STATEMENT OF JAMES P. BAGIAN, MD, PE
CHIEF PATIENT SAFETY OFFICER
DIRECTOR, NATIONAL CENTER FOR PATIENT SAFETY
VETERANS HEALTH ADMINISTRATION
U.S. DEPARTMENT OF VETERANS AFFAIRS
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
COMMITTEE ON VETERANS' AFFAIRS
U.S. HOUSE OF REPRESENTATIVES
February 28, 2007
Mr. Chairman and Members of the Committee, I am pleased to be here today to discuss the issues of IT security, patient safety, culture and their relationships.
At the National Center for Patient Safety our mission is to prevent our patients being unintentionally harmed while under our care. This mission is quite large in scope and while most of our activities are concerned with direct clinical care they also address things that are a bit more removed such as safety during transport in vans, automatic doors and their potential to cause injury, and parking lot barrier design to name but a few. Similarly, the information system (IT) is also of great interest to us as our electronic health record (CPRS) is the tool that in large part is responsible for our ability to deliver the safe and high quality care for which the VA has received many kudos and is a model for the country and world. While IT security is not intimately related to the direct clinical/physical safety of the patient we still view it as a relevant endeavor under the overall umbrella of preventing unintended harm to our patients, because issues such as identity theft can result in harm to our patients. In addition to direct harm, such as that which might be caused by someone successfully pretending to be a veteran getting care at VA facilities, a larger and more wide-ranging harm can come from the energies expended responding to IT security issues. This redirection of resources can detract from our ability to render the medical care that is our basic mission.
The efforts of the National Center for Patient Safety have been based on creating an environment where problems can be identified in a timely manner, prioritized as to the appropriate action required, and analyzed to elicit the real underlying root causes and contributing factors. These steps result in the formulation of well-founded actions to mitigate risks. We often express this as three simple questions to be determined: What happened? Why did it happen? and What should be done to prevent it from happening in the future? We also have championed and implemented a system that promotes the extensive consideration of close calls, which are events where no significant harm befalls the patient. Studying close calls provides an opportunity to learn that is different from the traditional approach where learning begins only after a patient has suffered harm. The culture of the Veterans Health Administration has changed from one that was reactive to one that acts proactively to prevent undesirable outcomes. This did not happen overnight or by fiat. It happened through identifying problems that those at all levels of the organization perceived as real and worth tackling, and then removing the barriers that stood in the way of adopting more effective and risk-based strategies and techniques to prevent harm to patients. Through the implementation of a program that embraced these concepts and actively and aggressively solicited collaboration from all levels of the organization, as well as from stakeholders external to the organization such as Congressional committees, Veterans Service Organizations, and our unions, we have been able to make significant progress.
There is general agreement that the VA IT security efforts to date have not achieved the level of success as quickly as desired. There is little doubt that the VA has committed much effort to enhance the security of its IT systems and that the Secretary and senior management are dedicated and serious in their efforts to improve things. The real question at hand is why problems are still occurring. There are a myriad of factors, but I would like to point out several factors that may be worthy of consideration based on my experience and perspective.
Let me first state that there are no magic bullets here but there are some practices that have been applied in the area of patient safety as well as other areas that merit consideration. The use of root cause analysis (RCA) as developed by the VA National Center for Patient Safety (NCPS) has been a valuable tool that has identified the root causes and contributing factors behind many problems. These techniques include methodologies that go beyond the typical but ineffective initial questions such as 'whose fault is this' to the three more meaningful and productive questions that I mentioned earlier: 1) What happened? 2) Why did it happen? and 3) What do we do to prevent it in the future? In fact, several years ago NCPS suggested to Secretary Principi that we be allowed to lead a multidisciplinary RCA team in response to the Blaster Worm problem that the IT world experienced. Secretary Principi agreed and chartered this team, and the result was extremely successful. In fact, on the 21st of February 2007 in a meeting between Mr. Howard and some of his top managers, including Mr. Shyshka who worked with us on the Blaster Worm response, Mr. Shyshka brought up the fact that the group should currently consider employing the use of the RCA process on a widespread basis. The rationale he gave for this suggestion was the sustained success in preventing the reoccurrence of problems like that previously caused by the Blaster Worm. We agree with this suggestion and believe that the adoption of the RCA process might result in actions that are more effective than what we have experienced to date with regard to IT security. One important aspect of the RCA process is that it focuses on preventing future problems through understanding and mitigating the true underlying systems-based causative factors.
Some have indicated that what is needed is a culture change. While this may be true, culture changes do not happen by fiat or written directives. They happen through the creation of a shared vision of a goal that is deemed worthy, identification of the barriers to success through discussion at all levels of the organization and removal of these barriers, creation of tools and provision of the appropriate resources to accomplish the goals, and constant and unfettered communication both up and down the chain of command that encourages the candid identification of problems and appropriate responses to those problems. At the meeting with Mr. Howard mentioned above, the issue of communication and collaboration before the implementation of directives was discussed in an effort by all parties to maximize the chances of success. If this leads to a more proactive, collaborative, systems-based process that balances the security risks versus the clinical risks I think that meaningful progress can be made. A suggestion would be to do a cultural/attitudinal survey of top and middle management that includes some frontline staff. A reason to survey senior leaders is that it is difficult to proceed, in this case toward improving culture and attitudes about IT security, if you don't know where you are starting from and why you are there.
In order to enhance the likelihood of success I believe that this committee together with senior VA leadership needs to clearly communicate the types of approaches to be adopted. VA management and staff need to understand the various ramifications of the actions to be implemented, including schedules to be met and the expectations as to trade-offs to be made to reduce risk. This kind of understanding was pivotal to the planning and implementation of the patient safety program at the VA and without it the Patient Safety Program would have failed. There should be public acknowledgement that some IT security risk will always exist and that perfection is not possible. If such changes do not occur I am concerned that the security issues will not be resolved, and that clinical care will also suffer. This would result in our veterans losing in two ways.