Wireless healthcare devices a challenge for compliance

By TerryAnn Fitzgerald

It’s an exciting time in healthcare IT. More and more life-saving devices are becoming automated and wireless. For instance, blood pressure and heart monitors track patient vital signs around-the-clock, freeing nurses to perform other critical functions.

A recent report from ABI Research titled, “The Current State of Global Healthcare Wi-Fi,” states, “One of the quiet revolutions taking place in healthcare is the Wi-Fi enabling of so many different medical devices.”  The report goes on to state that one vendor, Zoll Medical, estimates that “nursing staffs can save seventy hours a year by having equipment report on its own condition and indicate when it needs repair” with the use of its Wi-Fi enabled defibrillators.

However, as time-saving as these devices are, they also pose security and compliance risks for hospital networks and patient privacy as anyone caught in the Conficker malware knows all too well. These devices automatically feed sensitive data into records and therefore must comply with HIPAA and other protective mandates. They must also follow network guidelines in terms of having up-to-date patches and virus scans, as well as approved configurations.

So what can you do to minimize the risk and ensure that all requirements for patient privacy and network security are being met?

IT has to manage these devices as part of their centralized network security plan. IT should develop device-specific policies that set configuration and patch standards. They can then use VPN firewalls, intrusion prevention systems, and other network security tools to enforce the policies. These tools would keep tabs on the devices to ensure compliance and scan them for potential threats. If the policy management software detects configuration errors, lapsed patching or malware, it can alert IT and quarantine a device until it is brought back in line with policy specifications.

These tools also can monitor and log any changes made to the device, such as operating system or application updates or unauthorized access. This data can be used to generate reports for internal or external compliance audits and to detect and resolve threat patterns. IT teams can set thresholds that alert them to possible threats to the devices so that problems can be mitigated in real time.

Centralized policy management and enforcement tools are essential for healthcare organizations to realize the full potential of wireless devices without worrying about disclosing sensitive patient data or jeopardizing the hospital network.

Has your organization taken a proactive look at your medical devices?  Are they a part of your centralized network security plan?

Buyer beware of the vendor who tells you a mixed-vendor network is bad

By TerryAnn Fitzgerald

This week, we have a guest blogger, John Gray, a product marketing manager at 3Com.  John is focused on H3C enterprise brand products and in particular, on data center solutions and technology.   He recently posted this discussion about the advantages of a multi-vendor network on the official 3Com blog.  I found it quite compelling given the challenge of “doing more with less” while simultaneously addressing the increasing demands on healthcare network and security. John has kindly given his permission to share his original post with you here.

Buyer beware of the vendor who tells you a mixed-vendor network is bad

By John Gray

I recently listened to a presentation in which an IT analyst presented a case for how mixed-vendor networks are less reliable, more complex and costlier than a single-source vendor strategy.

While the analyst made some interesting points, he failed to acknowledge any of the key benefits that a dual- or multivendor-network strategy offers customers.

For starters, a multivendor network provides enterprises with the freedom to choose.

Rather than having to adhere to one vendor’s proprietary or monolithic architectural view of the world, a multivendor strategy enables enterprises to leverage open standards‐based solutions that are aligned to a customer’s business priorities, and not the other way around. This freedom enables enterprises to choose the best possible solution, rather than having to settle or compromise for a certain product simply based on the logo on the front of the box.

Decades of standards work by industry groups such as the IETF have enabled this broad multivendor interoperability across L2/3 networks for key networking functions like switch trunking, VLANs, QoS and Power over Ethernet (PoE), to name just a few.

What is it going to take to earn YOUR business?

Furthermore, multivendor competition levels the playing field and creates an environment where competing vendors become VERY focused and innovative on how they can earn a customer’s business through aggressive pricing, value-added services and feature/product commitments.

If nothing else, this type of open competition at least keeps an incumbent vendor honest and as sharp as it can possibly be on pricing and support. In a best-case scenario, customers may learn they can save tens or hundreds of thousands of dollars.

But my (single-source) vendor keeps telling me about multivendor complexity, issues, etc., etc. …

There’s a reason they keep telling you this: There isn’t much upside for an incumbent supplier if you bring in a second vendor! The reality is that current best practices for running today’s network infrastructures apply to both a single or multivendor network. For example, establishing well-defined, open standards boundaries between the access and core network layers provides a logical demark to deploy a different vendor solution if it makes feature/function or economic sense to do so.

In fact Gartner recently published a research note around this very topic citing that: “The operational impacts of introducing a second vendor for basic network infrastructure are modest and easily handled by most organizations.” It continued: “Introducing a second vendor will reduce capital expenditures (capex) by at least 30% (and often more), while only minimally increasing operational expenditures (opex).”

I’d be interested in hearing your stance on single- versus multi-vendor networks. Which do you think is more advantageous?

Healthcare Informatics: Building the Bridge Between Clinicians and IT

By TerryAnn Fitzgerald

Back in 1999, the U.S. Institute of Medicine (IOM) published a report called “To Err is Human: Building a Safer Health System” that revealed as many as 98,000 people a year die from preventable medical errors. Rather than laying blame for this “epidemic,” the IOM called for leaders in the healthcare industry to develop solutions that would automate complicated processes and provide medical professionals with checks and balances. 

It was this rallying cry that has led to the emerging field of healthcare informatics, according to Dan Feinberg, director of Northeastern University’s Healthcare Informatics Graduate Program in Boston. “Most processes in the healthcare system are just too much for humans. Some have 20 to 30 steps and if you miss one, someone dies. We need to remake the system and use technology to automate the things that humans just aren’t that good at,” he says.

To that end, Northeastern has developed a targeted graduate program that does cross-training for clinicians and IT professionals. Students from diverse backgrounds, such as pharmaceutical, nursing, insurance, cardiology and IT, come together to learn how to manage complex healthcare informatics projects from planning to deployment.  They study the design and analysis of systems, get introduced to emerging technologies in the marketplace, and dig into the legal and social issues surrounding healthcare informatics, such as patient privacy.

Feinberg says students conclude their program with a Capstone Project that puts their knowledge to work solving real-world problems. The goal is to matriculate professionals that can go back to their workplaces and lead the process change, selection, installment, and ongoing management involved in systems such as electronic medical records or computerized physician order entry.

Having these leaders available is going to be critical as the organizations look to attract and spend the more than $19 billion allotted for healthcare IT within the American Recovery and Reinvestment Act of 2009. “A lot of hospitals and private medical companies are hiring healthcare informatics specialists in anticipation of stimulus money,” he says.

And the list of higher education institutions offering degrees in healthcare informatics is growing. For instance, the University of Wisconsin-Milwaukee, Northwestern University, the University of Central Florida and the University of Illinois at Chicago all have graduate programs.

What do you think? Will this cross-pollination of clinicians and IT make for a better overall healthcare system? Have you seen healthcare informatics specialists start to crop up in your organization? Let us know.

Healthcare compliance as easy as I-S-P

By TerryAnn Fitzgerald

Recently, we had the great fortune to speak with Caritas Christi Health Care System CIO Dr. Todd Rothenhaus and his team about the challenges they are facing with security and compliance among their New England branches.

As you can imagine, there were many different topics we touched upon, but the one that we found most interesting was the multi-state organization’s efforts to centralize and consolidate technology among its physician and hospital network. Dr. Rothenhaus was very clear that compliance and security demands could not be easily met if the healthcare system remained ad-hoc and decentralized.

To that end, his IT team is establishing itself as the ISP for doctors’ offices and other components of the healthcare system. The benefits of this move are endless, according to Dr. Rothenhaus. First and foremost, it will allow Caritas to standardize not only back-end equipment within the data center, but also desktop and enterprise application environments among users. In fact, his IT team is planning to utilize virtual desktops to further ease administration and upkeep of servers, PCs and mobile devices.

With virtual desktops, the IT team will be able to deploy, upgrade and manage enterprise applications, and ensure that the environment they are running in is highly secure. Also, rather than having to dispatch an IT member to go on-site to diagnose and repair application and infrastructure problems, IT can remotely assess and mitigate any situation that arises. This will enable the Caritas team to use its staff more strategically.

In addition, by centralizing application and infrastructure oversight, the Caritas team can put in place rock-solid usage policies that reflect the increased demands of HIPAA and a host of other privacy regulations. They can better manage authentication and authorization of all applications that deal with sensitive patient and employee data. And they can create audit trails and generate reports that show they are compliant with government and healthcare industry mandates.

While acting as ISP will be a significant undertaking for the Caritas team, it’s certainly one that Dr. Rothenhaus is thrilled to dive into. He believes it will pave the way for the organization to safely, cost effectively and efficiently deploy electronic medical records (EMR). He is also confident that it will ease the burden of future regulatory compliance as well as mergers and acquisitions.

What do you think? Are you a fan of the IT-as-ISP model, or do you think it puts too much strain on the IT organization? What other approaches are you seeing to address application support, compliance and resource demands being placed on IT? Let us know.

The Looming H1N1 Pandemic

By TerryAnn Fitzgerald

Many healthcare organizations are already running with very lean IT staffs. So are you prepared to lose up to 50% of your team for two weeks? What about a month?

If predictions hold true about the extent and severity of H1N1, this may be the reality that your healthcare organization will face in the next few months.

Researchers from the Harvard School of Public Health recently posed this question in a national survey of businesses.

They reported “that one-third of businesses believe they could sustain business without severe operational problems if half their workforce were absent for two weeks due to H1N1.” And I was surprised to read that one-fifth felt they could sustain their companies even if they lost half of their employees for up to a month.

It’s clear that the most effective response to H1N1 is to develop policies that allow sick workers to stay home. But healthcare is on the receiving end of this pandemic and does not have this luxury as “hospitals and doctors’ offices will be overwhelmed with H1N1 patients this flu season.”

In the article, “They’ve Asked Me to Write an H1N1 Flu Plan, Now What?” Ashley Pearson says that many healthcare organizations are asking some of their employees to take on the title of   “emergency planner,” “emergency director” or “disaster coordinator.” If you’re one of those folks you’ll want to check out the article. Pearson outlines three types of plans and ten H1N1 planning elements—it’s great food for thought if you’re just beginning the process.

Elsewhere, The British Journal of Healthcare Computing and Information Management features an article by Dr. Jean Challiner on how technology can help healthcare organizations prepare their constituents in advance for pandemics and other emergency situations.  Technology can provide multi-channel access direct to people’s homes, offer advice to mitigate risk, link consumers to healthcare professionals, and collect and analyze data for forward-looking responses.

How is your healthcare organization preparing for H1N1?

The Elixir for Healthcare Network Management – Part II

By TerryAnn Fitzgerald

We’re continuing our discussion with Les Stuart, product line manager for the H3C Intelligent Management Center platform about healthcare network management challenges and opportunities.  If you missed Part I, click here to catch up on that discussion.

TF: What are the benefits that centralized network management can enable?

LS: There are so many. But mainly, bringing everything under one umbrella gives you an amazing amount of control and helps you deliver quality of service for all local and remote voice, video and data applications. Business-appropriate thresholds can be set to alert you to network problems before users are impacted. And comprehensive metrics can be used for forecasting, modeling and capacity planning. All these things help save time and money and prepare you to tackle new projects in a strategic manner.

For example, the Intelligent Management Center (IMC) tool manages from a single console wired and wireless voice, video and data networks as a unified set of resources. Other tools either require a separate infrastructure or at least a separate management package. Right there, you’re losing productivity and visibility—you have to shuffle between products or take time to learn how to use a complicated piece of software. Productivity and efficiency are quantifiable metrics so you want a solution that can improve both and enable your staff to do more with fewer resources.

IMC  software features web-based service components that allow you to manage a range of heterogeneous network elements, including network access control, voice over IP traffic analysis, service-level agreements, and MPLS and VPN provisioning.

Many customers, in fact, have told me that they can use more than 80% of the features without needing a manual. This ease of use speeds implementation and lowers personnel overhead.

TF: How has centralized management improved healthcare IT environments?

LS: A good example is one hospital that wanted to deploy a new MRI application. However, its staff was worried that it would destabilize other mission-critical services and applications. With IMC  software, there’s now complete visibility and metrics to model the application’s impact on the overall infrastructure.

Therefore, staff can decide whether to provision more resources or reconfigure other parts of the network to ensure that end users aren’t negatively impacted by the new application.

TF: In your view, what are the keys to the successful deployment of centralized network management?

LS: I believe there are six steps a healthcare organization should take to ensure a successful deployment.

1. Evaluate the environment. An understanding of the environment to be managed and what technologies will be involved—including wired and wireless voice, video and data—is critical. Carefully consider current inventory of resources and what will need to be augmented or replaced. Also, examine the expertise of staff so that the addition of people or training can be included in the deployment plan.

2. Define project requirements. Before committing to any product, work with the vendor to understand exactly what the network management deployment will entail. Will it be necessary to upgrade drivers, operating systems, hardware and other infrastructure beforehand? How much staff will be required for the initial testing and rollout?

3. Phase-in the implementation. Ease into the rollout—don’t try to manage everything all at once. Get used to the tools and have time to set appropriate policies as well as thresholds for alerts.

4. Baseline the environment. Once the network management tool is in place, it’s critical to mark configuration and infrastructure performance baselines. If normal operating conditions can be identified, then management tools can be used to spot deviations. Baselines also provide benchmarks should issues arise that make it necessary to restore a network configuration.

5. Plan reporting. One of the most important benefits of centralized network management is the timely availability of relevant information. For instance, if subject to Sarbanes-Oxley regulations, set controls for the act’s requirements. If necessary, the tools can also be used to generate reports on user activities.

6. Don’t just set and forget. Revisit the network management tools to make sure they are at optimal settings. Use the reports and baselines to adjust the environment to gain the full advantage of the automation and oversight these tools provide.

Have you implemented a centralized network management at you healthcare organization?  Do you have any other suggestions for successful deployment or pitfalls to avoid?

The Elixir for Healthcare Network Management – Part I

By TerryAnn Fitzgerald

IT teams at healthcare organizations are no strangers to doing more with less – it’s an everyday reality.  Yet with the current economic conditions, CxOs and IT departments are expected to support revenue generating ideas in the form of new resource-intensive applications and processes with fewer staff and tighter budgets.    At the same time, healthcare “ecosystems” are often a hodgepodge of wired and wireless voice, video and data technologies that are not only built as silos, but managed that way, as well.

I recently had an opportunity to sit down with Les Stuart, product line manager for the H3C Intelligent Management Center to understand more about these challenges and how centralized network management is the ideal elixir.  In the next few postings, I’ll highlight some of our discussion and share the six steps that Les recommends to successful centralized network management.

TF: What are the main challenges that healthcare CxOs and their IT teams will face during the coming year?

LS: The biggest challenge—and it’s an ongoing one—is how to do more with less. While there will be exponentially more projects and users for IT to support, staffing and budgets will not increase exponentially to accommodate these demands. For instance, some healthcare IT teams have to merge remote, satellite and day facilities under their larger corporate umbrellas. This means consolidating infrastructure, applications and users.

In addition, this year many healthcare institutions will begin digitizing medical records. IDC predicts that organizations that go this route could see 30% savings. Yet there are many considerations, including how to handle security and patient privacy requirements.

Lastly, CxOs and their IT teams are dealing with the proliferation of wireless and other devices in their networks as well as the constant push to extend healthcare networks and make them more open and available to patients, as well as medical and administrative staff. All of these realities pose significant integration and management challenges for IT.

TF: What are the specific integration and management challenges that you’re seeing as a result of these changes?

LS: Managing basic infrastructure and integration is hard enough, and then you add in privacy and security requirements that increase the network management burden. Over the past five years, we’ve seen the adoption of best-of-breed solutions, which can also add to the complexity of network management. For instance, a healthcare institution in the northwest made a six-figure investment in server and desktop hardware and software, but it was in jeopardy of not realizing the ROI because the application—and what it would take to manage the environment—was just too complex. The organization didn’t have the resources to deal 24/7 with that one application.

The other thing that’s happened is that end users are asking for more bells and whistles on their applications, but that kind of flexibility results in a drain on IT resources.  And with the proliferation of privacy and compliance requirements, network complexity has eclipsed the capabilities of most legacy management network tools.

TF: So what have IT teams done to address this?

LS: Some have tried to accommodate ad-hoc networks by buying an overarching management platform, but that makes it very difficult to apply critical policies consistently across the enterprise and to create a compliance audit trail. Other IT teams don’t have the in-depth, in-house knowledge to manage some of these more management-intensive technologies such as voice over IP (VoIP). And there are so many applications fighting for bandwidth or priority in the network that if handled incorrectly, things start to break down.

As an example: digital X-ray transport can require a huge amount of bandwidth. If you haven’t accounted for that likelihood, then when that data starts moving around the network, other things start to break.

One hospital found integrating multiple business units’ voice, video and data traffic to be so complex that within six months, it decided to just keep the business units’ systems running autonomously. That frustration prevented the institution from realizing all the financial and business benefits of centralized, proactive network management.

Join us next week when Les and I will discuss the six steps for successful centralized network management.

Stimulating Conversation

By TerryAnn Fitzgerald

In early September, the U.S. hit the 200-day mark since the passage of the $787 billion American Recovery and Reinvestment Act and there is still confusion over how to distribute the more than $19 billion tagged for health care IT and the transition to electronic medical records (EMR).

A quick scan of ProPublica’s detailed list of stimulus spending shows that money could be channeled through such areas as information technology for health centers; the Office of the National Coordinator for Health Information Technology as well as its regional and subnational efforts; the Department of Commerce’s health care information enterprise integration activities with the National Coordinator for Health Information Technology; and the Department of Health and Human Services’ computer and information technology security.

The act calls for health care systems to receive incentive payments if they can demonstrate “meaningful use” of EMR. However, it’s clear that $19 billion is not enough to support a complete overhaul of every health care organization in the U.S. – it’s only a jumping-off point.

That means organizations like yours have to figure out the level of involvement you’re going to have regarding EMR. If you plan to be an early adopter in this initial phase of government spending, will you try to attract stimulus dollars on your own or will you join together with other health care organizations or associations to do collaborative work that might stretch whatever money you bring in?

While collaboration may seem the best route so you can pool resources and create group standards, remember that you’ll still need money for the actual EMR implementation. That is, whatever framework, applications and databases your collaborative develops to support EMR will require an expanded infrastructure within your own enterprise.

Therefore, you must secure within your own organization a budget commitment to supplement whatever is not covered by the stimulus dollars. Most likely you will need to increase your security, network management, storage, server and bandwidth to accommodate EMR as these areas will probably not be fully covered by government dollars. To find this out halfway through your EMR planning or deployment would jeopardize your entire project.

It’s a topic that came up at the April Healthcare Information and Management Systems Society (HIMSS) conference in April, according to ChannelWeb’s Chad Berndston. In fact, Berndston quotes one CIO as saying that if it came down to budgeting for a bone saw or a redundant server, the bone saw would win.

So as you’re thinking about budget, also think of how you can gain efficiencies, such as centralized policies and unified network management, to free up infrastructure, monetary and personnel resources to contribute to the EMR rollout.

Have you already started down this road? Have you considered the commitment that will be required by your organization beyond stimulus dollars and how have your senior managers received that reality? Are they still onboard or has that delayed your plans? Let us know.

Privacy vs. Convenience

By TerryAnn Fitzgerald

I just finished reading a research report titled “The Internet is for Healthcare” published in March 2009.  In this report, Datamonitor cites the growing cost of healthcare and the increase in patient and physician frustration with challenges such as wait times and administrative tasks as the impetus for change.  Datamonitor contends that “with the help of the Internet, healthcare assumptions will be flipped on their head.”

In the executive summary, Datamonitor writes:

“Datamonitor believes that, with the help of internet-based technologies, healthcare will be dramatically transformed in the next five to seven years…In the future, patient-centric and consumer driven will refer to the fact that instead of patients going to the doctor for care, providers that patients pick will be meeting patients when and where it is convenient for patients, whether that is in the office, through online video conferencing or email. Self-service will mark another seismic shift in the healthcare market. Rather than every single healthcare decision and response going through the provider, patients will be taking health matters into their own hands. From booking appointments online without going through the doctor’s receptionist to filling out medical forms without going into the office, choosing a specialist rather than being referred by a primary care physician (PCP) to paying for healthcare online, and even diagnosing and treating themselves for simple conditions, providers will no longer be the sole gatekeeper.”

Because I am a convenience freak, I love the idea of being able to choose when and where I receive my treatment.  I always opt for the Internet vs. calling on the phone when I need to place an order and online shopping has saved me countless hours of time and frustration.  My son’s bank account is linked to my own so that I can quickly transfer money when he, a college student, inevitably runs short at the end of each month.  And my DVR is my prized possession.  It has opened up a whole new world of television that my schedule prohibited me from viewing in the past.

But as I continued to read the report, I grew increasingly uncomfortable. I work in high tech and cover the healthcare market, so I know the risks.  I am all too aware of the headlines touting the latest breach and the increase in attacks and hackers targeting healthcare organizations.   So while I heartily agree with the idea that we need to change the way we do things and use technology to drive process improvements and wring out costs, I am also surprised by my own discomfort when my life, my information and my privacy are on the line.

Datamonitor’s research does acknowledge that “in order to move forward, healthcare must accomplish mission impossible: cultural change.” The research goes on to state that the cultural change must come from the medical establishment, healthcare IT vendors and patients who worry about privacy at the expense of their health.

And they’re right.  I remember my parents’ reaction to the first bank ATM. It seems almost comical now.  They refused to use it, instead insisting that they physically hand their check to the teller.  But in time they came to trust the technology and became avid users.

I believe as healthcare consumers, we will adjust as well.  What about you?  As an IT professional in healthcare, do you believe we are at a stage where you would use the convenience of the Internet to care for your family’s health?  If not, what do you think needs to happen to get us there?

Datamonitor’s research also speaks to the way we need to think as IT vendors, particularly in the area of security.  Widespread adoption of healthcare technology is dependent upon the level of confidence everyone – doctors, patients, healthcare IT professionals – has in our ability to think differently, innovate and deliver solutions that enable a new approach to providing a secure healthcare environment.  Recently, Gary Kinghorn, security product marketing manager, wrote a blog titled “Secure Network Fabric” on our approach to security. The goal is to help customers achieve the level of security that will be required to address sophisticated threats and implement complex policies without compromising network performance and exorbitant administrative overhead.  Check it out if you have a minute and let us know what you think.

Fines, Fines, Fines

By TerryAnn Fitzgerald

If you thought that U.S. government and industry regulations have been too vague and unenforceable thus far, get ready for the current round, which seem highly prescriptive and backed by fines and other penalties.

The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 was included in the stimulus package and has put some teeth into the Health Insurance Portability and Accountability Act (HIPAA) of 1996. Now, if health care organizations don’t take the outlined measures to protect patient privacy they will be subject to monetary fines as well as public disclosure.

In addition, the Payment Card Industry’s Data Security Standard, which applies to organizations that accept electronic payments, calls for increased protection of sensitive customer data through security infrastructure, access control and policies.

Finally, individual states have enacted or are in the process of drafting laws that address corporate responsibility regarding customer privacy.

The upshot, if you haven’t reviewed your security plan to address all these mandates, it’s time. In fact, 3Com recently participated in a Webinar titled “Healthcare Data Security Update: Latest Changes and What Technologies You Need to Comply,” hosted by Healthcare Informatics.

In this Webinar, Reece Hirsch, partner at the law firm Morgan, Lewis and Bockius LLP in San Francisco, explains in detail the onus that health care IT bears in ensuring that their organizations are compliant. There are also great tips on how to meet those requirements using technology – rather than manually having to aggregate and search through miscellaneous logs.

To brush up on the PCI DSS standard, check out the PCI Security Standards Council Web site.  There you’ll find a clear discussion of the intent of the standard, the requirements and auditing guidelines.

You’ll find useful information about state privacy laws, including links to government Web sites at the National Conference of State Legislature’s site.  This is a comprehensive listing of updated statutes, what they cover and the repercussions for noncompliance.

While it may seem overwhelming to keep up to date on all of this, not doing so would be detrimental to your organization. And the good news is that once you familiarize yourself with the standards, you’ll find commonalities among their requirements, such as installing firewalls and anti-virus or ensuring access control, that will help you comply with future standards as well.

So let us know: Are you worried about the severity of new federal, state and industry mandates? Do you feel that they put an undue burden on IT? Or do you think that it’s about time that failing to protect a patient’s privacy results in monetary and reputational penalties?