What the Recent Data Breach Says About the State of Health IT

Recently officials at Oregon Health Sciences University discovered that residents in several departments were storing patient information on Google Drive, and had been doing so for the past two years. They treated this discovery as a breach of privacy and notified 3000 patients about the incident.

While I don’t condone the storage of patient information on unapproved services like Gmail or Google Drive, this incident pretty much highlights the sorry state of information systems within the hospital and the unfulfilled need by physicians for tools that facilitate workflow and patient care.

It says something that the Oregon residents felt compelled to take such a drastic action. I don’t know what punishment – if any – those responsible were given by administrators for their “crimes.” I’ll leave it to readers to make up their own minds about the wisdom of the unauthorized workaround and the appropriateness of any punishment. But I do know that the message the incident sends is a very clear one.

We’re screwing this up. There is really no earthly reason why it should be any more difficult to share a patient record than it is to share a Word doc, a Powerpoint or yes, even a cloud-based Google Drive spreadsheet.

Why the Breach Happened

What’s going on here? Let’s say I admit a patient to the hospital.  Our friend was hospitalized here just last month, and like many patients, he has dementia or is poorly educated, and does not know the names of the medications he takes. Unfortunately, I don’t have the ability to see what he takes or how he was treated during the prior admission because the records in the computer are there for documentation’s sake and don’t contain any meaningful information. This is clearly a problem for me.

Therefore I will spend time calling outside facilities to gather information and repeat several tests and imaging procedures.

Medical care has become a team sport, and residents have developed systems for keeping track of their patients and communicating to other physicians. It takes some time to think about and process each patient that comes in, to consolidate all the information. Ultimately, I need to boil that information down to a five-minute description on the patient, their problems, the status of their current admission, and what needs to happen before they go home.  We do this in the form of a signout document.

Figure: The signout document has four to five columns and includes the To Do list for each patient.

The EMR does not have a good way to store information in this format, and  additionally I have no way of editing this in real-time to communicate with my
coworkers what still needs to be done. That’s why residents were storing their  signouts in Google Drive.

What providers need here is simple data management. We need to store and access this list from different computers. We need the ability to enter a subset of those data  using a custom form, and the ability to print subsets of those data to create a To Do lists, rounding sheets, or progress notes.

What we can learn from this breach

In the end, there was no actual breach of data. Don’t blame the residents for what  happened in Oregon. They have, better than anyone, demonstrated an unfulfilled
need for good medical software that is user-tested.  Products that develop through hospital IT departments are slow, non-intuitive, and buggy. Hospitals need to invest
in health IT, above and beyond that need to meet the requirements of Health IT  legislation. We need designers, software product mangers, and user testers from

David Do, MD is a graduate of The Johns Hopkins University School of Medicine and a resident physician at the Hospital of the University of Pennsylvania. He is an agile software developer and Chief Technology Officer at Symcat.com.

Categories: Uncategorized

Tagged as: , , , ,

26 replies »

  1. It would appear that organizations in healthcare industry, both big and small, are targeted, and IT experts are critical in helping healthcare organizations to prepare for and defend against cyber attacks. The main reason healthcare organizations are still neglecting the issue of cybersecurity is because of the considerable costs associated with it. Training employees on how to spot a cyber attack can help to reduce the risks of a healthcare breach.Cybersecurity related online communities become a good reference for employees to get more information. I would like to suggest Opsfolio.com, an online community for those involved with healthcare cyber security, which is a right guide for me to get healthcare cybersecurity informations.

  2. It’s really a strange phenomenon: the usability of the systems we have to use at work – inside corporations and organizations – is so far behind what is available to us as consumers. And the gap seem to be widening – not closing.

    Enterprise software needs to catch up. We can, and must, demand *consumer-grade usability* at work, too.

    I quoted this post and linked to it here:

    SUNCS is the acronym for “Secretly Using Non-Corporate Software” – another kind of “BYOD” (Bring Your Own Device). Probably even more common …

  3. No CPT, ICD, or MU.

    Of course it’s useful, and of course it has nothing in common with a certified EMR.

  4. Absolutely, I say let’s force existing vendors to free the data and we can bring in silicon valley developers, designers, and security experts to do it right.

  5. Thanks for sharing, Chris. Unfortunately, when it comes to IT, hospitals are focused on security rather than what technology can do for patient care.

  6. Very telling we have faced this time and time again. We as physicians have to adapt the ways we round and see patients around the way the EMR (software) was built a decade ago instead of these programs being programmed to help you out as a provider they are an impediment to workflow.

  7. Four years go, my hospital discovered residents using Googledocs for the same purpose. A huge memo, finger-wagging, and explicit prohibition of Googledocs followed. The residents were then compelled to share spreadsheets of patients lists by email. Give them a better solution, not a lecture.

  8. With all due respect, there is nothing about ANY of the various and sundry codewastes labeled “EHR”s that stand any scrutiny as to efficacy or efficiency in regards to actually assisting in the flow of patient care or it’s documentation.
    And that is in fact due to the very specific exclusion of active physicians from their design.
    The same tired panel of executive physicians pop up to “provide the doc’s views” on every topic – reads like the AMA roster – but no one really uses this crap who is in fact accountable.
    Remove the Hold Harmless clauses and this idiocy will halt.

  9. As currently configured, the systems on which $ billions of the taxpayers is being spent, are impediments to workflows and care, which is why workarounds are commonplace, especially at Oregon U. What I like is how the government wants meaningfully unusable devices to be used in a meaningfully useful way. Hello?

  10. Yes, this is a very accurate assessment. Although #3 is not shocking to me because users should always know whats more useful–its just that developers and buyers of software need to include the users in decisions, and extensive user testing before deployment is critical.

  11. This “breach” tells a very clear and powerful message.

    1) Doctors (in this case residents) are NOT opposed to electronic medical records. They are opposed to BAD electronic medical records.

    2) If the “approved”, “meaningfully used” electronic medical record was useful, the residents wouldn’t have taken the time and trouble to write their own.

    3) If residents (in their abundant (?) spare time) can come up with something that is more useful than the system designed by professional software developers receiving subsidies from the Feds, there is something seriously wrong with the path we are on.

    The Emperor (EMR) has no clothes!

  12. Thanks for the details. Is OHSU a dangerous place for private patient data or are they reporting more than everyone else?

  13. Agreed that validation is necessary. Instead of RCTs, validation needs to be in the form of user satisfaction, less time on the computer, and more time for patient care.

  14. I would argue that more oversight for software would require more fixed versioning. That makes it less agile and ultimately less usable. Furthermore, would I go through FDA approval to build software internally too? I don’t want the FDA anywhere near my software.

  15. There were several other “genuine” breaches at OHSU in the past year (not that they’re special; this is commonplace):

    Unauthorized use of cloud computing storage services in two departments of Oregon Health & Science University has resulted in the organization notifying more than 3,000 patients that protected health information may have been compromised. The incident is the third major breach for OHSU in the past year. The previous breaches on the HHS Office for Civil Rights’ public Web site included an unspecified theft on July 4, 2012, affecting 702 patients, and the theft of a laptop on Feb. 22, 2013, affecting 1,114

    As Bill Hersh might say, though, as he has to me about EHR-related patient mishaps, “it’s anecdotal.”

  16. And by the way, IT is not a solution to anything unless said solution is validated as being a solution. Most IT in medicine right now is a solution to the bottom lines of most hospitals ( although some have had their Fitch bond ratings reduced).

  17. The FDA is fully capable of vetting these software driven workflow controlling devices in the premarket and after market. Right now, there is zero oversight.
    For instance, @curly sent in references to defects in the ordering devices of an EHR vendor. What organization is responsible to assuring that the device is actually fixed?

  18. Interesting perspective. How might you structure regulation for safety or efficacy of an IT solution?

  19. ******I don’t know if more oversight is the answer–in fact, I would caution that regulation and incentives are to blame for much of the problem.******

    There is zero regulation for safety, efficacy, and usability of these EHR and CPOE devices. ZERO! It can not be the blame if there ain’t none.

    There was not any FDA regulation of the compounding pharmacy that sold contaminated (w fungus), There is not any FDA regulation of EHR, CPOE, or CDS devices and they are disruptive to care and workflows.

    On the other hand, there are innumerable poorly conceived incentives, each with unintended consequences, and they can be blamed as an amplifier of the toxicities already in the systems.

  20. John,

    It’s easy to place blame after an incident like this, but these types of “breaches” are happening everywhere, whether its in the form of cloud storage, carrying health information on thumb drives, or using unapproved email accounts.

    There are surprisingly few “secure” ways of storing and sending health info in the hospital.

  21. Dr. Williams, the IT solutions we choose certainly have an effect on patient care that is hard to fully characterize. I don’t know if more oversight is the answer–in fact, I would caution that regulation and incentives are to blame for much of the problem. We do, however, need systems that are usable so physicians can focus on patient care.

  22. It is much worse than that. Glad someone is waking up to the toxicity that these multi million dollar systems are having on medical care, patients, and their doctors. All happening without FDA oversight. All happening devoid of any oversight. A sham on America, courtesy of the Congress of the United States, that was deceived by the HIT industry and its greenbacks.