The system for getting donated kidneys, livers and hearts to desperately ill patients relies on out-of-date technology that has crashed for hours at a time and has never been audited by federal officials for security weaknesses or other serious flaws, according to a confidential government review obtained by The Washington Post.
The mechanics of the entire transplant system must be overhauled, the review concluded, citing aged software, periodic system failures, mistakes in programming and over-reliance on manual input of data.
In its review, completed 18 months ago, the White House’s U.S. Digital Service recommended that the government “break up the current monopoly” that the United Network for Organ Sharing, the non-profit agency that operates the transplant system, has held for 36 years. It pushed for separating the contract for technology that powers the network from UNOS’s policy responsibilities, such as deciding how to weigh considerations for transplant eligibility.
About 106,000 people are on the waiting list for organs, the vast majority of them seeking kidneys, according to UNOS. An average of 22 people die each day waiting for organs. In 2021, 41,354 organs were transplanted, a record.
UNOS is overseen by the Health Resources and Services Administration (HRSA), but that agency has little authority to regulate transplant activity. Its attempts to reform the transplant system have been rejected by UNOS, the report found. Yet HRSA continues to pay UNOS about $6.5 million annually toward its annual operating costs of about $64 million, most of which comes from patient fees.
“In order to properly and equitably support the critical needs of these patients, the ecosystem needs to be vastly restructured,” a team of engineers from the Digital Service wrote in the Jan. 5, 2021, report for HRSA, which is part of the Department of Health and Human Services.
“There are little to no incentives for ... UNOS ... to ever modernize the operations of the [system] and improve the current processes or technology, and the government has very little leverage,” the investigators wrote.
UNOS considers its millions of lines of code to be a trade secret and has said the government would have to buy it outright for $55 million if it ever gave the contract to someone else, according to the report.
Transplant doctors have complained for years about archaic aspects of the technology for sharing data and getting organs to the right place as quickly as possible.
“When nearly 100% of hospitals use electronic records, the notion that we rely on human beings to enter data into databases is crazy. It should be 85 to 95% automatic,” said University of California at San Francisco surgery vice chair Ryutaro Hirose, a former chair of the UNOS liver transplant policy committee. “We could concentrate more on improving patient care.”
Hirose said he had been forced to turn to travel sites such as Expedia to make plans for transporting organs. “With DoorDash, I know where my food is. That should at least be the case for a life-saving organ,” he said.
Carrie Frenette, who until December was medical director of liver transplants at Scripps Green Hospital in La Jolla, Calif., echoed that complaint. “You have to have your coordinator at your center arrange transportation, and there is no help from UNOS,” Frenette said.
“We had a very sick woman in the ICU on life-support systems. We finally got an organ offered, but there were difficulties in getting the surgeons to her and getting the liver back, and a week later she died,” Frenette said.
In an interview, UNOS Chief Executive Brian Shepard said the nonprofit was improving tracking and had a travel-planning app in development.
Shepard said the Digital Service report “reads more like an op-ed” opinion piece than a paper based on thorough research. He said the transplant system is secure and effective.
Yet leaders of the Senate Finance Committee, which has scheduled a hearing on the system for Wednesday, grew so alarmed during a closed-door briefing earlier this year that they warned officials at the Department of Homeland Security and intelligence agencies in a letter seen by The Post that they had “no confidence” in the security of the transplant network. They asked the White House to intervene to protect it from hackers.
“We request you take immediate steps to secure the national Organ Procurement and Transplantation Network system from cyber-attacks,” the committee chair, Sen. Ron Wyden, D-Ore., and Sen. Charles Grassley, R-Iowa, wrote to Federal Chief Information Officer Clare Martorana in February.
The senators wrote that “no one working for the federal government has ever examined the security of this system” and the government “has not imposed any cybersecurity requirements on UNOS.” The Digital Service report also noted that government experts have never been allowed to inspect the computer code that runs the complex transplant system.
An official in the administration’s Office of Management and Budget, which oversees the Digital Service, said OMB has worked with Health and Human Services on steps to “ensure the cybersecurity” of the transplant system.
HRSA said it was still working with the Digital Service and other experts. “We are consulting with the United States Digital Service to modernize the Network’s IT and we have sought best insights from patients, academics, tech experts, and clinical leaders,” it wrote in a statement.
UNOS’s Shepard stressed that the Digital Service report was still in draft form. But a former White House official involved in the review said that the report is normal; such reports are routinely labeled as “pre-decision” drafts because they are prepared for cabinet secretaries and their deputies who must then choose to act. He spoke on the condition of anonymity because he was not authorized to discuss the Digital Service findings.
That label also exempts the reports from Freedom of Information Act requests, and UNOS said it had been unable to obtain the document until The Post provided the text.
Shepard, who is stepping down in September, said his organization is audited yearly by HHS. He said that if officials visit the UNOS office, they can review specific chunks of the source code.
“The code is extremely large,” Shepard said. “They can come in and ask for specific pieces.”
UNOS said it was audited in 2020 by HRSA and last year by the office of the HHS inspector general, which is checking the security controls. A former HHS official familiar with the transplant system said the department ran through a checklist of questions but never won access to the system itself.
UNOS said in a statement that its refusal to turn over the full code is part of “an important balance: providing HRSA and other auditors the access they need to ensure the system’s security while limiting wider access in order to safeguard patient data and protect UNOS’ intellectual property.”
UNOS also said it would soon get a security penetration test by an HHS-recommended firm and a review of its “cyber-hygiene” by the U.S. Cybersecurity and Infrastructure Security Agency, the Department of Homeland Security division responsible for computer security.
UNOS oversees what is formally known as the Organ Procurement and Transplant Network, a complex collection of about 250 transplant-performing hospitals; 57 government-chartered non-profits that collect organs in their regions; labs that test organs for compatibility and disease; and other auxiliary services.
Located in Richmond, Va., UNOS sits at the center of the system. It is the only organization to ever hold the 36-year-old contract to run the operation, currently a multi-year pact worth more than $200 million, funded mainly by fees patients pay to be listed for transplants.
UNOS oversees controversial policies that determine which patients have priority for life-saving kidneys, hearts, livers and other organs. It reviews mistakes by members of the network and maintains the waiting list for organs. And it runs the complex technology that connects the entire enterprise.
Part of UNOS’s job is to monitor the performance of organ procurement organizations (OPOs) and hospitals where transplants are performed. When either is reported to have needlessly wasted an organ or endangered patient safety, UNOS is supposed to look into the incident. It can provide advice to the organization on how to improve or impose a variety of sanctions.
Critics have long said UNOS does little with many of these complaints, leaving the problems that caused them unresolved. Its findings and the work of its investigators are not made public.
Only the government, however, can revoke an OPO’s license to operate. That has never happened in the history of the transplant system.
More than 20% of all kidneys procured for transplant in the United States are not used, according to data from the Scientific Registry of Transplant Recipients. That rate reached a new high in 2020, when 21.3% of procured kidneys were not transplanted, a registry report found. The reasons are in dispute, with members of the network often blaming each other.
European countries report much lower “discard rates” for kidneys, according to various studies. France had a kidney discard rate of 9.1% from 2004-2014, a 2019 study found. The United Kingdom has a rate ranging from 10 to 12%. Eurotransplant, a consortium of eight countries including Germany, reported a rate of about 8%.
Some of the 57 OPOs also fail to meet government standards for their main job - collecting organs. After decades of allowing them to calculate and report their own compliance data, the government in 2019 took steps to hold the worst of them accountable.
As for UNOS itself, a comprehensive study requested by Congress was conducted by the National Academies of Sciences, Engineering and Medicine. In February, it came to one of the same conclusions as the Digital Service, recommending splitting the information technology infrastructure into a separate contract or requiring modernization when UNOS’s current contract comes up for re-bidding, likely in 2023.
“HHS should ensure that the OPTN uses a state-of-the-art information technology infrastructure that optimizes the use of new and evolving technologies to support the needs and future directions of the organ transplantation system,” the Academies wrote, adding that the system “could save additional lives” if it acted more cohesively with better oversight.
The Digital Service investigators found that the critical computers connecting the transplant network have crashed for a total of 17 days since 1999, with one February 2021 outage lasting about three hours, according to follow-up work conducted by the investigators. That’s a critical problem when organs can lose vitality after as little as four hours. Shepard blamed a firewall failure for the three-hour crash, adding that there have been no unplanned disruptions since then.
In another case, the former official in the Department of Health and Human Services said, UNOS allowed a programming error to push some lung patients lower on the priority list than they should have been. The mistake was eventually caught by a different federal contractor analyzing patient data, he said.
UNOS officials said they had gone back to assess the impact of the mistake and found that it had delayed some matches but that all the patients had eventually gotten one.
As portrayed in the report and interviews with current and former government officials, the technology that runs the transplant system is not only far behind current standards but also unlikely to catch up. That’s because UNOS owns the system under an unusual contract with the Department of Health and Human Services that prevents meaningful oversight.
The 1984 National Organ Transplant Act established the transplant network as a “quasi-governmental agency” - with UNOS in mind - run by a non-profit under a single contract, the Digital Service report said.
That “leaves the government with only a monitoring function to make sure the OPTN contractor follows the statute, rather than the kind of oversight authority” found in more traditional relationships between government and contractors, the report said. Any change in the way the system operates likely would require Congress to amend the 1984 law.
In its statement to The Post, HRSA said it was “committed to using all available tools to modernize the Organ Procurement and Transplantation Network, including leveraging the upcoming contracting process to increase accountability.” It also said it would “welcome the opportunity to work with Congress to update the nearly 40-year-old National Organ Transplant Act.”
UNOS has touted ambitious efforts to upgrade its technology, but most were quietly abandoned when they ran into problems, the report said.
UNOS’s shortcomings are compounded by HRSA’s own failings. The agency lacks technical expertise, can’t force the network to turn over data, and is so concerned about upsetting the nonprofit by asking for more intensive lung that it has been reluctant to push for a demonstrations of the system, according to the report and interviews. That allows UNOS “to wiggle through and around most new contract requirements for the [transplant network’s] technology by hand-waving at change with technical jargon, while making no substantive progress,” the Digital Service report said.
“There are no requirements, or mechanisms to create requirements, in the current contract” that would force UNOS to upgrade its technology, the report said. “UNOS knows this, and it is why when asked directly about their timeline for modernization, they point at HRSA and just say, ‘We’ll do it when they tell us to.’ "
UNOS has not allowed anyone in government to analyze its code base, instead providing only the English-language description of it known as pseudocode, officials said. That surprised Digital Service analysts; it was the only time that its engineers’ request to inspect code used by government agencies and contractors has been refused on nearly 100 occasions, according to the former White House adviser who was involved but not authorized to speak.
UNOS also “has at times even threatened to walk away and continue operating the [transplant network] without a contract, despite the fact that it would be illegal for them to operate such a network independent of a government contract,” the Digital Service wrote. That has kept HRSA “hesitant about pursuing avenues for real change in this program,” it added.
UNOS said that claim twisted a conversation during contract talks years ago in which it tried to assure the government that it would keep operating even if the old deal expired, rather than harm patients. But the former HHS official said the department saw the statement as a hardball tactic putting pressure on the government to meet UNOS’s terms.
Among the key technical findings of the report was that the vast majority of UNOS’s operation was running on a local data center instead of on the kind of cloud computing systems that have become the norm for most large businesses and public agencies. Switching to a cloud computing system would reduce system lags and downtime, allow greater automated access, and add computing power to support machine learning, the Digital Service said.
UNOS said that it used both public and private cloud architecture, with the latter in two physical locations.
The report found that the system still requires manual data entry that can lead to mistakes or narrow the timing window for successful organ matches.
Shepard said that in some cases hospitals had not modernized enough to automate data entry.
The Digital Service report also said the organizational structure of the software that matches donors with patients is so clunky that even a single change in priority policy can take a full year to be reflected in the code. Shepard acknowledged that some shifts take that long.
The Digital Service team also accused UNOS of misplaced priorities in its approach to technology.
“They have placed on their product roadmap things like artificial intelligence, mobile delivery of functionality and advanced predictive modeling,” the team wrote. “Where UNOS should be focused on getting the basics right for the core functionality before they layer in additional complexity ... they instead seem intent on adding shiny technology and distracting program stakeholders.”
Several former officials familiar with the transplant system confirmed the Digital Service’s description of UNOS’s resistance to government oversight. Robert P. Charrow, the HHS general counsel during the Trump administration, called the situation “the most topsy-turvy relationship I’ve ever seen.”
In its report, the Digital Service said it identified three other unspecified organizations with “clear capabilities” to take over UNOS’s technology.
But potential competitors for the contract are waiting to see how HRSA writes the requirements in a new bidding document. The last time the contract was up, in 2018, potential applicants ultimately were dissuaded by requirements that HRSA included that called for bidders to have at least three years of experience managing transplant projects of similar complexity - a description that fits only UNOS or a group running a transplant system in another country.
When the new request for proposals will be issued is uncertain. The government has so far issued only a “request for information,” a step before it calls for bids. That document describes a $248 million deal (presumably over multiple years), with $27.7 million coming from the government and the rest from fees patients pay to be listed for transplants.
Any transition to another vendor would cost more than $71 million, the Digital Service report estimated, including $55 million to purchase the current systems. The Digital Service called the figure “exorbitant” and said “the government should never have to be in a position to make the purchase of the existing systems” in order to modernize technology.
Even so, said the former White House adviser involved in the review, the government could recoup that much in a single year by improving the technology involved.
And for the same expenditure as now, according to the former HHS official not authorized to discuss the contract publicly, “You would be hard pressed to think you couldn’t at least get 5% better, which would be thousands of transplants.”
- - -
The Washington Post’s Todd C. Frankel contributed to this report.