Canada isn’t the only jurisdiction wrestling with billion dollar e-health boondoggles as it turns out.

Only 175 people using flagship NHS software, says minister

Lorenzo care records system is likely to be costing taxpayer hundreds of thousands of pounds per user per year

Harvard has posted a total package of information from the 2009 HIT Platform meeting.

We discussed this meeting in a prior post, and if you want a quick summary, this is a good place to start.

There are two major components of information available on Harvard’s ITdotHealth website:

If you only have time and space in your mind for one thing from this conference, please spend it on the keynote presentation from Clayton Christensen. In his keynote, he clearly articulates in very simple terms how healthcare will need to change in order to avoid complete financial disaster in the future.

Much discussion is going on in the web-o-sphere these days about Health Canada’s recent decision regarding the classification of EMR products as a Class II Medical Device.

Working within the regulatory frameworks of various jurisdictions are a normal way of life for many software applications, and OSCAR continues to meet and exceed these regulations on a regular basis.

Because of OSCAR’s unique role in numerous social communities and academic organizations, the platform has always been at the forefront of technology, capability, privacy, and regulation.

In many cases, OSCAR leads the industry in terms of practice management. For example, OSCAR’s efforts concerning security and privacy enhancing technology, especially as it pertains to delivering control and consent to clients over their own medical information, continuously shines as an example for others to follow.

It is no surprise then, that the OSCAR community continues to invest to achieve all relevant certifications for all jurisdictions that the software is deployed.

The issue of data portability is the single largest future problem that we need to address today if we have any hope of saving ourselves from our self imposed enslavement to our EMR platforms.

It is without doubt that our governments understands this.

The creation of the OntarioMD CMS v3.0 specification specifically ensures that compliant solutions will have to provide both import and export functions for a core patient data set.

In concept, this sounds very powerful. With the current standard, you are able to export and import data from any certified vendor EMR into any other certified EMR solution.

Unfortunately, this standard does not protect the doctor from EMR lock in. Unfortunately, this standard only perpetuates the problem.

It doesn’t matter if today you have the most super-amazing-incredibly-awesome EMR ever invented. Are you willing to wager that your EMR will always be the very best? Forever? Forever and ever?!?

If you are not careful you will potentially chain yourself to your EMR for the rest of your life!

By defining a standard based on the concept of a finite core data set, one guarantees that valuable information will never be able to be moved from one system to another. Stated another way, by the very definition of the data set, by the identification of a finite set of important information, the government has ensured that anything not in this data set will not be abled to be moved.

By standardizing a core data set, we are making a bet on what information will be important to future medical applications. Who can predict what will be important in the future? We can guess, extrapolate, hypothesis, but we can not be sure.

The core data set is a 68% solution.

The future of your practice and the health of your patients may depend on information captured in the other 32%.

We do not live in the world of finite solutions, finite concepts, finite applications, or finite innovation. We live in a world of constant innovation, of constant refinement to what we deem important.

To make matters worse, day by day, the data pie keeps growing. The core data set, over time, will become less and less relevant. Unfortunately, this is guaranteed by the very definition put in place to protect us.

We applaud efforts to ensure data portability, however we encourage our government to go all-in: require all vendors to guarantee that 100% of the data you enter into you EMR is able to be extracted whenever you feel like doing it.

(While you are doing this, please legislate that software bombs must not be included in medical software systems — their inclusion is morally reprehensible and those vendors that use them should be ashamed of themselves.)

100% data portability is an easy standard to define. It is future proof. Once implemented, it never has to be revisited.

If all vendors are required to make available all data at all times under all circumstances, you will be able to move to new technologies in the future, to new applications that haven’t even been dreamed up yet, to new applications that will transform the way you will live, work, and practice medicine.

Today, we don’t need to know what the applications will be. Today, we know with absolute certainty that they will come. We don’t know what data sets these fantastic new tools will require. How could anyone know this? These brilliant new tools haven’t been invented yet.

But there is one thing we do know. We know that high tech innovates on an every increasing cycle. The current technology world reinvents itself every 3 years or so.

For example, Twitter was founded in 2006. Who in 2003 could have predicted that in 2009, electoral fraud in Iran would be exposed and a revolution catalyzed by a technology that would be invented three years hence.

In 2003, no one could predict that a transformative social network, Facebook, would be founded in 2004. How could they, in 2003, people were busy trying to figure out how to integrate the modern Blackberry (first released in 2002) into their lives. In 2003, these first Blackberry users had no idea that the incredible technology that just changed their lives would be obsoleted by YouTube (founded 2005) watching iPhone users in 2007.

Now, are you absolutely sure that the EMR you implement in your office today, tomorrow, or next week will allow you to move to the next wave of technology? Are you willing to bet the health of your patients on that?

If you can only access 68% of your data, your prognosis is not encouraging.

If you deploy OSCAR in your office, your future is bright.

Congratulations to Dr. Peter Hutten-Czapski, Dr. David Price, Dr. Elizabeth Shaw, each from Ontario, and Dr. Cameron Ross, from British Columbia are in order.

These four OSCAR users are recipients of the 2009 Award of Excellence by the College of Family Physicians of Canada.

Award recipients have either performed extraordinary patient care, service to the community, humanitarian work, or service to the profession that is beyond the normal practice for family doctor.

The complete list of the 2009 Award of Excellence recipients can be found here.

Dr. David Chan will be presenting OSCAR at the Ontario GNU Linux Fest this Saturday, Oct. 24th, in Toronto.

Ontario GNU Linux Fest is the lead-off event for Toronto Open Source Week as Proclaimed by Toronto Mayor David Miller.

We hope to see you there.

Canadian Bar Association Privacy Sub-Section Talk – April 15, 2009
Excerpts of Presentation by Micheal Vonn

. . . Policy being driven by technology,
and privacy seen receding in the rear-view mirror,
this is clearly the central privacy challenge of our time.

Although the study of health information systems is now its own sub-discipline in the academy, there is no public awareness of this issue, let alone public discussion. Patients, citizens, the public have been no part of these developments and are practically barred from even venturing an opinion because of a complete failure on the part of the government to provide any meaningful information at all.

Where we would hope for comprehensive, balanced information, when we have received what amounts to advertising slogans from the PR department: Viagra will save your marriage, iPods will make you groovy, and e-Health will make you safer, cheaper.

Where, exactly would the average citizen look for a foothold to enter such a non-debate?

The presentation is so relentlessly one-sided that there is essentially – and irresponsibly – no discussion of the profound risks beyond the mandatory endorsement that systems will, of course, be “privacy protective” and “secure”.

The very troubling lack of public awareness on these issues has driven a small, informal coalition of privacy-concerned organizations to try to fill the informational void on e-Health. And I’d like to share some examples of what we think it is critical for the public to understand about the profound transformation in health care that is underway through e-Health.

First, let’s get specific about what we’re talking about. “e-Health”, writ large, is a vast field and includes all kinds of technologies that are of undisputed benefit with no privacy concerns. Technology, for example, that allows specialist surgeons to remotely direct and guide surgeries being undertaken in far-off locations. Just to be clear, there is no Luddite Conspiracy trying to derail such fantastic uses of technology.

Nor are we concerned with electronic health care records per se. If my doctor records my data electronically and that data is stored on a server in her office, there is not very much of a difference between that and paper files locked in a filing cabinet. She is the guardian and custodian of that information in the same way. We have no problem with that, naturally.

The concern is centralization: vast repositories; massive, longitudinal databases of citizens’ health information, envisioned, as you know, to ultimately be accessible across the entire country.

I have looked everywhere I can think to look and waited in vain for any government, or indeed, anyone to provide compelling evidence that a vast centralization of citizens’ health data improves health care outcomes and/or saves money.

There appears to be almost no evidence to support the very elaborate promised benefits of this system.

This is a very serious point, and yet, I admit it often takes a comic turn. Like when minutes before her keynote address at a recent e-Health conference, a BC government official changed the name of her talk from “Evidence-based Innovation” to “Leveraging the Investment”. Or the researcher at another e-Health conference who I credit with inventing the term “soft but compelling evidence”; which is rather like saying “vague but definitive”. . .

As Ross Anderson, Professor of Security Engineering at Cambridge, wrote in the Feb 2008 edition of “The Economist”:

Patient data held at a GP practice may be vulnerable to security lapse on the premise, but the damage will be limited. You can have security, or functionality, or scale – you can even have any two of these. But you can’t have all three, and the government will eventually be forced to admit this. In the meantime, billions of pounds are being wasted on gigantic systems projects that usually don’t work and that place citizens’ privacy and safety at risk when they do.

Britain, in fact, has had to stop even pretending that it can safeguard patient data faced with tens of millions of records lost or compromised and just recently, the Prime Minister’s own medical data illegally accessed and given to the media. The Telegraph reports that civil servants in the UK are fired or disciplined for privacy breaches at a rate of about one per day.

All the credible, independent security experts that I am aware of say that a massive concentration of electronic health information imperils the privacy of that data. The “Honeypot Problem” was discussed recently in an article in the Guardian:

This is the recurrent problem with large databases that contain valuable data. Because they are so valuable, they attract malevolent attention of large numbers of hackers, fraudsters, criminals, even terrorists. Under sustained attack, even such sophisticated organizations as Microsoft and the Pentagon have succumbed…

… As well as the honey pot problem, there is another difficulty that applies to these vast government databases. To do their job, these databases have to be accessible to many people…. they can only work if they have thousands of access points. If the government cannot protect one laptop or one flash drive, what chance a system with over ten thousand terminals?

All of which, I suggest, is obvious.

So, let me conclude my prepared remarks by saying this. Contrary to the reports that consensus favours the development of centralized electronic health records, I quote from the Rowntree Report:

There is a developing consensus among medical practitioners that for safety, privacy and system engineering reasons, we need to go back from the shared-record model, to the traditional model of provider-specific records plus a messaging framework that will enable data to be passed from one provider to another when it is appropriate.

In other words, the system needs to be an architecture in which data is pushed from one health care provider to another. Not pulled from every health care provider into a massive database.

We are not building the right model of patient information sharing.

Christina Blizzard of The Toronto Sun writes:

There is a strong argument that government is the wrong culture to build such IT projects. In the private sector, it’s often start-ups, or companies with a bottom line to satisfy that come up with the innovation and know-how to develop these programs efficiently.

On Global’s Focus Ontario last week, McCarter pointed out the project has been nine years in the works, $1 billion down the drain — and precious little to show for it. (You can catch the show at midnight tonight or at globaltoronto.com.) McCarter said it will be a “challenge” for this province to make the 2015 deadline for getting health records on line. This province is lagging embarrassingly behind all other provinces on this.

Perhaps the government should turn to one of its own universities for help.

McMaster University announced last week that it has developed a, “comprehensive, secure, web-based and open source electronic health records system which is ready to be rolled out across Canada.”

[...]

The system, called OSCAR, was developed by Dr. David Chan, an associate professor with McMaster’s department of family medicine.

In a press release, Dr. David Price, chair of that department, said that 8,000 family physicians in this province who are not using electronic medical records could be on-line within the next 24 months.

The cost? $20 million. Compare that to the $1 billion the government piddled down the eHealth drain.

Well said.

From Anna Paperny of the Globe and Mail

Efforts by governments in Ontario and British Columbia to drag their provinces’ medical records into the 21st century haven’t gone well: Both provinces are embroiled in eHealth scandals that have turned the endeavour into a political poison pill.

But the doctors behind two made-in-Canada electronic record systems designed years ago and adopted around the world insist it doesn’t have to be this hard.

OSCAR, an open-source software pioneered by McMaster University’s school of medicine, is being used by hundreds of doctors from Prince Edward Island to British Columbia, and many more from outside the country.

It puts patients’ information on secure servers that are based in a doctor’s office but can be accessed online from just about anywhere by logging on the same way one would to an online bank account. A separate sister system, MyOSCAR, lets patients access their own records online.

Clearly the discussion coming from the eHealth scandal is creating a conversation on what we want as a society, and whether or not we should allow the powers at be to decide what is right for us.

It is time for us to start thinking about this issue.

Who owns your medical information? Who do you want to maintain the stewardship of this, the most personal of your personal information? Would you like it to be kept, as it is today, in the private offices of your family doctor, or do you prefer that this information is keep in a large government run registry?

The security community is pretty clear on how it feels about governments maintaining large databases of their population’s personal information (“1984″ anyone?), but this isn’t a decision that should be made by the security community.

Currently, you own your own personal information. Most people currently trust their family doctor to maintain their medical information on their behalf. Would you like this to change? It is your choice on how this story ends.

From the Globe and Mail:

The eHealth scandals unfolding in both B.C. and Ontario can be tied by one theme: Governments can get into a “bagful of trouble” when they rush to embrace technology they don’t really understand.

This week, the Ontario eHealth debacle continued to spread when the Auditor-General tied Premier Dalton McGuinty to the appointment of top officials who have resigned over untendered consulting contracts.

In British Columbia, detailed allegations of breach of trust, influence-peddling and fraud involving B.C.’s share of the federal-provincial initiative were revealed in an RCMP search warrant that names a senior government official, now retired, who headed the program. No charges have been laid.

Interestingly, the highest number of OSCAR users in Canada are in… Ontario, and British Columbia.

Coincidence? I think not. Doctors know when they are being scammed by the government.