Doctors are about handling the unexpected and dealing with the extreme and unfamiliar like lymphedema.
If they will ever bridge this gap, IT and physicians must adopt a common goal and a common language – a language of patient-centric threat analysis.
Why is there a valley of death between IT and physicians?
When a company or business unit needs a new line of business software application, IT staffers will do a system analysis starting with business requirements and then proceed to buy or build an application and deploy it.
Similarly, when the bio-informatics group in a healthcare organization needs a better EHR system, system analysts do requirements analysis, test products, and proceed to buy and deploy a new EHR solution.
Things have changed, in IT and medicine, not necessarily for the better
Web 2.0 SaaS (software as a service) offerings, mobile health apps and private social networks for healthcare delivered as a consumer service, can replace those old structured systems development methodologies.
There are of course, good things about not having to develop a design (like not coming down with an advanced case of analysis paralysis) and iterating quickly to a better product, but there is also a downside of not implementing apps according to a structured systems design methodology. Without a plan and structured methodology, you end up with a patchwork of complex and buggy software with all kinds of glue and bailing wire holding things together.
Complex buggy software is insecure software, software that threatens patient privacy and does little to help physicians make easier and faster decisions and keep their patients healthy.
Then there is lip-service to so called user-centric development methodologies which despite their intrinsic value, are often ignored in the breach by practioners). As important as user-centric is, it is still not a replacement for a serious look at business and end-user patient requirements.
IT is busy talking to vendors and doctors are busy installing iPad apps because they can’t get the answer from IT.
This deepens the fundamental divide, the metaphorical valley of death of mentality and skill sets between IT and medical professionals.
- IT is about executing predictable business processes.
- Medicine is about reducing the impact of unpredictable events
IT’s “best practice” is technology – things like firewall/IPS/DLP. IT is concerned with unconventional threats (for example a combination of trusted contractors exploiting defective software applications, hacktivists or competitors mounting APT attacks behind the lines),
IT management tend to seek a vendor-proposed, one-size-fits-all “solution” instead of performing a first principles threat analysis and discovering that the problem has nothing to do with malware on the network and everything to do with crappy EHR software that kills customers because it doesn’t help the doctor in the front lines.
Patient threat modeling and risk analysis is the antithesis of IT installing a firewall, anti-virus or IPS.
Analyzing the impact of clinical issues requires hard work, hard data collection and hard analysis followed by education and implementation:
Patient risk analysis may yield results that are not career enhancing, and as health issues like lymphedema grow into pandemic proportions, with big and expensive consequences to public health – so the IT security valley of death deepens and gets more untraversable.
There is a joke about systems programmers – they have heard that there are real users out there, actually running applications on their systems – but they know it’s only an urban legend. Like any joke, it has a grain of truth. IT is primarily systems and procedures-oriented instead of patient-health and safety oriented.
Truly – the essence of healthcare is protecting the health of patients who use a healthcare providers products and services.
What is the point of complex and costly EHR systems and losing patients simply because the organization is focused on “big data” instead of helping doctors understand and treat pandemics like lymphedema effectively?
Clearly – the challenge of running a profitable company that values patient health must be shouldered by IT and medical teams alike.
Around this common challenge, I propose that IT and clinical care teams adopt a common goal and a common language – a language of patient-centric threat modelling – threats, vulnerabilities, attacks, entry points, assets and evidence-based-medicine.
This may be the best or even only way for IT and doctors to traverse the valley of death successfully.