Manipulation of 12,000 Medical Records Made Easy by EHR

This from a hospital in Canberra, Australia using a common ED EHR in that part of the world, iSOFT:

Canberra Hospital embroiled in data scandal
SBI Magazine (Secure Business Intelligence)
Jul 5, 2012 

A Canberra Hospital executive has admitted to manipulating Emergency Department records to make wait times and stays appear shorter than they were.

The executive told the Director-General of the Health Directorate they had made "approximately 20 to 30 changes to hospital records" a day from "late 2010" onwards.

ABC [Australian Broadcasting Corp.] News reported that the matter has been referred to police, while the executive has been suspended without pay.

Though the data manipulation was initially said to be motivated by concerns over job security, changes in 2011 and early 2012 were said to have been made due to "managerial pressure" to improve publicly-reported performance statistics.

This raises the issue that data manipulation might have been performed not just to improve reported statistics, but to cover up medical error, computer related or not, and thus deny injured patients or their heirs the right to legal redress.

"The only thing that worked to achieve benchmark targets was to alter the data," the executive later told investigators at PricewaterhouseCoopers (PwC), which was engaged by Health to perform a forensics analysis. The analysis is detailed in a new Auditor-General report (pdf).

In total, PwC found 11,700 performance records - about six percent of all records stored in the hospital's iSOFT emergency department information solution (EDIS) - had been altered.

It is believed more staff at Canberra Hospital altered records than the executive that has so far admitted responsibility.  "While an executive has admitted to changing EDIS records, it is probable that EDIS records have also been manipulated by other persons with access to the system," the federal auditor-general noted overnight.

This is another area where electronic records make possible tasks that are probably impossible with paper.  Altering 11,000+ records would be hard in paper charts, as the alterations would likely stick out in a pronounced manner.

"The executive’s admission to Audit does not appear to account for all of the changes to EDIS records that have been made to improve timeliness performance."

For example, changes to EDIS records, albeit a much smaller number, appear to have been made on days when the executive was on leave (seven days in total in 2010-11 and early 2011-12). 

I am saddened to note, a proper term for this activity might indeed be "conspiracy":  a conspiracy is an agreement between two or more persons to break the law at some time in the future.

User access control, IT security failures

Poor controls such as generic logins and inadequate user and password security made it easy for insiders to game the data.

While EDIS was on approximately 259 workstations across the hospital and 253 users had permission to run the software, there were only 23 user accounts.

Of these user accounts, only eight were in regular use, including four named administrator accounts (specific to administrative staff) and four generic user accounts: CLERK, NURSE, DOCTOR and BEDMAN.

The generic accounts could be used by personnel across the hospital, not just within the Emergency Department.

Passwords for the four generic user accounts were "very poor" and had "never been changed". Password expiry was set at a default 999 days.

Audit logs were equally poor, not proactively checked and unreliable.

The proper term for these arrangements might be "gross mismanagement" of clinical information technology.

"A feature of the logging record is that it logs the changed field in EDIS and a number of other fields simultaneously, while not identifying which field was changed and what its original value was," auditors noted.

"Audit also notes that the logging record is also ineffective, because every entry in EDIS is logged from “Workstation 14”.  

"Although EDIS has been disseminated widely throughout the Canberra Hospital each of these users logs into EDIS using the common “Workstation 14”.

"This practice, combined with the use of generic user accounts, makes the EDIS logging information useless for investigations of unauthorised activity."

Furthermore, it was possible to edit EDIS records up to 72 hours after a patient’s treatment, providing a generous window for later unauthorised changes to the records.

These "features" sound like seller misdesign with regard to the metadata (logging records).

Noticing anomalies

It was only in April this year that a full inquiry was commissioned after "anomalies" in performance figures were spotted by the Australian Institute of Health and Welfare (AIHW).

The AIHW found an unusually high number of emergency patients that were reported to have been seen at exactly within the required time for their illness category.

For example, there was an unusually high number of patients who were reported to have been seen at exactly 30 minutes or 60 minutes.

In addition, an unusually high number of people checked out of the Emergency Department precisely 240 minutes after their recorded arrival.

If you're going to engage in this type of activity, at least be competent at it...instead of setting up a red flag bigger than the flag that used to fly over the Kremlin.

The records that were manipulated mean that publicly reported information relating to the timeliness of access to the Emergency Department and overall length of stay in the Emergency Department have been inaccurately reported.

The report could not ascertain the level of over‐estimation due to the lack of a clear audit trail identifying what were legitimate and what were fabricated entries in patients’ records.  

Timelines can be critical to proving medical negligence in court.  Further, if time data could have been manipulated, it seems clinical data could have been manipulated as well.

EHR data manipulation is of unknown magnitude worldwide, but I can imagine if it's easy to do and the benefits potentially substantial, electronic records could possibly be less trustworthy than paper records.

-- SS

Addendum:  while on the topic of clinical IT Down Under, there's also this:

Coast medical records system 'dangerous'
Stephanie Bedo
Goldcoast.com.au

July 6, 2012

SENIOR doctors say Gold Coast Heath's new multimillion dollar electronic medical record system is 'inadequate and dangerous' and could put patients' lives at risk.

Doctors have complained about the system, saying some patient documents are missing, it has log-in problems and 10-minute delays in accessing critical information.

Gold Coast Health was the first region in the state to move to electronic record-keeping, rolled out progressively from October last year.

Queensland Health spent about $200 million on the electronic medical record roll-out last year, which was delayed by 12 months because of problems with the software provider.

... Hospital cardiologist Dr Greg Aroney raised concerns about the system at a Griffith University forum on the future of health on the Gold Coast this week.

"Our system is totally inadequate and dangerous," Dr Aroney said.

Read the whole story at this link:   http://www.goldcoast.com.au/article/2012/07/06/429621_gold-coast-news.html

A similar story from the states where the doctors' complaints were actually ignored is at my Sept. 2011 post "Blake Medical Center (Bradenton, Fla.) Ignores Health IT Warning Letter From 100 Staff Physicians." 

Let's hope the Australian physicians' complaints are taken more seriously.

-- SS

Defending Academic Whistleblowers: Call Out the Marines?

At "Academic Medicine Deploys a Logical Fallacy to Avoid Disclosing Inconvenient Truths" Roy Poses wrote about the illogic employed by academia to weaken draft rules for researchers to disclose conflicts of interest.

Another major component of research in academia might be termed "gangster tactics against whistleblowers on wrongdoing."

In the following July 8, 2011 letter to Dr. Amy Guttmann, President of the University of Pennsylvania (courtesy the Project on Government Oversight or POGO), a Penn psychiatry researcher, Dr. Jay Amsterdam, has retained a law firm to represent him in alleged research misconduct by others at Penn, specifically Dwight Evans, the Chair of the Department, and an Associate Professor Dr. Laszlo Gyulai (note: I have never met and do not know any of the people involved):

"Dear Dr. Guttmann,

On behalf of my client, Dr. Jay Amsterdam, Professor of Psychiatry at the University of Pennsylvania, I would like to inform you that we have filed a charge of research misconduct with the Office of Research Integrity (OR!) against Dr. Dwight L. Evans, Professor of Psychiatry and Chairman of the Department of Psychiatry at the University of Pennsylvania, and Dr. Laszlo Gyulai, Associate Professor of Psychiatry at the University of Pennsylvania. I have enclosed a copy of the complaint and referenced documents for your reference. As chairwoman of President Barack Obama's Presidential Commission for the Study of Bioethical Issues, I feel certain you will deal with this matter in a just and sincere fashion.

Letter, page 1 (click to enlarge)

Letter, page 2 (click to enlarge)

The allegations are not in themselves surprising (at least to me). The complaint is that the defendants misappropriated data from a study conducted by the plaintiff, manipulated the data, and used it in a ghostwritten article by a major journal, the American Journal of Psychiatry, in a concealed marketing effort to increase sales of Paxil by GSK. We have documented many examples of this type of behavior in medical research at this blog.

(By way of my not being surprised by such allegations, I personally have been involved as junior Yale faulty in that research university's professors' attempts to misappropriate my IP, a computer program I wrote for a Yale collaboration on birth defects in the Arab world, for their own use. My internal complaints were followed by severe retaliation, up to the level of blacklisting and extortion. Those attempts were aided by, of all things, an Associate General Counsel who was not authorized to practice law in the state, apparently not having taken the Law Boards. I put an end to that effort through legal means. This was followed a number of years later by attempted misappropriation of the same property by a Johns Hopkins-affiliated professor with his own software company in a DoD proposal. I also put an end to the latter effort, which involved informing the DoD.)

However, my purpose here is not to comment on the allegations of research misconduct. It is to comment on a subject that occupies three of the four paragraphs in the above letter - protection from retaliation:

... By filing this complaint, I expect my client to receive full and complete protection from retaliation and/ or defamation by either the University of Pennsylvania and/ or any other parties involved in publishing the referenced study. [E.g., GSK - ed.] It is my client's belief that the data from his study was effectively stolen from him, manipulated and used in a ghostwritten article published in the American Journal of Psychiatry in order to advance a marketing scheme by GlaxoSmithKline to increase sales of Paxil.

If any acts of retaliation and/or defamation are taken against my client, I will immediately inform ORI and the Health and Human Services Office of the Inspector General. Furthermore, it is my understanding that several congressional committees have expressed an interest in investigating the problem of research misconduct and ghostwriting in academia and, thus, I intend to allow my client to fully cooperate with any investigation and will inform Congress of any retaliation against him for such cooperation.

To ensure this complaint is taken seriously, and to alert interested parties, I am providing copies of this correspondence to Senator Charles Grassley, Senator Herb Kohl, and the Chairman and Ranking members of the House Energy and Commerce, and the House Committee on Oversight and Government Reform.

About the only resources left out of the list of protectors of the plaintiff from abuse are the Marines ... and perhaps a threat of "Frontier Justice."

That a law firm must include explicit threats to expose retaliation against whistleblowers to high-ranking members of Congress suggests Research universities and their corporate allies have become more like the Mafia than centers of novel scientific discovery.

This all reminds me of my Jan. 13, 1999 letter to the editor in the Journal of the American Medical Association (JAMA) entitled "Academic and Legal Aspects of Authorship Disputes."

As a result of my Yale experience (which, incidentally, also probably damaged nascent cross-cultural progress due to the unusual aspect of my work in facilitating improved care of children with birth defects in a Middle Eastern oil-producing Kingdom), I wrote a response to a July 1998 JAMA article on growing authorship disputes and abuses at Harvard Medical School ("Authorship: The Coin of the Realm, The Source of Complaints" by then-Ombud Linda J. Wilcox).

I wrote:

Jan. 13, 1999

To the editor:

I was alarmed by the statement in the article on authorship by Ms Wilcox [1] saying, "It is unreasonable for institutions to promise that they can protect individuals from retaliation for coming forward to complain through formal grievance procedures." Most organizations have policies on retaliation, especially with regard to grievances. If enforced, these policies can discourage such behavior and ensure the victim of redress. In addition, retaliation such as that mentioned in the public and federal sectors is downright illegal, and university employees fall under Department of Labor workplace standards and laws for their respective states.

Universities have serious ethical and credibility problems if they have such poor control over their employees that they cannot promise to protect individuals from actions contrary to their own grievance policies and that are probably illegal.

I continued on with the argument that lawlessness in universities was counterproductive and needed to be halted, but Ms. Wilcox' reply was more platitudinous than substantive about the 'helplessness' of universities in protecting their own from retaliation.

It seems little has changed.

To expect the best research from such an environment is like expecting silk purses to be manufactured by pork producers.

-- SS

BLOGSCAN: Forensic Statistics

Several interesting points are raised in the newsletter of the American Association of Physicians and Surgeons (AAPS) in a post entitled "Forensic Statistics" in their July 2011 newsletter headlined "Numbers." Healthcare Renewal is cited:

Forensic Statistics

While claims from RCTs fail to replicate about 20% of the time, the problem with epidemiology is so bad as to constitute a crisis, writes S. Stanley Young (“Everything Is Dangerous: a Controversy,” National Institute of Statistical Sciences, June 2008, www.niss.org). Fewer than 20% of nonrandomized trials [e.g., observational studies - ed.] replicate; i.e. 80%-90% of epidemiologists’ claims are false.

More than $1 billion in grant/tax money flows to institutions with reproducibility problems, Young states. A fundamental flaw in their methodology is to ask multiple, often hundreds to thousands of questions, of the same data set. It’s like playing “maverick solitaire”: given 25 randomly selected cards from a deck of 52 playing cards, the probability of being able to arrange them into 5 “pat hands” (e.g. a full house) is 98%.

Since data miners are good at concealing their footsteps, critics need full access to the raw data and the code used for the statistical analysis—often not forthcoming.

The EHR software that is supposed to support all this “research” and to guide medical treatment also needs a forensic evaluation, writes Scot Silverstein, M.D., of Drexel University (see http://hcrenewal.blogspot.com). He cites such an evaluation of the Cerner FirstNet system used in New South Wales, Australia, done by Prof. Jon Patrick. The authoritarian implementation processes of the governmental HIT “support” staff were familiar to Silverstein, such as disenfranchising the clinical staff and failing to acknowledge the validity of complaints.

“Healthcare reform” demands acceptance because it claims to be based on science. But then, so did Communism.

The "maverick solitaire" data mining issues (to be used, no doubt, in future "comparative effectiveness research" based on EHR data) are a additional concern to those I raised in an essay "The Syndrome of Inappropriate Overconfidence in Computing: An Invasion of Medicine by the Information Technology Industry?" in the AAPS journal several years ago (PDF).

I can also add: where are the RCT's of EHR/CPOE systems?

-- SS

Is the Executive Branch/HHS Trying to Put Lipstick on a Pig Regarding Health IT?

In another example of executive branch spin on healthcare - this time, the Office of the National Coordinator of Health IT (ONC) within HHS - data that gave an off-narrative message about healthcare IT was initially withheld according to Modern Healthcare's Joseph Conn.

The data withholding is reminiscent of the data manipulation practiced in the pharmaceutical industry.

Legislative branch, take note:

Not-so-rosy rumors

By Joseph Conn

Modern Healthcare.com

Last week, Dr. David Blumenthal announced the results of two surveys funded by the Office of the National Coordinator for Health Information Technology on hospital and physician participation in the federal electronic health-record incentive programs.

But Dr. B left out a few numbers in going over the results of the survey of office-based physicians conducted by the National Center for Health Statistics. On request, the ONC and NCHS released those missing numbers.

Docs were asked: "Are there plans to apply for Medicare or Medicaid incentive payments for meaningful use of health IT?" Blumenthal reported on their answers in part, noting that 41.1% indicated "yes" and 14% said "no." However, a 44.9% plurality, which he did not mention, chose "uncertain whether we will apply." [Nothing to see here ... move along - ed.]

Those who answered "yes" were asked a follow-up question: "What year do you expect to apply for the meaningful-use payments?" Of the 41.1% of docs who indicated they were sure they would apply (a figure Blumenthal released), nearly one in five (19.7%, a number he didn’t mention) were unsure as to when. [Must be the Luddite faction - ed.]

Additionally, the NCHS asked physicians, "Which incentive payment do you plan to apply for?" Their responses to this question also weren’t mentioned by Blumenthal last week. Not surprisingly, given current eligibility thresholds, 65.1% selected Medicare and just 6.8% chose Medicaid, but again there was considerable uncertainty, with 28.2% choosing "unknown" or leaving the choice blank. [This finding suggests rank confusion to me more than anything else. In case nobody noticed, physicians are rather busy these days taking care of patients, and don't have time to find out what's in lengthy government documents - ed.]

Read the whole article.

It seems the executive is simply determined to push this technology onto a significantly skeptical physician community - skeptical of the incentives, of MU, of government intentions, and/or of the technology itself.

Of course, perhaps they feel that such data on a beneficent technology that will absolutely, positively benefit medicine and patients needs to be withheld - for the greater good, of course, which some people have to suffer to achieve (see the post "MAUDE and HIT Risks: Mother Mary, What in God's Name is Going on Here?"). ONC on healthcare IT in recent months:

http://healthcarereform.nejm.org/?p=3732&query=home
... The widespread use of electronic health records (EHRs) in the United States is inevitable. EHRs will improve caregivers’ decisions and patients’ outcomes. Once patients experience the benefits of this technology, they will demand nothing less from their providers. Hundreds of thousands of physicians have already seen these benefits in their clinical practice. (Also see http://hcrenewal.blogspot.com/2010/07/new-england-journal-on-meaningful-use.html).

and

http://www.massdevice.com/news/blumenthal-evidence-adverse-events-with-emrs-anecdotal-and-fragmented
... [Blumenthal's] department is confident that its mission remains unchanged in trying to push all healthcare establishments to adopt EMRs as a standard practice. "The [ONC] committee [investigating FDA reports of HIT endangement] said that nothing it had found would give them any pause that a policy of introducing EMR's could impede patient safety," he said. (Also see http://hcrenewal.blogspot.com/2010/05/david-blumenthal-on-health-it-safety.html).

A good number of physicians still appear to possess critical thinking skills.

Perhaps the new Congress (i.e., legislative branch) can benefit from physician-style skepticism about health IT as well.

-- SS