Friday, May 30, 2008

Dispatch from Istanbul

Friday to Sunday, I had a very spiritual experience in Istanbul. As I wrote in my Overcoming Jet Lag blog entry, taking the road less traveled and sharing time with the people of a country rather than sitting in a tour bus makes a difference.

Searching on the Internet for Turkish Flute makers, I found Rifat Varol, a master player and Ney maker in the Sultanahmet district of Istanbul. I emailed him and he agreed to meet me at the Firuz Aga Mosque so that we could share each other's traditional flute experiences. I told him that finding me would be easy - I would be in the door of the mosque, wearing all black and holding a Japanese flute. We met and went for tea, a great Turkish social tradition. We drank our team in a public meeting place with a domed ceiling that had perfect acoustics. I played Choshi and Banshiki on my 1.8 Shakuhachi in the key of D. He played a variety of traditional Turkish pieces on a Kiz Ney (key of B) and the longer Mansur Ney (key of A). We then tried playing to together using his Sipürde Ney (key of D), which matched the tone of my flute perfectly. The result was a harmonious blending of the two very different flute sounds. The Ney is a 5000 year old instrument and may very well have been the predecessor to the Japanese flute, having traveled as part of the spice and porcelain trade to China, then Japan. Rifat tried to play my flute and I tried to play his flute, with similar results - no sound. The Ney is blown from the side with a kissing-like position of the lips. The shakuhachi is end blown with flat pursed lips and small embesure. After an hour of practice, I was able to make a few notes. I purchased a Mansur Ney from Rifat and will carry it back to Boston, where I've identified a local Massachusetts Ney master to teach me the way of the Ney. I may not be a nay sayer, but someday I may be a ney player.

I also had the opportunity to spend an afternoon with Dr. Heath Lowry, the Attaturk Professor of Ottoman History from Princeton, who is on sabbatical in Turkey. We met in the Istanbul suburb of Kabatas, and drove up the Bosphorus, half way to the Black Sea to Emirgan, where he lives. It's a amazing to travel the Bosphorus realizing that one side of river is Europe and the other side of the river is Asia. I learned a great deal about the history of the area, from Constantine to the Ottoman Empire to the Republic of Turkey.

Eating vegan in Turkey (that sounds a bit unusual) was easy - many tomato, cucumber, eggplant, olive, and mushroom dishes, accompanied by great fresh breads are available in most restaurants.

I explored the most famous sights in Istanbul - the Blue Mosque, the Aya Sofia church, the Topkapi palace, Basilica Cistern, the Archaeology/Ceramic/Ancient Orient museums, the covered bazaar, the Golden Horn waterways, the Galata Tower and numerous small mosques, sidestreets, and shops, traveling by local tram, bus, metro. The Istanbul area is very easy to navigate with many signs in English, a very welcoming people, and modern infrastructure.

Since I visit a new world city every May as a part of my teaching for Harvard Medical International, I'm thinking next year will be Budapest. I'll try to arrange a meeting with Bán György a master furulya (hungarian wooden flute) maker to arrange another cross cultural traditional flute experience.

Back to Boston in time for Monday meetings and given that I've followed my own jet lag rules, hopefully I'll be coherent.

Thursday, May 29, 2008

Positional Vertigo - Common and Treatable

One of the most common ailments I treat is Benign Positional Vertigo. The patient usually feels awful, off balance and with the room spinning for no reason. It can occur suddenly and dramatically when he gets out of bed and cause vomiting and unsteadiness when walking. The episodes can be continuous or in brief episodes that are worse as the head is moved. A good neurologic exam and absence

Overcoming Jet Lag

Every May on the last Thursday of the month, I lecture to European Hospital CEOs in Geneva. After a full day of teaching, networking, and group meals, I have two choices - fly back to Boston on a Friday, or travel to some European city for the weekend, then fly back on Sunday. For the past few years, I've done the European weekend option, visiting Paris, Prague, Rome, and Vienna/Saltzburg. This year, I'll be in Istanbul for the weekend and my experiences there will be the subject of my blog tomorrow (no cool technology blog this week).

My schedule this week will be Boston to Paris to Geneva to Lausanne to Geneva to Zurich to Istanbul to London to Boston in 4 days with 6 to 7 hour time changes.

Traveling in economy class, wedged in a middle seat, traveling from point to point just in time for my lecture responsibilities, how do stay coherent? Overcoming jet lag and enjoying foreign travel requires a few simple steps

1. Avoid all caffeine and alcohol - they truly do not help. Caffeine leads to more fatigue and alcohol leads to interrupted sleep. I have similar feelings about taking medications on airplanes like ambien, benadryl etc for sleep. They just make you groggy.

2. Wherever in the world you arrive, push through to the time you would normally go to sleep in that country. Never take naps - that will prevent your body from adapting. If you go to be at 10pm each night at home, go to bed at 10pm local time on the first day you arrive at your destination, no matter how painful it is to stay awake that first day. By the second day, you'll be adapted.

3. Expose yourself to sunlight as much as possible (with appropriate sunscreen to avoid too much UV). Rising with the dawn and staying outdoors will help your body rapidly adjust to the new time zone.

4. Avoid heavy, fatty meals. Several light meals make adaption easier. To the extent possible try to eat similar foods to your diet at home. Traveling as a vegan is sometimes challenging, so I eat vegetarian while traveling. Eating light salads, fresh breads, and soups keeps my energy up without weighing me down.

5. Stay hydrated. I drink 1-2 liters a day while traveling, especially when I'm wandering through a city on foot. I use a Platypus Hydration bladder in a small backpack as I'm walking the streets of Europe. http://www.platypushydration.com/

6. Avoid pre-packaged tours. While traveling, I like to experience a country by walking among the locals, visiting their shops and restaurants, and understanding the terrain between points of interest instead of crowding on a bus to sprint from point of interest to point of interest, then eating an Americanized meal of rubber chicken at a roadside tourist diner. Pre-package tours tend maximize crowds and minimize walking, making you feel more fatigued.

7. Do something out of the box. While in Japan, I climbed Mt. Fuji at dawn on the first day of the climbing season. While in Salzburg, I hiked up the Untersberg, where the Sound of Music was filmed ("the hills are alive...") to enjoy the wildflowers. In Istanbul, I've found a master flute maker who creates and plays the Turkish Ney. The Japanese flute is said to be the most challenging instrument to play with the Ney a close second. I've arranged to purchase one of his flutes and take lessons. Luckily, I've also found a Ney master in Boston so I can continue the instruction when I return. Doing something that's not in any tourist guide will give me a reason to want to get out of bed in the morning and will create a lifelong memorable experience.

8. Exercise. Rather than consider caffeine or other stimulants, get moving. Walk the city and you'll feel more invigorated throughout the day. Generally I walk 15-20 miles a day while I'm touring a city.

9. Do something intellectual. While in Istanbul, I've arranged to have lunch with a Professor of Ottoman History and we'll walk the Sultanahmet area (Hippodrome, Blue Mosque, Hagia Sofia) reflecting on the history of old Constantinople. This will keep my brain engaged so I'm not just wading through a sea of tourists.

10. Go with the flow. From the moment I land in Turkey at 1pm on Friday to the moment I leave at 1pm on Sunday, I have no schedule and no plans other than to call the cell phone numbers of the Ney maker and Ottoman Professor to arrange meetings. This means that I can explore Istanbul 20 hours a day without any concern of the next tour bus to catch. I can eat when and where I find something interesting. I can take side trips I would have never been able to plan. The end result is a stress free unique experience.

I may not have WiFi access in Istanbul, so tomorrow's blog entry may have to wait until Sunday night, but I'll be on Blackberry if you need me.

Wednesday, May 28, 2008

A Cup of Cocoa Helps Diabetes

Time for health news that is warm and fuzzy!A new study reported in the Journal of American College of Cardiology shows that a big mug of hot cocoa can reverse vascular dysfunction in patients with diabetes, suggesting a therapeutic potential of cocoa in this patient population.Prior studies have shown that flavanol-containing foods, including cocoa, certain fruits and vegetables, tea, and red

Marketing IT

The role of the CIO is very operational - keeping the trains running on time, ensuring budgets are sufficient and aligning IT resources with the needs of stakeholders. One other important task of the CIO is to market the work of the IT Department to internal and external audiences. Although IT staff and those involved in IT governance committees are interested in the granular details of projects and their timelines, many audiences want the vision - the big, audacious goals that are really transformational.

To ensure I target the right message to the right audience, I create two documents each year - an operating plan and an "elevator speech". I'm working with all our governance committees over the next few months to complete the details of the operating plan, but here's my strawman elevator speech for 2009:

1. We will lead the country in interoperable electronic health records
a. Every doctor in New England affiliated with BIDMC or its associated organizations will have a hospital provided or hospital subsidized electronic health record with e-Prescribing and connections to our community data sharing systems by the end of 2011
b. Every patient will be given the opportunity to have a Patientsite, Google Health, Microsoft Health Vault or Dossia personal health record by the end of 2011
c. All inpatient documentation will be electronic and multidisciplinary by the end of 2011

2. We will lead the country in 'social networking tools' for healthcare
a. We will launch a new intranet which includes IM, blogging, wikis, and forums by the end of 2009 ensuring every doctor and staff member can be an author and publisher.
b. We will pioneer the concept of the "patient specific healthcare wiki" for team management of patient medications, documentation of problem lists, and creation of clinical documentation by 2010. The idea behind this concept is that an entire community of caregivers should work together to create and maintain the lifetime medical record of each patient. This means that any caregiver should be able to add/amend/correct the patient's lifetime record, with a complete audit trail to identify every source of data and edits.
c. We will use a combination of personal health records, electronic health records, and social networking tools to ensure continuity of care among all stakeholders in our community by 2011.

3. We will lead the country in 'event driven' medicine
a. We will adopt electronic clinician notification systems for our hospital applications based on physician communication preferences (EHR, email, fax, page, cell phone) by the end of 2009. These systems will close the loop for laboratory, radiology, discharge, referral and other important communications needed to ensure safety.
b. We will deploy business intelligence tools connected to our clinical data marts by the end of 2009
c. We will embrace next generation decision support tools from Safe-Med and others by the end of 2010 which will provide the business rules to trigger notification of clinicians. This will ensure that clinicians receive just in time information to deliver the best possible care.

These three concepts will be challenging to implement because the path to success is not entirely clear. There are few vendors or hospitals which have implemented this functionality. Along the way, I'll share all our lessons learned - good and bad.

Tuesday, May 27, 2008

Ideal Mobile Technologies for Healthcare

I was recently asked about the ideal mobile devices for healthcare.

In the past, I've said simply - under a pound, 8 hour battery life, and can be dropped from 5 feet onto concrete without damage. The Emano-Tec's MedTab prototype is close. The Intel/Motion Computing C5 Mobile Clinical Assistant is close but a bit heavy to carry for 8 hours.

The three questions I was asked and their answers are below.

How satisfied are you today with your ability to get the information or communications you want on your current mobile device?

The Palm/Treo line of products are diminishing in popularity because they are not optimized for the web and do not have the enterprise management features desired by hospital IT departments. Pocket PCs are just too challenging to use. Windows CE/Mobile on a mobile device is not easy to use since the screens are too small and the mouse/pointer support too poor to support the Windows operating system. While Treo and Pocket PC lose market share, Blackberries and iPhones are gaining marketshare.

I'm very satisfied with my Blackberry as a email device, but it's a less than perfect web device. I've used an iPhone 1.0 and it's a great web device but I find using a non-tactile keyboard challenging for high volumes of email. I'll test the iPhone 2.0 as soon as it's available to study its security and enterprise integration features. My Macbook Air subnotebook laptop is ideal for applications requiring a larger form factor.

Thus, with the existing devices on the market today, I can say that the combination of a Macbook Air subnotebook for lightweight web and Blackberry for mobile email works pretty well. Neither however is ideal for work on medical wards where a lightweight, pocket sized, mid-sized screen, and disinfectable device would be perfect.

What would you like to be able to do with your mobile device that you can’t do today?

The web is the key application that needs to be supported well on a mobile device with a 1024x768 screen that could fit in a white coat pocket. Network support should include 802.11 and optional EVDO/EDGE if possible. Of course battery life is a trade off. I'd choose the network support that offers 8 hours of work at speeds of a megabit/second or so.

Also important is support for reference applications like ePocrates and UptoDate.

The Amazon Kindle is lightweight, web connected, with a long battery life and a full keyboard. It's starting to approach the kind of form factor I find ideal, but it is does not have an operating system that is compatible with existing reference applications and does not support color.

You’re obviously a power user, how well are less proficient users responding to the capabilities and requirements of mobile applications?

Among all the users of Harvard Medical School and Beth Israel Deaconess Medical Center, I've seen a increasing interest in the iPod Touch, iPhone and the web via subnotebooks because they are easy to use and intuitive.

Over the next few months, we'll be piloting a number of devices - iPod touch, Kindle, Blackberry and iPhone 2.0 - with a group of student volunteers to assess the utility of these devices for education and clinical education. I'll report on the results, but at this point it is clear that the PDAs of the past are no longer sufficient for the interactive, web-based, social network era.

Sunday, May 25, 2008

Our Rights as Americans

This is the opposite of EverythingHealth. Why anyone would need this object of destruction is a mystery to me. Coming soon to a gun show near you! (Hat tip to Ray B. for this)

Saturday, May 24, 2008

Popular Music Influence

I like popular music, along with all genres like R&B, hip-hop, classical and golden oldies. The pre-teens and adolescents that I know are fixated on Rap and don't listen to much else. The influence of Rap music is world-wide, not just the United States, and the entire rap subculture has permeated the world.The Archives of Pediatrics and Adolescent Medicine published a study that looked at

Friday, May 23, 2008

Bloggers Love Comments

Happy Memorial Day Weekend to readers of EverythingHealth. If you are from another country, I wish you a wonderful weekend also and hope you are having nice weather!We bloggers love comments. It tells me that you are reading the blog and that what I have written stimulates you in some way...either good or bad. It is also a way for readers to add information or share an idea.Due to recent spam

Exercise Your Brain

(Homer Simpson's brain)I have a big birthday coming up so aging is on my mind. Having things "on your mind" is good because the brain benefits from being stimulated.The story that you are born with all of your brain cells and you use only 11% of your brain throughout your life is wrong, wrong, wrong. Brain imaging research with PET scans and fMRI scans show all areas of the brain are stimulated

Cool Technology of the Week

Harvard Medical School has a digital curriculum. We offer podcasting, streaming videos with voice recognition indexing of content, over 100,000 PDFs/Powerpoints, and hundreds of simulations. One technology, we've never implemented is electronic whiteboarding - capturing the handwriting and doodles of lecturers.

During the annual Massachusetts CIO retreat last week, I was introduced to a simple form of whiteboard called the Livescribe Smart Pen. This pen, about the size of a laser pointer, digitally captures video of handwriting and the audio of the presenter. It's the cool technology of the week.

Software tools bundled with the Pen make it easy to share the contents on the web using Flash.

Here's an example of a whiteboard session at the retreat reviewing the architecture of health information exchange activities.

The Livescribe pen is an interesting tool for capturing development sessions and sharing initial requirements with a group. I can imagine using it with Facebook and other social networking collaboration tools. A Livescribe pen and Facebook is certainly less expensive than outfitting classrooms with digital whiteboards. We'll see how the faculty react!

Thursday, May 22, 2008

The Fullerenes

My 46th birthday is tomorrow. I was born on the same day as Margaret Fuller, a leading transcendentalist of the 19th century and the Great Aunt of Buckminster Fuller. I've been asked to join the yearly May 23rd pilgrimage to the Fuller burial plot in Mt. Auburn Cemetery to play an early morning Shakuhachi Honkyoku meditation. I'll be playing my concert flute, a 2.4 foot long single piece of bamboo made by Shugetsu in Nara, Japan. It has a remarkable deep and spiritual sound. I hope we have a spiritual occasion, celebrating life and transition. Here's the announcement:

Friday, May 23, 2008, is the 198th birthday of Margaret Fuller. As usual, we travel to the Fuller Lot, Pyrola Path, Mount Auburn Cemetery at 8 AM to walk around, pay homage to Bucky and Anne Fuller, and talk about Margaret. This year, special guest John Halamka - it’s his birthday too - plays a Japanese mourning song on his Shakuhachi (Japanese flute). Please join us.

John writes: "'I'll play Banshiki, which comes from the Itcho-ken Temple in Hakata, on the island of Kyushu, Japan. This very Buddhist honkyoku (meditation) recounts the soul's journey from this life, full of attachments and feelings, toward the peace of enlightenment, which lies beyond. The word 'shiki' in the title means to 'pass or cross over.'"

Wednesday, May 21, 2008

Suicide by Self Burning

The New England Journal of Medicine reported on the tragic plight of women in Afghanistan that causes women to burn themselves as a means of suicide. The United Nations Development Fund for Women reports that 70-80% of female Afghanis are forced into marriages and more than half are married before they are 16 years of age. Women have an 84% illiteracy rate and average 7.5 births per mother.

Remote Access for Vendors

BIDMC works with many external technology vendors which need access to our internal systems. I've been asked how we provide such access in a secure and HIPAA compliant fashion.

We provide vendors two methods of remote access for the purposes of supporting their equipment on our networks. The first is the traditional Lan to Lan tunnel model. If they choose the Lan-to-Lan model we required that they define the TCP/UDP ports required. We then restrict the tunnel down to those ports and to the specific IP address(s) required. This tunnel is terminated at a location on the network that then permits us to subject all of the traffic to inspection by our security devices/tools.

The second option we provide is through our Juniper SSLVPN infrastructure. This is a more flexible and resilient solution and provides more protection from infection by the vendors network. It also provides a much more robust audit log trail of usage. If the vendor does not require any access other then RDP, Telnet, or SSH the SSLVPN provides access as a proxy service from a large list of Java compliant systems. We restrict the usage of the vendor account to the vendor's public address space. This is done to provide a degree of assurance that an employee who has left the vendor, but has an account on our system will no not be able to gain access. The assumption here is that they would no longer have access to the vendors corporate infrastructure so would not be able to get to us either. We use an online provisioning system for these accounts that we wrote in-house - a simple web page with a SQL database backend. As part of the form there must be a BIDMC employee who has oversight of the vendor. Every night at midnight the logs are scrubbed and cross indexed to the submitted forms. The access performed by a vendor account is bundled up and mailed off to the BIDMC employee listed on the request form. This is done to ensure the there is an awareness of vendor activity. There is also an audit job run to make sure that the employee listed in the forms is still employed at BIDMC and if not we chase down who the replacement is.

If the vendor requires access to the machine through a mechanism other then RDP, Telnet or SSH then there are some additional options the SSLVPN provides. One is a port forwarding service and the other is a Java based equivalent to a IPsec VPN client granting them full layer two access into the network. We have done a couple of port forwarding setups but have not yet needed to provide a vendor with the layer 2 capabilities.

We also require all systems with a Lan-to-Lan tunnel or have a vendor remote access to them to pass an initial vulnerability scan. They are then subject to random scans from that time forward until the remote access is no longer in place.

We do not permit any vendor to place a router , firewall or any other networking equipment on the network. By extension they are unable and not permitted to terminate or originate any VPN connections that we do not control.

We have run into some problems with vendors related to this policy. We often hear the same statements from vendors - we do this everywhere else and should be granted an exception. I simply state our policy does not permit it.

Thus far these technologies and policies have worked very well for us. Security is always a journey and we'll continue to be vigilant about evolving technologies and security risks.

Tuesday, May 20, 2008

Ted Kennedy - Brain Tumor

I wrote about Senator Kennedy's seizure yesterday and now the results of a biopsy show he has a malignant brain tumor. Unfortunately he has a glioma in the left upper part of his brain, the parietal lobe. At age 76, Senator Kennedy's prognosis is poor because gliomas, particularly in the parietal lobe are difficult to treat.The cause of glioma brain cancer is unknown and it is not linked to

Google Health-a review

Google Health is officially open for business after much pre-development fanfare. It is an on-line medical record that can be added to and accessed by the patient and any entity he/she authorizes. Since the Electronic Medical Record is such a big deal, many people think Google Health will solve the problem that medical groups and hospitals have been struggling with for decades.I checked out

Monday, May 19, 2008

The Launch of Google Health

BIDMC is now live with Google Health. In the interest of full disclosure, I am a member of the Google Health Advisory Council and have not accepted any payments from Google for my advisory role. BIDMC is also working with Microsoft Health Vault and Dossia.

I'm now at Google Headquarters in Mountain View with the Google Health team - Roni, Missy, Maneesh, Jerry etc. and several dozen reporters.

Here's the functionality we've launched.

When a user logs into Google Health and clicks on Import Health Records - the following choices appear

BIDMC
Cleveland Clinic
Longs
MEDCO
Minute Clinic/CVS
Quest Laboratories
RxAmerica
Wallgreens

which are all early integrators with Google Health. At BIDMC, we have enhanced our hospital and ambulatory systems such that a patient, with their consent and control, can upload their BIDMC records to Google Health in a few keystrokes. There is no need to manually enter this health data into Google's personal health record, unlike earlier PHRs from Dr. Koop, HealthCentral and Revolution Health. Once these records are uploaded, patients receive drug/drug interaction advice, drug monographs, and disease reference materials. They can subscribe to additional third party applications, share their records if desired, and receive additional health knowledge services.

A few important notes.

Security and privacy are foundational to Google Health. The privacy policy, with oversight from the Google Health Advisory Council, stipulates that data will never be transfered, sold, mined or released without specific consent of the patient. Patients completely control the content and may remove it any time. This is similar to the Microsoft Health Vault policy.

Security standards include use of certificates, IP address restrictions controlling partner transmissions in and out of Google health, no caching of health data to the desktop (Google desktop will not index Google Health pages) and encrypted transmission.

The data standards underlying Google interoperability include a proprietary form of the Continuity of Care Record, called CCR/G. Google has committed to supporting the standards which have been recognized by HHS Secretary Leavitt including the Continuity of Care Document. The vocabulary standards used by Google and its decision support partner, Safe-Med, include SNOMED CT, LOINC, NDC, RxNorm, and ICD9.

Over the next few months, it will be interesting to see how many of the 40,000 monthly users of BIDMC's Patientsite will elect to use Google Health. Our plan is to continue to support Patientsite but also enpower patients with interoperability to other personal health records that they may find useful.

Our rollout strategy is that we've enabled the Google Health link to 5000 patients with existing Google gmail accounts (based on their Patientsite email addresses). We'll then expand the rollout as rapidly as we can based on our experience with supporting patients who use Google Health. Here's the message we sent out to our Clinicians and their Patients:

"Over the past year, BIDMC has worked with Google Health to integrate Patientsite and Google's new patient portal.

Google Health is a place for patients to gather their data from providers, payers, pharmacies and labs in one place, then receive decision support such as drug monographs, and disease information.

It is an Opt-In service and the patient controls every aspect of the Google Health site.

There is no additional work for you or your practice.

More information will be coming soon and we'll followup next week. Below is the email we'll send to your patients:

Beth Israel Deaconess Medical Center has partnered with Google Health to offer you additional features regarding your personal health records.

Patients who use PatientSite will now be able to upload their records about diagnoses, medications and allergies from PatientSite to Google Health, and then also use Google's specialized medical knowledge features - online reference materials about medical conditions, information about drug safety, questions to ask your doctor, and more.

How will this work? Initially, patients with a Google Gmail email address will have a new link in PatientSite called Google Health that will enable them to optionally use these Google features. We will add this link to additional Patientsite patients over the next few weeks.

These features are completely optional and will always be under the control of the patient. Google will not target advertising to the site, use the data, resell or share this data in any way. At no time will BIDMC share your data with Google without your consent. The decision to participate and share data is completely up to you. If you decide to participate, you can change your mind at any time and not participate. We hope these new features are helpful to you.

PatientSite Support"

A cure for the 802.11 ABC's

Every week, some industry publication calls me to discuss the latest wireless acronym. Questions abound such as "are you implementing 802.1x on your 802.11a/b/g networks? How about EAP-FAST supplicants? IPSec VPN over wireless? TKIP, MIC, LEAP? How do you feel about the future of 802.11n....w,x,y,z?

It's dizzying.

Users want something simple - just open a laptop and be connected to the internet. If they can do it in a hotel why is the corporate enterprise any different?

At BIDMC and Harvard Medical School, I need to support several wireless use cases ranging from insecure wireless internet access for visitors with unmanaged virus-infected laptops to highly secure wireless access for trusted users of corporate managed devices.

With thousands of PCs, Macs, Linux variants all needing wireless access, what can a CIO do to navigate the 802.11 ABC's and create a sustainable, supportable solution?

After months of experimentation by my teams, we found an approach that meets the needs of our users, provides reasonable security, and keeps help desk calls to a minimum.

Before I discuss our solution, a few comments on what did not work.

Although supplicants worked fine on PCs, support for Macs and Linux machines was problematic and a support challenge.

Configuring complex wireless protocols such as TKIP/MIC/EAP-FAST on Red Hat Enterprise Linux required expert engineers.

Using IPSec VPN's on any platform was very invasive to the operating system and tended to cause errors, instability and calls to the help desk.

After ruling out these technologies, we implement something very simple.

For the visiting user who wants access to the internet and nothing more, we created an 802.11a/b/g SSID which offers access only to the public internet and sits outside the firewall. Any laptop - PC, Mac or Linux (such as Red Hat Fedora) can pick up this SSID without any configuration. Just open up the lid and you're on the internet. We do show an "appropriate uses" page when users first open their web browser to discourage violations of the Digital Millenium Copyright Act, but no login or configuration is required.

Once on the internet, any user on any platform can access secure resources behind the firewall via an SSLVPN. The SSLVPN (Juniper) works in any browser, on PCs, Macs, and Linux-based laptops with identical features, no client and few support issues.

For our power users who are willing to accept a minimal amount of configuration to get behind the firewall without SSLVPN, we created an SSID that uses WPA and PEAP. For Mac users, no configuration is necessary, just open the laptop lid and sign in to the network using enterprise (Active Directory) credentials. For PC users, a small amount of configuration is necessary depending on the driver used for wireless (Windows, Intel, IBM etc.). For Linux, a custom driver may need to be downloaded, which makes the solution less than perfect, but most Linux users are happy with SSLVPN, so calls to the help desk are limited.

The bottom line - two SSIDs, one unsecured with a simple "appropriate uses page" and one with WPA/PEAP, provides a wireless solution that works everywhere for anyone.

One caveat - after hours guest network support is tricky, especially for private laptops, because we have no control over 1) who is using the system 2) what they are doing on the system 3) the integrity of the laptop software and drivers. One misbehaving user and/or laptop driver can wreak havoc on other local users.

As more and more mobile devices provide support for wide area networks, users are likely to be able to connect to their choice of high speed EDGE, EVDO and eventually WiMax, making guest connectivity to 802.11 in public places less important. The current Verizon commericial is about getting out of the jail of your Wi-Fi internet cafe. Staying connected will become easier and easier.

Sunday, May 18, 2008

Ted Kennedy's Seizure

Ted Kennedy, age 76, was rushed to Massachusetts General Hospital in Boston yesterday after suffering a seizure at his Cape Cod home. The first report was that he had suffered from a stroke, but that has been ruled out. He is reportedly doing fine and has no after-effects from the seizure, although he is still undergoing tests in the hospital.In medicine, when I hear of a first seizure

Friday, May 16, 2008

Acute Hepatitis C from Unsafe Injections

The CDC has concluded an investigation of a clinic in Nevada that reported an outbreak of Hepatitis C Virus (HCV) in 6 people that resulted from unsafe injection procedures. Here's what happened:Hepatitis C is a reportable infection to the health department and when 3 people were reported in 2 days it raised concern about an outbreak. It turned out that all three persons underwent procedures

Answer to Medical Quiz

The answer is #1 - Hyphema. This is a common condition and it looks worse than it is. Blood (from a broken vessel or trauma) layers in the front of the eye. If it pools over the sclera (white part of the eye) it looks like a bloody blotch and can be quite frightening. Like a bruise, it resolves without treatment.For the other players - Hypopyon refers to pus. Iridocyclitis refers to

Cool Technology of the Week

How many times have you been wandering through an airport, a hotel lobby, or conference room and wondered if wireless was available? You boot your computer, scan for networks, try to connect and after a bit of trial and error, you conclude that the signal is too weak to sustain a connection.

The cool technology of the week, is the Wi-Fi Shirt from ThinkGeek.com.

This shirt includes an embedded wi-fi receiver, miniature battery pack and a detachable illuminated display that shows wi-fi strength in real time.

This is clearly the must have fashion for network engineers and frequent fliers.

As to the claims on the website that it will attract the opposite sex in wireless cafes, I'm dubious. As a happily married man, I do not think about such things. And besides, my pickup lines such as "I'm a Harvard faculty member and CIO" would never impress the cafe crowd.

Thursday, May 15, 2008

What's the Diagnosis? Medical Quiz

Here is today's Medical Quiz compliments of the New England Journal of Medicine. This patient awoke with a very red eye that looked like blood. There was no pain and it did not affect his vision. What is the diagnosis? Click on the image for a better view.The answer will be posted tomorrow.

The Way of Tea

I've written about drinking green tea, the art of Japanese incense, and playing the Japanese flute. Another Japanese tradition I enjoy is the tea ceremony, (chanoyu meaning "tea hot-water" or chado meaning "the way of tea"). For folks who visit my Harvard office, pictured here, I prepare a ceremonial powdered green tea called Matcha.

Matcha begins as a high grade tea leaf, grown in the shadows, just like my favorite Gyokuro Asahi green tea. Reduced light slows its growth, creates a deeper shade of green, and results in a higher concentration of amino acids, making the tea sweeter.

The leaves are harvested and laid out to dry. They are de-veined, de-stemmed, and stone grown, to produce a fine bright green power - matcha.

I store the tea in a tea container made of lacquered wood called a Natsume.

For the honored guests visiting my office, I place a small amount of matcha in my tea bowl (chawan) that was handmade in Kyoto. I use a deep bowl that keeps the tea warm. The bowl is irregular with several colors and imperfections. The most beautiful portion of the bowl is one of the emerald shaded irregularities.

To remove the tea from the Natsume, I use a lacquered bamboo scoop (chashaku). The amount of tea I add depends upon the style of tea I'm preparing.

Usucha, or thin tea, is prepared with half a teaspoon of matcha and 2.5 ounces of 170 degree hot water. Usucha creates a lighter and slightly more bitter tea.

Koicha, or thick tea, requires significantly more matcha, about 5 teaspoons, and 6 ounces of hot water. Koicha produces a sweeter tea.

To mix the tea, I use a tea whisk (chasen), which is carved from a single piece of bamboo. For thin tea, I briskly stir the tea and water together, creating a foam. For thick tea, I stir more slowly, without foam.

I serve the tea by presenting the most beautiful part of the bowl to my guest, who appreciates the bowl, turns it 180 degrees to show me the most beautiful portion of the bowl, then drinks a small amount of tea.

I typically serve the tea with a small sweet to refresh the palette.

You may ask, what ceremony do I use in the heat of the New England Summer? I recently visited a remarkable potter at his kiln in North Carolina, Mark Hewitt.

I asked him to create vessels for "Iced Tea Ceremony". This is truly a fusion of Southern traditions, New England practicality, and Japanese inspiration. Thanks Mark for great work.

Wednesday, May 14, 2008

Conservation of Aggravation

The first law of thermodynamics tells us that energy is neither created nor destroyed, it is simply converted from one form to another.

For IT professionals, I believe in the first law of project dynamics - Aggravation is neither created nor destroyed, it is simply converted from one project to another.

As CIO of Harvard Medical School and Beth Israel Deaconess Medical Center, I oversee 200 projects a year. A few examples of Conservation of Aggravation.

In 2003, we had a growing problem with Spam and I received many requests each day to implement a centralized Spam filter. We initially tried Spam Assassin, but found that it could not distinguish between advertisements to enlarge body parts and physician referrals to clinics for diseases affecting body parts. In a medical environment we wanted very few false positives (real mail marked as Spam), so we implemented Brightmail (now a Symantec product). Today, I receive many requests a day to loosen the Spam filters, which are blocking important business email such as eBay receipts, newsletters from professional sports organizations, and casual email conversations (Subject: Hi!) from friends and relatives. Aggravation has been conserved.

In 2002, Beth Israel Deaconess experienced a 1.5 day network outage when a misperforming application flooded the network and overwhelmed the spanning tree algorithm in our older network gear. In 2003, SQL Slammer and other Microsoft-related security issues caused server downtime. I spent a year creating highly redundant state of the art networks, server clusters and virtualized central storage. Uptime 2004-2008 has exceeded 99.9% for all applications and services. On rare occasions, I need to take down a segment of the network to upgrade hardware or firmware. Trying to find an acceptable 15 minute window to take down IT services is nearly impossible. Sunday at 4am? We could have trauma patients arriving in the ER then... By creating complete reliability, we have made downtime unacceptable. Aggravation has been conserved.

In 2006, we implemented electronic prescribing for our clinicians. We replaced unreadable handwritten paper and free text typing (take some Tylenol) with structured, standards-based, secure electronic messaging from doctor to pharmacy. Clinicians welcomed the idea of more accurate, safer medication practices, requiring fewer callbacks from Pharmacists with questions about handwritten scripts. However, clinicians rapidly discovered that older prescriptions, written before the new system required structured prescribing, had to be retyped because the computer could not automatically convert "take some Tylenol" to "take Tylenol 1-2 tabs every 4-6 hours as needed for pain". They wanted accuracy and ambiguity to be acceptable simultaneously. Aggravation has been conserved.

In writing this, I feel so much better that I've shared the challenges of being an IT professional. Will this catharsis lead to less aggravation? Nope. Within 48 hours of this blog being published, 25 salespeople will call and email me about Spam solutions that block all bad emails but allow eBay/sports/casual email, about highly reliable infrastructure components that require no maintenance, and about e-Prescribing systems that do everything for everyone. Some of these sales offers will make it through the spam filter. (Do these folks believe that CIOs have the time to read unsolicited sales emails?) Some salespeople will pester my assistant to the point that she whimpers in frustration. I have no doubt that aggravation will be conserved!

Tuesday, May 13, 2008

How to Take a Vacation as a CIO

I've written that being a CIO is not a job, it's a lifestyle. Given the CIO's responsibilities, is a vacation possible? Can you really unplug? Here's the way I do it.

1. Pick a second in command to run the operation while you are away
Just as a military operation would appoint a commander or watch officer, assign someone else to run the operations while you are away. Broadly communicate that this delegate is in charge and can make decisions in your absence.

2. Email a bit in the morning and at night
When I go on vacation, I do email early in the morning before my family gets up and I email late in the evening after my family goes to bed. This means that I can resolve all issues and keep my email queue empty. When I return to the office, there is nothing waiting for me. A great vacation is one that is easy to return from. The burden of having 5000 emails and 5 crises to resolve is high, so I invest a bit of time each day to ensure my desk is empty when I return, minimizing the emotional cost of a vacation.

3. Set expectations with an out of office message and enjoy each vacation day
Since I have a Blackberry strapped to my body 21 hours a day, I generally do not use out of office messages. During August, while I'm climbing in Yosemite, I cannot physically answer email most of the day. My out of office message provides the details of my climbing schedule and sets expectations when I will be reachable.

4. Own the appropriate mobile technologies
I own a Blackberry 8707G six band phone which works on every square inch of the planet with cellular technology, including Japan. Every airport I land at has GSM/GPRS or UMTS, ensuring I can connect as needed. During my 2 weeks of climbing and hiking in August, I will not bring a laptop and will exclusively rely on my Blackberry to keep my email queue empty.

5. Avoid major infrastructure changes during your vacation
Change is the most likely cause of downtime. By minimizing major change during your time away, you can reduce the risk of outages during vacations.

6. Pick the time of year when stakeholders are on vacation
If senior management and other major stakeholders are on vacation, there are fewer urgent requests for new projects or issue resolution.

7. Avoid vacations during a time of organizational instability
I've been in organizations with major leadership changes i.e. CEO, Dean, your boss etc. I recommend avoiding vacations during times of great transition, since you want to be around to defend your position and your department as needed.

8. Be able to return in case of emergency
Last year, the Joint Commission arrived for a surprise accreditation inspection on the first day of my vacation. It was so important to demonstrate our medication reconciliation system and communicate our plans for quality improvement applications that I agreed to travel back from my vacation for a day to ensure we had the best showing possible.

9. Build a Partnership with your family
My wife and I have been together for 28 years (I married the first woman I dated in college), and she's very tolerant of my various activities from working long hours to climbing isolated mountains. My wife, daughter and I spend time together every day and we support each other's lives, realizing that at times the best support is allowing each other time alone.

10. Tolerate ambiguity
Take each day of your vacation as it comes, and go with the flow. If you need to make a critical call, that's ok, your family will forgive you. If you are late responding to important email that's ok, your customers will forgive you. Staying loosely connected, not disconnected, and reacting to events without worrying about a precise schedule will make your vacation restorative and your return to the office easy.

Using these approaches, I'm able to balance family time, personal time, and work time on vacation in a way that works for everyone. From August 9 to August 24, my blogs will slow down and my email will flow only in the night and morning hours. I hope you'll enjoy a bit of time off too!

Monday, May 12, 2008

How to be a Great Boss

In my career, I've reported to CEOs, Professors, Doctors and Deans. I've had good bosses and bad bosses. I've had bosses who have leveraged me as a strategic asset (my current bosses do) and others who have not.

In my opinion, there are 10 characteristics that make a great boss. These are based on my own reporting experiences and are the behaviors I try to use with staff I supervise.

1. Responds rapidly - In general, employees escalate issues when they feel anxious, conflicted or powerless. When an employee asks for clarification of a strategy, help with a political conflict, or a decision about resource allocation, bosses should respond rapidly with a decision, so that the boss is not the rate limiting step to progress. A boss does not need to carry a Blackberry, but should acknowledge every email the same day it was sent, even if the resolution will take a little longer. My personal goal is to clear my Inbox completely before bed each day, ensuring every issue is responded to and resolved if possible.

2. Embraces process - Every problem, even a crisis, can be resolved by initiating the right processes. Each organization should have budget processes, position control (new hire) processes, governance processes, communication processes, conflict resolution processes, and human resource processes that can address every issue. If a boss cannot respond immediately with the resolution of an issue, he/she should identify the processes needed to bring it to closure. Giving employees definitive directions about which processes to pursue and guidance about how to pursue them is a great way to resolve complex issues.

3. Micromanages and Macromanages - Some projects are so complex and require such alignment of stakeholders that the boss needs to get involved with the details of the people, budgets and project plan. Most projects require just general oversight of progress. A boss should get involved in the details when asked to help, but otherwise should follow project progress at a high level, leaving the details to those experts who are immersed in the project specifics.

4. Empowers - A boss should use his/her authority to support direct reports, giving them the freedom to execute their projects per their best judgment while giving them the political support they need to be effective. As a project sponsor, the boss can help with stakeholder alignment, project vision, and building a guiding coalition in support of the project.

5. Provides Resources - Staff counts and operational budgets should be increased yearly based on workload, strategic plans, infrastructure demands, and compliance requirements. Of course, most organizations are resource constrained so it may not be possible to fund all new staff needed, but since each project is a function of scope, time, and resources, the boss needs to pay attention to resources to avoid turning a "lean and mean" organization into a "bony and angry" one.

6. Stands by you in good times and bad - One of the great joys of IT is that the organization rarely gets credit for the thousands of things it does right, but is often criticized for the few things that go wrong. A boss needs to support employees with personal thanks and praise when things go right and support them when things go wrong. The organization should not punish the individual but should ask how processes can be improved to avoid bad outcomes. Whenever we have downtime, project delays, or budget overruns, we improve our processes to reduce the likelihood of future problems, supporting our employees completely along the way.

7. Communicates Consistently - I would much rather hear often from a boss about strategy, priorities, politics, and rumors than be surprised with sudden changes in direction or given emergent deadlines. Everyone in the organization is happy to work hard, but they need to the flexibility to plan their own schedules and control their own destiny. I try very hard to communicate to all my staff via blogs, email, town meetings and very predictable priority setting. With consistent communication, I will never be accused of "priority deficit disorder", a corollary of attention deficit disorder which occurs when executives and organizations forget the priorities for year long projects half way through them.

8. Delegates and trusts - A boss must build a trustworthy team of people and delegate the details to them. I try to master the technical and process details of all our major projects but as my authority becomes broader, my depth of understanding of the details shrinks. My teams support each other and I watch their progress. Unless I see someone on the team impeding the work of others, I leave the team alone to execute the projects using the standardized processes we have established together.

9. Has boundless energy and enthusiasm - Bosses should be your greatest fan and marketeer. They should show real passion for your work and tell the world about it. An optimistic, highly visible, and energetic boss keeps the employees optimistic, visible and enthusiastic. Of course, the boss should also respect the need for downtime and temper that boundless energy during employee vacations, family time, and weekends.

10. Focuses on the trajectory and not the position - Every day the organization will have some new need for an IT project that is deemed critical for quality, safety, compliance, profitability, or customer satisfaction. Governance committees need to triage these using objective criteria. More often then not, new projects will be placed in a queue behind existing priority projects. The boss must realize that on any given day, 10% of the organization will feel that their needs are not being addressed, but that over time, all projects get done based on the prioritization of governance committees. If the track record of the organization is that projects get done consistently and needs of stakeholders are addressed year to year in a way that keeps most people happy, the trajectory is good. I especially apply this concept to audits. Every kind of audit - security, governance, strategy review, or specific technology -will identify dozens of opportunities for improvement. Every year gets better and better, but the position is never perfect. That's a great trajectory.

Let's hope you have a great boss. If not, keep the faith. The one constant in this world is change and over time you'll have one. In the meantime, be the best you can be by using the 10 behaviors above with your staff and you'll succeed.

Friday, May 9, 2008

Cool Technology of the Week

Today is my 150th blog entry since I started Life as a Healthcare CIO in October of 2007. Over the past 7 months, I've become a real fan of social networking technologies and have been an active participant in Blogger, Facebook, LinkedIn, Plaxo, various Wikis, and countless Webex collaborations. I'm a champion of any technology which democratizes the communication process, turning anyone into an author, publisher or broadcaster. One such technology is Social Networking Radio from blogtalkradio.com

The concept is simple. Using a simple phone line and an internet connection, anyone can broadcast their own internet radio program worldwide. You create an account, establish a broadcast schedule, invite guests and the public to participate, and you're broadcasting. Shows are streamed live and available after the broadcast as Podcasts/MP3 downloads.

I recently participated in a 90 minute live Talk Show with Dr. Anonymous on Blog Talk Radio to discuss electronic health records, life as a CIO, and my experience as a doctor.

It's easy to use and free.

Social networking meets internet broadcasting, turning anyone into a DJ or anchorperson. That's Cool.

Thursday, May 8, 2008

I'm Off To The Big Apple

EverythingHealth will be taking a little break for the next few days as I will be in New York City. It will be a thrill to be on the East Coast and experience the great New York. For your reading pleasure, check out my favorite blogs on the right side. You will find plenty to keep you occupied until I return next week.

Answer to Medical Quiz

This was a hard one. The answer is number 5 - Keratoderma blennorrhagicum.These foot lesions are a feature of Reiters Syndrome, which is a reactive arthritis that is often the result of a sexually transmitted disease or a gastrointestinal infection. The foot lesions occur in about 20% of people with Reiters Syndrome.

Dreaming of Green

Although being a CIO is my passion and my lifestyle, there may come a time when I want a less operational role, a focus on the simple pleasures of living, and to apply my energy on leaving an environmentally responsible legacy for my daughter. She will inherit the earth I leave her.

The engineer in me wants to pursue a low impact, off grid, eco-friendly life using all the tools and technologies available. Here's my list of Dreaming of Green lifestyle ideas

1. Pick a location with temperatures that vary between 20F and 80F to minimize the need for heating and cooling energy sources. My early research suggests that Portland, Oregon is a good choice for its mild climate, bicycle paths, vegan restaurants, and environmentally enlightened culture.
2. Live in a home under 1000 square feet. That should be more than enough for 2 people and their stuff.
3. Build with sustainable materials such as rammed earth walls, bamboo flooring, and a living roof.
4. Use geothermal heat pumps to heat and cool the house using the fact that the earth maintains a constant temperature across the seasons. Radiant floor heating is another technique that can be used that is more energy efficient and forced air or radiators. Wood pellet stoves use renewable fuels and are energy efficient.
5. Use photovoltaic solar panels, hydroelectric energy and windpower to generate electricity for the home.
6. Use minimal electrical appliances and choose devices that have minimal use of resistive heating elements.
7. Use natural light and compact fluorescent bulbs for illumination.
8. Wear sustainable clothing made from linen, hemp, and rayon. Avoid leather and any animal products.
9. Use an on demand water heater to eliminate the energy needed to keep a tank of water hot.
10. Use the Japanese technique of washing with minimal water outside the tub, then soaking inside the tub, changing the water every few days.
11. Recapture sink wastewater via grey water recycling for plants.
12. Use composting toilets.
13. Eliminate junk mail and strive to purchase items with minimal packaging.
14. Be vegan. Eat local/regional foods. Grow your own when possible. Compost your biodegradable garbage. Recycle everything you can. In Wellesley, Massachusetts, we recycle over 85% of our solid waste.
15. Use public transportation, hybrid vehicles, bicycles and walking to get around.

Thus far, I've done as many of these as I can in Massachusetts, including many IT related efforts described in my previous blog entries Kill a Watt, Some Like it Hot, and A Green Approach to Storage.

I look forward to the opportunity, in retirement, to make green living my lifestyle and my job. I know that I'll never truly eliminate my impact on the environment, but the journey to minimize it will be very rewarding.

Wednesday, May 7, 2008

Medical Quiz - What's the Diagnosis?

This patient is a young man with abdominal pain, diarrhea and these non-itchy lesions on his feet. What is the diagnosis?1. Dermatopathia pigmentosa reticularis2. Lichen planus2. Psoriasis4. Rubella5. Keratoderma blennorrhagicumClick on the image for a better view. The answer will be posted tomorrow.

New and Improved!

CIOs rarely receive credit for keeping the trains running on time . Instead, they receive credit for implementing new applications and cool infrastructure features. The challenge is that 80% of IT resources are needed to maintain existing applications and infrastructure, leaving 20% of the total IT budget to be spent on new work. When you consider the multi-year larger projects, the must do compliance issues, and the tyranny of the urgent, there is very little left over to focus on discretionary innovation.

A cutting edge application can rapidly become a legacy system if the stakeholders feel that IT has lost the ability to respond to the needs of the users. What is the best strategy to keep the users happy and make the organization feel that IT is constantly innovating? Here's my approach:

Establish Strong Governance
Governance committees have three major purposes. They provide a process for prioritizing new requests, they establish a team of champions for the application, and they provide a forum for education about an application's features and benefits. Whenever I hear that an application is non-intuitive, has ceased to be innovative or lacks critical features, most of the time it's a governance problem. Do not replace the application, establish a multi-stakeholder governance committee as your first step.

Implement small continuous improvements instead of big bang new applications
A few times in the history of my organizations, stakeholders outside of IT have decided that wholesale replacement of applications or massive new implementations will solve workflow issues. In each case, the issues turned out to be non-IT process problems or weak governance caused by internal politics. The problem with big bang new applications is that they consume all available IT resources and often require existing applications to be frozen for months (if not years) while the new implementation progresses. Lack of progress in existing applications causes even more frustration and by the time the new application is ready, it's common that needs have changed and the new application is no longer the nirvana it was once thought to be. Making constant small changes in response to constantly evolving customer needs is the best way to achieve satisfaction.

Communicate broadly
For the past decade, I've written an email to everyone in the organization at least once a month describing the latest in IT innovations. With the increase in sensitivity to Spam and broadcast email, I've replaced that communication with blogging. My recent blogs about Integrating the Medical Record, Providing Decision Support, and Clinical Documentation were all in response to internal customer questions about strategy, new features, and priorities. I use blogs, emails, and in person presentations to celebrate IT successes and to educate naysayers.

Enhance the user interface
Just as many people are attracted to new car models because of changes in style or color, users find a new user interface to be a sign of innovation. Especially with the web, it's important to evolve user interfaces to embrace a modern look and feel. The late 1990's were about lists of links. The early 2000's were about graphical elements and color. The mid 2000's were about clean interfaces with blues and whites. 2008 is about pastels, brushed steel, and effective use of screen real estate. All my organizations are now implementing modern 2008 looks to our internal and external web applications.

Run Focus groups and do surveys
As a corollary to governance, it's important to get feedback from the trenches. Doing usability testing with Focus groups and getting candid feedback from a large number of stakeholders via surveys is an effective way to measure the pulse of the organization. When I get detailed feedback, I often find that the issues which are most bothersome to users are the easiest to fix, such as relabeling a button, changing a screen layout or improving workflow through refinement of a minor feature.

Thus, continuous incremental improvement driven by strong governance is the path to success. For me, 2008, has been more about people than technology. My governance groups are stronger than ever and the buzz is that "New and Improved" applications are rolling out faster than ever.

Tuesday, May 6, 2008

Screening Blood Panels - Overused, Overtested

The Annals of Internal Medicine has reported that "frequent cholesterol measurement may be misleading." There are normal variations and fluctuations in any blood test that give erroneous information and frequent checking (even annually), when a person is stable on a cholesterol lowering drug, is pointless.Other studies have shown that the "routine" blood tests we Internists and Family Doctors

We Love Big Cars

Role-based Access Control

Protecting privacy is foundational to electronic health records and healthcare information exchange. In 2007, the Healthcare Information Technology Standards Panel specified the technical standards needed to ensure the security of patient records and these will be incorporated into vendor products over the next 2-3 years.

At BIDMC, our privacy controls are based on the concept of "minimum need to know" and are implemented via single sign-on authentication, auditing, role-based access control and a "lock box" for mental health notes.

Authentication
Each person working at or affiliated with BIDMC has a unique username and password which they use to access applications, sign notes, and write orders. In the 1990's each person had numerous usernames and passwords of differing complexity and password expiration timeframes. In 2000, we built an enterprise wide LDAP directory to manage all our user accounts. In 2003, we interfaced it to Micrsoft's Active Directory and we created processes to tightly manage these accounts including standardizing our policies for password complexity and expiration. In 2005, we built a portal and web-services to enable single sign-on authentication to virtually all our applications. This means that our users only have to remember one password, albeit a very complex password (non-english word, mixed case, alphanumeric) that expires every 200 days. Passwords are activated centrally to ensure we have appropriate approvals and management oversight of each user. Whenever a clinician or staff member leaves the organization, their password is immediately deactivated for all applications.

Auditing
We store an audit of every patient lookup made by a clinician or staff member. All stakeholders at BIDMC know that violating confidentiality results in termination. We run automated tools to examine the audit trails and highlight suspicious behavior.

Authorization
The centerpiece of our privacy controls are over 500 access control rules which limit access to information based on job role and application function. For each application, we work with our stakeholders and Governance Committees to define the required levels of access based on the functions within the application. End users are then assigned an “authorization string” that offers access to the minimum information relevant to their role for each application.

For example, in an Appointment Scheduling application, front desk staff can make appointments, update registrations and perform charge entry. A practice manager can do all of that plus maintain schedules and run management reports. As we add functions to our applications, we determine which authorization is required to access each function.

Role-based access also has workflow implications. In our Provider Order Entry application, a staff doctor or resident can write an order but if a medical student writes an order, it is not visible to the nurse until it has been co-signed. A nurse can write only verbal orders, and a unit coordinator cannot write orders but can discharge patients. In our electronic health record, a resident can write a progress note but only a staff doctor can co-sign that note.

Monitored notes
We recognize that some portions of the medical record such as mental health notes are more sensitive than others. In the early 1990's we created a lock box for such information called "monitored notes". The author of protected informations places the data in the electronic lock box. Other clinicians can only access this data by providing written justification of the need to open the lock box. Each lock box access is emailed to the author of the content and is reviewed by our security team.

Health Information Exchange between organizations relies on all these protections plus opt-in patient consent for sharing data with external providers. HITSP standards include the use of the OASIS standard called XACML for role-based access control and HL7 Consent standards to document patient data exchange preferences. The current Nationwide Health Information Network pilots and our project to exchange disability application data with the Social Security Administration includes these protections.

Our over 500 rules controlling every data element in every application have been an effective means to protect confidentiality. With constant vigilance, a team of 4 full time security professionals monitoring our systems, and yearly third party audits, we're doing our best to maintain the trust of our patients.

Monday, May 5, 2008

Denial - Not a River in Egypt

It amazes me how people can justify just about anything...despite all the evidence to the contrary. As they say "De-Nial is not a River in Egypt."A guy I know came up to me at an event, reeking of tobacco smoke. Seriously, I had to take a few steps backward because of the odor. Because I am a doctor, he launched into a story about a study he is in at Stanford, where they are testing him for some

Semantic Interoperability for Electronic Health Records

Whenever I lecture about standards harmonization, I'm asked how far along we are on the journey toward interoperability. First a definition of interoperability:

Technical interoperability - the ability to send a human readable record from place to place. A fax machine, secure email, and sending of free text from EHR to a PHR are examples of technical interoperability. For example, at present, Microsoft Health Vault enables documents and photos to be sent from a hospital, clinic, lab or pharmacy to a secure personal health record. Once there, they are viewable by the patient. However, at present, Microsoft Health Vault cannot combine multiple documents together to create a single uniform medication list, problem list and allergy list for the patient. Health Vault supports technical interoperability but not semantic interoperability.

Semantic interoperability - the ability to send human readable and computable records from place to place. An electronic health record with vocabulary controlled, structured problem lists, medications, labs, and radiology studies sending this data into structured lists within a personal health record is an example of semantic interoperability. Semantic interoperability ensures that decision support software can interpret the transmitted data and perform quality and safety checks such as drug/drug or drug/allergy checking. Google Health supports semantic interoperability for problems, medications, allergies and laboratories. The Continuity of Care Document, the clinical summary which has been recognized by Secretary Leavitt and the American Health Information Community (AHIC) is semantically interoperable, as detailed below.

Process interoperability - Per my recent blog about Decision Support Service Providers, wouldn't it be great if the best practices for healthcare including protocols, guidelines, care plans, and rules were transferable from one organization to another? Sending a clinical summary from one organization to another would immediately result in event driven medicine based on all the new data provided. Unfortunately, we really have not achieved this degree of interoperability.

At this point in the standards harmonization work, based on the efforts of 500 organizations working in HITSP over the past 2 years, we have achieved semantic interoperability for Electronic Health Records and Personal Health Records using the Continuity of Care Document clinical summary Here's the state of the art of interoperability:

a. Problems - CCD contains human readable and semantically interoperable problem lists, using SNOMED CT as the problem list vocabulary.
b. Medications -CCD contains human readable and semantically interoperable medication lists, using RxNorm as the medication list vocabulary.
c. Allergies - CCD contains human readable and semantically interoperable allergy lists, using UNII as the vocabulary for Food and Substance allergies and RxNorm for Medications.
d. Notes - CCD contains human readable structured and unstructured clinical notes/reports. Additional HL7 ballots over the next few months will provide even more options for structured notes via the Clinical Document Architecture.
e. Labs - CCD contains human readable and semantically interoperable lab results using LOINC vocabularies to describe the lab test and UCUM to indicate the unit of measure of the result.
f. Radiology - CCD contains human readable reports, but does not yet include images. In 2008, the HITSP Consultation and Transfer of Care use case will require us to develop interoperability specifications to share images.
g. Vital signs - CCD contains human readable and semantically interoperable vital sign measurements, using LOINC as the vocabulary to describe the site and method of measurement for each vital sign.

Thus, in 2008, we have all the standards needed to send structured information from provider to provider, from provider to patient, and from provider to public health agency. Of course, this data must be sent with appropriate security to protect the privacy of the patient. My blog entry tomorrow will describe the national, regional and local efforts that ensure confidentiality is maintained per the wishes of the patient.

Sunday, May 4, 2008

Women's Choice

I came across a blog that I want to share with the readers of EverythingHealth. This New York gynecologist wrote a compelling blog on why she chose her specialty. It's worth a read here at The Blog That Ate Manhattan.

Friday, May 2, 2008

McCain's Health Plan - seriously flawed

Candidate John McCain has proposed a health policy reform that will not work, and would worsen the uninsured problem in the United States. Let's take a look:Seventy-one percent of insured people are now covered (in some fashion) by their employers. McCain proposes eliminating employer sponsored health insurance and giving tax credits to people to buy their own insurance. A family would receive a

Cool Technology of the Week

As I write this on my MacBook Air connected to my home WPA-secured 802.11a wireless network traveling over the internet at 20 megabits/second via Verizon FIOS, with my Blackberry 8320 strapped to my belt, and my 4 Gig USB drive in my pocket, my vote for the Cool Technology of the Week is the all of them.

Let's consider how these technologies have evolved in my lifetime. The photo is a 1956 IBM 305 REMAC, the first computer with a hard disk drive. It weighed over a ton and stored 5 Megabytes of data.

In 1984, I bought my first IBM XT that weighed 32 pounds and stored 10 Megabytes of data.

In 1987, I bought a Unisys server to run my small company that included 128 Megabytes of RAM and half a Gigabyte of storage - a supercomputer for the time.

In 2008, Gigabyte USB drives are given away in junk mail and weigh 1 ounce.

Think about the impact of traveling back in time with the Macbook Air, Blackberry and USB drive.

Think about showing the Macbook Air to Alan Kay in 1972 at Xerox Parc, side by side with drawings of his fictional Dynabook.

Think about showing a functional 2008 Blackberry to Gene Roddenberry in 1965, side by side with his fictional Star Trek Communicator.

Think about explaining to an IBM engineer in 1956 that Gigabytes are free, Terabytes are cheap, and Pedabytes are the technology we're now installing. Exabytes (1000 Pedabytes or 1,000,000,000,000,000,000 bytes) will probably be included in my daughter's laptop in her lifetime.

Arthur C. Clarke formulated the three "laws" of prediction which apply well to the evolution of technology in my lifetime.

1. When a distinguished but elderly scientist states that something is possible, he is almost certainly right. When he states that something is impossible, he is very probably wrong.

2. The only way of discovering the limits of the possible is to venture a little way past them into the impossible.

3. Any sufficiently advanced technology is indistinguishable from magic.

The Macbook Air, the Blackberry, and the USB drive are magic for a guy born in the same era as the IBM 305 REMAC.

The greatest benefit of being a CIO is experiencing the daily march of innovation. I know that my job will never be done and life will never be boring.

Thursday, May 1, 2008

Grand Rounds This Week

For a fun spin around the medical blogosphere check out this weeks Grand Rounds, hosted by Dr. Gurley. Lots of great and stimulating reading!

Breastfeeding New Infants

The benefits of breast feeding for at least the first six months of life have been proven over and over with scientific studies. Let's face it...nature hardly ever gets it wrong. Breast milk is a perfect nutrient, contains antibodies and is easy to digest. It is also free and readily available!A new study by the Center for Disease Control and Prevention shows that 77% of new mothers

The Way of Koh

You're probably familiar with the Japanese martial art Ju-do ("the gentle way"), the Japanese martial art of fencing Ken-do ("the way of the sword"), and you may have heard of the Samurai code of honor Bushi-do ("the way of the warrior"), but you probably have not heard about Japanese Koh-do ("the way of incense").

At the end of each day, I have a de-stressing ritual. I leave the anxiety, frustration, and emotion of each day at the office, so I'm always optimistic, energetic, and focused on my family when I arrive home. I chat with my wife and daughter about their day, change in my causal clothing, make a cup of Gyokuro Asahi green tea, and light a stick of incense in my 300 year old Buddhist incense burner. Then I "listen to" the fragrance. This is Koh-do, the Japanese Incense Ceremony.

During Japan’s Muromachi Period (1333-1576), Incense Ceremony became formalized as one of the one of the three leading traditional Japanese arts, along with Tea Ceremony (chanoyu) and Flower Arrangement (jkebana). In the incense ceremony, aromatic wood (koh) is burned and participants appreciate the aesthetic qualities of the aroma. Although the sense of smell plays a leading role, the appreciation of the mood/atmosphere created by entire experience of burning fragrant wood leads practitioners of the art say that they are “listening to” the aroma. Understanding the Japanese art of Koh-do is as fascinating as understanding the tea ceremony, the Japanese Flute or Sake.

Lafcadio Hearn, a 19th century American author famous for his books about Japan wrote about the experience of Koh in his book Ghostly Japan (1899)

"Wherever Buddhism lives there is incense. In every house containing a Buddhist shrine or Buddhist tablets, incense is burned at certain times; and in even the rudest country solitudes you will find incense smouldering before wayside images, -- little stone figures of Fudo, Jizo, or Kwannon. Many experiences of travel, -- strange impressions of sound as well as of sight, -- remain associated in my own memory with that fragrance: -- vast silent shadowed avenues leading to weird old shrines; -- mossed flights of worn steps ascending to temples that moulder above the clouds; -- joyous tumult of festival nights; -- sheeted funeral-trains gliding by in glimmer of lanterns; -- murmur of household prayer in fisherman's huts on far wild coasts; -- and visions of desolate little graves marked only by threads of blue smoke ascending, -- graves of pet animals or birds remembered by simplehearts in the hour of prayer to Amida, the Lord of Immeasurable Light."

There are five traditional incense materials described in early Buddhist texts. Aloeswood is associated with the Buddha Family, and symbolizes the transmutation of the "poison of ignorance." Sandalwood is associated with the Padma or Lotus Family and symbolizes the transmutation of the "poison of attachment." Clove is associated with the Vajra or Wisdom Family and symbolizes the transmutation of the "poison of aversion." Turmeric is associated with the Karma Family and symbolizes the transmutation of the "poison of jealousy". Borneol Camphor is associated with the Ratna family and symbolizes the transmutation of the "poison of pride".

If these particular incense materials were unavailable, Buddhist monks made substitutions including Patchouli, Benzoin, and Cinnamon.

My Koh-do ceremony uses a mixture of the Sandalwood, Clove, Turmeric, Camphor, Benzoin and Patchouli called Matsu-no-tomo (Friend of Pine)

The most extraordinary experience I've had with Koh-do is the burning of Aloeswood. Aloeswood is the resinous wood from the Aquilaria tree, an evergreen tree native to northern India, Laos, Cambodia, Malaysia, Indonesia, and Vietnam. The trees frequently become infected with the fungus Phialophora parasitica, and produce an aromatic resin as a defense mechanism. This resin is Aloeswood and it's often aged for many years before burning. The Aloeswood Koh-do experience is so memorable that the Japanese have a classification system to describe the 5 aromas you may sense as the wood burns

1. Sweet -- Resembles the smell of honey or sugar
2. Sour -- Resembles the smell of plums or other acidic foods.
3. Hot -- Resembles the smell of peppers on a fire.
4. Salty -- Resembles the smell of ocean water when seaweed is dried on a fire.
5. Bitter -- Resembles the smell of bitter herbal medicine when it is mixed or boiled.

High quality Aloeswood is so rare and expensive, that I've only experienced it in Koh-do ceremonies in Japan.

So, pour a cup of tea, light a stick of incense, listen to the aroma, and de-stress. You'll recharge and be ready for the challenges ahead.