Guest Blog: The hidden cost of healthcare IT

Fellow blogger Tim Wilson recently mused about the true cost of deploying new health information systems.   I asked Tim if I could share these musings with my readers on the eHealthMusings blog.  He graciously agreed.

——-

WRITTEN BY TIM WILSON ON 15 AUG 2018 FOR CANADIANHEALTHCARENETWORK.CA

When analysts assess the material benefits associated with digital health, they’re happy to crunch numbers that reveal the overall savings that electronic health information systems (HIS) deliver to the bottom line.

But there’s a hidden cost to HIS that’s often overlooked, and it’s related to security and privacy. Although digital systems can be made more secure than the old lock-and-key filing cabinets, they also add immense risk. We all know why: With a digital system, a breach can result in access to immense volumes of personal healthcare data.

To protect ourselves, we need to increase spending in two key areas: IT security and privacy training. Unfortunately, that’s not happening. Why? Because these added cost aren’t associated with improved system efficiencies and healthcare outcomes.

IT security is understood to be a critical concern in healthcare, but is cybersecurity spending keeping up? Well, no. According to Juniper Research, cross-organizational cybersecurity spend is expected to increase by an average of 9% per annum. Canada’s hospitals aren’t seeing that kind of growth in targeted IT spend for cybersecurity. A typical hospital CIO would no doubt say that—barring a specific initiative or rollout—a 9% budget increase year-over-year is excessive in any one IT area, security included.

And that CIO might have a point, because the big privacy breaches in hospitals often center on human activity, and not a technological failure. A recent study by U.S.-based cybersecurity software company Protenus found that insiders were responsible for 31% of the total number of healthcare breaches, and that almost 30% of privacy violations were repeat offenders.

The followup to that would naturally be to ask what the budgets are for workforce training on privacy. You can be sure of two things: those budgets are very low, and they also aren’t growing at 9% a year.

The answer is to maintain constant investment in both areas, and for the initiatives to be inter-related. But for that to happen there has to be a broad cultural shift that’s reflected in more rigorous legislation. The European Union’s General Data Protection Regulation (GDPR) requires privacy breach notification within 72 hours—far beyond the requirements of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).

With a more significant legal deterrent, one could argue that healthcare privacy training with organizations would be more effective, thus reducing the cost burden. As it stands, in Canada the legal repercussions for privacy breaches are minimal. A nurse in Alberta who was recently caught snooping on two individuals—she illegally accessed their health information 138 times over a three year period—was fined $3,000. She kept her job, and was ordered to take some “remedial privacy training.”

Back in May, a nurse at Grace Hospital in Winnipeg accessed emergency room data on hundreds of individuals. The motive, apparently, was “personal curiosity.” The nurse lost her job. End of story.

More recently, in June CarePartners in Ontario was hacked. The criminals claimed they had hundreds of thousands of patient records and related materials dating back to 2010. If CarePartners were to be found guilty of not properly safeguarding the data, as an organization they could be fined up to $500,000 (individuals max out at $100,000).

It’s extremely unlikely that CarePartners will be fined. And maybe that’s okay, because a fine is not necessarily the best approach. Instead, CarePartners could be ordered by the courts to commit to permanent and ongoing investments in improved security and training. (This would be far more rigorous than their current “Privacy Pledge” and the requirement that their workers sign a “Pledge of Confidentiality.”)

The three stories mentioned above have one thing in common: it wasn’t the healthcare organizations’ internal processes that figured out what was going on. In the case of Alberta, the problem was discovered because two patients requested access to their audit logs. At the Grace Hospital in Winnipeg, it was a manager who caught on to the inappropriate behaviour, and reported it. And at CarePartners, it was the criminals themselves who blew the lid on things, even contacting the media.

Which brings us to the necessary conclusion that there are a lot of digital health system breaches that aren’t being found in regular audits. Sadly, this has allowed for the laissez-faire attitude to continue. That serves CIOs, because it means they can keep a hold on their cybersecurity technology and training costs, while also maintaining or increasing investments in priority “high reward” areas that directly relate to improved system efficiencies and patient outcomes.

According to Juniper Research, over 33 billion records will be stolen by cybercriminals in 2023, an increase of 175% over the 12 billion compromised this year. A lot of those 146 billion records will be in healthcare. Among those that will be in Canada, rest assured that many will fly below the radar. The result is that the depth of the problem will be obscured, and the response won’t be as serious as it should be.

Ask yourself: are the training requirements in your organization for security and privacy becoming more rigorous? Is the training an ongoing, and recurrent phenomenon, designed to maintain awareness, or is it a one-off?

My guess is that your healthcare organization’s cybersecurity budget is an annual line item that, as a percentage of overall spend, is well below the steady increases in the overall threat level—unless a specific project is being funded. My guess too is that training is a one-time affair. You’ll see lots of signs reminding people to wash their hands. You won’t see many advisories reminding digital health workers to respect patient privacy.

Around the world, cybersecurity breaches are expected to result in over 146 billion records being stolen by 2023. The number of records breached annually will nearly triple over the next 5 years. And unless someone does something about the poor training and oversight, the situation will only get worse. The Protenus report stated clearly that “health systems accumulate risk that compounds over time if proper reporting and education do not occur.”

This is happening now in Canada’s hospitals and clinics, and without better training and stricter oversight it’s only going to get worse. The solution requires leadership and investment akin to how we approach hospital infection and safety. Imagine having a ward with a notice in a hallway bragging about the numbers of days since the last privacy breach. Imagine if privacy were understood to be part of the “continuum of care”—a reasonable idea, given the psychological and emotional damage that breaches cause patients.

It’s time for an honest discussion about what this kind of commitment will cost. Once that’s understood, it can be baked into budgets, and not treated as ad hoc spending, or addressed in a reactive basis after a crisis. Only that way can we keep Canadians as safe as possible from data breaches.

 

Tim Wilson is principal of T Wilson Associates. Follow him on Twitter: @TimothyEWilson

Advertisement

Guest Blog: Are we getting value from our healthcare technology?

A recent article by Tim Wilson caught my attention and I asked Tim if I could share it wiht my readers on the eHealthMusings blog.  He graciously agreed.

——-

WRITTEN BY TIM WILSON ON JULY 18, 2018 FOR CANADIANHEALTHCARENETWORK.CA

The Council of Academic Hospitals of Ontario (CAHO) recently launched a new tool to help hospitals pull innovation into Ontario’s healthcare system. The tool is actually a quick reference guide titled “The Art of the Possible,” which exposes 16 myths with regard to public sector procurement in Ontario. The idea is that awareness of these myths will then help bring innovation into the system faster, while also improving patient care and health system efficiency.

It’s a reasonable idea, but it’s also debatable to what extent a 19-page reference guide can function as a strategic tool for improved procurement practices. Instead, it’s more of a handy factsheet. The guide itself, which was developed by a small panel of experts, claims to be of use for hospital executives and for individuals with intermediate to advanced knowledge of procurement. However, I can see how it would also be helpful for vendors who are either new to the market or considering entering into it.

The rationale for the reference guide was a 2016 survey across CAHO’s membership of Ontario’s 23 academic research hospitals, in which 76% of respondents identified “policies, directives and procurement rules as major hurdles to innovation adoption within their organizations.”

That isn’t surprising. What is surprising—to me at least—is that in setting out to expose the myths, CAHO is in effect saying that the barriers to innovation have more to do with a series of misunderstandings, as opposed to real structural problems.

The first myth tackled in the guide, and of course a real bugaboo in the discussion of value and innovation, is the notion that organizations must pick the lowest cost option in order to be consistent with the “value for money” principle in Ontario’s Broader Public Sector Procurement Directive.

The guide points out that value for money is to be assessed alongside accountability, transparency, quality service delivery and process standardization. And value for money itself can include other factors, such as the qualifications and experiences of the supplier.

The second myth is that organizations are stuck with traditional procurement models. In fact, the directive permits a variety of approaches as long as the approach is “fair, open and transparent and in compliance to the organization’s procurement-related trade obligations.” What that means is that negotiated requests for proposals (RFPs)—including with outcomes-based specifications—as well as competitive dialogue, innovation partnership, reverse auctions, and best and final offer, are all allowed.

Another myth is that the directive is inflexible; not true—as long as the procurement process is transparent, there are ways to build in flexibility. And organizations needn’t always go to market, given that non-competitive procurement processes are allowed in specific circumstances. The guide also asserts that the directive isn’t overtly bureaucratic nor is it only a “guideline”—compliance is required by law.

There are plenty of myths around vendor engagement, too. For example, you’re allowed to talk to vendors about unsolicited proposals outside of the procurement process, and RFPs can include opportunities for alternative proposals. Importantly, the guide clarifies that requests for information (RFIs) and requests for expressions of interest (RFEIs) can’t be used to prequalify or shortlist vendors. That said, there is some wriggle room with regard to conflict of interest, which is worth knowing given how small the community is in Canada.

In the sometimes rarefied world of hospital procurement, the guide confirms that advance contract award notice (ACAN) is permitted when no other vendors can provide the good or service, or meet related conditions. And you can still negotiate with vendors if desired, so long as that intent is covered in the RFP. Before the procurement process is initiated there is also plenty of legitimate opportunity for market engagement.

With regard to intellectual property, all IP issues needn’t be resolved to start a pilot, though they should always be taken into consideration. As well, an open process may not be required for a pilot. It could kick in if you then move to actual procurement, but co-development may not always require you to go to market. To help with this, organizations can consider engaging a fairness adviser.

That summation of the 16 myths is a lot to digest, and the guide does an admirable job of setting the record straight. It’s a bit of an overstatement, however, to say that it offers any deep strategic advice. That said, as panel member and procurement expert Sarah Friesen has noted, the guide “will increase confidence in exploring innovation procurement opportunities,” which in itself is a worthwhile goal. To some extent, the guide helps flesh out CAHO’s role as an innovation broker with the office of the chief health innovation Strategist.

Where I see the “The Art of the Possible” having an important—and perhaps unforeseen—role is in the vendor community. Brian Mackie, co-chair of CAHO’s Innovation Broker Task Force and vice-president of finance and chief financial officer at Baycrest Health Sciences, has said that “this work is helping us pull new technologies into our hospitals faster.” If that’s true, then healthcare tech innovators will be thrilled with this shift in focus.

But they may be wary, as well. There’s much in the document that suggests Canada—or in this specific example, Ontario—can move beyond a pre-commercial test-market, with wave after wave of small-scale pilots, and little transformation when it comes to using procurement as a tool of innovation. Still, we remain in a zero-sum environment, in which stakeholders compete for limited budgets, and in which administrators are pressured to satisfy numerous disparate interests.

In these environments, no matter what method or scorecard system you use, there is often a temptation for the final decision-making to default to arbitrary, executive-level preferences for purchases that keep as many people happy while solving as many urgent problems as possible—often in limited timeframes. In these scenarios, the emphasis is on keeping the ship afloat as opposed to embarking on longer voyages that embrace at times nebulous concepts of “innovation” and “value.”

Here is where it might be helpful to have a larger strategic discussion with regard to how to make decision-making objective and autonomous, and what we really mean by “transparency.” We don’t really have full public transparency and accountability on how individual organizations allocate budgets, or to what extent final procurement decisions off of RFPs are autonomous from administrative interference. A strategic approach to dealing with the political reality of budget-conscious decision-making, the real size of opportunistic shadow spending, and the positive role that the vendor community can play, could help bring about the cultural shift needed to get the best technology into our hospitals.

 

Tim Wilson is principal of T Wilson Associates. Follow him on Twitter: @TimothyEWilson