HEALTHCARE IT NEWS & BLOG

Bryant De Piazza

Google to crack down on medical records in search results

Google added "confidential, personal medical records of private people" to its removal policy, signaling the company's first step to eliminating sensitive health information from its search results.

The tech giant updated the list of content it reserves the right to remove from search results June 22, according to Bloomberg. Under the revision, private medical records will be considered "sensitive personal information," which also includes information like individuals' Social Security, bank account and credit card numbers.

Prior to June 22, Google's most recent change to its removal policy took place in 2015, when it added a category related to "nude or sexually explicit images that were uploaded or shared without ... consent," according to The Guardian.

The decision follows several information security incidents that demonstrated how medical records may be posted online. A pathology lab in India unintentionally uploaded more than 43,000 patient records in December, according to Bloomberg, which were indexed in Google's search results.

The removal policy targets personal information that "creates significant risks of identity theft, financial fraud or other specific harms," according to Google. The search engine applies its right to remove content on a case-by-case basis, in part by reviewing individual requests submitted online.

Healthcare IT Consulting Bryant De Piazza

How Healthcare Can Prep for Artificial Intelligence, Machine Learning

Artificial intelligence and machine learning are on the brink of becoming major forces in the healthcare industry. How can providers start to prepare?

The term “artificial intelligence” often conjures up visions of apocalyptic landscapes decimated by hyper-intelligent machines with a penchant for destroying societies foolish enough to place their trust in autonomous robots and android workers. 

While this bleak vision of the future is still firmly in the realm of science fiction novels and summer blockbuster movies, recent advances in artificial intelligence (AI) and machine learning are leaving some to wonder if Isaac Asimov’s Three Laws of Robotics are going to become applicable to everyday life sooner rather than later.

Self-driving cars, implantable medical devices, the ubiquity of smartphones and wearables, the first hints of programs that can beat the Turing test, and the financial incentive to drive automation into every imaginable business process are all bringing excitement and optimism – and more than a little trepidation – to developers across every economic sector.

The healthcare industry represents a particularly significant opportunity for machine learning to prove its value.  The sheer volume of available medical knowledge has long since outstripped even the most intelligent clinician, requiring supercomputers just to keep up with the latest best practices and big data breakthroughs in genomics, predictive analytics, population health management, and clinical decision support. 

Machine learning, natural language processing (NLP), and artificial intelligence are quickly becoming foundational components of the quest to keep ahead of the data tsunami while adhering to the most important law for robots and human healthcare practitioners alike: first, do no harm.

How are these tools already helping providers to produce better outcomes for patients, how will they evolve in the near future, and what steps should the industry take to integrate AI into the care process without fearing a disastrous big data backlash? 

HOW DOES ARTIFICIAL INTELLIGENCE WORK?

We may not be living in the Matrix just yet (probably), but artificial intelligence is starting to become a familiar concept to most of the modern world. 

On a basic level, artificial intelligence can be defined as the ability of a computer to independently solve problems that it has not been explicitly programmed to address. Machine learning algorithms drive a computer’s “thoughts” by providing a conceptual framework for processing input and making decisions based on that data.

An artificially intelligent machine needs to be able to accept information about the problem from its surroundings, generate a list of actions that it could take, and maximize its chance of achieving its goals by using logic and probability to choose the activities with the highest likelihood of success. 

The learning happens when the program reabsorbs its past experiences and uses that data to inform future actions.  Doing this allows the AI program to prioritize the choices that result in success more often, heightening its probability of getting the right answer.

For example, a computer may be given two sets of MRI images: one set that clearly shows a variety of brain tumors, and one that does not.  By breaking down these images into machine-readable patterns, the computer can understand which patterns are likely to indicate a brain tumor and which represent healthy patients. 

When fed a new batch of images that may or may not contain tumors, the computer should be able to use that initial reference data to identify patterns that are similar to known positive diagnoses. 

Every time it makes an incorrect diagnosis, validated by a human clinician, it “learns” to adjust its criteria a little bit more by using the previous experience to inform its future decision-making.  Eventually, it should become accurate enough to present trusted results to the user.

Humans complete these types of tasks almost without thought every moment of every day, but few algorithms are sophisticated enough to effectively mimic our natural capacity to process external input, extrapolate unspoken information from a query, use logic and reason to make a decision, and predict the likely outcomes of each action before they occur.

However, there are a few examples of projects that are coming close to beating the Turing test, opening up nearly unlimited applications for AI tools in the healthcare industry, not to mention in society at large.

WHAT ARE THE USE CASES FOR ARTIFICIALLY INTELLIGENT TECHNOLOGIES IN HEALTHCARE?

Almost every aspect of healthcare could, theoretically, benefit from an AI approach. 

Computers don’t forget what they have learned, making them perfect helpers for the biggest of big data analytics projects like personalized medicine based on genomics and clinical decision support for complex conditions like cancer.

They don’t have inherent biases, so they are more likely to produce objective diagnoses unclouded by preconceived socioeconomic notions about the patient, which can produce disparities in care.

They can recognize shifts and patterns in data more quickly and comprehensively than most humans, so they may be able to predict conditions like sepsis before the patient even starts to feel ill.

Some of the most promising use cases for AI tools include predictive analytics, precision medicine, and clinical decision support.  Development in all of these areas is already well underway.

IBM Watson Health is probably the most well-known name in cognitive computing at the moment, although it isn’t the only player in the field.  Watson got an early start in the healthcare industry using its natural language processing and semantic computing abilities to train in clinical decision support at some of the top organizations in the country.

After ingesting millions of pages of academic literature and other healthcare data, the system can help providers make decisions by offering a series of suggestions along with confidence intervals that show how applicable the course of action may be.  The higher the number, the more certain Watson is that a particular drug, therapy, or diagnosis is the way to go.

IBM has been steeping Watson in healthcare data for several years, and has shelled out billions of dollars to acquire big data analytics companies that will further its goal of creating a truly intelligent partner for quality care.

Watson has its competitors in the clinical decision support space, however, and IBM isn’t the only one taking an AI approach to curing cancer.  Microsoft is also ramping up its efforts to apply advanced machine learning algorithms to the mysteries of human biology.

“One approach is rooted in the idea that cancer and other biological processes are information processing systems,” the company said in a recent exploration of the topic. “Using that approach the tools that are used to model and reason about computational processes – such as programming languages, compilers and model checkers – are used to model and reason about biological processes.”

“Researchers can apply techniques such as machine learning to the plethora of biological data that has suddenly become available, and use those sophisticated analysis tools to better understand and treat cancer.”

Artificial intelligence may be a welcome addition to the patient engagement and monitoring arenas, as well. 

As healthcare organizations start to focus on customer expectations in response to rising out-of-pocket costs and value-based reimbursements, providers will need to learn how to personalize the patient experience, reduce unnecessary expenditures, and maintain open lines of communication between office visits to keep patients as healthy as possible.

Consumers are already familiar with voice-response phone menus and automated website chat bots that can answer questions or make connections with varying degrees of success, but healthcare may be in store for a much more robust AI experience, if Amazon CEO Jeff Bezos successfully shepherds Alexa to the big time.

Amazon’s take on AI is based on its Echo devices, which can help to create a smart home environment by using voice recognition to activate its omnipresent Alexa personal assistant.  In a talk at the Vanity Fair New Establishment Summit, Bezos hinted that Amazon may be eyeing the healthcare industry in the near future.

“I think healthcare is going to be one of those industries that is elevated and made better by machine learning and artificial intelligence,” he said, according to an article on GeekWire. “And I actually think Echo and Alexa do have a role to play in that.”

“We’re working on having a vision in that arena because I do think it would be very helpful. … The medical care system is so big, no one company can do this. It has to be that you provide tools, and then hospitals and doctors and nurses and so on use those tools to improve healthcare.”

How Alexa will improve the healthcare experience remains to be seen, but it’s possible that the hospitals of the future will have an AI listening device in every patient room, replacing the nurse call systems, physician pagers, and overhead PA announcements of yore with an intelligent, unobtrusive, and responsive communication system.

Remote patient monitoring could also benefit from an artificial intelligence program taking on the task of coordinating Internet of Things equipment in the home for elderly, disabled, or frail patients.  The extra help could make patients less reliant on caregivers for routine tasks like turning on the lights, calling the pharmacy for a prescription refill, sending data to providers from internet-enabled home health devices, or even ordering an Uber to get to their next doctor’s appointment.

And since AI entities like Alexa can learn about the habits and patterns of their users, patients with high needs in the home may find their lives significantly simplified and streamlined, making it easier to access care and adhere to treatment regimens.

WHAT CAN HEALTHCARE ORGANIZATIONS DO TO PREPARE FOR AI AND MACHINE LEARNING?

Not every AI application will come from a Silicon Valley tech giant, however.  Many healthcare organizations are already working on developing their own intelligent big data analytics systems based on machine learning principles.

Semantic data lakes are one entry point into what may eventually become artificial intelligence, and they are already finding a foothold in healthcare. 

In contrast to traditional relational databases, a data lake system doesn’t have to be targeted to a specific use case, explained Parsa Mirhaji, MD, PhD, Associate Professor of Systems and Computational Biology and the Director of Clinical Research Informatics at the Albert Einstein College of Medicine and Montefiore Medical Center-Institute for Clinical Translational Research.

“Relational databases require a very fine structure that you have to plan out before you can use it - you have to frame your problems in a very specific way,” he said to HealthITAnalytics.com in 2015. 

“Within that frame, you can do wonderful things, but you have to pre-coordinate your schema before you start investing in application development and data management.”

“The problem with that is that you have to predict all future-use cases,” he continued. “And the costs of changing your mind or your requirements are huge. And that's why you end up with these data silos. You end up with different architectures for different problems, because you have to box the problem before you begin.”

Data lakes, on the other hand, store many different types of information in their original formats in a single repository.  Each piece of data is tagged with a unique standardized identifier, which allows the system to mix and match unrelated packets of information to generate new insights. 

Using natural language processing to understand complex, free-form queries from the front end, data lakes can provide answers to questions and understand relationships that have not been explicitly programmed into the system at the start. 

“You don’t have to predict the future,” said Mirhaji.  “You can start from where you are, from exactly where you are, based on the kinds of needs that you have right now with the confidence that it will grow into the dimensions and directions as your organization wants to grow.”

Montefiore Medical Center, Partners HealthCare, and the American Society of Clinical Oncology’s CancerLinQ are just a few examples of healthcare-focused projects employing machine learning and semantic computing techniques to build semantic computing systems that can support collaborative research, predictive analytics, clinical decision support – and perhaps eventually transition into what could be considered artificial intelligence.

Preparing healthcare data for the expansion of semantic computing is not going to be easy.  Many providers are still struggling to understand how big data fits into routine care tasks, how to choose products and services that support advanced analytics, how to generate clean, complete, accurate, and timely data, and why big data is so critical for population health management, value-based care, and other upcoming challenges.

But even if a particular organization has no immediate plans to jump into a big data lake, they should consider developing the analytics competencies to get ready for a future where every piece of information about a patient can be used, in some way, to improve the quality of their care.

The process starts with understanding the importance of information governance and creating an environment of trust from the first moment data is created. 

“There’s no room anymore for inconsistent quality and inconsistent data,” said Ann Chenoweth, MBA, RHIA, FAHIMA, President and Chair Elect of the 2017 AHIMA Board of Directors. 

“Trusted data must be reliable, accurate, and accessible, where and when it’s needed. It’s not the data that comes out of here versus the other system. It has to be an enterprise-wide framework that you can rely on. Having that integrity and governance around the data is key.”

AHIMA’s principles of information governance stress the role of data integrity – a key concept for analytics – by urging providers to develop clear, consistent, and standardized policies and procedures for creating and managing data.

“Reliability of information is of paramount importance in the delivery of healthcare services,” AHIMA says. “Based on the nature and type of healthcare organization, measures to ensure reliability of data and information should be built in to processes and systems for creation and capture, processing, and other applicable stages of the information’s lifecycle.”

These processes may include:

  • Educating clinicians and other data-creators about the importance of information governance across the organization
  • Improving the quality of data at the source with clinical documentation improvement initiatives
  • Investing in open, standards-based data warehousing infrastructure that prevents the development of data siloes
  • Ensuring that all data assets include appropriate metadata to improve accountability and extend the usability of datasets
  • Maintaining high standards of data privacy and security to protect patients from unauthorized uses of information

A firm foundation of governance will help healthcare organizations understand just how much data they have, how useful it is for advanced analytics, and what use cases it can help to address.

Before investing in semantic computing, machine learning, or artificial intelligence technologies, providers should have a clear, concrete idea of how they will use these tools to improve care quality, outcomes, or efficiencies.

Analytics leaders should work with clinical and executive staff to identify pain points and specific opportunities for improvement, such as a lack of visibility into the diabetic patient population, the need to boost performance on clinical quality metrics related to value-based contracts, or a desire to improve revenue collection by engaging patients with the highest out-of-pocket costs.

When searching for vendors offering data-driven solutions for these specific problems, providers may wish to look for products that are easily scalable, based on emerging healthcare data standards, easily integrated into existing infrastructure, and are able to maximize the value of historical data stores.

CONTRIBUTING TO THE FUTURE OF ARTIFICIAL INTELLIGENCE IN HEALTHCARE

It may still take a few years before clinicians can sit back and relax while their robot assistants take a crack at diagnosing their patients, but the development of artificial intelligence is moving quickly enough to warrant a serious discussion about how these technologies will impact society in the near future.

The White House is already thinking about how to address issues of safety, regulation, fairness and security as AI systems move from laboratories to real-world settings. 

A report from the Executive Office of the President National Science and Technology Council Committee on Technology notes that AI has the potential to contribute significantly to the public good, but that “an AI-enabled world demands a data-literate citizenry that is able to read, use, interpret, and communicate about data, and participate in policy debates about matters affected by AI.”

As the healthcare industry continues to develop its own data literacy and adopt technologies that may be the precursors to true AI, it must take on a greater role in these conversations.

Patient privacy and safety are likely to be the most pressing near-term issues. Artificial intelligence will play a major role in automating tasks that are currently conducted by human decision-makers. Automation requires the free flow of data across disparate systems, which will in turn rely on refined and strengthened protocols for obtaining patient permissions to share and use data for multiple applications.

Providers will also need to discuss issues of accountability when an AI program makes a mistake that results in patient harm, how to gauge and manage risk when introducing AI to a new task, and how to safely test novel technologies in the healthcare setting without exposing patients to potentially dangerous situations.

“The best way to build capacity for addressing the longer-term speculative risks is to attack the less extreme risks already seen today, such as current security, privacy, and safety risks, while investing in research on longer-term capabilities and how their challenges might be managed,” the White House suggests, reinforcing the idea that addressing issues of information governance, patient privacy, and provider workflows as soon as possible will prepare healthcare for an AI-driven future.

“As the technology of AI continues to develop, practitioners must ensure that AI-enabled systems are governable; that they are open, transparent, and understandable; that they can work effectively with people; and that their operation will remain consistent with human values and aspirations,” the report continues. “Researchers and practitioners have increased their attention to these challenges, and should continue to focus on them.”

“Developing and studying machine intelligence can help us better understand and appreciate our human intelligence. Used thoughtfully, AI can augment our intelligence, helping us chart a better and wiser path forward.”

Healthcare Security Bryant De Piazza

UPDATED: Hospitals in UK National Health Service knocked offline by massive ransomware attack

The network was likely taken down by the Wanna Decryptor, one of the most effective ransomware variants for which there’s currently no decryptor available.

The National Health Service in England and Scotland was hit by a large ransomware attack that has affected at least 16 of its organizations, NHS Digital announced this morning.

The attackers are asking for 415,000 pounds, or about $534,146, before May 19 or the hackers will delete the files, according to MetroUK.

The attack has crippled the health system’s ability to treat patients, according to BBC News. Hospital staff are unable to access patient data. Further, ambulances are being diverted and patients are being warned to avoid some departments.

The organization launched an investigation and determined the ransomware is likely the Wanna Decryptor. It’s one of the most effective ransomware variants on the dark web, and at the moment, there is no decryptor available.

Officials said the attack didn’t specifically target the agency and that organizations from other sectors have been hit, as well.

“At this stage we do not have any evidence that patient data has been accessed,” officials said in a statement.

Spain said Friday that many companies, including the telecommunications giant Telefonica, were also dealing with ransomware attacks, according to Reuters. Portugal Telecom was also hit by a cyberattack that did not impact its services.

The ransomware campaign might be caused by leaked NSA hacking tools, according to Politico. The malware was included in the online dump by the hackers called Shadow Brokers, which they said were NSA tools.

“This seems to be a very large scale attack, with earlier reports of infections in Russia, Ukraine, Taiwan, as well as all over Europe,” Mounir Hahad, senior director of Cyphort Labs, said in a statement. “There is cause for alarm in the U.S. as well, given the speed at which this attack has spread and the fact that it seems to know no border.”

“This shows how quickly criminals are able to adopt newly exposed vulnerabilities and how slow the rest of us are to patch,” he continued.

NHS Digital is working closely with National Cyber Security Centre, the Department of Health and NHS England to help the organizations affected by the attack and to ensure patients are protected.

“Our focus is on supporting organizations to manage the incident swiftly and decisively,” officials said. “But we will continue to communicate with NHS colleagues and will share more information as it becomes available.”

Healthcare IT Consulting Bryant De Piazza

7,000+ people affected in New York hospital data breach: 4 things to know

At least 7,000 medical records from New York City-based Bronx-Lebanon Hospital Center were exposed by a third-party vendor, NBC News reports.

Here are four things to know.

1. A team of security researchers at MacKeeper Security Research Center discovered the breach earlier this month. Researcher Bob Diachenko told NBC News private patient information was viewable online due to a misconfigured backup server hosted by iHealth, a records management technology provider.

2. The exposed patient information included names, home addresses and medical diagnoses — along with addiction histories, mental health diagnoses, HIV statuses and sexual assault reports — of patients who visited the hospital between 2014 and 2017. Mr. Diachenko told NBC News it's unclear how long patient records were viewable online.

3. iHealth told NBC News it conducted an internal review upon learning of the breach. The vendor said one unauthorized person accessed the data, although there is no evidence that data has been misused.

"While iHealth continues to work with a leading IT security firm to validate its analysis, at this time, iHealth believes that the issue has been contained," iHealth told NBC News.

4. Bronx-Lebanon Hospital Center confirmed the exposed patient records in an emailed statement to NBC News and said it is cooperating with law enforcement agencies to address the breach.

Healthcare Security Bryant De Piazza

Trump signs Cyber Defense Executive Order

The long-awaited US Cybersecurity Executive Order was signed and released today. There will be lots of debates over the content of the order; however, it's important that our government from the top down focus on this critical issue, and this EO is a good start for the new administration.

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

EXECUTIVE ORDER

- - - - - - -

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE


By the authority vested in me as President by the Constitution and the laws of the United States of America, and to protect American innovation and values, it is hereby ordered as follows:

Section 1.  Cybersecurity of Federal Networks.  

(a)  Policy.  The executive branch operates its information technology (IT) on behalf of the American people.  Its IT and data should be secured responsibly using all United States Government capabilities.  The President will hold heads of executive departments and agencies (agency heads) accountable for managing cybersecurity risk to their enterprises.  In addition, because risk management decisions made by agency heads can affect the risk to the executive branch as a whole, and to national security, it is also the policy of the United States to manage cybersecurity risk as an executive branch enterprise. 

(b)  Findings.

(i)    Cybersecurity risk management comprises the full range of activities undertaken to protect IT and data from unauthorized access and other cyber threats, to maintain awareness of cyber threats, to detect anomalies and incidents adversely affecting IT and data, and to mitigate the impact of, respond to, and recover from incidents.  Information sharing facilitates and supports all of these activities.

(ii)   The executive branch has for too long accepted antiquated and difficult-to-defend IT.

(iii)  Effective risk management involves more than just protecting IT and data currently in place.  It also requires planning so that maintenance, improvements, and modernization occur in a coordinated way and with appropriate regularity. 

(iv)   Known but unmitigated vulnerabilities are among the highest cybersecurity risks faced by executive departments and agencies (agencies).  Known vulnerabilities include using operating systems or hardware beyond the vendor's support lifecycle, declining to implement a vendor's security patch, or failing to execute security-specific configuration guidance.

(v)    Effective risk management requires agency heads to lead integrated teams of senior executives with expertise in IT, security, budgeting, acquisition, law, privacy, and human resources.

(c)  Risk Management.

(i)    Agency heads will be held accountable by the President for implementing risk management measures commensurate with the risk and magnitude of the harm that would result from unauthorized access, use, disclosure, disruption, modification, or destruction of IT and data.  They will also be held accountable by the President for ensuring that cybersecurity risk management processes are aligned with strategic, operational, and budgetary planning processes, in accordance with chapter 35, subchapter II of title 44, United States Code. 

(ii)   Effective immediately, each agency head shall use The Framework for Improving Critical Infrastructure Cybersecurity (the Framework) developed by the National Institute of Standards and Technology, or any successor document, to manage the agency's cybersecurity risk.  Each agency head shall provide a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days of the date of this order.  The risk management report shall:

(A)  document the risk mitigation and acceptance choices made by each agency head as of the date of this order, including:

(1)  the strategic, operational, and budgetary considerations that informed those choices; and

(2)  any accepted risk, including from unmitigated vulnerabilities; and

(B)  describe the agency's action plan to implement the Framework.

(iii)  The Secretary of Homeland Security and the Director of OMB, consistent with chapter 35, subchapter II of title 44, United States Code, shall jointly assess each agency's risk management report to determine whether the risk mitigation and acceptance choices set forth in the reports are appropriate and sufficient to manage the cybersecurity risk to the executive branch enterprise in the aggregate (the determination).

(iv)   The Director of OMB, in coordination with the Secretary of Homeland Security, with appropriate support from the Secretary of Commerce and the Administrator of General Services, and within 60 days of receipt of the agency risk management reports outlined in subsection (c)(ii) of this section, shall submit to the President, through the Assistant to the President for Homeland Security and Counterterrorism, the following:

(A)  the determination; and

(B)  a plan to:

(1)  adequately protect the executive branch enterprise, should the determination identify insufficiencies;

(2)  address immediate unmet budgetary needs necessary to manage risk to the executive branch enterprise;

(3)  establish a regular process for reassessing and, if appropriate, reissuing the determination, and addressing future, recurring unmet budgetary needs necessary to manage risk to the executive branch enterprise; 

(4)  clarify, reconcile, and reissue, as necessary and to the extent permitted by law, all policies, standards, and guidelines issued by any agency in furtherance of chapter 35, subchapter II of title 44, United States Code, and, as necessary and to the extent permitted by law, issue policies, standards, and guidelines in furtherance of this order; and

(5)  align these policies, standards, and guidelines with the Framework.

(v)    The agency risk management reports described in subsection (c)(ii) of this section and the determination and plan described in subsections (c)(iii) and (iv) of this section may be classified in full or in part, as appropriate.

(vi)   Effective immediately, it is the policy of the executive branch to build and maintain a modern, secure, and more resilient executive branch IT architecture.  

(A)  Agency heads shall show preference in their procurement for shared IT services, to the extent permitted by law, including email, cloud, and cybersecurity services. 

(B)  The Director of the American Technology Council shall coordinate a report to the President from the Secretary of Homeland Security, the Director of OMB, and the Administrator of General Services, in consultation with the Secretary of Commerce, as appropriate, regarding modernization of Federal IT.  The report shall:

(1)  be completed within 90 days of the date of this order; and 

(2)  describe the legal, policy, and budgetary considerations relevant to -- as well as the technical feasibility and cost effectiveness, including timelines and milestones, of -- transitioning all agencies, or a subset of agencies, to:

(aa)  one or more consolidated network architectures; and

(bb)  shared IT services, including email, cloud, and cybersecurity services.

(C)  The report described in subsection (c)(vi)(B) of this section shall assess the effects of transitioning all agencies, or a subset of agencies, to shared IT services with respect to cybersecurity, including by making recommendations to ensure consistency with section 227 of the Homeland Security Act (6 U.S.C. 148) and compliance with policies and practices issued in accordance with section 3553 of title 44, United States Code.  All agency heads shall supply such information concerning their current IT architectures and plans as is necessary to complete this report on time.

(vii)  For any National Security System, as defined in section 3552(b)(6) of title 44, United States Code, the Secretary of Defense and the Director of National Intelligence, rather than the Secretary of Homeland Security and the Director of OMB, shall implement this order to the maximum extent feasible and appropriate.  The Secretary of Defense and the Director of National Intelligence shall provide a report to the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism describing their implementation of subsection (c) of this section within 150 days of the date of this order.  The report described in this subsection shall include a justification for any deviation from the requirements of subsection (c), and may be classified in full or in part, as appropriate. 

Sec. 2.  Cybersecurity of Critical Infrastructure. 

(a)  Policy.  It is the policy of the executive branch to use its authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of the Nation's critical infrastructure (as defined in section 5195c(e) of title 42, United States Code) (critical infrastructure entities), as appropriate.

(b)  Support to Critical Infrastructure at Greatest Risk.  The Secretary of Homeland Security, in coordination with the Secretary of Defense, the Attorney General, the Director of National Intelligence, the Director of the Federal Bureau of Investigation, the heads of appropriate sector-specific agencies, as defined in Presidential Policy Directive 21 of February 12, 2013 (Critical Infrastructure Security and Resilience) (sector-specific agencies), and all other appropriate agency heads, as identified by the Secretary of Homeland Security, shall:

(i)    identify authorities and capabilities that agencies could employ to support the cybersecurity efforts of critical infrastructure entities identified pursuant to section 9 of Executive Order 13636 of February 12, 2013 (Improving Critical Infrastructure Cybersecurity), to be at greatest risk of attacks that could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security (section 9 entities);

(ii)   engage section 9 entities and solicit input as appropriate to evaluate whether and how the authorities and capabilities identified pursuant to subsection (b)(i) of this section might be employed to support cybersecurity risk management efforts and any obstacles to doing so; 

(iii)  provide a report to the President, which may be classified in full or in part, as appropriate, through the Assistant to the President for Homeland Security and Counterterrorism, within 180 days of the date of this order, that includes the following:

(A)  the authorities and capabilities identified pursuant to subsection (b)(i) of this section;

(B)  the results of the engagement and determination required pursuant to subsection (b)(ii) of this section; and

(C)  findings and recommendations for better supporting the cybersecurity risk management efforts of section 9 entities; and

(iv)   provide an updated report to the President on an annual basis thereafter.

(c)  Supporting Transparency in the Marketplace.  The Secretary of Homeland Security, in coordination with the Secretary of Commerce, shall provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, that examines the sufficiency of existing Federal policies and practices to promote appropriate market transparency of cybersecurity risk management practices by critical infrastructure entities, with a focus on publicly traded critical infrastructure entities, within 90 days of the date of this order.

(d)  Resilience Against Botnets and Other Automated, Distributed Threats.  The Secretary of Commerce and the Secretary of Homeland Security shall jointly lead an open and transparent process to identify and promote action by appropriate stakeholders to improve the resilience of the internet and communications ecosystem and to encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).  The Secretary of Commerce and the Secretary of Homeland Security shall consult with the Secretary of Defense, the Attorney General, the Director of the Federal Bureau of Investigation, the heads of sector-specific agencies, the Chairs of the Federal Communications Commission and Federal Trade Commission, other interested agency heads, and appropriate stakeholders in carrying out this subsection.  Within 240 days of the date of this order, the Secretary of Commerce and the Secretary of Homeland Security shall make publicly available a preliminary report on this effort.  Within 1 year of the date of this order, the Secretaries shall submit a final version of this report to the President. 

(e)  Assessment of Electricity Disruption Incident Response Capabilities.  The Secretary of Energy and the Secretary of Homeland Security, in consultation with the Director of National Intelligence, with State, local, tribal, and territorial governments, and with others as appropriate, shall jointly assess:

(i)    the potential scope and duration of a prolonged power outage associated with a significant cyber incident, as defined in Presidential Policy Directive 41 of July 26, 2016 (United States Cyber Incident Coordination), against the United States electric subsector;

(ii)   the readiness of the United States to manage the consequences of such an incident; and

(iii)  any gaps or shortcomings in assets or capabilities required to mitigate the consequences of such an incident.  

The assessment shall be provided to the President, through the Assistant to the President for Homeland Security and Counterterrorism, within 90 days of the date of this order, and may be classified in full or in part, as appropriate. 

(f)  Department of Defense Warfighting Capabilities and Industrial Base.  Within 90 days of the date of this order, the Secretary of Defense, the Secretary of Homeland Security, and the Director of the Federal Bureau of Investigation, in coordination with the Director of National Intelligence, shall provide a report to the President, through the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism, on cybersecurity risks facing the defense industrial base, including its supply chain, and United States military platforms, systems, networks, and capabilities, and recommendations for mitigating these risks.  The report may be classified in full or in part, as appropriate.

Sec. 3.  Cybersecurity for the Nation.

(a)  Policy.  To ensure that the internet remains valuable for future generations, it is the policy of the executive branch to promote an open, interoperable, reliable, and secure internet that fosters efficiency, innovation, communication, and economic prosperity, while respecting privacy and guarding against disruption, fraud, and theft.  Further, the United States seeks to support the growth and sustainment of a workforce that is skilled in cybersecurity and related fields as the foundation for achieving our objectives in cyberspace. 

(b)  Deterrence and Protection.  Within 90 days of the date of this order, the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Attorney General, the Secretary of Commerce, the Secretary of Homeland Security, and the United States Trade Representative, in coordination with the Director of National Intelligence, shall jointly submit a report to the President, through the Assistant to the President for National Security Affairs and the Assistant to the President for Homeland Security and Counterterrorism, on the Nation's strategic options for deterring adversaries and better protecting the American people from cyber threats.

(c)  International Cooperation.  As a highly connected nation, the United States is especially dependent on a globally secure and resilient internet and must work with allies and other partners toward maintaining the policy set forth in this section.  Within 45 days of the date of this order, the Secretary of State, the Secretary of the Treasury, the Secretary of Defense, the Secretary of Commerce, and the Secretary of Homeland Security, in coordination with the Attorney General and the Director of the Federal Bureau of Investigation, shall submit reports to the President on their international cybersecurity priorities, including those concerning investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation.  Within 90 days of the submission of the reports, and in coordination with the agency heads listed in this subsection, and any other agency heads as appropriate, the Secretary of State shall provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, documenting an engagement strategy for international cooperation in cybersecurity.

(d)  Workforce Development.  In order to ensure that the United States maintains a long-term cybersecurity advantage:

(i)    The Secretary of Commerce and the Secretary of Homeland Security, in consultation with the Secretary of Defense, the Secretary of Labor, the Secretary of Education, the Director of the Office of Personnel Management, and other agencies identified jointly by the Secretary of Commerce and the Secretary of Homeland Security, shall:

(A)  jointly assess the scope and sufficiency of efforts to educate and train the American cybersecurity workforce of the future, including cybersecurity-related education curricula, training, and apprenticeship programs, from primary through higher education; and

(B)  within 120 days of the date of this order, provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, with findings and recommendations regarding how to support the growth and sustainment of the Nation's cybersecurity workforce in both the public and private sectors.

(ii)   The Director of National Intelligence, in consultation with the heads of other agencies identified by the Director of National Intelligence, shall:

(A)  review the workforce development efforts of potential foreign cyber peers in order to help identify foreign workforce development practices likely to affect long-term United States cybersecurity competitiveness; and 

(B)  within 60 days of the date of this order, provide a report to the President through the Assistant to the President for Homeland Security and Counterterrorism on the findings of the review carried out pursuant to subsection (d)(ii)(A) of this section.

(iii)  The Secretary of Defense, in coordination with the Secretary of Commerce, the Secretary of Homeland Security, and the Director of National Intelligence, shall:

(A)  assess the scope and sufficiency of United States efforts to ensure that the United States maintains or increases its advantage in national-security-related cyber capabilities; and

(B)  within 150 days of the date of this order, provide a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, with findings and recommendations on the assessment carried out pursuant to subsection (d)(iii)(A) of this section.

(iv)   The reports described in this subsection may be classified in full or in part, as appropriate.

Sec. 4.  Definitions.  For the purposes of this order:

(a)  The term "appropriate stakeholders" means any non-executive-branch person or entity that elects to participate in an open and transparent process established by the Secretary of Commerce and the Secretary of Homeland Security under section 2(d) of this order.

(b)  The term "information technology" (IT) has the meaning given to that term in section 11101(6) of title 40, United States Code, and further includes hardware and software systems of agencies that monitor and control physical equipment and processes.

(c)  The term "IT architecture" refers to the integration and implementation of IT within an agency.

(d)  The term "network architecture" refers to the elements of IT architecture that enable or facilitate communications between two or more IT assets.

Sec. 5.  General Provisions.  (a)  Nothing in this order shall be construed to impair or otherwise affect:

(i)   the authority granted by law to an executive department or agency, or the head thereof; or

(ii)  the functions of the Director of OMB relating to budgetary, administrative, or legislative proposals.

(b)  This order shall be implemented consistent with applicable law and subject to the availability of appropriations.

(c)  All actions taken pursuant to this order shall be consistent with requirements and authorities to protect intelligence and law enforcement sources and methods.  Nothing in this order shall be construed to supersede measures established under authority of law to protect the security and integrity of specific activities and associations that are in direct support of intelligence or law enforcement operations.

(d)  This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.


DONALD J. TRUMP

THE WHITE HOUSE,
    May 11, 2017.

Healthcare IT Consulting Bryant De Piazza

Epic, Cerner hold 50% of hospital EHR market share: 8 things to know

In 2016, Epic and Cerner led the EHR market space for acute care hospitals in the United States, with Meditech following close behind, according to the new KLAS US Hospital EMR Market Share 2017.

The data in this study is based on acute care EMR purchasing activity that occurred in the United States from Jan. 1 to Dec. 31, 2016.

Here are eight things to know:

1. Epic held 25.8 percent of the U.S. acute care hospital market share, with Cerner (24.6 percent) and Meditech (16.6 percent) coming in a close second and third.

2. All other EHR vendors held 10 percent or less of the market share.

3. Thirteen of 23 contracts for integrated delivery networks (multi-hospital organizations) went to Epic.

4. Small community hospitals — with fewer than 200 beds — drove EHR purchasing decisions in 2016, accounting for 80 percent of all hospital EHR decisions in the country.

5. The increase in EHR adoption by small hospitals was fueled by the community-specific platforms from Cerner and Epic; acquisition and EHR-standardization activity of larger organizations; as well as an increased interest in athenahealth's new offering.

6. However, customers did complain about the lack of customization capabilities in both Epic and Cerner platforms.

7. While Cerner proved to be the most popular vendor among small hospitals in 2016, athenahealth grew the most.

8. The number of hospitals that contracted with athenahealth more than doubled in 2016, and one-third of the new hospitals included more than 25 beds.

Bryant De Piazza

How the Coast Guard’s ugly, Epic EHR break-up played out

Here’s a look at what went wrong, and what the Coast Guard seeks in its next electronic health record.

What began as a straightforward software contract with Epic resulted this week in the U.S. Coast Guard starting its entire EHR acquisition process over some seven years after it began.

EHR implementations are notorious budget-busters often fraught with missed deadlines and other unforeseen complications, but for an organization to abandon the project altogether and embark on a new beginning is uncommon.

Indeed, this occurrence includes some finger-pointing from both sides. So what exactly went wrong?

October 5, 2010
The Coast Guard awarded Epic a 5-year $14 million contract for what it said at the time would be a state of the art electronic health record platform with modules for dental, laboratory, patient portal, pharmacy, and radiology.  Epic was also contracted to offer training, testing, backup services and help desk support.

April 22, 2016
Citing significant risks and various uncovered irregularities, the Coast Guard pulled out of its contract with Epic.

“The decision was driven by concerns about the project's ability to deliver a viable product in a reasonable period of time and at a reasonable cost,” Lieutenant Commander Dave French, the Coast Guard's chief of media relations, said then. “As a result of the analysis that led to the discontinuation of the project, various irregularities were uncovered, which are currently being reviewed.”

At that point, the Coast Guard returned to using paper-based records for patient care.

French also said the Coast Guard would restart its EHR search.

April 26, 2016
After the Coast Guard said it was closing its Epic contracts and settling invoices, the EHR maker posted to its website a reaction piece titled “Epic and the U.S. Coast Guard: the Facts,” in which the company said the storage area network housing the software project was “inexplicably corrupted with no root cause,” and twice deleted by employees of Leidos, the Coast Guard’s tech support partner for the project, immediately prior to go-live. Epic also said there were hardware procurement delays, a change to the datacenter, re-contracting issues and a federal investigation, all of which pushed back the project timelines.

“We did everything in our power to complete the install. We fulfilled the terms of the agreement and provided the software and implementation services to meet the Epic obligations of the project,” Epic said. “The software was ready to go live.”

April 23, 2017
The Coast Guard’s new beginning emerged in the form of requests for information the Coast Guard posted to FedBizOpps.gov to understand what products are on the market today including cloud-based and on-premise options.

It’s early in the process. RFIs, in fact, are really meant as an information-gathering step so the agency can get a sense of what a state-of-the-art EHR looks like today, which capabilities vendors can either address now or build into their products in short order, and which features the Coast Guard might like but are not yet realistic.

A look into the RFIs found that the agency is seeking information on EHR functions concerning information interoperability, population health, surveillance features, mental health, patient safety, as well as privacy and security functions, among others.

And, of course, it needs to be interoperable with the U.S. Departments of Veterans Affairs and Defense — which already has some industry insiders speculating that the Coast Guard could pick Cerner for its next EHR.

Healthcare IT Consulting Bryant De Piazza

Cerber overthrows Locky as top ransomware menace

Ransomware continues to be the most heavily used malware by hackers, with more invasive methods on the horizon, a new report from Malwarebytes revealed.

Cerber, one of the most successful ransomware variants, was first seen in the wild in March with a new loader capable of evading detection by machine learning tools. And now it seems Cerber has overthrown 2016’s menace: Locky.

Specifically, Cerber accounts for 90 percent of all ransomware infections, a recent Malwarebytes report found. An influx of new Cerber versions released in 2017 has made the variant the most popular and successful on the market.

In addition, Cerber adopted the ransomware-as-a-service model, meaning distribution is rapidly expanding through multiple dark web actors and groups.

“Its spread is largely because the creators have not only developed a superior ransomware with military-grade encryption, offline encrypting and a slew of new features, but by also making it very easy for non-technical criminals to get their hands on a customized version of the ransomware,” the report authors wrote.

Ransomware found its sweet spot in healthcare last year, with hackers using Locky to target the industry with massive phishing campaigns in August. Although multitudes of ransomware variants are available, Locky was the most popular in 2016 for its success rates and sophistication. It also can’t be decrypted without keys.

After a massive surge in Locky attacks in November, however, the virus quickly faded, the report found, but healthcare security professionals should know that ransomware has thus far continued proliferating in 2017 and ranks as the most heavily utilized type of malware used by hackers.

Further, organizations can expect an increase in the development of malware that targets both Mac and Windows systems, which includes evolved delivery, social engineering and spam methods, the report found.

“Targeted malspam has primarily been a Windows problem to date,” the authors wrote. “But the reemergence of Microsoft Office macro malware capable of affecting Macs may change this. Many of these malicious documents include code capable of detecting whether it is running on a Windows or Mac system and taking action appropriate to the system to infect it.”

Healthcare IT Consulting Bryant De Piazza

Top 10 Steps to Health IT Implementation and Long-term Success

With this many factors and technical details to manage, it’s easy to forget the fundamentals.

Successful implementation of information technologies in a clinical environment often involves dozens of key stakeholders, hundreds of clinical and technical considerations, and thousands of end-users. With this many factors and technical details to manage, it’s easy to forget the fundamentals. From articulating a clear vision for your organization, to tracking the right metrics, to prioritizing training and education, it can be difficult to know just where to begin. To help you with the process, here are 10 steps to health IT implementation and long-term success.

  1. Create a culture of collaboration and partnership. Ensure that each member of the vendor and customer teams understands that both parties will either succeed or fail together. In a culture of cooperation and shared priorities, the vendor helps the customer reach the highest level of success, and the customer helps the vendor earn the highest reputation for the work they do.  
  2. Clearly identify key leaders. One of the most important investments any healthcare organization can make is in its leadership team. The customer team members must include (at the very least) an administrative champion, physician champion, and technical champion.
  3. Select and empower a physician champion. Formally select a qualified physician champion based on his/her excellent communication/teaching skills, commitment to the mission, and leadership capability.
  4. Document team mission, vision, and values. Have all team members contribute to and sign-off on these foundational documents. Together, they will help to establish the direction, priorities, and guiding principles that will keep everyone on task and on the same page.
  5. Establish rules for communication and decision-making. Set a rule from the outset that all communications are shared among key stakeholders. Document each implementation task, assign a responsible owner, and create a due date to ensure that each person is accountable and appreciates that an incomplete task means a project delay.
  6. Establish clear objectives, success measures, and timelines. Success often requires changes in technology, processes, and personnel. Start by identifying important benchmarks and metrics that best match your values and project domain.
  7. Training. A training team should be established at the start of the project, including a lead trainer from the vendor, the physician champion, and other appropriate customer personnel. And remember, training is an ongoing process. It doesn’t end upon implementation.
  8. Standardize implementation to boost quality and efficiency. Do what works and use those learned capabilities as you move through your implementation.
  9. Agree on white-glove inspection requirements. Clearly delineate the system and personnel tests that must be completed before you go live and before you complete on-site training. For example, set up a checklist that specifies pre-go-live system validation testing, including best practice default configurations, master-file setup, and emergency procedures.
  10. Measure, compare to benchmarks, and market the benefits. Use technology and the patient visit to communicate with your patient population and continuously solicit their feedback. Applicable technology may include your patient portal, your website, or patient hand-outs. Similarly, let your referring staff and contracted payers understand and appreciate your achievements. Don’t be afraid to make bold claims now that you have the data to back them up. 
Bryant De Piazza

Her way: Epic Systems CEO Judy Faulkner talks about trusting her vision

VERONA — It’s not that Epic Systems CEO Judy Faulkner tries to buck convention. She just thinks her way is probably best.

In the 1980s, when other technology companies were choosing sleek, modern buildings as offices, Faulkner picked an old Victorian home.

When other young startups grew with venture capital and Faulkner was advised to seek some too, she declined. At a time when other entrepreneurs sought business degrees to help run their companies, Faulkner passed.

And when other business people wore suits, heels, ties, stockings, Faulkner, the head of the Verona-based electronic health records giant, opted for comfort.

“High heels hurt. Stockings — stockings are probably like ties. They constrain your thinking,” Faulkner said, in a recent interview with the Cap Times at Epic’s headquarters. “So a lot of it was just like, ‘I can't work this way’ rather than much thinking about defying tradition.”

Read the full transcript of the Cap Times' interview with Faulkner.

Faulkner, 73, trusts herself. She has a resolute fidelity to her own logic, relying on it to chart her course as the head of Epic.

“I wonder sometimes why more people don't do that,” she said. “I always think of it as the yellow brick road. I can see the yellow brick road. I know how to step down it and I don’t want to go off of it. I can see it. And I think for the others maybe they can see it, but they question it. They say, ‘Is it really the yellow brick road?’ But they probably know it is.”

Faulkner asks questions, too, but they are vehicles for solutions rather than doubts. They aid in her single-minded goal to create the best medical software of its kind and to effectively push her employees to help her do so.

Epic’s suite of software has influenced how health care is administered by refining how medical information is collected, analyzed and relayed. The company’s growth has reshaped Dane County — bolstering the economy, spurring housing development and igniting Madison’s restaurant scene.

At its founding in 1979, Epic had three employees: Faulkner and two assistants. Today, it has more than 9,000.

Faulkner has become one of the world’s richest women; Forbes estimates she is worth $2.4 billion. But despite her wealth and the massive influence her company has on Dane County, Faulkner keeps a low profile, avoiding the media and rarely trumpeting Epic’s success beyond the confines of its sprawling, verdant campus.

Faulkner sees health care through the frames of math, which she calls truth, and computer science, its functional better half.

“Math is truth and computer science is what works. It’s great to put them together because you need both,” she said.

From those foundations, she tackles what she sees as an ever-evolving, critical problem: the malfunction of the human body. The intersection of health care and information technology is where Epic has worked over the last 38 years, carving out a greater role for computers in medicine. The well-known MyChart application, used by patients to look up their medical information, is an Epic product.

“I think a lot of it (is) the enormity of the problems people face and the things, the details you have to know to keep them healthier. So that was fascinating to do,” Faulkner said.

“There is the deep passion the clinicians have for caring for their patients and that is infectious,” she said. “You want nothing more than to make sure that you meet the needs of each of those clinicians so they can care best for their patients because they’re depending on us to make sure that they do that well.”

GROWING UP ‘NERDY’

Growing up in New Jersey in the 1960s, Faulkner was a nerd before Microsoft founder Bill Gates made them cool.

“I was really glad Bill Gates came on the scene because he made being in our type of environment, he made being nerdy a good thing, not a bad thing,” said Faulkner.

“It was painful to be nerdy when I was growing up and I clearly was nerdy. But I think it became a perfectly fine thing to be nerdy after Bill Gates,” she said. “So that, it isn’t as much defying anything, it’s who are you, really, and can you be who you are?”

Faulkner’s life is informed by the parents who raised her. They were hard workers, longtime peace activists and community volunteers, according to their obituaries in The Oregonian newspaper in Portland. Both died in 2007.

Faulkner’s father, Louis Greenfield, was a pharmacist and helped spark her interest in health care, she said.

Her mother, Del, “never went to college. She graduated high school (with) straight A’s at age 15,” Faulkner said. “Only later did she realize she could have gotten in for free because she was such a good student and I think that really made her sad. It was a huge regret in life she didn’t do that.”

Just outside the Epic conference room window hangs a framed certificate, a reprint of a Nobel Peace Prize given to Del Greenfield. Greenfield was the director of Oregon Physicians for Social Responsibility, which, through its affiliation with International Physicians for the Prevention of Nuclear War, won the Nobel Peace Prize in 1985.

“That was pretty neat,” said Faulkner.

Faulkner has a sister who is a physician and a brother who is an attorney. Her husband, Gordon, is a pediatrician. The Faulkners have three adult children, two daughters and a son.

ENTERING A NEW FIELD

Faulkner came to the University of Wisconsin-Madison in 1965 to pursue a master’s degree in computer sciences after graduating with a bachelor’s degree in mathematics from Dickinson College in Carlisle, Pennsylvania.

UW-Madison’s computer sciences program was only the second in the country at the time. Its curriculum wasn’t finalized, professors weren’t sure in which school it fit and women researchers were few.

An early class Faulkner took at UW-Madison introduced her to the potential in pairing computer science and medicine.

“Sometimes I think it’s a river you’re floating down. Life just takes you different places,” Faulkner said. “When I was in graduate school, I took maybe what was the first-ever computers in medicine course offered in the world.”

The coupling of computers and medicine was unconventional at the time, said UW-Madison computer sciences professor emeritus Larry Travis, Faulkner’s academic adviser.

“It wasn’t clear that computer applications belonged in the field,” he said.

Early medical computing devices had to be manually fed with information, which was stored on spinning reels of magnetic tape.

Travis said he got to know Faulkner “reasonably well” as a student. They met for an hour each week and she distinguished herself quickly, he said.

“She took a lot of initiative. She did have a lot to say and a lot to discuss, a lot of questions to ask,” he said. “I can remember hoping that she would stay on as my advisee. If I had the opportunity I would have liked to work with her doing Ph.D. research.”

Faulkner didn’t pursue a Ph.D., but UW-Madison awarded her an honorary doctorate from the Computer Sciences Department in 2010. Epic has endowed three faculty positions within the department.

PATIENT POWER

Two of Faulkner’s early mentors were Dr. Warner Slack and Dr. John Greist, both advocates for applying computing devices to logistical health care problems. Faulkner did research with both men that ultimately led her to create Epic’s initial software.

“In 1965 I had the idea (called ‘patient power’) that we could program a computer to interact directly with patients to engage in a meaningful dialogue to explore medical problems in detail and do so in a personalized and considerate manner,” said Slack, a neurology resident then and now a professor of medicine at Harvard Medical School.

Physicians balked at the idea that they could be replaced, in part, by a computer to interact with patients, collect the information they reported and organize it, Slack said.

“It was quite controversial at its time,” he said. “Any doctor that can be replaced by a computer deserves to be replaced by a computer. We’re primarily interested in helping patients, not preserving the traditions of our profession.”

Slack said Faulkner was an “outstanding student and had wonderful ideas.”

“I found her to be very thoughtful,” he said. “She was far-sighted in her thinking.”

Greist met Faulkner in 1969 when he was the chief resident in internal medicine at UW. Together, they would become the primary co-founders of Human Services Computing, later to be renamed Epic.

Greist needed a graduate student to make a call schedule for the hospital using a computer, and called on Faulkner. She stayed up all night several nights in a week to finish it, Greist said.

“This tells you a lot about Judy. When she said she was going to do it, she meant she was going to do it,” he said. “She had kids, and I had kids. She would come and stay at our house over here by West High School. And she would work all night sometimes getting this program done.”

Faulkner later developed a computer program called Patient Information, Storage and Retrieval, or PISAR. She, along with Greist, decided to form a company around it, aiming to use it as a tool to organize and gather patient information.

“The goal of all of this was to bend this computing tool to things that would help people who happen to be patients,” Greist said.


HUMBLE ORIGINS

Epic Systems had scrappy beginnings. Faulkner, Greist and the other co-founders started Human Services Computing in a basement on Madison's near west side in 1979.

The office space at 2020 University Avenue — a building that would later become home to Pleasant Rowland's famous American Girl doll franchise — was sparse. The business had some furniture, Steelcase desks that an interior designer had picked up for them on the cheap, and not much else.

The team did what they could to add some pop to the office, Faulkner said.

“We just got a lot of paint, and painted it different shades of purple,” said Faulkner.

The hardware that hosted the code was a top-of-the-line Data General Eclipse “minicomputer.” The machine, small compared to the warehouse-sized mainframes of the era, was housed in a metal chassis the height of a refrigerator.

“The machine was brand new. Every bit of equipment was great. We didn't have much money for anything else,” said Greist.

Jane Jiumaleh, who trained clients to use Epic’s software in the early 1980s, remembers the office as “a little slapdash.” If she needed to find the tickets for her next flight to meet with a client, she had to rifle through piles of papers strewn across desktops.

“It wasn't messy in a slovenly way, it was messy in a busy personal way,” she said.

Even during the hardscrabble early years, Greist said Faulkner valued fun. Back then, that meant themed picnics. Today, it’s the Epic campus’ Harry Potter-themed castle, Indiana Jones-styled hallway and a treehouse.

Faulkner’s whimsy is also on display each year at the company’s Users Group Meeting — an annual gathering of thousands of Epic clients at the Verona campus — when she dresses up in costume to deliver her keynote address. One year, she was Supergirl; another, she was a Harley-Davidson biker. Most recently, she was the Mad Hatter from “Alice in Wonderland.”

John Volker, the former mayor of Verona, remembers when Faulkner personally delivered a new customized fire truck to Verona's station — a gift that would help the department respond to emergencies in Epic's underground parking structures. She showed up with her white Samoyed dog covered in black cut-out spots to make it look like a dalmatian.

“Her sense of humor, I’d say it rivals ‘Monty Python,’” Volker said.

Faulkner’s love and patronage of art is well known. Sculptures, paintings and imaginative furniture fill Epic’s buildings and campus, many of them bought at Art Fair on the Square, the Madison Museum of Contemporary Art's annual summer art fair. Faulkner frequently buys big-ticket pieces that can make an artist’s year.

The art and whimsy both contribute to an atmosphere of comfort that hopefully makes work more fun, Faulkner said.

“It is not fun in that it's a party. It is that you have to like the work you're doing. Because if you don't...it's a big part of your life. It's important to enjoy it,” she said.

Enjoying the work can enable you to ultimately do it better, Faulkner said. When she meets with potential clients, Faulkner doesn't stress out about it — she just tries to get to know them and understand, she said.

“I often don't think of this as, ‘Oh, this is stressful.’ I think of it as, ‘Whether they choose us or whether they don't choose us, I want to have fun meeting them. I want to learn who they are. I want to learn what they do,’” she said.

HARD WORK, HIGH EXPECTATIONS

The Epic culture Faulkner has cultivated reflects her emphasis on fun. But she also works hard — really hard — and the rest of Epic does too.

Faulkner “was the kind of person who would stay up all night and get it done. And then she'd be looking at you like, ‘you're going to stay up all night too,’” said Jiumaleh, the early employee.

“There may be some people who work as hard as Judy,” said Greist. “But I'm pretty sure there's nobody who's worked harder.”

The impetus for the grind comes in part from the gravity of Epic’s work, recording and holding the sensitive medical information of hundreds of thousands of people and powering software in real time that enables doctors to save patients.

An Epic application misfire during an operation, or while a prescription is being filled, can have direct, intimate consequences. Those real-time ramifications translate to high expectations for employees.

“She cares very deeply. She has very high, high standards and really no tolerance for ‘We’re not going to do it because it’s hard,’” said a manager at Epic who has been with the company for more than 10 years and requested anonymity to talk openly about his employer.

“She is perfectly comfortable saying, ‘This is the right thing to do. Figure out how you’re going to do it,’ which pushes the company to do things it wouldn’t otherwise,” he said. “If you say you can do something, you better do it. And if you say something is hard and it’s going to take you longer, she is going to press you to do it a lot faster.”

Working directly with Faulkner is known to be intense. A common phrase among managers: “Working with Judy is like walking on the sun,” he said.

Jeff Wu, a former manager at Epic who worked as a software implementer there from 2006 to 2012, said Epic’s style mirrors Faulkner’s.

“She’s looking for people who have the right cultural fit,” he said. “It comes down to the mission, right? I think that’s what keeps and sustains Epic. People buy into the mission, that they’re really making a difference by making the software that’s produced there. Judy paints a really strong picture of it … then you’re more likely to make some sacrifices.”

Critics say the company exploits the sacrifices employees make. Epic has been subject to a string of class-action lawsuits for its overtime pay policies, which some critics say leave workers uncompensated for hundreds of hours of work. One such case is currently before the U.S. Supreme Court.

Wu, who now works in health care analytics in Madison, said his Epic experience was a good one that prepared him well for later career opportunities. But as the company became the leader in the electronic health record industry and grew quickly he started to see a change in the culture.

“The culture was starting to get diluted,” he said. “It’s becoming more like they’re arrogant and they assume they’re the best at it, as opposed to working hard to be the best. One of the things that Judy has said is to fight against a sense of entitlement and I think that’s been lost over the last couple of years.”

 

Judy Faulkner poses next to a Data General minicomputer in 1982 at the company’s headquarters in the basement of 2020 University Avenue. The computer, about the height of a refrigerator, used magnetic tape as storage.

AN EPIC JOURNEY

Epic became Epic in 1983, a decade before today’s youngest hires were born.

The Epic name was an idea from Marjorie Klein, a longtime former board member at Epic, early investor and a retired psychiatry professor at UW-Madison. Klein and Faulkner looked up “epic” in the dictionary and saw it was a “glorious recounting of a nation’s events.” They substituted “patient” for “nation” to reflect the longevity of a medical record and the continuity of care, Faulkner said.

“They were very interested in using the computers to encourage people to answer questions that would further their progress — so that’s the journey aspect of it,” said Klein.

Faulkner was a proponent of changing the company’s name to Epic from Human Services Computing. She was committed to the change, although at the time it caused friction with Greist.

In hindsight, Greist said he’s happy she fought for the Epic name.

“She was absolutely right to switch it to something simpler,” he said. “Who would remember a name like Human Services Computing? Everyone can remember Epic.”

The conflicting visions for the company led to Greist divesting and stepping back from Epic. But today, Greist said there's no bad blood between him and Faulkner. She is tough, strong-headed, and tells it like it is, he said. He likes that about her.

“There are no alternate facts with Judy Faulkner,” he said. “The facts are the facts.”

And with those facts, honesty is paramount.

“Everybody knows that you shouldn't lie,” said Faulkner. “But I think that to not omit something (is) important. To never mislead. To not allow someone to make a conclusion that is false without correcting it. Those are the things that we teach our people to do. And I think that really also frees them.”

SHE DID IT HER WAY

At the crux of Epic’s reputation in the electronic health record industry is control — a control over how it interfaces with customers, but also over the way the company itself has developed. In a market rife with billion-dollar mergers and acquisitions, Epic has never once acquired another company or piece of software. Every facet of the company’s software is made by Epic — a point that Faulkner bragged about during the most recent Users Group Meeting last fall.

Bryant De Piazza

Aetna pulls out of another exchange

Aetna and Wellmark are the latest carriers to exit Obamacare for 2018. They cited financial risk and uncertainty as the reasons behind their decisions.

Aetna announced Thursday that this would be the last year it participates on the Obamacare exchange in Iowa, where it is the dominant insurer. The move comes days after Wellmark Blue Cross Blue Shield announced it was leaving the state's market after this year. Both insurers also will stop selling individual market policies outside of the exchange in Iowa.

Bryant De Piazza

DOD reveals Cerner implementation timeline

During a Senate appropriations subcommittee hearing on March 29, the U.S. Department of Defense presented an updated timeline for its Cerner implementation rollout.

Here are five things to know.

1. Stacy A. Cummings, a program executive officer for defense healthcare management systems, testified on behalf of DOD at a hearing on the defense health program budget for fiscal year 2018. She said rollout of the new EHR system, MHS Genesis, will follow a "wave model," ultimately replacing DOD's legacy healthcare systems, which encompass more than 9.4 million beneficiaries.

"This approach allows DOD to take full advantage of lessons learned and experiences gained from prior waves to maximize efficiencies in subsequent waves," Ms. Cummings said during her testimony.

2. The EHR system uses a commercial platform by Cerner as part of a $4.3 billion DOD contract awarded to Leidos, Cerner and Accenture in July 2015.

3. The first wave of facilities to receive MHS Genesis began on Feb. 7 in the Pacific Northwest, when the DOD implemented MHS Genesis at Fairchild Air Force Base outside Spokane, Wash.

4. The next three implementation sites will be Naval Hospital Oak Harbor, Naval Hospital Bremerton and Madigan Army Medical Center outside Lakewood, all located in Washington state. This MHS Genesis rollout will begin at the end of fiscal year 2017.

5. From there, deployment will proceed with 23 waves across three continental U.S. regions and two regions overseas through 2022. The typical wave will include three hospitals and 15 physical locations and will last for roughly one year.

Bryant De Piazza

Doctors demand extreme EHR makeover... right now

Now that so many doctors are on an EMR, they want change, and they are demanding it.

Electronic health record vendors are making the software more user-friendly, but not nearly fast enough. Doctors weigh in on what they need for a better EHR experience.

Just about every week or so there’s a new report chronicling doctors’ frustrations with electronic health records. Drill down a bit and the source of discontent becomes clear: poor usability, clunky interfaces, ineffective search and too many clicks. 

So what would actually make doctors like their EHR?

“They need a tremendous makeover with lots of clinical input to make it easy to do not only the right thing, but the things you do all the time,” said Robert Wachter, MD, a professor of medicine at the University of California, San Francisco. 

Incremental improvements needed now

Wachter said that a makeover would include injecting next-generation EHRs with the ability to bolt on new applications that solve specific problems, including an advanced search function, easier copy-and-paste functionality as well as customizable views. 

But Charles Webster, MD, said what doctors want most is an EHR that fits with their workflow, not one that disrupts it.

Webster is president of EHR Workflow and his response is on point with widespread aggravations many physicians are expressing. What they really want, it seems, is efficient workflow – that enables them to spend less time wrangling with the software and more time focusing on patients. 

“The workflow of even workflow-oblivious systems can be tweaked and made marginally better,” Webster said. “However, at some point, the effort and cost of straining toward more automatic, transparent and flexible workflow within systems not specifically designed to make that possible, will be greater than the resulting improvements.” 

Michael Hodgkins, MD, who is CMIO at the American Medical Association, said EHRs must stop adding to the stress of burnt-out physicians and make the so-called desk work spent documenting in the EHRs after the workday considerably less burdensome. 

Physicians want to provide high-quality care but tending to the EHR takes up a disproportionate amount of their time, Hodgkins said. 

Long-term, it’s about interoperability

While nothing short of a time machine would make today’s EHRs better, Webster said, vendors are improving the software today, albeit slowly. 

Wachter said the Epic EHR he uses at UCSF now has moderately good interoperability with other Epic systems in that notes can be automatically imported and the software offers what he called modest decision support for conditions such as sepsis. 

Indeed, EHR makers Allscripts, Cerner and Epic have been building third-party developer programs that use APIs that enable software to run on their platforms and use their data. 

Wachter said that EHRs should one day take on doctors’ busy work so they can concentrate on medicine and patients. 

“It would learn from the user experience and customize views and actions to anticipate your moves.” 

Bryant De Piazza

AI, machine learning will shatter Moore's Law in rapid-fire pace of innovation

Hospitals already deploying AI
As the next generation of both patients and caregivers – including clinicians, doctors, nurses, specialists, even executives and administrators – starts taking a foothold in the healthcare workforce, hospitals looking for a first-mover advantage already know that AI is on the verge of becoming a critical component across the entire organization, and not just IT.

"I've never in my career seen the acceleration of technology as fast as what we've witnessed in machine learning during the last two years," said Dale Sanders, executive vice president at Health Catalyst.

Sanders, it's worth noting, has a U.S. Air Force background working on stacked neural networks and fuzzy logic, which used to be called deep learning, and has served as the CIO of both Northwestern University and the national health system of the Cayman Islands.

"The rate of improvement happening in machine learning," Sanders added, "is way beyond what Moore's Law is to chips."


"AI and machine learning are exciting opportunities for us to accelerate," Carolinas HealthCare Chief Information and Analytics Officer Craig Richardville said. "To be successful you have to understand how that will fit within your market and your patient population, and you have to be knowledgeable about how to use it."
