeQ can integrate the niche data into the predicative model without biasing against normal peoples fluctuations. For example, we know that part of what makes elite atheletes, well elite, is speed of recovery; their heartbeat decreases at rest faster, their rate of breathing decreases faster, muscles recover faster. So as LifeQ collects this data, what value does this data have for us "normals" will the models be accurate?
It is not an insurmountable challenge but the awareness of how the data can influence the model and vice versa is a concern for any IoT or Quantified Self technology. It is the early adopter problem, your initial feedback from fanboys and people who share your vision can blind to the general publics use cases and expectations. It is the exact problem that caused Google to shutdown Glass.LifeQ seems quite aware of the potential founder effect problems.
A more important (to me at least) is that they are also engaging the medical community to enable the kinds of use cases that have long term quality of life and better diagnostic test values for health monitoring. These kinds of markets are a growth market and can provide a reliable revenue stream. For example, at home monitoring or ambulatory care for basic monitoring of HR, breathing, Oxygen levels, blood glucose (coming soon). All of which can be monitored today by the LifeQ powered devices. The problem being that the current monitors that have the accuracy that LifeQ needs are cumbersome but they are easier to where than what most hospitals have- and can be worn for long periods of without patients being strapped to wires or stuck in bed. The potential for clearer test results under real conditions is tantalizing.
What is next?
Like all start-ups LifeQ is focusing on ensuring their product is the best by ensuring that every element that could negatively affect its core product. The really interesting piece will come from the meta-analysis once the number of users hits a large enough N to ensure predictability across populations.
LifeQ acknowledged the potential limitations of a optical sensor; skin color, lean muscle to fat ratios, as well as stability issues cause be user activity. They are working expanding the repetoire of sensors that LifeQ can collect data from as part of the platform.
The real issue that faces LifeQ and any of the more robust quantified self devices and analysis platforms really comes down to action steps. For that matter the same issue exists for personal genomics. What is the line between variation of the population and dangerous biometric signature? Is there more harm then good from telling folks everything?
LifeQ has a great platform, and appears to have all the pieces in place to be the "Google for healthcare." They certainly bear keeping an eye to see what they do next

Tuesday, 17 March 2015

Information Security and medical devices

Lately I've been thinking about consumer focused medical devices. I am a Fitbit user and only every access the information on my cell. I do not actively share my information in their communities but I assume that Fitbit uses my information, in aggregate, to make money.
I get it, they are an for-profit company and I am receiving a ultra cheap service, Fitbit needs to make money on that service somehow.
Now that I've got the niceties out of the way the rest of this blog is angry and rant-y. In terms of full disclosure some of my anger comes from the recent kerfuffle over General Mills' plan to treat social media as a binding contract to protect itself from litigation. My fright over the new internet of things and the push for an exponential growth in apps and developers by 2020 -which BTW is not that long from now.
Anytime we expand something gets left out....and usually in software development it is security and customer privacy (see here for a good summary of where we are at with App security). We already know that many vendors do not take information privacy and governance seriously. Look at the recent Anthem disclosure...and they know they are subject to HIPAA.
The Market potential is enormous
The potential market for technologically enhanced medical devices is huge. (The market breakdown and total value are Espicom numbers. All analysis of the potential of technology to replace or enhance each category is mine. The Canadian market numbers are easily available-and could be verified, most estimates put the US market at 10-100 times the size)
I estimate at a $2 Billion dollar market in Canada based on current trends and the potential for technology to enhance the current medical devices when broken down by category. If we assume that some of the devices will collect information this puts the potential software market at $1.2B in Canada alone. The opportunity is enormous...for both commercial adventures and the rampant loss of patient privacy.
A lack of responsibility on the part of software companies
The other part comes from my attempts at conversations with a couple of consumer focused but information sharing applications. One company provides a cloud based service that allows doctors and medical students to share patient information, including pictures, with other doctors. It is a great premise BUT......what protection is there for patients? I contacted the company and basically their protections are focused on their own bottom line, the have a "policy in place that meets all legal obligations in their local jurisdictions".....THEY ONLY HAVE POLICY......they also would not disclose and had no plans to be proactive about applying any technical protections to block the sharing of patient data.
Am I the only person that has a problem with this?!? This is a product designed for medical personnel to SHARE patient information and they have no plans to protect the data!@!
As we move forward into the wearables and internet of things era, what are the obligations to these companies that hold personal information? We, as consumers, need to hold customer facing companies responsible for protecting customer information. Doctors and people within the software industry in particular should be absolutely ashamed of the state of the medical device and health app security. Both groups have actively undermined efforts to enact better regulations by complaining that it will kill the industry. Here is a note if you lose private health information- it will kill your company. Shouldn't a company that provides a service that enables the sharing of medical information as accountable? Should they be allowed to merely point to a piece of "paper" and say "not our problem?!?" If your policy says that the user must comply with hospital regulations on patient data sharing, you should provide the hospital a method to enforce policy. As a patient I need to know that the med student is not sharing pictures of my serious and potentially embarrassing problem just to have a laugh with their friends. It is the reason that Box is such a fast growing product! It gives end users what they need and it gives the business the protections it may need. In this age of PRISM and companies selling your data (see here for stats), wouldn't it be a marketing advantage to tell customers you go beyond the minimal standards that were set for a paper based age?
Here is my POV on this: If you are enabling sharing of a person's medical information-whether they are your customer or the patient of a customer's- you are obligated to protect that data from the stupidity or laziness of your users. How many busy residents are really going to take the time to ask their patients if they can share the x-ray? Especially if they can control capture and share from a personally owned device? Should I as a patient be forced to spell out the conditions under which I will allow students and doctors to share my information? Is that really a winning strategy in an age of user experience? There should be no such things as Facebook, Dropbox or Google drive for doctors! At a minimum you should provide hospitals the option of enabling controls based on their policy and not just weasel out of it by throwing your hands up and saying hey we did our job, they told us that it was alright.