121 comments

[ 0.18 ms ] story [ 195 ms ] thread
As a software developer, I can relate so much! The amount of trash garbage that IT installs on my (company's) laptop, the unnatural things I need to do to access my cloud environments, the credentials expiring at an insane pace, — all of these contribute to quite a negative experience.
The article is about Epic, a terrible medical journal software.

What you say differs between IT environments and clients. We usually just deploy EDR/MDR like S1 or Defender (Defender that comes with Windows) and deploy settings, so you cannot have a crazy long uptime and force Windows updates, yes you need those.

According to some standard body like NIST, you are now supposed to have a longer password or passphrase that never expires.

(comment deleted)
I never understood what is so special about hospital pacient software. Why cant they do this with the Microsoft 365 suite with Sharepoint for files, Teams for chat, files etc and Word to write notes in?

Or Google Workspace for that matter.

Aren't they just writing notes and ordering meds?

Why is it this mess that is Epic and Oracle Cerner?

*Sure being in the downvotes

Partially it's about data privacy regulation (HIPAA) being especially strict for patient data. It's also a little more complicated than writing notes and ordering meds.
It seems from my naive perspective that Google and/or Microsoft could modify their existing workspace products quite easily to make then suitable for use in hospitals, no?
No. This is a very complicated domain due to the stringent legal requirements (which vary by country of course). Also, going in to healthcare software would trigger anti-trust lawsuits in a number of regions.
Regulations. MS365 isn't the right tool for the job similiar like you can (ab)use excel for many things it shouldn't be used for.
Audit logging requirements, national legislation concerning healthcare records, certification (ISO 27001 etc. and healthcare specific extensions), domain knowledge (just entering everything as searchable plain text may have its charms, but limits what can be done automatically with the data, which, crucially, includes generating reports on certain specific occurrences including incidents); the list goes on.

Doing this in a Google or Microsoft cloud environment is going to get messy real fast, and legal will block this for being non-compliant.

From what I know of enterprise software it's basically an MSSQL or MySQL box having all the data in the end and IT has to back up it, so they have db admin lmao

Yes very secure.

Epic is something entirely different.
Not a lawyer, but my understanding is the main issue with healthcare services on the cloud is auditing physical access to the machines. If any questions come up then the service provider "should" be able to tell a court exactly where a healthcare company's data is and what technicians had access at different times. Microsoft, Google, etc are still totally happy to sell that service, but there is a separate legal agreement that has to signed to say "we care about healthcare privacy".
Specifically, you have to get them to sign a HIPAA Business Associate Agreement (BAA). The good news is that Amazon makes this an automated process in their compliance portal, so you can knock that out in 5 minutes and then go on with the rest of the planning.
Also worth noting that not every resource and instance type is covered by a BAA so there’s a bit more to it than just signing an agreement and doing whatever you want.

The responsibility remains with the user rather than the cloud provider to ensure compliance but they will do their part if you set things up correctly.

You’re missing at least an order of magnitude of complexity here.

For starters the data generated by a single hospital EHR is something like 10-20 TB/year.

The data is stored (essentially indefinitely) in multiple databases of varying availability, formats and interfaces. It is generally on prem, with multiple failover systems as well as long term backup and a read-only failover usually in the cloud.

Somewhere in this process the data is stored in a non-clinical use data warehouse which has strict physical and digital access restrictions and detailed logs.

Backups are obviously automated. Logs cannot disclose protected health information.

IT accessing individual records would always be flagged to the CIO and CPO offices and audited.

A % of providers are randomly audited by the same offices and certain accesses automatically trigger an audit (for example if I open my own chart, or if I open the chart of a patient who has restricted access - this is audited even if I’m part of their care team and state so in the prompt that comes up when I open the chart).

Physical access by infra providers is disclosed and audited as well.

It’s actually quite secure largely because the fines for failing to do so are quite hefty for the hospital.

Standardised names and codes for every disease, injury, condition, diagnostic process or tool, medication and treatment.

Standardised workflows for entering diagnoses and treatments. Automated warnings when a treatment might be inappropriate, or drugs might interact.

The problem space is enormous.

> writing notes and ordering meds

This is something that is obscure to mostly young, mostly healthy people. When you think of "going to the doctor", you think of a checkup, or a UTI, or an annual gynecologist visit, or something else that happens in a clinic. Or maybe you think about your grandmother being admitted with pneumonia. And in that case, yes, it is largely writing a note and ordering meds (and a diet, and labs, and nursing order parameters for as-needed medications). But nurses are recording vital signs, and those should be searchable under vital signs. Ideally, they should flow directly from the machines taking those vitals - in anesthesia, for instance, we record vital signs at least every five minutes if not more often, which in a hairy case with a lot going on means treating the patient or treating the computer, with the understanding that you have ten or twenty minutes of data entry to follow an hour of actually treating the patient. EVERY code situation has a nurse (an RN, not an LPN or nurses' aide) whose entire job is to sit there and record the times that events occurred so that everyone else can go back after the fact and record meds given, interventions taken, etc., accurately. It takes much less time on a piece of paper than it does on a computer, because paper anesthetic records were designed to minimize cognitive workload and computer ones were not.

As for ordering meds, all of those orders have to be checked by a pharmacist and cross-referenced to ensure that there are no unexpected interactions. That's their legal obligation; they're not going to short-circuit it. And that has to be tied into billing (even in a national health system, you need to know what to order more of), and Medication Administration Records (the MAR). And every one of those notes needs to be classified by who wrote it and what department they were from, as well as the note type, so you can filter out the ones you don't need to see for one purpose or another. Intraoperative anesthetic records and surgical operative notes are the two most relevant to me as an anesthesiologist; what happened last time, and did they run into unexpected troubles? We don't like being surprised.

Billing is more complicated in the US than in most countries, but it's part of the game too (it factors into metrics, and you can't reasonably hold a neurosurgeon doing tumors to the pace of pediatricians doing well-baby visits).

The paper medical record, for all its faults, was a highly refined system, and it's not just a matter of "make a text file containing this note".

> Aren't they just writing notes and ordering meds?

This is the mistaken assumption. There is a _lot_ more going on. Sibling comments have given some examples but here's some more: - appointment booking and scheduling - waiting lists - referrals to other institutions (which may use a different IT system) - communications with patient (including automatic appointment reminders, bulk contacts etc) - integrations with many, many other systems - reporting - billing - complex IAM: there are many different roles in a healthcare setting all with different access requirements

Fwiw a lot of institutions _do_ use office 365, sharepoint etc but those tools just don't do enough by themselves and aren't integrated in the way that EHR software typically is.

Medical software that is based around billing, not treatment.
There is lot of more complex workflows than someone going to doctor for consult.

Just think of getting some labwork done. First it needs to be ordered. Then patient must go to nurse to get blood drawn either immediately or after not eating long enough. Nurse needs to know how many samples are needed and if there is something special. Then those needs to be tracked and delivered to lab. Lab needs to know what tests to run. And then results need to be available for years.

And you probably want some sort of alerts for values outside expected ranges and in cases where they are really off. This might consist of one or multiple systems, but all those should interoperate automatically.

And that isn't even imaging or treatments.

When I first moved to my current state some years ago, I shopped around for a primary care physician. One of my criteria was that the office not use Epic. I had seen it in action before and heard the complaints.

Unfortunately, it didn't last long. 6 months later, my GP was excited that their office was transitioning to Epic. Told her to be careful what she wished for. Another year later and her tone had changed completely.

Epic is the Blackboard of the medical industry.

I’m a doctor and have used Epic and other EMRs extensively. The most accurate thing I can say is that Epic is the least horrible EMR available. It’s probably a 3/10 overall while everything else is much worse.
I mean, are there any good EHR systems? Lol

I would love to see more wide spread adoption of FOSS EHR systems, once with actual feedback and development input from doctors. I don't think it will happen. Meaningful use and interoperability have basically made it so Epic and Cerner and the other big players have an advantage due to resources for development.

I had a glimmer of hope, Ohio (where I'm from) was considering allowing a companies to bid on a contract to to host a low-cost/subsidized OpenEMR instance and letting healthcare systems use it. Sadly nothing ever came to fruition.

It's big, it's complicated, and nobody wants to write all the necessary but mind-numbingly boring interfaces to a thousand older devices and systems to make the glue unless they're being paid well to do it.

For all that CPRS - the old VA EMR, paid for by the federal government and thus openly available - got a lot of flak from all angles, not least of which was IT (the whole thing is written in MUMPS and the CLI underneath the GUI could be charitably described as "arcane"), it was a fairly easy EMR to "get", and once you learned how to filter things, you could at least see everything going on.

With Epic, Cerner, and the others, you don't. You have a silo'ed role. Early on in our Epic migration, I discovered that I had been misclassified by the system. I was a doctor, yes, but I had a range of options open to me that were appropriate for an ICU doctor, not an anesthesiologist - I simply couldn't do a lot of things that were my bread and butter. Finding information outside your normal specialty is difficult and requires a very precise set of clicks (which are not in any way intuitive) to get to the information you want. I stunned one of the cardiac surgeons by showing him how to get access to the OR status board (which he had, just not as simply as we do) and how to customize it to show him everything going on in every cardiovascular surgery room and in the cardiac catheterization lab. Now, when a cardiologist calls him to say "I'd like to consult you about the patient I just did a cath on, think he needs bypass surgery instead of stents", he can skip getting a medical record number and just open the chart directly from the list.

I can't read nursing notes. I've tried, and I know the information is there somewhere, but unless I've been given access to a flowsheet that shows it (and that is another obscure thing), I can't see it. Labor and delivery nurses don't have access to anesthesia records, so they can't see what medications their patient got during a C-section, and end up having to call one of us to tell them precisely what was given and when. Most surgeons don't know how to look at the anesthesia records (it's not easy) for their own cases, let alone their partners' (when covering call), so again - they have to call us to ask. I had to open up one for the head of the peer review committee to show her what had happened in the operating room after a patient death.

There are always going to be privacy concerns, but these systems all have aliasing ability, and in any case retail-level, one-by-one accessing of sensitive people's info is going to raise a lot more flags than data breaches involving millions. Not letting me see what went on before, during, and after for a patient I have to care for is far worse.

These systems are highly configurable because every hospital wants to do things their own way. There's a good chance many of your complaints are a result of configuration that can be changed. Go to your IT staff with a list.
This.

Every hospital I’ve worked at has used Epic and every one has a different “custom” version with different UI and user role configuration.

Even within the same hospital the UI and default displays widely varies based on context and role selection when logging in.

Nursing notes are definitely accessible in every version I’ve used and I also read them fairly frequently (often more useful than MD progress notes) so your hospital may be hiding non-provider notes from you. It would be strange though, are you sure you don’t have “show provider notes only” checked off (or that box hidden)?

I've looked under the Notes tab, and under Chart Review -> Notes, and turned off all filters. Nope. I get nursing "plan of care" notes, but not their regular floor notes.
Strange, I'm a radiologist and this happened to us at the very beginning of the Epic transition as well (they also dropped ER MD notes from our profile) but we gave that feedback and they changed it within a few weeks as we used the magic words of "impacting patient care".

This limitation isn't an Epic default feature and must have been set by your institution or whoever created the anesthesia role for some inexplicable reason, there wasn't actually a justification or privacy concern for why this was set this way for radiologists at my institution and seemingly was set by someone in IT thinking it was extraneous to us.

That's the vibe I get. "You don't need to change it"... yes, we do.

Dunno, at this point I'd settle for being able to establish custom filters for my status board. But I've learned that a lot of weirdnesses have to do with interfacing with other software.

This is true, but these custom configurations have become so ossified into each hospital's workflow that there's minimal hope of reversing the mistake.
I'm sure that it can be configured that way. But they won't give me the keys to set up custom filters. I've got contacts that realize that I'm not a moron, and I would never touch defaults in production, but I can't even get a playground where I can do EVERYTHING to figure out where the problems might be.

And if a guy who has their own IT staff telling them it can't/won't happen, despite actual onsite EPIC staff saying it's entirely possible, you see why. When you tell users to go away, and tell interested users that they can't share their improvements, not even privately, you are doing a disservice and you owe me at the least an explanation of why doing it is bad. Maybe there's a good reason that I should be allowed to mess my own system up but not let anyone else enjoy it that way, but I struggle to understand why. The whole thing can be re-imaged if I screw up too badly, after all.

You're blocked from the Epic-PLY and developer sandbox environments?

Are you talking about custom chart review filters? Also not sure why that's blocked, I use those a lot and we can copy them from other user profiles without going through IT. But yes to have this be a default for new users we still need IT approval which no one has bothered with.

This sounds like draconian institutional policies are the limiting factor.

There's a playground, but I have no more power there than I do in my own production environment except that I can write an order like "all-unicorn diet" and nobody would see it. I don't know precisely what you mean by Epic-PLY and "developer sandbox"; I'm an end-user, not a developer. Other than knowing some of the IT team and being the local point of contact, I'm no different from any other anesthesiologist in terms of control. What I would like is a sandbox where I can do anything, figure out what's possible, and then report to the team the things I've found and ask if it would be possible to put them in production. Maybe yes, maybe no, but we live and die by the status board (if you ever get involved with EMR and anesthesia, a good status board is the most critical piece of infrastructure). And I can't even share mine with others.

Draconian institutional policies are indeed an issue. WiFi calling is blocked, despite the fact that a significant part of our first floor has zero cell signal.

If you get bored, PM me and we'll set up a time where I can show you some samples. I'll need a few days to sanitize them of identifiable info.

Got it, Epic-PLY is the playground version that comes with every Epic install. Sounds like they've restricted playground user roles as well, you'd need your hospital IT to change that in the playground environment.

There's a developer sandbox as well that's more feature rich but from what you're describing I doubt they would have enabled access for you although most hospitals do. I would ask someone in IT you know to either give you a superuser role in the playground or access to vendorservices.epic.com

You can't PM on here but my e-mail is in my profile. If you're hitting a dead-end shoot me an e-mail and I can add you to my developer playground to mess around with.

Ah, it's rather hard to find but I do indeed have Epic PLY, thank you for the information. I shall investigate. There may be more abilities there than I knew about.

Still, sad that I have to go to HN and actual tech workers in completely different places to figure out how to use a system that is nominally under control of my own hospital. I don't blame you for not giving doctors admin access; I don't need it and quite a few would make a total hash of things, but I'm a lot more curious and a nice free playground where I could do things like schedule cases would be fun. If I break it, so what? It will reset tomorrow, and I'm fine with that. If I have a play day, I'll apply my notes for everything I have done and ask the IT team to make a snapshot.

Again, thanks.

No worries. As an aside I'm not a tech worker I'm primarily a clinician as well so I don't make access decisions but if it were up to me I would give MDs more.

Some places are better, most institutions I've been at have given me full access because I have a tech background and had a previous relationship with Epic but occasionally I've hit similar brick walls to you.

Hope it works out.

Epic takes actual feedback and development input from clinicians. They aren't just ignoring them. But it's not straightforward to make a system that handles all kinds of healthcare, integrates them together, avoids any bugs that could put a real human being at risk, and also appeases the clinicians, the regulators, the insurers, the lawyers, the administrators, and the capitalists.

With all those requirements, even the smallest feedback might require many hours to implement so things don't break or piss someone else off.

Norway has recently changed our health software to Epic and it has been a huge failure. Pretty much everyone using it seem to be very unhappy. One of the many complains is that it just doesn't fit the Norwegian system since we have free healthcare while Epic is based on the American insurance system. Interesting to hear that it doesn't work well in the US either.

A couple of sources, can be viewed with google translate: https://www.cw.no/debatt-helse-it-bransjen/helseplattformen-... https://tidsskriftet.no/2023/01/helseplattformen-en-it-skand...

> Norway has recently changed our health software to Epic

Why? I'm assuming corruption and lobbying by Epic.

There were huge epic deployments in Denmark and Finland before this. And Oracle/Cerner going on in Sweden.

All of these entities had working EHR systems.

So why change?
There’s one major feature request that triggered the change: being able to see patient journal notes made by other branches of the public health service.
Norway has a "tender" system (not sure if that is the right word) where the public entity create a list of requirements and firms bid on getting the contract. Doing some research it seems that there were few bidders and in the end only Epic:

https://www.dagensmedisin.no/helse-midt-norge-rhf-helseokono...

To me this system just seems destined to fail because there is no chance the public entity is able to write comprehensive requirements. Creating the bid is also a huge undertaking, and large suppliers and consulting companies will have a large edge by having experience with creating such systems and with creating bids, so they usually win. I dont know how to solve this though.

How about if public software had an atomic structure, and required open source, with copyright owned by the public entity? Having smaller suppliers make changes to one area would then be possible, there would be a little less lock-in, perhaps?
This is exactly how government consulting in the US works, often with a US gov employee writing the requirements with a specific vendor in mind. Oh, that's illegal as hell, but how else does Deloitte stay in business?
Mandated to choose them due to cargo cult process.

They were the only vendor capable of submitting the «objective» tender that is madated by law, and the decisionmakers are too stupid and chickenshit to consider that this process is in itself guaranteed to produce a worse outcome than alternative approaches.

Not all Norway btw, just central.

The funny thing is they started this project even though there were earlier catastrophic Epic implementation examples from Denmark and Finland.

I’ve lived through 2 hospital transitions to Epic. Everyone hates it for the first two years and then when they learn it they generally love the benefits it provides (much faster chart review, documentation and billing).

As a physician, using Epic is a pre-requisite for me to consider working at a hospital.

Yes it has flaws (ordering and encounters are still very annoying but make sense for billing purposes), but it’s also incredibly powerful and once you learn how to use it there isn’t really a better alternative (in my opinion).

This is a controversial and not fully formed opinion, but I think a big part of the problem is the regulations are no longer fit for purpose.

Outside of healthcare if you see something broken then you can just fix it, maybe rope in your manager.

Inside healthcare regulations you have to start a massive change control process which involves several busy people to approve it. Those people are busy and focused on getting a few priority items approved. Starting a change control process without a customer request doesn’t make you any friends.

The reasons this process exists is so that patients are never harmed by changes. But patients are also harmed by software that’s difficult to use. They’re harmed if you don’t make a change.

The regulations were designed for blood pressure monitors and insulin pumps. A patient data portal is orders of magnitude more complex. Outside of healthcare teams iterate towards a good solution. Inside healthcare teams cannot iterate, because of the regulations. This stops healthcare teams from making good software and ultimately harms patient safety.

Making your point even more stark, for whatever reason the UI that you're forced to use can be substantially changed by your vendor every ~6 months and there's nothing you can do about it.
That is not what happens in health software, the UIs tend to stagnate for years with bugs, so users don’t have to learn new workflows.
Not sure why this comment is dead.

You’re partially correct that a fair bit of health software is stagnant and fixing bugs takes time (although not years) but when discussing EMRs, especially the biggest player (Epic), they fairly regularly change the UI and I’ve had to learn a new workflow at least once a year for the last decade.

Depends on how important the software, it seems like the more safety critical the software, the more likely it is non-critical UI bugs are left to fester until the bug becomes safety critical
As a user of Epic, I can tell you that my comment about Epic’s changing UI is what happens unfortunately. This has been true across two major US academic hospitals.

But you are right, other things are certainly left to stagnate.

It's hard to find the right solution. Users complain when the UI changes, for better or for worse. Users complain when the UI doesn't change and looks 10 years old. There's no good option
Yeah until you have to rollout a bugfix that changes the build of their system and totally reroutes their workflow. Its not like a graphical UI change but permissions updates, config updates, etc can all have impact that end users would consider a UI or workflow change.
Perhaps that makes sense if you can't release anything with more substance due to regulation, but need to show you've done something to validate the company. Customers likely recognize a UI change over a bug fix, so bug fixes are deprioritized.
> The regulations were designed for blood pressure monitors and insulin pumps.

Then again, in US, EHR systems (epic and cerner comes to mind) are not regulated by FDA

I used to work for a regional healthcare system that also owned an insurance company. We had to deal with many more regulations on the insurance side than on the provider side.
Everything about health IT systems is terrible, from protocols to classification systems. A lot of the problems predate regulations. On the other hand, health IT mirrors the real-world systems it meant to service - complex, rigid, and self-serving
The added complication is also because insurers refuse to pay providers unless every procedure, billing code, time of service, justification, physician notes, physician network accreditation, etc, etc is to their standards (which changes often) Health care providers have teams of full time admins who doing nothing but chase after insurers for missing payments and billing discrepancies. Insurers will delay payments, change billing codes, and refuse to pay pending audit, and then may decide not to pay at all. Doctors are pulled into doing extra admin work mostly because insurers wont pay them if the paperwork is not to their standards, or the patient doesn’t qualify.
I think this is closer to the truth. The problem is rarely "outdated regulation" (although that's what the organizations that build these systems will say) and more that there's so many cooks it becomes impossible to build anything worth anything. Everybody has an opinion about their little corner of the system, and no one is willing to understand anyone else's opinion. If you bring up some fundamental disconnect between the wants of different stakeholders they point to the current system and say "It works there", and ignore the fact that it doesn't actually work.

It's a problem of too many unfounded opinions, and too little actual engineering.

> Everybody has an opinion about their little corner of the system, and no one is willing to understand anyone else's opinion

This is true. If you talk to someone in insurance, fraud is a huge problem, and doctors providing expensive treatments for the wrong conditions is also a huge problem. They are society's defense against doctors prescribing exotic $20k/month cancer medicine for allergies because they heard a rumor it was 5% better than Claritin, and sending every patient with a cough to their brother-in-law's MRI clinic. And this is true to some extent (especially about the brother-in-law's MRI clinic.)

If you talk to a doctor, they won't outright say it, but they're committing insurance fraud on the daily so they can provide basic care. If they talk to a patient about how they've been eating differently since their spouse died, or they spend ten minutes coaxing details about pain from somebody who is reluctant to talk about it, they're going to bill that time as something they're 100% sure the insurance company will pay for. So it might go down as a consultation about blood pressure. Maybe they even think there's a good chance the insurance company will pay for it, but between the insurance companies constantly changing things and the doctor not having complete confidence in their office staff to figure out the right code, they just write down something that they're sure about.

I don't know what happens if you put a doctor and someone from an insurance company in a room together. They probably have a system of polite lies to tell each other.

> brother in law’s MRI clinic

This is a Stark law violation and there are clear rules against it

> Outside of healthcare if you see something broken then you can just fix it, maybe rope in your manager.

Your manager who then proceeds to ignore the request for improvement in favor of adding telemetry, dark patterns and advertising.

my (similarly uninformed) opinion is… similar. the industry is so regulated and unsexy that it doesn’t attracted the thought leaders and technical talent necessary to created modern, inoovative systems. instead you get more verbose epic garbage. i could be totally wrong, but i always assumed it’s related to the sexiness-quotient of the field.
Ads are even more unattractive, both intellectually and ethically. Yet somehow there's still a ridiculous amount of intellect being completely wasted on ads, likely due to the dull motivator called currency. I'm not sure what the factor is, but there are plenty of intellectually unattractive and societally useless careers that suck up capable people's entire lives.
Regulations such as CFR 21 Part 11 have a known quantity of dead people behind it. It is not regulation for regulation’s sake.

“Move fast, break things” is not how healthcare infrastructure should work.

This is the standard response, but we’re not measuring the deaths caused by bad software. Bad software causes deaths by:

- user error

- It’s expensive so people don’t get treated in the first place

- doctors making treatment errors because they couldn’t see the whole picture because they couldn’t work the software

Also the non-regulated software is observably better and more reliable than regulated software. The author even compares regulated software to non-regulated software in the article.

Paradoxically ensuring that an error is never made reduces the probability that the system will do the right thing.

There's no noted causation between poor software and patient death.

There is a high correlation against "move fast, break things" and patient death.

There’s a middle ground between “Move fast and break things” and “Don’t make any changes in case you break anything”
What specific regulations are you referring to, that apply to EHR software and the like? I know things sold as medical devices/appliances require FDA approval, but for general electronic healthcare record systems (e.g. Epic), what applies other than of course the security/privacy provisions of HIPAA?
It permeates the systems. For example, any time you want to update the complement that sends e-prescriptions the network will want you to recertify the system for conformance to requirements.
Seems like a better solution would be making the recertification an easy fast automatic process, not skipping it entirely
I doubt very many people skip recertification, because of the risk of losing it.
They are saying, in other words, the answer is not to remove regulations but to fix broken implementations of them.
I’ve worked with 62304 and 13485
Their very existance is a regulation that gets in the way of care. Doctors are in many cases required to keep databases of patient records and they have to be digital. Well that shoehorns them into using old bloated ehr software that takes forever to use when they could just use paper
(comment deleted)
(IANAL.)

> Outside of healthcare if you see something broken then you can just fix it, maybe rope in your manager.

For the sorts of software stuff the OP is discussing, you can do this inside of healthcare, too. I work in healthtech; in our company, a simple change can go from idea to deployed in prod in a few hours. (And a lot of that delay is our CI system or code reviews being slow, but not regulations.)

That's not to say regulations can't slow things down: I've seen some things take longer because of them. But it's things like "are we doing security adequately?" or "we need to retain these records", etc. Things that (speaking as a patient looking in) we should be slowed down to think about or do, frankly.

> Inside healthcare regulations you have to start a massive change control process which involves several busy people to approve it.

But this isn't entirely fiction: we integrate with a number of providers, and particularly there, these processes do exist. I've been on any number of calls ranging from 10pm to 2am where we're coordinating a production change, usually mostly on the provider's side. (We try to have our own change lined up so that, if at all possible, the 2am "change" is just "enable it". It's 2am, after all — you're basically already incapacitated due to sleep.) Moreover the changes are made frustrating by there usually being a whole pile of them: if you can only make changes once per month? quarter? at midnight, then everybody's changes get smushed together. It's not good, and SWE as a larger industry has (IME) moved on from this anti-pattern, but it persists in some places.

But HIPAA doesn't require this.

I can't speak to hardware.

> A patient data portal is orders of magnitude more complex.

It's funny, because as a patient, my data "portals" still routinely fail at seemingly basic functions. I cannot see accurate billing information, I cannot see forms I've signed, I can't obtain access, AFIACT, to my own data. (All this I've encountered in the last week, too.) AFAICT, data isn't transferred in standard formats. (I tried intercepting the AJAX calls to see … but nope, proprietary junk, AFAICT.)

> Outside of healthcare teams iterate towards a good solution. Inside healthcare teams cannot iterate, because of the regulations.

We do this same iterating at my company. (Which sometimes has its own dysfunction, but it's not unique to healthcare; you can see it in any HN thread about agile.)

Regulations like 62304 and ISO-13485 are specifically designed to stop ideas going to prod in a few hours.

HIPPA is something completely different. HIPPA is much more lightweight.

Probably your company has found a niche that manages to avoid requiring compliance with medical devices regulations. This is a great idea and it lets you make very good software quickly.

Both of these regulations you mentioned are indeed valuable when doing medical software development in EU (mdd/mdr).

However, in US, these giant EHR systems (epic, cerner etc) are not regulated by FDA.

Speaking from the perspective of healthcare software:

ISO-13485 really isn't that heavy in the grand scheme of things. Once you establish your policies you can automate most of it with Jira, which can provide good traceability.

It's really the testing requirements that are the most heavy, and whether you can do that in a few hours is 100% up to how good your testing setup is.

I suspect that the quality management system is often this way at any mature tech company anyways, but who knows.

When you need to perform a 510k, that's where the heaviness comes into play, even a special 510k can be considered heavy.

For those uninitiated, here's the FDA guidance on when to perform a 510k: https://www.fda.gov/regulatory-information/search-fda-guidan...

Rewriting a core piece of your software stack in a significantly different language is one such case (JavaScript to TypeScript? Probably not. Java to C++? Most certainly yes.).

*HIPAA (sorry, I'm in healthcare and it makes my eye twitch)
I think folks are confusing complex IT management in a big complex enterprise with various outsourced vendors and tight SLAs with regulation.

Healthcare is like government in that they had to computerize billing to interact with Medicare and Medicaid first. So some policy decision made 30 years ago by a hospital acquired a decade ago may impact operations today.

Asymmetrical risk/reward profiles breed hyper-conservative behavior. Legacy support and "if it ain't broke don't fix it" attitudes have negative externalities.

A good case study is the NASA Space Shuttle program and how expensive it was especially when compared to SpaceX. Not to downplay the sheer achievements of NASA by any means, plenty of people there are much smarter than I am.

The solution isn't just "ignore the risk", you have to do something fundamentally different (with strong conviction, investment, and leadership) in order to restore symmetry to the risk-reward profile, such as a truly best-in-class testing infrastructure. Operating your business as a meritocracy doesn't hurt either (although I suspect pure meritocracies to be impossible/unfeasible to implement).

Anyone who's worked in a hospital knows this. Medical staff looks down on the IT people, with a vengeance.
Yeah, but the IT people are the ones raining the vengeance down on medical staff with our crappy software
(comment deleted)
Got three doctors in the family and two among our neighbors. All of them hate software with a burning passion. And I can't blame them, to be honest.
My first job out of college was working in software for long term care/skilled nursing facilities. The software we were making was burdened in so many ways, it was painful. I have no problem believing people don't like this kind of thing.
This article is actually worth reading. It does not quite go to the "five whys" level, but it has a lot of leads for problem solvers.

If you want to cut to the chase, pull up the archive link posted in the sister comment, then search for

* Revenge of the Ancillaries

* Sadoughi

* Jessica Jacobs

(comment deleted)
It does seem to me some doctors are too busy typing things on their screen instead of listening to patients; like at work when I’m trying to have a conversation and someone is busy typing half of what we say in onenote (at this point, may as well email). I found a doctors office not using a computer system, at least not in front of the patients. I found they’re better listeners and don’t miss as many details. I’m guessing this is because they’re not trying to multitask during conversation. And I prefer the more human interaction.
There's just no time to work this way, in the US at least.
They’re trying to keep up with notes because notes are how they get paid and how they defend themselves against lawsuits.

My wife doesn’t do notes in front of patients, but as a consequence she spends several hours at home after her shift finishing up notes from memory. She does it because she works in the ER and it allows her to handle more patients (she hates it when patients have to wait 3+ hours so she does everything she can to get them seen quickly). It is definitely much more work for her to do it that way though.

Has your wife considered dictation software? Things like Dragon can be integrated into some EHRs. She could record what she's saying as she works with the patient and even talks directly to them, then clean it up after the fact.
She uses dragon for notes, but she said it’s too much of a mess if you just let it record everything while talking to the patient.

Even if it did work, the notes for future doctors and insurance companies have very little overlap with what you’d say to a patient.

Related to the other reply: this honestly seems like a kinda huge ML opportunity. Imagine if your wife and doctors everywhere were able to just talk to patients with microphones recording it and not worry about notes because the system automatically transcribes it and feeds the result into an LLM that automatically writes up the relevant information, so the end of the day bookkeeping is reduced to just checking its work and manually making changes where necessary. Hard to guess without actually being a doctor but that would surely eliminate a tremendous amount of mindless boilerplate busywork for the majority of patients, right?
There’s a few problems with that. There is very little overlap with what goes into notes written for other doctors and insurance companies and what a doctor says to a patient.

And physical exams have a ton of manual components where a doctor is just palpating things and asking if that hurts or this hurts or feeling if a lump is freely moving, or whether someone can rotate something at a specific angle etc…

Without the doctor annotating exactly what they are doing and what the patients response was every step of the way, the LLM would be missing too much data to really be useful.

Doctors need the best tools.

But their software is insane.

Doctors have a stressful job.

But my friend the ER surgeon works 24 hour shifts.

Sleep is the best healer.

But it's impossible to sleep in the hospital.

There's a terrible malfunction here.

I could see an AI based system ultimately winning this battle. Instead of everything needing to be human-input and human-crafted, the AI would be the "trusted mediator" of the system. It would be a front end to something like Epic, but the way it would work with the data would only be seen by it, not people.

The programmers and IT people would tune the AI but you could almost think of it as an "expert" in the Epic-like system.

It could be great! And then you run through the possiblity space and see how AI will destroy us, because once it works great, we'd start to rely on it and there would be no going back. We wouldn't even be capable of working with the lower layers.

As much as people are sensitive to human physician errors, they will be even less tolerant of AI hallucinations.
> But three years later I’ve come to feel that a system that promised to increase my mastery over my work has, instead, increased my work’s mastery over me. I’m not the only one. A 2016 study found that physicians spent about two hours doing computer work for every hour spent face to face with a patient—whatever the brand of medical software. In the examination room, physicians devoted half of their patient time facing the screen to do electronic tasks. And these tasks were spilling over after hours. The University of Wisconsin found that the average workday for its family physicians had grown to eleven and a half hours. The result has been epidemic levels of burnout among clinicians. Forty per cent screen positive for depression, and seven per cent report suicidal thinking—almost double the rate of the general working population.
Whenever I go to the doctor these days they sit facing the computer just reading what the nurse wrote and typing like a stenographer. As a patient, it’s very frustrating and disconcerting. It really does very little to inspire confidence. Sure, what I am saying is being heard and logged but the subtlety and tone is missed in the log and thus often missed by the preoccupied doctor themselves. It really feels like talking to someone half paying attention while they do their homework.

I am old enough to remember when it wasn’t like this; I would LOVE to just be able to go in and talk to a doctor like they and I are both human beings, with shared life experiences and understanding. Hell, have an audio recording going for butt covering purposes if they need it.

Going to the pediatrician with my new daughter has been a strange breath of fresh air. They look us in the eyes and talk to my wife and I like humans. Far less time spent playing stenographer. It’s such an interesting flip.

I know someone who is a medical scribe for a practice.

They follow the doctor around and write out everything.

It's fairly common, maybe explore a different doctor

I know a company who does that using speech recognition (Nabla), but no physicians I have met had a scribe, only observing / learning residents (« internes » here). Outside of consultations my dad records itself and sends it to its secretary.

On a side note I wish there was a way to communicate with (good) physicians asynchronously (via text for exemple) for non trivial issues, or something that allows them the time to research and think about an issue, which you don’t have the time during a consultation, without waiting months before the next appointment. Some try to get up to knowledge and read in front of me but, it doesn’t takes them more than 1 mn so they often have a shallow understanding. I’ve also met terrible ones who where annoyed that I knew more about the subject than they did and discouraged me from doing my own research (even from cochrane and serious meta-analysis), but I guess it is more a problem of the hubris of some french doctors than a process one (accordingly most of my issues stems from the fact that it is difficult to reliability avoid ignorants, that doesn’t care, or arrogant physicians that I could book, more than any other issues including software).

I have to say I have little sympathy. Common diagnoses should be able to be captured effectively in a common manner. If physician groups don't have the patience to train their staff on proper data entry or diligence to properly record within a reasonable time after a visit then they shouldn't accept new patients.
(comment deleted)
I'll add just this. Every time I have encountered health care software, I have been appalled at the poorly planned user interface. I do mean appalled. I would never tolerate this in software I normally use. With all the money (power) behind the health care industry, I don't know why they tolerate it nor why they don't demand change.
Having access to ones records is a big positive
I'm a physician and a tech nerd. My dream job is teaching physicians how to use their computers (with emphasis on EHR). The level of tech incompetence among physicians is astounding. Reciprocally, the level of understanding of "things that would actually be helpful" of most IT crews I interact with is abysmal.

So much room for disappointment on both sides, I sure I hope I can help bridge this someday.

For years, I had a PCP who was a D.O. (osteopath), and he was really good, in terms of conservative treatment decisions, rapport, medical knowledge, good office staff, etc.

However, his office moved around a lot, probably 3 times in 15 years. His practice, previously independent, was acquired by a medical group. Shortly after that acquisition, he carried a new notebook computer around, and he sincerely apologized to me, saying that he would be forced to look mostly at the computer and not at me. Do you see how important this person-to-person rapport was to both of us? He always called me "my friend" and he was an expert chess player.

I will miss him, especially this week, as I visit a PCP of the opposite sex, who is not a physician, who recently disavowed ever meeting me before, and argues about every detail of my treatment.

Ted Kaczinski wasn't wrong.