An Ounce of Prevention: Jim Seligman, CIO, Centers for Disease Control
Modernizing Authentication — What It Takes to Transform Secure Access
Like a CIO implementing a consolidation strategy in a corporate merger, Jim Seligman, associate director for program services and CIO of the Centers for Disease Control and Prevention, in Atlanta, is navigating huge organizational changes. Under its parent agency, the Department of Health and Human Services, the CDC is now collaborating with the Department of Homeland Security on bioterror protection. With a drastically swelled budget of almost $1 billion for bioterror authorized by a Congress shaken by the very real threat of anthrax, the CDC's new mandate involves building computerized surveillance systems to safeguard the nation. That means expanding its focus from reporting on outbreaks of contagious diseases after the fact to uncovering early indications of possible health threats.
To that end, the CDC has launched an initiative called BioSense to collect information from many different healthcare sources, from pharmacies to emergency rooms, to mine for data for early indicators of a bioterrorism attack. The CDC's strategy is a calculated risk that focuses on the six or eight pathogens, such as anthrax and plague, considered most likely to be used in a terrorist attack. While just two labs do most of the nation's testing, thousands of hospitals and healthcare practitioners are connected to the network. BioSense surveillance is meant for emerging epidemics like SARS and influenza, and most such naturally occurring pathogens take time to sicken people. But "weaponized" smallpox or anthrax can kill within hours, so a daily data dump from the local pharmacy chain simply won't be fast enough.
CIO, Centers for Disease Control
Jim Seligman is associate director for program services and CIO of the Centers for Disease Control and Prevention. He is responsible for the CDC's overall IT programs, including architecture, capital investment management, policy and standards development, information security, and IT workforce development.
Meanwhile, Seligman and his colleagues are making plans to use the increased bioterror funding to integrate many of the agency's hundred-odd computerized surveillance programs (including BioSense) into a system called the National Electronic Disease Surveillance Systems (NEDSS). Doing so, however, means retrofitting a good chunk of existing IT surveillance program software, and, as direct integration would be prohibitively expensive, Seligman and his team are championing universal data messaging and content standards for health information. That means not only getting state and local public health departments to standardize, but also linking medical providers nationwide, while preserving patient privacy. Their tactics include putting software in the public domain, requesting that IT vendors build standards into their medical information software, and providing funding to states for software development.
Seligman faces an additional conflict. The CDC's mission is public health, and critics assert that the emphasis on funding bioterror gives short shrift to conventional public health programs. Is money better spent on computerized surveillance or in fortifying resource-starved state and local public health systems? Technology journalist Wendy Wolfson recently spoke to Jim Seligman about the many challenges faced by the CDC in meeting its twin missions.
CIO Insight: How will you automate the public health information supply chain?
seligman: Typically, in public health surveillance, a healthcare practitioner makes a diagnosis of a particular reportable condition, and by state law is required to report it to the local health department, which in turn reports it to the state health department, which in turn reports it to CDC. Unfortunately, while some connections are automated, others are not.
There are 50-something nationally reportable diseases. Consistency and thoroughness of reporting is spotty. What we're trying to do in the long run is to make it more uniform and take the human element out of it to a large extent. Ultimately, that will be achieved through electronic medical records and hospital information systems that will trigger an automatic report to the appropriate jurisdiction. That's the holy grail of epidemiology and public health surveillance. We're not anywhere near there yet.
But that's the aim?
Part of it is the responsibility of Dr. David Brailer, the National Coordinator for Health Information Technology at the Department of Health and Human Services. His charge is advancing the creation of electronic medical records within the next decade. Our initiatives on BioSense are another key milestone along that line.
One of the key challenges for Dr. Brailer and the Public Health Information Network involves establishing national health data standards so we can do national and regional analysis with the data we collect.
What are the barriers?
In the U.S. we have a huge number of medical care providers. Even though the healthcare sector is one of the largest, at $1.5 trillion annually, it's also the least automated. Only 2 percent to 3 percent of healthcare expenditures are spent on IT. Health data standards and codes are not uniformly adopted. All that makes it difficult to collect standardized data.
The CDC is moving from an organization that reports on disease and solves outbreaks to one that is uncovering possible threats. How are you switching your IT strategy to meet this challenge?
BioSense is not a change in the data supply chain but an addition to public health surveillance to look for alternative ways to dramatically speed data access. We are going directly to the source, whether at a clinical lab or hospital, for earlier indicator information such as lab tests orderednot necessarily resultsto look for anomalies across the U.S. We have some of the early connections established. The BioSense initiative, as proposed in the president's budget next year, will then be put into effect. Collected data will be simultaneously made available to our state and local partners.
What does BioSense monitor?
BioSense is about generalized indicators of a potential health problem. A spike in respiratory illness, or fevers that may indicate a broad outbreak or exposure to an agent. The general premise is to get data from its source within 24 hours.
Does this system cover SARS or influenza?
Yes. Upper respiratory syndrome in an emergency room or a culture sent to a lab would be picked up.
But if it was weaponized anthrax, it might sicken people within hours. That may not register on the system.
Partly true. Anthrax and virtually all other human diseases have an incubation period that is never just hours unless it is acute poisoning, or a vapor or a chemical weapon. But an infectious disease typically takes hours to days to manifest itself. If it is a low-level or contained exposure, we are not going to pick it up. It will be picked up by an astute clinician who sees the patient and calls the CDC. That is how the first case of anthrax was picked up in Florida. This system will more likely pick up something that is widely exposed and multijurisdictional.
How much money is going to CDC?
Our total IT spending at CDC this year is $504 million, of which $290 million is for internal systems and the other $215 million goes out to the states. (Bioterrorism preparedness is $125 million of that $215 million.)
Are you using the threat of terrorism to build a wider structure?
We want to make sure the investments we make for terrorism will benefit daily public health, whether we have an event or not. We are trying to avoid building another stovepipe system that would only apply to terrorism and would sit idle 99.9 percent of the time. The surveillance we are doing for a bioterrorism event will certainly pick up a naturally occurring event at the same time.
How do you adapt a system for dual use?
By basing it all on standardsand in doing so, making it multidimensional. BioSense establishes standardized connectivity to healthcare providers and data collection. You focus first on building an algorithm detection capability. You look for six or eight Category A agents. Then, when you have built that, you look for other symptoms that are also of public health importance. You don't have to make a choice.
How do you distinguish the critical signals in the system from the noise?
We have to build very sensitive algorithms to do just that and test them over time. There are several ways the epidemiologists will go with this. One is looking prospectively at the data, mapping it geographically and by time series. And as they do follow-back investigations, analyzing what appears to be a spike, they will determine what is real and what isn't and further inform their algorithms.
Other surveillance we have in place involves finding out about actual outbreaks that have been investigated, then going back into a system like BioSense to determine if we can actually see these patterns in the data.
Would getting those systems to work on common data standards be enough?
Yes. Regardless of what particular software is used, if every agency is using the same kind of health data standards, you now have standardized data that you can communicate over the Internet.
Does that mean all these software systems will have to be retrofitted?
We are not necessarily retrofitting all 100 surveillance systems. The National Electronic Disease Surveillance System, which began rolling out last year, replaces a good chunk of those systems. The state public health departments are doing the work to make their systems compliant, or adopting the CDC systems. We also give grants for retrofitting systems.
How are you balancing making medical data accessible and exchangeable versus regulations for patient privacy?
In the case of BioSense, none of the data we are getting is individually identifiable. It is statistical in nature. When epidemiologists and biostatisticians detect something abnormal, they can go back to the data source and under appropriate public health authority get additional identifiable data.
The ultimate goal of your efforts?
To use surveillance and epidemiology to discover a problem as early as possible, and then take steps to prevent further spread and to remediate it. Ultimately, our goal is to prevent it from happening in the first place.
Wendy Wolfson, a Boston-based writer, covers emerging technologies and innovation.