PATIENT DATA IS BOTH A CONSUMER PRODUCT AND AN ENTERPRISE PRODUCT
Medical system software is frequently misunderstood through the lens of open-standard architecture. If we have open standards for web pages, just as we had one standard each for CD-ROM and VHS, why can’t we have medical software that makes our data free to store, easy to migrate and secure from hacking? With the click of a button, we can share our music, share our live camera feed, share our work documents, share our driving routes…we can share just about anything. Except our medical data. Less than 2% of the population even knows they have a right to their medical data and can ask for it.
We will get there, but it’s essential to recognize that this software runs entire hospital systems with millions of patients. Nobody complains that banks and airlines aren’t run on free, open-source software. Customers of Amazon don’t say, “Hey, I want to take both my browsing history and purchasing history over to Walmart.” But even those aren’t the best analogies, because medicine is decentralized. Health IT software companies can’t come into a hospital and tell doctors, “Well, this is how the software works, so you have to change.” The software has to reproduce the clinical practices and patient flows that the doctors decide is best.
Combine that with the challenge that medicine is evolving faster than any other industry, with each year bringing new treatments, new clinical practices and hundreds of new medical devices. As those software modules come online, they have to work every time, perfectly—for millions of people at once.
Since 2009, the federal government has disbursed $30 billion in incentive payments to foster the transition to electronic medical records, but no open standard has been in place. 456,000 physicians received some sort of incentive payment. This incentive money inflated the value of contracts, allowing hospital systems to prioritize control of their data over the cost of the system.
Over 80% of the country moved to electronic records, but the data ended up in silos. HIPAA laws and anti-kickback statutes also continue to prevent information exchanges.
During the same period, hospital consolidation continued. Mergers and buyout deal flow never slowed, as hospitals felt they had to get bigger to survive. But this led to a Frankenstein of Electronic Health Record systems on the back end.
I am a doctor. I have posted a sign over our fax machine that reads ‘THE SOURCE OF ALL EVIL.’ We’re freakin’ busy. My office struggles to get through a day not killing someone and getting everyone home at a reasonable hour. We respond to a lot of forms that must be filled out, signed and faxed back. Yes, we could do this electronically, but there exists no clear standard as to what constitutes a verifiable, secure, traceable signature that everyone recognizes.
Posting to a physician message board
JUST HOW BAD IS IT?
245 different EHR systems are in use.
Doctors in community hospitals spend 44% of their time in front of a computer, compared to only 28% in direct patient care.
Stage 2 “Meaningful Use” data sharing requirements are so complex that only about 11% of physicians have been able to comply.
Even when different hospitals use the same EHR system, their versions are often so customized that only bare-bones data can be shared.
Faxing medical records from one medical office to another is still all too common. Ironically, it’s easier.
MAKING IT EVEN MORE COMPLICATED…
Today’s EHR for a single patient can be dozens of pages long, including everything from the times of nurse check-ins to lab results to scan images. But tomorrow’s EHR will be exponentially larger and the system infinitely more complex.
245 different EHR systems is nothing compared to the 165,000 health apps for the smartphone that want to integrate sensor data into the medical record. There are over 7,000 medical device companies, and many of the gadgets they make now have sensors ready to communicate to the network.
These apps and devices provide continuous monitoring, so rather than lab results being taken once a year, they capture data minute by minute—even up to 100 times per second. Even if one could share this data stream, the tsunami of raw data would be effectively meaningless without the relevant number crunching and visualization tools.
Great examples of the power of machine learning on medical data are easy to find today. Dr. Atul Butte, director of the Institute for Computational Health Sciences at UCSF, employed AI on big public datasets to isolate a molecular treatment for small-cell lung cancer; Butte predicts computational optimization can bring drug development down from $1 billion to a mere $100,000, and from 10 years to 2 years. Many public datasets are being created: Harvard’s Personal Genome Project, MHealth, Chicago Health Atlas and HealthData.gov are just a few among dozens of accessible libraries.
However, most live medical data in EHRs is decisively not AI-ready. It has to be extracted and standardized, which is laborious work. Machine learning can then scour the data to discover “hidden layers,” i.e., patterns never seen before. But that intelligence can’t then just turn around and run on the live EHR data, especially when it’s looking for something extremely complex, such as a constellation of genes interacting with lifestyle factors. Even when EHRs do comply to a standard, that EHR architecture typically was not built from the ground up for AI optimization.
Anyone and everyone will promise artificial intelligence insight from data. But it’s those who are already doing it, across millions of patients, on live data, who have the distinct advantage.
Interoperability is the holy grail. The problem is that people have to get paid for it.
– Geoffrey Clapp, healthcare entrepreneur and advisor
Motivated by political or ideological revenge
Unskilled programmers using malware tools like CryptoLocker they can buy online
Often put lots of script kiddies to work
Sometimes the stolen data never gets used, and never reappears. One prevailing theory is they’re using the stolen data to model their own health systems.
2.3 million Americans every year are victimized by medical identity theft, most often by someone using their identity to get prescription drugs or medical services
43% of all identity thefts in the US were for fraudulent medical services
On the darknet, stolen medical data fetches 10x the price of stolen credit card data
81% of healthcare CIOs admit their organization has been compromised by cyberattacks
Average % of budget devoted to cybersecurity:
– finance & banking: 12%
– healthcare: 6%
ANATOMY OF A RANSOMWARE ATTACK
A cybercriminal network called Shadow Brokers steals hacking tools from the NSA, and releases them on the darknet to waves of script kiddies.
The NSA warns Microsoft that their operating system is at risk.
Microsoft releases a free patch to fix it in March of 2017—except those running old XP have to pay an expensive price.
The National Health Service in Britain, which uses XP and serves 50 million people, can’t afford Microsoft’s price.
May 2017: The “WannaCry” ransomware attack hits 104 countries, most notably the NHS of Britain. 48 health organizations have no access to testing equipment or patient information. Patients are sent home and surgeries postponed.
IS THE CLOUD SAFER?
Cloud systems are generally more secure, using redundancy and partitioning to limit the scale of any intrusions. However, cloud systems have been hacked, too. The weakest point of any data network is the human access. Even though data is encrypted, the decryption keys pass through a computer’s RAM, and at that point they can be accessed. The vulnerability of devices is so problematic, we will see a new branch of the FDA, responsible not for determining the effectiveness of a device, but for approving its security architecture.
Consumer data companies like LexisNexis Risk Solutions and Acxiom already have compiled thousands of data points on a majority of Americans. This data has been sold repeatedly, making it highly likely that medical data has been integrated with consumer behavior data.
SO WHAT’S THE ANSWER?
No system is entirely impenetrable. One solution: don’t make data safe—make it not worth stealing. New security systems based on the blockchain are so hard to crack that it would take supercomputers years to unlock the stolen data. They use tumblers to disperse data into fragments, so a patient’s medical record is not in one place. Companies like Blockchain Health and partnerships like MedRec (at MIT) are using blockchain on market segments like clinical research and pharmaceutical prescriptions to perfect their systems.
HAS THE BLOCKCHAIN BEEN HACKED?
Yes, Bitcoin cryptocurrency exchanges have been hacked. Twice. $118 million has been stolen. If you’re scared, you should be.
The Road from EHR to UHR—Universal Health Records
EHR companies are in a race to adapt to these new forces. Consolidation is inevitable around the EHRs that can deliver on these criteria:
WINNER TAKE-ALL AI
The migration to value-based care will only make the software system more critical. Whichever EHR standard can deliver the greatest AI benefits, both by improving care and reducing costs, will gain market share rapidly. Current clinical practices and patient flows—meticulously coded into each hospital’s custom EHRs—will suddenly be obsolete. Cloud technology and artificial intelligence will also drastically reduce switching costs. Laborious implementations won’t be necessary: AI translators will learn and migrate data for you, with no staff involvement.
MIDDLEWARE BECOMES THE IOT ACCESS POINT
Most devices and health apps read and write to EHRs via middleware systems, which serve like translators. The better these translation methods become, the more they’ll be favored as the standard to be built on for devices—because they can talk to different systems. Interoperability standards and medical device registries are essential for safety and security. It’s bad to have your EHR hacked—but it’s worse to have your pacemaker hacked.
Initiatives like CommonWell Alliance and the Sequoia Project are pushing EHRs to standardize. Open source systems exist but are not nearly as robust as Android and Linux. But don’t expect a single standard to emerge. Smartphones can exchange texts and photos, but there are competing ecosystems, not one. Apple, by maintaining strict control, gets everything to work seamlessly. Even Google has taken more control of Android.
The fight to conquer the nation will inevitably shift to conquering the globe. Global scalability requires a system that can be rolled out successfully at drastically lower price points. Epic Systems’ two lowercost versions, Utility and Sonnet, are examples of how every EHR standard will need to make itself adaptable.
THE SILICON VALLEY GIANTS
Amazon, Google and Apple are all invading the healthcare space, and will continue to make acquisitions that help patients gradually take control of their own data and understand their own health choices. Upstarts who provide a path toward true interoperability, like CrossChx, makers of universal patient-ID software, will be likely targets. But these giants will be very careful not to make a misstep in the high-stakes healthcare arena that could potentially destroy their reputation. EHRs will need to be able to read and write to patients’ “health wallets,” but don’t expect the Silicon Valley giants to make the software that runs hospitals.