July 3, 2013 1:00 PM
Posted by: Jenny Laurello
threat management
Guest post by Michael Mathews, PhD, President and COO, CynergisTek, Inc.
It wasn’t so long ago that network purists were decidedly of the mindset that routers should route, switches should switch, and firewalls should firewall. The mindset behind that was to do one thing and do it well. As a long time information security person, I was fully in that camp. After all, it met several of our basic tenets because it was simple, easy to troubleshoot, had no single points of failure, and provided a clear separation of duties.
As we got better at protecting our perimeters, the nature of perimeter threats evolved, moving up the Open Systems Interconnection stack to the application layer, and eventually the human layer. As the threat evolved, so did the firewalls. It’s now almost as hard to find a simple packet filtering firewall as it is to find a network hub.
Modern, effective perimeter security solutions can’t simply let the firewall “firewall.” Perimeter security requires an increasingly complex mix of technology to effectively combat Internet threats. Enter the unified threat management (UTM) concept and multi-functional perimeter devices.
The perception of the firewall has largely remained unchanged in many organizations, with a substantial number of people still in the camp that “firewalls should firewall” and that a number of ancillary devices (anti-virus, anti-SPAM, virtual private networks, intrusion detection/prevention systems, content filtering, data loss prevention, security information and event management, email encryption, etc.) should do other tasks at or around the perimeter.
Clearly the important thing is to ensure all the perimeter bases are covered, regardless of how it’s accomplished. There is definitely a significant argument, using the same criteria as above (keep it simple, easy to troubleshoot, no single points of failure, and separation of duties), that supports the UTM approach.
Going the UTM route of purpose-built devices with different components to fill each of the specific needs on the perimeter falls within the old keep it simple and easy to troubleshoot approach. Managing eight to ten different technologies that all need to evaluate traffic can quickly become overwhelming to design and troubleshoot. Not to mention the resources and expertise/training needed to staff it.
At first pass, no single points of failure seems to be a win for purpose-built devices, but there are high availability options for most UTM platforms that can either be a standby or actively load-balanced solution. Not only is it easier to implement and manage the availability of a UTM solution, it’s almost certainly cheaper. Achieving separation of duties has become a significant challenge with dwindling budgets and a whittling head count in organizations today, especially in the information security realm.
Implementing a fully managed UTM service is one of the more elegant solutions to achieve separation of duties and is a good foundation for change management. A managed services UTM platform not only frees up internal resources for other tasks, but it also ensures that changes to the organization’s perimeter security postures are evaluated, documented, and not performed by the same folks that run the day-to-day operations of the network.
Reporting is an added bonus to UTM perimeter protection. Budgeting is one of the hardest hurdles to overcome every year. It is especially challenging for information security folks because it is very hard to demonstrate a return on investment for protecting from potential catastrophes. While data analytics logs can help provide raw information from the many purpose-built perimeter security components, compiling the logs, analyzing them, and presenting output in a compelling form for executives is usually not something managers look forward to and would prefer to have as “out of the box” functionality. This is another plus for UTM since many platforms support some variety of reporting.
Much of what information security professionals learned from the Rainbow Series books in the early 80s and 90s is fundamental to what we do now. As such, we have a predisposition to resist change; that’s a good thing and part of our nature. But it’s definitely time to re-evaluate the perimeter and adapt our approach to better suit the evolution of Internet threats.
July 1, 2013 1:00 PM
Posted by: Jenny Laurello
Accountable Care Organizations, Customer relationship management, EHR implementation, HIMSS 2013
Guest post by Baskar Mohan, director, healthcare practice, Virtusa Corporation
A few months ago, I attended the HIMSS 2013 conference in New Orleans. It was an excellent experience because I was able to see how healthcare providers are preparing for EHR and EMR implementations. This is certainly a very good first step. However, some provider organizations have started to look at the accountable care organization (ACO) model and recognized its potential to transform treatment for patients and provide a great customer experience. In this highly customer-centric world, providers should focus on transforming and managing the customer experience.
There is no better time than now to evaluate how to treat customers during care and before they enter the hospital facility. This starts with creating a fully functional, fully optimized website geared towards the customer. This is important because it is the first interaction customers will have with your hospital. A hospital should start by addressing this initial interaction, which will be done through various devices like laptops and other handheld devices. Building a robust customer portal is an important task that needs to be undertaken with utmost care.
I would like to address five key areas that providers should focus on while embarking on this journey of turning their static websites into more robust, fully functional, customer experience websites.
Visual design: This is the most important aspect of the requirements phase and requires the most time. The recommendation is to create a responsive design even if there is no immediate plan to make the site mobile-friendly. You will save a lot of effort and time if this is taken care of upfront, and the website visitors will get the information they are looking for at their convenience.
Content migration: Spend time on making sure the right content is migrated to the new website. The process can be less painful if the migration can be automated once the content has been finalized. This will also allow you to prioritize the information that is most important or most searched for.
Customer relationship management (CRM): This is an area neglected by providers that often sends frustrated customers to competitors. To avoid losing customers, make sure that contact information is readily available, and also have the links for patients and families, health professionals and researchers prominently located on the front page. If there was one area I would focus on it would be this one. It is estimated that hospitals lose 10% of their potential revenue due to poor CRM systems.
Content authoring: Put authoring power in the hands of the business and free IT to focus on maintenance and support. This will ensure that your message comes across exactly as you would like it to, and allows IT the ability to devote their time and resources to ensuring the backend runs smoothly. Doing this guarantees that the content on the website is always fresh and geared towards the customer. Most of today’s websites are outdated due to the fact that they do not have a proper content authoring environment coupled with a robust workflow for content approvals.
Taxonomy driven search: This is the most heavily used feature on a website. The key here is to provide the right content at the right time for the customer. Make sure this feature is implemented carefully with the utmost detail in mind. This is especially necessary for the websites of health providers, as customers generally visit the website with a specific purpose. Also, care should be taken to display the most appropriate and relevant content to the user by leveraging some of the latest search techniques.
Providers will have a successful EHR implementation and a robust, helpful and customizable website if they focus on the aforementioned areas. In my next blog, I will focus on the business side of customer experience management implementations. Stay tuned!
June 27, 2013 11:14 AM
Posted by: EmilyHuizenga
mHealth applications, Network optimization, network security
Guest post by Sree Kannan, Senior Manager, Aerohive Networks
The business of healthcare is both mission-critical and life-critical. Putting accurate and up-to-date medical information in caregivers’ hands at patient bedsides, surgery suites, or at the emergency rooms can greatly accelerate diagnosis, enhance treatment efficacy and reduce overall cost of care.
Healthcare organizations primarily deploy Wi-Fi networking to provide guest access to the Internet and other non-critical internal resources. With the advent of the mobile-first workforce, the trend is shifting: Now, many organizations are using Wi-Fi to support critical patient care applications, provide mobile capabilities for care providers, and enable wireless clinical monitoring and tracking devices — all while ensuring patient privacy and confidential data is adequately protected and meets HIPAA compliance mandates.
Healthcare IT faces daunting challenges. Decisions must be made about how access to computing resources now will affect efficiency and effectiveness in years to come.
Top considerations for optimizing your network for mobility:
These five tips highlight the benefits of a mobile-first healthcare organization and the advantages of characterizing the requirements granularly to enable a modern Wi-Fi network for years to come.
- Design around application access and users, not the network
Designing and optimizing network access for mobility is a key aspect of servicing critical healthcare applications and ensuring resources meet scale. Essentially, the important part is deploying a network infrastructure that is acutely cognizant and optimized for application access and user context (user privilege, device type, location and time).
- Converge wired and wireless management tools
Approaching the overall network with a true single-pane-of-glass view with converged wired, wireless and security management transforms the way health IT administrators view, monitor and manage the entire access network infrastructure. With application visibility and control over performance thrown in, empowered IT admins will impersonate Captain Kirk of Star Trek in ensuring the near optimal usage and up-time of all resources.
- Implement proper security policies for guest and BYOD
Mobile devices in healthcare access critical applications in a variety of ways. Many access with a software agent installed on a laptop, or through hosted virtual desktops, or from tablets like iPads through plain web browsers. And the device could belong to the corporation or employee. Implement user-centric policies with proper virtual local area network (VLAN) assignment, application quality of service policy based on the user and proper authentication, including legacy certificate-based authentication.
- Optimize wireless connectivity
Neighboring Wi-Fi devices and other sources can affect wireless local area network (WLAN) availability and interfere with users’ ability to use the network. These sources can include medical equipment, guest devices, neighboring organizations with wireless networks, and any equipment that emits energy in the Wi-Fi bands, such as microwave ovens and wireless surveillance cameras.
Advanced WLANs have sophisticated radio frequency management tools that can automatically detect interference, dynamically adjust power levels, and switch channels to sidestep congestion. Some vendors also have strong radio frequency planning tools to select optimal locations for access points and avoid interference once deployed. However, because radio frequency environments continually change, it is far more efficient to automate the network to self-adjust and self-heal in the presence of interference and failures.
- Extending mobile-first architecture benefits into the future
Deploying a modern Wi-Fi network with a granular visible management platform, optimizing for productivity and flexibility and meeting security mandates is a great starting point for any healthcare organization. If you spend one dollar to buy and deploy a technology solution, many times it takes three dollars to maintain it annually. Establishing break-fix remediation best practices by leveraging solution tools like centralized troubleshooting, service tools to isolate network issues from device issues (especially from those pesky consumer-grade mobile devices) and an ability to extend IT policies for new users will ensure a mobility platform built to last.
June 25, 2013 9:12 AM
Posted by: Jenny Laurello
data breach security, Data security, identity theft
Guest post by Michael Rothschild, director of field & channel marketing, SafeNet
The daily occurrence of massive data breaches has even the most seasoned C-level executives concerned about the security of their networks. Now, given the ongoing switch to electronic health records, this concern is increasingly prevalent in the healthcare space.
The security trifecta
Hacking has graduated from a hobby to a lucrative business and, as a result, major data heists occur with shocking regularity. Healthcare hackers target the industry because of the “trifecta” of data that can be used or resold for each patient. This coveted data includes the identity of the patient, their credit card or other payment information, and the health insurance information of the patient. There have been documented cases of identity theft, credit card fraud, and even the use of stolen health insurance credentials to obtain expensive medical procedures. Of the three pieces of stolen information, the third is the most significant because it alters a patient’s health record with bad information. It can result in getting denied for a job, affecting the patient’s credit, or getting the wrong treatment if their EHR is incorrect.
Who holds the record?
Five years ago many offices, clinics and even hospitals were still writing charts, prescriptions and notes all on paper. Go to any healthcare facility today and the change is dramatic. Electronic health records are everywhere, and they’re not limited to the confines of the healthcare facility.
An EHR may be created in the field at the time of an emergency responder’s first contact with a patient. The electronic record often is transmitted wirelessly to the hospital, arriving before the patient is offloaded to the accepting hospital. The same file follows the patient through their cycle of care and becomes part of the overall EHR dossier or patient’s global record. This file can be shared and accessed by many different parties.
The volume of digital health information is constantly growing and EHRs are becoming universally accessible both inter- and intra-facility. This is wholly, or in part, due to the different parties that are responsible for the patient’s care.
There is another massive change in healthcare that can potentially lead to security vulnerabilities. Hospitals have grown into medical centers or systems that extend beyond a single building. This has led to an increase in the number of personnel who have access to a patient’s chart. There are generally no fewer than five to seven disciplines in the healthcare system that touch a patient’s chart, even during the most basic hospital visits. This may include the physician, nursing staff, lab, imaging, pharmacy, health insurance, billing, rehab, follow up/referral and more. There are more points of vulnerability than ever for health data due to the increased number of parties who access a patient’s record, an increased use of end-point devices, larger network sizes, and the use of cloud-based applications.
How healthy is your network?
The ongoing switch to digital requires a change in the way we think about securing our environment, whether that environment is a private office or a large healthcare system. Past methodologies were predicated on securing the perimeter, also known as the “attack vector.” But with a more heterogeneous user environment that is connected with cloud-based applications from various places and devices (some of which may be third-party or unmanaged devices), it becomes far more difficult to define and protect the network perimeter. That leaves providers seeking flexible security that can protect patient data wherever it happens to be. In the event of a breach, the data can hopefully be rendered useless to the cyber criminal. In all industries including healthcare, IT pros are moving from a mindset of breach avoidance to breach acceptance.
A prescription for healthy data
There are several key steps to take in order to move on from a breach avoidance approach and start to secure what really matters.
- Encrypt data: Data is the target for all cyber criminals. The criminals may be internal or come from outside the organization. By encrypting the data you have, even if there is a breach, the captured data is useless to anyone lacking the appropriate credentials.
- Differentiate access: Ensure authorized personnel can only access the parts of the patient chart that they need to do their job. There should be few, if any, instances where someone has access to a complete chart. Access should be granular in nature and should be locked down through a strong, multi-factor authentication system which may include passwords, tokens, biometrics or other combinations.
- Lock down that wireless: Wireless networks are necessary for fast transmission of forms, image files, audio and video from virtually everywhere in a facility’s building. Several of the access points are bound to be unprotected. A quick network scan may show that the radiology department or cafeteria has a network that is not locked down or perhaps that an unauthorized network has been set up by an employee at their workstation. A careful audit of these networks and access points should take place to ensure that only authorized personnel are on the network, and that any open networks are intended to be that way. Chinese wall separation is essential for open networks because it prevents unauthorized personnel from gaining access to information that is not intended for their use.
- Ensure endpoint compliance: Every endpoint is a potential portal to the inner sanctum of your network, whether it is a Toughbook in an ambulance, a doctor’s tablet or a wireless registration console. By employing basic security standards such as password protection, remote wiping, identity tagging, and firewall/AV compliance, you significantly reduce the chances of damage occurring from rogue or compromised devices.
- Education is power: Sometimes we overlook the basics of educating our own people on how to maintain a secure and confidential environment. It’s often the case that an insider threat — authorized healthcare personnel obtaining and compromising confidential information — is accidental. Either the insider failed to follow procedure or they were not equipped or trained to follow proper safety standards. Documented data breaches have resulted from simple mistakes such as emailing confidential information to another party, leaving a device in an unsecure location, saving data to an external drive, or failing to recognize a phishing or spear phishing attack.
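The wireless audit described under “Lock down that wireless” can be expressed as a comparison between scan results and an inventory of sanctioned access points. The following is an added example, not part of the original post; the inventory format, SSIDs, BSSIDs, locations and finding names are all constructed for illustration.

```python
from dataclasses import dataclass

# Security modes treated as "not locked down" for this audit.
WEAK_SECURITY = {"open", "wep"}


@dataclass(frozen=True)
class Observation:
    """One access point seen during a site scan (constructed sample format)."""
    bssid: str      # radio MAC address
    ssid: str       # advertised network name
    security: str   # e.g. "open", "wep", "wpa2-psk", "wpa2-enterprise"
    location: str   # where the surveyor saw it


# Constructed inventory of sanctioned access points, keyed by lowercase BSSID.
# intended_open=True marks networks that are deliberately open (guest Wi-Fi).
AUTHORIZED_APS = {
    "02:00:00:00:10:01": {"ssid": "HOSP-CLINICAL", "intended_open": False},
    "02:00:00:00:10:02": {"ssid": "HOSP-CLINICAL", "intended_open": False},
    "02:00:00:00:20:01": {"ssid": "HOSP-GUEST", "intended_open": True},
}

# Constructed scan results.
SCAN = [
    Observation("02:00:00:00:10:01", "HOSP-CLINICAL", "wpa2-enterprise", "ward 3"),
    Observation("02:00:00:00:10:02", "HOSP-CLINICAL", "open", "radiology"),
    Observation("02:00:00:00:20:01", "HOSP-GUEST", "open", "cafeteria"),
    Observation("02:00:00:00:99:AA", "linksys", "wpa2-psk", "billing office"),
    Observation("02:00:00:00:99:BB", "HOSP-CLINICAL", "open", "lobby"),
]


def audit_scan(observations, inventory):
    """Return (finding, observation) pairs for every deviation from the inventory."""
    sanctioned_ssids = {ap["ssid"] for ap in inventory.values()}
    findings = []
    for obs in observations:
        record = inventory.get(obs.bssid.lower())
        if record is None:
            # Not one of ours: either an employee-installed AP or an unknown
            # radio advertising one of our network names.
            kind = ("unknown-ap-using-sanctioned-ssid"
                    if obs.ssid in sanctioned_ssids else "unauthorized-ap")
            findings.append((kind, obs))
            continue
        if obs.ssid != record["ssid"]:
            # Sanctioned hardware advertising a name the inventory does not expect.
            findings.append(("ssid-drift", obs))
        if obs.security in WEAK_SECURITY and not record["intended_open"]:
            # Sanctioned AP that is open although it was never meant to be.
            findings.append(("unintended-open", obs))
    return findings


def report(findings):
    """Format findings as one line each for a ticket or audit log."""
    return [f"{kind}: {o.ssid} ({o.bssid}) at {o.location}, security={o.security}"
            for kind, o in findings]


if __name__ == "__main__":
    for line in report(audit_scan(SCAN, AUTHORIZED_APS)):
        print(line)
```

The open guest network in the cafeteria produces no finding because the inventory records it as intentionally open.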
No silver bullet
There is no such thing as an impenetrable environment. This is particularly true when it comes to securing an ecosystem which is primarily focused on saving lives. But through a change in mindset — from securing a vector to securing the EHRs themselves using proper authentication, encryption, access control, and education — we can start to make our data healthier.
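The granular access and multi-factor authentication described under “Differentiate access” above can be sketched as a section-level filter on the chart. This is an added example, not part of the original post; the role names, chart sections, factor names and sample chart are constructed, and requiring two different factor categories is an assumption about what “multi-factor” should mean here.

```python
# Sections that make up a complete chart in this constructed model.
CHART_SECTIONS = frozenset({
    "demographics", "medications", "lab_results", "imaging",
    "clinical_notes", "insurance", "billing",
})

# Each role sees only the sections it needs; no role is granted the whole chart.
ROLE_SECTIONS = {
    "physician": {"demographics", "medications", "lab_results",
                  "imaging", "clinical_notes"},
    "pharmacy": {"demographics", "medications"},
    "lab": {"demographics", "lab_results"},
    "billing": {"demographics", "insurance", "billing"},
}

# Authentication factors grouped by category. Two factors from the same
# category (password + PIN) do not count as multi-factor.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "token": "possession",
    "smart_card": "possession",
    "biometric": "inherence",
}


class AccessDenied(Exception):
    """Raised when a chart request must be refused."""


def is_multi_factor(factors):
    """True if the verified factors span at least two different categories."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2


def view_chart(chart, role, factors):
    """Return only the chart sections the role is entitled to see."""
    if role not in ROLE_SECTIONS:
        raise AccessDenied(f"unknown role: {role}")
    if not is_multi_factor(factors):
        raise AccessDenied("two different factor types are required")
    allowed = ROLE_SECTIONS[role]
    return {name: value for name, value in chart.items() if name in allowed}


def roles_with_complete_chart(role_sections):
    """Audit helper: list roles whose grants cover every chart section."""
    return sorted(role for role, sections in role_sections.items()
                  if CHART_SECTIONS <= set(sections))


# Constructed sample record.
SAMPLE_CHART = {
    "demographics": {"name": "Test Patient", "dob": "1970-01-01"},
    "medications": ["example-drug 10 mg"],
    "lab_results": [{"test": "example panel", "result": "normal"}],
    "imaging": [],
    "clinical_notes": ["constructed note"],
    "insurance": {"plan": "EXAMPLE-PLAN"},
    "billing": {"balance": 0},
}

if __name__ == "__main__":
    print(sorted(view_chart(SAMPLE_CHART, "pharmacy", {"password", "token"})))
    print(roles_with_complete_chart(ROLE_SECTIONS))
```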
Michael Rothschild works for the data security company SafeNet. He holds advanced marketing degrees and certifications in IT and IT security for healthcare. He has been an EMT for 28 years, ER nursing assistant for 8 years and is an instructor for the American Heart Association.
June 10, 2013 11:21 AM
Posted by: Jenny Laurello
covered entities, Data breach, data breach security
Guest post by Ruby Raley, director of healthcare solutions, Axway
What exactly are we talking about when we talk about HIPAA at the edge of the enterprise?
The enterprise, its IT network, and its data center have long comprised a digital fortress — a bastion that’s both fully accessible to on-site personnel and semi-accessible to off-site personnel — and its edge has always been well defined.
But today, this edge is no longer well defined as CIOs look to reduce costs by turning to the cloud, satisfy employees who want to access the network with iPads, notebooks, and other mobile devices, and give patients access per meaningful use stage 2. It’s now a porous boundary, one through which users — some of whom may access the network only once, on any device, and from any location — can come and go as they please.
Add HIPAA to that equation, and without proper security, the potential for a data breach grows dramatically. To secure it, you must have a plan.
First, you must ensure users have a consistent set of application access roles, regardless of their location or device. You don’t want them juggling multiple identities and rights — that would be impossible for you to manage and frustrating for them to endure, no matter if they’re doctors, nurses, clinicians, patients, partners, or some other member of your community.
Next, you need to work with your legal department and chief medical officer to define policies per the HIPAA omnibus rule. Determine whether you need to:
- Develop a policy regarding employees who work remotely
- Add restrictions to that policy
- Have your users sign agreements acknowledging that policy
- Give partners (e.g., physicians, specialists, patients, clearinghouses for other organizations, etc.) the ability to access your system
- Update your HIPAA consent policies as required by meaningful use stage 2
- Obtain patient consent for electronic interactions with your organization
- Provide additional training
After that, you’ll need to determine where the health records you generate will be stored, and what work must be done in addition to those records. In other words, if your enterprise stores health records in the cloud and your cloud application provider offers value-added services (e.g., clinical or payment services) on top of the health records themselves, then that provider is a full-blown business associate and they are subject to all the requirements to protect health records that you, as a covered entity, are subject to. Your business agreement with them must be updated, if it exists.
If it doesn’t exist, you have until September to get it squared away. Look for another organization’s policy set (their handling control, auditability, and reportability of HIPAA records in motion and at rest) that mirrors your own, and consider emulating it.
At this point, you may be asking, “What if my cloud application provider uses a cloud storage provider behind the scenes? What if they’ve hired another organization to help them handle my health records? Am I responsible for them?”
No. Your cloud application provider must have a proper understanding and agreement, per the HIPAA omnibus rule, with their cloud storage provider. That’s their responsibility, not yours.
Finally, you should resolve to create an efficient IT infrastructure, something most enterprises forget to do. After all, you don’t want to build another application to manage applications; another identity management system to manage identities; and another network that you have to separate, manage, and control.
You want to collaborate. You want your users and providers to come together and work in a distributive manner with centralized policy, governance, and administrative functions.
This last item, while often neglected, is essential to achieving the proper perspective on how decentralized your application deployment — and how centralized your management of that deployment — is going to be.
Once you’ve got a plan, you can lay the four foundations for succeeding as an enterprise at the edge: governance, credentialing, data management, and interoperability. In our next post, we’ll explore these foundations; highlight the new, emergent terminology that comes with them; and discuss how these foundations contribute to the realization of HIPAA’s dream for the future.
May 28, 2013 8:00 AM
Posted by: Jenny Laurello
EHR implementation, medical errors, point of care
Guest post by Rob Leibrandt, senior market manager, Camcode
Healthcare organizations are turning to electronic health records and point of care technology to increase productivity and efficiency. Proper documentation has always been a critical component of healthcare delivery, but the likelihood of human error in manual processes creates problems such as misinformation and inaccurate billing, and can even lead to devastating consequences for patients in the most severe circumstances.
Electronic health records eliminate many of these concerns, and more providers are implementing EHRs every day. There are dozens of information sources that must be seamlessly combined for a comprehensive medical record in outpatient, acute and long-term care settings, including radiology reports, laboratory testing, pharmacy records, medical devices and supplies. When EHR and point of care (POC) are combined with the benefits of automatic identification and data capture (AIDC) for physical products, the process of data analysis becomes more functional.
What is AIDC?
Automatic identification and data capture is a process for identifying entities and processes using machine readable methods. In this article we will focus on its use for physical assets. Most often, whether for people or equipment, the solutions center on scannable bar code labels. These provide a foundation to easily and accurately enter data, pull up essential related data, improve patient care and reduce costs. AIDC can be used for medical devices, supplies and even advanced technological equipment for tracking maintenance, replacements, condition and location with ease. In the healthcare setting, AIDC can be used to track medical technology equipment, such as equipment found in radiology departments and laboratories.
The importance of accuracy in data capture
The healthcare industry is complex. Coordinating care for a single patient across multiple departments and specialties is challenging enough, let alone trying to maintain accurate records and deliver proper care to hundreds of patients simultaneously. Manual data collection leaves too much room for human error, which can impact a number of facets of a healthcare practice.
- Billing: Billing is one of the most error-filled areas in the healthcare system. The vast majority of billing errors can be traced back to inaccurate data collection and documentation. Billing issues are both time-consuming and costly, as records must be revisited, benefits reanalyzed and bills resubmitted for approval and payment.
- Medical errors: The consequences can be devastating for patients when inaccurate data capture results in medical errors. Even the most skilled physicians and other practitioners make occasional mistakes. Some errors can be reduced with precise data collection and documentation. Poor record-keeping can result in administering the wrong medication or wrong dosage to a patient.
- Inventory and re-ordering: Outpatient medical practices, emergency departments, hospitals, pharmacies and ancillary care providers must be equipped to meet patients’ needs at all times. When a provider runs out of a critical medication, patients’ lives are put at risk. Automatic identification and data capture enables providers to keep precise inventory controls. Providers can generate orders automatically — through alerts and/or data exchange — reducing the likelihood that inventory will run out during times of need.
New advancements provide instant and accurate EHR access for providers
Recent advancements include the use of patient-specific barcode wristbands which can be scanned by mobile devices, allowing physicians and other providers to instantly access the appropriate EHR for a patient, including their entire medical history, recent diagnostic tests, imaging results, lab work and more. This reduces the potential for errors introduced when providers must leave the exam room to obtain records or rely on less accurate electronic retrieval methods in which bar code identification systems aren’t utilized. A single keystroke can mean the difference between accessing the correct record and providing the proper treatments, and serious errors which can have devastating consequences. The potential for such errors is drastically reduced when using barcode identification.
The development and use of these new technologies point to the importance of speed and accuracy in healthcare. Using systems such as wristband barcodes can streamline the admissions process in acute care settings, speeding the delivery of critical care while offering ancillary benefits, including reductions in billing errors and other documentation.
How AIDC can help
Implementing EHR takes a great deal of planning, beginning with assessing the readiness of your practice and ending with meaningful use. Automatic identification and data capture can prepare you for assessing your success and compliance with meaningful use metrics, including:
- Better inventory control.
- More efficient reordering.
- Reductions in medical errors, including medication dosages.
- Reductions in billing errors.
- More accurate adverse event reporting.
- Improvements in patient care.
Automatic identification conducted using bar code labels ensures that providers are equipped with complete background information on each patient. That means it takes less time to obtain records from other providers and gather up-to-date information on the medications a patient is taking. A patient’s full medical history can also be obtained, including information about past surgeries, chronic illnesses, serious medical events and more.
Expensive technology equipment must be adequately maintained to ensure accuracy. Bar code labels provide an efficient means for identifying equipment across a healthcare organization, specifying locations, tracking maintenance and repair history. The FDA has proposed a rule that would require all medical devices meeting certain criteria to contain unique device identifiers (UDI). This is another area in which bar code labels enhance both compliance and the patient experience through accurate documentation. The proposed rule would enable bar code labels to ensure rapid replacement of recalled equipment and precise maintenance documentation to ensure these assets are in proper working order for patient safety.
Automatic identification and data capture adds value to patient-specific supplies and devices. With a simple scan, medication inventory can be accurately tracked in a physician’s office or pharmacy and reordering can be streamlined — reducing the likelihood that a patient’s life-saving medication is out of stock. This also reduces problems such as billing a patient for supplies that were actually used elsewhere or never used at all. This is due to AIDC’s ability to automatically identify and assign the correct supplies and medications to the appropriate patient record.
In all of these applications, AIDC serves as a supplementary, yet critical component of EHR and POC. Armed with the information obtained through AIDC, providers are able to provide more comprehensive care to each patient through streamlined processes, reduce billing errors and improve the efficiency of medical care delivery.
Read more from Rob Leibrandt on the benefits of auto ID and data capture, as well as the development of the UDI rule on Camcode’s blog.
May 24, 2013 8:00 AM
Posted by: Jenny Laurello
Network optimization
Guest post by Andy Willett, senior vice president, NetMotion Wireless
Accessing patient data directly at the point of care via wireless technologies is a major focus among healthcare providers. This trend has led to a reduction in manual errors, an increase in clinician productivity and enhanced quality of patient care. Mandates have been made in response to this trend in order to ensure productivity gains are not negated by system complexity. This is a significant undertaking. Its downside is that clinicians will only partially comply with, or will abandon, a system if it makes mobile technology difficult or frustrating to use.
Organizations that learn how to deliver the seamless experience and “always there” reliability that clinicians have come to expect will largely avoid this setback.
Two working scenarios are generally to blame for an intermittent or complete lack of network connection. Clinicians on site at hospital campuses or outpatient clinics and other professional offices accessing data over a wireless local area network are susceptible to all kinds of coverage “dead spots.” A long hallway, stairwell or elevator shaft can drop an employee’s connection.
Clinicians can encounter spotty coverage when in their vehicles or otherwise out in the community when trying to access data networks using air cards from cellular carriers. Concrete buildings, reflective surfaces, varied terrain and cell tower distribution can lead to network connection drops and cause applications to crash. Physicians and nurses are then forced to re-log in to the system and re-enter lost data.
A set of best practices has emerged to help healthcare organizations overcome connection difficulties so that clinicians keep their focus on treating patients, not tackling IT issues.
Authenticate, don’t frustrate — Does your organization require single-factor (user name and password), two-factor (combination of something that the user knows, like a password, and something that the user has, like a smart card or RSA SecurID token), or multi-factor authentication (single- or two-factor user authentication, combined with separate authentication of the device through a digital certificate)? Test how your current approach impacts usability and consider new methods, such as device authentication, which operates in the background without user intervention. This approach is great for user transparency.
Protect data with encryption — A proven approach to protecting confidential patient data is FIPS 140-2 validated Advanced Encryption Standard at 128-bit, 192-bit or 256-bit strengths. It secures the entire connection path, maintaining a continuous encrypted tunnel from the client device in the clinician’s hands to backend servers in the data center. It’s critical to safeguard both patients and the healthcare organization, regardless of the combination of networks the data traverses — including Wi-Fi, cellular or wired campus networks.
Deliver application persistence — It’s important to maintain both the network session and any open applications for an end user when network connections are interrupted. This can happen when a physician enters an elevator or an ambulance goes through a tunnel. A mobile virtual private network (VPN), built for such precarious environments, can maintain a network session and make sure that applications don’t lose data even when in the middle of a transmission. Make sure all the applications that run on a wired network also work in a wireless environment. Some critical applications to protect are medical records, picture archiving and communication systems (PACS), computerized physician order entry (CPOE), medical monitoring, pharmacy, patient registration, scheduling, housekeeping, billing and accounting.
Support internetwork roaming — When users cross network boundaries and access multiple networks, a mobile VPN can also automatically handle any separate network logins without requiring user intervention. This is especially advantageous when using cellular networks, as coverage is sometimes spotty and organizations often need to employ two or more carrier networks to fully cover their service area. The same seamless roaming applies when using multiple access points on a medical campus.
Leverage policy management — Policy management heightens security and productivity by controlling how applications, users and devices access networks. Policy management makes it possible to allow only specific clinical applications, prohibit Web browsing, restrict access to an intranet or specific clinical sites, or to set restrictions based on connection speed or time of day. Tablets used by roaming clinicians, smartphones in the hands of physicians, notebooks carried by health workers and executive laptops can all have different policies, with each defined at the user level.
Control network access — Integrated network access control verifies that devices have required security precautions in place — such as patches, operating system updates, and active antivirus with current signatures — before allowing a connection. Network access control integrates with policy management to automatically remediate devices, in a way that doesn’t interfere with patient care duties.
Administer quality of service — Traffic-shaping capabilities give priority network bandwidth access to the most critical applications, so that Web browsing or large file downloads don’t interfere with the medical mission. Patient monitoring systems or applications that physicians depend on, such as point of care, CPOE or PACS, may be assigned higher priority than scheduling and billing. Medical centers that employ voice over IP devices for push-to-talk communications may single out voice traffic as their highest priority.
Manage devices — Managing hundreds of devices deployed throughout a medical center, inside ambulances or carried by roaming health workers is difficult, especially when management activities can’t risk interfering with clinical duties. Solutions that allow device management through a central console and also integrate with a third party enterprise-level management solution are particularly efficient because they allow management chores, such as application updates, to run when users aren’t actively logged on.
Measure and monitor performance — The practice of cellular network performance management gives IT staff the insight and visibility they need to optimize their mobile data deployments. Detailed technology performance reports expose poor network performance and chronic connectivity problems related to signal strength, location, network saturation, older network technologies, devices, drivers and more. This granular management capability can help energy providers verify they are paying appropriately for the data they’re using and creates new opportunities to decrease cellular expenditures, reduce employee downtime and expedite troubleshooting efforts.
These considerations will help healthcare organizations realize the clinical improvements of bedside data access, while sharply reducing helpdesk calls from users. Workers will be free to roam and use computing devices constantly, while experiencing uninterrupted use of open applications throughout the workday. Organizations can also be confident these productivity gains won’t sacrifice critical security objectives.
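The network access control and policy management practices above imply an ordering: check device posture first, then apply the per-user policy, and refuse anything the policy does not list. The sketch below is an added example, not NetMotion's product code; the class names, check names, thresholds and the sample tablet policy are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime, time

@dataclass
class Posture:                      # hypothetical device health report
    os_patched: bool
    av_running: bool
    av_signature_date: date

@dataclass
class Policy:                       # hypothetical per-user policy
    allowed_apps: frozenset
    hours: tuple = (time(0, 0), time(23, 59))
    min_kbps: int = 0
    max_signature_age_days: int = 7

def posture_failures(p, policy, today):
    """Return the NAC checks the device fails (empty list = compliant)."""
    failures = []
    if not p.os_patched:
        failures.append("os-patches")
    if not p.av_running:
        failures.append("antivirus-inactive")
    if (today - p.av_signature_date).days > policy.max_signature_age_days:
        failures.append("antivirus-signatures-stale")
    return failures

def decide(p, policy, app, now, link_kbps):
    """Posture first, then policy; anything not explicitly allowed is denied."""
    failures = posture_failures(p, policy, now.date())
    if failures:
        # Non-compliant devices are sent to remediation, never to clinical data.
        return ("remediate", failures)
    if app not in policy.allowed_apps:
        return ("deny", ["app-not-allowed"])
    start, end = policy.hours
    if not (start <= now.time() <= end):
        return ("deny", ["outside-hours"])
    if link_kbps < policy.min_kbps:
        return ("deny", ["link-too-slow"])
    return ("allow", [])

# Constructed sample: a roaming clinician's tablet limited to two clinical apps.
TABLET = Policy(frozenset({"cpoe", "pacs"}), (time(6, 0), time(20, 0)), min_kbps=512)
```

Returning the failed checks alongside the verdict lets the remediation step act on the specific gap and gives the helpdesk a reason code to log.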
May 22, 2013 8:44 AM
Posted by: Jenny Laurello
Health care inventory management systems and software, implantable devices, Supply chain management
Guest post by Karen Conway, executive director of industry relations, GHX
Healthcare cannot afford to keep pushing forward with the old way of doing business. As factors like the medical device excise tax and declining reimbursements impact their respective bottom lines, providers and suppliers are looking for areas where they can remove unnecessary costs, while maintaining high quality care and service. One area gaining increased attention is the implantable device supply chain, which is rife with inefficiencies and lack of visibility. There is more than $5 billion in documented waste, shared equally by providers and suppliers in the U.S., according to research conducted by PNC Healthcare and GHX.
The problems of the implantable device supply chain (IDSC) can only be tackled through a collaborative effort because the chain relies on multiple parties from hospitals, physician practices, manufacturers and distributors. Its inefficiencies and waste are the result of four main problems.
- Error-prone processes: From the moment a case is scheduled, through product delivery and use, until after the procedure is completed, the entire process is painfully manual, disjointed, duplicative and error-prone. Managing inventory, preparing for cases, documenting and reconciling supply usage involves multiple parties — sales reps, surgeons and circulating nurses, just to name a few. Combine the number of parties with manual, paper-based processes and you have a breeding ground for errors and inefficiencies.
- Lack of data standardization and synchronization: The lack of data synchronization has historically been one of the barriers to automating the IDSC. For many hospitals, data on implantable devices is not managed well — or at all — in the item master. Unfiled items create confusion about the products used and the correct pricing, which can further delay the process and payment.
- Ineffective inventory models: As providers have experienced increasing cost pressures in the past 10 years, they have turned to suppliers to manage their inventory. As a result, a large percentage of devices are either consigned inventory or stock held by sales representatives — so called “trunk stock” — with a much smaller percentage owned by the hospitals. Suppliers report they can have up to 60% excess inventory and write off 7% to 10% due to loss, waste or expiration.
- Lack of demand or usage visibility: More timely communication (as soon as a case is scheduled) can help both parties better prepare the required products and instrumentation. Large volume hospitals generally try to keep enough stock on hand to manage a peak day — say five hip cases on average — but what if the patient requires an uncommon size or if each case that day requires the same size implant? Even with good planning, sometimes there are unexpected product needs, which can be harder to accommodate without synchronized product data in item masters.
A group of manufacturers and healthcare systems has been working together to address many of these issues by developing best practices and conducting pilots to measure the value of data synchronization, process automation, case preparation and product documentation. Industry-wide adoption is critical to truly change the status quo, though these pilot projects are the first step to automating the IDSC.
It’s important to help both providers and suppliers leverage their own technology investments for their internal purposes, while looking for opportunities to standardize around shared best practices when they are working together.
May 15, 2013 12:45 PM
Posted by: Jenny Laurello
health IT, Meaningful use, portfolio management
Guest post by Kevin Kern, CEO, Innotas
Between changing regulations, healthcare reform requirements and the pressures of tight budgets and small staffs — all amid a commendable drive to improve patient care — hospital IT departments are often overwhelmed by the task of providing technology to support existing and new programs.
IT departments must also phase out legacy applications and implement new solutions in order to offer the interoperability, performance and reliability that clinicians and other users demand. It’s no wonder many IT organizations feel stretched beyond their limits with all these responsibilities. Without a clear plan, the result of different IT initiatives can be a mishmash of programs and projects that are puzzling to even the most organized IT project managers.
This all-too-common situation points to a critical need for clarity. IT departments must gain better visibility into IT processes and resources in order to thrive. That’s why integrated IT portfolio management solutions are gaining ground as a smart way to track ongoing projects, organize resources and staffing, and give hospital leadership big picture views of the status of IT projects and an understanding of how they affect key hospital performance measures.
Navigating regulations and supporting strategy
Some hospitals and other healthcare organizations are struggling to deal with EHR and meaningful use mandates. They are working toward readiness upgrades required for ICD-10, and are trying to overcome the challenges presented by the Affordable Care Act. Each of these new regulatory thresholds must be treated as its own IT project, with separate resources, management and analysis. Hospitals can efficiently manage even the most complex projects — such as EHR/EMR implementations — while improving their ability to test projects for meaningful use criteria through the use of project portfolio management (PPM) and application portfolio management (APM) solutions. These solutions also help increase accountability across the dozens of projects and thousands of support hours associated with healthcare modernization.
Control costs and track financial impact
Hospital leadership must be confident that a new technology will save the hospital money — they can’t simply take IT’s word for it. A tool that provides more visibility into the financial impact of IT investments, as well as the ramifications of compliance penalties, is critical in demonstrating the value that the IT department provides to the hospital. Having a better handle on IT financials and resources also means organizations can focus more on deadlines, and keeping much-needed incentive payments coming through the door.
Better visibility fuels innovation
End-to-end visibility of projects, their necessary reporting requirements and resources lets organizations plan for today as well as innovate for a more efficient, effective tomorrow. Developments like integration with consumer devices that capture medical information allow facilities to offer providers the latest solutions to help them deliver quality care to their patients.
The proper APM and PPM solutions offer significant strategic, regulatory, financial and competitive advantages. In today’s complex IT environment, these solutions are a “must-have” to provide a clear picture of where hospital IT projects have been, where they’re going and what value they deliver to the organization.