Blogger: Kevin Kampman
In my March 10, 2008 blog entry “Short and to the point, if not so sweet” regarding the electronic capture and publication of medical records, I discussed how we frequently mask or defer basic issues by focusing our attention on something else. As Dr. Molly Coye stated in USA Today regarding the potential misuse of medical records: “But those are human actions. They have nothing to do with the technology.” This perspective underscores our fundamental tendency to gloss over technological issues by blaming mistakes on the people using the technology. I believe it is important to recognize this and to address the basic issues.
Sometimes we need to get some distance from an issue in order to see it clearly. Last week I attended a motivational seminar given by Curtis Zimmerman. Mr. Zimmerman is a talented speaker with a compelling message about overcoming adversity and changing the direction of one’s life, individually and as a leader. He teaches juggling as a way to force the audience to drop its barriers to listening and learning. The key takeaways from his presentation are that we need to change our perspectives to recognize and reward failures, not to hide them. He also identifies that we are living a script, someone else’s or our own, and that we need to rewrite the script in order to “live the dream” in our own lives.
Earlier in April, we heard about a US Airways pilot discharging his gun in the cockpit while stowing it for landing. This was an unfortunate incident, but one to learn from. In a conversation with another (off-duty) pilot on a flight to North Carolina, we determined that this situation demonstrates that current on-aircraft gun handling policies and weapon configurations are accidents waiting to happen.
The guns carried by pilots are the same as those used by law enforcement. The guns have no positive locking safety switch, a round is chambered (by policy), and the gun is out and ready to use while the craft is in the air. Given the backup and failsafe environment that a cockpit represents, it is amazing that a device configured in this manner has been introduced without appropriate, common-sense precautions. This is one reason we often read about law enforcement officers having self-inflicted accidents. Fortunately, in this case no one was injured, but the pilot did lose his job.
The bottom line here is that US Airways did not reward him for demonstrating a failure in the system and take appropriate actions to prevent similar failures in the future. The result is that we will continue playing out this flawed script. Next time, someone may get hurt.
A notorious, identity-related failure has to do with the performer and musician Britney Spears. While undergoing medical treatment, her medical records were voluntarily accessed by professional and medical staff having no reasonable association with her care. This demonstrates that the medical records system in use by her provider has inadequate controls. The resolution to this situation is that a number of non-physicians were fired, while the physicians were only “disciplined”.
The bottom line here is that we have different scripts for different people. In a medical community, the physicians are in control, and are in a position to continue to violate patient privacy at will, until fundamental changes are introduced into the records systems.
And late last week, we heard of yet another records disclosure failure. WellPoint, a health care benefits firm, exposed nearly 130,000 personal medical records (records, mind you, not attributes like social security numbers) by using a third-party’s improperly secured web servers. This is the first occurrence of a records disclosure of this magnitude, and is the harbinger of what is likely to come.
The risk of disclosure, misappropriation and misuse of our medical records is higher today than ever, and the burden of dealing with the situation is being pushed off to us. The risk of aggregation aggravates the problem even more, since companies who want to collect this information, like Microsoft and Google, will become targets of compromise. Whatever mechanisms they employ to protect this information must be professionally vetted by independent experts prior to any public deployments. Since there is no medical equivalent in this country to the credit reporting bureaus, we have even fewer means to protect ourselves than we do in the case of financial compromises. This being the case, we can’t afford to make mistakes.
The final “bottom line” is that anyone dealing with private information needs to recognize that it can cause irreparable harm if it is not handled in an appropriate manner. We have already heard of situations where a person’s medical identity has been hijacked to obtain services for someone else, and run up payments to the benefits limit. Medical conditions could also be used as a gating factor for denial of employment. My family learned of my father’s impending demise due to the disclosure of diagnostic information by an indiscreet radiology technician.
We can’t continue with the same old same old; it’s clearly inadequate, as are regulations regarding disclosure of compromises (such as California’s SB 1386). We need to examine, reward and learn from these organizational and systemic failures, or else the script of records disclosures, potentially on the order of millions of records, will continue.
Comments