Horror Stories in Pathology Informatics: In Two Places at Once

Dr. M. E. de Baca:
Welcome to CIPI Connections, the podcast of the College of American Pathologists' Council on Informatics and Pathology Innovation. Here, we connect you with the leaders and committees shaping the future of pathology. I'm Dr. M. E. de Baca, the chair of the College of American Pathologists' Council on Informatics and Pathology Innovation, also known as CIPI. We have a fascinating episode for you today. CAP Informatics Committee members Dr. Alexis Carter and Dr. Lauren Miller will be sharing another horror story in pathology informatics. This case dives into sharing credentials and the importance of safety regulations. Take it away, Dr. Carter.

Dr. Alexis Carter:
Hi, everyone. Welcome to Horror Stories in Pathology Informatics: Lessons Learned from Things Gone Awry, a series to help your healthcare organization, number one, keep your patients safe, and number two, avoid painful problems. I'm your host, Dr. Alexis Carter, a pathologist and the moderator for this series. And with me today is another pathologist, Dr. Lauren Miller. As a reminder, these podcasts are available from your favorite podcast service under CIPI Connections, that's C-I-P-I Connections. It is also available from the College of American Pathologists website at www.cap.org. Today's episode is, in two places at once, sharing is not always caring. As always, there are a few disclaimers needed before we get started. All of the situations discussed in this podcast are based on real events. So if any of our listeners think that the situation described can't or wouldn't happen, we can assure you that it can and did. Having said that, all of the information that could identify the personnel or the healthcare organization involved have been removed and replaced with fictitious characters and a fictitious location of Cabot Cove Memorial Hospital. Any locale-specific aspects, for example, regulations that are more specific than the national United States level, have been removed, and some details regarding the situation which do not affect the main point of the event have been changed. Finally, the person presenting the adverse event is not the person who contributed it for discussion, and all of these things were done to ensure that we focus on the lessons learned so that we can help others avoid these mistakes. Of course, this podcast does not represent legal or medical advice, and the lessons learned may not account for specific barriers that may be present at your own organization. All right, so now that we've done our disclaimers, let's get started. Again, here with me is Dr. Miller, who is going to present today's situation on point of care testing. So, Dr. Miller, let's start with the basics of the adverse event that we're going to discuss today. What happened?

Dr. Lauren Miller:
Thanks, Dr. Carter. So, again, we're at Cabot Cove Memorial Hospital. and the laboratory director received a request from the hospital legal team asking to provide all the records of personnel that had performed point-of-care testing for a particular patient because they were trying to clarify a discrepancy. So this patient had been in the ICU about a year prior and the patient was treated with extracorporeal membrane oxygenation, also known as ECMO, and now was pursuing legal action. For those who aren't aware, ECMO is a type of artificial life support that continuously pumps blood outside of your body into a machine that adds oxygen and removes carbon dioxide. Essentially, it acts as a heart and lungs when a patient's own heart and lungs aren't functioning adequately enough to sustain their life. Many hospital personnel are involved in caring for these patients, and unfortunately, all of them were also being subpoenaed to testify. The hospital legal team reached out specifically to the laboratory because one of the perfusionists, that is the person who is actually really focusing on running the ECMO on the patient at the bedside, was on record as having performed the point-of-care testing for the patient, but was actually on vacation during that time.

Dr. Alexis Carter:
Well, that's clearly a problem.

Dr. Lauren Miller:
Yes, very much so.

Dr. Alexis Carter:
So we're definitely going to talk about that in a minute, but now, for now, and for our listeners, let's take a step back and talk about point-of-care testing. Now, you and I know what point-of-care testing is, but just in case anyone listening to the podcast doesn't. What is point-of-care testing and why was it being used on this particular patient?

Dr. Lauren Miller:
So point-of-care testing is rapid testing that can be performed generally on a small device and is usually close to the patient, even at the bedside. A lot of devices are small and can be held in the user's hand. However, what some listeners may not know is that there are all kinds of laws that healthcare organizations follow regarding who can use these devices on patients and also to ensure that the devices themselves are accurate in providing results. These laws are crucial for patient safety. In this case, for our particular patient, the point-of-care testing being used was to get blood gas information, which essentially tells the perfusionist how well the patient's blood is being oxygenated by the ECMO machine. The ECMO team is very, very reliant on point-of-care testing, particularly blood gas, to get rapid results that help them care for their patients in real time.

Dr. Alexis Carter:
Okay, so how did Cabot Cove Hospital know which person had used the point-of-care device on the patient?

Dr. Lauren Miller:
So for any device that houses patient information for patient care purposes, and this does include point-of-care testing devices, there's a large federal law known as the Health Insurance Portability and Accountability Act, which very often we refer to as HIPAA. HIPAA requires that the software on the device maintains a record of who is using it and on which patient is being used. In addition, there's federal laboratory law, also known as the Clinical Laboratory Improvement Amendments, or CLIA. CLIA, and this requires that people who operate point-of-care devices, referred to as operators, must be competent to use those devices. And to maintain this competency, this requires periodic testing and verification. So the laboratory for our Cabot Cove Hospital have provided blood gas point-of-care devices with built-in operator lockout features.

Dr. Alexis Carter:
Oh, lockout features. How I love snarky software. Tell our listeners what that is.

Dr. Lauren Miller:
Well... It isn't just snarky, it's actually a huge safety feature. It turns out that this blood gas point of care instrument is considered moderate complexity. So in order for an operator of the device to be compliant with the laws that we just mentioned, he or she has to be appropriately trained prior to being approved to operate the device. This particular device was built to allow operators to scan their hospital badge prior to using the device. This recorded the operator into into the device. And if the operator was not marked as competent in the system software, the software was designed to lock them out of the device. This helps ensure that untrained individuals cannot use the device and that the operators who have not made their competency cannot either.

Dr. Alexis Carter:
Okay, so in this case, was the perfusionist actually working that day? Did the hospital have the vacation records wrong?

Dr. Lauren Miller:
No, they were not working.

Dr. Alexis Carter:
Oh, oh boy.

Dr. Lauren Miller:
Yeah, uh-oh is definitely right. So it turns out that not all members of the ECMO team had maintained the required competency training. And on further investigation, it was discovered that the perfusionist who was on vacation had made a photocopy of their hospital badge and taped it to the outside of the instrument prior to leaving. They were part of a team of ECMO perfusionists who cared for patients in the intensive care unit or the ICU, requiring life supporting temporary assistance to the heart and lungs.

Dr. Alexis Carter:
Oh boy. So I take it that members of the team whose operator competency had expired used the vacationing perfusionist's badge.

Dr. Lauren Miller:
That's exactly right. When this all came out, the perfusionist who had made a copy of their badge was subpoenaed and forced to testify that they had shared their badge with other members of the ECMO team so that other users that had let their competency lapse could continue to perform the blood gas point of care testing.

Dr. Alexis Carter:
Yikes. Okay. Wow. Just wow. Okay, so this case is demonstrating risk of a different kind.

Dr. Lauren Miller:
Absolutely. So this case is illustrating the risk of sharing credentials. So the laboratory had implemented credentials verification and lockout on point-of-care devices to ensure that only appropriately trained personnel were the ones performing the testing. All of the ECMO personnel had completed their initial training and evaluation, but not all of them had maintained the training and education needed to have ongoing competency. So therefore, they cannot perform the testing under their own credentials.

Dr. Alexis Carter:
So with regard to that issue, could this issue have been completely avoided or just mitigated?

Dr. Lauren Miller:
Although verification of credentials has been the foundation of digital security for decades, the effectiveness of this process can easily be undermined when users start using workarounds such as sharing credentials. When multiple users use the same credentials, it's impossible to hold anyone accountable. We can't even really know who was doing the testing or the documentation. So to avoid this scenario, each institution should have a clear policy on sharing of credentials and explicitly state the consequences for violations to ensure that they're enforced.

Dr. Alexis Carter:
So what do you think could have been done to avoid or mitigate the fundamental contributing factor in this case?

Dr. Lauren Miller:
Workplace culture really starts with leadership. So I think the hospital leadership must make it clear that sharing credentials including badges, is not an acceptable practice. A lot of organizations do a pretty good job of educating employees about good online practices, such as not sharing passwords or opening suspicious links because of potentially catastrophic consequences of a cyber attack. But some personnel may view badge sharing as innocuous practice because it is used to access internal applications. Or even sometimes they borrow a badge to open the door. So while this case illustrates that the electronic medical record is certainly a legal document, that has implications for both the institution and the individual. By sharing their badge, the ECMO perfusionist accepted all legal responsibility for the results and actions performed under their name, despite not even being on site. And in this case, a patient was suing the healthcare organization about the care they received during this time. This likely never occurred to the perfusionist that when they made a photocopy of their badge, And they probably never imagined having to explain in a deposition that they had allowed others to use their credentials for patient care.

Dr. Alexis Carter:
Okay, so we've talked about the main contributing factor, but there are always secondary and even sometimes tertiary or third step factors that can contribute to these issues. These can include inhibited communication due to poor relationships, silos between groups, systemic infrastructural issues, etc. What secondary and tertiary issues do you think contributed to this failure and or any delays in its correction?

Dr. Lauren Miller:
I think one of the driving forces is that sometimes operators don't maintain their competency because they don't realize how important it is. They might just think that it has to do with some silly lab documentation rule.

Dr. Alexis Carter:
Okay, so that begs the question, is it a silly lab rule or is it really there for patient safety?

Dr. Lauren Miller:
So resounding yes, it's there for patient safety. The trouble is, the reason it is a legal requirement to maintain competency is because point-of-care devices are deceptively easy to use. After all, they are actually designed to be used by non-laboratory personnel. That being the case, there are often more safeguards put in place to prevent errors, and this can lead to end-user and operator apathy about keeping competencies up to date. Having said that, there are so many ways to use these devices incorrectly. If a sample is not collected from a patient properly, if the sample type is not properly identified, such as venous blood versus capillary blood versus arterial blood, and if any warnings or notifications by the device are not heeded, the results coming off the device can be wrong. And that could certainly hurt a patient, especially because the results are so fast. The clinical team may have already acted on them before anyone in the laboratory is aware of a problem.

Dr. Alexis Carter:
So I suppose that if the device's software got updated, then that could also cause a problem, right? Users could get presented with screens that they don't even know how to use.

Dr. Lauren Miller:
Absolutely true. Though typically, with a software upgrade, all users are required to redo their competency before the new software goes live. Users often have the incentive to get retrained so they know how to use it. Having said that, there certainly can be outliers for which the operator lockout can be very useful.

Dr. Alexis Carter:
So how does each device know which operator or user needs to be locked out?

Dr. Lauren Miller:
Most point-of-care devices in a larger healthcare organization, such as Cabot Cove Hospital, are either wirelessly connected or connected by periodic docking to a base that connects the point-of-care instrument to the system server. The server maintains a list of operators and which ones are marked as currently competent to use that specific point-of-care device and who is not.

Dr. Alexis Carter:
With regard to some of the perfusionists letting their competency lapse, what do you think could have been done to prevent it from happening?

Dr. Lauren Miller:
So a number of things, really. First off, I want to recognize that point-of-care testing is a really tricky area for the laboratory because at most institutions, the testing is performed by non-laboratory personnel, such as nurses, perfusionists, and respiratory therapists. However, the authority to perform point-of-care testing often relies on the accreditation of the laboratory. So to maintain accreditation in the lab, the laboratory demonstrates compliance with CLIA regulations. However, because most of the hospital staff who perform point-of-care testing are not trained laboratory staff, they are likely not as knowledgeable about the processes and regulatory requirements or even about the safety reasons behind those requirements. And it makes sense because it's not necessarily part of their everyday job, but because it's a interdisciplinary team that includes laboratory staff, administrators, and clinical representatives, we need to have well-defined roles and responsibilities to ensure that the point-of-care program can be successful.

Dr. Alexis Carter:
Okay, so Dr. Miller, this has been fascinating. I have to tell you, I've run into some brazen things in my now somewhat long career. I have seen people, you know, post-it note passwords onto computer desktops. I've seen them try to be a little bit secretive and, you know, they put the post-it note under their keyboard. But that's a pretty obvious place to look if you're looking for stuff. but pasting your badge, you know, your badge barcode onto an ECMO device, that's pretty brazen.

Dr. Lauren Miller:
I mean, I was pretty floored the first time I heard this story. But the more I got to thinking about it, it's actually not so outlandish from a non-laboratorian's point of view. What comes to my mind are the Pyxis machines, where technically you're supposed to log in with your own credentials to remove any sort of medication. But I've definitely seen barcodes just hanging out on those machines that the personnel will scan and go right in. So to them, it may not have been such a crazy idea to share a barcode and do what they need to do to care for the patient.

Dr. Alexis Carter:
Yeah, until this particular situation occurred, and now they're having to go to court about it.

Dr. Lauren Miller:
Right.

Dr. Alexis Carter:
Right. And, you know, but the other thing I just want to bring up is is under HIPAA, there is a final security rule, right? And under that final security rule, that's where the rules come from for any software that is housing patient information has to, you have to have an audit log of who accessed the patient's data and when. And what's interesting about that is that really for For us in healthcare, if we have software that has patient information in it, we can get a request for an accounting of disclosures from a patient or from the hospital or from a healthcare entity. But basically from the patient that says, you know, for the last six years, I want to see everybody who's looked at my medical data. And so if you don't have that audit trail or if the audit trail is not correct, such as when you're sharing a badge, that can. cause a lot of problems. But the reason that was done, this was, you know, the Health Insurance Portability and Accountability Act. The idea behind it was privacy, right? So the reason that rule is in there is so that patients will know who all has seen their data because there were problems, you know, and unfortunately there still are with patient data being disclosed in an unauthorized manner. So the thing is... They give you some, that's the reason why all of these devices are supposed to have logins and passwords, really. But the reason why they allowed the use of badges probably has to do with the fact that these devices have to be used rather quickly, right?

Dr. Lauren Miller:
Yeah, I mean, it doesn't make sense for a patient who might be coding or requiring such rapid laboratory testing to have. a perfusionist in this case bending over some tiny handheld device with an itty bitty keyboard typing in a 16 character password before they can do anything by the time that they would get into the point of care testing device to actually perform the tests the patient and the clinical team who are not paying attention to whoever's operating the point of care device are eight steps ahead. And so It's really hard to care for these patients in really critical, dire situations if you're waiting for someone to just be clicking. And so it makes sense that you could just scan a badge in a perfect world. The one badge is for the one person and you can trust that no one's sharing their badge, which obviously in this situation didn't happen. But it's really trying to balance enough stop gaps so we can. really have our patients safe and well cared for with not putting so much red tape in the process that we can't care for our patients to make sure all of our T's are crossed and our I's are dotted.

Dr. Alexis Carter:
Right. So, but privacy is still important, right? So, you know, one of the things that I wonder about with some of these point of care devices is, is the ability to do, you know, two-factor authentication that doesn't. So two-factor authentication for you know, the listeners are when you have something you know, as well as something you have. So the something you have is a badge that you would scan, and then the something that you know, it could be a password, which we've already talked about how that is problematic when you're trying to take rapid care of a very sick patient, right? But it also could be a thumbprint. Now, the issues that you can run into there are that you've got a thumbprint that now you have to store that in a database and it has to work. Um, but one could definitely argue that if you use something like a thumbprint or a fingerprint, um, bearing in mind that there are groups of people who don't fingerprint well, um, and that's part of the reason why I think, many people have not used it. But if you had something like that, then, you know, I think it would have been difficult or impossible for any of the other profusionists who'd let their competency lapse to be able to use this device. Having said that, you know, it still doesn't answer the problem of people letting their competency lapse because then nobody would have been able to get testing. Right. And so so I'm curious, you and I were talking earlier about. that your previous experiences with a joint accountability program. Why don't you tell people what that was about?

Dr. Lauren Miller:
Yeah, so just for our listeners' background, I worked in the laboratory prior to going to medical school. So I've been around the lab block for over a decade at this point and have worked in a hospital caring for patients who are critically ill. And something that my laboratory had implemented, as Dr. Carter mentioned, was a joint accountability program. Point of care testing. was overseen by laboratory medical director leadership, as it should be because it falls under CLIA. But we had specific partners on the units who were not laboratory personnel, but served as essentially a super user for their unit. And so oftentimes they were nurse managers or charge nurses. And so they were responsible for the day-to-day maintenance of competency. They were able to... work with their staff, they were able to retrain, they were able to observe and mark competencies off. So even though it was the laboratory overseeing the entire process, we had to have champions on the floors talking with the end users regularly to have people really understand the importance of competency and to ensure that people maintain their competency because we're all busy. It's kind of crazy how many things we need to maintain. Honestly, I don't know how many emails I get. before I actually complete whatever online learning module is required of me. But if there's someone who's saying specifically, hey, Dr. Miller, you need to do this or your testing ability is going to stop, that's going to get my attention a lot faster than an email from someone I don't even know. And so that program worked really well for us as laboratorians because we knew exactly who we should go to if there was a problem. And then the bedside staff also knew exactly who they should go to. with an issue and we could talk back and forth easily, took some cooks out of the kitchen, but also made sure the laboratory had a presence on the floor as well.

Dr. Alexis Carter:
Yeah. So it also sounds like a much more proactive approach, right? So they were getting reports, it sounds like, of who had their competency had expired. And so that they could address that, you know, hopefully before it became an issue.

Dr. Lauren Miller:
Yeah. The partners that we had on the floors were really on top of it. I mean, there are a number of competencies that are not laboratory-based that all medical personnel have to maintain. I mean, if you're doing any sort of procedure, someone needs to make sure that you know how to do it. And so this just kind of became part of their workflow of, okay, I need to make sure that I know how to properly document X. Okay, I need to make sure that I know how to properly draw a patient specimen and put it into the point-of-care glucose measurement.

Dr. Alexis Carter:
Right. Okay. Well, I think this has been really educational. So we're going to sum this up for the listeners. What are the main lessons learned from this incident? And what do you recommend that our listeners should do to prevent this from happening in the future?

Dr. Lauren Miller:
So I think one of the most important things is that know your staff and have leadership be accountable. So it's crucial to really designate one super user for every 10 operators in the testing unit. And the super user needs to be knowledgeable about quality control. quality assurance, and safety regulations. This person also serves as the primary point of contact for the point-of-care testing leadership. This super user will be responsible for ensuring that all other operators in the testing unit maintain their competency and ensure why maintaining competency is important. Additionally, from a top-down leadership approach, the culture of the institution really needs to have a thorough understanding of what the consequences are of sharing credentials, not just don't log into someone else's computer, but even sharing badges can have really drastic effects. And so people need to be aware of how their own institution operates within the laws that we all have to follow.

Dr. Alexis Carter:
All right, great. Thanks so much, Dr. Miller, for presenting today. For our listeners, we hope you have found this podcast on In Two Places at Once, Sharing is Not Always Caring helpful. This podcast was produced by the College of American Pathologists and the content was produced by the College of American Pathologists' Informatics Committee. The Informatics Committee always welcomes questions about the podcast as well as questions for future podcasts. If you would like to contribute an issue that happened to you, And for instructions on how to anonymously contribute an educational issue and its lessons learned, please contact the committee at the email address listed in the show notes. Please do not send specifics on the issue to this email address. We thank you so much for listening, and we look forward to sharing our next podcast with you soon. Bye-bye.

Dr. M. E. de Baca:
Thank you to Dr. Carter and Dr. Miller for sharing these important lessons with us. Stay tuned for future horror stories in pathology informatics. And thank you for joining us for insights, updates, and the people behind the innovation. This has been CIPI Connections, where ideas meet action in pathology.