Saturday, April 28, 2012

Don't Worry, Your Records are Safe - Part IV

At past posts "Don't Worry, Your Electronic Medical Records Are Getting Safer With Every Passing Day", "Another Episode of "But Don't Worry, Your Records are Safe..." and "Still More Electronic Medical Data Chaos, Pandemonium, Bedlam, Tumult and Maelstrom: But Don't Worry, Your Data is Secure", I wrote on the issue of medical record security.

Security from prying eyes, that is.

I didn't include security of data from placement into /dev/null (that is, destruction).

There's this email, received by East coast physicians not long ago from a claims processing company (identities redacted):

Dear Provider,

As you may be aware, we experienced a significant problem with our computer system during a software maintenance function on XX/XX/2010.

In addition to the network issue, we discovered that the redundant back-up systems were not operating as reported.  ["Reported" when, and by whom, one wonders? - ed.]

We had two on-site back-up systems that were monitored daily and which were historically reported as successful.  We have since learned that these internal back-up functions were not operating as reported and the on-site back-ups were not entirely successful. [Meaning, they were not successful, period - ed.]

Also, our software vendor, [major EHR vendor], was providing two additional remote back-ups on servers located in [city, state] and [city, state]. [EHR vendor] has informed us that these remote back-ups were not initiated as represented.  [Meaning, they screwed up - ed.]  Therefore, when our computer network system malfunctioned, there was no readily available back-up data on-site or at the remote redundant back-up servers.

Please be aware that we have replaced hardware components and were able to recreate the data bases and we are billing.  However, we are still unable to access data that was stored on our servers prior to XX/XX/2010.

[EHR vendor] is diligently working to retrieve the data from the hard drives, back-up tapes, and through other means.  Please be assured that all files will be restored, if the files cannot be fully restored electronically, then they will be fully restored manually.

At [our claims processing company], we are truly saddened by the fact that we have disappointed clients and we sincerely apologize for any inconvenience experienced by you, your staff, or your patients.

We have always appreciated your loyalty as a valued client and will continue to keep you informed of the progress.

The levels of information technology and data management incompetence exhibited in this message are stunning. 

The confidence it imparts regarding the safety of our critical medical data from destruction, and its availability when truly needed, is less than stellar.

A major problem is that the health IT industry has no accountability. 

I believe the Food, Drug and Cosmetic Act needs to be amended to become the "Food, Drug, Cosmetic, and Cybernetic" Act.

-- SS

7 comments:

Anonymous said...

The conduct of the vendors is despicable and the evaluations for safety of their devices are non existent.

That this company failed to even have simple back-up in place that was functional ought to be headlines, and, the vendor should be named so that the analysts could properly and accurately assess the stock and get priced right. A penny stock.

Steve Lucas said...

Not being a tech guy I am always amazed at these stories, I still use dial-up. Last week we had to have our large TV repaired. The local shop wanted a fee to look at the TV; we would need to bring it in, and told us they doubted it could be repaired. We should plan on buying a new one, which oh and by the way, they would be happy to sell us.

Calling the national retailer where we bought the TV got us a next day appointment, at a lower price, with a call ahead. The guy was early. He covers a three state area and shows up with a rough use lap top and a battery operated strip printer. Knowing what is wrong he tells me there are no parts, but the TV can be repaired at a set price and he is able to schedule his return since his truck is his wi-fi hot spot. I give him a credit card and receive a print out of the whole transaction.

Now we have a group in this example in a fixed location with the ability to physically cable together a back-up system with a reliable power source. Further, they can access a large capacity fixed line to send a data dump to a secure location and with all this they cannot match my TV repairman.

Decades ago a friend managed a secured large data operation with hundreds of computers doing highly sensitive work. Along with an end of the day off campus data dump, they did smaller back-ups during the day to save work. The man hour calculation was incredible.

So, our government is willing to spend billions of dollars on technology that cannot match my TV repairman’s, trying to replicate data storage and communications systems that were used decades ago in the defense industry, and we wonder why we have a ballooning national debt.

Steve Lucas

Anonymous said...

My records are obviously not safe. The breaches in privacy throughout the USA are epidemic. Checking and monitoring credit for free is meaningfully useless compensation for the breaches. In reference to the report of the desperate email presented above, one would be reasonable to believe that this fiasco is not isolated. I hope that the analyst from Barclays referenced in an earlier blog is paying attention.

InformaticsMD said...

Steve,

I've heard the term "ineptocracy" for our current healthcare/pharmaceutical leadership.

I cannot say the term does not apply to my empirical observations over the past few decades, and it appears to be getting worse.

Your TV repairman knows he either gets it right, or he's broke. It seemsfoul ups like this can get corporate IT personnel a promotion. (I've seen that happen, for example here.)

-- SS

Anonymous said...

Scot,

I enjoyed the example. My estimate is there was a 2 1/2 year delay between the start of the project and any actual work beginning. This would be unacceptable in any other area of business.

This did remind me of a situation my wife encountered. A large federally funded IT project was not going well and my attorney wife was being pushed to be involved by the Feds.

MIS said no, she did not have the skill set, they could read the law and set up the desired system.

Finally she is given a small module and was told to work with a cell phone tower programmer. My wife learns enough programing to understand system limitations. The guy learns to trust my wife's legal knowledge.

My wife had also run a state wide training system so everything developed had a training module attached.

The result was this module was brought on line ahead of schedule, below cost, and everyone was trained and the system was bug free.

The computer guy was let go. My wife was excluded from any further computer work because MIS felt she messed up their system.

Not hard to figure out the turf war and
stupidity of the MIS guys in this situation.

Steve Lucas

InformaticsMD said...

Steve Lucas writes:

My estimate is there was a 2 1/2 year delay between the start of the project and any actual work beginning.

That was about right. I came in after the delay, brought in by the Sr. VP for Medical Affairs to get something done.

You can imagine how popular I was with the IS dept. and its leadership (CIO and COO).

I'd also implored the hospital to aggressively and regularly audit EHR usage looking for unauthorized accesses and other problems. They apparently did not take me as seriously as they could have (link).

The result was this module was brought on line ahead of schedule, below cost, and everyone was trained and the system was bug free. The computer guy was let go. My wife was excluded from any further computer work because MIS felt she messed up their system.

In fact, these two embarrassed the MIS department. That is a "terminal sin."

-- SS

Live IT or live with IT said...

Soooo true. Departmental systems done in conjunction with the users are often very embarrassing to central IT. I did one and after 3 attempts to replace it, they simply absconded with it.

Frankly, I didn't want to keep it,technology ages so rapidly that they stole a system most of the way through its life cycle.

I will say, it ran almost unmodified for almost another full decade.