posted by adgrooms on June 19, 2019

On March 27, 1977, two Boeing 747s collided on a runway in Tenerife, in the Canary Islands off the coast of Morocco, killing 583 people. This accident led to a new era of standardization and safety in aviation. Aviation studied its vulnerabilities and innovated to become a much safer form of transportation, with 0.07 deaths per billion passenger miles, reducing the number of commercial fatalities from the thousands at the time of the Tenerife accident to a few hundred in recent years.

Medical errors and injuries are an ongoing problem for healthcare. Are there systemic gains that aviation has accomplished that healthcare can use to improve outcomes?

Both professions require years of rigorous training. One difference is that aviation training includes extensive leadership, decision-making, teamwork, and other non-technical skills, whereas physicians receive little, if any, training of this kind. Physicians are required to lead interactions with patients and staff while making numerous difficult decisions. Why wouldn't this type of training and support be provided in healthcare?

The safety initiative in aviation discovered that lack of communication was the root cause of many accidents. One response was a move to flatten hierarchies. The captain is in charge and has the last say in decision making, but if a co-pilot sees a problem, they are encouraged to speak up, not shut up. Collaborative approaches like team-based care have a positive impact in the clinical setting, but they only work if every team member feels valued and each voice is welcome. A culture of mutual respect for every role is needed for a cohesive, well-functioning medical environment.

The healthcare industry needs to provide an avenue for physicians to report a mistake without fear of repercussion. Aviation has cultivated a culture of reporting mistakes through the Aviation Safety Reporting System run by NASA. It is a place where pilots, air traffic controllers, flight crew, and maintenance can report errors voluntarily. The reporting is then used to improve whole systems, not to punish individuals. This allows for constant improvement in safety processes that benefit the whole industry. Healthcare already suffers from too much bureaucracy but a similar, industry-wide reporting system could simplify and standardize reporting while creating a culture of safety and a shared resource for improvement.

Aircraft have systems that collect a massive amount of information. This information is used to refine workflows. Much of the process has been automated such as controlling the plane in level flight. Healthcare has gone in the opposite direction with the implementation of EHRs. Doctors are burdened by required manual input in clunky interfaces. Modern aircraft interfaces offer inspiration to the development of more robust clinical software.

Airlines invest heavily in the wellbeing of their staff. There are strict guidelines on how much pilots can work, and psychological staff are readily available for support. This is not necessarily the case for physicians. With ongoing shortages, physicians are working longer hours, and burnout has become a heavily discussed problem. The safety improvements of the airline industry provide good justification to healthcare for making similar investments in the wellbeing of their team.

There is an effort in health care to learn from aviation. Captain Chesley "Sully" Sullenberger, famous for the "miracle on the Hudson" emergency landing, speaks to doctors on improving systematic processes in the pursuit of patient safety. Although there are differences between the two disciplines, safety and the outcomes of patients/passengers are a shared objective.

posted by adgrooms on June 18, 2019

Encouraging and enforcing secure passwords is an ongoing challenge for any organization. In healthcare, patient data is a valuable target. The easiest, cheapest, and lowest risk hack is to guess a password. It happened to Mark Zuckerberg in 2016. There is no easy, perfect answer. So what can help?

Brute force attacks are a common form of password attack. This method uses trial and error: an automated program runs through every possible combination of characters. Instead of random characters, it can be faster to start by trying common passwords and dictionary words. Hackers draw on resources such as lists of compromised passwords and common words. The longer and more random-looking the password is, the harder it will be for a password cracking program to find the combination. Furthermore, including numbers and special characters expands the number of combinations and increases the difficulty of guessing by brute force.

These attacks succeed because most passwords are short and/or easy to guess. A password needs to be personal and meaningful to the user, yet difficult to guess. The usual approach is to pick a combination of significant names and dates. There is a simple trick that builds on the psychology of password selection. To help users create a password that is easier to remember but harder to guess, share this method and make it fun:

  • Choose a long phrase that is meaningful to you. It could be song lyrics, a line from a movie, or a favorite poem. For example: "When you eat pickles, don't get your hand caught inside the jar". But don't use that one, it's mine ;-)

  • Use the first character (or two or three) of each word in the phrase.

  • Decide on a character substitution that is easy for you to remember. Hackers already try common substitutions like the number zero for the letter 'O'. You can foil this by making your own meaningful substitution, for example: substitute the number zero for the letter 'Z', because they both start with 'Z'.

Using the same password for different accounts is unsafe. Did you read that linked article about Zuckerberg? Oh yes, it does happen. The above method helps users create a better variety of memorable passwords, but if you have a lot of passwords to remember, a password manager can help. All passwords are securely stored, you just have to make and remember one really really good (and memorable) master password.

One last thing that helps: The National Institute of Standards and Technology recommends ending policies that force a password change every month. Requiring scheduled password changes leads to less secure passwords. Users' response has been to change one character of a base password, keeping it easy to remember while meeting the bare minimum requirement for a change. Bad actors know that this is a common practice. If a password is compromised and then changed, a similar password is an easy target for regaining access.
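As an added example (not code from the original post), the following Python shows the phrase-based method from the steps above and a check that a password-change handler could run instead of forced monthly rotation: reject passwords that are short, that appear in a list of common or compromised passwords, or that differ from the previous password by only a few edits. The phrase, the blocklist and the sample passwords are constructed for illustration.

```python
# Added example, not part of the original post. The blocklist below is a
# constructed stand-in for a real compromised-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Constructed sample phrase (not the author's) and the author's suggested
# substitution: the digit zero stands in for the letter 'Z'.
SAMPLE_PHRASE = "My zebra zips zealously through the garden every single morning"
SAMPLE_SUBSTITUTIONS = {"z": "0", "Z": "0"}


def phrase_to_password(phrase, substitutions, chars_per_word=1):
    """Take the first chars_per_word letters of each word in the phrase,
    then apply the user's own character substitutions."""
    words = [w.strip(",.!?;:'\"") for w in phrase.split()]
    base = "".join(w[:chars_per_word] for w in words if w)
    return "".join(substitutions.get(c, c) for c in base)


def edit_distance(a, b):
    """Levenshtein distance: the number of single-character edits needed
    to turn a into b. Used to catch 'change one character' rotations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_new_password(new, previous=None, min_length=12, min_distance=4):
    """Return the list of reasons a proposed password is rejected.
    An empty list means the password is accepted. `previous` is the old
    cleartext password the user supplies during a password change."""
    reasons = []
    if len(new) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if new.lower() in COMMON_PASSWORDS:
        reasons.append("appears in the common/compromised password list")
    if previous is not None and edit_distance(new.lower(), previous.lower()) < min_distance:
        reasons.append("too similar to the previous password")
    return reasons


if __name__ == "__main__":
    pw = phrase_to_password(SAMPLE_PHRASE, SAMPLE_SUBSTITUTIONS, chars_per_word=2)
    print(pw, check_new_password(pw, previous="Summer2019!"))
    print(check_new_password("Summer2020!", previous="Summer2019!"))
```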

The best way to combat hackers is awareness and education. Understanding user friction and creating smoother and more fun solutions eases the burden for the security team and everyone else.

posted by adgrooms on June 14, 2019

The ability to retrieve patient information on a computer is an improvement over the paper filing system of years past. Some benefits have yet to be realized but among them are the potential to give patients greater access to their information, doctors greater visibility into patient history, and researchers a wider view to learn more about our health. But this transformation has brought unanticipated pitfalls.

When we talk about user experience (UX) in EHRs, often we talk about how it is hard to navigate. The screens are cluttered, and in general, it takes unnecessary time to accomplish straightforward, common tasks. The real danger is the effect of cognitive overload on the user that in turn produces mental fatigue. Are EHRs detrimental to decision making?

The human brain uses three types of memory:

  • Sensory memory, where incoming information is first received and filtered

  • Working Memory, where critical thinking and problem solving happen

  • Long Term memory, where information is categorized and stored

Physicians have to make many high-risk decisions every day, which requires a high level of thinking and understanding of complex problems. This is primarily done in working memory. However, working memory has limited capacity and different types of information use up working memory's capacity at different rates.

Cognitive load theory shows how different information uses the working memory. Intrinsic cognitive load is the complexity or weight of a task. These are the high stakes decisions that physicians make all day pertaining to patient care. Extraneous cognitive load is determined by the organization of a task or information. This is where poorly designed UX in an EHR can have a detrimental effect on the overall cognitive load. Overly cumbersome systems and processes leave less space for patient care decisions.

How do we improve the situation for physicians? We need to talk about what information is shown and how it is presented in the EHR system. Asking providers to adjust thinking to varied layouts between systems slows workflow and produces cognitive load. A standardized design will make EHR more familiar and consistent, and reduce mental burden.

Borrowing from aviation, EHR developers can design systems with fewer interruptions such as clicking to new windows to find information. The transition between windows causes "blink" attention diversion that can last up to 90 seconds. A well-designed tool will have all of a patient's relevant information available for the physician to view in one window.

One study found that enhanced decision-making support in EHR resulted in less cognitive load and better clinical performance. Enhanced decision-making means providing clear, simple decision pathways based on a standard procedure to information that is needed for a particular patient. It reduces the need for thinking inside the computer system so that the provider can focus on thinking about the patient.

The frustrating thing is that these are not new or unproven ideas. They are simple, well-known, well-tried usability techniques that urgently need to be applied to medical systems. We do not recommend this lightly. Applying a massive user-interface redesign is disruptive. It means yet another round of training and another round of adaptation. There is a high cost to change. The cost to remain the same is much much higher.

posted by adgrooms on June 13, 2019

Healthcare and auto manufacturing may not appear to have a lot in common, but healthcare is experimenting with Lean, an organizational methodology that comes from the auto industry. Since patients aren't cars and doctors aren't robots, how is this going to work in healthcare? Does it belong in healthcare? Why consider it at all?

Changes to regulations in the last decade, such as HIPAA and HITECH, have led to increased administrative oversight and increasing waste. This costs the organization, staff, and patients time and money. The basic principles of Lean include mastering simplicity, eliminating waste, and constantly improving. The Lean model is thus an appealing countermeasure that could provide positive results. Well implemented Lean processes locate and eliminate inefficiencies and redundancies to create a smoother workflow.

Another basic tenet that is particularly relevant to healthcare is respect for the workforce. It is supposed to give employees more say in how things are done. Employees are encouraged to find processes to improve and to increase quality. Giving employees the latitude to find and use software that makes their job more efficient, within secure parameters, could also reduce some of the waste.

Lean practices narrow the scope of work and eliminate administrative obstacles. EHRs have shifted providers' daily work away from caring for patients. They are now overwhelmed with data entry. Asking providers to give care and code for billing goes against the Lean ideal of each job having a specific purpose. Although capturing reimbursement is a very important function, according to Lean principles, a physician should be focused on the care of the patient. Another role, or ideally automation, should be responsible for coding and reimbursement.

As Lean is tried in healthcare, it is getting mixed reviews. It shows promise but is not yet proven. In future posts, we will look at the successes and failures to try to determine whether and how Lean benefits healthcare.

posted by adgrooms on June 12, 2019

Ransomware is in the news again for a weeks-long ordeal for the city of Baltimore. Healthcare is another favorite target. In cities and health systems the need to access data is vital to operation. Attacks are growing in number and becoming more sophisticated. The FBI reported that healthcare lost $4.5 million across 337 victims in 2018. The cost could be even higher if patient data was also stolen for exploitation. What is ransomware, how can an attack be avoided, and how can it be dealt with effectively?

Ransomware is a type of malware that prevents users from accessing data, usually by encrypting the data. The hacker demands a fee to restore access. However, there is no guarantee that the attacker can or will restore access once payment is made. Bad actors apply this technique wherever they can, to any industry and even personal systems. Unfortunately, these bad actors have realized that data lockouts create dangerous and life-threatening conditions when applied to critical systems in healthcare. This urgency can motivate an unprepared health system to comply in order to protect patients.

Ransomware spreads like a virus. It requires a person to run malicious code that locks the system. Phishing and drive-by downloads are two common ways to spread ransomware. Phishing is a trick that deceives a person into running a malicious program with a legitimate-looking email. Drive-by downloads either trick a person into running a malicious program off of a website or secretly download and run a program while the person visits a site. All healthcare employees should be extensively trained on how to spot malicious emails and suspicious links. Regular security meetings should be held to remind and update employees on the latest tricks and traps.

The best overall tactic in security is to make yourself a difficult and undesirable target. You want to become not worth the effort: either the value is too low or the cost is too high. The best defense against ransomware is a disaster recovery plan. With a solid disaster recovery plan in place, ransomware is neutralized. Attackers can go to the trouble of getting in and locking your data up, but you'll sidestep the attack and resume operations. It may cost some time to restore data and systems, but showing yourself as able to recover and unwilling to negotiate will deter future efforts. A good disaster recovery plan should be in place for any medical institution.

The only perfect security is zero access at all. If authorized individuals can access a system, then motivated, unauthorized individuals can find a way in. Vigilance from all employees is the first line of defense, and quick recovery is dependent on good planning.