What is Really in the Future for Healthcare IT?

by jeffdejournett@santarosaconsulting.com April 09, 2010 03:59
Connectivity

We have companies like Blackberry and Apple positioning themselves for mobile device integration, and companies like GE and Siemens creating integrated devices for patient care. Where does that leave the IT staff? It leaves them with a big learning curve and the need to create a spider web of device and system integration. Many hospitals already have limited device integration within ICU and telemetry units. How do we roll that out to everyone else?

Within the hospital, we’ve enabled bedside access to IT applications, provided order entry with handheld data collection devices and mobile computer carts, and, in general, supported a multitude of other ways to access information vital to patient care. Along with those capabilities comes the responsibility to manage access methods. We have wired networks to hard-mounted computers, secured Wi-Fi using encryption for mobile and handheld devices, and implemented secure VPN for devices using cellular technology for access. What seems to be missing is the security of the backend data message flow.

Each facility has its own requirements, but any time we have building-to-building transfer of data using outside connectivity we need to consider how we will secure that data during transfer. As we integrate these systems, that issue often doesn’t come up unless we ask about it. I find that even in large enterprise systems, they are using fiber or copper owned by a phone company to route data between buildings and systems that are not secure. A question to ask is: How should we secure the data: encryption, VPN, HTTPS postings? And what will keep the integration project on track and within the scope and policy of each client’s regulations?

Let’s start with a focus on SSL encryption. As we approach and grasp these security standards, we also must account for the additional CPU and processing time to encrypt, then transmit, receive the acknowledgement, decrypt the ack/nak, and make a decision on how to proceed. While this typically only takes milliseconds, it adds up over time. This additional time may require a redesign to meet the needs of the organization and keep message throughput at an acceptable level so that hospitals do not have any backup of data within the interface engine or at the source.

Another issue to consider with data security is the creation and synchronization of keys. As changes or updates to individual keys occur within each system, they have to be kept in sync with each receiving system or application. The type of key each system uses can lead to high maintenance costs and the need for user intervention, as keys expire unexpectedly and require new key generation and submittal. So, each system needs to be aware of the process and issues surrounding the key generation.
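One way to keep keys from expiring unexpectedly is to track every interface certificate's expiry date in one place and flag renewals ahead of time. The following is an added example, not code from the original post; the interface names, dates, and the 30-day lead time are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory (hypothetical interface names and dates). Each expiry
# uses the "notAfter" string format that ssl.SSLSocket.getpeercert() returns,
# so values collected from live endpoints can be dropped in unchanged.
INVENTORY = [
    ("ADT feed to lab system", "Mar 14 12:00:00 2010 GMT"),
    ("Orders to radiology", "Apr 30 00:00:00 2010 GMT"),
    ("Results to remote clinic", "Dec 31 23:59:59 2011 GMT"),
]


def days_left(not_after, now):
    """Whole days (rounded down) between `now` and the certificate expiry."""
    expiry = ssl.cert_time_to_seconds(not_after)  # seconds since epoch, UTC
    return int((expiry - now.timestamp()) // 86400)


def renewal_report(inventory, now, lead_days=30):
    """Classify each interface certificate, most urgent first.

    EXPIRED: the peer will already reject (or be rejected by) this key.
    RENEW:   inside the lead time; generate and submit a new key now so both
             sides can install it before the cutover.
    OK:      no action needed yet.
    """
    rows = []
    for name, not_after in inventory:
        left = days_left(not_after, now)
        if left < 0:
            status = "EXPIRED"
        elif left <= lead_days:
            status = "RENEW"
        else:
            status = "OK"
        rows.append((name, status, left))
    return sorted(rows, key=lambda row: row[2])


if __name__ == "__main__":
    # Run from a scheduler so expiry is noticed before the interface fails.
    for name, status, left in renewal_report(INVENTORY, datetime.now(timezone.utc)):
        print(f"{status:8} {left:6d} days  {name}")
```

The lead time should be at least as long as the slowest partner's turnaround for installing a new key, since both ends of an interface have to change together.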

When using VPN tunnels there is a higher initial cost for hardware, as well as a need for a network administrator who is aware of the configuration and firewalls that exist between the tunnel router and systems. Each firewall will need to have specific rules for data routing and port forwarding to enable seamless data transmission in both directions. This is an issue that we see in multi-datacenter environments. Without knowledge of the network, both the peer systems and the integration team end up chasing network issues, and most often find in the end that a single firewall was preventing their connection.

With the addition of ‘Meaningful Use’ criteria, securing and managing this data flow will become a larger issue, and integration teams will need to consider other access methods between systems as they expand and use other network systems, data access methods, and various transmission protocols. So, as you approach your next project, consider the cost impact related to the network and future maintenance, as those higher costs can weigh heavily on the actual project ROI.

Categories: Healthcare IT
