At first, bioterrorism — whether it's inhalation anthrax, smallpox, pneumonic plague or something else entirely — will probably feel like the flu. You'll be miserable, but you probably won't be alarmed. You'll go to your local drugstore, clinic, maybe an emergency room. Doctors in one place or another might notice a small uptick in patients with flulike symptoms. But no one will see the pattern. Until people start dying.
That is, unless a sophisticated computer network could transmit and integrate patient information in real-time so that health officials could see what was happening across hundreds, if not thousands, of facilities. And that's just what legions of technologists and clinicians in US public health departments, hospitals, laboratories and pharmacies are trying to develop right now.
"The systems are being defined and created as we speak," says Rosemary Nelson, chairman of National Preparedness and Response, a new bioterrorism task force created by the Healthcare Information Management and Systems Society (HIMSS). If such a network existed, health officials could sound the alarm in that precariously short window of time when the spread of the disease could be stopped.
The system could be information technology's finest hour, saving lives as well as money. Even without a bioterrorism attack, a surveillance system would be useful in detecting the early stages of any disease, such as the recent outbreak of the mysterious ailment called SARS, or severe acute respiratory syndrome. Such a system could also help lay the groundwork for a long-desired standardisation of electronic medical records, which would significantly reduce errors in patient care and save substantial amounts of time and money.
But if the pieces don't come together — or if they do but in the process erode the concept of patient confidentiality — then that could be IT's greatest failure.
"[Technology] has so much potential use in bioterrorism and health care, but the word is potential," says Dr Eduardo Ortiz, a senior fellow with the Agency for Health Care Research and Quality at the US Department of Health and Human Services, which in August 2002 released a 354-page report about how IT could be used for bioterrorism preparedness and response. "We're not there yet; we're not even close," he says.
Since the anthrax attacks in Connecticut, Florida, New York and Washington, definite progress has been made in creating an effective early warning system for bioterrorism. But wildly disparate computer systems, disconnected and often overlapping projects, and a lack of industry standards still stand in the way of creating the kind of network that can save lives.
In late January, HHS Secretary Tommy Thompson unveiled a $US3.5 million command centre in Washington. Seeking to reassure a public nervous about biological and chemical attacks, Thompson explained that this new command post would let him coordinate the response to a bioterrorist attack and bring together everyone from the CIA to the Centres for Disease Control and Prevention (CDC), which is part of HHS. As CNN cameras filmed a wall of video screens 24 feet wide and 7 feet tall, correspondent Wolf Blitzer told viewers that they were witnessing "how your life could be saved."
It was all window dressing. In many parts of the country, the primary mechanism for detecting bioterrorism — or any epidemic — is still the cards that doctors are required to fill out with the patient's name, address and diagnosis, and submit to local health departments when they come across a disease that poses a significant health risk. The diseases that must by law be reported vary state to state: West Nile in New York; the hantavirus in New Mexico; most sexually transmitted diseases, everywhere. The root philosophy is that doctor-patient confidentiality must sometimes be secondary to preserving public health. (The notable exception to that rule is when a patient has AIDS or is HIV-positive.)
On a local level, health officials use those reports to track treatment, notify others who may have been infected or quarantine an individual if necessary. On a broader level, epidemiologists look for disease patterns across the city, county, state or nation, and alert health-care practitioners and the CDC to anything unusual.
Some local health departments have started allowing clinicians to submit this information electronically, but not many do. Many health departments still worry about upgrading their dial-up Internet connections to broadband.
For doctors, the reporting process is so labour intensive that observers put the compliance rate at less than 20 per cent. That means that four times out of five, doctors never even bother to fill out a report. Fortunately, the laboratories where they send their tests tend to be more automated and therefore more likely to file that information electronically with the public health department. But no one believes that public health departments have anywhere near a complete view of what's going on — regardless of the bank of video screens that adorn Thompson's command centre.
"In retail America, they long ago made the entire supply chain of data electronic from cradle to grave," says CDC CIO James D Seligman. "The chairman of Wal-Mart can find out how many widgets got sold an hour and a half ago anywhere in America. That's where we're trying to get with health data — to enable that electronic passage of information from the point of encounter, when a patient sees a health-care professional, and then pass all that data on electronically to the appropriate jurisdictions."
The health-care system is a long way away from that, says Jim Klein, a vice president and research director for Gartner. Even in areas where local health departments do accept information electronically, Klein estimates that only about 5 per cent of hospitals have fully automated medical records. That lack of automation and standardisation means that the disease-reporting process is not only spotty but also slow. A doctor's office might wait until the end of the month to mail its stack of forms to the local health department. From there, the forms could take another month to be processed, analysed and sent on.
Needless to say, that's just not fast enough for bioterrorist incidents, which doctors say they must respond to in hours, not weeks. Anthrax victims, for instance, should be treated in the first couple of days after exposure. By day six, when a person is sick enough to go to the emergency room, she might be too sick to be saved.
"Epidemiology is good and gets you to disease recognition, but unfortunately [the recognition comes] a month or two after the information is worth anything," says Dr Michael Allswede, an emergency room physician and clinical associate professor at the University of Pittsburgh School of Medicine, who was also a US Army medical company commander in Desert Storm.
It gets worse. Even if all the information available about disease diagnoses were collected and analysed in real-time, that still wouldn't be enough to short-circuit a biological attack. That's because the information US health officials possess under current law and practice is insufficient. Doctors have no reason or obligation to report many of the early warning signs of bioterrorism — the flulike symptoms that could be public health officials' first hint that something has gone wrong. In fact, the Health Insurance Portability and Accountability Act (HIPAA) prevents doctors from sharing any kind of personally identifiable patient information with a third party, except in cases when the public health departments need to know about a legally reportable disease. In other words, a doctor is legally obligated to notify public health that a certain patient has anthrax but legally forbidden from notifying public health that a specific patient has the symptoms of anthrax.
Nevertheless, a few local health departments are starting to gather symptom information that could give early warnings about the outbreak of a disease. But this "syndromic surveillance," as it's known, is being held back not just by technological challenges but by political ones, as health-care providers grapple with the line between trend information — perhaps including a patient's age, gender and ZIP code along with his symptoms — and the personally identifiable information protected by the HIPAA legislation.
Tracking Symptoms in New YorkNew York City has stopped waiting for doctors to fill out those little cards. Instead, the city is working on what it hopes will one day be a model of how to identify the outbreak of a disease in its earliest stages. More than two years ago, the New York City Department of Health and Mental Hygiene started gathering 911 call data for cases involving sickness and respiratory distress. Then, shortly after September 11, the department also began collecting from emergency rooms what's known as the "chief complaint" of incoming patients, such as fever, nausea or a persistent cough. This is the most likely health information to be entered into a computer because even if patient case files are not automated, insurance and admittance systems usually are. That information also includes a patient's age, gender and ZIP code, but not his name, ethnicity or other personal data.
The information comes in to the NYC Health Department via secure FTP once or twice a day, sometimes just in ASCII format, with about 40 of the city's 90 hospitals participating so far. "We said, 'Give us whatever you have, and we'll put it in a common form for analysis,'" says Ed Carubis, CIO of the NYC Health Department. "We didn't force them to use a certain data standard or make them jump through hoops because what we really wanted was participation."
Using that information, public health officials can now identify the start of flu season two weeks before the trend shows up in laboratory results, allowing them to get a jump on awareness campaigns. The department has also started gathering information about certain kinds of prescription and over-the-counter drug sales (from at least one major pharmacy chain) and absentee rates (from a few major employers in the city).
Will the city start tracking sales of orange juice and Kleenex next? Carubis can't be sure because the NYC Health Department is still trying to figure out how, exactly, to extract meaning from pharmacy sales and absentee rates. (What red flag goes up when there's a run on Maalox?) He also won't say which pharmacies or employers are sharing numbers with the city. That probably has something to do with the fact that this kind of system, frankly, gives some people the creeps. Privacy advocates wonder how useful this kind of information can really be and what further invasions of privacy it might lead to.
Who's Doing What?For one researcher, New York's fledgling surveillance project is just line 47 on a spreadsheet of projects. John McLamb has been trying to pull together a comprehensive list of all the national, state and local bioterrorism initiatives that health departments, universities, professional associations and even the Department of Defense are currently attempting. McLamb, who is director of informatics for emergency medicine at the University of North Carolina at Chapel Hill, is doing the work for HIMSS's group on bioterrorism and not at the behest of any federal agency.
Every line on his spreadsheet has a story. In Kansas City, for instance, health-care vendor Cerner is working with local hospitals to automatically send certain computerised lab reports to health departments in Kansas and Missouri. Only health departments have the key to unencrypt identifying information, but physicians at any of the 23 participating hospitals can view the region's trend data for research purposes. "Before, we were living in our own little pockets of data," says John Wade, vice president and CIO of Saint Luke's Health System, one of the participating organisations.
In the Minneapolis area, after much wrangling over HIPAA, the nonprofit health-care organisation HealthPartners started sending information about flulike illnesses to researchers at the Harvard Medical School, as part of a $US1.2 million early warning system funded by the CDC. Other participants include the HMO Kaiser Permanente and Optum, which operates a national 24-hour health hotline. "I've spent as much time working on the privacy concerns as everything else combined," says Dr James Nordin, a clinical research investigator at HealthPartners. "What we have done is to be very limited about the information that goes out to the Minnesota Department of Health and even more limited about the information that we send to the data centre at Boston."
And in New Mexico, researchers at Sandia National Labs have developed a system called the Rapid Syndromic Validation Project — the only one of the bunch that, instead of fishing information out of existing data streams, requires health-care providers to actually log on to a secure Web site and type in information about a patient's symptoms in exchange for trend and treatment information. "We tell the doctor that we only want sick people, and we give the doctor something back that's relevant to the patient they're treating — not in 10 days but in 10 seconds," says Alan Zelicoff, the senior scientist who developed the system and hopes it will eventually be used across the country.
In those programs and dozens of similar ones in the works, there's more than a little braggadocio involved. "This one's the best," Zelicoff says, by way of greeting this reporter when I called for an interview.
And there's more than a little overlap too. "I see a lot of efforts out there that are redundant," McLamb says. "If people who are doing the same thing would get together, they wouldn't have to reinvent the wheel."
Pocketbook PersuasionWith so many projects being developed by so many entities, the ultimate success of any national bioterrorism surveillance system will depend on one thing: whether those systems can ever talk to each other. And if there's one thing that everyone involved agrees on, it's the need for standards.
The federal government has taken one big step in that regard. In March, the US Department of Health and Human Services along with the departments of Defense and Veterans Affairs jointly released the first set of uniform health information standards for exchanging clinical data electronically across the federal government. When developing new systems, all federal agencies are now obligated, among other things, to use the Health Level 7 messaging format — a set of drug-ordering guidelines already adopted under HIPAA — and a group of codes for laboratory results.
Ultimately, though, public health is a very local activity. It's you, your doctor, your exam room, your lab test results. When it comes to reaching the state and local health departments that interact with all the players, the federal government has a lot less control than one might expect. "Typically, if there's an outbreak of a disease at the local or state level, they will handle it locally or invite the CDC in on an as-needed basis," the CDC's Seligman says. "We offer our assistance, but ultimately it's their call."
The one way that the federal government does have power to persuade is with its pocketbook. And that's where the CDC's National Electronic Disease Surveillance System (NEDSS) comes in. This system lays out a sort of meta-standard for both health-care information and IT standards. All state health-department systems must be NEDSS- compatible — at least they do if they want a piece of the $US918 million in bioterrorism grants that the CDC is handing out this year.
This pocketbook persuasion could pave the way for electronic medical records in the health-care industry. "These standards that make national disease surveillance work are the same standards that we'll need if we're going to move forward to a day when you can ask a doctor to send your medical records electronically to a new doctor," Gartner's Klein says. But the work also highlights just how difficult the journey will be.
Pennsylvania is one of the few states that has already adopted the system. There, the state Department of Health built a NEDSS-compliant application that allows doctors to go to a secure Web site to report a disease. As soon as a doctor hits "save," the information is available to public health investigators.
Development was no small task, says Mary Benner, CIO and IT director for the Pennsylvania Health Department. The state had to consolidate some 6000 data fields from 100 forms to 600 actual data elements in the database, and also work out problems with providers on antiquated operating systems trying to use the digital certificates that enable secure, encrypted communications.
Now, the biggest challenge is getting doctors to register. Since July 1, when the system went live, the department has received 57,000 cases of reportable diseases electronically. It also gets several hundred reports a week in paper form. "Some [doctors] are very enthusiastic, and others don't have a computer in their office and don't want one," Benner says.
With that kind of reluctance and the ongoing challenge of getting the industry to adopt a set of standards, a national bioterrorism surveillance system seems far off, indeed. Right now, truly effective public health surveillance must await the resolution of a national debate on how homeland security will play out in a country that has always prided itself on its freedoms. And that debate will increasingly depend on how well technology balances the public's need to know with the individual's right to privacy.
"We have to decide as a nation how much security and privacy we need when those two things are in a trading relationship," says Pittsburgh School of Medicine's Allswede. "What we're doing in terms of information technology — and where it has to progress — is a microcosm of that larger sociological change."