The Risk Factor

Dr. Brian Randell, Emeritus Professor, and Senior Research Investigator, School of Computing Science, University of Newcastle upon Tyne, was kind enough to let me know that the Journal of Information Technology has just released an issue focused on the UK National Health Service's (NHS) National Program for IT (NPfIT), its electronic health record initiative.

I think you'll find the articles very informative.

In June, I wrote about the AMA's approval of a policy that at the time was seen as likely increasing the use of implanted chips using RFID technology to record and transmit patient medical history.

The Associated Press has recently released an investigative news story questioning the safety of these chips. Some medical studies indicated that these chip implants appeared to induce malignant tumors in some lab mice and rats. While pointing out that what happened in the lab mice and rats doesn't necessarily mean the same thing will happen in humans, a more compelling question raised in the article was why these studies did not seem to be reviewed by the FDA when it approved the use of chip implants.

As acknowledged by the FDA, there are some risks associated with chip implants, "The potential risks to health associated with the device are adverse tissue reaction, migration of implanted transponder, compromised information security, failure of implanted transponder, failure of inserter, failure of electronic scanner, electromagnetic interference, electrical hazards, magnetic resonance imaging incompatibility, and needle stick."

It is way too early to see if this possible new health risk will slow down further the use of chip implants (VeriChip, the company that has been approved by the FDA to sell chip implants did see its stock drop by more than 10% on the publication of the AP story), but in a related story, the California Senate passed legislation that blocks the mandatory use of ID chip implants in employees. The bill had already been passed by the State Assembly and now awaits action by Gov. Schwarzenegger.

Homer Simpson: Facts are meaningless. You could use facts to prove anything that's even remotely true!

Last week, Sir Derek Wanless delivered his second review in the past five years on the UK National Health Service's efforts at modernization. According to the London Times, Wanless found that even after spending an additional £43 billion:

The money poured into the NHS has failed to produce a more efficient service, or to reduce unhealthy lifestyles.

As a result, more money will be needed.

The Guardian newspaper reported that Sir Derek's report included, " a warning that slow progress on introducing new IT systems could seriously undermine the productivity gains envisaged in 2002." He recommend that, ".. the £12bn programme run by the NHS agency Connecting for Health should undergo detailed external scrutiny to ensure the benefits will outweigh the costs."

A short time ago, the Chicago Tribune ran a very interesting story on the use of bar codes as well as Radio Frequency (RF) detection as a means to keep track of surgical sponges during operations. Sponges are left in about 1,500 people a year during their operations in the US. In a 2003 study published by the New England Journal of Medicine, leaving sponges and other surgical instruments in patients happens most often during emergency surgery or because of some unexpected change in the surgical procedure.

One system by SurgiCount uses a bar-coding approach. "Essentially, the system works much like a grocery store check-out counter – every laparotomy and gauze sponge is pre-labeled with an individual and unique bar code and a scanning SurgiCounter is used to read the labels.

"When using the system, staff concurrently scan sponges during their manual counts or can scan the items before or after the manual count. The SurgiCounters can be held by the circulator, or can be placed on a holster on an IV pole in a hands-free mode. By scanning in the unique labels, the system builds a database of items used in that particular procedure. At the end of the procedure when the circulator is counting out the sponges, the circulator will again swipe the sponge under the SurgiCounter, this time in order to 'count' the sponge out of the database. Because each sponge has a unique bar code, the system automatically alerts the staff in case they have accidentally tried to count the same sponge twice. This assists the staff in validating that they have an accurate count in case the there was a manual counting error."

Another approach is that developed by Medline called RF-Detect. Here, "a sterile radio frequency chip, (the size of a grain of rice) is embedded in the surgical disposables. With the RF Detect system, a Blair-Port wand is waved over the patient accurately alerting the user when an RF-tagged surgical disposable remains in the patient before surgical closing procedures."

In a disturbing article in today's Boston Globe, it appears that there are large security gaps in "implanted devices that help regulate heartbeats and use wireless technology."

Dr. William H. Maisel, director of the Medical Device Safety Institute at Beth Israel Deaconess Medical Center, who led a research project into medical device security risks, says in the story:

"With some technical expertise, we were able to retrieve information from the device in an unauthorized fashion. We were able to send commands to the device in an unauthorized fashion and could reprogram settings and even tell the device to deliver a high-voltage shock."

Maisel goes on to say that patients with pacemakers and cardiac defibrillators that have wireless capability shouldn't be concerned because of the high level of technical skill needed to conduct such an attack.

Maisel suggests that device manufacturers and maybe regulators may need to consider adding an audible tone or a vibration that "could let a patient know whenever someone is communicating with an implanted heart device."

While the risk may be remote, I can see all sorts of new television murder mystery plots developing. A person wanting to bump off their spouse or relative who has a pacemaker hires some mysterious hacker to do the job, or a group of young people, fed up with seeing their Social Security and Medicare taxes going up or worried that there won't be any left for them as they grow older deciding to knock off seniors en mass by driving by nursing homes and fooling with implanted medical devices. Tech savvy lawyer, doctor, private investigator, neighbor sets out to solve the case, blah, blah, blah.

TV plots aside, I do wonder, though, how soon we'll see hackers in the near future offering software to destabilize medical devices for the right price.