Today, I came across a brief paper commissioned by Forrester Consulting titled “Managing and Securing Mobile Healthcare Data and Devices“,   which indicates through targeted polls that mobility and security are high on the list of Health CIO’s priorities.

What’s so hard, I must ask? Easier said than done, of course, but here are some ideas:

  • Implement a system where the sensitive data never leaves your premises or your trusted data center. Never. Not in the name of convenience or enabling mobility. Never. In our personal lives, we’re used to compromising a little privacy and security in exchange for convenience, but health data is not the place to consider a trade-off.
  • Implement a system where mobile users can still get to the data – not the raw data, but the representation of the data in the EMR application. That’s critical – with minimal effort and on pretty much any type of device – smart phones, personally owned laptops, iPads, etc. Note that just a browser based application does not necessarily fulfill that requirement as snippets of data can still be printed locally, stored on the hard drive, etc.
  • Get rid of your dependence on paper. Kick the habit and do it fast. Yes, it’s important to keep existing paper records around for historical purposes and it’s close to impossible to migrate paper records into electronic medical record systems, but let’s get started. Avoid printing things out of the medical record wherever possible. Notice that the department of Health and Human Services’ black list of privacy breaches includes a stunning number of breaches through improper access to paper records!

What are the technologies and implementation principles that enable what I am talking about?

For one, start thinking about application and desktop virtualization. The apps or an entire Windows desktop executes securely inside your own or a hosted datacenter and is remotely controlled via high-performance delivery protocols by the end user from a variety of devices. During the implementation, ensure that printing to the local device as well as file system access is disabled. Most larger scale EMR systems employ server side printing, so this should be relatively easy to implement.  The print job gets created and routed through the application layer of the EMR’s backend system, so that it avoids reliance on mapped or created Windows printers inside the user session.

SaaS is often cited as one way of accomplishing set goals. This is a viable option and many SaaS vendors actively employ desktop and application virtualization for the reasons I state above. Many clinicians don’t trust a third party with their patient data and prefer to keep it in house, which is fine. Virtualization technologies can be implemented in a cost effective way even on a smaller scale to allow for secure remote access and a good user experience even over poor networks and a variety of end points.

Thoughts? Please comment.

Florian

Follow me on twitter: @florianbecker