Archive for the ‘HIPAA’ Category

By Robert Dutt

For resellers and other IT solution providers supporting healthcare clients, VPN is as ubiquitous a tool as the stethoscope their customers use every day.

“We will not support a client without a VPN. Period,” says Moshe Birnbaum, director of operations at EZ MSP, a Yonkers, NY-based solution provider.

Fellow solution provider Stemp Systems Group, out of Long Island City, NY, considers the technology an equally important component of its healthcare business. President and founder Morris Stemp says the company currently maintains some 750 VPN-based connections to its clients.

So, why are VPNs so critical for healthcare solution providers? For one, VPNs are a significant part of the infrastructure these providers deploy and maintain for their customers. And VPNs are the platform on which to build new applications and solve deep-seated customer problems.

“Part of the Infrastructure”

Both EZ MSP and Stemp offer managed IT services for healthcare clients  — from doctors’ offices to hospitals. This means, in some cases, the solution providers act as a completely outsourced IT department — especially for many smaller clients. To successfully do this, solution providers need a VPN to quickly access technology on clients’ networks and to make sure everything is running as smoothly as possible.

“We look at [VPN] as part of the infrastructure,” Birnbaum says. “It’s also a service opportunity that’s covered under the company’s support contract with their customers.”

Stemp says that with just an IP address, his company can connect to any of its clients in seconds. To maximize uptime for customers’ mission-critical systems, the company rolls out dual redundant firewalls and Internet connections with clients.

“They simply must always be active in order for us to provide our service to our customers,” he adds.

Also, because the healthcare industry is so highly regulated, VPNs are an apt tool for connecting to medical facilities. In fact, security requirements force most medical offices to have firewalls in place to protect electronic medical records, Stemp says.

“HIPAA requires [medical organizations] have [firewall] technology available, and we take advantage of that functionality,” he says.

And from a managed service provider’s point of view, VPNs offer an elegant and efficient way to have instant access anywhere into a customer’s infrastructure, even amid the myriad devices on diverse networks spread out around a region or even the world.

“It means we’re supporting a centralized appliance as opposed to individually configuring every computer on the network for remote access,” Birnbaum points out.

“It’s Very Different than the Way Most People Use VPNs”

But infrastructure – the plumbing aspect of a technology solution – only goes so far for a reseller. To truly show their customers value and help move them into new levels of efficiency and productivity, solution providers have to continually offer innovation and new functionality.

Although it may seem like a simple and obvious way to use a VPN, Stemp says the biggest game-changer for many of his clients is actually being able to securely connect to data on the customer network away from the office.

“It totally changed the lives of our doctors, who no longer had to rush to the office to check records when a patient calls up outside of business hours,” Stemp says.

Remote access also significantly changed Stemp’s own customer support models. Before remote access, much of the company’s support requirements were during business hours, from an office. But with easy and ubiquitous access anywhere or anytime, Stemp says he has to provide more responsive service for multiple locations at any time, 24/7.

“It magnified our support requirements,” Stemp says. “When [clients] can’t connect, we now have to diagnose that. And that includes on weekends and nights when we were effectively closed.”

Tablet computing is emerging as the next frontier for remote access to electronic medical records. Although Stemp initially struggled with a functional and reliable VPN connection to the Apple iPad, he says, the company has crossed that hurdle and now has doctors using tablets both in the office and securely from just about anywhere.

The biggest challenge remains the lack of electronic medical records applications designed for the touch interface of the iPad or Android-based tablets.

“We need iPad apps from the EMR companies,” he says. “Right now, you’re essentially just doing terminal services to your desktop, and navigating information that’s designed for a 19-inch screen on your nine-inch tablet screen.”

For EZ MSP, VPNs that meet a very specific customer need open new revenue streams. For instance, in order for medics to be reimbursed for keeping an eye on some key vital sign measurement systems during surgery, those eyes must belong to an MD. But keeping a doctor on-hand for every surgery in every surgical suite is impractical and inefficient. However, since the eyes on the monitor don’t have to be in the surgical suite, EZ MSP sometimes uses a VPN to connect from the surgical suite to a doctor’s office. This way, a remote doctor can monitor the systems in real-time over the network – making this a much more efficient and scalable model.

“It’s still extending the network, but it’s very different than the way most people use VPNs,” Birnbaum adds.

The Cloud Effect

Cloud computing is a megatrend that’s reshaping almost every aspect of the technology industry today, but providers have different perspectives on how their clients are thinking about the cloud.

EZ MSP’s Birnbaum says because critical line-of-business applications are still not offered in hosted or Software-as-a-Service models, the cloud isn’t “much of a factor” for many customers. But that’s not to say that EZ MSP is steering clear of the trend entirely.

“We are pushing people towards going to hosted [Microsoft] Exchange,” Birnbaum points out.

At Stemp, they’re hosting as many as 40 virtual servers for some of their larger clients in Stemp’s own data center, building a private cloud environment, and other clients are re-architecting their own server room or data center for a more flexible, elastic, cloud-like structure.

In both cases, Stemp says, VPN connections remain a key enabling tool.

“It just makes it much easier to get to those hosted services,” he says.

This week, we feature the final post in our series with Shahid Shah, an enterprise software analyst who specializes in healthcare IT with an emphasis on e-health, EMRs, data integration, and legacy modernization. He is also founder of the popular Healthcare IT Guy blog.

VPN Haus: When we last spoke, you said mobile phones will be just a small area of mobile health. What else can we expect?

Shahid Shah: There are going to be sensors as you walk into hospitals that will be placed on you, the way band aids were placed on you. Those sensors are going to collect information and that information is going to have to be shared somehow. So this data will have to be treated in a HIPAA compliant way.  So if you’re interested in healthcare IT in general, you typically hear about medical records, but really the big growth area is with the sensors, body area networks, wireless within hospitals and the ability to tie in the patient’s home to make the patient’s home a tie-in to the doctor’s office or hospital.

VPN Haus: How would this data be protected?

Shah: I would like to see smart information architectures, like patient data management, that keep the patient’s clinical data fully segregated from the patient’s ID data. So if you’re looking at a patient’s demographics, that might sit in one database separately from clinical or HIPAA protected information. So if somebody stole all the clinical data, it wouldn’t mean anything because they can’t identify the data.

VPN Haus: Thank you, Shahid.
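The segregation Shah describes can be sketched as follows. This is an added example, not code from the interview or from any system it mentions; the table layout, function names and patient values are assumptions constructed for illustration. It also checks the condition the design depends on: identifiers must not reappear inside clinical free text.

```python
import secrets
import sqlite3

def open_stores():
    """Two separate in-memory databases stand in for separately hosted stores."""
    identity, clinical = sqlite3.connect(":memory:"), sqlite3.connect(":memory:")
    identity.execute("CREATE TABLE patient (link_token TEXT PRIMARY KEY,"
                     " name TEXT, dob TEXT, address TEXT)")
    clinical.execute("CREATE TABLE observation (link_token TEXT, kind TEXT, value TEXT)")
    return identity, clinical

def admit(identity, clinical, demographics, observations):
    """Store one patient; the only join key is a random token with no meaning."""
    token = secrets.token_hex(16)  # not derived from name, DOB or any record number
    identity.execute("INSERT INTO patient VALUES (?, ?, ?, ?)",
                     (token, demographics["name"], demographics["dob"],
                      demographics["address"]))
    clinical.executemany("INSERT INTO observation VALUES (?, ?, ?)",
                         [(token, kind, value) for kind, value in observations])
    return token

def clinical_dump(clinical):
    """Everything someone holding only the clinical store would obtain."""
    return clinical.execute(
        "SELECT link_token, kind, value FROM observation").fetchall()

def chart_for(identity, clinical, name):
    """Authorized path: re-joining a chart to a person needs both stores."""
    row = identity.execute(
        "SELECT link_token FROM patient WHERE name = ?", (name,)).fetchone()
    if row is None:
        return []
    return clinical.execute(
        "SELECT kind, value FROM observation WHERE link_token = ? ORDER BY kind",
        row).fetchall()

def identity_leaks(identity, clinical):
    """Clinical rows whose free text repeats a value from the identity store.

    Segregation only holds if identifiers stay out of clinical fields.
    """
    known = [v.lower() for row in
             identity.execute("SELECT name, dob, address FROM patient") for v in row]
    return [(token, kind) for token, kind, value in clinical_dump(clinical)
            if any(k in value.lower() for k in known)]
```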


As the Mobile Health Expo 2010 gets underway next month, we’ll feature experts on the topic of mobile health. This week, VPN Haus interviews Dr. Ruchi Dass, mHealth champion and council member for the Gerson Lehrman Group, in a three-part series on mobile health. Dass has been involved in specific healthcare IT, e-learning and ICT projects for the public/private sector in India.

VPN Haus: What are the major trends you’re noticing in healthcare mobility?

Dr. Ruchi Dass: In a country like India where the doctor to patient ratio is 1:900, doctors are few and work is 24/7. Patients demand low costs, and timely and quality healthcare coverage. For healthcare enterprises, patient data is critical to collect and manage. Hence [mobile] health is primarily aimed at bridging the economic divide in terms of healthcare. Mobility is the key here: many healthcare enterprises which are spread over 10-20 establishments in India are now using VPNs as the enabling technology which allows doctors to use standard public Internet ISPs and high-speed lines to access closed private networks. A simple use case for this is to access virtual patient health records and there are other wireless technologies designed specifically for use in the provision of healthcare, like:

  • Standard mobile enterprise services used by health-care workers, such as remote access to e-mail and health-information systems;
  • Mobile applications to meet a specific need of medical workers, such as mobile prescriptions and remote diagnoses;
  • Applications that play a direct role in the provision of care, such as mobile data collection and wireless transmission of health data; and
  • Consumer-targeted applications to encourage health and help prevent illness.

VPN Haus: What are the security concerns around these trends?

Dass:  Security of patient data is important. Even if you comply with HIPAA, it doesn’t have that depth and breadth of protection, which is required as health care is comprised of exceedingly complex information environments that demand comprehensive patient data security approaches especially when the data is shared across networks. For a simple use case of accessing a patient’s Virtual Electronic Patient Records with a wireless device, there are 3 main security issues to address:

1. To authenticate & authorize from the wireless to the wired network
2. Secure data share in transit
3. Integrity & good resolution in the information that is requested and visualized by the users/doctors.

Stay tuned, next week we’ll continue our conversation with Dass, discussing the most overrated and underrated mobile health security risks.

Oct 7 – Oct 14

VPN Haus recently talked to Marshall Maglothin, a Washington, DC-based consultant specializing in healthcare virtual management. Maglothin gives us his perspective on keeping patient information safe without hindering speedy access to urgent data.

VPN Haus: What are the basics for provisioning employees at healthcare organizations?

Maglothin: All systems should have all users using unique passwords. Thus, the system has an electronic audit trail to record which employees accessed which records, with statistical outlier reporting.

VPN Haus: How do you ensure that the records are not so tightly controlled that it delays specialists asked to consult on the case or ICU personnel from urgently accessing the records?

Maglothin: All stations should have a time-out feature, and work stations in areas such as ICU and CCU are considered more secure/personnel constantly present, so the station’s time out may be longer. Once a station is logged-on, switching users by password should be real-time.

The greater issue is all the bedside workstations/wireless devices. If it takes more than 15-30 seconds to log-on (some take 90 seconds), then if a physician logs-on to 30 patients a day, that’s 45 minutes of lost PHYSICIAN productivity – no patient care and no reimbursement. Doesn’t sound like much. But calculate 40 hours per week for 250 days per year, this equals 188 hours or more than 4.5 work weeks lost to nothing but logging in!

VPN Haus: Staggering. So, if the consultant couldn’t access the records, it would be an example of a poor sensitivity error. What other errors should healthcare organizations be mindful of?

Maglothin: There’s the error of excessive credulity. An example would be a unit clerk on a certain building having a password that would allow her access to, say, outpatient records or mental health unit records, for which she would have no reason to have access.

There’s also the error of excessive skepticism. An example would be, a cardiologist might not be cleared to access mental health records, but one of the patients has just had a cardiac code and the cardiologist is called in for a STAT consult.

Marshall Maglothin is owner of Blue Oak Consulting, based in Washington DC.
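The audit trail with statistical outlier reporting that Maglothin describes can be sketched as below. This is an added example, not code from the interview or from any product; the log line format, user names and the 3.5 threshold on a modified z-score are assumptions, and the sample log is constructed. Users are compared only with peers in the same role, so a physician opening 30 charts a day is not measured against unit clerks.

```python
import re
from collections import defaultdict
from statistics import median

# Assumed line format: "<timestamp> user=<id> role=<role> record=<id>"
LINE = re.compile(r"^\S+ user=(?P<user>\S+) role=(?P<role>\S+) record=(?P<record>\S+)$")

def charts_per_user(lines):
    """Map user -> (role, number of distinct records opened)."""
    records, roles = defaultdict(set), {}
    for line in lines:
        m = LINE.match(line.strip())
        if m is None:
            continue  # unparseable lines are skipped, not guessed at
        records[m["user"]].add(m["record"])
        roles[m["user"]] = m["role"]
    return {user: (roles[user], len(recs)) for user, recs in records.items()}

def outliers(lines, threshold=3.5, min_peers=3):
    """Users who opened far more distinct charts than peers in the same role."""
    by_role = defaultdict(dict)
    for user, (role, count) in charts_per_user(lines).items():
        by_role[role][user] = count
    flagged = []
    for role, counts in by_role.items():
        values = list(counts.values())
        if len(values) < min_peers:
            continue  # too few peers for a meaningful baseline
        med = median(values)
        mad = median(abs(v - med) for v in values)
        # Modified z-score; fall back to mean absolute deviation when MAD is 0.
        scale = 1.4826 * mad or 1.2533 * sum(abs(v - med) for v in values) / len(values)
        if scale == 0:
            continue  # every peer opened the same number of charts
        flagged += [(user, role, n) for user, n in counts.items()
                    if (n - med) / scale > threshold]
    return sorted(flagged)

def sample_log():
    """Constructed audit trail: clerk_d opens 40 charts, other clerks 4 to 6."""
    spec = [("clerk_a", "unit_clerk", 4), ("clerk_b", "unit_clerk", 5),
            ("clerk_c", "unit_clerk", 6), ("clerk_d", "unit_clerk", 40),
            ("dr_x", "physician", 30), ("dr_y", "physician", 28),
            ("dr_z", "physician", 33)]
    return [f"2010-10-07T09:{i:02d}:00 user={user} role={role} record=MRN{1000 + i}"
            for user, role, n in spec for i in range(n)]
```

A flagged user is a prompt for review of the underlying accesses, since the count alone does not say whether they were justified.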


In last week’s highlights, we included a post from Branden Williams’ Security Convergence Blog on EMRs. We thought this week’s post would be a good opportunity to elaborate on Branden’s and our own from earlier in the year, How can businesses ensure HIPAA compliance?

The push is on for adoption and if healthcare providers don’t adapt, they face some potentially sharp teeth. We read that, “Failure to implement EMR by 2014 may result in increased malpractice premiums and increased exposure to malpractice claims, as well as a reduction in Medicare reimbursement, beginning in 2015”. Ouch!

So what’s the tie to VPNs? We see a significant portion of the EMR communications being wireless. Don’t believe us? Next time you’re in a hospital, take note of all the handheld devices the staff is marching around with. How about hospice workers who update records via PDAs? How about in-facility WLAN and WiFi networks? Doctors use laptops from room to room and hotspots are popping up in cafeterias, waiting rooms, etc. all over the country. The list goes on and as it grows so does the threat to information traveling wirelessly.

EMRs are a great benefit to the healthcare industry and have the potential to improve patient care definitively. With solid VPNs in place, HIPAA can be satisfied while preserving the great benefits wireless communications have on worker productivity. The right VPN tech is important too: it should avoid vendor lock-in, fit facility policy without forcing policy changes, and be easy enough for users that they don’t even notice it’s running (otherwise, they’ll find a way around it!).