Computerworld posted an article titled E-Health and Web 2.0: The Doctor will tweet you now. The title made me cringe, to be honest. If any medical provider would communicate with a patient via facebook or twitter on patient related topics, we'd have an avalange of lawsuits on our hands. Thankfully, it is not that bad as the article cited above describes electronic communications between doctors and patients accurately. However, the slightly misleading title still leads me to believe that some clarification on web and social media is in place.

• Ever heard of email? It's this killer app that spread from scientists to the rest of the world in the mid-to-late nineties. It's not inherently secure, but there are systems that allow for secure communication and it is slowly being discovered by the healthcare world to allow patients and providers communicate with one another. Instant messaging also falls into this category and so is text messaging (txt is really a special form of telephony and we have been using that killer app for at least 50 years to communicate with our doctor). Sophisticated EMR vendors have implemented such capabilities into their systems. There are many, but Epic's MyChart module comes to mind - for an idea on how it works, check out the various Group Health Seattle Ads: I actually only found a recent one here. Group Health Seattle implemented MyChart and secure patient to doctor communication in 2002/2003 - long before YouTube became mainstream, so I can't find the original ads, which also shows you that this is nothing new. The key here is that patients and providers don't use the "traditional" email systems that are often available for free by various providers on the Internet, but implement a system directly into the Electronic Medical Records app, which has the added benefit that the communication becomes part of the patient's record.

• Twitter and facebook are still relatively new, and are certainly not intended for any kind of point to point communication, but rather for dissemination to larger groups or "Communities of followers". Businesses (Joe's Pizza as much as a doctor's office, larger group practice, or large hospital) leverage twitter, facebook, MySpace, etc. to update their customers about things they deem important. Announcing new products or services, sending links of interest, or providing patient education on general topics are all things that lend themselves greatly to twitter and facebook. By the way, the same information can be effectively distributed via email lists, but twitter and facebook allow for customer controlled opt-in and opt-out. Both sides win - customers don't get annoying unsolicited emails and business don't have to manage email lists. Again, evem the direct message feature in twitter does not lend itself to securely communicate with patients, hence my introductory cringing at the beginning of this blog.

• Speaking of blogs....Blogs are also labeled "social media". The idea is really nothing new. In the old days (by that, I mean the very old days in the mid 90s), we had to teach ourselves HTML, stand up a web site, and voila - we could get our thoughts and comments out on the web. In my mind, blogs are the great equalizer as they are very easy to use and provide the technical means to publish articles and opinions to the web (some are rants - actually, this blog could be described as a mild rant) . Blogs often allow for others to comment on the original article and that way get a nice discussion going. In healthcare, blogs play an important role as patients can discuss their own conditions with others (often anonymously by using screen names instead of their real names). This also allows for the sharing of information and the establishment of a support network. It's the 2009 version of Fight Club without the hugging. Twitter and blogs often go together as bloggers leverage twitter to announce a new post to their community of followers. Healthcare providers can provide pro-active patient education via blog sites and use twitter to let their patients know that something noteworthy has been published.

So - none of these concepts are new or revolutionary in my mind. These are old technologies that either make the administration easier (blogs) or allow more user control when it comes to information blasts (twitter, facebook), or facilitate point to point communication (email, IM,txt). It goes without saying that both patients and providers must carefully consider their privacy (and the associated regulations) when using either of these media forms.

Thoughts? Comments? Please post them here.
Follow me on twitter: @florianbecker

Earlier this week I attended "The New Wave of Healthcare IT Virtual Seminar" from SearchHealthIT.com. Unfortunately, I had to leave for the airport, but I did catch one of the first sessions on mobile health by Claudia Tessler and C. Peter Waegermann of the mHealth Initiative, Inc.
mHealth is basically the area where electronic medical records (EMR), mobile computing, social media and direct patient / doctor communication intersect.
The vision is clear: Patients and their doctors communicate via all the modalities we're already enjoying as consumers: eMail, text messages, and sometimes social media. The obvious challenge is that the desire for convenience must be carefully balanced with the mandated need for privacy and security.
Application and Desktop virtualization can confine the protected data to the datacenter, while enabling clinicians to interact with the data securely over any device without the need to re-write the application. Application vendors sometimes offer secure patient portals that allow for direct communication between patients and doctors and nurses. With app and desktop virtualization, even the relatively new iPad is supported out of the box through Citrix Receiver.
The following resources provide a best-practices based approach to designing virtualization environments based on Citrix XenApp and XenDesktop technologies:

• Windows XP Optimization Guide for Virtual Desktops
  Description: If Windows XP is still your desktop operating system of choice and it is going to be used within a virtual desktop environment, you need to optimize it appropriately. The optimizations will help deliver a better user experience and greater scalability on the hypervisor of choice (XenServer, Hyper-V, or ESX).
• XenDesktop Modular Reference Architecture
  Description: The architecture explained within this white paper is a recipe for creating a scalable XenDesktop environment using any required FlexCast option. This reference architecture discusses how to configure the controllers, imaging layer, application layer and the desktop layer.
• High-Availability for Desktop Virtualization - Reference Architecture
  Description: In environments where desktop virtualization is a critical business resource, it is imperative that the solution remains available even if a component or data center is lost. This reference architecture looks at all levels of the entire XenDesktop solution, and provides an architecture for creating a highly-available solution.
• High-Availability for Desktop Virtualization - Implementation Guide
  Description: Implementing a desktop virtualization solution oftentimes requires an investigation and implementation of the high-availability options. This white paper provides step-by-step instructions for enabling high-availability in XenDesktop within a single site and across multiple sites.
• Virtual Applications or Virtual Desktops
  floirDescription: Trying to decide between virtual desktops and virtual applications is oftentimes challenging. By understanding the core expectations and requirements for each delivery method helps make this decision easy. This white paper focuses on the decision and how to identify the most appropriate type of delivery solution.
• Networking topics, including Global Server Load Balancing- it's like never having to worry about datacenter failures again.

These and many other good nuggets on real world implementations of virtualization and networking practices can be found at the Ask the Architect sites.

Florian Becker
follow me on twitter: @florianbecker

Under the much debated HITECH legislation in the American Recovery and Reinvestment Act of 2009, HIPAA covered entities and their business associates must notify patients and in some cases the secretary of Health and Human Services of privacy breaches pertaining to identifiable patient records. I have written previously about the distinction between privacy and security breaches, and I am going to focus on the security breach aspect today.
In the language, the secretary of HHS is required to specify technologies and methodologies that would render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. If covered entities and their business associates apply such technologies and methodologies, they will not be required to provide notice of the breach as otherwise required by the act.
HHS specified that the "unusable, unreadable, indecipherable" test has been met if the breached data has been encrypted and the security of the key has not been compromised. HHS also specifies that the encryption must also comply with the HIPAA security rule's provisions. To make things easier on us, HHS actually gives two examples of encryption that meets the standard:

• For data at rest, encryption consistent with NIST Publication 800-111
• For data in transit, encryption complying with Federal Information Processing Standard (FIPS) 140-2

One way of securing data in a NIST 800-111 consistent way is the use of disk encryption. Microsoft's BitLocker is available with certain editions of Windows 7, Windows Server 2008, and Windows Vista and is also FIPS 140-2 validated, so is McAffee's SafeBoot  and there are many others available as well.  It may be cumbersome for healthcare CIOs to have all their applications tested in a disk encrypted environment on the endpoints and the transition may take some time.
FIPS 140-2 includes several layers of security and HITECH/HIPAA does not seem to specify which one the government would deem appropriate to grant the reporting exception. I am certainly thinking about this topic from a virtualization perspective, where the data would never leave the datacenter. Applications or entire desktops would execute securely inside the datacenter and be accessed by end users over a high performance delivery protocol that provides a great user experience. This is already done widely for clinical apps in the healthcare space and providing FIPS 140-2 compliant remote access is a problem that has been solved. However, I am wondering what would need to happen inside the datacenter? I have my thoughts on this topic but I am curious to hear from you.
What do you anticipate the internal or external auditing procedures to be?

• Remote access only?
• FIPS 140-2 for all server to server communication inside the datacenter?
• FIPS 140-2 even for server to storage communication for medical apps?

Please comment directly on these pages.
Florian

Twitter: @florianbecker
Ask the Architect: Everything Healthcare
Tech Target Blog: Virtualization Pulse

The HiMSS group on LinkedIn features some interesting discussion. One of the longer threats evaluates why EHR/EMR implementations fail
Well, I must ask - please define failure! And this questions goes right to the heart of the matter. Defining success is probably one of the most prominent things any project management and executive steering committee must accomplish at the onset of the project - even before a vendor is picked.
I am well aware of the challenges associated with the technical implementation, workflow definition, workflow standardization and Computerized Physician Order Entry (CPOE) and much has been written about this topic.
A key point of any successful EMR is that the physicians and nurses accept the system and want to use it. Honestly, what's in it for them?
Thus far, physicians in larger organizations had the luxury that someone would transcribe their scribbled notes and mumbled dictations, so that they could focus their time on patient interaction. The fact that healthcare administrators want to reduce errors and establish audit trails of clinical decision making has often been perceived as being of little value to the physician - especially if viewed in comparison to the perceived hassle of learning a new system and having to type patient notes. In a litigious society such as the one in the United States, some physicians may be more comfortable without any trail of clinical decision making that could potentially used against them in trial.
So, for EMR implementation success, a few key principles must be considered:

1. Define clear success criteria. Administrators, tech experts and clinical staff must work together to jointly arrive at a common goal.
2. Workflows. Pay close attention to how much hassle it is for the clinician to complete a workflow. Software must support users, not the other way around. When I was at a major EMR vendor, we actually counted the number of required clicks to complete a task as a key performance metric of the system. In the development cycle, no workflow could execute slower or with more clicks in a new version.
3. Access. This is at the heart of the matter. Organizations should establish clear metrics on how a physician accesses the system. Set an aggressive goal - such as "no more than 15 seconds for the first interaction of the day, no more than 3 seconds to log on to any terminal and get the session back". This can be achieved through virtualization technology and session roaming with Citrix XenApp and XenDesktop. The use of two factor authentication such as proximity sensors in the user's security badges or certificate carrying smart cards negate the use of typing in passwords. Think about the access modality as well - is it a thin client, a tablet, an iPad, a computer on wheels? How many hands will the physician have to care for the patient? Are cable or monitor arms in the way? Are there terminals in the hallways so that a note can be amended without disturbing the patient?

I've written about this topic in a previous blog as well.

Please provide your thoughts and comments.

Florian
Twitter: @florianbecker

There are two interesting trends going on in healthcare at this time (no, I am not talking about the current debate in congress). One is that we will see more and more healthcare providers use electronic medical records - a trend that is fueled by financial incentives through "stimulus money". The other is one of the consumerization of IT - specifically healthcare IT.
We see this trend in other areas as well - like employees using their personal cell phones of choice to access corporate email, or even bringing their personal laptops to work.
In healthcare, doctors are already heavy users of mobile technology - cell phones, smart phones, the ubiquitous pager etc. But today we're at a point where the consumer technology is good enough to be used for clinical purposes and can actually contribute to giving doctors a little bit of their free time and their personal life back.
Case in point: The patient calls their on-call doctor after hours with a rash or burn. In the old days, it would have required the physician to drive a possibly long distance to see the patient in order to recommend treatment. Today, she can simply ask the patient to take a picture of the ailment with a smart phone and simply email it over. In many cases, the image quality is good enough to recommend treatment and help the patient immediately.

This trend is obviously troublesome for healthcare administrators. Many actually recommend against their physicians employing "unapproved" avenues to make remote diagnosis out of fear of litigation and legal compliance violations. The dilemma is that both patients and doctors use technology out of convenience where it makes sense. It is against doctor's nature to hold back care if it is obvious how the patient can be helped right then and there.
However, I stipulate that this is actually nothing new.

• For a long time, doctors have consulted their patients over the phone and gathered enough information to diagnose and make a recommendation for treatment, so the digital information exchange actually reduces risk in many cases.
• The patients are the only rightful owner (note that I am not saying the only legal owner, this would be a different discussion) of their medical data. If they choose to share some of it over less than secure connections with their physician, it's their choice. In the age of social media and Internet-based commerce, people have become accustomed to giving up some privacy and security in exchange for faster and better service online.

So, can both groups - doctors and their patients on one side and privacy advocates, regulators, and lawyers on the other side be happy? Yes.
Some electronic medical record system vendors incorporate an internal, secure messaging feature that allows patients to communicate with their doctors and nurses directly, but through the established channels of an existing EMR implementation. In addition (or in lieu) of this capability, healthcare providers can use their smart phones, netbooks, tablets, home computers etc. to securely connect to their employers system to upload data, annotate patient notes in real time etc, check for potentially harmful allergies, etc. If the EMR implementation does not expose a fully functional web based user interface, both desktop and application virtualization technologies can make it so.
Instead of getting into the cold car and driving 50 miles through snow and ice to see a patient, the doctor on call can simply pause the movie on the living room TV, switch the set to the connected PC and securely connect to the patient's medical record, review pertinent information, write a prescription electronically (a must have under the proposed "meaningful use" criteria) and finally go back to being a private person. More personal life for caregivers, faster service for patients - enabled through technology.

Follow me on twitter: @florianbecker

Well, not quite, but as a physicist working on the grand unified theory would say: The arrows are pointing into the right direction.
While patient care is not delivered virtually quite yet, the experts in the field of Health Information Management and Systems will have their annual gathering in Atlanta in early March (http://www.himss.org) to ensure we'll get there in the future. If you haven't been to the HIMSS show yet - it is an exciting conference with well over 20,000 attendees.
Questions on health record portability, privacy, interoperability, and the plain old task to get physicians to warm up to the idea of using a computer as the primary means of documenting clinical information will be at the center of the discussions, while musings on whether the federal government is going to pay for your healthcare IT initiative are sure to be overheard as well.
I myself will make my way up to Atlanta to find out what's going on in the industry and I seek to speak to many attendees and presenters on application delivery challenges in this unique field. Stay tuned on these pages for regular updates and follow me on twitter for a play by play of my HIMSS journey.
Before I pack my bags and decide whether or not to include foul weather gear and snow shoes, please let me know what specific topics around healthcare IT you are interested in.

Twitter: @florianbecker

Florian