Procurement and compliance costs (from the comments)

From my time in both the military and healthcare I can say that the biggest problem is the compliance costs.

For example, I have a phone app that allows me to send texts. We pay very good money to have said app. It does nothing that my phone cannot innately do – except be HIPAA compliant. EMR software is clunky, an active time suck, and adds little or no value … but we are required by law to use it. In each case there are scads of less specific programs out there which are insanely cheaper and more functional, but those programs cannot justify the costs of becoming compliant for a small niche of their business.

In the military we had similar difficulties. If you want systems to be secure, you need to pay extra as the marketplace does not do real security for consumer goods. Likewise, if you worry about logistical tails, building in assured access drastically increases costs.

And I fully suspect that prices will continue to diverge. As ever more of the internet ends up in a giant interconnected mess there will be fewer people able to code in a secure fashion. There will be fewer parts of the ecosystem that can be used by security conscious actors.

Then we get to actual procurement itself. People worry that arcane institutions will somehow make off with lots of money and spend it either poorly or nefariously. Absent easily observed price and cost data in both sectors we began developing rules. These rules drive firms out of the market (e.g. we needed some light interior remodeling to comply with a regulation that specified inches between things, the contractor who has been most affordable and highest quality refused to bid because the hassle on his side was too great). Eventually the rules become too complicated and you start needing specialists to interpret them. Costs skyrocket and firms abuse rules to pad profits. Then the lawyers get involved and things get more expensive. Again, medical and military consumers become a captive market facing greater monopoly as fewer firms can navigate the thicket of rules to even try to make money.

Then we have the problem that people look at these sectors and say that it is public money. All public money should help with goal X (e.g. going “green”, affirmative action, boycotting South Africa/Israel, patriotism, “America first”) and then we become even more overly constrained. Finding vendors who meet one hurdle is hard, finding ones that meet 30 is nigh unto impossible unless the vendor is engineering the firm to market solely to this niche – and charging monopoly rates as his reward.

Any single thing would not be too bad for prices, but the marketplace in general is diverging from military and healthcare. Even education is diverging with mandates in FERPA and political business constraints. We have pretty effectively restricted supply, why exactly would we not expect an increase in cost?

That is from “Sure.”


While I largely agree with this, I would like to point out that computer security has additional problems. In everyday life, if you buy a tool and that tool is useful for anything other than the immediate purpose for which you bought it, that is a bonus. In computer security any behaviour outside the minimum absolutely required for the intended application is a security risk, because history shows multiple examples of such behaviour being exploited to cause the system to do things that it was not supposed to do. A secure system will deliberately be entirely inflexible, even if attaining that inflexibility while maintaining its intended function requires that a great deal of time be spent precisely determining the intended function and deliberately removing everything outside that intended function.

As a career long cybersecurity professional, I agree with A. G. McDowell. Three things make this even worse than McDowell suspects:

1. Security is a cost center, which is why more than half of cybersecurity spending is government spending, despite our infrastructure being mostly privately held.

2. Cybersecurity is an externality. The costs are not priced in and the spillover effects are large. Equifax and OPM are the best examples, but this is true in every case.

3. Cybersecurity is, and will always be, mostly a services sector and is therefore subject to Baumol's cost disease. This is how there is simultaneously not enough cybersecurity talent and too few entry level jobs to train more talent.

Of course, on top of this we have the alliance of big government and big business capturing legislators and executives through procurement, regulation and compliance. I'm a firm believer that the hope is in greater diversity and competition. This is why I left public sector cybersecurity and started my firm in New York.

One final thought, lest you think cybersecurity is some small backwater of procurement: "Government spending on cybersecurity has increased at an average annual rate of 14.5% between FY 2006 and FY 2017, outpacing procurement in every other type of major government program."

To paraphrase Marc Andreessen, "Cybersecurity is eating the government."

I see this, too. We sell products to all markets, mainly consumers, but occasionally we see a competitor who only sells to hospitals. They will sell the same product we do at 3 times the price.

We also can't sell to governments who require 3 bids, because we sell directly to customers. They end up buying from middlemen who can provide the bids.

It would be better if the software industry just made the move to secure coding standards and communications focused on secure communications.

This is as much a problem of both a form of race to the bottom and cost shifting as anything else.

Doesn't Signal send texts securely enough?

Security is not the goal. A well established audit trail is the goal. What I was told is that being secure is not enough, you have to be able to demonstrate that everyone using the app is secure. The app we use appears to have a lot of its value tied up in being a risk repository.

Regulatory frameworks simply do not like open source. I mean for a trivial example our PR flacks hate open source images and are quite willing to pay for stock photos. If somebody sues, we were just being responsible customers who went with industry standard products - go sue some one else.

Since then I have read a detailed account of a doctor's experience at a hospital and where the time goes.

According to this account it was not the standards at all, it was that management had more input in design than doctors, and service departments did as well.

Where a scribbled note might have gotten you an x-ray before, now both management and the X-ray department wanted more information. Management for cost management, and x-ray to make sure they knew everything about the request. The doctor filling the form was understandably frustrated that he had to do everybody else's CYA.

This matches with my experience supplying EPA compliant software for power plants. I literally never met a customer who just wanted compliance at low-cost. Every single customer wanted new add-ons to benefit every constituency within their organization.

So no, one cog in the organization is not going to know where the software design came from, and who else wanted "that annoying feature."

Ah, it was still in my tablet's history. Here is that other article:

The truth is about 99% of the time the X-ray falls into one of a couple of bins:
1. The tech knows (correctly) what I want and I do not need to specify. If I say "pneumonia" the tech is going to get an AP and a lateral chest. And this sufficient for the vast bulk of the pneumonia workups.
2. The tech doesn't know but then neither do I. In that case the best option is to consult a radiologist and have them choose the study. This will often require a three way conversation between the tech, the radiologist, and the referring doc. When the conversation has to happen regardless, you do not need anything more advanced than a telephone.
3. There are multiple reasonable studies, I do not need/have access to a radiologist, and the tech doesn't know which order makes most clinical sense. In which case even the most illegible note is little more than a quick inquiry to fix and even if the patient gets the "wrong scan" there are decent odds they would get it regardless.

In any event, which do you suppose has a higher error rate - me at 0300 misclicking the box marked "PA" instead of "AP" or me at 0300 garbling my phrasing so bad that "pee eh" sounds remotely like "eh pee"? Experience teaches that saying things out loud reduces errors. Click boxes are utterly terrible at quality control (too easy to check the wrong box).

As far as your article, it is a completely buried lead. Administration talks a good game about improving patient care and boosting productivity ... but the real game changer for EMR is what Atul makes only passing reference to - increased charge capture. EMRs make your billing codes machine readable and even the most technophobic individuals can find a few things that the EMR will accept that maximize billing.

The doc who has practiced for forty years and just cannot bring himself to write "poorly controlled diabetes with social factors" can learn to check the default box (or as noted have a scribe do it for him). Magically this lets the hospital bill for more RVUs and be paid more than for a simple diabetes check up. In the old days, billing had to actually read notes and decide on charges. These days, the EMR captures everything and even suggests "tweaks" that can result in higher billing.

I mean think about how the story opens. A major hospital is budgeting a billion dollars to do an EMR upgrade. That is .1% of all hospital revenue in the country each year. If each of the ~5000 hospitals spend that sort of cash on EMR, we are looking at 5 times annual operating expenses.

With no upkeep costs that means the software has to last half a decade before replacement; how many other industries keep code that long? How many new, nearly universal functions will develop in that time that EMR will not support?

I mean I get this is one of the bigger hospitals ... but there are also the ongoing costs. And then there is the fact that EPIC, today, is at least worse than commercial software 5 years older.

All that money is not coming from buying a long lasting product that will age well into the future. It is not coming from seeing more patients or helping them live longer.

The money is coming from more efficient billing. Good for the hospital, but pretty damning for keeping anything affordable.

I enjoyed the article, and thank you for your additional comments on it.

There are obviously a lot of growing pains here, perhaps simply related to the low cost of computation and digital storage. If a hospital can save everything, suddenly everything is staring you in the face.

At some point old fashioned time and motion studies along with patient outcome data are going to streamline this process, but in the meantime it is pretty funky, with digital scribes and so forth.

EMR has great potential to improve patient care. Currently, it does not. What it does do is improve billing, by a lot, particularly with some of the mandates. It also acts as a liability shield.

Without various mandates from multiple sources, you get both of those and much better patient care ... but as is we are stuck with limited competition so management is going to take whatever is out there that is a net benefit to the hospital.

As an example of that, imagine that you are a hospital administrator, with malpractice exposure for the hospital as a whole, do you really want doctors and nurses sending "out of channel" texts to patients?

Or to add another interested party to the mix, would your lawyers suggest you be surprised with those texts in court?

There might be a tendency for people wary of "Congress" to lay a lot at their feet that is not really at their feet.

The author is also blaming a lot on HIPAA that he should be blaming on JACO - the private hospital accreditor. People like to blame things on the government that are actually entirely the fault of private industry.

When I speak of "compliance" I am talking not just about federal government regulations, but also about those from the insurance companies and other actors. HIPAA is an example of a mandate which increases costs. People can understand it and it is a significant driver.

JACO, CMS, ONC, comptrollers/auditors general ... the sources of hospital compliance costs are legion and threading the needle on all of them directly increases costs.

In my experience as a contractor for CMS, which may not be representative, I see the monopoly pricing thing as a big problem. The federal government is basically the only buyer of a lot of different kinds of specialized services, and it seems like a lot of companies deem it to be not worth the effort to assemble the necessary talent and skills to provide it, so the result is there's remarkably little competition in the bidding process.

For example, we track low income utilization rates at hospitals in a number of states, and CMS uses those statistics in some kind of formula that determines future budgets for federal matching funds in certain state level healthcare programs. Theoretically, a high schooler could do this work, because all it really involves is collecting some information in an Excel file, doing some simple calculations, and then summarizing it in a report. We had one competitor for this work until about five years ago, when we acquired them.

You'd think actual bureaucrats could do this, and not contract it out.

The notion that HIPAA drives new costs isn't surprising or objectionable. Rather, it WOULD be unobjectionable if it had any real impact on my privacy. But given the reality of corporate and government espionage on our data lives, it's especially infuriating to be stuck paying the HIPAA bill for privacy I don't actually have.

It's one thing to have the foxes guard the henhouse, but it's ridiculous to charge the hens a security fee!

One obvious solution is to let the courts adjudicate all of this under tort law. If you feel your privacy has been harmed, sue the bast--ds.

"If you feel your privacy has been harmed, sue the bast--ds."

It feels (might not be correct) as if the trial lawyers have removed the effectiveness of the court system. If a large monetary damage occurs that affects a lot of people, a group of trial lawyers can effectively get the judicial system to turn over the case to them. Then they'll extract a premium from the lawsuit and provide some trivial compensation to those actually harmed. It looks as if the agency loyalty is extremely low with a lot of modern US class action suits.

It seems like there should be some competition in the process. Perhaps there should always be at least two teams of trial lawyers and the plaintiffs could pick who's offering them the best deal.

Now that the election is over, and Tyler's across-the-board votes for Democrats have been counted ... it's time to get all pensive about the Evils of Over-regulation on MR! Show that libertarian side, Ty!

In industries that attract persons with powerful egos, accountants are bossed as underlings and the most talented among them leave. Then it is that the administrators tell the accountants what to say and do and the costs of compliance rise and rise, ever increasing the importance and budgets of the administrators over the course of their rising careers.

Stop complaining about compliance costs. They fund all the compliance officers, good college graduates who might otherwise be baristas. Not to mention their bosses with graduate degrees.

And in education too. Many great new gigs as Director of Diversity etc... And school district administrators micromanaging what the Calculus teachers should have the students doing every minute of each lesson - all to "assure learning."

When I think about medical data security, the first people who come to mind when I think about who I would like to keep my health record from would be health insurance companies, and they already have it.

Would it make sense for the government to cover the costs of checking compliance? Obviously it’s not ideal but I imagine that reducing the barrier to market entry should drive costs down for consumers more than the cost for taxpayers to foot the compliance bill.

Another government failure.

Wow, Tyler Cowen, this is awesome; goes on forever, the positive side of info-overload!

Thanks Tyler for the information about Procurement Engineering
