The diagnosis for US electronic health records: Fatally flawed

Richi Jennings, Industry analyst and editor, RJAssociates

EHR is badly broken. That’s the conclusion of a too-long report into electronic health records in the US.

It’s dangerous, buggy, expensive, over-complicated, and encourages fraud. And that’s even before we start to think of the likely security issues.

Stop. You’re killing me. In this week’s Security Blogwatch, we smell no evil.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Put a ring on it.

EHR’s $36B FAIL

What’s the craic? Fred Schulte and Erika Fry beg a question—Where Electronic Health Records Went Wrong:

An electronic health records system, or EHR, made by … one of the leading sellers of record-keeping software for physicians in America [and] currently used by 850,000 health professionals in the US [has attracted] Better Business Bureau complaints … and legal cases filed around the country, suggesting the company’s technology didn’t work quite the way it said it did. [These were] clues that [the] software had major problems — some of which put patients … at risk.

Damning evidence came from a whistleblower claim [alleging] scores of troubling problems with the system. … The patient medication lists weren’t reliable; prescribed drugs would not show up, while discontinued drugs would appear as current, according to the complaint. The EHR would sometimes display one patient’s medication profile accompanied by the physician’s note for a different patient, making it easy to misdiagnose or prescribe a drug to the wrong individual.

If there is a kicker to this tale, it is this: The U.S. government bankrolled the adoption of this software — and continues to pay for it. Or we should say: You do.

[This] strange, sad, and aggravating story [is] about a trouble-prone industry that intersects, in the most personal way, with every one of our lives. It’s about a $3.7 trillion health care system idling at the crossroads of progress.

10 years after President Barack Obama signed a law to accelerate the digitization of medical records — with the federal government, so far, sinking $36 billion into the effort — America has little to show for its investment. … Rather than an electronic ecosystem of information, the nation’s thousands of EHRs largely remain a sprawling, disconnected patchwork [and the] EHR initiative has created a host of largely unacknowledged patient safety risks.

tl;dr? Clifton Leaf calls it A Healthcare Story Everyone Should Read:

The story, by two of the best healthcare journalists in the business … is nearly 10,000 words, and once you get started, I’m pretty sure you’re going to want to read every last one of them. Indeed, this is one of the most compelling, surprising, and deeply disturbing stories about our healthcare system that I’ve read in a long, long time.

It’s about what happens to your medical data when you visit the doctor or hospital—and about the unseen (and too often glitchy) technology that may affect the care you get. … And it’s a huge contributor to another, often hidden, crisis in medicine today: the epidemic of physician burnout. … That burnout, by doctors’ own admissions, too often ends up affecting patient care.

How did we get to this point? How did we get to a place where so many physicians are handcuffed … to non-intuitive systems [of] endless, numbing mazes of menus that take them away from hands-on patient care?

But this isn’t just about poor planning or government waste. Rather, it’s about people getting hurt.

Yikes. Mary Louise Kelly considers all the things—Why The Promise Of Electronic Health Records Has Gone Unfulfilled:

The switch from paper charts was supposed to be a great thing … for the whole health care system - so much so that the federal government backed the transition, even subsidizing new computer systems. … 10 years and $36 billion later, this digital revolution has not gone to plan.

It's not just a hassle. It's not just an inconvenience. It's actually causing risks to patients' safety, and even deaths.

There are also cost implications to this and concerns that the software can be misused [in] a practice known as upcoding. … We, as patients and consumers of health care, just need to be a lot more vigilant about policing our records.

What about the neighbo[u]rs to the north? Here’s Catherine McIntyre:

The investigation can be read as a cautionary tale for Canada as it considers how to manage its own EHR system. Canada Health Infoway, a crown corporation, has spent more than $2 billion trying to digitize health records in Canada, but the system here so far looks a lot like the one described in the U.S., where records still aren’t easily portable.

Dr. Nav Persaud, a physician and patient advocate, has called for Canada to build a national EHR, rather than a system of disparate initiatives and technologies that don’t communicate with each other, but that hasn’t happened yet. That lack of coordination, Persaud said, can lead to problems with oversight, including previous diagnoses and treatments being overlooked or medical testing being unnecessarily repeated.

But flagamuffin sounds slightly skeptical:

I guess I’ll stop working on EMR software for a minute to read this over lunch. I watch the sausage being made and it’s frankly embarrassing at times. But I’ve also never met an intelligent journalist.

I don’t believe [they make] an attempt to compare safety across eras — pre-EMR vs. post. I’m not sure why anyone would bother writing this article without doing that, but realistically, in the paper record era, it was pretty impossible to collect data. That’s one of the reasons for this industry in the first place. I think it extremely likely that hospitals have gotten safer since computers.

Because of government investment, this industry mostly skipped the lean, innovative startup-esque period other software industries have. When people talk about EMR problems this is what they should talk about, because these systems are unbelievably expensive.

People demand health care inelastically. Everyone wants perfect health care all the time no matter the cost. Hit pieces will always be possible as long as even one brain tumor goes uncaught.

And Hardeep Singh MD calls it a provocative piece:

Hard to defend poorly designed software, but … safety is a shared responsibility.

Time for some narrative around how EHRs are implemented at an organizational level and how local configuration impacts safety.

I’ll wait for the movie. Lambert Strether calls it A blockbuster:

No matter the initial intentions of the EHR boosters … there seems to be no other real justification for them than fraud, whether by vendors or by upcoding. Plus physician burnout, if you consider replacing humans with robots a good thing. And killing patients, if you’re an enthusiast for that sort of thing.

What a mess.

To which, Ptb adds an anecdote:

I have an acquaintance who was involved with a local hospital’s “implementation project,” when this software came online. Typical corporate IT disaster – it took superhuman efforts of the team to just keep it from crashing and install the vendor’s updates – forget about deep understanding / configuring the various interface options.

Badly under-resourced, managed by non software people, soon all the best people left and they recruited other hospital employees (i.e. low level med techs who exhibited a knack for tech and a tolerance for stress) – these were surely in over their heads.

This is the equivalent of ERP business software like SAP. Capable of being all-seeing, all-knowing, automate the generation of all your accounting data etc. If configured correctly by experienced analysts who perfectly understand the business and the software.

Such people are very rare and very expensive. In reality, clumsy all-misconfigured systems result. -sigh-

But is it at least secure? Elisa Comer—@AdminSideofSick—thinks that’s part of the problem:

I was National EHR Coordinator for Transcription from 2005-2010, when the EMR movement was beginning. Everyone was so worried about the security of the message, and the portability and accessibility of the message, that they forgot to address the accuracy of the message itself.

Quality was pushed aside and no one batted an eye. Due to health issues I had to leave my assignment, but lack of quality and completeness is a real issue, it is dangerous, and I see it up close and personal as a chronic illness patient. We must tell the patient's whole story. Too bad if that doesn't fit the drop down list - "Good enough" is never an acceptable quality score.

It's an unapologetically passionate topic for me. … I love EMR technology, I teach EMR technology - but we got this very, very wrong.

With a fascinating perspective, here’s CPlusPlusDeveloper:

Has any successful software product ever come out of a non-tech company? … I can't think of a single example.

Managing the software development lifecycle is radically different from other business process. … There's an inevitable impedance mismatch.

I can't think of any industry where this would be more true than healthcare. I really doubt that we're going to see anything other than broken systems in this field for a long time.

Last word has to go to DWXXV:

At one point … Google also tried to make [an EHR] before bailing out. It's really ****ing hard.

The moral of the story?

And you think you have problems with spaghetti code?

And finally

Today I learned Beyoncé’s Single Ladies is “so cool”


You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: Paul Brennan (via Pixabay)
