By Ken Olbrish, MSBE

In the June 2008 issue of 24×7 I wrote a “Networking” column discussing a scenario where an incorrectly entered IP address rendered a network at an outpatient site unavailable for several hours. The article provided a number of recommendations on how to avoid this type of event.

A couple of months ago at the FDA-Association for the Advancement of Medical Instrumentation (AAMI) Interoperability Summit, one of the examples discussed at the meeting was how an incorrectly entered IP address rendered a PACS unavailable for several days. Does this sound familiar?

Ken OlbrishKen Olbrish, MSBE

At the end of the June 2008 column I pointed out that the particular facility that experienced the outage put practices in place to ensure that a similar event would not happen again. I am happy to say that 4½ years later this facility has not experienced a similar outage because of those practices.

However, as seen at the Interoperability Summit from just a few months ago, other facilities are still experiencing this type of issue, which brings up the question of why are these types of events still taking place?

It is now common that medical devices and systems are all interconnected to various degrees, and medical facilities are heavily dependent on IT technologies for their day-to-day operations. Thus, errors that may have caused small issues only a few years ago can now cause significant issues today.
To make matters even worse, adding more and more interoperability has added a level of complexity within health care that never existed in the past.

Resource Demands

It could be easy to dismiss the type of errors seen in the original event and the more recent event as inevitable results of utilizing increasingly complex technology. It could be easy to dismiss them by saying that it is impossible for any individual to keep up with the technology, and thus they are prone to making errors. And, it could be easy to dismiss them saying that due to increasing demands on resources it is easy to make this type of error due to limited time and resource availability. Yet doing so clearly will never solve the problems, and will more likely only lead to more significant errors occurring in the future.

People will make errors for any number of different reasons. Certainly, systems and medical devices should be designed (and are being designed) to minimize the likelihood of human error in the use of those systems and devices. Nevertheless, despite the best design attempts, errors will still take place.

What is essential is to learn from those mistakes both within organizations and within the health care industry in general. I have seen many organizations that conduct post-incident evaluations or root cause analyses to determine the root cause of the incident, and then turn around and not put any measures or practices in place to ensure that similar events do not take place again. I have even seen facilities come up with practices that should be put in place, and then never implement them.

What is essential is to learn from those mistakes both within organizations and within the health care industry in general.

Many of the same excuses for why recommendations from root cause analyses go unimplemented are the same as why issues arise in the fist place—too little time or resources, too much complexity, etc. And the issues continue.

It is easy to conduct a root cause analysis that only skims the surface of why issues occurred, but this has little value. It does take time and resources to conduct a thorough root cause analysis—and the solutions may not be easy to implement. However, in the long run the cost in terms of time lost, resources wasted, recurring issues with more significant impacts, etc, greatly outweigh what is needed to understand where problems are occurring and to implement solutions and practices that would prevent those issues from happening over and over. This is not a new theme in health care or any other field, but it is one that is easy to overlook.

Sharing Failures

The other issue is that while individuals and organizations are willing to share their success stories, they do not want to share their failures. This is part of human nature. How often do you go to a conference and see sessions on things that did not work? How often do you read articles that highlight where organizations have failed? Unfortunately, it means that the results of root cause analyses are not routinely shared outside of the organizations that perform those analyses. And it means that mistakes made by one health care organization are made by other health care organizations on a daily basis.
Today, many of the mistakes made in the health care IT space are not new. While very complex technologies and integrations are being used, the mistakes made are those that have been made for years. Looking back at the column that I wrote in 2008, there were three basic causes of the issue that occurred at the time:
1) Fixed deadlines were allowed to drive project time lines, thereby cutting short the time needed to properly implement and test the device.
2) Vendor resources were allowed to implement a device on a facility’s network without oversight by facility resources who understood the environment into which the device was being installed.
3) Resources involved with the device setup were not adequately trained to understand the device’s networking components.

Not one of these causes is anything that anyone reading this column has not heard before. It is quite likely that if any of the three causes was addressed prior to the incident, then the incident may not have taken place.

Adding more and more interoperability has added a level of complexity within health care that never existed in the past.

As I mentioned earlier in this column, the facility I wrote about in 2008 learned from this mistake, took the time to perform a thorough analysis of the causes of the issue, and developed and implemented practices to ensure that this type of issue did not take place again. These practices have been successful, and there have been no instances of similar events taking place. However, in looking at the causes in hindsight, one could easily imagine that practices could have been in place to address these causes before the incident.

The health care IT space has recognized the potential criticality of errors for many years. Standards such as IEC-80001 have been developed to try to minimize the risks associated with incorporating IT technology into health care. Certainly, health care facilities should be looking at standards like IEC-80001 and similar ones developed by IT professionals in other industries. Nonetheless, even if they cannot, health care facilities should take the spirit of these standards and embody them in their day-to-day practices. Facilities should look at where they made mistakes, determine the cause of those mistakes, and put practices in place to ensure they do not happen again. Facilities should share their findings with other facilities to better educate the health care IT industry and health care in general. And, facilities should look at areas of potential failures based on knowledge gained from the industry.
Then, perhaps in another 4½ years, the story will be different. 24×7 Networking January 2013

Ken Olbrish, MSBE, is the communication product manager for Arthrex California Technology in Santa Barbara, Calif; and a member of 24×7’s editorial advisory board. For more information, contact the editor.