Monday, April 29, 2013

The double-edged sword of losing our privacy

Today's New York Times had a fascinating pair of articles that nicely, but seemingly without the intention of the editors, shows some of the pros and cons of applying data mining to publicly available private information.

"I was discovered by an algorithm", the lead story in the business section, is about a headhunter start-up company that aggregates information from a variety of public sources to identify high-end programming and development talent. They use this data to supplement the standard information that an employer would receive (e.g., degrees, schools, awards, work history, etc.) and identify high-potential candidates whose talents don't always come through in a typical resume or CV. The article describes how "big data" techniques allow employers to utilize a richer array of variables to identify and evaluate prospective job candidates, and highlights the case of an individual who received a lucrative programming job but who would otherwise not have even passed a standard recruiting screen due to poor high school performance and lack of a college degree. Would prospective recruits feel violated by this black-box search and evaluation process conducted without their permission or awareness? Both the individual and his employer say no. Score one for lack of privacy being a good thing.

"When your data wanders to places you've never been", buried inside the business section, tells the tale of a woman who gets targeted by pharma direct marketers who have mistakenly identified her as a multiple sclerosis patient based on "big data" searches of publicly available information on the web.  She ends up feeling both violated, and worse, too daunted by the complex chain of data brokers and marketing companies behind the error to do anything about it.  Score one for lack of privacy being a bad thing.

It's interesting that neither of these articles really dealt with the obvious flip sides of each situation.  Information gleaned from outside of a traditional recruiting process can be used to discriminate just as easily as it can be used to create new job opportunities.  And my health and demographic information can just as easily lead me to valuable treatments and support communities as it can to subject me to unwanted marketing and possible discrimination.

A common thread in each of these articles is that neither was a case of collection or use of illicitly gotten data (such as SSN, DOB, etc.); rather, the data mining leveraged information that was voluntarily provided by the individuals in question, albeit for other purposes. Though the information was available in the clear on the internet and was not illegally gotten, the individuals probably thought of it as perhaps not private but at least shielded or too isolated to be useful through random or targeted public searches. In both cases they were wrong, one pleasantly and the other not so pleasantly.

The "big data" privacy issue is not so much about what a bad actor would do if they could get rare data gems like my SSN or my bank account, it's about the inferential mosaic that could be assembled by good, neutral, and bad actors alike from the many small pebbles of information that I myself have strewn across the web, such as what I say on an affinity user site or a web-based survey or an Amazon review or a Yelp comment (or a public blog).

I'm reminded of the story of an app called "Girls Around Me" that matched location data from Foursquare with profile data from Facebook to pinpoint women in a particular location and automatically stalk their Facebook pages to get pictures, background information, and messaging capability.  Not what either the women or Foursquare or Facebook had intended when they opened up their data and their APIs.

What's scary is not that there are unintended consequences, it's that there are unintended AND unpredictable consequences.  In health care, Latanya Sweeney has launched an interesting project to show how individual health information routinely and legally diffuses through a broad array of companies and websites.  Patients probably know bits and pieces of it, but probably not the scale and scope of it, as shown below.


This chart is most interesting for what it doesn't show, rather than what it shows:  It doesn't include the patient-generated data behind the NYT articles noted above.  As big data advances in scale and scope, it is the information that we voluntarily share -- like on PatientsLikeMe and CureTogether and SmartPatients -- that will eventually get fed into "big data" black-boxes and used in ways both good and bad that we are unable to foresee right now.


Friday, June 29, 2012

iHealthBeat Perspectives piece on over-architected HIEs

Many thanks to everyone for the comments on my iHealthBeat piece on "The Dangers of Too Much Ambition in Health Information Exchange"

Wes Rishel was also kind enough to comment on it on his blog.

Monday, December 19, 2011

Maybe MAeHC can help teach the New York Times a thing or two.....

Today's New York Times has an article on a recent security incident that we experienced at MAeHC.  The reporter, Nicole Perlroth, does a pretty good job of bringing together different pieces of the story.  Even tries to give it some Bourne-like suspense -- I guess I'd allow Matt Damon to play me in the film version (though I would have to insist that he get in better shape first).

No story is perfect though, and this one had its share of limitations:

It didn't cite the blog post or the HISTalk Practice website that inspired the story and that accounted for much of the article's content.  OK, so I'm not a journalist, but this seems like a pretty shaky practice.  The storyline comes from the blog, not from the very short interview that I had with the reporter.  Furthermore, if my blog account had been an article in, say, Health Affairs, they would have cited both the article and the journal.  [Update Note:  I forwarded a link to this post to the New York Times and they have now added a link to my HISTalk blog post in the on-line version of their article.  Thank you NY Times for your responsiveness!]

The article notes that electronic breach reports have increased in recent years and while that is true, a closer look at the numbers reveals that that doesn't necessarily mean that there are more breaches.  There are 2 important subtleties behind this.  First, reporting requirements have increased so people have to report more now than they have in the past.  In addition, electronic systems have generally better ability to detect breaches in the first place.  This is not only due to technologies such as intrusion detection, user-based activity logging, etc etc, but also because physical devices are easier to track and manage than paper systems -- it may be easy to gloss over a few misplaced paper charts, but you can't hide the fact that you lost a laptop.  So, the fact that breach reports are up may just reflect better detection and reporting and not necessarily more breaches.

Second, the article suggests that electronic systems increase the risk of breaches.  As I explained to the reporter, I believe that electronic systems are more secure than paper/fax, but there is a trade-off in the type of risk that they introduce.  I liken this to the difference between auto accidents and plane accidents.  Auto accidents happen very frequently but with fairly contained consequences, whereas plane crashes are rare but can be disastrous.  The latest OCR report to Congress on breaches reports something like 25K small breaches (fewer than 500), a very large fraction of which are paper/fax incidents. 

Finally, I found it a little ironic that while the NYT article itself is an important step toward educating the public about the real issues surrounding the loss of electronic patient information, it glossed over the steps we've taken to educate the industry – like writing the post that led the Times to the story in the first place.  I think it was a bit of a missed opportunity to encourage organizations that have similar experiences to follow the path of full disclosure that we did.

Friday, October 15, 2010

Meeting halfway

Those of us focused on health IT are spending a lot of time and energy on bringing the technology to where the patients are. Interoperability is crucial because patients get care in so many different places, and through Regional Extension Centers and other programs we're trying to get EHRs into the hands of small and independent practices at the far reaches of the health care delivery system, again, because that's where the patients are. Something like 80% of practices are small practices, and 90% of outpatient encounters are in those small practices.

I've been wondering recently about whether we're going through a Copernican revolution where the patients come to the IT rather than having us bring the IT to the patients. My own personal experience started my thinking on this. I used to get my care from a small practice primary care physician in Wellesley MA -- great guy, good doctor, gives 110% every day. But he didn't have an EHR (still doesn't) and it was basically my responsibility to get specialist records back to him to make sure that he had the whole picture of my care. I switched to Harvard Vanguard not only because they have an excellent EHR but because they are multi-specialty as well. When I need a specialist I no longer scour all of Boston for the best specialist -- I only look within the Harvard Vanguard system because I want to make sure that my records are kept on the same EHR. What I might be sacrificing on the quality of an individual specialist I'm more than gaining back in having all of my physicians reading from the same page (literally).

Since my Wellesley doctor couldn't solve the interoperability issue, I solved it myself by eliminating it. My wife gets her care at the Brigham, and I've increasingly seen her focus her decision-making in the same way -- she has eliminated the need for interoperability by limiting her choice of specialists to those who are on the Brigham's EHR.

Maybe this is just a family thing. But I started thinking otherwise after I heard a very interesting story yesterday on NPR and Kaiser Health News on consolidation of the health care delivery market, and in particular, the increasing share of outpatient physicians employed by hospitals. As the story reports, almost 20% of physicians work for hospitals today, but 50% of new physicians are taking jobs with hospitals. The looming prospect of Accountable Care Organizations' becoming the operational unit of health care delivery will put increasing pressure on hospitals and physicians to keep patients within their care delivery network. Changes in health plans that limit patient choice will also drive patients to stay in closed networks. All of these trends will increasingly funnel patients into health care delivery networks that also happen to be connected on IT networks.

There could certainly be many bad effects from such consolidation, such as higher oligopolistic prices, less customer choice, the demise of solo practices that are an iconic part of the American fabric, etc etc. But from a health information exchange perspective, it's only to the good if we can get more patients to meet us halfway on the road to interoperability.

Thursday, September 30, 2010

Provider Directories

The Information Exchange Working Group of the Health IT Policy Committee had a public hearing today on the topic of Provider Directories. The FACA Blog has some background on the issues that we covered today. We have a lot of information to process regarding some very complex issues and unfortunately on a very compressed timeline. Some of the major themes that came out of today's hearing are:

  • We've got to get rid of the "yellow pages" and "white pages" analogies to Provider Directories. It's fraught with all of the general flaws of analogies, but more important, as my co-chair David Lansky said, "no one under 30 will know what we're talking about."
  • That said, it is useful to distinguish directories that support machine-to-machine routing from those that have more of a lookup role that might be focused more on use cases involving person-in-the-loop functions. Arien Malec noted that while the latter might initially be used more by humans, there would be interesting applications for machine-to-machine transactions as well, such as identifying providers involved in "post-exchange" continuity of care. Keith Boone suggested that we use the terms "service discovery directory" and "provider discovery directory" to more appropriately describe how technology works today. Abby Sears described the need for provider directory functions, however defined, to be embedded within EHRs to make them useful to end-users.
  • There are many well-developed directories out there already, so whatever we recommend needs to provide help to enable approaches that have barriers to moving forward while at the same time not stifling forward progress for approaches that are moving ahead. JP Little noted that a number of national directories already exist today, with some degree of interoperability. Charles Kennedy noted that there is a lot of administrative infrastructure in the market already today, but very little clinical, so we should be thinking of ways to leverage the administrative infrastructure to lower the cost of developing and maintaining clinical infrastructure. Syd Thornton offered that though InterMountain Healthcare maintains its own directory of external providers, they would be interested in consuming it from a higher-level aggregator that might offer better economies of scale. Robb Chapman described how the CDC leverages medical registration data from the Federation of State Medical Boards for its Physician Registry Project, but Martin Laventure noted that public health directories are not dynamically linked with any outside systems so updating them is difficult. Karen Trudel described that there are no "one-and-done" solutions in the market today, and even large, nationwide directories such as the NPI and PECOS have significant limitations with respect to the clinical exchange transactions being contemplated today.
  • Directories are the means for performing value-generating business functions, they are not the end. Tom Morrison said it most clearly when he stated that "data is a by-product of a business process." Sorin Davis recommended provider accountability for entering and maintaining their data. Anita Sarnoff noted that Axolotl recommended NOT having providers be responsible for maintaining their data and leveraging existing accreditation and credentialing information instead. Linda Syth described that it cost $3M to create the provider registry used by the Wisconsin Medical Society, and about $700K per year to maintain it. Carladenise Edwards recommended mandating the use of specified provider directories to better support their sustainability. Putting all of these together suggests that we need to create or leverage directories that enable services that providers have high interest in consuming so that they themselves will feel the need to assure that their information is timely and complete.
  • If we do nothing else, creating a framework and taxonomy for key concepts would be helpful in and of itself. Greg Debor noted that though we refer to "provider" directories, there are other health care participants (such as public health and health plans) that would be important to future value. Hunt Blair pointed to the need for a common ontology of terms such as "provider", "practice", "entity", etc.
  • As states move to implementation of their HIE Strategic and Operational Plans, there is an urgent need for some type of guidance or coordination to capture any possible synergies across these efforts and to ensure future interoperability. George Oestreich noted that the pressing need for immediate solutions limited how much central orchestration could be expected and suggested that the focus should therefore be on developing standard interfaces and data formats to support a federated architecture which would allow states and private actors to continue with their own development but with some level of alignment. Steve Waldren cautioned against "over-designing" too early to remain flexible to the many changes that technology change and health reform might bring. Jeff Barnett recommended the need for standards to be able to uniquely identify individuals and organizations. While there seemed to be a general consensus that "a federated approach" was preferable to any other, we did not have enough time today to define the parameters of federation in this context and what requirements would be needed to make it feasible.
  • There seemed to be rough consensus that while both were important, the "routing directory" should be a priority. Dan Nigrin noted that they know who they need to send information to, but they often don't know how.

These are just some of the many thoughts that emerged from our hearing today. There are more comments posted on the FACA Blog, and additional comments will be collected through October 4.

Wednesday, September 29, 2010

What's in a name?

So what's in a name? The full quote of course is: "What's in a name. That which we call a rose by any other name would smell as sweet."

On September 28, the Office of the National Coordinator awarded the New Hampshire Regional Extension Center to the Massachusetts eHealth Collaborative. Is it odd that an organization with Massachusetts in our name is running the New Hampshire Regional Extension Center? I suppose so, on the face of it, but the reality is that we provide professional services in many states outside of Massachusetts. For example, we're already doing work with the regional extension centers in New York and Rhode Island, as well as Massachusetts. And we're currently working on a project with New Hampshire stakeholders on their Health Information Exchange Strategic and Operational Plan.

All companies have to be based somewhere, and we happen to be based in Massachusetts. Granted, most companies don't have their home state in their name. That is a reflection of our non-profit, collaborative roots. We were founded in 2004 by 34 non-profit Massachusetts-based health care organizations. Our mission then and now is to improve the quality, safety, efficiency, and affordability of care through effective adoption of health information technology. Since our founding we've developed a national reputation for being operationally effective, mission-oriented, and consensus-driven.

We have the name collaborative because we work as partners -- we share what we've learned, and we look to learn more things that we can share. We try to develop deep ties with each new engagement, and we could not have gotten this federal award without the endorsement and backing of the State of New Hampshire -- we're grateful for the confidence they've shown in us.

My father is a family physician and surgeon who has practiced his entire career from his office in Pelham, New Hampshire. We're based in the Massachusetts Medical Society, which reflects our strong affiliation with clinicians -- we have deep ties to the physician community and we make it our business to understand the needs of physician practices.

We feel genuinely privileged to have the opportunity to help the clinicians of New Hampshire achieve their meaningful use objectives, and we look forward to deepening the ties that we already have with health care stakeholders across the Granite State. If you're a priority primary care provider in New Hampshire, we're going to be looking for you!

Friday, May 15, 2009

Guy with a good voice......and A LOT of time on his hands

For those who haven't seen it, Ross Martin's video "An Interoperetta in Three Acts" is amusing (see below). Though I've got to say, if I had that kind of musical talent, I definitely would not be singing about health IT.....

Saturday, May 09, 2009

NCVHS Meaningful Use

Thanks to John Halamka for featuring my NCVHS testimony on his blog! For those who aren't tracking this closely, all of the testimony is now posted on the NCVHS website. The transcript of the first day's testimony is also posted, which is long but a little easier to follow and also includes Q&A from the panel. There's a wide array of perspectives here, and who knows how it's going to be used to shape the definition of "meaningful use". As I describe in my testimony, I don't think there are as many degrees of freedom here as we might think, because there's not enough money or infrastructure to support a very high bar on meaningful use. I hope I'm wrong.

Thursday, February 19, 2009

MAeHC launches subsidiary

Today we're announcing the launching of MAeHC Professional Services Corporation (PSC), a for-profit, wholly owned subsidiary of the Massachusetts eHealth Collaborative. Our press release is here. PSC will provide a broad range of fee-based consulting services related to EHR deployment, health information exchange, and quality data warehousing. PSC will provide these services—including strategic planning, project management, and project execution services—to both nonprofit and for-profit clients throughout the United States who are involved in a variety of health IT activities.

Today's Boston Globe gave our launch some nice coverage (New eHealth subsidiary will fund expansion), and we greatly appreciate their interest in the story. One thing from the story that I'd like to clear up is that it suggests that we don't work with so-called "web-based" applications such as athenahealth. In fact, both MAeHC and MAeHC-PSC are vendor- and platform-agnostic, and we ourselves have deployed both web-based and client/server-based applications. And, of course, we're happy to work with athenahealth.....

Saturday, February 14, 2009

Darn, I'm a breach victim......

I just got the following email.

Important Message from Pentagon Federal Credit Union
Ref. Card Number Ending In: XXXX

Dear Member,
Visa Fraud Control has recently notified us that your Pentagon Federal Credit Union Visa credit card account number, name, expiration date, and CVV (a three-digit verification value on the magnetic stripe of the plastic) may have been compromised in a processor level breach at Heartland Payment Systems, Inc. Heartland Payment Systems, Inc. is one of the nation's largest payment processors delivering credit/debit/prepaid card processing, payroll, check management and payments solutions. Heartland has dedicated a website, www.2008breach.com to provide additional information on the breach.

Information pertaining to your other Pentagon Federal Credit Union account(s) has not been associated with this event or compromised in any way. The compromise did not occur at Pentagon Federal Credit Union nor did it involve any of our systems. All of your Pentagon Federal Credit Union account information remains absolutely secure.

We continue to take all necessary precautions to safeguard and monitor your Pentagon Federal Credit Union accounts to protect against unauthorized activity. We have provided a series of frequently asked questions below that provide additional details and tips.

Please review them and if you would like to receive a new card with a new account number, please use the instructions provided below. You may reach us toll free at 800-247-5626 or online at PenFed.org.

If you have recently closed the referenced card, please disregard this correspondence. We apologize for any inconvenience this may cause. We appreciate the continued trust you have placed in Pentagon Federal Credit Union. Thank you for remaining a valued member.

Sincerely,
Vincent Gay
Director, Security
Pentagon Federal Credit Union


In this simple email we see the complexity of breach notification. Let me say for the record that I love PFCU -- I've been a member of PFCU for many years and will continue to be for many more.

On the negative side of this notification is the ambiguity. My information "may have been compromised" -- not sure if it actually was, so I'm not sure what the actual risk is. They're fulfilling a legal and/or ethical obligation to tell me the nature of the breach, but are they really helping me by telling me that it's a "processor level breach", without further explanation? And how am I as a consumer supposed to assess my level of exposure? Does this mean that there was an actual intrusion of Heartland's environment, or that they discovered a security hole that could have been entered without their knowledge but they really have no idea whether it was?

On the positive side, I'm alerted, so I myself can keep my eyes open for suspicious activity.

This notification was for a relatively simple incident in a disciplined corporate setting, and it still raises more questions than it answers. Makes me wonder about how we're going to strike the right balance as we move to stricter breach notification regimes in health care.....