Proposed Center to Focus on Health IT Safety Issues

Building on several reports in recent years that focused on the intersection of health IT and patient safety, the Office of the National Coordinator for Health Information Technology (ONC) has released a roadmap for developing a national Health IT Safety Center.

The proposed center would focus on two main objectives: “using health IT to make care safer, and continuously improving the safety of health IT.”

Safety center would aim for ‘achieving safer care through collaboration’

Working with ONC, RTI International brought together a task force of health IT developers, clinicians and other insiders to help develop the roadmap. The projected cost of the center – which could begin with federal funding to a host organization – might range from $17.8 to $20.6 million over five years.

The planners did not propose a regulatory function for the center. Instead, its activities would include:

  • Bringing together health IT stakeholders from the private and public sectors to exchange ideas.
  • Identifying, testing and supporting the implementation of solutions for health IT concerns.
  • Supporting health care providers regarding optimal IT usage.

Developers and vendors of health care IT products would play an important role in the center’s activities, as “Often they will be their customers’ best sources of information on the safety and safe use of health IT,” the authors wrote.

Many factors contribute to health IT safety

One of the publications the ONC cited in its roadmap was the Institute of Medicine’s “Health IT and Patient Safety: Building Safer Systems for Better Care” report from 2011. In it, the authors write that “In looking for ways to make health IT– assisted care safer, it is important to recognize that the products are not used in isolation. Rather, they are part of a larger sociotechnical system that also includes people — such as clinicians or patients — organizations, processes, and the external environment.” Safety requires optimum interactions between all these moving parts, and safety analyses “should not look for a single ‘root cause’ of problems,” the authors wrote.

At the Health Affairs Blog, Dean Sittig and Hardeep Singh asked: “Why hasn’t all of this [the activities of the proposed Safety Center] been done by now? The answer lies in the complexity of health IT use. In addition, research to understand unintended consequences of Health IT has emerged mostly in the last decade. As recognized in the roadmap, a comprehensive, sociotechnical approach is essential; this must include technical factors, as well as nontechnical factors such as people, workflow, and organizational issues.”

The authors discussed a Quality & Safety in Health Care paper they coauthored that provided a model with eight interrelated dimensions “designed to address the socio-technical challenges involved in design, development, implementation, use, and evaluation of HIT within complex adaptive healthcare systems.” These dimensions include:

  • Hardware and software
  • Clinical data stored on the system
  • The developers, clinicians, patients  and other humans who create and use the technology
  • The workflow in which the technology is used
  • The policies and procedures of the organization using the technology

“The proposed Safety Center is a step forward, but it will require strong and sustained support from a multitude of stakeholders, including vendors, researchers, and policymakers. A great deal is at stake here,” Sittig and Singh concluded. “In the absence of any other central oversight, the Safety Center will need to lead the way in making health IT safer and better, so we can improve the health and health care of our patients.”

Cyber threat running high for health care

The health care field continues to present an appealing target for cybercriminals. Yet organizations are showing varying degrees of ability to keep up with this threat, as several new surveys suggest. 

In June, the Workgroup for Electronic Data Interchange noted that data breaches compromised roughly 37 million healthcare records between 2010 and 2014. The pace has accelerated quickly, with attacks exposing roughly 100 million records in just the first four months of 2015.

According to the WEDI report, criminals are willing to pay more for medical records than credit card numbers because the rich supply of information they contain (addresses, Social Security numbers) is useful for identity theft.

"Health care continues to be an appealing target for cybercriminals."

Resource limitations may affect organizations' cyber readiness
Corporate board members may have a weak grasp on cybersecurity threats as well. A National Association of Corporate Directors survey found that just 11 percent of corporate directors had a high-level understanding of these risks.

New findings from the 2015 Healthcare Information and Management Systems (HIMSS) Cybersecurity Survey highlighted the importance of maintaining internal resources to prevent and manage attacks. Of 297 participants – who work in healthcare information security – two-thirds said their organization "had experienced a significant security incident in the recent past."

Employee negligence was the largest single reason for incidents. But 64 percent said hackers, scammers and other outsiders had been responsible for such events. In about one-fifth of cases, the attack exposed "patient, financial or operational data."

More than half of the organizations employed full-time personnel to handle information security. Yet 64 percent felt that insufficient cybersecurity staffing presented a barrier to properly managing these incidents.

Keeping good information security staff on board to protect against the rising threat is a challenge for healthcare organizations, Mayo Clinic's chief information security officer, Jim Nelms, recently told the Wall Street Journal. The lure of bigger paychecks makes this workforce "quite a transient population," he said.

Cyber crime has become a major issue in the field of health care.
Cybercrime has become a major issue in the field of health care.

Recent health care data breaches "have been a wake-up call that patient and other data are valuable targets and healthcare organizations need a laser focus on cyber security threats," said Lisa Gallagher, vice president of technology solutions for HIMSS. "Healthcare organizations need to rapidly adjust their strategies to defend against cyber-attacks. This means incorporating threat data, and implementing new tools and sophisticated analysis into their security process."

WEDI urges health care organizations to address cyber threats at the highest levels. "The risk of cyber attacks is no longer limited to the IT desk, it is a key business issue that must be addressed by the C-suite," the authors note. "…[N]o healthcare organization can be completely immune from cyber attacks and adversaries. However, they can take appropriate measures to erect defenses and integrate cyber security into the business environment and culture."

These steps include:

  • Ensuring that all employees remain aware of the role they play in limiting their organizations' exposure to threats via potentially harmful emails, websites and files.
  • Properly updating and patching operating systems, antivirus software and anti-malware programs.
  • Maintaining automated alerts to notify staff to take appropriate action, according to protocol, in the event of a breach.