Tag Archives: Pharmaceutical

Why big data for healthcare is dangerous and wrong

The McKinsey Global Institute recently published a report entitled “Big data: The next frontier for innovation, competition, and productivity”.

The McKinsey Global Institute report on big data is no more than a lengthy essay in fallacies, inflated hyperbole and faulty assumptions; it lacks evidence for its claims and ignores the two most important stakeholders of healthcare, namely doctors and patients.

They just gloss over the security and privacy implications of putting up a big big target with a sign that says “Here is a lot of patient healthcare data – please come and steal me”.

System efficiency does not improve patient health

In health care, big data can boost efficiency by reducing systemwide costs linked to undertreatment and overtreatment and by reducing errors and duplication in treatment. These levers will also improve the quality of care and patient outcomes.

To calculate the impact of big-data-enabled levers on productivity, we assumed that the majority of the quantifiable impact would be on reducing inputs.

We held outputs constant—i.e., assuming the same level of health care quality. We know that this assumption will underestimate the impact as many of our big-data-enabled levers are likely to improve the quality of health by, for instance, ensuring that new drugs come to the market faster…

They don’t know that.

The MGI report does not offer any correlation between reduction in systemwide costs and improving the quality of care of the individual patient.

The report deals with the macroeconomics of the pharmaceutical and healthcare organization industries.

In order to illustrate why systemwide costs are not an important factor in the last mile of healthcare delivery, let’s consider the ratio of system overhead to primary care teams at Kaiser Permanente, one of the largest US HMOs. According to KP’s 2010 annual report, out of 167,000 employees there were 16,000 doctors and 47,000 nurses.

Primary care teams account for only 20 percent of KP head-count. Arguably, big-data analytics might enable KP management to deploy services in a more effective way, but it does virtually nothing for the 20 percent of headcount that actually encounters patients on a day-to-day basis.

Let’s not improve health, let’s make it cheaper to keep a lot of people sick

Note the sentence – “assuming the same level of health care quality”. In other words, we don’t want to improve health; we want to reduce the costs of treating obese people who eat junk food and ride in cars instead of walking, rather than fixing the root causes. Indeed, MGI states later in their report:

Some actions that can help stem the rising costs of US health care while improving its quality don’t necessarily require big data. These include, for example, tackling major underlying issues such as the high incidence and costs of lifestyle and behavior-induced disease.

Let’s talk pie in the sky about big data and ignore costs and ROI

…the use of large datasets has the potential to play a major role in more effective and cost-saving care initiatives, the emergence of better products and services, and the creation of new business models in health care and its associated industries.

Being a consulting firm, MGI stays firmly seated on the fence and only commits itself to fluffy generalities about the potential to save costs with big data. The term ROI, or return on investment, is not mentioned even once because it would ruin their argumentation. As a colleague in the IT division of the Hadassah Medical Organization in Jerusalem told me yesterday, “Hadassah management has no idea of how much storing all that vital sign from smart phones will cost. As a matter of fact, we don’t even have the infrastructure to store big data”.

It’s safe to wave a lot of high-falutin rhetoric around about $300BN value-creation (whatever that means), when you don’t have to justify a return on investment or ask grass-level stakeholders if the research is crap.

MGI does not explain how that potential might be realized. It sidesteps a discussion of the costs of storing and analyzing big data, never asks if big data helps doctors make better decisions and it glosses over low-cost alternatives related to educating Americans on eating healthy food and walking instead of driving.

The absurdity of automated analysis

..we included savings from reducing overtreatment (and undertreatment) in cases where analysis of clinical data contained in electronic medical records was able to determine optimal medical care.

MGI makes an absurd assumption that automated analysis of clinical data contained in electronic medical records can determine optimal medical care.

This reminds me of a desert island joke.

A physicist and economist were washed up on a desert island. They have a nice supply of canned goods but no can-opener. To no avail, the physicist experiments with throwing the cans from a high place in the hope that they will break open (they don’t). The economist tells his friend “Why waste your time looking for a practical solution, let’s just assume that we have a can-opener!”.

The MGI report just assumes that we have a big data can-opener and that big data can be analyzed to optimize medical care. By the way, they do not even attempt to offer any quantitative indicators for optimization, like reducing the number of women that come down with lymphedema after treatment for breast cancer; lymphedema is a pandemic in Western countries, affecting about 140 million people worldwide.

In Western countries, secondary lymphedema is most commonly due to cancer treatment. Between 38 and 89% of breast cancer patients suffer from lymphedema due to axillary lymph node dissection and/or radiation. See:

  1. Brorson, M.D., H.; K. Ohlin, M.D., G. Olsson, M.D., B. Svensson, M.D., H. Svensson, M.D. (2008). “Controlled Compression and Liposuction Treatment for Lower Extremity Lymphedema”. Lymphology 41: 52-63.
  2. Kissin, MW; G. Guerci della Rovere, D Easton et al (1986). “Risk of lymphoedema following the treatment of breast cancer”. Br. J. Surg. 73: 580-584.
  3. Segerstrom, K; P. Bjerle, S. Graffman, et al (1992). “Factors that influence the incidence of brachial oedema after treatment of breast cancer”. Scand. J. Plast. Reconstr. Surg. Hand Surg. 26: 223-227.

More is not better

We found very significant potential to create value in developed markets by applying big data levers in health care.  CER (Comparative effectiveness research ) and CDS (Clinical decision support) were identified as key levers and can be valued based on different implementations and timelines

Examples include joining different data pools as we might see at financial services companies that want to combine online financial transaction data, the behavior of customers in branches, data from partners such as insurance companies, and retail purchase history. Also, many levers require a tremendous scale of data (e.g., merging patient records across multiple providers), which can put unique demands upon technology infrastructures. To provide a framework under which to develop and manage the many interlocking technology components necessary to successfully execute big data levers, each organization will need to craft and execute a robust enterprise data strategy.

The American Recovery and Reinvestment Act of 2009 provided some $20 billion to health providers and their support sectors to invest in electronic record systems and health information exchanges to create the scale of clinical data needed for many of the health care big data levers to work.

Why McKinsey is dead wrong about the efficacy of analyzing big EHR data

  1. The notion that more data is better (the approach taken by Google Health and Microsoft, endorsed by the Obama administration and blindly adopted by MGI in their report).
  2. EHR is based on textual data, and is not organized around the patient’s clinical issue.

Meaningful machine analysis of EHR is impossible

Current EHR systems store large volumes of data about diseases and symptoms in unstructured text, codified using systems like SNOMED-CT [1]. Codification is intended to enable machine-readability and analysis of records and serve as a standard for system interoperability.

Even if the data was perfectly codified, it is impossible to achieve meaningful machine diagnosis of medical interview data that was uncertain to begin with and not collected and validated using evidence-based methods.

More data is less valuable for a basic reason

A fundamental observation about utility functions is that their shape is typically concave: Increments of magnitude yield successively smaller increments of subjective value. [2]

In prospect theory [3], concavity is attributed to the notion of diminishing sensitivity, according to which the more units of a stimulus one is exposed to, the less one is sensitive to additional units.

Under conditions of uncertainty in a medical diagnosis process, as long as it is relevant, less information enables taking a better and faster decision, since less data processing is required by the human brain.

Unstructured EHR data is not organized around the patient issue

When a doctor examines and treats a patient, he thinks in terms of “issues”, and the result of that thinking manifests itself in planning, tests, therapies, and follow-up.

In current EHR systems, when a doctor records the encounter, he records planning, tests, therapies, and follow-up, but not under a main “issue” entity, since there is no place for it.

The next doctor that sees the patient needs to read about the planning, tests, therapies, and follow-up and then mentally reverse-engineer the process to arrive at which issue is ongoing. Again, he manages the patient according to that issue, and records everything as unstructured text unrelated to issue itself.

Other actors such as national registers, extraction of epidemiological data, and all the others, all go through the same process. They all have their own methods of churning through planning, tests, therapies, and follow-up, to reverse-engineer the data in order to arrive at what the issue is, only to discard it again.

The “reverse-engineering” problem is the root cause for a series of additional problems:

  • Lack of overview of the patient
  • No connection to clinical guidelines, no indication of which guidelines to follow or which have been followed
  • No connection between prescriptions and diseases, except circumstantial
  • No ability to detect and warn for contraindications
  • No archiving or demoting of less important and solved problems
  • Lack of overview of status of the patient, only a series of historical observations
  • In most systems, no search capabilities of any kind
  • An excess of textual data that cannot possibly be read by every doctor at every encounter
  • Confidentiality borders are very hard to define
  • Very rigid and closed interfaces, making extension with custom functionality very difficult

Summary

MGI states that their work is independent and has not been commissioned or sponsored in any way by any business, government, or other institution. True, but MGI does have consulting gigs with IBM and HP, which have vested interests in selling technology and services for big data.

The analogies used in the MGI report and their tacit assumptions probably work for retail in understanding sales trends of hemlines and high heels but they have very little to do with improving health, increasing patient trust and reducing doctor stress.

The study does not cite a single interview with a primary care physician or even a CEO of a healthcare organization that might support or validate their theories about big data value for healthcare. This is shoddy research, no matter how well packaged.

The MGI study makes cynical use of “framing” in order to influence the readers’ perception of the importance of their research. When a large number like $300BN is cited, readers assume that the impact of big data is, well, big. They don’t pay attention to the other stuff – like “well it’s only a potential savings” or “we never considered if primary care teams might benefit from big data” (they don’t).

At the end of the day, $300BN in value from big data healthcare is no more than a round number. What we need is less data and more meaningful relationships with our primary care teams.

[1] http://www.nlm.nih.gov/research/umls/Snomed/snomed_main.html

[2] Current Directions in Psychological Science, Vol 14, No. 5 http://faculty.chicagobooth.edu/christopher.hsee/vita/Papers/WhenIsMoreBetter.pdf

Medical device security trends

Hot spots for medical device software security

I think that 2011 is going to be an exciting year for medical device security as the FDA gets more involved in the approval and clearance process with software-intensive medical device vendors. Considering how much data is exchanged between medical devices and customer service centers/care givers/primary clinical care teams and how vulnerable this data really is, there is a huge amount of work to be done to ensure patient safety, patient privacy and delivery of the best medical devices to patients and their care givers.

On top of a wave of new mobile devices and more compliance, some serious change is in the wings in Web services as well.

The Web application execution model is going to go through an inflection point in the next two years, transitioning from stateless HTTP, heterogeneous stacks on clients and servers, and message passing in the user interface (HTTP query strings) to WebSocket and HTML5, and to running the application natively on the end point appliance rather than via a browser communicating with a Web server.

That’s why we are in for interesting times I believe.

Drivers
There are 4 key drivers for improving software security of medical devices, some exogenous, like security, others product-oriented, like ease of use and speed of operation. Note that end-user concerns for data security don’t seem to be a real market driver.

  1. Medical device quality (robustness, reliability, usability, ease of installation, speed of user interaction)
  2. Medical device safety (will the device kill the patient if the software fails, or be a contributing factor to damaging the patient)
  3. Medical device availability (will the device become unavailable to the user because of software bugs, security vulnerabilities that enable denial of service attacks)
  4. Patient privacy (HIPAA – aka – data security, does the device store ePHI and can this ePHI be disclosed as a result of malicious attacks by insiders and hackers on the device)

Against the backdrop of these 4 drivers, I see 4 key verticals: embedded devices, mobile applications, implanted devices and Web applications.

Verticals

Embedded devices (Device connected to patient)

  1. Operating systems, Windows vs. Linux
  2. Connectivity and integration into enterprise hospital networks: guidelines?
  3. Hardening the application versus bolting on security with anti-virus and network segmentation

Medical applications on mobile consumer devices (Device held in patient hand)

  1. iPhone and Android – for example, Epocrates for Android
  2. Software vulnerabilities that might endanger patient health
  3. Is the Apple Store, Android Market a back door for medical device software with vulnerabilities?
  4. Application Protocols/message passing methods
  5. Use of secure tokens for data exchange
  6. Use of distributed databases like CouchDB to store synchronized data in a head-end data provider and in the mobile device. The vulnerability is primarily patient privacy, since a distributed setup like this probably increases total system reliability rather than decreasing it. For the sake of discussion, CouchDB is already installed on 10 million devices worldwide and it is a given that data will be pushed out and stored at the end point hand-held application.

Implanted devices (Device inside patient)

  1. For example ICD (implanted cardiac defibrillators)
  2. Software bugs that result in vulnerabilities that might endanger patient health
  3. Design flaws (software, hardware, software+hardware) that might endanger patient health
  4. Vulnerability to denial of service attacks, remote control attacks when the ICD is connected for remote programming using GSM connectivity

Web applications  (Patient interacting with remote Web application using a browser)

  1. Software vulnerabilities that might endanger patient health because of a wrong diagnosis
  2. Application Protocols/message passing methods
  3. Use of secure tokens for data exchange
  4. Use of cloud computing as a service delivery model

In addition, there are several “horizontal” areas of concern, where I believe the FDA may be involved or getting involved

  1. Software security assessment standards
  2. Penetration testing
  3. Security audit
  4. Security metrics
  5. UI standards
  6. Message passing standards between remote processes

What is the value of a trade secret?

My guess is that the value of software patents is on the decline, taking value as the net of the economic upside of the software patent less the cost of patent development, application and enforcement.

The dynamic is that the benefit from patent protection in the software industry is less than the cost of the patent development, application and enforcement (see Bessen and Meurer, “Patent Failure”). The key area today where IP protection has a positive ROI is chemical formulations, i.e. the bio-pharma industry. Since most of the patents applied for/issued in the past 10 years have been related to software / algorithms, it follows that the adage “You can fool some of the people some of the time but not all the people all the time” is taking effect.

Protecting software-related intellectual property is extremely difficult – the boundaries are unclear, the algorithms are similar and people are mobile.

The patent application and registered patents are publicly available for perusal by anyone.  So it is not a privacy/compliance/data security issue at all.  The information is out there.

What is not out there – is the implementation. In the bio-pharma industry, that means the recipe for making the vaccine and in the software industry, it’s writing the software that will be secure, reliable and scalable and friendly to users.

Writing secure, reliable, scalable and maintainable software is a non-trivial exercise.

There is a huge gap between a software patent and the software implementation. On one hand, from the perspective of a patent as a digital asset, the vulnerability of patent disclosure is zero (since it’s disclosed already by the patent offices). On the other hand, a company’s actual implementation source code and techniques may be worth a lot of money: the value of the time, know-how and software management invested, and the potential downside if a competitor got a copy of the source and implementation technique and jump-started his development process.

My first recommendation to a technology company doing cutting-edge software development is to use DLP to protect your source code, since this is one of the easiest DLP implementations to do. The prices of DLP products are going down, and $150k of DLP implementation and operations/year is cost-effective when you have a few million invested in the implementation.

There are other security countermeasures against leakage of source code and implementation, such as false flags and changing your source code very quickly through agile implementation. Source code that was stolen 6 months ago is not worth much when a company cycles every day and builds a new release every morning at 830.
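
An added example (not from the original post and not taken from any DLP product): one way a DLP filter can recognise protected source code in outbound traffic, using winnowed token fingerprints, plus planted marker strings as one possible reading of “false flags”. The file name, the marker value, the sample messages and the 0.05 threshold are all constructed assumptions.

```python
import hashlib
import re

K = 5        # tokens per shingle
WINDOW = 4   # shingle hashes per winnowing window
TOKEN_RE = re.compile(r"[A-Za-z_]\w*|\d+|[^\s\w]")


def fingerprint(text, k=K, window=WINDOW):
    """Winnowing: hash each k-token shingle, keep the minimum of every window.

    Whitespace is not a token, so re-indented or re-wrapped code still matches,
    and any shared run of window + k - 1 tokens yields a shared hash.
    """
    toks = TOKEN_RE.findall(text)
    hashes = [
        int.from_bytes(
            hashlib.sha256(" ".join(toks[i:i + k]).encode()).digest()[:8], "big")
        for i in range(len(toks) - k + 1)
    ]
    if len(hashes) <= window:
        return set(hashes)
    return {min(hashes[i:i + window]) for i in range(len(hashes) - window + 1)}


class SourceIndex:
    """Fingerprints of protected files; the source text itself is not stored."""

    def __init__(self, threshold=0.05):
        # Assumed threshold; tune it against shared boilerplate such as licence headers.
        self.threshold = threshold
        self._files_by_hash = {}
        self._fp_size = {}
        self._canaries = set()

    def add_file(self, name, text):
        fp = fingerprint(text)
        self._fp_size[name] = len(fp)
        for h in fp:
            self._files_by_hash.setdefault(h, set()).add(name)

    def add_canary(self, marker):
        """Register a unique marker string planted in the code base."""
        self._canaries.add(marker)

    def scores(self, outbound):
        """Map file name -> fraction of that file's fingerprint found in outbound."""
        hits = {}
        for h in fingerprint(outbound):
            for name in self._files_by_hash.get(h, ()):
                hits[name] = hits.get(name, 0) + 1
        return {name: n / self._fp_size[name] for name, n in hits.items()}

    def inspect(self, outbound):
        """Return (verdict, reason) for one outbound message or upload."""
        for marker in sorted(self._canaries):
            if marker in outbound:
                return "block", "canary:" + marker
        leaked = {n: s for n, s in self.scores(outbound).items()
                  if s >= self.threshold}
        if leaked:
            return "block", "fingerprint:" + max(leaked, key=leaked.get)
        return "allow", "no protected content"


# Constructed sample data: one protected file and four outbound messages.
PROTECTED = '''
def quote_price(units, unit_cost, margin):
    base = units * unit_cost
    price = round(base * (1 + margin), 2)
    return [price] * units

def checksum(frame):
    acc = 0
    for byte in frame:
        acc = (acc * 31 + byte) % 65521
    return acc
'''
FULL_COPY = "Hi, code attached:\n" + PROTECTED.replace("    ", "\t") + "\nRegards"
PARTIAL_COPY = "see this bit:\n" + PROTECTED[PROTECTED.index("def checksum"):]
UNRELATED = "Lunch at 12:30? The sprint review moved to Thursday."
CANARY_MAIL = "build notes, ref ZQ-CANARY-0001, nothing else here"


def build_demo_index():
    index = SourceIndex()
    index.add_file("engine.py", PROTECTED)
    index.add_canary("ZQ-CANARY-0001")
    return index


if __name__ == "__main__":
    idx = build_demo_index()
    for label, msg in [("full", FULL_COPY), ("partial", PARTIAL_COPY),
                       ("unrelated", UNRELATED), ("canary", CANARY_MAIL)]:
        print(label, idx.scores(msg), idx.inspect(msg))
```

Source code suits this kind of matching because its token stream survives reformatting, and the index holds only hashes, so the filter itself does not become a second copy of the asset.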


Secure collaboration, agile collaboration

One of the biggest challenges in global multi-center clinical trials (after enrollment of patients) is collaboration between multi-center clinical trial teams: CRAs, investigators, regulatory, marketing, manufacturing, market research, data managers, statisticians and site administrators.

In a complex global environment, pharma companies do not have control of the computer platforms that local sites use, yet there is an expectation that file and information sharing should be easy. There are three areas where current systems break down:

1. People forget what files had been shared and with whom they have been shared

2. People have difficulty sharing files with colleagues in a way that is accessible to everyone – firewalls, VPNs, enterprise content management, DRM, corporate data security policy, end point security, file size – these are all daunting challenges when all you want to do is share a file with a colleague in Berlin when you are working in a hospital in Washington.

3. Notifications – how do you know when new information has been added or updated? Not having timely notifications on updates can be a big source of frustration resulting in team members pinging other members over and over again with emails.

Over the past 10 years a generation of complex enterprise content management software systems have grown up – they are bloated, expensive, difficult to implement, not available to the entire multi-center team and in many cases written by English speaking software vendors who cannot conceive that there are people in the world who feel more comfortable communicating in their native tongue of French, German, Hebrew or Finnish!

We are developing (currently in beta with a Tier 1 bio-pharma in EMEA)  a Web-based, agile collaboration system with a light-weight, easy to use, simple architecture, that saves time and reduces IT and travel costs – and literally gets everyone on the same page.

The system resolves the 3 breakdowns above while recording all user activities in a detailed audit trail in order to meet internal control and FDA regulatory requirements.

The system also provides significant cost benefits in addition to improving information collaboration:

• Reduces travel costs: Using online events, integrated media and file sharing and discussions, the clinical trial team and investigators can conduct program reviews, education activities and special events.

• Eliminates proprietary IT: No proprietary software or hardware and no IT integration. No extra investments in information technologies, CRM, sales force integration and data mining.

If this interests you – drop me a line!


Knowledge Prostitution

After a discussion with a client today about privacy and data security in social networking, I started looking at physician portals and came across a fascinating post from Dr. Scott Shreve – Knowledge Prostitution enabling Aggregated Voyeurism: Is this a Business Model?

Voyeurism (voi-yûr’ ĭzəm) n.

1. The practice in which an individual derives pleasure from surreptitiously observing people.

2. Derives from the French verb voir (to see); literal translation is “seer” but with pejorative connotations.

The client told me that they were considering using a closed physicians’ portal to help market their products. The business model used by closed, advertising-free doctors’ portals (Sermo.com in the US or Konsylium24.pl in Poland) involves paying for market intelligence data collected from the “user generated content” in the community. The tacit assumption is that physicians will talk freely inside a gated, advertising-free community.

Sermo.com kicks some of the revenue back to the users but the precision and recall of this market intelligence is not clear to me, considering the amount of noise in vertical social communities like Sermo and Konsylium24.pl and open social media like Facebook, Twitter and LinkedIn.

What is clear to me – is that there are data security and privacy implications when the community operator data-mines user-generated content for profit.  As a concrete example – a recent thread on Konsylium24.pl went something like this:

Doctor Number 1:

You know – Professor X is the KOL (key opinion leader) for company Y’s drug Z.  He says that drug Z is extremely effective for treating the indications of infectious disease Alpha.

Doctor Number 2:

Of course – Professor X is an acknowledged expert on infectious diseases, but he is also an expert on cash and knows how to do the math and add up the numbers…

I asked my client – “and for this kind of data, your parents sent you to medical school?”

This took me back to the days of Firefly, Alexa, Hotbar and use of personal information as currency – collected with “collaborative filtering” and “automated inference” from people browsing the web.

Web 2.0 and social media seem to be going through a similar evolution as Web 1.0 – trying to monetize content by data aggregation and analysis using “collaborative filtering” techniques. This may have been a sexy looking business model for Venture Capitalists during the dot.com era, but in 2009 (5 years after Sermo.com launched) and a few months after their well-publicized breakup with the AMA, automated inference, knowledge prostitution and aggregated voyeurism may be yielding to direct communications between people in B2B communities, social and professional networks.

Why peep through a window when you can just knock on the front door and ask?



Swine flu and social networking

It just occurred to me – as our partner in Poland was getting ready to drive from Warsaw to Łęczyca for a sales call – that novel H1N1 (swine flu) and seasonal influenza are a great reason to use social media and Web conferencing for customer contacts, sales and support, and so reduce physical contact and risk of exposure.


The threat behind the House Tri-Committee Bill on Health Care

Federal Healthcare Chart

Don’t ask me why, but I was invited (and joined) the Pakistan Networkers group on LinkedIn.  I see all kinds of cool job opportunities in the Emirates which I can’t really take but the traffic is interesting.

I saw this picture in a post today from the Pakistan Networkers group. It graphically describes the complexity of ObamaCare:  the Obama health care reform bill.   I then sat down and started to learn more about this proposed solution to the US health care system that will cost over a trillion dollars in the next 10 years.

The Obama Health plan and the problems the administration is currently facing getting it through Congress is second page news here in Israel (front pages this weekend in Israeli papers are how Obama and Rahm are throwing their weight around and dictating to the Jews where they can live and not live….)

I started reading about the House Tri-committee Health Care bill and my eyes started popping at the cost and complexity of the proposal. I then read the response of the Mayo Clinic – Mayo Clinic’s reaction to House Tri-Committee bill and I finally realized that just like in Cyber Security and data loss prevention – the Obama administration is more interested in compliance and big government than customers and health, safety and security.

I’ve been arguing for basing data security product purchasing decisions on value at risk and cost-effectiveness of the DLP product in reducing the value at risk of a data breach. Therefore, it is obvious to me that the notion of a value-based decision is an important cornerstone in redefining health care – see a discussion on pay for value in health care in the open letter to congress.


Drug counterfeiting, hype or health?

Counterfeiting is a hot issue not only because it hits vendors in the pocket but because of the public health/safety implications.

Product counterfeiting ranges from fashion, such as Dolce & Gabbana handbags, and high performance bike frames, such as Specialized Bikes, to faking innovative drugs such as Viagra.

The Israeli online business daily “The Marker” recently ran an item on drug counterfeiting, pegging the volume of drug counterfeiting in Israel at 80-100 million sheqels/year. The source for the number is the Israeli Ministry of Health, the World Health Organization and an organisation called “The Center for Pharmaceutical Security” (המכון לביטחון פרמצבטי). I could not find any reference to this organization online – but from the name it sounds like a pharmaceutical industry lobby.

The core issue is public health and safety. This is why I personally believe that anti-counterfeiting supply chain initiatives such as ePedigree are well-intentioned but ineffective countermeasures to this threat.  I believe that the interest of public health and safety (you can be killed on a defective road bike frame…) requires involving consumers at the point of sale.

Data security – is psychology more important than technology?

We had a discussion with a prospect for a DLP (data loss prevention) system that started with discussing the pros and cons of various DLP solutions (Verdasys, McAfee DLP, Websense, Fidelis Security) and finished with a drill-down into how they can build a business case to acquire and implement data security technology. After a very interesting session – the CIO asked me – “So why did you start with technology? we should have started with the business case?” I replied – “Got your attention, didn’t I!”

Talking with clients we stress threat modeling and analysis and doing quantitative risk analysis but I believe that psychology may be more important than the technology. This is for several reasons:


Part II – Why pharmas don’t do social networking

If you understand how pharmaceuticals are sold, this is not surprising.

What is surprising is that a lot of people seem to think it’s just a question of time before pharmaceutical companies like GSK get into social media.  I claim that a fashion trend doesn’t make a business case. The buzz of social media and Twitter in 2009 reminds me of the buzz on virtual worlds in 2008.

There are 3 fundamental reasons why consumer-side social media is not a good fit for pharmas and they all relate to how prescription drugs are sold:
