Healthcare IT Risk Mitigation - A Network - Centric approach
The Healthcare is one of the fastest growing industries today - thanks to the increased consciousness to seek a healthy living and the ease of access to excellent medical care. With such unprecedented surge in demand for medical care, Hospitals cannot but seek a strong and robust IT system across their setting to manage efficiently. In fact today the IT department is as common as a radiology department in most hospitals. Hospitals rely on IT system, and Computer networks to manage the entire patient treatment cycle - from admission to discharge, to the extent that they have come to view the IT department as a value-enhancer, away from the "The cost-centre" that they were once considered to be.
The flip-side to this overarching reliance on IT is that even the slightest glitch in the IT system could bring down the hospital on its knees. Add to it the federal laws like HIPAA that seek intense scrutiny of the IT system security and patient data integrity, and the job of the IT System/Network manager becomes all the more difficult.
This paper puts forth a solution to overcome the various challenges/risks that today's healthcare institutions face and puts forth a solution to overcome the IT related risks.
The Healthcare Institution of today
Healthcare institutions come in all sizes - from the basic only-outpatient-treatment-centre down the road to the large Medical centre in Universities to the very large community healthcare centres. What is common to them is the strong IT system that each has in place and the much stronger strict federal laws that each is governed by - only that in the case of the large and very large centres the law is more pronounced and the fallouts of not complying with the laws could mean damaging ramifications. The IT spending by Healthcare Institutions today is like never before. This is mainly on account of the need to manage the health related information of numerous patients and their medical histories. The other reason for IT proliferation is the interest in leveraging the treatment given. The diagram below captures the prime drivers of IT in healthcare.
Prime Healthcare IT Drivers
Usage of IT to leverage Healthcare Delivery
Healthcare software and systems popularly termed the HIS(Healthcare Information) help to automate all the important process in the healthcare institution.
- the Patient registration centre at the Reception is computerised
- A unique MRN(Medical Record Number) is allocated to each new patient. In the case of returning patients the episode number is incremented to reflect in the Master Patient Index
- Allocation of rooms to the patient
- Should a patient be an In-Patient, an appropriate room can be allocated electronically.
- Patient Health Record Maintenance
- All patient health related info -medical history, and current health status is available as electronic records to be accessed by the Physicians and Nurses from anywhere
- Any update can be done to this information by authorised personnal and viewed by other authorised healthcare staff
- Simplified Order Management
- A doctor can clearly define the medication to be administered and lay out the frequency and prescription for the nurses to follow
- Also quick checks for any allergies the patient has, or any lapse in treatment administration can be identified and suitable remedy done
- Reduce paper and document overloads
- Thanks to PACS ( the Picture Archiving & Communication Systems software) that enables storing all documents and imageries in scanned format electronically - this is getting cheaper with time and has the advantage of renederign acceess to the same documnet by multiple physicians at various locations at the same time.
- An integrated process flow
- With a good IT system in place it is possible to track the patient's medical history and status at any point in time. Also billing gets easier - as each treatment given to the patient - lab tests, radiology , medicines, sophisticated rooms - all can be accounted for and billed as a whole. It is also much easier to stake claims from Insurance agencies with such a work-flow
- HIPAA & federal guidelines compliance
- The Health Insurance Portability and Accountability Act & the federal laws were the last straw on the camel's back that made the hospital systems take to IT in a big way. With growing emphasis on maintaining EMR (Electronic Medical Records) of patient health and ensuring the integrity and security of the patient data from unprivileged access, IT is the only way out
The Catch :
As can be seen from above the number of benefits the healthcare institution stands to gain with an IT system in place is far more than the upfront spending it has to incur in porcuring one. Yet, one major threat of such a system is its extreme reliance on IT systems, which in turn rely on the nebulous Computer networks.
So what it means for the Healthcare centre is a network glitch could render the IT system unusable - with it goes away the access to all the patient information and medication instructions.
Also with the wide spread use of electronic medium for the communication and entertainment purposes. the vital hospital network is always under threat of being abused for purposes that are not within the purview of patient treatment. Such a phenomenon could unnecessarily burden the network making the availability of bandwidth for a much more critical application a dream.
A network disaster namely :
- Failure of a network element that goes unnoticed
- Loss of access to the IT application (HIS)
- Non-availability of enough bandwidth for healthcare related activities
- Unauthorised intrusion in to the network by scrupulous elements and virus attacks
could pose serious risk to the reputation and even the existance of the healthcare institution. So attempts to mitigate the network risk by way of having mechanisms ready to combat a network disaster is well in order
A case in Point
Consider the case of a Large Community Medical System that has 5000 employees, has 60 distinct business units.To achieve high levels of service delivery and efficiency the medical center deploys a sophisticated Healthcare Information system(HIS) that spans its entire campus.
- A sophisticated Healthcare Information system to automate the whole process flow. This includes the
- Capability to digitise patient records
- A sound picture archiving system (PACS) to
- A High speed bandwidth line connecting its entire campus
- Voice Over IP Systems to enable easy and cost effective communication
- Access to wireless internet access anywhere in the campus through access points
This HIS has the ability to store electronic medical records of patients and facilitate quick reference to the patient health staus to authorised(prieveleged )physicians This apart it also has a strong Picture Archiving system (PACS) to electronically store patient image records. To support the access to HIS and PACS from anywhere the medical center has a high bandwidth network across its campus. This in turn facilitates Voice - Over - Ip communications, Access to wireless internet access from anywhere in the campus.
Risk Assessment - The key points to consider:
As the medical center is heavily reliant on IT and computer networks, ensuring remote data access and network connectivity is very critical for the smooth functioning of the whole enterprise. The Network Administrator/CIO has to anticipate the possible problems that may crop up disrupting the smooth functioning of the Healthcare delivery process. The possible problems/challenges are:
- The network going down and access to computer, printer systems taking a hit
- Ramifications: Physicians can't access patient health information and all medication and surgical orders passed on the patient gets disrupted, administrative staff cant access data relating to discharge and billing etc
- Heavy losses on account of mistakes that happen in the event of missing data access
- The network bandwidth being wasted on non-critical applications like streaming video etc
- Due to unwanted applications eating the bandwidth, the vital applications like PACS dont have enough bandwidth to support physician access from anywhere instantly
- Also the access to HIS takes a hit consequently
- Unpriveleged access to patient records and violating HIPAA norms
- The healthcare centre violates HIPAA norms by not ensuring adequate protection to patient data. Also in the event of any such event, the hospital is expected to be capable of reporting on the details of such incidents
- The losses include painful legal hassles, defamatory suits, and lost brand equity
- Very High Mean Time to Repair (MTTR)
- Any network dependant enterprise should have procedures and process in place that facilitate quick fixture of problems in the network. It gets all the more important in the case of a sensitive industry like the healthcare institution - Being able to fix and troubleshoot problems faster could define the life and death of the patients
- A system in place to quicse should have procedures and process in place that facilitate quick fixture of problems in the network. It getkly assign responsibility to personnel to fix problems and to track the progress of the resolution
Having assessed the potential risks that an enterprise is vulenrable to it is vital to address them effectively at the earliest.
The challenge (Perceived Risk)
( Risk Mitigation Mechanism )
|1. Monitor networks and proactively thwart any possible network failures
||A good network Monitoring software that can inspect your entire network and give meaningfull and in depth reports can help wade through the problem
|2. Monitor network bandwidth usage and ensure high bandwidth availability at all times to critical applications
Have a strong WAN monitoring solution that can monitor the entire network bandwidth and the entire network traffic as it happens. A report on who the Top Talkers are, what applications are eating the maximum bandwidth, at what time periods the bandwidth peaks, the bandwidth usage pattern over the last couple of months etc are very useful
More importantly such information can help decide whether to go in for a capacity planning and for how much
|3. Having log of all access done to HIS system and patient records
||A strong Log analyzer solution that can capture and store logs of information on all access - succesful / failed attempts, done to the HIS. It should also be able to report on the stored logs for actionable decisions and help in reporting for HIPAA compliance
|4. Reducing the MTTR(Mean Time to Repair) in case of any event/disaster - having a strong disaster recovery process
||A sound Help Desk Management Software that can help assigning ownership to individuals incharge of resolving the issue and being able to track the progress of the issue for quick resolution of the problem.
ManageEngine - a Healthcare enterprise network manager
While individual point solutions that address each of the risk mitigation solutions identified above exists, it is good to have a unified integrated solution that can address all these aspects. ManageEngine suite has this capability. The member module softwares OpManager, NetFlow Analyzer, EventLog Analyzer & ServiceDesk Plus software address the issues of Network Monitoring, Bandwidth Monitoring, Log Analyzis & Reporting and Help Desk Management respectively.
For more details on ManageEngine NetFlow Analyzer visit http://www.netflowanalyzer.com
For technical queries contact email@example.com
For comments on this article contact firstname.lastname@example.org
"NetFlow Analyzer has helped us reduce the time taken to isolate and
contain threats like worms and virus attacks. It has also helped us to solve network incidents faster, and do better capacity planning."
Fred Hassard, Sr. Network Engineer, Adventist Health