IT in Practice, A Jumpstart! Alex Phillips, MCSE, CCNP, OMSIII Lincoln Memorial University DeBusk College of Osteopathic Medicine [email protected].

IT in Practice, A Jumpstart!Alex Phillips, MCSE, CCNP, OMSIII

Lincoln Memorial UniversityDeBusk College of Osteopathic Medicine

[email protected]

American Osteopathic Association of Medical Informatics

My Background• A decade of experience in designing, building, securing and support of

production networks in the Healthcare, Education, and Financial Sectors

• Previous Employers/Contracts:• SDS (Danaher): Systems Engineer / Project Manager/ Disaster Recovery

Officer (DRO) for Sites in Australia, Japan, Mexico and Europe and Corporate office in Orange, CA

• University of California at Irvine• UCI HealthSystems: Business Systems Analyst• UCI School of Medicine: Director of Medical Academic Computing

• University of California at Los Angeles• UCLA School of Medicine: Bioinformatics support for Ambulatory Care

Research • Citibank: Datacenter Operations Engineer / Y2K Audit Team• Ameriquest Mortgage: Network Engineer/Project Manager/ DRO / Security Audit

(Sarbanes-Oxley) Team• Argent Mortgage: Lead Network Engineer/ DRO / Security Audit (Sarbanes-

Oxley) Team• IndyMac (OneWest) Bank: Senior Systems Analyst / Shift Lead

Allscripts Electronic Health Records Stimulus Tour Partners:

• Microsoft: The server standard that most EMR systems will be built upon

– Earned Microsoft Certified Systems Engineer (MCSE’s) in Windows NT and Windows 2000 and was a trainer for that program for 3 years

• Cisco: The leading vendor of computer networking equipment

– Earned Cisco Certified Networking Associate (CCNA,) then Cisco Certified Networking Professional (CCNP) and have built and supported Cisco networks in many Fortune 100 companies

• Dell: One of the major server, desktop and laptop vendors in the industry

– Designed, built and supported equipment from most of their server, desktop and laptop product lines

• Citrix: The leader in remote deployment of applications across the country

– Certified (CCA) and experienced in large deployments of “Thin Clients” with connectivity back to the main server many miles away

Goals• NOT to make an engineer or programmer out of you!• Offer my experience and share IT Best Practices to help

avoid common pitfalls in implementation and audits• Prepare you for discussions with vendors you will partner

up with to build and support your office network• Discuss components of your office network

• Hardware: Network devices, Servers, Backup and Cooling

• Software: Choices and Licensing

• Disaster Recovery

• Introduce you to Electronic Medical Records with the first step being E-Prescribing through the SureScripts network

Network Requirements• Desktops Needing Wired Connections:

Doctors’ Office and Reception Areas• A “Full Complement” per every 2 devices

• (2) RJ45 CAT6 Ethernet ports to plug computers or printers into• (2) RJ45 CAT6 Ethernet ports used for Analog phones/fax machines (RJ11

adapters) or IP Telephones with full CAT6 Connectors

• Cabling run up the wall, through the ceiling to your Main Data Frame (MDF) where all of your network equipment will be stored

• All MDF connections run through proper cable management into the network switches

Audit Note: The door to the MDF must be closed and locked at all times per HIPPA

Network Requirements• Wireless Desktop

Connections: Exam Rooms• Use the same Brand and

model of wireless card in all PCs so you can quickly spot intruders

• Keep all desktops on the same driver revision for the wireless card

• Wireless Intercom system for STAT requests to nursing station

Network Requirements• Wireless Desktop Connections:

Exam Rooms, contd.• Security Configurations

– Use WPA2/AES (PSK2) Enterprise to encrypt it

– Key Exchange every 7 hours

– Don’t broadcast your SSID

– NO WEP EVER!

Network Requirements• Optional Wireless Connections: Waiting Area

• Have a separate Wireless Internet connection for guests that is isolated from your office network

• Have a cheap cable modem or DSL connection connected to a consumer-grade wireless router

– Example: Linksys WRTSL-54GS– Best processor, memory and wireless

speed for your patients• Still secure with WPA+TKIP (PSK) but

your patients don’t have to download special WPA2 drivers from Microsoft to get onto this network-NO WEP EVER!

• Change the password monthly and have it available at reception

Network Requirements

• Restroom?

Network Requirements, contd.• Switch

– Main component that all computers, servers and network connections outside the office are made through

– Usually 24 or 48 “client” ports per switch, 1 device per port– Laser or 1000 Mb Ethernet ports to connect to other

switches– Cisco example: 2960 Intelligent Ethernet Switch ($1600)

• 48 Ethernet (RJ45) Ports with Power over Ethernet (POE)• 2 Fiber or 1000 Base-T ports to connect to other equipment

– Advice: Buy 2 from your vendor and have a fully configured standby and pay for the cheaper support plan from the equipment maker: i.e. 8AM-5PM, Next Business Day

Network Requirements, contd.• Firewall

• Protects your internal network from the outside world

• One connection to your switch (internal) and one connection to your router (outside)

• Audit Note: A physical and logical separation of your network from the outside world will be required

• Advice: Purchase a router with integrated security features and purchase the highest level of support for it, i.e. 4 hour SLA at 24/7 support

Network Requirements, contd.• Routers

• TWO routers needed for TWO main connections

• YOUR router for the connection to your internal network, to the switch

• Internet Service Provider (ISP) Router Connection to the Internet

ISP

Practice Router

Network Requirements, contd.• Routers

– YOUR Router • Your router will be owned

and managed by you and your IT support

• Will be your controlled entry point into your network

• Will have firewall features integrated to reduce the cost of implementing and supporting a separate firewall

• Will incorporate Wireless Access (802.1 a, b, g) managed securely

• Offer secure remote Virtual Private Networking (VPN) Connections to your office

• (Optional) Offer Integrated PBX phone system support for IP Telephony

Practice Router

Network Requirements, contd.– Cisco Router Example: 1841 Modular Router with

“Security, IP Base” Feature Set ($3000):• Up to T1 (1.5 Mb) speeds • Up to four 10/100 Mbps built-in switch ports • Up to 800 Virtual Private Networking (VPN) tunnels • Support for wireless local-area network (LAN) standards

802.11a/b/g – Meets Design Requirements

• (1) Ethernet port to ISP Router• (1) Ethernet port to switch• (1) Cable/DSL Module or Ethernet Connection

– to possible 2nd ISP (Cable Modem) as backup• Wireless LAN 802.11a/b/g support

– Office Telephony Integration will require the 1861 Router Series ($5000) and IP Telephones ($400+ each)

Network Requirements, contd.• Routers

– Audit Note: A network redundancy plan with Service Level Agreements (SLA) for the hardware and ISP that connect you to the E-Prescribing system and the Internet will be required

– Advice: • Buy an Integrated Services Router that will offer your

office – Connectivity to outside networks– Protection from outside threats through an embedded

firewall feature set– Managed Wireless integration into your network

• Purchase the highest level of support for it, i.e. 4 hour SLA at 24/7/365 coverage

• Lease the Internet Router from ISP– All Hardware and Software will be covered under an (SLA)

that is usually 4 – 8 hours of Time to Service Restoration

IT Room (MDF)• Equipment Rack:

– Network Equipment at top• Router at the top• Switch below with network

cabling routed to it– Servers– Uninterruptable Power Supply

(UPS) • Mounted at least 4 inches

above the floor• You will need to have an

electrician install higher amperage electrical cabling to plug the UPS into

• Setup power management software to shut down servers automatically

• Audit Note: The door to the MDF must be closed and locked at all times per HIPPA

IT Room (MDF), contd.• Environmental Controls:

– Dedicated cooling• Routed through it’s own conduit in

the ceiling• Upgrade current HVAC system or

install a dedicated one in the office– Dedicated fire suppression and

notification• Dry fire-suppression system

prevents damage to equipment – Inergen– FM-200

• NO WATER EVER!• Connected to building fire alarm

system– Audit Note: Your office manager

and the on call physician contact information needs to be listed as contacts for the burglar and alarm monitoring systems

Server Hardware• Best Practices:

– Hard drives:• 15000 RPM drives help keep graphics files moving

quickly• RAID 5: High performance way that a group of hard

drives work together to protect you from data loss– Memory

• ECC RAM: Error Correction Memory for high processing servers

• At least 4GB is recommended for most applications– Processor: Intel Xeon

• Advice: When selecting any of the parts (drives, memory, CPU,) look for the obvious price break, and select the parts just below it

Server Hardware, contd.• Server Examples: ($6000 to $8000 each, fully

configured)– HP ProLiant DL385 G5 Server

• Industry Standard System• Setup and troubleshooting: SmartStart• Remote Administration: Insight Manager

– Dell PowerEdge R710• Good if you already have Dell equipment in your

current network• Setup and troubleshooting: Dell Systems Build and

Update Utility (SBUU)• Remote Administration: Dell OpenManage

Server Hardware, contd.• Tape Backup

• Protect your patient data in the event of an equipment failure or office disaster

• LTO-4-120 800/1600 GB tapes are the current standard

• Buy from the same manufacturer as the server systems you buy ($2500-3000)

• HP: 1/8 Ultrium 960 Tape Autoloader• Dell: PowerVault 124T LTO-4

• Rackmount kits remove clutter

Server Hardware, contd.• Support for Servers

• Record and scan in all model/serial numbers and a picture of your network setup and have it filed where it’s accessible

• Have contact information for all vendors in a centrally stored spreadsheet

• Have all equipment support contracts be co-terminus and managed by one vendor

• Have at least one spare part for hard drives and network cards

Server Software• Industry Standard: Windows Server 2003 or above– Small Office System 2003, Premium:

• Adds MS Exchange for email and SQL Database server if you have more than 10 employees

• You should license by connection for every employee you think may be connecting to the system at the same time

• Use Outlook Web Access in the practice to access email so that users can get into the server from any web browser

Server Software, contd.• Antivirus/Malware: Trend Micro Worry Free Security;

Advanced Server• Antivirus for your servers, desktops, email and wireless

systems

• Practice-wide management from one console

• Minimal ongoing administration

Disaster Recovery• Audit Note: A thorough and properly tested Disaster

Recovery Plan will be required• Advice: Plan should include:

– Auditing and Accountability: At least two named Disaster Recovery Officers (DRO) for the practice, at least one named staff liaison per site

– Server failure: at least 2 servers with overlapping network and domain functions that fail-over to the other should the need arise

– Service Restoration:• Contracted consultants with a block of hours and a Service

Level Agreement for turnaround time• Facility to see patients in if your primary one is compromised• Automatic phone system failover to second office or

answering service with a dedicated person until you can failback to the primary one

Disaster Recovery, contd.• Plan, contd.

• Off-site Data Storage: Storage of important documents and backup tapes in case of the loss of an entire site’s data/equipment

• Best choice: Iron Mountain pickup and on-call delivery• Tapes from one office sent to another office by courier• Bank vault that an office manager makes deliveries and

pickups from

Practice Optimization• Office Computers

– Backup critical staff PCs at least weekly– Have a default “image” of the desktops and laptops ready so you

can quickly bring them back up if their hard drives fail– Ghost– Altiris

– Use Windows XP for the desktop Operating System and set for automatic patch updates

– Use Microsoft Office for your Physicians, Billing and Accounting staff only ($700) and Star Office (Under $50 per PC from www.sun.com) for every other PC.

Practice Optimization, contd.• Dictation

• Digital recorders with USB, Olympus is the standard

• Plug in to PC and AS-5000 Software routes the dictations wherever they need to go

• Route to Dragon Naturally Speaking, Physician edition

• The preliminary transcription can go into the patient record immediately as a draft

Practice Optimization, contd.• Dictation, contd.

• Add a Medical terms “.dic” file to MS Word on the dictation/transcription workstation(s)to build in the most common words

• http://www.ptcentral.com/university/medterms_zip.html• http://mtherald.com/free-medical-spell-checker-for-microsoft-

word-custom-dictionary

• Your dictation is spell-checked against these medical dictionaries that are now on ICD-10 standards FOR FREE!

• The software does the majority of transcription and correction for you, so your costs are reduced.

Practice Optimization, contd.• Dictation Results

• Have a private area, hosted by either party or a 3rd party for uploading dictation files and downloading laboratory and pathology results

• Have an Input and Output folder for each day with a manifest of dictations done, and corresponding audio files

• That same manifest should be sent back from dictation with a file in MS Word 2003 format

Practice Optimization, contd.• Laboratory and Pathology Results

• Results should also be available electronically

• A hosted site for delivery would be the best, site administrators have passphrases for the sites• Passwords like “password” are insecure• Passphrases like “ibetiknowyourpassword” are just as easy

to remember but much more secure

• Fax is always a backup, have name, telephone and fax information for each vendor posted in several locations

Practice Optimization, contd.• Outside Vendors

• The main goal is to be able to have 3 files immediately available from any office:

• Dictation of last visit• Laboratory results• Pathology results

Practice Optimization, contd.• Worst case scenario: No chart available when on call

• Visit a place with Internet access or start up your laptop with a Wireless card

• Get to those 3 files

• Review all of the latest information needed

• Call back an educated opinion on what your plan of care is

• Also great for providers working in multiple offices

Time-Out!• Network Requirements

– Devices at the desktop– Switches and secured Routers

• IT Room (MDF)– Equipment Rack– Environmental Controls– Server Hardware– Server Software

• Disaster Recovery• Practice Optimization

Practice Electronic Records• EMR and E-Prescribing System Selection Goals

• Get a new Certification Commission for Health Information Technology (CCHIT) certified system deployed

• Get access to the national SureScripts E-Prescription network

• Quickly pass as many prescriptions through this system to qualify for “meaningful use” under American Recovery and Reinvestment Act (ARRA) incentive guidelines

Practice Electronic Records, contd.• Choosing your system

– Implementing any system will be a learning process requiring proper preparation, training and ongoing support

– Core SureScripts Services– Rx Benefit: eligibility, benefits and formulary information– Rx History: prescription history information across providers– Rx Routing: secure computer-to-computer exchange of

prescriptions between prescribers and pharmacies

– Buyer’s guide available at www.surescripts.net for systems that are certified to attach to the national prescription management system

Advice: More than 40 different software vendors– Focus on vendors that have Platinum or Gold Level Status

because they have the proper experience and resources to support your software

Practice Electronic Records, contd.• Top Certified Solution Providers

• SureScripts Platinum Solution Providers:

• NextGen EHR, RxNT

• SureScripts Gold Solution Providers:

• Allscripts ePrescribe,  Axolotl Elysium,  DrFirst Rcopia, eClinicalWorks, GE/Kryptiq Centricity, NewCrop.

• Try to sample as many of these systems as you can and make sure to involve other providers and office staff in the evaluation process

Practice Electronic Records, contd.• Transition Period: Scan Everything!

• Purchase several scanners and dedicate PC workstations to them• Install Adobe Acrobat Standard to scan documents into PDF format• Have a rotating group of people scanning the documents• Consider contracting with a staffing agency for some medical office

assistants that are technology savvy to be dedicated to this project for the bulk of the work

Practice Electronic Records, contd.• Before EMR is fully implemented

• Document Organization: Binary Large Object (BLOB)• Build folders with Medical Record Numbers (MR) on them on a

server and have all patient records scanned into those folders with subfolders based upon date

• When the EMR is implemented, these documents (BLOBs) can be imported into the patient’s electronic record since it is already sorted by the MR number and date of service

• Any paperwork that providers still prefer to use while getting used to using a tablet PC or laptop will continue to be scanned and added to the patient’s record

Practice Electronic Records, contd.• Before EMR is fully implemented

• Prescription printing: • Tamper proof paper with printing allowed from doctor’s

accounts only for that tray• Prescription Paper MUST BE SHIPPED to the License

address or the address on file with the DEA.• All scheduled drug security restrictions still apply; crossing

out RX date and post-dating prescriptions is not 100% guaranteed to be in compliance

• http://www.cpsintlinc.com/hospital-supplies/tamper-resistant-rx-paper.html

• http://www.rxpaper.com

Practice Electronic Records, contd.• Before EMR is fully implemented

• MOST CRITICAL: Practice Training• Project Champions: Select key office staff and providers that

have a technical background and send them for focused training

• Have system training incorporated as a part of normal, mandatory staff meetings

• Have a message board or email account set up for questions which an office staff member can compile, have a first try at answering

Practice Electronic Records, contd.• EMR Implemented:

• Make time in staff meetings for EMR concerns and address them promptly

• Have regular meetings with Project Champions to review results

• Triage current issues and propose solutions

• Discuss next phases for implementation (i.e. expansion modules)

• Conference calls with your IT Partner• At least once a week for the first four weeks after the system goes “live”

• Relay staff questions and concerns

• Follow up on support cases still outstanding

Next Step in Management…• Remote Access

• Virtual Private Network (VPN) access to your office

• Citrix MetaFrame remote access to EMR

• RSA SecurID Two-Factor Authentication

• Data Backup:

• Vaulting of tape system

• Storage Area Network (SAN) integration

• Security

• Best Practices

• Surviving an audit

• ANY QUESTIONS?

References• www.microsoft.com• www.cisco.com• www.dell.com• www.ironmountain.com• www.trendmicro.com• www.sun.com/software/staroffice/index.jsp• www.rxpaper.com• www.olympus.com• www.dragon-medical-transcription.com• www.rsa.com