October 31, 2011
Every cloud has a silver lining – except for Amazon’s cloud which apparently had a sizable hole in its security. That is the story in a recent Technology Review article which reports that researchers based at Ruhr University in Germany were able to hack the messaging system that Amazon’s EC2 Cloud system uses to create and delete files among various servers. The researchers were able to change those messages in a way that Amazon’s cryptographic authentication systems failed to detect. And Amazon’s service would have executed the malicious instructions along with the proper ones (if they had not been alerted by the researchers).
Note that the Amazon spokesperson said “the potential vulnerabilities reported by researchers… have been corrected and no customers have been impacted.”
However, the researchers’ successful hack raises serious questions about cloud security overall. As one of the research team pointed out, “Cloud interfaces are a prominent attack target. If an attacker compromises a cloud interface, he could misuse its vulnerabilities to get control over users’ data.”
Another scientist, Radu Sion at Stony Brook University in New York, said “Scale makes things more vulnerable—you have more components interacting with each other. This creates a larger and more attractive target.”
This troubling experiment comes at a time when many hospitals and medical groups are moving to the cloud. Advocates of cloud technology have promoted it as being safer than traditional client-server technology because the information is encrypted and stored in large, professionally staffed data centers.
For example, a 2010 report from consulting firm Accenture said security with cloud computing is actually tighter than what most healthcare organizations offer within their own walls. The Accenture report also noted that cloud computing offered significant cost advantages for small physician practices.
Like any new technology, cloud computing has been over-hyped by sellers. It does offer significant cost advantages for small practices, and we have yet to learn of a major security breach. Apparently, however, current cloud encryption practices are not enough to prevent break-ins by skilled hackers.
October 20, 2011
When it comes to the new accountable care organization initiative, the HHS can count. It apparently took very seriously the hundreds of complaints it received, some from the major provider trade associations (e.g. AHA, AMA, MGMA).
Yesterday, it released its revised ACO regs and many, but not all, of the elements provider organizations objected to have been removed or amended.
As reported in today’s Modern Healthcare, hospitals and physician groups rejected the first draft proposal as too risky. A number of high-profile physician groups that tested an early model of accountable care declared the draft rules unworkable and said they would not participate without significant changes.
The major changes include:
– Allowing start-up ACOs to choose a “savings only” track without financial risk during their initial contract period; sharing savings with successful ACOs on a “first dollar” basis;
– Reducing the 65 quality performance measures down to 33;
– Dropping the requirement that 50% of primary care physicians in an ACO must meet the EHR meaningful use requirement by the second year;
– Patients will no longer be assigned to ACOs retrospectively. Instead, Medicare enrollees will be assigned to ACOs prospectively, every three months;
– New flexibility in the start date of ACOs, which was proposed as Jan. 1, 2012. Now, CMS will accept applications for an April 1 or July 1 start date, with all ACOs starting in 2012 having agreement periods that terminate at the end of 2015.
Will the changes be enough to attract enough major physician groups into the program to make it successful? I think everyone in the healthcare industry should hope so. If the ACO program is successful, it should go a long way to improving the quality of care while reducing costs. If it is not successful, the costs will be reduced anyway – while the quality of care is decreased.
October 13, 2011
One of the many famous lines in Casablanca is uttered by Captain Renault, the local police captain who is a frequent habitué of Rick’s:
“I am shocked, absolutely shocked, to learn there is gambling going on in this establishment.”
I had a similar reaction when reading a recent article in iWatchNews, a publication of the Center for Public Integrity, which reported that some 50% of health care providers who received the first round of incentive payments under the meaningful use program have been using health IT systems for years.
The iWatchNews investigative team surveyed 62 physician practices and hospitals that received money under the initial round of Medicare meaningful use incentives. The team found that about half of health care providers had installed health IT systems years before the federal stimulus package was enacted, even as far back as the 1990s. The early adopters of health IT upgraded their existing systems to meet meaningful use requirements.
The report warned that incentive payments designed to spur new adoption of health IT are instead going to health care providers who made minor alterations to systems already installed.
In addition, the article questioned whether the meaningful use program will serve its intended purpose to generate widespread adoption of health IT.
It quoted Senator Tom Coburn (R-OK), a physician, who warned “if providers have been paid for systems they already had in place that seems to be an inexcusable waste of taxpayer dollars.”
The Center for Public Integrity, which includes Arianna Huffington, Craig Newmark (Craigslist) and CNN’s Christiane Amanpour on its board of directors, specializes in exposing government waste. I saw articles about mismanagement in the Pentagon and wasteful agricultural subsidies on its web site.
To those of us who have been working in healthcare technology for many years, this attention on the meaningful use program seems misplaced. Why should you penalize early adopters?
By government standards, it is a fairly modest program. The current Pentagon budget is $680 billion; the farm subsidy programs total some $30 billion annually. As of September 1, the meaningful use program has cost the government $870 million.
This is peanuts (pun intended) next to other federal programs.
October 9, 2011
First there was clinical decision support (CDS) software to help physicians on the front end, making a diagnosis. Now the Cleveland Clinic is using analytical software to detect inconsistencies and patterns in patient health records and flag certain cases for review.
As reported in a recent issue of Health Data Management, the new software, from 3M Health Information Systems, Salt Lake City, is called Documentation, Extraction, Reporting and Transformation initiative, or DERT.
An executive at the Cleveland Clinic said DERT was started in April 2011 to improve care for patients with heart conditions. In particular, it reviewed patient records to see where action might be taken to prevent potential complications. The clinic has recently expanded the DERT initiative to its urology department and to the urology and cardiac units of an affiliated hospital.
The DERT system also reports how many health care workers have handled a single patient’s chart. The clinic found that in the cardiac care area, an average of 28 people accessed a patient’s chart throughout treatment.
DERT could be very helpful in a number of ways. The government has started a major initiative to reduce hospital acquired infections and reduce re-admissions; DERT could be helpful in both areas.
I worked with the Isabel Health decision support team for two years. Isabel is a very well thought out clinical diagnosis support system. While a number of children’s hospitals installed Isabel, it had trouble penetrating the wider hospital market. Unfortunately, a lot of physicians are reluctant to use CDS software, apparently because they feel asking for outside help indicates fallibility or lack of confidence.
Isabel is particularly popular with ER physicians at children’s hospitals, to the point where the name became a verb, like Xerox. At a number of facilities, when they get a difficult case, the lead physician will announce, “Let’s Isabel it.”
The 3M software has a problematic acronym: DERT. I hope that it doesn’t get used in a casual way, such as “Let’s throw the DERT at that one,” or “Have you got the DERT on that case yet?”
October 3, 2011
Remember “It was the best of times, it was the worst of times?” That’s the opening of Charles Dickens’ “Tale of Two Cities.” My son is now reading this novel, set in the French Revolution, for his high school English class.
The same “best/worst” ambivalent atmosphere is now spreading over the healthcare IT industry. On one hand, record spending on software by hospitals, physicians and other providers has been predicted for 2012. On the other hand, many providers are worried about the impending (but uncertain) cuts to Medicare and Medicaid.
Reuters had an ominous article on Friday, “Lofty health IT stocks at risk if e-records delayed.”
According to the article, the stocks are “highly priced for potential revenue growth, yet vulnerable to any wobble in a government drive to computerize patients’ health records.”
In typical tech journalism fashion, the report featured dueling experts. One industry analyst warned that “these (HIT) stocks are priced to perfection” and “have very little room for disappointment.”
Another cited a recent Citigroup survey of hospital executives which found that 80% of respondents believed current market volatility would not hit near-term healthcare IT spending trends.
In contrast to this frisson of financial news is a warm and fuzzy article in the new, October issue of Healthcare IT News. Titled “Lawmakers speak up for healthcare IT,” the report quotes three different Republican congressmen voicing support for the current HITECH Act incentives. One congressman, Rep. Michael Burgess, MD, has even sponsored an amendment to extend the current act to multi-campus hospitals (must be one in his district).
It could be worse. At least we’re not in Greece.