Black Turtlenecks, Data Fiends and Code. An Interview with John Halamka

Of the nearly 100 people I interviewed for my upcoming book, John Halamka was one of the most fascinating. Halamka is CIO of Beth Israel Deaconess Medical Center and a national leader in health IT policy. He also runs a family farm, on which he raises ducks, alpacas and llamas. His penchant for black mock turtlenecks, along with his brilliance and quirkiness, raises inevitable comparisons to Steve Jobs. I interviewed him in Boston on August 12, 2014.

Our conversation was very wide ranging, but I was particularly struck by what Halamka had to say about federal privacy regulations and HIPAA, and their impact on his job as CIO. Let’s start with that.

Halamka: Not long ago, one of our physicians went into an Apple store and bought a laptop. He returned to his office, plugged it in, and synched his e-mail. He then left for a meeting. When he came back, the laptop was gone. We looked at the video footage and saw that a known felon had entered the building, grabbed the laptop, and fled. We found him, and he was arrested.

Now, what is the likelihood that this drug fiend stole the device because he had identity theft in mind? That would be zero. But the case has now exceeded $500,000 in legal fees, forensic work, and investigations. We are close to signing a settlement agreement where we basically say, “It wasn’t our fault but here’s a set of actions Beth Israel will put in place so that no doctor is ever allowed again to bring a device into our environment and download patient data to it.”

RW: Is this the number one crazy-making issue for CIOs?

JH: Absolutely. Basically, my medical center board, the Attorney General, and Federal regulators are saying, “You are personally accountable for every byte of data on every thumb drive, every mobile device, and every network in your system.” So I came up with a 3-year plan where I explained to the board that it’s going to cost 5 million dollars a year and I’ll need 14 new staff. They said, “Okay.”

RW: I see how expensive and impossible that is. But how does it harm patient care?

JH: What ends up happening is that, to protect the 3% of patients who deeply care, I have to compromise the liquidity of 97% of the patients’ data. My medical record is public. My wife’s record is public. My father-in-law’s record is public. We don’t care. My daughter is 21, and she puts her relationship status on Facebook. Does she care about her flu shot? No. It’s just fascinating. We create this culture of culpability and fear to address a very small percentage of the population that is convinced that their allergy to whatever is going to cause them loss of standing in their community.

RW: Between meaningful use requirements and HIPAA, there’s no doubt that the world of health IT has become far more bureaucratic and restrictive. Would you say that that’s getting in the way of nimbleness and innovation?

JH: Basically, I spend 50% of my time – five-oh – on this stuff. Not on building innovative, mobile devices for our doctors. Not on building highly usable applications for the inpatient ward. It’s on, “How do I prevent your iPhone from downloading a piece of patient information should you lose your phone?”

I became the CIO of Beth Israel Deaconess in 1997. Since that time, 300,000 pages of new healthcare regulations have been published. Back in ’97, I actually spent my day writing applications. We thought, “Let’s see how we can engage patients and families? Let’s create the first personal health record in the country.” We had daily meetings about features and functions we would add to the PHR.

Today it’s like, “Oh God. ICD-10. I need to come up with a new interface to allow you to code guinea fowl injury.”

RW: If a young person came to you and asked, “Should I go into clinical informatics?” what would you say?

JH: I’m in this field not for fame and fortune but to make a difference. It’s possible to make a difference, but you may want to do it in a different context than being in a healthcare delivery organization.

Can you create an app that will revolutionize patient care? Yes. But can you – in the context of working in a hospital, which is trying to meet the requirements of ICD-10, meaningful use, and the ACA – spend vast amounts of time on innovation? You can’t, really.

With HITECH and meaningful use, this is a time of great change in health IT. I asked Halamka to sketch out his vision for health IT after the dust settles.

JH: Today’s EHRs – they’re a horribly flawed construct. It’s just digital paper. What we really need is a combination of Wikipedia and Facebook. The Wikipedia part is the narrative of your life, and it’s written by a team and updated frequently. Facebook-like walls contain the events that are happening now. They say, “Oh, I had a TIA today. And I went to the ED. Oh, and I had a head CT …”

RW: What does the future doctor-patient visit look like?

JH: We use scribes in our emergency department and that has vastly improved physician productivity and the quality of the record. Why should a doctor have to document the vital signs? It’s crazy. So shared team documentation with a single accountable person who just edits the note inside the EMR – that’s the future.

I do envision a day where the medical record could simply be an audio or video record of the encounter. We’ll say to patients, “We’re going to put that in a shared medical record where you and I can see and hear what we’ve talked about today.” But unfortunately, it’s very hard to do quality measures on that.

I asked Halamka to share a bit of his personal story.

JH: When I was 12 years old, I lived in Southern California. My parents went to law school. I was a latchkey child in the early 70s, when defense contractors were very, very big in Southern California. It was the heyday of that industry.

Integrated circuits were very expensive and rare, but when a TRW or a Hughes Aircraft would build a satellite and things didn’t meet military spec, they would sell their integrated circuits by the pound.

As a 12-year-old, I rode my bike to surplus stores picking up integrated circuits. Then I got the manuals for the circuits and I taught myself analogue and digital logic, then early programming. In 1979, when Altair came out with the 8800 and the specs were published in Popular Electronics, I built an Altair 8800.

When I arrived at Stanford in 1980, I was the first student there to have a computer. While I was there, both the PC and the Apple were introduced. I was in the middle of that environment as this whole revolution was taking place.

RW: That’s pretty incredible. You could have gone on to work in Silicon Valley. What made you want to go to med school?

JH: From about the age of eight, I wanted to be a doctor and a scientist. Biological systems really fascinated me. The Six Million Dollar Man and the idea of machine-human integration really fascinated me.

My dual interests – in life sciences plus technology – led me to enroll in the MSTP [MD/PhD] program at UCSF. My advisors were [future Nobel prize winners] Harold Varmus and J. Michael Bishop. They said, “You want to do engineering? Why?” While working at Lawrence Livermore Laboratory, I founded a technology start-up. But one of my med school advisors said, “You cannot be a medical student and run a company. We’re either going to kick you out of medical school or you have to give up your company,” so I gave up the company.

During my emergency medicine residency at Harbor UCLA, I helped computerize the ED – the ED became mobile and paperless. The county of Los Angeles gave me its Employee of the Year award in 1996.

RW: Did people think you were a complete oddball?

JH: Yes. But when I came out to Boston, I was finishing up a fellowship at MIT while attending in emergency medicine. Tom Delbanco [then chief of general medicine at Beth Israel Hospital], said, “You know what we need? We need somebody who understands technology and medicine. You’ll be responsible for all quality measurements and business intelligence within our delivery system.”

So here I was, a month out of fellowship, now running a staff and a budget. Jim Reinertsen, the new CEO of the medical center, said, “I’ve got a problem. The doctors hate IT and hate the IT leader here. I hear there’s this young guy who has created things on the web.” In an act of administrative malpractice, he made me the CIO in one bold stroke. No interview. Just “You’re the CIO, okay.” And I’ve been on this ride since ’97.

I ended by asking Halamka whether computers will ever replace physicians.

JH: Of course I embrace technology and innovation, but remember that IBM’s Watson thinks Toronto is a U.S. city [a famous misstep in its otherwise astounding 2011 Jeopardy victory]. As an emergency physician, what do I believe is the difference between a novice and an expert? Two things: I know what data to ignore, and intuition.

RW: What does intuition mean in the IT world?

JH: You walk into a patient’s room and see objective data. But then you look at the patient, and can say in 30 seconds whether this person needs to be admitted, or not.

RW: But won’t computers figure out how to do that?

JH: Computers can be excellent filters. Then a human can look at that filtered result and say, “Ah, I think this is a patient who has X.” Yes, absolutely. They can turn unstructured data into structured data. They can highlight, they can emphasize, they can alert, and they can remind. But the decision-making – I think that is still ultimately human.

RW: Why?

JH: Because of nuance. Take my wife and her cancer treatment. She had totally protocol-driven cancer treatment. But she’s a visual artist. Taxol has this interesting problem of causing neuropathy, which if you’re a jackhammer operator, who cares? But if you’re a visual artist and there’s this subtle loss of feeling in your fingers, what should the computers say? Stop the Taxol. Change the protocol. This is a judgment based on subtlety. I just worry that computers will never quite get there.

RW: Never, as opposed to, say, in the next 20 years?

JH: Without question they can simplify, they can make our lives and our workflow more efficient. But they can’t replace us.

*     *     *

Edited for length and clarity. I’ll post additional interviews over the next few months. My book, The Digital Doctor: Hope, Hype, and Harm at the Dawn of Medicine’s Digital Age, will be published by McGraw-Hill in early April; it’s available for advance purchase now.

Happy New Year to you and yours.

36 replies »

  1. This article is very interesting. Patients and employees need their medical histories protected. Especially since my old employer put bold horrible lies about my medical history on the Web to defame me. I Googled my name and it popped up with horrible lies regarding facts that have never been true regarding my medical history. This did affect me in my chosen profession. Yes we need the HIPAA regulation to govern fools who use MIS work to sabotage and bully innocent victims.

  2. Dr. Halamka is one of my favorite people. Years ago (back when we used aggregators — I did love my Bloglines) I followed his blog posts regularly. I hadn’t thought about him for some time.

    I see his mention of making records public has struck a nerve. There are plenty of arguments pro and con, but the one glaring reality of HIPAA is that our obsession with privacy is probably costing more lives than it saves, especially when it comes to keeping firearms out of the hands of crazy people. I know that insurance underwriters and other huge corporate entities buy and sell our health records all the time, so access is not nearly as limited as we like to imagine. Just thought I’d mention that.

    Meantime, I need to remind myself to drop by THCB more often. I delete so many of those email notices from spam comments that I sometimes forget this place is still out there. I need to find time to stop in more often.

    Carry on.

  3. Thanks for sharing your thoughts with us. It’s really helpful to me.
    This will be required reading for future generations doing a PhD in “Unintended Consequences”.

  4. Almost no one believes that EHRs have yielded a net positive benefit.
    Most medical providers believe it has been a net negative.

    Yet billions have been spent….and the spending goes on and on.

    Why don’t we repeal any legislative mandates or HHS policy mandates and just stop? Let any private system that thinks they can make it work proceed, but stop the incentive payments and coercion…..the savings would be immediate and substantial.

  5. If Halamka had secured the network, had real Network Access Control, and other proper measures in place, there would not have been an issue. So perhaps the hospital should charge him for the costs related to the breach.

    That said, I can imagine that there isn’t time for a Chief Information Officer to ensure all that trivial stuff like protecting patient information when there are blogs to write. It’s all a matter of priorities.

  6. I’ve had patients beg me to destroy records. “I don’t care” is not the correct response. We are all in love with computers and they will, alas, never be secure. The asymptotic approach to security is not good enough if you are running for office and you had an STD. We fell in love with a flawed product….just like sucrose. Patients are not going to agree to have all their data entered, especially after a few more Sonys. Interoperability simply tells the hackers “Make my day”.

    We may have to go to something radically different from TCP/IP and use LANs which are deliberately non-interoperable, with quantum cryptography all over the place. The costs and the effort may not be worth it.

    • WP alludes to another devilish problem. When patients know their clinical data are not secure, they will stop telling us the things we need to know to give good care. What is withheld may be trivial or critical. We won’t know until there are adverse outcomes.

      I, too, have had patients beg me to destroy records. I have had many requests to treat off the record, particularly STDs, contraception or unintended pregnancy counseling for women whose partners have had vasectomies and in cases of abuse.

      I’ve told women once they tell me something, it’s difficult to take it back and advised them to go to another provider before I create a note. Pay cash, use a false name and demographics and refuse to show your DL. It’s tough, but it can be done.

      Statins? Flu shots? Spend some time in gyn, then we can talk about interoperability. WP is spot on.

      • Dr Kapsa you are quite correct. The successful doctors of the future will have WRITTEN records of their patients, which they will maintain in the secure environment of their offices. Just like Marcus Welby.

        Patients will pay them with REAL money, not fake money. The doctor will decide what fees are appropriate. Just like Marcus Welby.

        The records of the patients will be secure and confidential. The people who work in the hospital up the street will not have access to gossip about them. The patients will be happy because they know their private information is not spewed all over the internet, or owned by the government or some giant insurance entity. Just like Marcus Welby.

        The doctors will be pleased to take care of their patients. The patients will be pleased to have the doctor’s advice. They will trust the doctor and view him/her with respect. The doctors will have time to spend with their patients. Just like Marcus Welby.

    • “We fell in love with a flawed product….just like sucrose.”

      Spot on.

      This will be required reading for future generations doing a PhD in “Unintended Consequences”.

      I think it will be a separate branch of study in another 10 years.

  7. Jeff is right to be wary of insurance company benevolence. I worked in the industry for a couple of years and was taken aback at the depth of info the company had on “insureds” and dependents. And providers. No pretense about de-identified data. The most unsettling aspect is all these data also flow to their business associates, fully identified.

    It is ALL follow the money. Many insurance industry BAs want the full info for data mining. The combo of names, SSNs, ICD-9/10, Rx’s and prescribers is solid gold. Becoming an insurance company BA is relatively easy.

    We’re all creating revenue streams for McKesson, Optum, Medco and the like.

  8. I wonder what the feasibility would be to have several levels of security that would apply to the same individual’s medical record. For the most sensitive information, access would be extremely limited while much less sensitive information would be readily available to a broad audience. Under such a system, employers, for example would not be able to gain access to the most sensitive information under any circumstances no matter how much they were willing to pay for it.

    • Unless your medical record has notes about your treatment for bipolar disorder, a positive BRCA test, your kid’s autism, your losing fight with your cocaine habit, family history of Huntington’s Disease…and on. And on.

      Then, federal protections or not, most employers will find ways to lose your application. Employers check Facebook, Instagram and other social media before making offers to prospective employees. If they’ll pull an offer because of questionable behavior on spring break, they’ll run screaming in the other direction when they find out what your illness is going to do to their insurance risk pool.

      And it’s not just employers. Perhaps I’m sensitized to privacy issues after a quarter century of Ob/Gyn. Most folks reading this (unless they do Ob/Gyn) would be stunned at the number of husbands, ex-husbands, ex-boyfriends, ex-lovers, divorce lawyers, mothers-in-law, mothers and miscellaneous busybodies who claimed rights to get women’s reproductive histories.

      Just what’s needed. A frightened woman with an abusive ex-partner and publicly searchable records of her contraceptive history.

      The Law of Unintended Consequences is as immutable as the laws of thermodynamics. But less predictable.

        • You are right – privacy matters to many and loss of privacy makes a few (or many, or significant many) very vulnerable.

          JH is also right – privacy is not such a big deal to many.

          JH is right that it costs tons to safeguard a few, diverts resources from innovative use (opportunity costs) and that there is a law of diminishing returns.

          You are all correct. Which is why this is a wicked problem with no solution.

          Electronic records is a boon. No denying that.

          Electronic records create a fragile system and is a curse. We are finding that out as well.

          Boon – curse – inevitability. This is stuff of Greek Tragedies.

          • Wouldn’t it be great if we could tune the system to adjust to peoples’ privacy preferences, instead of fetishizing medical privacy and encasing the system in thousands of pages of incomprehensible and inflexible regulations?

            I am a privacy fundamentalist with limited trust in the benevolence of our health insurance system. Nevertheless, the health information architecture I would impose on society to accommodate my lack of trust carries HUGE societal and institutional costs along with it (which I think we’ve already incurred).

            We haven’t had a very constructive societal conversation about this stuff, like a lot of other important things (end of life preferences, how to manage our personal health risks, eg.). The bigger and more polarized our society gets, the worse it is at dealing with this stuff.

          • “Wouldn’t it be great if we could tune the system to adjust to peoples’ privacy preferences”

            Jeff, that is a plausible solution if you could fine tune privacy and get people to pay the marginal cost of added privacy.

            Otherwise everyone will prefer less privacy for others but not for themselves. A bit like mutiny at Harvard over Obamacare’s rising cost sharing – over which I have been laughing so hard that I’ve burst three hernia orifices (HIPAA, I permit myself to disclose this sensitive medical information)

          • Can’t help but wonder what would happen if there was no way to monetize the data. Would JH be so interested in “data liquidity” then?

            We all have spheres of privacy. For some, it’s health or personal lives. For others, it’s financial dealings. It was instructive to search JH’s conflicts-of-interest. He has multiple positions on the boards of HIT companies, among others. For these companies liquid data are life blood.

            For one company, Imprivata, he states he does not currently own stock. Odd wording. Red flag. Technically true. But a quick SEC search showed he holds options to purchase 70K shares at a very favorable price compared to yesterday’s close. That’s a cloud across the Sunshine Law.

            If you hold options, say so. Or is that no one’s business?

            I laughed so hard the dogs gave me strange looks. No hernia worries, though.

          • “For one company, Imprivata, he states he does not currently own stock. Odd wording. Red flag. Technically true. But a quick SEC search showed he holds options to purchase 70K shares at a very favorable price compared to yesterday’s close. That’s a cloud across the Sunshine Law.”

            Yes, that’s all very interesting but it does not diminish the validity of his concerns. Nor do his concerns diminish the reality of your concerns. This is a tricky cerebral exercise for some, but perhaps you’re both right.

            Once we stop playing the man and play the ball, we can grasp the magnitude of the cluster—– we are in.

            This could be worse than sub prime mortgages.

            Fragility +++

            The hubris of Homo Sapiens designing a perfect society will either induce laughter or tears.

            I plan on laughing.

  9. I have an uncanny suspicion that the price of stolen PHI is high precisely because we safeguard it as if we are safeguarding the names of Taliban informers in North West Frontier Province (sorry, just finished watching Homeland).

    I don’t think the average citizen would care terribly if one knew which brand of statin they were taking. But I would certainly care, if I knew my concern was the path to a multi-million dollar lawsuit.

    Could someone kindly steal my PHI?

  10. “Few women would be eager to have records of STDs, contraception, partner abuse, substance abuse, mental health treatment, infertility or high-risk pregnancies publicly available.”

    I’m no Halamka booster – he CAN be by turns both arrogant and ignorant – but at the same time no one is proposing to make the information you mention, or any other personal information “publicly available” by default.

    Halamka SHOULD, & probably does, understand that having tight access and usage tracking & recording controls is of great benefit to his organization and to each and every person whose data flows through his organization’s IT apparatus and/or makes use of that information and equipment. People and organizations are going to be much more reluctant to misuse information if they know that they can & will be held accountable for it.

    He’s right that it’s a waste of his time to build impenetrable, leak-proof information “pipes” for health information. There’s no way any such system will ever be 100% leak-proof. Instead, rigorously document whose data is entered & accessed & revised, by whom, when. And devise rules about who may use data, for what purposes, and always, always, always require active permission from people whose existence generates the data before it’s used for any purpose, ever. Computers are good at keeping records like that.

    • Respectfully disagree. When Halamka speaks about the medical records of his extended family all being public, the implication is that should be the default. He dismissively mentions flu shots and allergies, seeming to forget that medical records contain considerably more sensitive data. He even speaks of ditching EHRs in favor of some Facebook/Wikipedia-like construct.

      And even PHI for healthy people that records only allergies and flu shots has SSNs, medical histories, family history, demographics and insurance info. It may include genetic testing results and other labs, consults, photocopied driver’s licenses, email addresses and contact names. All data valuable to identity thieves.

      Halamka uses the phrase “liquidity of patient data”. The phrase suggests such data is a commodity Halamka has some self-granted right to use. It does not follow because Dr. Halamka thinks his IT projects are critical to health care, he has a right to belittle other peoples’ preference for medical privacy and PHI security.

      Perhaps he intends to be provocative. Nothing wrong with that. Unless one is the CIO of a major teaching/research medical center. That position calls for circumspection.

      Arrogant technocrats are every bit as scary as arrogant federal bureaucrats.

  11. This interview is one of the finest things I’ve seen in seven plus years on this blog. As you can see, John was “present at the creation” of this digital world, and voluntarily chose to work in medicine. He donated at least a kidney and a half acre of brain cells to work in our screwed up field.

    My favorite line:

    “As an emergency physician, what do I believe is the difference between a novice and an expert? Two things: I know what data to ignore, and intuition.”

    Right frigging on, John! This is why people call it medical PRACTICE. The practice part is really important.

    Note to Matthew Holt: we need to have a “double keynote” session at a future 2.0 between this reality based individual and either Vinod Khosla or Eric Topol.
    I would pay to sit in the front row and watch the fur fly. There’s nothing like actually WORKING with technology to understand its limits.

    Bravo, John and Robert.

  12. It’s difficult to say whether Dr. Halamka’s comments reflect arrogance or ignorance. Or both. His assertion that only 3% of people care about medical privacy is no doubt based upon a survey. I suspect if you surveyed the same people and asked them whether they want their most intimate health records searchable by Google (or their employers), the results would look different.

    I practiced Ob/Gyn for 25 years. Few women would be eager to have records of STDs, contraception, partner abuse, substance abuse, mental health treatment, infertility or high-risk pregnancies publicly available.

    Further, medical records are a gold mine for identity theft. See: http://kaiserhealthnews.org/news/rise-of-indentity-theft/. Patients aren’t keen to get over serious illnesses, then spend years dealing with identity thefts.

    Since Dr. Halamka’s commitment to patient privacy seems ambivalent, at best, perhaps his employer would do well to replace him with a CIO invested in patient privacy. Before New England Deaconess’s data joins Target’s and Home Depot’s on Eastern European servers.

  13. “I just worry that computers will never quite get there.”

    This is interesting to hear coming from an info tech guy.

  14. The nine most terrifying words in the English language are: ‘I’m from the government and I’m here to help.’ – Ronald Wilson Reagan

      • yes thank GOD we have obama to save us . . .

        the government is perfect now and never makes mistakes, or spies on us, lies to us, or spends our money wisely on programs and never wastes it. we all sleep better at night knowing that we are protected from all our enemies, foreign and domestic . . .

          • I was no big fan of Reagan, and certainly not of Bush. But to compare the two to our current buffoon is ridiculous.

            Under your logic, Nixon should never have been impeached, because he only lied, covered up scandals, and misled the American people, (just like obama).

          • Huge differences between Reagan and Obama, not even close. Nice try, though. Reagan believed in America, Obama not. Reagan LOVED America, Obama not. Reagan was able to compromise and bring folks together, Obama has done all he can to divide this country by: race, income, gender; Reagan was respected by world leaders and they believed he not only believed what he said, that he would do what he said (Berlin wall falling, anyone), Obama is laughed at by other world leaders and publicly mocked (he looked like a child next to a true statesman like Netanyahu); Reagan wrote his own speeches and believed every word he said, and did not need a teleprompter to talk about what he believed in, Obama needs a teleprompter to read someone else’s “polled” speech, and every time he goes off the script he gets in trouble; Reagan believes in a strong defense to protect America, Obama hates the military and is gutting it…

            Shall I continue? No, I didn’t think so.

            Good luck with all of that.

  15. “Taxol has this interesting problem of causing neuropathy, which if you’re a jackhammer operator, who cares? But if you’re a visual artist and there’s this subtle loss of feeling in your fingers, what should the computers say? Stop the Taxol. Change the protocol. This is a judgment based on subtlety. I just worry that computers will never quite get there.”

    Interesting. I have a dear friend of some 40 years. An incredible musician — drummer, keyboardist, and songwriter. I had the incredible good fortune to share a stage with him in the early 70’s back in my musician days.


    One of the finest percussionists in the nation. That’s him on drums live during a small club gig. For more than a decade he’s been fighting off mantle cell lymphoma. His myriad treatments (the gamut; radiation chemo, bone marrow transplant) have left him fairly crippled with neuropathy.

    And reduced to penury (The American Way!). We held a couple of benefit shows for him. We basically had to “launder” the proceeds so as not to screw up his Medicaid eligibility. He’d had insurance too, but blew through the coverage, lost his house to foreclosure. His wife died from COPD complications last year.

    I don’t know how he keeps his will to survive. He still tries to play drums, but the neuropathy renders it problematic.
