Friday, May 1, 2009

Speech recognition software and new security rules for electronic medical records (EMR)

The Stimulus Package includes new HIPAA Security Rules that require practices to post information about security breaches if a breach affects 10 or more patients. If a security breach affects 500 or more patients, practices must notify all of their patients, a local media outlet, and the HHS secretary. And, of course, there’s always the chance of a law suit brought against individuals or organizations when only a single breach occurs.

The new legislation also calls for beefed up enforcement rules and a new aggressiveness in assigning fines. Fines for security breaches start at $100 and can go as high as $1.5 million. In addition, the legislation empowers state attorneys general to enforce some HIPAA elements and gives them the authority to bring class action suits.

These requirements are very similar to those in a lot of states that have laws against identity theft.

So, many of the discussions about this new legislation, especially media reports, center around patient records that have been misplaced, stolen, or hacked from storage in databases, PDAs and the like.

In this post, however, I’ll be concerned only with some security risks that can arise in the very front end of the health information system.

“A journey of a thousand miles must begin with a single step.”

...... - Lao-Tsu

The front end

Voice recognition software and Dragon NaturallySpeaking Medical (DNS) in particular are a great companion to an EMR implementation (and, ultimately, an EHR implementation). You can see what I mean in the following video that shows DNS combined with a Microsoft Word macro automating ICD-9 look up (as it can with any other codes).

And, click here for a video that shows DNS used to dictate a patient history in PatientOS, a free, open source (GPL) healthcare information system (starting at about one minute into this 10 minute demonstration). Note: After watching the video, click the "Back" button of your browser to return to this page.

The figure above shows a very simple EMR system for speech-to-text form generation. Virus attacks (control) of Word itself, as opposed to attacks (control) of its macros, wireless (802.11) breaches, and the like are not considered.

Macros, small programs that run within the application, are of special interest because they can add functionality -- such as laying out a form or, as shown in the video above, automating code look up -- that make the creation of voice-generated EMR forms efficient.

The figure shows a worst case scenario: a speech-to-text process starts with the user speaking into a wireless microphone and finishes with the creation of a Word document. But, Bluetooth (the technology used between the wireless headset and the laptop running speech recognition software) and the macros (VBA) used by the word processor are compromised.

Normally, this implementation is safe, but you should check to assure that it is in your organization.

Bluetooth headset - dongle packages like the one shown in the figure are usually factory paired to each other and safe. However, if you have purchased them separately, or if you wish to use a replacement headset with your existing dongle, you must pair the units. For this, you could use an application like Logitech SetPoint -- one of many -- whose dialogs are shown in the slide show below.

I've laid out these dialogs not as a tutorial but as a reference for you to use as you watch the video that's located immediately above the slide show. In the video, a stealth connection is established between a Bluetooth headset and a hacker standing out of site. The video also shows this task being accomplished using text commands entered in a Linux terminal. The SetPoint dialogs provide a more user-friendly way to enter the same commands: via a Windows GUI.

Neither the video nor the slide show note that, under special conditions, even when a Bluetooth device is not discoverable, a hacker may manage to discover it. Click here for more information on this topic. Note: After visiting the site, click the "Back" button of your browser to return to this page.

The majority of attacks that succeed are simply let through by us users. So, you might consider keeping your device’s Bluetooth turned off or hidden if it isn’t needed. And, never accept any incoming connection requests you don’t recognise.

Of course, you can bypass any and all security risks associated with Bluetooth technology simply by using a wired headset for the creation of your EMR.

Once speech has been translated into Word text, it's accessible by VBA, Microsoft's built-in scripting language. Unfortunately, VBA scripts are prone to viruses.

Click here for a discussion -- one of many -- on macro virus detection. As you will read, this is a complicated business. So, if you're not afraid of being accused of throwing the baby out with the bathwater, you could always disable scripting commands in order to block VBA viruses, by using the Word dialog shown in the next figure. There may be, however, compelling reasons for you not to take this step.

Bottom line: Modern information technology is employed to deliver better healthcare at lower cost. However, it can sometimes be responsible for bad outcomes. It's up to you assure that IT serves its intended purpose.

You can view this post as the ranting of a doomsayer or simply a reality check. Your call! For the sake of full disclosure, I should add that I use Bluetooth technology, Word macros, and even eat junk food occasionally.


After DNS 10 Medical was released, I installed it on a fairly high end PC running the 32-bit version of Windows Vista, put on the wire headset that came in the box and started speaking before I had read any of the manuals or knew any of the suggested first steps.

I didn't check my audio settings:

(1) Correct positioning of microphone
(2) Microphone volume check
(3) Microphone and sound system quality check

And, I skipped the suggested general training session.
And, I skipped using the vocabulary optimizer.
And, I didn't move the Speed vs. Accuracy Slider away from its midway position

I then read out loud a paragraph from the product description literature and watched my every spoken word - save one - appear correctly in Microsoft Word. That one word, oddly enough, was "Plantronics," the manufacturer of the headset that came with DNS 10. A subsequent session of only a few seconds with the DNS voice trainer corrected this result.

Finally, using only the General Medical vocabulary, i.e., not the DNS vocabulary for one of the medical specialties, I read from the opening paragraph of a recent New England Journal of Medicine article. DNS 10 Medical produced the text with no errors whatsoever.

32- and 64-bit versions of Dragon NaturallySpeaking

Recently, 64-bit PCs have been increasingly introduced to the mainstream personal computer arena, previously dominated by 32-bit systems. (In fact, the Microsoft Vista 64-bit operating system now ships on almost 1/3 of all new computers at some retailers.)

The benefit for PC users is that 64-bit versions of the Windows operating system can utilize more memory than 32-bit versions of Windows. In addition to overall program performance, 64-bit PCs can offer added responsiveness when running a lot of applications at the same time.

This higher level of performance is exploited by a new 64-bit version of DNS.