High Tech Medical Clinics?
Bolus asks: "I am a physician who is setting up a new adult medicine clinic with several other physicians. We are designing our clinic from the ground up with the latest computer technology. This will include computers in every exam room, a paperless electronic medical record, and a T1 for Internet access. Patients will have the ability to e-mail their physician and access parts of their chart online, such as medications and labs. What other kinds of online service would you want your doctor's office to offer? Instant messaging to your physician? A bulletin board for general medical questions? Chat groups? Video conferencing?"
I am an Australian Doctor. I have dabbled with this very idea for some time. The infrastructure in the rooms is no problem but as mentioned above my biggest concern is security. My home computers currently live behind a series of firewalls etc.; everything is double encrypted and deleted files are shredded 30 times. Even with all this I still would not be happy to put someone's medical records online. The medico-legal nightmare of someone's AIDS test results, whatever they are, becoming public scares the hell out of me. If you don't know more about your computers and network than the highly paid so-called "expert" consultant who has promised you the world, DON'T do it. Put your static fact sheets and other general patient information online (on a CD, not hard drive), run a Mac (my bias, but I think still the most secure), keep your server right in front of you in a locked cabinet or room. Security is only as good as the weakest link. If you don't want the whole world to see it (all your patients' files), don't put it online. Sorry for the downer. psquared@thedr.com.au
Damn good Internet security.
© Copyright 2000 Kristian Köhntopp
All rights reserved.
Your hourly rate is set by a free market. Doctors' rates are not, thanks to all kinds of weird regulations, quasi-socialism (e.g. Medicare), big insurance carriers, the bizarre tradition of charging by procedure instead of charging by time, and a lot of other things that I don't know about (and don't want to know about). If they were able to charge what the market would bear, I suspect that their service would improve.
But perhaps some of it is arrogance too. ;-) I'm not going to defend them; I was just trying to explain.
---
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Security Security Security.
I'm currently a 4th year medical student that is doing an independent project on Electronic Medical Records (EMRs) and what I have seen so far scares me.
Medicine as a whole has an absolutely horrid track record embracing business technologies. Inventory Control is a good example. You and I both know that I could walk into your hospital and walk out with a Cath Tray, and no one would be the wiser. Keeping this in mind, you aren't going to have much local help setting up and/or maintaining your setup.
Second, make it secure. Very secure. As in don't even connect it to the internet. You should be under the assumption that if it is on the internet, someone has already seen it.
If you want to keep your EMR from being hacked, don't have them on machines that can access the internet. Don't have machines that can access the internet access the EMR. It's that simple.
Once someone (insurance company, employee's corporation) hacks your system and gets data about your patient, you have violated their privacy, and there is absolutely no way that you can ever restore it. And believe me, Insurance Companies have a large incentive to find out who the financial bad apples are and remove them from the system.
Don't connect it to the internet. Don't allow internet accessible machines to access your medical records. Understand that these are two separate things.
EMRs have already been hacked at institutions that will have a much larger budget than you.
Feel free to email me - miracle at procyon dot com if you want to discuss the matter further. I've travelled the country this year interviewing for residencies, and I assure you this problem is nationwide.
Linux - Because Mommy taught me to Share.
I write/maintain scheduling software, and one thing I have learned is that, in order to max their productivity, the docs multiple book several appointments at a time.
This is only necessarily true if 100% of a doctor's work requires a time slot.
The truth is that it need not be the case. There are a lot of things that can be done at almost any time: email, telephone calls, paperwork, evaluating test results, journal reading, and so on. If they actually end up with a few spare minutes when somebody skips an appointment or doesn't take so long, other work could fill in.
According to a very interesting article in the New York Times on Jan 4 called "Remedy for Waiting", some clinics have redone their scheduling to serve the same number of people with the same doctors without the standard technique of massive overbooking. The article is now in the for-pay archives, so I can't quote from it, but it made a convincing case that it was doable. People were stunned when they could get an appointment the same week and actually be seen on time.
I agree with the original poster in this thread; the #1 thing I want is knowing that I don't have to wait six months to see a doctor, and where I don't have to spend two hours reading copies of "People" from the late 70s.
What? You mean you didn't bring your laptop with you?
Say no to software patents.
If there is to be any involvement with the internet then I suggest your number one priority be security. You don't want people leaking confidential data about your patients.
AussiePenguin
Melbourne, Australia
ICQ 19255837
Jeremy
Melbourne, Australia
Jabber Australia
A game LAN set up in the waiting room with Counterstrike.
"My doctor's ready to see me? But I've only been here ummm...four hours. Couldn't he let someone in ahead of me?"
--
Should we really be supporting this kind of behaviour? These guys don't want to talk about any real uses of technology in medicine, like for curing people. They just want to pad their fees in order to squeeze yet more $$$ out of the insurance industry, which will then have to cover its costs, so some poor schmuck gets his coverage cut. Everyone's down on lawyers, but we're freakin' little league parasites compared to this kind of doctor.
-- the most controversial site on the Web
Will my doctor be a 1337 RX0R?
microsoftword.mp3 - it doesn't care that they're not words...
Many people do not want their spouse or employer to know things about their medical history. And at many offices the employer can in theory look at your email. If you were to email someone something you could create some delicate situations or even get someone fired or divorced.
Even just "Your appointment is next Tuesday at 10:00" could cause problems if you are not a GP. I might not want my employer to know that I had an appointment with a psychiatrist or a specialist of one kind or another. There is still a major stigma attached to mental illness in many places.
Erlang Developer and podcaster
I don't read ACs: If a post isn't worth so much as a nom de plume to its author then I won't bother either.
I have a friend from high school. Brilliant kid from a brilliant family. He is now a brain surgeon. Said he does brains instead of hearts because the brain surgeons drive better cars.
He didn't go into medicine for the money, though. His brother is making 12 times the money as an attorney in Chicago. His family has a business he could have gone into and bought 5 Lexi [plural of Lexus?]
I met him for breakfast last year. At 8 am, he had been at the hospital for 2 hrs already with a patient. I wanted to buy him a cup of coffee, but he told me he had sworn off caffeine because he could not afford a tremor in his hand, no matter how slight. He got minimum 8 hrs sleep every night and had to give up woodworking [which he loved] so his hands weren't callused.
I would GIVE this guy a Lexus if I needed someone to put his hands in my brain: I would want him. Who the fuck wouldn't?
Ever see that commercial for the Discover card? Dad buying his daughter a dog, says the $600 beagle is too expensive. Asks about the $25 hyena, which in turn eats the store clerk. Dad thoughtfully reconsiders beagle. Tag line - some things are worth more.
I'm a lawyer, kids. If you have a transaction for $100 million and you will make $10 million, do you mind paying me $500 an hour to make it work? Not likely. You get what you pay for.
I do work for neighborhood merchants and my church for free. Not to mention my entire extended family. Not everything is money.
Pay no attention to the man behind the curtain with all your metadata.
Security is hard enough for the professionals to get right, let alone a bunch of doctors designing their own system. Hire a security professional to design your security for you, but don't trust him. (Frankly, digital security pros are like car mechanics - just because they get paid for it doesn't mean they truly know what they're doing. Some might be experts who can fix it right, but others are just hacks who'll get it running but it'll break down again 100 miles down the road.)
So do your homework. Buy and read Schneier's Secrets and Lies and any other book like it you can get your hands on. Read the Privacy Digest and the Risks Digest. Don't read just the current issues - read the archives going back at least ten years. Don't read just the medical stuff - read it all, including stuff about the plane crashes, ATMs, 911 systems, banking systems, e-commerce systems, etc., etc. Reading those archives should scare you silly about the system you're trying to design. Armed with these fears, make sure you ask your security consultant lots of hard, pointed questions. Grill him. Make him sweat a little. If he has all the answers, he's bullshitting you.
Remember Schneier's motto, "Security is a process not a product." Just because you buy a "secure" web server and a "secure" operating system and "secure" application software doesn't mean a thing. Your whole system needs to be designed from the beginning with security in mind, end to end. Furthermore, everyone who uses the system has to know and respect the security procedures. Does your receptionist know she can't hand out passwords over the phone, for example? Your people are going to be your weakest link if they don't know and respect your security system.
Some other random thoughts about security:
Do you know not to store passwords verbatim in the system, and not to have default passwords like the user's last name or SSN?
The machine that houses your online system should NOT be the primary system you use to store your permanent records. If someone breaks into your online system, they can compromise your database permanently! Your primary system should never ever be connected to the Internet, nor should it be connected to the online system while it is connected to the Internet.
Your system should be opt-in only. If a patient hasn't signed up for online access, his/her information should NEVER enter the online machine. It should be on the primary machine ONLY.
To illustrate the above: assume you store ALL your patient records on the online system, but you only enable passwords for those patients who opt into the online system. You're safe, right? Records can be accessed online ONLY for those patients who have opted in, because the others have their passwords disabled... right? Right, until the day that someone breaks into your online machine, then ALL the records are vulnerable. Or suppose your programmer makes a mistake so that a patient's web page accidentally displays records for other patients? If ALL your records are on the online machine, mistakes like the above can compromise them ALL. The online records should be copies, should be online ONLY for opt-in patients, and should probably, just to be safe, be read-only copies.
Your online system should be non-critical. You should be able to run your office, diagnose and treat patients, etc., without it. Assume it's going to be broken into. Assume you're going to need to work without it, and BE ABLE TO DO SO.
Have backups of your critical primary records. Have hardcopy. Practice your backup procedures, so you know that they work. (My favorite kind of episode in the RISKS Digest is the institution that has backup procedures, only to discover that they don't work when needed. Because they've never practiced them, never had a dry run.)
Make sure your office personnel are resistant to "social engineering" techniques. If a hacker can sweet-talk your office administrator, secretary, and receptionist into giving out a password, it doesn't matter how good the rest of your security is.
Bottom line: Security is a hard problem. That's why there are so many stories about people who get it wrong (again, read the RISKS digest). My advice would be to forget the online access to records. If you HAVE to go online, limit yourself to taking appointments, so you don't have to worry about securing sensitive information. (Even if you do take appointments online, do it from a separate, non-critical system.)
--Jim
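An added illustration of the layout described in the comment above (not part of that comment or of any system named in this thread): the online machine receives a rebuilt export holding only opted-in patients and only the chart parts the original question mentions, and the web tier opens it read-only. The record layout, field names and function names are assumptions, and the sample data is constructed.

```python
import json
import os
import sqlite3
import tempfile

# Constructed sample of the offline primary store; every name and field is hypothetical.
PRIMARY = [
    {"id": 1, "online_opt_in": True, "medications": ["lisinopril 10 mg"],
     "labs": {"HbA1c": "5.6%"}, "notes": "clinical notes stay on the primary"},
    {"id": 2, "online_opt_in": False, "medications": ["sertraline 50 mg"],
     "labs": {"TSH": "2.1 mIU/L"}, "notes": "patient never opted in"},
]
ONLINE_FIELDS = ("medications", "labs")  # only these chart parts are exported


def build_online_copy(primary, path):
    """Rebuild the export from scratch: opted-in patients, allowed fields only."""
    if os.path.exists(path):
        os.remove(path)  # a withdrawn opt-in disappears on the next rebuild
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE chart (patient_id INTEGER, field TEXT, value TEXT)")
    for rec in primary:
        if not rec.get("online_opt_in"):
            continue  # this record never reaches the online machine
        for field in ONLINE_FIELDS:
            db.execute("INSERT INTO chart VALUES (?, ?, ?)",
                       (rec["id"], field, json.dumps(rec[field])))
    db.commit()
    db.close()
    return path


def open_online_readonly(path):
    """Web tier handle: mode=ro makes any write raise sqlite3.OperationalError."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def patient_ids_online(path):
    """List which patients exist in the export at all."""
    db = open_online_readonly(path)
    try:
        return sorted(r[0] for r in db.execute("SELECT DISTINCT patient_id FROM chart"))
    finally:
        db.close()


if __name__ == "__main__":
    export = build_online_copy(PRIMARY, os.path.join(tempfile.mkdtemp(), "online.db"))
    print(patient_ids_online(export))
```

The export file is built on the primary side and carried to the online machine as a copy; a bug or break-in on the web tier can then expose at most what this file contains.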
Personally, everything else is secondary. I don't need to see my charts and meds on-line. Other doctors or specialists might, I don't need on-line video conferencing or email - and I doubt "you" would either. Why? There is a good chance that more time will be spent setting up/maintaining/playing/fixing/teaching the technology than helping the patient.
When I see a doctor, I want to physically see the doctor on time. If possible, give me an accurate diagnosis, then I can be on my way doing whatever I need to do to get better.
Or:
"I am a plutocratic [programmer] trying to make enough money to buy a fifth Lexus. Myself and a couple of other blood-sucking leeches had the idea of kitting out a [web site] with fancy-schmancy computerised bells and whistles so that we can jack up our already stratospheric fees into the ionosphere. We don't really have a clue about [making a profit], so we thought we'd ask a bunch of [consumers] what they'd like, and more importantly, be prepared to pay for. Meanwhile, malnourished kids and the homeless? Fuck 'em."
Get this straight: we are not each others' slaves. You were not born to be a slave to your fellow man. I was not born to be a slave to my fellow man. Doctors don't become doctors so they can be your personal nose wiper. If you don't want to pay a doctor for medical help and advice, then go to medical school and you won't have to.
The fact is, you don't know jack crap. How many lives have you saved? Probably zero.
This habit of villainizing people who want something in return for what they do for others is just plain evil.
WHERE IS YOUR SENSE OF RECIPROCITY? Are you telling me that you wouldn't give a man who saved your life a Lexus if you could? Would you even give a "Thank you"?
The truth is, you probably wouldn't do anything if you could help it. People like you are the very reason people ask for money for what they do instead of accepting a vague promise to reciprocate some time in the future. When you give money in return for a service, that person has some reasonable chance of being able to get something in return for what they did for you. When people say, "Hey, thanks. I'll have to help you out some day" they really mean, "thanks sucker."
I don't write this to be cynical. This is just the way it is. The fact is, paying someone for something they have made for you or done for you is the most sincere way you can tell them "thanks."