IT in Practice, A Jumpstart!
Alex Phillips, MCSE, CCNP, OMSIII
Lincoln Memorial University, DeBusk College of Osteopathic Medicine
American Osteopathic Association of Medical Informatics
Dec 22, 2015
My Background
• A decade of experience in designing, building, securing and supporting production networks in the Healthcare, Education, and Financial Sectors
• Previous Employers/Contracts:
• SDS (Danaher): Systems Engineer / Project Manager / Disaster Recovery Officer (DRO) for Sites in Australia, Japan, Mexico and Europe and Corporate office in Orange, CA
• University of California at Irvine
• UCI HealthSystems: Business Systems Analyst
• UCI School of Medicine: Director of Medical Academic Computing
• University of California at Los Angeles
• UCLA School of Medicine: Bioinformatics support for Ambulatory Care Research
• Citibank: Datacenter Operations Engineer / Y2K Audit Team
• Ameriquest Mortgage: Network Engineer / Project Manager / DRO / Security Audit (Sarbanes-Oxley) Team
• Argent Mortgage: Lead Network Engineer / DRO / Security Audit (Sarbanes-Oxley) Team
• IndyMac (OneWest) Bank: Senior Systems Analyst / Shift Lead
Allscripts Electronic Health Records Stimulus Tour Partners:
• Microsoft: The server standard that most EMR systems will be built upon
– Earned Microsoft Certified Systems Engineer (MCSE’s) in Windows NT and Windows 2000 and was a trainer for that program for 3 years
• Cisco: The leading vendor of computer networking equipment
– Earned Cisco Certified Networking Associate (CCNA), then Cisco Certified Networking Professional (CCNP), and have built and supported Cisco networks in many Fortune 100 companies
• Dell: One of the major server, desktop and laptop vendors in the industry
– Designed, built and supported equipment from most of their server, desktop and laptop product lines
• Citrix: The leader in remote deployment of applications across the country
– Certified (CCA) and experienced in large deployments of “Thin Clients” with connectivity back to the main server many miles away
Goals
• NOT to make an engineer or programmer out of you!
• Offer my experience and share IT Best Practices to help avoid common pitfalls in implementation and audits
• Prepare you for discussions with vendors you will partner up with to build and support your office network
• Discuss components of your office network
• Hardware: Network devices, Servers, Backup and Cooling
• Software: Choices and Licensing
• Disaster Recovery
• Introduce you to Electronic Medical Records with the first step being E-Prescribing through the SureScripts network
Network Requirements
• Desktops Needing Wired Connections: Doctors’ Office and Reception Areas
• A “Full Complement” per every 2 devices
• (2) RJ45 CAT6 Ethernet ports to plug computers or printers into
• (2) RJ45 CAT6 Ethernet ports used for Analog phones/fax machines (RJ11 adapters) or IP Telephones with full CAT6 Connectors
• Cabling run up the wall, through the ceiling to your Main Data Frame (MDF) where all of your network equipment will be stored
• All MDF connections run through proper cable management into the network switches
Audit Note: The door to the MDF must be closed and locked at all times per HIPAA
Network Requirements
• Wireless Desktop Connections: Exam Rooms
• Use the same brand and model of wireless card in all PCs so you can quickly spot intruders
• Keep all desktops on the same driver revision for the wireless card
• Wireless Intercom system for STAT requests to nursing station
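The same-brand-and-model rule above turns into a simple check on access point association records, sketched here as an added example that is not part of the original slides. The vendor prefix, asset list, MAC addresses and log format are all constructed, and because a MAC address can be cloned this is a tripwire for review, not an access control.

```python
# Added example: audit AP association records against the practice's
# standard wireless card. All MACs, the OUI and the log format are constructed.
import re

STANDARD_OUI = "00:11:22"  # constructed placeholder for the chosen card's vendor prefix
INVENTORY = {              # constructed asset list: MAC -> exam-room PC
    "00:11:22:aa:00:01": "exam-1",
    "00:11:22:aa:00:02": "exam-2",
}
ASSOC_LOG = """\
2015-12-22 08:01:12 ap1 assoc client=00:11:22:AA:00:01 ssid=clinic
2015-12-22 08:03:40 ap1 assoc client=00-11-22-AA-00-02 ssid=clinic
2015-12-22 09:15:02 ap1 assoc client=00:AA:BB:10:20:30 ssid=clinic
2015-12-22 09:47:31 ap1 assoc client=00:11:22:AA:00:99 ssid=clinic
2015-12-22 10:05:19 ap1 assoc client=DA:A1:19:00:00:07 ssid=clinic
2015-12-22 10:06:00 ap1 deauth reason=3
"""
MAC_RE = re.compile(r"client=((?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})\b")


def normalize(mac):
    """Lower-case, colon-separated form so log and inventory values compare equal."""
    return mac.lower().replace("-", ":")


def classify(mac, standard_oui, inventory):
    """Return None for an expected client, otherwise the reason it stands out."""
    if int(mac[:2], 16) & 0x02:  # locally administered bit: not a burned-in address
        return "locally-administered"
    if not mac.startswith(standard_oui.lower() + ":"):
        return "foreign-vendor"
    if mac not in inventory:
        return "not-in-inventory"
    return None


def audit(log_text, standard_oui=STANDARD_OUI, inventory=INVENTORY):
    """Map each unexpected client MAC to the first reason it was flagged."""
    findings = {}
    for line in log_text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue  # not an association record
        mac = normalize(m.group(1))
        reason = classify(mac, standard_oui, inventory)
        if reason:
            findings.setdefault(mac, reason)
    return findings


if __name__ == "__main__":
    for mac, reason in audit(ASSOC_LOG).items():
        print(f"{mac}  {reason}")
```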
Network Requirements
• Wireless Desktop Connections: Exam Rooms, contd.
• Security Configurations
– Use WPA2/AES (PSK2) Enterprise to encrypt it
– Key Exchange every 7 hours
– Don’t broadcast your SSID
– NO WEP EVER!
Network Requirements
• Optional Wireless Connections: Waiting Area
• Have a separate Wireless Internet connection for guests that is isolated from your office network
• Have a cheap cable modem or DSL connection connected to a consumer-grade wireless router
– Example: Linksys WRTSL-54GS
– Best processor, memory and wireless speed for your patients
• Still secure with WPA+TKIP (PSK) but your patients don’t have to download special WPA2 drivers from Microsoft to get onto this network
– NO WEP EVER!
• Change the password monthly and have it available at reception
Network Requirements, contd.
• Switch
– Main component that all computers, servers and network connections outside the office are made through
– Usually 24 or 48 “client” ports per switch, 1 device per port
– Laser or 1000 Mb Ethernet ports to connect to other switches
– Cisco example: 2960 Intelligent Ethernet Switch ($1600)
• 48 Ethernet (RJ45) Ports with Power over Ethernet (POE)
• 2 Fiber or 1000 Base-T ports to connect to other equipment
– Advice: Buy 2 from your vendor and have a fully configured standby and pay for the cheaper support plan from the equipment maker: i.e. 8AM-5PM, Next Business Day
Network Requirements, contd.
• Firewall
• Protects your internal network from the outside world
• One connection to your switch (internal) and one connection to your router (outside)
• Audit Note: A physical and logical separation of your network from the outside world will be required
• Advice: Purchase a router with integrated security features and purchase the highest level of support for it, i.e. 4 hour SLA at 24/7 support
Network Requirements, contd.
• Routers
• TWO routers needed for TWO main connections
• YOUR router for the connection to your internal network, to the switch
• Internet Service Provider (ISP) Router Connection to the Internet
[Diagram: ISP and Practice Router]
Network Requirements, contd.
• Routers
– YOUR Router
• Your router will be owned and managed by you and your IT support
• Will be your controlled entry point into your network
• Will have firewall features integrated to reduce the cost of implementing and supporting a separate firewall
• Will incorporate Wireless Access (802.11 a, b, g) managed securely
• Offer secure remote Virtual Private Networking (VPN) Connections to your office
• (Optional) Offer Integrated PBX phone system support for IP Telephony
[Diagram: Practice Router]
Network Requirements, contd.
– Cisco Router Example: 1841 Modular Router with “Security, IP Base” Feature Set ($3000):
• Up to T1 (1.5 Mb) speeds
• Up to four 10/100 Mbps built-in switch ports
• Up to 800 Virtual Private Networking (VPN) tunnels
• Support for wireless local-area network (LAN) standards 802.11a/b/g
– Meets Design Requirements
• (1) Ethernet port to ISP Router
• (1) Ethernet port to switch
• (1) Cable/DSL Module or Ethernet Connection
– to possible 2nd ISP (Cable Modem) as backup
• Wireless LAN 802.11a/b/g support
– Office Telephony Integration will require the 1861 Router Series ($5000) and IP Telephones ($400+ each)
Network Requirements, contd.
• Routers
– Audit Note: A network redundancy plan with Service Level Agreements (SLA) for the hardware and ISP that connect you to the E-Prescribing system and the Internet will be required
– Advice:
• Buy an Integrated Services Router that will offer your office
– Connectivity to outside networks
– Protection from outside threats through an embedded firewall feature set
– Managed Wireless integration into your network
• Purchase the highest level of support for it, i.e. 4 hour SLA at 24/7/365 coverage
• Lease the Internet Router from ISP
– All Hardware and Software will be covered under an SLA that is usually 4 – 8 hours of Time to Service Restoration
IT Room (MDF)
• Equipment Rack:
– Network Equipment at top
• Router at the top
• Switch below with network cabling routed to it
– Servers
– Uninterruptible Power Supply (UPS)
• Mounted at least 4 inches above the floor
• You will need to have an electrician install higher amperage electrical cabling to plug the UPS into
• Set up power management software to shut down servers automatically
• Audit Note: The door to the MDF must be closed and locked at all times per HIPAA
IT Room (MDF), contd.
• Environmental Controls:
– Dedicated cooling
• Routed through its own conduit in the ceiling
• Upgrade current HVAC system or install a dedicated one in the office
– Dedicated fire suppression and notification
• Dry fire-suppression system prevents damage to equipment
– Inergen
– FM-200
• NO WATER EVER!
• Connected to building fire alarm system
– Audit Note: Your office manager and the on-call physician need to be listed as contacts for the burglar and alarm monitoring systems
Server Hardware
• Best Practices:
– Hard drives:
• 15000 RPM drives help keep graphics files moving quickly
• RAID 5: High performance way that a group of hard drives work together to protect you from data loss
– Memory
• ECC RAM: Error Correction Memory for high processing servers
• At least 4GB is recommended for most applications
– Processor: Intel Xeon
• Advice: When selecting any of the parts (drives, memory, CPU), look for the obvious price break, and select the parts just below it
Server Hardware, contd.
• Server Examples: ($6000 to $8000 each, fully configured)
– HP ProLiant DL385 G5 Server
• Industry Standard System
• Setup and troubleshooting: SmartStart
• Remote Administration: Insight Manager
– Dell PowerEdge R710
• Good if you already have Dell equipment in your current network
• Setup and troubleshooting: Dell Systems Build and Update Utility (SBUU)
• Remote Administration: Dell OpenManage
Server Hardware, contd.
• Tape Backup
• Protect your patient data in the event of an equipment failure or office disaster
• LTO-4-120 800/1600 GB tapes are the current standard
• Buy from the same manufacturer as the server systems you buy ($2500-3000)
• HP: 1/8 Ultrium 960 Tape Autoloader
• Dell: PowerVault 124T LTO-4
• Rackmount kits remove clutter
Server Hardware, contd.
• Support for Servers
• Record and scan in all model/serial numbers and a picture of your network setup and have it filed where it’s accessible
• Have contact information for all vendors in a centrally stored spreadsheet
• Have all equipment support contracts be coterminous and managed by one vendor
• Have at least one spare part for hard drives and network cards
Server Software
• Industry Standard: Windows Server 2003 or above
– Small Office System 2003, Premium:
• Adds MS Exchange for email and SQL Database server if you have more than 10 employees
• You should license by connection for every employee you think may be connecting to the system at the same time
• Use Outlook Web Access in the practice to access email so that users can get into the server from any web browser
Server Software, contd.
• Antivirus/Malware: Trend Micro Worry Free Security; Advanced Server
• Antivirus for your servers, desktops, email and wireless systems
• Practice-wide management from one console
• Minimal ongoing administration
Disaster Recovery
• Audit Note: A thorough and properly tested Disaster Recovery Plan will be required
• Advice: Plan should include:
– Auditing and Accountability: At least two named Disaster Recovery Officers (DRO) for the practice, at least one named staff liaison per site
– Server failure: at least 2 servers with overlapping network and domain functions that fail over to the other should the need arise
– Service Restoration:
• Contracted consultants with a block of hours and a Service Level Agreement for turnaround time
• Facility to see patients in if your primary one is compromised
• Automatic phone system failover to second office or answering service with a dedicated person until you can fail back to the primary one
Disaster Recovery, contd.
• Plan, contd.
• Off-site Data Storage: Storage of important documents and backup tapes in case of the loss of an entire site’s data/equipment
• Best choice: Iron Mountain pickup and on-call delivery
• Tapes from one office sent to another office by courier
• Bank vault that an office manager makes deliveries and pickups from
Practice Optimization
• Office Computers
– Back up critical staff PCs at least weekly
– Have a default “image” of the desktops and laptops ready so you can quickly bring them back up if their hard drives fail
– Ghost
– Altiris
– Use Windows XP for the desktop Operating System and set for automatic patch updates
– Use Microsoft Office for your Physicians, Billing and Accounting staff only ($700) and Star Office (Under $50 per PC from www.sun.com) for every other PC.
Practice Optimization, contd.
• Dictation
• Digital recorders with USB, Olympus is the standard
• Plug in to PC and AS-5000 Software routes the dictations wherever they need to go
• Route to Dragon Naturally Speaking, Physician edition
• The preliminary transcription can go into the patient record immediately as a draft
Practice Optimization, contd.
• Dictation, contd.
• Add a Medical terms “.dic” file to MS Word on the dictation/transcription workstation(s) to build in the most common words
• http://www.ptcentral.com/university/medterms_zip.html
• http://mtherald.com/free-medical-spell-checker-for-microsoft-word-custom-dictionary
• Your dictation is spell-checked against these medical dictionaries that are now on ICD-10 standards FOR FREE!
• The software does the majority of transcription and correction for you, so your costs are reduced.
Practice Optimization, contd.
• Dictation Results
• Have a private area, hosted by either party or a 3rd party for uploading dictation files and downloading laboratory and pathology results
• Have an Input and Output folder for each day with a manifest of dictations done, and corresponding audio files
• That same manifest should be sent back from dictation with a file in MS Word 2003 format
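The daily manifest described above is most useful when it can be checked mechanically on return. The following added example, which is not part of the original slides, records a SHA-256 hash per audio file and reconciles the returned manifest and Output folder against what was sent; the `.dss` audio extension, the manifest fields and the `dict-NNN` file names are assumptions, and the sample files are constructed.

```python
# Added example: reconcile a day's dictation Input/Output folders against the
# manifest. File names, the .dss extension and the manifest fields are assumptions.
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large audio files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(input_dir, audio_ext=".dss"):
    """One row per audio file in the day's Input folder."""
    return [{"id": p.stem, "audio": p.name, "sha256": sha256_file(p)}
            for p in sorted(Path(input_dir).glob(f"*{audio_ext}"))]


def reconcile(returned_manifest, input_dir, output_dir):
    """List (dictation id, problem) pairs between what was sent and what came back."""
    sent = {r["id"]: r for r in build_manifest(input_dir)}
    back = {r["id"]: r for r in returned_manifest}
    docs = {p.stem for p in Path(output_dir).glob("*.doc")}  # Word 2003 transcripts
    problems = [(d, "missing-from-returned-manifest") for d in sorted(sent.keys() - back.keys())]
    problems += [(d, "not-sent-by-practice") for d in sorted(back.keys() - sent.keys())]
    for d in sorted(sent.keys() & back.keys()):
        if sent[d]["sha256"] != back[d].get("sha256"):
            problems.append((d, "audio-hash-mismatch"))
        if d not in docs:
            problems.append((d, "no-transcript"))
    problems += [(d, "unexpected-transcript") for d in sorted(docs - sent.keys())]
    return problems


def demo():
    """Build constructed sample folders and return the problems found."""
    with tempfile.TemporaryDirectory() as tmp:
        inp, out = Path(tmp, "Input"), Path(tmp, "Output")
        inp.mkdir()
        out.mkdir()
        for d in ("dict-001", "dict-002", "dict-003"):
            (inp / f"{d}.dss").write_bytes(b"constructed audio " + d.encode())
        returned = build_manifest(inp)[:2]   # dict-003 dropped on the way back
        returned[1]["sha256"] = "0" * 64     # dict-002 row no longer matches the audio
        (out / "dict-001.doc").write_bytes(b"constructed transcript")
        (out / "dict-999.doc").write_bytes(b"constructed transcript")
        return reconcile(returned, inp, out)


if __name__ == "__main__":
    for item in demo():
        print(item)
```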
Practice Optimization, contd.
• Laboratory and Pathology Results
• Results should also be available electronically
• A hosted site for delivery would be the best; site administrators have passphrases for the sites
• Passwords like “password” are insecure
• Passphrases like “ibetiknowyourpassword” are just as easy to remember but much more secure
• Fax is always a backup, have name, telephone and fax information for each vendor posted in several locations
Practice Optimization, contd.
• Outside Vendors
• The main goal is to be able to have 3 files immediately available from any office:
• Dictation of last visit
• Laboratory results
• Pathology results
Practice Optimization, contd.
• Worst case scenario: No chart available when on call
• Visit a place with Internet access or start up your laptop with a Wireless card
• Get to those 3 files
• Review all of the latest information needed
• Call back an educated opinion on what your plan of care is
• Also great for providers working in multiple offices
Time-Out!
• Network Requirements
– Devices at the desktop
– Switches and secured Routers
• IT Room (MDF)
– Equipment Rack
– Environmental Controls
– Server Hardware
– Server Software
• Disaster Recovery
• Practice Optimization
Practice Electronic Records
• EMR and E-Prescribing System Selection Goals
• Get a new Certification Commission for Health Information Technology (CCHIT) certified system deployed
• Get access to the national SureScripts E-Prescription network
• Quickly pass as many prescriptions as possible through this system to qualify for “meaningful use” under American Recovery and Reinvestment Act (ARRA) incentive guidelines
Practice Electronic Records, contd.
• Choosing your system
– Implementing any system will be a learning process requiring proper preparation, training and ongoing support
– Core SureScripts Services
– Rx Benefit: eligibility, benefits and formulary information
– Rx History: prescription history information across providers
– Rx Routing: secure computer-to-computer exchange of prescriptions between prescribers and pharmacies
– Buyer’s guide available at www.surescripts.net for systems that are certified to attach to the national prescription management system
Advice: More than 40 different software vendors
– Focus on vendors that have Platinum or Gold Level Status because they have the proper experience and resources to support your software
Practice Electronic Records, contd.
• Top Certified Solution Providers
• SureScripts Platinum Solution Providers:
• NextGen EHR, RxNT
• SureScripts Gold Solution Providers:
• Allscripts ePrescribe, Axolotl Elysium, DrFirst Rcopia, eClinicalWorks, GE/Kryptiq Centricity, NewCrop.
• Try to sample as many of these systems as you can and make sure to involve other providers and office staff in the evaluation process
Practice Electronic Records, contd.
• Transition Period: Scan Everything!
• Purchase several scanners and dedicate PC workstations to them
• Install Adobe Acrobat Standard to scan documents into PDF format
• Have a rotating group of people scanning the documents
• Consider contracting with a staffing agency for some medical office assistants that are technology savvy to be dedicated to this project for the bulk of the work
Practice Electronic Records, contd.
• Before EMR is fully implemented
• Document Organization: Binary Large Object (BLOB)
• Build folders with Medical Record Numbers (MR) on them on a server and have all patient records scanned into those folders with subfolders based upon date
• When the EMR is implemented, these documents (BLOBs) can be imported into the patient’s electronic record since it is already sorted by the MR number and date of service
• Any paperwork that providers still prefer to use while getting used to using a tablet PC or laptop will continue to be scanned and added to the patient’s record
Practice Electronic Records, contd.
• Before EMR is fully implemented
• Prescription printing:
• Tamper proof paper with printing allowed from doctor’s accounts only for that tray
• Prescription Paper MUST BE SHIPPED to the License address or the address on file with the DEA.
• All scheduled drug security restrictions still apply; crossing out RX date and post-dating prescriptions is not 100% guaranteed to be in compliance
• http://www.cpsintlinc.com/hospital-supplies/tamper-resistant-rx-paper.html
• http://www.rxpaper.com
Practice Electronic Records, contd.
• Before EMR is fully implemented
• MOST CRITICAL: Practice Training
• Project Champions: Select key office staff and providers that have a technical background and send them for focused training
• Have system training incorporated as a part of normal, mandatory staff meetings
• Have a message board or email account set up for questions, which an office staff member can compile and have a first try at answering
Practice Electronic Records, contd.
• EMR Implemented:
• Make time in staff meetings for EMR concerns and address them promptly
• Have regular meetings with Project Champions to review results
• Triage current issues and propose solutions
• Discuss next phases for implementation (i.e. expansion modules)
• Conference calls with your IT Partner
• At least once a week for the first four weeks after the system goes “live”
• Relay staff questions and concerns
• Follow up on support cases still outstanding
Next Step in Management…
• Remote Access
• Virtual Private Network (VPN) access to your office
• Citrix MetaFrame remote access to EMR
• RSA SecurID Two-Factor Authentication
• Data Backup:
• Vaulting of tape system
• Storage Area Network (SAN) integration
• Security
• Best Practices
• Surviving an audit