Progressive Place

Thursday, October 14, 2004

What is Security, really? New Zealand, 12/10/01

I recently returned from a place that, in many ways, feels like the USA in 1982. If you're old enough to remember, think of the excitement that accompanied the publication of two seminal books: The visionary MegaTrends, and the eye-opening In Search of Excellence. The people of New Zealand still seem to have that practical, optimistic, open, and friendly feeling that Americans had in the early 80s. (Say more about that. The analogy may not work, but the feeling was definitely there. Recall, also, that 1982 was the last, previous recession. The automotive and consumer electronics fields were giving the US a feeling of being trounced by Japan, Inc. No, so maybe the 1982 analogy won't work. How about using 1984, the year I actually read those seminal books?)

The things that make us secure haven't changed: trust, resilience, self-reliance, flexibility, and committed relationships. But the amount of energy and resources we're pouring into "security" has changed drastically. The terms of Security are now defined by two industries: The private Security industry, and the Government Security industry.

Of course, the threats to our security have grown drastically, too. But are the things that are being threatened worth what we're spending to protect them?
What do you really need, to be secure? (Distinguish from "feeling" secure, which is a whole different subject.)

Try this experiment: Put yourself in a pleasurable circumstance; say, at a favorite weekend retreat. Then reassess what you really need to protect. Achieving a sense of personal security is a lot easier when it isn't anchored in a mass of fragile personal possessions, which you must constantly protect against the onslaughts, real or speculated, of those without.

Find your own balance between dealing with and doing without. For many of us, recreational dreams involve getting away from our complications, and returning to the simplicity of a less cluttered lifestyle. So, what would be so bad about living like that all the time?

Translated into IT/Disaster Recovery and KM terms: What is truly vital, & would need to be recovered? What is really mission critical, and what, in a pinch, could you do without?
Now: How much of that would you be better off without, all the time?
(ref CRN 12.24-31/01)

And for ourselves, which things are truly enhancing our lifestyles, and which are just complicating them?

Mobile Health Information Commentary

(Unpublished draft, 2003)
There are advantages to being such an eclectic. When I figure out a complex topic like mobile health information, I want to share it with the very diverse audiences that need to know about it. Requirements analyses, lifecycle documentation, web-based training, and white papers rise out of the same inner drive: To communicate important information to a particular, clearly-identified audience, following a definite structure, in the way that audience can best integrate it.

Mobile health has caught my attention both for its great promise, and for its even greater complexity. The most successful mobile applications are demonstrating phenomenal ROIs. However, as with any dynamic technology, many more implementations are not successful.
To paraphrase a famous quote, the problem is not in our tools, but in ourselves.
Translation: More projects are defeated by poorly understood and articulated requirements and desired outcomes, than by leaning too far out over the leading edge.
These results are exaggerated in health care, especially when too much is riding on the outcome. I've also been investigating HIPAA, the 800 pound gorilla that's been snarling at health care information of late. I'm starting to think of a use for that Introduction to XML I had a few years ago.
There I go again--start out with a simple request, get off into an essay. Later for that.

Attn.: Steven Ortquist, Banner Health, re invitation to "Please send HCCA your HIPAA Privacy-related documents," based on my thoughts in response to this article:
Wireless health driven by HIPAA (Google search)... that lets anyone into the network." Most of the mobile ... We are integrating the handheld with our internal ... For now, Concentra's WLANs are HIPAA-compliant. ...
www.infoworld.com/articles/ct/xml/02/04/08/020408ctwireless1.xml

I'm an IT analyst studying aspects of HIPAA, toward extending my consulting practice. With HIPAA, a new word is about to enter the lexicon: Mobliability. That's Mobile Liability. "Authoritative" pronouncements about mobile health care are being made daily by writers who reveal their weak understanding of IT basics. Do health care information specialists notice the same weakness in health care knowledge among IT commentators?

My comments follow the relevant passages in italics:
Michael E. Stull, a principal at eHealthcare.net:
"Users will have to master authentication and, for example, turning on the ability of the system to use the access control lists of the MAC [media access control] address of the network card [used in] accessing the LAN."
Hey, who you callin' a user, pal? You're describing a job for a very experienced network engineer. Not what I'd consider a "user". And where'd you learn sentence structure?

Next: "Most of the mobile road map has been laid out for Concentra. The first leg of the journey was to eliminate an expensive medical transcription system that cost $3 million to $5 million."
Two misleading statements in a row. First, this is Why, not How. Second, it's a destination on the map, not the route to get there.

"Concentra's programmers spent about five months building ChartSource with ...(various Microsoft tools listed)... and XML and XSL style sheets."
It should be mentioned that without XML and XSL, not only would HIPAA be impossible, but DHHS wouldn't have had the nerve to even suggest it. A common format--or language, if you will--is the key element in portability. Reminds me of an old stand-up comic introducing a speaker with the line, "Our dear friend HIPAA, without whom none of this would have been necessary."

"The point-and-click application allows a physician to click on a patient's name to display his or her medical history. "
Point-and-click? If they mean "squint and poke", they should say so. Design for the handheld interface is a demanding, specialized discipline that few currently possess, and the screenshots shown look indecipherable.

"After an examination, the doctor feeds the diagnosis into ChartSource as well as 'the completed and signed medical note and puts it back into our Practice Management System [database],' Wilson explains."
"Feeds the diagnosis" - how? Freehand entry? Selecting DRGs or codes from a list?

Also, since this article targets IT and not health care, it needs to state explicitly that only the handheld can automate the entire data path, from initial generation through all possible uses. And, once automated, it can be controlled and secured.

"The customized system includes a decision-tree application for consistency in patient reports."
How does a decision tree make patient reports more consistent? Is this a health care-specific reference?

Like many of the HIPAA regulations, this issue (where to put the firewalls) is not clear cut.
As general and vague as the HIPAA regulations seem, two things are certain. These are:
1. The regulations apply consistently to all. So, for so many organizations to be pursuing compliance in isolation is an immense waste. The health care consuming public would be better served by the industry seeking optimal collaboration and community-building toward common solutions. And if DHHS is not ideally situated to coordinate this massive effort across all 50 states, what the heck is it there for?
2. The drop-dead compliance dates are eerily similar to that much-vaunted and maligned trick of the calendar we saw a few years back, Y2K. It's big, it's comprehensive, and it's absolute. And as a fundamentally simple thing replayed billions of ways, there are just a few ways to do it right, and billions of ways to screw it up.

A final thought: When health care folks need new information to respond to a challenge, they circle the wagons and have a conference. My instructional strength is in e-Learning, so by contrast, my first impulses would be to:
1. create web-based courseware to increase the shared baseline of expertise across the varied disciplines;
2. host virtual events to build and strengthen the community of interest; and
3. invest heavily in Web-based portals to build the community of practice that will actually get the job done.

And, do you know what the outcome of all this working together will be? DUH-UH -- shared, portable health information! Remember, the P in HIPAA does NOT stand for Privacy, it stands for Portability. Isn't that what HIPAA was supposed to be about?

HIPAA- You paid the cost. Don't throw away the rewards!

HIPAA- You paid the cost, now collect the rewards (2003 unpublished draft for article)
DON'T FORGET THAT THE P IN HIPAA STANDS FOR PORTABILITY. Not Privacy.
If we remember that, then HIPAA can pave the way for a quantum leap forward in medical effectiveness. HIPAA forced the medical industry to replace numerous outdated systems based on paper forms and outdated computers.
Think about it: What are medical records? They are, basically, the recorded saga of your life, your physical existence on this planet. To make the kinds of informed treatment decisions expected of us today as medical consumers, we need to have that information about ourselves in a form that we can find, access, and comprehend.

SCENARIO. Picture yourself meeting with your physician in her office. After brief greetings and banter about your respective families, she asks the purpose of this visit. You tell her about a pain you noticed a few weeks ago, that's gotten progressively worse since. She studies the screen of her tablet PC. It occurs to you that the doctor appears to be working intently on an Etch-a-Sketch, a mental image that makes you chuckle. She looks up quizzically, then returns to her electronic slate.

The physician soon looks up again, smiles, and clips the tablet into a stand. She swivels it toward you, and comes to your side of the desk so you can both see the screen. It shows a generic, naked human torso-- not your own, you are relieved to see-- with your area of complaint pulsing slightly in red. Below the image is a table listing symptoms, as well as other input you gave in an online interview yesterday at your home computer, when you went online to schedule the appointment.

With a fingernail, the physician lightly taps an on-screen button. The image tilts and rotates into a 3-dimensional view, and the body image on the screen is overlaid with another body image. With a few words from the physician, it hits you, literally in the gut, that a little problem she warned you about two years ago has now grown into a big problem, and you have to do something about it. Now.

Details to expand
- Family history & personal profile fed into an actuarially based condition predictor, that overlays the generic body picture with personalized potential trouble spots. May be a few pre-herniated disks or a dormant mass. Or, hypertension & infrared cold spots pointing to constricted blood flow in some parts of the body.

- Billing and Payments- These are especially bewildering to nearly all concerned. I, for example, don’t like getting first surprise, and then repeat, invoices for medical services. Did I receive that service? Didn’t I already pay for it? I thought that was covered by my insurance, when I gave them my card. Why are they billing me now?

Solution: Illustrate relationships between services received, billing, and payments using colorful, USA Today-style graphics, flow charts, timelines, and personalized labels. Adapt for what-ifs: What if I have a prolonged illness? What if I get extended coverage? What if I self-insure for that risk? The technology’s there! How freaking hard can it be? Or do they PREFER us to stay confused?

Advantages:
Make the medical process visible and open. We’re supposed to take an active role in our treatment and apply it to our lifestyle, right? How about giving us the conceptual tools to make that possible, and stop obfuscating it in distressing forms and paperwork?
In the online interview situation, you had more time to …

Obstacle: In a preliminary interview, I wouldn’t know the relevant questions to ask myself, that the physician would ask. Maybe the preliminary interview should be an interactive web conference with the Physician's Assistant?

Compliance 2: Scenarios in Compliance Training

(Draft, 2002) With sweeping regulations like HIPAA, OSHA, and JCAHO, few and simple are the basic facts. Many and great, however, are the ways of interpreting and implementing these facts, and thus the errors and omissions that can result during interpretation and implementation. Training is very thorough in the general principles. But if people don't understand how the principles were implemented in their systems and procedures, they will act as though they were not trained, screw up, and render their organization non-compliant.

The solution is detailed scenarios that will be fodder from which practitioners can create the accurate "inner stories" that will help them remember and apply complex regulations, and on which they can model their behavior, and "Do the Right Thing."

Compliance 1: Forgetting Lessons of the Industrial Revolution

(Note: Since this was written in 2002, we've seen the advent of automated certification management systems. But the final output is still a linear text document, intended for people to read and sign-off on. That's still a weak point in the system.)
To Simplify Compliance: Certify the Content, not the Document. What's that mean? Pharmaceutical Information expert Paul Mattise says, "Certify the SOP, signatures only on the deliverable, not on the process." That's making people do with their sore, tired eyeballs what machines should do by design. Instead, reduce the workload and accelerate the process. Eliminate the source of much of the confusion: Drop the documents entirely, certify the factlets/objects and data package they're in.

The knowledge that we transmit in the vast majority of our written business documents is not nearly as tacit--i.e., as creative, unique, or expressive-- as we'd like to think it is. We are trying to use the unstructured, fuzzy, subjective tool of language to represent, badly, an underlying reality that is essentially objective, and modularly, hierarchically structured. We need to separate the factual representation from the narrative. Images, tables, lists, and standardized language--i.e., "meaning objects," or jargon--will help us to overcome the quagmire of misunderstandings in which we often find ourselves.
Have we forgotten all we learned from the Industrial Revolution, besides how to control abuse and corruption? We can create standard visual frameworks for document structures (format, styles, breaks, fonts, etc.) Then we can store and manipulate the content as XML, and put the e-signatures on that. Treat it as the data it is, and stop trying to make it literature.