Recently officials at Oregon Health Sciences University discovered that residents in several departments were storing patient information on Google Drive, and had been doing so for the past two years. They treated this discovery as a breach of privacy and notified 3000 patients about the incident.
While I don’t condone the storage of patient information on unapproved services like Gmail or Google Drive, this incident pretty much highlights the sorry state of information systems within the hospital and the unfulfilled need by physicians for tools that facilitate workflow and patient care.
It says something that the Oregon residents felt compelled to take such a drastic action. I don’t know what punishment – if any – those responsible were given by administrators for their “crimes.” I’ll leave it to readers to make up their own minds about the wisdom of the unauthorized workaround and the appropriateness of any punishment. But I do know that the message the incident sends is a very clear one.
We’re screwing this up. There is really no earthly reason why it should be any more difficult to share a patient record than it is to share a Word doc, a PowerPoint or yes, even a cloud-based Google Drive spreadsheet.
Why the Breach Happened
What’s going on here? Let’s say I admit a patient to the hospital. Our friend was hospitalized here just last month, and like many patients, he has dementia or is poorly educated, and does not know the names of the medications he takes. Unfortunately, I don’t have the ability to see what he takes or how he was treated during the prior admission because the records in the computer are there for documentation’s sake and don’t contain any meaningful information. This is clearly a problem for me.
Therefore I will spend time calling outside facilities to gather information and repeat several tests and imaging procedures.
Medical care has become a team sport, and residents have developed systems for keeping track of their patients and communicating with other physicians. It takes some time to think about and process each patient that comes in, to consolidate all the information. Ultimately, I need to boil that information down to a five-minute description of the patient, their problems, the status of their current admission, and what needs to happen before they go home. We do this in the form of a signout document.
Figure: The signout document has four to five columns and includes the To Do list for each patient.
The EMR does not have a good way to store information in this format, and additionally I have no way of editing this in real-time to communicate with my coworkers what still needs to be done. That’s why residents were storing their signouts in Google Drive.
What providers need here is simple data management. We need to store and access this list from different computers. We need the ability to enter a subset of those data using a custom form, and the ability to print subsets of those data to create To Do lists, rounding sheets, or progress notes.
What we can learn from this breach
In the end, there was no actual breach of data. Don’t blame the residents for what happened in Oregon. They have, better than anyone, demonstrated an unfulfilled need for good medical software that is user-tested. Products developed through hospital IT departments are slow, non-intuitive, and buggy. Hospitals need to invest in health IT, above and beyond the need to meet the requirements of Health IT legislation. We need designers, software product managers, and user testers from
David Do, MD is a graduate of The Johns Hopkins University School of Medicine and a resident physician at the Hospital of the University of Pennsylvania. He is an agile software developer and Chief Technology Officer at Symcat.com.