Posts Tagged ‘healthcare IT’

Today, we finish our conversation with Dr. Ruchi Dass on mobile health trends. We left off last week talking about the security issues surrounding mHealth. Below, Dr. Dass tells us more about mitigating security risks and what still needs to happen for mHealth to be fully optimized.

Dr. Ruchi Dass: To mitigate the risks authentication systems raise, it is essential that they be designed to offer individuals control over their personal information by supporting traditional principles of fair information practices.

While these principles have long formed the basis of federal and state law, industry rules of best practice, and international agreements related to information privacy protection, their application to authentication systems must be carefully considered and articulated so as to take into account the complex and unique questions raised by the technology. In fact, because fair information practices are often ignored in the current use of authentication, the move to new authentication systems offers implementers the ability to offer stronger privacy protections if privacy issues are addressed in the design of the technology.

On the technology front, these risks may be mitigated through deployment of diverse authentication products, by decentralizing their design and limiting the amount of personal information collected. It discusses the importance of applying fair information practices to the management of authentication data. Also, computer and mobile solutions should be designed and implemented using an enterprise-wide architectural methodology. An architectural methodology helps IT by providing a framework to consider all of the major issues, highlight the interdependencies and facilitate decision making between conflicting tradeoffs.

VPN Haus: What are the major barriers that need to be overcome before mHealth can be fully optimized and deployed on a wider scale?

Dr. Dass: When we think to e-connect patients with their providers, share their medical and other data and provide care i.e. anytime, anywhere; we get surrounded with questions of adoption, value, privacy & security, interoperability and standardisation. A lot of challenges remain because on one side, health care professionals are trying to make the world more healthful and connected through the use of technology, challenges are often a result of illogical or short-sighted business choices, not the technology challenges themselves.

When our approach will be sufficiently future focussed, interoperability and security implementations wouldn’t be cost consuming anymore. Cost to access vital data will drop, HIE will be easy, security concerns will be a few and we would be able to leverage technology more to solve some of the daily problems related to health systems, operations and delivery.

Ruchi Dass is CEO of HealthCursor Consulting based in India. 

Healthcare IT News recently asked its readers about the healthcare data breaches that worry them the most. Not surprisingly, the vast majority (80 percent) of respondents said electronic data breach/hack, while only 13% worried about hardware theft, followed by 7% concerned about the theft or loss of paper records. This trend is warranted. For instance, a recent article in the Fort Worth Star-Telegram highlighted the growing trend of doctors using smartphones and tablets to access medical data. According to the story, hospitals in North America spent $7.4 billion on electronic records in 2010 – and the 2009 stimulus act has earmarked $50 billion to help government and private healthcare providers offer EHRs over the next five years.

So what does this look like? Here’s an anecdote from the piece:

If a patient of Arlington physician Ignacio Nuñez shows up at the emergency room when the doctor is not at the hospital, he doesn’t have to wait long to start investigating what might be wrong.

The obstetrician/gynecologist can call up an expectant mother’s medical records on his iPhone, or even watch the fetus’s heartbeat on the device once the woman is connected to a hospital monitor, wherever he might be at the time.

According to AirStrip, the San Antonio software company that developed the app Nuñez uses, there is only a three- to five-second lag to get information to the physician’s mobile device. AirStrip also makes a version for cardiologists and has an upcoming version that will monitor other critical data in intensive care units and emergency rooms.

Groundbreaking, indeed. But what about from a security perspective? We’d like to hear from you if you work for a healthcare organization that is using mobile devices this way.

This week, we feature the final part of our conversation with Martin Rosner, director of standardization at Philips – North America. Rosner chairs Continua Health Alliance security and privacy discussions and contributes to relevant security initiatives within the healthcare industry. Continua Health Alliance is a non-profit, open industry organization of more than 230 healthcare and technology vendors focused on delivering interoperable health solutions.

VPN Haus: How can patients manage the sharing of their health data?
Martin Rosner: Sharing of health data can be realized only if there are means to prevent unauthorized access to the data and to protect it in accordance with security and privacy regulations. Furthermore, patient empowerment is an important aspect of preventative care—increasing the number of educated patients who have more control over their own healthcare increases the likelihood that conditions will be caught before they become more serious. Soon patients will have more fine-grained control over the dissemination of personally identifiable information as related to health status. Electronic consent that specifies and governs the use of patient health data will furthermore increase consistency, compliance and efficiency for both patients and healthcare providers in this process.

VPN Haus: What role does Continua play in this?
Rosner: Our architecture addresses several requirements enabling digital consent.  Patients should be able to define and manage their digital consent and privacy policies in a user-friendly manner, such as on an at-home device or online. Digital consent should propagate with patient data and systems of services and care providers should enforce this. Our 2011 guidelines will address the first two requirements, while work has begun to address the third requirement in the next release.

VPN Haus: Technically speaking, how does this consent management process work?
Rosner: Taking the enforcement piece aside, the 2011 specifications address consent management with the use of the HL7 CDA R2 Consent Directive standard. This recently approved draft standard for trial use defines a document format for digital consent and enables the expression of structured patient consent policies. An advantage is that it is based on CDA R2; therefore, well-defined protocols exist for the exchange of these documents, such as through the use of the IHE XD* family of profiles.

By Robert Dutt

For resellers and other IT solution providers supporting healthcare clients, VPN is as ubiquitous a tool as the stethoscope their customers use every day.

“We will not support a client without a VPN. Period,” says Moshe Birnbaum, director of operations at EZ MSP, a Yonkers, NY-based solution provider.

Fellow solution provider Stemp Systems Group, out of Long Island City, NY, considers the technology as an equally important component of its healthcare business. President and founder, Morris Stemp, says the company currently maintains some 750 VPN-based connections to its clients.

So, why are VPNs so critical for healthcare solution providers? For one, VPNs are a significant part of the infrastructure these providers deploy and maintain for their customers. And, VPNs are the platform on which to build new applications and solve deep-seated customer problems.

“Part of the Infrastructure”

Both EZ MSP and Stemp offer managed IT services for healthcare clients  — from doctors’ offices to hospitals. This means, in some cases, the solution providers act as a completely outsourced IT department — especially for many smaller clients. To successfully do this, solution providers need a VPN to quickly access technology on clients’ networks and to make sure everything is running as smoothly as possible.

“We look at [VPN] as part of the infrastructure,” Birnbaum says. “It’s also a service opportunity that’s covered under the company’s support contract with their customers.”

Stemp says that with just an IP address, his company can connect to any of its clients in seconds. To maximize uptime for customers’ mission-critical systems, the company rolls out dual redundant firewalls and Internet connections with clients.

“They simply must always be active in order for us to provide our service to our customers,” he adds.

Also, because the healthcare industry is so highly regulated, VPNs are an apt tool for connecting to medical facilities. In fact, security requirements force most medical offices to have firewalls in place to protect electronic medical records, Stemp says.

“HIPAA requires [medical organizations] have [firewall] technology available, and we take advantage of that functionality,” he says.

And from a managed service provider’s point of view, VPNs offer an elegant and efficient way to have instant access anywhere into a customer’s infrastructure, even amid the myriad devices on diverse networks spread out around a region or even the world.

“It means we’re supporting a centralized appliance as opposed to individually configuring every computer on the network for remote access,” Birnbaum points out.

“It’s Very Different than the Way Most People Use VPNs”

But infrastructure – the plumbing aspect of a technology solution – only goes so far for a reseller. To truly show their customers value and help move them into new levels of efficiency and productivity, solution providers have to continually offer innovation and new functionality.

Although it may seem like a simple and obvious way to use a VPN, Stemp says the biggest game-changer for many of his clients is actually being able to securely connect to data on the customer network away from the office.

“It totally changed the lives of our doctors, who no longer had to rush to the office to check records when a patient calls up outside of business hours,” Stemp says.

Remote access also significantly changed Stemp’s own customer support models. Before remote access, much of the company’s support requirements were during business hours, from an office. But with easy and ubiquitous access anywhere or anytime, Stemp says he has to provide more responsive service for multiple locations at any time, 24/7.

“It magnified our support requirements,” Stemp says. “When [clients] can’t connect, we now have to diagnose that. And that includes on weekends and nights when we were effectively closed.”

Tablet computing is emerging as the next frontier for remote access to electronic medical records. Although Stemp initially struggled with a functional and reliable VPN connection to the Apple iPad, he says, the company has crossed that hurdle and now has doctors using tablets both in the office and securely from just about anywhere.

The biggest challenge remains the lack of electronic medical records applications designed for the touch interface of the iPad or Android-based tablets.

“We need iPad apps from the EMR companies,” he says. “Right now, you’re essentially just doing terminal services to your desktop, and navigating information that’s designed for a 19-inch screen on your nine-inch tablet screen.”

For EZ MSP, VPNs that meet a very specific customer need open new revenue streams. For instance, in order for medics to be reimbursed for keeping an eye on some key vital sign measurement systems during surgery, those eyes must belong to an MD. But keeping a doctor on-hand for every surgery in every surgical suite is impractical and inefficient. However, since the eyes on the monitor don’t have to be in the surgical suite, EZ MSP sometimes uses a VPN to connect from the surgical suite to a doctor’s office. This way, a remote doctor can monitor the systems in real-time over the network – making this a much more efficient and scalable model.

“It’s still extending the network, but it’s very different than the way most people use VPNs,” Birnbaum adds.

The Cloud Effect

Cloud computing is a megatrend that’s reshaping almost every aspect of the technology industry today, but providers have different perspectives on how their clients are thinking about the cloud.

EZ MSP’s Birnbaum says because critical line-of-business applications are still not offered in hosted or Software-as-a-Service models, the cloud isn’t “much of a factor” for many customers. But that’s not to say that EZ MSP is steering clear of the trend entirely.

“We are pushing people towards going to hosted [Microsoft] Exchange,” Birnbaum points out.

At Stemp, they’re hosting as many as 40 virtual servers for some of their larger clients in Stemp’s own data center, building a private cloud environment, and other clients are re-architecting their own server room or data center for a more flexible, elastic, cloud-like structure.

In both cases, Stemp says, VPN connections remain a key enabling tool.

“It just makes it much easier to get to those hosted services,” he says.

This week, we feature the third part in our series with Shahid Shah, an enterprise software analyst who specializes in healthcare IT with an emphasis on e-health, EMRs, data integration, and legacy modernization. He is also founder of the popular Healthcare IT Guy blog.

VPNHaus: What role does HIPAA play in mobile health?

Shahid Shah: Quite a bit because mobile devices are not treated any differently than any other computing device. If you’re running any application that has patient data on it, you must treat it the exact same way. It doesn’t matter if it’s on a computer or paper. That is, privacy must be protected using the rules and regulations laid out by HIPAA.

This essentially means you have to encrypt data in transit and data at rest. If you’re dealing with a server and physical security, encryption at rest isn’t as big of a deal. It really comes into play for mobile devices. It’s important to point out that with healthcare applications on mobile devices, it’s very difficult to enforce HIPAA regulations. Just because someone sets up a device to be secure, it doesn’t mean three months later that it’s operating that way.

VPNHaus: Do you think healthcare organizations do a good job of provisioning people on-and-off the network as appropriate?

Shah: Healthcare has roughly the same approach as other enterprises. That is, pretty poorly. How seriously people take provisioning is directly related to how big you are and how big your IT department is. A lot of companies do single sign-on solutions for provisioning but the most common reason for this is they don’t have central administration or the healthcare applications don’t support single sign-on. But once you have central administration, it becomes much easier.

VPNHaus: What other trends do you see in mobile health security?

Shah: The wireless sector is picking up steam because the numbers are really exciting for some people and really dangerous for others, depending on if you’re the guy handling the wireless. It’s exciting because the adoption rate in the healthcare sector is significantly higher than other commercial sectors. When we think of wireless we think of mobile phones, but that’s just one small area.

For the first two parts of this series, click here, and for more on upcoming trends on mHealth, see next week’s post.