
Electronic Medical Records (EMR) implementations have their own, unique challenges. Healthcare organizations are concerned with selecting a vendor, complying with a myriad of regulations, and basically transforming the way healthcare is delivered to their patients.
Given the transformative nature of an EMR implementation, virtualization is often just a side thought for health CIOs. Therefore, I’d like to shed some light on the topic and share my personal top 5 reasons to pursue it further, starting with the centralization of medical records data.
For a quick definition of the term itself, please refer to yesterday’s blog.
I assume that the backend database for your electronic health records resides in a single, centralized datacenter. Through global server load balancing, you may have already implemented site-to-site redundancy, but that’s beside the point for today’s discussion.
So, traditionally, you would have rich client applications or web browsers on the user’s endpoint to consume and manipulate the medical records data. This automatically implies that a lot of health data moves to and from the datacenter and often to remote locations where it is challenging to maintain a tight grip on security.
Application or Desktop Virtualization can solve that problem. Both of these techniques move the client software piece (or web browser) to the datacenter, where it executes securely inside your facility. The health data never even leaves the datacenter. The user interaction happens via a secure, high performance protocol (such as Citrix’ HDX in the XenApp and XenDesktop product lines) and gives the user a snappy interaction with the software, while only exchanging screen updates and keyboard/mouse events between the end user and the datacenter. Additional data streams pertaining to peripherals, printers, USB devices, scanners, and client hard drives are possible, but can easily be disabled to promote further security.
No data ever makes it to the endpoint, which reduces the risk of HIPAA/HITECH covered security breaches. In addition, user sessions can be audited to establish an independent trail of information in case the regulators or courts require a closer look.
If you’re curious, I encourage you to check out Dan Feller’s Ask the Architect site. Dan has a wealth of information on desktop and application virtualization and associated whitepapers and reference architectures.
Florian Becker
Twitter: @florianbecker
Virtualization Pulse: Tech Target Blog
Ask the Architect – Everything Healthcare

The following is a blog I posted on my “other” site – Virtualization Pulse, hosted by Tech Target. Most readers on these pages are already very knowledgeable, so please forgive the simplistic view. In the near future, I will publish additional blogs on virtualization and specifically focus on the healthcare IT space. Consider this one a relatively simple level-set for the audience. Enjoy.
———————————

Given that there are a lot of incentives associated with the adoption of Electronic Medical Records, medical CIOs and their teams are inundated by vendor messages these days. Phrases like “Meaningful Use”, “HITECH”, “HIPAA” are on the forefront of everyone’s mind, but you may also hear about virtualization. Given that there is still some confusion on the topic, I’d like to clear a couple of things up:

“Virtualization” is a term that has been traditionally used in the context of server virtualization. The technology involved is often referred to as “Hypervisors” which basically allow a modern server with plenty of CPU and Memory resources to share those resources between multiple “workloads” or “virtual servers”. So, instead of having one physical server with 16 CPU cores and 128 GB of RAM, this server can often house 40-60+ individual workloads that act on your network just as if they were much smaller individual servers. The benefits are obvious. Today’s servers are relatively cheap to acquire and most server workloads don’t require nearly as many computing resources to do their job. IT departments can lower cost by running fewer physical servers, consume less rackspace, lower power consumption and cooling costs. Advanced virtualization solutions also allow for virtual servers to automatically move to a separate physical host in case of a hardware failure. The failover process is often seamless and therefore provides resiliency, but typically requires a separate, redundant storage area network for this to work on the fly. Workloads with less criticality can be moved in a semi-manual fashion where they are simply restarted on another physical host by the administrator.
Vendors in this space include VMware (vSphere), Citrix (XenServer), Microsoft (Hyper-V) and a number of other players.

Application Virtualization. This is another form of virtualization, which has virtually nothing to do with server virtualization (pun intended). In this model, an application (think about your office productivity suite, or your electronic medical records client) is installed on a central server and executes there. The user connects from their endpoint (PC, laptop, thin client devices, etc.) via a remoting protocol and essentially controls the application remotely. This can be done on the simple level with Microsoft Terminal Services and the RDP protocol, and on the higher end via specialized solutions such as Citrix XenApp (formerly known as Presentation Server or MetaFrame). The benefits are obvious. Applications can be centrally managed and IT support personnel would no longer have to touch an end user’s system to install or patch an application. All updates are performed on a few centrally located servers. This approach also has the advantage of the application being physically close to the backend data of the app (on a low-latency, high bandwidth network), which leads to faster execution of the app and much increased security as the data never leaves the datacenter. The only information that is exchanged between the end-user’s device and the central server is screen updates and mouse and keyboard events. The protocols also include the capability of conveying information such as audio, printing, USB device support etc. The performance is actually astonishing in many cases and the most demanding customers in the area of engineering run their complex design applications via Citrix XenApp.

Desktop Virtualization. This is the latest and greatest. Instead of executing just a set of applications in the datacenter, the industry is moving towards executing desktop operating systems in the datacenter and allowing users to connect to the desktops. One could write a whole book about desktop virtualization, so I am trying to keep it brief. Some vendors tout a “VDI” or “Virtual Desktop Infrastructure” model, where each user basically has their own, assigned, virtual desktop in the datacenter. This model moves the headache of desktop maintenance to a central location, but still encounters some of the same challenges associated with traditional desktop management (such as the need to patch multiple desktop instances and troubleshoot/fix corrupted or infected desktops).
More advanced models go towards a shared desktop image model, where each user connects to a brand new, pristine desktop operating system, which folds the applications and user settings into the desktop as the user connects. This has the advantage of ensuring the highest performance (after all, a brand new desktop always performs best) and can also cut down on the number of desktops to maintain. Having just one or a handful of desktop master images to patch and maintain for thousands of users provides great efficiency gains and cost savings.

So, let’s recap. Server, Application, and Desktop Virtualization are three distinct disciplines in healthcare IT and are important to understand. Don’t fall for the siren’s song and believe that a particular vendor who is good at one discipline is automatically an expert at the other virtualization disciplines.
Check back on these pages in the near future for my rundown on virtualization techniques for your EMR implementation.

Florian Becker
Twitter: @florianbecker
Virtualization Pulse: Tech Target Blog
Ask the Architect – Everything Healthcare

…No, I am not talking about the world-famous subway system in London, but rather like to pick up the topic by Dr. Philip Chase on the Physician’s view of an EMR. Dr. Chase describes how a recent visit to his physician revealed that the esteemed healthcare provider spent a lot of time typing Dr. Chase’s answers into an EMR application. The physician’s attention was divided between the patient and the computer system and the entire encounter had the appearance that the EMR itself interfered with the doctor – patient relationship; hence the “gap” between data acquisition and data entry.

Since there’s a lot of talk on EMRs these days (one recent blog post describes the HITECH Anxiety), I figured it would be a good time to reiterate some of the common sense EMR thoughts and best practices.
Doctors don’t want to be IT admins. Correct. I don’t think they have to. Purely Internet-based EMR vendors use this tagline to entice providers to move all of their patient data to a hosting provider, but many physicians are more comfortable with on-premise solutions. Roughly 50% of office visits are delivered by 1-2 doctor practices. Like many other small businesses in all kinds of verticals, physicians can rely on other (often small) businesses in the IT / Computing world to set up a local system and support a locally running EMR. It’s “my computer guy” who takes care of installing, maintaining, patching, and backing up the systems in any small business, regardless of the industry. Action: Think about hosted vs. on-premise systems and pick the ones that you are most comfortable with.
Usability is key. You don’t want your patients to stop seeing you, because the visits have become impersonal. Don’t focus more than 5-10% of your patient time looking at a computer screen. This will require discipline and some practice. Pick EMR software that lets you work from selection lists and templates rather than free text. Practice some typing (if that’s new to you) and have a vendor demonstrate the speed of documentation and order entry to you.
Devices play a big role. Bigger than you think. Vendors bombard you with different options. Everything from regular office PCs, laptops, tablet PCs (including the Apple iPad), to computers on wheels (COWs) are options. Depending on your practice setup, one or more of these may fit. Here are some thoughts: Don’t set up your devices statically (that would require you to turn your back on the patient on occasion). If you go for wheeled devices, make sure they are not clumsy or blocking your space and movement in the practice. Ensure that wireless networks reach all your exam rooms and provide good signal strength. Consider a tablet device as you can carry it around. Be mindful of the device often occupying at least one of your hands that you won’t have available to examine or treat the patient. Some devices with smaller form factors are said to fit in a lab coat. Try it before you buy! Consider the device’s battery life and screen size. Action: Try the different devices in conjunction with the short list of EMRs you’re considering. Some vendors have specific user interfaces for mobile devices or iPads that improve usability when using a multi-touch interface.
Multi-user environments pose special challenges. If you have more than 1 clinical user or are running a group practice, consider the fact that physicians will physically move away from a device and into the hallway or next exam room. Unless you choose portable devices, consider fast log off and log on modalities and session roaming. The latter can be achieved through application and desktop virtualization, where your application executes centrally and the “terminals” in the exam rooms and hallways just provide interactive access to the application.
Offsite usage. Nothing is more annoying than not having access to a system when you need it. Ensure that your system has secure offsite access built in. In most web-based EMRs, you should be covered. More elaborate systems may require app or desktop virtualization where the apps and data stay securely tucked away in the data center (or data closet, depending on your size) and allow your users to connect securely over the Internet to the user interfaces of the apps. Action: Discuss those options with your “computer guy” and your EMR vendor.

I plan on sharing more specific virtualization best practices with you in the upcoming weeks and months. Please let me know if there are specific topics you would like to hear about.

Florian
Twitter: @florianbecker
Ask the Architect – Everything Healthcare
Tech Target Blog – Virtualization Pulse

Computerworld posted an article titled E-Health and Web 2.0: The Doctor will tweet you now. The title made me cringe, to be honest. If any medical provider would communicate with a patient via facebook or twitter on patient related topics, we’d have an avalanche of lawsuits on our hands. Thankfully, it is not that bad as the article cited above describes electronic communications between doctors and patients accurately. However, the slightly misleading title still leads me to believe that some clarification on web and social media is in place.

  • Ever heard of email? It’s this killer app that spread from scientists to the rest of the world in the mid-to-late nineties. It’s not inherently secure, but there are systems that allow for secure communication and it is slowly being discovered by the healthcare world to allow patients and providers communicate with one another. Instant messaging also falls into this category and so is text messaging (txt is really a special form of telephony and we have been using that killer app for at least 50 years to communicate with our doctor). Sophisticated EMR vendors have implemented such capabilities into their systems. There are many, but Epic’s MyChart module comes to mind – for an idea on how it works, check out the various Group Health Seattle Ads: I actually only found a recent one here. Group Health Seattle implemented MyChart and secure patient to doctor communication in 2002/2003 – long before YouTube became mainstream, so I can’t find the original ads, which also shows you that this is nothing new. The key here is that patients and providers don’t use the “traditional” email systems that are often available for free by various providers on the Internet, but implement a system directly into the Electronic Medical Records app, which has the added benefit that the communication becomes part of the patient’s record.
  • Twitter and facebook are still relatively new, and are certainly not intended for any kind of point to point communication, but rather for dissemination to larger groups or “Communities of followers”. Businesses (Joe’s Pizza as much as a doctor’s office, larger group practice, or large hospital) leverage twitter, facebook, MySpace, etc. to update their customers about things they deem important. Announcing new products or services, sending links of interest, or providing patient education on general topics are all things that lend themselves greatly to twitter and facebook. By the way, the same information can be effectively distributed via email lists, but twitter and facebook allow for customer controlled opt-in and opt-out. Both sides win – customers don’t get annoying unsolicited emails and businesses don’t have to manage email lists. Again, even the direct message feature in twitter does not lend itself to securely communicate with patients, hence my introductory cringing at the beginning of this blog.
  • Speaking of blogs… Blogs are also labeled “social media”. The idea is really nothing new. In the old days (by that, I mean the very old days in the mid 90s), we had to teach ourselves HTML, stand up a web site, and voila – we could get our thoughts and comments out on the web. In my mind, blogs are the great equalizer as they are very easy to use and provide the technical means to publish articles and opinions to the web (some are rants – actually, this blog could be described as a mild rant). Blogs often allow for others to comment on the original article and that way get a nice discussion going. In healthcare, blogs play an important role as patients can discuss their own conditions with others (often anonymously by using screen names instead of their real names). This also allows for the sharing of information and the establishment of a support network. It’s the 2009 version of Fight Club without the hugging. Twitter and blogs often go together as bloggers leverage twitter to announce a new post to their community of followers. Healthcare providers can provide pro-active patient education via blog sites and use twitter to let their patients know that something noteworthy has been published.

So – none of these concepts are new or revolutionary in my mind. These are old technologies that either make the administration easier (blogs) or allow more user control when it comes to information blasts (twitter, facebook), or facilitate point to point communication (email, IM, txt). It goes without saying that both patients and providers must carefully consider their privacy (and the associated regulations) when using either of these media forms.

Thoughts? Comments? Please post them here.
Follow me on twitter: @florianbecker

Earlier this week I attended “The New Wave of Healthcare IT Virtual Seminar” from SearchHealthIT.com. Unfortunately, I had to leave for the airport, but I did catch one of the first sessions on mobile health by Claudia Tessier and C. Peter Waegemann of the mHealth Initiative, Inc.
mHealth is basically the area where electronic medical records (EMR), mobile computing, social media and direct patient / doctor communication intersect.
The vision is clear: Patients and their doctors communicate via all the modalities we’re already enjoying as consumers: eMail, text messages, and sometimes social media. The obvious challenge is that the desire for convenience must be carefully balanced with the mandated need for privacy and security.
Application and Desktop virtualization can confine the protected data to the datacenter, while enabling clinicians to interact with the data securely over any device without the need to re-write the application. Application vendors sometimes offer secure patient portals that allow for direct communication between patients and doctors and nurses. With app and desktop virtualization, even the relatively new iPad is supported out of the box through Citrix Receiver.
The following resources provide a best-practices based approach to designing virtualization environments based on Citrix XenApp and XenDesktop technologies:

  • Windows XP Optimization Guide for Virtual Desktops
    Description: If Windows XP is still your desktop operating system of choice and it is going to be used within a virtual desktop environment, you need to optimize it appropriately. The optimizations will help deliver a better user experience and greater scalability on the hypervisor of choice (XenServer, Hyper-V, or ESX).
  • XenDesktop Modular Reference Architecture
    Description: The architecture explained within this white paper is a recipe for creating a scalable XenDesktop environment using any required FlexCast option. This reference architecture discusses how to configure the controllers, imaging layer, application layer and the desktop layer.
  • High-Availability for Desktop Virtualization – Reference Architecture
    Description: In environments where desktop virtualization is a critical business resource, it is imperative that the solution remains available even if a component or data center is lost. This reference architecture looks at all levels of the entire XenDesktop solution, and provides an architecture for creating a highly-available solution.
  • High-Availability for Desktop Virtualization – Implementation Guide
    Description: Implementing a desktop virtualization solution oftentimes requires an investigation and implementation of the high-availability options. This white paper provides step-by-step instructions for enabling high-availability in XenDesktop within a single site and across multiple sites.
  • Virtual Applications or Virtual Desktops
    Description: Trying to decide between virtual desktops and virtual applications is oftentimes challenging. Understanding the core expectations and requirements for each delivery method helps make this decision easy. This white paper focuses on the decision and how to identify the most appropriate type of delivery solution.
  • Networking topics, including Global Server Load Balancing: it’s like never having to worry about datacenter failures again.

These and many other good nuggets on real world implementations of virtualization and networking practices can be found at the Ask the Architect sites.

Florian Becker
follow me on twitter: @florianbecker

Under the much debated HITECH legislation in the American Recovery and Reinvestment Act of 2009, HIPAA covered entities and their business associates must notify patients and in some cases the secretary of Health and Human Services of privacy breaches pertaining to identifiable patient records. I have written previously about the distinction between privacy and security breaches, and I am going to focus on the security breach aspect today.
In the language, the secretary of HHS is required to specify technologies and methodologies that would render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. If covered entities and their business associates apply such technologies and methodologies, they will not be required to provide notice of the breach as otherwise required by the act.
HHS specified that the “unusable, unreadable, indecipherable” test has been met if the breached data has been encrypted and the security of the key has not been compromised. HHS also specifies that the encryption must also comply with the HIPAA security rule’s provisions. To make things easier on us, HHS actually gives two examples of encryption that meets the standard:

One way of securing data in a NIST 800-111 consistent way is the use of disk encryption. Microsoft’s BitLocker is available with certain editions of Windows 7, Windows Server 2008, and Windows Vista and is also FIPS 140-2 validated; so is McAfee’s SafeBoot, and there are many others available as well. It may be cumbersome for healthcare CIOs to have all their applications tested in a disk encrypted environment on the endpoints and the transition may take some time.
FIPS 140-2 includes several layers of security and HITECH/HIPAA does not seem to specify which one the government would deem appropriate to grant the reporting exception. I am certainly thinking about this topic from a virtualization perspective, where the data would never leave the datacenter. Applications or entire desktops would execute securely inside the datacenter and be accessed by end users over a high performance delivery protocol that provides a great user experience. This is already done widely for clinical apps in the healthcare space and providing FIPS 140-2 compliant remote access is a problem that has been solved. However, I am wondering what would need to happen inside the datacenter? I have my thoughts on this topic but I am curious to hear from you.
What do you anticipate the internal or external auditing procedures to be?

  • Remote access only?
  • FIPS 140-2 for all server to server communication inside the datacenter?
  • FIPS 140-2 even for server to storage communication for medical apps?

Please comment directly on these pages.
Florian

Twitter: @florianbecker
Ask the Architect: Everything Healthcare
Tech Target Blog: Virtualization Pulse

There are two interesting trends going on in healthcare at this time (no, I am not talking about the current debate in congress). One is that we will see more and more healthcare providers use electronic medical records – a trend that is fueled by financial incentives through “stimulus money”. The other is one of the consumerization of IT – specifically healthcare IT.
We see this trend in other areas as well – like employees using their personal cell phones of choice to access corporate email, or even bringing their personal laptops to work.
In healthcare, doctors are already heavy users of mobile technology – cell phones, smart phones, the ubiquitous pager etc. But today we’re at a point where the consumer technology is good enough to be used for clinical purposes and can actually contribute to giving doctors a little bit of their free time and their personal life back.
Case in point: The patient calls their on-call doctor after hours with a rash or burn. In the old days, it would have required the physician to drive a possibly long distance to see the patient in order to recommend treatment. Today, she can simply ask the patient to take a picture of the ailment with a smart phone and simply email it over. In many cases, the image quality is good enough to recommend treatment and help the patient immediately.

This trend is obviously troublesome for healthcare administrators. Many actually recommend against their physicians employing “unapproved” avenues to make remote diagnosis out of fear of litigation and legal compliance violations. The dilemma is that both patients and doctors use technology out of convenience where it makes sense. It is against a doctor’s nature to hold back care if it is obvious how the patient can be helped right then and there.
However, I stipulate that this is actually nothing new.

  • For a long time, doctors have consulted their patients over the phone and gathered enough information to diagnose and make a recommendation for treatment, so the digital information exchange actually reduces risk in many cases.
  • The patients are the only rightful owner (note that I am not saying the only legal owner, this would be a different discussion) of their medical data. If they choose to share some of it over less than secure connections with their physician, it’s their choice. In the age of social media and Internet-based commerce, people have become accustomed to giving up some privacy and security in exchange for faster and better service online.

So, can both groups – doctors and their patients on one side and privacy advocates, regulators, and lawyers on the other side be happy? Yes.
Some electronic medical record system vendors incorporate an internal, secure messaging feature that allows patients to communicate with their doctors and nurses directly, but through the established channels of an existing EMR implementation. In addition to (or in lieu of) this capability, healthcare providers can use their smart phones, netbooks, tablets, home computers etc. to securely connect to their employer’s system to upload data, annotate patient notes in real time, check for potentially harmful allergies, etc. If the EMR implementation does not expose a fully functional web based user interface, both desktop and application virtualization technologies can make it so.
Instead of getting into the cold car and driving 50 miles through snow and ice to see a patient, the doctor on call can simply pause the movie on the living room TV, switch the set to the connected PC and securely connect to the patient’s medical record, review pertinent information, write a prescription electronically (a must have under the proposed “meaningful use” criteria) and finally go back to being a private person. More personal life for caregivers, faster service for patients – enabled through technology.

Follow me on twitter: @florianbecker

The American Recovery and Reinvestment Act of 2009 (ARRA) contains a whole chapter called HITECH. This catchy acronym stands for Health Information Technology for Economic and Clinical Health and makes you wonder if “they” construct the acronym before deciding on what information to convey. It basically mandates a number of fairly stringent disclosure requirements for HIPAA covered entities and their business associates in the case of privacy breaches leading to the disclosure of patient data. The act is intentionally aggressive in order to entice health care providers and insurance companies to be really cautious about patient privacy and record security.
I am at HIMSS in Atlanta this week and I notice that ARRA, HITECH, HIPAA and other related topics are front and center in many sessions and for many vendors on the floor.
Under HITECH, the burden of proof is on the side of the covered entity to prevent a breach, discover the breach, and then disclose the breach to the patients and – in some cases – to the secretary of health and human services. If the breach is affecting 500 or more patients in a state or region, the covered entity must notify the patients via public media and notify HHS immediately. 
So, let’s define what a breach really is, and then what you can do to never have to call your local newspaper for the disclosure ad.

Under HITECH, a breach is an “unauthorized acquisition, use, or disclosure that compromises the security or privacy of the health record”. There’s also something in the language that this must pose a significant risk of financial, reputational, or other harm to the individual. Note that I am not a lawyer, but I did stay in a holiday….. tonight. Kidding aside, I did listen to Gerry Hinkley and Deven McGraw during their HIMSS session this week – both are legal experts in this field.

So, having a laptop with unencrypted and personally identifiable patient information stolen would be a breach. If, however, the data is secured with federally accepted levels of encryption (and the security of the key is not compromised), OR the data does not include certain items such as DOB or the patient’s ZIP code, it’s not a breach.
As you can see, the devil is in the detail. So, how can you take steps to avoid that painful disclosure? For one, ensure that the patient information never leaves your data center. Leverage desktop or application virtualization and disable clipboard and local disk access on the client device. Many electronic health applications can only print through the server, so that client connected printers are not needed and can also be turned off without compromising functionality. If mobile access to the data is needed, consider the Citrix Receiver for the iPhone or mobile access platform of your choice to deliver the information without delivering the data.
Even without HITECH, these are important considerations for any Electronic Medical Records (EMR) rollout. When done correctly, you could allow your doctors, nurses, and staffers to use the laptop, netbook, tablet, iPad of their choice without having to worry about IT managing the myriad of devices or any of them leaving the premises.
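The lockdown recommended here and in the first post (clipboard, client drives and client printers turned off on the remoting channel) is worth verifying on the session hosts rather than assuming. The following is an added example, not part of the original posts: it uses the Microsoft Remote Desktop Services policy values as the concrete case (the page names Citrix and RDP but gives no setting names), and the registry export it checks is constructed sample data.

```python
import re

# Machine policy key where Remote Desktop Services redirection policies are stored.
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"

# Policy value -> redirection channel it turns off when set to 1.
CHANNELS = {
    "fDisableClip": "clipboard",
    "fDisableCdm": "client drives",
    "fDisableCpm": "client printers",
    "fDisableLPT": "LPT ports",
    "fDisableCcm": "COM ports",
    "fDisablePNPRedir": "plug and play devices",
}

# Constructed sample in `reg export` text form (decode the real file from
# UTF-16 before passing it in). The second key is a made-up, unrelated key
# to show that values outside the policy key are ignored.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fDisableClip"=dword:00000001
"fDisableCdm"=dword:00000001
"fDisableCpm"=dword:00000000
"fDisableLPT"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Unrelated]
"fDisableCcm"=dword:00000001
'''

DWORD_LINE = re.compile(r'"([^"]+)"=dword:([0-9a-fA-F]{8})')


def parse_reg_dwords(text, key):
    """Return {value name: int} for DWORD values stored directly under `key`."""
    values, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # entering a new registry key section
            continue
        match = DWORD_LINE.fullmatch(line)
        if match and current is not None and current.lower() == key.lower():
            values[match.group(1)] = int(match.group(2), 16)
    return values


def open_channels(text):
    """Map each channel that policy does not disable to the reason why."""
    values = parse_reg_dwords(text, POLICY_KEY)
    findings = {}
    for name, channel in CHANNELS.items():
        if name not in values:
            # Absent value: nothing enforces the lockdown for this channel.
            findings[channel] = "not configured"
        elif values[name] != 1:
            findings[channel] = "explicitly allowed"
    return findings


if __name__ == "__main__":
    for channel, reason in open_channels(SAMPLE_EXPORT).items():
        print(f"{channel}: {reason}")
```

A channel reported as "not configured" is the case to watch: the policy is silent, so data can still leave the session over that channel unless something else blocks it.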

Now, unfortunately, this is only one aspect of HITECH. The other aspect involves the unauthorized access of patient records by employees who have legitimate access to the systems, but are basically snooping around. HITECH covers privacy breaches, not just security breaches. Looking up your own lab results, or the chart of your friend’s sick kid is an example of a well intentioned, but illegal breach. Looking up the local football player’s records to determine if that hamstring injury has healed before Sunday’s game is also an illegal breach, but not an innocent one. Identifying those scenarios actually requires intelligent data mining to assess whether access was justified for a person to do their job or constitutes a breach. While you can’t fix the latter category through application or desktop virtualization, you can confidently use virtualization technology to prevent breaches through the loss of devices or data without restricting mobility. One less thing to worry about in the complex world of healthcare regulation.
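A rule-based first pass over the EMR audit trail covers the snooping cases named above: staff opening their own chart, and access to a record with no care relationship, with high-profile patients ranked higher. This is an added example, not part of the original post; the log layout, user and patient identifiers, watch list and 7-day window are all constructed assumptions, and its output is a review queue for a privacy officer, not a breach determination.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data (not real records).
ACCESS_LOG = """\
timestamp,user,patient_id,action
2010-03-01T09:12:00,dr_lee,P100,view_chart
2010-03-01T09:40:00,nurse_kim,P100,view_labs
2010-03-01T13:05:00,nurse_kim,P200,view_labs
2010-03-02T08:30:00,clerk_ray,P300,view_chart
2010-03-02T16:45:00,dr_lee,P300,view_chart
2010-03-20T10:00:00,dr_lee,P100,view_chart
"""

# Scheduled encounters: the evidence that a user had a reason to open a chart.
ENCOUNTERS = """\
date,user,patient_id
2010-03-01,dr_lee,P100
2010-03-01,nurse_kim,P100
"""

STAFF_AS_PATIENT = {"nurse_kim": "P200"}  # staff member -> own patient id
WATCH_LIST = {"P300"}                     # high-profile patients
WINDOW = timedelta(days=7)                # how close to an encounter access must be


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def build_encounter_index(rows):
    """Map (user, patient_id) to the list of encounter dates."""
    index = {}
    for row in rows:
        key = (row["user"], row["patient_id"])
        index.setdefault(key, []).append(datetime.strptime(row["date"], "%Y-%m-%d"))
    return index


def has_relationship(index, user, patient, when, window=WINDOW):
    """True if the user had an encounter with the patient near the access time."""
    return any(abs(when - day) <= window for day in index.get((user, patient), []))


def review_access(log_text=ACCESS_LOG, enc_text=ENCOUNTERS):
    """Return (timestamp, user, patient_id, reason) for accesses needing review."""
    index = build_encounter_index(load(enc_text))
    findings = []
    for row in load(log_text):
        when = datetime.fromisoformat(row["timestamp"])
        user, patient = row["user"], row["patient_id"]
        if STAFF_AS_PATIENT.get(user) == patient:
            reason = "SELF_ACCESS"                 # looked up own record
        elif has_relationship(index, user, patient, when):
            continue                               # access explained by an encounter
        elif patient in WATCH_LIST:
            reason = "WATCHLIST_NO_RELATIONSHIP"   # high-profile, no care link
        else:
            reason = "NO_RELATIONSHIP"             # no encounter inside the window
        findings.append((row["timestamp"], user, patient, reason))
    return findings


if __name__ == "__main__":
    for finding in review_access():
        print(*finding)
```

The last sample row shows the limit of fixed rules: a legitimate follow-up outside the window is flagged too, which is why the result goes to a human reviewer.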

Questions? Comments?
Follow me on twitter: @florianbecker