The Risk Factor

An article that caught my eye a few weeks back was the announced acquisition of the Reuters Group by the Thomson Corporation for over $17 billion. The combined companies would create the largest financial news provider.

More interestingly to me than the acquisition itself is the potential impact on future stock market trading. About one-third of stock market trading is currently performed through program or automatic trading. During the week of 14 – 18 May, for example, the New York Stock Exchange reported that “program trading amounted to 35.3 percent average of NYSE daily volume of 3,233.2 million shares, or 1,142.9 million program shares traded per day. This included program trading associated with the May 18 monthly expiration of stock-index options and futures.”

Program trading is inherently “backward looking” in the sense that the trades are automatically made based on price fluctuations that meet certain criteria. The focus in recent years has been on increasing the speed of such trades.

However, both Reuters and Thomson have been working on what is generally called machine readable news, for instance, a “Reuters system will 'read' news articles and score how positive or negative they are. The system will enable customers to analyse news across thousands of companies, far more quickly than can be done by humans. This will enable trading machines to react to market moving news in milliseconds.” Not only are current news stories being made “machine readable,” but Reuters is making its archives machine readable as well.

The Financial Times reports that Thomson has developed software that can automatically “generate the stories work so fast an earnings story can be turned around within 0.3 seconds of a company making results public.” In addition, as noted in the FT story, program trading, “… is set to rise much further in the coming years as fund managers, along with brokers and exchanges, strive for ever-greater speed and control over the trading cycle amid heightened market competition and consolidation.”

The combination of incredibly fast automatic news generation along with historical data to create predictive market responses to such news may create some interesting program market trading impacts. It will be interesting to see, as machine readable news becomes more available, whether the market becomes more volatile as a result, or whether dangerous feed-forward loops are produced during boom times, or more likely, individuals or governments will make use of this capability to deliberately hoax financial markets for either personal or strategic gain.

A government run news agency, for instance, could find it in its self-interest to plant a financial story, say involving some scarce resource – say petroleum – which could cause a panic in the market. By studying the conditions that caused market panics in the past, it might turn into a potential non-military but very effective weapon. Maybe governments (and the exchanges) may want to start thinking about how financial companies could use all this information for not only creating financial rewards, but how others could manipulate it to create major financial risks.

A nice little controversy concerning risk and IT systems has been brewing in the UK. As first reported by ComputerWeekly, government officials are ordering the destruction of what are called Gateway review reports. A Gateway review is “a ‘peer review’ in which independent practitioners from outside the programme/project use their experience and expertise to examine the progress and likelihood of successful delivery of the programme or project. They are used to provide a valuable additional perspective on the issues facing the internal team, and an external challenge to the robustness of plans and processes.” There are several “gateways” an individual UK government IT project is supposed to pass during its life, starting with Gateway 1 (Business Justification) to Gateway 5 (Operations Review & Benefits Realisation).

The reviews are meant for internal project consumption only, but there has been a long-standing demand by newspapers like ComputerWeekly and government critics to make the results of these reviews public. The Gateway reviews of two major UK IT projects in particular – the National Health Service electronic medical record project National Programme for IT (NPfIT) and the National Identity Scheme’s Identify Cards Programme – both of which are highly controversial, costly, and in trouble.

Supporting ComputerWeekly’s bid to have the Gateway Reports made public has been a ruling by the UK government’s Information Tribunal, an organization that hears appeals regarding whether government information should be publicly released or not, stating that the public interest trumps the desire of the government agencies to keep the reviews private. The UK Parliament’s Public Accounts Committee (PAC) also supported their disclosure.

However, the government – through the Office of Government Commerce (OGC) – which oversees the Gateway review process, insists that making these reports public would fundamentally undermine their use. The OGC claims that IT program management would not get open and honest appraisals of their programs if the people involved knew that there private opinions would be made public.

I can sympathize with that view. Having conducted hundreds of risk assessments over my career and many high profile government ones at that, there is something to be said for confidentiality. I promise confidentiality to programs as a matter of policy myself. Public disclosure will put people on their guard, and the tendency is for you to get optimistic, rather than realistic, estimates of the state of the project’s problems and risks.

When I was involved in the US DoD Tri-Service Assessment Initiative (TAI), program managers were the sole owners of the assessment reports. They could disclose them as them pleased. Our advice to program managers was they should disclose the reports as widely as possible, since for the most part, many of the probelms and risks they faced were created by events and situations outside of their control, and which they needed outside help to address. What we did do, however, was to take the results of every project assessment, sanitize the results, and conduct analysis on the aggregate to try to discover systemic issues that were plaguing most DoD programs.

On the other hand, the public does have a right to know of the technical, financial, and social risks being taken in their name. Both NPfIT and the Identity Card programs will affect every person in the UK, and both not only have seen major cost increases, but there are major issues of privacy protection involved.

Also undercutting the OGC’s arguments somewhat is that many IT projects ignore the results of the Gateway reviews, including some that should never have been initiated or should have been cancelled more than once. Further, a report yesterday by the PAC on Delivering Successful IT-enabled Business Change states that many senior managers responsible for major IT programs are inexperienced, don’t pay much attention to the programs they are responsible for, and don’t seem to care much about the Gateway review or other risk reviews of their programs.

Also, one can’t help wondering whether the real reason that the OGC is so adamant about not wanting to make Gateway review reports public is plain, old embarrassment. As the US FBI found out with its Virtual Case File (VCF) project, not taking the warnings of outside reviewers seriously can end up making you a poster child of poor judgment, an eternal business case study, and also a laughing stock to all your peers.

It will be interesting to watch how the little rhubarb in the UK ends up. But it does raise a set of questions about the public’s right to know about the risks posed by large, government IT projects. How much should be disclosed? How does a program or project manager get honest opinions on the state of their project if everything can be disclosed? And don’t most government program managers have too many backseat drivers and second guessers in trail already?

It appears that the Security and Exchange Commission (SEC) is going to look, at least informally for now, at the blogs of John Mackey, CEO of Whole Foods. It appears that he posted rather unflattering opinions using a pseudonym of a major competitor, Wild Oats, which his company is now trying to buy.

While CEO's blogging and bad mouthing competitors is not unheard of, what is getting SEC attentions is that Mackey's musings might be interpreted as a means to drive down Wild Oats stock before an acquisition bid. Mackey also appeared to disclose company sensitive financial information in his blog. The question is whether there was "intent" to damage Wild Oats or "intent" to disclose information that could be interpreted as inside information.

There was a great commentary piece in the Wall Street Journal (subscription required) yesterday titled, “Where are the Innovators in Health Care?” written by Regina Herzlinger, a professor at Harvard Business School, a senior fellow at the Manhattan Institute and the author of the book "Who Killed Health Care?"

Herzlinger describes the perverse disincentives to innovation in the health care industry, something that I wrote about last year for IEEE Spectrum and the various electronic health record initiatives being implemented by governments around the world. Basically, she argues, if a health care provider finds innovative ways to reduce the cost of treatment, the health care provider cannot share in the savings.

As I wrote about in my previous post, world-wide efforts are underway to replace the paper-based medical record with electronic medical records (EHRs). For information on the US effort, you can visit the White House website to get some background information of the US effort, as well as the US Department of Health & Human Services (HHS) website to see current status information.

Something that has gone surprisingly unnoticed is that this month marks the hundredth anniversary of the modern paper medical record. This innovation, which we all take for granted, can trace its origins to Dr. Henry Plummer, a partner at the Mayo Clinic, in the year 1907. Plummer recognized that each patient’s medical history needed to be recorded, stored and retrieved in a different manner than was the current practice if the quality of patient care were to improve.

As most of you know, I have been regularly writing about the various initiatives involving electronic health records (EHRs). EHR advocates claim that they are necessary to empower consumer-driven health care.

One of the assumptions, however, is that consumers are medically literate - which is a problem if they are in fact illiterate. Articles in the New York Times and Baltimore Sun (registration may be required) this week highlight the problem.

As reported in the Sun in a study conducted by Northwestern University's Feinberg School of Medicine, for patients over 65,

Almost 40 percent of those deemed medically illiterate died during the study, compared with 19 percent of those who were literate. Factoring in health at the outset and other variables, medically illiterate patients were 50 percent more likely to die than the others.

A few years back, Ray Kurzweil wrote a nice article on the promise and peril of technology in the 21st century. He writes,

As technology accelerates toward the full realization of genetic engineering, nanotechnology and, ultimately, robotics (collectively known as GNR), we will see the same intertwined potentials: a feast of creativity resulting from human intelligence expanded manyfold, combined with grave new dangers. We need to devise our strategies now to reap the promise while we manage the peril.

Last week the US House Committee on Oversight and Government Reform held hearings on "to examine recent developments regarding inadvertent file sharing over peer-to-peer (P2P) networks, the impact of such sharing on consumers, corporations and government entities, and whether such sharing creates privacy or security risks for users."

The US Department of Defense announced that it was shutting down its controversial Talon data gathering program.

Talon was established in 2002 by then-Deputy Defense Secretary Paul D. Wolfowitz as a way to collect and evaluate information about possible threats to U.S. servicemembers and defense civilians at stateside and overseas military installations. It is being closed because reporting to the system had declined significantly, and it was determined to no longer be of analytical value, said Army Col. Gary Keck, a Pentagon spokesman.

A reason for its shut down was noted in an article in Government Executive,

A June 2007 report by the Defense Department's inspector general found that counterintelligence officials "maintained TALON reports without determining whether information on organizations and individuals should be retained for law enforcement and force-protection purposes."

In addition, the article notes that:

To ensure a mechanism to document and examine potential threats, Assistant Defense Secretary Paul McHale plans to propose a new, streamlined reporting system that can better meet the Pentagon's needs, an agency press release said. In the interim, Defense Department officials will send information pertaining to protection concerns to the FBI's Web-based threat tracking system.

What a "streamlined reporting system" means hasn't been explained, but past history says don't place bets that it isn't going to resemble a data vacuum cleaner.

Over the past decade or so, the UK certainty seems to been in a hurry to implement a 1984 society. It already has the largest DNA registry in the world, the UK National Criminal Intelligence DNA Database, which contains the records of over 4 million individuals. The fact that 1 in 8 records is faulty doesn't seem to be a deterrent to the police or government officials (like former PM Tony Blair) wanting everyone's DNA on file.

Then there is the children's' national registry, which by next year will have details of every child under 18 (all 11 million of them), including, "the country, listing their name, address and gender, as well as contact details for their GP, school and parents and other carers. The record will also include contacts with hospital consultants and other professionals, and could show whether the child has been the subject of a formal assessment on whether he or she needs extra help."

Of course, certain children 's records will be excluded (like those of politicians and celebrities), but for everyone else, some 330,000 "vetted" others will have access to them. The government has promised tight security over the records, but then why are some records being excluded? I wonder if celebrity and politician children have their DNA kept off the DNA registry as well - since there are over 100,000 innocent children DNA records on file.

Of course, the UK has a big lead in security and CCTV cameras as well, with an estimated 4.2 million in operation. There are red light enforcement and speed cameras throughout the country as well. This spring, new "talking" CCTV cameras were being installed in 20 areas across England that will inform individuals that they are engaged in littering or other anti-social behaviors.

And to add a bit more emphasis to the idea that we're from the government and we are here to help is a plan to implant microchips in trash containers as a means to encourage people to throw out less rubbish.

The UK does seem on the cutting edge of using IS&T to shape a different - if not necessarily - better society.

" ... the technology road is bumpy... This is life in the technology lane"

And it is full of pot holes. No, that wasn't in Steve Jobs open letter to early adopters of Apple's iPhone, but it was at least implied.

Mr. Jobs had to issue the apology after thoroughly irritating customers who shelled out $599 a few months ago for their new iPhone only to learn that Apple was cutting its price by $200 to try to gain a strategic if not insurmountable market share during upcoming Christmas season.

Jobs appears to be following former HP Chairman and CEO Lewis Platt's old dictum, “We have to be willing to cannibalize what we’re doing today in order to ensure our leadership in the future. It’s counter to human nature, but you have to kill your business while it is still working.”

Investors didn't take to kindly to Jobs announcement, as they viewed it as Apple cannibalizing its earnings too soon and therefore their investments. Apple also didn't help matter much by announcing a new iPod which appears a lot like an iPhone without the calling features. Apple's stock dropped about 5% in all this week.

Probably more of an issue is that many folks who bought iPhones now think they were not only out $200, but went from being cool to being uncool. Even my local small town newspaper has an article about how much coolness that $200 bought.

The Conference Board, a leading business thought leadership organization, has released a report on the trend of companies using virtual worlds. As the Conference Board notes in its press release,

Leading companies including Cisco, IBM, and Dell already have a substantial presence in Second Life. Retailers such as Circuit City and Sears also have a presence, and information services providers such as Reuters have built large installations that offer a menu of financial data, including videos of up-to-the-minute news clippings.

The Conference Board report discusses eight questions executives should ask about whether they should create a presence in virtual worlds, ranging from "What is your entry strategy" to "Is your IT department up for the job?"

You can tell that virtual worlds are more than a fad when the Conference Board writes a report on it.

You may be able to trust your friends with your secrets, but your PC and telephone will rat you out in a heartbeat.

That's the gist of story in yesterday's New York Times about the ever increasing use of e-mail messages, Web site visits, text messages, and the like in divorce proceedings.

One New York lawyer said that 75% of her cases involve some kind of electronic communication, and that she routinely asks for court orders to seize and copy hard drives. Installing spyware on the family computer or stealing a phone to get at the stored text messages are also described as being common tactics used by one or both spouses looking for evidence of say infidelity.

Different states have different rules for admitting this type of information, but most lawyers interviewed said that if something is stored electronically, if will likely be used.

One more benefit of living in a computerized age.

Just in case you missed it, by the end of May 2008 paper tickets will virtually be no more. According to the Associated Press, on June 1, the International Air Transport Association that handles ticketing for most major airlines will stop issuing paper tickets. Some small regional or foreign airlines will continue to issue paper tickets, but they will be a small minority of regional carriers.

I can hardly wait for the day when several major airline reservation and ticketing systems like what happened to All Nippon Airways in July have software problems simultaneously, which will no doubt happen on a day where there is bad weather everywhere.

At 0819 this morning, a gentleman emailed to the Department of Homeland Security (DHS) a note that said he was changing jobs, and would like to receive the DHS daily reports at his new email address. The DHS daily report provides an open source news summary of articles involving the US infrastructure that might be of interest to the security community.

This gentleman mistakenly sent his request to the Distribution List email header, which was also configured incorrectly. Instead of this gentleman's request being bounced, his email went out to all the DHS daily report distribution list recipients. Chaos (and spam) soon began.

People who received this gentleman's email soon emailed back him saying that he had made a mistake - unfortunately, some used the "Reply All" button. This started another round of email broadcasts.

The New York Times wrote a nice little article this morning on the e-mail spamming mess. It claims that over 2.2 million emails were generated by the incident.

What will be more interesting to watch is how people who helped keep the spurious email traffic going and disclosing their personal contact information along the way to boot, will like seeing their names and email posted in the New York Times.

I would love to be a fly on the wall when some of these folks are explaining in the future to their bosses why IT security policy is important, why everyone needs to follow it, why they need more resources for improving security, etc., etc., and then being asked by their boss why they couldn't keep their own damn hands off the keyboard.

As the Times article notes:

"The accident raised questions among cybersecurity experts about how well prepared the Homeland Security Department is to defend against a cyberattack because it had trouble dealing with this computer problem."

No kidding.

I wouldn't be surprised that Congress gets interested in this little episode, given the response of both DHS and the many government security professionals (the term is debatable) who kept it going. Maybe Congress will call a few in to testify to find out what was so irresistible about keeping a spam chain letter going, and clogging up government servers. Or maybe disclosing what appeared to me to be email addresses and telephone numbers including cell phones of folks doing highly classified work. And now that this incident has been reported world wide, how valuable do you think this information is going to be, even if only for a short time?

I'll also be curious to see how the employers of those folks looking for new jobs will view it. Maybe they will help their employees find new ones.

Please, all of you who I am sure are happy to get their names and places where they work in the NY Times, let me know.

According to today's Boston Globe (registration may be required), the Massachusetts Appeals Court upheld the accuracy of information received from automobile event data recorders (EDR) for use in court cases. Event data recorders, sometimes called car "black boxes," are devices installed in a motor vehicle to record technical vehicle and occupant information for a brief period of time (seconds, not minutes) before, during and after a crash, according to the National Highway Transportation Safety Association website.

An EDR may record (1) pre-crash vehicle dynamics and system status (e.g., wheel speed, engine rpm), (2) driver inputs (e.g., braking, acceleration), (3) vehicle crash signature, (4) restraint usage/deployment status, and (5) post-crash data such as the activation of an automatic collision notification (ACN) system. According to an article in Time magazine, some 64% of cars made today have EDRs, and about 33% of all cars on the road today have them installed.

In the Massachusetts case, a woman was sentenced to two years in prison after her GMC Yukon skidded on ice and hit a tree, killing her passenger in 2003. The woman claimed that she was traveling only 20 to 30 miles per hour when she lost control, but the car's recorder showed that she was traveling 58 m.p.h. in a 40 m.p.h. zone. Her lawyer appealed her case arguing that the EDR's information was not reliable or accurate.

Consumer and privacy advocates have been opposite sides of the debate. According to the Time article, Public Citizen's Joan Claybrook "wants tougher rules compelling automakers to install EDRs in every car because objective crash data will lead to the design of safer cars and highways. Privacy activists want the government to prevent police and insurance companies from checking drivers' black boxes without permission. 'We have a surveillance monster growing in our midst," says Barry Steinhardt of the American Civil Liberties Union. 'These black boxes are going to get more sophisticated and take on new capabilities.' "

Like most technologies, once out of the bottle, they can't be put back in. And when its a question of public safety or privacy, privacy usually loses. The same will likely be true in the case of electronic medical records.

As many as 40 employees at Palisades Medical Center in North Bergen where actor George Clooney and a companion was taken after his motorcycle accident a few weeks back are being investigated for looking at his medical records, with over two dozen suspended without pay so far. It is probably a safe guess that at least one leaked Clooney's records to the press, since the media reported in detail on his injuries within "minutes" of his admittance.

The employees got to Clooney's medical records by accessing the hospital's computers. Let's hear it for computerized medical records - makes spying so easy.

As I noted a few weeks back, a celebrity's (reported to be ex-English football coach Sir Bobby Robson) medical records were looked at in a UK hospital.

A Palisade's hospital workers union spokesperson said, "It was inappropriate but they [the employees who sneaked a peak] are paying a steep price. But I don't even think George Clooney would want people to pay. Again, the apology to him for his privacy rights [is necessary], but I think in fact the hospital is overreacting."

"There are hospital obligations to have security systems so that a breach can't occur -- obviously that failed," she added. The spokesperson also tried to argue that since the employees (for the most part) only looked at Clooney's medical record and didn't disclose it (what, other than to friends and relatives?), it was a "no harm, no foul situation."

I hate to differ - I think they all need to be terminated. Or how about this as a compromise: a full public disclosure of the medical records (or better tax records - what's the difference?) of all those who sneaked a peak, and for fairness, let's include the union spokesperson since she thinks snooping does not rate a suspension, let alone a firing. That's a fair trade, right?

Furthermore to say that it's the hospital's fault for not having technology to keep prying eyes out is more than a bit self serving. In the UK incident, for example, those authorized to look at Robson's medical records simply gave access to those who did not. Technology doesn't prevent bad behavior or a lack of personal responsibility.

With attitudes expressed by this spokesperson, I would say that ensuring the privacy of electronic health records still have a long way to go.

In November 2006, "Democrat Christine Jennings, lost to her Republican opponent, Vern Buchanan, by just 373 votes out of a total 237,861 cast — one of the closest House races in the nation. More than 18,000 voters in Sarasota County, or 13 percent of those who went to the polls Tuesday, did not seem to vote in the Congressional race when they cast ballots, a discrepancy that Kathy Dent, the county elections supervisor, said she could not explain," according to a story in the New York Times.

The uproar was such that this past February, Florida Gov. Charlie Crist announced that Florida would get rid of all of its touch-screen voting machines, and instead use a system whereby voters would cast paper ballots that would be counted by scanning machines. Crist demanded that this new voting system be put into place in time for next year's presidential election.

A recent story in the New York Times discusses Florida's on-going problems with dumping all 25,000 of its e-voting machines, purchased for tens of millions of dollars merely six years ago as a result of the voting problems in the infamous 2000 presidential election. Some Florida counties, like Miami-Dade, is now in the process of throwing out 7,200 touch-screen machines alone, even as the county still owes $15 million on them. Palm Beach county is trying to get rid of 4,900 touch-screens and it still owes $4.8 million. No one, it seems too interested in buying them.

As I noted a few months back, California has placed very severe limits on the use of electronic voting machines. The road to e-voting is a hard one, I guess.

By the way, the voting machines used last year in Sarasota County are sequestered under court order as the investigation into the apparent voting irregularities continues.

Last May, you may recall, TB patient Mr. Andrew Speaker flew back to the US from Europe over his doctors’ objections, and was able to enter the US even though he was on a travelers’ watch list. To reduce the possibility of something like this happening again, US Custom and Border Protection officials said that they were putting new procedures in place.

Well, last week it was disclosed that a Mexican national with multi-drug-resistant tuberculosis boarded 11 flights, at least one to the United States and crossed the US border a total of 76 times. Customs and Border Protection (CBP) officials were warned on April 16 that this person was infected, but it took the Department of Homeland Security until June 7 to warn the inspectors on the border and the Transportation Security Administration to add this traveler to the travelers' watch list.

So there were actually two incidents, one highly publicized and one not, happening simultaneously. During the Speaker incident, DHS said that it was inexcusable what happened.

However, it is very clear that given the bad publicity of the Speaker case, senior DHS officials deliberately tried to keep this other traveler off the watch list until things quieted down a bit. The DHS, surprise, surprise, is not commenting on this latest "oops".

As I wrote before, I was skeptical that the Speaker incident would trigger a wider review of the limitations of the Custom and Border automated travelers' watch system as well as its systemic role in being able to manage the risks of travelers having infectious diseases. I guess I was more correct than I knew, unfortunately.

The BBC reported last week that the decision to move forward in 2002 with the UK National Health Service's electronic health record's National Programme for IT (NPfIT) took place after a ten-minute presentation to then Prime Minister Tony Blair. The cost estimate for NPfIT - done basically on the back of an envelop - was for £2.4bn over three years, to which Blair basically said, "Go for it."

Surprise, surprise, NPfIT is currently projected to cost £12.4bn over ten years, and even that estimate is likely severely optimistic. Tony Collins over at ComputerWeekly who has been following the NPfIT situation for years has all the gory details. Collins has been trying to get the minutes of the meeting released, which the government refuses to do, despite being directed to do so by the Information Commissioner.

The NHS has recently stated that regardless of the many problems the NPfIT has faced, it is highly successful, and that it is "so well advanced that the health service 'could no longer function' without it."

This is kind of like Homer Simpson saying,“I think Smithers picked me because of my motivational skills. Everyone says they have to work a lot harder when I’m around.”

MIT filed a negligence lawsuit against architect Frank Gehry and construction company Skanska USA Building Inc, claiming “design and construction failures” exist in its $300 million Stata Center that was opened in 2004, according to stories in the Boston Globe and New York Times. The Center opened to widespread praise by MIT.

Gehry has described as looking like "a party of drunken robots got together to celebrate," claims the issues are "fairly minor" and should be expected "in the design of complex buildings."

"These things are complicated and they involved a lot of people, and you never quite know where they went wrong. A building goes together with seven billion pieces of connective tissue. The chances of it getting done ever without something colliding or some misstep are small."

The executive vice president and area general manager of Skanska USA however, said that, "This is not a construction issue. Never has been." He claims that Gehry had rejected Skanska’s formal request to change the design of the outdoor amphitheater, a source of the many of the problems; "We were told to proceed with the original design."

Gehry in turn, blamed cost-cutting by MIT: "There are things that were left out of the design.The client chose not to put certain devices on the roofs, to save money."

Doesn't this just sound like the aftermath of an IT project gone bad?

A small news item appeared in the London Guardian this past week about how Cambridge University in England is desperate for computer science applicants. Cambridge is receiving only 40% as many applicants that it did in 2000. Professors there blame the drop on the perception that computer science students are "geeky" and that the best jobs are being outsourced to India and China.

Air Canada said there was a communications error between the airline's central reservation and check-in system affecting airports across Canada beginning at 0430 Friday morning. The system-wide problem affected both international and domestic flights with the worst delays experienced during the peak morning travel hours.

The delays weren't as bad as the recent problems at LAX.

Spectrum's Senior Associate Editor Samuel Moore sent me a note on an interesting news release titled, "Design of Patient Tracking Tools May Have Unintended Consequences" about a study by researchers at the University of Buffalo regarding the replacement of dry-erase patient status boards by electronic patient tracking systems. The researchers studied how new electronic patient-status boards were functioning in the emergency departments of two busy, university-affiliated hospitals.

What the researchers found was while there were surface similarities between the manual and electronic systems, there were subtle differences in the design of the latter that affected how health-care providers communicated and tracked patient care, sometimes not for the better. As one of the researchers noted,

"The manual whiteboard allows flexibility in tracking patients. For example, maybe the first time the provider sees a patient, she initials the name on the whiteboard, then the next time she circles the initials, then when the patient is discharged, she might put an 'x' in the circle, signals that are a means of communicating with her colleagues in the ER."

"With a computerized system, providers have to find an available computer terminal and log-in. The providers can't just walk up to the whiteboard and make a notation."

Whiteboards also provided immediate visual clues that the electronic tracking system did not, like how busy the emergency room was and how critical resources were allocated.

The researchers note that future electronic patient tracking systems need to investigate workflow and communication issues more carefully, and hope their study will encourage designers to better meet user needs.

Last week, ComputerWorld published a lengthy story about the disruption of the US Department of Veterans Affairs' VistA electronic health record (EHR) system in Northern California last August. According to the story, the outage was caused by "a simple change management procedure that wasn't properly followed."

It turns out that one group of maintainers asked another to make a change to a network port configuration without having the proper authorization to do so, which the second team did. In other words, the system was done in by poor configuration management.

For reasons left better explained by the ComputerWorld article, the VistA back-up systems that were supposed to kick in, didn't.

The outage caused the VistA system to be down for a good part of a day, which caused healthcare workers to revert to paper and pencil. Patient safety was increasingly put at risk, because the VA health system is almost completely electronic. In the VA's words, the outage was "the most significant technological threat to patient safety (the) VA has ever had.” It has taken months to put all the paper-based information created that day back into electronic format.

The VA experience provided a glimpse of what may happen if a major outage and back-up systems fail once EHR systems are fully up and running. System designers of EHR systems need to think a bit harder about what happens when the "unthinkable" does indeed happen.

According to ComputerWeekly, doctor support for the NHS National Programme for IT (NPfIT) has dropped sharply over the past three years. Only 23% of general practitioners and 35% of other medical specialists surveyed now support the aims of the NPfIT, while in in 2004 it was 56% and 75% respectively. Less than 50% of the doctors surveyed believe that the NPfIT is an important NHS priority, while in 2003 some 80% did so.

The NHS said the survey results did not match up with its own surveys, and that the NPfIT is working just fine, thank you very much.

Of course, the NHS also said it would never have to alter the supplier contracts for the NPfIT implementation, but last week the NHS admitted it was in fact altering them, but it really wasn't a contract renegotiation. The NHS suppliers apparently didn't get the word, however, because they refused to discuss what it was all about, citing “ongoing commercial negotiations."

I love politicians who think they are software architects or system engineers. I wince whenever they pass some ill-conceived legislation, the success of which critically depends on information systems & technology (IS&T) without ever bothering to consider the technological and management risks involved. Like Captain Jean-Luc Picard, they just order, "Make it so."

This time Congress has screwed around and not passed legislation that has another signficiant IS&T component, namely the promised fix to the alternative minimum tax (AMT). The AMT was passed in 1969 as a way to make 155 very wealthy families (of the time) pay some taxes (they were able to avoid doing so by claiming lots of state and federal deductions).

Over time, the AMT has grown (it isn't inflation adjusted) to hit more and more taxpayers - 4 million in 2006. If changes aren't made, it will likely hit 25 million taxpayers this year, most who aren't aware that they will owe lots more money (about $2,000 on average), and possibly penalties for underpaying their taxes.

Congress is supposed to legislate a fix, but squabbling between Congress and the White House has delayed progress. Any legislative change, of course, may require changes to millions of lines of software in IRS computer systems since the AMT affects so many different tax computations. Reprogramming the IRS computer systems to deal with new AMT legislation requires 12 weeks from the time the bill is signed into law; the IRS also needs three weeks to print new tax forms.

The IRS is warning that if Congress waits too much longer, it may have no choice but to delay not only the tax filing season start date of 14 January 2008 to mid-February, but also refund checks for another 25 million taxpayers to the tune of some $87 billion.

I also suspect that, on top of all the confusion that will ensue, those IRS computer systems won't be able to be fully system tested given the schedule pressure, so some AMT-related problems likely won't surface until well into next year. And even though the various makers of home tax preparation software claim the delay is no big deal, I bet it will be if things drag on much longer. The risk of both deliberate and unintended tax noncompliance will soar.

Congress has been warned about this problem for over a year, but I guess it had better things to do.

The Food and Drug Administration (FDA) Science Board's Subcommittee on Science and Technology released a very worrying report late last week on the current state of science and technology at the FDA:

"The Subcommittee concluded that science at the FDA is in a precarious position: the Agency suffers from serious scientific deficiencies and is not positioned to meet current or emerging regulatory responsibilities."

According to the FDA, it is responsible for protecting the public health by assuring the safety, efficacy, and security of human and veterinary drugs, biological products, medical devices, the nation’s food supply, cosmetics, and products that emit radiation. The FDA is also responsible for advancing the public health by helping to speed innovations that make medicines and foods more effective, safer, and more affordable; and helping the public get the accurate, science-based information they need to use medicines and foods to improve their health.

As the Subcommittee points out in its report,"The nation is at risk if FDA science is at risk."

In addition to the scientific deficiencies, another one of the critical findings of the Subcommittee's report is that, "The FDA cannot fulfill its mission because its information technology (IT) infrastructure is inadequate."

As I mentioned the other day, too many politicians pass legislation without understanding the full IT ramifications involved. In the Washington Post on Sunday, blogger-reporter (or is it reporter-blogger) Garrett M. Graff travels a bit further in his essay entitled Prehistoric Pols Don't Know Their Yahoo From Their YouTube.

Graff hopped on Sen. John McCain for saying at last Wednesday's CNN/YouTube debate that he "wouldn't need t