09:06 AM
Alison Diana

Standardize EMRs, For Security & Safety's Sake

Electronic medical records help healthcare organizations improve patient care, but lack of standardization could cause safety and security problems.

The foundation hospitals built when they overwhelmingly adopted electronic medical records is trembling under the weight of concerns over security and lack of standardization.

Healthcare organizations already see plenty of benefits from EMRs. The Internet is full of success stories detailing how hospitals save and improve lives, reduce costs, and enhance research capabilities through new access to real-time data. Many EMR applications are high-quality tools that take users' needs and wishes into account and evolve to meet mandates and clinicians' changing requirements.

Yet healthcare sometimes seems to operate in a vacuum. It appears determined to repeat the steps already taken by industries such as finance instead of skipping the proprietary isolationist years and leaping right into the era of standards, collaboration, and data-sharing. The government is starting to shake an interoperability stick, but the industry should act on its own initiative to allow disparate systems to work together -- and not only to cut costs for healthcare provider implementations. Standardizing also will improve patient safety, care, and results, experts say, resulting in reduced care costs and better data security. Establishing standards will accomplish this by enforcing guidelines for healthcare employees and restricting access by unauthorized users.

At least one report suggests these predictions are on track. Concerned that increased use of EMRs tallied with an uptick in "patient safety events," the Division of Laboratory Programs, Standards and Services in the Center for Surveillance, Epidemiology and Laboratory Services, within the Centers for Disease Control and Prevention (CDC), studied errors in labs based on electronic health record (EHR) data. In some cases, labs used outdated software that didn't support current coding -- an issue that might increase when ICD-10 finally arrives.

Different facilities also use dissimilar codes for the same tests, creating confusion -- especially among staff members who move among different hospitals and clinics, according to a CDC report. In one case, the report cited, a woman required a hysterectomy after an EMR moved her abnormal test results to the bottom of the screen instead of placing the most recent results at the top. In another, a male patient received a double dose of a blood thinner due to an EMR error.

Other areas of concern: inadequate data transfer from one EHR to another, data entry in the wrong patient record, incorrect data entry, failure of the system to function correctly, and incorrect configuration, patient safety organization ECRI Institute wrote in a separate report.

"Recognizing that such errors can occur without health IT systems, there is cause for concern as an occasional error in a health IT can be replicated very quickly across a large number of patients," the CDC's report said. "Combining documented patient safety events with the anecdotal evidence shared by individual laboratory professionals across the US presents enough concern to warrant further investigation and mitigation."

The lack of EMR standards creates a greater security burden on healthcare organizations and professionals. But the stakes are incredibly high, not only because of the number of patients who could be impacted by a single breach, but also because of the sensitive nature of the data stored in EMRs and the potential for damage to an organization's reputation.

"We're in an historic time within healthcare. The impact from a healthcare perspective has the same impact as, say, a retail breach, but you're talking about personal health information, things that should be very private," said Ken Bradberry, CTO and vice president at Xerox Healthcare Provider Solutions, in an interview. "We're talking about strategies in healthcare that haven't evolved at the rate they should have. Security has to evolve and align with where we're at with the delivery of electronic health records and the delivery of services in general. The detection and [prevention] of security breaches [and] threats has to be of paramount importance to healthcare providers."

Now that more than 93% of hospitals use at least one EMR, government agencies, researchers, and pundits point to worrisome trends that could -- left unfixed -- jeopardize patients' faith in providers, payers, and the overall system. The drive among providers to forge partnerships and integrate EMRs between smaller practices, hospitals, accountable care organizations (ACOs), health information exchanges (HIEs), and other members of the healthcare ecosystem creates additional links in the chain -- and more potential points of breach, loss, or theft.

"The government is pushing for EHRs, but no one is overseeing the security and privacy of the records," said Karl Volkman, chief technology officer at Microsoft Gold Certified partner SRV Network. "Instead, it's left up to the individual organizations, which may allow medical personnel to alter records incorrectly with little oversight -- or the entire system may not have the capacity to protect from fraudulent encounters. Instead of rewarding and punishing those who have or have not switched to EHRs, the government should consider instilling standards to identify inappropriate use of the records, fraud, and breaches."

Alison Diana has written about technology and business for more than 20 years. She was editor, contributors, at Internet Evolution; editor-in-chief of 21st Century IT; and managing editor, sections, at CRN. She has also written for eWeek, Baseline Magazine, Redmond Channel ...
User Rank: Apprentice
7/16/2014 | 11:10:50 PM
Yes, I agree with the author.
User Rank: Apprentice
7/15/2014 | 1:51:13 PM
Standardize what?
What do you mean by EMR? Is it what the doctor uses, the nurse uses, the hospital or clinic uses?

The problem with standardization is that it ASSUMES that the goal and environment are stable or change very slowly. If you look at the history of the automobile, there was experimentation for over 100 years before "standard" features could be clearly determined. We are only 30 years into the desktop/display era of computing, and we are still evolving how a person works with information.

The issues of standardization have so far approached the problem from the exactly opposite wrong end, mandating that people get EMRs to get experience with them, and then creating EMR's that function well for the goal they are intended. The first steps should have (like the Internet) focussed on how disparate systems can exchange information reliably, evolve in non-catastrophic ways, and change in order to improve the quality of the content and interaction.

Few, if any, of the government standards address this level of utility to advance the field. ICD-10 is a poorly constructed coding system built to accommodate increased granularity of data collection. It's a code with no mnemonic structure and a digital representation with no check digits to avoid common data entry and transcription errors.

The way the Internet came into existence was after years of experimentation by many different vendors (IBM, Digital Equipment, Intel, Xerox), we evolved to two working standards (IBM token ring and DEC-Intel-Xerox ethernet). Of these two, only DIX ethernet was a non-vendor specific format. When the National Science Foundation decided to connect the national supercomputer centers together, they elected to use DIX Stanford Research Institute's TCP/IP because it ran on both token ring and ethernet, and could be used across a wide range of connection technologies. From the ARPAnet base technologies, NSFnet was created and evolved into the Internet.

We should focus on interoperability not as a standardized product, but as a uniformly available set of services which allow any system to find, query, transmit and receive, store, and share a constantly set of uniquely qualified and quantified clinical set of observations with each patient being uniquely and unambiguously identified, and services which negotiate the format and content of data they are able to exchange. We should eliminate system conversions, standardized coding system updates (i.e. ICD-9 to ICD-10) conversions, and single point in time cutovers for every provider's system.

We need a better plan than brute force.
Lorna Garey
User Rank: Author
7/14/2014 | 5:50:29 PM
Re: Utterly ridiculous
Yep, talk about a massive case of reinventing the wheel. It does seem like every industry considers itself a special snowflake that couldn't possibly adapt and reuse what was done elsewhere.

Hopefully patients won't be harmed, or if they are, that massive lawsuits will force change. Seems like that's the only thing that will.
User Rank: Author
7/14/2014 | 5:15:35 PM
Re: Utterly ridiculous
The government is starting to wake up and shake that stick, @Lorna, but it's going to cost money -- of course. What's so frustrating is that we've seen this happen in other industries. Since healthcare's move to a full-fledged (or as close to it as you'll get) embrace of EMRs happened so long after other verticals adopted their versions of this type of technology, you'd have hoped the government/user organizations/vendors would have known better. As you say, vendors win (at least initially) when they close out competitors. It's a short-sighted view, however, and one that ends up hurting customers' bank accounts and could even harm patients who have incomplete records at some providers, thinking they've already shared their full histories or believing now all providers have access to all their information.
Lorna Garey
User Rank: Author
7/14/2014 | 1:03:45 PM
Utterly ridiculous
Alison, It truly is mind-boggling that EMRs are non-standard, until you remember that A. The government did not shake that stick nearly soon or forcefully enough, and B. That HC providers are like any business -- they want to be sticky. So why make it easy for a patient to go to a competitor? 

Consumers of healthcare (read: everyone) should raise this issue. But how? Who should people notify that they're paying attention here? Is it too late for government to make a dent in the silos?