Just as the levees of New Orleans stood little chance against the wrath of Hurricane Katrina, our overly complex, inflexible, noninteroperable, and often off-purpose electronic health record systems aren’t ready for an average Sunday afternoon, let alone Covid-19.
As the novel coronavirus that causes Covid-19 continues its march around the world and through the United States, it is spawning another kind of infection: Covid-19 cyber threats aimed at individuals and health systems.
We aren’t crying wolf here. Disaster planning experts know all too well that preexisting weaknesses become worse during crises. The WannaCry cyber attack that devastated the United Kingdom’s National Health Service is a good example. Outdated infrastructure containing components with long-understood vulnerabilities are a hacker’s paradise.
But here’s the silver lining: Because the weaknesses are well-known, health systems can plan for them and around them.
Functionality and usability
The undeniable fact that electronic health record systems are designed to track and bill procedures rather than provide optimal patient care is likely to be on full display as the health system becomes increasingly saturated with Covid-19 patients.
Because of the way most modern electronic health record systems are built, it can take a clinician a long time to get a clear picture of the patient in front of him or her. That’s because a patient’s electronic health record is split into many tabs. Some information is under the problem list, some under medications, some under imaging, and so on. The essential timeline of health data is lost. This may mask underlying vulnerabilities because it is difficult to reassemble a patient’s data into a cohesive narrative, causing an incorrect view of the patient’s risk for Covid-19.
This offers an opportunity to consider two issues. One is the lack of a cohesive data model for patients in most electronic health records — an intuitively patient-centric construct that allows clinicians to start with a patient and trace back to their signs, symptoms, and diagnostic tests. The other is whether tightly focused health apps represent an opportunity to streamline patient evaluation, triage, and other essential functions that may be too burdensome within current EHR workflows. Fit-for-purpose health apps may also assist with interoperability, another well-known weakness within our health information technology infrastructure.
Need for rapid updates
Covid-19 cyber threats, made more complicated by the unknown unknowns that always accompany emergencies, will require increased resources and rapid updating. To be fair, the electronic medical record industry is not sitting on its hands. Epic, maker of the most widely used electronic health record, has released an update that potentially helps clinicians spot possible Covid-19 patients.
But as the case definition evolves to include new symptoms, comorbidities, risk factors, and the relevance of geographic location, this will test the agility of such updates, which aren’t very agile. The complexity of most EHR systems makes upgrades and changes slow and expensive. Today, even the quarterly software updates that Epic announced in 2019 are too resource-intensive for some.
By contrast, health care’s peers in the technology industry using best practices in software engineering can update many times a day. Without their customers noticing, Netflix releases thousands of code updates daily.
Data sharing across platforms and with patients is essential, especially during a disease outbreak. Data from diagnostic tests, locations of confirmed positive cases, the denominator of total tests administered, treatment results, evolving case definitions, and many other streams of data must flow as freely as possible without sacrificing privacy or other essential elements of ethical care and research. Scale, however, matters.
Tracking dozens of patients in an electronic health record system is feasible in many health care systems, but current capabilities are unlikely to scale to hundreds or thousands. According to FEMA training on communications during emergencies, information can be as important to people as food or water. During the response to Covid-19 and beyond, data must flow and conversations on interoperability must be treated like the public health issues they are, not the kind of business agenda pursued by the CEO of EPIC, who wrote a letter to hospitals opposing provisions of the 21st Century Cures Act.
The final interoperability ruling, released this week by the Trump administration, mandates standards-based exchange of health information through information sockets known as application programming interfaces, or APIs. If this capability currently existed across in all of U.S. electronic health records, the ability for health systems to securely and appropriately share information in public health emergencies would be vastly improved.
Ironically, one of the greatest gaps in health information flow in the U.S. is the ability to count and track death. More reliable sources, such as retrospective studies using Social Security death indices, are also imperfect and don’t provide real-time information. A health infrastructure that cannot properly track death is unprepared to manage catastrophes.
5 steps to improve resilience
Disaster resilience is the ability of individuals, communities, organizations, and governments to adapt to and recover from hazards, shocks, or stresses. Here are five things that should be at the top of the emergency preparedness plans and conversations at all health care institutions as they prepare to deal with an influx of Covid-19 patients.
First, all institutions that have business continuity plans should be reviewing them and ensuring that all technology staff are up to date. One essential element of such plans should be a clear hierarchy of technology, data, and business priorities. Not all systems — such as those tied to reimbursement or tracking grants — are equally important in a health emergency. For organizations that don’t have plans, it isn’t too late to prepare one.
Second, oversight and diligence on all computer system administration procedures should be ramped up. Queued administrative patches for electronic health records and other systems must be prioritized. Change control — a systematic approach to dealing with all changes made to a product or system — must be enforced. If the situation grows darker, IT administrators should consider whether nonessential projects and activities should be stopped and personnel reallocated. Shutting down nonessential applications may be helpful in the event of network bandwidth issues. Performance of essential systems should be monitored and tuned as precisely as possible.
It is also essential to make sure that systems and data backups are functioning and recent backups have been tested to ensure they can be fully restored. Most emergency procedures are never tested, which is a huge driver of failure.
Third, cybersecurity awareness, preparedness, and activity must be heightened. Criminals are not looking for a fight — they are looking for victims, and organizations under stress are easier marks.
Security patches must be applied as soon as possible given that health care institutions are among those most targeted by hackers. The federal Cybersecurity and Infrastructure Security Agency has published risk insights for Covid-19 that provide a starting point. The agency is also tracking Covid-19-specific cyber alerts. Managing cyber threats during this outbreak will require exquisite communication and collaboration between information security professionals and all of their business partners. The possibility of a ransomeware outage during an epidemic is far too important to neglect.
Fourth, if there is an “app for that,” consider using it, especially if and when people start reaching for paper and spreadsheets to enable new or evolving workflows or data collection. Supplementing the clinical workflows of electronic health record systems with specialized mobile applications is a well-understood way to enhance productivity, and it may be essential in an emergency situation. For example, a simple app that guides frontline clinicians through a decision tree for evaluating and managing potential Covid-19 cases could reduce confusion and variation in care.
Because disease outbreaks are also times of intense research activity, well-designed apps may improve digital data collection and help research occur in a way that is less disruptive to clinical care. Institutions that have already invested in APIs are a step or two ahead of others.
Fifth, put humans to work. Scribes have been shown to cut by half the time it takes a clinician to document a patient encounter. While scribes may be a luxury for most practices and health systems in normal times, they may be essential during an outbreak to increase the efficiency of clinicians. Institutions that have cross-trained clerical staff for data entry and data management functions as part of their emergency planning are in better shape than others, but now is the time to catch up. In addition, it could be helpful to redirect staff who typically focus on analytics and other data tasks toward specific Covid-19 reporting.
It’s never fair to paint entire industries like health care with the same brush. But it is important to occasionally dial up and look at macro trends and long-term effects. Disasters put systems under intense pressure and it is on us to see it coming.
Shame on us if we don’t do that with Covid-19, regardless of whether this outbreak overwhelms our health care system or fails to live up to its advance billing.
Eric Perakslis, Ph.D., is a Rubenstein Fellow at Duke University. Erich Huang, M.D., is a data scientist, chief data officer for quality for Duke Health, and director of Duke Forge.