June 7, 2006
University Health Center Hacked – Well Really Alumni Relations
Written by: John
Not too long ago I ran across an article that talked about Ohio University’s server being hacked and in a hacker’s hands for a long period of time. I honestly don’t think this is really all that common. In fact, after working with a friend of mine in college who was excellent at hacking I think this happens a lot more than we ever realize and definitely more than ever gets published. Not that the practices of this article are acceptable, but I don’t think we should be naive.
Many may be wondering what a University getting hacked is doing on an EMR and HIPAA blog. Well, read this quote from the article:
How a server could be left open to intruders is still under investigation. But this much is known: A server supporting the alumni relations department was supposed to be offline, Sams said. The people responsible for shutting it down thought they had done so. The server continued to be connected to the Internet but didn’t receive security updates. It was the equivalent of leaving a backdoor open for thieves to walk in and seize what they wanted.
The culprits who broke into the other two servers made off with health records belonging to students treated at the university’s health center, as well as Social Security numbers of an additional 60,000 people.
Does this really make sense to any rational person? What is a student’s health record doing on a server supporting the alumni relations department? Not to mention on a server that someone isn’t updating. At the rate that Windows puts out updates I think we are all guilty of sometimes being a bit lazy in our updating policy. However, to forget about the machine and think it is shut down is ridiculous. That has HIPAA violation and HIPAA lawsuit written all over it.
May 15, 2006
30,000 EMR Visitors Later
Written by: John
I’m thrilled to say that we just passed 30,000 visitors to EMR and HIPAA. It really is something else to think that so many people have come to this site to find out about EMR and HIPAA. I’m really happy to see its success. In fact, I didn’t realize how well I was doing at attracting visitors until I saw that a great Healthcare IT blogger recently posted that, since he started tracking his statistics in September 2004, he just hit 10,000 visitors. Pretty amazing that I just started blogging in December 2005.
It’s been a roller coaster getting it started. Now that I’m a little more established with some quality content in place I have been taking a step back to see where I want to take my EMR and HIPAA blog. I definitely want to work on some of my fixed pages:
EMR and EHR Vendors
EMR vs. Paper Charts
EMR Evaluating and Purchasing
EMR Features
EMR Implementation Ideas
I also want to work more on giving details to those interested on implementing an EMR. I want to start doing my initial vision of reviewing various EMR systems. I’ve already started some of the reviews, but I’ve been debating the best way to review an EMR system in an unbiased and professional manner. If you have any ideas please post a comment so I can have your feedback.
Mostly, thanks for helping me reach 30,000. It’s amazing to me that I have gone from 0 to 30,000 so fast. Especially since this EMR blog was started as a Christmas whim. Who would have thought I’d love EMR so much?
May 13, 2006
Develop Your Own EMR – Are You Crazy?
Written by: John
I had someone email me asking me what I thought about a small group of doctors developing their own EMR. Then, I was helping a doctor implement an EMR in a new office and his friend asked me why I didn’t just create my own EMR and make a ton of cash. All I have to say is….Are you CRAZY????
While developing your own EMR is a very nice thing because you are able to customize the process exactly the way you like I honestly think this is a big mistake. You will honestly be spending just as much money developing your own EMR as you will spend purchasing from an EMR vendor. Doing this for a small group of doctors is even worse. Gaining a consensus of these doctors on what is “best” for an EMR is like asking which type of ice cream is best. There are certainly some that are better than others, but it really just depends on a person’s preference. EMR choice is pretty much the same.
One of the biggest problems of creating your own EMR from scratch is what happens once your EMR is “created”. You have to continue paying for development to continually create enhancements. If you stop enhancing your EMR program then you get farther and farther behind and lose some of the advantages of an EMR. If you go with an EMR vendor then you continue to benefit from the enhancements that they continue to create. Often there is a small update fee, but much less than you developing all these features yourself over time. An EMR vendor is able to generate a lot more revenue which can be funneled into enhancing your EMR. Do you really think that one programmer can compete with a whole team of programmers? Besides the time factor it is really hard to find a programmer that can do all of the specialized programming for an EMR. They would have to know how to do an HL7 interface, learn CCR, document management, reporting, just to name a few.
Even more important, it is just not realistic for one programmer to be able to build an EMR that has the full feature set of a good EMR system. Sure, I have the technical skill to program an entire EMR. It would just take time. Not a little bit of time, but hordes of time. Individual components of an EMR system really aren’t that complicated. When you pile them all together it would just require a lot of work to develop an EMR from square one. I really think developing your own EMR is a poor strategic decision.
Another point is that there are some great EMR companies that are reasonably priced and will certainly pay for themselves over time. There are even some different pricing models that don’t require an enormous up front fee which allows a doctor to minimize the risk of EMR implementation.
Here’s a few examples you might look at:
Doctors Partner – http://www.doctorspartner.com No up front, just a monthly fee
Medtuity – http://www.medtuity.com/ Charged per visit(does not include a PMS)
I know both of these companies personally and they are quality organizations and people with a unique cost structure.
There are so many EMR vendors to choose from. In fact, look at my enormous list of EMR systems.
Every doctor should be able to find an existing EMR system that meets their needs(pricing and features).
One other quick tip is to choose an established, but smaller EMR. These smaller EMR’s are able to listen and implement your specific requests much more quickly than a larger EMR that receives tons of requests.
Tags: EHR • EMR
May 5, 2006
EMR Implementation – The Candy Bar Cure
Written by: John
One day at the beginning of the “EMR Experience”, I saw the nurses quite upset and overwhelmed with all the changes and the learning curve of implementing an EMR. You could literally feel the negativity in the air. My wife had supplied my office with a Costco box of candy bars. Seeing the candy bars gave me an idea. I walked through the clinic with the box of candy bars offering them to everyone. It was amazing how a little candy bar could literally change the mood of the entire clinic. Maybe every EMR system should provide a box of candy bars as part of every EMR purchase.
May 2, 2006
EMR and Storage Area Networks (SANs)
Written by: John
A friend of mine on EMRUpdate recently asked how a SAN applies to EMR. I took so much time to write a response I decided to copy it here. I’m sure I’m missing some details, but this should be a good start.
Really a SAN is basically a bunch of disks that can be connected to a bunch of different servers over fiber optics. You can see more formal definitions at the Wikipedia – Storage Area Networks and Webopedia – Storage Area Networks.
My personal experience with a SAN is that they are fantastic, but they are quite complex to work with. They are getting cheaper and easier to manage(evidenced by a nice SAN product from Apple), but it still takes some work to get it working.
To me the real advantage of a SAN is that it allows you to do clustering. It separates your data from your server making the 2 independent of each other. This makes managing servers very nice(pull out a server and update it with no down time) and backups of the data(you can backup your data to disk and then from disk to tape).
So, why would an EMR want to use a SAN? Quite frankly most won’t want to right now. Purchasing a server with a bunch of hard drives is good enough for most small doctors’ offices. It could be very beneficial for very large offices that need to maintain 24 x 7 uptime and/or store a whole lot of data. A server these days can only reach about 1.8 Terabytes of data (6-300 gig hard drives). SANs can easily hit 7 Terabytes of data (and plenty more if you have the $$).
Sure, you can hook up a nice SCSI shelf to increase the number of drives on a server, but then you get much slower response reading the drive through the SCSI connection. Often they use the term “High Availability” when they talk about the speed with which you can access data on a SAN. Besides storage space, the speed with which you can access a large amount of data is what sets SANs apart from just a bunch of drives.
There are some other real nice features with SANs, but these are the main ones in my mind. As they get cheaper and EMR databases get bigger I see them becoming a larger part of an EMR system. Until then, no need to worry about SANs with your EMR.
As far as “Why do they call it a “Storage Network” instead of just “storage”?”
I think the terminology “network” is applied because you are connected to the SAN(or storage) using fiber optics and you go through a fiber switch to enable fast access to the drives.
April 20, 2006
EMR Addiction – Where’s EMR Anonymous?
Written by: John
Right now I’m feeling quite overwhelmed. If it weren’t for this boring class I’m in I probably wouldn’t have time to even post to my blog. I’ve been participating in the HIT Blogposium, in which I haven’t been able to participate as much as I’d like. I’ve tried to keep up on my own EMR blog and my EMR and biometrics article. It’s been a fun experience participating in the blogposium experience. I’ve learned some very interesting things during the collaboration and hope they do it again when I have more time.
My EMR addiction has also left me in a vulnerable position because a local doctor has asked me for some help in choosing an EMR and more importantly ordering all the equipment that he needs to purchase to start a brand new office. It’s quite overwhelming even though I love EMR and helping him. I just wish he and I had more time to think through all the options. Weighing the I need it now with I want it done right is a real challenge. At least he’s selected an EMR and I think we have all the most important equipment ordered. We’ll see how good my off the cuff suggestions end up.
This EMR (and probably blogging) addiction has also really gotten in the way of a business plan that I submitted to a contest. My idea is pretty good and looks even better on paper and has nothing to do with EMR. I’m one of 6 finalists and I present on Wednesday. I’m pretty overwhelmed since a 20 minute presentation will determine a large difference in cash prizes. I’m stuck. Work on my blog and EMR which I love or polish my business plan. Unfortunately, I can’t work one dimensional. My mother always told me, “You can’t do everything.” I always replied, “You’re right…but I’m sure going to try.”
And of course, outside this EMR addiction my wife and son like to see me too. Imagine that! Besides me being stressed I think I’ve done a good job shielding my family from all that I’m trying to do. Sometimes I fail, but overall I think it’s not affecting my time with my family since I do most of it in boring classes or late at night. Family’s really what’s most important anyway. Maybe I just need to get my wife interested in EMR and blogging.
April 17, 2006
Healthcare IT Blogposium Starts Tomorrow
Written by: John
I initially announced the Healthcare IT Blogposium for April 18-19. It was since expanded a day to April 20th. I’m very excited to participate. This does mean that over the next few days I will just be posting and updating my posts for the blogposium. I think the good part is that it should have a group of Healthcare IT bloggers coming to my site to post comments on my post. I’ve chosen EMR and Biometrics Integrations. Should be fitting considering my recent rash of biometrics posts. I think it is also beneficial to put my previous posts into a nice document to contribute to the Clinical Wiki.
You can see all the contributors that have signed up at the Blogposium sign up page. Looks like there should be some interesting posts.
FOR ALL LURKERS – I love that you are reading my blog, but get out of the box and post some comments tomorrow on my biometrics article. Your feedback, ideas and criticism will certainly make it much better than what I could contribute alone. Don’t worry, you don’t have to register or give out any private information. You won’t get more spam if you participate. I will love you forever though.
April 10, 2006
Kiosk Inputting into an EMR
Written by: John
We go to the bank and use an ATM to get cash or make a deposit. We arrive at the airport and check in for our flight using a kiosk. But we go to our doctor or local hospital and we get a clipboard, pencil, and several pages of forms to fill out. Worse yet, we move to a different department in the same institution and it’s likely we’ll be asked to fill those forms all over again. It doesn’t have to be that way.
-How Progressive Healthcare Organizations Are Using Patient Self-Service Kiosks and Devices
Amen!!
We are doing this with the patient health history and it is great. There are still some major enhancements that need to be made in how that data becomes part of the patient’s medical record, but it is so much better than paper. I think we’re getting close to having the signature done at the kiosk. The technology is there. Kiosk check-in really revolutionizes what happens at patient check in. The next step for us is to be able to check in patients at the kiosk without going to the front desk. In fact, once the magnetic card readers are here, patients will be able to check in with the swipe of their ID card.
April 5, 2006
American Medical Association and Research Papers Cast Doubt on EMR Effectiveness
Written by: John
The New York Times had a recent article that cast some needed reality on what could still happen even with an EMR system. I think it is good to offer a nice dose of reality to those wanting to implement an EMR. EMR consultants will often tell you that you can make more money, treat patients more effectively and have it brew your coffee. While this can be the case (except for probably the coffee), there are always two possible outcomes for every decision. EMR is a complex decision that depends on thousands of factors. Miss an important one and you might be in trouble. Ok, now I’ll get off my EMR selection bandwagon.
The research and AMA editorial really puts an interesting perspective on how an EMR can cause bad side effects. A few examples they use are the number of screens needed to get to a prescription, the small print used for names, and system outages. I can see how these things could be concerns. However, there are solutions to these problems. The success or failure of an EMR system is more a matter of perspective than anything else. I personally feel that my implementation of an EMR system is somewhat of a failure because it doesn’t solve ALL of a clinic’s problems. The other day someone was touring our facility and they asked the Health Center director her opinion on the implementation of the EMR. She was very satisfied and very happy with EMR. That made me feel really good. I guess I can look at the EMR and know we are doing our very best with what I was given. How satisfying is that? Fantastic!!
Moral of the Story: Don’t be naive that ALL problems will be solved and an EMR won’t cause any new problems. Progress is defined as solving more problems than you create.
April 3, 2006
Biometric Facial Recognition for Continuous Computer Access Control and Authentication
Written by: John
- Biometrics
- College Health
- Electronic Medical Record
- EMR
- EMR Security
- EMR Technology
- HealthCare IT
- HIPAA General
- Medical Privacy
- Security Rule


I briefly mentioned Face Authentication in a previous post. As a result of that post the vendor from Sensible Vision contacted me and got me a demo model right away. I must admit that their service was impeccable. All the way up the scale I’ve been impressed with the company and all I did was a demo.
Today they issued pricing on their FastAccess product that is very reasonable compared to other biometric devices. I’ve attached the release below and here’s a short review of the product with certainly more details to come as I continue to use it.
Setup
Setting up the FastAccess was a piece of cake. I got the box with only 15 minutes before I had to be somewhere. I unboxed the product, read the instructions (yes I always feel I must read the instructions on new products) and installed it on my computer. In 15 minutes I had it recognize my face and automatically log me in. The other nice part is that the setup was really nothing but plugging the camera in and running the CD install file. On restart it starts learning who you are when you log in. Couldn’t have been simpler. I repeated this process on my laptop so I could show my wife and had it set up in 5 minutes (booting my computer took longer than setup).
Facial Recognition/Training
Training facial recognition is much different than other biometrics. Fingerprint biometrics requires you to “train” it to know your fingerprint. Facial recognition (at least with FastAccess) is continually updating every time you log in. In fact, it stores 90-100 different biometric “faces” that identify you. The biggest fault with this model is that initially the recognition is poorer than fingerprint recognition. However, with time I’ve seen that it actually is more reliable and recognizes you quicker than fingerprint. Not to mention it recognizes you just coming into view. No need to reach and hold your finger or eye to something. The lazy part of me loves that.
Active Directory Integration
FastAccess has very nice integration with Active Directory. The best part is that they have two methods of implementing Active Directory integration. First, they can extend the Active Directory schema. While this is a common practice, it is difficult to convince my system administrator to do since it can’t be rolled back if we decide we don’t want to do it anymore. Second, FastAccess can be implemented using existing Active Directory fields. This means that you can test the Active Directory implementation without extending the schema. I plan on doing this in the near future and you can expect a review of it soon.
Strong Audit Controls
Looking over the audit logs they are pretty standard for what you would need to satisfy HIPAA. Having Active Directory manage this type of audit control would be key to me.
Continuous Security
The biggest advantage to facial recognition is that it is continuously verifying your access. My biggest problem with fingerprint biometrics had to do with not having a way to easily lock the workstation. Facial recognition biometrics is constantly monitoring to see you are the authorized person. If you leave then it locks the computer. This really changes the way you deal with authentication since it can create a true single sign on.
Security Screen Capture
This idea is ingenious. Since you have a camera you might as well capture a picture of the person that was signed on to a machine. Imagine them saying they didn’t log in and you can show them the picture taken when they did log in. Fantastic!! There is also talk of using this technology as a digital signature. I’d love that with my EMR.
Pictures and Twins
I tried to see what I could do to fool the camera and nothing really worked. I imagine this is theoretically possible, but it would have to be a picture in the exact same place as the biometric match. FastAccess tells me that they add in environmental variables(such as light) which makes it much more difficult to fool. So far so good. The idea of twins is addressed in the documentation. I’ll be testing it on my wife and her twin sister to see how that goes. Sometimes it freaks me out how much they look alike.
Accuracy
In an EMR or healthcare environment FastAccess has designed it properly. Sometimes it didn’t recognize me and so it required me to enter my password and then after logging in, it stores another biometric image. While this could be annoying to some doctors, I see this as an essential key to proper authentication.
Instant Desktop Switching
This seems like it is a somewhat new module being developed by Sensible Vision. The idea is that multiple people can log in to the same account and have a different desktop. This currently works especially well with Internet Explorer and a few other selected applications. I imagine this list will grow over time. They offered to make it work for my favorite apps. One interesting note is that they have it working for Cerner’s EMR. I’ll be having them develop it for Medicat EMR (my EMR).
Random Points
Since FastAccess is constantly checking for facial recognition, when you answer the phone that changes what your face looks like. This isn’t really a problem since they store 90-100 different biometric “prints”. You just have to “train” it to know what you look like with a phone in hand.
One nice feature is that you can turn off continuous facial recognition when you have a presentation. It lets you disable the recognition for a specified period of time. It also recognizes any keyboard or mouse input and disables locking when it sees either.
Here’s the Press Release:
Sensible Vision Innovates Biometric Facial Recognition for Continuous Computer Access Control and Authentication
FastAccess Virtually Eliminates Passwords, Makes Computer Easier to Use and Ensures Privacy Compliance and Identity Management
Introductory Pricing of $99 per Desktop License
Covert, Michigan, April 3, 2006 – Sensible Vision, an innovator of continuous authentication solutions, today revolutionized computer access control and authentication by replacing a user’s password with their face. Sensible Vision’s FastAccess™ is a powerful yet simple solution that uses patent-pending biometric facial recognition to automatically and continuously authenticate user log-in and instantly secure the computer when the user leaves. This virtually eliminates login passwords, makes the computer significantly more secure and easier to use, and strengthens access control auditing for privacy and identity management policies.
“Because a person’s face is unique and always with them, it is ultimately the ideal password and the best way of continuously ensuring who is accessing the computer,” said George Brostoff, CEO of Sensible Vision. “This is a new paradigm for secure and simplified computer access that goes well beyond initial log-in and inactivity timers. FastAccess identifies and authenticates users in less time than it takes to enter a password and knows the second they leave their computers. These breakthroughs make it a simple, secure and low-cost approach for securing the computer and network.”


