The Risk Factor

In yesterday's London Telegraph, there was a story on how the NHS had a new website that was meant to help people understand their health risk. As the story describes, your risk was more of a function of where you lived (i.e., your post code), than your lifestyle or genetics. A 40-year old woman living in central London was most likely to be hospitalized for breast cancer, but if she moved to Manchester, it would be for gynecological issues. Interesting, but useless from an individual decision making point of view. Or, as it was put in the story," the British Medical Association (BMA), accused the Government of offering patients 'totally misleading and useless' information which only increases anxiety."

The article brings up once more the issue of the Web and its value in providing health information, as well as whether this information really informs or worse mis-informs patients when they are trying to understand the risk(s) of a particular disease or treatment. There is an intersection of IT as information purveyor, health care, business and ethics, and risk analysis and management that has not been well explored, but definitely needs to be.

I often wonder why government officials think your private information is their private information.

A news item that appeared on the UK Register website reveals that the NHS appears to be planning to share patient information with the social services, education and police. The controversy about patient privacy in the age of electronic health records is not new in the UK, and has been simmering over the past couple of years. Patients who are worried about their privacy can opt-out: I suspect many more will decide to now.

Give government the capability to gather information, and it will.

While concerns were being raised in England about patient privacy (see today's previous post), there were also two interesting stories (here and here) in the New York Times about US patient privacy rules described in HIPAA (Health Insurance Portability and Accountability Act) that was passed to much fanfare in 1996. It seems that confusion about what can and cannot be disclosed may be hurting patient care. Why is anyone surprised?

And what is worse, almost no one is ever fined or prosecuted for HIPAA violations anyway. So we have a law that no one enforces, yet causes potential medical harm.That's a great two'fer, don't you think? I can hardly wait for electronic health records to hit the US.

A couple of years back, I wrote a story for IEEE Spectrum on Why Software Fails. I opened with the story that has been floating around the software business for the past twenty years about the disappearing warehouse. Well, yesterday I read a story in the Wall Street Journal about another "disappearing" warehouse - this time to help hide accounting fraud.

Some 20,000 ex-Enron workers who finally received their first payment for some of their lost retirement funds were told that they were over-underpaid (12,800 total) or maybe worse over-paid (7,700 total) because of a computer burp. Those over-paid are probably going to have to pay the money back.

Of course, the company involved could just reprogram the software to account for the over-payment/under-payment in the next payment due, but ...

In another software burp reported last week, some Scotiabank customers in Vancouver, Canada were surprised to find that their pre-authorized payments had been withdrawn twice from their bank accounts.

I personally know the fun that can cause. Many years back, I tried to withdraw $50 at my local bank's ATM. I was informed that this wasn't possible, since my account was overdrawn by roughly $1.4 million. That was news to me. Since I discovered this on a Friday night, I had to stew on it until Monday morning.

A "small software problem" (the bank's terminology) caused my overdraft which in turn meant my pre-authorized payments (like my mortgage) weren't paid on time. It took a good long while to get this mess straightened out, especially with the credit scoring companies who saw that I had missed a whole bunch of payments. Try telling them that it was just a computer error. I stopped using pre-authorized payments after that little episode, as well as changed banks.

Anyway, what caught my eye in the article were some quotes allegedly made from a person at a local university who said that he "wasn't surprised to hear of a technical error with banking systems." Me either - been there.

A small story was published over at Government Executive magazine on the possibility that the wireless network used to support the Secure Border Initiative Network (SBINet) might be susceptible to hacking, and that the prime contractor Boeing is looking for ways to increase its security.

I wish Boeing luck. As my friend Peter Neumann wrote a long time ago, it is awfully hard to build security into a system after the fact.

This week two non-IT news items on what happens when you don't manage risk well appeared. The first was on the National Transportation Safety Board (NTSB) report of the collapse of the ceiling panels in Boston's Big Dig Tunnels that killed a woman. It seems that the epoxy glue holding the bolts that held up the concrete panels was of the wrong type.

The second was a report commissioned by the US Army Corps of Engineers on the decision making that led up to the failure of the levees in New Orleans. It seems that because of budget constraints and opposition of local leaders and environmental groups, that a great many decisions were made over time that incrementally increased the risks of the levees collapsing in a hurricane.

After a relatively quiet period, IS&T glitches popped up in several places.

In Japan, sales of some mobile phones made by Sony Ericsson were continued again after they had been stopped on 4 July because of software problems that could erase stored telephone numbers among other items.

A Target department store in San Diego, California saw its point-of-sales system fail for a few hours, which likely cost it tens of thousands of dollars.

A computer problem created headaches for motorists trying to renew their car registrations at the Bureau of Motor Vehicles across Indiana. It had to happen, of course, the day when many registrations expire.

A software error in cable boxes in Burbank, California shut down a cable television system for six hours which affected 35,000 customers.

A lawsuit was filed in West Virgina against telecommunication company FiberNet alleging "breach of contract, fraud and negligence, and seeks class-action status and unspecified punitive and compensatory damages." Seems that a computer problem stopped service for two days to about half of its 24,000 customers, which included hospitals, police, businesses, etc.

And my favorite, five hundred and eighty-seven patients at Northern Cochise Community Hospital in Wilcox, Arizona received inaccurate hospital bills. The new billing software decided to keep adding the bill of the previous patient onto to the next patient's bill. Someone received a bill for $49 million.

Hope that last one didn't put the person back into the hospital.

It appears that the Security and Exchange Commission (SEC) is going to look, at least informally for now, at the blogs of John Mackey, CEO of Whole Foods. It appears that he posted rather unflattering opinions using a pseudonym of a major competitor, Wild Oats, which his company is now trying to buy.

While CEO's blogging and bad mouthing competitors is not unheard of, what is getting SEC attentions is that Mackey's musings might be interpreted as a means to drive down Wild Oats stock before an acquisition bid. Mackey also appeared to disclose company sensitive financial information in his blog. The question is whether there was "intent" to damage Wild Oats or "intent" to disclose information that could be interpreted as inside information.

Another interesting story from the UK from ComputerWeekly.com. It seems that HM Revenue and Customs is having trouble matching pay and tax details to individual taxpayers - about 13 million of them or 32% of taxpayers.

To make matters more "interesting," Revenue and Customs is about to transfer taxpayer files from one computer system to another, before all the taxpayer discrepancies are resolved. A Revenue spokesperson said that at least 75% of taxpayers had paid the right amount of tax (gee, only a 1 out of 4 chance that you paid too much or too little) and that the "good news" was that the back log of open cases would be reduced to 10.5 million having discrepancies by April 2008. I hate to know what bad news means to Revenue and Customs.

The US Internal Revenue Service has had long-term problems itself in trying to achieve modernization, but I don't recall it ever having reached this level of poor data quality. Those of us in the US may complain about the IRS, but I think our friends in the UK should have our profound sympathy.

There was a great commentary piece in the Wall Street Journal (subscription required) yesterday titled, “Where are the Innovators in Health Care?” written by Regina Herzlinger, a professor at Harvard Business School, a senior fellow at the Manhattan Institute and the author of the book "Who Killed Health Care?"

Herzlinger describes the perverse disincentives to innovation in the health care industry, something that I wrote about last year for IEEE Spectrum and the various electronic health record initiatives being implemented by governments around the world. Basically, she argues, if a health care provider finds innovative ways to reduce the cost of treatment, the health care provider cannot share in the savings.

As I wrote about in my previous post, world-wide efforts are underway to replace the paper-based medical record with electronic medical records (EHRs). For information on the US effort, you can visit the White House website to get some background information of the US effort, as well as the US Department of Health & Human Services (HHS) website to see current status information.

Something that has gone surprisingly unnoticed is that this month marks the hundredth anniversary of the modern paper medical record. This innovation, which we all take for granted, can trace its origins to Dr. Henry Plummer, a partner at the Mayo Clinic, in the year 1907. Plummer recognized that each patient’s medical history needed to be recorded, stored and retrieved in a different manner than was the current practice if the quality of patient care were to improve.

About 30 patrons of the Caesars Indiana casino in Elizabeth, Indiana reportedly might be facing felony criminal charges for winnings that the casino is claiming is not theirs. Seems that there was a software error in the slot machine called Easy Money which registered $10 worth of credit for every dollar inserted. Caesars reported that it had lost $487K over the July 21 weekend.

Turns out this is not a new occurrence. The Majestic Star Casino in Gary, Indiana lost more than $300K in February to the same software problem. Seems strange that the problem wasn't fixed on every machine after that incident, or if it was, maybe the patch caused a new problem with the same result.

Nothing like a potentially good controversy to keep one's interest during the dog days of summer. The Dublin-based company, Heavey RF Ltd., which builds rugged mobile solutions using Radio Frequency (RF) technology, posted a small report on its website that questioned the overall business value of RFID. The report concludes,

Given that bar-coding still hasn’t been fully deployed after 40 years in the supply chain, I find it hard to accept that this much more expensive, infinitely more complicated and not yet mature technology is going to be any different. Given the last 15 years of what is effectively an RFID failure in the supply chain, insist in seeing a proven working solution before taking what is ultimately a big leap of faith. History is littered with large technical blunders – RFID in the supply chain could be one of the biggest…

As most of you know, I have been regularly writing about the various initiatives involving electronic health records (EHRs). EHR advocates claim that they are necessary to empower consumer-driven health care.

One of the assumptions, however, is that consumers are medically literate - which is a problem if they are in fact illiterate. Articles in the New York Times and Baltimore Sun (registration may be required) this week highlight the problem.

As reported in the Sun in a study conducted by Northwestern University's Feinberg School of Medicine, for patients over 65,

Almost 40 percent of those deemed medically illiterate died during the study, compared with 19 percent of those who were literate. Factoring in health at the outset and other variables, medically illiterate patients were 50 percent more likely to die than the others.

A few years back, Ray Kurzweil wrote a nice article on the promise and peril of technology in the 21st century. He writes,

As technology accelerates toward the full realization of genetic engineering, nanotechnology and, ultimately, robotics (collectively known as GNR), we will see the same intertwined potentials: a feast of creativity resulting from human intelligence expanded manyfold, combined with grave new dangers. We need to devise our strategies now to reap the promise while we manage the peril.

Last week the US House Committee on Oversight and Government Reform held hearings on "to examine recent developments regarding inadvertent file sharing over peer-to-peer (P2P) networks, the impact of such sharing on consumers, corporations and government entities, and whether such sharing creates privacy or security risks for users."

Today's Wall Street Journal (subscription required) published a "helpful" set of tips to those who find their IT Department's desire to keep their network safe and secure or their company's desire to have their employees work during business hours unreasonable or overly restrictive.

To find out whether it's possible to get around the IT departments, we asked Web experts for some advice. Specifically, we asked them to find the top 10 secrets our IT departments don't want us to know. How to surf to blocked sites without leaving any traces, for instance, or carry on instant-message chats without having to download software.

Other tips are on to download blacklisted software onto your network, or cover up the fact that you are using your work computer for non-work activities during work time.

The Journal - to cover its butt - also posted advice on how to keep everything "safe" while you hacked your IT Department's system. Very nice of them.

Of course, the Journal reporter did not interview the Journal's IT Department manager to see what he or she thought of the tips; one can only assume that hacking the Journal's IT network using these tips is an acceptable, if not, endorsed behavior.

So, to all you Journal employees, I say, go for it. Hack away at the chains the Journal's IT Department has shackled you with.

Oh, BTW, if I find any of my personal information has ever been exposed by such hacking - since I am a subscriber to the Journal - I know exactly who I am going to sue. And you know what, I bet you I am going to win.