Friday, February 18, 2011

Doctors and IT

Well, first of all, this blog is not dead. It has just...undergone a period of deep hibernation. Unfortunately I don't think I'll ever be able to keep up with it as much as I used to, but I'll still try to post here more often than I have in the past few months.

Today, I read an interesting article intersecting technology and medicine: "U.S. patients trust docs, but not e-health records, survey shows"

As someone who is on the road to a medical career, it's certainly encouraging to hear that most people trust their physicians. But as a technologist, it's also worrisome to hear that patients don't always trust electronic health records, and that the lack of trust can be justified. On the one hand, a doctor's job is to be a doctor, not to worry about computer and network security, which is the job of an IT specialist. On the other hand, digital security is a real problem that every computer user has to worry about to some degree. I don't know if most doctors are aware of IT security best practices, but it is more likely that most doctors can't afford to hire an IT team to run systems and security, nor do they have the time to learn and deal with it themselves. As much as EHRs have their benefits, I can see how they become a burden, as they take considerably more technical know-how to maintain than a filing cabinet; correspondingly, hiring someone to maintain an EHR system is more costly than hiring someone to maintain a filing cabinet.

It seems that computer security is becoming increasingly important in the healthcare industry with the push for switching to EHRs. The simplest solution would probably just be to isolate EHR computers from the internet, but that runs counter to the collaborative ability to share EHRs between health organizations. As a result, doctors will probably need to have a higher level of security awareness than the average home user, simply because the stakes (i.e. protected health information as defined by HIPAA) are much higher. While I by no means claim to understand how EHR systems are being deployed, my guess is that, like other enterprise software, the software is developed and deployed by a software company that maintains an active support and maintenance contract with the medical practice. If that's the case, then perhaps those companies should include services to maintain a network where there is otherwise no dedicated IT infrastructure or staff, and at least provide minimal training materials to doctors and their staff so that the digital security issues that have plagued other industries ("Big Company loses SSNs and credit card numbers of 1 million customers due to network breach") do not now begin to affect medical practices. One way or another though, it would seem that, in general, doctors need to gain a better understanding of computer security than they have now, for the good of their patients.