Thursday, February 9, 2012

Our Cancer Journey - Week 8

Kathy finished Cycle 3 of Adriamycin/Cytoxan, has weathered the most difficult treatment symptoms, had a positive rebound of her blood cell counts, and continued to receive an outpouring of support from the community.

Per the screen print above from BIDMC's web-based Online Medical Record, her neutrophil count increased from 3610 to 5660, ensuring she can fight infection. Neutrophils are significantly affected by chemotherapeutic agents, but Neulasta, a bone marrow stimulant, protects cancer patients from the neutropenic nadirs that once caused multi-day hospitalizations requiring antibiotics.

Dr. Robin Schoenthaler, a Radiation Oncologist in the MGH Department of Radiation Oncology at Emerson Hospital and Director of Medical Education at Emerson, wrote to me with very helpful advice for husbands and families supporting breast cancer patients:
   
"I am a radiation oncologist at MGH specializing in the treatment of women with breast cancer and I have been following your blog (from which I heard about that very cool I-phone charger; thank you very much!) for some time.  My heart goes out to you and your wife.  I hope that things go as swimmingly as possible for you during and after the acute phase of treatment.

I have many many thoughts about what you have written; but yesterday's column which touched on the issues of 'causality' rang a real bell for me in three areas.


First off, it may interest you to know that, as far as I can find,  there are no good studies that absolutely link breast cancer (or any cancer) with stress.  Studies looking at extreme stress (eg war, famine, rape) have not shown a clear-cut link with the later development of cancers.  Studies looking at day-to-day stressors have been negative, and studies evaluating severe stressors (recent divorce, death of loved one) are extremely mixed -- some show perhaps a small link and some actually show that severe stressors are associated with a LOWER rate of breast cancer (eg the Women's Health Initiative).  This stuff is terribly hard to tease out so all we can say at the present time is that while there MAY be a link, and although there are hypothetical reasons to be concerned about a link, thus far many good studies do NOT show an absolute connection between being under stress and then getting breast cancer.


This may well be because 'cancer' is such a heterogenous disease, and it may also be related to the fact that cancers grow at such different rates, so that it's nearly impossible to say that a defined 'stressor' (and who can say exactly what stress is -- for some people it's their mother-in-law!) is linked to a very slow-growing breast cancer (or a fast one) or a lightning-fast lymphoma.  It's just too hard to connect the dots.

The second idea I would like to convey to you is that your search for a cause -- wondering if it's paints, or stress, or radicals (or for other women: fertility treatments, or living under power lines, or pesticides) is a specifically AMERICAN response to disease, or more fundamentally, why bad things happen to good people.  If you and your wife lived in India, you would probably think this disease occurred because of something harmful you did in a past life prior to this reincarnation (karma, etc).  If you lived in Mexico, you might well think your wife was bound to suffer this way so she could offer it up and then sit at the right hand of Mary in heaven.

But here in America, we always, always, think it's something we did.  We think we are the cause.  We ALWAYS think we are the cause, and if only we had done x or y or z maybe this wouldn't have happened.  We like to think we are in control, us Americans (especially the engineers and computer people amongst us), despite the fact that Mother Nature is constantly showing us who rules.

I do think this is an important thing to think about -- maybe it wasn't environmental, maybe it had nothing to do with behavior, maybe it was just stone cold bad luck.  I think it changes the way one approaches disease sometimes and I offer it to you as a possibility.

The third thing I want to say to you is that you are really being a model Husband/Caretaker, and my hat is off to you and to all such wonderful men.  I call men like you 'Purse Holders' and in fact I wrote an essay in the Globe about them a couple of years ago.  If you care to read it you can find it here.

I send you my very best regards and wishes, and if you would like to further discuss these or any other breast-cancer-related issues or questions, please consider me your go-to person."

Thanks Robin, your support is much appreciated.  And you're right, since treating breast cancer is a partnership, all aspects of treatment including the driving, the listening, and the purse carrying are a shared responsibility.

On Sunday, I must fly to China to fulfill a promise I made a year ago to assist with healthcare IT design in Shanghai and Hong Kong.   My absence is timed for those treatment days when Kathy is at her best and her energy has returned.   I'll be back before the symptoms of Cycle 4 begin.    I'll write my post next week during the first time we've been apart overnight since her diagnosis in December.   As we travel the treatment path together, the experience of caring for Kathy long distance will bring new emotions.

Wednesday, February 8, 2012

Two Factor Authentication

I've previously written about innovative approaches to strong identity management which we're investigating.

SAFE-BioPharma has implemented a thoughtful two factor authentication solution that leverages mobile devices and is provisionally certified as a trust framework provider for NIST level of assurance 2 and 3 by the General Services Administration FICAM program. Their solution is cross certified with the Federal Bridge Certificate authority.  Thus, their credentials are trusted in both the Public Key Infrastructure (PKI) and non-PKI sectors for authentication to any Federal application or infrastructure.

Here's how credentials are issued per Richard Furr, Head of Global Regulatory Affairs, Policy and  Compliance, SAFE-BioPharma Association:

The applicant is nominated for a credential by a sponsoring SAFE-BioPharma member.  It is important to note here that SAFE-BioPharma is a member driven non-profit association and only members of the association can nominate applicants for credentials.  Applicants must be employees or business partners of that member. Membership in SAFE-BioPharma is limited to entities that operate in the biopharmaceutical or healthcare delivery sectors.

The nomination is made on-line by a specially trained member of the member staff who enters specific data, i.e., at least name and business e-mail address, into the registration authority system (UIS) that Verizon Business operates as a contracted infrastructure provider for SAFE-BioPharma.

The UIS generates an email to the applicant address which contains a link to the UIS and a one time password to allow the applicant to access the UIS.

The applicant completes a user profile including other information, e.g., address, telephone, last 4 digits of their social security number, date of birth, medical license number if they have one, that the UIS uses to build out their identity.

Based on the data entered by the applicant the UIS develops their identity and through a contracted data source (LexisNexis) the applicant is presented with five multiple questions to which only they should know the correct answers.  The applicant has 2 minutes to answer 4 of the 5 questions correctly.  If they fail the first time they are presented another 5 questions.  If they answer 4 correctly their identity is confirmed and they can complete the registration process.  If they fail a second time they are rolled over to a manual notary process.

Once the identity is confirmed, the applicant creates an account with the UIS Identity Broker by creating a strong user name and password according to the parameters of the system.  Then, the applicant registers one or more devices that are capable of receiving a cryptographically generated one-time password, e.g., smartphone (Android or iPhone), SMS capable cell phone, iPad, other mobile tablet, landline phone capable of receiving interactive voice response, other token (RSA, OAuth, etc.) or other types of devices that can receive the One Time Password (OTP).

Upon completion of these steps the system also generates an X.509 certificate that is downloaded to a cloud-based FIPS 140-2, level 3 certified hardware security module.  This certificate is the applicant's digital signing certificate.  It can be accessed using the 2-factor non-PKI credential that was just generated.  Upon completion of these steps the applicant digitally signs their Subscriber agreement and is ready to go.  The entire process takes about 10 minutes. It is also important to note that the last 4 of the social security number and date of birth are deleted after the initial registration process so they are never kept in the system.

Here's how actual authentication works:

1.  The user accesses an application or portal via the internet.
2.  The accessed application or portal displays a login dialog that asks for the user name and password.
3.  The user enters their user name and password and selects the pre-registered device to which they wish their OTP to be sent.  This is the first factor of the 2-factor authentication – something the user knows.  The app or portal also generates a SAML2 request to the identity broker.
4.  The identity broker verifies that the Account is valid and uses a cryptographic algorithm to generate the OTP and send it to the selected device.
5.  The app/portal displays a dialog for the user to enter their OTP.  The user has 5 minutes to enter the OTP.  When they do, the identity broker verifies the OTP as being the one that was generated and this completes the second factor – something the user has – in this case the pre-registered device that received the OTP. Based on this successful completion, the identity broker generates a SAML2 response to the app/portal verifying the identity.

If the user needs to digitally sign a document, such as an e-prescription, they can do so using this same process to authenticate to their X.509 certificate in the cloud.  It appears that the DEA will accept this process as part of the final rule for e-prescribing controlled substances.

Since the credentials are FICAM certified, it seems reasonable that such an approach meets all compliance criteria that require strong authentication for securing protected healthcare information.

Tuesday, February 7, 2012

Attesting to Meaningful Use Quality Measures

I was recently asked how eligible professionals should report the Meaningful Use Clinical Quality Measures if there are zero denominators (i.e. you do not have any hypertensives, adults, or patients with 2 or more visits in the measurement period).

Here's the answer as I understand the regulations and FAQs:

1.  Report on the 3 Core measures if you can, which include
*Hypertension: Blood Pressure Measurement
*Tobacco Use Assessment and Tobacco Cessation Intervention
*Adult Weight Screening and Follow-up

2.  If any of the 3 Core measures has a zero denominator, replace them one-for-one with one of the 3 alternate core measures.   If you can’t get to 3 non-zero denominators between the core and alternate core, report on all 6 (even if it means that you have to report 6 zero denominators)
*Weight Assessment and Counseling for Children and Adolescents
*Preventive Care and Screening: Influenza Immunization for Patients ≥ 50 Years Old
*Childhood Immunization Status

3.  Regardless of the above, you MUST report on 3 of the remaining 38 Additional Set measures.  If you are reporting any zero denominators from these Additional Set measures, you must attest that you have no other non-zero denominator measures.  Essentially, you have to confirm that you’re not running away from non-zero denominator measures.

In summary, the minimal requirement is for 6 measures (3 core or alternate core, 3 additional set).  You may have to report up to 9 measures if there are zero denominators involved.  If you can’t find 3 non-zero denominators among the core and alternate core, you have to report on all 6 (even if it means that you’re reporting 6 zero denominators).  In addition, you still have to report on 3 from the remaining 38 additional set measures.  If any of these 3 additional set measures is a zero denominator, you must confirm that you don’t have a non-zero denominator for any of the remaining 35 that you’re not reporting on.
 
Micky Tripathi posted a blog about this last summer that provides additional detail.

You'll find the FAQs that address the Clinical Quality Measures here.

Monday, February 6, 2012

The Perfect Storm for Innovation

In my career, there have been a few perfect storms, defined as "a confluence, resulting in an event of unusual magnitude".

When I was an undergraduate at Stanford University in 1980, two geeky guys named Jobs and Wozniak dropped by the Homebrew Computer Club to demonstrate a kit designed in their garage.   IBM introduced the Personal Computer and MS-DOS 1.0.   I purchased an early copy of Microsoft Basic and began creating software in my dorm room including early versions of tax calculation software, an econometric modeling language, and electronic data interchange tools.   Every day brought a new opportunity. The energies of hundreds of entrepreneurs created an industry in a few intensely creative months that laid the foundation for the architecture and tools still in use today.   A guy named Gates offered me a job and I decided to stay in school instead.

In 2001 when I was first hired at Harvard, a visionary Dean for Medical Education, a supportive Dean of the Medical School, talented new development staff, and a sleepless MD/PhD student came together to create one of the first Learning Management Systems in the country, Mycourses.   Robust web technologies, voice recognition, search engines, early mobile devices, and new multi-media streaming standards coincided with resources, strong governance, and a sense of urgency.  Magic happened and in a matter of months, an entire platform was created that is still powering the medical school today.

At BIDMC in 2010, IS Clinical Systems staff and key operational leaders realized that Meaningful Use Stage 1 was within reach if we temporarily put aside other work and focused our energy, creativity, and enthusiasm on rapid innovation, process change, and education.   In a few weeks we became the first hospital in the country to certify our EHR applications - inpatient and ambulatory.    We became the first hospital to achieve Meaningful Use.  More than 70% of our eligible professionals have surpassed meaningful use performance thresholds.   We had no budget, no dedicated resources, and nothing but strength of will to make it happen.   It was one of our finest hours.

In 2011, the Massachusetts public sector (Secretary of EOHHS, CIO of EOHHS), private sector healthcare leaders, and healthcare IT experts had a bold idea - create a public utility that links together all the existing regional health information exchanges, public health, small clinician offices, payers, and patients using modular components procured and initially operated by state government.   We aligned forces and in a few weeks created budgets, project plans, a new State Medicaid Health Plan, and a guiding coalition of stakeholders.    Political, organizational, and technical barriers were broken down and unbridled optimism rekindled our health information exchange momentum.    2012 will be a transformative year in the Commonwealth, truly a perfect storm.

My advice - look for the perfect storms in your own life.  Minimize your distractions, cancel unnecessary meetings, and put aside those tasks that don't add value.   Take a risk and dive head first into the possibility of creating greatness.   I've seen opportunity come and go in my life.   No one remembers the mundane.  No one forgets the events of unusual magnitude.

Recently, I updated my BIDMC job description to include fostering healthcare information exchange among affiliates, accountable care organizations, and the community.   The Massachusetts Health Information Exchange is the next perfect storm in my career and I will devote all of my energies to the confluence being created by EOHHS CIO Manu Tandon, Massachusetts eHealth Collaborative CEO Micky Tripathi, and the dozens of volunteers lending the wisdom to the process.

Friday, February 3, 2012

Cool Technology of the Week

I recently wrote about the explosion of business spam.

One of my blog commenters introduced me to Unsubscribe.com which provides a free, timesaving, easy to use unsubscribe utility.

Numerous times a day, I click on an email, scroll to the unsubscribe area, have to figure out the proprietary unsubscribe functionality of the business spammer, retype my email address, and hope it works since unsubscribe sites are generally slow and unreliable.

With Unsubscribe.com, I just download a plug-in for my email client (Apple Mail), and simply click on the unsubscribe icon whenever unwanted email appears in my inbox.   The unsubscribe servers use natural language processing to figure out the unsubscribe methodology and send the unsubscribe request.

It has easily saved me 15 minutes a day.

Of course the ultimate answer would be for advertisers to act more ethically.   I had a great conversation with Dave Smith, Compliance Officer for Constant Contact, about their efforts to enforce email advertising best practices.    A few items:

1.  They ask their clients to certify pre-existing business relationships or opt-in before sending email.   Some clients do not follow this policy guidance, so the Constant Contact compliance team does its best to identify and stop abuses by their customers.

2.  They created "Safe Unsubscribe" to make it easier for recipients to remove themselves from mailing lists.   It really works - Safe Unsubscribe does actually stop the flow of advertising.

3.  They will honor a  global "do not call" designation for all email newsletters if such a request is made to the compliance department.

My wife uses Constant Contact for her NKG Art Gallery Newsletter, so I'm not opting out of all communications just yet.   Only a small portion of my business spam comes from advertisers using Constant Contact - a tribute to their ethical marketing compliance efforts.

A utility to automatically unsubscribe and a company using a compliance team to reduce unwanted email.    That's cool!

Thursday, February 2, 2012

Our Cancer Journey - Week 7

Tomorrow we begin the third cycle of Cytoxan/Adriamycin.   In the journey thus far, Kathy has had good days and bad days.   High energy and low energy days.    Meal days and BRAT (Bananas, Rice, Apples, Toast) days.    We frequently discuss the factors that put Kathy at risk for cancer at this point in her life.   We talk a lot about the future.

Kathy's typical pattern is

Friday - Chemotherapy infusion day, good energy, good appetite, some jitters from the steroids
Saturday - Good energy, good appetite, some jitters from the steroids
Sunday - Waning energy, moderate appetite, bone pain
Monday - No energy, moderate appetite, extra sleep needed, bone pain, bland diet
Tuesday - Low energy, extra sleep needed, bone pain, bland diet
Wednesday - Low energy, bland diet, extra rest needed
Thursday - Moderate energy, bland diet
Friday - Moderate energy, stomach pain, bland diet
Saturday - Moderate energy, stomach pain, bland diet
Sunday - Moderate energy, stomach pain, bland diet
Monday - Good energy, moderate appetite
Tuesday - Good energy, good appetite
Wednesday - Good energy, good appetite
Thursday  - Good energy, good appetite

What environmental risks caused the cancer at this point in her life?  Exposure to the cadmium and other heavy metal pigments in her traditional oil paints? Pesticides in the environment? Bisphenol in cans? Free radicals?

We've talked about psychoneuroimmunology, the impact of mood and outlook on the ability to combat disease.

The past two years have been challenging for Kathy - helping our daughter grow from high school to college, transitioning to an empty nest, creating an art gallery business in a challenging economy, sharing the stresses of my Federal/State/local work (especially Meaningful Use for several hospitals and 2000 doctors), and supporting the health needs of our parents.

Although the past few years have been stressful, all the events are consistent with our expectation for this stage of life.

One event in the past year was a bit out of the ordinary.  A 19 year old with a very poor driving record (4 points on his license, 1 high speed collision, 1 hit and run etc.) drove down the wrong side of the road around a line of traffic and hit Kathy's car as she was exiting a parking lot.   It was very clear from the position of the impact that it was caused by a driver violating the law.

Kathy filed an insurance claim and provided all the details of the accident.

The 19 year old driver lied about what happened.

Our insurance company decided Kathy was at fault, gave her a point on her driving record, and added a multi-year surcharge to her insurance.

When Kathy pursued the issue, noting that the 19 year old with the poor driving record was lying, the insurance company told her that without a photograph of the accident or an independent witness who was willing to verify the events, they would have to believe the 19 year old because Kathy was exiting a parking lot and that makes her at least 51% responsible.  Despite Kathy's over 30 year good driving record, the insurance company representative literally ended the conversation with the statement "Life isn't fair".

That episode temporarily caused Kathy to lose her faith in humanity and gave her a sense of helplessness in a hostile world.

As with any conflict or issue, for everything there is a process.

Kathy appealed the ruling to the Massachusetts Board of Insurance and wrote an eloquent letter stating the facts.

Today the Board of Insurance ruled she was not at fault, rescinded the point on her license, and demanded that the insurance company refund/rescind the surcharge.  She cried when she opened the letter. The nice guy can still finish first.

This weekend we'll continue our search for local farmland by touring Harvard, Massachusetts with locals recommended by our next door neighbor.  The cancer diagnosis constrains our possibilities but has not dulled our enthusiasm for a long and fulfilling future.

Wednesday, February 1, 2012

Provider Directories and Public Key Infrastructure for HIE

As Massachusetts prepares a Request for Response (RFR)  to procure healthcare information exchange infrastructure and applications,  many stakeholders have been hard at work documenting requirements.

The Provider Directory and Public Key infrastructure are some of the hardest specifications to write since they have not yet been widely deployed for healthcare information exchange anywhere in the country.

The leaders of the Massachusetts HIE effort have held 3 major vendor and user forums over the past month and have been told that no vendor has a standards-based provider directory in production at any customer site.

Here's our best thinking about Provider Directory and Public Key infrastructure services.

Provider Directory
The Directory will have a schema within a relational database that enables lookup of entities, which could include a person (John Halamka),  an organization (BIDMC), a department (The BIDMC Department of Emergency Medicine), a state entity (Massachusetts Department of Public Health),   a payer (Blue Cross Blue Shield of Massachusetts), a vendor (The Massachusetts eHealth Collaborative Quality Data Center), or a PHR infrastructure trusted by the HIE (Microsoft Healthvault).     There will be two ways to query this database - Lightweight Directory Access Protocol (LDAP) for  use within the Massachusetts state government firewall and SOAP-based web service APIs for all users external to the firewall.   The response to a query will include the node name for communication to the entity i.e. John Halamka will not have a node, but the BIDMC Department of Emergency Medicine or BIDMC could.   Digital certificates are not stored in the Provider Directory.

Public Key Infrastructure
Certificates will be issued by a single Certificate Authority and will be stored in one of many Domain Name System (DNS) services capable of supporting certificate queries such as BIND or Microsoft's special implementation of DNS created for the Direct Project (http://directproject.org/).    For example, BIDMC could offer a DNS service called Direct.bidmc.org which hosts the public keys for all our nodes.

Here's how it would be used.  An EHR would look up an entity in the Provider Directory and then use DNS services to retrieve the certificate for the entity's node.
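The two-step lookup above, as an added example (not code from the Massachusetts HIE or the Direct Project). It assumes the "certificate query" is a DNS CERT record in the RFC 4398 wire format; the directory rows, node names, zone contents and function names are constructed, and in-memory dicts stand in for the directory web service and the DNS resolver.

```python
import hashlib
import struct

PKIX = 1  # RFC 4398 certificate type value for an X.509 certificate


class CertLookupError(Exception):
    pass


def cert_rdata(cert_type, key_tag, algorithm, cert):
    """Build CERT RDATA: 2-byte type, 2-byte key tag, 1-byte algorithm, cert."""
    return struct.pack("!HHB", cert_type, key_tag, algorithm) + cert


FAKE_DER = bytes.fromhex("3003020100")  # stand-in DER SEQUENCE, not a real cert

# Constructed directory rows: entity -> node name (None: no node of its own).
DIRECTORY = {
    "Example Hospital": "Direct.Hospital.Example.",
    "Example Hospital Emergency Medicine": "ed.direct.hospital.example",
    "Dr. Pat Example": None,
    "Example Lab": "direct.lab.example",
}

# Constructed zone: node name -> list of CERT RDATA values.
ZONE = {
    "direct.hospital.example": [cert_rdata(PKIX, 0, 0, FAKE_DER)],
    "ed.direct.hospital.example": [
        cert_rdata(3, 0, 0, b"\x99\x01"),   # type 3 (PGP): not usable here
        cert_rdata(PKIX, 0, 0, FAKE_DER),
    ],
    "direct.lab.example": [b"\x00\x01\x00"],  # truncated record
}


def parse_cert_rdata(rdata):
    if len(rdata) <= 5:
        raise CertLookupError("CERT RDATA too short for header plus certificate")
    cert_type, key_tag, algorithm = struct.unpack("!HHB", rdata[:5])
    return cert_type, key_tag, algorithm, rdata[5:]


def certificates_for(entity):
    """Directory lookup, then DNS lookup; returns (node, [SHA-256 fingerprints])."""
    if entity not in DIRECTORY:
        raise CertLookupError("entity not in provider directory")
    node = DIRECTORY[entity]
    if node is None:
        raise CertLookupError("entity has no node to retrieve a certificate for")
    name = node.rstrip(".").lower()  # DNS names compare case-insensitively
    fingerprints = []
    for rdata in ZONE.get(name, []):
        cert_type, _key_tag, _algorithm, der = parse_cert_rdata(rdata)
        if cert_type != PKIX:
            continue  # ignore non-X.509 records
        if der[0] != 0x30:
            raise CertLookupError("PKIX record does not start a DER SEQUENCE")
        fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        raise CertLookupError("no X.509 certificate published for " + name)
    # A real client must still validate each certificate's chain to the single
    # Certificate Authority; a plain DNS answer is not authenticated.
    return name, fingerprints
```
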

We're also considering an alternative approach using the open source tools available in the Direct Project's Reference Implementation.   These tools include administrative tools to store and manage certificates and an adapter that links the directory store to a DNS responder.    Participants could upload their certificates to this centralized data store.  For example:

DNS Responder <--DNS Web Services--> Direct Reference Implementation Web Services <--BIDMC adaptor--> BIDMC datastore

The vendor community has told us that they want a single simple directory and public key infrastructure specification they can implement one time for an entire state.   We'll give that to them and I'll write about their responses in future posts.