The savvy tech strategy behind Obamacare

The ONC's Doug Fridsma explains why the health IT for EHRs and Obamacare should be like the Internet, and not like ERP or traditional IT systems

1 2 3 4 5 6 7 8 9 10 Page 5
Page 5 of 10

InfoWorld: Let me ask you a related question around a security model with the patient information. I'll use Kaiser as an example, since I know it very well. If I go to a Kaiser facility, they give me paper with all this medical information on it. If I want to take that from their patient portal and put it onto my computer, I can't. That strikes me as odd. I realize that electronic information is much more easily routable, so it's unlikely someone's going to come and steal my paper records in my filing cabinet in the home, while it would be much easier if they had access to the portals and could take that data, that they might do nefarious things with it at scale. It's easier to do it at scale electronically.

But it seems like an inhibitor for patients to aggregate their own stuff. You can't even email, for example, your doctor and get an email back. You have to log into their system. If you happen to have your phone with you and not your computer, you don't have your password, it doesn't work the same way, blah, blah, blah. I wonder if that's also something intermediate or whether there is something fundamentally different about electronic communications that's going to keep the access tighter than it is on paper.

Fridsma: Well, I think there is greater concern around electronic data because obviously you could go down to a paper-based medical records room, put on a white coat, walk in there, and pull a chart to take a look at it. But it would be hard for you to take all the records in that room, put them in the back of your trunk and take off and peruse through that or sell the information or the like. They might notice that they are gone. If they didn't, that would be an institution you wouldn't want to go to.

InfoWorld: Yeah. But electronically, when you steal it, you still leave it there. You don't actually take it, you copy it.

Fridsma: Right. Privacy and security are important aspects. We certainly believe that's an important aspect of our responsibility, to make sure that patients and the people that are entrusted with the care of that information, treat it seriously, and provide proper safeguards to that information. So I think part of that is to have some of these other things in place.

But if you think about what's happening in social media -- it's not exact example, but I think it's important just as a data point -- if you have a Facebook account, you've probably gone to Twitter or you've been on a Web page or something like that where it says, "We'd like to authenticate you." You could just authenticate with your Facebook ID and password. You could authenticate with your Gmail two-factor authentication or the like. One of the things that we're seeing that's happening in social media and out there on the Internet is you're starting to see people developing infrastructure that allows you to authenticate in one environment and use the credentials from that authentication in another environment.

The White House a couple of years ago produced a white paper report called NSTIC, the National Strategy for Trusted Identities in Cyberspace. What NSTIC is trying to do is to develop an ecosystem of identity management, if you will. If you go to a bank and you take out a loan for a house, they credential you there and give you an ID or a password or a certificate or whatever it is, something electronic that allows you to access their website and things like that, that process by which they authenticated that it was really you, you're the one responsible for this loan, and they know you are who you say you are. They may be able to issue you a credential that could be then used in other such situations. You might be able to use this to go and do not just online banking, but other things. You could manage email, or you could do something with the government, or you could whatever.

I think there is a lot of desire to create an ecosystem that allows you to get credentials that then would allow you to authenticate and use that credential in different places. In the health care space, you could imagine that you're in your doctor's office. The doctor knows it's you because he's seen you for the last couple of years. There's a credential that gets issued as part of that office that might be able to be used, say, in a hospital that's affiliated or with a consultant that the doctor refers you to that allows you to tie together all that information and not have you go to all these different websites and authenticate.

You start to see more seamless integration. I think that's a vision that the White House in the NSTIC report put forward, not just in health care but more broadly. I think what we're seeing is right now we have some initial forays into making sure we have things private and secure and we're moving incrementally to expand the level of sophistication or the level of ease of use. But we're trying to do that in a very cautious way so that we maintain that privacy and security. We want people to really understand that to get information to flow. As Farzad [Mostashari, the national coordinator for health care information technology at the ONC] likes to say, information moves at the speed of trust. You've got to be able to trust how the information is being managed and that becomes an important part of the overall strategy.

1 2 3 4 5 6 7 8 9 10 Page 5
Page 5 of 10
How to choose a low-code development platform