7.04.2010
Distributed Presence
Two hundred years ago, if I walked across the town square to greet a visitor to our town, this would constitute a local social interaction. If I call someone on the phone or speak to a large group at a conference—these are still social interactions, the former at a distance and the latter distributed among many recipients. If the speech at the conference is delivered in a prerecorded manner or with a non–interactive live feed, the social aspect is lost. Historically, social interactivity has been sensitive to the nuances of simultaneous (synchronic) presence.
Technologies, and the world wide web specifically, have challenged this historical sensitivity by facilitating both asynchronous and presence–by–proxy social interactions. An avatar is a socially acceptable representation of presence (proxy) characterized as permission–based attention and willingness for interactions.
Somewhat of a circuitous path to the question: what is social media? At one level, social media is any media that is socially produced. From a business perspective, this is user–generated content (UGC), generated by individuals, collectives of individuals (e.g., corporations, organizations), or their representational agents—avatars, or user–generated presences (UGPs).
Social media, or UGC, is seen in two broad venues: open access (to all, in–the–wild), permission–based access (walled–garden, e.g., Facebook, Twitter, a corporation's blog or wiki).
Content, Presence, Permission, and Venue
| | in–the–wild | walled–garden |
|---|---|---|
| UGC | ? | ? |
| UGP | ? | ? |
The table above is a marked simplification of the problem with social media. There are four variables: content, presence, permission, and venue. The simple 3×3 matrix assumes static content, representational presence, and permission set—allowing for a variance in venue alone. Collectively this might be termed a distributed presence that is socially consumable. Contrast this with the town square of two hundred years ago—where we had to contend only with local presence.
Social media perhaps is a misnomer, because it's not about the media per se, but rather the relationship (actual or putative) that drives the participatory nature. The relationship is with customers, clients, recruits, partners, lovers, etc. The media is actually an inducement, maintenance, or termination of relationship. The media, because of the nature of the world wide web, has the added dimensions of context (original and appropriated), permanency, and breaches in privacy or security, with separate and independent impacts upon relationship.
Social media is probably not a thing at all—not a blog post, a tweet, a video upload, nor a meetup. It's a socially perceived manifestation (social breadcrumb) of a process—the management of a distributed presence as the currency for distributed relationships between individuals and collectives of individuals.
7.03.2010
Distributed Content
If content (information) is semantic (meaning) wrapped in syntax (structure), then historically content has been locked to a singular form. The structure of language extends to a physical structure of containment—a book, a photograph, a CD, etc.
Personal computing followed a similar pattern of containment—in essence locking content and machine. Structural barriers existed because either there was no physical mechanism to transfer content or the content was layered in proprietary syntax that rendered transfers moot. What breached these barriers has been the introduction and pervasiveness of the world wide web and the expectation that content should be easily transferable.
With the ease of transferability of content, the machine, or device, becomes almost irrelevant except for the residual issue of storage. Storage per device has increased many orders of magnitude since the beginning of the personal computing era, but with little change in the concept, acceptance, and expectation that storage is always locally defined. The notable exceptions are photos, videos, and music—where distributed content is becoming widespread and approaching normative. Distributed content is content that permanently resides somewhere—but not on personal devices.
We have had content fixed to physical forms. We have had content exchangeable amongst physical forms. We are moving to a time where content is delivered transiently to physical forms—where personal devices are for the transient presentation of content. We are moving to a trifurcated future: content, presenting devices, and storage sites.
I personally became acquainted with this trifurcation on April 30th—the day my iPad arrived. What started was a personal experiment into what is necessary to maintain the same level of functioning that was provided by personal computers. The transition to a virtual keyboard was relatively easy. The more difficult task has been the issue of accessing and storing content from different devices (iPhone, iPad, notebook, and desktop). How does one move to content use that is device independent? Especially when you consider that content use is much more complex than mere content consumption—streaming audio or video. Use is a generative activity, whereas consumption is a non–generative activity.
My solution has been to address the issue of storage—in particular storage of generative content. I've dealt with my non–generative (archival and incremental) storage issues here. This generative content storage solution is also an example of interpermissibility at the individual level.
Content is not moved amongst devices, but rather permissive access to cloud storage. Generative content is not subjected to device–induced versioning problems. The device can be wiped (or bricked) at any time, because devices are only used for presenting and generative–activities with storage off–device.
Distributing Services
Are all these services necessary? No, but device–independent use of generative content is new—what we'll need are multiple competitive vendors offering holistic solutions.
Co–Location: Interaction, Permission, Transport, and Content
Distribution: Interaction, Permission, Transport, and Content
6.30.2010
Leapfrog on CPOE
Leapfrog Announces New Report on the Safety of Electronic Prescribing Systems in Hospitals (Report PDF, Press Release PDF)
Executive Summary
Using The Leapfrog Group's web‐based simulation tool, 214 hospitals tested their computerized physician order entry (CPOE) systems for their ability to detect common medication errors and errors that could lead to fatalities. The CPOE systems on average missed one half of the routine medication orders and a third of the potentially fatal orders. Nearly all of the hospitals improved their performance after adjusting their systems and protocols, and running the simulation a second time. The simulations were conducted from June 2008 to January 2010.
The Leapfrog simulation tool used to develop this report is the only one of its kind available to all hospitals through The Leapfrog Hospital Survey. Every hospital that employs a computer prescribing system should incorporate the Leapfrog simulation tool into their ongoing quality assurance and improvement processes.
For the sake of safe patient care, hospitals must test and monitor their CPOE systems on an ongoing basis to achieve true meaningful use. In addition, vendors and hospitals must collaborate more closely during the pre‐implementation and implementation phases to ensure that best practices are shared and followed.
The Leapfrog Group is calling on the federal government to ensure that any definition of meaningful use employed as a requirement for federal financial assistance to hospitals to adopt CPOE and other health care IT systems require monitoring and improvement at implementation and on a long‐term basis.
Adult & Pediatric Medication & Potentially Fatal Orders
| | Medication Orders without Proper Warnings | Potentially Fatal Orders without Proper Warnings |
|---|---|---|
| Adult Hospitals (n=187) | 8,716 (52%) | 311 (33%) |
| Pediatric Hospitals (n=37) | 1,731 (42%) | 62 (34%) |
6.22.2010
6.21.2010
Interpermissibility
Premise
Ownership of health information is vested in the person (patient). Ownership is defined as access and control (of permission). A provider (of services) has permitted access to modify and act upon health information. Privacy and security of health information are maintained by permission (or permission sets). For any patient seeking healthcare from any provider there should exist a mechanism to automatically provide all permitted and relevant health information in a timely manner.
Data Portability/Interoperability
To have such a mechanism, either all health information (content) for every patient must be ubiquitously, instantaneously, and redundantly available, or there must exist a ubiquity of permission practices that instantly grants access to a store of wholly unique, singular content. This begs the question whether, for health information, data (content) portability and interoperability are the correct paths.
Interoperability and health information exchanges (HIE) are predicated on the belief that moving content is the only feasible and safe solution in creating a national health information infrastructure. Can an alternative model infrastructure be conceived where content is not moved, but rather permissive access and use is facilitated? Data portability and interoperability would be replaced with permission portability and interpermissibility.
Interoperability's feasibility is dependent upon the build–up and build–out of HIEs, voluntary (albeit initially incentivized) participation of vast numbers of health enterprises and entities, and the indefinite sustaining and improvement costs and duration of such an infrastructure. Interoperability will literally take a village—innumerable villages. It is also about the creation and entrenchment of a whole new healthcare industry—an industry (in aggregate) that Blumenthal has characterized as "a stalking horse—for…changing compensation of medicine and the economics of health care."
Interoperability's safety is dependent upon the belief that vast numbers of health enterprises and entities can individually secure their health information. Because interoperability requires innumerable villages—every window in every house in every village will need to be safely secured. This is contrary to the 3,432,833 breaches reported since September 2009 (90% from digital sources).
Interoperability is core to cellular roaming and to the use of ATMs, but differs fundamentally from interoperability within healthcare. The former renders a transactional service and only retains a residual of the service rendered. There is no movement of your account, or substantial parts, from your cell provider or bank. What is exchanged is the permissive use of a service for the verification of identity. Contrast that with healthcare where interoperability is both a maintenance of information in perpetuity and the creation of innumerable additional partial stores of one's health information. Instead of a communication to facilitate a service transaction, it is a senescence therapy and a form of parthenogenesis.
Healthcare's interoperability raison d'être may be to fundamentally change its economics, but for patients and providers its solution must include ubiquity, low cost to implement and sustain, and more security than existing practices. It has to work right out–of–the–box with a simplicity that rivals cellular roaming and ATM use to precipitate rapid and universal adoption. Where this simplicity does not exist, is there not a high likelihood of myriad incremental patchworks?
Information
Generally, information may be characterized as a construct of content and permission. Content is a language–based representation of real or imaginary objects or things. Permission is a set of values that determine access to content.
Content may be further characterized as a combination of semantic wrapped in syntax. Semantic is the meaning–representation of language. Syntax is the structural–representation of language.
Informational Content
Content is always described in terms of a context, e.g., Smith's health record, the Times' article, Sally's car. A set of permission values is a form of contextual framework that wraps around content defining ownership, accessibility, mobility, and actionability.
Informational Payload (Resting State)
Transport of content is similarly contextual and will impose a distinct separate layer of permission values.
Informational Transport (Active State)
A distinction between data portability and interoperability exists where two entities share information but do not share a common semantic. Data portability is the general case where there is a permissive sharing of syntax, and interoperability is the specific case where there is the addition of a common semantic.
Informational Sharing
| | syntax | semantic | permission |
|---|---|---|---|
| common values | | | × |
| common structure | × | | |
| common meaning | | × | |
| data portability | × | | × |
| interoperability | × | × | × |
Permission
Permission (broadly construed) is either affirmative and permissive, or negative and restrictive. Permission may also be active or passive. A breach is a negation of a value, or values, constituting a given permission state. A breach may be strict (no intent required), by intent, or with negligence (without intent).
Characterizations
| | active | passive |
|---|---|---|
| affirmative | granted | have |
| negative | denied | don't have |
Scope: affirmation
| | affirmative | negative |
|---|---|---|
| access | grant | deny |
| modify | grant | deny |
| act upon | grant | deny |
Scope: action
| | active | passive |
|---|---|---|
| access | enable | request |
| modify | enable | request |
| act upon | enable | request |
Breach
| | intent | no intent |
|---|---|---|
| strict | … | … |
| intentional | × | |
| negligent | | × |
A breach may also occur at the level of transport, gaining access to the informational payload. A second breach is then required to access the informational content.
Payload Breach
Payload and Transport Breach
Interpermissibility
Interpermissibility (Interper) doesn't exist, but if it did—what are some of the characterizations?
Characteristics
- Interper is a nascent enterprise, no legacy baggage.
- Ownership of content is at the person–level.
- Single content or informational (data) storage.
- Syntax and semantic based upon open standards.
- Permission sets are imposed on all content.
- Content is not transmitted.
- Permission to access, modify and act upon is transmitted.
- A potent deterrent to content breaches is to maintain zero or low residual content on the myriad of healthcare devices that may access and have capability and capacity to retain content. The analogy would be to reduce the informational footprints to that seen in cellular roaming and ATM use.
- Interper is a subscription service with no hardware or software requirements beyond a web–enabled device capable of using open web standards.
- UI/UX would be permission set configurable (both for patient and the subscribing enterprises and entities).
- Interper is scalable, because it is just a matter of adding capacity to the system.
- The cost for patients and providers could essentially be zero (except for the cost of web–enabled devices). Where enrollment in the service is sufficient, the cost of the service may be offset by providing deidentified patient information to the secondary health data markets. The cost is further offset where duplication of services is avoided because of the wholeness of the stored content and the timeliness of permissive access, modification, and actionability.
- Where Interper is in widespread use, there will be no need for HIEs—because what they would be exchanging resides and is permissively accessible from a single source.
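As an added illustration, and not the author's design or any project's code, the following Python models the permission taxonomy in the tables above (affirmative/negative, active/passive, scoped to access, modify, and act upon) together with the Interper rule that content stays in a single store while only permission travels. The party names, record contents and the two-layer check (transport, then payload) are constructed for the example; the audit function reconciles an observed access against the permission sets, which is how a breach, as a negation of a permission value, would be detected.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Tuple


class Scope(Enum):
    ACCESS = "access"
    MODIFY = "modify"
    ACT_UPON = "act upon"


@dataclass(frozen=True)
class Permission:
    """One cell of the characterization tables: affirmative/negative x active/passive."""
    affirmative: bool  # granted (True) or denied (False)
    active: bool       # enabled (True) or only requested / passively held (False)

    def permits(self) -> bool:
        # Only an affirmative and active value lets an action proceed.
        return self.affirmative and self.active


class PermissionSet:
    """Permission values wrapped around one unit of content or one transport path."""

    def __init__(self) -> None:
        self._values: Dict[Tuple[str, Scope], Permission] = {}

    def grant(self, party: str, scope: Scope) -> None:
        self._values[(party, scope)] = Permission(affirmative=True, active=True)

    def deny(self, party: str, scope: Scope) -> None:
        self._values[(party, scope)] = Permission(affirmative=False, active=True)

    def request(self, party: str, scope: Scope) -> None:
        # Passive: the party has asked, but nothing has been enabled yet.
        self._values[(party, scope)] = Permission(affirmative=True, active=False)

    def permits(self, party: str, scope: Scope) -> bool:
        # No value at all is the passive "don't have" cell: not permitted.
        value = self._values.get((party, scope))
        return value is not None and value.permits()


@dataclass
class Record:
    """Content at rest in the single store, wrapped by two independent permission layers."""
    owner: str
    content: Dict[str, object]
    payload_perms: PermissionSet = field(default_factory=PermissionSet)    # informational payload
    transport_perms: PermissionSet = field(default_factory=PermissionSet)  # informational transport


def serve(record: Record, party: str, scope: Scope) -> Tuple[bool, str]:
    """Enforce the two layers in order; content is only presented, never handed over for storage."""
    if not record.transport_perms.permits(party, Scope.ACCESS):
        return False, "transport not permitted"
    if not record.payload_perms.permits(party, scope):
        return False, f"{scope.value} not permitted on payload"
    return True, "presented transiently"


@dataclass(frozen=True)
class ObservedEvent:
    """An entry from an access log: what a party actually did, as seen by an auditor."""
    party: str
    scope: Scope
    obtained_payload: bool  # the wrapped payload reached the party's device
    read_content: bool      # the party unwrapped and used the content


def classify_breach(record: Record, event: ObservedEvent) -> str:
    """Reconcile an observed event with the permission sets. Transport and payload are
    checked independently, so reaching the content after a transport breach shows up as
    the second, separate breach described in the text."""
    transport_breach = event.obtained_payload and not record.transport_perms.permits(
        event.party, Scope.ACCESS)
    payload_breach = event.read_content and not record.payload_perms.permits(
        event.party, event.scope)
    if transport_breach and payload_breach:
        return "transport+payload"
    if transport_breach:
        return "transport"
    if payload_breach:
        return "payload"
    return "none"


def demo_record() -> Record:
    """Constructed sample: a clinic granted access and modify, a lab that has only
    requested access (passive), and no entry at all for a billing party."""
    rec = Record(owner="patient-A", content={"allergies": ["penicillin"]})
    rec.transport_perms.grant("clinic-1", Scope.ACCESS)
    rec.payload_perms.grant("clinic-1", Scope.ACCESS)
    rec.payload_perms.grant("clinic-1", Scope.MODIFY)
    rec.transport_perms.grant("lab-2", Scope.ACCESS)
    rec.payload_perms.request("lab-2", Scope.ACCESS)  # asked, not yet enabled
    return rec


if __name__ == "__main__":
    rec = demo_record()
    print(serve(rec, "clinic-1", Scope.ACCESS))  # (True, 'presented transiently')
    print(serve(rec, "lab-2", Scope.ACCESS))     # passive request only: denied
    print(classify_breach(rec, ObservedEvent("billing-3", Scope.ACCESS, True, True)))
```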
Interoperability's Hurdles
- Cost to enterprises and entities to implement and sustain indefinitely (well beyond the ARRA/HITECH meaningful use inducements).
- Cost to implement and sustain indefinitely the extra–enterprise and extra–entity interoperability's infrastructure—HIEs and their kin (well beyond the ARRA/HITECH seed funding).
- Cost of breaches because of the potential exposures from the innumerable enterprises, entities, and their devices that may have unsecured or breachable content.
- Cost incurred by, and savings denied to, those participating in the interoperability infrastructure because of those that do not. Cost and potential savings will be incrementally linked to the degree of participation by all eligible to participate.
Interper Candidates
There are none, but there are harbingers. Google Health and Microsoft HealthVault could up their game. Amazon could! Could we trust Google, Microsoft, or Amazon? That's probably not the right question. Breaches happen, and they will continue to happen. It's not the happening that should be disturbing or determinative, but rather the propensity for breaches. Do you trust your doctor's office staff, your dentist's billing company, or your insurer's claims agent's laptop?
The analysis should also center, in addition to the propensity of a particular enterprise or entity, on the sheer number of enterprises and entities that have our health information. If it should come down to a choice amongst Google, Microsoft, or the present arrangement to secure my health information—without a doubt or hesitancy I would go with either Google or Microsoft (putting all the baskets in one egg).
If the first and most important barrier to health information breaches is the permission set surrounding the content, then the more controlled and limited those acting on that permission set, the better. Where those acting on the permission set are reduced to unity, that is a barrier we should all want. The single barrier is the easiest to control, vis–a–vis a permission set, and will maximize the internal scrutiny efforts, governmental regulatory oversight, and public angst.
Footnotes
- Most current [information] systems have methods of administering permissions or access rights to specific users and groups of users. These systems control the ability of the users affected to view or make changes to the contents of the [information] system. Wikipedia.
- Data portability is the ability for people to reuse their data across interoperable applications—the ability for people to be able to control their identity, media and other forms of personal data. Wikipedia.
- Interoperability is a property referring to the ability of diverse systems and organizations to work together (inter–operate). Interoperability is a property of a product or system, whose interfaces are completely understood, to work with other products or systems, present or future, without any restricted access or implementation. If two or more systems are capable of communicating and exchanging data, they are exhibiting syntactic interoperability. [S]emantic interoperability is the ability to automatically interpret the information exchanged meaningfully and accurately in order to produce useful results as defined by the end users of both systems. To achieve semantic interoperability, both sides must defer to a common information exchange reference model. The content of the information exchange requests are unambiguously defined: what is sent is the same as what is understood. Wikipedia.
- Health information exchange (HIE) is defined as the mobilization of healthcare information electronically across organizations within a region, community or hospital system. HIE provides the capability to electronically move clinical information among disparate health care information systems while maintaining the meaning of the information being exchanged. The goal of HIE is to facilitate access to and retrieval of clinical data to provide safer, more timely, efficient, effective, equitable, patient-centered care. Wikipedia.
6.17.2010
Text Messaging, Privacy, and Common Sense
Fourth Amendment to the U.S. Constitution
The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
U.S. Ninth Circuit Court of Appeals: Quon et al. v. Arch Wireless et al. (PDF)
This case arises from the Ontario Police Department's review of text messages sent and received by Jeff Quon, a Sergeant and member of the City of Ontario's SWAT team. We must decide whether (1) Arch Wireless Operating Company Inc., the company with whom the City contracted for text messaging services, violated the Stored Communications Act, 18 U.S.C. §§ 2701-2711 (1986); and (2) whether the City, the Police Department, and Ontario Police Chief Lloyd Scharf violated Quon's rights and the rights of those with whom he "texted"—Sergeant Steve Trujillo, Dispatcher April Florio, and his wife Jerilyn Quon—under the Fourth Amendment to the United States Constitution and Article I, Section 1 of the California Constitution.
The search of Appellants' text messages violated their Fourth Amendment and California constitutional privacy rights because they had a reasonable expectation of privacy in the content of the text messages, and the search was unreasonable in scope.
City of Ontario v. Quon—SCOTUS Wiki
Issues: (1) Whether a SWAT team member has a reasonable expectation of privacy in text messages transmitted on his SWAT pager, where the police department has an official no-privacy policy but a non-policymaking lieutenant announced an informal policy of allowing some personal use of the pagers; (2) Whether individuals who send text messages to a SWAT team member’s SWAT pager have a reasonable expectation that their messages will be free from review by the recipient’s government employer.
Decision: Reversed and remanded in a 9-0 decision….
U.S. Supreme Court: City of Ontario, California, et al. v. Quon et al. (PDF)
Held: Because the search of Quon's text messages was reasonable, petitioners did not violate respondents' Fourth Amendment rights, and the Ninth Circuit erred by concluding otherwise.
- The Amendment guarantees a person's privacy, dignity, and security against arbitrary and invasive governmental acts, without regard to whether the government actor is investigating crime or performing another function. It applies as well when the government acts in its capacity as an employer.
- Even assuming that Quon had a reasonable expectation of privacy in his text messages, the search was reasonable[.]
529 F. 3d 892, reversed and remanded.
No reasonable expectation of privacy, reasonable search, and common sense…
6.16.2010
Breach Analysis
The U.S. Department of Health & Human Services' Office for Civil Rights recently released a list of health information privacy breaches (list, spreadsheet).
Breaches: Sources
Breaches: Covered Entities (CE)
Breaches: Methods
Breaches: States
Breaches: Covered Entities (CE) v Business Associates (BA)
Breaches: Digital v Paper
Breaches: Monthly
6.11.2010
So, I'm Putting My Baskets in One Egg
How do we conceive, package, control, and secure personal information? More specifically, how do we control our health information—a subset of personal information?
Putting All the Eggs in One Basket
So, I'm putting my eggs in one basket
I'm betting everything I've got on you
Everything I've got I bet on you, everything I've got on you
Everything, every single thing, I've got I bet on you.
Follow the Fleet, Irving Berlin 1936
There is a common belief that goes beyond mere lyrics—a belief that safety is assured when we place things of value in more than one store. But is this correct? Do we store a portion of our money at the grocery store, at the gas station, or at the mall? Do we like music or video that are only playable on a single device? Do we like social networks that restrict our relationships and conversations to an imposed logged–in session?
Commensurate with this belief is the companion notion that interests can be self–assembled into discrete packages. Overlaps do not occur and are disallowed where conditions would bring about an overlap.
Expanding the metaphor—the basket exists as an empty (or relative) construct that is defined by the aggregation of discrete interests—that which holds. Each egg is a world unto itself—defining both the dimensions and duration. Privacy and security of the eggs' contents are subject to the discretions of the eggs' defining entities. Safety is entrusted to others, with the semblance of control ours.
Putting All the Baskets in One Egg
Suppose we flip the metaphor. The egg becomes the defining artifact and the baskets relative categorizations. The egg is co–existent with the life and interests of the individual. Privacy and security concerns are now spread uniformly over the whole, instead of discretely at a particulate level.
Safety is evenly and uniformly distributed over the baskets. Control goes from a semblance to an actuality. This becomes an argument of local (eggs within a basket) v non–local (or global; baskets within an egg) control.
We have few qualms over the entrustment of our financial information to an American Express, Citibank, or VISA. We would never consider a similar entrustment to the local grocery store, department store, or restaurant. Instead we use financial instruments (check or card) of the former for the financial information transactions with the latter. Financial information is vested with a third party (bank or credit card company) to conduct business, on our behalf, with a merchant. Personal financial transactions, except for cash, are examples of non–local (or global) control via third parties.
In contrast, most of us (if we do at all) back up our personal computers and smartphones locally to hard drives, DVDs, or flash storage units. Most of our pictures and home videos are stored on the original recording medium and may be duplicated and locally stored. Non–local ("third party") storage is not widely used. Would anyone consider exclusive home storage of irreplaceable family memories secure storage? In this sense local measures are not secure measures, but rather measures of convenience and historical practice.
Health information, like personal memories, is subject to local security practices. The question is often asked how could anyone trust Google Health or Microsoft's HealthVault? It's the wrong question—the question is how can you trust the dozens or tens of dozens of entities and institutions that you have entrusted with your health information all along?
Banks and credit card companies make mistakes and have security breaches. Will Google or Microsoft have similar problems? Of course they will, but it's not having the problem that should be the concern—the concern lies where the problems occur and there is no entity or institutional awareness or no third party oversight.
Because breaches happen, and do so with seemingly increasing frequency, the questions arise where the information should reside and where the safety measures should be exerted. Do we need a third party industry to manage our personal information (including health information) that is separate and distinct from those entities and institutions that conduct informational transactions? Do we need to consider the relationship of eggs and baskets? Do we need to force a transactional dichotomy between storage and use, as we see and utilize with our financial transactions?
6.10.2010
White Elephant Team
Sweeney's Congressional Testimony (PDF)
Designing a Trustworthy Nationwide Health Information Network (NHIN) Promises Americans Privacy and Utility, Rather than Falsely Choosing Between Privacy or Utility
Since the passage of HIPAA, there has been an explosion in the collection and sharing of patient information. While HIPAA explicitly identifies covered entities that handle patient information, there is no identification of the vast number of business associates who receive patient information from covered entities, or of the business associates of those business associates, and so on, as secondary sharing is unbounded. Data sharing through business associate arrangements is widespread yet hidden from patients, making harms difficult to trace.
The current approach to NHIN design can be characterized as "let a 1000 flowers bloom" [o]r…"let 1000 weeds fester." The lack of architectural direction allows simultaneous efforts to proceed in different, even opposing directions, exposing patient information to various risks and limiting benefits. States and regional organizations are making independent isolated decisions. Various competing industry efforts are underway. [N]ational efforts recognized by ONC are inconsistent and problematical.
As Aneesh Chopra said, "We are not building on a firm legacy of success, we are looking for a pathway to success." (PPT, PDF)
Privacy & Security Tiger Team—ONC
The Office of the National Coordinator for Health IT (ONC) has organized a workgroup (subcommittee) under the auspices of the HIT Policy Committee to move forward on a range of privacy and security issues. A new Privacy & Security Tiger Team (comprised of members from the HITPC and the HITSC as well as NCVHS) will work over the next few months to address the requirements of HITECH and the needs of many new organizations created under that law. We expect the work of the Tiger Team to be completed by late fall 2010.
A tiger team is a specialized group that tests an organization's ability to protect its assets by attempting to circumvent, defeat, or otherwise thwart that organization's internal and external security. The term originated within the military to describe a team whose purpose is to penetrate security of "friendly" installations to test security measures. It now more generally refers to any team that attacks a problem aggressively.
Modified from Wikipedia, the free encyclopedia…
[W]hite elephant is an idiom for a valuable possession of which its owner cannot dispose and whose cost (particularly cost of upkeep) is out of proportion to its usefulness or worth.
Modified from Wikipedia, the free encyclopedia…
For the sake of discussion, and simplicity, the issues of privacy and security of personal health information might be reduced to a singular issue of the violation of privacy rights. Such a violation occurs where there has been a failure to discharge a duty, whether by intent or neglect, owed by other(s) to the individual. Failure constitutes the violation.
An analogous argument might be made where we have determined that it is a basic right in our society to have electrical services in our residences. A violation in that right occurs where there is a failure, by intent or neglect, to provide electrical services to a residence. A right is violated where a duty is not discharged in an affirmative manner. Of course this has nothing to do with privacy rights…
There are generally two methods to provide electrical services to all residences. One, provide the electrical services globally with a distribution network to each residence. Two, provide the electrical services locally with a distribution network communicating the compliance with the right for electricity. The distinguishing differences are the provisions of service and accountability with the former and the provision of accountability only with the latter.
Now our society wishes to superimpose regulatory measures that monitor the efficiency and safety of electricity generation. Monitoring the generation of electricity locally is orders of magnitude greater than the monitoring the generation of electricity globally. Similarly, monitoring the violations of the right to electricity vary by orders of magnitude based upon global or local origin.
The global and local generation of electricity options have fundamental cost differences as well. The global option requires significant initial costs of equipment and distribution network and also sustaining costs of infrastructure. The local option requires the individual to have and maintain the wherewithal for both the initial and sustaining costs of the necessary equipment and the reporting infrastructure to be compliant with regulatory requirements.
Which cost is greater? That's subject to conjecture. But what should be immediately obvious is the complexity differences between a global versus a local generation of electricity. We know empirically, from our own neighborhoods, what our communities would look like if generation of electricity was left to the individual. What a tapestry of failures that would be. What a white elephant the locally–centered right to electricity would become—a valuable commodity and an essential non–disposable service dwarfed–in–proportion to the initiating and sustaining costs.
Coming back to privacy rights, should the infrastructure that warrants these rights be locally or globally constructed? There are significant costs with either approach, but as with electricity, should privacy rights be subject to the wherewithal and whims of the individual provider or institution—particularly since participation is voluntary.
There are no doubts what an electricity rights tiger team would find and recommend. But should a tiger [] be sicced on a white elephant?