Thursday, September 25, 2008

E-prescribing and two factor authentication

The last two weeks have given any sentient American plenty to think about. At the global level, we have seen some remarkable statements about international relations, global warming, and the impact of the near-collapse of our financial system. New Yorkers first - and soon all of America - will be experiencing first-hand more of the adverse consequences of mathematical aerial palaces constructed by financial wizards who seem to have failed to notice the history associated with irrational financial instruments (see: Long-term Capital Management; the Great Depression, etc. etc.)

At these times perhaps the best one can do is focus on the small things first. For this reason, John Moore's September 26, 2008 Government Health IT article entitled "Doctors and the DEA" provides a good summary fo the inherent tension between the e-prescribing enthusiasts (call them the idealists) and the e-prescribing skeptics (call them the cynics). The enthusiasts believe that our current e-prescribing infrastructure - properly applied - will be no different in clinical outcome than the current paper system. Indeed, it should be more efficient, safe, and effective in the long-run. The cynics - noting particularly the consequences of controlled substance prescribing - ask "how do you know the prescriber is who they say they are?" (I know, how do you know that on paper...but people don't seem to compare e-anything with reality but instead with Utopia).

Let's focus on two-factor authentication. 

Some say two-factor authentication is costly.

Hmmm..... if it's that costly, why does my PayPal secureID (apparently used by some PHR models) cost me only $5? And it seems pretty secure to me. I'm unlikely to give it to someone who then could more easily, say, buy a vintage 1955 Gibson Les Paul guitar and leave me with the bill.  And why is my two-factor ID from e-trade free? And how does Bank of America do such a great job with security that includes using my cell phone as a second factor, texting me with a PIN before I can log on?

Identity management - knowing Dr. X is who they say they are - is costly if done de novo, but hospitals, medical associations, and others with longstanding interest in the identity and integrity of individual practitioners. David Miller - the very brilliant chief security officer at Covisint, says a one-time password "would cost a physician $100 to $500 a year to maintain."  I suggest local medical associations and providers seek less costly alternatives from banks and PayPal. Furthermore, the cost of these system should decrease dramatically as identity management - increasingly central to commerce and personal finance - is incorporated into health care in more consistent ways.

Some claim that two-factor authentication is onerous because systems  are expected to "time out" with disuse after two-minutes. These critics have a very real point. In particular, a time limit independent of context seems a little crazy. A two-minute time-out makes sense for NSA officials or bank clerks sitting in cubicles and typing all day. It makes sense for portable devices when one is doing refills from an airport and in settings where the device could quickly and easily fall into the wrong hands. But it is hard to conceive of such a requirement in secure practice settings. I would be worried of an anesthesiologist had to re-certify their identity every 2 minutes while keeping me alive through brain surgery.  Call me naive, but I'm willing to bet that whomever put me under is the same person who will be there two minutes later. Similarly, practitioners in their offices, clinicians in hospital settings, and health care professionals carrying home health devices should be given a little more slack. And some of the systems they use are very secure because even trained professionals have difficulty using them effectively! Perhaps the only secure information system is one that is turned off!

What are people thinking? Do they imagine that as a clinician working with her professional colleagues in a practice setting will turn away and, in a few brief moments, someone in a black mask will come in and deplete the country's supply of opiates with a few mouse clicks? Is the threat to the public so severe in fixed practice settings (in which much damage can be done through needles, scalpels, and drugs)? Isn't this why we have audits and remedies for irresponsible behavior and fraud?

Time-outs are important, but they have to be context sensitive, and knowing context is more straightforward these days of IP addresses and Wi-Fi.

Let's take an analogy from an industry that worries me more - guns. I still think I can attribute more deaths from guns than I can from illicit prescriptions. But we have developed some practical policies. If you are really afraid of the power of e-prescribing, think of these technologies as handguns.

  1. You can keep your gun loaded when standing in a shooting range
  2. You can keep your guns loaded when hunting (hopefully with the safety on)
  3. You should not keep your gun loaded in the home - indeed, you should keep it locked up away from ammunition (I'm guessing here; I'm not a gun guy).
  4. No matter what you do, some people are going to mess up; the task is to minimize the consequences, not to imagine they aren't somewhat inevitable.
As a Nation and as an industry we can develop low-cost, reliable, two-factor authentication infrastructures. It's just going to take us time to couple the new technologies with our existing organizations that manage prescriber identity for other reasons. Similarly, with a little common sense, we can arrive at context-specific guidelines for time-outs. Portable devices would have one limit, land-based devices would have others depending on their location. We can work this out. And our systems generally know where they are. 

Where are the common-sense approaches? I hope people are thinking them through. I would imagine in particular that the e-prescribing and EHR vendors have plenty of reason to figure this out. At some point a successful software has place more emphasis on creating valuable systems than on simply closing deals.  

Why are clinicians reluctant to adopt e-prescribing? Perhaps because they see polarity and conflict rather than middle-road common-sense, evolutionary approaches. Perhaps it our penchant for creating conflict and win-lose that leads to impasse. Perhaps its just our collective inability to get ahead of these problems and solve them. No matter what the behavioral cost, two-factor authentication devices should be commodities under a strong, federated identity management framework. Parties already certifying the identity and roles of health care professionals should find low-cost ways of embracing two-factor authentication. And common sense must prevail in all of this.

And I do not have the energy to elaborate on my confusion over the enormous discrepancies between practical audits and security checks and the alleged costs associated with SysTrust audits.

Where are the entrepreneurs here? If the whole world were run like some proposed eHealth constructs, my express mail package would cost $2,000 and my annual automotive emission test would cost $10,000. 

I am strongly in favor of solid authentication mechanisms, time-out requirements, security checks, and audits. We know what we have to do, we're just haggling about the real price.

We can do it well and inexpensively. We've only got to try.

Sunday, September 21, 2008

Bailing Out



Much will be written about the unprecedented steps taken by the Federal government to halt the growing fear in the world financial market. The current emphasis is on the big and the small; the "moral hazard" and the compromises that may be required to make sure the "average person" feels they get something out of all of this.

One set of facts is quite evident and when examined in light of demographics should cause concern:
  1. Our economy is smaller
  2. Many employers will have to tighten their budgets even more
  3. Most of us will have less money to spend
  4. State governments will have less revenue
  5. Poverty will increase
  6. We are getting older, fatter, sicker, and, from recent history, not much wiser
That's why a recent illustration in the NY Times (Sunday September 21) causes so much consternation. (A snapshot is included in the hope that such use is within "fair use" copyright provisions.) It brought home several realities:

Since 2000, our national debt has skyrocketed past 9 trillion on its way to 12 trillion by 2010.
Of our 3.13 trillion federal budget (2009) expenditures include:
  • $632 b - Medicare and Medicaid
  • $651 b - Social Security
  • $738 b - National Security
  • $1.1 t - Other
Add to that:
  • $700 b - Wall Street bail-out (conservative)
A recent posting by former Senator Bill Frist points on the real dilemma we face. As we address our problems - including our imperfect health care system, two wars, and a crumbling infrastructure, how can we possibly afford to dig out of the health care hole? Or, as I think the Secretary of the Treasury would say about the financial markets - how can we afford not to invest more now to stabilize our future. For me, at least, health care is every bit the crisis that we see in our financial markets; it's just not a global problem. Foreign banks and governments have invested heavily in our debt and to let the banking system collapse would jeapardize our role in the world and a global economy.

Here's the sad thing - we are the sole owners of our health care - not foreign countries, banks, or others (outside of the national debt, bonds, and other capital instruments). Bank bailouts are not designed primarily to rescue the individual who makes the payments, they are designed to rescue the individual by ensuring there is a system that will make sure that we - and our children - can borrow what we need in the future to own a home. One wonders, even in this time of crisis, why is it easier to get a home loan than to be assured affordable health care?

Senator Frist's quote is as follows:

“You can’t really cost out the impact of the McCain proposal. Basically you’re blowing up the entire system and putting people into individual market. But the cost impact of the Obama plan, 452 billion dollars per year assuming it is implemented immediately…the point is it costs a lot of money and the American people, where 700 million dollars was lost yesterday, are not going to be in the mood for a large, expansive program.”

I am not sure I agree with his sense of the public sentiment. His own extreme price tag - in the context of financial industry bail-outs, wars, and other exigencies, seems worth discussion given the enormous adverse impact a failing health care system has on the individual.

Nina Cordona of National Public Radio covered Dr. Frist's remarks and stated that Dr. Frist "anticipates the formation of a panel to study Medicare, no matter who wins the election."

Could be an important task.

Tuesday, September 16, 2008

Medicaid MMIS Conference - September 15

I had the pleasure of delivering a keynote address to the Medicaid MMIS Conference held in Nashville the week of September 15.

The slides are not particularly informative and must be examined in presentation mode.

The conference theme was "harmony"
I linked three major concerns with three definitions of harmony and addressed some simple approaches to each concern. The concerns and definitions were:
  • Complexity - congruity of parts with one another and the whole
  • Quality - Agreement
  • Value - Compatibility in opinion and action
These slides do not stand "on their own" but I've received requests, so here they are.

There is - rightly so - a lot of activity around MITA. As State budgets are shrinking with the economy and demand for services grow, the MMIS community - and Medicaid programs as a whole - are at a critical juncture. My primary theme was the balance between badly-needed innovation and personalization and unnecessary complexity. I also discussed the tensions between what we want as individuals and what society wants and can pay for. I discussed the Memphis health information exchange in the context of broader state and national initiatives.

Saturday, September 6, 2008

Puerto Rico Releases Health Care Reform Report

For a few brief days in March, citizens in the Commonwealth of Puerto Rico gathered together with a wide range of national experts to examine the curent status of their health care delivery system and to propose change. Under the leadership of the University of Puerto Rico, the report this workshop was released on September 5 during a press conference in San Juan. As I worked on this project and served as a primary author on this report, I became aware of just how formidable the challenges are. Because Puerto Rico's situation is relatively extreme, it serves as a potential laboratory both for Medicaid payment reform and for health care delivery reform in general.
As I worked on this project, I had other reflections that are not in the report and do not represent the views of the participants.

Among the diverse states and territories constituting the United States, Puerto Rico is unique. Puerto Rico was ceded from Spain to the United States through the Treaty of Paris in 1898; it has governed through a formal civilian structure since the passage of the Foraker Act in 1900. Since the passage in 1917of the Jones-Shafroth Act the United States Congress has characterized the Commonwealth as an “organized but unincorporated” territory of the United States. Under this Act, residents were granted U.S. citizenship by statute and since that time have served in the United States military service. This Act affirmed a primary responsibility of the United States in maintaining control over economic, defense, and other basic governmental affairs and reiterates the United States Congress’s authority to overrule actions taken by the Commonwealth Legislature.

In 1947, the U.S. Congress approved a law allowing the election of the governor by the people of Puerto Rico. On July 3, 1950, the U.S. Congress passed the Puerto Rican Federal Relations Act. This law gave Puerto Rico the right to establish a government and a constitution for the internal administration of the Puerto Rico government and “on matters of purely local concern.

In 1993 most of the government’s health care facilities and services were sold and their management turned over to non-government entities generally under managed care arrangements. This far more decentralized system radically changed the Department of Public Health’s influence and authority in provisioning care services.

Although the impact on efficiency and quality is controversial there is some consensus on the unintended consequences of these moves. As is the case in the 50 states, the health care delivery could benefit from less fragmentation; it would provide more good if organizations providing preventive services, health promotion, and health maintenance were better coordinated; its diverse regions and communities require a better fit of health care services; it needs a stronger infrastructure for monitoring quality, financing health care services, improving outcomes, and providing consumers with greater empowerment and choices. It is, in a nutshell, facing the same challenges as those of the 50 states and other territories - but one can argue that its situation is even more acute.

Puerto Rico’s ability to combine local and federal financing for health care programs is hobbled by its unique relationship with the Federal government. In contrast to “incorporated territories” that may petition for statehood, the “unincorporated territory” of Puerto Rico is not subject to the Constitution’s Tax Uniformity Clause on all Federal duties, imposts, and excise. Although Puerto Ricans do pay import/export taxes, commodity taxes, and payroll taxes (Medicare, Social Security) most are not required to pay Federal income tax.

Although Puerto Ricans do not pay federal income tax, few would have a significant tax burden: the median household income in Puerto Rico is only 34% of the U.S median household income (2000 census) and less than half of that of citizens in the State of Mississippi.

While many health indicators in Puerto Rico are more ominous even than those published for Mississippi, in 2006 the latter state received 78.6% in federal support for every Medicaid dollar spent (the FMAP or federal matching assistance percentage), while Federal spending caps first initiated in 1968 have limited Puerto Rico’s matching percentage to an effective rate of 18%.

The 50 states can receive up to 90% reimbursement through Medicaid for critical health information technologies; Puerto Rico is not eligible for these supplements. According to 2005 Congressional testimony by Governor Anibal Acevedo-Vila, had FMAP been allowed to operate without the cap instead of the 18% effective rate of the previous year, the Commonwealth would have received $1.7 billion dollars in federal Medicaid support instead of the $219 million received. Translated to monthly amounts, federal Medicaid support in the states approximated $330 per month per participant; the amount in Puerto Rico was about $20 per month.

Funding and health care status are only a part of the obstacles Puerto Rico faces. Its health care delivery system, health care resources, and health care financing mechanisms have been said to have been in a state of decline since the introduction of managed care programs in the early 1990s. The hospital beds per capita in the Commonwealth are less than 2/3 the average across the 50 states; salaries for health care professionals of all types are lower and emigration to the 50 states is common. As vital care resources emigrate from the Commonwealth, some believe that a growing number of Puerto Rican residents needing chronic or long-term care will emigrate as well, shifting the financial burden for care to these same states.

It is within this context of controversy, internal dispute, and at times acrimonious dialogue with the Congress and Federal Executive Branch that Puerto Rico must navigate a course to health care reform. The creation, financing, and administration of such reforms very much depends on the perception – in Washington, among the Congress, and within the Commonwealth – on the rights and responsibilities of all parties within this historically unique and volatile relationship.

Puerto Rico's voice - and their subsequent actions - may say a lot about how other parts of the Nation can address similar urgent health care financing and delivery concerns.

Readings: