News

iPhone Security and Corporate Networks

Some brouhaha has been brewing over how the iPhone addresses encryption with Microsoft Exchange.  (See the article here on InfoWorld.)  According to InfoWorld, iPhones prior to version 3.1 of the OS did not accurately report whether they supported local encryption of data stored on the iPhone.  For some corporate networks, encryption is mandated for devices controlled by the organization that are connected to their Exchange servers.  Apparently, prior to version 3.1 of the OS, the iPhone would report that it was encrypted, regardless of whether it actually was, as a way to ensure that the iPhone would connect to the Exchange server.

This fact apparently has some IT and compliance staff in a tizzy, because they may have introduced a number of these devices over BlackBerrys on the basis that the iPhone would comply with a local encryption policy or organizational requirement.  For example, the Health Insurance Portability and Accountability Act (HIPAA) security regulations, in the technical standards, do address the need for encryption of protected health information (PHI) transmitted over networks.  For some organizations, in order to simplify regulatory compliance, establishing a universal mandate that there be encryption between devices outside of the corporate LAN and sensitive servers in the LAN may be the most sensible approach.  Of course, if we are talking about email, email received and read is generally not encrypted to begin with, whether it is sensitive or not.  That’s because most users of email find it too complicated to digitally sign an email with their own personal certificate and ensure that the receiving party has a way to decrypt the message with the typical certificate exchange approach to email encryption.

Microsoft Exchange does allow for the transfer of other information (like calendars and tasks), but I would seriously doubt many health organizations use the Microsoft calendar to manage patient appointments or would be putting PHI into either of these data types.  Most of the PHI action in health care facilities is within their charting and practice management systems.  Neither usually integrates with or is based on Microsoft Exchange.  So, to establish a blanket policy requiring that remote devices controlled by the organization be encrypted to connect to corporate resources can be a reasonable approach, but the reality is that HIPAA doesn’t automatically mandate that for iPhones.

There should be a documented risk assessment for iPhones that connect to the corporate network which would evaluate the risk of loss of PHI against the cost of mitigating that by encryption (and perhaps other mechanisms like remote wipe).  Encryption should be used if there is a substantial risk of PHI being lost from an iPhone being stolen.  But to establish that, the risk analysis would need to evaluate how often these devices are lost per total phones per year, and how many of the lost phones actually had PHI on them.  My guess is that the likelihood of this would generally be small for most organizations.  The issue, then, is how to make your compliance plan flexible but also enforceable and effective at protecting your PHI.  And that, my friends, is the art of information security!

Linden Labs and Virtual Sex Toys? Huh?

Oh, yeah, there is a lot of kinky virtual sex going on in Second Life.  And to support all of that activity, there are apparently a lot of vendors selling knock-offs of the “real” virtual sex toys of one vendor who is mad enough to sue.  (See Wired Article)

Yes, a few years ago, Linden Labs set up a special “mature” designation for areas in its virtual worlds that were aimed at “adult” conduct, so those under 18 and others with sensitive eyes would not be offended by what they found.  However, probably much like the real world, virtual sex is rampant in Second Life.  As a consequence, there is a heavy trade in sex-related objects.  According to the plaintiff, Eros Products LLC, its SexGen product line has sold about $1 million (that’s U.S. dollars) within Second Life over the past five years.  (A copy of the Complaint is here)

Vicarious and contributory liability for copyright infringement is recognized by the courts as a cause of action under federal law.  This kind of liability has been raised in recent years by the various music file sharing services that came and went, such as Napster (originally a file sharing service without any copyright licensing from the music companies that owned the music being shared), Gnutella, and Limewire.  Each of these services was held to be liable for the file sharing of its users, in part based on the notion of vicarious liability.  Cases prior to Napster et al. addressed this kind of liability along two lines: landlord-tenant cases where the landlord exercised no control over the leased premises, and dance-hall cases where the operator of the hall controlled the premises and obtained a direct financial benefit from the infringing performances.  Fonovisa, Inc. v. Cherry Auction, Inc., 76 F.3d 259 (9th Cir. 1996).  Under common law, landlords have not been held to have copyright liability where dance-hall operators have.

In Fonovisa, the defendant operated a “swap meet” where the operator rented stalls to individuals who were selling unlicensed copies of bootlegged music owned by the plaintiff.    For the swap meet operator to be liable, the plaintiff had to prove that the operator controlled the marketplace and obtained a direct financial benefit from the sales of infringing works.  The Court sided with the plaintiff in this case, even though Cherry Auction did not receive a commission from the sales of the infringing materials.

Assuming that Eros Products LLC (and other plaintiffs that may join the suit should the court certify this as a class action) can prove that they are the valid owner of the copyrighted works, the question for the court is whether Linden Labs can meet the standard for contributory liability.  Linden Labs is a virtual landlord in the sense that users of Second Life pay an annual subscription in order to “own” virtual real estate within the virtual world.  The right to own this virtual property is limited by payment of the subscription.  You will note, however, that there are plenty of users that do not acquire any virtual real estate in Second Life – and for them, there is no fee to participate.

However, Linden Labs also charges fees for the conversion of Linden Dollars into U.S. Dollars through the Linden Exchange.  For infringers seeking to sell pirated works in the virtual world, the real benefit to them is the ability to take the proceeds of those sales and convert them back into hard currency for use in the real world.  Approximately 250 Linden Dollars are worth a U.S. Dollar (the trading in this currency fluctuates).  In order to convert Linden Dollars back to U.S. Dollars, Linden Labs charges a fee of 3.5% of the value of the transaction.  So, indirectly, Linden Labs benefits from the sale of infringing goods every time that the infringer converts his Linden Dollar proceeds to hard currency.

There is a question, however, of whether Linden Labs is merely a landlord who relinquished control to his infringing tenant.  Eros Products LLC claims that Linden Labs did exercise control over the activities of its users because all of the virtual worlds within Second Life are ultimately housed on servers controlled by Linden Labs.  Pl.’s Complaint at ¶ 127-128.  And furthermore, Linden Labs has ultimate control over its software that operates Second Life, and I suppose that Linden Labs could alter its software to prevent copyright infringement if it wished to do so (how, exactly, is another story).  Factually, however, I think this is going to be tough to prove.  Unlike Grokster, who marketed itself as the successor to Napster for those looking to willfully infringe on the copyrights of others, Linden Labs has not marketed itself as a safe haven for willful copyright infringers.  On the contrary, Linden Labs gave some thought to copyright in its license agreement, granting its users rights in the works they create in-world.  (See Terms of Service here at section 3.2)

The other question is whether Linden Labs, in light of the DMCA, fits within the safe harbor established for internet service providers, shielding it from liability for the infringing acts of its users.  More on that in another post.  Stay tuned!

IT Changing the Law Profession?

There are an incredible number of lawyers in the United States today – estimated at more than 1 million and growing, based on the number of students enrolling in law schools across the country. Technology is changing how we do law.

The number of lawyers providing legal services has pushed lawyers to become specialists so that individual attorneys can differentiate themselves within the legal services market.  The ABA, which claims a membership in excess of 400,000 members, is probably the largest association of attorneys in the U.S.  There are about 35 different sections of law that an attorney could join, with several subsections and numerous committees within each section of law – all representing a specialty area of knowledge.

As a result of its size, the ABA has a global reach and has an impact on legislation at the state and federal level.  The ABA also presents opportunities for attorneys to meet and work with other attorneys, and to learn about a legal issue or area from an expert in the field.  These learning and working opportunities have been expanded by technology.  For example, ABA’s web site contains a substantial amount of knowledge and information for attorneys.  ABA committees regularly meet by phone to plan for events and activities.  In fact, last year I attended a conference in Second Life on the use of virtual worlds by attorneys and professionals.

Legal research and management has also been changed by the advent of Westlaw and Lexis, giving attorneys access to an unprecedented amount of information (if you can afford the costs for searching their databases) without the need to travel to a library or to purchase a private library.  And Google, blogs, twitter, youtube, facebook, and linkedin have all added another layer of interaction and knowledge sharing.  The question for attorneys is whether there is more to come.

Specialization inherently requires specialized knowledge that is generally unique or rare in the market, allowing the owner of that knowledge to exploit it.  The general knowledge of an attorney of the legal system in general is not very rare – most attorneys have the same or similar working knowledge of the courts, research tools, and document formatting as a result of the standardization of law school curricula across the country.  While there is some degree of differentiation between attorneys in terms of skill in these basic knowledge areas, the difference between attorneys here is not enough to impact the market for legal services substantially.

However, there are relatively few experts in equestrian law, for example.  Within the MSBA solo listserv, I can think of only one attorney in Maryland that specializes in this area.  So, if you have an issue with a horse, that’s the attorney to call.  There are relatively few attorneys that specialize in non-profits.  And there is a long list of specialists in other areas.  Statutes sometimes create specialists.  For example, when the Copyright Act was revised in 1976, there were initially few experts on the revised Act.  As time has progressed, more attorneys have entered the field of copyright law so that now there are a fair number of attorneys that can help you register a copyrighted work or litigate an infringement claim.

This move towards specialization within the market also tends to lead towards competition, which pushes down the value of legal services in a particular area as there are more market entrants in the area of specialty.  So, the value of registering a copyright at the Copyright Office, beyond the fee charged by the Office for the registration, is not very high.  Plenty of attorneys can help a client fill out the form and attach the appropriate number of examples of the work and mail it to the Copyright Office.

This trend led one author, Richard Susskind, to write The End of Lawyers? Rethinking the Nature of Legal Services.  The book discusses the tendency for legal work to go from “bespoke” or a highly specialized experience for each client (like trial litigation) to commodity (such as tax compliance software developed by Anderson & Cooper and now marketed by Deloitte Touche) with time as the result of developments in information technology.  Richard Granat, a Maryland attorney who works from Florida, has developed “Direct Law,” which is an automated document assembly system for attorneys and is available on a subscription basis.  This system utilizes specialized knowledge in order to automate legal service delivery by establishing business rules that are defined by a specialist attorney and writing those rules into the application that is used to assemble the documents.

There will be more of this sort of thing over time, which will expand the supply of attorneys that can deliver more specialized legal services.  Increasing supply inevitably leads to a lowering of the cost per transaction to clients, while still maintaining a minimum level of quality as the information system consistently enforces the applicable business rules.  In turn, this pushes more attorneys to find a new specialized area, creating another market for automation.  Maybe Ray Kurzweil is right – in the future, we will all be small business owners that employ automated systems to generate revenue.  I suspect that some attorneys fear this future will make them unemployed.  What do you think?

Banished? Who Knew Facebook Was Sovereign?

Facebook has threatened to “banish” users that buy friends on the popular social media web site, according to Yahoo.  The Australian company offering to sell you friends or fans, uSocial, is actually offering for sale what you otherwise just have to buy from Facebook directly through advertising.  Facebook has claimed that the method that uSocial is using, logging into other user accounts to make them a fan or friend of the business that paid it, violates Facebook’s terms of service.  But, my bet is more that Facebook just doesn’t appreciate the competition with its own ad service.  Besides, who made Facebook king anyway?  Oh yeah – its 200 million users.  Uh oh.

Snow Leopard (OS X 10.6)

Apple released Snow Leopard this past Friday, August 28, to the general public.  Version 10.6 of their operating system has been billed as primarily a “behind the scenes” improvement in OS X, building on the technology that runs Apple’s computers and smartphones today.  (See Wired Article)  I decided I would go ahead and install 10.6 on my first generation Intel Macbook and also on my Macbook Air.

So far, so good.  I use Parallels to operate a virtual Windows XP machine.  Parallels 3 is not compatible with OS X 10.6.  I therefore upgraded to version 4 of Parallels, and my virtual machine works again.  I did run into some problems getting the upgrade to run (my VM was left in a paused state before the upgrade, and I could not open it in Snow Leopard to stop it; there is a workaround available for this on Parallels’ web site if you search for it in help).  And, sadly, my venerable Lexmark Z715 lacks drivers in 10.6, and none are available (or planned by Lexmark).  But my Z1420 does work just fine, so I can still print to my heart’s content at the office.  Perhaps I will finally break down and get a new printer for the home office.

Other than the few incompatible items listed above, the OS X install was itself rather smooth and did result in saving me between 7 and 10 gigabytes of hard drive space.  In addition, because a number of the processes that run in 10.6 are 64-bit, they run considerably quicker than the prior versions of these items.  64-bit programs take advantage of being able to send instructions that are twice as large as older software to the central processor.  Safari opens more quickly and is more responsive than pre-upgrade, and other software like Mail, iPhoto, and iTunes all are much more efficient, as is Finder.

I am still using Microsoft Word 2004, and unfortunately, Word does not get noticeably quicker under Snow Leopard.  It appears that this version of Office is running as “Power PC” rather than a native 64-bit application, but then it was slow in 10.5 as well.  The Office suite has always run faster on Windows.  Personally, I think Microsoft is just trying to tell us all that we should use their products on Windows.  Perhaps the next major release of this package will be an improvement.

Others have written about the new features and what went where in 10.6.  (See Wired; Leopard Tricks Tips and Tools)   Overall, I think 10.6 is a nice upgrade and worth the $30 for a license.  Compared to other, more disastrous upgrades from our friends at Microsoft, most will not have an issue going from 10.5 to 10.6.  Good luck.

Update September 9

I am still running Snow Leopard on my Macbook and Macbook Air.  I have run into compatibility issues with Quickbooks for Mac 2009 – the program mostly works except it crashes when I attempt to record deposits.  I understand from Intuit’s web site that they are working on a patch for compatibility issues with their product.

I have also noticed that periodically Mail gets upset and downloads a duplicate copy of a message in my Gmail account.  Closing and re-opening the application seems to solve this issue, even though I have no idea why it does that.

Because my Lexmark Z715 no longer works with OS X 10.6, I tried my other handy printer – an HP J3680 all in one printer.  The HP web site claims that the drivers for the J3600 series printers were included with the 10.6 upgrade, but when you check this claim against the Apple support web site, the J3600 series is notably missing from the compatible list.  So when I try to add this printer to my MBA, OS X tries to connect me to Apple to get a mysterious update that will provide the driver.  Needless to say, no update is forthcoming.  Perhaps HP will fix their driver for this printer series, which would save me the trouble of buying a new printer for home.

In spite of these issues, I still think the upgrade was a reasonable one.  Compared to other upgrades, the inconvenience has been generally small, and besides, the problems seem to be tied to some of the big vendors for software and hardware that ought to be more on the ball.  Isn’t that what the Microsoft people always say when stuff stops working after an upgrade?

Update September 15

Intuit released and re-released a patch which has addressed the issues I had with Quickbooks 2009 on OS X 10.6, so all is now well with that program.

In addition, I noticed last night that I was able to connect to the HP J3680 at home, though I am not able to use this printer through my older airport express.  It works just fine, however, shared through my other Macbook, and I am also now able to scan pdf files to the Macbook from this printer.

The upgrade has gone relatively smoothly, all things considered, and now that I can print again at home, I am gearing up to destroy a forest!

Google: The New Public Library?

I suspect a fair number of people are really struggling with the proposed settlement between Google and the Authors Guild over the wholesale scanning of more than 10 million copyrighted works.  At the heart of the settlement is a compromise that would allow authors to financially benefit from the sale of their works as a result of the Google index.  This would in turn allow Google to provide an index to these works that would be searchable using the Google search engine.

The original thesis that permitted, according to Google, an “opt out” system for scanning and indexing these books was that Google’s use was a “fair use” as that phrase is defined within U.S. copyright law.  See 15 U.S.C. § 107.  Libraries, for example, acquire and make paper books available to the general reading public for loan.  Academics and journalists are specifically identified as “fair users” of the copyrighted works of others within the statute; these kinds of uses are recognized by federal law as having general utility that should be encouraged, in spite of the monopoly otherwise enjoyed by authors of works.  Google probably does not fit within any of the specifically mentioned groups.  Google is a very large, international, for-profit company that provides web search and related web services to internet users.

And, as has been spelled out in a number of federal cases on fair use, exploiting the works of another protected by copyright for profit and without paying the “customary fee” to the author almost always spells “not fair use.”  In this case, Google has reproduced wholesale into digital form the works of others without paying them any compensation.  Google’s activities are presumably part of its mission as a for profit entity.  One would anticipate that Google would be able to expand its AdWords presence to searches that turn up digital copies of the works that it scanned, and that Google could therefore gain a profit from these ads, without necessarily compensating the owner of the work whose content helped Google in getting its ad revenue.  Not fair use if we are all reading the same statute.

Nor is the phrase “opt out” found anywhere in the statute on fair use.  A copyright owner is not required to “opt out” of an infringer’s database in order to protect or reserve his rights in restricting how the work is reproduced or duplicated.  Implementing such an opt out system does not necessarily make the subsequent use a “fair use” under the Copyright Act.  For Google, I’m presuming that they would have argued that there were other overriding policy objectives that supported their project of scanning and indexing all of these books and placing them into the hands of internet searchers.  Perhaps chief among these is that Google was simply creating version 2.0 of the local public library, bringing more content to the more than one billion internet users that might be looking for an otherwise unretrievable work.  We actually pay (through taxes, at least for public libraries) for the use that our brick and mortar libraries make of copyrighted works; why not tolerate a better library that its users by and large do not pay for (except by tolerating the ads that appear unctuously alongside search results)?

From a technical perspective, Google is absolutely right about its search engine as compared to the typical card catalog at the local library.  Google wins hands down.  When you consider that the majority of these books are out of print and hard to come by (about 3-4 million books are in print at any one time in the world), the settlement proposed would put back into “print” of a sort a whole lot of books that are otherwise hard to find unless you go to some “old school” library and use their card catalog.  Google’s index, however, improves on the library card catalog, because card catalogs are generally useful only if you are already aware of the work, or the work happens to be cross-indexed in a meaningful way in relation to how you are searching the catalog.  Most catalogs in libraries are not full text indexes of the individual works in the library, so a Google index would represent a huge leap forward for finding material online.

However, the legal argument (to the extent one has been made – Google entered into settlement negotiations promptly with the plaintiff such that Google has not had to file much in response to the Complaint) appears a little wanting.  Financially, most authors will probably be satisfied with the relatively small settlement amount per book, and the potential share of revenue for actual book sales through the Google service.  But the problem with the settlement for some is that they can get a better financial deal than Google is going to offer them.  Hopefully these authors will simply opt out of it to allow those authors that want to participate the option to do so.  But I think there is trouble ahead for this group of authors in the longer term as a consequence of what Google has been doing with its indexing.

This project poses a larger question that is aimed at the fundamental structure of what the Copyright Act protects in intellectual property: how authors can actually get paid for writing works in light of the free availability of huge amounts of information on the internet.  In years past, it was much easier to control access to information published in books, which provided a way to get paid via book sales.  I’m sure more popular books were plagiarized and reproduced without authorization of the publisher, but mass reproductions of a popular book would generally cost real money, which would limit the number of persons willing to engage in such wholesale theft.  Generally, in a paper world, authors had a way to generate revenue from book sales and royalties that was protected by the Copyright Act.

The internet has altered the level of accessibility to information.  Post 9/11, many U.S. government agencies and larger private companies began slimming down the amount of information available online (I guess posting our nuclear launch codes on the interweb was not so smart!) that was posted as part of transparent governance and the culture of openness encouraged by the internet.  However, in spite of a more security-conscious culture, the overall internet’s content continues to grow.  The information available in the written works of the world’s authors, especially highly searchable content from these works, would add substantially to the value and utility of the internet.  But can authors make a living if the information in their works is free?  Will authors continue to write works as a “hobby” and will this reduce the extent and value of works written in the future?  Can new works be written that are supported by advertising (e.g., Google Adwords on blogs)?

The “free” value of things available on the internet is challenging many of us to make a living in a new way.  And I think as a result, authors may need to seriously reconsider how they will survive as well.  To a certain extent, those that sit down to write a book must have (or develop through writing) some expertise in the subject matter for the book to have utility (not always true, but more often than not there is a correlation between authorship and subject matter expertise).  Our economy is benefitted by the high availability of specialists and experts that can help us beyond what we might self-educate ourselves about via internet research.  So there is value to the economy as a whole to the extent that authorship encourages the development of expertise.

The works created through this process also have intrinsic value to the economy to the extent that they are available for public consumption.  I certainly learned a fair amount about virtualization, for example, by reading white papers and other freely available articles online.  However, in spite of my self-education online, I would not have been comfortable implementing virtualization in a production environment without help.  Our project was benefitted greatly by the wisdom and experience of a technology professional that implemented these systems on a regular basis.  Perhaps this is how authors can make a living – by reselling their expertise in their field to more educated internet users that found the author through a Google book search.  But for those of you counting on royalty payments to make a living until 70 years after your death, I think Google is going to put you out on the street looking for a job!

Here are some links to several CNET stories that discuss the details of the proposed Google settlement.

CNET Story

CNET Story 2

CNET Story 3

Health Policy & U.S. Healthcare

I usually do not write about health policy in the U.S. because it is somewhat outside of my area of expertise, but I have been thinking about the issues with health care reform this year and thought I would provide some analysis.  Watching the news, there seems to be a lot of resistance to health care reform this year.  The cost for reform is one of the big stumbling blocks – given the actual price tag to the country that was floated by the various agencies charged with analyzing such things.  However, if you think about it, our current, unreformed system of health care results in the insured paying for more than their own care.

For one, let’s talk about the uninsured.  There are approximately 50 million Americans that lack health coverage today in the U.S.  This does not mean that these people do not get any health care.  To the contrary, well over 10 million Americans get health care from Federally Qualified Health Centers (FQHCs), a significant proportion of which are people without health insurance.  In addition, there are a substantial number of other health care entities that provide health care to the uninsured at low or no cost, but are not yet federally qualified to do so.  FQHCs are funded by the federal government today, at a cost of about $2 billion.  We taxpayers pay for this.  We are subsidizing this care today.  Other entities that provide free or subsidized care do so through private grants, which some of us subsidize today through charitable donations, the United Way, or so forth.

Second, some have been claiming that health reform in the U.S. will just lead to a lot of people waiting around to get health care.  At least in Maryland, by law, emergency rooms are required to treat whoever shows up in them, whether the patient is having a cardiac arrest or just has the flu.  (See Md. Health-General Code Ann. 19-3a-02(b)(2)(vi) for freestanding emergency centers).  Because of this, there are a fair number of patients that present to the ER who are uninsured.  As an aside, economically speaking, emergency rooms tend to be loss leaders for the inpatient facilities to which they are attached.  What this means is that the ER’s costs are not fully borne by the ER revenue stream from patients and insurers; much of the cost is actually covered by the patients that the ER can admit to the main hospital after initial workup and treatment by the ER physician.  However, that also means that uninsured patients who present to the ER for a non-emergency health condition pass costs along to the main hospital which must be covered by inpatient operations, and by extension to those of us that are insured and go to that hospital.

For example, an uninsured patient that presents with the flu at the ER is treated and sent home.  They may pay little or nothing for the visit, but the visit actually costs $800.  The hospital covers this cost by charging a bit more for every patient who is actually admitted on a per day basis (or other costs that are charged in units).  Some admitted patients won’t be able to pay either, so those that can also end up paying a bit more to cover uninsured admitted patients and uninsured ER-only patients.  So if you have private insurance today, your rates are set in part based on the actual costs of providing health care to uninsured patients who can’t afford to pay on their own, because the hospital has to pass the costs of treating these patients to someone who can pay the hospital.

If health reform meant that everyone would now go to their local ER, regardless of what the condition or illness was, this would be a bad idea.  Any time that I have been to an emergency room, there is a queue; the waiting room is always full no matter the time or the season.  However, if health reform actually could redirect patients that do not have emergency health issues to an alternate resource that they could actually afford and would see them, this would help improve an existing “wait problem” for care today, while simultaneously reducing the actual costs borne by hospitals for non-emergent ER visits (which should mean that we can pay less per visit to the inpatient section of the hospital).

And speaking of waiting around – the truth is that even insured people tend to wait for health resources to be available under the current U.S. system of care delivery.  Many doctors have 3-6 week lead times for scheduling in advance, their schedules are crowded with overbooks and double books, they often run late because of inefficiencies with the schedule and with administrative tasks; in short, competent physicians usually have too much demand for their services.  This causes queuing.  Health reform may not really be able to address this problem head on.  Part of it is a technology issue; a more sophisticated scheduling algorithm could probably be developed that would help to improve scheduling patients for care delivery, and allow for overflow to other providers, etc.  But part of the problem is insufficient health care delivery points on the map.  We apparently need more physicians to treat us.

Third, there are a fair number of U.S. personal bankruptcies each year (granting that the rates have been higher than normal this year because of the recession).  Lack of insurance and a large, unpaid medical bill are a primary cause of personal bankruptcies.  On the surface, if you haven’t filed bankruptcy yourself you might think that this has no effect on you.  But bankruptcy is a bad thing generally.  For one thing, the person who files for protection and has a $100,000 medical bill they have no hope of paying is injured because the cost to them for credit post-bankruptcy is considerably higher than pre-bankruptcy.  In addition, a bankruptcy will limit the person’s job opportunities, will probably prevent them from gaining security clearance for sensitive jobs in the government, and otherwise limits their economic productivity within the U.S. economy, all of which is bad for the economy and for all of us.

But, in addition, that bankrupt’s medical bills are very unlikely to be paid through the bankruptcy proceeding.  The hospital is likely an unsecured creditor, and they are at the end of the line with their hand out to the bankruptcy trustee.  That “bad debt” is a cost to the medical provider, who will pass it along to patients in the future that will pay for medical care in the form of slightly higher unit costs.

The more bankruptcy filings, the more unsecured creditors that aren’t made whole who are health care providers, the higher the costs of care for everybody else.  So again, we taxpayers are by and large the same people who actually end up paying the medical bills of the bankrupt, either out of our own pockets when we go to the hospital, or through higher health insurance premiums that our employers pass on to us each year, or through our taxes (think Medicaid and Medicare, both of which pay for inpatient stays, both of which are paid for by taxes, and both of which are billed at increasing rates by hospitals, in part to cover overall costs of providing care to patients without insurance who lead to bad debt for the hospital).

Fourth, there was this whole “death panels” claim about health reform, whereby the government was going to establish panels that would deny care to the elderly because they were too expensive.  Of course, this is silly.  If we were going to have such things, we would have a better name for them (maybe, “end of life decision making committee” or better yet “pull the plug on granny committee”, or something else that would be more catchy and might be more alliterative).  But, really, this is tied into the idea that the government, through health reform, would stop a person’s doctor from treating the patient appropriately, perhaps because of cost, or just because the government bureaucrat was a nasty person.  The whole matter is rather bizarre.

But, it also doesn’t speak to what goes on today.  For example, there are committees that determine the priority and qualifications for patients to receive replacement organs because there is a long line and a short supply of organs available.  Plenty of patients die each year for lack of an available replacement organ that was needed.  (See this article for 2008 statistics on this issue)  I don’t know that we call the committees “death panels,” but it is a classic example of a pre-existing queue that results in health care rationing.

Health insurance companies also make decisions about what they will pay for and what they will not.  As far as I know, health insurers don’t decide to pull the plug on the elderly per se, but health plans do make choices for their insured patients about what services the patients will pay for out of pocket (or not receive at all if too expensive for the patient), what drugs are on and off the formulary (you may have to take the generic version of a pill, even if you’d rather take the brand name, for example), along with a host of other choices made ultimately to reduce overall costs to the plan.  In our market system, I suppose you can change plans if you choose to, but because your health plan is often tied to your employer, that would usually mean changing jobs – which is not a very practical way to change your health plan.

So, this whole “death panels” thing is really about trying to “ration” care to patients so that more people get the basics, most likely at the expense of others that can pay for optional services.  I’m sure that isn’t very palatable to patients with the means to pay for their thirteenth tummy tuck, but this is also, more or less, the status quo.  Health care is rationed today by our insurers for most Americans.  If health reform led to a more rational way to provide basic health care to more Americans, it would be the right thing.

And here is the other side to this: let’s say that we did institute a governmental body that would “ration” care.  Such an entity is governed directly by the U.S. constitution and federal law.  Do you really think that such a group would implement the “no life support for patients over 75” rule?  Really?

To summarize, the U.S. spends about 16% of GDP on health care, which is substantially more than most other places in the world.  Approximately $2.4 trillion (that is trillion with a “t”) is spent each year on this, or the total economic output of Italy.  And ultimately, this money comes out of the pockets of those who can actually afford to pay for health care.  By design, that means that those who can’t afford health care are being subsidized today by those that can.  The challenge for health reform is to do a better job at cost redistribution than our present system, either by spreading out costs over a much larger pool (such as all 300 million Americans, rather than over the much smaller pools of employer-sponsored health plans today), increasing efficient delivery of health care (through technology that saves time or increases accuracy and reduces risk of harm), and/or perhaps encouraging more supply of health care  providers to help meet the existing demand for services.

We’ll see what happens.  Stay tuned for developments.

Lessons From IT Management: Introduction

For the last ten years, I worked for a health center that serves several underserved populations: the gay and lesbian community, HIV positive patients, and patients that lack sufficient health care.  Over that time, we have built a complex and extensive information system to help support the mission of the organization.

This series is about how technology can be integrated into the delivery of health care, and the problems that come up along the way in getting the technology to work.  I suspect that technology causes suffering for some in spite of our best efforts to the contrary.  But our purpose in implementing technology is to reduce suffering by passing repetitive tasks to the computer while increasing the amount of time available to people to do what they are good at (like doctoring, lawyering, and so on).  Within healthcare, automation can also reduce patient suffering by reducing errors (for example, by ensuring accurate prescriptions, or reducing the number of times the same data must be entered into systems that support patient care), which should improve the quality of care that patients receive from their physicians.  When used properly, technology should also bring relevant knowledge to the user as they are doing their job (by making negative drug interactions known to a prescriber, for example).

But technology can cause trouble for users that were perfectly happy with their paper documents. The transition to an electronic system from paper can be tricky; moving from one computer system to a newer one can also pose real challenges.  This series is meant to help technologists and users out there in the world to avoid some of the common pitfalls with technology as both start full steam in implementing health IT to take advantage of the incentives in the ARRA.

This series is also about the place where the rubber of our lofty humanitarian and economic goals meets the road of personality disorders, unreasonable expectations, and inefficiency – which is to say the path to get a computer system working for the people that will ultimately use it.  For the technologist, I do not think you can avoid the road (there are not yet helicopters in the arena of health IT implementation – though one day there may be), but you may at least find some solace in the fact that you are not the only one to have traveled this path.  For end users that might happen to read this book, you might perhaps recognize a peer or yourself in this book and gain some insight into why your IT staff always seem to be grumpy.

While others have contributed to the subject matter, any mistakes in this series remain solely those of the author.   Please feel free to contribute by making comments on the blog.  And good luck to those of you implementing technology.

Lessons from IT Mgmt Chapter 1: Information Insecurity

To improve the security of our network, we decided to close port 3389 and no longer publish a Windows terminal server to the internet.  In order to continue to support remote access to our network, we implemented a secure socket layer (SSL) virtual private network (VPN) device that allows users outside of the corporate network to create a secure tunnel into the network.  As implemented, end users were required to use a particular operating system, and to follow relatively simple instructions to install a small program that would initiate the tunnel from the home user’s workstation to the corporate network.  Authentication relies on the existing Active Directory accounts so that users didn’t need another login.  The appliance also allowed us control over which accounts could have remote access, so we could limit the known trouble accounts, such as guest and administrator, from having access to the protected network.
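As a check on the two controls just described, the following added example (not from the original post or from any appliance vendor) tests an ordered edge rule set for a published port 3389 and screens a VPN allow list for the built-in guest and administrator accounts by SID, since the relative ID at the end of the SID survives a rename. The rule format, account names, SIDs and addresses are constructed for illustration.

```python
import ipaddress

RDP_PORT = 3389
# Well-known relative IDs (RIDs) of built-in accounts. The RID is the last
# component of the SID and does not change when the account is renamed.
BUILTIN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}


def port_in_spec(port, spec):
    """True if port is covered by a spec such as '443', '3000-4000' or 'any'."""
    if spec == "any":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def first_match(rules, src_ip, dport):
    """Return the first rule matching an inbound TCP packet, or None (implicit deny)."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if src in ipaddress.ip_network(rule["src"]) and port_in_spec(dport, rule["dport"]):
            return rule
    return None


def rdp_published(rules, probe_ip):
    """Name of the rule that lets probe_ip reach TCP 3389, else None."""
    rule = first_match(rules, probe_ip, RDP_PORT)
    return rule["name"] if rule and rule["action"] == "allow" else None


def risky_vpn_accounts(allow_list):
    """Flag allow-list entries whose SID ends in a built-in RID."""
    findings = []
    for entry in allow_list:
        rid = int(entry["sid"].rsplit("-", 1)[1])
        if rid in BUILTIN_RIDS:
            findings.append((entry["name"], BUILTIN_RIDS[rid]))
    return findings


# Constructed sample data (hypothetical rule format and accounts).
EXTERNAL_PROBE = "203.0.113.10"  # documentation address standing in for an internet host
RULES_BEFORE = [
    {"name": "publish-ts", "src": "0.0.0.0/0", "dport": "3389", "action": "allow"},
    {"name": "ssl-vpn", "src": "0.0.0.0/0", "dport": "443", "action": "allow"},
]
RULES_AFTER = [
    {"name": "ssl-vpn", "src": "0.0.0.0/0", "dport": "443", "action": "allow"},
    {"name": "mgmt-range", "src": "10.0.0.0/8", "dport": "3000-4000", "action": "allow"},
]
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID
VPN_ALLOW_LIST = [
    {"name": "jsmith", "sid": DOMAIN + "-1104"},
    {"name": "itadmin", "sid": DOMAIN + "-500"},   # Administrator under a new name
    {"name": "visitor", "sid": DOMAIN + "-501"},   # Guest under a new name
]

if __name__ == "__main__":
    print("before:", rdp_published(RULES_BEFORE, EXTERNAL_PROBE))
    print("after: ", rdp_published(RULES_AFTER, EXTERNAL_PROBE))
    print("accounts to remove:", risky_vpn_accounts(VPN_ALLOW_LIST))
```

The probe models only first-match evaluation for one source address; a port range such as `3000-4000` still covers 3389 for any source that the rule admits.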

By corporate policy, remote access was originally designed for clinicians to be able to access patient medical records while the clinician was on call.  Over time, end users have been able to use remote access to work in the comfort of their homes, whether on call or not.  However, in no case has the corporation required that end users be able to work remotely as a matter of course, except for a few traveling staff that work during the day at a third party facility.

Nonetheless, users had gotten into their heads that working from home was a right, not a privilege.  And with that right flows the obligation on the part of IT to support the home user’s network configuration.  The change, therefore, by IT to the method of access to the remote network was unwelcome by some and was met with resistance, even if the new method was in fact more secure, recommended by our outside information security consultant, and addressed a major security vulnerability within our network.

There were really two important lessons from this experience.  First, proactive communication and involvement of the user community in implementing changes to remote access is an important element to the implementation plan.  I suspect some would still have grumbled at the change, but we may have headed off some of the complaints simply by better explaining why the change was being made.  Second, remote access had grown organically over time such that a lot of people were using it on a wide variety of home computers and home networks.  Many of the staff were not particularly competent at using their home firewalls, routers, or other network devices if the users needed to make changes to these devices to access the corporate network.  We also underestimated how diverse the required configuration could be, and how much of it could be needed, in order for the SSL VPN device to be able to connect to our network and establish the tunnel for secure communications.

We also discovered that the device was not particularly compatible with OSX (there was a guest kiosk function that would work within OSX, but the screen resolution and performance were poor and effectively unusable for most staff that had to be in for longer periods of time).  We had not realized at the time how many staff were actually using Macs at home, so this also caught us off guard.  Of course, Parallels and VMware both offer virtualized Windows XP desktops (with which the appliance was compatible), but users still complained that they had to implement this in order to access the network.

Inherently, there is tension between user access and security, and it is up to IT management to determine how much pain to inflict upon the users to protect network assets.  Not everyone will be happy with the balance.  In this case, I still think we made the right call, but we didn’t implement according to a complete plan.  Next time will no doubt be better.

Reducing Health Care Inefficiencies

Can Health IT save us from ourselves?  See the Yahoo Article on another assessment of health care spending in the U.S. and how much money is wasted in service delivery costs.  According to this article, about 1/2 of the spending of the U.S. on health care is wasted in inefficient use of resources.  Now, if you read the article, you will note that the top 8 items on their list only add up to about $600 billion, where the claim is that $1.2 trillion is lost (and you would think that a bunch of accountants could add, so maybe the journalists misread the fine print on the analysis), but even if you accept that much as the cost of inefficiency, that is more than it costs for the Medicare program in the U.S.

One of the big items on the list is inefficiencies with insurers who “magically deny” claims or otherwise require far too much in order for a provider to get paid appropriately.  I find it interesting that this remains on the list of problems.  In 1996, HIPAA was originally passed by Congress.  Part of HIPAA was to mandate that, through regulation, standards be developed for the electronic transfer of information between insurers and providers of health care, including claims.  The regulations eventually required that all or substantially all providers be able to submit claims electronically, which, one would expect, would be more efficient than the manual processing of paper claim forms.

So, if the auditors suggest that we still are wasting $200 billion per year on inefficient data exchanges with insurers, perhaps this deserves more focus.

Getting paid by insurers happens at the end of the process of service delivery to patients by providers.  At the beginning, patients present to the doctor’s office with a problem, see a Medical Assistant or Nurse for preliminary weights and measures (like blood pressure and weight, etc.), see the physician, CRNP or physician’s assistant, who may then refer the patient to another provider, write a prescription, make other suggestions to the patient, require that the patient get lab work to rule out certain causes, and so on.  At the conclusion of the visit, the physician will document, diagnose, and generate a financial transaction that must be processed and submitted to an insurer for payment.

The patient then will see other providers, the lab, the pharmacy, and perhaps come back for a follow-up visit with the physician.  All of the steps in the process involve data transfer between several information systems, often housed in several different facilities, with different standards and different purposes.  A key for a physician to get paid at all is to have accurate insurance information about the patient.  Surprisingly, patients are not necessarily the best source of this information.  However, insurers are apparently no better at knowing this on average.  Otherwise, it would follow that we would already have regional databases or a national database of eligibility data available for all providers.  I assert this because the standards for eligibility data have been around for a fair amount of time in the form of the ANSI X12 standard, but still there is a fair amount of lost dollars in the claims processing area of health care.

Perhaps this is so because providers want to get paid but insurers don’t have a good reason to pay them.  Insurers do benefit from holding onto capital to accrue interest on it.  The longer an insurer can do this, the more interest on the investment they collect, which goes straight to their bottom line.  ARRA’s incentive system requires that physicians meaningfully use health IT and participate in some form of a health information exchange.  But there is no comparable set of incentives for insurers to participate in HIEs, or to incentivize providers.

For example, this could be achieved by insurers preferring providers with health IT in place compared to those that don’t.  Another example would be for insurers to pay incentives to providers for a higher degree of clinical outcomes (only possible if the providers can produce useful and independently verifiable data such as lab information, which is really only possible through the use of an HIE).  The market may figure this out on its own, but I honestly doubt it.  Perhaps the feds will pick up on this market failure and intervene to start improving efficiencies in this area in either health reform now or in ARRA part II in the next several years.