Santa Barbara County, one of central California's most scenic areas, is nestled on a narrow shelf between the rugged Santa Ynez Mountains and the Pacific Ocean. It was there that information systems executive Alberto Kywi not long ago found himself between a rock and a hard place.
Kywi, chief information officer for Cottage Health System, had to find a way to make an array of information systems accessible to the medical staff of the system's three hospitals. But like many institutions, the conglomeration of healthcare computer applications came from several vendors, creating incompatibility among different information sources and a confusing variety of access and usage norms. In addition, each application required separate log-on identifications and passwords.
Matching the system's security needs with clinicians' demands for easier access has led to a serious headache. "We are moving to an electronic medical record, with everything online, but nothing is in one place. Doctors and nurses have to access at least four to five different vendors' applications to do their work," he says. What Cottage Health needed, Kywi says, was a way to guarantee that security procedures were followed, without turning off busy clinicians to the need to use clinical information systems.
On the other side of the continent in Savannah, Ga., Steve Stanic also faced the challenge of improving access while strengthening security. The vice president and CIO of Memorial Health, a three-hospital system, oversees an array of healthcare computer applications that doctors should be able to use productively. But that wasn't happening.
"Doctors in specialties, such as obstetrics/gynecology, were having to sign on to up to 10 or 12 applications," Stanic says. "If they wanted demographics, they had to sign on to the HIS (patient accounting system). If they wanted clinical data, or lab results, or nurses' notes, those were in other applications. Each application looked and felt different." As a result, doctors weren't using the systems to the extent Memorial had hoped.
Solutions to the types of problems Kywi and Stanic describe have been slow to arrive, but recently the two healthcare systems have found and deployed computer advances that allow doctors, nurses and administrators to sign on to all the applications at once.
One type of innovation, called context-based access, allows caregivers to flip from one application to another without searching from scratch for information on a specific patient. The applications are synchronized so they move directly to the information on the same patient viewed in the preceding application. For example, if a doctor looks up John Smith's lab results, and then wants to see what was prescribed for that patient, the pharmacy application will automatically bring up John Smith's record.
Another type of advance, called enterprise application integration, uses the stock capabilities of a Web browser to extract data from multiple information systems and present the information in one place for a clinician or business-office employee.
Organizing the access
Improving security while easing access are fast becoming twin objectives of healthcare information executives.
Many healthcare systems are moving to computerized clinical applications in hopes of increasing their efficiency while responding to heightened public concerns about medical-error prevention. At the same time, safeguarding sensitive information is the object of regulations implementing the Health Insurance Portability and Accountability Act of 1996 and various state laws and regulations.
At Cottage Health, a clinical system isn't just a nice idea-it's the law. The healthcare system's move to an electronic record comes partly in response to a new state statute, to take effect next January, requiring California providers to have in place a plan to reduce medical mistakes. A component of this plan is a physician order-entry system, which legislators hope will help reduce pharmacy errors.
"Our physicians have no choice about going online-they have to use it," Kywi says. "But if I don't make it easier for them, I will have a rebellion on my hands."
Access emerges as an issue when users find the log-on and password procedures multiplying with each new application. Such settings can be breeding grounds for security risks, says consultant Joseph Pokorney, vice president of Phoenix Health Systems, Montgomery Village, Md. Users quickly tire of logging in and out over and over, so they tend to share log-ons and passwords, he says.
Cottage Health is deploying software from Sentillion, an Andover, Mass., information technology company that was spun off in 1998 from the Hewlett-Packard medical products division, now Agilent Technologies' Healthcare Solutions Group. Sentillion was formed to commercialize a standard method of working easily among computer applications that Hewlett-Packard helped underwrite in the 1990s. The standard takes on the name of the organization that came up with it, the Clinical Context Object Workgroup, or CCOW.
Sentillion's practical application of that standard, a product dubbed Vergence, allows Kywi to offer a single sign-on entry point to his clinicians, despite the multivendor environment. The different applications "tune in" to the first patient whose record is called up.
The result is a method of authorizing different users to access varying subsets of applications according to their job needs, while managing the security headaches associated with it.
Security practices call for protecting electronic information from unauthorized access or disclosure, using methods such as encryption and authentication. With encryption, data is encoded for transmission and translated after being received. With authentication, authorized users are identified through traditional passwords or emerging electronic safeguards such as digital certificates, digital signatures, biometric readings or smart cards.
"Before Vergence, I could have done half of this-I could have done single sign-on and authentication. But that's as far as it would get me. Users would still have had to search for a patient through the dozens of different criteria that each application offers," Kywi says.
What the Vergence application brings into the system is the ability to provide a shared context for the different applications, ensuring that each successive application has tuned in to the original patient, he says.
Memorial Health's Stanic is rolling out a Web-based software package from McKesson Corp.'s information technology division based in Alpharetta, Ga. The product, called Horizon WP, extracts data from other applications by means similar to the way a Web portal such as Yahoo gathers information from many sources, says Robert Connely, vice president for Web technology at McKesson.
Horizon takes feeds of specific bits and pieces of data to present a single, complete record on a patient-all in typical browser style-without the user having to launch and run the specific applications from which the data is being drawn, he says. The McKesson version also employs Sentillion's Vergence product as part of the data-access equation.
The software was distributed to admitting physicians on a CD-ROM, just the way commercial Internet packages are promoted, so doctors could install it in their offices. Stanic estimates that training, when needed, took no more than 15 minutes and was conducted in groups.
"Seven hundred physicians with admitting privileges have access to the system," Stanic says. "Making it easier for physicians to practice at your institution absolutely gives you a strategic advantage."
Pace of adoption
The technology that makes context management possible is becoming closely associated with clinical applications, says Jim Klein, vice president and research director with Gartner, a Stamford, Conn.-based information technology research and advisory company. "The word is getting out there that single sign-on without context-based management is a dicey proposition in a clinical environment," he says.
In an industry noted for the intensity of its product claims, there hasn't been much fanfare over the deployment of the CCOW standard. Yet the following among vendors is intensifying, and the standard is poised for rapid acceptance-at least 30 vendors and 30 provider sites are implementing it or planning to do so. "I'd say there is a good probability that within 12 months there won't be a single first-tier vendor that doesn't support this standard," he says.
For providers whose sole focus is meeting HIPAA security standards, however, the deployment of such technology could be a long way off, says Bill Hanis, a senior manager with the Tampa, Fla., office of First Consulting Group.
In his engagements, Hanis sees most providers at the stage of gauging their readiness to comply with HIPAA regulations. "The biggest systems are focusing on assessment," he says. Most providers are planning to base security on a user's healthcare role, which doesn't go as far as context-based access management but will meet the intent of the HIPAA security rule.
"Given the fact that everyone is in contention for resources, I'd have a hard time pushing a client to move beyond that if they're meeting the HIPAA requirements," he says. "If you were a client talking to me about HIPAA, I'd say that single sign-on or browser-based extraction would be strategies for compliance. It's not the be-all or end-all, but it's a business decision."
A big question is whether these new security and access approaches are worth the price. "We already have 500 doctors accessing their data with Horizon. We mailed them a CD, offered them 15 minutes of training, and then it took off," Stanic says. "The hit count is high. The question is, are the doctors who were low admitters admitting now?" November 2001 will mark the one-year anniversary of Memorial's switch to the browser-based approach, at which point he'll begin answering these questions.
Pricing for Horizon's portal product generally ranges from around $300,000 to more than $1 million depending on the size of the organization and the configuration of the software. That includes all hardware, software, services and technical support for the first year. Annual support costs are about 18% to 25% of the product cost, depending on the level of support purchased.
Sentillion sets its price for Vergence using an equation that takes into account the number of users of the healthcare system's major application, as well as the number of users of various departmental applications. John Douglass, executive vice president at Sentillion, says the price comes out to a few dollars per user per month. "It's literally pennies per day per user," he said.
Installation costs run about $20,000, regardless of the size of the institution. Healthcare systems can choose subscription pricing or a one-time license purchase. Yearly maintenance is included in the cost of subscriptions, which Douglass says typically run five years or longer. Systems that buy the product outright pay a separate maintenance cost totaling 18% of the product price per year.